Demo alerting with Kali2

To demonstrate the capabilities of our logging and alerting tools, the idea of a deliberately noisy attacker came up.

Well, here is the howto: build such a noisy attacker to trigger all your sensors and have the results displayed in Splunk.

Adjust your Kali2

To read the actions later in Splunk, activate msfconsole logging by putting the command below into your ~/.msf4/msfconsole.rc (the msfconsole command is spool, which writes all console output to the given file):

spool /var/log/msf_output.txt

 

Get the db_autopwn.rb module that was once part of BackTrack from here.

Put it into /usr/share/metasploit-framework/plugins/ on your Kali2 instance.

Open the msfconsole and issue the commands below to run it:

msf > load db_autopwn
msf > db_nmap -T4 [your target(s)]
msf > db_autopwn -p -e -t -r
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[-]
[-] Warning: The db_autopwn command is not officially supported and exists only in a branch.
[-] This code is not well maintained, crashes systems, and crashes itself.
[-] Use only if you understand it's current limitations/issues.
[-] Minimal support and development via neinwechter on GitHub metasploit fork.
[-]
[*] Analysis completed in 47 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*] Matching Exploit Modules
[*] ================================================================================
[*] 192.168.178.1:21 exploit/freebsd/ftp/proftp_telnet_iac (port match)
[*] 192.168.178.1:21 exploit/linux/ftp/proftp_sreplace (port match)
[*] 192.168.178.1:21 exploit/linux/ftp/proftp_telnet_iac (port match)
[*] 192.168.178.1:21 exploit/mainframe/ftp/ftp_jcl_creds (port match)
[*] 192.168.178.1:21 exploit/multi/ftp/pureftpd_bash_env_exec (port match)
[*] 192.168.178.1:21 exploit/multi/ftp/wuftpd_site_exec_format (port match)
[*] 192.168.178.1:21 exploit/osx/ftp/webstar_ftp_user (port match)
[*] 192.168.178.1:21 exploit/unix/ftp/proftpd_133c_backdoor (port match)
[*] 192.168.178.1:21 exploit/unix/ftp/vsftpd_234_backdoor (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/3cdaemon_ftp_user (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/ability_server_stor (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/bison_ftp_bof (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/cesarftp_mkd (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/comsnd_ftpd_fmtstr (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/dreamftp_format (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/easyfilesharing_pass (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/easyftp_cwd_fixret (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/easyftp_list_fixret (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/easyftp_mkd_fixret (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/filecopa_list_overflow (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/freefloatftp_user (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/freefloatftp_wbem (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/freeftpd_pass (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/freeftpd_user (port match)
[*] 192.168.178.1:21 exploit/windows/ftp/globalscapeftp_input (port match)

Installing snort

To get a real IDS view of the attack traffic within the demo, I installed an IDS engine directly on the Kali box. Suricata is used here; it runs the same Snort-style rule sets.

apt install suricata-oinkmaster
(all other needed packages will be installed automatically)

Update with the latest rules:
oinkmaster -C /etc/suricata/suricata-oinkmaster.conf -o /etc/suricata/rules/

ls -l /etc/suricata/rules/
total 13912
-rw-r--r-- 1 root root 1295 Nov 29 12:16 app-layer-events.rules
-rw-r--r-- 1 root root 28622 Feb 11 12:08 botcc.portgrouped.rules
-rw-r--r-- 1 root root 288454 Feb 11 12:08 botcc.rules
.........

Finally, start Suricata, which creates its logfiles under the directory given with -l:

suricata -i eth0 -c /etc/suricata/suricata.yaml -l /var/log/suricata
11/2/2017 -- 12:12:18 - <Notice> - This is Suricata version 3.2 RELEASE
11/2/2017 -- 12:12:21 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.

Metasploit specific rules

A big thanks to "dgroenewegen" for supplying the community with his work on some Metasploit-specific Snort rules.

Download and install them into your rules directory, and don't forget to activate them in the config.

 

Start the demo attack

msfconsole

load db_autopwn

db_nmap -T4 [target IP(s)]

db_autopwn -p -e -t -r -T 30

Locate the logfiles for further actions

The exploits that were tried are listed in the msfconsole log:

tail -f /var/log/msf_output.txt

10.10.0.88:22 exploit/unix/ssh/tectia_passwd_changereq (port match)
10.10.0.88:22 exploit/windows/ssh/freeftpd_key_exchange (port match)
10.10.0.88:22 exploit/windows/ssh/freesshd_authbypass (port match)
10.10.0.88:22 exploit/windows/ssh/freesshd_key_exchange (port match)
10.10.0.88:22 exploit/windows/ssh/sysax_ssh_username (port match)
10.10.0.88:80 exploit/bsdi/softcart/mercantec_softcart (port match)
10.10.0.88:80 exploit/freebsd/http/watchguard_cmd_exec (port match)
10.10.0.88:80 exploit/freebsd/misc/citrix_netscaler_soap_bof (port match)
10.10.0.88:80 exploit/linux/antivirus/escan_password_exec (port match)
10.10.0.88:80 exploit/linux/http/accellion_fta_getstatus_oauth (port match)

The Suricata log (EVE JSON; the first record after startup is a stats event, alerts follow as event_type "alert"):

tail -f /var/log/suricata/eve.json

{"timestamp":"2017-02-11T12:12:57.000961-0500","event_type":"stats","stats":{"uptime":36,"capture":{"kernel_packets":26,"kernel_drops":0},"decoder":{"pkts":27,"bytes":4898,"invalid":0,"ipv4":14,"ipv6":13,"ethernet":27,"raw":0,"null":0,"sll":0,"tcp":1,"udp":26,"sctp":0,"icmpv4":0,"icmpv6":0,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":181,"max_pkt_size":342,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7076608},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":0,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":0,"synack":0,"rst":0,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":0,"memuse":1638400,"reassembly_memuse":12320544},"detect":{"alert":1},"app_layer":{"flow":{"http":0,"ftp":0,"smtp":0,"tls":0,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":0,"dcerpc_udp":0,"dns_udp":0,"failed_udp":8},"tx":{"http":0,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":0}},"flow_mgr":{"closed_pruned":0,"new_pruned":1,"est_pruned":0,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":0,"memcap_state":0,"memcap_global":0},"http":{"memuse":0,"memcap":0}}}
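The two logs above are what a defender has to line up: msf_output.txt says which module was fired at which target:port, and eve.json says which rule fired on that traffic. The following is an added example (not part of the original post) that parses both formats and joins them on destination IP and port; the msf lines are constructed in the same shape as the output shown above, and the EVE alert record is a constructed sample using the standard EVE alert fields, with a placeholder signature text rather than a real rule.

```python
"""Correlate msfconsole spool output with Suricata EVE alerts (added example,
not from the original post; sample data below is constructed)."""
import json
import re
from collections import defaultdict

# Constructed sample of the msfconsole spool log (same shape as the post's output).
MSF_LOG = """\
10.10.0.88:22 exploit/unix/ssh/tectia_passwd_changereq (port match)
10.10.0.88:22 exploit/windows/ssh/freesshd_authbypass (port match)
10.10.0.88:80 exploit/freebsd/http/watchguard_cmd_exec (port match)
[*] Analysis completed in 47 seconds (0 vulns / 0 refs)
"""

# Constructed EVE records: a stats event (ignored) and one alert event; the
# signature text is a placeholder, not a real rule.
EVE_LOG = """\
{"timestamp":"2017-02-11T12:12:57.000961-0500","event_type":"stats","stats":{"uptime":36}}
{"timestamp":"2017-02-11T12:13:02.114000-0500","event_type":"alert","src_ip":"10.10.0.5","src_port":41022,"dest_ip":"10.10.0.88","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER Metasploit HTTP exploit attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
"""

# "IP:PORT exploit/path/to/module (port match)" as printed by db_autopwn
MSF_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(exploit/\S+)")

def parse_msf_log(text):
    """Map (target_ip, port) -> list of exploit modules msfconsole tried."""
    tried = defaultdict(list)
    for m in filter(None, map(MSF_LINE.match, text.splitlines())):
        tried[(m.group(1), int(m.group(2)))].append(m.group(3))
    return dict(tried)

def parse_eve_alerts(text):
    """Keep only event_type == 'alert' records; skip stats and unparsable lines."""
    alerts = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "alert":
            alerts.append(ev)
    return alerts

def correlate(msf_text, eve_text):
    """For each Suricata alert, list the modules msfconsole fired at that target:port."""
    tried = parse_msf_log(msf_text)
    return [{"signature": ev["alert"]["signature"], "severity": ev["alert"]["severity"],
             "target": f'{ev["dest_ip"]}:{ev["dest_port"]}',
             "modules": tried.get((ev["dest_ip"], ev["dest_port"]), [])}
            for ev in parse_eve_alerts(eve_text)]
```

Running `correlate` over the real files (open /var/log/msf_output.txt and /var/log/suricata/eve.json and pass their contents) gives, per alert, the list of modules that were thrown at that service; modules with no matching alert are the rule-coverage gaps worth following up.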

Logstash input parser

If you are not going to use Splunk for visualizing your IDS logs, you might want to have a look at Kibana and Logstash.

Justin Henderson has done some great work in writing a Logstash parser for Snort.

 

Once Logstash is running, you might want to use this Kibana dashboard written by Mark Walkom.