KRACK WPA2 Wi-Fi Vulnerability

A serious security vulnerability in wireless (Wi-Fi) protocol has been identified: KRACK, short for Key Reinstallation Attack. Comprehensive details on the vulnerability and proof-of-concept exploitation video can be found on vulnerability’s official website:  https://www.krackattacks.com/

Great vulnerability summary and what to do:

Monitor & Remediate: 

Assigned CVEs:

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the four-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the four-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the four-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: reinstallation of the group key (GTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.

List of Affected Vendors:

*Nix Distributions:

Additional References:

 

Advertisements
Tagged , ,

Petya Response Summary

Wanted to share a quick response plan against the recent Petya ransomware breakout:

  • Apply Microsoft security updates released in March 2017 bulletin: MS17-010
  • Most Firewall and IDS/IPS vendors have released signatures for the SMB vulnerability exploit however, if you do not have auto-updates enabled you want to do a manual update
  • Disable the support of SMBv1 protocol. A detailed write-up here: https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/
  • Some variants of Petya have been reported to use WMIC & Microsoft PSExec to laterally move within the environment.
    • Petya scans the local /24 to discover enumerate ADMIN$ shares on other systems, then copies itself to those hosts and executes the malware using PSEXEC. This is only possible if the infected user has the rights to write files and execute them on system hosting the share.
    • Petya uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on those hosts. It can use Mimikatz to extract credentials from the infected system and use them to execute itself on the targeted host.
    • Blocking ADMIN$ share via GPO should address lateral movement concerns
  • If you cannot block, monitor ingress/egress traffic on 455/137/138/139
  • If you use tax accounting software, MEDoc read this: http://www.bbc.co.uk/news/technology-40428967

Most of the recent ransomware campaigns are taking advantage of vulnerabilities disclosed by the Shadow Brokers in April 2017. In addition to MS17-010 (EternalBlue), all of the related vulnerabilities should be patched as soon as possible:

  • Code Name : Solution
    • “EternalBlue” : Addressed by MS17-010
    • “EmeraldThread” : Addressed by MS10-061
    • “EternalChampion” : Addressed by CVE-2017-0146 & CVE-2017-0147
    • “ErraticGopher” : Addressed prior to the release of Windows Vista 
    • “EsikmoRoll” : Addressed by MS14-068 
    • “EternalRomance” : Addressed by MS17-010 
    • “EducatedScholar” : Addressed by MS09-050 
    • “EternalSynergy” : Addressed by MS17-010 
    • “EclipsedWing” : Addressed by MS08-067

Petya campaign is still developing and it is important to monitor the developments. One of the best ways to monitor the situation is via Twitter under the following hashtags: #Petya #NotPetya #Ransomware

References:

Tagged , ,

BlackLight Forensics Software

BlackBag BlackLight

I had no idea just how tightly BlackLight would grab onto my attention and then keep its hold. Yet, here I am. While I’ve heard positive feedback from people in the information security community regarding BlackBag’s forensic software products, I have not had the opportunity to use one of their products on my own. Thus, I was thrilled to review BlackBag’s BlackLight product.

For those who are not familiar, BlackBag’s BlackLight is a piece of comprehensive forensics analysis software that supports all major platforms, including Windows, Android, iPhone, iPad, and Mac. In addition to analysis, it can logically acquire Android and iPhone/iPad devices. You can also run the software on both Windows and Mac OS X.

In this particular review, I used the latest version of BlackLight (2016 release 3). I decided to use it on Mac. The main reason I chose Mac was that most of analysis that I have performed thus far has been with the traditional Windows Forensic Recovery of Evidence Device (FRED) and I figured this would be a great opportunity to try something different.

Installing BlackLight on Mac was a breeze. I simply downloaded the installation file from BlackBag’s website and entered the license key upon initial file execution. The single installation file took care of all of the dependencies needed for the software, which I was glad to see.

BlackLight Actionable Intel

BlackLight Actionable Intel

Here were the configurations for my Mac: MacBook Pro running Sierra OS version 10.12.2. The hardware included Intel Core i7 with 2.5 GHz with 16GB memory and a standard hard disk drive.

With review, I wanted to make a use-case in which I would perform basic processing and analysis of a traditional disk image using BlackLight running on Mac. Without any real experience with BlackLight, I focused on usability and intuitiveness.

Processing

For this review, used a 15GB physical image of Windows XP SP3 E01 Disk. I processed this image through BlackLight with all of the ingestion options available in the software and to my surprise, it took under 10 minutes to complete.

What was even more impressive was that it had very little performance impact on my system. In fact, as the image was being processed in the background, I continued to perform normal operations such as browsing the web and using Open Office software with no problem. Continue reading at forensicfocus.com by clicking here!

Tagged , ,

Advanced Forensic Toolkit (FTK) Course Review

For a few years, I had been using Access Data’s FTK (Forensic Toolkit) software without any formal training. I had managed to work my way through the fundamentals on my own, but I always sensed that there was much on which I was missing out.

emailvisualization

FTK  Email Analysis Visualization

It was only after I recently attended the Advance FTK class offered by AccessData (Syntricate) that I realized the enormity of what had been right under my nose the whole time.

You can read my complete review of this course at Forensic Focus or by clicking here.

Tagged ,

Burp and Samurai-Web Testing Framework

The other day I came across a social media post that was about utilizing Burp Suite to identify vulnerabilities in web applications. I had heard of Burp before but never really had the chance to play around with it – until now.

Just like a lot of other security tools, Burp has a community version along with its commercial product. I decided to download the free edition from here in my home lab.  The installation process is straight forward and in no time you have Burp up and running. Here is how the initial interface looks like:

Burp

Right when I finished my installation of  Burp, I realized that I did not have a web application running in my lab that I could use to test Burp against. Bummer! Now I had to decide between setting up a web server myself or finding a commercial distribution that came pre-built with one. This was a no-brainer – and within minutes I found a few distributions that were designed for testing and learning web application security; such as: SamuraiWTF, WebGoat and Kali Web Application Metapackages. I decided to go with SamuraiWTF.

SamuraiWTF gives you the option to run from a live disk or install it in a VM. I decided to install the VM. Here is a good guide on the installation process. I give my VM instance 4GB RAM and 3 cores; more than enough horsepower.

This distribution comes pre-installed with Mutillidae, which is a “free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts”. This was perfect for what I was looking for. Setting up the Mutillidae in pretty simple – all I had to do was change my network configurations to NAT and that was it. However, if you need more information on configuration here are some great video guides on Mutillidae; in fact I used some of these myself while configuring Burp to work with Mutilliade.

After finishing all of the above prep work, I was ready to run Burp!

For those who are not familiar with Burp, its an interception proxy which sits between your browser and the web server and by doing so it is able to intercept requests/responses and provides you the ability to manipulate the content. To do so you have to configure Burp as your proxy. On your VM, this would be your local host (Proxy Tab > Options):

Proxy

Likewise, you would have to configure your browser to that same proxy. Here is my proxy configuration on Firefox:

Firefox Proxy Configuration

Now as you navigate through your Mutilliadae webpage, all your requests should go through Burp. One thing you have to do is turn on the Intercept option in Burp. Its under Proxy > Intercept.

What this allows you to do is see the request as its made but gives you the control to either forward it to the web server or simply drop the request (like a typical MiTM). For example, on the login page of Mutilliade i used admin name and admin123 password. And as soon as I hit “Login” I saw the request being made from my browser to the webserver in Burp:

Burp Intercept

In the screenshot above, you can see the two options: Forward and Drop. If you hit forward, the web server will receive this request from your browser and will respond as it would normally. In this case, the account I used to login did not exist:

Web Server Respose

Burp has the capability to also capture the responses. It is an option that you can turn on by going to Proxy > Options and towards the middle of the page you will see “Intercept Server Responses”. By turning this on you will be able to see and control both sides of the requests:

Request and Response

If you look under Target > Site Map; on the left pane you will see list of all the sites that you have visited with the Burp proxy on:

History Map

One advantage of the above feature is that it allows you to go back and revisit requests and responses. The sites that are in grey color are those that are available on the target web page but you have not visited them.

Another neat feature is that if you do not want to visit each page individually you can run the “Spider” feature which will map the whole target page for you.

Spider

If you go under Spider > Control you are able to see the status of the Spider as it runs:

Spider Status

When you intercept request or response, you have the ability to send that to other features of Burp. You are able to view these additional options by right clicking on the intercept:

Intercept Additional Options

Towards the bottom of the official Burp Suite guide page here you can see a brief description of most of the options shown in the screenshot above. The one i found really neat is the “Repeater” option which allows you to modify and re-transmit requests repeatedly without having the need to perform new intercepts each time.

This concludes my brief journey of getting started with Burp using SamuraiWTF. There is whole lot more than I had the chance to explore but here is a great reference for advance topics.

Below  is a quick blurb on some of Burps features:

Spider: crawls the target and saves the numerous webpages that are on the target.

Intruder: automated attack feature which tries to automagically determine which parameters can be targeted i.e. fuzzing.

Fuzzing options: Sniper (fuzz each position one-by-one), Battering Ram (all positions on the target receive one payload), Pitchfork (each target position is fuzzed in parallel) Cluster Bomb (repeats through payloads for multiple positions at once).

Proxy: used to capture requests & responses to either just monitor or manipulate and replay.

Scope: controls what (pages, sites) is in/out of the test “scope”.

Repeater: manually resubmit requests/responses; allows modification.

Sequencer: used to detect predictability of session tokens using various built-in tests i.e. FIPS 140-2.

Decoder: allows encoding/decoding of the target data i.e. BASE64, Hex, Gzip, ASCII, etc.

Comparer: allows side-by-side analysis between two requests/responses.

Cheers!

Tagged , ,

Botnets?

How does it feel to know that your personal computer can be remotely controlled by someone without your knowledge for ill purposes? Or worse, instead of a single individual having this unauthorized access to your system it can be a group of people over the internet that control what your computer does and how it does it. In the field of Information Security, if your system is involved in such control it is considered a bot: a computer system being controlled by an automated malicious program. In addition, your computer system can be part of a larger group of infected computer systems and these collections of infected computers create botnets. Casually, these bots are also referred to as zombies and the remote controller is called the botmaster. So how are these bots born and grow into botnets?

According to Damballa, an independent security firm’s annual threat report, “at its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of 8 percent per week ”. Originally, these bots are developed by techsavvy criminals who develop the malicious bot code and then usually release in the open internet. While on the internet, the bot can perform numerous malicious functions based on its code design but it most cases it spreads itself across the internet by searching for vulnerable, unprotected computers to infect. After compromising victims’ computer, these bots quickly hide their presents in difficult to find locations, such as computer’s operating system files. The botmaster’s goal here is to maintain the compromised system behavior as normal as possible so the victim does not become suspicious. Common activities that bots perform at this stage involve registering themselves as trusted program in any anti-virus program that might be on victim’s computer. Moreover, to maintain persistence, bots add their operations in systems startup functions which results in bots automatically reactivating even after shutdown/restart. Throughout this process bots continue to report back to botmaster and wait for further instructions.

Below lists some of the common operations that bots can perform on behalf of its botmaster:

Sending
Stealing
DoS (Denial of Service)
Clickfraud
They send
– spam
– viruses
– spyware
They steal personal and private information and communicate it back to the malicious user:
– credit card numbers
– bank credentials
– other sensitive personal information
Launching denial of service (DoS) attacks against a specified target. Cybercriminals extort money from Web site owners, in exchange for regaining control of the compromised sites.
Fraudsters use bots to boost Web advertising billings by automatically clicking on Internet ad

As the chart above states, there are numerous functions that bots can perform. However, recently bots have mainly been used to conducted Distributed Denial of Service (DDoS) attacks: utilizing hundreds or thousands of bots from around the whole world against a single target.  Botmaster’s goal with DDoS is to use thousands of bots with numerous botnets to attempt to access the same resource simultaneously. This overwhelms the resource with thousands of requests per second thus making the resource unreachable. This inaccessibility of the resource has severe effects on legitimate users and requests. According to FBI, “botnet attacks have resulted in the overall loss of millions of dollars from financial institutions and other major U.S. businesses. They’ve also affected universities, hospitals, defense contractors, law enforcements, and all levels of government”.

A misconception exists that if your system does not hold any valuable information or if you do not use your system to conduct online financial transactions than an adversary is less likely to target your system. Unfortunately, as much as we would like this to be true, it is not the case. For botnets the most valuable element is your system’s storage and your internet speed. Our personal computers are now capable of storing and processing terabytes of information seamlessly and are able to use our high speed internet to transfer this information.  As stated by a malware researcher team from Dell SecureWorks, botnets “allows a single person or a group to leverage the power of lots of computers and lots of bandwidth that they wouldn’t be able to afford on their own”.

