SIEM: Windows Client Monitoring with Splunk

at 8:18 AM Tuesday, September 8, 2020 0 comments

In our previous article, we have covered with Splunk master server setup with a brief demonstration of Dashboard setup or Log monitoring you can visit that article from here. Once done with a complete server setup we need to focus on how to bring the logs from the network environment into Splunk for indexing. We are going to import data from the client machine or a network of 100 or 1000’s of pc into the Splunk server that we setuped previously and what else needs to be indexed.

Now let us see how to forward the logs or Data from client-server to Splunk Enterprise.

Table of Content
·         Prerequisites
·         Configure a receiving on Splunk Enterprise
·         Configure the receiver using command line
·         Configure receiver using configuration file
·         Environment
·         Download and install Universal Forwarder
·         Configure Universal Forwarder to send data Splunk Enterprise
·         Windows Log Monitoring
·         Threat monitoring

Prerequisites
To configure Splunk universal Forwarder on your client-server, there are some prerequisites required for installation.
§  Windows, Linux systems, or cloud servers with admin access.
§  Splunk Universal forwarder
§  Attacker: Kali Linux

Configure a Receiving on Splunk Enterprise
On your Splunk Dashboard you must configure an indexer to receive data before you can send data to it. If you did not do this, then your data not going anywhere.
Use Splunk web interface to configure a receiver for Splunk-to-Splunk (S2S) communication. To do this follow the below steps
·         Log into Splunk web using your credentials
·         On Splunk web go to Settings > Forwarding and Receiving



·         Select “configure Receiving”.


·         Verify the existing ports are open or not. If there are no ports available, then add a port also you cannot create a duplicate receiver port. The most suitable receiver port on indexers is port 9997.
·         Select “New receiving port.”


·         Add a port number and save and do not forget to verify that port is available or not reserved to any other service or instance.


·         Check the status for receiving port, it should enable for listening the traffic.


Alternative method: Configure a receiver using the command line
Use the command-line interface with Admin privilege in windows 10 or terminal with root user to configure a receiver for S2S communications. To do this follow the steps as described below.
·         Open a shell with admin rights or terminal with root user
·         Change the path to $SPLUNK_HOME/bin
·         (For Linux) Type:
./splunk enable listen 9997 -auth admin:password
·         (For windows) Type:
Splunk enable listen 9997 -auth admin: password
·         Restart Splunk for the changes to take effect by going into Splunk web interface setting > server control > restart Splunk.
or
Alternative method: Configure a receiver using a Configuration file
For windows

Configure an inputs.conf file for S2S communication:

·         Open a shell prompt
·         Change the path to $SPLUNK_HOME/etc/system/local
·         Edit the inputs.conf file.
·         Edit the input.conf file with [ splunktcp ] stanza and define the receiving port. Example:
[splunktcp://9997]
disabled = 0
·         Save the file.
·         Restart Splunk to take effect of the saved changes.

For Linux

Open the Splunk forwarder directory wherever it installs and locate the file named input.conf and make changes as described above or as per your requirements.

Environment
In this blog, we will target to install a Splunk Universal Forwarder on a Windows Machine or server. You can download Splunk forwarder by following the below link.

https://www.splunk.com/en_us/download/universal-forwarder.html

Choose your installation package

·         Create a Splunk Account and download Splunk universal forwarder for Windows version by the given above link.
·         We choose Windows 10 64 bit .msi Package for the installation in windows. You can choose it as per your system requirements.


Or also for Linux systems, you can go with the options are available to download on the Splunk website by drop down the option Linux then select and download package as per your choice as shown below.


Install Splunk Universal Forwarder on Windows 10

To install Universal forwarder into your operating systems, follow the steps as described below:

Visit the Splunk official website and select and download universal forwarder for Windows 10 .msi file. It will download a Zip file into your downloads as shown below.


When it gets downloaded open it and start the installation process and accept the license agreement then go to customize options as shown below:


Further, select the installation directory wherever you want to install it as shown below


Further, it will ask you to for an SSL certificate for the encryption with your encryption key if you do not have the SSL certificate then don’t worry forwarded Splunk data will still be encrypted with the default Splunk certificate all you need to do is go with Next option.


