Security Essentials Workbook

--------------------------

Security Essentials Workbook

--------------------------

2

Security Essentials DAY 1

Exercises

3

Security Essentials Day 1 Exercise 1

Description Before an aggressor can successfully attack or exploit an organization, a certain level of reconnaissance must be performed. The aggressor must collect enough information about the target to have a solid understanding of their network, services and probable vulnerabilities. One tool to assist in that reconnaissance is hping2. hping2 is a network tool which sends custom ICMP/UDP/TCP packets and displays target replies like ping does with ICMP replies. In addition to the normal ICMP functionality, hping2 can handle fragmentation, arbitrary packet body and size and can be used in order to transfer files under any supported protocol. This tool is useful for testing firewall rules, spoofed port scanning, testing network performance under different protocols, packet sizes, TOS, and fragmentation, path MTU discovery, file transfer even with really fast firewall rules, traceroute with different protocols, firewalk-like usage, remote OS fingerprinting, TCP/IP stack auditing, and much more

Objective To provide an understanding of what an attacker can learn about your system from outside your organization. You will also learn how stealth can be used to protect the identity of the scanner.

Requirements

Hardware Intel based system

Software Hping2 available at http://www.hping.org/hping2.0.0-rc1.tar.gz From the provided CD D:\Security Essentials Day 1\SSEC1.1\Downloads\hping2.0.0-rc1.tar.gz Linux-based OS (2.2 Kernel or higher)

Challenge Procedure 1. Download and install hping2. 2. Verify that you have an IP address bound to your NIC. 3. Use hping2 to determine if a host is active. Use your host as the target for all

scans. Use your actual IP address not localhost or 127.0.0.1 4. Use hping2 to determine if a service is active. The target service will depend

on your host configuration. The SSH service (port 22) may be a good service to scan for.

5. Perform a stealth scan on your system with hping2.

4

Challenge Procedure Step By Step 1. Create a folder called sans in the /usr/local directory.

cd /usr/local mkdir sans

2. Mount your CdRom

cd /mnt mount cdrom

3. Type cd /mnt/cdrom/Security Essentials Day 1/SSEC1.1/Downloads

4. Copy hping2 to the sans directory cp hping2.0.0-rc1.tar.gz /usr/local/sans cd /usr/local/sans

5. Install Hping2 tar zxf hping2.0.0-rc1.tar.gz 5.1. Change directory to hping2.0.0-rc1:

cd hping2

Edit the configure shell script so that it will correctly set the search path for the man files:

5

5.1.1. Use vi to edit the file

5.1.2. Search for the line that sets the man path variable /INSTALL_MANPATH= (After you press the “/” the cursor will go to the bottom of your screen Enter the search value and press RETURN to execute the search.)

5.1.3. Use your cursor keys to position your cursor to the “e” in “echo”. 5.1.4. Change the remainder of the line by pressing “C” (capital C). The

last part of the command should disappear. Enter the following: manpath | cut –f1 –d:` (The last character is the backwards apostrophe usually found to the left of the 1 key on a PC keyboard.)

6

5.1.5. Press the ESC key to complete the change. 5.1.6. Save the change and quit vi by pressing ZZ.

5.2. Run configure to prepare the Makefile for compilation of hping2: ./configure

7

5.3. Run make to compile hping2: Make

make install

8

6. Use hping2 To Determine If A Host Is Active: hping2 192.168.0.50 –S –p 22 (Use the actual IP address of your system. Do not use 127.0.0.1.)

Challenge Question: What is the primary difference between hping2 and the standard ping utility? _______________________________________________________________ _______________________________________________________________

7. Use hping2 To See If A This Host Is Running The SSH Service:

Challenge Question: What is the benefit of hping2 displaying the TCP flags that were set in the return packets? _______________________________________________________________ _______________________________________________________________ Notice that the return packets have the SYN/ACK flags set which is the second stage of the TCP three-way handshake. Challenge Question: What does this indicate? _______________________________________________________________ _______________________________________________________________

9

8. Use hping2 to scan a remote system and hide its identity:

Notice that no packets came back to the scanning system. That’s because the spoofing option made the packets appear to be coming from another host. Challenge Question: How can spoofing be used by an attacker doing recon? _______________________________________________________________ _______________________________________________________________

Additional Reading /mnt/cdrom/Security Essentials Day 1/SSEC1.1/Additional Reading

• Spoof Scanning With Hping • AS-BACKDOOR

Summary

Hping2 is a powerful and stealthy tool that can be used to find remote hosts and to determine the services running on the remote host. You have learned how a scan can use spoofing to hide the identity of the scanning system. Remember this when you start reviewing log files for evidence of scans done on your system. Just because it says it came from Host A does not mean it actually did. In addition to scanning for listening servers and services, hping2 can also act as a backdoor on a compromised system.

10


Description Reconnaissance is important for a successful attack, but it can give the attacker away. Knowing where you are being probed can tell where you may be attacked. Every Intrusion Detection System logs the anomalies it detects. Reviewing these logs can be an overwhelming task. To assist with this process many tools have been developed to automate the reviewing process. One tool for monitoring Unix’ syslogs is Swatch. Swatch monitors syslog looking for new entries that match specific criteria and provides a variety of alert mechanisms.

Objective This exercise will demonstrate how to install and configure Swatch. Once installed an alert will be triggered and notification will be sent to the local administrator.

Requirements


Software Swatch is available from: ftp://ftp.stanford.edu/general/security-tools/swatch/

D:\Security Essentials Day 1\SSEC1.2\Downloads Linux-based OS (2.2 or later Kernel)

Challenge Procedure

1. Download and install swatch 2. Configure Swatch.

Create a swatch configuration file and add an entry to send an alert when someone changes user to your account.

3. Test swatch by triggering an event that requires notification to be provided.

Challenge Procedure Step By Step 1. Install Swatch

cd /mnt/cdrom/Security\Essentials\Day\1/SSEC1.2/Downloads 2. Copy the Swatch file to the sans directory

cp swatch-3.0.4.tar.gz /usr/local/sans 3. Create the swatch source directory:

11

tar zxf swatch-3.0.4.tar.gz

4. Change directory to the swatch source directory cd swatch-3.0.4

5. Create the MakeFile: perl Makefile.PL

Note: Depending on the configuration of your Perl environment this command may provide additional prompts to create Perl modules required by swatch. If so prompted, answer yes to all questions. 6. When MakeFile.PL completes execution, perform the following command to

verify that it created the MakeFile required in the next step: ls -la

12

7. Make the swatch executables: make

8. Test the executables that were created: make test

9. If the test was successful, install the swatch executables: make install

13

10. Change back to the home directory: cd $HOME

11. Configure Swatch 12. Use A Sample Configuration File

The swatch configuration file defines the patterns to match and what actions should be taken if a match is found. The default location and name for this file is $HOME/.swatchrc. Since a full description of the configuration options is outside the scope of this exercise, you will need to copy a sample configuration to your home directory. Type in the following command

cp /usr/local/sans/swatch-3.0.4/examples/swatchrc.personal .swatchrc

13. Review The Configuration File Let’s check out at least one entry in the configuration file. At a command prompt enter: vi .swatchrc

14

Notes: • ’watchfor’ is a keyword that instructs swatch to look for a pattern match and

take an action if one is found. • ‘INVALID|REPEATED|INCOMPLETE/’ parameter tells swatch what

patterns to look for. • The pipe symbol “|” separating INVALID, REPEATED and INCOMPLETE

means “or”. Therefore the statement shown above means to look for any of the three words provided.

• The ‘echo inverse’ is the first action to be taken if a match is found. In this case swatch will echo the log entry in reverse video.

• Finally, the ‘bell 3’ command will cause the workstation to beep. Challenge question: What is the purpose of the “ignore” keyword? _________________________________________________ _________________________________________________ 14. Add An Event To Watch For.

In this case we want to be notified if someone changes to a specific account. Use your favorite editor to add the following entry to .swatchrc. In the instructions below a sample user account, jmm, will be used. When you do this exercise change ‘jmm’ to a valid user on your system

• Once inside of the file using VI, press the I key. This is the insert key • Proceed to type the following 4 lines exactly as you see them.

#Alert me when someone changes user to jmm watchfor /session opened for user jmm/

mail address=root bell 3

• When complete press the Esc key • Now press : • Now type wq! And press enter

15

15. Start swatch as a background process: Swatch –config-file=.swatchrc &

Challenge Question: Why must swatch be run by root? ________________________________________________ ________________________________________________ 16. Trigger an event that will cause swatch to issue a notification:

su jmm

Challenge Question: Review the entry that was added to .swatchrc. How will you know when the mail has been sent by swatch? ________________________________________________ ________________________________________________ How long did it take for swatch to generate a notification, and what is the significance of this time lag? ________________________________________________ ________________________________________________

16

17. Check root’s mail for the notification from swatch:

Determine the process id for swatch and kill the process:

ps kill (Process ID)

Challenge Question: Why use the kill command instead of killall? ________________________________________________ ________________________________________________

Additional Reading “Centralized System Monitoring With Swatch”, Stephen E. Hansen and E. Todd Atkins, http://www.oit.ucsb.edu/~eta/swatch/lisa93.html Swatch 1993 LISA Conference Paper.mht D:\Security Essentials Day 1\SSEC1.2\Additional Reading

Summary

Swatch is a widely used log monitoring tool for *nix systems. It provides a simple method for notification when selected events occur on the system. While useful for security purposes, it is also valuable for other system administration purposes. Since you are able to specify the log messages to watch for, any message that is logged can trigger a notification.

17

Swatch also provides for a variety of notification methods such as mail, pagers, pop-up windows or any other means available to a custom command. Because the operating environment constantly changes, swatch does not eliminate the need to periodically review log files. New problems may show up in the log files that swatch was not configured to monitor. However, swatch does reduce the need for constant attention to log files while providing a more timely awareness of issues as they arise.

18


Description Snort is an example of a network based intrusion detection application because it monitors the activities of the network on which it exists. Network based intrusion detection (NID) monitors traffic passing across the network for evidence of hostile or unusual activity. Snort is one of the leading freeware network based IDS. It works by listening to traffic on the network and comparing it against the patterns or signatures of known malicious traffic.

Objective This exercise will step you through the process of installing and configuring Snort on Windows as well as analyzing its output.

Requirements


Software Win32 Snort v1.8.2 available at

http://www.snort.org/downloads.html#1.19 Windows 2000 OS (Service Pack 1 or 2)

Challenge Procedure 1. Download the necessary files. 2. Install Snort Win32 3. Configure Snort With IDSCenter 4. Test and Start Snort 5. Trigger an Alert

Challenge Procedure Step By Step

If you do not have WinZip installed on your system please install it using the following procedure. If you have WinZip installed, please skip the following section Winzip Installation

1. Go to the directory D:\Security Essentials Day 2\SSEC2.1\Downloads 2. Double click the winzip80.exe icon 3. Follow the on screen prompts to finish the installation.

19

Snort Installation 1. Download or copy the files listed above to a temporary directory. In this

example we will use C:\sntemp 2. Install Snort Win32

2.1. Start -> Run -> C:\sntemp\snort-182.exe

Click on OK to begin the installation.

2.2. On the Welcome screen click on “Next” to proceed.

20

2.3. Click on the “I accept the license agreement” radio button and then “Next” to proceed.

2.4. Click on “Browse” to select the destination folder. Use C:\ as the destination folder

21

2.5. On the Ready To Install screen, press the “Next” to install Snort.

22

2.6. The installation will be performed. Click on “Finish” when the installation completes.

23

3. Configure Snort With IDSCenter: 3.1. Start -> Program Files -> idscenter.exe

A new black icon should appear in your System Tray. 3.2. Bring up the IDSCenter console by right clicking on the IDSCenter

icon and choosing “Settings”

3.3. Make the following General setup changes:

3.3.1. Verify that Snort Version 1.8 is set. 3.3.2. Verify that the Snort file location is set to “C\Snort-1.8.2\snort.exe” 3.3.3. Under the Network Settings box, select on the IP address of

your PC to set the Network Interface setting and press the “Select” button.

3.3.4. Verify that the home network and subnet is appropriate for the loopback address, i.e. 127.0.0.1/32.

3.3.5. Press the “Create script” button.

24

3.4. Click on the “IDS rules” button and make the following changes to the IDS rules settings:

3.4.1. Verify that the Snort configuration file location is set to “C\Snort-1.8.2\snort.conf”.

3.4.2. Change the editor to “C:\WINNT\notepad.exe” and press the “Start editor” button.

3.4.3. With Notepad, click on Edit -> Find, search for “var HOME_NET any” and click on “Find Next”.

25

3.4.4. Change the word “any” to “127.0.0.1/32”.

3.4.5. Use the Replace function to add the installation folder to the path of all included files. Click on Edit -> Replace, enter “include “ (be sure to add a space after the word include but not the quotes), enter “include C:\Snort-1.8.2\” (without any spaces at the end or quotes), and click on “Replace All”.

3.4.6. Click on “Cancel” to exit from the Replace function. 3.4.7. Save the file and close Notepad.

4. Test and Start Snort 4.1. If the button on the top of the Snort console reads “Stop Snort”, click

it to stop Snort. 4.2. Press the “Test configuration” button. Review the messages

displayed and verify no errors occurred. Press RETURN after the messages have been reviewed.

4.3. Usually the IDS console selects the correct network interface. However, if you have multiple interfaces, you may have to change the Interface Number option to determine the right entry for this field. Aside from searching the registry, there is no easy way to determine the right value.

Challenge Question: Where can the correct value be found for the Network Interface number? _________________________________________________ _________________________________________________ 4.4. If no errors were displayed, press the “Start Snort” to have Snort

start monitoring network traffic.

