Sabtu, 16 Oktober 2004

Simple Post-Installation Baselines on Windows

I just finished setting up a new Windows XP SP2 system on a Shuttle SB52G2 for my wife. This box screams compared to the 1998-era PII 333 MHz tower it replaced.

Now that the installation is done and I've loaded all the software we expect to use on the system and all appropriate patches, I've taken a few simple steps to record a baseline configuration. I use the free PsTools suite from SysInternals.com to record key aspects of the operating system and installed software. Here are the tools I run and sample output for each. All of this information is redirected into text files that I store on the system and on a separate system for safekeeping. I ran all of these programs without administrator privileges.

Believe it or not, but not everyone who breaks into your Windows systems is a Uber Elite hacker. Sometimes they tools used by intruders or malware leaves evidence in output such as this. If you can compare this listing, taken in a known good state, to later records, you might discover unauthorized software. It is best to update these records each time you apply a service pack or hotfix.

PsInfo: This utility records essential system information, like patch levels and installed applications:



c:\>psinfo -h -s -d



System information for \\SCOUT:



Volume Type Format Label Size Free Free

A: Removable 0%

C: Fixed NTFS 15.0 GB 11.8 GB 78%

D: Fixed NTFS data 59.5 GB 55.9 GB 94%

E: CD-ROM 0%

OS Hot Fix Installed



KB834707 10/16/2004

KB885884 10/16/2004

Q147222 10/12/2004

Applications:

7-Zip 4.09 beta

Adobe Acrobat - Reader 6.0.2 Update 6.0.2

Adobe Download Manager 1.2 (Remove Only)

Adobe Photoshop Album 2.0 Starter Edition 2.00.100

Adobe Reader 6.0.1 006.000.001

AutoUpdate 1.0

Avance AC'97 Audio

CC_ccStart 2.0.0.635

DivX 5.2.1

DivX Player 2.5.5

Intel(R) 82845G Graphics Driver Software

Intel(R) PRO Ethernet Adapter and Software

Intel(R) PRO Intelligent Installer 2.01.0000

IrfanView (remove only)

LiveReg (Symantec Corporation) 2.4.2.2295

LiveUpdate 2.5 (Symantec Corporation) 2.5.55.0

MSRedist 1.0.0.0

MWSnap 3 3.0.0.74

Macromedia Shockwave Player

Microsoft Baseline Security Analyzer 1.2.1 1.2.4013.0

Microsoft Money 2002 10.0.80

Microsoft Money 2002 System Pack 10.0.80

Microsoft Office XP Standard 10.0.6626.0

NetTime 2.0

Norton AntiVirus 2004 10.00.00

Norton AntiVirus 2004 (Symantec Corporation) 10.00.00

Norton AntiVirus Parent MSI 10.0.0

Norton AntiVirus SYMLT MSI 10.0.0

Norton WMI Update 2005.1.0.111

PDFCreator 0.8.0

QuickTime

RealPlayer

SymNet 4.7.1

Symantec Script Blocking Installer 1.0.0

WebFldrs XP 9.50.7523

WinMX

Windows XP Hotfix - KB834707 20040929.110854

Windows XP Hotfix - KB885884 20040924.025457

ccCommon 2.0.0.635

iTunes 4.6.0.15

iTunes 4.6.0.15


PsList: This tool lists all processes running on the system. Again, you might notice an unauthorized process by comparing a later listing to this one taken under post-installation conditions. While the PsInfo output was easy to ready, it can be more difficult to make sense of processes based solely on their names.


c:\>pslist



PsList 1.26 - Process Information Lister

Copyright (C) 1999-2004 Mark Russinovich

Sysinternals - www.sysinternals.com



Process information for SCOUT:



