Aliensanti

Collecting and managing data remotely via WMI

2010-06-23T08:48:00.000-07:00

WMI seems to be a good method to remotely collect Microsoft Windows events and data in an agent-less way. So, as remote access configuration is a bit tricky, i wanted to explain how I've done it from a Debian box using wmic (a wmi client implementation). Also, as it is interesting as well, I have done brief explanations on how to manage WMI namespaces security and how to explore WMI classes.

It's fair to mention that most of the steps described below have been found in the Internet (references are listed at the end of the guide). So I have just put it all together as, at least for me, it makes much more sense this way.

In this case my scenario is composed by two different boxes:

Microsoft Windows XP SP2: Data source
Debian Linux: Data collector

1.- Creating a user for remote WMI access.

First step is creating a new limited user, so we don't need to use an administrator account for remote connections. This makes the installation much more secure, but of course the same configuration would work for administrators.
In this case, as an example, I have created the following limited user:

Name: wmiuser
Password: wmi

Once this is done, then we need to configure DCOM settings to allow our user to access the computer remotely. This is perfectly described at http://msdn.microsoft.com/en-us/library/aa393266(VS.85).aspx. Nevertheless, to sum up, there are two main points, explained below:

Grant DCOM remote launch and activation permissions for our user.
Grant DCOM remote access permissions

2.- Grant DCOM remote launch and activation permissions for our user.

Click Start, click Run, type DCOMCNFG, and then click OK.
In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
In the My Computer Properties dialog box, click the COM Security tab.
Under Launch and Activation Permissions, click Edit Limits.
In the Launch Permission dialog box, follow these steps to add our "wmiuser" user:
1. In the Launch Permission dialog box, click Add.
2. In the "Select Users, Computers, or Groups" dialog box, add your name in the "Enter the object names to select" box, and then click OK.
In the Launch Permission dialog box, select our user in the "Group or user names" box. In the Allow column under Permissions for User, select Remote Launch, Local Activation and Remote Activation, and then click OK.

3.- Grant DCOM remote access permissions.

Click Start, click Run, type DCOMCNFG, and then click OK.
In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
In the My Computer Properties dialog box, click the COM Security tab.
Under Access Permissions, click Edit Limits.
In the Access Permission dialog box, select ANONYMOUS LOGON name in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK.

4.- Allowing remote administration at Windows firewall.

At this point we have already done the hard part. Now we just need to go ahead allowing remote administration in the Windows firewall. This is needed as when querying WMI, we are going to execute an asynchronous call, so we need to add an exception for it. This all is done executing the following from the command line:

C:\> netsh firewall set service RemoteAdmin enable

5.- For Windows XP and 2003 only: Relaxing the security policy.

Sharing and security model is set to "Guest only" on Windows XP Pro and Windows 2003, so we must to make sure that remote logons are not being coerced to the "Guest" account (this is enabled by default on computers that are not attached to a domain). To do this, open the Local Security Policy editor (e.g. by typing 'secpol.msc' into the Run box, without quotes). Expand the "Local Policies" node and select "Security Options". Now scroll down to the setting titled "Network access: Sharing and security model for local accounts". If this is set to "Guest only", change it to "Classic" and restart the computer.

6.- Querying WMI locally.

At this point your system should be ready to be queried. So you don't need to do any further configuration and we can start playing a little bit. So we can test access this way:

Click Start -> Run and type wbemtest. The wbemtest application starts.
Click Connect and type \root\cimv2, replacing with the name of the remote server. Click Connect. If you are unable to connect, there is a problem with the authentication between the machines.
If you are able to connect, click Query and type select * from win32_service. Click Apply. After a short wait, you should see a list of running services. If this does not work, then the authentication works, but the user is running as does not have enough privileges to run that operation.

7.- Querying WMI remotely from a Debian box.

Using Debian packages manager, "apt-get", I have installed "wmi-client" in my box. It includes a DCOM/WMI client implementation, allowing us to query our Windows box remotely. That can be done using "wmic" command with the following syntax:

# wmic -U wmiuser%wmi --namespace='root\cimv2' //windows_ip_address "select * from Win32_Process"

Of course, "windows_ip_address" should be replaced by the real IP address of your Windows host. One of the resulting events (the one related to the System Idle Process) looks like this:

System Idle Process|(null)|Win32_Process|(null)|Win32_ComputerSystem|WINDOWS-DB0B159|System Idle Process|(null)|0|0|0|(null)|692341250000|0|0|System Idle Process|Win32_OperatingSystem|Microsoft Windows XP Professional|C:\WINDOWS||0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|(null)|(null)|1|0|0|5.1.2600|28672|0|0

8.- Managing WMI namespaces security.

It's also very interesting to mention you can set permissions for each WMI namespace, using wmimgmt.msc tool. In this tool, you can set security that is based off of the root or select individual namespaces. You can also use inheritance that is based on namespace hierarchy.

