Episode 425 — USB Device Tracking and PFsense
In this episode Peter Giannoulis joins us from TheAcademyPro.com. Chris Gerling is back in studio talking about USB Device Tracking. And Matt is building the new HakHouse firewall/router with PFsense. Plus a ton of haksnax to get your grub on.
USB Device Tracking
If you’ve ever used a USB storage device and wondered how stealthy you can be with them, you’re in for a scare. Windows XP logs pretty much everything you’d want to know about that USB key in the registry each time it’s plugged in and written to.
When you plug in your USB drive, the Plug and Play (PnP) manager is notified and queries the device descriptor in the device’s firmware for information about it. This helps it locate a driver, which is referenced by the various .inf files in the %SystemRoot%\inf folder. Once the device is identified and a driver selected, the information is written under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR in a key with a format similar to Disk&Ven_###&Prod_###&Rev_###, which identifies the device ID, manufacturer and more. An important value you will find here is the ParentIdPrefix (which I did not actually mention during the segment); it appears in virtually every registry entry regarding the device.
Microsoft uses serial numbers on the devices to distinguish between devices with the same manufacturer or model. In the case that the serial number is not unique (or even not present), the PnP manager will create a unique instance ID for the device.
All of the numbers you find related to each device should be logged if you’re doing any sort of investigation or trying to track a device across computers.
If you’re trying to determine whether data was perhaps pilfered from your machine or network, look at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses. There you will find the ParentIdPrefix, which lets you correlate the entry to the device, and you should also see the manufacturer name. What we are after is the Last Write time of the key: it gives you a timeframe as to when someone last copied data to the device, which helps in determining whether data was pilfered. To get it, right-click the entry that has the ParentIdPrefix and manufacturer name of the device you want, then click Export. Change the file extension to .txt, name the file anything you want, and remember where you save it. When you open that file, you will find the last write time.
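As an added example (not part of the show notes and not a tool from the segment), here is a small Python script that reads the text-format export regedit produces for the USBSTOR and DeviceClasses keys, pulls out vendor, product, serial number and ParentIdPrefix for each device, and then matches DeviceClasses entries back to each device to report the most recent Last Write Time. The two exports embedded in the script are constructed samples: the vendor names, serials, ParentIdPrefix values and timestamps are made up, while the value name ParentIdPrefix and the two device-class GUIDs (disk interface and volume interface) are the real ones Windows uses.

```python
"""Correlate USBSTOR device entries with DeviceClasses entries taken from
regedit "Text Files (*.txt)" exports and report each device's Last Write Time.
Added example; the two exports below are constructed samples."""
import re
from datetime import datetime

# Constructed sample: export of two device keys under Enum\USBSTOR.
USBSTOR_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\0123456789ABCDEF&0
Class Name:        <NO CLASS>
Last Write Time:   2/6/2009 - 9:12 AM
Value 0
  Name:            DeviceDesc
  Type:            REG_SZ
  Data:            Disk drive

Value 1
  Name:            ParentIdPrefix
  Type:            REG_SZ
  Data:            7&2a1b3c4d&0

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\ABCDEF0123456789&0
Class Name:        <NO CLASS>
Last Write Time:   1/20/2009 - 11:05 PM
Value 0
  Name:            ParentIdPrefix
  Type:            REG_SZ
  Data:            7&1f2e3d4c&0
"""

# Constructed sample: export of the Control\DeviceClasses entries for the SanDisk
# device. The disk-interface key carries the serial number; the volume-interface
# key carries the ParentIdPrefix. The Kingston device has no entries here.
DEVICECLASSES_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02#0123456789ABCDEF&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Class Name:        <NO CLASS>
Last Write Time:   2/6/2009 - 9:12 AM
Value 0
  Name:            DeviceInstance
  Type:            REG_SZ
  Data:            USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\0123456789ABCDEF&0

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#RemovableMedia#7&2a1b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Class Name:        <NO CLASS>
Last Write Time:   2/7/2009 - 4:30 PM
"""

KEY_RE = re.compile(r"^Key Name:\s+(.*)$")
LWT_RE = re.compile(r"^Last Write Time:\s+(.*)$")
NAME_RE = re.compile(r"^\s+Name:\s+(.*)$")
DATA_RE = re.compile(r"^\s+Data:\s+(.*)$")
# Vendor, product, revision and serial as laid out in a USBSTOR instance path
# (backslash-separated) or a DeviceClasses symbolic link (#-separated).
DEVICE_RE = re.compile(r"Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_([^\\#]*)[\\#]([^\\#&]*)&\d+")


def parse_export(text):
    """Parse a regedit text export into a list of keys with their values."""
    keys, current, pending_name = [], None, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = {"key": m.group(1).strip(), "last_write": None, "values": {}}
            keys.append(current)
        elif current is None:
            continue
        elif m := LWT_RE.match(line):
            current["last_write"] = datetime.strptime(
                m.group(1).strip(), "%m/%d/%Y - %I:%M %p")
        elif m := NAME_RE.match(line):
            pending_name = m.group(1).strip()
        elif (m := DATA_RE.match(line)) and pending_name is not None:
            current["values"][pending_name] = m.group(1).strip()
            pending_name = None
    return keys


def usbstor_devices(keys):
    """Pick the per-instance USBSTOR keys and extract the identifiers from them."""
    devices = []
    for k in keys:
        m = DEVICE_RE.search(k["key"])
        if m and "ParentIdPrefix" in k["values"]:
            devices.append({
                "vendor": m.group(1), "product": m.group(2), "rev": m.group(3),
                "serial": m.group(4),
                "parent_id_prefix": k["values"]["ParentIdPrefix"],
                "usbstor_last_write": k["last_write"],
            })
    return devices


def build_report(usbstor_text, classes_text):
    """Match DeviceClasses keys to each device by serial or ParentIdPrefix and
    keep the newest Last Write Time among the matches (None if no match)."""
    class_keys = parse_export(classes_text)
    report = []
    for d in usbstor_devices(parse_export(usbstor_text)):
        hits = [k for k in class_keys
                if d["parent_id_prefix"] in k["key"] or d["serial"] in k["key"]]
        times = [k["last_write"] for k in hits if k["last_write"]]
        report.append({**d, "device_class_entries": len(hits),
                       "last_write": max(times) if times else None})
    return report


if __name__ == "__main__":
    for row in build_report(USBSTOR_EXPORT, DEVICECLASSES_EXPORT):
        print(f'{row["vendor"]} {row["product"]} serial={row["serial"]} '
              f'prefix={row["parent_id_prefix"]} '
              f'entries={row["device_class_entries"]} last_write={row["last_write"]}')
```

Matching on both the serial number and the ParentIdPrefix matters because the disk-interface and volume-interface entries under DeviceClasses name the device differently, so either one alone would miss half of the entries. Replace the embedded strings with the contents of your own exports to run it against a real machine.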
There are many applications for this data, and you’ll probably never be in the registry doing it quite this way, as there are many tools, both commercial and free that will simplify all of this. This data is also used in tools/services which help track your devices, such as iHound (ihoundsoftware.com), which helps you track devices if they’re stolen.
If you have any questions feel free to contact me here and visit my website. Many thanks to Harlan Carvey, author of the 2007 book Windows Forensic Analysis (I think I might’ve errantly said 2005, sorry); without this book I wouldn’t have known as much as I do about the Windows registry.
While our Smoothwall has been working well for us for the past two years, I recently needed something a little more robust.
I came across pfSense, a fork of the m0n0wall project. pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system that allows further expandability without adding bloat and potential security vulnerabilities to the base distribution.
Here’s a short summary of some of the eye-catching features.
- Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
- Able to limit simultaneous connections on a per-rule basis
- pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility to allow you to filter by the Operating System initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the Operating System in use.
- Option to log or not log traffic matching each rule.
- Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
- Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
- Transparent layer 2 firewalling capable – can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
- Packet normalization – from the pf scrub documentation: “‘Scrubbing’ is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.”
  - Enabled in pfSense by default.
  - Can be disabled if necessary. This option causes problems for some NFS implementations, but is safe and should be left enabled on most installations.
- Disable filter – you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.
- pfSense offers three options for VPN connectivity, IPsec, OpenVPN, and PPTP.
There’s a ton of other great features that you can read up on at http://is.gd/iauk.
The LiveCD ISO is available from http://www.pfsense.org/mirror.php?section=downloads and, for VMware folks, a prebuilt VM is available at http://files.pfsense.org/vmware/pfSense-1.2.2-VM.zip.
This month, we are playing Left4Dead and Zombie Panic! Join us for our LAN Party on Saturday, February 28th at L4D.hak5.wpengine.com or ZP.hak5.wpengine.com for a good ol’ zombie apocalypse.
Last week’s trivia was: “In PHP, which is faster and why? echo "Hello World"; or print("Hello World");?” Zoltan answered correctly with: “Echo is faster because it doesn’t set a return value and ‘print’ is a more complex function.” Zoltan wins a copy of Pronobozo’s CD ‘Zero=One=Everything’. You can check out more of Pronobozo’s music at his website.
If you want to win this week’s giveaway, enter the letters you see popping up during the episode into our trivia page and answer the trivia question in the first 24 hours from when this episode releases. We will choose a random winner out of the correct answers!
Remember to subscribe to our new HD feed on iTunes at Hak5.org.
Have a segment suggestion, constructive feedback, or a snack idea for Kerby? Email your ideas to [email protected]. Thank you!
Don’t forget! We’ve got brand new sticker packs as thanks for your donations at Hak5.org/stickers. Without your help, we wouldn’t be HD right now.
We will be at Shmoocon this weekend, February 6-8 in Washington DC. If you are in the area, join us for the annual podcaster’s meetup. Meet our cast and crew as well as lots of other great podcasters from PaulDotCom, Securabit, Sploitcast, Cyber Speak, Security Justice, and more! Get the info at Podcaster’s Meetup.com.
We’re conducting a survey to get some additional information about our viewers. We would love your feedback. If you have a few minutes to spare, please do us a favor and take the survey at the survey page.
For those of you who complete the survey, you will be treated to a sneak peek at a new show that Revision3 has been working on and get a back stage look at the pre-production of a Hak5 episode.
Trust your Technolust!