LPTv4 Module 35: Log Management Penetration Testing
EC-Council Module XXXV
Log Management Penetration Testing
Penetration Testing Roadmap

Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here

EC-Council Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Introduction

Log files maintain a record of all the events occurring in an organization's systems and networks.
Log management systems are used to manage log files across a network.
Since threats against systems and networks have increased, the security of log management systems also needs to be increased.

Logs are classified into:
• Security software logs: These logs record all instances of detected vulnerabilities to software.
• Operating system logs: These logs record all instances of detected vulnerabilities to the operating system.
Need for Log Management

• To record each and every action performed on the system
• To ensure the recorded instances are stored for an appropriate duration
• To perform routine log review and analysis, which helps to identify security threats, policy violations, operational problems, etc.
• To perform auditing and forensic analysis in the investigation of malicious activities

Operating system log entry example:

    Event Type: Success Audit
    Event Source: Security
    Event Category: (1)
    Event ID: 517
    Date: 3/3/2008
    Time: 4:30:40 PM
    User: NT AUTHORITY\SYSTEM
    Computer: KENT
    Description:
    The audit log was cleared
    Primary User Name: SYSTEM
    Primary Domain: NT AUTHORITY
    Primary Logon ID: (0x0,0x3F7)
    Client User Name: userk
    Client Domain: KENT
    Client Logon ID: (0x0,0x28BFD)
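A small routine-review script for entries like the one above, added here as an example and not part of the EC-Council module: it parses the "Key: Value" record, flags the audit-log-cleared event (ID 517) and attributes it to the client account that requested it rather than to SYSTEM. The sample record is a constructed copy of the slide's entry and the high-risk event table is an assumption of this example.

```python
import re

# Constructed sample: a copy of the Windows Security event shown on the slide above.
SAMPLE_EVENT = r"""Event Type: Success Audit
Event Source: Security
Event Category: (1)
Event ID: 517
Date: 3/3/2008
Time: 4:30:40 PM
User: NT AUTHORITY\SYSTEM
Computer: KENT
Description:
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3F7)
Client User Name: userk
Client Domain: KENT
Client Logon ID: (0x0,0x28BFD)
"""

# Assumption of this example: these event IDs are escalated on every review run.
HIGH_RISK_EVENT_IDS = {"517": "audit log cleared (possible cover-up of earlier activity)"}

def parse_event(text: str) -> dict:
    """Turn a 'Key: Value' record into a dict; a line without a key (the body after
    'Description:') is appended to the previous field."""
    fields, last_key = {}, ""
    for raw in text.strip().splitlines():
        key, sep, value = raw.partition(":")
        if sep and re.fullmatch(r"[A-Za-z][A-Za-z ]*", key):
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key:
            fields[last_key] = (fields[last_key] + " " + raw.strip()).strip()
    return fields

def review_event(fields: dict) -> list:
    """Routine review: one finding per high-risk condition. The actor reported is
    'Client User Name' (who asked for the action); 'User' is only SYSTEM here."""
    findings = []
    event_id = fields.get("Event ID", "")
    if event_id in HIGH_RISK_EVENT_IDS:
        actor = fields.get("Client User Name") or fields.get("User", "unknown")
        findings.append(f"event {event_id} on {fields.get('Computer', '?')} at {fields.get('Date', '?')} "
                        f"{fields.get('Time', '?')}: {HIGH_RISK_EVENT_IDS[event_id]}; requested by {actor}")
    return findings
```

Feeding `parse_event(SAMPLE_EVENT)` to `review_event` yields a single finding naming host KENT and client user userk.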
Challenges in Log Management

• Potential problems with the initial generation of logs
• Inconsistent log formats
• Confidentiality, integrity, and availability of generated logs
• Inaccuracy in internal clock
Steps for Log Management Penetration Testing

1. Scan for log files
2. Try to flood Syslog servers with bogus log data
3. Try malicious Syslog message attack (buffer overflow)
4. Perform man-in-the-middle attack
5. Check whether the logs are encrypted
6. Check whether arbitrary data can be injected remotely into Microsoft ISA server log file
7. Perform DoS attack against Check Point FW-1 Syslog daemon
8. Send Syslog messages containing escape sequences to Syslog daemon of Check Point FW-1 NG FP3
Step 1: Scan for Log Files

Use different scanning tools to scan the log files in the system.
Some of the log file scanning tools are:
• Sawmill
• Bcnumsg
Step 2: Try to Flood Syslog Servers with Bogus Log Data

Most syslog implementations use the connectionless, unreliable UDP to transfer logs between hosts.
UDP provides no assurance that log entries will be received successfully or in the correct sequence.
Most syslog implementations do not perform any access control, so any host can send messages to a syslog server.
Check for denial of service that may be caused by flooding.
Step 3: Try Malicious Syslog Message Attack (Buffer Overflow)

Construct a large syslog message with target-specific codes at the end of the message.
If syslog messages are allowed from untrusted hosts, try to send syslog messages until a buffer overflow condition is found.
Try to elevate a local user process to root privileges after the buffer overflow.
Step 4: Perform Man-in-the-Middle Attack

Man-in-the-middle attacks can be used to modify or destroy syslog messages in transit.
Check if the syslog client verifies the server's identity as presented in the server's certificate message before sending log files.
Check the client's local ~/.ssh/known_hosts file if an ssh tunnel is used for log transmissions.
Step 5: Check Whether the Logs are Encrypted

Most syslog implementations cannot use encryption to protect the integrity or confidentiality of logs in transit.
Sniff the network with different sniffing tools such as Ethereal and SniffIt.
Try to monitor syslog messages containing sensitive information regarding system configurations and security weaknesses.
Step 6: Check Whether Arbitrary Data Can be Injected Remotely into Microsoft ISA Server Log File (Only for Microsoft ISA Server)

Send a specially-crafted HTTP request to modify the destination host parameter in the log file.

    GET / HTTP/1.0
    Host: %01%02%03%04
    Transfer-Encoding: whatever
Step 7: Perform DoS Attack Against Check Point FW-1 Syslog Daemon (Only for CheckPoint Firewall)

• Start syslog daemon by enabling the firewall object
• Check for listening syslog daemon
• Send a valid syslog message from a remote host
• Send random payload via syslog message from a remote host:

    [evilhost]# cat /dev/urandom | nc -u firewall 514
Step 8: Send Syslog Messages Containing Escape Sequences to Syslog Daemon of Check Point FW-1 NG FP3 (Only for CheckPoint Firewall)

• Enable receiving of syslog from remote by FW-1
• Send some special escape sequences via syslog:

    [evilhost]# echo -e "<189>19: 00:01:04: Test\a\033[2J\033[2;5m\033[1;31mHACKER~ ATTACK\033[2;25m\033[22;30m\033[3q" | nc -u firewall 514
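The receiver-side checks a hardened syslog daemon should apply against what steps 2, 3, 6 and 8 probe for (flooding from any source, oversized messages, and control or escape characters in untrusted fields), as added example code that is not part of the EC-Council module or any vendor's product. The per-source rate limit and the 1024-byte cap (the RFC 3164 message bound) are this example's choices; the two sample messages are constructed, the second being the step 8 payload.

```python
import re
import time
from collections import deque
from typing import Deque, Dict, List, Optional

MAX_MSG_LEN = 1024  # RFC 3164 upper bound; longer datagrams are rejected rather than parsed
PRI_RE = re.compile(r"^<(\d{1,3})>")
# C0 control characters (BEL, ESC, ...) and DEL; a clean log line never needs them
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
ESC_SEQ_RE = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]")  # ANSI CSI sequences such as ESC[2J

class SyslogGuard:
    """Receiver-side checks applied to each datagram: per-source rate limit,
    length cap, PRI validity, and control/escape characters."""

    def __init__(self, max_per_window: int = 100, window_s: float = 1.0) -> None:
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._arrivals: Dict[str, Deque[float]] = {}

    def _flooding(self, src: str, now: float) -> bool:
        q = self._arrivals.setdefault(src, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:  # drop arrivals outside the window
            q.popleft()
        return len(q) > self.max_per_window

    def check(self, src: str, raw: bytes, now: Optional[float] = None) -> dict:
        now = time.monotonic() if now is None else now
        findings: List[str] = []
        if self._flooding(src, now):
            findings.append("rate limit exceeded")
        if len(raw) > MAX_MSG_LEN:
            findings.append(f"oversized message ({len(raw)} bytes)")
        text = raw.decode("ascii", errors="replace")
        m = PRI_RE.match(text)
        if not m or int(m.group(1)) > 191:  # facility*8 + severity never exceeds 191
            findings.append("missing or invalid PRI")
        if ESC_SEQ_RE.search(text) or CONTROL_RE.search(text):
            findings.append("control/escape characters")
        # Neutralise control bytes so the stored text is safe for terminals and log viewers
        sanitized = CONTROL_RE.sub(lambda c: "\\x%02x" % ord(c.group()), text)
        return {"src": src, "accept": not findings, "findings": findings, "sanitized": sanitized}

# Constructed samples: a well-formed message and the escape-sequence payload from step 8
GOOD = b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
ESCAPES = b"<189>19: 00:01:04: Test\x07\x1b[2J\x1b[2;5m\x1b[1;31mHACKER~ ATTACK\x1b[2;25m\x1b[22;30m\x1b[3q"
```

`SyslogGuard().check("10.0.0.5", ESCAPES)` rejects the step 8 payload and returns a sanitized copy in which every ESC and BEL is spelled out as `\x1b` and `\x07`, so the line can still be kept as evidence without being rendered.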
Checklist For Secure Log Management

• Maintain back up for log files
• Use updated version of software for logging mechanisms
• Select secure log file locations
• Encrypt log files
• Store them on another host in order to stop tampering of log files
• Establish standard policies and procedures for log management
• Create and maintain secure log management infrastructure
• Train the personnel holding log management responsibilities
• Give limited access to log files
• Use a secure mechanism to transfer log files from one system to another
• Check the internal clock of the system
Summary

• Log files are the files that maintain a record of all the events occurring in an organization's systems and networks.
• Logs are used to perform auditing and forensic analysis in the investigation of malicious activities.
• Most syslog implementations use the connectionless, unreliable UDP to transfer logs between hosts.
• Use updated versions of software for logging mechanisms.
• Check the internal clock of the system.