Thursday, May 2, 2019

Having Fun with CrackMapExec - Snort IDS/IPS Analysis

With the CrackMapExec attack, the log analysis, the packet analysis and the Zeek analysis done, let's see what Snort makes of the same captures. I'm using the Snort community ruleset and the default configuration as of April 5, 2019, with no rules enabled or disabled. By the end of this post, hopefully you will understand why you must customize your security tools to suit your environment.

root@securitynik:~# snort -A full -K ascii -l . -r cme-scan.pcap -c /etc/snort/snort.conf 

Commencing packet processing (pid=5478)
===============================================================================
Run time for packet processing was 1.4221 seconds
Snort processed 1570 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
   Pkts/sec:         1570
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       45666304
  Bytes in mapped regions (hblkhd):      13574144
  Total allocated space (uordblks):      40400688
  Total free space (fordblks):           5265616
  Topmost releasable block (keepcost):   93600
===============================================================================
Packet I/O Totals:
   Received:         1570
   Analyzed:         1570 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         1572 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:           51 (  3.244%)
       Frag:            0 (  0.000%)
       ICMP:            1 (  0.064%)
        UDP:            0 (  0.000%)
        TCP:           50 (  3.181%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:         1521 ( 96.756%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            2 (  0.127%)
      Total:         1572
===============================================================================
Action Stats:
     Alerts:            1 (  0.064%)
     Logged:            1 (  0.064%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:         1570 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
===============================================================================
Stream statistics:
            Total sessions: 4
              TCP sessions: 4
              UDP sessions: 0
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 4
TCP StreamTrackers Deleted: 4
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 21
     TCP Segments Released: 21
       TCP Rebuilt Packets: 9
         TCP Segments Used: 16
              TCP Discards: 0
                  TCP Gaps: 1
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
           Internal Events: 0
           TCP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 48
           UDP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 0
===============================================================================
===============================================================================
SMTP Preprocessor Statistics
  Total sessions                                    : 0
  Max concurrent sessions                           : 0
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 3
  Total sessions aborted: 3

  Transports
    SMB
      Total sessions: 3
      Packet stats
        Packets: 6
        Maximum outstanding requests: 1
        SMB command requests/responses processed
          Negotiate (0x72) : 3/0
===============================================================================
===============================================================================
SIP Preprocessor Statistics
  Total sessions: 0
===============================================================================
Snort exiting

Let's see if our "alert" file was created.


root@securitynik:~/cme# ls .
10.0.0.2  alert

The "alert" file exists (the 10.0.0.2 directory next to it is the per-host ASCII packet log that -K ascii writes). Let's see what type of alerts were created.


root@securitynik:~/cme# cat alert 
[**] [1:404:6] ICMP Destination Unreachable Protocol Unreachable [**]
[Classification: Misc activity] [Priority: 3] 
04/07-23:12:37.586514 10.0.0.2 -> 10.0.0.100
ICMP TTL:255 TOS:0x0 ID:24 IpLen:20 DgmLen:56
Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.100:50838 -> 10.0.0.2:445
TCP TTL:64 TOS:0x0 ID:17710 IpLen:20 DgmLen:60 DF
Seq: 0x4C552250

From Snort's perspective, the only thing worth reporting in the whole scan was a single ICMP destination unreachable (type 3, code 2, protocol unreachable) message. Note what the rule actually fired on: not the scanning host, but the target's reply. The original datagram dump shows the trigger was 10.0.0.100:50838 -> 10.0.0.2:445, so 10.0.0.2 answered the SYN to port 445 with an ICMP error rather than a SYN/ACK or RST. The dcerpc2 preprocessor statistics above tell the same story: three SMB sessions, three Negotiate requests, zero responses, all three sessions aborted, so there was never an established SMB session for the SMB rules to inspect. Also note that of the 1570 packets only 51 were IPv4; the other 1521 were ARP, and Snort's rule language works on IP traffic. ARP is only examined by the arpspoof preprocessor, which is commented out in the default snort.conf.
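The two alert formats that appear in this post, the multi-line record in the -A full alert file above and the one-line records that -A console prints further down, are easy to parse once you know that every record begins with the [**] [gid:sid:rev] header. The parser below is an added example written for this post, not part of Snort and not from the original write-up; the sample records are the ones printed on this page, embedded as strings, and the field names in the returned dicts are my own choice.

```python
"""Parse Snort 2.x alert records in both the -A full (multi-line) and the
-A console / fast (one-line) formats, then summarise them per SID.
Added example for this post; the sample records are the ones shown on the page."""
import re

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: ([^\]]*)\] \[Priority: (\d+)\]")
TS_RE = re.compile(r"\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+")
# console records carry {PROTO}; full records start a line with "PROTO TTL:"
PROTO_RE = re.compile(r"\{(\w+)\}|^(ICMP|TCP|UDP|IP) TTL:", re.MULTILINE)
ADDR_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))? -> (\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")
ORIG_RE = re.compile(r"\*\* ORIGINAL DATAGRAM DUMP:(.*)", re.DOTALL)

# Sample input copied from the Snort output shown in this post.
FULL_ALERT = """\
[**] [1:404:6] ICMP Destination Unreachable Protocol Unreachable [**]
[Classification: Misc activity] [Priority: 3]
04/07-23:12:37.586514 10.0.0.2 -> 10.0.0.100
ICMP TTL:255 TOS:0x0 ID:24 IpLen:20 DgmLen:56
Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.100:50838 -> 10.0.0.2:445
TCP TTL:64 TOS:0x0 ID:17710 IpLen:20 DgmLen:60 DF
Seq: 0x4C552250
"""

CONSOLE_ALERTS = """\
04/18-04:32:12.474140  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:13.474803  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:14.475259  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:15.476480  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
"""


def split_records(text):
    """A record starts on the line holding the [**] gid:sid:rev header and runs
    to the next such line (one line for console output, several for full)."""
    records, current = [], []
    for line in text.splitlines():
        if HEADER_RE.search(line):
            if current:
                records.append("\n".join(current))
            current = [line]
        elif current and line.strip():
            current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def _endpoints(text):
    m = ADDR_RE.search(text)
    if not m:
        return {}
    return {"src": m.group(1), "sport": int(m.group(2)) if m.group(2) else None,
            "dst": m.group(3), "dport": int(m.group(4)) if m.group(4) else None}


def parse_record(record):
    header = HEADER_RE.search(record)
    cls = CLASS_RE.search(record)
    ts = TS_RE.search(record)
    proto = PROTO_RE.search(record)
    alert = {
        "gid": int(header.group(1)), "sid": int(header.group(2)),
        "rev": int(header.group(3)), "msg": header.group(4),
        "classification": cls.group(1) if cls else None,
        "priority": int(cls.group(2)) if cls else None,
        "timestamp": ts.group(0) if ts else None,
        "proto": (proto.group(1) or proto.group(2)) if proto else None,
    }
    # An ICMP error record quotes the packet that provoked it. Parse that part
    # separately and cut it off, so the outer endpoints are the alerting packet's.
    orig = ORIG_RE.search(record)
    if orig:
        alert["original"] = _endpoints(orig.group(1))
        record = record[:orig.start()]
    alert.update(_endpoints(record))
    return alert


def parse_alerts(text):
    return [parse_record(r) for r in split_records(text)]


def summarize(alerts):
    """Per-SID count and distinct source hosts: the first triage cut on an alert file."""
    summary = {}
    for a in alerts:
        entry = summary.setdefault(a["sid"], {"msg": a["msg"], "count": 0, "sources": set()})
        entry["count"] += 1
        entry["sources"].add(a["src"])
    for entry in summary.values():
        entry["sources"] = sorted(entry["sources"])
    return summary


if __name__ == "__main__":
    for text in (FULL_ALERT, CONSOLE_ALERTS):
        for sid, entry in summarize(parse_alerts(text)).items():
            print(sid, entry["count"], entry["msg"], entry["sources"])
```

Run it against a real alert file with parse_alerts(open("alert").read()); keeping the quoted original datagram separate is what lets you tell, for the sid 404 record above, that the host to look at is 10.0.0.2 (the one sending ICMP errors for port 445), not the alert's nominal destination.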

When the pcap containing the share enumeration traffic was fed to Snort, no alerts were generated.

root@securitynik:~/cme# snort -A console -K none -c /etc/snort/snort.conf -r cme-enum-shares.pcap 
....
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          487 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================


As can be seen above, no alerts were created and all 487 packets passed through with an Allow verdict.


root@securitynik:~/cme# snort -A full -K ascii -l . -r cme-enum-users.pcap -c /etc/snort/snort.conf 

Looking at the user enumeration capture, we see that no alerts were created yet again.


===============================================================================
Packet I/O Totals:
   Received:          438
   Analyzed:          438 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          442 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          437 ( 98.869%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:          437 ( 98.869%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            5 (  1.131%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            4 (  0.905%)
      Total:          442
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          438 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================

Let's run Snort against the packet capture containing the password policy retrieval and see if anything shows up.


root@securitynik:~/cme# snort -r cme-pass-pol.pcap -A console -K none -c /etc/snort/snort.conf 
.............
===============================================================================
Run time for packet processing was 0.3095 seconds
Snort processed 113 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:          113
===============================================================================
....
===============================================================================
Packet I/O Totals:
   Received:          113
   Analyzed:          113 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
....

===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          113 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================

Uh Oh! Once again Snort analyzed every one of the 113 packets (Received 113, Analyzed 113, 100%) and not a single rule matched. This is not a visibility problem; the packets are all there. It is a detection problem: nothing in the default ruleset describes this traffic.

Let's now see what the communication looks like when CrackMapExec runs a PowerShell command.


root@securitynik:~/cme# snort -A console -K none -c /etc/snort/snort.conf -r cme-powershell.pcap 

Commencing packet processing (pid=7651)
04/18-04:32:12.474140  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:13.474803  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:14.475259  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:15.476480  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
===============================================================================
Run time for packet processing was 1.751 seconds
Snort processed 247 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
   Pkts/sec:          247
===============================================================================
Packet I/O Totals:
   Received:          247
   Analyzed:          247 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          250 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          242 ( 96.800%)
....
        UDP:            4 (  1.600%)
        TCP:          238 ( 95.200%)
....
Bad Chk Sum:          127 ( 50.800%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            3 (  1.200%)
     S5 G 2:            0 (  0.000%)
      Total:          250
===============================================================================
Action Stats:
     Alerts:            4 (  1.600%)
     Logged:            4 (  1.600%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          247 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================

Four alerts, but all four are sid 1917 firing on UPnP/SSDP discovery multicast from 10.0.0.3 to 239.255.255.250:1900, which has nothing to do with the PowerShell execution. Worse, look at the breakdown: "Bad Chk Sum: 127 (50.800%)". Snort verifies checksums by default (config checksum_mode: all) and does not run detection on packets whose checksums fail, on the grounds that the receiving host would discard them anyway. So half of this capture was never inspected at all. A bad-checksum rate of roughly one half, all in one direction, is the classic sign of a capture taken on a host with TCP checksum offload enabled: the kernel hands the NIC a packet with an unfinished checksum and libpcap copies it before the NIC fills it in. The fixes are to disable offload on the capture interface before capturing (ethtool -K <iface> tx off) or, for captures you already have, to set config checksum_mode: none in snort.conf so that Snort inspects them.
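To see what a 50% bad-checksum count actually means, here is a checker that walks a pcap and verifies the IPv4 header and TCP checksums the way Snort's decoder does before deciding whether a packet is worth inspecting. It is an added example, not Snort code and not from the original post. The pcap it reads is built in memory from constructed frames: a correctly checksummed SYN to 10.0.0.2:445 modelled on the one quoted in the alert above, the same SYN with the half-finished checksum a TX-offload capture shows, and an ARP frame. The MAC addresses, the IP identifier and the timestamps in the builder are made up.

```python
"""Count IPv4/TCP packets in a pcap whose checksums fail verification, which is
what Snort's 'Bad Chk Sum' counter reports and its detection engine then skips.
Standard library only: the pcap reader, frame parser and packet builder are inline.
Added example for this post, not Snort code."""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic, microsecond timestamps


def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    """Internet checksum: complement of the one's complement sum. A header or
    segment that already carries a correct checksum sums to zero."""
    return ~ones_complement_sum(data) & 0xFFFF


def tcp_pseudo_header(src, dst, seg_len):
    return src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len)


def classify_frame(frame):
    """Classify one Ethernet frame: non-ip, non-tcp, ok, bad-ip-csum or bad-tcp-csum."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-ip"
    ihl = (frame[14] & 0x0F) * 4
    if checksum(frame[14:14 + ihl]) != 0:
        return "bad-ip-csum"
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != socket.IPPROTO_TCP:
        return "non-tcp"
    src, dst = frame[26:30], frame[30:34]
    segment = frame[14 + ihl:14 + total_len]  # drop any Ethernet padding
    pseudo = tcp_pseudo_header(src, dst, len(segment))
    return "ok" if checksum(pseudo + segment) == 0 else "bad-tcp-csum"


def iter_pcap_frames(data):
    """Yield raw frames from classic pcap bytes (either byte order, Ethernet link type)."""
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def checksum_report(pcap_bytes):
    """Counter of classifications; 'bad-tcp-csum' is the figure Snort refuses to inspect."""
    return Counter(classify_frame(f) for f in iter_pcap_frames(pcap_bytes))


def build_syn_frame(src_ip, dst_ip, sport, dport, seq, offload=False):
    """Ethernet/IPv4/TCP SYN. With offload=True the TCP checksum field holds only the
    pseudo-header partial sum, which is what a capture on a Linux sender with TX
    checksum offload shows: the NIC would finish the sum after libpcap copied the frame.
    MACs and the IP identifier are constructed values."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 64240, 0, 0)
    pseudo = tcp_pseudo_header(src, dst, len(tcp))
    field = ones_complement_sum(pseudo) if offload else checksum(pseudo + tcp)
    tcp = tcp[:16] + struct.pack("!H", field) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 17710, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00\x0c\x29\x00\x00\x02" + b"\x00\x0c\x29\x00\x00\x01" + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1554700000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed ARP request frame (ethertype 0x0806); Snort counts these under ARP, not IP4.
ARP_FRAME = b"\xff" * 6 + b"\x00\x0c\x29\x00\x00\x01" + b"\x08\x06" + b"\x00" * 28

SAMPLE_PCAP = write_pcap([
    build_syn_frame("10.0.0.100", "10.0.0.2", 50838, 445, 0x4C552250),
    build_syn_frame("10.0.0.100", "10.0.0.2", 50838, 445, 0x4C552250, offload=True),
    ARP_FRAME,
])

if __name__ == "__main__":
    print(checksum_report(SAMPLE_PCAP))
```

Run checksum_report(open("cme-powershell.pcap", "rb").read()) against a real capture and the bad-tcp-csum count should line up with Snort's "Bad Chk Sum" line; if it is close to half the TCP packets and every one of them was sent by the capturing host, it is offload, not corruption, and config checksum_mode: none is the right response for that capture.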

Let's move on now to running Snort against the final command. In this case, we will be running Snort against the pcap which contains our "ncat.exe" execution.


root@securitynik:~/cme# snort -A console -K none -r cme-ncat.pcap -c /etc/snort/snort.conf 
......
===============================================================================
Run time for packet processing was 1.2717 seconds
Snort processed 356 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
   Pkts/sec:          356
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       44724224
  Bytes in mapped regions (hblkhd):      13574144
  Total allocated space (uordblks):      40400432
  Total free space (fordblks):           4323792
  Topmost releasable block (keepcost):   3680
===============================================================================
Packet I/O Totals:
   Received:          356
   Analyzed:          356 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          360 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          360 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:          360 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:          192 ( 53.333%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            3 (  0.833%)
     S5 G 2:            1 (  0.278%)
      Total:          360
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          356 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================


Bummer!! Once again there are no alerts, and again "Bad Chk Sum: 192 (53.333%)" shows that more than half of the packets were never even handed to the detection engine. By default, we have a lot of blind spots.

Well let's wrap up this post here.

Important Note: One of the reasons I used the default ruleset without any modification, such as enabling or disabling rules, is to emphasize the importance of configuring and customizing your security tools for your specific environment. That is true of every security tool that gives you the ability to tune it to your environment: the defaults are a starting point, not a detection strategy.
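What customizing looks like in practice, as an added example that is not part of the original post or of the Snort distribution: the dcerpc2 statistics for the scan capture count SMB Negotiate requests to port 445 that the community ruleset said nothing about, and CrackMapExec's SMB actions all begin with that negotiate (an assumption about the other captures, which this post does not decode). A local rule that fires on a burst of SMB negotiates from one source, plus the checksum_mode change, would have turned at least the session setup in these captures into alerts. The ipvar SMB_ADMIN_HOSTS list, the threshold of 5 negotiates in 60 seconds and the sid numbers are assumptions to tune for your own network; sids from 1000000 up are the range reserved for local rules.

```snort
# --- snort.conf additions (assumed; adjust to your environment) ---
# Hosts that legitimately open SMB sessions to many machines (jump hosts, scanners, backup).
ipvar SMB_ADMIN_HOSTS [10.0.0.50]
# Default is "all": packets with bad checksums are never inspected. For captures taken
# on a host with TX checksum offload that silently discards half the traffic.
config checksum_mode: none
include $RULE_PATH/local.rules

# --- $RULE_PATH/local.rules ---
# SMB1 Negotiate Protocol request (command 0x72) over direct TCP on 445.
# The NBSS header is 4 bytes, so "\xFFSMB" sits at offset 4 and the command byte follows it.
alert tcp !$SMB_ADMIN_HOSTS any -> $HOME_NET 445 (msg:"LOCAL SMB1 negotiate burst from one source - possible SMB enumeration"; flow:to_server,established; content:"|FF|SMB|72|"; offset:4; depth:5; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)

# SMB2 Negotiate (command 0x0000). Command is 2 bytes little-endian at absolute offset 16:
# 4 NBSS + 4 ProtocolId + 2 StructureSize + 2 CreditCharge + 4 Status.
alert tcp !$SMB_ADMIN_HOSTS any -> $HOME_NET 445 (msg:"LOCAL SMB2 negotiate burst from one source - possible SMB enumeration"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|00 00|"; distance:8; within:2; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000002; rev:1;)
```

Validate the configuration with snort -T -c /etc/snort/snort.conf before replaying the captures, and expect to raise the detection_filter count on networks where ordinary workstations open SMB sessions to many file servers; the point is that the threshold is yours to set, which is exactly what the default ruleset cannot do for you.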

References:
Snort

Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis
