Attack signatures derived from Metasploit Final Presentation - PowerPoint PPT Presentation

1 / 25
About This Presentation
Title:

Attack signatures derived from Metasploit Final Presentation

Description:

Honeyd for data collection. Outline Introduction Project tools and components Different tools used. How it all fits together Tools interaction, project schematic. – PowerPoint PPT presentation

Number of Views:101
Avg rating:3.0/5.0
Slides: 26
Provided by: Amj63
Category:

less

Transcript and Presenter's Notes

Title: Attack signatures derived from Metasploit Final Presentation


1
Attack signatures derived from MetasploitFinal
Presentation
  • E. Ramirez (ramirez_at_eurecom.fr)
  • A. Zoghbi (zoghbi_at_eurecom.fr)
  • Institut Eurecom

2
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

3
Introduction
  • Background information
  • Leurrecom database gathers data about attack
    processes found on the internet.
  • The data is presented in numerical form,
    identifying port attack sequences, and grouping
    into clusters.
  • Clusters are only identified by the port attack
    sequence.
  • Need to name clusters.
  • Project purpose
  • Identify clusters in Leurrécom database
    corresponding to released exploits.
  • Main tools needed
  • Metasploit framework for exploit execution.
  • Honeyd for data collection.

4
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

5
Project tools and components
  • Metasploit (www.metasploit.org)
  • Executes attacks based on exploit files.
  • Exploit files are written by individuals and
    released to community.
  • Metasploit allows us to launch attacks on dummy
    station running honeyd.
  • Honeyd (www.honeyd.org)
  • Emulates different operating systems (WIN98, NT,
    Linux)
  • Acts as attack playground where attacks and
    intrusions can be observed.
  • Provides tcp dump of activity.
  • Dump is collected and analyzed.
  • VMWare
  • Allows integration of multiple logical stations
    on one physical machine.

6
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Unmatched clusters
  • Matched clusters
  • Analysis
  • Conclusion

7
How it all fits together
  • Virtual station runs Metasploit and honeypots.
  • Dump data is collected into trace DB.
  • Core application analyzes traces and queries
    Leurrécom.
  • Clusters are identified and matched with attacks.

8
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

9
Manually identified exploits
Name Veritas Backup Exec Windows Remote Agent
Overflow Disclosed Jun 24 2005 Port seq num
10000 Common use ndmp - Network Data Management
Protocol, Veritas Backup Exec Remote Agent.
Name Veritas Backup Exec Win Remote File
Access Disclosed Aug 12 2005 Port seq num
6101 Common use SynchroNet-rtc, Veritas Agent
Browser for Backup Exec
Name Microsoft WINS MS04-045 Code Execution
Disclosed Dec 14 2004 Port seq num 42 Common
use Windows Internet Naming Service (WINS).
10
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

11
Detailed operation
  • Big picture

Everything on Oracle
12
Detailed operation cont.
  • Launchattack.pl
  • Purpose obtain attack signature file
  • Input None
  • Output binary tcpdump file for each attack
  • Operation
  • Query metasploit for all attacks and payloads
  • Start Honeyd
  • Launch attack on honeypot IP combination
  • Stop Honeyd (to release lock on log file)
  • Save log file with appropriate name

13
Detailed operation
  • Convert_to_text.pl
  • Purpose Convert binary tcpdump files to text
    files for easy parsing.
  • Input binary tcpdump files
  • Output text formatted log files
  • Operation
  • For each tcpdump file in a given directory
  • Use tethereal r to read dumpfile and generate
    text file
  • Save text file in an other directory

14
Deep overview cont.
  • script_clusters_list.pl
  • Purpose obtain cluster signature file
  • Input Oracle database
  • Output clusters.list
  • Operation
  • Query Oracle database for cluster attributes
    (port sequence, packets sent, clusterid)
  • Compute average and standard deviation
  • Create cluster signature
  • Append signature to cluster signature file

clusterid73802 ports6101 dev11 dev20 dev30
n12 n20 n30
15
Detailed operation
  • honeyIDS.pm
  • Purpose Compare cluster signature file to attack
    signature file
  • Input Attack signature list, Cluster signature
    list
  • Output unmatched_clusters.log,
    matched_clusters.log
  • Operation
  • Based on original work by Quang.
  • Added comparison module that reads input files
    from a directory and compares each attack
    signature to all cluster signatures
  • If match found, save entry in matched_clusters.log
  • If no match found, save attack signature in
    unmatched_clusters.log

16
Detailed operation
  • honeyIDS.pm (continued)
  • Entry format in unmatched_clusters.log

attackbackupexec_ns.win32_downloadexec.192.168.1.
12.13 ports6101 T N1 n10 n21 n30
17
Detailed operation
  • script_expl_desc.pl
  • Purpose Gather information about exploit
    (release date, release by, description ), for
    documentation
  • Input Metasploit exploit information
  • Output Parsed exploit information
  • Operation
  • Execute msfcli command with S flag for each
    attack
  • Obtain information, parse it and store it in
    exploit_info_ltvergt.txt

18
Detailed operation
  • graph_data.pl
  • Purpose Generate match information that can be
    plotted for better visualization and analysis
  • Input match_clusters.log, exploit description,
    Oracle database
  • Output graph_data
  • Operation
  • For each matched cluster, query the database for
    30 days relative to day 0, the exploit release
    day
  • Calculate average (avg) and standard deviation
    (std) of 61 days series
  • If within a window of 5 days centered at day 0,
    we have a activity larger than avg 2std then
    attack/cluster correlation is strengthened.
  • Save cluster and matched peak date in graph_data

19
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

20
Results
  • 125 Attacks used
  • 11200 dump files (attackpayload combo)
  • 3200 left because of 0-byte dump files
  • 95000 Clusters obtained from Oracle database
  • 6000 initial matches
  • 2100 unmatched attacks
  • 500 confirmed matches (activity at or around
    exploit release day)

21
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

22
Analysis Manually matched clusters
Name BakBone NetVault Remote Heap Overflow
Disclosed Apr 01 2005 Port seq num
20031 Common use overflow vulnerabilities in
Bakbone NetVault product Clusterid 85817
Name CA CAM log_security() Stack Overflow
(Win32) Disclosed Oct 18 2005 Port seq num
4105 Common use Computer Associates Products
Message Queuing Vulnerabilities Clusterid 84041
Name Veritas Backup Exec Win Remote File
Access Disclosed Aug 12 2005 Port seq num
6101 Common use SynchroNet-rtc, Veritas Agent
Browser for Backup Exec Clusterid 73803
23
Analysis
  • Occurrence of peak attack per cluster and per
    day.
  • Used to generate next graph.
  • Cluster activity is logically centered around
    exploit release date.
  • Interesting behavior trend

24
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

25
Conclusion
  • Consistent results
  • Manually identified clusters appear in
    automatically generated matches
  • Cluster peak activity correctly centered around
    vulnerability disclosure date
  • Limitations
  • Popular port sequences are difficult to match
    with low interaction honeypot outputs
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com