Auditing Networks, Perimeters, and Systems


SANS Course: Advanced Audit 507
Day 1: Auditing Principles and Concepts......................................................................7
Module 1: Defining Terms..............................................................................................................7
Module 2: How Does Auditing Help?..............................................................................................8
Module 3: Baselines....................................................................................................................... 8
Module 4: Time Based Security......................................................................................................9
Module 5: The Audit Process.........................................................................................................9
Day 2: Auditing Perimeters........................................................................................... 13
Module 1: Routers........................................................................................................................13
Module 2: Firewalls.......................................................................................................................18
Day 3: Auditing Networks.............................................................................................. 23
Module 3: War Dialing..................................................................................................................23
Module 4: Wireless.......................................................................................................................24
Module 5: Network Maps and Critical Systems............................................................................26
Module 6: Vulnerability Assessments...........................................................................................28
Module 7: SQL Basics and Database Auditing.............................................................................29
Module 8: Putting it All Together..................................................................................................31
Day 4: Auditing Web Servers & Applications..............................................................33
Module 1: Web Concepts.............................................................................................................33
Module 2: Auditing Web Servers..................................................................................................37
Module 3: Auditing Web Applications...........................................................................................39
Module 4: User Input Testing.......................................................................................................41
Day 5: Auditing Windows.............................................................................................. 42
Module 1: Windows Auditing Introduction....................................................................................42
Module 2: Windows System Information......................................................................................43
Module 3: Windows Necessary Components and Services.........................................................44
Module 4: Windows Users, Groups, and Passwords...................................................................44
Module 5: Windows Data Protection............................................................................................46
Module 6: Windows Operating System and Application Security.................................................47
Module 7: Windows Auditing and Logging...................................................................................47
Module 8: Windows Ongoing Host Monitoring.............................................................................49
Day 6: Auditing UNIX..................................................................................................... 51
Module 1: UNIX Overview............................................................................................................51
Module 2: UNIX Logging..............................................................................................................53
Module 3: UNIX System Information............................................................................................54
Module 4: UNIX Authorized Access.............................................................................................55
Module 5: UNIX User Management..............................................................................................55
Module 6: UNIX Files....................................................................................................................55
Module 7: UNIX Key Information and Potential Vulnerabilities.....................................................56
Appendix A: Researching Information.........................................................................58
Appendix B: Auditing Tools..............................................................................................60

Christopher Davis Course Notes 1


Audit 507: Auditing Networks, Perimeters, and Systems

Detailed Contents
Day 1: Auditing Principles and Concepts......................................................................7
Module 1: Defining Terms..............................................................................................................7
Fifty Thousand Foot Views.........................................................................................................7
Baselines................................................................................................................................ 7
TBS......................................................................................................................................... 7
COBIT..................................................................................................................................... 7
FISCAM.................................................................................................................................. 7
Checklists............................................................................................................................... 8
Policy and Auditing................................................................................................................. 8
Module 2: How Does Auditing Help?..............................................................................................8
 Case Study: Wall Street Audit.........................................................................................8
Module 3: Baselines....................................................................................................................... 8
Module 4: Time Based Security......................................................................................................9
Module 5: The Audit Process.........................................................................................................9
 Case Study: Audit Internet AUP (Acceptable Usage Policy).........................................11
Step 1: Audit Planning..........................................................................................................11
Step 2: Entrance Conference...............................................................................................11
Step 3: Fieldwork.................................................................................................................. 11
Step 4: Preparing the Report................................................................................................12
Step 5: Exit Conference........................................................................................................12
Step 6: Report to Management............................................................................................12
Day 2: Auditing Perimeters........................................................................................... 13
Module 1: Routers........................................................................................................................13
Audit Preparation...................................................................................................................... 13
Cisco Router Basics................................................................................................................. 14
System Management................................................................................................................16
Accessing Cisco Routers......................................................................................................16
Auditing Access Methods.....................................................................................................16
Authentication....................................................................................................................... 16
Services and Banners..........................................................................................................16
System Controls....................................................................................................................... 17
Data Control............................................................................................................................. 17
Filter Rule Audit.................................................................................................................... 17
Router Audit Tool (RAT)...........................................................................................................18
Module 2: Firewalls.......................................................................................................................18
Introduction............................................................................................................................... 18
Why Perform Perimeter Audits?...........................................................................................18
General Types of Firewalls:..................................................................................................19
NAT...................................................................................................................................... 19
Audit Preparation...................................................................................................................... 19
Policies and Procedures.......................................................................................................19
Firewall Architecture................................................................................................................. 19
Testing the Firewall.................................................................................................................. 20
Testing the Firewall Rulebase..................................................................................................20
Alerting and Logging..................................................................................................21
Alerts and Logs in the Corporate Environment.....................................................................21
NIDS Auditing....................................................................................................................... 21
Day 3: Auditing Networks.............................................................................................. 23
Overall Methodology Review....................................................................................................23
Module 3: War Dialing..................................................................................................................23
Modems.................................................................................................................................... 23
Module 4: Wireless.......................................................................................................................24
Overall Wireless Approach.......................................................................................................24
Bluetooth Wireless.................................................................................................................... 25
802.11b Wireless Overview......................................................................................................25
Module 5: Network Maps and Critical Systems............................................................................26
Network Maps........................................................................................................................... 26
Critical Systems Considerations...............................................................................................27
Best Practices....................................................................................................................... 27

Considerations for All Systems.............................................................................27
Specific Mail System Considerations...................................................................................27
Specific DNS System Considerations..................................................................................27
Specific Web Host Considerations.......................................................................................28
Module 6: Vulnerability Assessments...........................................................................................28
Tools......................................................................................................................................... 29
Module 7: SQL Basics and Database Auditing.............................................................................29
SQL (Structured Query Language)...........................................................................................29
Securing the DB....................................................................................................................... 30
DB Structure and Files.........................................................................................................30
Authentication....................................................................................................................... 30
Links......................................................................................................................................... 30
Link Types............................................................................................................................ 30
Links Specify........................................................................................................................ 30
Considerations for Links.......................................................................................................30
Module 8: Putting it All Together..................................................................................................31
1. Determine areas of responsibility.........................................................................................31
2. Research vulnerabilities and risks........................................................................................31
3. Secure the perimeter............................................................................................................31
4. Secure the DMZ................................................................................................................... 31
5. Eliminate externally accessible vulnerabilities......................................................................31
6. Eliminate internally accessible vulnerabilities.......................................................................32
7. Search for Trojan horse programs........................................................................................32
Day 4: Auditing Web Servers & Applications..............................................................33
Module 1: Web Concepts.............................................................................................................33
Hidden Content......................................................................................................................... 33
Encryption................................................................................................................................. 33
Discovery Methods...............................................................................................................33
Considerations for Encryption..............................................................................................34
References........................................................................................................................... 34
Sensitive Output....................................................................................................................... 34
Session Tracking...................................................................................................................... 34
Basic Components of Session Tracking...............................................................................34
Session Tracking Methods...................................................................................................35
Session Tracking Controls....................................................................................................35
ASP.NET: Decoding View State Data..................................................................................35
Sign-On & Sign-Off from the Web Server.................................................................................36
Authentication Methods Overview........................................................................................36
Common Authentication Methods........................................................................................36
Sign-On Security Issues.......................................................................................................36
Audit Checklist for Sign-On..................................................................................................37
Audit Checklist for Sign-Off..................................................................................................37
Action Forms............................................................................................................................ 37
Module 2: Auditing Web Servers..................................................................................................37
High-Level Audit Checklist........................................................................................................38
Researching Possible Vulnerabilities.......................................................................................38
Vendor Specific Resources..................................................................................................38
General Resources...............................................................................................................38
Notes on IIS 5........................................................................................................................... 38
Quick IIS 5.0 Checklist.........................................................................................................38
IIS 5.0 Specific Tools............................................................................................................38
Module 3: Auditing Web Applications...........................................................................................39
Web Primer...............................................................................................................................39
HTML vs. HTTP....................................................................................................................39
SSL / TLS.............................................................................................................................39
GET vs. POST......................................................................................................................39
Cookies................................................................................................................................. 39
Techniques for Auditing Web Applications...............................................................................40
Web Server Security Scanning.............................................................................................40
CGI Scanning....................................................................................................................... 40
Brute Force Authentication...................................................................................................40
Traffic / Protocol Analysis.....................................................................................................40

Traffic Interception & Manipulation.......................................................................40
Common Tools of the Trade.....................................................................................................40
Module 4: User Input Testing.......................................................................................................41
Malicious Input.......................................................................................................................... 41
User Input Testing Tools......................................................................................................41
Suggested Controls:.............................................................................................................41
User Input Audit Recommendations:....................................................................................41
XSS: Cross Site Scripting.........................................................................................................41
Auditing XSS........................................................................................................................ 41
Day 5: Auditing Windows.............................................................................................. 42
Module 1: Windows Auditing Introduction....................................................................................42
Tools Available......................................................................................................................... 42
OS Tools...............................................................................................................................42
Third Party Tools.................................................................................................................. 42
Remember................................................................................................................................ 42
Research.................................................................................................................................. 43
Module 2: Windows System Information......................................................................................43
Tools to Identify Windows System Information.........................................................................43
Built-in Command Line Tools...............................................................................................43
GUI Windows Tools..............................................................................................................43
Third-Party Tools (mostly command line).............................................................................43
System Patches and Updates..................................................................................................43
Types of Windows Patches..................................................................................................44
Soft Issues: Policy and Procedure Checks...........................................................................44
Module 3: Windows Necessary Components and Services.........................................................44
Tools to Identify Windows Components and Services.............................................................44
Module 4: Windows Users, Groups, and Passwords...................................................................44
Valid Users............................................................................................................................... 44
User Tools include................................................................................................................45
Group Tools Include.............................................................................................................45
Password Considerations.........................................................................................................45
Password Tools Include.......................................................................................................45
Module 5: Windows Data Protection............................................................................................46
AGULP: Accounts to Permissions............................................................................................46
Tools for Auditing Windows File Permissions...........................................................................46
Tools for Auditing Windows Share Permissions.......................................................................46
Module 6: Windows Operating System and Application Security.................................................47
Tools for Auditing Windows OS and Application Security........................................................47
Tools for Finding Windows Rootkits.........................................................................................47
Module 7: Windows Auditing and Logging...................................................................................47
Recommended Windows Auditing Settings..............................................................................47
Reviewing Windows Audit Logs...............................................................................................48
Logon/Logoff Events:............................................................................................................48
Looking for Logons/Logoffs..................................................................................................48
Looking for Account Management Changes:.......................................................................48
Object Access Auditing.........................................................................................................49
Log Management..................................................................................................................49
Consolidating and Parsing Logs...................................................................................49
Module 8: Windows Ongoing Host Monitoring.............................................................................49
Baseline Method....................................................................................................................... 49
WMIC – Windows Management Instrumentation Command Line............................................49
Shortened Help Output.........................................................................................................50
Use examples....................................................................................................................... 50
Day 6: Auditing UNIX..................................................................................................... 51
Module 1: UNIX Overview............................................................................................................51
UNIX Basics.............................................................................................................................51
Everything is a File...............................................................................................................51
Files and Permissions..........................................................................................................51
Set-UID (SUID) Program.............................................................................................51
File Notation.................................................................................................................51
Manipulating Files........................................................................................................51

UNIX Services......................................................................................................................52
Remote Procedure Calls and Portmapper.....................................................................52
UNIX Services: NFS.....................................................................................................52
UNIX Services: NIS.....................................................................................................52
UNIX Services: NIS+...................................................................................................53
UNIX Configuration Control......................................................................................................53
Module 2: UNIX Logging..............................................................................................................53
UNIX Logs................................................................................................................................ 53
Remember.....................................................................................................................54
Module 3: UNIX System Information............................................................................................54
UNIX Toolkit Shopping List.......................................................................................................54
UNIX System Information.........................................................................................................54
Patch Information:................................................................................................................ 55
Module 4: UNIX Authorized Access.............................................................................................55
Module 5: UNIX User Management..............................................................................................55
Module 6: UNIX Files....................................................................................................................55
SUID, SGID, and Unlinked Files...............................................................................................55
UNIX File Integrity.................................................................................................................... 56
UNIX NFS................................................................................................................................. 56
Module 7: UNIX Key Information and Potential Vulnerabilities.....................................................56
Logon Banners.........................................................................................................................56
Look for Promiscuous Mode NICs using:.................................................................................56
Test the Overall Configuration..................................................................................................57
Host-based Assessment Tools.............................................................................................57
Network-based Assessment Tools.......................................................................................57
Appendix A: Researching Information.........................................................................58
Auditing Principles and Concepts.............................................................................................58
Vendor Specific Resources......................................................................................................58
Government Resources............................................................................................................58
General Research.................................................................................................................... 58
Appendix B: Auditing Tools..........................................................................................60
Auditing Perimeters.................................................................................................................. 60
Routers................................................................................................................................. 60
Firewalls............................................................................................................................... 60
Auditing Networks..................................................................................................................... 60
War Dialing........................................................................................................................... 60
Bluetooth.............................................................................................................................. 60
Wireless Auditing.................................................................................................................. 60
Network Mapping.................................................................................................................. 60
Web Auditing........................................................................................................................ 60
Vulnerability Assessment.....................................................................................................60
SQL and Database Auditing.................................................................................................61
Search for Trojan horse programs........................................................................................61
Auditing Web Servers & Applications.......................................................................................61
General Resources...............................................................................................................61
IIS 5.0 Specific Tools............................................................................................................61
Web Server Security Scanning.............................................................................................61
CGI Scanning....................................................................................................................... 62
Brute Force Authentication...................................................................................................62
Traffic / Protocol Analysis.....................................................................................................62
Traffic Interception & Manipulation.......................................................................................62
Common Tools of the Trade.................................................................................................62
User Input Testing Tools......................................................................................................62
Auditing Windows..................................................................................................................... 62
Built-in Command Line Tools...............................................................................................62
GUI Windows Tools..............................................................................................................62
Third-Party Tools (mostly command line).............................................................................62
System Patches and Updates..............................................................................................62
Identify Windows Components and Services.......................................................................63
Windows Users, Groups, and Passwords............................................................................63
Group Tools Include.............................................................................................................63

Christopher Davis Course Notes 5


Audit 507: Auditing Networks, Perimeters, and Systems

Password Tools Include.......................................................................................................63


Tools for Auditing Windows File Permissions.......................................................................63
Tools for Auditing Windows Share Permissions...................................................................63
Tools for Auditing Windows OS and Application Security....................................................64
Tools for Finding Windows Rootkits.....................................................................................64
Windows Logging................................................................................................................. 64
Baseline Method................................................................................................................... 64
Auditing UNIX........................................................................................................................... 64
Manipulating Files.................................................................................................................64
UNIX Services......................................................................................................................64
UNIX Services: NIS..............................................................................................................64
UNIX System Information.....................................................................................................64
Patch Information:................................................................................................................ 65
UNIX User Management......................................................................................................65
UNIX Files............................................................................................................................65

Day 1: Auditing Principles and Concepts


Thursday, April 07, 2005 Instructor: John Green

Module 1: Defining Terms

• There’s an emphasis on figuring out “What” to audit (defining the scope) prior to the
“How” (control validation) of the audit. I.e., you should know your scope before you
begin your work.
• If we consider “How” too early, then we might adjust the scope or objectives of the
audit, potentially blinding ourselves to risk. Stick to the defined scope.
• Auditing: measurement, a hard metric, of conformance
• Assessment: this is a measurement or estimation of risk, threat, vulnerability, and
cost of exposure. Assessment is more subjective than auditing. E.g. how did we
do? What could go wrong?
• Scope: is the defined “what”, or boundaries of what you audit
• Objective: is the goal of the policy or procedure. Two types of objectives include the
audit objectives and the individual system objectives.
• Control: how we meet our objectives
• Audit Exception: item that fails to meet audit criteria
• Remediation: what you do to fix the Audit Exception
• Mitigation: steps taken to reduce loss or harm
• Root Cause: center of what “really” went wrong

Fifty Thousand Foot Views

Baselines
• Measurement of a system in a “known good state”
• Used to measure a system’s current state
• Excellent auditing method
• “Baseline” is also used to define the configuration of a system
TBS
• Time Based Security: allows measurement of security events, risk, defenses, etc.
COBIT
• Control OBjectives for Information and related Technology
• Accepted standard for Information Technology Security
• Provides a framework and control practices
• www.isaca.org/cobit.htm; From their website, “COBIT has been developed as a
generally applicable and accepted standard for good Information Technology (IT)
security and control practices that provides a reference framework for management,
users, and IS audit, control and security practitioners.”
FISCAM
• NIST CSRC: http://csrc.nist.gov/sec-cert/ca-controls.html Information on FISCAM,
FIPS, and other established controls and methodologies. FISCAM is the Federal
Information System Controls Audit Manual, and FIPS is the Federal Information
Processing Standards.
Checklists
• Checklist: a statement of purpose and scope, and the primary tool for the auditor. The
primary goal of the auditor is to learn how to write a good checklist. Checklists make the
audit process far less subjective and allow the auditor and the system administrator to
examine the checklist together as equals, rather than the sysadmin viewing the audit
checklist as the auditor’s pitchfork.
Policy and Auditing
• Good policy is required for good auditing
• Policy: is the what. Policy answers questions about whom, what, and maybe why.
Policies are high-level. E.g. must have AV.
• Procedure: is the how. Procedures answer what person does what, when, and why.
Procedures are low-level. E.g., Sysadmin will update AV signatures weekly on user
desktops from server a.b.c.d and report findings to helpdesk. In the event a virus is
found, then report the incident to help desk immediately and keep the system off the
network.
• Audit: is the verification of policy and procedure.

Module 2: How Does Auditing Help?

• Vectors: Internal and External
o Internal: Intentional and accidental
o External: Intentional loss, intentional harm, or accidental
• Auditing and Storytelling: cooperative audits have a far greater impact on the
group being audited than forceful, pitchforked audits.
• Elevator Statements: Auditors should understand the positive impact to the
business and be ready to back up the reason for their existence.
• Auditing should be sold. Effectively. To management, sysadmins, others.

Case Study: Wall Street Audit

• Major Wall Street Investment Firm was audited for policies and general conformance.
Place of audit: The Trading Floor. Strong physical security. Great security policies.
Desks with no walls. High end computers. Fax machines.
• Connected to one fax machine telephone line was a computer with PC Anywhere on
the trading floor… with no password configured.
• All security measures were defeated by just one single user, with the potential
impact of stealing the crown jewels or ruining the public image. There shouldn’t have
been analogue lines to any of the desks.

Module 3: Baselines

• Baseline: Measurement of a system in a “Known Good State”. Used to measure a
system’s current state. Baseline must be trusted.
• winmsd: creates baseline snapshot. Using diff, you can quickly create a useable
baseline and exceptions list. This utility is for Windows NT. It is now called
System Information in XP and above.
• Baselines can be for anything from traffic loads, operating systems, users, LDAP, etc.
It’s a useful method for evaluating changes. Simply establish a known good and
automate against changes in the known good.

Module 4: Time Based Security

• Time Based Security (TBS): Security analysis model promulgated by Winn
Schwartau. TBS allows an approach to auditing new systems that have no existing
audit checklists or procedures.
• Great for new systems, products. While we can’t eliminate the need to have some
knowledge of the new system to be implemented, we can measure that system
against generalized criteria to make informed risk management decisions.
• Building a Castle… Multiple layers of protection, each taking a certain amount of time
and resources to compromise
• Guided Missile Destroyer’s role is defense-in-depth for the aircraft carrier
• TBS Formula:
o Protection > Detection + Response
o P: Protection Time (How long our defensive measures remain intact)
o D: Detection Time (How long it takes us to detect and threat analyze an
event)
o R: Response Time (How long it takes us to respond to a threat)
• The Thief’s Real-World Example: Takes a thief 10 minutes to steal a painting in a
gallery. It takes 5 minutes to trip the alarm and cause an alert, 2 minutes to call the
police, 2 minutes for the police to dispatch a car, and 2 minutes more for them to
arrive. That’s 11 minutes. The thief just got away with the painting.
o P (10) < D (5) + R (6)
o This is bad. Should be “greater than” not “less than”
• TBS Analysis Process
o Assume P=0
o P (Protection) becomes E (Exposure)
o Measure best and worst case Exposure (also equivalent to Detection +
Response)
o This should give you measurable data to work with (best case) or at least a
concrete method to understand the real exposure window (worst case).
• Example Given: Evaluate Wireless Access Point (five years ago)
o Exposure = Time to detect hacked network because of the new technology
+ Time to react and fix the problem

Module 5: The Audit Process

• Primary Auditor Objective: Measure and report on risk
o This objective can often be met by measuring and effectively reporting on
how well a system or process measures up to “Best Practice” or “Corporate
Policy”
• Secondary Auditor Objective: Influence others to reduce risk
o This objective can often be met by raising awareness with the groups you
spend time auditing.

Six Step Process

1. Audit Planning
2. Entrance Conference
3. Fieldwork
4. Preparing the Report
5. Exit Conference
6. Report to Management

Audit Step 1 – Audit Planning

• Pre-audit activities (research; determining scope; determining audit strategy;
creating or compiling checklists; formulating the auditing procedures)
• Research: Corporate policies; Industry best practices; Audit frameworks; Online (e.g.
CIS Center for Internet Security)
• Re-visiting scope often degrades the customer’s confidence in the audit. Try to define
it quickly and right the first time out.

Audit Step 2 – Entrance Conference

• Attendees: High-level people should come to the Entrance Conference along with
others that will play a major role in the audit. (management representatives; system
administrators; sometimes users; system’s security representatives)
• Should cover: scope; objectives; auditor’s role; role of others; audit process; time
frame
• Definitely NOT a place to say:
o “I’m in charge here!”
o “I’m here to see what you’re doing wrong!”
o “My report to management will reflect how well you are performing”

Audit Step 3 – Fieldwork

• Maintain integrity, professionalism, focus, and reasonableness.
• Reasonable auditing:
o Report what you find
o Discuss why you found it
o Explain why it is or is not a threat.
• Fieldwork = Teamwork
o Mobilize your forces
o Rely on strengths of others
o Communicate
o Be Humble

Audit Step 4 – Preparing the Report

• Write clearly. Good language skills are a must.
• Logical development will help the reader understand the report
• Write the details and the rest of the report first, and the executive summary last.
• Executive Summary: Describe the purpose and scope; Bullet findings; Describe risk
and impact for major findings.

Audit Step 5 – Exit Conference

• Who?: Same people as the entrance conference (kickoff meeting). Might have a few
more higher-ups. If this is the case, then consider a pre-meeting to share details with
the technical people to make sure everyone is on the same page.
• Cover: Scope, objectives, roles of auditors, roles of others, audit process, audit
findings
• Definitely NOT a place to say:
o “Here’s what you’re doing wrong!”
o “Here are some promises…”
o “Most administrators know better than to…”

Audit Step 6 – Report to Management

• Keep it clear and concise. This is going to be the last impression of the audit and will
set the tone for how they remember the audit… and you.
• Remember the executive summary
• Remember the positives – and report on them.
• Leave room for discussion

Case Study: Audit Internet AUP (Acceptable Usage Policy)

This case was about a real company that wanted to measure their Internet usage and
compliance to company policy. These are the steps they walked through to get there.
Step 1: Audit Planning
• Scope:
o All users
o Web traffic is the focus
o Other traffic is secondary
o How and when are important
o Who is important
o Define time frame
• Methodology:
o Define information that must be gathered
o Find tools and methods to gain access to this information
o Research best methods to define and create metrics as needed to effectively
report on the controls
• Tools Available:
o TCPDump
o Snort
o Dsniff
o Sniffer Pro
o MS Excel
o Others
Step 2: Entrance Conference
• Entrance Conference… happens
Step 3: Fieldwork
• ID sensors are tasked with collecting the data
• URLSniff is installed on sensors as well
Step 4: Preparing the Report
• We have a list of URLs… BUT what we need is a list of classified URLs and analyzed
packet headers
• Massage the data
• Create metrics
• There is a way that would work in this case to quickly classify all URLs (millions of
them) in just a few short hours. A script can present the auditor with successive URLs
and ask the auditor to classify them. Once a URL from a particular domain is
classified, all other URLs in that domain can be classified in the same way. Doing
this, you can quickly classify all of the URLs in just a few short hours. Just goes to
show you that seemingly daunting tasks can have creative solutions.
Step 5: Exit Conference
• Exit Conference: Critical to wrapping up issues and agreeing to the outcome and
possible next steps.
Step 6: Report to Management
• Report to Management: Higher-level report with metrics (useful measurements for
upper-level management that enable them to get a grasp on a subject area they
know little about); The intent here is to educate upper-level management, not to
create a panic.
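The domain-memoised classification script described in Step 4, as an added example (not a tool from the course or these notes): the auditor is asked once per domain, every later URL in that domain inherits the verdict, and the same pass yields the per-category metrics a Step 6 report needs. The (source_ip, url) record format, the category names and the sample records are constructed for illustration, not URLSniff output.

```python
"""Classify captured URLs by asking the auditor once per domain, then roll the
verdicts up into report metrics.  Added example; record format, categories and
sample data are constructed, not URLSniff output."""
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed sample of (source_ip, url) pairs, as a sensor might have logged them.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("10.1.1.20", "http://www.example-intranet.local/timesheet"),
    ("10.1.1.20", "http://www.example-intranet.local/payroll?id=7"),
    ("10.1.1.21", "http://news.example.org/headlines"),
    ("10.1.1.21", "http://news.example.org/sports/scores"),
    ("10.1.1.22", "http://news.example.org/weather"),
    ("10.1.1.22", "http://casino.example.net/play?table=3"),
    ("10.1.1.22", "http://casino.example.net:8080/cashier"),
    ("10.1.1.20", "example-intranet.local/helpdesk"),   # scheme-less, as some sniffers log
]

def domain_key(url: str) -> str:
    """Group key for a URL: the host name, lower-cased, without a leading 'www.' or
    a port.  A production script might group on the registrable domain instead."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def classify(records: Iterable[Tuple[str, str]],
             ask: Callable[[str, str], str]) -> Dict[str, str]:
    """Return {url: category}.  ask(domain, example_url) is called only the first
    time a domain is seen; its answer is reused for every other URL in that domain,
    which is what turns millions of URLs into a few hours of work."""
    verdicts: Dict[str, str] = {}
    classified: Dict[str, str] = {}
    for _, url in records:
        key = domain_key(url)
        if key not in verdicts:
            verdicts[key] = ask(key, url)
        classified[url] = verdicts[key]
    return classified

def metrics(records, classified):
    """Per-category request counts and, per source address, how many requests fell
    outside the 'business' category: the numbers an AUP report summarises."""
    by_category = Counter(classified[url] for _, url in records)
    non_business = Counter(src for src, url in records if classified[url] != "business")
    return by_category, non_business

def interactive_ask(domain: str, example_url: str) -> str:
    """The real auditor prompt: one question per previously unseen domain."""
    return input(f"Category for {domain} (e.g. {example_url})? ").strip().lower()

def scripted_ask(answers: Dict[str, str]) -> Callable[[str, str], str]:
    """Test double that answers from a fixed table and counts how often it was asked."""
    def ask(domain, _example):
        ask.calls += 1
        return answers[domain]
    ask.calls = 0
    return ask

if __name__ == "__main__":
    result = classify(SAMPLE_RECORDS, interactive_ask)
    print(metrics(SAMPLE_RECORDS, result))
```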

Day 2: Auditing Perimeters


Friday, April 08, 2005 Instructor: John Green

Module 1: Routers

The training material for this section was developed in part by Tanya Baccam.

Audit Preparation
• Define Scope: The audit methodology applies here as you would expect. Begin by
defining your scope.
• Conduct Research: Similarly, your research needs to be conducted:
o Questions to Ask
- What’s being protected?
- What risks exist?
- How’s the router configured?
- What’s the architecture?
- What processes exist?
o Sources for Research
- Interviews with the audit team, sysadmins, network admins, policy
team, information security team
- Router documentation including router functional definitions and
network diagrams
- External Sources such as manufacturer alerts (newsletters/website),
CERT/CIAC, SANS, Security Focus, User groups, other best
practices sources
• Best Practices: Many sources for this, including:
o Security Focus
o Packet Storm
o Regulations/Legislation (GLB, HIPAA, SOX)
o CERT
o CIAC
o SANS Top 20
o GIAC practicals
o BS7799/ISO17799
o COBIT
o NIST
o CIS
o NSA Security Guide
o Generally Accepted System Security Principles
o AICPA Trust Services Principles and Criteria
• Architecture: Router architecture must support the business flow of information. Find
version information (OS, patch levels, etc.). Find the router’s role:
o Border Router? (highest risk level)
o Interior Router?
o Backbone Router?
• Processes: This is the time to also test processes – not just the configuration:
o Processes to Check:
- Change Control
- Backups
- User Management
- Standardized, secure builds for router platforms
- Password Policies
- Patch Updates
o Example:
- Sample a recent alert
- Understand the process currently followed by the administrators to
address alerts
- Obtain audit evidence that the process is in place through interviews
and manual checking (personal observations)
- Document and suggest improvements to the process

Cisco Router Basics

• Things to know:
o Most of the Internet runs on Cisco
o Excellent capability with features such as stateful filtering, content checking
options
o Command line based. Cisco IOS is Cisco IOS, across all their gear.
• Modes of Operation:
o Non-privileged Mode – router>
o Privileged Mode – router#
o Global config mode – router(config)#
o Interface config mode – router(config-if)#
o ACL config mode – router(config-ext-nacl)#
o Boot loader mode – router(boot)
• Config Files:
o Startup-Config
- Loaded at boot time
- Router#show startup-config
o Running-Config
- Actual configuration being used
- Live changes are made to running-config
- Router#show running-config
• Static Packet Filtering
o Traffic control implemented on most routers
o Works by breaking down the IP addresses into sections (bytes) from the IP
header and comparing them to what they are supposed to match
o E.g. “permit traffic to 220.10.16.0/24”
- Does byte 16 in the IP header contain 220?
- Does byte 17 in the IP header contain 10?
- Does byte 18 in the IP header contain 16?
- If so… permit to pass. If not… process next rule. Out of rules… drop
packet.
• Stateful Packet Filtering
o The basics go like this: Most network traffic requires a stimulus, meaning it
requires a reply back into the network for the session to make sense. The
issue started when people figured out how to make evil packets that look like
harmless replies. Stateful filtering “remembers” the outbound request so that it
can match the inbound reply to what just left. It only allows legitimate replies
into the network.
• When to use Static or Stateful:
o Static Packet Filtering: Use Static for absolutes. E.g. blocking traffic from
private IP addresses; blocking all traffic headed to the SNMP ports; blocking
all inbound echo-requests (pings)
o Stateful Packet Filtering (Reflexive Filters [1]): Use Stateful for conditionals.
E.g. Not at all or… for everything else; Router deployment is dependent on
perimeter configuration
• Cisco’s IP Access List Types
o STANDARD IP access control lists
- Defined by list numeric range of 1-99, 1300-1999
- Only tests IP SOURCE, thus making it faster than EXTENDED access
lists
o EXTENDED IP access control lists
- Defined by numeric range 100-199, 2000-2699
- Tests SOURCE, DESTINATION, PROTOCOL, UDP/TCP PORT and
ICMP types in sequence
o REFLEXIVE IP access control lists
- Uses state table to maintain secure connections
o Named access control lists
- All of the above can be created using the number ranges specified or
by using a descriptive name
• Standard ACL Format:
access-list number action source [wild card] | any
E.g.: access-list 20 permit 192.168.1.0 0.0.0.255
o Number: must be 1-99 or 1300-1999 for standard
• Extended ACL Format:
access-list number action protocol source [wild card] [src-port] destination [wild-card] [dest-port] [other-options]
o Number: must be 100-199 or 2000-2699 for extended
o Action: must be permit or deny
o Protocol: name or number of protocol. E.g. ip, tcp, udp, icmp, etc.
o Source: source IP address to compare; the optional source port applies only to
TCP or UDP
o Destination: destination address to compare
o Log or log-input: log to console and/or syslog server

[1] As of Cisco IOS 11.3, Cisco included stateful filtering capability referred to as
“Reflexive Filters”. They are moving away from reflexive filters and towards CBAC
(Context-Based Access Control) because reflexive filters are pretty strong, but not
perfect.

• Named Access Lists: descriptive names can be used instead of numbers. Reflexive
filters must be placed in extended named access lists.
• CBAC: Product name is the “Firewall Feature Set”. Very CPU intensive. Protocol
aware control.
• Creating the Packet Filter
o ip access-group number [in|out]
o Number is the value of a defined access list
• Show Access-list Command:
Router# sh access-lists 100
Extended IP access list 100
permit tcp any any established (88 matches)
permit tcp any any eq telnet (12 matches)

System Management
Accessing Cisco Routers
• Local: Best method – but not usually realistic
• Remote: Telnet, SSH, HTTP, SNMP, TFTP
o Should be secure
Auditing Access Methods
• Disable access to a given line or port
no exec
• Remote access should be disabled if not needed
transport input none
• SSH preferred over telnet
transport input ssh
transport input telnet
• Use timeouts for session activity
exec-timeout 10 0
• Control access via access control lists
access-list 102 permit ip host 192.168.1.1 any
Authentication
• Methods include: enable, krb5, krb5-telnet, line, local, local-case, none, group radius,
group tacacs+, group group-name
Services and Banners
• SNMP: Preferable to disable SNMP completely. Not always feasible. Should not have
read-write community strings. Should not have default community strings. Should
restrict access to authorized addresses
• Management Services: should be disabled. E.g. Finger; Identd; HTTP
• Banners: legal notice should be given; only available for clear-text protocols;
displayed after authentication.
• Password Encryption: Two types:
o Type 7: Cisco defined; weak
o Type 5: MD5; much more secure; preferred
• AAA Accounting: used to keep an audit trail of user activity; four levels:
o start-stop: a background process sends records when the type specified is
started or stopped
o wait-start: sends a record when the type specified is started and stopped;
the process cannot continue until the message is sent; if the message is not
recorded, then the process is terminated
o stop-only: sends a record at the end of the user process
o none: no accounting records generated

System Controls
• NTP and Clock Configuration: Query for clock information; ideally should have 3
separate time servers.
show clock detail
• Logging: should be enabled; syslog servers specified explicitly; logs time stamped;
buffer size of logs specified; set the console logging level and the trap (syslog) level
o Examples:
logging on
logging buffered 16000
logging console critical
logging trap informational
• Unnecessary Control Services
o Small TCP services
o Small UDP services
o Bootp
o CDP
o Config service
o TFTP services
o Should enable TCP keep-alive services to flush inactive connections

Data Control
• Routing Protection: Stop the following:
o Directed broadcasts
o Source routing
o Proxy ARP
o ICMP unreachables
o Tunneled interfaces
o ICMP redirects and echo-requests
• Ingress Filtering: refers to filtering the traffic coming into the network from an
external source. Great way to ensure someone isn’t spoofing addresses that
obviously didn’t originate from your network. These addresses are defined in
RFC3330 and include addresses in the ranges of: 169.254.x.x; 127.x.x.x; 192.0.2.x;
0.x.x.x; 224.0.0.0-31.x.x.x
• Egress Filtering: refers to filtering the traffic leaving the network from an internal
source.
Filter Rule Audit
• Do the filter rules meet policy and/or best practices?
• Are the filter rules authorized?
• Are the filter rules optimized?
• Conduct technical verification of the filter rules.
• Document and recommend changes as necessary.
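A checker for the access-list formats described above and for the ingress filtering just discussed, added here as an example rather than any tool from the course: it parses standard and extended access-list lines, takes the fields a static filter compares straight from the IPv4 header bytes, evaluates first-match-wins with the implicit deny (technical verification), and flags rules an earlier rule shadows (the “are the filter rules optimized?” question). The access list, the packet bytes and the use of the 220.10.16.0/24 network from the static filtering example are constructed; only the `eq` port operator and numeric ports are handled.

```python
"""Cisco-style ACL checker (added example, not the course's tool): parse standard/extended
lines, evaluate packets first-match-wins with implicit deny, flag shadowed rules."""
import ipaddress
from collections import namedtuple

PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # None = any protocol
ALL = 0xFFFFFFFF   # wildcard for "any": bit 1 = don't care, bit 0 = must match
Rule = namedtuple("Rule", "action proto src src_wild dst dst_wild sport dport")  # port None = any
Packet = namedtuple("Packet", "proto src dst sport dport")

def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))

def _addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (addr, wildcard, next index)."""
    if t[i] == "any":
        return 0, ALL, i + 1
    if t[i] == "host":
        return ip_to_int(t[i + 1]), 0, i + 2
    return ip_to_int(t[i]), ip_to_int(t[i + 1]), i + 2

def _port(t, i):
    if i < len(t) and t[i] == "eq":        # only the 'eq' port operator is handled
        return int(t[i + 1]), i + 2
    return None, i

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue                                  # blank or unrelated line
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:       # standard: source only
            rules.append(Rule(action, None, *_addr(t, 3)[:2], 0, ALL, None, None))
        elif 100 <= number <= 199 or 2000 <= number <= 2699:  # extended
            src, swild, i = _addr(t, 4)
            sport, i = _port(t, i)
            dst, dwild, i = _addr(t, i)
            dport, _ = _port(t, i)                    # a trailing 'log' is ignored
            rules.append(Rule(action, PROTO_NUM[t[3]], src, swild, dst, dwild, sport, dport))
        else:
            raise ValueError(f"{number} is outside the IP access-list number ranges")
    return rules

def addr_matches(ip, addr, wild):
    """Compare only the bits the wildcard leaves fixed, as the router does."""
    return (ip & ~wild & ALL) == (addr & ~wild & ALL)

def _fields_ok(r, proto, sport, dport):
    return ((r.proto is None or r.proto == proto) and (r.sport is None or r.sport == sport)
            and (r.dport is None or r.dport == dport))

def rule_matches(r, p):
    return (_fields_ok(r, p.proto, p.sport, p.dport)
            and addr_matches(p.src, r.src, r.src_wild) and addr_matches(p.dst, r.dst, r.dst_wild))

def evaluate(rules, p):
    """First matching rule wins; running out of rules is the implicit deny."""
    return next((r.action for r in rules if rule_matches(r, p)), "deny")

def _covers(a, b):
    """True if rule a matches every packet rule b matches: b's don't-care bits lie
    within a's and the bits a fixes agree, for both source and destination."""
    def sub(a_addr, a_wild, b_addr, b_wild):
        return (b_wild & ~a_wild & ALL) == 0 and addr_matches(b_addr, a_addr, a_wild)
    return (_fields_ok(a, b.proto, b.sport, b.dport)
            and sub(a.src, a.src_wild, b.src, b.src_wild) and sub(a.dst, a.dst_wild, b.dst, b.dst_wild))

def shadowed_rules(rules):
    """0-based indices of rules an earlier rule fully covers: they can never match."""
    return [j for j, b in enumerate(rules) if any(_covers(a, b) for a in rules[:j])]

def packet_from_bytes(raw):
    """IPv4 header fields a static filter compares: protocol at byte 9, source at
    bytes 12-15, destination at bytes 16-19; TCP/UDP ports follow the header (IHL*4)."""
    ihl, proto = (raw[0] & 0x0F) * 4, raw[9]
    ports = (None, None)
    if proto in (6, 17) and len(raw) >= ihl + 4:
        ports = int.from_bytes(raw[ihl:ihl + 2], "big"), int.from_bytes(raw[ihl + 2:ihl + 4], "big")
    return Packet(proto, int.from_bytes(raw[12:16], "big"), int.from_bytes(raw[16:20], "big"), *ports)

# Constructed ingress list for a border router in front of 220.10.16.0/24: drop sources that
# cannot arrive from outside (loopback, link-local, RFC1918), admit web traffic, deny the rest.
INGRESS_ACL = """
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any 220.10.16.0 0.0.0.255 eq 80
access-list 101 permit tcp any host 220.10.16.7 eq 80
access-list 101 deny   ip any any
"""
# Constructed IPv4 header plus TCP ports: 198.51.100.9:49152 -> 220.10.16.7:80.
SAMPLE_IPV4_TCP = bytes([
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00,   # v4, IHL 5, length, id, flags
    0x40, 0x06, 0x00, 0x00,                           # TTL, protocol 6 (TCP), checksum
    198, 51, 100, 9, 220, 10, 16, 7,                  # bytes 12-15 src, 16-19 dst
    0xC0, 0x00, 0x00, 0x50,                           # TCP sport 49152, dport 80
])
```

The sixth line of the constructed list is fully covered by the fifth, so `shadowed_rules` reports it; a spoofed loopback source is stopped by the first line before any permit is considered.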

Router Audit Tool (RAT)

Available from: http://www.cisecurity.org
• Can be run against: Stored configurations; Live routers; Multiple of each
• Has scripting potential: Can periodically pull live configurations and compare to
baseline configurations
Solves:
• Lack of Cisco IOS benchmark
• Lack of audit tool for IOS
• Difficulty maintaining consistency and detecting changes
• Need to quickly fix incorrect settings
• Need for reporting and customization
• Need to check non-IOS devices
Misses:
• Management issues
• Poor operations mistakes
• Vendor code issues
• Weaknesses in protocols
• Host-based issues (viruses, code red, etc)
• Bandwidth-based DoS
• New vulnerabilities
• Local configuration choices
• Need for competence and vigilance
Rule Categories:
• Management Plane: setting up and examining the static configuration of the router,
and the authentication and authorization of router administrators
o E.g. SSH, Telnet
• Control Plane: support and document the operation, traffic handling, and dynamic
status of the router
o E.g. logging, NTP
• Data Plane: data passing through the router
o E.g. CBAC, ingress filtering, egress filtering
Summary:
• Identify router function, purpose
• Determine intended controls
• Verify if controls are in place and functioning
• Document and suggest recommendations at a functional level

Module 2: Firewalls

Introduction
• Convergence by big vendors to create a firewall that does everything
• The more access nodes available, the more ways there are to get into the network
• Defense-in-Depth: layers built into security. E.g. perimeter FWs, internal FWs, IDS,
border routers, internal routers, policies, procedures, audits,...
Why Perform Perimeter Audits?
Many of the rules we’re testing involve complex filtering, especially when there are
multiple devices in place doing the filtering. It’s very easy for administrators to make a
mistake, for example, from lack of experience or simply mistyping. When you have
multiple administrators administering devices, the chances of an error occurring
increase. Vendors can also make mistakes.
• Firewalls and routers are both needed. There are some moves by both vendor types
to create the functionality of the other. Generally, these should complement each
other.
General Types of Firewalls:
• Packet Filter: Fast, low security
• Stateful Inspection: Medium speed, medium security
• Proxy or Application Gateway: Slow, high security
NAT
Allows use of private addresses on the Intranet (RFC1918 addresses). Variations include
port forwarding (redirection), many-to-one (Hide NAT), one-to-one (static NAT), and NAT
address pool.

Audit Preparation
Policies and Procedures
 Policies and what to define:
o What information is the firewall protecting?
o What are the expectations of the firewall?
o What risks is the organization willing to take?
o What actions are authorized?
 Procedures:
o Change Control
o Backups
o User management
o Password policy
o Patch updates
o Standardized, secure builds for firewall platforms

Firewall Architecture
 Review of the architecture should reveal allowed and disallowed data flows.
 Logical diagrams illustrate the data flows. The firewall is responsible for controlling
the data flow.
 Questions to Ask:
o Are the firewalls segmenting the information correctly?
o Need to add or remove a firewall?
o Need to add or remove network interfaces?
o Are architecture procedures being followed?
o Does the architecture support the security policy?

Architecture 1: Single Firewall – No Router

Architecture 2: Single Firewall – Border Router

Architecture 3: Dual Firewall – Border Router

Architecture 4: Dual Inline Firewalls

Architecture 5: Firewall – VPN

Architecture 6: Firewall – VPN – Border Router

Testing the Firewall


Things to consider include configurations that bypass the rule base and security features
that are specific to the platform you are auditing. Helpful resources might include the
documentation, peers, mailing lists, user groups, and of course Google.

Testing the Firewall Rulebase


 Manually review the rule set including the filter rules
 Eliminate unneeded rules
 Combine repetitive rules

 Identify unauthorized rules
 End up with as few as possible while maintaining security
 Manually validate the rule set
 Scan through the firewall
 Determine what the firewall allows and drops
 Scan from every interface
 Scans to consider include:
 TCP and UDP scan the firewall for all 65,535 ports
 Perform a Ping sweep to see if Echo-requests get passed
 SYN scan subnet to look for open ports
o Use a Full TCP Connect scan for proxies
 Slow SYN scan to see if port scans are detected
 Scan with FIN packets to see if they are handled differently
 Scan with ACK packets to see if they are handled differently
 Scan with Fragmented ACK packets to see if they are handled differently
 UDP scan subnet to look for open ports
 Additional Tests:
 Test any other policy specifications, e.g.:
o Should loopback be blocked?
o Should spoofed sources be blocked? The replies have to go somewhere.
o Should private addresses be blocked?
o Should critical services be blocked?
o Should certain ICMP types/codes be blocked?
 Test additional "stealth" scans and flag combinations such as:
o Xmas, FIN, Null
 Test source ports:
o 0, 20, 21, 53, 80, 88, 443, 500, 1025
 Additional fragmentation testing to verify that legitimate fragmentation is
handled properly
 Test in all directions
 Tools to use include:
 Network mapping: nmap, hping, nemesis, others
 Passive vulnerability assessment: Ethereal, tcpdump, windump, others
 Active vulnerability testing: Nessus, Retina, others
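
Added example (not from the course notes): a small Python script that performs the manual rule-set review above on a constructed rule base, flagging rules that are shadowed by an earlier rule, duplicate an earlier rule, or allow something the written policy does not. The rule fields, the policy set and the sample rules are this example's own assumptions.

```python
"""Static review of a small firewall rule base, in the spirit of the manual
rule-set review: flag rules that are shadowed, duplicated, or not covered by
the written policy. Rule fields and sample rules are constructed for this
example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp", "icmp" or "any"
    src: str       # source CIDR; "0.0.0.0/0" means any
    dst: str       # destination CIDR
    dport: object  # destination port as int, or "any"


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`
    (the actions are not compared here)."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.dport != "any" and outer.dport != inner.dport:
        return False
    return (_net(outer.src).supernet_of(_net(inner.src))
            and _net(outer.dst).supernet_of(_net(inner.dst)))


def review(rules, authorized):
    """Return (finding, rule_index, earlier_rule_index_or_None) tuples.

    shadowed     - an earlier rule with the opposite action already matches
                   everything this rule would match, so it never fires
    duplicate    - an earlier rule with the same action already covers it
    unauthorized - an allow rule whose (proto, dport) is not in the policy
    """
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                kind = "duplicate" if rules[j].action == rule.action else "shadowed"
                findings.append((kind, i, j))
                break  # the first covering rule is the one that decides
        if rule.action == "allow" and (rule.proto, rule.dport) not in authorized:
            findings.append(("unauthorized", i, None))
    return findings


# Constructed sample: what the written policy says may reach the DMZ.
AUTHORIZED = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Constructed sample rule base, evaluated top to bottom, first match wins.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    Rule("deny", "any", "0.0.0.0/0", "192.0.2.0/24", "any"),       # catch-all deny
    Rule("allow", "udp", "0.0.0.0/0", "192.0.2.53/32", 53),        # never reached
    Rule("allow", "tcp", "198.51.100.0/24", "192.0.2.10/32", 80),  # already allowed
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 3389),      # not in policy
]

if __name__ == "__main__":
    for kind, i, j in review(RULES, AUTHORIZED):
        ref = f" (see rule {j})" if j is not None else ""
        print(f"rule {i}: {kind}{ref} -> {RULES[i]}")
```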

Alerting and Logging


Alerts and Logs in the Corporate Environment
During the course of the review, were the attacks logged? Noted? Appropriate people
notified? In smaller organizations, this ideology may be OK. However, in large
organizations, attacks happen all the time, continuously, from both curious and malicious
attackers. Depending on the number of attacks happening at any one time, this may not
be practical, but it “should” be in an ideal security world.

NIDS Auditing
Nmap can be used to kick off port scans and check for port scan detection. A vulnerability
scanner such as Nessus or Retina can be used for checking payloads. Fragroute can
check for fragmentation, and you can combine each of these with a sniffer to check for
accuracy.
 Using Fragrouter
o Requires Two (2) Machines!
 On host-1, add a route to the destination that goes through host-2
which will run fragrouter: route add destination host-2
 Start fragrouter on host-2: fragrouter -F1
 Send attacks from host-1 to destination. Host-2 will intercept and
fragment the traffic, forwarding it on to the destination host.
o There are many options available. Read the help file or use fragrouter
--help

Day 3: Auditing Networks


Saturday, April 09, 2005 Instructor: John Green

Overall Methodology Review


1. Determine areas of responsibility
2. Research vulnerabilities and risks
3. Secure the perimeter
4. Secure the DMZ
5. Eliminate externally accessible vulnerabilities
6. Eliminate internally accessible vulnerabilities
7. Search for Trojan horse programs

Module 3: War Dialing

Modems
 Overall War Dialing Approach: Inventory active modems; create baseline; collect
banners; audit active modems for authorization and security issues; recommend
corrective actions; maintain inventory over time
 Considerations:
o Permission: Get appropriate permission from everyone that’s involved and
affected.
o What: (scope, range of numbers)
o Cost: Not all countries have flat rate phone charges. This could be costly in
Europe and parts of Asia
o Time (4-digit extension = 10,000 numbers x 30 seconds each = slow
process)
o Avoid emergency numbers and extensions
o Put war dialers behind PBX to avoid DID restrictions and phone charges
o How often should this be done?
o When to call? Day of the week and time of day. Three-day weekends are great,
and after normal business hours to avoid annoying office workers.
 Risks: calling emergency numbers; calling people from an ISDN device; night
stations; denial of service (blank voicemails and legacy systems)
 Test the Configuration: Check how the software responds to:
o Voicemail
o Person answering
o Busy and disconnected signals
o ISDN
o Etc
 Preparing the system:
o Disable power management and screen saver
o Disable fax software

o Physically disconnect from the LAN
o Disable v-mail notification
o Don’t share the line
o Disable auto-answer on your modem (usually the default to have it on)
 Tools Available:
o Opensource/Freeware:
 Toneloc
 THC Scan
 Phone Tag
 Rasusers
 TBA (palm OS)
 Microsoft’s Hyper-Terminal
o Commercial
 PhoneSweep
 Sandtrap
 Procomm Plus (connects to modems)

War-Dialing Audit Considerations:


 Policy: Acceptable Use Policy
 Vendor access policy
 Modems identified should be authorized for business use only
 Authentication, authorization, and auditing should exist
 Functionality prior to authentication should be disabled
 Default accounts should not exist
 Login attempts should be limited and should not reveal unnecessary information
 “Warning” login banner should be in place and it should not reveal system information
 Physical inspections should occur
 Modems should use an assigned block of telephone numbers separate from normal
voice
 Regular modem audits should be conducted
 Disable the answer feature for outgoing modems
 Call back modems can be used
 Logs should be reviewed
 Increase modem ring count
 Modem “firewall” or “honey pot”

Module 4: Wireless

Overall Wireless Approach


 Identify wireless devices you want to audit; Access points?, Bluetooth?; Audit active
access points for authorizations and security issues; Recommend corrective or
mitigating countermeasures; Maintain inventory over time to know what you have on
site

Bluetooth Wireless
 Short range; low bandwidth; PDAs, cell phones, laptops; Security issues include
bluejack, bluesnarfing, DoS (www.bluestumber.com)
 Normal recommendations are to set devices to undiscoverable or to turn off
bluetooth.
 Bluetooth Tools:
o Bluez: Linux BT
o OpenOBEX:
o Redfang:
o Bluesniff:
o Btscanner:
o Btxml:

802.11b Wireless Overview


 Runs at 2.4 GHz; 802.11g raises speed to theoretical limit of 54 Mbps
 WEP, WPA, WPA2: Security for home users based on WEP, WPA [2] (uses RC-4), and WPA2
o WPA2 based on the final 802.11i standard and uses AES
 TKIP: Temporal Key Integrity Protocol
o Based on WEP; uses RC-4 for encryption; supports dynamic key exchanges
 WRAP: Will never be implemented… too many legal battles over the ownership
 CCMP: Preferred 802.11i encryption protocol; uses AES (FIPS140-2 requirement);
Requires hardware upgrade; implementation will take time
 802.1x: Based on EAP (Extensible Authentication Protocol); not responsible for
encryption of the data, just the authentication; uses a generic interface for the
authentication; permits wide range of options like EAP (LEAP), certificates, OTP
(one-time-password) schemes
 Identifying Access Points
o Physical Audits: Netstumbler, Kismet, other tools to detect the wireless
signals
o Logical Audits: Nessus, Retina, and other tools can detect the MAC and
identify the router as an AP; can also do this with TCP-IP fingerprinting; FTP
printing; etc..
o Many, many tools here for identifying them, breaking them, simulating them,
etc.
WLAN Audit Considerations
 Does WLAN security policy exist?
 Does a base station configuration policy exist?
 Has a risk assessment been carried out for the environment?
 Are APs physically secured?
 Is appropriate training provided for administrators?
 What is the architecture of the WLAN environment?
 What wireless technologies are being used?
 Should the signal strength be adjusted?

[2] WPA designed to replace WEP

 Do clients have to authenticate to base stations?
 Have manufacturers' default settings, such as passwords and SSIDs, been
changed?
 How often are network access passwords and encryption keys changed?
 Is it possible to augment security with IPSec or other means?
 Does the design and architecture of the wireless network meet business
objectives while minimizing external signal leakage and exposure?

Module 5: Network Maps and Critical Systems

Network Maps
Network maps help by giving us the same view of our network that hackers would have.
Creating a network map is one of the most reliable ways to complete an audit. In this
method, we actually send tests or watch the network in order to identify potential
vulnerabilities.
 Safely Mapping Your Network
The Seven P’s of Safe Network Mapping
1. Plan: scan one subnet at a time
2. Policy: Should be developed and followed
3. Permission: Get it before scanning!
4. Publicize: Let others know!
5. Be Present: Before, during, and after for issues that may come up
6. Be Persistent: Identify all devices
7. Provide Feedback!
 Host and Network Maps
o Host Maps: Two dimensional representations of the host ports and services
o Network Maps: Three dimensional representation of multiple host ports and
services

 NAT and DHCP: Make things tricky! No known way to do this.


 Using nLog (www.digitaloffense.net/nlog)
o What it does: converts output files to a flat file database
o Browser interface to nlog database via cgi
o Can query based on hosts, ports, state, etc
o Written by HD Moore; allows you to query through nmap results. The nLog
script can convert the nmap output file to a flat file database. The -oM option
must be used with nmap for the scan.
 ndiff: Utilizes nmap output to identify the differences or changes that have occurred
in your environment across network scans
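
Added example (not the nLog or ndiff tools themselves): a Python diff of two nmap machine-readable scan outputs in the spirit of ndiff, reporting hosts and ports that appeared, vanished, or changed state between a baseline and a follow-up scan. The two scan snippets are constructed in nmap's one-host-per-line "Host: ... Ports: ..." format and are not real results.

```python
"""Compare two nmap machine-readable scan outputs, ndiff-style, to find hosts
and ports that appeared, vanished or changed state between audits.
The scan snippets below are constructed samples, not real scan results."""


def parse_gnmap(text):
    """Return {host_ip: {(port, proto): state}} from machine-readable output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        ports = hosts.setdefault(ip, {})
        if "Ports:" not in line:
            continue  # host answered but had no ports listed
        port_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in port_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            ports[(int(fields[0]), fields[2])] = fields[1]
    return hosts


def diff_scans(before, after):
    """Return a list of (change, host, (port, proto) or None, detail or None)."""
    changes = []
    for host in sorted(set(before) | set(after)):
        if host not in before:
            changes.append(("new-host", host, None, None))
        elif host not in after:
            changes.append(("host-gone", host, None, None))
        else:
            for key in sorted(set(before[host]) | set(after[host])):
                old = before[host].get(key, "absent")
                new = after[host].get(key, "absent")
                if old != new:
                    changes.append(("port-change", host, key, f"{old}->{new}"))
    return changes


# Constructed baseline scan (tab-separated fields, as nmap writes them).
BASELINE = """\
# Constructed baseline scan
Host: 192.0.2.10 (www)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.0.2.20 (mail)\tPorts: 25/open/tcp//smtp///\tIgnored State: closed (999)
"""

# Constructed follow-up scan of the same range.
FOLLOWUP = """\
# Constructed follow-up scan
Host: 192.0.2.10 (www)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.30 (new)\tPorts: 3389/open/tcp//ms-term-serv///\tIgnored State: closed (999)
"""


def scan_changes():
    return diff_scans(parse_gnmap(BASELINE), parse_gnmap(FOLLOWUP))


if __name__ == "__main__":
    for change in scan_changes():
        print(change)
```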

Critical Systems Considerations


Best Practices
In general, there are several best practices that can be applied across all of these. Here
are a few that should be remembered while conducting any assessment for systems or
applications.
 Defense-in-Depth
 Open design: Security by obscurity is not security
 Least privilege rule: Least privileges possible for users
 Separation of duties: According to user’s role
 Economy of mechanism: Keep the mechanism simple over the life of the system
 Complete mediation: Everyone is subject to every control
 Validate: Both Input and Output
 Fail Closed: Fail to safe
 Keep it Simple: See economy of mechanism rule. Worth repeating twice.
 Reuse trusted components: Find something simple that works, and reuse it.
Considerations for All Systems
 Install the server on a dedicated host
 Ensure you’re running the most up-to-date version
 Ensure patches have been installed
 Remove vendor documentation and sample code
 Ensure the machine runs minimal services
 Run services with the least privileges possible
 Modify the service banners to report appropriately
 Ensure logging is properly controlled
 Ensure remote administration is addressed adequately
 Use file integrity checking tools
 Infrastructure considerations
 Check the operating system for poor configuration
Specific Mail System Considerations
 Disable open relaying
 Disable commands such as VRFY and EXPN
 Limit file transfer size
 Limit what IP addresses can use the system
 Limit the users that can send mail
 Scan messages for viruses
 Implement a content filtering policy
 Add a legal disclaimer to e-mails
 Configure the server to block mail from open relay blacklists and specific
domains
 If web access is necessary, only allow such access over SSL/TLS
Specific DNS System Considerations
 Restrict zone transfers
 Disable recursive checks and retrieval attempts
 Deploy split DNS
 Log all zone transfer attempts
 Restrict queries
 Restrict dynamic updates
 Split and Split-Split DNS
o Split DNS: Split DNS is the logical and physical separation of your IP
address space
 External IP addressing: What the Internet needs to know
 Internal IP addressing: What the Internet does not need to know
o Split-Split DNS
 External: Advertise and resolve
 Internal: Resolves for internal clients
 Create a primary and secondary for each: Zone transfers only from
primary to secondaries
 Tools to Audit DNS
o Securing a DNS server means making sure it works exactly the way you expect it
to. Tools include nslookup, dig, Sam Spade, Nessus, and others.
Specific Web Host Considerations
 Separate the web server from internal and public networks
 Web server should run with a user and group designed exclusively for the web
server
 Permissions of critical files should be appropriate
 Server log files
 System SW and config files
 Applications SW and config files
 Password files
 Protect against DoS attacks
 Configure the public web server so it cannot serve files that are outside of a
specified file directory tree
 Content should be in a single directory and executables should be in a separate
single directory
 Disable directory listings
 Enable logging
 Review logs
 Install patches
 Review executables
 Disable server-side includes
 Use encryption when appropriate
 Use authentication when appropriate
 Tools to Audit Web Hosts:
o Nikto: Nessus can leverage Nikto
o N-Stealth
o Whisker
o Many others – Check out OWASP (http://owasp.org/)

Module 6: Vulnerability Assessments


There are multiple tools for this, including open source and commercial tools. This
section could have a lot of information about how to set up and run each of the tools, but
the best place to learn that is to look online at the forums, Google, user-groups, reading
FAQs, etc.

Tools
 Nessus: Good open source tool
 NeWT: Commercial version of Nessus
 GFI LANguard: Been around forever
 Retina: Best Windows-based tool. Fastest of every tool on the market.
 nCircle: Excellent appliance-based (hardened Linux appliance) architecture
 MBSA: MS's local scanner. More of an overall audit tool.

Module 7: SQL Basics and Database Auditing

SQL (Structured Query Language)


Provides the capability to retrieve and update information and database structures.
 SELECT Statement
SELECT <field(s)> FROM <table> WHERE <condition>
 Where Clause: Can include the following operators and keywords:
= <> != > < >= <= IN BETWEEN LIKE AND OR
o Quotes may be necessary
 Data Manipulation Language
o Select
o Update
o Delete
o Insert Into
 Data Definition Language
o Create Table
o Alter Table
o Drop Table
o Create Index
o Drop Index
 Aggregate Functions
o ORDER BY
o GROUP BY
o Sum
o Max
o Min
o First
o Last
o Count
o Avg
 Controlling Permissions
o GRANT
o DENY
o REVOKE
 SQL Injection Basics
o See OWASP (http://owasp.org/) for excellent tutorials. Information here is
very, very basic and not self-explanatory.
o OR 1=1

 SELECT * FROM user_table WHERE username = 'Tanya' and password = 'my_password'
 UNION ALL SELECT field FROM table WHERE condition
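
Added example (not from the course notes or OWASP): the OR 1=1 injection above run against a throwaway in-memory SQLite table, with the concatenated query beside its parameterized fix. The table, rows and credentials are constructed.

```python
"""The OR 1=1 injection demonstrated against a throwaway SQLite database:
the query built by string concatenation is subverted, the parameterized
query is not. Table, rows and credentials are constructed for this example."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_table VALUES (?, ?)",
                     [("Tanya", "my_password"), ("admin", "changeme")])
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable: user input is pasted straight into the SQL text."""
    query = ("SELECT * FROM user_table WHERE username = '%s' and password = '%s'"
             % (username, password))
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Fixed: placeholders keep the input as data, never as SQL."""
    return conn.execute(
        "SELECT * FROM user_table WHERE username = ? and password = ?",
        (username, password)).fetchall()


def demo():
    """Row counts for a valid login and for the injected password, per method."""
    conn = make_db()
    # Closes the string, appends OR 1=1, and comments out the trailing quote.
    injected = "x' OR 1=1 --"
    return {
        "valid/concat": len(login_concatenated(conn, "Tanya", "my_password")),
        "injected/concat": len(login_concatenated(conn, "Tanya", injected)),
        "valid/param": len(login_parameterized(conn, "Tanya", "my_password")),
        "injected/param": len(login_parameterized(conn, "Tanya", injected)),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows} row(s) returned")
```

With concatenation the injected password returns every row in the table, i.e. a login without a valid credential; the parameterized query returns none.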

Securing the DB
DB Structure and Files
 Control Files: hold the executable code needed for the proper functioning of the
database
 Log Files: audit trail
 Data Files: Actual blocks of data being stored
Authentication
 Oracle: When authenticating to an Oracle database, there are two methods that can
be used: operating system (OS) authentication and authentication via the password
file. When connecting remotely, a password file should be used unless the
connection is secure, in which case OS authentication can be used.
 MS SQL: Windows NT Authentication mode integrates with the OS and is considered
a trusted connection by the DB because it rides on top of the OS which relies on NT
Auth.
o Mixed Mode: Supports Windows NT Authentication and additionally SQL
Server Authentication for non-trusted connections (those not capable of
authenticating via the domain). This second method provides for backwards
compatibility, support for Windows 95/98 clients, and is required for Internet
connections.
 Users, Roles and Profiles: All used. Self-explanatory.
 Privileges: System vs. Object privileges:
o System: allow performance of a specific action with the db
o Object: allow access and manipulation of database objects
o When auditing, you should identify any users with special privileges such as
CREATE ROLE, ALTER USER, ALTER ANY ROLE, DROP USER, DROP
ANY ROLE, SELECT ANY TABLE, ALTER SYSTEM, CREATE
%PROCEDURE, CREATE%LIBRARY%, “%ANY%”, INSERT, DELETE,
UPDATE, ALL
Tools to use:
 Nmap: Check for appropriate ports
 Nessus: www.nessus.org contains plugins for Oracle, MS SQL and MySQL
 Retina: Contains built-in checks
 SQL Server Analyzer: From MS website

Links
Links are connections from one database to another
Link Types
 Private – only the owner can use
 Public – anyone can use
 Global – applies to all db when a names server is used

Links Specify
 Protocol
 Remote host
 DB name
 Account UID
 Account password

Considerations for Links


 Are private and public links used?
 What are considered valid business reasons to set up links?
 Are all links required and authorized for business purposes?
 Which user IDs are used to set up links?
 Do you use explicit logins for links?
 Are naming conventions used?
 What are the current policies, procedures, and processes for links?
 Are links allowed to be used in scripts? How is this process controlled?

Module 8: Putting it All Together

1. Determine areas of responsibility


 Define your address space scope that needs to be scanned
 Identify exceptions
 Interview system owners and administrators
 Determine network population – number of hosts

2. Research vulnerabilities and risks


 Understand Information Risk: Consider what you’re trying to protect. Define the
risk. Measure it. Quantify the impact or put it into terms that helps management
understand. If they care, you should care. Consider how you would attack the
network if you were on the outside.
 Research: Again, Google is your friend. Check out the Appendix for many
suggestions that may be useful for your research.
o Security Focus mailing lists
o Google
o CVE
o SANS Top 20
o CIS
 Prioritize list of vulnerabilities: including historical exploits, current ones, and
Trojan programs

3. Secure the perimeter


 Manual Review: Sitting at the router or have someone else dump the config file for
the router
 Interviews: With the network admins

4. Secure the DMZ

 Map Hosts in the DMZ: Scan them ruthlessly. If you can drop a host by scanning, so
can an attacker.
 Allow NO EXTRA:
o Ports
o Services
o Applications

5. Eliminate externally accessible vulnerabilities


 Map, target, and shore up externally accessible services/applications using scanners,
research, and specialized tools

6. Eliminate internally accessible vulnerabilities


 Map, target, and shore up internally accessible services/applications using scanners,
research, and specialized tools

7. Search for Trojan horse programs


 List of common Trojan ports: www.doshelp.com
 Methods:
o Measure nmap against ports listed on www.doshelp.com
o Use Nessus and the backdoors plugin family

Day 4: Auditing Web Servers & Applications


Sunday, April 10, 2005 Instructor: John Green

Module 1: Web Concepts

Hidden Content
Purpose: Determine if sensitive system information is revealed to clients. The impact is
usually limited to exposure, not the vulnerability, and allows the hacker to focus their
attack by eliminating branches from their attack tree. The controls in this case are
sanitized HTML and client side code and correctly configured web servers.
 Examples of hidden content:
o HTTP headers: Check out Netcraft’s website at www.netcraft.com; Can also
get this from nmap, most scanners, telnet to port 80, and other methods
o Hidden messages in JavaScript: Can record information in Achilles or other
tools
o Look for:
 <!-- HTML comments
 // JavaScript comments
 HTTP Header information
 NAME=GENERATOR HTML meta tags
 Audit Technique: Automated mirroring of the website to your local hard drive for
later dissection and analysis
o HTTrack (free): www.httrack.com
o Website Extractor (free): www.esalesbiz.com/extra
o WebCopier (free): www.maximumsoft.com
o Wget (free): www.freshmeat.net/projects/wget
o BlackWidow (commercial): supports HTTP, SSL, FTP;
www.softbytelabs.com
o Other tools

Encryption
Again, SSL and TLS do not protect the web application. They do mitigate or eliminate
eavesdropping, hijacking, web spoofing (with web server certificates), and provide client
authentication (with client certificates).
 SSL: Secure Socket Layer
 TLS: Transport Layer Security
 Audit Objective: Determine if the web server is using encryption appropriately
 Controls: Presence of encryption; strength of encryption (use of strong ciphers)
Discovery Methods
 Netcraft: www.netcraft.com
 Open SSL: If you can connect to the target web server using either one of these
commands, then it proves that the target web server is using a weak or null cipher:

o openssl s_client -connect target:port -ssl2 -cipher 'LOW:NULL:aNULL:EXPORT'
o openssl s_client -connect target:port -ssl3 -cipher 'LOW:NULL:aNULL:EXPORT'
 Ethereal and other network traffic tools capable of recording and breaking down the
SSL session handshake. This information is passed along to the client during the
handshake to let the client know what ciphers the web server supports.
Considerations for Encryption
 Verify all pages displaying sensitive data are sent using encryption
 Verify all pages requesting sensitive data are sent using encryption
 Perform cipher inventory and compare with company policies and current best
practices
References
 SSL v3: http://wp.netscape.com/eng/ssl3
 TLS: http://www.ietf.org/html.charter/tls-charter.html
 Open SSL Project: http://www.openssl.org
 Crypto Law Survey: Information about crypto laws in other countries around the
world; http://rechten.uvt.nl/koops/cryptolaw
 Digital Signature Law Survey: http://rechten.uvt.nl/simone/DS-LAWSU.htm

Sensitive Output
Purpose: Determine if sensitive output from web application/server is protected in transit
and on the client (not always possible – depends on client setup)
 Controls:
o Encryption: Covered in previous section
o Anti-Caching
 Caching occurs in two places: the browser (local to the client) and
the proxy
 Truth is that with forensic tools most of the data a user views can be
recovered with standard browser configurations. This is beyond the
scope of this course. See Hacking Exposed: Computer Forensics or
other technical forensic-related books for detailed information on
recovering this kind of data.
 Real risk depends on the organization

Session Tracking
HTTP is a stateless protocol and does not persist as a continuous connection. A session
is a unique instance of a specific user interacting with a web application. The Session
Identifier is originally determined and sent over by the server, and given to the client
before, during, or immediately after authentication. Not all session IDs require
authentication; Yahoo, other search engines, and other sites issue them without it. Afterwards, for
each request, the client sends the ID back to the server so the server can track the
client’s interaction with the web server. This is a means of identifying the user.
Basic Components of Session Tracking
 Session ID: The unique identifier used (e.g. SID=2uy234tyu23t5%2332%23)
 Session Tracking Mechanism: How the session ID is embedded into the client/server
traffic (e.g. cookie or URL embedded)

Session Tracking Methods


 URL Re-writing: Server places session ID into URLs
 Cookies: Stored on the client
 HTTP Basic Auth: User credentials persist in the browser memory; user name and
password encoded into the HTTP header of every client request; not encrypted
o Easily decoded: E.g. this website will automatically decode base64-encoded
strings: www.securitystats.com/tools/base64.asp
o After using wget or other similar tool to clone, index, or walk the site, look for
any string that ends in “=” (equal sign without the quotes). There’s a good
chance that the information is base64 encoded.
Session Tracking Controls
 Robust Session IDs should be:
o Random
o Not related to user information
o Large size (not easily brute forced)
o Perishable (has expiration)
o Sent over secure mechanism
o Tamper prevention and detection
 Can be accomplished with checksums stored on the server
 Secure session tracking mechanisms should:
o Cookies containing session IDs:
 Cookie with proper parameters set
 Non-persistent (not stored on the hard drive if possible)
 Reasonably limited in their Path and Domain
 Optionally digitally signed to prevent and detect tampering (integrity
violation)
o Basic Authentication:
 Credentials should always be sent with SSL or other encryption
 Consider one-time-passwords (OTP) if the application is highly
critical. This isn’t always practical, and if the application is that
critical, there should be another method used for authentication.
 See audit checklist for Sign-on and Sign-off
o URL Re-Writing (Embedded Session IDs)
 Credentials should always be sent with SSL or other encryption
 Should not be appended to URLs sent to 3rd party sites
 Server logs should be secured from unauthorized access, or the
session information shouldn’t be stored at all
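
Added example (not from the course notes): a Python session store that implements the session ID controls listed above: random, large, unrelated to the user, perishable, and tamper-evident through a keyed checksum (HMAC) held on the server, plus the cookie attributes for a non-persistent, TLS-only, path-limited cookie. Class and function names, the key size and the TTL are this example's own choices.

```python
"""Session ID handling that meets the listed controls: random, large,
unrelated to the user, perishable, and tamper-evident through a server-side
keyed checksum. Names, sizes and cookie attributes are this example's own."""
import hashlib
import hmac
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds=900, key=None):
        self.ttl = ttl_seconds
        self.key = key or secrets.token_bytes(32)  # server secret, never sent out
        self._sessions = {}  # sid -> (username, expires_at)

    def _checksum(self, sid):
        # Keyed checksum: a client cannot forge it without the server key.
        return hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()

    def create(self, username, now=None):
        """Issue a token for a freshly authenticated user."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 random bits, no user data inside
        self._sessions[sid] = (username, now + self.ttl)
        return f"{sid}.{self._checksum(sid)}"

    def lookup(self, token, now=None):
        """Return the username for a valid token, else None."""
        now = time.time() if now is None else now
        sid, sep, tag = token.rpartition(".")
        if not sep or not hmac.compare_digest(tag.encode(),
                                              self._checksum(sid).encode()):
            return None  # forged or tampered with
        record = self._sessions.get(sid)
        if record is None:
            return None  # unknown, or already signed off
        username, expires_at = record
        if now >= expires_at:
            del self._sessions[sid]
            return None  # perished
        return username

    def destroy(self, token):
        """Sign-off: drop the server-side record so the token is dead."""
        self._sessions.pop(token.rpartition(".")[0], None)


def set_cookie_header(token, path="/app"):
    """Non-persistent (no Expires/Max-Age), TLS-only, path-limited cookie."""
    return f"Set-Cookie: SID={token}; Path={path}; Secure; HttpOnly"


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    token = store.create("tanya")
    print(set_cookie_header(token))
    print("lookup:", store.lookup(token))
    print("tampered:", store.lookup("x" + token))
```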
ASP.NET: Decoding View State Data
 Automated View State Decoder:
http://staff.develop.com/onion/tools/viewstatedecoder.zip
o This utility lets you decode the hidden viewstate field on any .aspx page to
view the contents in a tree view, as raw text, or as parsed
 Manual Dissection Method: The view state is placed into a hidden form element
called _VIEWSTATE. Use your browser's "View Page Source" feature (View | Source)
and copy the information into the Automated View State Decoder Tool. Click Decode
and view the decoded data on the right.

Sign-On & Sign-Off from the Web Server


The process by which a user initially authenticates to a web site. Session IDs
re-authenticate the user thereafter.
Authentication Methods Overview
Purpose: Determine if authentication mechanism is secure
Controls: Proper implementation, encryption, and strong credentials
Common Authentication Methods
 Client Certificates
o Strengths: Uses x.509 format; very secure; provides non-repudiation,
confidentiality, mutual authentication
o Weaknesses: Limited mobility; high administration costs
o Best Practices: Use for extremely high security needs; can use hardware
token containing the certificate for greater mobility
o Audit Checklist:
 Ensure all web-based certificate support systems are audited
 Test revoking certificate to make sure access privileges are removed
 Form-Based Authentication
o Strengths: Easy to implement; good balance between security and user
friendliness
o Weaknesses: Brute force capable (not so good); misconfigurations can
expose credentials; same weaknesses as username and password (i.e.
same equivalent security); not encrypted by default (requires attention to the
configuration)
o Best Practices: Use HTTP POST to submit user credentials; submit user
credentials with SSL or other encryption; use TYPE=PASSWORD for password
fields; consider using tokens
o Audit Checklist:
 Ensure form method is POST and is encrypted
 HTTP Basic Authentication
o Strengths: Very easy to implement
o Weaknesses: Not easily cleared from browser; not encrypted; trivial to brute
force; acts like session ID in that it confuses long-term secret with short-term
secret
o Best Practices: Encrypt all traffic during and after authentication because
credentials are sent with every request.
o Audit Checklist:
 Ensure all requests with credentials are encrypted
Sign-On Security Issues
 Warning Banners
o Should exist; best practice; best chance to establish that potential hackers know
corporate policies
 User Name Harvesting

o Used to feed brute force engines
o Results in compromise or DoS for determined hackers
o Retrieved from reading failed login responses and looking for messages
similar to
 “Your attempt to login failed because you entered an incorrect
password. Please enter the correct password…”
 Brute Force Password Guessing
o Should provide limited number of password attempts for each user name.
Accounts should be locked out after a set number of attempts
 Automated Account Lock-Outs
o Can be good – can be bad, as this allows an attacker to lockout several
accounts quickly using automated tools
o Speed Bump Lockout Technique: Web application inserts a short delay
(e.g. 30 seconds) between logon attempts. This can be an incremented
counter that starts at 10 seconds, and adds 10 seconds to each successive
try, making brute forcing impractical.
 First incorrect attempt: 10 seconds wait
 Second incorrect attempt: 20 seconds wait
 Third incorrect attempt: 30 seconds wait
 Etc…
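
Added example (not from the course notes): the Speed Bump Lockout above as a small per-account throttle in Python, paired with a non-revealing login response. The injectable clock is the example's own testing hook.

```python
"""Speed Bump Lockout as a per-account throttle: the wait grows by 10 seconds
per failed attempt, resets on success, and the login response never says why
it failed. The clock parameter is this example's own hook for testing."""
import time


class SpeedBumpLockout:
    def __init__(self, step_seconds=10, clock=time.time):
        self.step = step_seconds
        self.clock = clock
        self._state = {}  # username -> (failures, not_before)

    def wait_remaining(self, username):
        """Seconds the caller must still wait before another attempt counts."""
        _, not_before = self._state.get(username, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, username):
        failures = self._state.get(username, (0, 0.0))[0] + 1
        delay = failures * self.step  # 10 s, 20 s, 30 s, ...
        self._state[username] = (failures, self.clock() + delay)
        return delay

    def record_success(self, username):
        self._state.pop(username, None)  # a real login clears the bump


def attempt_login(lockout, username, password, verify):
    """Attempts made during the wait are refused without checking the password,
    and the failure message is the same in every case (no user name harvesting)."""
    if lockout.wait_remaining(username) > 0:
        return (False, "Login failed")
    if verify(username, password):
        lockout.record_success(username)
        return (True, "Welcome")
    lockout.record_failure(username)
    return (False, "Login failed")


class ManualClock:
    """Settable clock so the delays can be stepped through without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = ManualClock()
    lockout = SpeedBumpLockout(clock=clock)
    check = lambda u, p: (u, p) == ("tanya", "my_password")  # constructed credential
    for attempt in range(3):
        print(attempt_login(lockout, "tanya", "guess", check),
              "wait:", lockout.wait_remaining("tanya"))
        clock.t += lockout.wait_remaining("tanya")
```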
Audit Checklist for Sign-On
 Legally approved warning banner
 Non-revealing error messages used for incorrect log-ins
 All credential traffic encrypted
 Lockout mechanism used to prevent brute forcing
 Lockout not directly vulnerable to DoS (i.e. using Speed Bump Lockout)
 Inactivity timeouts for sign-on process to kill half-open sessions
 Robust passwords enforced by the application
Audit Checklist for Sign-Off
 Make sure sign-off is used (to clear sessions)
 Make sign-off button or text extremely visible on every page in the active session
 Use anti-caching techniques in the sign-off page
 Force automatic sign-off from session inactivity

Action Forms
Purpose: The primary focus of this section is to ensure the security of sensitive data
submitted via HTML forms. In general, the ACTION method should be POST, not GET.
Controls: Encryption and ACTION method of POST
• GET method is dangerous in that it exposes user parameter values in:
o User web browser history file
o Web server logs
o Other websites through the HTTP Referrer field

Module 2: Auditing Web Servers


This section is much shorter and much less complex than auditing web applications,
covered in the next section. This is because there are more web applications from more
vendors than there are web servers.

High-Level Audit Checklist

• Review company policies, procedures, guidelines, standards
• Review industry best-practices
• Audit OS separately
o Using methods previously covered
o Review patching process
• Audit web server
o Using methods previously covered
o Using web server tools mentioned in this section
o Look for default material and directories capable of being indexed
• Audit web applications and third-party add-ons

Researching Possible Vulnerabilities


Please see Appendix A for a complete list of research options.
Vendor Specific Resources
• Microsoft: http://www.microsoft.com/technet/security/default.mspx
o Install and Configuration Checklists:
http://www.microsoft.com/security/guidance/prodtech/iis.mspx
o IIS 5.0 Baseline Security:
http://www.microsoft.com/technet/security/chklist/iis5cl.mspx
o Securing IIS 5.0:
http://www.microsoft.com/technet/security/chklist/iis5chk.mspx
• iPlanet: http://developers.sun.com/techtopics/security/index.html
• Apache: http://httpd.apache.org/docs/misc/security_tips.html
o Load testing Apache: Flood: http://httpd.apache.org/test/flood
General Resources
• Center for Information Security: www.cisecurity.org
• SANS Server Policy: www.sans.org/resources/policies/server_security_policy.pdf
• NSA/CSS Infosec: www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1

Notes on IIS 5
Quick IIS 5.0 Checklist
1. Set ACLs on virtual directories
2. Set ACLs on log files
3. Enable logging
4. Disable (better to remove) sample applications
5. Remove IISADMPWD virtual directory
6. Remove unused script mappings
7. More complete checklist → See above on researching possible vulnerabilities


IIS 5.0 Specific Tools


• URLScan: Screens all incoming requests to the web server before the web server
processes the requests, filtering out inappropriate requests at the source before
they can crash the web server
o www.microsoft.com/technet/security/tools/urlscan.mspx
• IIS Lockdown Tool: Turns off unnecessary features and provides security setting
templates for the major IIS-dependent MS products (MS Project Server, SharePoint,
etc.)
o www.microsoft.com/technet/security/tools/locktool.mspx
• MBSA (MS Baseline Security Analyzer): Looks for common misconfigurations;
somewhat makes HFNetChk obsolete
o www.microsoft.com/technet/security/tools/mbsahome.mspx

Module 3: Auditing Web Applications

Web Primer
HTML vs. HTTP
• HTML is shuttled back and forth across the Internet via HTTP.
o HTTP – HyperText Transfer Protocol
- Browsers and web servers speak HTTP. Client requests are HTTP,
and server responses are HTML wrapped in HTTP
- Content-Length; GET vs. POST; Referrer fields
- Just text; Client can view, analyze, modify all HTTP; User input
separated by ampersand (&); Cookies are just HTTP headers
- See www.asciitable.com for list of common encodes used (e.g. %3D
for Equal Sign (=))
o HTML – HyperText Markup Language
- Forms and form elements
- Comments; Client-side input restrictors
- Just text; not case-sensitive; quotes usually optional; “Hidden” isn’t
hidden
SSL / TLS
• Secure Sockets Layer ver.3.0 = Transport Layer Security ver.1.0.
• Only encrypts traffic; does not protect the contents on the web server. SSL does not
protect web applications, only the conversation.
GET vs. POST
Both work, and both have their own potential security issues.
• GET: user input is within the URL requested. E.g. a Yahoo.com search.
• POST: user input is within the body of the request. E.g. an Amazon.com search.
Cookies
Cookies are a general mechanism that a web server can use to store and retrieve
information on the client (web browser), consisting of small amounts of text transmitted in
special HTTP headers
• Cookie Parts:
1. Name: Cookie identifier

2. Domain: Range of hosts where the browser is permitted to transmit the cookie
3. Path: Range of URLs where the browser is permitted to transmit the cookie
4. Expires: When browser must no longer store the cookie
5. Secure: Use SSL or not
6. Data: Can be anything, arbitrary strings of text
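Because HTTP is just text, the primer's points (Content-Length, percent encoding such as %3D, cookies as plain headers with the parts listed above) can all be checked with a few lines of parsing. The Python below is an added example, not part of the course material: it splits a constructed HTTP response into status line, headers and body, breaks each Set-Cookie header into the six parts, decodes percent-encoded values, and reports the things an auditor would note (a cookie without the Secure attribute on a TLS site, a cookie scoped to a whole domain). The response text, host names and function names are all constructed for the example.

```python
from urllib.parse import unquote

# Constructed HTTP response, not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 5\r\n"
    "Set-Cookie: SESSIONID=a1b2c3d4; Domain=.shop.example; Path=/; Secure\r\n"
    "Set-Cookie: prefs=lang%3Den%26currency%3Dusd; Path=/account; "
    "Expires=Wed, 13 Apr 2005 10:00:00 GMT\r\n"
    "\r\n"
    "hello"
)


def split_response(raw: str):
    """HTTP is just text: status line, header lines, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def parse_set_cookie(value: str) -> dict:
    """Break a Set-Cookie header into the parts listed in the notes."""
    parts = [p.strip() for p in value.split(";")]
    name, _, raw_value = parts[0].partition("=")
    cookie = {"name": name, "value": unquote(raw_value), "domain": None,
              "path": None, "expires": None, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key in ("domain", "path", "expires"):
            cookie[key] = val.strip()
    return cookie


def audit_response(raw: str, over_tls: bool = True):
    """Returns (cookies, findings, content_length_ok) for an auditor's review."""
    _status, headers, body = split_response(raw)
    cookies = [parse_set_cookie(v) for n, v in headers if n == "set-cookie"]
    findings = []
    for c in cookies:
        if over_tls and not c["secure"]:
            findings.append(f"{c['name']}: no Secure attribute, browser may also send it over plain HTTP")
        if c["domain"] and c["domain"].startswith("."):
            findings.append(f"{c['name']}: Domain={c['domain']} is sent to every host under that domain")
    declared = dict(headers).get("content-length")
    content_length_ok = declared is not None and int(declared) == len(body.encode("utf-8"))
    return cookies, findings, content_length_ok
```

Run `audit_response(SAMPLE_RESPONSE)` against a response captured with one of the proxies listed later in this module; the same parsing works on any response because nothing in it depends on the site.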

Techniques for Auditing Web Applications


Web Server Security Scanning
Purpose: Look for misconfigurations and known issues for the specific web server
• Nessus: www.nessus.org
• GFI LANguard: www.gfi.com/lannetscan
• NeXpose: www.rapid7.com
• Qualys: www.qualys.com
• Platform specific tools previously discussed
CGI Scanning
Purpose: Looks for default material or CGI/ASP/JSP/etc. with known security issues by
rapidly requesting multiple URLs and reading the responses
• N-Stealth: www.nstalker.com/nstealth
• Multiple at: www.packetstormsecurity.org/UNIX/cgi-scanners/indexdate.shtml
Brute Force Authentication
Purpose: Locate default, common, or weak username and password combinations
• Brutus: www.hoobie.net/brutus/index/html
Traffic / Protocol Analysis
Purpose: To record or view HTTP and HTML in order to analyze for various security
issues by capturing traffic and analyzing it
Traffic Interception & Manipulation
Purpose: Submit unexpected input in an effort to make the web server choke; record
traffic; insert alternate choices into lists and pull down menus
• Achilles: www.achilles.mavensecurity.com
• Odysseus: www.wastelands.gen.nz/index.php?page=odysseus

Common Tools of the Trade

• N-Stealth: www.nstalker.com/nstealth
• Brutus: www.hoobie.net/brutus/index/html
• Achilles: www.achilles.mavensecurity.com
• IE Booster: Easy way to see and change hidden form elements;
www.freewareweb.com/cgi-bin/archive.cgi?ID=1594
• Screaming Cobra: Uses Perl; crawls websites looking for ACTION statements (i.e.
forms); Attacks each form element found by sending garbage as text inside the form
element value; www.cobra.lucidx.com
• Stunnel: Adds SSL support for other tools; Acts as a proxy that will wrap any
inbound traffic in SSL and forward to the IP address and TCP port you specify; not
limited to only CGI scanner support; multiple uses; www.stunnel.org
• Web Sleuth: version 1.36 is free; www.sandsprite.com/sleuth/download.html


• Web Scarab: from OWASP; work in progress; excellent freeware tool; should look
around OWASP as well; www.owasp.org/software/webscarab.html
• Spike Proxy: www.immunitysec.com/resources-freesoftware.shtml
• Paros: www.proofsecure.com
• Burp Proxy: www.portswigger.net/proxy
• WebProxy by @stake: (commercial product) www.atstake.com/products/webproxy

Module 4: User Input Testing

Malicious Input
Purpose: Ensure the application properly handles malformed (unexpected) user input so
that the server doesn’t fail or reveal information.
Controls: Server-side filtering of user input (size, type of content or characters allowed)
• Depending on what’s being changed and why (potential impact), testing user input is
known by names such as: Hidden Field Manipulation, Stealth Commanding, Buffer Overflows
• User inputs to attempt manipulating if possible:
o All form elements
o All cookies
o Session IDs
o HTTP headers used by site/application
User Input Testing Tools
• Screaming Cobra: www.cobra.lucidx.com
• Web Sleuth: www.geocities.com/dzzie/sleuth
• Spike Proxy: www.immunitysec.com/resources-freesoftware.shtml
• Nessus Plugins
Suggested Controls:
• Filter everything from the user’s browser that is used by the server!
User Input Audit Recommendations:
• Test every form element, recording permutations and output
• Test HTTP headers, recording permutations and output
• Record verbose messages produced from form element testing
• Record verbose messages produced from HTTP header testing
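"Filter everything from the user's browser that is used by the server" is the control the audit recommendations above test for. The Python below is an added example of that control, not code from the course: an allowlist that covers form elements, cookies and HTTP headers (the four input classes listed under Malicious Input, with the session ID checked as a cookie), enforcing size first, then the characters and length allowed, then a value-range check. The field names, patterns and limits are constructed for a hypothetical order form. A hidden field the server did not expect (a price posted back by the browser) is rejected outright, which is the server-side answer to hidden field manipulation.

```python
import re

# Constructed allowlist for a hypothetical order form; field names are assumptions.
# Key is "<source>:<name>"; value is (regex the whole value must match, optional extra check).
RULES = {
    "form:username":     (re.compile(r"\A[A-Za-z0-9_.-]{1,32}\Z"), None),
    "form:quantity":     (re.compile(r"\A[0-9]{1,4}\Z"), lambda v: 1 <= int(v) <= 1000),
    "form:comment":      (re.compile(r"\A[\w .,!?'-]{0,500}\Z"), None),
    "cookie:session":    (re.compile(r"\A[0-9a-f]{32}\Z"), None),
    "header:user-agent": (re.compile(r"\A[\x20-\x7e]{1,256}\Z"), None),
}
MAX_RAW_LENGTH = 2048   # hard size cap applied before any pattern is examined


def check_value(source: str, name: str, value: str):
    """Returns None when the value is acceptable, otherwise a short reason."""
    key = f"{source}:{name.lower()}"
    if len(value) > MAX_RAW_LENGTH:
        return "too long"
    rule = RULES.get(key)
    if rule is None:
        # Anything the server would act on must be listed; unknown input is dropped,
        # so a hidden "price" field sent back by the browser is never trusted.
        return "not an expected input"
    pattern, extra = rule
    if not pattern.match(value):
        return "characters or length outside allowlist"
    if extra is not None and not extra(value):
        return "value out of range"
    return None


def filter_request(form: dict, cookies: dict, headers: dict):
    """Checks every form element, cookie and header the application uses.
    Returns (accepted values, rejections) so the caller can refuse the request."""
    accepted, rejections = {}, []
    for source, items in (("form", form), ("cookie", cookies), ("header", headers)):
        for name, value in items.items():
            reason = check_value(source, name, value)
            if reason is None:
                accepted[f"{source}:{name.lower()}"] = value
            else:
                rejections.append((source, name, reason))
    return accepted, rejections


if __name__ == "__main__":
    # Constructed request with a tampered quantity, a forged hidden field and a
    # header carrying a line break; every one of them is rejected.
    print(filter_request({"username": "jdoe", "quantity": "-1", "price": "0.01"},
                         {"session": "abc"},
                         {"User-Agent": "x\r\nX-Injected: 1"}))
```

The design choice worth noting is that the check is an allowlist keyed by input source and name: a denylist of bad characters would have to anticipate every encoding, whereas here anything not explicitly described is refused.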

XSS: Cross Site Scripting


Purpose: Detect Cross Site Scripting (XSS). Cross site scripting is when a web server or
application displays the user’s input within a web page. This can happen temporarily, like
in dynamically generated pages showing search results, or permanently in pages such as
newsgroups and message boards.
• Two methods:
o URL Insertion: Temporarily displayed dynamic pages; E.g. “Searched the
web for ‘Fraggles’. Results 1-10 of about 45,000”
o Page Embedded: Stored and displayed; E.g. newsgroup or message board


Auditing XSS
• Scan with updated CGI scanner to test for known XSS exploits
• Attempt finding an error that will embed data from the URL into the HTML code
and display user input. E.g. JavaScript embedded in URL
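The search-results page quoted above is the classic URL-insertion case: the query is copied into the HTML. The Python below is an added example, not from the course, showing the vulnerable rendering next to the corrected one, plus the check an auditor applies (does the response contain the submitted markup unchanged?). The page template and function names are constructed. The corrected version encodes the same input twice, once for the HTML text context and once for the URL context of a "Next" link, because each context has its own encoding rules.

```python
import html
from urllib.parse import quote


def render_results_vulnerable(query: str, hits: int) -> str:
    """The pattern an auditor looks for: user input copied straight into HTML."""
    return f"<p>Searched the web for '{query}'. Results 1-10 of about {hits:,}</p>"


def render_results_safe(query: str, hits: int) -> str:
    """Same page with the input encoded for the HTML text context, plus a link whose
    query is percent-encoded for the URL context."""
    safe_text = html.escape(query, quote=True)   # < > & " ' become entities
    safe_url = quote(query, safe="")              # every reserved character becomes %XX
    return (f"<p>Searched the web for '{safe_text}'. Results 1-10 of about {hits:,}</p>"
            f'<a href="/search?q={safe_url}&amp;start=10">Next</a>')


def reflects_markup(page: str, probe: str) -> bool:
    """Audit check: is the submitted markup present in the response exactly as sent?"""
    return probe in page


if __name__ == "__main__":
    probe = "<script>alert('xss')</script>"      # constructed probe string
    print(reflects_markup(render_results_vulnerable(probe, 45000), probe))   # True
    print(reflects_markup(render_results_safe(probe, 45000), probe))         # False
    print(render_results_safe("Fraggles", 45000))
```

The fix lives in the response, not in the request: an input filter such as the one under Malicious Input narrows what gets in, but output encoding is what guarantees the browser treats the reflected text as data rather than markup.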


Day 5: Auditing Windows


Monday, April 11, 2005 Instructor: John Green

Module 1: Windows Auditing Introduction

The topics covered in this section are intended to focus on auditing, not necessarily
securing Windows machines. Some things here apply to NT, but overall, Windows NT
should be considered a security risk. Topics covered here include:
• Basic System Information
• Running Necessary Components and Services
• Users, Groups, and Passwords
• Protecting Data
• Operating System and Application Security
• Auditing and Logging
• Ongoing Monitoring

Tools Available
OS Tools
• Local Security Policy / Group Policy
• SCAT (Security Configuration and Analysis)
• Support Tools
• Windows Resource Kit
• Event Viewer
• Registry Viewer
• Many More
Third Party Tools
• Sysinternals
• Foundstone
• DiamondCS
• Somarsoft
• Cygwin
• UnxUtils
• Many More

Remember
1. Baseline your systems. There are many tools we’ll discuss here that give text-
based outputs that will baseline your systems for you.
2. Policies pushed from AD affect the security of your clients. Client security is
impacted by domain settings.
3. Resultant set of policies is your effective policy set. You must consider the whole,
sum of the parts, and not just the individual host. Trusts, domain admins, and
other users may affect the security perimeter and subsequent attack surface of
the host.
4. Non-technical issues to think about include:
a. Appropriate separation of duties
b. Principle of least privilege
c. New account setup
d. Password management and change
e. Backup policies


f. Configuration change management

Research
Many sites exist containing checklists and white papers for securing Windows machines
• Microsoft: www.microsoft.com/technet/security/default.mspx
o Checklists, security guides, services information, certified configurations,
much more
• US NSA (National Security Agency): www.nsa.gov/snac/index.cfm
• US NIST (National Institute of Standards and Technology): www.csrc.nist.gov
• DISA (Defense Information Systems Agency): restricted to .mil only; www.disa.mil

Module 2: Windows System Information

Purpose: Identify basic information about the host including OS type, OS version, system
information, hardware information, and partition information.

Tools to Identify Windows System Information


Built-in Command Line Tools
• ver: Lists Windows OS version information
• systeminfo: Great short listing of the system information
GUI Windows Tools
• msinfo32: GUI based interface; can export lengthy report into text file
Third-Party Tools (mostly command line)
• psinfo: One of many Sysinternals tools.
o Try running psinfo -h -s -d > psinfo<host_name>.txt
o Here’s a sample output run without the recommended switches listed above:
System information for \\BETAFISHTWO:
Uptime: 0 days 2 hours 8 minutes 54 seconds
Kernel version: Microsoft Windows XP, Uniprocessor Free
Product type: Professional
Product version: 5.1
Service pack: 2
Kernel build number: 2600
Registered organization: Texas Instruments, Inc
Registered owner: TI User
Install date: 5/30/2003, 11:50:04 AM
Activation status: Activated
IE version: 6.0000
System root: C:\WINDOWS
Processors: 1
Processor speed: 1.4 GHz
Processor type: Intel(R) Pentium(R) M processor
Physical memory: 512 MB
Video driver: MOBILITY RADEON 9000
• Many others. See Appendix B for listing.


System Patches and Updates


Again, several tools are available
• hfnetchk / qfecheck
• MBSA (Microsoft’s Baseline Security Analyzer)
• Patch Management Tools: SUS / WUS / SMS; other third-party tools
Types of Windows Patches
• Service Packs: Major updates that roll up previous security and non-security
patches; may include new features
• Hotfixes or Critical Updates: fix for single critical issue affecting security or system
stability
• QFE fixes: Interim fix for a single, specific issue; usually available only from MS
support
Soft Issues: Policy and Procedure Checks
1. What’s the change control policy? How much testing is done prior to deploying
patches?
2. How is scheduled maintenance performed? Is it regular? How often? How’s it
communicated to server admins? Users?
3. What’s the compliance policy? Is the host compliant with the latest recommended
or required fixes and patches?
4. What is the exception policy? When is it OK not to patch?

Module 3: Windows Necessary Components and Services

Purpose: Only necessary components and services should be running on the host.

Tools to Identify Windows Components and Services


• MMC: Start → Run → MMC | Load computer management snap-in
• tasklist: Built-in command line tool
• psservice.exe: Sysinternals tool
• fport: Foundstone tool
• OpenPorts: DiamondCS Tool; www.diamondcd.com.au
• nmap: Thanks to Fyodor
• SuperScan: Foundstone tool
• Port Reporter (PR): Free from MS; messy output by itself and requires PR Parser to
read the data and help make it readable. PR runs as a service and monitors all port
related activity.

Module 4: Windows Users, Groups, and Passwords


Purpose: Only valid users should have access to the host and they should use strong
passwords.

Auditing Valid Users

• Should have authorized users only


• Look for orphaned user accounts for users that have left the organization or that
are not using a valid account (e.g. has not been logged into for >30 days, >60
days).
• Audit use of special accounts such as Administrator or Guest
• Audit use of Built-in accounts
User Tools include
• net user: Lists the user accounts on a system
• addusers: Windows Resource Kit tool; allows you to dump a list of users, local
groups, global groups, and group memberships from a local computer or domain.
Run this with switches like this:
addusers \\hostname /d <file_name>
• rasusers: Lists all users that have remote access permissions
• DumpSec: Somarsoft tool; formerly DumpACL
Group Tools Include
• net group: Also net localgroup
• findgrp: ResKit Tool; lists all groups of which a given domain user is a member,
including indirect memberships. Very useful tool for tracing user memberships. User
must be a domain user.
• showgrps: ResKit Tool; lists all groups of which a given user is a member, including
indirect memberships. Very useful tool for tracing user memberships. Designed for
use on the local host.
• showmbrs: ResKit Tool; lists all members of a specific group

Password Considerations
• Should have a password
• Regular password changes enforced
• Strong passwords used and enforced through:
o Logical Controls: E.g. Server forces user to use strong passwords
o Process: E.g. Method by which passwords are issued, especially if
automated
o Policy: E.g. Windows Server Policy
• Good encryption used to store passwords; syskey; LM turned off
• No blank passwords
• Passwords should have age restrictions (expire)
• Passwords should lock out after x number of invalid logon attempts
Password Tools Include
• net accounts: listing of basic password policy settings
• DumpSec: Somarsoft tool; formerly DumpACL; dumps password policy, audit policy,
and trust information from local or remote host
• L0phtCrack: Symantec bought @stake; LC now at version 5 (LC5)
• John the Ripper: Openwall’s Tool; http://www.openwall.com/john
• pwdump: May be needed to dump the SAM to feed into John
• MBSA: MS’s tool checks for a few really, really dumb passwords.


Module 5: Windows Data Protection


Purpose: Enforce least privilege and need to know in an effort to control access to
objects and control the actions that users can perform.
Data at Rest: Data on the system
Rights: Also called privileges, are specific tasks that can be carried out on the
system; E.g. logon locally, load drivers, shut down
Permissions: Access controls; read, add, modify, execute, delete, change
Grant: allow
Deny: forbid – overrides Grant

AGULP: Accounts to Permissions

o Accounts (placed in) →
o Global groups (Domain level) (placed in) →
o Universal groups (Forest level) (placed in) →
o Local groups (Host level) (and given explicit) →
o Permissions
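The AGULP chain means a user's effective access to an object is only visible after every nested membership has been followed (what findgrp and showgrps report as indirect memberships) and after Deny has been applied over Grant. The Python below is an added example of that resolution, not a tool from the course or from Windows: it walks a constructed directory (hypothetical domain DOM, forest FOREST and host HOST, with made-up account and group names) from accounts through global, universal and local groups to the permissions on one object.

```python
from collections import defaultdict

# Constructed directory; group -> direct members (user accounts or other groups).
MEMBERSHIP = {
    "DOM\\Engineering":     ["DOM\\alice", "DOM\\bob"],     # global group, domain level
    "FOREST\\AllEngineers": ["DOM\\Engineering"],           # universal group, forest level
    "HOST\\Developers":     ["FOREST\\AllEngineers"],       # local group, host level
    "HOST\\Contractors":    ["DOM\\bob"],                   # local group, host level
}
# Explicit permissions on one object, given only to local groups (the L and P of AGULP).
OBJECT_ACL = {
    "HOST\\Developers":  {"read": "grant", "write": "grant"},
    "HOST\\Contractors": {"write": "deny"},
}


def groups_of(principal: str, membership=MEMBERSHIP) -> set:
    """All groups the principal belongs to, directly or through nesting."""
    parents = defaultdict(set)
    for group, members in membership.items():
        for member in members:
            parents[member].add(group)
    found, todo = set(), [principal]
    while todo:
        for group in parents[todo.pop()]:
            if group not in found:
                found.add(group)
                todo.append(group)
    return found


def effective_permissions(user: str, acl=OBJECT_ACL, membership=MEMBERSHIP) -> set:
    """Union of grants from every group the user reaches, minus anything denied:
    Deny overrides Grant no matter which group carries it."""
    granted, denied = set(), set()
    for group in groups_of(user, membership):
        for permission, kind in acl.get(group, {}).items():
            (granted if kind == "grant" else denied).add(permission)
    return granted - denied


if __name__ == "__main__":
    for user in ("DOM\\alice", "DOM\\bob"):
        print(user, sorted(groups_of(user)), sorted(effective_permissions(user)))
```

Bob reaches the Developers group through three levels of nesting and would have read and write, but his direct membership in Contractors carries a Deny on write, so his effective set is read only. This is the kind of result that is invisible from `net user` alone and is why the notes recommend the group-tracing tools.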

Tools for Auditing Windows File Permissions


• cacls: included with the OS and can be used to view or set high-level permissions
(read, write, modify, full control)
• xcacls: ResKit Tool; similar to cacls; allows finer controls
• perms.exe: ResKit Tool; useful for determining the access that a given user or
group has to an object. Better suited to checking a few files or folders. There are
better tools for checking permissions across all files in a file system.
• AccessEnum: This is more suitable for generating a complete list of permissions for
a large number of objects; From Sysinternals.
• DumpSec: Can extract and provide a detailed report on the permissions assigned to
an entire file system. Additionally lists ownership information for files and directories.
• SFind.exe: Used to locate files with ADS (Alternate Data Streams – sometimes
used to hide data in parallel streams of the standard data)
• Audited.exe: Used to read the SACL (System Access Control List – contains
information about files or directories that have been marked for auditing)
• DACLchk.exe: Lists the ACLs (permissions) associated with a specific file or
directory, similar to cacls and xcacls. Additionally determines if ACLs are
processed in the correct order.

Tools for Auditing Windows Share Permissions

• ShareEnum: Free graphical utility from Sysinternals similar to AccessEnum for
identifying shares across multiple hosts. Information reported includes the share
name, local path to the share on the host, level of access for the “Everyone” group,
and read or write permissions for other groups.
• DumpSec: Lists shares on a local or remote system, including the permissions
assigned to those shares


• WinFingerprint: SourceForge project; General purpose Windows scanner; can do
network discovery, OS version, patch level, users, groups, services, shares, SNMP
queries, and much, much more; http://winfingerprint.sourceforge.net
• sysdiff: ResKit Tool; verifies file integrity
• wininterrogate: SourceForge project; General purpose tool that generates MD5 or
SHA1 hashes of files in a directory (recursively) for integrity checking; Project is
found on SourceForge here: http://winfingerprint.sourceforge.net
• MD5Sum: Creates MD5 hashes of files
• MD5deep: similar to MD5Sum; adds capability to do recursive hashing of files

Module 6: Windows Operating System and Application Security

Purpose: Ensure OS-specific vulnerabilities are addressed and security features are
enabled

Tools for Auditing Windows OS and Application Security


• MS SCAT: Microsoft’s built-in Security Configuration and Analysis Tool; found in the
MMC; comes with a multitude of templates; can create your own as needed or wanted; ini
files are easy to manipulate; Things to know:
o “ws” in the template name stands for workstation or server
o Can export settings and compare them to other systems
o Reports on differences from baseline template
o Can fix many of the issues deviating from the baseline template
• Group Policy Editor: Allows you to view and modify group policy settings; no built-in
auditing tool; can be used to create policies and settings for both computers and
users.
• General Scanners: MBSA; Nessus; eEye’s Retina; ISS Network Scanner; others

Tools for Finding Windows Rootkits

• RootkitRevealer: Sysinternals Tool; finds all rootkits listed on www.rootkit.org;
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
o More information from MS’s website about rootkits can be found here:
www.research.microsoft.com/rootkit

Module 7: Windows Auditing and Logging

Purpose: Ensure security logging is enabled and correctly configured


• Critical parameters of the Log Files: Size, Location, and Wrapping Options

Recommended Windows Auditing Settings

Audit account logon events       Success, Failure
Audit account management         Success, Failure
Audit directory service access   Not defined
Audit logon events               Failure
Audit object access              No auditing
Audit policy change              Success, Failure
Audit privilege use              Failure
Audit process tracking           No auditing
Audit system events              No auditing

Reviewing Windows Audit Logs


Logon/Logoff Events:
• Event ID:
Event ID: 528 ≡ Successful Logon
Event ID: 538 ≡ User Logoff
Event ID: 529 ≡ Bad user name or password
Event ID: 539 ≡ Account locked out
• Logon Type:
Logon Type: 2 ≡ Interactive
Logon Type: 3 ≡ Network
Logon Type: 4 ≡ Batch
Logon Type: 5 ≡ Service
Logon Type: 6 ≡ Proxy
Logon Type: 7 ≡ Unlock Workstation
• Look for the MS white paper titled “Monitoring and Auditing for End Systems” for
detailed explanations of logon events. See the section titled Monitoring Logons
http://www.microsoft.com/technet/security/bestprac/bpent/sec3/monito.mspx
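Once the security log has been exported to a tab-delimited file (the Event Viewer export or Dumpel described below), the event IDs and logon types above can be reviewed in bulk. The Python below is an added example, not from the course or from any Microsoft tool, that runs the review an auditor would do first: a burst of 529 (bad user name or password) events for one account from one workstation, a 528 (successful logon) that follows such a burst, and any 539 (account locked out). The column layout of the export and every line in it are constructed for the example and are not Event Viewer's own format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tab-delimited export (assumed layout, not Event Viewer's):
# date, time, event id, target user name, logon type, workstation.
SAMPLE_EXPORT = """\
04/11/2005\t08:00:01\t528\tjdoe\t2\tWS01
04/11/2005\t08:05:10\t529\tadministrator\t3\tWS09
04/11/2005\t08:05:11\t529\tadministrator\t3\tWS09
04/11/2005\t08:05:12\t529\tadministrator\t3\tWS09
04/11/2005\t08:05:13\t529\tadministrator\t3\tWS09
04/11/2005\t08:05:14\t529\tadministrator\t3\tWS09
04/11/2005\t08:05:20\t528\tadministrator\t3\tWS09
04/11/2005\t09:30:00\t529\tjdoe\t2\tWS01
04/11/2005\t09:31:00\t539\tbsmith\t3\tWS03
04/11/2005\t17:02:00\t538\tjdoe\t2\tWS01
"""

EVENT_NAMES = {528: "Successful Logon", 529: "Bad user name or password",
               538: "User Logoff", 539: "Account locked out"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               6: "Proxy", 7: "Unlock Workstation"}


def parse_export(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, event_id, user, logon_type, workstation = line.split("\t")
        events.append({
            "when": datetime.strptime(f"{date} {time_}", "%m/%d/%Y %H:%M:%S"),
            "id": int(event_id),
            "user": user.lower(),
            "logon_type": int(logon_type),
            "workstation": workstation,
        })
    return sorted(events, key=lambda e: e["when"])


def failure_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """(user, workstation, count, last failure) where >= threshold 529s fall in one window."""
    stamps_by_source = defaultdict(list)
    for e in events:
        if e["id"] == 529:
            stamps_by_source[(e["user"], e["workstation"])].append(e["when"])
    bursts = []
    for (user, ws), stamps in stamps_by_source.items():
        start, best = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((user, ws, best, stamps[-1]))
    return bursts


def review(text: str) -> dict:
    """Findings an auditor wants first: guessing bursts, a success right after one, lockouts."""
    events = parse_export(text)
    bursts = failure_bursts(events)
    success_after_burst = []
    for user, ws, _count, last_fail in bursts:
        if any(e["id"] == 528 and e["user"] == user and e["workstation"] == ws
               and e["when"] > last_fail for e in events):
            success_after_burst.append((user, ws))
    return {
        "bursts": [(u, w, c) for u, w, c, _ in bursts],
        "success_after_burst": success_after_burst,
        "lockouts": sorted({e["user"] for e in events if e["id"] == 539}),
        "logon_types_seen": sorted({LOGON_TYPES[e["logon_type"]]
                                    for e in events if e["id"] == 528}),
    }


if __name__ == "__main__":
    print(review(SAMPLE_EXPORT))
```

The threshold and window are deliberately parameters: the right values depend on the lockout policy found under `net accounts`, since a burst shorter than the lockout threshold never produces a 539 and would otherwise go unnoticed.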
Looking for Logons/Logoffs
• Event Viewer: Filter or sort using the event viewer. You can also right click and
export the information to a tab delimited text file.
• EventCombMT: Free from MS; Originally part of the security operations guide for
Windows 2000; parses event viewer logs from multiple servers; selectively search
and filter for specific events; write output to designated file/location; part of the
Account Lockout and Management Tools; Self extracting executable – unload into
directory of choice – eventcombMT.exe
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E
• Dumpel.exe: ResKit Tool; used to dump an event log into a tab-separated text file;
allows filtering for certain events; E.g. Event ID = 529 (bad user name or
password)
• Frank Heyne’s R529: details all failed logon attempts and uses simple pattern
recognition to distinguish user-error bad logons from actual attacks;
shareware version is good for four weeks and found here:
http://www.heysoft.de/Frames/f_sw_re_en.htm
• MS KB article 174073: “Auditing User Authentication” describes how to pre-compute
a list of users if you wanted to audit against that.
Looking for Account Management Changes:
• MS KB article 174073: “Auditing User Authentication” describes how to pre-compute
a list of users and SIDs using the addusers.exe and getsid.exe utilities from the
ResKit.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q174073
• Look for the MS white paper titled “Monitoring and Auditing for End Systems” for
explanations of specific events.
http://www.microsoft.com/technet/security/bestprac/bpent/sec3/monito.mspx


Object Access Auditing


• Can be helpful for internal auditing, but may generate a large number of log entries.
Judiciously use this auditing method on select files
o Helpful to use low-level permissions (granular permissions) to limit the
amount of logs generated. E.g. audit “read data” but not “read attributes”,
which is done more often.
• How it works:
o Windows checks the DACL (Discretionary ACL) to see if the user has the
requested permissions (read, execute, etc.).
o Windows checks the SACL (System ACL) for audit settings. It does this
regardless of the previous result, and then rolls through the following:
- Am I supposed to log access to the file? If YES, then…
- Am I supposed to log access for the USER or the GROUP?
- Am I supposed to log access for the requested access type?
- Am I supposed to log successful or failed attempts?
Log Management
• Ensure logs are cleared, rotated, and/or consolidated
• DumpEVT: From Somarsoft; www.somarsoft.com; most useful for high-level log
management for periodically dumping and clearing log files; remembers last dump so
subsequent dumps aren’t duplicated; doesn’t support filtering while dumping
• Psloglist: From Sysinternals; www.sysinternals.com; significant advantage over
DumpEVT in that it supports filtering, but disadvantage in some cases that it does not
remember the last dump and will dump everything in the log file every time
o Excellent for filtering log data as you extract it. Examples include Event ID
= 529 (failed logons)
• Syslog: Old UNIX method used to send event logs to a remote server, ported to
Windows with Kiwi Syslog (freeware: http://www.kiwisyslog.com/) and Adiscon
WinSyslog (commercial: http://www.winsyslog.com/en/)
Consolidating and Parsing Logs
• Freeware Options: MS EventComb; Syslog daemons (Kiwi and Adiscon WinSyslog);
other homegrown searching and parsing tools
• MS Windows ACS (Audit Collection Services): MS’s agent based log aggregator

Module 8: Windows Ongoing Host Monitoring


Purpose: Automating the log auditing process

Baseline Method
• Baseline the system
• Monitor against the baseline
• Use file compare (fc.exe) or other tools to do this
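The baseline method works with any of the text-producing tools in this section (psservice, net user, systeminfo and so on): save the output once, save it again later, and compare. fc.exe shows the raw line differences; the Python below is an added example, not a course tool, that reads two such snapshots as name/value records and reports what was added, removed or changed, after dropping fields that are expected to change (uptime). Both snapshots and the service names in them are constructed for the example.

```python
# Constructed snapshots in a "name<TAB>value" layout an auditor might produce from
# psservice or systeminfo output; these are not real tool output.
BASELINE = """\
Alerter\tSTOPPED
EventLog\tRUNNING
RemoteRegistry\tSTOPPED
Uptime\t0 days 2 hours
W32Time\tRUNNING
"""
CURRENT_SNAPSHOT = """\
Alerter\tSTOPPED
EventLog\tRUNNING
RemoteRegistry\tRUNNING
TlntSvr\tRUNNING
Uptime\t3 days 1 hours
"""
VOLATILE = {"Uptime"}   # keys expected to change; excluded so the diff stays meaningful


def parse_snapshot(text: str) -> dict:
    """One record per line, key and value separated by a tab; other lines are ignored."""
    records = {}
    for line in text.splitlines():
        if "\t" in line:
            key, value = line.split("\t", 1)
            records[key.strip()] = value.strip()
    return records


def compare(baseline_text: str, current_text: str, volatile=VOLATILE) -> dict:
    """The fc.exe line differences, organised as added / removed / changed keys."""
    base, cur = parse_snapshot(baseline_text), parse_snapshot(current_text)
    keys = (set(base) | set(cur)) - volatile
    return {
        "added":   sorted(k for k in keys if k in cur and k not in base),
        "removed": sorted(k for k in keys if k in base and k not in cur),
        "changed": sorted((k, base[k], cur[k]) for k in keys
                          if k in base and k in cur and base[k] != cur[k]),
    }


if __name__ == "__main__":
    print(compare(BASELINE, CURRENT_SNAPSHOT))
```

In the constructed data a telnet service appeared, the time service disappeared and Remote Registry went from stopped to running; each of those is a question for the system owner, which is exactly what monitoring against a baseline is meant to surface.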

WMIC – Windows Management Instrumentation Command Line


• All purpose CLI to WMI; local or remote administration; interactive and non-
interactive mode
• Extensive documentation and help files

Shortened Help Output

wmic /?
[global switches] <command>
For specific global switch, type: switch-name /?
For specific alias, type: alias /?
For CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?
Use examples
Aliases: refer to specific parameters (desktop, disk drive, group, process, registry,
useraccount…)
Verbs: perform actions on aliases (call, create, delete, get, list, set…)
wmic useraccount list
wmic group list
wmic process list


Day 6: Auditing UNIX


Tuesday, April 12, 2005 Instructor: John Green

Module 1: UNIX Overview

UNIX Basics
Everything is a File
• As far as possible, everything is written and treated as a file
o Directories are files containing pointers to other files
o Files are files
o Devices are special files
o Network sockets are files too
Files and Permissions
• Defined for: Owner; Group; World
dr-xr-xr-x 1 user group 0 Mar 9 20:45 Favorites
Set-UID (SUID) Program
It is possible to set the permissions on a file so that the person running the program
inherits the effective user ID (EUID) of the user who owns the file. This is known as a
SUID program. Essentially, this means that the process thread under which the program
runs has all the rights and permissions of the owner of the file. The /bin/passwd program,
for example, is typically a SUID program owned by root; this is more or less required
since only the root user may alter the password file on the system.
File Notation
• File with permissions of 555:
      Owner   Group   World
  d | r-x   | r-x   | r-x
  1 | 4 2 1 | 4 2 1 | 4 2 1
• The first character listed determines the file type:
o l – Link
o c – Character
o b – Block
o p – Pipe
o d – Directory
• Permissions are natively octal
• The SUID, SGID and sticky bits take a macro view, applying the same 4/2/1 weighting
as a set of three permissions (owner, group, and world)
o SUID = 4
o SGID = 2
o Sticky = 1
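The octal notation above, including the extra leading digit for SUID, SGID and sticky, is mechanical enough to implement, and doing so is a useful check when reviewing `ls -l` output on an unfamiliar system. The Python below is an added example, not from the course: it converts a mode string to its octal value and back, and flags the things an auditor looks for in a listing (SUID/SGID programs, world-writable objects). The `ls -l` lines it is run on are constructed.

```python
FILE_TYPES = {"-": "regular file", "d": "directory", "l": "link", "c": "character device",
              "b": "block device", "p": "pipe", "s": "socket"}
SPECIAL_BITS = (0o4000, 0o2000, 0o1000)   # SUID, SGID, sticky: one per permission triple


def mode_string_to_octal(mode: str):
    """'dr-xr-xr-x' -> ('d', 0o555); '-rwsr-xr-x' -> ('-', 0o4755)."""
    if len(mode) != 10 or mode[0] not in FILE_TYPES:
        raise ValueError(f"not an ls -l mode string: {mode!r}")
    perm, special = 0, 0
    for i, start in enumerate((1, 4, 7)):
        r, w, x = mode[start:start + 3]
        if r not in "r-" or w not in "w-" or x not in "xsStT-":
            raise ValueError(f"bad permission triple in {mode!r}")
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0) | (1 if x in "xst" else 0)
        perm = (perm << 3) | bits
        if x in "sStT":                 # upper case = special bit set without execute
            special |= SPECIAL_BITS[i]
    return mode[0], special | perm


def octal_to_mode_string(mode: int, file_type: str = "-") -> str:
    """0o4755 -> '-rwsr-xr-x'; the inverse of mode_string_to_octal."""
    out = file_type
    for i, shift in enumerate((6, 3, 0)):
        bits = (mode >> shift) & 0o7
        special = bool(mode & SPECIAL_BITS[i])
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        if special:
            out += ("s" if i < 2 else "t") if bits & 1 else ("S" if i < 2 else "T")
        else:
            out += "x" if bits & 1 else "-"
    return out


def audit_ls_line(line: str) -> list:
    """Flags from one `ls -l` line: SUID/SGID programs and world-writable objects
    (a sticky directory such as /tmp is world-writable by design and is not flagged)."""
    fields = line.split(None, 8)
    mode_str, owner, group = fields[0], fields[2], fields[3]
    file_type, mode = mode_string_to_octal(mode_str)
    flags = []
    if mode & 0o4000:
        flags.append(f"setuid {owner}")
    if mode & 0o2000:
        flags.append(f"setgid {group}")
    if mode & 0o002 and not (file_type == "d" and mode & 0o1000):
        flags.append("world-writable")
    return flags


if __name__ == "__main__":
    # Constructed listing lines, not taken from a real system.
    for line in ("-rwsr-xr-x 1 root root 27000 Mar 9 20:45 /usr/bin/passwd",
                 "drwxrwxrwt 10 root root 4096 Mar 9 20:45 /tmp",
                 "-rw-rw-rw- 1 user group 0 Mar 9 20:45 notes.txt"):
        print(oct(mode_string_to_octal(line.split()[0])[1]), audit_ls_line(line))
```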
Manipulating Files
• chmod: modify permissions on a file
Usage: chmod [OPTION]... MODE[,MODE]... FILE...
or: chmod [OPTION]... OCTAL_MODE FILE...
-R, --recursive change files and directories recursively
• ls: List files in a directory
o -a: show all files
o -l: long listing
o -t: sort by modification time
o -r: reverse sort order
• cat: roughly equivalent to MS’s type command
• more or less: view the contents of a file or output one screen at a time
• head or tail: can view the first or last few lines of a file
• man: UNIX help pages
o man -k <search term>: search all man pages for <search term>
UNIX Services
Remote Procedure Calls and Portmapper
• Remote Procedure Calls (RPC): are used in a distributed computing environment
(DCE) to allow a process on one system to execute functionality on another system
transparently.
• Portmapper: acts as a directory service, allowing applications to register their
versions and the port numbers on which they are listening. Programs that need to access
one of those services can query the Portmapper to find out if the service is running
and what port number the service is using. Process name could be:
o portmap
o rpc.bind
o portmapper
• rpcinfo is a standard tool to query services
o Discover local services
rpcinfo -p
o Discover remote services
rpcinfo -p <target>
UNIX Services: NFS
• NFS: Network File System runs on port 2049 over TCP or UDP and is controlled by a
variety of processes (mountd, nfsd, statd, lockd)
• Created to provide a standard mechanism for sharing file and disk resources across a
network between UNIX systems. Extremely flexible and works with just about every
variety of UNIX regardless of the architecture or file system format
• Interesting configuration files:
o /etc/exports: list of exported file systems
o /etc/fstab: list of file systems that can be easily mounted
o /etc/hosts.allow: list of allowed hosts
o /etc/hosts.deny: list of denied hosts
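Of the configuration files listed, /etc/exports is the one that decides who can mount what, so it is worth reading mechanically rather than by eye. The Python below is an added example, not from the course: it parses the Linux exports syntax (a path followed by `client(options)` entries; this layout is an assumption, other UNIX variants use different files) and reports the findings an auditor would raise: an export to every host, a read-write export to every host, `no_root_squash`, and a path listed with no client at all. The sample file, its paths and host names are constructed.

```python
import re

# Constructed /etc/exports (Linux syntax assumed); paths and hosts are made up.
SAMPLE_EXPORTS = """\
# exported file systems (constructed example)
/export/home   192.168.10.0/24(rw,sync,root_squash)
/export/pub    *(ro,sync)
/export/build  build01.example.test(rw,no_root_squash) *(rw)
/export/scratch
"""

TOKEN = re.compile(r"^([^(]*)(?:\((.*)\))?$")   # client, optional (option,list)


def parse_exports(text: str) -> dict:
    """path -> list of (client, [options]); a path with no clients is exported to
    every host with default options."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        clients = []
        for tok in tokens:
            match = TOKEN.match(tok)
            client, opts = match.group(1) or "*", match.group(2)
            clients.append((client, opts.split(",") if opts else []))
        exports[path] = clients
    return exports


def audit_exports(text: str) -> list:
    """Findings as (path, client, message) tuples."""
    findings = []
    for path, clients in parse_exports(text).items():
        if not clients:
            findings.append((path, "*", "no client list: exported to every host"))
        for client, opts in clients:
            if client == "*":
                level = "read-write" if "rw" in opts else "read-only"
                findings.append((path, client, f"exported {level} to every host"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash: remote root is root on this export"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding, sep="  ")
```

Compare the result with `rpcinfo -p` output from the same host: an export that is wide open matters more when mountd and nfsd are reachable from beyond the subnet the export was meant for.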


UNIX Services: NIS


• Originally designed and supported by Sun Microsystems to allow for central
management of user and authentication information among UNIX systems. NIS is
ASCII based. UNIX systems grouped together and connected via NIS are called
Domains (don’t confuse with other Domains). The management, authentication, and
naming service are handled through the NIS “Yellow Pages” services:
o yppasswd: used to update password information in a NIS environment
o ypcat: used to view the ASCII text versions of the database files
o yppush: used by the NIS server to push updates to NIS slave servers
UNIX Services: NIS+
• Very different from NIS! NIS is ASCII based, whereas NIS+ maintains a tree of objects.
The object-based model also permits the administrator somewhat more granular
control over resources in terms of access controls and role-based access control
• Supports YP-compatibility
• Users have two passwords! Users have both a local password and a NIS+ password

UNIX Configuration Control

Purpose: the idea behind configuration control is that strong accreditation processes are
implemented within the organization.
• Find a good source of information containing usable checklists
o Local policies
o Security checklists
o www.cisecurity.org
o www.nswc.navy.mil/issec/form/accredforms/index.html
o www.nsa.gov
o www.sans.org and www.sans.org/score

Module 2: UNIX Logging

UNIX Logs
• /var/run/utmp: current login “snapshot”
• /var/log/wtmp: login/logout history
• /var/log/btmp: bad login history
• /var/log/messages: also called syslog file; messages from the syslog facility;
contains copy of each system message that is displayed on the console; can contain
a rich source of information; can review for indications of system trouble, including
failed devices, filled file systems, system misconfigurations; some have both
messages and syslog files
o /etc/syslog.conf – contains configuration details about where information is
sent.
• /var/log/secure: access and authentication logs
• /var/run/utmp: contains snapshot of the current users; contents are ephemeral
(short-lived, temporary); username, terminal, login time, remote host
o who - Query utmp file


 /var/log/wtmp: similar to utmp in the information it keeps; major difference is that
it’s semi-permanent and maintains a formal audit trail
o last - Query wtmp file
 /var/log/btmp: logs bad login attempts; similar to wtmp in the information it keeps
and the semi-permanence; maintains a formal audit trail
o lastb -adx: Query btmp file
Remember
 UNIX logs typically auto-rotate; logs contain lots of information
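The review of the access and authentication log (/var/log/secure) described above, carried out over a few constructed sshd lines. This is an added example and not part of the course notes: it counts "Failed password" events per source address so a reviewer can see a repeated-guess pattern without reading the whole file. The host names, addresses and timestamps are constructed for the example; the message format is the one OpenSSH writes.

```shell
#!/bin/sh
# Added example: summarise failed logins from /var/log/secure-style lines.
# The log lines below are constructed for the example, not taken from a host.

SAMPLE_SECURE='Apr 12 09:01:12 host1 sshd[2311]: Failed password for root from 10.0.0.5 port 51234 ssh2
Apr 12 09:01:15 host1 sshd[2311]: Failed password for root from 10.0.0.5 port 51235 ssh2
Apr 12 09:01:20 host1 sshd[2315]: Failed password for invalid user admin from 10.0.0.5 port 51240 ssh2
Apr 12 09:02:01 host1 sshd[2320]: Accepted password for cdavis from 192.168.1.20 port 40001 ssh2
Apr 12 09:03:44 host1 sshd[2330]: Failed password for cdavis from 192.168.1.20 port 40010 ssh2
Apr 12 09:05:00 host1 login[2400]: FAILED LOGIN 1 FROM tty1 FOR root, Authentication failure'

# failed_by_host: read log lines on stdin; print "count address" for every
# source of an sshd "Failed password" line, most frequent first.
failed_by_host() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") count[$(i+1)]++
         }
         END { for (h in count) printf "%d %s\n", count[h], h }' | sort -rn
}

# hosts_over_threshold N: only the sources with more than N failures.
hosts_over_threshold() {
    failed_by_host | awk -v n="$1" '$1 > n { print $2 }'
}

# top_source: the single noisiest source address.
top_source() {
    failed_by_host | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run: all sources, then only those above a threshold of 2.
printf '%s\n' "$SAMPLE_SECURE" | failed_by_host
printf '%s\n' "$SAMPLE_SECURE" | hosts_over_threshold 2
```

On a real host the same functions take `cat /var/log/secure` (or the rotated copies, since the notes point out that logs auto-rotate) on stdin; the threshold is a local judgement, not a fixed number.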

Module 3: UNIX System Information

Purpose: Evaluate the security of an unknown system


 Fundamentals: Can you trust the information stored on the system and can you trust
the tools that reside on the system? If you’re sampling an untrusted system, then you
can review the local files with many different tools:
o Knoppix (http://www.knopper.net/knoppix/index-en.html)
o F.I.R.E (blah)
o Local Area Security (LAS) (http://localareasecurity.com); others

UNIX Toolkit Shopping List


The following is a list of common tools that can be pulled together on a CD for auditing
purposes. There are scripts available that will do portions or all of a complete audit on a
UNIX system. E.g. TARA
 shared libraries
 static system libraries
 netstat, lsof, top
 gdb, nm
 ps, ls, diff, su
 passwd
 netcat
 strace/ltrace
 MD5
 fdisk/cfdisk
 who, w, finger
 dig
 find, df, du
 rm, mv, cp
 chown, chgrp, chmod
 script (automatic note taking)
 tar, dd, compress, gzip
 gcc, ldd – dependency discovery
 sh, csh

UNIX System Information


Purpose: Evaluate the running process, configuration and patching information
 uname -a: processor and OS information; universally available
 mount: currently mounted file systems and sizes
 fdisk -a: produces a list of all partitions on the specified device; validates mounted
versus actual disk areas
 free: memory utilization
 netstat -a -p --inet: lists all active connections (-a: all, and -p: process
information)


 lsof: “lists open files”; files are held open by processes, and since much of the OS
is held in files, you can get at a lot of the OS with lsof; perfect for process, file, and
network status investigations; can produce output suitable for other programs;
ftp://vic.cc.purdue/edu/pub/tools/unix/lsof
o lsof -i: use to identify network connections
 ps -aux: lists processes
 top: general process information updated in real time
 /etc/inetd.conf: Think of Inetd as a service broker, where requests for
services are made through inetd, and the services that it brokers are defined in
/etc/inetd.conf. One way to disable some extraneous services is to comment out their
entry in /etc/inetd.conf.
 /etc/xinetd.conf: xinetd is the updated version of inetd, with access controls
built in from TCP Wrappers, providing access control from the super daemon without
a need to call tcpd for each of the services as they start.
Patch Information:
o patchdiag: Sun
o up2date: RedHat
o showrev -p: UNIX

Module 4: UNIX Authorized Access

Purpose: Evaluate host access


 TCP Wrappers: Should be running, or have equivalent
 Hosts.allow: Should have defined, limited access; not open to entire networks if
possible
 Hosts.deny: List of denied hosts
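An added example that serves both the inetd.conf review in Module 3 and the TCP Wrappers check in Module 4; it is not part of the course notes. It lists the services still enabled in an inetd.conf (commented lines are disabled, as the notes say), flags enabled services that carry credentials or commands in the clear, and tests whether hosts.allow/hosts.deny give a default-deny posture. The file contents, the network range in the corrected hosts.allow and the list of cleartext services are constructed for the example.

```shell
#!/bin/sh
# Added example: inventory enabled inetd services and check TCP Wrappers defaults.
# Every file below is constructed in a scratch directory; nothing on the host is read.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/inetd.conf: commented-out lines are disabled services.
cat > "$WORK/inetd.conf" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF

# Constructed weak TCP Wrappers files: hosts.allow grants everything,
# hosts.deny is empty. hosts.allow is consulted first, so "ALL: ALL" there
# makes hosts.deny irrelevant.
printf 'ALL: ALL\n' > "$WORK/hosts.allow"
: > "$WORK/hosts.deny"

# enabled_services FILE: service names on lines that are neither blank nor comments.
enabled_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Services that pass passwords or commands unencrypted (constructed list).
CLEARTEXT_SERVICES='telnet shell login exec finger'

# risky_enabled FILE: enabled services that appear in CLEARTEXT_SERVICES.
risky_enabled() {
    for svc in $(enabled_services "$1"); do
        for bad in $CLEARTEXT_SERVICES; do
            if [ "$svc" = "$bad" ]; then echo "$svc"; fi
        done
    done
}

# wrappers_default_deny ALLOWFILE DENYFILE: "yes" only when hosts.deny has a
# catch-all "ALL: ALL" and hosts.allow does not itself open everything.
wrappers_default_deny() {
    if grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"; then
        echo no; return
    fi
    if grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$2"; then
        echo yes
    else
        echo no
    fi
}

echo "Enabled inetd services:";          enabled_services "$WORK/inetd.conf"
echo "Cleartext services still enabled:"; risky_enabled "$WORK/inetd.conf"
echo "Default deny (weak config): $(wrappers_default_deny "$WORK/hosts.allow" "$WORK/hosts.deny")"

# Corrected configuration: a named service from one subnet, everything else denied.
printf 'sshd: 192.168.1.0/255.255.255.0\n' > "$WORK/hosts.allow.fixed"
printf 'ALL: ALL\n' > "$WORK/hosts.deny.fixed"
echo "Default deny (fixed config): $(wrappers_default_deny "$WORK/hosts.allow.fixed" "$WORK/hosts.deny.fixed")"
```

Point the functions at /etc/inetd.conf, /etc/hosts.allow and /etc/hosts.deny on the system under review; on an xinetd host the per-service files under /etc/xinetd.d carry a `disable = yes` line instead of a comment, so `enabled_services` would need a different parser there.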

Module 5: UNIX User Management


Purpose: Only valid users should have access to the host and they should use strong
passwords.
 /etc/passwd: Traditional location of user credential information; list of users;
generally world-readable; has the format of:
User:Password:UID:GID:Name:Home:Shell
root:x:0:0:root:/root:/bin/bash
 /etc/shadow: Only readable by root; moved password hashes from the passwd file
and into this controlled file
 shadow-utils: Group of tools known as the shadow utilities that provide interfaces
to the various user account management files. Among other things, these tools allow
you to easily convert back and forth between a shadow style and a classic style
password format depending upon your needs.
 John-the-Ripper: Excellent free crack tool from Openwall;
http://www.openwall.com/john
 chkwtmp: Examine wtmp file for unusual or inconsistent entries
 chklastlog: Examines wtmp file for unusual or inconsistent entries
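The user-management checks from this module run against a constructed passwd/shadow pair, as an added example that is not from the course notes. It reports extra UID 0 accounts, blank password fields (no password required at all), duplicate UIDs, and passwd entries with no matching shadow line. The account names, UIDs and placeholder hashes are constructed; only the field layout is the real one.

```shell
#!/bin/sh
# Added example: audit a passwd/shadow pair for the conditions an auditor
# checks first. All contents are constructed in a scratch directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/passwd in User:Password:UID:GID:Name:Home:Shell format.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/sh
cdavis:x:1000:1000:Chris Davis:/home/cdavis:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/sh
svc:x:1000:1002:service acct:/var/svc:/bin/false
orphan:x:1002:1002:no shadow entry:/home/orphan:/bin/bash
EOF

# Constructed /etc/shadow; the hashes are placeholders, "!" and "*" lock an account.
cat > "$WORK/shadow" <<'EOF'
root:$6$PLACEHOLDERHASH:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
toor:$6$PLACEHOLDERHASH:16000:0:99999:7:::
cdavis:$6$PLACEHOLDERHASH:16000:0:99999:7:::
guest::16000:0:99999:7:::
svc:!:16000:0:99999:7:::
EOF

# uid0_accounts FILE: every account with UID 0 other than root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_password_fields FILE: accounts whose password field is blank; works on
# either file, since a blank field in either means no password is required.
empty_password_fields() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# duplicate_uids FILE: UIDs shared by more than one account.
duplicate_uids() {
    awk -F: '{ print $3 }' "$1" | sort | uniq -d
}

# missing_shadow PASSWD SHADOW: passwd users with no shadow entry. The shadow
# file is read first (FILENAME == ARGV[1]) so an empty shadow still works.
missing_shadow() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             !($1 in seen) { print $1 }' "$2" "$1"
}

echo "Extra UID 0 accounts:";  uid0_accounts "$WORK/passwd"
echo "Blank passwd fields:";   empty_password_fields "$WORK/passwd"
echo "Blank shadow fields:";   empty_password_fields "$WORK/shadow"
echo "Duplicate UIDs:";        duplicate_uids "$WORK/passwd"
echo "No shadow entry:";       missing_shadow "$WORK/passwd" "$WORK/shadow"
```

Against a live host run the functions as root on /etc/passwd and /etc/shadow (shadow is root-only, as the notes say); each non-empty result is a finding to take back to the administrator, not a defect by itself, since a second UID 0 account or a shared UID may be deliberate but must be documented.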


Module 6: UNIX Files

SUID, SGID, and Unlinked Files


Purpose: Ensure only necessary files have set-user or set-group bits set and identify
recently modified files.
 find: recursively search through the file system and (optionally) perform some
action on files with matching attributes. E.g. Find a list of all SUID and SGID files:
find / \( -perm -004000 -o -perm -002000 \) -type f
 lsof +L1: finds unlinked, but still open files for us
o Malicious users can start a process that opens a file and then unlinks the file.
Even though the file has been unlinked, the process can continue to write to
it. Since unlinking the file results in its directory entries being removed, it
becomes invisible. However, disk resources remain in use until the file is
actually closed.
o How to Read Hidden File Contents: Identify the process; cd
/proc/<PID>/cwd; chances are you can touch the file (copy, read, etc.)
there because the process space and kernel are available to use through the
file system in the /proc file tree.
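The SUID/SGID inventory from this module compared against a baseline, as an added example that is not from the course notes. It builds a small constructed file tree, runs the notes' find (with the spaces the shell requires around \( and \)) relative to that tree, and reports set-id files that a stored baseline does not account for. The directory layout, file names and baseline are constructed.

```shell
#!/bin/sh
# Added example: inventory SUID/SGID files in a constructed tree and diff the
# result against a baseline captured on a known-good build.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/root/bin" "$WORK/root/tmp"

# Constructed files: two expected set-id binaries, one ordinary one, and one
# set-id file in a temporary directory that no baseline would list.
for f in bin/passwd bin/su bin/ls tmp/.unexpected; do
    : > "$WORK/root/$f"
done
chmod 4755 "$WORK/root/bin/passwd"       # SUID, expected
chmod 2755 "$WORK/root/bin/su"           # SGID, expected (constructed)
chmod 0755 "$WORK/root/bin/ls"           # neither bit set
chmod 4755 "$WORK/root/tmp/.unexpected"  # SUID where none should exist

# suid_sgid_inventory ROOT: the course's find, run relative to ROOT so the
# output is stable enough to store as a baseline; sorted in the C locale so
# comm(1) below sees the same ordering everywhere.
suid_sgid_inventory() {
    (cd "$1" && find . \( -perm -4000 -o -perm -2000 \) -type f | LC_ALL=C sort)
}

# Baseline from the known-good build (constructed here).
BASELINE="$WORK/suid.baseline"
printf '%s\n' ./bin/passwd ./bin/su > "$BASELINE"

# new_since_baseline ROOT BASELINE: set-id files present now but absent from
# the baseline; each one must be explained or removed.
new_since_baseline() {
    suid_sgid_inventory "$1" > "$WORK/suid.current"
    LC_ALL=C comm -13 "$2" "$WORK/suid.current"
}

echo "Current SUID/SGID files:"
suid_sgid_inventory "$WORK/root"
echo "Not in baseline:"
new_since_baseline "$WORK/root" "$BASELINE"
```

On a real system the inventory is taken with `suid_sgid_inventory /` and the first run's output, reviewed by hand, becomes the baseline; `comm -23` with the same arguments lists set-id files that have disappeared since the baseline, which is worth reporting too.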

UNIX File Integrity


Purpose: Ensure critical system files have not been modified.
 Tripwire, Sherpa, RIACS, L5, AIDE: file integrity assessment tools.

UNIX NFS
Purpose: Identify if NFS is running.
 Easiest method: see the previous information above and also try:
ps -aux | grep -E '(nfs)|(lockd)|(statd)|(mountd)|(rpc)'
 Other tools available for NFS include:
o nfstrace: sniffer that runs on an IDS or Ethernet interface on an NFS server;
collects all NFS related packets; ftp://ftp.cerias.purdue.edu/pub/tools/unix/
o nfswatch: Similar to nfstrace but not as detailed; reports NFS problems and
throughput; ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils

Module 7: UNIX Key Information and Potential Vulnerabilities

Purpose: Identify potential sources of information leaks.

Logon Banners
Check for logon banners in the following files:
cat /etc/issue
cat /etc/issue.net
cat /etc/motd
tail /etc/rc.d/rc.local


Look for Promiscuous Mode NICs using:
ifconfig
Promiscuous mode NICs will have the following line:
UP BROADCAST RUNNING PROMISC MULTICAST MTU:XXXX Metric:x
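The promiscuous-mode check above applied to constructed ifconfig output, as an added example that is not from the course notes: the function names each interface whose flags line carries PROMISC rather than leaving the reader to scan the output by eye. Interface names, addresses and counters are constructed.

```shell
#!/bin/sh
# Added example: name the interfaces in promiscuous mode from ifconfig output.
# The output below is constructed to match the flags line the notes describe.

SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1023 errors:0 dropped:0 overruns:0 frame:0

eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          inet addr:10.0.0.10  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# promisc_interfaces: read ifconfig output on stdin and print the name of each
# interface whose flags line contains PROMISC. An interface block starts in
# column one, so the last such name seen is the interface the flags belong to.
promisc_interfaces() {
    awk '/^[^[:space:]]/ { iface = $1 }
         /^[[:space:]]+UP / && / PROMISC / { print iface }'
}

# Stand-alone run: "ifconfig | promisc_interfaces" on a live host.
printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_interfaces
```

On a Linux host the kernel also logs "device eth0 entered promiscuous mode" (visible with dmesg or in the syslog file), which is a useful second source when the flag has since been cleared.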

Test the Overall Configuration


You can do this using host-based and network-based assessment tools
Host-based Assessment Tools
 Tiger: Formerly COPS, but picked up by TAMU and turned into Tiger. This tool is
somewhat outdated and not well maintained.
 Nessus: Scan the local host
 TARA: No longer actively maintained; but still useful. Code is hard to follow. Last
update was in 2002.
Network-based Assessment Tools
 Nessus: Scan the remote host
 Retina and other network scanner tools
o Some of these can log onto the host and perform privileged scans.


Appendix A: Researching Information


Tuesday, April 12, 2005 Compilation: Chris Davis

Auditing Principles and Concepts


 COBIT: www.isaca.org/cobit.htm; From their website, “COBIT has been developed
as a generally applicable and accepted standard for good Information Technology
(IT) security and control practices that provides a reference framework for
management, users, and IS audit, control and security practitioners.”
 NIST CSRC: http://csrc.nist.gov/sec-cert/ca-controls.html Information on FISCAM,
FIPS, and other established controls and methodologies. FISCAM is the Federal
Information System Controls Audit Manual, and FIPS is the Federal Information
Processing Standards.
 ISSAF (Information Systems Security Assessment Framework) from OISSG:
http://www.oissg.org/content/view/71/71
 OSSTMM: Open Source Testing Methodologies; http://www.isecom.org/

Vendor Specific Resources


 Microsoft: http://www.microsoft.com/technet/security/default.mspx
o Install and Configuration Checklists:
http://www.microsoft.com/security/guidance/prodtech/iis.mspx
o IIS 5.0 Baseline Security:
http://www.microsoft.com/technet/security/chklist/iis5cl.mspx
o Securing IIS 5.0:
http://www.microsoft.com/technet/security/chklist/iis5chk.mspx
 iPlanet: http://developers.sun.com/techtopics/security/index.html
 Apache: http://httpd.apache.org/docs/misc/security_tips.html
o Load testing Apache: Flood: http://httpd.apache.org/test/flood

Government Resources
 US NSA (National Security Agency): www.nsa.gov/snac/index.cfm
 US NIST (National Institute of Standards and Technology): www.csrc.nist.gov
 DISA (Defense Information Systems Agency): restricted to .mil only; www.disa.mil

General Research
 SCORE Project (Security Benchmarks)
 Help Net Security (Vulnerability Info)
 COTSE (Church of the Swimming Elephant - Online Toolbox)
 Netcraft (Identifies what a website is running for you)
 Securityfocus.com Archive
 SANS Institute (Cooperative Education and Research Institute)
 BugTraq and Security Focus (Newsletter/ Well-known site)


 Packet Storm (Search and on the fly updates. Try the Quick Check)
 Zone-H (Misc Downloads)
 OWASP The Open Web Application Security Project
 CVE Common Vulnerability and Exposure List
 CERT Advisories (Carnegie Mellon Software Institute advisories)
 Microsoft TechNet Security  (MS Windows Security Forum/Info)
 http://www.k-otik.com/
 Windows Security
 ntsecurity.nu/toolbox/
 Open Source Vulnerability Database
 ICAT Metabase Vulnerability DB
 Openwall (Free Password Cracking)
 www.sqlsecurity.com (SQL injection FAQ, tools, resources)
 www.homeport.org/~adam/review.html (Secure Code Review Guidelines)


Appendix B: Auditing Tools


Tuesday, April 12, 2005 Compilation: Chris Davis

There are literally hundreds of tools, and listing them all here just isn’t practical. However,
here is a list of tools mentioned in the course and a few more that should be mentioned.

Auditing Perimeters
Routers
 RAT (Router Audit Tool) Available from: http://www.cisecurity.org
Firewalls
 Network mapping: nmap, hping, nemesis, others
 Passive vulnerability assessment: Ethereal, tcpdump, windump, others
 Active vulnerability testing: Nessus, Retina, others

Auditing Networks
War Dialing
 Toneloc
 THC Scan
 Phone Tag
 Rasusers
 TBA (palm OS)
 Microsoft’s Hyper-Terminal
 PhoneSweep
 Sandtrap
 Procomm Plus
Bluetooth
 Bluez
 OpenOBEX
 Redfang
 Bluesniff
 Btscanner
 Btxml
Wireless Auditing
 Physical Audits: Netstumbler, Kismet, other tools to detect the wireless signals
 Logical Audits: Nessus, Retina, and other tools can detect the MAC and identify the
router as an AP; can also do this with TCP/IP fingerprinting, FTP printing, etc.
Network Mapping
 nLog (www.digitaloffense.net/nlog)
 ndiff: Utilizes nmap output to identify the differences or changes
Web Auditing
 Nikto: Nessus can leverage Nikto
 N-Stealth
 Whisker
 OWASP (http://owasp.org/)
Vulnerability Assessment
 Nessus: Good open source tool
 NeWT: Commercial version of Nessus
 GFI LANguard: Been around forever

 Retina: Best Windows-based tool. Fastest of every tool on the market.
 nCircle: Excellent appliance-based (hardened Linux appliance) architecture
 MBSA: MS’s local scanner. More of an over-all audit tool.
SQL and Database Auditing
 SQL Injection Basics see OWASP (http://owasp.org/) for excellent tutorials.
 Nmap: Check for appropriate ports
 Nessus: www.nessus.org contains plugins for Oracle, MS SQL and MySQL
 Retina: Contains built-in checks
 SQL Server Analyzer: From MS website
Search for Trojan horse programs
 List of common Trojan ports: www.doshelp.com

Auditing Web Servers & Applications


 HTTrack (free): www.httrack.com
 Website Extractor (free): www.esalesbiz.com/extra
 WebCopier (free): www.maximumsoft.com
 Wget (free): www.freshmeat.net/projects/wget
 BlackWidow (commercial): supports HTTP, SSL, FTP; www.softbytelabs.com
 Netcraft: www.netcraft.com
 OpenSSL
 Ethereal
 Crypto Law Survey: Information about crypto laws in other countries;
http://rechten.uvt.nl/koops/cryptolaw
 Digital Signature Law Survey: http://rechten.uvt.nl/simone/DS-LAWSU.htm
 Automated View State Decoder: lets you decode the hidden viewstate field on
any .aspx page to view the contents in a tree view, as raw text, etc;
http://staff.develop.com/onion/tools/viewstatedecoder.zip
General Resources
 Center for Information Security: www.cisecurity.org
 SANS Server Policy: www.sans.org/resources/policies/server_security_policy.pdf
 NSA/CSS Infosec: www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1
IIS 5.0 Specific Tools
 URLScan: www.microsoft.com/technet/security/tools/urlscan.mspx
 IIS Lockdown Tool: www.microsoft.com/technet/security/tools/locktool.mspx
 MBSA (MS Baseline Security Analyzer): Looks for common misconfigurations;
www.microsoft.com/technet/security/tools/mbsahome.mspx
Web Server Security Scanning
 www.asciitable.com for list of common encodes used
 Nessus: www.nessus.org
 GFI LANguard: www.gfi.com/lannetscan
 NeXpose: www.rapid7.com
 Qualys: www.qualys.com


CGI Scanning
 N-Stealth: www.nstalker.com/nstealth
 Multiple at: www.packetstormsecurity.org/UNIX/cgi-scanners/indexdate.shtml
Brute Force Authentication
 Brutus: www.hoobie.net/brutus/index/html
Traffic / Protocol Analysis
 Ethereal
Traffic Interception & Manipulation
 Achilles: www.achilles.mavensecurity.com
 Odysseus: www.wastelands.gen.nz/index.php?page=odysseus
Common Tools of the Trade
 IE Booster: Easy way to see and change hidden form elements;
www.freewareweb.com/cgi-bin/archive.cgi?ID=1594
 Screaming Cobra: Uses Perl; attacks ACTION statements (i.e. forms);
www.cobra.lucidx.com
 Stunnel: Adds SSL support for other tools; www.stunnel.org
 Web Sleuth: version 1.36 is free; www.sandsprite.com/sleuth/download.html
 Web Scarab: from OWASP; www.owasp.org/software/webscarab.html
 Spike Proxy: www.immunitysec.com/resources-freesoftware.shtml
 Paros: www.proofsecure.com
 Burp Proxy: www.portswigger.net/proxy
 WebProxy by @Stake (commercial product): www.atstake.com/products/webproxy
User Input Testing Tools
 Screaming Cobra: www.cobra.lucidx.com
 Web Sleuth: www.geocities.com/dzzie/sleuth
 Spike Proxy: www.immunitysec.com/resources-freesoftware.shtml
 Nessus Plugins

Auditing Windows
Built-in Command Line Tools
 ver – Lists Windows OS version information
 systeminfo – Great short listing of the system information
GUI Windows Tools
 msinfo32 – GUI based interface; can export lengthy report into text file
Third-Party Tools (mostly command line)
 psinfo – One of many Sysinternals tools.
System Patches and Updates
 hfnetchk / qfecheck
 MBSA (Microsoft’s Baseline Security Analyzer)
 Patch Management Tools: SUS / WUS / SMS; other third-party tools


Identify Windows Components and Services


 MMC – Start > Run > MMC, then load the Computer Management snap-in
 tasklist – Built-in command line tool
 psservice.exe – Sysinternals tool
 fport – Foundstone tool
 OpenPorts – DiamondCS Tool; www.diamondcd.com.au
 nmap – Thanks to Fyodor
 SuperScan – Foundstone tool
 Port Reporter (PR) Free from MS – Messy output – Should use PR Parser
Windows Users, Groups, and Passwords
 net user – Lists the user accounts on a system
 addusers – Windows Resource Kit tool; allows you to dump information
 rasusers – Lists all users that have remote access permissions
 DumpSec – Somarsoft tool; formerly DumpACL
Group Tools Include
 net group – Also net localgroup;
 findgrp – ResKit Tool; lists all groups.
 showgrps – ResKit Tool; lists all groups.
 showmbrs – ResKit Tool; lists all members of a specific group
Password Tools Include
 net accounts – listing of basic password policy settings
 DumpSec – Somarsoft tool; formerly DumpACL
 LophtCrack – password cracking
 John the Ripper – Openwall’s Tool; http://www.openwall.com/john
 pwdump – May be needed to dump the SAM to feed into John
 MBSA – MS’s tool checks for a few really, really dumb passwords.
Tools for Auditing Windows File Permissions
 cacls – view or set high-level permissions (read, write, modify, full control)
 xcacls – ResKit Tool; similar to cacls; allows finer controls
 perms.exe – ResKit Tool; useful for determining the access
 AccessEnum – Generates complete list of permissions; Sysinternals tool
 DumpSec
 SFind.exe – Used to locate files with ADS
 Audited.exe – Used to read the SACL
 DACLchk.exe – List the ACLs for a specific file or directory
Tools for Auditing Windows Share Permissions
 ShareEnum – Free graphical utility from Sysinternals
 DumpSec – Lists shares on a local or remote system
 WinFingerprint – SourceForge project; General purpose windows scanner;
http://winfingerprint.sourceforge.net
 sysdiff – ResKit Tool; verifies file integrity

 wininterrogate – SourceForge project for integrity checking;
http://winfingerprint.sourceforge.net
 MD5Sum – Creates MD5 hashes of files
 MD5deep – similar to MD5Sum; adds capability to do recursive hashing of files
 wmic – Command line windows management interface
Tools for Auditing Windows OS and Application Security
 MS SCAT – Microsoft’s built-in Security Configuration and Analysis Tool
 Group Policy Editor – Allows you to view and modify group policy settings
 General Scanners – MBSA; Nessus; eEye’s Retina; ISS Network Scanner
Tools for Finding Windows Rootkits
 RootkitRevealer – Sysinternals Tool; finds all rootkits listed on www.rootkit.org;
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
o More information from MS’s website about rootkits can be found here:
www.research.microsoft.com/rootkit
Windows Logging
 Event Viewer – built into MMC
 EventCombMT – Free from MS; http://www.microsoft.com/downloads/details.aspx?
displaylang=en&familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E;
 Dumpel.exe – ResKit Tool;
 Frank Heyne’s R529 – details all failed logon attempts and uses simple pattern
recognition to distinguish; http://www.heysoft.de/Frames/f_sw_re_en.htm
Baseline Method
 Use file compare (fc.exe) or other tools to do this. Google WinMerge

Auditing UNIX
Manipulating Files
 chmod: modify permissions on a file
 ls: list files in a directory
 cat: roughly equivalent to MS’s type command
 more or less: view the contents of a file or output one screen at a time
 head or tail: view the first or last few lines of a file
 man: UNIX help pages
UNIX Services
 rpcinfo is a standard tool to query services
UNIX Services: NIS
 yppasswd – used to update password information in a NIS environment
 ypcat – used to view the ASCII text versions of the database files
 yppush – used by the NIS server to push updates to NIS slave servers
UNIX System Information
 uname -a: processor and OS information; universally available
 mount: currently mounted file systems and sizes
 fdisk -a: validates mounted versus actual disk areas


 free: memory utilization
 netstat -a -p --inet: lists all active connections
 lsof: “lists open files”; ftp://vic.cc.purdue/edu/pub/tools/unix/lsof
 ps -aux: lists processes
 top: general process information updated in real time
Patch Information:
 patchdiag – Sun
 up2date – RedHat
 showrev -p – UNIX
UNIX User Management
 shadow-utils
 John-the-Ripper – From Openwall; http://www.openwall.com/john
 chkwtmp: Examine wtmp file for unusual or inconsistent entries
 chklastlog: Examines wtmp file for unusual or inconsistent entries
UNIX Files
 find – search file system and perform action on files with matching attributes.
 lsof +L1 – finds unlinked, but still open files
 nfstrace: sniffer that runs on an IDS or Ethernet interface on an NFS server;
collects all NFS related packets; ftp://ftp.cerias.purdue.edu/pub/tools/unix/
 nfswatch: Similar to nfstrace but not as detailed; reports NFS problems and
throughput; ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils
