Detailed Contents
Day 1: Auditing Principles and Concepts (p. 7)
  Module 1: Defining Terms (p. 7)
    Fifty Thousand Foot Views (p. 7)
      Baselines (p. 7)
      TBS (p. 7)
      COBIT (p. 7)
      FISCAM (p. 7)
    Checklists (p. 8)
    Policy and Auditing (p. 8)
  Module 2: How Does Auditing Help? (p. 8)
    Case Study: Wall Street Audit (p. 8)
  Module 3: Baselines (p. 8)
  Module 4: Time Based Security (p. 9)
  Module 5: The Audit Process (p. 9)
    Case Study: Audit Internet AUP (Acceptable Usage Policy) (p. 11)
    Step 1: Audit Planning (p. 11)
    Step 2: Entrance Conference (p. 11)
    Step 3: Fieldwork (p. 11)
    Step 4: Preparing the Report (p. 12)
    Step 5: Exit Conference (p. 12)
    Step 6: Report to Management (p. 12)
Day 2: Auditing Perimeters (p. 13)
  Module 1: Routers (p. 13)
    Audit Preparation (p. 13)
    Cisco Router Basics (p. 14)
    System Management (p. 16)
      Accessing Cisco Routers (p. 16)
      Auditing Access Methods (p. 16)
      Authentication (p. 16)
      Services and Banners (p. 16)
    System Controls (p. 17)
    Data Control (p. 17)
      Filter Rule Audit (p. 17)
    Router Audit Tool (RAT) (p. 18)
  Module 2: Firewalls (p. 18)
    Introduction (p. 18)
      Why Perform Perimeter Audits? (p. 18)
      General Types of Firewalls (p. 19)
      NAT (p. 19)
    Audit Preparation (p. 19)
      Policies and Procedures (p. 19)
    Firewall Architecture (p. 19)
    Testing the Firewall (p. 20)
    Testing the Firewall Rulebase (p. 20)
    Alerting and Logging (p. 21)
      Alerts and Logs in the Corporate Environment (p. 21)
      NIDS Auditing (p. 21)
Day 3: Auditing Networks (p. 23)
  Overall Methodology Review (p. 23)
  Module 3: War Dialing (p. 23)
    Modems (p. 23)
  Module 4: Wireless (p. 24)
    Overall Wireless Approach (p. 24)
    Bluetooth Wireless (p. 25)
    802.11b Wireless Overview (p. 25)
  Module 5: Network Maps and Critical Systems (p. 26)
    Network Maps (p. 26)
    Critical Systems Considerations (p. 27)
      Best Practices (p. 27)
  UNIX Services (p. 52)
    Remote Procedure Calls and Portmapper (p. 52)
    UNIX Services: NFS (p. 52)
    UNIX Services: NIS (p. 52)
    UNIX Services: NIS+ (p. 53)
  UNIX Configuration Control (p. 53)
  Module 2: UNIX Logging (p. 53)
    UNIX Logs (p. 53)
      Remember (p. 54)
  Module 3: UNIX System Information (p. 54)
    UNIX Toolkit Shopping List (p. 54)
    UNIX System Information (p. 54)
      Patch Information (p. 55)
  Module 4: UNIX Authorized Access (p. 55)
  Module 5: UNIX User Management (p. 55)
  Module 6: UNIX Files (p. 55)
    SUID, SGID, and Unlinked Files (p. 55)
    UNIX File Integrity (p. 56)
    UNIX NFS (p. 56)
  Module 7: UNIX Key Information and Potential Vulnerabilities (p. 56)
    Logon Banners (p. 56)
    Look for Promiscuous Mode NICs using (p. 56)
    Test the Overall Configuration (p. 57)
      Host-based Assessment Tools (p. 57)
      Network-based Assessment Tools (p. 57)
Appendix A: Researching Information (p. 58)
  Auditing Principles and Concepts (p. 58)
  Vendor Specific Resources (p. 58)
  Government Resources (p. 58)
  General Research (p. 58)
Appendix B: Auditing Tools (p. 60)
  Auditing Perimeters (p. 60)
    Routers (p. 60)
    Firewalls (p. 60)
  Auditing Networks (p. 60)
    War Dialing (p. 60)
    Bluetooth (p. 60)
    Wireless Auditing (p. 60)
    Network Mapping (p. 60)
    Web Auditing (p. 60)
    Vulnerability Assessment (p. 60)
    SQL and Database Auditing (p. 61)
    Search for Trojan horse programs (p. 61)
  Auditing Web Servers & Applications (p. 61)
    General Resources (p. 61)
    IIS 5.0 Specific Tools (p. 61)
    Web Server Security Scanning (p. 61)
    CGI Scanning (p. 62)
    Brute Force Authentication (p. 62)
    Traffic / Protocol Analysis (p. 62)
    Traffic Interception & Manipulation (p. 62)
    Common Tools of the Trade (p. 62)
    User Input Testing Tools (p. 62)
  Auditing Windows (p. 62)
    Built-in Command Line Tools (p. 62)
    GUI Windows Tools (p. 62)
    Third-Party Tools (mostly command line) (p. 62)
    System Patches and Updates (p. 62)
    Identify Windows Components and Services (p. 63)
    Windows Users, Groups, and Passwords (p. 63)
    Group Tools Include (p. 63)
There’s an emphasis on figuring out “What” to audit (defining the scope) prior to the
“How” (control validation) of the audit. I.e. you should know your scope before you
begin your work.
If we consider “How” too early, then we might adjust the scope or objectives of the
audit, potentially blinding ourselves to risk. Stick to the defined scope.
Auditing: Measurement, hard metric, of conformance
Assessment: this is a measurement or estimation of risk, threat, vulnerability, and
cost of exposure. Assessment is more subjective than auditing. E.g. how did we
do? What could go wrong?
Scope: is the defined “what”, or boundaries of what you audit
Objective: is the goal of the policy or procedure. Two types of objectives include the
audit objectives and the individual system objectives.
Control: How we meet our objectives
Audit Exception: item that fails to meet audit criteria
Remediation: what you do to fix the Audit Exception
Mitigation: steps taken to reduce loss or harm
Root Cause: center of what “really” went wrong
Information System Controls Audit Manual, and FIPS is the Federal Information
Processing Standards.
Checklists
Checklist: a statement of purpose and scope, and the primary tool for the auditor. The
primary goal of the auditor is to learn how to write a good checklist. Checklists make
the audit process far less subjective and allow the auditor and the system
administrator to examine the checklist together as equals, rather than the sysadmin
viewing the audit checklist as the auditor’s pitchfork.
Policy and Auditing
Good policy is required for good auditing
Policy: is the what. Policy answers questions about whom, what, and maybe why.
Policies are high-level. E.g. must have AV.
Procedure: is the how. Procedures answer what person does what, when, and why.
Procedures are low-level. E.g., Sysadmin will update AV signatures weekly on user
desktops from server a.b.c.d and report findings to helpdesk. In the event a virus is
found, then report the incident to help desk immediately and keep the system off the
network.
Audit: is the verification of policy and procedure.
Module 3: Baselines
Baselines can be for anything from traffic loads, operating systems, users, LDAP, etc.
It’s a useful method for evaluating changes. Simply establish a known good and
automate against changes in the known good.
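As an added illustration of "establish a known good and automate against changes in the known good" (this script is not from the course notes), the block below snapshots a directory tree as path-to-SHA-256 pairs and reports what was added, removed or modified since the baseline. The tree, its file contents and the simulated drift are constructed in a temporary directory so it runs offline.

```python
"""Added example (not from the course notes): take a baseline of a directory
tree and report what changed. The files and the drift are constructed here."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[str(path.relative_to(root))] = digest
    return baseline


def compare(baseline, current):
    """Return added, removed and modified paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed 'known good' tree, change it, and diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts.allow").write_text("sshd: 192.168.1.0/24\n")
        known_good = snapshot(root)

        # Simulated drift: a loosened config, a deleted file and a new binary
        (root / "etc" / "hosts.allow").write_text("sshd: ALL\n")
        (root / "etc" / "passwd").unlink()
        (root / "bin").mkdir()
        (root / "bin" / "sh2").write_bytes(b"\x7fELF")
        return compare(known_good, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline dictionary would be written to disk (and kept somewhere the audited host cannot modify) and the comparison scheduled, which is the "automate" half of the note.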
Module 1: Routers
The training material for this section was developed in part by Tanya Baccam.
Audit Preparation
Define Scope: The audit methodology applies here as you would expect. Begin by
defining your scope.
Conduct Research: Similarly, your research needs to be conducted:
  o Questions to Ask
      What’s being protected?
      What risks exist?
      How’s the router configured?
      What’s the architecture?
      What processes exist?
  o Sources for Research
      Interviews with the audit team, sysadmins, network admins, policy team,
      information security team
      Router documentation including router functional definitions and network
      diagrams
      External sources such as manufacturer alerts (newsletters/website), CERT/CIAC,
      SANS, Security Focus, user groups, other best-practice sources
Best Practices: Many sources for this, including:
  o Security Focus
  o Packet Storm
  o Regulations/Legislation (GLB, HIPAA, SOX)
  o CERT
  o CIAC
  o SANS Top 20
  o GIAC practicals
  o BS7799/ISO17799
  o COBIT
  o NIST
  o CIS
  o NSA Security Guide
  o Generally Accepted System Security Principles
  o AICPA Trust Services Principles and Criteria
Architecture: Router architecture must support the business flow of information. Find
version information (OS, patch levels, etc.). Find the router’s role:
o Border Router? (highest risk level)
o Interior Router?
o Backbone Router?
Processes: This is the time to also test processes – not just the configuration:
o Processes to Check:
If so… permit to pass. If not… process next rule. Out of rules… drop
packet.
Stateful Packet Filtering
  o The basics go like this: most network traffic requires a stimulus, meaning a reply
    must come back into the network for the session to make sense. The issue started
    when people figured out how to make evil packets that look like harmless replies.
    Stateful filtering “remembers” the outbound packet so that it can match the
    inbound reply to what just left. It only allows legitimate replies into the network.
When to use Static or Stateful:
  o Static Packet Filtering: Use Static for absolutes. E.g. blocking traffic from
    private IP addresses; blocking all traffic headed to the SNMP ports; blocking
    all inbound echo-requests (pings)
  o Stateful Packet Filtering (Reflexive Filters [1]): Use Stateful for conditionals.
    E.g. “not at all, or… for everything else”. Router deployment is dependent on
    perimeter configuration.
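To make the static-versus-stateful distinction concrete, here is an added toy simulation (not from the course notes). The static filter applies the usual "permit anything that looks like a reply" approximation, which is exactly what a forged reply abuses; the stateful filter keeps a table of what left the network and admits only packets that mirror an entry. Hosts, ports and flags are constructed.

```python
"""Added example (not from the course notes): a static 'permit replies' rule
compared with a state table that remembers outbound traffic."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: set of TCP flag names


class StaticFilter:
    """Static rule: inbound TCP with ACK set 'looks like' a reply, so permit it.
    This is the approximation that forged replies abuse."""

    def inbound(self, pkt):
        return "ACK" in pkt.flags


class StatefulFilter:
    """Reflexive behaviour: an outbound packet creates a state entry; inbound
    traffic is permitted only if it mirrors an entry in the table."""

    def __init__(self):
        self.table = set()

    def outbound(self, pkt):
        # Remember (inside host, inside port, outside host, outside port)
        self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        # A genuine reply has source and destination swapped relative to what left
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_scenario():
    """Returns (real reply permitted?, forged reply permitted?) for each filter."""
    inside, outside, forger = "10.1.1.5", "203.0.113.9", "198.51.100.7"  # constructed
    static, stateful = StaticFilter(), StatefulFilter()

    request = Packet(inside, 40000, outside, 80, {"SYN"})
    stateful.outbound(request)

    real_reply = Packet(outside, 80, inside, 40000, {"SYN", "ACK"})
    forged_reply = Packet(forger, 80, inside, 445, {"ACK"})  # nothing left towards this host

    return {
        "static": (static.inbound(real_reply), static.inbound(forged_reply)),
        "stateful": (stateful.inbound(real_reply), stateful.inbound(forged_reply)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The state table here never expires entries; a real implementation ages them out and also tracks TCP state so that a session is closed once the FIN/RST exchange is seen.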
Cisco’s IP Access List Types
  o STANDARD IP access control lists
      Defined by list numeric range of 1-99, 1300-1999
      Only test IP SOURCE, thus making it faster than EXTENDED access lists
  o EXTENDED IP access control lists
      Defined by numeric range 100-199, 2000-2699
      Tests SOURCE, DESTINATION, PROTOCOL, UDP/TCP PORT and ICMP types in sequence
  o REFLEXIVE IP access control lists
      Uses state table to maintain secure connections
  o Named access control lists
      All of the above can be created using the number ranges specified or by using a
      descriptive name
Standard ACL Format:
  access-list number action source [wild card] | any
  E.g.: access-list 20 permit 192.168.1.0 0.0.0.255
  o Number must be 1-99 or 1300-1999 for standard
Extended ACL Format:
  access-list number action protocol source [wild card] [src-port]
      destination [wild-card] [dest-port] [other-options]
  o Number: must be 100-199 or 2000-2699 for extended
  o Action: must be permit or deny
  o Protocol: name or number of protocol. E.g. ip, tcp, udp, icmp, etc.
  o Source: source IP address to compare; src-port: TCP or UDP source port
  o Destination: destination address to compare
  o Log or log-input: log to console and/or syslog server
[1] As of Cisco IOS 11.3, Cisco included stateful filtering capability referred to as
“Reflexive Filters”. They are moving away from reflexive filters and towards CBAC
(Context-Based Access Control) because reflexive filters are pretty strong, but not
perfect.
Christopher Davis Course Notes 15
Audit 507: Auditing Networks, Perimeters, and Systems
Named Access Lists: descriptive names can be used instead of numbers. Reflexive
filters must be placed in extended named access lists.
CBAC: Product name is the “Firewall Feature Set”. Very CPU intensive. Protocol
aware control.
Creating the Packet Filter
  o ip access-group number [in|out]
  o Number is the value of a defined access list
Show Access-list Command:
Router# sh access-lists 100
Extended IP access list 100
permit tcp any any established (88 matches)
permit tcp any any eq telnet (12 matches)
System Management
Accessing Cisco Routers
Local: Best method – but not usually realistic
Remote: Telnet, SSH, HTTP, SNMP, TFTP
o Should be secure
Auditing Access Methods
Disable access to a given line or port:
  no exec
Remote access should be disabled if not needed:
  transport input none
SSH preferred over telnet:
  transport input ssh      (preferred)
  transport input telnet   (avoid)
Use timeouts for session activity:
  exec-timeout 10 0
Control access via access control lists:
  access-list 102 permit ip host 192.168.1.1 any
Authentication
Methods include: enable, krb5, krb5-telnet, line, local, local-case, none, group radius,
group tacacs+, group group-name
Services and Banners
SNMP: Preferable to disable SNMP completely. Not always feasible. Should not have
read-write community strings. Should not have default community strings. Should
restrict access to authorized addresses
Management Services: should be disabled. E.g. Finger; Identd; HTTP
Banners: legal notice should be given; only available for clear-text protocols;
displayed after authentication.
Password Encryption: Two types:
o Type 7: Cisco defined; weak
o Type 5: MD-5; much more secure; preferred
AAA Accounting: used to keep an audit trail of user activity; four levels:
System Controls
NTP and Clock Configuration: Query for clock information; ideally should have 3
separate time servers.
show clock detail
Logging: should be enabled; syslog servers specified explicitly; logs time stamped;
buffer size of logs specified; console logging level specified; trap (syslog) level set
  o Examples:
      logging on
      logging buffer 16000
      logging console critical
      logging trap information
Unnecessary Control Services
  o Small TCP services
  o Small UDP services
  o Bootp
  o CDP
  o Config service
  o TFTP services
  o Should enable TCP keep-alive services to flush inactive connections
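The access-method, authentication, SNMP, banner, logging, NTP and unnecessary-service checks above are mechanical enough to script. The block below is an added example (not from the course notes, and not the Router Audit Tool the notes mention later): it reads an IOS-style configuration and reports each condition the notes say to look for. The configuration text is constructed for the demo; the command spellings are standard IOS.

```python
"""Added example, not from the course notes and not the Router Audit Tool (RAT):
a small checker that reads a Cisco IOS style configuration and reports the
conditions the notes above say an auditor should look for. The configuration
below is constructed for the demo."""
import re

SAMPLE_CONFIG = """\
hostname border-rtr
enable password 7 094F471A1A0A
service tcp-small-servers
service config
ip http server
snmp-server community public RO
snmp-server community private RW
logging buffered 16000
logging console critical
logging 192.0.2.50
ntp server 192.0.2.10
ntp server 192.0.2.11
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
line vty 5 15
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}
SERVICES_TO_DISABLE = [
    ("ip http server", "HTTP server"), ("ip finger", "finger"),
    ("service tcp-small-servers", "small TCP services"),
    ("service udp-small-servers", "small UDP services"),
    ("service config", "config service"), ("tftp-server", "TFTP service"),
]


def parse_config(text):
    """Split a config into global commands and (line-name, [sub-commands]) blocks."""
    global_cmds, blocks, current = [], [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(stripped)       # indented: belongs to the open 'line' block
            continue
        current = None
        if stripped.startswith("line "):
            current = (stripped, [])
            blocks.append(current)
        else:
            global_cmds.append(stripped)
    return global_cmds, blocks


def audit(text):
    """Return a list of finding strings for the configuration text."""
    cmds, blocks = parse_config(text)
    findings = []

    def has(prefix):
        return any(c.startswith(prefix) for c in cmds)

    # Authentication: 'enable password' (type 7 or cleartext) is weak; want 'enable secret'
    if has("enable password"):
        findings.append("enable password in use; replace with enable secret (type 5)")
    # SNMP: default strings, read-write access, or no ACL restricting who may query
    for c in cmds:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", c)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"snmp community '{name}' is a default string")
            if mode == "RW":
                findings.append(f"snmp community '{name}' is read-write")
            if acl is None:
                findings.append(f"snmp community '{name}' has no access-list restriction")
    # Management and small services that the notes say should be off
    for prefix, label in SERVICES_TO_DISABLE:
        if has(prefix):
            findings.append(f"{label} enabled")
    # Logging and time: explicit syslog host, timestamps, buffer size, three NTP servers
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", c) for c in cmds):
        findings.append("no syslog server configured")
    if not has("service timestamps log"):
        findings.append("log messages are not timestamped")
    if not has("logging buffered"):
        findings.append("log buffer size not specified")
    ntp = sum(c.startswith("ntp server") for c in cmds)
    if ntp < 3:
        findings.append(f"only {ntp} NTP server(s) configured; notes recommend 3")
    if not (has("banner motd") or has("banner login")):
        findings.append("no legal notice banner")
    # Remote access lines: telnet still allowed, or no idle timeout
    for name, sub in blocks:
        if not name.startswith("line vty"):
            continue
        transport = [s for s in sub if s.startswith("transport input")]
        if not transport:
            findings.append(f"{name}: transport input not restricted")
        elif any("telnet" in t or t.endswith(" all") for t in transport):
            findings.append(f"{name}: telnet permitted; prefer transport input ssh")
        if not any(s.startswith("exec-timeout") for s in sub):
            findings.append(f"{name}: no exec-timeout")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Each finding maps back to a checklist item, which is the point: the auditor's checklist and the script's checks should be the same list, so a sysadmin can read either one and see exactly what will be measured.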
Data Control
Routing Protection: Stop the following:
  o Directed broadcasts
  o Source routing
  o Proxy ARP
  o ICMP unreachables
  o Tunneled interfaces
  o ICMP redirects and echo-requests
Ingress Filtering: refers to filtering the traffic coming into the network from an
external source. Great way to ensure someone isn’t spoofing addresses that
obviously didn’t originate from your network. These addresses are defined in
RFC3330 and include addresses in the ranges of: 169.254.x.x; 127.x.x.x; 192.0.2.x;
0.x.x.x; 224.0.0.0-31.x.x.x
Egress Filtering: refers to filtering the traffic leaving the network from an internal
source.
Filter Rule Audit
Do the filter rules meet policy and/or best practices?
Are the filter rules authorized?
Are the filter rules optimized?
Conduct technical verification of the filter rules.
Document and recommend changes as necessary.
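"Conduct technical verification of the filter rules" means evaluating real packets against the rulebase rather than reading it. The block below is an added example (not from the course notes) that serves both the ACL syntax section above and the ingress-filtering note: it parses numbered standard and extended entries, validates the list number against the ranges the notes give, implements wildcard-mask matching and the implicit deny, and evaluates constructed packets against a constructed ingress list built from the RFC 3330 ranges the notes cite. The wildcard chosen for 224.0.0.0 is an assumption covering the whole multicast block, and the `established` keyword is modelled as Cisco documents it (TCP ACK or RST bit set).

```python
"""Added example, not from the course notes: parse Cisco-style numbered
access-list entries, validate the list number against the ranges given above,
and evaluate packets top-down with the implicit deny at the end. The ingress
list and packets are constructed; the 224.0.0.0 wildcard is an assumption."""
import ipaddress

STANDARD_RANGES = [(1, 99), (1300, 1999)]
EXTENDED_RANGES = [(100, 199), (2000, 2699)]
ANY = ("0.0.0.0", "255.255.255.255")


def acl_kind(number):
    """'standard' or 'extended' from the list number; anything else is invalid."""
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    raise ValueError(f"access-list {number} is outside the standard and extended ranges")


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that address bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_address(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD'; return ((net, wild), remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(line):
    """Turn one 'access-list N permit|deny ...' line into a rule dict."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    number, action = int(tokens[1]), tokens[2]
    rule = {"number": number, "action": action, "proto": "ip", "src": ANY,
            "dst": ANY, "dport": None, "established": False}
    if acl_kind(number) == "standard":           # standard lists test the source only
        rule["src"], _ = parse_address(tokens[3:])
        return rule
    rule["proto"], rest = tokens[3], tokens[4:]
    rule["src"], rest = parse_address(rest)
    rule["dst"], rest = parse_address(rest)
    if rest[:1] == ["eq"]:
        rule["dport"], rest = int(rest[1]), rest[2:]
    rule["established"] = "established" in rest
    return rule


def evaluate(rules, pkt):
    """First matching rule wins; falling off the end is the implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *r["src"]) or not wildcard_match(pkt["dst"], *r["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        if r["established"] and not (pkt["flags"] & {"ACK", "RST"}):
            continue                              # 'established' only checks TCP ACK/RST bits
        return r["action"], r["number"]
    return "deny", None


# Constructed ingress list for the outside interface: spoofed sources are dropped first
INGRESS_ACL = [parse_entry(line) for line in """
access-list 110 deny ip 0.0.0.0 0.255.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 169.254.0.0 0.0.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 15.255.255.255 any
access-list 110 permit tcp any host 192.168.1.10 eq 80
access-list 110 permit tcp any any established
""".splitlines() if line.strip()]


def check(proto, src, dst, dport, flags=()):
    """Evaluate one constructed packet against INGRESS_ACL; returns 'permit' or 'deny'."""
    pkt = {"proto": proto, "src": src, "dst": dst, "dport": dport, "flags": set(flags)}
    return evaluate(INGRESS_ACL, pkt)[0]


if __name__ == "__main__":
    print(check("tcp", "127.0.0.1", "192.168.1.10", 80, ["SYN"]))       # spoofed loopback source
    print(check("tcp", "198.51.100.7", "192.168.1.10", 80, ["SYN"]))    # legitimate web request
    print(check("tcp", "198.51.100.7", "192.168.1.10", 445, ["SYN"]))   # no rule: implicit deny
    print(check("tcp", "198.51.100.7", "192.168.1.10", 445, ["ACK"]))   # passes 'established'
```

The last check is worth noting in an audit report: a bare ACK to a port nobody opened is admitted by `permit tcp any any established`, which is the static approximation the stateful-filtering section above describes; a reflexive list or CBAC closes that gap.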
Module 2: Firewalls
Introduction
Convergence by big vendors to create a firewall that does everything
The more access nodes available, the more ways there are to get into the network.
Defense-in-Depth: layers built into security. E.g. perimeter FWs, internal FWs, IDS,
border routers, internal routers, policies, procedures, audits,...
Why Perform Perimeter Audits?
Many of the rules we’re testing involve complex filtering. Especially, when there are
multiple devices in place doing the filtering. It’s very easy for administrators to make a
mistake, for example, from lack of experience or simply mistyping. When you have
multiple administrators administering devices, the chance of an error occurring
increases. Vendors can also make mistakes.
Firewalls and routers are both needed. There are some moves by both vendor types
to create the functionality of the other. Generally, these should complement each
other.
General Types of Firewalls:
Packet Filter: Fast, low security
Stateful Inspection: Medium, medium security
Proxy or Application Gateway: Slow, high security
NAT
Allows use of private addresses on the Intranet (RFC1918 addresses). Variations include
port forwarding (redirection), many-to-one (Hide NAT), one-to-one (static NAT), NAT
address pool
Audit Preparation
Policies and Procedures
Policies and what to define:
o What information is the firewall protecting?
o What are the expectations of the firewall?
o What risks is the organization willing to take?
o What actions are authorized?
Procedures:
o Change Control
o Backups
o User management
o Password policy
o Patch updates
o Standardized, secure builds for firewall platforms
Firewall Architecture
Review of the architecture should reveal allowed and disallowed data flows.
Logical diagrams illustrate the data flows. The firewall is responsible for controlling
the data flow.
Questions to Ask:
o Are the firewalls segmenting the information correctly?
o Need to add or remove a firewall?
o Need to add or remove network interfaces?
o Are architecture procedures being followed?
o Does the architecture support the security policy?
NIDS Auditing
Nmap can be used to kick off port scans and check for port scan detection. A vulnerability
scanner such as Nessus or Retina can be used for checking payloads. Fragroute can
check for fragmentation, and you can combine each of these with a sniffer to check for
accuracy.
Using Fragrouter
  o Requires Two (2) Machines!
      On host-1, add a route to the destination that goes through host-2, which will
      run fragrouter: route add destination host-2
      Start fragrouter on host-2: fragrouter -F1
      Send attacks from host-1 to destination. Host-2 will intercept and fragment
      the traffic, forwarding it on to the destination host.
  o There are many options available. Read the help file or use fragrouter --help
Modems
Overall War Dialing Approach: Inventory active modems; create baseline; collect
banners; audit active modems for authorization and security issues; recommend
corrective actions; maintain inventory over time
Considerations:
o Permission: Get appropriate permission from everyone that’s involved and
affected.
o What: (scope, range of numbers)
o Cost: Not all countries have flat rate phone charges. This could be costly in
Europe and parts of Asia
o Time (4-digit extension = 10,000 numbers x 30 seconds each = slow
process)
o Avoid emergency numbers and extensions
o Put war dialers behind PBX to avoid DID restrictions and phone charges
o How often should this be done?
o When to call? Day of the week and time of day. 3-day weekends are great, and
after normal business hours to avoid annoying office workers.
Risks: calling emergency numbers; calling people from an ISDN device; night
stations; denial of service (blank voicemails and legacy systems)
Test the Configuration: Check how the software responds to:
o Voicemail
o Person answering
o Busy and disconnected signals
o ISDN
o Etc
Preparing the system:
o Disable power management and screen saver
o Disable fax software
Module 4: Wireless
Bluetooth Wireless
Short range; low bandwidth; PDAs, cell phones, laptops; Security issues include
bluejack, bluesnarfing, DoS (www.bluestumber.com)
Normal recommendations are to set devices to undiscoverable or to turn off
bluetooth.
Bluetooth Tools:
o Bluez: Linux BT
o OpenOBEX:
o Redfang:
o Bluesniff:
o Btscanner:
o Btxml:
[2] WPA designed to replace WEP.
Network Maps
Network maps help by giving us the same view of our network that hackers would have.
Creating a network map is one of the most reliable ways to complete an audit. In this
method, we actually send tests or watch the network in order to identify potential
vulnerabilities.
Safely Mapping Your Network
The Seven P’s of Safe Network Mapping
1. Plan: scan one subnet at a time
2. Policy: Should be developed and followed
3. Permission: Get it before scanning!
4. Publicize: Let others know!
5. Be Present: Before, during, and after for issues that may come up
6. Be Persistent: Identify all devices
7. Provide Feedback!
Host and Network Maps
o Host Maps: Two dimensional representations of the host ports and services
o Network Maps: Three dimensional representation of multiple host ports and
services
Tools
Nessus: Good open source tool
NeWT: Commercial version of Nessus
GFI LANguard: Been around forever
Retina: Best Windows-based tool. Fastest of every tool on the market.
nCircle: Excellent appliance-based (hardened Linux appliance) architecture
MBSA: MS’s local scanner. More of an over-all audit tool.
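A host map is only useful when it is compared with what the policy says each host should expose. The block below is an added example (not from the course notes) that parses nmap's XML output (`-oX`) into a host map of open ports and services and compares it with an authorized-services baseline, reporting unknown hosts, unauthorized open ports, expected services that have disappeared, and baseline hosts the scan never saw. The XML and the baseline are constructed for the demo.

```python
"""Added example, not from the course notes: build a host map (host -> open
ports and services) from nmap's XML output and compare it with the list of
services the policy authorizes. The XML and the authorized list are constructed."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.168.1.30" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports></host>
</nmaprun>
"""

# Constructed policy baseline: which (protocol, port) pairs each host may expose
AUTHORIZED = {
    "192.168.1.10": {("tcp", 22), ("tcp", 80)},
    "192.168.1.20": {("tcp", 1433)},
    "192.168.1.40": {("tcp", 22)},
}


def parse_nmap_xml(xml_text):
    """Return {ip: {(proto, port): service_name}} containing open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        hosts[ip] = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            key = (port.get("protocol"), int(port.get("portid")))
            service = port.find("service")
            hosts[ip][key] = service.get("name") if service is not None else "unknown"
    return hosts


def compare_to_baseline(hosts, authorized):
    """Unknown hosts, unauthorized open ports, expected-but-missing services, unseen hosts."""
    report = {"unknown_hosts": [], "unauthorized": [], "missing": [], "down_hosts": []}
    for ip, ports in hosts.items():
        if ip not in authorized:
            report["unknown_hosts"].append(ip)
            continue
        for key, service in sorted(ports.items()):
            if key not in authorized[ip]:
                report["unauthorized"].append((ip, key, service))
        for key in sorted(authorized[ip] - set(ports)):
            report["missing"].append((ip, key))
    report["down_hosts"] = sorted(ip for ip in authorized if ip not in hosts)
    return report


if __name__ == "__main__":
    for kind, items in compare_to_baseline(parse_nmap_xml(SAMPLE_NMAP_XML), AUTHORIZED).items():
        print(kind, items)
```

Run after each scheduled scan, the report is the "Be Persistent" step in practice: a host that appears in `unknown_hosts` or a port in `unauthorized` is either an undocumented change or something that needs a change-control ticket.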
Securing the DB
DB Structure and Files
Control Files: hold the executable code needed for the proper functioning of the
database
Log Files: audit trail
Data Files: Actual blocks of data being stored
Authentication
Oracle: When authenticating to an Oracle database, there are two methods that can
be used: operating system (OS) authentication and authentication via the password
file. When connecting remotely, a password file should be used unless the
connection is secure, in which case OS authentication can be used.
MS SQL: Windows NT Authentication mode integrates with the OS and is considered
a trusted connection by the DB because it rides on top of the OS which relies on NT
Auth.
o Mixed Mode: Supports Windows NT Authentication and additionally SQL
Server Authentication for non-trusted connections (those not capable of
authenticating via the domain). This second method provides for backwards
compatibility, support for Windows 95/98 clients, and is required for Internet
connections.
Users, Roles and Profiles: All used. Self-explanatory.
Privileges: System vs. Object privileges:
o System: allow a specific action to be performed within the database
o Object: allow access to and manipulation of database objects
o When auditing, you should identify any users with special privileges such as CREATE ROLE, ALTER USER, ALTER ANY ROLE, DROP USER, DROP ANY ROLE, SELECT ANY TABLE, ALTER SYSTEM, CREATE %PROCEDURE, CREATE%LIBRARY%, “%ANY%”, INSERT, DELETE, UPDATE, ALL
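As an added illustration of the privilege check above (example code written for these notes, not a tool from the course or from Oracle), the following Python filters an exported list of grants against the patterns in the list. It assumes the grants were exported from the Oracle views DBA_SYS_PRIVS (as grantee, privilege rows) and DBA_TAB_PRIVS (as grantee, owner, object, privilege rows); the wildcard entries are treated as SQL LIKE patterns, and the sample rows are constructed.

```python
import re

# Patterns listed in the notes above, expressed as SQL LIKE patterns
# ('%' matches any run of characters, as in "CREATE %PROCEDURE" or "%ANY%").
SPECIAL_SYS_PRIV_PATTERNS = [
    "CREATE ROLE", "ALTER USER", "ALTER ANY ROLE", "DROP USER", "DROP ANY ROLE",
    "SELECT ANY TABLE", "ALTER SYSTEM", "CREATE %PROCEDURE", "CREATE%LIBRARY%", "%ANY%",
]

# Object privileges from the same list; they matter when granted on another schema's objects.
WRITE_OBJECT_PRIVS = {"INSERT", "DELETE", "UPDATE", "ALL"}


def like_to_regex(pattern):
    """Translate a SQL LIKE pattern into an anchored, case-insensitive regular expression."""
    pieces = [re.escape(piece) for piece in pattern.split("%")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


COMPILED_PATTERNS = [(p, like_to_regex(p)) for p in SPECIAL_SYS_PRIV_PATTERNS]


def flag_system_privs(grants, ignore=("SYS", "SYSTEM")):
    """grants: (grantee, privilege) rows, e.g. exported from DBA_SYS_PRIVS (assumed format).
    Returns sorted (grantee, privilege, matched_pattern) triples, skipping the
    built-in administrative accounts named in `ignore`."""
    hits = []
    for grantee, privilege in grants:
        if grantee.upper() in ignore:
            continue
        for pattern, regex in COMPILED_PATTERNS:
            if regex.match(privilege.strip()):
                hits.append((grantee, privilege, pattern))
                break  # report the first (most specific) pattern only
    return sorted(hits)


def flag_object_privs(grants):
    """grants: (grantee, owner, object_name, privilege) rows, e.g. from DBA_TAB_PRIVS.
    Flags write privileges granted to someone other than the object's owner."""
    hits = [
        (grantee, owner, obj, priv)
        for grantee, owner, obj, priv in grants
        if priv.upper() in WRITE_OBJECT_PRIVS and grantee.upper() != owner.upper()
    ]
    return sorted(hits)


# Constructed sample export (not from a real database).
SAMPLE_SYS_GRANTS = [
    ("SYS", "ALTER SYSTEM"),
    ("APP_RO", "CREATE SESSION"),
    ("APP_RO", "SELECT ANY TABLE"),
    ("REPORTER", "CREATE PROCEDURE"),
    ("REPORTER", "CREATE ANY PROCEDURE"),
    ("DEV1", "EXECUTE ANY LIBRARY"),
    ("DEV1", "UNLIMITED TABLESPACE"),
    ("PUBLIC", "SELECT ANY DICTIONARY"),
]

SAMPLE_OBJ_GRANTS = [
    ("PUBLIC", "HR", "SALARIES", "UPDATE"),
    ("HR", "HR", "SALARIES", "ALL"),
    ("APP_RO", "HR", "EMPLOYEES", "SELECT"),
    ("BATCH", "HR", "EMPLOYEES", "DELETE"),
]

if __name__ == "__main__":
    for hit in flag_system_privs(SAMPLE_SYS_GRANTS):
        print("system privilege:", hit)
    for hit in flag_object_privs(SAMPLE_OBJ_GRANTS):
        print("object privilege:", hit)
```

Grants to PUBLIC deserve particular attention in the output, since every account inherits them; the `ignore` tuple keeps SYS and SYSTEM out of the report because those accounts hold every privilege by design.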
Tools to use:
Nmap: Check for appropriate ports
Nessus: www.nessus.org contains plugins for Oracle, MS SQL and MySQL
Retina: Contains built-in checks
SQL Server Analyzer: From MS website
Links
Links are connections from one database to another
Link Types
Private – only the owner can use
Public – anyone can use
Global – applies to all databases when a names server is used
Links Specify
o Protocol
o Remote host
o DB name
o Account UID
o Account Password
Map Hosts in the DMZ: Scan them ruthlessly. If you can drop a host by scanning, so can an attacker.
Allow NO EXTRA:
o Ports
o Services
o Applications
Hidden Content
Purpose: Determine if sensitive system information is revealed to clients. The impact is
usually limited to exposure, not the vulnerability, and allows the hacker to focus their
attack by eliminating branches from their attack tree. The controls in this case are
sanitized HTML and client side code and correctly configured web servers.
Examples of hidden content:
o HTTP headers: Check out Netcraft’s website at www.netcraft.com; can also get this from nmap, most scanners, telnet to port 80, and other methods
o Hidden messages in JavaScript: Can record information in Achilles or other tools
o Look for:
<!-- HTML comments
// JavaScript comments
HTTP Header information
NAME=GENERATOR HTML meta tags
Audit Technique: Automated mirroring of the website to your local hard drive for later dissection and analysis
o HTTrack (free): www.httrack.com
o Website Extractor (free): www.esalesbiz.com/extra
o WebCopier (free): www.maximumsoft.com
o Wget (free): www.freshmeat.net/projects/wget
o BlackWidow (commercial): supports HTTP, SSL, FTP; www.softbytelabs.com
o Other tools
Encryption
Again, SSL and TLS do not protect the web application. They do mitigate or eliminate
eavesdropping, hijacking, web spoofing (with web server certificates), and provide client
authentication (with client certificates).
SSL: Secure Socket Layer
TLS: Transport Layer Security
Audit Objective: Determine if the web server is using encryption appropriately
Controls: Presence of encryption; strength of encryption (use of strong ciphers)
Discovery Methods
Netcraft: www.netcraft.com
OpenSSL: If you can connect to the target web server using either one of these commands, then it proves that the target web server is using a weak or null cipher:
Sensitive Output
Purpose: Determine if sensitive output from the web application/server is protected in transit and on the client (not always possible – depends on client setup)
Controls:
o Encryption: Covered in previous section
o Anti-Caching
Caching occurs in two places: the browser (local to the client) and the proxy
Truth is that with forensic tools most of the data a user views can be recovered with standard browser configurations. This is beyond the scope of this course. See Hacking Exposed: Computer Forensics or other technical forensic-related books for detailed information on recovering this kind of data.
Real risk depends on the organization
Session Tracking
HTTP is a stateless protocol and does not persist as a continuous connection. A session is a unique instance of a specific user interacting with a web application. The session identifier is originally determined and sent by the server, and given to the client before, during, or immediately after authentication. Not all session IDs require authentication; Yahoo, other search engines, and other sites issue them to unauthenticated users. Afterwards, for each request, the client sends the ID back to the server so the server can track the client’s interaction with the web server. This is a means of identifying the user.
Basic Components of Session Tracking
Session ID: The unique identifier used (e.g. SID=2uy234tyu23t5%2332%23)
Session Tracking Mechanism: How the session ID is embedded into the client/server traffic (e.g. cookie or URL embedded)
and copy the information into the Automated View State Decoder Tool. Click Decode
and view the decoded data on the right.
Action Forms
Purpose: The primary focus of this section is to ensure the security of sensitive data submitted via HTML forms. In general, the ACTION method should be POST, not GET.
Controls: Encryption and ACTION method of POST
The GET method is dangerous in that it exposes user parameter values in:
o User web browser history file
o Web server logs
o Other websites through the HTTP Referrer field
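The following Python is an added example written for these notes (not a tool from the course) that runs the checks from the Hidden Content section and from this Action Forms section over one page saved by a mirroring tool: it collects HTML comments, JavaScript comments, NAME=GENERATOR meta tags and hidden fields, and flags any form that would carry password or hidden values in the URL because its method is GET (or missing, which also means GET). It uses only the standard library; the sample page, its paths and the CMS name are constructed placeholders.

```python
import re
from html.parser import HTMLParser


class PageAuditor(HTMLParser):
    """Collect the things the notes say to look for: HTML comments, JavaScript
    comments, generator meta tags, hidden fields, and forms that submit via GET."""

    def __init__(self):
        super().__init__()
        self.html_comments = []
        self.js_comments = []
        self.generators = []
        self.forms = []
        self._in_script = False
        self._form = None

    def handle_comment(self, data):
        self.html_comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generators.append(a.get("content") or "")
        elif tag == "script":
            self._in_script = True
        elif tag == "form":
            # A form without a method attribute submits with GET.
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").upper(),
                          "inputs": []}
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(((a.get("type") or "text").lower(), a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

    def handle_data(self, data):
        if self._in_script:
            # Whole-line // comments and /* ... */ blocks; URLs such as http:// are not matched.
            self.js_comments += [m.strip() for m in re.findall(r"(?m)^[ \t]*//(.*)$", data)]
            self.js_comments += [m.strip() for m in re.findall(r"/\*(.*?)\*/", data, re.S)]


def audit_html(page):
    """Return (kind, detail) findings for one mirrored HTML page."""
    p = PageAuditor()
    p.feed(page)
    p.close()
    findings = [("html-comment", c) for c in p.html_comments]
    findings += [("generator-meta", g) for g in p.generators]
    findings += [("js-comment", j) for j in p.js_comments]
    for form in p.forms:
        sensitive = [name for kind, name in form["inputs"] if kind in ("password", "hidden")]
        if form["method"] != "POST" and sensitive:
            findings.append(("get-form", "%s sends %s in the URL" % (form["action"], sensitive)))
        findings += [("hidden-field", name) for kind, name in form["inputs"] if kind == "hidden"]
    return findings


# Constructed sample page (not from any real site).
SAMPLE_PAGE = """<html><head>
<meta name="generator" content="ExampleCMS 1.2">
<!-- TODO: remove test login /admin-old before go-live -->
<script>
// legacy auth helper, still used by /cgi-bin/login.pl
var debug = false; /* set true on staging */
</script>
</head><body>
<form action="/login" method="get">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="next" value="/account">
</form>
<form action="/search" method="post"><input type="text" name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_PAGE):
        print(kind, "->", detail)
```

Run it over every file in the mirrored tree and review the findings by kind: comments and generator tags are the exposure findings from the Hidden Content section, while a `get-form` finding is the control failure this section describes (the values would land in browser history, server logs and Referrer headers).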
This section is much shorter and much less complex than auditing web applications,
covered in the next section. This is because there are more web applications from more
vendors than there are web servers.
Notes on IIS 5
Quick IIS 5.0 Checklist
1. Set ACLs on virtual directories
2. Set ACLs on log files
3. Enable logging
4. Disable (better to remove) sample applications
5. Remove IISADMPWD virtual directory
6. Remove unused script mappings
7. For a more complete checklist, see the section above on researching possible vulnerabilities
Web Primer
HTML vs. HTTP
HTML is shuttled back and forth across the Internet via HTTP.
o HTTP – HyperText Transfer Protocol
Browsers and web servers speak HTTP. Client requests are HTTP, and server responses are HTML wrapped in HTTP
Content-Length; GET vs. POST; Referrer fields
Just text; the client can view, analyze, and modify all HTTP; user input is separated by ampersands (&); cookies are just HTTP headers
See www.asciitable.com for a list of common URL encodings (e.g. %3D for the equals sign (=))
o HTML – HyperText Markup Language
Forms and form elements
Comments; client-side input restrictors
Just text; not case-sensitive; quotes usually optional; “Hidden” isn’t hidden
SSL / TLS
Secure Sockets Layer version 3.0 = Transport Layer Security version 1.0.
Only encrypts traffic; does not protect the contents on the web server. SSL does not protect web applications, only the conversation.
GET vs. POST
Both work, and both have their own potential security issues.
GET: user input is within the URL requested, e.g. a Yahoo.com search.
POST: user input is within the body of the request, e.g. an Amazon.com search.
Cookies
Cookies are a general mechanism that a web server can use to store and retrieve information on the client (web browser), consisting of small amounts of text transmitted in special HTTP headers.
Cookie Parts:
1. Name: Cookie identifier
Christopher Davis Course Notes 39
Audit 507: Auditing Networks, Perimeters, and Systems
2. Domain: Range of hosts where the browser is permitted to transmit the cookie
3. Path: Range of URLs where the browser is permitted to transmit the cookie
4. Expires: When browser must no longer store the cookie
5. Secure: Use SSL or not
6. Data: Can be anything; arbitrary strings of text
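As an added example (written for these notes, not from the course or from any of the proxy tools listed), the following Python splits Set-Cookie headers into the parts listed above using the standard http.cookies module and applies the audit checks that follow from them: a cookie on an HTTPS site should carry the Secure flag, the Domain should not be broader than the site, and a session identifier should not be made persistent with Expires. The HttpOnly check and the list of session cookie names are additions not found in the notes; the sample headers are constructed, with the SID value taken from the Session Tracking section.

```python
from http.cookies import SimpleCookie

# Names commonly used for session identifiers (constructed list; extend it for the application under audit).
SESSION_COOKIE_NAMES = {"SID", "JSESSIONID", "PHPSESSID", "ASP.NET_SESSIONID"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into the parts listed in the notes."""
    jar = SimpleCookie()
    jar.load(header_value)
    parts = []
    for name, morsel in jar.items():
        parts.append({
            "name": name,
            "data": morsel.value,
            "domain": morsel["domain"],
            "path": morsel["path"],
            "expires": morsel["expires"],
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
        })
    return parts


def audit_cookies(set_cookie_headers, over_https=True):
    """Return (cookie_name, finding_code) pairs for a list of Set-Cookie header values."""
    findings = []
    for header in set_cookie_headers:
        for ck in parse_set_cookie(header):
            name = ck["name"]
            if over_https and not ck["secure"]:
                findings.append((name, "no-secure-flag"))         # browser will also send it over plain HTTP
            if not ck["httponly"]:
                findings.append((name, "no-httponly-flag"))       # readable by client-side script
            if ck["domain"] and "." not in ck["domain"].lstrip("."):
                findings.append((name, "domain-too-broad"))       # e.g. Domain=.com
            if name.upper() in SESSION_COOKIE_NAMES and ck["expires"]:
                findings.append((name, "persistent-session-id"))  # survives browser close
    return findings


# Constructed sample headers, as captured in an intercepting proxy.
SAMPLE_HEADERS = [
    "SID=2uy234tyu23t5%2332%23; Path=/; Domain=.example.com; Secure; HttpOnly",
    "PHPSESSID=abc123; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
    "prefs=lang%3Den; Domain=.com; Path=/app; Secure",
]

if __name__ == "__main__":
    for name, code in audit_cookies(SAMPLE_HEADERS):
        print("%-10s %s" % (name, code))
```

The first header passes every check; the other two show what the proxies listed below typically surface: a session ID that is sent over plain HTTP and kept on disk, and a preference cookie scoped to an entire top-level domain.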
Web Scarab: from OWASP; work in progress; excellent freeware tool; should look around OWASP as well; www.owasp.org/software/webscarab.html
Spike Proxy: www.immunitysec.com/resources-freesoftware.shtml
Paros: www.proofsecure.com
Burp Proxy: www.portswigger.net/proxy
WebProxy by @Stake (commercial product): www.atstake.com/products/webproxy
Malicious Input
Purpose: Ensure the application properly handles malformed (unexpected) user input so that the server doesn’t reveal information.
Controls: Server-side filtering of user input (size, type of content, or characters allowed)
Depending on what is being changed and why (potential impact), user input testing is known by names such as: Hidden Field Manipulation, Stealth Commanding, Buffer Overflows
User inputs to attempt manipulating, if possible:
o All form elements
o All cookies
o Session IDs
o HTTP headers used by the site/application
User Input Testing Tools
Screaming Cobra: www.cobra.lucidx.com
Web Sleuth: www.geocities.com/dzzie/sleuth
Spike Proxy: www.immunitysec.com/resources-freesoftware.shtml
Nessus Plugins
Suggested Controls:
Filter everything from the user’s browser that is used by the server!
User Input Audit Recommendations:
Test every form element, recording permutations and output
Record verbose messages produced from form element testing
Test HTTP headers, recording permutations and output
Record verbose messages produced from HTTP header testing
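The suggested control above, server-side filtering of everything the browser sends, as an added Python example written for these notes (not code from the course or from any real application): every accepted parameter has a maximum size and an allow-list of characters, and any parameter not in the table is rejected, which is what defeats hidden-field manipulation. The rules table is constructed for a hypothetical login form.

```python
import re

# Server-side rules for every parameter the application accepts: maximum size and
# an allow-list of characters. Anything not in this table is rejected outright.
# (Constructed example rules for a hypothetical login form, not from any real application.)
FIELD_RULES = {
    "user": {"max_len": 32,  "pattern": r"[A-Za-z0-9_.-]+"},
    "pass": {"max_len": 128, "pattern": r"[^\x00-\x1f\x7f]+"},   # any printable character, length-capped
    "page": {"max_len": 4,   "pattern": r"[0-9]+"},
}


def validate_param(name, value):
    """Check one parameter against the rules. Returns (ok, reason)."""
    rule = FIELD_RULES.get(name)
    if rule is None:
        return False, "unexpected parameter"          # e.g. a hidden field added or renamed by the client
    if len(value) > rule["max_len"]:
        return False, "too long"                      # size check first: stops oversized input early
    if not re.fullmatch(rule["pattern"], value):
        return False, "disallowed characters"         # markup, shell metacharacters, control bytes, etc.
    return True, "ok"


def validate_request(params):
    """Validate every submitted parameter (form fields, cookies, or headers alike).
    Returns {name: reason} for the rejected ones; an empty dict means accept."""
    problems = {}
    for name, value in params.items():
        ok, reason = validate_param(name, value)
        if not ok:
            problems[name] = reason
    return problems


# Constructed submissions, as they might arrive from a form, cookie or header.
GOOD_REQUEST = {"user": "alice", "pass": "correct horse", "page": "2"}
BAD_REQUEST = {
    "user": "<script>alert(1)</script>",   # disallowed characters
    "page": "99999",                        # too long
    "price": "0.01",                        # hidden-field manipulation: a parameter the form never offered
}

if __name__ == "__main__":
    print("good:", validate_request(GOOD_REQUEST))
    print("bad:", validate_request(BAD_REQUEST))
```

The same table drives the audit: each rule is a test case (one value at the limit, one just over it, one with characters outside the allow-list), and the verbose messages recorded during testing show whether the application enforces the rule or lets the input through to the back end.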
Auditing XSS
Scan with updated CGI scanner to test for known XSS exploits
Attempt to find an error that will embed data from the URL into the HTML code and display user input, e.g. JavaScript embedded in the URL
The topics covered in this section are intended to focus on auditing, not necessarily
securing Windows machines. Some things here apply to NT, but overall, Windows NT
should be considered a security risk. Topics covered here include:
Basic System Information
Running Necessary Components and Services
Users, Groups, and Passwords
Protecting Data
Operating System and Application Security
Auditing and Logging
Ongoing Monitoring
Tools Available
OS Tools
Local Security Policy / Group Policy
SCAT (Security Configuration and Analysis)
Support Tools and Windows Resource Kit
Event Viewer
Registry Viewer
Many More
Third Party Tools
Sysinternals
Foundstone
DiamondCS
Somarsoft
Cygwin
UnxUtils
Many More
Remember
1. Baseline your systems. There are many tools we’ll discuss here that give text-based outputs that will baseline your systems for you.
2. Policies pushed from AD affect the security of your clients. Client security is impacted by domain settings.
3. The resultant set of policies is your effective policy set. You must consider the whole, the sum of the parts, and not just the individual host. Trusts, domain admins, and other users may affect the security perimeter and subsequent attack surface of the host.
4. Non-technical issues to think about include:
a. Appropriate separation of duties
b. Principle of least privilege
c. New account setup
d. Password management and change
e. Backup policies
Research
Many sites exist containing checklists and white papers for securing Windows machines
Microsoft: www.microsoft.com/technet/security/default.mspx
o Checklists, security guides, services information, certified configurations, much more
US NSA (National Security Agency): www.nsa.gov/snac/index.cfm
US NIST (National Institute of Standards and Technology): www.csrc.nist.gov
DISA (Defense Information Systems Agency): restricted to .mil only; www.disa.mil
Purpose: Identify basic information about the host including OS type, OS version, system
information, hardware information, and partition information.
Purpose: Only necessary components and services should be running on the host.
Look for orphaned user accounts for users that have left the organization or that are not using a valid account (e.g. has not been logged into for >30 days or >60 days).
Audit use of special accounts such as Administrator or Guest
Audit use of built-in accounts
User Tools include
net user: Lists the user accounts on a system
addusers: Windows Resource Kit tool; allows you to dump a list of users, local groups, global groups, and group memberships from a local computer or domain. Run it with switches like this:
addusers \\hostname /d <file_name>
rasusers: Lists all users that have remote access permissions
DumpSec: Somarsoft tool; formerly DumpACL
Group Tools Include
net group: Also net localgroup
findgrp: ResKit tool; lists all groups of which a given domain user is a member, including indirect memberships. Very useful for tracing user memberships. The user must be a domain user.
showgrps: ResKit tool; lists all groups of which a given user is a member, including indirect memberships. Very useful for tracing user memberships. Designed for use on the local host.
showmbrs: ResKit tool; lists all members of a specific group
Password Considerations
Every account should have a password
Regular password changes enforced
Strong passwords used and enforced through:
Logical Controls: e.g. the server forces the user to use strong passwords
Process: e.g. the method by which passwords are issued, especially if automated
Policy: e.g. Windows Server Policy
Good encryption used to store passwords; syskey; LM turned off
No blank passwords
Passwords should have age restrictions (expire)
Accounts should lock out after x number of invalid logon attempts
Password Tools Include
net accounts: listing of basic password policy settings
DumpSec: Somarsoft tool; formerly DumpACL; dumps password policy, audit policy, and trust information from a local or remote host
L0phtCrack: Symantec bought @stake; LC is now at version 5 (LC5)
John the Ripper: Openwall’s tool; http://www.openwall.com/john
pwdump: May be needed to dump the SAM to feed into John
MBSA: MS’s tool checks for a few really, really dumb passwords.
Purpose: Ensure OS-specific vulnerabilities are addressed and security features are
enabled
Baseline Method
Baseline the system
Monitor against the baseline
Use file compare (fc.exe) or other tools to do this
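The baseline method above, as an added Python example (written for these notes, not a tool from the course): one function compares two text snapshots line by line the way fc.exe does, using the standard difflib module, and two more keep a hash baseline of files and report what changed, appeared or vanished since it was taken. The snapshots and file contents are constructed; the service and file names are illustrative only.

```python
import difflib
import hashlib


def text_diff(baseline, current):
    """Compare two text snapshots (e.g. saved tool output) line by line.
    Returns the lines that disappeared and the lines that appeared, in order."""
    base_lines = baseline.splitlines()
    cur_lines = current.splitlines()
    removed, added = [], []
    matcher = difflib.SequenceMatcher(a=base_lines, b=cur_lines, autojunk=False)
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op in ("delete", "replace"):
            removed += base_lines[i1:i2]
        if op in ("insert", "replace"):
            added += cur_lines[j1:j2]
    return {"removed": removed, "added": added}


def hash_baseline(files):
    """files: {path: bytes}. Returns {path: sha256 hex digest} to keep as the baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_to_baseline(baseline_hashes, current_hashes):
    """Report files that changed, appeared, or vanished since the baseline was taken."""
    return {
        "changed": sorted(p for p in baseline_hashes
                          if p in current_hashes and baseline_hashes[p] != current_hashes[p]),
        "new": sorted(p for p in current_hashes if p not in baseline_hashes),
        "missing": sorted(p for p in baseline_hashes if p not in current_hashes),
    }


# Constructed snapshots of a service listing, taken at baseline time and later.
BASELINE_SERVICES = """Alerter      Stopped
EventLog     Running
Messenger    Stopped
Telnet       Stopped
"""
CURRENT_SERVICES = """Alerter      Stopped
EventLog     Running
Messenger    Running
Telnet       Stopped
ExampleAgent Running
"""

# Constructed file contents for the hash baseline (placeholder data, not real system files).
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/hosts": b"127.0.0.1 localhost\n10.0.0.5 example-host\n",
    "/etc/rc.local": b"#!/bin/sh\n",
}

if __name__ == "__main__":
    print(text_diff(BASELINE_SERVICES, CURRENT_SERVICES))
    print(compare_to_baseline(hash_baseline(BASELINE_FILES), hash_baseline(CURRENT_FILES)))
```

Store the baseline hashes and text snapshots somewhere the audited host cannot write to; a baseline that lives on the host it describes can be altered along with the files it is meant to watch.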
UNIX Basics
Everything is a File
As far as possible, everything is written and treated as a file
o Directories are files containing pointers to other files
o Files are files
o Devices are special files
o Network sockets are files too
Files and Permissions
Defined for: Owner; Group; World
dr-xr-xr-x 1 user group 0 Mar 9 20:45 Favorites
Set-UID (SUID) Program
It is possible to set the permissions on a file so that the person running the program inherits the effective user ID (EUID) of the user who owns the file. This is known as a SUID program. Essentially, this means that the process under which the program runs has all the rights and permissions of the owner of the file. The /bin/passwd program, for example, is typically a SUID program owned by root; this is more or less required since only the root user may alter the password file on the system.
File Notation
File with permissions of 555:
    Owner   Group   World
d | r-x   | r-x   | r-x
1 | 421   | 421   | 421
The first character listed determines the file type:
o l – Link
o c – Character device
o b – Block device
o p – Pipe
o d – Directory
Permissions are natively octal
The SUID, SGID and sticky bits use the same 4/2/1 weighting and form one more octal digit, placed in front of the owner, group and world triplets:
o SUID = 4
o GID = 2
o Sticky = 1
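The notation above, as an added Python example (written for these notes, not a tool from the course): it converts an ls -l mode string to its octal value including the special digit (SUID=4, SGID=2, sticky=1), converts back, and scans ls -l style output for every entry carrying a SUID or SGID bit, which is the list an auditor should reconcile against what the system actually needs. The ls output is constructed; the names, sizes and dates are illustrative only.

```python
import re


def mode_to_octal(mode):
    """Convert a 10-character ls -l mode string such as '-rwsr-xr-x' into
    (file_type_char, permission_bits), where the bits include the special digit
    (SUID=4, SGID=2, sticky=1) in front of owner, group and world, e.g. 0o4755."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode string: %r" % mode)
    ftype, perms = mode[0], mode[1:]
    special, bits = 0, 0
    weights = (4, 2, 1)                       # r, w, x within each triplet
    for i, ch in enumerate(perms):
        triplet, pos = divmod(i, 3)           # 0 owner, 1 group, 2 world
        shift = 3 * (2 - triplet)
        if ch in "rwx":
            bits |= weights[pos] << shift
        elif ch in "sS" and pos == 2 and triplet < 2:
            special |= 4 if triplet == 0 else 2
            if ch == "s":                     # lowercase: the execute bit is also set
                bits |= 1 << shift
        elif ch in "tT" and pos == 2 and triplet == 2:
            special |= 1
            if ch == "t":
                bits |= 1
        elif ch != "-":
            raise ValueError("unexpected character %r in %r" % (ch, mode))
    return ftype, (special << 9) | bits


def octal_to_mode(value):
    """Inverse of mode_to_octal for the nine permission characters, e.g. 0o4755 -> 'rwsr-xr-x'."""
    special = (value >> 9) & 7
    out = []
    for triplet in range(3):
        b = (value >> (3 * (2 - triplet))) & 7
        out.append("r" if b & 4 else "-")
        out.append("w" if b & 2 else "-")
        if special & (4, 2, 1)[triplet]:
            out.append(("s" if triplet < 2 else "t") if b & 1 else ("S" if triplet < 2 else "T"))
        else:
            out.append("x" if b & 1 else "-")
    return "".join(out)


def find_special_bit_files(ls_output):
    """Scan ls -l style lines and return (name, owner, octal_string) for every entry
    carrying a SUID or SGID bit."""
    hits = []
    for line in ls_output.splitlines():
        fields = line.split(None, 8)          # mode links owner group size month day time name
        if len(fields) < 9 or not re.fullmatch(r"[-dlcbps][-rwxsStT]{9}", fields[0]):
            continue
        _, value = mode_to_octal(fields[0])
        if value & 0o6000:
            hits.append((fields[8], fields[2], oct(value)[2:]))
    return hits


# Constructed ls -l output (file names, sizes and dates are illustrative only).
SAMPLE_LS = """\
-rwsr-xr-x 1 root    root    54256 Mar  9 20:45 /usr/bin/passwd
-rwxr-xr-x 1 root    root    12345 Mar  9 20:45 /usr/bin/ls
-rwsr-xr-x 1 appuser appuser  9876 Mar  9 20:45 /opt/app/helper
-rwxr-sr-x 1 root    tty     15272 Mar  9 20:45 /usr/bin/wall
dr-xr-xr-x 1 user    group       0 Mar  9 20:45 Favorites
"""

if __name__ == "__main__":
    for name, owner, octal in find_special_bit_files(SAMPLE_LS):
        print("%-20s owner=%-8s mode=%s" % (name, owner, octal))
```

An entry such as /opt/app/helper, SUID and owned by a non-root account, still deserves a look: whoever can run it acts as that account, so the file belongs in the baseline alongside the root-owned ones.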
Manipulating Files
chmod: modify permissions on a file
UNIX Logs
/var/run/utmp: current login “snapshot”
/var/log/wtmp: login/logout history
/var/log/btmp: bad login history
/var/log/messages: also called the syslog file; messages from the syslog facility; contains a copy of each system message that is displayed on the console; can be a rich source of information; review for indications of system trouble, including failed devices, filled file systems, and system misconfigurations; some systems have both messages and syslog files
o /etc/syslog.conf – contains configuration details about where information is sent.
/var/log/secure: access and authentication logs
/var/run/utmp: contains a snapshot of the current users; contents are ephemeral (short-lived, temporary); username, terminal, login time, remote host
o who - queries the utmp file
lsof: “lists open files”; files are held open by processes, and since much of the OS is held in files, you can get at a lot of the OS with lsof; perfect for process, file, and network status investigations; can produce output suitable for other programs; ftp://vic.cc.purdue.edu/pub/tools/unix/lsof
o lsof -i: use to identify network connections
ps -aux: lists processes
top: general process information updated in real time
/etc/inetd.conf: Think of inetd as a service broker, where requests for services are made through inetd, and the services that it brokers are defined in /etc/inetd.conf. One way to disable some extraneous services is to comment out their entry in /etc/inetd.conf.
/etc/xinetd.conf: xinetd is the updated version of inetd, with access controls built in from TCP Wrappers, providing access control from the super daemon without a need to call tcpd for each of the services as they start.
Patch Information:
o patchdiag: Sun
o up2date: RedHat
o showrev -p: UNIX
UNIX NFS
Purpose: Identify if NFS is running.
Easiest method:
See previous information above and also try:
ps -aux | grep -E '(nfs)|(lockd)|(statd)|(mountd)|(rpc)'
Other tools available for NFS include:
o nfstrace: sniffer that runs on an IDS or Ethernet interface on an NFS server; collects all NFS-related packets; ftp://ftp.cerias.purdue.edu/pub/tools/unix/
o nfswatch: Similar to nfstrace but not as detailed; reports NFS problems and throughput; ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils
Logon Banners
Check for logon banners in the following files:
cat /etc/issue
cat /etc/issue.net
cat /etc/motd
tail /etc/rc.d/rc.local
Government Resources
US NSA (National Security Agency): www.nsa.gov/snac/index.cfm
US NIST (National Institute of Standards and Technology): www.csrc.nist.gov
DISA (Defense Information Systems Agency): restricted to .mil only; www.disa.mil
General Research
SCORE Project (Security Benchmarks)
Help Net Security (Vulnerability Info)
COTSE (Church of the Swimming Elephant - Online Toolbox)
Netcraft (Identifies what a website is running for you)
Securityfocus.com Archive
SANS Institute (Cooperative Education and Research Institute)
BugTraq and Security Focus (Newsletter/ Well-known site)
Packet Storm (Search and on the fly updates. Try the Quick Check)
Zone-H (Misc Downloads)
OWASP The Open Web Application Security Project
CVE Common Vulnerability and Exposure List
CERT Advisories (Carnegie Mellon Software Institute advisories)
Microsoft TechNet Security (MS Windows Security Forum/Info)
http://www.k-otik.com/
Windows Security
ntsecurity.nu/toolbox/
Open Source Vulnerability Database
ICAT Metabase Vulnerability DB
Openwall (Free Password Cracking)
www.sqlsecurity.com (SQL injection FAQ, tools, resources)
www.homeport.org/~adam/review.html (Secure Code Review Guidelines)
There are literally hundreds of tools, and listing them all here just isn’t practical. However,
here is a list of tools mentioned in the course and a few more that should be mentioned.
Auditing Perimeters
Routers
RAT (Router Audit Tool) Available from: http://www.cisecurity.org
Firewalls
Network mapping: nmap, hping, nemesis, others
Passive vulnerability assessment: Ethereal, tcpdump, windump, others
Active vulnerability testing: Nessus, Retina, others
Auditing Networks
War Dialing
Toneloc
THC Scan
Phone Tag
Rasusers
TBA (Palm OS)
Microsoft’s HyperTerminal
PhoneSweep
Sandtrap
Procomm Plus
Bluetooth
Bluez
OpenOBEX
Redfang
Bluesniff
Btscanner
Btxml
Wireless Auditing
Physical Audits: Netstumbler, Kismet, other tools to detect the wireless signals
Logical Audits: Nessus, Retina, and other tools can detect the MAC and identify the router as an AP; can also do this with TCP/IP fingerprinting, FTP printing, etc.
Network Mapping
nLog (www.digitaloffense.net/nlog)
ndiff: Utilizes nmap output to identify the differences or changes
Web Auditing
Nikto: Nessus can leverage Nikto
N-Stealth
Whisker
OWASP (http://owasp.org/)
Vulnerability Assessment
Nessus: Good open source tool
NeWT: Commercial version of Nessus
GFI LANguard: Been around forever
Retina: Best Windows-based tool. Fastest of every tool on the market.
nCircle: Excellent appliance-based (hardened Linux appliance) architecture
MBSA: MS’s local scanner. More of an overall audit tool.
SQL and Database Auditing
SQL Injection Basics: see OWASP (http://owasp.org/) for excellent tutorials.
Nmap: Check for appropriate ports
Nessus: www.nessus.org contains plugins for Oracle, MS SQL and MySQL
Retina: Contains built-in checks
SQL Server Analyzer: From MS website
Search for Trojan horse programs
List of common Trojan ports: www.doshelp.com
CGI Scanning
N-Stealth: www.nstalker.com/nstealth
Multiple at: www.packetstormsecurity.org/UNIX/cgi-scanners/indexdate.shtml
Brute Force Authentication
Brutus: www.hoobie.net/brutus/index.html
Traffic / Protocol Analysis
Ethereal
Traffic Interception & Manipulation
Achilles: www.achilles.mavensecurity.com
Odysseus: www.wastelands.gen.nz/index.php?page=odysseus
Common Tools of the Trade
IE Booster: Easy way to see and change hidden form elements;
www.freewareweb.com/cgi-bin/archive.cgi?ID=1594
Screaming Cobra: Uses Perl; attacks ACTION statements (i.e. forms);
www.cobra.lucidx.com
Stunnel: Adds SSL support for other tools; www.stunnel.org
Web Sleuth: version 1.36 is free; www.sandsprite.com/sleuth/download.html
Web Scarab: from OWASP; www.owasp.org/software/webscarab.html
Spike Proxy: www.immunitysec.com/resources-freesoftware.shtml
Paros: www.proofsecure.com
Burp Proxy: www.portswigger.net/proxy
WebProxy by @Stake (commercial product): www.atstake.com/products/webproxy
User Input Testing Tools
Screaming Cobra: www.cobra.lucidx.com
Web Sleuth: www.geocities.com/dzzie/sleuth
Spike Proxy: www.immunitysec.com/resources-freesoftware.shtml
Nessus Plugins
Auditing Windows
Built-in Command Line Tools
ver: Lists Windows OS version information
systeminfo: Great short listing of the system information
GUI Windows Tools
msinfo32: GUI-based interface; can export a lengthy report to a text file
Third-Party Tools (mostly command line)
psinfo: One of many Sysinternals tools.
System Patches and Updates
hfnetchk / qfecheck
MBSA (Microsoft’s Baseline Security Analyzer)
Patch Management Tools: SUS / WUS / SMS; other third-party tools
Auditing UNIX
Manipulating Files
chmod: modify permissions on a file
ls: list files in a directory
cat: roughly equivalent to MS’s type command
more or less: view the contents of a file or output one screen at a time
head or tail: view the first or last few lines of a file
man: UNIX help pages
UNIX Services
rpcinfo is a standard tool to query services
UNIX Services: NIS
yppasswd – used to update password information in a NIS environment
ypcat – used to view the ASCII text versions of the database files
yppush – used by the NIS server to push updates to NIS slave servers
UNIX System Information
uname -a: processor and OS information; universally available
mount: currently mounted file systems and sizes
fdisk -a: validates mounted versus actual disk areas