[Bro] Crowdstrike Additional Intel types

Andrew Ratcliffe andrew.ratcliffe at nswcsystems.co.uk
Tue Jan 13 00:30:25 PST 2015


Hi All,
I was trying out the Crowdstrike Bro additional Intel framework types http://blog.crowdstrike.com/maximizing-network-threat-intel-bro/ and very cool they are too.

But does anyone know if the Intel::USER_NAME could be extended to CIFS/SMB where the username is in the clear?

I have seen APT activity where service accounts have been cracked and then used to attempt to authenticate to devices around the network. A simple CIFS honeypot might be used to attract an attacker to attempt authentication.

Or even the metasploit module:

msf exploit(phpmyadmin_config) > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /root/johnpwfile
JOHNPWFILE => /root/johnpwfile
msf auxiliary(smb) > exploit
[*] Auxiliary module execution completed
msf auxiliary(smb) >
[*] Server started.
[*] SMB Captured - 2015-01-12 20:55:09 +0000
NTLMv2 Response Captured from 172.31.254.13:53729 - 172.31.254.13
USER:andy DOMAIN: OS:Mac OS X 10.10 LM:SMBFS 3.0.0
LMHASH:4d983d718a78a8692a5501f05c54f90a LM_CLIENT_CHALLENGE:cb67074c9d31d0bb
NTHASH:728a9e6db88b8b4ed3ff7832cfe8fc7e NT_CLIENT_CHALLENGE:0101000000000000009e550caa2ed001cb67074c9d31d0bb00000000000000000200000000000000

If it were possible to extend the scripts to examine the SMB username then the Intel framework would pick up on this activity just using a list of usernames that should not appear on the network.

Kind regards,
Andy
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA
Blog.InfoSecMatters.net (http://blog.infosecmatters.net/)
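A defender-side sketch of what the post asks for, added here as an example and not code from the original thread, from Bro, or from CrowdStrike: a Bro/Zeek script that hands the account name from each NTLM AUTHENTICATE message (which is how SMB carries the username in the clear) to the Intel framework as an Intel::USER_NAME sighting, so a list of decoy or retired usernames produces an Intel hit. It assumes a Bro/Zeek build with the NTLM analyzer and its ntlm_authenticate event, which later releases ship; the module name IntelNTLM and the IN_NTLM_USER_NAME location tag are my own.

```zeek
##! Added example (not from the original post): feed the account name
##! seen in NTLM authentication (SMB, and also HTTP/LDAP NTLM) into the
##! Intel framework as an Intel::USER_NAME indicator.
##! Assumption: a Bro/Zeek build that ships the NTLM analyzer and the
##! ntlm_authenticate event (newer than the 2015 release discussed above).

@load base/frameworks/intel
@load base/protocols/ntlm

module IntelNTLM;

export {
    ## Own location tag (an assumption, not a stock value) so NTLM hits
    ## can be told apart from other USER_NAME sightings in intel.log.
    redef enum Intel::Where += {
        IN_NTLM_USER_NAME,
    };
}

# The NTLM AUTHENTICATE message carries the user and domain names in
# the clear even though the password itself is only present as a hash
# response, so this is the point where a username list can be matched.
event ntlm_authenticate(c: connection, request: NTLM::Authenticate)
{
    # Anonymous or malformed authentications carry no user name.
    if ( ! request?$user_name || request$user_name == "" )
        return;

    # Normalise case so a list entry "andy" matches "Andy" or "ANDY".
    local user = to_lower(request$user_name);

    # Bare account name, e.g. "andy", matched against the intel list.
    Intel::seen([$indicator=user,
                 $indicator_type=Intel::USER_NAME,
                 $conn=c,
                 $where=IN_NTLM_USER_NAME]);

    # Also report DOMAIN\user so a list can pin an account to a domain
    # rather than flagging every account that happens to share the name.
    if ( request?$domain_name && request$domain_name != "" )
        Intel::seen([$indicator=fmt("%s\\%s", to_lower(request$domain_name), user),
                     $indicator_type=Intel::USER_NAME,
                     $conn=c,
                     $where=IN_NTLM_USER_NAME]);
}
```

The usernames to watch go in a tab-separated intel file with the usual `#fields indicator indicator_type meta.source meta.desc` header and rows such as `svc_backup<TAB>Intel::USER_NAME<TAB>honeytokens<TAB>decoy account`, loaded through `redef Intel::read_files`. A match then lands in intel.log with the connection UID, which is what the post wants the CIFS honeypot sightings to produce.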
