@da_667@infosec.exchange
Now, I'm not doing this to be a bully, but I'm going to just note that this fella stated he was knowledgeable about Snort, Suricata, regular expressions, vulnerability management, Wireshark, and tcpdump.
I wanna remind you that I gave him a quick tutorial blog post on how to generate pcaps from a proof of concept exploit, and that his resume says he is competent in this skillset.
https://community.emergingthreats.net/t/come-sail-the-cves-part-2-turning-data-into-rules/2751
My boy took four hours to tell me that his pcap was empty and had nothing in it. So I ask 'em: what is the command you're using?
He copies it to me. The -i option is reserved for the interface you want to sniff packets on. I have not a single clue why, but his -i switch was an IP address.
@da_667@infosec.exchange
I demo using ip -br a to briefly list the network interfaces in one's VM, and show how to figure out which is which, according to the IP address next to it and by process of elimination. He generates a pcap.
Then he generates rules. Plural. For a directory traversal attack. Both rules trigger alerts, but neither rule actually detects the directory traversal attack. I even gave him the regex string we typically use for catching directory traversal attempts, because it's kind of complex, but it's extremely effective.
pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R";
In layman's terms this reads: "IMMEDIATELY after the previous content match (^, /R flag), look for one to two period characters, then at least one forward slash (/) or backslash (\), in either plain or url-encoded form, and find this entire pattern at least twice."
Nowhere in either rule was the regex I gave him, which I hinted he should definitely use. No, he focused on the curl user-agent, and the fact that python3's http.server module throws a 501 error and doesn't support POST requests, when I told him, straight up, we do not care what the server responds with, we just wanna see what the exploit looks like being thrown at a server.
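The traversal regex explained above, as an added example that is not part of the original thread: a transcription of the PCRE into Python's re dialect, run over a handful of constructed request lines. The /R modifier is emulated by matching the regex against the buffer from the end of a preceding content match; the content string "/cgi-bin/" used as that anchor is a hypothetical stand-in, and the sample requests are constructed, not captured traffic.

```python
import re

# The directory-traversal PCRE from the post, written in Python's `re` dialect.
# Python supports every construct used: \xNN hex escapes, non-capturing
# groups, the lazy `*?`, and bounded repeats.
TRAVERSAL_RE = re.compile(
    r"^[^\x26]*?"                          # anything except '&', lazily
    r"(?:"
    r"(?:\x2e|%2[Ee]){1,2}"                # one or two '.' (plain or %2e)
    r"(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}"     # one or more '/' or '\' (plain or encoded)
    r"){2,}"                               # the whole dot-slash unit at least twice
)

# Hypothetical preceding content match that the /R anchor is relative to.
ASSUMED_CONTENT = "/cgi-bin/"

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = {
    "plain":        "GET /cgi-bin/../../../../etc/passwd HTTP/1.1",
    "url_encoded":  "GET /cgi-bin/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1",
    "mixed":        "GET /cgi-bin/..%2f..%5cwindows/win.ini HTTP/1.1",
    "backslash":    "GET /cgi-bin/..\\..\\windows\\win.ini HTTP/1.1",
    "benign":       "GET /cgi-bin/index.html HTTP/1.1",
    "single_hop":   "GET /cgi-bin/../static/app.js HTTP/1.1",
    "after_amp":    "GET /cgi-bin/view?page=home&next=../../etc/passwd HTTP/1.1",
}


def match_relative(buffer: str, content: str) -> bool:
    """Emulate `content:"<content>"; pcre:"/.../R";`.

    With the R modifier the pcre is evaluated relative to the end of the
    previous content match, so `^` means "immediately after that match".
    We reproduce that by locating the content string and matching the
    regex against the remainder of the buffer from that point.
    """
    idx = buffer.find(content)
    if idx == -1:
        return False  # no content match, so the rule could not fire at all
    return TRAVERSAL_RE.match(buffer[idx + len(content):]) is not None


def classify(requests: dict, content: str = ASSUMED_CONTENT) -> dict:
    """Return {name: True/False} for whether each request line would alert."""
    return {name: match_relative(line, content) for name, line in requests.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLE_REQUESTS).items():
        print(f"{name:12s} {'ALERT' if hit else 'no match'}")
```

Two results are worth noticing: "single_hop" does not alert because the dot-slash unit has to repeat at least twice back to back, and "after_amp" does not alert because the leading `[^\x26]*?` cannot cross an `&`, so the regex only reaches into the path or the first query parameter after its anchor.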