26

5. Trigger A Snort Alert 5.1. This can be done by issuing the following command at a command

line prompt ping 127.0.0.1 –l 63000 -t

Additional Reading

“Snort – Lightweight Intrusion Detection For Networks”, Marty Roesch, http://snort.sourcefire.com/docs/lisapaper.txt

“Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, Thomas H. Ptacek and Timothy N. Newsham, http://snort.sourcefire.com/docs/idspaper/ “Snort’s Place In A Windows 2000 Environment”, Jon Bull, http://snort.sourcefire.com/docs/snort-win32.doc

Summary

In this exercise you learned how to install and configure Snort on a Windows 2000 system. Additionally, you installed a GUI front-end to assist with the configuration and monitoring of Snort output.

27


Description Reconnaissance is the key to successfully penetrating a site. Therefore, the key to your defense is to see yourself from the attacker’s eyes. It is imperative that you employ the same techniques used by those who want to penetrate your site.

Objective Nessus is a free Open-source vulnerability scanner that provides a view of your networks as seen by outsiders. It uses Nmap to scan for open ports, but it goes a step further by attempting to determine what vulnerabilities may exist for the services it finds running. Finally, it provides a detailed report that identifies the vulnerabilities and identifies the critical issues that need to be corrected. The objective of this exercise is to teach how to install, configure, and use Nessus and interpret its output.

Requirements Permission

This exercise will scan a system for vulnerabilities. If you are not the legal owner of the systems used for this exercise, you should obtain authorization from the legal owner and/or your management prior to conducting this exercise. Do not proceed without receiving the necessary permissions.


Software Nessus nessus-installer.sh available at www.nessus.org The Gimp Toolkit GTK v1.2 available at ftp://ftp.gimp.org/pub/gtk/v1.2. Nmap v2.54BETA30 available at http://www.insecure.org/nmap/ m4 v1.4 available at ftp.gnu.org/pub/gnu/m4

Linux OS with the 2.2 kernel or later

28

Challenge Procedure 1. Install GTK 2. Install Nmap 3. Install m4 4. Install Nessus 5. Configure Nessus 6. Run a Vulnerability Scan

Challenge Procedure Step By Step 1. Copy the necessary files.

1.1. Change directories mount /mnt/cdrom cd /mnt/cdrom/Security Essentials Day 1/SSEC1.5/Downloads

1.2. Copy all of the files to the sans directory cp *.* /usr/local/sans

2. Install GTK 2.1. Unpack the source file

tar zxf gtk+-1.2.10.tar.gz

2.2. Change directory to the GTK source directory cd gtk+-1.2.10

2.3. Run the configure utility to create the MakeFile ./configure

2.4. Run make to create the executables make

29

2.5. Run make install to install the package make install

3. Install Nmap

tar zxf nmap-2.54BETA30.tgz cd nmap-2.54BETA30 ./configure make make install

4. Install m4

4.1. Unpack the source file tar zxf m4-1.4.tar.gz

4.2. Change directory to the m4 source directory cd m4-1.4

4.3. Run the configure utility to create the MakeFile

./configure

31

4.4. Run make to create the executables make

4.5. Run make install to install the package make install

5. Install Nessus

cd /usr/local/sans sh-nessus-installer.sh

6. Configure Nessus 6.1. Start the Nessus server daemon and add the host server user

nessusd –make-user=root,password

Note: On the screen above, “password” should be replaced with an appropriately complex password in a real world environment.

32

6.2. Create a Nessus user nessus-adduser

6.3. Start the Nessus server nessusd &

6.4. Start the Nessus client

nessus

33

7. Run a Vulnerability Scan 7.1. Log in as the user created in Step 6.2 above.

7.2. Select the Nessus host server

34

7.3. Select the vulnerabilities to be scanned for Warning: If you enable all there is a Great likelihood that you will cause the targeted machine to crash. For the purposes of this course please select “enable all but dangerous plugins”

35

7.4. Select the target to be scanned 7.4.1. Choose either your loopback address or the address bound to your

local NIC card

7.5. Review the scan results

36

7.6. Investigate the detail of a vulnerability

Additional Reading

“How To Write A Security Test In NASL”, Renaud Deraison, http://www.nessus.org/doc/nasl.html

Summary

Nessus is a powerful vulnerability scanner that allows you to get the same view of your network, as an outsider would have. Using a client/server architecture and a graphical user interface, it makes it easy to determine the corrective action required to secure your network. Additionally, as part of the open source community, users from around the world constantly make contributions as new vulnerabilities are discovered.

37


Description The initial steps in defending your systems are to properly install and harden them. Your network security policy defines the security stance of your organization. However, the process of putting your security policy into practice can be a very daunting process. For this reason, tools that assist with the management of these settings are extremely helpful in establishing and maintaining a safe position.

Objective This exercise is going to examine the Security Configuration and Analysis Tool that comes with Windows 2000. While this tool can be used to audit the settings on a system, the focus of this exercise will be on establishing the initial security stance of the system.

Requirements Hardware

Intel based PC.

Software Security Configuration and Analysis Tool

Windows 2000 Server Edition (Any Service Pack)

Challenge Procedure 1. Open The Security Configuration and Analysis Tool 2. Create A Security Policy Database 3. Import A Security Template 4. Examine And Configure Various Security Settings 5. Apply The New Security Policies

Challenge Procedure Step By Step 1. Before beginning, the following changes must be made to the system

environment variables 1.1. Right click on the “My Computer” icon on the Desktop. 1.2. Choose “Properties” 1.3. Click on the “Advanced Tab” 1.4. Click on the “Environment Variables” button 1.5. Add the following new variables and associated values:

DSDIT – C:\Winnt\Ntds DSLOG – C:\Winnt\Ntds SYSVOL – C:\Winnt\Sysvol

38

Note: If your operating system is installed in a directory other than Winnt make the appropriate substitutions. Note: Refer to Microsoft Knowledge Base article Q250454 – “Error Returned Importing the BASICDC Security Template in Security Configuration Editor” for details.

2. Open The Security Configuration and Analysis Tool 2.1. Run the Microsoft Management Console

39

2.2. Choose “Add/Remove Snap-In” from the Console drop down menu

2.3. Click on the “Add” button

40

2.4. Scroll down and choose “Security Configuration and Analysis Tool”

2.5. Click on OK and the SCAT console will appear.

3. Create A Security Policy Database. 3.1. Double Click on the Security Configuration and Analysis item to expand

the options. You will be instructed on how to create a new database.

41

3.2. Right click on the Security Configuration and Analysis item and choose “Open Database”.

3.3. Provide a database name and click OK.

4. Import a Security Template 4.1. Import the securedc security template

42

5. Examine And Configure Various Security Settings 5.1. Right click on Security Configuration and Analysis and choose “Analyze

Computer Now”

After the analysis has completed, the following screen will appear

5.2. Set password history to 42 days. 5.2.1. Expand the Account Polices by double-clicking on it 5.2.2. Expand the Password Policies 5.2.3. To change the Password History setting, right click on it and

choose “Security”.

43

5.3. Change the Password History to 24 passwords and click on OK

Challenge Question: Why remember old passwords? _________________________________________________ _________________________________________________

44

5.4. Enable Password Complexity

Challenge Question: Why are complex passwords important? ____________________________________________________ ____________________________________________________

45

5.5. Expand Local Policies and Audit Policies

5.6. Set Account Logon Events to audit all logon events

Challenge Question: How can you tell if the system is not in accordance with a setting in the policy database? __________________________________________________ __________________________________________________

46

5.7. Set System Events to audit all events

5.8. Expand User Rights Assignment and restrict the ability to shutdown the system to administrators and server operators.

47

6. Apply The New Security Policies 6.1. Right click on Security Configuration and Analysis and choose

“Configure Computer Now”

6.2. The system will display a progress box

Additional Reading

Windows 2000 Security: Step-By-Step, SANS Institute, www.sansstore.org

Summary

Managing all the various security settings of a modern computer is a daunting task compounded by the fact that these settings are scattered throughout the system. Using security management tools such as the Security Configuration and Analysis Tool that comes with Windows 2000 and recently patched NT 4.0 systems makes the job easier for security managers.

48


Exercises

49


Description Confidentiality is one of the three bedrock principles of information assurance. With access to confidential, sensitive information an attacker can proceed to attack the integrity or availability of the system. Therefore, it is critical to restrict the means by which this information is gained. A hole in Windows NT and Windows 2000 operating systems is null sessions. Required by these operating systems for communications between servers, it is often left open for anonymous users. This gives an attacker access to a lot of information that can be leveraged to obtain greater access to the system One tool that can gather information through Null Sessions is DumpSec (formerly known as DumpACL). As always what’s valuable to attackers is valuable to network administrators. DumpSec is an excellent tool to use as part of an audit tool kit.

Objective The objective of this exercise is to teach how to install, use and analyze output of DumpSec.

Requirements

Permission This exercise entails the gathering of sensitive information from the target system. If you are not the legal owner of the systems used for this exercise, you should obtain authorization from the legal owner and/or your management prior to conducting this exercise. Do not proceed without receiving the necessary permissions. It is also strongly recommended that you have appropriate system change controls in place to facilitate returning the system to its original state should you uninstall the software used in this exercise.

Hardware Intel based system Software

DumpSec available at www.somarset.com D:\Security Essentials Day 2\SSEC2.1\Downloads\dumpacl.zip Windows NT (service Pack 3 or later) or Windows 2000 OS (Any service pack)

50

Challenge Procedure 1. Install DumpSec 2. Select A Target Computer 3. Search For Unprotected Shares 4. Extract User Information 5. Search For RAS Dial In Accounts 6. Analyze System Policies 7. Examine Running Services


1. Install DumpSec 1.1. Download the files to a temporary directory

51

1.2. Open the zip file

1.3. Run The Installation Program

Double click on “SystemTools.EXE” to install DumpSec. 2. Start DumpSec And Select The Target Computer

2.1. Start -> Program Files -> System Tools -> DumpSec 2.2. Select the target computer

Go to Report -> Select Computer….

52

….and enter the loopback address

3. Search For Unprotected Shares 3.1. Choose Report -> Dump Permissions For Shares

Challenge Question: Is there an unprotected share? ____________________________________________________ ____________________________________________________ 4. Extract User Information

4.1. Select the user information to display

53

4.2. Analyze the results

Challenge Questions: Which user would you attempt to exploit first and why? ____________________________________________________ ____________________________________________________ What do the IUSR and IWAM accounts imply? ____________________________________________________ ____________________________________________________ Are there any inactive accounts? Why is that valuable to know? ____________________________________________________ ____________________________________________________ 5. Search For RAS Dial In Accounts

5.1. Select the information to display

54

5.2. Analyze the results

Challenge Questions: Do any RAS users exist? ____________________________________________________ ____________________________________________________

Why would it be valuable to know the callback number for a RAS user? ____________________________________________________ ____________________________________________________

55

6. Analyze System Policies 6.1. Choose Report -> Dump Policies

Challenge Questions: What is the value of knowing the bad logon lockout count and reset value? ____________________________________________________ ____________________________________________________

56

7. Examine Running Services 7.1. Choose Report -> Dump Services

Challenge Question: Why is it valuable to know which services are running on the system? ____________________________________________________ ____________________________________________________ Which service would try to attack and why? ____________________________________________________ ____________________________________________________

Additional Reading www.summersoft.com

Summary

A lot of valuable information is available to an attacker if they are able to establish a null session with a system. This approach attacks the confidentiality of the system. Once this information is gained, it can be used to begin attacking the integrity of the system for privilege escalation or unauthorized usage. DumpSec is a tool for attackers and auditors alike. You have seen how it can be used to determine valid users of the system, find unprotected shares and even find other systems to target.

57


Description A strong password policy is mandatory for effective network security. However, the policy is only as good as users’ compliance with it. An audit mechanism is required to determine if the policy is being followed by everyone. A single weak password can lead to the compromise of the entire system.

Objective The objective of this exercise is to introduce you to the John The Ripper which is a password cracking utility that can be used to determine if any weak passwords exist and identify that password’s associated account.


This exercise entails the installation of a program that is capable of revealing sensitive information. If you are not the legal owner of the systems used for this exercise, you should obtain authorization from the legal owner and/or your management prior to conducting this exercise. Do not proceed without receiving the necessary permissions.

It is also strongly recommended that you have appropriate system change controls in place to facilitate returning the system to its original state should you uninstall the software used in this exercise.

Hardware IBM Compatible PC

Software • Windows NT (Service pack 4 or later) or Windows 2000 (Any service

pack) • John The Ripper v1.6 available at http://www.openwall.com/john/.

C:\ Security Essentials Day 2\SSEC2.2\Downloads\john-16w.zip • WinZip available at www.winzip.com

C:\ Security Essentials Day 2\SSEC2.1\Downloads\winzip80.exe • Pwdump2 available at www.webspan.net/~tas/pwdump2/

C:\ Security Essentials Day 2\SSEC2.2\Downloads\pwdump.exe

58

Challenge Procedure 1. Download The Necessary Files. 2. Install John The Ripper 3. Prepare A Unix File To Crack 4. Crack The Unix Password File 5. Prepare A NT File To Crack 6. Display Cracked Accounts


1. Download The Necessary Files. 2. Install John The Ripper

2.1. Create a temporary directory called “C:\Tmp” 2.2. Use WinZip to unpack John The Ripper into C:\Tmp

3. Prepare A Unix File To Crack

3.1. Open a command line Start -> Run -> command

3.2. Change directories to C:\Tmp cd \tmp

3.3. Combine the password and shadow files (If you do not have access to these files, samples have been provided for this exercise on the provided cd in D:\Security Essentials Day 2\SSEC2.2\Downloads. Copy the sample files to the \tmp directory.)

