Toolsmith Tidbit: Windows Auditing with WINspect

WINSpect recently hit the toolsmith radar screen via Twitter, and the author, Amine Mehdaoui, just posted an update a couple of days ago, so no time like the present to give you a walk-through. WINSpect is a Powershell-based Windows Security Auditing Toolbox. According to Amine's GitHub README, WINSpect "is part of a larger project for auditing different areas of Windows environments. It focuses on enumerating different parts of a Windows machine aiming to identify security weaknesses and point to components that need further hardening. The main targets for the current version are domain-joined windows machines. However, some of the functions still apply for standalone workstations."
The current script feature set includes audit checks and enumeration for:

• Installed security products
• World-exposed local filesystem shares
• Domain users and groups with local group membership
• Registry autoruns
• Local services that are configurable by Authenticated Users group members
• Local services for which corresponding binary is writable by Authenticated Users group members
• Non-system32 Windows Hosted Services and their associated DLLs
• Local services with unquoted path vulnerability
• Non-system scheduled tasks
• DLL hijackability
• User Account Control settings
• Unattended installs leftovers

I can see this useful PowerShell script coming in quite handy for assessment using the CIS Top 20 Security Controls. I ran it on my domain-joined Windows 10 Surface Book via a privileged PowerShell and liked the results.

The script confirms that it's running with admin rights, checks PowerShell version, then inspects Windows Firewall settings. Looking good on the firewall, and WINSpect tees right off on my Window Defender instance and its configuration as well.

Not sharing a screenshot of my shares or admin users, sorry, but you'll find them enumerated when you run WINSpect.

 WINSpect then confirmed that UAC was enabled, and that it should notify me only apps try to make changes, then checked my registry for autoruns; no worries on either front, all confirmed as expected.

WINSpect wrapped up with a quick check of configurable services, SMSvcHost is normal as part of .NET, even if I don't like it, but the flowExportService doesn't need to be there at all, I removed that a while ago after being really annoyed with it during testing. No user hosted services, and DLL Safe Search is enable...bonus. Finally, no unattended install leftovers, and all the scheduled tasks are normal for my system. Sweet, pretty good overall, thanks WINSpect. :-)

Give it a try for yourself, and keep an eye out for updates. Amine indicates that Local Security Policy controls, administrative shares configs, loaded DLLs, established/listening connections, and exposed GPO scripts on the to-do list. 

Cheers...until next time.

toolsmith: Hey Lynis, Audit This

Prerequisites/dependencies

Unix/Linux operating systems

Introduction

Happy holidays to all readers, the ISSA community, and infosec tool users everywhere. As part of December’s editorial theme for the ISSA Journal, Disaster Recovery/Disaster Planning, I thought I’d try to connect tooling and tactics to said theme. I’m going to try and do this more often so you don’t end up with a web application hacking tool as part of the forensics and analysis issue. I can hear Tom (editor) and Joel (editorial advisory board chair) now: “Congratulations Russ, it only took you seven years to catch up with everyone else, you stubborn git.” :-)

Better late than never I always say, so back to it. As cited in many resources, including Georgetown University’s System and Operations Continuity page, “Of companies that had a major loss of business data, 43% never reopen, 51% close within two years, and only 6% will survive long-term.” Clearly then, a sound disaster recovery and planning practice is essential to survival. The three control measures for effective disaster recovery planning are preventive, detective, and corrective. This month we’ll discuss Lynis, a security and system auditing tool to harden Unix/Linux (*nix) systems, as a means to which facilitate both preventative (intended to prevent an event from occurring) and detective (intended to detect and/or discover unwanted events) controls. How better to do so than with a comprehensive and effective tool that performs a security scan and determines the security posture of your *nix systems while providing suggestions or warning for any detected security issues? I caught wind of Lynis via toolswatch, a great security tools site that provides quick snapshots on tools useful to infosec practitioners. NJ Ouchn (@ToolsWatch), who runs toolswatch and the Blackhat Arsenal Tools event during Blackhat conferences, mentioned a new venture for the Lynis author (CISOfy) so it seemed like a great time to get the scoop directly from Rootkit.nl’s Michael Boelen, the Lynis developer and project lead.

According to Michael, there is much to be excited about as a Lynis Enterprise solution, including plugins for malware detection, forensics, and heuristics, is under development. This solution will include the existing Lynis client that we’ll cover here, a management and reporting interface as well as related plugins. Michael says they’re making great progress and each day brings them closer to an official first version. Specific to the plugins, while a work in progress, they create specialized hooks via the client. As an example, imagine heuristics scanning with correlation at the central node, to detect security intrusions. Compliance checking for the likes of Basel II, GLBA, HIPAA, PCI DSS, and SOx is another likely plugin candidate.
The short term roadmap consists of finishing the web interface, followed by the presenting and supporting documents. This will include documentation, checklists, control overviews and materials for system administrators, security professionals and auditors in particular. This will be followed by the plugins and related services. In the meantime CISOfy will heavily support the development of the existing Lynis tool, as it is the basis of the enterprise solution. Michael mentions that Lynis is already being used by thousands of people responsible for keeping their systems secure.
A key tenet for Lynis is proper information gathering and vulnerability determination/analysis in order to provide users with the best advice regarding system hardening. Lynis will ultimately provide both auditing functionality but monitoring and control mechanisms; remember the above mentioned preventative and detective controls? For monitoring, there will be a clear dashboard to review the environment for expected and unexpected changes with light touch for system administrators and integration with existing SIEM or configuration management tools. The goal is to leverage existing solutions and not reinvent the wheel.

Lynis and Lynis Enterprise will ultimately provide guidance to organizations who can then more easily comply with regulations, standards and best practices by defining security baselines and ready-to-use plans for system hardening in a more measurable and action-oriented manner.
One other significant advantage of Lynis is how lightweight it is and easy to implement. The requirements to run the tool are almost non-existent and it is, of course, open source, allowing ready inspection and assurances that it’s not overly intrusive. Michael intends to provide the supporting tools (such as the management interface) as a Software-as-as-Service (SAAS) solution, but he did indicate that, depending on customer feedback and need, CISOfy might consider appliances at a later stage.

I conducted an interesting little study of three unique security-centric Linux distributions running as VMWare virtual machines to put Lynis through its paces and compare results, namely, SIFT 2.1.4, SamuraiWTF2.1, and Kali 1.0. Each of these was assessed as pristine, new instances, as if they’d just been installed or initialized.

Setting Lynis up for use

Lynis is designed to be portable and as such is incredibly easy to install. Simply download and unpack Lynis to a directory of your choosing. You can also create custom packages if you wish; Lynis has been tested on multiple operating systems including Linux, all versions of BSD, Mac OS X, and Solaris. It's also been tested with all the package managers related to these operating systems so deployment and upgrading is fundamentally simple. To validate its portability I installed it on USB media as follows.

1)      On a Linux system downloaded lynis-1.3.5.tar.gz

2)      Copied and unpacked it to /media/LYNIS/lynis-1.3.5 (an ext2-formatted USB stick)

3)      In VMWare menu, selected VM, then Removable Devices, and checked Toshiba Data Traveler to make my USB stick available to the three virtual machines mentioned above.

You can opt to make modifications to the profile configuration (default.prf) file to disable or enable certain checks, and establish a template for operating system, system role, and/or security level. I ran my test on the three VMs with the default profile.

Using Lynis

This won’t be one of those toolsmith columns with lots of pretty pictures, we’re dealing with a command prompt and text output when using the Lynis client. Which is to say, change directories to your USB drive, suxh as cd /media/LYNIS/lynis-1.3.5 on my first test instance, followed by sh lynis –auditor HolisticInfoSec –c from a root prompt as seen in Figure 1.

