Turn your information security training or awareness talk into a hands-on exercise based on a real incident

Page 1

In this talk you will learn how information security awareness training can be delivered to IT staff, like developers, management and helpdesk personnel, using actual incidents to create a lasting impression. The training exercise will investigate an actual compromised system recreated on a VMware image. Using this hands-on approach, the attendees will review the system; find the vulnerabilities, the hidden folders and files; and practice cleaning up the system - all the while documenting their findings and following the organization’s incident handling procedures. Attendees will learn how a hands-on approach in a lab setting can be an effective learning tool.

Page 2

- Turn your information security training or awareness talk into a hands-on exercise based on a real incident using VMware.
- This gets the students involved, so they will retain more.
- By using an example of a real incident at your organization, you can drive home the importance of information security incident handling and apply the lessons learned.
- If your organization does not practice incident handling, how will you know your organization is ready for a real incident?

Page 3

Configuration

- It is best to use a real incident that impacted your organization.
- For this presentation, we will recreate an incident I was involved in.
- We will use VMware running a Windows 2000 Server.
- We will be setting up a Warez site for bootlegged movies and a key logger.

Installation

- Using VMware, install the Windows 2000 operating system.
- Make sure the server is vulnerable to the null session exploit.
- Create ‘illegal’ folders.
- Copy and hide files.
- Install and start the FTP server and key logger.

Page 4

The Incident Background

- Users notice that the system is running out of disk space.
- Server administrators cannot account for several gigabytes of disk space.
- Network traffic from the Internet is observed going to and from the internal server.
- Your group is called in to investigate and handle the incident.
- It is important to properly set up the scenarios.
- Give the audience clues on what to look for:
  Missing disk space
  Network connections
- It is best to follow your organization’s incident response procedures.
- This can be part of a larger training plan, an awareness exercise or just a demo for management.

Page 5

The Purpose and Rules

The point of the exercise is to determine what happened and clean it up. To achieve this purpose we should:

- Work together in teams
- Be able to explain what your team did and discovered
- Focus on learning, not just cleaning up the system

What are your organization’s incident handling policies and procedures with respect to:

- Record keeping?
- Informing management and system owners?
- Human Resources and Legal notification and involvement?
- When to engage Human Resources, Legal, Compliance, Management, ISO, CTO, CEO?
- What about outside notification? Law enforcement, the press, the public? Think privacy breach laws!

Page 6

The Teams

- The exercise should be a team effort.
- Involve members from different IT groups or departments.
- The strongest technical person needs to explain the process and results clearly so the entire team understands.
- A time limit with milestones should be used – provide hints if teams get stuck – it is better to learn in a training exercise setting than in a real incident.

The Tools

- Provide any additional tools needed on the VMware image.
- The tools you provide will depend on the technical level of the students.
- For short exercises, provide teams with all necessary information.
- For longer exercises, allow the use of outside information.
- Keep it simple; you will want to provide all the tools needed to complete the exercise.
- The exercise should not become a treasure hunt for the tools.
- This helps limit the scope of the exercise. For example, there is no need to bring in EnCase for forensic investigation.
- You may want to include:
  Pens and paper for incident handling notes, recording times
  White boards, large note pads or an overhead for the debrief walk-through

Page 7

The Walk Through

- Identify the accounts with weak or no passwords.
- In this case, the vulnerability is null sessions - a “feature” of Windows 2000. It is still around in all versions of Windows by default. Null sessions allow the Bad Guys to enumerate system information (usernames, shares, etc.) without logging in first. But the Bad Guys could have used any Windows 2000 vulnerability to break in.

Page 8

- For Windows 2000, the hidden folders can be accessed from the desktop with Start > Run and then the host IP address, name of the share and then the path name – all in quotes, for example: “\\192.168.10.128\c$\aux\ \com3 \HiddenFolder”. Note there is a non-printing alt-255 character after com3.

Page 9

- For Windows XP, use Start > Run “c:\aux\ \com3 \HiddenFolder” (don’t forget the alt-255 after com3) to access the folder. Just double clicking on ‘aux’ can hang Explorer under both Windows 2000 and Windows XP.

The Walk Through

- To find hidden folders and files in them, use Windows search and look in the common hiding places:
  \Winnt or \Windows system folders
  Documents and Settings
  Recycle bin (e.g., c:\recycler)
  Only limited by the Bad Guy’s imagination

Deleting the folders

- This example uses the reserved name folder trick and Alt-255*
- The Bad Guys have hidden their files in a folder with an illegal folder name (e.g., AUX, COM1, PRN, LPT1).
- Works under at least Windows 2000, Windows XP and Windows 2003.
- These folders cannot be deleted using normal methods.
- See How to Remove Files with Reserved Names in Windows from Microsoft (http://support.microsoft.com/?kbid=120716).

* Part of the Extended ASCII Character Set, alt 255 is a non-printing null character. Because it is not printed, it appears to be a space.

There are at least two methods you can use to delete these folders:

- Using the rm.exe tool from the Windows Resource Kit:
  rm -d "//C/Program Files/Subdir/COM1"
- The rd command with special syntax:
  rd /s \\.\c:\aux
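The reserved-name trick above is easy to miss by eye because the Alt-255 character shows as a blank. The following Python script is an added example for this walkthrough (it is not part of the original slides or the GCIH paper): it normalises each path component, flags anything that resolves to a Win32 reserved device name, and builds the `rd /s "\\.\C:\..."` removal command from the Microsoft KB article. The sample paths are constructed, with `\u00a0` (non-breaking space) standing in for the typed Alt-255; the reserved-name list is the standard Win32 set, not something taken from the slides.

```python
# Added example (not from the original slides): spot folder names built with
# the reserved-device-name trick and build the "rd /s \\.\..." removal form.
import os
import re
import unicodedata

# Win32 reserved device names; the comparison is case-insensitive.
RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Local-drive path such as "C:\aux\..."; the \\.\ prefix only applies to these.
LOCAL_DRIVE = re.compile(r"^[A-Za-z]:\\")


def _core_name(component: str) -> str:
    """Drop an extension, then every whitespace, control or format character.

    Alt-255 is typed as a non-breaking space, so a folder "com3<alt-255>"
    looks like "com3 " in Explorer; after this normalisation it is "com3".
    """
    core = component.split(".", 1)[0]
    return "".join(
        ch for ch in core
        if not ch.isspace() and unicodedata.category(ch)[0] not in ("C", "Z")
    )


def is_reserved_name(component: str) -> bool:
    """True when a single path component resolves to a reserved device name."""
    return _core_name(component).upper() in RESERVED


def find_reserved_components(path: str) -> list:
    """Return every component of a Windows path that is a reserved name."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    return [p for p in parts if is_reserved_name(p)]


def scan_tree(root: str) -> list:
    """Walk a directory (for example a mounted copy of the VMware disk) and
    report folders or files whose own name is reserved, as (path, name) pairs."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_reserved_name(name):
                hits.append((os.path.join(dirpath, name), name))
    return hits


def removal_command(path: str) -> str:
    r"""Build the KB 120716 style command: rd /s "\\.\C:\...".

    The \\.\ prefix bypasses the name parsing that makes "aux" unreachable,
    and the quotes keep a trailing non-printing character as part of the
    name. The string is returned for the handler to record and run by hand;
    nothing is executed here.
    """
    if not LOCAL_DRIVE.match(path):
        raise ValueError("expected a local drive path such as C:\\aux")
    return f'rd /s "\\\\.\\{path}"'


if __name__ == "__main__":
    # Constructed sample paths; "\u00a0" stands in for the typed Alt-255.
    samples = ["C:\\aux\\com3\u00a0\\HiddenFolder", "C:\\WINNT\\system32", "C:\\auxiliary"]
    for p in samples:
        bad = find_reserved_components(p)
        print(repr(p), "->", bad or "clean")
    print(removal_command("C:\\aux"))
```

Run it against a mounted, read-only copy of the suspect disk with `scan_tree()` rather than the live server, so the search itself does not alter timestamps the incident notes may later need.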

Page 10

The Walk Through

- A Serv-U FTP server was installed as a service using FireDaemon.
- FireDaemon can convert an application to a Windows service.
- It can automatically restart the application if it stops.
- It can be installed and started via the command line.

Page 11

The Walk Through

- Finding unusual services requires knowing what the usual services are.
- This is partly prior knowledge, partly guesswork.
- Google can help identify unknown services.
- Note details of the service, for example the path to the executable.
- The FTP server can be removed by stopping and deleting the service and then deleting the files.

Page 12

The Walk Through

Key Logger:

- Installed via the command line
- Startup added to the registry
- Hidden from the task manager

Page 13

The Walk Through

- What to look for and where to look
- The key logger can be removed by deleting the files and the startup source via msconfig. Msconfig does not come with Windows 2000, but the XP version of msconfig works with Windows 2000. You can use other tools as well, for example HijackThis.
- What about “contraband” files? For example, child pornography.
- What does your organization’s policy say?
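Pages 10 to 13 both come down to the same question: which services and which registry startup entries are not on a clean build of this server, and where do their executables live? The Python below is an added example (not part of the original slides) that applies that check to the two persistence sources the walkthrough names, the service list for the FireDaemon-wrapped FTP server and the `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` key for the key logger. The `reg query` output, the service records and the baseline sets are all constructed for the example; in practice the baselines come from a known-good build of the same server and the records from `reg query` and `sc qc` on the suspect one.

```python
# Added example (not from the original slides): compare the Run key and the
# service list of the suspect server with a baseline and flag what is new
# or lives somewhere an executable has no business being.
import re

# Constructed sample of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# in XP-style output; "<ALT255>" stands in for the typed Alt-255 character.
RUN_KEY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    winupdate    REG_SZ    C:\WINNT\system32\com3<ALT255>\svc.exe /silent
    Adobe Reader Speed Launcher    REG_SZ    "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
""".replace("<ALT255>", "\u00a0")

# Constructed service records; "value" is the BINARY_PATH_NAME `sc qc` reports.
SERVICES = [
    {"name": "Eventlog", "value": r"C:\WINNT\system32\services.exe"},
    {"name": "lanmanserver", "value": r"C:\WINNT\system32\services.exe"},
    {"name": "SrvU", "value": r"C:\RECYCLER\S-1-5-21-1\FireDaemon.exe"},
]

# Stand-ins for what a clean build of the same server shows.
RUN_BASELINE = {"Synchronization Manager", "Adobe Reader Speed Launcher"}
SERVICE_BASELINE = {"Eventlog", "lanmanserver"}

# Hiding places named in the walkthrough, plus any character outside printable ASCII.
SUSPECT_PATH = re.compile(r"recycler|\\temp\\|documents and settings|[^\x20-\x7e]", re.I)


def parse_run_key(text: str) -> list:
    """Turn `reg query` value lines ("    name    type    data") into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # key name line or blank line
        parts = re.split(r"\s{2,}|\t", line.strip())
        if len(parts) < 3:
            continue
        entries.append({"name": parts[0], "type": parts[1], "value": "    ".join(parts[2:])})
    return entries


def executable_of(command: str) -> str:
    """Extract the program path from a command line, quoted or not."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def review(entries: list, baseline: set, kind: str) -> list:
    """Return (kind, name, executable, reasons) for each entry worth a look."""
    findings = []
    for e in entries:
        reasons = []
        if e["name"] not in baseline:
            reasons.append("not in baseline")
        exe = executable_of(e["value"])
        if SUSPECT_PATH.search(exe):
            reasons.append("executable in a hiding place or name has non-printing characters")
        if reasons:
            findings.append((kind, e["name"], exe, reasons))
    return findings


def review_all() -> list:
    return (review(parse_run_key(RUN_KEY_OUTPUT), RUN_BASELINE, "run-key")
            + review(SERVICES, SERVICE_BASELINE, "service"))


if __name__ == "__main__":
    for kind, name, exe, reasons in review_all():
        print(f"[{kind}] {name!r} -> {exe!r}: {', '.join(reasons)}")
```

The baseline comparison does the heavy lifting; the path heuristics only catch the two cases the slides describe (an executable in a hiding place, or a name carrying an Alt-255). Record the flagged entry name and executable path in the incident notes before stopping or deleting anything.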

Page 14

The Walk Through

- What else could be checked?
  User accounts
  Group permissions
  Event logs
  Startup files
  Installed programs
  Network connections
  What else?
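Of the items in that list, network connections are the one the incident background already hinted at (traffic to and from the Internet), and `netstat -an` is all a Windows 2000 box offers without extra tools. The Python below is an added example, not part of the original slides: it parses constructed `netstat -an` output and reports listeners the server's assumed role does not explain, plus established connections whose remote end is outside the internal ranges. The expected listener set and the internal address ranges are assumptions for the lab, and the remote addresses in the sample are documentation-range values chosen for the example.

```python
# Added example (not from the original slides): read `netstat -an` output from
# the suspect server and flag listeners the server's role does not explain and
# established connections to addresses outside the internal ranges.
import ipaddress

# Constructed sample of Windows 2000 `netstat -an` output for the lab server.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    192.168.10.128:139     192.168.10.5:1034      ESTABLISHED
  TCP    192.168.10.128:21      203.0.113.77:3312      ESTABLISHED
  TCP    192.168.10.128:44321   198.51.100.9:6667      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumed internal ranges for the lab (RFC 1918 plus loopback). Spelled out
# rather than using ipaddress.is_private, which also treats documentation
# ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed role: an internal file server. Anything else listening is a question.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}


def split_endpoint(endpoint: str):
    """'192.168.10.128:139' -> ('192.168.10.128', 139); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        rows.append({
            "proto": parts[0],
            "local": split_endpoint(parts[1]),
            "foreign": split_endpoint(parts[2]),
            "state": parts[3] if len(parts) > 3 else "",  # UDP rows carry no state
        })
    return rows


def is_internal(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # '*' wildcard
    return addr.is_unspecified or any(addr in net for net in INTERNAL_NETS)


def review_connections(rows: list) -> list:
    """Return (finding, detail) pairs a handler should write into the notes."""
    findings = []
    for r in rows:
        listening = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if listening and (r["proto"], r["local"][1]) not in EXPECTED_LISTENERS:
            findings.append(("unexpected listener", f"{r['proto']}/{r['local'][1]}"))
        elif r["state"] == "ESTABLISHED" and not is_internal(r["foreign"][0]):
            findings.append(("external connection",
                             f"local port {r['local'][1]} <-> {r['foreign'][0]}:{r['foreign'][1]}"))
    return findings


if __name__ == "__main__":
    for finding, detail in review_connections(parse_netstat(NETSTAT_SAMPLE)):
        print(f"{finding}: {detail}")
```

On the sample this reports the FTP listener on TCP/21 and the two connections to outside addresses, which is exactly the combination the incident background describes. Windows 2000's netstat cannot map a socket to a process, so the listener finding is what sends the handler to the service list.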

Page 15

Discussion

- What steps would your organization take to return the server to production?
- Would you try to clean the server or just rebuild it?
- How would you ensure the server was not re-infected?
- What procedures are in place to return the server to production?
- Who signs off on the server before returning it to production?
- Will the server be monitored once it is back in production?

Page 16

Discussion

- Why was this server compromised?
- What vulnerability made this attack possible?
- How could this have been prevented?

Fixing the Vulnerability

- Edit the registry to add the “RestrictAnonymous” registry value and set it to “2” under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA. The possible values are:
  0 - None. Rely on default permissions
  1 - Do not allow enumeration of SAM accounts and names
  2 - No access without explicit anonymous permissions
- This change can break networks and applications. It should be tested before changing production systems.
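The fix is a single registry value, so the useful exercise is reading the current setting, stating what it means, and producing the change in a form that can be reviewed before it is applied. The Python below is an added example, not part of the original slides: it picks `RestrictAnonymous` out of constructed `reg query` output, maps it to the three meanings listed above, and writes a `.reg` script for the hardened value. The sample query output is constructed; the key path and the `.reg` file format are the standard ones.

```python
# Added example (not from the original slides): read RestrictAnonymous from
# `reg query` output, say what the setting means, and produce a .reg file
# that applies the hardened value.
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Meanings as listed in the walkthrough.
MEANING = {
    0: "None. Rely on default permissions",
    1: "Do not allow enumeration of SAM accounts and names",
    2: "No access without explicit anonymous permissions",
}

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa`
# from an unhardened server (XP-style output).
SAMPLE_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Authentication Packages    REG_MULTI_SZ    msv1_0
    RestrictAnonymous    REG_DWORD    0x0
"""

VALUE_LINE = re.compile(r"^\s*RestrictAnonymous\s+REG_DWORD\s+(0x[0-9a-f]+|\d+)\s*$", re.I | re.M)


def restrict_anonymous_value(query_output: str):
    """Return the DWORD, or None when the value is absent (which behaves like 0)."""
    m = VALUE_LINE.search(query_output)
    if not m:
        return None
    raw = m.group(1)
    return int(raw, 16) if raw.lower().startswith("0x") else int(raw)


def assess(query_output: str) -> dict:
    value = restrict_anonymous_value(query_output)
    effective = 0 if value is None else value
    return {
        "value": value,
        "effective": effective,
        "meaning": MEANING.get(effective, "unknown value"),
        "enumeration_blocked": effective >= 1,   # null-session user/share listing
        "hardened": effective == 2,              # the setting the walkthrough applies
    }


def fix_reg_file(value: int = 2) -> str:
    """Registry script for regedit. As the slide warns, value 2 can break
    networks and applications, so apply it to a lab copy before production."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{LSA_KEY}]\r\n"
        f'"RestrictAnonymous"=dword:{value:08x}\r\n'
    )


if __name__ == "__main__":
    report = assess(SAMPLE_QUERY)
    print(f"RestrictAnonymous = {report['value']}: {report['meaning']}")
    if not report["hardened"]:
        print(fix_reg_file())
```

Re-running `assess()` on fresh `reg query` output after the change is the verification step for the discussion question on how to make sure the server is not compromised the same way again.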

Page 17

- Security awareness talks are not always the most effective.
- Training may be required to demonstrate compliance with policy and regulations – might as well make it effective.
- Can be a team building exercise.
- It is important to make it relevant to YOUR organization.

Page 18

- Know your audience and tailor the exercise for them.
- Take a more hands-on approach for the techies, but maybe a quick demo would be best for management.
- This is inexpensive training once the exercise has been configured and documented.

References:

GCIH Gold Paper - Hijacked Server Serves Up Foreign Bootlegged Pornography
http://www.giac.org/certified_professionals/practicals/GCIH/00447.php

The files and scripts used to set up this Windows 2000 server are available online at: http://drop.io/VB08train