Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attack signatures derived from Metasploit Final Presentation E. Ramirez A. Zoghbi

Similar presentations


Presentation on theme: "Attack signatures derived from Metasploit Final Presentation E. Ramirez A. Zoghbi"— Presentation transcript:

1 Attack signatures derived from Metasploit Final Presentation E. Ramirez (ramirez@eurecom.fr) ramirez@eurecom.fr A. Zoghbi (zoghbi@eurecom.fr) zoghbi@eurecom.fr Institut Eurecom

2 2 Outline Introduction Introduction Project tools and components Project tools and components –Different tools used. How it all fits together How it all fits together –Tools interaction, project schematic. Initial identification Initial identification Detailed operation Detailed operation Results Results Analysis Analysis Conclusion Conclusion

3 3 Introduction Background information Background information –Leurrecom database gathers data about attack processes found on the internet. –The data is presented in ‘numerical’ form, identifying port attack sequences, and grouping into clusters. –Clusters are only identified by the port attack sequence. –Need to ‘name’ clusters. Project purpose Project purpose –Identify clusters in Leurrécom database corresponding to released exploits. Main tools needed Main tools needed –Metasploit framework for exploit execution. –Honeyd for data collection.

4 4 Outline Introduction Introduction Project tools and components Project tools and components –Different tools used. How it all fits together How it all fits together –Tools interaction, project schematic. Initial identification Initial identification Detailed operation Detailed operation Results Results Analysis Analysis Conclusion Conclusion

5 5 Project tools and components Metasploit (www.metasploit.org) Metasploit (www.metasploit.org)www.metasploit.org –Executes attacks based on exploit files. –Exploit files are written by individuals and released to community. –Metasploit allows us to launch attacks on dummy station running honeyd. Honeyd (www.honeyd.org) Honeyd (www.honeyd.org)www.honeyd.org –Emulates different operating systems (WIN98, NT, Linux) –Acts as ‘attack playground’ where attacks and intrusions can be observed. –Provides tcp dump of activity. –Dump is collected and analyzed. VMWare VMWare –Allows integration of multiple logical stations on one physical machine.

6 6 Outline Introduction Introduction Project tools and components Project tools and components –Different tools used. How it all fits together How it all fits together –Tools interaction, project schematic. Initial identification Initial identification Detailed operation Detailed operation Results Results –Unmatched clusters –Matched clusters Analysis Analysis Conclusion Conclusion

7 7 How it all fits together Virtual station runs Metasploit and honeypots. Virtual station runs Metasploit and honeypots. Dump data is collected into trace DB. Dump data is collected into trace DB. Core application analyzes traces and queries Leurrécom. Core application analyzes traces and queries Leurrécom. Clusters are identified and matched with attacks. Clusters are identified and matched with attacks.

8 8 Outline Introduction Introduction Project tools and components Project tools and components –Different tools used. How it all fits together How it all fits together –Tools interaction, project schematic. Initial identification Initial identification Detailed operation Detailed operation Results Results Analysis Analysis Conclusion Conclusion

9 9 Manually identified exploits Name: Veritas Backup Exec Win Remote File Access Disclosed: Aug 12 2005 Port seq num: 6101 Common use: SynchroNet-rtc, Veritas Agent Browser for Backup Exec Name: Veritas Backup Exec Windows Remote Agent Overflow Disclosed: Jun 24 2005 Port seq num: 10000 Common use: ndmp - Network Data Management Protocol, Veritas Backup Exec Remote Agent. Name: Microsoft WINS MS04-045 Code Execution Disclosed: Dec 14 2004 Port seq num: 42 Common use: Windows Internet Naming Service (WINS).

10 10 Outline Introduction Introduction Project tools and components Project tools and components –Different tools used. How it all fits together How it all fits together –Tools interaction, project schematic. Initial identification Initial identification Detailed operation Detailed operation Results Results Analysis Analysis Conclusion Conclusion

11 11 Detailed operation Big picture Big picture *Everything on Oracle

12 12 Detailed operation cont. Launchattack.pl Launchattack.pl –Purpose: obtain attack signature file –Input: None –Output: binary tcpdump file for each attack –Operation:  Query metasploit for all attacks and payloads  Start Honeyd  Launch attack on honeypot IP combination  Stop Honeyd (to release lock on log file)  Save log file with appropriate name

13 13 Detailed operation Convert_to_text.pl Convert_to_text.pl –Purpose: Convert binary tcpdump files to text files for easy parsing. –Input: binary tcpdump files –Output: text formatted log files –Operation:  For each tcpdump file in a given directory  Use tethereal –r to read dumpfile and generate text file  Save text file in an other directory