FIGURE 1: Lynis kicking off

You can choose to use the –q switch for quiet mode which prompts only on warnings and doesn’t require you to step through each prompted phase. Once Lynis is finished you can immediately review results via /var/log/lynis-report.dat and grep for suggestions and warnings. You’re ultimately aiming for a hardening index of 100. Unfortunately our first pass on the Kali system yielded only a 50. Lynis suggested installing auditd and removing unneeded compilers. Please note, I am not suggesting you actually do this with your Kali instance, fine if it’s a VM snapshot, this is just to prove my point re: Lynis findings. Doing so did however increase the hardening index to a 51. J

Lynis really showed its stuff while auditing the SANS SIFT 2.1.4 instance. The first pass gave us a hardening index of 59 and a number of easily rectified warnings. I immediately corrected the following and ran Lynis again:

• warning[]=AUTH-9216|M|grpck binary found errors in one or more group files|
• warning[]=FIRE-4512|L|iptables module(s) loaded, but no rules active|
• warning[]=SSH-7412|M|Root can directly login via SSH|
• warning[]=PHP-2372|M|PHP option expose_php is possibly turned on, which can reveal useful information for attackers.|

Running grpck told me that 'sansforensics' is a member of the 'ossec' group in /etc/group but not in /etc/gshadow. Easily fixed by adding ossec:!::sansforensics to /etc/gshadow.

I ran sudo ufw enable to fire up active iptables rules, then edited /etc/ssh/sshd_config with PermitRootLogin no to ensure no direct root login. Always do this as root will be bruteforce attacked and you can sudo as needed from a regular user account with sudoers permissions. Finally changing expose_php to Off in /etc/php5/apache2/php.ini solves the PHP finding.

Running Lynis again after just these four fixes improved the hardening index from 59 to 69. Sweet!

Last but not least, an initial Lynis run against SamuraiWTF informed us of a hardening index of 47. Uh-oh, thank goodness the suggestion list per sudo cat /var/log/lynis-report.dat | grep suggestion gave us a lot of options to make some systemic improvements as seen in Figure 2.

FIGURE 2: Lynis suggests how the Samurai might harden his foo

Updating just a few entries pushed the hardening index to 50; you can spend as much time and effort as you believe necessary to increase the system’s security posture along with the hardening index

The end of a Lynus run, if you don’t suppress verbosity with the –q switch will result in the like of Figure 3, including your score, log and report locations, and tips for test improvement.

FIGURE 3: The end of a verbose Lynis run

Great stuff and incredibly simple to utilize!

Conclusion

I’m looking forward to the Lynis Enterprise release from Michael’s CISOfy and believe it will have a lot to offer for organizations looking for a platform-based, centralized means to audit and harden their *nix systems. Again, count on reporting and plugins as well as integration with SIEM systems and configuration management tools such as CFEngine. Remember too what Lynis can do to help you improve auditability against controls for major compliance mandates.

Good luck, and wishing you all a very Happy Holidays.

Stay tuned to vote for the 2013 Toolsmith Tool of the Year starting December 15^th.

Ping me via email if you have questions (russ at holisticinfosec dot org).

Cheers…until next month.

Acknowledgements

Michael Boelen, Lynis developer and project lead

toolsmith: Implementing Redmine for Secure Project Management

Prerequisites/dependencies

VMWare for this methodology or a dedicated installation platform if installed from ISO

Introduction

From Redline for March’s toolsmith to Redmine for April’s, we’ll change pace from hacker space to the realm of secure project management. Following is a shortened version of a much longer Redmine study written for the SANS Reading Room as part of graduate school requirements and released jointly with ISSA.

Security and collaborative project management should not be exclusive. Software designed to support secure project management and security-oriented projects can be both feature rich and hardened against attacks. Web applications such as Redmine offer just such a solution and can embrace the needs of project managers and security practitioners alike. Redmine is project management and bug tracking software built on Ruby on Rails with a focus on collaboration, functionality, and when enhanced with specific plugins, can be configured securely to facilitate security-oriented projects. As a productivity platform, Redmine allows convenient team workflow while embracing the needs of virtual or mobile project members with a focus on socially oriented processes. We’ll explore the secure implementation and configuration of a Redmine server, and then transition into step-by-step details for managing a real world web application penetration testing project using Redmine. This will include the distribution of a virtual machine ready-built for real world use during such projects, pre-configured with a project template based on workflow in the SANS 542 Web Application Penetration Testing course.

From the TurnKey Redmine Web page: “Redmine is a Rails web application that provides integrated project management features, issue tracking, and support for multiple version control programs. It includes calendar and Gantt charts to aid visual representation of projects and their deadlines. It also features multi-project support, role based access control, a per-project wiki, and project forums”. Additionally, a tool such as Redmine allows the convergence of software and security testing. As a software configuration management (SCM) tool, Redmine is ideally suited to projects related to software development. That said, the security expertise required to security test software needs equal consideration and project management. “Sometimes security, or pen-testers for short - work on the same test team as functionality testers; other times, pen-testers work as security consultants and are hired by the software development company to perform security tests”[1]. Regardless of who solicits the use of pen-testers, the related pen-test is a project, and Redmine is the ideal application to provide the agile, flexible platform pen-testers need to coordinate their efforts with the help of a PM or team lead.

Installation

Redmine installation and configuration using a TurnKey Linux Redmine appliance built on a Debian-based Linux distribution, is reasonably straightforward. Your ability to install a Linux operating system from an ISO file on a dedicated machine, or configuring a VMware virtual machine is assumed. It is also assumed you have control of or access to an Active Directory domain for LDAP authentication to Redmine, as it allows for more robust user management. As referenced later, the IP address of the Redmine instance was 192.168.248.16 and 192.168.248.248 for the domain controller. The stable version of the TurnKey virtual Redmine appliance (version 12) running on a lean instance of Debian Squeeze (CLI only, no X11 GUI) via VMWare Workstation 9 was utilized for this research. Note, readers will find running the shell via Putty or a client where you can cut and paste installation strings easier as the VMWare tools aren’t effective without the GUI. This TurnKey Redmine appliance relies on Passenger, a module for Apache that hosts Ruby on Rails applications, and supports the use of SSL/TLS (configured by default) and ModSecurity for better security.

As of this writing the current version of Redmine was 2.2.1 and will be described herein. The installed version of Redmine on the TurnKey appliance is 1.4.4; this guidance will include its upgrade to Redmine 2.2.1.

First, download the Turnkey Linux VM appliance and open it in VMWare.  The first boot routine will ask you to create passwords for the root account, the MySQL root user, and the Redmine admin. When the routine completes you should be presented the TurnKey Linux Configuration Console as seen in Figure 1.

FIGURE 1: TurnKey Linux Configuration Console

In the Hardening section, the process of disabling the services you don’t intend to use will be discussed. Take a snapshot of the virtual machine at this point and name the snapshot Base Install.

Update the Redmine version from a command prompt on the Redmine server as follows:

1.                   apt-get update

2.                   apt-get upgrade

3.                   apt-get install locate

4.                   updatedb

5.                   cd /var/www

6.                   mv redmine redmine -old

7.                   hg clone --updaterev 2.0-stable https://bitbucket.org/redmine/redmine-all redmine

8.                   cp redmine -old/config/database.yml redmine/config/database.yml

9.                   cp -r redmine-old/files/ redmine/files/

10.               chown -R root:www-data /var/www/ redmine

11.               cd redmine

12.               gem install bundler

13.               gem install test-unit

14.               bundle install --without development test rmagick

15.               mkdir public/plugin_assets

16.               rake generate_secret_token

17.               rake db:migrate RAILS_ENV=production

18.               chown -R www-data:www-data files log tmp public/plugin_assets

19.               rake redmine:plugins:migrate RAILS_ENV=production

20.               chmod -R 755 files log/ tmp/ public/plugin_assets

21.               rake tmp:cache:clear

22.               rake tmp:sessions:clear

Run the script /var/www/redmine/script/about to confirm the version upgrade.

LDAP authentication is inherent to Redmine but requires a bit of setup. The example Active Directory domain name utilized via a virtual Windows Server 2008 domain controller was REDMINE. The user redminer was established as the service-like account utilized by Redmine to access the directory. Do not user a domain administrator account for this user. Should your Redmine instance be compromised so too then would be your domain. Via your browser, as the Redmine admin user, navigate to Administration then LDAP Authentication. Refer to the Redmine LDAP Authentication page via the Redmine WIKI but refer to the following example configuration as successfully utilized for this research seen in Figure 2.

