

ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

Practical Use of Infosec Tools

By Rajat Swarup – ISSA member, New York Metro Chapter

14 – ISSA Journal | July 2014

Abstract

Every day in the information security world, we use various tools to do various tasks ranging from access control to checking for poor configurations and security weaknesses. However, many of these tools are also important to the DevOps (a term collectively used to refer to both IT development and IT operations) world. In this article, the author shows some examples of commonly used, freely available information security tools that are useful during various practical DevOps tasks.

A security practitioner’s toolset comprises various tools to perform different activities. The tools vary depending on the role of the practitioner. A forensic analyst typically tends to use a different toolset than a penetration tester, who in turn uses different tools compared to an incident response manager. Similarly, different IT development and IT operations teams (collectively called “DevOps” in this article) tend to use different tools for accomplishing their daily duties. While there can be literally hundreds of tools in this toolset, this article focuses on eight free tools—Nmap, Autoruns, GMER, AccessEnum, EMET, DirBuster, Zed Attack Proxy (ZAP), Nikto—tools that are very common in information security and have practical applications in troubleshooting during the traditional DevOps cycle. The article intends to expose the capabilities of these tools to the DevOps personnel and also to the information security personnel who may not realize the tools may have some daily usage in their organizations or their clients’ organizations. Some of the tools discussed are typically used on the offensive side of information security while others are used on the defensive side. Here are some non-traditional cases where free information security tools help solve real-world problems.

Nmap

Nmap (Network Mapper) is one of the most widely used open source tools in the information security world. The most common use of this tool is to enumerate the services running on a remote system, which expose listeners (both on TCP and/or UDP ports). Nmap is typically used by penetration testers to enumerate all these listeners so the exposed services can be attacked. For DevOps teams Nmap can help perform quick checks against builds by comparing the exposed services against the builds.

A simple command as shown below will help enumerate listening services:

    nmap -sS -p0- -A hostname -oA scanoutput -v

But one of the most promising extensions of Nmap is the Nmap Scripting Engine (NSE) that is constantly being updated with Lua scripts written by various security practitioners that perform extended tasks.

A common task from a DevOps perspective is enumerating the ciphers exposed on the web servers (weak ciphers are conveniently marked in outputs). This is a fairly common task because of various compliance requirements such as the PCI Data Security Standard (DSS) which mandates the use of strong ciphers to transmit credit card information. An organization especially wants to disable the export ciphers (encryption algorithms that use small key sizes such as 40-bit or 56-bit keys) because the keys can be easily compromised by brute-forcing the entire key space, given the advances in processing power, especially of the Graphics Processing Units (GPUs) or “video cards” that can be programmed to perform cryptographic operations at astounding speeds. Figure 1 shows Nmap and the ssl-enum-ciphers Lua script enumerating weak ciphers.

Nmap also has other scripts like ssl-known-key that match the SHA-1 hash of the SSL certificate against known exposed private keys (indicating that the private key of the SSL certificate is compromised). This is a typical case in large organizations where server builds are utilized to provision new servers. Many times, private keys are also replicated during the build process. Nmap can help detect such SSL servers with private keys that have been known to be compromised as shown in Figure 2.

The recently publicized Heartbleed vulnerability[1] was essentially an unauthorized memory read based on user-controllable values in the SSL Heartbeat Messages. Nmap has an NSE script called ssl-heartbleed that helps detect your organization’s exposure to the Heartbleed vulnerability as well. This vulnerability was affecting OpenSSL versions 1.0.1 to 1.0.1f. While IIS servers were not affected by the Heartbleed bug, there could be other web servers on Windows systems such as the Hewlett Packard Integrated Lights Out (iLO) or Websphere using the affected OpenSSL libraries that could be vulnerable to this bug. In Figure 3, the command to detect the vulnerability to Heartbleed using Nmap is shown.

[1] Codenomicon (2014, May). Heartbleed bug. Retrieved from http://heartbleed.com.

Figure 1 – Nmap scan output showing weak ciphers enabled

Figure 2 – A known SSL key found by Nmap ssl-known-key NSE script

Figure 3 – The Heartbleed vulnerability affecting the scanned host
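Two checks from this Nmap section, the comparison of exposed services against a build and the two-indicator rogue access point test, can be scripted over the XML file that -oA writes. The sketch below is an added example, not code from the article; the sample XML, the baseline, and the AP_VENDORS and AP_TITLE_WORDS lists are constructed assumptions to replace with your own build sheet and inventory.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap XML output, trimmed to the fields used.
SAMPLE_XML = """
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.57" addrtype="ipv4"/>
    <address addr="02:00:00:AA:BB:01" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" devicetype="WAP"/>
        <script id="http-title" output="Wireless Access Point Setup"/>
      </port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.80" addrtype="ipv4"/>
    <address addr="02:00:00:AA:BB:02" addrtype="mac" vendor="ExampleWifi Inc"/>
    <ports>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect" devicetype="printer"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed values, to be replaced with your own build sheet and device inventory.
BASELINE = {"10.0.0.10": {("tcp", 22), ("tcp", 443)}}
AP_VENDORS = {"examplewifi inc"}                    # MAC OUI vendors (lower case)
AP_TITLE_WORDS = ("wireless", "access point")       # admin-page title keywords

def parse_hosts(xml_text):
    """Return {ip: {"ports": set, "indicators": set}} for every host that is up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        ip, vendor = None, ""
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                vendor = addr.get("vendor", "")
        if ip is None:
            continue
        ports, indicators = set(), set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            ports.add((port.get("protocol"), int(port.get("portid"))))
            service = port.find("service")
            if service is not None and service.get("devicetype") == "WAP":
                indicators.add("service-info")      # "Service Info: Device: WAP"
            for script in port.findall("script"):
                title = script.get("output", "").lower()
                if script.get("id") == "http-title" and any(w in title for w in AP_TITLE_WORDS):
                    indicators.add("admin-interface")
        if any(oc.get("type") == "WAP" for oc in host.iter("osclass")):
            indicators.add("os-guess")
        if vendor.lower() in AP_VENDORS:
            indicators.add("mac-oui")
        hosts[ip] = {"ports": ports, "indicators": indicators}
    return hosts

def build_drift(hosts, baseline):
    """Listeners that differ from the build: unexpected extras and missing ones."""
    report = {}
    for ip, expected in baseline.items():
        seen = hosts.get(ip, {"ports": set()})["ports"]
        unexpected, missing = sorted(seen - expected), sorted(expected - seen)
        if unexpected or missing:
            report[ip] = {"unexpected": unexpected, "missing": missing}
    return report

def rogue_ap_candidates(hosts, min_indicators=2):
    """Hosts showing at least two independent access-point markers."""
    return {ip: sorted(h["indicators"]) for ip, h in hosts.items()
            if len(h["indicators"]) >= min_indicators}

if __name__ == "__main__":
    scanned = parse_hosts(SAMPLE_XML)
    print("build drift:", build_drift(scanned, BASELINE))
    print("rogue AP candidates:", rogue_ap_candidates(scanned))
```

The printer at 10.0.0.80 matches only the MAC vendor list, so it is not reported; that is the false-positive case the two-indicator rule is meant to suppress.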

Of course, trying to write an article about all the capabilities of Nmap is difficult when there is a whole book written about it,[2] but some really cool features come from what information you filter out of an Nmap scan. For example, suppose you want to weed out rogue access points on your wired network. A rogue access point is a wireless access point plugged into an organization’s wired network so that employees can have access to the organization network via WiFi. There may or may not be malicious intent behind planting these on a network. Nmap can help! Nmap detects the operating system and also the services, which give multiple indicators that a rogue access point is connected to the wired network if you scan the wired LAN segments. The following markers, as detected by Nmap, may be used to detect an access point using the data returned via an Nmap scan: the operating system guess, the administrative interface fingerprint, the MAC address OUI (organizationally unique identifier) of a live device, or the “Service Info” indicator. As shown in Figure 4, if any system shows up with, say, two markers such as a web interface belonging to a wireless access point and a “service info” match as a wireless access point, the host is further investigated and may be a wireless access point that is plugged into the wired LAN. Two different indicators are used because there may be false positives for any of the above indicators. Nmap relies on its fingerprinting database, which may result in a false positive for other devices or computers on the network. But if there are two indicators that a device is a wireless access point, it is less likely to be a false positive, decreasing error rates in detecting such rogue access points. It’s the quickest and most geographically centralized way of detecting rogue access points on a network.

[2] Lyon, G. F. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning – http://nmap.org/book/toc.html.

Figure 4 – Detecting rogue access points on your wired network in the DHCP pool

Autoruns

Ever wondered why your computer is slow? Most organizations’ help desks tend to have the same gripe from most employees. Of course, you cannot start upgrading the systems, and why is it that the systems became slow over a period of time? A free (but not open source) Microsoft Sysinternals utility used by forensic analysts and incident handlers may help. Autoruns helps find processes that run on Windows system startup as well as ActiveX hooks attached to Internet Explorer that have an impact on IE memory consumption. Autoruns is a fantastic utility that goes through the startup programs in order. To determine the startup programs, Autoruns uses a comprehensive list of mechanisms that cause an executable to be run at startup including Startup folder, scheduled tasks, Run & RunOnce registry keys, auto-start services, and startup services. Figure 5 shows a BitTorrent utility (such as uTorrent) running at system startup, which may be in violation of corporate policies. Also, a BitTorrent client may be using up a lot of system resources apart from being in violation of security policies, causing a system slowdown.

Oftentimes, users install software on their machines that they may not be aware starts on system bootup. This is especially common in organizations where administrative rights to Windows systems are loosely given to all or most users. Such organizations tend to have a higher instance of the “system slowdown” issues. In many cases, stealthy malware may be running which was inadvertently installed. With the end of life of Windows XP, this incidence will undoubtedly decrease because with Windows 7, by default, even administrative users cannot directly install applications without elevating privileges; the administrator privileges are removed from the access token by default. But if you run a program by clicking on the “run as administrator” menu item, then the administrator access tokens are associated with the program, allowing administrative actions as if it was Windows XP.

Mark Russinovich, the author of Autoruns, indicated that Autoruns checks about a hundred locations from where an application could be run automatically.[3] All the running processes use memory and even CPU cycles (occasionally). Large amounts of memory consumption can leave less user space memory available for user activities, causing the memory to be swapped in and out of secondary storage (e.g., disk), causing latency in user interaction. From a security perspective, autorun programs are a simple way for persistence of malicious software on compromised systems. Such software tends to be used by attackers to steal user data and is a typical feature of most breaches. Tools like Autoruns can help detect many such programs (unless, of course, they are stealthy enough to specifically hide from a tool like Autoruns). Autoruns also has options to hide Microsoft signed applications, so that may help narrow down the third-party applications that may be causing issues with the user experience.

Another popular type of malware/spyware that is often found is browser helper objects (BHOs). BHOs are browser extensions that load when Internet Explorer is started. Not all BHOs are malicious and there might be legitimate extensions that are also installed. But either way, all BHOs cause IE to consume more memory and allow the extension to run inside the context of IE using precious CPU cycles that may impact the user experience (ever seen the prompt about disabling add-ons in IE 10 when the browser is behaving a little slower than expected?). Autoruns can help detect such extensions and help you disable them, improving performance of the browser. Some BHOs may also be in violation of corporate policies such as browser extensions allowing users to directly upload files into a cloud-based storage such as those shown in Figure 6.

Another common source of slow boot times or poor system performance is the scheduled tasks that spike up the CPU usage. Autoruns is smart enough to sift through these as shown in Figure 7, which shows that Google Updater tasks are scheduled to autorun. Depending on the network connectivity, such tasks may take a long time to execute (especially if the network connection is restricted or unavailable). Forensic analysts also use Autoruns to find persistence mechanisms using scheduled tasks (i.e., backdoors to the machine). Penetration testers use a common trick of using the at and schtasks utilities to create command shells with NT AUTHORITY\SYSTEM privileges. Autoruns will pick up such tasks too.

[3] Hunting Down and Killing Ransomware (2013, January 7). Retrieved from Mark Russinovich's Blog: http://blogs.technet.com/b/markrussinovich/archive/2013/01/07/3543763.aspx.

Figure 5 – Program running that should not be running per organization policies

Figure 6 – SkyDrive plugin enabled in Internet Explorer, which allows uploading of files to the cloud

Figure 7 – The scheduled tasks that autorun on system bootup

GMER

GMER is a fairly old free tool; first released in 2006, it has been periodically updated since. It is primarily used for system reversing and mostly in the context of analysis of potentially “infected” systems. GMER looks for typical techniques used by rootkits (a term used to describe stealthy, malicious software that masks the key operations of the operating system to avoid detection). Generally, most rootkits use “hooks,” i.e., inserted malicious code inside the operating system data structures such as process lists, thread lists, interrupt descriptor tables, file system tables, etc. GMER uses simple enumeration techniques of browsing these data structures to detect hidden aspects of the operating system. This can help security practitioners in detecting non-targeted malware in most cases.

One of the practical uses of tools like GMER on the DevOps side is to troubleshoot “blue screens of death” (BSOD). While there are many means of investigating BSODs, GMER is one tool in the forensic analyst’s toolset that may help in this troubleshooting. GMER can identify loaded modules (as shown in Figure 8) on the system which may be causing such failures. In some instances device driver conflicts or errors may cause the BSOD. Generally, the BSODs are associated with an irrecoverable failure that happens inside the kernel. There are various tools like “Device Tree” that can also help you do that.[4] But GMER is a “rootkit detector” which adds other aspects that may potentially be causing BSODs. And you end up learning a lot about the system under investigation using simple techniques.

[4] OSR Online. (n.d.). Retrieved from www.osronline.com: http://www.osronline.com/article.cfm?article=97.

Figure 8 – Screenshot of kernel modules loaded

AccessEnum

AccessEnum is a free utility by Microsoft that helps in enumeration of access control lists (ACL) for various file folders and registry entries on the local system. AccessEnum browses through the security access permissions on the folders and registry keys to verify which users and groups have Read/Write permissions assigned or denied. This tool is incredibly useful from a forensics perspective as well as from a system hardening perspective: it allows security practitioners to see if the permissions on certain folders or registry entries were modified, especially if the permissions are altered on the system root folders (e.g., C:\WINDOWS). Figure 9 shows which registry key permissions are given to which users, and for which key. Figure 10 shows similar access control permissions but for the file system. Using such tools, DevOps teams can find if users have altered permissions on objects resulting in problems. This is especially critical when over-privileged developers assign “Full Control” to “Everyone.” Such misplaced ACLs may place the confidentiality and integrity of file systems at risk. Lax permissions on registry keys may have even more disastrous impact, depending on the function of the registry key.

Figure 9 – AccessEnum showing the registry key permissions

Figure 10 – AccessEnum showing file folder permissions

The Curmudgeon

WHAT POSSIBLE PRACTICAL USE could there be for infosec tools?

Most people are only mildly irritating, but there’s always “The One.” Wouldn’t you know it; he’s my neighbor.

He brags about being on top of tech: using his smartphone to control his front door lock, TV, stereo, thermostat, remote start on his car, joining WiFi for “free” phone calls/no minutes (any open AP). He has to have the biggest TV. Every year he buys the latest car with in-dash-everything, backup camera, and videos in the back of the seats. He bets I’m jealous. Loud music. Loud sports parties. He’s got a web-enabled refrigerator with built-in TV. He bought a camera-carrying quadcopter to use to watch bikinis sunbathing. Of course, he has an obnoxious dog that barks at everything; and he never picks up after it. He calls me “code monkey” instead of my name.

Let’s see: Kali Linux; Wokfi antenna; USB Bluetooth and WiFi adapters? Check, check, and check. A bit of research on the Internet; it’s interesting what you can find out there.

Let the games begin! Snipe his smartphone, his WiFi AP, his networked thermostats. His WAP has no security? Well, I can help him out! Add an admin password. Now let’s work on MAC filtering. His web-enabled refrigerator? He likes to come home to a cold one. We’ll just tweak his fridge’s setting a touch...75˚ F ought to be about right. The wireless security camera—streaming its video to his NAS flash drive. Replace that with Bambi Meets Godzilla. He just bought the latest digital camera—with wireless image transfer, via an open server running X. Borrow some unusual images from online and post to it. Pair his front door with someone else’s smartphone; hope he has a spare key. Crack his thermostat; put up a script to drop the temp two degrees per hour, starting at 9 PM.

Let’s just check out his car.... Add an appointment to his car calendar for “Bambi” in “Accounting,” timed to show up when his wife goes shopping. The next day, about every 15 feet, his car’s brakes “lock up” for no reason, stalling out. Vroom-screech. Restart. Repeat.

I love my job!

Your local, grumpy, tie-wearing, unimpressed, and suspicious

Curmudgeon

EMET

EMET (Enhanced Mitigation Experience Toolkit) is a free Microsoft tool that works on the lowest levels of the operating system, making exploitation of vulnerabilities difficult. Thus, EMET is fundamentally different from the previous tools presented here—while others are detective tools, EMET is a preventative tool that helps prevent exploitation of vulnerabilities by enforcing operating system controls.

Windows XP, one of the most popular OSs in the Microsoft flagship, has come to an end of life. Organizations that did not plan ahead are now hurriedly looking for a makeshift measure before they upgrade their operating systems. During this “forced” transition phase for many organizations, EMET can offer a good stop-gap, reducing the exploitability of software. However, it should be noted that even EMET is not a foolproof way to stay on XP forever. In fact, organizations should make every effort to root out unsupported operating systems. But as most DevOps people know, even today Windows 2000 is yet to be rooted out. So outdated XP is a far newer problem to tackle.

EMET accomplishes this task by adding various mitigations such as Data Execution Prevention, SEHOP (protection against Structured Exception Handler Overwriting), NullPage Mitigation (avoiding overwriting of 0x00000000 address), HeapSpray protections, Export Address Filtering Protections, ASLR (extensive rebasing of addresses), and various Return Oriented Programming (ROP) exploitation mitigations.[5] An informational presentation of EMET 4.0’s features was provided at ReCon 2013.[6] The latest version at the time of this writing is EMET 4.1 Update 1, while EMET 5.0 is available for preview usage. Other than the protections offered on an application level, there are some other interesting protections offered by EMET such as Certificate Pinning that protects against maliciously issued SSL certificates (via an attack against the certification authorities).

As shown in Figure 11, Notepad++,[7] a popular 32-bit text editor, is being configured to be protected by EMET. Any exploit targeting this application will now have to bypass all the protections of EMET that had traditionally not existed on the OS where Notepad++ was being run. But EMET retrofits these additional preventive controls on the protected process (as shown with the check mark in Figure 12).

[5] EMET - Enhanced Mitigation Experience Toolkit. (n.d.). Retrieved from http://technet.microsoft.com/en-us/security/jj653751.

[6] Bachaalany, E. (2013). Inside EMET 4.0. Retrieved from http://recon.cx/2013/slides/Recon2013-Elias Bachaalany-Inside EMET 4.pdf.

[7] Notepad++ (n.d.) – http://notepad-plus-plus.org/.

Figure 11 – Application Configuration to protect Notepad++ (32-bit process)

Figure 12 – Screenshot showing Notepad++ being protected by EMET

DirBuster/Zed Attack Proxy/Nikto

How often do you find those pesky test files or backup files in the production web servers? In this section, three tools—DirBuster, Zed Attack Proxy (ZAP), and Nikto—can perform similar functions to discover such unnecessary files. DirBuster[8] and ZAP[9] are both OWASP projects, whereas Nikto is an old, open source tool written by Sullo.[10] In fact, the DirBuster component included in ZAP is essentially the same as the standalone DirBuster tool that attempts to access commonly found files in web-accessible directories. While ZAP has various other more prominent capabilities including being a local proxy and web application vulnerability scanner, one easy-to-use feature is DirBuster.

DirBuster is essentially an HTTP client written in Java that uses a list of commonly found directories and sends requests to each of those directories. Since the tool is Java-based it can be run from either *nix-based or Windows-based systems. If an organization’s IT environment commonly uses web servers such as Apache, Tomcat, JBoss, Microsoft IIS, or others, it is quite likely that the default directories might be copied over accidentally into the production web roots (a web root is a folder/directory on the web server’s file system which is directly accessible when a request is sent to the “/” file such as http://www.example.com/). The build processes tend to even duplicate private keys on many occasions. Figure 13 shows OWASP DirBuster listing the directory structure of a scanned server. Figure 14 shows the same tool executed within the ZAP environment. If unnecessary files are found by a DirBuster scan, the IT deployment teams should delete such files. Typically, the IT build processes should include scanning of the deployed code so unnecessary directories can be found. Such tools are meant to catch only the commonly found folders and do not claim to find all the unnecessary files/folders for you.

Nikto is a tool written in Perl and works on both *nix and Windows-based systems. It attempts to download common files and known vulnerable web-based scripts such as PHP, Perl, and Python among others. If any vulnerable files are found, these can be removed or the right permissions set to clean up the web root. Figure 15 shows Nikto finding interesting directories and files in web root. There are subtle differences between Nikto and DirBuster. Nikto sends HTTP requests to active scripts or dynamic pages along with static pages, whereas DirBuster only sends requests to static pages. There are other more comprehensive commercial and free web scanning tools available as well, and Nikto is a light scanning tool. In fact, Nikto has only bare minimal capabilities to fuzz request parameters, but it is easy enough to run that it could be a part of the build/deployment process for DevOps teams. Other tools tend to be more suited to be run either by developers or QA personnel because of the level of application-specific knowledge needed, but Nikto is easy to run and performs a quick test of some of the most commonly found extraneous files. A perfect case of great return with little effort!

[8] OWASP DirBuster Project. (n.d.). Retrieved from OWASP: https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project.

[9] OWASP Zed Attack Proxy Project. (n.d.). Retrieved from OWASP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.

[10] Nikto. (n.d.). Retrieved from CIRT: https://www.cirt.net/Nikto2.

Figure 13 – DirBuster showing the directories

Figure 14 – DirBuster integrated into Zed Attack Proxy

Figure 15 – Nikto finding files that could reveal information about the users

Conclusion

In this article, the author presented some free and commonly used security tools that are a security practitioner’s “bread and butter” but can help IT practitioners accomplish important tasks that may not necessarily have security as the main goal. While this article lists only a small sample of tools, the most important aspect is that information security is really not all that far from efficient DevOps in most organizations. Many times the actions performed by the information security teams could easily be performed proactively by the IT staff, thus reducing the security exposure in the organizational lifetime of an asset.

About the Author

Rajat Swarup is a Practice Lead at AT&T Security Solutions in the Threat and Vulnerability Management practice based out of Jersey City, NJ. Rajat advises Fortune 100 organizations on different aspects of offensive and defensive information security. Rajat obtained his MS from the University of Southern California in Los Angeles and Bachelors in Engineering from Fr. CR College of Engineering, Mumbai, India. He blogs at networkingexchangeblog.att.com and http://www.rajatswarup.com. He may be reached at [email protected].
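The build-time scan of deployed code recommended in the DirBuster/Zed Attack Proxy/Nikto section can also run directly against the web root on disk before release, catching leftover files, copied default directories and duplicated private keys. This is an added example, not part of the article or of any of the three tools; the file-name patterns and the DEFAULT_DIRS list are assumed starter values, and the sample tree is constructed.

```python
import os
import re
import sys
import tempfile

# Assumed starter patterns (not DirBuster's or Nikto's lists); extend per build.
LEFTOVER = re.compile(r"(\.(bak|old|orig|save|swp|tmp)$|~$|^(test|phpinfo)\.\w+$)", re.I)
DEFAULT_DIRS = {"examples", "manual", "manager", "host-manager", "jmx-console", "aspnet_client"}
PEM_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def scan_webroot(root):
    """Return sorted (relative path, reason) findings for a web root on disk."""
    findings = []
    for folder, dirs, files in os.walk(root):
        def rel(name):
            return os.path.relpath(os.path.join(folder, name), root).replace(os.sep, "/")
        for name in dirs:
            if name.lower() in DEFAULT_DIRS:
                findings.append((rel(name), "server default directory"))
        for name in files:
            if LEFTOVER.search(name):
                findings.append((rel(name), "backup or test leftover"))
            try:
                # A PEM header near the start of a file means key material
                # was copied into a directory the web server can serve.
                with open(os.path.join(folder, name), "rb") as fh:
                    if PEM_KEY.search(fh.read(4096)):
                        findings.append((rel(name), "private key material"))
            except OSError:
                findings.append((rel(name), "unreadable, check manually"))
    return sorted(findings)


def demo():
    """Scan a constructed web root: one clean page and four planted problems."""
    layout = {
        "index.html": b"<html></html>",
        "login.php.bak": b"<?php /* old copy */ ?>",
        "test.php": b"<?php /* scratch */ ?>",
        "examples/hello.jsp": b"hello",
        "conf/server.pem": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel_path, data in layout.items():
            path = os.path.join(root, *rel_path.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_webroot(root)


if __name__ == "__main__":
    # Build step: pass the deployed web root; a non-zero exit fails the build.
    results = scan_webroot(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, reason in results:
        print(f"{reason}: {path}")
    sys.exit(1 if results else 0)
```

Like the scanners discussed in the article, this only catches commonly seen names; an empty result does not show that the web root is free of unnecessary files.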