Page 1: ECSA/LPT
Log Management Penetration Testing
Page 2: Penetration Testing Roadmap
Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Internal Network Penetration Testing
• Router and Switches Penetration Testing
• Firewall Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Social Engineering Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Application Penetration Testing
Cont’d
Page 3: Penetration Testing Roadmap (cont’d)
Cont’d
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• VPN Penetration Testing
• War Dialing
• Virus and Trojan Detection
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here
Page 4
Log files maintain a record of all the events occurring in an organization’s systems and networks.
Log management systems are used to manage log files across a network.
Since threats against systems and networks have increased, the security of log management systems also needs to be increased.
Logs are classified into:
• Security software logs: These logs record all instances of detected vulnerabilities in software.
• Operating system logs: These logs record all instances of detected vulnerabilities in the operating system.
Page 5: Need for Log Management
To record each and every action performed on the system
To ensure the recorded instances are stored for an appropriate duration
To perform routine log review and analysis that helps to identify security threats, policy violations, operational problems, etc.
To perform auditing and forensic analysis in the investigation of malicious activities
Operating system log entry example:
Event Type: Success Audit
Event Source: Security
Event Category: (1)
Event ID: 517
Date: 3/3/2008
Time: 4:30:40 PM
User: NT AUTHORITY\SYSTEM
Computer: KENT
Description:
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3F7)
Client User Name: userk
Client Domain: KENT
Client Logon ID: (0x0,0x28BFD)
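The event above is exactly the kind of entry routine log review should never let pass: Event ID 517 means the Security log itself was wiped. The following added example (not part of the ECSA/LPT slides) parses the slide's record field by field and rates it; the severity labels and the inclusion of Event ID 1102 (the same event on Windows Vista and later) are this example's own choices.

```python
"""Parse the flat Windows Security event record shown on the slide and rate it.

Added example, not part of the ECSA/LPT slides. The only input is the
Event ID 517 record from the slide, laid out one field per line.
"""
import re

# The slide's record, one "Field: value" per line. The free text after
# "Description:" is treated as the message.
SAMPLE_EVENT = """
Event Type: Success Audit
Event Source: Security
Event Category: (1)
Event ID: 517
Date: 3/3/2008
Time: 4:30:40 PM
User: NT AUTHORITY\\SYSTEM
Computer: KENT
Description:
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3F7)
Client User Name: userk
Client Domain: KENT
Client Logon ID: (0x0,0x28BFD)
"""

# Event IDs meaning "the audit log was cleared": 517 on Windows 2000/XP/2003
# (the slide's example), 1102 on Windows Vista/2008 and later.
AUDIT_LOG_CLEARED = {517, 1102}

# "Field name: value"; field names contain only letters and spaces, so the
# first colon always ends the name (e.g. "Time: 4:30:40 PM").
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_event(text):
    """Return the record as a dict; non-field lines become 'Message'.

    'Event ID' is converted to int so it can be compared with the rule set.
    """
    fields, message = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m is None:
            message.append(line)          # free text under "Description:"
        elif m.group(1) == "Description":
            continue                      # header line for the message block
        else:
            fields[m.group(1)] = m.group(2)
    fields["Message"] = " ".join(message)
    if "Event ID" in fields:
        fields["Event ID"] = int(fields["Event ID"])
    return fields


def assess(event):
    """Return (severity, reason). Clearing the Security log is always high:
    it removes the evidence a later forensic investigation would rely on."""
    if event.get("Event ID") in AUDIT_LOG_CLEARED:
        actor = "%s\\%s" % (event.get("Client Domain", "?"),
                            event.get("Client User Name", "?"))
        return "high", "audit log cleared on %s by %s" % (event.get("Computer", "?"), actor)
    if event.get("Event Type") == "Failure Audit":
        return "medium", "failed audit event"
    return "info", "routine event"


if __name__ == "__main__":
    print(assess(parse_event(SAMPLE_EVENT)))
```

The parser keys on the colon-separated layout the slide shows; the rule set is deliberately tiny, but the point stands for any review process: a log-cleared event names the computer and the client account, and that pair is what an analyst follows up on.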
Page 6: Challenges in Log Management
Potential problems with the initial generation of logs
Inconsistent log formats
Confidentiality, integrity, and availability of generated logs
Inaccuracy in the internal clock
Page 7: Steps for Log Management Penetration Testing
1 • Scan for log files
2 • Try to flood Syslog servers with bogus log data
3 • Try malicious Syslog message attack (buffer overflow)
4 • Perform man-in-the-middle attack
5 • Check whether the logs are encrypted
6 • Check whether arbitrary data can be injected remotely into Microsoft ISA server log file
7 • Perform DoS attack against Check Point FW-1 Syslog daemon
8 • Send Syslog messages containing escape sequences to Syslog daemon of Check Point FW-1 NG FP3
Page 8: Step 1: Scan for Log Files
Use different scanning tools to scan the log files in the system
Some of the log file scanning tools are:
• Sawmill
• Bcnumsg
Page 9: Step 2: Try to Flood Syslog Servers with Bogus Log Data
Most syslog implementations use the connectionless, unreliable UDP to transfer logs between hosts.
UDP provides no assurance that log entries will be received successfully or in the correct sequence.
Most syslog implementations do not perform any access control, so any host can send messages to a syslog server.
Check whether flooding the server with bogus data causes a denial of service
Page 10: Step 3: Try Malicious Syslog Message Attack (Buffer Overflow)
Construct a large syslog message with target-specific codes at the end of the message
If syslog messages are allowed from untrusted hosts, try to send syslog messages until a buffer overflow condition is found
Try to elevate a local user process to root privileges after buffer overflow
Page 11: Step 4: Perform Man-in-the-Middle Attack
Man-in-the-middle attacks can be used to modify or destroy syslog messages in transit
Check if the syslog client checks the server's identity as presented in the server's certificate message before sending log files
Check the client’s local ~/.ssh/known_hosts file if an ssh tunnel is used for log transmissions
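The known_hosts check in Step 4 amounts to one question: is the host key of the log collector pinned on the client, and is it the key the tunnel actually presents? The following added example (not from the slides, and not OpenSSH's own code) answers that for plain, hashed (HashKnownHosts) and @revoked entries. The hostnames, keys and salt are constructed for the example; in practice the text comes from ~/.ssh/known_hosts and the key from the collector's /etc/ssh/ssh_host_*_key.pub or ssh-keyscan output.

```python
"""Check that a log collector's SSH host key is pinned in known_hosts.

Added example, not from the ECSA/LPT slides. Hostnames, keys and the salt
below are constructed; real salts are 20 random bytes and real keys are
the base64 blob from the collector's host key file.
"""
import base64
import hashlib
import hmac


def hash_host(hostname, salt):
    """Build an OpenSSH HashKnownHosts entry: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(pattern, hostname):
    """True if a known_hosts host pattern (plain or hashed) names hostname."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return pattern == hostname          # wildcard patterns (*, ?) are not handled here


def find_host_keys(known_hosts_text, hostname):
    """Return [(keytype, key_b64, marker)] for every line that names hostname."""
    found = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):        # @revoked / @cert-authority markers
            marker, line = line.split(None, 1)
        parts = line.split()
        if len(parts) < 3:
            continue
        if any(host_matches(p, hostname) for p in parts[0].split(",")):
            found.append((parts[1], parts[2], marker))
    return found


def check_pin(known_hosts_text, hostname, keytype, key_b64):
    """'pinned', 'revoked', 'mismatch' (a different key is pinned, so the tunnel
    endpoint is not the host that was trusted) or 'unknown' (nothing pinned)."""
    entries = find_host_keys(known_hosts_text, hostname)
    if not entries:
        return "unknown"
    for kt, key, marker in entries:
        if kt == keytype and key == key_b64:
            return "revoked" if marker == "@revoked" else "pinned"
    return "mismatch"


# Constructed sample data (not real keys; real salts are 20 random bytes).
KEY_A = base64.b64encode(b"constructed-ed25519-key-A").decode()
KEY_B = base64.b64encode(b"constructed-ed25519-key-B").decode()
KEY_C = base64.b64encode(b"constructed-rsa-key-C").decode()
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts for the example",
    "logcollector.example.com,10.0.0.20 ssh-ed25519 %s" % KEY_A,
    "%s ssh-ed25519 %s" % (hash_host("syslog-backup.example.com", SALT), KEY_B),
    "@revoked old-collector.example.com ssh-rsa %s" % KEY_C,
])


if __name__ == "__main__":
    for host, kt, key in [("logcollector.example.com", "ssh-ed25519", KEY_A),
                          ("syslog-backup.example.com", "ssh-ed25519", KEY_B),
                          ("logcollector.example.com", "ssh-ed25519", KEY_B)]:
        print(host, check_pin(SAMPLE_KNOWN_HOSTS, host, kt, key))
```

"unknown" is the case the slide warns about: with no pinned key the client will accept whatever host answers on the first connection, and "mismatch" is the case where the pin exists but the far end presents a different key.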
Page 12: Step 5: Check Whether the Logs are Encrypted
Most syslog implementations cannot use encryption to protect the integrity or confidentiality of logs in transit
Sniff the network with different sniffing tools such as Ethereal and SniffIt
Try to monitor syslog messages containing sensitive information regarding system configurations and security weaknesses
Page 13: Step 6: Check Whether Arbitrary Data Can be Injected Remotely into Microsoft ISA Server Log File (Only for Microsoft ISA Server)
Send a specially-crafted HTTP request to modify the destination host parameter in the log file.
GET / HTTP/1.0
Host: %01%02%03%04
Transfer-Encoding: whatever
Page 14: Step 7: Perform DoS Attack Against Check Point FW-1 Syslog Daemon (Only for CheckPoint Firewall)
Start syslog daemon by enabling the firewall object
Check for listening syslog daemon
Send a valid syslog message from a remote host
Send random payload via syslog message from a remote host
• [evilhost]# cat /dev/urandom | nc -u firewall 514
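Steps 2, 3 and 7 all probe how a syslog daemon copes with input it should not trust: floods of bogus entries, oversized messages and random payloads. The following added example (not from the slides, and not any vendor's code) shows the receive-side controls a collector can apply to each UDP datagram before storing it: a size bound, per-source rate limiting and validation of the <PRI> header. The limits, the source addresses and the sample datagrams are assumptions chosen for the example.

```python
"""Receive-side controls for a UDP syslog collector: size bound, per-source
rate limiting and <PRI> validation.

Added example, not from the ECSA/LPT slides. Only the decision logic is
shown; the socket loop that would call accept_datagram() is omitted. The
limits below are assumptions for the example, not recommended values.
"""
import time
from collections import defaultdict

MAX_MSG_BYTES = 1024     # RFC 3164 packet limit; larger datagrams are dropped unparsed
RATE_PER_SEC = 50.0      # sustained datagrams per second allowed per source address
BURST = 100              # short burst tolerated before throttling starts


class TokenBucket:
    """Token bucket: refills `rate` tokens per second up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_pri(data):
    """Return (facility, severity) from a leading "<PRI>", or None if malformed.

    PRI is 0..191 written with 1-3 digits and no leading zeros ("<0>" .. "<191>").
    Random bytes or text without the header fail here and are never stored.
    """
    if not data.startswith(b"<"):
        return None
    end = data.find(b">", 1, 5)           # ">" must sit at index 2, 3 or 4
    if end == -1:
        return None
    digits = data[1:end]
    if not digits.isdigit() or (len(digits) > 1 and digits.startswith(b"0")):
        return None
    pri = int(digits)
    if pri > 191:
        return None
    return pri // 8, pri % 8


class SyslogGate:
    def __init__(self, rate=RATE_PER_SEC, burst=BURST, max_bytes=MAX_MSG_BYTES):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.max_bytes = max_bytes
        self.dropped = defaultdict(int)    # reason -> count, worth exporting as a metric

    def accept_datagram(self, src, data, now=None):
        """Return (True, "ok") to keep the datagram or (False, reason) to drop it."""
        now = time.monotonic() if now is None else now
        if len(data) > self.max_bytes:        # cheapest check first, before any parsing
            return self._drop("oversize")
        if not self.buckets[src].allow(now):  # a flood from one host cannot starve others
            return self._drop("rate-limited")
        if parse_pri(data) is None:
            return self._drop("malformed")
        return True, "ok"

    def _drop(self, reason):
        self.dropped[reason] += 1
        return False, reason


def demo():
    """Constructed traffic: one good message, an oversized one, random bytes,
    then a burst from a single source that trips the limiter."""
    gate = SyslogGate(rate=10.0, burst=5)
    t = 1000.0
    results = [
        gate.accept_datagram("10.0.0.5", b"<13>Mar  3 16:30:40 kent app: started", t),
        gate.accept_datagram("10.0.0.5", b"<13>" + b"A" * 2000, t),
        gate.accept_datagram("10.0.0.9", bytes(range(256)), t),
    ]
    for i in range(5):
        results.append(gate.accept_datagram("10.0.0.5", b"<13>flood %d" % i, t))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("keep" if ok else "drop", reason)
```

The order of the checks matters: the length test costs nothing and protects the parser (Step 3), the per-source bucket keeps one noisy or hostile host from crowding out everyone else (Steps 2 and 7), and only datagrams that pass both are parsed at all. The drop counters are the detection side: a sudden rise in "malformed" or "rate-limited" for one source is itself worth alerting on.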
Page 15: Step 8: Send Syslog Messages Containing Escape Sequences to Syslog Daemon of Check Point FW-1 NG FP3 (Only for CheckPoint Firewall)
Enable receiving of syslog from remote by FW-1
Send some special escape sequences via syslog
[evilhost]# echo -e "<189>19: 00:01:04: Test\a\033[2J\033[2;5m\033[1;31mHACKER~ATTACK\033[2;25m\033[22;30m\033[3q" | nc -u firewall 514
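Steps 6 and 8 both plant bytes in a log that are harmless as data but are interpreted when the file is later viewed on a terminal: URL-encoded control characters in an HTTP Host header, and ANSI escape sequences in a syslog message. The following added example (not from the slides) shows the defender's side of both: a check that flags such content for alerting, and a sanitizer that makes it inert before the line is written. The syslog message is the one from the Step 8 slide and the Host value is the one from Step 6; the function names and the log line format are this example's own.

```python
"""Detect and neutralise terminal control data before it is written to a log.

Added example, not from the ECSA/LPT slides. Inputs: the escape-sequence
message shown on the Step 8 slide and the Host header value from Step 6.
"""
import re
from urllib.parse import unquote

# ECMA-48 CSI sequences such as ESC[2J (clear screen) or ESC[1;31m (red text).
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# C0 control characters and DEL, except TAB and LF, which the log format itself uses.
CTRL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")

# Message from the Step 8 slide, with the shell escapes (\a, \033) resolved.
STEP8_MSG = ("<189>19: 00:01:04: Test\a\033[2J\033[2;5m\033[1;31mHACKER~"
             "ATTACK\033[2;25m\033[22;30m\033[3q")
# Host header value from the Step 6 slide, as the server would decode it.
STEP6_HOST = unquote("%01%02%03%04")


def inspect_message(msg):
    """Return a list of reasons why msg is unsafe to write verbatim (empty if clean)."""
    findings = []
    seqs = CSI_RE.findall(msg)
    if seqs:
        findings.append("%d terminal escape sequence(s): %s"
                        % (len(seqs), ", ".join(repr(s) for s in seqs)))
    if CTRL_RE.search(msg):
        findings.append("control characters present")
    if "\n" in msg:
        findings.append("embedded newline (could forge a second log entry)")
    return findings


def sanitize(msg):
    """Replace control characters with visible \\xNN escapes and fold newlines,
    so the stored line is plain printable text that a terminal will not interpret."""
    msg = CTRL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), msg)
    return msg.replace("\n", "\\n")


def log_line(source, msg):
    """Build the line a collector would store for msg received from source."""
    return "%s %s" % (source, sanitize(msg))


if __name__ == "__main__":
    for name, m in (("step8", STEP8_MSG), ("step6", STEP6_HOST)):
        print(name, inspect_message(m))
        print(log_line("10.0.0.7", m))
```

Escaping rather than deleting keeps the evidence: the stored line still shows that ESC[2J arrived, which is what an analyst wants to see, while `cat` or `tail` on the file no longer clears the screen or recolours the output.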
Page 16: Checklist For Secure Log Management
Maintain backups of log files
Use updated versions of software for logging mechanisms
Select secure log file locations
Encrypt log files
Store them on another host in order to prevent tampering with log files
Establish standard policies and procedures for log management
Create and maintain a secure log management infrastructure
Page 17: Checklist for Secure Log Management (cont’d)
Train the personnel holding log management responsibilities
Give limited access to log files
Use a secure mechanism to transfer log files from one system to another
Check the internal clock of the system
Page 18
Log files are the files that maintain a record of all the events occurring in an organization’s systems and networks.
Logs are used to perform auditing and forensic analysis in the investigation of malicious activities.
Most syslog implementations use the connectionless, unreliable UDP to transfer logs between hosts.
Use updated versions of software for logging mechanisms.
Check the internal clock of the system.