Network Security Profiles - Simson Garfinkel, simson.net/ref/2004/Network_Security_Profiles_2004.pdf

Page 1:

SystemExperts - Leadership in Security

Network Security Profiles: Protocol Threats, Intrusion Classes, and How Hackers Find Exploits

Copyright SystemExperts Corporation, 1997-2004 and beyond...
All rights reserved.

©Copyright SystemExperts 1997-2004 and beyond. Network Security Profiles version 4.3. Brad C. Johnson

Page 2:

Just checking...

This is line 1 (24 pt font - TITLES)
• This would be line 2 (20 pt font - BULLETS)
  - This is clearly line 3 (20 pt font - SUB BULLETS)
    . This is definitely line 4 (18 pt font - legal and commentary stuff :-)

Can you hear me? Check 1...2...3...Check

PLEASE turn off or silence your phones, pagers, etc.

Is it too hot? Too cold?

Page 3:

What the course is...

• An overview of the various ways that people can learn the details of your environment, and how that works to their advantage in "finding" exploits to use against you
  - Tools, techniques, URLs, recommendations, and examples: high-level, detailed tool output, screen-shots, article snippets, security group statistics, etc.
• Tool examples are largely public domain (so you can try it)
  - Some commercial tools are also described briefly
• Focus on what's happening "now"
• Did I mention "It's the Protocols?"

Page 4:

Reader's Digest of the Tutorial

• Hacker = Determined Intruder = Diligence
  - Learn exactly what components are in place (the profile) to enable focused research (and almost guarantee some level of intrusion success)
  - Pay attention to small details in both what you see and what you don't see
• The amount of traffic (other than some DoS) needed to profile your site is small, and the amount of information available to research vulnerabilities and discover exploits is huge
• Sigh... the protocols we depend on are responsible for many of the hard-to-see, hard-to-catch, or hard-to-stop exploits

Page 5:

It's the Protocols

[Figure (WWW.HELMIG.COM): LAN diagram of pc1.mynet.com 207.46.131.11, pc2.mynet.com 207.46.131.12 and pc3.mynet.com 207.46.131.13 with a node labelled ns. Caption: "Either the bits get there, or they don't!"]

Page 6:

It's the Protocols (cont.)

[Figure: OSI stack. The client program (your computer) and the server program each sit on a full seven-layer stack: Application, Presentation, Session, Transport, Network, Data Link, Physical. The intermediate node between them carries only the Network, Data Link and Physical layers.]

Page 7:

It's the Protocols (cont.)

Standard TCP/IP services: ports

rje:5, echo:7, discard:9, systat:11, daytime:13, qotd:17, msp:18, chargen:19, ftp-data:20, ftp:21, ssh:22, telnet:23, smtp:25, time:37, rlp:39,
nameserver:42, nicname:43, tacacs:49, re-mail-ck:50, domain:53, whois++:63, bootps:67, bootpc:68, tftp:69, gopher:70, netrjs-1:71, netrjs-2:72,
netrjs-3:73, netrjs-4:74, finger:79, http:80, kerberos:88, supdup:95, hostname:101, iso-tsap:102, csnet-ns:105, rtelnet:107, pop2:109, pop3:110,
sunrpc:111, auth:113, sftp:115, uucp-path:117, nntp:119, ntp:123, netbios-ns:137, netbios-dgm:138, netbios-ssn:139, imap:143, snmp:161,
cmip-man:163, cmip-agent:164, mailq:174, xdmcp:177, nextstep:178, bgp:179, prospero:191, irc:194, smux:199, at-rtmp:201, at-nbp:202, at-echo:204,
at-zis:206, qmtp:209, z39.50:210, ipx:213, imap3:220, link:245, link:245/udp ttylink, fatserv:347, rsvp_tunnel:363, rpc2portmap:369, codaauth2:370,
ulistproc:372, ldap:389, svrloc:427, mobileip-agent:434, mobilip-mn:435, https:443, snpp:444, microsoft-ds:445, kpasswd:464, photuris:468, saft:487,
gss-http:488, pim-rp-disc:496, isakmp:500, gdomap:538, iiop:535, dhcpv6-client:546, dhcpv6-server:547, rtsp:554, nntps:563, whoami:565,
submission:587, npmp-local:610, npmp-gui:611, hmmp-ind:612, ipp:631, ipp:631/udp, ldaps:636, acap:674, ha-cluster:694, kerberos-adm:749,
kerberos-iv:750, webster:765, phonebook:767, rsync:873, telnets:992, imaps:993, ircs:994, pop3s:995, exec:512, login:513, shell:514, printer:515,
utime:519, efs:520, ripng:521, timed:525, tempo:526, courier:530, conference:531, netnews:532, uucp:540, klogin:543, kshell:544, afpovertcp,
remotefs:556, socks:1080, bvcontrol:1236, h323hostcallsc:1300, ms-sql-s:1433, ms-sql-m:1434, ica:1494, wins:1512, ingreslock:1524, prospero-np:1525,
datametrics:1645, sa-msg-port:1646, kermit:1649, l2tp:1701, h323gatedisc:1718, h323gatestat:1719, h323hostcall:1720, tftp-mcast:1758, hello:1789,
radius:1812, radius-acct:1813, mtp:1911, hsrp:1985, licensedaemon:1986, gdp-port:1997, nfs:2049, zephyr-srv:2102, zephyr-clt:2103, zephyr-hm:2104,
cvspserver:2401, venus:2430, venus-se:2431, codasrv:2432, codasrv-se:2433, hpstgmgr:2600, discp-client:2601, discp-server:2602, servicemeter:2603,
nsc-ccs:2604, nsc-posa:2605, netmon:2606, corbaloc:2809, icpv2:3130, mysql:3306, trnsprntproxy:3346, rwhois:4321, krb524:4444, rfe:5002, cfengine:5308,
cvsup:5999, x11:6000, afs3-fileserver:7000, afs3-callback:7001, afs3-prserver:7002, afs3-vlserver:7003, afs3-kaserver:7004, afs3-volser:7005,
afs3-errors:7006, afs3-bos:7007, afs3-update:7008, afs3-rmtsys:7009, sd:9876, amanda:10080, pgpkeyserver:11371, h323callsigalt:11720, bprd:13720,
bpdbm:13721, bpjava-msvc:13722, vnetd:13724, bpcd:13782, vopied:13783, wnn6:22273, wnn6:22273/udp wnn4, quake:26000, wnn6-ds:26208, traceroute:33434,
rtmp:1/ddp, nbp:2/ddp, echo:4/ddp, zip:6/ddp, kerberos_master:751, krbupdate:760, kpop:1109, knetd:2053, krb5_prop:754, eklogin:2105, supfilesrv:871,
supfiledbg:1127, netstat:15, linuxconf:98, poppassd:106, smtps:465, gii:616, omirr:808, swat:901, rndc:953, skkserv:1178, xtel:1313, support:1529,
cfinger:2003, ninstall:2150, afbackup:2988, squid:3128, prsvp:3455, postgres:5432, fax:4557, hylafax:4559, sgi-dgl:5232, noclog:5354, hostmon:5355,
canna:5680, x11-ssh-offset:6010, ircd:6667, xfs:7100, tircproxy:7666, http-alt:8008, webcache:8080, tproxy:8081, jetdirect:9100, kamanda:10081,
amandaidx:10082, amidxtape:10083, isdnlog:20011, vboxd:20012, wnn4_Kr:22305, wnn4_Cn:22289, wnn4_Tw:22321, binkp:24554, asp:27374, tfido:60177, fido:60179

Page 8:

It's the Protocols (cont.)

• "Strange Attractors and TCP/IP Sequence Number Analysis" by Michal Zalewski, let's dive in
  - Seminal paper: the most widely cited modern analysis of a problem first documented in the 80's (see RFC 1948 on the next slide) and that could (spoken in a deep, echoed voice) "Bring down the Internet."
• In a nutshell
  - A TCP/IP connection (3-way handshake) includes an Initial Sequence Number (ISN) which is used to track each packet and ensure the tenets of the TCP/IP session are upheld for the packets... like: in order, only once, and hopefully from the right source

Page 9:

It's the Protocols (cont.)

• The TCP sequence number field is what lets a receiver check the integrity of a connection; by the mid 80's it was recognized that the initial value also has to be hard to guess
  - So, to create a malicious packet that would be accepted in a connection stream would require
    - attacking a protocol that isn't using cryptography for data integrity
    - knowing/guessing this sequence number
  - All of this to defend against "blind spoofing"
• RFC 1948: Defending Against Sequence Number Attacks, by Steve Bellovin
  - also called sniffer attacks, network eavesdropping, spoofing sets, DoS

Page 10:

It's the Protocols (cont.)

• So this sequence number needs to be as unpredictable as possible: that is, random
  - computers are very bad at generating random numbers... so
  - algorithms need to be used to generate random numbers
• Michal Zalewski decided to use Phase Space Analysis, which deals with strange attractors, to "show" how random the various OS random number generators are for TCP/IP sequence numbers!
  - http://razor.bindview.com/publish/papers/tcpseq.html
  - http://lcamtuf.coredump.cx/newtcp/ (1 year later)
  - Oh boy, let's just look at some pictures, my brain hurts

Page 11:

It's the Protocols (cont.)

[Phase-space plots from Zalewski's analysis]

• Windows 98 SE: 100% Attack Feasibility, Radius of 0
  - Windows 95 and Windows NT4 SP3 had essentially the same "rating"
  - Windows 2000 and NT4 SP6 + hotfixes had about a 12-15% Feasibility and a Radius of 10
• Linux 2.2: < .05% Attack Feasibility, Radius of 1000

Page 12:

It's the Protocols (cont.)

[Phase-space plots from Zalewski's analysis]

• Cisco IOS 12.0: 20% Attack Feasibility, Radius of 10
• Cisco IOS 12.2.10a: 0% Attack Feasibility, Radius of 100,000
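The "attack feasibility" and "radius" numbers on the last two slides come out of exactly this kind of analysis. The following is an added example written for this page, not code from the slides or from Zalewski's tool: it builds the delta-of-deltas phase space from a run of ISNs and scores how often the next ISN can be guessed to within a radius under a fixed guess budget (the 5000-guess budget is an assumption made for this example). The three ISN sources are constructed stand-ins (fixed step, fixed step with jitter, full 32-bit random), not captures from Windows, Linux or IOS.

```python
"""Phase-space (delta-of-deltas) analysis of TCP initial sequence numbers.

Added example for this page: a simplified re-implementation of the idea in
Zalewski's paper, not his tool. The ISN generators are constructed
stand-ins for an OS stack, not captures from real systems.
"""
import random
from typing import Dict, List, Sequence, Tuple

MASK = 0xFFFFFFFF  # sequence numbers live in a 32-bit ring, so arithmetic wraps


def circ_dist(a: int, b: int) -> int:
    """Shortest distance between two sequence numbers on the 32-bit ring."""
    d = (a - b) & MASK
    return min(d, MASK + 1 - d)


def phase_space(isns: Sequence[int]) -> List[Tuple[int, int, int]]:
    """Map consecutive ISNs to points (x, y, z) of three successive deltas:
    x = s[n]-s[n-1], y = s[n-1]-s[n-2], z = s[n-2]-s[n-3].
    A predictable generator collapses into a small structured cloud
    (the 'attractor'); a good one fills the cube uniformly."""
    d = [(b - a) & MASK for a, b in zip(isns, isns[1:])]
    return [(d[i], d[i - 1], d[i - 2]) for i in range(2, len(d))]


def guess_next(points: Sequence[Tuple[int, int, int]], last3: Sequence[int],
               max_guesses: int) -> List[int]:
    """Candidates for the ISN that follows last3[-1]: the two most recent
    deltas give (y, z); the x of the attractor points closest to that
    (y, z) are the likely next deltas."""
    s0, s1, s2 = last3
    y_now, z_now = (s2 - s1) & MASK, (s1 - s0) & MASK
    best: Dict[int, int] = {}  # candidate delta -> distance of its closest point
    for x, y, z in points:
        dist = circ_dist(y, y_now) + circ_dist(z, z_now)
        if dist < best.get(x, MASK + 1):
            best[x] = dist
    ranked = sorted(best, key=best.__getitem__)[:max_guesses]
    return [(s2 + x) & MASK for x in ranked]


def attack_feasibility(isns: Sequence[int], radius: int = 0,
                       max_guesses: int = 5000, trials: int = 200) -> float:
    """Fraction of held-out ISNs landing within `radius` of some guess.
    The first part of the sample builds the attractor; each trial then
    predicts one later ISN from the three that precede it."""
    split = len(isns) - trials - 1
    if split < 4:
        raise ValueError("need more samples than trials")
    points = phase_space(isns[:split])
    hits = 0
    for i in range(split, split + trials):
        guesses = guess_next(points, isns[i - 2:i + 1], max_guesses)
        if any(circ_dist(g, isns[i + 1]) <= radius for g in guesses):
            hits += 1
    return hits / trials


# --- constructed ISN sources (stand-ins, not real stacks) -------------------

def constant_step_isns(n: int, step: int = 64000, start: int = 0x1234) -> List[int]:
    """Fixed increment per connection: every delta is identical."""
    return [(start + k * step) & MASK for k in range(n)]


def jittered_isns(n: int, seed: int = 7, step: int = 64000, jitter: int = 500) -> List[int]:
    """Fixed increment plus a little noise: deltas cluster in a small box."""
    rng = random.Random(seed)
    out = [rng.getrandbits(32)]
    for _ in range(n - 1):
        out.append((out[-1] + step + rng.randint(-jitter, jitter)) & MASK)
    return out


def random_isns(n: int, seed: int = 7) -> List[int]:
    """Full 32-bit random ISNs: no structure for the attacker to exploit."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for label, sample, radius in [
        ("constant step", constant_step_isns(1000), 0),
        ("jittered step", jittered_isns(1000), 1000),
        ("32-bit random", random_isns(1000), 1000),
    ]:
        feas = attack_feasibility(sample, radius=radius)
        print(f"{label:14s} radius={radius:<6d} attack feasibility={feas:.1%}")
```

The fixed-step source scores 100% at radius 0, the jittered one 100% at radius 1000, and the random one essentially 0%, which is the shape of the Windows 98 versus Linux 2.2 contrast on the slide. Against a real stack you collect the ISNs by opening connections to a listening port and reading the SYN/ACKs off a sniffer; the scoring code is the same.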

Page 13:

Security is a Hodgepodge: You gotta' be kiddin' me!

• Security is a hodgepodge because
  - Most sites are under several spans of control
    - organizational, geographical, political
  - Most sites have many operating systems
    - different versions of the same OS are DIFFERENT
  - Most sites have many security vendors
  - Most sites use a variety of security products and services
    - the building blocks = authentication, authorization, auditing
    - the mortar = firewalls, proxies, routers, intrusion detection, gateways, virus services, etc.
• All of the above are at varying levels of maturity
  - and integration is VERY hard, ergo hodgepodge

Page 14:

Hacker/Intruder Mentality

• Motivation: access to resources that were intended to be private or restricted
• Methods: exploit loopholes, configuration weakness, protocol oddities, and application & Operating System implementation "mistakes"
  - Your profile specifics will "tell" what's possible!
• Means: any means
  - Via the network is most suitable for lack of detection, wealth of resources, and difficulty in "prosecuting"

Page 15:

What the Hacker KnOwZ... ALREADY!

• Profiling is easy
  - Lots of tools
  - Lots of techniques
  - Lots of research data
• Today's networks are hard to manage
  - Integration is hard
  - Keeping systems and services up to date is VERY hard

next... Profiling

Tools (sidebar): Achilles, cURL, dig, discover, Dsniff, eEye, etherape, ISS, Jizz, mscan, nessus, netcat, NetStumbler, nikto, nmap, nsat, ntop, nslookup, ping, queso, SAINT, SARA, SATAN, scotty, showmount, Sneakin, sscan, strobe, tcp_scan, traceroute, typhon, udp_scan, urlsnarf, WebSleuth, Whisker, whois

Page 16:

Where are We?

• Profiling
  - Methodology
  - Example Profile #1
  - Example Profile #2
• Discovery and Profiling Tools
  - typhon, nessus, dsniff, Nikto, and lots more!
• Intrusions
  - Awareness/Statistics
  - Examples
  - Common Areas
• Protocols
  - DNS
  - SNMP
  - Handheld (PocketPC)
  - Web Infrastructure

Page 17:

Methodology: Process

Iterative cycle of
• Gathering response data
• Focusing on real opportunities
• Research
• Careful testing

[Figure: the cycle]
• Preparation: remember testing goals; focus on business issues; be similar (OS, protocol) to what the target is looking for
• Reconnaissance: inventory the next level of detail
• Catalogue & Prioritize: put potential exposures into categories; order based on goals and success guestimate
• Research: review previous testing; research Web data; discuss options
• Test & Validate: attempt tools or techniques

Page 18:

Methodology: Technical

• Workstation flexibility
  - System capable of running various forms of Linux*, BSD*, UNIX*, Windows* Operating Systems
  - I have separate OS installations/disks (Linux, Windows)
• Be as compatible with the system you are profiling as possible!

Page 19:

Rudimentary Data Gathering

• Network Sniffer
  - Traffic and protocol flow
  - see what really happens... and what doesn't happen
• Internet
  - IP space, rate of change, name and mail servers, contact information
    . whois -h arin.net
    . whois -h internic.net
    . whois -h icann.net
    . whois -h register.com
    . smart whois: http://namespace.pgmedia.net/search/, www.swhois.com/
• SCOTTY
  - discover -icmp x.y.z
    . Reachable hosts (particularly useful on an internal probe)
    . latency: for timeouts
  - discover -snmp x.y.z
    . Management, topology, and gateway data

Page 20:

Port, DNS, and SNMP Data Gathering

Commands (left) and what they give you (right):

  for host in list:
      strobe $host; nmap $host
  -> Gather a list of potential TCP/UDP services and well-known exploits

  for host in list:
      nslookup $host; dig $host; traceroute $host
  -> Gather naming information and conventions; understand routing paths; understand server relationships (e.g., mail, DNS)

  Attempt a DNS zone transfer:
      dig axfr @place zone.com

  for host in snmp_list:
      scotty << DONE
      snmp session -address $host
      snmp0 walk x "mib-2" { puts $x }
      DONE
  -> Gather MIB information (neighbors, IP addresses, HW profile)

Page 21:

Service and Exploit Data Gathering

  for host in ftp_list:
      echo QUIT | nc -v -w 5 -r $host ftp
  for host in telnet_list:
      tcp_scan -b -w 5 $host telnet
  for host in rpc_list:
      scotty -c "sunrpc info $host"
  for host in smtp_list:
      tcp_scan -b -w 5 $host smtp
  for host in http_list:
      scotty -c "http head http://$host"
      curl $host and whisker $host
  for host in list:
      sscan $host; nsat $host; nessus $host; nikto $host

  -> Gather service version, platform, and actual exploit data

Notice all the tools just used (in the last few slides)
• NetCat (nc)
• SATAN/SAINT/SARA
• tcp_scan
• SCOTTY
• discover
• cURL
• Whisker
• SScan
• Nsat
• Nessus
• Strobe
• Nmap
• Dig, nslookup, traceroute

Page 22:

Profiling Exploit Research

• General Internet security
  - www.cert.org/ CERT (funded by DoD/Homeland Security)
  - www.ciac.org/ciac/ Computer Incident Advisory Capability (CIAC)
  - http://cve.mitre.org/ Common Vulnerabilities and Exposures (CVE)
  - www.osvdb.org/ Open Source Vulnerability Database (OSVDB)
• Security archives
  - www.packetstormsecurity.org/
  - http://xforce.iss.net
  - www.securityfocus.com/ Vulnerabilities link
  - www.securitytracker.com/
  - http://archives.neohapsis.com/
• General news
  - www.google.com/

Page 23:

Profiling Exploit Research (cont.)

• Hackerz
  - www.defcon.org
  - www.antionline.com/
    - including "Hacker Profiling": www.antionline.com/hacker-profiling/
  - http://cultdeadcow.com
  - http://www.2600.com/
• OS or Application Specific
  - www.ntsecurity.net/, www.ntbugtraq.com/
  - www.isc.org/bind.html, www.dns.net/dnsrd/
• Vendors
  - Microsoft, Sun, HP, IBM, Red Hat, etc.

Page 24:

Profiling Exploit Research (cont.)

[Screenshot: SecurityFocus Vulnerabilities search (by vendor, by title, by keyword, by bugtraq id, by CVE, by publish date) with Vendor = Microsoft, Title = IIS, Version = Any. The legible results (year digits partly unreadable in the capture):]
• 200?-03-10: Microsoft IIS 4 Redirect Remote Buffer Overflow Vulnerability
• 200?-05-21: Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability
• 200?-02-??: Microsoft IIS Unspecified Remote Denial Of Service Vulnerability
• 2003-12-29: Microsoft IIS Failure To Log Undocumented TRACK Requests Vulnerability
• 2003-11-11: Multiple Vendor Invalid X.509 Certificate Chain Vulnerability
• 2003-07-22: Microsoft Multiple IIS 6.0 Web Admin Vulnerabilities
• 2003-06-03: Microsoft IIS WebDAV PROPFIND and SEARCH Method Denial of Service Vulnerability
• 2003-05-30: Microsoft IIS SSINC.DLL Server Side Includes Buffer Overflow Vulnerability
• 2003-05-23: Microsoft IIS ASP Header Denial Of Service Vulnerability

Sorry, I had to cut the screen off, it went on WAY too long...

Page 25:

Profiling Exploit Research (cont.)

[Screenshot: SecurityFocus vulnerability entry]
Microsoft IIS 4 Redirect Remote Buffer Overflow Vulnerability
  info | discussion | exploit | credit | help
  bugtraq id: 10706
  object:
  class: Boundary Condition Error
  cve: CAN-2004-0205
  remote: Yes
  local: No
  published: Jul 13, 2004
  updated: Aug 10, 2004
  vulnerable: Avaya DefinityOne Media Servers, Avaya IP600 Media Servers, Avaya S3400 Message Application Server, Avaya S8100 Media Servers, Microsoft IIS 4.0
    + Cisco Building Broadband Service Manager 5.0
    + Cisco Call Manager 1.0
    + Cisco Call Manager 2.0
    + Cisco Call Manager 3.0

Page 26:

Profiling Results

• Rudimentary
  - Internet registration data
  - IP addresses
  - SNMP agents
• Expanded data gathering
  - OS types
  - DNS names and conventions
  - ISP routes
  - TCP & UDP services
  - SNMP MIBs
  - HTTP server type
• What we now know
  - Known high-level service exposure opportunities
  - Related hacker successes and tools
  - Recent exploits
  - Detection and prevention tools and techniques
  - Relevant articles and techniques to research and understand
• What do we do now?
  - Drill to the next level of detail and start again

Page 27:

Where are We?

• Profiling
  - Methodology
  - Example Profile #1
  - Example Profile #2
• Discovery and Profiling Tools
  - typhon, nessus, dsniff, Nikto, and lots more!
• Intrusions
  - Awareness/Statistics
  - Examples
  - Common Areas
• Protocols
  - DNS
  - SNMP
  - Handheld (PocketPC)
  - Web Infrastructure

Page 28:

Example Profile #1

# whois -h internic.net =usenix.org
[internic.net]
Whois Server Version 1.3

Server Name: USENIX.ORG
IP Address: 131.106.3.1
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com

Domain Name: USENIX.ORG
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
Name Server: NS.UU.NET
Name Server: UUCP-GW-1.PA.DEC.COM
Name Server: DNS.USENIX.ORG
Updated Date: 05-nov-2001

Page 29:

Example Profiling #1 (cont.)

# dig dns.usenix.org
; <<>> DiG 9.2.0 <<>> dns.usenix.org
;; QUESTION SECTION:
;dns.usenix.org.                        IN      A

;; ANSWER SECTION:
dns.usenix.org.         10546   IN      A       131.106.1.57

;; AUTHORITY SECTION:
usenix.org.             7625    IN      NS      ns.usenix.org.
usenix.org.             7625    IN      NS      auth00.ns.UU.NET.
usenix.org.             7625    IN      NS      uucp-gw-1.pa.dec.com.
usenix.org.             7625    IN      NS      uucp-gw-2.pa.dec.com.
usenix.org.             7625    IN      NS      ns1.orng.twtelecom.NET.

;; ADDITIONAL SECTION (TTL column lost in extraction):
ns.usenix.org.                  IN      A       131.106.1.57
auth00.ns.UU.NET.               IN      A       198.6.1.65
uucp-gw-1.pa.dec.com.           IN      A       204.123.2.18
uucp-gw-2.pa.dec.com.           IN      A       204.123.2.19
ns1.orng.twtelecom.NET.         IN      A       168.215.210.50

;; Query time: 63 msec
;; SERVER: 18.71.0.151#53(18.71.0.151)
;; WHEN: Wed Oct 2 13:25:21 2002

Page 30:

Example Profiling #1 (cont.)

# dig axfr @ns.usenix.org usenix.org
; <<>> DiG 8.3 <<>> axfr @ns.usenix.org usenix.org

(The owner-name column did not survive extraction. Names in the zone, in order of appearance: usenix.org (apex), db, dns, voyager, mailgw-conference, localhost, conf-reg, sage-web, www, ip2, www.sage, imap, dec, conference. The records, in order, as TTL / class / type / data:)

  4H  IN  NS      ns
  4H  IN  NS      auth00.ns.UU.NET
  4H  IN  MX      100 mail.UU.NET.
  4H  IN  MX      10 voyager
  4H  IN  A       131.106.1.57
  4H  IN  A       131.106.3.253
  4H  IN  MX      10 voyager
  4H  IN  A       131.106.1.57
  4H  IN  A       131.106.3.1
  4H  IN  CNAME   voyager
  4H  IN  CNAME   gw.conference
  4H  IN  A       127.0.0.1
  2D  IN  NS      ns
  4H  IN  A       131.106.3.2
  4H  IN  CNAME   db
  4H  IN  A       131.106.1.56
  4H  IN  CNAME   www.sage.org.
  4H  IN  A       131.106.3.13
  4H  IN  A       131.106.3.1
  4H  IN  NS      ns
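A transfer like the one above only becomes useful once it is reduced to the items the "Profiling Results" slide lists: address blocks in use, which name and mail servers are off-site, which names are aliases of which. As an added example that is not part of the slides, here is a parser for dig's one-record-per-line zone output and a summariser for it; the zone text inside is constructed for the example (modelled on, but not a copy of, the usenix.org listing) so that it runs offline.

```python
"""Reduce a zone transfer to the facts a profiler wants.

Added example for this page, not SystemExperts' code. Parses the text form
dig prints for a zone (owner TTL class type data, one record per line).
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Record(NamedTuple):
    owner: str
    ttl: str
    rtype: str
    data: str


# Constructed sample, loosely modelled on the slide's usenix.org transfer.
SAMPLE_ZONE = """\
example.org.            4H  IN  NS     ns.example.org.
example.org.            4H  IN  NS     auth00.ns.UU.NET.
example.org.            4H  IN  MX     100 mail.UU.NET.
example.org.            4H  IN  MX     10 voyager.example.org.
example.org.            4H  IN  A      131.106.1.57
ns.example.org.         4H  IN  A      131.106.1.57
voyager.example.org.    4H  IN  A      131.106.3.253
db.example.org.         4H  IN  A      131.106.3.2
localhost.example.org.  4H  IN  A      127.0.0.1
www.example.org.        4H  IN  CNAME  voyager.example.org.
imap.example.org.       4H  IN  CNAME  db.example.org.
conference.example.org. 2D  IN  NS     ns.example.org.
www.sage.example.org.   4H  IN  CNAME  www.sage.org.
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+IN\s+(\S+)\s+(.+?)\s*$")


def parse_zone(text: str) -> List[Record]:
    """Parse dig-style zone lines; comments, blanks and the SOA are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        owner, ttl, rtype, data = m.groups()
        if rtype.upper() == "SOA":
            continue
        records.append(Record(owner.lower().rstrip("."), ttl, rtype.upper(), data))
    return records


def in_zone(name: str, zone: str) -> bool:
    name = name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def profile_zone(records: List[Record], zone: str) -> Dict[str, object]:
    """Address blocks, off-site NS/MX, aliases, and oddities worth a second look."""
    blocks: Dict[str, List[str]] = defaultdict(list)   # /24 -> owner names
    offsite_ns, offsite_mx, aliases, oddities = set(), set(), {}, []
    for r in records:
        if r.rtype == "A":
            net = ".".join(r.data.split(".")[:3]) + ".0/24"
            blocks[net].append(r.owner)
            if r.data.startswith("127."):         # loopback published in a public zone
                oddities.append(f"{r.owner} -> {r.data}")
        elif r.rtype == "NS" and not in_zone(r.data, zone):
            offsite_ns.add(r.data.rstrip(".").lower())
        elif r.rtype == "MX":
            _pref, host = r.data.split(None, 1)
            if not in_zone(host, zone):
                offsite_mx.add(host.rstrip(".").lower())
        elif r.rtype == "CNAME":
            aliases[r.owner] = r.data.rstrip(".").lower()
    return {"blocks": dict(blocks), "offsite_ns": sorted(offsite_ns),
            "offsite_mx": sorted(offsite_mx), "aliases": aliases, "oddities": oddities}


if __name__ == "__main__":
    for key, value in profile_zone(parse_zone(SAMPLE_ZONE), "example.org").items():
        print(f"{key}: {value}")
```

From the profiler's seat, off-site NS and MX entries tell you who else is in scope (an ISP-run secondary or relay is a different attack surface from your own box), the /24 buckets show where the servers live, and a localhost record or an alias into somebody else's zone is the kind of small detail the "Reader's Digest" slide says to notice. On the defending side, the transfer itself should not have succeeded: in BIND, restrict AXFR with `allow-transfer` to your secondaries.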

Page 31:

Example Profile #1 (cont.)

# discover -snmp 131.106.1
131.106.1.104  Sun SNMP Agent,
131.106.1.200  Shiva LanRover/8E, Version 5.7 98/11/06
131.106.1.220  Base Station V3.81 Compatible
131.106.1.221  Base Station V3.81 Compatible
131.106.1.211  Sun SNMP Agent, Ultra-250

# strobe -b1 -e128 ns.usenix.org
strobe 1.03 (c) 1995 Julian Assange.
ns.usenix.org  domain  53/tcp  Domain Name Server  [81,95,PM1]

Page 32: Network Security Profiles - Simson Garfinkelsimson.net/ref/2004/Network_Security_Profiles_2004.pdf · rtmp:l/ddp, nbp:2/ddp, echo:4/ddp, zip:6/ddp, kerberos_master:751, krbupdate:760,

Example Profiling #1 (cont.)

# nslookup
Default Server: delta.mellis.com
Address: 4.40.156.51
Aliases: 51.156.40.4.in-addr.arpa

> server ns.usenix.org
Default Server: ns.usenix.org
Address: 131.106.1.57

> set querytype=txt
> set class=chaos
> version.bind
Server: ns.usenix.org
Address: 131.106.1.57

VERSION.BIND text = "8.2.4-REL"
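The same version.bind query built and parsed by hand, as an added example that is not part of the slides, so an administrator can confirm whether their own servers still answer it. Standard library only; the BIND 8.2.4-REL response and the REFUSED response are constructed.

```python
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3


def encode_name(name: str) -> bytes:
    """'version.bind' -> b'\\x07version\\x04bind\\x00' (DNS label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_version_query(txid: int = 0x1234) -> bytes:
    """12-byte header (ID, RD flag, QDCOUNT=1) + question version.bind TXT CH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    return header + question


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past the name at `off`; a 0xC0 compression pointer is 2 bytes."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_version_response(msg: bytes, txid: int) -> list:
    """TXT strings from CH TXT answers; [] when the server declines to answer."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        off = skip_name(msg, off) + 4        # + QTYPE + QCLASS
    strings = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            pos = 0
            while pos < len(rdata):          # TXT RDATA: <len><chars> repeated
                n = rdata[pos]
                strings.append(rdata[pos + 1:pos + 1 + n].decode("latin-1"))
                pos += 1 + n
    return strings


def query_server(server: str, timeout: float = 3.0) -> list:
    """Send the query to `server` on UDP/53 and return any disclosed version strings."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(txid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_version_response(data, txid)


# Constructed responses. The first is what a BIND 8.2.4-REL server returns
# (QR|RD|RA, the question echoed, one answer using a pointer to the name at
# offset 12); the second is a REFUSED reply with no answer section, which is
# what you want to see from a server configured not to reveal its version.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, 10)
    + b"\x09" + b"8.2.4-REL"
)
SAMPLE_REFUSED = (
    struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
    + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
)

if __name__ == "__main__":
    print(parse_version_response(SAMPLE_RESPONSE, 0x1234))   # ['8.2.4-REL']
    print(parse_version_response(SAMPLE_REFUSED, 0x1234))    # []
```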

Page 33:

Example Profiling #1 (cont.)

• Research on BIND 8.2.4
- www.kb.cert.org/vuls/id/803539
  - DNS stub vulnerable to buffer overflow; execute arbitrary code
- www.sfu.ca/~siegert/linux-security/msg00127.html
  - buffer overflow in resolver library; execute arbitrary code

• Note on BIND
- Let's look at the "Summary" section in www.isc.org/products/BIND/bind-security.html for a table of (some) exploits per BIND release

Page 34:

Example Profiling #1 (cont.)

43 Different BIND versions! (Chart: exploits per BIND release; doesn't include Microsoft variations.)

Page 35:

Where are We?

• Profiling
- Methodology
- Example Profile #1
- Example Profile #2
• Discovery and Profiling Tools
- typhon, nessus, dsniff, Nikto, and lots more!
• Intrusions
- Awareness/Statistics
- Examples
- Common Areas
• Protocols
- DNS
- SNMP
- Handheld (PocketPC)
- Web Infrastructure

Page 36:

Example Profile #2

• Run nessus
- Notice 3 IP systems apparently running Cisco IOS
• Run nmap to double-check OS identification
- It matches
• All 3 are running unsecured TELNET
- But that's not enough, let's keep looking...

IP Address      Operating System
x.y.171.251     Cisco 1600/3640/7513 Router (IOS 11.2(14)P)
x.y.171.254     Cisco AS5200
x.y.140.126     Cisco IOS 12.0(5)WC3 - 12.0(16a)

Page 37:

Example Profile #2

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (x.y.171.254) appears to be up ... good.
Initiating Connect() Scan against (x.y.171.254)
Adding open port 23/tcp
The Connect() Scan took 10 seconds to scan 1601 ports.
For OS Scan assuming that port 23 is open and port 1 is closed and neither are firewalled
Interesting ports on (x.y.171.254):
(The 1598 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
79/tcp     open        finger
2065/tcp   open        dlsrpn
Remote OS guesses: AS5200, Cisco 2501/5260/5300 terminal server IOS 11.3.6(T1), Cisco IOS 11.3-12.0(11)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=32281 (Worthy challenge)
IPID Sequence Generation: All zeros

Page 38:

Example Profiling #2 (cont.)

• Research on Cisco IOS
- Hmm, various things to bring down a Cisco router
  • www.osvdb.org/displayvuln.php?osvdb_id=4030
  • www.uniras.gov.uk/vuls/2004/236929/index.htm
  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0230
  • www.us-cert.gov/cas/techalerts/TA04-111A.html
- ...which refers to www.cert.org/advisories/CA-2001-09.html, "Statistical Weaknesses in TCP/IP Initial Sequence Numbers", which is about 3 years old
  • hmm, ISN, that sounds familiar, doesn't it?
- Works on implementations of the Border Gateway Protocol (BGP)
  - Which is used by almost all Internet TCP/IP routers, that's all!
- TCP Reset Spoofing
  - All Cisco IOS versions

Page 39:

Example Profile #2 (cont.)

• Use Google to find example code
- http://fuxOr.phathookups.com/sploits/os/hardware/routers/cisco/firewall_reset.c

/* reset_state.c (c) 2000 Citec Network Securities */
/* The code following below is copyright Citec Network Securities */
/* Code was developed for testing, and is written to compile under */
/* FreeBSD */

tcphead = (struct tcphdr *) (evilpacket + sizeof(struct ip)); /* Declare packet */
tcphead->th_flags = TH_RST; /* Reset packet */
/* Copy info to src and dst for printing */
printf("TCP RESET: [%s:%d] -> [%s:%d]\n", src, ntohs(tcphead->th_sport), dst, ntohs(tcphead->th_dport));
sendto(sock, &evilpacket, sizeof(evilpacket), 0x0, (struct sockaddr *) &sockstruct, sizeof(sockstruct));

Page 40:

Example Profiling #2 (cont.)

• Let's do some more research on Cisco IOS
- Let's try Google with "Cisco hacking"
- That list yields, among other things, "Hacking toolkit for Cisco"
- That URL mentions "Cisco Global Exploiter"
- Using that in Google yields "Multiple Cisco Products Vulnerabilities Exploit (Cisco Global Exploiter)"
- That URL is a perl script with the code that will try 9 different Cisco vulnerabilities

Page 41:

Example Profile #2 (cont.)

# Cisco Global Exploiter
#############
# Functions #
#############
sub usage
{
printf "\nUsage :\n";
printf "perl cge.pl -h <host> -v <vulnerability number>\n\n";
printf "Vulnerabilities list :\n";
printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\n";
printf "[2] - Cisco IOS Router Denial of Service Vulnerability\n";
printf "[3] - Cisco IOS HTTP Auth Vulnerability\n";
printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\n";
printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n";
printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerability\n";
printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\n";
printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n";
printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\n\n";
exit(1);
}

Page 42:

Profiling Medicine

• Poor detection and escalation
- Write down 10 critical events and create (even if brute force) scripts to review logs and generate events
• Configurations tend to degrade over time and OS/application upgrades are a pain
- Make a clone when you upgrade your deployment systems
• Many organizations think in terms of inside and outside
- Be just as concerned about what goes out as what comes in
• Integrating disparate layered technologies on multiple OS environments is time consuming
- Consolidate versions to reduce complexities and variables

Page 43:

What the Hacker KnOwZ...about profiling

• You don't need sophisticated resources
- Almost any UNIX or Windows machine will do fine
  • CPU speed is no issue
  • memory size is no issue
• Simple tools can generate fine-grained information
• Research is easy, will likely reveal lots of good information, and is likely to be compelling

• next... Intrusions

Page 44:

Notes:

Page 45:

Where are We?

• Profiling
- Methodology
- Example Profile #1
- Example Profile #2
• Discovery and Profiling Tools
- typhon, nessus, dsniff, Nikto, and lots more!
• Intrusions
- Awareness/Statistics
- Examples
- Common Areas
• Protocols
- DNS
- SNMP
- Handheld (PocketPC)
- Web Infrastructure

Page 46:

Intrusion Awareness

• Scanners
- strobe, sscan, netcat, netstumbler, nsat, nessus, nmap, SAINT, SARA, eEye Retina, Typhon, scotty
• Third party applications
- ISS - Internet Security Scanner - www.iss.net
- NetRecon - http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=46
- SuperScan (Foundstone) - www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=resources/proddesc/superscan.htm
• Lists of scanners (and other tools)
- www.linuxgazette.com/issue57/sharma.html
- www.insecure.org/tools.html
- www.eccouncil.org/312-50.htm
- www.hackingexposed.com/tools/tools.html
- www.thenetworkadministrator.com/2003MostPopularHackingTools.htm

Page 47:

Intrusion Readiness?

• 4/13/03: Boston student receives 5 years probation for using keystroke logger
• 3/24/04: Man indicted for "buggin" boss' PC w/ "Key Katcher"
• 10/4/04: FBI uses keystroke logger to capture passwords and get evidence
• But remember trojan recording software!

www.keyghost.com
- KeyGhost Standard 500K $99, keyboard $129
- KeyGhost Pro 1M $150, keyboard $290 (with 128-bit encryption)
- Integrated internal KeyGhost (Before / After photos)

Page 48:

Intrusion Statistics

• CERT Advisories
- 2004: only 2 so far
  - US-CERT Windows advisory (Windows Security Update April 04)
    • http://www.us-cert.gov/cas/alerts/SA04-104A.html
- 2003: 28
  • buffer overflows
  • Microsoft SQL, Windows Shares, Windows
  • OpenSSH, SSL/TLS
  • Snort (www.cert.org/advisories/CA-2003-13.html)
- 2002: 37
  • buffer overflows
  • SSH/SSL/Radius
  • Microsoft (in particular IIS)
- 2001: 37
  • Microsoft (in particular IIS)
  • buffer overflows
  • worm/virus/trojan

Page 49:

Intrusion Statistics (cont.)

• CERT incidents thru end of 2003
- 1998: 3,734
- 1999: 9,859
- 2000: 21,756
- 2001: 52,658
- 2002: 82,094
- 2003: 137,529
- 2004: CERT: incidents have become "meaningless" so they are stopping this category
• CERT vulnerabilities thru end of 2003
- 1998: 262
- 1999: 417
- 2000: 1,090
- 2001: 2,437
- 2002: 4,129
- 2003: 3,784
- 2004: 1,740 thru 2Q
• For complete details, see:
- www.cert.org/stats/

Page 50:

FBI/SANS Top 10: Windows and UNIX

• Windows
- IIS
- MDAC
- SQL
- IE
- Windows Scripting Host
- Windows Authentication
- Windows Remote Access
- Outlook/Express
- P2P
- SNMP
• UNIX
- BIND/DNS
- RPC
- Apache
- General Authentication
- Sendmail
- SNMP
- SSH
- Clear Text Services
- NFS/NIS
- SSL
• www.sans.org/top20/#index
• Tools that find these
- Qualys, ISS, Foundstone EVMS, Nessus, and Sara

Page 51:

Where are We?

• Profiling
- Methodology
- Example Profile #1
- Example Profile #2
• Discovery and Profiling Tools
- typhon, nessus, dsniff, Nikto, and lots more!
• Intrusions
- Awareness/Statistics
- Examples
- Common Areas
• Protocols
- DNS
- SNMP
- Handheld (PocketPC)
- Web Infrastructure

Page 52:

Intrusion #1 Combinations

• NO detection!
- Main Web server fine... let's look around
- Staging server not so fine
- Exploit well known Web server bug to initiate interactive login session
- Exploit trust relationship between staging server and main Web server
- Change main Web pages!
• Typical big exploit is a combination of lower level problems

Page 53:

Intrusion #1 Combinations (cont.)

• Vulnerabilities to achieve critical access
- ICMP echo allowed in
- Non default but easily guessed SNMP community string
- Non production quality HTTP server configuration on non production system
- Trust relationship between 2 systems within a "close" IP address space
- Xterm from DMZ address allowed out through firewall

Page 54:

Intrusion #2 Escalation

• 1999, but very relevant
• PC Week Labs invited people to hack Web site running on Linux
- www.spirit.com/Network/net1099.txt
• Result: ability to change any Web pages
- didn't require interactive session!
• Details highlight how a series of incremental learning on small details revealed HUGE vulnerability
• In a nutshell
- Web site running 3rd party AD package
- intruder acquired and reviewed package source code
- scrutinized several server-side package scripts
- minor coding glitch allowed a <7K "image" to be uploaded and OS had a well known SUID exploit
- image was actually a VERY short program:
  execlp("/tmp/.bs", "ls", "-c", "cp /tmp/xx /home/httpd/html/index.html", 0);
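As an added example, not from the slides or from the PC Week write-up, this is the content check that would have caught an "image" that was really a program: it inspects magic bytes and header structure instead of the file size, refuses executables, and stores accepted files under a server-chosen, non-executable name. The PNG and ELF headers are constructed samples.

```python
import os
import secrets
import struct
from typing import Optional

MAX_UPLOAD_BYTES = 7 * 1024   # a size limit is fine, but it is not a content check

# Leading bytes that identify things an "image" upload must never be:
# ELF, PE/DOS, shell scripts, Java class files, Mach-O.
EXECUTABLE_MAGIC = (b"\x7fELF", b"MZ", b"#!", b"\xca\xfe\xba\xbe", b"\xfe\xed\xfa")


def image_kind(data: bytes) -> Optional[str]:
    """'png', 'gif' or 'jpeg' when the header is well formed, otherwise None."""
    if data.startswith(b"\x89PNG\r\n\x1a\n") and len(data) >= 24 and data[12:16] == b"IHDR":
        width, height = struct.unpack("!II", data[16:24])
        return "png" if 0 < width <= 4096 and 0 < height <= 4096 else None
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        width, height = struct.unpack("<HH", data[6:10])
        return "gif" if width and height else None
    if data.startswith(b"\xff\xd8\xff") and data.endswith(b"\xff\xd9"):
        return "jpeg"
    return None


def validate_upload(data: bytes) -> str:
    """Return the detected kind, or raise ValueError saying why it was rejected."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("too large")
    if any(data.startswith(m) for m in EXECUTABLE_MAGIC):
        raise ValueError("executable content rejected")
    kind = image_kind(data)
    if kind is None:
        raise ValueError("not a recognised image")
    return kind


def store_upload(data: bytes, upload_dir: str) -> str:
    """Validate, then write under a random server-chosen name with a fixed
    extension and mode 0644 (never executable) in a directory outside the
    document root. The client's file name is never used."""
    kind = validate_upload(data)
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{kind}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


# Constructed samples: a minimal 16x16 PNG header, and an ELF header padded to
# look like the small "image" the intruder uploaded.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
              + struct.pack("!II", 16, 16) + b"\x08\x02\x00\x00\x00")
SAMPLE_ELF = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 40

if __name__ == "__main__":
    import tempfile
    print(validate_upload(SAMPLE_PNG))                # png
    try:
        validate_upload(SAMPLE_ELF)
    except ValueError as e:
        print("rejected:", e)
    with tempfile.TemporaryDirectory() as d:
        print(store_upload(SAMPLE_PNG, d))
```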

Page 55:

Intrusion #3 Protocol Exploit

• NO detection!
- DNS poisoning
  • populate with new bogus entries, or
    • www.foobar.edu -> w.x.y.z
  • update already populated entries (i.e., add addresses)
    • www.yahoo.com -> w.x.y.z, a.b.c.d, e.f.g.h
• Original victim www.internic.net: root DNS servers poisoned to point to www.alternic.net
• Continues to be one of the more sought after exploits
- examples include
  • Verisign/WorldNIC domain redirection (2002)
  • Birthday Attack (2003) - brute force attack to get transaction ID: www.securityfocus.com/guest/17905
  • Symantec Gateway DNSd Cache Poison (6/2004): www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=28508

Page 56:

Intrusion #4 Design Exploits

• Begin secure session (SSL) with legit login ID
• Download all (possible) pages to review
• Find possible application design flaw
- modify session ID in (dynamically generated) page
- modify client side state data (in local file, or registry, or...)
- modify cookie (on disk OR in memory!)
- modify data in transit
  • Achilles - proxy server to intercept, change data: www.mavensecurity.com/achilles
• Begin authorized transactions on any other account
- ...because server assumed one time authentication and didn't re-validate (THE most common design error)
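An added example (not from the slides) that models this design error in Python: a handler that trusts an account ID the client can edit in the page, the cookie, or in transit, next to one that re-validates the session-to-account binding on every transaction. Accounts, balances and sessions are constructed in memory.

```python
import secrets

# Constructed data: account ownership, balances, and the server-side session table.
ACCOUNT_OWNER = {"acct-1001": "alice", "acct-2002": "bob"}
BALANCES = {"acct-1001": 500, "acct-2002": 800}
SESSIONS = {}   # session token -> authenticated user name


def login(user: str) -> str:
    """The one-time authentication step: issue an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def withdraw_vulnerable(request: dict) -> int:
    """The slide's design error: checks that *a* session exists, then trusts the
    account ID that arrived with the request."""
    if request["session"] not in SESSIONS:
        raise PermissionError("not logged in")
    acct = request["account"]            # client-controlled, never re-validated
    BALANCES[acct] -= request["amount"]
    return BALANCES[acct]


def withdraw_hardened(request: dict) -> int:
    """Re-validate on every transaction: session -> user -> does user own account?"""
    user = SESSIONS.get(request["session"])
    if user is None:
        raise PermissionError("not logged in")
    acct = request["account"]
    if ACCOUNT_OWNER.get(acct) != user:
        raise PermissionError(f"{user} is not authorized for {acct}")
    amount = request["amount"]
    if not isinstance(amount, int) or amount <= 0 or amount > BALANCES[acct]:
        raise ValueError("invalid amount")
    BALANCES[acct] -= amount
    return BALANCES[acct]


def modified_request(session: str) -> dict:
    """What a logged-in user can submit after editing the page, the cookie, or
    the request in transit: their own valid session, somebody else's account."""
    return {"session": session, "account": "acct-2002", "amount": 100}


if __name__ == "__main__":
    token = login("alice")
    print(withdraw_vulnerable(modified_request(token)))   # 700: bob's account was debited
    try:
        withdraw_hardened(modified_request(token))
    except PermissionError as e:
        print("blocked:", e)
```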

Page 57:

Where are We?

• Profiling
- Methodology
- Example Profile #1
- Example Profile #2
• Discovery and Profiling Tools
- typhon, nessus, dsniff, Nikto, and lots more!
• Intrusions
- Awareness/Statistics
- Examples
- Common Areas
• Protocols
- DNS
- SNMP
- Handheld (PocketPC)
- Web Infrastructure

Page 58:

Intrusion Detection: Common Areas (low-hanging fruit!)

• Quick overview of intrusion detection (ID) with respect to what hackers spend their time on
• Overview of why intrusions are successful despite ID systems and focus on the relationship to hacker efforts
• Cover primary intrusion areas, tools, and techniques hackers use:
- Web servers
- Web applications
- Wireless 802.11b (access points)
- Modems
- Email (trojans, worms, etc.)
  • I'm not going to talk about this... but install a virus detector on EVERY system!

Page 59:

ID Areas

• Many ID tools for various areas
- Network
  • ManTrap, ManHunt, Cisco IDS, RealSecure, NFR, Tripwire, StormWatch, Snort, Intruder Alert, Shadow, Dragon, etc.
- Host
  • Entercept, Intruder Alert, Swatch, etc.
- Firewalls, routers, virii
  • SurfControl, Cisco PIX, Cyber Armor, McAfee, Norton, StormWatch, CheckPoint, Netscreen, SecureIIS, StoneGate, WatchGuard, Zone Alarm, etc.
- Integrity Checkers
  • AIDE, chkrootkit, SecureEXE, Tripwire, etc.

Page 60:

ID Awareness

• Lots of intrusion detection tools to choose from
- Most of them will only help you with generic problems (e.g., port scans, blocked ports/services)
• There are many sites, conferences, and educational classes dedicated to intrusion detection and yet
- Most sites have little to no functional ID services
- Many intrusions are successful and most are not detected... WHY?
• Site specific intrusion detection systems require significant:
- Hands-on configuration
- Development
- Expertise
- Iterations of testing to figure out
  • a) what's normal
  • b) reasonable thresholds
- ... and... (next page)

Page 61:

ID Awareness (cont.)

• ID "gateways" are (generally) NOT end-systems
- The only way to know the intention of the data-stream is to recreate the entire context (session) of what the end-system will see: some ID "gateways" do packet reconstruction (e.g., of packet fragments), but most do not do the entire session reconstruction

(Diagram: network -> ID Gateway: Inspect Data -> event actions; End-System: Interpret Data)

Page 62:

Hacker News: A Little Quiz

• How many have heard of rootkits?
- Can you think of one file on any distribution? What does it do?
• How many have a web site?
- Tell me what Whisker does. How does it work?
• How many have an 802.11b access point?
- Tell me what MiniStumbler is. How does it work?
• How many have any modems?
- Tell me what THC-Scan is. What are its good and bad points?

Page 63:

Hacker News: Answers

• Name one exact file on any distribution
- _root_040.zip: NT: deploy.exe, _root_.sys
- hxdef100.zip: Hacker Defender: Windows: Hidden Ports (uh, hide ports)
- rootkitLinux.gz: Linux: netstat (hides activities)
- rootkitSunOS.tgz: SunOS: fix.c (change checksums)
- rootkit.zip: UNIX: es (ethernet sniffer), z2 (remove log entries)
- fbrkl-imps.tar.gz: FreeBSD: sizer (change file size)
- sol24.zip: Solaris: psrace.c: set UID to 0
• Tell me what Whisker does. How does it work?
- Looks for well-known Web server distribution exploits and simply makes a series of GET requests for specific file names

Page 64:

Hacker News: Answers (cont.)

• Tell me what MiniStumbler is. How does it work?
- Program to find 802.11b access points and it runs on a handheld PocketPC
  • other programs include Kismet, Wellenreiter, THC-WarDrive
- It sends out probe-request packets (management packet type 00 sub-type 0100) and logs the response
• Tell me what THC-Scan is. What's good and bad?
- The Hacker's Choice (phone) Scanner: i.e., phone phreaking, modem dialer: other programs include Toneloc and Sandstorm
- Does a great job against very large sets of numbers, doesn't try to be too smart, but has a limited number of target devices that it can automatically detect

Page 65:

Where do Intrusions Happen?

• The tenet of most "older" hacking efforts was
- Getting something for free
- Showing off and/or embarrassing somebody else
• The tenet of newer hacking efforts is
- Identity theft and intellectual property
  • this is, in a nutshell, THE most important factor behind host, network, and Web application intrusions!
- Nature of threat model is new: organized crime, foreign governments
  - Well funded, subtle changes, done over a long period of time
• Other than email and IE, four of the common areas for successful intrusions include:
- Web Servers
- Web Applications
- Wireless Infrastructure
- Modems - this is where it all started

Page 66:

Web Servers

• Intrusion Area
- Server deployment: every Web server comes with its own set of configuration, deployment, setup, security, and problems!
• Typical Problems
- Insecure package contents
- Insecure default options/settings
  - check every possible configuration setting!
• Methodology
- Very easy: cut/paste a well-known URL
• Practical Tips
- Use "CGI" scanning tools: e.g., whisker, Nikto, or Nessus web tests
- Check your Web server logs for well-known problematic server-side files and programs

Page 67:

Whisker: CGI scanner

• Scans for well-known exploitable files
• Uses the server or OS type to be selective
• Options to by-pass IDS using URL encoding
- /cgi-%62in/ph%66 instead of /cgi-bin/phf
• Directories searched (125)
- /cgi-bin, /cgi-local, /htbin, /cgibin, /cgis, /cgi, /wwwthreads, /scripts, /app*, /backup*, and other common root directories
• Log directories searched (85)
- /cache-stats, /log*, /scripts/weblog, /stat, /wwwstatus, /server_stats, /wusage and other common log directories
• Files searched (there are hundreds)
- iissamples/query.asp, iisadmpwd/aexp4b.htr, tools/newdsn.exe, cgi-win/uploader.exe, testcgi.exe, cgitest.exe, webdist.cgi, pfdisplay.cgi


Web Applications

• Intrusion Area
  - Internet applications: most programs have not been either developed or tested for the insecure, untrustworthy, anonymous network world

• Typical Problems
  - Server doesn't validate incoming data
    • Code should validate any incoming parameter data (even if it's coming from another "safe" function!)
  - Design assumes client won't change data
  - 1-time authentication, and authentication implies authorization

• Methodology
  - Moderately difficult: change data on the client and send it back: e.g., cookie, URLs, environment variables, forms, IDs. Let's talk about this later in more detail... in the Web section

• Practical Tips
  - Understand and/or use tools designed to find these types of problems: e.g., WebSleuth
  - Scan Web application logs for "unexpected" errors: e.g., references to odd locations in the file system, invalid data, special characters
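The Web server logs are where both the Whisker-style probes on the previous slide and the "unexpected" errors on this one show up. The following is an added example, not code from the course material or from Whisker: it decodes each request target (so /cgi-%62in/ph%66 compares equal to /cgi-bin/phf), flags the well-known scanner targets named on these slides, percent-encoded letters, and odd file-system references, over a few constructed Common Log Format lines.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Probe targets named on the Whisker and Mscan slides; a hit on any of them
# is almost always a CGI scanner, not a user.
SUSPECT_PATHS = (
    "/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler",
    "/iissamples/query.asp", "/iisadmpwd/aexp4b.htr", "/tools/newdsn.exe",
    "/cgi-win/uploader.exe", "/testcgi.exe", "/cgitest.exe",
    "/webdist.cgi", "/pfdisplay.cgi",
)

# The "unexpected" things the Web Applications slide says to look for,
# matched against the fully decoded request target.
ODD_PATTERNS = (
    (re.compile(r"\.\./"), "directory traversal"),
    (re.compile(r"/etc/passwd"), "odd file-system location"),
    (re.compile(r"[<>'\"|;`]"), "special characters"),
    (re.compile("\x00"), "NUL byte"),
)

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def normalize(target):
    """Undo percent-encoding until it is stable (catches double encoding),
    lower-case, and collapse runs of slashes, so that /cgi-%62in/ph%66
    compares equal to /cgi-bin/phf."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return re.sub(r"/+", "/", target.lower())


def hides_alnum(target):
    """True if the raw target percent-encodes a letter or digit. Such encoding
    has no legitimate purpose in a path; Whisker uses it to slip past
    string-matching IDS signatures."""
    return any(unquote(m).isalnum() for m in re.findall(r"%[0-9A-Fa-f]{2}", target))


def classify(target):
    """Return the reasons (possibly none) a request target looks like scanner traffic."""
    decoded = normalize(target)
    path = decoded.split("?", 1)[0]
    reasons = []
    for known in SUSPECT_PATHS:
        if path.endswith(known):
            reasons.append("known CGI-scanner target " + known)
            break
    if hides_alnum(target):
        reasons.append("percent-encoded letters (IDS evasion)")
    for pattern, label in ODD_PATTERNS:
        if pattern.search(decoded):
            reasons.append(label)
    return reasons


def scan_log(lines):
    """Parse CLF lines and return {client_ip: [(target, status, reasons), ...]}
    for every client that sent at least one suspicious request."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                      # not CLF; skip rather than guess
        client, _method, target, status = m.groups()
        reasons = classify(target)
        if reasons:
            hits[client].append((target, status, reasons))
    return dict(hits)


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2004:18:49:26 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [20/Jan/2004:18:49:27 +0000] "GET /cgi-%62in/ph%66?Qalias=x HTTP/1.0" 404 210
10.0.0.9 - - [20/Jan/2004:18:49:27 +0000] "GET /iissamples/query.asp HTTP/1.0" 404 210
10.0.0.9 - - [20/Jan/2004:18:49:28 +0000] "GET /cgi-bin/view.cgi?file=../../../etc/passwd HTTP/1.0" 404 210
10.0.0.12 - - [20/Jan/2004:18:50:01 +0000] "GET /products.asp?id=7 HTTP/1.0" 200 5120
"""

if __name__ == "__main__":
    for client, requests in scan_log(SAMPLE_LOG.splitlines()).items():
        for target, status, reasons in requests:
            print(client, status, target, "->", "; ".join(reasons))
```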


Wireless Infrastructure

• Intrusion Area
  - 802.11b: wireless technology is often not installed by the IT/Security team, it's difficult to chart where the radiation pattern goes, and almost all access points come configured in their least secure setup

• Typical Problems
  - The access point is accessible from unwanted places
  - Default configurations allow access to your internal network

• Methodology
  - Moderately easy: install and use "WarDriving" programs and mapping software

• Practical Tips
  - Install and use "WarDriving" programs and mapping software: e.g., NetStumbler or MiniStumbler (free), Network Sniffer (more than $10K), AiroPeek (a few $K)


NetStumbler: Access Point Finder

• Windows utility for "WarDriving", that is, finding Access Points (AP). MiniStumbler available for handhelds. MacStumbler available for Apple

• Gives critical AP information including
  - MAC address, SSID, network name, broadcast channel, vendor, WEP flag, GPS coordinates (if attached to the serial port), and all sorts of other stuff...

[Screenshot: MiniStumbler window listing access points by MAC, channel, SSID and SNR; status bar "Ready 3 APs GPS Off"]


NetStumbler (cont.)

60 seconds on one corner in a major city

[Screenshot: NetStumbler main window. Left pane: Channels, SSIDs (12345, 204582, AleDev, default, EP1, EP4, EP5, imli, linksys, pokemon-usa, tibconyc, tmobile, WaveLAN Network, wv-wlan), Filters. Right pane: table of 19 access points with columns MAC, SSID, Name (Airport 1, Airport 4, Prism I, "200 Park-19th Floor"), Chan (1, 6, 11 and others), Vendor (Agere (Lucent) Orinoco, Agere (Lucent) WaveLAN, Delta Networks, Linksys, Cisco (Aironet), Advanced Multimedia Inter...), Type (all AP), WEP (only a few "Yes"). Status bar: "Ready Not scanning GPS: Disabled"]


NetStumbler (cont.)

[Screenshot: a second NetStumbler capture (caption unreadable in the scan) listing several dozen more access points, with MAC, SSID (including linksys, default, "Read Network" and a university network), channel, vendor (Cisco-Aironet, Agere-Lucent, D-Link, 3Com, unknown) and WEP columns showing a mix of Yes and No]


NetStumbler (cont.)

• Why is NetStumbler successful?
  - Poor antenna selection
  - Access point is in broadcast mode and responds to probe-request packets

[Figure: Antenna Design Considerations. Two 2-story buildings with different Access Point antenna setups. Good antenna design: coverage area is appropriate. Poor antenna design: coverage area is excessive, with vertical leakage and horizontal leakage beyond the building.]


WarDriving Update: WarChalking

• WarChalking: making symbols (e.g., with chalk) on locations to indicate wireless 802.11 connectivity

• Coined by Matt Jones
  - www.warchalking.org: original chart on right

• http://home.comcast.net/~jay.deboer/wardriving/

• http://www.wordspy.com/words/warchalking.asp

[Figure: "let's warchalk!" key from blackbeltjones.com/warchalking. Three symbols: OPEN NODE (marked with ssid and bandwidth), CLOSED NODE (closed circle, marked with ssid), WEP NODE (circle with a W, marked with ssid and bandwidth)]


WarChalking (cont.)

[Photos of chalked symbols: Open; Open & WEP. Caption: Interesting chalkings]


WarChalking (cont.)

[Figure: GPS Visualizer (http://www.gpsvisualizer.com/) map of a wardriving track, with access points plotted by SSID (e.g., Wireless, TDC, birch, default) and annotated as [36/open], [20/open], [26/WEP], [31/WEP], [33/open]; scale bar 225 m]


Modems

• Intrusion Area
  - Modems: phone based services exist for many different types of devices and programs and are the least tested aspect of almost every company
    • Inventory all of your modems

• Typical Problems
  - Bypass almost all other security mechanisms
  - Phones are usually not part of intrusion detection, event management, SNMP, or audit services
  - Phone based testing programs are incomplete and generate false positives and negatives


Modems (cont.)

• Methodology
  - Very easy: insert phone list or range into program: when it finds a connection, most are fairly easy to just use (e.g., router, printer)
  - Very hard: if you want fine grained accurate data, you have to monitor (baby-sit) the process and inject data, common sense, and expertise. Let's talk about this... false positives and negatives

• Practical Tips
  - Use war dialing software to survey your phone space: e.g., The Hacker's Choice (THC-Scan, free), Sandstorm PhoneSweep (many $K to tens of $K)


Intrusion Medicine

• Use host remote scanners regularly (e.g., nessus, Sara, Typhon, nmap)

• Reduce the variety of OS and application instances

• Take a look at the rootkits for your OS types

• Use CGI scanning tools against your web site regularly (e.g., nikto) and instrument yourself to detect it!

• Perform a wireless survey periodically

• Change your default SNMP community string and management passwords for your access points

• Run a wardialer against your phone numbers


What the Hacker KnOwZ...about intrusions

• Most problems result from a combination of exploiting several low(er) level vulnerabilities

• Monitoring a heterogeneous distributed network is HARD
  - You should try and detect what you can't prevent

• Many individuals, groups, and sites are dedicated to making intrusions possible

next... Discovery


Where are We?

• Profiling
  - Methodology
  - Example Profile #1
  - Example Profile #2

• Discovery and Profiling Tools
  - typhon, nessus, dsniff, Nikto, and lots more!

• Intrusions
  - Awareness/Statistics
  - Examples
  - Common Areas

• Protocols
  - DNS
  - SNMP
  - Handheld (PocketPC)
  - Web Infrastructure


Discovery - Port Scans

• Direct
  - TCP connect (strobe, SATAN-tcp_scan, netcat, nmap)
  - UDP "connect" (SATAN-udp_scan, netcat, nmap)
  - Service protocols (sscan, nessus, SARA, whisker, Nikto)

• Indirect
  - Tunneling
    • Nmap FTP Bounce
    • telnet through ICMP (sneakin.tgz on PacketStorm)
    • LoopHole (very much like sneakin: ~$40): server runs at home, client at work; goes through HTTP and offers encryption for IM, Web, email, FTP, and news

• Stealth scans (note: what is "stealthy" changes with time)
  - FIN or NULL
  - fragmented packets
  - TCP SYN (half open)
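As an added example (not part of the course material), the following detector applies the stealth-scan definitions above to a packet trace: NULL, FIN and SYN half-open probes are counted per source, while a completed three-way handshake is left alone. The flag-letter convention and the trace itself are assumptions constructed here, not a real capture.

```python
from collections import defaultdict

# Flag letters as tcpdump prints them: S=SYN, A=ACK, F=FIN, R=RST. A record is
# (src_ip, src_port, dst_ip, dst_port, flags); flags "" means no flags set.


def detect_scans(packets, min_ports=3):
    """Walk packet records in order and return
    {(scanner_ip, target_ip): {scan_class: [ports...]}} for every source that
    probed at least min_ports distinct ports with one of the stealth techniques
    named on the slide: NULL, FIN, or TCP SYN half-open."""
    probes = defaultdict(lambda: defaultdict(set))   # (src, dst) -> class -> ports
    state = {}                                       # initiator 4-tuple -> handshake phase
    for src, sport, dst, dport, flags in packets:
        f = set(flags)
        fwd = (src, sport, dst, dport)               # key as seen from the initiator
        rev = (dst, dport, src, sport)               # same connection, reply direction
        if f == {"S"}:
            state[fwd] = "syn"                       # bare SYN: a client or a scan, unknown yet
        elif f == {"S", "A"} and state.get(rev) == "syn":
            state[rev] = "synack"                    # port is open; initiator must now ACK
        elif "R" in f and state.get(fwd) == "synack":
            state[fwd] = "aborted"                   # tore down instead of completing:
            probes[(src, dst)]["SYN half-open"].add(dport)   # the half-open signature
        elif "A" in f and state.get(fwd) == "synack":
            state[fwd] = "established"               # normal three-way handshake
        elif f == {"F"}:
            probes[(src, dst)]["FIN"].add(dport)     # FIN with no connection: stealth probe
        elif not f:
            probes[(src, dst)]["NULL"].add(dport)    # no flags at all: never legitimate
    report = {}
    for pair, classes in probes.items():
        hits = {cls: sorted(ports) for cls, ports in classes.items() if len(ports) >= min_ports}
        if hits:
            report[pair] = hits
    return report


def build_sample():
    """Constructed packet trace (not a real capture): one legitimate web client,
    one half-open scanner, one NULL scanner, and a single stray FIN."""
    pkts = [
        ("10.0.0.5", 40001, "10.0.0.1", 80, "S"),
        ("10.0.0.1", 80, "10.0.0.5", 40001, "SA"),
        ("10.0.0.5", 40001, "10.0.0.1", 80, "A"),
    ]
    for i, port in enumerate((22, 25, 80, 443)):
        pkts += [
            ("10.0.0.77", 50000 + i, "10.0.0.1", port, "S"),
            ("10.0.0.1", port, "10.0.0.77", 50000 + i, "SA"),
            ("10.0.0.77", 50000 + i, "10.0.0.1", port, "R"),
        ]
    pkts += [("10.0.0.66", 60000, "10.0.0.1", p, "") for p in (21, 22, 23, 25, 80)]
    pkts.append(("10.0.0.88", 61000, "10.0.0.1", 80, "F"))
    return pkts


if __name__ == "__main__":
    for (src, dst), classes in detect_scans(build_sample()).items():
        for cls, ports in classes.items():
            print("%s -> %s: %s scan of ports %s" % (src, dst, cls, ports))
```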


Discovery - strobe

Usage: strobe [-v(erbose)] [-V(erbose_stats)] [-m(inimise)] [-d(elete_dupes)] [-g(etpeername_disable)] [-q(uiet)] [-o output_file] [-b begin_port_n] [-S services_file] [-i hosts_input_file] [-l(inear)] [-f(ast)] [-a abort_port_n] [host1 [...host_n]]


Strobe Example

strobe 127.0.0.1

strobe 1.03 (c) 1995 Julian Assange ([email protected])

127.0.0.1   ftp       21/tcp
127.0.0.1   telnet    23/tcp
127.0.0.1   smtp      25/tcp    mail
127.0.0.1   sunrpc    111/tcp   rpcbind
127.0.0.1   lockd     4045/tcp
127.0.0.1   unknown   6000/tcp


SATAN

• Released in April 1995 by Wietse Venema and Dan Farmer to much fanfare (many negative reactions)
  - Seminal hacking paper: "Improving the Security of Your Site by Breaking Into It"
    • www.fish.com/security/admin-guide-to-cracking.html

• Help administrators assess their network security

• Modular design with (very) easy to use GUI

• Find well known problems
  - NFS file systems exported to arbitrary hosts
  - NFS file systems exported to unprivileged programs
  - NFS file systems exported via the portmapper
  - NIS password file access from arbitrary hosts
  - Old (i.e., before 8.6.10) sendmail versions
  - REXD access from arbitrary hosts
  - X server access control disabled
  - arbitrary files accessible via TFTP
  - remote shell access from arbitrary hosts
  - writable anonymous FTP home directory


SATAN GUI (SAINT & SARA)

[Screenshot: SATAN Control Panel (Security Administrator Tool for Analyzing Networks) in Internet Explorer, with links: SATAN Data Management, SATAN Target selection, SATAN Reporting & Data Analysis, SATAN Configuration Management, SATAN Documentation, SATAN Troubleshooting, Getting the Latest version of SATAN, Couldn't you call it something other than "SATAN"?, 'Bout the SATAN image, 'Bout the authors]


Discovery - SAINT

• SAINT available now (expensive!)

• Based on SATAN
  - www.wwdsi.com/products/saint_engine.html
  - SAINTWriter
  - SAINTexpress
  - WeBSaint

• Latest scanning features include
  - Microsoft Virtual Machine's JDBC class exploits
  - Microsoft RDP vulnerabilities
  - IBM WebSphere buffer overflow
  - HTTPd heap overflow


SAINT (cont.)

[Screenshot: SAINT demo in Internet Explorer (http://www.saintcorporation.com/demo/saint/...). Reports menu: Vulnerabilities (By Approximate Danger Level, By Vulnerability Count, By Class of Service, By System Type, By Internet Domain, By Subnet, By Host Name), Host Information, Trust (Trusted Hosts, Trusting Hosts), Exclusions (Manage exclusions, List exclusions). Data Analysis view "Number of Hosts per Vulnerability Type" (hosts may appear in multiple categories), listing e.g. Internet Explorer vulnerabilities, Windows updates needed, Apache module vulnerabilities, Cross site tracing, guessed account password, Null sessions, OpenSSL vulnerabilities, packet flooding problems, Sendmail vulnerabilities, Worm detected, Apache vulnerabilities, BizTalk Server vulnerability, cachefsd vulnerability, calendar manager, subprocess control daemon]


SAINT (cont.)

[Screenshot: SAINT Data Analysis pages. Left: "Tutorial: DNS vulnerabilities", 2 Vulnerable / 2 Total Host(s); hosts sortable by name, domain, system type, subnet and problem count, with Critical Problems, Areas of Concern and Potential Problems counts per host (e.g. host3.domain.com). Right: General Host Information for a SunOS 5 host on subnet 172.16.1, scanning level heavy, last scan Mon Mar 2004, with Network Services: DNS, FTP, Finger, R Series, SAINT, SMTP, SNMP, Telnet, XDM (X login) server and 19 other services; Actions: Scan this host]


SAINT (cont.)

[Screenshot: SAINT vulnerability list for one host. Findings: Information from rusersd could help hacker; sunrpc services may be vulnerable; buffer overflow in telnetd; Information from rstatd could help hacker; rexec is enabled and could help attacker; possible vulnerability in login; possible format string vulnerability in tooltalk; tooltalk version may be vulnerable to buffer overflow. Identifiers shown beside the findings: CVE-2002-0391, CVE-2001-0554, CAN-1999-0624, CAN-1999-0618, CVE-2001-0797, CVE-2001-0717, CVE-1999-0003, CVE-1999-0593, CVE-2002-0679, plus one CAN-2003 entry unreadable in the scan]


Discovery - SARA (SATAN and SAINT Derivative)

• Two versions (5.1.1a version out)
  - Generic SARA and SARA PRO

• Author of SAINT was on the original team

• Approved by SANS for checking top 20 problems

• http://www-arc.com/sara/

• Philosophy is to integrate with existing tools
  - Uses Nmap for OS identification (like SAINT)
  - Uses SAMBA for SMB analysis

• SARA PRO includes
  - Report writer
  - Monthly updates (much like virus detection programs)


Discovery - eEye Retina Network Security Scanner

[Screenshot: Retina audit categories: Accounts, CGI Scripts, CHAM, Database, DNS Services, FTP Servers, IP Services, Mail Servers, Miscellaneous, NetBIOS, Remote Access, RPC Services, Service Control, SNMP Servers, SSH Servers, Web Servers, Wireless]

www.eeye.com/html/Products/Retina/


eEye Retina Network Security Scanner GUI

[Screenshot: Retina (www.eeye.com) main window. Policies pane with scan preferences: Smart Scan (perform protocol identification on found open ports), Force Scan (perform scan on hosts that do not respond to pings), Brute Force (perform password and other brute force operations); policies can be selected, edited, added and deleted, and the selected policy is used for scheduled scans. Complete Scan report: start 11/2/1999 1:34:44 AM, end 11/2/1999 1:36:02 AM, 6,720 commands generated, 73 commands reported, the commands being HTTP/1.0 GET requests for well-known password and user files under paths such as /bin/pass/ and /data/pass/]


Discovery - Typhon III

• Web Spidering
• Cross-site Scripting
• SQL Injection
• SMTP
• FTP
• POP3
• SNMP
• RPC
• DNS
• Finger
• NetBIOS
• NT Audit, Registry & Service
• IE Browser
• RServices
• LDAP
• Oracle
• SSH

• Report features
  - Export to HTML, database, text, or RTF

• Runs on Windows NT/2000 & XP


Typhon III GUI

[Screenshot: Typhon III GUI. Selected host: 10.1.1.2, with a result tree of check groups (Web, SMTP, FTP, POP3, SNMP, RPC, DNS, Finger, NetBIOS, NT Registry, NT Service, SQL Server, IE Browser, NT Audit, Protocol, RServices, LDAP, Oracle, SSH checks) and a Modules / Advanced / Ports dialog of checkboxes (Check All / Uncheck All) for the same modules, with SSL options on the Web, POP3 and SMTP checks, plus TCP Portscan and UDP Portscan]


OraScan (same company that does Typhon III: NGSSoftware)

• Assess Oracle Web front-end

[Screenshot: OraScan 1.1, "All jobs finished - scan complete". Result tree: Cross Site Scripting (forms, scripts); OraScan (Admin Paths, DADs, Default packages, Default Pages, Directory Traversal); Spider Results (apache_pb.gif, bc4j.html, bc4jdoc, demo, fastcgi, fcgi-bin, footer1.gif, header.gif, header1.gif, icons, jservdocs, jspdocs, main, manual, mod_ose.html, servlet, soapdocs, xsql); SQL Injection (forms, scripts). Detail pane for /pls/: HTTP response code 302; requested URL http://10.1.1.120:7778/pls/; the page linked to http://10.1.1.120:7778/pls/simpledad/ and was referenced from pages under http://10.1.1.120:7778/pls/admin/ and http://10.1.1.120:7778/pls/simpledad/admin/ (gateway.htm, dadentries.htm, adddad.htm with several DAD types, globalsettings.htm)]


Discovery - Mscan

• Focused, application level scanner

• Next (2nd) generation scanner

• "Current" popular vulnerabilities
  - statd, IMAP/POP
  - IRIX lp accounts
  - BIND buffer overflow
  - cgi-bin programs: phf, handler, test-cgi
  - NFS exports
  - X server


Discovery - Sscan

• Mscan derivative
  - Another focused, more powerful application level scanner with a scripting language built-in

• Multi part probe
  - TCP ACK check: if any response, do the other checks
    • telnet, smtp, pop3, imap, www
  - vulnerability check
    • telnet, smtp, pop3, imap, www, sunrpc, x11, finger, domain, Back Orifice, lp
  - connection check
    • netbios, ftp, ssh, mSQL, tcpmux
  - OS check
    • telnet banner and "Queso" like check (5 packets vs. 7): not as robust/successful as nsat or nmap, respectively


Discovery - FTP Bounce (Tunneling)

• Normal FTP operation (non-passive)
  - Client tells server host/port and server opens "data" connection back to client
  - Client need not tell server to come back to itself
• Tell an anonymous ftp server to connect to machines inside its firewall: to map the inside network
• Hard to do something other than chain FTPs, but still of concern
  - Can PUSH data to services/ports: e.g., SMTP, HTTP
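The bounce works because the server accepts any host/port in the PORT command. The server-side fix is to honour a PORT command only when it names the client's own control-connection address and an unprivileged port. The following is an added example in Python, not code from the slides or from any FTP server; the addresses in it are constructed test values (192.0.2.0/24 is a documentation range).

```python
"""Server-side check against FTP bounce: a PORT command is only honoured
when the address it names is the client's own control-connection address
and the port is an unprivileged one. Added example, not from the slides."""
import ipaddress
import re

# "PORT h1,h2,h3,h4,p1,p2" -- six decimal byte values (RFC 959, section 4.1.2)
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) from a PORT command line, or raise ValueError."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command")
    parts = [int(x) for x in m.group(1).split(",")]
    if any(p > 255 for p in parts):
        raise ValueError("PORT byte out of range")
    ip = ".".join(str(x) for x in parts[:4])
    port = parts[4] * 256 + parts[5]
    return ip, port


def check_port_command(line, control_peer_ip):
    """Decide whether to honour a PORT command from a client whose control
    connection comes from control_peer_ip. Returns (accepted, reason)."""
    try:
        ip, port = parse_port_command(line)
    except ValueError as e:
        return False, str(e)
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        # the bounce case: a data connection requested to a third-party host
        return False, "PORT address %s does not match control peer %s" % (ip, control_peer_ip)
    if port < 1024:
        # a data connection to a privileged port (smtp, http, ...) is never legitimate
        return False, "PORT to privileged port %d refused" % port
    return True, "ok"


if __name__ == "__main__":
    # constructed sample: a client at 192.0.2.10 asks for a data connection elsewhere
    print(check_port_command("PORT 10,44,10,12,0,23", "192.0.2.10"))
    print(check_port_command("PORT 192,0,2,10,4,1", "192.0.2.10"))
```

Passive mode avoids the problem entirely (the client opens the data connection), which is why most servers today either refuse third-party PORT targets or disable active mode.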


FTP Bounce Example (cont.)

telnet 128.0.254.217 80
Connected to 128.0.254.217.
Escape character is '^]'.

PROPFIND / HTTP/1.1    <--
Host:
Content-Length: 0

HTTP/1.1 207 Multi-Status
Server: Microsoft-IIS/5.0
Date: Tue, 20 January 2004 18:49:26 GMT
Content-Type: text/xml
Transfer-Encoding: chunked

316
<?xml version="1.0"?><a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/" xmlns:c="xml:" xmlns:a="DAV:"><a:response><a:href>http://10.44.10.12/</a:href>    <--


FTP Bounce Example (cont.)

strobe -b21 -e80 10.44.10.12
Host Unreachable

strobe -b21 -e80 128.0.254.217
Port Number  Protocol  Service
21           tcp       ftp
80           tcp       http

nmap -p 20-32 -b anonymous:foobar@128.0.254.217 10.44.10.12
Attempting connection to ftp://anonymous:foobar@128.0.254.217:21
Initiating TCP ftp bounce scan against 10.44.10.12
Open ports on 10.44.10.12:
Port Number  Protocol  Service
21           tcp       ftp
22           tcp       ssh
23           tcp       telnet


Tunneling (cont.)

• Bypassing (packet) firewalls with "messed up" TCP/IP header settings
  - www.securityfocus.com/archive/1/296122/2002-10-19/2002-10-25/2
• For example, odd 3-way handshake sequence: set SYN AND FIN bits
  - Firewall looks at FIN bit and allows it in (to close a supposed connection)
  - Host looks at SYN bit (to establish a connection)
• Worked on following OSs
  - Linux (2.4.19 Kernel)
  - Solaris 5.8
  - FreeBSD 4.5
  - Windows NT 4.0
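The weakness above is a filter that keys on one bit (FIN) instead of validating the whole flag combination. The following is an added example in Python, not code from the slides: it builds raw TCP headers from constructed values, shows the FIN-only rule passing a SYN+FIN packet, and beside it a check that rejects the combinations no legitimate stack emits (SYN+FIN, SYN+RST, no flags, FIN without ACK) and otherwise requires a known connection. The flag bit values are the standard ones; the filter functions are illustrative, not any firewall's code.

```python
"""Flag-combination checks for TCP headers: the weak 'FIN means closing, let
it through' rule next to a strict one. Added example; packet bytes are
constructed here, not captured."""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header (checksum left zero) for building samples."""
    offset_flags = (5 << 12) | flags          # data offset 5 words, then the flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 8192, 0, 0)


def tcp_flags(header):
    """Extract the 9 flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("short TCP header")
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return offset_flags & 0x01FF


def naive_filter_allows(header):
    """The weak rule from the slide: anything carrying FIN is 'a connection closing'."""
    return bool(tcp_flags(header) & TCP_FIN)


def classify_flags(header):
    """Return 'ok' or the name of the illegal combination found."""
    f = tcp_flags(header)
    if f & TCP_SYN and f & TCP_FIN:
        return "syn+fin"            # the bypass described on the slide
    if f & TCP_SYN and f & TCP_RST:
        return "syn+rst"
    if f == 0:
        return "null"               # no flags at all
    if f & TCP_FIN and not f & TCP_ACK:
        return "fin-without-ack"    # a real FIN on a live connection always carries ACK
    return "ok"


def strict_filter_allows(header, established):
    """Stateful rule: illegal combinations are dropped, a plain SYN may open a
    new connection, everything else needs a connection the filter already knows."""
    if classify_flags(header) != "ok":
        return False
    if tcp_flags(header) == TCP_SYN:
        return True
    return established


if __name__ == "__main__":
    probe = build_tcp_header(40000, 80, TCP_SYN | TCP_FIN)
    print("naive filter passes SYN+FIN:", naive_filter_allows(probe))
    print("strict filter passes SYN+FIN:", strict_filter_allows(probe, established=False))
```

The same classification is what an IDS signature for this traffic amounts to: the interesting condition is the combination of bits, never a single bit in isolation.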


Discovery - Host and Network Management

• Network management
  - traceroute
    . latency, domains, dynamic/static routes
  - SNMP scans: management agents
• Host management
  - ICMP scans
    . reachability (not necessary but speeds discovery)
  - Remote OS Identification (fingerprinting)
    . Mscan
    . Nmap (note: SAINT & SARA use Nmap)


Discovery - traceroute

[Screenshot: two runs of http://www.playground.net/cgi-bin/traceroute.cgi in Microsoft Internet Explorer. Hops 9 through 18 pass through ALTER.NET (e.g., 0.so-7-0-0.BR6.CHI2.ALTER.NET, 152.63.71.94), cw.net routers in Chicago (Equinix), Washington and Sterling, exodus.net and 216.35.210.122, ending at dcx.yahoo.com: w9.dcx.yahoo.com (64.58.76.230) in the first run and w4.dcx.yahoo.com (64.58.76.225) in the second, with per-hop round-trip times in the 20-45 ms range.]


Discovery - SCOTTY

• Protocol engine
  - DNS, HTTP, ICMP, NTP, RPC, SNMP, Syslog, UDP
  - UDP {open, connect, send, receive, bind}
  - HTTP {proxy, head, get, put, post, delete}
  - SUNRPC {info, probe, stat, mount, exports, pcnfs}
• Discover
  - TCL subroutine packaged with the program
  - Usage: discover [-d delay] [-r retries] [-t timeout] [-w window] [-snmp] [-icmp] networks
  - ICMP
    . discover -icmp w.x.y
  - SNMP
    . discover -snmp w.x.y
  - Over 28.8 PPP dial-up line
    . 1 "Class C" address space (256 hosts) in 15 seconds
  - Over Ethernet LAN
    . 1 "Class B" address space (65,536 hosts) in 15 minutes


traceroute (cont.)

• What did we just learn from traceroute?
  - Latency times to plug into other time based (wait period) programs
  - Intermediate domains
  - IP addresses
    . small (Class C) or large (Class A or B) address space
  - If polled at various times and days of the week
    . static vs. dynamic routing (single point of failure?)
    . return times change dramatically (variable latency?)
    . IP class size changes (ISP load balancing?)
    . DNS names not available (hard coded IP addresses?)
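Pulling those facts out of traceroute output mechanically is a small parsing job. The following is an added example in Python, not from the slides: it parses two constructed traceroute runs (the hostnames and addresses are documentation-range placeholders, not the ones in the screenshot) and reports per-hop latency, the domains on the path, hops with no reverse DNS, and hops whose address changed between runs, which is the signal for dynamic routing or load balancing the slide asks about.

```python
"""Turning two traceroute runs into the facts the slide lists: per-hop
latency, the domains on the path, hops with no DNS name, and hops whose
address changed between runs. Added example; the traceroute output below
is constructed, not taken from the slide's screenshot."""
import re
import statistics

RUN_MORNING = """\
 1  gw.example.net (192.0.2.1)  1.102 ms  0.987 ms  1.044 ms
 2  203.0.113.9 (203.0.113.9)  8.211 ms  8.430 ms  8.102 ms
 3  core1.chi.transit.example (198.51.100.17)  25.227 ms  25.593 ms  26.480 ms
 4  * * *
 5  w9.dcx.example.com (198.51.100.230)  39.490 ms  39.882 ms  40.063 ms
"""
RUN_EVENING = """\
 1  gw.example.net (192.0.2.1)  1.050 ms  1.201 ms  0.998 ms
 2  203.0.113.9 (203.0.113.9)  8.500 ms  8.311 ms  8.270 ms
 3  core2.chi.transit.example (198.51.100.18)  31.584 ms  33.120 ms  32.171 ms
 4  * * *
 5  w4.dcx.example.com (198.51.100.225)  35.300 ms  36.300 ms  35.978 ms
"""

_HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)((?:\s+[\d.]+ ms)+)")
_TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")
_RTT_RE = re.compile(r"([\d.]+) ms")


def parse_traceroute(text):
    """Return {hop: (name, ip, [rtt_ms, ...])}; hops that only timed out map to None."""
    hops = {}
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if m:
            hop, name, ip, rest = m.groups()
            hops[int(hop)] = (name, ip, [float(x) for x in _RTT_RE.findall(rest)])
            continue
        m = _TIMEOUT_RE.match(line)
        if m:
            hops[int(m.group(1))] = None
    return hops


def hop_latency(hops):
    """Median RTT per responding hop: the number a time-based tool would reuse."""
    return {h: statistics.median(v[2]) for h, v in hops.items() if v}


def unnamed_hops(hops):
    """Hops whose name is just the address: nothing in reverse DNS (hard-coded IP?)."""
    return [h for h, v in hops.items() if v and v[0] == v[1]]


def path_domains(hops):
    """Domains seen along the path (last two labels of each named hop)."""
    return sorted({".".join(v[0].split(".")[-2:]) for v in hops.values() if v and v[0] != v[1]})


def changed_hops(run_a, run_b):
    """Hops whose address differs between runs: dynamic routing or load balancing."""
    out = []
    for h in sorted(set(run_a) | set(run_b)):
        a, b = run_a.get(h), run_b.get(h)
        ip_a, ip_b = (a[1] if a else None), (b[1] if b else None)
        if ip_a != ip_b:
            out.append((h, ip_a, ip_b))
    return out


if __name__ == "__main__":
    morning, evening = parse_traceroute(RUN_MORNING), parse_traceroute(RUN_EVENING)
    print("latency:", hop_latency(morning))
    print("domains:", path_domains(morning))
    print("no reverse DNS:", unnamed_hops(morning))
    print("changed between runs:", changed_hops(morning, evening))
```

Running the same comparison across several days, as the slide suggests, is what separates a single-path site (one static route, one point of failure) from one behind load balancing.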


Discovery - ICMP Scan

• Routers: icmpush
  - Use ICMP Type 10, Router Solicitation
  - Send to a system we think is a router, then check to see if an ICMP Type 9, Router Advertisement, packet was responded with

# icmpush -vv -rts 10.10.1.16
-> Outgoing interface = 10.10.1.1
-> ICMP total size = 20 bytes
-> Outgoing interface = 10.10.1.1
-> MTU = 1500 bytes
-> Total packet size (ICMP + IP) = 40 bytes
ICMP Router Solicitation packet sent to 10.10.1.16 (10.10.1.16)

Receiving ICMP replies...
10.10.1.16 -> Router Advertisement (10.10.1.16)
icmpush: Program finished OK
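What icmpush reports as "Router Advertisement" is a Type 9 message whose body lists the addresses the responder claims to route for (RFC 1256 layout: number of addresses, entry size, lifetime, then address/preference pairs). The following is an added example in Python, not code from icmpush or the slides: it builds a solicitation and an advertisement from constructed values, verifies the ICMP checksum, and parses the advertised router list, which is also what a monitor on the segment would want to extract when an advertisement arrives from a host that is not supposed to be a router.

```python
"""ICMP Router Solicitation (type 10) and Router Advertisement (type 9):
checksum, classification and the advertised-router list (RFC 1256).
Added example; the packets are constructed here, not captured."""
import socket
import struct

ICMP_ROUTER_ADVERT, ICMP_ROUTER_SOLICIT = 9, 10


def icmp_checksum(data):
    """Standard one's-complement sum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(packet):
    """Fill bytes 2-3 of an ICMP message with its checksum."""
    return packet[:2] + struct.pack("!H", icmp_checksum(packet)) + packet[4:]


def build_router_solicitation():
    """Type 10, code 0, checksum, 4 reserved bytes."""
    return _with_checksum(struct.pack("!BBH", ICMP_ROUTER_SOLICIT, 0, 0) + b"\x00" * 4)


def build_router_advertisement(routers, lifetime=1800):
    """Type 9 message; routers is a list of (ip_str, preference) pairs."""
    body = struct.pack("!BBH", len(routers), 2, lifetime)   # num addrs, entry size (2 words), lifetime
    for ip, pref in routers:
        body += socket.inet_aton(ip) + struct.pack("!i", pref)
    return _with_checksum(struct.pack("!BBH", ICMP_ROUTER_ADVERT, 0, 0) + body)


def parse_icmp(packet):
    """Describe an ICMP message as a dict; raises ValueError on a bad checksum."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(packet) != 0:          # summing a correct packet yields zero
        raise ValueError("bad ICMP checksum")
    itype, code = struct.unpack("!BB", packet[:2])
    info = {"type": itype, "code": code}
    if itype == ICMP_ROUTER_SOLICIT:
        info["kind"] = "router-solicitation"
    elif itype == ICMP_ROUTER_ADVERT:
        n, size, lifetime = struct.unpack("!BBH", packet[4:8])
        if size != 2 or len(packet) < 8 + n * 8:
            raise ValueError("malformed router advertisement")
        routers = []
        for i in range(n):
            off = 8 + i * 8
            ip = socket.inet_ntoa(packet[off:off + 4])
            pref = struct.unpack("!i", packet[off + 4:off + 8])[0]
            routers.append((ip, pref))
        info.update(kind="router-advertisement", lifetime=lifetime, routers=routers)
    else:
        info["kind"] = "other"
    return info


if __name__ == "__main__":
    adv = build_router_advertisement([("192.0.2.1", 0), ("192.0.2.254", -5)])
    print(parse_icmp(build_router_solicitation()))
    print(parse_icmp(adv))
```

A host that accepts such advertisements will install the listed addresses as default routes, so on a managed network the defensive question is the reverse of the slide's: which hosts are answering solicitations, and should they be.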


SCOTTY SNMP Usage

• discover -snmp 13.231.244

13.231.244.32   IBM RISC System/6000 Machine Type: 0x0100 Processor id: 000001436700 The Base Operating System AIX version: 03.02.0000.0000 TCPIP Applications version: 03.02.0000.0000
13.231.244.170  RISC System/6000 Architecture Machine Type: 0x0400 Processor id: 000047467200 Base Operating System Runtime AIX version: 04.02.0000.0000 TCP/IP Client Support version: 04.02.0000.0000
13.231.244.191  IBM RISC System/6000 Machine Type: 0x0400 Processor id: 000038687900 The Base Operating System AIX version: 03.02.0000.0000 TCPIP Applications version: 03.02.0000.0000


etherape (cont.)

[Screenshot: EtherApe window (File, Edit, View, Settings, Help; New, Open, Save). Protocol legend: DOMAIN, X WINDOWS, TCP_UNKNOWN, HTTP; a "Number of nodes" counter. The node graph shows hosts including b.root-servers.net, E.ROOT-SERVERS.NET, whois.apnic.net, www2.freshmeat.net, ads.freshmeat.net, images.sourceforge.net, dns-02.ns.aol.com, time.nist.gov, ns1.arl.mil, mx.arc.nasa.gov, ns2.valinux.com, ns.eunet.es, ns2.encomix.es, 128.63.2.53 and several bare IP addresses.]


Discovery - ntop

• Network traffic probe
  - Embedded web server
  - intop for network shell on top of ntop engine
• What does it do?
  - Sort traffic by protocol
  - Display network statistics
  - Passively (i.e., without sending probe packets) identify OS type
  - Act as a collector for flow programs in routers (e.g., Cisco) or switches (e.g., Foundry Networks)


ntop (cont.)

[Screenshot: ntop web interface (© 1998-2002 by Luca Deri) viewed in a browser at http://jabber:3000/. Menu: About, Data Rcvd, Data Sent, Stats, IP Traffic, IP Protos, Admin; Stats sections: Multicast, Traffic, Hosts, Network Load, Domain, Plugins. Global traffic statistics: Hw Interface Type Ethernet; packets split into unicast 51.6% (609), broadcast 33.7% (398), multicast 14.7% (173); packet sizes: shortest 64 bytes, longest 1,514 bytes; <= 64 bytes 46.0% (543), < 128 bytes 36.4% (429), < 256 bytes 7.8% (92).]


ntop (cont.)

WAP Plug-in

[Screenshot: ntop WAP plug-in page listing per-host traffic totals (e.g., 217.7 Kb, 146.3 Kb, 64.5 Kb) for hosts such as demeter.]


Discovery - QueSO

• First tool to focus on OS identification
  - Type
    . Solaris, Linux, BSD, Windows, AIX, CISCO, Novell, etc.
  - Kernel version
    . About 100 current versions identified
• Old methods were brute-force
  - rpcinfo
  - SNMP
  - TELNET
  - sendmail version
  - Download binaries from the public ftp (analyzing its format)


QueSO Objective

• Has been leap-frogged (crushed?) by Nmap
  - Nmap is more accurate
  - Has more OS fingerprints
• QueSO sends 7 TCP packets
  - 1st packet is legit...the other 6 are bogus
  - The fingerprint of all 7 combined identifies the OS
  - All packets have a random seq_num and a 0x0 ack_num.


Discovery - Nmap (v3.70)

• Scanning flexibility
  - Striving to be undetected
  - Striving to by-pass barriers
    . firewalls
    . intrusion detection
    . DMZs
• Account for network latencies and provide robust port and host designations
  - Dynamic delay time calculations
  - Retransmission for failed port requests
  - Flexible port and target host specification


Nmap Features

• Scanning types
  - TCP connect() (like most other scanners)
  - TCP SYN (half open)
  - TCP FIN (stealth)
  - TCP ftp proxy (bounce attack)
  - SYN/FIN using IP fragments
  - UDP recvfrom()
  - UDP raw ICMP port unreachable
  - ICMP (ping-sweep)
• OS recognition using TCP/IP fingerprinting
  - www.insecure.org/nmap/nmap-fingerprinting-article.html


Nmap Usage

-t                    tcp connect() port scan
-s                    tcp SYN stealth port scan (must be root)
-u                    UDP port scan, will use MUCH better version if you are root
-U                    Uriel Maimon (P49-15) style FIN stealth scan
-l                    Do the lamer UDP scan even if root. Less accurate
-P                    ping "scan". Find which hosts on specified network(s) are up
-b <ftp_relay_host>   ftp "bounce attack" port scan
-f                    use tiny fragmented packets for SYN or FIN scan
-i                    Get identd (rfc 1413) info on listening TCP processes
-p <range>
-F                    fast scan. Only scans ports in /etc/services, a la strobe(1)
-r                    randomize target port scanning order
-S                    If you want to specify the source address of SYN or FYN scan
-v                    Verbose. Its use is recommended. Use twice for greater effect
-w <n>                delay, n microsecond delay. Not recommended unless needed
-M <n>                maximum number of parallel sockets.
-q                    quash argv to something benign, currently set to "%s"
Optional '/mask' specifies subnet, cert.org/24 or 192.88.209.5/24 scan CERT's


Nmap GUI

[Screenshot: Nmap Front End v3.49 (File, View). Target(s): www.insecure.org. Tabs: Scan, Discover, Timing, Files. Scan Type: SYN Stealth Scan; Relay Host field; Scan Extensions: RPC Scan, Identd Info, OS Detection, Version Probe; Scanned Ports: Most Important [fast]. Output pane:]

Starting nmap 3.49 ( http://www.insecure.org/nmap/ ) at 2003-12-19 14:28 PST
Interesting ports on www.insecure.org (205.217.153.53):
(The 1212 ports scanned but not shown below are in state: filtered)
PORT     STATE   SERVICE  VERSION
22/tcp   open    ssh      OpenSSH 3.1p1 (protocol 1.99)
25/tcp   open    smtp     qmail smtpd
53/tcp   open    domain   ISC Bind 9.2.1
80/tcp   open    http     Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
113/tcp  closed  auth
Device type: general purpose
Running: 2.4.X|2.5.X
OS details: Kernel 2.4.0 - 2.5.20
Uptime 212.119 days (since Wed May 21 12:38:26 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 33.792 seconds

Command: nmap -sS -sV -O -F -PI -T4 www.insecure.org


New Windows NMap

It looks like you are running a port scan.

Would you like help launching a:
  • Connect Scan
  • Half-Open Scan (SYN)
  • ACK Scan
  • FIN Scan
  See more...
  Options  Search

The target(s) you have selected include addresses registered to Microsoft corporation. This tool is built so that it cannot be used to scan Microsoft's own systems.

However, Microsoft Nmap will automatically redirect your scan to one of Microsoft's adversaries.

Which Microsoft enemy would you like to scan?
  • AOL
  • Assorted Open Source Site (Slashdot, linux.org, etc.)
  • US Department of Justice
  • State Attorney General Offices
  Options  Search


Nessus

• Robust security scanner
  - Plug-in architecture: each test is a unique plug-in
    . you can use their NASL scripting language to build them
  - Recognizes services on non-standard ports
  - Smart testing: only tests what it can/should
    . e.g., doesn't test for anonymous FTP if it doesn't exist
    . note: this is a problem area for many other scanners
  - 3 step execution
    . configure nessusd
    . setup the client
    . view the results
  - Versions 2.0.12 and 2.1.3 (beta) now available
    . server runs on POSIX UNIX* systems
    . clients on POSIX for UNIX*, Win32, and Java


Nessus Plug-in Families

• Backdoors
• CGI abuses
• Denial of Service
• Finger abuses
• Firewalls
• FTP
• Gain a shell remotely
• Gain root remotely
• General
• Miscellaneous
• NIS
• Port scanners
• Remote file access
• RPC
• SMTP problems
• SNMP
• Useless services
• Windows


Nessus Setup

• Client setup
  - Plug-ins
    . enable all, enable all but "dangerous", disable
  - Preferences
    . scanning technique (e.g., socket, SYN, FIN), include UDP or RPC, ping host, identify remote OS, get Identd info, etc.
  - Scan options
    . port range, maximum threads, do reverse DNS lookup
  - Target selection
    . target IP address (range), request a DNS zone transfer


Nessus Setup GUI

[Screenshot 1: Nessus client, "Plugins" tab. Tabs: Nessusd host, Plugins, Prefs., Scan options, Target selection, User, KB, Credits. The plugin family list includes CGI abuses, FTP, Windows, Gain a shell remotely, Denial of Service, Backdoors, Windows: User management, Remote file access, SNMP, Default Unix Accounts, RPC. Buttons: Enable all, Enable all but dangerous plugins, Disable all, Upload plugin..., Enable dependencies at runtime, Filter. Individual plugins visible: Unchecked Buffer in XP Redirector (Q810577); DCE Services Enumeration; Unchecked Buffer in PPTP Implementation Could Enable DOS Attacks; The messenger service is running; Microsoft's SQL TCP/IP listener is running; SMB Registry: is the remote host a PDC/BDC; SMB Registry: value of SFCDisable; Unchecked Buffer in Decompression Functions (Q329048); WM_TIMER Message Handler Privilege Elevation (Q328310); Telnet Client NTLM Authentication Vulnerability; Opening Group Policy Files (Q318089). Buttons: Start the scan, Load report, Quit.]

[Screenshot 2: "Scan options" tab. Port range: 1-1500; Consider unscanned ports as closed; Number of hosts to test at the same time: 10; Number of checks to perform at the same time: 10; Path to the CGIs: /cgi-bin:/scripts; checkboxes for Do a reverse lookup on the IP before testing it, Optimize the test, Safe checks, Designate hosts by their MAC address, Detached scan. Port scanner: tcp connect() scan, Nmap, scan for LaBrea tarpitted hosts. Buttons: Start the scan, Load report, Quit.]


Nessus Report GUI

[Screenshot: Nessus report window. Host list includes 10.163.156.1, 10.163.156.9, 10.163.156.10 and 10.163.156.205. The selected finding is on netbios-ssn (139/tcp): the host could be used to enumerate account names, which gives extra knowledge to an attacker; it lists the Administrator account name (id 500), the Guest account name (id 501) and the names of the local users and groups (DHCP Users, DHCP Administrators, WINS Users and others). Risk factor: Medium. Solution: filter incoming connections to this port. A CVE reference follows but is not legible in the scan.]


Nikto: Web Server Scanner

• Has outdistanced (crushed?) whisker
• Not stealthy by design
  - However does support LibWhisker's anti-IDS methods
• Snapshot of some features (v1.34) includes:
  - Uses rfp's LibWhisker as a base for all network functionality
  - Main scan database in CSV format for easy updates
  - Determines "OK" vs "NOT FOUND" responses for each server, if possible
  - Determines CGI directories for each server, if possible
  - SSL Support
  - Output to file in plain text, HTML or CSV
  - Checks for outdated server software
  - Proxy support (with authentication)
  - Host authentication (Basic)
  - Watches for "bogus" OK responses
  - Attempts to perform educated guesses for Authentication realms
  - Captures/prints any Cookies received
  - Scan multiple ports on a target to find web servers (can integrate nmap for speed, if available)
  - Multiple IDS evasion techniques
  - Supports automatic code/check updates (with web access)


Nikto (cont.)

- Nikto v1.32/1.23
+ Target IP: x.y.86.31
+ Target Hostname: www.xy.org
+ Target Port: 443
+ SSL Info: Ciphers: RC4-MD5
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Microsoft-IIS/5.0
- Retrieved X-Powered-By header: ASP.NET
+ IIS may reveal its internal IP in the Content-Location header. The value is "https://10.0.10.31/site is down.htm". http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0649.
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
+ Microsoft-IIS/5.0 is outdated if server is Win2000 (4.0 is current for NT 4)
+ / - TRACE option appears to allow XSS or credential theft. See www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ /readme.txt - Default file found. (GET)
+ /scripts - Redirects to https://www.xy.org/scripts/, Remote scripts directory is browsable.
+ /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:%5c - May be able to issue arbitrary commands to host. (GET)
+ /localstart.asp - Needs Auth: (realm "www.xy.org")
+ /localstart.asp - This may be interesting... (GET)
+ 2645 items checked - 6 item(s) found on remote host(s)
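Two of the findings above, the internal address leaking through Content-Location and TRACE among the allowed methods, come straight from response headers and are easy to check for in your own servers before a scanner does. The following is an added example in Python, not Nikto's code or the slides': it parses a constructed raw HTTP response (modelled on the headers the output shows, with the same 10.0.10.31 value) and reports the two conditions; the helper names are my own.

```python
"""Two of the Nikto findings reproduced as checks over a raw HTTP response:
an internal (RFC 1918) address leaking through Content-Location, and TRACE
listed among the allowed methods. Added example; the response is constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample modelled on the headers in the Nikto output above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Location: https://10.0.10.31/site is down.htm\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw response into (status_line, {lower-case-name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def internal_address_in_header(headers, name="content-location"):
    """Return a private or loopback IP found in the named header, or None."""
    for value in headers.get(name, []):
        host = urlsplit(value).hostname or ""
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue                      # a DNS name, not a bare address
        if addr.is_private or addr.is_loopback:
            return str(addr)
    return None


def trace_enabled(headers):
    """True when the Allow header advertises TRACE."""
    methods = set()
    for value in headers.get("allow", []):
        methods.update(m.strip().upper() for m in value.split(","))
    return "TRACE" in methods


def findings(raw):
    """Collect findings in the same '+ ...' style Nikto uses."""
    _, headers = parse_headers(raw)
    out = []
    leak = internal_address_in_header(headers)
    if leak:
        out.append("+ internal IP %s revealed in Content-Location header" % leak)
    if trace_enabled(headers):
        out.append("+ HTTP method TRACE is allowed; it should be disabled")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_RESPONSE):
        print(line)
```

The Content-Location leak is fixed by making the server emit its public name rather than its bound address, and TRACE is simply switched off; the checker is then the regression test that both stay fixed.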


Nikto (cont.)

Cool Stuff!

[Image: Nikto logo]


Secure Web Tools - cURL

• Command line URL grabber...and much more!
  - transferring files with URL syntax (v7.12.1)
  - HTTP and HTTPS (uses SSLeay or OpenSSL)
    . PUT and POST (including FORMS!)
    . HTTPS certificates
  - FTP
    . including upload
  - Gopher, TELNET, DICT, LDAP
  - Miscellaneous support
    . passwords
    . port numbers
    . proxies


Secure Web Tools cURL (cont.)

--help [note: edited output]
Options: (H) means HTTP/HTTPS only, (F) means FTP only
    --cookie <string>               Pass the string as cookie (H)
    --continue                      Resume a previous transfer where we left it (F)
 -d/--data                          POST data (H)
 -e/--referer                       Referer page (H)
 -E/--cert <cert:passwd>            Specifies certificate file and password (HTTPS)
 -F/--form <name=content>           Specify HTTP POST data (H)
    --head                          Fetch the HTTP-header only (HEAD) (H)
    --list-only                     List only names of an FTP directory (F)
 -m/--max-time <seconds>            Maximum time allowed for the transfer
 -o/--output <file>                 Write output to <file> instead of stdout
 -p/--port <port>                   Use port other than default for current protocol
 -P/--ftpport <address>             Use PORT with address instead of PASV when ftping (F)
 -Q/--quote <cmd>                   Send QUOTE command to FTP before file transfer (F)
 -r/--range <range>                 Retrieve a byte range from a HTTP/1.1 server (H)
 -u/--user <user:password>          Specify user and password to use
 -U/--proxy-user <user:password>    Specify Proxy authentication


Secure Web Tools cURL (cont.)

• A few examples
  - curl -o thatpage.html http://www.netscape.com/
  - curl -d "name=Rafael%20Sagula&phone=3320780" http://www.where.com/guest.cgi
  - curl ftp://name:passwd@<host>:port/full/path/to/file
  - http://curl.haxx.se/docs/readme.curl.html for manual
• URL
  - http://curl.haxx.se
  - "a client that groks URLs"
• Comparison to snarf, wget, greed, pavuk, fget, and fetch
  - http://curl.haxx.se/docs/comparison-table.html


Secure Web Tools cURL (cont.)

[Screenshot: http://curl.haxx.se/docs/comparison-table.html, "Compare cURL Features with Other FTP+HTTP Tools" (this comparison only involves entirely free and open source software). Columns: curl, snarf, wget, pavuk, fget, fetch. Rows: FTP Resume, HTTP Resume, Follow HTTP Redirects, Multiple URLs, HTTP Proxy, FTP Active Mode, SOCKS, Username/Password, HTTP POST, HTTP Persistent Connections, Cookie Support, Tiny Executable, IPv6 Support, HTTP 1.1, .netrc Support, HTTPS, HTTP Digest Auth, Recursive Download, FTP SSL. Sidebar: List of Features, Related Tools, Compare HTTP Libraries. The yes/no cells are not legible in the scan.]


Secure Web Tools: dsniff

• dsniff 2.3
- Among many other things, exploit flaws in both SSL and SSH
- arpspoof: hijack IP address
- dnsspoof: forge DNS replies
- tcpkill: block TCP by forcing connection to close
- filesnarf: NFS sniffer
- mailsnarf: SMTP sniffer
- msgsnarf: IM sniffer
- urlsnarf: Web sniffer
- sshmitm: SSH protocol 1 attack. "fix": only use protocol 2
- webmitm: SSL attack. "fix": client-side certs
• www.monkey.org/~dugsong/dsniff/faq.html


Top 75 "Security" (testing) Tools

www.insecure.org/tools.html
• vulnerability assessment: nessus, nmap, SAINT
• IDS: snort
• network sniffer/monitor: ethereal, TCPdump, ettercap (for switched networks), kismet and NetStumbler (for wireless)
• CGI scanner: whisker, Nikto
• Password cracker: John the Ripper, L0phtCrack
• all purpose: netcat, Sam Spade


Tools Medicine

At a minimum, get common public domain tools and run them against your site resources
• nessus or SAINT or SARA
• nmap
• nikto (said it before, but saying it again!)

Think about specialty tools too
• database (e.g., orascan)
• traffic sniffers (e.g., dsniff: mailsnarf)

Think about simple, brute-force, coarse level scripts
• Web server logs
• Web application logs
• SNMP logs
• Detect what you can't prevent or is in the "top 10" list
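A coarse web-server-log script of the kind this slide recommends, added here as an example (it is not code from the slides or from SystemExperts): it reads Apache combined-format log lines, flags requests for paths that CGI scanners such as whisker and Nikto probe, flags user agents that announce a scanner, and flags any client that racks up a burst of 404s. The log lines are constructed for the example; the probe list, the user-agent marker and the 404 threshold are assumptions to tune for your own site.

```python
"""Coarse-level web server log scan (added example, not from the slides).

Flags three things a defender can detect even when the request itself
could not be prevented: scanner-style probe paths, scanner user agents,
and a client producing a burst of 404s. Thresholds and pattern lists are
assumptions for the example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Apr/2004:10:01:01 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.5 - - [30/Apr/2004:10:01:03 -0400] "GET /images/logo.gif HTTP/1.1" 200 2211 "-" "Mozilla/4.0"
192.0.2.77 - - [30/Apr/2004:10:02:10 -0400] "GET /cgi-bin/phf HTTP/1.0" 404 210 "-" "Mozilla/5.00 (Nikto/1.32)"
192.0.2.77 - - [30/Apr/2004:10:02:10 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210 "-" "Mozilla/5.00 (Nikto/1.32)"
192.0.2.77 - - [30/Apr/2004:10:02:11 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "Mozilla/5.00 (Nikto/1.32)"
192.0.2.77 - - [30/Apr/2004:10:02:11 -0400] "GET /admin/ HTTP/1.0" 404 210 "-" "Mozilla/5.00 (Nikto/1.32)"
192.0.2.77 - - [30/Apr/2004:10:02:12 -0400] "GET /_vti_bin/ HTTP/1.0" 404 210 "-" "Mozilla/5.00 (Nikto/1.32)"
10.0.0.9 - - [30/Apr/2004:10:05:00 -0400] "GET /cgi-bin/guest.cgi?name=bob HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path fragments scanners commonly request; an assumed starter list, not complete.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"/cgi-bin/(phf|test-cgi|nph-test-cgi)\b", r"\.\./", r"%c1%1c",
              r"%2e%2e", r"cmd\.exe", r"/_vti_bin/", r"^/admin/?$")
]
SCANNER_UA = re.compile(r"nikto|whisker", re.IGNORECASE)  # assumed UA markers


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text, not_found_threshold=4):
    """Return probe paths per IP, IPs with scanner UAs, and IPs at or over the 404 threshold."""
    probes = defaultdict(list)     # ip -> probe-like paths requested
    scanner_agents = set()         # ips whose User-Agent names a scanner
    not_found = Counter()          # ip -> number of 404 responses
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        if any(p.search(rec["path"]) for p in PROBE_PATTERNS):
            probes[rec["ip"]].append(rec["path"])
        if SCANNER_UA.search(rec["ua"]):
            scanner_agents.add(rec["ip"])
    noisy = {ip for ip, n in not_found.items() if n >= not_found_threshold}
    return {"probes": dict(probes), "scanner_agents": scanner_agents, "noisy_404": noisy}


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for ip, paths in findings["probes"].items():
        print(f"{ip}: {len(paths)} probe-like requests, e.g. {paths[0]}")
    print("scanner user agents from:", sorted(findings["scanner_agents"]))
    print("clients over 404 threshold:", sorted(findings["noisy_404"]))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the three signals are deliberately independent so that a scanner which spoofs its User-Agent still shows up through the probe paths or the 404 burst.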


What the Hacker KnOwZ...about discovery

Well...

if 40+ slides on discovery tools that reveal a wealth of information about your site hasn't already generated a lot of concern and a large "To Do" or "To Check-out" list...

NOTHING WILL!

next... Protocols


Where are We?

Profiling
• Methodology
• Example Profile #1
• Example Profile #2

Discovery and Profiling Tools
• typhon, nessus, dsniff, Nikto, and lots more!

Intrusions
• Awareness/Statistics
• Examples
• Common Areas

Protocols
• DNS
• SNMP
• Handheld (PocketPC)
• Web Infrastructure


DNS (Domain Name Service) Functionality

• Names instead of addresses
• Hierarchical and distributed for scaling
• Standard record types
- A - addresses
  www.systemexperts.com: 207.155.248.12, 207.155.252.14, 207.155.252.72, 207.155.252.12
- CNAME - canonical name
- HINFO - host information
- MX - mail exchanger
- NS - name server
- PTR - reverse pointer resolution
  12.248.155.207.in-addr.arpa
- SOA - start of authority
- TXT - text
- WKS - well-known services


DNS (An Unbelievable Demonstration of Scale)

[Screenshot of www.isc.org (Internet Systems Consortium): the "Internet Domain Survey Host Count" chart, Jan 98 through Jan 03, vertical axis 50,000,000 to 250,000,000 hosts. Side links: ISO Country Codes; RFC 1296: Internet Growth (1981-1991); How the old survey worked; Data files from old surveys (through July 1997), gzipped format.]

Source: Internet Software Consortium (www.isc.org)


DNS Exposures

One (ish) common complex implementation
• BIND (Berkeley Internet Name Daemon)
- Used for authentication (i.e., TRUST) in FTP, NFS, mail, TELNET, WWW, browser CERT validation, etc.
• Ok, maybe it's two: BIND and Microsoft's BiNd
• Ok, it's really three: pre v9 BIND, v9+ BIND, and Microsoft's BiNd

Can offer too much information
• Hosts behind firewalls/internal addressing, outside (ISP) services, mail servers, alternate name servers, OS types

Spoofing
• Poison DNS server and redirect: without breaking in
• get the target to ask you a question and return bogus unrelated info: this info is believed by older BIND versions


DNS Tools

Dig, nslookup, host

Special and OS specific tools
www.dns.net/dnsrd/tools.html
• Checker, DDT, dnswalk, NSLint, Sleuth, ZoneCheck
- debug cached data - DDT
  ftp://ftp.is.co.za/networking/ip/dns/ddt/
- find inconsistencies in DNS files - NSLint
  ftp://ftp.is.co.za/networking/ip/dns/nslint/

Seminal sites
• www.isc.org/bind.html
• www.dns.net/dnsrd/


DNS Tools: DIG NS Records

    dig ns usenix.org
    ; <<>> DiG 2.1 <<>> ns usenix.org
    ;; QUESTIONS:
    ;;      usenix.org, type = NS, class = IN

    ;; ANSWERS:
    usenix.org.     164133  NS      NS.UU.NET.
    usenix.org.     164133  NS      XINET.COM.
    usenix.org.     164133  NS      UUCP-GW-1.PA.DEC.COM.
    usenix.org.     164133  NS      UUCP-GW-2.PA.DEC.COM.
    usenix.org.     164133  NS      auth00.NS.UU.NET.
    usenix.org.     164133  NS      usenix.org.

    ;; ADDITIONAL RECORDS:
    NS.UU.NET.      172772  A       137.39.1.3


DNS Zone Transfer

    Zone transfer [email protected] (131.106.3.1)...
    Query for usenix.org type=252 class=1
    usenix.org SOA (Zone of Authority) Primary NS: usenix.ORG Responsible person: jrl@usenix.org
        serial: 199905114
        refresh: 432000s (5 days)
        retry: 3600s (60 minutes)
        expire: 864000s (10 days)
        minimum-ttl: 172800s (2 days)
    usenix.org NS (Nameserver) uucp-gw-1.pa.dec.com
    usenix.org HINFO (Host Info) Cpu:Sun Sparc 10 Os:SunOS
    usenix.org MX (Mail Exchanger) Priority: 10 mail.usenix.ORG
    usenix.org MX (Mail Exchanger) Priority: 100 relay1.UU.NET
    usenix.org A (Address) 131.106.3.1

What did we learn?
• Name time-outs/refresh, outside name server, SunOS OS type, primary and second mail server, and (potential) valid username (let's take a look at that email first)


DNS Zone Transfer (cont.)

[Screenshot of www.phaster.com/find_info_net_traffic.html ("Utilities") in Internet Explorer. The page offers three lookup forms: Domain Lookup (enter a domain, for example COM or CH, which is short for Switzerland, and get the name of the country that domain is associated with); eMail Dossier (validate and investigate eMail addresses, for example USER@HOSTNAME); Finger (if you can pull a finger for USER@HOSTNAME it tells you various information about that account). The page's own commentary notes that a "hacker" is someone who programs for enjoyment but the term has become synonymous with "cracker," a person who performs an illegal act, and suggests an internet connection security analysis of commonly probed ports.]

www.phaster.com/find_info_net_traffic.html


DNS Zone Transfer (cont.)

[Screenshot of http://centralops.net/co/EmailDossier.vbs.asp ("Email Dossier - Investigate email addresses") in Internet Explorer.]

Validation results
    confidence rating: 3 - SMTP
    The email address passed this level of validation without an error. However, it is not guaranteed to be a good address.
    canonical address: <[email protected]>

MX records
    preference   exchange              IP address (if included)
    10           voyager.usenix.org    [131.106.3.1]

SMTP session (as captured in the screenshot)
    220 usenix.org ESMTP Sendmail ...; Tue, 30 Apr ...
    250 usenix.org Hello ..., pleased to meet you
    252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)
    250 ... Recipient ok


DNS Zone Transfer (cont.)

[Screenshot of http://www.hexillion.com/docs/guides/HexValidEmail/concepts/Interpret.htm, "Interpreting HexValidEmail results".]

HexValidEmail is a multi-level, server-side, bad-address filter. When an email address passes this filter, however, it isn't necessarily a good address. The following table summarizes what the confidence rating (highest successful validation level) does and does not tell you.

    Rating   Level    What it tells you
    0        Bad      Address is definitely bad for the reason specified by the Error property
    1        Syntax   Syntax is OK
    2        DNS      Syntax is OK; domain exists
    3        SMTP     Syntax is OK; domain exists; domain has a working mail server; mail server did not reject address
    -        Cbak     All of the above; local part (username) is valid
    A, B*    -        All of the above; address reaches the recipient you intend and thus is definitely good

* A and B: not supplied by HexValidEmail. These are optional tests that require actually sending email and are something you would need to custom-develop for your own system.


DNS Zone Transfer (cont.)

What else did we learn?
• Refresh: how often the secondary server should check that their data is up-to-date
• Retry: if the secondary server can't reach the master site, retry at this interval
• Expire: if the secondary fails to contact the master site for this amount of time, expire the cache data (i.e., STOP ANSWERING REQUESTS)
• Minimum: how long data can live in memory (i.e., cache)
- note: when you see "non authoritative" when you do a nslookup, that means the data was fetched from the cache (it doesn't mean the results are questionable!)


DNS Zone Transfer (cont.)

    spock.usenix.org A (Address) 131.106.3.24
    quark.usenix.org A (Address) 131.106.3.16
    offquadra.usenix.org A (Address) 131.106.3.19
    picard.usenix.org A (Address) 131.106.3.103
    khan.usenix.org A (Address) 131.106.3.106
    borg.usenix.org A (Address) 131.106.3.104
    guinan.usenix.org A (Address) 131.106.3.17

What did we learn?
• "Special/fun" names tend to be administrative hosts
• ask yourself: what are the names of the hosts for your admin folk?


DNS Zone Transfer (cont.)

    conference.usenix.org NS (Nameserver) cs.colorado.edu
    usenix-fw.usenix.org A (Address) 131.106.1.253
    mail.usenix.org CNAME (Canonical Name) usenix.ORG
    usenix-gw.usenix.org A (Address) 131.106.1.254
    db.usenix.org A (Address) 131.106.3.253
    mtgusenix.usenix.org HINFO (Host Info) Cpu:Sun 3/80 Os:?
    mtgusenix.usenix.org A (Address) 198.4.88.2
    fw.usenix.org CNAME (Canonical Name) usenix-fw.usenix.org
    gw.usenix.org A (Address) 131.106.3.254
    www.usenix.org CNAME (Canonical Name) db.usenix.ORG
    ftp.usenix.org CNAME (Canonical Name) db.usenix.org

What did we learn?
• Another outside name server, hosts that are probably firewall and gateway systems (usually VERY helpful), also systems that are likely database and FTP servers
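The "What did we learn?" questions on this and the preceding zone transfer slides (SOA timers, outside name servers, HINFO, role-revealing host names) can be asked of your own zone automatically. The script below is an added example, not code from the slides or from SystemExperts: it parses a zone in the common "owner TYPE rdata" text form and reports the disclosures the slides point at. The zone is a constructed sample modelled on the usenix.org dump above, and the ROLE_LABELS list is an assumption for the example.

```python
"""Review what a zone transfer of your own domain hands out (added example).

Not the slides' code. parse_zone() reads "owner TYPE rdata" lines,
soa_summary() extracts the SOA timers the slides explain, and
review_zone() lists HINFO records, name servers outside the zone, mail
exchangers and hosts whose names advertise a role. SAMPLE_ZONE is a
constructed sample; ROLE_LABELS is an assumption for the example.
"""
import shlex

ROLE_LABELS = {"fw", "gw", "db", "ftp", "www", "mail", "ns", "proxy", "vpn"}

SAMPLE_ZONE = """\
usenix.org.             SOA   usenix.org. jrl.usenix.org. 199905114 432000 3600 864000 172800
usenix.org.             NS    uucp-gw-1.pa.dec.com.
conference.usenix.org.  NS    cs.colorado.edu.
usenix.org.             HINFO "Sun Sparc 10" "SunOS"
usenix.org.             MX    10 mail.usenix.org.
usenix.org.             MX    100 relay1.uu.net.
usenix.org.             A     131.106.3.1
mail.usenix.org.        CNAME usenix.org.
usenix-fw.usenix.org.   A     131.106.1.253
fw.usenix.org.          CNAME usenix-fw.usenix.org.
gw.usenix.org.          A     131.106.3.254
db.usenix.org.          A     131.106.3.253
www.usenix.org.         CNAME db.usenix.org.
ftp.usenix.org.         CNAME db.usenix.org.
spock.usenix.org.       A     131.106.3.24
picard.usenix.org.      A     131.106.3.103
"""


def parse_zone(text):
    """Return (owner, rrtype, rdata tokens) per record; quotes keep HINFO strings together."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        owner, rrtype, *rdata = shlex.split(line)
        records.append((owner.lower().rstrip("."), rrtype.upper(), rdata))
    return records


def soa_summary(records):
    """SOA timers in seconds plus the responsible-person mailbox, or None without an SOA."""
    for owner, rrtype, rdata in records:
        if rrtype == "SOA":
            mname, rname, serial, refresh, retry, expire, minimum = rdata[:7]
            local, _, domain = rname.rstrip(".").partition(".")  # first label is the mailbox
            return {"primary": mname.rstrip("."), "contact": f"{local}@{domain}",
                    "serial": int(serial), "refresh": int(refresh), "retry": int(retry),
                    "expire": int(expire), "minimum": int(minimum)}
    return None


def review_zone(text, zone):
    """Collect the disclosures a transfer of `zone` gives away, from the defender's side."""
    zone = zone.lower().rstrip(".")
    records = parse_zone(text)
    findings = {"soa": soa_summary(records), "hinfo": [], "external_ns": [],
                "mx": [], "role_hosts": [], "timer_warnings": []}
    for owner, rrtype, rdata in records:
        if rrtype == "HINFO":                      # hardware and OS type leak
            findings["hinfo"].append((owner, rdata[0], rdata[1]))
        elif rrtype == "NS":                       # name servers you do not run
            target = rdata[0].lower().rstrip(".")
            if not (target == zone or target.endswith("." + zone)):
                findings["external_ns"].append((owner, target))
        elif rrtype == "MX":
            findings["mx"].append((int(rdata[0]), rdata[1].lower().rstrip(".")))
        if owner != zone and owner.split(".")[0] in ROLE_LABELS:   # fw, gw, db, ...
            findings["role_hosts"].append((owner, rrtype, " ".join(rdata)))
    findings["mx"].sort()
    soa = findings["soa"]
    # A secondary that misses one refresh and one retry would already expire
    # the zone (and stop answering) if expire is not larger than their sum.
    if soa and soa["expire"] <= soa["refresh"] + soa["retry"]:
        findings["timer_warnings"].append("expire is not larger than refresh + retry")
    return findings


if __name__ == "__main__":
    result = review_zone(SAMPLE_ZONE, "usenix.org")
    soa = result["soa"]
    print("contact:", soa["contact"], "| refresh/retry/expire/minimum:",
          soa["refresh"], soa["retry"], soa["expire"], soa["minimum"])
    for key in ("hinfo", "external_ns", "mx", "role_hosts", "timer_warnings"):
        print(f"{key}: {result[key]}")
```

Feed it the output of a transfer from your own secondary (converted to the "owner TYPE rdata" form that dig and most zone dumps already use) and compare the role_hosts and hinfo lists against what you actually want the world to know.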


DNS Poisoning

Jizz
www.packetstormsecurity.org/spoof/unix-spoof-code/ [ PacketStorm ]
• A small DNS server
• When queried responds with bogus info in additional records
- we have modified it to support general purpose replies (not the hard coded one that comes with the program)
• Need to get victim DNS server to ask your Jizz server a question


Running Jizz

Run Jizz on your system
Register yourself as an authoritative DNS server for some (made up) domain
Query the target DNS server (the one you want to poison) for a name that only your DNS server (Jizz) would know the answer to
• dig @target xxx.foobar.com
• Send email to "[email protected]" through target
- remember the email name from the zone transfer?
Jizz responds with an answer to the original host query AND bogus additional records


Jizz Diagram

[Diagram: a client sends a DNS request for host1.foobar.com to server=target.com (1); target.com's DNS forwards it to the foobar.com DNS server, which is Jizz (2); Jizz replies (3).]

1. BIND request to target DNS server for host name it can't resolve
2. target DNS server redirects request to DNS server (Jizz) that CAN resolve the name
3. Jizz server returns name/address information AND "additional information" as well: like: new address for microsoft or yahoo or WHATEVER!


Jizz Process Flow

[Diagram: Jizz, serving as the name server for host1.foobar.com, holds the poison data "www.bradcj.gov IN A 5.6.7.8"; the target (a DNS server with the BIND cache vulnerability) forwards the query "host1.foobar.com." from port 53 to Jizz (3), and Jizz's reply carries the poison in the additional records (4).]

Poison Data: www.bradcj.gov IN A 5.6.7.8

Packet from target: Port 53 host1.foobar.com.

    dig @target host1.foobar.com
    ; <<>> DiG 2.1 <<>> @target host1.foobar.com
    ;; QUESTIONS:
    ;;      host1.foobar.com, type = A, class = IN

    ;; ANSWERS:
    host1.foobar.com.       600     A       127.0.0.1

    ;; ADDITIONAL RECORDS:
    www.bradcj.gov.         600     A       5.6.7.8


DNS Poisoning Methods

[Diagram of the DNS data paths and the numbered points where poisoning can be attempted: (1) queries from a remote caching server to the master; (2) dynamic updates from a network/remote admin to the primary master; (3) and (4) zone transfers from the primary master to master (secondary) servers; (5) answers from the remote caching server back to the resolver. Zone files are maintained by the sysadmin. Legend: SysAdmin, TSIG, Server-Server, Server-Client.]


DNS Poisoning Methods (cont.)

jizz is a demonstration program that exploits a weakness in "earlier" versions of BIND; it is an EXAMPLE of DNS poisoning, there are MANY ways to achieve the same result
• Force data into a DNS server cache (e.g., jizz)
• Reply to a client's BIND request before a server does
- Birthday attack: DNS transaction ID
- dsniff: dnsspoof
• Force data into the client OS name server cache
• Force data into the client OS name server file definition
• Force data into the client browser name cache


DNS Medicine

Run "as current" BIND version as you can
• Upgrade to at least 8.4, or better yet...
• Upgrade to version 9
- DNS Security
  . DNSSEC (signed zones)
  . TSIG (signed DNS requests)
- IP version 6
  . Answers DNS queries on IPv6 sockets
  . IPv6 resource records (A6, DNAME)
- Rewritten code base
  . smaller, less complex, attention to coding practices (e.g., buffer overflow problems)
• Push your ISP to run current BIND if they handle your DNS
- how many ISPs do you have?
• Disallow, control, or wrap DNS queries
- Many sites use external/internal (split) DNS servers


US Cyber Security Strategy council admits that DNS Security is an underpinning of the architecture and yet is too complex and expensive for many ISPs and companies to deploy: assignment, management, and processing of keys, signatures, and certificates and operator support is just too much.


DNS Medicine (cont.)

Foiling DNS attacks - Jay Beale
www.bastille-linux.org/jay/defending-dns.html

Configuration decisions
• Define appropriate allow-transfer and allow-query values
• chroot the server
• HINFO and TXT record decision
- remove from zone data file or use split DNS
• Header decision
- obscure or change version - to make it hard for script kiddies

Other DNS help
• www.acmebw.com/resources/papers/securing.pdf
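Two of the configuration decisions above (allow-transfer/allow-query values and the version header) live in named.conf, so they can be checked mechanically. The block below is an added example, not code from the slides, from SystemExperts or from ISC: it walks the top-level blocks of a named.conf with a small brace matcher and reports a zone left open to transfers or a server that still reports its real version. Both configurations are constructed for the example (WEAK_CONF leaves transfers and the version banner open, HARDENED_CONF restricts them); the parser handles the common options-plus-zones shape, not comments or include files.

```python
"""Audit named.conf transfer and version decisions (added example, not from the slides)."""
import re

# Constructed configurations for the example; neither is a real deployment.
WEAK_CONF = """\
options {
    directory "/var/named";
    allow-query { any; };
};

zone "example.org" {
    type master;
    file "example.org.zone";
};
"""

HARDENED_CONF = """\
options {
    directory "/var/named";
    version "not disclosed";
    allow-query { any; };
    allow-transfer { none; };
};

zone "example.org" {
    type master;
    file "example.org.zone";
    allow-transfer { 192.0.2.2; 192.0.2.3; };
};
"""


def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement."""
    i = 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        header = text[i:start].strip().strip(";").strip()
        depth, j = 1, start + 1
        while depth and j < len(text):          # match the closing brace, nesting allowed
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield header, text[start + 1:j - 1]
        i = j


def address_list(body, statement):
    """Return the entries of `statement { a; b; };` inside body, or None if absent."""
    m = re.search(r"(?<![\w-])" + re.escape(statement) + r"\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [tok.strip() for tok in m.group(1).split(";") if tok.strip()]


def audit_named_conf(text):
    """Return a list of findings for the slide's decisions; an empty list means none."""
    findings = []
    blocks = list(top_level_blocks(text))
    options = next((body for header, body in blocks if header == "options"), "")

    # Header decision: without a version statement, named answers version.bind
    # queries with its real version string.
    if not re.search(r'(?<![\w-])version\s+"[^"]*"\s*;', options):
        findings.append("options: no version statement; real BIND version is disclosed")

    # Transfer decision: BIND of the slides' era allowed transfers to any host
    # unless allow-transfer restricted them globally or per zone.
    global_xfer = address_list(options, "allow-transfer")
    if global_xfer is None:
        findings.append("options: no allow-transfer; zones inherit 'any'")
    elif "any" in global_xfer:
        findings.append("options: allow-transfer { any; }")

    for header, body in blocks:
        if not header.startswith("zone"):
            continue
        m = re.search(r'"([^"]+)"', header)
        name = m.group(1) if m else header
        xfer = address_list(body, "allow-transfer")
        if xfer is None and (global_xfer is None or "any" in global_xfer):
            findings.append(f"zone {name}: zone transfer open to any host")
        elif xfer and "any" in xfer:
            findings.append(f"zone {name}: allow-transfer {{ any; }}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_named_conf(conf) or ['no findings']}")
```

allow-query is deliberately not flagged: { any; } is the right answer for an external server and the wrong one for an internal server, so that decision depends on which half of a split DNS the file belongs to.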


What the Hacker KnOwZ...about DNS

DNS exploits are a HUGE opportunity
• Is the underpinning and "authentication" mechanism for most of the common and important services (e.g., HTTP, FTP, TELNET, mail, NFS, login*, SSH, etc.)
• Target of many "hacking" efforts

In all likelihood, you have to depend on servers that you don't manage or own (e.g., your ISP)!

next...SNMP


Where are We?

Profiling
• Methodology
• Example Profile #1
• Example Profile #2

Discovery and Profiling Tools
• typhon, nessus, dsniff, Nikto, and lots more!

Intrusions
• Awareness/Statistics
• Examples
• Common Areas

Protocols
• DNS
• SNMP
• Handheld (PocketPC)
• Web Infrastructure


SNMP

Simple Network Management Protocol
• Agents
- collect data (MIB), provide data to managers, and respond to commands
• Managers
- interface for controlling and observing agent data

Four functions (it is called Simple)
• get (read data)
• set (change data)
• trap (agent sends an alert to a manager)
• inform (manager sends an alert to another manager)

[Chart: "Network Management Preference - Which method do you primarily use for managing your networks?"; answer options include vendor-proprietary and neither.]


SNMP Architecture

SNMP Message
• Version Number (>= 1)
• Community String
• PDUs
- Get/GetNext/Set operations: Request ID, Error Status, Error Index, OID Item/Value Pair(s)
- Trap operations: Triggered OID, Agent IP Address, Generic ID, Specific ID, Time Stamp, OID Item/Value Pair(s)

SNMP Security
[Flow chart: message is passed to agent -> community string validation -> invalid: request is denied / valid -> IP address validation -> invalid: request is denied / valid -> resource access granted]


Default MIB Overview: MIB-II (Management Information Block)

• System Group
• Interfaces Group - quantity, type, characteristics
• AT Group - interface address mappings
• IP Group - metrics, mappings
• ICMP Group - metrics
• TCP Group - metrics, connections
• UDP Group - metrics, connections
• EGP Group - metrics, neighbors
• SNMP Group - metrics


MIB Group Example

    tcpConnTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF TcpConnEntry
        ACCESS      not-accessible      {read-only, write-only, read-write}
        STATUS      mandatory           {optional, obsolete}
        DESCRIPTION
            "A table containing TCP connection-specific information."
        ::= { tcp 13 }

    tcpConnEntry OBJECT-TYPE
        SYNTAX      TcpConnEntry
        ACCESS      not-accessible
        STATUS      mandatory
        DESCRIPTION
            "Information about a particular current TCP connection."
        INDEX       { tcpConnLocalAddress, tcpConnLocalPort,
                      tcpConnRemAddress, tcpConnRemPort }
        ::= { tcpConnTable 1 }


Network Management Behavior: 27 Default Parameters that can Change

• System contact, name, and location
• Interface state (up, down)
• Media physical address
• Network (IP) address
• IP state (gateway forwarding or not)
• IP TTL value
• IP next HOP address
• IP route age and mask
• TCP state (terminate connection)
• Neighbor state (start and stop communication)
• Enable SNMP traps

How about your wireless Access Points: ...you changed the strings on that, right? ...and the management password too, right?


SCOTTY SNMP Overview

• snmp session -address w.x.y.z -community 2ez2ez
- also -port, -version, -writecommunity, -user, -password, etc.
- returns a session handle (snmp0 below) on which the operations are invoked

    snmp0 get sysDescr.0
    snmp0 get "sysDescr.0 sysName.0 sysContact.0"
    snmp0 walk x "tcpConnTable" { puts $x }
    snmp0 set [list ipDefaultTTL.0 "254"]


SCOTTY SNMP Source

    proc SnmpDiscover {net delay window retries timeout} {
        # community string comes from the caller's global "password" variable
        global password
        for {set i 1} {$i < 255} {incr i} {
            set s [snmp session -address $net.$i -delay $delay -window $window \
                       -retries $retries -community $password -timeout $timeout]
            # asynchronous get: the script body runs when the reply (or timeout) arrives
            $s get sysDescr.0 {
                if {"%E" == "noError"} {
                    set d [lindex [lindex {%V} 0] 2]
                    regsub -all "\[\n\r\]" $d "" d
                    puts "[%S cget -address]\t$d"
                }
                %S destroy
            }
            update
        }
        snmp wait
    }


SNMP Exposures

Data Gathering (this is huge)
• Hardware and software profiles
- data is dynamic real-time information
• Network topology
- data is dynamic real-time information
• Administrative environment characteristics
- data is static and manually defined

Network management behavior (this is even
• Modify administrative parameters


SNMP Medicine

SNMPv3 (RFC 2570) - used in conjunction with SNMPv2 (preferred) or SNMPv1
• Security features
- encryption and authentication
• Reference material
- www.snmp.com/snmpv3/index.html
- www.ietf.org/html.charters/snmpv3-charter.html
- www.15seconds.com/issue/020723.htm
- Sys Admin, Network Security, May 2000, Vol. 9 #5, Eric Davis p. 43, "SNMPv3 - User Security Model"
• Vendors waiting in the wings
- Bay Networks, BMC Software, Cisco Systems, Hewlett-Packard Co., Liebert Corp., SNMP Research International and Tivoli Systems


SNMP Medicine (cont.)

• Community string naming strategy
  - Should be similar to username/password policies
• Use router/firewall (DMZ) IP address and service port filtering
• Disable SNMP agents on systems not being probed by network management software
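
The SnmpDiscover loop on the SCOTTY slide walks every address of a /24 asking for sysDescr.0, and the two "SNMP Medicine" slides are what blunts it: filtering, disabled agents, and community strings held to a password policy. As an added example (not from the slides), here is a small Python audit over constructed SNMP request log lines that flags that one-source-many-agents fan-out and grades each community string against a password-style policy; the log format, the sweep thresholds and the policy rules are assumptions made for this example.

```python
"""Detect SNMP discovery sweeps and weak community strings in request logs.

Added example, not from the original slides. The log format is constructed
for this example: one line per SNMP GET seen at a sensor, shaped as
"<ISO timestamp> src=<ip> dst=<ip> community=<string>".
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample: 192.168.1.50 walks 192.168.1.1, .2, .3 ... with the
# community string "public" within a few seconds (the SnmpDiscover pattern),
# while the management station 192.168.1.10 polls its two usual agents.
SAMPLE_LOG = """\
2004-04-21T11:49:00 src=192.168.1.50 dst=192.168.1.1 community=public
2004-04-21T11:49:00 src=192.168.1.50 dst=192.168.1.2 community=public
2004-04-21T11:49:01 src=192.168.1.50 dst=192.168.1.3 community=public
2004-04-21T11:49:01 src=192.168.1.50 dst=192.168.1.4 community=public
2004-04-21T11:49:02 src=192.168.1.50 dst=192.168.1.5 community=public
2004-04-21T11:49:02 src=192.168.1.50 dst=192.168.1.6 community=public
2004-04-21T11:49:03 src=192.168.1.50 dst=192.168.1.7 community=public
2004-04-21T11:49:03 src=192.168.1.50 dst=192.168.1.8 community=public
2004-04-21T11:48:00 src=192.168.1.10 dst=192.168.1.254 community=Nms-r0-Tr7q!
2004-04-21T11:53:00 src=192.168.1.10 dst=192.168.1.254 community=Nms-r0-Tr7q!
2004-04-21T11:53:00 src=192.168.1.10 dst=192.168.1.253 community=Nms-r0-Tr7q!
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) community=(\S+)$")

# Widely shipped factory defaults; the policy treats them as known-weak.
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_log(text):
    """Return (timestamp, src, dst, community) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return records


def find_sweeps(records, min_hosts=5, window_seconds=60):
    """Map each source that queried >= min_hosts distinct agents within one
    window to the number of agents it reached.

    A discovery loop that walks an address range produces exactly this
    fan-out; a management station polling a fixed, small set of agents does not.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _ in records:
        by_src[src].append((ts, dst))
    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct destinations reached within window_seconds of this hit.
            hosts = {dst for ts, dst in hits[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                sweeps[src] = len(hosts)
                break
    return sweeps


def community_policy_violations(community):
    """Apply a password-style policy (assumed for this example) to one community string."""
    problems = []
    if community.lower() in DEFAULT_COMMUNITIES:
        problems.append("factory default")
    if len(community) < 8:
        problems.append("shorter than 8 characters")
    classes = sum(bool(re.search(p, community)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


def audit(text):
    """Run both checks over a log and return {"sweeps": ..., "weak_communities": ...}."""
    records = parse_log(text)
    weak = {c: community_policy_violations(c) for _, _, _, c in records}
    return {"sweeps": find_sweeps(records),
            "weak_communities": {c: p for c, p in weak.items() if p}}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for src, n in report["sweeps"].items():
        print(f"sweep: {src} queried {n} agents within the window")
    for c, problems in report["weak_communities"].items():
        print(f"weak community {c!r}: {', '.join(problems)}")
```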

What the Hacker KnOwZ...about SNMP

Incredibly rich, accurate, and relevant information

Many organizations either forget about managing SNMP, or manage it quite loosely

next... Handhelds (PocketPC)

Where are We?

• Profiling
  - Methodology
  - Example Profile #1
  - Example Profile #2
• Discovery and Profiling Tools
  - typhon, nessus, dsniff, Nikto, and lots more!
• Intrusions
  - Awareness/Statistics
  - Examples
  - Common Areas
• Protocols
  - DNS
  - SNMP
  - Handheld (PocketPC)
  - Web Infrastructure

Handheld (PocketPC)

• Essentially the same threats as a laptop or desktop
  - Except portability exacerbates many issues
• Full TCP/IP stack
• PocketPC is running Windows CE, which has the version-dependent capability to do anything a Windows box can do (it's based off of the Windows source tree)
  - Web server
  - File sharing
  - .NET framework
    • smart clients, web services, servers, developer tools

Handheld (PocketPC) (cont.)

Obvious threats
• Direct access
  - Found, stolen, borrowed from cradle
  - Access to (confidential) data in memory or on storage cards, depending on security mechanisms
  - Storage cards without encryption
• Wireless sniffing
  - Eavesdropping, active content modification, packet injection
• Inappropriate authentication
  - No login password, obvious password
• Configuration problems
  - Unapproved applications loaded
  - Unapproved protocols or services running
• Synchronization issues
  - Virus/trojan download

Handheld (PocketPC) (cont.)

Not so obvious threats
• Access to backup data
  - Synchronized data copied to local or distributed file system
  - Files backed up to other media or systems
• File access to device in cradle
  - Which might be done over the network: PCAnywhere, Remote Desktop (with Internet Explorer)
• Wireless network exposures
  - Active probing (scanning) of handheld in "foreign" wireless networks
  - Network applications "waking up" and performing operations in foreign networks (e.g., mail send)

Access to Backup Data

During the setup process
• Select synchronize
• Create synchronization folder

[Screenshot: two ActiveSync setup dialogs. "Specify how to synchronize data - Choose to synchronize with your desktop and/or a server. You can synchronize data, such as e-mail messages and ... device and this desktop computer. However, if you have ... Server with Exchange ActiveSync, you can also choose ... synchronize directly with a server, getting the most up-to-... desktop computer is turned off. How do you want to synchronize with your device? (o) Synchronize with this desktop computer ( ) Synchronize with Microsoft Exchange Server and/or ... (Note: You must have access to Microsoft Exchange ... or Microsoft Mobile Information Server.)" and "A Synchronized Files folder will be created on your desktop computer. Place files that you want to synchronize into this folder. Microsoft ActiveSync may need to convert files when synchronizing between your mobile device and this desktop computer. Note: A converted file may not contain all information found in the original file."]

Access to Backup Data (cont.)

• Insert handheld into cradle
  - no authentication required!
• Notice Windows Explorer

[Screenshot, "Not in cradle after sync": Windows Explorer folder tree with a "MyPocketPC My Documents" folder (Business, Personal, Templates) under My Documents; My Computer shows Floppy (A:), Local Disk (C:), SystemExperts lo (D:), Backup (E:), Control Panel, Shared Documents, Brad Johnson's Documents, My Network Places, Norton Protected Recycle Bin and My Briefcase. Status bar: 22 objects, 394 KB.]

[Screenshot, "In cradle after sync": the same tree now also shows a "Mobile Device" object under My Computer containing the handheld's My Documents (Business, Personal, Templates). Status bar: 4 object(s).]

File Access to Device in Cradle

• Insert handheld into cradle
• Automatic login and synchronization
• Desktop object becomes "active"

[Screenshot: Microsoft ActiveSync window reporting "Connected" and "Synchronized", with the Information Type / Status list: Calendar, Contacts, Tasks, Favorites (Synchronized), Inbox ("Updating folder hierarchy..."), Files (Synchronized). Alongside, Windows Explorer shows the "Mobile Device" object under My Computer; status bar: 53 items, 810 KB.]

File Access to Device in Cradle (cont.)

Note created on handheld called "New File" is copied to local sync folder

[Screenshot: Windows Explorer showing Mobile Device \ MyPocketPC \ My Documents \ Personal with one object, "New file.pwi" (424 bytes, InkWriter/Note Taker, modified 4/21/2004 11:49). A second Explorer window shows the same file in the local sync folder C:\My Stuff\MyPocketPC My Documents (1 object, 424 bytes).]

File Access to Device in Cradle (cont.)

• Second note created on handheld "Second New File"
• Handheld inserted into cradle WITHOUT automatic sync
• File is copied from "Mobile" resource object and opened!

[Screenshot: Microsoft ActiveSync reporting "Connected" and "3 items not synchronized" (Calendar, Contacts, Tasks, Favorites: Synchronized; Inbox: 2 items not synchronized; Files: 1 item not synchronized), and "Second new file.pwi" open in Microsoft Word.]

Probing of handheld in "foreign" wireless networks

• Enable Apple Airport Extreme base station
  - Running firmware v5.4
  - Connected via Ethernet to LinkSys Etherfast Cable Router
  - Router offering DHCP in the protected 192.168.1 range starting at 100
• Enable the iPAQ Wireless WLAN service
  - Detects the wireless networks, associates with broadcast SSID without WEP enabled
  - Gets IP address from LinkSys DHCP server
  - Establishes full connection

Probing of handheld in "foreign" wireless networks (cont.)

[Screenshot: the LinkSys "DHCP Active IP Table" (DHCP Server IP Address 192.168.1.1) listing client hostnames including cx365547-a, JohnsonDesktop, bradlaptop and MyPocketPC with leased addresses 192.168.1.100 through 192.168.1.106 and their MAC addresses. From a command prompt on the same network the handheld's address is pinged:]

    C:\>ping 192.168.1.106

    Pinging 192.168.1.106 with 32 bytes of data:

    Reply from 192.168.1.106: bytes=32 time=4ms TTL=128
    Reply from 192.168.1.106: bytes=32 time=4ms TTL=128
    Reply from 192.168.1.106: bytes=32 time=3ms TTL=128
    Reply from 192.168.1.106: bytes=32 time=4ms TTL=128

    Ping statistics for 192.168.1.106:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 3ms, Maximum = 4ms, Average = 3ms

What the Hacker KnOwZ...about Handhelds

• Handhelds have (essentially) the same protocol and service capabilities as a laptop
• All handhelds have a life-cycle that requires docking with the mother-ship (the cradle and the synchronization process)
• The device is a fully addressable wireless network object that "wants" to reach out and be touched

next... Web Infrastructure

Web Exposures

• Protocol Issues
  - HTTP, HTTPS
  - SSL
    • Certificates (granting, revoking)
  - (DNS) Name lookup
  - Web Spoofing
• Application Source
  - FORMS and page input rewriting
  - HTML, ActiveX, Java*, other client-side code
  - Cookie modification
• Server Issues
  - Server configuration exploits
  - Distribution example exploits

Web Protocol - Web Spoofing

• Used to "take over" an entire site
  - You might ask for that!
    • www.anonymizer.com/ (Anonymous surfing)
      e.g., anon.free.anonymizer.com/http://www.systemexperts.com
    • www.shodouka.com/ (View Web in Japanese)
      e.g., www.lfw.org/shodouka/http://www.netscape.com/ja/
• Allows traffic to be intercepted and changed
• Requires some vigilance by user to detect
  - Detection not likely in mass market situations
  - e.g., does your mother, uncle, mechanic, or neighbor know...
    • What a URL is?
    • What a valid CERT looks like?
    • What a fingerprint is for?
    • How to read HTML source?

Anonymizer

[Screenshot: the Anonymizer.com "Privacy Diagnostic" page in Microsoft Internet Explorer, Test #5: Your Browser and Operating System, reporting "Your Browser is: Microsoft Internet Explorer", "Your Operating System is: Windows 98" and "JavaScript is working". The index lists the other tests: Your IP Address, Hidden Tracking Files, Exposed Clipboard, Hack & Exploit Vulnerability, Geographical Location, Your Network.]

Web Spoofing Example

[Screenshot: the SystemExperts "Literature" page viewed through Anonymizer in Microsoft Internet Explorer. The title bar reads "SystemExperts - Literature [Protected by proxy31.anonymizer.com]" and an Anonymizer toolbar ("Anonymizer protection is now active", "Jump to: http://", "Upgrade Now", "Why Upgrade?") sits above the page. The page lists Technical White Papers in PDF format: "Wireless 802.11 LAN Security: Understanding the Key Issues" (Brad C. Johnson, SystemExperts Corporation); "Wireless 802.11 Security: Questions and Answers to Get Started" (Brad C. Johnson, SystemExperts Corporation); "Internet Penetration Testing: A Seasoned Perspective" (Brad C. Johnson, SystemExperts Corporation); "Hardening Windows 2000" (Philip C. Cox, SystemExperts Corporation); "How Web Spoofing Works" (Brad C. Johnson, SystemExperts Corporation).]

Understanding URL Deconstruction

• Protocol://username:password@host:port/pathname#hash?search
  - Protocol is up to and including the first colon (client: e.g., browser)
  - username:password for basic authentication, otherwise ignored data
  - Host is the domain name/IP (DNS)
  - The port that the server uses for communications (socket connect)
  - Pathname is the URL-path (file) portion of the URL (file system)
  - Hash is an anchor name fragment in the URL, including the hash mark (#) -- this applies to HTTP URLs only (HTTP server)
  - Search is any query information in the URL, including the question mark -- this applies to HTTP URLs only: the search string contains variable and value pairs; each pair is separated by an ampersand (server application)
• Examples
  - http://www.systemexperts.com
  - http://www.systemexperts.com:80/index.htm
  - http://ignore:[email protected]:8080/http://www.systemexperts.com

Web Spoofing explained

Walk through:
• The wanted URL is prefaced with the intruder's URL
• Normal HTTP protocol will handle this just fine
• The intruder site calls the REAL site and asks for the requested URL information
• The REAL site returns the page as requested to the intruder
• The intruder site massages the data (to change all URL references) and returns it to you
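
The URL deconstruction slide and the walk-through above make one point: the host a browser actually connects to is what sits between the "@" (if any) and the first "/", so a rewriting proxy can carry the wanted URL inside its own pathname. As an added example (not from the slides), this Python code splits a URL into the slide's parts with the standard library's urllib.parse and reports the indicators of a rewritten link; www.intruder.com is the intruder host named on the slides, and the password value and the sample link list are constructed placeholders for this example.

```python
"""Deconstruct a URL into the slide's parts and flag web-spoofing (rewritten link) shapes.

Added example, not from the original slides. Standard library only;
the sample URLs are constructed for this example.
"""
from urllib.parse import urlsplit

# Default ports, so a URL without an explicit port still reports one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def deconstruct(url):
    """Split a URL into protocol, username, password, host, port, pathname, search, hash."""
    p = urlsplit(url)
    return {
        "protocol": p.scheme + ":",           # up to and including the first colon
        "username": p.username,               # basic-auth userinfo, otherwise ignored
        "password": p.password,
        "host": p.hostname,                   # the name DNS is actually asked for
        "port": p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme),
        "pathname": p.path,                   # the URL-path (file) portion
        "search": ("?" + p.query) if p.query else "",
        "hash": ("#" + p.fragment) if p.fragment else "",
    }


def effective_host(url):
    """The host the browser will connect to, whatever the URL text suggests."""
    return deconstruct(url)["host"]


def spoofing_indicators(url):
    """Reasons a link looks like a web-spoofing (rewriting proxy) URL.

    The walk-through prefaces the wanted URL with the intruder's URL, so the
    real destination ends up inside the pathname of a request to another
    host. A userinfo block lets the visible text begin with the expected host
    name, and a rewriting server often listens on an odd port.
    """
    c = deconstruct(url)
    reasons = []
    if "://" in c["pathname"]:
        reasons.append("path embeds another URL: " + c["pathname"].lstrip("/"))
    if c["username"] is not None or c["password"] is not None:
        reasons.append("userinfo present: host is what follows '@', not what precedes it")
    if c["port"] not in DEFAULT_PORTS.values():
        reasons.append(f"non-standard port {c['port']}")
    return reasons


def audit_links(urls):
    """Map each suspicious link to the host it really connects to and why it was flagged."""
    report = {}
    for u in urls:
        reasons = spoofing_indicators(u)
        if reasons:
            report[u] = {"connects_to": effective_host(u), "reasons": reasons}
    return report


# Constructed sample: the slide's three examples (with a placeholder password)
# plus one rewritten link of the kind seen in the anonymizer page source.
SAMPLE_LINKS = [
    "http://www.systemexperts.com",
    "http://www.systemexperts.com:80/index.htm",
    "http://ignore:PLACEHOLDER_PW@www.intruder.com:8080/http://www.systemexperts.com",
    "http://anon.free.anonymizer.com/http://www.systemexperts.com/tutors/webspoof.pdf",
]

if __name__ == "__main__":
    for link, info in audit_links(SAMPLE_LINKS).items():
        print(link)
        print("  connects to:", info["connects_to"])
        for r in info["reasons"]:
            print("  -", r)
```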

Web Spoofing Diagram

[Diagram: the browser at You.Com follows a link carrying the modified URL http://bad.com/http://good.com/file; the Bad.Com WWW server calls Good.Com to get the file, changes the data in its copy of the file, and returns it to You.Com.]

Web Spoofing: How does that work again?

You, the bad guy, must have an HTTP server that somehow gets in the middle of the client and the intended target. To be successful you need:
• Web server
  - Apache, IIS, etc.
• An IP address
• Your server does URL rewriting
  - http://www.SystemExperts.com ... is changed to...
  - http://www.intruder.com/http://www.SystemExperts.com

Web Spoofing Example (cont.)

[Screenshot: the saved page source (literature[1] - Notepad). Every link on the Literature page has been rewritten to pass back through the anonymizer, e.g.:]

    <P><FONT CLASS="text"><A HREF="http://anon.free.anonymizer.com/http://www.systemexperts.com/tutors/HardenW2K101.pdf" TARGET="_blank"><I>"Hardening Windows 2000"<BR></I></A>Philip C. Cox, SystemExperts Corporation</FONT>
    ... <A HREF="http://anon.free.anonymizer.com/http://www.systemexperts.com/tutors/webspoof.pdf" TARGET="_blank"><I>"How Web Spoofing Works"<BR></I></A>Brad C. Johnson, SystemExperts Corporation</FONT>
    <P><FONT CLASS="text"><A HREF="http://anon.free.anonymizer.com/http://www.systemexperts.com/tutors/NT_Login_3.0.pdf" TARGET="_blank"><I>...</I></A>Philip C. Cox, SystemExperts Corporation and<BR>Paul B. Hill, Massachusetts Institute of Technology</FONT>

How do you Get in the Middle?

Easier
• DNS Poisoning (direct)
• Register a confusing or false URL entry in a search engine (indirect)
• Have a "convincing" message using FAX, email, ad, or letter that encourages somebody to use your site (indirect)

Harder
• Hack into the target server system (direct)
• Force (e.g., arpspoof) DNS requests to your special DNS server (direct)
• You pay/bribe somebody who controls an important DNS server (indirect)

How do you Get in the Middle? Part II

• Another new approach called Web Page Pointer Theft (related to registering a confusing or false URL)
  - People steal/copy your meta tag data
  - potentially download your entire site!
  - Then push their site (with your info) into search engines
  - End-users get tricked into thinking the "bad guys" are offering some desirable service and find themselves automatically transferred to someplace else

Cut/Paste HTML from Top 5 Bank Web Site

    <meta name="robots" content="index,follow">
    <meta name="keywords" content="bank, banks, banking, banking center, banking centers, finance, financial, financial institution, financial planning, invest, investing, investment advice, investment advisers, investors, checking, checking account, checking accounts, cds, certificate of deposit, certificates of deposit, savings, savings account, savings accounts, iras, investment retirement account, roth ira, education ira, traditional ira, online banking, bank online, online, mortgage, mortgages, fha, conventional mortgage, refinance, refi, consumer loans, home equity, heloc, home equity line of credit, equity builder, home equity loan, auto loan, auto insurance, automobile loan, automobile insurance, credit card, credit cards, visa, mastercard, check card, visa check card, business banking, small business banking, business checking, business savings, business center, online business">

Web Application Source: Things are different from "before"

Web applications are fundamentally different from historical business applications
• Much of the code is on-line
• Input data comes from an unpredictable source
• More likely that bad guys have access

Classes of problems include
• Keeping track of state
  - modified pages
• Threshold input handling
  - special characters and practices
• Web server exposures
  - distribution exploits

Web Application Security Initiative

• OWASP: The Open Web Application Security Project
  - www.owasp.org
• Development projects
  - WebScarab: Java program to spider a Web site for vulnerabilities (Nikto, whisker)
  - filters: 10 sanitization components (check parameters)
• Documentation projects
  - Guide to building secure Web applications and Web services
    • version 2.0 soon!
  - Guide to testing security of these applications and services

OWASP

Top 10 Web application vulnerabilities
• Unvalidated parameters
• Broken access control
• Broken account and session management
• Cross site scripting flaws
• Buffer overflows
• Command injection flaws
• Error handling problems
• Insecure storage
• Denial of service
• Insecure configuration management

WebSleuth

[Screenshot: WebSleuth (Browser tab, with Properties, Toolbox, Plugins, Favorites and Filter controls) loading the Fidelity login page https://login.fidelity.com/ftgw/Fidelity/RtlCust/Login/Init... The rendered page offers logins for Mutual Fund / Annuity / Fidelity accounts (SSN or Customer ID, PIN), for 401(k), 403(b), 401(a), 457 and Stock Plan accounts via NetBenefits, and for the Giving Account via the Charitable Gift Fund, plus PIN help (Establish a PIN, Change your PIN or Password), "Open an Account" and a "Trading in Fast Changing Markets" notice.]

WebSleuth (cont.)

[Screenshot: WebSleuth "Source" view of the Fidelity login page, with Find / Replace / Colorize controls and its Links, Cookie Check and POST panels. The source shows a client-side cookie check: a <SCRIPT> that tests document.cookie.length and, when it is zero, writes "Your browser has been configured to block cookies from being set ... To log in to Fidelity.com, you must have cookies enabled. Learn more About Cookies and how to enable them."; a <NOSCRIPT> block ("STOP! Your current browser does not have JavaScript enabled or you are using a browser that does not support JavaScript. In order to benefit from all available online tools you will need to enable JavaScript."); and the primary login form, <FORM id=loginForm name=loginForm onsubmit="return disallowSpacesInSSN()" action=/ftgw/Fidelity/RtlCust/Login/Response method=post>. The Links panel lists the fidelity.com URLs referenced by the page.]

WebSleuth (cont.)

WebSleuth report for http://www.google.com/ (tool output, shown as a screenshot in the original and reflowed here)

Page: http://www.google.com/
Cookie: PREF=ID=76a4c79838735da9:TM=1849822468:LM=1849822468:S=ZFjRUmo1XIEfe_nB

Links:
  http://www.google.com/imghp?hl=en&tab=wi&ie=UTF-8&oe=UTF-8
  http://www.google.com/grphp?hl=en&tab=wg&ie=UTF-8&oe=UTF-8
  http://www.google.com/dirhp?hl=en&tab=wd&ie=UTF-8&oe=UTF-8
  http://www.google.com/nwshp?hl=en&tab=wn&ie=UTF-8&oe=UTF-8
  http://www.google.com/advanced_search?hl=en
  http://www.google.com/preferences?hl=en
  http://www.google.com/language_tools?hl=en
  http://www.google.com/ads/
  http://www.google.com/services/
  http://www.google.com/options/
  http://www.google.com/about.html

Images:
  http://www.google.com/images/logo.gif

Scripts:
  <!--
  function sf(){document.f.q.focus();}
  function c(p,l,e){var f=document.f;if(f.action && document.getElementById){var hf=document.getElementById("hf");if(hf){var t="<input type=hidden name=tab value="+l+">";hf.innerHTML=t;}f.action='http://'+p;e.cancelBubble=true;f.submit();return false;}return true;}
  // -->

  <!--
  if (!hp.isHomePage("http://www.google.com/")) {document.write("<p><a href=\"/mgyhp.html\" onClick=\"style.behavior='url(#default#homepage)';setHomePage('http://www.google.com/');\">Make Google Your Homepage!</a>");}
  // -->

Comments:
  No Comments in Document

Meta Tags:
  No Meta Tags in Document

Forms:
  GET - f - /search
  Form: f   Method: GET   Action: /search   Base URL: http://www.google.com/
    HIDDEN - hl=en
    HIDDEN - ie=UTF-8
    HIDDEN - oe=UTF-8
    TEXT   - q=
    SUBMIT - btnG=Google Search
    SUBMIT - btnI=I'm Feeling Lucky

(Other tool tabs visible in the screenshot: Cookies, Forms Data.)
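What WebSleuth is doing above, enumerating the links, images, scripts, comments, meta tags and form fields a page hands to the browser, can be reproduced with a few lines of standard-library Python. This is an added example, not code from the course or from WebSleuth: the page it parses is constructed here (its hidden CHK_PSWD and accountNumber fields and its USER_ID/TransactionNumber links mirror the kinds of client-side values discussed later in this section), and the state_candidates() heuristic together with its STATE_HINTS list is an assumption about which names are worth a second look.

```python
"""A minimal WebSleuth-style page inventory using only the standard library.
Added example, not code from the course or from WebSleuth; SAMPLE_PAGE is constructed
and the state_candidates() heuristic with its STATE_HINTS list is an assumption."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed page: the kind of login form and ID-bearing links this section talks about.
SAMPLE_PAGE = """<html><head><title>Account Login</title>
<meta name="generator" content="WebBuilder 2.1">
<script>function chk(f){return f.user.value!='';}</script>
</head><body>
<!-- TODO: remove debug bypass before release -->
<img src="/images/logo.gif">
<map name="nav"><area shape="rect" coords="15,170,290,228" href="/directory/page-code?USER_ID=1070"></map>
<form name="login" action="/cgi-bin/login.pl" method="post" onsubmit="return chk(this)">
  <input type="hidden" name="CHK_PSWD" value="NO" size="0">
  <input type="hidden" name="accountNumber" value="123456">
  <input type="text" name="user">
  <input type="password" name="pswd">
  <input type="submit" name="go" value="Log in">
</form>
<a href="/file.jsp?TransactionNumber=567&amp;debug=1">history</a>
</body></html>"""


class Sleuth(HTMLParser):
    """Collect what the browser is handed: links, images, scripts, comments, meta, forms."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.scripts = [], [], []
        self.comments, self.meta, self.forms = [], [], []
        self._in_script = False
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "area") and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "meta":
            self.meta.append(a)
        elif tag == "script":
            self._in_script = True
        elif tag == "form":
            self._form = {"name": a.get("name", ""), "action": a.get("action", ""),
                          "method": a.get("method", "get").upper(),
                          "onsubmit": a.get("onsubmit", ""), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append({"type": a.get("type", "text").lower(),
                                         "name": a.get("name", ""), "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._in_script and data.strip():   # script bodies arrive as data in CDATA mode
            self.scripts.append(data.strip())

    def handle_comment(self, data):
        self.comments.append(data.strip())


def sleuth(html):
    """Parse html and return the inventory as a dict."""
    p = Sleuth()
    p.feed(html)
    p.close()
    return {"links": p.links, "images": p.images, "scripts": p.scripts,
            "comments": p.comments, "meta": p.meta, "forms": p.forms}


# Name fragments that usually mean the server will trust the value back (assumption).
STATE_HINTS = ("id", "acct", "account", "user", "pswd", "passwd", "password",
               "chk", "session", "trans", "debug")


def state_candidates(report):
    """Hidden inputs, plus URL parameters whose names look like IDs, flags or session
    state: the values worth editing before resubmitting the page."""
    found = []
    for form in report["forms"]:
        for field in form["inputs"]:
            if field["type"] == "hidden":
                found.append(("hidden", form["action"], field["name"], field["value"]))
    for href in report["links"]:
        parts = urlsplit(href)
        for key, value in parse_qsl(parts.query):
            if any(hint in key.lower() for hint in STATE_HINTS):
                found.append(("url", parts.path, key, value))
    return found


if __name__ == "__main__":
    report = sleuth(SAMPLE_PAGE)
    for section in ("links", "images", "scripts", "comments", "meta", "forms"):
        print(f"{section}: {report[section]}")
    for kind, where, name, value in state_candidates(report):
        print(f"{kind:6s} {where:24s} {name}={value}")
```

Point it at a saved copy of any page and the hidden fields and ID-carrying links come out in one list; the comment and the inline script are the "design, intention, conventions and expectations" the closing slide of this section talks about.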


Keeping Track of State: What's the Deal?

• Fastest growing exploit area
• It's all about state information
  - HTTP is stateless, but.... essentially any non-brochure site needs state information to keep track of who's doing what, when, where, and how
• Where is state placed?
  . server (which is harder to develop and manage)
  . client (which is harder to trust)
• How is state shared or stored?
  . cookies
  . environment variables
  . URLs
  . dynamically generated page information
  . proprietary files
  . databases


Modified (client-side) Pages

• Change client-side HTML source
  - Download page
  - Save to disk
  - Edit page
  - Reload into browser (it's "just" a file open)
  - Send to server
• Debugging aid: values the page exposes that are worth changing before resubmitting
  . file = "/etc/passwd" vs. file = "http://url"
  . file = "http://url/cgi-bin/" vs. file = "http://url"
  . <INPUT TYPE=HIDDEN NAME="CHK_PSWD" VALUE="NO" SIZE=0>
  . <AREA SHAPE="RECT" COORDS="15,170,290,228" HREF="/directory/page-code?USER_ID=1070">
  . <TABLE ... background=/file.img;accountNumber=123456
  - HTTPS://www.company.com/file.jsp?TransactionNumber=567
• All of these are ID/state information that the server has handed to the client and will get back
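Server code that believes a hidden CHK_PSWD field or an accountNumber the browser sends back is exactly what the edit-and-resubmit procedure above exploits, and it is the concrete form of "client state is harder to trust" from the previous slide. The following added example (not code from the course) shows the trusting handler, then the same transaction with identity and the password-checked flag held in a server-side session keyed by an opaque token, and, for state that has to travel through the client, an HMAC tag so tampering is detected. The request body, session layout, field names and key are constructed assumptions.

```python
"""Client-held state: trusting it (vulnerable) beside binding it server-side (hardened).
Added example, not from the course; the request body, session layout, field names
and key are constructed assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs

# Constructed request body: what the attacker submits after saving the page to disk,
# flipping the hidden CHK_PSWD field to NO and editing the hidden account number.
TAMPERED_BODY = "CHK_PSWD=NO&accountNumber=123456&amount=500"


def form_fields(body):
    """Flatten a urlencoded body into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


# --- Vulnerable: authorization decided from values the browser sent back -------
def vulnerable_transfer(body, password_supplied):
    """The hidden CHK_PSWD flag says whether to check the password and the hidden
    accountNumber says which account pays, so the client decides both."""
    f = form_fields(body)
    if f.get("CHK_PSWD", "YES") == "YES" and not password_supplied:
        return {"status": "denied", "reason": "password required"}
    return {"status": "ok", "account": f["accountNumber"], "amount": int(f["amount"])}


# --- Hardened: identity and policy live on the server, keyed by an opaque token --
SESSIONS = {}   # token -> session record (assumed in-memory store; a database in practice)


def login(user, account):
    """Issue an unguessable session token; the browser only ever holds this handle."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "account": account, "password_checked": False}
    return token


def mark_password_checked(token):
    """Called by the server's own password verifier, never driven by a form field."""
    SESSIONS[token]["password_checked"] = True


def hardened_transfer(body, token):
    """Only the amount is taken from the form; who pays and whether the password was
    verified come from the server-side session, and any client copies are ignored."""
    sess = SESSIONS.get(token)
    if sess is None:
        return {"status": "denied", "reason": "no session"}
    if not sess["password_checked"]:
        return {"status": "denied", "reason": "password not verified"}
    try:
        amount = int(form_fields(body).get("amount", ""))
    except ValueError:
        amount = 0
    if amount <= 0:
        return {"status": "denied", "reason": "bad amount"}
    return {"status": "ok", "account": sess["account"], "amount": amount}


# --- If state must travel through the client, authenticate it --------------------
SERVER_KEY = b"assumed-server-only-key"   # in practice random, rotated, never in the page


def sign_state(state):
    """Serialize state and append an HMAC-SHA256 tag: readable by the client, not editable."""
    payload = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_state(blob):
    """Return the state dict if the tag verifies, else None (tampering detected)."""
    payload, sep, tag = blob.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def forge_state(signed_blob, state):
    """Attacker's move against signed state: swap in a new payload, keep the old tag."""
    payload = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    return payload + "." + signed_blob.rpartition(".")[2]


def demo():
    """Run the three scenarios and return their outcomes."""
    results = {"vulnerable": vulnerable_transfer(TAMPERED_BODY, password_supplied=False)}
    token = login("alice", "987654")
    results["hardened_before_password"] = hardened_transfer(TAMPERED_BODY, token)
    mark_password_checked(token)
    results["hardened_after_password"] = hardened_transfer(TAMPERED_BODY, token)
    results["hardened_bogus_token"] = hardened_transfer(TAMPERED_BODY, "not-a-real-token")
    signed = sign_state({"accountNumber": "987654"})
    results["signed_ok"] = verify_state(signed)
    results["signed_forged"] = verify_state(forge_state(signed, {"accountNumber": "123456"}))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} {outcome}")
```

The vulnerable handler moves 500 out of account 123456 with no password at all; the hardened one pays from the account the session was opened for, whatever the form says, and only after the server itself recorded the password check. The signed-state variant is the compromise for cookies and URLs that must carry state: the client can still read the value, but the edited copy fails verification.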


Secure Web Exposures

• Certificate problems
  . Not signed by a trusted Certificate Authority (CA)
    - "unknown CA, do you want to accept certificates signed by Microsoft from now on?"
  . Root CA certificates in browsers suspect
    - FORGED CERT PGP KEY: www.cert.org/contact_cert/PGP_warning.html
    - Unauthentic Microsoft Certificates: www.cert.org/advisories/CA-2001-04.html
  . Latent issues not resolved yet
    - (large scale) certificate replacement
    - (large scale) certificate revocation
  . IE SSL subject to undetected man-in-the-middle attack
    - www.thoughtcrime.org/ie-ssl-chain.txt
    - use arpspoof to take on the router's MAC address, make a request to the target server, inspect its certificate, create a new certificate with an identical Distinguished Name and sign it with an ordinary end-entity certificate (any certificate that chains to a trusted root, e.g., one issued for the attacker's own domain), and then perform the SSL handshake with the client. Done. No detection!
    - the flaw: IE did not check the basicConstraints extension, so a chain in which a CA:FALSE certificate acted as an issuer was accepted; a correct validator rejects that chain at the first non-CA link
  . Windows SSL trojan
    - www.eweek.com/article2/0,1759,1573825,00.asp?kc=EWRSS03119TX1K0000594
    - based on Windows exploits and patches in April '04
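The chain that ie-ssl-chain.txt describes (a trusted root, an ordinary end-entity certificate issued by it, and a forged certificate for the victim's name signed with that end-entity key) is easy to build locally, and building it is the quickest way to confirm that a validator you depend on enforces basicConstraints. This is an added example, not code from the course or from thoughtcrime.org: it drives the openssl command line from Python, so it assumes openssl 1.1.1 or newer on PATH; the names, files and extension contents are made up.

```python
"""Build the ie-ssl-chain.txt chain locally and check that a validator rejects it.
Added example, not from the course or thoughtcrime.org. Assumes the openssl command
line (1.1.1 or newer) on PATH; names, files and extension contents are made up."""
import os
import subprocess
import tempfile

# Minimal req config so we do not depend on the system openssl.cnf; -subj supplies the DN.
REQ_CONFIG = "[req]\ndistinguished_name = dn\n[dn]\n"
CA_EXT = "basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n"
EE_EXT = "basicConstraints = critical, CA:FALSE\n"


def _openssl(workdir, *args):
    """Run one openssl command inside workdir; raise if it fails."""
    return subprocess.run(["openssl", *args], cwd=workdir, check=True,
                          capture_output=True, text=True)


def _csr(workdir, name, cn):
    """Fresh RSA key plus a certificate request for cn, written as name.key / name.csr."""
    _openssl(workdir, "req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", "req.cnf",
             "-keyout", f"{name}.key", "-out", f"{name}.csr", "-subj", f"/CN={cn}")


def make_chain(workdir):
    """Write root.pem (trusted, CA:TRUE), leaf.pem (attacker's ordinary certificate
    issued by root, CA:FALSE) and forged.pem (victim's name, signed with the leaf key)."""
    for fname, content in (("req.cnf", REQ_CONFIG), ("ca.ext", CA_EXT), ("ee.ext", EE_EXT)):
        with open(os.path.join(workdir, fname), "w") as fh:
            fh.write(content)
    _csr(workdir, "root", "Trusted Root CA")
    _openssl(workdir, "x509", "-req", "-in", "root.csr", "-signkey", "root.key",
             "-out", "root.pem", "-days", "30", "-extfile", "ca.ext")
    _csr(workdir, "leaf", "attacker.example")
    _openssl(workdir, "x509", "-req", "-in", "leaf.csr", "-CA", "root.pem", "-CAkey", "root.key",
             "-CAcreateserial", "-out", "leaf.pem", "-days", "30", "-extfile", "ee.ext")
    # openssl signs this without complaint: issuing is just a signature with the leaf key.
    # Whether anyone accepts the result is entirely the client's decision.
    _csr(workdir, "forged", "www.bank.example")
    _openssl(workdir, "x509", "-req", "-in", "forged.csr", "-CA", "leaf.pem", "-CAkey", "leaf.key",
             "-CAcreateserial", "-out", "forged.pem", "-days", "30", "-extfile", "ee.ext")
    return workdir


def chain_verifies(workdir, cert):
    """What a correct client decides: does cert chain to root.pem via the untrusted leaf.pem?
    Returns (accepted, verifier output)."""
    r = subprocess.run(["openssl", "verify", "-CAfile", "root.pem", "-untrusted", "leaf.pem", cert],
                       cwd=workdir, capture_output=True, text=True)
    return r.returncode == 0, (r.stdout + r.stderr).strip()


def demo(workdir=None):
    """Build the chain and verify both the legitimate leaf and the forgery."""
    workdir = make_chain(workdir or tempfile.mkdtemp(prefix="ie-ssl-chain-"))
    names = _openssl(workdir, "x509", "-in", "forged.pem", "-noout", "-subject", "-issuer").stdout
    return {"dir": workdir,
            "forged_names": names.strip(),
            "leaf_accepted": chain_verifies(workdir, "leaf.pem")[0],
            "forged_accepted": chain_verifies(workdir, "forged.pem")[0],
            "forged_error": chain_verifies(workdir, "forged.pem")[1]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

forged.pem carries the victim's name and an issuer that does chain to the trusted root, which is all the 2002 IE code looked at; openssl verify refuses it because leaf.pem is not a CA. The same files can be loaded into any other client you need to check.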


Secure Web Exposures (cont.)

• Only real server authentication is that the DNS name in the URL matches the name in the certificate
  - DNS lookup is NOT part of the SSL specification
  - You could be fooled into using a wrong name (www.delta.com vs. www.delta-air.com)
    btw: they are now both for the airline!
  - again, see "How do you get in the middle?" in Web Spoofing
  - SSL doesn't detect/stop DNS poisoning: if poisoning sends you to an attacker's host, the only thing left between you and the attacker is the browser's check that the presented certificate is trusted and names the host you typed, which is why the certificate-acceptance bugs and "just click OK" habits on the previous slide matter so much
  - www.webdevelopersjournal.com/articles/is_ssl_dead.html
• you shouldn't count on SSL to protect your application, just like you don't count on WEP to protect wireless applications


Internet Explorer 4 to 5 Advanced Options

[Screenshot: the IE 4 "Internet Options" and IE 5 "Internet Properties" dialogs, Advanced tab, side by side; three settings in the IE 5 dialog carry a "New" marker in the original.]

IE 4 (Internet Options > Advanced > Security):
  - Warn if forms submit is being redirected
  - SSL 3.0
  - SSL 2.0
  - Warn about invalid site certificates
  - Warn if changing between secure and not secure mode
  - PCT 1.0
  - Enable Profile Assistant
  - Cookies: Prompt before accepting cookies / Disable all cookie use / Always accept cookies (selected)
  - Check for certificate revocation
  - Do not save encrypted pages to disk
  - Delete saved pages when browser closed
  - HTTP 1.1 settings: Use HTTP 1.1; Use HTTP 1.1 through proxy connections

IE 5 (Internet Properties > Advanced > Settings):
  - Search from the Address bar: Do not search from the Address bar / Just display the results in the main window / Just go to the most likely site
  - Check for publisher's certificate revocation
  - Check for server certificate revocation (requires restart)
  - Do not save encrypted pages to disk
  - Empty Temporary Internet Files folder when browser is closed
  - Enable Profile Assistant
  - Use Fortezza
  - Use PCT 1.0
  - Use SSL 2.0
  - Warn if changing between secure and not secure mode
  - Warn if forms submittal is being redirected


Internet Explorer 5 to 6 Advanced Options

[Screenshot: the IE 5 "Internet Properties" and IE 6 "Internet Options" dialogs, Advanced tab, side by side; one IE 5 entry (garbled in the extraction) is marked "Gone" and two IE 6 entries are marked "New" in the original.]

IE 5 (Internet Properties > Advanced > Settings > Security):
  - Search from the Address bar: Do not search from the Address bar / Just display the results in the main window / Just go to the most likely site
  - Check for publisher's certificate revocation
  - Check for server certificate revocation (requires restart)
  - Do not save encrypted pages to disk
  - Empty Temporary Internet Files folder when browser is closed
  - Use SSL 3.0
  - Use TLS 1.0
  - Warn about invalid site certificates (checked)
  - Warn if changing between secure and not secure mode
  - Warn if forms submittal is being redirected (checked)

IE 6 (Internet Options, now with a Privacy tab alongside General, Security, Content, Connections, Programs and Advanced):
  - Search from the Address bar: Just display the results in the main window / Just go to the most likely site (selected)
  - Check for publisher's certificate revocation
  - Check for server certificate revocation (requires restart)
  - Check for signatures on downloaded programs
  - Empty Temporary Internet Files folder when browser is closed
  - Enable Integrated Windows Authentication (requires restart)
  - Use SSL 2.0 (checked), Use SSL 3.0 (checked), Use TLS 1.0 (checked); the PCT 1.0 and Fortezza options no longer appear
  - Warn about invalid site certificates
  - Warn if changing between secure and not secure mode
  - Warn if forms submittal is being redirected


What the Hacker KnOwZ...about the Web

• Web Spoofing is a BIG/HUGE opportunity
  - Lots of "hacking" efforts to increase the ways to do spoofing
  - #1 area (outside of general buffer overflow issues) for new and high profile intrusions and exploits
• Many network applications are not rigorously tested for input handling issues
• Front-end Web code (i.e., available to the client via the browser) reveals a LOT about design, intention, conventions, and expectations of the server

next... Finishing Up


Where are We?

• Profiling
  . Methodology
  . Example Profile #1
  . Example Profile #2
• Intrusions
  . Awareness/Statistics
  . Examples
  . Common Areas
• Discovery and Profiling Tools
  . typhon, nessus, dsniff, Nikto, and lots more!
• Protocols
  . DNS
  . SNMP
  . Handheld (PocketPC)
  . Web Infrastructure
• Finishing Up
  . Things To Do
  . Reference Links


Top 10ish Things To Do

• Tools
  - Vulnerability testing:                  nessus or nsat
  - HTTP CGI checker:                       Nikto
  - 802.11b AP finder:                      netstumbler
  - OS identification and special scanner:  nmap
  - IDS:                                    network (e.g., snort) and integrity checker (e.g., Tripwire)

Make sure you have permission to use public domain tools!


Top 10ish Things To Do (cont.)

• Development
  . Use some scanner to create a template profile of your important systems: run the scanner every day and generate an alarm/email if the results are different
  . Define a list of 5-10 important issues and create/use any kind of script/program you can to check the logs for those things
  . Upgrade every version of BIND you can to the latest version (yours, your neighbors', your ISP)
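The first two items above are small scripts in practice. The following added example (not code from the course) does both against constructed data: it parses two nmap "grepable" (-oG) reports, yesterday's baseline and today's run, and reports the hosts and open ports that appeared or disappeared; then it runs a short watch-list of regular expressions over a handful of constructed syslog lines in OpenSSH and BIND 9 message formats and reports which rule fired for which remote address, applying a threshold where a single hit would be noise. The scan output, log lines, hosts, addresses and the rule list are all made up.

```python
"""Daily profile diff plus log watch-list. Added example, not from the course;
scan output, log lines, hosts, addresses and rules are constructed."""
import re
from collections import Counter

# Constructed nmap -oG output: yesterday's baseline and today's run.
BASELINE_SCAN = """\
# Nmap 3.50 scan initiated (constructed baseline, yesterday)
Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.20 (ns.example.test)\tPorts: 53/open/tcp//domain///\tIgnored State: closed (999)
"""
TODAYS_SCAN = """\
# Nmap 3.50 scan initiated (constructed run, today)
Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (996)
Host: 192.0.2.20 (ns.example.test)\tPorts: 53/open/tcp//domain///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
Host: 192.0.2.30 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)\t")


def parse_grepable(text):
    """nmap -oG text -> {ip: {(port, proto): service}} for ports reported open."""
    profile = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _hostname, ports = m.groups()
        open_ports = {}
        for entry in ports.split(", "):
            fields = entry.split("/")          # port/state/proto/owner/service/rpc/version/
            if fields[1] == "open":
                open_ports[(int(fields[0]), fields[2])] = fields[4]
        profile[ip] = open_ports
    return profile


def diff_profiles(baseline, current):
    """Hosts and open ports that appeared or vanished between two profiles."""
    report = {"new_hosts": sorted(set(current) - set(baseline)),
              "missing_hosts": sorted(set(baseline) - set(current)),
              "new_ports": [], "closed_ports": []}
    for ip in sorted(set(baseline) & set(current)):
        before, after = baseline[ip], current[ip]
        for port, proto in sorted(set(after) - set(before)):
            report["new_ports"].append((ip, port, proto, after[(port, proto)]))
        for port, proto in sorted(set(before) - set(after)):
            report["closed_ports"].append((ip, port, proto, before[(port, proto)]))
    return report


# rule name -> (pattern whose group 1 is the remote actor, hits needed before alerting)
WATCHLIST = {
    "ssh_failed_password": (re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)"), 3),
    "ssh_root_login": (re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (\S+)"), 1),
    "zone_transfer_denied": (re.compile(r"named\[\d+\]: client (\S+)#\d+: zone transfer '[^']+' denied"), 1),
}

# Constructed syslog lines in OpenSSH and BIND 9 formats.
SAMPLE_LOG = """\
Apr 12 03:14:07 www sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Apr 12 03:14:09 www sshd[2211]: Failed password for invalid user oracle from 198.51.100.7 port 41023 ssh2
Apr 12 03:14:11 www sshd[2211]: Failed password for root from 198.51.100.7 port 41024 ssh2
Apr 12 03:20:55 www sshd[2290]: Accepted password for root from 198.51.100.7 port 41100 ssh2
Apr 12 04:01:00 ns named[410]: client 203.0.113.9#3521: zone transfer 'example.test/IN' denied
Apr 12 04:05:12 www cron[300]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()


def check_logs(lines, watchlist=WATCHLIST):
    """Count rule hits per (rule, actor); keep those at or above the rule's threshold."""
    hits = Counter()
    for line in lines:
        for name, (pattern, _threshold) in watchlist.items():
            m = pattern.search(line)
            if m:
                hits[(name, m.group(1))] += 1
    return {key: n for key, n in hits.items() if n >= watchlist[key[0]][1]}


def daily_report():
    """What the cron job would mail: profile changes and log alerts."""
    changes = diff_profiles(parse_grepable(BASELINE_SCAN), parse_grepable(TODAYS_SCAN))
    return changes, check_logs(SAMPLE_LOG)


if __name__ == "__main__":
    changes, alerts = daily_report()
    for key, value in changes.items():
        print(f"{key}: {value}")
    for (rule, actor), count in alerts.items():
        print(f"ALERT {rule} from {actor}: {count} hit(s)")
```

Keep the baseline file in version control so an approved change is a commit rather than a recurring alarm, and treat a new host as seriously as a new port: in the sample it is a telnet daemon on an address that was not there yesterday.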


Remember the Themes..What to Watch for

• It's the protocols
  . DNS exploits
  . SQL exploits
  . SSL
    . Forged keys
    . Certificate granting and revocation issues
• Web Applications
  . Servers with poor authentication and, even worse, authorization architectures
  - Web Services
• Intrusion awareness
  . More "clever" viruses, macros, Trojan horses (1)
  - New wireless and handheld hacking techniques
    . e.g., rogue wireless card firmware, aggressive-technology wireless networks (2)

(1) "IT Security Pro Fears Stronger, Super Worms Coming"
    www.crn.com/components/weblogs/article.asp?ArticleID=49597
    Using P2P protocols, not just relying on SMTP and email client
(2) "Expert: Gaps still pain Bluetooth security"
    http://news.com.com/2100-1009_3-5197200.html?part=rss&tag=feed&subj=news
    PIN theft to capture data


SystemExperts
LEADERSHIP IN SECURITY

Brad C. Johnson
Vice President
[email protected] direct
401-348-3078 fax
978-440-9388 main
www.SystemExperts.com/


Where have we Been?

• Profiling
  - Methodology
  . Example Profile #1
  . Example Profile #2
• Intrusions
  - Awareness/Statistics
  . Examples
  . Common Areas
• Discovery and Profiling Tools
  . typhon, nessus, dsniff, Nikto, and lots more!
• Protocols
  . DNS
  . SNMP
  . Handheld (PocketPC)
  . Web Infrastructure
• Finishing Up
  . Things To Do
  . Reference Links
• Final Chance
  . Any Questions?
  . Mistakes in Slides?
  . Changes to Course
    . Things to Add?
    . Things to Remove?
  - Other Comments?


The Penultimate.

• Profiling is a big part of being prepared for an intrusion from a determined intruder (hacker)
  . Each part of your network infrastructure provides its own unique opportunities and vulnerabilities
• Many of the available profiling tools or techniques are easy to use or do
  . Try them against your own site


THE END!

Thank you for attending!
Thank you for your comments!
Please fill out the Instructor Evaluation Form!!