FIGURE 2: LDAP Configuration

Select Save then, assuming a correct configuration, you should receive indication of a successful connection when you click Test on the resulting Authentication Modes page.

Refer to the SANS Reading Room version regarding additional installation and hardening steps and don’t skip! These are important:

·         Installation

o   Pixel Cookers theme for a streamlined, tech-centric look as well as the

o   Email settings

o   Plugin installation (Ldap Sync, Scrum2B, Screenshot, Monitoring & Controlling)

·         Hardening

o   Disable unnecessary services

o   Tighten down SSH

o   Restrict Redmine web access to HTTPS only

o   Implement UFW (the uncomplicated firewall)

Engaging With Redmine

Following is a step by step description of a penetration testing engagement where Redmine is utilized to provide project support for a team of three.

The first and most important steps to undertake are the elimination of all unwanted permissions for the Non member and Anonymous roles. Login to Redmine as the admin user and select Administration | Roles and permissions | Non member | Uncheck all | Save. Repeat this process for the Anonyomous roles. These steps will ensure that you don’t inadvertently expose project data to those who don’t have explicit permission to view it. Next, to add users for this project, select Administration | Groups to add a group called PenTesters.  From Administration | Users add three users with appropriately defined login names pentester1 (Fred), pentester2 (Wilma), pentester3 (Barney), and pentestpm (BamBam) and add them to the PenTesters group. Remember these users need to also have been created in the domain you’re utilizing for LDAP authentication. Via the Administration menu, under Projects, create a project called Web Application Pentest. The activities related to this project are drawn directly from tasks outlined in the SANS 542: Web App Penetration Testing and Ethical Hacking course as well as the Samurai Web Testing Framework. Select all Modules and Trackers for the project. You’ll note that Monitoring and Controlling by Project and Scrum2b are available as implemented during the installation phase described earlier. These plugins will be described in more detail as their use is inherent to agile project management for projects such as penetration testing.

Redmine allows the creation of subprojects as well; the Web Application Pentest project should be divided into four subprojects named as follows: 1-Recon, 2-Mapping, 3-Discovery, and 4-Exploitation. Add each of them from Redmine Web Application Pentest project page and remember to enable all Modules and Trackers.

Add the user accounts for the three penetration testers and the project PM user as project and subproject members via the Members tab as seen in Figure 3.

FIGURE 3: Pen-test Project Members

Return to the project overview, select 1-Recon under subprojects, and add a new issue. File a bug for each recon phase task you’d like completed, with the applicable start and due dates. You can upload related files, screenshots (thanks to the plugin installed earlier), and designate an assignee, as well as watchers.

Under Settings for each project or subproject you define you can establish issue categories. This is an ideal method by which to establish penetration testing activities for each subproject. As an example, the recon phase of a web application penetration test includes general recon along with DNS and Whois lookups, search engine analysis, social network analysis, and location analysis. Establishing each of these as issues categories will then allow bugs (tasks) to be filed specific to each category. Each bug can in turn be assigned a pen-tester with start and end dates, along with files that might be useful to complete the task. Location analysis could include gleaning location data from victim Tweets as described in Violent Python[2]. Twitter provides an API to developers which allows information gathering about individuals (potential penetration test targets). A script from Violent Python to help in this information gathering can be uploaded into the Redmine bug, Location data from Tweets as seen in Figure 4.

FIGURE 4: Bug (task) assigned to Fred, with helper code

As bugs are added, assigned, and/or updated, if configured to communicate verbosely, Redmine will email notices to the appropriate parties. The email as seen in Figure 5 was received as a function of filing the bug in Figure 4.

FIGURE 5: Email notice for bug (task) filed

This allows real-time communication among penetration testers or any project participants defined in your Redmine deployment. As pen-testers generate findings, they can be uploaded to the associated bug, and if versioning is required, managed via the Mercurial SCM offering as described during installation.

