Windows Vista Firewall Turn On/Off

Windows Vista has three levels of firewall profile: Domain Profile, Private Profile and Public Profile. The firewall is on by default in all of them. If we want to turn off the firewall for our own user, we may go to Windows Vista System Administration -> Firewall and Advanced Security Center. We see the configuration is complicated: there are tons of rules and policies for inbound and outbound traffic. Is there any simple way to turn the firewall on or off for our own user? (Of course, the firewall is on by default.) The answer is YES.

We can go to Control Panel -> User Account and click on “Turn User Account Control on or off”.

Then we can enable or disable User Account Control. The system asks for a restart. After the restart, we can see that the firewall policy is applied or disabled.

Windows TCP 139 and 445 Vulnerability

Although those two ports have been well known for security reasons for a long time, we still hope to know something in detail. As we know, NFS (Network File System) was developed by Sun. It is mainly for sharing directories and files between UNIX machines. Microsoft invented a protocol called SMB (Server Message Block), by which people can share directories and files with other Windows machines. Microsoft is trying to rename SMB-based networking to “Windows Networking” and the protocol to “CIFS”. When we try to mount a SAMBA server directory on our Linux machine, we most likely run the following command.

sudo mount -t cifs -o username=henrydu //172.17.93.105/Swap-1Day /mnt/Swap-1Day

Microsoft opened a security hole for many people who had not set up an Administrator password. In the early days, people could easily access another machine's C:\WINDOWS directory through the administrative share:

\\172.17.93.105\ADMIN$

Even with a password, malicious people can still get in through ports 139 and 445. This article is not about how to hack others through ports 139 and 445. We will see how SMB and NETBIOS work.

SMB is the most popular protocol for Windows PCs; it lets us share files, disks, directories, printers, and (in some cases) even COM ports across a network. SMB-based networks use a variety of underlying protocols, but the most popular is “NetBIOS over TCP/IP”.

Here is a solid example. The SMB client (Hacker) sends a TCP 445 SYN to the SMB server (Victim). Without waiting for the SYN/ACK packet, it immediately sends a TCP 139 SYN to the SMB server. TCP 445 sets up the SMB session and TCP 139 sets up the NETBIOS session; SMB needs the NETBIOS protocol. We can see from the screenshot that, after the TCP 139 and TCP 445 sessions are up, the SMB protocol starts to run. From the packet hierarchy we can see that SMB runs over NETBIOS.

After Microsoft noticed this security issue, TCP 139 and 445 were blocked by default. Thus the SMB server never replies to the SYN packet if the firewall is on. We can use NMAP to test this.

Firewall is off.

nmap -PN -p139,445 -n -v 172.17.93.105
…..
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Firewall is on

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Therefore, please make sure these two ports are protected by firewall.

Network Vulnerability Assessment – OVAL Test

Last time I briefly introduced the OVAL Definition; here I'll continue with the OVAL Test. Please note that both definition and test are defined in the same XML file. The OVAL test is a subroutine of the criteria defined in the definition section. Here is an example of criteria for JScript 5.7 on Microsoft Windows XP SP3.

<criteria operator="AND" comment="JScript 5.7 on Microsoft Windows XP SP3">
<criterion comment="jscript.dll version is less than 5.7.6002.22145" test_ref="oval:com.vendor.oval:tst:102792"/>
</criteria>

We can see there is a test reference, oval:com.vendor.oval:tst:102792. Then, what is the definition of the test? The following is the test definition. We can see that there are two parts: one is the object, the other is the state. The basic idea here is to verify whether the object has the state. If yes, the OVAL test passes; otherwise, it fails.

<test id="oval:com.vendor.oval:tst:102792">
<object object_ref="oval:org.mitre.oval:obj:564"/>
<state state_ref="oval:com.vendor.oval:ste:102792"/>
</test>

The object and state are defined as:

<file_object id="oval:org.mitre.oval:obj:564">
<path var_ref="oval:org.mitre.oval:var:200" var_check="all"/>
<filename>jscript.dll</filename>
</file_object>

<file_state id="oval:com.vendor.oval:ste:102792">
<version datatype="version" operation="less than">5.7.6002.22145</version>
</file_state>

It basically says that, in the specified path, if the jscript.dll version is less than 5.7.6002.22145, then this is a vulnerability.

Right now we can see that OVAL is a language for defining vulnerabilities and how to test for them, using XML format. Obviously, the repository needs people to maintain it and add more released/observed vulnerabilities. Thanks,

Network Security Assessment – OVAL Definition

I have briefly mentioned network security assessment part 1 and part 2; here I'd like to introduce how to do the vulnerability test. In terms of penetration testing, this is a white-box test because the tester has put a sensor or agent on the asset. This operation is allowed by the firm.

OVAL is the Open Vulnerability Assessment Language, which is well adopted by the industry. The language is written in XML format. Many communities and groups contribute to OVAL definitions and tests. The major one is the OVAL Repository, which is hosted by The MITRE Corporation. Before we go into detail about OVAL, let's think about how to do a vulnerability assessment test intuitively.

  • First, we need to define what the vulnerability is.
  • Then, we need to give several criteria, which refer to real test results.
  • Then, in the test phase, we need to define the object, such as a Windows registry definition.
  • Last, we need to retrieve values to compare with the object. Then, the one test is done.

Here is a solid example for OVAL. Microsoft announced a vulnerability, “Excel Cache Memory Corruption Vulnerability (KB973471)”. Then we give one definition for that vulnerability.

<definition id="oval:com.vendor.oval:def:10383" version="1">
</definition>

In the definition there are some nested categories: metadata and criteria.

The metadata provides some description, including the definition title, affected family, referenced CVE, status, etc. For example, the following is the reference for this definition.

<reference source="CVE" ref_id="CVE-2009-3127" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3127" />

The criteria provide the test definitions and some comments.

<criterion comment="Microsoft Excel 2002 SP3 or later is installed" test_ref="oval:org.mitre.oval:tst:8677"/>

At this point, the definition is complete. Next, we will see how to define and perform the test.
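As an added example (not code from the original posts), here is a small Python evaluator that ties the definition, criteria, test, object and state from the two OVAL posts together: it follows the test_ref / object_ref / state_ref chain, compares an observed jscript.dll version against the “less than” state, and combines criterion results with the criteria operator. The definition id, the literal path used in place of the var_ref, and the file inventory are constructed for the example.

```python
import xml.etree.ElementTree as ET

# The page's own test/object/state for jscript.dll, under a constructed definition
# id; the var_ref path is replaced by a literal path (assumption, not OVAL's).
OVAL_XML = r"""<oval>
<definition id="oval:example:def:1" version="1">
 <criteria operator="AND" comment="JScript 5.7 on Microsoft Windows XP SP3">
  <criterion comment="jscript.dll version is less than 5.7.6002.22145"
             test_ref="oval:com.vendor.oval:tst:102792"/>
 </criteria>
</definition>
<test id="oval:com.vendor.oval:tst:102792">
 <object object_ref="oval:org.mitre.oval:obj:564"/>
 <state state_ref="oval:com.vendor.oval:ste:102792"/>
</test>
<file_object id="oval:org.mitre.oval:obj:564">
 <path>C:\WINDOWS\system32</path>
 <filename>jscript.dll</filename>
</file_object>
<file_state id="oval:com.vendor.oval:ste:102792">
 <version datatype="version" operation="less than">5.7.6002.22145</version>
</file_state>
</oval>"""
# Constructed inventory standing in for the file versions an agent collects.
INVENTORY = {r"C:\WINDOWS\system32\jscript.dll": "5.7.6002.22000"}
OPS = {"less than": lambda a, b: a < b, "equals": lambda a, b: a == b}

def parse_version(v):  # numeric tuples so 5.7.6002.22145 > 5.7.6002.9999
    return tuple(int(p) for p in v.split("."))

def evaluate_test(root, test_id, inventory):
    """True when the referenced object exists and matches the referenced state."""
    test = root.find(f"test[@id='{test_id}']")
    obj = root.find(f"file_object[@id='{test.find('object').get('object_ref')}']")
    state = root.find(f"file_state[@id='{test.find('state').get('state_ref')}']")
    found = inventory.get(obj.findtext("path") + "\\" + obj.findtext("filename"))
    if found is None:
        return False  # file absent: the object does not exist, so the test fails
    ver = state.find("version")
    return OPS[ver.get("operation")](parse_version(found), parse_version(ver.text))

def evaluate_definition(xml_text, def_id, inventory):
    """Combine criterion results with the criteria element's AND/OR operator."""
    root = ET.fromstring(xml_text)
    crit = root.find(f"definition[@id='{def_id}']/criteria")
    hits = [evaluate_test(root, c.get("test_ref"), inventory)
            for c in crit.findall("criterion")]
    return all(hits) if crit.get("operator") == "AND" else any(hits)
```

With the constructed inventory the definition evaluates to True (vulnerable); a host reporting 5.7.6002.22145 or later, or no jscript.dll at all, evaluates to False.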