59

Challenge Question: What is the purpose of the shadow file? ____________________________________________________ ____________________________________________________

4. Crack The Unix Password File 4.1. Execute john

john passwd.1

5. Preparing an NT File To Crack 5.1. Extract pwdump2.exe and samdump.dll to C:\Tmp

5.2. Open a command prompt. Start -> Run -> command

5.3. Change directory to C:\Tmp cd \tmp

60

5.4. Execute pwdump2 pwdump2 > pwdump.out

5.5. Review the contents of pwdump.out more pwdump.out

6. Display Cracked Accounts 6.1. Execute John with the –show option

john –show passwd.1

Challenge Question: What can be surmised from the above output? ____________________________________________________ ____________________________________________________

61

Additional Reading “Password Auditing and Password Filtering to Improve Network Security”, Tina McGregor, SANS Institute, www.sans.org/infosecFAQ/authentic/improve.htm “Password [In]security: Common Issues Surrounding Compromised Passwords”, Carl Root, SANS Institute, www.sans.org/infosecFAQ/authentic/insecurity.htm

Summary A solid password policy is fundamental to good network security. However, no matter how strong the policy is it can be negated by one weak password on one account. To verify that such chinks don’t exist in your network armor, you should regularly audit the passwords used on your system. John The Ripper is a password cracking tool that can be used for this purpose. It is able to crack Unix password files with or without the accompanying shadow file. With the use of pwdump2 it can crack passwords from Windows 2000’s Active Directory or the SAM database regardless of whether or not SYSKEY has been enabled.

62


Description Publishing a web site can be risky business because they often contain connections back into your corporate network and also may contain sensitive information locally. The risk is especially high if you publish active content. Active content exposes some sort of program be it a CGI script or an ActiveX component to the Internet public where it can be probed for any errors that may exist in it. Even if your web site is completely static, it may contain information that an attacker could find useful in a variety of ways. Developer names could be useful for social engineering. Links used during development may be left behind and may divulge internal network names or addresses. Therefore, it is important to audit your web site from the attackers point of view. Tools are available such as BlackWidow to let you download and analyze your website. Programs like BlackWidow can save an attacker a lot of link clicking by pulling the entire site down for quick scanning. It is important to note that this product does not scan for vulnerabilities. It is used to gather social engineering information as well as clues about the organization that houses the device.

Objective The objective of this exercise is to familiarize you with how a tool such as BlackWidow can be used to probe a website for vulnerabilities that can be exploited.


This exercise entails the installation of a program that is capable of revealing sensitive information. If you are not the legal owner of the systems used for this exercise, you should obtain authorization from the legal owner and/or your management prior to conducting this exercise. Do not proceed without receiving the necessary permissions.

It is also strongly recommended that you have appropriate system change controls in place to facilitate returning the system to its original state should you uninstall the software used in this exercise.

Hardware

Intel based system

63

Software BlackWidow v4.14 available at http://softbytelabs.com/files/BlackWidow.exe D:\Security Essentials Day 2\SSEC2.6\Downloads\BlackWidow.exe Windows OS (Windows 9x, NT 4.0 or Windows 2000)

Challenge Procedure 1. Download And Install The Software 2. Retrieve A Website 3. Examine Website Structures 4. Use The Web Browser 5. Examine Broken Links 6. Examine Embedded Email Addresses


1. Download And Install The Software 2. Retrieve A Website

2.1.An offline web site is provided in the following directory on the CD given at the beginning of this course.

D:\Security Essentials Day 2\SSEC2.6\Downloads\www.ideahamster.org.web 2.2. Click on the scan icon . 2.3. Choose the following scan options

64

Challenge Question: What does the Deep Link Search function do? ____________________________________________________ ____________________________________________________ 3. Examine Website Structures

3.1. Open the Structures tab

Challenge Question: What is in the osstmm.zip file? ____________________________________________________ ____________________________________________________ 4. Use The Web Browser

4.1. Right Click on index.htm and choose “Browse this file”.

65

Challenge Question: What is Jack? ____________________________________________________ ____________________________________________________ 5. Examine Broken Links

5.1. Click on Structures tab

Challenge Question: Which broken link looks to have the most promising information for an attacker? Why? ____________________________________________________ ____________________________________________________

66

6. Examine Embedded Email Addresses 6.1. Open the @Emails tab

Challenge Question: How can this information be used for a social engineering attack? ____________________________________________________ ____________________________________________________

Additional Reading

“Preparing For A Web Security Review”, Peter Maung, SANS Institute, http://www.sans.org/infosecFAQ/audit/web_review.htm "Web Security: A step-by-step reference guide", Stein, Lincoln D., Addison-Wesley Longman, Inc. 1998 "Web Security & Commerce," Garfinkel, Simson with Spafford, Gene, O’Reilly & Associates, Inc.

Summary BlackWidow is an offline web analysis tool that is valuable to attackers and auditors alike. Because websites are becoming increasingly complex in structure, BlackWidow provides an efficient means to retrieve a full website or a portion within. Once the website is captured offline, BlackWidow assists in the analysis by representing the site in a familiar Explorer-style format. Separate views are provided for broken links and embedded mail addresses.

67


Description Network security begins with a policy statement that is implemented via procedures. Good management practices dictate that procedures should be based on policy. However, it is not unusual to find that there is no policy document in place. So what do you do? Usually even though there is no written policy, there are ususally set procedures in place to address the various needs of the organization. These procedures are the explicit evidence of implicit policies. If you have procedures, then you have policies. You just need to make them explicit and get them accepted by appropriate management. This is the process of making policies from procedures.

Objective In this exercise you are going to be given several procedures. From these procedures you need to develop the policy statement that underlies the procedure.

Requirements

Hardware Pencil

Software Paper

Challenge Procedure 1. Replacement Of A Lost Password 2. Access To The Internet 3. Installation Of A New Application 4. Changes To Firewall and Router ACL’s 5. Termination Of A Network Administrator

68

Challenge Procedure Step By Step 1. Replacement Of A Lost Password

a. Scenario: Bob is a salesman that is often on the road. Shortly after changing his password, he went on an extended trip and forgot his password. Upon his return to the office, he called the IS help desk and asked for his password. The help desk asked him to come to their office with his employee ID and managers name. When Bob arrived at the help desk’s office, they verified his identity and called his manager to get permission to reset the password. After receiving permission from Bob’s manager, they explained to Bob that they had no way to recover his password so it would be reset instead. The help desk forwarded the request to the network administrator who reset Bob’s password.

b. Who resets the password? The password is reset by the network administrator. Why? Passwords need to be tightly controlled to protect against unauthorized access to confidential data and system resources.

c. Who places the request with the network administrator? The help desk. Why? To have at least two people involved in the process and to minimize the effort required of the network administrator.

d. What must be done to verify Bob’s identity? He must produce his employee ID and his manager must confirm his request. Why? To verify Bob is an employee of the company and that his is authorized to access the system.

e. What was done to fulfill Bob’s request? The password was reset. Why? Password cracking software was prohibited.

f. Resulting Policy Statement: In order to control access to the organization’s confidential data and system resources, the IS Help Desk is responsible for resetting passwords of authorized users who have lost or are otherwise unable to change their password on their own. The IS Help Desk will require the user to physically present proof of employment, and will confirm with the user’s manager that they are authorized to the access they are requesting. Once the user identity and authorization have been confirmed, the IS Help Desk will forward the request to a network administrator authorized to reset passwords.

2. Access To The Internet

a. Scenario: Carol works in the purchasing department. Until recently her duties have primarily consisted of posting purchase orders. As a result of a departmental reorganization, she now also has limited buying authority for selected supplies. To fulfill these new responsibilities, Carol would like access to the Internet to research prices and place online orders. Carol places a request to the Purchasing Manager. Agreeing with the merit of her request, the Purchasing Manager requested that the IS Manager grant Internet

69

access to her. The IS Manager approved the request and instructed the network administrator to add Carol to the group of users with Internet access.

b. How is the Carol provided access to the Internet? By making her a member of the Internet access group. Why? It’s easier to manage group policy that individual policy.

c. Who made the change? The network administrator. Why? Limiting who can make a change provides more control over the process.

d. Who instructed the network manager to make the change? The IS Manager. Why? It is the IS Manager’s responsibility to provide final approval to access system and network resources to ensure that adequate resources are available to meet the organization’s needs.

e. Who made the request to the IS Manager? The Purchasing Manager. Why? Department heads must provide initial approval for employee requests to access network and system resources.

f. Resulting Policy Statement: All employee requests for access to system and network resources must be justified to and approved by the employee’s departmental head. If approved, the request will be forwarded by the department head to the IS Manager. Based on current system capacities and their ability to effectively meet the organization’s needs, the IS Manager will provide the final approval of the request. If approved, the IS Manager will instruct the network administrator to provide access to the user. To promote administrative effectiveness, only authorized network administrators will make the change and group policy management procedures will be used.

3. Installation Of A New Application

a. Scenario: Ted had a CD-Writer installed in his PC, and now he wants to install Gnutella onto his PC so that the can create his on music CD’s. Ted takes his request to his department manager who doesn’t have a problem with it as long as he does it on his own time and with his own CD-R’s. The department manager forwards Ted’s request to the IS Manager who in turn assigns the network administrator to investigate the ramifications of granting the request. The network manager reports that downloading MP3 files can represent a significant amount of traffic which could impact evening workers. He also points out that Gnutella can open a backdoor channel that can provide unauthorized, external systems access to the internal systems. Based on this report, the IS Manager denies the request. (It could happen!)

b. Who investigated the effects of Gnutella on the network? The network administrator. Why? He possessed the necessary skills to determine the ramifications of its use.

70

c. Who gave the final approval? The IS Manager. Why? Because he is responsible for ensuring that the organization’s network resources are adequate for the business functions of the organization.

d. Who made the request to the IS Manager? The department head. Why? Because department heads are responsible for authorizing the activities of their subordinates.

e. Resulting Policy Statement: All requests for the installation of new applications on an employee’s individual system will be presented to the employee’s department head. Any requests approved by the department head will be forwarded to the IS Manager for consideration as to the effect granting the request will have on the organization’s existing IS infrastructure. Final approval for all such requests will be determined by the IS Manager after investigation by appropriate personnel in the IS department. The IS Manager is responsible for the ensuring that the IS infrastructure is adequate and secure for carrying out the business functions of the organization.

4. Changes To Firewall and Router ACL’s

a. Scenario: Alice in Human Resources works closely with the organization’s third-party Worker’s Comp administrator. In order to be able to access case information maintained by the third-party administrator, Alice needs to be able to connect to their system via a VPN. Alice takes her request to the head of HR who agrees that it would be beneficial to the organization. The request is forwarded to the IS Manager who in turn forwards it to the network administrator for investigation. After meeting with the technical staff of the third-party administrator, the network administrator determines that the equipment is compatible and a VPN can be successfully established. Based on the network administrators report, the IS Manager approves the request and instructs the network administrator to make the necessary changes to the firewall and router ACL’s.

b. Who investigated whether the VPN connection could be established? The network administrator. Why? Because the network administrator had the appropriate expertise.

c. Who gave final approval for the request? The MS Manager. Why? Because the MS Manager is responsible for maintaining the confidentiality and integrity of the organization’s network and system resources.

d. Who made the request to the IS Manager? The head of HR. Why? Because department heads are responsible for authorizing the activities of their subordinates.

e. Resulting Policy Statement: All requests that require connectivity with third-party organizations will be presented to the request originator’s department head for justification of the business requirement of the request. Any requests approved by the department head will be forwarded to the IS Manager for consideration as to the

71

effect granting the request will have on the security of the organization’s existing IS infrastructure. Final approval for all such requests will be determined by the IS Manager after investigation by appropriate personnel in the IS department. The IS Manager is responsible for the ensuring that the IS infrastructure is adequate and secure for to carry out the business functions of the organization.

5. Termination Of A Network Administrator

a. Scenario: Eric, the network administrator, has left the organization to take a job doing presentations at SANS conferences around the world. Human Resources immediately notifies the IS Manager who in turn orders the change of all IS passwords to which Eric had access. Once all of the password changes have been made, a full review of all user accounts is done to verify that Eric didn’t leave a few extra accounts behind for his future use.

b. Who notified the IS Manager of Eric’s Departure? The HR Manager. Why? Because the HR department handles all employee departures.

c. What action did the IS Manager take? All known passwords to which Eric had access were changed. An audit was then done of all user accounts to look for any Trojan accounts that may have been left behind.

d. Resulting Policy Statement: Human Resources will notify the IS Manager of all employee departures. All passwords to which the departing employee had access will be immediately changed. If the departing employee had the ability during the normal course of their job to add accounts, then a full review should be done of all user accounts for the purpose of detecting any spurious accounts.

72

Additional Reading “Network Security Policy – A Manager’s Perspective”, Ernest D. Hernandez, SANS Institute, http://www.sans.org/infosecFAQ/policy/policy_list.htm

”Herding Cats 101: Development & Implementation of Security Policies at a University”, Jodi Ito, SANS Institute, http://www.sans.org/infosecFAQ/policy/policy_list.htm “The Value of Documentation: A Useful System Security Plan Template”, Falan Memmott, SANS Institute, http://www.sans.org/infosecFAQ/policy/policy_list.htm

Summary While the best practice is to develop the organization’s security policy first then develop the procedures accordingly, the policy is often never officially adopted. Instead, the procedures are developed to address the needs of the organization with the policy implicitly buried in the procedure. This exercise has shown how to extract the policy that is implicit in the organization’s procedure. In this manner the hidden network security policy can be turned into the initial formal policy of the organization.

