Information Systems Auditing

A collection of links, documents, and thoughts of a State IS auditor.

Archive for the ‘Uncategorized’ Category

Stand-Alone Tools and Utilities


A question was raised today during a presentation about which utilities you can use without installing them. There are engagements where the auditor is not allowed to use their own laptop and must use one provided by the auditee. This severely limits how effective an engagement can be, but it is not impossible to obtain the information you need once you connect to the auditee's network. I've made changes to the Security Tools page to highlight which tools are stand-alone and do not require installation. Also for reference see Penetration Testing Ninjitsu, which I pulled from a Core Security webcast.

Written by admin

August 31st, 2010 at 6:31 pm

Posted in Uncategorized

Web Security Dojo


NA CACS conference hosted by ISACA (18-22 April 2010)

Remote Security Testing for Web Applications
Presented by David Rhoades
Maven Security Consulting

Attending this conference workshop session introduced me to Maven Security's Web Security Dojo. This is an Ubuntu-based virtual image that includes several free and open source tools used for web application auditing. The image also includes web application environments that are vulnerable to many common vulnerabilities, so you can test and learn how to use the tools. This pre-configured environment is perfect for educational purposes. They also include a BASH script that will set up the same tooling on your own Ubuntu environment.

Written by admin

April 17th, 2010 at 11:18 am

Posted in Uncategorized

Updated Linux Laptop configuration for Auditors


I’ve created an updated configuration tutorial for setting up your Linux laptop to conduct system and network audits.  This version details how to get everything up and running on the latest Ubuntu currently at version 9.10 (Karmic Koala).  The specific brand I use is the Netbook Remix.  See the Configuration Tutorials to download the latest pdf document.

Written by admin

March 10th, 2010 at 10:18 am

Posted in Uncategorized

John the Ripper w/ Jumbo Patch (Updated for 1.7.5)


This post covers cracking Windows password hashes on Linux using John the Ripper (JtR). If you prefer the Linux operating system, JtR is the password cracking utility to use. By default JtR does not support the hashes that we are interested in cracking. See below for installation and patching instructions for JtR. Applying the jumbo patch to JtR adds the functionality to crack NTLM and MS-Cache passwords. NOTE: This install was done on Ubuntu 10.4 but should work on any Linux system since we are compiling from source.

$ ./john --format=mscash --rules --wordlist=<PASSWORD_LIST> <CACHE_HASH_FILE>
$ ./john --format=nt --rules --wordlist=<PASSWORD_LIST> <NTLM_HASH_FILE>

For additional information you can read the JtR documentation and wiki from Openwall.

OpenSSL is needed. It can be installed through your package manager or may already be installed. Remember to install the development package (libssl-dev or libssl-devel) as well, since the jumbo patch compiles against the OpenSSL headers. Download and compile instructions are included below.


$ wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz
$ tar zxvf openssl-1.0.0a.tar.gz
$ cd openssl-1.0.0a
$ ./config --openssldir=/usr/local
$ make
$ sudo make install
$ wget http://www.openwall.com/john/g/john-1.7.5.tar.gz
$ tar zxvf john-1.7.5.tar.gz
$ cd john-1.7.5/
$ wget http://www.openwall.com/john/contrib/john-1.7.5-jumbo-3.diff.gz
$ gzip -d john-1.7.5-jumbo-3.diff.gz
$ patch -p1 < john-1.7.5-jumbo-3.diff
$ cd src/
$ make linux-x86-sse2

John will be found in the run directory.

Written by admin

November 16th, 2009 at 7:57 am

Posted in Uncategorized

Using Perl to Parse Nmap XML


As an auditor I like to quickly analyze my Nmap scan results by parsing the XML output and loading it into my favorite spreadsheet application.
From there I can sort by host, port, service, or operating system for analysis. The parsed results are a lot easier to add to reports and workpapers. Just remember to keep the original Nmap results as evidence.
I've developed a LAMP framework to parse and load Nmap results into a database for reporting and analysis. However, if you are just looking to quickly parse the results of individual scans, I've got a Perl script for you!
First, a quick blurb on installing Perl and the Nmap-Parser module.

Windows

Download ActivePerl from the Active State website: https://www.activestate.com/activeperl/downloads/
Once ActivePerl is installed you will need to install the Nmap Parser written by Anthony Persaud.
From the Command Prompt enter the following command:

C:\>ppm install nmap-parser
Downloading Nmap-Parser-1.19...done
Downloading XML-Twig-3.32...done
Unpacking Nmap-Parser-1.19...done
Unpacking XML-Twig-3.32...done
Generating HTML for Nmap-Parser-1.19...done
Generating HTML for XML-Twig-3.32...done
Updating files in site area...done
21 files installed

Linux

For Ubuntu/Debian you can install the package.
#apt-get install libnmap-parser-perl

For every Linux distro you can install the package via CPAN.
#perl -MCPAN -e 'install Nmap::Parser'

Copy the following Perl code and save it as nmap_parse.pl.


#!/usr/bin/perl
use strict;
use warnings;
use Nmap::Parser;

# Usage: nmap_parse.pl <nmap_output.xml>
my $infile = $ARGV[0] or die "Usage: nmap_parse.pl <nmap_output.xml>\n";

my $np = Nmap::Parser->new;
$np->parsefile($infile);

# GETTING SCAN INFORMATION

print "Scan Information:\n";
my $si = $np->get_session();
print
  'Number of services scanned: ' . $si->numservices() . "\n",
  'Start Time: ' . $si->start_str() . "\n",
  'Finish Time: ' . $si->time_str() . "\n",
  'Scan Arguments: ' . $si->scan_args() . "\n";

# One CSV row per TCP port per host
print "Host Name,Ip Address,MAC Address,OS Name,OS Family,OS Generation,OS Accuracy,Port,Service Name,Service Product,Service Version,Service Confidence\n";
for my $host ($np->all_hosts()) {
  my $os = $host->os_sig;
  for my $port ($host->tcp_ports()) {
    my $service = $host->tcp_service($port);
    # Fields can be undefined (no hostname, no MAC, no OS match); emit them as empty cells
    print join(',', map { defined($_) ? $_ : '' }
      $host->hostname(), $host->ipv4_addr(), $host->mac_addr(),
      $os->name, $os->osfamily, $os->osgen(), $os->name_accuracy(),
      $port, $service->name, $service->product, $service->version, $service->confidence()
    ), "\n";
  }
}

Save the above code and run it from the command line as follows:

C:\>nmap_parse.pl nmap_scan_output.xml >> results.csv

Additional Information

ppm – Perl Package Manager, version 4

http://docs.activestate.com/activeperl/5.10/bin/ppm.html

ActiveState CPAN PPM Repository

http://ppm4.activestate.com/

Nmap Parser

http://search.cpan.org/dist/Nmap-Parser/Parser.pm

Written by admin

November 6th, 2009 at 12:28 pm

Posted in Uncategorized

Password Length vs. Password Strength


Take this hypothetical scenario (Okay, it really wasn’t hypothetical at the time).  You recommend to your client that minimum 8 character passwords should be enforced but they want a minimum of 6 character passwords and instead they will enforce password complexity (alphanumeric and special characters).

As auditors we like to have facts to back up our recommendations. What better fact than simple math?

Password strength, measured as the number of guesses an attacker needs to exhaust the keyspace by brute force, is the number of characters available to choose from raised to the power of the length of the password.

N^x

N = number of characters available
x = length of the password.

Let's do some simple math for six character passwords vs. eight character passwords. We will even have complex passwords for the six character password and simpler password requirements for the eight character password.

If an individual was required to have all 4 character strength requirements (uppercase and lowercase letters, numbers, and special characters) and had a six character password we can compute how many guesses you would need to crack the password.

Upper alpha = 26
Lower alpha = 26
Number = 10
Special Char = 32

Note: Special character support depends on the system. In this example we are going with what Windows supports for passwords: ()`~!@#$%^&*-+=|\{}[]:;"'<>,.?/ and space. Also of note, Windows supports 65,000 additional Unicode characters, but we will keep it to symbols found on the keyboard. Other systems do not support as many special characters as Windows.

94^6 = 689,869,781,056  (690 billion guesses).

Now we take a password with only upper and lowercase password requirements but make it an eight character minimum requirement.

Upper alpha = 26
Lower alpha = 26

52^8 = 53,459,728,531,456 (53.5 trillion guesses).

As you can see the eight character password, with few character requirements, has 74 times more choices than a “complex” six character password.
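To make the arithmetic above reusable for any policy, here is an added Python example (not from the original post) that computes the N^x figure for a policy, and also the exact count when every character class must appear at least once, which N^x overstates. Class sizes are the ones listed above (26, 26, 10 and 32); the policy tuples and function names are this example's own.

```python
"""Keyspace arithmetic for the length-vs-complexity comparison in this post.

N**x counts every string over the allowed alphabet, including strings that
never use a required class, so it is an upper bound for a "must contain all
classes" policy.  Inclusion-exclusion gives the exact count.
"""
from itertools import combinations

# Character-class sizes used in the post (Windows keyboard symbols incl. space)
UPPER, LOWER, DIGIT, SPECIAL = 26, 26, 10, 32


def keyspace(class_sizes, length):
    """Upper bound N**x: N = alphabet size, x = password length."""
    return sum(class_sizes) ** length


def keyspace_all_classes_required(class_sizes, length):
    """Exact number of passwords of `length` containing at least one character
    from every class.  Alternately subtract/add strings that avoid each subset
    of classes (inclusion-exclusion over the dropped classes)."""
    n = sum(class_sizes)
    total = 0
    for k in range(len(class_sizes) + 1):
        for dropped in combinations(class_sizes, k):
            total += (-1) ** k * (n - sum(dropped)) ** length
    return total


def advantage(policy_a, policy_b):
    """How many times larger policy_a's keyspace is than policy_b's.
    A policy is (class_sizes, min_length, all_classes_required)."""
    def size(policy):
        classes, length, required = policy
        if required:
            return keyspace_all_classes_required(classes, length)
        return keyspace(classes, length)
    return size(policy_a) / size(policy_b)


if __name__ == "__main__":
    six_complex = ([UPPER, LOWER, DIGIT, SPECIAL], 6, True)
    six_any = ([UPPER, LOWER, DIGIT, SPECIAL], 6, False)
    eight_alpha = ([UPPER, LOWER], 8, False)
    print(f"94^6 (any mix):        {keyspace(*six_any[:2]):,}")
    print(f"94^6 (all 4 classes):  {keyspace_all_classes_required(*six_complex[:2]):,}")
    print(f"52^8:                  {keyspace(*eight_alpha[:2]):,}")
    print(f"8-char alpha vs 6-char complex, N^x: {advantage(eight_alpha, six_any):.1f}x")
    print(f"8-char alpha vs 6-char complex, exact: {advantage(eight_alpha, six_complex):.1f}x")
```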

How about some computational proof! I used Cain & Abel to show how long it would take to brute force the example above with an NTLM hash (local Windows account) and an MS-Cache hash (domain Windows account). Note: Brute force times also depend on the cost of the hashing method used. You will see that an MS-Cache hash takes longer per guess than NTLM.

NTLM six character, alphanumeric and special characters (here).
NTLM eight character, alpha characters (here).

MS-Cache six character, alphanumeric and special characters (here).
MS-Cache eight character, alpha characters (here).

The computational results from Cain & Abel show that it takes about 80 times longer to brute force the less complex eight character password than the more complex six character password.

Written by admin

October 21st, 2009 at 12:45 pm

Posted in Uncategorized

NTBACKUP: more than DR/BCP (Updated)


An auditor’s interest in the Windows NTBACKUP Utility extends beyond examining their DR/BCP plan.

Suppose you just got command prompt access to a server (example tutorial 1, 2, & 3) but the host has anti-virus installed and you can’t disable it. You can’t use your trusty pwdump2 to dump the local password hashes (the same utility that SQLAT and SQLNINJA use). No problem, just use the ntbackup utility to make a current backup of the registry (including SAM and SYSTEM keys).

C:\>ntbackup backup systemstate /j "Auditor Owns Your Hashes" /f "%systemroot%\temp\%Username%SysState.bkf" /a
C:\>del "%systemroot%\temp\%Username%SysState.bkf"

You don’t need the backup file you created so it can be deleted (C:\>del %systemroot%\temp\%Username%SysState.bkf). When a backup is done of the systemstate the files in the %systemroot%\repair folder are updated. Copy the sam, system, and security files from %systemroot%\repair.

Once those files are obtained you can use the command line utilities from the creddump project to produce the same files obtained from PWDumpX (see tutorial).

Python needs to be installed for creddump to work.

Python version 2.5.4 from http://www.python.org/download/releases/2.5.4/
Pycrypto version 2.0.1 from http://jintoreedwine.com/files_and_stuff/pycrypto-2-0-1.zip

C:\creddump-0.1>pwdump.py SYSTEM SAM >> PWHashes.txt
C:\creddump-0.1>lsadump.py SYSTEM SECURITY >> LSASecrets.txt
C:\creddump-0.1>cachedump.py SYSTEM SECURITY >> PWCache.txt

Using RainbowCrack and the rainbow tables obtained from The Shmoo Group you will be able to obtain the passwords to any local account with a password of 14 characters or less from PWHashes.txt.

See this tutorial on how to dictionary attack the passwords obtained from the PWCache.txt file.

You can review the LSASecrets.txt file to obtain plain text passwords for Windows service accounts. Often these accounts are also Domain accounts with the same password or even Domain Administrator accounts.

Written by admin

June 10th, 2009 at 11:13 am

Posted in Uncategorized

SQLNINJA: SQL Injection


On a recent pentest I was able to use SQLNINJA to exploit a SQL Injection vulnerability I had identified.  I documented the steps I took so that future auditors can take advantage of this tool.  Check out the tutorial here.

Written by admin

June 4th, 2009 at 7:54 am

Posted in Uncategorized

Updated Configuration Tutorial


I have created an updated configuration document for my Motion Computing m1300 wireless tablet. This document details getting Ubuntu 8.04 LTS Hardy Heron up and running on the tablet. Included in the documentation are the steps to get Kismet, Aircrack-ng, and Karmasploit up and running. Those steps will be helpful no matter what hardware you install Ubuntu on.

I have also created an updated configuration document for the setup of my Linux laptop that I use for penetration testing.

Written by admin

June 4th, 2009 at 4:59 am

Posted in Uncategorized

Auditing Remote Services from the Command Line


During an audit I had to determine whether a particular remote control service was installed on the Domain workstations and servers. It was determined during the interview process that no remote control software was in use.  I decided to obtain the evidence to the contrary.  I had already compromised a Domain Administrator account so I had the appropriate permissions.

Get a list of servers and workstations.
C:\>net view /domain
C:\>net view /domain:<domain_name> >> host_list.txt

The host_list.txt file will need to be edited, as descriptions of the workstations and servers show up to the right of the host name. You can quickly edit it in Excel (Text to Columns). Of course, if this were Linux and/or you had awk you could pipe it through awk and keep the first column (| awk '{print $1}').

The command we will be using to query remote services is called Service Control (sc) from the Windows Resource Kit.  For more information on the command see this site.

C:\>for /f %i in (host_list.txt) do @echo %i >> results.txt && sc %i query <Service_Name> >> results.txt

In addition to the service results I would like to have the fully qualified domain name and IP address of the server or workstation I am querying. A quick addition of the nslookup command and you get this:

C:\>for /f %i in (host_list.txt) do @nslookup %i >> results.txt && sc %i query <Service_Name> >> results.txt

Finally, I would like to know, with reasonable assurance, the user of that workstation. For that we will be using a command line tool from the PsTools kit called PsLoggedOn. Once that tool is installed on your auditor workstation/laptop you can add it to the command.

C:\>for /f %i in (host_list.txt) do @nslookup %i >> results.txt && sc %i query <Service_Name> >> results.txt && psloggedon -l -x %i >> results.txt

I wrote a quick script to parse the output of the above command so it can be sorted and analyzed in your preferred spreadsheet application.


#!/usr/bin/perl
use strict;
use warnings;

# Usage: serviceparse.pl <results.txt>
# Turns the combined nslookup / sc query / PsLoggedOn output into CSV rows:
# host,ip,service state,logged-on user
my $numArgs = $#ARGV + 1;
if ($numArgs < 1) {
  print "Invalid Number of Arguments\n";
  print "Usage: serviceparse.pl <results.txt>\n\n";
  exit;
}

# open the file
my $infile = $ARGV[0];
open(DAT, '<', $infile) || die("Something did not work.  You figure it out.");

# save file contents into an array
my @raw_data = <DAT>;
close(DAT);

# Cycle through the entire array
for (my $count = 0; $count <= $#raw_data; $count++) {

  # get fully qualified domain name (the nslookup "Name:" line)
  if ($raw_data[$count] =~ /Name:/) {
    my @array = split(/:/, $raw_data[$count]);
    my $host = $array[1];
    $host =~ s/^\s+//;
    $host =~ s/\s+$//;

    # get ip address (the "Address:" line that follows the name)
    @array = split(/:/, $raw_data[$count + 1]);
    my $ip = $array[1];
    $ip =~ s/^\s+//;
    $ip =~ s/\s+$//;

    my $service = "";
    my $user = "";
    for (my $c = $count + 1; $c <= $#raw_data; $c++) {

      # sc query output: service state when the query succeeds
      if ($raw_data[$c] =~ /RUNNING/) {
        $service = "Installed and Running";
      }
      if ($raw_data[$c] =~ /STOPPED/) {
        $service = "Installed and Stopped";
      }
      # FAILED 1722 (RPC server unavailable) or FAILED 1060 (service does not
      # exist): sc prints the error text two lines below the FAILED line
      if ($raw_data[$c] =~ /FAILED 1722/ || $raw_data[$c] =~ /FAILED 1060/) {
        $service = defined($raw_data[$c + 2]) ? $raw_data[$c + 2] : "";
        $service =~ s/^\s+//;
        $service =~ s/\s+$//;
      }

      # PsLoggedOn output: a DOMAIN\user line follows "Users logged on locally:"
      if ($raw_data[$c] =~ /locally:/) {
        @array = split(/\\/, defined($raw_data[$c + 3]) ? $raw_data[$c + 3] : "");
        $user = defined($array[1]) ? $array[1] : "";
        $user =~ s/^\s+//;
        $user =~ s/\s+$//;
      } elsif ($raw_data[$c] =~ /Error opening HKEY_USERS/) {
        $user = "";
      }

      # The next host's nslookup block starts with "Server:"; also flush the
      # last host when the end of the file is reached
      if ($raw_data[$c] =~ /Server:/ || $c == $#raw_data) {
        print "$host,$ip,$service,$user\n";
        last;
      }
    }
  }
}


Run this script from the command line and redirect its output to a file.

$perl serviceparse.pl results.txt > parseresults.csv

Written by admin

March 6th, 2009 at 8:06 am

Posted in Uncategorized