Heap Size

• -Xms: initial java heap size.
• -Xmx: maximum java heap size.

Stack Size

• -Xss:     the stack size for each thread.

The snippet for Java Option.

JAVA_OPTS=”-Xms256m -Xmx2200m -Xss384k…

Generally, a JVM is using the following rules to manage memory:

• When a JVM is invoked to run an application, it will ask the operating system for enough memory to run the JVM itself and some free memory for the application to create new objects.
• When a new object is created, the JVM will allocate memory for that object out of the free memory area.
• When the free memory area is getting too small, the JVM will ask the operating system for more.
• When a object is no longer used by the application, it will be destroyed. Its memory will be freed up and merged back to the free memory area.
• When the free memory area is used up, and there is no more additional memory available from the operating system, the JVM will stop the application and issue the “Out of memory error”.

We can go to Control Panel -> User Account. We need to click on “Turn User Account Control on or off”.

Then, we can enable/disable User Account Control. System asks to restart. After restart, we can see the firewall policy is applied or disabled.

sudo mount -t cifs -o username=henrydu //172.17.93.105/Swap-1Day /mnt/Swap-1Day

Microsoft open a security hole to many people who haven’t set up Administrator’s password. In the early time, people can easily share others C:\WINDOWS directory:

\\172.17.93.105\ADMIN$

Even with password, malicious people still can figure out by port 139 and 445. This article is not for how to hack others by port 139 and 445. We will see how SMB and NETBIOS work.

SMB is the most popular protocols for Windows PCs lets us share files, disks, directories, printers, and (in some cases) even COM ports across a network. SMB-based networks use a variety of underlying protocols, but the most popular are “NetBIOS over TCP/IP”.

Here is a solid example. SMB-client (Hacker) send TCP 445 SYN to SMB-server (Victim). Without waiting for SYN/ACK package, it sends TCP 139 SYN to SMB-server immediately. TCP 445 is to set up SMB session and TCP 139 is to set up NETBIOS session. SMB need NETBIOS protocol. We can see from screen shot that, after TCP 139 and TCP 445 session is up, SMB protocol start to run. From package hierarchy we can see, SMB is over NETBIOS protocol.

After Microsoft noticed this security issue, TCP 139 and 445 is blocked by default. Thus, SMB-server never reply SYN package if the firewall is on. We can use NMAP to do a test.

Firewall is off.

nmap -PN -p139,445 -n -v 172.17.93.105
…..
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Firewall is on

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Therefore, please make sure these two ports are protected by firewall.

<criteria operator=”AND” comment=”JScript 5.7 on Microsoft Windows XP SP3″>
<criterion comment=”jscript.dll version is less than 5.7.6002.22145″ test_ref=”oval:com.vendor.oval:tst:102792″/>
</criteria>

We can see there is a test reference defined by oval:com.vendor.oval:tst:102792. Then, what’s the definition of test? The following is test definition. We can see that there are two parts, one is object, the other is state. The basic idea in here is, to verify if the object has the state. If yes, then the OVAL test is passed. Otherwise, OVAL test is failed.

<test id=”oval:com.vendor.oval:tst:102792″/>
<object object_ref=”oval:org.mitre.oval:obj:564″/>
<state state_ref=”oval:com.vendor.oval:ste:102792″/>
</test>

The object and state are defined as:

<file_object id=”oval:org.mitre.oval:obj:564″/>
<path var_ref=”oval:org.mitre.oval:var:200″ var_check=”all”/>
<filename>jscript.dll</filename>
</file_object>
…
…
<file_state id=”oval:com.vendor.oval:ste:102792″/>
<version datatype=”version” operation=”less than”>5.7.6002.22145</version>
</file_state>

It basically said that, in specified path, if jscript.dll version less than 5.7.6002.22145, then this is a vulnerability.

Right now, we can see that OVAL is a language to define vulnerabilities and how to do the test by using XML format. Obviously, the repository need people to maintain and put more released/observed vulnerabilities. Thanks,

OVAL is Open Vulnerability Assessment Language which is well adapted by the industry. The language is written by XML format. Many communities and groups contribute for the OVAL definition and test. The major one is OVAL Repository which is hosted by The MITRE Corporation. Before we go detailed about OVAL, let’s think about how to do the vulnerability assessment test intuitively.

• Firs, we need define what was vulnerability.
• Then, we need to give several criteria, which refer to the real test result.
• Then, in the test phase, we need to define the object, such as Windows registry definition.
• Last, we need to retrieve values to compared with the object. Then, the one test is done.