——————————————————————-

http://www.fbi.gov/news/news_blog/botnets-101

https://www.damballa.com/press/2011_02_15PR.php

http://news.discovery.com/tech/what-are-botnets-110304.htm

http://us.norton.com/botnet/

Tagged ,

Forensic Timeline with Autopsy and More

The process of timeline creation is extremely critical in forensic because it provides you with a holistic view of the system in question and gets you one step closer to answering those key questions. There are multiple ways that you can create a system’s timeline. However, the one I recently came to know is Autopsy’s Timeline Analysis module and here is my first experience with it.

Autopsy can be downloaded from here. The installation is simple – no dongle required!

Welcome Screen

Welcome Screen

To test the timeline module, I used one of my test windows 7 machines. And to create some activity, I browsed the known-bad-URLs and downloaded some potentially malicious files. Also, installed AVG AntiVirus Free edition as  a basic detection mechanism. However, to my surprise, AVG was able to detect and block most of the executables that I tried to run.

AVG DetectionsSince, I had to run some executable to create the lab, so instead of making exceptions in AVG – I decided to uninstall it. I figured it would be interesting to see how the evidence of software uninstall will be presented.

I went back and ran the following three executables: sydzcr22.exe, b.exe, b01.exe. 

In addition, I added total of two new accounts on this machine. First one (admin01) I created using the windows “Manage Accounts” interface and the second (admin02) via command prompt. Both accounts have administrative privileges.

Account Management

Lastly, I made a logcial image of the target system and created a new case in Autopsy. Here is a guide on how to create a case and add evidence in autopsy.

This is how the output after the initial processing is completed looks like:

Initial Processing

As you will notice from the screenshot above, a lot of the common places that you would want to look in an image are readily available in a nice, organized manner. The first thing I did was perform keyword searches for the three executables that I ran earlier (sydzcr22.exe, b.exe, b01.exe) just to confirm their presents.  

Keyword Search

The keyword search was pretty fast and it found all the three exe files that I had browsed and installed. In the screen shot we can see the exes’ browsed URL, date, and the location on the disk where that piece of evidence is locatedindex.dat. I searched the Temporary Internet Files but was only able to find one B01.exe but not others; not sure why.

 B01The second thing I wanted to look for is the installation of the AVG antivirus and then the removal. Lets see what we find.

The first place I looked at was the “Installed Programs” menu option:

Installed Programs

I do not see any instance of AVG here. But regardless, I guess this is a handy feature to have quick access to in order to see the installed applications at the time the image was acquired. I see the AVG2015 folder under Program Data directory but not much more:

AVG2015 Directory Folder

So with this, now we get to the reason why we started this project – timeline! The process for generating a timeline is pretty simple. You go to Tools and the Timeline. You see a status bar and at least for my image (120G) it took  around 2-3 minutes and I had my timeline opened in the second window:

 Generating TimelineTimeline Window

Graph Legend

Graph Legend

As you will notice in the second screenshot above, there are some anomalies in the time range. You can easily modify the scope by using the the scale on the top left, the start and end (not shown in the screenshot) options towards the middle of the screen as well as using the graph itself to zoom into the date of interest. From all of these options, the one that I liked the most is right clicking on the time range of your interest and select the “Zoom into Time Range” options. In my option this is faster and easier then messing with the scales:

Zoom into Time Range

As you continue to zoom in you will get to the month timeframe where you can see which date of the month had what amount of events:

Zoom In To MonthLastly, when you zoom into one specific day of the month you can see the events by the hour:

Zoom In To TimeSo getting back to finding AVG activity, I first see the web activity

AVG Web Download

In the screenshot above, please take a note of the “Text Filter” option; which comes handy in narrowing down results. In fact, if you don’t narrow down the results the system will not be able to display the events and instead will give the following message:

5000Max

However, it seems like if you change the “Visualization Mode” from “Count” to “Details” you are able to overcome the above limitation. However, the output is in a different format:

Details Visualization Mode

Notice above that when you hover over any of the events, you receive the option for further details by the symbols of “+” and “-“. However, after spending sometime going through the information presented above, I did not get close to finding answers to the original questions. This is not to say that information here is not valuable, it just did not come handy in answering our particular questions.