14 14 Deep overview cont. script_clusters_list.pl script_clusters_list.pl –Purpose: obtain cluster signature file –Input: Oracle database –Output: clusters.list –Operation:  Query Oracle database for cluster attributes (port sequence, packets sent, clusterid)  Compute average and standard deviation  Create cluster signature  Append signature to cluster signature file clusterid=73802 ports=6101 dev1=1 dev2=0 dev3=0 n1=2 n2=0 n3=0

15 15 Detailed operation honeyIDS.pm honeyIDS.pm –Purpose: Compare cluster signature file to attack signature file –Input: Attack signature list, Cluster signature list –Output: unmatched_clusters.log, matched_clusters.log –Operation:  Based on original work by Quang.  Added comparison module that reads input files from a directory and compares each attack signature to all cluster signatures  If match found, save entry in matched_clusters.log  If no match found, save attack signature in unmatched_clusters.log

16 16 Detailed operation honeyIDS.pm (continued) honeyIDS.pm (continued) Entry format in unmatched_clusters.log Entry format in unmatched_clusters.log attack=backupexec_ns.win32_downloadexec.192.168.1.12.13 ports=6101 T= N=1 n1=0 n2=1 n3=0

17 17 Detailed operation script_expl_desc.pl script_expl_desc.pl –Purpose: Gather information about exploit (release date, release by, description …), for documentation –Input: Metasploit exploit information –Output: Parsed exploit information –Operation:  Execute msfcli command with S flag for each attack  Obtain information, parse it and store it in exploit_info_.txt

18 18 Detailed operation graph_data.pl graph_data.pl –Purpose: Generate match information that can be plotted for better visualization and analysis –Input: match_clusters.log, exploit description, Oracle database –Output: graph_data –Operation:  For each matched cluster, query the database for ±30 days relative to day 0, the exploit release day  Calculate average (avg) and standard deviation (std) of 61 days series  If within a window of ±5 days centered at day 0, we have a activity larger than avg + 2*std then attack/cluster correlation is strengthened.  Save cluster and matched peak date in graph_data

19 19 Outline Introduction Introduction Project tools and components Project tools and components –Different tools used. How it all fits together How it all fits together –Tools interaction, project schematic. Initial identification Initial identification Detailed operation Detailed operation Results Results Analysis Analysis Conclusion Conclusion

20 20 Results 125 Attacks used 125 Attacks used 11’200 dump files (attack+payload combo) 11’200 dump files (attack+payload combo) 3’200 left because of 0-byte dump files 3’200 left because of 0-byte dump files 95’000 Clusters obtained from Oracle database 95’000 Clusters obtained from Oracle database ~6’000 initial matches ~6’000 initial matches ~2’100 unmatched attacks ~2’100 unmatched attacks ~500 confirmed matches (activity at or around exploit release day) ~500 confirmed matches (activity at or around exploit release day)

21 21 Outline Introduction Introduction Project tools and components Project tools and components –Different tools used. How it all fits together How it all fits together –Tools interaction, project schematic. Initial identification Initial identification Detailed operation Detailed operation Results Results Analysis Analysis Conclusion Conclusion

22 22 Analysis – Manually matched clusters Name: CA CAM log_security() Stack Overflow (Win32) Disclosed: Oct 18 2005 Port seq num: 4105 Common use: Computer Associates Products Message Queuing Vulnerabilities Clusterid: 84041 Name: BakBone NetVault Remote Heap Overflow Disclosed: Apr 01 2005 Port seq num: 20031 Common use: overflow vulnerabilities in Bakbone NetVault product Clusterid: 85817 Name: Veritas Backup Exec Win Remote File Access Disclosed: Aug 12 2005 Port seq num: 6101 Common use: SynchroNet-rtc, Veritas Agent Browser for Backup Exec Clusterid: 73803

23 23 Analysis Cluster activity is logically centered around exploit release date. Cluster activity is logically centered around exploit release date. Interesting behavior trend Interesting behavior trend Occurrence of peak attack per cluster and per day. Occurrence of peak attack per cluster and per day. Used to generate next graph. Used to generate next graph.

24 24 Outline Introduction Introduction Project tools and components Project tools and components –Different tools used. How it all fits together How it all fits together –Tools interaction, project schematic. Initial identification Initial identification Detailed operation Detailed operation Results Results Analysis Analysis Conclusion Conclusion

25 25 Conclusion Consistent results Consistent results –Manually identified clusters appear in automatically generated matches –Cluster peak activity correctly centered around vulnerability disclosure date Limitations Limitations –‘Popular’ port sequences are difficult to match with low interaction honeypot outputs Questions? Questions?


Download ppt "Attack signatures derived from Metasploit Final Presentation E. Ramirez A. Zoghbi"

Similar presentations


Ads by Google