Infrastructure PenTest Series : Part 6 - Configuration Review

So far, we have discussed about the IT infrastructure penetration testing in which plethora of attacking methods, tools, commands were explained. Now it’s time get our hands dirty with the secure configuration re`view of network devices. Often in an engagement we are required to perform a secure configuration review of network devices such as routers, switches, firewalls etc. We will try to cover devices by different vendors.

Introduction

Before Jumping into the configuration review of devices, let us provide a small introduction to such devices:

Routers

These devices operate at layer 3 of OSI model connect and route data between networks using IP addresses. Once data is routed to the destination network, the data goes to a switch where the destination host might be connected.

Switches

Unlike hub which takes a frame that it receives on any given port and repeats it out to every port on the hub, A switch is an intelligent learning device which learns the MAC address for each host plugged into the switch ports. With this information, the switch will repeat a frame only out to the port that contains the correct destination MAC address.

Firewalls

These are the main devices which protect us in a day to day activities by carefully examining the packets destined to us. Now over the time there are several types of firewalls in action which are listed below.

  • Packet filtering Firewall : These are essentially routers operating at Layer 3 using set ACLs. Decisions are made to allow and disallow traffic based on the source and destination IP address, protocol, and port number.
  • Stateful Inspection firewall : Also known as stateful packet inspection (SPI) or dynamic packet-filtering firewall which operates at Layers 3 and 4. A router at home allows us to establish and maintain a session externally with another address. The “state” refers to identifying and tracking sessions that occur in Layers 4 and 5. The rules are changed dynamically when we establish an outbound connection to enable packets from the destination IP address to be returned to you. All other traffic is stopped from reaching our computer, protecting us from the dangers from Internet.
  • Application Firewalls : These firewalls combine the functionality of the typical firewall operating in the lower OSI layers with the power and deep inspection of application awareness. Based on the information at the application level, such as known malicious traffic, decisions can be made to allow or disallow traffic. for example an appliance or host that screens web traffic before it hits our web server,based on the behavior and content of the web traffic, decisions might be made to refuse access to the web server.

Now lets begin our quest to configuration reviews.

Broadly speaking, the configuration review/ Hardening checks can be categorized for the devices under the 3 major functional categories of a network:

  • Management Plane: Made up of applications and protocols (SSH, SNMP etc.) it is responsible for the management of traffics that are sent the IOS devices.
  • Data Plane : This forwards data through a network device and it doesn’t include traffic that is sent to the local IOS device.
  • Control Plane : This plane processes the traffic, which is very important to maintain the functionality of the network infrastructure. It consists of applications and protocols between the devices.

Cisco Devices

Its always recommended to perform a manual review for the devices. The manual approach may take time but its the best way to learn the IOS configuration commands as well. First and foremost, we need to obtain the configuration file of the device. To do so we will talk a bit about various modes present in CISCO devices.

User EXEC              Log in.                                                                         Router>
Privileged EXEC        From user EXEC mode, use the enable EXEC command.                               Router#
Global configuration   From privileged EXEC mode, use the configure terminal privileged EXEC command.  Router(config)#

Now to pull out the configuration of the device one of the simplest way is by using telnet (Though its an insecure protocol, Its just a method)

Router# show runnning-config

There are many ways to save the configuration into a text file like saving the config to a tftp/ftp server and then get the file from there etc. But the simplest way is by using Putty emulator, for this we just have to enable the logging section under the sessions tab.

Note

telnet -f fileName.txt xx.xx.xx.xx This will directly save the telnet session in a text file. (Though its an insecure protocol, Its just a method.)

Tools

So, Now that we have a running configuration file of the device the next step would be to perform a security review for the device. for the manual review we will discuss few pointers which can be checked in no time.

  • password must be secured using type 5 encryption level.
  • Check for AAA (Authentication, authorization, and accounting).
  • Unused interfaces should be shutted down or properly configured with port security in voilation mode. (only on switches)
  • Schedule a meeting with the stakeholder’s and obtain the network diagram. Analyze the buisness requirement and the traffic flow and based on that verify whether the access list is cleraly defined or not.
  • HTTP server i.e accessing the device management via a http should not be configured.
  • Check for default password authnetication by manually doing SSH.
  • Telent should be disabled for managing the device.
  • Cisco discovery protocol should be disabled because CDP packets contains some juicy informations related to sender, hardware model, Operating system verison and IP address details.
  • Ensure that logging is configured on the device with a separate ip address for syslog server.
  • Switches and routers should be configured with login banners.
  • Domain lookup should be disabled if the DNS server isnt configured.
  • Risky services such as Telnet, HTTP, Finger etc. should be disabled.
  • Based upon the requiremnet of no.of VTY lines (provides logical connections to the device) should be limited.
  • Auxilliary console should be disabled.
  • All the console options such as console line, Aux Line, and VTY lines should be configured with 10 minutes of timeout.
  • VTY line should be configured with proper access contorl lines (ACL) in case of routers and switches.

