cat brain | grep interesting >> blog


looking for ssl certs with keys less than 1024bits

On September 11, 2012 Microsoft released an update that will block SSL certificates that use RSA keys shorter than 1024 bits.  If you are looking for a way to discover whether there are weak certificates in use on your network, one tool you can use is good ol' nmap.  nmap has a handy scripting engine that you can use to do things like look for certain vulnerabilities.  Lucky for us, there is a script in the default bundle that ships with nmap that we can use to find SSL certs and their key length.

A basic scan would look like this dumping everything to standard out:

nmap -sV -sC -v network/subnet

If you have a lot of hosts to scan you probably need a report:

nmap -sV -sC -v --webxml -oX sslCerts.xml 192.168.1.1/24

xsltproc sslCerts.xml -o sslCerts.html

Then you can open sslCerts.html in your browser and voila.  This assumes you have xsltproc available on your OS, of course.
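If you would rather not eyeball the HTML report, the script below (an added example, not from the original post) reads the XML that the -oX run writes and lists every RSA certificate under 1024 bits.  It relies on the ssl-cert script that -sC runs recording the key type and size in a "pubkey" table; the embedded report is constructed, not a real scan.

```python
"""List hosts whose SSL certificate carries an RSA key shorter than 1024 bits,
reading the XML report from: nmap -sV -sC --webxml -oX sslCerts.xml <net>"""
import sys
import xml.etree.ElementTree as ET

MIN_BITS = 1024  # keys below this are blocked by Microsoft's September 2012 update

# Constructed sample in the shape nmap writes for the ssl-cert script (not a real scan)
SAMPLE_XML = """<nmaprun>
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443">
      <script id="ssl-cert" output="(truncated)">
        <table key="subject"><elem key="commonName">legacy.example</elem></table>
        <table key="pubkey"><elem key="type">rsa</elem><elem key="bits">512</elem></table>
      </script></port></ports></host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443">
      <script id="ssl-cert" output="(truncated)">
        <table key="subject"><elem key="commonName">www.example</elem></table>
        <table key="pubkey"><elem key="type">rsa</elem><elem key="bits">2048</elem></table>
      </script></port></ports></host>
</nmaprun>"""


def weak_certs(xml_text, min_bits=MIN_BITS):
    """Return (addr, port, commonName, bits) for every RSA cert below min_bits."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        addr = addr.get("addr") if addr is not None else "?"
        for port in host.iter("port"):
            script = port.find("script[@id='ssl-cert']")
            pubkey = script.find("table[@key='pubkey']") if script is not None else None
            if pubkey is None:
                continue  # no certificate was read on this port
            ktype = pubkey.findtext("elem[@key='type']", "")
            bits = int(pubkey.findtext("elem[@key='bits']", "0"))
            subj = script.find("table[@key='subject']")
            cn = subj.findtext("elem[@key='commonName']", "?") if subj is not None else "?"
            if ktype.lower() == "rsa" and bits < min_bits:
                findings.append((addr, port.get("portid"), cn, bits))
    return findings


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for addr, port, cn, bits in weak_certs(data):
        print(f"{addr}:{port} CN={cn} RSA {bits} bits (below {MIN_BITS})")
```

Run it as `python weakcerts.py sslCerts.xml` against a real report; with no argument it walks the constructed sample.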

    • #windows
    • #security
    • #nmap
    • #ssl
  • 8 months ago

Burp Suite Series: Efficient Use of Payload Options When Attacking HTTP Basic Authentication

    • #burp
    • #appsec
    • #security
  • 8 months ago

maximizing value in pentesting

Great article by the Great Ed Skoudis over at the pen testing blog of SANS.org.

    • #security
    • #sans
    • #pentesting
    • #link
  • 1 year ago

block w00tw00t scans with fail2ban

Tired of seeing “/w00tw00t.at.blackhats.romanian.anti-sec:)”, and the other variations, in your logs?  First install fail2ban if you don’t have it already (you will wish you’d known about this sooner).  Create a new file in /etc/fail2ban/filter.d/ called “w00tw00t.conf”.  Inside put:

# block w00tw00t scans of all variations
[Definition]
failregex = ^<HOST> .*"GET \/w00tw00t.*
ignoreregex =

Then edit /etc/fail2ban/jail.conf and at the bottom put:

[w00tw00t-scans]
enabled  = true
# the second action line must be indented; name= labels the iptables chain and the mail subject
action   = iptables-allports[name=w00tw00t]
           sendmail-whois[name=w00tw00t, dest=root, sender=fail2ban@mail.com]
filter   = w00tw00t
logpath  = /var/log/httpd/access_log
maxretry = 1
bantime  = 86400

Restart fail2ban and you’re good to go.  You will now ban any IP running one of these automated scanners from connecting to your server, on any port, for 24 hours and get an email alert when it happens.
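Before restarting, it is worth dry-running the failregex against a few log lines to make sure scanner requests match and ordinary traffic does not.  The script below is an added example (not from the original post); its <HOST> expansion is a simplified stand-in for fail2ban's own, and the access_log lines are constructed.

```python
"""Dry-run the w00tw00t failregex from filter.d against sample Apache access_log
lines, the way fail2ban-regex does, before enabling the jail."""
import re

# fail2ban replaces <HOST> with a named group; this is a simplified form of its pattern
HOST_PATTERN = r"(?P<host>[\w\-.]+)"
FAILREGEX = r'^<HOST> .*"GET \/w00tw00t.*'

# Constructed combined-format log lines (not from a real server)
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2011:10:00:01 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 294',
    '203.0.113.6 - - [12/Mar/2011:10:00:02 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 294',
    '198.51.100.7 - - [12/Mar/2011:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.8 - - [12/Mar/2011:10:00:04 +0000] "GET /blog/w00tw00t-story HTTP/1.1" 200 512',
]


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> and compile, mirroring what fail2ban does with a filter.d entry."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def offending_hosts(lines, failregex=FAILREGEX, maxretry=1):
    """Return hosts that hit the regex at least maxretry times (the jail above uses 1)."""
    rx = compile_failregex(failregex)
    counts = {}
    for line in lines:
        m = rx.match(line)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host in offending_hosts(SAMPLE_LOG):
        print(f"would ban {host} on all ports for 86400s")
```

The fourth sample line shows why the regex anchors on "GET /w00tw00t: a legitimate URL that merely contains the string is not matched.  fail2ban ships the real version of this check as fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/w00tw00t.conf.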

    • #fail2ban
    • #linux
    • #security
    • #w00tw00t
    • #httpd
  • 1 year ago

forefront endpoint protection 2010

So I’m in the middle of replacing McAfee with FEP2010 and I must say so far I’m impressed.  I was a little concerned at first about using SCCM to manage it, but I think I’m over that now.  My beef with SCCM is simply that it’s too complicated and messy.  Despite what MS says, it’s no different than SMS (certainly not any easier to use).  Once you have SCCM up and running, installing FEP is a breeze.  Setup is quick and simple and pushing policy is cake.  If you are still using a separate WSUS server for updates this is the only real work you’ll need to do.

So if you have SCCM up and running already, all you need to do is run the FEP installer executable on your SCCM management server.  It will create a new DB and then add some new things in the SCCM console; easy as that.  You’ll see a new collection called “FEP Collections” which holds some special locked collections that show you things like failed deployments, which computers have out-of-date definitions, which have malware, and many other things.  There will also be a “Forefront Endpoint Protection” section under Computer Management now, which is where you can define custom policies.  Finally, you’ll notice it automatically creates some packages and advertisements for you.  Told you it was easy!

If you have a separate WSUS server you should configure it to auto-approve the FEP definition updates so all your clients stay up to date.  To do that, check out this guide on TechNet.

Deploying is also pretty simple and I’m not even going to detail any of that here since this guide does a fantastic job.

    • #anti-virus
    • #security
    • #fep2010
    • #mcafee
  • 1 year ago

remediating “null session / password NetBIOS Access” and “NetBIOS Remote User List Disclosure” on domain controller

SOLVED (kind of):

Finally was granted the opportunity to do some testing on one of the production domain controllers (always fun to do!) by the boss man since I couldn’t replicate the issue anywhere else.  Turns out if you remove “samr” from the local security policy “Network access: Named pipes that can be accessed anonymously” you can no longer dump the user list from an anonymous, non-domain account.  I’m not sure if this remediates the Qualys scan entirely (I had to put it back in production until we know the consequences of removing it), but for practical purposes the threat of an anonymous account being able to dump your user list and then start brute forcing is eliminated.  Changing “Network access: Do not allow anonymous enumeration of SAM accounts and shares” to enabled did not, however, fix the issues (I changed this first, then ran a new Qualys scan and it came back with the original results).

The kicker is I still have “samr” in the list for my other DCs and I can’t dump those user lists, so I’m still kind of at a loss.  There must be some other setting/permission in a GPO or something that I’m overlooking.  We’ve upgraded all the way from a 2000 domain over the years and a lot of original policy is still in place.  I think I’ll get a call in to MS for this eventually to see what the real problem is…

UPDATE:

As of 4/10/11 I still haven’t solved this.  Qualys sent me this link via twitter which is the same stuff everyone recommends.  I’m putting in a call to MS this week to see what’s up…

So I recently did a Qualys scan on three of my Windows 2008 R2 domain controllers and all three came back with “null session / password NetBIOS Access” and “NetBIOS Remote User List Disclosure”.  The scan report does not have any remediation steps for Server 2008; I tried the fixes suggested for 2003 (see below).  Everything I’ve found so far while reading TechNet forums and Googling has pointed back to 6 local security policy settings (and also their associated reg keys, which are not displayed below), which the scan report also mentions in a roundabout kind of way:

  • Network access: Allow anonymous SID / Name translation - Disabled
  • Network access: Do not allow anonymous enumeration of SAM accounts - Enabled
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
  • Network access: Let Everyone permissions apply to anonymous users - Disabled
  • Network access: Named Pipes that can be accessed anonymously - None
  • Network access: Shares that can be accessed anonymously - None

These seem to have zero effect.  I’ve got three other domain controllers using identical settings as the three that come back with the vulnerabilities and they come back clean from the scan.

I’ve confirmed that the vulns actually exist and aren’t false positives.  Using the tool enum I’m able to initiate a null session and also enumerate domain user accounts when using a non-domain account from a laptop.  If I try to do this on the other DCs that come back clean from the scan it fails.

I’ve run MBSA and the Directory Services BPA (Best Practices Analyzer built into Server 2008 products) on the DCs, both of which come back clean.  Windows itself thinks anonymous sessions are disabled when they clearly are not!  The built-in “Guest” account is disabled also.

If anyone has any suggestions on fixing this please let me know.  Tweet me @userdel, reply to this post, or email me at josh+qualys@userdel.com!  I’m opening a ticket with Qualys to see what they recommend, but I’m hoping you folks on the intarwebz are a little quicker ;)
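One way to audit these six settings across many DCs without clicking through the policy editor on each is to export the local policy with secedit and check the export.  The script below is an added example (not part of the original post): it parses the INF text that secedit /export /cfg writes, compares the six values above, and separately flags “samr” in the anonymous named-pipe list, which is what the SOLVED note above found to be the real culprit.  The sample export is constructed, and the registry paths and "type," value prefixes are taken from that export format.

```python
"""Check the six "Network access" settings above against a local policy export
made with:  secedit /export /cfg C:\\policy.inf   (parsed here from its INF text)."""
import configparser
import sys

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"

# Constructed excerpt of a secedit export (not from a real DC); each registry value
# carries a type prefix: "4," is REG_DWORD, "7," is REG_MULTI_SZ (comma-separated).
SAMPLE_INF = f"""[System Access]
LSAAnonymousNameLookup = 0
[Registry Values]
{LSA}\\RestrictAnonymousSAM=4,1
{LSA}\\RestrictAnonymous=4,1
{LSA}\\EveryoneIncludesAnonymous=4,0
{SRV}\\NullSessionPipes=7,netlogon,samr,lsarpc
{SRV}\\NullSessionShares=7,
"""

# policy name -> (INF section, key, value expected after the type prefix)
EXPECTED = {
    "Allow anonymous SID/Name translation": ("System Access", "LSAAnonymousNameLookup", "0"),
    "Do not allow anonymous enumeration of SAM accounts": ("Registry Values", LSA + r"\RestrictAnonymousSAM", "1"),
    "Do not allow anonymous enumeration of SAM accounts and shares": ("Registry Values", LSA + r"\RestrictAnonymous", "1"),
    "Let Everyone permissions apply to anonymous users": ("Registry Values", LSA + r"\EveryoneIncludesAnonymous", "0"),
    "Named Pipes that can be accessed anonymously": ("Registry Values", SRV + r"\NullSessionPipes", ""),
    "Shares that can be accessed anonymously": ("Registry Values", SRV + r"\NullSessionShares", ""),
}


def policy_findings(inf_text):
    """Return one line per setting that differs from the list above, plus a samr warning."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(inf_text)  # option lookups are case-insensitive by default
    findings = []
    for name, (section, key, want) in EXPECTED.items():
        raw = cp.get(section, key, fallback="")
        value = raw.split(",", 1)[1] if "," in raw else raw
        if value != want:
            findings.append(f"{name}: found {value!r}, expected {want!r}")
    pipes = cp.get("Registry Values", SRV + r"\NullSessionPipes", fallback="7,")
    if "samr" in pipes.lower().split(",")[1:]:
        findings.append("samr is still in NullSessionPipes: anonymous user-list dump possible")
    return findings


if __name__ == "__main__":  # secedit writes the export as UTF-16
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_INF
    print("\n".join(policy_findings(text)) or "all six settings match")
```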

    • #security
    • #windows
    • #headache
    • #qualys
    • #help!
  • 2 years ago

shmoocon 2011: come and gone

So this year I attended my first Shmoocon and I can definitely say I had a good time.  It’s an affordable con with a lot of stuff to do and a good variety of subject matter.  The atmosphere is laid back and there’s a lot of swag to be had if that’s your thing.  Most of the talks that I attended were pretty interesting, with only a couple being crappy.  Of the interesting ones, a few stand out that I’ll recap.  They are supposed to put all the talks online to watch for free, so I will update as soon as that is available.

Keynote by Mudge:

Mudge gave an outstanding keynote which was a real treat to hear.  He’s a great speaker and very respected in the security community so it was really neat to actually see him in person.

John McNabb:

If you try to google John McNabb you won’t find much.  He’s nobody famous (infamous?) in the hacker community, but he’s doing some great work in an area that is going to get more attention in the years to come: SCADA systems and cyberterrorism.  His talk focused on “Smart Water” systems and how attackers could attack a public water system.  John did an outstanding job and I look forward to seeing more work from him.

@surbo:

The long and short of it is that Trent Lo (aka Surbo) found the absolute most broken site I’ve ever heard of.  Surbo completely dismantles evite.com with some hilarious antics.  For the love of god do not use this website ever!!!

Richard Freidberg:

Rich gave a great talk on the NetSA Security Suite offered by CERT.  Admittedly, we don’t use netflow in any form at my current employer, but after seeing this it’s officially near the top of my to-do list.  This free suite of tools can give you more visibility into your network and seems to be pretty valuable for anyone playing defense.  I hope to get it set up soon and will post an article when I do.

Other than talks, Shmoocon also had a “Lock Pick Village” to learn about lock picking, a contest called “Hack Fortress” that combines hacking/puzzle challenges and TF2 (very cool concept), and several other contests involving things like crypto and hacker-esque puzzles.  I did check out the Lock Pick Village, which was my first foray into picking locks, and it was very cool.

I didn’t do any of the contests unfortunately, except for Barcode Shmarcode which is a contest to make the coolest barcode (your barcode is your ticket into the con).  I didn’t win because they said mine didn’t scan, however in my testing it does in fact scan but that’s ok.  I made a Shmoocon Passport that mimics a standard US Passport with some modifications. I didn’t put as much effort into it as I wanted, but the guy that won blew everyone out of the water anyway.  Below is a picture of the inside of my passport:

All in all I had a great time and if I can I plan on attending again next year even though it’s cold as hell in DC in January!

    • #shmoocon
    • #security
    • #woop
    • #con
  • 2 years ago

interesting talks from the 27th ccc

Lifehacker.com compiled a list of some of the more interesting talks from 27C3 (27th Chaos Computer Club Conference in Berlin).  For all the talks check out this page.

    • #conference
    • #security
  • 2 years ago

rhel hardening tips by the nsa

I’ve been using this handy little “Hardening Tips” guide for a while now on my RHEL/CentOS 5 systems.  The NSA also has a more comprehensive configuration guide for RHEL5 systems.

    • #rhel
    • #centos
    • #linux
    • #security
  • 2 years ago

big patch tuesday incoming 10-12-10

    • #windows
    • #security
    • #patches
    • #lol
  • 2 years ago
My name's Josh and I'm a SysAdmin. I post stuff that I think will be helpful to others.

My opinions/posts on my blog and Twitter are my own and do not reflect the views of my current or former employer(s).
