Upgrading To Graylog Enterprise

We have covered Graylog a fair bit, but to make the most of all it’s functionality we need to upgrade to an Enterprise license. Now before you start screaming “I want a FREE solution” Graylog Enterprise is free for up to 5GB of data a day, and if you are using more than that then you should be paying for it. 

First we need to create an account by going to https://www.graylog.org/downloads and completing the form shown below.

NOTE: To get your Cluster ID log in to your Graylog instance, go to the “System” Tab and select “Overview”. 

You will receive an email with contains instructions for getting your license key. Once you have your key you need to head back to Graylog and import our key. Go to the “Systems” Tab and select “License”. Then select the “Import New License” button and paste in your license.

Paste your license key here.

You will then receive a message that your instance is activated, and your license will show under installed licenses on the same page.

That’s it, we are now licensed and ready to make use of other tools. Check back for a tutorial for adding thread feeds to our Graylog server.

How To Install Nessus Vulnerability Scanner

In our previous post we showed how to download and verify the hash of the Home edition of Nessus, and here we will show how to install, setup and run your first scan. This is a very basic setup to get you up and running quickly with the free version of Nessus. If you are going to be using in a live production environment, don’t use this guide.

If you have not read the initial post go here then come back.

You should be where we left off which is just after checking our hash and confirming against the checksum as below

Get used to running the “ls” cmd to check the directory you are in and that you have access to the correct files.

We “ls” to check as mentioned above then use “dpkg -i” which will de-package and then install Nessus.

While that runs and installs we need to go back to tenable.com and get an activation code.

Fill in the details and wait for your email with the activation code.

Go back to your Terminal where the install should now have completed. Check the Window for errors and if there are none we are good to continue.

Run the following “/etc/init.d/nessusd start”

Nessus is now running, so open a browser on the same machine and go to https://localhost:8834 and you should get the login screen.

Create a Username and a Password to login  for the first time (don’t forget these!) and you will get the activation page.

Leave the scanner type, and enter your activation key which you will have received by email.

If correct you will see the next screen, now is the time to make a coffee as this stage may take some time as Nessus sets up.

Once completed you will see the “New Scan” screen.

Select New Scan as shown, then select “Basic Network Scan”. This will allow us to do a basic scan of our internal home network.

We will need to find out the IP of our network for the next step, the easiest way to do this is to use either “ifconfig” on a Linux box or “ipconfig” on a Windows box. Run this from a Terminal Window and make a note of your ip address. (This is a simple step so if unsure how to do it you really shouldn’t be installing Nessus to be honest!)

Name and description can be whatever you want, but the IP Address in the targets box needs to be the IP address you want to scan. In the example it shows “192.168.0.0-255” which means that we are going to scan every address on our network. The scan an individual host you would use a single address, for example “192.168.0.5”. Now save as shown below and you’ll go back to the main page.

To start your scan click the chevron, as outlined below, then wait for your scan to complete.

Once the scan completes, the real fun starts!

How to verify a file hash in Linux

We have recently shown how to do this in Windows so we will now show how to do this in Linux. Here we will be using Kali but it will work with most Linux distros.

We want to download the free Home Version of Nessus but want to make sure the file has not been tampered with before we install.

We browse to the download site and download the version we need but also copy the hash checksums to simple text files for comparison later. You can do this by simply copying to your clipboard and then paste into a blank text file.

We will download everything to our download folder to make things simple. Once everything is done you should have 3 files in your download folder as shown below.

Now off to the cmd line so open a Terminal and “cd” to the Downloads folder as shown, then use “ls” to list the directory to also confirm you are in the correct location and the correct files are there.

Now we run “sha256sum Nessus-7.2.0-debian6_amd64.deb”. The cmd part is “sha256sum” and the next part is just the file name you want to hash.

You should see the output of the cmd which is your file hash to compare to the one from the site that you had copied earlier.

Now copy that hash output and paste underneath the one you have from the site. We used sha256sum and so will need to compare against the sha256 checksum. 

As you can see, the highlighted one is our output, and they are a perfect match. Excellent, we can now install Nessus with confidence that it has not been tampered with or had malicious code added.

