PaulDotCom mailing list archives
Blue Team Tactics
From: rbutturini at epictn.com (Russell Butturini)
Date: Sun, 2 Aug 2009 21:07:01 -0500
On the Windows side, off the top of my head without looking at the links (so if any of these are repeats from the links below I apologize), from the CLI: 1. Capturing the date and time on the system for establishing timelines-date /t and time /t 2. Enumerating local accounts-net users 3. Enumerating users and IPs remotely connected to system resources-net sessions 4. Enumerating local groups/members of local groups-net localgroup and net localgroup <groupname> 5. Networking "stuff"-ipconfig and its many switches, like ipconfig /displaydns to show the DNS cache. 6. ARP table enumeration-arp -a 7. Linking open TCP/UDP connections to the processes that spawned them: netstat -anob 8. Displaying the routing table-route print or netstat -r (I think this one has cleaner more detailed output) 9. Enumeration of the hosts file from the command line-type %systemroot%\system32\drivers\etc\hosts 10. Viewing firewall status/making firewall changes-netsh firewall show state/show service for verifying status, a myriad of other commands for manipulating and opening/closing ports and adding deny rules from the CLI. 11. Enumerating mapped drives-net use 12. Enumerating the NetBIOS name cache-nbtstat -c 13. Task enumeration using built in tools (depends on how "modern" the OS we are working with is)-tasklist (tasklist /svc gives us the associated services running from each process) 14. Service manipulation from the command line-sc query, sc start, sc pause, etc. 15. Find group polices applied to a machine-gpresult (requires different command line switches if Vista/server 2k8), apply new policies to a machine in a hurry-gpupdate /force, need to use secedit with different switches if earlier than Windows XP/2003 16. Enumerate drivers on a machine in use-driverquery 17. Enumeration of system variables/Setting new system variables-set 18. Enumeration of scheduled tasks-at/schtasks 19. Registry manipulation-reg 20. Manipulate printers on a machine-Use the VBScript in the System32 folder prnmngr.vbs for enumeration and changes. 21. Verify the OS build-ver 22. review the event logs-use the eventquery.vbs script located in the System32 folder As far as I recall, all of these things are built into the OS and none require access to a GUI to use; Granted, some of these are not available on older Microsoft operating systems, but I think that part of good incident response is having a fundamental understanding of the tools provided to you by the OS you are working on. Hope this is along the lines of what's being asked for. ________________________________ From: pauldotcom-bounces at mail.pauldotcom.com on behalf of John Strand Sent: Sat 8/1/2009 9:30 AM To: Tim Rosenberg Cc: PaulDotCom Security Weekly Mailing List Subject: Re: [Pauldotcom] Blue Team Tactics So far the BLue team recommendations have been fantastic, so I though I would drop in a few suggestions to keep the discussion going. One of the first things I wish any BLue teamer would do is download the SANS incident response cheat-sheets for Windows and for Linux. http://isc.sans.org/diary.html?storyid=5354 <http://console.mxlogic.com/redir/?5xWX28UsCro76zBcQsILzzo0elbtjokU03y4JymU74GjH4J90VZBZwTvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76QjqbNJwsqekPhOyqejhOr5CeH> http://www.sans.org/info/3826 <http://console.mxlogic.com/redir/?2MZtx4sejdI3zhOCqemnNNI05jokU03AEeRNBVdMTvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76QPqbNJwsqekPhOyqejhOr5CeH> http://www.sans.org/info/3831 <http://console.mxlogic.com/redir/?2MZtx4sejdI3zhOCqemnNNI05jokU03AEeRNBVB4TvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76SjqbNJwsqekPhOyqejhOr5CeH> Consider this the basics to play. I hate it when I see a defender stare at Task Manager for an hour or two with a blank stare on their face. What are they looking for? EvilBackdoor.exe? Now, how about how to use your firewall on Linux? http://www.youtube.com/watch?v=kUdCsZpt2ew <http://console.mxlogic.com/redir/?b3RS4hMVcSMed7apEVpv76M0hqHsSO7YLxzpS9Az9Nk9E2l09mCDVwTvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76S3qbNJwsqekPhOyqejhOr5CeH> What if you do not have a firewall on a Windows server? You are screwed right? No, look at IPSec filters. http://www.youtube.com/watch?v=amHaBmOlfgE <http://console.mxlogic.com/redir/?b3RS4hMVcSMed7apEVpv76M0hqHsSO7YLxzpS9Az9SGxvhBkc7KAhETvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76TPqbNJwsqekPhOyqejhOr5CeH> Why is it that many times the BLue team keeps getting owned by RPC or SMB and they don't block the ports? And what about some log analysis kung-fu? (Special note:I am trying to invoke the all powerful Red SANS Instructor with the above statement.) If IP Address X, or range Y keeps attacking you, block them. (Another