
A Security Auditing Framework and Evaluation Template for Advocacy Groups

Guide

License

SAFETAG resources are available under a Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) License

The audit framework and checklist may be used and shared for educational, non-commercial, not-for-profit purposes, with attribution to Internews. Users are free to modify and distribute content under conditions listed in the license.

The audit framework and checklist are intended as reference material, and the authors take no responsibility for the safety and security of persons using them in a personal or professional capacity.

Attribution for content from other Licenses

Usage of "SAFETAG"

SAFETAG is itself a framework and template for organizational audits. As such, audits performed which use or adapt SAFETAG materials may be referred to as "adapting the SAFETAG methodology" or "based on the SAFETAG framework", and similar phrasings, but may NOT be called "SAFETAG audits".

This is not intended to imply that an audit using any or all of the SAFETAG materials needs to refer to SAFETAG at all.

This usage policy does not affect the distribution of SAFETAG materials, covered in the license statement above.

Introduction

The Security Auditing Framework and Evaluation Template for Advocacy Groups (SAFETAG) is a professional audit framework that adapts traditional penetration testing and risk assessment methodologies to be relevant to small, non-profit, human rights organizations based or operating in the developing world.

SAFETAG is based upon a set of principles, activities, and best practices to allow digital security auditors to best support at-risk organizations by working with them to identify the risks they face, the next steps they need to take to address them, and guidance on how to seek out support in the future.

SAFETAG audits are targeted at serving small scale civil society organizations or independent media houses who have strong digital security concerns but do not have the funds to afford a traditional digital security audit. The traditional security-audit framework is based upon the assumption that an organization has the time, money, and capacity to aim for as close to perfect security as possible. Low-income at-risk groups have none of these luxuries. These audits are both far too expensive, and produce output that is too complex for these organizations to act upon.

SAFETAG uses a customized combination of selected assessment activities derived from standards in the security auditing world and best-practices for working with small scale at-risk organizations to provide organization driven risk assessment and mitigation consultation. SAFETAG auditors lead an organizational risk modeling process that helps staff and leadership take an institutional lens on their digital security problems, conduct a targeted digital security audit to expose vulnerabilities that impact the vital processes and assets identified, and provide post-audit reporting and follow up that helps the organization and staff identify the training and technical support that they need to address needs identified in the audit, and in the future.

[email protected] | https://safetag.org

The SAFETAG Audit Framework Core

The SAFETAG audit consists of multiple information gathering and confirmation steps, as well as research and capacity-building exercises with staff, organized in a collection of objectives. Each objective supports the core goals of SAFETAG: creating a risk assessment while also building the capacity of the organization.

These objectives provide collections of approaches and activities to gather and verify information through both technical and interactive/social methods, to assess and build capacity, and targeted exercises with walk-through instructions for many of these.

These are not meant to be a "checklist" or even a prescribed set of actions -- indeed, experienced auditors will deviate strongly from many of the specific activities. These provide a focused "minimal set" of activities only.

Indeed, many objectives and their specific exercises overlap or can be done together -- on-site interviews with staff can coincide with assessing their devices and keeping one's eyes open for physical security issues. The data assessment exercises may provide enough information that other staff engagements are unnecessary.

The Life Cycle of an Audit

[Figure: SAFETAG Activities]

The audit process is very cyclical. Newly identified threats, vulnerabilities, capabilities, and barriers impact activities that have been run and those that have yet to be run. At the same time the auditor, through conversations, training, and group activities, is actively building the organization's agency and addressing time-sensitive or critical threats that can be handled within the time frame. This iterative process eventually leads to a point where the auditor is confident they have identified the critical issues and low hanging fruit, and is confident the organization is capable of moving forward with their recommendations.

Each objective requires a certain base of information, and outputs more information into this cyclical process. Each objective has a "map" of the data flow that it and its specific activities provide, based on this overall map:

[Figure: SAFETAG Data Flow]

While more completely defined below in the Risk Assessment and Agency Building sections, a brief overview of the data flow components:

To make SAFETAG approachable, a core evaluation template which links together a series of specific objectives, each with a variety of linked activities, that contribute towards the goals and their required information needs is represented here. Experienced Auditors will likely come up with their own approaches, and the SAFETAG project welcomes such contributions.

Risk Assessment & Analysis

Functionally, SAFETAG is a digital risk assessment framework. Risk assessment is a systematic approach to identifying and assessing risks associated with hazards and human activities. SAFETAG focuses this approach on digital security risks. A SAFETAG audit will work to collect the following types of information in order to assess the risks an organization faces.

Risk is the current assessment of the possibility of harmful events occurring. Risk is assessed by comparing the threats an actor faces with their vulnerabilities, and their capacity to respond to or mitigate emergent threats.

The SAFETAG evaluation revolves around collecting enough information to identify and assess the various risks that an organization and its related actors face, so that they can take action strategically.

[Figure: The Risk Equation]

Program Analysis

Program analysis identifies the priority objectives of the organization and determines its capacities. This process exposes the activities, actors, and capacities of an organization.

Activities

Definition: The practices and interactions that the organization carries out in order to accomplish their goals.

Example: This includes any activity that the organization carries out to accomplish its goals and those that allow the organization to function (publishing, payment, fund-raising, outreach, interviewing.)

Actors

Definition: The staff, volunteers, partners, beneficiaries, donors, and adversaries associated with the organization.

Example: The core organizational staff; the volunteers; maintenance, cleaning, security, or other non-critical staff; the partner organizations; the individuals and groups that the organization provides services to; groups of unorganized individuals who are opposed to the organization's aims; and governmental and non-governmental high-power agents and organizations that are opposed to the organization's aims.

Vulnerability analysis

Understand the organisation’s exposure to threats, points of weakness and the ways in which the organisation may be affected.

Vulnerability

Definition: An attribute or feature that makes an entity, asset, system, or network susceptible to a given threat.

Example: This can include poorly built or unmaintained hardware, software, or offices as well as missing, ignored, or poor policies or practices around security.

Threat Analysis

Threat analysis is the process of identifying possible attackers and gathering background information about the capability of those attackers to threaten the organization. The basis of this information is a potential threat actor's history of carrying out specific threats, their current capability to carry out those threats, and evidence that the threat actor has the intent to leverage resources against the target.

Threat

Definition: A threat is a possible attack or occurrence that has the potential to harm life, information, operations, the environment, and/or property.

Example: Threats can range from fire, or flood, to targeted malware, physical harassment, or phishing attacks.

Threat History

Definition: What types of threats has the attacker used historically? And what types of actors have been targeted by those threats?

Example:

Threat Capability

Definition: The means that the attacker has to carry out threats against the organization.

Example: This includes, but is not limited to technical skill, financial support, number of staff hours, and legal power.

Threat Intent

Definition: The level of desire for the attacker to carry out threats against the organization.

Example: Intent can be goals or outcomes that the adversary seeks; consequences the adversary seeks to avoid; and how strongly the adversary seeks to achieve those outcomes and/or avoid those consequences.

Agency Building

SAFETAG differs from many risk assessment tools because it aims to build the host's and staff's capacity so that they are able to address the risks that the auditor has identified. SAFETAG is designed to provide in-audit activities and training that increase an organization's agency to seek out and address security challenges within their organization. To do this an auditor must collect information that allows them to identify organizational areas of strength and weakness (expertise, finance, willingness to learn, staff time, etc.).

A common refrain among auditors, software developers and other specialists in this sector is that digital security is not about technology; it is about people. This is undeniably true, and even the previous SAFETAG modules — despite their more direct fixation on technology — acknowledge this insight by emphasizing the educational and persuasive roles played by your findings report.

Capacity

Definition: The combination of strengths, attributes and resources available within the organization that can be used to reduce the impact or likelihood of threats.

Example: This includes, but is not limited to technical skill, financial support, staff and management time, relationships, and legal power.

Barriers

Definition: The combination of weaknesses, assumptions, regulations, social or cultural practices, and obligations that get in the way of an organization implementing an effective digital security practice.

Example: Examples can include a lack of funding, lack of authority within an organization to mandate practices to their staff, resistance to change, high staff turnover, or digital illiteracy.

Operational Security

"Also be aware that local groups may not be able to accurately gauge the safety of their communications with you. Sometimes they underestimate the likelihood of risk - at other times, they can wildly overestimate the risk. Either way, trainers need to navigate these issues carefully and respectfully with a "do no harm" approach that respects the reported needs, context, and experiences of your local contact and potential trainees." - Needs Assessment: Level-Up 1

Summary

Below are the baseline operational security guidelines for a SAFETAG audit. Activity specific operational security guidelines are contained within each activity.

Purpose

An audit uncovers an array of sensitive information about an organization. For some at-risk populations the mere act of getting a digital security audit can increase their likelihood of being actively attacked by an adversary. The foundation of the SAFETAG process is the goal of increasing the safety of the host organization, its staff, and the auditor. It is vital that an auditor weigh the possible risk an audit may incur for the organization or the auditor against the possible outcomes of the audit.

Approaches

Resources

SAFETAG Methods

Preparation

Summary

This component consists of trip preparation activities that are needed to ensure the technical and facilitated components of the audit are able to be conducted effectively and within the on-site time-frame and in coordination with the organization.

Purpose

A SAFETAG audit has a short time frame. Preparation is vital to ensure that time on the ground is not spent negotiating over the audit scope, updating the auditor's systems, searching for missing hardware, or refreshing oneself with the SAFETAG framework. To that end, negotiations with the host organization help reveal whether the organization has the capacity to undertake the audit and respond to its findings.

Guiding Questions

The Flow of Information

[Figure: Preparation Information Flow]

Approaches

Outputs

Operational Security

Resources

Facilitation Preparation

Password Dictionary Creation

Other Pre-Engagement Resources

Incident Handling Resources

Data Security Standards

Sensitive Data & Information Guides

Activities

Assessment Plan

Summary

This component allows an auditor and host to come to an understanding of the level of access that an auditor will have, what is off limits, and the process for modifying the scope of the audit when new information arises. This component consists of a process where the auditor collaboratively creates an assessment plan with key members of the organization.

A core tenet of SAFETAG is building agency in organizations to improve their digital security. To that end, collaboratively creating an assessment plan with the organization helps to clarify not only the audit scope - from discussing what sensitive data may be exposed to what systems may be disrupted in the process of the audit - but it also helps reveal the ability of the organization to support and respond to the audit findings.

Walkthrough

Auditors are encouraged to use, or at least reference, the SAFETAG Agreement Generator, a Python script which provides a decision tree covering the above points and builds a basic, clear-language agreement which can be translated and formalized as needed. Sample outputs and a diagram of the full decision tree are available in the "outputs" folder of the Agreement Generator repository. This replaces the draft agreement previously part of SAFETAG.

Recommendation

Confidentiality Agreement

Summary

Negotiate an agreement with the organization that outlines how an auditor will protect the privacy of the organization and the outcomes of the audit.

Walkthrough

See the Appendix for a DRAFT Engagement and Confidentiality Agreement. See also the in-progress SAFETAG Agreement Generator for more advanced and flexible "plain language" agreement text and guidance on selecting which clauses to include.

Recommendation

Incident Response and Emergency Contact

Summary

Establish a procedure for incident handling and an emergency contact in the event that the auditor causes or uncovers an incident during the course of the assessment.


Travel Checklist

See the Appendix for a sample travel kit / checklist.

Password Dictionary Creation

See the Appendix for creating a password dictionary.

Audit Timeline and Planning

Review these notes in preparation for the audit as you begin to map out your schedule. This provides a rough, suggested outline of how to schedule your time on site for a SAFETAG audit, and some reminders of the work you need to have completed before arriving in country.

Prepare for Uncertainty

The SAFETAG roadmap is a crisp, clear data flow of inputs to outputs. Reality, generally speaking, is less direct. There are a few core parts of the audit process that force action, but others are more flexible. Outcomes of your discussions and exploration of the network will also de-rail the process in impossible-to-predict ways. The pre-audit interviews and your own context research, research on the organization, and preparation are meant to give you the best possible idea of what situation you'll walk into, but even with all of that, frankly, shit happens.

Before Travel

First Day

Priorities for the first day include meeting staff (even, possibly especially, for the more technical auditor). There is a strong temptation to dive in and get started, but establishing connections with the staff - especially those you haven't met through interviews - is key. You may discover hidden sources of talent or resistance, historical information, and new parts of the infrastructure or practices and policies that you may not have yet found.

Early steps

From a data-gathering point of view, the first steps are to try to access the wireless network by password guessing, but also to connect to the network and capture traffic for analysis overnight. This provides other views on the actual technology and services used on the network, different both from the management and IT view and from the tools discussed by staff.

First or Second day

Further Days (on Location)

The next day you're on location, you have hopefully looked through the research data you gathered, and have some specific follow-up things to investigate. It's also now time to start going through the audit tasks.

Final Day (on Location)

Exploration and check-ins

Throughout the entire audit, aggressively make time to engage with staff - stop for coffee, eat lunch with them, have conversations. This can be integrated into other parts of the process, such as the user device assessments, as well as being completely independent and natural. Having better connections with staff will make the group exercises, especially the risk assessment work, flow much better.

Whenever you set off a scan (airodump, nmap, openvas...) is a good time to stand up and walk around.

Debrief and Setting Expectations

Largely covered in the [debrief section], making time at the end of the (often hectic) audit week is very important to making sure the next few steps are absolutely clear in terms of timelines and communication protocols.

Clean up

If you have been using paper or post-it notes during the audit, be sure you securely destroy them (by shredding, burning, or tearing into small pieces) before you leave the site on the last day. By the same token, any digital reports should be stored on secure media and securely deleted from all other locations. See the operational security section and per-item notes for further details. Clean off any whiteboards used, and check any camera used to remove sensitive photos.

Follow up care and Reporting

See the reporting sections for specific details here, but a series of check-ins with the organization to support their ability to respond to any incidents, understand further topics from the debrief, and to help provide them a timeline to expect the final report is valuable in maintaining their engagement post-audit to support the needed changes.

Context Research

Summary

This component allows the auditor to identify the relevant regional and technological context needed to provide a safe and informed SAFETAG audit. This component consists of desk research that is collected and analyzed by the auditor, as well as inputs from the Interview component.

Purpose

Analysis of context is the foundation of effective risk management. Both at-risk organizations and auditors will develop assumptions based upon their experience. It is important that an audit is based on information that is current and accurate.

Checking the assumptions both of the organization and of the auditor by researching the current regional and technological context will ensure that an auditor is basing their work on accurate assessments of the conditions the organization faces and that they are making informed operational security considerations.

The Flow of Information

[Figure: Information Flow]

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Other Context Analysis Methodologies

Threats to the Auditor

Have aid workers faced retribution for their work in the region?

Is it safe to do digital security work in the region?

Is the area safe to travel to?

Targeted Threats for the organization

Is the group facing any legal threats because of its work?

Does the organization face any targeted threats because of their work?

General Threats for the organization

What general non-governmental threats does the organization face?

What cyber-security practices is the government using?

What general cyber-security threats is the organization facing?

What level of technology is available in the region?

Activities

Conduct Interviews

NOTE: Covered in full under Capacity Assessment

Regional Context Research

Summary

This exercise focuses on research and re-confirmation of regional issues from general trends to specific legal restrictions and safety concerns, as well as current news and persistent challenges.

Walkthrough

Cross-check reports on regional threats facing organizations with their focus area.

Identify any legal risks associated with conducting the audit, including those around secure communications and storage, network forensics, device exploitation, and digital security training.

Identify any infrastructural barriers to adopting digital security practices.

Explore the security landscape of hardware and software identified in interviews by conducting a basic vulnerability analysis.

Technical Context Research

Summary

This exercise focuses on research into the technical capacity of potential threat actors, including both historical attack data and any indicators of changes to their capacity. Auditors are encouraged to create a summary of their findings for inclusion in the audit report and for sharing (if operational security and the agreement with the organization permits) among trusted networks.

Walkthrough

Thoroughly research the technical attack history for the country/region, with a focus on identifying attacks which may focus on the work of the organization. Auditors are advised to track both capability (known attacks and tools) and intent (attempts to acquire tools, changes in policies, public statements). For auditors who intend to share their research efforts, it is incredibly useful to include key quotes and data directly in the relevant sections of this document, providing a reference or link back to the original report. This allows future reviewers to more immediately understand your assessment, what it has and has not included, and to incorporate new material.

It is useful to sort the research into categories:

Keep a separate running list for:

* Targeted Populations (Are specific types of people targeted/surveilled due to their identity/race/background?)
* Targeted Activities (Are specific activities abnormally targeted, e.g. protests, calls for government transparency, etc.?)
* Sensitive Events (Are there specific historic/anniversary/holiday dates, upcoming elections (https://www.ndi.org/elections-calendar), or other known events to be noted?)
* Sources and New Additions (What resources have you found?)

If the country(ies) of interest are in the Freedom on the Net report, you will be able to gather a great deal of baseline information across all the sections by reading through the relevant country reports. The key internet controls found in the Freedom on the Net report (https://freedomhouse.org/report/key-internet-controls-table-2016) guided many of the categories used here, reducing the effort required to create a baseline report. More advanced reporting could include references to the CAPEC (Common Attack Pattern Enumeration and Classification) taxonomy, and auditors may also be interested in leveraging the STIX standard to better automate sharing and further research into specific threats using threat information sharing platforms.

Additional organizations which regularly release in-depth, digital-security-focused country reports, and which are strongly recommended reading when creating an assessment, are listed below. These sources often link to their primary sources or to other groups doing dedicated research on the country or topic. In addition, the sub-sections list topic-specific research ideas.

Below are definitions and resources for the research categories which can help build out a country or regional assessment useful for the auditor, the organization, and for the broader organizational security community.

Capacity Assessment

Summary

In this component the auditor engages with staff through interviews and conversations to identify the organization's strengths and weaknesses (expertise, finance, willingness to learn, staff time, etc.) in adopting new digital and physical security practices. The auditor uses this information to modify the audit scope and recommendations accordingly.

Purpose

Knowing an organization's strengths and weaknesses allows the auditor to provide more tailored recommendations that an organization will be more likely to attempt and achieve. The auditor will use this assessment in preparing for the audit itself as well as when evaluating the difficulty of a recommendation. This information also provides a starting place for understanding the organization's current use and understanding of technology, digital security, and current threat landscape, as well as revealing elements of an organization's workflow, infrastructure and even vulnerabilities that you might otherwise have overlooked.

The Flow Of Information

[Figure: Audit Preparation Information Flow]

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Background Interview Approaches

Activities

Interviews

Summary

The auditor conducts interviews with various staff members to gather information on the organization's risks and capacity.

Q&A sessions are unabashedly white box aspects of a security assessment, and you will occasionally hear push-back along the lines of, "You wouldn't have found that thing if we hadn't told you about this other thing." Compelling black box findings certainly do have an advantage when it comes to persuasiveness, but obtaining them can be quite time-consuming, so relying exclusively on vulnerabilities that you can identify without "help" is generally a mistake in this resource-constrained sector.

Walkthrough

See the Appendix for a sample set of interview questions.

Capacity Assessment Checklist

Summary

A monolithic, one-time interview with key staff is not always possible or advisable, but interacting with a variety of staff exposes valuable information about every aspect of the audit, from vulnerabilities to capacity to hidden barriers. This serves as a "cheat sheet" of some topics to explore both during the planning and preparation phase and throughout the audit process.

Walkthrough

"Homework"

Organizational

Contextual / Background / Threat information

Technical:

Preparation Support

Reconnaissance

Summary

The remote assessment methodology focuses on direct observation of an organization and their infrastructure, consisting of passive reconnaissance of publicly available data sources ("Open Source Intelligence"). This allows the auditor to identify publicly available resources (such as websites, extranets, email servers, but also social media information) connected to the organization and remotely gather information about those resources.

Purpose

While much of SAFETAG focuses on digital security challenges within and around the office, unintended information available from "open sources" can pose real threats and deserve significant attention. This also builds the Auditor's understanding of the organization's digital presence and will guide specific vulnerabilities to investigate once on site.

The Flow Of Information

[Figure: Reconnaissance Information Flow]

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Open Source Intelligence (General)

Organizational Information Gathering

Searching

Pastebin Searching

Recon-ng

Activities

Manual Reconnaissance

Summary

This exercise suggests some targeted online search tools and tricks to gather information leakages from organizations. While many advocacy, activism, and media/journalism focused organizations are very public as part of their operations, the searches suggested here aim to explore data that could be used to better attack or socially engineer an organization.

Walkthrough

These custom and more manual approaches work excellently in combination with automated tools such as recon-ng or the commercial Maltego. Working with both these tricks and the automated tools, feeding information learned from one back to the other, is a powerful way to unearth large amounts of information about an organization.

Many of the tools and much of the further guidance are well covered in the references for the Reconnaissance method; a small selection of starting points is mapped out below.

Take care, however, to not waste time on this; using image information tools on every photo on an organization's website, or researching every linked social media account may not provide further valuable information - step back and judge the value of digging deeper - are you finding adversaries? Are you finding information that the organization may not want online? Are there other methods which might be more appropriate to apply?

Search Engines

Google dorking tricks:

Social Media / Account Discovery
Additional Tools
Pastebin Searching
Working with Images
Recommendation

Automated Reconnaissance

Summary

This component allows the auditor to quickly identify publicly available resources (such as websites, extranets, email servers, but also social media information) connected to the organization and remotely gather information about those resources.

Walkthrough

Both Recon-ng and Foca are open source reconnaissance tools with many available plugins. Foca is, out-of-the-box, more aimed at extracting metadata from documents and images, whereas Recon-ng is slightly more focused on digging into domains, subdomains, contacts, and the more network-level information. Both tools are best used in addition to critical thinking and manual exploration, and require "seed" inputs to get started and careful curation to remove false leads.

Recon-ng

Installing Recon-ng

For full instructions, see the Recon-ng Getting Started Instructions

Using Recon-ng

NOTE: This guide is based upon the data flow documentation from the Recon-ng website

By pressing tab twice you can use auto-completion.

[recon-ng][default] >
add         exit        load        record      search      show        use
back        help        pdb         reload      set         spool       workspaces
del         keys        query       resource    shell       unset

This works even in commands.

[recon-ng][default] > show
banner           credentials      hosts            locations        options          schema
companies        dashboard        keys             modules          ports            vulnerabilities
contacts         domains          leaks            netblocks        pushpins         workspaces

Using recon modules

The recon modules are named in a very specific fashion to help the user understand the flow of data inside the tool. Modules use the syntax <methodology step>/<input table>-<output table>/<module>. The input table is the first part of each module name and the output table the second; the final part is the tool used to process the data. So recon/domains-hosts/brute-hosts takes domain names (websitename.org) as input and outputs hostnames (extranet.websitename.org, etc.). If you give only the module's own name, recon-ng can usually resolve it (though tab completion doesn't help here); for example, use breachalarm works just as well as use recon/contacts-creds/breachalarm.

You can also search modules by their inputs or outputs: search domains- displays all modules that take domain names as input, and search -contacts displays all modules that output contact information.

Preparing

Turn verbose output on while following this guide so that you can see everything that happens (recommended when starting out).

[recon-ng][default] > set VERBOSE True

You can use auto completion to see all the possible keys you can add.

[recon-ng][websitename] > keys add
bing_api           facebook_secret    google_cse         jigsaw_username    pwnedlist_iv       twitter_api
builtwith_api      facebook_username  ipinfodb_api       linkedin_api       pwnedlist_secret   twitter_secret
facebook_api       flickr_api         jigsaw_api         linkedin_secret    shodan_api         virustotal_api
facebook_password  google_api         jigsaw_password    pwnedlist_api      sonar_api

Choose and add a key.

[recon-ng][default] > keys add bing_api TYPE_THE_KEY_VALUE_HERE
[*] Key 'bing_api' added.

You can list keys with the command keys list. See the Creating API Keys section below for quick links to setting up popular APIs.

First steps

NOTE: This walkthrough is using sample data. Results will vary widely depending on the organization you are working with.

[recon-ng][default] > workspaces add websitename
[recon-ng][websitename] >
[recon-ng][websitename] > workspaces select default
[recon-ng][default] >
[recon-ng][default] > workspaces select websitename
[recon-ng][websitename] >

Display possible seed information by using auto-completion.

[recon-ng][default] > add
companies        credentials      hosts            locations        ports            vulnerabilities
contacts         domains          leaks            netblocks        pushpins

We will use only the organization's name, one domain, two netblocks (found by searching for other domains and pinging them) and two e-mail addresses of the organization we are looking at, so we will add those.

First, add the company name.

[recon-ng][websitename] > add companies
company (TEXT): Websitename
description (TEXT):

Next, add the domain.

[recon-ng][default] > add domains websitename.org
[recon-ng][websitename] > show domains

  +--------------------------------+
  | rowid |     domain    | module |
  +--------------------------------+
  | 1     | websitename.org | base   |
  +--------------------------------+

[*] 1 rows returned

Next, add the contacts. We don't know much, but we will add what we know.

[recon-ng][websitename] > add contacts
first_name (TEXT): Bob
middle_name (TEXT):
last_name (TEXT): Smith
email (TEXT): [email protected]
title (TEXT):
region (TEXT):
country (TEXT): USA
[recon-ng][websitename] > add contacts
first_name (TEXT): Carl
middle_name (TEXT):
last_name (TEXT): Johnson
email (TEXT): [email protected]
title (TEXT):
region (TEXT):
country (TEXT): USA
[recon-ng][websitename] >

Finally, we will add the IP addresses of their website.

[recon-ng][websitename] > add netblocks
netblock (TEXT): 174.154.167.69
[recon-ng][websitename] > add netblocks
netblock (TEXT): 96.127.170.121

Here it is in the database.

[recon-ng][websitename][shodan_net] > show netblocks

  +---------------------------------+
  | rowid |    netblock    | module |
  +---------------------------------+
  | 2     | 174.154.167.69 | base   |
  | 3     | 96.127.170.121 | base   |
  +---------------------------------+

Reconnaissance phase (netblocks example)

First, search for any modules that use netblocks as an input.

[recon-ng][websitename] > search netblocks-
[*] Searching for 'netblocks-'...

  Recon
  -----
    recon/netblocks-hosts/reverse_resolve
    recon/netblocks-hosts/shodan_net
    recon/netblocks-ports/census_2012

In the case of recon/netblocks-hosts/shodan_net we can see that the "shodan_net" module is a reconnaissance module that takes in netblocks and produces hosts.

Let's try it out...

[recon-ng][websitename] > use recon/netblocks-hosts/shodan_net
[recon-ng][websitename][shodan_net] >

An empty command line can be daunting. If you are ever unsure which commands are available in the current context, use the help command.

[recon-ng][websitename][shodan_net] > help

Commands (type [help|?] <topic>):

add             Adds records to the database
back            Exits the current context
del             Deletes records from the database
exit            Exits the framework
help            Displays this menu
keys            Manages framework API keys
load            Loads selected module
pdb             Starts a Python Debugger session
query           Queries the database
record          Records commands to a resource file
resource        Executes commands from a resource file
run             Runs the module
search          Searches available modules
set             Sets module options
shell           Executes shell commands
show            Shows various framework items
spool           Spools output to a file
unset           Unsets module options
use             Loads selected module

Use the show info command to learn about the module and see what options are available.

[recon-ng][websitename][shodan_net] > show info

      Name: Shodan Network Enumerator
      Path: modules/recon/netblocks-hosts/shodan_net.py
    Author: Mike Siegel and Tim Tomes (@LaNMaSteR53)

Description:
  Harvests hosts from the Shodanhq.com API by using the 'net' search operator. Updates the 'hosts'
  table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  LIMIT   1              yes       limit number of api requests per input source (0 = unlimited)
  SOURCE  default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL ORDER BY netblock
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

[recon-ng][websitename][shodan_net] >

It pulls directly from the netblocks source that we set up. Now use run to run the module.

[recon-ng][websitename] > use recon/netblocks-hosts/shodan_net
[recon-ng][websitename][shodan_net] > run

174.154.167.69
[*] Searching Shodan API for: net:174.154.167.69
[*] 174.154.167.69 (vps.websitename.org) - 7706
[*] 174.154.167.69 (vps.websitename.org) - 110
[*] 174.154.167.69 (vps.websitename.org) - 57
[*] 174.154.167.69 (vps.websitename.org) - 22
[*] 174.154.167.69 (vps.websitename.org) - 147
[*] 174.154.167.69 (vps.websitename.org) - 997
[*] 174.154.167.69 (vps.websitename.org) - 70
[*] 174.154.167.69 (vps.websitename.org) - 25

96.127.170.121
[*] Searching Shodan API for: net:96.127.170.121
[*] 96.127.170.121 (vps.websitename.org) - 7706
[*] 96.127.170.121 (vps.websitename.org) - 22
[*] 96.127.170.121 (vps.websitename.org) - 465
[*] 96.127.170.121 (vps.websitename.org) - 997
[*] 96.127.170.121 (vps.websitename.org) - 25
[*] 96.127.170.121 (vps.websitename.org) - 995
[*] 96.127.170.121 (vps.websitename.org) - 57
[*] 96.127.170.121 (vps.websitename.org) - 147
[*] 96.127.170.121 (vps.websitename.org) - 110
[*] 96.127.170.121 (vps.leillc.net) - 7070

SUMMARY
[*] 17 total (2 new) items found.

Since the module promised hosts, let's see what hosts it uncovered.

[recon-ng][websitename][shodan_net] > show hosts

  +---------------------------------------------------------------------------------------------------+
  | rowid |        host       |   ip_address   | region | country | latitude | longitude |   module   |
  +---------------------------------------------------------------------------------------------------+
  | 1     | vps.websitename.org | 174.154.167.69 |      |         |          |           | shodan_net |
  | 2     | vps.websitename.org | 96.127.170.121 |      |         |          |           | shodan_net |
  | 3     | vps.leillc.net    | 96.127.170.121 |        |         |          |           | shodan_net |
  +---------------------------------------------------------------------------------------------------+

[*] 3 rows returned

The host vps.leillc.net is clearly not associated with the organization we are doing recon on: on shared hosting, one IP address often carries hostnames belonging to unrelated customers, and those are out of scope. Since this module has finished, we will leave it using the back command.

[recon-ng][websitename][shodan_net] > back
[recon-ng][websitename] >

Now we will use the other two netblock- modules. We will show one more and then skip the second.

First we find all the possible modules using tab completion.

[recon-ng][websitename] > use recon/netblocks-
recon/netblocks-hosts/reverse_resolve  recon/netblocks-hosts/shodan_net       recon/netblocks-ports/census_2012
[recon-ng][websitename] > use recon/netblocks-

We are going to use reverse_resolve.

[recon-ng][websitename][census_2012] > use recon/netblocks-hosts/reverse_resolve

But, when we run it we get an error!

[recon-ng][websitename][reverse_resolve] > run
174.154.167.69
[!] Need more than 1 value to unpack.

OPTIONAL: To figure out what went wrong, go back and then set DEBUG True to see the underlying error. The debug message tells us that netblocks must be given in CIDR notation (a single address is written with a /32 suffix; IPv4 prefixes cannot exceed /32). We will now add the netblocks in the correct format and then delete the old ones.

First we will add them correctly.

[recon-ng][websitename][reverse_resolve] > add netblocks
netblock (TEXT): 177.154.167.69/32
[recon-ng][websitename][reverse_resolve] > add netblocks
netblock (TEXT): 96.127.170.121/32

Now we have duplicates of the same netblocks:

[recon-ng][websitename][reverse_resolve] > show netblocks

  +---------------------------------------------+
  | rowid |      netblock     |      module     |
  +---------------------------------------------+
  | 2     | 174.154.167.69    | base            |
  | 4     | 177.154.167.69/32 | reverse_resolve |
  | 3     | 96.127.170.121    | base            |
  | 5     | 96.127.170.121/32 | reverse_resolve |
  +---------------------------------------------+

[*] 4 rows returned

Now that we know their rowid numbers, we can delete the old entries.

[recon-ng][websitename][reverse_resolve] > del netblocks
rowid(s) (INT): 2
[recon-ng][websitename][reverse_resolve] > del netblocks
rowid(s) (INT): 3

And, re-running the module now works.

[recon-ng][websitename][reverse_resolve] > run

[*] 177.154.167.69 => dsl-177-154-167-69-dyn.prod-infinitum.com.mx
[*] 96.127.170.121 => vps.websitename.org

SUMMARY

[*] 2 total (1 new) items found.
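The CIDR problem above is easy to catch before it reaches recon-ng. The following is an added example (not from the SAFETAG guide or from Recon-ng) that uses Python's standard ipaddress module to normalise a seed list: bare addresses become /32 blocks, invalid prefixes such as /72 are rejected, duplicates are collapsed, and blocks larger than a configurable size are refused so that an ISP-sized range never ends up in the netblocks table. The sample seeds and the 4096-address limit are assumptions for illustration.

```python
import ipaddress

# Added example, not part of the SAFETAG guide or of Recon-ng itself.
# Recon-ng's netblocks table expects CIDR notation: a bare address such as
# "174.154.167.69" makes reverse_resolve fail, and a prefix such as "/72"
# is not valid for IPv4 at all. This helper normalises seed entries before
# they are added, so the failure is caught up front instead of mid-run.


def normalize_netblock(entry, max_hosts=4096):
    """Return a canonical CIDR string for one seed entry.

    - a bare IPv4/IPv6 address becomes a single-host block (/32 or /128)
    - a block with host bits set is widened to its network address
    - invalid prefixes (e.g. /72 on IPv4) or garbage raise ValueError
    - blocks larger than max_hosts (an assumed limit) are rejected, because
      enumerating a whole ISP range is out of scope for an organisational audit
    """
    entry = entry.strip()
    if "/" not in entry:
        # Single address: ip_network() already yields /32 (IPv4) or /128 (IPv6).
        net = ipaddress.ip_network(entry)
    else:
        # strict=False tolerates host bits ("10.0.0.5/24" -> "10.0.0.0/24").
        net = ipaddress.ip_network(entry, strict=False)
    if net.num_addresses > max_hosts:
        raise ValueError(f"{net} spans {net.num_addresses} addresses; too broad for scope")
    return str(net)


def normalize_seed_list(entries, max_hosts=4096):
    """Normalise a whole seed list.

    Returns (accepted, rejected): accepted is a de-duplicated list of CIDR
    strings ready for 'add netblocks'; rejected pairs each bad entry with
    the reason it was dropped.
    """
    accepted, rejected = [], []
    for e in entries:
        try:
            cidr = normalize_netblock(e, max_hosts)
        except ValueError as exc:
            rejected.append((e, str(exc)))
            continue
        if cidr not in accepted:  # "x" and "x/32" are the same block
            accepted.append(cidr)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample seeds, mirroring the walkthrough's mistakes.
    seeds = ["174.154.167.69", "174.154.167.69/32", "96.127.170.121/72",
             "96.127.170.121", "203.0.113.0/24", "198.51.100.0/8", "not-an-ip"]
    ok, bad = normalize_seed_list(seeds)
    print("add netblocks:", ok)
    for entry, why in bad:
        print("rejected:", entry, "->", why)
```

Run the accepted list through add netblocks one entry at a time; anything in the rejected list needs a human decision (a typo to fix, or a range that was never in scope).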

Exploring these hosts, we quickly realize that most of the new hosts on other domains are not associated with the organization. Note that the first netblock was entered as 177.154.167.69, not the 174.154.167.69 used earlier; the DSL hostname it resolved to belongs to whoever holds that address and tells us nothing about the organization. Hence, we will remove them.

[recon-ng][websitename] > show hosts

  +-----------------------------------------------------------------------------------------------------------------------------------+
  | rowid |                     host                     |   ip_address   | region | country | latitude | longitude |      module     |
  +-----------------------------------------------------------------------------------------------------------------------------------+
  | 4     | dsl-177-154-167-69-dyn.prod-infinitum.com.mx | 177.154.167.69 |        |         |          |           | reverse_resolve |
  | 1     | vps.websitename.org                          | 174.154.167.69 |        |         |          |           | shodan_net      |
  | 2     | vps.websitename.org                          | 96.127.170.121 |        |         |          |           | shodan_net      |
  | 7     | vps.pineapplebob.net                         | 96.127.170.121 |        |         |          |           | shodan_net      |
  +-----------------------------------------------------------------------------------------------------------------------------------+

[*] 4 rows returned
[recon-ng][websitename] > del hosts
rowid(s) (INT): 4
[recon-ng][websitename] > del hosts
rowid(s) (INT): 7

We skip the last module recon/netblocks-ports/census_2012 since you already get the idea.

Sadly, none of the new hosts were actually useful.

Let's find new domains by brute forcing suffixes. First, look at what is available.

[recon-ng][websitename] > search domains-domains
[*] Searching for 'domains-domains'...

  Recon
  -----
    recon/domains-domains/brute_suffix
[recon-ng][websitename] > use recon/domains-domains/brute_suffix
[recon-ng][websitename][brute_suffix] > run

-------------
WEBSITENAME.ORG
-------------
[*] websitename.ac => No record found.
[*] websitename.academy => No record found.
[*] websitename.ad => No record found.
[*] websitename.ae => No record found.
[*] websitename.aero => No record found.
[*] websitename.af => (SOA) websitename.af - Host found!
[*] websitename.ag => No record found.
[*] websitename.ai => No record found.
[*] websitename.al => No record found.
[*] websitename.am => (SOA) websitename.am - Host found!
[*] websitename.an => No record found.
[*] websitename.ao => No record found.
[*] websitename.aq => (SOA) websitename.aq - Host found!
[*] websitename.ar => No record found.
[*] websitename.arpa => No record found.
[*] websitename.as => No record found.
[*] websitename.asia => No record found.
[*] websitename.at => No record found.
[*] websitename.au => No record found.
[*] websitename.aw => (SOA) websitename.aw - Host found!
[*] websitename.ax => No record found.
[*] websitename.az => No record found.
[*] websitename.ba => No record found.
[*] websitename.bb => No record found.
[*] websitename.bd => No record found.
[*] websitename.be => No record found.
[*] websitename.berlin =>  (SOA) websitename.berlin - Host found!
...

This returned quite a few domains; the middle section has been removed for brevity.

[recon-ng][websitename][brute_suffix] > show domains

  +------------------------------------------+
  | rowid |       domain      |    module    |
  +------------------------------------------+
  | 2     | websitename.af      | brute_suffix |
  | 7     | websitename.am      | brute_suffix |
  | 4     | websitename.asia    | brute_suffix |
  | 5     | websitename.aq      | brute_suffix |
  | 7     | websitename.bg      | brute_suffix |
             ....
             ....
             ....
  | 25    | websitename.net     | brute_suffix |
  | 1     | websitename.org     | base         |
  | 17    | websitename.uz      | brute_suffix |
  +------------------------------------------+

Many of these domains are out of scope for the audit and had to be removed: a name such as websitename.af existing in DNS does not mean the organization owns it, so confirm with the organization which of these are theirs before enumerating further. Luckily you can specify ranges (low rowid to high, e.g. 44-72) when you delete.

[recon-ng][websitename][brute_suffix] > del domains
rowid(s) (INT): 44-72

There are many domains-hosts modules, so we will run only two (a search-engine one and a brute-force one), since the workflow for the rest is the same.

[recon-ng][websitename][brute_suffix] > use recon/domains-hosts/baidu_site
[recon-ng][websitename][baidu_site] > run

------------
WEBSITENAME.EU
------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Awebsitename.eu
[*] www.websitename.eu
[*] Sleeping to avoid lockout...

------------
WEBSITENAME.FR
------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Awebsitename.fr

-------------
WEBSITENAME.ORG
-------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Awebsitename.org
[*] www.websitename.org
[*] things.websitename.org
[*] Sleeping to avoid lockout...

----------------
WEBSITENAME.ORG.UK
----------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Awebsitename.org.uk

------------
WEBSITENAME.COM
------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Awebsitename.com
[*] www.websitename.com
[*] Sleeping to avoid lockout...

-------
SUMMARY
-------
[*] 5 total (2 new) items found.
[recon-ng][websitename][baidu_site] > use recon/domains-hosts/brute_hosts
[recon-ng][websitename][brute_hosts] > run

-------------
WEBSITENAME.ORG
-------------
[*] No Wildcard DNS entry found.
[*] 0.websitename.org => No record found.
[*] 01.websitename.org => No record found.
[*] 02.websitename.org => No record found.
[*] 03.websitename.org => No record found.
[*] 1.websitename.org => No record found.
[*] 10.websitename.org => No record found.
[*] 11.websitename.org => No record found.
[*] 12.websitename.org => No record found.
[*] 13.websitename.org => No record found.
[*] 14.websitename.org => No record found.
[*] 15.websitename.org => No record found.
[*] 16.websitename.org => No record found.
[*] 17.websitename.org => No record found.
[*] 18.websitename.org => No record found.
[*] 19.websitename.org => No record found.
[*] 2.websitename.org => No record found.
[*] 20.websitename.org => No record found.
[*] 3.websitename.org => No record found.
[*] 3com.websitename.org => No record found.
[*] 4.websitename.org => No record found.
[*] 5.websitename.org => No record found.
[*] 6.websitename.org => No record found.
...
...
[*] autodiscover.websitename.org => (CNAME) autodiscover.websitename-mail.org - Host found!
[*] autodiscover.websitename.org => (A) autodiscover.websitename.org - Host found!
[*] autorun.websitename.org => No record found.
[*] av.websitename.org => No record found.
...
...
[recon-ng][websitename] > show hosts

  +--------------------------------------------------------------------------------------------------------------------+
  | rowid |               host                |   ip_address   | region | country | latitude | longitude |    module   |
  +--------------------------------------------------------------------------------------------------------------------+
  | 8     | autodiscover.websitename-mail.org |                |        |         |          |           | brute_hosts |
  | 9     | autodiscover.websitename.org      |                |        |         |          |           | brute_hosts |
  | 32    | autodiscover.websitename.com      |                |        |         |          |           | brute_hosts |
  | 10    | conference.websitename.org        |                |        |         |          |           | brute_hosts |
  | 12    | beta.websitename.org              |                |        |         |          |           | brute_hosts |
  | 5     | demo.websitename.org              |                |        |         |          |           | baidu_site  |
  | 14    | email.websitename.org             |                |        |         |          |           | brute_hosts |
  | 15    | intranet.websitename.org          |                |        |         |          |           | brute_hosts |
  | 16    | ftp.websitename.org               |                |        |         |          |           | brute_hosts |
  | 37    | ftp.websitename.com               |                |        |         |          |           | brute_hosts |
  | 13    | ftp2.websitename.org              |                |        |         |          |           | brute_hosts |
  | 11    | websitename.github.com            |                |        |         |          |           | brute_hosts |
  | 24    | websitename.org                   |                |        |         |          |           | brute_hosts |
  | 75    | websitename.com                   |                |        |         |          |           | brute_hosts |
  | 18    | localhost.websitename.org         |                |        |         |          |           | brute_hosts |
  | 19    | mail.websitename.org              |                |        |         |          |           | brute_hosts |
  | 36    | mail.websitename.com              |                |        |         |          |           | brute_hosts |
  | 20    | ns1.websitename.org               |                |        |         |          |           | brute_hosts |
  | 27    | temp.websitename.org              |                |        |         |          |           | brute_hosts |
  | 25    | test.websitename.org              |                |        |         |          |           | brute_hosts |
  | 1     | vps.websitename.org               | 174.174.177.77 |        |         |          |           | shodan_net  |
  | 2     | vps.websitename.org               | 77.127.170.121 |        |         |          |           | shodan_net  |
  | 27    | webmail.websitename.com           |                |        |         |          |           | brute_hosts |
  | 4     | www.websitename.org               |                |        |         |          |           | baidu_site  |
  | 7     | www.websitename.com               |                |        |         |          |           | baidu_site  |
  +--------------------------------------------------------------------------------------------------------------------+

[*] 77 rows returned

NOTE: Many host-gathering modules use the existing hosts as their starting point. It is important to sanitize the hosts table between modules, so that you do not start enumerating based on hosts that were added incorrectly or that belong to someone else.

To see which hosts share an IP address with the ports Shodan found, join the hosts and ports tables with a query:

[recon-ng][websitename] > query select hosts.ip_address, hosts.host, ports.host, ports.port from hosts join ports using (ip_address)

  +----------------------------------------------------------------------+
  |   ip_address   |          host          |        host         | port |
  +----------------------------------------------------------------------+
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 110  |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 147  |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 22   |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 27   |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 7707 |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 77   |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 70   |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 777  |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 110  |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 147  |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 22   |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 27   |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 7707 |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 477  |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 77   |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 777  |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 777  |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 110  |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 147  |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 22   |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 27   |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 7707 |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 77   |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 70   |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 777  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 110  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 147  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 22   |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 27   |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 7707 |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 477  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 77   |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 777  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 777  |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 110  |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 147  |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 22   |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 27   |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 7707 |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 77   |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 70   |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 777  |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 110  |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 147  |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 22   |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 27   |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 7707 |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 77   |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 70   |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 777  |
  +----------------------------------------------------------------------+
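Both the sanitisation note above and the join query can be done outside the recon-ng shell, since the workspace is an ordinary SQLite database. The following is an added example (not from the SAFETAG guide or from Recon-ng): it builds a constructed, much-simplified copy of the hosts and ports tables in memory (the real data.db under ~/.recon-ng/workspaces/<name>/ has more columns), deletes every host that is not the agreed apex domain or a subdomain of it, and then reports one line per host with the ports Shodan saw on its IP. The scope list, the column subset and the sample rows are assumptions for the example.

```python
import sqlite3

# Added example, not part of the SAFETAG guide or Recon-ng. It recreates a
# small subset of Recon-ng's 'hosts' and 'ports' tables in an in-memory
# SQLite database, then does two things the walkthrough does by hand:
#   1) drop hosts that fall outside the agreed scope, and
#   2) join hosts to the ports Shodan reported, one row per host instead of
#      one row per host/port pair, with unambiguous column names.

# Assumption: the scope comes from the engagement agreement with the organisation.
IN_SCOPE_DOMAINS = ("websitename.org", "websitename.com")


def in_scope(hostname, scope=IN_SCOPE_DOMAINS):
    """True if hostname is an in-scope apex domain or a subdomain of one.

    Matching is done on label boundaries, so 'notwebsitename.org' does NOT
    match 'websitename.org' (a plain substring test would let it through).
    """
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in scope)


def build_sample_db():
    """Constructed data modelled on the walkthrough's tables (not real hosts)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT);
        CREATE TABLE ports (ip_address TEXT, host TEXT, port TEXT, module TEXT);
    """)
    conn.executemany("INSERT INTO hosts VALUES (?,?,?)", [
        ("vps.websitename.org", "174.154.167.69", "shodan_net"),
        ("vps.websitename.org", "96.127.170.121", "shodan_net"),
        ("vps.leillc.net", "96.127.170.121", "shodan_net"),            # other tenant on shared IP
        ("dsl-177-154-167-69-dyn.prod-infinitum.com.mx", "177.154.167.69", "reverse_resolve"),
        ("www.websitename.org", "174.154.167.69", "baidu_site"),
        ("notwebsitename.org", "203.0.113.7", "brute_hosts"),         # lookalike, out of scope
        ("mail.websitename.com", None, "brute_hosts"),                # no IP yet, so no ports
    ])
    conn.executemany("INSERT INTO ports VALUES (?,?,?,?)", [
        ("174.154.167.69", "vps.websitename.org", "22", "shodan_net"),
        ("174.154.167.69", "vps.websitename.org", "25", "shodan_net"),
        ("174.154.167.69", "vps.websitename.org", "110", "shodan_net"),
        ("96.127.170.121", "vps.websitename.org", "22", "shodan_net"),
        ("96.127.170.121", "vps.websitename.org", "465", "shodan_net"),
        ("96.127.170.121", "vps.leillc.net", "7070", "shodan_net"),
    ])
    return conn


def prune_out_of_scope(conn, scope=IN_SCOPE_DOMAINS):
    """Delete out-of-scope rows from hosts and ports; returns the removed hostnames."""
    removed = []
    for table in ("hosts", "ports"):
        rows = conn.execute(f"SELECT rowid, host FROM {table}").fetchall()
        bad = [(rid, h) for rid, h in rows if h and not in_scope(h, scope)]
        conn.executemany(f"DELETE FROM {table} WHERE rowid = ?", [(rid,) for rid, _ in bad])
        removed.extend(h for _, h in bad)
    conn.commit()
    return removed


def hosts_with_ports(conn):
    """One (hostname, ip, [ports]) tuple per host that shares an IP with a ports row.

    The two 'host' columns are aliased so the output is no longer ambiguous,
    and the ports are collapsed into one list per host.
    """
    sql = """
        SELECT h.host AS hostname, h.ip_address AS ip,
               GROUP_CONCAT(DISTINCT p.port) AS ports
        FROM hosts h JOIN ports p USING (ip_address)
        GROUP BY h.host, h.ip_address
        ORDER BY h.ip_address, h.host
    """
    return [(hn, ip, sorted(ports.split(","), key=int))
            for hn, ip, ports in conn.execute(sql)]


if __name__ == "__main__":
    db = build_sample_db()
    print("removed:", prune_out_of_scope(db))
    for hostname, ip, ports in hosts_with_ports(db):
        print(f"{ip:16} {hostname:24} {','.join(ports)}")
```

To run this against a real workspace, replace build_sample_db() with sqlite3.connect(path_to_data_db); the DELETE statements are then as permanent as recon-ng's own del command, so take a copy of the file first.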
Reconnaissance: Next Steps

Reporting

[recon-ng][websitename] > use reporting/csv
[recon-ng][websitename][csv] >
[recon-ng][websitename][csv] > set TABLE Domains
TABLE => Domains
[recon-ng][websitename][csv] > set FILENAME /home/computer/.recon-ng/workspaces/websitename/Domains.csv
FILENAME => /home/computer/.recon-ng/workspaces/websitename/Domains.csv
[recon-ng][websitename][csv] > run
[*] 5 records added to '/home/computer/.recon-ng/workspaces/websitename/Domains.csv'.

Creating API Keys


Foca Analyzer

FOCA Quick Guide

Requirements:
- FOCA executable
- Windows environment (virtualized)
- .NET Framework

Installing FOCA analyzer:
- Download from the FOCA website
- Install the .NET Framework
- Extract the FOCA zip file into a folder
- To launch, go to the FOCA Pro folder, then bin, and select the FOCA application

Features & Functionality

FOCA has many features, web searches and DNS searches among them. To learn more about its functionality, visit FOCA's website.

Creating Your first Project:

To create a project in FOCA, click Project on the tab menu and select New Project.

There are a few items to fill in:
- Project name: name of your project
- Domain website: the website of your target
- Alternative domains: subdomains and other domains that your target owns
- Folder where to save documents: select or create a folder for your FOCA results
- Project date: date of your project (filled in automatically)
- Project notes: any notes you have for this particular project

After completing the form, click Create.

Scan and Search:

After saving your project, you are taken to the main window. In the upper right-hand corner of the screen you will see two groups of settings: the search engines to use and the file extensions to look for.

Click the Search All button below the Extension options to start the scan.

Note: FOCA will show a warning with the IP address of the target and its netrange owner. This will be added to the alternative domains.

Analyzing Public Documents:

FOCA's results depend on the files and documents that are publicly available on the website. Some organizations have no publicly available documents; if that is the case, move on to the Maltego assessment activity.

If the scan does find files or documents, you can analyze them and extract their metadata.

Downloading Files:

When the search has completed, right-click on a file to download it. You can download files one at a time, or select several with Shift-click and download them together; metadata can only be extracted from files that have been downloaded. If the target website has many documents, you will probably want to download all of them at once.

Extracting Metadata:

Once files are downloaded, right-click the selection and choose Extract Metadata (or Extract All Metadata to process every downloaded file), then right-click again and choose Analyze Metadata. A green indicator appears next to each file that has been downloaded and analyzed, and a progress bar shows the download status and time for each individual file.

Analyzing Reports and Findings

After downloading documents and extracting metadata, you can view the results in the left pane of FOCA, which has the following options:
- Network
- Domains
- Roles
- Vulnerabilities
- Metadata

Under Metadata there are two sub-menus, Documents and Metadata Summary. Documents shows the scraped metadata per document or file; Metadata Summary groups it into:
- Users
- Folders
- Printers
- Software
- Emails
- Operating Systems
- Passwords
- Servers

Record this information: usernames, e-mail addresses, internal folder paths, printer names and software versions all map attack surface, for social engineering as well as for targeting outdated software.

Along with the results of your other tools and recon activities, add all of this to your documentation tool. Kali Linux comes with a documentation tool called KeepNote.
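FOCA automates what can also be done by hand for Office documents, which are ZIP archives with their metadata in docProps/core.xml and docProps/app.xml. The following is an added example (not from the SAFETAG guide or from FOCA) that reads those two parts from a .docx and buckets the fields the way FOCA's Metadata Summary does (users, software, folders). The document it parses is constructed in memory, so the sample names, template path and version are made up for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Added example, not part of the SAFETAG guide or of FOCA. It shows the core
# of what FOCA's "Extract Metadata" does for Office documents: .docx/.xlsx/
# .pptx files are ZIP archives, and docProps/core.xml and docProps/app.xml
# carry author names, the last editor, the application and its version and
# sometimes an internal template path. The sample document is built in
# memory so the script runs offline.

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def extract_ooxml_metadata(data):
    """Return a dict of the fields an auditor cares about from an OOXML file (bytes)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for key, path in (("creator", "dc:creator"),
                              ("last_modified_by", "cp:lastModifiedBy"),
                              ("created", "dcterms:created"),
                              ("modified", "dcterms:modified")):
                el = core.find(path, NS)
                if el is not None and el.text:
                    found[key] = el.text.strip()
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            for key, path in (("application", "ep:Application"),
                              ("app_version", "ep:AppVersion"),
                              ("company", "ep:Company"),
                              ("template", "ep:Template")):
                el = app.find(path, NS)
                if el is not None and el.text:
                    found[key] = el.text.strip()
    return found


def summarize(found):
    """Bucket one document's fields the way FOCA's Metadata Summary does."""
    summary = {"users": set(), "software": set(), "folders": set()}
    for k in ("creator", "last_modified_by"):
        if k in found:
            summary["users"].add(found[k])
    if "application" in found:
        version = " " + found["app_version"] if "app_version" in found else ""
        summary["software"].add(found["application"] + version)
    # A template path such as C:\Users\bsmith\... reveals usernames and internal layout.
    m = re.match(r"^([A-Za-z]:\\[^\r\n]*\\|/[^\r\n]*/)", found.get("template", ""))
    if m:
        summary["folders"].add(m.group(1))
    return summary


def build_sample_docx():
    """Constructed minimal .docx containing only the parts this script reads."""
    core = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:creator>Bob Smith</dc:creator>
  <cp:lastModifiedBy>bsmith</cp:lastModifiedBy>
  <dcterms:created>2014-03-02T10:15:00Z</dcterms:created>
  <dcterms:modified>2014-03-09T08:42:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)
    app = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>14.0000</AppVersion>
  <Company>Websitename</Company>
  <Template>C:\\Users\\bsmith\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm</Template>
</Properties>""".format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    meta = extract_ooxml_metadata(build_sample_docx())
    for k, v in meta.items():
        print(f"{k:17} {v}")
    print(summarize(meta))
```

Point extract_ooxml_metadata() at the bytes of any downloaded .docx/.xlsx/.pptx; for PDF, image and older binary Office formats the containers differ, which is the part of the job FOCA saves you.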


Recommendation

Website Footprinting

Summary

Using online tools as a starting point for assessing the auditee's web application is a good way to extend online reconnaissance and begin your vulnerability assessment. By identifying what the web application is made of and the technologies behind it, you can build a profile and a good understanding of it, and from there plan the strategies for your vulnerability assessment.

For example, after discovering accessible web directories, you can look for forgotten or abandoned files and applications that might contain sensitive information (such as passwords) or outdated, vulnerable software. Content management systems, while powerful, require ongoing maintenance and updates to stay secure; quite often the CMS itself or specific plugins fall out of date and become increasingly vulnerable to automated as well as targeted attacks.

Online tools offer a way of performing "passive" scans: the third-party service makes the requests, so your own address never appears in the target's logs, IDS/IPS or firewall records (the service itself, of course, sees what you are looking at). Use these together with the other outputs of reconnaissance to determine which platforms and hosts are out of scope.

Overview
Materials Needed
Considerations
Walkthrough

Before unleashing more advanced and powerful tools like OpenVAS, a few quick steps can help guide your work. As a general note, browsing with at least NoScript enabled not only helps protect you but may also reveal malware or adware injected into the website.

Record core details about the website: the hosting provider, platform, content management system and other baseline data. BuiltWith is a great tool for this; there are a few alternatives, including the open source tool SiteLab. Note that recon-ng bundles a BuiltWith module, but the output it provides is not currently stored in recon-ng's data tables. These tools may also reveal plugins, JavaScript libraries and DDoS protection services such as CloudFlare.

Tools


CMS Version Detection

For CMS systems, out-of-date components can mean well-known vulnerabilities that are easy for malicious actors to exploit.

Drupal: For Drupal, try visiting /CHANGELOG.txt, which, if not manually removed, will reveal the most recent version of Drupal installed on the server. Other telltale signs depend on the specific Drupal release; http://corporate.adulmec.ro/blog/2010/drupal-detection-test-site-running-drupal maintains a detection tool.

Drupal 6.27, 2012-12-19
----------------------
- Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.
Drupal 6.26, 2012-05-02
----------------------
- Fixed a small number of bugs.
- Made code documentation improvements.

Joomla: For Joomla, default templates provide strong hints towards versions based on copyright dates. Specific versions can often be discovered using this guide: https://www.gavick.com/magazine/how-to-check-the-version-of-joomla.html

WordPress: WordPress sites tend to advertise their version number in the header of each web page, such as

<meta name="generator" content="WordPress 3.3.1" />

There is a web-based tool with browser add-ons available here: http://www.whitefirdesign.com/tools/wordpress-version-check.html
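To see what an organization's own site leaks through these channels, here is an added Python example (not from SAFETAG or any of the tools named above) that reads the generator meta tag, parses the first line of a Drupal CHANGELOG.txt, and flags revealing HTTP response headers such as Server, X-Powered-By and CloudFlare's cf-ray; the sample page and headers are constructed.

```python
"""Report what a site's own HTML and HTTP headers give away.

Added example (not part of SAFETAG or the tools named above). Run it
against your own pages to see which CMS, version and front-end service
an outsider can read from the generator meta tag, the Server and
X-Powered-By headers, and CloudFlare's cf-ray header. It works on saved
HTML text and a dict of response headers, so it runs offline; the sample
inputs at the bottom are constructed.
"""
import re

# Generator strings the major CMSs emit by default (WordPress and Joomla
# include one; Drupal 7+ does too, while older Drupal only reveals itself
# via /CHANGELOG.txt, handled by changelog_version below).
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
CMS_NAMES = ("WordPress", "Joomla", "Drupal")


def cms_from_html(html):
    """Return (cms, version-or-None) from a generator meta tag, else None."""
    m = GENERATOR_RE.search(html)
    if not m:
        return None
    content = m.group(1).strip()
    for name in CMS_NAMES:
        if content.lower().startswith(name.lower()):
            ver = re.search(r"\d+(?:\.\d+)*", content)
            return name, (ver.group(0) if ver else None)
    return content, None          # some other generator string


def changelog_version(text):
    """Parse the newest 'Drupal X.Y, YYYY-MM-DD' line of a CHANGELOG.txt."""
    m = re.search(r"^Drupal\s+(\d+(?:\.\d+)*),\s*\d{4}-\d{2}-\d{2}", text, re.M)
    return m.group(1) if m else None


def header_findings(headers):
    """List headers that reveal the platform or a DDoS mitigation service."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "cf-ray" in h or h.get("server", "").lower() == "cloudflare":
        findings.append("fronted by CloudFlare (cf-ray/Server header)")
    if "x-powered-by" in h:
        findings.append("X-Powered-By reveals: " + h["x-powered-by"])
    server = h.get("server", "")
    if server and server.lower() != "cloudflare":
        findings.append("Server header reveals: " + server)
    return findings


def assess(html, headers, changelog=None):
    """Combine the checks into a list of findings for the audit notes."""
    findings = []
    cms = cms_from_html(html)
    if cms:
        findings.append("generator meta tag reveals: " + " ".join(p for p in cms if p))
    if changelog:
        ver = changelog_version(changelog)
        if ver:
            findings.append("/CHANGELOG.txt reveals Drupal " + ver)
    return findings + header_findings(headers)


if __name__ == "__main__":
    # Constructed sample: a WordPress page served by Apache/PHP.
    sample_html = '<html><head><meta name="generator" content="WordPress 3.3.1" /></head></html>'
    sample_headers = {"Server": "Apache/2.2.22 (Ubuntu)", "X-Powered-By": "PHP/5.3.10"}
    for line in assess(sample_html, sample_headers):
        print("-", line)
```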


Recommendation

Most popular CMS platforms provide emailed alerts and semi-automated ways to update their software. Make sure someone responsible for the website is either receiving these emails or checking regularly for available updates. Security updates should be applied immediately. It is, however, a best practice to have a “test” site where you can first deploy any CMS update before attempting it on a production site.

For custom CMS systems, it is strongly advisable to migrate to a more standard, open source system.

An increasingly good practice is for organizations to take advantage of the "free" tiers of DDoS mitigation services, of which CloudFlare is probably the best known. A challenge of these free services can be that they have definite limits to their protection. With CloudFlare, organizations can request to be a part of their Project Galileo program to support at-risk sites even beyond their normal scope of support.

A community-based, open source alternative is Deflect, which is completely free for eligible sites.

Some of these services will be revealed by BuiltWith, but checking the HTTP response headers (in Chromium/Chrome, available under the Inspect Element tool, or by using Firebug in Firefox) will reveal them as well. See Deflect's wiki for more information.

Guide for NGOs about DDoS: Digital First Aid Kit

DNS Enumeration

Summary

DNS stands for Domain Name Service. In a nutshell, it translates host/computer names into their IP addresses. It provides a way to learn the IP address of any given machine on the internet from the corresponding URL, or domain. You can consider it the telephone directory of the Internet.

DNS enumeration is one of the initial steps in your overall vulnerability assessment and audit. It is a stage that allows you to discover more potential targets. Upon completion of this assessment stage, you may find issues such as leaked information caused by default settings and server misconfigurations. Along with these, you can also gain a broader scope of targets, such as internal server IP addresses, company netblocks and domain/subdomain names.

DNS enumeration can be accomplished with a number of different tools and different approaches. This guide will discuss some of the approaches and the tools required to perform each of the activities. You can perform DNS enumeration passively or actively, depending on your operational security needs.

The passive, or "indirect", approach refers to an enumeration process that doesn't send any traffic or packets from your machine directly to your target. This can be done using third-party tools such as online tools and cloud-based scanners.

The active, or "direct", approach refers to sending DNS queries and enumeration tests directly to the target. Consider that traffic is sent to the target, which may leave traces or traffic logs coming from your source IP. Active techniques include zone transfer, reverse lookup, domain and host brute-forcing, standard record enumeration (wildcard, SOA, MX, A, TXT etc.), cache snooping, and zone walking.

NOTE: When performing active enumeration it is always good to ask the organization to whitelist your IPs for the duration of the assessment. This prevents your scans from being shunned (automatically blocked) the way an attacker's traffic would be. Whitelisting your IPs also removes false positive reports and inaccurate results.

Overview
Materials Needed
Considerations
Walkthrough

The flexibility of having multiple options for performing DNS enumeration is key to a successful enumeration. As a practice, comparing results helps ensure that the information we gather is accurate. Your investigation may be blocked by CloudFlare, a popular DDoS protection service; CloudFlair (https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/) provides some options in this case.

DNS enumeration tools (type, technique):

Robtex (online, passive): Gathers public information about IP numbers, domain names, host names, autonomous systems, routes etc., then indexes the data in a big database and provides free access to that data.
DNSdumpster (online, passive): Free domain research tool that can discover hosts related to a domain; results include banners for HTTP, FTP, SSH and Telnet.
CentralOps Domain Dossier (online, passive): Investigates domains and IP addresses. Gathers registrant information, DNS records, network and domain Whois records, service scans and traceroutes.
DNSSEC Analyzer (online, passive): Checks DNSSEC key management and configuration records.
Recon-ng (script, active): Automated web reconnaissance framework written in Python. Complete with independent modules, database interaction, built-in convenience functions, interactive help and command completion.
IntoDNS (online, passive): Checks the health and configuration of your DNS and provides a report on MX records too. Provides suggestions to fix and improve findings.
YouGetSignal (online, passive): Helps you find other sites being hosted on a particular IP address, verifying whether the target is using a shared hosting service.
DNSRecon (script, active): A Python script written by Carlos Perez for conducting DNS reconnaissance. It can enumerate general DNS records, perform zone transfers, perform reverse lookups, and brute-force subdomains, among other functions. It will even perform Google scanning, automating the process discussed in the "Using Google to find subdomains" section.
DNSenum (script, active): Multithreaded Perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks.

Specific instructions for selected tools/techniques follow:

Passive: Third Party and Online Tools

Using third-party and online tools helps an auditor/tester avoid having their own machine generate logs on the target's end. Where the target, or the partner organization requesting the audit/assessment, has security devices in place (IDS/IPS, firewall, etc.), generating traffic from your machine/network may sometimes result in your traffic getting blocked by the "automatic blocking" features of those devices/appliances.

Requirements:
- Stable internet connection
- Any browser, updated to the latest version
- Target domain
- WordPad/Notepad or any application for documentation (KeepNote in Kali)

Under the Approach document, you can see a list of DNS recon tools, both passive and active. In this guide, we will only focus on the passive tools.

(NOTE: It is important that we verify that we have the correct target domain before proceeding with any of the scan/audit/assessment exercises within the SAFETAG framework. The last thing we want is to scan and enumerate a target that is out of scope!)

At first, the results may be overwhelming, especially if you run all these tools against your target. The next question is: what do we need to look for, and take note of?

Documentation

Documentation plays a great part in effective reconnaissance. The better your documentation is, the easier it is for you to scope your target's infrastructure and plan your attack efficiently. Kali has a built-in documentation application called "KeepNote". Getting yourself familiar with the application is highly recommended.

What to Document?

These online tools can generate a huge amount of information.

Some of this information may already give you an idea of how your target's infrastructure is set up. For example, you may see whether the target domain sits behind a CDN (Content Delivery Network) or sometimes a DDoS mitigation service by looking at its NS records. You can also identify whether the target's MX records sit behind a DLP (Data Leakage Prevention) system.

Active: DNSrecon

DNSrecon (available in the Kali 2017 release) is a powerful DNS enumeration script that can help an auditor gather information during the recon stage. This tool checks all NS records for zone transfers and enumerates general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT). It also performs SRV record enumeration and TLD (Top Level Domain) expansion, to name a few.

This exercise will help you in performing some of the DNS enumeration methods using DNSrecon and generate information which you can add to your database to be used for other avenues of testing.

Perform basic DNS enumeration on the target:

 # dnsrecon -d <target.domain>

Perform DNS zone transfer enumeration:

 # dnsrecon -d <target.domain> -a
 # dnsrecon -d <target.domain> -t axfr

Perform a reverse lookup:

 # dnsrecon -r <start-IP-to-end-IP>

Domain brute force:

 # dnsrecon -d <target.domain> -D <namelist> -t brt

Cache snooping:

 # dnsrecon -t snoop -n <server> -D <dictionary>

Zone walking:

 # dnsrecon -d <target.domain> -t zonewalk

Active: DNSenum

DNSenum, just like DNSrecon, is a tool designed to analyze the DNS information of a specific target. For zone transfers, hostname and subdomain dictionary brute force, reverse lookups, service record and standard record queries, and top level domain name expansion, the results of the two assessment tools are almost identical.

You can use DNSenum from the Kali terminal and from the MSF console as an auxiliary module.

To access DNSenum, simply type the command dnsenum. (You can add -h for help options.)

 # dnsenum

The table below will help you get started with your DNS enumeration using dnsenum tool.

dnsenum commands:

dnsenum -h
    Display help options.
dnsenum domain.com
    Performs basic DNS enumeration.
dnsenum --enum domain.com
    Performs fast enumeration (equivalent to --threads 5 -s 15 -w).
dnsenum -f list.txt -r <domain.com>
    Performs hostname and subdomain dictionary brute force using the list.txt file.
dnsenum -f list.txt -s 5 -p 5 domain.com
    Enumerates using the subdomain list (list.txt), scraping 5 subdomains (-s) from 5 Google result pages (-p).
dnsenum -f list.txt -o result.xml internews.org
    Enumerates the target with the subdomain list (list.txt) and writes the output in XML format (-o).

Active: Simple Zone Transfer

Anonymous individuals online can request the full list of the hostnames on the organization's domain. Responding to zone requests from anyone on the Internet is comparable to providing an inventory of office locations, pending projects and service providers to anyone who asks. As such, it is not inherently dangerous, but it does require that the organization not rely on the assumption that unpublicized URLs are in fact secret.

An overly permissive domain name service (DNS) provider allows an attacker to enumerate online services that the organization might think are “hidden” because they have not been (intentionally) published. A zone transfer returns all of the hostnames at a particular domain, or “zone.” So, a request for sample.org may return www.sample.org, webmail.sample.org and ftp.sample.org, along with other less obviously guessable targets, such as wordpress-testing.sample.org.

While any user should be able to use a name server to look up a hostname and convert it to the corresponding IP address, most well-administered name servers allow full “zone transfer” requests only from a specific list of authorized locations (often themselves subsidiary name servers).

Determine the authoritative name server(s) for the organization’s primary domain:

$ host -t ns sample.org
sample.org name server ns1.something.net.
sample.org name server ns2.something.net.

Attempt a zone transfer on that domain, using that name server:

$ host -l sample.org ns1.something.net
Using domain server:
Name: ns1.something.net
Address: 256.0.0.1#53
Aliases:

www.sample.org has address 256.0.0.2
mail.sample.org has address 256.0.0.3
webmail.sample.org has address 256.0.0.4
ftp.sample.org has address 256.0.0.5
foo.sample.org has address 256.0.0.6
bar.sample.org has address 256.0.0.7

Active: MX Records

MX, or Mail Exchange, records are required to be public for any domain you wish to receive email through. These records can still reveal sensitive information about an organization's hosting set-up and the office software in use through further scanning (see Vulnerability Scanning). MX records can reveal vulnerable mail servers or information about other services hosted internally. Unless other assessments reveal specific vulnerabilities in the e-mail services used, there is no specific action to take. If an organization is self-hosting email, it may be advisable to suggest outsourcing that if funds permit. While self-hosted email provides more control and potentially more security, managing the security of the server is a complex job. Other mail services can provide some level of protection by being a first-pass check for spam and viruses, and (slightly) reducing the visibility of an organizational mail server.

$ host -t mx sample.org
sample.org mail is handled by 21 mail.sample.org

Determine the IP address of the mail server:

$ host mail.sample.org
mail.sample.org has address 256.0.0.3

Recommendation

DNS is inherently public information, but there are still many steps we can take to secure the parts of it that reveal more private information. Fortinet provides a set of good recommendations:

https://blog.fortinet.com/2016/03/10/10-simple-ways-to-mitigate-dns-based-ddos-attacks

If a zone transfer was successful (most providers automatically limit anonymous zone transfers), you will need to work with the provider's support team to prevent this, or switch to a different DNS provider. If your organization maintains its own DNS servers, the administrator of those servers should check the zone transfer policies to prevent anonymous transfers.
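One way an administrator can confirm that the fix took effect, as an added example that is not SAFETAG's own tooling: the script below sends the same zone transfer request as the host -l command above using only Python's standard library and reports whether the server refused it. The zone and name server are command-line arguments; the response bytes used for checking are constructed.

```python
"""Check whether a name server answers anonymous zone-transfer requests.

Added example (not SAFETAG's own tooling): the same check as
`host -l sample.org ns1.something.net`, written with the standard library
so an administrator can confirm, after fixing the transfer policy, that
the server now answers REFUSED. Zone and server are arguments; no real
target is assumed.
"""
import random
import socket
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(zone):
    """'sample.org' -> b'\\x06sample\\x03org\\x00' (DNS label format)."""
    out = b""
    for label in zone.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid):
    """Build a DNS message (without the TCP length prefix) asking for AXFR."""
    # Header: id, flags=0 (a transfer is asked of the authority directly,
    # so no recursion bit), qdcount=1, ancount=0, nscount=0, arcount=0.
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def classify_axfr_response(msg, txid=None):
    """Return (rcode_name, answer_count) from the first response message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid is not None and rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode), ancount


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def check_zone_transfer(zone, nameserver, timeout=5.0):
    """Ask `nameserver` for an AXFR of `zone` over TCP and classify the reply.

    Returns 'refused', 'transferred' (the server started sending records,
    which is the finding to report), or the lower-cased rcode otherwise.
    """
    txid = random.randrange(0, 0x10000)
    query = build_axfr_query(zone, txid)
    with socket.create_connection((nameserver, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length, = struct.unpack("!H", recv_exact(s, 2))
        rcode, answers = classify_axfr_response(recv_exact(s, length), txid)
    if rcode == "REFUSED":
        return "refused"
    if rcode == "NOERROR" and answers > 0:
        return "transferred"
    return rcode.lower()


if __name__ == "__main__":
    import sys
    zone, ns = sys.argv[1], sys.argv[2]   # e.g. sample.org ns1.something.net
    print(zone, "@", ns, "->", check_zone_transfer(zone, ns))
```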

Network Access

Summary

This component allows the auditor to test the strength of defenses the host has in place to protect their local area network. This component consists of gaining access to the local area network through a wireless access point and unsecured physical channels (such as an ethernet jack).

Purpose

By walking organizations through the vulnerabilities of wireless networks, you have the opportunity to discuss password strength, and the power that having "offline" access to a password means in terms of brute forcing it, as well as the importance of defense in depth even within their trusted work network - reducing the services computers and servers are sharing, setting up local firewalls on computers, and requiring authentication to access files.

Even a few minutes of network "sniffing" by an adversary can enable them to work offline to reveal the network password. Knowing this password would let someone then access the entire internal network, files shared internally, and even change network settings to enable remote access. While in an ideal setup, this would give no further access to sensitive documents, it is not uncommon to find shared file folders, or to gain access to the firewall or network routers (often set to the default password, because they're only accessible from inside the network...).

The Flow of Information

Information Flow

Guiding Questions

Approach

Note: If you didn't manage to break through the password, it's not worth the precious audit time to brute force it - simply ask for the password and move on. If it's a WPA network, you can work on cracking the password after hours, if only to demonstrate the amount of time their current password would "protect" them for against a dedicated attacker.

Outputs

Operational Security

Note: This section is one of the few sections where the SAFETAG audit does go through attack scenarios, from attempting to "break in" to the wireless network to testing exposed ethernet jacks for connectivity.

The reasons for this are threefold. First, access to an organization's internal network tends to reveal sensitive data and "shadow" infrastructures (such as dropbox usage) that lead to many recommendations to improve access control and discussions of the value of defense in depth. Second, the specific act of breaking the wifi password allows for a discussion on password security without attacking any specific user's password. Finally, with wireless networks treated as equivalent to wired networks in many offices, reminding the organization that wireless networks extend beyond the physical walls of the office is useful in discussing password rotation and guest network policies.

Once you have access to the network, you need to first document how you managed that and share it with the hosts. This is a great moment to discuss passwords in many cases.

Preparation

Baseline Skills

Resources

Wireless Access Guides & Resources

Activities

WPA Password Cracking

Summary

The organization’s wireless Local Area Network (WLAN) protects the network and its users with WPA encryption. This is an important security measure, and a WPA-protected wireless network is much safer than an unencrypted “open” network or a WEP-protected network. (WEP is fundamentally flawed, and extremely simple attacks have been widely known for over a decade.) However, the ease with which an attacker could guess the WPA key, or “WiFi password,” is a serious issue, particularly considering its importance as an essential perimeter control. An attacker who gains access to the wireless LAN immediately bypasses many protections that network administrators, and other users of the office network, often take for granted. Put another way, anyone able to guess the WPA key is immediately “inside the firewall.”

Using a laptop and a wireless card with a standard, internal antenna (or using a customized smartphone or other small device), an attacker could easily position themselves close enough to the office to carry out the first phase of this attack, which would only take a few minutes. The second phase, which is supposed to be the difficult part, could take even less time. From the privacy of their own home or office, the attacker could use a minimally customized password dictionary to guess the WPA key.

Overview
Materials Needed
Considerations
Walkthrough

An attacker can crack the office’s WPA key in approximately with a short and minimally customized password dictionary based on open information about the organization and basic word collections.

Step 1: The attacker customizes their WiFi password dictionary, adding phrases related to the subject: organization name, street address, phone number, email domain, wireless network name, etc. Common password fragments are included, as well: qwerty, 12345, asdf and all four-digit dates back to the year 2001, for example, among others. The attacker may then add hundreds or thousands of words (in English and/or other relevant languages).

See the Dictionary Creation example under Preparation for details on password dictionary building.

Step 2: The attacker would then begin recording all (encrypted) wireless traffic associated with the organization’s access point:

$ sudo airodump-ng -c 1 --bssid 1A:2B:3C:4D:5E:6F -w sampleorg_airodump mon0

 CH  1 ][ Elapsed: 12 mins ][ 2012-01-23 12:34 ][ fixed channel mon0: -1
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 1A:2B:3C:4D:5E:6F  -70 100    12345    43210    6   1  12e. WPA2 CCMP   PSK sampleorg
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 1A:2B:3C:4D:5E:6F  01:23:45:67:89:01    0    0e- 0e   186    12345
 1A:2B:3C:4D:5E:6F  AB:CD:EF:AB:CD:EF    0    1e- 1      0     1234
 1A:2B:3C:4D:5E:6F  AA:BB:CC:DD:EE:FF  -76    0e- 1      0     1122
 1A:2B:3C:4D:5E:6F  A1:B2:C3:D4:E5:F6  -80    0e- 1      0     4321

wifite is also useful for this step, and claims to automatically de-auth (step 3).

Step 3: Next, the auditor forces a wireless client, possibly chosen at random, to disconnect and reconnect (an operation that is nearly always invisible to the user).

In the example below, AB:CD:EF:AB:CD:EF is the MAC address of a laptop that was briefly disconnected in this way.

$ aireplay-ng -0 1 -a 1A:2B:3C:4D:5E:6F -c AB:CD:EF:AB:CD:EF mon0

 15:54:48  Waiting for beacon frame (BSSID: 1A:2B:3C:4D:5E:6F) on channel -1
 15:54:49  Sending 64 directed DeAuth. STMAC: [AB:CD:EF:AB:CD:EF] [ 5| 3 ACKs]

The goal of this step is to capture the cryptographic handshake that occurs when the targeted client reconnects. Try using different clients if the first one doesn't work, or try (physically) moving around.

This handshake does not contain the WPA key itself, but once the complete handshake process has been seen, the auditor (or a potential attacker) can leave the vicinity and run various password cracking tools to try and discover the password. While a complete password cracking tutorial is out of scope for SAFETAG documentation, below are three strategies:

Step 4: The auditor attempts to discover the WPA password.

A good wordlist with a few tweaks tends to break an unfortunate number of passwords. Using a collection of all English words, all words from the language of the organization being audited, plus combinations of all these words, plus relevant keywords, addresses, and years tends to crack most WiFi passwords.

    $ aircrack-ng -w pwdpairs.txt -b 1A:2B:3C:4D:5E:6F sampleorg_airodump*.cap

For WPA captures, John can either feed in to an aircrack process or attack a capture directly. For captures, you first have to convert the .cap file (from wireshark, wifite, airodump, etc.) to a format that John likes. The Jumbo version we use has conversion tools for this available:

  $ wpapcap2john wpa.cap > crackme
  $ ./john -w:password.lst -fo=wpapsk-cuda crackme

Results

Successful password cracking via piping these into aircrack-ng:

 Opening sampleorg_airodump-01.cap
 Reading packets, please wait...
                                 Aircrack-ng 1.1
                    [00:00:05] 9123 keys tested (1876.54 k/s)
                           KEY FOUND! [ sample2012 ]

      Master Key     : 2A 7C B1 92 C4 61 A9 F6 7F 98 6B C1 AB 53 7A 0F
                       3C AF D7 9A 0C BD F0 4B A2 44 EE 5B 13 94 12 12

      Transient Key  : A9 C8 AD 47 F9 71 2A C6 55 F8 F0 73 FB 9A E6 1D
                       23 D9 31 25 5D B1 CF EA 99 2C B3 D7 E5 7F 91 2D
                       56 25 D5 9A 1F AD C5 02 E3 2C C9 ED 74 55 BA 94
                       D6 F5 0A D1 3B FB 39 40 19 C9 BA 65 2E 49 3D 14

      EAPOL HMAC     : F1 DF 09 C4 5A 96 0B AD 83 DD F9 07 4E FA 19 74

The fourth line of the above output provides some useful information about the effectiveness of a strong WPA key. That rate of approximately 2000 keys per second means that a full-on, brute-force attack against a similar-length key that was truly random (and therefore immune to dictionary-based attacks) would have to try about 70^9 keys, which at that rate would take about 20 trillion seconds, or well over 600,000 years. Or, for those who favor length and simplicity over brevity and complexity, a key containing four words chosen from among the 10,000 most common English dictionary words would still take approximately 150,000 years to crack (using this method on an average laptop).

It is worth noting that an attacker with the resources and the expertise could increase this rate by a factor of a hundred. Using a computer with powerful graphical processing units (GPUs) or a cloud computing service like Amazon’s EC2, it is possible to test 250,000 or more keys per second. A setup like this would still take several lifetimes to guess a strong password, however.

Regardless, the success of this attack against a wireless network would allow an attacker to bypass all perimeter controls, including the network firewall. Without access to the office LAN, a non-ISP, non-government attacker would have to position himself on the same network as an external staff member in order to exploit any flaws in the organization’s email or file-sharing services. With access to the local network, however, that attacker could begin carrying out Local attacks quite quickly, and from a distance.

With regard to the distance from which an attacker could maintain such access, the office WiFi network appears to have a relatively strong signal, which extends to the street out front:

{photograph of location}

Figure 1: WiFi signal strength from a nearby location

{screenshot of WiFi strength}

Material that may be Useful:
Recommendation

WPS PIN Cracking

Summary

WPS was built as an addition to WPA to make it easier to add devices without typing in secure passwords, but this ease of use means that a malicious actor can pose as a device and effectively reduce the potentially very difficult passwords WPA allows down to a simple numeric-only 8 character PIN. Further, the WPS system allows an attacker to work on this PIN in two parallel chunks, further reducing its security. This, like WEP, is a "live" attack - you have to stay connected to the network - but also like WEP, it is a guaranteed attack; your brute forcing of the WPS system will eventually (2-10 hours) allow you network access.

Walkthrough

Material that may be Useful:

Recommendation

WPS PIN entry should be disabled on the wireless router, or only enabled temporarily to add new devices to the network.

WEP Password Cracking

Summary

WEP provides no effective protection for a wifi network. Most wifi routers offer WPA encryption as an option, and if this is available it should be immediately implemented. Some older routers (and wifi devices) do not support WPA. It is highly recommended to upgrade immediately to hardware that supports WPA and to eliminate all WEP network access.

Walkthrough

The auditor can be guaranteed to access a WEP network with sufficient time by cracking the WEP key.

Material that may be Useful:

For educational purposes, if no WEP network is available, you can use this pre-built airodump-ng capture file and skip the airodump-ng and aireplay-ng packet injection steps.

Recommendation

Accessing a MAC-filtered Network

Summary

Open and MAC-address-filtered wireless access points are not only open to anyone within range to join and listen in to, but also do not provide protection to those on the network itself, even if they do not "broadcast" their name. These may seem like great ways to prevent unauthorized users from accessing your network without resorting to passwords, but they are trivial to overcome.

Overview
Materials Needed
Considerations
Walkthrough

The auditor can easily gain access to an open or MAC address filtered access point.

airodump-ng
* Change our MAC address to one that’s on the whitelist:
ifconfig mon0 down
macchanger -m [MAC ADDRESS IDENTIFIED] mon0
ifconfig mon0 up

Material that may be Useful:

Recommendation

Transitioning to WPA networks with strong passwords, even for guest networks, is recommended.

Network Mapping

Summary

This component allows the auditor to identify the devices on a host's network, the services that are being used by those devices, and any protections in place.

Purpose

Mapping an organization's network exposes the multitude of devices connected to it -- including mostly forgotten servers -- and provides the baseline for later work on device assessment and vulnerability research.

This process also reveals outside service usage (such as Google services, Dropbox, or others) which serve -- intentionally or not -- as shadow infrastructure for the organization. In combination with beacon research from the network discovery process, many devices can be associated with users.

The Flow Of Information

Network Mapping Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Network Mapping Methods

Nmap Scanning

Activities

Network Scanning

Summary

Local networks often have a variety of devices connected to them - servers, user devices, staff cellphones, and more. Scanning the connected devices can reveal potential areas for further research (odd ports being open, out of date devices/services, forgotten servers/services...).

Selected scanning of external network devices (websites, webmail, extranet services) may also reveal vulnerabilities or other areas of concern.

Overview
Materials Needed
Considerations
Walkthrough

Using a network scanning tool (nmap/zenmap work well), discover the devices connected to the organization's network, and explore further information such as services, service banners, and operating systems. More intense scans can be too time-consuming to run across the entire network, so target those to higher value systems. As always, be aware of the scans and additional scripts you choose, and focus your exploration (in nmap) on scripts categorized as "safe".

Service research

SMB Network tools

Shared Folders Enumeration

Unsigned NTLM authentication messages vulnerable to Man-in-the-Middle attack on SMB file servers

Unsigned NTLM authentication messages allow an attacker on the LAN to add, remove or copy files to and from the organization’s file servers (and workstations with filesharing enabled).

Recommendation

While office networks are often treated as "trusted" spaces, measures should be in place to reduce the potential harm of an attacker who gains access. In addition, devices that "travel" -- such as laptops and mobile phones -- should have adequate security settings (generally, firewalls) to protect them on other networks.

A policy should be in place for connecting personal devices to work networks, as well as work devices to non-work networks.

Network Traffic Analysis

Summary

Any content that is sent out over the network without encryption is easy to intercept; this includes email, web passwords, and chat messages.

This attacker could be someone, such as a patron of the Internet cafe where a staff member is working, who just happens to be using the same local network to connect to the Internet. Or, she could work for an organization with privileged access to the relevant network, such as the Internet Service Provider (ISP) of either the sender or receiver and other network-backbone connections made along the way.

Overview
Materials Needed
Considerations
Walkthrough
Network Traffic Interception

Step 1: The attacker tricks the victim into routing all of their traffic through the attacker’s machine. This involves making a simple request to the victim’s IP address, which is not difficult to do. Computers are rarely configured to ignore such requests.

$ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

$ sudo arpspoof -i wlan0 -t 192.168.1.99 192.168.1.1

Sample Output:

00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
...
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55

In the example above, a single victim (192.168.1.99) is told that the gateway (192.168.1.1) is at the attacker's MAC address (00:11:22:33:44:55). This captures the victim's outbound traffic; to see the replies as well, run a second instance with the two addresses swapped so that the gateway is poisoned too. The attack works just as well against multiple victims, or against the entire network, so the attacker does not need to know which IP address (on the office or Internet cafe LAN, for example) belongs to the target. The victim is extremely unlikely to notice any sign that this phase of the attack is taking place; only a host or monitor that tracks IP-to-MAC bindings (arpwatch, or a static ARP entry for the gateway) would flag the change.

Ettercap provides a powerful front end for managing this process against multiple targets at once.

Step 2: If the attacker is looking for unencrypted traffic, all they need to do is launch a packet sniffer such as Wireshark and filter the intercepted traffic for specific vulnerable information: HTTP form posts and Basic authentication headers carrying web logins, plaintext mail logins (IMAP, POP3 and SMTP without TLS), chat messages, and traffic revealing shadow infrastructure usage, such as Dropbox.
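
As an added illustration (not part of the original guide, nor of the arpspoof/dsniff tools), the Python below builds the 42-byte Ethernet/ARP frame that the sample output above describes, parses it back, and runs a minimal arpwatch-style check that flags the gateway's MAC address changing. The attacker and victim addresses are the ones from the sample output; the router's real MAC address (de:ad:be:ef:00:01) is a constructed value. Building the frame shows why Step 1 works (there is nothing in the packet a client can verify), and the detector shows what "noticing" the attack actually takes.

```python
"""Forged ARP reply, as arpspoof sends it, and a detector that notices it.

Added example for this guide, not tool output. Attacker/victim MACs and IPs
match the sample arpspoof output; the router's real MAC is constructed.
"""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806     # EtherType for ARP (the "0806" in arpspoof's output)
ARP_OP_REPLY = 2

ATTACKER_MAC = "00:11:22:33:44:55"
VICTIM_MAC = "aa:bb:cc:dd:ee:ff"
GATEWAY_REAL_MAC = "de:ad:be:ef:00:01"   # constructed: the real router
GATEWAY_IP = "192.168.1.1"
VICTIM_IP = "192.168.1.99"


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying 'sender_ip is-at sender_mac', unicast to target.

    14-byte Ethernet header + 28-byte ARP body = 42 bytes, the length
    arpspoof prints. Nothing here is authenticated; whoever asserts a
    binding first and most often wins the victim's ARP cache.
    """
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)  # Ethernet/IPv4
    arp += _mac(sender_mac) + IPv4Address(sender_ip).packed
    arp += _mac(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame into its fields; raise on anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", frame[14:22])
    return {
        "op": op,
        "sender_mac": _mac_str(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_mac": _mac_str(frame[32:38]),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


class ArpWatch:
    """Minimal arpwatch: remember the first MAC seen per IP, alert on change."""

    def __init__(self):
        self.table = {}
        self.alerts = []   # (ip, previously_seen_mac, new_mac)

    def observe(self, frame):
        fields = parse_arp(frame)
        ip, mac = fields["sender_ip"], fields["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            self.alerts.append((ip, known, mac))
        return fields


def demo():
    """Legitimate gateway reply, then the forged one: returns the alerts raised."""
    watch = ArpWatch()
    watch.observe(build_arp_reply(GATEWAY_REAL_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    watch.observe(build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    return watch.alerts


if __name__ == "__main__":
    for ip, old, new in demo():
        print(f"ALERT: {ip} moved from {old} to {new}")
```

On a live network the same logic would be fed from a raw socket or a pcap file; the point of the table is that a legitimate router does not change MAC address mid-session, so any second binding for the gateway IP deserves an alert.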

Recommendation

Only use services that encrypt traffic in transit with TLS ("HTTPS"; older material calls this "SSL"), and consider adding HTTPS Everywhere to browsers. This does not by itself guarantee protection from all attacks (an attacker in this position can still see which sites are visited and can attempt to downgrade connections), but it is a good first step in protecting information such as passwords or email in transit between your computer and the service provider.

Remote Network and User Device Assessment

Summary

This component allows the auditor to work remotely to identify the devices on a host's network, the services that are being used by those devices, and any protections in place, as well as to assess the security of the individual devices on the network.

Overview

There can be several approaches for this exercise, depending on the scenario.

Scenario 0

The organization has contacted the auditor through an intermediary who is familiar with tech and can follow SAFETAG instructions, or the organization has a tech person among their employees.

This scenario is comparable to a situation where the auditor is on site. In this case, the auditor will instruct the intermediary or the tech person in the organization to follow the instructions in the exercise on Network mapping and on User device assessment.

Scenario 1

The organization has someone among their employees who is ready to follow simple instructions, including opening a terminal and pasting commands we will provide them.

In this scenario, the auditor will send simple instructions to the auditee so as to be able to access the organization's network through a reverse SSH tunnel and assess the LAN and individual devices from there. The computer inside the organization's network that establishes the tunnel needs to be a UNIX-like system with an SSH client; in practice this means a Linux live distribution or a Mac.

Scenario 2

In this scenario, no one at the organization is ready to apply complex instructions. Instead of relying on an individual, the auditor will rely on tunneling into a device located in the physical space of the auditee. This can be done in two ways:

  1. Remote Desktop or remote VPN into the targeted network. With Remote Desktop, the auditor connects to a machine that lives on the targeted LAN where the network scan and device assessment are to be done, controls it remotely and uses it as the auditor machine.
  2. VPN to a trusted VPN server. In this case, the auditee will connect one of their machines to a trusted VPN server, and the auditor will connect to the same VPN server, allowing both LANs at the auditee's and auditor's ends to connect.
Materials Needed
Scenario 1
Scenario 2

In the case of remote desktop:

In the case of using an in-the-middle trusted VPN server:

Applications to use: TightVNC, TeamViewer, Windows Remote Desktop

Considerations
Scenario 1
Walkthrough
Scenario 0

Instruct the intermediary or the tech person in the organization to follow the instructions in the exercise on Network mapping and on User device assessment.

Scenario 1

Legend

Instruct the auditee to initiate a connection to the server (S) and set up a reverse SSH tunnel:

Let's assume we have a server named safetag-audit.org (S), and usernames for each auditee called auditee1, auditee2, etc.

Important: make sure that the ports you use don't conflict with ports used by other services or auditees, i.e. don't use a port number twice. Because the tunnel gives whoever holds the auditee account on S a path into the organization's network, use a separate account and key per auditee and restrict those accounts to port forwarding only (via authorized_keys options or a per-user Match block in sshd_config).

Once this session is open, the auditor can access the auditee's machine (C). At this point there are a few powerful options:

example:

to connect to site 0:

    ssh [email protected] -p 2200

with site 1 in the previous example, the port would be 2210 (or whatever the auditee used in her command).

An additional thing one might want to do is make the connection from C to S passwordless and automatic, using an SSH key for the auditee account and a keep-alive wrapper such as autossh so that the tunnel is re-established after network drops.

WARNING: Make sure to remove/clean any persistent connections once you are done with auditing.

There should be no need for multiple reverse tunnels: once the single reverse tunnel is up, additional forward tunnels (e.g. for VNC or RDP) can be opened from S to C over it. Reaching those from the auditor's own machine (A) does require a matching forward tunnel from A to S for each.

Scenario 2

Legend:

Someone at the auditee's side will prepare machine A in coordination with the auditor, then install TeamViewer.

After that, and using a trusted communication method, TeamViewer ID and passcode will be sent to the Auditor.

The auditor will use the ID and passcode to connect to the machine and start using machine A as the auditing machine.

There are pros and cons for this:

Cons:

  1. Internet speed: You will need a high speed Internet connection to achieve such task, as the remote access will be transferring the desktop of the targeted machine to you in order to do the tasks.
  2. Connection interruption: While you are working remotely, you might face some connection interruptions during your session, and restarting the remote access will be a challenge because in most of the cases you will need someone at the other end to authorize you to tunnel into the machine.
  3. Physical limitations: You are still physically far from the machine, which means you cannot connect a USB drive to boot from it or do any other tasks that require you to be near the device.
  4. Installing Kali Linux might be hard: it can be difficult for a non-technical person to prepare a Kali Linux machine.

Pros:

  1. Usability: TeamViewer is easy to install and use. Anyone with basic knowledge on how to install software can assist you with preparing the auditing machine.
  2. Network speed: Technically, your auditing machine is the machine you are connected to, which is physically located in the targeted office and connected to the LAN network. This means that you will have full speed running your audit tasks.

Note: Some remote assistance software can turn Machine A into a VPN server and let Machine B connect to it. Tunneling into that VPN gives Machine B a presence on the local LAN, so the audit can be run from Machine B directly.

Using an in-the-middle trusted VPN server

Legend:

Auditee's Network --------- (A) ---------- C ---------- (B) ---------- Auditor's Network

The auditor will prepare an OpenVPN server (C) and create two profiles (keys and configurations) so that machines A and B can connect to C.

Get a VPS from a trusted VPS provider, keeping in mind the physical (and legal) location of the server, then install OpenVPN Server by following the instructions contained in this guide on Ubuntu Server.

The default configuration of OpenVPN does not let the clients (A and B) see each other. To allow that, enable the client-to-client directive and configure routes for both LANs (the auditee's and the auditor's) so that each side can reach the other's network, not just the VPN address of the other client. To do so, follow these instructions.

After finishing the installation and testing it, the auditor will pass the .ovpn file to the person at the auditee's site through a trusted way, and provide instructions on how to install and connect to the server. After connecting A and B to C, the auditor will be able to start the network and device assessment at the other end.

Note: In case the VPN protocol is blocked in A's or B's country, or in both, you can follow these instructions on how to bypass the censorship by using pluggable transports.

Recommendation

Router Attacks

Covered in full in Vulnerability Scanning and Analysis

Wireless Range Mapping

Covered in full in Network Discovery

This component consists of wireless scanning and wireless signal mapping. It is useful for organizations with offices in shared spaces/buildings/apartment complexes or near locations where an adversary could easily "listen" to network traffic. In conjunction with the Monitoring Open Wireless Traffic exercise, it can also identify devices using that network. It is useful to do this in parallel with Office Mapping to build a more comprehensive view of the information assets of the organization.

Monitor Open Wireless Traffic

Covered in full in Network Discovery

Each wireless device keeps a "memory" of the networks it has successfully connected to. While it is not connected (and periodically even when it is) it broadcasts "probe requests" for the networks on that list. This data is sent in the clear and can be collected by anyone in radio range of the device, with no access to any network. Newer phone and laptop operating systems randomise the MAC address used for probing and send fewer directed probes, so how much a given device leaks depends on its age and configuration.

These network probes can often contain names (especially from mobile phone tethers), organizational affiliations, device manufacturers, and a mixture of other potentially valuable data (home network names, recent airports/travel locations, cafés and conference networks). If there are many networks in the office's vicinity, this activity can also help identify the specific office network (if there is any doubt). In many cases, an organization may not want the name of their wireless network to be associated with their organization, but it may be revealed by this additional meta-data.

These probe requests can "de-anonymize" an obfuscated (hidden) network name, since clients must name a hidden network explicitly to find it, as well as provide rich content for social engineering attacks. This provides an only-lightly-invasive introduction to discuss the trackability of devices, particularly mobiles and laptops.

Organizational Device Usage

Summary

This component allows the auditor to discover and assess the security of the devices on the network and/or used in the organization. This component consists of interviews, surveys, network mapping, and inspection of devices.

Purpose

Compromised devices can undermine nearly any other organizational attempt at securing information. Knowing whether devices receive basic software and security updates/upgrades and what core protections exist against unauthorized access is vital to designing a strategy to make the host more secure. Because the SAFETAG framework is focused on the security of data, it is also crucial not to overlook the physical devices on which this data resides, including the hard-wired networks through which it is exchanged.

The Flow Of Information

User Device Assessment Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Password Security

Privilege Separation Across OS

Examining Firewalls Across OS

Identifying Software Versions

Device Encryption By OS

Anti-Virus Updates

Identifying Odd/One-Off Services

Activities

Guided Tour

Summary

During this component an auditor tours the audit location(s) and flags potential risks related to physical access at that location.

Overview

Have your point of contact walk you around the office (often as part of introductions on the first day) - mentally note physical security concerns. Document how difficult it would be for a visitor or after-hours break-in to access sensitive systems. Identify physical assets with sensitive content, such as:

This can be done remotely via secure videoconference over a smartphone or tablet that can be moved around the office easily.

Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

Materials Needed
Considerations
Walkthrough

As part of your first day, have your point of contact walk you around the office - this is primarily a chance to understand the office layout and meet the rest of the staff, but take mental note of the devices in use and lying out on desks as you walk around the office. Note as well the location of, and access to, components such as servers and networking equipment. Taking actual notes may make the staff feel that you are judging them, especially if this is your first interaction -- refrain from this, and if needed, also consider a more "neutral" note-taking process by integrating the Office Mapping activity.

If the auditor is unable to go to the office (or can only visit one of multiple offices), consider having the point of contact use a video call. You will want the entire staff to be aware of this activity and to know the person who is walking around the office. This requires sufficient (and unmetered or low-cost) bandwidth for a 1-hour video call. It could be scheduled for before or after office hours, both to discover how devices are left overnight and to reduce the impact on the network.

Similarly, the in-person tour can also be done outside of normal business hours. Please note: this can damage the trust the staff has in the auditor, as well as unintentionally embarrassing specific staff members in the eyes of the point of contact. It is not recommended to do this except for organizations who have already received training and worked on improving their physical/operational security practices and face an active adversary. This could be before the staff arrives in the morning, during lunch, or after hours (perhaps have dinner with your point of contact, and come back to check the organization afterwards). This gives a clearer picture of how devices are secured outside of the work day (are desktops and laptops unsecured, still on, logged in?). Are backup drives or other storage media easily accessible? Are doors to server rooms/closets locked? Are keys to these locked cabinets/rooms visible?

Materials that may be useful

Physical Security Survey

Do you have policies and procedures for authorizing and limiting unauthorized physical access to digital systems and the facilities in which they are housed?

Do your policies and procedures specify the methods used to control physical access to your secure areas, such as door locks, access control systems, security officers, or video monitoring?

If yes, what are they?

Is access to your computing area controlled (e.g. reception or security desk, sign-in/sign-out log, temporary/visitor badges etc)?

Are visitors escorted into and out of controlled areas?

If yes, who is responsible for it?

Are your workstations inaccessible to unauthorized users (e.g. located away from public areas)?

Is your computing area and equipment physically secured? - [ ] No - [ ] Yes

If yes, how is it secured?

Are there procedures in place to prevent computers from being left in a logged on state, however briefly?

If yes, what are the procedures?

Do you have procedures for protecting data during equipment repairs?

If yes, what are the procedures?

Do you have policies covering laptop security (e.g. cable lock or secure storage)?

Do you have a business continuity plan in case of serious incidents or disaster to your digital resources and is it current?

If yes, please highlight the steps taken.

Does your plan identify areas and facilities that need to be sealed off immediately in case of an emergency?

Are key personnel aware of the plan and how to respond to the emergency?

Recommendation

Office Equipment is unsecured against burglary

Unsecured physical network components and devices such as computers, servers, and external drives present a risk of sensitive data loss through theft, seizure, and malicious interference. Access to network components and servers should be limited and devices should be secured when not in use.

In the event of a burglary or office raid, an attacker could easily obtain sensitive information from devices without encryption, external hard drives, and other easily accessible items. An advanced attacker could compromise the network for later surveillance.

Secure Devices

Lock all easily portable items in desks, or secure them with security cables.

Any device which connects to the organization's digital assets (and therefore has passwords or cached data) or stores organizational data (including backup drives, laptops, desktops, cameras, other storage media), should be secured (ideally out of sight, such as in a locked cabinet or desk drawer) when not in use to prevent theft and discourage seizure.

Follow the Device Assessment guidelines on drive encryption.

Encrypted drives offer the best protection against data loss from stolen or seized devices. Follow the recommendations of the Device Assessment section, paying specific attention to the need for strong passwords, automatic locking of logged-in accounts, and the importance of turning a machine off to fully benefit from drive encryption.

Place core network components and servers in a locked space.

Direct access to servers and network components such as routers, cable modems, patch panels and switches gives an adversary multiple ways to extract sensitive information and cause extensive, yet hard to detect, damage. Ensuring not only that these are physically protected, but that there are organizational policies around which staff have access to them, is critical - a locked cabinet that always has the key in the lock does not provide security. If a particular component needs, for example, regular rebooting, creative solutions should be found to balance security and staff needs.

De-activate unused network ports

Hard-wired network ports tend to connect directly into the most trusted parts of a network. De-activating any that are in public areas of the office (front desk, conference rooms, break rooms), as well as any that are not needed is recommended.

Password Security Survey

Summary

Weak and "shared" passwords are prevalent - even after hundreds of well-publicized global password breaches, "password" and "12345" remain the most popular passwords. Weak wifi passwords are specifically a challenge, as wifi signals often are accessible outside of an office's physical limits, but provide full access to the private network.

Overview
Materials Needed
Considerations
Walkthrough

This exercise supports the auditor in building an effective dictionary that is customized to an organization.

This dictionary can then be used in a variety of ways:

This skillset, plus demonstration against non-invasive accounts, provides an opening for a discussion with staff on password security. See Level Up for further activities and exercises around passwords.

This component provides resources and recommendations on cracking passwords: the creation of dictionaries, rules to modify those dictionaries, and some basic use of the cracking tools themselves. This is a dangerous (and in many cases illegal) skill to use; treat it as a guide to which password security myths do not hold up against modern password cracking software, and use it only with permission, in very specific situations, as a demonstration of the power of even a common laptop against weak passwords.

Primarily for use in the Network Access component, building a password dictionary, understanding the ways to automatically mutate it, and running it against passwords is a useful skill to have, and to use to explain why simple passwords are insecure. This Ars Technica article provides a good insight into the path to tackle iterative password cracking using a variety of tools to meet different goals.

These instructions use a small set of password cracking tools, but many are possible. If there are tools you are more familiar or comfortable with using, these by no means are required. The only constraints are to be respectful and responsible, as well as keeping focused on the overall goals and not getting bogged down.

A good wordlist with a few tweaks tends to break most passwords. Using a collection of all English words, all words from the language of the organization being audited, plus a combination of all these words, plus relevant keywords, addresses, and years tends to crack most wifi passwords in a reasonable timeframe.

An approach which begins with quick, but often fruitful, attacks and moves on to more and more complex (and time consuming) attacks is the most rewarding. However, after an hour or two of password cracking, the in-office time on other activities is more valuable, so admit defeat and move on. See the Recommendations section for talking points around the levels of password cracking that exist in the world. You can work on passwords offline/overnight/post-audit for report completeness.

Here is a suggested path to take with suggested tools to help. You might try the first few steps in both the targeted keyword approach and the dictionary approach before moving on to the more complex mutations towards the end of each path.

Dictionary Research and Creation

Before you arrive on-site it is important to have your password cracking tools downloaded and relevant dictionaries ready to go, as your main demonstration and use of these tools is to gain access to the organization's network. The effectiveness of this demonstration is drastically reduced if you already have had to ask for the password to connect to the Internet and update your dictionaries, tools, or so on. Some of these files (especially larger password dictionaries) can be quite large, so downloading them in-country is not recommended.

Many password dictionary sites, such as SkullSecurity, maintain core dictionaries in multiple languages. If your target language is not available, some quick regular expression work can turn spell-check dictionaries (such as those used by LibreOffice) into useful word lists. It is generally useful to always test with English in addition to the target language.

CloudCracker and OpenWall have, for a fee, well-tested password dictionaries.

Keyword generation

In addition, create a customized dictionary with words related to the subject as revealed in the Remote Assessment research: organization name, street address, phone number, email domain, wireless network name, etc. For the organization "ExampleOrg", which has its offices at 123 Central St., Federal District, Countryzstan, does human rights and journalism work and was founded in 1992, some context-based dictionary additions would be:

exampleorg
example
exa
mple
org
123
central
federal
district
countryzstan
human
rights
journo
journalism
1992
92

Also add common password fragments: qwerty, 1234/5/6/7/8, and, based on field experience, four-digit dates back to the year 2001 (plus adding in the founding year of the organization). It's also useful to see what calendar system is in use at your organization's location as some cultures don't use Gregorian years. It's quite amazing how often a recent year will be part of a wifi password -- this presentation discusses many common patterns in passwords: https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

Optional Further steps

Use CeWL to spider the organization's web properties and generate additional phrases. This list will need review, as some of the generated content is not very useful, but it is especially valuable if the site is in a language the auditor does not read fluently.

For passwords other than WPA, specific policies or patterns may help to focus your password dictionary further. PACK, the Password Analysis and Cracking Toolkit, "is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers." PACK is most useful for large sets of passwords, where it can detect patterns in already-cracked passwords to help build new rules. Both password cracking tools listed here (Hashcat and John the Ripper) are powerful and have slightly different abilities; the auditor should choose the one they prefer and/or the one with the features they need for this job.

Combinator Attack with scripting and Hashcat

One quick way to build a more complex password list is to simply double the list up (a "combinator" attack), so that it includes an entry for every ordered pair of words in the list (first word followed by second).

You can build this list with a simple shell loop (it assumes one word per line with no spaces, and appends the single words at the end so they are still tried on their own):

 $ for foo in $(cat pwdlist.txt); do for bar in $(cat pwdlist.txt); do printf '%s%s\n' "$foo" "$bar"; done; done > pwdpairs.txt
 $ cat pwdlist.txt >> pwdpairs.txt

Hashcat can do this in a live attack under its "combinator" mode, and hashcat-utils (hiding in /usr/share/hashcat-utils/combinator.bin) provides it as a standalone tool. This produces the full cross product, so the output has (size of first list) x (size of second list) entries: combining a list with itself squares its size. Use with caution, or combine one larger dictionary with one smaller one.

For example, use this combination approach on your custom dictionary (combining it with itself, creating combinations from the above list such as example92, journorights, exampleorgrights).

$  /usr/share/hashcat-utils/combinator.bin dict.txt dict.txt
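
The following Python is an added example, not a SAFETAG or hashcat tool, that automates the two steps just described: it derives a context-based base dictionary from the ExampleOrg facts above (plus the common fragments and the year range the text recommends), then produces the same cross product as combinator.bin, dropping pairs that could not be a WPA passphrase. The organization facts are the fictitious ones from the text; the three-letter minimum for words and the 8..63 length filter are this example's own choices.

```python
"""Context-based dictionary and combinator pairs for a wifi password demo.

Added example for this guide, not a SAFETAG or hashcat tool. The ExampleOrg
facts are the fictitious ones from the text; everything else is generic.
"""
import itertools
import re
from datetime import date

# Fragments the text recommends adding to every custom list.
COMMON_FRAGMENTS = ["qwerty", "1234", "12345", "123456", "1234567", "12345678"]

# Fictitious organisation from the text (constructed input).
EXAMPLE_FACTS = [
    "ExampleOrg",
    "123 Central St., Federal District, Countryzstan",
    "human rights",
    "journalism",
]


def tokens(fact):
    """Lower-case words of three or more letters, plus any run of digits."""
    parts = re.findall(r"[a-z]+|\d+", fact.lower())
    return [p for p in parts if p.isdigit() or len(p) >= 3]


def year_candidates(founded, first=2001, last=None):
    """Years first..last plus the founding year, each in 4- and 2-digit form."""
    last = date.today().year if last is None else last
    four_digit = {str(y) for y in range(first, last + 1)} | {str(founded)}
    return four_digit | {y[-2:] for y in four_digit}


def build_dictionary(facts, founded, manual_additions=(), last_year=None):
    """Base list: tokens from the facts, hand-picked extras, fragments, years."""
    words = set()
    for fact in facts:
        words.update(tokens(fact))
    words.update(manual_additions)  # e.g. splits like "exa", "mple", "journo"
    words.update(COMMON_FRAGMENTS)
    words.update(year_candidates(founded, last=last_year))
    return sorted(words)


def combinator(left, right, min_len=8, max_len=63):
    """Every ordered pair left+right that could be a WPA/WPA2 passphrase.

    Same cross product as hashcat's combinator mode and combinator.bin:
    len(left) * len(right) candidates before the length filter, so combining
    a list with itself squares its size.
    """
    return [a + b for a, b in itertools.product(left, right)
            if min_len <= len(a) + len(b) <= max_len]


def write_wordlist(path, words):
    """One candidate per line, the format every cracker mentioned here accepts."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")


if __name__ == "__main__":
    base = build_dictionary(EXAMPLE_FACTS, founded=1992,
                            manual_additions=["example", "exa", "mple", "org", "journo"])
    pairs = combinator(base, base)
    print(f"{len(base)} base words -> {len(pairs)} pairs (of {len(base) ** 2} possible)")
    write_wordlist("pwdlist.txt", base)
    write_wordlist("pwdpairs.txt", pairs + base)  # singles appended, as in the shell version
```

Feed pwdlist.txt to combinator.bin or to Hashcat's combinator mode for the live attack; generating the pairs on disk, as here, is only worthwhile for small base lists, since the output grows quadratically.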

Hashcat is extremely powerful when you have GPU-equipped desktop systems to use, but its wordlist manipulation tools (hashcat-utils) are useful regardless.

More References: (http://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 , http://www.darkmoreops.com/2014/08/18/cracking-wpa2-wpa-with-hashcat-kali-linux/ )

Word mutation with John the Ripper (JtR)

JtR is a powerful tool you can use in combination with existing wordlists, and it can also add in common substitutions (such as a zero for the letter "o"). JtR can generate a static list of candidates for other programs, or it can be run directly against a password database. JtR is weak at combining words within a wordlist, so apply your customizations and any combining before moving on to JtR.

You can add custom "rules" to aid in these substitutions: a base set is included with JtR, but a much more powerful set is provided by KoreLogic (http://contest-2010.korelogic.com/rules.html). KoreLogic also provides a custom character set ("chr" file) built from password frequency data from large collections of real-world passwords, to speed up JtR's brute force (incremental) mode. This PDF presentation has a good walkthrough of how John and KoreLogic's rules work.

Additional guides: http://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux

The bleeding-edge "jumbo" version combines both the built-in rules and an optimized version of the KoreLogic rules. This list of KoreLogic Rules provides nice descriptions of what each rule does. In bleeding-jumbo the rule names drop the "KoreLogicRules" prefix. BackReference provides a great example of rules usage.

Some particularly useful individual rulesets are: AppendYears (appends years from 1900 to 2019) and AppendCurrentYearSpecial (appends 2000-2019 with punctuation); AddJustNumbers (adds 1-4 digits to the end of everything); and l33t (leet-speak substitutions).

There are some built-in combinations of rulesets: for example, just --rules runs John's internal collection of default rules, --rules:KoreLogic runs a collection of the KoreLogic rules in a thoughtful order, and --rules:all is useful if you hate life.

e.g. :

  $ john -w:dictionary.txt --rules:AppendYears --stdout

Building custom rules

PROTIP: Create a dictionary with just "blah" and run various rules against it to understand how each ruleset or combination works. Note specifically that each rule multiplies the size of the dictionary by the number of permutations it introduces, and chaining rules multiplies their factors together. Running the KoreLogic ruleset combination against a one-word dictionary creates a list of 6,327,540 permutations of just that word.

Brute force, using John and crunch

JtR's "incremental" mode is essentially an optimized brute force attack, so will take a very long time for anything but the shortest passwords, or passwords where you can limit the search space to a character set: "As of version 1.8.0, pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters), "LM_ASCII" (for use on LM hashes), "Alnum" (all 62 alphanumeric characters), "Alpha" (all 52 letters), "LowerNum" (lowercase letters plus digits, for 36 total), "UpperNum" (uppercase letters plus digits, for 36 total), "LowerSpace" (lowercase letters plus space, for 27 total), "Lower" (lowercase letters), "Upper" (uppercase letters), and "Digits" (digits only). The supplied .chr files include data for lengths up to 13 for all of these modes except for "LM_ASCII" (where password portions input to the LM hash halves are assumed to be truncated at length 7) and "Digits" (where the supplied .chr file and pre-defined incremental mode work for lengths up to 20). Some of the many .chr files needed by these pre-defined incremental modes might not be bundled with every version of John the Ripper, being available as a separate download." (http://www.openwall.com/john/doc/MODES.shtml)

As a last resort, you can try a direct brute force attack overnight or post-audit to fill in details on key strength. Crunch is a very simple but thorough approach: given enough time it will break a password, but it is not particularly fast, even against simple passwords. You can reduce the scope of this attack (and speed it up) if you have reason to believe the password is all lower-case, all-numeric, or so on. WPA/WPA2 passphrases are 8 to 63 characters long; anything much beyond 16 is out of reach for brute force, so 8 to 16 is a practical cap. Routers accept punctuation, but in practice passphrases use only a few common symbols such as @, #, $ and the full stop, so:

$ /path/to/crunch 8 16 'abcdefghijklmnopqrstuvwxyz0123456789@#$.' | aircrack-ng -a 2 path/to/capture.pcap -b 00:11:22:33:44:55 -w -

This says to try every combination of those 40 characters from 8 to 16 characters long, piping the candidates straight into aircrack-ng (-w - reads the wordlist from standard input) rather than writing them to disk. This will take a very, very, very long time.
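
To make the size arithmetic behind the PROTIP and the brute-force warning concrete, here is an added Python example (not John the Ripper's rule engine) that re-implements the effect of three of the rules named above (AppendYears, AddJustNumbers, l33t) and computes the keyspace and time-to-exhaust for a crunch-style run. The rule definitions follow the descriptions in the text; the leet substitution table and the guess rates are this example's assumptions, the rates taken from the figures quoted later in this section.

```python
"""Estimate how large a candidate set becomes before you run it.

Added example for this guide, not JtR's engine: three rule effects the text
names, re-implemented so the multiplication is visible, plus brute-force
keyspace arithmetic. The leet table and guess rates are assumptions.
"""
import itertools

# Assumed substitution table for the l33t rule.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def append_years(word, first=1900, last=2019):
    """AppendYears as described in the text: word + each year 1900..2019 (x120)."""
    return [f"{word}{year}" for year in range(first, last + 1)]


def add_just_numbers(word, max_digits=4):
    """AddJustNumbers: append every 1- to 4-digit string (10+100+1000+10000 = x11110)."""
    out = []
    for n in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            out.append(word + "".join(digits))
    return out


def leet(word):
    """Every combination of the letter->digit swaps, original included (x2^k)."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    out = []
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for swap, i in zip(mask, positions):
            if swap:
                chars[i] = LEET[chars[i]]
        out.append("".join(chars))
    return out


def apply_rules(words, *rules):
    """Apply rules in sequence; output size is the product of their factors."""
    current = list(words)
    for rule in rules:
        current = [cand for w in current for cand in rule(w)]
    return current


def keyspace(charset_size, min_len, max_len):
    """Number of strings of length min_len..max_len over a charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a given cracking rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # One word in, 2 * 120 * 11110 = 2,666,400 candidates out.
    print(len(apply_rules(["blah"], leet, append_years, add_just_numbers)))
    # crunch 8 16 over a-z0-9 (36 chars) at the laptop rate quoted in this section.
    print(f"{years_to_exhaust(keyspace(36, 8, 8), 2500):.1f} years for 8 chars at 2500/s")
    print(f"{years_to_exhaust(keyspace(36, 8, 16), 10**9):.2e} years for 8-16 chars at 1e9/s")
```

Even an 8-character lowercase-alphanumeric space takes decades at the few thousand guesses per second a laptop manages against WPA2, and the full 8 to 16 range is hundreds of millions of years even at a billion guesses per second; the "billions per second" figures apply to fast unsalted hashes, not to WPA2's deliberately slow PBKDF2 key derivation. This is why the guide's order is dictionary first, rules second, brute force as a last resort.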

Material that may be Useful:

Sample practice: for practice on any of these methods, you can use the wpa-Induction.pcap file from the Wireshark sample captures.

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

http://zed0.co.uk/crossword/

http://www.instantcheckmate.com/crimewire/is-your-password-really-protecting-you/#lightbox/0/

Note that password cracking systems are rated on the number of password guesses they make per second, and that figure depends heavily on the hash being attacked. Against WPA2, whose PBKDF2 key derivation is deliberately slow, a stock laptop without a high-end graphics card or other optimizations manages only a few thousand guesses per second (the 2500/second figure used above). Against fast hashes such as unsalted MD5 or NTLM, more powerful desktop computers test over a hundred million guesses each second, and with graphics cards (GPUs) that rises to billions of passwords per second. (https://en.wikipedia.org/wiki/Password_cracking)

This website has a good explanation about how improving the complexity of a password affects how easy it is to break: http://www.lockdown.co.uk/?pg=combi, but is using very out of date numbers - consider a basic laptop able to produce "Class E" attacks, and a desktop, "Class F"

http://rumkin.com/tools/password/passchk.php

http://cyber-defense.sans.org/blog/downloads/ has a calculator buried in the zip file "scripts.zip"

http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html

https://www.grc.com/haystack.htm

https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

http://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html?_r=1

Recommendation
Materials that may be useful
Password Survey

How many passwords do you have to remember for accounts and devices used to do your work?

If you tried to login to your computer account right now, how many attempts do you think it would take?

To how many people have you given your current password?

Have you ever forgotten your current password?

If yes, how did you recover it?

Have you ever forgotten old work passwords?

If yes, how did you recover it?

When you created your current password, which of the following did you do?

Did you use any of the following strategies to create your current password (choose all that apply) ?

How long is your current password (total number of characters)?

What symbols (characters other than letters and numbers) are in your password?

How many lower-case letters are in your current password?

How many upper-case letters are in your current password?

In which positions in your password are the numbers?

In which positions in your password are the symbols?

Have you written down your current password?

If you wrote down your current password how is it protected (choose all that apply) ?

Do you have a set of passwords you reuse in different places?

Do you have a password that you use for different accounts with a slight modification for each account?

A Day in the Life

Covered in full in User Device Assessment:

Network Mapping

Covered in full in Network Mapping

Physical Security Guided Tour

Covered in full in Physical Assessment:

Have your point of contact walk you around the office (often as part of introductions on the first day) - mentally note physical security concerns. Document how difficult it would be for a visitor or after-hours break-in to access sensitive systems. Identify physical assets with sensitive content, such as:

This can be done remotely via secure videoconference over a smartphone or tablet that can be moved around the office easily.

Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

User Device Assessment

Summary

This component allows the auditor to assess the security of the individual devices on the network. This component consists of interviews, surveys, and inspection of devices.

Purpose

Compromised devices have the ability to undermine nearly any other organizational attempt at securing information. Knowing if devices receive basic software and security upgrades and what core protections against unauthorized access exist is vital to designing a strategy to make the host more secure.

The Flow Of Information

User Device Assessment Information Flow
User Device Assessment Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Password Security

Privilege Separation Across OS

Examining Firewalls Across OS

Identifying Software Versions

Device Encryption By OS

Anti-Virus Updates

Identifying Odd/One-Off Services

Activities

Device and Behaviour Assessment

Summary

The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software running on computers and its current version. The auditor checks for known vulnerabilities to any out of date software.

This is used to develop a report component exposing how unpatched software can lead to large vulnerabilities.

Overview
Materials Needed
Considerations
Walkthrough

The auditor inspects a subset of key and/or representative user devices (work & personal). The auditor should focus on the work devices to limit scope creep, but if the office has many personal devices accessing organizational accounts/data, the auditor should share what "red flags" they are looking for and work in tandem with device owners and/or IT staff. For a small office, it may be possible to check every machine. For larger offices, the auditor should use a subset to get a feel for the overall security stance of user devices.

As you work with staff members, also interview them about the other devices they use such as phones and tablets, and how they connect to work services - email/webmail, chat Apps, intra/extranet tools, Constituent Relationship Management (CRM) tools like CiviCRM or Salesforce, financial tracking tools, and website management tools.

Below is a checklist to assist in checking across different platforms/versions for common security needs.

OSX
Windows

If Windows is not your primary OS, you can download sample Virtual Machines (with time limitations) from Microsoft through their project to improve IE support via https://www.modern.ie/en-us/virtualization-tools#downloads (see also http://www.makeuseof.com/tag/download-windows-xp-for-free-and-legally-straight-from-microsoft-si/ and https://modernievirt.blob.core.windows.net/vhd/virtualmachine_instructions_2014-01-21.pdf)

Windows 10

Windows 8

Installed updates

GUI: Control Panel > Programs and Features > View installed updates. CLI: http://www.techsupportalert.com/en/quick-and-easy-way-list-all-windows-updates-installed-your-system.htm

Windows 7

In Windows 7, (GUI) Control Panel -- All Control Panel Items -- Action Center (Security tab) provides a quick run-down of most security features installed and their update status. It does not show drive encryption or specific versions.

Windows XP

If the user is still operating on Windows XP, the recommendation is to upgrade to a later Windows. Windows XP is no longer supported and is not receiving security updates: https://www.microsoft.com/windows/en-us/xp/end-of-xp-support.aspx

If there is an organizationally critical system relying on Windows XP, removing it from the network and carefully managing data exchange with it may provide a bridge solution until a replacement process can be funded and rolled out.

Linux
Recommendation

If Unsupported Operating System - Upgrade to Recent Version

Popular operating systems like Windows XP are, sadly, no longer receiving security updates. Upgrade to the latest version, keeping in mind the system requirements of the version selected.

If Pirated Software - Move to Licensed Software Systems

While "pirated" operating systems and software are extremely common (especially for Windows), they often leave much to be desired in terms of security. If the OS or software is not receiving regular updates from its creator, every vulnerability disclosed since the last update stays open. Switch to licensed software or recommended Free Open Source Software.

If Outdated - Update Operating Systems and Other Software

Operating systems and software of all varieties - Windows, Mac, Linux, and others - are constantly being updated. These updates often fix bugs, but they also protect the system from newly discovered vulnerabilities. It can seem difficult to keep updating constantly, but this is very important to protect even non-sensitive systems.

If Vulnerable Software - Update Vulnerable Software

Many widely deployed software components, such as Java or Adobe Flash, have long histories of vulnerabilities and need to be aggressively updated. If they are not needed for work by the users, uninstall them.

If No Anti-Virus and Anti-Malware Scanner - Install Anti-Virus and Anti-Malware Scanner

Anti-virus and anti-malware scanners offer some minimal protection to the system, so it is important to have them installed.

If Outdated Anti-Virus - Update Anti-Virus

Most AV tools automatically update, but this can sometimes get out of sync, or, if the AV was a pre-installed trial, it will stop updating after its trial period. An out of date anti-virus is worthless, so ensure that continuous updating of AV is done.

If Unencrypted Drive - Encrypt Hard Drives

Where possible, built-in drive encryption (FileVault on OSX, BitLocker on Windows, and LUKS on Linux) tends to offer the most seamless, user-friendly experience. VeraCrypt offers free cross-platform drive encryption and can also create encrypted containers which can be shared across platforms.

If Inactive firewall - Activate both personal and server firewall (If present)

Again, where present, use built-in firewalls and configure them for both office and public network profiles. Testing to ensure systems can still perform expected office networking (file sharing, printing, etc.) is essential unless alternatives are created.

A Day in the Life

Summary

The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software running on computers and its current version. The auditor checks for known vulnerabilities to any out of date software.

This is used to develop a report component exposing how unpatched software can lead to large vulnerabilities.

Overview
Materials Needed
Considerations
Walkthrough

As you work with staff members (this pairs well with the device checklist activity), also interview them about the other devices they use, and how they connect to work services - email/webmail, intra/extranet tools, Constituent Relationship Management (CRM) tools like CiviCRM or Salesforce, financial tracking tools, and website management tools.

Phone Usage
User Software and Tools
Remote Services
Recommendation

Only use services that encrypt traffic in transit with TLS ("HTTPS"; older material calls this "SSL"), and consider adding HTTPS Everywhere to browsers. This does not itself guarantee protection from all attacks, but it is a good first step in protecting information (such as passwords or email) in transit from your computer to the service provider.

Firewire Access to Encrypted/Locked computers

Summary

Firewire ports and expansion slots can be abused to obtain data that are thought to be encrypted

Any attacker who obtains a running (including sleeping!) Windows, Mac, or even Linux laptop with a Firewire port, an ExpressCard expansion slot, or a Thunderbolt port may be able to read, record or modify any sensitive information on the device, even if the screen is "locked" and the information is stored on an encrypted volume or in an encrypted folder. (A properly hibernated machine is powered off with its memory written to disk, so the keys are no longer in RAM.) This applies to threats involving loss, theft and confiscation, but also to "checkpoint" scenarios in which the attacker may only have access for a few minutes.

This attack requires physical control of a machine that is not powered off. Newer operating system versions mitigate it (disabling DMA over these ports while the screen is locked, or using the IOMMU to restrict what an attached device can read), so check the specific OS version and settings rather than assuming a device is vulnerable. Full details of the scope of the attack are available at http://www.breaknenter.org/projects/inception/ .

Overview
Materials Needed
Considerations
Walkthrough

Firewire ports and expansion slots can be abused to obtain data that are thought to be encrypted

The threat described in this section is more complex than it needs to be. In fact, unencrypted data are vulnerable to any number of simple attacks, the two most straightforward being: 1) rebooting the computer from a USB stick, CD-ROM or DVD containing an alternate operating system, then copying all of the data; or 2) removing the hard drive, inserting it into a different machine, then copying all of the data. These techniques, which work on nearly any computer, even if a strong login password has been set, are effective and widely used, but they require extended physical access to the device. A slightly different attack is described below, one that only requires physical access for a few minutes. It, too, works regardless of login/screen-lock passwords, though only devices with Firewire ports, Thunderbolt ports or expansion slots (ExpressCard, CardBus, PCMCIA, etc.) are vulnerable.

The steps required to defend against all of these threats are the same: encrypt your data using a tool like Microsoft's BitLocker, Apple's FileVault or the open-source TrueCrypt application (TrueCrypt is no longer maintained; VeraCrypt is its maintained successor). The Firewire attack highlighted here is particularly illustrative, however, because it serves as a reminder that merely setting up an encrypted volume is not enough. In much the same way that a lock does little to protect your home if the door to which it is attached remains open, data encryption is rarely effective while you are logged into your computer. Even if the screen is locked (which would foil the "reboot" and "hard drive removal" attacks described briefly above), an attacker may still find a way to access your sensitive data while the computer is up and running, because the decryption key is present in the computer's memory. (This is how full-disk encryption actually works. Information remains encrypted at all times on the storage device where it lives, but you are able to access it while you are logged in, or while your encrypted volume is "open," because your computer decrypts and encrypts it on the fly.)

Walkthrough

Step 1: First, the attacker would connect her computer to the victim’s using a Firewire cable. Either or both machines could be using a true Firewire port or a Firewire expansion card. When a Firewire ExpressCard expansion card is inserted, Windows automatically installs and configures the necessary drivers, even if nobody is logged into the laptop.

Step 2: Once connected, the attacker simply runs the Inception tool, selects the operating system of the target machine and waits a minute or two for the attack to complete (depending on the amount of RAM present):

$ incept

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.2.0 (C) Carsten Maartmann-Moe 2012
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

[*] FireWire devices on the bus (names may appear blank):
--------------------------------------------------------------------------------
[1] Vendor (ID): MICROSOFT CORP. (0x50f2) | Product (ID):  (0x0)
--------------------------------------------------------------------------------
[*] Only one device present, device auto-selected as target
[*] Selected device: MICROSOFT CORP.
[*] Available targets:
--------------------------------------------------------------------------------
[1] Windows 8: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[2] Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[3] Windows Vista: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[4] Windows XP: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[5] Mac OS X: DirectoryService/OpenDirectory unlock/privilege escalation
[6] Ubuntu: libpam unlock/privilege escalation
--------------------------------------------------------------------------------
[!] Please select target (or enter 'q' to quit): 2
[*] Selected target: Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[*] Initializing bus and enabling SBP-2, please wait  1 seconds or press Ctrl+C
[*] DMA shields should be down by now. Attacking...
[*] Searching, 1328 MiB so far
[*] Signature found at 0x8b50c321 (in page # 570636)
[*] Write-back verified; patching successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

In the case of the laptops tested, Inception took approximately two minutes to reach the final, somewhat self-congratulatory line shown above. At that point, we were able to log in using any password. (Entering "asdf" worked just fine, and gave us full access to all data on the computer.) Inception works by temporarily patching the authentication code in memory, using the Firewire protocol's direct memory access (DMA). After a reboot, everything is restored to its original state.

Once again, it is worth noting that successful mitigation of this issue requires a combination of technology (data encryption) and some level of behavior change (shutting down laptops at the end of the day, when traveling and at any time when confiscation, theft, loss or tampering are particularly likely.)
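
The Linux row of the device checklist above is empty, and the Firewire discussion ends with advice rather than a check. The following script is an added example, not part of SAFETAG, that gathers the checklist items on a Linux laptop in a read-only way: disk encryption, firewall default policy, extra UID-0 accounts, services listening on non-loopback addresses, and whether the Firewire driver is loaded or Thunderbolt is set to accept any device. It assumes Debian-style tools (lsblk, iptables, ss, lsmod, dpkg-query) and the sysfs paths named in the comments; the sample outputs at the bottom are constructed, not captured from a real machine.

```bash
#!/bin/sh
# Read-only checks for the Linux row of the device checklist and for the
# DMA-capable ports discussed in the Firewire activity. Each check is a small
# function that parses command output from stdin, so it runs on the
# constructed samples below as well as on live output (see live_report).

# Disk encryption: an opened dm-crypt (LUKS) mapping shows TYPE "crypt".
# Input: lsblk -ln -o NAME,TYPE
has_encrypted_volume() {
    grep -Eq '[[:space:]]crypt$'
}

# Host firewall: the INPUT chain should default to DROP or REJECT.
# Input: iptables -S INPUT
firewall_default_drop() {
    grep -Eq '^-P INPUT (DROP|REJECT)$'
}

# Privilege separation: only "root" should have UID 0. Prints any other UID-0
# account and returns 1 if one exists.  Input: /etc/passwd
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1; found = 1 } END { exit found ? 1 : 0 }'
}

# Odd/one-off services: listeners bound to anything other than loopback.
# Input: ss -tulnH   (TCP and UDP, listening, numeric, no header)
exposed_listeners() {
    awk '$5 !~ /^(127\.|\[::1\])/ { print $1, $5 }'
}

# DMA ports: a loaded Firewire driver, or Thunderbolt at security level
# "none", lets an attacker with a cable read RAM (and so the disk keys).
# Inputs: lsmod, and the contents of /sys/bus/thunderbolt/devices/domain*/security
firewire_driver_loaded() {
    grep -Eq '^firewire_(ohci|core)[[:space:]]'
}
thunderbolt_unprotected() {
    grep -qx 'none'
}

# Run everything against this machine (iptables and ss process info need root).
live_report() {
    if lsblk -ln -o NAME,TYPE | has_encrypted_volume; then
        echo "encryption: dm-crypt volume present"
    else
        echo "encryption: NO dm-crypt volume found"
    fi
    if iptables -S INPUT 2>/dev/null | firewall_default_drop; then
        echo "firewall: INPUT defaults to DROP/REJECT"
    else
        echo "firewall: INPUT policy is not DROP/REJECT (check ufw status too)"
    fi
    extra_root_accounts < /etc/passwd || echo "uid0: extra UID-0 accounts listed above"
    echo "listeners on non-loopback addresses:"
    ss -tulnH | exposed_listeners
    lsmod | firewire_driver_loaded && echo "dma: firewire driver loaded; blacklist firewire_ohci if unused"
    cat /sys/bus/thunderbolt/devices/domain*/security 2>/dev/null | thunderbolt_unprotected \
        && echo "dma: thunderbolt security level is none"
    # Software versions, for the checklist's version-identification step.
    dpkg-query -W -f='${Package} ${Version}\n' 2>/dev/null | sort | head -n 20
}

# Constructed sample output (not from a real machine): an unencrypted laptop
# with a default-ACCEPT firewall that exposes SSH and mDNS to the network.
SAMPLE_LSBLK='sda  disk
sda1 part
sda2 part'
SAMPLE_IPTABLES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 5   127.0.0.1:631  0.0.0.0:*
tcp   LISTEN 0 5   [::1]:631      [::]:*
udp   UNCONN 0 0   0.0.0.0:5353   0.0.0.0:*'

# Run "sh linux_device_check.sh live" on the audited laptop for a real report.
if [ "${1:-}" = "live" ]; then
    live_report
fi
```

Run it with the argument live on the audited machine (as root for the firewall and process details); the functions can also be fed saved command output from a machine the auditor only looked at over someone's shoulder. The two negative findings in the constructed sample (no crypt volume, INPUT ACCEPT) map directly onto the "Encrypt Hard Drives" and "Activate firewall" recommendations above.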

Material that may be Useful:
Recommendation

Password Security Survey

Summary

Weak and "shared" passwords are prevalent - even after hundreds of well-publicized global password breaches, "password" and "12345" remain the most popular passwords. Weak wifi passwords are specifically a challenge, as wifi signals often are accessible outside of an office's physical limits, but provide full access to the private network.

Overview
Materials Needed
Considerations
Walkthrough

This exercise supports the auditor in building an effective dictionary that is customized to an organization.

This dictionary can then be used in a variety of ways:

This skillset, plus demonstration against non-invasive accounts, provides an opening for a discussion with staff on password security. See Level Up for further activities and exercises around passwords.

This component provides resources and recommendations on cracking passwords - both the creation of dictionaries and rules to modify those dictionaries, as well as some basic implementation. This is a dangerous (and, without authorization, illegal) skill to use, so treat this section mainly as a guide to which password security myths fail against modern password cracking software, and use the techniques only with permission and only in very specific situations, as a demonstration of the power of even a common laptop against weak passwords.

Primarily for use in the Network Access component, building a password dictionary, understanding the ways to automatically mutate it, and running it against passwords is a useful skill to have, and to use to explain why simple passwords are insecure. This Ars Technica article provides a good insight into the path to tackle iterative password cracking using a variety of tools to meet different goals.

These instructions use a small set of password cracking tools, but many are possible. If there are tools you are more familiar or comfortable with using, these by no means are required. The only constraints are to be respectful and responsible, as well as keeping focused on the overall goals and not getting bogged down.

A good wordlist with a few tweaks tends to break most passwords. Using a collection of all English words, all words from the language of the organization being audited, plus a combination of all these words, plus relevant keywords, addresses, and years tends to crack most wifi passwords in a reasonable timeframe.

An approach which begins with quick, but often fruitful, attacks and moves on to more and more complex (and time consuming) attacks is the most rewarding. However, after an hour or two of password cracking, the in-office time on other activities is more valuable, so admit defeat and move on. See the Recommendations section for talking points around the levels of password cracking that exist in the world. You can work on passwords offline/overnight/post-audit for report completeness.

Here is a suggested path to take with suggested tools to help. You might try the first few steps in both the targeted keyword approach and the dictionary approach before moving on to the more complex mutations towards the end of each path.

Dictionary Research and Creation

Before you arrive on-site it is important to have your password cracking tools downloaded and relevant dictionaries ready to go, as your main demonstration and use of these tools is to gain access to the organization's network. The effectiveness of this demonstration is drastically reduced if you already have had to ask for the password to connect to the Internet and update your dictionaries, tools, or so on. Some of these files (especially larger password dictionaries) can be quite large, so downloading them in-country is not recommended.

Many password dictionary sites, such as SkullSecurity, maintain core dictionaries in multiple languages. If your target language is not available, some quick regular expression work can turn spell-check dictionaries (such as those used by LibreOffice) into useful word lists. It is generally useful to always test with English in addition to the target language.

CloudCracker and OpenWall have, for a fee, well-tested password dictionaries.
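
As an added example (not from SAFETAG), this is the "quick regular expression work" for turning a LibreOffice spell-check dictionary into a wordlist. It assumes the Hunspell .dic format, which LibreOffice uses; the sample dictionary at the bottom is constructed for illustration, and the case folding is ASCII-only, so accented capitals are left as they are.

```bash
#!/bin/sh
# Convert a Hunspell spell-check dictionary (the .dic files that ship with
# LibreOffice) into a plain wordlist. A .dic file opens with a line holding the
# word count; every later line is a word, optionally followed by "/" and affix
# flags and then tab-separated morphological fields, none of which belong in a
# password wordlist.

dic_to_wordlist() {   # usage: dic_to_wordlist FILE.dic > words.txt
    tail -n +2 "$1" \
      | sed -e 's|/.*||' -e 's|[[:space:]].*||' \
      | tr '[:upper:]' '[:lower:]' \
      | grep -v '^$' \
      | sort -u
}

# Constructed sample in .dic format (not a real LibreOffice dictionary).
SAMPLE_DIC=$(mktemp)
{
    printf '6\n'
    printf '%s\n' 'Apple/M' banana 'Central/MS' rights apple
    printf 'journalism/S\tpo:noun\n'
} > "$SAMPLE_DIC"

# Real use:  dic_to_wordlist /usr/share/hunspell/en_US.dic > english.txt
#            sort -u english.txt target_language.txt > words.txt
```

The sample yields five lines (apple, banana, central, journalism, rights): the flags and the morphological field are stripped, and the capitalised and lower-case spellings of apple collapse to one entry. Merge the result with the English list via sort -u so the cracker sees each candidate once.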

Keyword generation

In addition, create a customized dictionary with words related to the subject as revealed in the Remote Assessment research: organization name, street address, phone number, email domain, wireless network name, etc. For the organization "ExampleOrg", which has its offices at 123 Central St., Federal District, Countryzstan, which does human rights and journalism work and was founded in 1992, some context-based dictionary additions would be:

exampleorg
example
exa
mple
org
123
central
federal
district
countryzstan
human
rights
journo
journalism
1992
92

Also add common password fragments: qwerty, 1234/5/6/7/8, and, based on field experience, four-digit dates back to the year 2001 (plus adding in the founding year of the organization). It's also useful to see what calendar system is in use at your organization's location as some cultures don't use Gregorian years. It's quite amazing how often a recent year will be part of a wifi password -- this presentation discusses many common patterns in passwords: https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

Optional Further steps

Use CeWL to spider the organization's web properties and generate additional phrases. The resulting list needs review, since much of what it generates is noise, but it is especially helpful when the site is in a language the auditor does not read fluently.

For passwords other than WPA, specific policies or patterns may help to focus your password dictionary further. PACK, or Password Analysis and Cracking Toolkit, is "a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers." PACK is most useful for large sets of passwords, where it can detect patterns in already-broken passwords to help build new rules. Both password crackers used below, Hashcat and John the Ripper, are powerful and have slightly different abilities; the auditor should choose the one they prefer and/or the one with the features they need for this job.

Combinator Attack with scripting and Hashcat

One quick way to build a more complex password list is to pair every entry with every other entry (a "combinator" attack), so that the list includes a line for each ordered pair of strings. A simple shell loop does this:

 $ while read -r foo; do while read -r bar; do printf '%s%s\n' "$foo" "$bar"; done < pwdlist.txt; done < pwdlist.txt > pwdpairs.txt
 $ cat pwdlist.txt >> pwdpairs.txt

Hashcat can do this in a live attack under its "combinator" mode, and hashcat-utils (hiding in /usr/share/hashcat-utils/combinator.bin) provides this as a standalone tool. This produces every pair from the list, so it squares the list size (n words become n × n candidates) - use with caution, or pair one larger dictionary with one smaller dictionary.

For example, use this combination approach on your custom dictionary (combining it with itself, creating combinations from the above list such as example92, journorights, exampleorgrights):

$  /usr/share/hashcat-utils/combinator.bin dict.txt dict.txt

Hashcat is at its most powerful on a desktop with GPUs, but its hashcat-utils wordlist manipulation tools are useful regardless of hardware.

More References: (http://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 , http://www.darkmoreops.com/2014/08/18/cracking-wpa2-wpa-with-hashcat-kali-linux/ )
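
Bringing the keyword generation and combinator steps together, here is an added example (not SAFETAG's own tooling) in plain POSIX shell that builds a targeted list from a keyword file: the keywords, every ordered pair of them, each keyword with every year from the founding year onward (four- and two-digit forms), and the common fragments listed above. The keyword file for "ExampleOrg" is constructed from the text; the founding year and cut-off year are parameters, and the function and file names are this example's own.

```bash
#!/bin/sh
# Turn the handful of organisation keywords gathered during research into a
# targeted wordlist: the words themselves, every ordered pair of them (the
# "combinator" pass), each word with a year and its two-digit form appended,
# and a few common fragments. Plain POSIX shell, no hashcat-utils needed.

# Normalise the keyword file: lower-case, drop blank lines, de-duplicate.
base_words() {   # usage: base_words KEYWORDFILE
    tr '[:upper:]' '[:lower:]' < "$1" | grep -v '^$' | sort -u
}

# Every ordered pair of lines (word+itself included). n lines give n*n
# candidates, so keep the keyword list short, or pair a small list with a
# large one as the text advises.
combinator() {   # usage: combinator FILE [FILE2]
    second=${2:-$1}
    while read -r a; do
        while read -r b; do
            printf '%s%s\n' "$a" "$b"
        done < "$second"
    done < "$1"
}

# Append every year in FIRST..LAST, as both "1992" and "92".
append_years() {   # usage: append_years FILE FIRST LAST
    y=$2
    while [ "$y" -le "$3" ]; do
        yy=$(printf '%s' "$y" | cut -c3-4)
        while read -r w; do
            printf '%s%s\n%s%s\n' "$w" "$y" "$w" "$yy"
        done < "$1"
        y=$((y + 1))
    done
}

# Assemble the whole list, sorted and unique, on stdout.
build_dict() {   # usage: build_dict KEYWORDFILE FOUNDED_YEAR LAST_YEAR > dict.txt
    base=$(mktemp)
    base_words "$1" > "$base"
    {
        cat "$base"
        combinator "$base"
        append_years "$base" "$2" "$3"
        printf '%s\n' 123 1234 12345 123456 qwerty   # common fragments
    } | sort -u
    rm -f "$base"
}

# Constructed keywords for the "ExampleOrg" case from the text.
KEYWORDS=$(mktemp)
printf '%s\n' ExampleOrg example org central federal district journo rights > "$KEYWORDS"

# Real use:  build_dict "$KEYWORDS" 1992 2001 > exampleorg_dict.txt
```

With the eight constructed keywords and the years 1992 to 1994 the list holds about 124 candidates, including the example92, journorights and exampleorgrights the text predicts (the pair example+org collapses into the existing exampleorg entry). Because the pair pass squares the list, keep the keyword file to a few dozen entries; if you need more, pair a small list against a large one with combinator small.txt big.txt.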

Word mutation with John the Ripper (JtR)

JtR is a powerful tool you can use in combination with existing wordlists, and it can also add in common substitutions (such as a zero for the letter "o"). JtR can generate a static list of passwords for other programs, or be run directly against a password database. JtR is weak at combining words within a wordlist, so apply your customizations and any combining before moving on to JtR.

You can add custom "rules" to aid in these substitutions - a base set is included with JtR, but a much more powerful set is provided by KoreLogic (http://contest-2010.korelogic.com/rules.html). KoreLogic also provides a custom character set ("chr" file) that takes password frequency data from large collections of real-world passwords to speed up JtR's brute force mode. This PDF presentation has a good walkthrough of how John and Kore's rules work.

Additional guides: http://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux

The bleeding-edge jumbo version combines both the built-in rules and an optimized version of the KoreLogic rules. This list of KoreLogic Rules provides nice descriptions of what the KoreLogic rules do. In bleeding-jumbo the rule names drop the "KoreLogicRules" prefix (AppendYears rather than KoreLogicRulesAppendYears). BackReference provides a great example of rules usage.

Some particularly useful individual rulesets are:

AppendYears (appends years, from 1900 to 2019) and AppendCurrentYearSpecial (appends 2000-2019 with punctuation)
AddJustNumbers (adds 1-4 digits to the end of everything)
l33t (leet-speak combinations)

There are some built-in combinations of rulesets - for example, just --rules runs john's internal collection of default rules, --rules:KoreLogic runs a collection of the KoreLogic rules in a thoughtful order, and --rules:all runs every ruleset (expect an enormous candidate list; useful if you hate life).

e.g. :

  $ john -w:dictionary.txt --rules:AppendYears --stdout

Building custom rules

PROTIP Create a dictionary with just "blah" and run various rules against it to understand how each ruleset or combination works. Note specifically that each rule multiplies the size of the dictionary by the number of permutations it introduces. Running the KoreLogic ruleset combination against a one word dictionary creates a list of 6,327,540 permutations on just that word.
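
To make the rule syntax concrete, here is an added example (not from SAFETAG or the John the Ripper project) that writes a small custom ruleset for the ExampleOrg case and dry-runs it the way the PROTIP suggests. It assumes a Jumbo build, which includes john-local.conf from the directory holding john.conf; if your john.conf has no such .include line, append the stanza to john.conf instead. The ruleset name and the helper functions are this example's own.

```bash
#!/bin/sh
# Write a custom John the Ripper ruleset and dry-run it. Rule syntax used:
#   :        no-op (emit the word unchanged)     c      capitalise
#   $X       append character X                  sXY    replace every X with Y
#   Az"STR"  append the string STR
#   [..]     a character class anywhere in a rule; the preprocessor expands
#            it into one rule per character, so [0-9] is ten rules.

write_rules() {   # usage: write_rules OUTFILE   (e.g. /path/to/john-local.conf)
    cat > "$1" <<'EOF'
[List.Rules:SafetagOrg]
# the word itself, and capitalised
:
c
# append a year from 2001 to 2019, plain and capitalised
Az"20[01][0-9]"
cAz"20[01][0-9]"
# append one punctuation character, then a year
$[!@#$.]Az"20[01][0-9]"
# common leet substitutions, applied together
sa4so0se3si1
# one to three trailing digits
$[0-9]
$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]
EOF
}

# Dry-run a ruleset against a one-word dictionary (needs john in PATH;
# --stdout prints the candidates instead of cracking anything).
count_candidates() {   # usage: count_candidates RULESET
    one=$(mktemp)
    printf 'blah\n' > "$one"
    john --wordlist="$one" --rules="$1" --stdout 2>/dev/null | wc -l
    rm -f "$one"
}

# Real use:  write_rules "$(dirname "$(command -v john)")/john-local.conf"
#            count_candidates SafetagOrg
#            john --wordlist=dict.txt --rules=SafetagOrg hashes.txt
```

The class expansions are where the multiplication the PROTIP warns about comes from: each year line is 20 rules, the punctuation-plus-year line is 5 × 20 = 100, and the three trailing-digit lines alone are 10 + 100 + 1,000 rules, so even this short stanza turns one word into over a thousand candidates.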

Brute force, using John and crunch

JtR's "incremental" mode is essentially an optimized brute force attack, so will take a very long time for anything but the shortest passwords, or passwords where you can limit the search space to a character set: "As of version 1.8.0, pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters), "LM_ASCII" (for use on LM hashes), "Alnum" (all 62 alphanumeric characters), "Alpha" (all 52 letters), "LowerNum" (lowercase letters plus digits, for 36 total), "UpperNum" (uppercase letters plus digits, for 36 total), "LowerSpace" (lowercase letters plus space, for 27 total), "Lower" (lowercase letters), "Upper" (uppercase letters), and "Digits" (digits only). The supplied .chr files include data for lengths up to 13 for all of these modes except for "LM_ASCII" (where password portions input to the LM hash halves are assumed to be truncated at length 7) and "Digits" (where the supplied .chr file and pre-defined incremental mode work for lengths up to 20). Some of the many .chr files needed by these pre-defined incremental modes might not be bundled with every version of John the Ripper, being available as a separate download." (http://www.openwall.com/john/doc/MODES.shtml)

As a last resort, you can try a direct brute force attack overnight or post-audit to fill in details on key strength. Crunch is a very simple but thorough approach. Given enough time it will break a password, but it's not particularly fast, even at simple passwords. You can reduce the scope of this attack (and speed it up) if you have reason to believe the password is all lower-case, all-numeric, or so on. WPA passphrases must be at least 8 characters and may be up to 63, and some wifi routers accept any punctuation, but in practice only a few symbols (such as @, #, $ and .) show up, so a pragmatic search covers lowercase letters, digits and those few symbols, at lengths from 8 up to a cap of 16:

$ /path/to/crunch 8 16 <charset> | aircrack-ng -a 2 path/to/capture.pcap -b 00:11:22:33:44:55 -w -

Here <charset> is the character set written out as a single string (the lowercase letters, the digits and the few symbols mentioned above). This tries every combination of those characters at lengths 8 through 16, and aircrack-ng (-a 2 selects WPA-PSK, -b the access point's BSSID) reads the candidates from stdin (-w -). Length 8 alone over 36 characters is 36^8, roughly 2.8 trillion candidates, which at a few thousand guesses per second is decades of work. This will take a very, very, very long time.

Material that may be Useful:

Sample Practice: For practice on any of these methods, you can use the wpa-Induction.pcap file from Wireshark.

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

http://zed0.co.uk/crossword/

http://www.instantcheckmate.com/crimewire/is-your-password-really-protecting-you/#lightbox/0/

Note that password cracking systems are rated on the number of password guesses they make per second, and that rate depends heavily on the hash being attacked: WPA2's key derivation is deliberately slow, so guesses per second against a captured handshake are orders of magnitude lower than against unsalted MD5 or NTLM hashes. Stock laptop computers without high-end graphics cards or any other optimizations can guess on the order of 2500 passwords/second. More powerful desktop computers can test over a hundred million each second, and with graphics cards (GPUs) that rises to billions of passwords per second. (https://en.wikipedia.org/wiki/Password_cracking).

This website has a good explanation of how increasing the complexity of a password affects how easy it is to break: http://www.lockdown.co.uk/?pg=combi. It uses very out of date numbers, though; consider a basic laptop capable of its "Class E" attacks and a desktop of "Class F".

http://rumkin.com/tools/password/passchk.php

http://cyber-defense.sans.org/blog/downloads/ has a calculator buried in the zip file "scripts.zip"

http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html

https://www.grc.com/haystack.htm

https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

http://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html?_r=1

Recommendation
Materials that may be useful
Password Survey

How many passwords do you have to remember for accounts and devices used to do your work?

If you tried to login to your computer account right now, how many attempts do you think it would take?

To how many people have you given your current password?

Have you ever forgotten your current password?

If yes, how did you recover it?

Have you ever forgotten old work passwords?

If yes, how did you recover it?

When you created your current password, which of the following did you do?

Did you use any of the following strategies to create your current password (choose all that apply) ?

How long is your current password (total number of characters)?

What symbols (characters other than letters and numbers) are in your password?

How many lower-case letters are in your current password?

How many upper-case letters are in your current password?

In which positions in your password are the numbers?

In which positions in your password are the symbols?

Have you written down your current password?

If you wrote down your current password how is it protected (choose all that apply) ?

Do you have a set of passwords you reuse in different places?

Do you have a password that you use for different accounts with a slight modification for each account?

Physical Security Guided Tour

Covered in full in Operational Security Assessment:

Have your point of contact walk you around the office (often as part of introductions on the first day) - mentally note physical security concerns. Document how difficult it would be for a visitor or after-hours break-in to access sensitive systems. Identify physical assets with sensitive content, such as:

This can be done remotely via secure videoconference over a smartphone or tablet that can be moved around the office easily.

Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

Vulnerability Scanning and Analysis

Summary

This component has the auditor discover possible flaws in the organization's devices, services, application designs, and networks by testing and comparing them against a variety of online and offline resources (vulnerability databases, vendor advisories, and auditor investigation) to identify known vulnerabilities. Basic vulnerability analysis should occur alongside the other activities so that evidence can be gathered from the network; deeper research into specific discovered vulnerabilities can happen after the on-site audit, to make the most of the auditor's short time on site.

Purpose

It is not uncommon for a cash-strapped human rights NGO to run critical infrastructure themselves on available equipment. A better-resourced organization may host its critical services at a remote data center, or outsource its IT infrastructure to cloud providers, such as Google Apps, and/or to ad-hoc services (Dropbox, Yahoo! mail, Wordpress, etc.). Regardless, it is rare to have someone designated to update and patch systems as vulnerabilities are released, or to view the services from a security -- as opposed to availability -- standpoint.

The Flow Of Information

Vulnerability Analysis Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Vulnerability Databases

Website Vulnerability Scanning

System Vulnerability Scanning

Activities

Vulnerability Scanning

Summary

While much of SAFETAG focuses on digital security challenges within and around the office, remote attacks on the organization's website, extranets, and unintended information available from "open sources" all pose real threats and deserve significant attention. SAFETAG takes great care to take a very passive approach to this work, especially when done off-site, so as not to have unintended consequences on the organization's infrastructure or undermine operational security concerns.

This activity uses active research and scanning to detect known vulnerabilities in external and key internal services. Usually penetration tests exploit possible vulnerabilities to confirm their existence.[65] But the use of exploits puts the organization's systems at a level of increased risk[66] that is unacceptable when neither the organization nor the auditor has the time or finances to address the issue. The SAFETAG methodology only uses relatively safe exploitation of vulnerabilities for targeted outcomes. For instance, cracking the wireless access point password allows us to demonstrate the importance of good passwords without singling out any individual's passwords.[67]

Overview
Materials Needed
Considerations
Walkthrough

Vulnerability Scanning using OpenVAS

Setting up OpenVAS in Kali

openvas initial setup
openvas feed update
openvas check setup
openvas stop
openvas start

Visit https://127.0.0.1:9392/ in a web browser and log in.

Using OpenVAS

Once logged in to OpenVAS, the interface is disturbingly simple to use. For most use, using the Wizard to scan the target server works best. Things to verify before doing so:

Once you start a scan, change the display to "auto refresh" to give you more feedback on the scan process. Once the scan is completed, a report can be exported in PDF form.

Common problems

Errors during openvas-start: OpenVAS is a rather ... delicate program. Most often, the openvas-start script will not wait long enough between launching openvassd and openvasmd, causing openvasmd to error out. Re-running openvasmd often works, though an entire stop/start cycle seems to be slightly more reliable. Often, openvasmd will error out, but launch anyway. Checking the web interface at https://127.0.0.1:9392 to make sure that you can log in is the best way to check whether it has actually launched successfully.

Lost admin password: From a root command line, you can reset the web interface's admin password:

openvasmd --create-user=admin
openvasmd --user=admin --new-password=admin

Recommendation

The auditor will need to do research and compare against the organization's capacity and risks to give specific recommendations based on the vulnerabilities discovered in the process. Some common recommendations include the following:

Most popular CMS platforms provide emailed alerts and semi-automated ways to update their software. Make sure someone responsible for the website is either receiving these emails or checking regularly for available updates. Security updates should be applied immediately. It is, however, a best practice to have a “test” site where you can first deploy any CMS update before attempting it on a production site.

For custom CMS systems, it is strongly advisable to migrate to a more standard, open source system.

An increasingly good practice is for organizations to take advantage of the "free" tiers of DDoS mitigation services, of which CloudFlare is probably the best known. A challenge of these free services can be that they have definite limits to their protection. With CloudFlare, organizations can request to be a part of their Project Galileo program to support at-risk sites even beyond their normal scope of support.

A community-based, open source alternative is Deflect, which is completely free for eligible sites.

Some of these services will be revealed by BuiltWith, but also check the HTTP response headers (in Chromium/Chrome, available under the Inspect Element tool, or by using Firebug in Firefox). See Deflect's wiki for more information.
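One way to do the response-header check offline, as an added example that is not part of the SAFETAG guide: parse a captured HTTP response and look for markers of a known mitigation layer. The two responses are constructed samples, and only Cloudflare markers are fingerprinted (its "server: cloudflare" and "cf-ray" headers); Deflect's headers are not assumed here.

```python
"""Identify a DDoS-mitigation / CDN layer from captured HTTP response headers.

Added example (not SAFETAG's own code). Input is a raw HTTP response as
copied from a browser's network inspector or a curl -i run; nothing here
touches the network, so it runs offline on the constructed samples below.
"""
from typing import Dict, List, Tuple

# Header markers the author is certain identify a service. A marker with
# expected value None only needs the header to be present.
KNOWN_MARKERS = {
    "cloudflare": [("server", "cloudflare"), ("cf-ray", None)],
}


def parse_response_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into (status line, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]        # headers end at the blank line
    lines = head.split("\r\n")
    status = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                            # skip malformed lines, do not crash
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def detect_mitigation(headers: Dict[str, str]) -> List[str]:
    """Return the names of known mitigation services whose markers are present."""
    found = []
    for service, markers in KNOWN_MARKERS.items():
        for name, expected in markers:
            value = headers.get(name)
            if value is None:
                continue
            if expected is None or expected in value.lower():
                found.append(service)
                break                           # one marker per service is enough
    return found


def assess(raw_response: str) -> Dict[str, object]:
    """Summarise what the response headers reveal about the site's front end."""
    status, headers = parse_response_headers(raw_response)
    return {
        "status": status,
        # A disclosed origin server/version is itself worth noting in the report.
        "server": headers.get("server", "(not disclosed)"),
        "mitigation": detect_mitigation(headers),
    }


# Constructed sample responses (not captured from any real site).
BEHIND_CLOUDFLARE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 0000000000000000-XXX\r\n"
    "\r\n<html>...</html>"
)
DIRECT_ORIGIN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("behind cloudflare", BEHIND_CLOUDFLARE), ("direct origin", DIRECT_ORIGIN)):
        print(label, "->", assess(raw))
```

A site with no markers is not necessarily unprotected (the headers may be stripped), so treat an empty result as "verify with the organization", not as a finding.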

Guide for NGOs about DDoS: Digital First Aid Kit

If an organization updates their website via FTP, it is worth noting that FTP is similarly insecure. Many hosting providers provide SFTP or FTPS (two different secure file-transfer protocols), or secure WebDAV, to upload files. These should be used, turning “plain” FTP off altogether if possible.

When switching to SSL/Secure FTP after having used the plain versions, webmasters should also update all administrative passwords, and watch to make sure that no step along the way (hosting provider management/panel, file upload, CMS editing) goes over “clear” channels.

Vulnerability Research

Summary
Overview
Materials Needed
Considerations
Walkthrough
Recommendation

Website Footprinting

See Website Footprinting in Recon for passive / lightweight investigation tools

Web Vulnerability Assessment

Summary

Organizational websites are often a central part of their work, but resource constraints can leave them vulnerable to a wide variety of attacks, from simple DDoS (Distributed Denial of Service) attacks, to being leveraged for online scams and malicious advertising, to targeted destruction and subversion. Insecure websites can even be used in "watering hole" attacks, where malware is implanted into the site to intentionally target the website's audience.

This activity provides a SAFETAG auditor with a suite of processes and tools to investigate organization and project websites for potential vulnerabilities. There are multiple ways to do this, from passive to more active scanning. SAFETAG takes great care to take a primarily passive approach to this work, especially when done off-site, so as not to have unintended consequences on the organization's infrastructure or undermine operational security concerns. Care should be taken to review operational security concerns, work closely with the organization, and pursue a minimal approach focused on the priorities of the organization. See also the Vulnerability Scanning activity for additional tools and approaches useful for investigating the server level, outside of the website itself.

Overview
Materials Needed
Considerations
Walkthrough

Web vulnerability assessment can be performed in different ways, using different tools and yielding different results. The variety of steps and guides should not confuse an auditor, but instead provide a broader scope that helps them find as many vulnerabilities as they can.

These vulnerabilities can range from:
- Web Server/OS level vulnerabilities
- Access control vulnerabilities
- Application-specific vulnerabilities
- Misconfiguration
- SQL Injection
- Cross-site Scripting
- Directory Traversal
- Failure to restrict URL Access
- Insufficient Transport Layer Protection
- LDAP Injections
- Malicious Codes
- Leaked information

Before pursuing any of these more active scans, review outputs from passive reconnaissance, DNS history and current information, and (if relevant) CMS version checking. This guide covers a small subset of web vulnerability scanning tools; a more comprehensive list is available at https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools, which may provide approaches better suited to specific situations.

OpenVAS, covered in the Vulnerability Scanning activity, also includes Wapiti, which can help to detect many of the above common vulnerabilities.


Manual Testing with Burp (Active)

Introduction

According to Burp's official documentation, "Burp Suite is an integrated platform for performing security testing of web applications. It is not a point-and-click tool, but is designed to be used by hands-on testers to support the testing process. With a little bit of effort, anyone can start using the core features of Burp to test the security of their applications. Some of Burp's more advanced features will take further learning and experience to master." To learn more about Burp Suite's other tools and features, visit Burp Suite's Tools and its functions pages.

Requirements

Note: If you are using Kali Linux, you already have Burp Suite pre-installed. Otherwise, if you do not have a Linux box, refer to the following requirements:

Launching Burp

Burp's Getting Started documentation is quite detailed and useful, and strongly recommends launching Burp from the command line for better control. Specifically, it recommends assigning the amount of memory you wish to dedicate to Burp:

java -jar -Xmx1024m /path/to/burp.jar

where 1024 is the amount of memory (in MB) that you want to assign to Burp, and /path/to/burp.jar is the location of the Burp JAR file on your computer.

The troubleshooting help can help if Burp doesn't appear shortly.

Setting up your environment

Testing Burpsuite Configuration

NOTE: Scanning web applications without the owner's permission is potentially illegal. It is important that you test Burp Suite on your own web applications, or in a controlled environment. There are some publicly available websites that are insecure by design, to be used for testing and learning purposes. Among these are:

(You can use these sites to get familiar with Burp Suite and to perform the following exercises in this guide.)

Intercepting Request

Adding Target/Scope
- Adding your target into scope is important so you won't miss, or even scan, URLs that are not included in your list of targets.
- To add the target to your scope, right-click the domain/website, then select Add to Scope.
- Burp will now ask if you want to stop sending out-of-scope items to your HTTP history tab and other Burp tools; click Yes.
- This will now appear in your Target tab, under the Scope sub-tab.
- To add subdomains into your scope, you can use a regex such as: .*\.test\.com$

Managing Burp Projects
- Managing Burp Suite projects will depend on the version you are using. Some features are not available in the free version of Burp, but only in the Pro version. See Burp's documentation for managing projects.
- Selecting project type:
  - Temporary project: quick tasks, no need to save data.
  - New project on disk: creates a new project and stores it on disk in a "Burp project file".
  - Open existing project: opens a recent existing project from a "Burp project file". Scanners and spiders are paused.

NOTE: According to BurpSuite documentation, "If you open an existing project that was created by a different installation of Burp, then Burp will prompt you to decide whether to take full ownership of the project.

This decision is needed because Burp stores within the project file an identifier that is used to retrieve any ongoing Burp Collaborator interactions that are associated with the project. If two instances of Burp share the same identifier in ongoing work, then some Collaborator-based issues may be missed or incorrectly reported. You should only take full ownership of a project from a different Burp installation if no other instance of Burp is working on that project."

Since Burp Suite is an advanced tool for testing web applications, this guide will cover most of the basic testing activities for Burp Suite. To learn more about the advanced features, it is important that you have a licensed version.

Basic Burp Suite Testing Exercises:

Attacking a web application using a simple payload set (brute-force attack):
- Verify that your Burp is working: you must first test that your Burp and browser are both configured

Take note of these errors to see how the target web application responds when given certain types of strings.


OWASP ZAP (Active)

OWASP ZAP allows an auditor to quickly identify common web vulnerabilities using the OWASP framework - either by a relatively intense spidering of the website or through a more tailored use of the proxy functionality of the tool.

OWASP ZAP provides a highly configurable tool to test for common website vulnerabilities. In addition to supporting organizational change toward general best practices for websites, OWASP ZAP can expose more specific vulnerabilities that may warrant action above and beyond general best practice work.

For a website that can be expected to withstand a dedicated spidering of its content, the automated mode will dig through and expose common vulnerabilities. The tool itself is relatively easy to use.

For more delicate sites, private sites, or other situations, OWASP can also proxy your web browser and test the pages you click through.

Additional OWASP ZAP references:


Recommendation

Check Config Files

Summary

Examine configuration files for vulnerabilities using "hardening", or "common mistake" guides found online.

Overview
Materials Needed
Considerations
Walkthrough
Recommendation

Network Vulnerabilities

See the Network Access and Mapping activities for methods to expose insecure wireless networks and for methods to use network mapping and traffic analysis to discover further potential vulnerabilities or points to investigate.

Router Based Attacks

Summary

Many wireless routers still use the default password listed in “Router Default Password Search”, meaning that anyone with access to the network could also take complete control of the router - adding in remote access tools or setting up other attacks.

Overview
Materials Needed
Considerations
Walkthrough
Material that may be Useful:
Recommendation

Change Default Router Passwords

Passwords - particularly on core network devices - are very important. Use a password manager to save the new password (or be prepared to reset the router to a factory default).

While nominally "inside the firewall" and protected from remote attacks, leaving routers with default passwords, particularly wireless routers whose networks are often shared with visitors, is a potentially very high risk for an organization. Anyone who has gained access to the network via legitimate or other means could subtly alter the router's configuration to provide remote access, or route traffic to an attacker-designated server. Such changes can easily go undetected for long periods of time.

A common fear is forgetting the new router password. A password management system is an obvious solution, but if the router is in a secure location, even a sticky note would be better than the default password.

Data Assessment

Summary

This component allows the auditor to identify what sensitive data exists for the organization, where it is stored, and how it is transferred.

Purpose

Sensitive files are often stored across multiple devices with different levels of security. A data assessment allows the auditor to recommend secure storage solutions which best meet the organization's risk assessment and workflow needs. While the auditor has insight on some of this based on the Network Access and Network Mapping work, cross-staff understanding and agreement on what constitutes sensitive data will support later organizational change.

An adversary who obtains a laptop, workstation, or backup drive will be able to read or modify sensitive information on the device, even if that staff member has set a strong account password. This applies to threats involving loss, theft, and confiscation, but also to "checkpoint" scenarios in which they may only have access for a few minutes. Furthermore, in the event of a burglary or office raid, an adversary could obtain all sensitive information on the organization's devices, possibly even undetected.

The Flow Of Information

Data Assessment Information Flow

Guiding Questions

Approaches

If it was not possible to conduct these activities in person, you can conduct them remotely through applying one of the remote facilitation approaches described in the Remote Facilitation appendix.

Outputs

Operational Security

Preparation

Resources

Activities

Sensitive Data

Summary

Data and meta-data about an organization and its staff is incredibly difficult to keep track of over time, as people or projects use cloud services like Dropbox or Google Drive for some activities, a shared server for others, and a mix of work and personal devices (laptops, phones, tablets...).

This is natural, but it is important to keep track of where your organization's data lives and who can access it.

Overview
Materials Needed
Considerations
Walkthrough

Sensitive Data Assessment Activity

Duration: 45 minutes

This exercise is adapted from the LevelUp activity Backup Matrix, part of the curricula for Data Retention and Backup by Daniel O'Clunaigh, Ali Ravi, Samir Nassar, and Carol.

Materials to Prepare:
Relative Sensitivity | Computer | USB / External Drive | Cloud Storage | Phones, Print, etc.
High                 |          |                      |               |
Moderate             |          |                      |               |
Low                  |          |                      |               |

Explain to participants that we're going to conduct an information mapping activity to get a sense of where our important information actually is.

Start by listing the different places where our information is stored, according to participants. If no suggestions are forthcoming, we can prompt participants with the obvious stuff:

Use large stickies to place these as column headers on a wall. More will come up later in the course of the exercise.

Elicit from participants what type of information or data they have in each of these places. For example:

To encourage participant interaction, write one example on a sticky and place it in the appropriate box in the matrix. Then, ask whether there is another copy of this data somewhere. If there is, you can use another sticky and put it wherever they keep the duplicate.

TIP: Place Computers, Phones, and Email next to each other, so you won't have to create duplicates for everything "stored" in email (and therefore on laptops and phones)

Introduce a new vertical axis representing sensitivity. The higher on the chart, the more sensitive the data. Ask the participants to rank data.

For a large group, divide the group into smaller teams for the next steps (it helps if there are relatively clear thematic distinctions within the group, such as nationality, type of work, area of interest, etc.)

Provide stickies to the group(s). Have the group(s) brainstorm about all of the data they work with, focusing on the most important data first.

Participants should write ONE type per sticky, and create duplicates if the data is stored in multiple locations.

For a small group, this can be done as a "live" brainstorm. For larger groups that have been subdivided, have each group finish listing out their most important data and then have each group place the stickies on the matrix. Invite discussions around the sensitivity of the data.

An example may look something like this:

Level Up Backup Matrix Example

Explain that this gives us an idea of where our data is. Elicit whether or not this is all the data we generate. Of course it isn't: it's only a small percentage.

The LevelUp lesson uses this primarily to discuss the importance of backups, and this is a valuable point to make.

Call out the information that they are keeping on their computer's hard drive (which will usually be the fullest one). Elicit some of the things that can cause a computer to stop working. Maybe take a show of hands: Who has had this happen to them?

For SAFETAG, we focus on the "Sensitive data in the wrong hands" section. Based on the clustering of sensitive data along the vertical axis, choose a column that has an unusual amount of sensitive data (email or computers, usually).

Remove the stickies from the column but keep them in your hand and read them. Now I have this information. What can I do with it? And what are you left with? Is anyone at risk - yourselves? partners? If this were published on the Internet, what would happen?
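The matrix exercise above, carried through in code as an added example (not part of the SAFETAG guide or the LevelUp curriculum): each sticky is one (data type, location, sensitivity) record, duplicated per location as on the wall, and the script answers the two questions the facilitator asks at the end, which column concentrates the sensitive data, and what a single compromised location exposes, plus the backup question of which data exists in only one place. Location and data names are constructed sample input.

```python
"""Tabulate and query the sensitive-data matrix from the Sensitive Data activity.

Added example; not SAFETAG's own tooling. Each Sticky mirrors one paper
sticky from the wall exercise. SAMPLE is constructed input.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Column headers (storage locations) and row labels (sensitivity), assumed
# from the matrix template; adjust to what the group actually lists.
LOCATIONS = ["Computer", "USB / External Drive", "Cloud Storage", "Phones", "Email", "Print"]
LEVELS = ["High", "Moderate", "Low"]


class Sticky(NamedTuple):
    data: str
    location: str
    sensitivity: str


def build_matrix(stickies: List[Sticky]) -> Dict[str, Dict[str, List[str]]]:
    """Return {sensitivity: {location: [data types]}}, preserving sticky order."""
    matrix = {lvl: {loc: [] for loc in LOCATIONS} for lvl in LEVELS}
    for s in stickies:
        if s.sensitivity not in LEVELS or s.location not in LOCATIONS:
            raise ValueError(f"unknown level or location on sticky: {s}")
        matrix[s.sensitivity][s.location].append(s.data)
    return matrix


def high_sensitivity_hotspots(stickies: List[Sticky]) -> List[Tuple[str, int]]:
    """Locations ranked by number of High-sensitivity items, most first."""
    counts: Dict[str, int] = defaultdict(int)
    for s in stickies:
        if s.sensitivity == "High":
            counts[s.location] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def exposed_if_compromised(stickies: List[Sticky], location: str) -> List[str]:
    """Everything an adversary holds after taking one column (the 'remove the stickies' step)."""
    return sorted({s.data for s in stickies if s.location == location})


def single_copy_data(stickies: List[Sticky]) -> List[str]:
    """Data types that live in exactly one location, i.e. with no backup copy."""
    places: Dict[str, set] = defaultdict(set)
    for s in stickies:
        places[s.data].add(s.location)
    return sorted(d for d, locs in places.items() if len(locs) == 1)


def render(matrix: Dict[str, Dict[str, List[str]]]) -> str:
    """Plain-text rendering, one row per sensitivity level."""
    lines = []
    for lvl in LEVELS:
        cells = [f"{loc}: {', '.join(items) or '-'}" for loc, items in matrix[lvl].items()]
        lines.append(f"{lvl:8} | " + " | ".join(cells))
    return "\n".join(lines)


SAMPLE = [  # constructed example stickies, one per (data, location)
    Sticky("Source contact list", "Computer", "High"),
    Sticky("Source contact list", "Email", "High"),
    Sticky("Source contact list", "Phones", "High"),
    Sticky("Interview recordings", "Computer", "High"),
    Sticky("Interview recordings", "USB / External Drive", "High"),
    Sticky("Donor reports", "Cloud Storage", "Moderate"),
    Sticky("Donor reports", "Computer", "Moderate"),
    Sticky("Staff ID scans", "Computer", "High"),
    Sticky("Press releases", "Cloud Storage", "Low"),
    Sticky("Press releases", "Print", "Low"),
]

if __name__ == "__main__":
    print(render(build_matrix(SAMPLE)))
    hotspots = high_sensitivity_hotspots(SAMPLE)
    print("High-sensitivity hotspots:", hotspots)
    top = hotspots[0][0]
    print(f"If '{top}' is compromised, the adversary holds:", exposed_if_compromised(SAMPLE, top))
    print("Only one copy exists of:", single_copy_data(SAMPLE))
```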

Recommendation

Risks of Data Lost and Found

Summary

Have staff rank the impact if different data within the organization was lost, and the impact if various adversaries gained access to that data.

Overview
Materials Needed
Considerations
Walkthrough

See the Sensitive Data activity for an interactive way to gather the types of data in the organization for this ranking exercise.

Recommendation

Private Data

Summary

Guide staff through an activity to have them list private data within the organization (e.g. using the "personal information to keep private" handout).[69]

Overview
Materials Needed
Considerations
Walkthrough

Personal Information To Keep Private

Information that can be used to identify individuals, organizations, and even communities of practice should be treated with the utmost care. Some data, like names, phone numbers, and addresses are obvious, while others, like computer names, the MAC addresses of wifi cards, or pseudonymous social media accounts may be less obvious. Also, combinations of information - location, data, and type of activity, or even an issue area of interest and a city name may specify a very small number of activists or organizations.

This spreadsheet, part of the Responsible Data Forum documentation sprint, provides a useful baseline of types of data and ways to manage or obfuscate it usefully: Data Anonymization Checklist

Recommendation

For the internal audit report back to the organization, much of the information will require specific identification of user devices (and by extension, their users), as well as very sensitive organizational data. None of this data, by intention, accident, or adversarial action, should be shared with third parties.

Please refer to the Analysis and Reporting section for the limited data set that is required for project reporting, and to the Operational Security section for guidance on data security.

Physical and Operational Security

Summary

The organizational security methodology is focused on how to mitigate against threats that occur because of the arrangement of digital assets in the physical world -- how secure are the devices at an organization's office, where and how staff travel with organizational devices, and whether staff work outside of the office (e.g. in remote offices, at their homes, while traveling, or at cafes). Further, is organizational information accessed from personal devices, and how are those devices secured?

Purpose

While the SAFETAG framework is focused on the security of data, the physicality of devices, backup drives, servers, and even hard-wired networks cannot be overlooked.

For many organizations, digital threats that depend on physical access are considered the least probable. So much so, that many security specialists concede that there is no proper defense against an attacker with physical access to sensitive hardware. While there is some truth to this, it is not useful advice for small scale civil society organizations or independent media houses. The risks that advocacy and media organizations face are far more varied, and the cost of lost information can be crippling to their ability to operate. As such, these risks have high severity, despite their equally high probability for these organizations.

Depending on the specific threats for each organization, the auditor should consider not only one-time exfiltration of data, but also potential ways an adversary could use physical access or proximity to the organization or its devices to gain ongoing remote access, track the organization, or cause harm through the outright destruction of data.

The Flow Of Information

Data Assessment Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Activities

Guided Tour

Summary

During this component an auditor tours the audit location(s) and flags potential risks related to physical access at that location.

Overview

Have your point of contact walk you around the office (often as part of introductions on the first day) - mentally note physical security concerns. Document how difficult it would be for a visitor or after-hours break-in to access sensitive systems. Identify physical assets with sensitive content, such as:

This can be done remotely via secure videoconference over a smartphone or tablet that can be moved around the office easily.

Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

Materials Needed
Considerations
Walkthrough

As part of your first day, have your point of contact walk you around the office - this is primarily a chance to understand the office layout and meet the rest of the staff, but take mental note of the devices in use and laying out on desks as you walk around the office. Note as well the location and access to components such as servers and networking components. Taking actual notes may make the staff feel that you are judging them, especially if this is your first interaction -- refrain from this, and if needed, also consider a more "neutral" note-taking process by integrating the Office Mapping activity.

If the auditor is unable to go to the office (or can only visit one of multiple offices), consider having the point of contact use a video call. You will want the entire staff to be aware of this activity and to know the person who is walking around the office. This requires sufficient (and unmetered or low-cost) bandwidth for a 1-hour video call. This could be scheduled for before or after office hours, both to discover how devices are left overnight and to reduce the impact on the network.

Similarly, the in-person tour can also be done outside of normal business hours. Please note: this can damage the trust the staff has in the auditor, as well as unintentionally embarrassing specific staff members in the eyes of the point of contact. It is not recommended to do this except for organizations who have already received training and worked on improving their physical/operational security practices and face an active adversary. This could be before the staff arrives in the morning, during lunch, or after hours (perhaps have dinner with your point of contact, and come back to check the organization afterwards). This gives a clearer picture of how devices are secured outside of the work day (are desktops and laptops unsecured, still on, logged in?). Are backup drives or other storage media easily accessible? Are doors to server rooms/closets locked? Are keys to these locked cabinets/rooms visible?

Materials that may be useful

Physical Security Survey

Do you have policies and procedures for authorizing and limiting unauthorized physical access to digital systems and the facilities in which they are housed?

Do your policies and procedures specify the methods used to control physical access to your secure areas, such as door locks, access control systems, security officers, or video monitoring?

If yes, what are they?

Is access to your computing area controlled (e.g. reception or security desk, sign-in/sign-out log, temporary/visitor badges etc)?

Are visitors escorted into and out of controlled areas?

If yes, who is responsible for it?

Are your workstations inaccessible to unauthorized users (e.g. located away from public areas)?

Is your computing area and equipment physically secured?

If yes, how is it secured?

Are there procedures in place to prevent computers from being left in a logged on state, however briefly?

If yes, what are the procedures?

Do you have procedures for protecting data during equipment repairs?

If yes, what are the procedures?

Do you have policies covering laptop security (e.g. cable lock or secure storage)?

Do you have a business continuity plan in case of serious incidents or disaster to your digital resources and is it current?

If yes, please highlight the steps taken.

Does your plan identify areas and facilities that need to be sealed off immediately in case of an emergency?

Are key personnel aware of the plan and how to respond to the emergency?

Recommendation

Office Equipment is unsecured against burglary

Unsecured physical network components and devices such as computers, servers, and external drives present a risk of sensitive data loss through theft, seizure, and malicious interference. Access to network components and servers should be limited, and devices should be secured when not in use.

In the event of a burglary or office raid, an attacker could easily obtain sensitive information from devices without encryption, external hard drives, and other easily accessible items. An advanced attacker could compromise the network for later surveillance.

Secure Devices

Lock in desks or via security cables all easily portable items

Any device which connects to the organization's digital assets (and therefore has passwords or cached data) or stores organizational data (including backup drives, laptops, desktops, cameras, other storage media), should be secured (ideally out of sight, such as in a locked cabinet or desk drawer) when not in use to prevent theft and discourage seizure.

Follow the Device Assessment guidelines on drive encryption.

Encrypted drives offer the best protection against data loss from stolen or seized devices. Follow the recommendations of the Device Assessment section, paying specific attention to the need for strong passwords, automatic locking of logged-in accounts, and the importance of turning a machine off to fully benefit from drive encryption.

Place core network components and servers in a locked space.

Direct access to servers and network components such as routers, cablemodems, patch panels and switches provides an adversary multiple ways to extract sensitive information and cause extensive, yet hard to detect, damage. Ensuring that not only are these physically protected, but that there are organizational policies around which staff have access to them is critical - a locked cabinet that always has the key in the lock does not provide security. If a particular component needs, for example, regular rebooting, creative solutions should be found to balance security and staff needs.

De-activate unused network ports

Hard-wired network ports tend to connect directly into the most trusted parts of a network. De-activating any that are in public areas of the office (front desk, conference rooms, break rooms), as well as any that are not needed is recommended.

Operational Security Survey

Summary

This activity helps the auditor assess the organization's current operational security policies and practices through in-person or remote surveys and/or interviews. By also requesting to review any official policies, and by conducting multiple iterations of this with different staff members, some basic verification of the practices and of staff awareness/understanding of existing policies can be achieved.

Overview

The auditor interviews and/or requests survey input from organizational representatives, requests supporting documentation (e.g. policies) as relevant, and iterates/repeats as needed.

This activity is used to solidify the auditor's understanding of the physical risks the organization faces in its work as they impact information security:

This can be done entirely remotely over secure communications channels (see operational security considerations), and may be useful to be done partially or fully in advance of an in-person audit to further understand operational risks of traveling to the office location.

Materials Needed
Considerations
Walkthrough

This activity should build on the preparation work of the auditor, as well as the capacity assessment and context research work:

Once an initial interview or survey has taken place (as part of the capacity assessment or dedicated to the above-mentioned questions), send a follow-up request for any policies mentioned or referred to (travel policies, onboarding/offboarding policies for staff changes, personal device usage ("BYOD") policies, etc.). After reviewing those documents, request any additional policies those may refer to (general IT or security policies), and/or schedule a follow-up interview or informal survey to dig deeper into remaining unanswered questions on the operational security situation of the organization as well as their adaptations to it. In the (likely) case where there are no policies governing these topics, the auditor can ask their points of contact for these discussions what the general practices are, and expand and verify this through additional activities.

In creating new questions, be careful not to "lead" on security in a way that would discourage honest and transparent responses. For example, ask "Do you host community events and trainings?" instead of "Do you allow outside people into your office?"

Below are questions not already covered in the capacity assessment interview process, and after that selected questions from that process which are of particular use here.

Office layout and access

Has the organization dealt with robberies/theft, break-ins, or office raids? If so, what happened, when, and how did you respond (or do you have a policy or contingency plan? When was that last reviewed/updated?)

Who has independent access to the office space and routine after-hours access (i.e. who is able to unlock the space)? This may include security, cleaning or other building service personnel.

Programs and staff

Selected questions from the Capacity Assessment Interview, "Open Up" section:

From "Threat Information"

From the Technical Only section:

Recommendation

See recommendation section in the Guided Tour activity.

For useful organizational policy recommendations, review the SANS Information Security Policy Templates.

Office Mapping

Summary

This activity seeks to identify potential physical vulnerabilities to an organization's information security practices by documenting the current physical layout of the office and the locations of key assets, as well as potential "external" risks such as nearby/shared office spaces.

This can be done in person independently or alongside the "Guided Tour" activity, and can also be done in advance of an assessment or remotely by a willing staff member who knows where these assets are located (often a technical or administrative staff person). This can also be conducted in a multi-office or home-office environment where the auditor is unable to visit every location.

Overview

In this activity, the auditor or the organization draws a map of the office space and notes locations of potentially valuable information or assets.

This activity can be paired with the Guided Tour activity, to reduce the awkwardness of taking notes while walking around the office during the Tour, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each. This can also be done by an organizational point of contact in advance to provide additional preparation for the auditor.

Materials Needed
Considerations
Walkthrough

Walk around the office and draw a map of the floor plan (do not rely upon memory). Consider taking photos of specific areas (e.g. confusing layouts or areas difficult to capture in a drawing). Make notes of where intruders could gain access to the office, where sensitive data may live (in the executive director's desk, in a storage closet, on devices), and other relevant items. Also note the overall privacy that the office provides (is it a shared office space, a shared building, etc.).

Note the locations of any of the following that apply:

If doing this activity remotely and/or in advance of an audit, it may be useful to have multiple staff members independently draw maps and to provide the organization with additional guiding questions:

Recommendation

See recommendation section in the Guided Tour activity.

Scavenger Hunt

Summary

This activity assists in identifying potential physical security concerns at an organization, particularly when an auditor cannot travel to the office location or cannot visit every office location. The scavenger hunt approach focuses on involving the organization's staff members in mapping out potential threats by abstracting and gamifying the physical security mapping process. See the "Risk Hunting" exercise in SaferJourno, page 19, for additional ideas and guidance on conducting this activity.

Overview

A local facilitator is required to lead this "scavenger hunt" in which staff members seek out potential physical security challenges themselves. This activity should only be conducted in an environment with a high level of trust and consent. The auditor should get the agreement of the host NGO to involve all staff members in the exercise, to avoid causing trust issues. By involving the staff members in identifying physical security risks, you are also taking a step toward increasing awareness of these issues.

With facilitation, staff members will explore their own office looking for potential physical security risks and share results. To reduce the risk of individual staff embarrassment, they will first review their own working space and secure it before looking around other parts of the office. The facilitator, in consultation with the auditor and the organizational point of contact, may declare some areas "off limits".

Materials Needed
Considerations
Walkthrough

The auditor should first meet with the facilitator (possibly over secure videochat) to brief them on the activity and map out potential challenges (particularly around trust, organizational hierarchies, and any potential repercussions).

The auditor then prepares a checklist of physical vulnerabilities with the facilitator, based on the current understanding of the organization's assets and the context they are operating within. The auditor, facilitator, and organization point of contact should decide if any areas are "off limits." Note that this is only a list of suggestions; as with the "Risk Hunting" exercise in SaferJourno, it should be modified to fit the requirements, assets, and threats the organization faces:

At the organization, the facilitator explains the activity to the organization members. To balance the need for consent with the benefits of identifying actual daily practices which may need improvement, the staff should already be aware that examining physical devices is part of the audit scope, but not the specific activity. Staff will be able to first identify and address their personal concerns before others.

Recommendation

(See "Guided Tour")

Monitor Open Wireless Traffic

Summary

It can be valuable to listen to broadcast wireless traffic at the physical office location, even before knowing anything about the organization's network itself. This outside, passive information gathering can reveal a surprising amount of data: not only which devices are connecting to which networks, but also what type of devices they are (based on the vendor prefix of their MAC addresses), and what other networks those devices have historically connected to. These probes can reveal personal, organizational, locational, and device information that, taken in context, can be dangerous or lead to other vulnerabilities.

Overview

Each wireless device maintains a "memory" of the networks it has successfully connected to. When looking for a network, a device may send out "probe requests" naming the networks in this memory. This data is broadcast widely and can be collected without any network access, only proximity to the device. Note that current mobile and desktop operating systems mostly send broadcast probes that name no network, and only probe by name for saved networks that are hidden, so on a modern fleet you will usually see fewer named probes than the sample output below suggests; a hidden office network therefore makes its clients leak more, not less.

These network probes can often contain names (especially from mobile phone tethers), organizational affiliations, device manufacturers, and a mixture of other potentially valuable data (home network names, recent airports/travel locations, cafés and conference networks). If there are many networks in the office's vicinity, this activity can also help identify the specific office network (if there is any doubt). In many cases, an organization may not want the name of its wireless network to be associated with the organization, but this additional metadata may reveal it anyway.

Client probe requests can "de-anonymize" a hidden network name as well as provide rich content for social engineering attacks. This provides an only-lightly-invasive introduction to a discussion of the trackability of devices, particularly mobiles and laptops.

Materials Needed
Considerations
Walkthrough
Step 1: Monitor Mode

Disconnect from any wifi network you may be connected to, so that the adapter can capture the widest amount of data.

Switch your wireless adapter to monitor mode:

$ airmon-ng start <interface>

You may need to stop your network manager to prevent it from interfering. Running

$ airmon-ng check

lists any processes that are likely to cause problems, and

$ airmon-ng check kill

tries to stop them automatically. On older Upstart-based systems, running stop network-manager && stop avahi-daemon kept them from restarting; on current systemd-based distributions, stop the NetworkManager and avahi-daemon services with systemctl instead, and restart them when you are done.

Step 2: Listen for wifi probes.

Run airodump-ng on the monitor mode interface (mon0 on older aircrack-ng releases, wlan0mon on current ones; airmon-ng prints the name it created). airodump-ng records beacons from access points and probe requests from clients, so you can begin analyzing who is on which network and see the networks clients have previously used.

airodump-ng -w filename mon0

This scans all channels, collecting broadcast network information. Note that, despite its broadcast nature, this is privacy invasive and can be considered illegal: http://www.slate.com/blogs/future_tense/2013/09/16/google_street_view_wi_fi_snooping_case_good_news_and_bad_news.html . You can restrict this to a specific channel or base station ID (BSSID) with -c and --bssid:

airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w filename mon0

Step 3: de-auth (optional)

Send de-authentication packets to force clients to reconnect and send out additional probes. Note that, by its very nature, de-authentication causes annoying interruptions to wifi traffic: it breaks connections, drops Skype calls, and can make the wireless network temporarily unusable. Check with staff before doing this (to make sure no one is on a live webcast or an important VoIP call, and so that they expect some network instability).

$ aireplay-ng -0 1 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0

 15:54:48  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 1
 15:54:49  Sending 64 directed DeAuth. STMAC: [AA:BB:CC:DD:EE:FF] [ 5| 3 ACKs]

This command sends one round of deauthentication frames to one targeted client (the output above shows the size of the burst). "-0 10" would send ten rounds (potentially disconnecting the user multiple times!). With permission, you can also target all clients on a network by leaving out the "-c ..." flag.

There are scripts, like wifijammer, which use this same approach to jam all wifi connections in range of the attacking computer, so check against the documentation at http://www.aircrack-ng.org and act responsibly to protect yourself and the organization.

Step 4: MAC Address Research

The first three octets of each MAC address (the OUI) designate the vendor, which can reveal useful information in matching MAC addresses to devices. The full MAC address is a unique identifier, so never post or search using the full address. Note that, increasingly, devices use MAC address randomization, but where it is implemented it is often implemented poorly against even minimally determined adversaries, as per this 2017 research study. A randomized address can usually be recognized by the locally administered bit (bit 1 of the first octet) being set, in which case a vendor lookup on it is meaningless.

To compare found MAC addresses to the vendor database offline, you can download the full vendor database from IEEE or use the Wireshark list.

Step 5: Ongoing Monitoring

The longer you leave this running (particularly when staff are first entering the office or returning after lunch/meetings), the better sense of what devices are connected to the network you will get.

Watch which probes the various devices send out (especially when they are deauthenticated, as above). You will see each computer on the network, identified by its MAC address, broadcast information about previous networks to which it has connected.

BSSID              STATION            PWR   Rate   Lost   Frames  Probe

00:11:22:33:44:55  0F:3E:DF:DA:2D:E2  -67   0      0      234567  SampleOrg,linksys,John Smith's iPhone,Free Public Wifi
00:11:22:33:44:55  F8:7E:FC:03:CC:43  -80   -24    0      234567  amygreen,SampleOrg,android-hotspot,Starbucks,united_club,Dulles Airport WiFi
00:11:22:33:44:55  F8:19:F3:DF:75:19  -58   -54    0      234567  SampleOrg
00:11:22:33:44:55  38:08:95:EB:7E:0B  -75   -12    0      234567  HolidayInn,SampleOrg,John Smith's Mac mini,android-hotspot
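The -w option of airodump-ng also writes a CSV file (filename-01.csv) containing the access-point table, a blank line, and then the station table, whose last column holds the comma-separated probed ESSIDs. The following Python script is an added example and not part of the SAFETAG materials: it parses that station table, looks up each client's vendor prefix (Step 4), flags addresses with the locally administered bit set (where a vendor lookup is meaningless because the address is randomized or software-assigned), and lists which probed names match a pattern for the organization. The CSV text and the vendor table embedded in it are constructed for illustration; for real lookups load the Wireshark manuf file or the IEEE OUI list in the same prefix/name form.

```python
import csv
import io
import re

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv:
# an access-point block, a blank line, then a station block whose trailing
# comma-separated fields are the probed ESSIDs. The MACs are the sample
# addresses from the airodump-ng listing above.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2019-05-01 15:50:01, 2019-05-01 16:10:44, 1, 54, WPA2, CCMP, PSK, -40, 812, 0, 0. 0. 0. 0, 9, SampleOrg, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
0F:3E:DF:DA:2D:E2, 2019-05-01 15:51:10, 2019-05-01 16:10:40, -67, 234, 00:11:22:33:44:55, SampleOrg,linksys,John Smith's iPhone,Free Public Wifi
F8:7E:FC:03:CC:43, 2019-05-01 15:52:03, 2019-05-01 16:10:41, -80, 118, (not associated), amygreen,SampleOrg,Dulles Airport WiFi
38:08:95:EB:7E:0B, 2019-05-01 15:53:30, 2019-05-01 16:09:59, -75, 77, 00:11:22:33:44:55, 
"""

# Constructed vendor table in the "prefix<TAB>name" shape of the Wireshark
# manuf file. The names are placeholders, not real OUI assignments; load the
# real manuf file or the IEEE OUI list for actual lookups.
SAMPLE_OUI = "F8:7E:FC\tPlaceholderLaptopCo\n00:11:22\tPlaceholderRouterCo\n"

LOCALLY_ADMINISTERED_BIT = 0x02  # the U/L bit: bit 1 of the first octet


def load_oui(text):
    """Parse 'AA:BB:CC<TAB>name' lines into a prefix -> vendor dict."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            prefix, name = line.split("\t", 1)
            table[prefix.strip().upper()] = name.split("\t")[0].strip()
    return table


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set: a randomized or
    software-assigned address, so a vendor lookup on it is meaningless."""
    return int(mac.split(":")[0], 16) & LOCALLY_ADMINISTERED_BIT != 0


def parse_stations(csv_text):
    """Return the station block as dicts; the AP block before it is skipped."""
    stations, in_stations = [], False
    for row in csv.reader(io.StringIO(csv_text), skipinitialspace=True):
        if not row:
            continue
        if row[0] == "Station MAC":
            in_stations = True
            continue
        if not in_stations or len(row) < 6:
            continue
        # csv splits the probed-ESSID list into extra columns; rejoin and resplit
        probes = [p.strip() for p in ",".join(row[6:]).split(",") if p.strip()]
        stations.append({"mac": row[0].upper(), "power": int(row[3]),
                         "bssid": row[5], "probes": probes})
    return stations


def report(csv_text, oui_text, org_pattern):
    """One record per client: vendor (or a randomized-address flag), whether it
    is associated, the networks it probed for, and which of those match the
    organization (case-insensitive regex). Keep the full MAC in your own
    notes only; never publish or web-search it."""
    oui = load_oui(oui_text)
    pat = re.compile(org_pattern, re.IGNORECASE)
    records = []
    for st in parse_stations(csv_text):
        if is_locally_administered(st["mac"]):
            vendor = "randomized/locally administered"
        else:
            vendor = oui.get(st["mac"][:8], "unknown OUI")
        records.append({
            "mac": st["mac"],
            "vendor": vendor,
            "associated": st["bssid"] != "(not associated)",
            "power": st["power"],
            "probes": st["probes"],
            "org_match": [p for p in st["probes"] if pat.search(p)],
        })
    return records


if __name__ == "__main__":
    import sys
    # usage: python probe_report.py capture-01.csv [manuf-file] [org-regex]
    csv_text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_CSV
    oui_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_OUI
    pattern = sys.argv[3] if len(sys.argv) > 3 else r"sample\s*org"
    for rec in report(csv_text, oui_text, pattern):
        print(rec)
```

Run it against your own capture with the real manuf file as the second argument; the organization pattern is a regular expression matched case-insensitively against every probed name. The first sample station above is reported as locally administered because its first octet has bit 1 set. Treat the output as audit notes: it contains full MAC addresses and personal network names and should stay within the encrypted audit materials.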
Recommendation
Recommendation: Cleanse wifi network connection history

For most devices, deleting networks from the “saved” network list will stop them from being probed. Obviously, this can be an annoyance for networks you regularly connect to, so renaming these networks to non-revealing names would help, as would creating non-name-associated “guest” networks for colleagues connecting to your home network.

On iPhones and iPads it is not possible to selectively remove historical networks unless you are currently in range of that network. It is however possible to remove all history: go to Settings > General > Reset > Reset Network Settings (on recent iOS versions this lives under Settings > General > Transfer or Reset iPhone > Reset). When you take this step, it is worth going through this reset multiple times – approximately once per year of device ownership, as the first reset appears to only remove recently-connected networks, and older networks will still be broadcast.

Recommendation: Use innocuous network names

Organizations may want to choose innocent or generic network names and/or not broadcast network names. It is worth noting that devices seeking out hidden networks must send probe requests naming the actual network, so hiding the name has extremely limited security use (it makes the organization's own clients announce the name wherever they go) and must be combined with other protective measures. See this Acrylic blog post for further details.

It is worth noting that wifi access points are also tracked to assist in location services, and as such the location of a wireless network can be learned from its name or the MAC address of the access point. WiGLE is a community-managed database for such information, but both Google and Microsoft, and likely many others, also track this locational information, so the opt-out information below is only minimally useful.

Removal options: See wikipedia for public listings. Some opt-out options exist below:

Wireless Range Mapping

Summary

This component allows the auditor to show the "visibility" of an organization's wireless network to determine how far the organization's wireless network extends beyond a controlled area. Wireless networks are often trusted as equivalent to the hardwired office networks they have largely replaced, but they have important differences. Wireless networks are often "visible" from outside the walls of the office - from common spaces or even the street. Without further access, this reveals a wealth of information about the organization's size and the type of devices connecting to their network.

Overview

This component consists of wireless scanning and wireless signal mapping. It is useful for organizations with offices in shared spaces/buildings/apartment complexes or near locations where an adversary could easily "listen" to network traffic. In conjunction with the Monitoring Open Wireless Traffic exercise, it can also identify devices using that network. It is useful to do this in parallel with Office Mapping to build a more comprehensive view of the information assets of the organization.

Materials Needed
Considerations
Walkthrough

Map the range of the organization's wireless network outside of the office space, using wifite or other tools to track network strength.

A variety of apps and tools can support this work without resorting to professional "wifi site survey" tools. If the Office Mapping exercise has taken place, that map can serve as the starting point to expand the map outside the office. If using a third-party tool or app, ensure that the app is not sharing sensitive data. Using simple signal strength monitors in combination with location notes is more than sufficient. On Linux systems, one can use wavemon, kismet, wifite, and even the NetworkManager command line tools to track visible networks and their strengths, as described on StackExchange (replace wlx10feed21ae1d with the name of your own adapter; --rescan yes forces a fresh scan rather than the cached list):

watch -n 2 'nmcli -f CHAN,BARS,SIGNAL,SSID device wifi list ifname wlx10feed21ae1d --rescan yes | sort -n'
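A simple way to turn signal readings into a range map is to log, at each point where you stand, the best signal strength nmcli reports for the office SSID. The following Python script is an added example, not part of SAFETAG or NetworkManager: it parses the terse output of nmcli device wifi list, picks the strongest reading for the target SSID, counts how many BSSes advertise that name (several usually means several access points or a repeater), and appends one row per location to a CSV that can later be drawn onto the office map. The nmcli output embedded in it is constructed; the live scan requires Linux with NetworkManager.

```python
import csv
import subprocess
from datetime import datetime, timezone

# Constructed sample of `nmcli -t -f CHAN,SIGNAL,SSID device wifi list`
# terse output: colon-separated, one network per line, with a ':' inside a
# value escaped by nmcli as '\:'.
SAMPLE_NMCLI = """\
1:72:SampleOrg
6:41:Neighbour\\:Cafe
11:23:SampleOrg
"""


def parse_nmcli(text):
    """Return [(channel, signal, ssid)] from terse nmcli output. CHAN and
    SIGNAL are numeric, so the first two ':' are safe split points; the rest
    is the SSID with nmcli's '\\:' escape undone."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        chan, signal, ssid = line.split(":", 2)
        rows.append((int(chan), int(signal), ssid.replace("\\:", ":")))
    return rows


def strongest(rows, ssid):
    """Best signal (0-100 as nmcli reports it) for the target SSID, or None
    when the network is not visible from this position."""
    hits = [sig for _, sig, name in rows if name == ssid]
    return max(hits) if hits else None


def reading(location, rows, ssid, when=None):
    """One survey-log record: where the auditor stood, whether the office
    network was visible, its best signal, and how many BSSes carry the name."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    best = strongest(rows, ssid)
    return {
        "time": when,
        "location": location,
        "ssid": ssid,
        "visible": best is not None,
        "signal": best if best is not None else 0,
        "bss_count": sum(1 for _, _, name in rows if name == ssid),
    }


def append_reading(path, rec):
    """Append one record to the survey CSV, writing the header on first use."""
    with open(path, "a", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rec))
        if fh.tell() == 0:
            writer.writeheader()
        writer.writerow(rec)


def scan(ifname):
    """Live scan through nmcli (Linux with NetworkManager); --rescan yes
    forces a fresh scan instead of returning the cached list."""
    out = subprocess.run(
        ["nmcli", "-t", "-f", "CHAN,SIGNAL,SSID", "device", "wifi", "list",
         "ifname", ifname, "--rescan", "yes"],
        check=True, capture_output=True, text=True).stdout
    return parse_nmcli(out)


if __name__ == "__main__":
    import sys
    # usage: python range_map.py <ifname> <ssid> "<location label>" [log.csv]
    ifname, ssid, location = sys.argv[1:4]
    log = sys.argv[4] if len(sys.argv) > 4 else "range-survey.csv"
    rec = reading(location, scan(ifname), ssid)
    append_reading(log, rec)
    print(rec)
```

Take a reading at each doorway, corridor, stairwell, neighbouring suite and street position you can reach, using the same labels you put on the office map; a location where the office SSID is visible at all is within passive-capture range, whatever the signal number says.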
Recommendation

Depending on office layout, moving the wireless access point may reduce how far the network extends outside the office space, and connecting devices that do not move by cable makes this possible without loss of functionality.

See also Monitoring Open Wireless Traffic recommendations and Network Access security recommendations.

A Day in the Life

Covered in full in User Device Assessment:

Process Mapping and Risk Modeling

Summary

This component allows an auditor to lead the host organization's staff in a series of activities to identify and prioritize the processes that are critical for the organization to carry out its work. These activities will also reveal the consequences if those critical processes were interrupted or exposed to a malicious actor. This results in the staff creating a risk matrix which is used as the foundation of the auditor's recommendations.

Purpose

Having the host organization central to the risk assessment process allows the auditor to put their threats and recommendations into the host's own narrative. With greater ownership of the process, the staff will be more engaged in addressing the threats identified when the audit is complete. [70] By engaging as many staff as possible, the auditor also provides a framework for staff to examine future concerns when the auditor is gone. The existing formal and informal security practices captured during this process will be used to remove organizational and psycho-social barriers to starting new practices.

The Flow of Information

Figure: Risk Modeling Information Flow

Guiding Questions

Approaches

Note: Risk modeling will require a mixed approach of exercises, and the order which you identify each component will vary depending upon the organization.

If it was not possible to conduct these activities in person, you can conduct them remotely through applying one of the remote facilitation approaches described in the Remote Facilitation appendix.

Outputs

Operational Security

Preparation

Resources

Threat Modeling Resources (General)

Risk Assessment Activities

Threat Assessment Activities

Example text for introducing threats - Integrated Security

Written exercise: Threats assessment - Integrated Security

Facilitators Manual (With PDF download of "Threat Introduction Example Text" and "Threat Assessment Written Exercises") - Integrated Security

Analyzing Threats: Chapter 3 - Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Risk Matrix Activities

Risk Assessment: Chapter 2 - Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Alternative Risk Modeling Activities

Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Activities

Process Mapping

Summary

This activity helps to identify the processes that allow the organization to function (publishing, payment, fund-raising, outreach, interviewing), the assets and systems (websites, software, PayPal) they rely on, and which of these are critical to the organization's work.

Participants are asked to "brain-storm" a list of all the processes that are critical for their work and the auditor works to map the details of critical processes out to expose points of risk.

Overview

If it was not possible to conduct these activities in person, you can conduct them remotely through applying one of the remote facilitation approaches described in the Remote Facilitation appendix.

Materials Needed
Considerations
Walkthrough

The goal of this exercise is for the auditor to lead the host participants in "brain-storming" and mapping all the processes that are critical for the organization to carry out their work.

Additional Material

Getting Started

The auditor gives the participants a few example processes for a small independent media outlet.

Once the participants have brainstormed these out, the facilitator leads the participants in identifying the critical processes (this may be all of the processes identified).

The trainer then begins a free-hand process mapping activity for each process. You will be "charting the sequence of events of the work."

A Process Map shows

Conducting the Activity

NOTE: If an auditor does not ensure that the uniquely identified subset of processes speaks to the full range of participants, their recommendations are more likely to be met with resistance.

While doing this, it is important to consider the level of detail you will be mapping out (this should be pre-determined or established so everyone is on the same page).

How to make a process map

This process map will be used to develop our asset map.

"Draw the flowchart initially to represent the operation, as it actually happens - NOT what you might prefer it to be! Use a flip chart or whiteboard to produce your initial charts"

"WHO does WHAT (Job title/Function e.g. Level A1)
WHAT is done and WHEN
What DECISIONS have to be taken and
What possible paths follow from each decision"

Keep it simple to facilitate broad understanding of the OVERALL process. Too much detail early on can be overwhelming and/or lead to confusion. If you agree that more detail is required on a particular action, it is easy to highlight that box and produce a separate chart showing the process taking place within.

Recommendation
This activity can lead to feelings of hopelessness; it is important to remind the staff that any risk can be mitigated, and indeed that the goal of an audit is to identify the highest-priority risks based on actual likelihood and provide guidance on mitigation.

Risk Modeling Using the Pre-Mortem Strategy

Summary

The pre-mortem strategy was devised to take participants out of a perspective of defending their plans and strategies and shielding themselves from flaws. They are given "a perspective where they [are] actively searching for flaws in their own plan." [71]

Overview
Materials Needed
Considerations
Walkthrough
Additional Material

Getting Started

Conducting the Activity

Pre-Mortem Strategy: (30 Minutes) The pre-mortem strategy was devised to take participants out of a perspective of defending their plans and strategies and shielding themselves from flaws. They are given "a perspective where they [are] actively searching for flaws in their own plan." [72]

Process/Interaction Mapping (30 minutes per process):

Recommendation
This activity can lead to feelings of hopelessness as well as stir up direct fears or challenges that the staff face. It is important to remind the staff that any risk can be mitigated, and indeed that the goal of an audit is to identify the highest-priority risks based on actual likelihood and provide guidance on mitigation.

Risk Matrix

Covered in full in Threat Identification:

Critical Data Activity

Covered in full in Data Assessment:

Responding to Advanced Threats

Summary

This component allows the auditor to be able to identify, triage, and analyze suspicious behavior on a device or in a network. Depending on the analysis, the auditor may need to further investigate a malware infection, or analyze a binary and determine if it is malicious or not.

Purpose

It is very common to find suspicious behaviors, processes, traffic and other ‘weird activities’ during a SAFETAG audit. SAFETAG practitioners should always be on the lookout for suspicious activities as they apply other SAFETAG methods and their activities, from interactions and discussions with staff to hands-on device assessment and traffic analysis.

Due to the limited window of time, the auditor should focus on identifying suspicious activities and triaging them rapidly. Many of these will be false positives caused by other, non-malicious software making the machine behave oddly, or (most commonly) by less serious and non-targeted malicious software such as adware. When this cannot be ruled out, collecting evidence, running basic analysis, and assessing the risk and impact against organizational priorities will help prioritize further action. In-depth binary analysis is usually best kept for post-audit work during the reporting and follow-up phases.

The Flow of Information

Figure: Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Malware Analysis

Activities

ADVANCED THREAT

Summary

Malware is a common tactic used to target organizations. Malware such as a RAT (Remote Access Trojan) can give an attacker back-door access to a targeted machine, enabling the attacker to steal information, record audio and video, and run commands on the infected machine.

To stop it, you have to identify the malicious process on the system and stop it, or reformat the machine if there is no time to spend isolating the malicious process.

It is important to keep evidence. If the auditee still has access to the original malicious file, email, etc. that they received, keep a copy of it in case you want to investigate further or submit it to another organization that analyzes such attacks.

Scanning the possibly infected machine or the original suspicious file with an anti-virus scanner will save time and effort if the scanner already knows the malware and has it in its database; it will also reassure you if the machine turns out to be infected only with non-serious malware such as adware, or not infected at all.

Once you know the machine is infected, help the auditee back up their data, scan the backup for malware, and then reformat the infected machine; it is hard to clean an infected machine in a short window of time.

If the machine was infected, taking an image of the disk will allow you to replicate the infected machine and examine it after you finish the audit for more in-depth investigation, or send it to an expert to investigate.

Overview

Scanning suspicious files

Scanning suspicious machines

Take an image from the hard disk

Submit the image for in depth investigation

Back up data

Reformat the machine

Transfer the data back

Materials Needed

A Linux Virtual machine connected to the Internet

VPN

USB drive

External Hard disk

Considerations
Walkthrough

We will be using the following walkthrough

Questions to ask the user / organization

* What suspicious behaviors are you witnessing on the Machine?
* What makes you feel that the machine is somehow infected?
* Do you have an alternative to this machine so you can use it until we clear things up?
* Did you receive any email, attachment or different form of communication that made you feel this way?
* Do you still have access to the original email, attachment or any form of communication?
* Can you share it with me?

Collect the binary from the targeted person or organization by asking them to forward you the suspicious email including any attachment, or by copying the file to a USB drive if it is still on the machine. If the user does not remember where the file is located, ask them to walk through their browsing history or downloads folder to locate it, then copy it to your USB drive. Do not open or run the file on your own machine.

Initial investigation: in this stage you scan the file using ClamAV, which comes with Kali Linux (update its signature database first).

If the scan finds the file malicious, the result will show what type of malware it is. If the result classifies the file as a Trojan, backdoor, agent or Remote Access Trojan (RAT), it is time to consider taking an image of the hard drive and submitting it, the original file and the email headers for in-depth investigation.

If the organization is highly targeted by an advanced attacker, there is a high probability that the attacker uses custom-built malware, which means no anti-virus will flag it as malicious. In this case, if you still have doubts that a "clean" file is in fact malicious, submit it for in-depth analysis.

You will need at least one hour to prepare and carry out the advanced investigation. This step is optional, for when you have time, still have doubts about the file, and need a more advanced result. In this step, you analyze the suspicious file using Cuckoo Sandbox, an automated malware analysis system. If you decide to go with this option, you will need Linux installed on your audit machine; you can use this guide to install Kali Linux.

In this step, you are dealing with a machine infected by one of the binaries you analyzed in the earlier steps, or one you are sure is infected and have no time to analyze. In this case, take a backup, migrate the data safely to a new machine, take a full image of the system, and submit it for more in-depth analysis.
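Before anything is scanned, the evidence the steps above describe (the original email, its headers, and the attachment) should be captured in a form that can be handed on to an outside analyst. The following Python script is an added example, not part of the SAFETAG materials: it reads a raw .eml, records the sender, Reply-To, Message-ID and the Received chain in transit order, hashes every attachment without opening it and flags executable or double extensions, and parses the output and exit code of clamscan for any files you choose to scan. The message embedded in it is constructed, with hosts under the reserved .invalid domain and a harmless text "attachment"; ClamAV is only invoked if clamscan is installed.

```python
import email
import email.policy
import hashlib
import json
import re
import shutil
import subprocess
import sys

# Constructed sample message (hypothetical hosts under the reserved .invalid
# TLD); the "attachment" is the text "not a real payload", base64-encoded.
SAMPLE_EML = b"""\
Received: from mail.example-org.invalid (mail.example-org.invalid [192.0.2.10])
\tby mx.example-org.invalid with ESMTP id abc123; Tue, 7 May 2019 09:12:01 +0000
Received: from relay.example.invalid (unknown [198.51.100.7])
\tby mail.example-org.invalid with SMTP; Tue, 7 May 2019 09:11:58 +0000
From: "Grants Office" <grants@example-funder.invalid>
Reply-To: grants.office.2019@example-freemail.invalid
Subject: Revised budget - please review
Message-ID: <20190507091158.7F3A@relay.example.invalid>
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Please see the attached revised budget.
--B1
Content-Type: application/octet-stream; name="budget.pdf.exe"
Content-Disposition: attachment; filename="budget.pdf.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBwYXlsb2Fk
--B1--
"""

EXEC_EXT = re.compile(r"\.(exe|scr|js|vbs|jar|bat|cmd|hta|ps1|lnk|docm|xlsm)$", re.I)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if addr else ""


def summarize_message(raw):
    """Evidence record for a raw .eml: sender and Reply-To (and whether their
    domains differ), Message-ID, the Received chain oldest hop first, and for
    every attachment its size, SHA-256 and a name-based warning. Attachments
    are hashed, never opened or executed."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else ""
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": name,
            "size": len(data),
            "sha256": sha256_hex(data),
            # executable extension, or a double extension such as budget.pdf.exe
            "suspicious_name": bool(EXEC_EXT.search(name)) or name.count(".") > 1,
        })
    # Each hop prepends its Received header, so reverse to follow the path taken
    hops = [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]
    return {
        "subject": str(msg["Subject"]),
        "from": sender,
        "reply_to": reply_to,
        "reply_to_mismatch": bool(reply_to) and domain(reply_to) != domain(sender),
        "message_id": str(msg["Message-ID"]),
        "received_chain": hops,
        "attachments": attachments,
    }


# clamscan prints one "path: Signature FOUND" line per detection
CLAM_FOUND = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")


def parse_clamscan(output, returncode):
    """clamscan exits 0 when clean, 1 when something was found, 2 on error."""
    detections = {}
    for line in output.splitlines():
        m = CLAM_FOUND.match(line)
        if m:
            detections[m.group("path")] = m.group("sig")
    status = {0: "clean", 1: "infected", 2: "error"}.get(returncode, "unknown")
    return {"status": status, "detections": detections}


def clamscan(path):
    """Scan one file with ClamAV if it is installed (run freshclam first so the
    signatures are current); returns None when clamscan is not on PATH."""
    if shutil.which("clamscan") is None:
        return None
    proc = subprocess.run(["clamscan", "--no-summary", path],
                          capture_output=True, text=True)
    return parse_clamscan(proc.stdout, proc.returncode)


if __name__ == "__main__":
    # usage: python triage_evidence.py message.eml [file-to-scan ...]
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    record = summarize_message(raw)
    record["clamscan"] = [clamscan(p) for p in sys.argv[2:]]
    print(json.dumps(record, indent=2))
```

Save the JSON next to the original .eml and the attachment copy on the evidence USB drive; the hashes let a later analyst confirm they received the same file, and a Reply-To domain that differs from the sender's is a common sign of a lure. A "clean" verdict from clamscan only means the signature database did not match, which is exactly the case for custom-built malware described above.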

Threat Hunting

If you went through the entire process and still have doubts about a file, email or process, or have other reasons to believe the organization may have undetected malware, you will probably need to work through a specific threat hunting procedure that matches your needs, the organization's assets, and the threat profile of potential adversaries.

The ThreatHunting.net project collects different threat hunting techniques in its GitHub repo.

The threat hunting procedures provided there guide you in addressing your doubts about a specific issue, which means you have to be able at least to identify the category of the possible threat before applying the steps provided by the ThreatHunting.net project.

Recommendation

Threat Assessment

Summary

This objective uses a variety of activities to identify possible attackers and gather background information about the capability of those attackers to threaten the organization. This consists of identifying a particular attacker's history of carrying out specific threats, their capability to carry out those threats currently, and proof that the threat has intent to leverage resources against the target.

Purpose

Checking the assumptions of both the organization and the auditor by researching current threats ensures that the auditor bases their work on accurate assessments of the conditions the organization faces and makes informed operational security considerations. Giving the staff greater ownership of the process provides an opportunity for them to explore their threat landscape and become more engaged in addressing the threats identified when the audit is complete. By engaging with as many staff as possible, the auditor provides a framework for staff to carry out threat identification when the auditor is gone.

The Flow Of Information

Figure: Threat Assessment Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Threat Assessment Activities

Example text for introducing threats - Integrated Security

Written exercise: Threats assessment - Integrated Security

Facilitators Manual (With PDF download of "Threat Introduction Example Text" and "Threat Assessment Written Exercises") - Integrated Security

Analyzing Threats: Chapter 3 - Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Threat Modeling Resources (General)

Threat research by focus area

Threat research by method

General Threats by Region

Technical Threats

Targeted Malware
Censorship and Surveillance Reports

Travel Threats

Activities

Pre-Mortem Risk Modeling

Covered in full in Risk Assessment:

Critical Data Activity

Covered in full in Data Assessment:

Threat Identification

Summary

These activities build off of a process or data mapping exercise to connect actual processes or assets and data of the organization with potential threats, then drilling down into specific, likely threats the organization faces, adversaries who might take advantage of them, and the impact of this happening.

The goal is to be able to answer the following questions:

Threat History

Threat Capability

Threat Intent

Overview
Materials Needed
Considerations
Walkthrough

Threat Identification: (30 minutes per process)

Impact Identification: (30 minutes per process) This exercise has the trainee lead the participants on a brainstorming of hypothetical consequences (impacts) when the threats identified earlier occur.

Adversary Exploration (Likelihood):

Impact Ranking: The goal of this exercise is to have the trainee lead the host organization in classifying the severity of the possible impacts from the threats they have just explored.

Recommendation

Creating a Risk Matrix

Summary
Overview
Materials Needed
Considerations
Walkthrough

After the activities are complete the auditor has tasks that build upon the outputs of the activities. These can be completed offsite.

Risk vs Difficulty
Risk vs Likelihood
Impact vs Severity
Recommendation

Threat Interaction

Summary

This helps the auditor enumerate threats that the organization is concerned about and the internal priorities of them. At the same time, it enables a discussion of how threats can interrelate and helps define the difference between a threat and a risk (a threat that has a vulnerability associated with it), and the value of mitigation.

This exercise works well with larger groups, and can be woven in to the Threat Identification activity.

Overview
Materials Needed
Considerations
Walkthrough

Also review the Threat Identification exercises below to tailor these to best meet your information gathering needs based on your interactions with the organization.

Threat Brainstorming (15 minutes)

Split participants into small groups. This grouping is particularly valuable for larger organizations, but even for small ones, having multiple separate groups helps reveal shared concerns around the threats the staff face. For a group too small to split, have each staff member brainstorm alone.

Have each group or staff member quickly write down any possible "threat" they or the organization face. Some examples ("kidnapping," "website hacked") can help seed this activity.

If you have multiple colors of stickies, having them categorize threats by "physical," "digital," or "other/both" will be useful to show their inter-relation.

Keep reminding participants of the time remaining to keep them brainstorming rather than discussing threat details or arguing over whether a threat is physical or digital.

Threat Clustering and Discussion

After the brainstorming (or other exercises to generate or present a list of concerns), gather and cluster the stickies on a wall, revealing duplicate concerns across the groups and thematic areas of concern.

As clusters become clear, ask whether any events similar to this threat have already happened to the organization. What was the impact? Has it happened more than once? Regularly? Mark these threats.

Note: Some of these threats may be traumatic experiences; consider skipping public discussion of historical occurrences if many of the threats from the brainstorm (or from one person or group in particular) are particularly intense.

Threat Bow-tie

Select one of the threats that emerged as a concern from the clustering to place at the center of a "bow-tie" like drawing on a whiteboard or flip-chart paper.

Begin by asking what other identified threats could come as a result of this threat, supplementing the participants' responses with additional threats. For example, a hacked website could lead to loss of trust by funders or partners. "Chain reactions" can be illustrated as lines of events (loss of trust by funders could lead to a loss of funding). Do the same for the threats that could lead to the "central" threat: a confiscated device could lead to email hacking, for example. Some threats can be both potential causes and secondary effects.

Close out this with a discussion of how every threat is potentially connected to both digital and physical impacts.
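The bow-tie drawn on the whiteboard is a directed graph of "threat A could lead to threat B" statements, and the questions the facilitator asks (what leads here, what follows from here, which threats sit on both sides) are graph traversals. The following is an added example, not SAFETAG's own code or tooling: the edge list is a constructed sample from an imaginary clustering session, and the function names are this example's own. It computes both sides of the bow-tie for a chosen central threat, lists the threats that are causes and effects at once (the loops the exercise points out), and enumerates the chain reactions as lines of events.

```python
"""Threat bow-tie as a directed graph.

Added example, not SAFETAG's own code.  An edge (A, B) records the whiteboard
statement "threat A could lead to threat B".  The sample edges are constructed.
"""
from collections import deque

# Constructed sample of "X could lead to Y" statements from a clustering session.
SAMPLE_EDGES = [
    ("device confiscated", "email hacked"),
    ("email hacked", "website hacked"),
    ("website hacked", "email hacked"),          # reused credentials: the effect feeds back into a cause
    ("website hacked", "loss of trust by funders"),
    ("website hacked", "loss of trust by partners"),
    ("loss of trust by funders", "loss of funding"),
]


def build_graph(edges):
    """Return (forward, backward) adjacency maps; every threat appears in both."""
    forward, backward = {}, {}
    for cause, effect in edges:
        forward.setdefault(cause, set()).add(effect)
        forward.setdefault(effect, set())
        backward.setdefault(effect, set()).add(cause)
        backward.setdefault(cause, set())
    return forward, backward


def reachable(adjacency, start):
    """Every threat reachable from `start` by following edges; `start` itself is excluded."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def bow_tie(edges, central):
    """Left side of the bow-tie (causes), right side (effects), and threats on both sides."""
    forward, backward = build_graph(edges)
    if central not in forward:
        raise KeyError(f"{central!r} was not among the identified threats")
    causes = reachable(backward, central)
    effects = reachable(forward, central)
    return {
        "central": central,
        "causes": sorted(causes),
        "effects": sorted(effects),
        "both": sorted(causes & effects),
    }


def chain_reactions(edges, central):
    """Every simple chain of events starting at `central`, as the exercise draws them."""
    forward, _ = build_graph(edges)
    chains = []

    def walk(node, path):
        extended = False
        for nxt in sorted(forward.get(node, ())):
            if nxt not in path:          # keep chains simple; loops show up in bow_tie()["both"]
                extended = True
                walk(nxt, path + [nxt])
        if not extended and len(path) > 1:
            chains.append(path)

    walk(central, [central])
    return chains


if __name__ == "__main__":
    tie = bow_tie(SAMPLE_EDGES, "website hacked")
    print("causes :", ", ".join(tie["causes"]))
    print("effects:", ", ".join(tie["effects"]))
    print("both   :", ", ".join(tie["both"]))
    for chain in chain_reactions(SAMPLE_EDGES, "website hacked"):
        print(" -> ".join(chain))
```

Run with the constructed sample and "website hacked" as the central threat, the left side is device confiscation and email compromise, the right side is the two losses of trust and the loss of funding, and "email hacked" appears on both sides because of the credential-reuse loop. Replacing SAMPLE_EDGES with the statements collected on the stickies gives the same summary for a real session.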

Threat Analysis Worksheet

The auditor should be able to modify and complete a worksheet like the one below at the end of this process. Particularly advanced organizations may be able to fill this out as a survey.

Calculative Impact Identification

Threat type | Impact | Likelihood | Risk
HUMAN THREATS
1. Accidental destruction, modification, disclosure of confidential information
2. Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge
3. Workload: Too many or too few system administrators, highly pressured users
4. Users may inadvertently give information on security weaknesses to attackers
5. Incorrect system configuration
6. Inadequate security policy
7. Dishonesty: Fraud, theft, selling of confidential information
8. Attackers may use the telephone to impersonate employees and persuade users/administrators to give out user names/passwords, etc.
GENERAL THREATS
1. Unauthorized use of "logged-in" computers
2. Installation of unauthorized software or hardware
3. Denial of service, due to Website traffic, large PING packets, etc.
4. Malware in programs, documents, e-mail attachments, etc.
IDENTIFICATION AUTHORIZATION THREATS
1. Attack software masquerading as normal programs (Trojan horses)
2. Attack hardware masquerading as normal commercial hardware
3. External attackers masquerading as valid users
4. Internal attackers masquerading as valid users
PRIVACY THREATS
1. Telephone eavesdropping (via telephone bugs, inductive sensors, or service providers)
2. Electromagnetic eavesdropping
3. Rubbish eavesdropping (analyzing waste for confidential documents, etc.)
4. Planted bugs in the building
INTEGRITY/ACCURACY THREATS
1. Deliberate damage of information by external sources
2. Deliberate damage of information by internal sources
3. Deliberate modification of information
ACCESS CONTROL THREATS
1. Password cracking (access to password files, use of default/weak passwords, etc.)
2. External access to password files, and sniffing of the networks
3. Unsecured maintenance of online services, developer backdoors
4. Bugs in network software which can open unknown/unexpected security holes (holes can be exploited externally to gain access)
5. Unauthorized physical access to systems
LEGAL THREATS
1. Failure to comply with legal requirements
2. Liability for acts of internal users or attackers who abuse the system to perpetrate unlawful acts (i.e., incitement to racism, gambling, money laundering, distribution of pornographic or violent material)
3. Liability for damages if an internal user attacks other sites
RELIABILITY OF SERVICE THREATS
1. Major natural disasters, fire, water, earthquake, floods, power outages, etc.
2. Minor natural disasters, of short duration, or causing little damage
3. Equipment failure from defective hardware, cabling, or communications system
4. Denial of Service due to network abuse: Misuse of routing protocols to confuse and mislead systems
5. Downloading of malicious Applets, ActiveX controls, macros, PostScript files, etc. through the browser
6. Sabotage: Physical destruction of network interface devices, cables

Risk = Impact * Likelihood

SCALE

Impact:
  1 = Impact is negligible
  2 = Effect is minor; major organization operations are not affected
  3 = Organization operations are unavailable for a certain amount of time, costs are incurred; public/customer confidence is minimally affected
  4 = Significant loss of operations, significant impact on public/customer confidence
  5 = Effect is disastrous; systems are down for an extended period of time; rebuilding and replacement of systems is required
  6 = Effect is catastrophic; critical systems are completely down for an extended period; data is lost or irreparably corrupted; public and customers are totally affected

Likelihood:
  0 = Unlikely to occur
  1 = Likely to occur less than once per year
  2 = Likely to occur once per year
  3 = Likely to occur once per month
  4 = Likely to occur once per week
  5 = Likely to occur daily
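Scoring the worksheet by hand for forty-odd rows is tedious and error-prone, and the ranked list is what feeds the risk matrix later. The following is an added example, not SAFETAG's own code: it encodes the two scales exactly as given above, refuses values outside them, computes Risk = Impact * Likelihood for a worksheet read from CSV, and ranks the rows. The CSV rows are a constructed sample that borrows category names from the worksheet, and the risk bands in risk_band() are this example's assumption, since the page only defines the two scales and the product.

```python
"""Scoring a Threat Analysis Worksheet with Risk = Impact * Likelihood.

Added example, not SAFETAG's own code.  The two scales are the ones given
above; the CSV worksheet below is constructed for illustration, and the risk
bands in risk_band() are an assumption (the page only defines the scales).
"""
import csv
import io

IMPACT_SCALE = {
    1: "negligible",
    2: "minor, major operations not affected",
    3: "operations unavailable for a time, costs incurred, confidence minimally affected",
    4: "significant loss of operations and of public/customer confidence",
    5: "disastrous, systems down for an extended period, rebuilding required",
    6: "catastrophic, critical systems down, data lost or irreparably corrupted",
}
LIKELIHOOD_SCALE = {
    0: "unlikely to occur",
    1: "less than once per year",
    2: "once per year",
    3: "once per month",
    4: "once per week",
    5: "daily",
}

# Constructed worksheet rows, using category names from the worksheet above.
SAMPLE_WORKSHEET_CSV = """\
category,threat,impact,likelihood
GENERAL THREATS,Malware in e-mail attachments,5,3
ACCESS CONTROL THREATS,Password cracking (default/weak passwords),4,3
HUMAN THREATS,Accidental disclosure of confidential information,3,4
RELIABILITY OF SERVICE THREATS,Power outages,2,5
PRIVACY THREATS,Planted bugs in the building,5,0
"""


def risk_score(impact, likelihood):
    """Risk = Impact * Likelihood, refusing values outside the two scales."""
    if impact not in IMPACT_SCALE:
        raise ValueError(f"impact {impact!r} is not on the 1-6 scale")
    if likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"likelihood {likelihood!r} is not on the 0-5 scale")
    return impact * likelihood


def risk_band(score):
    """Assumed reporting bands over the 0-30 range; not defined by SAFETAG."""
    if score == 0:
        return "unlikely"
    if score < 6:
        return "low"
    if score < 15:
        return "medium"
    return "high"


def load_worksheet(csv_text):
    """Parse a worksheet CSV (category, threat, impact, likelihood) into dicts."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        {
            "category": row["category"],
            "threat": row["threat"],
            "impact": int(row["impact"]),
            "likelihood": int(row["likelihood"]),
        }
        for row in reader
    ]


def score_worksheet(rows):
    """Add risk and band to each row and rank: highest risk first, impact breaks ties."""
    scored = []
    for row in rows:
        risk = risk_score(row["impact"], row["likelihood"])
        scored.append({**row, "risk": risk, "band": risk_band(risk)})
    scored.sort(key=lambda r: (-r["risk"], -r["impact"], r["threat"]))
    return scored


def render(scored):
    """Plain-text ranking suitable for pasting into an audit report draft."""
    lines = [f"{'Risk':>4} {'I':>2} {'L':>2}  {'Band':<8} Threat (category)"]
    for r in scored:
        lines.append(
            f"{r['risk']:>4} {r['impact']:>2} {r['likelihood']:>2}  {r['band']:<8} "
            f"{r['threat']} ({r['category']})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(score_worksheet(load_worksheet(SAMPLE_WORKSHEET_CSV))))
```

Ties are deliberately broken by impact rather than likelihood, so that of two threats with the same product the one whose single occurrence hurts more is listed first; a planted bug scored as unlikely (likelihood 0) correctly drops to a risk of 0 without being silently discarded, which keeps it visible for the "un-addressed concerns" discussion.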
Recommendation

Regional Context Research

Covered in full in Capacity Assessment:

Responsive Support

Summary

The auditor provides assistance for any immediate action needed (spot training, tool fixes, consulting on upcoming projects) -- this may also involve addressing vulnerabilities that triggered an incident response.

Purpose

In-audit activities and training are used to increase an organization's agency to seek out and address immediate security challenges within their organization, as well as enabling the organization to securely receive and store the audit report.

The Flow of Information

Responsive Support Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Facilitation Preparation

Digital Security Trainings

Digital Security Guides

Training Resources

Activities

Due to the wide variety of needs found during SAFETAG audits, the framework relies on the wealth of existing training curricula and digital security guides, listed below.

Of specific use are the following training guides from Level-Up. Review the Level-Up Curricula Guide prior to using these activities:

Debrief

Summary

This component consists of an out-brief to key points of contact, providing basic pressure relief through group and individual interactions, and planning future follow-up with the host and key individuals.

Purpose

SAFETAG is an auditing framework designed to connect small civil society organizations and independent media outlets to the digital security services they need. But, more than that, it is designed to provide audits that increase an organization's agency to seek out and address security challenges independently. This can be an auditor's last in-person chance to engage with the staff and shape their perspective of the audit.

The debrief allows the auditor to ensure that they leave the host and its staff ready to start addressing their digital security. By providing some immediate outcomes to the host and its staff, and in combination with training or security consultation in the Responsive Support section, the auditor can ensure that the host sees the audit as a guide instead of a condemnation.

The Flow of Information

Debrief Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Facilitation Preparation

Activities

Follow Up

Summary

This component allows an auditor to explain and get feedback on their report as well as evaluate the success of the process over time through a continued relationship with the host.

This component consists of the final meeting with the host and following up with them after a period of a few months to see if they need further assistance, are willing to share their experience working with any of the recommended resources, or as new resources are identified.

Purpose

Follow up can be a valuable tool for encouraging an organization to continue their digital security process. But, follow up needs to be desired by an organization and achievable for the auditor. As such, follow up must be minimally intrusive on both the auditor and the host's time.

The Flow of Information

Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Resource Lists

Possible Financial Resources for Host Organizations

International organisations that may provide security grants

Frontline Defenders Security Grants Programme (see also the "Alternative Sources of Funding" list on this page)

Digital Defenders Digital Security Emergency and Support Grants

Freedom House Emergency Assistance Programs

Digital Security Trainings

Emergency Resources

Emergency Aid for Journalists

International protection mechanisms for human rights defenders

What Protection Can The United Nations Field Presences Provide?

24/7 Digital Security Helpline: [email protected] PGP key fingerprint: 6CE6 221C 98EC F399 A04C 41B8 C46B ED33 32E8 A2BC

Rapid Response Network: [email protected] PGP key: 7218 4AA7 4ED2 05ED 9863 A2A7 1F84 9150 6BFC 20AC

Organizations providing rapid-response digital security support and funding

Activities

Follow-up Meeting

Summary

Schedule and hold a follow-up call to discuss the audit report. This provides a valuable touch-point for the organization to read the report and ask the auditor any clarifying questions, as well as for the auditor to underscore any important steps for the organization.

Overview
Materials Needed
Considerations
Walkthrough

Each organization, and often even each key point of contact within the organization, will want to explore the report in different ways. Adapt to the needs of the organization, but make sure you cover the top-priority recommendations that the organization needs to consider in the immediate future.

Ask the organization to fill out Staff Feedback Surveys.

Ask if they need any specific resources or introductions not included in the report.

At the end of the call, schedule a second follow-up call to check in on their progress.

Recommendation

Making Introductions

Summary

Make introductions between the host and known resources as needed.

Overview
Materials Needed
Considerations
Walkthrough

Based on the specific recommendations in the audit report, as well as the auditor's understanding of the organization's capacity and barriers faced, introduce the relevant points of contact at the organization to resources such as digital security trainers, funding organizations which provide targeted support for digital security, technical experts to help on specific tasks (e.g. server hardening, website migration), as well as services that could help address their needs (e.g. secure hosting providers, rapid response support).

Follow up with both the organization and the resources introduced to check in on progress, and revise which introductions you make going forward.

Recommendation

Long-Term Follow-up

Summary

Follow up with host after a few months to check on progress, get long-term feedback and connect with any new resources.

Overview
Materials Needed
Considerations
Walkthrough

This can be combined with the Staff Feedback Survey exercise, or to follow up on any concerns you have based on their responses to that survey. The main goal of the long-term follow-up is to ensure that the organization has ongoing connection points to any resources or connections they need to remove barriers to adoption.

Recommendation

Staff Feedback Survey

Summary

Providing a space for anonymous, guided feedback is valuable to gather information about how your audit work and the SAFETAG framework itself are supporting organizational understanding of risk and their ability to adapt. This long-term capacity building is critical to the SAFETAG framework, so finding ways to measure the impact of an audit towards these goals is important.

Overview
Materials Needed
Considerations
Walkthrough

This exercise provides a simple survey you can implement in a variety of settings (Google Forms, SurveyMonkey, via plain documents, etc.).

Sample Survey Questions

1. Before the audit:
   Completely False | False | I don't know | True | Completely True
   I understood the risks my organization faces. [ ] [ ] [ ] [ ] [ ]
   I understood the risks that I personally face. [ ] [ ] [ ] [ ] [ ]
   I understood the risks that my organization's beneficiaries face. [ ] [ ] [ ] [ ] [ ]
   The auditor understood the risks my organization faces. [ ] [ ] [ ] [ ] [ ]
   The auditor understood the risks that I personally face. [ ] [ ] [ ] [ ] [ ]
   The auditor understood the risks that my organization's beneficiaries face. [ ] [ ] [ ] [ ] [ ]
2. After the audit:
   Completely False | False | I don't know | True | Completely True
   I understood the risks my organization faces. [ ] [ ] [ ] [ ] [ ]
   I understood the risks that I personally face. [ ] [ ] [ ] [ ] [ ]
   I understood the risks that my organization's beneficiaries face. [ ] [ ] [ ] [ ] [ ]
   The auditor understood the risks my organization faces. [ ] [ ] [ ] [ ] [ ]
   The auditor understood the risks that I personally face. [ ] [ ] [ ] [ ] [ ]
   The auditor understood the risks that my organization's beneficiaries face. [ ] [ ] [ ] [ ] [ ]
3. Do you feel the audit took a reasonable amount of time?
4. Do you have any immediate behavioral changes you intend to make because of the audit?
5. Did the auditor provide you everything you need to start addressing your digital security?
6. Did any training that you received specifically address the risks identified during the audit?
7. Did the recommendations made by the auditor directly address the digital security needs you identified during the audit?
8. Did the recommendations made by the auditor address the digital security needs of your organization?
9. The recommendations from the audit...
10. The biggest barrier you see to implementing the auditor's recommendations is....
Recommendation

Reporting

Recommendation Development and Resource Identification

Summary

In this component the auditor identifies the organization's strengths and weaknesses (expertise, finance, willingness to learn, staff time, etc.) in adopting new digital and physical security practices, and documents the possible actions the organization could take to address the vulnerabilities found during the audit, the difficulty of taking on those actions, and the resources that the host may be able to leverage to address them. Resources can include, but are not limited to, local technical support and incident response groups/trade organizations, places to obtain discount software, trainers, and guides/resources they can use to support their up-skilling.

Purpose

The host needs to be able to take action after an audit. The recommendations that an auditor provides to address vulnerabilities must cover a range that allows an organization to address them in both the short-term and more comprehensively in the long-term. Knowing an organization's strengths and weaknesses will allow the auditor to provide more tailored recommendations that an organization will be more likely to attempt and achieve. In doing this the SAFETAG auditor has an opportunity to act as a trusted conduit between civil society organizations in need and organizations providing digital security training, technological support, legal assistance, and incident response.

Guiding Questions

Approaches

Identify Useful Resources

Resource Identification

Summary

In this component the auditor documents resources that the host may be able to leverage to address the technical, regulatory, organizational, or behavioral vulnerabilities identified during the audit.

This can include, but is not limited to, local technical support and incident response groups/trade organizations, places to obtain discount software, trainers, and guides/resources they can use to support their up-skilling.

Overview
Materials Needed
Considerations
Walkthrough
Recommendation

Identify and Explain Un-Addressed Concerns

Summary

Write explanations of why any adversaries or threats that the auditor identifies are "un-addressable" with the organization's current capacity.

Base Line Skills
Operational Security
Materials Needed
Considerations
Output
Resources

Identify Recommendations

Summary
Overview
Materials Needed
Considerations
Walkthrough
Recommendation

Outputs

Operational Security

Resources

Digital Security Guides

Possible Financial Resources for Host Organizations

International organisations that may provide security grants

Frontline Defenders Security Grants Programme (see also the "Alternative Sources of Funding" list on this page)

Digital Defenders Digital Security Emergency and Support Grants

Freedom House Emergency Assistance Programs

Training Resources

Emergency Resources

Emergency Aid for Journalists

International protection mechanisms for human rights defenders

What Protection Can The United Nations Field Presences Provide?

24/7 Digital Security Helpline: [email protected] PGP key fingerprint: 6CE6 221C 98EC F399 A04C 41B8 C46B ED33 32E8 A2BC

Rapid Response Network: [email protected] PGP key: 7218 4AA7 4ED2 05ED 9863 A2A7 1F84 9150 6BFC 20AC

Organizations providing rapid-response digital security support and funding

Resource Lists

Recommendation Development

Activities


Roadmap Development

"Finding threats against arbitrary things is fun, but when you're building something with many moving parts, you need to know where to start, and how to approach it." - Threat Modeling: Designing for Security by Adam Shostack, p. 83

Summary

This component consists of an auditor sorting their recommendations in relation to the organization's threats and capacity. The auditor prioritizes vulnerabilities, weighs the implementation costs of recommendations, and then creates an actionable roadmap so that the organization can make its own informed choices about possible next steps as it moves forward.

Purpose

As part of SAFETAG's dedication to building agency and supporting organizational adoption of safer practices, a careful prioritization of vulnerabilities is invaluable in keeping audit results from appearing overwhelming. An organization needs to be able to weigh each possible path forward against the time lost from program activities, the cost of addressing the threat, and the other threats that they are not addressing. Roadmapping is used to give the host the tools to make these decisions and to provide them with a recommended path forward that will allow them to make immediate gains towards protecting themselves. The existing in/formal security practices captured during this process will be used to remove organizational and psycho-social barriers to starting new practices.

Baseline Skills

Preparation

Materials Needed

Approach

Outputs

Operational Security

Resources

Determining the urgency of a vulnerability

Activities

Report Creation

"A good analysis might turn the threats into stories so they stay close to mind as software is being written or reviewed. A good story contains conflict, and conflict has sides. In this case, you are on one side, and an attacker is the other side." - Threat Modeling: Designing for Security, p. 85

Summary

This component consists of an auditor compiling their audit notes and recommendations into a comprehensive set of documents that shows the current state of security, the process by which the auditor came to that assessment, and recommendations that will guide the host's progression towards meeting their security goals.

Purpose

Once an auditor has left, the report is the auditor's chance to continue the conversation (albeit a static one) -- even if the organization never talks to the auditor again. If written with care it can be a tool to encourage agency and guide adoption. The report has many audiences who will need to use it in different ways. For the auditor and the organization, it acts as documentation of what the auditor accomplished. For the organization, it will be a guide for connecting vulnerabilities to actual risks, a rallying cry for change, and proof of need for funders. For those the organization brings in to support their digital security, it provides a roadmap towards implementation and a task-list for future technologists and trainers paid to get the host there - as well as a checklist for validating that threats have been addressed.

Baseline Skills

Preparation

Materials Needed

Approach

Outputs

Operational Security

Resources

Activities

APPENDICES

APPENDIX: Code of Conduct and SAFETAG Governance

Mission Statement:

The mission of the SAFETAG community is to improve the security of civil society organizations around the world.

What we do: The community collaborates actively to share knowledge, build capacity, and create resources, while promoting transparency and accountability amongst its members, as well as with other communities of practice.

Community Standards

The SAFETAG Community of Practice (SCoP) will be a closed and private group, initially housed within the existing orgsec.community listserv.

SAFETAG Code of Conduct

Members of the SAFETAG community are expected to:

Community Manager

There will be, given that funds are available, a paid community manager who has at least a quarter of their time to support the SAFETAG community and contribute to and support the broader community around NGO organizational security. This community manager should rotate among organizations implementing substantial organizational security work. There may be gaps and/or overlaps due to project and staff funding requirements; it is important for implementing organizations to coordinate funding this position in order to minimize this.

The CM's role is to cultivate, support, and grow the community. This includes, but is not limited to:

The Advisory Board

Structure

Responsibilities

Contact

For SAFETAG content related questions, please file an issue: https://github.com/SAFETAG/SAFETAG/issues. You can email the SAFETAG Advisory Board at AdvisoryBoard at safetag.org.

APPENDIX: How to read SAFETAG

Major Sections

The Life Cycle of an Audit

This section contains explanations of the goals of the SAFETAG process and definitions of the major terminology.

Objectives

This section contains the objectives of a SAFETAG audit. These are collections of specific activities that an auditor may use to gather and confirm information about the risks an organization faces, their capacity to address them, and potential threat actors.

Reporting

This section contains the post-audit objectives used to document the organization's risks and the auditor's recommendations based upon a final capacity and risk assessment.

Objective Components

Summary

A short - one to four sentence - basic overview of the objective.

Purpose

The justification for why we have included this objective.

The Flow of Information

The purpose of audit activities is to acquire risk assessment and mitigation information. As this information is acquired, earlier audit steps will have to be re-visited based upon updated information. The "Flow of Information" shows the types of information that an audit objective builds upon (input), and the types of information that it may reveal (outcomes).

Guiding Questions

Each audit objective is guided by a small set of core questions. Key questions are included to help an auditor identify when they have acquired enough information and customize their approach while still collecting the correct types of information to support the organization.

Approaches

Many of these objectives can be completed in multiple ways depending upon auditor skill and the organization's technical setup and capacity. The approach section includes a list of activities that can be used to carry out parts, or the whole, of the information collection for an audit activity.

Resources

Links to resources that can be used to deepen an auditor's understanding.

Activities

Summary

A short - one to four sentence - basic overview of the activity.

Base Line Skills

The baseline level of skills that the auditor must possess in order to carry out the intended activity.

Operational Security

Operational security guidelines that are specific to this activity.

Materials Needed

Any materials beyond the norm that the trainers will need.

Instructions

Where relevant, an outline of the steps an auditor will take during this activity. Not intended to replace true documentation, but useful for an auditor unable to connect to the Internet, or to provide to the organization's technical contact.

Considerations

Some of the activity specific concerns (ethical, skill level, time, relationship, etc.) that an auditor must take into consideration when conducting this activity.

Output

Notes on what data can be created during this activity.

Resources

Links to resources that can be used to deepen an auditor's understanding of an activity.

APPENDIX: How to contribute to SAFETAG

Contributing to SAFETAG

SAFETAG welcomes contributions!

SAFETAG is a community-managed product with an advisory board and community management roles laid out in our Code of Conduct. The Code of Conduct further outlines expectations of not only those using the content herein but also those contributing to it. By participating, you are expected to uphold this code.

When submitting new content, please write in clear, concise, and gender neutral language. This document will be updated with guidance on content translation once we have settled on a process for that. If you would like to submit content in a language other than English or Spanish, please open an issue to set that language up for submission.

Getting Started

Before you start work, it is critically important to review the current content and existing issues and create a new issue for your proposed work to solicit feedback -- this will save you a lot of time as the SAFETAG community can help refine your idea and advise on where best to include it in the framework (is it a new method? An activity or variant? Is there existing content in SAFETAG to update or improve?), as well as suggest additional resources worth considering, operational security and safety considerations.

Content Creation Guidelines

This section walks you through how SAFETAG is constructed, and what pieces of content are important to provide in a submission. Submissions which do not follow these guidelines will take significantly longer to be incorporated.

SAFETAG currently has three main compiled products - an overview guide, the full guide, and a curricula to help train new auditors. This guide is primarily focused on the non-curricular SAFETAG content. The Curricula is an ADIDS-based approach to training on SAFETAG content (read more about the curricula content at https://github.com/SAFETAG/SAFETAG/wiki/Curricula-Document-Template).

The SAFETAG overview is the easiest place to start. The full guide is a comprehensive collection of not only the method-based objectives of the audit, but a variety of specific activities an auditor might choose to use and combine to achieve those. Both of these are built from the collection of Methods and Activities that make up SAFETAG.

Generally speaking, Methods are high-level, goal-focused aspects of the assessment. There are inevitable "fuzzy" borders between some methods. Creation of new methods should be minimized to not overly complicate the scope of SAFETAG.

Activities are the meat of an audit, and answer "how" and "where" type questions. To accomplish the goals of a method, one might conduct multiple activities to explore and verify organization practices from different angles - research, policy review, conversations / discussions, and technical verification, exploration, and scanning.

Within both Methods and Activities are smaller chunks of content which are used across the full range of SAFETAG "products." The tables below map out what content chunks exist across which products, and what they are. The Templates folder has sub-folders which provide the default files and indices for methods and activities.

SAFETAG is in the process of being rebuilt in a more interactive, meta-data driven interface at https://github.com/contentascode/safetag. The current structure will be migrated into this format, and updates to the process will be posted here.

Creating a new SAFETAG Method

New methods must be linked into the master index file, and must have activities linked to them. To link a new method into the master index file (and therefore have the method "included" in the "master" SAFETAG build), the method's index files must be linked into the relevant master index file in the language folder (en/index.guide.md and en/index.overview.md). See below for how Activities are linked into the methods.

Method Content notes:

Method Section and Stylistic notes:

Section | ADIDS | Guide | Overview | Definition
Quote | - | - | - | OPTIONAL: No longer included in the compiled guides, but an introductory / framing quote for the section.
Summary | - | + | + | A short (two to three sentence) basic overview of the methodology. What is the auditor doing, and what are the high-level outputs and processes?
Purpose | + | + | + | The justification for why this methodology is used. Why is this collection of activities being pursued, and what is the end goal?
Information Flow | - | + | + | The "Flow of Information" shows the types of information that an audit activity builds upon (input) and the types of information that an audit activity may reveal (outcomes). As this information is acquired, earlier audit work will have to be revisited in light of it. What are the inputs which feed into this, and what outputs are possible or expected? Modify the Information Flow diagram in images/info_flows.
Guiding Questions | + | + | + | Each audit activity is guided by a small set of core questions. Key questions are included to help an auditor identify when they have acquired enough information and customize their approach while still collecting the correct types of information to support the organization. What are the specific guiding or research questions to be answered by conducting activities in pursuit of the larger goal?
Approaches | - | + | + | Many of these audit activities can be completed in multiple ways depending upon auditor skill and the organization's technical setup and capacity. The approach section includes a descriptive, bulleted list of activities that can be used to carry out parts, or the whole, of the information collection for an audit activity. What are the high-level approaches to answering the guiding questions? Try to list different types of approaches; some might be technical, some research, some interactive.
Outputs | - | + | - | The data or impact expected from this method. What are the specific outputs to aim for? These should further clarify the information flow diagram above.
Operational Security | - | + | + | OPTIONAL: Operational security considerations. Does pursuing this objective have any broad operational security challenges to be aware of that are not otherwise captured in the per-activity detail?
Preparation | - | + | - | OPTIONAL: Any preparation, skills, or materials needed for the method as a whole. Individual exercises will specify this more exactly. What must an auditor do to prepare for this work that is not otherwise captured in the per-activity detail?
Resources | - | + | - | Resources should include not only the research used in the creation of the method, but also recommended reading, references, and additional options for conducting this work. What references did you use in creating this method? Are there references which provide activity-style walkthroughs or additional background? Are there existing collections of references (in the references folder) that an auditor should review when looking at this methodology?
Activities | - | + | - | Specific activities to conduct in pursuit of this objective. See "Creating a New SAFETAG Activity". What existing activities are useful to achieve the goal and specific output(s) listed? Do they represent? If creating a new method, new activities will often be needed to ensure the suggested approaches are "filled in". Please note that Activities are separate documents linked into the Methods.

Creating a new SAFETAG Activity

New activities must be linked to a method. To link an activity to a method, please update both the activities.md file in the method folder, and also add it directly to index.guide.md under the method. The current build process uses the index.guide.md link, but for content tracking, it's best to update both. If adding an activity to multiple methods, select a primary method where it is the most relevant to that method's outputs, and for additional methods, link it in following this format:

<div class="boxtext">
#### Activity Title
Covered in full in Primary Method:
</div>

Activity Content notes:

Note: For activities where multiple different approaches could fulfill the exact same goals, activity variants are being explored, see https://github.com/SAFETAG/SAFETAG/issues/315 for detail.

Activity Content and Stylistic notes:

Section | ADIDS | Guide | Overview | Definition
Summary | - | + | - | A concise description of the exercise. This describes the vulnerability or class of vulnerabilities (e.g. "PHP is out of date") and its overall impact. What does this specific activity accomplish?
Overview | - | + | - | A short, bulleted list that clarifies the general steps, especially for cases where the walkthrough is very complex or involves multiple or parallel processes. Also included when only referencing an exercise from a method, instead of including the full exercise.
Materials Needed | - | + | - | Optional; does this require specific software, hardware, or preparation?
Considerations | - | + | - | Optional; notes on safely carrying out the activity and protecting the data collected, as well as other challenges (psycho-social, legal, ethical) to be aware of. Are there operational security concerns, or important baseline skills to master before undertaking this activity?
Walkthrough | - | + | - | A multi-use guide with concise instructions for a skilled technologist to replicate or prove the vulnerability. This is used in the SAFETAG curricula, by auditors needing to recall that random flag for that one command without going online, and by the organization's technical staff to verify that this vulnerability has been addressed. It should provide concise guidance at a peer level for the general steps an auditor should take, but should point to, not re-create, existing documentation. For technical aspects, ideal walkthroughs should enable IT staff/contractors to follow along and verify fixes. For research activities, research methods and preferred resources should be provided; for facilitative exercises, a clear explanation of the process and any tips or challenges should be given.
Variants | - | + | - | Parallel approaches which can be used for the same effect but might work better in different contexts. See https://github.com/SAFETAG/SAFETAG/issues/315
Recommendations | - | + | - | Optional; sample text of common recommendations for how to address vulnerabilities identified through this activity (e.g. "Work with the webmaster to update PHP and/or migrate to a hosting system which manages this automatically..."). For activities which have common findings, provide stock language to assist in report creation.

Other SAFETAG Content

These sections operate at header level 1, and for the most part should be included in any custom creation of SAFETAG products.

Front and Back Matter

Generally speaking, these sections won't be updated very often.

Section | ADIDS | Guide | Overview | Description
Title Page | + | + | + | Can be customized for your needs, locally only
License | + | + | + | Please do not change the License
Introduction | - | + | + | Welcome language
Overview | - | + | + | An overview of the SAFETAG approach and the audit life-cycle
"Metro" Map | + | + | + |
Risk Assessment | + | + | |
Agency Building | + | + | |
Operational Security | - | + | - | Overall operational security concerns for the assessment process
Preparation | - | + | + | How to prepare to conduct an assessment
Appendices | - | + | - | Including the Code of Conduct, How To Read this Guide, Contribution guidance, and more.
Footnotes | - | + | + |

Reporting Contents

Reporting content and creation will be revisited shortly

Contributing

Once you've scoped your submission as described under "Getting Started" and the "Content Creation Guidelines" sections above, you can follow the fork/pull method or use the templated approach to submit new content. Regardless of the approach you take,

Using Submission Templates

We have developed easy-to-use templates for SAFETAG Methods and Activities that you can fill in and submit with your issue. These can be found at en/templates/method-template.md and en/templates/activity-template.md. If you would like to edit these as word processor files, you can use pandoc for conversion (pandoc takes the input file as a positional argument): pandoc activity-template.md -o activity-template.odt . Final files should be submitted as markdown, however.

Please refer to the current Methods in the SAFETAG guide for additional detail and examples. The template will require manual merging into the repository, so please include how you would like to be credited.

Using Pull Requests

  1. Fork the repository, clone a local copy, and create a new branch for your work (see Resources below for help with using git).
  2. Update your issue with a link to your fork so the community can follow along!
  3. Follow the content creation guidelines to create or update content.
  4. Make many small, targeted commits with concise, clear commit messages. Keeping each pull request focused is greatly appreciated. Please submit different pull requests (and possibly even branches!) for different thematic work.
  5. Test to make sure your changes work by building the PDF and/or migrating the content into the static site generator system.
  6. Push to your fork and submit a pull request to the Dev branch!

Resources

APPENDIX: Draft Engagement and Confidentiality Agreement

In order to protect the privacy of SUBJECT, AUDITOR agrees to comply with the following restrictions:

APPENDIX: Travel Kit and Checklist

Travel Kit Checklist

Hardware
Software / digital resources
Facilitation Supplies
Logistics

APPENDIX: Sample Capacity Interview Questions

Introduction

For this interview, I will mostly ask you about how your organization relates to tech tools in a general sense. I will also ask specific questions about how your organization works with digital security issues.

Together, this information will help me identify ____________

All of the information we collect here will be kept completely private.

This interview will last approximately ____ hour.

Please feel free to stop me or ask if a question is unclear, or if you would like to take a break.

The interview starts with some questions about you and the organization. Again, this will all be kept strictly confidential.

Open Up

"Warm up the participant with questions they are comfortable with." 87

  1. What is your name?
  2. What is your position in the organization?
  3. What are your main responsibilities in this organization?
  4. When was the organization created?
  5. What issues does the organization work on? (Provide an example if needed - Examples below)
    • Human Rights
    • Transparency
    • Public Service Delivery
    • Health
    • Free Media and Information
    • Climate Issues
    • Gender Issues
    • Poverty Alleviation
    • Community Building
    • Peace promotion
    • Agricultural Development
    • Entrepreneurship
    • Water, Sanitation
    • Transportation
    • Disaster Relief
    • Other
    • No Specific Mandate
  6. Where does your organization have activities?
  7. Does the organization have activities in more than one (city/province/country/region)?
  8. What kind of funding does your organization receive?
  9. Could you tell me, approximately, what percentage of the organization’s current annual budget is dedicated to supporting the use of digital or mobile technology?
  10. How many projects is your organization currently managing?
  11. Does the organization have its own office space?
  12. Does the organization have a domain name or brand identity that is used for all online communications?
  13. What is the organization’s working language? (for password dictionary)
  14. What other languages are used by the organization, formally or informally? (for password dictionary)
  15. In what language has your organization accessed online resources to support its work?
  16. How many paid, full-time staff does the organization employ?
  17. How many paid, part-time staff does the organization employ?
  18. How many unpaid workers, such as volunteers or interns work at least one day a month at the organization?
  19. Does the organization have a staff member responsible for working with digital or mobile technology? Yes, more than one
  20. Is this staff member responsible for any of the following areas?
    • Office IT infrastructure
    • Internet Presence or website
    • Outreach or communications
    • Managing programs
  21. How regularly do staff members of the organization travel outside of your country?
  22. Does the organization do any of the following activities when travelling internationally?
    • Run programs
    • Participate in events
    • Run trainings
    • Receive trainings
    • Fundraising
Go Broad

"Prompt bigger, even aspirational, thinking that they may not be accustomed to on a daily basis." 88

Go Specific

"Dig deeper on the challenge at hand & prompt with ‘what if’ scenarios." 89

  1. What is the most important reason for your organization to exist? (Provide an example if needed - Examples below)
    • To raise awareness in the organization's policy area.
    • To impact policy.
    • To improve policy.
    • To improve service delivery.
    • To change specific legislative or administrative governance structures.
    • To provide citizens with a greater voice in public affairs and deliberations
    • To expose corruption or malfeasance
    • No concrete strategic objectives.
  2. Does the organization provide services directly to individuals (for example, health, educational, or legal services)?
  3. What type of direct services does the organization provide? (Provide an example if needed - Examples below)
    • Legal Services
    • Health Services
    • Education Services
    • Water/Sanitation Services
    • Financial Services
    • Other Services
  4. Does the organization primarily rely on digital media in its work?
  5. Does your organization use any of the following?
    • Email
    • Email newsletters
    • Websites
    • A blog, discussion fora, or other social media account(s)
    • Online discussions and interactions on external sites
    • Interactive websites
    • Paid software (like Microsoft Office or Basecamp) to manage the organization or projects
    • Free branded platforms (like Google Apps) to manage the organization or projects
    • Digital or mobile tools to collect data or evidence
    • Digital or mobile tools to deliver health, financial, or other public services
    • Mass communication to mobile phones
    • Security software (anti-virus, circumvention tools, etc.)
    • Dissemination of information through third-party sites and platforms
    • Other
  6. What other digital tools does your organization use?
  7. What are the most important motivations for the organization to use these tools?
  8. Are there any specific outcomes for the organization’s stakeholders that you hope digital or mobile technologies can facilitate?
  9. Does the organization have specific plans to increase its capacity to use digital or mobile technologies in its work?
  10. Do the organization’s staff have access to computers for their work?
  11. How many staff members do not have access to their own computer or need to share computers with others?
  12. How many of the organization’s staff currently use digital or mobile technology on a daily basis?
  13. How many of the organization’s currently active projects would not be possible without the use of these media?
  14. Does the organization have a hierarchy for decision-making, according to which different people have different responsibilities and levels of authority?
  15. Has the organization used any of the following methods to build skills and capacities for using digital or mobile technologies?
    • Local Training
    • Training in other countries
    • Online Training
    • Purchasing equipment or hardware
    • Hiring consultants
    • Hiring staff or restructuring human resources
    • Devoting staff time to independent learning
    • Participating in international events
    • Searching and learning online
  16. Which other method(s) to build skills for using digital and mobile technologies?
  17. Have these efforts to increase capacity targeted specific staff members in the organization?
  18. Has the organization actively worked to strengthen its digital security in the last year?
    • (IF NO) Why did the organization not work to strengthen its digital security in the last year?
    • (IF YES) How did the organization work to strengthen its digital security in the last year?
  19. Which of the below factors are the three most significant obstacles to the efficient use of digital and mobile technology by your organization?
    • Limited skills of staff
    • Limited infrastructure for media or electricity.
    • Limited technical literacy and media use among staff
    • limited financial resources
    • Insufficient hardware or software
    • None
    • Other
    • don't know
  20. What new activities using digital or mobile technologies would the organization like to attempt in the future? Please give examples of programs, activities, or management functions...
  21. Has the organization used the internet (including online training, discussions or research) to get better at any of the following activities?
    • Communicating with stakeholders and raising awareness on issues.
    • Keeping the organization and its staff safe.
    • Fundraising and developing the organization’s strategic focus.
    • Managing staff and organizational activities (such as payroll, hiring and other administration)
    • Measuring impact of programs.
  22. Why are you having the audit done?
  23. How well do you believe your organization is able to identify appropriate digital and mobile technology tools for the organization’s work?
  24. How well do you believe your organization is able to use appropriate digital and mobile technology tools for the organization’s work?
  25. Has turnover in staff members been a problem for retaining technical capacity in your organization?
  26. In what ways, if any, have you experienced that technology inhibits the organization’s work?
  27. Are there systems on the network which the client does not own, operate, or rely on, that may require additional approval to test?
  28. Does the organization communicate with its beneficiaries/members/sources?
    • How does the organization communicate with its beneficiaries/members/sources?
  29. Does the organization use any of these tools to maintain information about its members?
    • Paper lists
    • Mobile phone contact lists
    • Email contact lists
    • Spreadsheets
    • CRM (customer relationship management software)
    • Other
  30. What other tools does the organization use to maintain information about its members?
  31. I will now read a list of hardware tools you might be familiar with. From this list, could you please tell me about the three tools that are most important to the organization?
    • Desktop computers
    • Laptop Computers
    • Mobile Phones
    • Satellite Phones
    • Video Equipment
    • Cameras
    • USB Dongles
    • Hard Drives
    • Servers
    • Audio Recorders
    • Web Cams
    • Wireless Routers
    • Other
  32. Other hardware that is important to the organization’s work? Please describe if needed.
  33. How important do you think each of these hardware tools is for achieving the organization’s strategic objectives?
  34. I will now read a list of software tools you might be familiar with. From this list, could you please tell me about the three tools that are most important in the daily work of your organization?
    • Social media
    • Blogging Platforms
    • Tools for creating and managing pictures or videos
    • Cloud Based collaboration applications
    • Budgeting Software
    • Tools for building and managing websites
    • project management software
    • Anti-virus software
    • tools for managing databases
    • Graphic design or visualization software
    • software to manage sms or mobile communication for groups
    • circumvention software
    • other
  35. Other software that is important to the organization’s work? Please describe if needed.
  36. To your knowledge, how often do the below incidents occur in the geographic areas or issue areas in which your organization is active? Could you please tell me if you think they happen never, sometimes, or often?
    • The government lawfully intercepts information communicated by civil society or private persons
    • The government lawfully confiscates equipment because of the information it contains
    • Government, public officials, non-state actors, police or security forces use digital or mobile technology to identify and target individuals for arrest or violence
    • Government, public officials, non-state actors, police or security forces use digital or mobile technology to attack the reputations of individuals or organizations
  37. To your knowledge, how often do the below actors use digital or mobile technology to target or to identify individuals for arrest or violence? Do they use it never, sometimes, or often?
    • government or public officials
    • non-state actors (corporations, social groups)
    • police, security forces or paramilitary groups
  38. And how often would you say that these actors use digital or mobile technology to monitor or gather information on civil society activities? Never, sometimes, or often.
    • government or public officials
    • non-state actors (corporations, social groups)
    • police, security forces or paramilitary groups
  39. What do you feel are the most immediate and serious digital threats to the organization?
  40. How much risk do you feel each of these digital threats presents to your organization?
    • Online surveillance
    • DDOS (Distributed Denial of Service) Attack
    • Targeted for physical violence on the basis of digital activity
    • Data loss
    • Other.
  41. Do you feel that any of these threats place the physical security of your staff in danger?
  42. Do you feel that any of these threats place the physical security of your stakeholders in danger?
  43. Do you feel that any of these threats place the physical security of your beneficiaries in danger?
  44. In the last six months, have you or any of your civil society peers experienced any of the following?
    • Intimidation or threats of violence by public officials, police or security forces
    • Intimidation or threats of violence by private or non-state actors.
    • Threats of arrest or detention
    • Arrest
    • Threats of Torture.
    • Confiscation of equipment
    • Threats to administrative standing, such as stripping individuals of professional accreditation or organizations of licenses
    • Other
  45. How has your organization responded to these threats?
    • Addressed the issue in the press/online
    • Told other organizations about the threat
    • Contacted the authorities
    • Trained staff to prevent and mitigate such threats in the future
    • Requested help from other organizations
    • Invested in hardware
    • raised funds
    • has not responded
    • other
  46. Has the organization taken any of the following steps to prepare against digital or physical threats?
    • Staff have been trained
    • There are specific plans in place for specific situations
    • Equipment and/or supplies have been made ready
    • Other
  47. Does the organization experience power outages in its office?
  48. Does the organization have access to the Internet in its offices?
  49. In the last month, has your organization lost access to the Internet for reasons other than power outages?

Management Only
  1. Is the manager aware that a test is about to be performed?
  2. What data would create the greatest risk to the organization if exposed, corrupted, or deleted?
Technical Only
  1. Are there any systems which could be characterized as fragile? (systems with tendencies to crash, older operating systems, or which are unpatched)
  2. Are testing and validation procedures to verify that business applications are functioning properly in place?
  3. Are Disaster Recovery Procedures in place for the application data?
  4. Are Change Management procedures in place?
  5. What is the mean time to repair systems outages?
  6. Is any system monitoring software in place?
  7. What are the most critical servers and applications?
  8. Do you use backups in your organization?
    • Are there any data/devices that are not backed up?
    • Are backups tested on a regular basis?
    • When was the last time the backups were restored?
  9. How many websites does your organization have?
  10. What are their URLs?
  11. Where are they hosted?
  12. How many wireless networks are in place at the organization?
  13. Is a guest wireless network used? If so:
  14. Does the guest network require authentication?
  15. What type of encryption is used on the wireless networks?
  16. Approximately how many clients will be using the wireless network?
  17. How many total IP addresses are being tested?
  18. How many internal IP addresses, if applicable?
  19. How many external IP addresses, if applicable?
  20. Are there any devices in place that may impact the results of audit scans such as a firewall, intrusion detection/prevention system, web application firewall, or load balancer?

Categories

Below are the categories each question fits within. Use this to help you reduce the information you obtained from the interview into manageable themes, insights, and implications.

Basic Information

5, 6, 8, 10, 11, 13, 14, 15, 24, 25, 7

Threat Information

58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68

Capacity

Capacity questions seek to reflect organizations’ readiness and likelihood to succeed in engaging with technology in their work. 90

23, 26, 27, 28, 34, 35, 36, 37, 38, 39, 40, 43, 45, 46, 29, 30, 31, 55, 9, 16, 17, 18, 19, 20

Challenge

Challenge questions seek to reflect the degree to which internal and external factors will complicate or inhibit the effective and safe uptake and use of technology. 91

41, 40, 42, 46, 47, 48, 69, 70, 71

Audit Scope

Scope questions explore what the client is looking to gain out of the audit, why the client is looking to have an audit performed against their environment, and whether or not they want certain types of tests performed during the audit. 92

44, 72, 49, 51, 50, 52

Network Audit Questions

90, 91, 92, 93, 81, 80, 79, 78, 77, 49, 74, 75, 76, 53, 54, 56, 57

Web Application Audit Questions

12, 82, 83, 84

Wireless Audit Questions

85, 86, 87, 88, 89

Device Audit

32, 33, 21

Data Audit

73

APPENDIX: Password Dictionaries

Password Dictionary Creation

Summary

This component provides resources and recommendations on cracking passwords: the creation of dictionaries, rules to modify those dictionaries, and some basic implementation. This is a dangerous (and in many cases, illegal) skill to use. It should serve mainly as a guide to auditors on which password security myths do not hold up against modern password cracking software, and should be used only with permission and only in very specific situations, as a demonstration of the power of even a common laptop against weak passwords.

Description

Weak passwords are prevalent - even after hundreds of well-publicized global password breaches, "password" and "12345" remain the most popular passwords. This exercise supports the auditor in building an effective dictionary and using it to attack non-personal and non-disruptive parts of an organization's infrastructure. Weak wifi passwords are specifically a challenge, as wifi signals often are accessible outside of an office's physical limits, but provide full access to the private network.

This skillset, plus demonstration against non-invasive accounts, provides an opening for a discussion with staff on password security. See Level Up for further activities and exercises around passwords.

Approach

Instructions

Primarily for use in the Network Access component, building a password dictionary, understanding the ways to automatically mutate it, and running it against passwords is a useful skill to have, and to use to explain why simple passwords are insecure. This Ars Technica article provides a good insight into the path to tackle iterative password cracking using a variety of tools to meet different goals.

These instructions use a small set of password cracking tools, but many are possible. If there are tools you are more familiar or comfortable with using, these by no means are required. The only constraints are to be respectful and responsible, as well as keeping focused on the overall goals and not getting bogged down.

A good wordlist with a few tweaks tends to break most passwords. Using a collection of all English words, all words from the language of the organization being audited, plus a combination of all these words, plus relevant keywords, addresses, and years tends to crack most wifi passwords in a reasonable timeframe.

An approach which begins with quick, but often fruitful, attacks to more and more complex (and time consuming) attacks is the most rewarding. However, after an hour or two of password hacking, the in-office time on other activities is more valuable, so admit defeat and move on. See the Recommendations section for talking points around the levels of password cracking that exist in the world. You can work on passwords offline/overnight/post-audit for report completeness.

Here is a suggested path to take with suggested tools to help. You might try the first few steps in both the targeted keyword approach and the dictionary approach before moving on to the more complex mutations towards the end of each path.

Dictionary Research and Creation

Before you arrive on-site it is important to have your password cracking tools downloaded and relevant dictionaries ready to go, as your main demonstration and use of these tools is to gain access to the organization's network. The effectiveness of this demonstration is drastically reduced if you already have had to ask for the password to connect to the Internet and update your dictionaries, tools, or so on. Some of these files (especially larger password dictionaries) can be quite large, so downloading them in-country is not recommended.

Many password dictionary sites, such as SkullSecurity, maintain core dictionaries in multiple languages. If your target language is not available, some quick regular expression work can turn spell-check dictionaries (such as those used by LibreOffice) into useful word lists. It is generally useful to always test with English in addition to the target language.

CloudCracker (https://www.cloudcracker.com/dictionaries.html) and OpenWall have, for a fee, well-tested password dictionaries.
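As an added example of the spell-check conversion mentioned above (this is not SAFETAG's own tooling), the following Python function turns a Hunspell-style .dic file, the format LibreOffice dictionaries use, into a plain word list. It drops the leading entry count, the affix flags after "/", and any tab-separated morphological fields; the sample dictionary text is constructed for the example.

```python
import re

# Constructed sample in Hunspell .dic layout: the first line is the entry
# count, then one stem per line, optionally followed by /affix-flags and a
# tab-separated morphological field such as "po:noun".
SAMPLE_DIC = """5
Central/M
district/MS
rights
journalism/M\tpo:noun
federal
"""


def dic_to_wordlist(dic_text, min_len=3):
    """Return the sorted, lower-cased stems of a Hunspell .dic text.

    Stems shorter than min_len are dropped because they rarely matter as
    password material; \\w keeps non-ASCII letters, so other languages work.
    """
    words = set()
    lines = dic_text.splitlines()
    # Hunspell .dic files start with the number of entries; skip it.
    if lines and lines[0].strip().isdigit():
        lines = lines[1:]
    for line in lines:
        # Everything after the first "/" (flags) or tab (morphology) is not
        # part of the stem.
        stem = re.split(r"[/\t]", line, maxsplit=1)[0].strip()
        if len(stem) >= min_len and re.fullmatch(r"[\w-]+", stem):
            words.add(stem.lower())
    return sorted(words)


if __name__ == "__main__":
    for word in dic_to_wordlist(SAMPLE_DIC):
        print(word)
```

To process a real dictionary, read the .dic file (usually ISO-8859 or UTF-8; the encoding is named in the matching .aff file) and pass its text to dic_to_wordlist, then write one word per line.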

Keyword generation

In addition, create a customized dictionary with words related to the subject as revealed in the Remote Assessment research -- including, but not limited to:

For the organization "ExampleOrg", which has its offices at 123 Central St., Federal District, Countryzstan, which does human rights and journalism work and was founded in 1992, some context-based dictionary additions would be:

exampleorg
example
org
EO
123
central
federal
district
countryzstan
human
rights
journo
journalism
1992
92

Also add common password fragments: qwerty, 1234/5/6/7/8, and, based on field experience, four-digit dates going back ~20 years in both the Gregorian (Western) and (if relevant) local calendar, plus the founding year of the organization. It's quite amazing how often a recent year will be part of a wifi password; this presentation discusses many common patterns in passwords: https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

Optional further steps

Use CeWL to spider the organization's web properties and generate additional phrases. This list will need review, as some of the generated content is not very useful, but it is especially helpful if the site is not in a language the auditor reads fluently.

For passwords other than WPA, specific policies or patterns may help to focus your password dictionary further. PACK, or Password Analysis and Cracking Toolkit, "is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers." PACK is most useful for large sets of passwords, where it can detect patterns in already-broken passwords to help build new rules. Both password cracking tools listed below (Hashcat and John the Ripper) are powerful and have slightly different abilities. The auditor should choose the one they prefer and/or the one which has the features they need for this job.

Combinator Attack with scripting and Hashcat

One quick way to build a more complex password list is to simply double the list up (a "combinator" attack), so that it includes an entry for each pair of strings in the list.

You can build a simple version of this list from the shell, such as:

 $ while read -r foo; do while read -r bar; do printf '%s%s\n' "$foo" "$bar"; done < pwdlist.txt; done < pwdlist.txt > pwdpairs.txt
 $ cat pwdlist.txt >> pwdpairs.txt

Hashcat can do this in a live attack under its "combinator" mode, and hashcat-utils (hiding in /usr/share/hashcat-utils/combinator.bin) provides this as a standalone tool. This produces a true combination of the list, so the output grows with the square of the input size (N words give N x N pairs) - use with caution, or use with one larger dictionary and one smaller dictionary.

For example, use this combination approach on your custom dictionary (combining it with itself, creating combinations from the above list such as example92, journorights, exampleorgrights):

 $ /usr/share/hashcat-utils/combinator.bin dict.txt dict.txt

Hashcat is extremely powerful when you have desktop computer systems to use, but it also ships a few wordlist manipulation tools (hashcat-utils) that are useful regardless.

More references:

* http://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
* http://www.darkmoreops.com/2014/08/18/cracking-wpa2-wpa-with-hashcat-kali-linux/

Word mutation with John the Ripper (JtR)

JtR is a powerful tool you can use in combination with existing wordlists, and it can also add in common substitutions (such as people using zero for the letter "o"). JtR can be used to generate a static list of passwords for other programs, or it can be used directly against a password database. JtR is a bit weak at combining words within a wordlist, so you should apply your customizations and any combining (folding) of words before moving on to JtR.

You can add custom "rules" to aid in these substitutions - a base set is included with JtR, but a much more powerful set is provided by KoreLogic (http://contest-2010.korelogic.com/rules.html). KoreLogic also provides a custom character set ("chr file") that takes password frequency data from large collections of real-world passwords to speed up JtR's brute force mode. This PDF presentation has a good walkthrough of how John and Kore's rules work.

Additional guides:

* http://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux

The bleeding-edge jumbo version combines both the built-in rules and an optimized version of the KoreLogic rules. This list of KoreLogic Rules provides nice descriptions of what the KoreLogic rules do. In bleeding-jumbo, the "KoreLogicRules" prefix is dropped from the individual rule names (so KoreLogicRulesAppendYears is invoked as AppendYears). BackReference provides a great example of rules usage.

Some particularly useful individual rulesets are:

* AppendYears (appends years, from 1900 to 2019) and AppendCurrentYearSpecial (appends 2000-2019 with punctuation)
* AddJustNumbers (adds 1-4 digits to the end of everything)
* l33t (leet-speak combinations)

There are some built-in combinations of rulesets - for example, just --rules runs john's internal collection of default rules, --rules:KoreLogic runs a collection of the KoreLogic rules in a thoughtful order, and --rules:all is useful if you hate life.

For example:

  $ john -w:dictionary.txt --rules:AppendYears --stdout

Building custom rules

PROTIP: Create a dictionary with just "blah" and run various rules against it to understand how each ruleset or combination works. Note specifically that each rule multiplies the size of the dictionary by the number of permutations it introduces. Running the KoreLogic ruleset combination against a one-word dictionary creates a list of 6,327,540 permutations on just that word.

Brute force, using John and crunch

JtR's "incremental" mode is essentially an optimized brute force attack, so it will take a very long time for anything but the shortest passwords, or passwords where you can limit the search space to a character set: "As of version 1.8.0, pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters), "LM_ASCII" (for use on LM hashes), "Alnum" (all 62 alphanumeric characters), "Alpha" (all 52 letters), "LowerNum" (lowercase letters plus digits, for 36 total), "UpperNum" (uppercase letters plus digits, for 36 total), "LowerSpace" (lowercase letters plus space, for 27 total), "Lower" (lowercase letters), "Upper" (uppercase letters), and "Digits" (digits only). The supplied .chr files include data for lengths up to 13 for all of these modes except for "LM_ASCII" (where password portions input to the LM hash halves are assumed to be truncated at length 7) and "Digits" (where the supplied .chr file and pre-defined incremental mode work for lengths up to 20). Some of the many .chr files needed by these pre-defined incremental modes might not be bundled with every version of John the Ripper, being available as a separate download." (http://www.openwall.com/john/doc/MODES.shtml)

As a last resort, you can try a direct brute force attack overnight or post-audit to fill in details on key strength. Crunch is a very simple but thorough approach. Given enough time it will break a password, but it's not particularly fast, even against simple passwords. You can reduce the scope of this attack (and speed it up) if you have a reason to believe the password is all lower-case, all-numeric, or so on. WPA passwords are a minimum of 8 characters, a maximum of 16, and some wifi routers will accept punctuation, but in practice these are usually just !@#$. - so:

$ /path/to/crunch 8 16 'abcdefghijklmnopqrstuvwxyz0123456789!@#$.' | aircrack-ng -a 2 path/to/capture.pcap -b 00:11:22:33:44:55 -w -

This says to try every possible combination of those lower-case letters, digits and punctuation characters from 8 to 16 characters long, reading the candidates from standard input (-w -). This will take a very, very, very long time.

Recommendations

Any important password should be long enough and complex enough to prevent both standard dictionary attacks and "brute-force attacks" in which clusters of powerful computers work in parallel to test every possible character combination. (We recommend 12 or more completely random characters or a passphrase that contains five or more relatively uncommon words.) The key should not contain common "phrases," especially from well-known literature like Shakespeare or religious texts, nor number sequences or phrases related to the organization, its employees or its work.

Specifically for wireless passwords, choosing a strong WPA key is one of the most important steps toward defending an organization's network perimeter from an adversary with the ability to spend some time in the vicinity of the offices. By extension, mitigating this vulnerability is critical to the protection of employees and partners (and confidential data) from the sort of persistent exposure that eventually brings down even the most well-secured information systems.

Because shared keys inevitably end up being written on whiteboards, given to office visitors and emailed to partners, the WPA key should also be changed periodically. This does not have to happen frequently, but anything less than three or four times per year may be unsafe.

Sample Practice

For practice on any of these methods, you can use the wpa-Induction.pcap file from Wireshark.

Resources

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

http://zed0.co.uk/crossword/

http://www.instantcheckmate.com/crimewire/is-your-password-really-protecting-you/#lightbox/0/

Note that password cracking systems are rated on the number of password guesses they make per second. Stock laptop computers without high-end graphics cards or any other optimizations can guess 2500 passwords/second. More powerful desktop computers can test over a hundred million each second, and with graphics cards (GPUs) that rises to billions of passwords per second. (https://en.wikipedia.org/wiki/Password_cracking).

This website has a good explanation of how improving the complexity of a password affects how easy it is to break: http://www.lockdown.co.uk/?pg=combi , but it uses very out-of-date numbers - consider a basic laptop able to produce "Class E" attacks, and a desktop "Class F".
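As an added example (not part of the SAFETAG guide), the following Python sizes the context dictionary produced by the combinator and year-append steps described earlier and compares it, at the guess rates quoted above, with the Recommendations' 12 random characters or five-word passphrase; the 1e9 guesses/second GPU figure and the 7,776-word passphrase list are assumptions.

```python
"""Size the context-based dictionary the guide describes and compare it with
the passwords it recommends, using the guess rates quoted on this page."""

# Constructed sample input: the context words the guide derives for "ExampleOrg".
EXAMPLEORG_WORDS = [
    "exampleorg", "example", "org", "EO", "123", "central", "federal",
    "district", "countryzstan", "human", "rights", "journo", "journalism",
    "1992", "92",
]

# Guesses per second quoted on this page; the GPU figure ("billions") is
# taken as 1e9 here, which is an assumption.
LAPTOP_RATE = 2_500
DESKTOP_RATE = 100_000_000
GPU_RATE = 1_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def combinator(words):
    """The guide's combinator step: every ordered pair of words glued
    together, plus each word on its own. N words give N*N + N candidates,
    so the list grows with the square of its size."""
    unique = list(dict.fromkeys(words))  # drop duplicates, keep order
    return unique + [a + b for a in unique for b in unique]


def append_years(words, first, last):
    """JtR AppendYears-style mutation: each word with each four-digit year
    and with its two-digit form appended (central1992, central92)."""
    out = []
    for w in words:
        for y in range(first, last + 1):
            out.append(f"{w}{y}")
            out.append(f"{w}{y % 100:02d}")
    return out


def wpa_candidates(words, first_year, last_year):
    """Full context dictionary (combinator, then years), deduplicated and
    trimmed to the 8-character WPA minimum the guide mentions."""
    base = combinator(words)
    cands = base + append_years(base, first_year, last_year)
    return sorted({c for c in cands if len(c) >= 8})


def random_space(alphabet_size, length):
    """Number of possible passwords of `length` random symbols."""
    return alphabet_size ** length


def passphrase_space(wordlist_size, n_words):
    """Number of possible passphrases of n words drawn from a word list."""
    return wordlist_size ** n_words


def seconds_to_exhaust(space, rate):
    """Worst-case seconds to try every candidate at `rate` guesses/second."""
    return space / rate


def compare(words=EXAMPLEORG_WORDS, first_year=1995, last_year=2014):
    """Search-space sizes for the three cases the guide contrasts, and the
    time to exhaust each on the laptop and GPU figures it quotes."""
    ctx = len(wpa_candidates(words, first_year, last_year))
    rnd = random_space(95, 12)        # 12 random printable-ASCII characters
    phr = passphrase_space(7776, 5)   # five words; 7,776-word list is assumed
    return {
        "context_dictionary": ctx,
        "random_12_chars": rnd,
        "five_word_passphrase": phr,
        "context_laptop_seconds": seconds_to_exhaust(ctx, LAPTOP_RATE),
        "random_gpu_years": seconds_to_exhaust(rnd, GPU_RATE) / SECONDS_PER_YEAR,
        "passphrase_gpu_years": seconds_to_exhaust(phr, GPU_RATE) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:>24}: {v:,.0f}" if isinstance(v, float) else f"{k:>24}: {v:,}")
```

The whole ExampleOrg context dictionary, years included, is exhausted in seconds on a stock laptop, while the recommended alternatives take centuries or more even at the GPU rate.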

http://rumkin.com/tools/password/passchk.php

http://cyber-defense.sans.org/blog/downloads/ has a calculator buried in the zip file "scripts.zip"

http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html

https://www.grc.com/haystack.htm

https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

http://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html?_r=1

APPENDIX: Password Survey

Password Survey

How many passwords do you have to remember for accounts and devices used to do your work?

If you tried to login to your computer account right now, how many attempts do you think it would take?

To how many people have you given your current password?

Have you ever forgotten your current password?

If yes, how did you recover it?

Have you ever forgotten old work passwords?

If yes, how did you recover it?

When you created your current password, which of the following did you do?

Did you use any of the following strategies to create your current password (choose all that apply) ?

How long is your current password (total number of characters)?

What symbols (characters other than letters and numbers) are in your password?

How many lower-case letters are in your current password?

How many upper-case letters are in your current password?

In which positions in your password are the numbers?

In which positions in your password are the symbols?

Have you written down your current password?

If you wrote down your current password how is it protected (choose all that apply) ?

Do you have a set of passwords you reuse in different places?

Do you have a password that you use for different accounts with a slight modification for each account?

APPENDIX: Device Assessment Checklist

APPENDIX: Remote Facilitation

Remote Facilitation

Summary

This component suggests approaches to use if in-person facilitation is not possible, and to include participation from remote staff or offices when an organization has multiple locations. This supplements the Data Assessment, Process Mapping, and Threat Assessment exercises, enabling them to be conducted remotely.

This may not provide results as deep as in-person facilitation, but it should provide adequate expansion and verification of the information needed, and in most cases even provide the secondary benefit of helping the organization build a shared understanding of its processes, risks, and risk tolerances.

Overview

There are four different approaches you can use, depending on what resources are available, the size and structure of the organization, and which activities you are trying to facilitate remotely. Is there someone that can help as an on-site facilitator? Are video conferences realistic (given bandwidth and cost)? How does the approach you use interact with existing organizational team structures?

Materials Needed
Considerations
Walkthrough

Selecting the most suitable approach requires an understanding of the capacity and personnel structure of the organization, including their ability to support communication technologies, and the availability of someone who can assist in facilitation.

After selecting the most suitable approach, the auditor should make sure to prepare for remote facilitation:

Approach 1, on-site facilitator, with video chat auditor

Suitable when there is a person who can take a facilitation role on-site. The facilitator does not have to be a technical person, but should be able to manage the session, making sure that it is as inclusive and as productive as possible. This accommodates more participants per session than Approach 3. If the auditor is able to join remotely, this provides an ideal substitute for in-person facilitation.

Approach 2, hybrid online/synchronous

Can be used with a large group of participants, where it is possible to meet over multiple sessions with enough time to collect and analyse responses in between.

Approach 3, multiple small sessions

Suitable for medium to large groups where it is possible to conduct multiple small video chats. It is recommended for sessions to be arranged to include people from the same organizational level, but different functions/teams/arms/departments of the organization. This approach scales to larger organizations and helps ensure voices at different levels of the organization are heard.

Approach 4, hybrid offline/asynchronous

Sample Questions: Data Mapping

Footnotes


  1. Event Planning Inputs - Level-Up

  2. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  3. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  4. "In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."

  5. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. Section 7.1 Coordination

  6. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."

  7. See the auditor trainee resource list

  8. APPENDIX A - Auditor travel kit checklist

  9. ^NIST_SP_800-115-travel_prep

  10. Auditor Tool Resource List - Password Dictionary Creation

  11. APPENDIX A - Auditor travel kit checklist

  12. "Traveling teams should maintain a flyaway kit that includes systems, images, additional tools, cables, projectors, and other equipment that a team may need when performing testing at other locations."

  13. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  14. "In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."

  15. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."

  16. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  17. "In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."

  18. Determining Audit Location - The Penetration Testing Execution Standard: Pre-Engagement Guidelines

  19. "When handling evidence of a test and the differing stages of the report it is incredibly important to take extreme care with the data. Always use encryption and sanitize your test machine between tests."

  20. Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.

  21. Determining Audit Location - The Penetration Testing Execution Standard: Pre-Engagement Guidelines

  22. "Before starting a penetration test, all targets must be identified. "

  23. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."

  24. "the assessment plan should provide specific guidance on incident handling in the event that assessors cause or uncover an incident during the course of the assessment. This section of the plan should define the term incident and provide guidelines for determining whether or not an incident has occurred. The plan should identify specific primary and alternate points of contact for the assessors... The assessment plan should provide clear-cut instructions on what actions assessors should take in these situations."

  25. "When handling evidence of a test and the differing stages of the report it is incredibly important to take extreme care with the data. Always use encryption and sanitize your test machine between tests."

  26. "One of the most important documents which need to be obtained for a penetration test is the Permission to Test document."

  27. Dealing with third parties - The Penetration Testing Execution Standard

  28. APPENDIX D - Auditor Consent Template.

  29. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. Section 7.1 Coordination

  30. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."

  31. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. Section 7.1 Coordination

  32. Emergency Contact and Incidents - The Penetration Testing Execution Standard: Pre-Engagement Guidelines

  33. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  34. "Assessors need to remain abreast of new technology and the latest means by which an adversary may attack that technology. They should periodically refresh their knowledge base, reassess their methodology-updating techniques as appropriate, and update their tool kits."

  35. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  36. Accumulating information about partners, clients, and competitors - The Penetration Testing Execution Standard

  37. The flow of information through the Recon-ng framework. (See: "Data Flow" section)

  38. Accumulating information about partners, clients, and competitors - The Penetration Testing Execution Standard

  39. Acquiring API Keys

  40. The flow of information through the Recon-ng framework. (See: "Data Flow" section)

  41. See: Vulnerability Analysis

  42. Identifying Software Versions

  43. Examining Firewalls Across OS

  44. Identifying Odd/One-Off Services

  45. APPENDIX C - Password Survey

  46. Password Security

  47. APPENDIX C - Password Survey

  48. Password Security

  49. Privilege Separation Across OS

  50. Anti-Virus Updates

  51. Identifying Software Versions

  52. Device Encryption By OS Type

  53. Microsoft Security Bulletin

  54. "In-Depth Reading, Vendor Information, & External Advisories"

  55. "Security-Related Vendor Information"

  56. "CERT/CC Advisories"

  57. "Security Tracker"

  58. "Known Vulnerabilities in Mozilla Products"

  59. Microsoft Security Bulletin

  60. "In-Depth Reading, Vendor Information, & External Advisories"

  61. "Security-Related Vendor Information"

  62. "CERT/CC Advisories"

  63. "Security Tracker"

  64. "Known Vulnerabilities in Mozilla Products"

  65. "While vulnerability scanners check only for the possible existence of a vulnerability, the attack phase of a penetration test exploits the vulnerability to confirm its existence."

  66. "Penetration testing also poses a high risk to the organization’s networks and systems because it uses real exploits and attacks against production systems and data. Because of its high cost and potential impact, penetration testing of an organization’s network and systems on an annual basis may be sufficient. Also, penetration testing can be designed to stop when the tester reaches a point when an additional action will cause damage." - NIST SP 800-115, Technical Guide to Information Security Testing and Assessment

  67. Network Access

  68. APPENDIX B - Personal Information to Keep Private

  69. APPENDIX B - Personal Information to Keep Private

  70. "CSOs should gradually build a culture in which all staff, regardless of technical background, feel some responsibility for their own digital hygiene. While staff need not become technical experts, CSOs should attempt to raise the awareness of every staff member, from executive directors to interns - groups are only as strong as their weakest link—so that they can spot issues, reduce vulnerabilities, know where to go for further help, and educate others."

  71. "Pre-Mortem Strategy" - Sources of Power: How People Make Decisions - p.71

  72. "Pre-Mortem Strategy" - Sources of Power: How People Make Decisions - p.71

  73. "Pre-Mortem Strategy" - Sources of Power: How People Make Decisions - p.71

  74. Corruption Perception Index

  75. The ISC Project completes evaluations of information security threats in a broad range of countries. The resulting comprehensive written assessments describe each country’s digital security situation through consideration of four main categories: online surveillance, online attacks, online censorship, and user profile/access.

  76. EISF distributes frequent analysis and summaries of issues relevant to humanitarian security risk management.

  77. The top 500 sites in each country or territory.

  78. Who publishes Transparency Reports?

  79. "Impacts: Chapter 2.7 p. 46 - Operational Security Management in Violent Environments"

  80. "Likelihood: Chapter 2.7 p. 47 - Operational Security Management in Violent Environments"

  81. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  82. "Threat Modeling: Designing for Security" by Adam Shostack

  83. See: "Threat Modeling: Designing for Security" by Adam Shostack, p. 125.

  84. "Threat Modeling: Designing for Security" by Adam Shostack

  85. See: "Threat Modeling: Designing for Security" by Adam Shostack, p. 401.

  86. "When a pilot lands an airliner, their job isn’t over. They still have to navigate the myriad of taxiways and park at the gate safely. The same is true of you and your pen test reports, just because its finished doesn't mean you can switch off entirely. You still have to get the report out to the client, and you have to do so securely. Electronic distribution using public key cryptography is probably the best option, but not always possible. If symmetric encryption is to be used, a strong key should be used and must be transmitted out of band. Under no circumstances should a report be transmitted unencrypted. It all sounds like common sense, but all too often people fall down at the final hurdle." - The Art of Writing Penetration Test Reports

  87. "IDEO Human-Centered Design Toolkit"

  88. "IDEO Human-Centered Design Toolkit"

  89. "IDEO Human-Centered Design Toolkit"

  90. "TechScape Indicators - the engine room"

  91. "TechScape Indicators - the engine room"

  92. "Questionnaires - The Penetration Testing Execution Standard"