This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Issue with parser to detect bind/reverse shells. Please adivse.

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-08-26 08:54 PM

Hello all,. i was hoping someone could point out what im doing wrong here.  The parser below does seem to match on the bash_shell token name, but not one the rest even though the values are clearly in the packets. 

 

IP 192.168.1.19.13377 > 192.168.1.17.52172: Flags [P.], seq 666:690, ack 17, win 91, options [nop,nop,TS val 911716 ecr 1343276283], length 24

E..L..@.@...........4A...'....@?...[H[.....

.dP...root@ubuntu:/usr/_gtW_#

 

IP 192.168.1.19.13377 > 192.168.1.17.52172: Flags [P.], seq 627:666, ack 17, win 91, options [nop,nop,TS val 911716 ecr 1343276282], length 39

E..[..@.@...........4A...'....@?...[.......

.dP...uid=0(root) gid=0(root)

 

 

It does however match on the bash-shell token and bash-shell match:

IP 192.168.1.19.13377 > 192.168.1.17.52172: Flags [P.], seq 565:600, ack 14, win 91, options [nop,nop,TS val 910924 ecr 1343273116], length 35

E..W.{@.@...........4A...'.K..@<...[.f.....

.LP...bash: no job control in

 

Below is the parser, and i've attached the pcap

 

 

 

<?xml version="1.0" encoding="utf-8"?>

<parsers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="C:\Program Files\NetWitness\NetWitness 9.0\Investigator\parsers\parsers.xsd">

 

  <!--

  Parser created by dniz0r@gmail.com on 8/26/2013

  Last update:

  Discussion:

  Attempts to detect rootshell in the TCP stream. kbeast rootkit was used in order to create this parser

 

Keys required by this parser:

 

  <key description="Risk: Warning" format="Text" level="IndexValues" name="risk.warning" valueMax="1000"/>

 

  -->

  <parser name="bash_shell" desc="bash_shell">

 

    <declaration>

 

      <meta format="Text" key="risk.warning" name="warning"/>

     

      <token name="bash-shell" value="bash:"/>

      <token name="root-shell" value="&#x72;&#x6F;&#x6F;&#x74;&#x40;" /> <!--root@-->

      <token name=uid" value="uid=" />

      <number name="temp_offset"/>

     

    </declaration>

 

    <match name="bash-shell">

      <find length="30" name="temp_offset" value="no job control in">

        <register name="warning" value="bash_shell"/>

      </find>

    </match>

 

 

    <match name="root-shell">

      <find length="60" name="temp_offset" value="&#x23;">   <!--#-->

        <register name="warning" value="root_shell"/>

      </find>

    </match>

 

    <match name="uid">

      <find length="60" name="temp_offset" value="gid="> 

        <register name="warning" value="root_shell"/>

      </find>

    </match>

 

  </parser>

</parsers>

kbeast_in.pcap
0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-08-27 04:03 AM

This is what happens:

  • The first token "bash:" is searched and found.
  • The read position is set to the byte following "bash:"
  • Since "bash:" comes after the other two tokens, they won't trigger a match (the read position won't start at the beginning!)

 

Since your parser is simply looking for keywords, consider using the "search parser".

View solution in original post

0 Likes
2 REPLIES 2

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-08-27 04:03 AM

This is what happens:

  • The first token "bash:" is searched and found.
  • The read position is set to the byte following "bash:"
  • Since "bash:" comes after the other two tokens, they won't trigger a match (the read position won't start at the beginning!)

 

Since your parser is simply looking for keywords, consider using the "search parser".

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner

‎2013-08-28 03:09 PM

In this single occasion you could just reorder your "match" statements to make it work, but if they come in a different order in future, your parser may fail again.

 

Dave

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.