LPTv4 Module 35 Log Management Penetration Testing

ECSA/LPT
EC Council
EC-Council
Module XXXV
Log Management
Penetration Testing
Penetration Testing Roadmap

Start Here
Information
Vulnerability
External
Gathering
Analysis
Penetration Testing
Firewall
i
ll
Penetration Testing
Router and
Switches
Internal
Network
Penetration Testing
Penetration Testing
Wireless
Network
Denial of
Service
Penetration Testing
Penetration Testing
IDS
Penetration Testing
Contd
Application
Penetration Testing
EC-Council
Stolen Laptop, PDAs

and Cell Phones
Penetration Testing
Social
Engineering
Password
Cracking
Penetration Testing
Penetration Testing
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap

(cont d)
(contd)
Contd
Physical
S
Security
i
Database
P
Penetration
i testing
i
VoIP
P
Penetration
i T
Testing
i
War Dialing
VPN
Penetration Testing
Penetration Testing
Virus and
Vi
d
Trojan
Detection
Log
Management
Penetration Testing
Blue Tooth and

Hand held
Device
Penetration Testing
File Integrity
Checking
End Here
Data Leakage
Penetration Testing
EC-Council
Security
Patches
Penetration Testing
Email Security
Penetration Testingg
Telecommunication
And Broadband
Communication
Penetration Testing
Introduction
Log files maintain record of all the events occurring in an organizations
systems and networks.
networks
Log management systems are used to manage log files across a network.
Since threats against the systems and networks has increased, security of
the log management systems also need to be increased.
Logs are classified into:
Security software logs: These logs record all instances of detected
vulnerabilities to software.
Operating system logs: These logs record all instances of detected
vulnerabilities to the operating system.
EC-Council
Need for Log Management

To record each and every action performed on the system
To ensure the recorded instances are stored for appropriate duration
To perform routine log review and analysis that helps to identify the security threats, policy
violation, operational problems, etc.
To perform auditing and forensic analysis in investigation of malicious activities
Operating
p
g system
y
log
g entryy example:
p
Event Type: Success Audit
Event Source: Security
Event Category: (1)
Event ID: 517
Date: 3/3/2008
Time: 4:30:40 PM
User: NT AUTHORITY\SYSTEM
Computer: KENT
Description:
The audit log was cleared
Primary User Name: SYSTEM
Primary Logon ID: (0x0,0x3F7)
Client Domain: KENT
EC-Council
Primary Domain: NT AUTHORITY

Client User Name: userk
Client Logon ID: 0x0,0x28BFD)
Challenges in Log Management

Potential problems with the initial generation of logs
Inconsistent log formats
Confidentiality,
fd
l
integrity, and
d availability
l b l off generated
d llogs
Inaccuracy in internal clock
EC-Council
Steps for Log Management

Penetration Testing
1
2
3
4
5
6
7
8
Scan for log files

Try to flood Syslog servers with bogus log data
Tryy malicious Syslog
y g message
g attack ((buffer overflow))
Perform man-in-the-middle attack
Check whether the logs are encrypted
Check whether arbitrary data can be injected remotely into Microsoft ISA server log file
Perform DoS attack against check point FW-1 Syslog daemon
Send
S d Syslog
S l
messages containing
i i escape sequences to Syslog
S l daemon
d
off check
h k point
i FW
FW-1 NG FP3
FP
EC-Council
Step 1: Scan for Log Files

Use different scanning tools to scan the log files in the system.
Some of the log file scanning tools are:
Sawmill.
Bcnumsg.
g
EC-Council
Step 2: Try to Flood Syslog

Servers with Bogus Log Data
Most syslog implementations use the connectionless, unreliable
UDP to transfer logs between hosts.
UDP p
provides no assurance that log
g entries will be received
successfully or in the correct sequence.
Most syslog implementations do not perform any access control, so
any host can send messages to a syslog server.
Check for denial of service that may cause flooding.
EC-Council
Step 3: Try Malicious Syslog Message