Here is a solid example for OVAL. Microsoft announced one vulnerability “Excel Cache Memory Corruption Vulnerability (KB973471)”. Then, we give one definition for that vulnerability.

<definition id=”oval:com.vendor.oval:def:10383″ version=”1″>
</definition>

In the definition there are some nested categories: metadata and criteria.

The metadata provides some description including definition title, affected family, reference CVE and status etc. For example, the following is reference for this definition.

<reference source=”CVE” ref_id=”CVE-2009-3127″ ref_url=”http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3127″ />

The criteria provides test definition and some comments.

<criterion comment=”Microsoft Excel 2002 SP3 or later is installed” test_ref=”oval:org.mitre.oval:tst:8677″/>

At this point, the definition is completed. Next, we will go to see how to define and perform test.

1. Nmap the whole subnet.

sudo nmap -A -O -T4 112.55.82.0/24

2. The scan result will be shown as follows.

Interesting ports on ******* (112.55.82.202):
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.2 (protocol 2.0)
62078/tcp open tcpwrapped
….
Running (JUST GUESSING) : Apple embedded (93%), Apple iPhone OS 1.X (89%)

3. Then, the most likely what the people want to do is:

ssh root@112.55.82.202
Password: alpine

4. Then, as you can guess, they want to do whatever they want.

John-Smiths-iPod:/ root# ls
Applications@  Library/  User@  boot/   dev/  lib/  private/  tmp@  var@
Developer/     System/   bin/   cores/  etc@  mnt/  sbin/     usr/

The solution is very simple: just to change root password after jailbreak. We can go to terminal application in the iPod.

• Type su – to enter super user mode
• Type passwd to enter the new password
• Type again the new password
• Type exit. We are done.

Good luck and Thanks,

• Windows QEMU
• Windows VMWare

However, I found one site that is really useful to install ASA image to QEMU on Linux. I followed the steps and make my own ASA environment. Please note that this solution is not user friendly like dynamips or dynagen. Select the two ways above maybe a good choice. So, let’s see how it works in my site.

We need QEMU first

sudo apt-get install qemu

We need asa802-k8.bin

???

We assume that we are working on $ASA_WORKSPACE. Under the directory, create an hexadecimal dump of image:

hexdump -C asa802-k8.bin > asa802-k8.hex

Search for the ZIP header. We can see that the ZIP file starts at offset 1228b0.

grep “1f 8b 08 00 1d” asa802-k8.hex
001228b0  1f 8b 08 00 1d 3d 73 46  00 03 ec 3a 6d 54 14 57  |…..=sF…:mT.W|

Find the image size.

ls -la asa802-k8.bin
-rw-r–r– 1 hengdu hengdu 14524416 2010-01-28 21:27 asa802-k8.bin

Now we need to find out where in the file we can start extracting the ZIP part.

echo “14524416 ; ibase=16 ; last – 1228B0″ | bc | tail -n 1
13334352

Extract the zipped part of the ASA image:

tail -c 13334352 asa802-k8.bin > asa802-k8.gz

Decompress it with gzip:

gzip -d asa802-k8
gzip: asa802-k8.gz: decompression OK, trailing garbage ignored

Make a tmp directory and extract the archive with cpio.

mkdir tmp
cd tmp
sudo cpio -i –no-absolute-filenames –make-directories < ../asa802-k8
cpio: Removing leading `/’ from member names
61039 blocks

Copy the Linux kernel to the upper directory:

cp vmlinuz ../asa802-k8.kernel

Make startup script file to ./asa/scripts/first_start.sh. I basically copy all script from the site. However, some part has to be modified in my environment.

#!/bin/sh

FIRST_START=no
if test ! -e /mnt/disk0/lina_monitor
then
fdisk /dev/hda << EOF
n
p
1
5
979
t
4
w
EOF
mkdosfs -F 16 /dev/hda1
mount -o umask=0000,noatime,check=s,shortname=mixed /dev/hda1 /mnt/disk0
cp /asa/bin/lina /mnt/disk0/lina
cp /asa/bin/lina_monitor /mnt/disk0/lina_monitor
FIRST_START=yes
fi
modprobe e100
modprobe e1000
ifconfig eth0 up
ifconfig eth1 up
ifconfig eth2 up
ifconfig eth3 up
ifconfig eth4 up
ifconfig eth5 up
if test $FIRST_START = yes
then
echo “”
echo “”
echo “This is your first boot, please wait about 1 min and then type the following commands:”
echo “cd /mnt/disk0″
echo “/mnt/disk0/lina_monitor”
echo “”
echo “Please note to use the following command under ASA to save your configs:”
echo “copy run disk0:/.private/startup-config”
echo “”
exit
fi
cd /mnt/disk0
/mnt/disk0/lina_monitor

Chmod for the script

sudo chmod +x ./asa/scripts/first_start.sh

Now you can compress all the file and have the initrd ready to use in Qemu:

sudo find . | cpio -o -H newc | gzip -9 > ../asa802-k8.initrd.gz

At this point, the Linux kernel files are ready for QEMU to use.

