Monthly Archives: October 2009

SANS Sydney 2009 SEC501: Advanced Security Essentials – Enterprise Defender with Eric Cole

Posted on by
Reply

Wow!

I have been accepted as the class volunteer for SEC501: Advanced Security Essentials – Enterprise Defender with Dr Eric Cole.

If anyone else is going to be at SANS Sydney 2009, I’ll be the class minon for Dr Cole for his week teaching the class. 

It promises to be a fantastic week of re-evaluating the security defender role and what it takes to keep the enterprise safe. Dr Cole’s class promises to be a highly enteraining and deep dive follow up to the 401 course.

I hope to absorb what I can from the massive stream of knowledge that I’ll be wading in during the week.

If you are there, say hi and no stealing my mints ;-)

METASPLOIT UNLEASHED – MASTERING THE FRAMEWORK

Posted on by
Reply

Stumbled over this while working on my offensive security course work. The study took a “short break” while I thumbed through the pages.

So far, it looks excellent and for a great cause too.

METASPLOIT UNLEASHED – MASTERING THE FRAMEWORK

This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework.      This is the free online version of the course. If you enjoy it and find it useful, we ask that you make a donation to the HFC (Hackers For Charity), $4.00 will feed a child for a month, so any contribution is welcome. We hope you enjoy this course as much as we enjoyed making it.  The “full” version of this course includes a PDF guide (it has the same material as the wiki) and a set of flash videos which walk you though the modules. You may purchase these materials from the Offensive Security Training page. All proceeds from this course go to HFC.

Forefront Vs Conficker

Posted on by
Reply

Conficker has been doing the rounds for awhile, so it was only a matter of time before it found a way on to the network.

There are some fantastic write ups on how Conficker acts: Sneaky tricks, Autorun.inf , working groups , detection methods and resources.

Here’s how Forefront deals with it.

From a USB drive

When Conficker is on a USB drive, Forefront reports it as conficker.x!inf, x being the version, and happily wipes the autorun.inf file on the USB drive. It doesn’t remove the hidden file at detection; a scan has to be run on the USB drive to remove it. Nice and straightforward.

ON the network

When you get Forefront detected Conficker on a machine warning, this is the time you need to be worried. Why is it a worry?

Well gentle reader, this means Conficker was able to infect the machine and Forefront has stepped in to clean it after the fact.

By after the fact, I mean Conficker has attacked the system and dropped it’s dll and AT1.job in to a local folder on the attacked system.

Look in the attacked machine’s System event log, two Event ID 3004, Source FCSAM followed by a Event ID 3005, Source FCSAM have been generated.

Event ID 3004 is Forefront detecting and suspending the file, Event ID 3005 is Forefront removing the file.

Event ID from System

IMPORTANT NOTE:

If someone is logged on to the machine Forefront is protecting and Conficker attacks it, the Forefront icon turns in to a red cross. If the user simply ignores this, that is doesn’t click the icon and press smart clean, after ten minutes Forefront removes or quarantines the file.

This means for those ten minutes the AT1.Job file and the .dll are on the attacked system, despite being in a suspended state. By suspended state, the files are still visible.

So how did Conficker get on the machine in the first place?

There are only three ways that can happen:

1)      Conficker was on the machine before you installed Forefront and Forefront detects it on first scan

2)      The patch to protect against Conficker, MS08-086 KB958644, is not installed and Conficker attacks the machine

3)      And the worst, by far, is an administrative account has been used to attempt to install Conficker on the machine

Ignoring the first way and using the deployment tool of your choice to patch your machines for the second way, let’s talk about big bad number three.

Here are some of the scenarios for way number three can occur first:

1)      You have a terrible password policy and the password of a local administrator account is in the guessing file of Conficker

2)      Conficker successfully attacks a machine left logged in as a local Admin with no AV

3)      Someone with administrator rights plugs in a infected USB in to the machine without antivirus (or the antivirus is horribly out of date)

So having Forefront installed on all machines and up to date is step one. Step two is user education on USB sticks. Step three is an awareness campaign to all of your IT admins. Since you’re using Forefront, Active Directory should be in use as well. If you don’t have money for smarter tools just use software deployment GPO’s to install Forefront and then use WSUS to push out the updates.

So now that I’ve taught you to suck eggs, here are some suggestions to actually help.

Group policy objects (GPO) can aid find Conficker infected machines First enable audit policies (Computer Configuration – Windows Settings – Security Settings – Local Policies – Audit Policies), with the most important being Audit account login events. Set this to success and failure.

With this GPO enabled and applied, when the next machine reports being attacked by Conficker connect to the machines Security event log and filter by Event ID 680. This ID deals with which account login in to the machine and from which machine.

Event ID from Security

What we want is the 680 successes as our number one priority, as this means Conficker has an account that can connect to the system. The 680 failures still tell which machines are attacking and can be add to the clean up task.

There a number of log parsing tools and scripts out there to automate finding the 680 event id on multiple systems, pick your favourite and use that.

The two pieces of information we are interested in are Logon Account and Source Workstation within the 680 event id. These two wonderful fields tell us which account and which computer successful attacked the machine.

Stating the obvious, run a cleaning tool Ms tool or any one of these or format and rebuild the computer only after taking a copy of the event logs. The more important part is the user account. In a number of companies, every machine has the same local administrator account. If this is a poor password, it is time to change it. Script out a password change for all machines, plenty of examples on how to do this are online.