NetForensics 3.1 - Defy the basics
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: NetForensics 3.1 - Defy the basics

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883

    NetForensics 3.1 - Defy the basics

    One of the things that I'm doing is evaluating an enterprise forensic solution. For those who are doing the same, here is what I found right off the bat with NetForensics 3.1:

    SETUP
    ==============================
    RedHat Advanced Server 9
    Dell PowerEdge 2650
    2 GIG RAM
    73GIG SCSI drives x 2

    SNIFFER
    ==============================
    Ethereal .9.11

    INITIAL DISQUALIFYING RESULTS
    ==============================
    The NetForensics box passes, username, password hash and user rights level in the clear.

    Anyway, since this is supposed to be a security product and since it would be housing all of our logs, I'd have to say that this initial finding removes it from the list of viable solutions, at least for shops that take security seriously.

    Hope this saves someone some time. I know that if we had this info from the start, we wouldn't have even bothered to ask for a demo.

    PS
    We pumped 8 records per second to the box and it was at about 98% utilization. Hate to see what would happen if I directed my firewall logs at this thing

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Hoss: You are $hitting me, right?.... that info in clear on a security box.....

    I suppose you have looked at their site and seen all the awards they have on the front page..... Makes you wonder how those people evaluate security products.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yes, no ****. I can throw the packet dump in here if anyone cares to take a peak. Also, after looking further, I see that with the proper XML code, I can monitor all events realtime because the database does not authenticate a damn thing.

    LOL!!!

    WooHOO!! Got my hammer out today!!! **EVIL grin*
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It makes you wonder how they can put up a page like this really, doesn't it! Along with all the awards they list here I'd like to know if anyone has even done as basic a test as you have.......

    If they had a clue as to the MO of a cracker they would know that step 2 after successful compromise is to cover your tracks. If the db authenticates nothing can I assume that it doesn't authenticate queries, delete queries to be precise? That being the case their phrase "Provides a SECURE, SCALABLE and FAULT TOLERANT solution for managing security data for key government infrastructures" is deeply rooted in BS.

    Final question..... They have been working with COACT for six months for the purpose of EAL2 designation - is there a chance they would get it with this build of the software? 'Cos if they can it doesn't say a lot for EAL2.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    We should promote the W3C to deity status and pray to them to make bad people like these to go to the great big pit of discarded junkware in the ground.
    $person!=$kiddie or die(\"Alas, die you hotmail hacker!!\");
    SecureVision

  6. #6
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    I say this as a joke and with a smile.... but wouldn't it be nifty to get a list of their cutomer base and go to each one and charge 300 an hour to "clean" up their security holes?????

    I have been wanting a new cutom built cycle.... hmmm
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  7. #7
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    Im sure they would all agree
    $person!=$kiddie or die(\"Alas, die you hotmail hacker!!\");
    SecureVision

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Here is a snip of the dump. I tried this 6 times and the password hash never changes. Note the username, password and access level are all here...clear text!

    <password xsi:type="xsd:string">adpexzg3FUZAk</password>
    <timeZone xsi:type="xsd:string">EST</timeZone>
    <updatedBy xsi:type="xsd:string">none</updatedBy>
    <userId xsi:type="xsd:string">admin</userId>
    <userName xsi:type="xsd:string">Admin User</userName>
    <userType xsi:type="xsd:int">1</userType>
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    So...... Correct me if I'm wrong here..... With a password hash that never changes all I need to do is have a packet crafted ready to insert into the stream and begin a normal login stream. At the appropriate moment I should be able to inject the authentication information and it would be accepted? From this point onwards I am an admin of the system for the remainder of the session?

    That seems too easy..... I'm not really into the "breaking" part of this.... I work more on perimeter security than internal due to my user base.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    LOL, you don't even have to do that. I just figured out that the database engine does not auth a damn thing. What does this mean? It means that I can monitor realtime events on the box as they happen. If I'm an evil mean hax0r, I can probe the network to see what is logged and what isn't. After some recon of this type, I can plan a stealthy attack and no one would know the better.

    I have informed NetForensics about these problems. I have received no oral or written comment other than 4 bug tracking tickets from their helpdesk. Needless to say, my eval of the product is over .

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •