empirical study of the impact of metasploit related
play

Empirical study of the impact of Metasploit-related attacks in 4 - PowerPoint PPT Presentation

Jun 11, 2023 •152 likes •584 views

Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E. Ramirez-Silva and M. Dacier Eurcom Institute - Sophia Antipolis, France ASIAN'07 December 11, 2007- Doha, Qatar Introduction Overview Introduction

  1. Empirical study of the impact of Metasploit-related attacks in 4 years of attack traces E. Ramirez-Silva and M. Dacier Eurécom Institute - Sophia Antipolis, France ASIAN'07 December 11, 2007- Doha, Qatar

  2. Introduction Overview Introduction Introduction ✔ The Leurré.com project ✔ Experimental framework ✔ Experimental results Conclusions

  3. Introduction Overall goal of the approach What can honeypots tell us about “script kiddies” related attacks? – How much impact do they have on these datasets? – Where do they come from? – When are we likely to see them? – Do they have a specific profile of activity?

  4. Introduction To be or not to be a script kiddie Question: – Among all the attacks observed on a honeypot, how can we distinguish those likely due to script kiddies? Answer: – Define and detect on the honeypot the traces left by a specific tool, supposed to be used by script kiddies.

  5. Introduction Our response Script kiddie tool: – We have decided to identify and study only instances of attacks likely due to metasploit plugins. Traces of the attack tool: – We have built an environment to run all attacks against a honeypot in a monitored environment. – The recorded traces are used to generate “network signatures” for each plugin.

  6. Introduction To be or not to be at the right place Question: – What is the best “place” to look for attacks? Answer: – Everywhere in the world as previous work have shown that different blocks of addresses can be hit by different types of attacks.

  7. Introduction Our response Our source of information: – We use attack traces collected by the low-interaction honeypots deployed within the Leurré.com project. Origin of the data: – This gives us access to 4 years of data collected in a large number of different environments, on the very same type of platform • 50 platforms in 30 different countries as of today • None in Qatar ... yet ...

  8. Introduction Caveat We acknowledge the fact that, by focusing on Metasploit plugins only, we address a small fraction of the whole problem space ➔ The experiments only derive lower bounds of the amount of attacks due to script kiddies. The lessons learned are, hopefully, of a much broader interest.

  9. Overview Introduction Introduction ✔ The Leurré.com project The Leurré.com project ✔ Experimental framework ✔ Experimental results Conclusions

  10. The Leurré.com Project Leurré.com: a brief overview Ongoing effort since 2003: – Around 50 platforms running today in 30 different countries – All platforms have the very same configuration ; based on honeyd, each one implements 3 virtual machines Every day, tcpdump files are uploaded, enriched and stored into a centralized DB. – geographical location of the attackers, passive OS fingerprints of their machines, reverse name lookups, etc.

  11. The Leurré.com Project 50 platforms in 30 different countries

  12. The Leurré.com Project In Europe

  13. The Leurré.com Project Win-Win Partnership Interested partner provides – An old PC (Pentium II, 256MB RAM, 233 MHz) – 4 unfiltered routable IP addresses The Project provides – Installation CD Rom containing OS + applications – Remote log collection and integrity checks – Access to the whole data set + wiki + various tools developed by the community (GUI, java applets, Matlab programs, alert ticketing system, etc.)

  14. The Leurré.com Project Clusters of traces Among the various treatments, one important one aims at grouping together attack traces likely due to the same attack tool. This is done thanks to a simple clustering algorithm that group together attack sessions (traces of 1 IP against 1 platform) that share the same fingerprints Fingerprints are defined by means of 7 groups of attributes

  15. The Leurré.com Project Attack fingerprints 1.Amount of targeted virtual machines, 2.Order in which they have been hit, 3.Amount of packets sent by the attacker to each virtual machine, 4.Sequence of ports, 5.Total amount of packets sent by the attacker, 6.Average IAT between packets received. 7.Duration of the attack.

  16. The Leurré.com Project Data used The experiments reported are based on the 4 years of collected data. They take advantage of the notion of clusters as defined and implemented by the project in the database available to all partners.