73


Exercises

74

Security Essentials

Day 3 Exercise 1 Description

Network design is driven by the organization’s security policy and its objectives. Corporate environments traditionally operate with a “deny all unless explicitly allowed” security stance. On the other hand academic networks are intended to promote academic freedom so their security stance is usually “allow all unless specifically denied”. Good network design also should provide defense in depth. This way if one component is compromised other layers remain to minimize the consequences of the breach.

Objective The objective of this exercise is to design a network that allows for the following:

• Publish separate mail, web and DNS servers to the Internet • Provide appropriate access from the internal network to the Internet • Protect the internal network from external attacks

In the event that a successful penetration of the primary firewall occurs the design should:

• Provide a second line of defense for the internal network • Minimizes the opportunity for the attacker to sniff passwords

Be sure to define the various network intersections and the placement of each component. Discuss what vulnerabilities can still exist with your design. How would you attempt to break it?

Requirements

Hardware Pencil

Software Paper

75

Additional Reading “Layered Security: An ISP Case Study with Cisco and Solaris”, Rockie Brockway, SANS Institute, www.sans.org/infosecFAQ/firewall/layered_sec.htm “Designing a DMZ”, Scott Young, SANS Institute, http://www.sans.org/infosecFAQ/firewall/DMZ.htm

Summary The network design is the first manifestation of the network security policy. It is the infrastructure upon which the policy is based. Building a secure network requires a lot of time, energy and expertise. In order to build a secure network, not only must security be built in from the beginning, but you must be able to understand all of the various network components in order to understand how to secure them.

76


Description Personal firewalls are gaining a lot of popularity among users throughout the world. They are an inexpensive and effective way to protect a specific machine from outside threat. Personal firewalls are also being used as an additional layer of defense in enterprise environments. .

Objective The objective of this exercise is to familiarize you with the installation and configuration of ZoneAlarm and how to evaluate its logging capabilities.

Requirements

Hardware Intel compatible PC Software

Windows 9x, Me, NT 4.0 or Windows 2000 ZoneAlarm Personal Firewall available at: http://www.zonealarm.com/za_download_1.htm C: \Security Essentials Day 3\SSEC3.2\Downloads\zonalm26.exe LeakTest available at: http://grc.com/lt/leaktest.htm C: \Security Essentials Day 3\SSEC3.2\Downloads\LeakTest2.exe

Challenge Procedure 1. Download and Install ZoneAlarm 2. Configure ZoneAlarm’s Logging Capability 3. Test ZoneAlarm’s Detection Capabilities 4. Evaluate ZoneAlarm’s Logging Capabilities


1. Download and Install ZoneAlarm Retrieve ZoneAlarm from D:\Security Essentials Day 3\SSEC3.2\Downloads Double Click on the Zonalm26.exe

2. Configure ZoneAlarm’s Logging Capability 2.1. Activate the ZoneAlarm console by double clicking on its icon in the

System Tray (to the left of the system time on the Windows Start Bar).

77

2.2. The following window should appear:

2.3. Expand the Alerts Configuration controls by clicking on the Alerts button. The console should appear as below:

78

2.4. Check the “Log alerts to a text file” and “Show the alert popup window” check boxes. The console should appear as below:

Note: Notice that the log file is named “C\WINNT\Internet Logs\ZALog.txt”. The initial folder is WINNT because this screenshot was made on a Windows 2000 PC. The folder for the log file may be different for you depending on the version of Windows you use.

79

3. Test ZoneAlarm’s Detection Capabilities Note: The following test cannot be performed during class. It is highly recommended that you perform this test when you have access to the Internet.

3.1. Open up your Web browser and go to http://grc.com/lt/leaktest.htm.

3.2. Click on “Ready To Test” image. When the following screen is displayed, choose the “Save this program to disk” radio button and click on OK.

80

3.3. Once the download has completed and the following screen appears, click on the “Open” button.

3.4. The LeakTest program should execute and the following introductory screen should appear:

Click on “OK” to proceed.

81

3.5. Read the information provided on the screen that appears and then press the “Test For Leaks” button.

3.6. Read the instructions that appear and press “OK”.

82

3.7. You should get an alert from ZoneAlarm that resembles the one below.

3.8. Click on the “No” button as you were instructed in Step 3f. 3.9. After a few moments you should receive a notification from LeakTest

that it is was unable to connect to the GRC Nanoprobe Server.

83

4. Evaluate ZoneAlarm’s Logging Capabilities 4.1. Using Notepad open the ZoneAlarm log file.

Note: (Check the ZoneAlarm Alert console for the correct location of the log file as shown in Step 4.) You should see entries like the following in the log file:

ZoneAlarm Logging Client v2.6.88 Windows NT-5.0.2195-Service Pack 1-SP type date time source destination transport PE 2001/07/02 09:19:28 -4:00 GMT ZoneAlarm 0.0.0.0:0 N/A PE 2001/07/02 09:19:28 -4:00 GMT ZoneAlarm 192.168.0.4:1745 N/A PE 2001/07/02 09:21:39 -4:00 GMT Firewall Leak Testing Utility 0.0.0.0:0 N/A PE 2001/07/02 09:21:42 -4:00 GMT Firewall Leak Testing Utility 192.168.0.4:1745 N/A Note: The type “PE” indicates that an application running on the PC attempted to access the Internet.

4.2. If you have other personal firewalls such as BlackIce Defender, Tiny

Personal Firewall or LockDown 2000 installed, try running LeakTest against them.

Additional Reading

“On Guard at Home”, Les Freed, PC Magazine, http://www.pcmag.com/article/0,2997,s%253D1626%2526a%253D2330,00.asp

“Personal Firewall: Pros and Contras”, Pavel Epifanov, SANS Institute, http://www.sans.org/infosecFAQ/homeoffice/personal_fw2.htm “Personal Firewalls: What are they, how do they work?”, Tina Zych, SANS Institute http://www.sans.org/infosecFAQ/homeoffice/personal_fw.htm

Summary This exercise has shown how to install the ZoneAlarm personal firewall and set up logging for it. An Internet event was created in order to trigger an alert by ZoneAlarm, and you reviewed the entries that were placed in the log. Personal firewalls can be a great addition to the security environment of your organization, but they need to be carefully implemented. If a user has the ability to block access to an administrator, that could pose serious security risks as well as an added administrative burden

84


Description All digital computing is based on the states of on and off which is represented by 1’s and 0’s. Among other things in networking these 1’s and 0’s represent the IP address of the devices attached to the network. However, more is required in order to properly route traffic to the device. Subnet masks help identify the network upon which the device resides.

Objective The purpose of this exercise is to give you some practice in converting binary numbers to their decimal equivalents.

Requirements

Hardware Pencil

Software Paper

Challenge Questions The following binary IP address is a hint to a popular song title. Convert the number to its decimal equivalent and Name That Tune! 01010110.01001011.00011110.00001001

Challenge Procedure Step By Step First octet: 01010110

0 * 1 = 0 1 * 2 = 2 1 * 4 = 4 0 * 8 = 0 1 * 16 = 16 0 * 32 = 0 1 * 64 = 64 0 * 128 = 0 = 86

Second Octet: 01001011

1 * 1 = 1 1 * 2 = 2 0 * 4 = 0 1 * 8 = 8

85

0 * 16 = 0 0 * 32 = 0 1 * 64 = 64 0 * 128 = 0 = 75

Third Octet: 00011110

0 * 1 = 0 1 * 2 = 2 1 * 4 = 4 1 * 8 = 8 1 * 16 = 16 0 * 32 = 0 0 * 64 = 0 0 * 128 = 0 = 30

Fourth Octet: 00001001

1 * 1 = 1 0 * 2 = 0 0 * 4 = 0 1 * 8 = 8 0 * 16 = 0 0 * 32 = 0 0 * 64 = 0 0 * 128 = 0 = 9

Challenge Solution

IP Address = 86.75.30.9 The song title is “Jenny (867-5309)” by Tommy Tutone

86

Additional Reading Hexadecimal and Binary Numbering and IP Addressing; Cisco Systems Inc; http://www.cisco.com/cpress/cc/td/cpress/fund/primer/cb0708.htm IP Subnet Calculation & Design; Cisco Systems Inc; Cisco Connection Online; http://www.cisco.com/techtools/ip_addr.html

Summary Binary numbers are the core of all digital computing. In the network world two areas that they are especially significant are the IP address, which uniquely identifies each network device and the subnet mask that designates the network and host portions of the IP address. In order to fully understanding the significance of these two areas, a good working knowledge of their relationship to binary numbers is required.

87


Description It is has been stressed over and over again that reconnaissance is key for the attacker. Considerable time and effort is spent going from house to house rattling doorknobs to see who may be an easy target. To defend against attack you should examine your systems from the viewpoint of the attacker. It’s often difficult to determine if a given tool was developed for attack or audit purposes. But does it matter as long as the tool is useful to the auditor? Nmap is a classic example. Regardless of its development origins, it is the most useful tool for network reconnaissance available to attacker and auditor alike.

Objective The objective of this exercise is to introduce you to the use and role of nmap in auditing systems. While the NT ported version of nmap has the same features as the Linux version and is covered in this exercise, given a choice you would be better off using the Linux version. The NmaptNT product is not as robust as the *nix version.

Requirements


Software Windows NT 4.0 SP 4 or later, Windows 2000 any service pack, Windows 9x Windows version: nmapnt available at www.eeye.com/html/Research/Tools/nmapNT.html D:\Security Essentials Day 3\SSEC3.4\Downloads\ *nix version: nmap available at www.insecure.org/nmap/nmap_download.html D:\ Security Essentials Day 3\SSEC3.4\Downloads

Challenge Procedure 1. Install nmap(nt) 2. Perform Simple Scan 3. Perform Stealth Scan 4. Perform OS Identification 5. Perform OS Identification and Service Selection

88

Challenge Procedure Step By Step 1. Install nmap(nt)

1.1. Unpack the nmapNT zip file (D:\Security Essentials Day 3\SSEC3.3\Downloads into C:\Program Files\NmapNT)

1.2. Install the libpcap drivers 1.3. Right click on Network Neighborhood/My Network Places and go to

Properties. 1.4. Choose your network adapter and either click on Properties or go to the

Services tab.

89

1.5. On the adapter’s Properties screen click on Install

90

1.6. On the Select Network Component Type screen select Protocol and click on Add

1.7. On the Select Network Protocol screen click on Have Disk

91

1.8. On the “Install From Disk” screen click on Browse and navigate to the Drivers directory of the directory that you installed nmapnt into. It should be C:\Program Files\NmapNT\Drivers. There will be three sub-directories. Choose the one appropriate for your operating system.

1.9. On the Select Network Protocol screen select the Packet capture driver and click on OK

92

1.10. On the Files Needed click on OK

1.11. Click on OK or Close until you are back to the desktop. 1.12. Reboot your system.

2. Linux Installation 2.1. Use the rpm command to install the nmap rpm file

rpm -Uhi nmap-2.54-beta.i386.rpm

3. Perform Simple Scan 3.1. On the exercises below use 127.0.0.1 for the IP address. 3.2. Open a command prompt and enter the following command:

ping 127.0.0.1 or ping “IP address of your adapter”

Note: The commands entered are identical for nmap and nmapnt.

93

3.3. Check to see if the host is really down as opposed to blocking ping probes: nmapnt –P0 127.0.0.1 Note: The –P0 (that is a zero) option tells nmap to scan the given IP address whether or not it allows ICMP traffic to it.

4. Perform A Stealth Scan nmapnt –sS –P0 –p135 127.0.0.1 Note: The –sS option performs a SYN scan instead of the default TCP

connect scan. Note: The –p option specifies the ports to scan

Challenge Question: What is the difference between a TCP connect scan and a SYN scan? ______________________________________________________ ______________________________________________________

94

5. Perform OS Identification nmapnt –sT –O 127.0.0.1 Note: The –sT option is for the TCP connect scan. It is not required because

it is considered the default for an nmap scan Note: The –O will attempt to perform OS fingerprinting through analyzing the

predictability of the sequence numbers returned from the target device. This option can add a considerable amount of time to the scan length.

6. Perform OS Identification and Service Selection

95

Challenge Question: How accurate was the operating system guess? ______________________________________________________ ______________________________________________________

Additional Reading

“The Art of Port Scanning”, Fyodor, www.insecure.org/nmap/p51-11.txt

“Remote OS detection via TCP/IP Stack FingerPrinting”, Fyodor, www.insecure.org/nmap/nmap-fingerprinting-article.txt

Summary

This quote says it all: "If your goal is to understand your network from a 40,000-foot view, then Windows port scanning tools will suffice. But if you're serious about your security and looking for the holes that crackers will find, then take the time to install a Linux box and use nmap." -- Info World

96


Description

Every router and firewall in an organization utilizes access control lists to determine what kind of network traffic is going to be allowed to pass through. Access control lists are a collection of rules that detail how selected packet should be handled. Routers are used to route traffic across the Internet. Many organizations do not utilize all of the capabilities inherent in the router IOS. This lab will discuss how to implement ACLs to create “Defense in Depth” in your organization. Defense in Depth is a concept of redundancy. If an attacker is able to get through one wall of defense they are presented with another. Most attackers are looking for easy prey. The more walls you have built between your organization and them, the less likely it is that they will persist in their attempts to break in.

Objective The objective of this exercise is to introduce you to the structure and development of access control lists.

