Caught in the Hack! Network Security Monitoring vs BackTrack Autopwn
This will be the first in a series of articles analyzing attacks used against networks and what can be done to catch them.
For this part of the series I will be using three machines – a target machine, an attacker system and a third computer running the Network Security Monitoring (NSM) Security Onion Live CD. The NSM machine will be connected to the target machine via a mirrored port (DualComm’s DCSW-1005PT) so all the incoming attacks can be monitored in real time.
This article is for informational use only. Do not attempt anything found in these articles on any network or computer system without written permission from the owners. Doing so could get you into trouble and you may end up in jail.
For quite a while now, I have wanted to write some articles about NSM. Today, I finally set everything up and ran some tests. The first test I wanted to run was to pit the ever popular BackTrack 4 R2 Fast-Track “Autopwn” program against NSM and see what would happen.
Autopwn is a great program for new users to try their hand at penetration testing. Autopwn basically does all the work for you. All you need to tell the program is what you want to attack, and the program does the rest.
The program runs nmap and looks for open ports. It then uses that information to create a tailored attack against the target system using Metasploit. Quick, simple and easy.
You boot up your BackTrack 4 system, start networking, go to the BackTrack menu, select the “penetration” menu, then “Fast-Track” and finally “Fast-Track Interactive”.
You should have a screen that looks like this:
Just run the updates, option #1, then run Autopwn – option #2. Provide it with a single IP address or a range of addresses that you want to attack, then what kind of payload shell you want. I always pick “reverse” – connect back to me. That’s it. The program then automatically attacks the systems and tries to open a reverse shell from each one back to the attacker.
Wow, pretty impressive, but what can be done to detect this type of attack? Well, while this attack was running against my target machine, my NSM system monitored every packet coming into the system through a mirrored port. The NSM system runs Snort which detects intrusion attempts and displays the alerts in the network security analyst program Sguil.
The result? Sguil lit up like a Christmas tree. See the Sguil interface screenshot below:
The alerts are color coded for severity and list the source, i.e. the attacker’s IP address. You can click on each alert to find out more about it, or view the actual packets involved in the alert in Wireshark.
So even though the target machine itself gave no indication of the attack, my NSM machine captured the whole event as it happened, in real time.
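To show what the Sguil console is doing with those Snort alerts, here is an added example that is not part of the original article: a small Python script that parses Snort’s “fast” alert log format, groups the alerts by source (attacker) IP and priority the way the Sguil display does, and flags any source that raises a burst of alerts within a short window, which is exactly the footprint a scan-then-exploit tool leaves. The log format is real Snort fast output; the rule SIDs, rule messages and IP addresses in the sample are constructed for this example and do not come from the article or from the Snort ruleset.

```python
"""Triage Snort fast-format alerts: group by attacker IP and priority, flag alert bursts."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in Snort "fast" format (not real traffic).
# SIDs 9000001-9000004, the messages and the addresses are illustrative placeholders.
SAMPLE_ALERTS = """\
03/15-10:22:31.104512  [**] [1:9000001:1] TEST SCAN nmap SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:44321 -> 192.168.1.10:445
03/15-10:22:31.209877  [**] [1:9000001:1] TEST SCAN nmap SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:44322 -> 192.168.1.10:139
03/15-10:22:45.330021  [**] [1:9000002:1] TEST EXPLOIT SMB overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:44330 -> 192.168.1.10:445
03/15-10:22:46.001200  [**] [1:9000003:1] TEST EXPLOIT RPC overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.50:44331 -> 192.168.1.10:135
03/15-10:40:02.500000  [**] [1:9000004:1] TEST POLICY outbound DNS to unlisted resolver [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {UDP} 192.168.1.10:53012 -> 192.0.2.53:53
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one fast-format alert line into a dict; return None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["priority"] = int(rec.pop("prio"))
    # Fast-format timestamps carry no year; the default year is fine for deltas within one log.
    rec["time"] = datetime.strptime(rec.pop("ts"), "%m/%d-%H:%M:%S.%f")
    return rec


def parse_alerts(text):
    """Parse every line of a fast alert log, skipping lines that do not match."""
    return [rec for rec in (parse_alert(line) for line in text.splitlines()) if rec]


def summarize_by_source(alerts):
    """Group alerts by source IP: total count, count per priority, distinct dst:port targets."""
    summary = defaultdict(lambda: {"count": 0, "priorities": Counter(), "targets": set()})
    for a in alerts:
        s = summary[a["src"]]
        s["count"] += 1
        s["priorities"][a["priority"]] += 1
        s["targets"].add(f'{a["dst"]}:{a["dport"]}')
    return dict(summary)


def find_bursts(alerts, window=timedelta(seconds=60), threshold=3):
    """Return source IPs that raised at least `threshold` alerts inside any span of `window`.

    Automated scan-and-exploit tooling fires many different rules against one host within
    seconds, so a sliding window over each source's alert times separates it from background noise.
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a["time"])
    bursts = []
    for src, times in by_src.items():
        times.sort()
        j = 0
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                bursts.append(src)
                break
    return sorted(bursts)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for src, s in summarize_by_source(alerts).items():
        print(f"{src}: {s['count']} alerts, priorities={dict(s['priorities'])}, "
              f"targets={sorted(s['targets'])}")
    print("burst sources:", find_bursts(alerts))
```

Run against a real `alert` file written by Snort’s fast output plugin, the same grouping tells you at a glance which source is worth escalating: the priority-1 exploit attempts arriving seconds after the scan probes from the same address are the Autopwn pattern, while the lone priority-3 policy alert from the target itself is a separate matter.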
Okay, we have a readout displaying that an attack occurred, which is nice to have, but how do we stop this type of attack?
Autopwn uses the standard exploits in Metasploit. The best defense in this case is to keep your machine and software patched and updated. Also make sure that your firewall is on. If you do, then the attacker should see the screen below on his BackTrack system:
No Active Sessions. That’s a good thing for us: it means that none of the exploits worked and the attack was unsuccessful!
And with Sguil and NSM, we also have an electronic packet trail of the attack and the attacker’s source IP!