  17. Overview Introduction Introduction ✔ The Leurré.com project The Leurré.com project ✔ Experimental framework Experimental framework ✔ Experimental results Conclusions

  18. Experimental Framework Sanity Check Question: – Have we ever observed a clear manifestation of a metasploit related cluster in the Leurré.com data set? Answer: – Yes, for instance, on May 15 2006, the one implementing an exploit against the ‘RealVNC password authentication bypass vulnerability’ (realvnc_41_bypass)

  19. Experimental Framework Graphical Representation Dshield 1200 sources vs. 180 ! Metasploit plug-in released Leurré.com Metasploit plug-in released

  20. Experimental Framework Metasploit framework It is often referred to as the most popular vulnerability exploitation tool Its ease of use makes it the ideal tool for script kiddies For practical reasons, we restrict ourselves to all versions of the Metasploit framework within the release 2 (2.0-2.7) to analyze their impacts on our dataset.

  21. Experimental Framework Method used We have run all attacks from all Metasploit releases, one by one, against one of our platforms, in a dedicated environment. Traces have been recorded and labels Cluster attributes have been derived from these traces Matching clusters have been retrieved from the DB for further analysis.

  22. Experimental Framework Metasploit signature generation

  23. Experimental Framework Metasploit signature generation

  24. Experimental Framework Metasploit signature generation

  25. Overview Introduction Introduction ✔ The Leurré.com project The Leurré.com project ✔ Experimental framework Experimental framework ✔ Experimental results Experimental results Conclusions

  26. Experimental Results Initial Selection of Clusters 132 Metasploit modules used Running all of them in different ways, using various possible options, etc. led to 4000 distinct tpcdump files 19000 clusters (out of 150000) had their characteristics matching the ones of at least one of these files Clearly, we were selecting more than wanted!

  27. Experimental Results Amount of exploits per cluster

  28. Experimental Results Finding a few very “good” ones Question: – How to find which ones, among these 19000, are very likely to be related to a given Metasploit plugin? Answer: – Select only the clusters that have a substantial peak of activity very close to the plugin release date and no larger peak at any other point in time.

  29. Experimental Results Algorithm 1 For each of the 19000 selected clusters: – obtain the original plugin release date – compute the number of attacks, per day, observed for that cluster in the period ±30 days relative to the exploit release day – compute average (avg) and standard deviation (std) for the period ±30 days – If within a window of ±5 days centered at day 0, we have an activity larger than avg + 2*std then select the cluster as a good candidate For each candidate, search for its maximal number of attacks over its whole lifetime. Discard the candidate, if this value does not appear within the period ±5 days around day 0. Result: 700 clusters remain

  30. Experimental Results Activities around day 0 of original release

  31. Experimental Results Refinment Question: – How can we see if “old plugin” are reused when a new general release of the environment is made public? Answer: – Repeat the same experiment but consider each release date for all clusters now instead of the sole original plugin release date. Result: – This leads us to find 1300 new matching clusters

  32. Experimental Results Activities around day 0 of all releases

  33. Experimental Results Analysis of burst at day -2 Large number of Chinese IP addresses trying the mssql2000_preauthentication exploit module (release 2.6) against platforms all over the world.

  34. Experimental Results Analysis of burst at day -1 Large number of IP, mostly from Germany and Spain, did attack 2 distinct platforms, in Luxembourg and France, with the msasn1_ms04_007_killbill exploit module (release 2.5).

  35. Experimental Results Sanity Check Question: – How many good clusters did we lose because of the constraint regarding the maximal peak value around ±5 days? Answer: – select all clusters which very first manifestation was observed in a window of ±2 days around any of the 8 possible release dates. Result: – This leads us to find 80 new matching clusters

  36. Experimental Results Activities of clusters unseen before day-2

  37. Experimental Results Summing it up Day 1: Before Day 0: Be outliers prepared! + ... ? Shape does not match “models”: script kiddies?

  38. Overview Introduction Introduction ✔ The Leurré.com project The Leurré.com project ✔ Experimental framework Experimental framework ✔ Experimental results Experimental results Conclusions Conclusions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AN EMPIRICAL STUDY OF PRACTITIONERS PERSPECTIVES ON GREEN SOFTWARE ENGINEERING Empirical

AN EMPIRICAL STUDY OF PRACTITIONERS PERSPECTIVES ON GREEN SOFTWARE ENGINEERING Empirical

AN EMPIRICAL STUDY OF PRACTITIONERS PERSPECTIVES ON GREEN SOFTWARE ENGINEERING Empirical studies of how developer decisions Irene Manotas, * Christian Bird, impact energy consumption (design patterns, web Lori Pollock, * and James

354 views • 32 slides
who am i ? H D Moore <hdm [at] metasploit.com> Metasploit project Core developer and

who am i ? H D Moore <hdm [at] metasploit.com> Metasploit project Core developer and

