Page 1 of 2 (results 1 to 10 of 16)
  1. #1
    Newbie | Join Date: Apr 2009 | Posts: 5

    Using Metasploit to test IDS

    I have been trying to trigger just one log or one block in the Untangle 6.1 IDS just so I can convince myself it is working.

    I have a wireless home router with an XP PC and an Untangle box hardwired on the same segment. The Untangle box has a 2nd ethernet port set to bridge and on this second piece of the segment I have a hub and a 2nd XP PC. All PCs are connected and I am VNCing from a 3rd PC to the 1st and the 2nd PCs via a wireless connection into the home router. Everything talked to everything.

    I have the IDS and logging turned on - all other racks are off.

    I started by hitting the 2nd PC from the 1st with nmap and nessus and nothing triggered a log or a block.

    I installed Metasploit 3 on the 1st PC. I have been trying to cross-reference the Snort SIDs listed in the IDS rule set to the selection of Metasploit's exploits in the hope of finding an exploit that would trigger a log or a block. I looked at the SID for Windows-related rules, then I looked up the entry on the Snort web site to see if there was an MS vulnerability listed, and I would use that number to search in the Metasploit web GUI for a corresponding exploit. Or I would do the whole thing in the reverse order.

    After a few evenings, I have come up dry.

    I tried just browsing for a Snort rule that I could try to trigger without any of the aforementioned tools. For example I found 710 TELNET EZsetup account attempt. I checked off the log and block options for this rule on the Untangle server. I ran a telnet server on the 2nd PC and tried to log in with username OutOfBox from the 1st PC. No log and no block.

    Untangle IDS is indicating 21,000 scanned session and 0 sessions logged and 0 sessions blocked.

    I would have thought this would have been easier than this.

    Any advice?

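    An added example for the telnet test in this post (this is not code from the original post, from Untangle or from Snort): a small Python script that sends the EZsetup probe to the telnet server in a single TCP segment, and a minimal content matcher that shows why a login typed interactively may never match. The rule text is an assumption modelled on the Snort telnet.rules entry for SID 710, so check it against the rule actually loaded in the IDS; the matcher handles only quoted text content options (no |hex| pipes) and ignores the flow option and stream reassembly. Note also that the rule has a direction, $EXTERNAL_NET -> $TELNET_SERVERS port 23, so the IDS's definitions of those variables have to cover the attacker (10.1.20.21) and the victim (10.1.20.20) for the packet to be evaluated at all.

```python
"""Probe a telnet server with the EZsetup pattern and model how a per-packet
content match sees it.

Added example, not code from the original post, Untangle or Snort. The rule
text below is an ASSUMPTION modelled on the Snort telnet.rules entry for SID
710; check it against the rule actually loaded in your IDS.
"""
import re
import socket

# Assumed rule text (modelled on Snort's telnet.rules; verify locally).
SID_710 = ('alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 '
           '(msg:"TELNET EZsetup account attempt"; flow:to_server,established; '
           'content:"OutOfBox"; classtype:suspicious-login; sid:710; rev:7;)')

# content:"..."; followed by its modifiers up to the next content option.
_CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"\s*;(.*?)(?=content:|\Z)', re.S)


def rule_contents(rule):
    """Return [(pattern_bytes, nocase)] for each plain-text content option.

    Only quoted text is handled (no |hex| pipes), which is enough for SID 710.
    """
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    found = []
    for m in _CONTENT_RE.finditer(body):
        pattern = m.group(1).encode()
        nocase = re.search(r'\bnocase\s*;', m.group(2)) is not None
        found.append((pattern, nocase))
    return found


def segment_matches(segment, rule):
    """True if every content pattern of the rule occurs inside this one segment.

    This is what a content match sees when packets are inspected one at a
    time (no stream reassembly): the pattern must sit in a single payload.
    """
    for pattern, nocase in rule_contents(rule):
        hay, needle = (segment.lower(), pattern.lower()) if nocase else (segment, pattern)
        if needle not in hay:
            return False
    return True


def any_segment_matches(segments, rule):
    """True if at least one segment of the conversation matches on its own."""
    return any(segment_matches(s, rule) for s in segments)


def keystroke_segments(text):
    """Model a telnet client in character-at-a-time mode: one byte per segment."""
    return [bytes([b]) for b in text.encode()]


def single_segment(text):
    """Model a scripted client that writes the whole line in one segment."""
    return [text.encode() + b'\r\n']


def send_probe(host, payload, port=23, timeout=5.0):
    """Connect to host:port and send payload in one write; returns bytes sent.

    Run from the attacking box (PC1 in the thread) toward the telnet server
    behind the bridge (PC2) so the whole pattern crosses the IDS in one packet.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            sock.recv(1024)  # discard the server's option negotiation/banner
        except socket.timeout:
            pass
        return sock.send(payload)


if __name__ == '__main__':
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else '10.1.20.20'  # PC2 from the thread
    print('typed one key at a time:', any_segment_matches(keystroke_segments('OutOfBox'), SID_710))
    print('sent as one segment:   ', any_segment_matches(single_segment('OutOfBox'), SID_710))
    print('sent', send_probe(target, single_segment('OutOfBox')[0]), 'bytes to', target)
```

    Run it on PC1 as `python probe.py 10.1.20.20` with the SID 710 rule set to log or block. The local check prints False for the keystroke model and True for the single-segment send, which is the difference between typing "OutOfBox" into a telnet client and pushing it across the wire in one packet; if the single-segment send still produces no event, the problem is upstream of the content match (rule variables, direction, or the rule not being enabled), not the payload.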
  2. #2
    Untangle Ninja | Join Date: Jan 2009 | Posts: 1,186

    It's hard to judge from your description, if you laid it out, pc1 & pc3---router---UT---hub---pc2, all ethernet except pc3 which is wifi.

    If you're running the UT in bridge, are you sure your exploit attempts from PC1 to PC2 are entering from the external UT interface? Or, to put it another way, are you sure of the correct WAN-to-LAN direction, by testing the interfaces in the config of UT?
    Of course you're only using the ethernet on pc2 off the hub, wireless is off?

    Sounds like fun, something I've had on my list to do, low, but it's on the list.

  3. #3
    Newbie | Join Date: Apr 2009 | Posts: 5

    Network Topology - Using Metasploit to test IDS

    I guess I should have described things more fully.

    Here is a picture of who is connected to whom.

    Internet--DSLModem---(WAN)-Router-(LAN)--PC1&PC3--(ext)--UT--(int)--hub--PC2

    Router - ip 10.1.20.1 on LAN
    PC1 - ip 10.1.20.21 - running nmap, nessus, metasploit. telnet client - all aimed at PC2. Also running VNC server
    PC2 - ip 10.1.20.20 - XP, f/w off, wireless is off, running VNC server, Telnet server & IE7 (logged into UT as admin)
    PC3 - ip 10.1.20.22 - running VNC viewer 2x and connected to PC1 & to PC2
    UT - ip 10.1.20.23 on external, bridged to 2nd network card (internal)

    Everything is hardwired except PC3 which is wifi into router. The hub has no wireless. PC2 has no wireless.

    So I am attacking PC2 from PC1 by coming into the external i/f of the UT.

    I hope that makes the description of my experiment clearer.
    Last edited by gMark; 05-02-2009 at 04:36 AM. Reason: change NT (typo) to UT

  4. #4
    Untangle Junkie dmorris | Join Date: Nov 2006 | Location: San Carlos, CA | Posts: 17,486

    do you have attack blocker installed? is anything in its eventlog?
    beware that attack blocker may be blocking those sessions from even connecting if that client (PC1) has a bad enough reputation.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Newbie | Join Date: Apr 2009 | Posts: 5

    As mentioned in the 1st post - I have the IDS and logging turned on - all other racks are off.

    When I go into the reports section, there are entries for Platform and Intrusion Prevention only.

    I should also add that I have some evidence that traffic is allowed to go through the UT box to PC1. For example, when I tried out the telnet exploit (log in with user name OutOfBox), I was able to connect to the telnet server on PC1. The server refused the connection since the account didn't exist but UT definitely did not stand in the way of the attempt.

  6. #6
    Untangle Ninja | Join Date: Jan 2009 | Posts: 1,186

    Last night I had a few minutes at a clients with a 6.0.2 UT in Bridge behind a gateway.
    I plugged a laptop booted into Ubuntu into one of the gateway LAN ports and ran the port scanner tool bundled with it, then ran Zenmap against both a node and then the subnet behind it. The IPS never triggered, but the attack blocker happily dropped 21 thousand requests and limited and rejected a few hundred.
    I glanced at the IPS rule list, but with 99 pages and my inability to find a search function I couldn't quickly tell if there was a rule that applied to scanning.

    The firewall logged all the udp and tcp sessions, the fw is set to pass and log all incoming.

    When I get a chance, I'll boot into BT3 and run some exploits in the same manner, with the attack blocker turned off of course.

  7. #7
    Newbie | Join Date: Apr 2009 | Posts: 10

    Btk3?

    Did you get anywhere with that? I have installed UT in a hostile network and found it to stop activity such as Back Orifice and some others, but I can't find logs anywhere to back that up, other than that the network is now running well and the hostile activity appears to have ceased.

  8. #8
    Newbie | Join Date: Apr 2009 | Posts: 5

    I have not made any headway.

    For fun I placed PC2 on the router's DMZ and ran a sniffer to see who might come knocking. I hoped all this traffic would fire off something in the UT box. I should mention I had all the racks turned on for this test.

    I got lots of visitors and my Avast Network Shield even reported a DCOM Exploit from someone. The sniffer said this computer was trying to talk to PC2 on ports 135 and 4460. I found a posting that said this:

    In this attack the attacker tries to exploit a vulnerability on TCP Port 135 and part of the attack includes creating a remote command shell on TCP port 4460 to which the attacker sends instructions to the victim to download the worm from TCP port 18394 and then execute it.

    The UT box didn't complain and obviously let all this traffic through and nothing was logged as being bad. The Intrusion Prevention rack logged 1573 events for the day of the test and 0 matches. The attack blocker reported 342 resource requests and 0 rejected.

    Anyone care to comment?

  9. #9
    Untangle Ninja | Join Date: Jan 2009 | Posts: 1,186

    Is your router running an SPI firewall?
    Is your router the network router, DHCP and/or DNS, or are you running fixed addresses?
    If so, that exploit would pass through the DMZ but not to the UT when the UT is on one of the router's LAN ports.

    With the UT in bridge have you connected the ext port to the router's dmz?
    Maybe then put pc2 behind UT to see if Avast triggers but UT does not?

    Keep at it, I'd like to get in on this myself but I'm swamped, I will follow up myself but it's going to be a bit.

  10. #10
    Master Untangler JEllingson | Join Date: Jan 2008 | Location: Warner Robins, GA | Posts: 342

    I'm wondering about IDS working in Untangle 6.1.0 as well.

    I used to have my UT box in bridged mode behind a pfSense firewall. pfSense with snort installed was always going off like mad with worm attacks, port scanning, etc.

    A couple weeks ago, I pulled pfSense out and built from scratch a new 6.1.0 UT box in standard router mode. Everything is on and working, but I get no messages of port scanning or worm code attacks or anything in the ID logs.

    I'll look at the IIS logs and see if some requests from worms made it through.

    - Jason