special note.. I recommend only blocking temporarily and being very careful when you do. Otherwise, you may DoS yourself.) Sure, third party tools are great.. However, many REd/BLue activities (I am talking to you Tim) will not allow defenders to get access to all of this stuff right out of the gate. Why? Is it because the people who put these games on evil? Possibly (I am still talking to you Tim). Possibly. However, the real reason is that all of our security technologies, while helpful, have their limitations. We depend on them far to much. We need to learn how to "live off the land" as it were. Also, a solid long term strategy may not work right now. Developing these defender skills for short term damage control is key to our industry. So, there have been some very cool recommendations for third party tools. Now I want you to focus on the CLI and the built-in tools you get with a Windows or Linux system. This is, quite possibly, the best security list ever. -strandjs On Jul 30, 2009, at 1:43 PM, Tim Rosenberg wrote: John, Thanks for the nod. I like the thread. Also thanks to Paul for attending our NYC CTF event and running an excellent Red Cell as always. These suggestions are all very good. One thing I would offer up. We have the Cyber Dawn event in October in VA. It would be great to have a professional defense team there to show/document/demonstrate how to lock down a system/network and monitor it. One of the great suggestions from the NYC event was that there needed to be a Defense Coach...just like the role Larry played in Vegas. I frankly couldn't agree more. I see the note about apache and windows...time to trade up some of the defensive assets too. One of the things I would ask the defender community. One of the difficult things in designing these exercises is the creation of a series of functional network services that are realistic and yet vulnerable. Rather than turning this into a patch game where the fastest keyboard wins, the feedback I'm getting from participants is to provide more of a leg up for the defenders. This needs to be balanced against a diverse skill set of Red Cell, some of whom are professional pen testers, others are running metasploit for the first time. So here's some thoughts, please feel free to criticize. 1. Providing a 'test network'; an unprotected unpatched network that is unstaffed by humans. This would be used as a test net for new Red Cell to cut their teeth on tools prior to going against the human defended networks. The down side to this is that by the time they've played around, the holes they exploited on the Test Net will most certainly be closed by the humans. 2. Provide unpatched 'legacy systems' that cannot be updated by the defenders. These low hanging fruit targets would be only one or two systems inside the defenders' networks. It would provide an easy target for the Red Cell, but for them to further exploit the network, they would have to know how to pivot really well. 3. Defender challenges; I would welcome an opportunity to connect to the larger community and ask for help in building systems that may only have one way in. Preferably through a single less known or more difficult vulnerability. For example, Paul has consistently found a way into the Debian boxes we use. However, he only get limited user access as there is nothing installed to support local privilege escalation. Cheers, Tim Rosenberg On 7/28/09 11:29 PM, "John Strand" <strandjs at gmail.com> wrote: Time to bring Tim in on this. The White Wolf guys are simply the best at this kind of simulation. Tim, care to throw in your two cents? john On Jul 28, 2009, at 5:53 PM, Tim Mugherini wrote: All Good Suggestions. To answer Erik's question on scoring per my experience last week at the NYC CTF. Red Team members were required to run a script on the comrpomised system once it was compromised to gain a point for the hack. They were encouraged to take data but no DDOS were allowed. However, they could take down systems towards the end of the day (although they would not getting points for doing so but the blue team would gain points for systems down - more points are bad for blue). Blue Team Members with the lowest score won. They needed to keep systems and services online. If compromised they could regain (subtract some points) if they were able to get the systems online quickly and accurately report data loss to the FBI field office. (Paul and Renald actually did a good job destroying the team that won but because they were able to restore and start over (DR) they regained their lead. So with that said while tools (both preventative and reactive) would certainly help the blue team, I think the most important thing is to be organized, have a plan, have the expertise (one person for linux, one for windows, one for web apps/databases, and one for networking), and