
ECSA/LPT
EC-Council

Module XXXV
Log Management Penetration Testing

Penetration Testing Roadmap

(Figure: roadmap flowchart. Stages shown on this slide, in the order extracted, beginning at "Start Here":
Information Gathering
Vulnerability Analysis
External Penetration Testing
Firewall Penetration Testing
Router and Switches Penetration Testing
Internal Network Penetration Testing
Wireless Network Penetration Testing
Denial of Service Penetration Testing
IDS Penetration Testing
Application Penetration Testing
Stolen Laptop, PDAs and Cell Phones Penetration Testing
Social Engineering Penetration Testing
Password Cracking Penetration Testing)

EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Penetration Testing Roadmap (cont'd)

(Figure: roadmap flowchart, continued. Stages shown on this slide, in the order extracted, ending at "End Here":
Physical Security
Database Penetration Testing
VoIP Penetration Testing
War Dialing
VPN Penetration Testing
Virus and Trojan Detection
Log Management Penetration Testing
Blue Tooth and Hand held Device Penetration Testing
File Integrity Checking
Data Leakage Penetration Testing
Security Patches Penetration Testing
Email Security Penetration Testing
Telecommunication And Broadband Communication Penetration Testing)

Introduction

Log files maintain a record of all the events occurring in an organization's systems and networks.
Log management systems are used to manage log files across a network.
Since threats against systems and networks have increased, the security of the log management systems also needs to be increased.
Logs are classified into:
Security software logs: These logs record all instances of detected vulnerabilities to software.
Operating system logs: These logs record all instances of detected vulnerabilities to the operating system.

Need for Log Management

To record each and every action performed on the system
To ensure the recorded instances are stored for an appropriate duration
To perform routine log review and analysis that helps to identify security threats, policy violations, operational problems, etc.
To perform auditing and forensic analysis in investigation of malicious activities

Operating system log entry example:
Event Type: Success Audit
Event Source: Security
Event Category: (1)
Event ID: 517
Date: 3/3/2008
Time: 4:30:40 PM
User: NT AUTHORITY\SYSTEM
Computer: KENT
Description:
The audit log was cleared
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3F7)
Client User Name: userk
Client Domain: KENT
Client Logon ID: (0x0,0x28BFD)

Challenges in Log Management

Potential problems with the initial generation of logs
Inconsistent log formats
Confidentiality, integrity, and availability of generated logs
Inaccuracy in internal clock


Steps for Log Management Penetration Testing

1. Scan for log files
2. Try to flood Syslog servers with bogus log data
3. Try malicious Syslog message attack (buffer overflow)
4. Perform man-in-the-middle attack
5. Check whether the logs are encrypted
6. Check whether arbitrary data can be injected remotely into Microsoft ISA server log file
7. Perform DoS attack against Check Point FW-1 Syslog daemon
8. Send Syslog messages containing escape sequences to Syslog daemon of Check Point FW-1 NG FP3


Step 1: Scan for Log Files

Use different scanning tools to scan the log files in the system.
Some of the log file scanning tools are:
Sawmill
Bcnumsg


Step 2: Try to Flood Syslog Servers with Bogus Log Data

Most syslog implementations use the connectionless, unreliable UDP to transfer logs between hosts.
UDP provides no assurance that log entries will be received successfully or in the correct sequence.
Most syslog implementations do not perform any access control, so any host can send messages to a syslog server.
Check for denial of service that flooding may cause.

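An added example, not from the slides, showing the collector-side view of this step: per-source rate accounting that surfaces a bogus-data flood, plus the source allow-list that most syslog daemons lack. The received datagrams, addresses and timestamps are constructed.

```python
import re
from collections import defaultdict

# Constructed collector input (not a real capture): (receive time in ms, source IP,
# raw datagram). Two legitimate lines from 10.1.1.5, then 2000 bogus lines from a
# host sending them 1 ms apart, the flood described in this step.
RECEIVED = [
    (10000, "10.1.1.5", "<34>Mar  3 16:30:40 kent sshd[2231]: Accepted password for userk"),
    (10200, "10.1.1.5", "<13>Mar  3 16:30:40 kent cron[419]: (root) CMD (run-parts /etc/cron.hourly)"),
] + [
    (10000 + i, "10.1.1.99", f"<13>Mar  3 16:30:40 evilhost bogus[{i}]: flood {i}")
    for i in range(2000)
]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(msg):
    """Return (facility, severity) from the RFC 3164 PRI field, or None if it is
    missing or out of range; malformed PRIs are themselves worth counting."""
    m = PRI_RE.match(msg)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8

def detect_flood(received, limit=500, window_ms=1000):
    """Count datagrams per source per time window and return {source: peak count}
    for every source that exceeded the limit in some window."""
    buckets = defaultdict(int)
    for ts, src, _ in received:
        buckets[(src, ts // window_ms)] += 1
    offenders = {}
    for (src, _), n in buckets.items():
        if n > limit:
            offenders[src] = max(offenders.get(src, 0), n)
    return offenders

def allowlist_filter(received, allowed_sources):
    """The access control most syslog daemons lack: keep only datagrams whose
    source address is on the allow list. A spoofed UDP source address still
    passes, so pair this with the rate limit above."""
    return [r for r in received if r[1] in allowed_sources]
```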

Step 3: Try Malicious Syslog Message Attack (Buffer Overflow)

Construct a large syslog message with target-specific codes at the end of the message.
If syslog messages are allowed from untrusted hosts, try to send syslog messages until a buffer overflow condition is found.
Try to elevate a local user process to root privileges after buffer overflow.


Step 4: Perform Man-in-the-Middle Attack

Man-in-the-middle attacks can be used to modify or destroy syslog messages in transit.
Check if the syslog client checks for the server's identity as presented in the server's certificate message before sending log files.
Check the client's local ~/.ssh/known_hosts file if an ssh tunnel is used for log transmissions.


Step 5: Check Whether the Logs are Encrypted

Most syslog implementations cannot use encryption to protect the integrity or confidentiality of logs during transmission.
Sniff the network with different sniffing tools such as Ethereal and SniffIt.
Try to monitor syslog messages containing sensitive information regarding system configurations and security weaknesses.


Step 6: Check Whether Arbitrary Data Can be Injected Remotely into Microsoft ISA Server Log File (Only for Microsoft ISA Server)

Send a specially-crafted HTTP request to modify the destination host parameter in the log file.
GET / HTTP/1.0
Host: %01%02%03%04
Transfer-Encoding: whatever


Step 7: Perform DoS Attack Against Check Point FW-1 Syslog Daemon (Only for CheckPoint Firewall)

Start syslog daemon by enabling the firewall object
Check for listening syslog daemon
Send a valid syslog message from a remote host
Send random payload via syslog message from a remote host
[evilhost]# cat /dev/urandom | nc -u firewall 514


Step 8: Send Syslog Messages Containing Escape Sequences to Syslog Daemon of Check Point FW-1 NG FP3 (Only for CheckPoint Firewall)

Enable receiving of syslog from remote by FW-1
Send some special escape sequences via syslog
[evilhost]# echo -e "<189>19:00:01:04: Test\a\033[2J\033[2;5m\033[1;31mHACKER~ATTACK\033[2;25m\033[22;30m\033[3q" | nc -u firewall 514

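An added example, not from the slides, of the daemon-side defence against this step: detecting terminal escape sequences and control bytes in incoming syslog messages and neutralising them before the line is written or shown to an administrator. The datagrams are constructed in the shape of the slide's test string.

```python
import re

# Constructed datagram in the same shape as the slide's test string: BEL, an ANSI
# clear-screen, colour changes and a cursor-shape change buried in a syslog line.
CONSTRUCTED = ("<189>Mar  3 19:00:01 evilhost Test\a\x1b[2J\x1b[1;31m"
               "HACKER ATTACK\x1b[0m\x1b[3q")
CLEAN = "<13>Mar  3 16:30:40 kent cron[419]: (root) CMD (run-parts /etc/cron.hourly)"

CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")    # ESC [ params intermediates final
ESC_RE = re.compile(r"\x1b[@-Z\\-_]")               # other two-byte ESC sequences
CTRL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")   # remaining C0 controls and DEL; TAB kept

def contains_terminal_escapes(msg):
    """True if the message could drive a terminal that displays it."""
    return bool(CSI_RE.search(msg) or ESC_RE.search(msg) or CTRL_RE.search(msg))

def sanitize(msg):
    """Make the line safe to write to a file or tail on an admin console: CSI and
    ESC sequences are removed, other control bytes become visible caret notation
    so the fact that they were sent is preserved as evidence."""
    msg = CSI_RE.sub("", msg)
    msg = ESC_RE.sub("", msg)
    def caret(m):
        b = ord(m.group(0))
        return "^?" if b == 0x7F else "^" + chr(b + 0x40)
    return CTRL_RE.sub(caret, msg)

def ingest(datagrams):
    """Sanitize every datagram; return (clean lines, number of datagrams flagged)."""
    flagged, out = 0, []
    for d in datagrams:
        if contains_terminal_escapes(d):
            flagged += 1
        out.append(sanitize(d))
    return out, flagged
```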

Checklist For Secure Log Management

Maintain backups of log files
Use updated version of software for logging mechanisms
Select secure log file locations
Encrypt log files
Store them on another host in order to stop tampering of log files
Establish standard policies and procedures for log management
Create and maintain secure log management infrastructure

Checklist for Secure Log Management (cont'd)

Train the personnel holding log management responsibilities
Give limited access to log files
Use a secure mechanism to transfer log files from one system to another
Check the internal clock of the system

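An added example, not from the slides, that makes the checklist items "stop tampering of log files" and "store them on another host" checkable: each line carries an HMAC chained to the previous line, keyed with a secret that lives only on the remote log host. The key and records are constructed.

```python
import hashlib
import hmac

# Constructed key and records (not from the slides). The key belongs on the
# remote log host that receives the sealed lines, never on the machine that
# produced them, so a local attacker who can edit the file cannot re-seal it.
KEY = b"constructed-demo-key-do-not-reuse"
RECORDS = [
    "Mar  3 16:30:40 kent sshd[2231]: Accepted password for userk from 10.1.1.7",
    "Mar  3 16:30:41 kent sudo: userk : TTY=pts/0 ; COMMAND=/bin/bash",
    "Mar  3 16:30:42 kent sudo: userk : COMMAND=/bin/rm /var/log/auth.log",
]
GENESIS = b"\x00" * 32

def seal(records, key):
    """Append a chained tag to each record: tag_i = HMAC(key, tag_{i-1} || record_i).
    Returns the sealed lines and the final tag, which is stored off-host."""
    prev, sealed = GENESIS, []
    for rec in records:
        tag = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        sealed.append(f"{rec} |{tag.hex()}")
        prev = tag
    return sealed, prev.hex()

def verify(sealed, key, expected_final=None):
    """Return (ok, index of first bad line or None). Editing, removing or
    reordering a line breaks every tag from that point on; removing lines
    from the end is only caught when the off-host final tag is supplied."""
    prev = GENESIS
    for i, line in enumerate(sealed):
        rec, sep, tag_hex = line.rpartition(" |")
        if not sep:
            return False, i
        tag = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag.hex(), tag_hex):
            return False, i
        prev = tag
    if expected_final is not None and not hmac.compare_digest(prev.hex(), expected_final):
        return False, len(sealed)
    return True, None
```

Encrypting the sealed file covers confidentiality separately; the chain only proves that what is read back is what was written.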

Summary

Log files are the files that maintain a record of all the events occurring in an organization's systems and networks.
Logs are used to perform auditing and forensic analysis in investigation of malicious activities.
Most syslog implementations use the connectionless, unreliable UDP to transfer logs between hosts.
Use updated version of software for logging mechanisms.
Check the internal clock of the system.