[Snort-sigs] Sid 2123

Joel Ebrahimi jebrahimi at ...274...
Fri Feb 17 15:18:01 EST 2006


I was playing around with metasploit running successful attacks and getting a cmd shell on Windows. The rules I was evaluating were triggering fine but I never once got any info that a cmd.exe banner had been seen. 
 
Here is the rule in the Attack Response ruleset that I have active.
 
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:3;)
 
Here is a breakdown of the relevant network traffic
 
  0000   00 0e 9b 16 3e 46 00 d0 b7 3c c5 12 08 00 45 00  ....>F...<....E.
  0010   00 5b 21 a3 40 00 80 06 80 4a ac 15 00 44 ac 15  .[!.@....J...D..
  0020   00 41 11 5c 85 19 39 65 83 3a 45 90 53 79 80 18  .A.\..9e.:E.Sy..
  0030   fa f0 bc 1f 00 00 01 01 08 0a 00 14 d6 a7 00 bd  ................
  0040   b8 23 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64  .#Microsoft Wind
  0050   6f 77 73 20 58 50 20 5b 56 65 72 73 69 6f 6e 20  ows XP [Version 
  0060   35 2e 31 2e 32 36 30 30 5d                       5.1.2600]
  
  
  
  0000   00 0e 9b 16 3e 46 00 d0 b7 3c c5 12 08 00 45 00  ....>F...<....E.
  0010   00 75 21 a4 40 00 80 06 80 2f ac 15 00 44 ac 15  .u!.@..../...D..
  0020   00 41 11 5c 85 19 39 65 83 61 45 90 53 79 80 18  .A.\..9e.aE.Sy..
  0030   fa f0 12 51 00 00 01 01 08 0a 00 14 d6 a7 00 bd  ...Q............
  0040   b8 4c 0d 0a 28 43 29 20 43 6f 70 79 72 69 67 68  .L..(C) Copyrigh
  0050   74 20 31 39 38 35 2d 32 30 30 31 20 4d 69 63 72  t 1985-2001 Micr
  0060   6f 73 6f 66 74 20 43 6f 72 70 2e 0d 0a 0d 0a 43  osoft Corp.....C
  0070   3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d  :\WINDOWS\system
  0080   33 32 3e                                         32>
 
 
So the distance keyword following content:"|28|C|29| Copyright 1985-"; would cause this rule to never trigger. Now I am using a very old unpatched version of Windows XP. I'm not sure if the cmd.exe has been updated since then and this rule only reflects the current version out there, but I thought I'd bring it up.
 
// Joel
Joel Ebrahimi
jebrahimi at ...274...
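As an added illustration (not part of the post or of the Snort ruleset), the following Python simulates the three content checks of sid 2123 against the two TCP payloads decoded from the hex dumps above. `distance:0` is modelled as a search that begins where the previous match ended, and the checks are run both on each segment by itself and on the two segments joined, which is what a stream-reassembling preprocessor would hand to the detection engine.

```python
# Constructed TCP payloads, decoded from the two hex dumps in the post
# (the bytes after the 32-byte TCP header at offset 0x42).
SEGMENT_1 = b"Microsoft Windows XP [Version 5.1.2600]"
SEGMENT_2 = b"\r\n(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>"

# Content patterns of sid 2123 with |28| and |29| decoded to '(' and ')'.
# Each entry is (pattern, relative); relative=True models `distance:0`,
# i.e. the search starts at the end of the previous match.
SID_2123_CONTENTS = [
    (b"Microsoft Windows", False),
    (b"(C) Copyright 1985-", True),
    (b"Microsoft Corp.", True),
]


def contents_match(buf: bytes, contents) -> bool:
    """Simulate Snort content matching with absolute and distance:0 patterns."""
    cursor = 0  # end of the previous match; relative patterns search from here
    for pattern, relative in contents:
        start = cursor if relative else 0
        pos = buf.find(pattern, start)
        if pos < 0:
            return False
        cursor = pos + len(pattern)
    return True


def evaluate(segments, contents):
    """Return (per-segment results, result on the reassembled stream)."""
    per_segment = [contents_match(seg, contents) for seg in segments]
    reassembled = contents_match(b"".join(segments), contents)
    return per_segment, reassembled


if __name__ == "__main__":
    per_segment, reassembled = evaluate([SEGMENT_1, SEGMENT_2], SID_2123_CONTENTS)
    for i, hit in enumerate(per_segment, 1):
        print(f"segment {i} alone: {'ALERT' if hit else 'no match'}")
    print(f"reassembled stream: {'ALERT' if reassembled else 'no match'}")
```

Neither segment on its own contains all three patterns, while the joined payload satisfies them in order, so whether this alert fires depends on the contents being evaluated over reassembled stream data rather than on a single packet.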

 

