Attack signatures derived from Metasploit Final Presentation - PowerPoint PPT Presentation

About This Presentation
Title:

Attack signatures derived from Metasploit Final Presentation

Description:

Honeyd for data collection. Outline Introduction Project tools and components Different tools used. How it all fits together Tools interaction, project schematic. – PowerPoint PPT presentation

Number of Views:93
Avg rating:3.0/5.0
Slides: 26
Provided by: Amj63

Transcript and Presenter's Notes

1
Attack signatures derived from Metasploit: Final
Presentation
  • E. Ramirez (ramirez_at_eurecom.fr)
  • A. Zoghbi (zoghbi_at_eurecom.fr)
  • Institut Eurecom

2
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

3
Introduction
  • Background information
    • The Leurrécom database gathers data about attack
      processes found on the internet.
    • The data is presented in numerical form,
      identifying port attack sequences and grouping
      them into clusters.
    • Clusters are only identified by the port attack
      sequence.
    • Need to name clusters.
  • Project purpose
    • Identify clusters in the Leurrécom database
      corresponding to released exploits.
  • Main tools needed
    • Metasploit framework for exploit execution.
    • Honeyd for data collection.

4
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

5
Project tools and components
  • Metasploit (www.metasploit.org)
    • Executes attacks based on exploit files.
    • Exploit files are written by individuals and
      released to the community.
    • Metasploit allows us to launch attacks on a dummy
      station running honeyd.
  • Honeyd (www.honeyd.org)
    • Emulates different operating systems (WIN98, NT,
      Linux).
    • Acts as an attack playground where attacks and
      intrusions can be observed.
    • Provides a tcpdump capture of the activity.
    • The dump is collected and analyzed.
  • VMware
    • Allows integration of multiple logical stations
      on one physical machine.

6
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Unmatched clusters
  • Matched clusters
  • Analysis
  • Conclusion

7
How it all fits together
  • Virtual station runs Metasploit and honeypots.
  • Dump data is collected into trace DB.
  • Core application analyzes traces and queries
    Leurrécom.
  • Clusters are identified and matched with attacks.

8
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

9
Manually identified exploits
  • Name: Veritas Backup Exec Windows Remote Agent Overflow
    Disclosed: Jun 24 2005
    Port seq num: 10000
    Common use: ndmp - Network Data Management Protocol,
    Veritas Backup Exec Remote Agent.
  • Name: Veritas Backup Exec Win Remote File Access
    Disclosed: Aug 12 2005
    Port seq num: 6101
    Common use: SynchroNet-rtc, Veritas Agent Browser for
    Backup Exec
  • Name: Microsoft WINS MS04-045 Code Execution
    Disclosed: Dec 14 2004
    Port seq num: 42
    Common use: Windows Internet Naming Service (WINS).
10
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

11
Detailed operation
  • Big picture: project schematic (figure not reproduced
    in the transcript); all data is held in Oracle.
12
Detailed operation cont.
  • Launchattack.pl
    • Purpose: obtain attack signature file
    • Input: none
    • Output: binary tcpdump file for each attack
    • Operation:
      • Query Metasploit for all attacks and payloads
      • Start Honeyd
      • Launch attack on each honeypot IP combination
      • Stop Honeyd (to release the lock on the log file)
      • Save the log file with an appropriate name

13
Detailed operation
  • Convert_to_text.pl
    • Purpose: convert binary tcpdump files to text
      files for easy parsing.
    • Input: binary tcpdump files
    • Output: text formatted log files
    • Operation:
      • For each tcpdump file in a given directory
      • Use tethereal -r to read the dump file and generate
        a text file
      • Save the text file in another directory

14
Deep overview cont.
  • script_clusters_list.pl
    • Purpose: obtain cluster signature file
    • Input: Oracle database
    • Output: clusters.list
    • Operation:
      • Query the Oracle database for cluster attributes
        (port sequence, packets sent, clusterid)
      • Compute average and standard deviation
      • Create cluster signature
      • Append signature to cluster signature file

Example signature entry:
clusterid73802 ports6101 dev11 dev20 dev30 n12 n20 n30
15
Detailed operation
  • honeyIDS.pm
    • Purpose: compare cluster signature file to attack
      signature file
    • Input: attack signature list, cluster signature
      list
    • Output: unmatched_clusters.log,
      matched_clusters.log
    • Operation:
      • Based on original work by Quang.
      • Added a comparison module that reads input files
        from a directory and compares each attack
        signature to all cluster signatures
      • If a match is found, save the entry in
        matched_clusters.log
      • If no match is found, save the attack signature in
        unmatched_clusters.log

16
Detailed operation
  • honeyIDS.pm (continued)
    • Entry format in unmatched_clusters.log:

attackbackupexec_ns.win32_downloadexec.192.168.1.12.13 ports6101 T N1 n10 n21 n30
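The cluster-signature build of slide 14 and the comparison step of slides 15 and 16, as an added worked example in Python. This is not code from the presentation or from its Perl scripts (script_clusters_list.pl, honeyIDS.pm). The database rows, the cluster id 90001, the attack names other than the backupexec entry shown on the slide, and the key=value rendering of a signature are all constructed here, and the matching rule (same port sequence, packet count within one standard deviation of the cluster average) is an assumption, because the slides do not say how honeyIDS.pm decides that an attack matches a cluster.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample rows standing in for the Oracle query on slide 14:
# (clusterid, port sequence, packets sent on each port of the sequence).
# Each row is one attack session the database has placed in a cluster.
CLUSTER_ROWS = [
    (73802, (6101,), (2,)),
    (73802, (6101,), (3,)),
    (73802, (6101,), (1,)),
    (84041, (4105,), (1,)),
    (84041, (4105,), (1,)),
    (90001, (135, 445), (1, 2)),   # constructed cluster id, not on the slides
    (90001, (135, 445), (1, 4)),
]

# Constructed attack signatures in the shape of the slide 16 entry:
# (attack name, port sequence, packets sent per port). Only the first
# name appears on the slides; the other two are placeholders.
ATTACK_SIGNATURES = [
    ("backupexec_ns.win32_downloadexec.192.168.1.12.13", (6101,), (2,)),
    ("example_exploit_b.192.168.1.12.13", (4105,), (5,)),
    ("example_exploit_c.192.168.1.12.13", (445,), (3,)),
]


def build_cluster_signatures(rows):
    """Group rows by (clusterid, port sequence) and compute, per port
    position, the average packet count (n) and its population standard
    deviation (dev), as script_clusters_list.pl is described to do."""
    samples = defaultdict(list)
    for clusterid, ports, packets in rows:
        samples[(clusterid, ports)].append(packets)
    signatures = []
    for (clusterid, ports), counts in samples.items():
        columns = list(zip(*counts))          # one column per port position
        signatures.append({
            "clusterid": clusterid,
            "ports": ports,
            "n": tuple(mean(col) for col in columns),
            "dev": tuple(pstdev(col) for col in columns),
        })
    return signatures


def format_signature(sig):
    """Render a signature as one key=value line. This rendering is mine;
    the separators used by the real clusters.list are not legible on the slide."""
    ports = ",".join(str(p) for p in sig["ports"])
    n = ",".join(f"{v:.2f}" for v in sig["n"])
    dev = ",".join(f"{v:.2f}" for v in sig["dev"])
    return f"clusterid={sig['clusterid']} ports={ports} n={n} dev={dev}"


def matches(attack, sig):
    """Assumed matching rule: identical port sequence and, on every port,
    the attack's packet count within one standard deviation of the
    cluster average (a dev of 0 therefore demands an exact count)."""
    _, ports, packets = attack
    if ports != sig["ports"]:
        return False
    return all(abs(p - avg) <= dev
               for p, avg, dev in zip(packets, sig["n"], sig["dev"]))


def compare(attacks, signatures):
    """The honeyIDS.pm split: an attack with at least one matching cluster
    goes to the matched list together with the cluster ids, every other
    attack signature goes to the unmatched list."""
    matched, unmatched = [], []
    for attack in attacks:
        hits = [s["clusterid"] for s in signatures if matches(attack, s)]
        if hits:
            matched.append((attack[0], hits))
        else:
            unmatched.append(attack)
    return matched, unmatched


if __name__ == "__main__":
    sigs = build_cluster_signatures(CLUSTER_ROWS)
    for s in sigs:
        print(format_signature(s))
    matched, unmatched = compare(ATTACK_SIGNATURES, sigs)
    print("matched:", matched)
    print("unmatched:", [a[0] for a in unmatched])
```

With the constructed rows, cluster 73802 gets n=2.00 and dev=0.82 on port 6101, so the backupexec attack (2 packets on 6101) matches it; the 4105 attack fails because cluster 84041 has dev=0 and a different count, and the 445 attack fails because no cluster has the single-port sequence (445,). The dev=0 case is worth noting: a cluster whose sessions are all identical yields a zero-width window, which is one reason the slides report many unmatched attacks for low-interaction honeypot output.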
17
Detailed operation
  • script_expl_desc.pl
    • Purpose: gather information about each exploit
      (release date, released by, description) for
      documentation
    • Input: Metasploit exploit information
    • Output: parsed exploit information
    • Operation:
      • Execute the msfcli command with the S (summary)
        flag for each attack
      • Obtain the information, parse it and store it in
        exploit_info_<ver>.txt

18
Detailed operation
  • graph_data.pl
    • Purpose: generate match information that can be
      plotted for better visualization and analysis
    • Input: match_clusters.log, exploit description,
      Oracle database
    • Output: graph_data
    • Operation:
      • For each matched cluster, query the database for
        the 30 days before and after day 0, the exploit
        release day
      • Calculate the average (avg) and standard deviation
        (std) of the 61-day series
      • If, within a window of 5 days centered at day 0,
        there is activity larger than avg + 2·std, then the
        attack/cluster correlation is strengthened.
      • Save the cluster and matched peak date in graph_data
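The peak rule of graph_data.pl carried through in Python, as an added example that is not code from the presentation. It assumes the cluster's daily activity is available as a mapping from date to count (the slides query Oracle for it); the activity series, the cluster id 73803 and the constants for the series width, window and threshold multiplier are taken from the slides, while the flat-baseline-plus-spike data is constructed here. The release date used is the Aug 12 2005 disclosure of the Veritas Backup Exec exploit from slide 9.

```python
from datetime import date, timedelta
from statistics import mean, pstdev

HALF_WIDTH = 30      # days queried on either side of day 0 (a 61-day series)
WINDOW = 5           # window centred on day 0 in which a peak counts
SIGMA = 2.0          # activity must exceed avg + 2*std

# Disclosure date of the Backup Exec exploit listed on slide 9.
RELEASE_DAY = date(2005, 8, 12)


def activity_series(activity_by_day, release_day, half_width=HALF_WIDTH):
    """Daily activity counts from release_day-30 to release_day+30, in
    order; days absent from the database count as zero."""
    return [activity_by_day.get(release_day + timedelta(days=off), 0)
            for off in range(-half_width, half_width + 1)]


def correlated_peak(series, half_width=HALF_WIDTH, window=WINDOW, sigma=SIGMA):
    """Slide 18 rule: a day inside the 5-day window centred on day 0 whose
    activity exceeds avg + 2*std of the whole series strengthens the
    attack/cluster correlation. Returns the offset in days from day 0 of
    the strongest such day, or None when the window holds no peak.
    A perfectly flat series gives std = 0, so nothing exceeds the
    threshold and no peak is reported."""
    avg, std = mean(series), pstdev(series)
    threshold = avg + sigma * std
    half_window = window // 2
    best = None
    for off in range(-half_window, half_window + 1):
        value = series[off + half_width]
        if value > threshold and (best is None or value > series[best + half_width]):
            best = off
    return best


def matched_peak_date(clusterid, activity_by_day, release_day):
    """What graph_data.pl saves per cluster: (clusterid, peak date or None)."""
    off = correlated_peak(activity_series(activity_by_day, release_day))
    peak = release_day + timedelta(days=off) if off is not None else None
    return clusterid, peak


def constructed_activity(release_day, spike_offset, spike_height, baseline=1):
    """Constructed cluster activity: a flat baseline over 81 days with one
    spike at spike_offset days from the release day (None for no spike)."""
    act = {release_day + timedelta(days=o): baseline for o in range(-40, 41)}
    if spike_offset is not None:
        act[release_day + timedelta(days=spike_offset)] = spike_height
    return act


if __name__ == "__main__":
    # Spike one day after disclosure: inside the window, above avg + 2*std.
    print(matched_peak_date(73803, constructed_activity(RELEASE_DAY, 1, 40), RELEASE_DAY))
    # Same spike ten days after disclosure: outside the window, no correlation.
    print(matched_peak_date(73803, constructed_activity(RELEASE_DAY, 10, 40), RELEASE_DAY))
    # Flat activity: std is zero, so no day can exceed the threshold.
    print(matched_peak_date(73803, constructed_activity(RELEASE_DAY, None, 0), RELEASE_DAY))
```

For the first case the 61-day series is sixty 1s and one 40, so avg is about 1.64, std about 4.95 and the threshold about 11.5; the spike at +1 clears it and the saved peak date is 2005-08-13. Moving the same spike to +10 leaves the threshold unchanged but the window empty, which is exactly the distinction the slide draws between a cluster that merely has activity and one whose activity is centred on the disclosure date.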

19
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

20
Results
  • 125 attacks used
  • 11200 dump files (attack/payload combos)
  • 3200 left after discarding 0-byte dump files
  • 95000 clusters obtained from the Oracle database
  • 6000 initial matches
  • 2100 unmatched attacks
  • 500 confirmed matches (activity at or around the
    exploit release day)

21
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

22
Analysis: manually matched clusters
  • Name: BakBone NetVault Remote Heap Overflow
    Disclosed: Apr 01 2005
    Port seq num: 20031
    Common use: overflow vulnerabilities in Bakbone
    NetVault product
    Clusterid: 85817
  • Name: CA CAM log_security() Stack Overflow (Win32)
    Disclosed: Oct 18 2005
    Port seq num: 4105
    Common use: Computer Associates Products Message
    Queuing Vulnerabilities
    Clusterid: 84041
  • Name: Veritas Backup Exec Win Remote File Access
    Disclosed: Aug 12 2005
    Port seq num: 6101
    Common use: SynchroNet-rtc, Veritas Agent Browser for
    Backup Exec
    Clusterid: 73803
23
Analysis
  • Occurrence of peak attack per cluster and per
    day.
  • Used to generate next graph.
  • Cluster activity is logically centered around
    exploit release date.
  • Interesting behavior trend

24
Outline
  • Introduction
  • Project tools and components
  • Different tools used.
  • How it all fits together
  • Tools interaction, project schematic.
  • Initial identification
  • Detailed operation
  • Results
  • Analysis
  • Conclusion

25
Conclusion
  • Consistent results
    • Manually identified clusters appear in the
      automatically generated matches
    • Cluster peak activity is correctly centered around
      the vulnerability disclosure date
  • Limitations
    • Popular port sequences are difficult to match
      with low interaction honeypot outputs
  • Questions?