[Snort-sigs] pwdump, l0phtcrack, hash extraction

Matthew Jonkman matt at ...2436...
Tue Jul 20 18:27:12 EDT 2004


Nice updates. They're all up on bleedingsnort.com now.

Thanks gents.

Matt

Matt Sheridan wrote:

> 
> I found that to be the case as well. I edited the supplied sigs (thanks 
> Abe and Matt) to have both port 139 and port 445 versions. After testing I have 
> validated accuracy - they work well. Using pwdump3 by Phil Staubs, the 
> following signatures were effective. (I edited the header info a bit, 
> but the content material is the same. These are the sigs sent in 
> response by both Abe and Matt.)
> 
> #This sig by Abe was effective in identifying the initial pwdump 
> connection.
> 
> alert tcp any any -> any 139 (msg:"Pwdump3e Session Established Reg-Entry port 139 by Abe"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|";)
> 
> alert tcp any any -> any 445 (msg:"Pwdump3e Session Established Reg-Entry port 445 by Abe"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|";)
> 
> #This sig by Matt was effective in identifying the executable push from 
> pwdump.
> 
> alert tcp any any -> $HOME_NET 139 (msg:"Pwdump3e pwservice.exe Push Port 139 by Matt"; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; sid:2000564; rev:2;)
> 
> alert tcp any any -> $HOME_NET 445 (msg:"Pwdump3e pwservice.exe Push Port 445 by Matt"; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; sid:2000564; rev:2;)
> 
> #This sig by Matt was effective in seeing ":500" content responses. 
> Possibly some false positives.
> 
> alert tcp $HOME_NET 139 -> any any (msg:"Hash Retrieval Response UID 500 Port 139 Pwdump3e by Matt"; content:"\:|00|5|00|0|00|0"; sid:2000563; rev:2;)
> 
> alert tcp $HOME_NET 445 -> any any (msg:"Hash Retrieval Response UID 500 Port 445 Pwdump3e by Matt"; content:"\:|00|5|00|0|00|0"; sid:2000563; rev:2;)
> 
> 
> 