So my next step was to extract windows event logs from the image and review them. And pretty quickly we find the following entries:

AVG Installation Completed Successfully

AVG Installation Completed Successfully


AVG Installation Successful Without Errors

AVG Installation Successful Without Errors

Similarly, we find log entries for removal:

AVG Successful Removal Without Errors

AVG Successful Removal Without Errors


AVG Removal Completed Successfully

AVG Removal Completed Successfully

With the information presented from our target system’s event logs we are now able to see both the successful installation and later the removal of the AVG anti-virus software. It would have been nice to see some of the event log information in our timeline.

On a side note, while looking through application logs, I found two application crash events; one for our b.exe and the second for sydzcr22.exe – both of which we attempted to install from the browser earlier in the lab.

b.exe Application Crash

b.exe Application Crash

The last question that we wanted to answer was the evidence of account creation for admin01 and admin02. Both of which we created earlier – one using Windows Account Management interface and the second via command prompt. Here is the windows log event for the first one:

Admin01 Account Here is the evidence for the second account creation:

Admin02 Account

Based on the above to account creation logs, we cannot tell which account was created via windows interface vs command prompt. The only difference that we see is that one account has its password set (which is the account we created through command prompt and had to give it a password but without this knowledge we cannot tell the difference). Also the account created from command prompt (admin02) does not have the “Display Name” set; maybe this could be an identifier.

On a separate note, if we go back to our timeline and see the events around the time frame of the above windows events we see the following activity.

Admin01 Created

Admin02 Created

If you look at that first entry, it refer to the following default account display picture:

Account Picture

Around the same time we see security logs getting updated:

Security Log

This is all the information that I can pick out from our timeline that I think is there to indicate creation of an account. However, what’s interesting is that in our timeline we do not see any entry to command prompt – which we used to create the second account and if there was an entry for it, it could be used as another hint.

Anyway, at this point I was not sure how to go about getting user account artifacts so I reached out to the people of DFIR community via Twitter and as always got wonderful feedback. One of the suggestions was to perform shellbag analysis. This was a great suggestion however, this was not going to work in our situation. The reason being, shellbag analysis requires two artifacts for each account: ntuser.dat and usrclass.dat. These two artifacts are created the first time the user interactively logs on at the computer; establishing a user account on the computer does not create a profile for that user. In our case, we did not login using either of the (admino1, admin02) accounts after we created them, hence there aren’t any profile files like there are for our main (dfir) account:

ntuserSome of the other suggestions included examining memory of the target system (which we did not acquire) and reviewing windows command line history (which is not saved by default on the disk running Win7-32 but again could have pulled from memory).

So the last thing I wanted to check out before closing out this lab was do a quick comparison with traditional log2timeline. So I ran l2t against the same disk image and here is the outcome of our supertimeline:

SuperTimeLine

There is a lot that is going on here but the key things to look at is when the two accounts are created and what happens around them. The first account (admin01 – created via GUI) is underlined in red and the second account (admin02 – created via cmd) is underlined in blue. The section marked in green shows the launch of command prompt. It is obvious that the first account was created right after the creation of few security event logs however, the second account was created right after the launch of windows command prompt (there is some delay in seconds but that was due to me confirming the cmdline syntax before executing).

The last thing I want to point out from our supertimeline – which correlates with our earlier finding during manual review of event logs and is the small section in the screenshot above highlighted in yellow. You will notice that for the first account, admin01 there is an account name right next to the SAM ID of the same name. However, for the second account we just see the SAM ID but no account name.

This concludes my exploration with Autopsy and its timeline feature. The goal here was not to simply go through the different menu options of this powerful tool but rather run it against a made up scenario. And even the scenario itself is something that I made up as I went along in the process; so to be honest, I am not sure how some of the other (even commercial) tools would handle this scenario. In the end, the whole post became another CDR entry where we almost went through all the three stages to an extent. Anyway, it took me sometime to gather all the screenshots and do this write up from the time when I actually did the lab; so I am sure numerous updates have been made to the tool since then. Overall, I am very pleased with the tool and the capabilities that it provides; hard to believe its free! When I did the lab, the timeline feature was fairly a new addition to the tool but we can sure except some awesome updates to it. Definitely an awesome, powerful and fast tool to have in your toolbox – check it out!

