[Bro] Crowdstrike Additional Intel types

Andrew Ratcliffe andrew.ratcliffe at nswcsystems.co.uk
Tue Jan 13 00:30:25 PST 2015

Hi All,
I was trying out the Crowdstrike bro additional Intel framework types http://blog.crowdstrike.com/maximizing-network-threat-intel-bro/ and very cool they are too.

But does anyone know if the Intel::USER_NAME could be extended to CIFS/SMB where the username is in the clear?

I have seen APT activity where service accounts that have been cracked and then used to attempt to authenticate to devices around the network. A simple CIFS honeypot might be used to attract an attacker to attempt authentication.

Or even the metasploit module:

msf exploit(phpmyadmin_config) > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /root/johnpwfile
JOHNPWFILE => /root/johnpwfile
msf auxiliary(smb) > exploit
[*] Auxiliary module execution completed
msf auxiliary(smb) >
[*] Server started.
[*] SMB Captured - 2015-01-12 20:55:09 +0000
NTLMv2 Response Captured from -
USER:andy DOMAIN: OS:Mac OS X 10.10 LM:SMBFS 3.0.0
LMHASH:4d983d718a78a8692a5501f05c54f90a LM_CLIENT_CHALLENGE:cb67074c9d31d0bb
NTHASH:728a9e6db88b8b4ed3ff7832cfe8fc7e NT_CLIENT_CHALLENGE:0101000000000000009e550caa2ed001cb67074c9d31d0bb00000000000000000200000000000000

If it were possible to extend the scripts to examine the SMB username then the Intel framework would pick up on this activity just using a list of usernames that should not appear on the network.

Kind regards,
Andrew.Ratcliffe at NSWCSystems.co.uk<mailto:Andrew.Ratcliffe at NSWCSystems.co.uk>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150113/0e8c1c4f/attachment.html 

More information about the Bro mailing list