====== SANS 401 June 10-17, 2009 ======
===== SANS Security Essentials =====
==== Schedule ====
  * 0900-1030 - class
  * 1030-1050 - break
  * 1050-1200/1215 - class
  * 1200-1330 - Lunch
  * 1330-1500 - class
  * 1500-1520 - break
  * 1520-1715 - class
  * 1715-1900 - Bootcamp
====== Networking Concepts - Day 1 ======
===== Module 1: Network Fundamentals..1-2 =====
  * color coding scheme
    * Red - external
    * Yellow - DMZ
    * Green - internal
  * left interface usually external interface
==== Network Fundamentals..1-3 ====
=== Types of Networks..1-6 ===
  * LAN - Local Area Network
  * MAN - Metropolitan Area Network
  * WAN - Wide Area Network
  * Internet
  * PAN - Personal Area Network
=== Physical and Logical Topologies..1-9 ===
  * Physical
    * Bus - older
    * Ring - older
    * Star - most popular
  * Logical
    * Ethernet
    * Token Ring
=== Ethernet..1-12 ===
  * Baseband shared media network.
  * CSMA/CD - carrier sense, multiple access with collision detection
  * the most common layer 2 protocol
  * A chunk of data transmitted over the wire is called a frame
  * Uses 1500 byte frame size
  * GigE networks utilize Jumbo Frames. Large numbers of small frames will cause problems on GigE.
=== Token Ring and FDDI..1-14 ===
  * Communications is token based
  * Not common with client computing
  * Large mainframes where each system needs to communicate in a predictable manner still use this technology
=== Asynchronous Transfer Mode (ATM)..1-17 ===
  * Older protocol
  * Encapsulates common protocols
    * Like combining Ethernet and IP
  * expensive to set up, not seen on LANs
  * efficient for video streaming
  * commonly used for establishing high speed backbones over significant distances
=== WAN Technologies..1-19 ===
  * Dedicated lines
    * T1 or T3
    * E1 or E3
  * Frame Relay
  * MPLS - IPv6, VoIP, IP Video -- considered a replacement for Frame Relay and ATM
  * ISDN - any ISDN could possibly call any other ISDN, providing a backdoor attack
  * DSL
    * Distance limitations
  * Cable Modems
  * WAN
==== Networking Hardware..1-24 ====
  * Category 1 and 2
  * Cat 3 10Mb
  * Cat 4 16Mb
  * Cat 5,5e 100Mb-1Gb
  * Cat 6
  * Network Taps
  * Vampire Taps
=== Crossover Cable..1-26 ===
  * +TX to +RX
  * -TX to -RX
=== Network Devices..1-28 ===
  * Hub
  * Bridge
  * Switch - can be flooded and turned into a hub. Newer devices not susceptible.
    * ettercap
    * dsniff
  * Router - Drops traffic if it does not know where to send it.
== regarding ping ==
  * block-all-icmp cannot (should not) be done on IPv6
  * ping
    * ECHO REQ ->
    * ECHO REP <-
  * sending an inbound ECHO REP can let a hacker map networks blocking ECHO REQ, because the router sends host unreachable. If the machine exists, the reply will just be dropped, indicating the existence of a machine.
=== Virtual LAN (VLAN) and Network Access Control (NAC)..1-32 ===
  * can be used to switch an attacking machine to a virtual "jail".
==== Network Design..1-33 ====
=== Network Design Objectives..1-34 ===
  * Publish separate mail, Web and DNS servers to the Internet
  * Provide appropriate access from the internal network to the Internet
  * Protect the internal network from external attacks
  * Provide defense-in-depth
  * Protect all aspects of the system
=== Network Sections..1-35 ===
  * Public - Internet
  * Semi-public (DMZ) - Web, Mail, DNS servers
  * Private - Internal Systems
  * Locate firewalls:
    * Between the Internet and the other networks
    * Between the semi-public and private network
    * Between sections of varying trust levels
=== The Final Design..1-38 ===
===== Module 2: IP Concepts..1-41 =====
==== Network Protocol..1-44 ====
=== What is a Network Protocol?..1-45 ===
  * Three basic purposes
    * to standardize the format of communication
    * to specify the order or timing of communication
    * to allow all parties to determine the meaning of a communication
  * Protocol Stacks - The layered protocols involved in communication
=== The OSI Protocol Stack..1-47 ===
  * International Standards Organization (ISO) Open Systems Interconnect (OSI)
    * Application - Layer 7
    * Presentation - Layer 6
    * Session - Layer 5
    * Transport - Layer 4
    * Network - Layer 3
    * Data Link - Layer 2
    * Physical - Layer 1
=== OSI vs TCP/IP..1-49 ===
^ OSI ^ TCP/IP ^
| 5 Session, 6 Presentation, 7 Application | Application |
| 4 Transport | Transport (TCP) |
| 3 Network | Internet (IP) |
| 1 Physical, 2 Data Link | Network |
=== How Protocol Stacks Communicate..1-51 ===
=== How TCP/IP Packets are Generated..1-52 ===
  * Encapsulation passes information to each layer
  * Each layer adds header information
  * The previous layer's headers are the current layer's data
==== IP Packets..1-55 ====
=== IPv4 Header..1-56 ===
=== IPv4 Header..1-57 ===
  * Version field tells IPv4 or IPv6
  * Protocol can be a user defined number by a hacker
  * TTL (Time to Live), router hop count
    * Decremented each time and discarded once the count reaches 0
    * Can tell how far away in router hops.
    * TTL can tell if a packet has been spoofed. If you expect a close route and receive a high count, something is wrong or intercepted (man in the middle).
  * Fragment Offset
    * 1500 bytes is generally the MTU. Anything longer will need to be put back together once received.
    * crafting the offset value can cause bytes to overlap and change the value.
  * IP addresses
    * Identity Match - commercial SSN finder
=== IP Header Identifies Protocol..1-60 ===
==== Network Addressing..1-61 ====
=== Addressing Basics..1-62 ===
=== Two Parts of an Address..1-63 ===
  * Network and Host portions
=== IPv4 Addresses and Subnets..1-64 ===
  * Class A address - 1-127
    * N.H.H.H
    * 255.0.0.0
    * /8
  * Class B address - 128-191
    * /16
  * Class C address - 192-223
    * N.N.N.H
    * 255.255.255.0
    * /24
=== Netmasks and CIDR..1-65 ===
  * CIDR provides a shorthand like /16
    * 172.20.0.0/16
    * the 16 is how many bits are allocated to the network address
=== Broadcast Addresses ===
  * all 1's for the host portion
  * older networking hardware will interpret all zeros as broadcast
  * 172.20.15.0/24 broadcast is 172.20.15.255
  * Limited Broadcast - 255.255.255.255, limited to the local network
  * smurf attack based on Windows 95 stack vulnerability from broadcast flood
=== Private Network Addressing..1-69 ===
  * 10.0.0.0
  * 172.16.0.0
  * 192.168.0.0
  * using NAT on wireless does not buy you anything because a sniffer can read the internal IPs
=== Two Addresses..1-71 ===
  * MAC address
  * IP address
=== Address Resolution Protocol (ARP)..1-74 ===
  * Hackers in the '90s would respond to ARP requests and become man in the middle.
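An added example (not from the course or these notes) that decodes the IPv4 header fields the slides list and works the netmask/broadcast arithmetic from Netmasks and CIDR and Broadcast Addresses. The header bytes are constructed, and the initial-TTL values behind ''estimate_hops'' are an assumption of the example, not something the slides state.

```python
"""IPv4 header decoding and CIDR/broadcast arithmetic for the Module 2 slides.
Added example, not course material; the packet bytes are CONSTRUCTED."""
import struct

# Constructed sample: a 20-byte IPv4 header with no options, written the way
# tcpdump -x prints it. 172.20.15.7 -> 10.1.2.3, TTL 64, protocol 6 (TCP), DF set.
SAMPLE_IPV4_HEX = "4500 003c 1c46 4000 4006 5757 ac14 0f07 0a01 0203"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words. Run over a header that
    already carries its checksum, the result is 0 when that checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carry bits back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_header(hexdump: str) -> dict:
    """Pull out the fields the slides call out: version, TTL, protocol,
    fragmentation, addresses, plus a checksum verdict."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum) = struct.unpack("!BBHHHBBH", raw[:12])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4               # IHL counts 32-bit words
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL or truncated header")
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
        "ttl": ttl,
        "protocol": proto,                   # 1 ICMP, 6 TCP, 17 UDP
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
    }


def estimate_hops(ttl: int) -> int:
    """Heuristic behind the TTL slide (an assumption of this example): the sender
    started at the nearest common initial TTL (64, 128 or 255) and each router
    decremented it once."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL cannot exceed 255")


def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % addr)
    return int.from_bytes(bytes(octets), "big")


def int_to_ip(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def cidr_info(cidr: str) -> dict:
    """For a.b.c.d/n the n leading bits are the network; the broadcast address
    is the network with every host bit set to 1 (slide: 172.20.15.0/24 -> .255)."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = ip_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return {"network": int_to_ip(network), "netmask": int_to_ip(mask),
            "broadcast": int_to_ip(broadcast),
            "hosts": max(broadcast - network - 1, 0)}   # minus network and broadcast


def is_private(addr: str) -> bool:
    """RFC 1918 space: the slide lists the block starts, the prefix lengths are the RFC's."""
    value = ip_to_int(addr)
    for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        info = cidr_info(block)
        if ip_to_int(info["network"]) <= value <= ip_to_int(info["broadcast"]):
            return True
    return False
```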
==== Domain Name System (DNS)..1-76 ====
=== Domain Name System (DNS)..1-77 ===
  * Static host tables
=== Domain Hierarchy..1-79 ===
=== Types of DNS Queries..1-81 ===
  * gethostbyname
  * gethostbyaddr
=== DNS Security..1-83 ===
  * Attacks
    * Cache poisoning
    * Denial of service
    * Footprinting - information leakage
    * Registration spoofing
  * Defenses
    * Keep DNS software up-to-date
    * Distribute authoritative DNS servers
    * Limit zone transfers (Never allow this)
    * Register with reputable registrars
  * split DNS
    * external
      * only authoritative for your domain name
      * randomize query IDs
      * only recursive for your internal DNS server
      * don't allow zone transfers
    * internal
      * always does recursion on external
=== IPv6..1-85 ===
  * 128 bits
=== IPv4 vs. IPv6 ===
  * IPv4
    * 32 bits, 4.2 billion addresses
    * no authentication
    * Encryption provided by applications
    * Best effort transport
  * IPv6
    * 128 bits, 240 undecillion addresses
    * Provides authentication of endpoints
    * Support for encryption in protocol
    * Quality of Service (QoS) features provided in the protocol
=== IPv6 Features..1-88 ===
=== IPv6 Addressing..1-90 ===
  * divided in three portions
    * Network prefix (48 bits)
    * Subnet ID (32 bits)
    * Interface ID (64 bits)
===== Module 3: IP Concepts II..1-94 =====
=== Objectives ===
=== ...OSI ===
=== User Datagram Protocol (UDP)..1-98 ===
=== UDP..1-99 ===
  * connectionless communications
=== UDP Uses..1-101 ===
  * (Multimedia/VoIP) streaming
  * multicasting is required
  * transmission is expected to occur on a reliable network.
  * TCP is fundamentally incapable of multicasting
  * DNS
  * Common protocols:
=== UDP Header..1-103 ===
=== TCP (Transmission Control Protocol)..1-105 ===
=== TCP Uses..1-107 ===
  * Offers flow control to handle network congestion
  * Allows for transmission of a larger amount of data per packet
  * Guaranteed delivery of transmitted data is more important than speed
  * offers better
=== FTP (File Transfer Protocol)..1-108 ===
  * bounce attack can allow access to FTP through a firewall
=== Active vs. Passive FTP..1-111 ===
  * google "FTP Bounce attack"
=== Establishing a TCP Connection..1-113 ===
  * SYN, SYN/ACK, ACK
=== TCP Header..1-114 ===
=== TCP Header - Key Fields..1-116 ===
  * session hijacking can be accomplished by sending a duplicate frame number, which will cause the receiver to discard the old frame
  * **hunt** 1.5 is a tool to hijack telnet or TCP sessions
=== TCP Code Bits/Flags..1-119 ===
  * Mask
    * SYN 02
    * SYN/ACK 12
    * ACK 10
=== Closing a TCP Session..1-121 ===
  * an attacker could open a session then disconnect, leaving an outbound port open
  * graceful close is 4-way
  * Abrupt closure: RST/ACK in either direction
=== TCPdump Output from a Graceful Connection Termination..1-123 ===
=== TCPdump Output from an Aborted Connection ===
  * Because closure occurs based upon a single packet, be sure to validate the packet was not spoofed
  * Check Sequence/Acknowledgment numbers
=== TCP and UDP..1-126 ===
=== Internet Control Message Protocol (ICMP)..1-127 ===
=== ICMP..1-128 ===
  * two purposes
    * report errors
    * provide network information
=== ICMP Header..1-129 ===
  * ICMP payload usually contains the header of the packet that failed
  * Payload can contain anything
  * tools that cross firewalls
    * icmptunnel
    * httptunnel
    * smtptunnel
  * loki is an old tool that used the ICMP tunnel
=== ping..1-132 ===
  * be most concerned about ICMP being used as a covert data channel
=== traceroute..1-133 ===
=== Unix and Windows Traceroute..1-135 ===
  * Unix traceroute uses UDP packets
  * Windows tracert uses ICMP
===== Module 4: Protocol Analysis..1-139 =====
==== Protocol Analysis..1-140 ====
=== tcpdump/windump..1-143 ===
=== What is a Sniffer?..1-144 ===
  * airpcap wireless
  * ettercap dcap for wired networks
=== Sniffing on a Switch..1-147 ===
  * The technique of sniffing traffic on a switched segment has been discussed for some time. ...dsniff
=== tcpdump..1-148 ===
=== tcpdump Commands..1-149 ===
  * -s entire packet
  * -vv
  * -nn
=== Analysis with tcpdump..1-150 ===
=== Sample TCPdump ICMP Output..1-153 ===
=== Sample TCPdump UDP Output..1-154 ===
=== Sample TCPdump TCP Output..1-155 ===
  * some extra fields
    * Flags
    * Sequence numbers
=== Reading Packets..1-157 ===
=== Hexadecimal Representation..1-160 ===
=== Five Tips for Decoding Packets..1-161 ===
=== Decoding an IP Header..1-163 ..1-170 ===
=== Decoding a TCP Header..1-171 ..1-180 (* 1-177 and 1-180) ===
=== Calculating Variable Length Fields..1-177 ===
===== Module 5: Virtual Machines..1-183 =====
===== Module 6: Safety and Physical Security =====
==== Managing Safety & Physical Security..1-231 ====
  * Safety trumps security
  * ophcrack
  * backtrack
=== Evacuation Procedures..1-237 ===
=== Restricted Area..1-253 ===
=== Preventing Unauthorized Access..1-258 ===
=== Deterring Unauthorized Access..1-262 ===
=== Managing Physical Security..1-267 ===
===== Cookbook Tools - Networking Concepts..2-1 =====
====== Defense in Depth - Day 2 ======
===== Module 7: Defense in Depth..2-2 =====
==== Defense in Depth..2-3 ====
  * router example - put in
    * no ip source routing
    * no ip directed broadcast
=== Defense in Depth..2-5 ===
  * application flaws should be known to the user for them to make the decision on how to proceed.
  * the informed user is a safe user
=== What is Defense-in-Depth?..2-6 ===
  * Data
  * Application
  * Host
  * Internal network
  * Perimeter
  * Physical security
=== Focus of Security is Risk..2-7 ===
  * Risk = threat x vulnerabilities
=== Key Focus of Risk..2-8 ===
=== Prioritizing CIA..2-10 ===
  * Confidentiality
    * Pharmaceuticals
    * soft drink manufacturers
  * Integrity
  * Availability
=== What is a Threat?..2-11 ===
  * Primary Threats:
    * Malware
    * Insider
    * Natural disasters
    * Terrorism
=== Vulnerabilities..2-13 ===
  * known
  * unknown - "zero day"
  * unpatched systems
  * mis-configured systems
=== Approaches to DiD..2-15 ===
=== Uniform Protection..2-16 ===
=== Protected Enclaves..2-17 ===
=== Information Centric..2-18 ===
=== Vector-Oriented..2-19 ===
=== Viruses and Malicious Code..2-20 ===
=== Viruses..2-23 ===
=== COM/Script Program Infectors..2-25 ===
  * inserts itself in existing code
=== EXE Program Infectors..2-26 ===
  * similar to COM infectors
=== Web Bug ===
  * a 1x1 document that points to a remote site, which records a log entry indicating the document has been opened.
  * cnn.com uses techniques like this all the time.
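Going back to the TCP header decoding exercise in Module 4 (Decoding a TCP Header, Calculating Variable Length Fields) and the flag masks listed under TCP Code Bits/Flags in Module 3, here is an added example, not course material, that decodes two constructed segments: the data offset fixes where the variable-length options end, and the flag byte is matched against the masks 02, 12 and 10 (the SYN-and-FIN check comes from the Module 16 protocol-analysis note). The port, sequence and option values are constructed for the example.

```python
"""TCP header decoding with the Module 3 flag masks and the Module 4
variable-length option walk. Added example, not course material; the two
segments below are CONSTRUCTED."""
import struct

FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}
# The masks the slide gives for the three-way handshake, as the whole flag byte.
HANDSHAKE_MASKS = {0x02: "SYN", 0x12: "SYN/ACK", 0x10: "ACK"}

# Constructed: client SYN to port 80, data offset 6 (24-byte header) carrying an MSS option.
SAMPLE_SYN_HEX = "8a1f 0050 1234 5678 0000 0000 6002 faf0 0000 0000 0204 05b4"
# Constructed: the server's SYN/ACK, 20-byte header, ack = client seq + 1.
SAMPLE_SYNACK_HEX = "0050 8a1f 9abc def0 1234 5679 5012 7210 0000 0000"


def parse_tcp_options(raw: bytes) -> list:
    """Walk the variable-length option area: kind 0 ends the list, kind 1 (NOP)
    is a single byte, every other kind is followed by a total-length byte."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def decode_tcp_header(hexdump: str) -> dict:
    """Fixed 20-byte part first, then the options up to the data offset.
    The TCP checksum is not verified here: it needs the IP pseudo-header."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    header_len = (off_res >> 4) * 4          # data offset: top nibble of byte 12, in 32-bit words
    if header_len < 20 or header_len > len(raw):
        raise ValueError("bad data offset %d" % header_len)
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": flags,
        "flag_names": [n for bit, n in FLAG_BITS.items() if flags & bit],
        "handshake_step": HANDSHAKE_MASKS.get(flags),   # None unless the byte is exactly 02, 12 or 10
        "illegal_combo": (flags & 0x03) == 0x03,       # SYN and FIN together never occur legitimately
        "window": window,
        "options": parse_tcp_options(raw[20:header_len]),
        "payload_len": len(raw) - header_len,
    }


def mss_from_options(options: list):
    """Option kind 2 carries a 16-bit MSS; None when the segment has none."""
    for kind, data in options:
        if kind == 2 and len(data) == 2:
            return struct.unpack("!H", data)[0]
    return None


def handshake_consistent(syn: dict, synack: dict) -> bool:
    """Second step of the handshake must ack the client's ISN + 1 and swap the ports;
    the slide's advice to check sequence/acknowledgment numbers before trusting a packet."""
    return (synack["handshake_step"] == "SYN/ACK"
            and synack["ack"] == (syn["seq"] + 1) & 0xFFFFFFFF
            and synack["src_port"] == syn["dst_port"]
            and synack["dst_port"] == syn["src_port"])
```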
=== Worms..2-27 ===
  * Attack systems through known vulnerabilities
  * scan for more systems to attack
  * used to build botnets
=== The Morris Worm 1988..2-29 ===
=== Linux Worms..2-31 ===
  * search for lrk4 lrk5 lrk6 to find these rootkits
=== SQL Slammer Worm..2-33 ===
=== Sasser/Netsky Worms..2-34 ===
=== Conficker Worm..2-35 ===
=== Fixing the Problem..2-36 ===
=== What Worms Teach Us about Configuration Management..2-37 ===
=== Malicious Browser Content..2-39 ===
=== Hybrid Threats..2-41 ===
=== Malware Capabilities..2-43 ===
  * backdoor access
  * leaking of data
=== Propagation Techniques..2-46 ===
=== Malware Defense Techniques..2-47 ===
  * Activity monitoring
  * malware scanners
  * File and resource integrity checking
  * Stripping e-mail attachments - can cause business practice problems
  * Remember defense-in-depth
  * Patch all systems
  * turn off unused services
=== Malware Analysis..2-54 ===
=== "The Machinery of Democracy" ===
  * paper on problems with voting machines
===== Module 8: Basic Security Policy..2-57 =====
==== Basic Security Policy..2-58 ====
=== Why an Organization Needs a Security Policy..2-61 ===
  * Protect people who are trying to do the right thing
=== Convincing the Organization..2-63 ===
  * if an organization does not have this, it will cost money, maybe in fines
=== Mission Statement..2-64 ===
=== Overall Security Posture..2-65 ===
=== Example Posture Issues..2-66 ===
  * Presumption of privacy
  * physical search
  * Trust for all connections initiated inside the organization
  * no egress filtering
=== Establish a Documentation Baseline..2-68 ===
=== Policy and Procedures..2-69 ===
  * A high level policy should not address specific technologies
=== Defining a Policy..2-70 ===
  * make sure there is a way to enforce the policy. For instance, each user should be responsible for activities from an account.
=== Procedure Definitions and Issues..2-71 ===
=== Standard Definitions and Issues..2-72 ===
=== Baseline Definitions and Issues..2-73 ===
=== Guideline Definitions and Issues..2-74 ===
=== Documentation Review..2-75 ===
=== Issue-Specific Policies..2-76 ===
=== Policy Table of Contents..2-77 ===
=== Policy Statement Must..2-79 ===
  * SMART
=== Is the Policy..2-81 ===
  * consistent with law, regulations?
=== Creating the Policy..2-83 ===
=== Building the Policy: State the Issue..2-84 ===
=== Example of Applicability/Scope..2-85 ===
=== Compliance/Penalties..2-86 ===
=== Non-Disclosure Agreement..2-88 ===
=== Intellectual Property - Copyright..2-90 ===
=== Contingency Planning..2-93 ===
=== What is a Business Continuity Plan?..2-95 ===
=== What is a Disaster Recovery Plan?..2-97 ===
=== BCP vs DRP..2-99 ===
=== Basic Elements of Continuity Planning..2-102 ===
=== BCP Key Components..2-104 ===
=== Business Impact Analysis..2-105 ===
  * Maximum tolerable downtime (MTD)
=== BCP-DRP Planning Process Lifecycle..2-107 ===
=== Top BCP/DRP Planning Mistakes..2-108 ===
=== Asset Classification (Randy's) ===
  * several machines may be part of a single system, such as an Oracle system
===== Module 9: Access Control and Password Management..2-112 =====
==== Access Control Theory..2-115 ====
=== Key Terms & Principles..2-116 ===
  * it is the data owner's job to determine if the data is sensitive.
=== Data Classification by Sensitivity and by Type..2-118 ===
=== Identity, Authentication, Authorization, and Accountability..2-120 ===
  * Identity
  * Authentication
  * Authorization
  * Accountability
  * Angels and Demons <-- movie
=== Controlling Access..2-122 ===
  * Least Privilege
  * Need to Know
  * Separation of Duties
  * Rotation of Duties
=== Access Control Techniques..2-123 ===
  * Discretionary
  * Mandatory
  * Role-based
  * Ruleset-based
  * List-based
  * Token-based
=== Managing Access..2-125 ===
=== Single Sign-On (SSO)..2-127 ===
=== Protocols and Centralized Control..2-128 ===
==== Password Management..2-131 ====
=== Reversible and Irreversible Encryption..2-132 ===
=== Access Control: Passwords..2-134 ===
  * best stored as irreversible hashes
=== What is Password Cracking?..2-135 ===
  * crack for Unix systems used the dictionary to create hashes and compared them to the password file
=== What Determines the Strength of a Password Hash?..2-137 ===
  * Quality of algorithm
  * etc...
=== Methods of Password Assessment..2-139 ===
  * Dictionary attack
  * Hybrid attack
  * Brute force
  * Precomputation brute force (Rainbow attack)
=== John the Ripper vs Linux MD5 Password File..2-143 ===
=== Windows Passwords..2-146 ===
  * ntds.dit
=== Cain - Password Cracking..2-148 ===
=== Rainbow Tables..2-151 ===
  * ophcrack website has pre-made tables
=== Winrtgen..2-152 ===
=== Cain and Rainbow Tables..2-154 ===
=== How to Protect Against Password Cracking Hacks..2-155 ===
  * check the passwords!
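The password assessment methods above (dictionary, hybrid, precomputation) as an added audit example, not course material: a constructed password file with unsalted MD5 and salted SHA-256 entries is checked against a constructed wordlist, and the hash-operation count shows why a salt defeats a shared precomputed table. The user names, passwords, salts and wordlist are all made up for the example.

```python
"""Password-file audit for the Module 9 slides: dictionary and hybrid checks
against unsalted MD5 and salted SHA-256 entries. Added example, not course
material; the users, passwords, salts and wordlist are all CONSTRUCTED."""
import hashlib

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "summer", "welcome", "dragon"]


def hash_password(scheme: str, salt: str, password: str) -> str:
    """'md5' is unsalted, like the old crypt-style files the slide describes;
    'sha256' mixes a per-user salt into the input."""
    if scheme == "md5":
        return hashlib.md5(password.encode()).hexdigest()
    if scheme == "sha256":
        return hashlib.sha256((salt + password).encode()).hexdigest()
    raise ValueError("unknown scheme %r" % scheme)


def make_entry(user: str, scheme: str, password: str, salt: str = "") -> dict:
    """One constructed password-file record, the shape an auditor reads from a shadow file."""
    return {"user": user, "scheme": scheme, "salt": salt,
            "hash": hash_password(scheme, salt, password)}


# Constructed sample file. alice and dave share a password, which an unsalted
# hash makes obvious: their stored hashes are identical.
SAMPLE_ENTRIES = [
    make_entry("alice", "md5", "password1"),
    make_entry("dave", "md5", "password1"),
    make_entry("bob", "sha256", "Summer09", salt="k3Zp"),
    make_entry("carol", "sha256", "correct-horse-9-battery", salt="Qa7m"),
]


def hybrid_candidates(words):
    """Slide 2-139: dictionary words plus the mangling rules people use
    (capitalised or upper-cased, one or two trailing digits, a trailing '!')."""
    suffixes = [""] + [str(n) for n in range(100)] + ["%02d" % n for n in range(10)] + ["!"]
    seen = set()
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                cand = base + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def audit(entries, words=WORDLIST):
    """Returns ({user: recovered password or None}, number of hash computations).
    Unsalted entries fall to ONE precomputed table shared by every user, which is
    the point of rainbow tables; salted entries have to be recomputed per salt."""
    candidates = list(hybrid_candidates(words))
    table = {hash_password("md5", "", c): c for c in candidates}
    ops = len(candidates)
    found = {}
    for e in entries:
        if e["scheme"] == "md5":
            found[e["user"]] = table.get(e["hash"])
            continue
        found[e["user"]] = None
        for c in candidates:
            ops += 1
            if hash_password(e["scheme"], e["salt"], c) == e["hash"]:
                found[e["user"]] = c
                break
    return found, ops


def weak_users(entries, words=WORDLIST) -> list:
    """The list a 'check the passwords!' report hands back to the account owners."""
    found, _ = audit(entries, words)
    return sorted(u for u, pw in found.items() if pw is not None)
```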
=== Enforce a Strong Password Policy..2-156 ===
=== Use Shadow Passwords..2-159 ===
=== Use One-time Passwords..2-160 ===
=== Utilize Biometrics..2-162 ===
=== Disable LAN Manager Authentication..2-165 ===
===== Module 10: Incident Handling Foundations..2-168 =====
=== Incident Handling Fundamentals..2-171 ===
=== Why is it Important?..2-173 ===
=== What is an Incident?..2-175 ===
=== What is an Event?..2-176 ===
=== Overview of the Incident-Handling Process..2-179 ===
=== The Six-Step Process for Incident Handling..2-180 ===
  * Preparation..2-181
  * Identification..2-183
  * Containment..2-188
  * Eradication..2-190
  * Recovery..2-192
  * Lessons Learned..2-194
=== Key Mistakes in Incident Handling..2-195 ===
=== Putting the Steps Together..2-196 ===
=== Legal Aspects of Incident Handling..2-198 ===
=== Incident Handling and the Legal System..2-201 ===
  * Criminal Law
  * Civil Law
  * Others
    * GLBA, SOX, HIPAA, PCI
=== The United States Code, Title 18, Section 1030..2-204 ===
  * Computer Fraud and Abuse Act
=== Laws Relating to Incident Handling..2-206 ===
  * Computer Security Act of 1987
  * US Privacy Act of 1974
  * ECPA 1986
  * HIPAA
=== Terrorism, Infrastructure Protection and Espionage..2-208 ===
=== Search/Seizure with Warrant..2-210 ===
=== Arrest/False Arrest..2-212 ===
=== Evidence Must be Admissible..2-213 ===
  * basing business decisions on logs will show the logs are used for important purposes.
  * 18 month retention allows 6 months to do a 1 year log review.
=== Chain of Custody..2-215 ===
=== Evidence Integrity..2-217 ===
  * md5sum
=== Real and Direct..2-218 ===
=== Best Evidence..2-219 ===
  * Search warrant: comply immediately
  * Subpoena: contact local authority first
===== Module 11: Information Warfare..2-221 =====
=== The Threat, Attacks are Increasing..2-225 ===
=== More Unknowns than Knowns..2-226 ===
=== Information Warfare Tools..2-228 ===
=== Example of a Blended Threat..2-229 ===
=== Could the US Presidency be Affected?..2-230 ===
=== Could a City be Destroyed?..2-231 ===
=== Offshore Coding and SW Engineering 2009..2-232 ===
=== Terrorism and Economic Warfare (The Business of Terrorism)..2-233 ===
==== Information Warfare Theory..2-234 ====
=== Information Warfare Theory..2-235 ===
=== Cycle Time..2-237 ===
=== Indications and Warning..2-238 ===
=== Indications and Warnings Analysis Model..2-239 ===
=== Measures of Effectiveness..2-240 ===
=== Offensive Players..2-241 ===
=== Offensive Operations Goal..2-242 ===
=== Increase Value to Offense..2-243 ===
=== Decrease Value to Defense..2-244 ===
=== Defense is not Usually Dominant..2-245 ===
===== Module 12: Web Communications and Security..2-248 =====
=== Web Application Security..2-251 ===
=== Web Architecture Hardening..2-255 ===
=== Web Communication Basics - HTTP..2-257 ===
=== HTTP Transactions..2-259 ===
=== HTML - Hypertext Markup Language..2-261 ===
=== HTML Forms..2-262 ===
  * POST action sends form data in HTTP headers
  * GET action sends form data appended to the URL
=== Cookies..2-266 ===
=== SSL/TLS..2-269 ===
=== Server Side Programming..2-271 ===
=== Client Side Programming..2-273 ===
=== Developing Secure Web Applications..2-275 ===
  * 99% of problems are input validation problems
  * Acunetix (commercial), Paros (free)
=== Basics of Secure Coding..2-277 ===
=== Web Application Service Providers..2-279 ===
=== Web Application Vulnerabilities..2-281 ===
=== Web Application Authentication..2-282 ===
  * basic mode uses base64 encoding
  * digest uses encryption
=== Access Control..2-286 ===
=== Session Tracking/Maintaining State..2-288 ===
=== Hacking Session Information..2-289 ===
=== Protection from Session Attacks..2-291 ===
=== Input Attacks..2-293 ===
===== Cookbook =====
====== Day 3 ======
[[http://www.giac.org/proctor/kryterion.php]]
===== Module 13: Attack Strategies and Mitigation..3-2 =====
=== K. Mitnick vs. T. Shimomura..3-6 ===
  * Reconnaissance (r utilities, rlogin, rshell)
  * TCP/IP sequence number prediction attack
=== Two Systems, Trust Relationship..3-8 ===
=== Starting the Attack..3-9 ===
  * Finger gives information about users and accounts
=== Silence B with DoS..3-11 ===
  * SYN flood B
=== Attacker Probes for a Weakness in A's TCP Stack..3-13 ===
  * IP spoofing attack
=== Attacker Pretends to be B..3-14 ===
  * The attacker, pretending to be B, uses the predictable response to open a connection
=== Make 'A' Defenseless..3-15 ===
  * Attacker sends expected ACK with fake SRC IP address to establish a connection
=== Finish the Job..3-16 ===
  * Sends rshell packet '"echo ++">/.rhosts' to open the victim to accept any login
  * Then, attacker uses '# rlogin -l root' to take over "A"
=== Detection and Prevention Techniques?..3-19 ===
=== Patch Systems..3-21 ===
=== Hardening the System: Disabling Unused Services..3-22 ===
  * disable finger
=== Network Vulnerability Scanner..3-23 ===
=== Host-based Intrusion Detection..3-24 ===
  * tripwire
  * aide
=== Network-based Intrusion Detection..3-25 ===
=== Firewalls..3-26 ===
=== Mitnick Examples: Lessons Learned ===
==== Common Types of Attacks..3-31 ====
=== Methods of Attack..3-32 ===
  * Logic Bombs
  * Trojan Horses
  * Trap Doors
  * Embed malware in something that looks like a music file.
=== Denial of Service..3-35 ===
  * Smurf
  * SYN flood
  * DDoS Attacks
=== Physical Attack..3-36 ===
  * stealing hard drives
=== Buffer Overflows..3-37 ===
  * poorly coded applications
  * extra code placed in buffers can be used to execute attack code
  * The Shellcoder's Handbook, 2nd or 3rd edition
=== Buffer Overflow Concepts..3-38 ===
  * buffer, heap, stack
  * "Smashing the Stack" paper on the topic
=== When the Return Address Points to our Payload, We Win!..3-39 ===
=== Brute Force..3-40 ===
  * bombard with passwords
=== Remote Maintenance..3-42 ===
  * vendor can have access to machine
=== Browsing..3-43 ===
=== Race Conditions..3-44 ===
=== Interrupts..3-46 ===
=== Alteration of Code..3-47 ===
=== Rootkits..3-48 ===
  * rootkit.com
===== Module 14: Firewalls and Honeypots..3-51 =====
=== Why a Firewall?..3-55 ===
  * Protecting systems from attempts to exploit vulnerabilities
=== How does a Firewall fit in the Big Picture?..3-57 ===
=== Benefits of Firewalls..3-58 ===
  * protects unwanted services
  * logs
=== Shortcomings of Firewalls..3-58 ===
  * Attacks at the application layer may sneak through
  * Dial-up, VPN, extranet can bypass.
=== The Default Rule..3-60 ===
=== Filtering..3-61 ===
  * firewalls protect in one direction only
    * Ingress
    * Egress
=== Multi-Zone Designs..3-63 ===
=== Stateless Packet Filter..3-65 ===
=== No State Inspection ACK Flag Set..3-66 ===
=== Stateful Firewalls..3-68 ===
  * what happens if the state table fills up
    * DoS or Stateless
=== Stateful Inspection with FTP..3-70 ===
=== Proxy or Application Gateway..3-72 ===
=== Desktop Protection Personal Firewalls..3-74 ===
=== Firewall Complementing an IDS..3-75 ===
=== Network Address Translation (and Private Addresses)..3-76 ===
  * wireless allows anyone to sniff addresses behind NAT
=== Port Address Translation (PAT)..3-78 ===
=== Randy's ===
  * Old document on firewall configuration [[http://www.security.vt.edu/lockitdown/Firewall_Ports_and_Protocols_Summary.doc]]
  * 80, 1494 are only needed now for Citrix server
==== Honeypots..3-81 ====
=== What is a Honeypot?..3-82 ===
  * system that has no legitimate purpose for someone to connect to.
=== Honeypot Example..3-84 ===
=== Advantages of Honeypots..3-84 ===
  * Provides insight
=== Disadvantages of Honeypots..3-86 ===
  * Way too time consuming
=== Classifying Honeypots..3-90 ===
=== Basic Honeypot - Netcat Listener..3-93 ===
  * nc -l -p 80 -n -o hexcapture.txt >port80-listener.txt
=== honeyd..3-94 ===
  * simulate network
=== Sticky Honeypots - LaBrea Tarpit..3-99 ===
=== Deploying Honeypots..3-102 ===
=== Honeypot Checklist/Summary..3-104 ===
===== Module 15: Vulnerability Scanning..3-107 =====
=== R3: Reconnaissance, Resource Protection, ROI.. ===
  * Steve Gibson - Shields Up
=== 5 Vulnerability Axioms..3-113 ===
=== Threat Types and Vectors..3-114 ===
=== Threat Concerns..3-115 ===
=== Firewall Subversion..3-117 ===
=== KaZaA - Firewall Subversion..3-118 ===
  * P2P
  * bounce a scan off an internal machine
=== Bypassing Firewall Protection..3-120 ===
=== Firewalls, Wireless Connections, and Modems..3-121 ===
=== HTTP Tunnels..3-123 ===
=== Social Engineering..3-125 ===
=== Social Engineering Defense..3-127 ===
=== Bypassing Firewall Protection Controls..3-128 ===
=== Network Mapping Tools..3-129 ===
==== Network Mapping Tools..3-129 ====
  * ids.cirt.vt.edu
=== Finding Unprotected Shares - Legion..3-131 ===
=== Hping3 - Spoofing Port Scanner..3-133 ===
  * allows crafting packets with illegal flag settings
=== Attack History..3-136 ===
==== Network Scanning..3-139 ====
=== What is a Port Scan?..3-140 ===
=== Port Scanning with Nmap..3-142 ===
  * nmap -A -T4 testip
=== Simple nmap Scan..3-144 ===
=== nmap Scan Types..3-146 ===
=== Operating System Identification..3-149 ===
  * system fingerprinting based on responses to various requests
=== Vulnerability Scanning..3-151 ===
=== Vulnerability Scanners..3-152 ===
  * only scan systems you own
  * the difference between a hacker and a vulnerability scan is permission
=== How to do a Vulnerability Scan..3-154 ===
  * scan when you can respond
=== Nessus..3-156 ===
  * Freeware scanner.
  * granddaddy of all scanners
==== Alternate Network Mapping Techniques..3-167 ====
=== Wireless Network Scanning..3-168 ===
=== NetStumbler..3-169 ===
  * Windows
=== Kismet..3-172 ===
  * Linux
=== Mitigating Wireless Network Mapping..3-176 ===
=== War Dialing..3-177 ===
  * identify phone modems and see who answers to find an entry point
=== War Dialers..3-178 ===
=== Managing Penetration Testing..3-181 ===
  * Core Impact
  * Metasploit autopwn
=== Pen Testing Techniques..3-182 ===
=== Scanning Tools Warning..3-184 ===
===== Module 16: Intrusion Detection Technologies..3-189 =====
==== Intrusion Detection Technologies..3-189 ====
=== What is IDS?..3-192 ===
  * SEC 503 SANS Intrusion Detection
=== IDS Technology..3-194 ===
=== IDS Alerts..3-197 ===
  * True Positive, False Positive
  * True Negative, False Negative
=== NIDS Overview..3-199 ===
  * passive sensor, a sniffer
=== How Signature Analysis Works..3-201 ===
  * to attack a signature, alter the signature
=== Rules and Signature Criteria..3-202 ===
=== How Anomaly Analysis Works..3-204 ===
  * requires an understanding of what "normal" is
=== How Application Protocol Analysis Works..3-205 ===
  * things like: it's not possible to have SYN and FIN set at the same time
=== Deep vs. Shallow Packet Inspection..3-207 ===
=== Data Normalization..3-209 ===
=== NIDS Advantages..3-210 ===
=== NIDS Challenges..3-213 ===
=== Topology Limitations..3-214 ===
=== Analyzing Encrypted Traffic..3-216 ===
=== Signature Quality vs Quantity..3-217 ===
=== Performance Limitations..3-218 ===
=== NIDS Costs..3-220 ===
=== TCPdump as NIDS..3-222 ===
=== Snort as NIDS..3-224 ===
=== Snort Rule Flexibility..3-227 ===
=== Writing Snort Rules..3-228 ===
=== Simple Snort Rules..3-229 ===
=== Advanced Snort Rules..3-230 ===
=== Key Points for NIDS..3-231 ===
=== Developments in NIDS..3-233 ===
=== HR IDS Application - Content Monitoring Systems..3-236 ===
==== HIDS Overview..3-238 ====
  * Early ones were local only, with no way to collect logs.
=== How File Integrity Checking Works..3-241 ===
  * Tripwire
=== How Log Monitoring Works..3-242 ===
  * logcheck
=== HIDS Network Monitoring..3-244 ===
=== HIDS Advantages..3-245 ===
=== HIDS Challenges..3-246 ===
=== HIDS Recommendations..3-248 ===
=== Developments in HIDS..3-248 ===
  * ZoneAlarm is Randy's favorite
=== Host and Network-based Intrusion Detection..3-251 ===
=== Internet Storm Center..3-252 ===
===== Module 17: Intrusion Prevention Technologies..3-255 =====
=== What is IPS?..3-259 ===
=== What IPS is Not..3-261 ===
=== HIPS Detail..3-263 ===
  * Host-based Intrusion Prevention System
=== HIPS Advantages..3-264 ===
=== HIPS Challenges..3-265 ===
=== Application Behavior Monitoring..3-267 ===
=== HIPS Recommendations..3-269 ===
  * to test, use hping
  * PortSentry
=== Developments in HIPS..3-271 ===
==== NIPS Overview..3-273 ====
=== How NIPS Work..3-274 ===
=== NIPS Detail..3-275 ===
=== NIPS Challenges..3-278 ===
=== Passive Analysis..3-279 ===
=== Developments in NIPS..3-281 ===
=== IPS Examples..3-284 ===
=== Randy ===
  * network-tools.com/analyze
  * FastDial add-on for Firefox
===== Module 18: IT Risk Management..3-291 =====
=== Risk Management Overview..3-295 ===
=== IT Risk Management - Where do I Start?..3-296 ===
=== IT is Only One Form of Risk..3-300 ===
=== Define Risk..3-301 ===
=== Risk Management Questions..3-302 ===
=== SLE vs ALE..3-305 ===
=== Single Loss Expectancy (SLE - one shot)..3-306 ===
=== Annualized Loss Expectancy (ALE - multi-hits)..3-307 ===
=== Quantitative vs Qualitative..3-309 ===
=== Threat Assessment, Analysis & Report to Management..3-311 ===
=== Business Case for Risk Management..3-312 ===
=== Business Case - Applications..3-313 ===
=== Step 1 - Threat Assessment and Analysis..3-314 ===
=== Outsider Attack - Internet..3-316 ===
=== Insider Attack - Internal Net..3-318 ===
=== Insider Attack - Honeypot..3-320 ===
=== Malicious Code..3-321 ===
=== Step 2 - Asset Identification and Valuation..3-322 ===
=== Step 3 - Vulnerability Analysis..3-323 ===
=== Step 4 - Risk Evaluation..3-324 ===
=== Step 5 - Interim Report..3-325 ===
=== Acceptable Risk - Who Decides?..3-326 ===
=== Cost Benefit Analysis..3-327 ===
=== "Final" Report..3-328 ===
[[http://www.security.vt.edu/playitsafe/riskassessmentresources.html]]
===== Cookbook - Internet Security Technologies..2-1 =====
=== Available upon request from Security Office ===
  * Nexpose commercial vulnerability scanner
  * Hawki asset manager
=== Find where IP addresses originate ===
  * ip2location.com
  * dnsstuff.com
====== Day 4 ======
===== Module 19: Encryption 101..4-2 =====
=== Encryption 101..4-3 ===
=== What is Cryptography?..4-6 ===
  * means hidden writing
  * plaintext is a message in its original form
  * Ciphertext is a message in its encrypted form
  * David Kahn, "The Codebreakers"
=== Security by Obscurity is no Security..4-8 ===
  * never believe in a secret proprietary cryptographic algorithm
=== Beware of Overconfidence..4-10 ===
  * large key lengths do not ensure security
=== Credit Cards Over the Internet..4-11 ===
=== The Challenges That We Face..4-13 ===
=== Goals of Cryptography..4-14 ===
=== Digital Substitution (Encryption)..4-16 ===
=== Digital Substitution (Decryption)..4-18 ===
  * a symmetric cryptosystem uses the same key to encrypt and decrypt
=== General Symmetric Encryption Techniques..4-19 ===
  * Substitution
  * Permutation
  * Hybrid
=== Arbitrary Substitution..4-20 ===
=== Rotation Substitution..4-21 ===
  * Usenet uses ROT-13
=== Permutation..4-23 ===
=== Block Ciphers..4-24 ===
  * ECB
  * CBC
  * CFB
  * OFB
=== Stream Ciphers..4-26 ===
  * could be used for VoIP
==== General Types of Cryptosystems..4-28 ====
=== Types..4-29 ===
  * Secret Key
    * Symmetric
    * Single or 1-key encryption
  * Public Key
    * Asymmetric
    * Dual or two-key encryption
  * Hash
    * One-way transformation
    * No key encryption
=== Symmetric Key Cryptosystems..4-30 ===
  * AKA "Secret Key" Encryption
  * DES
  * Triple-DES
  * RC4
  * IDEA
=== Asymmetric Key Cryptosystems..4-32 ===
  * "Public-Key" Encryption
  * RSA
  * ElGamal
  * ECC
=== Diffie-Hellman Key Exchange..4-35 ===
  * Agree on a large prime number, n
  * generator number, g
  * ...
  * algorithms like this are not unbreakable, just not breakable in a reasonable amount of time
=== Hash Functions..4-37 ===
  * No key
  * Primary use: message integrity
  * "weaknesses in Oracle password algorithm"
  * a weakness involves multiple strings resolving to the same hash.
    * marchany, marchan, marcha all could give the same hash. This is bad
==== Steganography..4-39 ====
=== Steganography (Stego)..4-40 ===
  * hides a message in another, like a message in a picture
=== Crypto vs Stego..4-41 ===
=== Detecting Cryptography..4-43 ===
=== Histograms..4-44 ===
=== How Steganography Works..4-45 ===
  * need a host to carry the message, an image or sound file
=== General Types of Stego..4-46 ===
  * Injection..4-47
    * antiword - retrieves deleted text in a Word document
    * hydan
  * Substitution..4-49
  * Generate New File..4-46
    * spammimic.com
  * xrite.com Online Color Challenge
===== Module 20: Encryption 102..4-53 =====
=== Concepts in Cryptography..4-57 ===
  * Tractable problems
  * Intractable problems, cannot be solved in a reasonable time..4-58
    * factoring primes
    * solving the discrete logarithm problem (ElGamal)..4-61
    * Computing elliptic curves (ECC)..4-63
      * low power consumption would be useful on cell phones, PDAs
==== Symmetric & Asymmetric Cryptosystems..4-64 ====
=== DES..4-65 ===
  * began in 1975 (same time Randy started at Tech)
  * O'Reilly "Cracking DES"
=== DES Weakness..4-66 ===
=== DES Advantage..4-68 ===
=== Meet-in-the-middle Attack..4-69 ===
=== Triple DES..4-70 ===
=== AES..4-72 ===
  * Advanced Encryption Standard
  * round is the number of iterations within the algorithm
=== AES Algorithm..4-74 ===
=== AES Basic Functions..4-75 ===
=== AES (2)..4-76 ===
  * DVD encryption secrecy resulted in a crackable system
  * seed numbers make an algorithm secure
=== RSA..4-77 ===
  * center part of SSL
  * cracked systems have been insecure keys or small key length
=== AES vs. DES (Asymmetric vs Symmetric)..4-78 ===
  * speed. DES is about 100 times faster
=== Elliptic Curve Cryptosystems (1)..4-79 ===
  * PDAs, smart phones, appliances, smart cards
=== Elliptic Curve Cryptosystems (2)..4-80 ===
=== Comparing Key Length..4-82 ===
  * important when evaluating vendor encryption
  * bigger may not be better
  * compare symmetric systems with symmetric systems
=== Crypto Attacks..4-83 ===
  * Known plaintext attack
  * Chosen plaintext attack
  * Adaptive chosen plaintext attack
  * Ciphertext only attack
  * Chosen ciphertext attack
  * Chosen key attack
=== Birthday Attack..4-87 ===
  * pairs of messages might share the same hash
===== Module 21: Applying Cryptography..4-90 =====
=== Applying Cryptography..4-91 ===
=== Objectives..4-92 ===
  * Data in transit - VPNs
  * Data at rest - PGP
  * Key management - PKI
=== Virtual Private Networks (VPNs)..4-95 ===
=== Confidentiality in Transit..4-96 ===
  * private network
=== Virtual Private Network (VPN)..4-97 ===
  * data encrypted at one end, ciphertext is transmitted
  * endpoints are the weakness
=== VPN Advantage - "Flexibility"..4-98 ===
=== VPN Advantage - "Cost"..4-99 ===
=== VPN Breakdown..4-100 ===
=== Types of Remote Access..4-101 ===
=== Security Implications..4-103 ===
  * must trust the other end
=== IPSec Overview..4-105 ===
  * IP Security standard for VPNs
  * the term gets blurred with a Windows term
=== Types of IPSec Headers..4-106 ===
  * Authentication Header (AH)
    * ICV computation: AH includes every field that does not change from source to destination
  * Encapsulating Security Payload (ESP)
    * encrypts the entire message including the header
=== Types of IPSec Modes..4-109 ===
  * tunnel mode (site to site VPNs)
    * entire IP packet
  * transport mode (client side)
=== SSL VPNs..4-112 ===
  * requirements for procurement..4-113
=== Examples of Non-IPSec VPNs..4-114 ===
  * ssh
  * L2TP
  * SLIP
  * PPP
  * SOCKS
==== Pretty Good Privacy (PGP)..4-116 ====
=== Confidentiality
in Storage..4-117 === * Phil Zimmerman * entire disk vs file-by-file === On-the-Fly Encryption..4-120 === * data encrypted to be transmitted === Establishing a Key..4-121 === === Choosing a Passphrase..4-122 === === Encrypting Outbound Email..4-123 === === Sample PGP-Encrypted E-mail..4-125 === === Decrypting Inbound E-mail..4-126 === === Signing Outbound E-mail..4-127 === === Confirming a Signed E-mail..4-128 === === Public Key infrastructure (PKI)..4-129 === === What is the business Value of a Public Key Infrastructure?..4-130 === === How PKI Works..4-132 === * repository of digital certificates that is vetted by some personal identification. * root CA * Intermediate CA * Issuing CA * implementation * Microsoft Certificate Services * Entrust Authority * Verizon / Cybertrust UniCert PKI * OpenSSL === Operational Goals of PKI..4-135 * === === Digital Certificates..4-139 * === === Secure Web Traffic (SSL)..4-141 === === PKI SSL Crypto: An Illustration..4-143 * === - Client Web Request - Server Responds - Client validates certificate & Crypto ( this is the step the client can cause failure by accepting the cert) - Client encrypts the session dey - Session key exchange - Server decrypts the session key - Encrypted messages are exchanged === Secure E-mail (S/MIME)..4-145 === === Partial or Whole Disk encryption..4-147 === * Microsoft BitLocker..4-148 === Other Uses of PKI..4-150 === === PGP as 'Web of Trust'..4-151 === === Problems with PKI..4-154 === * Certificate Authorities * expense * certification of the CA === Applying Cryptography: Summary..4-156 === * [[www.pki.vt.edu]] ===== Module 22: Wireless Network Security..4-158 ===== === Wireless Network Security..4-159 === * PDA's * Mobile Phones * Laptops * Pagers * HVAC Control Units * traffic signals * power meters === Wireless Advantages..4-163 === === Vertical Markets..4-165 === * Healthcare * Financial * Academia * Factroies/Industrial * Retail * Wireless Internet Service Providers ==== Bluetooth..4-168 ==== === 
Bluetooth..4-169 === === Bluetooth Specification..4-170 === === Bluetooth Security..4-172 === * 4-16 byte pin * default 0000 or 9999 === Bluetooth Security Issues === * * hackfromacave.com - John Paul's security tools === blueScanner..4-176 === * hcitool bluez-hcidump * merlin and frontline are commercial sniffers === Bluesnarf Attacks..4-177 === === Bluetooth Sniffing Impact..4-178 === === Protecting Bluetooth..4-180 === * non-advertise mode * change pin * Josh Write utube - Eavesdropping on Bluetooth headsets * carwhisperer * bluesnipper * gumstick computer === ZigBee Wireless..4-182 === * HVAC * product tracking * medical device monitoring * Industrial sensors * Home automation === ZigBee Specification..4-183 === * 10-75 meters * 868 MHz, 915 MHz, 2.4 GHz * low power consumption, goal of 10 year service === ZigBee Security..4-185 === === 802.11..4-187 === === IEE 802.11 Wireless..4-188 === === WEP Security..4-190 === * airsnort has been replaced by aircrack (aircrack-ng) === IEEE 802.11i, 802.1x, EAP..4-192 === === 802.1x Authentication..4-193 * === === Wi-Fi Protected Access..4-195 === === Wireless Security..4-196 === * wellenreiter - listens for mac address and spoofs the address for wireless access === General Misconceptions..4-197 === === Top 4 Security Risks for WLAN's..4-203 === === Eavesdropping..4-204 === === Eavesdropping Mitigation..4-205 === * use strong encryption in the lowest layer protocol possible * Design you wireless networks with caution- minimize coverage area * Audit with a sniffer === Masquerading..4-207 === === Masquerading Mitigation..4-209 === * Use SSL/TLS * Educate users on the danger of clicking "Yes" to digital certificate warnings <--Joke? 
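Added example for the hash-function notes in Module 19 ("multiple strings resolving to the same hash") and the Birthday Attack slide in Module 20 above; this is not course material. It runs a birthday search for two different messages whose truncated SHA-256 digests are equal. Truncating a strong hash to a few bits stands in for a weak hash (an assumption of the example, so the collision appears quickly); the attempt count is compared with the birthday bound sqrt(pi/2 * 2^bits) and with the 2^bits work a second preimage of one fixed message would cost. Message names are constructed.

```python
"""Birthday search for a collision in a truncated hash (added example).

Truncating SHA-256 to `bits` bits stands in for a weak hash so that a
collision appears quickly; the number of attempts is compared with the
birthday bound sqrt(pi/2 * 2^bits) and with the 2^bits work a second
preimage of one fixed message would cost.
"""
import hashlib
import math


def truncated_hash(msg: bytes, bits: int) -> int:
    """Return the first `bits` bits of SHA-256(msg) as an integer."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Hash distinct constructed messages until two share a truncated digest.

    Returns (msg_a, msg_b, attempts) with msg_a != msg_b and equal hashes.
    """
    seen = {}  # truncated digest -> first message that produced it
    attempts = 0
    while True:
        msg = prefix + str(attempts).encode()  # constructed message
        attempts += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, attempts
        seen[h] = msg


def birthday_bound(bits: int) -> float:
    """Expected number of hashes before the first collision (any pair)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def second_preimage_bound(bits: int) -> int:
    """Expected hashes to match ONE fixed digest by brute force."""
    return 2 ** bits


if __name__ == "__main__":
    bits = 32
    a, b, n = find_collision(bits)
    print(f"{bits}-bit collision after {n} hashes "
          f"(birthday bound ~{birthday_bound(bits):.0f}, "
          f"second preimage ~{second_preimage_bound(bits)})")
    print(a, b, hex(truncated_hash(a, bits)), hex(truncated_hash(b, bits)))
```

The gap between the two bounds is the whole point of the birthday attack: finding some pair that collides is about the square root of the work of matching one chosen digest, which is why a digest needs twice the bit length you would naively think for collision resistance.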
=== Denial-of-Service Attacks..4-210 ===
=== DoS Attack Mitigation..4-212 ===
=== Rogue APs..4-213 ===
=== Rogue AP Mitigation..4-214 ===
=== Steps to Planning a Secure WLAN..4-216 * ===
  * detection tools:
    * kismet
    * get_essid
=== Protecting Wireless Networks..4-218 * ===
===== Module 23: Voice over IP..4-220 =====
=== VoIP..4-221 ===
=== VoIP Functionality & Architecture..4-223 ===
=== VoIP Overview..4-224 ===
  * phone calls can be routed and transmitted over the data network
  * can be any combination of analog telephone adapters, IP telephones and computers
=== VoIP Risks..4-225 ===
  * external attacks
  * internal misuse
  * theft
  * system malfunction
  * service interruption
=== LAN VoIP..4-227 ===
=== WAN VoIP..4-228 ===
=== VoIP Networking..4-229 ===
=== Advantages of VoIP..4-231 ===
=== Disadvantages of VoIP..4-234 ===
=== VoIP Architecture..4-238 ===
=== VoIP Components..4-240 ===
  * media gateways
  * registration and location servers
  * messaging servers
  * end user devices: VoIP phones, softphones
=== VoIP Traffic Patterns..4-242 ===
=== VoIP Protocols..4-243 ===
  * H.323, SIP
=== VoIP Signaling - H.323..4-245 * ===
  * ...
  * H.239
=== VoIP Signaling - SIP..4-247 ===
  * alternative to H.323
=== SIP Packet Details..4-248 ===
=== SIP Exchange..4-249 ===
=== VoIP Media - RTP..4-251 ===
=== VoIP and TCP vs UDP..4-252 ===
  * base the protocol decision on need; a reliable connection would require TCP
=== Skype..4-253 ===
=== VoIP Challenges..4-254 ===
=== VoIP Operation Challenges..4-255 ===
=== VoIP Security Challenges..4-257 ===
  * caller ID (CID) spoofing
  * privacy attacks
  * phone impersonation
=== VoIP Security Challenges..4-259 ===
  * call hijacking
=== Securing VoIP..4-261 ===
  * SecurityFocus article #1862 [[http://www.securityfocus.com/infocus/1862]]
=== Other services ===
  * Google Voice
===== Module 24: Operations Security..4-264 =====
=== Operations Security (OPSEC) Defensive and Offensive Methods..4-265 ===
=== Management Application - Operations Security (OPSEC)..4-268 ===
=== The Three Laws of Defensive OPSEC..4-270 ===
=== OPSEC Weekly Assessment Cycle..4-271 ===
=== Employee Issues..4-273 ===
=== Employment Agreements..4-275 ===
=== Need to Know..4-277 ===
=== Putting it all together..4-278 ===
=== Sensitive Information..4-280 ===
=== Offensive OPSEC..4-282 ===
  * Bing bird's eye view
  * pipl.com
  * governmentrecords.com
  * magtech software for reading and writing magnetic cards
=== Society for Competitive Intelligence Professionals Code of Ethics..4-290 ===
=== Corporate Information..4-292 ===
=== EDGAR Search..4-293 ===
=== Wayback Search..4-298 ===
=== Company Information from Other Web Sites..4-301 ===
=== Company Financials..4-302 ===
=== Project/Product Information..4-304 ===
=== Individual Information..4-305 ===
  * Intelius
  * county courthouse records
=== What does this mean to me..4-306 ===
=== How to Apply OPSEC - Summary..4-307 ===
  * Google searches
===== Cookbook Tools - Secure Communications =====
=== pgp ===
=== netstumbler ===
=== s-tools ===
  * steganographic tools
    * bmp
    * gif
    * wav
=== Invisible Secrets ===
  * hides information inside
    * jpeg
    * png
    * bmp
    * html
    * wav
  * DoD-compliant shredder
  * 30 day demo
  * added features cost extra
=== xsteg/stegdetect ===
  * xsteg is a GUI front end for stegdetect
  * detects stego from the following:
    * jsteg
    * outguess
    * jphide
    * invisible secrets
    * f5
=== wireshark ===
=== wireshark and VoIP ===
====== Day 5 ======
  * TiddlyWiki JavaScript and CSS [[http://www.tiddlywiki.com]]
  * articles to google:
    * How Mitnick Hacked Tsutomu Shimomura with an IP sequence attack
    * Best Practices for "Forgotten Passwords" Feature
  * truecrypt
    * only one person gets rw access, all others ro
    * put a hidden volume inside a visible truecrypt volume (plausible deniability)
    * PGP NetShare gets around the rw limitation of truecrypt
  * [[http://security.vt.edu/findssnccn.html]]
  * [[http://securiosities.org/tag/secret-question/]]
===== Module 25: The Windows Security Infrastructure..5-2 =====
=== The Windows Security Infrastructure..5-3 ===
=== Windows Operating Systems..5-5 ===
  * Windows Mobile
    * no raw socket access, so no sniffers available
=== Windows XP..5-6 ===
  * XP Home used to ship with a blank admin password
  * SP2 started shipping with security features enabled
=== Windows Server 2003..5-9 ===
=== Windows Vista & Windows 7..5-11 ===
=== Windows Server 2008..5-14 ===
  * same code base as Vista
  * PowerShell
  * Hyper-V
=== Windows Mobile..5-17 ===
  * no raw socket support, so no sniffer can be written for it
    * therefore, no IDS would be available
  * showing up in embedded systems
  * Windows Mobile Security Best Practices..19 *
=== Windows Workgroups and Accounts..5-21 ===
==== Workgroups..5-22 ====
  * no domain controller
=== Workgroups: Benefits..5-24 ===
=== Workgroups: Drawbacks..5-25 ===
  * users are creatively careless
=== Managing Local Accounts..5-26 ===
  * wmic
  * netsh
=== Security ID Numbers (SIDs)..5-27 ===
  * SIDs for common accounts are well known, like Administrator and Everyone
  * changing the name of these common accounts is a minimal security gain
    * it might lessen brute-force attacks
    * it could also lessen the log entries
=== Your Security Access Token (SAT)..5-29 ===
  * whoami.exe /all /fo list
=== To Form a More Perfect Workgroup..5-31 ===
==== Windows Active Directory and Group Policy..5-33 ====
=== Active Directory Domains..5-34 ===
  * master database for machines and users
  * similar to NIS+
  * partial list of what can be stored in Active Directory..5-36 *
=== Authentication Protocols (1 of 3)..5-37 ===
  * 4 parts of SAT..5-37 *
=== Authentication Protocols: Kerberos (2 of 2)..5-39 ===
  * default authentication protocol
  * NTLM only used when necessary
  * ticket encrypted based on the user's passphrase
    * vulnerable to brute-force cracking, last paragraph..40 *
  * [[http://ntsecurity.nu]]
=== Forests and Trusts..5-42 ===
  * ..43 2nd paragraph [[http://www.microsoft.com/activedirectory]]
=== The Nature of Trust..5-44 ===
=== Cross-Forest Trusts..5-46 * ===
=== Group Policy..5-48 ===
=== How Group Policy Works..5-49 ===
  * GPOs applied at boot-up, at logon and at 90-120 minute intervals
===== Module 26: Service Packs, Hotfixes and Backups..5-53 =====
=== Service Packs..5-56 ===
  * it's a giant patch
  * do staged roll-outs and check for problems
=== Slipstreaming..5-58 ===
  * nLite helps with this
=== Hands-Free Service Packs..5-59 ===
=== Hotfixes..5-61 ===
=== E-mail/Newsfeed Bulletins..5-62 ===
  * microsoft.com/security
=== Installing Multiple Hotfixes..5-63 ===
=== Organize Hotfixes..5-64 ===
=== BATCH.BAT..5-65 ===
=== Microsoft Update..5-67 ===
=== Windows Update..5-68 ===
  * http://vtnet.vt.edu
=== Windows Server Update Services (WSUS)..5-69 ===
=== How does WSUS work..5-71 ===
=== WSUS Administration..5-72 * ===
=== 3rd-Party Patch Management..5-74 ===
  * [[http://www.windowsitpro.com]]
  * for remote offices or disconnected remote sites: heise do-it-yourself service pack [[http://www.h-online.com/security/Do-it-yourself-Service-Pack--/features/80682]]
==== Windows Backup and Restore..5-76 ====
=== Importance of Backups for Security..5-77 ===
=== Windows XP/2003 Backup..5-78 * ===
  * ntbackup.exe came from Veritas
=== System State Backup..5-80 ===
  * Windows 7 will allow system state backup over the network
=== Windows Vista/2008/7 Backup..5-81 ===
  * robocopy (Vista/2008/7)
  * wbadmin (2008)
=== Third-Party Backup Solutions..5-84 ===
=== Binary Disk Images..5-85 ===
=== System Restore..5-86 * ===
  * system restore snapshot times
=== Previous Versions..5-89 ===
=== Device Driver Rollback..5-91 ===
=== Summary..5-92 ===
=== comment ===
To clean up a new system:
  * [[http://www.pcdecrapifier.com/]]
===== Module 27: Windows Access Controls..5-94 =====
==== Windows Access Controls..5-96 ====
=== NTFS Overview..5-98 * ===
=== NTFS DACLs..5-100 ===
=== Advanced Security Settings for ACEs * ===
  * by default, deny overrides allow
  * inherited..5-103 *
=== NTFS Owners..5-104 ===
=== Principle of Least Privilege..5-106 ===
  * needs analysis
=== AGULP..5-108,5-109 * ===
=== AD Users and Computers..5-110 ===
=== Shared Folder Permissions..5-112 ===
  * net help share
=== Hidden and Administrative Shares..5-115 ===
=== Combining NTFS and Share DACLs..5-117 * ===
  * calculate the effective permissions of a user
=== What is the Registry?..5-119 ===
=== Remote Registry Service..5-120 ===
  * enabled by default
=== Registry DACL..5-122 ===
=== Active Directory Permissions..5-123 ===
=== Delegation of Authority in AD..5-125 ===
=== Mandatory Integrity Control (MIC)..5-127 * ===
  * medium is the default
=== User Rights..5-129 ===
  * ..5-130,5-132 *
=== Encrypting File System..5-137 ===
  * can prevent Linux boot disk access
  * cipher.exe
=== EFS Implementation Details..5-139 * ===
=== EFS Key Recovery..5-140 ===
=== EFS Best Practices..5-142 ===
=== BitLocker Overview..5-144 ===
=== Trusted Platform Module..5-146 ===
  * a motherboard failure would render the data inaccessible
=== BitLocker TPM Options..5-148 ===
=== Disabling vs Turning Off..5-150 ===
  * when BitLocker is disabled (rather than turned off), the decryption key is stored in plaintext on the drive
=== Emergency Recovery..5-151,5-153 * ===
===== Module 28: Enforcing Security Policy..5-156 =====
=== Security Templates..5-159 * ===
  * keep track of the template directory with Tripwire
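Added example for the Module 27 notes on ACEs ("by default, deny overrides allow", inherited ACEs) and on combining NTFS and share DACLs ("calculate the effective permissions of a user"); it is not course material. It models the canonical ACE order Windows evaluates: explicit deny, explicit allow, inherited deny, inherited allow. A deny met before an allow for the same right wins, an explicit allow survives an inherited deny, and access through a share is the intersection of the share permissions and the NTFS permissions. The right names, the user and group names and both sample ACLs are constructed for the example; generic rights, object-specific ACEs and the owner's implicit rights are left out.

```python
"""Effective-permission calculation across NTFS and share DACLs (added example).

Models the canonical ACE order Windows uses when it evaluates a DACL:
explicit deny, explicit allow, inherited deny, inherited allow.  A deny
reached before an allow for the same right wins; an explicit allow survives
an inherited deny.  Remote access through a share is the intersection of
share permissions and NTFS permissions.  Names and ACLs are constructed.
"""
from dataclasses import dataclass

READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER = (
    "read", "write", "execute", "delete", "change_permissions", "take_ownership")
FULL_CONTROL = frozenset({READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER})

# Share-level permissions are a flat ACL with three possible levels.
SHARE_LEVELS = {
    "Read": frozenset({READ, EXECUTE}),
    "Change": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": FULL_CONTROL,
}


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group name
    allow: bool              # True = allow ACE, False = deny ACE
    rights: frozenset        # rights this ACE grants or denies
    inherited: bool = False  # inherited from a parent object?


def canonical_order(acl):
    """Explicit denies, explicit allows, inherited denies, inherited allows."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def effective_rights(acl, principals):
    """Maximum rights for a principal set (the user plus every group it is in)."""
    granted, denied = set(), set()
    for ace in canonical_order(acl):
        if ace.trustee not in principals:
            continue
        if ace.allow:
            granted |= ace.rights - denied   # an earlier deny blocks this allow
        else:
            denied |= ace.rights - granted   # an earlier allow survives this deny
    return frozenset(granted)


def effective_share_access(ntfs_acl, share_acl, principals):
    """Access a remote user actually gets: share rights AND NTFS rights."""
    return effective_rights(ntfs_acl, principals) & effective_rights(share_acl, principals)


# Constructed sample: a departmental folder exposed as a share.
NTFS_ACL = [
    Ace("Domain Admins", True, FULL_CONTROL, inherited=True),
    Ace("Finance", True, frozenset({READ, EXECUTE, WRITE, DELETE}), inherited=True),
    Ace("Interns", False, frozenset({WRITE, DELETE}), inherited=True),  # inherited deny
    Ace("alice", True, frozenset({WRITE}), inherited=False),           # explicit allow
]
SHARE_ACL = [
    Ace("Finance", True, SHARE_LEVELS["Change"]),
    Ace("Everyone", True, SHARE_LEVELS["Read"]),
    Ace("Interns", False, frozenset({DELETE})),
]


if __name__ == "__main__":
    alice = {"alice", "Finance", "Interns", "Everyone"}   # an intern in Finance
    carol = {"carol", "Everyone"}                         # not in Finance at all
    print("alice local :", sorted(effective_rights(NTFS_ACL, alice)))
    print("alice remote:", sorted(effective_share_access(NTFS_ACL, SHARE_ACL, alice)))
    print("carol remote:", sorted(effective_share_access(NTFS_ACL, SHARE_ACL, carol)))
```

Two things the sample makes visible: alice keeps write because her explicit allow is evaluated before the inherited deny on Interns, while delete is blocked by that same deny; carol gets Read on the share but nothing at all remotely, because the NTFS DACL grants her nothing and the share cannot add rights NTFS withholds.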
  * CIS scoring tool..5-162,5-163
=== SCA Snap-In..5-164 ===
  * there is no undo
=== SECEDIT.EXE..5-166 ===
=== Local Group Policy Object..5-167 ===
=== GPO Security Settings..5-169 ===
=== GPO Scripts..5-170 ===
  * activestate.com
  * loopback policy processing mode
=== Administrative Templates..5-171 ===
  * if there is a conflict between user and computer settings, usually the computer wins
=== Domain Group Policy Objects..5-173 ===
  * gpupdate /force /sync
=== Default Domain and OU GPOs..5-175 ===
=== Checklist of GPO Settings..5-176 * (for audit) ===
=== GPO > Passphrase Policy..5-177 ===
=== GPO > Lockout Policy..5-179 ===
=== GPO > Security Options..5-180,5-183 ===
=== Anonymous Access..5-184 ** check ===
  * net.exe use \\address\IPC$ "" /user:""
  * null users are not used as much on later OSs
=== Kerberos & NTLMv1..5-186 ===
  * don't use!
=== Kerberos & NTLMv2..5-187 ===
=== The Guest Account..5-188 ===
=== Administrative Accounts..5-190 ===
  * Randy does not recommend 4 or 6 on the slide
=== Software Restriction Policies..5-192 ===
  * Windows 7: AppLocker
=== User Account Control..5-195 ===
=== Internet Explorer Security..5-198 * ===
  * folders assigned the Low MIC label contain "Low" in their name
=== Internet Explorer Security..5-201 ===
  * Internet Zone
  * Trusted Sites Zone..5-203
  * SmartScreen Filter and XSS Filter
===== Module 29: Windows Network Services..5-207 =====
=== The Best Way to Secure a Service..5-210 ===
=== How to Disable a Service..5-211 ===
  * Services applet
  * security template
  * GPO
  * SC.EXE
=== Security Configuration Wizard..5-214 ===
  * Windows XP services that can be disabled [[http://www.digitalmediaminute.com/article/1841/windows-xp-services-that-can-be-disabled]]
  * blackviper [[http://www.blackviper.com/]]
=== Server Manager..5-218 ===
=== Network Adapter Bindings..5-220 ===
=== Do I Still Need NetBIOS?..5-222 ===
  * restrict to campus or subnet
  * don't let requests off campus or subnet
  * nbtstat.exe -A ipaddress
  * refer to the table on page 5-223 *
=== Key Protocols..5-226 ===
  * SMB TCP/139/445
  * RPC TCP/135
  * LDAP TCP/389/636/3268/3269
  * Kerberos TCP/UDP/88
=== More Key Protocols..5-228 ===
=== The Windows Firewall in Vista/2008/7..5-230 ===
=== Network Location Types..5-232 * ===
=== Managing Firewall Rules..5-234 ===
  * order in which firewall rules are processed..5-235,5-236 *
==== Windows IPSec & other VPNs..5-238 ====
=== Internet Protocol Security..5-239 ===
=== Command-Line IPSec Tools..5-240 ===
=== IPSec & Group Policy..5-242 ===
=== Group Policy Example..5-243 ===
=== Virtual Private Networking..5-245 ===
  * never use PPTPv1 or NTLM
    * these could be required by embedded devices that cannot be updated
  * Windows VPN Client..5-247
=== Routing and Remote Access Service..5-249 ===
==== Windows IIS Security..5-251 ====
=== Securing Internet Information Server (IIS)..5-252 ===
=== Use a Minimal Patched Install..5-253 ===
  * the GUI is almost required to get it to do anything
=== Separate NTFS Volumes for Web Content..5-255 ===
  * very important
  * makes backup easier
=== Require a Host Header..5-257 ===
=== Remove Unused Handler Mappings..5-259 ===
=== Folders Not to Have..5-261 ===
=== IIS Access Controls..5-263 ===
=== Some Questions for Your Web Developers..5-267,5-270 * ===
=== SQL Server Security Tips..5-271,5-272 * ===
  * validate and sanitize all user input before letting it touch the server
==== Remote Desktop Services..5-273 ====
=== Remote Desktop Services..5-274 ===
  * TCP port 3389
=== RDP Best Practices..5-278 ===
  * investigate Citrix as a cross-platform alternative
===== Module 30: Automation, Auditing and Response..5-285 =====
==== Windows Automation and Auditing..5-286 ====
=== Automation..5-289 ===
=== The Support Tools..5-290,5-291 ===
=== Microsoft Resource Kits..5-292 ===
=== WMIC.EXE..5-297 ===
  * wmic.exe process list full
=== Network Configuration Tools..5-302 ===
  * netsh.exe
=== Other Free Toolsets..5-304 ===
  * whatsrunning [[http://www.whatsrunning.net/]]
  * activeports
=== Scripting Support And *NIX Tools..5-306 ===
=== Microsoft PowerShell..5-310 ===
  * windowsitpro.com has tutorials
=== Push Scripts with Group Policy..5-312 ===
=== Scheduling Jobs..5-314 ===
=== Auditing..5-316 * ===
=== Verifying Policy Compliance..5-317 ===
=== The SCA Snap-In Again.. ===
=== SECEDIT.EXE..5-320 ===
=== Microsoft Baseline Security Analyzer..5-322,5-323 * ===
=== MBSACLI.EXE..5-326 ===
=== Windows Defender..5-328 ===
=== Creating Snapshots..5-330 ===
=== Snapshot Batch Script..5-334,5-335,to 5-338 ===
  * [[http://www.windowspowershelltraining.com/downloads/scripts.zip]]
=== Gathering Ongoing Data..5-339 ===
  * event log scanning tools
    * ossec [[http://en.wikipedia.org/wiki/OSSEC]]
    * Microsoft Log Parser [[http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx]]
=== Security Event Log and Audit Policies..5-341 * ===
=== NTFS, Registry and Printer SACLs..5-343 ===
=== What Objects Should be Audited?..5-346 * ===
  * running security tools while monitoring the logs reveals what a given attack looks like in the logs, i.e. its signature
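Added example for the "Gathering Ongoing Data" and "What Objects Should be Audited?" notes above (event log scanning, recognising an attack's signature in the logs) together with the lockout-policy discussion in Module 28; it is not course material or a Log Parser script. It runs a sliding-window check over constructed security-log records and flags a source that produces a burst of failed logons, noting whether a successful logon from the same source followed (the shape a guessed password leaves behind). 4625 and 4624 are the real Vista/2008 failed-logon and successful-logon event IDs; the four-column CSV shape, the account names and the addresses are assumptions of the example.

```python
"""Sliding-window detection of logon-failure bursts (added example).

Records are a constructed CSV export in the shape
(timestamp, event id, account, source).  4625 is the Vista/2008
"An account failed to log on" event and 4624 the successful logon.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# Constructed sample: one password-guessing burst that ends in a success,
# one burst spread over several accounts, and scattered innocent failures.
SAMPLE_CSV = """timestamp,event_id,account,source
2009-06-15 09:00:01,4624,alice,192.0.2.10
2009-06-15 09:01:10,4625,jdoe,192.0.2.44
2009-06-15 09:01:11,4625,jdoe,192.0.2.44
2009-06-15 09:01:12,4625,jdoe,192.0.2.44
2009-06-15 09:01:13,4625,jdoe,192.0.2.44
2009-06-15 09:01:14,4625,jdoe,192.0.2.44
2009-06-15 09:01:15,4625,jdoe,192.0.2.44
2009-06-15 09:01:40,4624,jdoe,192.0.2.44
2009-06-15 09:30:00,4625,bob,192.0.2.10
2009-06-15 10:00:00,4625,u1,198.51.100.7
2009-06-15 10:00:01,4625,u2,198.51.100.7
2009-06-15 10:00:02,4625,u3,198.51.100.7
2009-06-15 10:00:03,4625,u4,198.51.100.7
2009-06-15 10:00:04,4625,u5,198.51.100.7
2009-06-15 11:30:00,4625,bob,192.0.2.10
"""


def parse_records(text):
    """Parse the CSV export into dicts sorted by timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "account": row["account"],
            "source": row["source"],
        })
    return sorted(rows, key=lambda r: r["ts"])


def detect_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed logons inside `window`.

    Returns {source: {"first_seen", "failures", "accounts", "success_after"}}.
    `failures` is the largest number of failures seen in one window and
    `success_after` is set when a 4624 from that source follows the burst.
    """
    recent = defaultdict(deque)   # source -> (timestamp, account) of recent failures
    alerts = {}
    for r in records:
        src = r["source"]
        if r["event_id"] == FAILED_LOGON:
            q = recent[src]
            q.append((r["ts"], r["account"]))
            while q and r["ts"] - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {"first_seen": q[0][0], "failures": 0,
                                                "accounts": set(), "success_after": False})
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"].update(account for _, account in q)
        elif r["event_id"] == SUCCESS_LOGON and src in alerts:
            alerts[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_bursts(parse_records(SAMPLE_CSV)).items():
        print(src, info["failures"], "failures from", info["first_seen"],
              "accounts:", sorted(info["accounts"]),
              "success afterwards:", info["success_after"])
```

The two alerts differ in a way worth keying on: one source hammers a single account and then logs in, the other touches many accounts once each and stays below any per-account lockout counter, which is why the detector keys on the source rather than on the account.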
=== Log Size and Wrapping Options ===
  * KB183097
=== Log Consolidation..5-350 ===
=== IIS Logging..5-352 ===
=== Change Detection and Analysis..5-355 ===
===== Cookbook - Windows Security..5-358 =====
=== nmap scans ===
  * nmap SYN: -sS, UDP: -sU, Xmas: -sX, FIN: -sF
==== Cookbook ====
=== SCA ===
=== BSA ===
=== CIS ===
====== Linux Security - Day 6 ======
===== Module 31: Securing Linux/Unix..6-3 =====
=== fog ===
  * Free Opensource Ghost [[http://www.fogproject.org]]
  * [[http://www.hfslip.org]] for slipstreaming XP, 2003
  * nLite, vLite
==== Securing Linux/Unix..6-3 ====
=== Operating System Overview..6-5 ===
=== Kernel..6-6 ===
  * the most important thing to protect from a security point of view
=== File System Structure..6-7 ===
  * the root structure is independent of drives
=== File System Structure..6-8 ===
  * only one root, denoted by /
=== Shell..6-9 ===
  * three basic shells
  * sh was the native shell
=== Examples of Shells..6-10 ===
  * sh
  * csh
  * bash
  * ksh
  * tcsh
  * for Windows, COMMAND.COM
=== Commands You Need to Know..6-11,6-12 * ===
  * pwd..6-13
  * cd..6-14
  * ls..6-15
  * touch / clear..6-16
  * cat..6-17
  * mv..6-18
  * cp..6-19
  * mkdir..6-20
  * rmdir..6-21
  * rm..6-22
  * su..6-23
  * find..6-26
  * grep..6-27
    * generic regular expression program
  * man
  * VMS moved from DEC to Windows NT (VMS -> WNT, one letter off) (IBM -> HAL, one letter off, in Arthur C. Clarke's Space Odyssey saga)
=== Unix File Permissions..6-29 ===
  * ls -l
    * - regular file
    * d directory
    * l link
    * c character device
    * v
  * w implies delete
  * x execute, or list directory
=== Unix File Permissions..6-31 * ===
  * permissions have different meanings depending on whether the target is a file or a folder
  * chmod..6-32
  * setuid..6-33
    * runs a program with the owner's permissions
    * for example passwd modifies /etc/passwd, which is not writable by users
    * don't have shell scripts with suid set, especially if the owner is root; aborting the script can leave the user in a root shell
  * 4 suid, 2 sgid, 1 sticky
  * a capital S means the special bit is set but x is not
  * chmod..38 chmod nnnn
  * chown/chgrp
=== Group Management..6-40 ===
  * newgrp
  * groupadd
  * groupdel
=== /etc/group..6-41 ===
  * gpasswd..6-42
  * id..6-44 uid=500(steve) gid=500(steve) groups=500(steve) context=user_u:system_r:unconfined_t
=== passwd File "good old days"..6-45 ===
  * hash string stored in the passwd file
  * @Large book on password cracking
=== Passwd/shadow..6-46 ===
  * AIX
    * /etc/passwd
    * /etc/security/passwd
  * FreeBSD
    * /etc/passwd
    * /etc/master.passwd
  * HP-UX
    * /etc/passwd
    * /etc/files/auth/root
  * Linux (RedHat) & Solaris
    * /etc/passwd
    * /etc/shadow
=== passwd File..6-47 * ===
=== shadow File..6-48 * ===
=== useradd..6-49 ===
  * some flavors - adduser
=== Enabling Password Aging..6-50 ===
  * /etc/login.defs
  * /etc/default/useradd
=== Account Password Info..6-52 ===
  * chage -l
=== Enforce Stronger Passwords..6-53 ===
=== Restricting Use of Previous Passwords..6-54 ===
=== Locking User Accounts After Too Many Login Failures..6-55 ===
=== Process Status (ps)..6-56 ===
  * ps -aux |more
=== Process Status (ps)..6-57 ===
  * USER
  * PID
  * %CPU
  * %MEM
  * VSZ
  * STAT
  * START
  * TIME
  * COMMAND
=== netstat..6-59 ===
=== Backup with dd..6-61 ===
===== Module 32: Securing Linux/Unix..6-63 =====
=== How Unix Systems Boot..6-65 ===
  * 1st stage is the MBR
  * 2nd stage
=== Boot Loader..6-69 ===
  * lilo
  * grub
=== Run Levels..6-70,6-71 * ===
=== inittab..6-72 ===
=== Run Condition Directory..6-73 ===
  * rc files and directories
  * scripts in /etc/init.d
  * rc directories have links to these scripts
=== init.d..6-74 ===
  * Solaris 10 uses SMF instead of rc
=== Service Management..6-75 ===
=== Patch a Disabled Service?..6-76 ===
=== service command..6-77 ===
=== chkconfig..6-78 ===
  * lists services at each run level
=== How Are Services Started..6-79 ===
  * at boot time
  * automatically by inetd/xinetd
  * cron
  * command line
=== Common Services..6-80 ===
  * file sharing - NFS and Samba
  * naming - NIS/NIS+, DNS
  * RPC
  * internet
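Added example for the Unix file permission notes in Module 31 above (the setuid discussion, the 4/2/1 special bits and the "capital S means x is not set" rule); it is not course material. It decodes a numeric mode into the `ls -l` permission string, reports the three special bits by name, and includes the audit check the notes ask for: a setuid file owned by root whose content starts with `#!`. The function names and the sample modes are constructed; on a real system the mode and owner come from `os.stat(path).st_mode` and `.st_uid`.

```python
"""Decode a numeric Unix mode into the `ls -l` permission string (added example).

Covers the setuid (4), setgid (2) and sticky (1) bits of the leading octal
digit and the capital-S / capital-T convention for a special bit that is set
without the corresponding execute bit.  Output matches Python's stat.filemode.
"""
import stat

FILE_TYPES = {
    stat.S_IFREG: "-", stat.S_IFDIR: "d", stat.S_IFLNK: "l", stat.S_IFCHR: "c",
    stat.S_IFBLK: "b", stat.S_IFIFO: "p", stat.S_IFSOCK: "s",
}

# (read bit, write bit, execute bit, special bit, letter shown when set)
TRIPLETS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
)


def mode_string(mode: int) -> str:
    """Render `mode` the way `ls -l` does, e.g. 0o104755 -> '-rwsr-xr-x'."""
    out = [FILE_TYPES.get(stat.S_IFMT(mode), "?")]
    for r, w, x, special, letter in TRIPLETS:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            # lowercase s/t: special bit and execute both set
            # uppercase S/T: special bit set but execute is not
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def special_bits(mode: int) -> dict:
    """The three special bits as named flags (4 = suid, 2 = sgid, 1 = sticky)."""
    return {
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "sticky": bool(mode & stat.S_ISVTX),
    }


def is_setuid_root_script(mode: int, owner_uid: int, header: bytes) -> bool:
    """Audit check for the case the notes warn about: a regular file that is
    setuid, owned by root (uid 0) and starts with '#!' (an interpreted script)."""
    return (stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)
            and owner_uid == 0 and header.startswith(b"#!"))


if __name__ == "__main__":
    # Constructed sample modes: plain file, setuid binary, setuid without x,
    # setgid binary, sticky world-writable directory, sticky dir without x.
    for m in (0o100644, 0o104755, 0o104644, 0o102755, 0o041777, 0o041776):
        print(f"{m:07o} {mode_string(m)} {stat.filemode(m)} {special_bits(m)}")
    print(is_setuid_root_script(0o104755, 0, b"#!/bin/sh\n"))
```

To apply the audit check to a real path, read `st_mode` and `st_uid` from `os.stat` and the first two bytes of the file; a hit is a finding to remove the setuid bit from, not a mode to explain away.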
=== Network File System..6-81 ===
  * UDP port 2049
=== NFS..6-82,6-83 ===
  * different machines can have different users with the same UID
=== Samba..6-84 ===
  * uses SMB to share with Windows clients
=== DNS Basics..6-85 ===
  * a DNS server checks its cache first, then goes out to the root servers
=== Network Information Service (NIS)..6-86 ===
  * used to be called Yellow Pages (yp)
=== Remote Procedure Call..6-88 ===
=== Remote Procedure Call in Action..6-89 ===
=== Port Mapper..6-90 ===
=== Other RPC Services..6-91 ===
  * lockd
  * statd
  * automountd
  * rsh
  * rcmd and rexd
=== Inetd/xinetd..6-92 ===
=== inetd..6-93 ===
=== xinetd..6-95 ===
=== xinetd Key Files/Directory..6-96 * ===
=== tcpwrappers..6-98 ===
  * gave a method of access control for services started by inetd
===== Module 33: Securing Linux/Unix..6-106 =====
==== Logs and Log Management ====
  * showing the use of log files for business decisions will build confidence in the logs, even for legal matters
=== Important Log Files..6-108 ===
=== WTMP Log..6-109 ===
  * /var/log/wtmp
  * logins and logouts
  * the last command pulls from here
=== UTMP Log..6-110 ===
  * w, finger and who
  * updated by the login program
=== utmp "w" output..6-112 ===
=== Lastlog..6-113 ===
=== SULOG..6-114 ===
  * /var/adm/sulog
=== HTTP Logs..6-116,6-117 * ===
=== Messages (SYSLOG)..6-118 ===
=== Messages..6-119 * ===
=== The syslogd..6-120 ===
  * /etc/syslog.conf
=== syslog.conf..6-122 ===
  * Facilities..6-123
  * Levels..6-124
  * Actions..6-125
=== Secure Log..6-126 ===
=== Example of a Secure Log after a Scan..6-127 ===
=== FTP Logs..6-128 ===
=== Maillog..6-132 ===
===== Module 34: Securing Linux/Unix..6-136 =====
==== Patch Management ====
=== Why Patch..6-138 ===
=== Be Careful..6-139 ===
=== Finding Out About Patches..6-140 ===
=== Using apt..6-141 ===
=== RPM..6-143 ===
  * rpm -q
  * rpm --initdb
  * rpm --rebuilddb
=== GUI Tools..6-145 ===
=== Other O/S..6-146 ===
===== Module 35: Securing Linux/Unix..6-148 =====
==== Security Enhancement Utilities ====
=== Tripwire..6-150 ===
=== Tripwire Attribute Tracking..6-151 ===
=== Tripwire Common Commands..6-152 ===
=== iptables..6-153 ===
== Mangle..6-154 ==
== filtering..6-155 ==
== nat..6-156 ==
== Custom Chains..6-157 ==
== rules..6-158,6-159 * ==
== iptables -L (list)..6-160 ==
  * iptables -L -n
== iptables -F (flush)..6-161 ==
==== Additional Security Options..6-162 ====
  * boot loader password
  * ps
  * netstat
  * SELinux
  * AppArmor
=== Security-Enhanced Linux (SELinux)..6-164 ===
== Parts of SELinux..6-165 ==
== How to Enforce..6-166 ==
== DAC & SELinux Policy..6-167 ==
== MLS/MCS..6-168 ==
== SELinux Commands..6-169 ==
== sestatus..6-170 ==
== chcon & semanage..6-171 ==
== restorecon..6-172 ==
== audit2allow..6-173 ==
== getenforce..6-174 ==
== setenforce..6-175 ==
== Other Approaches..6-176 ==
  * AppArmor
===== Glossary of Terms..6-181 =====
===== Other =====
  * Center for Internet Security CIS tool [[http://www.cisecurity.org/]]
  * katana [[http://www.hackfromacave.com]]
  * [[ronin@shadowcave.org]]