Wednesday, April 7, 2010

Moving the blog to a new home!


 
Blogger is a great platform and has worked well for me over the past few months, but recently I was given the opportunity to be a part of http://securegossip.com/about/ and I humbly accepted. In short, SecureGossip was created to unite security and IT blogs (secure coding, system administration, and everything else that leads to complete security) under one roof.

I hope all my readers will join me and subscribe to the new feeds, leave comments and just make http://infolookup.securegossip.com/ your new home.

Thank you to all the current readers; I hope to reach more readers on this new platform. I will keep this blog up for a while before taking it down, but all new posts will be on the new site.

Again Thank you all!

Thursday, April 1, 2010

Who do you trust to find your ADS?


What are ADS, or alternate data streams?

Alternate data streams allow more than one data stream to be associated with a filename, using the filename format "filename:streamname" (e.g., "text.txt:extrastream"). Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size. Only the main stream of a file is preserved when it is copied to a FAT-formatted USB drive, attached to an e-mail, or uploaded to a website. As a result, using alternate streams for critical data may cause problems.



Why you should care about ADS?

One reason you should care is that, even though this technique has been around for quite some time, it still has a very high rate of success when used in a piece of malware. The ability to hide behind a known system file without changing its reported size can be very deceiving.



Another important reason, as stated by http://www.rootkitanalytics.com/, is that because of the hidden nature of ADS, attackers have been using this method to secretly store rootkit components on a compromised system without being detected. For example, the infamous rootkit 'Mailbot.AZ', aka 'Backdoor.Rustock.A', hid its driver file in the system32 folder (C:\Windows\system32) as a stream named '18467'.


Below is a brief illustration of what this looks like:




Now, before you start worrying, there is hope on the horizon thanks to tools like "StreamArmor".


What is Stream Armor you might ask? 


StreamArmor is a sophisticated tool for discovering hidden alternate data streams (ADS) and cleaning them completely from the system. Its advanced auto-analysis, coupled with an online threat verification mechanism, makes it the best tool available on the market for eradicating evil streams. StreamArmor comes with a fast multi-threaded ADS scanner which can recursively scan the entire system and quickly uncover all hidden streams. All discovered streams are represented using a specific color pattern based on threat level, which makes it easy for the human eye to distinguish between suspicious and normal streams.


Or, as I prefer to call it, the first step in the right direction... Don't get me wrong, there are other great tools out there like Streams from Microsoft or GMER, but after using StreamArmor recently I don't see how I could go back to those tools.


I decided to see how StreamArmor would perform when compared to two of its competitors (Streams and GMER). I created several ADS samples and split them up into two folders on my C drive, then scanned both folders with each program twice.


My sample streams included the following:
  • 12 streams in total
  • I placed various files (exe, png, and avi) behind a few .txt, .doc, .bmp and .pub documents.
  • I then encrypted one of those files and zipped two of them (one with Windows 7 built-in compression and the other with WinRAR).

Microsoft Streams results: 9 out of 12


Gmer scan results: 5 out of 12


StreamArmor results: 9 out of 12

                                              
In the end both StreamArmor and MS Streams found 9 out of 12; none of them found the ADS that were zipped, or the one that was encrypted (not that I expected the encrypted file to be discovered). At this point I am as confident as when I started writing this post: StreamArmor is my preferred choice. It exports great reports, custom scans are easy to run, and overall the results are not difficult to interpret.

For further reading and examples visit the links below:

http://www.auscert.org.au/render.html?it=7967 


http://www.irongeek.com/i.php?page=security/altds


http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

http://www.gmer.net/

http://www.rootkitanalytics.com/tools/streamarmor.php




Tuesday, March 30, 2010

[Guest Post] Technology replaces the Technician

This posting initially started off as a discussion on the "Yahoo Computer Business group" by Hank Cranmore from http://www.mobitech4u.com/corporateservices.html. The discussion was about cloud computing and the damaging effects it will soon have on most computer technicians' businesses. This is due in part to how affordable it is to run your small business virtually from the cloud, which drastically reduces the need for support contracts, let alone on-site technical support.


Technicians are people skilled in a particular area. They serve their purpose in the strategic sense of demand and need until eventually, as with all things like this before, down thru history, technology replaces the technician.

Let me repeat that, "Technology replaces the technicians".

To make it worse, technicians are historically weak during periods of economic downturns or other disasters that destabilize their ability to continue to do what they do in the face of a more efficient and cheaper competitor.

Here are some favorite examples of mine from history of when technology replaces technicians in the past.

Example #1 - Spinning thread. In today's terminology a person who is skilled at spinning fibers by hand into thread or yarn would be labeled a Spinning Tech. They were replaced by a series of rapidly evolving technology. But not to fear, those that did not starve to death got jobs by the thousands working 12 hour shifts tending to the machines of the textile factories that replaced them.

Example #2 - Computer. Not our modern day computers, but people who in a time of great illiteracy could perform math computations with great skill. The word computer has existed since at least 300 AD. Up until the point in time they were replaced by machines, human computers were employed wide and far. They were the first computer techs. The first computer business was similar to a CPA but was not limited to money. A business could send a batch of calculations to the corner computer shop and it would be processed by hand, by computer techs into final numbers. One of the largest calculations in history processed by human computers was 21,000 pages long and took 7 years to complete. Something had to change. The first computer techs were put out of business by machines set in motion by Charles Babbage. Not sure what happened to those techs, but it was just in time for WW I, the great depression labor camps (CCC), WW II and the growth of Corporations.

What will replace the computer tech? Technology!

Ever hear of a calculator tech lately? Nope!

The calculator on my desk is cheap, disposable and now that I think of it, I don't even need to change the battery. It could run forever! If I break it, I replace it. All I need to do is to buy it and operate it.

If I did break it and did not have time to go buy another one, I would just turn to a virtual calculator on my computer or a calculator app out on the internet, or "The Cloud".

But what if that little calculator could also be any business machine I needed it to be? An internet interface?

The ultimate end of computer techs will be the "Walmart" scenario. When replacing your internet interface is as cheap and easy as going to the corner Walmart, picking the color and style of your choice and paying less than a new shirt to replace the shirt you lost as a computer tech.

Prior to that, as the work and demand goes away, former techs will work by the thousands for tech mills such as central repair depots, remote support centers and Onforce type dispatch services. Again awaiting the final "Walmart" stage.

Freelance techs can evolve into Technology Consultants and then Technology Consultants can evolve into Business Consultants.

Eventually, virtual hardware and software activation cards hanging on hooks at Walmart like gift cards will replace most technology consultants and then preconfigured activation "suites/packages" cards will threaten most business consultants.

But do not worry. History has proven that techs will be taken care of one way or the other after they are replaced.

Independence? Many weavers and spinners enjoyed great independence while it lasted. When it ended, it was bad. Ironically, it was only when weavers were without work that the last "die hards" focused on becoming experts at marketing and sales as a last resort to bring in more business. Eventually the need to support a family forced them to join the ranks of employees again.

So bottom line, technology replaces technicians.

Thursday, March 18, 2010

Troubleshooting Configuration Management NetMRI


Problem: While configuring our NetMRI appliance I noticed that I was unable to view the configuration for several of our routers and switches. If I looked under Network Explorer --> Devices --> Entire Network I could see I had 20 devices, but under the "Configuration Management" tab I was only able to see 6 devices.




Fig 1


Fig 2


After clicking on one of the devices from within the "Network Configuration" tab, and selecting the "Errors" option I was greeted with the below message:

Fig 3
Solution:
After receiving the above error I knew it was time to log into this switch and re-generate the SSH RSA key.
Switch commands to delete the SSH RSA key and then create a new one:

config t
no crypto key rsa (naturally you would think this is the command, but it's not; instead the switch tells you the correct command)
crypto key zeroize rsa
crypto key generate rsa
1024 (when asked for the size of the RSA key modulus in bits)
wr mem
      
Once that's done, the next step is to log into the NetMRI appliance to reset the authentication information and update the device. This will occur automatically after 24 hours, or you can do it manually by navigating to Network Explorer --> Devices, clicking on the device in question, going to the "Settings" tab --> "Config File Collection", and clicking "Reset Authentication Info", then "Update", and lastly "Get Configs".




Check your Errors tab again for good measure; if all goes well, look under the config tab and you should now be able to manage the configuration on this device.

Monday, March 15, 2010

All Things SNMP

I am working on a project whereby I have to configure our entire network infrastructure and a few high-profile servers to be monitored by NetMRI and our Orion. Since most of our devices have already been monitored by several other systems in the past, I will try to illustrate the approach I took while doing this project.
Phase 1 (Backup and Cleanup)
It's extremely important to make sure you back up your current running configuration before making any changes, and if you do have to make changes, try to do them off hours so that if something does go wrong you won't get a million calls coming into the HelpDesk from angry workers. Before attempting the steps below you will need to first set up a TFTP server on your computer; here is a link to one of my favorites --> http://tftpd32.jounin.net/.
  1. At the Router> prompt, issue the enable command, and provide the required password when prompted. The prompt changes to Router#, which indicates that the router is now in privileged mode.
  2. Copy the running configuration file to the TFTP server:

     CE_2#copy running-config tftp:
     Address or name of remote host []? 64.104.207.171
     Destination filename [ce_2-confg]? backup_cfg_for_my_router
     !!
     1030 bytes copied in 2.489 secs (395 bytes/sec)
     CE_2#

  3. Open the configuration file with a text editor. Search for and remove any line that starts with "AAA".
     Note: This step is to remove any security commands that can lock you out of the router.
  4. Copy the configuration file from the TFTP server to a new router in privileged (enable) mode which has a basic configuration:

     Router#copy tftp: running-config
     Address or name of remote host []? 64.104.207.171
     Source filename []? backup_cfg_for_my_router
     Destination filename [running-config]?
     Accessing tftp://10.66.64.10/backup_cfg_for_my_router...
     Loading backup_cfg_for_router from 64.104.207.171 (via FastEthernet0/0): !
     [OK - 1030 bytes]

     1030 bytes copied in 9.612 secs (107 bytes/sec)
     CE_2#

Phase 2 (Configuring Routers/Switches/WLAN Controller)

During this phase, I first logged into each appliance and ran the following commands just to get a quick idea of which user accounts are configured on the device and what the SNMP settings are:
sh run | inc snmp
sh run | inc user
Once I have gathered the above information I can build my configuration file. In our case we are removing old community strings and SNMP hosts while at the same time updating the devices with the new information.
=============================
Updating Configuration on Cisco 3560
=============================
config t
no snmp-server community public RO
no snmp-server community private RW
no snmp-server user public public v1
no snmp-server user public public v2c
snmp-server community $y$10g
username L0gg3r password P@$$\/\/0rd
snmp-server host 192.168.3.6 $y$10g

===================================
Configuring SNMP on Cisco WLAN
===================================
SSH into the controller and run:
config snmp version v2c enable
config snmp community create $y$10g
config logging syslog host 192.168.3.6 (the maximum number of syslog hosts this controller supports is one)
save config (answer Y)
You are set!

Once that's all set up, it's time to log back into both Orion and the NetMRI appliance and verify that everything is configured correctly by triggering a few test alerts.
Additional Information
In the end, your logs are only useful if someone actually looks at them!

Tuesday, March 9, 2010

You Cannot Copy or Move Messages to Public Folders

Yesterday I received a call from a user who was unable to do the following: "Use the Mark Complete flag" in Outlook, or "Copy a message from their inbox to a shared public folder". After researching the issue I came across this article from Microsoft that solved the issue.


Solution:


To resolve this issue, remove the explicit Deny for the Everyone group on these permissions:

  1. Start Exchange System Manager.
  2. Under the Folders object, right-click the Public Folders object, and then click Properties.





Fig 1


3. Click the Security tab, and then click the Everyone group.

4. Click to de-select the Deny check box for the three following permissions:

     * Create public folder
     * Create top level public folder
     * Create named properties in the information store

Fig 2 / Fig 3

5. Click Apply, and then click OK to close the properties.

Now you can go back to organizing your emails!

Thursday, February 25, 2010

VMware IP Address Already Assigned to Another Adapter

I got the following message when I was attempting to change the DNS address on a few of my VMware servers today.

The IP address XXX.XXX.XXX.XXX you have entered for this network adapter is already assigned to another adapter Name of adapter. Name of adapter is hidden from the network and Dial-up Connections folder because it is not physically in the computer or is a legacy adapter that is not working. If the same address is assigned to both adapters and they become active, only one of them will use this address. This may result in incorrect system configuration. Do you want to enter a different IP address for this adapter in the list of IP addresses in the advanced dialog box?
In this message, XXX.XXX.XXX.XXX is an IP address that you are trying to set and Name of adapter is the name of a network adapter that is present in the registry but hidden in Device Manager.



I tried Microsoft's suggestion in this article, "http://support.microsoft.com/?kbid=269155", however it didn't work for me. I had to create a "system environment variable" and give it the value "1". Once that was done I was able to follow the rest of the article. I removed all hidden adapters except for the "RAS Adapter" and was then able to add the new IP address.

How to create a system variable:

On a Windows machine, right-click "My Computer" --> Properties --> Advanced tab --> Environment Variables --> System variables --> click New --> specify the "Variable name" (devmgr_show_nonpresent_devices) and the "Variable value", which is 1.



Enjoy, now you can rest easy!

Reference Links:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1179

http://support.microsoft.com/?kbid=269155

Wednesday, February 24, 2010

Troubleshooting VMware ESX Networking


Troubleshooting ESX 4.0 Networking Issues

Phase one: Verification


If you installed the ESX software and you are unable to ping the host after installation try the following steps.

1. Verify that the required network interface cards are up and the switch port is up and configured correctly.
ESX command to check network cards:
esxcfg-nics -l
Once you have confirmed that your NICs are up, verify the duplex setting on both your network switch and your ESX host.

ESX command to set the speed to 1 Gig and the duplex to full for NIC 0:
esxcfg-nics -s 1000 -d full vmnic0
2. Verify that you have the correct network addressing configuration:
less /etc/sysconfig/network
3. Verify your vSwitch configuration:
esxcfg-vswitch -l
This command is also used to create and update a virtual machine (vSwitch) network's settings, as you will see later on.
Here you can see that NIC 0 and NIC 2 are both assigned to vSwitch0



4. Verify your service console network settings:
esxcfg-vswif -l

This command is also used to create and update the service console network settings. It is the tool to use if you cannot manage the ESX Server host through the VI Client because of network configuration issues.

If you are still unable to establish connectivity to the host by this point, you can use the following commands to delete and recreate the vSwitch.

Phase two: Changes
At this point, if after verifying the above settings you don't see anything unusual, take note of the settings, then delete and recreate them.

esxcfg-vswitch -d vSwitch0 --> To remove the virtual switch
esxcfg-vswitch -a vSwitch0 --> To re-add the virtual switch
esxcfg-vswitch -L vmnic0 vSwitch0 --> To assign physical NIC 0 (repeat to add additional NICs)
esxcfg-vswif -d vswif0 --> To remove the service console network.

esxcfg-vswitch -A "Service Console" vSwitch0 --> Re-create the "Service Console" port group (added step: deleting vSwitch0 removes its port groups, and the vswif0 line below attaches to this one)
esxcfg-vswif -a vswif0 -p "Service Console" -i 10.100.0.114 -n 255.255.255.128 --> Add a Service Console (vswif0)
esxcfg-vswitch -v 69 -p "Service Console" vSwitch0 --> Add VLAN 69 to the Service Console port group on vSwitch0


After these steps it's important to restart the network service with the "service network restart" command.



Sunday, February 14, 2010

Metadata analysis is cewl!

The idea for this post came about while using the program "cewl", created by Robin Wood aka @digininja. I initially started using this application to harvest the email addresses on my company's website so I could compare them to a known list of Exchange public folders and correct any discrepancies. If you would like to give cewl a try you can find a nice install guide over at @joswr1ght's website.
However, after using some of cewl's functions to download documents while analyzing the email addresses, I went a step further and used Larry's paper as a guide to analyze some of those documents, and the results were shocking. This brought on the realization that a lot of companies just post PDF/Word documents online without thinking about sanitizing them first, and that is just making it easy for the bad guys. I am not going to get into all the details of my findings, but I would say that if you haven't used cewl or read Larry's paper you are doing yourself a great injustice.

Now, before you start panicking, there are a few things you can do to limit the exposure of personal data your company might inadvertently leak on the internet. The National Security Agency published a paper back in 2008 which I believe is still very useful today. You can use this paper as a guide for sanitizing your PDFs and other documents before publishing them online.
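Before handing a document to a sanitizing workflow, it helps to see what its metadata currently says. The following is an added example (not code from this post, from cewl, or from the papers linked below) that pulls the /Info dictionary out of a PDF and lists the fields that identify a person, the organisation or the authoring software; the PDF it inspects is a minimal constructed sample with hypothetical values.

```python
"""Report the metadata a PDF would leak if published as-is.

Added example, not from the post, cewl or Larry Pesce's paper. It reads the
classic /Info dictionary (Title, Author, Creator, Producer, ...) and reports
whether an XMP packet is also present, since XMP can carry a second copy of
the same names that survives a cleanup of /Info alone. The PDF is a minimal
hand-built sample with hypothetical values; real files should go through a
full PDF library after this quick check.
"""
import re
from typing import Dict, List, Optional

# Info keys that usually name a person, an organisation or a software version.
SENSITIVE_KEYS = {"Author", "Creator", "Producer", "Company", "Title", "Subject", "Keywords"}

# Constructed sample: no xref table, which the lookup below does not need.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q1 Budget \\(draft\\)) /Author (jdoe) /Creator (Microsoft Word)
/Producer <41646F6265> /Company (Example Corp) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# /Key (literal string with \-escapes)   or   /Key <hex string>
_ENTRY = re.compile(rb"/(\w+)\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)


def _info_object(pdf: bytes) -> bytes:
    """Locate '/Info N G R' in the trailer and return that object's body."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return b""
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"\b" + num + rb"\s+" + gen + rb"\s+obj\b(.*?)\bendobj", pdf, re.DOTALL)
    return obj.group(1) if obj else b""


def _decode(literal: Optional[bytes], hexstr: Optional[bytes]) -> str:
    """Turn a PDF string (literal or hex) into text; UTF-16BE if a BOM is present."""
    if literal is not None:
        raw = re.sub(rb"\\(.)", rb"\1", literal)   # \( \) \\ -> ( ) \
    else:
        raw = bytes.fromhex(hexstr.decode("ascii"))
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def extract_info(pdf: bytes) -> Dict[str, str]:
    """Return the /Info dictionary's string entries as {key: value}."""
    body = _info_object(pdf)
    return {m.group(1).decode("ascii"): _decode(m.group(2), m.group(3))
            for m in _ENTRY.finditer(body)}


def sensitive_fields(pdf: bytes) -> List[str]:
    """Names of populated /Info fields worth stripping before publishing."""
    info = extract_info(pdf)
    return sorted(k for k, v in info.items() if k in SENSITIVE_KEYS and v.strip())


def has_xmp(pdf: bytes) -> bool:
    """True if an XMP metadata packet or stream is present in the file."""
    return b"<x:xmpmeta" in pdf or re.search(rb"/Type\s*/Metadata", pdf) is not None


if __name__ == "__main__":
    for key, value in extract_info(SAMPLE_PDF).items():
        print(f"{key:<10} {value}")
    print("fields to scrub:", ", ".join(sensitive_fields(SAMPLE_PDF)))
    print("XMP present:", has_xmp(SAMPLE_PDF))
```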
I decided to do something new this time, and ask both Authors a few questions:

Robin Wood Q&A:

What prompted you to create cewl?
Cewl is based on a blog post by Larry "HaxorTheMatrix" Pesce from http://www.pauldotcom.com/. He used command line tools,and I put it all in one place.

Do you think that the area of metadata research is not getting a lot of attention?
I think there is a bit of research going on, Larry does some and foca is a great app. It is defense that is lacking.

What was the main usage you had in mind for this tool and is that goal being meet?
The main usage was creating dictionaries for dictionary attacks and it seems to be working from the feedback I've been getting.

What other meta data analysis tools are you working on?
I'm currently not working on any meta data projects at the moment, however I tend to be a spur of the moment developer so if I have an idea you might see a tool the next day.

How can someone contribute or help out with this tools or any other of your projects?
If anyone wants to contribute they can mail me ideas or send code patches. I'm always happy to listen to ideas.

Where can people follow your work and find out more about what you are doing?
For more details on my projects visit http://www.digininja.org/ or follow me on twitter @digininja.

Larry Pesce Q&A:

What made you decided to focus your research and write a paper on the evils of meta data?
It started with the MySpace 1.6 gig picture leak; I wanted to see if any of the images contained GPS info so that I could tie the picture to a location.

Do you think everyone is doing their part to bring awareness to this issue?
I think that folks are just starting to come around on the whole "detailed recon" aspect of a test and are starting to educate themselves.

Would you say every company that publishes documents on the web should have a policy in place that addresses sanitizing documents?
I would not say that every company needs to have a policy on it. I know, shocking! For some, the effort put forth to sanitize the public documents has no reward in reducing risk. But I think that if you do the analysis, any mid sized or larger company can easily and adequately address the risk that it introduces.

Since the paper have you done any additional work or research in this area?
I have done some, such as looking at some other common stuff for information gathering and recon. I have looked at simcards, and other document types; such as streaming video, stuff like YouTube for GPS tagged videos, and of course automating a lot of the work.

Do you think that more people should be doing research in this field?
Yes, in as much as the attackers are doing the same thing. I think that most of us don't realize how much info is out there with a little bit of digging.

I would like to end with a quote which I am sure I have picked up from the PDC crew “no need for a zero day, when all your personal information is in the wild".

Reference links:

http://www.digininja.org/
http://pauldotcom.com/wiki/index.php/Episode129
http://pentestit.com/2009/05/16/foca-fingerprinting-organisation-collected-archives/
http://www.sans.org/reading_room/whitepapers/privacy/document_metadata_the_silent_killer_32974
http://www.willhackforsushi.com/?p=410
http://www.fas.org/sgp/othergov/dod/nsa-redact.pdf
http://www.nsa.gov/ia/_files/app/pdf_risks.pdf

Friday, February 5, 2010

Configuring a NetMRI Appliance



I am currently in the middle of working on a project that involves configuring a NetMRI appliance and an accompanying event collector. So far I have finished configuring the appliance along with a test switch, a Cisco 3560. This blog posting will briefly go over some of the steps I took to accomplish this task.

What is NetMRI?
NetMRI enables organizations to take control of network configurations and changes, making it easy to identify hard-to-find configuration problems that are lurking in the network and to meet internal standards and external compliance requirements. Instead of just logging changes, NetMRI utilizes built-in subject matter expertise to audit, analyze and automate network change.


Prior to starting the configuration process for the NetMRI appliance you need to install an SSH client and have a crossover cable, or a switch with the correct VLAN configured. NetMRI always listens on the private IP address 169.254.1.1, with subnet mask 255.255.255.0. Simply configure your machine as 169.254.1.3, or any address in that range lower than .254, with a subnet mask of 255.255.255.0.
Once you are finished, try to ping 169.254.1.1. If you are able to communicate with the appliance, use your favorite SSH client to connect to the appliance on port 22 using the credentials admin/admin, and from there run the "configure server" command.
During this process you will be asked several questions:
·         Network, server and domain name
·         Two DNS addresses
·         Time server / time zone
·         Management port IP address and gateway
·         Scanning port IP address and gateway, if you choose to use both ports

Once you are finished you can log into the appliance using the IP address assigned during the setup above, e.g. http://172.29.19.4


Select Next to continue.
Step 1: Choose a new admin password.
Choose a difficult password; since the username can't be changed, it's advisable to use a password that's not easily guessed.

Step 2: License file
Browse to the location on your computer where you have the file and click Next.
Step 3: IP Addresses/CIDR Blocks
You can either add a whole subnet or individual IP addresses by appending /32 to the address.


Step 4: Community Strings
Here is where you enter the string that you will be configuring on your routers and switches.

Step 5: CLI Credentials
Here is where you enter the username and password that the NetMRI appliance is going to use to access your infrastructure devices; you will also need to enter your enable password here too.
Once you are done click Finish.
After the NetMRI setup process has been completed, review the Network Explorer tab > Inventory tab > Devices / Interfaces section > Devices page. If the Default Gateway, CIDR blocks, SNMP credentials and Telnet/SSH credentials were entered correctly, you should start to see devices listed in this table within a few minutes. Periodically refresh your browser to see the progress of the discovery process.

Troubleshooting

If you don’t see any devices within a few minutes, you should verify the accuracy of the network information added during the configuration process as follows:

1. In the NetMRI header panel, click the Settings button. In the menu along the right side of the Settings window, click the Setup section, then click Discovery Settings. Ensure that the given CIDR blocks cover the desired parts of your network. Also, ensure that the Default Gateway is covered by one of the Included CIDR blocks, but not by one of the Excluded CIDR blocks.

2. In the menu along the right side of the Settings window, click Collectors and Groups (just above Discovery Settings). Ensure that SNMP collection is Enabled. In the Settings window, click SNMP Credentials and verify that the community strings for your network devices are entered properly (e.g., check spelling and case-sensitivity).

3. If NetMRI was configured using a crossover Ethernet cable and NetMRI was not on the network following completion of the configuration process, then NetMRI may not have been successful in its initial probes of the network. Navigate to Settings > Settings section > Discovery Settings page and click the Reset Discovery Counters button (below the table) to kick off the initial network probes again, then continue to monitor the discovery process as before.
Any changes made using the forms described above will be automatically used by the discovery process. If the new information is correct, you should start to see devices appearing in the table at Network Explorer tab > Inventory tab > Devices / Interfaces section > Devices.
  
Cisco Device Configuration

Create Username on the Cisco 3560 switch
========================================
username mriuser password 7
aaa new-model
aaa authentication login default local

Configure SNMP on Cisco Catalyst 3560
=====================================
config t
snmp-server group nmri v2c read mrigp
snmp-server community mr131 RO
snmp-server user mriuser nmri v2c
snmp-server enable traps syslog
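Both this SNMP block and the cleanup in the "All Things SNMP" post above (removing the public/private strings on the 3560) come down to what the snmp-server lines of a running-config say. The following is an added example, not code from this post, NetMRI or Cisco: it audits the output of "sh run | inc snmp" for vendor-default strings, read-write access, communities without an access-list, v1/v2c users and trap hosts with no version keyword, and generates the "no ..." lines that remove the default strings. The config it runs on is constructed to mirror the 3560's 'before' state.

```python
"""Audit the SNMP lines of a Cisco IOS running-config for weak settings.

Added example, not code from the post, NetMRI or Cisco. Feed it the output
of 'sh run | inc snmp'; it reports default community strings, read-write
access, communities without an access-list, SNMPv1/v2c users and trap hosts
that fall back to SNMPv1, and builds the 'no ...' lines that remove the
vendor-default strings (the same cleanup the post does by hand on the 3560).
"""
from typing import List, Tuple

# Vendor-default community strings: the first guesses in any SNMP wordlist.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample (not captured from a real device): the 'before' state
# the post removes, plus a few extra lines to exercise each check.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server user public public v1
snmp-server community $y$10g
snmp-server community $y$10g RO 10
snmp-server host 192.168.3.6 $y$10g
snmp-server host 192.168.3.7 version 2c $y$10g
"""

Finding = Tuple[str, str]  # (config line, issue)


def _audit_community(parts: List[str]) -> List[str]:
    """snmp-server community <string> [view <name>] [RO|RW] [acl]"""
    issues = []
    tail = parts[3:]
    if tail and tail[0].lower() == "view":
        tail = tail[2:]  # skip 'view <name>' so the view is not read as an ACL
    modes = {t.upper() for t in tail if t.upper() in ("RO", "RW")}
    acl = [t for t in tail if t.upper() not in ("RO", "RW")]
    if parts[2].lower() in DEFAULT_COMMUNITIES:
        issues.append("vendor-default community string")
    if "RW" in modes:
        issues.append("read-write access granted")
    if not acl:
        issues.append("no access-list restricting source addresses")
    return issues


def _audit_user(parts: List[str]) -> List[str]:
    """snmp-server user <name> <group> v1|v2c|v3 ..."""
    if any(p.lower() in ("v1", "v2c") for p in parts[4:]):
        return ["SNMPv1/v2c user: community travels in cleartext"]
    return []


def _audit_host(parts: List[str]) -> List[str]:
    """snmp-server host <addr> [version 1|2c|3 ...] <community>"""
    lowered = [p.lower() for p in parts]
    if "version" not in lowered:
        return ["no 'version' keyword: traps default to SNMPv1"]
    idx = lowered.index("version")
    if idx + 1 < len(lowered) and lowered[idx + 1] == "1":
        return ["traps sent with SNMPv1"]
    return []


HANDLERS = {"community": _audit_community, "user": _audit_user, "host": _audit_host}


def audit_snmp_config(config: str) -> List[Finding]:
    """Return (line, issue) pairs for every weak snmp-server statement."""
    findings: List[Finding] = []
    for raw in config.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3 or parts[0] != "snmp-server":
            continue
        handler = HANDLERS.get(parts[1])
        for issue in (handler(parts) if handler else []):
            findings.append((" ".join(parts), issue))
    return findings


def removal_commands(config: str) -> List[str]:
    """'no ...' lines that strip the vendor-default community strings."""
    cmds = []
    for raw in config.splitlines():
        parts = raw.strip().split()
        if (len(parts) >= 3 and parts[:2] == ["snmp-server", "community"]
                and parts[2].lower() in DEFAULT_COMMUNITIES):
            cmds.append("no " + " ".join(parts))
    return cmds


if __name__ == "__main__":
    for line, issue in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{issue:<48} <- {line}")
    print("\n".join(removal_commands(SAMPLE_CONFIG)))
```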

Doing an SNMP Walk


In order to do an SNMP walk you need to replace the root OID with 1.3.6.1.2.1.1 (the MIB-2 system group).
Reference links: