Saturday, March 2, 2019

Tracking authentication information with JPCert's Logon Tracker - The Setup

This is a new tool I recently learned about as a result of the update to SANS SEC504, one of the classes I teach for the SANS Institute. As I'm interested in this not only from a teaching perspective but even more so from a learning perspective, and want to use it in my own environment, I decided to look into it via a blog post.

According to the description from the tool's GitHub page "LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used.
This tool can visualize the following event id related to Windows logon based on this research.

    4624: Successful logon
    4625: Logon failure
    4768: Kerberos Authentication (TGT Request)
    4769: Kerberos Service Ticket (ST Request)
    4776: NTLM Authentication
    4672: Assign special privileges"

For this install, I'm using Ubuntu 18.04 as shown below:
securitynik@securitynik.local:~# lsb_release --all
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.1 LTS
Release:        18.04
Codename:       bionic

Let's first install Java 8, which Neo4j 3.x requires. The WebUpd8 PPA used here has since been discontinued following Oracle's licensing change; Neo4j 3.x runs just as well on OpenJDK 8 (the openjdk-8-jre-headless package from the standard Ubuntu repositories), so use that if the commands below no longer work.
sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer

Install neo4j Community Edition by first adding its repository:
wget -O - https://debian.neo4j.org/neotechnology.gpg.key | sudo apt-key add -
echo 'deb https://debian.neo4j.org/repo stable/' | sudo tee /etc/apt/sources.list.d/neo4j.list
sudo apt-get update

Let's now install neo4j:
sudo apt-get install neo4j

Now that neo4j is installed, let's make two quick configuration changes in /etc/neo4j/neo4j.conf, which is where the Debian package puts the config. Locate the following two commented-out lines:
#dbms.connector.bolt.listen_address=:7687
#dbms.connector.https.listen_address=:7473

I want to specify the interfaces neo4j listens on, so I made the following change (Bolt on every interface, HTTPS only on the LAN address):
dbms.connector.bolt.listen_address=0.0.0.0:7687
dbms.connector.https.listen_address=192.168.0.4:7473

Note above, I also removed the comment "#" from these two lines. Keep in mind that 0.0.0.0 binds Bolt (port 7687, the connector that LogonTracer and every other client authenticates to with the neo4j credentials) on all interfaces, including any public one. On a multi-homed host, bind it to the LAN address as well, or firewall 7687.

Next step: restart neo4j using systemctl

systemctl restart neo4j

If we next do a "netstat -nltp", we see the host listening on the two ports above, and also on 7474, the plain-HTTP connector that serves the browser UI:
securitynik@securitynik.local:/tmp# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
....
tcp6       0      0 :::7687                 :::*                    LISTEN      24537/java
tcp6       0      0 192.168.0.4:7473        :::*                    LISTEN      24537/java
tcp6       0      0 192.168.0.4:7474        :::*                    LISTEN      24537/java
....

Next up, connect to the server at http://192.168.0.4:7474 and log in to the neo4j UI. Since the HTTPS connector on 7473 was just enabled, https://192.168.0.4:7473 serves the same UI without sending the neo4j credentials across the LAN in the clear (expect a self-signed certificate warning).
Using the default credentials (username "neo4j", password "neo4j"), I was able to authenticate and was then asked to change my password. I also added the user "securitynik" with the password "Testing1". Once my password was changed, the next step was to clone LogonTracer:
git clone https://github.com/JPCERTCC/LogonTracer.git
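The neo4j side of the setup above (the two neo4j.conf edits, the restart, the listener check and the forced password change) as one re-runnable script. This is an added example, not code from the original post or from the LogonTracer project. It assumes the Debian package's config path /etc/neo4j/neo4j.conf and the post's LAN address 192.168.0.4 (both overridable through environment variables), the Neo4j 3.x HTTP endpoint POST /user/neo4j/password for the password change, and ss for the listener check, since Ubuntu 18.04 does not ship netstat by default.

```shell
#!/bin/sh
# Added example, not code from the original post or from the LogonTracer
# project: apply the two neo4j.conf changes described above without
# hand-editing, then verify the listeners before pointing LogonTracer at it.
#
# Assumptions (not stated on the page): the Debian package installs the
# config at /etc/neo4j/neo4j.conf, the LAN address is 192.168.0.4 as in
# the post, and the 3.x HTTP API exposes POST /user/neo4j/password.
set -eu

NEO4J_CONF="${NEO4J_CONF:-/etc/neo4j/neo4j.conf}"
LAN_IP="${LAN_IP:-192.168.0.4}"

# escape_key KEY: make a config key safe to use inside an ERE (dots become literal).
escape_key() { printf '%s' "$1" | sed 's/\./\\./g'; }

# set_conf FILE KEY VALUE: turn "#KEY=..." or "KEY=..." into "KEY=VALUE",
# appending the line if the key is missing. Safe to run repeatedly.
set_conf() {
    file="$1"; key="$2"; value="$3"; key_re="$(escape_key "$key")"
    if grep -qE "^#?${key_re}=" "$file"; then
        sed -i -E "s|^#?${key_re}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf FILE KEY: print the effective (uncommented) value, or nothing.
get_conf() {
    grep -E "^$(escape_key "$2")=" "$1" | tail -n 1 | cut -d= -f2-
}

# apply_listen_config FILE IP: the post binds Bolt to 0.0.0.0 and HTTPS to
# the LAN address. Bolt is the port LogonTracer itself authenticates to, so
# this binds both to the same address; pass 0.0.0.0 for the post's wider exposure.
apply_listen_config() {
    set_conf "$1" dbms.connector.bolt.listen_address  "$2:7687"
    set_conf "$1" dbms.connector.https.listen_address "$2:7473"
}

# listening_ports: every TCP port in LISTEN state, one per line, via "ss".
# Handles local addresses such as *:7687, :::7687 and 192.168.0.4:7474.
listening_ports() {
    ss -Hnlt 2>/dev/null | awk '{ n = split($4, a, ":"); print a[n] }' | sort -u
}

# expected_ports_listening: succeed only if Bolt, HTTPS and HTTP are all bound.
expected_ports_listening() {
    ports="$(listening_ports)"
    for p in 7687 7473 7474; do
        printf '%s\n' "$ports" | grep -qx "$p" || return 1
    done
}

# change_password HOST OLD NEW: the non-interactive equivalent of the
# password prompt the post hits in the browser (Neo4j 3.x HTTP API).
change_password() {
    curl -fsS -u "neo4j:$2" -H 'Content-Type: application/json' \
        -d "{\"password\":\"$3\"}" "http://$1:7474/user/neo4j/password"
}

# Full flow, as root, mirroring the post: edit, restart, check.
main() {
    apply_listen_config "$NEO4J_CONF" "$LAN_IP"
    systemctl restart neo4j
    sleep 10          # neo4j takes a few seconds to open its listeners
    if expected_ports_listening; then
        echo "neo4j listening on 7687, 7473 and 7474"
    else
        echo "neo4j is not listening on all expected ports:" >&2
        listening_ports >&2
        exit 1
    fi
}

# Only run the full flow when explicitly asked: sh neo4j-setup.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as root with `sh neo4j-setup.sh apply` (the file name is hypothetical) once the neo4j package is installed; without the apply argument it only defines the functions, so it can be sourced and the config helpers tried against a scratch copy of neo4j.conf first. After the restart, `change_password 192.168.0.4 neo4j 'NewStrongPassword'` replaces the default password the same way the browser prompt does. Unlike the post, apply_listen_config binds Bolt to the LAN address rather than 0.0.0.0; set LAN_IP=0.0.0.0 if you really want the all-interfaces binding.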
Once the clone finished, I took a look at the requirements file before installing anything:

securitynik@securitynik.local:~$ cat LogonTracer/requirements.txt
numpy
py2neo==3.1.2
python-evtx
lxml
changefinder
flask
hmmlearn
scikit-learn==0.19.2

Now that we know what it is trying to install, let's continue. First ensure "python3-pip" is installed; if not, run

apt-get install python3-pip

Then install the requirements:
pip3 install -r LogonTracer/requirements.txt

Note that two of the entries are pinned (py2neo==3.1.2 and scikit-learn==0.19.2), so pip will replace any other version of those packages already present; if this box has other Python tooling on it, run the install inside a virtualenv instead of system-wide.

If all went well, I guess I will see you in the next post.

References:
https://github.com/JPCERTCC/LogonTracer
https://github.com/JPCERTCC/LogonTracer/wiki/for-linux
https://blogs.jpcert.or.jp/en/2017/11/visualise-event-logs-to-identify-compromised-accounts---logontracer-.html
https://gist.github.com/nepobef/0f378ded038b35324e0106fcff79303c
http://debian.neo4j.org/
https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf
https://neo4j.com/docs/operations-manual/current/installation/linux/debian/
https://neo4j.com/docs/operations-manual/current/installation/linux/tarball/