know when to say we are screwed lets implement our DR plan. And ss Erik pointed out lock down the systems! Some command line and gooyee tools could certainly have helped with this but would be no substitute for experience and organization. Scripting command line stuff and GPO's would certainly help in a large environment (have quite of bit of experience there) but in an exercise like this it may just slow a team down (better to do it manually since there were only a handful of systems). So AV, log monitoring, best practices (i.e. all of Erik's preventative suggestions and more), and things like TCSTools switchblade for incident response would all be helpful. I'm wondering if the questions of what tools is the right question. Maybe the question is what best practices? Just My 2 1/2 cents. On Tue, Jul 28, 2009 at 1:21 PM, Erik Harrison <eharrison at gmail.com> wrote: beyond a lot of the great reactive or visibility driven suggestions already provided, and assuming this is in a lab environment (i hope) - harden the crap out of the server. standard fare, remove/disable unnecessary services, change default service accounts to low priv. add manual ntfs permissions across the filesystem *and registry* to limit that account's access. patch the os, apps, services, any web software (just assuming they're gonna give you joomla w/ 1500 plugins and modules to make it utterly impossible to win). move db passwords in the code into an included file ../ out of the main web directory, deny writes to all web directories for the duration of the scenario so no webshells can be uploaded, fix outbound connections at the firewall (host and upstream), switch services to listen only on 127.0.0.1, blah blah blah.. the list goes on how are you measuring successful intrusion? what's the jackpot for red? you could just be a bastard, and move or delete that file :D lock it away in a truecrypt volume protected by keys and passphrases. On Tue, Jul 28, 2009 at 12:56 PM, Tim Mugherini <gbugbear at gmail.com> wrote: Very Nice. Does Autopatcher allow you to manually copy over patches (already have many downloaded)? To add some: Again Sysinternals Tools: Process Monitor, PSTools, TCPView Kiwi Syslog Server & Viewer or comparable, Mandiant Highlighter Nessus - Home Feed of course Dumpsec - NTFS File Permission dumper Your favorite free sniffer - Wireshark, etc.. MRTG - Router bandwidth monitoring AVG or other decent free AV Snort On Tue, Jul 28, 2009 at 11:05 AM, Carlos Perez <carlos_perez at darkoperator.com> wrote: 8 GB stick prepared with autopatcher http://www.autopatcher.com/http://www.autopatcher.com/ <http://console.mxlogic.com/redir/?Ifnoh73APr0UQsFCzBBYsr01qTeGSPIj-fbU02RKtlJDoDYunMTvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76T3qbNJwsqekPhOyqejhOr5CeH> I would have patches for all versions of windows. <http://www.autopatcher.com/ <http://console.mxlogic.com/redir/?2MZtx4sejdI3zhOCqemnNNI05HsWHreNfUYLxK_nKC-yYYqekn3tPqSJDElCKn8lrxrW0EjVrmPQaPnVsSMyODsSyCMqekmbCzCXxJBwS2_id41Fr2SJDElCKqnjh0cDJ-q80j-GCy04XqsHkdPYfDwedzzqbNJwsqekPhOyqejhOr5CeH>
I would also place portable firefox, and xamp in case i need to migrate an apache LAMP server to an updated version
since I have seen a trend of putting apache on windows in this competition, also place several pre-made security
templates for use with GPO or local application, URLscan installer and pre-made urlscan.ini files. Komodo free firewall
installer and the NSA cisco templates, acl templates, Nipper for checking the cisco equipment config quickly and some
pvaln sample configs. Keepass for password storage and generation.
that is what comes now to mind.
On Tue, Jul 28, 2009 at 8:54 AM, John Strand <strandjs at gmail.com> wrote:
Please! PSW land! Share your Blue Team tactics!
What tools, scripts, and techniques do you use as part of Incident Response and
Blue Team Activities?
I have sat in on one to many Red/Blue/CTF games where the Red team gets Core,
Canvas, Metasploit, Nessus, Satan, Sara, Cain and Able, Ettercap, Dsniff, Hydra, 0phcrack, Nmap, BT4 and various
torture techniques (including IronGeek's rubber hoses) and the the Blue team gets....
"An un-patched Windows 2000 box and a slew of un-patched software!!!!!''
Please see the following video for reference:
http://www.youtube.com/watch?v=Y77n--Af1qo
<http://console.mxlogic.com/redir/?Ifnoh73APr0UQsFCzBBYsr015GJPr8vO-6dDoCicD0ssewnby3G8JkTvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76TzqbNJwsqekPhOyqejhOr5CeH>
Yea.. Thats right.... As of today the Blue Team is what you get assigned to
when you are caught stuffing peas up your nose.
This stops today!!!
There are a few rules. Tricks and scripts must be able to run at the command
line of your operating system of choice and all tools must be freeware or open source.
Thats it!!!
Look, the Blue Team can rock!!! So please share your tricks.