For example, in case we want to set permission for our "wmiuser" we would open "WMI Control (Local) Properties) and, once selected a namespace, click on "Security" adding our user.

9.- Exploring WMI classes.

Browsing in the Internet I have found "WMI Explorer" which is a useful tool if you want to explore the full set of WMI management classes, objects and their properties. It can be found at the following website:
http://www.ks-soft.net/hostmon.eng/wmi/index.htm

Once you download and run it you will see an easy to use interface that allows you not only to explore the WMI classes but also to execute anny WQL query and view the result set. Playing a little bit with it will give you an idea of how powerful WMI is, and how many different ways you can use it for your own profit. In my case, those will be mainly related to applications inventory.

10.- Where to find more information.

As mentioned at the beginning most of this guide is based on documentation found somewhere in the Internet, so here is a list of useful links where you can find more detailed documentation about issues discussed here:

WMI documentation: http://msdn.microsoft.com/en-us/library/aa394582(v=VS.85).aspx
Configuring and securing a remote WMI connection: http://msdn.microsoft.com/en-us/library/aa393266(VS.85).aspx
Examples: http://msdn.microsoft.com/en-us/library/aa394585(v=VS.85).aspx
Troubleshooting: http://www.10-strike.com/networkinventoryexplorer/help/wmi.shtml
WMI Explorer homepage: http://www.ks-soft.net/hostmon.eng/wmi/index.htm

MySQL replication master-master for two hosts

2010-04-29T05:12:00.000-07:00

This howto describes, step by step, how to setup a MySQL replication cluster with only two hosts. It tries to give a solution to the one-way synchronization master-slave documented in MySQL website without the need to setup a cluster (which requires at least three hosts). So, with this howto, a two-ways synchronization can be done and, because of that, I named it master-master replication mode.

It has been successfully tested in Mysql Server 5.1.41 but it probably will also work for more advanced versions.

1.- Edit my.cnf files:

[In server A]
server-id = 1
log_bin = /var/log/mysql/mysql-bin.log
auto_increment_increment = 2
auto_increment_offset = 1
#bind-address = 0.0.0.0

[In server B]
server-id = 2
log_bin = /var/log/mysql/mysql-bin.log
auto_increment_increment = 2
auto_increment_offset = 2
#bind-address = 0.0.0.0

Notes:

Server-id should be different for every node
There is a well known issue with master-master replication and auto_increments described here: http://onlamp.com/pub/a/onlamp/2006/04/20/advanced-mysql-replication.html
Bind address should be commented or set to the ip address where mysql daemon will be listening.

Then restart both servers.

2.- Server A to server B replication:

In both servers stop every connection to the databases.
Check it with a "show full processlist" and use "kill" if necessary.

[In server A]
mysql> CREATE USER 'repl'@'ip_server_B' IDENTIFIED BY 'password';
mysql> GRANT REPLICATION SLAVE ON *.* TO 'repl'@'ip_server_B';

Lock tables:
mysql>FLUSH TABLES WITH READ LOCK;
mysql>SHOW MASTER STATUS

Notes:

Take note of these values as they will be used later.
Very important - Keep that mysql client running so tables keep locked.

Backup the entire database:
mysqldump --all-databases --lock-all-tables --master-data -u root -ppassword > dbdump.db
Note: --master-data option includes a line with master position
CHANGE MASTER TO MASTER_LOG_FILE='mysql-bin.000002', MASTER_LOG_POS= 270346;

move the backup file to server B:
scp -v dbdump.db root@ip_server_B:/root/

[In server B]
recover backup from server A:
mysql -u root -ppassword < dbdump.db

mysql>CREATE USER 'repl'@'ip_server_A' IDENTIFIED BY 'password';
mysql>GRANT REPLICATION SLAVE ON *.* TO 'repl'@'ip_server_A';
mysql>STOP SLAVE;
mysql>CHANGE MASTER TO MASTER_HOST='ip_server_A', MASTER_USER='repl', MASTER_PASSWORD='password', MASTER_LOG_FILE='binary_log_file', MASTER_LOG_POS='position';
Note: For MASTER_LOG_FILE and MASTER_LOG_POS use values you already got.

mysql>START SLAVE;
mysql> SHOW MASTER STATUS;
Note: Take note of these values too, as they will be used when replicating server B to server A.

3.-Server B to server A replication:

[In server A]
mysql>STOP SLAVE;
mysql>CHANGE MASTER TO MASTER_HOST='ip_server_B', MASTER_USER='repl', MASTER_PASSWORD='password', MASTER_LOG_FILE='binary_log_file', MASTER_LOG_POS='position';
Note: For MASTER_LOG_FILE and MASTER_LOG_POS use values you already got.

mysql>START SLAVE;

4.- Summary:

Once finished these steps you should have a high-availability system.

