The second class of security solutions that we are going to cover in the current chapter is host-based solutions. Such solutions are installed on the same hosts which they have to protect.
You need to have a host-based security solution in your lab mainly for two purposes: to practice firewall/IPS evasion techniques and to test the detectability and obfuscation of your exploits (payloads) and malware. But, as always, there could be other personal reasons for having such security measures.
To better imitate a real enterprise network and create a possibility for testing various evasion techniques, we are going to install free endpoint security solutions on our lab workstations.
We recommend that you create snapshots of your workstations before installing any host-based security solutions, as they will definitely make penetrating workstations a bit problematic and you don't need it before you proceed to an advanced hacking level. Using snapshots allows quick switching between the various system states of a VM and you can always fall back if you have broken something.
The first workstation security solution in our list is the Enhanced Mitigation Experience Toolkit (EMET) from Microsoft. This tool helps to protect applications from being exploited if they contain software vulnerabilities. The tool uses a lot of protection techniques, including memory randomization and protection techniques as well as certificate pinning feature to withstand man-in-the-middle attacks. It can be obtained from the official website at http://www.microsoft.com/emet.
We are going to install EMET 5.2 on a Windows 7 workstation. The installation process using graphical interface is not complicated, so we will use a lot of screenshots.
Now, we can proceed with installing a host-based intrusion prevention system.
Like EMET, we need a HIPS and antivirus mostly for evasion testing purposes and for advanced attacks or research scenarios. You can choose any of the popular software and the more solutions you have in the lab, the better it is because it will allow you to test your payloads and evasion techniques against a wider range of detection and protection tools. This will give you a better chance of a successful attack.
Normally, it is not recommended to install a lot of security solutions of one type from different vendors as they can conflict and cause system instability. In our example, we have tested the proposed solution, but if you want to do the same thing with other software, we recommend you test it properly.
For demonstration purposes, it will be enough to install just one solution, and preferably it should be free. We have chosen Comodo Internet Security 2015.
Comodo Internet Security (IS) is a solution that combines antivirus, firewall, and auto-sandbox software and has a free version available at Comodo's website. The steps are as follows:
Web application firewall is a class of security solutions that is dedicated to protecting web applications by inspecting HTTP/S requests and responses and taking various actions based on special patterns (rules). Those actions can be blocking or logging or some more complicated actions can be taken.
When talking about free web application firewalls, the first one that comes to our mind is definitely ModSecurity. To better explain what is it, we are going to quote the description from the official ModSecurity website (https://www.modsecurity.org/):
"ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections."
We think we will not be wrong if we say that it is the most popular free web application firewall in the world and we would like to show you how to prepare it for lab usage on our web server. So, let's start.
First, we should install ModSecurity. There are several ways to install ModSecurity, but the fastest and the easiest one in our case is installing it from the Ubuntu package repository using Advanced Packaging Tool (APT). Log in to the web server and run the following commands:
sudo apt-get update sudo apt-get install libapache2-modsecurity
To check whether ModSecurity was successfully installed and loaded, you can use the apachectl
utility with the option -M
and grep
:
sudo apachectl -M|gerp security
You should see something similar to security2_module
(shared), which indicates that ModSecurity was successfully integrated to Apache.
ModSecurity keeps its configs in the /etc/modsecurity/
directory and it is distributed with a sample of predefined rules and configs. The default configuration file is modsecurity.conf-recommended
. It is a good idea to keep a backup of that file so that we will create a copy that will serve as a working config:
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modesecurity/modsecurity.conf
After that, we need to restart Apache web server in order to make it load with the new ModSecurity config:
sudo service apache2 restart
ModSecurity can work as an intrusion detection system and as an intrusion prevention system. When working in the detection mode, ModSecurity just logs activities that were determined as malicious according to a current rule set. In the prevention mode, it can actually block attacks.
The mode settings (as well as a lot of other ModSecurity settings) can be changed in /etc/modsecurity/modsecurity.conf
.
For initial web hacking training, you probably don't want your attacks to be blocked, and in this case you can leave ModSecurity in an IDS mode (detection mode), leaving the SecRuleEngine
option with the following value:
SecRuleEngine DetectionOnly
This will allow you to practice various attacks without any interference from the WAF. At the same time, it allows you to understand how WAF works with a current rule set by inspecting its logs.
