250 likes | 381 Views
Attack signatures derived from Metasploit Final Presentation. E. Ramirez ( ramirez@eurecom.fr ) A. Zoghbi ( zoghbi@eurecom.fr ) Institut Eurecom. Outline. Introduction Project tools and components Different tools used. How it all fits together Tools interaction, project schematic.
E N D
Attack signatures derived from MetasploitFinal Presentation E. Ramirez (ramirez@eurecom.fr) A. Zoghbi (zoghbi@eurecom.fr) Institut Eurecom
Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion
Introduction • Background information • Leurrecom database gathers data about attack processes found on the internet. • The data is presented in ‘numerical’ form, identifying port attack sequences, and grouping into clusters. • Clusters are only identified by the port attack sequence. • Need to ‘name’ clusters. • Project purpose • Identify clusters in Leurrécom database corresponding to released exploits. • Main tools needed • Metasploit framework for exploit execution. • Honeyd for data collection.
Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion
Project tools and components • Metasploit (www.metasploit.org) • Executes attacks based on exploit files. • Exploit files are written by individuals and released to community. • Metasploit allows us to launch attacks on dummy station running honeyd. • Honeyd(www.honeyd.org) • Emulates different operating systems (WIN98, NT, Linux) • Acts as ‘attack playground’ where attacks and intrusions can be observed. • Provides tcp dump of activity. • Dump is collected and analyzed. • VMWare • Allows integration of multiple logical stations on one physical machine.
Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Unmatched clusters • Matched clusters • Analysis • Conclusion
How it all fits together • Virtual station runs Metasploit and honeypots. • Dump data is collected into trace DB. • Core application analyzes traces and queries Leurrécom. • Clusters are identified and matched with attacks.
Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion
Manually identified exploits Name: Veritas Backup Exec Windows Remote Agent Overflow Disclosed: Jun 24 2005 Port seq num: 10000 Common use: ndmp - Network Data Management Protocol, Veritas Backup Exec Remote Agent. Name: Veritas Backup Exec Win Remote File Access Disclosed: Aug 12 2005 Port seq num: 6101 Common use: SynchroNet-rtc, Veritas Agent Browser for Backup Exec Name: Microsoft WINS MS04-045 Code Execution Disclosed: Dec 14 2004 Port seq num: 42 Common use: Windows Internet Naming Service (WINS).
Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion
Detailed operation • Big picture *Everything on Oracle
Detailed operation cont. • Launchattack.pl • Purpose: obtain attack signature file • Input: None • Output: binary tcpdump file for each attack • Operation: • Query metasploit for all attacks and payloads • Start Honeyd • Launch attack on honeypot IP combination • Stop Honeyd (to release lock on log file) • Save log file with appropriate name
Detailed operation • Convert_to_text.pl • Purpose: Convert binary tcpdump files to text files for easy parsing. • Input: binary tcpdump files • Output: text formatted log files • Operation: • For each tcpdump file in a given directory • Use tethereal –r to read dumpfile and generate text file • Save text file in an other directory
Deep overview cont. • script_clusters_list.pl • Purpose: obtain cluster signature file • Input: Oracle database • Output: clusters.list • Operation: • Query Oracle database for cluster attributes (port sequence, packets sent, clusterid) • Compute average and standard deviation • Create cluster signature • Append signature to cluster signature file clusterid=73802 ports=6101 dev1=1 dev2=0 dev3=0 n1=2 n2=0 n3=0
Detailed operation • honeyIDS.pm • Purpose: Compare cluster signature file to attack signature file • Input: Attack signature list, Cluster signature list • Output: unmatched_clusters.log, matched_clusters.log • Operation: • Based on original work by Quang. • Added comparison module that reads input files from a directory and compares each attack signature to all cluster signatures • If match found, save entry in matched_clusters.log • If no match found, save attack signature in unmatched_clusters.log
Detailed operation • honeyIDS.pm (continued) • Entry format in unmatched_clusters.log attack=backupexec_ns.win32_downloadexec.192.168.1.12.13 ports=6101 T= N=1 n1=0 n2=1 n3=0
Detailed operation • script_expl_desc.pl • Purpose: Gather information about exploit (release date, release by, description …), for documentation • Input: Metasploit exploit information • Output: Parsed exploit information • Operation: • Execute msfcli command with S flag for each attack • Obtain information, parse it and store it in exploit_info_<ver>.txt
Detailed operation • graph_data.pl • Purpose: Generate match information that can be plotted for better visualization and analysis • Input: match_clusters.log, exploit description, Oracle database • Output: graph_data • Operation: • For each matched cluster, query the database for ±30 days relative to day 0, the exploit release day • Calculate average (avg) and standard deviation (std) of 61 days series • If within a window of ±5 days centered at day 0, we have a activity larger than avg + 2*std then attack/cluster correlation is strengthened. • Save cluster and matched peak date in graph_data
Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion
Results • 125 Attacks used • 11’200 dump files (attack+payload combo) • 3’200 left because of 0-byte dump files • 95’000 Clusters obtained from Oracle database • ~6’000 initial matches • ~2’100 unmatched attacks • ~500 confirmed matches (activity at or around exploit release day)
Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion
Analysis – Manually matched clusters Name: BakBone NetVault Remote Heap Overflow Disclosed: Apr 01 2005 Port seq num: 20031 Common use: overflow vulnerabilities in Bakbone NetVault product Clusterid: 85817 Name: CA CAM log_security() Stack Overflow (Win32) Disclosed: Oct 18 2005 Port seq num: 4105 Common use: Computer Associates Products Message Queuing Vulnerabilities Clusterid: 84041 Name: Veritas Backup Exec Win Remote File Access Disclosed: Aug 12 2005 Port seq num: 6101 Common use: SynchroNet-rtc, Veritas Agent Browser for Backup Exec Clusterid: 73803
Analysis • Occurrence of peak attack per cluster and per day. • Used to generate next graph. • Cluster activity is logically centered around exploit release date. • Interesting behavior trend
Outline • Introduction • Project tools and components • Different tools used. • How it all fits together • Tools interaction, project schematic. • Initial identification • Detailed operation • Results • Analysis • Conclusion
Conclusion • Consistent results • Manually identified clusters appear in automatically generated matches • Cluster peak activity correctly centered around vulnerability disclosure date • Limitations • ‘Popular’ port sequences are difficult to match with low interaction honeypot outputs • Questions?