If we were previously reading the Cadillac of books, we just jumped into a Ferrari for a spin. In this chapter, we look at using Sniffer Pro with security in mind. This is not a chapter on hacking. Rather, this chapter shows you how to find vulnerabilities in your own network. It discusses the importance of security analysts who have a working knowledge of the basic operations of Sniffer Pro or other similar protocol analyzers.
The first few sections cover issues inherent in IPv4 and how Sniffer Pro can be used to expose the protocol stack's weaknesses.
NOTE
Using this technology for mischief is not recommended; such activity could result in serious legal consequences.
Using Sniffer Pro to Find Holes in Your Network
The terrorist attacks of September 11, 2001, changed the focus of security forever. Many commentators have compared the events' worldwide ramifications to those of December 7, 1941. The resulting awareness of information security and privacy has created new and demanding challenges for the network professional. Today's cyber marketplace does not offer a better addition to a conscientious "white hat" hacker's arsenal than Sniffer Pro. Because Sniffer Pro is adept at analyzing network and application problems, it is an effective tool in the detection and prevention of network vulnerabilities.

One need only open the morning newspaper to be made aware that threats from the Internet are escalating. The names of viruses, Trojans, and worms, once relegated to the "techno-geek" realm, are now mainstream water-cooler conversation. Code Red, Nimda, SirCam, Melissa, Lovebug: the list goes on and on. These names, now relegated to the past, should be of concern to the Sniffer Certified Professional (SCP), whose challenges lie in defending against new and yet unnamed malware.
A vast amount of information can be found on the Internet covering the subjects of malware, viruses, and Trojans. Some good URLs with which to start your research are www.sarc.com, www.sans.org, and www.cert.org.
In this chapter, we cover the complex subject of vulnerabilities. The military has long been confronted with the detection and elimination, or at least the mitigation, of vulnerabilities and threats. The military terms used to describe the mechanics of these efforts have made their way into the information security world. We use some of these terms and define them in their information security sense.
Delivery and Payload
Let's begin with two frequently used terms: delivery and payload. What do they mean? The military uses a nuclear missile as a delivery mechanism and a warhead as the payload. This terminology defines how a weapon gets to its destination (delivery) and what it delivers once it arrives (payload). Other examples might be a B-52 bomber as a delivery mechanism and a 15,000-pound daisy-cutter bomb as a payload, or a 20-millimeter cannon as a delivery mechanism and its shell as a payload.
Delivery and payload are fairly simple concepts that can be applied to information warfare as well. For example, the SirCam virus's delivery mechanism was e-mail and its payload was a malware attachment. The Jill.c exploit by DarkSpyrit used an HTTP GET request to deliver a buffer overflow payload. A final example is the Code Red worm, whose delivery mechanism was an HTTP connection over the Internet and whose payload was a malformed request exploiting a hole in Microsoft's Internet Information Server. We cover Code Red in more detail later in this chapter, demonstrating how, using Sniffer Pro, we detected its presence and mitigated the exploit.
Concerning delivery and payload, the preceding definition implies one delivery mechanism and one payload. This is not always the case. Just as there are nuclear missiles with multiple warheads, the information warfare world has its Nimdas with multiple delivery techniques and payloads, exploiting e-mail, Internet Explorer browsers, and network shares all at the same time. It is the job of the security-minded SCP to constantly research and understand these concepts, in order to implement a defense by building and utilizing the various filtering capabilities of Sniffer Pro.

Vulnerabilities in Detail
We begin our discussion of network vulnerabilities by examining three exploits that utilized the programming oversight known as a buffer overflow. This flaw, resulting from a failure to check the length of input to a function in a program, can crash a system or, when the overflow is crafted carefully, let a hacker execute arbitrary code and take full control of your machine. The buffer overflow is arguably the most common and notorious hacker technique in use today.
Code Red:The Exploit
On June 19, 2001, the CERT Advisory CA-2001-13, Buffer Overflow in IIS Indexing Service DLL, was released. As usual, it had very little impact on the information community and went relatively unnoticed by system admins. However, this small but costly programming oversight would prove to be only the beginning of what would become a billion-dollar exploit.
NOTE
The CERT Coordination Center (CERT/CC) is a center of Internet security expertise located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
The System Administration, Networking, and Security (SANS) Institute, founded in 1989, is a cooperative research and education organization through which more than 156,000 security professionals, auditors, system administrators, and network administrators share the lessons they are learning and find solutions to the challenges they face. Global Information Assurance Certification (GIAC) certification, sponsored by SANS, provides assurance that a certified individual holds the level of knowledge and skill necessary for a practitioner in key areas of information security.
The advisory stated that a vulnerability existed in the indexing service used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. This vulnerability allows a remote intruder to run arbitrary code on the victim's machine. The advisory description stated that there was a remotely exploitable buffer overflow in one of the ISAPI (Internet Server Application Programming Interface) extensions installed with most versions of IIS 4.0 and 5.0. The specific extension was IDQ.DLL, the Indexing Service filter. The vulnerability was discovered by eEye Digital Security.

On July 19, 2001, the CERT Advisory CA-2001-19, "Code Red" Worm Exploiting Buffer Overflow in Indexing Service DLL, was released. The overview stated that CERT/CC had received reports of new self-propagating malicious code that exploits IIS systems susceptible to the vulnerability described in CERT Advisory CA-2001-13. The report explained that two variants of the Code Red worm had already affected more than 250,000 servers. It was obvious that someone had found a use for the hole in IIS. One of the specific uses for this exploit was a payload designed to generate a denial-of-service (DoS) attack on the White House Web server. Fortunately for the president's IT staff, the payload did not use DNS to resolve the server's name to an IP address; instead, it hardcoded the IP address in the binary payload. It proved a simple matter to move the White House Web server to a new address and update DNS, and that is precisely how the IT staff dealt with the threat.
Code Red:The System Footprint
In order to detect this type of malicious activity, the SCP should study the exploit and carefully examine the system footprint when available. For this exploit, the system footprint was provided by the advisory, which stated that Code Red worm activity can be identified on a machine by the presence of the entry in the Web server log files shown in Figure 11.1:

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 etc.
The presence of the entry in the log does not necessarily indicate compromise. Rather, it indicates that a Code Red worm attempted to infect the machine. Armed with this knowledge and the old IP address of the White House Web server, the security-minded SCP has the information necessary to detect this exploit both coming and going. We accomplish this task by building a filter to detect the system footprint (coming) and the old IP address of the White House Web server (going). The Sniffer Pro interface is placed on the ingress/egress to the Internet.
NOTE
A system footprint is a group of characters or bytes of data that uniquely identify the payload as belonging to a specific exploit. In some cases, the system footprint is simply a group of characters, as in Code Red's default.ida?NNNNNN (see Figure 11.1). In more complex payloads, the system footprint can be a string of binary data representing the actual code. Some security professionals refer to a system footprint as a signature.
In Chapter 4, we go into greater detail about building filters to capture and view these exploits; here we briefly touch on configuring this filter.
Code Red:The Filter
To configure the Footprint filter:

1. Select Capture | Define Filter | Profiles | New.
2. Enter a name such as CodeRed (see Figure 11.2).

Next we will configure the Advanced tab:

1. Select OK | Done | Advanced tab.
2. Select the HTTP check box under TCP (see Figure 11.3).
3. Select OK.
4. Select Capture | Define Filter.
5. Select CodeRed from the Settings For: panel.
6. Select Data Pattern | Add Pattern.
7. Offset (hex): equals 36 in hex. Offset 0x36 is 54 bytes: a 14-byte Ethernet header plus a 20-byte IPv4 header plus a 20-byte TCP header, so the pattern is matched at the first byte of the TCP payload. If a frame carries IP or TCP options, or an 802.1Q VLAN tag, the payload starts later and a fixed-offset pattern will miss it.
8. Format equals ASCII.
9. Enter the data from the footprint into Fields 1 and 2: GET /default.ida.
10. Name: equals Code Red Pattern.
11. Select OK (see Figure 11.4).

Figure 11.2 New Capture Profile
Code Red:The Attack
As can be seen in Figure 11.5, if this capture filter is placed on the ingress/egress to the Internet, it will trap both incoming and outgoing exploit attempts. The outgoing attempts could be from compromised computers or disgruntled employees using your network to launch their hacking exploits. The Trojans installed on your machines might be the launching pads for a huge DDoS attack as your machines are turned into "zombies," blindly acting out the will of the hacker. The summary window of Figure 11.5 displays the system footprint in packet 10 of a captured exploit attempt.
Figure 11.3 Code Red Advanced Setting
Figure 11.4 Code Red Pattern
The complete payload is visible in the Sniffer Pro Hex display of the capture (see Figure 11.6). Line 1 in the display starts the buffer overflow, and line 5 injects the binary payload.
NOTE
If you are interested in the mechanics of this type of exploit, we highly recommend that you read Chapter 8, "Buffer Overflow," in Hack Proofing Your Network, second edition, from Syngress Publishing. This highly detailed treatise on the subject will prepare you to recognize and develop your own system footprints when you design filters.
Code Red:The Hacker’s Intent
The SCP, having researched this exploit, knows that a DoS attack will be performed by a zombie (an infected Web server) using the old IP address of the White House Web server. With these facts in hand, someone can design and build a simple address filter to detect any attempts to perform a DoS attack on that specific address. By doing this, the SCP will be aware of any internally compromised servers and can give that information to the system administrators, in order for them to remove the exploit and patch the machine.
Figure 11.5 Code Red Attack Summary
Figure 11.6 Code Red Payload
The following is an excerpt from the payload of the Code Red .ida worm. The analysis was performed by Ryan Permeh and Marc Maiffret of eEye Digital Security. A disassembly (complete with comments) was done by Ryan "Shellcode Ninja" Permeh. The attack consists of the infected system sending 100k bytes of data (1 byte at a time + 40 bytes overhead for the actual TCP/IP packet) to port 80 of www.whitehouse.gov. This flood of data (410 megabytes of data every four and a half hours per instance of the worm) would potentially amount to a DoS attack against www.whitehouse.gov.
The assembly code in Figure 11.7 contains the White House IP address. The address (5BF089C6) is displayed in line 2. The entry is in hexadecimal notation and, because x86 stores multi-byte values little-endian, in reverse byte order. When the order is reversed, the value becomes C6 89 F0 5B in hex. Using Microsoft Windows' calculator in scientific mode, the SCP can verify this address by converting each byte to decimal: C6 = 198, 89 = 137, F0 = 240, 5B = 91. Next, reassemble the four numbers, adding periods between them, and the result is 198.137.240.91, the old IP address. The www.whitehouse.gov address was changed to 198.137.240.92 shortly after the first attack.
seg000:000008EB C7 85 80 FE FF+    mov dword ptr [ebp-180h], 5BF089C6h ; set ip (www.whitehouse.gov)
Code Red:The White House Filter
To configure the filter:

1. Select Capture | Define Filter | Profiles | New.
2. Enter a filter name such as WhiteHouse.
3. Select OK | Done | Advanced.
4. Under TCP, select the HTTP check box (see Figure 11.8).
5. Select the Address tab.
6. Enter the White House address 198.137.240.91 to Any (see Figure 11.9).
Next we place Sniffer Pro on the egress of the network with the capture filter selected. Figure 11.10 is a display of three captured packets from an infected host attempting to perform a DoS attack on the old White House IP address.

Using the information obtained from the capture filter, the system administrator can be alerted to the existence of any compromised computers on his or her network. Using the IP addresses, the machines can be removed from the network and patched or reloaded as necessary. Without this filter, the administrator would be unaware of the clandestine transmissions leaving the network and possibly subject to downstream litigation.

Code Red II: The Exploit
On August 4, 2001, a variant of Code Red, dubbed Code Red II, or CR-II, was discovered. It was named Code Red II because the delivery mechanism was the same as Code Red, exploiting the buffer overflow fault in IIS Web servers. However, the payload of CR-II was very different from Code Red and did not attempt a DoS on the White House Web server. It did allow the attacker to have full remote access to the Web server. This access is referred to in hackerdom as OWN3D, a somewhat dyslexic spelling of the word owned.

Figure 11.8 Advanced Window
Figure 11.9 White House IP Address Selection
Figure 11.10 DoS on the White House
The filter to detect CR-II is very similar to the one we built for Code Red; a simple modification is all that is needed. To configure the filter, change the system footprint from NNNNNN to XXXXXX and the job is done. Note that the Code Red pattern as entered above, GET /default.ida, stops before the run of N's and so already matches both worms; to tell them apart, extend each pattern past the question mark to include the start of the N run for Code Red and the X run for CR-II.
Figure 11.11 is a display of the summary line of a CR-II capture. The payload is displayed in Figure 11.12, which shows the initial buffer overflow of Code Red II using the character X to overflow the input array and then injecting the binary payload.
As we did with Code Red, placing the filter for CR-II on the ingress/egress to the Internet will accomplish two things. First, it will detect external Web servers attempting to infect your internal servers; second, it will alert you to any zombies attempting to compromise random servers on the Internet. The filter will, in effect, mitigate the possibility of downstream litigation, a term that is now often mentioned in the Internet legal community. At the very least, it might decrease the amount of annoying e-mails from irate network administrators with the subject line, "YOUR COMPUTER IS ATTACKING US STOP IT!"
Figure 11.11 Code Red II Summary
Figure 11.12 Code Red II Payload
Nimda: The Exploit

In September 2001, an industrious hacker or hackers, not desirous of reinventing the wheel (or the exploit), developed what would become one of the most devastating Internet worms to date. Said hacker(s) simply bundled together some of the better current exploits and added a few new ones. The resulting exploit would soon be known around the globe as Nimda.
On September 18, 2001, an advisory describing the third in a related group of exploits was posted on the CERT.org site. At that time, no one knew this exploit would cost over a billion dollars to clean up. The CERT Advisory CA-2001-26 Nimda Worm overview stated that CERT had received reports of new malicious code known as the W32/Nimda worm. This new worm appeared to spread by multiple delivery mechanisms:
■ Client to client via e-mail
■ Client to client via network shares
■ From Web server to client via browsing of compromised Web sites
■ Client to Web server via active scanning for and exploitation of various IIS 4.0/5.0 directory traversal vulnerabilities
■ Client to Web server via scanning for the back doors left by the Code Red II and sadmind/IIS worms
Talk about a Swiss army knife of exploits! This one raised the bar on the art of hacking and created a new awareness in security never before seen in government or the corporate information world. So War Games could actually happen? The apprehension and paranoia experienced by most system administrators was to be proven justified in the days to come.
Nimda:The System Footprint
The system footprint described in the CERT advisory read more like a litany of exploits than a footprint or signature. The following are just a few exploits delivered in its payload.

The system footprint offers many signatures from which to choose when one is building a filter. Furthermore, because the zombie machine or hacker script cycles through the complete list, any entry could be used. The most obvious one to use (from a security point of view) is GET /scripts/root.exe. A GET for root.exe in an HTTP request is mighty suspicious! Actually, root.exe is a copy of CMD.exe from Windows, the back door left behind by Code Red II.
To configure the filter as shown in Figure 11.13:

1. Select Capture | Define Filter | Profiles | New.
2. Enter a name such as Nimda Capture.
3. Select OK | Done | Data Pattern | Add Pattern.
4. Format equals ASCII.
5. Enter the following data in Field 1: GET /scripts/roo.
6. Enter the following data in Field 2: t.exe?.
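The following Python script is an added example, not code from the book or from Sniffer Pro, that reproduces in software the data-pattern filters built in this chapter: the Code Red footprint at offset 36 hex, the Code Red II variant, the old White House address filter, and the Nimda root.exe pattern. It parses raw Ethernet/IPv4/TCP frames itself, honouring the IP header length and TCP data-offset fields instead of assuming the 54-byte fixed offset, and decodes the 5BF089C6h immediate the same way the chapter does by hand. Every frame it inspects is constructed inside the script; the 10.0.0.x and 203.0.113.x addresses are made up, and the Ethernet/IP/TCP checksums are left at zero because nothing here validates them.

```python
"""Offset-aware re-implementation of the chapter's Sniffer Pro data-pattern
filters (added example; not the book's or Sniffer Pro's own code)."""
import socket
import struct

ETH_LEN = 14
BOOK_OFFSET = 0x36  # 14 (Ethernet) + 20 (IPv4) + 20 (TCP): the chapter's fixed offset


def immediate_to_ip(imm: int) -> str:
    """Decode an x86 dword immediate such as 5BF089C6h into a dotted quad.
    x86 is little-endian, so the bytes in memory are C6 89 F0 5B."""
    return socket.inet_ntoa(struct.pack('<I', imm))


WHITE_HOUSE_OLD_IP = immediate_to_ip(0x5BF089C6)  # 198.137.240.91

# (label, predicate on the TCP payload).  The chapter's pattern "GET /default.ida"
# alone matches both Code Red variants; extending it past the '?' tells them apart.
SIGNATURES = (
    ('Code Red', lambda p: p.startswith(b'GET /default.ida?NNNN')),
    ('Code Red II', lambda p: p.startswith(b'GET /default.ida?XXXX')),
    ('Nimda root.exe', lambda p: p.startswith(b'GET /scripts/root.exe?')),
)


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, payload) for an Ethernet II /
    IPv4 / TCP frame, or None.  Uses the IHL and TCP data-offset fields, so
    frames carrying IP or TCP options still yield the right payload start."""
    if len(frame) < ETH_LEN + 40 or frame[12:14] != b'\x08\x00':
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack('!H', ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    src_port, dst_port = struct.unpack('!HH', tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        return None
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            src_port, dst_port, tcp[data_off:])


def book_offset_matches(frame: bytes, pattern: bytes) -> bool:
    """The chapter's filter as configured: ASCII pattern at fixed offset 0x36."""
    return frame[BOOK_OFFSET:].startswith(pattern)


def classify(frame: bytes):
    """Label a frame the way the ingress/egress filters would, or return None."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    src_ip, dst_ip, _src_port, dst_port, payload = parsed
    if dst_port != 80:               # the Advanced tab's HTTP check box
        return None
    for label, matches in SIGNATURES:
        if matches(payload):
            return f'{label} attempt {src_ip} -> {dst_ip}'
    if dst_ip == WHITE_HOUSE_OLD_IP:  # the White House address filter (going)
        return f'Code Red DoS zombie {src_ip} -> {dst_ip}'
    return None


def build_frame(src_ip, dst_ip, src_port, dst_port, payload, tcp_opts=b''):
    """Construct a minimal Ethernet/IPv4/TCP frame for testing.  Checksums are
    left zero (a real capture would carry them); tcp_opts must be a multiple of 4."""
    tcp_hlen = 20 + len(tcp_opts)
    total = 20 + tcp_hlen + len(payload)
    ip_hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, total, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack('!HHIIBBHHH', src_port, dst_port, 0, 0,
                          (tcp_hlen // 4) << 4, 0x18, 8192, 0, 0) + tcp_opts
    return b'\x00' * 12 + b'\x08\x00' + ip_hdr + tcp_hdr + payload


# Constructed sample traffic, not a real capture.  TS_OPT is a 12-byte
# NOP, NOP, timestamp option block that shifts the payload past offset 0x36.
TS_OPT = b'\x01\x01\x08\x0a' + b'\x00' * 8
CODE_RED_REQ = b'GET /default.ida?' + b'N' * 224 + b'%u9090%u6858%ucbd3%u7801 HTTP/1.0\r\n\r\n'
SAMPLE_FRAMES = (
    build_frame('10.0.0.5', '203.0.113.7', 1025, 80, CODE_RED_REQ),
    build_frame('203.0.113.9', '10.0.0.5', 1026, 80,
                b'GET /default.ida?' + b'X' * 224 + b'%u9090 HTTP/1.0\r\n\r\n'),
    build_frame('10.0.0.9', '203.0.113.8', 1027, 80, b'GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n'),
    build_frame('10.0.0.5', '203.0.113.7', 1028, 80, CODE_RED_REQ, tcp_opts=TS_OPT),
    build_frame('10.0.0.5', WHITE_HOUSE_OLD_IP, 1029, 80, b'\x00'),
    build_frame('10.0.0.5', '203.0.113.7', 1030, 80, b'GET /index.html HTTP/1.0\r\n\r\n'),
)

if __name__ == '__main__':
    for frame in SAMPLE_FRAMES:
        print(f'{str(classify(frame)):48} offset-0x36 match: '
              f'{book_offset_matches(frame, b"GET /default.ida")}')
```

The fourth constructed frame carries the same Code Red request as the first but with a TCP timestamp option, so the fixed-offset test from the chapter misses it while the parser still flags it; that is the case to keep in mind when a data-pattern filter built at offset 36 hex seems to produce no hits.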
Nimda: The Attack

Figure 11.15, "Attack of the Zombies," is a capture summary displaying an infected machine's attempt to compromise other servers. The filter was placed on the ingress/egress to the Internet.

Figure 11.14 Nimda HTTP Window
Figure 11.15 Attack of the Zombies
Designing & Planning…

ET, Phone Home

The W97M/Marker:C virus infects Word 97 documents, templates, and the NORMAL.DOT file of Word 97. The virus appends user information at the end of its code and tries to upload this information through an FTP client on the first of every month. The FTP site address hardcoded in the payload is 209.201.88.110.

Even if you do not have a sophisticated e-mail filtering system, you can mitigate the effects of this type of exploit and detect host machines that are infected with this particular virus using a simple filter placed at the ingress/egress to your Internet connection. The filter configuration would include the FTP protocol from the Advanced tab and the IP address of 209.201.88.110 to Any from the Address tab. The display resulting from the implementation of this filter is shown in Figure 11.16.

Packets 1 through 3 in Figure 11.16 are initial FTP SYN requests to the hacker's site. The FTP site could be any site that allows anonymous logons. Hackers store their tool kits and messages on any site that is available, including government sites. After detecting this packet, the SCP could inform the system administrator about the existence of the compromised host by providing the IP source address.

Figure 11.16 W97M/Marker:C FTP Attempt

Capturing Clear-Text Passwords

From your grade school and kindergarten days, building and defending dirt forts or constructing secret club houses, you have been exposed to passwords. "What's the password?" is a familiar phrase to us all. What is that magic key that grants you entrance into a private world of your own? It is that special word that you and only you know.

This section deals with one of the most basic security implementations: the password and its associated vulnerabilities. Chances are, if you purchased this book online, you were required to use a password. You might have had to use a password to gain access to your local computer or to send e-mail. The examples of password usage are so numerous that we need not belabor the point. As an SCP, you need to ask the following questions about passwords:

■ How secure are these secret magic keys to the kingdom?
■ What can we do to help prevent passwords from being compromised?

IPv4 and Clear-Text Transfer of Information

IPv4 packets are unencrypted by default. By nature of their functionality, the header must be able to be read and updated by routers and gateways along a transmission path from source to destination. The time to live (TTL) field needs to be decremented, and the Media Access Control (MAC), or hardware, address will change for each intermediate network segment. In some applications, Network Address Translation (NAT) and Port Address Translation (PAT) are required; they alter IP addresses and/or port numbers. These requirements create special problems when you try to implement encryption to protect the privacy of the data. Without special tunneling protocols, the encryption of both header and data is impossible. The most common tunneling mechanisms are router-to-router, using an encryption protocol such as IPSec, or standard virtual private networks (VPNs).
Telnet
Telnet is an old, yet very reliable, communication protocol. It was originally developed as a character-oriented terminal emulation protocol used in the UNIX environment. Today Telnet is used extensively for system administration of routers, switches, and remote servers as well as basic text communication in which graphics are not required. Although Telnet still remains a simple client/server protocol, new enhancements have been added to some products, utilizing additional local (client) processing.

After the initial TCP handshake, the Telnet protocol performs a variety of basic housekeeping tasks known as Telnet option negotiation. Each side proposes or declines an option with one of four commands:

■ DO
■ DON'T
■ WILL
■ WON'T

The options themselves are covered in various RFCs, such as RFC 856 for Binary Transmission, RFC 857 for Echo, and RFC 858 for Suppress Go Ahead. Some of these options are displayed in Packets 4 and 5 (see Figure 11.17). An in-depth analysis of the Telnet options is not necessary to understand its vulnerabilities and so is not covered in this section. We refer the reader to the pertinent RFCs for an authoritative source of information:

■ www.rfcindex.org/rfcs/rfc856.html
■ www.faqs.org/rfcs/rfc857.html
■ www.faqs.org/rfcs/rfc858.html
Telnet Echo

One of the first observations an SCP makes in examining a Sniffer Pro trace of a Telnet session is that it seems to be repeating itself (see Figure 11.18). This observation is correct: it does repeat itself. More accurately, the server echoes the characters back to the client. In the original implementation, keyboard output was sent to the server and not displayed locally; it was the server's responsibility to format and display the characters on the monitor. Each transmission carries a one-character payload, which makes Telnet an inefficient protocol for transmitting large amounts of data. In today's computers the characters are usually displayed by the local client, and the server is instructed not to echo. There is often a feature on the client for turning local echo on and off. Local echo is not desired while the server is also echoing, because each keystroke is then printed twice on your screen.
Figure 11.17 Telnet Option Negotiation
Figure 11.18 Telnet Login
Second, the security-minded SCP will immediately observe that the transmission is in clear and readable text. This is a gaping security hole in the Telnet protocol. For the would-be hacker, the transmission readily answers the question, "What's the password?" If you refer to Figure 11.18, starting at packet 42, you will see the word password. Packet 44 contains the letter r. Packets 46 through 54 contain the remaining letters of the password, redhat, in clear unencrypted text. This is precisely the information a hacker needs to compromise the server.
The Telnet protocol uses destination port 23 to communicate. Hackers use a technique called reconnaissance probing to determine if your server is listening on port 23. Any port scanner (such as Nmap or Snake) is ideal for this purpose. Obviously, a simple Telnet request from the command line of a host directed to a specific server will accomplish the same thing. However, the discovery that a server is listening on port 23 more often comes from reconnaissance information gathered during a complete scan for network vulnerabilities.
NOTE
You can determine if your server is listening on port 23 with the command-line utility netstat. Use netstat -an (netstat -ln on Linux) and look for a LISTENING entry on local port 23; netstat -n by itself lists only active connections on most systems, not listening sockets.
If the hacker does not have the ability to sniff your local network for Telnet traffic and passwords but knows you are running a Telnet server, he or she can attempt to connect to the server and guess the login/password pair. This process can be automated using a simple repetitive script.

If you have reason to suspect this type of malicious activity, you can build a Sniffer Pro filter to detect failed logins. Placed on the ingress/egress of your network, this filter will alert you to password-cracking attempts on all Telnet servers in your network. The filter will produce few false positives, such as typos by legitimate users.
The Telnet Login Filter
To configure the Data Capture window to trap the text pattern Login incorrect, perform the following (see Figure 11.19):

1. Select Capture | Define Filter | Profiles | New.
2. Enter a name such as Telnet: Login error.
3. Select OK | Done | Data Pattern | Add Pattern.
4. Offset (hex): equals 36 in hex.
5. Format equals ASCII.
6. Enter the following data in Field 1: Login incorrect.
7. Enter Telnet: Login error in the Name field.
8. Select OK.

The Boolean of Figure 11.20 performs an AND operation on every packet. If a packet is a valid packet ANDed with the ASCII pattern "Login incorrect" at offset 36, Sniffer Pro will detect and trap it. We can optimize this filter's efficiency by adding another criterion to the Boolean operation. Let's use the Advanced tab to restrict packet inspection to Telnet port 23 packets only.

To complete the Telnet login filter configuration (see Figure 11.21):

1. Select the Advanced tab.
2. Scroll down and select the Telnet check box.
3. Select OK.
The results of this filter's implementation can be seen in Figure 11.22. It is clear that the machine with IP address 161.243.60.37 is under a password-hacking attack by the computer with IP address 161.243.60.5.

Figure 11.19 The Data Capture Window
Figure 11.20 Boolean Search Order
SSH and Encryption

The method of choice for replacing Telnet with a better solution is the now-favored Secure Shell (SSH). The SSH server listens on port 22 for connection requests. Upon receiving a connection request, the two systems authenticate each other by exchanging public keys (RSA host keys rather than certificates) and negotiate session keys. After the connection has been validated, the information exchange, including the login itself, is encrypted with a negotiated cipher such as triple DES (3DES). This forms a secure and encrypted pipe for authentication. A useful security feature of this protocol is that it periodically re-keys the session. This limits the amount of traffic protected by any one key, so that even a key recovered by brute force exposes only a short segment of the session.
Capturing E-Mail Logins
Today we are encountering problems in password security brought on by the shared-media nature of cable modems. If you have had experience working with the old 10Base5 (Thicknet) or 10Base2 (Thinnet) technologies, you will quickly understand the concept of cable modem vulnerabilities. Although 10Base5 and 10Base2 Ethernet connections are baseband, not broadband, transmission methods, they still possess one very important similarity to cable: both are shared-medium technologies. The SCP who has had to locate and remove a faulty transceiver from a link with 50 stations on it is fully aware of the effect that one station can have on the others. One station can affect the entire link because the stations share the link. The cable-addressing schemes use varying numbers of addresses per segment or link, usually around 1000. Response time can suffer if this number becomes too large.

Every packet on a segment is inspected by every device on the link to determine whether or not the address belongs to the device. If the packet's address matches the device's configured address, or if the packet is a broadcast (sent to every device), the interface passes the packet up the network operating system stack to be inspected. If the address does not match the configured address, the device ignores the packet, unless the device is operating in what is known as promiscuous mode. Promiscuous mode should be a familiar term to the SCP. The interface used by Sniffer Pro is placed in this mode in order to receive all packets on a link. When a cable modem is using this mode, it functions in the exact same manner. It captures all data, including the clear-text data of POP3 (e-mail), File Transfer Protocol (FTP), and Telnet. Hundreds of articles on the Internet describe these vulnerabilities. Here are a few:

Figure 11.21 The Telnet Advanced Window
Figure 11.22 A Telnet Password Attack
is using the POP3 protocol. This trace could have been easily obtained by a neighbor who shares the same cable segment, utilizing a promiscuous mode interface and a sniffer. For example, packet 9 contains the username dheaton in clear text. More important, packet 12 contains the clear-text password leroy12.

Figure 11.23 Outlook Password Capture
Attacks: Password Capture and Replay

File Transfer Protocol (FTP) represents another security concern. The clear-text nature of the FTP transmission stream reveals the username and password. As the name implies, FTP is a file transfer protocol that can be used to transfer files over the Internet. FTP operates over TCP/IP and is a client/server protocol. In the most basic implementation, the client requests a TCP connection to the server on port 21, the control port. After session setup, the data is transmitted over a separate data connection; in active mode the server opens it from port 20, whereas in passive mode the client connects to an ephemeral port the server announces. The three-way handshake of the control connection can be seen in Figure 11.24.

After a successful connection has been established between the client and the server, the authentication process begins (see Figure 11.25). The server with IP address 172.16.60.5 sends the welcome banner in packet 6, requesting the username. The client with IP address 172.16.60.37 replies with the username wally in packet 8. The server then notifies the client in packet 10 that a password is required to authenticate the connection. The client responds in packet 12 with the clear-text password redhat1. The server, in this case, accepts the password and allows access in packet 14.
Capturing the Password, Step by Step

In Figure 11.25, the SCP should notice in packet 12 the word PASS preceding the client-supplied password (redhat1). The ASCII text is located in the FTP client's packet at offset 36. The text (PASS) will be at this location regardless of the content of the password. We can use this protocol consistency to design and build a filter that will capture both valid and invalid passwords.

Figure 11.24 An FTP Three-Way Handshake
Figure 11.25 FTP Welcome

To configure an FTP password capture filter to trap on the word PASS, perform the following steps (see Figure 11.26):
Trang 221 Select Capture | Define Filter | Profiles | New.
2 Enter a name for the filter, such as FTP-Password.
3 Select OK | Done | Data Pattern | Add Pattern.
4 Format equals ASCII.
5 Enter the following data in Field 1: PASS.
6 Enter Capture PASS Field in the Name field.
7 Enter OK.
Figure 11.27 displays the Boolean search order for the filter. If we stop our configuration at this point, the filter will inspect every packet it encounters for the pattern PASS at offset 36. For efficiency and accuracy, we will add another criterion to the filter so that it will inspect only FTP packets.
To complete the FTP-Password filter configuration (see Figure 11.28), perform the following steps:
1. Select the Advanced tab.
2. Scroll down and select the FTP check box.
3. Select OK.
Figure 11.26 FTP Password Capture
Figure 11.27 Boolean Search Order
Replaying the Password
The FTP-Password filter we have designed can be used to capture a single password. For some applications, this could be all that is required. Figure 11.29 is a capture display resulting from the use of this filter. The captured data contains one packet displaying the password redhat1.
FTP Password Guessing
The SCP can use the FTP-Password filter very effectively to detect an attempt to compromise an FTP server. In this situation, there would be many attempts to guess the password, possibly using a brute-force script. The script would repeatedly try passwords from a password dictionary. The SCP would need to capture many attempts and look for a common IP address. To do this, we use the Sniffer Pro trigger function.
To configure the trigger using our FTP-Password capture filter:
1. Select Capture | Trigger Setup. The Trigger Setup Window will be displayed (see Figure 11.30).
2. Select the Enable check box under the Stop Trigger (see Figure 11.31).
3. Select Define under the Stop Trigger heading (see Figure 11.32).
Figure 11.28 The Advanced Filter Window
Figure 11.29 A Clear-Text Password
Figure 11.30 The Trigger Setup Window
Figure 11.31 Stop Trigger Enabled
Figure 11.32 Stop Trigger Defined
Perform the following steps, referring to the screen shown in Figure 11.33, to configure the Trigger Event filter:
1. Select New.
2. Enter a name for the Stop trigger, such as FTP-Password Trigger.
3. Enter OK.
4. Select the Event Filter check box.
5. Scroll down and select the filter FTP-Password.
6. Select OK.
To complete the Trigger and configure it to capture 100 password attempts:
7. Enter 100 in the Capture packets after stop trigger happened field.
8. Select Repeat Mode (see Figure 11.34).
Figure 11.33 Trigger Event Filter Selection
Figure 11.34 Repeat Mode
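The FTP-Password filter and the stop-trigger count, reproduced as a small software check so the logic can be tried without Sniffer Pro. This is an added example, not code from the book or from Sniffer Pro; it assumes TCP payloads have already been extracted from the frames, reuses the chapter's server (172.16.60.5), client (172.16.60.37) and login (wally/redhat1), and constructs a second client address and the wrong guesses.

```python
# Added example (not from the book or Sniffer Pro): the FTP-Password filter and
# the stop-trigger count, reproduced in software over constructed packets.
from collections import Counter
from typing import NamedTuple

FTP_CONTROL_PORT = 21
SERVER = "172.16.60.5"  # server address from the chapter's figures

class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes  # TCP payload only; an FTP command begins at offset 0

def is_ftp_pass(pkt):
    """The filter: FTP control traffic whose payload begins with PASS. The keyword
    sits at a fixed place whatever the password, so valid and invalid attempts match."""
    return pkt.dport == FTP_CONTROL_PORT and pkt.payload[:5].upper() == b"PASS "

def redacted(pkt):
    """Log a matched PASS packet without copying the clear-text password itself."""
    secret = pkt.payload.rstrip(b"\r\n")[5:]
    return f"{pkt.src} -> {pkt.dst}: PASS <{len(secret)} chars redacted>"

def guessing_sources(packets, threshold=100):
    """Clients whose PASS count reaches the threshold (the trigger's packet count)."""
    attempts = Counter(p.src for p in packets if is_ftp_pass(p))
    return {src: n for src, n in attempts.items() if n >= threshold}

def failed_logins(packets):
    """Server 530 replies per client: repeated failures, not volume, mark guessing."""
    return dict(Counter(p.dst for p in packets
                        if p.sport == FTP_CONTROL_PORT and p.payload.startswith(b"530")))

def _attempt(client, password, ok):
    """Constructed control-channel exchange for one login attempt."""
    reply = b"230 Login successful.\r\n" if ok else b"530 Login incorrect.\r\n"
    return [Packet(client, SERVER, 1040, FTP_CONTROL_PORT, b"USER wally\r\n"),
            Packet(SERVER, client, FTP_CONTROL_PORT, 1040, b"331 Password required.\r\n"),
            Packet(client, SERVER, 1040, FTP_CONTROL_PORT, b"PASS " + password + b"\r\n"),
            Packet(SERVER, client, FTP_CONTROL_PORT, 1040, reply)]

# Constructed capture: one real login, then five wrong guesses from a second host.
SAMPLE = _attempt("172.16.60.20", b"redhat1", True)
for i in range(5):
    SAMPLE += _attempt("172.16.60.37", b"guess%d" % i, False)

if __name__ == "__main__":
    print(guessing_sources(SAMPLE, threshold=3), failed_logins(SAMPLE))
```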
The Trigger/Filter combination can be adjusted to detect as many password-guessing attempts as desired. As shown in Figure 11.35, the user/client machine with IP address 172.16.60.37 is trying to guess the FTP password for the server with IP address 172.16.60.5.
Simple Network Management Protocol
Simple Network Management Protocol (SNMP), developed in the late 1980s, has become a standard for network management. SNMP is a client/server model with a Network Management Station (NMS) that functions as a client querying an agent that contains a Management Information Base (MIB) database. The most common implementation utilizes a management console to perform NMS functions and agents running on routers, hubs, bridges, and network servers. These agents respond to queries, collect information, and send traps to the console for display (see Figure 11.36).
The management information stored in the MIB on each agent is vendor specific. Each manufacturer provides a standard MIB and proprietary extensions for its products. An MIB is a collection of managed objects. Each agent (routers, switches, and the like) in Figure 11.36 contains an MIB of managed objects.
Figure 11.35 Password Guessing
Figure 11.36 SNMP Network Topology
(Figure 11.36 is a diagram: a Network Management Station with a graphical display, and a server agent, hub agent, router agent, switch agent, and bridge agent on the network.)
Each management object is represented by an object ID (OID). The OID is represented by a group of numbers separated by periods (.) defining the object's position in the MIB object tree. Without going into greater detail, suffice it to say that each OID is unique and is used to define a name, metric, or physical condition of a device. For example, a Cisco router OID would be 1.3.6.1.4.1.9.1.1; a sysDescr OID would be 1.3.6.1.2.1.1.1.0. Each SNMP managed object belongs to a community defined by a community name.
At the time of this writing, there are three versions of SNMP:
■ SNMPv1 … security. It has five main operations: Get, Set, GetNext, Response, and Trap (RFC 1155, 1157, 1212)
■ SNMPv2 … security, remote configuration in IETF draft (RFC 1441–1452)
■ SNMPv3 … authentication model and remote agent configuration (RFC 2271–2275)
From a security point of view, SNMP's authentication method is inadequate to prevent the system from being compromised. In Figure 11.37, which shows an SNMP community string, line 3 displays the clear-text community string public. This is a type of default pseudo password, if you will, and can be read by any network analysis tool on the market. Hence, it creates a gaping security hole that is just waiting to be exploited. The default community string for read-only access is public, and the default community string for read/write access is private. As shown in line 2, the packet is a capture of SNMP version 1 (SNMPv1).
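What the analyzer is doing when it shows line 2 and line 3 of Figure 11.37 is decoding the BER-encoded message header, in which version and community travel unprotected. The decoder below is an added example, not code from the book or from Sniffer Pro; the SNMPv1 GetRequest it parses is constructed here for the chapter's sysDescr OID (1.3.6.1.2.1.1.1.0) and the default community public, and v1 Trap PDUs, which have a different layout, are not handled.

```python
# Added example (not from the book or Sniffer Pro): decode the clear-text header
# of an SNMPv1/v2c message the way an analyzer does, and flag default communities.
DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap"}

def _tlv(data, pos):
    """Decode one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw):
    """BER OID content octets to dotted form (first octet packs two sub-identifiers)."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # a clear high bit ends the sub-identifier
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def parse_snmp(packet):
    """Version, community and first requested OID of an SNMPv1/v2c message
    (v1 Trap PDUs use a different layout and are not handled here)."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    _, version, pos = _tlv(msg, 0)           # INTEGER: 0 = v1, 1 = v2c
    _, community, pos = _tlv(msg, pos)       # OCTET STRING, sent in clear text
    pdu_tag, pdu, _ = _tlv(msg, pos)
    pos = 0
    for _ in range(3):                       # skip request-id, error-status, error-index
        _, _, pos = _tlv(pdu, pos)
    _, varbinds, _ = _tlv(pdu, pos)
    _, varbind, _ = _tlv(varbinds, 0)
    _, oid, _ = _tlv(varbind, 0)
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "oid": decode_oid(oid)}

def uses_default_community(packet):
    """True when the message rides on one of the well-known default strings."""
    return parse_snmp(packet)["community"].lower() in DEFAULT_COMMUNITIES

# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SAMPLE_GETREQUEST = bytes.fromhex(
    "3026" "020100" "04067075626c6963"             # SEQUENCE; version 0; community "public"
    "a019" "020101" "020100" "020100"              # GetRequest; request-id 1; error-status; error-index
    "300e" "300c" "06082b06010201010100" "0500")   # VarBindList; VarBind; OID; NULL
```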
Altering SNMP control information can render your network useless. In fact, as we shall see, it could potentially have devastating effects on the entire Internet.
On February 12, 2002, CERT Advisory CA-2002-03 was issued, announcing that there were multiple vulnerabilities in many implementations of SNMP. To network security professionals, the advisory heading read more like an overused item on a security conference agenda than current news of a new exploit. The advisory overview stated that numerous vulnerabilities had been reported in multiple vendors' SNMP implementations. These vulnerabilities could allow unauthorized privileged access, allow DoS, or cause unstable behavior if a site uses SNMP in any capacity.
Figure 11.37 SNMP Community String
The Oulu [Finland] University Secure Programming Group (OUSPG) reported the following vulnerabilities:
In summary, the CERT advisory gives many recommendations to mitigate this vulnerability, including ingress/egress filtering, disabling the SNMP services, applying the appropriate vendor patches, and changing the default community strings. Refer to www.cert.org for the specific impact and solutions for this advisory.
Domain Name Service Vulnerabilities
To paraphrase Bill Shakespeare, "A rose is a rose by any other name." Following that line of reasoning, FileServer1 is FileServer1 by any other name if it has registered its IP address in a Domain Name System (DNS). DNS enables you to use friendly, readable names to locate resources on a TCP/IP network by linking names to IP addresses. Which of the following would be most easily remembered: Syngress.com or 216.238.176.55?
Prior to the implementation of DNS, computers used the hosts file to resolve names to IP addresses. The hosts file still exists today. On a UNIX or Linux system, the file is located in the /etc directory at /etc/hosts. To read the contents of the file, simply enter more /etc/hosts at the command prompt. On a Microsoft NT/2000 machine, enter C:\> type winnt\system32\drivers\
the available text editors to read the file. The hosts file in the Microsoft directory gives you a sample of the various types of entries (see Figure 11.38).
Every line of the file in Figure 11.36, with the exception of the last line, is a comment. The pound sign (#) at the beginning of a line instructs the program to ignore the line. The only line that would be processed in this file as currently configured is the last line:
127.0.0.1 localhost
The statement maps the IP address 127.0.0.1 to localhost, which is the name used for the local machine. This mapping is sometimes referred to as the loopback mapping because a reference to this name or address loops back without transmitting packets onto the network interface.
The third line from the bottom would map 102.54.94.98 to rhino.acme.com if the pound sign were removed. You configure the file by adding mappings without the pound sign. This file requires manual editing and is therefore subject to error. The hosts file, albeit state of the art for its time, developed into an administrative nightmare. System administrators and network engineers began to look for a better way. The result of their efforts is known as the Domain Name System, or DNS.
NOTE
A successful ping operation on the address 127.0.0.1 reveals a great amount of information about the state of the installed networking software. The reply packets will display successfully regardless of the condition of the network, providing that the network software is functioning properly. In fact, the interface cable can be completely disconnected from the network.
Figure 11.38 The Windows Hosts File
DNS Basics
DNS is hierarchical in structure. Figure 11.39 is a simplified view of the domain namespace tree. The logical tree is viewed as being upside down, with the root at the top level.
DNS is a client/server distributed database management system. The DNS communication protocol utilizes TCP and UDP via port 53. As shown in Figure 11.37, the root of the DNS hierarchy is called the root domain. This root name server is configured to recognize the top-level domains and name servers for each domain just below the root. This server is the authority when it comes to providing information about the top-level name servers—in other words, authoritative (responsible) for the root domain.
The next group of servers at the top level are responsible for the various domains, such as com and gov. Some of these domains should be familiar to you, such as the com domain. This domain is used by commercial organizations.
Recently some of these organizations received a great deal of press in the so-called "dot-com meltdown." Many dot-com companies consequently filed Chapter 11 bankruptcy protection and/or went bankrupt. The following is a list and general description of some of these domains:
■ .com Commercial organizations
■ .gov Governmental organizations
■ .edu Educational organizations
■ .mil Military organizations
■ .net Networking organizations
■ .org Noncommercial organizations
■ .int International organizations
Figure 11.39 The DNS Tree
(Figure 11.39 is a diagram: ROOT at the top; below it the .com, .gov, .edu, .mil, .net, .org, and .int domains; below those, example names such as Cisco, Microsoft, White House, MIT, UCLA, Army, NFS Island, Attrition, and NATO.)
As you move down the various branches of the tree, you add a prefix to the name of your location. For example, cisco is located at the third level of the com branch. Therefore, the complete name for the Cisco domain at that point is cisco.com. If there were a domain under cisco for the department named sales, the complete domain name for the department would be sales.cisco.com. What we have just described is known as a fully qualified domain name (FQDN). The name ends with a period for the root in DNS.
Resource Records
The information contained in the DNS database defining the various computers and services is stored in resource records. The resource records are grouped into zones. We cover zones later, in the section on zone transfers. The following is a brief list of some of the resource records of interest to us in this section:
■ SOA Start of authority (the beginning of the zone of authority)
■ NS Name server (the name servers for the zone)
■ A Address record (maps a FQDN of a host to an IP address)
■ PTR Pointer record (maps an IP address to a FQDN)
■ MX Mail exchange record (specifies mail exchange servers)
PrimaryDNS, at IP address 172.16.60.37; and a host computer named Training01 at IP address 172.16.60.60. All these computers are members of the DNS domain named domain.com. Their FQDNs are:
1. Select Capture | Define Filter | Profiles | New.
2. Enter a name for the filter, such as DNS.
3. Select OK | Done | Advanced.
4. Select the TCP check box.
5. Select the DNS [TCP] check box (see Figure 11.42).
6. Select the UDP check box.
7. Select the DNS [UDP] check box (see Figure 11.43).
Figure 11.40 Ping by Name
Figure 11.41 DNS Recursion Summary
(Diagram labels: BackupDNS 172.16.60.55; PrimaryDNS 172.16.60.37; HOST 172.16.60.56; Training01 172.16.60.60.)
We see in Figure 11.44 four packets of interest. Using this figure, let's follow the data flow from beginning to end of a recursive name query. Before we begin, we need to discuss the functions of the resolver service.
Resolver
The client software running on the Host machine is called the resolver. The resolver functions as a name resolution interface between the application and the name server. In the example illustrated in Figure 11.42, a ping-by-name operation on Training01.domain.com, the resolver initiates a name query on the configured DNS server if the name was not in the resolver's local cache. It should be noted that the computer named Host is configured to use a secondary DNS server named BackupDNS.domain.com.
Figure 11.42 The DNS TCP Window
Figure 11.43 The DNS UDP Window
For troubleshooting on computers running Windows 2000, the DNS cache on the client, referred to as DNS resolver cache, can be viewed using the command:
ipconfig /displaydns
The local cache of DNS query hits can be cleared using the command:
ipconfig /flushdns
The resolver service can be stopped and started using the commands:
net stop "dns client"
net start "dns client"
To continue with our discussion of DNS, the computer named Host doesn't know the IP address of Training01. Host needs this information to perform the ping-by-name operations. Therefore, it initiates a DNS name query to its configured DNS server BackupDNS in packet 1 of Figure 11.41. In this case, the secondary name server, BackupDNS, doesn't know the IP address of Training01, either, so BackupDNS initiates its own name query request to PrimaryDNS in packet 2. PrimaryDNS responds to BackupDNS's request in packet 3. BackupDNS responds to Host's original request in packet 4. This response includes the necessary information (the IP Address) of Training01 for Host to start the ping operation.
Figure 11.44 A DNS Recursive Name Query
(Figure 11.44 is a diagram of BackupDNS 172.16.60.55, PrimaryDNS 172.16.60.37, HOST 172.16.60.56, and Training01 172.16.60.60, with the PING packet and packets 1 through 4 drawn between them.)
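The four-packet flow of Figure 11.44, together with the hosts-file lookup and the resolver cache described earlier in this section, as a runnable model. This is an added example, not code from the book; it assumes BackupDNS forwards unanswered names to PrimaryDNS and caches the reply, ignores ports and record types, reuses the chapter's addresses, and constructs the hosts-file text.

```python
# Added example (not from the book): a model of the lookup in Figure 11.44. The
# hosts file is consulted first, then the resolver cache, then the configured
# server, which forwards what it cannot answer and caches the reply.
class NameServer:
    """A DNS server holding one zone; names it cannot answer go to its forwarder."""
    def __init__(self, name, ip, zone=None, forwarder=None):
        self.name, self.ip, self.zone = name, ip, dict(zone or {})
        self.forwarder, self.cache = forwarder, {}

    def query(self, qname, client, trace):
        """Answer qname for client, appending each packet (src, dst, text) to trace."""
        trace.append((client, self.ip, f"query {qname}"))
        answer = self.zone.get(qname) or self.cache.get(qname)
        if answer is None and self.forwarder is not None:
            answer = self.forwarder.query(qname, self.ip, trace)  # recurse for the client
            if answer is not None:
                self.cache[qname] = answer
        trace.append((self.ip, client, f"response {qname} = {answer}"))
        return answer

def parse_hosts(text):
    """Hosts-file lines: '#' starts a comment, first field is the IP, the rest are names."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table

class Resolver:
    """Client-side resolver: hosts file, then local cache, then the configured server."""
    def __init__(self, ip, server, hosts_text=""):
        self.ip, self.server, self.cache = ip, server, {}
        self.hosts = parse_hosts(hosts_text)

    def resolve(self, qname):
        """Return (address, packets); packets is empty when nothing left the host."""
        trace, key = [], qname.rstrip(".").lower()
        answer = self.hosts.get(key) or self.cache.get(key)
        if answer is None:
            answer = self.server.query(key, self.ip, trace)
            if answer is not None:
                self.cache[key] = answer
        return answer, trace

# Constructed topology with the chapter's addresses: PrimaryDNS is authoritative for
# domain.com, BackupDNS forwards to it, and HOST (172.16.60.56) uses BackupDNS.
PRIMARY = NameServer("PrimaryDNS", "172.16.60.37", {"training01.domain.com": "172.16.60.60"})
BACKUP = NameServer("BackupDNS", "172.16.60.55", forwarder=PRIMARY)
HOST = Resolver("172.16.60.56", BACKUP, "# 102.54.94.98 rhino.acme.com\n127.0.0.1 localhost\n")
```

A second lookup of the same name from HOST produces no packets at all, and a lookup from another client of BackupDNS produces only packets 1 and 4, because BackupDNS now answers from its cache.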