incident response tools - users.cs.jmu.edu
Incident Response Tools
James Madison University Dept. of Computer Science
June 13, 2015
1 Introduction
Being successfully attacked is inevitable. A determined hacker WILL be able to penetrate your network.
The attacker, if they want to re-enter your network, will have to leave a backdoor somewhere. This means they will likely re-add guest accounts, disable firewall ports, and re-enable services that you had previously disabled (in the Windows Security Exercise... like FTP) to provide a means for them to access your computer easily.
In this chapter, we will briefly re-examine things talked about in the Windows Security Exercise that are relevant after an incident, and then we will cover new tools that will help you investigate an incident.
All tools necessary are available on the Desktop of your IR Tools snapshot.
2 Services
Knowing what services are running on your Windows machine is very important, especially after being attacked. Having extra services running that are not necessary may add vulnerabilities to your machine and may allow an attacker to re-enter your network. The more services that are running on a machine, the more services you must protect and secure. By default, many software packages install extra side services you do not want to be running, and as a good network administrator you must be aware of these.
2.1 What Services are running?
All Microsoft Windows Server Editions have a Graphical User Interface to help manage the machine's services. The GUI to manage what services are running can be accessed in the Start Menu under Administrative Tools by clicking on Services. Figure 1 shows how to access the services GUI from the start menu.
Figure 1: Click on Services to manage what services are running
By default, the list of things on this list is large and difficult to sort through, but we will only be looking at a few choice things. By default, Windows Firewall is Disabled. This is a very important service. An attacker, wanting to regain access to your system later, may have disabled Windows Firewall. To turn it back on, double click on it, change "Disabled" to "Automatic", and then press "Start". Figure 2 shows how to do this.
Figure 2: Change Startup type to Automatic to turn the firewall on.
You may also notice that the File Transfer Protocol may be enabled. It is very important that this protocol, and Telnet, are disabled, and they should always stay disabled. These protocols are used so remote users can authenticate and use your computer. Remote authentication is a standard practice, but FTP and Telnet do not do it securely. If you see SSH or Very Secure File Transfer Protocol, these services are okay to use. After an attacker enters your system they may re-enable FTP or Telnet in order to access your machine later. They may think that the system administrator will not notice, since these services were likely disabled to begin with. This is why it is so important to check and re-disable these services if they have been enabled.
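The Services GUI is the tutorial's tool for this check. As an added example (not part of the original tutorial), the script below does the same triage offline on saved text in the shape of `sc query type= service state= all` output: it parses service names and states, flags the services this section says must stay disabled (the IIS FTP service MSFTPSVC and the Telnet service TlntSvr) if they are running, flags the Windows Firewall/ICS service (SharedAccess) if it is stopped, and reports anything running that was not running in a baseline snapshot. The sample output and the baseline set are constructed for the example; the service names are the real Windows 2003 names.

```python
"""Triage the service list after an incident (added example, not part of the
original tutorial): parse the text that `sc query type= service state= all`
prints on Windows, flag services that must stay disabled (FTP, Telnet) if they
are running, flag the firewall service if it is stopped, and report anything
running that was not running in a baseline taken before the incident."""
import re

# Constructed sample in the shape of `sc query` output (not captured from a
# real host). Only the SERVICE_NAME and STATE lines are used by the parser.
SAMPLE_SC_QUERY = """
SERVICE_NAME: MSFTPSVC
DISPLAY_NAME: FTP Publishing
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)

SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED

SERVICE_NAME: W3SVC
DISPLAY_NAME: World Wide Web Publishing Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
"""

# Services the tutorial says should never be running, and the one that must be.
MUST_BE_STOPPED = {"MSFTPSVC", "TlntSvr"}   # FTP and Telnet
MUST_BE_RUNNING = {"SharedAccess"}          # Windows Firewall service


def parse_sc_query(text):
    """Return {service_name: state_word} from `sc query` style output."""
    services = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if m and current:
            services[current] = m.group(1)
    return services


def triage_services(services, baseline_running=None):
    """Return a sorted list of (service, finding) pairs worth a second look."""
    findings = []
    for name, state in services.items():
        if name in MUST_BE_STOPPED and state != "STOPPED":
            findings.append((name, "must stay disabled but is " + state))
        if name in MUST_BE_RUNNING and state != "RUNNING":
            findings.append((name, "should be running but is " + state))
        # Anything newly running since the baseline deserves a look too.
        if baseline_running is not None and state == "RUNNING" and name not in baseline_running:
            findings.append((name, "running now, was not in baseline"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed baseline: before the incident only the web server was running.
    for name, why in triage_services(parse_sc_query(SAMPLE_SC_QUERY), {"W3SVC"}):
        print(f"{name}: {why}")
```

Run on a real host, redirect `sc query type= service state= all` to a file, read it in place of SAMPLE_SC_QUERY, and keep a baseline file from a known-good snapshot so the third rule has something to compare against.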
3 Firewalls
All Windows distributions come with a built-in host-based firewall that you can configure. In the real world many companies buy expensive machines that serve solely as a firewall. Even though the Windows Firewall is not expensive, dedicated hardware, it is a great line of defense to keep attackers from accessing ports on your computer that may have a vulnerability. It will also protect your computer from attacks that originate from inside your network. It is very easy to understand how a firewall works. People connect to your computer through ports, and a firewall blocks ports. An easy way to think about ports is as a lot of tiny mailboxes. Any time someone wants to communicate with your server, they put mail in a particular mailbox. Each port is for a different purpose. A firewall will block these mailboxes so nobody can put anything in them. This decreases the surface area a hacker could attack you with.
Figure 3: Change Startup type to Automatic to turn the firewall on.
To use the Windows Firewall you must first enable it. Windows Firewall can be found in the Control Panel. After clicking on Windows Firewall you should see a user interface like the one in Figure 3. Change Windows Firewall from Off to On and then click the Advanced tab at the top of the interface.
Figure 4: Click Settings and check Allow incoming echo request.
In the Advanced tab, click Settings within the ICMP settings. When the ICMP Settings user interface pops up, select Allow incoming echo requests and then OK. This allows other computers to ping your computer. Ping is special and does not use a port, but your firewall is still able to block it. Next click on the Exceptions tab at the top of the Windows Firewall. These instructions are reflected in Figure 4.
Click on the Add Port button in the Exceptions tab to add exceptions to the Firewall. By default Windows Firewall will block all ports and you will only open the ones you need. This is much easier than leaving all open and blocking the ones you don't want, because there are more than sixty-five thousand ports. Your computer will be running a web server, and web servers generally use port 80 to communicate with computers that request web pages. Figure 5 shows you how to unblock port 80. After pressing OK in Windows Firewall, your Firewall changes will take effect and your firewall will be active. You should also do the same with port 23, which is Telnet (we will go into why later; yes, Telnet is insecure and in general should not be used, but we have a very specific reason).
Figure 5: Make sure to select TCP after pressing Add Port.
4 Command Line Tools
The command line is a powerful tool that can help a defender get important information quickly and easily. There is a little bit of a learning curve when using the command line, and almost nobody knows every command there is, but learning how to use a few basic commands is quick and easy. To open the command line, click to open the Start menu and click Command Prompt, or press Windows Key + R and type cmd.exe. In these tutorials we will only scratch the surface of the things these commands can do. If you want to learn more about a particular command, you can do so by typing "command help" into the terminal, where "command" is the command you want more information on.
4.1 netstat
Netstat is a powerful command line tool that lists important networking information about your computer. The main use for netstat is to show open network connections. To read comprehensive documentation about netstat you can read https://technet.microsoft.com/en-us/library/bb490947.aspx. Netstat will show who and what is currently connected to your computer. This is an extremely important thing to know. If an attacker were to hack your computer, they would have to communicate with your computer over the network in order to interact with it. Using netstat you could see if a hacker is currently connected to your computer and take steps to kick him out. In the command line window type netstat -an. The -an is used to specify exactly what information you want to show. -a means netstat will show all active connections. -n means netstat will show all ports your computer is listening for active connections on. After typing netstat -an and hitting enter, your terminal should look similar to the command line window in Figure 6.
Figure 6: Output from a netstat -an command
This shows you what it looks like when there are no active connections, but what will it look like when you do have an active connection? In order to test this and see how netstat changes, open a web browser, enter google.com into the URL bar, and hit enter. Re-enter netstat -an into the terminal and view how the output changes. There are now connections to a foreign address that you can see. This is because your computer establishes a connection with Google in order to communicate and ask Google to send you their web page. Open a new web page and see how netstat changes. It may sometimes be difficult to identify good versus bad connections on your computer. Generally, a connection to a port that you should not need is bad. An example of this would be a web server that only needs to allow connections to port 80. Connections you see to port 80 are more than likely good, but if netstat shows a connection on port 21, 22, or 23 to a remote address, then it is highly likely that your computer has been compromised. Also check for your computer connecting to foreign addresses on high-numbered ports.
4.2 ipconfig
ipconfig is a command line program that can be used to show the networking information of your computer. It will show things like your IP address, physical address, and DNS server.
Figure 7: Output from the ipconfig /all command
This tool is not a great tool to keep hackers out of your computer. It is more a tool to use when you first sit down at your computer. It may be useful to note your IP address, DNS server, gateway, and physical address. These values are not static and you may notice them change, but if you notice these things changing often, it may be a sign an attacker has played with your networking configuration.
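The rules of thumb in this section (port 21, 22 or 23 with a remote address is bad; outbound connections to high-numbered foreign ports deserve a look; the web server's port 80 traffic is expected) can be applied mechanically to saved `netstat -an` output. The script below is an added example, not part of the original tutorial: it parses the Windows `netstat -an` column layout and returns the rows those rules flag. The sample output is constructed; the expected-port sets and the 1024 cutoff for "high-numbered" are assumptions you would adjust for your own server.

```python
"""Flag suspicious rows in `netstat -an` output (added example, not part of
the original tutorial). Rules follow section 4.1: an ESTABLISHED connection on
local port 21, 22 or 23 is a remote session that should not exist; an outbound
connection to a high-numbered foreign port is worth investigating; traffic on
the web server's own port 80 is expected."""

# Constructed sample in the shape of Windows `netstat -an` output, not
# captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    192.168.10.5:80        192.168.10.77:1127     ESTABLISHED
  TCP    192.168.10.5:23        192.168.10.200:49812   ESTABLISHED
  TCP    192.168.10.5:1045      192.168.10.200:4444    ESTABLISHED
  TCP    192.168.10.5:1046      74.125.224.72:80       ESTABLISHED
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

EXPECTED_LOCAL_PORTS = {80}           # assumption: this host is only a web server
NEVER_EXPECTED_LOCAL_PORTS = {21, 22, 23}
HIGH_PORT = 1024                      # assumption: above this a foreign port is "high-numbered"


def split_endpoint(endpoint):
    """'192.168.10.5:1045' -> ('192.168.10.5', 1045); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row, skipping the header lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""   # UDP rows have no state
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state})
    return rows


def flag_connections(rows):
    """Return (reason, row) pairs for rows the section's rules call suspicious."""
    flagged = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue   # only live connections; LISTENING sockets are covered by the Services check
        if r["lport"] in NEVER_EXPECTED_LOCAL_PORTS:
            flagged.append(("remote session on local port %d" % r["lport"], r))
        elif (r["lport"] not in EXPECTED_LOCAL_PORTS
              and r["fport"] is not None and r["fport"] > HIGH_PORT
              and not r["fhost"].startswith("127.")):   # loopback chatter is normal
            flagged.append(("outbound to high-numbered foreign port %d" % r["fport"], r))
    return flagged


if __name__ == "__main__":
    for reason, row in flag_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{reason}: {row['lhost']}:{row['lport']} -> {row['fhost']}:{row['fport']}")
```

Note what the rules leave alone: the browser's connection to 74.125.224.72:80 from the "open google.com" experiment above, an inbound client on port 80, and loopback traffic between two local processes. Only the Telnet session and the outbound connection to port 4444 are reported.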
5 Sysinternals
Sysinternals is a suite of free tools that help users better understand what is happening on the computer. They are all available, along with tutorials and documentation, at http://technet.microsoft.com/en-us/sysinternals/. In this document we will demonstrate a few of the best tools in the suite. If you wish to download all Sysinternals tools, you can at http://download.sysinternals.com/files/SysinternalsSuite.zip, but all tools are already installed on your desktop in the Sysinternals folder. What is covered in this tutorial is by no means comprehensive. The Sysinternals suite has so many uses, and even the tools we cover have many uses beyond the scope of this tutorial. If you have extra time, try loading up a tool that sounds interesting and see what you can figure out.
5.1 TCPView
TCPView is a program written by Microsoft that helps you see networking information for your computer. It is very similar to netstat but in a graphical form. It can be downloaded from http://download.sysinternals.com/files/TCPView.zip. To run it, double click on 'tcpview.exe' in the Sysinternals folder. The graphical user interface will show current, active TCP connections. If an attacker is communicating with your computer you may see a suspicious connection. An example of this would be something like Notepad.exe using a TCP port to communicate with a remote host. Notepad should never be communicating over the network.
Figure 8: TCPView of a default Windows 2003 installation.
As you can see, Windows has a variety of services that use TCP. The majority of these do not have a Remote Address. This means that some processes on your computer are communicating, using TCP, with other processes on your computer. This is a standard practice and, for the most part, you will only need to be concerned with suspicious processes connecting to suspicious remote addresses. If you do notice a suspicious TCP connection, you can easily right click on the process and click on End Process. It may be obvious that this tool is very similar to netstat. If you are in a hurry you might save time by using netstat, but TCPView is more powerful and has greater functionality beyond monitoring. You can easily see the process associated with each TCP connection, which is very helpful.
5.2 Process Monitor
Process Monitor, called procmon.exe in Sysinternals, is a program that can be used to show what resources each process is using. Many processes require the usage of different resources that are stored on your computer. Process Monitor will help you understand which resources each process is using. For the most part Process Monitor is an advanced tool that takes a lot of technical knowledge to understand what is really being shown, but knowing about this tool is important.
Figure 9 shows a usage for Process Monitor that does not require deep technical knowledge. Using the Process Tree, found under Tools, you can easily see how each process was created, and by what processes. This is extremely useful.
Figure 9: Process Tree example. See how processes were spawned.
Using Process Tree, you can look for suspicious child processes (processes created by others). For example, Firefox.exe should not be spawning Notepad.exe. Processes that have nothing to do with each other should not be spawning each other. If you see this you should investigate the processes using TCPView, as you may have been compromised. Spend some time looking at the process tree and noting how one process may spawn many others. Open a program and see how the Process Tree changes.
5.3 Autoruns
One thing an attacker will likely do after hacking a computer is add a mechanism to get back into the computer when it is turned off and on. This means the attacker has to set the computer to run a certain program on startup; otherwise, once you turn a computer off, all of the attacker's work is gone. To do this they will add a file to an autorun directory or to the Registry. Usually, when applications wish to run at startup, they will be added in msconfig to the autorun tab. Checking this autorun tab is a good start but is not enough. An attacker who knows Windows internals will know there are many places they can put code that they want to be run at start-up. In fact, there are so many places it would take too long to do this manually. Autoruns is an application that can be used to show ALL programs that will run at start-up. Figure 10 shows how to view all Autorun programs. Open autoruns.exe and select the Everything tab.
Figure 10: Show all processes that are autorun.
In this Everything tab you should see a lot of things that run at startup that are required for the computer to work properly. They are part of the Windows Operating System. Like the other Sysinternals tools, you should be looking for suspicious programs that auto-run. Suspicious programs would include services that are being started that you know should not be required. If an FTP server is started when you do not need FTP (you should never need FTP), or if a strange-looking .exe is started, you need to investigate this and possibly remove it. Check to see if it is listening for incoming connections with netstat, and check TCPView to see if the process has a remote connection to it. Nothing is currently hidden in an autorun directory. There is nothing for you to remove with this tool, but there are many things that run at startup. Take a look around at them. All the functionality that your computer has is accomplished with programs that run at startup. It may be a good idea to familiarize yourself with what a normal set-up looks like, and then look for things that are out of place when the time comes.
5.4 RootkitRevealer
Sometimes a hacker will use sophisticated software to hide their presence on the machine. For example, the software may change the netstat command output to filter out the hacker's connection to your computer. Anyone who uses the netstat command will see regular output from the command, but the hacker's connection will be mysteriously missing. Programs that do this are called rootkits. They are extremely dangerous and can be difficult to find. In Sysinternals, RootkitRevealer.exe can be used to help locate these.
Figure 11: Show all processes that are autorun.
Figure 11 shows how to start a scan and tell your computer to begin looking for rootkits. RootkitRevealer works by asking for the same information from a lot of different places and trying to find discrepancies. For example, it may ask for open TCP connections. To do this, RootkitRevealer may use netstat, but also ask the underlying operating system. If there is a discrepancy in the information that is returned, RootkitRevealer will alert you and look for the root cause. RootkitRevealer, if it finds a well-known rootkit, will also easily allow you to remove it. Rootkits are extremely powerful tools and have gotten extremely advanced and easy to use in the last few years. RootkitRevealer may help, but as a defender you really do not want to be in a position where you have to remove a rootkit. If RootkitRevealer doesn't help, you may have a difficult road ahead of you. Remember that, although this is a powerful tool and will do a good job detecting rootkits, it is not foolproof. There is always a chance of a false positive when scanning.
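Process Monitor draws the tree for you; the same parent/child reasoning can be applied to a saved list of processes. The script below is an added example, not part of the original tutorial: given (pid, parent pid, image name) records it rebuilds the tree in the indented form Process Monitor shows and reports children whose parent should not be spawning them, using this section's Firefox.exe/Notepad.exe rule and one more of the same kind. The snapshot and the allow-list of expected children are constructed for the example; on a real host the three fields can be taken from Process Monitor's tree or from `wmic process get ProcessId,ParentProcessId,Name`.

```python
"""Rebuild a process tree from (pid, ppid, name) records and flag parent/child
pairs that make no sense (added example, not part of the original tutorial).
Section 5.2's rule of thumb: Firefox.exe should not be spawning Notepad.exe;
processes that have nothing to do with each other should not spawn each other."""
from collections import defaultdict

# Constructed snapshot, not from a real host. On a real host the fields come
# from Process Monitor's tree or `wmic process get ProcessId,ParentProcessId,Name`.
SAMPLE_PROCESSES = [
    (4, 0, "System"),
    (400, 4, "smss.exe"),
    (600, 400, "winlogon.exe"),
    (700, 600, "services.exe"),
    (1200, 700, "svchost.exe"),
    (1500, 600, "explorer.exe"),
    (2000, 1500, "firefox.exe"),
    (2100, 2000, "notepad.exe"),   # odd: a browser spawning an editor (the section's example)
    (2200, 1200, "cmd.exe"),       # odd: a service host spawning a command shell
    (2300, 1500, "notepad.exe"),   # fine: launched by the user from Explorer
]

# Assumed allow-list: for these parents, any child not listed is reported.
# A starting point for this exercise, not a complete description of Windows.
EXPECTED_CHILDREN = {
    "firefox.exe": {"firefox.exe", "plugin-container.exe"},
    "svchost.exe": {"svchost.exe"},
}


def build_tree(records):
    """Return (children map ppid -> [pid], names map pid -> image name)."""
    children = defaultdict(list)
    names = {}
    for pid, ppid, name in records:
        names[pid] = name
        children[ppid].append(pid)
    return children, names


def render_tree(children, names, root=0, depth=0):
    """Indented text rendering, one line per process, like Process Monitor's tree view."""
    lines = []
    for pid in sorted(children.get(root, [])):
        lines.append("  " * depth + f"{names[pid]} ({pid})")
        lines.extend(render_tree(children, names, pid, depth + 1))
    return lines


def suspicious_spawns(records):
    """Return [(parent_name, child_name, child_pid)] for unexpected parent/child pairs."""
    _, names = build_tree(records)
    hits = []
    for pid, ppid, name in records:
        parent = names.get(ppid)
        if parent in EXPECTED_CHILDREN and name not in EXPECTED_CHILDREN[parent]:
            hits.append((parent, name, pid))
    return hits


if __name__ == "__main__":
    children, names = build_tree(SAMPLE_PROCESSES)
    print("\n".join(render_tree(children, names)))
    for parent, child, pid in suspicious_spawns(SAMPLE_PROCESSES):
        print(f"investigate: {parent} spawned {child} (pid {pid})")
```

A hit from suspicious_spawns is the cue the section gives: look the child process up in TCPView to see whether it holds a remote connection.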
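The advice above, learn what a normal set-up looks like and then look for what is out of place, is a comparison that can be automated once you have saved an Autoruns export from a known-good snapshot. The script below is an added example, not part of the original tutorial or of Autoruns: it reads a baseline export and a current export and reports new entries, removed entries, entries whose enabled state flipped, and entries whose image path changed. The CSV shape and both exports are constructed and simplified; the real column set written by `autorunsc -c` varies by version, so set FIELDS to match your own export.

```python
"""Compare two Autoruns exports and report what changed (added example, not
part of the original tutorial). Section 5.3 suggests learning what a normal
set-up looks like and then looking for things that are out of place; this
does that comparison mechanically over CSV exports."""
import csv
import io

# Assumed column names. The real set written by `autorunsc -c` varies by version.
FIELDS = ["Entry Location", "Entry", "Enabled", "Image Path"]

# Constructed baseline export from the known-good snapshot (not a real export).
BASELINE_CSV = """Entry Location,Entry,Enabled,Image Path
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SoundMAX,enabled,c:\\program files\\analog devices\\soundmax\\smax4.exe
HKLM\\System\\CurrentControlSet\\Services,W3SVC,enabled,c:\\windows\\system32\\inetsrv\\inetinfo.exe
HKLM\\System\\CurrentControlSet\\Services,MSFTPSVC,disabled,c:\\windows\\system32\\inetsrv\\inetinfo.exe
"""

# Constructed export taken after the incident: one entry re-pointed to a new
# image, the FTP service re-enabled, and one entry that did not exist before.
CURRENT_CSV = """Entry Location,Entry,Enabled,Image Path
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SoundMAX,enabled,c:\\windows\\temp\\smax4.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,c:\\documents and settings\\guest\\update.exe
HKLM\\System\\CurrentControlSet\\Services,W3SVC,enabled,c:\\windows\\system32\\inetsrv\\inetinfo.exe
HKLM\\System\\CurrentControlSet\\Services,MSFTPSVC,enabled,c:\\windows\\system32\\inetsrv\\inetinfo.exe
"""


def load_entries(text):
    """Return {(location, entry): {"enabled": ..., "image": ...}} from a CSV export."""
    entries = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row[FIELDS[0]], row[FIELDS[1]])
        entries[key] = {"enabled": row[FIELDS[2]].lower(), "image": row[FIELDS[3]].lower()}
    return entries


def diff_autoruns(baseline, current):
    """Return a sorted list of (kind, location, entry, detail) for every difference."""
    changes = []
    for key, now in current.items():
        before = baseline.get(key)
        if before is None:
            changes.append(("new", key[0], key[1], now["image"]))
            continue
        if before["enabled"] != now["enabled"]:
            changes.append(("enabled-changed", key[0], key[1], f'{before["enabled"]} -> {now["enabled"]}'))
        if before["image"] != now["image"]:
            changes.append(("image-changed", key[0], key[1], f'{before["image"]} -> {now["image"]}'))
    for key in baseline.keys() - current.keys():
        changes.append(("removed", key[0], key[1], baseline[key]["image"]))
    return sorted(changes)


if __name__ == "__main__":
    for kind, location, entry, detail in diff_autoruns(load_entries(BASELINE_CSV), load_entries(CURRENT_CSV)):
        print(f"{kind:16} {entry:10} {location}  {detail}")
```

Each reported line is a candidate for the follow-up this section describes: check with netstat whether the image is listening, and with TCPView whether it holds a remote connection, before deciding to remove it.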
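The technique this section describes, asking several sources for the same list and treating disagreement as a signal, is small enough to show directly. The script below is an added example, not part of the original tutorial or of RootkitRevealer: it takes several views of the running-process set, ordered from least to most trusted, and reports every item the views disagree on, labelling an item that the most trusted view sees but a lesser one misses as possibly hidden, and an item seen only by a lesser view as unconfirmed (the false-positive case the section warns about, typically a process that started or exited between snapshots). The views are constructed; on a real host they might come from the task list, a PID scan, and a kernel-side enumeration.

```python
"""Cross-view comparison, the idea behind RootkitRevealer (added example, not
part of the original tutorial): ask several sources for the "same" list and
report anything that not every source agrees on. The views are constructed."""

# Views ordered from least to most trusted (assumption for this example).
TRUST_ORDER = ["tasklist", "pid-scan", "kernel-walk"]

# Constructed views of the running process set, keyed by (pid, name).
# notepad.exe appears only in the first snapshot (it exited in between);
# svc.exe is missing from the user-mode listing but present lower down.
VIEWS = {
    "tasklist":    {(4, "System"), (1500, "explorer.exe"), (2000, "firefox.exe"),
                    (2300, "notepad.exe")},
    "pid-scan":    {(4, "System"), (1500, "explorer.exe"), (2000, "firefox.exe"),
                    (3100, "svc.exe")},
    "kernel-walk": {(4, "System"), (1500, "explorer.exe"), (2000, "firefox.exe"),
                    (3100, "svc.exe")},
}


def cross_view_discrepancies(views, trust_order=TRUST_ORDER):
    """Return [(item, seen_by, missed_by, verdict)] for every item not present
    in all views. verdict is "possibly hidden" when the most trusted view sees
    the item and a less trusted one does not, otherwise "unconfirmed
    (transient or false positive)"."""
    every = set().union(*views.values())
    most_trusted = trust_order[-1]
    out = []
    for item in sorted(every):
        seen = [src for src in trust_order if item in views[src]]
        missed = [src for src in trust_order if item not in views[src]]
        if not missed:
            continue
        verdict = "possibly hidden" if most_trusted in seen else "unconfirmed (transient or false positive)"
        out.append((item, seen, missed, verdict))
    return out


if __name__ == "__main__":
    for item, seen, missed, verdict in cross_view_discrepancies(VIEWS):
        print(f"{item[1]} (pid {item[0]}): seen by {seen}, missed by {missed}: {verdict}")
```

The ranking is what turns a raw set difference into something a defender can act on: the same discrepancy means one thing when the kernel sees a process the task list does not, and something else when only the task list saw it.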
6 Event Viewer
The Event Viewer is used to view logs as they are generated on your computer. Your computer, by default, logs many things, like successful logins to your computer. What the computer logs can be changed to log more information or to log less information. This is a tradeoff. The more things you log, the more system resources you must dedicate to logging (processing power, writing to disk, and space). Log too little and you are unable to determine what happened if someone hacks your computer. This is an important tradeoff. You can access the Event Viewer in the Computer Management window in Administrative Tools. To change exactly what is logged, you must access the Local Security Policy, in Administrative Tools.
6.1 Change What Is Logged
By default, Windows does not log enough. We would at least like to see failed login attempts instead of only successful ones. To make Windows log these:
Figure 12: How to add failed login attempts. Remember to press 'Apply'.
You can view these attempts and see much more information in the Event Viewer, like in Figure 13. Double clicking events in the Event Viewer will provide you with more information. Using the Event Viewer, you may be able to notice if you have been compromised. For example, if you notice many unsuccessful login attempts at one certain time, followed by a successful attempt, it would be a good idea to look further into the incident and reset that user's password.
Figure 13: How to add failed login attempts. Remember to press 'Apply'.
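The pattern the previous paragraph describes, many failed logins for one account followed by a success, is easy to miss by scrolling and easy to find programmatically once the Security log has been exported. The script below is an added example, not part of the original tutorial: over a list of (timestamp, event id, account, source address) records it reports every successful logon that was preceded, within a window, by at least a threshold number of failures for the same account, and it ignores the one-typo-then-success case that is normal user behaviour. The records are constructed; the event IDs are the real Windows Security log IDs for failed and successful logon (529 and 528 on Windows 2003, 4625 and 4624 on Vista and later). The five-failure, ten-minute threshold is an assumption to tune.

```python
"""Find the section 6.1 pattern, many failed logins followed by a success for
the same account, in exported logon events (added example, not part of the
original tutorial). Records are constructed; the event IDs are real."""
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {529, 4625}    # 529 on Windows 2003, 4625 on Vista and later
SUCCESS_LOGON_IDS = {528, 4624}   # 528 on Windows 2003, 4624 on Vista and later

# Constructed sample: (timestamp, event id, account, source address).
SAMPLE_EVENTS = [
    ("2015-06-13 02:10:01", 4625, "administrator", "192.168.10.200"),
    ("2015-06-13 02:10:02", 4625, "administrator", "192.168.10.200"),
    ("2015-06-13 02:10:02", 4625, "administrator", "192.168.10.200"),
    ("2015-06-13 02:10:03", 4625, "administrator", "192.168.10.200"),
    ("2015-06-13 02:10:04", 4625, "administrator", "192.168.10.200"),
    ("2015-06-13 02:10:05", 4624, "administrator", "192.168.10.200"),
    ("2015-06-13 08:00:00", 4625, "jsmith", "192.168.10.77"),   # one typo, then success: normal
    ("2015-06-13 08:00:09", 4624, "jsmith", "192.168.10.77"),
    ("2015-06-13 09:30:00", 4624, "jsmith", "192.168.10.77"),
]


def find_failures_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Return [(account, failures_in_window, success_time, source)] for each
    successful logon preceded by at least min_failures failed logons for the
    same account within window. Events may be given in any order."""
    parsed = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct.lower(), src)
                    for ts, eid, acct, src in events)
    recent_failures = {}   # account -> timestamps of failures since its last success
    hits = []
    for when, eid, acct, src in parsed:
        if eid in FAILED_LOGON_IDS:
            recent_failures.setdefault(acct, []).append(when)
        elif eid in SUCCESS_LOGON_IDS:
            fails = [t for t in recent_failures.get(acct, []) if when - t <= window]
            if len(fails) >= min_failures:
                hits.append((acct, len(fails), when.isoformat(sep=" "), src))
            recent_failures[acct] = []   # a success closes the window for that account
    return hits


if __name__ == "__main__":
    for acct, n, when, src in find_failures_then_success(SAMPLE_EVENTS):
        print(f"{when}: {n} failed logons then success for {acct} from {src}; reset that password")
```

Double clicking the matching events in the Event Viewer gives the extra detail (logon type, workstation name) the section mentions, and the source address is what you would look for next in netstat and TCPView.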
7 Valhalla Honeypots
Honeypots are traps that defenders set on their network in order to attract hackers and allow defenders to easily identify who is malicious on their network. The concept is straightforward. A defender creates a virtual machine or a real machine and puts it on their network. The defender makes it look like this machine is very old and vulnerable to attacks (low-hanging fruit). Hackers are lazy, so low-hanging fruit is very desirable. Since a regular user on the network will never have a need to access the honeypot, any computer that contacts the honeypot is likely compromised. There are different levels of interaction that a honeypot can have. A low-interaction honeypot will fool vulnerability scanners, but a hacker will never be able to hack or 'log in'. High-interaction honeypots will fool vulnerability scanners but will also give the attacker the illusion that they can log in or hack the computer. There is a lot of software out there that allows you to easily set up a honeypot on a Windows machine. We will be using software called Valhalla to create honeypots. Valhalla is capable of creating low-interaction and high-interaction honeypots. To use Valhalla, open the Valhalla directory on the desktop and double click the .exe file. Next, click the Server Config button on the left side.
Figure 14: Valhalla Server Config GUI
After opening the Server Config GUI, press the Options button for Web Server, FTP Server, and TELNET Server. Select the Enable buttons you see in Figure 15 and the No Login required button.
Figure 15: Valhalla Server Config GUI
After clicking the Enable buttons you can X out of the windows and click "Monitoring".
Figure 17: Valhalla monitoring.
Now to test this we can run the TELNET client from the Command Prompt. Within the Command Prompt, type "telnet 127.0.0.1" (as shown in Figure 16) and hit ENTER.
Figure 16: Telnet command within Command Prompt
This will now establish a connection with your honeypot, which can be seen within the Valhalla monitoring window. If you type commands (none of which should work or do much), they will also be logged by the honeypot.
Figure 19: The honeypot at work.
Above was the TELNET part of the honeypot, but what about WEB? Stop the monitoring, go back to the WEB client portion of Server Config, and go to the Options. Make sure the Folder is "c:\inetpub\wwwroot" and the Index Page is "index.html", as shown in Figure 20.
Figure 20: WEB Client Options
Press Start, click Run, type cmd.exe, and hit Enter. This will cause a Command Prompt to open. Next, type echo "Text Webpage" > C:\inetpub\wwwroot\index.html. This will create a new file, called index.html, that contains "Text Webpage".
After this you can X out of the Valhalla configuration windows and click "Monitoring".
The point of this is that you configured Valhalla to have a web server honeypot. This page will be sent to anyone who tries to access your computer on port 80, because web servers always run on port 80. To test this, open up a web browser, and in the URL bar type "http://localhost".
8 Conclusion
Responding to an incident can be difficult. Piecing together what happened can be extremely challenging, and it is possible that you may never have a complete picture of what happened. This tutorial showed basic re-hardening and incident response tools, but there is still much to learn in the future. There was nothing to remove in this exercise because it is a very good idea to see what a non-compromised computer looks like before you try to decide whether a different computer is compromised. More advanced incident response techniques will all differ depending on what you wish to do following the incident. If you wish to build a case and press charges against the individuals responsible, your course of action will be very different than if you only want your computer to be safe from outsiders.