When you want to practice advanced attacks with WAF evasion techniques, you can switch WAF into the prevention mode by changing the value of the SecRuleEngine
option to On
:
SecRuleEngine On
There is also another interesting configuration option that is important in case of limited processing resources on VMs: SecResponseBodyAccess
. This option enables and disables server response body inspection, which does not makes a lot of sense in a lab environment unless you need it for specific tasks. It also consumes additional processing resources that can slow down the server a bit. Our recommendation is to turn the response body inspection off in the meantime and turn it on when it is really necessary. The feature is turned on by default:
SecResponseBodyAccess On
We need to change it:
SecResponseBodyAccess Off
To make use of ModSecurity, it should have rules set, according to which it will inspect requests (and/or responses). There is a predefined rule set distributed with ModSecurity and called Core Rule Set (CRS). You can find it in /usr/share/modsecurity-crs/
. To activate the rule set, we need to explicitly include their directories in Apache's configuration in the file /etc/apache2/mods-enabled/mod-security.conf
file and create symlinks to the rules that we would like to activate in /usr/share/modsecurity-crs/activated_rules/
:
/etc/apache2/mods-enabled/security2.conf
file in the editor and put the following lines in the <IfModule security2_module> </IfModule>
section:Include "/usr/share/modsecurity-crs/*.conf" Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
/usr/share/modsecurity-crs/activated_rules/
. Go to the directory and execute the following commands:ln –s ../base_rules/modsecurity_40_generic_attacks.data ln –s ../base_rules/modsecurity_crs_40_generic_attacks.conf ln –s ../base_rules/modsecurity_crs_41_xss_attacks.conf ln –s ../base_rules/modsecurity_crs_41_sql_injeciton_attacks.conf
sudo service apache2 reload
Now the configuration phase is finished, we need to check if ModSecurity works and detects malicious requests. Let's use DVWA for that. Open a browser on another machine and navigate to http://10.0.0.5/dvwa/login.php
. Enter an obvious SQL injection pattern in the username field, for example:
user' or 1=1 --
Click on the Login button or just hit Enter. Go back to the web server and check the content of the ModSecurity's log:
sudo cat /var/log/apache2/modsec_audit.log
The log should contain an alert indicating that the request matched a pattern from the SQL injection rule set:
So, we have protected workstations based on the Windows operating system from virus threats. Now, it's time to protect our Linux servers and e-mail services from malicious code.
To build a multi-tier protection, we must protect not only Windows platform hosts, but also Linux servers, as well as transfer and store file services. So, we create automatic scans for viruses for all incoming and outgoing e-mail messages.
For this purpose, as an antivirus solution, we consider ClamAV. ClamAV is antivirus software that runs on many operating systems, including Unix-like OSes, OpenVMS, Microsoft Windows, and Apple Mac OS X. ClamAV is produced under the GNU General Public License and is a free software.
The main objective of ClamAV is integration with e-mail servers to verify the files attached to messages. The package includes a scalable multi-threaded daemon clamd, which is controlled from the command line scanner clamscan, as well as a module signature that updates via the Internet freshclam.
Some of the ClamAV features are as follows:
Well, let's start with solution's installation. For obtaining the ClamAV distribution package, please visit the manufacturer's website http://www.clamav.net/download.html. Or, as in our case, you can use built-in operating system tools. Since we are using the Ubuntu Linux operating system 14.04.3, we just run following command in the console on behalf of the root user:
apt-get clamav clamav-daemon
If you prefer to use a normal user, you can execute following command:
sudo apt-get clamav clamav-daemon
After this, we will have a working instance of ClamAV. To start or stop the service, you can use the built-in tools of your operating system.
In the next step, we need to reconfigure ClamAV so that the ClamAV daemon uses TCP connections instead of a local Unix socket. For this, just execute the following command:
dpkg-reconfigure clamav-base
This command will start a configuration wizard. Let's leave all the answers at the default values, except for the following:
TCP
instead of Unix
)clamd
will listen on (you can set your own TCP port address for listening to incoming messages, but we recommend you leave it as 3310
)clamd
will listen on (here, we should set the IP address of the used network interface, but you can also set it as any)You can check or clarify your configuration of ClamAV by editing the configuration file /etc/clamav/clamd.conf
.
After the reconfiguration process is completed, we need to restart the ClamAV daemon:
/etc/init.d/clamav-daemon restart
Next, we should update the database. For this, we need to execute the following command:
freshclam
We have installed the antivirus solution and updated the database. Now we need to check how it works. For example, to check a directory, run the following command:
clamscan -r /
This command will check the entire filesystem if it is necessary to check any particular directory; instead of /
, specify the directory name. To check a suspicious file, just type clamscan FILENAME
. Let's check our antivirus with an EICAR (European Institute for Computer Antivirus Research) test file. It is a standard file that is used to check whether the antivirus and inherently is not a virus. You can get this file at http://www.eicar.org/download/eicar.com.txt.
The next screenshot shows the output of ClamAV:
Next, we need to check the open port for connecting third-party applications. It's enough to execute the following command:
netstat -antp | grep clamd tcp 0 0 0.0.0.0:3310 0.0.0.0:* LISTEN 9917/clamd tcp6 0 0 :::3310 :::0:* LISTEN 9917/clamd
After checking that it works, let's make sure that our mail server scans all messages for viruses. To do this, perform the following steps:
10.0.0.107
)3310
)Now all the traffic of the lab.local
e-mail accounts is scanning on the ClamAV server.
We have already set up a network intrusion detection system and HIPS for Windows hosts. Let's now consider another option for Linux platform hosts.
OSSEC (http://ossec.github.io/) is a host system intrusion detection system (HIDS), and it is free and open source. It conducts analysis of system logs, integrity checking, monitoring the registry of Windows, rootkit detection, and alerting at a particular time and event. It provides the function of intrusion detection for most operating systems, including Linux, BSD-like, Mac OS, Solaris, and Windows. Its cross-platform architecture makes it easy to manage and monitor for multiple operating systems.
OSSEC consists of a main application (server), agents, and the web management interface.
Well, let's start with OSSEC by installing it in our infrastructure. First of all, we need to satisfy some requirements. OSSEC requires gcc
, libc
, and apache
with php5
support. For this, we should execute the following commands:
apt-get install build-essential apt-get install apache2 apache2-utils libapache2-mod-php5
Next, we need to obtain OSSEC. For this purpose, we should execute the following commands:
git clone https://github.com/ossec/ossec-hids git clone https://github.com/ossec/ossec-wui
Now that we have installation packages, let's install them using the following command:
cd ossec-hids/ ./install.sh
It starts a wizard with a few questions that we should answer. The most important question is about the type of installation. Here, we should create two different types of installation: for agents and for the server.
Next, let's install the web part of OSSEC. Move the ossec-wui
directory to the folder where it can be accessed by the web server:
mv ossec-wui* /var/www/htdocs/ossec-wui
Then, execute the setup script:
cd /var/www/htdocs/ossec-wui ./setup.sh
The wizard will start, so we should answer questions such as login and password to gain access to the web interface of OSSEC.
OSSEC stores all the files in /var/ossec
. Let's open the /var/ossec/ossec.conf
file and give it the form we need. Here, we set sending alerts to e-mail by selecting the server address, mailing address, and the maximum possible number of messages per hour.
Then, there is a block of rules that describes what and how OSSEC will react.
The syscheck
section sets the integrity check. Its meaning lies in the fact that the system calculates a hash of each file in the specified directory and checks them periodically. Here, we set what we will monitor in a directory and how long it will be checked for. The section describes the command scripts that can be used by the system under certain conditions.
In the end, we set log files that need to be analyzed and compared with the rules.
Now, the coarse settings of the OSSEC server are finished and we can run it:
service ossec-hids start
If successful, you will receive an e-mail with a message on startup in the mailing address.
After this, we need to add the user account of the web server (www-data
) to the OSSEC group. Open the /etc/group
file in editor:
nano /etc/group
Find the line ossec:x:1002
and change it to ossec:x:1002:www-data
.
After that, we need to set permissions for the tmp
directory of our OSSEC instance and restart Apache service.
chmod 770 tmp/ chgrp www-data tmp/ apachectl restart
Now we can access the OSSEC web interface using the following link: http://localhost/ossec-wui/
.
Let's install an OSSEC agent from the same distribution. We choose the agent mode in the wizard. For the question "What's the IP Address or hostname of the OSSEC HIDS server?" we input the IP address of our OSSEC server. Now, we need to associate the OSSEC agent with our server. For this, we should go to the server and launch the manager working with the agents:
/var/ossec/bin/manage_agents
In the interactive mode, we need to perform the following steps:
Restart the server for the successful addition of the agent:
/etc/init.d/ossec restart
Then, let's go to our agent and go in the manager working with the agents:
/var/ossec/bin/manage_agents
In the interactive mode, we need to perform the following steps:
/etc/init.d/ossec start
It should come in the mail notification that a new agent is connected. Go to the server to check whether the agent is connected:
/var/ossec/bin/agent_control -l
Here, we will see the list of our agents with the status Active
. Also, /var/ossec/logs/alerts.alerts.log
should have an event like that.
So the OSSEC agent is connected. Now, we can see our agent in the web interface.
If you want to learn more about OSSEC, the official documentation is available at http://ossec.github.io/docs/.
3.12.166.61