Nipper

Nipper is a very handy tool which is by default available in Kali linux. This tool is a cli based and can be utilised to perform some basic checks related to firmware version, device control etc. Its also available as a paid version and n trial version with limited amount of devices to be audited. However, the inbuilt nipper module in kali linux sometimes gives a lot of false positives, but for a start this also gives some juicy information.

nipper [Options]

General Options:
    --input=<file> :  Specifies a  device configuration  file to  process.  For CheckPoint Firewall-1 configurations, the input should be the conf directory.
    --output=<file> | --report=<file> : Specified an output file for the report.
    --csv=<file> : Want to output the network filtering configuration to a CSV file?.
    --version : Displays the program version.

Example usage: nipper --ios-router --input=ios.conf --output=report.html (for cisco routers)

Nipper also supports various devices such as juniper Netscreen Firewall, Sonicwall firewall, checkpoint firewall, cisco firewalls.

Nessus (Professional version)

Nessus pro. is great tool which can be used for auditing various platforms such ios, Windows, Unix, IBM iseries, Junos, Extreme OS etc. one of the major features of Nessus professional version is offline configuration of sensitive devices. However, this features only gives compliance audit results.

Below are a few steps for an offline configuration audit.

  • To create an offline configuration audit, select the Offline Config Audit in the new Policies library.
  • To see the compliance options, click on the Compliance menu. This will bring up options different than the standard compliance audit.
  • The column on left shows the supported network devices that can have their configurations audited offline.
  • Select your desired platform and at the bottom you should see ‘offline configuration audit’ under ‘global settings’.
  • click on ‘add file’ and add your devices config. files.

Note

We can also add multiple device configs. to a single compressed folder and upload the same. However, same platform devices are to added.

A more recent option (which we haven’t tried yet) is the Nessus IOS plugin from Tenable.

rConfig

It is a free and open source network device configuration management utility for network engineers to take frequent configuration snapshots of their network devices. This can be utilized for viewing and extracting out the configuration of network devices in order to perform analysis of the network communication in devices perspective. rConfig Version 3 now has a Configuration Compliance Management utility to enable you to monitor device configurations for policy compliance. Refer to the tutorial and usage of this tool Rconfig.

More ad hoc (single-function) tools can be found at PacketStorm and cymru.

Solarwinds Network Configuration Manager

NCM can be used to improve network security and compliance by using NCM automation to identify IOS vulnerabilities, upgrade IOS firmware and audit device configs for NIST FISMA, DISA STIG, and DSS PCI compliance. Although its a paid tool but it supports 30 day free trial version. Refer Solarwinds Network Configuration Manager for the datasheet and for downloading.

ciscoconfparse

CiscoConfParse is an open-source audit toolset that lets us express the audit as Python code. It is a Python library, which parses through Cisco IOS-style configurations. It can be used for the following:

  • Audit existing router / switch / firewall / wlc configurations
  • Retrieve portions of the configuration
  • Modify existing configurations
  • Build new configurations

Refer the documentation Cisco-Conf-Parse.

Tuffin Orchestration Suite

The Tufin Orchestration Suite intelligently analyzes the network, automates configuration changes and proactively maintains security and compliance across the entire enterprise network. It comprises three products: * SecureTrack dashboard (change tracking, risk analysis, etc.) * SecureChange (change automation-ticketing) - A comprehensive solution for automating network configuration changes to firewalls and routers. * SecureApp - An automated solution that enables organizations to easily define, update, monitor and remove applications and services from the network.

refer Tufin toc for installations and usage guidelines.

Solarwinds FSM

Firewall security manager by solarwinds is a good for offline configuration audit (Rule base) of cisco firewalls and other vendors. Although its a commercial product released by solarwinds, it is available for free trial which supports at least 1 device for the reneiw purpose. Upon successful import of config. file the solarwinds will generate 3 pdf files related to Rulebase review, firewall rule optimization and clean up, rules page. This tool also gives a tabulated view of various ingress and egress points of a firewall. For details Refer Firewall Security Management.

Springbok

It is a good open source firewall visualization tool which creates a visual map of firewall ingress and egress points which can be used to analyze the traffic flow from different nodes integrated. It also provides the feature of viewing the rules and analyze them according to the integrated nodes.

For details regarding usage and installation refer Springbok.

Feel free to add more tools and software’s which we might have missed.

End-Point Review

We are often required to perform end-point review for operating systems for windows and linux on our own in some engagements. Here i will be discussing about few of the commands and tools required for auditing the operating systems.

Windows Operating Systems

Gpresult

Displays the Resultant Set of Policy (RSoP) information for a remote user and computer. To use RSoP reporting for remotely targeted computers through the firewall, you must have firewall rules that enable inbound network traffic on the ports.

Usage

gpresult [/s <compUTER> [/u <USERNAME> [/p [<PASSWOrd>]]]] [/user [<TARGETDOMAIN>\]<TARGETUSER>] [/scope {user | computer}] {/r | /v | /z | [/x | /h] <FILENAME> [/f] | /?}

The following example displays RSoP data for the computer srvmain and the logged-on user. Data is included about both the user and the computer. The command is run with the credentials of the user maindomhiropln, and p@ssW23 is entered as the password for that user.

gpresult /s srvmain /u maindom\hiropln /p p@ssW23 /r

Net Accounts

This is a native windows command for acquires account related information such as password complexity, Password expiration, No. of passwords to be remembered, Lockout Duration etc.