I am going to collect and add to them so we have a solid list and this will
serve as the playbook for the Blues going forward.
Be expecting this on the PDC site soon.
strandjs
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
<http://console.mxlogic.com/redir/?5xWX28UsCro76zBcQsILzzo0cjVrmPQaPnVv04bA9gMjlS67OFek7qUJHpW5pHCXZuWrWbPNEVhsdTdHqSuxmqVsxlK5LE2xfBJrfgHdvBPr2batPqar1EVhoKqerK6Sm3obZ8Qg6BIbqSuxmqVFtd40OuTVEw1fWGq80jJFOJgTfM-u0USqejqbNJwsqekPhOyqejhOr5CeH>
Main Web Site: http://pauldotcom.com
<http://console.mxlogic.com/redir/?2MZtx4sejdI3zhOCqemnNNI06JHpW5pHYKrLRXFLELf6zB5MTsSJHpW5pHBO5mUm-wa4-mRIZ2IR-ndI8IFTdEFI6zB5yVEVKUrpodwLQzh0qmMJHpW5pHCBQQg39XvCy04_GFEw1eSDaR3s_3VU3zqdPqbNJwsqekPhOyqejhOr5CeH>
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
<http://console.mxlogic.com/redir/?Ifnoh73APr0UQsFCzBBYsr01yvbqSuxmq_bU0xsxa62qKMM-l9OwXn5JrfgHdsTvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76QkjqbNJwsqekPhOyqejhOr5CeH>
Main Web Site: http://pauldotcom.com
<http://console.mxlogic.com/redir/?5xWX28UsCro76zBcQsILzzo0drmPQaPnVsTvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76QkPqbNJwsqekPhOyqejhOr5CeH>
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
<http://console.mxlogic.com/redir/?Ifnoh73APr0UQsFCzBBYsr01yvbqSuxmq_bU0xsxa62qKMM-l9OwXn5JrfgHdsTvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76QmjqbNJwsqekPhOyqejhOr5CeH>
Main Web Site: http://pauldotcom.com
<http://console.mxlogic.com/redir/?5xWX28UsCro76zBcQsILzzo0drmPQaPnVsTvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76Qm3qbNJwsqekPhOyqejhOr5CeH>
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
<http://console.mxlogic.com/redir/?Ifnoh73APr0UQsFCzBBYsr01yvbqSuxmq_bU0xsxa62qKMM-l9OwXn5JrfgHdsTvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76QnPqbNJwsqekPhOyqejhOr5CeH>
Main Web Site: http://pauldotcom.com
<http://console.mxlogic.com/redir/?5xWX28UsCro76zBcQsILzzo0drmPQaPnVsTvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76Qn3qbNJwsqekPhOyqejhOr5CeH>
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
<http://console.mxlogic.com/redir/?1ouKMye79CS1NEVjd7bbUUS034-mRIZ2IR-nM12V2kc4RtxxYGjB1SKbqSuxmqVK_nKC-yYYqekn3tPqSJDElCKn8lrxrW0EjVrmPQaPnVsSMyODsSyCMqekmbCzCXxJBwS2_id41Fr2SJDElCKqnjh0cDJ-q80j-GCy04XqsHkdPYfDwedEzzqbNJwsqekPhOyqejhOr5CeH>
Main Web Site: http://pauldotcom.com
<http://console.mxlogic.com/redir/?5xWX28UsCro76zBcQsILzzo0drmPQaPnVsTvHTjvhuud7abxKVJrmPQaPnbAaJMJZ0k9YJHpW5pHYKrohpjKrhjod7ab5PhPtMSOMr1vF6y0QJxrmPQaPndbFEw6jS_d409_ljh02tJelG6V-7PM76QnzqbNJwsqekPhOyqejhOr5CeH>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 19895 bytes
Desc: not available
Url : http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090802/92d85f60/attachment.bin
Current thread:
- Blue Team Tactics John Strand (Aug 01)
- Blue Team Tactics Jack Daniel (Aug 01)
- Blue Team Tactics Russell Butturini (Aug 02)
- Blue Team Tactics strandjs at gmail.com (Aug 03)
- Blue Team Tactics Dave Hull (Aug 05)
- Blue Team Tactics Nathan Sweaney (Aug 05)
- Blue Team Tactics John Strand (Aug 05)
- Blue Team Tactics Nathan Sweaney (Aug 17)
- Blue Team Tactics John Strand (Aug 23)
- Blue Team Tactics Nathan Sweaney (Aug 05)
- Blue Team Tactics Nick Drage (Aug 25)