WEBCAST: Blue Team-Apalooza

Kent Ickler & Jordan Drysdale //


We had a sysadmin and security professional “AA” meeting on November 8, 2018. We met and discussed things that seem to be painfully slow to take hold in our organizations; patching, regular scanning, even just finding time to manage our inventory.

Slides available here: https://blackhillsinformationsecurity.shootproof.com/gallery/7945173/

Five Things (That Seriously Make A Difference)

  1. Baselining a network with Nmap, Masscan, learning networking
  2. Inventory management and gaining control
  3. Updates, Upgrades, Patching.
  4. Revisit baselining. Hardening cleartext services.
  5. Group policies we love, the ones that make it hard for pentesters and attackers

We talked about a whole lot more than that.


Q&A Follow Up

There were so many great questions we thought we would post them. Here goes.

Q: Do you recommend scanning all RFC1918 addresses on a regular basis (monthly/quarterly) to discover unknown devices/segments being used? If so, use nmap, mass scan or current vuln scanner?
A: Absolutely, and we would use masscan. But…this depends. Does your position, or location on the network allow access to all segments? If you control the network gear (switches, routers, firewalls), you might start running SNMP[v3 :)]. Gather reports that include ports that have more than one MAC address on a port. This could mean that someone dropped a NAT device on the network and you would never see their rogue segment anyway. It could also mean you have started the process of mapping important ports on the network (switch uplinks, access points, etc).

Q: Can someone expand on why OpenVAS is bad?
A: OpenVAS isn’t necessarily bad…and like we mentioned, it is a great place to start. ESPECIALLY if your organization allows offensive posturing from its systems team. Meaning: if you can identify flaws with OpenVAS and then exploit them, you can prove that the company may want to invest in a commercial product. While we have no specific relationship with Tenable, we consider the cost to benefit ratio of Nessus to be the industry standard. And oh yeah, we don’t have time on our contracts to wait around for OpenVAS – it’s a bit slow…

Attendee comment about OpenVAS: “I am not sure on the legalitity on the licensing, but I compared OpenVAS results to nexpose ‘free license’ and used that comparision to mgmt to show why we needed a commerical tool.”

A perfect lead in to —

Q: Nessus vs Nexpose?
A: If you can afford Nexpose, by all means, go for it. It provides rationalization for the efforts of a systems team to mitigate vulnerabilities over time in beautiful graphical format (Nessus Manager does this too). IDR can integrate directly and provide feedback in the “flight recorder” scenario that another attendee asked about. This product is great! The reports, in my opinion which is not the opinion of BHIS (Black Hills InfoSec) is that they are not as functional or easy to read as the Nessus reports. There is a BUT here as well….but – from a rapid response contract perspective, Nessus is what I use every day – I may simply not know how to use Nexpose properly.

Comment: 100% worth dropping here. The following is based on a long conversation I had with Jeff Man at WWHF about pentesting versus vulnerability assessments.

“In Army parlance, a blue team is a vuln test with insider knowledge.  A red team is a hostile pen test. A vuln assessment is simply a check against standards like STIGs.  As always, rules of engagement are key.”

Comment / Q: “We have 15 char. password policy, but get dinged on state audits for not having 8 + complexity. Any compliance initiatives that you all have seen that show 15 is better and acceptable?”
A: Uggh. I complained about this on the webcast. The standards and compliance bodies are missing this. We state 15 characters specifically because of Active Directory’s default password storage mechanism: Lanman. Without configuring the GPO to “enable the setting that disables Lanman hash storage” 15 characters is how we defeat this very very bad vendor default. Why are compliance bodies slow to move? People still use Nist 87 (I think) for guidance – it was 8 characters in 1987…seriously, I know this is an AA meeting, but it is time to change this.

Check out Stanford’s policy: https://uit.stanford.edu/service/accounts/passwords/quickguide – basically, if you want a short password it is good for two weeks. The more entropy in your password, the longer it can live. Brilliant.

