THM Walkthrough — Snort Challenge — Live Attacks

Hatice Zehra Kamanlı
7 min read · Feb 23, 2024


Hi! I am very excited to share with you the challenge steps I have completed. First of all, I should point out that we will use the commands given in the Snort room here as well.

If everything is okay, let’s begin. If not, you can contact me.

Introduction

Before joining this room, we suggest completing the snort room.

Note: There are two VMs attached to this challenge. Each task has dedicated VMs. You don’t need SSH or RDP, the room provides a “Screen Split” feature.

Scenario 1 | Brute-Force

[+] J.A.V.A. Welcome, sir. I am sorry for the interruption. It is an emergency. Somebody is knocking on the door!

[+] YOU Knocking on the door? What do you mean by “knocking on the door”?

[+] J.A.V.A. We have a brute-force attack, sir.

[+] THE NARRATOR This is not a comic book! Would you mind going and checking what’s going on! Please…

[+] J.A.V.A. Sir, you need to observe the traffic with Snort and identify the anomaly first. Then you can create a rule to stop the brute-force attack. GOOD LUCK!

First of all, start Snort in sniffer mode and try to figure out the attack source, service and port.

Then, write an IPS rule and run Snort in IPS mode to stop the brute-force attack. Once you stop the attack properly, you will have the flag on the desktop!

Here are a few points to remember:

  • Create the rule and test it with “-A console” mode.
  • Use “-A full” mode and the default log path to stop the attack.
  • Write the correct rule and run the Snort in IPS “-A full” mode.
  • Block the traffic at least for a minute and then the flag file will appear on your desktop.

Let’s begin

As written in the tips, we will rely on two Snort alert modes: “-A console” to test the rule, and “-A full” with the default log path to actually stop the attack. Both are flags passed to Snort together with its configuration file; the full command is shown further down.

Then let’s proceed by following the steps given above. We should start Snort in sniffer mode and try to figure out the attack source, service and port. For this, we first need to run the following command:

sudo snort -v -l .

After running this command for a while, we can stop it with ‘Ctrl + C’ and examine the logs.

The capture is saved in the current directory as a file named ‘snort.log.xxx’, where xxx is a timestamp. What we need to do is find xxx; TAB completion does this for us. Then run:

sudo snort -r snort.log.1708695095 -X

After Snort has finished reading the file and printing it to the screen, we need to scroll up to the last packet.

When I examined the packets, I noticed that port 22 appeared on both the destination and the source. To see if my suspicions were justified, I ran the following command using grep.

sudo snort -r snort.log.1708695095 -X | grep :22

This way we can see the packets involving port 22. As my suspicions grew stronger, I ran the same command again with grep “ssh”, since SSH is the service running on port 22.

Question-2: What is the name of the service under attack?

answer >> ssh

So let’s narrow it down and take a look at the packet. To do this I used the command sudo snort -r snort.log.1672414629 -X -n 30, which will only output the first 30 packets to the terminal.

When we scroll up, we will notice the packet standing apart from the others.

Comparing the IP:port pairs with the logs we found before shows the same pattern, so the suspicion is confirmed and we have the answer to the third question.

Question-3: What is the used protocol/port in the attack?

answer >> TCP/22

To answer the first question, let’s write our snort rule.

First, we need to open the local.rules file in a text editor, using the command:

sudo gedit /etc/snort/rules/local.rules

Considering the requirements, the ‘action’ value of our rule should be drop, and we know the protocol is TCP. To finish off the rule, since we only have one, the sid: should be 100001 and the rev: will stay at 1.

Let’s save this and exit.

I ran the following command, using the method shown under the ‘IPS mode and dropping packets’ heading in the Snort room.

sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A full

Then press Enter and let it run until the flag.txt file pops up on the desktop. Congratulations!

Question-1: Stop the attack and get the flag (which will appear on your Desktop)

answer >> THM{81b7fef657f8aaa6e4e200d616738254}

Scenario 2 | Reverse-Shell

[+] You Thanks team. J.A.V.A. can you do a quick scan for me? We haven’t investigated the outbound traffic yet.

[+] J.A.V.A. Yes, sir. Outbound traffic investigation has begun.

[+] THE NARRATOR The outbound traffic? Why?

[+] YOU We have stopped some inbound access attempts, so we didn’t let the bad guys get in. How about the bad guys who are already inside? Also, no need to mention the insider risks, huh? The dwell time is still around 1–3 months, and I am quite new here, so it is worth checking the outgoing traffic as well.

[+] J.A.V.A. Sir, persistent outbound traffic is detected. Possibly a reverse shell…

[+] YOU You got it!

[+] J.A.V.A. Sir, you need to observe the traffic with Snort and identify the anomaly first. Then you can create a rule to stop the reverse shell. GOOD LUCK!

First of all, start Snort in sniffer mode and try to figure out the attack source, service and port.

Then, write an IPS rule and run Snort in IPS mode to stop the brute-force attack. Once you stop the attack properly, you will have the flag on the desktop!

Here are a few points to remember:

  • Create the rule and test it with “-A console” mode.
  • Use “-A full” mode and the default log path to stop the attack.
  • Write the correct rule and run the Snort in IPS “-A full” mode.
  • Block the traffic at least for a minute and then the flag file will appear on your desktop.

Then let’s proceed again by following the steps given above. We should start Snort in sniffer mode and try to figure out the attack source, service and port. For this, we first need to run the following command:

sudo snort -v -l .

After running this command for a while, we can stop it with ‘Ctrl + C’ and examine the logs.

As before, the capture is saved in the current directory as ‘snort.log.xxx’, where xxx is a timestamp. We need to find xxx with TAB completion, then run the following command:

sudo snort -r snort.log.xxx -X

When I examined the packets, I noticed that port 4444 appeared on both the destination and the source. This could indicate the possibility of a reverse shell.

Now we can answer the second question:

Question-2: What is the used protocol/port in the attack?

answer >> tcp/4444

A little searching on Google for port 4444 turns up the tool associated with it.

Question-3: Which tool is highly associated with this specific port number?

answer >> metasploit

Now that we have the necessary port information, we can write the snort rule.

sudo gedit /etc/snort/rules/local.rules

Considering the requirements, the ‘action’ value of our rule should again be drop, and we know the protocol is TCP. To finish off the rule, since we only have one, the sid: should be 100001 and the rev: will stay at 1.

Let’s save this and exit.
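Since the post describes the rules for both scenarios without printing them, here they are written out in full. This is an added example, not the contents of the author’s local.rules; the msg strings are my own wording, while action, protocol, ports, sid and rev follow the walkthrough.

```snort
# --- Scenario 1: /etc/snort/rules/local.rules on the first VM ---
# Step 1: check that the rule fires at all (run Snort with -A console).
# "<>" is bidirectional, which is why port 22 showed up as both source
# and destination in the sniffer log: client->server and server->client
# halves of each SSH attempt both match.
alert tcp any any <> any 22 (msg:"SSH brute-force attempt"; sid:100001; rev:1;)

# Step 2: swap "alert" for "drop" before the IPS run
# (-Q --daq afpacket -A full). Keep only one of the two lines active,
# because Snort refuses to load two rules with the same sid.
# drop tcp any any <> any 22 (msg:"SSH brute-force blocked"; sid:100001; rev:1;)

# --- Scenario 2: /etc/snort/rules/local.rules on the second VM ---
# Same pattern for the reverse shell on TCP/4444: test with alert,
# then switch to drop for the IPS run.
alert tcp any any <> any 4444 (msg:"Reverse shell on 4444"; sid:100001; rev:1;)
# drop tcp any any <> any 4444 (msg:"Reverse shell on 4444 blocked"; sid:100001; rev:1;)
```

A quick way to confirm the file parses before the IPS run is sudo snort -c /etc/snort/snort.conf -T, which validates the configuration and rules without touching traffic.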

I ran the following command, using the method shown under the ‘IPS mode and dropping packets’ heading in the Snort room.

sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A full

Then press Enter and let it run until the flag.txt file pops up on the desktop.

Congratulations!

Question-1: Stop the attack and get the flag (which will appear on your Desktop)

answer >> THM{0ead8c494861079b1b74ec2380d2cd24}

That’s it, you have finished both challenges.

I hope I could help. If you have any feedback, I’m always here. Enjoy your work.
