Entries Tagged as 'Security'

router-traffic for CBAC

CBAC is the upgrade version of flexible access control. Since access list is not stateful control, which means, if very strict access list applied in Outside interface for inbound traffic, most of traffic initialized from Inside subnet will be blocked. CBAC help us to inspect specified outgress traffic and put state in the state table. When the traffic comes back, the Outside interface won’t block them out.

However, the interesting problem is, if the traffic initilized from local router, the inspection won’t take effect. Like we want to capture transit package by issue “no ip route-cache”, we need to add “router-traffic” option when define CBAC.

ip inspect name INSIDE_OUT tcp router-traffic

Understanding Cisco IDS Signature Series

It is important to understand what a signature is, and what exactly a signature does. A signature is a known type of activity. It has already been detected in the wild and someone has captured the personality or traffic pattern of the attack or intrusive activity and documented it. In many ways, the signature is something akin to a fingerprint. The fingerprint is unique to a person just like the signature is unique to a certain attack or type of activity. A Cisco IDS sensor then compares traffic against the signatures it has configured and will match up this activity when it appears on your network. The parameters you set for the signature will tell the sensor how to respond to the threat. The sensor can send an alarm to your IDS management device, log the event, send e-mail alerts, or even block the suspect traffic at the router, switch, or firewall. Now we are going to discuss each of the signatures. I have taken the time to separate them into the numbered series. The signatures range from 1000 all the way into the 11000s. Besides numerically grouping signatures, the series number represents another type of grouping. They help the administrator narrow down what type of attack is generating the alarms. Are they atomic? Is the attack a string, sweep, or web site exploit? Although the numbers do cover multiple signature types, they help the administrator narrow down his search.

The following list gives a brief description of each signature series.

  • The 1000 series covers the signatures that analyze the content of IP headers.
  • The 2000 series focuses on ICMP signatures.
  • The 3000 series is all about TCP-based signatures.
  • The 4000 series is all about UPD connections and ports on the network.
  • The 5000 series is probably the largest. It covers web (HTTP) traffic.
  • The 6000 series focuses on multiprotocol signatures.
  • The 7000 series has the ARP signatures.
  • The 8000 series is string-matching signatures.
  • The 9000 series covers Back Doors.
  • The 10000 series has signatures that focus on policy enforcement.

The detailed article is in here.

Windows Vista Firewall Turn On/Off

Windows Vista has three level of firewall profile: Domain Profile, Private Profile and Public Profile. All firewall is on by default. If we want to turn off firewall for our own user, we may go to Windows Vista System Administraion -> Firewall and Advanced Security Center. We see the configuration is complicated. There are tons of rules and policies for inbound and outbound traffic. Is there any simple way to turn on or turn off the firewall for our own user? Of course, the default firewall is turn on. The answer is YES.

We can go to Control Panel -> User Account. We need to click on “Turn User Account Control on or off”.

Then, we can enable/disable User Account Control. System asks to restart. After restart, we can see the firewall policy is applied or disabled.

Windows TCP 139 and 445 Vulnerability

Although those two ports are well known for security reason for a long time, we still hope to know something in details. As we know, NFS (Netwrok File Systems) is developed by Sun. It’s mainly for sharing directories and files between UNIX machines. Microsoft invented a protocol called SMB (Sever Message Blocks), by which, people can share directories and files with other Windows machines. Microsoft is trying to rename SMB-based networking to “Windows Networking” and the protocol to “CIFS”. When we try to mount SAMBA server directory to our Linux machine, we most likely do the following command.

sudo mount -t cifs -o username=henrydu //172.17.93.105/Swap-1Day /mnt/Swap-1Day

Microsoft open a security hole to many people who haven’t set up Administrator’s password. In the early time, people can easily share others C:\WINDOWS directory:

\\172.17.93.105\ADMIN$

Even with password, malicious people still can figure out by port 139 and 445. This article is not for how to hack others by port 139 and 445. We will see how SMB and NETBIOS work.

SMB is the most popular protocols for Windows PCs lets us share files, disks, directories, printers, and (in some cases) even COM ports across a network. SMB-based networks use a variety of underlying protocols, but the most popular are “NetBIOS over TCP/IP”.

Here is a solid example. SMB-client (Hacker) send TCP 445 SYN to SMB-server (Victim). Without waiting for SYN/ACK package, it sends TCP 139 SYN to SMB-server immediately. TCP 445 is to set up SMB session and TCP 139 is to set up NETBIOS session. SMB need NETBIOS protocol. We can see from screen shot that, after TCP 139 and TCP 445 session is up, SMB protocol start to run. From package hierarchy we can see, SMB is over NETBIOS protocol.

