Resources

From ChekMate Security Group

Application Security


Application Monitoring

Architecture



Auditing & Assessments


Authentication

  • Password Safe - Encrypted database for storage and generation of passwords


Backup Strategies


Best Practices


Certifications


Disaster Recovery


Distributions

eCommerce


Education

Whitepapers from http://www.redsiren.com/:

Whitepapers from http://www.forensics.com/:

Encryption

This script uses:
   "ltrace -i ./vpnclient connect ... 2>&1 | fgrep 805ac57" to decode passwords.
   (client: vpnclient-linux-4.0.3.B-k9).
This does not work with newer versions of the Linux vpnclient, e.g. 4.6. It has something in it to
defeat ltrace (clearly in response to publicity about the vulnerability). It might just be some of
the privilege separation voodoo which breaks ltrace. Cisco did not change the encoding method, so
the above online decoder does still work.

Enterprise Security

  • Passive Information Gathering - The Analysis of Leaked Network Security Information by Gunter Ollmann
Part 1
Part 2


Exploits

  • milw0rm Remote Exploits
  • milw0rm Local Exploits


Finger Printing

OPENXTRA has a version (NMapWin) for Windows http://www.openxtra.com/.


Firewall & Perimeter Protection

Blake (a Calgarian) solicits the members of BBR to get an unsolicited packet through the NAT/Firewall of several popular home routers.
Challenge Delivered
First Winner
  • Kerio, Sygate, ZoneAlarm Personal firewalls. Sygate and Kerio's firewalls are more advanced than ZoneAlarm

pf Firewall

The pf firewall is a BSD licenced firewall that showed up around OpenBSD 3.0. It has been adopted by FreeBSD, NetBSD and a few others. It is known for its clarity in configuration and its flexibility. QoS, stateful failover, and a large feature set for logging and authentication make this a firewall of choice for some users of this site.

FAQs and Docs

Configuration help

Logging and Monitoring


iptables example rulesets and utility programs

(Mirrored from Daniel De Graaf's web site with permission. http://daniel.6dns.org/info/iptables/)

Programs

Ruleset manipulation

  • confread, which allows you to make a more English-like configuration file (example)
  • view, which displays a summary of the iptables rules from an iptables-restore file, or if run as root with no arguments, the current table
  • mkscript, which converts these rulesets to shell scripts
  • patch, which takes two rulesets and outputs a script to move from one to the other (needs IPTables.pm)

Ruleset debugging

  • trace - allows you to see what actions are taken on a packet as it goes through iptables. Use -v to see each rule that is checked. This script uses IPTables.pm. There is no relation between this and the TRACE target
  • TRACE target - add this to the raw table (like iptables -t raw -A PREROUTING -j TRACE) and the packets will be traced in the system log. This target requires that you patch your kernel and iptables binaries with patch-o-matic and recompile them. See the README for a quick howto
  • nfsim - full kernel-level simulation of netfilter code. More useful for debugging the kernel modules, but you can debug or test a ruleset with it

Log analysis

  • adcfw-log - firewall log analyzer/summarizer with several types of reports
  • IptablesWeb - Inspect iptables logs using a web browser, PHP, and MySQL
  • fire-log, which either displays a summary of firewall logs or runs a continuous summary. Config file

Administration tools

  • ulogd - if you are using the LOG target for more than just debugging, ULOG is better for several reasons: it doesn't fill up dmesg, logs to a separate file or even database, and can log in tcpdump format
  • conntrack - Kernel 2.6.14 and later lets you manipulate the conntrack table from userspace. This program can list, add, remove, or clear entries from the conntrack table
  • ctview - a perl ncurses-based frontend to the conntrack tool above. Entries with an endpoint on the local system are resolved to the owning pid, uid, and command. You can also delete any entry by using 'd' when it is selected

Frontends

If you don't want to learn iptables, you can use one of several frontends to it. I haven't personally used any of them, but other people like them. There are many more on Google; these are just the ones I have looked at.