On the next dialogue you will have two options:

·         Local System. If you specify the Local System user during the installation process, the universal forwarder can access all your data on that is available on your local system or forwarded to this machine.

·         Domain account. This option installs the forwarder as the Windows user specifies this lets you collect logs and metrics from remote machines as well as local and forwarded data. You can set the permissions of account in the next dialogue, as a local administrator or a reduced privilege user It does not collect data from resources that the Windows user does not have access to.

So, we go with the option Local Systems and Install the forwarder as a Local account to do any of the following:

·         Read Event Logs remotely
·         It Collects all your system performance counters remotely
·         Read network shares for log files
·         It can Access the Active Directory schema, using Active Directory monitoring if you select it


Then, it will ask you to select the applications or log files that you want to forward to Splunk Enterprise or receiver and then proceed with the next option as shown below.



 In the next dialogue, it will ask you to create credentials for the administrator account to encrypt all your files on Splunk Enterprise.



On the next dialogue, it will be (optional) to configure your forwarder as a deployment server if you choose it then enter the hostname or IP address and management port for your deployment server and click next
 In my case, I will leave it blank and prefer to go with the next option.

On the next dialogue setup Receiving indexer by entering the Hostname or IP and port as shown below




And then finally select option Install it will install Splunk forwarder in your windows environment



After that finish, the installation process.




Let’s verify the output.conf file to check is it forwarded to the Receiver or not.
To do this follow the steps as described below.
Go to file manager and open the directory where Splunk Universal forwarder installed.



Open the file SplunkUniversalForwarder file and then open the output.conf file it will be found in under etc > system > local


By opening it we can verify it either it is redirected to the correct IP or not as entered during the installation process if not you can make changes by editing it.


Configure Universal Forwarder to Send Data to Splunk Enterprise

Open CMD as Admin privilege and follow the steps described below:

cd c:\Program Files\SplunkUniversalForwarder
cd bin
splunk add-forward-server 192.168.0.196:9997
splunk enable eventlog system
splunk restart


Congratulations! You have successfully added Windows as a client

Let’s check what happens to the Splunk GUI interface is it added or not


As you can see our client is successfully added
Now search your client into Search and reporting application by simply running a query index=”main”


Windows Log Monitoring

Let’s check it shows or not suspicious activity happened on our client end

To do this I m going take RDP session of my client


Now I have an RDP session of my Client let’s check what happens on Splunk web


Whoa! It works 😊
Great!
Now you can Dig down deeper it with running search Queries.

Threat Monitoring
Let’s monitor what illegal or suspicious activity happens on your client end or server
To do this I m going to perform a brute-force attack with the help of an Attacker machine: Kali Linux
To perform this attack run the following command below.

hydra -L user.txt -P pass.txt 192.168.0.196 ssh

where 192.168.0.196 is my client-server IP


Let’s check what happens to Splunk web
hold tight! It’s gonna a little bit special
Run a Query in the Application search and Reporting “sshd: session” and then see


Owsm! AS we can see it have multiple invalid logins Attempts of invalid user
 Now you can monitor your whole Environment by using these steps.

Let’s end here.
Labels:

Understanding the CSRF Vulnerability (A Beginner’s Guide)

at 1:21 PM Sunday, September 6, 2020 0 comments

You always change your account’s password when you desire for, but what, if your password is changed whenever the attacker wants, and that if when you are not aware with it?  Today in this article, we’ll learn the basic concepts about CSRF attacks or how an attacker forces the user to execute some unwanted actions that they(user) never intended to.

Table of content
·         What are cookies and Session ID?
·         What is an SOP?
·         Introduction to CSRF attacks
·         Impact of CSRF vulnerability.
·         Manipulating user-account details
·         CSRF over Change Password
·         CSRF over Bank Transfer.
·         Mitigation steps.

What are cookies and Session ID?
Before jumping into CSRF attacks and how such attacks are executed, we need to understand some important terminologies that somewhere or the other empowers the applications to be secure.