After Microsoft noticed this security issue, TCP 139 and 445 is blocked by default. Thus, SMB-server never reply SYN package if the firewall is on. We can use NMAP to do a test.

Firewall is off.

nmap -PN -p139,445 -n -v 172.17.93.105
…..
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Firewall is on

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Therefore, please make sure these two ports are protected by firewall.

Network Vulnerability Assessment – OVAL Test

Last time I briefly introduced OVAL Definition, I’ll continue for OVAL Test. Please note that both definition and test are defined in the same XML file. The OVAL test is subroutine of criteria defined in definition section. Here is an example of criteria for JScript 5.7 on Microsoft Windows XP SP3.

<criteria operator=”AND” comment=”JScript 5.7 on Microsoft Windows XP SP3″>
<criterion comment=”jscript.dll version is less than 5.7.6002.22145″ test_ref=”oval:com.vendor.oval:tst:102792″/>
</criteria>

We can see there is a test reference defined by oval:com.vendor.oval:tst:102792. Then, what’s the definition of test? The following is test definition. We can see that there are two parts, one is object, the other is state. The basic idea in here is, to verify if the object has the state. If yes, then the OVAL test is passed. Otherwise, OVAL test is failed.

<test id=”oval:com.vendor.oval:tst:102792″/>
<object object_ref=”oval:org.mitre.oval:obj:564″/>
<state state_ref=”oval:com.vendor.oval:ste:102792″/>
</test>

The object and state are defined as:

<file_object id=”oval:org.mitre.oval:obj:564″/>
<path var_ref=”oval:org.mitre.oval:var:200″ var_check=”all”/>
<filename>jscript.dll</filename>
</file_object>


<file_state id=”oval:com.vendor.oval:ste:102792″/>
<version datatype=”version” operation=”less than”>5.7.6002.22145</version>
</file_state>

It basically said that, in specified path, if jscript.dll version less than 5.7.6002.22145, then this is a vulnerability.

Right now, we can see that OVAL is a language to define vulnerabilities and how to do the test by using XML format. Obviously, the repository need people to maintain and put more released/observed vulnerabilities. Thanks,

Network Security Assessment – OVAL Definition

I have briefly mentioned network security assessment part 1 and part 2, here I’d like to introduce how to do the vulnerability test. In terms of penetration test, this test is white box test because the tester has put the sensor or agent in the asset. This operation is allowed by the firm.

OVAL is Open Vulnerability Assessment Language which is well adapted by the industry. The language is written by XML format. Many communities and groups contribute for the OVAL definition and test. The major one is OVAL Repository which is hosted by The MITRE Corporation. Before we go detailed about OVAL, let’s think about how to do the vulnerability assessment test intuitively.

  • Firs, we need define what was vulnerability.
  • Then, we need to give several criteria, which refer to the real test result.
  • Then, in the test phase, we need to define the object, such as Windows registry definition.
  • Last, we need to retrieve values to compared with the object. Then, the one test is done.

Here is a solid example for OVAL. Microsoft announced one vulnerability “Excel Cache Memory Corruption Vulnerability (KB973471)”. Then, we give one definition for that vulnerability.

<definition id=”oval:com.vendor.oval:def:10383″ version=”1″>
</definition>

In the definition there are some nested categories: metadata and criteria.

The metadata provides some description including definition title, affected family, reference CVE and status etc. For example, the following is reference for this definition.

<reference source=”CVE” ref_id=”CVE-2009-3127″ ref_url=”http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3127″ />

The criteria provides test definition and some comments.

<criterion comment=”Microsoft Excel 2002 SP3 or later is installed” test_ref=”oval:org.mitre.oval:tst:8677″/>

At this point, the definition is completed. Next, we will go to see how to define and perform test.

iPod Touch Vulnerability after Jailbreak

As you may know or may not know, there is a vulnerability for iPod Touch after jailbreak. The root password is hard-coded as “alpine”. If your iPod Touch connect to the hotspot network, people who is in the same subnet can do the following:

  1. Nmap the whole subnet.
  2. sudo nmap -A -O -T4 112.55.82.0/24

  3. The scan result will be shown as follows.
  4. Interesting ports on ******* (112.55.82.202):
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 5.2 (protocol 2.0)
    62078/tcp open tcpwrapped
    ….
    Running (JUST GUESSING) : Apple embedded (93%), Apple iPhone OS 1.X (89%)

  5. Then, the most likely what the people want to do is:
  6. ssh root@112.55.82.202
    Password: alpine

  7. Then, as you can guess, they want to do whatever they want.
  8. John-Smiths-iPod:/ root# ls
    Applications@  Library/  User@  boot/   dev/  lib/  private/  tmp@  var@
    Developer/     System/   bin/   cores/  etc@  mnt/  sbin/     usr/

The solution is very simple: just to change root password after jailbreak. We can go to terminal application in the iPod.

