1 / 25

Attack signatures derived from Metasploit Final Presentation

Attack signatures derived from Metasploit Final Presentation. E. Ramirez ( ramirez@eurecom.fr ) A. Zoghbi ( zoghbi@eurecom.fr ) Institut Eurecom. Outline. Introduction Project tools and components Different tools used. How it all fits together Tools interaction, project schematic.

umeko
Download Presentation

Attack signatures derived from Metasploit Final Presentation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Attack signatures derived from MetasploitFinal Presentation E. Ramirez (ramirez@eurecom.fr) A. Zoghbi (zoghbi@eurecom.fr) Institut Eurecom

  2. Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion

  3. Introduction • Background information • Leurrecom database gathers data about attack processes found on the internet. • The data is presented in ‘numerical’ form, identifying port attack sequences, and grouping into clusters. • Clusters are only identified by the port attack sequence. • Need to ‘name’ clusters. • Project purpose • Identify clusters in Leurrécom database corresponding to released exploits. • Main tools needed • Metasploit framework for exploit execution. • Honeyd for data collection.

  4. Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion

  5. Project tools and components • Metasploit (www.metasploit.org) • Executes attacks based on exploit files. • Exploit files are written by individuals and released to community. • Metasploit allows us to launch attacks on dummy station running honeyd. • Honeyd(www.honeyd.org) • Emulates different operating systems (WIN98, NT, Linux) • Acts as ‘attack playground’ where attacks and intrusions can be observed. • Provides tcp dump of activity. • Dump is collected and analyzed. • VMWare • Allows integration of multiple logical stations on one physical machine.

  6. Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Unmatched clusters • Matched clusters • Analysis • Conclusion

  7. How it all fits together • Virtual station runs Metasploit and honeypots. • Dump data is collected into trace DB. • Core application analyzes traces and queries Leurrécom. • Clusters are identified and matched with attacks.

  8. Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion

  9. Manually identified exploits Name: Veritas Backup Exec Windows Remote Agent Overflow Disclosed: Jun 24 2005 Port seq num: 10000 Common use: ndmp - Network Data Management Protocol, Veritas Backup Exec Remote Agent. Name: Veritas Backup Exec Win Remote File Access Disclosed: Aug 12 2005 Port seq num: 6101 Common use: SynchroNet-rtc, Veritas Agent Browser for Backup Exec Name: Microsoft WINS MS04-045 Code Execution Disclosed: Dec 14 2004 Port seq num: 42 Common use: Windows Internet Naming Service (WINS).

  10. Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion

  11. Detailed operation • Big picture *Everything on Oracle

  12. Detailed operation cont. • Launchattack.pl • Purpose: obtain attack signature file • Input: None • Output: binary tcpdump file for each attack • Operation: • Query metasploit for all attacks and payloads • Start Honeyd • Launch attack on honeypot IP combination • Stop Honeyd (to release lock on log file) • Save log file with appropriate name

  13. Detailed operation • Convert_to_text.pl • Purpose: Convert binary tcpdump files to text files for easy parsing. • Input: binary tcpdump files • Output: text formatted log files • Operation: • For each tcpdump file in a given directory • Use tethereal –r to read dumpfile and generate text file • Save text file in an other directory

  14. Deep overview cont. • script_clusters_list.pl • Purpose: obtain cluster signature file • Input: Oracle database • Output: clusters.list • Operation: • Query Oracle database for cluster attributes (port sequence, packets sent, clusterid) • Compute average and standard deviation • Create cluster signature • Append signature to cluster signature file clusterid=73802 ports=6101 dev1=1 dev2=0 dev3=0 n1=2 n2=0 n3=0

  15. Detailed operation • honeyIDS.pm • Purpose: Compare cluster signature file to attack signature file • Input: Attack signature list, Cluster signature list • Output: unmatched_clusters.log, matched_clusters.log • Operation: • Based on original work by Quang. • Added comparison module that reads input files from a directory and compares each attack signature to all cluster signatures • If match found, save entry in matched_clusters.log • If no match found, save attack signature in unmatched_clusters.log

  16. Detailed operation • honeyIDS.pm (continued) • Entry format in unmatched_clusters.log attack=backupexec_ns.win32_downloadexec.192.168.1.12.13 ports=6101 T= N=1 n1=0 n2=1 n3=0

  17. Detailed operation • script_expl_desc.pl • Purpose: Gather information about exploit (release date, release by, description …), for documentation • Input: Metasploit exploit information • Output: Parsed exploit information • Operation: • Execute msfcli command with S flag for each attack • Obtain information, parse it and store it in exploit_info_<ver>.txt

  18. Detailed operation • graph_data.pl • Purpose: Generate match information that can be plotted for better visualization and analysis • Input: match_clusters.log, exploit description, Oracle database • Output: graph_data • Operation: • For each matched cluster, query the database for ±30 days relative to day 0, the exploit release day • Calculate average (avg) and standard deviation (std) of 61 days series • If within a window of ±5 days centered at day 0, we have a activity larger than avg + 2*std then attack/cluster correlation is strengthened. • Save cluster and matched peak date in graph_data

  19. Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion

  20. Results • 125 Attacks used • 11’200 dump files (attack+payload combo) • 3’200 left because of 0-byte dump files • 95’000 Clusters obtained from Oracle database • ~6’000 initial matches • ~2’100 unmatched attacks • ~500 confirmed matches (activity at or around exploit release day)

  21. Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion

  22. Analysis – Manually matched clusters Name: BakBone NetVault Remote Heap Overflow Disclosed: Apr 01 2005 Port seq num: 20031 Common use: overflow vulnerabilities in Bakbone NetVault product Clusterid: 85817 Name: CA CAM log_security() Stack Overflow (Win32) Disclosed: Oct 18 2005 Port seq num: 4105 Common use: Computer Associates Products Message Queuing Vulnerabilities Clusterid: 84041 Name: Veritas Backup Exec Win Remote File Access Disclosed: Aug 12 2005 Port seq num: 6101 Common use: SynchroNet-rtc, Veritas Agent Browser for Backup Exec Clusterid: 73803

  23. Analysis • Occurrence of peak attack per cluster and per day. • Used to generate next graph. • Cluster activity is logically centered around exploit release date. • Interesting behavior trend

  24. Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion

  25. Conclusion • Consistent results • Manually identified clusters appear in automatically generated matches • Cluster peak activity correctly centered around vulnerability disclosure date • Limitations • ‘Popular’ port sequences are difficult to match with low interaction honeypot outputs • Questions?

More Related