Q: Can you go over the NMAP commands again and how they enumerate?
A: These are the standards I use on every test, almost every day.

[-F] Top100

[-p-] allTCP

[-A] OS+svc

[-sV] svcVer

[-sP] ping  


[-sU] UDP

[–script vuln / smb-sec-mode / ssl-enum] ## These are close, but probably not quite right

[-oA] outputAll

Instead, check this out: https://blogs.sans.org/pen-testing/files/2013/10/NmapCheatSheetv1.1.pdf

Q: Does Recon-NG still work w/LinkedIn scraping?
A: Yes. But, I’m not sure we’re allowed to call it “scraping.” The couple of things you need are available in the Azure Portal. You will need a custom search API from Bing. Once this is available, you may need to verify the Bing API v7 Endpoint in the module’s code. Make the code match yours, and in recon-ng use “keys add bing_api <API-String-here>.

Q: How fast to patch? I’m for testing, then as soon as possible, but I normally see customers at 30 days…
A: This is interesting and we just had this conversation internally. It went something like this and I think John refrained from telling us testers we were wrong. “If a critical flaw is identified and we can test it on an engagement, attackers certainly aren’t waiting around for patching windows.” I think this continues the upward pressure on vendors to push patches downstream as fast as possible.

Which parlays over to a point I want to make about inventory controls.

Comment: Inventory management is hard, but please, put a control in place at procurement. All new gear inbound to an organization, and I seriously don’t care if it is a $30 netgear switch, needs a point of contact assigned in the inventory management control sheet. This person is responsible for registering the product with the vendor. Ditch the crap and use real contact information or you will miss the notification that security fixes were dropped and you need to patch.

Q: Recommendation on framework for a SMB just starting security program?  CIS 20? NIST 800-53? Other?
A: We love the CIS/CSC 20, preach them and find them incredibly difficult to implement. This can even cause extreme levels of distrust between IT Ops and Execs. However, for organizations looking for a framework to use as part of a belt-tightening strategy, this is a great place to start. Remember Kent’s slide:

Q: What’s the reference to Cisco Smart Install TCP/4786?
A: One of the next couple blogs we post will be about this feature. It is another “on by default” dangerous, but acceptable in certain scenarios, feature. The feature allows unauthenticated retrieval of configuration files. Please use Cisco Type 5 for your admin username parameters, because if you missed the ‘no vstack’ config parameter on your Cisco gear, someone probably already reversed your admin password (type 7 reversible, not crypto’d). The feature also allows a config push – check out the “US Flag ASCII art story” that landed on a bunch of Russian Cisco routers. Also – the SIET tool automates this.

Comment: Love that intern bit… as someone looking for an internship thats what we are good for =P
A: We seriously love our interns. You are the up and coming next generation of defenders!!!

Comment / Q: We use Nessus to scan, we are getting responses that patches are ineffective due to registry setting and GPO settings not being applied, do you have any thoughts on this?  Is it possible some of these issues have been resolved with superseding patches?
A: If the systems on my network start exhibiting anomalous results against any of the control validation steps in use, it is definitely time to baseline image the thing! Intern, fill this coffee 😀 and image this box. I joke, seriously. Interns are awesome and image deployment is a part of learning. Multicasting! PIM, routing images from my storage segment to the computer lab over sparse mode. Joining multicast groups, ghost, fog, so many awesome fundamental concepts to learn.

Q: What is the best way to store, update and collaborate with the baseline data?
A: Best is hard. Best for us is FOG. It is easy. It is free. We capture the images that we know we use over and over — Kali with some mods (LVM sucks for imaging by the way) and a Win10R&D. Boom, reimage takes less than an hour. Standardize your desktops and laptops. Upgrade the images when you upgrade your hardware.

Jason: “Thank You for all the content y’all provide.  I find it extremely valuable and appreciate it.”

In closing, a shout out to Jason – we do this for you sir! And everyone else out there that follows us in our efforts. We appreciate you too sir!