  • KIptablesGenerator - a graphical frontend to iptables that generates a script and lets you configure allowed ports and NAT
  • ipkungfu - generates an iptables ruleset from a set of config files in /etc/ipkungfu/. Allows both simple and complex configuration including NAT and logging, or custom rules if needed

Example rulesets

Simpler rulesets are at the start, with more complex scripts near the end. All rulesets are in iptables-save format and I discuss their use below.

Empty Script

  • empty - this resets the firewall to an accept-all policy. Ignore any "unable to initialize table" rules

Single host

  • minimal - no open ports, logging, or anything else. Good starting place
  • ssh for single host - allow SSH connections from a single IP address (1.8.9.7)
  • simple - two open services, DNS and WWW
  • simple+log - same, but with logging to syslog
  • simple+ulog - log to ulog (need ulogd running; creates a separate firewall log)
  • server - basic server. Mail, dns, www, ssh access from local network (10.0.0.0/8) and another host
  • outbound filtering by UID. This is usually not needed, but can provide an extra barrier to certain attacks (for example, an exploit on the http server would not be able to create a spambot or connect to a controlling host)

Normal router

  • MAC filtering - bind a specific MAC to an IP. This can be spoofed, but it requires finding an unused MAC-IP pair and taking them. eth1 is the local network, eth0 is the internet link, all requests come from a single MAC.

NAT Router

  • NAT router - simple NAT router, no open or forwarded ports; eth1 is local network, eth0 is dynamic IP
  • Port forward - NAT router with port 80 forwarded to 10.0.0.2 and port 25 open on the router; with logs
  • DMZ router - NAT router with a DMZ of 10.0.0.* and clients on 10.0.1.*; one mail&ssh server and one ftp&web server.
  • complex - NAT, server, port-knocking, portscan-blocking, logging, bad-source-block, ipv6, ... this was generated from this configuration file by confread, and commented to be more readable.

Bridge Router

  • bridge router - simple bridge, network connected to eth1 is allowed to make outgoing connections but incoming connections are blocked
  • my bridge - filtering bridge allowing card0 and card1 full access, but doing a bit of protection against inbound. Newer version of the complex ruleset above, with the source

Abnormal setups

  • Passwordless VNC server - You can run a VNC server on port 5900, with no password, and it is only accessible by someone logged in as you. This is useful if you tunnel it through SSH (which this example also opens) - you've already logged in once
  • Multi-subnet virtual host NAT - Each server has its own /24 which is actually empty, but which the server thinks contains all the other services it needs to contact. External connections retain their source, of course. This was created for a contest that requires you to eventually drop the firewall, but not the NAT

Use of the recent module

  • port knocking - to connect to SSH, first connect to port 12345, then connect to ssh within 5 minutes (300 seconds) of your first connection
  • multiport knocking - to connect to SSH, connect to port 10001,20002,30003,40004,50005 then connect to ssh
  • CGI knocking - Instead of connecting to random ports, just visit a webpage. This ruleset could be protected with a password on the webserver for extra security. It could be combined with either of the previous two rulesets
  • portscan blocking - gives an hour's block to any IP that tries to connect to an unused port 4 times (in this example, all ports are unused). The service on tcp port 12345 cannot be revealed by nmap unless you know the number beforehand (or are excessively patient)
  • brute-force prevention - prevents more than two SSH connections per minute to slow down SSH scans. Can be used in combination with port knocking to prevent a DoS attack - just put the port knocking first.
  • ident opening - Opens the ident port to any host you connect on port 25 (SMTP) or 6667 (IRC) so that ident checks succeed while not giving everyone access to the ident port. Closes the port after 60 seconds
  • manual conntrack - If you are getting SYN flooded at 100-500Mbit, the Linux state module panics. This is an alternate state-tracking ruleset written using -m recent which doesn't crash the kernel. Of course, the normal state tracking is better and this code should only be used when actually under an attack

HowTo

Tutorials

  • Iptables Tutorial by Oskar Andreasson (mirror) is a very nice starting place for iptables, but may be a bit long
  • netfilter.org howtos - Some of the external links on that page are outdated, but overall it is a good collection of information

Diagrams

Rulesets

These rulesets are in iptables-save format. I have written some simple documentation of the iptables-save format. I use this format for several reasons: it ensures there are no other rules in iptables, it loads faster, it avoids the possibility of a race condition that most iptables scripts have (although the race window would be about 1ms for most rulesets).

