[Snort-sigs] Kerberos login failure detection

Micheal Cottingham micheal.cottingham at ...2462...
Sun May 9 16:14:10 EDT 2004


We have a pure 2k/XP environment. I have caught traffic (unexpectedly, 
sort of) on port 445, but nowhere near the amount I have been expecting. 
Here are some packet captures:

12/13-00:47:21.204392 0:7:E9:60:7D:5E -> 0:E:7F:B4:96:41 type:0x800 len:0x198
192.168.1.2:3211 -> 192.168.1.1:445 TCP TTL:128 TOS:0x0 ID:44916 IpLen:20 DgmLen:394 DF
***AP*** Seq: 0x26EA93C5  Ack: 0x5787264C  Win: 0xF7EA  TcpLen: 20
00 00 01 5E FF 53 4D 42 73 00 00 00 00 18 07 C8  ...^.SMBs.......
00 00 42 53 52 53 50 59 4C 20 00 00 00 00 FF FE  ..BSRSPYL ......
02 40 80 00 0C FF 00 5E 01 04 41 32 00 01 00 00  .@.....^..A2....
00 00 00 BC 00 00 00 00 00 D4 00 00 A0 23 01 A1  .............#..
81 B9 30 81 B6 A2 81 B3 04 81 B0 4E 54 4C 4D 53  ..0........NTLMS
53 50 00 03 00 00 00 18 00 18 00 70 00 00 00 18  SP.........p....
00 18 00 88 00 00 00 08 00 08 00 40 00 00 00 16  ...........@....
00 16 00 48 00 00 00 12 00 12 00 5E 00 00 00 10  ...H.......^....
00 10 00 A0 00 00 00 15 82 88 E0 54 00 45 00 53  ...........T.E.S
00 54 00 6D 00 63 00 6F 00 74 00 74 00 69 00 6E  .T.m.c.o.t.t.i.n
00 67 00 68 00 61 00 6D 00 43 00 48 00 52 00 32  .g.h.a.m.C.H.R.2
00 31 00 33 00 37 00 34 00 31 00 F4 BE ED A5 22  .1.3.7.4.1....."
F4 E5 5A 00 00 00 00 00 00 00 00 00 00 00 00 00  ..Z.............
00 00 00 13 0A 3A 73 D5 09 B2 7A D0 E4 A8 66 5A  .....:s...z...fZ
D2 56 87 7A FD ED 41 E3 C5 46 3E 0D 85 B6 A2 C9  .V.z..A..F>.....
FB 0E F8 D3 52 68 C9 1D 92 DC 6C 00 57 00 69 00  ....Rh....l.W.i.
6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00  n.d.o.w.s. .2.0.
30 00 32 00 20 00 32 00 36 00 30 00 30 00 20 00  0.2. .2.6.0.0. .
53 00 65 00 72 00 76 00 69 00 63 00 65 00 20 00  S.e.r.v.i.c.e. .
50 00 61 00 63 00 6B 00 20 00 31 00 00 00 57 00  P.a.c.k. .1...W.
69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00  i.n.d.o.w.s. .2.
30 00 30 00 32 00 20 00 35 00 2E 00 31 00 00 00  0.0.2. .5...1...
00 00                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/13-00:47:21.210991 0:E:7F:B4:96:41 -> 0:7:E9:60:7D:5E type:0x800 len:0x5D
192.168.1.1:445 -> 192.168.1.2:3211 TCP TTL:128 TOS:0x0 ID:15656 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0x5787264C  Ack: 0x26EA9527  Win: 0xFD2C  TcpLen: 20
00 00 00 23 FF 53 4D 42 73 6D 00 00 C0 98 07 C8  ...#.SMBsm......
00 00 42 53 52 53 50 59 4C 20 00 00 00 00 FF FE  ..BSRSPYL ......
02 40 80 00 00 00 00                             .@.....


Pretty straightforward, I think. In that packet is the test domain I am 
testing with, the username account I tried, and the computer fingerprint 
information. Then as you can see, the server responds on port 445. The 
test domain I have is a 2k server and two XP machines, on a closed 
network. Here are some port 88 captures from the same session:

12/13-00:47:21.194624 0:7:E9:60:7D:5E -> 0:E:7F:B4:96:41 type:0x800 len:0x171
192.168.1.2:3213 -> 192.168.1.1:88 UDP TTL:128 TOS:0x0 ID:44914 IpLen:20 DgmLen:355
Len: 327
6A 82 01 43 30 82 01 3F A1 03 02 01 05 A2 03 02  j..C0..?........
01 0A A3 67 30 65 30 50 A1 03 02 01 02 A2 49 04  ...g0e0P......I.
47 30 45 A0 03 02 01 17 A1 06 02 04 77 F5 7D 70  G0E.........w.}p
A2 36 04 34 12 92 E7 47 8B 23 9B 05 1E 86 E9 CE  .6.4...G.#......
89 48 37 26 8E 60 A5 76 52 4F E7 18 DD 5B 9B 8D  .H7&.`.vRO...[..
34 BA 1F BF EE 71 83 4F 3C DD FB 90 44 15 35 1C  4....q.O<...D.5.
5A 64 E9 87 F9 B8 D2 2D 30 11 A1 04 02 02 00 80  Zd.....-0.......
A2 09 04 07 30 05 A0 03 01 01 FF A4 81 C9 30 81  ....0.........0.
C6 A0 07 03 05 00 40 81 00 10 A1 18 30 16 A0 03  ......@.....0...
02 01 01 A1 0F 30 0D 1B 0B 6D 63 6F 74 74 69 6E  .....0...mcottin
67 68 61 6D A2 12 1B 10 54 45 53 54 2E 53 56 2E  gham....TEST.SV.
56 43 43 53 2E 45 44 55 A3 25 30 23 A0 03 02 01  VCCS.EDU.%0#....
02 A1 1C 30 1A 1B 06 6B 72 62 74 67 74 1B 10 54  ...0...krbtgt..T
45 53 54 2E 53 56 2E 56 43 43 53 2E 45 44 55 A5  EST.SV.VCCS.EDU.
11 18 0F 32 30 33 37 30 39 31 33 30 32 34 38 30  ...2037091302480
35 5A A6 11 18 0F 32 30 33 37 30 39 31 33 30 32  5Z....2037091302
34 38 30 35 5A A7 06 02 04 12 EB C1 EB A8 19 30  4805Z..........0
17 02 01 17 02 02 FF 7B 02 01 80 02 01 03 02 01  .......{........
01 02 01 18 02 02 FF 79 A9 1D 30 1B 30 19 A0 03  .......y..0.0...
02 01 14 A1 12 04 10 43 48 52 32 31 33 37 34 31  .......CHR213741
20 20 20 20 20 20 20                                   

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/13-00:47:21.202950 0:E:7F:B4:96:41 -> 0:7:E9:60:7D:5E type:0x800 len:0x115
192.168.1.1:88 -> 192.168.1.2:3213 UDP TTL:128 TOS:0x0 ID:15654 IpLen:20 DgmLen:263
Len: 235
7E 81 E8 30 81 E5 A0 03 02 01 05 A1 03 02 01 1E  ~..0............
A4 11 18 0F 32 30 30 33 31 32 31 33 30 35 34 37  ....200312130547
32 31 5A A5 05 02 03 05 13 8E A6 03 02 01 18 A9  21Z.............
12 1B 10 54 45 53 54 2E 53 56 2E 56 43 43 53 2E  ...TEST.SV.VCCS.
45 44 55 AA 25 30 23 A0 03 02 01 02 A1 1C 30 1A  EDU.%0#.......0.
1B 06 6B 72 62 74 67 74 1B 10 54 45 53 54 2E 53  ..krbtgt..TEST.S
56 2E 56 43 43 53 2E 45 44 55 AC 7F 04 7D 30 7B  V.VCCS.EDU...}0{
30 79 A1 03 02 01 0B A2 72 04 70 30 6E 30 09 A0  0y......r.p0n0..
03 02 01 17 A1 02 04 00 30 0A A0 04 02 02 FF 7B  ........0......{
A1 02 04 00 30 09 A0 03 02 01 80 A1 02 04 00 30  ....0..........0
24 A0 03 02 01 03 A1 1D 04 1B 54 45 53 54 2E 53  $.........TEST.S
56 2E 56 43 43 53 2E 45 44 55 6D 63 6F 74 74 69  V.VCCS.EDUmcotti
6E 67 68 61 6D 30 24 A0 03 02 01 01 A1 1D 04 1B  ngham0$.........
54 45 53 54 2E 53 56 2E 56 43 43 53 2E 45 44 55  TEST.SV.VCCS.EDU
6D 63 6F 74 74 69 6E 67 68 61 6D                 mcottingham

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Again, pretty straightforward, I think. And yet, my production snort 
install only picks up 445 failures, and not anywhere near what I think 
it should be picking up. Any help is much appreciated. If need be, I can 
show you the rules I am using at the moment.

Sean Lazar wrote:

> What are your clients? Kerberos, if I am correct, only works with 
> Windows 2000 clients and above. Windows 95/98/ME/NT use NTLM 
> authentication.
>
> Sean
>
> Micheal Cottingham wrote:
>
>> I've tried 
>> http://marc.theaimsgroup.com/?l=snort-sigs&w=2&r=1&s=kerberos&q=b and 
>> several variations of it, but I cannot for the life of me get Snort 
>> to detect anything from this. His rule was really close to my own 
>> packet analysis, but it doesn't seem to work. Windows 2000, Active 
>> Directory. Any suggestions? Much appreciated.
>>
>> Micheal Cottingham
>>
>> _____________________________________
>> Micheal Cottingham, Comptia A+
>> micheal.cottingham at ...2462...
>> 1-434-949-1078
>>
>>
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>>
>
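The two server replies in the captures above, worked through as an added example (this is not code from the original post, from the thread, or from the Snort project; the Snort content strings inside it are my own illustration, not rules anyone posted). The UDP/88 reply is a KRB-ERROR (first byte 0x7E, msg-type 30) whose error-code is 24, KDC_ERR_PREAUTH_FAILED, and whose e-data lists the etypes the KDC wants the client to retry with; the TCP/445 reply is an SMB SESSION_SETUP_ANDX response (command 0x73) carrying NT_STATUS 0xC000006D, STATUS_LOGON_FAILURE. The byte strings are transcribed from the dumps in the post; the function and constant names are mine.

```python
"""Added example, not code from the original post: parse the two server replies
captured above and flag each as a failed logon.  Constants are from RFC 4120
(KRB-ERROR = msg-type 30, error-code 24 = KDC_ERR_PREAUTH_FAILED) and the
NT_STATUS table (0xC000006D = STATUS_LOGON_FAILURE)."""
import struct

# Server -> client payloads transcribed from the hex dumps in the post.
KRB_ERROR_UDP88 = bytes.fromhex(
    "7E81E83081E5A003020105A10302011EA411180F323030333132313330353437"
    "32315AA505020305138EA603020118A9121B10544553542E53562E564343532E"
    "454455AA253023A003020102A11C301A1B066B72627467741B10544553542E53"
    "562E564343532E454455AC7F047D307B3079A10302010BA2720470306E3009A0"
    "03020117A1020400300AA0040202FF7BA10204003009A003020180A102040030"
    "24A003020103A11D041B544553542E53562E564343532E4544556D636F747469"
    "6E6768616D3024A003020101A11D041B544553542E53562E564343532E454455"
    "6D636F7474696E6768616D")
SMB_SETUP_RESP_TCP445 = bytes.fromhex(
    "00000023FF534D42736D0000C09807C800004253525350594C2000000000FFFE02408000000000")

KRB_ERROR_APP_TAG = 0x7E          # [APPLICATION 30] KRB-ERROR
KRB_MSG_ERROR = 30
KDC_ERR_PREAUTH_FAILED = 24       # PA-ENC-TIMESTAMP did not decrypt: wrong password
PA_ETYPE_INFO = 11
SMB_COM_SESSION_SETUP_ANDX = 0x73
STATUS_LOGON_FAILURE = 0xC000006D


def der_tlv(buf, pos=0):
    """(tag, value, next_pos) of the DER TLV at buf[pos]; single-byte tags and
    short/long-form lengths are all Kerberos needs."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        yield tag, val


def der_int(val):
    return int.from_bytes(val, "big", signed=True)


def etypes_from_edata(method_data):
    """PA-ETYPE-INFO inside e-data (METHOD-DATA) lists the etypes the KDC accepts."""
    etypes = []
    for _, padata in der_children(der_tlv(method_data)[1]):
        fields = {tag: der_tlv(val)[1] for tag, val in der_children(padata)}
        if der_int(fields[0xA1]) != PA_ETYPE_INFO:               # [1] padata-type
            continue
        for _, entry in der_children(der_tlv(fields[0xA2])[1]):  # [2] padata-value
            for tag, val in der_children(entry):
                if tag == 0xA0:                                   # [0] etype
                    etypes.append(der_int(der_tlv(val)[1]))
    return etypes


def parse_krb_error(payload):
    """Return the KRB-ERROR fields a logon-failure rule cares about, or None."""
    if not payload or payload[0] != KRB_ERROR_APP_TAG:
        return None
    out = {"etypes": []}
    for tag, val in der_children(der_tlv(der_tlv(payload)[1])[1]):
        inner, ctx = der_tlv(val)[1], tag & 0x1F   # strip the [n] EXPLICIT wrapper
        if ctx == 1:
            out["msg_type"] = der_int(inner)
        elif ctx == 4:
            out["stime"] = inner.decode("ascii")
        elif ctx == 6:
            out["error_code"] = der_int(inner)
        elif ctx == 9:
            out["realm"] = inner.decode("ascii")
        elif ctx == 12:
            out["etypes"] = etypes_from_edata(inner)
    return out if out.get("msg_type") == KRB_MSG_ERROR else None


def smb_logon_failure(tcp_payload):
    """True for a NetBIOS-framed SMB1 SESSION_SETUP_ANDX reply whose NT_STATUS is
    STATUS_LOGON_FAILURE (the 445 reply in the capture)."""
    if len(tcp_payload) < 14 or tcp_payload[4:8] != b"\xffSMB":
        return False
    command, flags = tcp_payload[8], tcp_payload[13]
    status = struct.unpack_from("<I", tcp_payload, 9)[0]   # little-endian NT_STATUS
    return (command == SMB_COM_SESSION_SETUP_ANDX and bool(flags & 0x80)
            and status == STATUS_LOGON_FAILURE)


def logon_failure_alert(server_port, payload):
    """Dispatch on the server port and return an alert string, or None.
    Byte-level equivalents a Snort 2 rule could use (assumed, not from the thread):
      udp 88 -> any:   content:"|7E|"; depth:1; content:"|A6 03 02 01 18|";
      tcp 445 -> any:  content:"|FF|SMB|73 6D 00 00 C0|"; offset:4; depth:9;"""
    if server_port == 88:
        err = parse_krb_error(payload)
        if err and err.get("error_code") == KDC_ERR_PREAUTH_FAILED:
            return "KRB5 KDC_ERR_PREAUTH_FAILED realm=%s etypes=%s" % (
                err.get("realm"), err["etypes"])
    elif server_port == 445 and smb_logon_failure(payload):
        return "SMB SESSION_SETUP_ANDX STATUS_LOGON_FAILURE"
    return None
```

One caveat when turning this into alerts: the KRB-ERROR carries the realm and the krbtgt sname but no cname, so the failing user has to be read from the AS-REQ in the same UDP exchange (where cname mcottingham appears) or, on 445, from the NTLMSSP Type 3 blob in the request, which carries the domain, user and workstation. A plain content match on |A6 03 02 01 18| works here because DER encodes error-code 24 as a one-byte INTEGER, but it should be anchored on the leading |7E| so it does not fire on the same bytes turning up inside some other payload.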