Requirements

Hardware Pencil

Software Paper

Challenge Assumptions 1. Web server IP address 200.200.200.2 2. Email server IP address 200.200.200.3 3. DNS server IP address 200.200.200.4 4. Private Class C addresses 192.168.0.0 5. Private Class C subnet 255.255.0.0

Challenge Questions

1. Give two examples of source independent restrictions: ________________________________________________ ________________________________________________

97

2. Give the ACL statements to restrict the examples you gave in Question 1: ______________________________________________________ ______________________________________________________

3. Give three examples of general restrictions that are neither source or destination dependent: ______________________________________________________ ______________________________________________________

4. Give the ACL statements to restrict the examples you gave in Question 2: ______________________________________________________ ______________________________________________________

5. What is the format for a Standard ACL? ______________________________________________________ ______________________________________________________

6. Give an example Standard ACL that denies inbound traffic from a spoofed Class C private address: ______________________________________________________ ______________________________________________________

7. Why is a Standard ACL used above instead of an Extended ACL? ______________________________________________________ ______________________________________________________

8. What is the format for an Extended ACL? ______________________________________________________ ______________________________________________________

9. Give an example of an Extended ACL that allows inbound SMTP traffic to the mail server: ______________________________________________________ ______________________________________________________

10. Why is an Extended ACL used instead of a Standard ACL? ______________________________________________________ ______________________________________________________

11. Give an example of a Reflexive ACL to allow return HTTP traffic from an internally initiated web session: ______________________________________________________ ______________________________________________________

98

Additional Reading “Top Ten Blocking Recommendations Using Cisco ACLs Securing the Perimeter with Cisco IOS 12 Routers”, Scott Winters, SANS Institute, www.sans.org/infosecFAQ/firewall/blocking_cisco.htm

Summary

Routers and firewalls use access control lists to make packet-filtering decisions. ACL’s are a collection of individual rules that define how a specific network packet should be treated. Each packet that passes through the device is matched against each rule until a specific rule either allows or denies access. Because of this fact, how rules are designed and implemented is extremely important as to their usefulness. For example, you have 50 rules in your ACL. Your first rule is Any Any accept. Because all packets passing through the system match that rule, all subsequent rules would be ignored.

99


Description Packet sniffing is the heart of intrusion detection. Intrusion detection can be as simple as analyzing all the packets of data passing through the network. At its core even the most expensive intrusion detection system performs the same function as tcpdump and windump. However, without the options and filters provided by tcpdump, the task of analyzing these packet would be overwhelming. Going a step further, full featured intrusion detection systems such as Shadow or Snort use higher level filters or rule sets to generate alerts for the network security administrators.

Objective The objective of this exercise is to demonstrate how to install and use tcpdump and windump. RequirementsPermission

This exercise entails the installation of software that allows you to view potentially all traffic passing across a network. If you are not the legal owner of the systems used for this exercise, you should obtain authorization from the legal owner and/or your management prior to conducting this exercise. Do not proceed without receiving the necessary permissions.


Windows Version: windump.exe v3.5.2b available at http://netgroup-serv.polito.it/windump/install/Default.htm D:\Security Essentials Day 3\SSEC3.4\Downloads\windump.exe winpcap v2.2 available at http://netgroup-serv.polito.it/winpcap/install/default.htm D:\Security Essentials Day 3\SSEC3.4\Downloads\WinPcap.exe Linux Version: tcpdump v3.6.2 available at www.tcpdump.org \mnt\cdrom\Security Essentials Day 3\SSEC3.4\Downloads\tcpdump-3.6.2.tar.gz Libpcap v0.6.2 available at www.tcpdump.org

100

\mnt\cdrom\Security Essentials Day 3\SSEC3.4\Downloads\libpcap-0.6.2.tar.gz Windows NT 4.0 or Windows 2000 (any service pack) Or Linux Red Hat 7.2 PC

Challenge Procedure 1. Install tcpdump or windump 2. Determine The Interface Name (Windump only) 3. Capture Traffic 4. Capture Traffic For A Host 5. Capture Traffic For A Service 6. Interpret tcpdump/windump Output


1. Install windump (If you are using tcpdump, go to Step 2.) 1.1. Download the necessary files

D:\Security Essentials Day 3\SSEC3.4\Downloads 1.2. Install winpcap

Double click WinPcap.exe

101

1.3. When instructed, restart the system.

1.4. Create C:\windump to hold windump.exe. 1.5. Copy windump.exe to that folder.

From D:\Security Essentials Day 3\SSEC3.4\Downloads Copy windump.exe to C:\windump

2. Install tcpdump 2.1. Copy the necessary files to the directory \usr\local\tools\tcpdump

From \mnt\cdrom\Security Essentials Day 3\SSEC3.4\Downloads Copy tcpdump.exe c:\tcpdump

2.2. Unpack the libpcap files tar zxf libpcap-0.6.2.tar.gz

2.3. Change directory to the libpcap directory cd libpcap-0.6.2

102

2.4. Create the Makefile ./configure

2.5. Compile the libpcap files make

2.6. Install the libpcap files make install

3. Install tcpdump. 3.1. Copy the tar file to the proper directory

mount /mnt/cdrom cd /mnt/cdrom cp tcpdump-3.6.2.tar.gz /usr/local/tools

3.2. Unpack the tcpdump files cd /usr/local/tools tar zxf tcpdump-3.6.2.tar.gz

3.3. Change directory to the tcpdump source directory cd tcpdump-3.6.2

103

3.4. Create the Makefile ./configure

3.5. Compile the tcpdump executables make

3.6. Install the tcpdump executables make install

4. Determine the interface name (windump only) 4.1. All commands in this exercise are identical for tcpdump and windump

with one exception. windump must include the interface specification whereas it is optional with tcpdump.

4.2. To determine the correct interface to use, open a command window and execute the following command windump -D

4.3. Note the number associated with your interface.

104

5. Capture Traffic 5.1. Open two command windows. In the first window prepare to execute the

following nmap(nt) command: nmapnt –sT 127.0.0.1

5.2. In the second window execute the following command:

5.3. Press CTRL-C to stop the capture. 5.4. The –n option instructs windump/tcpdump to not attempt to resolve the

system domain from the IP address. Challenge Question: What is the primary benefit derived from the –n option not doing name resolution? ____________________________________________________ ____________________________________________________

6. Capture Traffic For A Host 6.1. Open two command windows and prepare to execute the nmap(nt) as in

Step 5.1. nmapnt –sT 127.0.0.1

105

6.2. In the second window execute the following command: windump –i 1 –n host 127.0.0.1

6.3. After tcpdump completes, press CTRL-C to stop the capture.

7. Capture Traffic For A Service 7.1. Open two command windows and prepare to execute the nmap(nt) as in

Step 5.1. nmapnt –sT 127.0.0.1

7.2. In the second window execute the following command: windump –i 1 –n port http

7.3. After tcpdump completes, press CTRL-C to stop the capture.

8. Interpret tcpdump/windump output Challenge Questions: Using the output from above, how does nmap try to find out if a host resides at the target address? ______________________________________________________ ______________________________________________________ Why does nmap send an ACK packet to the target? ______________________________________________________ ______________________________________________________ What service does nmap try when it is using TCP to locate the target? ______________________________________________________ ______________________________________________________

106

What can be concluded about how the target system is configured? ______________________________________________________ ______________________________________________________

Additional Reading “Development of an Architecture for Packet Capture and Network Traffic Analysis”, Loris Degioanni, Graduation Thesis, Politecnico Di Torino (Turin, Italy, Mar. 2000), http://netgroup-serv.polito.it/windump/docs/default.htm

Summary

Tcpdump/windump are powerful packet capture utilities that allow for the extraction of particular types of network traffic based on header information. It can filter any field in the IP, ICMP, UDP or TCP header using byte offsets. Tcpdump also acts as the basis for many intrusion detection systems such as Shadow.

107


Exercises

108


Description

PGP is part of your organization’s security toolkit for protecting one of your most important assets: information. PGP is a valuable tool to help you protect the security and integrity of your organization’s data and messages. PGP adds to your security system by offering information protection for individual computers. The types of added security include data encryption, including email, stored files, and instant messaging; and virtual private networking, for secure remote communications. Before PGP is rolled out in any environment, the proper policies and procedures must be implement to govern its use. If a user PGPs information, that data can be lost to both the administrator as well as the organization if that person leaves.

Objective The objective of this exercise is to help you install PGP and generate your personal key pair.

Requirements


PGP Freeware v7.0.3 available at http://www.pgpi.org/products/pgp/versions/freeware/ PGP 7.0.3 Hotfix 1 available at http://www.pgpi.org/products/pgp/versions/freeware/ Windows 9x, Me, NT 4.0 or 2000 OS (Versions are also available for AIX, Amiga, Atari, BeOS, EPOC, Linux, MacOS, MS-DOS, Newton, OS/2, PalmOS, and Unix)

109

Challenge Procedure 1. Download The Required Software 2. Install PGP Freeware 3. Establish Key Pairs 4. Install The Hotfix

Challenge Procedure Step By Step 1. Download The Required Software

D:\Security Essentials Day 4\SSEC4.1\Downloads Copy PGPfw703.zip c:\temp

2. Install PGP Freeware 2.1. Unzip the distribution zipfile to C:\tmp

2.2. Run the setup routine: C:\temp PGPfreeware 7.0.3.exe

110

2.3. Identify the installation type:

2.4. Select the components. Uncheck the PGPnet Personal Firewall option.

111

3. Establish Key Pairs 3.1. The Key Generation Wizard will start automatically. Click on “Next”

when prompted. You will be asked to enter a passphrase.

3.2. Your key pairs will be generated.

112

4. Install The Hotfix 4.1. Unpack the Hotfix file to C:\Tmp

D:\Security Essentials Day 4\SSEC4.1\Downloads Copy PGPfreeware703hotfix1.zip c:\temp

4.2. Unpack the enclosed zip files and execute the hotfix file: Start -> Run C:\tmp\PGPhotfix.exe

4.3. Re-boot the system when prompted:

113

Additional Reading “An Introduction To Cryptography” – Included with the PGPi Freeware distribution

“The Codebreakers: The Story of Secret Writing”, David Kahn, Simon & Schuster Trade,

Summary PGP provides protection to your information assets through the use of encryption. PGP was one of the first implementations of PKI encryption software made freely available to the general public. PGP encryption can be used for digital signatures; encryption of files, email and disk drives; and to secure network communications.

114


Description Confidentiality is often required for any venture to succeed. However, confidentiality is contrary to the need to communicate plans or information to successfully achieve an objective. Over the millennium various encryption techniques have been developed to facilitate communication while maintaining the confidentiality of the message or information. Public Key Infrastructure (PKI) is among the most recent encryption techniques. In order for encryption to be of value, the receiver must have some way of decrypting the message. PKI provides a mechanism for publicly exchanging the keys necessary for decryption without compromising their integrity.

Objective The objective of this exercise is to explore the key exchange mechanism provided by PGP.

Requirements

Hardware Intel baed system Software

PGP Freeware v7.0.3 available at http://www.pgpi.org/products/pgp/versions/freeware/ Microsoft Outlook, Eudora or other supported mail client. Windows 9x, Me, NT 4.0 or 2000 OS (Versions are also available for AIX, Amiga, Atari, BeOS, EPOC, Linux, MacOS, MS-DOS, Newton, OS/2, PalmOS, and Unix)

Challenge Procedure 1. Exchange A Key Through A Key Server 2. Exchange A Key Through Email 3. Exchange A Key With A Text File 4. Digitally Sign An Email Message

115

Challenge Procedure Step By Step 1. Exchange A Key Through A Key Server

1.1. Click on the PGP icon on the system tray and choose PGPkeys

1.2. Select your key to send to the key server

116

1.3. Select the key server you want to send the key to. Click on Server -> Send To -> ldap://keyserver.pgp.com

2. Exchange A Key Through Email 2.1. Select the key you want to email 2.2. Copy the key values to the clipboard

117

2.3. Open your mail program and address your email message. Put the cursor in the message body and copy the key values into it by clicking on Edit -> Paste

118

3. Exchange A Key With A Text File 3.1. Select the key you want to export 3.2. Click on Keys -> Export

3.3. Select the location you want to save the key values in.

119

4. Digitally Sign An Outlook Email Message 4.1. Compose your email message. When the message is complete, click on

PGP – Sign On Send

4.2. When prompted, enter your passphrase

After you click on OK and if you entered your passphrase correctly, your message will be sent.

120

Additional Reading

“e-Signatures: A Signature that Can Be Trusted?”, Brent Gifford, SANS Institute, http://www.sans.org/infosecFAQ/encryption/esignatures.htm

"Digital Signature Guidelines", American Bar Association, http://www.abanet.org/scitech/ec/isc/dsg.pdf

Summary

Encryption is used to maintain the confidentiality of information while still promoting the ability to communicate it. To be of any value whatever is encrypted must be decrypted. To do so the use of a decryption key is required. Somehow this decryption key must be exchanged with the receiver of the message. While private exchanges are the most secure, they are the least convenient. PKI provides a means of conveniently publishing a public key that can be used to digitally sign or encrypt messages. Keys can be published at a key server, or they can be exchanged within an email message or text file.

121


Description Encryption maintains confidentiality without impacting the ability to communicate the information it protects. PGP provides three basic encryption mechanisms: email, files and self-decrypting files. Encryption of email messages allows for their safe transmission over an untrusted medium such as the Internet. Files are often encrypted to protect their contents from others snooping on the system where they are stored. Self-decrypting files are useful for securely transferring confidential information to someone that does not have PGP installed.

Objective The purpose of this exercise is to familiarize you with the process of encrypting email messages or files and with the creation of self-decrypting files.