  • Type su – to enter super user mode
  • Type passwd to enter the new password
  • Type again the new password
  • Type exit. We are done.

Good luck and Thanks,

ASA Simulation on Ubunut QEMU

When I tried to find the Cisco ASA simulator by Linux keyword, there are few related results came out. Two popular ways are setting up on Windows QEMU and VMWare. People who are using Windows can refer to that.

However, I found one site that is really useful to install ASA image to QEMU on Linux. I followed the steps and make my own ASA environment. Please note that this solution is not user friendly like dynamips or dynagen. Select the two ways above maybe a good choice. So, let’s see how it works in my site.

We need QEMU first

sudo apt-get install qemu

We need asa802-k8.bin

??? 🙂

We assume that we are working on $ASA_WORKSPACE. Under the directory, create an hexadecimal dump of image:

hexdump -C asa802-k8.bin > asa802-k8.hex

Search for the ZIP header. We can see that the ZIP file starts at offset 1228b0.

grep “1f 8b 08 00 1d” asa802-k8.hex
001228b0  1f 8b 08 00 1d 3d 73 46  00 03 ec 3a 6d 54 14 57  |…..=sF…:mT.W|

Find the image size.

ls -la asa802-k8.bin
-rw-r–r– 1 hengdu hengdu 14524416 2010-01-28 21:27 asa802-k8.bin

Now we need to find out where in the file we can start extracting the ZIP part.

echo “14524416 ; ibase=16 ; last – 1228B0” | bc | tail -n 1
13334352

Extract the zipped part of the ASA image:

tail -c 13334352 asa802-k8.bin > asa802-k8.gz

Decompress it with gzip:

gzip -d asa802-k8
gzip: asa802-k8.gz: decompression OK, trailing garbage ignored

Make a tmp directory and extract the archive with cpio.

mkdir tmp
cd tmp
sudo cpio -i –no-absolute-filenames –make-directories < ../asa802-k8
cpio: Removing leading `/’ from member names
61039 blocks

Copy the Linux kernel to the upper directory:

cp vmlinuz ../asa802-k8.kernel

Make startup script file to ./asa/scripts/first_start.sh. I basically copy all script from the site. However, some part has to be modified in my environment.

#!/bin/sh

FIRST_START=no
if test ! -e /mnt/disk0/lina_monitor
then
fdisk /dev/hda << EOF
n
p
1
5
979
t
4
w
EOF
mkdosfs -F 16 /dev/hda1
mount -o umask=0000,noatime,check=s,shortname=mixed /dev/hda1 /mnt/disk0
cp /asa/bin/lina /mnt/disk0/lina
cp /asa/bin/lina_monitor /mnt/disk0/lina_monitor
FIRST_START=yes
fi
modprobe e100
modprobe e1000
ifconfig eth0 up
ifconfig eth1 up
ifconfig eth2 up
ifconfig eth3 up
ifconfig eth4 up
ifconfig eth5 up
if test $FIRST_START = yes
then
echo “”
echo “”
echo “This is your first boot, please wait about 1 min and then type the following commands:”
echo “cd /mnt/disk0”
echo “/mnt/disk0/lina_monitor”
echo “”
echo “Please note to use the following command under ASA to save your configs:”
echo “copy run disk0:/.private/startup-config”
echo “”
exit
fi
cd /mnt/disk0
/mnt/disk0/lina_monitor

Chmod for the script

sudo chmod +x ./asa/scripts/first_start.sh

Now you can compress all the file and have the initrd ready to use in Qemu:

sudo find . | cpio -o -H newc | gzip -9 > ../asa802-k8.initrd.gz

At this point, the Linux kernel files are ready for QEMU to use.

