Cyberarms – Intrusion Detection

Background

Cyberarms Intrusion Detection is the second IDS product that we will be evaluating.  The first product was BF Guard.

Idealistic

As the saying goes, everything is idealistic until it gets real.

My real world came almost a week ago.  I was home that Saturday morning, having cleared my schedule.  A friend had dropped off two laptops.  There were viruses and malware to get rid of, a cluttered full hard drive to prune, and personal data to remove.

I never imagined I had similar problems until I tried connecting to one of the computers in our Lab and was faced with that now familiar error message, “exceeded maximum number of connections”.

Cyberarms

Download

Downloaded Cyberarms version 2.2 from here.

Install Files

Version 2.2 only supports 64-bit systems, and so those of us that still have 32-bit systems are out of luck.

Compressed Package

The installer is packaged as a zip file.

Extracted Files

InstallationFiles_20170615_0421PM

Installation

Screen Shot

We have two sets of Install Steps:

  1. Prerequisite
    • Visual C++ 2010 Runtime Libraries (x64)
  2. Core
    • Cyberarms Intrusion Detection

Prerequisite

Visual C++ 2010 Runtime Libraries (x64)
Outline
  1. Install Components
  2. Extract Files
  3. If “Visual C++ 2010 Runtime Libraries (x64)” already exists on the system
    • User is asked whether to remove or repair the package
  4. Runtime Installed on system

 

Install Components?

Extracting Files

Repair or Remove

Repair is Complete

Core

Outline

  1. License Agreement
  2. Select Install Folder
  3. Confirm Installation
  4. Installing…
  5. Install Complete

License Agreement

 

Select Installation Folder

 

Confirm Installation

Installing Cyberarms Intrusion Detection

 

Installation Complete

 

Configuration

Screen Shot

Settings

Settings – Lock out configuration

Explanation
  1. Set lock threshold ( unsuccessful logins )
    • By default set @ 3 unsuccessful logins
  2. Set lock duration ( minutes )
    • By default set for 20 minutes
  3. Hard lock threshold ( unsuccessful logins )
    • By default set for 10 unsuccessful logins
  4. Hard lock duration ( hours )
    • By default set for 24 hours
  5. Hard lock forever
    • Once repeated failed logins have reached the hard lock threshold, a choice on whether to lock the source out forever instead of for the hard lock duration

 

Settings – Safe Networks

Explanation
  1. Define safe networks, also known as whitelisting: sources on these networks are exempt from lock out

 

Settings – Email Notification

Explanation
  1. We indicated that we want to be notified on everything
    • Events
      • On soft lock events
      • On hard lock events
      • On unlock events
  2. Reports
    • Unfortunately, we are only in the evaluation phase and have yet to allocate money for a paid version.
      Therefore, no Reports yet.

Settings – SMTP Configuration

Explanation
  1. Enter Email Addresses
    • Sender address
    • Recipient address
  2. SMTP server
    • SMTP Server
  3. SMTP/SSL Port
    • 25
  4. Use SSL for communication
  5. This server requires authentication
    • Username & Password

Agents

Agents – TLS/SSL Security Agent

Because Terminal Services is the lone service that we are exposing and securing via Active Directory on this box, it is the only service that we enable.

Original Screen

Revised Screen

Explanation
  1. Override Configuration
    • Check
  2. Enable this Security Agent
    • Check
  3. Extended Configuration
    • RdpPort
      • Keep port 3389 if you have left Terminal Services running on its default port

 

Usage

We tried connecting through RDP from a few boxes and intentionally entered a wrong password.

 

Security Log

 

Explanation

The following information is logged:

  1. Intrusion #1
    • Type :- Intrusion
    • Latest Entry :- Date
    • IP Address :- z.y.x.w
    • Message :- TLS/SSL Security Agent: Possible intrusion attempt.

 

Email Notifications

Outline

  1. We have attached a couple of emails
    • Our Inbox filtered to show messages from Cyberarms IDDS
    • Test Email Notification
    • Soft Lock Notification
    • Hard Lock Notification

 

Inbox

Message – Test Message

Message – Soft Lock

Message – Hard Lock

 

Summary

Cyberarms Intrusion Detection is a very strong, well-engineered product.

It capably identifies intrusion attempts by monitoring the Windows event logs seen in Event Viewer.

The newest version requires an x64 based system, and for those still running a 32-bit OS that might be an impediment.

 


BFGuard – Day 2

Background

In this post we actually start BFGuard and try to connect to the host from other workstations.

 

Target OS

Here are the Windows operating systems that we will use for this exercise:

  1. Server
    • Windows Server 2012 R2
  2. Client
    • Windows Server 2012 R2
    • Windows 7

What we saw

BF Guard

BF Guard – Application

Scenario – After 1 failed Login

BF Guard – Application – Statistics

Explanation
  1. ip
    • Count :- 1
    • Date :- 2016-06-15 15:34:13
      • Time in GMT, not local time

 

Scenario – After Numerous failed Logins

BF Guard – Application – Statistics

Explanation
  1. ip
    • Count :- 7
    • Date :- 2016-06-15 16:47:18
      • Time in GMT, not local time

 

BF Guard – Application – Log entries

Explanation
  1. @ 2017-06-15 09:47:39
    • – Auto blocking IP: for: 54864000 minutes

 

BF Guard – Application – Blocked IP

Explanation
  1. IP Address
    • IP Address :-
    • From :- 2017-06-15 09:47:39
    • To      :- 2017-06-15 10:47:39
    • City    :- Blocked

 

OS – Windows

Windows Logs

Windows Logs – Security

Windows Logs – Security – Filter

Here we filter for “Audit Failure“.

Windows Logs – Security – Logs

And, here are the events captured.

 

Windows Logs – Security – Log – Detailed

Windows Logs – Security – Log – Detailed- Event ID = 4625
Image

 

Explanation
  1. Subject
    • Security SID :- NULL SID
      • Since the account we tried to log in with is not known to the targeted computer or to Active Directory, we get “NULL SID”
    • Logon ID :-  0x0
      • Again, an unknown Logon ID
  2. Logon Type
    • Our Logon Type is 3
      • Logon Type = 3
        • Network
  3. Account for which Logon Failed
    • Security SID :- NULL SID
    • Account Name :- bobsmith
    • Account Domain :- LAB
  4. Failure Information
    • Failure Reason :- unknown username or password
    • Status :- 0xC00006D
    • Sub Status :- 0xC0000064
  5. Process Information
    • Caller Process ID :- 0x0
      • Remote Caller Process is not known
    • Caller Process Name :-
      • Remote Caller Process is not known
  6. Network Information
    • Workstation Name :- ASTSQL01
    • Source Network Address :-
      • Network Address not passed in
    • Source Port :-
      • Network Port not passed in
  7. Detailed Authentication Information
    • Logon Process :- NtlmSsp
    • Authentication Package :- NTLM
  8. Summary
    • Log Name :- Security
    • Source :- Microsoft Windows security
    • Event ID:- 4625
    • Task Category :- Logon
    • Keywords :- Audit Failure
    • Computer :- Host attempted for logon

 

OS – Windows Firewall

Reviewed the server’s Windows Firewall to see how it is configured for “Remote Desktop“.

 

Explanation

  1. Remote Desktop configured as:
    • Domain :- Yes
    • Home/Work :- Yes
    • Public :- No
    • Group Policy – Yes

 

Summary

Unfortunately, Windows was not able to capture the incoming IP Address.

BF Guard was thus unable to read the IP Address from the Windows Logs.

Because of this inability, it is not able to re-configure the local Windows Firewall and have it start blocking the Source IP Address.
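
As an added example (not code from this post, from Cyberarms or from BF Guard), here is the soft/hard lock logic the Cyberarms settings describe, run over constructed 4625 message bodies in the layout walked through above: decisions are keyed on Source Network Address and, when that field is “-” as in the event here, fall back to Workstation Name and are flagged as not firewall-enforceable, which is the gap this summary describes. The thresholds are the post's defaults; the account, workstation and address values are constructed.

```python
from datetime import datetime, timedelta

# Cyberarms defaults quoted in the post: soft lock after 3 failures for 20 minutes,
# hard lock after 10 failures for 24 hours (or forever, if that option is chosen).
SOFT_THRESHOLD, SOFT_LOCK = 3, timedelta(minutes=20)
HARD_THRESHOLD, HARD_LOCK = 10, timedelta(hours=24)

def sample_event(account, workstation, source_ip):
    """Constructed, abridged 4625 message body in the layout Event Viewer shows."""
    return ("An account failed to log on.\n"
            f"Account Name:\t{account}\nAccount Domain:\tLAB\n"
            "Failure Reason:\tUnknown user name or bad password.\nSub Status:\t0xC0000064\n"
            f"Workstation Name:\t{workstation}\nSource Network Address:\t{source_ip}\n"
            "Logon Process:\tNtLmSsp\nAuthentication Package:\tNTLM\n")

def parse_4625(text):
    """Extract the fields the post walks through; a '-' value means the client did
    not pass it in (the Source Network Address case on this page) and becomes None."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # a repeated key (subject vs. target account) resolves to the last one
            fields[key.strip()] = None if value.strip() in ("", "-") else value.strip()
    return {"account": fields.get("Account Name"),
            "workstation": fields.get("Workstation Name"),
            "source_ip": fields.get("Source Network Address"),
            "sub_status": fields.get("Sub Status")}

def evaluate(events, hard_lock_forever=False):
    """Walk (timestamp, parsed event) pairs in time order and return lock decisions
    as (level, key, locked_until, blockable). A failure with no source IP is keyed
    on Workstation Name and marked blockable=False: it can be reported and emailed,
    but there is no address to put into a firewall rule (the gap in the summary)."""
    failures, decisions = {}, []
    for ts, ev in sorted(events, key=lambda pair: pair[0]):
        blockable = ev["source_ip"] is not None
        key = ev["source_ip"] if blockable else ev["workstation"]
        count = failures[key] = failures.get(key, 0) + 1
        if count == HARD_THRESHOLD:
            until = None if hard_lock_forever else ts + HARD_LOCK
            decisions.append(("hard", key, until, blockable))
        elif count == SOFT_THRESHOLD:
            decisions.append(("soft", key, ts + SOFT_LOCK, blockable))
    return decisions

def demo(hard_lock_forever=False):
    """Constructed timeline: 3 failures from a client that sent its address
    (192.0.2.10, a documentation-range placeholder), then 10 from one that did not."""
    start = datetime(2017, 6, 15, 9, 30)
    events = [(start + timedelta(minutes=i),
               parse_4625(sample_event("bobsmith", "WS-A", "192.0.2.10"))) for i in range(3)]
    events += [(start + timedelta(minutes=5 + i),
                parse_4625(sample_event("bobsmith", "ASTSQL01", "-"))) for i in range(10)]
    return evaluate(events, hard_lock_forever)

if __name__ == "__main__":
    for level, key, until, blockable in demo():
        print(f"{level} lock on {key} until {until}; firewall-enforceable: {blockable}")
```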

 

BFGuard – Day 1

Background

Googled online to identify steps to take for securing MS Windows Terminal Services.

One of the tools mentioned is BFGuard.

BFGuard

What is BFGuard?

BFGuard stands for “Brute Force Guard”.

How does it work?

It principally monitors the local machine’s event log.  The relevant log file in this case is the “Security Log“.

Upon finding entries that indicate failed logins, correlative data is gathered.  Obvious correlative data includes username and IP Address.

Once the configured maximum number of failed attempts is reached, the specific IP Address is blacklisted.

Download

Please download the free tool from here.

Screen Shots Please

Log Entries

BFGuard_Free_LogEntries_20170615_0629AM

Blocked IP

BFGuard_Free_BlockedIP_20170615_0633PM

WhiteList

BFGuard_Free_WhiteList_20170615_0635AM

Statistics

BFGuard_Free_Statistics_20170615_0638AM

Functionalities

From the screen shots here are the functionalities offered:

  1. A listing of “Blocked IPs”
  2. Ability to whitelist specific IP Addresses
  3. Statistics on each connected IP Address

 

Summary

Wanted to introduce the product.

In the days ahead we will revisit and update our post.

“Simple TCP/IP Services” – Network Utilization

Background

My ISP has been charging us extra since they started metering our Network Usage.

A couple of weeks ago I installed GlassWire & NetBalancer.

Let us see how well they help us identify which hosts and processes are victimizing us.

 

Trouble Shooting

GlassWire

Image

Explanation

  1. Time Span
    • Weekly
      • Graph
        • Application :- Other
          • Download :- 26.4 Mb
          • Upload :- 30.1 GB
        • Microsoft One Drive
          • Download :- 20.7 Mb
          • Upload :- 284 MB
        • IIS Worker Process
          • Download :- 2.3 Mb
          • Upload :- 19 KB

 

Microsoft

Resource Monitor

Images

Image #1

Explanation
  1. Address
    • IP Address :- 71-47-51-11.res.bhn.net
      • 294KB
    • 153-46.vf.cgocable.ca
      • 204KB
    • ns2.teleturbo.net.br
      • 185 KB
    • r75-110-95-142.kntnccmtc01*suddenlink.net
      • 103 KB
    • 128.199.81.122
      • 42 KB
    • 109.95.233.71
      • 21 KB
    • 217-210-7-122-no149.tbcn.telia.com
      • 19 KB
    • ip-176-198-97-236.hsi05.unitymediagroup.de
      • 13 KB
  2. Listening Port
    • TCPSVCS.EXE
      • Port 19

 

Image #2

Explanation
  1. Processes with Network Activity
    • TCPSVCS.EXE
      • Send
        • 1.4 MB/sec
      • Receive
        • 375 Bytes/sec
  2. Listening Port
    • TCPSVCS.EXE
      • Port 7
      • Port 9
      • Port 13

NetBalancer

Image

Explanation

  1. TCPSVCS.EXE
    • Down Rate
      • 30.4 KB/sec
    • Up Rate
      • 767.6 KB/sec
    • Connections
      • 24
    • Downloaded
      • 14.0 MB
    • Uploaded
      • 318.3 MB
    • User
      • SYSTEM

 

Remediation

Microsoft

Services Applet

We will stop and disable the following services:

  1. Simple TCP/IP Services
    • simptcp
    • Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day
    • C:\Windows\System32\tcpsvcs.exe

Image

 

Netbios Over TCP/IP – Yea Or Nay

Background

I had an insomnia night last week, and so I took to the laptop wanting to troubleshoot an issue.

As part of that troubleshooting exercise I knew the network traffic pattern might be pertinent.

Wireshark

Network Traffic

Here is a sample of what I noticed while capturing network traffic.

Image

 

Explanation

Noticed a lot of name resolution traffic.

The protocols that line up with name resolution issues are DNS & NBNS.

DNS stands for Domain Name Server and NBNS stands for Netbios Name Server.

 

Netbios Name Server ( NBNS )

Though we are running Windows, it is no longer a NetBEUI world.

Strictly TCP/IP.

Review Configuration

Let us review our Network Configuration on specific adapters.

As I am currently on wireless, let us focus on just the Wireless Adapter.

GUI

Here is how to do so through the GUI.

Wireless Network Connection 2

Advanced TCP/IP Settings – WINS
Image

 

Explanation

Currently, we are set to receive NetBIOS Settings from the DHCP Server; that appears to be the default MS Windows Setting.

 

Command Line Shell

And, here are a couple of options to do so via the Command Line Shell.

ipconfig

Script

ipconfig /all

Output

Explanation

NetBIOS over Tcpip is Enabled

WMI – Query – Win32_NetworkAdapterConfiguration

Script


REM - Target host; "." means the local computer
set _hostname=.

REM - Properties to report; TcpipNetbiosOptions holds the NetBIOS over TCP/IP setting (0 = from DHCP, 1 = enabled, 2 = disabled)
set _propList=DHCP*,IPAddress,DefaultIPGateway,DNSDomainSuffixSearchOrder,DNSEnabledForWINSResolution,DNSServerSearchOrder,TcpipNetbiosOptions

REM - Build the PowerShell pipeline; the caret stops cmd from treating the pipe as its own
set _command=Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName %_hostname% ^| Select-Object -Property %_propList%

REM - Quote the whole command once so cmd hands it to PowerShell intact
powershell -NoProfile -Command "%_command%"

Output

Explanation

  1. TcpipNetbiosOptions
    • 0
      • Default setting; recall that the default is to take the NetBIOS setting from the DHCP server

 

WMI – Set – Win32_NetworkAdapterConfiguration

Let us use wmic with the nicconfig alias, calling the SetTcpipNetbios method and passing along argument 2.

Remember that 2 means NetBIOS over TCP/IP is disabled.

Please pass along the right index, as well.

Each NIC Card has an index and it is displayed when one queries the Network Configuration.

Script

REM - Use NetBIOS setting from the DHCP server
set _netbiosSettingDHCPServer=0

REM - Enable NetBIOS over TCP/IP
set _netbiosSettingEnabled=1

REM - Disable NetBIOS over TCP/IP
set _netbiosSettingDisabled=2

REM - Index of the adapter to change; take it from the Index column of "wmic nicconfig get Index,Description"
set _index=15

REM - Disable NetBIOS over TCP/IP (argument 2) on that one adapter
wmic nicconfig where index=%_index% call SetTcpipNetbios %_netbiosSettingDisabled%

Image

 

Confirmed Change

GUI
Image

Console
Image – ipconfig /all

Wireshark – Take 2

Network Traffic

Went back to Wireshark and took another trace.

Image

Explanation

Noticed a slew of NBNS Traffic targeted at our DNS Server.

BTW, our local DNS Servers are set for “Recursion Desired“.

That way they can forward unresolved Name Resolution traffic to our ISP…Which will be most of the requests we get.

 

Remediation

Connected to each of our internal DNS Servers and disabled Netbeui Name Resolution on the NIC Cards, as well.

 

Windows DHCP

If we had a Windows DHCP Server, we would have disabled that option on the DHCP Scope, as well.

 

Wireless Access Point ( WAP )

I doubt that our Wireless Access Point supports DHCP and so will skip that step for now.

 


GlassWire on Windows 7

Background

The other Network Monitoring tool that we found on the Net is GlassWire.

Unfortunately, it is not going to be much help for our Lab, as the currently available versions do not support MS Windows 2003; and most of our Lab servers run that OS.

 

Download & Install

Downloaded GlassWire from here.

Though I cannot install it on our Lab Servers, I went ahead and installed it on my work laptop.

 

Usage

Eye Candy

The tool is stunning eye candy.

It makes one forget the reason for installing it in the first place.

 

Usage

Day ( Monday April 3rd 2017)

Image

Usage_Day_20170403_0602PM (BrushedUp)

 

Explanation

Got off work @ 5 PM

  1. And, already ate up 1.3 GB of Network IO
    • 1.2 GB incoming
    • 143 MB outgoing
  2. Apps
    • Google Chrome (99% )
    • Remote Desktop
    • SQL Server
    • Reporting Services Service
  3. Hosts
    • where else but googlevideo.com ( better known as youtube)
  4. Traffic Type
    • HTTPS ( 90% )
    • HTTP ( 10% )

 

Week ( Monday March 27th to April 3rd 2017)

Image

Usage_Week_20170327_12AM__20170403_0621PM (Cropped Up)

 

Explanation

Between a week back and today, here is what our stats look like:

  1. And, already ate up 1.3 GB of Network IO
    • 5.9 GB incoming
    • 532 MB outgoing
  2. Apps
    • Google Chrome ( 72% )
    • Mozilla Firefox ( 25% )
    • SQL Server Windows NT
    • SSMS
    • Reporting Services Service
  3. Hosts
    • vimeovideo
    • where else but googlevideo.com ( better known as youtube)
    • akamai
  4. Traffic Type
    • HTTPS ( 77% )
    • HTTP ( 10% )
    • Other ( 8.5% )
    • SQL ( 3% )

 

Summary

GlassWire is very capable and it is easily accessible.

NetBalancer – v5.2 – Windows Server 2003

Background

Confessionally, I am stuck on MS Windows 2003 on my Lab computers.

I like it and it works well.

Just like that other guy who stayed on Windows XP.

 

ISP

Paying Me

Either way, my ISP has been letting me know that I only have 2 months' grace.

And, after this last month, they will be charging me every time I go over my allotted network usage.

 

ISP Help

Tried to get them to help me to locate which server, what type of traffic, and which hosts I was talking to.

But, 3rd level support, kept asking me to just go up to next tier.

And, lest I forget, they also wanted me to get off my router and get on theirs.

 

Tools for Computer Network Monitoring

MS Windows 2008 comes with a nice Resource Monitor tool that allows one to monitor Network Usage at the individual process level.

Again, unfortunately, MS Windows 2003 does not come with Resource Monitor.

 

Networking Monitoring for Windows 2003

Thankfully found NetBalancer by SeriousBit.

 

 

NetBalancer

Download List

Here is the download list for NetBalancer from here.

 

Version

v5.2.1

Unfortunately, for MS Windows 2003, I have to use v5.2.1.

 

Downloaded & Installed

Downloaded & Installed it.

 

Usage

 

DNS

System Traffic

Image

Explanation
  1. Please review Current, Average, Maximum, Total
    • Broken down by Download & Upload
  2. Process Name
    • svchost.exe

 

Process Info

Image

 

Explanation
  1. Name :- dns.exe
  2. Version :- 5.2.3790.4957 (srv03_sp2_gdr)
  3. File Creation Time :- 1/30/2012 4:39:57 AM
  4. Company :- Microsoft Corporation
  5. Started at :- 4/2/2017 9:00:11 PM
  6. Parent :- services.exe ( 488 )

Connections

Image

Explanation
  1. TCP
    • We are listening on one of the Ports
  2. UDP
    • We have several UDP ports just waiting to be used

 

TroubleShooting

Stats

Count Number of Ports assigned to DNS

Code

netstat -anb | find /I /C "dns.exe"

( -a lists all connections and listening ports, -n shows numeric addresses, and -b maps each to its executable; -b needs an elevated command prompt. )

Output

Configuration

How many DNS ports are we configured for?

Code

dnscmd /Info /SocketPoolSize

Output

 

Summary

It does not seem that the DNS Server is the source of our network hog.