Our next post will see us install Nessus.

 

How to add SCSI drive to Ubuntu Server

While messing about in my home lab I found I needed to add a SCSI drive to a virtual machine and had no idea how to do it. Although this doesn’t have anything to do with security I’ve posted it here as I know I will definitely need to do this again at some point. Here we have already attached the new VHD to a SCSI connection in the Virtual machine management console, so the disk is physically connected but needs to be formatted, labelled, and initialised.

To list all connected disks run

ls /dev/sd*

this will return the following

If you are unsure which is the new disk, then the easiest way to check is to disconnect the new SCSI drive and run this command, then reconnect the disk and run the same command again and compare the results. The disk that wasn’t there the first time is obviously your new disk. The disks should be labelled “sd” then with a corresponding letter. The primary disk is usually “sda” with the partitions numbered – so sda1 would be the first partition on the first disk. In our example sdb is our new disk so we will be applying changes to this, if your disk is named differently then you will need top replace “sdb” with the name of your own disk in the following instructions.

Once we have identified the new disk we are ready to launch “fdisk” utility.

sudo fdisk /dev/sdb

Always look at the help menus when using new tools as it will help you gain an understanding of it rather than just blindly following instructions. Help menu is shown below

From here we type “n” for a new partition, then “p” for primary and accept all the defaults.

You must then select “w” to write and save the changes, if you don’t do this then the partition will not be created.

Now that we’ve created our partition we need to create the file system

sudo mkfs.ext3 -L DATA /dev/sdb1

The “-L” switch sets the partition label, here we have used “DATA” but you can chose anything, and we are setting it on our new partition which is “/dev/sdb1”

Now we mount the filesystem

sudo mount /dev/sdb1/DATA

To check the location is mounted we can run

Df -l

Next we make a directory

sudo mkdir /Documents

The final thing we need to do is change a configuration so that this new location is mounted every time the server is restarted.

We do this by editing the following file.

sudo nano /etc/fstab

Then add the following line as shown below. (If you named your partition differently then use your label name instead

/dev/sdb1          /Data        auto       defaults    0  0

That’s it. Check this config by restarting your machine then running the list disk, and show mounted commands again and you should see that your new partition is already mounted as shown in the screen shots below.

 

 

 

Certutil – Verify a File Hash in Windows

Welcome back, and this is a quick post on something you should 100% be doing with everything you download. You should be verifying the file hash.

Let’s cover the basics first.

A file hash is basically a file which is put through an algorithm to produce a string of characters. There are many different algorithms MD5, SHA1 and SHA256 to name a few.

In our example here we are going to download the new kali Linux Virtualbox ova file shown below. (note the hash is displayed along side, and the heading tells us which hash algorithm was used)

First we download the file and copy the hash into a text file for later. Make sure you check you have copied the whole hash, and that it is the correct hash for the file you are downloading.

Now we have our file and hash text file as below.

Now while in this folder, and without highlighting the 2 files hold SHIFT and right click on the mouse. This will bring up a menu with “open powershell window here” or “open cmd window here” if you are still on Windows 7. Select whichever option you have and the windows should open.

Next we need to confirm file names and location by simply running  “dir” as shown

Then from the same Window we run our certutil command which hashes our ova file.

Let’s quickly break down the command.

certutil -hashfile

This is the tool we are using and the command instruction

.\kali-Linux-2018.2-vbox-amd64.ova

This is the file we wish to hash

sha256

This is the hashing algorithm we want it to use.

Obviously if you don’t use the same algorithm the hashes wont match and you wont get an accurate result.

The idea is that you run the same algorithm and you should get the same result. If you don’t it means that the file has been tampered with or changed and you should not use it.

Copy the hash created in our window above and paste it into our hash file we created earlier so we can compare the two.

Excellent! A perfect match. We can now go ahead and use our file.

If a download has a hash file to check the integrity, please use it!

 

Forward Windows Firewall log to Graylog (Using nxlog)

Was just about to finish for the day when I got this working so wanted to post before I forgot lol!

We have covered how to enable Windows Firewall logging, and how to enable and install Nxlog to allow Event Logs to be forwarded into Graylog, however up to this point I hadn’t figured out how to forward Windows log files into Graylog.

