Your IT Auditor Sucks
by phil on Jul.10, 2008, under Uncategorized
So a friend of mine sent me a link to a small article on ZDNet. The article contained an interesting quip about someone setting up a website to rate auditors: ratemyauditor.com.
After thinking about it for a bit I realized how awful an idea it is. Rate my auditor is either the worst idea (if it is not an anonymous service) or the worst idea (if it does allow anonymous comments) I’ve ever heard. People hate being audited, no matter what. Especially IT audits. Why? Because IT people put a lot of blood, sweat and tears into making sure a system works. The audit firm sends in a young 20-year-old with a 10 page checklist telling him exactly what to look at. There’s no context, no risk evaluation. Just a kid with a checklist, and if one of those checks fails then, at best, the IT department has a meeting with the execs and, at worst, it gets outsourced to India. (I’m obviously going a little overboard here.) This also makes dealing with the IT department very difficult as they have to defend every decision made against a checklist. It shouldn’t be like this, but this is what happens because a subject matter expert who knows Unix cold costs $250 an hour while an intern only costs $80. So of course you get an IT guy, who already knows his way around the internet, pissed off because the auditors don’t know the difference between CONSOLE and FTPACCESS, so what is he to do? He could complain to management but they likely won’t listen. He can’t complain to the auditors. So what is he to do? He will go online and sound off on some website saying that the people at firm XYZ don’t know anything about Unix. If another company starts looking and they find out that firm XYZ doesn’t know Unix, then how can that company faithfully rely on a SAS70 performed by that firm which specifically tested Unix logical access controls?
This could go the other way too. A lot of IT folks, especially in smaller shops or shops that have grown organically, don’t understand what being audited means, why SOX matters to them and what controls are. All they know is that people have access, security is pretty tight and things just work. It can be very frustrating for them when they’re told that the lockout threshold should have been set to 3 instead of the 8 they have set now. They can’t argue against the auditor. They can’t complain to management, so they will go online and write that Firm ABC doesn’t understand how their IT works. Since it is all anonymous it doesn’t matter how long a diatribe they write.
Now the other side, non-anonymous comments (i.e. so-and-so from company GDC), wouldn’t work either. People are not going to complain because the second a partner finds out John complained he’s going to call his friend on the audit committee and John is going to be having a meeting with an executive. Executives probably won’t complain either because they would be concerned about the image it gives their company *and* the strain it would put on their relationships with partners.
Finally, I doubt it would ever contain any negative ratings because the second a firm finds out about a negative rating they’ll sic their law firm on the site to get the comment removed. All in all I prefer the current method of allowing clients to review your performance in private and sending that to the partner level, which helps decide their bonus. This way crap auditors get to learn they’re crap (supposedly) and can learn how to improve instead of never hearing the complaint until they stumble on ratemyauditor.com.
Eh tu Brutus? Medusa vs the Hydra
by phil on Jun.01, 2008, under Security
To follow up the rousing discussion about Microsoft’s COFEE (thanks Peter!) I thought I would bring to you the marvelous world of brute forcing logons. On Linux there are two wonderful tools for brute forcing multiple protocols: THC-Hydra and Medusa.
THC-Hydra, made by The Hacker’s Choice, was really the first brute forcing pentest tool to use multiple threads and support multiple protocols. The most recent version was updated 2 years ago. You can find the most recent version and more information here: http://freeworld.thc.org/thc-hydra/
Medusa was made by Foofus. It was really built because the developer wasn’t happy with the way THC-Hydra was handling threading. The most recent version is about a year old. You can find more information here: http://www.foofus.net/jmk/medusa/medusa.html
Both tools fundamentally do the same thing, they allow you to specify a username (or supply a list of usernames) and a list of passwords to test against a given protocol. For this test we’re going to try to brute force the user ‘Brutus’ on the local machine using SSH.
One little caveat, I went into this task assuming that Medusa would leave THC-Hydra’s stone corpse sinking to the bottom of the ocean.
The Setup
To test each tool I installed Vector Linux to a new VMware image. Vector Linux is a great lightweight Linux distribution based on Slackware, made for older machines, and is really fast.
Compiling
I compiled each tool from source by issuing the ol’ ‘./configure, make’ and running the compiled binaries. This is where I hit my first snag with THC-Hydra. Vector Linux comes with only the newest version of the SSH libraries. After working for about an hour I was finally able to force it to use a downloaded older version of the libraries. Medusa, however, uses the newer libraries and was able to compile without any hiccups. Each tool has its own set of dependencies for the various brute forcing options. For example, in Medusa you would need extra libraries to brute force Subversion (SVN) logons.
Testing the tools
Hydra and Medusa have their own syntax, but they are very similar. To run the test with Hydra I entered the following command:
./hydra -l brutus -P /home/grassmunk/dict.txt 192.168.1.130 ssh
The Hydra command works like this: the -l is the username you want to test, in this case ‘brutus’. The -P is the password file you want to use. Once you’ve established the username(s) and passwords to test you simply tell Hydra which server to use, in this case 192.168.1.130, and the protocol to use, which was ssh.
Here’s where I hit my second snag.
./hydra: error while loading shared libraries: libssh.so: cannot open shared object file: No such file or directory
So even though it compiled fine it wasn’t able to locate the library files. I copied that damn file everywhere but to no avail.
To test Medusa I entered the following command:
./medusa -h 192.168.1.130 -u brutus -p /home/grassmunk/dict.txt -M ssh
As you can see the syntax is very similar. The -u is the username, the -p is the password file and the -M is the protocol to use (which Medusa calls a ‘Module’).
This is where I hit my first problem with Medusa: after running the command it crashed and spit out this lovely debug information

It was at this point I was about ready to give up. Neither of these tools was really usable or good at testing SSH brute forcing. One needed old SSH libraries to work and the other crashed and burned upon the first use.
Seeing as this might be due to Vector Linux I tried each tool in BackTrack. BackTrack is a pentester’s Linux live CD distribution. It has a lot of tools you can use to scan, test and break into systems. You can find it here: http://www.remote-exploit.org/backtrack.html
With BackTrack loaded I was able to test each tool, and the outcomes were astounding! For a newer and better tool, Medusa was the slowest and least usable of the two. Medusa would fail after 4 or 5 logon attempts. Initially I thought this was due to my configuration of SSH, but THC-Hydra had no problems blowing through 42 logons every second.
I also tested FTP on Vector Linux, which worked in both tools, and the results were exactly the same. THC-Hydra runs flawlessly while Medusa stops after a handful of logons.
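The flip side of the speed figures above is what they look like from the server: a run at 42 logons a second leaves a very loud trail in the SSH daemon’s auth log. The following is an added example, not code from the original post or from either tool, of a small detector that reads OpenSSH ‘Failed password’ / ‘Accepted password’ lines, counts failures per source address in a sliding time window, and reports a burst, plus any later successful logon from a source that was already bursting (i.e. a guessed password). The log lines are constructed for the example, and the threshold (5 failures) and window (10 seconds) are assumptions chosen for illustration; tune them to the host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH auth log line: syslog prefix, then the sshd password result.
# Matches both "Failed password for brutus ..." and
# "Failed password for invalid user admin ..." as well as "Accepted password ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2008):
    """Return a dict for a password-auth line, or None for anything else.

    syslog timestamps carry no year, so one is supplied (assumed 2008 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def find_bruteforce(lines, threshold=5, window_seconds=10):
    """Scan log lines in order; return (alerts, compromised).

    alerts:      [(src, failures_in_window, time_of_alert)] once per source
    compromised: [(src, user, time)] for an accepted logon from a flagged source
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    flagged = set()
    alerts, compromised = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ev["ts"])
            # drop failures older than the window
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, len(q), ev["ts"]))
        elif src in flagged:
            # a success right after a burst is the signal that matters most
            compromised.append((src, ev["user"], ev["ts"]))
    return alerts, compromised


# Constructed sample log: a six-guess burst followed by a hit from one host,
# two widely spaced failures from another, and some unrelated noise.
SAMPLE_LOG = [
    "Jun  1 12:00:00 vector sshd[2101]: Failed password for brutus from 192.168.1.50 port 40001 ssh2",
    "Jun  1 12:00:00 vector sshd[2102]: Failed password for brutus from 192.168.1.50 port 40002 ssh2",
    "Jun  1 12:00:01 vector sshd[2103]: Failed password for brutus from 192.168.1.50 port 40003 ssh2",
    "Jun  1 12:00:01 vector sshd[2104]: Failed password for brutus from 192.168.1.50 port 40004 ssh2",
    "Jun  1 12:00:02 vector sshd[2105]: Failed password for brutus from 192.168.1.50 port 40005 ssh2",
    "Jun  1 12:00:02 vector sshd[2106]: Failed password for brutus from 192.168.1.50 port 40006 ssh2",
    "Jun  1 12:00:03 vector sshd[2107]: Accepted password for brutus from 192.168.1.50 port 40007 ssh2",
    "Jun  1 12:00:05 vector sshd[2110]: Failed password for invalid user admin from 10.0.0.7 port 51000 ssh2",
    "Jun  1 12:05:05 vector sshd[2111]: Failed password for invalid user admin from 10.0.0.7 port 51001 ssh2",
    "Jun  1 12:06:00 vector sshd[2112]: Connection closed by 10.0.0.7",
    "Jun  1 12:07:00 vector sshd[2113]: Accepted password for phil from 10.0.0.9 port 52000 ssh2",
]


if __name__ == "__main__":
    found, hits = find_bruteforce(SAMPLE_LOG)
    for src, n, ts in found:
        print(f"{ts}: {n} failed logons from {src} within window")
    for src, user, ts in hits:
        print(f"{ts}: ACCEPTED logon for {user} from {src} after burst")
```

On a real host, feed it `/var/log/auth.log` (or wherever sshd logs on your distribution) rather than the constructed list. The ‘Medusa fails after 4 or 5 attempts’ behaviour above is worth keeping in mind when reading such logs too: sshd’s MaxAuthTries setting (6 by default) closes a connection that keeps guessing inside one session, so a tool that opens many connections will produce far more log lines than one that tries to reuse a single session.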
Conclusion
When I first discovered Medusa I was really excited. It sounded like a faster and newer tool than THC-Hydra, but in the end The Hacker’s Choice really stands true. It’s the best and fastest tool out there and the easiest to use.
Note: I also tested a tool included with BackTrack called SSHater. I can’t say how disappointed I was with this tool. When I set up the servers I picked a password and put it around the 900th or 901st position in the list so I could see what happened when the tool returned a positive. SSHater tested every password with multiple errors, passed over my password without even blinking and continued on. I waited until the tool went through every password and it didn’t say anything. As far as I could tell SSHater just lists the passwords and a bunch of errors. I didn’t bother looking at the SSH log to see if it was actually trying to initiate connections though.
Microsoft serves up some Hot COFEE
by phil on May.09, 2008, under Security
Microsoft just recently released a tool to help IT security people do their forensics work. The tool is called COFEE (Computer Online Forensic Evidence Extractor) and it’s a USB key with U3 capabilities. A U3 USB thumb drive works such that Windows accepts the drive as a CD with autorun capabilities. Once inserted the USB key drive goes to work collecting what it can using whatever tools Microsoft has at its disposal. Here’s an excerpt from their site:
COFEE (Computer Online Forensic Evidence Extractor) is a framework for first-responders to customize a set of command line tools. It is a framework that law enforcement can use to leverage publicly available tools to access information on a live Windows system operating from a USB storage device. The tool allows law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.
Now the problem I see with this tool is you have to initiate the scanning manually. What if you’re trying to gather data off of a running headless server? You’ll have to get a username and password for the server which might prove difficult if you’re law enforcement.
Unfortunately Microsoft is only providing this tool to those in Law Enforcement and so far only Interpol. So what can we, the lay person, use? Well there are plenty of alternatives out there.
Linux Live CDs
There are a multitude of Live CDs out there to choose from for this type of work. BackTrack gives you a slew of forensic tools and others such as adding a user to Windows and downloading the entire LM hash database. There’s also Helix, which provides you with a multitude of forensic tools. The only problem with a live CD is that you must shut down the machine and reboot it into Linux. This erases all memory on the machine. One of the upsides, however, is you can mount the Windows hard drives read only.
Hak5’s USB Switchblade
This is where I think Microsoft got the whole idea for this anyway. It’s basically a USB key that has U3 and contains a whole slew of tools for gathering evidence. The key with Switchblade is that it doesn’t need any interaction from a user. The main downside is it can get caught by anti-virus software. You can find information about the tool and download it here: http://wiki.hak5.org/wiki/USB_Switchblade.
In the end Microsoft really isn’t doing anything new here. The reason everyone is in an uproar over this is because privacy experts are concerned COFEE is using some as yet unknown backdoors into Windows. While I doubt that’s the case, it is interesting that Microsoft is only releasing COFEE to law enforcement and no one outside that area is allowed access to the tool. That doesn’t mean people won’t get access, but if it smells fishy it’s probably fish.