Usage

Net Accounts            - View the current password & logon restrictions for the computer
Net Accounts /Domain    - View the current password & logon restrictions for the domain.
NET USER [/DOMAIN]      - View user account details

WMIC.exe

Windows Management Instrumentation Command : Retrieve a huge range of information about local or remote computers. Make configuration changes to multiple remote machines.

Refer Here for more information on usage.

Applications installed

We also have to look for vulnerable applications installed by getting a comprehensive list of installed applications. This can be gathered by using the following command line in native windows powershell.

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table AutoSize > File.txt

auditpol

We also need to look for the audit policies defined for systems/ Servers in order identify various misconfiguration of windows audit policy this can be gathered by using this command which displays information about and performs functions to manipulate audit policies.

Usage

Auditpol command [<sub-command><options>]

auditpol /get
[/user[:<username>|<{sid}>]]
[/category:*|<name>|<{guid}>[,:<name|<{guid}> ]]
[/subcategory:*|<name>|<{guid}>[,:<name|<{guid}> ]]
[/option:<option name>]
[/sd]
[/r]

Refer Auditpol-Get.

Simply issue

auditpol /get /category:* > Audit_Policy.txt

For extracting the audit policy.

PolicyAnalyzer

PolicyAnalyzer released by Microsoft for analyzing and comparing sets of Group Policy Objects (GPOs). It can highlight when a set of Group Policies has redundant settings or internal inconsistencies, and can highlight the differences between versions or sets of Group Policies. It can also compare GPOs against current local policy settings and against local registry settings. And you can export its findings to a Microsoft Excel spreadsheet.

Microsoft security compliance tool kit allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations.

File Server permission

It is also essential to review the file permission for a file server during the OS review phase. There are many tools available to do the same but we will be restricting to only few here…:)

AccessEnum

AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you for security holes and lock down permissions where necessary.

Permission Reporter

This tool is free downloadable file permission analyzer which can be used to analyze different permissions related to different groups, Individual users etc. This comes handy while determining the unnecessary file/ Folder permisssion in a file server.

SolarWinds Permission Analyzer

Persmission Analyzer tool helps in:

  • Quickly identify how a user’s permissions are inherited
  • Browse permissions by group or individual user
  • Analyze user permissions based on group membership and permissions

The only issue here with this tool is that it doesn’t generate a report rather it just displays the file permissions associated.

Linux Operating systems

Tiger

Tiger is security tool that can be use both as a security audit and intrusion detection system. It supports multiple UNIX platforms and it is free and provided under a GPL license. Unlike other tools, Tiger needs only of POSIX tools and is written entirely in shell language. Tiger has some interesting features that merit its resurrection, including a modular design that is easy to expand, and its double edge, it can be used as an audit tool and a host intrusion detection system tool.The current stable release is 3.2.3, the previous (old) stable release is 3.2.2.

unix-privesc-check

Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfiguration that could allow local unprivilged users to escalate privileges to other users or to access local apps (e.g. databases). t is written as a single shell script so it can be easily uploaded and run. It looks for the following

  • Writable Home Directories
  • Readable /etc/shadow
  • Weak Permissions On Cron Jobs
  • Writable Configuration Files
  • Writable Device Files
  • Readable Files In Home Directories
  • Running Processes Correspond To Writable Programs
  • sudo Configuration
  • Accounts with no Password

LSAT

Linux Security Auditing Tool LSAT is a post install security auditing tool. It is modular in design, so new features can be added quickly. It checks inetd entries and scans for unneeded RPM packages. It is being expanded to work with Linux distributions other than Red Hat, and checks for kernel versions. Few features of LSAT is listed below:

  • checkbp: Checks for boot loader password.
  • checkcfg: This module is performed last
  • checkdotfiles: Looks for .forward, .exrc, .rhosts and .netrc files on the system.
  • checkfiles: Checks that /tmp and /var/tmp have sitcky bit set, checks utmp, wtmp, motd, mtab for chmod 644.
  • checkftpusers: Checks that all accounts in /etc/passwd are in /etc/ftpusers.
  • checkhostsfiles: Reads /etc/hosts.allow and /etc/hosts.deny files
  • checkinetd: Checks either /etc/inetd.conf or /etc/xinetd.d/*
  • checkinittab: Checks to see if default runlevel is 5. If it is, give the user a warning.
  • checkipv4: Checks to see that common forwarding and ignoring are off/on in ipv4.
  • checklimits: Performs simple check of limits.conf file
  • checklogging: Performs a simple check to see if auth and authpriv logging facilities are on.

Lynis

Lynis is an open source linux security auditing tool. The primary goal is to help users with auditing and hardening of Unix and Linux based systems. The software is very flexible and runs on almost every Unix based system (including Mac). Lynis performs hundreds of individual tests. Each test will help to determine the security state of the system. Each test is written in shell script and has its own identifier.

Changelog

  • Binary Exploitation/ Vulnarable Machines/ Linux Essentials/ Configuration Review- Push by bitvijays