SystemExperts: Leadership in Security
Network Security Profiles: Protocol Threats, Intrusion Classes, and How Hackers Find Exploits
Copyright SystemExperts Corporation, 1997-2004 and beyond...
All rights reserved.
©Copyright SystemExperts 1997-2004 and beyond. Network Security Profiles version 4.3. Brad C. Johnson
Just checking...
This is line 1 (24 pt font - TITLES)
• This would be line 2 (20 pt font - BULLETS)
  - This is clearly line 3 (20 pt font - SUB BULLETS)
  - This is definitely line 4 (18 pt font - legal and commentary stuff :-)
Can you hear me? Check 1...2...3...Check
PLEASE turn off or silence your phones, pagers, etc.
Is it too hot? Too cold?
What the course is...
• An overview of various ways that people can learn the details of your environment, and how that works to their advantage in "finding" exploits to use against you
• Tools, techniques, URLs, recommendations and examples: high-level, detailed tool output, screen-shots, article snippets, security group statistics, etc.
• Tool examples are largely public domain (so you can try it)
  - Some commercial tools also described briefly
• Focus on what's happening "now"
• Did I mention "It's the Protocols?"
Reader's Digest of the Tutorial
• Hacker = Determined Intruder = Diligence
  - Learn exactly what components are in place (the profile) to enable focused research (and almost guarantee some level of intrusion success)
  - Paying attention to small details in both what you see and don't see
• The amount of traffic (other than some DoS) needed to profile your site is small, and the amount of information available to research vulnerabilities to discover exploits is huge
• Sigh...the protocols we depend on are responsible for many of the hard to see, catch, or stop exploits
It's the Protocols
"Either the bits get there, or they don't!"
[Figure (credited to WWW.HELMIG.COM): three hosts on one network segment, pc1.mynet.com 207.46.131.11, pc2.mynet.com 207.46.131.12 and pc3.mynet.com 207.46.131.13]
It's the Protocols (cont.)
[Figure: the OSI stack. The client program on the client (your computer) and the server program on the server each pass through all seven layers: Application, Presentation, Session, Transport, Network, Data Link and Physical. The intermediate network node between them implements only the Network, Data Link and Physical layers.]
It's the Protocols (cont.)
Standard TCP/IP services: ports
rje:5, echo:7, discard:9, systat:11, daytime:13, qotd:17, msp:18, chargen:19, ftp-data:20, ftp:21, ssh:22, telnet:23, smtp:25, time:37, rlp:39,
nameserver:42, nicname:43, tacacs:49, re-mail-ck:50, domain:53, whois++:63, bootps:67, bootpc:68, tftp:69, gopher:70, netrjs-1:71,
netrjs-2:72, netrjs-3:73, netrjs-4:74, finger:79, http:80, kerberos:88, supdup:95, hostname:101, iso-tsap:102, csnet-ns:105, rtelnet:107,
pop2:109, pop3:110, sunrpc:111, auth:113, sftp:115, uucp-path:117, nntp:119, ntp:123, netbios-ns:137, netbios-dgm:138, netbios-ssn:139,
imap:143, snmp:161, cmip-man:163, cmip-agent:164, mailq:174, xdmcp:177, nextstep:178, bgp:179, prospero:191, irc:194, smux:199,
at-rtmp:201, at-nbp:202, at-echo:204, at-zis:206, qmtp:209, z39.50:210, ipx:213, imap3:220, link:245, link:245/udp (alias ttylink),
fatserv:347, rsvp_tunnel:363, rpc2portmap:369, codaauth2:370, ulistproc:372, ldap:389, svrloc:42, mobileip-agent:434, mobilip-mn:435,
https:443, snpp:444, microsoft-ds:445, kpasswd:464, photuris:468, saft:487, gss-http:488, pim-rp-disc:496, isakmp:500, gdomap:538,
iiop:535, dhcpv6-client:546, dhcpv6-server:547, rtsp:554, nntps:563, whoami:565, submission:587, npmp-local:610, npmp-gui:611,
hmmp-ind:612, ipp:631, ipp:631/udp, ldaps:636, acap:674, ha-cluster:694, kerberos-adm:749, kerberos-iv:750, webster:765, phonebook:767,
rsync:873, telnets:992, imaps:993, ircs:994, pop3s:995, exec:512, login:513, shell:514, printer:515, utime:519, efs:520, ripng:521,
timed:525, tempo:526, courier:530, conference:531, netnews:532, uucp:540, klogin:543, kshell:544, afpovertcp, remotefs:556, socks:1080,
bvcontrol:1236, h323hostcallsc:1300, ms-sql-s:1433, ms-sql-m:1434, ica:1494, wins:1512, ingreslock:1524, prospero-np:1525,
datametrics:1645, sa-msg-port:1646, kermit:1649, l2tp:1701, h323gatedisc:1718, h323gatestat:1719, h323hostcall:1720, tftp-mcast:1758,
hello:1789, radius:1812, radius-acct:1813, mtp:1911, hsrp:1985, licensedaemon:1986, gdp-port:1997, nfs:2049, zephyr-srv:2102,
zephyr-clt:2103, zephyr-hm:2104, cvspserver:2401, venus:2430, venus-se:2431, codasrv:2432, codasrv-se:2433, hpstgmgr:2600,
discp-client:2601, discp-server:2602, servicemeter:2603, nsc-ccs:2604, nsc-posa:2605, netmon:2606, corbaloc:2809, icpv2:3130,
mysql:3306, trnsprntproxy:3346, rwhois:4321, krb524:4444, rfe:5002, cfengine:5308, cvsup:5999, x11:6000, afs3-fileserver:7000,
afs3-callback:7001, afs3-prserver:7002, afs3-vlserver:7003, afs3-kaserver:7004, afs3-volser:7005, afs3-errors:7006, afs3-bos:7007,
afs3-update:7008, afs3-rmtsys:7009, sd:9876, amanda:10080, pgpkeyserver:11371, h323callsigalt:11720, bprd:13720, bpdbm:13721,
bpjava-msvc:13722, vnetd:13724, bpcd:13782, vopied:13783, wnn6:22273, wnn6:22273/udp (alias wnn4), quake:26000, wnn6-ds:26208,
traceroute:33434, rtmp:1/ddp, nbp:2/ddp, echo:4/ddp, zip:6/ddp, kerberos_master:751, krbupdate:760, kpop:1109, knetd:2053,
krb5_prop:754, eklogin:2105, supfilesrv:871, supfiledbg:1127, netstat:15, linuxconf:98, poppassd:106, smtps:465, gii:616, omirr:808,
swat:901, rndc:953, skkserv:1178, xtel:1313, support:1529, cfinger:2003, ninstall:2150, afbackup:2988, squid:3128, prsvp:3455,
postgres:5432, fax:4557, hylafax:4559, sgi-dgl:5232, noclog:5354, hostmon:5355, canna:5680, x11-ssh-offset:6010, ircd:6667, xfs:7100,
tircproxy:7666, http-alt:8008, webcache:8080, tproxy:8081, jetdirect:9100, kamanda:10081, amandaidx:10082, amidxtape:10083,
isdnlog:20011, vboxd:20012, wnn4_Kr:22305, wnn4_Cn:22289, wnn4_Tw:22321, binkp:24554, asp:27374, tfido:60177, fido:60179
It's the Protocols (cont.)
• "Strange Attractors and TCP/IP Sequence Number Analysis" by Michal Zalewski, let's dive in
  - Seminal paper considered to be one of the original descriptions of the problem that COULD (spoken in a deep, echoed voice) "Bring down the Internet."
• In a nutshell
  - A TCP/IP connection (3 way handshake) includes...an Initial Sequence Number (ISN) which is used...
  - to track each packet and ensure the tenets of the TCP/IP session are upheld for the packets...like: in order, only once, and hopefully from the right source
It's the Protocols (cont.)
  - In the mid 80's it was decided to add this TCP sequence number field to help ensure the integrity of a connection
• So, to create a malicious packet that would be accepted in a connection stream would require
  - attacking a protocol that isn't using cryptography for data integrity
  - knowing/guessing this sequence number
• All of this to defend against "blind spoofing"
• RFC 1948: Defending Against Sequence Number Attacks by Steve Bellovin
  - also called sniffer attacks, network eavesdropping, spoofing sets, DoS
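As an added illustration of the RFC 1948 scheme the slide cites (example code written for this edit; it is not code from the tutorial or from Bellovin's RFC), this Python module generates ISNs as M + F(local address, local port, remote address, remote port, secret). The MD5 hash, the 4-microsecond clock tick and the per-boot secret follow the RFC; the IsnGenerator class, its injectable clock parameter and the documentation-range addresses are assumptions made here. An eavesdropper who watches ISNs on one connection learns the clock, but the hashed per-tuple offset keeps that from predicting the ISN another client's connection will receive:

```python
import hashlib
import os
import struct
import time

# RFC 1948 style ISN generation (added example, not the tutorial's code).
#   ISN = M + F(localhost, localport, remotehost, remoteport, secret)
# M is a clock that ticks once every 4 microseconds (the 4.4BSD rate);
# F is a one-way hash keyed with a secret chosen once per boot, so the
# offset for one 4-tuple tells an eavesdropper nothing about another.

TICK_US = 4           # clock granularity in microseconds
MASK32 = 0xFFFFFFFF   # sequence numbers are 32-bit and wrap


def wall_clock_us():
    """Default clock: microseconds since the epoch."""
    return time.time_ns() // 1000


class IsnGenerator:
    def __init__(self, secret=None, clock=wall_clock_us):
        # The secret must never be derivable from the time of day; a real
        # stack draws it from the kernel entropy pool once at boot.
        self.secret = os.urandom(16) if secret is None else secret
        # Injectable clock (assumed parameter) so the behaviour is testable.
        self.clock = clock

    def offset(self, laddr, lport, raddr, rport):
        """F(): first 32 bits of MD5 over the 4-tuple and the secret."""
        material = f"{laddr}:{lport}:{raddr}:{rport}".encode() + self.secret
        digest = hashlib.md5(material).digest()
        return struct.unpack(">I", digest[:4])[0]

    def isn(self, laddr, lport, raddr, rport):
        """ISN for a new connection on this 4-tuple at the current time."""
        m = (self.clock() // TICK_US) & MASK32
        return (m + self.offset(laddr, lport, raddr, rport)) & MASK32


def demo():
    """Same 4-tuple: the ISN advances with the clock. Other 4-tuple: unrelated."""
    now = [0]
    gen = IsnGenerator(secret=b"\x00" * 16, clock=lambda: now[0])
    first = gen.isn("192.0.2.10", 1024, "192.0.2.20", 80)
    now[0] += 4000                                   # 4000 us = 1000 ticks
    second = gen.isn("192.0.2.10", 1024, "192.0.2.20", 80)
    other = gen.isn("192.0.2.10", 1025, "192.0.2.20", 80)
    return {"advance": (second - first) & MASK32,     # 1000
            "same_tuple_differs": first != second,
            "other_tuple_differs": other != second}


if __name__ == "__main__":
    print(demo())
```

The point of the construction is visible in demo(): within one 4-tuple the ISN is monotonic in the clock (which is what the original sequence-number design wanted), while the ISN of a neighbouring port differs by a hash value the observer cannot compute without the secret.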
It's the Protocols (cont.)
• So this sequence number needs to be as unpredictable as possible: that is, random
  - computers are very bad at generating random numbers...so
  - algorithms need to be used to generate random numbers
• Michal Zalewski decided to use Phase Space Analysis, which deals with strange attractors, to "show" how random the various OS random number generators are for TCP/IP sequence numbers!
  - http://razor.bindview.com/publish/papers/tcpseq.html
  - http://lcamtuf.coredump.cx/newtcp/ (1 year later)
  - Oh boy, let's just look at some pictures, my brain hurts
It's the Protocols (cont.)
[Figure: phase-space (strange attractor) plots of sampled ISNs]
• Windows 98 SE: 100% Attack Feasibility, Radius of 0
  - Windows 95, Windows NT4 SP3 had essentially the same "rating"
  - Windows 2000 and NT4 SP6 + hotfixes had about a 12-15% Feasibility and a Radius of 10
• Linux 2.2: < .05% Attack Feasibility, Radius of 1000
It's the Protocols (cont.)
[Figure: phase-space plots of sampled ISNs for Cisco IOS]
• Cisco IOS 12.0: 20% Attack Feasibility, Radius of 10
• Cisco IOS 12.2.10a: 0% Attack Feasibility, Radius of 100,000
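To make the "attack feasibility" and "radius" figures on these slides concrete, here is an added Python sketch of Zalewski's phase-space method (written for this edit; it is not code from the tutorial or from the razor.bindview.com paper). The attractor is built from delta triples (x, y, z) of observed ISNs, and for each later connection the analyser guesses the next ISN from the x-values of the attractor points nearest the current (y, z); feasibility is the fraction of trials in which a guess lands within the radius. The ISN sources are constructed stand-ins rather than captures from any real stack (a fixed 128000 increment, that increment with small jitter, and a 32-bit random value), and the choice of 10 nearest points and the sample sizes are this example's assumptions, not the paper's parameters:

```python
import random

MOD = 1 << 32


def sdelta(a, b):
    """Signed difference a - b of two 32-bit sequence numbers (wrap-aware)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def phase_space(isns):
    """Zalewski's 3-D coordinates for each ISN s[n] (n >= 3):
    x = s[n]-s[n-1], y = s[n-1]-s[n-2], z = s[n-2]-s[n-3]."""
    return [(sdelta(isns[n], isns[n - 1]),
             sdelta(isns[n - 1], isns[n - 2]),
             sdelta(isns[n - 2], isns[n - 3]))
            for n in range(3, len(isns))]


def attack_feasibility(isns, radius, train=1000, k=10):
    """Fraction of ISNs after the first `train` samples that an analyser
    guesses to within `radius`, using k guesses per trial. Each guess is
    s[n-1] + x for an attractor point (x, y, z) whose (y, z) lies near the
    (y, z) formed from the last three ISNs already seen."""
    attractor = phase_space(isns[:train])
    hits = trials = 0
    for n in range(train, len(isns)):
        y = sdelta(isns[n - 1], isns[n - 2])
        z = sdelta(isns[n - 2], isns[n - 3])
        nearest = sorted(attractor, key=lambda p: abs(p[1] - y) + abs(p[2] - z))[:k]
        guesses = {(isns[n - 1] + p[0]) % MOD for p in nearest}
        trials += 1
        if any(min((g - isns[n]) % MOD, (isns[n] - g) % MOD) <= radius for g in guesses):
            hits += 1
    return hits / trials


# Constructed ISN sources (stand-ins for the generators the slides rate).
def constant_increment_isns(count, step=128000, seed=1):
    """Old-BSD style: a fixed increment per connection, fully predictable."""
    rng = random.Random(seed)
    s, out = rng.getrandbits(32), []
    for _ in range(count):
        s = (s + step) % MOD
        out.append(s)
    return out


def jittered_increment_isns(count, step=128000, jitter=500, seed=1):
    """Fixed increment plus a little noise: guessable within a small radius."""
    rng = random.Random(seed)
    s, out = rng.getrandbits(32), []
    for _ in range(count):
        s = (s + step + rng.randint(-jitter, jitter)) % MOD
        out.append(s)
    return out


def random_isns(count, seed=1):
    """Uniform 32-bit values: the attractor carries no usable structure."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


def report(count=1200):
    """Feasibility for each source at radius 0 and radius 1000."""
    sources = {"constant": constant_increment_isns(count),
               "jittered": jittered_increment_isns(count),
               "random": random_isns(count)}
    return {name: {r: attack_feasibility(s, r) for r in (0, 1000)}
            for name, s in sources.items()}


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:9s} radius 0: {row[0]:.3f}   radius 1000: {row[1000]:.3f}")
```

Run against your own stack by replacing the constructed sources with ISNs captured from repeated connections to the host under test (the SYN/ACK sequence numbers); a feasibility near 1 at a small radius is the condition the slides describe for Windows 98, while a uniform generator stays near 0 even at a large radius.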
Security is a Hodgepodge: You gotta' be kiddin' me!
• Security is a hodgepodge because
  - Most sites are under several spans of control: organizational, geographical, political
• Most sites have many operating systems
  - different versions of the same OS are DIFFERENT
• Most sites have many security vendors
  - Most sites use a variety of security products and services
  - the building blocks = authentication, authorization, auditing
  - the mortar = firewalls, proxies, routers, intrusion detection, gateways, virus services, etc.
• All of the above are at varying levels of maturity
  - and integration is VERY hard, ergo hodgepodge
Hacker/Intruder Mentality
• Motivation: access to resources that were intended to be private or restricted
• Methods: exploit loopholes, configuration weakness, protocol oddities, and application & Operating System implementation "mistakes"
  - Your profile specifics will "tell" what's possible!
• Means: any means
  - Via the network is most suitable for lack of detection, wealth of resources, and difficulty in "prosecuting"
What the Hacker KnOwZ...ALREADY!
• Profiling is easy
  - Lots of tools
  - Lots of techniques
  - Lots of research data
• Today's networks are hard to manage
  - Integration is hard
  - Keeping systems and services up to date is VERY hard
• next... Profiling
Tools listed on the slide: Achilles, cURL, dig, discover, Dsniff, eEye, etherape, ISS, Jizz, mscan, nessus, netcat, NetStumbler, nikto, nmap, nsat, ntop, nslookup, ping, queso, SAINT, SARA, SATAN, scotty, showmount, Sneakin, sscan, strobe, tcp_scan, traceroute, typhon, udp_scan, urlsnarf, WebSleuth, Whisker, whois
Where are We?
• Profiling
  - Methodology
  - Example Profile #1
  - Example Profile #2
• Discovery and Profiling Tools
  - typhon, nessus, dsniff, Nikto, and lots more!
• Intrusions
  - Awareness/Statistics
  - Examples
  - Common Areas
• Protocols
  - DNS
  - SNMP
  - Handheld (PocketPC)
  - Web Infrastructure
Methodology: Process
• Iterative cycle of
  - Gathering response data
  - Focusing on real opportunities
  - Research
  - Careful testing
[Figure: the cycle drawn as a loop through the stages below]
• Preparation: remember testing goals; focus on business issues; be similar (OS, protocol) to what the target is looking for
• Reconnaissance: inventory next level of detail
• Research: review previous testing; research Web data; discuss options
• Catalogue & Prioritize: put potential exposures into categories; order based on goals and success guesstimate
• Test & Validate: attempt tools or techniques
Methodology: Technical
• Workstation flexibility
  - System capable of running various forms of Linux*, BSD*, UNIX*, Windows* Operating Systems
  - I have separate OS installations/disks (Linux, Windows)
• Be as compatible with the system you are profiling as possible!
Rudimentary Data Gathering
• Network Sniffer
  - Traffic and protocol flow
  - see what really happens...and what doesn't happen
• Internet
  - IP space, rate of change, name and mail servers, contact information
  - whois -h arin.net
  - whois -h internic.net
  - whois -h icann.net
  - whois -h register.com
  - smart whois: http://namespace.pgmedia.net/search/, www.swhois.com/
• SCOTTY
  - Reachable hosts (particularly useful on internal probe): discover -icmp x.y.z
  - latency: for timeouts
  - Management, topology, and gateway data: discover -snmp x.y.z
Port, DNS, and SNMP Data Gathering
• Gather list of potential TCP/UDP services and well-known exploits:
    for host in $list; do strobe $host; nmap $host; done
• Gather naming information and conventions; understand routing paths; understand server relationships (e.g., mail, DNS):
    for host in $list; do nslookup $host; dig $host; traceroute $host; done
• Attempt DNS zone transfer:
    dig axfr @place zone.com
• Gather MIB information (neighbors, IP addresses, HW profile); the scotty (Tnm) session handle returned by "snmp session" is snmp0, and $x is escaped so the shell leaves the Tcl variable alone inside the here-document:
    for host in $snmp_list; do
      scotty <<DONE
    snmp session -address $host
    snmp0 walk x "mib-2" { puts \$x }
    DONE
    done
Service and Exploit Data Gathering
• Gather service version, platform, and actual exploit data:
    for host in $ftp_list; do echo QUIT | nc -v -w 5 -r $host ftp; done
    for host in $telnet_list; do tcp_scan -b -w 5 $host telnet; done
    for host in $rpc_list; do scotty -c "sunrpc info $host"; done
    for host in $smtp_list; do tcp_scan -b -w 5 $host smtp; done
    for host in $http_list; do scotty -c "http head http://$host"; curl $host; whisker $host; done
    for host in $list; do sscan $host; nsat $host; nessus $host; nikto $host; done
• Notice all the tools just used (in the last few slides)
  - NetCat (nc)
  - SATAN/SAINT/SARA
  - tcp_scan
  - SCOTTY
  - discover
  - cURL
  - Whisker
  - SScan
  - Nsat
  - Nessus
  - Strobe
  - Nmap
  - Dig, nslookup, traceroute
Profiling Exploit Research
• General Internet security
  - www.cert.org/ CERT (funded by DoD Homeland Security)
  - www.ciac.org/ciac/ Computer Incident Advisory Capability (CIAC)
  - http://cve.mitre.org/ Common Vulnerabilities and Exposures (CVE)
  - www.osvdb.org/ Open Source Vulnerability Database (OSVDB)
• Security archives
  - www.packetstormsecurity.org/
  - http://xforce.iss.net
  - www.securityfocus.com/ Vulnerabilities Link
  - www.securitytracker.com/
  - http://archives.neohapsis.com/
• General news
  - www.google.com/
Profiling Exploit Research (cont.)
• Hackerz
  - www.defcon.org
  - www.antionline.com/, including "Hacking Profiling": www.antionline.com/hacker-profiling/
  - http://cultdeadcow.com
  - http://www.2600.com/
• OS or Application Specific
  - www.ntsecurity.net/, www.ntbugtraq.com/
  - www.isc.org/bind.html, www.dns.net/dnsrd/
• Vendors
  - Microsoft, Sun, HP, IBM, Red Hat, etc.
Profiling Exploit Research (cont.)
[Screenshot: the SecurityFocus "Vulnerabilities" search page (search by vendor, by title, by keyword, by bugtraq id, by CVE id, by publish date) with Vendor = Microsoft, Title = IIS, Version = Any. Entries legible in the result list:
  - Microsoft IIS Redirect Remote Buffer Overflow Vulnerability
  - Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability
  - Microsoft IIS Unspecified Remote Denial Of Service Vulnerability
  - 2003-12-29: Microsoft IIS Failure To Log Undocumented TRACK Requests Vulnerability
  - 2003-11-11: Multiple Vendor Invalid X.509 Certificate Chain Vulnerability
  - 2003-07-22: Microsoft Multiple IIS 6.0 Web Admin Vulnerabilities
  - 2003-06-03: Microsoft IIS WebDAV PROPFIND and SEARCH Method Denial Of Service Vulnerability
  - 2003-05-30: Microsoft IIS SSINC.DLL Server Side Includes Buffer Overflow Vulnerability
  - 2003-05-23: Microsoft IIS ASP Header Denial Of Service Vulnerability]
Sorry, I had to cut the screen off, it went on WAY too long...
Profiling Exploit Research (cont.)
[Screenshot: the SecurityFocus entry "Microsoft IIS 4 Redirect Remote Buffer Overflow Vulnerability" (tabs: info, discussion, exploit, ..., help)]
  bugtraq id: 10766
  class: Boundary Condition Error
  cve: CAN-2004-0205
  remote: Yes
  local: No
  published: Jul 13, 2004
  updated: Aug 10, 2004
  vulnerable: Avaya DefinityOne Media Servers, Avaya IP500 Media Servers, Avaya S3400 Message Application Server, Avaya S8100 Media Servers, Microsoft IIS 4.0
    + Cisco Building Broadband Service Manager 5.0
    + Cisco Call Manager 1.0
    + Cisco Call Manager 2.0
    + Cisco Call Manager 3.0
Profiling Results
• Rudimentary
  - Internet registration data
  - IP addresses
  - SNMP agents
• Expanded data gathering
  - OS types
  - DNS names and conventions
  - ISP routes
  - TCP & UDP services
  - SNMP MIBs
  - HTTP server type
• What we now know
  - Known high-level service exposure opportunities
  - Related hacker successes and tools
  - Recent exploits
  - Detection and prevention tools and techniques
  - Relevant articles and techniques to research and understand
• What we do now?
  - Drill to the next level of detail and start again
Where are We? (agenda slide repeated; next up: Example Profile #1)
Example Profile #1
  # whois -h internic.net =usenix.org
  [internic.net]
  Whois Server Version 1.3

  Server Name: USENIX.ORG
  IP Address: 131.106.3.1
  Registrar: NETWORK SOLUTIONS, INC.
  Whois Server: whois.networksolutions.com
  Referral URL: www.networksolutions.com

  Domain Name: USENIX.ORG
  Registrar: NETWORK SOLUTIONS, INC.
  Whois Server: whois.networksolutions.com
  Referral URL: www.networksolutions.com
  Name Server: NS.UU.NET
  Name Server: UUCP-GW-1.PA.DEC.COM
  Name Server: DNS.USENIX.ORG
  Updated Date: 05-nov-2001
Example Profiling #1 (cont.)
  # dig dns.usenix.org
  ; <<>> DiG 9.2.0 <<>> dns.usenix.org
  ;; QUESTION SECTION:
  ;dns.usenix.org.                 IN   A

  ;; ANSWER SECTION:
  dns.usenix.org.                  IN   A    131.106.1.57

  ;; AUTHORITY SECTION:
  usenix.org.                      IN   NS   ns.usenix.org.
  usenix.org.                      IN   NS   auth00.ns.UU.NET.
  usenix.org.                      IN   NS   uucp-gw-1.pa.dec.com.
  usenix.org.                      IN   NS   uucp-gw-2.pa.dec.com.
  usenix.org.                      IN   NS   ns1.orng.twtelecom.NET.

  ;; ADDITIONAL SECTION:
  ns.usenix.org.                   IN   A    131.106.1.57
  auth00.ns.UU.NET.                IN   A    198.6.1.65
  uucp-gw-1.pa.dec.com.            IN   A    204.123.2.18
  uucp-gw-2.pa.dec.com.            IN   A    204.123.2.19
  ns1.orng.twtelecom.NET.          IN   A    168.215.210.50

  ;; Query time: 63 msec
  ;; SERVER: 18.71.0.151#53(18.71.0.151)
  ;; WHEN: Wed Oct 2 13:25:21 2002
(The TTL column did not survive the scan intact; the values that remain are 7625 for each authority record and 57952, 57336, 80463, 17131 and 10546 for the other records.)
Example Profiling #1 (cont.)
  # dig axfr @ns.usenix.org usenix.org
  ; <<>> DiG 8.3 <<>> axfr @ns.usenix.org usenix.org
[The zone transfer succeeded. The record columns are too garbled in the scan to realign one by one; what survives: TTL 4H on nearly every record (2D on one NS); the apex usenix.org has NS records for ns and auth00.ns.UU.NET and MX records 100 mail.UU.NET. and 10 voyager; the other names returned are db, dns, voyager, mailgw-conference, localhost, conf-reg, sage-web, www, ip2, www.sage, imap, dec and conference, with A records in 131.106.1.x and 131.106.3.x (plus localhost 127.0.0.1), CNAMEs pointing at voyager, gw.conference, db, ns and www.sage.org., and NS records pointing at ns.]
Example Profile #1
  # discover -snmp 131.106.1
  131.106.1.104  Sun SNMP Agent,
  131.106.1.200  Shiva LanRover/8E, Version 5.7 98/11/06
  131.106.1.220  Base Station V3.81 Compatible
  131.106.1.221  Base Station V3.81 Compatible
  131.106.1.211  Sun SNMP Agent, Ultra-250

  # strobe -b1 -e128 ns.usenix.org
  strobe 1.03 (c) 1995 Julian Assange ([email protected]).
  ns.usenix.org  domain  53/tcp  Domain Name Server [81,95,PM1]
Example Profiling #1 (cont.)
  # nslookup
  Default Server: delta.mellis.com
  Address: 4.40.156.51
  Aliases: 51.156.40.4.in-addr.arpa

  > server ns.usenix.org
  Default Server: ns.usenix.org
  Address: 131.106.1.57

  > set querytype=txt
  > set class=chaos
  > version.bind
  Server: ns.usenix.org
  Address: 131.106.1.57

  VERSION.BIND text = "8.2.4-REL"
Example Profiling #1 (cont.)
• Research on BIND 8.2.4
  - www.kb.cert.org/vuls/id/803539: DNS stub vulnerable to buffer overflow, execute arbitrary code
  - www.sfu.ca/~siegert/linux-security/msg00127.html: buffer overflow in resolver library, execute arbitrary code
• Note on BIND
  - Let's look at the "Summary" section in www.isc.org/products/BIND/bind-security.html for a table of (some) exploits per BIND release
Example Profiling #1 (cont.)
[Figure: the ISC table of exploits per BIND release, annotated "43 Different BIND versions!" and "Doesn't include Microsoft variations"]
Where are We? (agenda slide repeated; next up: Example Profile #2)
Example Profile #2
• Run nessus
  - Notice 3 IP systems apparently running Cisco IOS
• Run Nmap to double-check OS identification
  - It matches
• All 3 are running unsecured TELNET
  - But that's not enough, let's keep looking...

  IP Address     Operating System
  x.y.171.251    Cisco 1600/3640/7513 Router (IOS 11.2(14)P)
  x.y.171.254    Cisco AS5200
  x.y.140.126    Cisco IOS 12.0(5)WC3 - 12.0(16a)
Example Profile #2
  Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
  Host (x.y.171.254) appears to be up ... good.
  Initiating Connect() Scan against (x.y.171.254)
  Adding open port 23/tcp
  The Connect() Scan took 10 seconds to scan 1601 ports.
  For OS Scan assuming that port 23 is open and port 1 is closed and neither are firewalled
  Interesting ports on (x.y.171.254):
  (The 1598 ports scanned but not shown below are in state: closed)
  Port       State       Service
  23/tcp     open        telnet
  79/tcp     open        finger
  2065/tcp   open        dlsrpn
  Remote OS guesses: AS5200, Cisco 2501/5260/5300 terminal server IOS 11.3.6(T1), Cisco IOS 11.3-12.0(11)
  TCP Sequence Prediction: Class=random positive increments
                           Difficulty=32281 (Worthy challenge)
  IPID Sequence Generation: All zeros
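To show what a scan like the one above tells a reviewer once the open ports are mapped back to services (the slide's "unsecured TELNET" conclusion), here is an added Python example written for this edit, not code from the tutorial or from nmap. It parses the "name:port[/proto]" list format used on the "Standard TCP/IP services: ports" slide, parses nmap "port/proto state service" lines, and tags services that carry credentials or data in the clear or that hand out host information. The services excerpt, the sample nmap lines and the two risk categories are this example's own constructed assumptions:

```python
import re

# Constructed excerpt in the "name:port[/proto]" format of the slide's port list.
SERVICES_TEXT = ("echo:7, ftp:21, ssh:22, telnet:23, smtp:25, domain:53, finger:79, "
                 "http:80, pop3:110, sunrpc:111, nntp:119, snmp:161, snmp:161/udp, "
                 "imap:143, https:443, exec:512, login:513, shell:514, "
                 "dlsrpn:2065, mysql:3306, link:245/udp (alias ttylink)")

# Constructed nmap 3.x style output lines (same shape as the slide's scan).
NMAP_TEXT = """\
Interesting ports on (x.y.171.254):
(The 1598 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
79/tcp     open        finger
2065/tcp   open        dlsrpn
"""

# Risk categories assumed by this example, not a list taken from the slides.
CLEARTEXT_AUTH = {"telnet", "ftp", "pop3", "imap", "login", "exec", "shell", "http"}
INFO_LEAK = {"finger", "echo", "sunrpc", "snmp"}

SERVICE_RE = re.compile(r"^([\w.+-]+):(\d+)(?:/(\w+))?")
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_services(text):
    """'name:port[/proto]' entries -> {(port, proto): name}; proto defaults to tcp."""
    table = {}
    for entry in text.split(","):
        m = SERVICE_RE.match(entry.strip())
        if not m:
            continue            # tolerate garbled entries such as a bare 'afpovertcp'
        name, port, proto = m.group(1), int(m.group(2)), m.group(3) or "tcp"
        table[(port, proto)] = name
    return table


def parse_nmap(text):
    """nmap 'port/proto state service' lines -> [(port, proto, state, service)]."""
    found = []
    for line in text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return found


def review_scan(nmap_text, services_text):
    """Open ports with the service name from the table (falling back to nmap's
    own guess) and a risk tag: cleartext-auth, info-leak or unclassified."""
    table = parse_services(services_text)
    rows = []
    for port, proto, state, nmap_name in parse_nmap(nmap_text):
        if state != "open":
            continue
        name = table.get((port, proto), nmap_name)
        if name in CLEARTEXT_AUTH:
            tag = "cleartext-auth"
        elif name in INFO_LEAK:
            tag = "info-leak"
        else:
            tag = "unclassified"
        rows.append((port, proto, name, tag))
    return rows


if __name__ == "__main__":
    for row in review_scan(NMAP_TEXT, SERVICES_TEXT):
        print("%5d/%s  %-10s %s" % row)
```

The unclassified bucket is the one to read carefully: a port whose name is only nmap's guess (here dlsrpn on 2065) is where the next level of detail in the profiling cycle starts, since the name table says nothing about what is really listening.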
Example Profiling #2 (cont.)
• Research on Cisco IOS
  - Hmm, various things to bring down a CISCO router
  - www.osvdb.org/displayvuln.php?osvdb_id=4030
  - www.uniras.gov.uk/vuls/2004/236929/index.htm
  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230
  - www.us-cert.gov/cas/techalerts/TA04-111A.html
    which refers to www.cert.org/advisories/CA-2001-09.html, "Statistical Weaknesses in TCP/IP Initial Sequence Numbers", which is about 3 years old
  - hmm, ISN, that sounds familiar, doesn't it?
  - works on implementations of the Border Gateway Protocol (BGP)
    which is used by almost all Internet TCP/IP routers, that's all!
  - TCP Reset Spoofing
    All Cisco IOS versions
Example Profile #2 (cont.)
• Use Google to find example code
  - http://fux0r.phathookups.com/sploits/os/hardware/routers/cisco/firewall_reset.c
  (excerpt as shown on the slide)
  /* reset_state.c (c) 2000 Citec Network Securities */
  /* The code following below is copyright Citec Network Securities */
  /* Code was developed for testing, and is written to compile under */
  /* FreeBSD */
  /* ... */
  tcphead = (struct tcphdr *) (evilpacket + sizeof(struct ip)); /* Declare packet */
  tcphead->th_flags = TH_RST; /* Reset packet */
  /* Copy info to src and dst for printing */
  printf("TCP RESET: [%s:%d] -> [%s:%d]\n", src, ntohs(tcphead->th_sport),
         dst, ntohs(tcphead->th_dport));
  sendto(sock, &evilpacket, sizeof(evilpacket), 0x0,
         (struct sockaddr *) &sockstruct, sizeof(sockstruct));
Example Profiling #2 (cont.)
• Let's do some more research on Cisco IOS
  - Let's try Google with "Cisco hacking"
  - That list yields, among other things, "Hacking toolkit for Cisco"
  - That URL mentions "Cisco Global Exploiter"
  - Using that in Google yields "Multiple Cisco Products Vulnerabilities Exploit (Cisco Global Exploiter)"
  - That URL is a perl script with the code that will try 9 different Cisco vulnerabilities
Example Profile #2 (cont.)
  # Cisco Global Exploiter
  #############
  # Functions #
  #############
  sub usage
  {
      printf "\nUsage :\n";
      printf "perl cge.pl -h <host> -v <vulnerability number>\n\n";
      printf "Vulnerabilities list :\n";
      printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\n";
      printf "[2] - Cisco IOS Router Denial of Service Vulnerability\n";
      printf "[3] - Cisco IOS HTTP Auth Vulnerability\n";
      printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\n";
      printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n";
      printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerability\n";
      printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\n";
      printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n";
      printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\n\n";
      exit(1);
  }
Profiling Medicine
• Poor detection and escalation
  - Write down 10 critical events and create (even if brute force) scripts to review logs and generate events
• Configurations tend to degrade over time and OS/application upgrades are a pain
  - Make a clone when you upgrade your deployment systems
• Many organizations think in terms of inside and outside
  - Be just as concerned about what goes out as what comes in
• Integrating disparate layered technologies on multiple OS environments is time consuming
  - Consolidate versions to reduce complexities and variables
What the Hacker KnOwZ...about profiling
• You don't need sophisticated resources
- Almost any UNIX or Windows machine will do fine
- CPU speed is no issue
- memory size is no issue
• Simple tools can generate fine-grained information
• Research is easy, will likely reveal lots of good information, and is likely to be compelling
• next... Intrusions
Where are We?
Profiling
- Methodology
- Example Profile #1
- Example Profile #2
Discovery and Profiling Tools
- typhon, nessus, dsniff, Nikto, and lots more!
Intrusions
- Awareness/Statistics
- Examples
- Common Areas
Protocols
- DNS
- SNMP
- Handheld (PocketPC)
- Web Infrastructure
Intrusion Awareness
Scanners
- strobe, sscan, netcat, netstumbler, nsat, nessus, nmap, SAINT, SARA, eEye Retina, Typhon, scotty
Third party applications
- ISS - Internet Security Scanner - www.iss.net
- NetRecon - http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=46
- SuperScan (Foundstone) - www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=resources/proddesc/superscan.htm
Lists of scanners (and other tools)
- www.linuxgazette.com/issue57/sharma.html
- www.insecure.org/tools.html
- www.eccouncil.org/312-50.htm
- www.hackingexposed.com/tools/tools.html
- www.thenetworkadministrator.com/2003MostPopularHackingTools.htm
Intrusion Readiness?
• 4/13/03: Boston student receives 5 years probation for using keystroke logger
• 3/24/04: Man indicted for "bugging" boss' PC w/ "Key Katcher"
• 10/4/04: FBI uses keystroke logger to capture passwords and get evidence
• But remember trojan recording software!
KeyGhost hardware keystroke loggers (www.keyghost.com)
- KeyGhost Standard 500K $99, keyboard $129
- KeyGhost Pro 1M $150, keyboard $290 (with 128bit encryption)
- Photos: integrated internal KeyGhost, before and after
Intrusion Statistics
CERT Advisories
• 2004: only 2 so far
- US-CERT Windows advisory (Windows Security Update April 04): http://www.us-cert.gov/cas/alerts/SA04-104A.html
• 2003: 28
- buffer overflows
- Microsoft SQL, Windows Shares, Windows
- OpenSSH, SSL/TLS
- Snort (www.cert.org/advisories/CA-2003-13.html)
• 2002: 37
- buffer overflows
- SSH/SSL/Radius
- Microsoft (in particular IIS)
• 2001: 37
- Microsoft (in particular IIS)
- buffer overflows
- worm/virus/trojan
Intrusion Statistics (cont.)
• CERT incidents thru end of 2003
- 1998: 3,734
- 1999: 9,859
- 2000: 21,756
- 2001: 52,658
- 2002: 82,094
- 2003: 137,529
- 2004: CERT: incidents have become "meaningless" so they are stopping this category
• CERT vulnerabilities thru end of 2003
- 1998: 262
- 1999: 417
- 2000: 1,090
- 2001: 2,437
- 2002: 4,129
- 2003: 3,784
- 2004: 1,740 thru 2Q
• For complete details, see: www.cert.org/stats/
FBI/SANS Top 10: Windows and UNIX
• Windows
- IIS
- MDAC
- SQL
- IE
- Windows Scripting Host
- Windows Authentication
- Windows Remote Access
- Outlook/Express
- P2P
- SNMP
• UNIX
- BIND/DNS
- RPC
- Apache
- General Authentication
- Sendmail
- SNMP
- SSH
- Clear Text Services
- NFS/NIS
- SSL
• www.sans.org/top20/#index
• Tools that find these
- Qualys, ISS, Foundstone EVMS, Nessus, and Sara
Intrusion #1 Combinations
NO detection!
• Main Web server fine...let's look around
• Staging server not so fine
• Exploit well known Web server bug to initiate interactive login session
• Exploit trust relationship between staging server and main Web server
• Change main Web pages!
Typical big exploit is a combination of lower level problems
Intrusion #1 Combinations (cont.)
Vulnerabilities to achieve critical access
• ICMP echo allowed in
• Non default but easily guessed SNMP community string
• Non production quality HTTP server configuration on non production system
• Trust relationship between 2 systems within a "close" IP address space
• Xterm from DMZ address allowed out through firewall
Intrusion #2 Escalation
PC Week Labs invited people to hack Web site running on Linux
- www.spirit.com/Network/net1099.txt
Result: ability to change any Web pages
- didn't require interactive session!
Details highlight how a series of incremental learning on small details revealed HUGE vulnerability
In a nutshell
• Web site running 3rd party AD package
• intruder acquired and reviewed package source code
• scrutinized several server-side package scripts
• minor coding glitch allowed a <7K "image" to be uploaded and OS had a well known SUID exploit
• image was actually a VERY short program:
    execlp("/tmp/.bs", "ls", "-c", "cp /tmp/xx /home/httpd/html/index.html", 0);
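The "minor coding glitch" above was an upload handler that accepted a program because it was called an image. As an added example (not from the tutorial or from PC Week Labs), here is the content check a defender would put in front of such an upload: size limit, executable magic numbers refused, and the image header actually parsed. The 7K limit, the accepted formats and the sample bytes are constructed for the example.

```python
"""Added example (not from the tutorial or from PC Week Labs): content checks
an upload handler can make before accepting a small "image", the check that
would have refused the program disguised as an image in Intrusion #2.
The 7K limit, accepted formats and sample bytes are constructed for the example."""
import struct

MAX_UPLOAD = 7 * 1024  # modelled on the slide's "<7K" upload limit (assumption)

# Leading bytes that identify executables: an "image" starting this way is a program.
EXECUTABLE_MAGIC = {
    b"\x7fELF": "ELF executable",
    b"MZ": "PE/DOS executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"#!": "interpreter script",
}


class UploadRejected(ValueError):
    pass


def _gif_size(data: bytes):
    # GIF: 6-byte signature, then 16-bit little-endian width and height.
    if len(data) < 10:
        raise UploadRejected("truncated GIF header")
    return struct.unpack_from("<HH", data, 6)


def _png_size(data: bytes):
    # PNG: 8-byte signature, then the IHDR chunk: length(4) "IHDR" width(4) height(4), big-endian.
    if len(data) < 24 or data[12:16] != b"IHDR":
        raise UploadRejected("PNG without IHDR chunk")
    return struct.unpack_from(">II", data, 16)


def inspect_upload(data: bytes):
    """Return (format, width, height) for an acceptable image, else raise UploadRejected.
    Only GIF and PNG are accepted here; the decision rests on the bytes, not on
    the file extension or Content-Type, both of which the client controls."""
    if len(data) > MAX_UPLOAD:
        raise UploadRejected(f"{len(data)} bytes exceeds limit of {MAX_UPLOAD}")
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            raise UploadRejected(f"{kind}, not an image")
    if data.startswith((b"GIF87a", b"GIF89a")):
        fmt, (w, h) = "gif", _gif_size(data)
    elif data.startswith(b"\x89PNG\r\n\x1a\n"):
        fmt, (w, h) = "png", _png_size(data)
    else:
        raise UploadRejected("unrecognised content")
    if w == 0 or h == 0 or w > 4096 or h > 4096:  # 4096 is an arbitrary sanity bound
        raise UploadRejected(f"implausible dimensions {w}x{h}")
    return fmt, w, h


def try_upload(data: bytes):
    """Wrapper returning (accepted, detail) instead of raising."""
    try:
        return True, inspect_upload(data)
    except UploadRejected as exc:
        return False, str(exc)


# Constructed samples
ELF_SAMPLE = b"\x7fELF" + bytes(60)  # a tiny program, the Intrusion #2 case
GIF_SAMPLE = b"GIF89a" + struct.pack("<HH", 8, 8) + bytes(3)
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
              + struct.pack(">II", 16, 32) + bytes(5))
OVERSIZED = b"GIF89a" + bytes(8 * 1024)

if __name__ == "__main__":
    for name, sample in [("ELF", ELF_SAMPLE), ("GIF", GIF_SAMPLE),
                         ("PNG", PNG_SAMPLE), ("oversized", OVERSIZED)]:
        print(name, try_upload(sample))
```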
Intrusion #3 Protocol Exploit
NO detection!
- DNS poisoning
• populate with new bogus entries, or
- www.foobar.edu -> w.x.y.z
• update already populated entries (i.e., add addresses)
- www.yahoo.com -> w.x.y.z, a.b.c.d, e.f.g.h
• Original victim www.internic.net: root DNS servers poisoned to point to www.alternic.net
• continues to be one of the more sought after exploits
- examples include
> Verisign/WorldNIC domain redirection (2002)
> Birthday Attack (2003) - brute force attack to get transaction ID: www.securityfocus.com/guest/17905
> Symantec Gateway DNSd Cache Poison (6/2004): www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=28508
Intrusion #4 Design Exploits
Begin secure session (SSL) with legit login ID
Download all (possible) pages to review
Find possible application design flaw
- modify session ID in (dynamically generated) page
- modify client side state data (in local file, or registry, or...)
- modify cookie (on disk OR in memory!)
- modify data in transit
• Achilles - proxy server to intercept, change data: www.mavensecurity.com/achilles
Begin authorized transactions on any other account
- ...because server assumed one time authentication and didn't re-validate (THE most common design error)
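The design error named above, as an added example (not from the tutorial): a handler that treats a valid session as permission to touch any account the client names, beside one that re-derives the user from the server-side session and checks ownership on every request. The session store, users, account numbers and balances are constructed for the example.

```python
"""Added example (not from the tutorial): the "one time authentication" design
error from Intrusion #4 beside a version that re-validates on every request.
The session store, users and account numbers are constructed for the example."""
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    user: str  # fixed at login, after the SSL login with a legit ID succeeded


# Constructed server-side state.
SESSIONS = {"s-4f1e9c": Session("s-4f1e9c", "alice")}
ACCOUNT_OWNERS = {"10001": "alice", "10002": "alice", "20001": "bob"}
BALANCES = {"10001": 500, "10002": 75, "20001": 9000}


class Denied(Exception):
    pass


def balance_insecure(session_id: str, account_no: str) -> int:
    """Flawed handler: once the session id is valid, any account number the
    client puts in the page, cookie or URL is served. Authentication at login
    is being treated as authorization for every later request."""
    if session_id not in SESSIONS:
        raise Denied("no such session")
    return BALANCES[account_no]


def balance_secure(session_id: str, account_no: str) -> int:
    """Hardened handler: every request re-derives the user from the server-side
    session and checks that the requested account belongs to that user."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise Denied("no such session")  # also covers a modified or guessed session id
    if ACCOUNT_OWNERS.get(account_no) != session.user:
        # Worth logging: a logged-in user asking for another account is the
        # kind of "unexpected error" the Web Applications slide says to scan for.
        raise Denied(f"{session.user} is not the owner of account {account_no}")
    return BALANCES[account_no]


def attempt(handler, session_id: str, account_no: str):
    """Run a handler and report (served, value_or_reason) without raising."""
    try:
        return True, handler(session_id, account_no)
    except Denied as exc:
        return False, str(exc)
    except KeyError:
        return False, "unknown account"


def demo():
    """Alice, logged in, edits the account number in her request to Bob's."""
    return {
        "own account, insecure": attempt(balance_insecure, "s-4f1e9c", "10001"),
        "bob's account, insecure": attempt(balance_insecure, "s-4f1e9c", "20001"),
        "own account, secure": attempt(balance_secure, "s-4f1e9c", "10001"),
        "bob's account, secure": attempt(balance_secure, "s-4f1e9c", "20001"),
        "tampered session id, secure": attempt(balance_secure, "s-000000", "20001"),
    }


if __name__ == "__main__":
    for case, (served, detail) in demo().items():
        print(f"{case:30s} -> {'served' if served else 'denied'}: {detail}")
```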
Intrusion Detection: Common Areas (low-hanging fruit!)
Quick overview of intrusion detection (ID) with respect to what hackers spend their time on
Overview of why intrusions are successful despite ID systems and focus on the relationship to hacker efforts
Cover primary intrusion areas, tools, and techniques hackers use:
• Web servers
• Web applications
• Wireless 802.11b (access points)
• Modems
• Email (trojans, worms, etc.)
- I'm not going to talk about this... but install a virus detector on EVERY system!
ID Areas
Many ID tools for various areas
- Network
• ManTrap, ManHunt, Cisco IDS, RealSecure, NFR, Tripwire, StormWatch, Snort, Intruder Alert, Shadow, Dragon, etc.
- Host
• Entercept, Intruder Alert, Swatch, etc.
- Firewalls, routers, virii
• SurfControl, Cisco PIX, Cyber Armor, McAfee, Norton, StormWatch, CheckPoint, Netscreen, SecureIIS, StoneGate, WatchGuard, Zone Alarm, etc.
- Integrity Checkers
• AIDE, chkrootkit, SecureEXE, Tripwire, etc.
ID Awareness
Many intrusion detection tools to choose from
• Most of them won't help you with anything but generic problems (e.g., port scans, block ports/services)
There are many sites, conferences, and educational classes dedicated to intrusion detection and yet
• Most sites have little to no functional ID services
• Many intrusions are successful and most are not detected... WHY?
Site specific intrusion detection systems require significant:
- Hands-on configuration
- Development
- Expertise
- Iterations of testing to figure out
a) what's normal
b) reasonable thresholds
- ... and... (next page)
ID Awareness (cont.)
ID "gateways" are (generally) NOT end-systems
- The only way to know the intention of the data-stream is to recreate the entire context (session) of what the end-system will see: some ID "gateways" do packet reconstruction (e.g., of packet fragments), but most do not do the entire session reconstruction
Diagram: network -> ID Gateway (Inspect Data; event actions) -> End-System (Interpret Data)
Hacker News: A Little Quiz
How many have heard of rootkits?
- Can you think of one file on any distribution? What does it do?
How many have a web site?
- Tell me what Whisker does. How does it work?
How many have an 802.11b access point?
- Tell me what MiniStumbler is. How does it work?
How many have any modems?
- Tell me what THC-Scan is. What are its good and bad points?
Hacker News: Answers
Name one exact file on any distribution
- _root_040.zip: NT: deploy.exe, _root_.sys
- hxdef100.zip: Hacker Defender: Windows: Hidden Ports (uh, hide ports)
- rootkitLinux.gz: Linux: netstat (hides activities)
- rootkitSunOS.tgz: SunOS: fix.c (change checksums)
- rootkit.zip: UNIX: es (ethernet sniffer), z2 (remove log entries)
- fbrk1-imps.tar.gz: FreeBSD: sizer (change file size)
- sol24.zip: Solaris: psrace.c: set UID to 0
Tell me what Whisker does. How does it work?
- Looks for well-known Web server distribution exploits and simply makes a series of GET requests for specific file names
Hacker News: Answers (cont.)
Tell me what MiniStumbler is. How does it work?
- Program to find 802.11b access points and it runs on a handheld PocketPC
• other programs include Kismet, Wellenreiter, THC-WarDrive
- It sends out probe-request packets (management packet type 00 sub-type 0100) and logs the response
Tell me what THC-Scan is. What's good and bad?
- The Hacker's Choice (phone) Scanner: i.e., phone phreaking, modem dialer: other programs include Toneloc and Sandstorm
- Does a great job against very large sets of numbers, doesn't try to be too smart, but has a limited number of target devices that it can automatically detect
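The "management packet type 00 sub-type 0100" above is what a wireless monitor looks for to notice a stumbler at work. As an added example (not from the tutorial or from NetStumbler/MiniStumbler), this decodes the 802.11 frame-control field and the probe-request body and counts probe requests per source station; the frames and MAC addresses are constructed for the example.

```python
"""Added example (not from the tutorial or from NetStumbler/MiniStumbler):
decoding the 802.11 frame-control field and probe-request body so a wireless
monitor can count the probe requests (management type 00, sub-type 0100) a
stumbler sends. Frames and MAC addresses are constructed for the example."""
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication", 12: "deauthentication"}
BROADCAST = b"\xff" * 6


def parse_frame_control(fc: int):
    """Split the 16-bit frame control field: bits 0-1 protocol version,
    bits 2-3 type, bits 4-7 subtype (the slide's 'type 00 sub-type 0100')."""
    return fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes):
    """Management header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 header")
    fc, = struct.unpack_from("<H", frame, 0)
    version, ftype, subtype = parse_frame_control(fc)
    return {
        "version": version,
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": MGMT_SUBTYPES.get(subtype, str(subtype)) if ftype == 0 else subtype,
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
    }


def is_probe_request(frame: bytes) -> bool:
    fc, = struct.unpack_from("<H", frame, 0)
    _, ftype, subtype = parse_frame_control(fc)
    return ftype == 0 and subtype == 4


def probe_request_ssid(frame: bytes):
    """Walk the tagged parameters after the 24-byte header; element ID 0 is the
    SSID. An empty SSID is the wildcard probe that asks every AP in range to
    answer, which is why an AP in broadcast mode shows up in a stumbler."""
    body, i = frame[24:], 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if eid == 0:
            return value.decode("ascii", "replace")
        i += 2 + length
    return None


def count_probers(frames):
    """Per source MAC: number of probe requests and the SSIDs asked for ('' = wildcard)."""
    report = {}
    for frame in frames:
        if len(frame) < 24 or not is_probe_request(frame):
            continue
        sa = parse_header(frame)["sa"]
        entry = report.setdefault(sa, {"count": 0, "ssids": set()})
        entry["count"] += 1
        entry["ssids"].add(probe_request_ssid(frame))
    return report


def build_mgmt_frame(subtype: int, sa: bytes, body: bytes) -> bytes:
    """Constructed test frames: management type, given subtype, broadcast DA and BSSID."""
    fc = (0 << 2) | (subtype << 4)
    return struct.pack("<HH", fc, 0) + BROADCAST + sa + BROADCAST + b"\x00\x00" + body


STUMBLER = b"\x00\x11\x22\x33\x44\x55"  # constructed station MAC
RATES = b"\x01\x04\x02\x04\x0b\x16"      # supported-rates element, 1/2/5.5/11 Mbps
WILDCARD_PROBE = build_mgmt_frame(4, STUMBLER, b"\x00\x00" + RATES)
NAMED_PROBE = build_mgmt_frame(4, STUMBLER, b"\x00\x04WLAN" + RATES)
BEACON = build_mgmt_frame(8, b"\x00\xaa\xbb\xcc\xdd\xee", bytes(12) + b"\x00\x04WLAN")

if __name__ == "__main__":
    print(count_probers([WILDCARD_PROBE, NAMED_PROBE, BEACON]))
```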
Where do Intrusions Happen?
• The tenet of most "older" hacking efforts was
- Getting something for free
- Showing off and/or embarrassing somebody else
• The tenet of newer hacking efforts is
- Identity theft and intellectual property
• this is, in a nutshell, THE most important factor behind host, network, and Web application intrusions!
- Nature of threat model new: organized crime, foreign governments
• Well funded, subtle changes, done over a long period of time
• Other than email and IE, four of the common areas for successful intrusions include:
- Web Servers
- Web Applications
- Wireless Infrastructure
- Modems - this is where it all started
Web Servers
Intrusion Area
• Server deployment: every Web server comes with its own set of configuration, deployment, setup, security, and problems!
Typical Problems
• Insecure package contents
• Insecure default options/settings
- check every possible configuration setting!
Methodology
- Very easy: cut/paste a well-known URL
Practical Tips
• Use "CGI" scanning tools: e.g., whisker, Nikto, or Nessus web tests
• Check your Web server logs for well-known problematic server-side files and programs
Whisker: CGI scanner
Scans for well-known exploitable files
Uses the server or OS type to be selective
Options to by-pass IDS using URL encoding
- /cgi-%62in/ph%66 instead of /cgi-bin/phf
Directories searched (125)
- /cgi-bin, /cgi-local, /htbin, /cgibin, /cgis, /cgi, /wwwthreads, /scripts, /app*, /backup*, and other common root directories
Log directories searched (85)
- /cache-stats, /log*, /scripts/weblog, /stat, /wwwstatus, /server_stats, /wusage and other common log directories
Files searched (there are hundreds)
- iissamples/query.asp, iisadmpwd/aexp4b.htr, tools/newdsn.exe, cgi-win/uploader.exe, testcgi.exe, cgitest.exe, webdist.cgi, pfdisplay.cgi
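The Web Servers slide says to check your logs for well-known problematic server-side files, and the Whisker slide shows why a naive string match misses them: /cgi-%62in/ph%66 does not contain "phf". As an added example (not from the tutorial and not Whisker's code), this pass over access-log lines canonicalises the URL encoding before matching the file and directory names taken from the Whisker slide; the log lines are constructed.

```python
"""Added example (not from the tutorial and not Whisker's code): a defender's
pass over Web server access logs for the well-known problematic files the
Web Servers and Whisker slides name, canonicalising URL encoding first so that
/cgi-%62in/ph%66 is matched as /cgi-bin/phf. Log lines are constructed."""
import re
from urllib.parse import unquote

# File names from the Whisker slide (looked for under any of its search directories).
PROBE_FILES = {
    "phf", "query.asp", "aexp4b.htr", "newdsn.exe", "uploader.exe",
    "testcgi.exe", "cgitest.exe", "webdist.cgi", "pfdisplay.cgi",
}
# Directories from the Whisker slide.
PROBE_DIRS = {
    "cgi-bin", "cgi-local", "htbin", "cgibin", "cgis", "cgi", "wwwthreads",
    "scripts", "iissamples", "iisadmpwd", "tools", "cgi-win",
}

# Common Log Format: host ident authuser [date] "method path version" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')


def canonical_path(raw_path: str) -> str:
    """Drop the query string, percent-decode twice (catches %25xx double
    encoding), collapse repeated slashes and lower-case, so that the encoded
    form an IDS might miss compares equal to the plain one."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    path = re.sub(r"/+", "/", path)
    return path.lower()


def classify_request(raw_path: str):
    """Return a reason string for a suspicious request, or None."""
    path = canonical_path(raw_path)
    parts = [p for p in path.split("/") if p]
    if not parts:
        return None
    filename, dirs = parts[-1], set(parts[:-1])
    if filename in PROBE_FILES:
        return "well-known probe file"
    if dirs & PROBE_DIRS and "%" in raw_path.split("?", 1)[0]:
        # Nothing legitimate needs to percent-encode plain letters in /cgi-bin.
        return "encoded path into a CGI directory"
    return None


def scan_log(lines):
    """Return (client, raw_path, canonical_path, reason, status) per suspicious line."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, _when, _method, raw_path, status, _size = m.groups()
        reason = classify_request(raw_path)
        if reason:
            findings.append((client, raw_path, canonical_path(raw_path), reason, int(status)))
    return findings


# Constructed sample log lines (Common Log Format).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2004:10:15:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [12/Oct/2004:10:15:03 -0400] "GET /cgi-%62in/ph%66 HTTP/1.0" 404 212',
    '10.0.0.9 - - [12/Oct/2004:10:15:03 -0400] "GET /iissamples/query.asp HTTP/1.0" 404 212',
    '10.0.0.9 - - [12/Oct/2004:10:15:04 -0400] "GET /cgi-bin/ph%2566 HTTP/1.0" 404 212',
    '10.0.0.9 - - [12/Oct/2004:10:15:05 -0400] "GET /cgi-%62in/nph-test.cgi HTTP/1.0" 404 212',
    '10.0.0.7 - - [12/Oct/2004:10:16:00 -0400] "GET /cgi-bin/search.cgi?q=foo HTTP/1.0" 200 2203',
]

if __name__ == "__main__":
    for client, raw, canon, reason, status in scan_log(SAMPLE_LOG):
        print(f"{client} {raw} -> {canon} [{status}] {reason}")
```

A burst of 404s from one client against these names is the scanner's signature; the same canonicalisation belongs in any IDS rule that is meant to catch the encoded form.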
Web Applications
Intrusion Area
• Internet applications: most programs have not been either developed or tested for the insecure, untrustworthy, anonymous network world
Typical Problems
• Server doesn't validate incoming data
- Code should validate any incoming parameter data (even if it's coming from another "safe" function!)
• Design assumes client won't change data
• 1-time authentication and authentication implies authorization
Methodology
• Moderately difficult: Change data on the client and send it back: e.g., cookie, URLs, environment variables, forms, IDs
- let's talk about this later in more detail...in the Web section
Practical Tips
• Understand and/or use tools designed to find these types of problems: e.g., WebSleuth
• Scan Web application logs for "unexpected" errors: e.g., references to odd locations in the file system, invalid data, special characters
Wireless Infrastructure
Intrusion Area
- 802.11b: wireless technology is often not installed by the IT/Security team, it's difficult to chart where the radiation pattern goes, and almost all access points come configured in their least secure setup
Typical Problems
• The access point is accessible from unwanted places
• Default configurations allow access to your internal network
Methodology
• Moderately easy: Install and use "WarDriving" programs and mapping software
Practical Tips
• Install and use "WarDriving" programs and mapping software: e.g., NetStumbler or MiniStumbler (free), Network Sniffer (more than $10K), AiroPeek (a few $K)
NetStumbler: Access Point Finder
Windows utility for "WarDriving" - that is, finding Access Points (AP)
- MiniStumbler available for handhelds
- MacStumbler available for Apple
Gives critical AP information including
- MAC address, SSID, network name, broadcast channel, vendor, WEP flag, GPS coordinates (if attached to the serial port), and all sort of other stuff...
Screenshot: MiniStumbler on a handheld, listing discovered APs by MAC, channel, SSID (mostly "WLAN" and "Wireless") and SNR; status bar reads "Ready 3 APs GPS Off"
NetStumbler (cont.)
60 seconds on one corner in a major city
Screenshot: NetStumbler window listing the APs found (columns MAC, SSID, Name, Chan, Vendor, Type, WEP); SSIDs include default, linksys, tmobile, WaveLAN Network, pokemon-usa, EP1/EP4/EP5, 12345 and 204582; vendors include Agere (Lucent) Orinoco/WaveLAN, Cisco (Aironet), Linksys and Delta Networks; most entries show no WEP
NetStumbler (cont.)
Screenshot: a longer NetStumbler run (columns MAC, SSID, Chan, Vendor, WEP); SSIDs include default, linksys and several "... Network" names; vendors include Agere-Lucent, Cisco-Aironet, 3Com, D-Link and unknown; WEP is a mix of Yes and No
NetStumbler (cont.)
Why is NetStumbler successful?
- Poor antenna selection
- Access point is in broadcast mode and responds to probe-request packets
Figure: Antenna Design Considerations - two 2-story buildings with different Access Point antenna setups
- Good antenna design: coverage area is appropriate
- Poor antenna design: coverage area is excessive (vertical leakage and horizontal leakage beyond the building)
WarDriving Update: WarChalking
WarChalking: making symbols (e.g., with chalk) on locations to indicate wireless 802.11 connectivity
- Coined by Matt Jones - www.warchalking.org (original chart on right)
- http://home.comcast.net/~jay.deboer/wardriving/
- http://www.wordspy.com/words/warchalking.asp
Chart: "let's warchalk!" key (blackbeltjones.com/warchalking) - symbols for OPEN NODE, CLOSED NODE and WEP NODE, annotated with ssid and bandwidth
WarChalking (cont.)
Photos: interesting chalkings - "Open" and "Open & WEP"
WarChalking (cont.)
Map: http://www.gpsvisualizer.com/ plot of a wardriving track, with each access point labelled by SSID (e.g., Wireless, TDC, default) and [channel/open] or [channel/WEP]
Modems
• Intrusion Area
- Modems: phone based services exist for many different types of devices and programs and are the least tested aspect of almost every company
• inventory all of your modems
• Typical Problems
- Bypass almost all other security mechanisms
- Phones are usually not part of intrusion detection, event management, SNMP, or audit services
- Phone based testing programs are incomplete and generate false positives and negatives
Modems (cont.)
• Very easy: insert phone list or range into program: when it finds a connection, most are fairly easy to just use (e.g., router, printer)
• Very hard: if you want fine grained accurate data, you have to monitor (baby-sit) the process and inject data, common sense, and expertise
- let's talk about this...false positives and negatives
Practical Tips
- Use war dialing software to survey your phone space: e.g., The Hacker's Choice (THC-Scan - free), Sandstorm PhoneSweep (many $K to tens of $K)
Intrusion Medicine
• Use host remote scanners regularly (e.g., nessus, Sara, Typhon, nmap)
• Reduce the variety of OS and application instances
• Take a look at the rootkits for your OS types
• Use CGI scanning tools against your web site regularly (e.g., nikto) and instrument yourself to detect it!
• Perform a wireless survey periodically
• Change your default SNMP community string and management passwords for your access points
• Run a wardialer against your phone numbers
What the Hacker KnOwZ...about intrusions
• Most problems result from a combination of exploiting several low(er) level vulnerabilities
• Monitoring a heterogeneous distributed network is HARD
- You should try and detect what you can't prevent
• Many individuals, groups, and sites are dedicated to making intrusions possible
• next... Discovery
Discovery - Port Scans
Direct
- TCP connect (strobe, SATAN-tcp_scan, netcat, nmap)
- UDP "connect" (SATAN-udp_scan, netcat, nmap)
- Service protocols (sscan, nessus, SARA, whisker, Nikto)
Indirect
- Tunneling
• Nmap FTP Bounce
• telnet through ICMP (sneakin.tgz on PacketStorm)
• LoopHole (very much like sneakin: ~$40)
- server runs at home, client at work
- goes through HTTP and offers encryption for IM, Web, email, FTP, and news
Stealth scans (note: what is "stealthy" changes with time)
- FIN or NULL
- fragmented packets
- TCP SYN (half open)
Discovery - strobe
strobe [-v(erbose)] [-V(erbose_stats)] [-m(inimise)] [-d(elete_dupes)] [-g(etpeername_disable)] [-q(uiet)] [-o output_file] [-b begin_port_n] [-s services_file] [-i hosts_input_file] [-l(inear)] [-f(ast)] [-a abort_port_n] [host1 [...host_n]]
Strobe Example
strobe 127.0.0.1
strobe 1.03 (c) 1995 Julian Assange ([email protected])
127.0.0.1  ftp      21/tcp
127.0.0.1  telnet   23/tcp
127.0.0.1  smtp     25/tcp mail
127.0.0.1  sunrpc   111/tcp rpcbind
127.0.0.1  lockd    4045/tcp
127.0.0.1  unknown  6000/tcp
SATAN
Released in April 1995 by Wietse Venema and Dan Farmer to much fanfare (many negative reactions)
- Seminal hacking paper "Improving the Security of Your Site by Breaking Into It"
• www.fish.com/security/admin-guide-to-cracking.html
Help administrators assess their network security
Modular design with (very) easy to use GUI
Find well known problems
• NFS file systems exported to arbitrary hosts
• NFS file systems exported to unprivileged programs
• NFS file systems exported via the portmapper
• NIS password file access from arbitrary hosts
• Old (i.e. before 8.6.10) sendmail versions
• REXD access from arbitrary hosts
• X server access control disabled
• arbitrary files accessible via TFTP
• remote shell access from arbitrary hosts
• writable anonymous FTP home directory
SATAN GUI (SAINT & SARA)
Screenshot: SATAN Control Panel (Security Administrator Tool for Analyzing Networks) in Internet Explorer, with entries for SATAN Data Management, Target selection, Reporting & Data Analysis, Configuration Management, Documentation and Troubleshooting, plus "Getting the Latest version of SATAN", "Couldn't you call it something other than SATAN?", "'Bout the SATAN image" and "'Bout the authors"
Discovery - SAINT
SAINT - available now (expensive!)
- Based on SATAN
• www.wwdsi.com/products/saint_engine.html
- SAINTwriter
- SAINTexpress
- WebSAINT
• Latest scanning features include
- Microsoft Virtual Machine's JDBC class exploits
- Microsoft RDP vulnerabilities
- IBM WebSphere buffer overflow
- HTTPd heap overflow
SAINT (cont.)
[Screenshot: SAINT report menus in Internet Explorer (demo at www.saintcorporation.com/demo/saint/). Reports: Vulnerabilities (by approximate danger level, by vulnerability count, by class of service, by system type, by Internet domain, by subnet, by host name), Host Information, Trust (trusted hosts, trusting hosts) and Exclusions (manage exclusions, list exclusions). A second Data Analysis window lists "Number of Hosts per Vulnerability Type": Internet Explorer vulnerabilities, Windows updates needed, Apache module vulnerabilities, cross site tracing, guessed account password, null sessions, OpenSSL vulnerabilities, packet flooding problems, Sendmail vulnerabilities, worm detected, Apache vulnerabilities, BizTalk Server vulnerability, cachefsd vulnerability, calendar manager, subprocess control daemon. Note on the page: hosts may appear in multiple categories.]
SAINT (cont.)
[Screenshot: SAINT vulnerability summary with counts of Critical Problems, Areas of Concern and Potential Problems, a "Tutorial: DNS vulnerabilities" link, "2 Vulnerable / 2 Total Host(s)", and hosts sortable by name, domain, system type, subnet or problem count (e.g. host3.domain.com). A second Data Analysis window shows General Host Information for one host: host type SunOS 5, subnet 172.16.1, scanning level heavy, last scan Mon Mar ... 16:26:34 2004, and its network services: DNS, FTP, Finger, R series, SAINT, SMTP, SNMP, Telnet and XDM ("X login") servers plus 19 other services ("show all services"), with a "Scan this host" action.]
SAINT (cont.)
[Screenshot: SAINT vulnerability detail for one host, each finding paired with its CVE/CAN reference: information from rusersd could help hacker; sunrpc services may be vulnerable (CVE-2002-0391 and a second CAN id that is illegible in the capture); buffer overflow in telnetd (CVE-2001-0554); information from rstatd could help hacker; rexec is enabled and could help attacker; possible vulnerability in login; possible format string vulnerability in tooltalk; tooltalk version may be vulnerable to buffer overflow. Other references shown: CAN-1999-0624, CAN-1999-0618, CVE-2001-0797, CVE-2001-0717, CVE-1999-0003, CVE-1999-0593, CVE-2002-0679.]
Discovery - SARA (SATAN and SAINT Derivative)
• Two versions (5.1.1a version out): generic SARA and SARA PRO
• Author of SAINT was on the original team
• Approved by SANS for checking top 20 problems
• http://www-arc.com/sara/
• Philosophy is to integrate with existing tools
  - Uses Nmap for OS identification (like SAINT)
  - Uses SAMBA for SMB analysis
• SARA PRO includes
  - Report writer
  - Monthly updates (much like virus detection programs)
Discovery - eEye Retina Network Security Scanner
• Accounts
• CGI Scripts
• CHAM
• Database
• DNS Services
• FTP Servers
• IP Services
• Mail Servers
• Miscellaneous
• NetBIOS
• Remote Access
• RPC Services
• Service Control
• SNMP Servers
• SSH Servers
• Web Servers
• Wireless
www.eeye.com/html/Products/Retina/
eEye Retina Network Security Scanner GUI
[Screenshot: Retina main window (www.eeye.com) with a Policies pane and a completed scan report: Report Start Date 11/2/1999 1:34:44 AM, Report End Date 11/2/1999 1:36:02 AM, 6,720 commands generated, 73 commands reported, listing probe requests such as GET /bin/pass/admins.exe HTTP/1.0, GET /data/pass/password.dat HTTP/1.0 and GET /dat/pass/users.exe HTTP/1.0. The Preferences dialog offers Smart Scan (perform protocol identification on found open ports), Force Scan (perform scan on hosts that do not respond to pings) and Brute Force (perform password and other brute force operations). The policy editor note reads: "Select a policy to edit from the drop down list. If you would like to create a new policy, select a policy to base the new one off of, then click on Add. Note: The selected policy will be used for scheduled scans."]
Discovery - Typhon III
• Web Spidering
• Cross-site Scripting
• SQL Injection
• SMTP
• FTP
• POP3
• SNMP
• RPC
• DNS
• Finger
• NetBIOS
• NT Audit, Registry & Service
• IE Browser
• RServices
• LDAP
• Oracle
• SSH
• Report features
  - Export to HTML, database, text, or RTF
• Runs on Windows NT/2000 & XP
Typhon III GUI
[Screenshot: Typhon III module selection for selected host 10.1.1.2. The Modules tab (beside Advanced and Ports tabs) has Check All / Uncheck All buttons and checkboxes for: Web Checks (with an SSL option), FTP Checks, NetBIOS Checks, NT Audit Settings, NT Registry Checks, NT Services Checks, IE Browser Checks, RPC Checks, RServices Checks, Finger Checks, MS SQL Checks, Oracle Checks, POP3 Checks (SSL), SMTP Checks (SSL), SSH Checks, DNS Checks, LDAP Checks, SNMP Checks, Protocol Checks, TCP Portscan and UDP Portscan, with OK / Cancel buttons.]
OraScan (same company that does Typhon III -- NGSSoftware)
• Assess Oracle Web front-end
[Screenshot: OraScan 1.1 ("All jobs finished - scan complete"). Results tree: Cross Site Scripting (forms), OraScan (Admin Paths, DADs, Default packages, Default Pages, Directory Traversal, scripts), Spider Results (apache_pb.gif, bc4j.html, bc4jdoc, demo, fastcgi, fcgi-bin, footer1.gif, header.gif, header1.gif, icons, jservdocs, jspdocs, main, manual, mod_ose.html, servlet, soapdocs, xsql), SQL Injection (forms, scripts). Detail pane for http://10.1.1.120:7778/pls/ : HTTP response code 302; the page linked to http://10.1.1.120:7778/pls/simpledad/ and was referenced from the PL/SQL gateway administration pages under /pls/admin_/ and /pls/simpledad/admin_/ (gateway.htm, dadentries.htm, adddad.htm with several DAD template parameters, globalsettings.htm).]
Discovery - Mscan
• Focused, application level scanner
• Next (2nd) generation scanner
• "Current" popular vulnerabilities
  - statd, IMAP/POP
  - IRIX lp accounts
  - BIND buffer overflow
  - cgi-bin programs: phf, handler, test-cgi
  - NFS exports
  - X server
Discovery - Sscan
• Mscan derivative
  - Another focused, more powerful application level scanner with a scripting language built-in
• Multi part probe
  - TCP ACK check - if any response, do the other checks
    . telnet, smtp, pop3, imap, www
  - vulnerability check
    . telnet, smtp, pop3, imap, www, sunrpc, X11, finger, domain, Back Orifice, lp
  - connection check
    . netbios, ftp, ssh, mSQL, tcpmux
  - OS check
    . telnet banner and "Queso" like check (5 packets vs. 7) - not as robust/successful as nsat or nmap, respectively
Discovery - FTP Bounce (Tunneling)
• Normal FTP operation (non-passive)
  - Client tells server host/port and server opens "data" connection back to client
  - client need not tell server to come back to itself
• Tell an anonymous ftp server to connect to machines inside its firewall: to map the inside network
• Hard to do something other than chain FTP's but still of concern
  - Can PUSH data to services/ports: e.g., SMTP, HTTP
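The server-side fix for the bounce is to refuse a PORT command whose data connection would not go back to the control connection's own peer, or would go to a privileged port. The following is an added example (not from the course and not any FTP daemon's code); the peer address 192.0.2.10 and the PORT lines are constructed sample input.

```python
"""Validate FTP PORT commands to refuse bounce (third-party) data connections.

Added example, not the course's or any FTP daemon's code. The rule enforced is
the usual anti-bounce policy: an active-mode data connection may only go back
to the host that owns the control connection, and only to a port >= 1024.
"""
import ipaddress
import re
from typing import Tuple

# RFC 959 active mode: "PORT h1,h2,h3,h4,p1,p2" -> host h1.h2.h3.h4, port p1*256+p2
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line: str) -> Tuple[str, int]:
    """Return (ip, port) from a PORT command line; raise ValueError if malformed."""
    match = _PORT_RE.match(line.strip())
    if match is None:
        raise ValueError("malformed PORT command")
    fields = [int(x) for x in match.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range (each h/p value must be 0-255)")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_port_command(line: str, control_peer_ip: str) -> Tuple[bool, str]:
    """Decide whether the server should honour this PORT command.

    control_peer_ip is the address the control connection actually came from.
    Returns (accepted, reason). Rejected: malformed lines, a target that is
    not the control peer (the bounce/tunnelling case), and privileged ports
    such as 25/tcp or 80/tcp, i.e. the SMTP/HTTP "push" targets.
    """
    try:
        target_ip, target_port = parse_port_command(line)
    except ValueError as exc:
        return False, str(exc)
    try:
        if ipaddress.ip_address(target_ip) != ipaddress.ip_address(control_peer_ip):
            return False, f"PORT target {target_ip} is not the control peer {control_peer_ip}"
    except ValueError as exc:
        return False, f"bad address: {exc}"
    if target_port < 1024:
        return False, f"PORT target port {target_port} is privileged (< 1024)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the control connection came from 192.0.2.10 (TEST-NET-1).
    peer = "192.0.2.10"
    for cmd in (
        "PORT 192,0,2,10,4,1",      # back to the client, port 1025: fine
        "PORT 10,44,10,12,0,80",    # bounce to an inside host on 80/tcp: refuse
        "PORT 192,0,2,10,0,25",     # own host but 25/tcp: refuse
        "PORT 192,0,2,10,4",        # malformed: refuse
    ):
        accepted, reason = check_port_command(cmd, peer)
        print(f"{cmd:<26} -> {'200 accept' if accepted else '500 reject'}: {reason}")
```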
FTP Bounce Example (cont.)
  telnet 128.0.254.217 80
  Connected to 128.0.254.217.
  Escape character is '^]'.
  PROPFIND / HTTP/1.1             <--
  Host:
  Content-Length: 0

  HTTP/1.1 207 Multi-Status
  Server: Microsoft-IIS/5.0
  Date: Tue, 20 January 2004 18:49:26 GMT
  Content-Type: text/xml
  Transfer-Encoding: chunked

  316
  <?xml version="1.0"?><a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/" xmlns:c="xml:" xmlns:a="DAV:"><a:response><a:href>http://10.44.10.12/</a:href>   <--
(the WebDAV response discloses the server's internal address, 10.44.10.12, which is the target of the bounce scan on the next slide)
FTP Bounce Example (cont.)
  strobe -b21 -e80 10.44.10.12
  Host Unreachable

  strobe -b21 -e80 128.0.254.217
  Port Number  Protocol  Service
  21           tcp       ftp
  80           tcp       http

  nmap -p 20-32 -b anonymous:foobar@128.0.254.217 10.44.10.12
  Attempting connection to ftp://anonymous:foobar@128.0.254.217:21
  Initiating TCP ftp bounce scan against 10.44.10.12
  Open ports on 10.44.10.12:
  Port Number  Protocol  Service
  21           tcp       ftp
  22           tcp       ssh
  23           tcp       telnet
Tunneling (cont.)
• Bypassing (packet) firewalls with "messed up" TCP/IP header settings
  - www.securityfocus.com/archive/1/296122/2002-10-19/2002-10-25/2
• For example, odd 3-way handshake sequence: set SYN AND FIN bits
  - Firewall looks at FIN bit and allows it in - to close a supposed connection
  - Host looks at SYN bit - to establish a connection
• Worked on following OS's
  - Linux (2.4.19 Kernel)
  - Solaris 5.8
  - FreeBSD 4.5
  - Windows NT 4.0
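The SYN+FIN trick only works against a filter that reasons about one bit at a time; a filter that judges the whole flag combination rejects it. The block below is an added example (not from the course and not any firewall's code): the segments are constructed in memory, and the "allowed inbound ports" policy is an assumption made for the demonstration.

```python
"""Classify TCP flag combinations the way a stateless packet filter should.

Added example; not the course's code or any firewall's. The slide's evasion
relies on a filter that passes anything with FIN set ("closing a connection")
while the host honours SYN ("opening one"). Checking the full combination of
flags, rather than one bit, closes that hole.
"""
import struct
from typing import Set, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = 0x3F  # the six classic flag bits (ECE/CWR ignored here)


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header for test input (seq/ack/window/checksum are dummies)."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset, flags, 8192, 0, 0)


def parse_tcp_header(segment: bytes) -> Tuple[int, int, int]:
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("TCP header truncated")
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    return src_port, dst_port, segment[13] & FLAG_MASK


def filter_verdict(segment: bytes, allowed_inbound_ports: Set[int]) -> Tuple[str, str]:
    """Inbound filtering decision: ("ACCEPT"|"DROP", reason).

    Policy (an assumption for this example): new connections only to
    allowed_inbound_ports; everything else must carry ACK, i.e. belong to a
    connection the inside host already accepted.
    """
    _, dst_port, flags = parse_tcp_header(segment)
    if flags & SYN and flags & FIN:
        return "DROP", "SYN and FIN set together: not a legal handshake segment"
    if flags == 0:
        return "DROP", "no flags set (null segment)"
    if flags & SYN and flags & RST:
        return "DROP", "SYN and RST set together"
    if flags & SYN and not flags & ACK:
        if dst_port in allowed_inbound_ports:
            return "ACCEPT", f"new connection to permitted port {dst_port}"
        return "DROP", f"new connection to port {dst_port} not permitted"
    if not flags & ACK:
        # A FIN (or PSH/URG) with no ACK cannot belong to an established connection,
        # so "let it through to close a connection" is never the right call.
        return "DROP", "non-SYN segment without ACK cannot belong to an established connection"
    return "ACCEPT", "segment of an established connection (ACK set)"


if __name__ == "__main__":
    allowed = {80}  # assumption: only the web server is reachable from outside
    samples = {
        "SYN+FIN to 23/tcp (the slide's evasion)": build_tcp_header(40000, 23, SYN | FIN),
        "FIN alone to 23/tcp": build_tcp_header(40000, 23, FIN),
        "SYN to 80/tcp": build_tcp_header(40000, 80, SYN),
        "SYN to 23/tcp": build_tcp_header(40000, 23, SYN),
        "ACK to 23/tcp": build_tcp_header(40000, 23, ACK),
    }
    for label, seg in samples.items():
        verdict, why = filter_verdict(seg, allowed)
        print(f"{label:<40} {verdict:<7} {why}")
```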
Discovery - Host and Network Management
• Network management
  - traceroute
    . latency, domains, dynamic/static routes
  - SNMP scans - management agents
• Host management
  - ICMP scans
    . reachability (not necessary but speeds discovery)
  - Remote OS Identification (fingerprinting)
    . Mscan
    . Nmap (note: SAINT & SARA use Nmap)
Discovery - traceroute
[Screenshot: two runs of a web-based traceroute (http://www.playground.net/cgi-bin/traceroute.cgi, viewed in Internet Explorer) toward a Yahoo web server. Recoverable hops (roughly hops 9-18): so-7-0-0.BR6.CHI2.ALTER.NET (152.63.71.94); topr1-so-6-0-0.ChicagoEquinix.cw.net (208.174.x.x); agr1-loopback.Chicago.cw.net (208.172.2.101); dcr2-so-6-0-0.Chicago.cw.net (208.175.10.177); dcr1-loopback / dcr2-loopback.Washington.cw.net (206.24.226.x); a Sterling1dc2.cw.net router (206.24.23x.x); csr03-ve240 / csr03-ve242.stng01.exodus.net (216.33.98.x); 216.35.210.122; and finally w9.dcx.yahoo.com (64.58.76.230) in the first run and w4.dcx.yahoo.com (64.58.76.225) in the second. The per-hop round-trip times shown are all roughly 20-45 ms.]
Discovery - SCOTTY
• Protocol engine
  - DNS, HTTP, ICMP, NTP, RPC, SNMP, Syslog, UDP
  - UDP {open, connect, send, receive, bind}
  - HTTP {proxy, head, get, put, post, delete}
  - SUNRPC {info, probe, stat, mount, exports, pcnfs}
• Discover
  - TCL subroutine packaged with the program
  - Usage: discover [-d delay] [-r retries] [-t timeout] [-w window] [-snmp] [-icmp] networks
    . ICMP: discover -icmp w.x.y
    . SNMP: discover -snmp w.x.y
  - Over 28.8 PPP dial-up line
    . 1 "Class C" address space (256 hosts) in 15 seconds
  - Over Ethernet LAN
    . 1 "Class B" address space (65,536 hosts) in 15 minutes
traceroute (cont.)
• What did we just learn from traceroute?
  - Latency times to plug into other time based (wait period) programs
  - Intermediate domains
  - IP addresses
    . small (Class C) or large (Class A or B) address space
  - If polled at various times and days of the week
    . static vs. dynamic routing (single point of failure?)
    . return times change dramatically (variable latency?)
    . IP class size changes (ISP load balancing?)
    . DNS names not available (hard coded IP addresses?)
Discovery - ICMP Scan
• Routers: icmpush
  - Use ICMP Type 10, Router Solicitation
  - Send to a system we think is a router, then check to see if an ICMP Type 9, Router Advertisement, packet was responded with

  # icmpush -vv -rts 10.10.1.16
  -> Outgoing interface = 10.10.1.1
  -> ICMP total size = 20 bytes
  -> Outgoing interface = 10.10.1.1
  -> MTU = 1500 bytes
  -> Total packet size (ICMP + IP) = 40 bytes
  ICMP Router Solicitation packet sent to 10.10.1.16 (10.10.1.16)

  Receiving ICMP replies...
  10.10.1.16 -> Router Advertisement (10.10.1.16)
  icmpush: Program finished OK
SCOTTY SNMP Usage
• discover -snmp 13.231.244

  13.231.244.32   IBM RISC System/6000  Machine Type: 0x0100  Processor id: 000001436700
                  The Base Operating System AIX version: 03.02.0000.0000
                  TCPIP Applications version: 03.02.0000.0000
  13.231.244.170  RISC System/6000 Architecture  Machine Type: 0x0400  Processor id: 000047467200
                  Base Operating System Runtime AIX version: 04.02.0000.0000
                  TCP/IP Client Support version: 04.02.0000.0000
  13.231.244.191  IBM RISC System/6000  Machine Type: 0x0400  Processor id: 000038687900
                  The Base Operating System AIX version: 03.02.0000.0000
                  TCPIP Applications version: 03.02.0000.0000
etherape (cont.)
[Screenshot: Etherape main window (File, Edit, View, Settings, Help; New / Open / Save) with a Protocols legend (DOMAIN, X WINDOWS, TCP_UNKNOWN, HTTP), a node counter and the live node graph. Visible nodes include root and top-level name servers (b.root-servers.net, E.ROOT-SERVERS.NET, 128.63.2.53, ns.eunet.es, ns1.arl.mil, ns3.dn.net, dns-02.ns.aol.com), whois.apnic.net, www2.valinux.com and ns2.valinux.com, www2.freshmeat.net and ads.freshmeat.net, images.sourceforge.net, AOL ICQ front ends (fes-d008 / fes-d028.icq.aol.com), time.nist.gov, mx.arc.nasa.gov, a NIPR.MIL host, tatooine.es / ns2.encomix.es and a few bare IP addresses.]
Discovery - ntop
• Network traffic probe
  - Embedded web server
  - intop for network shell on top of ntop engine
• What does it do?
  - Sort traffic by protocol
  - Display network statistics
  - Passively (i.e., without sending probe packets) identify OS type
  - Act as a collector for flow programs in routers (e.g., Cisco) or switches (e.g., Foundry Networks)
ntop (cont.)
[Screenshot: the ntop web interface (http://jabber:3000/, "© 1998-2002 by Luca Deri") in Mozilla, with tabs About, Data Rcvd, Data Sent, Stats, IP Traffic, IP Protos, Admin and a Statistics menu (Multicast, Traffic, Hosts, Network Load, Domain, Plugins). The global statistics page shows the interface type (Ethernet), local domain name, sampling start time, packet counts (total 1,180: unicast 51.6% / 609, broadcast 33.7% / 398, multicast 14.7% / 173), shortest / average / longest packet size (longest 1,514 bytes) and a size distribution (< 64 bytes 46.0% / 543, < 128 bytes 36.4% / 429, < 256 bytes 7.8% / 92).]
ntop (cont.)
[Screenshot: ntop WAP plug-in view, listing per-host traffic totals (e.g. 217.7 Kb, 146.3 Kb, 64.5 Kb, 93.0 Kb) for hosts such as demeter.]
Discovery - QueSO
• First tool to focus on OS identification
  - Type
    . Solaris, Linux, BSD, Windows, AIX, CISCO, Novell, etc.
  - Kernel version
  - About 100 current versions identified
• Old methods were brute-force
  - rpcinfo
  - SNMP
  - TELNET
  - sendmail version
  - Download binaries from the public-ftp (analyzing its format)
QueSO Objective
• Has been leap-frogged (crushed?) by Nmap
  - Nmap is more accurate
  - Has more OS fingerprints
• QueSO sends 7 TCP packets
  - 1st packet is legit...the other 6 are bogus
  - The fingerprint of all 7 combined identifies the OS
  - All packets have a random seq_num and a 0x0 ack_num.
Discovery - Nmap (v3.70)
• Scanning flexibility
  - Striving to be undetected
  - Striving to by-pass barriers
    . firewalls
    . intrusion detection
    . DMZs
• Account for network latencies and provide robust port and host designations
  - Dynamic delay time calculations
  - Retransmission for failed port requests
  - Flexible port and target host specification
Nmap Features
• Scanning types
  - TCP connect() (like most other scanners)
  - TCP SYN (half open)
  - TCP FIN (stealth)
  - TCP ftp proxy (bounce attack)
  - SYN/FIN using IP fragments
  - UDP recvfrom()
  - UDP raw ICMP port unreachable
  - ICMP (ping-sweep)
• OS recognition using TCP/IP fingerprinting
  - www.insecure.org/nmap/nmap-fingerprinting-article.html
Nmap Usage
  -t                   tcp connect() port scan
  -s                   tcp SYN stealth port scan (must be root)
  -u                   UDP port scan, will use MUCH better version if you are root
  -U                   Uriel Maimon (P49-15) style FIN stealth scan
  -l                   Do the lamer UDP scan even if root. Less accurate
  -P                   ping "scan". Find which hosts on specified network(s) are up
  -b <ftp_relay_host>  ftp "bounce attack" port scan
  -f                   use tiny fragmented packets for SYN or FIN scan
  -i                   Get identd (rfc 1413) info on listening TCP processes
  -p <range>
  -F                   fast scan. Only scans ports in /etc/services, a la strobe(1)
  -r                   randomize target port scanning order
  -S                   If you want to specify the source address of SYN or FYN scan
  -v                   Verbose. Its use is recommended. Use twice for greater effect
  -w <n>               delay, n microsecond delay. Not recommended unless needed
  -M <n>               maximum number of parallel sockets.
  -q                   quash argv to something benign, currently set to "%s"
  Optional '/mask' specifies subnet, cert.org/24 or 192.88.209.5/24 scan CERT's
Nmap GUI
[Screenshot: Nmap Front End v3.49 with target www.insecure.org, scan type "SYN Stealth Scan", scan extensions (RPC Scan, Identd Info, OS Detection, Version Probe) and scanned ports "Most Important [fast]". Output pane:]

  Starting nmap 3.49 ( http://www.insecure.org/nmap/ ) at 2003-12-19 14:28 PST
  Interesting ports on www.insecure.org (205.217.153.53):
  (The 1212 ports scanned but not shown below are in state: filtered)
  PORT     STATE   SERVICE  VERSION
  22/tcp   open    ssh      OpenSSH 3.1p1 (protocol 1.99)
  25/tcp   open    smtp     qmail smtpd
  53/tcp   open    domain   ISC Bind 9.2.1
  80/tcp   open    http     Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
  113/tcp  closed  auth
  Device type: general purpose
  Running: 2.4.X|2.5.X
  OS details: Kernel 2.4.0 - 2.5.20
  Uptime 212.119 days (since Wed May 21 12:38:26 2003)

  Nmap run completed -- 1 IP address (1 host up) scanned in 33.792 seconds

  Command: nmap -sS -sV -O -F -PI -T4 www.insecure.org
New Windows NMap
[Parody screenshot of an Office-assistant style dialog:]
"It looks like you are running a port scan. Would you like help launching a:
  o Connect Scan
  o Half-Open Scan (SYN)
  o ACK Scan
  o FIN Scan
  See more..."
"The target(s) you have selected include addresses registered to Microsoft corporation. This tool is built so that it cannot be used to scan Microsoft's own systems. However, Microsoft Nmap will automatically redirect your scan to one of Microsoft's adversaries. Which Microsoft enemy would you like to scan?
  o AOL
  o Assorted Open Source Site (Slashdot, linux.org, etc.)
  o US Department of Justice
  o State Attorney General Offices"
Nessus
• Robust security scanner
  - Plug-in architecture: each test is a unique plug-in
    . you can use their NASL scripting language to build them
  - Recognizes services on non-standard ports
  - Smart testing: only tests what it can/should
    . e.g., doesn't test for anonymous FTP if it doesn't exist
    . note: this is a problem area for many other scanners
• 3 step execution
  - configure nessusd
  - setup the client
  - view the results
• Versions 2.0.12 and 2.1.3 (beta) now available
  - server runs on POSIX UNIX* systems
  - clients on POSIX for UNIX*, Win32, and Java
Nessus Plug-in Families
Backdoors
CGI abuses
Denial of Service
Finger abuses
Firewalls
FTP
Gain a shell remotely
Gain root remotely
General
Miscellaneous
NIS
Port scanners
Remote file access
RPC
SMTP problems
SNMP
Useless services
Windows
Nessus Setup
• Client setup
  - Plug-ins
    . enable all, enable all but "dangerous", disable
  - Preferences
    . scanning technique (e.g., socket, SYN, FIN), include UDP or RPC, ping host, identify remote OS, get Identd info, etc.
  - Scan options
    . port range, maximum threads, do reverse DNS lookup
  - Target selection
    . target IP address (range), request a DNS zone transfer
Nessus Setup GUI
[Screenshot: the Nessus client with tabs Nessusd host, Plugins, Prefs., Scan options, Target selection, User, KB, Credits. The Plugin selection tab lists families (CGI abuses, FTP, Windows, Gain a shell remotely, Denial of Service, Backdoors, Windows: User management, Remote file access, SNMP, Default Unix Accounts, RPC) with buttons Enable all / Enable all but dangerous plugins / Disable all / Upload plugin..., an "Enable dependencies at runtime" option and a filter; individual plugins shown include Unchecked Buffer in XP Redirector (Q810577), DCE Services Enumeration, Unchecked Buffer in PPTP Implementation Could Enable DOS Attacks, The messenger service is running, Microsoft's SQL TCP/IP listener is running, SMB Registry: is the remote host a PDC/BDC, SMB Registry: value of SFCDisable, Unchecked Buffer in Decompression Functions (Q329048), WM_TIMER Message Handler Privilege Elevation (Q328310), Telnet Client NTLM Authentication Vulnerability, Opening Group Policy Files (Q318089). The Scan options tab shows port range 1-1500, "Consider unscanned ports as closed", 10 hosts tested at the same time, 10 checks performed at the same time, path to the CGIs /cgi-bin:/scripts, and options for a reverse lookup on the IP before testing it, Optimize the test, Safe checks, Designate hosts by their MAC address and Detached scan; port scanner choices: tcp connect() scan, Nmap, scan for LaBrea tarpitted hosts. Buttons: Start the scan, Load report, Quit.]
Nessus Report GUI
[Screenshot: a Nessus report tree for hosts in 10.163.156.x (e.g. 10.163.156.9, 10.163.156.10, 10.163.156.205) with a finding on netbios-ssn (139/tcp): the host could be used to enumerate the names of the local users and the account and group identifiers (Administrator, Guest, Administrators, DHCP Users, DHCP Administrators, WINS Users), which gives extra knowledge to an attacker; Risk factor: Medium; Solution: filter incoming connections to this port; the CVE reference is illegible in the capture.]
Nikto: Web Server Scanner
• Has outdistanced (crushed?) whisker
• Not stealthy by design
  - However does support LibWhisker's anti-IDS methods
• Snapshot of some features (v 1.34) includes:
  - Uses rfp's LibWhisker as a base for all network functionality
  - Main scan database in CSV format for easy updates
  - Determines "OK" vs "NOT FOUND" responses for each server, if possible
  - Determines CGI directories for each server, if possible
  - SSL Support
  - Output to file in plain text, HTML or CSV
  - Checks for outdated server software
  - Proxy support (with authentication)
  - Host authentication (Basic)
  - Watches for "bogus" OK responses
  - Attempts to perform educated guesses for Authentication realms
  - Captures/prints any Cookies received
  - Scan multiple ports on a target to find web servers (can integrate nmap for speed, if available)
  - Multiple IDS evasion techniques
  - Supports automatic code/check updates (with web access)
Nikto (cont.)
- Nikto v1.32/1.23
+ Target IP:       x.y.86.31
+ Target Hostname: www.xy.org
+ Target Port:     443
+ SSL Info:        Ciphers: RC4-MD5
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Microsoft-IIS/5.0
- Retrieved X-Powered-By header: ASP.NET
+ IIS may reveal its internal IP in the Content-Location header. The value is "https://10.0.10.31/site is down.htm". http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0649.
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
+ Microsoft-IIS/5.0 is outdated if server is Win2000 (4.0 is current for NT 4)
+ / - TRACE option appears to allow XSS or credential theft. See www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ /readme.txt - Default file found. (GET)
+ /scripts - Redirects to https://www.xy.org/scripts/, Remote scripts directory is browsable.
+ /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:%5c - May be able to issue arbitrary commands to host. (GET)
+ /localstart.asp - Needs Auth: (realm "www.xy.org")
+ /localstart.asp - This may be interesting... (GET)
+ 2645 items checked - 6 item(s) found on remote host(s)
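The TRACE, Content-Location and banner items in the scan above are plain header checks. The Python below is an added example (not Nikto's code) that runs the same checks over a constructed HTTP response so the logic can be read and tested offline; the response text, the host name and the 10.0.10.31 address are made up to mirror the scan output, and the trace_probe helper only builds the raw request you would send to confirm the TRACE finding by hand.

```python
"""Nikto-style header checks over a constructed IIS 5.0 response (added example)."""
import ipaddress
import re

# Constructed sample: an OPTIONS reply that allows TRACE and leaks an RFC 1918
# address in Content-Location, like the CAN-2000-0649 item in the scan above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD\r\n"
    "Content-Location: https://10.0.10.31/site is down.htm\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-case name: value}).
    Only the first value of a repeated header is kept, which is enough here."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers


def is_private_ip(host):
    """True for RFC 1918 / loopback / link-local literals, False for names."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def analyze_response(raw):
    """Return the list of findings Nikto would print for these headers."""
    _status, h = parse_headers(raw)
    findings = []
    allowed = [m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()]
    if "TRACE" in allowed:
        findings.append("TRACE enabled: cross-site tracing can expose cookies/credentials; disable it")
    m = re.match(r"https?://([^/:]+)", h.get("content-location", ""))
    if m and is_private_ip(m.group(1)):
        findings.append("internal IP %s leaked in Content-Location" % m.group(1))
    if h.get("server", "").startswith("Microsoft-IIS/5.0"):
        findings.append("IIS 5.0 banner: Windows 2000 era server, check patch level")
    if "x-powered-by" in h:
        findings.append("X-Powered-By reveals framework: %s" % h["x-powered-by"])
    return findings


def trace_probe(host, path="/"):
    """Raw TRACE request; a vulnerable server echoes it (headers included) in the body."""
    return "TRACE %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)


if __name__ == "__main__":
    for finding in analyze_response(SAMPLE_RESPONSE):
        print("+", finding)
```

Point a real run at the OPTIONS response of the target (the Allow header is what Nikto's "Allowed HTTP Methods" line reports) and at any redirect, since Content-Location leaks show up on redirects to directories.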
Nikto (cont.)
Cool Stuff!
(screenshot of Nikto output; not recoverable from the extracted page)
Secure Web Tools - cURL
Command line URL grabber... and much more! Transfers files with URL syntax (v7.12.1)
- HTTP and HTTPS (uses SSLeay or OpenSSL)
- PUT and POST (including FORMS!)
- HTTPS certificates
- FTP, including upload
- Gopher, TELNET, DICT, LDAP
- Miscellaneous support: passwords, port numbers, proxies
Secure Web Tools cURL (cont.)
--help [note: edited output]
Options: (H) means HTTP only, (F) means FTP only
  --cookie <string>                Pass the string as cookie (H)
  --continue                       Resume a previous transfer where we left it (F)
  -d/--data <data>                 POST data (H)
  -e/--referer <URL>               Referer page (H)
  -E/--cert <cert:passwd>          Specifies certificate file and password (HTTPS)
  -F/--form <name=content>         Specify HTTP POST data (H)
  -I/--head                        Fetch the HTTP header only (HEAD) (H)
  -l/--list-only                   List only names of an FTP directory (F)
  -m/--max-time <seconds>          Maximum time allowed for the transfer
  -o/--output <file>               Write output to <file> instead of stdout
  -p/--port <port>                 Use port other than default for current protocol
  -P/--ftpport <address>           Use PORT with address instead of PASV when ftping (F)
  -Q/--quote <cmd>                 Send QUOTE command to FTP before file transfer (F)
  -r/--range <range>               Retrieve a byte range from a HTTP/1.1 server (H)
  -u/--user <user:password>        Specify user and password to use
  -U/--proxy-user <user:password>  Specify proxy authentication
Secure Web Tools cURL (cont.)
A few examples
- curl -o thatpage.html http://www.netscape.com/
- curl -d "name=Rafael%20Sagula&phone=3320780" http://www.where.com/guest.cgi
- curl ftp://name:passwd@machine.domain:port/full/path/to/file
- http://curl.haxx.se/docs/readme.curl.html for the manual
URL
- http://curl.haxx.se
- "a client that groks URLs"
Comparison to snarf, wget, greed, pavuk, fget, and fetch
- http://curl.haxx.se/docs/comparison-table.html
Secure Web Tools cURL (cont.)
(screenshot: http://curl.haxx.se/docs/comparison-table.html, "Compare cURL Features with Other FTP+HTTP Tools"; this comparison only involves entirely free and open source software)
Tools compared: curl, snarf, wget, pavuk, fget, fetch
Features compared: FTP Resume, HTTP Resume, Follow HTTP Redirects, Multiple URLs, HTTP Proxy, FTP Active Mode, SOCKS, Username/Password, HTTP POST, HTTP Persistent Connections, Cookie Support, Tiny Executable, IPv6 Support, HTTP 1.1, .netrc Support, HTTPS, HTTP Digest Auth, Recursive Download, FTP SSL
(the yes/no cells of the table are not recoverable from the extracted page)
Secure Web Tools: dsniff
dsniff 2.3: among many other things, exploits flaws in both SSL and SSH
- arpspoof: hijack an IP address (ARP cache poisoning on the local segment)
- dnsspoof: forge DNS replies
- tcpkill: block TCP by forcing the connection to close
- filesnarf: NFS sniffer
- mailsnarf: SMTP sniffer
- msgsnarf: IM sniffer
- urlsnarf: Web sniffer
- sshmitm: SSH protocol 1 attack. "fix": only use protocol 2
- webmitm: SSL attack (relies on the user clicking through the forged server certificate). "fix": client-side certs
www.monkey.org/~dugsong/dsniff/faq.html
Top 75 "Security" (testing) Tools
www.insecure.org/tools.html
- vulnerability assessment: nessus, nmap, SAINT
- IDS: snort
- network sniffer/monitor: ethereal, tcpdump, ettercap (for switched networks), kismet and NetStumbler (for wireless)
- CGI scanner: whisker, Nikto
- password cracker: John the Ripper, L0phtCrack
- all purpose: netcat, Sam Spade
Tools Medicine
At a minimum, get common public domain tools and run them against your site resources
- nessus or SAINT or SARA
- nmap
- nikto (said it before, but saying it again!)
Think about specialty tools too
- database (e.g., orascan)
- traffic sniffers (e.g., dsniff: mailsnarf)
Think about simple, brute-force, coarse level scripts
- Web server logs
- Web application logs
- SNMP logs
- Detect what you can't prevent or what is in the "top 10" list
What the Hacker KnOwZ...about discovery
Well...
If 40+ slides on discovery tools that reveal a wealth of information about your site hasn't already generated a lot of concern and a large "To Do" or "To Check-out" list...
NOTHING WILL!
next... Protocols
Where are We?
Profiling
- Methodology
- Example Profile #1
- Example Profile #2
Discovery and Profiling Tools
- typhon, nessus, dsniff, Nikto, and lots more!
Intrusions
- Awareness/Statistics
- Examples
- Common Areas
Protocols
- DNS, SNMP
- Handheld (PocketPC)
- Web Infrastructure
DNS (Domain Name Service) Functionality
- Names instead of addresses
- Hierarchical and distributed for scaling
- Standard record types
  - A - addresses
    www.systemexperts.com: 207.155.248.12, 207.155.252.14, 207.155.252.72, 207.155.252.12
  - CNAME - canonical name
  - HINFO - host information
  - MX - mail exchanger
  - NS - name server
  - PTR - reverse pointer resolution: 12.248.155.207.in-addr.arpa
  - SOA - start of authority
  - TXT - text
  - WKS - well-known services
DNS (An Unbelievable Demonstration of Scale)
(screenshot: Internet Systems Consortium, www.isc.org, "Internet Domain Survey Host Count": bar chart from Jan 98 to Jan 03 on a 0 to 250,000,000 host axis, with links to RFC 1296: Internet Growth (1981-1991), how the old survey worked, and data files from old surveys through July 1997)
Source: Internet Software Consortium (www.isc.org)
DNS Exposures
One (ish) common complex implementation
- BIND (Berkeley Internet Name Domain)
- Used as the basis for authentication (i.e., name-based TRUST) in FTP, NFS, mail, TELNET, WWW, browser CERT validation, etc.
- Ok, maybe it's two: BIND and Microsoft's BiNd
- Ok, it's really three: pre-v9 BIND, v9+ BIND, and Microsoft's BiNd
Can offer too much information
- Hosts behind firewalls/internal addressing, outside (ISP) services, mail servers, alternate name servers, OS types
Spoofing
- Poison a DNS server and redirect: without breaking in
- Get the target to ask you a question and return bogus, unrelated info in the "additional" records: older BIND versions cache it without checking that it belongs to the zone they asked about
DNS Tools
dig, nslookup, host
Special and OS-specific tools: www.dns.net/dnsrd/tools.html
- Checker, DDT, dnswalk, NSLint, Sleuth, ZoneCheck
- debug cached data - DDT: ftp://ftp.is.co.za/networking/ip/dns/ddt/
- find inconsistencies in DNS files - NSLint: ftp://ftp.is.co.za/networking/ip/dns/nslint/
Seminal sites
- www.isc.org/bind.html
- www.dns.net/dnsrd/
DNS Tools: DIG NS Records
dig ns usenix.org
; <<>> DiG 2.1 <<>> ns usenix.org
;; QUESTIONS:
;;      usenix.org, type = NS, class = IN
;; ANSWERS:
usenix.org.     164133  NS      NS.UU.NET.
usenix.org.     164133  NS      XINET.COM.
usenix.org.     164133  NS      UUCP-GW-1.PA.DEC.COM.
usenix.org.     164133  NS      UUCP-GW-2.PA.DEC.COM.
usenix.org.     164133  NS      auth00.NS.UU.NET.
usenix.org.     164133  NS      usenix.org.
;; ADDITIONAL RECORDS:
NS.UU.NET.      172772  A       137.39.1.3
DNS Zone Transfer
Zone transfer of usenix.org from 131.106.3.1...
Query for usenix.org type=252 class=1
usenix.org SOA (Zone of Authority) Primary NS: usenix.ORG Responsible person: jrl@usenix.org
  serial: 199905114
  refresh: 432000s (5 days)
  retry: 3600s (60 minutes)
  expire: 864000s (10 days)
  minimum-ttl: 172800s (2 days)
usenix.org NS (Nameserver) uucp-gw-1.pa.dec.com
usenix.org HINFO (Host Info) Cpu: Sun Sparc 10 Os: SunOS
usenix.org MX (Mail Exchanger) Priority: 10 mail.usenix.ORG
usenix.org MX (Mail Exchanger) Priority: 100 relay1.UU.NET
usenix.org A (Address) 131.106.3.1
What did we learn?
- Name time-outs/refresh, an outside name server, SunOS OS type, primary and secondary mail server, and a (potential) valid username (let's take a look at that email first)
DNS Zone Transfer (cont.)
(screenshot: www.phaster.com/find_info_net_traffic.html, a web front end offering Domain Lookup, eMail Dossier and Finger utilities: look up which country a top-level domain belongs to, validate and investigate an email address, and finger USER@HOSTNAME for information about that account)
www.phaster.com/find_info_net_traffic.html
DNS Zone Transfer (cont.)
(screenshot: centralops.net Email Dossier, http://centralops.net/co/EmailDossier.vbs.asp)
Validation results
  confidence rating: 3 - SMTP. The email address passed this level of validation without an error. However, it is not guaranteed to be a good address.
  canonical address: <jrl@usenix.org>
MX records
  preference  exchange            IP address (if included)
  10          voyager.usenix.org  [131.106.3.1]
SMTP session
  (banner and HELO lines are illegible in the extracted page; the server answered "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery" and then accepted the recipient)
DNS Zone Transfer (cont.)
(screenshot: www.hexillion.com, HexValidEmail guide, "Interpreting HexValidEmail results")
HexValidEmail is a multi-level, server-side, bad-address filter. When an email address passes this filter, however, it isn't necessarily a good address. The following table summarizes what the confidence rating does and does not tell you.
Confidence rating (highest successful validation level); each level includes the checks of the levels below it:
  0 Bad       Address is definitely bad for the reason specified by the Error property
  1 Syntax    Syntax is OK
  2 DNS       ...and the domain exists
  3 SMTP      ...and the domain has a working mail server, and the mail server did not reject the address
  Callback    ...and the local part (username) is valid
  A, B *      ...and the address reaches the recipient you intend and thus is definitely good
* A and B: not supplied by HexValidEmail. These are optional tests that require actually sending email and are something you would need to custom-develop for your own system.
DNS Zone Transfer (cont.)
What else did we learn?
- Refresh: how often the secondary server should check that its data is up-to-date
- Retry: if the secondary server can't reach the master site, retry at this interval
- Expire: if the secondary fails to contact the master site for this amount of time, expire the zone data (i.e., STOP ANSWERING REQUESTS for that zone)
- Minimum: how long data can live in a cache (note: since RFC 2308 this field is the negative-caching TTL, i.e., how long a "no such name" answer is cached; the default TTL for records comes from the zone's $TTL)
- Note: when you see "non-authoritative" in an nslookup answer, it means the data was fetched from a cache (it doesn't mean the results are questionable!)
DNS Zone Transfer (cont.)
spock.usenix.org A (Address) 131.106.3.24
quark.usenix.org A (Address) 131.106.3.16
offquadra.usenix.org A (Address) 131.106.3.19
picard.usenix.org A (Address) 131.106.3.103
khan.usenix.org A (Address) 131.106.3.106
borg.usenix.org A (Address) 131.106.3.104
guinan.usenix.org A (Address) 131.106.3.17
What did we learn?
- "Special/fun" names tend to be administrative hosts
- Ask yourself: what are the names of the hosts for your admin folk?
DNS Zone Transfer (cont.)
conference.usenix.org NS (Nameserver) cs.colorado.edu
usenix-fw.usenix.org A (Address) 131.106.1.253
mail.usenix.org CNAME (Canonical Name) usenix.ORG
usenix-gw.usenix.org A (Address) 131.106.1.254
db.usenix.org A (Address) 131.106.3.253
mtgusenix.usenix.org HINFO (Host Info) Cpu: Sun 3/80 Os: ?
mtgusenix.usenix.org A (Address) 198.4.88.2
fw.usenix.org CNAME (Canonical Name) usenix-fw.usenix.org
gw.usenix.org A (Address) 131.106.3.254
www.usenix.org CNAME (Canonical Name) db.usenix.ORG
ftp.usenix.org CNAME (Canonical Name) db.usenix.org
What did we learn?
- Another outside name server, hosts that are probably firewall and gateway systems (usually VERY helpful), also systems that are likely database and FTP servers
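Everything the "What did we learn?" bullets pull out of the zone-transfer listings on the last few slides can be extracted mechanically. The Python below is an added example (not from the deck or any tool it cites): it parses records in the listing format printed on these slides and sorts them into the intruder's profile: the SOA contact (a candidate username) and timers, outside name servers, mail relays in priority order, HINFO OS types, infrastructure hosts recognised by role words in their names, everything else (the "fun-named" admin hosts), and hosts whose addresses fall off the main subnet. ZONE_DUMP is constructed from the records on the slides; the role-word list is an assumption of the example.

```python
"""Profile a zone dump in the slide listing format (added example)."""
import re
from collections import defaultdict

# Constructed from the usenix.org records printed on the zone-transfer slides.
ZONE_DUMP = """\
usenix.org SOA (Zone of Authority) Primary NS: usenix.ORG Responsible person: jrl@usenix.org
refresh: 432000s (5 days) retry: 3600s (60 minutes) expire: 864000s (10 days) minimum-ttl: 172800s (2 days)
usenix.org NS (Nameserver) uucp-gw-1.pa.dec.com
usenix.org HINFO (Host Info) Cpu: Sun Sparc 10 Os: SunOS
usenix.org MX (Mail Exchanger) Priority: 100 relay1.UU.NET
usenix.org MX (Mail Exchanger) Priority: 10 mail.usenix.ORG
usenix.org A (Address) 131.106.3.1
spock.usenix.org A (Address) 131.106.3.24
quark.usenix.org A (Address) 131.106.3.16
picard.usenix.org A (Address) 131.106.3.103
conference.usenix.org NS (Nameserver) cs.colorado.edu
usenix-fw.usenix.org A (Address) 131.106.1.253
mail.usenix.org CNAME (Canonical Name) usenix.ORG
usenix-gw.usenix.org A (Address) 131.106.1.254
db.usenix.org A (Address) 131.106.3.253
mtgusenix.usenix.org HINFO (Host Info) Cpu: Sun 3/80 Os: ?
mtgusenix.usenix.org A (Address) 198.4.88.2
gw.usenix.org A (Address) 131.106.3.254
www.usenix.org CNAME (Canonical Name) db.usenix.ORG
ftp.usenix.org CNAME (Canonical Name) db.usenix.org
"""

RECORD = re.compile(r"^(\S+)\s+([A-Z]+)\s+\([^)]*\)\s*(.*)$")   # '<owner> <TYPE> (<desc>) <data>'
TIMER = re.compile(r"(refresh|retry|expire|minimum-ttl):\s*(\d+)s")
# Assumed role words: a host name containing one of these is infrastructure, not a person's box.
ROLE_HINTS = {"fw", "gw", "db", "www", "ftp", "mail", "relay", "ns", "dns", "router"}


def parse_zone(text):
    """Return ([(owner, type, data)], {timer name: seconds})."""
    records, timers = [], {}
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append((m.group(1).lower(), m.group(2), m.group(3).strip()))
        else:
            for key, secs in TIMER.findall(line):
                timers[key] = int(secs)
    return records, timers


def short_name(owner, zone):
    """Strip the zone suffix; the zone apex itself becomes '@'."""
    if owner == zone:
        return "@"
    return owner[:-len(zone) - 1] if owner.endswith("." + zone) else owner


def profile_zone(text, zone):
    """Turn raw records into the 'what did we learn' list as a dict of lists."""
    records, timers = parse_zone(text)
    prof = defaultdict(list)
    prof["soa_timers"] = timers
    for owner, rtype, data in records:
        if rtype == "SOA":
            m = re.search(r"Responsible person:\s*(\S+)", data)
            if m:
                prof["contact"] = m.group(1)
                prof["candidate_usernames"].append(m.group(1).split("@")[0])
        elif rtype == "NS":
            prof["inside_ns" if data.lower().endswith(zone) else "outside_ns"].append(data)
        elif rtype == "MX":
            m = re.search(r"Priority:\s*(\d+)\s+(\S+)", data)
            prof["mail"].append((int(m.group(1)), m.group(2)))
        elif rtype == "HINFO":
            prof["os_types"].append((short_name(owner, zone), data))
        elif rtype == "A":
            short = short_name(owner, zone)
            is_role = short == "@" or bool(ROLE_HINTS & set(short.split("-")))
            prof["infrastructure" if is_role else "other_hosts"].append((short, data))
        elif rtype == "CNAME":
            prof["aliases"].append((short_name(owner, zone), data))
    prof["mail"].sort()                      # lowest preference = primary relay
    hosts = prof["infrastructure"] + prof["other_hosts"]
    nets = defaultdict(int)
    for _, ip in hosts:
        nets[ip.rsplit(".", 1)[0]] += 1
    main = max(nets, key=nets.get)           # busiest /24 is "the" site network
    # Anything elsewhere is a firewall leg, DMZ, or a hosted/ISP service worth a look.
    prof["off_main_net"] = [(h, ip) for h, ip in hosts if not ip.startswith(main + ".")]
    return dict(prof)


if __name__ == "__main__":
    for key, value in profile_zone(ZONE_DUMP, "usenix.org").items():
        print(key, value)
```

Feed it the listing a tool such as Sam Spade or host -l prints, after converting to the one-record-per-line form above, and the output is the checklist the slides build by hand.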
DNS Poisoning
Jizz: www.packetstormsecurity.org/spoof/unix-spoof-code/ [PacketStorm]
- A small DNS server
- When queried, responds with bogus info in additional records
  - We have modified it to support general purpose replies (not the hard-coded one that comes with the program)
- Need to get the victim DNS server to ask your Jizz server a question
Running Jizz
- Run Jizz on your system
- Register yourself as an authoritative DNS server for some (made up) domain
- Query the target DNS server (the one you want to poison) for a name that only your DNS server (Jizz) would know the answer to
  - dig @target xxx.foobar.com
  - or send email through the target to an address in that domain (remember the email name from the zone transfer?), so its mailer has to resolve the domain for you
- Jizz responds with an answer to the original host query AND bogus additional records
Jizz Diagram
(diagram: client -> target.com DNS server -> foobar.com DNS server, which is Jizz)
1. The client sends a DNS request for host1.foobar.com to the target DNS server (server=target.com), a name the target can't resolve itself
2. The target DNS server sends the request on to the DNS server (Jizz) that CAN resolve the name (foobar.com)
3. The Jizz server returns name/address information AND "additional information" as well: like a new address for microsoft or yahoo or WHATEVER!
Jizz Process Flow
1. Jizz is authoritative for host1.foobar.com and carries the poison data: www.bradcj.gov IN A 5.6.7.8
2. Packet from target, port 53: query for host1.foobar.com.
3. The DNS poison server's reply exploits the BIND cache vulnerability
4. What the querying client sees:
   dig @target host1.foobar.com
   ; <<>> DiG 2.1 <<>> @target host1.foobar.com
   ;; QUESTIONS:
   ;;      host1.foobar.com, type = A, class = IN
   ;; ANSWERS:
   host1.foobar.com.     600     A       127.0.0.1
   ;; ADDITIONAL RECORDS:
   www.bradcj.gov.       600     A       5.6.7.8
DNS Poisoning Methods
(diagram of the data paths into a name server, each of them a place to inject bogus data)
1. Resolver queries to the primary master / a caching server
2. Dynamic updates from network/remote admin to the primary master
3. Zone transfers from the primary master to the secondary masters
4. Zone files edited by the sysadmin
5. Remote caching server replies to resolvers
TSIG can authenticate the server-server paths (transfers, updates) and the server-client paths (queries)
DNS Poisoning Methods (cont.)
jizz is a demonstration program that exploits a weakness in "earlier" versions of BIND; it is an EXAMPLE of DNS poisoning, there are MANY ways to achieve the same result
- Force data into a DNS server cache (e.g., jizz)
- Reply to a client's DNS request before the real server does
  - Birthday attack on the 16-bit DNS transaction ID (guess the ID, win the race)
  - dsniff: dnsspoof (on a LAN, sniff the query and answer it first)
- Force data into the client OS resolver cache
- Force data into the client OS hosts file (the static name definitions the resolver checks first)
- Force data into the client browser's name cache
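The Jizz exchange and the "force data into a DNS server cache" bullet come down to one property of the reply: the additional section carries records for a name the server was never asked about. The Python below is an added example (not Jizz's code) that builds such a reply in RFC 1035 wire format and then caches it two ways: credulously, as the older BIND releases did, and with the bailiwick check that current resolvers apply, which keeps only records under the zone the answering server is authoritative for. The names, addresses and 600-second TTL are the ones on the process-flow slide; the transaction ID is arbitrary. The builder writes uncompressed names, but the parser also follows compression pointers so it works on real replies.

```python
"""Forged DNS reply with an out-of-bailiwick additional record, and the check that rejects it."""
import struct


def encode_name(name):
    """'a.b.c' -> b'\\x01a\\x01b\\x01c\\x00' (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def a_record(name, ip, ttl=600):
    """Resource record: NAME, TYPE=A(1), CLASS=IN(1), TTL, RDLENGTH=4, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))


def forged_reply(txid, qname, answers, additional):
    """Answer the real question and smuggle unrelated records into the additional
    section, exactly what a pre-bailiwick BIND would cache (the Jizz trick)."""
    flags = 0x8400                                   # QR=1 (response), AA=1 (authoritative)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b"".join(a_record(n, ip) for n, ip in answers + additional)
    return header + question + rrs


def read_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                         # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if jumped else off)


def parse_reply(pkt):
    """Return (txid, [question names], {'answer'|'authority'|'additional': [(name, type, ttl, rdata)]})."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        questions.append(name)
        off += 4                                     # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(pkt, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            rdata = pkt[off:off + rdlen]
            off += rdlen
            if rtype == 1 and rdlen == 4:
                rdata = ".".join(str(b) for b in rdata)
            sections[sec].append((name, rtype, ttl, rdata))
    return txid, questions, sections


def in_bailiwick(name, zone):
    """True if name is the zone apex or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def cache_reply(pkt, zone, check_bailiwick=True):
    """Cache every RR in the reply; with the check on, RRs for names outside the
    zone the server is authoritative for are refused. Returns (accepted, rejected)."""
    _, _, sections = parse_reply(pkt)
    accepted, rejected = {}, {}
    for rrs in sections.values():
        for name, _rtype, _ttl, rdata in rrs:
            ok = (not check_bailiwick) or in_bailiwick(name, zone)
            (accepted if ok else rejected)[name] = rdata
    return accepted, rejected


if __name__ == "__main__":
    pkt = forged_reply(0x1234, "host1.foobar.com",
                       [("host1.foobar.com", "127.0.0.1")],
                       [("www.bradcj.gov", "5.6.7.8")])
    print("old BIND caches:", cache_reply(pkt, "foobar.com", check_bailiwick=False)[0])
    print("bailiwick check:", cache_reply(pkt, "foobar.com"))
```

The same check is why the later "answer before the real server does" attacks switched to forging records inside the victim zone: the bailiwick rule stops Jizz-style smuggling, but not a guessed transaction ID.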
DNS Medicine
Run as "current" a BIND version as you can
- Upgrade to at least 8.4, or better yet...
- Upgrade to version 9
  - DNS Security
    - DNSSEC (signed zones)
    - TSIG (signed DNS requests)
  - IP version 6
    - Answers DNS queries on IPv6 sockets
    - IPv6 resource records (A6, DNAME; note that A6 was later moved to experimental status and AAAA is what is actually deployed)
  - Rewritten code base: smaller, less complex, attention to coding practices (e.g., buffer overflow problems)
- Push your ISP to run current BIND if they handle your DNS
  - how many ISPs do you have?
- Disallow, control, or wrap DNS queries
  - Many sites use external/internal (split) DNS servers
Sidebar: the US Cyber Security Strategy council admits that DNS Security is an underpinning of the architecture and yet is too complex and expensive for many ISPs and companies to deploy: assignment, management, and processing of keys, signatures, and certificates and operator support is just too much.
DN Medicine (cont.)
Foiling DNS attacks - Jay Beale: www.bastille-linux.org/jay/defending-dns.html
Configuration decisions
- Define appropriate allow-transfer and allow-query values
- chroot the server
- HINFO and TXT record decision: remove them from the zone data file or use split DNS
- Header decision: obscure or change the version string, to make it hard for script kiddies
Other DNS help
- www.acmebw.com/resources/papers/securing.pdf
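As a concrete form of the configuration decisions above, here is an added example (not from Jay Beale's paper or from the deck) of a BIND 8/9 named.conf fragment: the first block is the wide-open default many sites run, the second applies the allow-transfer, allow-query/recursion and version decisions. The addresses, ACL names and zone are placeholders for illustration; chroot is done on the command line (named -t /var/named -u named), not in the file.

```conf
// Weak: anyone on the Internet can pull the whole zone (AXFR), use the
// server for recursion, and read the exact version from the CHAOS class.
options {
    directory "/var/named";
};
zone "example.com" {
    type master;
    file "example.com.zone";
};

// Hardened: transfers only to the listed secondaries, recursion only for
// inside clients, authoritative answers for anyone, version string replaced.
acl secondaries { 192.0.2.2; 192.0.2.3; };
acl inside { 10.0.0.0/8; 127.0.0.1; };
options {
    directory "/var/named";
    version "not disclosed";
    allow-transfer { secondaries; };     // global default, zones may override
    allow-recursion { inside; };
    allow-query { any; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };
};
```

Check it from outside with dig @server example.com axfr (expect "Transfer failed") and dig @server version.bind chaos txt (expect the replacement string); a split setup gives the inside view of the zone only to the internal server.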
What the Hacker KnOwZ...about DNS
DNS exploits are a HUGE opportunity
- DNS is the underpinning and "authentication" mechanism for most of the common and important services (e.g., HTTP, FTP, TELNET, mail, NFS, login*, SSH, etc.)
- Target of many "hacking" efforts
In all likelihood, you have to depend on servers that you don't manage or own (e.g., your ISP)!
next... SNMP
Where are We?
Profiling
- Methodology
- Example Profile #1
- Example Profile #2
Discovery and Profiling Tools
- typhon, nessus, dsniff, Nikto, and lots more!
Intrusions
- Awareness/Statistics
- Examples
- Common Areas
Protocols
- DNS
- SNMP
- Handheld (PocketPC)
- Web Infrastructure
SNMP
Simple Network Management Protocol
- Agents: collect data (MIB), provide data to managers, and respond to commands
- Managers: interface for controlling and observing agent data
Four functions (it is called Simple)
- get (read data; getnext walks a table one object at a time)
- set (change data)
- trap (agent sends an alert to a manager)
- inform (manager sends an alert to another manager; SNMPv2 and later)
(chart: Network Management Preference, "Which method do you primarily use for managing your networks?": vendor-proprietary vs. SNMP vs. neither; percentages illegible in the extracted page)
SNMP Architecture
SNMP message layout
- Version number | Community string | PDU(s)
- Get/GetNext/Set operation PDU: Request ID | Error status | Error index | OID item/value pair(s)
- Trap operation PDU: enterprise (triggering) OID | Agent IP address | Generic ID | Specific ID | Time stamp | OID item/value pair(s)
SNMP security (v1/v2c)
1. Message is passed to the agent
2. Community string validation: invalid -> request is denied
3. IP address validation (if the agent is configured with a list of allowed managers): invalid -> request is denied
4. Valid -> resource access granted
Caveat: the community string travels in clear text in every v1/v2c message and the source address of a UDP datagram is trivial to spoof, so neither check is authentication in any real sense.
Default MIB Overview: MIB-II (Management Information Base)
- System group
- Interfaces group: quantity, type, characteristics
- AT group: interface address mappings
- IP group: metrics, mappings
- ICMP group: metrics
- TCP group: metrics, connections
- UDP group: metrics, connections
- EGP group: metrics, neighbors
- SNMP group: metrics
MIB Group Example
    tcpConnTable OBJECT-TYPE
        SYNTAX  SEQUENCE OF TcpConnEntry
        ACCESS  not-accessible        -- alternatives: read-only, write-only, read-write
        STATUS  mandatory             -- alternatives: optional, obsolete
        DESCRIPTION
            "A table containing TCP connection-specific information."
        ::= { tcp 13 }

    tcpConnEntry OBJECT-TYPE
        SYNTAX  TcpConnEntry
        ACCESS  not-accessible
        STATUS  mandatory
        DESCRIPTION
            "Information about a particular current TCP connection."
        INDEX   { tcpConnLocalAddress, tcpConnLocalPort,
                  tcpConnRemAddress, tcpConnRemPort }
        ::= { tcpConnTable 1 }
Network Management Behavior: 27 Default Parameters that can Change
- System contact, name, and location
- Interface state (up, down)
- Media physical address
- Network (IP) address
- IP state (gateway forwarding or not)
- IP TTL value
- IP next HOP address
- IP route age and mask
- TCP state (terminate connection)
- Neighbor state (start and stop communication)
- Enable SNMP traps
How about your wireless Access Points: ...you changed the strings on that, right? ...and the management password too, right?
SCOTTY SNMP Overview
snmp session -address w.x.y.z -community 2ez2ez
  (also -port, -version, -writecommunity, -user, -password, etc.)
snmp0 get sysDescr.0
snmp0 get "sysDescr.0 sysName.0 sysContact.0"
snmp0 walk x "tcpConnTable" { puts $x }
snmp0 set [list ipDefaultTTL.0 "254"]
SCOTTY SNMP Source
    # Sweep a /24 for SNMP agents: one session per address, an asynchronous
    # GET of sysDescr.0, and print address + description for every agent
    # that answers to the community string in the global "password".
    proc SnmpDiscover {net delay window retries timeout} {
        global password                 ;# community string, set by the caller
        for {set i 1} {$i < 255} {incr i} {
            set s [snmp session -address $net.$i -delay $delay -window $window \
                       -retries $retries -community $password -timeout $timeout]
            # The script argument runs when the reply (or the timeout) arrives:
            # %E is the error status, %V the varbind list, %S the session.
            $s get sysDescr.0 {
                if {"%E" == "noError"} {
                    set d [lindex [lindex {%V} 0] 2]
                    regsub -all "\[\n\r\]" $d "" d
                    puts "[%S cget -address]\t$d"
                }
                %S destroy
            }
            update
        }
        snmp wait
    }
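The message layout from the SNMP Architecture slide and the snmp0 get sysDescr.0 call above, in wire form: the Python below is an added example (not SCOTTY/Tnm code) that BER-encodes an SNMPv1 GetRequest for sysDescr.0 with the slide's community string and decodes a GetResponse. The response is constructed locally with the same encoder (the sysDescr value is made up) so the block runs offline; the real exchange is sending get_request(...) over UDP to port 161 and handing the returned datagram to parse_message. Note that the bytes b"2ez2ez" sit in plain view in the request: the "credential" travels in the clear.

```python
"""SNMPv1 GetRequest / GetResponse in BER, encoder and decoder (added example)."""
import struct

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2          # context-specific PDU tags


def ber_len(n):
    """Definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    """INTEGER (tag 0x02), two's complement, minimal length."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed into one byte,
    the rest base-128 with the high bit set on all but the last byte."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, out)


def _message(community, pdu_tag, request_id, varbind):
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def get_request(community, oid, request_id=1):
    """GetRequest: one varbind with a NULL (0x05 0x00) value placeholder."""
    return _message(community, GET_REQUEST, request_id, tlv(0x30, ber_oid(oid) + b"\x05\x00"))


def get_response(community, oid, value, request_id=1):
    """What an agent answers; used here only to construct a sample reply."""
    return _message(community, GET_RESPONSE, request_id, tlv(0x30, ber_oid(oid) + tlv(0x04, value.encode())))


def read_tlv(buf, off):
    """Return (tag, body, offset after the element)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n


def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def parse_message(buf):
    """Return (version, community, pdu tag, request id, error status, [(oid, value)])."""
    _, msg, _ = read_tlv(buf, 0)
    _, ver, off = read_tlv(msg, 0)
    _, comm, off = read_tlv(msg, off)
    pdu_tag, pdu, _ = read_tlv(msg, off)
    _, rid, off = read_tlv(pdu, 0)
    _, err, off = read_tlv(pdu, off)
    _, _eidx, off = read_tlv(pdu, off)
    _, vbl, _ = read_tlv(pdu, off)
    binds, off = [], 0
    while off < len(vbl):
        _, vb, off = read_tlv(vbl, off)
        _, oid, o2 = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, o2)
        binds.append((decode_oid(oid), val.decode() if vtag == 0x04 else val))
    to_int = lambda b: int.from_bytes(b, "big", signed=True)
    return to_int(ver), comm.decode(), pdu_tag, to_int(rid), to_int(err), binds


if __name__ == "__main__":
    req = get_request("2ez2ez", SYS_DESCR_0, request_id=7)
    print("request :", req.hex())
    resp = get_response("2ez2ez", SYS_DESCR_0, "Sample agent (constructed)", request_id=7)
    print("response:", parse_message(resp))
```

Sniffing one such request on UDP 161 hands an attacker the community string, which is the whole point of the SNMP Medicine slides: filter the port and move to SNMPv3, where the community field is replaced by an authenticated, optionally encrypted user header.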
SNMP Exposures
Data gathering (this is huge)
- Hardware and software profiles: the data is dynamic, real-time information
- Network topology: the data is dynamic, real-time information
- Administrative environment characteristics: the data is static and manually defined
Network management behavior (this is even ...)
- Modify administrative parameters
SNMP Medicine
SNMPv3 (RFC 2570; since superseded by RFC 3410 and the RFC 3411-3418 set) - used in conjunction with SNMPv2 (preferred) or SNMPv1 PDUs
- Security features: encryption and authentication (the User-based Security Model)
- Reference material
  - www.snmp.com/snmpv3/index.html
  - www.ietf.org/html.charters/snmpv3-charter.html
  - www.15seconds.com/issue/020723.htm
  - Sys Admin, Network Security, May 2000, Vol. 9 #5, Eric Davis p. 43, "SNMPv3 - User Security Model"
- Vendors waiting in the wings
  - Bay Networks, BMC Software, Cisco Systems, Hewlett-Packard Co., Liebert Corp., SNMP Research International and Tivoli Systems
SNMP Medicine (cont.)
- Community string naming strategy: should be similar to username/password policies (never the defaults "public"/"private", and remember they cross the wire in clear text in v1/v2c)
- Use router/firewall (DMZ) IP address and service port filtering (UDP 161 for requests, 162 for traps)
- Disable SNMP agents on systems not being polled by network management software
- Where an agent must stay on, make its community read-only unless a manager really needs to set
What the Hacker KnOwZ...about SNMP
- Incredibly rich, accurate, and relevant information
- Many organizations either forget about managing SNMP, or manage it quite loosely
next... Handhelds (PocketPC)
Where are We?
Profiling
- Methodology
- Example Profile #1
- Example Profile #2
Discovery and Profiling Tools
- typhon, nessus, dsniff, Nikto, and lots more!
Intrusions
- Awareness/Statistics
- Examples
- Common Areas
Protocols
- DNS
- SNMP
- Handheld (PocketPC)
- Web Infrastructure
Handheld (PocketPC)
Essentially the same threats as a laptop or desktop
- Except portability exacerbates many issues
- Full TCP/IP stack
PocketPC runs Windows CE, which (depending on version) can do most of what a Windows box can do: it shares the Win32 API and application stack with desktop Windows, although it is a separate kernel rather than a build of the desktop Windows source tree
- Web server
- File sharing
- .NET framework: smart clients, web services, servers, developer tools
Handheld (PocketPC) (cont.)
Obvious threats
- Direct access
  - Found, stolen, borrowed from the cradle
  - Access to (confidential) data in memory or on storage cards, depending on security mechanisms
  - Storage cards without encryption
- Wireless sniffing
  - Eavesdropping, active content modification, packet injection
- Inappropriate authentication
  - No login password, obvious password
- Configuration problems
  - Unapproved applications loaded
  - Unapproved protocols or services running
- Synchronization issues
  - Virus/trojan download
Handheld (PocketPC) (cont.)
Not so obvious threats
- Access to backup data
  - Synchronized data copied to a local or distributed file system
  - Files backed up to other media or systems
- File access to the device in its cradle
  - Which might be done over the network: PCAnywhere, Remote Desktop (with Internet Explorer)
- Wireless network exposures
  - Active probing (scanning) of the handheld in "foreign" wireless networks
  - Network applications "waking up" and performing operations in foreign networks (e.g., mail send)
Access to Backup Data
During the setup process
- Select synchronize
- Create synchronization folder
(screenshots of the ActiveSync setup dialogs; recoverable text:)
"Specify how to synchronize data. Choose to synchronize with your desktop and/or a server. You can synchronize data, such as e-mail messages and [...] device and this desktop computer. However, if you have [...] Server with Exchange ActiveSync, you can also choose to synchronize directly with a server, getting the most up-to-[...] desktop computer is turned off. How do you want to synchronize with your device? (o) Synchronize with this desktop computer ( ) Synchronize with Microsoft Exchange Server and/or [...] (Note: You must have access to Microsoft Exchange [...] or Microsoft Mobile Information Server.)"
"A Synchronized Files folder will be created on your desktop computer. Place files that you want to synchronize into this folder. Microsoft ActiveSync may need to convert files when synchronizing between your mobile device and this desktop computer. Note: A converted file may not contain all information found in the original file."
Access to Backup Data (cont.)
Insert handheld into cradle: no authentication required!
Notice Windows Explorer
(two screenshots of the desktop Windows Explorer folder tree: My Computer with 3 1/2 Floppy (A:), Local Disk (C:), SystemExperts (D:), Backup (E:), Control Panel, Mobile Device, Shared Documents, Brad Johnson's Documents, My Network Places, Norton Protected Recycle Bin, My Briefcase)
- Not in cradle, after sync: the synchronized "MyPocketPC My Documents" folder (Business, Personal, Templates) sits on the desktop, 22 objects, 394 KB
- In cradle, after sync: the device itself is browsable under Mobile Device (MyPocketPC: Business, Personal, Templates), 4 object(s)
File Access to Device in Cradle
Insert handheld into cradle
Automatic login and synchronization
Desktop object becomes "active"
[Screenshot: Microsoft ActiveSync window showing the device Connected and Synchronized; Calendar, Contacts, Tasks, Favorites, Inbox and Files each report "Synchronized" (Files: "Updating folder hierarchy..."). Beside it, Windows Explorer shows the Mobile Device node under My Computer alongside the local disks, Control Panel, Shared Documents and Brad Johnson's Documents.]
File Access to Device in Cradle (cont.)
Note created on handheld called "New File" is copied to local sync folder
[Screenshot: Windows Explorer. Under Mobile Device, MyPocketPC My Documents\Personal contains one object, the note saved as a .pwi InkWriter/NoteTaker file (424 bytes, modified 4/21/2004 11:49). The same file appears in the local synchronization folder on the desktop's C: drive (1 object, 424 bytes).]
File Access to Device in Cradle (cont.)
Second note created on handheld "Second New File"
Handheld inserted into cradle WITHOUT automatic sync
File is copied from "Mobile" resource object and opened!
[Screenshot: Microsoft ActiveSync shows the device Connected with "3 items not synchronized" (Calendar, Contacts, Tasks and Favorites synchronized; Inbox: 2 items not synchronized; Files: 1 item not synchronized). Nonetheless "Second new file.pwi" has been opened from the Mobile Device object in Microsoft Word.]
Probing of handheld in "foreign" wireless networks
• Enable Apple Airport Extreme base station
- Running firmware v5.4
- Connected via Ethernet to LinkSys Etherfast Cable Router
- Router offering DHCP in the protected 192.168.1 range starting at 100
• Enable the iPAQ Wireless WLAN service
- Detects the wireless networks, associates with broadcast SSID without WEP enabled
- Gets IP address from LinkSys DHCP server
- Establishes full connection
Probing of handheld in "foreign" wireless networks (cont.)
[Screenshot: LinkSys router "DHCP Active IP Table" (DHCP server 192.168.1.1) listing seven clients at 192.168.1.100 through 192.168.1.106 with their hostnames (including MyPocketPC) and MAC addresses.]
A command prompt on another client then reaches the handheld directly:
C:\>ping 192.168.1.106
Pinging 192.168.1.106 with 32 bytes of data:
Reply from 192.168.1.106: bytes=32 time=4ms TTL=128
Reply from 192.168.1.106: bytes=32 time=4ms TTL=128
Reply from 192.168.1.106: bytes=32 time=3ms TTL=128
Reply from 192.168.1.106: bytes=32 time=4ms TTL=128
Ping statistics for 192.168.1.106:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 4ms, Average = 3ms
What the Hacker KnOwZ...about Handhelds
• Handhelds have (essentially) the same protocol and service capabilities as a laptop
• All handhelds have a life-cycle that requires docking with the mother-ship (the cradle and the synchronization process)
• The device is a fully addressable wireless network object that "wants" to reach out and be touched
next... Web Infrastructure
Where are We?
Profiling
• Methodology
• Example Profile #1
• Example Profile #2
Discovery and Profiling Tools
• typhon, nessus, dsniff, Nikto, and lots more!
Intrusions
• Awareness/Statistics
• Examples
• Common Areas
Protocols
• DNS
• SNMP
• Handheld (PocketPC)
• Web Infrastructure
Web Exposures
Protocol Issues
• HTTP, HTTPS
- SSL
• Certificates (granting, revoking)
- (DNS) Name lookup
• Web Spoofing
Application Source
• FORMS and page input rewriting
- HTML, ActiveX, Java*, other client-side code
• Cookie modification
Server Issues
• Server configuration exploits
- Distribution example exploits
Web Protocol - Web Spoofing
Used to "take over" an entire site
• You might ask for that!
• www.anonymizer.com/ (Anonymous surfing)
- e.g., anon.free.anonymizer.com/http://www.systemexperts.com
• www.shodouka.com/ (View Web in Japanese)
- e.g., www.lfw.org/shodouka/http://www.netscape.com/ja/
Allows traffic to be intercepted and changed
Requires some vigilance by the user to detect
• Detection not likely in mass market situations
- e.g., does your mother, uncle, mechanic, or neighbor know...
• What a URL is?
• What a valid CERT looks like?
• What a fingerprint is for?
• How to read HTML source?
Anonymizer
[Screenshot: Anonymizer.com "Privacy Diagnostic" page in Microsoft Internet Explorer. Index: Test 1 Your IP Address; Test 2 Hidden Tracking Files; Test 3 Exposed Clipboard; Test 4 Hack & Exploit Vulnerability; Test 5 Browser & OS; Test 6 Geographical Location; Test 7 Your Network. Test #5 reports "Your Browser is: Microsoft Internet Explorer", "Your Operating System is: Windows 98", "JavaScript is working."]
Web Spoofing Example
[Screenshot: the SystemExperts "Literature" page (Tel 888-749-9800, Tel 978-440-9388) viewed in Microsoft Internet Explorer through Anonymizer; the title bar shows the page as protected by an anonymizer.com proxy host, and an Anonymizer toolbar ("Anonymizer protection is now active", "Jump to: http://", "Upgrade Now") sits above the page.]
Technical White Papers in PDF format:
• "Wireless 802.11 LAN Security: Understanding the Key Issues", Brad C. Johnson, SystemExperts Corporation
• "Wireless 802.11 Security: Questions and Answers to Get Started", Brad C. Johnson, SystemExperts Corporation
• "Internet Penetration Testing: A Seasoned Perspective", Brad C. Johnson, SystemExperts Corporation
• "Hardening Windows 2000", Philip C. Cox, SystemExperts Corporation
• "How Web Spoofing Works", Brad C. Johnson, SystemExperts Corporation
Understanding URL Deconstruction
• Protocol://username:password@host:port/pathname#hash?search
- Protocol is up to and including the first colon (client: e.g., browser)
- username:password for basic authentication, otherwise ignored data
- Host is the domain name/IP (DNS)
- The port that the server uses for communications (socket connect)
- Pathname is the URL-path (file) portion of the URL (file system)
- Hash is an anchor name fragment in the URL, including the hash mark (#) -- this applies to HTTP URLs only (HTTP server)
- Search is any query information in the URL, including the question mark -- this applies to HTTP URLs only: the search string contains variable and value pairs; each pair is separated by an ampersand (server application)
• Examples
- http://www.systemexperts.com
- http://www.systemexperts.com:80/index.htm
- http://ignore:[email protected]:8080/http://www.systemexperts.com
Web Spoofing explained
Walk through:
- The wanted URL is prefaced with the intruder's URL
- Normal HTTP protocol will handle this just fine
• The intruder site calls the REAL site and asks for the requested URL information
• The REAL site returns the page as requested to the intruder
• The intruder site massages the data (to change all URL references) and returns it to you
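The URL deconstruction and the walk-through above, as an added example that is not part of the tutorial: it splits a URL into the slide's fields and then flags the two things a rewritten link gives away, a second URL embedded in the pathname (so the real host is the intruder's) and userinfo that the server ignores. The sample URLs and the HTML snippet are constructed for illustration.

```python
"""URL deconstruction and web-spoofing indicators (added example)."""
import re
from urllib.parse import urlsplit

# A pathname that itself begins with a scheme, e.g. /http://good.com/file
EMBEDDED_URL = re.compile(r"^/+(https?:)//([^/?#]+)", re.IGNORECASE)
# Attribute values that carry URLs in the page a browser receives
ATTR_URL = re.compile(r"""(?:href|src|action)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def deconstruct(url):
    """Return the URL components keyed by the slide's field names."""
    parts = urlsplit(url)
    try:
        port = parts.port                     # None when the default port is implied
    except ValueError:                        # non-numeric port in a hand-edited URL
        port = None
    return {
        "protocol": parts.scheme + ":",       # up to and including the first colon
        "username": parts.username,           # basic-auth userinfo, else None
        "password": parts.password,
        "host": parts.hostname,               # DNS name or IP literal the socket connects to
        "port": port,
        "pathname": parts.path,               # URL-path handed to the file system
        "search": "?" + parts.query if parts.query else "",      # variable=value pairs
        "hash": "#" + parts.fragment if parts.fragment else "",
    }


def spoofing_indicators(url):
    """Return the spoofing indicators found in `url` (empty list if none).

    In http://bad.com/http://good.com/file the socket goes to bad.com;
    good.com only appears inside the pathname.
    """
    fields = deconstruct(url)
    findings = []
    m = EMBEDDED_URL.match(fields["pathname"])
    if m:
        findings.append(
            "embedded URL in pathname: request actually goes to host %r, not %r"
            % (fields["host"], m.group(2)))
    if fields["username"] is not None:
        findings.append(
            "userinfo present: %r@ is ignored by the server and can disguise the real host"
            % fields["username"])
    return findings


def find_rewritten_links(html):
    """Return (url, indicators) for every link in `html` that carries an indicator."""
    flagged = []
    for url in ATTR_URL.findall(html):
        hits = spoofing_indicators(url)
        if hits:
            flagged.append((url, hits))
    return flagged


# Constructed sample modelled on the rewritten Literature page: one proxied
# link, one untouched relative link, one untouched image.
SAMPLE_HTML = """
<P><FONT CLASS="text"><A HREF="http://anon.free.anonymizer.com/http://www.systemexperts.com/tutors/HardenW2K101.pdf" TARGET="_blank"><I>"Hardening Windows 2000"</I></A></FONT>
<A HREF="/tutors/index.html">Local link, untouched</A>
<IMG SRC="http://www.systemexperts.com/images/logo.gif">
"""

if __name__ == "__main__":
    for url, hits in find_rewritten_links(SAMPLE_HTML):
        print(url)
        for hit in hits:
            print("   ", hit)
```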
Web Spoofing Diagram
[Diagram: the browser on You.Com follows a link whose URL has been modified to http://bad.com/http://good.com/file. The request goes to the Bad.Com WWW server, which calls Good.Com to get the file from the Good.Com WWW server, changes the data in its copy of the file, and returns the result to the browser.]
Web Spoofing: How does that work again?
You, the bad guy, must have an HTTP server that somehow gets in the middle of the client and the intended target; to be successful you need:
• Web server
- Apache, IIS, etc.
• An IP address
Your server does URL rewriting
- http://www.SystemExperts.com ... is changed to...
• http://www.intruder.com/http://www.SystemExperts.com
Web Spoofing Example (cont.)
[Screenshot: the proxied Literature page's HTML source opened in Notepad. Every white paper link has been rewritten so that the real URL is appended to the proxy's, for example:
<P><FONT CLASS="text"><A HREF="http://anon.free.anonymizer.com/http://www.systemexperts.com/tutors/HardenW2K101.pdf" TARGET="_blank"><I>"Hardening Windows 2000"<BR></I></A>Philip C. Cox, SystemExperts Corporation</FONT>
The same rewriting applies to the "How Web Spoofing Works" link (Brad C. Johnson, SystemExperts Corporation) and to the NT login paper (Philip C. Cox, SystemExperts Corporation and Paul B. Hill, Massachusetts Institute of Technology).]
How do you Get in the Middle?
Easier
- DNS Poisoning (direct)
- Register a confusing or false URL entry in a search engine (indirect)
• Have a "convincing" message using FAX, email, ad, or letter that encourages somebody to use your site (indirect)
Harder
- Hack into the target server system (direct)
• Force (e.g., arpspoof) DNS requests to your special DNS server (direct)
• You pay/bribe somebody who controls an important DNS server (indirect)
How do you Get in the Middle? Part II
• Another new approach called: Web Page Pointer Theft (related to registering a confusing or false URL)
- People steal/copy your meta tag data
- potentially download your entire site!
- Then push their site (with your info) into search engines
- End-users get tricked into thinking the "bad guys" are offering some desirable service and find themselves automatically transferred to someplace else
Cut/Paste HTML from Top 5 Bank Web Site:
<meta name="robots" content="index,follow">
<meta name="keywords" content="bank, banks, banking, banking center, banking centers, finance, financial, financial institution, financial planning, invest, investing, investment advice, investment advisers, investors, checking, checking account, checking accounts, cds, certificate of deposit, certificates of deposit, savings, savings account, savings accounts, iras, investment retirement account, roth ira, education ira, traditional ira, online banking, bank online, online, mortgage, mortgages, fha, conventional mortgage, refinance, refi, consumer loans, home equity, heloc, home equity line of credit, equity builder, home equity loan, auto loan, auto insurance, automobile loan, automobile insurance, credit card, credit cards, visa, mastercard, check card, visa check card, business banking, small business banking, business checking, business savings, business center, online business">
Web Application Source: Things are different from "before"
Web applications are fundamentally different than historical business applications
• Much of the code is on-line
• Input data comes from an unpredictable source
• More likely that bad guys have access
Classes of problems include
• Keeping track of state
- modified pages
• Threshold input handling
- special characters and practices
• Web server exposures
- distribution exploits
Web Application Security Initiative
• OWASP: The Open Web Application Security Project
• www.owasp.org
• Development projects
- WebScarab: Java program to spider a Web site for vulnerabilities (Nikto, whisker)
- filters: 10 sanitization components (check parameters)
• Documentation projects
- Guide to building secure Web applications and Web services (version 2.0 soon!)
- Guide to testing security of these applications and services
OWASP
Top 10 Web application vulnerabilities
- Unvalidated parameters
- Broken access control
- Broken account and session management
- Cross-site scripting flaws
- Buffer overflows
- Command injection flaws
- Error handling problems
- Insecure storage
- Denial of service
- Insecure configuration management
WebSleuth
[Screenshot: the Fidelity login page (https://login.fidelity.com/ftgw/Fidelity/RtlCust/Login/Init) loaded in WebSleuth. The page offers logins for Mutual Fund/Annuity accounts (SSN or Customer ID plus PIN), NetBenefits 401(k)/403(b)/401(a)/457 and stock plan accounts, and the Charitable Gift Fund Giving Account, plus PIN help, "Open an Account" and a notice about trading in fast changing markets. WebSleuth's Properties, Toolbox, Plugins, Favorites and Filter tabs sit above the browser pane.]
WebSleuth (cont.)
[Screenshot: WebSleuth's Source and Links/status views of the Fidelity login page. The source shows a cookie-check script (if document.cookie is empty it writes "Your browser has been configured to block cookies from being set ... To log in to Fidelity.com, you must have cookies enabled" with a link to the cookies FAQ), a NOSCRIPT block ("STOP! Your current browser does not have JavaScript enabled or you are using a browser that does not support JavaScript..."), and the primary login form: <FORM id=loginForm name=loginForm onsubmit="return disallowSpacesInSSN()" action=/ftgw/Fidelity/RtlCust/Login/Response method=post>. The Links/status tab lists the page's outbound URLs on fidelity.com hosts (login, rps, openacct, personal, scs), and the toolbox offers Find/Replace, Colorize, Cookie Check, POST and Forms Data tabs.]
WebSleuth (cont.)
[Screenshot: WebSleuth report for http://www.google.com/.
Cookie: PREF=ID=76a4c79838735da9:TM=1849822468:LM=1849822468:S=ZFjRUmo1XIEfe_nB
Links: the imghp, grphp, dirhp and nwshp tab URLs (each with hl=en&tab=...&ie=UTF-8&oe=UTF-8), advanced_search, preferences, language_tools, /ads/, /services/, /options/, about.html
Images: http://www.google.com/images/logo.gif
Scripts: an inline function that focuses the query field, one that rewrites the form action for the selected tab, and a "Make Google Your Homepage" writer guarded by hp.isHomePage()
Comments: No Comments in Document
MetaTags: No Meta Tags in Document
Forms: f, Method GET, ACTION /search, BASE URL http://www.google.com/; HIDDEN hl=en, HIDDEN ie=UTF-8, HIDDEN oe=UTF-8, TEXT q=, SUBMIT btnG=Google Search, SUBMIT btnI=I'm Feeling Lucky]
Keeping Track of State: What's the Deal?
• Fastest growing exploit area
• It's all about state information
- HTTP is stateless, but... essentially any non-brochure site needs state information to keep track of who's doing what, when, where, and how
• Where is state placed?
- server (which is harder to develop and manage)
- client (which is harder to trust)
• How is state shared or stored?
- cookies
- environment variables
- URLs
- dynamically generated page information
- proprietary files
- databases
Modified (client-side) Pages
Change client-side HTML source
- Download page
- Save to disk
- Edit page
- Reload into browser (it's "just" a file open)
- Send to server
Debugging aid
- file = "/etc/password" vs. file = "http://url"
- file = "http://url/cgi-bin/" vs. file = "http://url"
- <INPUT TYPE=HIDDEN NAME="CHK_PSWD" VALUE="NO" SIZE=0>
- <AREA SHAPE="RECT" COORDS="15,170,290,228" HREF="/directory/page-code?USER_ID=1070">
- <TABLE ... background=/file.img;accountNumber=123456>
- HTTPS://www.company.com/file.jsp?TransactionNumber=567
ID state information
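The client-side state problem from the two slides above, as an added example (not code from the tutorial): the first handler believes a hidden CHK_PSWD field and an account number exactly as the slide describes, so a saved-and-edited page changes the outcome; the second keeps the same hidden field but only accepts it with a server-side HMAC, so edits are rejected and the password is always checked. Users, key, and form data are constructed for the example; a server-side session store is the alternative the state slide mentions.

```python
"""Hidden-field state: trusting pattern beside a signed-state pattern (added example)."""
import hashlib
import hmac
import html
import json
import secrets

USERS = {"alice": "correct horse"}      # constructed credential store
ACCOUNTS = {"alice": "123456"}           # which account each user may see
SERVER_KEY = secrets.token_bytes(32)     # per-server secret; never sent to the client


def authorize_trusting(form):
    """Weak pattern from the slide: CHK_PSWD=NO skips the password check and
    accountNumber is whatever the client typed into the saved page.
    Returns the account the caller is granted, or None."""
    if form.get("CHK_PSWD", "YES") != "NO":
        if USERS.get(form.get("user")) != form.get("password"):
            return None
    return form.get("accountNumber")


def sign_state(fields):
    """Serialize hidden-field state and append an HMAC over it.
    The returned string is what the server embeds as a hidden VALUE."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + mac


def verify_state(token):
    """Return the state dict if the MAC checks out, else None."""
    payload, sep, mac = token.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):     # constant-time compare
        return None
    try:
        state = json.loads(payload)
    except ValueError:
        return None
    return state if isinstance(state, dict) else None


def hidden_field(name, token):
    """Render the signed state the way the slide's hidden INPUT carries it."""
    return '<INPUT TYPE=HIDDEN NAME="%s" VALUE="%s">' % (
        html.escape(name, quote=True), html.escape(token, quote=True))


def authorize_signed(form):
    """Hardened pattern: the password is always checked, and the account number
    comes only from state the server signed for this user."""
    user = form.get("user")
    if USERS.get(user) != form.get("password"):
        return None
    state = verify_state(form.get("state", ""))
    if state is None or state.get("user") != user:
        return None
    return state.get("accountNumber")


if __name__ == "__main__":
    edited = {"user": "mallory", "CHK_PSWD": "NO", "accountNumber": "999999"}
    print("trusting handler grants:", authorize_trusting(edited))
    token = sign_state({"user": "alice", "accountNumber": ACCOUNTS["alice"]})
    print(hidden_field("state", token))
    tampered = token.replace("123456", "999999")
    print("signed handler, edited state:", authorize_signed(
        {"user": "alice", "password": "correct horse", "state": tampered}))
```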
Secure Web Exposures
Certificate problems
• Not signed by a trusted Certificate Authority (CA)
- "unknown CA, do you want to accept certificates signed by Microsoft from now on?"
- Root CA certificates in browsers suspect
- FORGED CERT PGP KEY: www.cert.org/contact_cert/PGP_warning.html
- Unauthentic Microsoft Certificates: www.cert.org/advisories/CA-2001-04.html
• Latent issues not resolved yet
- (large scale) certificate replacement
- (large scale) certificate revocation
• IE SSL subject to undetected man-in-the-middle attack
- www.thoughtcrime.org/ie-ssl-chain.txt
- use arpspoof to take on the router's MAC address, make a request to the target server, inspect the certificate, create a new certificate with an identical Distinguished Name and sign it with the end-entity certificate, and then perform the SSL handshake with the client! Done. No detection!
• Windows SSL trojan
- www.eweek.com/article2/0,1759,1573825,00.asp?kc=EWRSS03119TX1K0000594
- based on Windows exploits and patches in April '04
Secure Web Exposures (cont.)
Only real server authentication is that the DNS name in the URL matches the name in the Certificate
- DNS lookup is NOT part of the SSL specification
- You could be fooled into using a wrong name (www.delta.com vs. www.delta-air.com)
- btw: they are now both for the airline!
• again, see "How do you get in the middle?" in Web Spoofing
- SSL doesn't detect/stop DNS poisoning
- www.webdevelopersjournal.com/articles/is_ssl_dead.html
• you shouldn't count on SSL to protect your application just like you don't count on WEP to protect wireless applications
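The name check the slide describes, as an added example (not from the tutorial): the browser's server authentication reduces to comparing the host taken from the URL with the names in the certificate, so a certificate properly issued to a look-alike name passes, and in a web-spoofing URL the host that is compared is the proxy's, not the one the user sees in the path. The certificate name lists are constructed samples; wildcard handling follows the usual single-leftmost-label rule.

```python
"""What SSL server authentication actually checks (added example)."""
from urllib.parse import urlsplit


def name_matches(url_host, cert_name):
    """Case-insensitive match of one certificate name against the URL host.
    A wildcard is honoured only as the whole leftmost label (*.example.com)
    and only for hosts with the same number of labels."""
    host = url_host.lower().rstrip(".")
    name = cert_name.lower().rstrip(".")
    if not name.startswith("*."):
        return host == name
    host_labels = host.split(".")
    name_labels = name.split(".")
    return (len(host_labels) == len(name_labels)
            and host_labels[1:] == name_labels[1:]
            and host_labels[0] != "")


def server_authenticated(url, cert_names):
    """True when the URL's host appears among the certificate's names
    (subjectAltName dNSNames, or the subject CN in older certificates).
    No DNS lookup and no judgement about whether the name is the intended one."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return any(name_matches(host, n) for n in cert_names)


# Constructed certificate name lists
DELTA_CERT = ["www.delta.com", "delta.com"]          # the airline's own site
LOOKALIKE_CERT = ["www.delta-air.com"]               # a different registrant, valid cert
PROXY_CERT = ["bad.example"]                         # a web-spoofing proxy's own cert

if __name__ == "__main__":
    cases = [
        ("https://www.delta.com/", DELTA_CERT),
        ("https://www.delta-air.com/", LOOKALIKE_CERT),     # passes: name matches
        ("https://www.delta-air.com/", DELTA_CERT),         # fails: wrong name
        ("https://bad.example/https://www.delta.com/", PROXY_CERT),  # passes: host is bad.example
    ]
    for url, names in cases:
        print("%-50s %s" % (url, server_authenticated(url, names)))
```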
Internet Explorer 4 to 5 Advanced Options
[Screenshot: two Advanced tabs side by side. Internet Explorer 4 "Internet Options", Security section: Warn if forms submit is being redirected; SSL 3.0; SSL 2.0; Warn about invalid site certificates; Warn if changing between secure and not secure mode; PCT 1.0; Enable Profile Assistant; Cookies (Prompt before accepting cookies / Disable all cookie use / Always accept cookies); Check for certificate revocation; Do not save encrypted pages to disk; Delete saved pages when browser closed; HTTP 1.1 settings (Use HTTP 1.1, Use HTTP 1.1 through proxy connections). Internet Explorer 5 "Internet Properties", Security section: Check for publisher's certificate revocation; Check for server certificate revocation (requires restart); Do not save encrypted pages to disk; Empty Temporary Internet Files folder when browser is closed; Enable Profile Assistant; Use Fortezza; Use PCT 1.0; Use SSL 2.0; Warn if changing between secure and not secure mode; Warn if forms submittal is being redirected. Three of the IE 5 options are marked "New".]
Internet Explorer 5 to 6 Advanced Options
[Screenshot: two Advanced tabs side by side. Internet Explorer 5 "Internet Properties", Security section: Check for publisher's certificate revocation; Check for server certificate revocation (requires restart); Do not save encrypted pages to disk; Empty Temporary Internet Files folder when browser is closed; Use SSL 3.0; Use TLS 1.0; Warn about invalid site certificates; Warn if changing between secure and not secure mode; Warn if forms submittal is being redirected (one option is marked "Gone"). Internet Explorer 6 "Internet Options" (now with a Privacy tab), Security section: Check for publisher's certificate revocation; Check for server certificate revocation (requires restart); Check for signatures on downloaded programs; Empty Temporary Internet Files folder when browser is closed; Enable Integrated Windows Authentication (requires restart); Use SSL 2.0; Use SSL 3.0; Use TLS 1.0; Warn about invalid site certificates; Warn if changing between secure and not secure mode; Warn if forms submittal is being redirected. Two of the IE 6 options are marked "New".]
What the Hacker KnOwZ...about the Web
Web Spoofing is a BIG/HUGE opportunity
- Lots of "hacking" efforts to increase the ways to do spoofing
- #1 area (outside of general buffer overflow issues) for new and high profile intrusions and exploits
Many network applications are not rigorously tested for input handling issues
Front-end Web code (i.e., available to the client via the browser) reveals a LOT about design, intention, conventions, and expectations of the server
next... Finishing Up
Where are We?
Profiling
• Methodology
• Example Profile #1
• Example Profile #2
Intrusions
• Awareness/Statistics
• Examples
• Common Areas
Discovery and Profiling Tools
• typhon, nessus, dsniff, Nikto, and lots more!
Protocols
• DNS
• SNMP
• Handheld (PocketPC)
• Web Infrastructure
Finishing Up
• Things To Do
• Reference Links
Top 10ish Things To Do
Tools
- Vulnerability testing: nessus or nsat
- HTTP CGI checker: Nikto
- 802.11b AP finder: netstumbler*
- OS identification and special scanner: nmap
- IDS: network (e.g., snort) and integrity checker (e.g., Tripwire)
Make sure you have permission to use public domain tools!
Top 10ish Things To Do (cont.)
Development
• Use some scanner to create a template profile of your important systems: run the scanner every day and generate an alarm/email if the results are different
• Define a list of 5-10 important issues and create/use any kind of script/program you can to check the logs for those things
• Upgrade every version of BIND you can to the latest version (yours, your neighbors', your ISP)
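The "template profile" recommendation above, as an added example (not from the tutorial): it parses nmap's grepable output into a per-host set of open ports, diffs today's run against the saved baseline, and returns the changes that should trigger the alarm/e-mail. The two scan texts are constructed sample data in nmap's -oG format, not real scans; the scanner choice and e-mail delivery are left to the reader.

```python
"""Daily scan profile diff for the 'template profile' recommendation (added example)."""
import re

# port/state/protocol/owner/service/... as written by nmap -oG
PORT_RE = re.compile(r"(\d+)/([^/]+)/(\w+)//([^/]*)")


def parse_grepable(text):
    """Map each host to the set of (port, proto, service) triples reported open."""
    profile = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comment lines and 'Status: Up' lines
        host = line.split()[1]
        ports = line.split("Ports:", 1)[1]
        profile[host] = {
            (int(port), proto, svc)
            for port, state, proto, svc in PORT_RE.findall(ports)
            if state == "open"
        }
    return profile


def fmt(ports):
    """Render a port set as '22/tcp ssh, 80/tcp http'."""
    return ", ".join("%d/%s %s" % p for p in sorted(ports))


def diff_profiles(baseline, current):
    """Return a sorted list of human-readable changes between two profiles."""
    changes = []
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host), current.get(host)
        if before is None:
            changes.append("NEW HOST %s: %s" % (host, fmt(after)))
            continue
        if after is None:
            changes.append("HOST GONE %s" % host)
            continue
        for port, proto, svc in sorted(after - before):
            changes.append("NEW OPEN PORT %s %d/%s %s" % (host, port, proto, svc))
        for port, proto, svc in sorted(before - after):
            changes.append("PORT CLOSED %s %d/%s %s" % (host, port, proto, svc))
    return changes


def daily_check(baseline_text, current_text):
    """Parse both scans and return the change list (empty means no alarm)."""
    return diff_profiles(parse_grepable(baseline_text), parse_grepable(current_text))


# Constructed sample scans (not real output): the handheld from the earlier
# slides shows up as a new host, the router grows a telnet port, the web
# server loses port 80.
BASELINE_SCAN = """# Nmap 3.50 scan initiated (constructed sample)
Host: 192.168.1.1 (router)\tPorts: 80/open/tcp//http///\tIgnored State: closed (1658)
Host: 192.168.1.10 (webserver)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (1656)
"""
CURRENT_SCAN = """# Nmap 3.50 scan initiated (constructed sample)
Host: 192.168.1.1 (router)\tPorts: 80/open/tcp//http///, 23/open/tcp//telnet///\tIgnored State: closed (1657)
Host: 192.168.1.10 (webserver)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (1657)
Host: 192.168.1.106 (mypocketpc)\tPorts: 139/open/tcp//netbios-ssn///\tIgnored State: closed (1658)
"""

if __name__ == "__main__":
    changes = daily_check(BASELINE_SCAN, CURRENT_SCAN)
    if changes:
        print("ALARM: profile changed\n" + "\n".join(changes))   # body of the alarm e-mail
    else:
        print("profile unchanged")
```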
Remember the Themes... What to Watch for
It's the protocols
• DNS exploits
• SQL exploits
Web Applications
• Servers with poor authentication and, even worse, authorization architectures
• Web Services
SSL
• Forged keys
• Certificate granting and revocation issues
Intrusion awareness
• More "clever" viruses, macros, Trojan horses (1)
• New wireless and handheld hacking techniques, e.g., rogue wireless card firmware, aggressive-technology wireless networks (2)
(1) "IT Security Pro Fears Stronger, Super Worms Coming", www.crn.com/components/weblogs/article.asp?ArticleID=49597: using P2P protocols, not just relying on SMTP and email client
(2) "Expert: Gaps still pain Bluetooth security", http://news.com.com/2100-1009_3-5197200.html?part=rss&tag=feed&subj=news: PIN theft to capture data
SystemExperts: Leadership in Security
Brad C. Johnson, Vice President
[email protected] direct 401-348-3078 fax 978-440-9388 main
www.SystemExperts.com/
Where have we Been?
Profiling
• Methodology
• Example Profile #1
• Example Profile #2
Intrusions
• Awareness/Statistics
• Examples
• Common Areas
Discovery and Profiling Tools
• typhon, nessus, dsniff, Nikto, and lots more!
Protocols
• DNS
• SNMP
• Handheld (PocketPC)
• Web Infrastructure
Finishing Up
• Things To Do
• Reference Links
Final Chance
• Any Questions?
• Mistakes in Slides?
• Changes to Course
- Things to Add?
- Things to Remove?
- Other Comments?
The Penultimate...
Profiling is a big part of being prepared for an intrusion from a determined intruder (hacker)
• Each part of your network infrastructure provides its own unique opportunities and vulnerabilities
Many of the available profiling tools or techniques are easy to use or do
• Try them against your own site