Acknowledgements for responding to the original Twitter question:

—-

(Here is the update on user account creation analysis done by @b!n@ry – Great job!; instead of looking for usrclass.dat for the new accounts created, you would look into the account you suspect created those two new accounts! Ref: 1 and 2. Also the net.exe and net1.exe prefetch files proved to be extremely valuable). #NoteToSelf! :)

Tagged , ,

Nexpose Scanner – Quick Setup

My last blog post was related to setting up Nessus home edition scanner for your lab to do testing. Nessus is properly what I am most familiar with and I like it. I also have some experience using Qualys scanner but it has been couple years since I have used it. However, the scanning technology that I have only heard of but never actually used is Nexpose. So for that reason I figured I give it a try.

Similar to other commercial scanning technologies, there is a community edition of Nexpose that you can download in your home lab for testing from here.

They have a pretty straight forward user/installation guide here, which I followed in my installation. But just in-case, here is the high level overview of how I did my setup.

  • Selected the VMWare Virtual Appliance option of the Community Edition
    • Completed the online forum and received the activation code in the email
    • The download contains 1.02GB of .ova file called NexposeVA.ova
  • I opened that file using VMWare Workstation
    • Please note that by default, it allocates 8GB of memory, 2 processors and 160GB of disk space. So, please modify these settings if you do not have those resources available before you power-on the VM.
  • After the VM completely boots, you will login using the following credentials: login: nexpose password: nexpose (please change this)
    • If you just want to complete the most basic setup and want to get up and running immediately without messing with any of the advance configurations or upgrades, the only configuration you need to do is networking. The virtual appliance is setup in bridge mode by default and should be able to get you an IP automatically. But if you need to give it static IP then you will have to do that manually.
  • At this point you are pretty much done with the setup. You will be able to complete the rest of the setup by accessing your Nexpose instance by typing following in your browser: https://%5BVM-IP-Address%5D:3780
    • The default username for the web interface is: nxadmin and the password is: nxpassword
    • After your first logon, the initlization process will take some time. For me, it was about 5-7 minutes.

Login Page

  • Like I said earlier, this was my first time using Nexpose so I did not know the exact steps to follow after logging in. But my goal was to run couple different scans against all of my lab machines (14 active IPs). So, without reading the user guide and only spending sometime familiarizing myself with the interface, following is the approach I took to setup my scans.
  • Create a “New Static Site
    • To me, this is similar to the Organization in Nessus (SecurityCenter)
    • Assets: here you provide the name of your site, list all of the IPs (assets) that are part of this site. I added my 14 IPs here.
    • Scan Setup: this is where you choose the type of scan. I personally did not like the scan setup option being part of the Site Configuration because each time you need to run a different type of a scan it seems like that you need to go and edit the site.
    • Credentials: In the next tab you can provide credentials. I like how it gives you the option to restrict each credentials to specific IP.
    • Web Application: next there is option for doing authenticated scans against a web application target. I did not explore this since I don’t have a test web application, yet.
    • Organization and Access: these two seem optional: Organization information and the ability to restrict access to this site to selected users.

Site Configuration

  • At this point you are ready to kick of your scan. Simply go back to your home page and find the “Scan Now” option towards the middle of the page. New window will come up and notice there you have the option to change Site; if you have multiple sites. But by default the site that you created in the previous step should be selected and you should see all of you assets (IPs) listed. And if you want to run the scan against all of those assets you kick it off by clicking “Start Now” but if you want to exclude some IPs or run it against only specific IP you can do that on this same screen.

Start New Scan

  • In the next screen you will be able to see the scan progress in real time.

Scan Progress

  • You will be able to see the scan results right after the scan completes. The scan results seen below are from a non-credentialed, exhausted scan against my lab machines.

Scan Results

  • The screenshot below shows the vulnerabilities tab of the web interface. You will notice the two columns that represent malware and exploit present; right before CVSS and Risk columns. This feature is different from Nessus but I like it. I think the commercial version of Nexpose allows you to take this to the next step and actually run an exploit.