Cookies

Cookies are basically some small text files with a maximum of size 4KB that are stored over on the client’s browser in the form of name-value pair. Cookies are majorly used to track or monitor the client’s activity on the web application and even stores some sensitive data such as username, session ID’s, password preferences, etc, which thus can be sent back to the server for an authentication request.

Session ID’s

Similar to the cookies, sessions are some small files too, but they are generated and stored at the server’s end. Each session is associated with a session ID. Whenever a user logs in, thus a session is created with a session ID, thereby this session ID blends up into the cookie and stored at the client’s browser and thus passed back to the web server whenever the browser makes an HTTP request.
So whenever the client logs out or the browser is closed, these sessions are terminated. And with every new login, a new session with a session ID is generated.

Let’s make this more clear with the following case scenario –

When a new user creates up his account over the web-application, the following procedure happens


Now, when the user visits some other section of the same application, the session ID stored over in the user’s browser is sent to the server for validation.



What is an SOP?
SOP is an abbreviation for Same-Origin Policy which is one of the most important concepts in the web application security model. Under this policy, a web browser permits scripts contained in a first web page to access data in a second web page, but this occurs only when both the web pages are running over on the same port, protocol and origin.
For example –

Say the web-page  “https://www.ignitetechnologies.com/ceh/module1.pdf” can directly access the content at “https://www.ignitetechnologies.com/network/RDP/module7.docx”.
But it can not access the data from “https://www.ignitetechnologies.com:8080/bug/xss.pdf”. As the port has been changed between the two now.

Introduction to CSRF Attacks
CSRF is an abbreviation for Cross-Site Request Forgery, also known as Client-Site Request Forgery and even somewhere you’ll hear it as a one-click attack or session riding or Hostile Linking or even XSRF, basically over in this attack, the attacker forces a user to execute unwanted actions on a web application in which they’re currently authenticated.

To be more clear, let’s check out the following case scenario –

Here the user “Aarti” receives a mail from the attacker, while she was doing a bank transfer to Mr Raj Chandel’s account. She left the transaction incomplete and checks her mail over in the new tab.
There she got the generic URL, with a content stating that “You’ve received an amount as a reward”. Now, as she opens the URL in the next tab, she got the Grab button there. The transaction page was over in the other tab and this malicious page is on the next one. As soon as, she hits the submit button, the query executes up and the amount has been deducted from Aarti’s account without her knowledge, or concern.




Impact of CSRF vulnerability
CSRF is an attack that forces the victim or the user to execute a malicious request on the server on behalf of the attacker. Although CSRF attacks are not meant to steal any sensitive data as the attacker wouldn't receive any response as whatever the victim does but this vulnerability is defined as it causes a state change on the server, such as –
·         Changing the victim’s email address or password.
·         Purchasing anything.
·         Making a bank transaction.
·         Explicitly logging out the user from his account.
Therefore, this vulnerability was listed as one of the OWASP Top10 in 2013. And thereby now has been reported with a CVSS Score of “6.8” with “Medium” severity under
·         CWE-352: Cross-Site Request Forgery (CSRF)

CSRF Exploitation

Let’s Start!!

For this section, I’ve used bWAPP the vulnerable web-application and created an account with the user Raj : ignite to login inside the webserver.


Manipulating user-account details
Over in the above image, you can see that for creating a new user, the user “Raj” has set his secret value as “who are you”, now if he wants to change this secret value, he can change it from here.


But what, if his secret value gets changed with the attacker’s desired value without his knowledge?
Let’s check it out how!!

Let’s open the target IP in our browser, and we will set the “Choose Your Bug” option to Cross-Site-Request-Forgery (Change Secret).

Here, we’ll be redirected to the web-page which is suffering from the CSRF vulnerability, where you can see that we’re having the option to change the secret value.



Now, let’s “hit the change button and capture the passing HTTP Request.

Form the below image, you can see we have successfully captured the request. Time to create a Fake HTML form, to accomplish this, do a right-click anywhere on the screen and select the engagement tools further hit the Generate CSRF PoC option.