Create a virtual hard disk

qemu-img create FLASH 256M
Formatting ‘FLASH’, fmt=raw size=268435456

Then start QEMU

qemu -hda FLASH -kernel asa802-k8.kernel -hdachs 980,16,32 \
-initrd asa802-k8.initrd.gz -m 512 -nographic -append \
“console=ttyS0,9600n8 hda=980,16,32 bigphysarea=16384 auto nousb ide1=noprobe”

After many lines output, you will see # prompt. Then, we start ASA.

/bin/lina

Finally, I saw the familiar prompt.

ciscoasa#

So far, I still have some issues to figure it out, such as interface setup and working with my dynamips router. Hopefully I will figure out later time. Please feel free to join my discussion.

Thanks,

The first step is to collect information. The commonly used tool is nmap, which is open source application and can be download for both Windows OS and Linux. The other commonly used tool is whois, which still can collect many information. Of course, there are many sophisticate tools, such as Qualys. Those techs are core property of those vendors. In terms of collecting information, there are two approaches in practise. One is non-sensor-based and the other is sensor-based. Apparently, sensor-based approaches can provide more information, such as users, configurations, processes running on the assets, devices registered on the assets, etc. Sensor-based approach can overcome NAT topology, while non-sensor-based scanner could not find the assets behind NAT.

The second step is enumerate information. The scanner should have knowledge from collected information about: 1) what OS is running on the asset? 2) How many TCP ports are open on the asset? 3) How many UDP ports are open on the asset? etc.

The last step is detection. This is core part of vulnerability assessment. This part is also described in details in the following chapters. When we try to identify what is a vulnerability, we need a definition, or precisely, a benchmark. Here is the one example of benchmark – FDCC Major Version. We can use Benchmark Editor to open it. Basically, one benchmark is a collection of many rules. For example, the one rule could be Password Policy -> Maximum Password Age -> 7776000. If scanner detects that the maximum password age is larger than that, then this is a vulnerability because the hacker may brute-force password during the time.

The first chapter gave us a clear vision about what is vulnerability. How to define it and how to score it.

Over the years, the definition of vulnerability has evolved into a software or hardware bug or misconfiguration that a malicious individual can exploit. A vulnerability can be publicly diclosed before a vendor patch, or can even be used quietly by attackers. An organization experiences multiple levels of risk to a vulnerability, depending on how the discoverer of the vulnerability deals with the information and how long it takes the vnedor affected to issue a patch or workaround.

Here is a solid example for my Windows 2008 Server, which is a network security asset. After scan, the one of vulnerability results shows CVE ID is CVE-2008-4844. The description is: “Use-after-free vulnerability in mshtml.dll in Microsoft Internet Explorer 5.01, 6, and 7 on Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a crafted XML document containing nested SPAN elements, as exploited in the wild in December 2008.”

CVE stands for Common Vulnerabilities and Exposures, and a list of CVE numbers was created several years ago to help standardize vulnerability naming. The CVE created a list of all vulnerabilities and assigned each one a CVE ID in the format CVE-year-number. Vendors have been encouraged to use CVE numbers when referencing vulnerabilities.

Right now, we knew we have one vulnerability which has been defined by CVE ID, but how could we know the severity of that vulnerability? Theoretically, the risk is the products of four attributes: Vulnerability, Attacks, Threat and Exposure. However, different vendor has different scoring system. Therefore, CVSS is attempt to solve the problem by providing sophisticate scoring system. For example, for CVE ID: CVE-2008-1446, the CVSS base score is 9 and the CVSS vector is: (AV:N/AC:L/Au:S/C:C/I:C/A:C). The detailed CVSS guide is in here.

After we have realized that we have one vulnerability in our server, we need to patch a remedy to it, which will be mentioned in the following chapters. But in here, I would like to mention the windows of vulnerbility. It mainly talked about the gap between the vulnerability has been discovered and the patch has bee delivered. Because during that time frame, the attacker can easily launch the action to try to attack. How to solve that problem, the book put a lot of efforts on that. However, there is no panacea for solve all the problem. Again, no network security means no network.

Thanks,