It always ends up being ridiculously simple, but hey, sometimes we have to learn the hard way!

If you haven’t setup Nxlog, or enabled Windows Firewall logging then go to the relevant blogs here and here first. as we will be assuming you already have Nxlog installed and forwarding to our Graylog server.

We just have to make a simple addition to the “nxlog.conf” file located by default at “C:\Program Files (x86)\nxlog\conf”

In the image below you will see the original “<input in>” field, and below that you can see the new “Input FileWatch” field.

Complete this as shown (unless of course you have changed the default location of your filewall log file. Mine is named “FSfirewall.log” but yours may be named differently. Browse to that location and check the name of your file before trying to configure this.

Also as you can see above, you need to add the “FileWatch” directive into the Route section of the config file. This will forward the logs through our “output” directive, which points to our Graylog logging server.

That’s it. Go to “services.msc” from powershell or cmd window and restart the nxlog service.

Now head over to Graylog and you should start seeing your Windows Firewall logs. Don’t forget if this is too noisy then you can reduce the logging conditions from within Windows Firewall Console.

Enable Windows Firewall Logging

Believe it or not but the Windows Host firewall does not log by default.

Some of you may not even have it enabled, but you really should. Security in depth right? If anyone believes differently please hit me up on Twitter, always happy to debate, and be educated if better practice exists.

“How do you enable firewall logging then?” I hear you shout! Well it’s actually very easy.

Let’s jump straight in. Open Windows Firewall With Advanced Security, then select “Properties” from the right-hand side of the page.

You can see from the top tab that “Domain Profile” is the active tab. If you are not sure which profile you are using you can enable for all profiles. We are using Domain so we select “Specify logging settings for troubleshooting”

Enable both options as shown below, and note the default location for the log file. Simply copy the path so you can create a shortcut or create a new folder somewhere else which is easier to find.

Click “OK” to save and that’s it.

We will look at how we use this Firewall Log in future blogs.

Sysmon Initial Setup

Recently we have been looking at a lot of Blue Team tools to help increase both the visibility of our network, and our ability to audit events.

I recently found a great Sysmon config by @SwiftOnSecurity and decided that is was time to give it a go.

The GitHub page for the config file is here and you can download Sysmon from here: so once you have downloaded both and have extracted them to the machine you are going to use, we can get started.

For this test machine I have created a folder in the root of C:\

And this this contains to contents of the extracted zip, and the config file we downloaded separately from GitHub.

The next step is to open a Powershell window with administrator privileges and install Sysmon.

First we need to move to the correct directory, then we can list the switches/options which are available. In my case the commands are as follows (If you have named your folder differently or placed it in a different location then you will need to specify the path and name you have used)

cd C:\Sysmon
.\sysmon.exe

Then your window should look as below

Reading through these options helps to give us a better understanding of what we are doing.

In the case I am installing on a 64 bit machine and I wish to use the config XML file we downloaded from GitHub. From looking through the options we can see that our command to install with this file should be:

.\sysmon.exe -accepteula -i sysmonconfig-export.xml

Below you can see the successful install.

By default the logs are stored with the other Windows Event Logs here “C:\Windows\System32\winevt\Logs” Shown below

Lets set up a custom View in Event Viewer to make them easy to find. First open “Event Viewer” and select “Create Custom View”

Complete the top half of the Windows as shown, selecting only the Sysmon option in the dropdown:

Then complete the bottom half of the window as shown, selecting all keywords from the 2nd dropdown.

The completed window should look like this:

Then we give a name a save it.

That’s it. Now we can easily check our sysmon alerts with our custom template. As shown below.

Sysmon is one of a whole suite of applications from the Sysinternals tool set created by Mark Rissinovich and in the future we will be looking into a few more of these, along with “SysmonView”, and “SysmonShell” by nshalabi which are available  here:

 

 

Forwarding Windows Event Logs into Graylog (Nxlog)

In previous posts we have covered using rsyslog to forward logs from Linux servers into Graylog, and also how to use Trend Micro’s OSSEC to forward alert logs to Graylog from both Linux and Windows, but here we will show you how to forward Windows logs into Graylog.

