incident response tools - users.cs.jmu.edu

Post on 11-May-2022


Incident Response Tools

James Madison University Dept. of Computer Science

June 13, 2015

1 Introduction

Being successfully attacked is inevitable. A determined hacker WILL be able to penetrate your network.

The attacker, if they want to re-enter your network, will have to leave a backdoor somewhere. This means they will likely re-add guest accounts, disable firewall ports, and re-enable services that you had previously disabled (in the Windows Security Exercise... like FTP) to provide a means for them to access your computer easily.

In this chapter, we will briefly re-examine things talked about in the Windows Security Exercise that are relevant after an incident and then we will cover new tools that will help you investigate an incident.

All tools necessary are available on the Desktop of your IR Tools snapshot.

2 Services

Knowing what services are running on your Windows machine is very important, especially after being attacked. Having extra services running that are not necessary may add vulnerabilities to your machine and may allow an attacker to re-enter your network. The more services that are running on a machine, the more services you must protect and secure. By default, many software packages install many extra side services you do not want to be running, and as a good network administrator you must be aware of these.

2.1 What Services are running?

All Microsoft Windows Server Editions have a Graphical User Interface to help manage the machine's services. The GUI to manage what services are running can be accessed in the Start Menu under Administrative Tools by clicking on Services. Figure 1 shows how to access the services GUI from the start menu.

Figure 1: Click on Services to manage what services are running

By default, the list of services is long and difficult to sort through, but we will only be looking at a few choice things. By default, Windows Firewall is Disabled. This is a very important service. An attacker, wanting to regain access to your system later, may have disabled Windows Firewall. To turn it back on, double click on it, change "Disabled" to "Automatic", and then press "Start". Figure 2 shows how to do this.

Figure 2: Change Startup type to Automatic to turn the firewall on.

You may also notice that the File Transfer Protocol may be enabled. It is very important that this protocol, and Telnet, are disabled and they should always stay disabled. These protocols are used so remote users can authenticate and use your computer. Remote authentication is a standard practice, but FTP and Telnet do not do it securely. If you see SSH or Secure File Transfer Protocol, these services are okay to use. After an attacker enters your system they may re-enable FTP or Telnet in order to access your machine later. They may think that the system administrator may not notice since they were likely disabled to begin with. This is why it is so important to check and re-disable these services if they have been enabled.

3 Firewalls

All Windows distributions come with a built-in host-based firewall that you can configure. In the real world many companies buy expensive machines that serve solely as a firewall. Even though the Windows Firewall is not expensive, dedicated hardware, it is a great line of defense to keep attackers from accessing ports on your computer that may have a vulnerability. It will also protect your computer from attacks that originate from inside your network. It is very easy to understand how a firewall works. People connect to your computer through ports and a firewall blocks ports. An easy way to think about ports is as a lot of tiny mailboxes. Any time someone wants to communicate with your server they put mail in a particular mailbox. Each port is for a different purpose. A firewall will block these mailboxes so nobody can put anything in them. This decreases the surface area a hacker could attack you with.

Figure 3: Change Startup type to Automatic to turn the firewall on.

To use the Windows Firewall you must first enable it. Windows Firewall can be found in the Control Panel. After clicking on Windows Firewall you should see a user interface like the one in Figure 3. Change Windows Firewall from off to on and then click the Advanced tab at the top of the interface.

Figure 4: Click Settings and check Allow incoming echo request.

In the Advanced tab, click Settings within the ICMP settings. When the ICMP Settings user interface pops up, select Allow incoming echo requests and then OK. This allows other computers to ping your computer. Ping is special and does not use a port, but your firewall is still able to block it. Next click on the Exceptions tab at the top of the Windows Firewall. These instructions are reflected in Figure 4.

Click on the Add Port button in the Exceptions tab to add exceptions to the Firewall. By default Windows Firewall will block all ports and you will only open the ones you need. This is much easier than leaving all open and blocking the ones you don't want, because there are more than sixty-five thousand ports. Your computer will be running a Web server, and web servers generally use port 80 to communicate with computers that request web pages. Figure 5 shows you how to unblock port 80. After pressing OK in Windows Firewall, your Firewall changes will take effect and your firewall will be active. You should also do the same with port 23, which is Telnet (we will go into why later; yes, Telnet is insecure and in general should not be used, but we have a very specific reason).

Figure 5: Make sure to select TCP after pressing Add Port.

4 Command Line Tools

The command line is a powerful tool that can help a defender get important information quickly and easily. There is a little bit of a learning curve when using the command line, and almost nobody knows every command there is, but learning how to use a few basic commands is quick and easy. To open the command line, click to open the Start menu and click Command Prompt, or press Windows Key + R and type cmd.exe. In these tutorials we will only scratch the surface of the things these commands can do. If you want to learn more about a particular command, you can do so by typing "command help" into the terminal, where "command" is the command you want more information on.

4.1 netstat

Netstat is a powerful command line tool that lists important networking information about your computer. The main use for netstat is to show open network connections. To read comprehensive documentation about netstat you can read https://technet.microsoft.com/en-us/library/bb490947.aspx. Netstat will show who and what is currently connected to your computer. This is an extremely important thing to know. If an attacker was to hack your computer, they would have to communicate with your computer over the network in order to interact with it. Using netstat you could see if a hacker is currently connected to your computer and take steps to kick them out. In the command line window type netstat -an. The -an is used to specify exactly what information you want to show. -a means netstat will show all active connections. -n means netstat will show all ports your computer is listening for active connections on. After typing netstat -an and hitting enter your terminal should look similar to the command line window in Figure 6.

Figure 6: Output from a netstat -an command

This shows you what it looks like when there are no active connections, but what will it look like when you do have an active connection? In order to test this and see how netstat changes, open a web browser, enter google.com into the URL bar and hit enter. Re-enter netstat -an into the terminal and view how the output changes. There are now connections to a foreign address that you can see. This is because your computer establishes a connection with Google in order to communicate and ask Google to send you their web page. Open a new web page and see how netstat changes. It may sometimes be difficult to identify good versus bad connections on your computer. Generally a connection to a port that you should not need is bad. An example of this would be a web server that only needs to allow connections to port 80. Connections you see to port 80 are more than likely good, but if netstat shows a connection on port 21, 22, or 23 to a remote address then it is highly likely that your computer has been compromised. Also check for your computer connecting to a foreign address on high-numbered ports.
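The rules of thumb in this section (remote peers on ports 21, 22 or 23; connections to a foreign address on a high port; anything other than the expected port 80 on a web server) can be applied mechanically to the text netstat prints. The following is an added example, not part of the tutorial: it parses a constructed netstat -an listing and reports the findings; the expected-port set and the sample addresses are assumptions for the exercise.

```python
import re
from typing import Dict, List

# Constructed sample of `netstat -an` output (not captured from a real host).
# -a lists every connection and listening port, -n keeps addresses numeric.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        192.168.1.25:51522     ESTABLISHED
  TCP    192.168.1.10:23        203.0.113.7:40112      ESTABLISHED
  TCP    192.168.1.10:49231     198.51.100.9:4444      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Local ports the tutorial says a web server should never need: FTP, SSH, Telnet.
RISKY_LOCAL_PORTS = {21, 22, 23}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text: str) -> List[Dict]:
    """Turn `netstat -an` lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "local_addr": laddr, "local_port": int(lport),
                     "foreign_addr": faddr,
                     "foreign_port": int(fport) if fport.isdigit() else None,
                     "state": state or ""})
    return rows

def is_remote(addr: str) -> bool:
    """True for a real peer, not a wildcard or loopback placeholder."""
    return addr not in ("0.0.0.0", "*", "") and not addr.startswith("127.")

def triage(rows: List[Dict], expected_ports=frozenset({80})) -> List[str]:
    """Apply the tutorial's rules of thumb; one finding string per flagged connection."""
    findings = []
    for r in rows:
        if r["state"] != "ESTABLISHED" or not is_remote(r["foreign_addr"]):
            continue  # listeners and wildcard entries are not peers talking to us
        where = f"{r['local_addr']}:{r['local_port']} <-> {r['foreign_addr']}:{r['foreign_port']}"
        if r["local_port"] in RISKY_LOCAL_PORTS:
            findings.append(f"LIKELY COMPROMISED: remote peer on port {r['local_port']} {where}")
        elif r["local_port"] not in expected_ports and (r["foreign_port"] or 0) > 1023:
            findings.append(f"SUSPICIOUS: connection to foreign address on high port {where}")
    return findings
```

On a live host, pipe the real output in with `netstat -an > out.txt` and pass the file contents to `parse_netstat`; TCPView (Section 5.1) then tells you which process owns a flagged connection.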

4.2 ipconfig

ipconfig is a command line program that can be used to show the networking information of your computer. It will show things like your IP address, physical address, and DNS server.

Figure 7: Output from ipconfig /all command

This tool is not a great tool to keep hackers out of your computer. It is more a tool to use when you first sit down at your computer. It may be useful to note your IP address, DNS server, gateway, and physical address. These values are not static and you may notice them change, but if you notice these things changing often it may be a sign an attacker has played with your networking configuration.

5 Sysinternals

Sysinternals is a suite of free tools that help users better understand what is happening on the computer. They are all available, along with tutorials and documentation, at http://technet.microsoft.com/en-us/sysinternals/. In this document we will demonstrate a few of the best tools in the suite. If you wish to download all Sysinternals tools, you can at http://download.sysinternals.com/files/SysinternalsSuite.zip, but all tools are already installed to your desktop in the Sysinternals folder. What is covered in this tutorial is by no means comprehensive. The Sysinternals suite has so many uses and even the tools we cover have many uses beyond the scope of this tutorial. If you have extra time try loading up a tool that sounds interesting and see what you can figure out.

5.1 TCPView

TCPView is a program written by Microsoft that helps you see networking information for your computer. It is very similar to netstat but in a graphical form. It can be downloaded from http://download.sysinternals.com/files/TCPView.zip. To run it, double click on 'tcpview.exe' in the Sysinternals folder. The graphical user interface will show current, active TCP connections. If an attacker is communicating with your computer you may see a suspicious connection. An example of this would be something like Notepad.exe using a TCP port to communicate with a remote host. Notepad should never be communicating over the network.

Figure 8: TCPView of a default Windows 2003 Installation.

As you can see, Windows has a variety of services that use TCP. The majority of these do not have a Remote Address. This means that some processes on your computer are communicating, using TCP, with other processes on your computer. This is a standard practice and, for the most part, you will only need to be concerned with suspicious processes connecting to suspicious remote addresses. If you do notice a suspicious TCP connection you can easily right click on the process and click on End Process. It may be obvious that this tool is very similar to netstat. If you are in a hurry you might save time by using netstat, but TCPView is more powerful and has greater functionality beyond monitoring. You can easily see the process associated with each TCP connection, which is very helpful.

5.2 Process Monitor

Process Monitor, called procmon.exe in Sysinternals, is a program that can be used to show what resources each process is using. Many processes require the usage of different resources that are stored on your computer. Process Monitor will help you understand which resources each process is using. For the most part Process Monitor is an advanced tool that takes a lot of technical knowledge to understand what is really being shown, but knowing about this tool is important.

Figure 9 shows a usage for Process Monitor that does not require deep technical knowledge. Using the Process Tree, found in Tools, you can easily see how each process was created, and by what processes. This is extremely useful.

Figure 9: Process Tree example. See how processes were spawned.

Using Process Tree, you can look for suspicious child processes (processes created by others). For example, Firefox.exe should not be spawning Notepad.exe. Processes that have nothing to do with each other should not be spawning each other. If you see this you should investigate the processes using TCPView, as you may have been compromised. Spend some time looking at the process tree and noting how one process may spawn many others. Open a program and see how the Process Tree changes.
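The "Firefox.exe should not be spawning Notepad.exe" check generalises to walking each process's ancestors, which also catches a grandchild (browser spawns cmd.exe, which spawns something else). Added example, not part of the tutorial or of Process Monitor: the process listing and the two rule sets are constructed for the exercise.

```python
from typing import Dict, List, Tuple

# Constructed process listing (pid, parent pid, image name), as Process Tree shows it.
SAMPLE_PROCESSES = [
    (4, 0, "System"),
    (500, 4, "winlogon.exe"),
    (600, 500, "explorer.exe"),
    (1200, 600, "firefox.exe"),
    (1300, 1200, "notepad.exe"),   # the tutorial's example: a browser spawning an editor
    (1400, 1200, "cmd.exe"),
    (1500, 1400, "ftp.exe"),       # grandchild of the browser, caught via the ancestor walk
    (1600, 600, "notepad.exe"),    # launched from the desktop: normal
]

# Assumed rule set for the exercise: these parents have no business launching these children.
UNEXPECTED_PARENTS = {"firefox.exe", "iexplore.exe", "winword.exe"}
UNEXPECTED_CHILDREN = {"notepad.exe", "cmd.exe", "ftp.exe", "telnet.exe"}

def index_by_pid(procs) -> Dict[int, Tuple[int, str]]:
    return {pid: (ppid, name) for pid, ppid, name in procs}

def ancestry(by_pid: Dict[int, Tuple[int, str]], pid: int) -> List[str]:
    """Image names walking up from `pid` to the root; guards against pid-reuse cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, name = by_pid[pid]
        chain.append(name)
        pid = ppid
    return chain

def find_suspicious_spawns(procs) -> List[Tuple[int, str, str]]:
    """(pid, image, offending ancestor) for each unexpected child under an unexpected parent."""
    by_pid = index_by_pid(procs)
    hits = []
    for pid, ppid, name in procs:
        if name.lower() not in UNEXPECTED_CHILDREN:
            continue
        for ancestor in ancestry(by_pid, ppid):
            if ancestor.lower() in UNEXPECTED_PARENTS:
                hits.append((pid, name, ancestor))
                break
    return hits
```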

5.3 Autoruns

One thing an attacker will likely do after hacking a computer is adding in a mechanism to get back into the computer when it is turned off and on. This means the attacker has to set the computer to run a certain program on startup, otherwise once you turn a computer off all of the attacker's work is gone. To do this they will add a file to an autorun directory or to the Registry. Usually, when applications wish to run at startup, they will be added in msconfig to the autorun tab. Checking this autorun tab is a good start but is not enough. An attacker who knows Windows internals will know there are many places they can put code that they want to be run at start-up. In fact, there are so many places it would take too long to do this manually. Autoruns is an application that can be used to show ALL programs that will run at start-up. Figure 10 shows how to view all Autorun programs. Open autoruns.exe and select the Everything tab.

Figure 10: Show all processes that are autorun.

In this Everything tab you should see a lot of things that run at startup that are required for the computer to work properly. They are part of the Windows Operating System. Like the other Sysinternals tools, you should be looking for suspicious programs that auto-run. Suspicious programs would include Services that are being started that you know should not be required. If an FTP Server is started when you do not need FTP (you should never need FTP), or if a strange looking .exe is started, you need to investigate this and possibly remove it. Check to see if it is listening for incoming connections with netstat and check TCPView to see if the process has a remote connection to it. Nothing is currently hidden in an autorun directory. There is nothing for you to remove with this tool, but there are many things that run at startup. Take a look around at them. All the functionality that your computer has is accomplished with programs that run at startup. It may be a good idea to familiarize yourself with what a normal set-up looks like, and then look for things that are out of place when the time comes.

5.4 RootkitRevealer

Sometimes a hacker will use sophisticated software to hide their presence on the machine. For example, the software may change the netstat command output to filter out the hacker's connection to your computer. Anyone who uses the netstat command will see regular output from the command, but the hacker's connection will be mysteriously missing. Programs that do this are called Rootkits. They are extremely dangerous and can be difficult to find. In Sysinternals, RootkitRevealer.exe can be used to help locate these.

Figure 11: Show all processes that are autorun.

Figure 11 shows how to start a scan and tell your computer to begin looking for rootkits. RootkitRevealer works by asking for the same information from a lot of different places and trying to find discrepancies. For example, it may ask for open TCP connections. To do this, RootkitRevealer may use netstat, but also ask the underlying operating system. If there is a discrepancy in the information that is returned, RootkitRevealer will alert you and look for the root cause. RootkitRevealer, if it finds a well-known rootkit, will also easily allow you to remove it. Rootkits are extremely powerful tools and have gotten extremely advanced and easy to use in the last few years. RootkitRevealer may help, but as a defender you really do not want to be in a position where you have to remove a rootkit. If RootkitRevealer doesn't help, you may have a difficult road ahead of you. Remember that, although this is a powerful tool and will do a good job detecting rootkits, it is not foolproof. There is always a chance of a false positive when scanning.

6 Event Viewer

The Event Viewer is used to view logs as they are generated on your computer. Your computer, by default, logs many things, like successful logins to your computer. What the computer logs can be changed to log more information or to log less information. This is a tradeoff. The more things you log, the more system resources you must dedicate to logging (processing power, writing to disk, and space). Log too little and you are unable to determine what happened if someone hacks your computer. This is an important tradeoff. You can access the Event Viewer in the Computer Management window in Administrative Tools. To change exactly what is logged, you must access the Local Security Policies, in Administrative Tools.

6.1 Change What Is Logged

By default, Windows does not log enough. We would at least like to see failed login attempts instead of only successful ones. To make Windows log these:

Figure 12: How to add failed login attempts. Remember to press 'apply'

You can view these attempts and see much more information in the event viewer like in Figure 13. Double clicking events in the Event Viewer will provide you with more information. Using the Event Viewer, you may be able to notice if you have been compromised. For example, if you notice many unsuccessful login attempts at one certain time, followed by a successful attempt, it would be a good idea to look further into the incident and reset that user's password.

Figure 13: How to add failed login attempts. Remember to press 'apply'
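The pattern the section describes, a burst of failed logons followed by a success for the same account, is easy to hunt for once the logon events are in a simple table. Added example, not part of the tutorial: the records, the five-failure threshold and the five-minute window are constructed assumptions; on a real host you would export the Security log and map each event to these four fields.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed logon records (time, account, source address, outcome); not real event data.
SAMPLE_EVENTS = [
    ("2015-06-13 09:00:01", "alice", "192.168.1.25", "success"),
    ("2015-06-13 11:14:02", "admin", "203.0.113.7", "failure"),
    ("2015-06-13 11:14:03", "admin", "203.0.113.7", "failure"),
    ("2015-06-13 11:14:05", "admin", "203.0.113.7", "failure"),
    ("2015-06-13 11:14:06", "admin", "203.0.113.7", "failure"),
    ("2015-06-13 11:14:08", "admin", "203.0.113.7", "failure"),
    ("2015-06-13 11:14:09", "admin", "203.0.113.7", "success"),
    ("2015-06-13 12:30:00", "bob", "192.168.1.30", "failure"),   # one typo, success much later
    ("2015-06-13 12:45:00", "bob", "192.168.1.30", "success"),
]

def parse_events(rows) -> List[Dict]:
    return [{"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
             "user": u, "source": s, "outcome": o} for t, u, s, o in rows]

def find_bruteforce_logons(events: List[Dict], min_failures: int = 5,
                           window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Flag each success preceded by >= min_failures failures for the same account inside `window`."""
    events = sorted(events, key=lambda e: e["time"])
    recent: Dict[str, List[datetime]] = {}   # account -> failure timestamps still in the window
    findings = []
    for e in events:
        fails = [t for t in recent.get(e["user"], []) if e["time"] - t <= window]
        if e["outcome"] == "failure":
            fails.append(e["time"])
        elif len(fails) >= min_failures:
            findings.append({"user": e["user"], "source": e["source"],
                             "failures": len(fails), "time": e["time"]})
            fails = []   # the burst has been reported; start counting afresh
        recent[e["user"]] = fails
    return findings
```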

7 Valhalla Honeypots

Honeypots are traps that defenders set on their network in order to attract hackers and allow defenders to easily identify who is malicious on their network. The concept is straightforward. A defender creates a Virtual Machine or a real machine and puts it on their network. The defender makes it look like this machine is very old and vulnerable to attacks (low hanging fruit). Hackers are lazy, so low hanging fruit is very desirable. Since a regular user on the network will never have a need to access the honeypot, any computer that contacts the honeypot is likely compromised. There are different levels of interaction that a honeypot can have. A low interaction honeypot will fool vulnerability scanners but a hacker will never be able to hack or 'log-in'. High interaction Honeypots will fool vulnerability scanners but will also give the attacker the illusion that they can log-in or hack the computer. There is a lot of software out there that allows you to easily set up a honeypot on a Windows machine. We will be using software called Valhalla to create honeypots. Valhalla is capable of creating low-interaction and high-interaction honeypots. To use Valhalla, open the Valhalla directory on the desktop and double click the .exe file. Next, click the Server Config button on the left side.

Figure 14: Valhalla Server Config GUI

After opening the Server Config GUI, press the Options button for Web Server, FTP Server, and TELNET Server. Select the Enable buttons you see in Figure 15 and the No Login required button.

Figure 15: Valhalla Server Config GUI

After clicking the Enable buttons you can X out of the windows and click "Monitoring".

Figure 17: Valhalla monitoring.

Now to test this we can run the TELNET client from the Command Prompt. Within the Command Prompt, type "telnet 127.0.0.1" (as shown in figure 16) and hit ENTER.

Figure 16: Telnet command within Command Prompt

This will now establish a connection with your Honeypot, which can be seen within the Valhalla monitoring window. If you type commands (none of which should work or do much) they will also be logged by the Honeypot.

Figure 19: The honeypot at work.

Above was the TELNET part of the Honeypot, but what about WEB? Stop the monitoring, go back to the WEB client portion of Server Config and go to the Options. Make sure the Folder is "c:\inetpub\wwwroot" and the Index Page is "index.html" as shown in figure 20.

Figure 20: WEB Client Options

Press Start, click Run, type cmd.exe and hit Enter. This will cause a Command Prompt to open. Next, type echo "Text Webpage" > C:\inetpub\wwwroot\index.html. This will create a new file, called index.html, that contains "Text Webpage".

After this you can X out of the Valhalla configuration windows and click "Monitoring".

The point of this is that you configured Valhalla to have a Web server honeypot. This page will be sent to anyone who tries to access your computer on Port 80, because web servers always run on Port 80. To test this, open up a web browser, and in the URL bar type "http://localhost".
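The TELNET honeypot above is a low-interaction service: no login required, every command is accepted and logged, and none of them does anything. Added example of that behaviour, written here and not Valhalla's own code: the banner, the hostname and the sample transcript are constructed, and it listens on 2323 rather than 23 so it can be tried without administrator rights.

```python
import io
import socketserver
from datetime import datetime, timezone

# Fake banner and prompt; the hostname is made up for the exercise.
BANNER = b"Welcome to FTP-SERVER01 (Windows Server 2003)\r\nC:\\> "
SESSION_LOG = []  # (utc timestamp, peer address, command) tuples

def handle_session(rfile, wfile, peer: str, log: list) -> int:
    """Low-interaction session: accept anything, record it, execute nothing. Returns command count."""
    wfile.write(BANNER)
    wfile.flush()
    count = 0
    while True:
        line = rfile.readline()
        if not line:            # peer disconnected
            break
        cmd = line.rstrip(b"\r\n").decode("latin-1", "replace")
        log.append((datetime.now(timezone.utc).isoformat(), peer, cmd))
        count += 1
        if cmd.lower() in ("exit", "quit"):
            break
        # Like the Valhalla server in the tutorial: every command "fails", every command is logged.
        wfile.write(b"'" + cmd.encode("latin-1", "replace")
                    + b"' is not recognized as an internal or external command.\r\nC:\\> ")
        wfile.flush()
    return count

class HoneypotHandler(socketserver.StreamRequestHandler):
    def handle(self):
        handle_session(self.rfile, self.wfile, self.client_address[0], SESSION_LOG)

def run_honeypot(host: str = "127.0.0.1", port: int = 2323) -> None:
    """Serve until interrupted; try it with `telnet 127.0.0.1 2323`."""
    with socketserver.ThreadingTCPServer((host, port), HoneypotHandler) as srv:
        srv.serve_forever()

def replay(transcript: bytes, peer: str = "203.0.113.7"):
    """Drive handle_session offline on a constructed transcript: (command count, log, bytes sent back)."""
    log, out = [], io.BytesIO()
    n = handle_session(io.BytesIO(transcript), out, peer, log)
    return n, log, out.getvalue()

if __name__ == "__main__":
    run_honeypot()
```

Because no legitimate user has any reason to connect, a single entry in the log is already the signal the section describes; the recorded peer address is the machine to investigate next.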

8 Conclusion

Responding to an incident can be difficult. Piecing together what happened can be extremely challenging and it is possible that you may never have a complete picture of what happened. This tutorial showed basic re-hardening and incident response tools, but there is still much to learn in the future. There was nothing to remove in this exercise because it is a very good idea to see what a non-compromised computer looks like, before you try to decide whether a different computer is compromised. More advanced incident response techniques will all differ depending on what you wish to do following the incident. If you wish to build a case and press charges against the individuals responsible, your course of action will be very different than if you only want your computer to be safe from outsiders.