Friday, October 22, 2010

Dionaea

I wouldn't say I am a honeypot guru. Far from it, but I am not a complete novice either. That being said, if you are replacing a product like nepenthes (which was very good IMO), the product you are replacing it with should be ready to roll.

Thanks to Andrew Waite for informing us of the Mercury-Live Honeypot DVD, because it's where I had first run dionaea. Figuring I wasn't doing something right, and being a hacker (the person who wants to figure things out and not the person who attacks other systems illegally), I decided to start from scratch. Could it be any more complicated?

Documentation is extremely limited. There is only a single page on the whole project. There is a blog that provides some useful information, but again very limited.

One thing I don't really care for is the requirement that dionaea be run as root. I see the reasoning behind it. Obviously binding to privileged ports requires that access, but there are ways around it, and with all the configuration already required I would think this would be something to toss in there.
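The usual way around the root requirement is the bind-then-drop pattern: open the listening sockets while still root, then switch the process to an unprivileged account before handling any client data, so that a bug in a protocol emulator runs with that account's rights and not root's. The example below is added here as an illustration and is not dionaea's code; the port list and the "dionaea" service user are assumed values, and the directories the service writes to (logs, the sqlite database, captured binaries) would have to be owned by that user. Linux file capabilities (cap_net_bind_service on the interpreter) are another option, but they grant the capability to every script that interpreter runs, so the explicit drop is usually preferred.

```python
import os
import pwd
import socket

# Assumed values for the illustration, not dionaea's configuration.
HONEYPOT_PORTS = [21, 80, 445]
SERVICE_USER = "dionaea"


def bind_listeners(ports, host="0.0.0.0"):
    """Bind one listening TCP socket per port.

    This must run BEFORE drop_privileges() when any port is below 1024;
    the sockets stay usable after the uid/gid change.
    """
    listeners = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(128)
        listeners.append(s)
    return listeners


def drop_to_ids(uid, gid):
    """Permanently switch to the given uid/gid.

    Returns True if privileges were dropped, False if the process was not
    root to begin with (nothing to drop). Order matters: supplementary
    groups and gid first, uid last, because setuid gives up the right to
    change the others.
    """
    if os.geteuid() != 0:
        return False
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    os.umask(0o077)
    return True


def drop_privileges(username):
    """Resolve a user name and drop to it. Raises KeyError if it does not exist."""
    pw = pwd.getpwnam(username)
    return drop_to_ids(pw.pw_uid, pw.pw_gid)


def still_privileged():
    """True while the effective uid is still root."""
    return os.geteuid() == 0


if __name__ == "__main__":
    listeners = bind_listeners(HONEYPOT_PORTS)  # needs root for ports < 1024
    dropped = drop_privileges(SERVICE_USER)
    print("listening on", [s.getsockname()[1] for s in listeners],
          "dropped:", dropped, "root now:", still_privileged())
```

Running the module as root binds the three ports and leaves the process as the service user; running it unprivileged fails at the bind, which is the point.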

The requirement that Python3 be installed within the /opt/dionaea folder was another sticking point. I would think that there would be a better way to do this.

Even scripting the installation with updates would be nice. They have a complete step by step write up on the web page, but if someone took all that effort to write it up I would think it would be fairly simple to write an installation script. Not being a very good programmer I wouldn't know the first thing about doing it, but it could be done.

It would also be a nice option to allow the use of anything other than sqlite to store results.

OK, with all that basically rambled off, it seems fairly stable after install. I'm going to continue to play with it and see how much it takes to break.


Monday, August 2, 2010

Honeypot experimentation

Lately I have been reading Virtual Honeypots and in the interest of education I have been using certain honeypots to gather Malware for reversing. It seems to be a fairly common practice in the Information Security community so why not.

My initial honeypot was a simple and quick installation of Kippo. The instructions were fairly clear on the website and it really takes very little to accomplish, so I won't rehash that here. Andrew Waite has an excellent tutorial on installing Kippo from SVN and logging it to MySQL, though Kippo does not require MySQL to run.

With the honeypot running behind a firewall with the SSH port forwarded internally to my Linux box, I started receiving login attempts within 30 minutes of activation. On average I get a brute force attempt started every hour. Most times it appears to be just a script or bot: once a command shell has been granted, a scripted set of commands is run that tests the shell, and then it logs out. Perhaps someone is just logging which SSH servers are open, along with the username and password that worked.
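The pattern described above (a burst of failed logins, one success, a fixed set of commands, disconnect) is easy to pull out of Kippo's text log once you key everything on the source IP. The script below is an added example, not Kippo's own code or anything from Andrew Waite's tutorial; the log lines are constructed in the Kippo style (timestamp, the transport/session prefix with a source IP, then "login attempt [user/pass] failed|succeeded" or "CMD: ..."), and the two regexes assume that layout, so adjust them if your Kippo version formats lines differently. The threshold of five attempts in one hour is an assumed tuning value.

```python
import re
from collections import Counter, defaultdict

# Kippo-style log layout assumed by these patterns.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2}\S* "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]+)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$")
CMD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHChannel session \(\d+\) on SSHService ssh-connection on "
    r"HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")

# Constructed sample log: one scripted brute force that gets in, one that gives up.
SAMPLE_LOG = """\
2010-08-02 10:15:31+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/123456] failed
2010-08-02 10:15:33+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/root] failed
2010-08-02 10:15:35+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/toor] failed
2010-08-02 10:15:37+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/admin] failed
2010-08-02 10:15:39+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/qwerty] failed
2010-08-02 10:15:41+0000 [SSHService ssh-userauth on HoneyPotTransport,0,192.0.2.10] login attempt [root/password] succeeded
2010-08-02 10:15:42+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.0.2.10] CMD: uname -a
2010-08-02 10:15:42+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.0.2.10] CMD: w
2010-08-02 10:15:43+0000 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.0.2.10] CMD: cat /proc/cpuinfo
2010-08-02 11:02:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [admin/admin] failed
2010-08-02 11:02:09+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [test/test] failed
"""


def analyze(lines, threshold=5):
    """Summarise login attempts and post-login commands per source IP.

    A source is flagged as brute force when it makes `threshold` or more
    attempts within a single clock hour (assumed tuning value).
    """
    attempts = defaultdict(list)   # ip -> [(hour, user, password, result), ...]
    commands = defaultdict(list)   # ip -> [command, ...]
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            attempts[m["ip"]].append((m["ts"][:13], m["user"], m["pw"], m["result"]))
            continue
        m = CMD_RE.match(line)
        if m:
            commands[m["ip"]].append(m["cmd"])

    report = {}
    for ip, rows in attempts.items():
        per_hour = Counter(r[0] for r in rows)
        peak = max(per_hour.values())
        report[ip] = {
            "attempts": len(rows),
            "peak_per_hour": peak,
            "brute_force": peak >= threshold,
            "successes": [(u, p) for _, u, p, r in rows if r == "succeeded"],
            "commands": commands.get(ip, []),
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The successful credential pairs are worth keeping: when the same user/password shows up from many sources, the bots are sharing a wordlist, and when a scripted command set is identical across sources you are looking at one tool, not many attackers.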

The files that I have received thus far are:

army1.tar md5: 4ba9b19b262bd87b6af702dd6d7a3683
decoder.tar.gz md5: 1a29f818c023993baf903ebacc001da2
flood md5: e8ad571c662e01f6e942ced9859eddaa
gosh.tgz md5: d41d8cd98f00b204e9800998ecf8427e

(Since I started the post yesterday that has increased, but I'll save that for later)
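One thing worth checking before any of these go to a reverser: d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes, so a file with that hash (gosh.tgz above) is empty, most likely a download that failed. The script below is an added example, not part of the original post: it inventories a directory of retrieved artifacts with MD5 and SHA-256, flags zero-byte files, and compares what is on disk against a recorded list of hashes (the four from the post). The sample directory it builds is constructed, with one placeholder file and one deliberately empty file.

```python
import hashlib
import os
import tempfile

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"   # MD5 of zero bytes

# Hashes as recorded in the post, keyed by file name.
LISTED = {
    "army1.tar": "4ba9b19b262bd87b6af702dd6d7a3683",
    "decoder.tar.gz": "1a29f818c023993baf903ebacc001da2",
    "flood": "e8ad571c662e01f6e942ced9859eddaa",
    "gosh.tgz": "d41d8cd98f00b204e9800998ecf8427e",
}


def hash_file(path):
    """Return size, MD5 and SHA-256 of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def inventory(directory):
    """Hash every regular file in a directory and flag empty ones."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            info = hash_file(path)
            info["empty"] = info["md5"] == EMPTY_MD5
            result[name] = info
    return result


def compare(inv, listed):
    """Match disk contents against recorded hashes: match / mismatch / missing."""
    status = {}
    for name, md5 in listed.items():
        if name not in inv:
            status[name] = "missing"
        elif inv[name]["md5"] == md5:
            status[name] = "match"
        else:
            status[name] = "mismatch"
    return status


def build_sample_dir():
    """Constructed sample: a placeholder 'flood' and a zero-byte 'gosh.tgz'."""
    d = tempfile.mkdtemp(prefix="hp-artifacts-")
    with open(os.path.join(d, "flood"), "wb") as f:
        f.write(b"constructed placeholder, not the real sample\n")
    with open(os.path.join(d, "gosh.tgz"), "wb"):
        pass
    return d


if __name__ == "__main__":
    inv = inventory(build_sample_dir())
    for name, info in inv.items():
        print(name, info)
    print(compare(inv, LISTED))
```

The sha256 column is there because MD5 collisions have been practical for years; keep both so the MD5 still lines up with older reports while the SHA-256 is what you actually trust.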

Some of this isn't malware, but IRCbots. I guess someone is trying to flood a channel. Didn't work, but I'm not here to help them with it.

I'm in a discussion with a pretty good reverse engineer about starting a blog dedicated just to the malware from my honeypot and what it does, where it came from and who (if we know) is responsible. So once we get to that we will start posting write ups for each piece of malware we find (hopefully).

I'm still trying to learn Reversing better and this gives me an opportunity to work on some more tools/malware.

Thursday, March 4, 2010

File analysis from memory

One of the things I find most helpful in the analysis of a possibly hacked system is to really comb through the memory. Having direct access to the system's memory and pagefile, or at least an image of the memory and a copy of the pagefile from the same time, is extremely helpful in investigating whether a system has been compromised. With the sophistication of attacks these days it may be the only way that you can tell if the system has been compromised or is still compromised.

One thing I have found attackers do is mount a drive or create a virtual drive, launch their attacks from there and then remove the drive, leaving nothing for the investigator to pull off the hard disk. There may be some residual traces in the logs etc., but does that let you find out what they did, or does it just give you an idea that something was done?

The attacker would then have their programs running on the system and, unless the system was restarted, full control of whatever they were doing. How often do you restart a mission critical server? Probably nowhere near as much as you should.

When I do memory analysis I like to use three sets of tools: Strings/Grep, Memoryze/Audit Viewer, and Volatility.

While I'm sure most have used Strings/Grep, not everyone has used Memoryze and/or Volatility. While I'll go over both of the tools in a later post, I'll say that I am drifting away from Volatility and using Memoryze more. Memoryze supports a great deal more OSes, and it doesn't seem as if the primary developer of Volatility has done much to advance the program.

The whole point of the post though is the support for file acquisition from memory. While both programs seem to give you the ability to reconstruct the program from memory, I haven't had much success in getting the accompanying drivers with the executable in Volatility. I've also found that Memoryze works extremely well with the MRI (Malware Rating Index), but unfortunately this only works on live memory. In email exchanges with the developer (Peter Silberman) he was kind enough to explain the reasoning in terms that a moron such as myself could understand.

I'll try to break it down into Barney terms here. When the system memory is dumped you are taking a snapshot of the memory, but you are not taking the pagefile. This is critical for the rating and analysis of memory. Even if you grab the pagefile and then try to merge the two to create a better snapshot, the system is constantly paging files out and back in. By the time you are done snatching the memory, the chunks that were paged out to point A may have moved to point R or not exist at all, so the reference is invalid. He did a much better job of explaining, to the point of even including stack references. If I tried to mimic what he said without plagiarizing, my license to use the internet would be revoked.

So while this post wasn't too exciting, I plan on more in-depth useful information in the future. I'm working on a head to head smack down between Volatility and Memoryze. I've heard there is a bit of bad blood between the two teams, so maybe an unbiased look will help.

Wednesday, February 17, 2010

Who's selling APT today?

Oh the shame. I used APT in my blog. I USED A BUZZ WORD! How can I look myself in the mirror?

Who cares?

The fact is that one half of the info sec community is sick of hearing about APT and the other half is doing everything they can to sell themselves with "Advanced Persistent Threat". We have all these companies and pontificating "read my book" "super-star" security bloggers pushing their products, their services, their thoughts, their speeches, their dead-trees, etc., etc., etc., until I am tired of hearing their BS as well. I mean honestly, do I need to be told to read your F'ing book every time something happens? It was written five years ago. Get new material.

What matters most is that APT is real. It may not directly impact everyone in information security, but it does impact everyone indirectly at least.

It doesn't matter if Google was full of crap with half their statements about what they will do to China next. It doesn't matter that APT uses off the shelf products as much as home brew and every idiotic inexperienced moron with an Anti-Virus setup will claim that the "enemy is at the gates" or inside for that matter.

No, what matters is that it has people's attention and they start treating things like they should. Even if it's for a little while, it's more than what you had before. The worst it can do is make your job harder. Let's face it, if your job is harder are you not still employed? I can go down to the next ISSA meeting and find someone who will trade you positions if you feel like bitching about your job. Up to you.

There is no magic IDS system that will find APT. Even though it's claimed that you can scan a whole month's worth of traffic in just a few minutes, I highly doubt you will need to worry then. Most times they are not after the local software developer with 4 people on staff. The attackers will steal your stuff from a bigger source anyway.

There is no single firewall that will keep them out. You have to have holes to let stuff in and out. The attackers know how to find your holes and they know how to exploit them. If you think a firewall will save you, then you need to go back to 1998.

Your AV system will not always find them and clean them out. What if you are using the same tools? What if they popped a box that was out of the network, dumped your password and then crashed the hard drive? Would you even see the logs or malware that was left there? Then they have access to your network without using malware.

Scanning your logs alone will do nothing but hurt your eyes. Can you identify every single login in your network? If you can, then you probably are not a target. Can you identify every single time a user logs in and not a script? Can you identify every system the user has permission to log into? Do you have a single server that the user is assigned to? So if that user has to check out a file from another server, do they ask a local administrator to do it? We all know those local admins will NEVER elevate someone's permissions to save time.

Then there is training. How many of your users know not to open every PDF they come across? Or how about those links that get sent in? That awesome flash video demonstrating the effectiveness of the military's new weapons? Who's responsible for checking it? Do you want that job or should we just send the link to the "super star" security guy? He will solve all your problems.

It takes an effort of all these things and more. It's going to take an investment of time, money, people and effort. It's not going to come out of reading one guy's blog, book or sales material. It's going to take new innovative ideas. The bad guys are thinking up new ideas all the time. They can stockpile 0 days. If Joe Snuffy finds a 0 day, do the higher ups shrug him off as an inexperienced moron? I'm sure some of you have blown off or intimidated some lower person in the food chain regarding an idea. Maybe they told you and you dismissed it, or maybe they were too scared to tell you. Either way you may have lost out. YOU may be a "super star", but you don't know everything and he may not have read your book. Listen and learn.

No environment is the same as another, but if you are not looking at what you have and wondering how to make it more secure: just shut off your firewall, shut off your computers, and ship the hard drives to China/Russia/Korea/wherever.

Your excuse is that you don't have the money for gear: you have systems already. Virtualize. Do what you have to.

You don't have money for software. BS! There is plenty of free stuff, and if not there are plenty of scripting languages to learn that can help you.

You don't have the experience. How the hell did you get that job to begin with? Pick up some books, ask some friends, join some social network sites. Don't put your company info out there, but absorb everything you can.

Wednesday, November 25, 2009

Acer Aspire One D250 Windows recovery

I thought I would be smart and throw Ubuntu on my netbook as soon as I got it. While not being a big fan of Ubuntu, my preferred option of Archlinux had some issues with the D250 that I didn't want to resolve right away. So I loaded up a spare USB stick with Ubuntu and created a dual boot system.

Fortunately I was smart enough to leave the recovery partition alone.

I tried out Ubuntu 9.04 and found that I really just didn't care for the feel of it on the netbook. I have it loaded on a laptop and it works fine, but for the netbook it never "felt" right. So now comes the tricky part. How do I remove it without a CD drive? How do I get the system back online? First off don't boot into the recovery partition. That will screw up Grub and you will have to reinstall it to get it to work. (I did, and I'll include those instructions later.)

Boot into your Windows load and download http://www.partitionwizard.com/ . There are others out there that are similar, but this one is FREE as in beer and does the job quite well.

Use Partition Wizard to change the partition type of the recovery partition to NTFS. Mount the drive and then run the MBR recovery program. Many times it will have MBR in the filename, but mine did not. This will remove grub and put the Acer MBR back on the system. Just remember to change the partition type back to the Compaq type afterwards, so that you don't accidentally overwrite your recovery partition.

I've since purchased Windows 7 and installed that. I don't know if it's everything that Micro$oft claims it to be, but I do like it better than Vista. Vista just plain sucked. It has a lot of the look and feel of Vista, but it works.

Wednesday, September 9, 2009

Volatility

So the group I am working with is more fledgling than we would like to be. Granted, I work with some really brilliant folks. They honestly make me feel stupid with the amount of knowledge they have, but one thing we are lacking is a good memory analysis technique. We spend countless hours poring through the process dumps off of a box and then I'm not sure that it does any good. Let's face it, after multiple hours of looking at useless lines of code/commands/garbage you may miss the important stuff. Fortunately we always have an idea of what we are looking for. When will our luck run out?

So I have been looking at Volatility. I'm impressed and I'm disappointed.

The first disappointment that I have is with the connections command. I've dealt with numerous pieces of Malware that beacon, establish a connection as needed and then drop off to only connect again if the beacon returns a specific reply. It doesn't establish a connection nor does it listen on a port. I've found no way for Volatility to give me information on any connection attempts or IPs that the Malware is trying to talk to on an irregular basis.

The second disappointment is I haven't found a way to find any commands issued to a program. Many times memory will retain the list of commands, and at times the passwords for specific encryption that were typed at a terminal and executed on the software. It would be very helpful if there were a way for Volatility to gather this information and tell which commands were executed on which pieces of malware. Now this becomes an issue with privacy. Not sure how to get around that.

Now what impresses me is the amount of information that you can recover from memory by issuing a few commands. Many of the items that you would usually need SysInternals for you can now get from memory. Many times if there is a rootkit or a hidden piece of malware then you won't get any return from the SysInternals tools.

Example: There are ways to configure a secondary route. Possibly VPN subversion or just a forced route to a malicious site. SysInternals does not always show this location. Using Volatility you have a possibility to pull this information back. Does it always? No. This is where it's not always best to just rely on this tool to do the work for you.
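Both of the gaps above (beacon destinations that never show up as an established connection, and the Strings/Grep pass from the memory analysis post) can be partly covered with a plain string sweep over the image, as long as you also pull UTF-16LE strings, which is what most Windows user-mode code stores and what a default `strings` run misses. The script below is an added example and not Volatility or Memoryze code: it extracts ASCII and UTF-16LE strings from a raw dump with their offsets, then filters them for IPv4 addresses and URLs. The "memory image" it scans is a small constructed byte string. Two caveats a practitioner should keep in mind: an address found this way is a residue, not proof that a connection was made, and anything that was paged out at capture time is simply not there, which is the pagefile problem from the earlier post.

```python
import re

# Indicator patterns applied to each decoded string.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL_RE = re.compile(r"\bhttps?://[\w.-]+(?::\d+)?(?:/[\w./?=&%-]*)?")


def extract_strings(blob, minlen=6):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs.

    The UTF-16LE pattern is 'printable byte, NUL' repeated, which is how
    Windows stores Latin text in wide strings; plain `strings` without
    the -el option skips these entirely.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % minlen)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % minlen)
    for m in ascii_re.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(blob):
        yield m.start(), "utf16", m.group().decode("utf-16-le")


def find_network_indicators(blob):
    """Return sorted unique IPv4 addresses and URLs found in any string."""
    ips, urls = set(), set()
    for _, _, text in extract_strings(blob):
        ips.update(IPV4_RE.findall(text))
        urls.update(URL_RE.findall(text))
    return sorted(ips), sorted(urls)


def build_sample_dump():
    """Constructed pseudo memory image: padding, an HTTP request fragment,
    a wide-string URL, a short ASCII command line and a wide-string path."""
    parts = [
        b"\x00" * 64,
        b"GET /beacon?id=1 HTTP/1.1\r\nHost: 192.0.2.44\r\n\x00",
        b"\xff" * 17,
        "http://example.invalid/check".encode("utf-16-le"),
        b"\x00\x00",
        b"cmd.exe /c",
        b"\x90" * 33,
        "C:\\Windows\\Temp\\x.dll".encode("utf-16-le"),
    ]
    return b"".join(parts)


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, enc, text in extract_strings(dump):
        print("0x%08x %-5s %s" % (offset, enc, text))
    print(find_network_indicators(dump))
```

On a real image replace `build_sample_dump()` with `open(path, "rb").read()` (or a memory-mapped file for multi-gigabyte dumps), and feed the offsets back into your memory tool to see which process owned the page; the string alone does not tell you that.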

It definitely has potential and I'll continue to watch, but I can't rely on it just yet.

Wednesday, September 2, 2009

Certifications in IT and Security specifically

Over the past 10 years, or maybe a little less, I have held a handful of different certifications. I only place CISSP on my business cards and email signature block, simply for the fact that it's considered the "Number One" security certification and lends a little credibility with those people who are not familiar. Let's face it, how many times have you had to talk to someone who acts like you are the most incompetent person around because you tell them they need to fix something? Having a little credibility helps...a little.

That being said I was listening to a podcast this morning on my drive to work and the speaker made a joke out of "at least he's not a CISSP". Interesting. Is it he's not a CISSP because he doesn't want to be? Or is it he's not a CISSP because he hasn't taken the test?

I know there are plenty of people who hold their certifications like some badge that suddenly gives them access to all the knowledge that could possibly be possessed. I am truly ashamed to be grouped with those people.

But by the same token there are tons of people who are jealous of those who are certified, or scared to take the test, and make every effort to mock the people who were successful enough to pass it. After I passed my CISSP I told some people who were genuinely interested in my results. One of them decided to announce it to the office. Interestingly enough, out of the blue someone walks up to me and states "just because you have the CISSP doesn't mean you know anything". At no point have I declared "I am supreme commander of all security knowledge", but I was a challenge to this person and was basically told where my place was.

When I was a more junior network engineer I completed my CCNA, CCDA and started on my CCNP. I was only about 3 years into working with Cisco, but I considered myself decent for what I had accomplished. After passing my first CCNP exam a project manager approached me and told me "congrats, now we just need to get you some skill to go with the certifications". At the time I was the only one on the team who could spell Cisco, but I had rubbed this guy the wrong way, and it was later proven in a court case (that I wasn't involved in) that this man had some 'racial' issues. However, it definitely put a chip in my confidence. I passed one more and never advanced any further.

The reason I go for certifications is plain and simple. My own personal challenge. If I have to study say Encase (my current project) then why shouldn't I attempt the EnCe? It's not to rub it in someone's face. I'm currently the most versed person on EnCase in my office. So what does it accomplish? Nothing, but my own personal satisfaction. I can put it on my resume. It may give someone who asks my advice a little confidence in my answer, but it doesn't prove I have the right to hold my nose in the air and piss in someone's grapenuts. I can do that without a cert. Just means I know enough to pass the test and can retain the information I have read/heard/learned.

With all that being said, a certification means as much as anything else. I know people with EE degrees, Masters and a couple of borderline PhDs who are complete and utter morons. I know people who haven't finished 9th grade who are sharper than most Doctors.

So if you know of someone that is studying for a certification do one of two things: help them/support them or shut the hell up. If it isn't worth anything let the market decide. If it's on DoD 8570.1 it will only help them find a job. If they pass and get a big head on their shoulders, give them a difficult task. If they complete it well again shut the hell up or prove you're better. If they fail explain why they failed, show them how much they have to learn and help them learn it.

So to summarize: if you are not helping someone advance their knowledge, but only complaining about someone else's achievements, you're the problem, not the certification. If you don't want to take the test, fine. I don't judge on what alphabet soup you have behind your name. But if you only look better when someone else falls on their face, perhaps you're the reason IT is beginning to look more like the office politics that everyone goes into IT to avoid.