This CSRF PoC generator will automatically generate an HTML form page. Now, click on Copy HTML in order to copy the entire HTML code, further past the copied data into a text file.


Great!! Let’s manipulate the secret value=“” parameter with “hackingarticles” and then we’ll save this file as “csrf.html”. Moreover, we need to set the user name “Raj” as for whom the secret value will get changed.


Now, we’ll use the social engineering technique to share this csrf.html file to the targeted user.

As soon as the victim Raj opens up this csrf.html, there he will get a submit button, as he clicks over it, his secret will get changed without his (victim) knowledge.


From the below image, you can see that he got the message as “The secret has been changed !”, over with this similar way a successful CSRF attack can even change up the email addresses, usernames and the other personal information of the user.



CSRF over Change Password form

“Change Your Password” feature is almost offered by every web-application, but many times the applications fail to provide the security measurements over such sections. So let’s try to exploit this “Change Password” feature over with the CSRF vulnerability, which is one of the most impactful CRSF attacks where the user’s password will get changed without his knowledge.

Back into the “Choose Your Bug” option select the Cross-Site-Request-Forgery (Change Password) and hit hack button.


Now, let’s again “fire up the Change button and capture the passing HTTP Request over in the Burpsuite.

Form the below image, you can see that we have successfully captured the request. Let’s follow up the same procedure to generate a “forged HTML form”.


Now, click on Copy HTML in order to copy the entire HTML code, further past the copied data into a new text file.



Once we’ve pasted the HTML code, let’s now add the new password value (attacker’s password) and the confirm password value, and then save the text document as csrf.html



Now, we’ll again use the social engineering technique to share this csrf.html file to the targeted user.

As soon as the victim opens up this csrf.html, there he will get a confirm button, as he clicks over it, the password will get changed without his knowledge.


From the below image, you can see that the CSRF attack changes the old password set by user “Raj”.


Cool !! Now when he(victim) tries to login with the old password, he’ll get the error message.



CSRF over Bank Transfer
“You might have heard some scenarios where the money is deducted from the victim’s bank account without his/her knowledge, or a fraud has been taken place where the victim receives an email and as soon as he opens it up his back account gets empty.”

Wonder how CSRF is related to all this? Let’s check out the following attack scenario.

Login inside bWAPP again, then choose the next vulnerability Cross-Site Request Forgery (Transfer Amount) and click on the hack button.

Over in the below screenshot, you can see that the user “Raj” is having only 1000 EUR in his account.



Let’s try to transfer some amount from this, as the account number is already there in the filed.

The procedure for the CSRF attack is similar as above, use burp suite to capture the sent request of the browser and then share the request over on the Engagement tools section.


Again it will create an HTML form automatically for intercepted data. Simply click on Copy HTML and paste it into a text file.


Great!! Time to manipulate the value“” field, add amount “200” (attacker’s desired amount) which to be transferred, save the text document as csrf.html and then share it with the targeted user.


As soon as the victim open’s this file up, and hit the submit button, the amount (entered by the attacker) will be transferred, without his (victim) knowledge.


From the given screenshot, you can see that the amount is left 800 EUR in user’s account which means 200 EUR has been deducted from his account.

Thereby over with such basic techniques, the attacker can make major changes over on the victim’s account.


CSRF Drawbacks

1.       The CRSF attack is having a major drawback, as these attacks are only successful when the attacker knows which parameter and what values are blended in the HTML form.
2.       And even these attacks need some good social engineering technique as sometimes the HTML forms require earlier used values as “Current Password” to change up the new password one.



Mitigation Steps
·        The developers should implement the use of “Anti-CSRF tokens”
·        Use of Same-Site cookies attributes for session cookies, which can only be sent if the request is being made from the origin related to the cookie (not cross-domain).
·         Do not use GET requests for state changing operations.
·         Identifying Source Origin (via Origin/Referer header)
·         One-time Token should be implemented for the defence of User Interaction based CSRF.
·         Secure against XSS attacks, as any XSS can be used to defeat all CSRF mitigation techniques!

Source :
           
https://owasp.org/www-community/attacks/csrf
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
Labels:
Subscribe to: Comments (Atom)