Requirements

Hardware Intel based PC

Software PGP Freeware v7.0.3 available at http://www.pgpi.org/products/pgp/versions/freeware/ Microsoft Outlook, Eudora or other supported mail client. Windows 9x, Me, NT 4.0 or 2000 OS (Versions are also available for AIX, Amiga, Atari, BeOS, EPOC, Linux, MacOS, MS-DOS, Newton, OS/2, PalmOS, and Unix)

Challenge Procedure 1. Encrypt And Decrypt An Email Message 2. Encrypt And Decrypt A File 3. Create A Self-Decrypting File 4. Opening A Self-Decrypting File

122

Challenge Procedure Step By Step 1. Encrypt An Email Message

1.1. Open Outlook or your email client in off-line mode 1.2. Compose a test message and then click on PGP -> Encrypt on send

1.3. Press Send 1.4. Select your key to use for encryption and click on OK

123

1.5. Open your outbox and open the message you just sent

1.6. Click on the PGP icon system tray

124

1.7. Click on Current Window -> Decrypt & Verify

1.8. Read the message

2. Encrypt and Decrypt A File 2.1. With Notepad create a file in C:\Tmp to encrypt. Save the file and close

Notepad. 2.2. With Windows Explorer navigate to C:\Tmp.

125

2.3. Right click on the file and click on PGP -> Encrypt

126

2.4. Select your key and click on OK

2.5. With Notepad open the encrypted file and check out its contents

127

2.6. With Windows Explorer navigate to C:\Tmp and right click on the encrypted file

2.7. Enter your passphrase and save the file

128

3. Create A Self-Decrypting File 3.1. With Windows Explorer navigate to C:\Tmp 3.2. Right Click on your test file and click on PGP -> Create SDA

3.3. Enter and confirm a one-time password

3.4. Save the file

129

4. Opening A Self-Decrypting File 4.1. With Windows Explorer navigate to C:\Tmp 4.2. Double click on the SDA file and enter the passphrase

4.3. Save the file

Additional Reading

“History of PGP”, Adam Back, Cypherspace, http://www.cypherspace.org/~adam/timeline/

Summary PGP provides three basic encryption mechanisms. Encrypting email messages protects communications across the Internet. Encrypting files protects them in their storage location. Self-Decrypting Archives are useful in sharing files securely with someone who does not have PGP.

130


Description

When dealing with sensitive data, your computer system is writing that data in various locations such as temporary files and even in the swap file. When you close the application that was accessing the information, it “deletes” the temporary files. But, what does that mean? It usually means the reference to the file is removed from the file system, but it does not mean that the data was removed from the disk drive. This means that the data can still be accessed by a skilled attacker. PGP provides the capability to securely wipe these left over fragments from the disk drive. It even supports the US DoD seven pass extended character rotation wiping standard (DoD 5200.28-STD).

Objective The objective of this exercise to familiarize you with PGP’s secure disk wiping capabilities and to show how it is integrated with the Windows File Manager.

Requirements


Software PGP Freeware v7.0.3 available at http://www.pgpi.org/products/pgp/versions/freeware/ Windows 9x, Me, NT 4.0 or 2000 OS (Versions are also available for AIX, Amiga, Atari, BeOS, EPOC, Linux, MacOS, MS-DOS, Newton, OS/2, PalmOS, and Unix)

Challenge Procedure 1. Securely Delete A File With PGP Wipe 2. Wipe System Free Space 3. Schedule A PGP Free Space Wiper Session

131

Challenge Procedure Step By Step 1. Securely Delete A File With PGP Wipe

1.1. With Windows Explorer navigate to C:\Temp 1.2. Create a notepad file called pgpdelete.txt 1.3. Right-click on pgpdelete.txt. Choose “Delete with wiping”

1.4. Confirm your intent to delete the file

132

1.5. You should receive a status box like the following

Challenge Question: Why is the swap file wiped when you did not select it? ____________________________________________________________ ____________________________________________________________

2. Wipe System Free Space

2.1. Open Windows Explorer and navigate to the C: Drive 2.2. Right-click on the C: Drive and choose “Wipe free space with BCWipe”

133

2.3. Choose the U.S. DoD option and note the time that will be required to complete the task. Press OK if you want to continue or Cancel to quit.

3. Schedule A PGP Free Space Wiper Session 3.1. Click on the PGP icon on the System Tray 3.2. Choose PGPtools

3.3. Click on the Freespace Wipe icon

134

3.4. The Wipe Free Space Wizard will start. Click on “Next” to start the wizard. On the Gathering Information choose the “C:” drive and click on “Next”.

3.5. Click on “Schedule” to start the Windows Task Scheduler

135

3.6. Click on OK to continue

3.7. Because the Windows title asks for a passphrase, this can be can be confusing. Enter you NT or Windows 2000 password. Do not enter your PGP passphrase.

136

3.8. Enter your scheduling choices and press OK

Additional Reading “Securely Deleting Files”, John Kinney, SANS Institute, http://www.sans.org/infosecFAQ/privacy/deleting.htm

"Secure Deletion of Data from Magnetic and Solid-State Memory", Peter Gutmann, http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

137


Description

This exercise will involve the installation of Trojan software, a look at some of the Trojan’s capabilities, and the use of a special Trojan removal software. Optionally, depending on the configuration of the target PC, it will test any anti-virus software that may be on the PC including detection of the attempt to install the Trojan and its ability to clean up an infected system.

Objective To give you first hand experience on the capabilities of Trojan software and measures that should be taken to protect against this type of attack.

Requirements

Permission This exercise entails the installation of malware that provides complete control over the target system. If you are not the legal owner of the systems used for this exercise, you should obtain authorization from the legal owner and/or your management prior to conducting this exercise. Do not proceed without receiving the necessary permissions. It is also strongly recommended that you have appropriate system change controls in place to facilitate returning the system to its original state should you uninstall the software used in this exercise.

Hardware Intel-based PC

Software SubSeven Client and Server available at: http://www.securityfocus.com/tools/1403 Purge-It! available at: http://www.purge-it.com Windows based operating system

Challenge Procedure 1. Unpack and install the SubSeven software 2. Run The SubSeven Server Editor 3. Configure The SubSeven Server Executable.

138

4. Infect A Victim System With The Trojan Server. 5. Take Control Of Your Victim 6. Remove the Trojan from the victim system using Purge-It!.

Challenge Procedure Step By Step 1. Unpack And Install The SubSeven Software:

1.1. Click On Start > Run:

1.2. If you have anti-virus software installed and it is up-to-date, you should get a virus notification such as this:

1.3. Disable your anti-virus real-time protection and repeat Step 1.

2. Run The SubSeven Server Editor Click on Start > Run

139

3. Configure The SubSeven Server Executable. The SubSeven Server is the program used to infect your victim. EditServer allows you to alter the many options that makes SubSeven so capable and difficult to detect. We are going to adjust a few of the settings to make it a little more secure to have on your system.

3.1. In the server text box browse to the directory to which you extracted the

SubSeven files and select the “server.exe” executable. 3.2. Click on the “read current settings” button. 3.3. Click off all startup methods except WIN.INI. 3.4. Click off all notification options except “enable e-mail notify”. Enter

your email address in the “notify to:” text box. 3.5. For installation options, check the “server password” check box. Enter a

unique, strong password. Also, for the server name click on the “specify a filename” radio button and leave the default of “server.com” in the text box.

3.6. Under the protect server section, check the “protect the server after saving or updating settings” check box. Enter a unique, strong password in the password text boxes.

3.7. Click on the “save new setting” button. Challenge Questions: What notification options did the SubSeven server have besides email? ______________________________________________________ ______________________________________________________

140

What other start up options are provided by SubSeven? ______________________________________________________ ______________________________________________________

4. Infect A Victim System With The Trojan Server. Copy “server.exe” onto a victim Windows 9x system. Remember if they have anti-virus software running, you will probably have to disable it to successfully install the Trojan. If you do not have access and permission to install the server on another PC, skip this step and execute the server on your system.

5. Take Control Of Your Victim

5.1. Run “server.exe” on the victim system to start the server and infect it. Click on Start > Run

Normally, this is done by social engineering (tricking) the victim in some way such as sending them an email with an appeal to click on an attachment. The attachment may be the server itself. However, you may have noticed in Step 5 that the editor can bind the server to some other executable. This means you can wrap it with a program that puts dancing puppies on the victim’s screen while their system is being infected.

141

5.2. Take control of your victim

Fill out your victim’s IP address and press Connect. Play around. Flip their screen under the “fun manager” drop down menu. Open and close their CD with the extra option under the “extra fun” drop down. Look at what else can be done such as searching for passwords under the “advanced” drop down.

142

6. Remove the Trojan from the victim system using Purge-It! 6.1. Use WinZip to unpack Purge-It!

Click on Start > Run

6.2. Install Purge-It!

143

6.3. Run Purge-It!

144

6.4. Click on the Running Files tab and the following screen will appear:

Right click on the server.com entry and choose Delete.

145

6.5. Click on the System Files tab and the following screen will appear:

Right click on the “run=server.com” entry and choose Delete.

146

6.6. Stop and Restart Purge-It! Click on the Connections tab and the following screen will appear:

Note: Verify that nothing is running on port 27374. Challenge Questions: What did you need to know in order to use Purge-It! to clean the SubSeven Trojan from the victim system? _________________________________________________________ _________________________________________________________ What shortcoming does this point out about Purge-It? _________________________________________________________ _________________________________________________________

6.7. Verify that the SubSeven client cannot connect to the victim PC by trying to repeat Step 8.

Challenge Question: What characteristics of SubSeven make it so dangerous and difficult to detect? _________________________________________________________ _________________________________________________________

147

Additional Reading Crapanzano, Jamie. “Deconstructing SubSeven, the Trojan Horse of Choice” URL: http://www.sans.org/infosecFAQ/malicious/subseven.htm (8 January 2001)

Summary In this exercise you learned how Trojans work, get installed and how appropriate counter measures can help protect systems from this form of attack. You have learned that Trojans such as SubSeven contain two components: a server that is installed on the victim system and a client that is used by the attacker to control the victim system. You may have seen how up-to-date anti-virus software can help prevent the trojan’s installation. Finally, you have learned how to use special Trojan removal software to clean an infected system.

148


149


“

Description One of the primary vulnerabilities for Windows-based is trojans that are running unbeknownst to the user. In order for the attacker to use the trojan it must be running. Windows provides several different mechanisms that the attacker can use to start a program up automatically during system start up. The System Configuration Utility (SCU) helps to determine what is being run at startup, but it does not detail where the executable is located within the file system and does not indicate which startup mechanism is used to initiate the execution of the trojan. However, this utility is not available for Windows NT and Windows 2000 systems. Startup Cop supplements SCU by providing this missing information. It also provides the capability to permanently delete the trojan from the infected system.

Objective The objective of this exercise is to familiarize you with Startup Cop and how it can be used to detect and eliminate trojan programs on an infected system.

Requirements


Software Startup Cop available at http://www.pcmag.com/article/0,2997,s=400&a=8066,00.asp?download_url=http://common.ziffdavisinternet.com/download/0/1098/startcop.zip (PC Magazine membership required.) Windows Operating system

Challenge Procedure 1. Install Startup Cop 2. Examine the Main Console 3. Examine Item Detail 4. Create A Startup Profile 5. Disable A Startup Item 6. Restore A Startup Profile

150

Challenge Procedure Step By Step 1. Install Startup Cop 2. Examine the Main Console

Challenge Question: From this screen how can you determine where the startup entry is located? ______________________________________________________ ______________________________________________________ In what order does Windows process the startup mechanisms? ______________________________________________________ ______________________________________________________

3. Examine Item Detail

Challenge Question: What does the “Action” line indicate? ______________________________________________________ ______________________________________________________

151

4. Create A Startup Profile

5. Disable A Startup Item

152

5.1. Click on an unnecessary item 5.2. Click on the Disable radio button 5.3. Click on the Apply button 5.4. Log out and log back in.

6. Restore A Startup Profile

6.1. Select the profile you created in Step 4. 6.2. Click on the “& Logoff” or the “& Restart button as is appropriate.

Challenge Question: How can you determine which button to click? ____________________________________________________ ____________________________________________________

6.3. Log back in. 6.4. Check and see if the application started during login.

153

Summary Windows provides attackers a variety of locations where the startup specifications for trojan programs can be placed. Windows 9x provides the Security Configuration Utility that can show what programs are executed automatically during startup. SCU also allows you to enable or disable startup programs. Unfortunately, SCU does not show where the files are located, and it cannot permanently the items from the system. Startup Cop makes up for both of these shortcomings making it a more useful tool for coping with trojans. Its profile feature also allows for an effective mechanism for saving a set of legitimate startup programs.

154


Description One of the most important defensive measures that can be taken is to maintain all applicable patches available for your systems. This process requires knowledge of what patches have been applied and what patches are available which have not been applied. This does not mean that you have to install every patch that is released for your specific operating system. It is highly recommened that Knowing what patches have been applied is the easier of the two tasks. You can check various locations on the system to determine what has been done. Even in the absence of this, you can still maintain good system change logs to document what has been done. The tricky part is learning what you are not aware of. In August, 2001 Microsoft released two tools to assist with this process. Hfnetchk is a hotfix audit tool that obtains from Microsoft the latest database of security patches that have been released. It then checks the system to determine if any patches exist that have not been applied.

Objective The objective of this exercise is to familiarize you with hfnetchk in maintaining a properly patched system.