METASPLOIT FOSDEM 2007 who am i ? H D Moore <hdm [at] metasploit.com> Metasploit project Core developer and project lead BreakingPoint Systems Director of Security Research FOSDEM 2007 why listen ? A great tool you can use today

403 views • 21 slides
Utilit Utility and d Happiness pp Miles Kimball and Bob Willis + Related Empirical

Utilit Utility and d Happiness pp Miles Kimball and Bob Willis + Related Empirical

Utilit Utility and d Happiness pp Miles Kimball and Bob Willis + Related Empirical Work With Other Coauthors 1 Partial List of Coauthors on Related Empirical Papers Related Empirical Papers What Do You Think Would Make You

1.8k views • 136 slides
Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th

Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th

Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th 2015 Only perform scans and exploitations after receiving permission from the owner of the machine/device. Nmap Purpose Scan a

671 views • 30 slides
Unmanned Aerial Vehicles Exploit Automation with the Metasploit Framework James Lee 1 # whoami

Unmanned Aerial Vehicles Exploit Automation with the Metasploit Framework James Lee 1 # whoami

Unmanned Aerial Vehicles Exploit Automation with the Metasploit Framework James Lee 1 # whoami James Lee egypt Core Developer, Metasploit Project Working full time on Metasploit for 2 User Interface Scanning for

793 views • 60 slides
with the Metasploit Framework defcon 17 Who Are We? Chris Gates <cg [@]

with the Metasploit Framework defcon 17 Who Are We? Chris Gates <cg [@]

Attacking Oracle with the Metasploit Framework defcon 17 Who Are We? Chris Gates <cg [@] metasploit.com> What pays the bills Pentester for Security Blogger http:/ / carnal0wnage.attackresearch.com Security Twit

868 views • 54 slides
with the Metasploit Framework BlackHat USA 2009 Who Am I? Chris Gates <cg [@]

with the Metasploit Framework BlackHat USA 2009 Who Am I? Chris Gates <cg [@]

Attacking Oracle with the Metasploit Framework BlackHat USA 2009 Who Am I? Chris Gates <cg [@] metasploit.com> What pays the bills Pentester/Security Consultant Security Blogger

360 views • 31 slides
Introduction to Metasploit Stefano Cristalli November 29, 2018 Laboratorio di Sicurezza e Reti

Introduction to Metasploit Stefano Cristalli November 29, 2018 Laboratorio di Sicurezza e Reti

Introduction to Metasploit Stefano Cristalli November 29, 2018 Laboratorio di Sicurezza e Reti Universit` a degli Studi di Milano Table of contents 1. Basic commands in the Metasploit console 2. DEMO: exploiting Heartbleed 3. Exercises

690 views • 13 slides
An empirical journey towards impact assessment: the case of ITC Presentation to AFT event, 06

An empirical journey towards impact assessment: the case of ITC Presentation to AFT event, 06

An empirical journey towards impact assessment: the case of ITC Presentation to AFT event, 06 December 2012 E. Robin, M. Mimouni 2 Overview ITCs approach to impact assessment Impact assessment methodology Challenges 3 RBM

549 views • 14 slides
Empirical Invariance in Stock Market and Chii-Ruey Hwang Institute of Related Problems

Empirical Invariance in Stock Market and Chii-Ruey Hwang Institute of Related Problems

Empirical Invariance in Stock Market and Related Problems Empirical Invariance in Stock Market and Chii-Ruey Hwang Institute of Related Problems Mathematics, Academia Sinica, Taipei TAIWAN Chii-Ruey Hwang Empirical Analysis

912 views • 57 slides
Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami scriptjunkie Security research Metasploit contributor whoami wrote this thing whoami I work here Disclaimer This

1.02k views • 76 slides
AN EMPIRICAL INVESTIGATION OF THE IMPACT OF DIFFERENT METHODS FOR SYNTHESISING EVIDENCE IN A

AN EMPIRICAL INVESTIGATION OF THE IMPACT OF DIFFERENT METHODS FOR SYNTHESISING EVIDENCE IN A

AN EMPIRICAL INVESTIGATION OF THE IMPACT OF DIFFERENT METHODS FOR SYNTHESISING EVIDENCE IN A NETWORK META- ANALYSIS Project team Amalia (Emily) Karahalios - School of Public Health and Preventive Medicine, Monash University, Australia

262 views • 12 slides
Empirical Study: Expert Finding Matthieu Vergne vergne@fbk.eu Fondazione Bruno Kessler

Empirical Study: Expert Finding Matthieu Vergne vergne@fbk.eu Fondazione Bruno Kessler

