Skill Assessment - Snort

There is a file named wannamine.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to the Overpass-the-hash technique which involves Kerberos encryption type downgrading. Replace XX with the appropriate value in the last content keyword of the rule with sid XXXXXXX within the local.rules file so that an alert is triggered as your answer.

alert tcp $HOME_NET any -> any 88 (msg: "Kerberos Ticket Encryption Downgrade to RC4 Detected"; flow: no_stream, established, to_server; content: "|A1 03 02 01 05 A2 03 02 01 0A|", offset 12, depth 10; content: "|A1 03 02 01 02|", distance 5, within 6; content: "|A0 03 02 01 XX|", distance 6, within 6; content: "krbtgt", distance 0; sid:9999999;)

The answer is to replace XX with a byte value. So I just remove XX and run snort.

$ sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -R /home/htb-student/local.rules -r /home/htb-student/pcaps/wannamine.pcap -v -A cmg | grep 'A0 03 02 01'

It gave me the hex values of the targeted packets and the byte values after A0 03 02 01 are: 01, 02 and 14 but none of them are correct. Any feedback?

Stuck on the same one, did you find any solution? :confused:

I also don’t find the correct answer, I need some instructions. Can someone help me, please?

I found the correct answer. You follow the same instructions above, then run the command:

sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -r /home/htb-student/pcaps/wannamine.pcap -v -A cmg

After that, you must read snort.raw[…], it looks like

Try to find administrator, then read the hex, and you will find code like "A0 03 02 01 XX".

Good luck

Well, after some trying I figured it out, but tbh, that was more like guessing.
As people here already said, you delete XX in the rule (in my opinion you can even delete the whole content: "|A0 03 02 01 XX|", distance 6, within 6; condition), then run snort and save the results.

After that you really need to search, and indeed if you logically search for A0 03 02 01, you will find only 12, 01 and 02 as next bytes, which is wrong.

So I searched for "administrator" as ngoducthuan12 said, but grep gave me no results, so I experimented a bit and found that this string is broken apart (like "adm inistrat … or").

So finally I did grep -A4 adm, and in the row with "03 02 01" you will find the needed byte at the end.

And honestly, as I mentioned, I have no logical solution; it was more like guessing with some clues, so if somebody really understands the task and the intended solution, I would appreciate it if you could explain it. :smiling_face_with_tear:

The local.rules file needs to be edited first: the XX phrase should be removed, then you should be able to find the correct number close to 14 with the snort query you used.

I don’t like the lab’s logic, the exercises should be based on the course content and here you have to guess or discover how to do things. Learning by guessing is not the best way…

Can anyone drop a hint related to the right answer? I found, as you all said, the values 01, 02, 12, 14, 17, but none of them work… Is the answer the right value, like A0 03 02 01 XX, or what exactly?
Tried to delete the whole content: "|A0 03 02 01 XX|", distance 6, within 6;
Tried to delete only the XX from the rule
Tried to make a rule for every value found: 01, 02, 12, 14, 17
I still don't understand what the answer must be …

Any help is welcomed. Thanks!

Got it.

I removed the XX phrase from the rule and reran snort, which was then able to detect the desired event (krb or something).

However, there are two 'A0' in the event: one is wrong and one is right.

Did you find the answer?

The answer format is XX and not XX XX XX XX XX. Pay attention to the hint: "XX".
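Added example (not from the thread, and not Snort's or HTB's code): a small Python model of how the quoted rule's content chain is evaluated, using the offset/depth and relative distance/within window semantics assumed in the comments, run over a constructed Kerberos-like payload that also carries a decoy "A0 03 02 01" before the one the rule reaches. It shows why the byte after the first grep hit is not necessarily the byte the rule matches; the sample's etype 0x17 is a constructed value (23 is rc4-hmac in the Kerberos etype registry).

```python
from typing import Optional

def window_find(payload: bytes, pattern: bytes, start: int, width: Optional[int]) -> int:
    """Find pattern lying entirely inside payload[start:start+width]
    (whole remainder if width is None). Returns match index or -1."""
    stop = len(payload) if width is None else min(len(payload), start + width)
    return payload.find(pattern, start, stop)   # find() needs the full pattern before stop

def match_prefix(payload: bytes) -> int:
    """Assumed semantics: offset/depth open an absolute window, distance/within
    a window relative to the END of the previous match. Returns the start of
    the window opened for the third content, or -1 if the chain breaks."""
    i = window_find(payload, bytes.fromhex("A1030201 05 A2030201 0A"), 12, 10)  # pvno 5, AS-REQ
    if i < 0:
        return -1
    i = window_find(payload, bytes.fromhex("A1030201 02"), i + 10 + 5, 6)        # padata-type 2
    return -1 if i < 0 else i + 5 + 6                                            # distance 6

def find_rule_etype(payload: bytes) -> Optional[int]:
    """XX as wildcard: locate A0 03 02 01 inside the rule's 6-byte window,
    leaving one byte of room so XX itself still falls in the window."""
    start = match_prefix(payload)
    if start < 0:
        return None
    i = window_find(payload, bytes.fromhex("A0030201"), start, 6 - 1)
    return None if i < 0 else payload[i + 4]

def naive_grep_etype(payload: bytes) -> Optional[int]:
    """What a plain grep for 'A0 03 02 01' reports: the first hit anywhere."""
    i = payload.find(bytes.fromhex("A0030201"))
    return None if i < 0 else payload[i + 4]

def rule_matches(payload: bytes, etype: int) -> bool:
    """Evaluate the full rule with XX set to etype, then 'krbtgt' at distance 0."""
    start = match_prefix(payload)
    if start < 0:
        return False
    i = window_find(payload, bytes.fromhex("A0030201") + bytes([etype]), start, 6)
    return i >= 0 and window_find(payload, b"krbtgt", i + 5, None) >= 0

# CONSTRUCTED payload (not from the pcap): 12-byte prefix, then the rule's fields.
SAMPLE = (
    bytes.fromhex("00000100 6c8200fc 308200f8")   # bytes 0-11: length prefix + outer tags
    + bytes.fromhex("A1030201 05 A2030201 0A")    # bytes 12-21: content 1 (offset 12, depth 10)
    + bytes.fromhex("A3819B30 81")                # bytes 22-26: 5 filler bytes (distance 5)
    + bytes.fromhex("A1030201 02")                # bytes 27-31: content 2
    + bytes.fromhex("A0030201 01 A2")             # bytes 32-37: DECOY A0 03 02 01 outside the window
    + bytes.fromhex("A0030201 17")                # bytes 38-42: the etype the rule reaches (constructed)
    + bytes.fromhex("3010") + b"krbtgt" + b"\x00"
)

if __name__ == "__main__":
    print("grep-style first hit :", hex(naive_grep_etype(SAMPLE)))   # 0x1 (decoy)
    print("rule-window byte     :", hex(find_rule_etype(SAMPLE)))    # 0x17
    print("rule fires with 0x17 :", rule_matches(SAMPLE, 0x17))      # True
```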