Requirements


Software Hfnetchk v3.1 available at http://www.microsoft.com/downloads/release.asp?releaseid=31154 Optionally, Microsoft Security Patch XML Database available at http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab Microsoft Excel (Any version) or Excel 97/2000 Viewer available at http://download.microsoft.com/download/excel2000/Xlviewer/2000/WIN98/EN-US/xlViewer.exe Windows NT or Windows 2000-based OS

155

Challenge Procedure 1. Download and install hfnetchk 2. Perform A Scan 3. Scan With Verbose Output 4. Output Scan Results To A Database


1. Download and install hfnetchk • D:\Security Essentials Day 5\SSEC5.2\Downloads\nshc.exe • Double click on nshc.exe to install

2. Perform A Scan 2.1. With Internet Access

2.1.1. Open a command prompt and navigate to the directory into which you installed hfnetchk. • Start -> run -> cmd • cd program files\network security hotfix manager

2.1.2. Enter the following command: Hfnetchk

156

2.1.3. When the Code Signing screen appears, click on “Yes”

Note: It is never advisable to click on the “Always trust content from ‘any organization”

2.1.4. Hfnetchk will complete and display any patches required.

2.2. Without Internet Access 2.2.1. Obtain a copy of the security XML database and copy it to the

same directory you loaded hfnetchk into. • D:\Security Essentials Day 5\SSEC5.2\Downloads • copy mssecure.xml c:\program files\ network security

hotfix manager 2.2.2. Open a command prompt and navigate to the directory into which

you installed hfnetchk. • Start -> run -> cmd • cd program files\network security hotfix manager

157

2.2.3. Enter the following command: hfnetchk –x mssecure.xml Note: This will use the local database instead of having to connect to the Internet. It is advisable that you use a pre-hardened device to download the .XML file from Microsoft. You can then use that file to check the patch and hotfixes on all of your Internet facing machines before they go into production so no machine is exposed to the Internet with known holes.

158

3. Scan With Verbose Output 3.1. Enter the following command:

hfnetchk –v –x mssecure.xml

4. Output Scan Results To A Database 4.1. Enter the following command to redirect the output to a TAB-separated

file: hfnetchk –o tab –x mssecure.xml > netcheck.csv

159

4.2. Open the file with Excel File -> Open -> Files of type: -> Text Files (*.prn; *.txt; *.csv)

4.3. The Convert Text To Columns Wizard will start. Note: (If it does not start automatically, click on Data -> Text to

Columns to start it.) 4.4. Click on the “Delimited” radio button then Click on “Next”.

160

4.5. Click on the “Tab” checkbox and press on “Finish”.

4.6. A spreadsheet similar to below. This spreadsheet can be used as a quick reference guide to determine the current patch levels of a specific device:

161

Additional Reading “Microsoft Network Security Hotfix Checker”, Microsoft TechNet, http://support.microsoft.com/support/kb/articles/q303/2/15.asp?id=303215&sd=tech

“Frequently Asked Questions about the Microsoft Network Security Hotfix Checker”, Microsoft TechNet, http://support.microsoft.com/support/kb/articles/Q305/3/85.ASP

Summary Maintaining a properly patched system is a critical first step in securing a system against inappropriate usage. Microsoft released the Network Security Hotfix Checker (hfnetchk) to allow administrators and security professionals to quickly determine the patch level of specific devices. Using a constantly updated XML database, it automates the process of staying current on the patches available for your systems. It is important to note that before any patch or hotfix is applied to a production system, it should be tested in a lab environment. If this is not possible in your specific situation the following steps should be followed. Perform a complete back up right before you apply the fix; verify the integrity of that backup; apply the fix; test the machine to verify that it is still functioning correctly; log all activities in your change control log book.

162


Description

As was stated in the previous exercise, a properly patched system is a primary starting point for establishing good network security. In August, 2001 Microsoft released two tools to assist with this process. Hfnetchk is the primary tool for system and network administrators. Although a commercial, enterprise version is available, the second free tool released by Microsoft, the Microsoft Personal Security Advisor (MPSA), is targeted for individual users of NT Workstation and Windows 2000 Professional.

Objective The objective of this exercise is to familiarize you with MPSA and how it can be used to assess the current patch state of your system.

Requirements


Software Internet Explorer 5.0 or greater Internet access Windows NT 4.0 (SP4 or greater), Windows 2000, or Windows XP

Challenge Procedure 1. Scan System 2. Review Results 3. Take Corrective Action

163

Challenge Procedure Step By Step 1. Scan System

1.1. Navigate to www.microsoft.com/technet/mpsa/start.asp and click on “Scan Now”

164

1.2. During the scan you will receive the following screen: Click on “Yes”.

165

2. Review Results 2.1. Examine the summary results

166

2.2. Check detail findings:

167

3. Take Corrective Action 3.1. Click on a link on under the Issue column

3.2. Review the corrective advise and apply where necessary

168

Summary The Microsoft Personal Security Advisor (MPSA) is the second of two tools released by Microsoft in August of 2001. It is intended for individual users of Windows NT 4.0 Workstation and Windows 2000 Professional. This tool should not be used as a scanner for a corporate device. It is only intended to help individual users gain a better perspective into the security of their specific machine.

169


Description

Once a system has been hardened, it is almost ready to be put into production. The final step is to baseline it so that any changes that may be indicative of a successful intrusion can be detected. Many tools are available for this purpose, but running them all can be a time-consuming task. However, with the use of scripting and scheduling tools, effective baselines can be established and used for auditing your systems. The system logs are an invaluable source of information regarding activity on your systems. However, the logs can provide an overwhelming amount of information. Also, there is no standard mechanism for consolidating the logs of several systems. Tools such as dumpel can dump the contents of the logs to files that can be consolidated into a database of events.

Objective The objective of this exercise is to introduce you how simple tools can be used to create more powerful ways to baseline and audit your systems.

Requirements


Software Dumpel available in the NT Resource Kit or from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp Microsoft Excel Fport available from http://www.foundstone.com/rdlabs/termsofuse.php?filename=FportNG.zip Windows NT4.0 or Windows 2000 based OS

Challenge Procedure 1. Analyze Log Files 2. Baseline Open Ports 3. Baseline Running Services 4. Scheduling Baseline Audits

170

Challenge Procedure Step By Step 1. Analyze Log Files

1.1. Download and install dumpel • D:\Security Essentials Day 5\SSEC5.4\Downloads • Double Click on Dumpel.exe to install

1.2. Open a command prompt and navigate to the directory that you installed dumpel in.

1.3. Dump the system log by executing the following command: dumpel –f event.out –l system –t

1.4. Start Excel and open the output file. The “Convert Text To Columns” Wizard should start automatically. If not, click on Data -> Text to Columns.

171

1.5. On the wizard’s first screen click on the “Delimited” radio button then click on “Next”.

1.6. On the wizard’s second screen click on the “Tab” checkbox then click on “Finish”

172

1.7. Sort the data by date and time in descending order by clicking on Data -> Sort

173

1.8. To apply a filter to view only failed logins (Event ID 7013), click on Data -> Filter -> AutoFilter

1.9. Down arrow icons will appear at the top of each column. Click on the arrow icon for column E, scroll down and select 7013. If it’s not available, just choose another event number.

174

1.10. Filtered output:

2. Baseline Open Ports 2.1. Download and install Fport.

• D:\Security Essentials Day 5\SSEC5.4\Downloads • Extract fportNG.zip to c:\temp

2.2. Open a command prompt and navigate to the directory where you installed fport. • Start -> Run -> cmd • cd temp

175

2.3. Execute fport and view its output. • Type fport • Note: By not defining a target IP, Fport defaults to the local device

2.4. Execute fport and redirect its output to a file for future reference. Fport > baseport.txt

176

3. Baseline Running Services 3.1. Open a command prompt.

Start -> run -> cmd 3.2. Execute netsvc with the following parameters

netsvc \\”Local Device” /list

3.3. Execute netsvc and redirect its output to a file for future reference. netsvc \\”Local Device” /list > basesvc.txt

4. Scheduling Baseline Audits 4.1. With your favorite text editor create the following bat file:

177

4.2. Type “baseline” (without the quotes) at a command prompt to test the bat file.

4.3. Type the following command to review baseline’s output: more baseline.txt

4.4. Open the Windows Scheduler:

4.5. The Scheduled Task Wizard should start. Click on Next

178

4.6. On the program selection screen click on Browse

4.7. Navigate to the directory where you created the baseline.bat file then click on Open.

179

4.8. Enter a name for the task and click of the Daily radio button.

4.9. Enter the time the baseline should run at then click on Next

180

4.10. Enter the user name and password that should be used to run the baseline operation then click on Next.

4.11. Click on Finish to schedule the task.

181

Additional Reading “How to Develop Your Company’s First Security Baseline Standard”, Gene Livingston, SANS Institute, http://www.sans.org/infosecFAQ/policy/baseline.htm

“Scripting as a Method of Establishing a Reliable Baseline Posture”, George Montcrief, SANS Institute, http://www.sans.org/infosecFAQ/start/scripting.htm

Summary Before a hardened system is put into production, a baseline of the system should be made for future audit purposes. Simple tools can then be scripted to easily monitor the system for any unexpected changes. Additionally, it is vital to review logs to detect attempts to compromise a system before a breach actually occurs. Since neither NT nor Windows 2000 have standard mechanisms to consolidate log files and both are capable of generating vast amounts of data, tools such as dumpel allow you to export the log data in a form that can be imported into a database for easier manipulation.

182


Description

Backups are like insurance. No one wants to spend the time or money on them, and no one appreciates them until they are needed. But, like insurance, backups are mandatory to protect a system not only from attack, but more likely from hardware failure, operator error, or catastrophe. There are many backup techniques that can be employed. Some sites do a full backup of the entire system. Some do an incremental backup that is a backup of only those files that have been created or changed since the last incremental backup. Others do a differential backup that is a backup of only those files that have been created or changed since the last normal backup.

Objective The objective of this exercise is to reinforce the differences between incremental and differential backups.

Requirements


Software Windows 2000 Backup Utility Windows 2000-based OS

Challenge Procedure 1. Set Windows Explorer View Options 2. Perform A Normal Backup 3. Perform An Incremental Backup 4. Perform A Differential Backup

183

Challenge Procedure Step By Step 1. Set Windows Explorer View Options

1.1. Open Windows Explorer and navigate to a folder with a limited number of files.

1.2. Set the View Option to Details.

1.3. Set the View Option to be able to view each file’s attributes.

184

2. Perform A Normal Backup 2.1. Click on Start -> Accessories -> System Tools -> Backup

185

2.2. Click on the Backup tab and select the folder to be backed up.

2.3. Click on Browse to specify where the backup should be placed then click on Open.

2.4. On the main backup screen click on Start Backup.

186

2.5. Enter any backup descriptions then click on Start Backup. Secure the backup by clicking on the “Allow only the owner and the Administrator access to the backup data.” checkbox.

2.6. View the backup results.

187

3. Perform An Incremental Backup 3.1. Turn on the archive bit of a file.

3.1.1. Select a file, right click on it, and click on properties. 3.1.2. On the file properties window click on Advanced.

3.1.3. Click on the “File is ready for archiving” checkbox then click on OK.

188

3.2. Windows Explorer screen before the incremental backup:

3.3. Start the backup utility and click on the backup tab. 3.4. Select the folder to be backed up.

3.5. Click on Browse and create a backup file name increment1.

189

3.6. Click on the Start Backup button. 3.7. On the Backup Job Information window click on Advanced

190

3.8. On the Advanced Backup Options window select Incremental from the Backup Type dropdown box then click on OK.

3.9. Click on Start Backup on the Backup Job Information window. 3.10. Windows Explorer after the incremental backup.

191

3.11. Click on the Restore tab and expand the media set to see what files were backed up.

Challenge Question: How many restores will be necessary to restore this directory to its current state? ____________________________________________________ ____________________________________________________

4. Perform A Differential Backup 4.1. Turn on the archive bit as instructed in step 3.1. 4.2. Window Explorer before the differential backup.

192

4.3. Start the backup utility and click on the Backup tab. 4.4. Select the folder to be backed up. 4.5. Click on Browse and create a backup file name differential1. 4.6. Click on Start Backup button. 4.7. On the Backup Job Information window click on the Advanced button. 4.8. On the Advanced Backup Options window select Incremental from the

Backup Type dropdown box then click on OK.

4.9. Click on Start Backup on the Backup Job Information window. 4.10. Windows Explorer after the differential backup.

193

4.11. Click on the Restore tab and expand the media set to see what files were backed up.

Challenge Question: How many restores will be necessary to restore this directory to its current state? ____________________________________________________ ____________________________________________________

194

Additional Reading “Disaster Recovery Planning with a Focus on Data Backup/Recovery”, Judith J. Johnson, SANS Institute, http://www.sans.org/infosecFAQ/incident/recovery.htm

“Amanda, the Advanced Maryland Automated Network Disk Archiver”, Drew Einhorn, SANS Institute, http://www.sans.org/infosecFAQ/incident/amanda.htm

Summary

An important early step in Disaster Recover Planning is to develop a strong backup plan. This minimizes the damage that results from a data loss. This data loss can occur as a result of an intrusion, but it is even more likely to occur because of hardware failure, operator, power failure or other catastrophe. Several backup techniques can be used. Normal or full backups backup all of the files selected. Incremental backups backup all of the files that have been created or changed since the last incremental backup. Differential backups backup all of the files that have been created or changed since the last normal backup.

195


Description

IIS is Microsoft’s web server solution. Since its release, it has been the target of a large number of exploits. Code Red and Code Red II are recent examples of the ways that IIS servers can be compromised. Patching IIS is vital, but it also must be configured properly as well. Hfnetchk assists with the process of maintaining the patches. Microsoft has also released another tool, IIS Lockdown, to assist with the configuration process. Microsoft claims that with the use of this tool IIS servers would have been protected from Code Red even without the appropriate patches. IIS Lockdown works in two modes, Express and Advanced. Express mode configures the server in a highly secure way that is appropriate for most basic web servers. Advanced mode allows the administrator to pick and choose the technologies that will be enabled on the server.

Objective The objective of this exercise is to familiarize you with IIS Lockdown, its capabilities and its shortcomings.

