Petr Kazil
Hi, I have a test machine running on the Internet without a firewall (on
purpose). Every evening I start getting a lot of failed logons to my
accounts (Administrator, krbtgt, IUSR etc.). My guess is that hackers come
home from work and start hacking - or - innocent users come home and switch
on their infected machines.
Question 1:
Using _windump_ and _ethereal_ I can trace this traffic to port 445 and many
different IP addresses. These must be worms, trojans or scripts, since I get
many logon attempts every second. That's too fast for manual hacking.
Using _ScoopLM_ I can filter out the challenge, lm-response and ntlm
response. But what tool could I use to get the passwords that these entities
are trying against my machine? I would like to know what kind of
dictionaries they are using.
Since this is just "fooling around" I cannot afford the 100+ dollars for
Lophtcrack, and I don't even know if that would do the trick. Any
suggestions?
Question 2:
If I want to catch a live worm, what is the common procedure? I could share
a directory and then write a script that scans the directory every minute or
so. As soon as a file appears in the directory I could reset the share or
file permissions or block the network traffic (I guess a lot is possible
with WMI). But probably there are more elegant and intelligent solutions.
(Note: Snort doesn't seem to work on this machine, it's an old laptop with a
Xircom Cardbus. Snort and nmap don't seem to work with this PCMCIA network
interface.)
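A polling watcher for the shared-directory idea in Question 2, as an added example that is not part of the original post and not one of the tools it mentions. It assumes the share is reachable as a local directory path and that a second directory can serve as quarantine; it uses only the Python standard library rather than WMI, so it runs on whatever system the share is mounted on. It waits until a dropped file has gone one full poll without changing size or mtime before taking it, hashes it, moves it out of the share and marks it read-only, so you keep a complete sample instead of a half-written one.

```python
import hashlib
import os
import shutil
import time
from datetime import datetime


def snapshot(share_dir):
    """Map each regular file in share_dir to (size, mtime) so changes are visible."""
    state = {}
    for name in os.listdir(share_dir):
        path = os.path.join(share_dir, name)
        if os.path.isfile(path):
            st = os.stat(path)
            state[name] = (st.st_size, st.st_mtime)
    return state


def settled_new_files(baseline, previous, current):
    """Files not in the baseline whose size and mtime did not change between two polls.

    Waiting for one unchanged poll avoids grabbing a file the dropper is still
    writing, which would leave you with a truncated sample.
    """
    return sorted(
        name for name, meta in current.items()
        if name not in baseline and previous.get(name) == meta
    )


def sha256_of(path):
    """Hash the sample before it is moved, so the record matches what was dropped."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(share_dir, name, quarantine_dir):
    """Hash the dropped file, move it out of the share, make it read-only, return a record."""
    os.makedirs(quarantine_dir, exist_ok=True)
    src = os.path.join(share_dir, name)
    digest = sha256_of(src)
    stamp = datetime.now().strftime("%Y%m%dT%H%M%S")
    dst = os.path.join(quarantine_dir, f"{stamp}_{digest[:16]}_{name}")
    shutil.move(src, dst)
    os.chmod(dst, 0o400)  # nobody should be able to execute or modify the sample
    return {"name": name, "sha256": digest, "size": os.path.getsize(dst), "stored_as": dst}


def watch(share_dir, quarantine_dir, interval=60, max_cycles=None, baseline=None):
    """Poll share_dir every `interval` seconds and quarantine anything dropped into it.

    Files present when the watch starts form the baseline and are left alone;
    pass baseline={} to treat everything already there as dropped. max_cycles
    bounds the loop (None = run until interrupted). Returns the quarantine records.
    """
    if baseline is None:
        baseline = snapshot(share_dir)
    previous = baseline
    records = []
    cycles = 0
    while max_cycles is None or cycles < max_cycles:
        time.sleep(interval)
        current = snapshot(share_dir)
        for name in settled_new_files(baseline, previous, current):
            try:
                rec = quarantine(share_dir, name, quarantine_dir)
            except FileNotFoundError:
                continue  # vanished between the poll and the move; nothing to keep
            print(f"[{datetime.now().isoformat(timespec='seconds')}] quarantined "
                  f"{rec['name']} sha256={rec['sha256']} size={rec['size']}")
            records.append(rec)
            current.pop(name, None)  # it is no longer in the share
        previous = current
        cycles += 1
    return records


if __name__ == "__main__":
    import sys
    # usage: python watch_share.py <share_dir> <quarantine_dir> [interval_seconds]
    watch(sys.argv[1], sys.argv[2], interval=int(sys.argv[3]) if len(sys.argv) > 3 else 60)
```

The quarantine directory should sit outside any path that is shared or served, and the hash in each record is what you would later compare against AV or sandbox reports. Polling once a minute, as the post suggests, means the sample is taken up to two minutes after the drop; shorten the interval if the worm also tries to execute what it wrote.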