Presentation Experiment Conclusion Empirical Study: Expert Finding Matthieu Vergne vergne@fbk.eu Fondazione Bruno Kessler Information and Communication Technology University of Trento February 19th, 2014 Empirical Study: Expert Finding 1/

484 views • 24 slides
Latest Metasploit Hardware Bridge Techniques Craig Smith - Research Director of Transportation

Latest Metasploit Hardware Bridge Techniques Craig Smith - Research Director of Transportation

Latest Metasploit Hardware Bridge Techniques Craig Smith - Research Director of Transportation Security Hardwear.io Agenda Overview of what the HW Bridge is Details on how it works How you can build hardware to support Metasploit

632 views • 22 slides
An empirical study of Gaussian belief propagation and application in the detection of F-formations

An empirical study of Gaussian belief propagation and application in the detection of F-formations

Regularized Gaussian belief propagation Empirical Study F-formation detection Concluding Remarks An empirical study of Gaussian belief propagation and application in the detection of F-formations Francois Kamper Stellenbosch University

578 views • 20 slides
An Empirical Study of Code Clone Genealogies

An Empirical Study of Code Clone Genealogies

An Empirical Study of Code Clone Genealogies MiryungKim,VibhaSazawal,DavidNotkin,andGailMurphy UniversityofWashington UniversityofBritishColumbia ESEC/FSESept2005 Conventional Wisdom

491 views • 25 slides
Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and Collin Mulliner Security in Telecommunications Technische Universit at Berlin, Germany { steffen,mlange } @sec.t-labs.tu-berlin.de Northeastern

713 views • 11 slides
Io IoT Ho T Hone neyBot yBot Haris emi and Saa Mrdovi Cryptacus: Workshop and MC

Io IoT Ho T Hone neyBot yBot Haris emi and Saa Mrdovi Cryptacus: Workshop and MC

Io IoT Ho T Hone neyBot yBot Haris emi and Saa Mrdovi Cryptacus: Workshop and MC meeting Nijmegen, Netherlands, 2017 Honeypots Honeypots Emulation of a network resource Built to be discovered, attacked and compromised

497 views • 18 slides
Tedder Village www.tedderavenue.com.au ON THE AVENUE TEDDER VILLAGE WWW.TEDDERAVENUE.COM.AU

Tedder Village www.tedderavenue.com.au ON THE AVENUE TEDDER VILLAGE WWW.TEDDERAVENUE.COM.AU

Village Life Tedder Avenue Tedder Avenue Tedder Village www.tedderavenue.com.au ON THE AVENUE TEDDER VILLAGE WWW.TEDDERAVENUE.COM.AU Village Life TEDDER VILLAGE ON THE AVENUE WWW.TEDDERAVENUE.COM.AU ZONES 5 HOW IT WORKS 7 UNDER THE HOOD

321 views • 20 slides
Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng , Xiaojing Liao, XiaoFeng Wang, Haining Wang, Qiang Li, Kai Yang, Hongsong Zhu, Limin Sun USENIX Security 2019 Internet-of-Things (IoT) Devices IoT

422 views • 23 slides
Robot Attack! Repelling Bots, DDOS, and other Fiends Stanford Drupal Camp 2015 MEET YOUR GUIDES

Robot Attack! Repelling Bots, DDOS, and other Fiends Stanford Drupal Camp 2015 MEET YOUR GUIDES

Robot Attack! Repelling Bots, DDOS, and other Fiends Stanford Drupal Camp 2015 MEET YOUR GUIDES Suzanne Aldrich Martijn Gonlag Senior Customer Success Engineer - Pantheon Technical Support Engineer - CloudFlare AGENDA Surveying Robots

247 views • 13 slides
E-mail trends in 2010: How do spammers get your address? Using distributed poisoned addresses to

E-mail trends in 2010: How do spammers get your address? Using distributed poisoned addresses to

Motivation How E-mail works Conventional Wisdom Previous Work Implementation Results Conclusion E-mail trends in 2010: How do spammers get your address? Using distributed poisoned addresses to track harvesting behavior Robert Marmorstein

447 views • 17 slides
Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche

Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche

Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche 1 , E. Alata 1 , V.Nicomette 1 , Y. Deswarte 1 , M. Dacier 2 LAAS-CNRS 1 , Eurecom 2 Mohamed.Kaaniche@laas.fr ACI Scurit &

409 views • 17 slides
Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security

Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security

Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security Landscape Meraki Security Demo Security Landscape The Growing Importance of Security MALWARE HAS RISEN BY MORE THAN 10X IN THE LAST YEAR 70% M ALW AR E

604 views • 35 slides

More recommend