Welcome to the SecurityisFutile blog

I welcome comments and suggestions, I take criticism very lightly (at least most of the time). My goal for this blog is to document various experiments and research projects I feel are both relevant and prominent in the field of computer security (or lack there of) and share my results and experiences with other fellow computer security enthusiests. Most of my topics are based soley on open source technology and methodology, mostly due to availability and cost. I believe that effective security measures help keep people honest with their technology, for the most part. Security is futile (usless) or at least it feels that way when an inspired opportunist comes around and exploits your weaknesses. With that being said I leave you with a quote of inspiration; There is no security on this earth, there is only opportunity.-- General Douglas MacArthur

Wednesday, December 9, 2009

Spelunking with splunk> & OSSMS

The purpose of this exercise is to simulate the integration of SIEM (Security Information and Event Management) data into an enterprise indexing repository where we can analyze, generate reports and correlate security relevant events through the use of regular expressions. The ideal goal is to try and build a free OSSMS (Open Source Security Management System). The SIEM devices sit on the border and internal segments of the network and report violations based on the security policy then take corrective action as necessary. Those alerts are forwarded to a filter device; OSSEC HIDS (Host-based Intrusion Detection System) in our scenario that separates our security relevant data from our SIEM devices, in the form of alerts and severity levels based on our organizational security policy, then ingest those events into our indexing engine, Splunk. This way we can filter out any unnecessary alerts/data and pull back only what we want, in a controlled fashion (to help stay within the 500MB of data per day budget and help keep the costs of the Splunk license to $0 to help sustain our free open source security management system). In the end, Splunk should help to enrich the security analysts experience by providing a faster and more efficient way to retrieve, search and query SIEM data from a central location, or across multiple Splunk repositories through its distributed search capability.

Here is my test scenerio, an OSSEC HIDS forwarding alerts to a Splunk server on the same network. Here is what you need to do from a test/configuration stand point:

Setup the OSSEC server
- Install / configure CentOS5

- Download install ossec v1.6 or 2.3
(This is a generic installation, so just accept all of the defaults when running the install.sh script. Read installation files for additional information)

- Inside ossec.conf add a syslog_output block specifying your Splunk system IP address and the port it is listening on: (can be changed to what ever you configuration allows for)









- Now you need to enable the syslog_output module and restart OSSEC:
#/var/ossec/bin/ossec-control enable client-syslog
#/var/ossec/bin/ossec-control restart


-----------------------------------------------------------

Setup SPLUNK
- Install / configure CentOS 5 (I used Ubuntu v9.10 in a VM since I only had one processesor any way)

- Download SPLUNK v4.0.6 tar ball for i386 or 64bit Linux to root's home directory

- Extract the .tar ball in the /opt directory (creates directory /opt/splunk)
# cp $HOME/splunk_linux_name.tar /opt;tar xf /opt/splunk_linux_name.tar

- Make sure you update any local or network firewalls that this communication is traversing and then restart Splunk.
# $SPLUNK_HOME/bin/splunk restart

(Accept the license agreement)
- Open browser and go to http://serverip:8000
* user: admin
*password: changeme

-----------------------------------------------------------

Splunk Configuration
· On the main dash board page, click the Manager link in the top right hand corner of the page

· Under “System Configurations” click on the Data Inputs link

· Click on the UDP link, then click the New button

· Enter the port number (10002 or what ever you entered in during the OSSEC configuration for the port SPLUNK will receive OSSEC alerts from)

· Select “Manual” from the dropdown box pertaining to source type

· Enter in “ossec” in the Source Type text box, then click the Save button

· Now you must enable the data input feed for the port by clicking on the enable link in the row that corresponds to your new UDP port/feed for OSSEC

· Click on the Back to Search link in the top left hand corner of the web browser, generate some alerts from the OSSEC server (or your OSSEC agents) and the alerts should be arriving into SPLUNK soon!!!!

Happy Splunking!!!!!


RESOURCES:
http://www.ossec.net/main/splunk-ossec-integration

http://www.splunk.com/base/Documentation/latest/Installation/InstallonLinux#Tarball_install

Monday, November 16, 2009

http browser autopwn

At the Defcon conference this year a new exploit was provided to the open source hacking community (Thanks to Egypt - Thank You), which allows one to fingerprint the victims browser/OS and patch levels prior to sending the exploit. Previously the exploit was chartered as a Cluster Bomb but is now known more of a guided missile.

I was able to test this exploit against a vulnerable microshaft IE 6.0.3 browser this afternoon and the payload exploited with out a hitch! If you like watching videos here is a good proof of concept you can develop your future exploits from off of youtube:

(PaulDotCom Enterprises, LLC)
http://www.youtube.com/watch?v=FwBDTg7W1wY

Just run the Metasploit console and load the /auxiliary/server/browser_autopwn exploit module then set values for:

LHOST (IP victim will connect back to)

SRVPORT (port to run exploit on, can be 80 or 443 HTTPS)

URIPATH (directory to host exploit from)

run exploit, connect from victims vulnerable browser to http://(IP)/(URIPATH) and the exploit should launch, results should start to show over in MSF console window. Once a session is generated you are in using the privileges as the victim (now you can quickly escalate privileges to system/admin/root)

Test:
sessions -l (session ids should list)
sessions -i (session id), then type: hashdump, ipconfig /all, ifconfig -a (what ever)

if not then try again. I had some problems when the browser sent a response the server didn't know how to respond to (sent RST and 404 message back to client usually when victims browsers doesn't have a plugin installed), like apple quicktime, java or something like that). Take out those checks done by the exploit in the ruby code and you might have some success!!! I didn't test with a anti-virus scanner installed, but I have heard it can bypass/evade some of the scanners and generic IDS rules based on how you submit your exploit to the victim. This is definitely an effective means of getting inside through a phishing attack.

NMAP XML Parser

Recently I took on the challenge to write my own python DOM parser ,to take the output of an NMAP SYN scan and parse the results into a database of choice, like MySQL. After doing some preliminary checking of what is already out on the web I came across a tool developed by http://www.tssci-security.com that will handle just what I was looking for. Once you make some tweaks to the code to parse out the "ipaddr" for both the MAC and the IP addresses the python script "nmapxmlparse.py" works like a champ! It outputs the NMAP xml formated file into a ingestable .csv file, which can then be scripted to insert into your MySQL tables.