Sockets and Services from a Security Point of View
Overview
In Chapter 3, you saw the first four layers of the OSI stack, the layers which transfer data, irrespective of what that data is, from one computer to another over the Internet. This chapter focuses on the security implications of the types of data exchanged between computers using these lower-level protocols. We'll talk about common protocols, such as HTTP and FTP, hidden or problematic ones, such as RPC and Finger, as well as obscure ones, like DHCP and SNMP.
A network intruder will look for security weaknesses at every point in your network architecture. If you have adequately locked down the Physical, Data Link, Network, and Transport layers of your network, the wily hacker will simply move up to those protocols and services your network does expose to the Internet. These application-specific protocols are actually much easier to exploit, so many hackers start there and drop down to the Network or Transport level only when they need to circumvent a protocol's security mechanisms.
In this chapter, we'll go over each of the most commonly used Internet services, briefly examining each for its weaknesses and abuse potential. First, however, we'll discuss sockets and services in general, identifying typical service vulnerabilities so you can spot potential problems when you need to install services on your own network.
Evaluating Socket−Based Services
Which services are safe to allow through your firewall, which are not safe, and which ones do you need to keep an eye on? When a new service becomes popular, or when you want to give your network clients a new Internet-based tool, what do you look for when you evaluate the service? Later in this chapter, we will examine the most common protocols that use IP as a transport and are passed through firewalls. For those protocols, and for any others you may want to support in your network, you should ask the following questions:
How complex is the service?
How might the service be abused?
What information does the service dispense?
How much of a dialog does the service allow?
How programmable or configurable is the service?
What other services does the service rely on?
What sort of authentication does the service use?
How Complex Is the Service?
Complex services are easier to exploit than simple services. The Echo service, for example, simply transmits back to the client whatever the client sends to it. The Echo service is useful for debugging and for network connectivity testing, but it is difficult to see how the Echo service could be exploited to gain control of the computer running the service. Since the Echo service accepts data from the client, however, it must be programmed to correctly handle being fed too much data at once.
The mail service, on the other hand, is a large, complex piece of software that accepts data (mail) from and returns data to the client, as well as reads and stores data and configuration information on the computer's hard drive. Many mail services (POP and IMAP, for example) require authentication before the client can use the service. SMTP, on the other hand, allows any connecting user to send mail as though it came from any user, even a non-existent one. If the authentication mechanism can be subverted, the passwords cracked, or the service tricked into sending out private data (such as your password file), the hacker can use the service to get enough information to break into your computer through other means, such as FTP or Telnet.
Buffer Overruns and Denial-of-Service Floods
Buffer overruns, as described in Chapter 2, are a potential weakness of any service that receives data from clients. Optimistic programmers expect network clients to play by the rules and only send as much data as would be appropriate for the protocol. For example, the destination address portion of an SMTP message should be somewhere between 4 and 200 characters. But what if the client sends several megabytes instead?
A correctly written implementation of the protocol will simply discard the excess data and return an error. An incorrectly written implementation, which does not check how much data is being received, may overwrite adjacent memory (including the saved return address that decides which code runs next) and either crash or, if the sender crafted the data maliciously, begin executing the excess data as a program.
Early versions of the Unix fingerd and Sendmail daemons had exactly this kind of security hole: the infamous Internet Worm of 1988 used a buffer overrun in fingerd (together with a debugging back door left in Sendmail) to gain control of target computers and bring much of the Internet to its knees.
A related attack for computers that store data (such as mail) is to keep sending data until the storage space on the server runs out. This is a denial-of-service attack that, although it does not give the hacker control of the computer, renders the computer unusable by its intended clients.
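The two defences the preceding paragraphs ask for, a length check on incoming data and a storage cap, look like the following in practice. This is an added example written for this chapter, not code from any mail server; the 512-byte limit is the SMTP command-line limit from RFC 5321, the reply codes are ordinary SMTP replies, and the client input is constructed inline so the block runs offline.

```python
import io

MAX_LINE = 512   # SMTP command-line limit including CRLF (RFC 5321, section 4.5.3.1.6)


def read_command_line(stream, limit=MAX_LINE):
    """Read one CRLF-terminated command line from a binary stream while never holding
    more than `limit` bytes, however much the peer sends.
    Returns (line_without_crlf, None) on success, or (None, error_reply) when the line
    is over the limit or the peer hung up mid-line. An over-long line is drained up to
    its CRLF and rejected, so the connection stays usable for the next command."""
    buf = bytearray()
    while True:
        byte = stream.read(1)             # one byte at a time keeps the example short
        if not byte:
            return None, b"451 connection closed before end of line"
        buf += byte
        if buf.endswith(b"\r\n"):
            return bytes(buf[:-2]), None
        if len(buf) >= limit:             # excess data: throw it away and complain
            _drain_to_crlf(stream, prev=bytes(buf[-1:]))
            return None, b"500 Line too long"


def _drain_to_crlf(stream, prev=b""):
    """Discard bytes up to and including the next CRLF (or EOF).
    `prev` is the last byte already consumed, so a CR/LF split across the limit is honoured."""
    while True:
        byte = stream.read(1)
        if not byte or (prev == b"\r" and byte == b"\n"):
            return
        prev = byte


class Mailbox:
    """Per-user storage cap: the defence against the fill-the-disk denial of service."""

    def __init__(self, quota_bytes):
        self.quota, self.used = quota_bytes, 0

    def accept(self, message):
        if self.used + len(message) > self.quota:
            return b"452 Insufficient system storage"   # refuse politely instead of running dry
        self.used += len(message)
        return b"250 OK"


if __name__ == "__main__":
    # Constructed client input: a normal command, a 5,000-byte one, then QUIT.
    stream = io.BytesIO(b"RCPT TO:<bob@memetech.com>\r\n" + b"A" * 5000 + b"\r\nQUIT\r\n")
    for _ in range(4):
        print(read_command_line(stream))
```

The point of the drain step is that rejecting a long line must not desynchronise the parser: after the 500 reply the server is positioned at the start of the next command, exactly as the text's "discard the excess data and return an error" requires.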
How Might the Service Be Abused?
Some services might be simple and innocuous in themselves, but can be turned to unexpected and detrimental uses. Chargen, for example, is a simple Unix service that sends out ASCII characters over and over. Chargen is a useful network programming and testing tool, because there are certain classes of networking problems that become evident when you can look at a stream of data spanning a whole range of binary representations. A communications channel that clears (or sets) the top two bits of every data word, for example, becomes obvious because the pattern of characters from Chargen will change as well.
An unscrupulous hacker, however, might exploit this protocol by sending Chargen a request with a forged source address (in the UDP version of the service a single spoofed datagram is enough) so that its output is directed at another computer and port. This way the hacker can flood the target computer with data that doesn't even originate from his own computer, and if the forged destination is another bouncing service such as Echo, the two hosts will keep the stream going between themselves without any further help.
What Information Does the Service Dispense?
Some services may be simple, terse, and still dangerous to your network security. Finger, for example, was designed to help Unix users contact each other. A Finger request will tell you whether or not there is an account for an individual on a computer, what that account name is, when the user last logged on, additional contact information for the user, and whatever else that user would like to tell the world.
That information is certainly useful if you need to know a coworker's e-mail address or phone extension. It is also incredibly useful for a hacker who wants to verify the existence of an account, find a dormant one, or get clues to the identity and personality of an account holder. You won't find many computers on the modern Internet that support the Finger protocol. The Whois service is another one that you might not want to run on your network due to the amount of information it can give to a network intruder.
Services such as Whois and Finger are excellent timesaving tools for use within an organization, but you should never allow access to these services from beyond your internal network or your intranet.
How Much of a Dialog Does the Service Allow?
A simple service with a regular interface is easier to secure than a complex service that uses an extensive dialogue with the client to provide its functionality. HTTP, for example (disregarding CGI, server applets, and Active Server Pages for the moment), is easy to secure because all the client can do is ask for a resource, and the server does not maintain data about the state of the connection between client requests (i.e., the protocol is stateless).
A stateful protocol is more difficult to secure, especially if the protocol requires client authentication at the beginning of the session and allows for many requests, replies, and state changes after authentication. A stateful protocol must be tested for security holes for every state the client may place the server in. It is possible, for example, to hijack a Telnet session after an authorized client has established the connection and provided correct credentials.
Also, the more dialog a service allows, the more dangerous the service is when compromised. If a hacker arranges for the Finger service to run at the wrong permissions level (such as root or Administrator), the hacker would still just get account and contact information from it. An FTP session at the supervisor level, however, could send the hacker any file on the computer. A root Telnet session would allow the intruder to do anything at all, including running programs, shutting down or starting services, replacing operating system code, as well as creating and deleting accounts.
Service Separation
FTP sites, websites, and Telnet hosts perform vital functions in today's Internet-connected networks. They create an Internet presence and facilitate communication within the organization as well as with outside customers and the rest of the world. You can't just decide not to run these services, but you can be careful about how you do it.
Because computers running these services are more vulnerable to being compromised, these services should not be run on computers that also host other internal services (i.e., the file server or a database server). Ideally, each Internet service would be run on its own server, but some services work well together (FTP is often used to update web server content, for example).
Most common Unix utilities were developed before Internet security was a serious problem. New, more secure utilities and services can replace nearly all of them. You should seriously consider replacing Telnet with SSH, FTP with SFTP (file transfer carried over SSH), and POP with POP over TLS (SPOP). These utilities are basically the same except that they perform secure authentication and encrypt the stream rather than sending passwords and data in the clear. If you don't have the option of changing non-secure utilities, tunnel them through a VPN.
How Programmable or Configurable Is the Service?
The more configurable a service, the easier it is to get the configuration wrong. The more programmable the service, the more likely bugs are to pop up, creating loopholes for network intruders to jump through. So, Exchange Server (which has more configuration options than you can shake a stick at) and Internet Information Server (or any other web server that allows you to run arbitrary scripts to generate web pages) are more likely to contain security weaknesses than simpler services, such as the POP service that comes with the NT 4 Resource Kit.
What Sort of Authentication Does the Service Use?
Any service that requires authentication from the client is a potential security risk for two reasons: the authentication protocol may be weak, and users tend to use the same account names and passwords across multiple services.
POP is one example of weak authentication. The username and password are sent from the client to the server unencrypted: the server asks for the username and password, and the client just sends them, complete and in the clear. Compare this to MAPI (used by Microsoft Exchange), which relies on the Windows challenge-and-response logon. There the server requests the username but also sends a random challenge value; the client combines that challenge with its password hash and sends the result instead of the password itself. The server, which holds its own copy of the hash, performs the same computation and compares the two results to decide whether the client should have access to the service. No eavesdropping computer can determine the password from the response, and the same response cannot be used more than once because the server issues a fresh challenge every time.
Another common problem with authentication is insufficiently strong passwords and password hashes. LAN Manager-style password hashes, which are used by Windows for Workgroups and Windows 95, are weak because case is ignored (the password is upper-cased before hashing), and because the hash is built from two independent seven-character halves that can be cracked in parallel. In addition, older Microsoft networking clients send the same password hashed with both the LAN Manager protocol and the Windows NT challenge-and-response protocol, seriously compromising the Windows NT hash.
Password hashing works by storing a one-way transformation of the password (the hash) rather than the password itself. A hash function is not encryption: there is no decryption operation, so it can only be used to turn a password into a hash, never to turn the hash back into the password. Retrieving a stored hash therefore doesn't directly reveal the password. It does give the hacker something to guess against offline, though, which is why weak hash formats like LAN Manager's matter.
Challenge-response protocols are used to ensure that a hacker listening on the wire can't capture a password or a reusable password hash. In a challenge-response protocol, a random number (the challenge) is transmitted by the server to the client. The client then encrypts the random number using the password hash as the key and transmits the result back to the server, which repeats the computation with its copy of the hash (or decrypts the response with it) and compares. If the results match, the client has proven that it knows the hash and the server can trust it. On the wire, only a random number and a transformed random number have been transmitted, neither of which can be replayed. They are not entirely worthless, however: an eavesdropper who records a challenge and its response can try candidate passwords against the pair offline, at leisure and without triggering any lockout, so the strength of the password and of the underlying hash still matters.
The purpose of a challenge-response protocol is to keep the hacker from intercepting the passwords as they travel from the client to the server. If the hacker can't intercept the password, he may just try to guess it. This is another area in which many protocols fail. A properly implemented protocol will detect an unusual number (three or more) of failed password attempts, after which it will not allow any more logon attempts for that username or from that client. A weak protocol will allow as many attempts as the hacker can perform, and a clever hacker can write a program to perform hundreds of attempts per second, determining the true password by brute force. Windows NT can lock out any account but the built-in Administrator account when there are too many failed password attempts; the lockout policy is not switched on in a default installation, so enable it. Keep in mind that a lockout policy is itself a denial-of-service lever (anyone who can guess usernames can lock legitimate users out on purpose), so pair it with logging and a sensible automatic reset period.
Warning Initially, VNC, the popular open-source remote control software, did not lock out intruders and would respond rapidly to attempts. The protocol could be brute-forced in just a few hours. This problem was fixed in 3.3.3r7, so be certain you stay up to date.
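The challenge-response logon, the one-time challenge, the three-strikes lockout, and the offline guessing caveat discussed above can all be seen in one small piece of code. The following is an added example, not code from this chapter or from any mail server: it implements the APOP command that RFC 1939 adds to POP (the digest is MD5 over the server's timestamp banner followed by the shared secret, which is why the RFC's own test vector is checked in the usage note). The host name in the banner, the random token used in place of the RFC's clock value, the lockout threshold and the word list are assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets

MAX_FAILURES = 3                       # lock the account after this many consecutive failures
HOST = "mail.example.net"              # assumed server name for the banner


def apop_digest(banner, secret):
    """Client side of APOP (RFC 1939): MD5 over the server's <timestamp> banner
    followed by the shared secret, sent as 32 lowercase hex digits."""
    return hashlib.md5(banner.encode("ascii") + secret.encode("utf-8")).hexdigest()


class ApopServer:
    """Server side of APOP with single-use challenges and account lockout. Not a network
    server: greeting() and authenticate() are called directly instead of over a socket."""

    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)   # APOP needs the plaintext secret server-side
        self._outstanding = set()               # challenges issued but not yet consumed
        self._failures = {}                     # user -> consecutive failed attempts
        self.locked = set()

    def greeting(self):
        """Return the +OK banner carrying a fresh challenge. RFC 1939 uses <pid.clock@host>;
        a random token replaces the clock here so the challenge is unpredictable, not just unique."""
        banner = "<%d.%s@%s>" % (os.getpid(), secrets.token_hex(8), HOST)
        self._outstanding.add(banner)
        return "+OK POP3 server ready " + banner

    def authenticate(self, banner, user, digest):
        """Verify 'APOP user digest'. Succeeds only for an unused challenge, an unlocked
        user and a digest computed from that user's secret."""
        if banner not in self._outstanding:          # replayed, stale or never issued
            return False
        self._outstanding.discard(banner)            # every challenge is good once
        if user in self.locked:
            return False
        expected = apop_digest(banner, self._secrets.get(user, ""))
        ok = user in self._secrets and hmac.compare_digest(expected, digest)
        if ok:
            self._failures.pop(user, None)
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILURES:
            self.locked.add(user)
        return False


def guess_secret(banner, captured_digest, candidates):
    """Offline attack on a sniffed (banner, digest) pair: the challenge stops replay, but a
    weak secret still falls to a dictionary run, and the server's lockout never fires."""
    for candidate in candidates:
        if hmac.compare_digest(apop_digest(banner, candidate), captured_digest):
            return candidate
    return None


if __name__ == "__main__":
    server = ApopServer({"alice": "hunter2"})
    banner = server.greeting().split()[-1]
    response = apop_digest(banner, "hunter2")
    print("fresh challenge:", server.authenticate(banner, "alice", response))
    print("replayed pair:  ", server.authenticate(banner, "alice", response))
    print("offline guess:  ", guess_secret(banner, response, ["password", "letmein", "hunter2"]))
```

Two things are worth noticing when running it. The replayed pair fails even though the digest is correct, because the server consumed the challenge; and `guess_secret` still recovers the secret from the sniffed pair, which is the caveat above made concrete: the challenge protects the password in transit, not a weak password. The RFC 1939 worked example (banner `<1896.697170952@dbc.mtview.ca.us>`, secret `tanstaaf`) yields `c4c9334bac560ecc979e58001b3e22fb` from `apop_digest`, which confirms the digest construction.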
It is easier to remember one password than a half-dozen, so many computer users use exactly the same password for all of their computer accounts. This means that if a network intruder penetrates one computer and captures the password list for that computer, one or more passwords and usernames from that computer are very likely to also work on another computer that is otherwise secure. Your password-protected service gives the hacker a double resource: if the hacker can find a password that works on that service, she'll try it elsewhere, and if she can find a password elsewhere, she'll try it on that service as well.
One Key Fits All
For convenience's sake, some services use the operating system username and password instead of recording a separate username and password pair for the service. While this feature makes life easier for the user, it also makes life easier for the hacker. When the hacker has obtained access to the service, it means that he has also obtained access to the underlying operating system. Internet Information Server (for password-protected web pages) works this way, as do the POP and SMTP services that can be installed with it.
Your Network Profile
One thing that you should realize as you consider which services you will expose to the Internet is that the more services you choose to expose, the less secure your network will be. Each protocol you decide to allow may have a low probability of being compromised, but those probabilities compound, and it only takes one hole to negate all your security efforts. So remember, less is more: in this case, fewer services exposed is more security for your network.
In addition, hackers use the services you expose to profile your servers, and they use that information to select which attacks to run in an attempt to penetrate your network. If you expose all of the ports that a default Windows server exposes, then the hacker is much more likely to pull out his Windows hacking scripts rather than his Linux hacking scripts, for example.
DNS, The Essential Service
One of the most important higher-level services in the Internet Protocol Suite is the Domain Name Service (DNS), and it deserves a bit more explanation than the rest of the protocols because it is so intimately tied to the operation of the Internet. The lower-level Internet protocols all use IP addresses to identify source and destination computers, but people have a hard time remembering numbers. So, the architects of the Internet developed a service that would translate human-friendly Internet names like www.microsoft.com and www.linux.org (the host-name part of URLs such as http://www.microsoft.com/) into their corresponding computer-friendly IP addresses.
Dot Com and All That
In the beginning, people just kept a list of the human-friendly Internet names and their corresponding IP addresses (the hosts file is a remnant of this), but as the Internet grew these files got unwieldy and a more flexible method was needed. The Internet architects came up with a new scheme that allowed an organization (or a person) to request an Internet name from a central authority and then expand on that name using their own authority. Thus was born the Internet Domain Name Registration system.
Human-readable Internet names, like IP addresses, contain dots. But Internet names can have as few as one dot or many more than four (although it is a rare name that will have more than a half-dozen). The dots function as separators, and the last portion of the name is called the top-level domain. Common top-level domains include com, org, net, mil, gov, edu, and two-character country codes such as uk, us, cz, and au.
When you request a domain name such as memetech.com, litvault.org, or robinsoncrusoefamily.org, you are staking out space on the Internet in a similar manner to when you obtain a range of IP addresses. It is up to you to further subdivide the name space. When you request the name, you provide the top-level service with the IP addresses of two servers that will handle name requests for your name space. When a computer wants to contact www.memetech.com, for example, it is up to the domain name servers that you specify to perform the translation from www.memetech.com to the actual IP address. Your servers can put any
server is the computer that contains that information. How does that information get from the Microsoft DNS server into your computer?
Your computer has the IP addresses of one or two DNS servers that it can ask about domain names (and unless you work in Redmond, neither one is likely to be the Microsoft DNS server that has the resolution you need). Your DNS servers most likely contain only name-to-IP-address mappings for your local network and for a few frequently accessed external locations. When your local DNS server cannot satisfy a DNS mapping request, it will either refer your computer to another DNS server or query that DNS server itself and pass the results back to your computer.
If the mapping query is for a name in a domain foreign to the DNS server, the DNS server sends the query up the chain of servers toward (or to) a root server, which refers it to the server for the relevant top-level domain (.com, .edu, or .gov, for example). A server that has recorded and delegated name service for a domain will refer the query down to the DNS server that has responsibility for the domain. See Figure 4.1 for an example.
Figure 4.1: The DNS system distributes control of Internet domain names.
DNS Messages
Your computer makes a DNS request by sending a UDP packet in the DNS message format to port 53 of the DNS server. DNS uses UDP rather than TCP for ordinary lookups because a query is one short message that fits in a single UDP datagram, and the connection-establishment overhead of TCP is not necessary. (A reply that will not fit in 512 bytes comes back with the TC bit set and the client repeats the query over TCP port 53; zone transfers between servers always use TCP.) The message has a fixed 12-byte header and four variable-length sections, as shown in Figure 4.2.
Figure 4.2: A single DNS message may contain multiple address resolution queries or responses in the Question RR and Answer RR fields of the DNS UDP packet.
The DNS message fields are as follows:
Identification This is set by the client so that it can match the DNS server's response to its query. A server that answers any response carrying the right identification will accept a forged one, so predictable identifiers make responses easy to spoof.
Flags This field classifies the message as follows (see Figure 4.2):
♦QR 0 for query or 1 for response
♦Opcode 0 for Standard Query, 1 for Inverse Query, or 2 for Server Status Request
♦AA Authoritative Answer (True/False)
♦TC Truncated (True/False): the reply did not fit in the datagram and should be retried over TCP
♦RD Recursion Desired (True/False)
♦RA Recursion Available (True/False)
♦Zero These three bits are reserved and set to zero
♦Rcode 0 for No Error, 1 for Format Error, 2 for Server Failure, 3 for Name Error (the name does not exist), 5 for Refused
Number of Questions Usually 1. The reply repeats the question section, so this is 1 in the reply as well.
Number of Answer RRs 0 for a query; 0 or more in a reply (0 together with Rcode 3 is a negative answer).
Number of Authority RRs 0 for a query; 0 or more in a reply (the name servers for the domain, or the SOA record on a negative answer).
Number of Additional RRs 0 for a query; 0 or more in a reply (typically the addresses of the name servers listed in the Authority section).
Questions Each question is composed of a string containing the Internet name being queried, a query type, and a query class (which is 1 for Internet addresses). Common types are as follows:
♦1 A The IP address
♦2 NS The name server for the domain
♦5 CNAME The canonical name (if a computer responds to more than one name, this is the main one)
♦12 PTR The pointer record (looks up the name corresponding to an IP address)
♦13 HINFO Host information (computer details)
♦15 MX The mail exchange record (which host handles mail for this Internet name)
♦252 AXFR The request for a zone transfer
♦255 ANY The request for all records
Answers, Authority, and Additional Information All share the same Resource Record format, as follows:
♦Domain Name This is the Internet name that the information was requested for.
♦Type This is the same as the Type field in the query.
♦Class This is usually set to 1 for Internet addresses.
♦Time-To-Live This is the number of seconds that the data may be cached by the resolver that receives it (typically up to two days).
♦Resource Data Length This is the amount of space taken by the resource data.
♦Resource Data This is the four-byte IP address for a type 1 (A record) response.
So when you type http://www.microsoft.com/ into your web browser, your computer fires off a UDP packet to your DNS server asking for the address of www.microsoft.com. The DNS server either sends back a UDP packet containing that information, or it refers your computer to another DNS server that might have it instead. Eventually, your computer gets back an Answer record containing the IP address, and the web browser can then use it to open a TCP socket to Microsoft's web server.
Reverse Name Lookup
Sometimes you already have the IP address of a computer, and you want to know what the Internet name for that computer is. Web server administrators, for example, often need to know which domains most of their traffic is coming from. More importantly, if you suspect that a hacker is breaking into your system, you need to be able to translate the hacker's IP address into a domain so that you can contact the administrator of the network that the hacker is coming from. How do you look up an IP address?
Note The different kinds of Internet addresses can be confusing to people who are just learning how the Internet protocols work. Just remember: IP addresses are for computers and are made up of four numbers separated by dots. Internet addresses (also called Internet names), on the other hand, are meant to make sense to humans, and have the familiar endings such as com, edu, mil, net, or org.
When you are allocated a block of IP addresses and you request a domain name to go with it, you are also given control of a portion of the DNS name space that corresponds to the IP addresses you have control over. The top-level domain name for this portion of DNS is not com or org, but rather in-addr.arpa, which (like the rest of the DNS system, and unlike IP addresses) gets more specific as values are added to the left of it.
If you want to look up the address 128.110.121.144, you would request the PTR record for 144.121.110.128.in-addr.arpa, and you would receive back the Internet name registered for that address, if there is one. This is why your own DNS server must be configured to serve that odd-looking numerical in-addr.arpa domain as well as the domain you requested.
Reverse Lookup
Many services will not allow a network client to connect if the client has no Internet name (no PTR record) to go with its IP address. While a computer without an Internet name is not proof-positive of hacking, it is indicative of a domain with lax administration. If the protocols you support allow it, and your network can handle the overhead of looking up every connection attempt, lock out these nameless computers. Remember, though, that the PTR record is published by whoever controls the reverse zone for that address block, so the name it returns is a claim, not a credential: before you act on the name, resolve it forward again and check that it maps back to the connecting IP address.
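The reverse lookup and the forward confirmation just described, as an added example written for this chapter rather than code from any server product. The two DNS lookups are injected as functions so the logic can be exercised offline against constructed zone data (documentation address ranges, not real hosts); in production they would wrap socket.gethostbyaddr and socket.gethostbyname_ex or a DNS library.

```python
import ipaddress


def ptr_name(ip):
    """in-addr.arpa name for an IPv4 address: octets reversed, because DNS gets more
    specific from right to left while IP addresses get more specific from left to right."""
    addr = ipaddress.IPv4Address(ip)                  # ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"


def forward_confirmed(ip, resolve_ptr, resolve_a):
    """Forward-confirmed reverse DNS: accept a PTR name only if it resolves back to ip.
    resolve_ptr(name) and resolve_a(name) return lists of strings and raise LookupError
    when there is no record. Returns the confirmed host name, or None when the client
    should be treated as nameless."""
    canon = str(ipaddress.IPv4Address(ip))
    try:
        names = resolve_ptr(ptr_name(canon))
    except LookupError:
        return None                                   # no PTR record at all
    for name in names:
        try:
            if canon in resolve_a(name):
                return name.rstrip(".").lower()
        except LookupError:
            pass
    return None                                       # PTR exists but does not point back


# Constructed zone data standing in for the two lookups (not real hosts).
FAKE_PTR = {
    "144.121.110.128.in-addr.arpa": ["host1.example.net."],
    "7.2.0.192.in-addr.arpa": ["www.bank.example."],   # forged PTR: the forward lookup disagrees
}
FAKE_A = {
    "host1.example.net.": ["128.110.121.144"],
    "www.bank.example.": ["203.0.113.5"],
}


def fake_resolve_ptr(name):
    if name not in FAKE_PTR:
        raise LookupError(name)
    return FAKE_PTR[name]


def fake_resolve_a(name):
    if name not in FAKE_A:
        raise LookupError(name)
    return FAKE_A[name]


def admit(ip):
    """Connection policy from the text: refuse clients that have no confirmed name."""
    name = forward_confirmed(ip, fake_resolve_ptr, fake_resolve_a)
    return (True, name) if name else (False, "no forward-confirmed name for %s" % ip)


if __name__ == "__main__":
    for client in ("128.110.121.144", "192.0.2.7", "198.51.100.9"):
        print(client, admit(client))
```

The second constructed client shows why the forward check matters: its reverse zone claims the address belongs to www.bank.example, but that name resolves elsewhere, so a filter that trusted the PTR alone would have admitted it under a false name.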
Coordinating Name Servers (and Subverting Them)
When you obtain a domain name (or more than one), you are required to provide the IP addresses of at least two DNS servers that will handle DNS requests for your domain(s). Why two? So that if one fails, the other can take over its responsibilities. One is designated the primary DNS server and has one or more secondary servers to back up its data.
Primary and secondary DNS servers are typically configured to stay in sync through zone transfers. The primary can notify the secondaries that the zone has changed, or a secondary can ask the primary for a transfer on its own schedule. Zone transfers can be incremental or complete, and unlike ordinary lookups they are carried over TCP port 53.
DNS servers make juicy targets for hackers because a compromised name server can redirect unwitting clients to the hacker's own computer. As a result, impersonation and man-in-the-middle attacks are easy to perform. If your DNS servers aren't particular about which host a zone transfer comes from, the hacker can feed false information to the secondary server and then perform a denial-of-service attack on the primary (perhaps through a ping-of-death or smurf attack), leaving only the poisoned secondary to answer for your domain. The hacker is then in charge of your network name space, not you.
Note With a very small network you can disable zone transfers and simply update the tables of your internal DNS servers by hand. For larger networks this becomes impractical, and you must either have firewall software that discriminates between regular DNS queries and zone transfers, configure your DNS server to allow zone transfers only to the addresses of your secondary servers (and, where your server supports it, require a shared-key signature on each transfer), or have DNS proxy software that will allow only safe domain name requests. The restriction matters in the outbound direction too: a server that hands its whole zone to anyone who asks gives an intruder a complete map of your hosts.
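The message layout described under "DNS Messages" above, and the query-versus-zone-transfer distinction that the note asks a firewall or proxy to make, are both easier to see with a working parser. The following is an added example, not code from this chapter or from any DNS product: it builds a standard query, parses the header, question and answer sections (including the name-compression pointers real servers use), and classifies a message as a zone-transfer request by its question type. The response it parses is constructed inline and labelled as such; the IXFR type value 251 comes from RFC 1995, everything else from RFC 1035. A zone transfer received over TCP carries a two-byte length prefix before the message, which the caller would strip before handing the bytes to this parser.

```python
import struct

# Record types from RFC 1035 (IXFR from RFC 1995); class IN = 1
QTYPE_A, QTYPE_NS, QTYPE_CNAME, QTYPE_PTR, QTYPE_MX = 1, 2, 5, 12, 15
QTYPE_IXFR, QTYPE_AXFR, QTYPE_ANY = 251, 252, 255
CLASS_IN = 1


def encode_name(name):
    """'www.memetech.com' -> 3 'www' 8 'memetech' 3 'com' 0 (uncompressed wire form)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(ident, name, qtype, recursion_desired=True):
    """Standard query: 12-byte header, one question, no resource records."""
    flags = 0x0100 if recursion_desired else 0            # QR=0, Opcode=0, RD=1
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, offset):
    """Decode a name that may use compression pointers (RFC 1035 section 4.1.4).
    Returns (dotted name, offset of the first byte after the name in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                         # 11xxxxxx: pointer to an earlier name
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                          # the stream resumes after the pointer
            hops += 1
            if hops > 64 or target >= offset:             # refuse forward or looping pointers
                raise ValueError("bad compression pointer")
            offset = target
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_message(msg):
    """Parse the header, the question section and the answer RRs of a DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    header = {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
              "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
              "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
              "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)        # dotted quad for A records
        answers.append((name, rtype, ttl, rdata))
    return header, questions, answers


def is_zone_transfer_request(msg):
    """True for a query whose question asks for AXFR or IXFR: the traffic the note above
    says should reach your primary only from your own secondaries."""
    header, questions, _ = parse_message(msg)
    return header["qr"] == 0 and any(q[1] in (QTYPE_AXFR, QTYPE_IXFR) for q in questions)


# Constructed reply to "www.memetech.com A?" (not captured from a real server).
# Offsets: header 0..11, question name at 12, answer at 34 using pointer 0xC00C -> 12.
SAMPLE_RESPONSE = (
    b"\x1a\x2b"                                # ID 0x1a2b, echoed from the query
    b"\x81\x80"                                # QR=1 Opcode=0 AA=0 TC=0 RD=1 RA=1 Rcode=0
    b"\x00\x01\x00\x01\x00\x00\x00\x00"        # 1 question, 1 answer, 0 authority, 0 additional
    + encode_name("www.memetech.com") + b"\x00\x01\x00\x01"   # question: type A, class IN
    + b"\xc0\x0c" + b"\x00\x01\x00\x01"        # answer name (pointer), type A, class IN
    + b"\x00\x01\x51\x80" + b"\x00\x04"        # TTL 86400 seconds, RDLENGTH 4
    + b"\xc0\xa8\x01\x0a"                      # RDATA 192.168.1.10 (constructed address)
)

if __name__ == "__main__":
    print(parse_message(SAMPLE_RESPONSE))
    print(is_zone_transfer_request(build_query(7, "memetech.com", QTYPE_AXFR)))
```

The pointer checks in `decode_name` are the security-relevant detail: a pointer that points forward or at itself would make a naive parser loop forever on a single malicious packet, which is a cheap denial of service against anything (a proxy, a firewall, a logging tool) that parses DNS on your behalf.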
Common Internet Services
This section profiles the "hackability" of various common Internet services. Internet services at the Application layer are themselves not layered; they do not have a unified authentication service, a uniform encryption service, or any other dependence upon other protocols with the exception of DNS. This means that each of these services has implemented its own security procedures, some well, some very naively.
The following services (and their Port and Protocol types) are covered in this section:
While this protocol is a prime target for network intruders, you can't disable it without disabling all your network clients as well. You should protect your DNS servers (as described above) by blocking zone transfer packets or by using a DNS proxy service.
The following bulleted items summarize this protocol's security profile (we'll provide a similar