[unisog] Windows Command Prompt in the clear in the network?

Nathan W. Labadie ab0781 at wayne.edu
Thu Oct 12 13:27:31 GMT 2006

This is more or less situational. Around 75% of the "cmd.exe banner" 
alerts from our IDS are false positives. The guilty culprit is usually 
an SMTP, HTTP, POP3, etc. session that contains the signature itself 
(e.g. a web page describing how to add a user via cmd.exe). 

As far as the high source and destination port, there's always the 
chance that the user was downloading a file containing the signature 
via active FTP. If I recall correctly, I've also seen older versions of 
RPC-DCOM trigger the alert, but I could be wrong on this.

However, we do investigate all of the alerts that do not fall into the 
above categories via nmap:

nmap -sV -p <port> <host>

The "-sV" tells nmap to determine what type of service is listening on 
the port (great for finding backdoors in general). If it's a cmd.exe 
backdoor, nmap will report it as such, although I don't recall the 
exact output. Netcat can also be used to interrogate the port.

Hope this helps.


On Wednesday 11 October 2006 16:56, Glenn Forbes Fleming Larratt wrote:
> Folks,
> Honeypot and honeynet issues aside:
>    - is the presence in the clear of a Windows Command Prompt, from a
> high TCP source port to a high destination port, *ever*
>      legitimate/normal/to be expected in the Windows world?
>    - if not, is that presence *always* indicative of compromise, or at
> least of a vulnerability having been exploited?
> We have noted a 1-to-1 correspondence so far between compromised
> machines in our network and a Command Prompt banner
>      Microsoft Windows {XP,2000}...
> or
>      Microsoft(R) Windows NT...
> appearing in the sample payload of our network flow recorder
> (QRadar).
> Please reply to me, I will summarize to the list.
> Thanks,

Nathan W. Labadie
Sr. Security Specialist
C&IT Security and Access Management
Wayne State University

"They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759
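The triage logic described in the reply above (signature inside an ordinary SMTP/HTTP/POP3 session is usually a false positive; a high-port to high-port hit gets an `nmap -sV -p <port> <host>` follow-up), as an added example that is not part of the original post. The alert records, port list and banner regex are constructed here for illustration; the "shell-like" check (banner at the start of the payload followed by a `C:\...>` prompt) is a heuristic of mine, not something the thread states.

```python
import re
from dataclasses import dataclass

# Ports whose application-layer content routinely carries the banner text
# (web pages, mail, FTP transfers) without any shell being exposed.
# Constructed list for this example.
CONTENT_PORTS = {20, 21, 25, 80, 110, 119, 143, 443}

# Banner forms mentioned in the thread: "Microsoft Windows {XP,2000}..." and
# "Microsoft(R) Windows NT...". Constructed regex.
BANNER_RE = re.compile(r"Microsoft(?:\(R\))? Windows (?:XP|2000|NT)")
# A cmd.exe prompt line such as "C:\WINDOWS\system32>" (heuristic).
PROMPT_RE = re.compile(r"^[A-Za-z]:\\[^\r\n]*>", re.M)


@dataclass
class Alert:
    """One IDS hit. The payload was sent from src:sport to dst:dport."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


def triage(a: Alert) -> dict:
    """Classify a cmd.exe-banner alert and suggest the follow-up, if any."""
    if not BANNER_RE.search(a.payload):
        return {"verdict": "no-banner", "command": None}
    # Signature embedded in ordinary application traffic: usually benign content.
    if a.sport in CONTENT_PORTS or a.dport in CONTENT_PORTS:
        return {"verdict": "likely-false-positive", "command": None}
    # High port to high port: the sender of the banner is the side to interrogate.
    # Caveat: if the sender *initiated* the TCP session (connect-back shell), a
    # port probe of that host will find nothing listening; check the flow direction too.
    command = f"nmap -sV -p {a.sport} {a.src}"
    shell_like = a.payload.lstrip().startswith("Microsoft") and PROMPT_RE.search(a.payload)
    verdict = "shell-like" if shell_like else "banner-only"
    return {"verdict": verdict, "command": command}


# Constructed sample alerts (addresses, ports and payloads are made up).
SAMPLE_ALERTS = [
    # Web page that merely talks about cmd.exe, served on port 80.
    Alert("10.0.0.5", 80, "10.0.0.9", 51234,
          "<html><p>Open Microsoft Windows XP command prompt and run cmd.exe /c net user</p>"),
    # High-port to high-port, payload looks like an interactive shell banner.
    Alert("10.0.0.7", 4444, "10.0.0.200", 51822,
          "Microsoft Windows XP [Version 5.1.2600]\r\n"
          "(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>"),
    # High-port to high-port, banner buried in a file transfer, no prompt.
    Alert("10.0.0.12", 40011, "10.0.0.201", 49152,
          "...this patch applies to Microsoft(R) Windows NT hosts only..."),
    # No banner at all.
    Alert("10.0.0.3", 40012, "10.0.0.202", 49153, "GET / HTTP/1.0\r\n\r\n"),
]


def triage_all(alerts=SAMPLE_ALERTS) -> list:
    """Return one (verdict, follow-up command) pair per alert."""
    return [(r["verdict"], r["command"]) for r in map(triage, alerts)]


if __name__ == "__main__":
    for alert, (verdict, cmd) in zip(SAMPLE_ALERTS, triage_all()):
        print(f"{alert.src}:{alert.sport} -> {alert.dst}:{alert.dport}  {verdict}  {cmd or ''}")
```

Only the "shell-like" and "banner-only" verdicts carry an nmap command; everything on a well-known content port is parked as a probable false positive, which matches the roughly 75% figure the reply gives.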
