Re: Auditing / Logging

From: Don Parker (dparker_at_rigelksecurity.com)
Date: 01/13/04

    Date: Mon, 12 Jan 2004 18:17:42 -0500 (EST)
    To: "R. DuFresne" <dufresne@sysinfo.com>, Don Parker <dparker@rigelksecurity.com>
    
    

    Well, you raise a valid point as to the commands not being logged.
    Again I would prefer simplicity, so just install a keylogger. There
    is no need to overcomplicate things. Though a keylogger will not work
    on most *nix systems to my knowledge. Though all of this should be
    negotiated with the client prior to the pen test being done, i.e. what
    kinds of logs will be retained and the such. This is one thing which
    should be spelt out clearly prior to any pen test actually taking place.

    Cheers

    -------------------------------------------
    Don Parker, GCIA
    Intrusion Detection Specialist
    Rigel Kent Security & Advisory Services Inc
    www.rigelksecurity.com
    ph :613.249.8340
    fax:613.249.8319
    --------------------------------------------

    On Jan 12, "R. DuFresne" <dufresne@sysinfo.com> wrote:

    On Mon, 12 Jan 2004, Don Parker wrote:

    > The simplest solution would be to simply log all activity using tcpdump in binary
    > format. This decreases the file size, is faster, and allows you to manipulate it after.
    > You can also input this binary log into any protocol analyzer afterwards as well, i.e.
    > ethereal, etherpeek nx and the such.
    >
    > Doing the above also gives you and your client a copy of exactly what it is you have
    > done during your pen test should there be any questions/complaints.

    Which is great on the data being obtained, yet fails to retain the nature
    of the exact command that retrieved the data, so make sure one either
    tees all commands to a file <date stamps can help here> or one runs script
    or something. This helps if one has data results that are similar and
    they need to know which command applies to which data, as well as make it
    possible to dupe scenarios.

    Thanks,

    Ron DuFresne

    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
    ---------------------------------------------------------------------------
    Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
    course! All of our class sizes are guaranteed to be 10 students or less.
    We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
    and many other technical hands on courses.
    Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
    any course!
    ----------------------------------------------------------------------------
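Ron's suggestion of teeing every command to a date-stamped file alongside the binary tcpdump capture, worked through as an added example (not code from the thread): a small POSIX sh helper that records each command with an epoch timestamp, so a packet time from `tcpdump -tt` can be matched back to the command that was running. The log path, the record format and the function names are my assumptions.

```shell
# Added example: timestamped command audit log for a pen-test session.
# Run "tcpdump -tt -w capture.pcap" in parallel (not started here) so the
# packet timestamps and this log share the same clock.
AUDIT_LOG="${AUDIT_LOG:-./pentest-commands.log}"   # assumed path

# Low-level writer: one line per event, "epoch<TAB>utc<TAB>text".
# GNU date takes -d "@epoch", BSD date takes -r epoch; fall back to "?".
append_record() {
    epoch=$1; shift
    utc=$(date -u -d "@$epoch" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
        || date -u -r "$epoch" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
        || echo '?')
    printf '%s\t%s\t%s\n' "$epoch" "$utc" "$*" >> "$AUDIT_LOG"
}

# Wrap a command: log its start, run it, log its exit status.
# Usage inside the testing shell: run_logged curl -I http://scope-host.example
run_logged() {
    append_record "$(date +%s)" "START $*"
    "$@"; rc=$?
    append_record "$(date +%s)" "END rc=$rc $*"
    return $rc
}

# Given a packet timestamp in epoch seconds (as printed by tcpdump -tt),
# print the most recently started command at or before that instant.
# Exits 1 if no command had been started yet. Optional 2nd arg: log file.
cmd_at() {
    awk -F'\t' -v t="$1" '
        $1 <= t && $3 ~ /^START / { cmd = substr($3, 7); found = 1 }
        END { if (!found) exit 1; print cmd }' "${2:-$AUDIT_LOG}"
}
```

Sourcing this file into the shell used for the engagement and prefixing commands with `run_logged` gives the client a record that pairs with the pcap; `script -t` would capture the full terminal session instead, at the cost of a larger file.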
    