There are several ways to use these rulesets.

  • Use the scripts as an init script without any modifications
  • Use mkscript to convert the iptables-save file into a shell script and add the script to your init scripts
  • Save the ruleset as-is to /etc/iptables.conf and use this init script
  • Add pre-up iptables-restore < /etc/iptables.conf to the internet-facing interface in /etc/network/interfaces (Debian-based Distributions only)

For the best security, a firewall should be applied before the internet-facing interface is brought up. If you have a dynamic IP and need to use it in your ruleset, consider loading a simple deny-all firewall (remember to allow DHCP) before bringing up the interface, then switching to the real firewall after you get an IP.

Related scripts

  • sysctl settings that may be useful if you are running a firewall.

References

  • The iptables 1.3.4 manpage, which has a full syntax description and covers all the modules.
  • Netfilter, the official iptables/netfilter website.

Forensics

  • AccessData Corporation's Registry Quick Find Chart
  • Computer Crime Research Center - A non-profit organization which conducts extensive research on the problems of computer crime and cyber terrorism.
  • DoD Cyber Crime Center http://www.dcfl.gov/dc3/home.htm
  • Breakwater Security Associates - A leading provider of information protection and forensics solutions for business and government.
  • The Forensic Science Service - Supplier of forensic science services to police forces, as well as being a source of training, consultancy and scientific support.
  • US Secret Service - Forensic examiners in the Secret Service Forensic Services Division (FSD) provide analysis for questioned documents, fingerprints, false identification, credit cards, and other related forensic science areas.
  • The Coroner's Toolkit http://www.porcupine.org/forensics/tct.html http://www.fish.com/tct
  • Independent Validation & Verification of SMART for Linux by Thomas Rude, CISSP
    An Independent Validation and Verification for the data forensic program SMART, developed by ASR Data Acquisition and Analysis, LLC. In this paper I verified the four critical functions all forensic examiners need: authentication, imaging, restoring, and wiping. (PDF format)
  • Next Generation Data Forensics & Linux by Thomas Rude, CISSP
    I wrote this article so that folks new to Linux could get a clear grasp of what makes Linux so powerful and an excellent platform for performing Data Forensics work, whether it be the analysis of standalone personal computers or network investigations. It was originally published in the June 2002 edition of Under the Brim, the monthly Red Hat publication. It is part one of a two part series. (PDF format)
  • Building a Super Kernel for Data Forensics Updated January 2003 by Thomas Rude, CISSP
    After receiving a number of e-mails and wanting to make updates I set out to revise my original paper. However, after a bit of work I opted for a clean start, a new write. So here it is, my new kernel paper. Please discard the old copy if you have it! This paper focuses on recompiling the Linux kernel for the benefit of data forensics.
  • Independent Validation & Verification of SMART for BeOS by Thomas Rude, CISSP
    This paper is the result of a validation I performed on the SMART utility written by ASR Data & Acquisition, LLC. I tested four functions of the program: hashing, imaging, wiping, and restoring. View the results in this paper (PDF format).
  • Poor Man's Guide to Multi-Booting by Thomas Rude, CISSP
    A KISSing (Keeping it simple stupid) approach on partitioning a hard disk so that numerous operating systems can be installed and booted. Takes you from A to Z, including some key technical information. Read this to jump start your system!
  • Analysis of Microsoft's AutoComplete Function by Thomas Rude, CISSP
    An in-depth analysis of how this function is used within Internet Explorer. I've also included a list of tools that can be used to monitor this activity.
  • And You Thought DELETE Meant DELETE! by Thomas Rude, CISSP
    This is a very high level article aimed at the average computer user. When you delete a file, is it really deleted? Read this article to find out!
  • Evidence Seizure Methodology for Computer Forensics by Thomas Rude, CISSP
    I started writing this paper as a guideline for evidence seizure - sort of a step-by-step approach. As I got more and more involved with this subject area, I became aware that there is no one methodology for seizing evidence. From that, this paper branched out into how to prepare your department for a forensics investigation, the importance of developing a methodology, as well as the steps to take when seizing evidence.
  • Examples of using DD within UNIX to Create Physical Backups by Thomas Rude, CISSP
    In response to some questions I've received as well as listening to a few individuals at the Computer Crime Symposium, I decided to write a short paper on the UNIX DD command and how useful it is when creating a physical backup of evidence.

