LPTv4 Module 35: Log Management Penetration Testing

ECSA/LPT, EC-Council, Module XXXV

Upload: shanky-verma-soni

Post on 03-Feb-2016

Page 1: LPTv4 Module 35 Log Management Penetration Testing

ECSA/LPT

EC-Council Module XXXV

Log Management Penetration Testing

Page 2

Penetration Testing Roadmap

Start Here

Information Gathering

Vulnerability Analysis

External Penetration Testing

Firewall Penetration Testing

Router and Switches Penetration Testing

Internal Network Penetration Testing

IDS Penetration Testing

Wireless Network Penetration Testing

Denial of Service Penetration Testing

Password Cracking Penetration Testing

Stolen Laptop, PDAs and Cell Phones Penetration Testing

Social Engineering Penetration Testing

Application Penetration Testing

Cont’d

EC-Council. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 3

Penetration Testing Roadmap (cont’d)

Cont’d

Physical Security Penetration Testing

Database Penetration Testing

VoIP Penetration Testing

Virus and Trojan Detection

War Dialing

VPN Penetration Testing

Log Management Penetration Testing

File Integrity Checking

Blue Tooth and Hand held Device Penetration Testing

Telecommunication And Broadband Communication Penetration Testing

Email Security Penetration Testing

Security Patches Penetration Testing

Data Leakage Penetration Testing

End Here

Page 4

Introduction

Log files maintain a record of all the events occurring in an organization’s systems and networks.

Log management systems are used to manage log files across a network.

Since threats against systems and networks have increased, the security of the log management systems themselves also needs to be strengthened.

Logs are classified into:

• Security software logs: These logs record all instances of vulnerabilities detected in software.

• Operating system logs: These logs record all instances of vulnerabilities detected in the operating system.

Page 5

Need for Log Management

To record each and every action performed on the system

To ensure the recorded instances are stored for appropriate duration

To perform routine log review and analysis that helps to identify security threats, policy violations, operational problems, etc.

To perform auditing and forensic analysis in investigation of malicious activities

Operating system log entry example:

Event Type: Success Audit
Event Source: Security
Event Category: (1)
Event ID: 517
Date: 3/3/2008
Time: 4:30:40 PM
User: NT AUTHORITY\SYSTEM
Computer: KENT
Description:
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3F7)
Client User Name: userk
Client Domain: KENT
Client Logon ID: (0x0,0x28BFD)
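The entry above is exactly the kind of record a routine log review should pick out: event ID 517 means the Security log itself was wiped, and the "Client" fields name the account that asked for it. The following is an added example, not part of the EC-Council module, that parses records in the exported format shown on the slide and flags log-clearing events. The sample records are constructed; event ID 517 is the one on the slide, and 1102 is the equivalent ID that Windows Vista and later use for the same event.

```python
import re

# Constructed sample in the exported Windows event format used on the slide (not a real capture).
SAMPLE_EVENTS = """\
Event Type: Success Audit
Event Source: Security
Event Category: (1)
Event ID: 517
Date: 3/3/2008
Time: 4:30:40 PM
User: NT AUTHORITY\\SYSTEM
Computer: KENT
Description:
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3F7)
Client User Name: userk
Client Domain: KENT
Client Logon ID: (0x0,0x28BFD)

Event Type: Success Audit
Event Source: Security
Event Category: (2)
Event ID: 528
Date: 3/3/2008
Time: 4:29:10 PM
User: KENT\\userk
Computer: KENT
Description:
Successful Logon
"""

# Event IDs meaning "the audit log was cleared": 517 on Windows 2000/XP/2003 (the slide's ID),
# 1102 on Windows Vista and later.
AUDIT_LOG_CLEARED = {517, 1102}

# A field line is "Name: value"; lines without that shape continue the previous field
# (the Description text sits on the line after "Description:").
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s?(.*)$")


def parse_events(text: str) -> list:
    """Split an export on blank lines and turn every record into a dict of its fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event, last_key = {}, None
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                last_key = m.group(1).strip()
                event[last_key] = m.group(2).strip()
            elif last_key:
                event[last_key] = (event[last_key] + " " + line.strip()).strip()
        if event:
            events.append(event)
    return events


def find_log_clearing(events: list) -> list:
    """Return one finding per record whose Event ID is a log-clearing event."""
    hits = []
    for event in events:
        try:
            event_id = int(event.get("Event ID", ""))
        except ValueError:
            continue
        if event_id in AUDIT_LOG_CLEARED:
            hits.append({
                "event_id": event_id,
                "when": f"{event.get('Date')} {event.get('Time')}",
                "computer": event.get("Computer"),
                # "Client" fields identify the account that requested the clear;
                # "Primary" fields are the service that carried it out (SYSTEM here).
                "actor": f"{event.get('Client Domain')}\\{event.get('Client User Name')}",
            })
    return hits


if __name__ == "__main__":
    for hit in find_log_clearing(parse_events(SAMPLE_EVENTS)):
        print(f"audit log cleared on {hit['computer']} at {hit['when']} by {hit['actor']} (event {hit['event_id']})")
```

In practice the same check should run on the collector's copy of the log, not only on the host: once 517/1102 fires, the local log is by definition no longer trustworthy.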

Page 6

Challenges in Log Management

Potential problems with the initial generation of logs

Inconsistent log formats

Confidentiality, integrity, and availability of generated logs

Inaccuracy in internal clock
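Two of these challenges, inconsistent formats and inaccurate clocks, show up the moment a collector receives lines from more than one host. The following is an added example, not from the EC-Council module, that normalises both common syslog wire formats (the legacy BSD format and the RFC 5424 format) into one record and flags entries whose timestamp is far from the collector's own clock. The sample lines, the collector time and the five-minute tolerance are constructed; because the BSD format carries neither year nor time zone, the parser assumes the collector's year and UTC, which is itself an assumption worth checking against how your sources are configured.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed collector clock (UTC) when these lines arrive, and the largest source/collector
# offset tolerated before a record's timestamp is flagged.
RECEIVER_NOW = datetime(2008, 3, 3, 16, 31, 0, tzinfo=timezone.utc)
MAX_SKEW = timedelta(minutes=5)

# Constructed samples: the same kind of event from three hosts, in two wire formats.
SAMPLES = [
    "<34>Mar  3 16:30:40 kent sshd[1234]: Failed password for root from 10.0.0.9 port 5522 ssh2",
    "<34>1 2008-03-03T16:30:41Z kent2 sshd 1234 - - Failed password for root from 10.0.0.9",
    "<34>Mar  3 11:02:05 oldbox sshd[99]: Failed password for admin from 10.0.0.9 port 40000 ssh2",
]

# Legacy BSD format (RFC 3164): <PRI>Mmm dd hh:mm:ss HOST MSG   (no year, no zone)
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (?:-|(?:\[[^\]]*\])+) ?(.*)$")


def parse_syslog(line: str, now: datetime = RECEIVER_NOW):
    """Normalise one syslog line of either format into a common record; None if unparseable."""
    m = RFC3164.match(line)
    if m:
        pri, mon, day, clock, host, msg = m.groups()
        # No year or zone on the wire: assume the collector's year and UTC (documented assumption).
        ts = datetime.strptime(f"{now.year} {mon} {int(day)} {clock}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        fmt = "rfc3164"
    else:
        m = RFC5424.match(line)
        if not m:
            return None
        pri, stamp, host, app, procid, msgid, msg = m.groups()
        ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        fmt = "rfc5424"
    pri = int(pri)
    return {
        "format": fmt,
        "facility": pri >> 3,        # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": ts,
        "host": host,
        "message": msg,
        # A source whose clock is this far off makes cross-host correlation unreliable.
        "clock_suspect": abs(now - ts) > MAX_SKEW,
    }


def normalise(lines, now: datetime = RECEIVER_NOW) -> list:
    """Parse a batch of lines, dropping the ones neither grammar accepts."""
    return [r for r in (parse_syslog(line, now) for line in lines) if r is not None]


if __name__ == "__main__":
    for rec in normalise(SAMPLES):
        flag = " CLOCK?" if rec["clock_suspect"] else ""
        print(f"{rec['timestamp'].isoformat()} {rec['host']:8s} fac={rec['facility']} sev={rec['severity']}{flag}  {rec['message']}")
```

Lines that neither grammar accepts are dropped here; a production collector should instead count and store them, because an unparseable burst is itself a signal (see the flooding and malformed-message steps later in this module).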

Page 7

Steps for Log Management Penetration Testing

1. Scan for log files

2. Try to flood syslog servers with bogus log data

3. Try a malicious syslog message attack (buffer overflow)

4. Perform a man-in-the-middle attack

5. Check whether the logs are encrypted

6. Check whether arbitrary data can be injected remotely into the Microsoft ISA Server log file

7. Perform a DoS attack against the Check Point FW-1 syslog daemon

8. Send syslog messages containing escape sequences to the syslog daemon of Check Point FW-1 NG FP3

Page 8

Step 1: Scan for Log Files

Use different scanning tools to scan the log files in the system.

Some of the log file scanning tools are:

• Sawmill

• Bcnumsg

Page 9

Step 2: Try to Flood Syslog Servers with Bogus Log Data

Most syslog implementations use the connectionless, unreliable UDP to transfer logs between hosts.

UDP provides no assurance that log entries will be received successfully or in the correct sequence.

Most syslog implementations do not perform any access control, so any host can send messages to a syslog server.

Check whether flooding the server with bogus messages causes a denial of service.
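The two weaknesses this step exercises, no access control and no rate limit, are also the two controls a collector needs in front of its UDP listener. The following is an added example, not part of the EC-Council module, showing the admission logic such a collector would apply: a sender allowlist plus a per-source token bucket, driven by a small simulation so the effect of a flood can be seen without any network. The allowed networks, rates and source addresses are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example: log sources only live in these networks, and one source may
# sustain RATE_PER_SEC messages per second with bursts up to BURST before it is throttled.
ALLOWED_SENDERS = [ip_network("10.0.0.0/24"), ip_network("192.168.1.5/32")]
RATE_PER_SEC = 100
BURST = 200


class SourceGuard:
    """Admission control for a UDP syslog collector: allowlist plus per-source token bucket."""

    def __init__(self, allowed=ALLOWED_SENDERS, rate=RATE_PER_SEC, burst=BURST):
        self.allowed = allowed
        self.rate, self.burst = rate, burst
        self.buckets = {}                 # source -> (tokens, last_refill_time)
        self.dropped = defaultdict(int)   # source -> count, worth alerting on

    def _permitted(self, src: str) -> bool:
        ip = ip_address(src)
        return any(ip in net for net in self.allowed)

    def admit(self, src: str, now: float) -> bool:
        """True if a datagram from src arriving at time `now` (seconds) should be processed."""
        if not self._permitted(src):
            self.dropped[src] += 1
            return False
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill since last datagram
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return True
        self.buckets[src] = (tokens, now)
        self.dropped[src] += 1
        return False


def simulate(guard: SourceGuard, src: str, count: int, interval: float):
    """Feed `count` datagrams from src spaced `interval` seconds apart; return (accepted, dropped)."""
    accepted, t = 0, 0.0
    for _ in range(count):
        if guard.admit(src, t):
            accepted += 1
        t += interval
    return accepted, count - accepted


if __name__ == "__main__":
    guard = SourceGuard()
    print("flood from allowed host  :", simulate(guard, "10.0.0.7", 1000, 0.0))
    print("normal host at 10 msg/s  :", simulate(guard, "10.0.0.8", 50, 0.1))
    print("host outside allowlist   :", simulate(guard, "172.16.0.1", 10, 0.1))
    print("drops per source         :", dict(guard.dropped))
```

Dropping is the right response for the collector, but the drop counters must themselves be logged and alerted on: a sudden flood from an allowed source is often the first visible sign of a host that has been compromised or misconfigured.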

Page 10

Step 3: Try Malicious Syslog Message Attack (Buffer Overflow)

Construct a large syslog message with target-specific code at the end of the message.

If syslog messages are allowed from untrusted hosts, try to send syslog messages until a buffer overflow condition is found.

Try to elevate a local user process to root privileges after the buffer overflow.

Page 11

Step 4: Perform Man-in-the-Middle Attack

Man-in-the-middle attacks can be used to modify or destroy syslog messages in transit.

Check if the syslog client checks the server's identity as presented in the server's certificate message before sending log files.

Check the client's local ~/.ssh/known_hosts file if an SSH tunnel is used for log transmissions.
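What the known_hosts check above is really asking is whether the log-shipping client refuses to send when the tunnel endpoint's key is unknown or has changed. The following is an added example, not from the EC-Council module, that implements the matching OpenSSH performs on a known_hosts file (plain, comma-separated and hashed `|1|` host entries, plus `@revoked` markers) and the decision a shipper should make from it. The file contents, host names and key strings are constructed placeholders, not real keys; `@cert-authority` entries are out of scope here.

```python
import base64
import hashlib
import hmac


def hash_hostname(host: str, salt: bytes) -> str:
    """OpenSSH hashed-hostname form: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match one host pattern from a known_hosts line against `host`.
    Give `host` as OpenSSH writes it: "name", or "[name]:port" for a non-default port.
    Wildcard patterns are not supported in this example."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return pattern == host


def matching_entries(known_hosts_text: str, host: str) -> list:
    """All (marker, keytype, key) entries whose host list matches `host`."""
    entries = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        marker = ""
        if line.startswith("@"):                 # e.g. "@revoked host keytype key"
            marker, _, line = line.partition(" ")
        fields = line.split()
        if len(fields) < 3:
            continue
        if any(host_matches(p, host) for p in fields[0].split(",")):
            entries.append((marker, fields[1], fields[2]))
    return entries


def check_before_shipping(known_hosts_text: str, host: str, keytype: str, key: str) -> str:
    """Decision for the presented server key: 'ok', 'revoked', 'key-mismatch' (possible MITM,
    do not send) or 'unknown-host' (never silently trust-on-first-use for a log pipeline)."""
    presented = (keytype, key)
    entries = matching_entries(known_hosts_text, host)
    if any(m == "@revoked" and (t, k) == presented for m, t, k in entries):
        return "revoked"
    pinned = [(t, k) for m, t, k in entries if m == ""]
    if not pinned:
        return "unknown-host"
    return "ok" if presented in pinned else "key-mismatch"


# Constructed known_hosts content; the key strings are placeholders, not real public keys.
COLLECTOR_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderCollectorKeyNotReal0000"
REVOKED_KEY = "AAAAB3NzaC1yc2EPlaceholderRevokedKeyNotReal0000"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plain entry for the collector, two names on one line",
    "collector,10.0.0.5 ssh-ed25519 " + COLLECTOR_KEY,
    # hashed entry for the same collector under the name "loghost" (fixed salt; real clients use a random one)
    hash_hostname("loghost", b"\x01" * 20) + " ssh-ed25519 " + COLLECTOR_KEY,
    "@revoked oldcollector ssh-rsa " + REVOKED_KEY,
])


if __name__ == "__main__":
    for host, ktype, key in [("loghost", "ssh-ed25519", COLLECTOR_KEY),
                             ("loghost", "ssh-ed25519", "AAAAC3DifferentKeyNotReal"),
                             ("newhost", "ssh-ed25519", COLLECTOR_KEY),
                             ("oldcollector", "ssh-rsa", REVOKED_KEY)]:
        print(f"{host:14s} -> {check_before_shipping(SAMPLE_KNOWN_HOSTS, host, ktype, key)}")
```

The same policy is what `ssh -o StrictHostKeyChecking=yes` enforces for an interactive session; the point of writing it out is that an automated shipper must fail closed on "unknown-host" and "key-mismatch" rather than prompting or proceeding.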

Page 12

Step 5: Check Whether the Logs are Encrypted

Most syslog implementations cannot use encryption to protect the integrity or confidentiality of logs in transit.

Sniff the network with different sniffing tools such as Ethereal and SniffIt.

Try to monitor syslog messages containing sensitive information regarding system configurations and security weaknesses.

Page 13

Step 6: Check Whether Arbitrary Data Can be Injected Remotely into Microsoft ISA Server Log File (Only for Microsoft ISA Server)

Send a specially-crafted HTTP request to modify the destination host parameter in the log file.

GET / HTTP/1.0
Host: %01%02%03%04
Transfer-Encoding: whatever

Page 14

Step 7: Perform DoS Attack Against Check Point FW-1 Syslog Daemon (Only for CheckPoint Firewall)

Start the syslog daemon by enabling the firewall object

Check for a listening syslog daemon

Send a valid syslog message from a remote host

Send a random payload via syslog message from a remote host:

[evilhost]# cat /dev/urandom | nc -u firewall 514

Page 15

Step 8: Send Syslog Messages Containing Escape Sequences to Syslog Daemon of Check Point FW-1 NG FP3 (Only for CheckPoint Firewall)

Enable receiving of syslog from remote hosts by FW-1

Send some special escape sequences via syslog:

[evilhost]# echo -e "<189>19: 00:01:04: Test\a\033[2J\033[2;5m\033[1;31mHACKER~ ATTACK\033[2;25m\033[22;30m\033[3q" | nc -u firewall 514

Page 16

Checklist for Secure Log Management

Maintain backups of log files

Use updated versions of software for logging mechanisms

Select secure log file locations

Encrypt log files

Store them on another host in order to prevent tampering with log files

Establish standard policies and procedures for log management

Create and maintain a secure log management infrastructure

Page 17

Checklist for Secure Log Management (cont’d)

Train the personnel holding log management responsibilities

Give limited access to log files

Use a secure mechanism to transfer log files from one system to another

Check the internal clock of the system
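Storing logs on another host stops an intruder from quietly editing the copy on the machine they control, but the collector still needs a way to prove that its own copy has not been altered (the "file integrity checking" item on the roadmap). The following is an added example, not from the EC-Council module, of a tamper-evident log: each record carries an HMAC over the previous record's MAC and its own content, so an edited, removed or reordered record breaks the chain at that point, and recording the newest MAC out of band also catches truncation. The key and the three sample records are constructed; the records are modelled on the Windows entry shown earlier in the module.

```python
import copy
import hashlib
import hmac
import json

# Assumption for this example: only the central collector holds SECRET. Hosts that produce
# logs never see it, so an intruder on such a host cannot re-mint valid MACs after the fact.
SECRET = b"constructed-example-key-not-for-production"
GENESIS = "0" * 64   # the MAC "before" the first record


def _link(prev_mac: str, entry: dict, secret: bytes) -> str:
    """MAC over the previous record's MAC plus this entry's canonical JSON."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def append(chain: list, entry: dict, secret: bytes = SECRET) -> None:
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"entry": entry, "mac": _link(prev, entry, secret)})


def verify(chain: list, secret: bytes = SECRET, expected_head: str = None):
    """Return (True, None) if every link checks out, else (False, index_of_first_bad_record).
    expected_head is the newest MAC the collector recorded elsewhere (e.g. in a signed daily
    digest); supplying it also catches truncation of the tail, which the chain alone cannot see."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if not hmac.compare_digest(rec["mac"], _link(prev, rec["entry"], secret)):
            return False, i
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def build_sample_chain() -> list:
    """Three constructed records: logon, audit log cleared, logoff."""
    chain = []
    for entry in [
        {"ts": "2008-03-03T16:29:10", "host": "KENT", "event_id": 528, "user": "KENT\\userk"},
        {"ts": "2008-03-03T16:30:40", "host": "KENT", "event_id": 517, "user": "KENT\\userk"},
        {"ts": "2008-03-03T16:31:02", "host": "KENT", "event_id": 538, "user": "KENT\\userk"},
    ]:
        append(chain, entry)
    return chain


def tamper_demo() -> dict:
    """What verify() reports for an intact chain, an edited record, a deleted record and a cut tail."""
    chain = build_sample_chain()
    head = chain[-1]["mac"]
    edited = copy.deepcopy(chain)
    edited[1]["entry"]["event_id"] = 528     # try to hide the "audit log cleared" event
    deleted = chain[:1] + chain[2:]          # drop the middle record entirely
    truncated = chain[:2]                    # chop off the newest record
    return {
        "intact": verify(chain, expected_head=head),
        "edited": verify(edited),
        "deleted": verify(deleted),
        "truncated_no_head": verify(truncated),
        "truncated_with_head": verify(truncated, expected_head=head),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:20s} -> {result}")
```

Note the `truncated_no_head` case: a chain that is simply cut short still verifies, which is why the head MAC has to be written somewhere the log writer cannot reach, such as a separate append-only store or a periodic signed digest.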

Page 18

Summary

Log files maintain a record of all the events occurring in an organization’s systems and networks.

Logs are used to perform auditing and forensic analysis in the investigation of malicious activities.

Most syslog implementations use the connectionless, unreliable UDP to transfer logs between hosts.

Use updated versions of software for logging mechanisms.

Check the internal clock of the system.