We won’t be covering the use of IPSEC in this tutorial, but we will cover that in the future. If you haven’t installed Graylog yet then see the guide here:

First you’ll need to download Nxlog community edition from here:

Nxlog will facilitate the sending of your Windows logs to a logging server, which in this case is Graylog.

Once you have downloaded Nxlog it’s a one click install.

Accept the license agreement and install.

Once installed check the location of the root folder as described in the README file

If when you come to start Nxlog the service doesn’t start then this is the first thing to check.

Now we have to modify the config file located as in the README file above, named nxlog.conf.

In our test environment our Graylog server is on IP 10.1.1.57 however you will need to put the IP address of your Graylog Server instead. All the other settings can be left the same. GELF is simply the format we are telling Nxlog to use when sending the data to Graylog.

That’s it for configuring Nxlog, next is to allow Nxlog through the Windows firewall.

I hope you are using host-based firewall (security in layers right?) If you don’t know how to add a rule to Windows Firewall we will run through it very quickly here.

Open “Windows Firewall with Advanced Security” and right click “Outbound Rules” and select “New Rule”

Choose “Port”

Then “UDP”, “Specific remote ports” and type in “12201” (This is also the port specified in the Nxlog config file earlier) (CORRECTION: Image shows 11201 but this is incorrect. Should show 12201)

Allow the connection (We will cover the IPSEC connection at a later date)

Select the network Profile. (The profile your network is using. If you’re not sure then Windows Firewall will say which Firewall profile is active and that relates to your network profile. If Domain Firewall profile is active, then your network profile is domain).

Then give it a name and finish the Wizard. We still need to right click our new rule from the list and adjust a few settings.

The settings below tightens the port control a little more by us explicitly specifying the local port.

 

This locks things down a little further as we are specifying our Graylog Server by IP.

That’s it for Windows, go to “Services” , and restart Windows Firewall and then start the nxlog service.

Now we head over to Graylog to add our new input and accept the messages.

Before we do we need to open the port on our Graylog Server.

If you have been following the previous tutorials Graylog is installed on Ubuntu Server and is using ufw. The commands to open the port in this configuration is as follows. (Don’t forget that if you have chosen a different port you will need to specify that port number instead)

sudo ufw allow 12201/udp

Then check the status

sudo ufw status

Then login to Graylog’s web interface and go to “Inputs” as shown below

Select  “GELF UDP” from the dropdown and then “Launch new Input”

Select the correct node (If you only have one server then you will only have one to choose from), and complete as below except for the IP address which will be the IP of your Graylog Server.

Save then start the new input. If you receive no errors head over to the Nxlog Log file (on your Windows machine) and check for errors. (Check the README file mentioned earlier for the location).

There you have it. All done.

At this point if you have not received any messages into Graylog yet then go over to your Windows Server and restart the nxlog service. This should create a message. If not then you have either setup something wrong so retrace your steps and check through this tutorial, or if you are not receiving any errors in Graylog then it’s likely that issue is with Windows firewall. Check the nxlog file for clues. Fixing issues is where you really start to learn so don’t give up if you have issues!

 

 

 

 

Add Windows Server to OSSEC

We have already shown how to add linux servers to OSSEC, however we have not yet shown how add a Windows server.

This is just as easy as there is a Windows install package which you can get here:

Download and run the package accepting all the defaults, and you will be greeted with this.

As you can see you need the OSSEC Server IP and the Authentication key, so lets login to our OSSEC Server. Then elevate to run as root, the cd to the correct directory

sudo su
cd /var/ossec/bin/

Then to run the setup script for new clients run

./manage_agents

Select ‘a’ from the options and complete the details for the agent by adding the IP address, ID number (which will be suggested) and the name (which can be anything).

Now the agent is added we need to extract the unique key and import it to the agent server.

Select option ‘e’ then make a note of the key or paste it into a file.

When finished select ‘q’ to quit, then logout.

Back on the Windows server add these details to your OSSEC config box shown earlier and select “manage” from the top left of the pop up box and choose restart.

That’s it.