Re: R: host-based ids evaluation
From: Detmar Liesen (counter.spy@gmx.de)
Date: 08/17/02
- Previous message: abiola abimbola: "the effects of IPSEC encryption & fragmented packets on network sensors papers"
- In reply to: Gianpiero Porchia: "R: host-based ids evaluation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 17 Aug 2002 10:00:13 +0200 (MEST)
From: Detmar Liesen <counter.spy@gmx.de>
To: "Gianpiero Porchia" <gianpiero.porchia@atsweb.it>
Sorry, but you're off topic.
We are discussing __host__-based ids.
NFR NID is a network IDS.
Well, and I was not asking how to monitor ports for various machines but
rather trying to ask how to detect when a program gets bound to a specific TCP
or UDP port on a particular machine. One of the answers was looking into the
netstat tables (a good one).
Normally, the command cmd does spawn a shell on the local console.
If this console gets bound to a TCP or UDP port, the HIDS should notice
that.
Check out nc -L -e cmd.exe [port] on a windoze box and connect from another
machine (e.g. a Linux box) by typing the command:
netcat [dip] [dport]
You can add some additional options like telnet negotiation, but the above
should suffice.
The result will be a remote shell (cmd prompt) with the local rights of the
user that is logged into the windoze box. You could play around a little bit
with windows script host in order to improve things, e.g. automatic startup
of the netcat server, runas or whatever nasty things you can imagine.
Cheers,
Detmar
Gianpiero wrote:
---------------------------
> I'm using an NFR-NID, and I've written a custom N-code script that can
> detect connections over strange ports. As I said in my previous post, we
> can do that easily by writing a hosts list:
>
> 192.168.0.3, 80,25,22
> 192.168.0.4, 21,22
> ...
>
> and for every connection not in this list, my NIDS raises an alert.
> Obviously, the script can detect shells on that connection (for example
> by looking for a prompt, or for a shell command such as dir or ls).
>
> Bye
>
> - gianpiero
>
> Ing. Gianpiero Porchia
> Security Engineer
> ATS - Advanced Telecom Systems
> Designing, Testing, Managing Network Quality
>
> Via Salgari, 17 - 41100 Modena - ITALY
> Tel +39 059 821332
> Fax +39 059 821492
> E-mail: gianpiero.porchia@atsweb.it
> Web site: http://www.atsweb.it
>
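The check Detmar describes (look in the host's netstat tables and notice when a program has been bound to a TCP or UDP port) and the per-host allowlist layout from Gianpiero's post, worked through in Python as an added example that is not code from this thread or from either poster. The `netstat -ano` style lines, the PID-to-image map and the allowlist are constructed sample data; `SHELL_IMAGES` is an assumption about which image names should never own a listening socket. Note that a `nc -L -e cmd.exe` listener shows up under the netcat image rather than `cmd.exe`, so the allowlist and baseline-diff checks are the primary signal and the shell-name check only catches direct binds.

```python
"""Host-side check for unexpected listening sockets (added example, not
from the mailing-list thread). Parses constructed netstat -ano output,
diffs it against a previous snapshot, and alerts on listeners whose port
is not allowlisted for the host or whose owning process is a shell."""
from dataclasses import dataclass

# Assumption: image names that should never own a listening socket.
# A netcat listener (nc -L -e cmd.exe) is owned by the netcat image, not
# cmd.exe, so the allowlist / baseline checks below are the primary signal.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "sh", "bash", "dash", "zsh"}

# Constructed allowlist in the "host, port,port,..." layout from the thread.
ALLOWLIST_TEXT = """\
192.168.0.3, 80,25,22
192.168.0.4, 21,22
"""

# Constructed `netstat -ano` style output (Windows layout; UDP rows carry no State column).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1312
  TCP    192.168.0.3:22         0.0.0.0:0              LISTENING       1500
  TCP    192.168.0.3:4444       0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2310
  TCP    192.168.0.3:1056       192.168.0.9:80         ESTABLISHED     2200
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image name map (what a process listing would report).
PID_IMAGES = {1040: "httpd.exe", 1312: "smtpsvc.exe", 1500: "sshd.exe",
              2044: "nc.exe", 2310: "powershell.exe", 2200: "iexplore.exe", 4: "System"}


@dataclass(frozen=True)
class Listener:
    proto: str
    local_addr: str
    port: int
    pid: int


@dataclass(frozen=True)
class Alert:
    proto: str
    port: int
    pid: int
    image: str
    reason: str


def parse_allowlist(text):
    """Parse 'host, p1,p2,...' lines into {host: {ports}}."""
    allowed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, ports = line.partition(",")
        allowed[host.strip()] = {int(p) for p in ports.split(",") if p.strip()}
    return allowed


def parse_netstat(text):
    """Return the listening sockets from netstat -ano style output.

    TCP rows are kept only in LISTENING state; UDP rows have no state column
    and are always listeners. The port is split off after the last ':' so a
    bracketed IPv6 address such as [::]:80 parses as well.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        addr, _, port = parts[1].rpartition(":")
        if parts[0] == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue
            pid = int(parts[4])
        else:
            pid = int(parts[3])
        listeners.append(Listener(parts[0], addr, int(port), pid))
    return listeners


def new_listeners(baseline, current):
    """Sockets present now that were absent from the previous snapshot."""
    return sorted(set(current) - set(baseline), key=lambda l: (l.proto, l.port))


def find_unexpected(listeners, pid_images, host, allowed):
    """Alert when the owning process is a shell (even on an allowed port)
    or when the port is not allowlisted for this host."""
    allowed_ports = allowed.get(host, set())
    alerts = []
    for l in listeners:
        image = pid_images.get(l.pid, "<unknown>")
        if image.lower() in SHELL_IMAGES:
            reason = "shell process owns a listening socket"
        elif l.port not in allowed_ports:
            reason = "port not in allowlist"
        else:
            continue
        alerts.append(Alert(l.proto, l.port, l.pid, image, reason))
    return alerts


if __name__ == "__main__":
    allowed = parse_allowlist(ALLOWLIST_TEXT)
    current = parse_netstat(NETSTAT_SAMPLE)
    for a in find_unexpected(current, PID_IMAGES, "192.168.0.3", allowed):
        print(f"ALERT {a.proto}/{a.port} pid={a.pid} image={a.image}: {a.reason}")
```

On a real host the two text constants would be replaced by the output of the platform's netstat and process-listing commands, and `new_listeners` would be run against the snapshot saved on the previous poll, so a listener that appears between polls is reported even when its image name looks harmless.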