Monthly Archives: September 2014

Bash Shell Vulnerability called Shellshock

A vulnerability in the command interpreter called Bourne-again shell, or Bash, used on Unix-based operating systems was discovered last week by an IT engineer named Stephane Chazelas, taking the security world by storm.  The severity of the bug and the widespread use of Bash have led mainstream news outlets such as BBC, CNN, and the Guardian, along with many prominent security bloggers and researchers, to report on the story.  Social media is also rife with people discussing, commenting, showing concern, and even joking about it.

Bash exists on many operating systems, including embedded ones such as the ones running on Android phones, Wi-Fi routers, and even TVs, making the vulnerability widely spread and possibly the biggest in history.  The simplicity with which the vulnerability can be exploited has given the bug a critical severity with most vendors advising prompt patching.  If the bug is exploited by attackers, they can gain unauthorized information such as passwords and configuration files or can take over the system completely.

This looks like it is going to be a security nightmare for enterprises for many weeks to come as they rush to patch their vulnerable servers before the bad guys get to them.  With that said, it is time for me to go back and do the discovery of this dirty bug and put in the remediation strategies for our infrastructure.

Below are some resources on this topic:

Network Security Using TACACS – Part 2

Where to find TACACS+ server?

In the first part of this series, we had a brief introduction to the TACACS protocol and how it helps in centralizing and securing access to network devices.  This post is a continuation: it discusses the options available for implementing TACACS+ and contains an example of how to use one of the free TACACS+ servers to implement the AAA functions we talked about earlier.  In this post I will be using TACACS and TACACS+ interchangeably when referring to the protocol.

TACACS+ can be implemented using commercially available solutions such as Cisco’s widely deployed Access Control Server (ACS) or using freely available open-source implementations.  During my research, I found that there are limited choices when it comes to TACACS+ software, whether commercial or free, as compared to other products.  Below I am posting links to some of the sites I have come across for commercial solutions and for open source or free implementations.

Commercial

Open Source/ Free

TACACS Demonstration

In this post, I have decided to try TACACS+ from TACACS.net installed on a Windows 7 machine because of its simplicity and ease of installation and configuration.  The folks at TACACS.net have provided plenty of documentation on just about everything related to installation and configuration of their software.  I highly recommend reading the guides, especially if advanced configurations are required.

For the client I have used a Cisco 1801 router since I have one at hand to play with.  The free open-source Cisco simulation software GNS or the virtual router Vyatta can also be used as a client if you can’t find a real router or switch for testing.  Below is a diagram showing the setup I have used for this post.

TACACS Implementation

The steps I have followed are downloading and installing the TACACS server on a Windows 7 machine, configuring the TACACS server, configuring the Cisco 1801 router, testing authentication to the router via the TACACS server, and finally checking the accounting functionality of the TACACS server.  The TACACS users used for this test will be locally configured on the TACACS server, again for the sake of simplicity.

TACACS Installation & Configuration

Installation

The installation of the TACACS server is a straightforward process made easy by an installation wizard.  Clicking through a few steps will get the software installed and ready for configuration.  During the installation, as shown below, we need to specify a pre-shared key that will be used between the TACACS server and the clients.  The purpose of this key is to encrypt the communication channel between the server and the client so that credentials are securely transmitted between the two.


After the installation is complete, you can verify that it was successful in a couple of ways. One way is to check that the TACACS service is installed and its status is running. The other is to open a command prompt and use the “netstat -abn” command to check that the server has opened TCP port 49 and is listening for connections.

Services-Tacacs

Netstat

Server Configuration

By default, the server is configured to accept connections on the localhost IP address 127.0.0.1 of the computer, as shown above. We need to change this so that the server listens on the required IP address. Open the file “tacplus.xml” located in %ALLUSERSPROFILE%\TACACS.net\config\ using Notepad or WordPad, locate the “Local IP” section and change the IP to the real IP address of the server.  For the sake of clarity, I recommend opening the files mentioned here with Notepad++, which has many added features.  In my setup, the IP address of the server will be 192.168.244.124.  Besides the IP address, there are a number of other server options that can be changed, but for the purpose of this post I have kept all other options at their default.  After applying and saving the change, the TACACS service needs to be restarted for the change to take effect.  Once you have verified with netstat that the IP address you assigned is listening on TCP port 49, you can test further by using Telnet to connect to that port from the same computer or a different machine.  If you are not able to connect, check whether a firewall is blocking the connection.

tacplus config file


User Configuration

Now that the TACACS server is up and listening for TACACS requests on the IP address we have assigned, we need to configure the users who will be authenticated.  There are a number of ways TACACS user credentials can be configured. The credentials can be locally configured using the configuration file provided by the installation or can be pulled from an Active Directory or LDAP server. User accounts on the local system from where the users are connecting can also be used. By default, the configuration file also enables access for users in the local administrators group as a fallback option, for when a user cannot remember their password or the TACACS server becomes unavailable. For the purpose of this post, we will be using locally configured accounts in the configuration file.  An example of each user type is given within the configuration file.

Open the file named “authentication.xml” under the C:\ProgramData\TACACS.net\config\ directory and add the lines shown in the screenshot below. The easiest way to add the user configuration is to copy the examples found in the file and edit the fields. In this example I copied the example group “Network Engineering” and its associated users, renamed the group to “Net Admins” and the two user accounts to “User1” and “User2”, and set a clear-text Login & Enable password of “P@ssw0rd”. We can also insert a DES encrypted version of the password in the password field for added security.  In a production environment, we need to harden the TACACS server, put it behind a firewall to limit who can connect to it, and ensure the sensitive files are protected and monitored.  If you decide to copy from the examples given, make sure you remove the comment markers of the XML file, which are “<!--” at the beginning and “-->” at the end.


Testing

TACACS.NET provides two tools for testing your configuration called Tacverify & Tactest.  Tacverify is used for checking errors in the server configuration files while Tactest checks whether you can connect to the TACACS server using credentials. They are both found under the TACACS installation folder, which in our example is located at C:\Program Files (x86)\TACACS.net. To list the available options for the tools we can issue -? with the commands.

As shown from the results of the commands above, Tacverify shows our server configuration is okay and the authentication test done by Tactest was successful.  We now should be ready to configure our clients to use the TACACS server for authentication, authorization, and accounting.

Client Configuration

TACACS configuration differs from one client to another depending on the manufacturer.  For the purposes of this demonstration, we are using a Cisco 1801 router as a client. The commands required for enabling TACACS are shown in the screenshots below.  A TACACS authentication list called “use-tacacs” is configured and applied on the VTY lines of the router.  Also, as mentioned above, we need to specify the TACACS pre-shared key entered at the server.


Authentication Test

Once the configuration of the Cisco router is complete, we are ready to test TACACS authentication. When we connect to the terminal line of the router using PuTTY, we are asked to provide a TACACS username; here we use the users configured above. After pressing enter, we will be asked for the password of the username just entered. If the username exists in the configuration and the password supplied is valid, the user is granted access to the operational mode of the router. Typing the enable command and entering the enable password configured earlier in the configuration file will allow access to the privileged mode of the router.


 Accounting Test

From the previous post we have learned that the accounting module of TACACS takes care of recording information about the TACACS session and what the TACACS users have done.  To test this functionality, a few commands were entered in configuration mode after logging into the client router using the credentials for User1.  As shown below, User1 went into the loopback interface configuration, removed the IP address and shut down the interface.  If no log archiving is configured on the router, the commands entered by User1 cannot be recalled afterwards.  But thanks to the Accounting module of the TACACS server, all commands are captured, as we shall see below.


The logs for the TACACS.net server are kept in the C:\ProgramData\TACACS.net\Logs folder.  Opening the latest accounting log file, we see that the commands entered above have been recorded along with who the user was, the IP address of the user, the IP address of the network device, and the time stamp.  This kind of information becomes very important when troubleshooting an issue or investigating an incident.


As we have seen from this post, it is relatively easy to install and configure a free TACACS+ server and use it for securing your network devices.  In addition to authenticating users, we have seen also how all commands executed on network devices can be recorded for later investigative purposes.  Furthermore, we can also implement an Authorization module which restricts what users can or can not do once they are authenticated.

Update 1

I have noticed on a couple of occasions that after the installation of Tacacs.net is done, the installed service is not started by default, and clicking on start in the services console starts the service and then stops it immediately.  After some investigation, I checked the logs in the Event Viewer and noticed that the service did not start because it encountered some XML errors.  I checked the tacplus.xml file and found there were improperly placed statements.  I fixed the statements and the service started properly.  I found this issue occurs if previous configuration files exist when installing the software.  Just check the error message, which most of the time tells you the line number where the problem is.

 


Security Onion


I stumbled upon a promising open source tool called Security Onion managed by Doug Burks.  What is so exciting about the tool is that it combines several of the best tools from the open source security community, running on the Ubuntu Linux distribution, and creates a kind of Security Operations Center that gives you several insights into your network and its behavior.

Security Onion is a tool which combines Intrusion Detection/Prevention System (IDS/IPS), Host Intrusion Detection/Prevention System (HIDS/HIPS), Network Security Monitoring, and Log Management functions into a single system.  It achieves this by including Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools.  It requires a significant amount of time and expertise to configure and optimize all of the previously mentioned tools and have them integrated, but Security Onion makes the task easy by removing the complexity involved in the installation and management of the individual tools.  It does that by providing a setup wizard which takes care of all the necessary software and package installation.  Of course, one still needs the expertise and time to manage the system once it is installed and running.

Detailed information on the tool such as how to get started, network configuration, customization, and tips/tricks can be found on the Wiki page.  Doug also keeps a blog with detailed instructions and step-by-step guides.  I am very excited to try this excellent combination of security tools to see how I can use it to add an additional security layer to our network.


Recovering Lost Windows 2008 Password

As IT professionals, we are bound to run into problems every now and then during the course of our work.  One of the most common problems I have seen is a lost password to a system, application, or network device.  I have had my share of losing and recovering passwords for many systems and network devices, except for Windows-based systems, until an opportunity presented itself today, so I set out on a search mission on Google to find out how to do it.  Thanks to the many who shared their posts and videos, I was able to recover successfully using a simple method.  So this post explains what I have found on the web on how to recover from a lost Windows 2008 password.  If we are able to get a command prompt as a recovery option, then the procedure should also work on Windows 7, 8, and other versions of 2008 because they all contain the “Utilman.exe” utility, which is the main reason why this trick works, as we shall see below.

Below are the steps I have followed to successfully recover one of my test systems.   The procedure involves rebooting the system, so it should be planned if it is to be applied on production systems.

 

Steps to Recovery

  1. You will need to find the Windows OS installation media for the system you are trying to recover, mount it in the CD-ROM drive and reboot the system.
  2. Ensure your BIOS is set to boot from the CD-ROM first.  If not, go to the BIOS, change it, save the changes and continue with the reboot.
  3. While restarting you will be asked if you want to boot from the CD.  Press enter and the CD-ROM files will start to load.
  4. After the file loading is complete you will come across the setup screen.  Click next.
  5. On the next screen, choose the “Repair your computer” option.
  6. On the screen that follows, choose the hard drive on which Windows was installed and click next.
  7. On the next screen choose “Command Prompt”.  This will open a command prompt window.
  8. In the command prompt window enter the exact commands that you see below in the screen capture.  The procedure basically takes a backup of Utilman.exe and then replaces it with a command prompt executable. You need to be in the System32 folder of your Windows installation when executing the commands.
  9. Once done, close the command window and click on restart.
  10. After the system reboots, click on the “Ease of Access” icon, usually found in the bottom left corner.
  11. Because of the change we made above, this will open a command prompt instead of the utility.  Now in the command prompt you have full access to the system and can add users.  In the example below, we used the “Net User” command to add a user named “Hacker” with the password “TopS3cr3t” and added the user to the local “administrators” group.
  12. Use the newly created user with the local administrator right to login to the system and reset the password of the user account you have lost the password for.
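A check for the state this procedure leaves behind, as an added Python example that is not part of the original post: while Utilman.exe is still a copy of the command prompt, the “Ease of Access” icon on the logon screen opens a shell for anyone who can reach that screen. The backup file name and the sample directory are assumptions (the screenshot with the exact commands is not available), so the check flags any extra file whose name starts with "utilman".

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_utilman(system32):
    """Return findings about Utilman.exe in the given System32 directory."""
    names = {n.lower(): n for n in os.listdir(system32)}   # case-insensitive lookup
    findings = []
    if "utilman.exe" not in names:
        findings.append("Utilman.exe is missing")
    elif "cmd.exe" in names:
        utilman = os.path.join(system32, names["utilman.exe"])
        cmd = os.path.join(system32, names["cmd.exe"])
        if sha256_file(utilman) == sha256_file(cmd):
            findings.append("Utilman.exe is a copy of cmd.exe")
    # Heuristic (assumption): a backup made in step 8 keeps a "utilman" prefix.
    for lower, name in sorted(names.items()):
        if lower.startswith("utilman") and lower != "utilman.exe":
            findings.append("leftover copy: " + name)
    return findings


def make_sample_dir(replaced):
    """Build a constructed stand-in for System32 with tiny fake binaries."""
    root = tempfile.mkdtemp()
    files = {"cmd.exe": b"MZ constructed cmd",
             "Utilman.exe": b"MZ constructed utilman"}
    if replaced:
        files["Utilman.exe.bak"] = files["Utilman.exe"]   # hypothetical backup name
        files["Utilman.exe"] = files["cmd.exe"]
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    # On a real host, pass the System32 path of the installation instead.
    for state in (False, True):
        print(state, check_utilman(make_sample_dir(state)))
```

An empty result on the recovered server, together with removal of the temporary administrator account from step 11, is the state to aim for once the lost password has been reset.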

Network Security Using TACACS – Part 1

What is TACACS?

TACACS, usually pronounced tack-axe, is the acronym for Terminal Access Controller/Access Control System.  As the name implies, it is a protocol used as an access control mechanism for accessing networking devices via terminal connections.  In other words, it is used to regulate the access to routers, switches, wireless access controllers, network security devices, and any other network device that supports it.  It regulates this access by determining who can connect to the devices, what time they can connect, and once they are connected it determines what they can see and do.  In addition, it also records the activity of each authenticated user and information about the TACACS session.

Briefly to go into the history of the protocol, TACACS was originally developed in 1984 for the US department of defense by MILNET as a way to secure and automate access to network resources.  Since then, it has undergone several changes and three versions of it have been deployed over time.  The first version of the protocol to be adopted by the wider public was facilitated by Cisco’s adaption of the protocol at the end of 1984.  This version was in use for some time until Cisco began adding more features and extensions to the original protocol.  In 1990 these extensions on top of TACACS became Cisco’s proprietary protocol and were called Extended TACACS or XTACACS and gave us the second version of TACACS.   The protocol continued to evolve over the following years and eventually a third version of the protocol called TACACS+ was developed by Cisco in 1996.  Although TACACS+ is developed by Cisco and has not been accepted as an open standard, it is considered the most widely deployed protocol nowadays.  Most networking vendors now support the use of TACACS+ in their products.

What does TACACS do?

TACACS is a protocol that implements Authentication, Authorization, and Accounting (AAA) modules to achieve access control for network devices.  The Authentication module determines which users can connect to network devices.  It does that by checking the credentials against a list of users locally configured in the TACACS server or by checking against external user data stores such as LDAP or Microsoft Active Directory.  Once users are authenticated, the Authorization module is responsible for determining what the users are allowed to see and do.  In other words, this module puts boundaries around what commands can be seen and executed by network administrators on the network devices they have been granted access to.  Finally, the Accounting module tracks information on the activity of the users and the TACACS session itself.  This information includes, among other things, the commands that were executed, the length of the session, the user credentials, and the network device accessed.

So what does all of this really mean?  To demonstrate what TACACS can do, we will use an example in which a company has 200 network devices and 3 network administrators.  Without TACACS, each of the 200 network devices has to be configured with 3 separate user accounts representing the three administrators.  Each of the three administrators has to remember the username and password of the 200 network devices unless they decide to have the same credentials on all the devices.  If one administrator leaves, then the other admins need to reconfigure all of the 200 devices to remove the credential of the admin who has left.  In order to audit what a particular admin has done, all 200 network devices have to be configured for logging and checked individually.  Furthermore, if you want to limit what your administrators can see and do, then again you have to configure all the 200 devices one by one.  As you can see, without a central mechanism this quickly becomes an operational nightmare and most likely will lead to an insecure implementation.  TACACS solves the operational and security issues related to managing network devices by centralizing the AAA functions.

In the above example, the credentials for the three admins can be configured on the TACACS server or can be pulled from an LDAP or AD server.  Once the credentials are configured, TACACS gets into action by allowing the admins access to all 200 devices using only one credential.  Furthermore, each admin can be assigned a different authorization profile centrally on the TACACS server, thus restricting what they can see and do on each router.  Finally, all of the actions of the three admins are tracked centrally.  If any of the admins leave, then it is just a simple matter of deleting one credential from the TACACS configuration instead of doing it 200 times.  So in a nutshell, TACACS allows you to centrally manage your network devices, allowing you to drastically reduce your operational and security risks.

 How does it work?

So now that we know a little about TACACS and what it is capable of doing, the next question will be how does it work.

As shown in the diagram, there are three components in a TACACS implementation: a user, a client and a TACACS server.  The user is either an administrator or a program requesting access to a network device (client), and the client is any network device that is configured to be accessed via the TACACS protocol.  The TACACS server, sometimes referred to as a network authentication server or NAS, is the server running the software components containing the AAA modules we mentioned above.  Without going into detail, the following are the main steps involved when a user or program is requesting access to a network device (client) configured with the TACACS protocol.

Step 1

A user or a program requests access to the terminal connection of a network client such as a router using the Telnet or SSH protocol.  Most networking equipment today also includes web based management access, which can also be integrated with TACACS.

Step 2

The request is then passed onto the TACACS server which in turn asks the client (router) for a username.

Step 3

The client router then responds with the username supplied by the user or program trying to connect to it.

Step 4

Once the TACACS server receives the username, it responds back with a request for a password from the client.

Step 5

The client router then responds with the password supplied by the user or program.

Step 6

The TACACS server then responds to the client router whether the supplied credentials were valid or not after which the session is established if valid credentials were entered or otherwise it is ended.
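The six steps above, together with the pre-shared key entered during the server installation in Part 2, as an added Python example (not from the original posts or from TACACS.net): a login exchange built in memory with the TACACS+ packet header and the MD5-based body obfuscation defined in RFC 8907. The session id, port name, client address and shared secret are constructed values; User1 / P@ssw0rd is the test account from Part 2.

```python
import hashlib
import hmac
import struct

TAC_PLUS_VER = 0xC0      # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
PASS, FAIL, GETUSER, GETPASS = 0x01, 0x02, 0x04, 0x05   # REPLY status codes
USERS = {b"User1": b"P@ssw0rd"}   # the local test account from the Part 2 post


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain keyed on the shared secret, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def xor_body(body, session_id, key, seq_no, version=TAC_PLUS_VER):
    """Obfuscation and de-obfuscation are the same XOR with the pseudo pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(seq_no, session_id, key, body):
    # 12-byte header: version, type, seq_no, flags, session_id, body length
    header = struct.pack("!BBBBII", TAC_PLUS_VER, TYPE_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, seq_no)


def parse_packet(packet, key):
    version, _type, seq_no, _flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    body = xor_body(packet[12:12 + length], session_id, key, seq_no, version)
    return seq_no, body


def start_body(port=b"tty2", rem_addr=b"192.0.2.10"):
    # action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN, then the
    # lengths of user, port, rem_addr and data (user is empty: server will ask)
    return bytes([1, 1, 1, 1, 0, len(port), len(rem_addr), 0]) + port + rem_addr


def reply_body(status, prompt=b"", flags=0):
    return struct.pack("!BBHH", status, flags, len(prompt), 0) + prompt


def continue_body(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def login(username, password, key, session_id=0x1A2B3C4D):
    """Run steps 2-6 in memory; return (final status, packets as sent)."""
    wire = []

    def send(seq_no, body):
        # The sender obfuscates; the receiver recovers the body with the same key.
        wire.append(build_packet(seq_no, session_id, key, body))
        return parse_packet(wire[-1], key)[1]

    send(1, start_body())                                  # step 2: router opens the session
    send(2, reply_body(GETUSER, b"Username: "))            # step 2: server asks for a username
    user = send(3, continue_body(username))[5:]            # step 3: router relays the username
    send(4, reply_body(GETPASS, b"Password: ", flags=1))   # step 4: server asks, echo off
    pwd = send(5, continue_body(password))[5:]             # step 5: router relays the password
    expected = USERS.get(user)
    ok = expected is not None and hmac.compare_digest(expected, pwd)
    final = send(6, reply_body(PASS if ok else FAIL))      # step 6: verdict
    return final[0], wire


if __name__ == "__main__":
    status, wire = login(b"User1", b"P@ssw0rd", b"constructed-shared-secret")
    print("status:", status)
    for pkt in wire:
        print(pkt[2], pkt[12:].hex())
```

The header travels in the clear and the body is only XORed with an MD5-derived pad, so anyone who holds the key and captures packet 5 recovers the password. The key therefore needs the same protection as the credentials it covers, and the management network should be restricted accordingly.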

 Summary

As we have seen, TACACS is a protocol that was invented to centralize and secure the access to network resources.  Since it was first introduced in 1984, it was adopted by the networking giant Cisco, which has added several options to it.  Today the version widely deployed is Cisco’s version of the protocol called TACACS+ or TACACS Plus.  TACACS is used to implement authentication, authorization, and accounting for networking devices and can be used to minimize the operational complexity and security related risks.

In conclusion, I strongly advise network administrators and security professionals tasked with securing networks to look into implementing a centralized AAA environment for managing network resources, either through TACACS or Radius.  There are free TACACS servers available as open source implementations as well as commercially available products that should meet the requirements of most enterprise networks.  In the second part of this series, I will be posting about the options available and configuration details.


Adding proxy configuration in Debian/Ubuntu Linux

 

This post is about how to configure proxy server settings for Linux based computers.  In most enterprise networks, access to the internet is restricted and given only through a proxy server or gateway.   Therefore in order to connect to the internet or have your Linux machine update its software packages, you need to configure the proxy server settings.

After struggling for a while to get it working, I found that there are a number of methods available for configuring proxy settings.  The two common methods are either exporting the proxy server details in your shell profile or adding a file called apt.conf in the /etc/apt/ directory.  I tried the second option and was successful in connecting to the internet and updating my Kali machine.

The exact steps I have followed are posted below:

  1. Create the apt.conf file under the /etc/apt/ directory if it does not exist already.
  2. Insert the following line in the file by editing the file
    Acquire::http::Proxy "http://proxy name or IP:port-number";
    Make sure you replace Proxy name or IP and Port-number with your own information.

    Example1:  Acquire::http::Proxy "http://192.168.111.33:8089/"; (Proxy without authentication)
    Example2:  Acquire::http::Proxy "http://user1:P@ss@192.168.111.33:8089/"; (Proxy with authentication)
  3. Save the file and exit
  4. Check if apt-get update works otherwise reboot the system and check.

Note that if your proxy uses authentication to grant access, you will have to insert your credentials in the apt.conf file as in example two above.  Since the credentials will be stored in plain text, appropriate measures must be taken to ensure that they are protected.

Below are some of the sites I have come across with good information on how to configure a proxy for Debian and Debian-based Linux distributions.

http://www.pc-freak.net/blog/aptget-proxy-making-debian-ubuntu-aptget-work-proxified-networks/

http://askubuntu.com/questions/89437/how-to-install-packages-with-apt-get-on-a-system-connected-via-proxy

Update for CentOS Configuration

The following configuration should work for CentOS and other distributions similar to RedHat.

System-wide proxy settings – add the following lines to your /etc/environment file:

# vi /etc/environment

http_proxy="http://user:password@proxysrv:8080/"
https_proxy="https://user:password@proxysrv:8080/"
ftp_proxy="ftp://user:password@proxysrv:8080/"
no_proxy=".mylan.local,.domain1.com,host1,host2"

To apply these settings without restarting the machine run the following commands on the bash shell:

export http_proxy="http://user:password@proxysrv:8080/"
export https_proxy="https://user:password@proxysrv:8080/"
export ftp_proxy="ftp://user:password@proxysrv:8080/"
export no_proxy=".mylan.local,.domain1.com,host1,host2"

You also need to configure yum:

# vi /etc/yum.conf
proxy=http://proxysrv:8080/
proxy_username=user
proxy_password=password
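The note above about credentials stored in plain text applies to apt.conf, /etc/environment and yum.conf alike. The following added Python example (not from the original post) scans a proxy configuration file for embedded passwords and reports whether every local account can read it; the sample contents are constructed from the formats shown on this page and written to temporary files.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

URL_RE = re.compile(r"""(?:https?|ftp)://[^\s"';]+""")
YUM_PASSWORD_RE = re.compile(r"^\s*proxy_password\s*=\s*\S")


def audit_proxy_file(path):
    """Return one finding per line that stores a proxy password."""
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.lstrip().startswith(("#", "//")):
                continue          # comment in shell/INI or apt.conf syntax
            # user:password@host inside a proxy URL (apt.conf, /etc/environment)
            users = [urlsplit(u).username for u in URL_RE.findall(line)
                     if urlsplit(u).password]
            # separate password option (yum.conf)
            if YUM_PASSWORD_RE.match(line):
                users.append("(yum proxy_password)")
            for user in users:
                findings.append({"line": lineno, "user": user,
                                 "world_readable": world_readable})
    return findings


def write_sample(text, mode):
    """Write constructed sample content to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


# Constructed samples in the three formats used on this page.
APT_SAMPLE = 'Acquire::http::Proxy "http://user1:P@ss@192.168.111.33:8089/";\n'
ENV_SAMPLE = ('http_proxy="http://user:password@proxysrv:8080/"\n'
              'no_proxy=".mylan.local,.domain1.com,host1,host2"\n')
YUM_SAMPLE = ("proxy=http://proxysrv:8080/\n"
              "proxy_username=user\n"
              "proxy_password=password\n")
NOAUTH_SAMPLE = 'Acquire::http::Proxy "http://192.168.111.33:8089/";\n'


if __name__ == "__main__":
    for label, text in [("apt", APT_SAMPLE), ("env", ENV_SAMPLE),
                        ("yum", YUM_SAMPLE), ("noauth", NOAUTH_SAMPLE)]:
        print(label, audit_proxy_file(write_sample(text, 0o644)))
```

A finding with world_readable set means any local account on the host can read the proxy password, which is the case to fix first, for example with a dedicated low-privilege proxy account.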