[unisog] HXD

Hill, Dan danhill at umich.edu
Mon Feb 14 03:20:01 GMT 2005


Yes, we are using Bart's PE, and we are using MD5.  But to do a thorough
job, the tool would need to include the MD5 hashes of each file patched
by Microsoft.  Maintaining an XML database of MD5 hashes for every file
that MS ships is definitely a job for Microsoft.  Also, tracing the boot
sequence for a hard drive from an external boot CD is not so easy. 

Dan

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of SAWYER,JOHN H
Sent: Sunday, February 13, 2005 8:15 PM
To: UNIversity Security Operations Group
Subject: RE: [unisog] HXD

>   Last year at Tech-Ed I lobbied (unsuccessfully) for 
> Microsoft to provide a PE boot CD that would guarantee 
> authenticity of critical Windows OS pieces such as gina.dll, 
> lsass.exe and the windows APIs that lists running processes 
> and accepts passwords.  Such a disk could insure that a 
> system, when booted would not have replacement "shim" code 
> that captures passwords or hides processes.  There was 
> considerable interest, but no commitment.  

Why not create one yourself?  I am working on this exact same issue and
developing a custom CD for our server admins that uses McAfee to scan
the local disks and MD5 hashes to verify the system files have not been
tampered with.  The CD also allows you to verify Services and Registry
settings, making sure that they have not been changed.  It is not very
difficult to do, and with a little effort, you can have a custom
incident response tool tailored specifically to your environment.
Below, I am including links to BartPE to build your own PE disk, links
to quite a few plugin sites, MD5 hashing tools for Windows, and the
National Software Reference Library (NSRL)'s hashsets.

Bart's Preinstalled Environment (BartPE) bootable live Windows CD/DVD
http://www.nu2.nu/pebuilder/

BartPE Plugin Repositories
http://www.bootcd.us/BartPE_Plugins_Repository.php
http://www.oion.net/qnd/bootcd/plugins.shtml
http://users.pandora.be/Robvdb/pebuilder_plugins.htm
http://www.blodau.de/petools/
http://www.irongeek.com/i.php?page=security/pebuilder (very handy)

Windows MD5 apps
http://www.fourmilab.ch/md5/
http://www.fastsum.com/
http://www.md5summer.org/
http://www.brandonstaggs.com/filecheckmd5.html
http://www.irnis.net/soft/acsv/?from=banner

National Software Reference Library (NSRL)
http://www.nsrl.nist.gov/Downloads.htm

-jhs

--------------------------------
John H. Sawyer - GCIH GCFW 
Systems Security Engineer
UF/IFAS Information Technologies
-------------------------------- 
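The verification step John describes (boot from a clean CD, hash the system files on the mounted disk, compare against a known-good hashset such as the NSRL's), as an added example that is not from the post or from any of the listed tools. It assumes the NSRL RDS CSV column order (SHA-1, MD5, CRC32, FileName, ...) and all file contents and hashes below are constructed; it also shows Dan's point that a file name must map to several acceptable hashes, one per patch level.

```python
"""Check files on an offline-mounted Windows volume against an MD5 hashset
in NSRL RDS CSV layout. Added example, not from the list post; the column
layout is assumed from the NSRL RDS format and all sample data is constructed."""
import csv, hashlib, io, os, tempfile

# Constructed known-good contents; their MD5s stand in for real hashset rows.
KNOWN_GOOD = {"gina.dll": b"constructed good gina.dll",
              "lsass.exe": b"constructed good lsass.exe"}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest().upper()

def build_hashset_csv() -> str:
    """Emit a hashset in NSRL RDS column order (SHA-1/CRC32 left as dummies)."""
    out = io.StringIO()
    w = csv.writer(out, quoting=csv.QUOTE_ALL)
    w.writerow(["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
                "ProductCode", "OpSystemCode", "SpecialCode"])
    for name, data in KNOWN_GOOD.items():
        w.writerow(["0" * 40, md5_hex(data), "00000000", name, len(data), "1", "WIN", ""])
    return out.getvalue()

def load_hashset(text: str) -> dict:
    """Map file name -> set of acceptable MD5s; a name repeats once per patch level."""
    known = {}
    for row in csv.DictReader(io.StringIO(text)):
        known.setdefault(row["FileName"].lower(), set()).add(row["MD5"].upper())
    return known

def verify_dir(directory: str, known: dict, watch: list) -> dict:
    """Return {name: 'ok' | 'MISMATCH' | 'MISSING'}, reading the mounted volume
    directly rather than through the suspect OS, so hidden files still get hashed."""
    result = {}
    for name in watch:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "MISSING"
            continue
        with open(path, "rb") as f:
            digest = md5_hex(f.read())
        result[name] = "ok" if digest in known.get(name.lower(), set()) else "MISMATCH"
    return result

def demo() -> dict:
    """Constructed volume: gina.dll untouched, lsass.exe replaced, msgina.dll absent."""
    known = load_hashset(build_hashset_csv())
    with tempfile.TemporaryDirectory() as vol:
        for name, data in (("gina.dll", KNOWN_GOOD["gina.dll"]), ("lsass.exe", b"tampered")):
            with open(os.path.join(vol, name), "wb") as f:
                f.write(data)
        return verify_dir(vol, known, ["gina.dll", "lsass.exe", "msgina.dll"])
```

In practice the hashset would be the NSRL download (or hashes you record from a freshly patched reference build), and the directory would be the mounted system32 of the suspect disk.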