Hacking


Incident Handling


Intrusion Detection

  • Snort


Legal Issues

  • American Bar Association - An article on ensuring the admissibility of electronic forensic evidence and enhancing its probative value at trial
  • FSS - The FSS delivers support to diverse customers throughout the UK legal system such as coroners and the Criminal Cases Review Commission.
  • When Data Spills, Who do You Notify? - Columnist Linda LeBlanc had her laptop stolen a few weeks ago, and she's still digging out from the mess. But the theft left her with some questions. Who should be notified? (Wi-Fi Planet)


Malicious Code


Network Monitoring

FTP

  • Autobuf http://dast.nlanr.net/Features/Autobuf_v1.0/ is an auto tuning-enabled FTP client and server. The client, a modification of the NcFTP Client, enables Auto Tuning to calculate optimal window sizes before files are transferred. The client is compatible with most other FTP servers. The server, a modification of the WuFtp FTP server, allows connecting clients to reset its buffer size dynamically by using a SITE option.
  • bbcp http://www.slac.stanford.edu/~abh/bbcp/ a secure peer to peer file copy program supporting large windows and multiple streams. See also the presentation and the PDF paper.
  • bbftp http://ccweb.in2p3.fr/bbftp/ is designed to quickly transfer files across a wide area network. The package comprises a server and clients. It also provides compression and secures the transmission of the username and password by using the cryptolib of the OpenSSL project.
  • Firehose http://heroinewarrior.com/firehose.php3 Firehose uses multiple interfaces to stripe a bulk data transfer (it's geared towards files, the home-grown protocol includes sending a filename and the client requires a file) over multiple network interfaces.
  • GSIFTP http://www.globus.org/security/v1.1/ftp/install.html is an ftp client and server with built in kerberos and GSI (globus) security, and also allows you to set the TCP buffers on both the client and server.
  • SafeTP http://www.cs.berkeley.edu/~smcpeak/SafeTP/ operates by installing a transparent proxy in the Windows networking stack which detects outgoing FTP connections from any Windows FTP client, and silently secures them using modern cryptographic techniques.
  • NcFTP http://www.ncftp.com/ has a popular free FTP client that adds support for firewalls, intelligent ls caching, background and scheduled processing, and Microsoft Windows.
  • RFT http://www-unix.mcs.anl.gov/~madduri/RFT.html Reliable File Transfer Service is a service that allows byte streams to be transferred in a reliable manner. Reliability, in this context, means that problems of less than a certain, user-defined magnitude are dealt with automatically, i.e. problems like dropped connections, machine reboots, temporary network outages, etc. are dealt with automatically (usually via retry) until they either resume or meet some "ultimate failure" condition
  • WU-FTPD http://www.wuftpd.org/ is a popular FTP server from Washington University.