Attack (Buffer Overflow)
Construct a large syslog message with target specific codes at the end of
the
h message.
If syslog messages are allowed from untrusted hosts, try to send syslog
messages until
il a b
buffer
ff overflow
fl
condition
di i iis ffound.
d
Try to elevate a local user process to root privileges after buffer overflow.
EC-Council
Step 4: Perform Man-in-theMiddle Attack

Man-in-the-middle attacks can be used to modifyy or destroyy syslog
y g
messages in transit.
Check if the syslog client checks for the server's
server s identity as presented in
the server's certificate message before sending log files.
Check client
clientss local /.ssh/known_hosts
/ ssh/known hosts file if ssh tunnel is used for log
transmissions.
EC-Council
Step 5: Check Whether the Logs

are Encrypted
Most of the syslog cannot use encryption to protect the integrity or
confidentiality of logs during transaction.
Sniff the network with different sniffing tools such as Ethereal and SniffIt.
SniffIt
Try to monitor syslog messages containing sensitive information
regarding system configurations and security weaknesses.
EC-Council
Step 6: Check Whether Arbitrary Data Can be

Injected Remotely into Microsoft ISA Server Log
File ( Only for Microsoft ISA Server)
Send a specially-crafted HTTP request to modify the destination
h
host
parameter iin the
h llog fil
file.
GET / HTTP/1.0
Host:
t %01%02%03%04
Transfer-Encoding: whatever
EC-Council
Step 7: Perform DoS Attack Against Check

Point FW-1 Syslog Daemon (Only for
Ch kP i t Firewall)
CheckPoint
Fi
ll)
Start syslog
y g daemon byy enabling
g the firewall object
j
Check for listening syslog daemon
Send a valid syslog message from a remote host
Send random payload via syslog message from a remote host
[evilhost]# cat /dev/urandom | nc -u firewall 514
EC-Council
Step 8: Send Syslog Messages Containing Escape

Sequences to Syslog Daemon of Check Point FW-1
NG FP3 (Only for CheckPoint Firewall)
Enable receiving of syslog from remote by FW-1
Send some special escape sequences via syslog
[evilhost]#
[
ilh t]# echo
h -e "<189>19:
"<189>19 00
00:01:04:
01 04
Test\a\033[2J\033[2;5m\033[1;31mHACKER~
ATTACK\033[2;25m\033[22;30m\033[3q" | nc -u firewall 514
EC-Council
Checklist For Secure Log

Management
Maintain back up for log files
Use updated version of software for logging mechanisms
Select secure log file locations
Encrypt log files
Store them on the other host in order to stop tampering of log
files
Establish standard policies and procedures for log management
C
Create
and
d maintain
i i secure llog management iinfrastructure
f
EC-Council
Checklist for Secure Log

Management (cont
(contd)
d)
Train the p
personnel holding
g log
g management
g
responsibilities
p
Give limited access to log files
Use the secure mechanism to transfer log files from one system to
another
Check the internal clock of the system
EC-Council
Summary
Log files are the files that maintain record of all the events
occurring in an organizations systems and networks.
Logs are used to perform auditing and forensic analysis in
investigation of malicious activities.
Most syslog
y g implementations
p
use the connectionless unreliable
UDP to transfer logs between hosts.
Use updated version of software for logging mechanisms.
mechanisms
Ch k th
Check
the iinternal
t
l clock
l k off th
the system.
t
EC-Council
EC-Council

LPTv4 Module 35 Log Management Penetration Testing

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

LPTv4 Module 35 Log Management Penetration Testing

Загружено:

Авторское право:

Доступные форматы

ECSA/LPT

Penetration Testing Roadmap

Stolen Laptop, PDAs

Penetration Testing Roadmap

Blue Tooth and

Need for Log Management

Primary Domain: NT AUTHORITY

Challenges in Log Management

Steps for Log Management

Scan for log files

Step 1: Scan for Log Files

Step 2: Try to Flood Syslog

Step 3: Try Malicious Syslog Message

Step 4: Perform Man-in-theMiddle Attack

Step 5: Check Whether the Logs

Step 6: Check Whether Arbitrary Data Can be

Step 7: Perform DoS Attack Against Check

Step 8: Send Syslog Messages Containing Escape

Checklist For Secure Log

Checklist for Secure Log

Вам также может понравиться