Using Network Monitor to Head Off an AUTH Attack
One practical use for Network Monitor is to obtain detailed information about the packets traveling to and from your server when you suspect the server is under attack. For example, you might be familiar with the type of attack in which a spammer bombards an Exchange server with SMTP AUTH commands until one of the logon attempts succeeds. By default, Microsoft Exchange Server 2003 and Microsoft Exchange 2000 Server let a mail server relay messages if the sender can authenticate with a valid username and password. A spammer obtains a valid user ID and password by performing a brute-force attack against your mail server or by launching some other type of attack against your network. You can turn on Exchange's Diagnostics Logging and set the MSExchangeTransport categories to the maximum logging level, which shows you the user ID that was used to authenticate to the server. However, the Microsoft Management Console (MMC) Event Viewer snap-in doesn't usually display the spammer's IP address. You can obtain the address by performing a packet capture, as follows:
Install Network Monitor on the Exchange server and begin a packet capture. (Of course, you must wait until the spammer authenticates to your server to obtain the spammer's IP address.) You might want to increase the capture-buffer size to make sure you don't lose any captured packet information. After the spammer authenticates to the server, you can stop the packet capture.
Set a filter for TCP Destination Port == 25, as Figure 5 shows. To do so, select Display, Filter and highlight the line Protocol==Any in the Display Filter window. Click the Edit Expression button, then click the Property tab. Scroll down in the Protocol Property window and double-click +TCP, then click Destination Port. Click == in the Relation window, select Decimal (below the Value window), enter a value of 25 (SMTP), and click OK.
Find the AUTH LOGIN command. Examine the data in each SMTP packet until you reach a packet that contains AUTH LOGIN. In the top window, the Src Other Addr column displays the spammer's IP address. Although the IP address might be spoofed, you can at least block port 25 traffic that comes from this address to prevent the spammer from using it in the future. Better yet, disable Basic and Integrated Windows Authentication on any Internet-facing Exchange server to prevent users from authenticating to the mail server when sending mail.
Find the username. In case you're wondering, the next command strings in the TCP data field should contain the username and password that were used to authenticate to the server. However, these values are Base64 encoded, so you'll need a Base64 encoder/decoder to read them. Many Base64 encoders/decoders are available on the Web, such as the one at http://www.dillfrog.com/tools/base-64_encode. (For practice, try using the Dillfrog decoder to decode the user ID c3BhbW1lcg== and the password cmVsYXk=. The decoded answers appear at the end of the article.) Of course, as I mentioned earlier, you can also increase the level of diagnostic logging on the Exchange server to view the user ID that was used to authenticate to your server.
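The following Python script is an added example, not part of the article, that performs the three steps above on a constructed capture: it applies the destination-port-25 filter, reconstructs each AUTH LOGIN exchange with the client address that sent it, and Base64-decodes the username and password. The server address 192.0.2.25, both client addresses and the second client's credentials are made up; the first client's Base64 values are the article's practice strings. It also handles the RFC 4954 form in which the username rides along on the AUTH LOGIN line, and malformed Base64.

```python
import base64, binascii
from collections import Counter

# Constructed sample capture (not the article's), one tuple per TCP segment as
# Network Monitor lists them: (src IP, src port, dst IP, dst port, TCP data).
# 192.0.2.25 stands in for the Exchange server; client addresses and the second
# client's credentials are made up; the first client's base64 is the article's.
SERVER = "192.0.2.25"
CAPTURE = [
    ("198.51.100.7", 4133, SERVER, 25, "AUTH LOGIN"),
    (SERVER, 25, "198.51.100.7", 4133, "334 VXNlcm5hbWU6"),
    ("198.51.100.7", 4133, SERVER, 25, "c3BhbW1lcg=="),
    (SERVER, 25, "198.51.100.7", 4133, "334 UGFzc3dvcmQ6"),
    ("198.51.100.7", 4133, SERVER, 25, "cmVsYXk="),
    (SERVER, 25, "198.51.100.7", 4133, "235 2.7.0 Authentication successful"),
    ("203.0.113.4", 1025, SERVER, 25, "AUTH LOGIN dXNlcjE="),  # RFC 4954 initial response
    (SERVER, 25, "203.0.113.4", 1025, "334 UGFzc3dvcmQ6"),
    ("203.0.113.4", 1025, SERVER, 25, "Z3Vlc3M="),
    (SERVER, 25, "203.0.113.4", 1025, "535 5.7.3 Authentication unsuccessful"),
]

def decode_b64(token):
    """Decode one base64 token; None when the token is missing or malformed."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError, TypeError):
        return None

def auth_attempts(capture, server_ip=SERVER):
    """Reconstruct each SMTP AUTH LOGIN exchange: client address, decoded
    username and password, and whether the server accepted the credentials."""
    attempts, pending = [], {}                  # pending tokens keyed by (client IP, port)
    for src, sport, dst, dport, data in capture:
        words = data.split()
        if dst == server_ip and dport == 25:    # client -> server, the article's display filter
            if [w.upper() for w in words[:2]] == ["AUTH", "LOGIN"]:
                pending[(src, sport)] = words[2:3]   # username may ride along as initial response
            elif (src, sport) in pending:
                pending[(src, sport)].append(data.strip())
        elif src == server_ip and sport == 25:  # server -> client; a 3xx reply asks for the next token
            code = data[:3]
            if (dst, dport) in pending and code.isdigit() and code[0] != "3":
                tokens = pending.pop((dst, dport)) + [None, None]
                attempts.append({"src": dst, "user": decode_b64(tokens[0]), "password": decode_b64(tokens[1]),
                                 "status": "success" if code == "235" else "failure"})
    return attempts

def failures_by_source(attempts):
    # Rejected logons per client address: a long run here is the brute-force sign the article describes.
    return Counter(a["src"] for a in attempts if a["status"] == "failure")
```

Feed it the frames of a real capture in the same tuple shape and the "success" entries give the addresses the article tells you to block, while the failure counts show which addresses were hammering the server beforehand.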
Armed for Network Troubleshooting
Network Monitor is a handy network troubleshooting tool, but it requires some training and skill to obtain the greatest benefit. Become familiar with Network Monitor and the traffic on your network before you have an emergency, so that you can establish some network baselines and not have to fight a learning curve under stressful conditions. Network Monitor and third-party network sniffers alike require expertise to quickly find and resolve problems. Get up to speed now to make the most of Network Monitor's capabilities.
Answers to the decoding examples: c3BhbW1lcg== decodes to "spammer"; cmVsYXk= decodes to "relay".
Very informative article that I will use for monitoring our office network.
bgermain, August 31, 2004