AuditCasts with David Hoelzer

35 Episodes

Greetings! A few quick things.

First, many folks from the class said that they knew others in the office who should attend this class. If you do know someone like that, there’s a vLive class (taught completely online, two nights each week over six weeks) starting on August 4. I’m pretty sure that there’s even an offer to get an Apple laptop or get $850 off of the class for the session that’s starting up. If you know someone who would benefit from attending, auditor or not, please let them know! (Discount/laptop deal: https://www.sans.org/vlive/specials - AUD507 - https://www.sans.org/vlive/details/35515)

Here are the course notes that I made during our recent 507 class. If there’s something else that you’re looking for that I forgot to include below, please let me know!

Also, please remember that you can use your existing VPN credentials to our lab to connect to and work on the AuditWars challenge at https://score.enclaveforensics.com. Of course, that link will only work if you are already connected to our VPN (don’t forget to run the interface as an administrator!).

Finally, I’ve attached a set of handy PowerShell scripts that a student donated to the end of this email. To use them you will want to open them up and search for the word “insert” so that you can insert the relevant information from your domain.

If you try to watch the lab videos (Disks 3 & 4) and find that some of them don’t seem to work, it is probably a missing codec. If you go to http://videolan.org and download that *free* player, they work just fine. :)

Feel free to link to me: http://www.linkedin.com/profile/view?id=34778231
I also try to tweet useful stuff now and then: http://twitter.com/it_audit
And periodically post useful YouTube videos: https://www.youtube.com/user/DHAtEnclaveForensics

Have a great day!
Day 2 Stuff:
Router Auditing: http://auditcasts.com/screencasts/2-do-differences-matter
NMap Management & Auditing Scripts: http://www.unspecific.com/nmap
WPA2 PSK Hacking Demo: http://auditcasts.com/screencasts/3-auditing-hacking-wpa-wpa2
Finding Wireless Clients: http://auditcasts.com/screencasts/4-can-you-hear-me-now
NMap Difference Tracking: http://auditcasts.com/screencasts/5-herding-the-cats
NMap Difference Tracking Continued: http://auditcasts.com/screencasts/6-cat-herding-part-deux-nmap-differences

Day 3:
Fuzzing with WebScarab: http://auditcasts.com/screencasts/8-effective-webscarab-fuzzing
Scaling WebApp Fuzzing: http://it-audit.sans.org/blog/2011/07/25/scaling-input-fuzzing-with-webscarab

Day 4:
Getting users:
    dsquery user -s 507dc.enclaveforensics.com -u auditor -p Password1

Getting users whose passwords never expire:
    dsquery * -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -s 507dc.enclaveforensics.com -u auditor -p Password1

Bit masking for LDAP: (userAccountControl:1.2.840.113556.1.4.803:=####)
The OID 1.2.840.113556.1.4.803 is the bitwise-AND matching rule: the clause matches only when every bit in #### is set on the attribute, so flags are combined by adding their values (544 = 512 + 32 selects normal accounts that are not required to have a password). To match accounts that have any of several bits set, use the bitwise-OR rule 1.2.840.113556.1.4.804 instead.

Users who are not required to have a password:
    dsquery * -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=544))" -s 507dc.enclaveforensics.com -u auditor -p Password1 -attr samaccountname

Getting last logon timestamps:
    dsquery * -filter "(&(objectCategory=Person)(objectClass=user))" -attr lastLogonTimeStamp sAMAccountName -s 507dc.enclaveforensics.com -u auditor -p Password1

Two things to keep in mind: dsquery stops after 100 objects unless you add -limit 0, and lastLogonTimeStamp is only written back when the stored value is more than 9 to 14 days old, so it tells you about accounts unused for months, not days.

Useful bit values for userAccountControl:
    2      Disabled account
    16     Locked out (documented, but Active Directory does not maintain this bit in the stored attribute; check lockoutTime instead)
    32     Password not required (can be blank)
    512    Normal account
    65536  Password never expires

http://auditcasts.com/screencasts/19-detecting-signs-of-apt-and-malware
UAC values: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144
Heartbleed has been making headlines for the last week and you can find some saying that it's 11 out of 10 on the impact scale while others are downplaying the severity of the flaw and the long term impact. What's the real deal? What are you telling your CEO when he asks you what this means for your company? In this short video we'll take a look at how quickly and easily a site can be attacked and then we'll look at actual captured data to see what the impact could be. With that data as context we'll explain to you why this matters and what it means for your company if your server was vulnerable. Especially since there is mounting evidence that this vulnerability was known by attackers since as early as October of 2013, organizations could be looking at massive amounts of leaked data from busy vulnerable servers.
Layer 2 control-plane protocols such as STP, MSTP, TRILL, SPB, CDP and VTP, along with first-hop redundancy protocols like HSRP, should never be visible on user-facing ports. There are some technical challenges when deploying something like VoIP in a converged network, but barring that, having these protocols exposed is an easy-to-find and obvious indication of misconfiguration: a port that leaks them to an end station is typically one that will also listen to them (no BPDU Guard, CDP or VTP left enabled on an access port). In this short video we look at a quick intro to Wireshark, look at a few of its features and see easy ways to find these packets if they are visible. We also talk about how a network engineer or security engineer would weed out traffic, identifying interesting traffic that does not belong. This video is a sample of one of the labs covered in the SANS Advanced Audit course (AUD507) by David Hoelzer. Visit http://www.sans.org for more information!
Virtualization is here to stay. That's not to say it's a bad thing, but among the things that we spend some time talking about in the SANS Audit 507 course are the most common and most serious security misconfigurations and hazards that we find in virtualized environments. Also in the course we spend time demystifying the VMware Best Practices guide and give clear reasons why some of what it recommends is just plain old bad advice! This video, however, gives you a brief 34 minute look at one of the lab exercises in that audit/security course. The lab will give you broad-brush familiarity with the vSphere management client, discuss common issues in ESXi configurations and demonstrate how to get specific data related to some of the more common problem areas in these systems. For a more detailed discussion of this topic and many others you might consider this class: http://www.sans.org/course/auditing-networks-perimeters-systems
UNIX systems, at least up to a point, tend to be deterministic: on a traditional sequential (sysvinit-style) boot the same daemons start in the same order and therefore receive the same process IDs every time. This is quite different from Windows hosts, where process IDs vary from boot to boot. What this means for the system administrator and the auditor is that it is not only possible to accurately baseline which processes should be running on the system but also to tie those processes to specific process ID numbers! Especially when faced with detecting compromise and the possible installation of malware, this becomes an incredibly valuable detection technique. If malware is installed by an attacker it will typically be installed in such a way that it automatically restarts the next time the system is booted. Since we now have a baseline of which processes should be running and also know precisely which process IDs they should have, even if the malware hides its own process we can see that it has displaced the process IDs of everything that started after it! (Parallel start-up systems such as Upstart and systemd weaken this guarantee, so check how stable the PIDs actually are across a few reboots before relying on them.)
It's pretty important that any system baseline include a list of all network services that are running on the system. Additionally, the baseline should include which binary, and ideally which process, is listening on each port. This information allows system administrators to automatically detect possible compromises, and it gives auditors a very simple way to detect undocumented changes to systems. In this webcast we'll take a fast look at netstat, the /etc/services file and lsof to see how we can quickly and easily extract the network service information that is particularly relevant for a baseline.
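The baselines described in this episode and the preceding one (processes tied to PIDs, and listening ports tied to binaries) come down to the same mechanics: normalize a snapshot into one line per item, store it, and diff later snapshots against it. The script below is an added example written for this page, not the episodes' own material; it consumes the output formats of `ps -eo pid,comm --sort=pid` and `lsof -nP -iTCP -sTCP:LISTEN -iUDP` (constructed sample snapshots are embedded so it runs without either tool) and reports new or missing entries plus daemons whose PID moved.

```shell
#!/bin/sh
# Added example (not from the AuditCasts page): build a process-ID baseline and
# a listening-service baseline, then report what changed. Input formats are the
# ones `ps -eo pid,comm --sort=pid` and `lsof -nP -iTCP -sTCP:LISTEN -iUDP`
# produce; the sample snapshots at the bottom are constructed, not captured.

# ps_normalize: stdin = ps output (header optional) -> "PID COMM", sorted by PID
ps_normalize() {
    awk 'NR == 1 && $1 == "PID" { next } { print $1, $2 }' | sort -n
}

# lsof_normalize: stdin = lsof output -> "PROTO PORT COMMAND", one line per
# service no matter how many sockets or address families it listens on.
# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; NAME is
# "addr:port" (plus "(LISTEN)" for TCP), so the port follows the last ':'.
lsof_normalize() {
    awk 'NR == 1 && $1 == "COMMAND" { next }
         { port = $9; sub(/.*:/, "", port); print $8, port, $1 }' | sort -u
}

# baseline_diff BASELINE CURRENT: "+ line" for entries only in CURRENT,
# "- line" for entries only in BASELINE. Keyed on the whole line, so a known
# daemon that moved to a new PID shows up as one "-" and one "+".
baseline_diff() {
    awk 'FILENAME == ARGV[1] { base[$0] = 1; next }
         { cur[$0] = 1; if (!($0 in base)) print "+ " $0 }
         END { for (l in base) if (!(l in cur)) print "- " l }' "$1" "$2" | LC_ALL=C sort
}

# pid_displaced BASELINE CURRENT (both from ps_normalize): processes present in
# both snapshots whose first (lowest-PID) instance now has a different PID. On
# a sequential boot that means something new started ahead of them.
pid_displaced() {
    awk 'FILENAME == ARGV[1] { if (!($2 in base)) base[$2] = $1; next }
         !($2 in seen) { seen[$2] = 1
                         if (($2 in base) && base[$2] != $1)
                             print $2, "baseline pid", base[$2], "now", $1 }' "$1" "$2"
}

# Constructed snapshots. In real use:
#   ps -eo pid,comm --sort=pid | ps_normalize > /var/lib/baseline/ps
#   lsof -nP -iTCP -sTCP:LISTEN -iUDP | lsof_normalize > /var/lib/baseline/net
sample_ps_baseline() {
    cat <<'EOF'
  PID COMMAND
    1 init
    2 kthreadd
  245 udevd
  812 rsyslogd
  830 sshd
  845 cron
EOF
}
sample_ps_current() {            # an extra daemon now starts before rsyslogd
    cat <<'EOF'
  PID COMMAND
    1 init
    2 kthreadd
  245 udevd
  812 rogue-svc
  813 rsyslogd
  831 sshd
  846 cron
EOF
}
sample_lsof_baseline() {
    cat <<'EOF'
COMMAND   PID USER     FD   TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd  812 root      5u  IPv4  12300      0t0  UDP *:514
sshd      830 root      3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd      830 root      4u  IPv6  12346      0t0  TCP [::]:22 (LISTEN)
EOF
}
sample_lsof_current() {          # same services plus an unexpected listener
    cat <<'EOF'
COMMAND   PID USER     FD   TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd  813 root      5u  IPv4  12300      0t0  UDP *:514
sshd      831 root      3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd      831 root      4u  IPv6  12346      0t0  TCP [::]:22 (LISTEN)
nc       4012 www-data  3u  IPv4  19999      0t0  TCP *:4444 (LISTEN)
EOF
}

# run_demo: exercise everything on the constructed snapshots
run_demo() {
    d=$(mktemp -d)
    sample_ps_baseline   | ps_normalize   > "$d/ps.base"
    sample_ps_current    | ps_normalize   > "$d/ps.now"
    sample_lsof_baseline | lsof_normalize > "$d/net.base"
    sample_lsof_current  | lsof_normalize > "$d/net.now"
    echo '== process changes ==';  baseline_diff "$d/ps.base" "$d/ps.now"
    echo '== displaced PIDs ==';   pid_displaced "$d/ps.base" "$d/ps.now"
    echo '== listener changes =='; baseline_diff "$d/net.base" "$d/net.now"
    rm -rf "$d"
}

run_demo
```

Store the normalized baseline somewhere the host cannot silently rewrite it (a read-only mount, or a copy pulled to the auditor's workstation); otherwise an attacker with root simply re-baselines. Daemons that fork many workers show up under one name with several PIDs, which is why pid_displaced compares only the lowest one.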
The installation of a file integrity testing tool should be a part of the standard install of any server class system in your environment. Not only does it allow for simple continuous monitoring and detection of unauthorized configuration changes, but it also allows for rapid damage assessment in the face of a compromise. This episode will take a fast look at the open source version of Tripwire. We'll examine common configuration errors in addition to discussing how to automate reporting for an auditor effectively without having to give the auditor or security officer root access to the system.
In this short webcast we take a look at how to create a very basic shell script that will identify the default run level of any Linux based system. At the time of recording, Linux systems had two primary mechanisms for starting services at boot: the traditional System V scheme (the initdefault entry in /etc/inittab) and the more modern Upstart system; systemd has since replaced both on most distributions, with boot targets in place of run levels. The run level matters to an auditor because it decides which service start-up scripts actually run. This screencast demonstrates logical testing for files, extracting output from a command and assigning it to a shell variable, and basic AWK usage.
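A version of that script, written for this page as an added example rather than the one shown in the episode: it checks the same two mechanisms and also falls back to systemd. The file paths are parameters so the inittab and Upstart parsing can be exercised against constructed copies; the runlevel and systemctl commands are only invoked when they exist on the host.

```shell
#!/bin/sh
# Added example (not the script written in the episode): report the run level a
# Linux host is configured to boot into and the one it is in now. File paths
# are arguments so the parsing can be tried on constructed copies.

# configured_runlevel [INITTAB] [UPSTART_CONF]
#   inittab:  "id:3:initdefault:" -> field 2 (':'-separated), comments skipped
#   Upstart:  "env DEFAULT_RUNLEVEL=2" in /etc/init/rc-sysinit.conf
#   systemd:  the default target reported by `systemctl get-default`
configured_runlevel() {
    inittab=${1:-/etc/inittab}
    upstart=${2:-/etc/init/rc-sysinit.conf}
    rl=''
    if [ -f "$inittab" ]; then
        rl=$(awk -F: '$1 !~ /^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$inittab")
    fi
    if [ -z "$rl" ] && [ -f "$upstart" ]; then
        rl=$(awk -F= '$1 ~ /^env[ \t]+DEFAULT_RUNLEVEL$/ { print $2; exit }' "$upstart")
    fi
    if [ -z "$rl" ] && command -v systemctl >/dev/null 2>&1; then
        rl=$(systemctl get-default 2>/dev/null)
    fi
    if [ -z "$rl" ]; then
        echo "configured run level: not found in $inittab, $upstart or systemd" >&2
        return 1
    fi
    echo "$rl"
}

# current_runlevel: the live level from runlevel(8), whose output is
# "PREVIOUS CURRENT" (e.g. "N 2"); fails if the command is absent or unsure.
current_runlevel() {
    command -v runlevel >/dev/null 2>&1 || return 1
    set -- $(runlevel)      # word-split on purpose: previous and current level
    if [ -z "$2" ] || [ "$2" = "unknown" ]; then return 1; fi
    echo "$2"
}

# init_system: the command name of PID 1 (init, systemd, ...), which tells you
# which of the mechanisms above is authoritative on this host.
init_system() {
    ps -p 1 -o comm= 2>/dev/null || echo unknown
}

# report [INITTAB] [UPSTART_CONF]: one line per fact, '?' where unknown
report() {
    printf 'init process:         %s\n' "$(init_system)"
    printf 'configured run level: %s\n' "$(configured_runlevel "$@" || echo '?')"
    printf 'current run level:    %s\n' "$(current_runlevel || echo '?')"
}

report "$@"
```

If the configured and current levels differ, someone changed the level after boot (telinit) or the system booted with a kernel argument override; either way the service baseline taken at the other level no longer describes what is running.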
If you're an auditor or security administrator and you have UNIX systems in your environment then you will eventually have to learn how to use the UNIX command line. Unlike Microsoft Windows, UNIX graphical interfaces are really GUIs layered on top of command lines. In Windows you have a graphical operating system that happens to have a command line interface as well; quite different. This video gives you a very basic crash course in a few commands and information on how to use the built-in UNIX manual to look up additional information. This video also mirrors the first few introductory pages of the UNIX lab material for students in the Audit 507 course offered through SANS.
Of all of the editors that are available in the UNIX environment, two are ubiquitous. One, the ed editor, is very unfriendly since it was really designed for use on a teletype. The second, vi (the visual editor), is much better. In fact, despite its age, the vi editor remains extremely popular. Part of what makes the editor so popular are the many commands and shortcuts designed to make large scale editing of virtually any size file very fast and very easy... at least relatively easy once you learn all of the shortcuts! This video is intended to give you just enough of an introduction to make your way around and get started using the editor to do useful tasks.
Welcome to our next episode! Last time we were talking about PowerShell, demonstrating some different ways that we could use it to begin to automate some of our audit and administrative tasks, for example pulling some information out of our Active Directory. In this week's AuditCast we're going to continue on and try to modularize some of the code that we wrote last week. At the same time, we'll try to simplify it, clean it up, and finally generalize it just a bit, to create something that we can use in many different tasks that we'll be examining over the next couple of weeks. Before starting the AuditCast, I actually did one or two things ahead of time. The first thing is that I took some of the code that we were working with last week, the code that actually got the handle for doing a domain search, and I moved that into what's called a "function." This week we'll see how we can leverage these sorts of things. You should be able to see that this code is essentially exactly the same code we wrote last week; the only difference is it's in a function. For a full write-up along with the source code for the scripts written in this episode, please go here: http://it-audit.sans.org/blog/2012/03/15/learning-powershell-how-to-extract-user-objects-from-active-directory-using-powershell/
A common question in an audit of information resources is whether or not accounts for users are being properly managed. One aspect of that is determining whether or not the accounts created are needed, while another is looking for evidence that accounts for terminated users are being disabled or deleted in a timely fashion. An easy way to answer both of these questions is through the use of Active Directory queries! This screencast demonstrates exactly how to do just that. While it's true that the information that we're looking for can be obtained directly from the Active Directory using tools like DSQuery and DSGet, in the long term I think it's far wiser to learn a little bit of basic scripting that will allow you to perform just about any kind of query you'd ever want to in Active Directory, even if your admins have customized the Active Directory schema! Learning to write PowerShell scripts, though, can seem daunting. Not only will we have to face the differences between different versions of PowerShell and the .NET requirements that sometimes lead to software conflicts when we're still using some legacy code, but some PowerShell scripts just look downright confusing! Not to worry. Rather than trying to learn everything that there is to know about PowerShell and directory queries, there's a great deal of value in learning some basic "recipes" that can be used to extract useful data using a script. Once we've got a good handle on the recipe, it's much easier to just adjust the "ingredients", if you will, to get at what we're looking for. In the various classes that I teach for auditors, whenever there's an opportunity to do so, I strongly recommend that auditors take some time to learn some basic scripting. This screencast is a perfect example. Once you've got a few of the basics in the script, you can easily modify the script to look for just about anything you'd want to. Not only that, you can make those modifications without ever really getting a deep understanding of exactly what an Active Directory Search object is and how it works! The source code for this script can be obtained here: http://it-audit.sans.org/blog/2012/03/05/identifying-inactive-and-unnecessary-user-accounts-in-active-directory-with-powershell
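The Day 4 course notes above (the dsquery bit-mask queries) and the inactive-account question in this episode work on the same raw material: the userAccountControl bit mask and the lastLogonTimeStamp FILETIME. The helpers below are an added example written for this page, not the episode's script or anything from the SANS blog. They build bit-mask filter clauses that dsquery or any LDAP client will accept, decode a raw userAccountControl value into flag names, and turn lastLogonTimeStamp into an age in days. The flag table carries the documented values; the account lines fed to stale_accounts in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the AuditCasts page or its linked scripts): helpers
# for building userAccountControl (UAC) bit-mask filters for dsquery/LDAP and
# for decoding the raw values and lastLogonTimeStamp FILETIMEs that come back.
# Portable POSIX sh; no directory access is needed to run it.

UAC_BIT_AND='1.2.840.113556.1.4.803'   # matches when ALL bits of the value are set
UAC_BIT_OR='1.2.840.113556.1.4.804'    # matches when ANY bit of the value is set

# Flag names and decimal values as documented for userAccountControl.
uac_table() {
    cat <<'EOF'
SCRIPT 1
ACCOUNTDISABLE 2
LOCKOUT 16
PASSWD_NOTREQD 32
PASSWD_CANT_CHANGE 64
NORMAL_ACCOUNT 512
DONT_EXPIRE_PASSWD 65536
SMARTCARD_REQUIRED 262144
TRUSTED_FOR_DELEGATION 524288
NOT_DELEGATED 1048576
DONT_REQ_PREAUTH 4194304
PASSWORD_EXPIRED 8388608
EOF
}

# uac_value NAME -> decimal value of one flag; fails on an unknown name
uac_value() {
    v=$(uac_table | awk -v n="$1" '$1 == n { print $2 }')
    [ -n "$v" ] || { echo "unknown userAccountControl flag: $1" >&2; return 1; }
    echo "$v"
}

# uac_mask NAME... -> combined value, e.g. NORMAL_ACCOUNT PASSWD_NOTREQD -> 544
uac_mask() {
    m=0
    for n in "$@"; do
        b=$(uac_value "$n") || return 1
        m=$((m | b))
    done
    echo "$m"
}

# uac_filter MASK      -> clause: every bit in MASK is set (the course's bit masking)
# uac_filter_none MASK -> clause: no bit in MASK is set (negated bitwise-OR rule)
uac_filter()      { printf '(userAccountControl:%s:=%s)' "$UAC_BIT_AND" "$1"; }
uac_filter_none() { printf '(!(userAccountControl:%s:=%s))' "$UAC_BIT_OR" "$1"; }

# user_filter CLAUSE... -> complete filter restricted to user objects
user_filter() {
    printf '(&(objectCategory=person)(objectClass=user)'
    for c in "$@"; do printf '%s' "$c"; done
    printf ')'
}

# dsquery_cmd FILTER -> the command to run on a domain-joined host
# (-limit 0 because dsquery otherwise stops after 100 objects)
dsquery_cmd() {
    printf 'dsquery * -filter "%s" -attr sAMAccountName userAccountControl lastLogonTimeStamp -limit 0\n' "$1"
}

# uac_decode VALUE -> names of the flags set in a raw userAccountControl value
uac_decode() {
    v=$1; out=''
    for entry in $(uac_table | tr ' ' ':'); do    # NAME:VALUE tokens
        name=${entry%%:*}; bit=${entry##*:}
        if [ $((v & bit)) -ne 0 ]; then out="$out${out:+ }$name"; fi
    done
    echo "$out"
}

# filetime_to_epoch FILETIME -> Unix time. lastLogonTimeStamp and pwdLastSet
# count 100-nanosecond intervals since 1601-01-01; the epochs differ by
# 11644473600 seconds.
filetime_to_epoch() { echo $(( $1 / 10000000 - 11644473600 )); }

# days_since EPOCH NOW -> whole days between two Unix times
days_since() { echo $(( ($2 - $1) / 86400 )); }

# stale_accounts THRESHOLD_DAYS NOW  (stdin: "sAMAccountName lastLogonTimeStamp")
# -> "name days" for accounts whose last replicated logon is older than the
#    threshold, "name never" for a 0 or missing timestamp; non-numeric lines
#    (the dsquery header) are skipped.
stale_accounts() {
    while read -r sam ft; do
        case ${ft:-0} in
            *[!0-9]*) continue ;;
            0) echo "$sam never" ;;
            *) d=$(days_since "$(filetime_to_epoch "$ft")" "$2")
               if [ "$d" -gt "$1" ]; then echo "$sam $d"; fi ;;
        esac
    done
}
```

Run `dsquery_cmd "$(user_filter "$(uac_filter 65536)" "$(uac_filter_none 2)")"` to print the query for enabled accounts whose passwords never expire, then pipe the saved dsquery output into `stale_accounts 90 "$(date +%s)"` with constructed lines such as `alice 129651840000000000` (a logon on 2011-11-08) to get `alice 91` when NOW is 91 days later. Because lastLogonTimeStamp is refreshed only when it is already 9 to 14 days old, a threshold below about two weeks is meaningless; 90 days is the usual audit cut-off.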
This webcast is a bit off the normal track for us. This recording was made live at a conference a few months back. (Sorry that the first few minutes have the screen capture software in view. Be patient, it goes away before we get to anything really good!) In the recording, David Hoelzer walks through a demonstration of the various phases that a security researcher (or hacker) would go through to discover a vulnerability, build a proof of concept and finally create a working exploit. A major take-away from this demonstration is how quickly this can be done. The actual demonstration takes only 60 minutes from beginning to end and that's with all of the talking and explaining. This exploit could, after being discovered, have a working POC exploit and Metasploit module written in about 15 minutes. I've had people say, "Well, sure, there's a flaw, but it would be really hard to exploit it." Guess what... In many cases they're just plain wrong!
How hard is it for someone to insert a proxy between you and the rest of the Internet without you knowing? Will running a Mac or Linux protect you? In this episode we combine the concepts from Episode 20 with the WPAD-style attack that was discussed back in Episode 17, creating a quick and easy how-to for a man-in-the-middle attack that will work against any system that has automatic proxy discovery enabled. This feature is sometimes thought to be a Windows-specific issue, but as we demonstrate here by transparently creating a man-in-the-middle proxy for a Mac, it really does apply everywhere. There are just a few simple pieces that you need to accomplish this attack, and there are some quick and easy things that you can do to defend yourself or that you can look for during an audit. For more details and a link to the source code, please check the blog article here: http://it-audit.sans.org/blog/2011/11/09/it-security-audit-what-about-wpad/
#21: VisualSniffPerms (2011-11-08, 04:11)

This screencast was created specifically as a support video for our VisualSniff product. The default permissions on the BPF devices (/dev/bpf*) on OS X are a bit atypical and make it impossible for a user to start a sniffer without becoming an administrator. Using the directions in the video with the accompanying script resolves this issue so that VisualSniff will work correctly. The script referenced can be downloaded here: http://enclaveforensics.com/ClientFiles/VisualSniffPerms.sh
BIND is usually the go-to DNS solution if you're looking to set up a DNS sinkhole to contain and identify malware. While I love BIND as much as the next guy, I find that it's a real pain in the neck to get everything set up just right and the maintenance involved in adding a new authoritative zone is just more than I'm willing to do. As a solution to this, I've revived a tool that I wrote more than a decade ago for Internet usage policy enforcement. As it turns out, it already was a DNS sinkhole, I just never called it one! Watch the episode for a demonstration and discussion and check out the blog article for more information and the source code: http://it-audit.sans.org/blog/2011/11/02/dns-sinkhole-for-malware-defense-and-policy-enforcement/
In all of the cases that I've worked where a malware infection, suspected APT or other security breach had occurred, detectable file remnants were left behind. How can you find them? Can IT audit techniques help? In this episode we take a look at a super easy technique that allows you to find any type of file or any specific file anywhere within your domain. The script can also be modified to allow you to create an inventory of any other type of file you need to. For a copy of the script and a longer discussion, please be sure to check the show notes: http://it-audit.sans.org/blog/2011/10/17/detecting-malware-apt-like-threats-domain-wide-file-finder/
I've been saying for years that change control is one of the most critical processes in our enterprise and the one that we are failing to follow most often. When you consider the 20 Critical Controls, you'll find that at least 5, and likely more, are directly related to how well you know the systems in your business. In fact, if you know your systems well you are poised to be able to discover any 0-day infections and most any APT-like (Advanced Persistent Threat) threats. How can you know your systems well? Watch this webcast for a demonstration! The show notes for this episode along with copies of the scripts demonstrated can be obtained here: http://it-audit.sans.org/blog/2011/10/11/detecting-apt-and-other-zero-day-malware-through-service-auditing/
In today's networked world, the vast majority of "work" that we do is done in a web browser. As it turns out, there's a very common configuration setting that creates enormous potential for serious information leakage or compromise in those very web browsers that we trust. In this episode we take a look at a demonstration of the WPAD (Web Proxy Auto-Discovery) service, which lets a browser locate its proxy configuration script by asking DHCP (option 252) and then DNS (for a host named wpad in its own domain), and how it can be leveraged to compromise data, particularly on Windows computers. The actual browser being used is not important: all modern browsers support WPAD. If a hacker finds himself on a network with even one system configured this way, he has an immediate attack vector that allows him to start intercepting data. Of course, if he can intercept data, there's no reason he can't inject data too! This is a perfect avenue for the injection of malicious JavaScript and other exploits, though we will not explore that in the demo. What's the answer to this problem? The answer is at the end of the episode or, if you don't want to wait, stop by the related show notes over at the SANS site for a quick explanation of what to look for.
If I asked you for your password, no doubt you'd tell me to get lost. If I asked for your username you would be suspicious. If I asked you for your email address, you'd likely give it up. Of course, your email address and your username are quite likely one and the same. What good is your username if I don't have your password? Well, there's not much that can be done with a single username in terms of hacking. In large numbers, however, usernames can be quite useful. How can I get my hands on a large number of usernames? There are many techniques, some for web applications, others for internal attacks. In this episode we depart from our usual audit focus to weaponize an information disclosure that is a part of virtually every Microsoft Windows domain that you'll encounter. Using a few easy tools, we'll extract the usernames and then use an easy technique to capture valid username/password credentials, compromising accounts! For a longer discussion of what's happening in this presentation, please be sure to visit here: http://it-audit.sans.org/blog/2011/09/21/usernames-matter-more-than-passwords