Re: Rogue activity methodology (was: Tool to find hidden web proxyserver)

From: Dejan Markovic (dejanmarkovic_at_hotmail.com)
Date: 09/09/04

    To: "Pen-Test Mailing List" <pen-test@securityfocus.com>
    Date: Thu, 9 Sep 2004 15:54:39 -0400
    
    

    Hi Guys,

    EtherApe (EtherMan) anyone...?

    Regards,
    Dan

    ----- Original Message -----
    From: "Chris Brenton" <cbrenton@chrisbrenton.org>
    To: "Pen-Test Mailing List" <pen-test@securityfocus.com>
    Sent: Wednesday, September 08, 2004 1:51 AM
    Subject: Re: Rogue activity methodology (was: Tool to find hidden web
    proxyserver)

    Note to Moderator:
    It might be time to type 8 the list. My last post generated 20-30
    bounces, out of office, and auto-spam filtering replies. :(

    On Wed, 2004-09-08 at 00:25, Shashank Rai wrote:
    >
    > Finally, a good assessment of the facts!!

    Thank you. :)

    > "scan your network, run nessus/nmap" or "mirror the ports on the
    > switch"..... really nice pieces of advice but how practical?? We don't
    > know what kind of network the guy is talking about.

    That was my point and the reason for spawning this thread. Pen-testing
    is all about methodology. If you don't have a good process down, you are
    going to miss things. I think sometimes we fall back on the tools we are
    familiar with as "crutches", rather than:

    1) Assessing the facts
    2) Establishing goals
    3) _Then_ picking the best tools for the job

    I obviously can't speak for anyone else that replied, but it *seemed*
    like people were recommending nmap, Nessus, etc. simply because they are
    great tools. Not necessarily because they were the best tools for the
    task at hand.

    > Agreed, Vinay should have supplied more information or at the least
    > replied to the various suggestions that have been given in the thread;
    > on how feasible these solutions are?

    To be honest, in a way I'm glad he didn't because it gave us a chance to
    see what direction people would run with the limited information he
    provided. It would be cool to get a response from Vinay at this point
    however to see what worked for them.

    You still here Vinay???? ;-)

    > 1) if PCs comprise of windows based systems, part of a domain, then as
    > domain admin, you can find what applications are installed by any user.

    I thought of this as well. Certainly if the environment is doing some
    form of regular audits the rogue software would stick out like a sore
    thumb. The reason I didn't suggest this was because I assumed that if
    Vinay had a base line of the desktops he would already know what is
    "different" about the systems running the proxies and would not have
    needed to ask. I totally agree however that this process would have
    nixed the problem as soon as the first user tried to get away with it.

    > Preferably, have a policy on what users can do with their workstations
    > and impose it domain wide. And installing proxies or for that matter any
    > unauthorized software should be a big NO NO.

    Again, totally agree. Another point I was not sure of is what level of
    access he had to the desktop systems. He could be the only admin for the
    entire network, or he could have a job title that lets him tweak the
    firewall and nothing else. It's one of those unclear points that would
    certainly change what options are available.

    > 2) Secondly, if you have a single point of exit from the corporate
    > network to the Internet (which i can safely assume, as you have
    > mentioned about the firewall having IP based access list), then as
    > suggested by Chris, sniff the traffic at the exit point. Look for proxy
    > give away like "X-FORWARDED-FOR".

    As mentioned, the only caveat with this method is a "really smart" user
    may disable the tag. Still, it's a *very* easy place to start as it's a
    single ngrep command and you can run the tool from Windows, Linux or
    UNIX.

    > Look for traffic patterns: which of
    > the allowed IPs generates most HTTP traffic. Look at the patterns for a
    > day or so and then port scan the machines of the top 10 IPs.

    I was banging my head on the desk when I read this earlier. I'm really
    big on using traffic metrics for security analysis and *totally* missed
    this as one of the possible options. True, it's possible to get false
    positives (get one legit user cruising a few porn archives and they'll
    skew the results ;-). As you said however, if you pick on the top 10 or
    so and pull metrics from an extended period of time, chances are you
    will at least pick off a few of them. Once you know what software is
    running and where it's listening, _now_ you can pull out nmap to check
    the rest of the network as you have a specific target to go after.

    HTH,
    Chris

    ----------------------------------------------------------------------------

    --
    Ethical Hacking at the InfoSec Institute. All of our class sizes are
    guaranteed to be 12 students or less to facilitate one-on-one interaction
    with one of our expert instructors. Check out our Advanced Hacking course,
    learn to write exploits and attack security infrastructure. Attend a course
    taught by an expert instructor with years of in-the-field pen testing
    experience in our state of the art hacking lab. Master the skills of an
    Ethical Hacker to better assess the security of your organization.
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