Every change, doesn't matter on which server, should be replicated in the other. And, in case of outage of one of them, the other will keep working and changes will be synchronized when it comes back up again.

It is still in my TODO to test it using linux-ha so that way replication cluster will be transparent for clients using the database.

OSSIM Alarms by type radar graph

2009-10-06T12:00:00.000-07:00

I want to share a new graph configuration I have done for OSSIM "Executive Panel". It just shows most generated alarms in a radar.

To create it just edit a graph, go to "Category -> Config Import" and paste the following:

plugin_custom_sql::
YTo0OntzOjY6InBsdWdpbiI7czoyMjoicGx
1Z2luX2NvbmZpZ19leGNoYW5nZSI7czoxMT
oicGx1Z2luX29wdHMiO2E6Mjc6e3M6ODoiZ
3JhcGhfZGIiO3M6NToib3NzaW0iO3M6OToi
Z3JhcGhfc3FsIjtzOjI0NDoic2VsZWN0IEN
PTkNBVChTVUJTVFJJTkcoUkVQTEFDRShwbH
VnaW5fc2lkLm5hbWUsImRpcmVjdGl2ZV9ld
mVudDogIiwiIiksMSwxNyksIi4uLiIpLCBj
b3VudCgqKSBhcyBudW0gZnJvbSBhbGFybSw
gcGx1Z2luX3NpZCAKd2hlcmUgYWxhcm0ucG
x1Z2luX2lkID0gcGx1Z2luX3NpZC5wbHVna
W5faWQgYW5kIAphbGFybS5wbHVnaW5fc2lk
ID0gcGx1Z2luX3NpZC5zaWQKZ3JvdXAgYnk
gYWxhcm0ucGx1Z2luX3NpZCBsaW1pdCA4Oy
I7czoxMToiZ3JhcGhfdGl0bGUiO3M6MDoiI
jtzOjEwOiJncmFwaF90eXBlIjtzOjU6InJh
ZGFyIjtzOjE4OiJncmFwaF9sZWdlbmRfZml
lbGQiO3M6Mzoicm93IjtzOjE2OiJncmFwaF
9wbG90c2hhZG93IjtzOjE6IjEiO3M6MTU6I
mdyYXBoX3BpZV90aGVtZSI7czo1OiJ3YXRl
ciI7czoxNzoiZ3JhcGhfcGllXzNkYW5nbGU
iO3M6MjoiNDUiO3M6MTc6ImdyYXBoX3BpZV
9leHBsb2RlIjtzOjM6ImFsbCI7czoyMToiZ
3JhcGhfcGllX2V4cGxvZGVfcG9zIjtzOjE6
IjEiO3M6MjI6ImdyYXBoX3BpZV9hbnRpYWx
pYXNpbmciO3M6MToiMSI7czoxNjoiZ3JhcG
hfcGllX2NlbnRlciI7czo0OiIwLjIzIjtzO
jE4OiJncmFwaF9wb2ludF9sZWdlbmQiO3M6
MDoiIjtzOjE3OiJncmFwaF9zaG93X3ZhbHV
lcyI7czoxOiIwIjtzOjExOiJncmFwaF9jb2
xvciI7czo3OiIjMDAwMDgwIjtzOjE0OiJnc
mFwaF9ncmFkaWVudCI7czoxOiIwIjtzOjEw
OiJncmFwaF9saW5rIjtzOjA6IiI7czoxNjo
iZ3JhcGhfcmFkYXJfZmlsbCI7czoxOiIxIj
tzOjExOiJncmFwaF95X21pbiI7czoxOiIwI
jtzOjExOiJncmFwaF95X21heCI7czoxOiIw
IjtzOjExOiJncmFwaF94X21pbiI7czoxOiI
wIjtzOjExOiJncmFwaF94X21heCI7czoxOi
IwIjtzOjExOiJncmFwaF95X3RvcCI7czoxO
iIwIjtzOjExOiJncmFwaF95X2JvdCI7czox
OiIwIjtzOjExOiJncmFwaF94X3RvcCI7czo
xOiIwIjtzOjExOiJncmFwaF94X2JvdCI7cz
oxOiIwIjtzOjE1OiJleHBvcnRlZF9wbHVna
W4iO3M6MTc6InBsdWdpbl9jdXN0b21fc3Fs
Ijt9czoxMToid2luZG93X29wdHMiO2E6Mzp
7czoyOiJpZCI7czozOiIxeDMiO3M6NToidG
l0bGUiO3M6MTQ6IkFsYXJtcyBieSBUeXBlI
jtzOjQ6ImhlbHAiO3M6MDoiIjt9czoxMToi
bWV0cmljX29wdHMiO2E6NDp7czoxNDoiZW5
hYmxlX21ldHJpY3MiO3M6MToiMCI7czoxMD
oibWV0cmljX3NxbCI7czowOiIiO3M6MTM6I
mxvd190aHJlc2hvbGQiO2k6MDtzOjE0OiJo
aWdoX3RocmVzaG9sZCI7aTowO319

And, on the other hand, if you are curious about the SQL query, here it is:

select CONCAT(SUBSTRING(REPLACE(plugin_sid.name,"directive_event: ",""),1,17),"..."), count(*) as num from alarm, plugin_sid where alarm.plugin_id = plugin_sid.plugin_id and alarm.plugin_sid = plugin_sid.sid group by alarm.plugin_sid limit 8;

OSSIM Collecting events with rsyslog

2009-09-08T12:00:00.000-07:00

This article tries to be a small how-to about OSSIM events collection using rsyslog. For example lets try to configure OSSIM to collect events from a Netscreen firewall.

OSSIM agent

First of all we need to active the plugin at /etc/ossim/agent/config.cfg adding a new line to our plugins list. This line could be like the following:

netscreen=/etc/ossim/agent/plugins/netscreen-firewall.cfg
Then we will set the "location" variable at the config file of the plugin we want to use. In our case this file will be at /etc/ossim/agent/plugins/netscreen-firewall.cfg (other config files can be found here too). For example lets set it this way:

location=/var/log/netscreen-firewall.log
Once finished other two steps don't forget to restart the ossim-agent daemon, so it will load the new configuration.

/etc/init.d/ossim-agent restart

Rsyslog

Then it's time to go through rsyslogd configuration.

To enable logging from remote machines we have to edit /etc/default/syslogd and set SYSLOGD variable to "-r". This line should be enough:

SYSLOGD="-r"
Then, to use rsyslog v3 native interface (I am not sure if this is needed, but just in case), we will need to set RSYSLOGD_OPTIONS variable to "-c3" at /etc/default/rsyslog file.

RSYSLOGD_OPTIONS="-c3"
Now lets edit the /etc/rsyslog.conf file. For our example I will add this lines at the beginning of the logging rules. Be aware of the comments to know what does they do.

# Line 1: Discard logs with "action=Permit" string
# This is just tuning, as this kind of logs are useless for our security system (as they are accepted by the firewall policy)
:msg, contains, "action=Permit" ~

# Line 2: If coming from "netscreen_hostname" (at /etc/hosts) send logs to /var/log/netscreen-firewall.log
# The symbol "-" means that it wont sync every log (faster)
:fromhost, isequal, "netscreen_hostname" -/var/log/netscreen-firewall.log

# Line 3: Then discard all logs coming from "netscreen_hostname" so they wont be written at system log files.
:fromhost, isequal, "netscreen_hostname" ~

#... standard logging rules should go right here ...

If you need more help with rsyslog.conf possibilities you can find it at:

http://www.rsyslog.com/doc-rsyslog_conf_filter.html
At last we just need to restart rsyslogd daemon:

/etc/init.d/rsyslogd restart

At this point it should be listening at port 514 (the default one), you can check it with netstat command. So, once we configure our device to send logs to our OSSIM sensor, they should be collected and correlated.

As you can see this how-to is quite simple, but I hope it can help you with your configurations or help me to remember it if needed.

OSSIM Detecting a buffer overflow attack

2009-09-01T12:00:00.000-07:00

Introduction

I am posting for the first time at my recently opened blog. Hope issues discussed here will be interesting for OSSIM users and probably for some other people.

First thing I will try to explain is how to test OSSIM generating real time attacks, such as exploiting a buffer overflow against a non patched host. For this purpose we will use Micrososft ASN.1 library buffer overflow vulnerability, whose details can be found at http://www.phreedom.org/solar/exploits/msasn1-bitstring/ We can even find here an exploit called kill-bill to take advantage of the mentioned vulnerability ;-)

Now lets see steps in order to get an alarm with OSSIM and execute an action-response policy...

OSSIM configuration

1.- Detecting the intrusion with snort rules. In this case it's done by the rule "NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt". I paste it here, copied from the /etc/snort/rules/netbios.rules file:

netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3000; rev:4;)

2.- Next step is to create a simple directive to feed the correlation engine. It can be done at /etc/ossim/server/generic.xml. The one I have created is:

This is the simplest form of a directive, but if we want, we can use different levels to detect more complex attacks (i.e. we can add rules matching port scans or session duration...). Here is an example of a port scan with an open port found directive (I also use it for the video demo you will find below):

3.- Last thing is to configure an action (for example sending a mail) to execute when the alarm is generated. We can use the web framework to do it in a easy way.

Video Demo

Well, at the end, I have decided to upload a video demo which has been made as a proof of concept of all I have been talking before. Its duration is 10:33, it has no sound but I think it's quite self explanatory. Hope you will enjoy it.