Vulnerabilites

  • The last feature that I wanted to explore was reporting. By default, there are several report templates that are available for you to select from:

All Report Templates

  • By simply selecting the template that you want from above you can choose the file format (PDF, XML, Excel), the scope (individual scan, assets like, from filters) and lastly the report frequency.
  • Here is the same report from my lab asset group:

Sample Report

This concludes the basic, quick deployment and walk-through of the commercial Nexpose. By using the virtual appliance option, the deployment is almost effort-less. And even after the deployment, setting up assets and kicking off basic scans from templates is straight forward. I will continue to use it on my lab machines and will share any new things that I discover that are worth sharing with new users!

Tagged , ,

Nessus Scanner – Quick Setup

Unfortunately, after my last CDR post  – for some unrelated reason, I had my main lab system crash and now I have to rebuild most of the different lab machines that I had before. Obviously this is little frustrating because I had everything setup the way I wanted it and now I have to pretty much start from scratch. But to make this rebuilding process little more pleasant and productive, I think I am going to document and share some of the labs that I am going to build. Most of these are going to be pretty simple to setup without much difficulty using VMware Workstation. I am not going to go over setting up VMware Workstation since there are already a ton of YouTube videos on it.

First we are going to select the platform that we are going to use for most of these machines – our choice: Ubuntu 13 Desktop.

The first tool that we are going to install is Nessus vulnerability scanner. In the first CDR project, we used Nessus as one of our reconnaissances tool along with Nmap. However, this tool can be used in just your lab or home network for identifying vulnerabilities in your systems.

We are going to be installing the latest version of Nessus v6 Home – as of this post. For the operating system, we will choose Ubuntu 11.10, 12.04, 12.10, 13.04, 13.10, and 14.04 AMD64 and download the .deb package.

Here are the sequence of commands after you have downloaded the package and opened the appropriate download directory in the terminal.

Nessus_installationWe are pretty much done. The only thing you need to check is if the Nessus service is running. Usually, it starts automatically but you can verify by running: service nessusd status. If the output shows stopped then simply run the following to start it: service nessusd start.

After above, open your browser and type your ip and port 8834. You can find your ip address by running ifconfig in your terminal. My ip address on this machine is: 192.168.244.178.

LocalIP

 

You should get a similar page as above. Follow through the prompt and in couple screens you will have the option to create an initial account for your Nessus scanner. After that you will need to provide Plugin Feed Registration. For home use you can request the activation code by completing the following: http://www.tenable.com/products/nessus-home

After completing all the steps thus far – you are done with installing your Nessus scanner. Now you need to configure you scans. Following are the basic steps to configure a scan:

New Scan > Basic Network Scan > [Complete the General Page with the Name of the Scan and the target IPs]. On the left side you have additional scan options that you can play around with. After you are done with making your selections, simply hit save and your scan will automatically start. The scan duration depends on the number of IPs that you are scanning and if they are credentialed or  non-credentialed.

After your scan completes you will be able to see the scan results and drill down on each host to see the details on the findings.  Later you can also run just reports against previously ran scan.

This is pretty much all you need to do for the basic setup. Feel free to run more scans and try to run credentialed scan as they will provide most comprehensive vulnerability information and its also least intrusive on your target systems.

Until next time!

 

Tagged , ,

Physical Drive Image With Plugable USB Hub

The other day I was trying to image a physical 250GB desktop hard drive using FTK Imager but I continued to get the following error under status: Failed: The specified network name is no longer available. This was the first time that I received this error so first I was not sure what caused it. Here was my setup:

The error was little random in that it would fail at different places – anywhere between 2% – 13%. My first thought was that the docking station was bad; so I took out my WiebeTech write-blocker and attempted to image the drive again. But I received the same error at 6%. At this point I knew that the docking station was fine and that the problem had to be with either the FTK Imager software, Windows Server 2012 (my first time using Server 2012 during imagining) or the USB hub. I decided to start with the hub; I unplugged the docking station from the hub and connected it directly to the server’s USB port – skipping the hub completely. I started FTK Imager and began the imagining process – and to my surprise the imaging completed without any errors!

From the 7 ports provided by the hub, only one port was being utilized (connected only to the docking station) eliminating the possibility of overwhelmed hub. In fact, the hub worked fine when I copied large operating system .iso files from an external hard drive to the server. So, I am not sure where the problem is within the hub but in this situation I was unable to image a relatively small hard drive due to this hub.

Tagged