Requirements


Software IIS (Version 4.0 or 5.0) IIS Lockdown v1.0 Windows 2000-based OS

Challenge Procedure 1. Download and Install IIS Lockdown 2. Perform An Express Lockdown 3. Undo The Express Lockdown 4. Perform An Advanced Lockdown And Leave WebDAV Enabled

196

Challenge Procedure Step By Step 1. Download and Install IIS Lockdown

• D:\Security Essentials Day 5\SSEC5.6\Downloads • Double click iislockd.exe

2. Perform An Express Lockdown 2.1. To execute IIS Lockdown click on Start -> Run and browse to the

directory that it was installed in.

2.2. On the Lockdown Type window leave Express Lockdown selected and click on Next.

197

2.3. Click on Yes to initiate the lockdown.

2.4. Lockdown progress window:

3. Undo The Express Lockdown 3.1. Start execution of IIS Lockdown. 3.2. Choose to Undo the previous lockdown.

198

3.3. Lockdown Undo progress screen:

4. Perform An Advanced Lockdown And Leave WebDAV Enabled 4.1. Start execution of IIS Lockdown. 4.2. Click on the Advanced Lockdown then on Next.

199

4.3. Uncheck any additional checkboxes for services you may want to leave enabled then click on Next.

Challenge Question: What service above was exploited by the Code Red worm? ____________________________________________________ ____________________________________________________

200

4.4. Uncheck the “Disable Distributed Authoring and Versioning (WebDAV)” checkbox the click on Next.

4.5. Confirm applying the lockdown .

201

Additional Reading “Secure Internet Information Services 5 Checklist”, Microsoft, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp

“Securing IIS on Windows 2000”, Carl Denowh, SANS Institute, http://www.sans.org/infosecFAQ/win2000/sec_IIS.htm “NT IIS Vulnerabilities Involving Active Server Pages”, Nancy Gabriel, SANS Institute, http://www.sans.org/infosecFAQ/win/IIS_vulnerabilities.htm

Summary Hardening a server is a multi-step process. Patching a system is a first step because it eliminates known problems with the software on the system. Hfnetchk is intended to assist with this process. However, perfect software can still be dangerously configured, and if the software has flaws in it, it raises the risks exponentially. The Code Red worm is a classic example of this. To assist with the configuration process Microsoft released the IIS Lockdown tool. IIS Lockdown operates in two modes. The Express mode operation lockdowns the system in a manner that Microsoft has decided to be generally acceptable. Advanced mode operation provides administrators greater control over the process by allowing them to determine what should be enabled or disabled.

202


Exercises

203

Security Essentials Day 6 Hour 2 Exercise

Description The Unix file system provides the basis of much of the security aspects of Unix. Understanding its structures is essential to learning how to secure systems that run Unix. A fundamental component of the file system is inodes. Inodes contain owner, group owner, permissions information; access and modification times; file size and number of blocks used; and a pointer to the data blocks.

Objective The objective of this exercise is to demonstrate various commands that manipulate inodes and the role that inodes play in security.

Requirements

Hardware Redhat Linux 7.0-based PC

Software

Challenge Procedure 4. Rotate Log Files 4. Find A Hidden Directory 4. Find The Ten Largest Files In A Directory Tree 4. Baseline Files With Set-UID And Set-GID

Challenge Procedure Step By Step 1. Rotate Log Files

a. Change directory to the /var/log

204

b. Rotate the second oldest log file to the oldest.

c. Rotate the third oldest log file to the second oldest.

d. Rotate the active log file to the third oldest log file.

e. Create the new log file.

f. Restart the service.

i. Verify the newly created log file is being accessed.

ii. Restart the syslog daemon.

g. Re-check if any process is accessing the newly created messages

file.

205

Challenge Question: What became of the messages that were written between the time you renamed messages to messages.1 and when you re-started the service? Challenge Question: Why is this choice of a filename effective? ____________________________________________________ ____________________________________________________

h. Why? ____________________________________________________ ____________________________________________________

2. Find A Hidden Directory. a. Change directory to /dev.

b. Check the directory contents.

i. Do a regular ls command with details.

h

ii. Do an ls command with hidden files and details.

206

c. Create a hidden directory.

d. Check for the hidden directory.

Challenge Question: Why is this choice of a filename effective? ____________________________________________________ ____________________________________________________

e. Remove the hidden directory.

3. Find The Ten Largest Files In A Directory Tree

207

a. Check for disk usage of each file.

b. Sort the disk usage in descending file size.

208

c. Limit the output to the ten largest files.

Challenge Question: How can this command be used for forensic purposes? ____________________________________________________ ____________________________________________________

4. Baseline Files With Set-UID And Set-GID

209

a. Identify files with the Set-UID and Set-GID bits set.

b. Create the baseline file.

c. Change the Set-UID bit on the ls command.

i. Check permissions before hand.

ii. Change the set-UID bit.

iii. Re-check the permissions.

210

d. Re-check for files where the Set-UID bit changed.

e. Compare the results.

Challenge Question: What could a new set-UID program indicate? ____________________________________________________ ____________________________________________________

f. Return the permissions to the original values.

Additional Reading UNIX in a Nutshell: System V Edition, 3rd Edition, Arnold Robbins, O’Reilly & Associates

Summary Inodes play a vital role in granting access to Unix resources. The information they store can be used to hide files and to grant access to privileged commands. These capabilities can be used to establish baselines for audit purposes or to control access to sensitive commands.

211


Description One unfortunate aspect of Unix is that its privilege is either all or nothing. It does not provide the granular control necessary to limit users to access of only selected privileged commands. Sudo does not attempt to change this characteristic of Unix. Instead sudo attempts to resolve this shortcoming by providing a mechanism that grants limited authority to selected users and groups. The file /etc/sudoers is used to define who can do what. Privileged commands are run through sudo which references the sudoers file. Sudo also goes a step beyond standard Unix by providing detailed logging information regarding all attempts to run privileged commands.

Objective The objective of this exercise is to demonstrate the installation, configuration and use of sudo to control access to privileged commands. It will also demonstrate the error messages and log entries generated by sudo.

Requirements

Permission This exercise requires root access to the system. If you are not the legal owner of the systems used for this exercise, you should obtain authorization from the legal owner and/or your management prior to conducting this exercise. Do not proceed without receiving the necessary permissions.


Software Sudo v1.6.3p7available from http://www.rge.com/pub/admin/sudo/

Challenge Procedure 4. Install sudo 4. Configure sudo 4. Execute the linuxconf command

212

4. Test An Invalid Password 4. Test An Invalid Command 4. Test An Invalid User 4. Review The Log Entries

Challenge Procedure Step By Step 1. Login as root and install sudo

a. Load the file to a temporary directory and unpack the file.

b. Prepare to compile the sudo executable.

c. Create the sudo executable.

d. Install the sudo executable.

2. Configure sudo

a. Execute the sudo configuration tool.

b. Add the following entries to the sudoers file.

i. Press SHIFT-G to go to the end of the file. ii. Press o to open a new line.

213

iii. Key in the text below. Replace <username> with the name of a non-privileged account.

c. Press :wq! to save the changes and exit the configuration utility.

3. Test the linuxconf command. a. Log out of root and log back in as the user added to the sudoers

file. b. Try running the linuxconf command.

c. Try using sudo to execute the linuxconf command.

214

d. linuxconf should execute successfully.

4. Test An Invalid Password

a. Deliberately type in an invalid password three times.

5. Test An Invalid Command

a. Execute a privileged command that is not set up in the sudoers file.

6. Test An Invalid User

a. Execute sudo and change the user you added to another name.

215

i. Use the su command to get root privileges.

ii. Press SHIFT-G to go to the end of the file.

iii. Use the cursor keys to move the cursor to the first character of the user name you added in Step 2.

iv. Press cw to change the user name. The user name should disappear. Type in sudouser or some other bogus name.

v. Press ESC to complete the change. vi. Press :wq! to save the changes.

vii. At the command prompt type exit to end the su session. b. Try to execute linuxconf.

7. Review The Log Entries

a. su to root and execute the following command: grep sudo /var/log/messages

Additional Reading “Delegating superuser tasks with sudo”, Jeremy C. Reed, BSD Today, June 2000, http://www.bsdtoday.com/2000/June/Features192.html

Summary Sudo was developed to provide a mechanism for granting limited access to privileged commands. These commands are accessed through sudo which references /etc/sudoers to determine if use of the command should be allowed. In addition to access control, sudo also logs all attempts of privileged commands, valid or invalid.

216


Description Many different factors lead to the ability to pass data from point A to point B. First you need a device that can transmit information. This device must have a unique, unchanging address. However, since the device can be moved from one network to another, it must also have a logical address to identify its location within the network. Once the device’s location can be specified, we need a mechanism that directs data from one network to another. This mechanism must be able to move the traffic between locations without necessarily knowing the path that must be taken.

Objective The objective of this exercise is to use a few Unix network related commands to demonstrate how it passes data between network devices. These techniques are not Unix specific, but actually related to the TCP/IP protocol.

Requirements

Permission This exercise requires root-level access to the system. If you are not the legal owner of the systems used for this exercise, you should obtain authorization from the legal owner and/or your management prior to conducting this exercise. Do not proceed without receiving the necessary permissions.

Hardware Redhat Linux 7.0

Software

Challenge Procedure 4. Relate The Hardware To The Logical Network Address 4. Locate The Device’s Position Within The Network 4. Test For Connectivity Between Network Devices 4. Determine The Route The Data Will Take

Challenge Procedure Step By Step 1. Relate The Hardware Address To The Logical Network Address

217

a. Type ifconfig -a

Challenge Question: What is the hardware addresss? _________________________________________________ _________________________________________________ What is the logical network address? _________________________________________________ _________________________________________________

2. Locate The Device’s Position Within The Network a. Type netstat -a

Challenge Question: What is the address of the network this device is on? _________________________________________________ _________________________________________________ What is the function of the gateway? _________________________________________________ _________________________________________________

3. Test For Connectivity Between Network Devices a. Type ping <IP address>. If you are connected to a network, use

an IP address outside your network. If you are not connected to a network, use the local address 127.0.0.1.

218

Challenge Question: What does “ttl” mean and what is its use? _________________________________________________ _________________________________________________

4. Determine The Route The Data Will Take a. Type traceroute <IP address>

Challenge Question: What role does the ttl play in traceroute? _________________________________________________ _________________________________________________

Additional Reading TCP/IP Illustrated, Volume 1, W. Richard Stevens, April 2000, Addison-Wesley Professional Computing Series

Summary The TCP protocol is not unique to Unix, but it was its tight integration with Unix that has led it to become the dominant protocol. This dominant position led to its subsequent acceptance by Microsoft as the default protocol for Windows 2000 and beyond. TCP defines how a hardware device is uniquely identified, how that unique hardware address is associated with a logical network address, and how data is routed among networks without is path being known at the time of transmission.

219


Description The importance of log files cannot be under estimated. However, as has been previously pointed out, it is difficult to give them the constant scrutiny they require. Logcheck is another example of an automated log monitoring tool. It consists of a set of shellscripts and configuration files that define what should be reported. The primary script is logcheck.sh. This script is executed periodically from cron. The alerts that it generates are sent by email to the administrator account. By default this administrator account is root. The configuration files are used to determine what should be reported and what can be safely ignored. Logcheck-hacking contains keywords that are certifiable attacks on the system. Logcheck-violations contains keywords that are usually seen as negative. Logcheck-violations-ignore contains keywords that are searched after a violation has been found. If the violation contains a matching keyword specification, no alert is generated.

Objective The objective of this exercise is to demonstrate the installation, configuration and use of logcheck.

Requirements

Permission This exercise requires root access to the system. If you are not the legal owner of the systems used for this exercise, you should obtain authorization from the legal owner and/or your management prior to conducting this exercise. A sample authorization is provided to assist you. Do not proceed without receiving the necessary permissions.


Software Logcheck v1.1.1 available at http://www.psionic.com/abacus/logcheck

220

Challenge Procedure 4. Install Logcheck 4. Activate Logcheck In Cron. 4. Test And Verify Logcheck’s Operation

Challenge Procedure Step By Step 1. Install Logcheck

a. Log in as root. b. Download and save logcheck to a temporary directory. Cd to that

directory. c. Unpack the distribution file.

d. Change directories to the distribution directory.

e. Move the routines for your system into place for installation.

f. Install logcheck

2. Activate Logcheck In Cron.

a. Start the crontab editor.

b. Add the following entry:

i. Press o to open a new line

221

ii. Type the following entry:

iii. Press the ESC to exit insert mode. iv. Type :wq to save and activate the entries.

3. Test And Verify Logcheck’s Operation a. Verify that the logcheck is loaded in cron.

b. Log out of root. c. Log back in as another user. d. Use su to become the root user then type exit to end the su session. e. Use su again but use an invalid password. f. Log off and back in again as root. g. At a command prompt type in mail to prompt check root’s mail. h. You should see a new message in the mail list.

i. Enter the message number (1 in the above example) and press

RETURN to view the message detail. Note the last three entries from

222

PAM_unix.

j. Press d to delete the message. k. Press q to quit the mail program.

Additional Reading “UNIX Logging and Security (Systems Under Siege)”, Chris Boyd, SAN Institute, http://www.sans.org/infosecFAQ/unix/unix_log.htm

“Log Consolidation with syslog”, Donald Pitts, SANS Institute, http://www.sans.org/infosecFAQ/unix/syslog.htm

Summary Throughout this course the importance log files has been repeatedly stressed. It is recognized though that monitoring log files is a difficult, tedious process. For these reasons several automated log checking tools such as logcheck have been developed. Logcheck uses a shell script running in cron tab to parse the log files for hacking and security violation keywords. When possible violations are detected, they are checked against a file of violations to ignore. If the violation is to be reported, a message is sent via email to the system’s administrator.

Security Essentials Workbook

Documents

Transcript of Security Essentials Workbook