Name Pid Pri Thd Hnd Priv CPU Time Elapsed Time

Idle 0 0 1 0 0 0:34:33.093 0:00:00.000

System 4 8 55 266 0 0:00:09.468 0:00:00.000

smss 372 11 3 21 164 0:00:00.984 0:40:50.680

csrss 664 13 11 498 1680 0:00:20.765 0:40:47.946

winlogon 688 13 20 532 7468 0:00:05.125 0:40:46.540

services 736 9 15 296 1912 0:00:07.703 0:40:45.540

lsass 748 9 20 366 3720 0:00:05.375 0:40:45.446

svchost 892 8 20 206 3008 0:00:01.343 0:40:44.086

svchost 960 8 11 376 1844 0:00:06.828 0:40:43.680

svchost 1000 8 72 1459 13024 0:00:11.953 0:40:43.461

svchost 1080 8 6 101 1252 0:00:00.343 0:40:42.665

svchost 1160 8 15 212 1656 0:00:00.328 0:40:42.071

CCSETMGR 1268 8 6 183 2400 0:00:00.765 0:40:40.774

CCEVTMGR 1296 8 22 202 2584 0:00:00.484 0:40:40.336

spoolsv 1460 8 14 144 3520 0:00:03.281 0:40:39.571

NAVAPSVC 1580 8 11 241 5648 0:00:11.937 0:40:39.071

NeTmSvNT 1616 8 7 74 844 0:00:01.203 0:40:38.805

NMSSvc 1668 8 6 136 1964 0:00:01.781 0:40:38.415

SAVSCAN 1724 8 7 60 8240 0:00:08.546 0:40:37.993

svchost 1768 8 8 135 3424 0:00:01.218 0:40:37.540

symlcsvc 1796 8 4 78 784 0:00:00.265 0:40:37.040

SymWSC 1904 8 8 254 7448 0:00:10.062 0:40:36.024

alg 240 8 6 105 1016 0:00:00.078 0:40:31.149

explorer 2740 8 11 325 11004 0:00:11.218 0:28:14.425

PROMon 3692 8 4 85 776 0:00:01.406 0:28:08.753

igfxtray 3764 8 1 58 1228 0:00:00.203 0:28:08.659

hkcmd 1156 8 2 67 1348 0:00:00.281 0:28:08.503

SOUNDMAN 3384 8 1 42 1708 0:00:00.031 0:28:08.409

CCAPP 1676 8 22 336 5092 0:00:04.156 0:28:08.347

NetTime 3716 8 2 33 744 0:00:00.203 0:28:08.284

iTunesHelper 3160 8 4 104 800 0:00:00.171 0:28:08.128

qttask 3144 8 2 38 500 0:00:00.125 0:28:08.066

iPodService 2220 8 6 112 1896 0:00:00.203 0:28:06.144

LUCOMS~1 3824 8 5 132 2244 0:00:00.578 0:28:04.925

cmd 3368 8 1 31 1928 0:00:00.578 0:05:26.631

msmsgs 4056 8 4 149 1176 0:00:00.156 0:00:17.109

pslist 3036 13 2 70 680 0:00:00.046 0:00:00.046



Netstat: Recently Windows has added the ability to show the process id (PID) of the process that opens a listening socket. That means the old netstat command can show the PID responsible for open sockets on a Windows system if passed the -o switch:


c:\>netstat -nao



Active Connections



Proto Local Address Foreign Address State PID

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 960

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4

TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING 240

TCP 127.0.0.1:1078 0.0.0.0:0 LISTENING 1676

TCP 192.168.2.11:139 0.0.0.0:0 LISTENING 4

UDP 0.0.0.0:445 *:* 4

UDP 0.0.0.0:500 *:* 748

UDP 0.0.0.0:1031 *:* 1080

UDP 0.0.0.0:1032 *:* 1080

UDP 0.0.0.0:1033 *:* 1080

UDP 0.0.0.0:1034 *:* 1080

UDP 0.0.0.0:1035 *:* 1080

UDP 0.0.0.0:4500 *:* 748

UDP 127.0.0.1:123 *:* 1000

UDP 127.0.0.1:1900 *:* 1160

UDP 192.168.2.11:123 *:* 1000

UDP 192.168.2.11:137 *:* 4

UDP 192.168.2.11:138 *:* 4

UDP 192.168.2.11:1900 *:* 1160



You can get similar but not exactly the same output with Foundstone's Fport program:


c:\>fport

FPort v2.0 - TCP/IP Process to Port Mapper

Copyright 2000 by Foundstone, Inc.

http://www.foundstone.com



Pid Process Port Proto Path

960 -> 135 TCP

4 System -> 139 TCP

4 System -> 445 TCP

240 -> 1025 TCP

1676 ccApp -> 1078 TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe



0 System -> 123 UDP

0 System -> 137 UDP

0 System -> 138 UDP

960 -> 445 UDP

4 System -> 500 UDP

240 -> 1031 UDP

1676 ccApp -> 1032 UDP C:\Program Files\Common Files\Symantec Shared\ccApp.exe

4 System -> 1033 UDP

0 System -> 1034 UDP

0 System -> 1035 UDP

0 System -> 1383 UDP

0 System -> 1900 UDP

0 System -> 4500 UDP



PsService: The last program I like to run shows the services that load under Windows. Only a few are shown for demonstration purposes:


c:\>psservice

PsService v2.12 - local and remote services viewer/controller

Copyright (C) 2001-2004 Mark Russinovich

Sysinternals - www.sysinternals.com



SERVICE_NAME: Alerter

DISPLAY_NAME: Alerter

Notifies selected users and computers of administrative alerts. If the service is

stopped, programs that use administrative alerts will not receive them. If this

service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 1 STOPPED

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 1077 (0x435)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0



SERVICE_NAME: ALG

DISPLAY_NAME: Application Layer Gateway Service

Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and

the Windows Firewall.

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0



SERVICE_NAME: AppMgmt

DISPLAY_NAME: Application Management

Provides software installation services such as Assign, Publish, and Remove.

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 1 STOPPED

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 1077 (0x435)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0


Again, in a situation where you expect an intrusion, comparing new data to this baseline can help identify suspicious processes or services.

If you want to collect even more data, assume administrator privileges and run Listdlls. Listdlls displays all of the DLLs loaded on a Windows system.

If you're wondering how I identify potential intrusions on Windows systems, the answer is simple. One of the host-based steps involves "live response," or the collection of volatile information using certain Windows tools. My IR toolkit includes these and other tools. Quite often I can identify suspicious entries in records like those shown, and having a baseline in hand makes that job much easier. Of course, truly skilled intruders will use kernel mode rootkits to hide their presence. Under those conditions, other techniques must be applied.

0 komentar:

Posting Komentar