Penetration Testing mailing list archives

Re: Rogue activity methodology (was: Tool to find hidden web proxyserver)


From: "Dejan Markovic" <dejanmarkovic () hotmail com>
Date: Thu, 9 Sep 2004 15:54:39 -0400

Hi Guys,

EtherApe (EtherMan) anyone...?

Regards,
Dan

----- Original Message ----- 
From: "Chris Brenton" <cbrenton () chrisbrenton org>
To: "Pen-Test Mailing List" <pen-test () securityfocus com>
Sent: Wednesday, September 08, 2004 1:51 AM
Subject: Re: Rogue activity methodology (was: Tool to find hidden web
proxyserver)


Note to Moderator:
It might be time to type 8 the list. My last post generated 20-30
bounces, out of office, and auto-spam filtering replies. :(

On Wed, 2004-09-08 at 00:25, Shashank Rai wrote:

Finally, a good assessment of the facts!!

Thank you. :)

"scan your network, run nessus/nmap" or "mirror the ports on the
switch"..... really nice pieces of advice but how practical?? We don't
know what kind of network the guy is talking about.

That was my point and the reason for spawning this thread. Pen-testing
is all about methodology. If you don't have a good process down, you are
going to miss things. I think sometimes we fall back on the tools we are
familiar with as "crutches", rather than:

1) Assessing the facts
2) Establishing goals
3) _Then_ picking the best tools for the job

I obviously can't speak for anyone else that replied, but it *seemed*
like people were recommending nmap, Nessus, etc. simply because they are
great tools. Not necessarily because they were the best tools for the
task at hand.

Agreed, Vinay should have supplied more information or at the least
replied to the various suggestions that have been given in the thread;
on how feasible these solutions are?

To be honest, in a way I'm glad he didn't because it gave us a chance to
see what direction people would run with the limited information he
provided. It would be cool to get a response from Vinay at this point
however to see what worked for them.

You still here Vinay???? ;-)

1) if PCs consist of windows based systems, part of a domain, then as
domain admin, you can find what applications are installed by any user.

I thought of this as well. Certainly if the environment is doing some
form of regular audits the rogue software would stick out like a sore
thumb. The reason I didn't suggest this was because I assumed that if
Vinay had a base line of the desktops he would already know what is
"different" about the systems running the proxies and would not have
needed to ask. I totally agree however that this process would have
nixed the problem as soon as the first user tried to get away with it.

Preferably, have a policy on what users can do with their workstations
and impose it domain wide. And installing proxies or for that matter any
unauthorized software should be a big NO NO.

Again, totally agree. Another point I was not sure of is what level of
access he had to the desktop systems. He could be the only admin for the
entire network, or he could have a job title that lets him tweak the
firewall and nothing else. It's one of those unclear points that would
certainly change what options are available.

2) Secondly, if you have a single point of exit from the corporate
network to the Internet (which I can safely assume, as you have
mentioned about the firewall having IP based access list), then as
suggested by Chris, sniff the traffic at the exit point. Look for proxy
give away like "X-FORWARDED-FOR".

As mentioned the only caveat with this method is a "really smart" user
may disable the tag. Still, it's a *very* easy place to start as it's a
single ngrep command and you can run the tool from Windows, Linux or
UNIX.

Look for traffic patterns: which of
the allowed IPs generates most HTTP traffic. Look at the patterns for a
day or so and then port scan the machines of the top 10 IPs.

I was banging my head on the desk when I read this earlier. I'm really
big on using traffic metrics for security analysis and *totally* missed
this as one of the possible options. True, it's possible to get false
positives (get one legit user cruising a few porn archives and they'll
skew the results ;-). As you said however if you pick on the top 10 or
so and pull metrics from an extended period of time, chances are you
will at least pick off a few of them. Once you know what software is
running and where it's listening, _now_ you can pull out nmap to check
the rest of the network as you have a specific target to go after.

HTH,
Chris



----------------------------------------------------------------------------
--
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
---
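Added example (editor's illustration, not code from any poster in this thread): the two egress-side checks discussed above, run over a constructed sample of HTTP requests as a sniffer at the firewall would see them. The first check looks for the proxy give-away headers (X-Forwarded-For, Via); the second ranks the allowed source IPs by HTTP bytes sent, which still catches a forwarding host whose owner stripped the headers. The host addresses, paths and header values are all made up for the sample.

```python
"""Rogue-proxy indicators at the network egress (added example, not from the thread).

Check 1: header give-aways. A workstation that forwards requests for other
         hosts usually tags them with X-Forwarded-For / Via.
Check 2: traffic metrics. A proxy host sends far more HTTP than one user,
         so rank source IPs by bytes sent and look at the top N, even when
         the give-away headers have been disabled (the caveat in the thread).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Header names that indicate a request was relayed on behalf of another client.
PROXY_HEADERS = {"x-forwarded-for", "via", "forwarded", "x-real-ip"}


def _constructed_requests() -> List[Tuple[str, bytes]]:
    """Constructed sample: (source IP, raw HTTP request) as seen at the exit point."""
    reqs: List[Tuple[str, bytes]] = []
    # 10.1.1.20: an ordinary user, a couple of plain requests.
    reqs.append(("10.1.1.20", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                             b"User-Agent: Mozilla/5.0\r\n\r\n"))
    reqs.append(("10.1.1.20", b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    # 10.1.1.55: a proxy that still emits the give-away headers (six relayed clients).
    for i in range(1, 7):
        reqs.append(("10.1.1.55", (f"GET /a HTTP/1.1\r\nHost: www.example.org\r\n"
                                   f"X-Forwarded-For: 10.1.2.{i}\r\n"
                                   f"Via: 1.1 desktop55\r\n\r\n").encode()))
    # 10.1.1.90: a proxy whose owner stripped the headers; only the volume stands out.
    for i in range(12):
        reqs.append(("10.1.1.90", (f"GET /path{i} HTTP/1.1\r\nHost: cdn.example.net\r\n"
                                   f"User-Agent: Mozilla/5.0\r\n\r\n").encode()))
    return reqs


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Return the request headers with lower-cased names; ignores the request line and body."""
    text = raw.decode("latin-1", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


@dataclass
class SourceStats:
    requests: int = 0
    bytes_sent: int = 0
    proxy_headers: Set[str] = field(default_factory=set)   # give-away headers seen
    forwarded_clients: Set[str] = field(default_factory=set)  # IPs named in X-Forwarded-For


def analyse(requests: List[Tuple[str, bytes]]) -> Dict[str, SourceStats]:
    """Aggregate per-source request counts, byte volume and proxy header sightings."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for src, raw in requests:
        s = stats[src]
        s.requests += 1
        s.bytes_sent += len(raw)
        hdrs = parse_headers(raw)
        for name in PROXY_HEADERS & hdrs.keys():
            s.proxy_headers.add(name)
        if "x-forwarded-for" in hdrs:
            # The header may carry a comma-separated chain of client IPs.
            s.forwarded_clients.update(ip.strip() for ip in hdrs["x-forwarded-for"].split(","))
    return dict(stats)


def proxy_header_hits(stats: Dict[str, SourceStats]) -> List[str]:
    """Check 1: source IPs that sent at least one proxy give-away header."""
    return sorted(ip for ip, s in stats.items() if s.proxy_headers)


def top_talkers(stats: Dict[str, SourceStats], n: int = 10) -> List[str]:
    """Check 2: the n source IPs with the most HTTP bytes sent, busiest first."""
    ranked = sorted(stats.items(), key=lambda kv: kv[1].bytes_sent, reverse=True)
    return [ip for ip, _ in ranked[:n]]


if __name__ == "__main__":
    st = analyse(_constructed_requests())
    print("proxy headers seen from:", proxy_header_hits(st))
    for ip in top_talkers(st, 3):
        print(f"{ip:12} {st[ip].requests:3} requests {st[ip].bytes_sent:5} bytes "
              f"forwarded-for={sorted(st[ip].forwarded_clients)}")
```

In the sample, check 1 names only 10.1.1.55, while the header-stripping host 10.1.1.90 rises to the top of the volume ranking; only once a candidate host is identified this way does a targeted port scan of it make sense, as the thread says.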
