Thread: Running Kali on Corporate Domain

  1. #1
    Join Date
    2016-Aug
    Location
    Anchorage, AK
    Posts
    16

    Running Kali on Corporate Domain

    Hello all,

    It's been a while since I have posted, but I could use some input. After several recent attacks on our company network I have decided to deploy Kali on a few PCs in order to do some security testing and monitoring. Firstly, has anyone here deployed Kali on a company domain, and if so what challenges did you run into? I can already see the Windows Active Directory giving me at least a few problems, but I fully expect that. Additionally, is there any advice on this topic prior to diving into this task? I have just finished building the PC, please see below for specs:

    Motherboard: ASUS M4A78LT-M
    Processor: AMD (I'll post make later)
    RAM: 14GB
    Storage: 1x 1TB (Win 7 Pro), 1x 1TB (Kali) 1x 1TB (Data/Storage) - 3TB total
    Optical: 2x DVD-RW

    The plan is to use this machine primarily as a diagnostic machine, but additionally I would like to be able to scan our network for intrusions. We have had several attacks prior to me taking over this position, including ransomware (to which the ransom was paid!). Since my employment, I have stopped several attacks but I can't always get to the infected PCs as I am providing administration to remote locations as well. Ideally I would like to identify our weak points (some of which I have already identified) and mitigate those vulnerabilities. Any feedback is welcome.

  2. #2
    Join Date
    2013-Apr
    Location
    Kali forums
    Posts
    805
    I'm currently running Kali in a corp environment. Had to get a static IP for the Kali box, and whitelist it so that IDS/IPS wouldn't flag it as malicious. More a policy thing, but before I embark on any security testing, I notify the networking, programming, & infrastructure staff of the dates & times of my test, along with the IP address of my Kali box.

    A couple things I do are: running scheduled scans using OpenVAS, and use cron entries to nmap various subnets. Don't neglect monitoring your wireless network, if you have it; Kismet and/or airodump-ng are great for that.

    I'd start locking down outbound traffic at your perimeter firewall. This will help contain data exfiltration & any malware "phone home" behavior.
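    As an added example (not the poster's own code), one way to make the cron-driven nmap scans described above actionable: parse two greppable-format (-oG) scan outputs, a stored baseline and the latest run, and report only the ports that newly appeared. The scan output below is constructed inline; in practice the cron job would write the latest scan to a file.

```python
# Constructed sample of nmap greppable (-oG) output: a stored baseline
# and a later cron run against the same subnet.
BASELINE = """\
Host: 10.0.5.10 (fileserver)\tStatus: Up
Host: 10.0.5.10 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 10.0.5.20 (web01)\tStatus: Up
Host: 10.0.5.20 (web01)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
"""
LATEST = """\
Host: 10.0.5.10 (fileserver)\tStatus: Up
Host: 10.0.5.10 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 10.0.5.20 (web01)\tStatus: Up
Host: 10.0.5.20 (web01)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 10.0.5.77 ()\tStatus: Up
Host: 10.0.5.77 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
"""

def parse_open_ports(grepable):
    """Return {ip: {(port, proto), ...}} for ports reported open in -oG output."""
    hosts = {}
    for line in grepable.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(","):
                # -oG port entry: port/state/proto/owner/service/rpc/version
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open":
                    hosts.setdefault(ip, set()).add((int(parts[0]), parts[2]))
    return hosts

def new_open_ports(baseline, latest):
    """Ports open in `latest` but not in `baseline`, keyed by host.
    A host missing from the baseline is reported with all its open ports."""
    old, new = parse_open_ports(baseline), parse_open_ports(latest)
    diff = {}
    for ip, ports in new.items():
        added = sorted(ports - old.get(ip, set()))
        if added:
            diff[ip] = added
    return diff

if __name__ == "__main__":
    for ip, ports in new_open_ports(BASELINE, LATEST).items():
        print(f"{ip}: newly open {ports}")
```

A new host or a new listening port on a known host is what this reports; ports that closed since the baseline are deliberately not flagged, since those rarely indicate an intrusion.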

  3. #3
    Join Date
    2016-Oct
    Location
    /dev/sda
    Posts
    1,012
    I'm running LAMP with L being kali-linux. Security testing tools in kali help you to analyze vulnerabilities. There is nothing challenging if you know how to use them professionally and not like a beginner. It's sad to hear that you became the victim of ransomware. There was a chance that the attacker might refuse to give you the decryption key after paying him bitcoin. Always keep a backup of your database. That's the easiest way to recover from ransomware.

  4. #4
    Join Date
    2016-Aug
    Location
    Anchorage, AK
    Posts
    16
    Quote Originally Posted by _defalt:
    I'm running LAMP with L being kali-linux. Security testing tools in kali help you to analyze vulnerabilities. There is nothing challenging if you know how to use them professionally and not like a beginner. It's sad to hear that you became the victim of ransomware. There was a chance that the attacker might refuse to give you the decryption key after paying him bitcoin. Always keep a backup of your database. That's the easiest way to recover from ransomware.
    It's sad, this company has been running without backup/disaster recovery for far longer than they are willing to admit. One of my first questions when I started was 'what is our disaster recovery plan/policy', to which I received an embarrassed look and 'we don't have one'. I have had so much cleanup to do since I started, and am currently the only line of defense against intruders. I have successfully stopped all of the recent attacks, with the exception of a successful phishing attack in which the target revealed sensitive information to someone outside of our domain who then filed a good chunk of our employees' tax returns. It's things like this that I would like to monitor and investigate, as this company has become a target, largely because of its lack of security. In the short amount of time that I've been with this company I have made major improvements to our physical security, as well as our network. But end-user training is the only thing that is going to protect against phishing, and right now it is a touchy subject and I have been told to put off doing any training on it until emotions calm down. Personally I think it would be better to do it while it is fresh in everyone's mind, but I gotta make the boss happy I guess.

  5. #5
    Join Date
    2013-Apr
    Location
    Kali forums
    Posts
    805
    Holy cow, my sympathies, Captain Redbeard. I'm surprised there hasn't been an employee revolt after the tax problem. Congrats on hanging in there, in what is obviously a very difficult environment! I agree completely: end-user training must be done while all these problems are fresh...the employees will retain it better.

    My guess is the bad guys have traded info & know your company is susceptible, so they are hammering you with attacks. Forgive my fatalism, but how many more successful attacks can the company take? Do you think upper management would be amenable to hiring more security staff to assist you?

  6. #6
    Join Date
    2016-Oct
    Location
    /dev/sda
    Posts
    1,012
    You should guide your management about zero day attacks. No security tool can analyze zero day exploits. To prevent phishing attacks you need to set up a proxy server running Kali on it. Then you can scan the entire traffic and block whatever you find illegitimate. You should also install a Root CA certificate on your corporate PCs to decrypt https traffic for deep packet inspection.

    Can't you replace Windows with Linux entirely on every employee's PC? This would make them less vulnerable to attacks. I will always suggest a Linux server over a Windows server.

  7. #7
    Join Date
    2016-Aug
    Location
    Anchorage, AK
    Posts
    16
    Quote Originally Posted by grid:
    Holy cow, my sympathies, Captain Redbeard. I'm surprised there hasn't been an employee revolt after the tax problem. Congrats on hanging in there, in what is obviously a very difficult environment! I agree completely: end-user training must be done while all these problems are fresh...the employees will retain it better.

    My guess is the bad guys have traded info & know your company is susceptible, so they are hammering you with attacks. Forgive my fatalism, but how many more successful attacks can the company take? Do you think upper management would be amenable to hiring more security staff to assist you?
    My suspicions have been that it was indeed an inside job. They really don't seem to want to give me or anybody else too many details, and judging by the way in which the two IT guys that I replaced left I'd bet my money that one of them leaked our lack of security to the wrong people or were a part of it. As for hiring more staff, I would love some help but don't want to bring anybody on until I can sort out the mess that was left behind by past IT guys. Our documentation is a mess, and I have literally had to dive in and figure everything out by getting my hands dirty, reverse engineering, and basically getting my hands dirty. No simple feat.

    Quote Originally Posted by _defalt:
    You should guide your management about zero day attacks. No security tool can analyze zero day exploits. To prevent phishing attacks you need to set up a proxy server running Kali on it. Then you can scan the entire traffic and block whatever you find illegitimate. You should also install a Root CA certificate on your corporate PCs to decrypt https traffic for deep packet inspection.

    Can't you replace Windows with Linux entirely on every employee's PC? This would make them less vulnerable to attacks. I will always suggest a Linux server over a Windows server.
    My management team works entirely from a lack of understanding, a deep-seated fear of change, and the old adage: "if it ain't broke, don't fix it". While you and I can easily see that their system is flawed/broke, convincing them is going to take some time. I would love to convince them to rid themselves of this flawed Windows environment and go total Linux, but I have to prove just how advantageous that would be first. My first step is adding several Linux devices to our current network and getting interest piqued. Next, when we decide to upgrade our server platform I plan to give a very detailed presentation on how going Linux can mitigate our current challenges while saving us money. We are currently running Windows Server 2012, so I imagine that conversation will take place sooner rather than later.

    The proxy server is a great idea! I will run that past my managers and see if I can get the green light to deploy. How difficult will that be to deploy on our current Windows setup?

  8. #8
    Join Date
    2016-Oct
    Location
    /dev/sda
    Posts
    1,012
    This site https://serverfault.com deals with corporate and business networks and their security. I really want you to have experts answer this. You can ask these questions there or even search whether they already exist.

    Setting up a proxy server is very easy for both Windows and Linux but you have to deploy the firewall in it for deep packet inspection. I don't remember the exact guide to set it up but you will find one with a little searching at Server Fault.

  9. #9
    Join Date
    2013-Apr
    Location
    Kali forums
    Posts
    805
    Oh yuck, insider threat is always the worst! Depending on how much evidence you have, it's worth considering a lawsuit against these past employees. You definitely have a big task on your hands. Hope you can get some help soon.

  10. #10
    Join Date
    2016-Aug
    Location
    Anchorage, AK
    Posts
    16
    Quote Originally Posted by _defalt:
    This site https://serverfault.com deals with corporate and business networks and their security. I really want you to have experts answer this. You can ask these questions there or even search whether they already exist.

    Setting up a proxy server is very easy for both Windows and Linux but you have to deploy the firewall in it for deep packet inspection. I don't remember the exact guide to set it up but you will find one with a little searching at Server Fault.
    We use a Dell SonicWall as our firewall. As far as I know it has a Linux configuration that I can download for any Linux machines that we deploy. I will definitely check out serverfault. I know I've read an article or two on their site before.

    Quote Originally Posted by grid:
    Oh yuck, insider threat is always the worst! Depending on how much evidence you have, it's worth considering a lawsuit against these past employees. You definitely have a big task on your hands. Hope you can get some help soon.
    As I said, it's just a suspicion and I have nothing to back it up. Especially since they haven't let me do any digging on the matter. Mostly because I've only been here a little over three months. What I have uncovered is that the phisher was using a very obvious gmail address, reinforcing the need for end-user training in a very bad way! I put together a 20 slide PowerPoint on the topic, but have been asked to hold off until emotions calm down a bit. I have complied, but I have not held my tongue when approached by people asking my opinion on the matter. That's really the best I can do until they greenlight my presentation.

    Thank you both for the input. I'm sure I will have more questions down the line, as it is going to be a while before I convince them that this is the best course of action for this company. The proxy server is my starting point, and I'm sure that upon successful deployment I can prove to them that this will be a huge benefit if deployed company-wide. I just need to wait for the right moments.

  11. #11
    Join Date
    2016-Oct
    Location
    /dev/sda
    Posts
    1,012
    If you replace Windows with Linux on your company PCs and server, phishing attacks and ransomware will reduce to a good extent. However your database can still be tampered with and stolen, so installing only a Linux server is not enough.
    Last edited by _defalt; 2017-04-10 at 15:59.

  12. #12
    Join Date
    2013-Apr
    Location
    Kali forums
    Posts
    805
    No problem, Captain Redbeard. Hope things work out.

  13. #13
    One thing you need to make sure you're doing is always collecting evidence. It must be regular practice to retain logs for a period of time if they're ever to be viable for evidence in court.

    As far as Kali... I believe you should use the right tool for the right job. You might find SIFT Workstation more directly what you need as it's directly from the Digital Forensics & Incident Response site. It's free from SANS. (https://digital-forensics.sans.org/community/downloads) Also keep in mind Nessus scanning requires a license for businesses, it's roughly $1500.

    Basically you just need to install Ubuntu and run this: wget --quiet -O - https://raw.github.com/sans-dfir/sif...r/bootstrap.sh | sudo bash -s -- -i -s -y

    Hardening Tips:
    Install and use application firewalls like Snort and audit your router/firewall configurations. Audit host-based firewalls for ingress/egress filtering and set up alerts for firewall changes. For example, a web server that is not used as a fileserver... block ingress and egress port 445. Block other basic intranet-only protocols if the server is also in a DMZ. Enforce functional accounts for processes instead of using local admin accounts. Create accounts that run simply as a service to prevent lateral movement if a compromise is to happen. Monitor everything! Successful/failed login attempts and where they originate from. You should use a central log monitoring/analytics application and create different views for Web/Authentications/Firewalls/VPN Authentications/DHCP Assignments/DNS Lookups. You can also use these views to help marketing for any web views and key points of interest. Monitoring your web-facing components can also help you determine if your web presence is being crawled or someone is using BurpSuite/dirbuster/wfuzz brute-force style detection against your hosts for information gathering.

    If they're not logging everything, they should be. Check out a log analysis app like Splunk or other free alternatives. Personally I dig Splunk and I'm a certified admin for it but there's a bunch of open source alternatives you could look into. http://www.infoworld.com/article/306...-analysis.html I think 500MB is free to index to start. You could first get all your authentications logging to Splunk and see where your indexing needs are. If your company gives you a green-light to move forward, you can expand and add more logging to the splunk server w/ forwarders.

    Without knowing more, that's about all I got.
    For hosts that may have been compromised, there are powershell scripts out there to gather forensic evidence.
    https://github.com/gfoss/PSRecon

    SIFT has a bunch of IR Tools... check out Live Response as well. You can gather memory dumps and review tons of metadata w/ Volatility to determine who authenticated, which accounts, where from etc... For example, there's a mimikatz plugin in Volatility that will extract the user login and credentials from a memory dump of a cmd.exe process. This DOC should guide you in the right direction, good luck on your security endeavors sir!
    https://www.sans.org/reading-room/wh...wershell-34302
    Last edited by sicinthemind; 2017-04-16 at 20:51.
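    As an added example (not the poster's code), the kind of view the hardening tips above suggest for web-facing hosts: a detector that reads Apache combined-format access log lines and flags a source that drew 404s for many distinct paths within a short window, the signature of dirbuster/wfuzz-style directory enumeration. The log lines below are constructed; the window and threshold are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format access log lines (not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [16/Apr/2017:20:10:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2017:20:10:09 +0000] "GET /old-page HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Apr/2017:20:11:00 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [16/Apr/2017:20:11:00 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [16/Apr/2017:20:11:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [16/Apr/2017:20:11:01 +0000] "GET /.git/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [16/Apr/2017:20:11:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [16/Apr/2017:20:11:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def find_enumeration(log_text, window_s=60, min_404_paths=5):
    """Flag source IPs that received 404s for at least `min_404_paths` distinct
    paths inside any `window_s`-second span. Returns {ip: peak distinct count}."""
    misses = defaultdict(list)  # ip -> [(time, path)] for 404 responses only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 404:
            misses[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):  # sliding window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, len({p for _, p in events[start:end + 1]}))
        if peak >= min_404_paths:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, count in find_enumeration(ACCESS_LOG).items():
        print(f"{ip}: {count} distinct missing paths within 60 s")
```

Counting distinct paths rather than raw 404s keeps a single broken link that users keep hitting from tripping the alert; the same logic drops straight into a Splunk-style scheduled search once the logs are centralised.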