Create a virtual hard disk

qemu-img create FLASH 256M
Formatting ‘FLASH’, fmt=raw size=268435456

Then start QEMU

qemu -hda FLASH -kernel asa802-k8.kernel -hdachs 980,16,32 \
-initrd asa802-k8.initrd.gz -m 512 -nographic -append \
“console=ttyS0,9600n8 hda=980,16,32 bigphysarea=16384 auto nousb ide1=noprobe”

After many lines output, you will see # prompt. Then, we start ASA.

/bin/lina

Finally, I saw the familiar prompt.

ciscoasa#

So far, I still have some issues to figure it out, such as interface setup and working with my dynamips router. Hopefully I will figure out later time. Please feel free to join my discussion.

Thanks,

Network Security Assessment Reading Notes – Vulnerability Assessment

This chapter is called vulnerability assessment 101. I guess this is because the topic is too huge to fit in the one chapter, even in the one book. According to the book, the assessment basically divided to three steps.

The first step is to collect information. The commonly used tool is nmap, which is open source application and can be download for both Windows OS and Linux. The other commonly used tool is whois, which still can collect many information. Of course, there are many sophisticate tools, such as Qualys. Those techs are core property of those vendors. In terms of collecting information, there are two approaches in practise. One is non-sensor-based and the other is sensor-based. Apparently, sensor-based approaches can provide more information, such as users, configurations, processes running on the assets, devices registered on the assets, etc. Sensor-based approach can overcome NAT topology, while non-sensor-based scanner could not find the assets behind NAT.

The second step is enumerate information. The scanner should have knowledge from collected information about: 1) what OS is running on the asset? 2) How many TCP ports are open on the asset? 3) How many UDP ports are open on the asset? etc.

The last step is detection. This is core part of vulnerability assessment. This part is also described in details in the following chapters. When we try to identify what is a vulnerability, we need a definition, or precisely, a benchmark. Here is the one example of benchmark – FDCC Major Version. We can use Benchmark Editor to open it. Basically, one benchmark is a collection of many rules. For example, the one rule could be Password Policy -> Maximum Password Age -> 7776000. If scanner detects that the maximum password age is larger than that, then this is a vulnerability because the hacker may brute-force password during the time.

Network Security Assessment – Reading Notes 1

Recently I found the blog is good place to put my reading notes. So, let me start the first one. Since I am involving in network vulnerability scan job, This book is really fundamental and provides a lot of easy understanding definition and terminologies rather than jargons. The book name is Network Security Assessment: From vulnerability to patch.

network_security_assessmentThe first chapter gave us a clear vision about what is vulnerability. How to define it and how to score it.

Over the years, the definition of vulnerability has evolved into a software or hardware bug or misconfiguration that a malicious individual can exploit. A vulnerability can be publicly diclosed before a vendor patch, or can even be used quietly by attackers. An organization experiences multiple levels of risk to a vulnerability, depending on how the discoverer of the vulnerability deals with the information and how long it takes the vnedor affected to issue a patch or workaround.

Here is a solid example for my Windows 2008 Server, which is a network security asset. After scan, the one of vulnerability results shows CVE ID is CVE-2008-4844. The description is: “Use-after-free vulnerability in mshtml.dll in Microsoft Internet Explorer 5.01, 6, and 7 on Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a crafted XML document containing nested SPAN elements, as exploited in the wild in December 2008.”

CVE stands for Common Vulnerabilities and Exposures, and a list of CVE numbers was created several years ago to help standardize vulnerability naming. The CVE created a list of all vulnerabilities and assigned each one a CVE ID in the format CVE-year-number. Vendors have been encouraged to use CVE numbers when referencing vulnerabilities.

Right now, we knew we have one vulnerability which has been defined by CVE ID, but how could we know the severity of that vulnerability? Theoretically, the risk is the products of four attributes: Vulnerability, Attacks, Threat and Exposure. However, different vendor has different scoring system. Therefore, CVSS is attempt to solve the problem by providing sophisticate scoring system. For example, for CVE ID: CVE-2008-1446, the CVSS base score is 9 and the CVSS vector is: (AV:N/AC:L/Au:S/C:C/I:C/A:C). The detailed CVSS guide is in here.

After we have realized that we have one vulnerability in our server, we need to patch a remedy to it, which will be mentioned in the following chapters. But in here, I would like to mention the windows of vulnerbility. It mainly talked about the gap between the vulnerability has been discovered and the patch has bee delivered. Because during that time frame, the attacker can easily launch the action to try to attack. How to solve that problem, the book put a lot of efforts on that. However, there is no panacea for solve all the problem. Again, no network security means no network.

Thanks,