Intrusion Detection Systems mailing list archives

A poor-man Tripwire-like system on Windows 9x/NT


From: "Adam Richard" <adam.richard2 () sympatico ca>
Date: Wed, 2 Aug 2000 06:54:25 -0400

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Header information plus first chapter.  Complete file is at
http://www.geocities.com/floydian_99/

Adam Richard
Never give up (Ne jamais abandonner)

A poor-man Tripwire-like system on Windows 9x/NT
by Floydman,
Bachelor in Computer Sciences
Floydian_99 () yahoo com
Floydman () hacker am
August 2nd, 2000

You can distribute this document freely, as long as no changes are made to
the file and as long as credit for it is not claimed by someone else. 
All comments and suggestions about the material presented here should be
directed at floydian_99 () yahoo com.  If future versions of this document
include add-ons coming from other people than me, then proper credit to the
various authors will be clearly identified.  All version updates of this
document are to be released by me.

You can find it online at http://www.geocities.com/floydian_99/

Abstract

The goal of this paper is to present a simple and low-cost way to implement
Tripwire-like capabilities on a Microsoft Windows 95/98/NT/2000/* machine.

Preface

In my quest for better knowledge in the computer security field, I came
across a paper discussing the software Tripwire, then for Unix only but now
available for NT as well.  For those who have never heard of Tripwire, it
is a system integrity checker, i.e. it checks whether your system has been
compromised by comparing the current information state of your machine to
a "snapshot" taken earlier, when the system was considered a 100%
uncompromised machine (preferably at installation time, before the machine
is put on the network).  If something has changed, chances are that some
cracker/script kiddie has compromised your system, and what you see are
the backdoors and other things like that they left for themselves.  People
who have read my previous paper "Virus protection in a Microsoft Windows
network, or How to stand a chance" know my love for batch files.  It
quickly came to my mind that I could probably do something similar with
some kind of batch files, and have it for free too!  But then again, I also
stumbled on another piece of software (freeware) that would spare me the
trouble and have a GUI too, all at the same price.

Disclaimer

I have never used any Tripwire software on any platform.  I gathered my
knowledge of Tripwire by reading documentation found on the Internet.  I
am stating this for two reasons: 1) Tripwire could have some features that
I have not heard about and that might not be covered in this paper; 2) I
have no idea of the Tripwire interface and/or command line options, and the
solution covered in this paper may (or may not) be quite different from the
actual Tripwire interface.

Targeted audience

This document is presented to anyone who has interests in computer
security, network administration, intrusion detection and computing in
general.

Table of contents

1. A little bit about Tripwire
2. A little bit about InstallWatch
3. Same thing, but a different way
4. The experiment
5. The pros...
6. And cons
7. In conclusion

1. A little bit about Tripwire

Tripwire is an integrity-checking program.  It was first developed on the
Unix platform as a university project designed by Gene H. Kim and Eugene H.
Spafford.  It is now a commercial product (www.tripwire.com; they have a
free academic version).

Tripwire works by comparing the current file system of a machine to a
previous snapshot taken when the machine was guaranteed to be safe
(usually, at installation time).  The snapshot is actually a database of
the disk content, including (but not necessarily limited to) the tree
structure, a complete list of files along with file properties and
Time/Date information, and a derived hash for each file.  (A hash could be
seen as some kind of encryption scheme, or a translation function, that
translates the actual binary content of a file into something unreadable
but that uniquely identifies that content.)  So when you first run Tripwire
(or when you have updated your machine with various patches and want to
get a new snapshot), it will build that database containing all system
file information.

The logic behind this is that once you have installed your system base,
there is no reason for system files to be updated "by themselves"
afterwards.  If they are, then your system has probably been compromised,
and an intruder has planted backdoors/trojans/sniffers on your machine.
The sad news when you find this kind of thing out is that there are
probably more machines on your network that may be compromised as well.

So back to Tripwire.  It is strongly recommended, but not mandatory, to
store your "clean system snapshot" on read-only media (such as a CD-R
disc), because this guarantees that the snapshot cannot be tampered with.
Tampering is mostly prevented by the hash encryption, but this is not 100%
foolproof, since the encryption algorithm is known (i.e. vulnerable to
brute-force attack).  Having your database on read-only media is your best
guarantee, because you can safely store it where no intruder can have
access.

So, basically, when you want to run an audit on your system (let's say on a
weekly basis), Tripwire re-scans the entire system, regenerating a
database similar in structure (along with derived hashes) to the original
snapshot.  Any difference between these databases indicates a file
integrity compromise.  Added files can be imported tools; modified files
are trojaned system files; missing files could be vandalism.  To figure out
whether a file has been modified, Tripwire does not rely only on the
Date/Time stamp, but also on the derived hash.

It's that simple.