Mapping

Monitoring Infrastructures

  • Cheops http://www.marko.net/cheops/ is an Open Source Network User Interface designed to unify your network utilities.
  • CycleTraders http://www.cycletraders.com/, is a cooperative network of users that gather critical information about the status of each other's website.
  • Ganglia http://ganglia.sourceforge.net/ is a scalable distributed monitoring system for high-performance computing systems such as clusters and Grids.
  • Mon http://www.kernel.org/software/mon/ is a general-purpose resource monitoring system, which can be used to monitor network service availability, server problems, environmental conditions such as the temperature in a room, or any number of things.
  • Nagios http://www.nagios.org/ (used to be NetSaint) is an open source host, service and network monitoring program. It is designed to run under Linux, although it should work under most other *NIX variants. It can run either as a normal process or as a daemon, intermittently running checks on various services that you specify. The actual service checks are performed by external "plugins" which return service information to Nagios. Several CGI programs are included with Nagios in order to allow you to view the current service status, history, etc. via a web browser.
  • NetMeter http://www.ccaba.upc.es/netmeter/ This application provides an integrated graphical interface for a set of tools that allows the measurement of QoS parameters over IPv4 and IPv6 networks. Network Performance Meter (netmeter) is a Tcl/Tk application which tries to solve these tasks in a flexible and modular way.
  • Network Performance Advisor http://dast.nlanr.net/Projects/Advisor/ is a single application which integrates the measuring, analyzing, and displaying of network performance statistics.
  • NIMI http://www.psc.edu/networking/nimi/welcome.html
  • OSSMON http://www.crystalballinc.com/vlad/software/ossmon/ is a web-based monitoring package based on OSSWEB application framework. It supports SNMP monitoring as well as specific services like POP3, SMTP, Ping.
  • PingER http://www-iepm.slac.stanford.edu/pinger/ End-to-end active measurement using ping to monitor end-to-end performance of Internet links.
  • SCAMPI http://www.ist-scampi.org/ SCAMPI is a platform for passive monitoring. It can use several different hardware monitoring adapters (SCAMPI adapters developed in the project, DAG cards produced by Endace and regular NIC cards). It provides MAPI (Monitoring API) as a high-level abstraction of passive monitoring for easy creation of portable monitoring applications.
  • Scriptroute http://www.cs.washington.edu/research/networking/scriptroute/ is a flexible network measurement and debugging system. Measurements are expressed as scripts that run as an ordinary user, and a privileged daemon schedules and manages the packet exchange. The goal is to allow any user to connect to any server and execute any safe network measurement.
  • Website Monitoring http://checkwebsite.org/ is a free website monitoring application released under the GPL that provides an uptime monitoring tool.
  • Wombat http://wombot.net/ monitors the availability and operation of websites. When your website goes down or produces a definable error, WOMbot will automatically notify you via SMS and Email.

Path Characterization

Ping

RRDtool

RRDtool (Round Robin Database tool) is a system to store and display time-series data.

  • Bronc http://bronc.blueaspen.com/ is a package of utilities that allow you to gather and visualize data in the form of graphs. It uses RRD and is similar in function to Cricket and MRTG, though it is claimed to be faster.
  • Cricket http://cricket.sourceforge.net/ is a high performance, flexible system for monitoring trends in time-series data. The collector runs from cron every 5 minutes (by default), and stores data into a file-based database managed by the RRD Tool. Later, when you want to check on the data you have collected, you can use a web-based interface to view graphs of the data.
  • Host Grapher II http://software.foxlink.org/hostgrapher2/ is a light program that uses RRD to draw graphs of hosts for Network, Processes, CPU, Memory etc. Writing additional plugins is quite simple. Works on all major UNIX platforms and on win32.
  • NMIS http://www.sins.com.au/nmis/ Network Management Information System is an SNMP polling and statistics viewer front-end to Tobi Oetiker's RRDTool.
  • Orca http://www.orcaware.com/orca/ is a tool useful for plotting arbitrary data from text files onto a directory on a Web server.
  • remstats http://remstats.sourceforge.net/release/releasenotes.html Remstats is a system of programs to: gather data from servers and routers, store and maintain the data for long periods, produce graphs and web pages tying them together, and monitor the data for anomalous behaviour and issue alerts. This software is a pretty good hack to wrap around rrdtool as collector and presenter, easy to set up with not too many prerequisites. It only needs Perl and some Perl modules. It is under the GPL and is able to maintain and monitor big environments.
  • SmokePing http://people.ee.ethz.ch/~oetiker/webtools/smokeping/ measures latency and packet loss in your network. Uses RRDtool to maintain a long-term datastore and to draw pretty graphs giving up-to-the-minute information on the state of each network connection.

SNMP

Throughput Tools

Traceroute

Network Tools