I don't know very many people that take the Windows Firewall seriously. That's too bad because the Windows Firewall with Advanced Security in Windows Vista, 7, Server 2008, and newer operating systems has some features that can help you baseline what "normal" traffic is on your systems.
Below is a sample script I use when building out a 2008R2 server. (Yeah, I know Netsh is supposed to be going away, so maybe I'll re-write this in PowerShell for a future post.)
Configure Logging
First of all I want to turn on logging for everything inbound and outbound. By default, logging is disabled (I have only verified this for Windows 7 and Server 2008R2). I want to set the log size to the max 32 MB and log all dropped and allowed connections.
Sample Script:
This is important because the default firewall settings only drop inbound connections that do not explicitly match a defined rule. Outbound connections are allowed anywhere, anytime by default. (I'll come back to this topic in another post later.)
Disable Unused Rules
Also, best practice is to disable anything you aren't using, and since I'm not running IPv6 on my network, I want to disable all of the IPv6 related rules. It is always good to double check that IPv6 is actually unchecked on your NIC as well.
Sample Script:
ICMP Echo Request
Next I want to enable the default echo request rule so I can ping this new server.
Sample Script:
There may be some other rules that you should disable depending on your environment (such as DHCP or IGMP), but this should provide a decent example to get started with Netsh and the Windows Firewall with Advanced Security.
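Once dropped and allowed connections are both being logged, the pfirewall.log file is what you baseline from. The following is an added example (my own Python, not the post's netsh script) that parses the log using its #Fields: header and reports which inbound services were actually accepted, which inbound ports were dropped, and where the host connected outbound; the log lines are constructed for the example.

```python
import io
from collections import Counter

# Added example: summarising a Windows Firewall pfirewall.log for baselining.
# The log lines below are constructed for this example; the column layout comes
# from the "#Fields:" header that Windows Firewall writes at the top of the file.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-03-27 08:01:12 ALLOW TCP 10.1.1.20 10.1.1.5 51234 3389 0 - 0 0 0 - - - RECEIVE
2013-03-27 08:01:15 ALLOW TCP 10.1.1.20 10.1.1.5 51240 445 0 - 0 0 0 - - - RECEIVE
2013-03-27 08:02:03 ALLOW ICMP 10.1.1.20 10.1.1.5 - - 60 - - - - 8 0 - RECEIVE
2013-03-27 08:02:40 DROP TCP 10.1.1.77 10.1.1.5 40001 23 52 S 3341203 0 8192 - - - RECEIVE
2013-03-27 08:02:41 DROP TCP 10.1.1.77 10.1.1.5 40002 21 52 S 3341204 0 8192 - - - RECEIVE
2013-03-27 08:03:10 ALLOW TCP 10.1.1.5 10.1.1.2 49201 53 0 - 0 0 0 - - - SEND
2013-03-27 08:03:11 ALLOW UDP 10.1.1.5 10.1.1.2 49202 53 0 - 0 0 0 - - - SEND
2013-03-27 08:05:00 ALLOW TCP 10.1.1.5 203.0.113.9 49210 443 0 - 0 0 0 - - - SEND
"""

def parse_pfirewall(text):
    """Yield one dict per record, naming the columns from the #Fields: header."""
    fields = None
    for raw in io.StringIO(text):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue          # other header lines and blank lines
        if fields is None:
            raise ValueError("data line seen before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue          # partial line (e.g. written during rotation): skip, don't misalign
        record = dict(zip(fields, values))
        for key in ("src-port", "dst-port"):
            record[key] = None if record[key] == "-" else int(record[key])   # ICMP has no ports
        yield record

def summarize(text):
    """Count connections by (path, action, protocol, dst-port)."""
    return Counter((r["path"], r["action"], r["protocol"], r["dst-port"])
                   for r in parse_pfirewall(text))

def inbound_services(summary):
    """Ports that actually accepted inbound connections: the 'normal' listener set."""
    return sorted({(proto, port) for (path, action, proto, port) in summary
                   if path == "RECEIVE" and action == "ALLOW" and port is not None})

def dropped_inbound(summary):
    """Inbound ports that were hit but dropped, with counts."""
    return sorted(((proto, port), n) for (path, action, proto, port), n in summary.items()
                  if path == "RECEIVE" and action == "DROP")

def outbound_destinations(text):
    """Where this host connected; outbound is allowed by default, so the log is the only record."""
    return sorted({(r["protocol"], r["dst-ip"], r["dst-port"]) for r in parse_pfirewall(text)
                   if r["path"] == "SEND" and r["action"] == "ALLOW"})

def new_outbound(baseline_text, later_text):
    """Outbound destinations in a later log that the baseline never saw."""
    known = set(outbound_destinations(baseline_text))
    return sorted(d for d in outbound_destinations(later_text) if d not in known)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("inbound services:", inbound_services(s))
    print("dropped inbound:", dropped_inbound(s))
    print("outbound:", outbound_destinations(SAMPLE_LOG))
```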
Wednesday, March 27, 2013
Monday, March 25, 2013
Product Review: Ibex 17 Inch Notebook Backpack
The Ibex 17 Inch Notebook Backpack by Swiss Gear is a fantastic backpack. I ordered one of these from Amazon.com to have something to carry around the 17" Dell Inspiron N7110 I've been using lately. There are pockets all over the place and even the smaller pockets are a lot bigger than they look. The 17" laptop actually fits really well. It is built well, very sturdy and still fairly lightweight.
This thing is like a portable file cabinet. There is enough room for the laptop, several text books, file folder, phone charger, snacks, water bottle, power cable, patch cables, spare hard drives, an assortment of USB cables/dongles/connectors, CD/DVD case full of disks, pens, pencils, flashlight, screw drivers, leatherman, wifi hotspot, sticky notes, more snacks and some paper clips just in case I need to pull a MacGyver at some point.
I've had this Ibex for several months and use it on a daily basis back and forth to the office and on several out of town trips. The only real downside for me is that it doesn't have a chest buckle which would be nice for longer hikes.
Labels:
Backpack,
Ibex,
Laptop,
Product Review,
Swiss Gear
Saturday, March 23, 2013
SANS 2013 Orlando
SANS 2013 was great, but I'm certainly glad to be back home. It was a long week of sitting in conference rooms from sun up to sun down listening to some of the brightest instructors in InfoSec. I really enjoy the quality of the conferences that SANS provides.
GIAC Intrusion Analyst (GCIA) Job Task Analysis (JTA)
It was an honor to be selected to participate in the JTA session. The JTA is a way for GIAC to double check the correlation of their certification exam scores to the actual job skills that SANS is trying to teach. I flew in a day early to take part in the exercise. I enjoyed the opportunity and hopefully get to help out again in the future. And, I got to meet Judy Novak.
SEC504: Hacker Techniques, Exploits and Incident Handling
This is the fourth class I've taken from SANS, so I pretty well knew what to expect. SEC504 covered a lot of material, but much of the material felt familiar to me already, just more depth and insight into the attack techniques that are readily available. For a lot of the attacks out there today, there really aren't very many good defenses. So I guess numero uno on the list for things I learned at SANS 2013 isn't really something new, but something old and very foundational to InfoSec.
- Use common sense to limit who has access to systems and data in your environment.
- Baseline your environment so that you know what is "normal" in terms of ports being used and processes running on your systems.
- Don't reuse the same password for local administrator accounts across your organization.
- Use host-based firewalls to prevent compromised systems from being able to easily pivot to other systems on the same subnet.
- I also picked up a Teensy to play around with for physical testing.
Now I just have to get busy studying for the GCIH exam...
APT: It is Not Time to Pray, It is Time to Act - Dr. Eric Cole
Dr. Cole is an excellent speaker and easy for me to pay attention to. His tone and cadence in his presentations are very academic, but at the same time very candid and realistic. He doesn't come across as somebody that is trying to wow you with his vast knowledge of InfoSec. He seems to genuinely care about the material he is presenting and willing to do whatever it takes to make that material interesting and tangible to his audience. The content of the keynote for SANS 2013 wasn't so much about all of the APT hype as it was a very focused warning of the need to master the basics of InfoSec before we will really be able to win against the attackers.
Dr. Cole outlined 5 steps to improving security posture and being able to react to indicators of compromise more efficiently.
1. Identify Critical Data - Align critical assets with threats and vulnerabilities to focus on risk. Using Risk Based Thinking - What is the risk? Is it the highest priority risk? Is it the most cost effective way of reducing the risk?
2. Align the Defense with the Offense - The areas that defense currently focuses on are not the same as what the offense is focusing on.
3. Know thy Organization - You Cannot Protect What You Do Not Know About. Organizations need accurate up-to-date network diagrams and network visibility maps, focus on configuration management and change control.
4. Defense in Depth
a) Inbound Prevention
b) Outbound Detection
c) Log Correlation
d) Anomaly Detection
5. Common Metrics - Use the 20 Critical Controls!
Vendor Expo
Eh, not much to say here other than some vendors had some booths set up with some trinkets and trash on display. And now my inbox and voicemail are full of messages that I don't really need.
Social Zombies: Rise of the Mobile Dead - Kevin Johnson
Yeah, I know social media is out to get me. Really, duck face?
Introduction to Windows Kernel Exploitation - Stephen Sims
This is one area that I have no experience with. Stephen did a great job of taking a difficult subject and explaining it so that I could follow along.
How to Become a SANS Instructor - Eric Conrad - Lunch-n-Learn
Eric has an interesting story about how getting involved with SANS boosted his career and opened up the door of opportunity. I've thought about signing up for the Mentor program, maybe this was persuasive enough to get me to send in the application?
ADHD and Samurai - John Strand and Kevin Johnson
The Active Defense Harbinger Distribution (ADHD) is pretty cool. It is a Linux distro built around the idea of making life difficult for the bad guys. It focuses on Annoyance, Attribution and Attack. Some of the fun features include infinitely recursive directories, seeding honeytokens with call-home commands so that you can locate where your data has been exfiltrated, and setting up the signed Java applet attack in Metasploit to actually exploit the attacker. There is a great write up of Paul Asadoorian and John Strand's RSA presentation here.
The Samurai Web Testing Framework (WTF) is also a nifty Linux distro with a series of tools to assist in web app pen testing.
Hacking Your Friends and Neighbors For Fun - Joshua Wright
Very entertaining. If you haven't seen this talk yet, check out the slides here.
InfoSec in the Financial World: War Stories and Lessons Learned - Bryan Simon
Bryan makes the case for improving the information sharing of financial institutions with regards to adversaries, attacks and defense strategies. Ironically, on his way to the conference, half his slides were yanked by his legal department so that he wasn't able to share some of the stories he wanted to. The best part about this session was all of the conversations that started up afterwards.
NetWars Tournament
Wow, this was my first time at Netwars. I wasn't really sure what to expect here. All I can say is, there are some wicked smart people at SANS and I need some more practice.
Wednesday, March 20, 2013
Surprising Results Improving Weak Passwords
Last year I saw a presentation by John Strand of Black Hills Information Security titled "Everything They Told Me About Security Was Wrong" during which he talked about how ridiculously easy it is to crack most people's passwords. John gave several examples about how the typical alpha-numeric-special-character complexity requirements mandated by most security frameworks or regulations are actually making it easier to break into and harder on users to remember their passwords.
Then along came correct horse battery staple. Just for reference, here are a few examples from the Brute Force Calculator (these examples are based on a system running an Intel i7-2600K CPU @ 3.40GHz).
Password Length | Password (Hash) Type | Character Set | Total Key Space (password combinations) | Time Required to Brute Force |
7 | NT MD4 | Mixed Alpha Numeric All | 6.5545E+13 | 15 days |
8 | NTLMv2 | Mixed Alpha Space | 6.3456E+13 | 15 days |
8 | NT MD4 | Mixed Alpha Numeric All | 6.16123E+15 | 4 years |
15 | NT MD4 | Mixed Alpha Space | 7.45436E+25 | 50 billion years |
15 | NTLMv2 | Mixed Alpha Space | 7.45436E+25 | 2 trillion years |
18 | NTLMv2 | Mixed Alpha Space | 1.10978E+31 | 357 quadrillion years |
19 | NTLMv2 | Mixed Alpha Space | 5.88185E+32 | 19 quintillion years |
20 | NTLMv2 | Mixed Alpha Space | 3.11738E+34 | 1 sextillion years |
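The key-space column follows a simple model, which the following added Python (mine, not the calculator's code) reproduces. The character-set sizes of 53 and 94, and the fact that the key space is cumulative over lengths 1 through N, are inferred from the table's own values rather than documented by the calculator.

```python
# Added example: the key-space model behind the Brute Force Calculator table.
# The set sizes (53 and 94) are assumptions recovered from the table's numbers,
# and the key space is summed over lengths 1..N, which is why the 15-character
# value is 53^15 * 53/52 rather than plain 53^15.

CHARSET_SIZES = {
    "Mixed Alpha Space": 26 + 26 + 1,      # a-z, A-Z plus the space character
    "Mixed Alpha Numeric All": 94,         # every printable ASCII character except space
}

def key_space(length, charset):
    """Number of candidate passwords of length 1..length over the given character set."""
    n = CHARSET_SIZES[charset]
    return sum(n ** i for i in range(1, length + 1))

def matches_table(length, charset, table_value, rel_tol=1e-4):
    """Check a computed key space against a (rounded) value printed in the table."""
    computed = key_space(length, charset)
    return abs(computed - table_value) / table_value < rel_tol

def seconds_to_exhaust(length, charset, guesses_per_second):
    """Worst-case time to try every candidate at an assumed (hypothetical) guess rate."""
    return key_space(length, charset) / guesses_per_second

def length_advantage(long_len, long_set, short_len, short_set):
    """How many times larger the long/simple key space is than the short/complex one."""
    return key_space(long_len, long_set) / key_space(short_len, short_set)

if __name__ == "__main__":
    for length, charset, printed in [(7, "Mixed Alpha Numeric All", 6.5545e13),
                                     (8, "Mixed Alpha Numeric All", 6.16123e15),
                                     (15, "Mixed Alpha Space", 7.45436e25),
                                     (20, "Mixed Alpha Space", 3.11738e34)]:
        print(length, charset, "%.5E" % key_space(length, charset),
              matches_table(length, charset, printed))
    print("15 simple vs 8 complex: %.1e times larger"
          % length_advantage(15, "Mixed Alpha Space", 8, "Mixed Alpha Numeric All"))
```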
Implementing the Changes
So, I decided to see if I could get my organization to go along with the idea of much longer but less complex passwords. There were two parts to implementation, the first was the social/political side of things, getting the right approvals internally to change the policy, explaining to users why the change was good for them and the company, and convincing the auditors that this change actually improves security.
The second part was configuring Windows Group Policy to enforce the new policy. This turned out to be not as straightforward as I expected. The minimum password length setting in the Windows GPO Editor stops at 14.
Some Google-fu netted me this result that provides a couple of examples for fixing Microsoft's shortsightedness for improving password security.
Joeware's ADMod tool makes it easy to modify the Default Domain Policy. Here's the command to set the minimum length to 15 characters:
admod -default minpwdlength::15
Then to see if it worked...
Dealing With Auditors
You know you are going to have a fun time when an IT auditor asks a question like, "Can you explain how to read this network diagram?" Another point John made during his prezi, was that no organization is ever 100% compliant with every applicable regulation or security requirement. No one. So what happens when your organization doesn't meet the specific letter of the law for a particular requirement? You implement a compensating control. After walking through a few examples of password cracking tools, such as John the Ripper and Cain/Abel, it wasn't as tough a sell as I was expecting.
Results
The auditors signed off for the changes to the password policy without too much trouble. The auditors weren't the only concern I had about changing the policy. My guess was that these changes were going to create a problem for users as well as IT having to do account unlocks all the time. After having this policy in place for several months now, one of the biggest surprises I found from going through this exercise is that account lockouts are currently at an all time low across the entire company. That is what you call a Win-Win!
Saturday, March 9, 2013
Just Some Notes On TCPDump Filters
Well I'm sitting here in Orlando at the SANS 2013 conference. I have a few hours until registration opens up and I was looking through some of my notes from previous SANS conferences. Here are some tcpdump examples and notes I had accumulated while studying for the GCIA exam. Some of these are examples I've found from various other sources* and some of them I added for my own reference. Enjoy!
*Some examples are from
http://staff.washington.edu/dittrich/talks/core02/tools/tcpdump-filters.txt and reformatted into a table. This site also has some other useful info and examples.
Expression | Description |
[x:y] | start at offset x from the beginning of packet and read y bytes |
[x] | abbreviation for [x:1] |
proto[x:y] | start at offset x into the proto header and read y bytes |
p[x:y] & z = 0 | p[x:y] has none of the bits selected by z |
p[x:y] & z != 0 | p[x:y] has any of the bits selected by z |
p[x:y] & z = z | p[x:y] has all of the bits selected by z |
p[x:y] = z | p[x:y] has only the bits selected by z |
The usual rules about operator precedence apply; nesting things inside brackets is probably a good plan. You'll probably want to put the filter into a file or at least single-quote it on the command line to stop the shell from interpreting the metacharacters (such as ! ( ) [ : ] & and |). | |
Parts of an IP Packet | |
ip[0] & 0xf0 | High order nibble: IP version (4 = IPv4, 6 = IPv6) |
ip[0] & 0x0f | Low order nibble: Header Length (Common Value = 5, Multiplier 4, 20 byte header) |
ip[1] | Type of Service/QoS/DiffServ |
ip[2:2] | Total length of datagram in octets |
ip[4:2] | IP ID number |
ip[6] & 0x80 | Reserved (Evil bit) |
ip[6] & 128 != 0 | Evil bit set (RFC 3514 defines the evil bit as an April Fools' joke) |
ip[6] & 0x40 | Don't Fragment bit |
ip[6] & 0x20 | More Fragments bit |
ip[6:2] & 0x1fff | Fragment Offset (number of 8 octet blocks) |
ip[6:2] & 0x1fff != 0x000 | Fragment Offset is not 0 |
ip[6:2] & 0x3fff != 0 | Look for ALL fragmented ip packets |
ip[6] &0x20 = 0x20 or ip[6:2] &0x1fff != 0 | Look for more fragment bit set or fragment offset greater than 0 (Look for ALL fragmented ip packets) |
ip[6] &0x20 = 0 and ip[6:2] &0x1fff != 0 | Look for more fragment bit not set and fragment offset greater than 0 (Last fragment packets) |
ip[8] | TTL |
ip[9] | Protocol |
ip[9] = 0x01 | 1 = ICMP |
ip[9] = 0x02 | 2 = IGMP |
ip[9] = 0x06 | 6 = TCP |
ip[9] = 0x09 | 9 = IGRP |
ip[9] = 0x11 | 17 = UDP |
ip[9] = 0x2F | 47 = GRE |
ip[9] = 0x32 | 50 = ESP |
ip[9] = 0x33 | 51 = AH |
ip[10:2] | Header Checksum |
ip[12:4] | Source IP |
ip[16:4] | Destination IP |
ip[20..60] | IP header options, if any (present only when the header length nibble is greater than 5) |
Parts of an ICMP Packet | |
icmp[0] | Type |
icmp[1] | Code |
icmp[2:2] | Checksum |
icmp[4...] | Payload |
Parts of a UDP Packet | |
udp[0:2] | source port |
udp[2:2] | destination port |
udp[4:2] | datagram length |
udp[6:2] | UDP checksum |
Parts of a TCP Packet | |
tcp[0:2] | source port |
tcp[2:2] | destination port |
tcp[4:4] | sequence number |
tcp[8:4] | acknowledgement number |
tcp[12] | header length (high nibble, multiplier 4) |
tcp[13] | tcp flags |
tcp[14:2] | window size |
tcp[16:2] | checksum |
tcp[18:2] | urgent pointer |
tcp[20..60] | options or data |
Other Examples | |
(tcp[13] & 0x02) != 0 | Contains SYN (maybe other stuff as well) |
(tcp[13] & 0x03) = 3 | SYN / FIN |
ip[12:4] = ip[16:4] | Land Attack |
(tcp[2:2] = 139) && (tcp[13] & 0x20 != 0) && (tcp[19] & 0x01 = 1) | Winnuke |
(tcp[13] & 0xe7) != 0 | Things other than ACK/PSH |
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0) | Initial fragments |
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0) | Intervening fragments |
(ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0) | End of the fragment train |
(ip[0] & 0x0f) != 5 | Has IP Options (or is truncated, or is just some sort of freak...) |
((ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)) && (65535 < (ip[2:2] + 8*(ip[6:2] & 0x1fff))) | Ping-O-Death (any oversized IP-transported data...) |
TCP Flags (Control Bits) | |
Bit order in tcp[13], high to low | CWR ECE URG ACK PSH RST SYN FIN |
FIN | Finish |
SYN | Synchronize |
RST | Reset |
PSH | Push |
ACK | Acknowledgment |
URG | Urgent |
ECE | Explicit Congestion Notification Echo |
CWR | Congestion Window Reduced |
Filter | Flags | Binary = Hex | Description |
tcp[13] = 0x01 | ---- ---F | 0000 0001 = 0x01 | FIN only |
tcp[13] = 0x02 | ---- --S- | 0000 0010 = 0x02 | SYN only |
tcp[13] = 0x03 | ---- --SF | 0000 0011 = 0x03 | SYN-FIN |
tcp[13] = 0x04 | ---- -R-- | 0000 0100 = 0x04 | RST only |
tcp[13] = 0x05 | ---- -R-F | 0000 0101 = 0x05 | RST-FIN |
tcp[13] = 0x06 | ---- -RS- | 0000 0110 = 0x06 | SYN-RST |
tcp[13] = 0x07 | ---- -RSF | 0000 0111 = 0x07 | SYN-FIN-RST |
tcp[13] = 0x08 | ---- P--- | 0000 1000 = 0x08 | PSH only |
tcp[13] = 0x10 | ---A ---- | 0001 0000 = 0x10 | ACK only |
tcp[13] = 0x12 | ---A --S- | 0001 0010 = 0x12 | SYN-ACK |
tcp[13] = 0x14 | ---A -R-- | 0001 0100 = 0x14 | RST-ACK (it happens) |
tcp[13] = 0x18 | ---A P--- | 0001 1000 = 0x18 | PSH-ACK |
tcp[13] = 0x20 | --U- ---- | 0010 0000 = 0x20 | URG only |
tcp[13] = 0x29 | --U- P--F | 0010 1001 = 0x29 | URG-PSH-FIN (nmap fingerprint packet) |
tcp[13] = 0x38 | --UA P--- | 0011 1000 = 0x38 | PSH-URG-ACK interactive stuff like ssh |
tcp[13] = 0x40 | -Y-- ---- | 0100 0000 = 0x40 | ECE only (anything >= 0x40 has one of the two ECN bits, formerly reserved, set) |
tcp[13] = 0x80 | X--- ---- | 1000 0000 = 0x80 | CWR only |
tcp[13] = 0xC0 | XY-- ---- | 1100 0000 = 0xC0 | Both ECN flags set |
tcp[13] = 0xFF | XYUA PRSF | 1111 1111 = 0xFF | FULL_XMAS scan |
tcp[13] & 1 != 0 | ---- ---F | 0000 0001 = 0x01 | FIN set |
tcp[13] & 2 != 0 | ---- --S- | 0000 0010 = 0x02 | SYN set |
tcp[13] & 4 != 0 | ---- -R-- | 0000 0100 = 0x04 | RST set |
tcp[13] & 8 != 0 | ---- P--- | 0000 1000 = 0x08 | PSH set |
tcp[13] & 16 != 0 | ---A ---- | 0001 0000 = 0x10 | ACK set |
tcp[13] & 32 != 0 | --U- ---- | 0010 0000 = 0x20 | URG set |
tcp[13] & 64 != 0 | -Y-- ---- | 0100 0000 = 0x40 | ECE set |
tcp[13] & 128 != 0 | X--- ---- | 1000 0000 = 0x80 | CWR set |
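As an added example (not from the post or the linked notes), the following Python reads byte offsets the way the proto[x:y] expressions above do, over a constructed IPv4/TCP packet, and evaluates several of the filters from the tables. It makes one point the tables leave implicit: tcp[...] offsets are relative to the start of the TCP header, so the code locates that header from the IP header length nibble rather than assuming 20 bytes, and it refuses tcp[] tests on non-initial fragments as tcpdump itself does.

```python
import struct

# Added example: evaluate tcpdump-style proto[x:y] byte tests over a raw IPv4
# packet (no link-layer header). The packet builder and the sample packets are
# constructed for this example.

IP_PROTO_TCP = 6
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]   # bits 0..7 of tcp[13]

def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def build_ipv4_tcp(src, dst, sport, dport, tcp_flags, frag_word=0x4000, payload=b""):
    """Minimal IPv4+TCP packet; frag_word is ip[6:2] (flags + offset), checksums left zero."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload), 0x1234,
                         frag_word, 64, IP_PROTO_TCP, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return ip_hdr + tcp_hdr + payload

def field(pkt, proto, offset, length=1):
    """proto[offset:length]: read `length` bytes at `offset` into that protocol's header."""
    if proto == "ip":
        base = 0
    elif proto == "tcp":
        # tcpdump only evaluates tcp[] on unfragmented TCP packets (ip[6:2] & 0x1fff = 0)
        if field(pkt, "ip", 9) != IP_PROTO_TCP or field(pkt, "ip", 6, 2) & 0x1fff:
            raise ValueError("tcp[] requires an unfragmented TCP packet")
        base = (field(pkt, "ip", 0) & 0x0f) * 4        # header length nibble times 4
    else:
        raise ValueError("unsupported protocol: " + proto)
    chunk = pkt[base + offset:base + offset + length]
    if len(chunk) != length:
        raise ValueError("packet too short for %s[%d:%d]" % (proto, offset, length))
    return int.from_bytes(chunk, "big")

def tcp_flag_names(pkt):
    """Decode tcp[13] into flag names, lowest bit (FIN) first."""
    bits = field(pkt, "tcp", 13)
    return [name for i, name in enumerate(FLAG_NAMES) if bits & (1 << i)]

# A few of the table's filters, written as predicates over a packet.
FILTERS = {
    "SYN only":                  lambda p: field(p, "tcp", 13) == 0x02,
    "SYN set":                   lambda p: (field(p, "tcp", 13) & 0x02) != 0,
    "Things other than ACK/PSH": lambda p: (field(p, "tcp", 13) & 0xe7) != 0,
    "Land Attack":               lambda p: field(p, "ip", 12, 4) == field(p, "ip", 16, 4),
    "Any fragment":              lambda p: (field(p, "ip", 6, 2) & 0x3fff) != 0,
    "Last fragment":             lambda p: (field(p, "ip", 6) & 0x20) == 0
                                           and (field(p, "ip", 6, 2) & 0x1fff) != 0,
    "Has IP Options":            lambda p: (field(p, "ip", 0) & 0x0f) != 5,
}

def matching_filters(pkt):
    """Names of the filters a packet matches; tcp[] tests on fragments simply don't match."""
    hits = []
    for name, predicate in FILTERS.items():
        try:
            if predicate(pkt):
                hits.append(name)
        except ValueError:
            pass
    return hits

if __name__ == "__main__":
    syn = build_ipv4_tcp("10.0.0.5", "10.0.0.10", 49152, 445, 0x02)
    print(tcp_flag_names(syn), matching_filters(syn))
    last = build_ipv4_tcp("10.0.0.5", "10.0.0.10", 49152, 445, 0x18, frag_word=0x0010)
    print(matching_filters(last))
```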
Labels:
Berkley Packet Filters,
BPF,
Certification,
GIAC,
Intrusion Detection,
NSM,
Packet Capture,
SANS,
TCPDump,
TCPDump Examples