Category Archives: How To

IT Audit: 3 Easy Steps to Finding Rogue Wireless Clients

Filed under How To, Security

Everyone knows to check for unauthorized wireless access points within the business.  What about unauthorized client access, though?  What I’m talking about here is your employees connecting to other open wireless networks from their office!

It turns out that there are some really simple things you can do to discover if there are hosts from your network connecting to unprotected networks nearby and to figure out which hosts are the rogues.  To do this testing we need just a few tools.

Wireless Sniffer

Any wireless sniffer will do provided it creates PCap based output files.  Tools like Kismet, TCPDump and Airodump produce exactly what we’re looking for.  Start out by simply looking for open wireless networks and configure your tool to store a packet capture file.  You don’t need any encryption keys, you don’t need any special configurations, just turn it on and store the file!

Extracting Strings

NetBIOS broadcasts the workstation and domain names every minute or so on the network.  The NetBIOS information is encoded, so you can’t read it directly, but they’re pretty easy to spot; they’re always 32 characters long and in upper case.  To find them we can just use the “strings” tool to extract printable strings:

David-Hoelzers-iMac:class dhoelzer$ strings wireless.cap | more
809056 3 ipp://appleserver-1.private:631/printers/LaserJet2200
_tcp
_tcp
local
EEEBFGEJEECNEIEJECDBFDFFEEEGDCAA
FHEPFCELEHFCEPFFFACACACACACACABN

Notice the long strings of uppercase letters?  These are exactly what we’re looking for!  With a little bit of easy magic we can narrow these down to just what we need.  Here’s an example one line script that can do this for us:

#!/bin/sh
# Usage: ./extract_strings capture.cap (reads stdin if no file is given); keeps only the 32-character A-P runs that NetBIOS first-level encoding produces, dedupes them and hands them to the decoder
strings -n 32 $1 | grep -oE '[A-P]{32}' | sort -u | ./netbios.pl

We may still get some additional “junk” but what we have now is in a condition that it’s super easy to extract the NetBIOS names and decode them!

Decoding Names

Now that we’ve got the strings we need to decode them.  We’re not going to get into how the encoding scheme works, but we will point you at a script that can very quickly and easily decode them for you!  You can download the script here.

Putting our extraction script together with our decoding script gives us the following result:

David-Hoelzers-iMac:class dhoelzer$ cat wireless.cap | ./extract_strings 
Wide character in print at ./netbios.pl line 16, <STDIN> line 21.
Wide character in print at ./netbios.pl line 16, <STDIN> line 21.
�?????????????????
APPLESERVER-1  
DAVID-HIB1SUDF2
ENCLAVEFORENSIC
ENCLAVEFORENSIC
IMAC            
MACINTOSH-6    
NEVADA-TIME-CA  
WORKGROUP      
WORKGROUP      
WORKGROUP      
David-Hoelzers-iMac:class dhoelzer$ 

Looking at this output and considering our corporate network we can see that our domain name is in fact being broadcast out onto some other wireless network which means that we have some naughty users!  Going further we could track down which packets these names came from and then extract the MAC addresses of the hosts involved.  If we have a good hardware inventory we can then use this to identify the offenders.
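The post points at a Perl decoder rather than explaining the encoding, so here is an added Python decoder (not the post's netbios.pl) for the first-level encoding: each byte of the 16-byte name is split into two nibbles and each nibble is written as the letter 'A' plus its value, which is why the names are always 32 characters from A to P. The sample input is constructed from the two encoded names shown in the strings output above; the suffix table lists the common NetBIOS service suffixes.

```python
import re

# First-level encoding: 16 bytes -> 32 letters in the range A-P.
ENCODED_NAME = re.compile(r"[A-P]{32}")

# Common meanings of the 16th byte (the NetBIOS suffix).
SUFFIX_MEANING = {
    0x00: "workstation / domain name",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x1E: "browser service elections",
    0x20: "file server service",
}


def decode_netbios_name(encoded):
    """Reverse NetBIOS first-level encoding.

    Returns (name, suffix): the 15-character name with trailing padding
    stripped, and the 16th byte as an int.
    """
    if not ENCODED_NAME.fullmatch(encoded):
        raise ValueError("not a first-level encoded NetBIOS name: %r" % encoded)
    raw = bytearray()
    for i in range(0, 32, 2):
        hi = ord(encoded[i]) - ord("A")
        lo = ord(encoded[i + 1]) - ord("A")
        raw.append((hi << 4) | lo)
    name = raw[:15].decode("ascii", errors="replace").rstrip()
    return name, raw[15]


def extract_names(text):
    """Find every encoded name in a blob of strings(1) output and decode it.

    Returns a sorted list of unique (name, suffix) tuples; runs of A-P that
    happen not to decode cleanly are skipped rather than aborting the run.
    """
    found = set()
    for match in ENCODED_NAME.findall(text):
        try:
            found.add(decode_netbios_name(match))
        except ValueError:
            continue
    return sorted(found)


# Constructed sample: the two encoded names from the strings output above
# plus unrelated lines that the filter must ignore.
SAMPLE_STRINGS_OUTPUT = """\
809056 3 ipp://appleserver-1.private:631/printers/LaserJet2200
_tcp
local
EEEBFGEJEECNEIEJECDBFDFFEEEGDCAA
FHEPFCELEHFCEPFFFACACACACACACABN
"""

if __name__ == "__main__":
    for name, suffix in extract_names(SAMPLE_STRINGS_OUTPUT):
        print("%-15s <%02X> %s" % (name, suffix, SUFFIX_MEANING.get(suffix, "unknown")))
```

The suffix is worth keeping: a 0x1D entry is a host acting as master browser for that workgroup, which is a stronger hint about what is sitting on the foreign network than the bare name.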

For a comprehensive course on how to identify critical controls, validate that the correct controls are in place and validate processes, consider the SANS 6 day course, “Advanced System & Network Auditing“.  David Hoelzer is the SANS IT Audit Curriculum Lead and the author of several SANS IT Audit related courses.

IT Audit: 6 VMWare Settings Every IT Auditor Should Know About

Filed under Checklists, Compliance, How To, Security

For organizations using VMware virtualization technologies, there are likely a number of different virtual machines in the environment, representing a number of platforms ranging from Windows desktops and servers to Linux and UNIX systems as well. Each of these will have an associated file with the VMX extension that contains the VM’s specific configuration details – hardware specifications, software information, and a number of settings that can definitively impact security and compliance for the environment hosting that virtual machine. Unfortunately, documentation for these files is sorely lacking, and auditors are often left to their own devices to determine what VM settings are enabled and what their impacts could be. Here we’ll take a look at settings that impact security, and how they should ideally be configured:

Goal: Disabling Copy & Paste operations between the VMware host and the VM guest

VMX Settings:

isolation.tools.copy.disable = "TRUE"
-Disables copy functionality
isolation.tools.paste.disable = "TRUE"
-Disables paste functionality
isolation.tools.setGUIOptions.enable = "FALSE"
-Disables any GUI functionality for these options

Goal: Disable “Drag and Drop” functionality between VMware host and guests

VMX Setting:

isolation.tools.dnd.disable = "TRUE"
-Disables Drag and Drop functionality

Goal: Disable shared folders between the VMware host and any VMs (mostly applicable on Workstation versions)

VMX Setting:

isolation.tools.hgfs.disable = "TRUE"
-Disables all shared folder functionality

Goal: Ensure proper logging is enabled for the VM, and that ESX-VM logging interactions are set accordingly

VMX Settings:

log.rotateSize = "100000"
-This value should be set to a number in Kbytes (this example is 100k). As these logs can become very large, a policy for these is important to maintain.

log.keepOld = "10"
-This value determines the number of log files maintained in a rotation schedule (this example is 10 distinct logs kept at a time)

isolation.tools.log.disable = "FALSE"
-This setting ensures that logging is enabled. This is the default, so the configuration item may not be present, which is fine.

logging = "TRUE"
-This enables VM logging for the ESX host, monitoring the VMX process that manages VM interaction

log.fileName = "logs/vm.log"
-Sets the log file name and path. Ensure this matches policy and process.

Goal: Disable Unauthorized hardware and devices within a VM

VMX Settings:

floppy<x>.present = "FALSE"
serial<x>.present = "FALSE"
parallel<x>.present = "FALSE"

All of these settings disable various device types, replacing <x> with a numeral starting at 0 (depending on the number of devices in a system)

Goal: Prevent VM users from connecting and removing devices

VMX Settings:

isolation.tools.connectable.disable = "TRUE"
-This setting disables a user's ability to connect removable devices, such as USB drives.

<devicename>.allowGuestConnectionControl = "FALSE"
-This setting, on a per-device basis, disables guest user control of a specific device.

This is not a complete list of VMX settings, by any means, and there are many more that could potentially be configured within your environment. This is a great start in terms of “best practices” security settings, however, and can help you begin to develop a baseline for ongoing monitoring and measurement.
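Since the documentation gap is the whole problem, an auditor usually ends up checking these keys by hand across dozens of VMX files. Here is an added Python checker (not VMware's tooling or the post's) that parses a VMX file and reports deviations from the settings listed above; the sample VMX text is constructed, and the treatment of isolation.tools.log.disable as default-safe is an assumption taken from the note above.

```python
import re

# Settings from the list above that must be present with exactly this value.
# A missing key is reported, because for several of these the VMware default
# is the permissive option.
EXPECTED_VMX = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
    "isolation.tools.dnd.disable": "TRUE",
    "isolation.tools.hgfs.disable": "TRUE",
    "isolation.tools.connectable.disable": "TRUE",
    "logging": "TRUE",
}

# Assumption (from the note above): logging is on unless explicitly disabled.
DEFAULT_SAFE = {"isolation.tools.log.disable": "FALSE"}

# floppy0.present, serial1.present, ... : any of these set TRUE is a finding.
DEVICE_KEY = re.compile(r"^(floppy|serial|parallel)\d+\.present$")


def parse_vmx(text):
    """Parse 'key = "value"' lines into a dict. Keys are case-sensitive in VMX."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([\w.:-]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_vmx(text):
    """Return a sorted list of findings for one VMX file's contents."""
    settings = parse_vmx(text)
    findings = []
    for key, want in EXPECTED_VMX.items():
        got = settings.get(key)
        if got is None:
            findings.append("%s not set (expected %s)" % (key, want))
        elif got.upper() != want:
            findings.append("%s = %s (expected %s)" % (key, got, want))
    for key, want in DEFAULT_SAFE.items():
        got = settings.get(key, want)
        if got.upper() != want:
            findings.append("%s = %s (expected %s)" % (key, got, want))
    for key, value in settings.items():
        if DEVICE_KEY.match(key) and value.upper() == "TRUE":
            findings.append("%s = TRUE (unauthorized device enabled)" % key)
        if key.endswith(".allowGuestConnectionControl") and value.upper() == "TRUE":
            findings.append("%s = TRUE (guest can control device)" % key)
    if "log.rotateSize" not in settings or "log.keepOld" not in settings:
        findings.append("log rotation (log.rotateSize / log.keepOld) not configured")
    return sorted(findings)


# Constructed sample VMX with a mix of good, bad and missing settings.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "finance-app-01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
isolation.tools.hgfs.disable = "TRUE"
logging = "TRUE"
log.rotateSize = "100000"
log.keepOld = "10"
floppy0.present = "TRUE"
serial0.present = "FALSE"
ethernet0.allowGuestConnectionControl = "TRUE"
"""

if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX):
        print(finding)
```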

4 Easy Steps: Searching for Hashes of Malicious Files (APT – Aurora)

Filed under How To, Security

A couple weeks ago I posted a blog article with some sample file hashes and domain names associated with the recent Google hacks (think APT or Aurora). More information on those file hashes can be found here.

Since then I've had quite a few people ask me: if you have a system that you suspect might have been compromised, how do you search that system for malicious files when you have a list of hashes that you know are malicious? In other words, you have a list of hashes and you want to know whether there are any files on your file system that have the same hash value.

Disclaimer – before we continue you should know that hashes of malicious files are just one way of attempting to discover whether your system has been compromised. Especially when dealing with a threat like APT, which is highly intelligent and adaptable, you have to know that if the threat realizes you're on to them and looking for a specific set of hashes, they're smart enough to adapt. What will they do? They'll change their malicious files so the hashes change as well. There's no doubt this is a limitation. But by using the technique we're about to describe you can at least start to eliminate some of the low-hanging fruit. You may also want to investigate the projects involved with fuzzy hashing, which may be an alternative to some of the standard techniques described here.

Ok, now that you’re ready to start examining your systems for malicious files, here is a process to consider:

Step One: Assemble a Text File of Known Malicious Hashes. The first step you need to follow is to gather a list of hashes of known malicious files. This will be the list of hashes you’re scanning your system for. Remember, the value of your scan will only be as good as the list of hashes you have. A starter list of MD5 hashes is currently being hosted at Enclavesecurity.com and can be found here if you’re looking for a list to get you started. This list certainly is not comprehensive, but at least is a place to consider building your first list from.

Step Two: Decide Which Hashing Tool to Use. There are a number of good tools that you can use to scan your system and to generate hashes of all the files on your file system. Many of these tools are commercial and there are open source tools for this as well. On the commercial side tools like Tripwire, Lumension, and Bit9 are quite effective at this. There are certainly others, but many of you are already using these tools, so you might as well take advantage of them. Unfortunately there are also many of you that simply cannot afford these tools. If you’re looking for a good open source tool to use to start scanning your systems, let me recommend MD5Deep. This is a tool in the public domain that is especially useful for this purpose. While there’s not enough time in this post to talk about how to use the tool, we’ll post more on it later. You could also consider rolling your own scripts, using PowerShell or shell scripting to generate these hashes as well (but I still recommend MD5Deep – it’s cross platform, supports recursive file scans of directories, and natively interfaces with a number of hash databases).

Step Three: Scan Your System. Now that you have your list of hashes for malicious files and your scanning tool, it's time to scan your system to see if any files with these hashes exist on it. This is the basic part of the exercise – do you have malicious files on your system or not? Depending on the tool you're using this process will be slightly different, but in the end you're trying to determine if you have a compromised host. Auditors – you should be asking companies the control question: if law enforcement approaches you with a list of hashes like we're describing here and says you need to check whether any of these files exist on particular hosts in your environment, how would you look for the hashes? Ask to see their process in action (we want more than tabletop reviews here).

Step Four: Automate System Scans. Finally, once you have your tool working in manual mode, automate the scans. This is one of the major principles of the 20 Critical Controls / Consensus Audit Guidelines that we talk so much about. Manual scans are fine when you need to use them – but how much better is it if you could implement a tool that would be constantly scanning your systems and would notify you if one of the hashes were discovered? Automation is key.
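For those who go the "roll your own" route from Step Two, here is an added Python scanner (not md5deep, and not from the post) that carries Steps One through Three end to end: it reads a known-bad list in the one-hash-per-line or md5deep "hash  path" format, hashes every regular file under a directory tree in chunks, and reports the matches. The known-bad list and the planted file in demo() are constructed for the example, not real indicators.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files do not exhaust memory


def load_hash_list(text):
    """Parse a known-bad list: one MD5 per line, blank lines and '#' comments
    ignored. md5deep-style '<hash>  <path>' lines work too (first field only)."""
    bad = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest = line.split()[0].lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            bad.add(digest)
    return bad


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, bad_hashes):
    """Walk root recursively; return sorted (path, md5) for files on the list.

    Symlinks are skipped and unreadable files are passed over rather than
    aborting the scan, so one locked file does not hide the rest.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in bad_hashes:
                hits.append((path, digest))
    return sorted(hits)


def demo():
    """Constructed demo: one planted file whose hash is on the list, one that is not.
    Returns the matching paths relative to the scanned root, with '/' separators."""
    root = tempfile.mkdtemp(prefix="hashscan-")
    os.makedirs(os.path.join(root, "sub"))
    planted = os.path.join(root, "sub", "update.exe")
    with open(planted, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE FILE, NOT MALWARE\n")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign content\n")
    # A real list comes from a trusted source; here it is built from the planted file.
    hash_list_text = "# known-bad MD5s (constructed)\n%s  update.exe\n" % md5_of_file(planted)
    hits = scan_tree(root, load_hash_list(hash_list_text))
    return [os.path.relpath(p, root).replace(os.sep, "/") for p, _ in hits]


if __name__ == "__main__":
    print(demo())
```

Running it on a schedule with the hit list written to a log, or to the event log as the next post describes, is the Step Four part.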

While there are certainly other ways to go about looking for malicious files on your file system or indicators of compromise on a system, examining file hashes certainly has to be part of your arsenal. If you’re auditing a system, knowing that you have a control in place to scan for signatures of known bad files has to be part of your toolkit. Traditionally we’ve done this with anti-malware tools, but unfortunately many of the large anti-malware vendors still don’t let you know which hashes they’re scanning for and they don’t give you the ability to add hashes that you’d like to scan for in their tools. Thus we’re left to our own devices to discover if files with these signatures are still on our systems.

Hopefully putting this tool in your toolkit gives you one more angle to consider when looking for indicators of a compromise on your systems.

Automating Audit Tests with Eventtriggers.exe (20 Critical Control Scripting Tip)

Filed under How To, Security

One of the issues that we have been dealing with extensively lately is the issue of auditing and automation. This has most often been raised when we've been discussing how to automate control assessments in conjunction with implementing the 20 Critical Controls. One of the core principles of the 20 Critical Controls is that organizations need to have the ability to automate security assessments in order to reduce risk detection times and allow for a more prompt response to detected threats.

One way to assist with the automation of any given assessment is to script your assessments and automate the scripts you write. This way your tests can work for you and can automatically respond in some way should a particular event be discovered. Rather than creating a mechanism to perform detection and alerting from scratch, why not use a mechanism that’s already built into most Microsoft Windows versions you’re already running? The Windows Event Log is a great place to start.

First, you can use a command such as EventCreate to generate new event log entries as a result of a particular action in your scripts. For example, if you use nmap with PBNJ to look for new hosts on your network (think critical control #1), then you could use EventCreate to generate an event log entry every time a new device is discovered. Or, for example, let's say you use WMIC to list startup items on a machine (think critical control #2); then you could use EventCreate to generate an event log entry every time a new startup entry is added. Get the idea? Use built-in Windows tools to support your automation efforts – and all it costs is a little sweat equity and trial with built-in tools!
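Here is an added example of the startup-item case in Python (not from the post, which uses native command-line tools): it diffs a current listing against a saved baseline and builds one eventcreate command per new entry. It assumes eventcreate.exe is on the PATH and that the script has rights to write the Application log; the source name AuditAutomation and the two startup listings are constructed for the example.

```python
import subprocess

# eventcreate's documented switches are used here: /T (type), /ID (1-1000),
# /L (APPLICATION or SYSTEM), /SO (source) and /D (description).
EVENT_SOURCE = "AuditAutomation"   # hypothetical source name for our scripts


def eventcreate_args(description, event_id=900, level="WARNING"):
    """Build the argv for one eventcreate call writing to the Application log."""
    if not 1 <= event_id <= 1000:
        raise ValueError("eventcreate only accepts event IDs 1-1000")
    return ["eventcreate", "/T", level, "/ID", str(event_id), "/L", "APPLICATION",
            "/SO", EVENT_SOURCE, "/D", description]


def find_new_entries(baseline, current):
    """Entries in current that are missing from baseline (trimmed, case-insensitive)."""
    known = {line.strip().lower() for line in baseline if line.strip()}
    return sorted({line.strip() for line in current
                   if line.strip() and line.strip().lower() not in known})


def report_new_entries(baseline, current, what, dry_run=True):
    """Raise one event per new entry. Returns the argv lists it built; with
    dry_run=False each one is also executed, which only works on Windows."""
    commands = []
    for entry in find_new_entries(baseline, current):
        cmd = eventcreate_args("New %s detected: %s" % (what, entry))
        commands.append(cmd)
        if not dry_run:
            subprocess.run(cmd, check=True)
    return commands


# Constructed sample: startup items as 'wmic startup get caption,command' might
# list them, captured yesterday (baseline) and today (current).
BASELINE_STARTUP = [
    "SecurityHealth  C:\\Windows\\system32\\SecurityHealthSystray.exe",
    "OneDrive  C:\\Users\\audit\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
]
CURRENT_STARTUP = BASELINE_STARTUP + [
    "Updater  C:\\Users\\audit\\AppData\\Roaming\\updater.exe",   # constructed new entry
]

if __name__ == "__main__":
    for cmd in report_new_entries(BASELINE_STARTUP, CURRENT_STARTUP, "startup item"):
        print(" ".join(cmd))
```

Once the entries land in the Application log, eventtriggers.exe can key on the source and ID to send the e-mail, which is where the resources below pick up.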

For more details on how to use EventCreate, check out these resources to get started:

Microsoft TechNet Reference on EventCreate:

http://technet.microsoft.com/en-us/library/bb490899.aspx

Microsoft Support article for creating custom event log entries:

http://support.microsoft.com/kb/324145

For details on how to use eventtriggers in more depth, here are a couple resources that will help to get you started:

Microsoft TechNet Reference on EventTriggers.exe:

http://technet.microsoft.com/en-us/library/bb490901.aspx

Petri.co.il Article on EventTriggers.exe:

http://www.petri.co.il/how-to-use-eventtriggersexe-to-send-e-mail-based-on-event-ids.htm

In addition to automating tasks with the eventtriggers.exe command, you may also want to consider command line e-mail tools which can be used to generate an e-mail as a result of an action in your command line tool. Two such free command line tools that you may want to consider are:

Blat (http://www.blat.net/)

Bmail (http://www.beyondlogic.org/solutions/cmdlinemail/cmdlinemail.htm)

To run either of these tools you will need to have access to an active mail server, although thankfully it does not need to listen only on tcp/25 – but you do have to use the SMTP protocol. While security by obscurity is certainly no singular way to protect your system, running administrative mail servers like this on alternate ports can never hurt!

5 Things Every IT Auditor Needs to Know About: SSH Configuration

Filed under Checklists, Compliance, How To, Security

SSH has been around since around 1995.  In some ways it has become the backbone of remote network management and configuration in our enterprises.  Since everything from our Cisco routers to our firewalls and servers supports this protocol, what do we need to know as an IT auditor to make sure it's configured correctly?  Here are the top five items to check on (in no particular order):

1: Use Version 2
SSH version 1 was shown to have significant flaws as early as 2001.  While some of these flaws were coding errors, others are flaws that can allow for replay and other forms of attacks against the protocol itself.  From time to time you may find that the administrators have configured the service as follows:

Protocol 2,1

What this means is that SSH version 2 is preferred, but the service can fall back to support version 1.  There is no reason any public facing system should have version 1 enabled in any form!

2: Verify IP Address Binding
The lazy way (default) of configuring SSH is to allow the service to run on all bound IP addresses.  On internal networks this may not be such a big deal, but for a public facing system this is a bad idea!  Your SSH service should be bound to a specific IP address, preferably one accessible only from the internal network.  If an administrator needs to get to something remotely, require that they log into the VPN first and then connect to the internal facing SSH service.

3: Use TCP Wrappers
The SSH daemon is perfectly capable of running by itself.  The trouble with this is that it doesn’t enforce any connection restrictions beyond the authentication system.  Requiring that TCP Wrappers be used to control access to SSH allows us to restrict connections to specific networks or hosts regardless of authentication credentials.  This creates an additional level of defense and also protects us should our service be inadvertently configured to run on all interfaces.

4: Require Key Based Authentication
SSH can be configured to use the local username/password database to authenticate users.  In fact, this is the default.  The problem is that this means that someone could potentially attempt to brute force entry into our system by repeatedly attempting passwords against a common user (like root).  If we require users to use key based authentication we leverage strong cryptographic mechanisms for authentication (asymmetric keys) and make it infeasible for a brute force attack.  Don’t just make sure that key authentication is turned on, make sure password based authentication is turned off!  Look for these lines:

RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no 

5: Don’t Permit Root Logons
Why do administrators like to log in as root?  Let's face facts:  it's easy and everything works!  Of course, this is super bad because it can lead to all kinds of auditing and accountability issues.  Be aware that blocking root logins through things like securetty configurations and PAM adjustments is likely not enough to keep someone from logging in as root via SSH!  To verify that root is not permitted to log in directly, look for this line:

PermitRootLogin no
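To turn the five items into a repeatable check, here is an added Python auditor (not from the post) for a flat sshd_config, with the TCP Wrappers item checked against hosts.allow text when it is supplied. It assumes no Match blocks, applies sshd's first-occurrence-wins rule for duplicated keywords, and adds one check beyond the five (ChallengeResponseAuthentication, through which password prompts can still arrive); RSAAuthentication is a protocol-1-only keyword and is not checked. The two config samples and the hosts.allow line are constructed.

```python
import re


def parse_sshd_config(text):
    """Return {keyword (lower-case): value} as sshd applies it: the first
    occurrence of a keyword wins, later duplicates are ignored.
    Assumption: a flat file with no Match blocks."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def audit_sshd_config(sshd_config, hosts_allow=None):
    """Check the five items above. Returns a sorted list of findings."""
    cfg = parse_sshd_config(sshd_config)
    findings = []

    # 1: version 2 only. Builds that still know protocol 1 may default to "2,1",
    # so an explicit "Protocol 2" is what we want to see.
    protocol = cfg.get("protocol")
    if protocol is None:
        findings.append("Protocol not set explicitly; confirm this build has no SSH-1 support")
    elif "1" in protocol.split(","):
        findings.append("Protocol %s allows SSH version 1" % protocol)

    # 2: bound to one address rather than every interface
    if "listenaddress" not in cfg:
        findings.append("ListenAddress not set; sshd listens on all interfaces")

    # 3: TCP Wrappers. sshd_config cannot show this, so check hosts.allow text.
    # Assumption: a dedicated "sshd:" rule is required; a bare ALL: rule is not accepted.
    if hosts_allow is not None:
        rules = [l.split("#", 1)[0].strip() for l in hosts_allow.splitlines()]
        if not any(r.lower().startswith("sshd") for r in rules if r):
            findings.append("no sshd entry in hosts.allow")

    # 4: keys on, passwords off. Defaults are PubkeyAuthentication yes and
    # PasswordAuthentication yes, so a missing PasswordAuthentication is a finding.
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is not yes")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not no (default is yes)")
    if cfg.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is not no (password prompts via keyboard-interactive)")

    # 5: root may not log in directly. The default has varied by version,
    # so only an explicit "no" passes.
    if cfg.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly no")
    return sorted(findings)


# Constructed samples: what a default-ish server looks like, and the target state.
WEAK_CONFIG = """\
Protocol 2,1
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
PasswordAuthentication no   # too late: sshd keeps the first value it saw
"""
HARDENED_CONFIG = """\
Protocol 2
ListenAddress 10.0.0.5
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""
HOSTS_ALLOW = "sshd: 10.0.0.0/255.0.0.0\n"

if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_CONFIG):
        print(finding)
```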


Off Topic: Creating Metasploit Exploit Modules Step By Step (Tutorial!)

Filed under How To, Security

Over the past few weeks I’ve been completing work on a Secure C/C++ Coding course.  The course is for programmers and code reviewers, helping to prepare them for the Secure Coding certification and to teach them how to avoid the most common coding errors in C.

Along the way, I created a module in the course to demonstrate how vulnerabilities are exploited.  In the meantime I got an invitation to do an evening presentation at the SANS New Orleans and Orlando conferences, so I turned it into a “How to Find and Exploit Buffer Overflows Step by Step.”  As long as I was going to all of that work, I decided it would be worthwhile to add a few slides to demonstrate how to turn it into a Metasploit exploit module.

The screencast should be pretty easy to follow, but if you have any questions, please feel free to post them here as comments!


IT Audit: Correlating Logs and Event Logs

Filed under How To, Security

Back a few years ago I put together an event log and general log aggregation and management system.  Almost a year ago, our internal development server for this system died and work halted.  Yesterday we finally pulled the system out of the rack to see what had gone wrong and put a new server up in its place.  Finally, work has started up again!

I mention this project here on this blog because just about every company that I talk to is struggling with log management and correlation.  The fact that Microsoft went and changed just about every Event ID found in the event logs hasn't made life much better.  While it's certainly true that managing events on a Windows system (particularly Vista and above) has become much easier with event subscriptions and significantly improved reporting, many of us are still using XP and 2003 in many installations.  How are we to manage these logs?

Microsoft has a solution (Audit Collection Services) as a part of the Microsoft Operations Manager tool, but there are still a few gaps.  For instance, how do I get my syslogs, weblogs, firewall logs, IDS information, etc. into it?  Solving this problem is why DAD was originally created.

If you’re planning to come to the SANS conference in New Orleans starting on January 10, please be sure to come by and say hello.  I’ll be bringing our development DAD server with us if you’d like to see a quick demo!  We look at this free open source tool as another way that we can give back to the community!


Making the transition from IT to IT Audit

Filed under How To

On several occasions I’ve been asked “How does someone make the transition from IT to IT Audit?”
If you’re new to Information Security then you should take an introductory course in information security. SANS has an excellent one in SEC301 Intro to Information Security. Then follow that course with a bootcamp style security essentials course, something similar to SEC401 SANS Security Essentials Bootcamp Style. And while you’re in the mood for bootcamps, follow the security essentials up with an IT Audit essentials bootcamp. Look at AUD429 IT Security Audit Essentials Bootcamp from SANS.

Now you’ve got the essentials down, security and IT Audit, or should I say you’ve got the skeleton course work finished. Now let’s put some substance to the body of knowledge that you’re building. There are three more things that you need to do; two courses and one certification exam. You will need to take a course in IT auditing that covers things like networks; routers, switches and the like; operating systems (UNIX and Windows); and maybe even some web application auditing. Look at AUD507 Auditing Networks, Perimeters, and Systems from SANS and make sure it’s being taught by David Hoelzer. Also look at AUD 423 Training for the ISACA ® CISA ® Cert Exam. Then the last thing you want to do is to register for and take the CISA certification exam from ISACA.

As you're taking the courses from SANS, most of them will have optional GIAC certifications, and I encourage you to take those as you complete each SANS course. The certification for the SEC301 course is GISF; for SEC401 it's GSEC and for AUD507 it's GSNA.

Now with some work experience you’ve made the transition from IT to IT Audit and you’re well on your way, congratulations.

IT Audit: Hybrid Password Assessment & Password Cracking

Filed under Compliance, How To, Security

In the last of our three part series on IT Audit and password strength validation we’ll take a look at the final aspect:  Hybrid password assessment.

Before we dig into hybrid assessment, you may be wondering why an IT auditor wouldn’t perform a brute force attack against the password hashes.  The easy answer is that a brute force assessment simply doesn’t provide any valuable information to an auditor.  Remember, we’re trying to validate that the strong password controls are effective.  If we can break the password with a dictionary or a hybrid attack, the controls are not sufficient. A brute force attack will always be successful and reveals nothing about the controls.  Even when we break a password with a dictionary or hybrid attack, the passwords themselves are unimportant; we’re really interested in how easy the passwords are to guess.

A hybrid attack takes your preexisting dictionary from our last article and expands upon it.  Using the dictionary as a foundation, the hybrid attack will try adding numbers to the end of the potential password (single and double digits are common), capitalizing the word, capitalizing the first letter, etc.  In other words, we’re using the dictionary as a basis to generate additional passwords without generating every possible password.

Based on our experience, you can expect to find between ten and twenty percent of passwords in an organization to be broken using the combination of a dictionary and hybrid attack.  Should this be the case, one of the most effective controls to solve this problem is good training.


IT Audit: Dictionary Attacks, Password Validation & Password Cracking

Filed under Compliance, How To, Security

In our last posting concerning validation of strong password controls, we discussed the importance for an IT Auditor to do more than just check the settings on the operating system since it is still likely that some users will select poor passwords.  In this article we’ll explore one aspect of the testing that an auditor should perform in cooperation with the administrator.

As someone performing an IT Audit, when we submit our report findings, we are also providing a level of assurance, a guarantee if you will, of the security of an environment based on its compliance with a stated policy or standard.  If we fail to go beyond what the controls say by verifying the effectiveness of the controls we increase our own personal liability and also provide a false sense of security for management.

To perform a dictionary based attack, we simply work with the administrator to obtain a copy of the current password hashes stored on the system being examined.  Using a password testing tool of our choice (John the Ripper or Cain & Abel are excellent choices) we then test the password hashes against a dictionary of common words and passwords.

Where do you get a good password testing list?  You can get one in the Advanced System & Network Auditing course that SANS offers, but you can also start building your own!  As you come across good wordlists while performing IT Audits, start gluing them together!
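This post and the hybrid-assessment post above describe the same two-stage test, so here is one added Python example (not John the Ripper or Cain & Abel, and not from either post) that serves both: a dictionary pass, then a hybrid pass applying the mangling rules named above (capitalize, upper-case, append one or two digits). It reports which accounts failed and under which rule, never the password, since the finding is that the control failed and how cheaply. The account hashes and word list are constructed, and unsalted SHA-256 stands in for whatever hash the audited system actually stores.

```python
import hashlib

# Single digits 0-9 and two-digit numbers 00-99, the common appended endings.
DIGIT_SUFFIXES = [str(n) for n in range(10)] + ["%02d" % n for n in range(100)]


def hybrid_candidates(word):
    """Yield (candidate, rule) pairs: the word as-is, capitalized and upper-cased,
    each alone and with a one- or two-digit number appended."""
    seen = set()
    for base, rule in ((word, "as-is"), (word.capitalize(), "capitalized"),
                       (word.upper(), "uppercase")):
        if base in seen:
            continue
        seen.add(base)
        yield base, rule
        for suffix in DIGIT_SUFFIXES:
            yield base + suffix, rule + " + digits"


def hash_password(password):
    """Constructed stand-in for the system's hash (unsalted SHA-256). With real
    NT or crypt hashes this is the only function that changes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def assess(hashes, wordlist, mode="hybrid"):
    """Return {account: rule} for every account whose hash matched a candidate.

    mode="dictionary" tries each word unchanged; mode="hybrid" applies the
    rules above. The matching candidate itself is deliberately not returned.
    """
    accounts_by_hash = {}
    for account, digest in hashes.items():
        accounts_by_hash.setdefault(digest.lower(), []).append(account)
    failed = {}
    for word in wordlist:
        candidates = hybrid_candidates(word) if mode == "hybrid" else [(word, "as-is")]
        for candidate, rule in candidates:
            for account in accounts_by_hash.get(hash_password(candidate), []):
                failed.setdefault(account, rule)
        if len(failed) == len(hashes):
            break
    return failed


def weak_password_percentage(hashes, wordlist, mode="hybrid"):
    """Share of accounts (0-100) that failed in the chosen mode: the report figure."""
    return 100.0 * len(assess(hashes, wordlist, mode)) / len(hashes)


# Constructed sample: four accounts whose passwords exercise each outcome.
SAMPLE_HASHES = {
    "alice": hash_password("summer"),        # plain dictionary word
    "bob": hash_password("Summer07"),        # capitalized + two digits
    "carol": hash_password("k7#Vp!2qLm9z"),  # not derivable from the list
    "dave": hash_password("WELCOME1"),       # upper-case + one digit
}
SAMPLE_WORDLIST = ["password", "summer", "welcome"]

if __name__ == "__main__":
    for mode in ("dictionary", "hybrid"):
        print(mode, assess(SAMPLE_HASHES, SAMPLE_WORDLIST, mode),
              "%.0f%%" % weak_password_percentage(SAMPLE_HASHES, SAMPLE_WORDLIST, mode))
```

The jump from the dictionary figure to the hybrid figure is the number to put in front of management: it is the share of users who thought a capital letter and a year made a dictionary word safe.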