Bug status can be tracked as New, In Progress, Resolved, Feedback, and Closed or Rejected, and each bug can be assigned a priority and estimated time. As completed, actual time spent on each bug can be tracked too. Overall project time allotments as defined in the bug then track quite nicely via the Redmine Gantt functionality as seen in Figure 6.

FIGURE 6: Redmine Gantt functionality

Scrum2b

The concept of agile software development has, over time, been applied directly to project management. Consider the use of Scrum methodology as part of agile project management. According to Agile Project Management with Scrum, “the heart of Scrum lies in the iteration. The team takes a look at the requirements, considers the available technology, and evaluates its own skills and capabilities. It then collectively determines how to build the functionality, modifying its approach daily as it encounters new complexities, difficulties, and surprises. The team figures out what needs to be done and selects the best way to do it. This creative process is the heart of the Scrum’s productivity”[3]. These creative processes, assessment of capabilities, and changing complexities and surprises are also inherent to any penetration test and as such, the agile project management framework is an ideal way to coordinate pen-test projects. The Scrum2b plugin for Redmine is well suited to answer this calling. If each phase of the pen-test is considered a sprint as defined by the Scrum process, the planning and awareness necessary to support the sprint is essential. The Scrum2b interface is a virtual Scrum Board that allows project participants to track activities by bug and members while editing the bug on the fly with the appropriate permission. The pentestpm user, as project manager, could adjust task’s percentage of completion right from Scrum2b using the time slider.

FIGURE 7: Scrum2b Scrum Board for pen-testers

If the assignee needs to jump right to the bug, the plugin is fully hyperlink enabled. The Scrum Board allows filtering the view by members and issues. New issues can also be added right from the Scrum Board.

Monitoring & Controlling

All projects require the right balance of monitoring and controlling, and penetration tests are no exception. The Monitoring and Controlling Project Work process includes “gathering, recording, and documenting project information that provides project status, measurements of progress, and forecasting to update cost and schedule information that is reported to stakeholders, project team members, management, and others”[4]. The Monitoring & Controlling plugin for Redmine shines in this capacity. Established as a convenient left-pane menu item with the Pixel Cookers theme, this plugin creates a dashboard for project data organized by Tasks Management, Time Management, and Human Resource Management. Tasks Management tracks Tasks by Status, Tasks by Category, and Task Management (manageability). Applied again to the context of a pen-test project, Figure 8 represents the Recon phase of a pen-test.

FIGURE 8: Monitoring & Controlling Tasks Management

Refer again to the SANS Reading Room version, page 17, for more regarding Time & Human Resources Management with the Redmine Monitoring & Controlling plugin.

In Conclusion

Project management includes a certain amount of tedium, but Redmine configured with the aforementioned plugins allows for a refreshing, dynamic approach to the overall secure project management lifecycle. While no system is ever absolutely secure (a serious Ruby on Rails SQL injection flaw was disclosed as this paper was written), the appropriate hardening steps can help ensure enhanced protection. Steady maintenance and diligence will also serve you well. The convenience of an implementation such as TurnKey Redmine makes keeping the entire system up to date quite easy.

A version of a TurnKey Redmine virtual machine as discussed here will be made available to readers via the HolisticInfoSec Skydrive. This instance will include a web application project template, with predefined subprojects, issue categories and bugs, again as defined in the SANS 542 course. Readers will need only create users, assign dates and members, and establish access to an LDAP service.

Ping me via email if you have questions or suggestions for topic via russ at holisticinfosec dot org or hit me on Twitter @holisticinfosec.

Cheers…until next month.

References

---

[1] Gallagher, Jeffries, and Landauer (2006). Hunting Security Bugs, Redmond, WA: Microsoft Press.

[2] O'Connor, T. (2013). Violent python. (p. 229). Walthm, MA: Syngress.

[3] Schwaber, K. (2004). Agile project management with scrum.

[4] Heldman, K. (2009). Pmp: Project management professional exam study guide. (Fifth ed.). Indianapolis, IN: Sybex.