Entries Tagged as 'Networks'

Windows Vista Firewall Turn On/Off

Windows Vista has three levels of firewall profile: Domain Profile, Private Profile and Public Profile. All of them are on by default. If we want to turn off the firewall for our own user, we may go to Windows Vista System Administration -> Firewall and Advanced Security Center. The configuration there is complicated: there are tons of rules and policies for inbound and outbound traffic. Is there any simple way to turn the firewall on or off for our own user (the default, of course, is on)? The answer is YES.

We can go to Control Panel -> User Account and click on “Turn User Account Control on or off”.

Then we can enable/disable User Account Control. The system asks to restart. After the restart, we can see that the firewall policy is applied or disabled.

Windows TCP 139 and 445 Vulnerability

Although those two ports have been well known for security reasons for a long time, we still hope to know something in detail. As we know, NFS (Network File System) was developed by Sun. It is mainly for sharing directories and files between UNIX machines. Microsoft invented a protocol called SMB (Server Message Block), by which people can share directories and files with other Windows machines. Microsoft is trying to rename SMB-based networking to “Windows Networking” and the protocol to “CIFS”. When we try to mount a SAMBA server directory on our Linux machine, we most likely use the following command.

sudo mount -t cifs -o username=henrydu //172.17.93.105/Swap-1Day /mnt/Swap-1Day

Microsoft opened a security hole for the many people who haven’t set up the Administrator’s password. In the early days, people could easily get at others’ C:\WINDOWS directory through the administrative share:

\\172.17.93.105\ADMIN$

Even with a password, malicious people can still figure it out through ports 139 and 445. This article is not about how to hack others through ports 139 and 445; we will see how SMB and NETBIOS work.

SMB is the most popular protocol for Windows PCs; it lets us share files, disks, directories, printers, and (in some cases) even COM ports across a network. SMB-based networks use a variety of underlying protocols, but the most popular is “NetBIOS over TCP/IP”.

Here is a solid example. The SMB client (hacker) sends a TCP 445 SYN to the SMB server (victim). Without waiting for the SYN/ACK packet, it immediately sends a TCP 139 SYN to the SMB server. TCP 445 sets up the SMB session and TCP 139 sets up the NETBIOS session; SMB needs the NETBIOS protocol. We can see from the screenshot that, after the TCP 139 and TCP 445 sessions are up, the SMB protocol starts to run. From the packet hierarchy we can see that SMB runs over the NETBIOS protocol.

After Microsoft noticed this security issue, TCP 139 and 445 are blocked by default. Thus, the SMB server never replies to the SYN packet if the firewall is on. We can use NMAP to do a test.

Firewall is off.

nmap -PN -p139,445 -n -v 172.17.93.105
…..
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Firewall is on.

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Therefore, please make sure these two ports are protected by the firewall.
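A way to verify that from the defending side, as an added example that is not part of the original post: the script below runs the same connect-style probe against 139/tcp and 445/tcp and classifies each port as open, closed or filtered (the three states in the nmap listings above), and it also parses the PORT/STATE/SERVICE table nmap prints so an existing scan can be checked against the same policy. The sample nmap text and the loopback demo are constructed for illustration; the target host in the final comment is a placeholder.

```python
import socket
from typing import Dict, Iterable, Tuple

# The two SMB/NetBIOS ports discussed above.
SMB_PORTS: Tuple[int, ...] = (139, 445)

# Constructed sample in the shape nmap prints (same layout as the listings above).
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp open     microsoft-ds
"""


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port the way a connect scan does.

    - handshake completes (SYN/ACK came back)          -> "open"
    - peer answers with RST (connection refused)       -> "closed"
    - nothing comes back within the timeout, or an
      unreachable error is reported                    -> "filtered" (what a dropping firewall looks like)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # covers socket.timeout / TimeoutError and host-unreachable errors
        return "filtered"
    finally:
        sock.close()


def audit_ports(host: str, ports: Iterable[int] = SMB_PORTS, timeout: float = 2.0) -> Dict[int, str]:
    """Probe each port on a host you are responsible for and return {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def parse_nmap_port_table(output: str) -> Dict[int, str]:
    """Parse 'PORT STATE SERVICE' rows such as '139/tcp filtered netbios-ssn' into {port: state}.

    Only tcp rows are kept; the header line and anything that is not a port row is skipped.
    """
    states: Dict[int, str] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[0]:
            continue
        number, proto = parts[0].split("/", 1)
        if proto == "tcp" and number.isdigit():
            states[int(number)] = parts[1]
    return states


def smb_exposed(states: Dict[int, str], ports: Iterable[int] = SMB_PORTS) -> Tuple[int, ...]:
    """Return the SMB ports that answered as open, i.e. the ones the firewall is not protecting."""
    return tuple(p for p in ports if states.get(p) == "open")


def loopback_demo() -> Tuple[str, str]:
    """Constructed demonstration: probe a listening loopback port, then the same port once closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print("loopback demo (open, then closed):", loopback_demo())
    print("sample scan exposes:", smb_exposed(parse_nmap_port_table(SAMPLE_NMAP_OUTPUT)))
    # Against a host you administer (placeholder address): audit_ports("192.0.2.10")
```

A "filtered" result is the one you want to see from outside the trust boundary: the SYN was dropped, exactly like the second nmap listing. "closed" means the host is reachable and answering with RST, which is acceptable but tells an observer the host is alive; "open" on 139 or 445 means the share service is reachable and should be blocked.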

Network Vulnerability Assessment – OVAL Test

Last time I briefly introduced the OVAL Definition; I’ll continue with the OVAL Test. Please note that both definition and test are defined in the same XML file. The OVAL test is a subroutine of the criteria defined in the definition section. Here is an example of criteria for JScript 5.7 on Microsoft Windows XP SP3.

<criteria operator="AND" comment="JScript 5.7 on Microsoft Windows XP SP3">
<criterion comment="jscript.dll version is less than 5.7.6002.22145" test_ref="oval:com.vendor.oval:tst:102792"/>
</criteria>

We can see there is a test reference, oval:com.vendor.oval:tst:102792. Then what is the definition of the test? The following is the test definition. We can see that there are two parts: one is the object, the other is the state. The basic idea here is to verify whether the object has the state. If yes, the OVAL test passes; otherwise, it fails.

<test id="oval:com.vendor.oval:tst:102792">
<object object_ref="oval:org.mitre.oval:obj:564"/>
<state state_ref="oval:com.vendor.oval:ste:102792"/>
</test>

The object and state are defined as:

<file_object id="oval:org.mitre.oval:obj:564">
<path var_ref="oval:org.mitre.oval:var:200" var_check="all"/>
<filename>jscript.dll</filename>
</file_object>

<file_state id="oval:com.vendor.oval:ste:102792">
<version datatype="version" operation="less than">5.7.6002.22145</version>
</file_state>

It basically says that if, in the specified path, the jscript.dll version is less than 5.7.6002.22145, then this is a vulnerability.

Right now we can see that OVAL is a language, in XML format, to define vulnerabilities and how to test for them. Obviously, the repository needs people to maintain it and add more released/observed vulnerabilities. Thanks,

Network Security Assessment – OVAL Definition

I have briefly mentioned network security assessment part 1 and part 2; here I’d like to introduce how to do the vulnerability test. In terms of penetration testing, this is a white-box test because the tester has put a sensor or agent in the asset. This operation is allowed by the firm.

OVAL is Open Vulnerability Assessment Language, which is well adopted by the industry. The language is written in XML format. Many communities and groups contribute to the OVAL definitions and tests. The major one is the OVAL Repository, which is hosted by The MITRE Corporation. Before we go into detail about OVAL, let’s think about how to do the vulnerability assessment test intuitively.

  • First, we need to define what the vulnerability is.
  • Then, we need to give several criteria, which refer to the real test results.
  • Then, in the test phase, we need to define the object, such as a Windows registry definition.
  • Last, we need to retrieve values to compare with the object. Then the one test is done.

Here is a solid example for OVAL. Microsoft announced one vulnerability, “Excel Cache Memory Corruption Vulnerability (KB973471)”. Then we give one definition for that vulnerability.

<definition id="oval:com.vendor.oval:def:10383" version="1">
</definition>

In the definition there are some nested categories: metadata and criteria.

The metadata provides some description, including the definition title, affected family, reference CVE, status, etc. For example, the following is the reference for this definition.

<reference source="CVE" ref_id="CVE-2009-3127" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3127" />

The criteria provide the test definition and some comments.

<criterion comment="Microsoft Excel 2002 SP3 or later is installed" test_ref="oval:org.mitre.oval:tst:8677"/>

At this point, the definition is complete. Next, we will see how to define and perform the test.
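To show how the two posts fit together (the definition with its criteria here, and the test, object and state from the OVAL Test post above), here is an added example that is not part of the original posts and not OVAL's own reference interpreter: a small evaluator that resolves definition -> criteria -> criterion -> test -> object/state and compares a collected file version against the state. The XML document is constructed from the fragments on the page and simplified (no namespaces, no check attributes, a literal path instead of the var_ref, a placeholder CVE reference), and the "inventory" stands in for what a sensor would collect from the asset.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional, Tuple

# The posts reference the path through a variable (var_ref); a literal path is assumed here.
JSCRIPT_PATH = r"C:\Windows\System32"

# Constructed, simplified OVAL document assembled from the fragments in the two posts above.
# Real OVAL files carry XML namespaces, check attributes on <test>, and a fuller metadata
# block; those are trimmed so the evaluation logic stays visible.
OVAL_XML = f"""<oval_definitions>
  <definitions>
    <definition id="oval:example.oval:def:1" version="1">
      <metadata>
        <title>JScript 5.7 on Microsoft Windows XP SP3 (constructed example)</title>
        <reference source="CVE" ref_id="CVE-YYYY-NNNN-PLACEHOLDER"/>
      </metadata>
      <criteria operator="AND" comment="JScript 5.7 on Microsoft Windows XP SP3">
        <criterion comment="jscript.dll version is less than 5.7.6002.22145"
                   test_ref="oval:com.vendor.oval:tst:102792"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <test id="oval:com.vendor.oval:tst:102792">
      <object object_ref="oval:org.mitre.oval:obj:564"/>
      <state state_ref="oval:com.vendor.oval:ste:102792"/>
    </test>
  </tests>
  <objects>
    <file_object id="oval:org.mitre.oval:obj:564">
      <path>{JSCRIPT_PATH}</path>
      <filename>jscript.dll</filename>
    </file_object>
  </objects>
  <states>
    <file_state id="oval:com.vendor.oval:ste:102792">
      <version datatype="version" operation="less than">5.7.6002.22145</version>
    </file_state>
  </states>
</oval_definitions>"""


def parse_version(text: str) -> Tuple[int, ...]:
    """The OVAL 'version' datatype compares component by component as integers, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


OPERATIONS: Dict[str, Callable[[tuple, tuple], bool]] = {
    "equals": lambda a, b: a == b,
    "not equal": lambda a, b: a != b,
    "less than": lambda a, b: a < b,
    "less than or equal": lambda a, b: a <= b,
    "greater than": lambda a, b: a > b,
    "greater than or equal": lambda a, b: a >= b,
}


class OvalEvaluator:
    """Evaluates definitions against an inventory {(path, filename): version} collected from the asset."""

    def __init__(self, xml_text: str, inventory: Dict[Tuple[str, str], str]) -> None:
        root = ET.fromstring(xml_text)
        self.definitions = {d.get("id"): d for d in root.iter("definition")}
        self.tests = {t.get("id"): t for t in root.iter("test")}
        self.objects = {o.get("id"): o for o in root.iter("file_object")}
        self.states = {s.get("id"): s for s in root.iter("file_state")}
        self.inventory = inventory

    def evaluate_test(self, test_id: str) -> bool:
        test = self.tests[test_id]
        obj = self.objects[test.find("object").get("object_ref")]
        state = self.states[test.find("state").get("state_ref")]
        key = (obj.findtext("path"), obj.findtext("filename"))
        if key not in self.inventory:
            # The object does not exist on the asset, so it cannot satisfy the state.
            # (Full OVAL distinguishes "not applicable"/"error"; simplified to False here.)
            return False
        version = state.find("version")
        compare = OPERATIONS[version.get("operation", "equals")]
        return compare(parse_version(self.inventory[key]), parse_version(version.text))

    def evaluate_criteria(self, node: ET.Element) -> bool:
        results = []
        for child in node:
            if child.tag == "criterion":
                results.append(self.evaluate_test(child.get("test_ref")))
            elif child.tag == "criteria":  # nested criteria, e.g. platform AND product checks
                results.append(self.evaluate_criteria(child))
        operator = node.get("operator", "AND").upper()
        return all(results) if operator == "AND" else any(results)

    def is_vulnerable(self, definition_id: str) -> bool:
        return self.evaluate_criteria(self.definitions[definition_id].find("criteria"))


def assess_jscript(installed_version: Optional[str]) -> bool:
    """Constructed scenario: an asset whose jscript.dll has the given version (None = file absent)."""
    inventory = {} if installed_version is None else {(JSCRIPT_PATH, "jscript.dll"): installed_version}
    return OvalEvaluator(OVAL_XML, inventory).is_vulnerable("oval:example.oval:def:1")


if __name__ == "__main__":
    for v in ("5.7.6002.22140", "5.7.6002.22145", "5.8.0.0", None):
        print(v, "->", "vulnerable" if assess_jscript(v) else "not vulnerable")
```

The version comparison is the part most often got wrong in home-grown checkers: "5.10.0" must sort above "5.9.0", which a plain string comparison gets backwards, and the patched build 5.7.6002.22145 itself must evaluate as not vulnerable under "less than".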

iPod Touch Vulnerability after Jailbreak

As you may or may not know, there is a vulnerability in iPod Touch after jailbreak: the root password is hard-coded as “alpine”. If your iPod Touch connects to a hotspot network, people on the same subnet can do the following:

  1. Nmap the whole subnet.
     sudo nmap -A -O -T4 112.55.82.0/24

  2. The scan result will be shown as follows.
     Interesting ports on ******* (112.55.82.202):
     PORT STATE SERVICE VERSION
     22/tcp open ssh OpenSSH 5.2 (protocol 2.0)
     62078/tcp open tcpwrapped
     ….
     Running (JUST GUESSING) : Apple embedded (93%), Apple iPhone OS 1.X (89%)

  3. Then, most likely, what those people want to do is:
     ssh root@112.55.82.202
     Password: alpine

  4. Then, as you can guess, they do whatever they want.
     John-Smiths-iPod:/ root# ls
     Applications@  Library/  User@  boot/   dev/  lib/  private/  tmp@  var@
     Developer/     System/   bin/   cores/  etc@  mnt/  sbin/     usr/

The solution is very simple: just change the root password after jailbreak. We can go to the terminal application on the iPod.

  • Type su - to enter super user mode
  • Type passwd and enter the new password
  • Type the new password again
  • Type exit. We are done.

Good luck and Thanks,

ASA Simulation on Ubuntu QEMU

When I tried to find a Cisco ASA simulator with the Linux keyword, few related results came out. Two popular ways are setting it up on Windows QEMU or VMWare. People who are using Windows can refer to those.

However, I found one site that is really useful for installing an ASA image into QEMU on Linux. I followed the steps and made my own ASA environment. Please note that this solution is not as user friendly as dynamips or dynagen; selecting one of the two ways above may be a good choice. So, let’s see how it works on my site.

We need QEMU first

sudo apt-get install qemu

We need asa802-k8.bin

??? :)

We assume that we are working in $ASA_WORKSPACE. Under that directory, create a hexadecimal dump of the image:

hexdump -C asa802-k8.bin > asa802-k8.hex

Search for the ZIP header. We can see that the ZIP file starts at offset 1228b0.

grep "1f 8b 08 00 1d" asa802-k8.hex
001228b0  1f 8b 08 00 1d 3d 73 46  00 03 ec 3a 6d 54 14 57  |.....=sF...:mT.W|

Find the image size.

ls -la asa802-k8.bin
-rw-r--r-- 1 hengdu hengdu 14524416 2010-01-28 21:27 asa802-k8.bin

Now we need to find out where in the file we can start extracting the ZIP part.

echo "14524416 ; ibase=16 ; last - 1228B0" | bc | tail -n 1
13334352

Extract the zipped part of the ASA image:

tail -c 13334352 asa802-k8.bin > asa802-k8.gz

Decompress it with gzip:

gzip -d asa802-k8
gzip: asa802-k8.gz: decompression OK, trailing garbage ignored
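The hexdump/grep/bc/tail sequence above, generalized, as an added example that is not from the original post or the site it follows: the script locates gzip member headers in a binary image by their magic bytes (1f 8b 08 is ID1, ID2 and the deflate method byte, which is why the grep pattern above starts that way), computes the same size - offset figure that fed tail -c, and decompresses the member while ignoring whatever follows it, which is the "trailing garbage" gzip complained about. It also handles the case the one-off grep got lucky with: three magic bytes can occur by chance, so every candidate is tried until one decompresses completely. The sample image, decoy header and payload are constructed; nothing here is derived from the real asa802-k8.bin.

```python
import gzip
import zlib
from typing import List, Tuple

# ID1=0x1f, ID2=0x8b, CM=8 (deflate): the "1f 8b 08" at the start of the grep hit above.
GZIP_MAGIC = b"\x1f\x8b\x08"


def find_gzip_candidates(image: bytes) -> List[int]:
    """Every offset where the gzip magic occurs. Three bytes can match by coincidence
    inside arbitrary binary, so each candidate still has to be validated."""
    offsets, start = [], 0
    while (idx := image.find(GZIP_MAGIC, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def tail_length(image_size: int, offset: int) -> int:
    """Bytes from the member header to end of file: the 'bc' arithmetic (size - offset)
    whose result was handed to 'tail -c'."""
    return image_size - offset


def extract_embedded_gzip(image: bytes) -> Tuple[int, bytes]:
    """Return (offset, decompressed payload) for the first candidate that decompresses as a
    complete gzip member. Bytes after the member are left alone, which is what gzip's
    'decompression OK, trailing garbage ignored' message reports."""
    for offset in find_gzip_candidates(image):
        decoder = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ means: expect a gzip wrapper
        try:
            payload = decoder.decompress(image[offset:])
        except zlib.error:
            continue  # false positive: magic bytes by chance, not a deflate stream
        if decoder.eof:  # a whole member was consumed; zlib has checked its CRC and length trailer
            return offset, payload
    raise ValueError("no complete gzip member found in image")


# --- constructed sample image standing in for asa802-k8.bin ---
SAMPLE_PAYLOAD = b"070701" + b"fake cpio archive contents " * 40  # the real image holds a cpio archive here
SAMPLE_PADDING = b"BOOTLOADER\x00" * 300                           # non-gzip data before the member
# A decoy: a plausible gzip header (FLG=0, mtime=0, XFL=0, OS=3) followed by an invalid deflate block (BTYPE=3).
SAMPLE_DECOY = b"\x1f\x8b\x08\x00" + b"\x00" * 4 + b"\x00\x03" + b"\x07" + b"\x00" * 16
SAMPLE_TRAILER = b"\x00" * 256                                     # the "trailing garbage"
SAMPLE_IMAGE = SAMPLE_PADDING + SAMPLE_DECOY + gzip.compress(SAMPLE_PAYLOAD, mtime=0) + SAMPLE_TRAILER
REAL_OFFSET = len(SAMPLE_PADDING) + len(SAMPLE_DECOY)


if __name__ == "__main__":
    off, data = extract_embedded_gzip(SAMPLE_IMAGE)
    print(f"member at offset {off:#x}, tail -c {tail_length(len(SAMPLE_IMAGE), off)}, "
          f"{len(data)} bytes decompressed")
    # On a real image: extract_embedded_gzip(open("asa802-k8.bin", "rb").read())
```

The decompressed bytes are what the post feeds to cpio in the next step; the decoy in the sample is there to show why checking decoder.eof matters rather than trusting the first grep hit.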

Make a tmp directory and extract the archive with cpio.

mkdir tmp
cd tmp
sudo cpio -i --no-absolute-filenames --make-directories < ../asa802-k8
cpio: Removing leading `/' from member names
61039 blocks

Copy the Linux kernel to the upper directory:

cp vmlinuz ../asa802-k8.kernel

Make the startup script file ./asa/scripts/first_start.sh. I basically copied the whole script from the site; however, some parts had to be modified for my environment.

#!/bin/sh

# Runs from the initrd. On the first boot the flash disk is empty, so partition it,
# format it and copy the ASA binaries onto it; later boots go straight to lina_monitor.
FIRST_START=no
if test ! -e /mnt/disk0/lina_monitor
then
# Create one primary partition (cylinders 5-979) and set its type to 4, then write the table
fdisk /dev/hda << EOF
n
p
1
5
979
t
4
w
EOF
mkdosfs -F 16 /dev/hda1
mount -o umask=0000,noatime,check=s,shortname=mixed /dev/hda1 /mnt/disk0
cp /asa/bin/lina /mnt/disk0/lina
cp /asa/bin/lina_monitor /mnt/disk0/lina_monitor
FIRST_START=yes
fi
# Load the NIC drivers QEMU emulates and bring the interfaces up
modprobe e100
modprobe e1000
ifconfig eth0 up
ifconfig eth1 up
ifconfig eth2 up
ifconfig eth3 up
ifconfig eth4 up
ifconfig eth5 up
if test $FIRST_START = yes
then
echo ""
echo ""
echo "This is your first boot, please wait about 1 min and then type the following commands:"
echo "cd /mnt/disk0"
echo "/mnt/disk0/lina_monitor"
echo ""
echo "Please note to use the following command under ASA to save your configs:"
echo "copy run disk0:/.private/startup-config"
echo ""
exit
fi
cd /mnt/disk0
/mnt/disk0/lina_monitor

Chmod the script:

sudo chmod +x ./asa/scripts/first_start.sh

Now you can compress all the files and have the initrd ready to use in QEMU:

sudo find . | cpio -o -H newc | gzip -9 > ../asa802-k8.initrd.gz

At this point, the Linux kernel files are ready for QEMU to use.

Create a virtual hard disk

qemu-img create FLASH 256M
Formatting 'FLASH', fmt=raw size=268435456

Then start QEMU

qemu -hda FLASH -kernel asa802-k8.kernel -hdachs 980,16,32 \
-initrd asa802-k8.initrd.gz -m 512 -nographic -append \
"console=ttyS0,9600n8 hda=980,16,32 bigphysarea=16384 auto nousb ide1=noprobe"

After many lines of output, you will see the # prompt. Then we start ASA.

/bin/lina

Finally, I saw the familiar prompt.

ciscoasa#

So far, I still have some issues to figure out, such as interface setup and working with my dynamips router. Hopefully I will figure them out later. Please feel free to join my discussion.

Thanks,

Network Security Assessment Reading Notes – Vulnerability Assessment

This chapter is called Vulnerability Assessment 101. I guess this is because the topic is too huge to fit in one chapter, or even in one book. According to the book, the assessment is basically divided into three steps.

The first step is to collect information. The commonly used tool is nmap, which is an open source application and can be downloaded for both Windows and Linux. The other commonly used tool is whois, which can still collect a lot of information. Of course, there are many sophisticated tools, such as Qualys; those techniques are core property of those vendors. In terms of collecting information, there are two approaches in practice: one is non-sensor-based and the other is sensor-based. Apparently, sensor-based approaches can provide more information, such as users, configurations, processes running on the assets, devices registered on the assets, etc. A sensor-based approach can overcome NAT topology, while a non-sensor-based scanner cannot find the assets behind NAT.

The second step is to enumerate information. The scanner should have knowledge, from the collected information, about: 1) what OS is running on the asset? 2) how many TCP ports are open on the asset? 3) how many UDP ports are open on the asset? etc.

The last step is detection. This is the core part of vulnerability assessment, and it is also described in detail in the following chapters. When we try to identify what a vulnerability is, we need a definition, or more precisely, a benchmark. Here is one example of a benchmark: FDCC Major Version. We can use the Benchmark Editor to open it. Basically, one benchmark is a collection of many rules. For example, one rule could be Password Policy -> Maximum Password Age -> 7776000. If the scanner detects that the maximum password age is larger than that, then this is a vulnerability, because the hacker may brute-force the password during that time.

Network Security Assessment – Reading Notes 1

Recently I found the blog is a good place to put my reading notes, so let me start the first one. Since I am involved in a network vulnerability scan job, this book is really fundamental and provides a lot of easily understood definitions and terminology rather than jargon. The book name is Network Security Assessment: From Vulnerability to Patch.

The first chapter gave us a clear vision about what a vulnerability is, how to define it and how to score it.

Over the years, the definition of vulnerability has evolved into a software or hardware bug or misconfiguration that a malicious individual can exploit. A vulnerability can be publicly disclosed before a vendor patch, or can even be used quietly by attackers. An organization experiences multiple levels of risk to a vulnerability, depending on how the discoverer of the vulnerability deals with the information and how long it takes the vendor affected to issue a patch or workaround.

Here is a solid example from my Windows 2008 Server, which is a network security asset. After the scan, one of the vulnerability results shows the CVE ID CVE-2008-4844. The description is: “Use-after-free vulnerability in mshtml.dll in Microsoft Internet Explorer 5.01, 6, and 7 on Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a crafted XML document containing nested SPAN elements, as exploited in the wild in December 2008.”

CVE stands for Common Vulnerabilities and Exposures, and a list of CVE numbers was created several years ago to help standardize vulnerability naming. The CVE created a list of all vulnerabilities and assigned each one a CVE ID in the format CVE-year-number. Vendors have been encouraged to use CVE numbers when referencing vulnerabilities.

Right now we know we have one vulnerability which has been defined by a CVE ID, but how could we know the severity of that vulnerability? Theoretically, the risk is the product of four attributes: Vulnerability, Attacks, Threat and Exposure. However, different vendors have different scoring systems. Therefore, CVSS is an attempt to solve the problem by providing a sophisticated scoring system. For example, for CVE ID CVE-2008-1446, the CVSS base score is 9 and the CVSS vector is (AV:N/AC:L/Au:S/C:C/I:C/A:C). The detailed CVSS guide is here.

After we have realized that we have one vulnerability in our server, we need to patch it, which will be mentioned in the following chapters. But here I would like to mention the window of vulnerability. It is mainly about the gap between when the vulnerability has been discovered and when the patch has been delivered, because during that time frame the attacker can easily launch an attack. The book puts a lot of effort into how to solve that problem. However, there is no panacea for solving all the problems. Again, no network security means no network.

Thanks,

Four Ways to Originate Prefixes in BGP

The command that lets us see originated prefixes in BGP is “show ip bgp reg ^$”. There are four ways to originate a prefix.

1. aggregate-address

Aggregate-address in BGP is summarization or supernetting, like the IGP summary-address. When executing this command, the specific route must be in the BGP routing table. BGP will advertise both the aggregated address and the specific routes to the neighbor. If we don’t want the specific routes to be advertised, the “summary-only” keyword needs to be used.

2. network statement

When we configure "network 192.168.50.0 mask 255.255.255.0", it actually tells the router to import network 192.168.50.0 with subnet mask 255.255.255.0 from the IGP route table into the LocRIB. If there is no such entry in the IGP table, nothing will be installed in the LocRIB. If the import is successful, there is an entry in the LocRIB originated by the router itself.

3. redistribute

If we have been asked to let the router advertise a summary major network 191.1.0.0/16 into BGP, we can create a static route pointing to Null0, then redistribute the static route into BGP:

router bgp 200
redistribute static
ip route 191.1.0.0 255.255.0.0 Null0

4. inject-map

Inject-map is the opposite operation of aggregate-address; sometimes we call it “de-aggregate”. We need two route-maps. One route-map declares the injected prefix using set ip address prefix-list <inject-prefix-list> and whatever attributes need to be set (weight defaults to 0 instead of 32768). The other route-map matches the existing aggregate prefix and its originator using match ip address prefix-list <aggregate-prefix-list> and match ip route-source prefix-list <originator-prefix-list>.

IP Packets Spoofing Prevention

Cisco IOS provides two features to prevent IP packet spoofing. One is called uRPF (Unicast Reverse Path Forwarding), which is handled at Layer 3 (Network Layer). The other is called IP Source Guard, which is handled at Layer 2 (Data Link Layer); consequently, it applies to LAN switches.

uRPF is the concept of verifying the routing path for the source IP address found in an IP packet. As we know, packets arrive on the interfaces that are on the shortest path to the source of the packets. However, with IP spoofing attacks, a malicious user may inject packets with IP addresses not belonging to its segment or network. Under the uRPF check, such packets may appear on interfaces not on the shortest path to their source. This feature has two modes:

- Strict mode: ip verify unicast source reachable-via rx command. The source IP address must match an explicit IP route in the routing table and, most importantly, the next hop for this entry should point out of the interface the packet was received on.

- Loose mode: ip verify unicast source reachable-via any. It just checks that there is an IP route matching the source address in the packet. It doesn’t matter whether the next hop for this route points out of the receiving interface or not.

IP Source Guard is intended to prevent IP packet spoofing at Layer 2. When you enable IP Source Guard on a port, the switch applies a Layer 3 filter to this port, only accepting packets with source IP addresses matching the DHCP snooping bindings created for the port. Enabling DHCP snooping is a prerequisite. As soon as you enable IP Source Guard, the switch only permits IP packets that match the DHCP snooping database or static IP-to-MAC address and port bindings. The switch also allows ingress DHCP packets so that hosts can obtain IP addresses.

interface FastEthernet 0/1
ip verify source port-security
switchport port-security maximum 1
switchport port-security
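The two checks described above, modelled in code so the difference between strict and loose uRPF, and between ip verify source with and without the port-security keyword, can be seen on concrete packets. This is an added example and not Cisco's implementation: the routing table, the DHCP snooping binding table, the interface names and the addresses are all constructed. The allow-default handling mirrors the allow-default keyword of the uRPF command, which the post does not mention; without it the default route is not accepted as a match.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, interface through which the next hop is reached)

# Constructed forwarding table of the router.
ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),     # default route toward the upstream
    (ipaddress.ip_network("10.1.0.0/16"), "Gi0/1"),   # customer LAN
    (ipaddress.ip_network("10.1.5.0/24"), "Gi0/2"),   # a more specific subnet behind another interface
]


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match, the same lookup the forwarding path performs."""
    ip = ipaddress.ip_address(address)
    candidates = [r for r in routes if ip in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


def urpf_accepts(routes: List[Route], src_ip: str, ingress_if: str,
                 mode: str = "strict", allow_default: bool = False) -> bool:
    """uRPF check on a packet's *source* address.

    strict ('reachable-via rx'):  a route must exist AND point back out the ingress interface.
    loose  ('reachable-via any'): a route must exist; the interface does not matter.
    allow_default mirrors the 'allow-default' keyword; without it the default route is not
    treated as a match in either mode.
    """
    route = lookup(routes, src_ip)
    if route is None:
        return False
    if route[0].prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return route[1] == ingress_if
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed DHCP snooping binding table of the switch: (port, MAC) -> leased IP.
BINDINGS: Dict[Tuple[str, str], str] = {
    ("Fa0/1", "00:11:22:33:44:55"): "10.1.5.20",
    ("Fa0/2", "00:11:22:33:44:66"): "10.1.5.21",
}


def ip_source_guard_accepts(bindings: Dict[Tuple[str, str], str], port: str,
                            src_mac: str, src_ip: str,
                            is_dhcp: bool = False, port_security: bool = True) -> bool:
    """IP Source Guard filter for a frame arriving on an access port.

    - DHCP traffic is always let through so the host can obtain a lease.
    - 'ip verify source port-security' (port_security=True, as in the config above) needs the
      (port, MAC, IP) triple to match a binding; plain 'ip verify source' checks only that the
      IP is bound on that port.
    """
    if is_dhcp:
        return True
    if port_security:
        return bindings.get((port, src_mac)) == src_ip
    return any(ip == src_ip for (p, _mac), ip in bindings.items() if p == port)


if __name__ == "__main__":
    print("strict, legit source :", urpf_accepts(ROUTES, "10.1.5.20", "Gi0/2"))
    print("strict, spoofed      :", urpf_accepts(ROUTES, "10.1.5.20", "Gi0/1"))
    print("loose,  same packet  :", urpf_accepts(ROUTES, "10.1.5.20", "Gi0/1", mode="loose"))
    print("IPSG,   spoofed IP   :", ip_source_guard_accepts(BINDINGS, "Fa0/1", "00:11:22:33:44:55", "10.1.5.99"))
```

The second and third lines of the demo are the whole point of the two modes: a packet claiming to be from 10.1.5.20 that arrives on Gi0/1 is dropped by strict mode because the best route to that source leaves through Gi0/2, but passes loose mode because some route exists. Loose mode still stops sources with no route at all, which is why it is the usual choice on asymmetric paths.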