root@securitynik:~# snort -A full -K ascii -l . -r cme-scan.pcap -c /etc/snort/snort.conf
Commencing packet processing (pid=5478)
===============================================================================
Run time for packet processing was 1.4221 seconds
Snort processed 1570 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
   Pkts/sec:         1570
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       45666304
  Bytes in mapped regions (hblkhd):      13574144
  Total allocated space (uordblks):      40400688
  Total free space (fordblks):           5265616
  Topmost releasable block (keepcost):   93600
===============================================================================
Packet I/O Totals:
   Received:         1570
   Analyzed:         1570 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         1572 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:           51 (  3.244%)
       Frag:            0 (  0.000%)
       ICMP:            1 (  0.064%)
        UDP:            0 (  0.000%)
        TCP:           50 (  3.181%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:         1521 ( 96.756%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            2 (  0.127%)
      Total:         1572
===============================================================================
Action Stats:
     Alerts:            1 (  0.064%)
     Logged:            1 (  0.064%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:         1570 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
===============================================================================
Stream statistics:
            Total sessions: 4
              TCP sessions: 4
              UDP sessions: 0
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 4
TCP StreamTrackers Deleted: 4
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 21
     TCP Segments Released: 21
       TCP Rebuilt Packets: 9
         TCP Segments Used: 16
              TCP Discards: 0
                  TCP Gaps: 1
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
           Internal Events: 0
           TCP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 48
           UDP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 0
===============================================================================
===============================================================================
SMTP Preprocessor Statistics
  Total sessions                                    : 0
  Max concurrent sessions                           : 0
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 3
  Total sessions aborted: 3
  Transports
    SMB
      Total sessions: 3
      Packet stats
        Packets: 6
        Maximum outstanding requests: 1
        SMB command requests/responses processed
          Negotiate (0x72) : 3/0
===============================================================================
===============================================================================
SIP Preprocessor Statistics
  Total sessions: 0
===============================================================================
Snort exiting
Let's see if our "alert" file was created.
root@securitynik:~/cme# ls .
10.0.0.2  alert
Now that we know the "alert" file exists (the 10.0.0.2 directory next to it is where -K ascii wrote the packet logs, one directory per source IP), let's see what type of alerts were created.
root@securitynik:~/cme# cat alert
[**] [1:404:6] ICMP Destination Unreachable Protocol Unreachable [**]
[Classification: Misc activity] [Priority: 3]
04/07-23:12:37.586514 10.0.0.2 -> 10.0.0.100
ICMP TTL:255 TOS:0x0 ID:24 IpLen:20 DgmLen:56
Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.100:50838 -> 10.0.0.2:445
TCP TTL:64 TOS:0x0 ID:17710 IpLen:20 DgmLen:60 DF
Seq: 0x4C552250
From Snort's perspective, the only thing detected in the scan was a single ICMP Destination Unreachable (Type 3, Code 2, Protocol Unreachable) sent by 10.0.0.2 and matched by rule 1:404. The ORIGINAL DATAGRAM DUMP shows what provoked it: our TCP segment from 10.0.0.100:50838 to 10.0.0.2:445. The SMB traffic itself, the three negotiate-only sessions the dcerpc2 preprocessor counted above, raised nothing.
When the pcap containing the share enumeration traffic was fed to Snort, no alerts were generated.
root@securitynik:~/cme# snort -A console -K none -c /etc/snort/snort.conf -r cme-enum-shares.pcap
....
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          487 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
As can be seen above, no alerts were created and 487 packets were allowed.
root@securitynik:~/cme# snort -A full -K ascii -l . -r cme-enum-users.pcap -c /etc/snort/snort.conf
===============================================================================
Packet I/O Totals:
   Received:          438
   Analyzed:          438 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          442 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          437 ( 98.869%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:          437 ( 98.869%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            5 (  1.131%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:            0 (  0.000%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            0 (  0.000%)
     S5 G 2:            4 (  0.905%)
      Total:          442
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          438 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
Looking at the user enumeration, we see no alerts were created yet again.
Let's run Snort against the packet capture containing the password policy enumeration (cme-pass-pol.pcap) and see if anything shows up.
root@securitynik:~/cme# snort -r cme-pass-pol.pcap -A console -K none -c /etc/snort/snort.conf
.............
===============================================================================
Run time for packet processing was 0.3095 seconds
Snort processed 113 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
   Pkts/sec:          113
===============================================================================
....
===============================================================================
Packet I/O Totals:
   Received:          113
   Analyzed:          113 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
....
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          113 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
Uh oh! Once again, no alerts: Snort analyzed all 113 packets, but nothing in the default ruleset matched, so from the IDS's point of view the password policy enumeration was invisible.
Let's now see what the communication looks like when CrackMapExec runs a PowerShell command.
root@securitynik:~/cme# snort -A console -K none -c /etc/snort/snort.conf -r cme-powershell.pcap
Commencing packet processing (pid=7651)
04/18-04:32:12.474140  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:13.474803  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:14.475259  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:15.476480  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
===============================================================================
Run time for packet processing was 1.751 seconds
Snort processed 247 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
   Pkts/sec:          247
===============================================================================
Packet I/O Totals:
   Received:          247
   Analyzed:          247 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          250 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          242 ( 96.800%)
....
        UDP:            4 (  1.600%)
        TCP:          238 ( 95.200%)
....
Bad Chk Sum:          127 ( 50.800%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            3 (  1.200%)
     S5 G 2:            0 (  0.000%)
      Total:          250
===============================================================================
Action Stats:
     Alerts:            4 (  1.600%)
     Logged:            4 (  1.600%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          247 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
So above we got four alerts, but all four are the same signature (1:1917, SCAN UPnP service discover attempt): SSDP multicast discovery from 10.0.0.3 to 239.255.255.250:1900 over UDP. That is background chatter, not the CrackMapExec PowerShell execution we care about, which travelled in the 238 TCP packets and produced nothing. Note also that 127 of the 250 decoded packets (50.8%) were counted under Bad Chk Sum; that number matters for how much the silence is worth.
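Two alert formats appear on this page: the -A full record written to the "alert" file earlier, and the one-line -A console records above. The parser below, an added example that is not code from the original post, reads both into the same structured record so the events can be counted per signature; the sample text is constructed from the alerts shown on this page. It also handles the one trap in the full format: an ICMP error alert embeds the offending datagram's own TCP/UDP header, which must not be mistaken for the alert's protocol.

```python
"""Parse Snort 2 alerts from the -A full 'alert' file and the -A console
stream into one record type.  Added example; samples are reconstructed
from the alerts shown on this page, not read from the original files."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TS = r"\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+"          # Snort's MM/DD-HH:MM:SS.usec
SIG_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
CLASS_RE = re.compile(r"\[Classification:\s*([^\]]+)\]")
PRIO_RE = re.compile(r"\[Priority:\s*(\d+)\]")
PROTO_TAG_RE = re.compile(r"\{(\w+)\}")              # console mode: {UDP}
PROTO_LINE_RE = re.compile(r"^([A-Z0-9]+)\s+TTL:")   # full mode: "ICMP TTL:255 ..."
ENDPOINTS_RE = re.compile(rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+"
                          rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?\s*$")


@dataclass(frozen=True)
class SnortAlert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    proto: Optional[str]          # None if Snort did not print one
    src: str
    src_port: Optional[int]       # None for ICMP
    dst: str
    dst_port: Optional[int]


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def _build(ts: str, sig, tags: str, proto: Optional[str], ends) -> SnortAlert:
    cls, prio = CLASS_RE.search(tags), PRIO_RE.search(tags)
    return SnortAlert(ts, int(sig[1]), int(sig[2]), int(sig[3]), sig[4],
                      cls[1].strip() if cls else None, int(prio[1]) if prio else None,
                      proto, ends["src"], _port(ends["sport"]), ends["dst"], _port(ends["dport"]))


def parse_console(text: str) -> List[SnortAlert]:
    """-A console: one event per line; banner and statistics lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if "[**]" not in line:
            continue
        ts, sig, ends = re.match(TS, line), SIG_RE.search(line), ENDPOINTS_RE.search(line)
        if not (ts and sig and ends):
            raise ValueError(f"unparseable console alert: {line}")
        proto = PROTO_TAG_RE.search(line)
        alerts.append(_build(ts[0], sig, line, proto[1] if proto else None, ends))
    return alerts


def parse_full(text: str) -> List[SnortAlert]:
    """-A full: a record starts at the [**] signature line; the timestamp line
    carries the endpoints and the line right after it the protocol header.
    Only that next line is read, so an ICMP error alert's embedded
    ORIGINAL DATAGRAM DUMP (with its own TCP header) is not misread."""
    alerts, record = [], []
    for line in text.splitlines():
        if line.startswith("[**]"):
            if record:
                alerts.append(_parse_full_record(record))
            record = [line]
        elif record:
            record.append(line)
    if record:
        alerts.append(_parse_full_record(record))
    return alerts


def _parse_full_record(lines: List[str]) -> SnortAlert:
    sig = SIG_RE.search(lines[0])
    if not sig:
        raise ValueError(f"bad signature line: {lines[0]}")
    for i in range(1, len(lines)):
        ts = re.match(TS, lines[i])
        if not ts:
            continue
        ends = ENDPOINTS_RE.search(lines[i])
        if not ends:
            raise ValueError(f"bad endpoint line: {lines[i]}")
        nxt = PROTO_LINE_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        return _build(ts[0], sig, " ".join(lines[1:i]), nxt[1] if nxt else None, ends)
    raise ValueError("record has no timestamp line")


def summarize(alerts: List[SnortAlert]) -> Dict[Tuple[int, int, str], int]:
    """Events per signature: the first thing to look at after a run."""
    return dict(Counter((a.gid, a.sid, a.msg) for a in alerts))


# Constructed samples, copied from the alerts shown on this page.
FULL_SAMPLE = """\
[**] [1:404:6] ICMP Destination Unreachable Protocol Unreachable [**]
[Classification: Misc activity] [Priority: 3]
04/07-23:12:37.586514 10.0.0.2 -> 10.0.0.100
ICMP TTL:255 TOS:0x0 ID:24 IpLen:20 DgmLen:56
Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.100:50838 -> 10.0.0.2:445
TCP TTL:64 TOS:0x0 ID:17710 IpLen:20 DgmLen:60 DF
Seq: 0x4C552250
"""
CONSOLE_SAMPLE = """\
Commencing packet processing (pid=7651)
04/18-04:32:12.474140  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
04/18-04:32:13.474803  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.3:56736 -> 239.255.255.250:1900
"""

if __name__ == "__main__":
    for a in parse_full(FULL_SAMPLE) + parse_console(CONSOLE_SAMPLE):
        print(f"{a.timestamp} {a.gid}:{a.sid}:{a.rev} {a.proto} "
              f"{a.src}:{a.src_port} -> {a.dst}:{a.dst_port}  {a.msg}")
    print(summarize(parse_console(CONSOLE_SAMPLE)))
```

Point parse_full at the "alert" file and parse_console at saved console output; summarize then gives the per-signature counts, which here collapse the four console lines to one signature and make it obvious that the ICMP and SSDP events are the only things the default ruleset had to say.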
Let's move on now to running Snort against the final command. In this case, we will be running Snort against the pcap which contains our "ncat.exe" execution.
root@securitynik:~/cme# snort -A console -K none -r cme-ncat.pcap -c /etc/snort/snort.conf
......
===============================================================================
Run time for packet processing was 1.2717 seconds
Snort processed 356 packets.
Snort ran for 0 days 0 hours 0 minutes 1 seconds
   Pkts/sec:          356
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       44724224
  Bytes in mapped regions (hblkhd):      13574144
  Total allocated space (uordblks):      40400432
  Total free space (fordblks):           4323792
  Topmost releasable block (keepcost):   3680
===============================================================================
Packet I/O Totals:
   Received:          356
   Analyzed:          356 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          360 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:          360 (100.000%)
       Frag:            0 (  0.000%)
       ICMP:            0 (  0.000%)
        UDP:            0 (  0.000%)
        TCP:          360 (100.000%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:            0 (  0.000%)
        IPX:            0 (  0.000%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
      Other:            0 (  0.000%)
Bad Chk Sum:          192 ( 53.333%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:            3 (  0.833%)
     S5 G 2:            1 (  0.278%)
      Total:          360
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          356 (100.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
Bummer!! Once again, we see there are no alerts. Guess by default, we may have lots of blind spots.
One caveat before putting all of the blame on the ruleset: in both the PowerShell run and this ncat run more than half of the decoded packets were counted under Bad Chk Sum (127 of 250 and 192 of 360). With Snort's default checksum_mode, a packet that fails checksum verification is decoded and counted but is not matched against the rules, and bad checksums are exactly what a capture looks like when it was taken on the sending host with checksum offloading enabled. Re-running those two pcaps with -k none (or config checksum_mode: none in snort.conf) tells you whether the silence is a rule gap or a verification gap; only the former is fixed by writing rules.
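The check above can be automated from Snort's own end-of-run statistics. The script below is an added example, not code from the original post: it parses the summary section by section (the word "Alerts" appears under both "Action Stats" and "Frag3 statistics", so the section must be tracked), then decides whether "Alerts: 0" is a usable negative or whether too many packets never reached the rules because of checksum failures. The two sample summaries are constructed from the scan and ncat runs on this page, abridged to the sections the check needs, and the 5% threshold is this example's choice.

```python
"""Triage a Snort 2 end-of-run summary: was 'Alerts: 0' a real negative, or
were most packets excluded from rule matching by checksum verification?
Added example, not from the original post.  With Snort's default
checksum_mode, packets that fail checksum verification are not matched
against the rules; the 5% threshold below is this example's own choice."""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# "Action Stats:" style section headers vs. "     Alerts:   0 (  0.000%)" counters
HEADER_RE = re.compile(r"^\s*(?P<name>[A-Za-z][^:]*):\s*$")
VALUE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 /]*?):\s+(?P<val>\d+)"
                      r"(?:\s+\(\s*(?P<pct>\d+\.\d+)%\))?\s*$")
BREAKDOWN = "Breakdown by protocol (includes rebuilt packets)"


def parse_summary(text: str) -> Dict[Tuple[str, str], int]:
    """Map (section, counter) -> value, keeping same-named counters apart."""
    stats, section = {}, ""
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            section = header["name"].strip()
            continue
        value = VALUE_RE.match(line)
        if value:
            stats[(section, value["key"].strip())] = int(value["val"])
    return stats


@dataclass
class Verdict:
    received: int
    alerts: int
    bad_checksum: int
    bad_checksum_pct: float
    conclusive: bool
    reason: str


def triage(summary_text: str, max_bad_checksum_ratio: float = 0.05) -> Verdict:
    s = parse_summary(summary_text)
    received = s[("Packet I/O Totals", "Received")]
    alerts = s[("Action Stats", "Alerts")]
    decoded = s.get((BREAKDOWN, "Total"), received)       # Snort's own percentage base
    bad = s.get((BREAKDOWN, "Bad Chk Sum"), 0)
    ratio = bad / decoded if decoded else 0.0
    if ratio > max_bad_checksum_ratio:
        return Verdict(received, alerts, bad, 100.0 * ratio, False,
                       f"{bad} of {decoded} decoded packets failed checksum verification and "
                       "were not matched against the rules; re-run with -k none "
                       "(or 'config checksum_mode: none') before reading anything into the alert count")
    if alerts == 0:
        return Verdict(received, alerts, bad, 100.0 * ratio, True,
                       "checksums verified and nothing fired: the loaded rules do not cover this traffic")
    return Verdict(received, alerts, bad, 100.0 * ratio, True, f"{alerts} alert(s) fired")


# Constructed samples: the scan and ncat summaries from this page, abridged.
SCAN_RUN = """\
===============================================================================
Snort processed 1570 packets.
   Pkts/sec:         1570
===============================================================================
Packet I/O Totals:
   Received:         1570
   Analyzed:         1570 (100.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:         1572 (100.000%)
       ICMP:            1 (  0.064%)
        TCP:           50 (  3.181%)
        ARP:         1521 ( 96.756%)
Bad Chk Sum:            0 (  0.000%)
      Total:         1572
===============================================================================
Action Stats:
     Alerts:            1 (  0.064%)
     Logged:            1 (  0.064%)
Verdicts:
      Allow:         1570 (100.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
                 Alerts: 0
===============================================================================
"""
NCAT_RUN = """\
===============================================================================
Packet I/O Totals:
   Received:          356
   Analyzed:          356 (100.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:          360 (100.000%)
        TCP:          360 (100.000%)
Bad Chk Sum:          192 ( 53.333%)
      Total:          360
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
Verdicts:
      Allow:          356 (100.000%)
===============================================================================
"""

if __name__ == "__main__":
    for name, run in (("scan", SCAN_RUN), ("ncat", NCAT_RUN)):
        v = triage(run)
        print(f"{name}: alerts={v.alerts} bad_checksum={v.bad_checksum} "
              f"({v.bad_checksum_pct:.1f}%) conclusive={v.conclusive}: {v.reason}")
```

Feed it the saved console output of each run (snort ... 2>&1 | tee run.txt) and it flags the ncat and PowerShell runs as inconclusive while accepting the scan and enumeration runs, which had zero checksum failures, as genuine misses by the ruleset.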
Well let's wrap up this post here.
Important Note: One of the reasons I used the default ruleset without any modification, such as enabling or disabling any rule, is that I wanted to emphasize the importance of configuring and customizing your security tools for your specific environment. This is true for every security tool that gives you the ability to customize it for your unique environment.
References:
Snort
Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis