Eikonal Blog

2011.01.05

Auditing MS Windows

Articles


Tools

What to audit

  • 1) List of domain users. Their user groups (who belongs to what groups).
  • 2) Logging parameters: number of unsuccessful retries before account lock-out, number of minutes the account is temporary disabled (due to sequence of failed logon attempts), …
  • 3) Password parameters: minimal password length, used character sets, password complexity requirement (is it enforced or not), password expiration, …
  • 4) Auditing parameters: are all account logon attempts being logged? Are changes in account privileges (e.g. adding users to different groups) being logged? Are additions, removals or renaming of accounts being logged? Are privilege violations being logged (e.g. user trying to access resources [files, applications, shares] that they do not have right to access)? Are changes to security policies being logged? Are changes to user passwords being logged? Are changes in account status (e.g. disabling and enabling accounts) logged? etc
  • 5) Inspect the content of system logs.
  • 6) List of services
  • 7) Look at the open network connections.
  • \8) Registry checkup

Tools

DumpSec

SomarSoft’s DumpSec/DumpAcl – http://www.systemtools.com/somarsoft/?somarsoft.com

DumpEvt

DumpEvt is a command line tool by SomarSoft – http://www.systemtools.com/somarsoft/?somarsoft.com

Syntax:

c:>dumpevt
2011.01.06 13:23:28
Somarsoft DumpEvt V1.7.6, Copyright ▒ 1995-2007 by Somarsoft, Inc.
Copy 07353, registered to (this program is now free of charge)
==>Missing /logfile parameter
Dump eventlog in format suitable for importing into database
Messages written to stdout
Dump output written to file specified by /outfile or /outdir
Parameters:
  /logfile=type      eventlog to dump; can be app, sec, sys, dns, dir, or rpl
  /logfile=type=path backed up eventlog file to dump
  /outfile=path      create new file or append to end of existing file
  /outdir=path       create new .tmp file in specified directory
  /all               dump all recs (default is recs added since last dump
  /computer=name     dump eventlog for specified computer (default is local)
  /reg=local_machine use HKEY_LOCAL_MACHINE instead of HKEY_CURRENT_USER
  /clear             clear event log after successful dump
Specify formatting parameters in DUMPEVT.INI file
See dumpevt.hlp for complete documentation
Visit http://www.somarsoft.com for latest version

Example:

c>dumpevt /logfile=sec /outfile=20100106-system7-seclog.txt
2011.01.06 13:31:36
Somarsoft DumpEvt V1.7.6, Copyright ▒ 1995-2007 by Somarsoft, Inc.
Copy 07353, registered to (this program is now free of charge)
LogType=Security
Computer=(local)
SystemRoot=C:\WINDOWS
Outfile=20100106-system7-seclog.txt
Use HKEY_CURRENT_USER for saving record number
Format=yes
DateFormat=(locale dependent)
TimeFormat=HH':'mm':'ss
FieldSeparator=,
ReplaceFieldSeparator=  (blank)
ReplaceCR=^
ReplaceLF=`
StringSeparator=;
MaxMessageLen=32000
MaxFragmentLen=32000
DumpData=none
SplitDateTime=yes
UseGmtTime=no
DumpRecnum=no
==>LastProcessed (0) < Oldest (1), log records lost
process event log records starting with 1
last event log record processed = 1018
Elapsed time= 0.594 seconds, NumRecs=1018

Fport

Example:

c>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
508                  ->  135   TCP
4     System         ->  139   TCP
4     System         ->  445   TCP
1644  dirmngr        ->  1059  TCP   C:\Program Files\GNU\GnuPG\dirmngr.exe
4084                 ->  1080  TCP
3856                 ->  1192  TCP
2428  ccApp          ->  1202  TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
0     System         ->  1212  TCP
3652  firefox        ->  2036  TCP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  2037  TCP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  2044  TCP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  2045  TCP   C:\Program Files\Mozilla Firefox\firefox.exe
4     System         ->  6846  TCP
3652  firefox        ->  6896  TCP   C:\Program Files\Mozilla Firefox\firefox.exe
3856                 ->  6938  TCP
3856                 ->  6939  TCP
0     System         ->  6945  TCP
4456526               ->  123   UDP
4     System         ->  123   UDP
5177412               ->  137   UDP
4     System         ->  137   UDP
6029362               ->  138   UDP
4     System         ->  138   UDP
3652  firefox        ->  138   UDP   C:\Program Files\Mozilla Firefox\firefox.exe
508                  ->  445   UDP
4     System         ->  500   UDP
3652  firefox        ->  1069  UDP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  1103  UDP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  1357  UDP   C:\Program Files\Mozilla Firefox\firefox.exe
3652  firefox        ->  1520  UDP   C:\Program Files\Mozilla Firefox\firefox.exe
4     System         ->  2576  UDP
3856                 ->  62514 UDP

netstat

On Windows XP:

c>netstat -a
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    server7:epmap      interesting.website.org:0      LISTENING
  TCP    server7:microsoft-ds  interesting.website.org:0      LISTENING
  TCP    server7:5556       interesting.website.org:0      LISTENING
  TCP    server7:1059       interesting.website.org:0      LISTENING
  TCP    server7:1080       interesting.website.org:0      LISTENING
  TCP    server7:1202       interesting.website.org:0      LISTENING
  TCP    server7:2036       localhost:2037         ESTABLISHED
  TCP    server7:2037       localhost:2036         ESTABLISHED
  TCP    server7:2044       localhost:2045         ESTABLISHED
  TCP    server7:2045       localhost:2044         ESTABLISHED
  TCP    server7:62514      interesting.website.org:0      LISTENING
  TCP    server7:netbios-ssn  interesting.website.org:0      LISTENING
  TCP    server7:1192       strangemachine:netbios-ssn  ESTABLISHED
  TCP    server7:6846       alphaomega.com:microsoft-ds  ESTABLISHED
  TCP    server7:7061       server2:8585       ESTABLISHED
  TCP    server7:7062       server2:8585       ESTABLISHED
  TCP    server7:netbios-ssn  interesting.website.org:0      LISTENING
  TCP    server7:7067       strangemachine:netbios-ssn  SYN_SENT
  TCP    server7:netbios-ssn  interesting.website.org:0      LISTENING
  TCP    server7:7068       strangemachine:netbios-ssn  SYN_SENT
  UDP    server7:microsoft-ds  *:*
  UDP    server7:isakmp     *:*
  UDP    server7:4500       *:*
  UDP    server7:52311      *:*
  UDP    server7:ntp        *:*
  UDP    server7:1025       *:*
  UDP    server7:1069       *:*
  UDP    server7:1103       *:*
  UDP    server7:1357       *:*
  UDP    server7:1520       *:*
  UDP    server7:1900       *:*
  UDP    server7:2576       *:*
  UDP    server7:62514      *:*
  UDP    server7:ntp        *:*
  UDP    server7:netbios-ns  *:*
  UDP    server7:netbios-dgm  *:*
  UDP    server7:1900       *:*
  UDP    server7:ntp        *:*
  UDP    server7:netbios-ns  *:*
  UDP    server7:netbios-dgm  *:*
  UDP    server7:1900       *:*
  UDP    server7:ntp        *:*
  UDP    server7:netbios-ns  *:*
  UDP    server7:netbios-dgm  *:*
  UDP    server7:1900       *:*

Getting list of users and groups

Inside Cygwin, there are commands mkpasswd and mkgroup. These can build the Cygwin’s /etc/passwd and /etc/group from either local system or from the domain the system is on.

mkpasswd -l > local-users.txt
mkpasswd -d -l > domain-users.txt
mkgroup -l > local-groups.txt
mkgroup -d -l > domain-groups.txt

Advertisements

2010.08.03

Powershell

Filed under: scripting, windows — Tags: , , , , , — sandokan65 @ 14:32

Portable Powershell:

2010.01.29

Vulnerability Assessment tools

Information Gathering

Network Scanners and Discovery, Port scanners

Vulnerability Scanners, Integrated VA (Vulnerability Assessment) scanners

Windows Auditing

GOTO: https://eikonal.wordpress.com/2011/01/05/auditing-ms-windows/

Unix Auditing

GOTO: https://eikonal.wordpress.com/2011/07/08/auditing-unix/

Database auditing

GOTO: https://eikonal.wordpress.com/2011/02/24/database-security/

Web Applications and Web Services assessment

Lists of tools:

Application Assessment:

Web services testing:

Fuzzing:

Using browsers as the webapp testing tools:

Misc info:

  • Book: “The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto – http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/
  • The Web Application Security Consortium (WASC): http://www.webappsec.org/ | http://projects.webappsec.org/
  • OSSTMM – “Open Source Security Testing Methodology Manual” by Pete Herzog – http://www.isecom.org/osstmm/
  • OWASP: http://www.owasp.org/index.php/Main_Page
    • OWASP Testing Guide:
  • Top 10 Web Vulnerability Scanners – http://sectools.org/web-scanners.html:

    • #1 – Nikto : A more comprehensive web scanner:
      Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.
    • #2 – Paros proxy : A web application vulnerability assessment proxy
      A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.
    • #3 – WebScarab : A framework for analyzing applications that communicate using the HTTP and HTTPS protocols
      In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
    • #4 – WebInspect : A Powerful Web Application Scanner
      SPI Dynamics’ WebInspect application security assessment tool helps identify known and unknown vulnerabilities within the Web application layer. WebInspect can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.
    • #5 – Whisker/libwhisker : Rain.Forest.Puppy’s CGI vulnerability scanner and library
      Libwhisker is a Perl module geared geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto which also uses libwhisker.
    • #6 – Burpsuite : An integrated platform for attacking web applications
      Burp suite allows an attacker to combine manual and automated techniques to enumerate, analyze, attack and exploit web applications. The various burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
    • #7 – Wikto : Web Server Assessment Tool
      Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code.
    • #8 – Acunetix WVS : Commercial Web Vulnerability Scanner
      Acunetix WVS automatically checks web applications for vulnerabilities such as SQL Injections, cross site scripting, arbitrary file creation/deletion, weak password strength on authentication pages. AcuSensor technology detects vulnerabilities which typical black box scanners miss. Acunetix WVS boasts a comfortable GUI, an ability to create professional security audit and compliance reports, and tools for advanced manual webapp testing.
    • #9 – Rational AppScan : Commercial Web Vulnerability Scanner
      AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. Appscan scans for many common vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows and more. Appscan was merged into IBM’s Rational division after IBM purchased it’s original developer (Watchfire) in 2007.
    • #10 – N-Stealth : Web server scanner
      N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but do take their web site with a grain of salt. The claims of “30,000 vulnerabilities and exploits” and “Dozens of vulnerability checks are added every day” are highly questionable. Also note that essentially all general VA tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara include web scanning components. They may not all be as up-to-date or flexible though. N-Stealth is Windows only and no source code is provided.
  • Jeremiah Grossman blog on web applicaiton’s security: http://jeremiahgrossman.blogspot.com | RSS – http://feeds.feedburner.com/JeremiahGrossman:
  • “Web Application Testing” by Russ Klanke (at Aggressive Virus Defense blog) – http://aggressivevirusdefense.wordpress.com/2009/08/02/web-application-testing/ – has numerous good links and tips.
  • Browser Security Handbook – http://code.google.com/p/browsersec/wiki/Main
      Browser Security Handbook is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.

      The document currently covers several hundred security-relevant characteristics of Microsoft Internet Explorer (versions 6, 7, and 8), Mozilla Firefox (versions 2 and 3), Apple Safari, Opera, Google Chrome, and Android embedded browser.

      Open-source test cases provided alongside with this document permit any other browser implementations to be quickly evaluated in a similar manner.

  • “Web Security Testing Cookbook” by Paco Hope – http://websecuritytesting.com/

(other) Specialized scanners

IPSec security

  • IPSecScan (by NTSecurity.nu) – http://ntsecurity.nu/toolbox/ipsecscan/IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled.

Wireless Hacking and auditing

VoIP & Telephony auditing

Live CDs

Exploitation Frameworks

Tools:

Articles:

Penetration Testing and Exploitation

Network testers


See also: list of (other) security tools (in this blog) – https://eikonal.wordpress.com/2010/07/28/security-tools/.

Create a free website or blog at WordPress.com.