Syngress Sniffer Pro Network Optimization & Troubleshooting Handbook, part 9

Chapter 11 • Detecting and Performing Security Breaches with Sniffer Pro
www.syngress.com 219_sniffer_11.qxd 6/28/02 12:03 PM Page 514

Introduction

If we were previously reading the Cadillac of books, we just jumped into a Ferrari for a spin. In this chapter, we look at using Sniffer Pro with security in mind. This is not a chapter on hacking. Rather, this chapter shows you how to find vulnerabilities in your own network. It discusses the importance of security analysts who have a working knowledge of the basic operations of Sniffer Pro or other similar protocol analyzers. The first few sections cover issues inherent within IPv4 and how Sniffer Pro can be used to exploit the protocol stack’s weakness.

NOTE
Using this technology for mischief is not recommended; such activity could result in serious legal consequences.

Using Sniffer Pro to Find Holes in Your Network

The terrorist attacks of September 11, 2001, changed the focus of security forever. Many commentators have compared the events’ worldwide ramifications to those of December 7, 1941. The resulting awareness of information security and privacy has created new and demanding challenges for the network professional. Today’s cyber marketplace does not offer a better addition to a conscientious “white hat” hacker’s arsenal than Sniffer Pro. Because Sniffer Pro is adept at analyzing network and application problems, it is an effective tool in the detection and prevention of network vulnerabilities.

One only need open the morning newspapers to be made aware that threats from the Internet are escalating. The names of viruses, Trojans, and worms—once relegated to the “techno-geek” realm—are now mainstream water-cooler conversation. Code Red, Nimda, SirCam, Melissa, Lovebug—the list goes on and on. These names, now relegated to the past, should be of concern to the Sniffer Certified Professional (SCP), whose challenges lie in defending against new and yet unnamed malware.

NOTE
A vast amount of information can be found on the Internet covering the subjects of malware, viruses, and Trojans. Some good URLs with which to start your research are www.sarc.com, www.sans.org, and www.cert.org.

In this chapter, we cover the complex subject of vulnerabilities. The military has long been confronted with the detection and elimination, or at least the mitigation, of vulnerabilities and threats. The military terms used to describe the mechanics of these efforts have made their way into the information security world. We use some of these terms and define them in their information security sense.

Delivery and Payload

Let’s begin with two frequently used terms: delivery and payload. What do they mean? The military uses a nuclear missile as a delivery mechanism and a warhead as the payload. This terminology means that the military is defining how a weapon gets to its destination (delivery) and what it delivers once it arrives (payload). Other examples might be a B-52 bomber as a delivery mechanism and a 15,000-pound daisy-cutter bomb as a payload, or a 20-millimeter cannon as a delivery mechanism and its shell as a payload.

Delivery and payload are fairly simple concepts that can be easily applied to information warfare as well. For example, the SirCam virus’s delivery mechanism was e-mail and its payload was a malware attachment. The Jill.c exploit by Dark Spyrit used an HTTP GET request to deliver a buffer overflow payload. A final example is the Code Red worm, whose delivery mechanism was an Internet HTTP connection and whose payload was a malformed request exploiting a hole in Microsoft’s Internet Information Server. We cover Code Red in more detail later in this chapter, demonstrating how—using Sniffer Pro—we detected its presence and mitigated the exploit.

Concerning delivery and payload, the preceding definition implies one delivery mechanism and one payload. This is not always the case. Just as there are nuclear missiles with multiple warheads, the information warfare world has its Nimdas with multiple delivery techniques and payloads—exploiting e-mail, Internet Explorer browsers, and network shares, all at the same time. It is the job of the security-minded SCP to constantly research and understand these concepts, in order to implement a defense by building and utilizing the various filtering capabilities of Sniffer Pro.

Vulnerabilities in Detail

We begin our discussion of network vulnerabilities by examining three exploits that utilized the programming oversight known as a buffer overflow. This exploit, resulting from a failure to check the input to a function in a program, can cause a system crash, allowing a hacker to have full control of your machine. The buffer overflow is arguably the most common and notorious hacker technique in use today.

Code Red: The Exploit

On June 19, 2001, the CERT Advisory CA-2001-13 Buffer Overflow in IIS Indexing Service DLL was released. As usual, it had very little impact on the information community and went relatively unnoticed by system admins. However, this small but costly programming oversight would prove to be only the beginning of what would become a billion-dollar exploit.

NOTE
The CERT Coordination Center (CERT/CC) is a center of Internet security expertise located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

The System Administration, Networking, and Security (SANS) Institute, founded in 1989, is a cooperative research and education organization through which more than 156,000 security professionals, auditors, system administrators, and network administrators share the lessons they are learning and find solutions to the challenges they face. Global Information Assurance Certification (GIAC) certification, sponsored by SANS, provides assurance that a certified individual holds the level of knowledge and skill necessary for a practitioner in key areas of information security.

The advisory stated that a vulnerability existed in the indexing service used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. This vulnerability allows a remote intruder to run arbitrary code on the victim’s machine. The advisory description stated that there was a remotely exploitable buffer overflow in one of the ISAPI extensions installed with most versions of IIS 4.0 and 5.0. The specific Internet/Indexing Service Application Programming Interface extension was IDQ.DLL. The vulnerability was discovered by eEye Digital Security.

On July 19, 2001, the CERT Advisory CA-2001-19 “Code Red” Worm Exploiting Buffer Overflow in Indexing Service DLL was released. The overview stated that CERT/CC had received reports of new self-propagating malicious code that exploits IIS systems susceptible to the vulnerability described in CERT Advisory CA-2001-13 Buffer Overflow in Indexing Service DLL. The report explained that two variants of the Code Red worm had already affected more than 250,000 servers. It was obvious that someone had found a use for the hole in IIS. One of the specific uses for this exploit was a payload designed to generate a denial-of-service (DoS) attack on the White House Web server.

Fortunately for the president’s IT staff, the payload did not utilize the DNS service that maps (translates) a name to an IP address. Instead, it hardcoded the IP address in the binary payload. It would prove to be a simple process to change the White House Web server’s address in DNS, and that is precisely how the IT staff dealt with the threat.

Code Red: The System Footprint

In order to detect this type of malicious activity, the SCP should study the exploit and carefully examine the system footprint when available. For this exploit, the system footprint was provided by the advisory, which stated that Code Red worm activity can be identified on a machine by the presence of the entry in the Web server log files shown in Figure 11.1.

Figure 11.1 A Code Red Footprint
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6805%ucbd3%u7801 etc.

The presence of the entry in the log does not necessarily indicate compromise. Rather, it indicates that a Code Red worm attempted to infect the machine. Armed with this knowledge and the old IP address of the White House Web server, the security-minded SCP has the information necessary to detect this exploit both coming and going. We accomplish this task by building a filter to detect the system footprint (coming) and the old IP address of the White House Web server (going). The Sniffer Pro interface is placed on the ingress/egress to the Internet.

NOTE
A system footprint is a group of characters or bytes of data that uniquely identify the payload as belonging to a specific exploit. In some cases, the system footprint is simply a group of characters, as in Code Red’s default.ida?NNNNNN (see Figure 11.1). In more complex payloads, the system footprint can be a string of binary data representing the actual code. Some security professionals refer to a system footprint as a signature.

In Chapter 4, we go into greater detail about building filters to capture and view these exploits; here we briefly touch on configuring this filter.

Code Red: The Filter

To configure the footprint filter:

1. Select Capture | Define Filter | Profiles | New.
2. Enter a name such as CodeRed (see Figure 11.2).

Figure 11.2 New Capture Profile

Next we will configure the Advanced tab:

1. Select OK | Done | Advanced tab.
2. Select the HTTP check box under TCP (see Figure 11.3).
3. Select OK.
4. Select Capture | Define Filter.
5. Select CodeRed from the Settings For: panel.
6. Select Data Pattern | Add Pattern.
7. Set Offset (hex) to 36.
8. Set Format to ASCII.
9. Enter the data from the footprint into Field 1 and 2: GET /default.ida?NNNNNNNNNNNNN.
10. Set Name to Code Red Pattern.
11. Select OK (see Figure 11.4).

Figure 11.3 Code Red Advanced Setting
Figure 11.4 Code Red Pattern

Code Red: The Attack

As can be seen in Figure 11.5, if this capture filter is placed on the ingress/egress to the Internet, it will trap both incoming and outgoing exploit attempts. The outgoing attempts could be from compromised computers or disgruntled employees using your network to launch their hacking exploits. The Trojans installed on your machines might be the launching pads for a huge DDoS attack as your machines are turned into “zombies,” blindly acting out the will of the hacker. The summary window of Figure 11.5 displays the system footprint in packet 10 of a captured exploit attempt.

Figure 11.5 Code Red Attack Summary
Figure 11.6 Code Red Payload

The complete payload is visible in the Sniffer Pro Hex display of the capture (see Figure 11.6). Line 1 in the display starts the buffer overflow, and line 5 injects the binary payload.

NOTE
If you are interested in the mechanics of this type of exploit, we highly recommend that you read Chapter 8, “Buffer Overflow,” in Hack Proofing Your Network, second edition, from Syngress Publishing. This highly detailed treatise on the subject will prepare you to recognize and develop your own system footprints when you design filters.

Code Red: The Hacker’s Intent

The SCP, having researched this exploit, knows that a DoS attack will be performed by a zombie (an infected Web server) using the old IP address of the White House Web server. With these facts in hand, someone can design and build a simple address filter to detect any attempts to perform a DoS attack on that specific address. By doing this, the SCP will be aware of any internally compromised servers and can give that information to the system administrators, in order for them to remove the exploit and patch the machine.

The following is an excerpt from the analysis of the payload of the Code Red .ida worm. The analysis was performed by Ryan Permeh and Marc Maiffret of eEye Digital Security. A disassembly (complete with comments) was done by Ryan “Shellcode Ninja” Permeh. The attack consists of the infected system sending 100k bytes of data (1 byte at a time + 40 bytes overhead for the actual TCP/IP packet) to port 80 of www.whitehouse.gov. This flood of data (410 megabytes of data every four and a half hours per instance of the worm) would potentially amount to a DoS attack against www.whitehouse.gov.

The assembly code in Figure 11.7 contains the White House IP address. The address (5BF089C6) is displayed in line 2. The entry is in hexadecimal notation and in reverse (little-endian) byte order. When the order is reversed, the value becomes C6 89 F0 5B in hex. Using Microsoft Windows’ calculator in scientific mode, the SCP can verify this address by converting each byte to decimal: C6 = 198, 89 = 137, F0 = 240, 5B = 91. Next, reassemble the four numbers, adding periods between them, and the result is 198.137.240.91—the old IP address. The www.whitehouse.gov address was changed to 198.137.240.92 shortly after the first attack.

Figure 11.7 White House Socket Setup
Seg000:000008EB C7 85 80 FE FF+  mov dword ptr [ebp-180h], 5BF089C6h  ; set ip (www.whitehouse.gov)

Code Red: The White House Filter

To configure the filter:

1. Select Capture | Define Filter | Profiles | New.
2. Enter a filter name such as WhiteHouse.
3. Select OK | Done | Advanced.
4. Under TCP, select the HTTP check box (see Figure 11.8).
5. Select the Address tab.
6. Enter the White House address 198.137.240.91 to Any (see Figure 11.9).

Next we place Sniffer Pro on the egress of the network with the capture filter selected. Figure 11.10 is a display of three captured packets from an infected host attempting to perform a DoS attack on the old White House IP address.
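The two Sniffer Pro filters above (the default.ida? footprint pattern and the old White House address) and the byte-reversal of the immediate in Figure 11.7 can be reproduced as plain code for scanning log lines or flow records offline. This is an added example, not code from the book or from Sniffer Pro; the 10.0.0.0/8 "internal" range, the flow records and the request strings are constructed for it, and the pattern also accepts the X-padded variant the chapter later describes for Code Red II.

```python
"""Added example (not from the book or Sniffer Pro): the chapter's two Code Red
checks rebuilt as plain Python so they can be run over log lines or flow
records offline.  Sample flows, the 10.0.0.0/8 "internal" range and the
request strings are all constructed for this example."""
import ipaddress
import re
import struct

# Figure 11.1 footprint: /default.ida? + long run of one filler byte + %uXXXX
# escapes.  Code Red pads with N; Code Red II (covered later) pads with X.
FOOTPRINT_RE = re.compile(
    r"/default\.ida\?(?P<fill>N{20,}|X{20,})(?P<esc>(?:%u[0-9a-fA-F]{4})*)"
)

OLD_WHITEHOUSE_IP = "198.137.240.91"           # hardcoded target in the payload
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed: "our" address space


def decode_le_dword_ip(imm: int) -> str:
    """Reverse the byte order of a dword immediate such as 5BF089C6h (Figure
    11.7) and render it dotted-decimal, as the chapter does by hand."""
    return str(ipaddress.IPv4Address(struct.pack("<I", imm)))


def match_footprint(text: str):
    """Return (variant, shellcode_escapes_present) or None if no footprint."""
    m = FOOTPRINT_RE.search(text)
    if m is None:
        return None
    variant = "CodeRed" if m.group("fill")[0] == "N" else "CodeRedII"
    return variant, bool(m.group("esc"))


def classify_flow(src: str, dst: str, dport: int, payload: str) -> str:
    """Apply both filters the chapter places at the Internet ingress/egress:
    the footprint pattern (infection attempts, coming or going) and the
    old White House address (a zombie flooding the hardcoded target)."""
    direction = "outbound" if ipaddress.ip_address(src) in INTERNAL else "inbound"
    fp = match_footprint(payload)
    if fp is not None:
        return f"{direction} {fp[0]} infection attempt ({src} -> {dst})"
    if dst == OLD_WHITEHOUSE_IP and dport == 80:
        return f"{direction} traffic to old White House address: {src} may be a Code Red zombie"
    return "clean"


def scan_flows(flows):
    """Return every non-clean verdict, in order, for a list of flow records."""
    return [v for v in (classify_flow(*f) for f in flows) if v != "clean"]


# Constructed flow records: (src, dst, dport, first bytes of payload as text).
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.0.0.5", 80,
     "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0"),
    ("10.0.0.9", OLD_WHITEHOUSE_IP, 80, "\x00"),   # 1-byte flood packet
    ("10.0.0.9", "198.51.100.4", 80,
     "GET /default.ida?" + "X" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0"),
    ("10.0.0.3", "198.51.100.8", 80, "GET /index.html HTTP/1.0"),
]

if __name__ == "__main__":
    print(decode_le_dword_ip(0x5BF089C6))   # 198.137.240.91
    for verdict in scan_flows(SAMPLE_FLOWS):
        print(verdict)
```

As with the Sniffer Pro filter, a footprint hit records an attempt, not a confirmed compromise; the address check is what points at an already-infected host.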
Using the information obtained from the capture filter, the system administrator can be alerted to the existence of any compromised computers on his or her network. Using the IP addresses, the machines can be removed from the network and patched or reloaded as necessary. Without this filter, the administrator would be unaware of the clandestine transmissions leaving the network and possibly subject to downstream litigation.

Figure 11.8 Advanced Window
Figure 11.9 White House IP Address Selection
Figure 11.10 DoS on the White House

Code Red II: The Exploit

On August 4, 2001, a variant of Code Red, dubbed Code Red II, or CR-II, was discovered. It was named Code Red II because the delivery mechanism was the same as Code Red, exploiting the buffer overflow fault in IIS Web servers. However, the payload of CR-II was very different from Code Red and did not attempt a DoS on the White House Web server. It did allow the attacker to have full remote access to the Web server. This access is referred to in hackerdom as OWN3D, which is a somewhat dyslexic spelling of the word owned.

The filter to detect CR-II is very similar to the one we built for Code Red. A simple modification is all that is needed. To configure the filter, simply change the system footprint from NNNNNN to XXXXXX and the job is done. Figure 11.11 is a display of the summary line of a CR-II capture. The payload is displayed in Figure 11.12. Figure 11.12 displays the initial buffer overflow of Code Red II using the character X to overflow the input array and then injecting the binary payload.

Figure 11.11 Code Red II Summary
Figure 11.12 Code Red II Payload

As we did with Code Red, placing the filter for CR-II on the ingress/egress to the Internet will accomplish two things. First, it will detect external Web servers attempting to infect your internal servers; second, it will alert you to any zombies attempting to compromise random servers on the Internet. The filter will, in effect, mitigate the possibility of downstream litigation, a term that is now often mentioned in the Internet legal community. At the very least, it might decrease the amount of annoying e-mails from irate network administrators with the subject line, “YOUR COMPUTER IS ATTACKING US. STOP IT!”

[...]

The remainder of the chapter survives on this page only as disconnected preview fragments (pages 529 to 543), given here in page order:

■ www.rfcindex.org/rfcs/rfc856.html
■ www.faqs.org/rfcs/rfc857.html

Figure 11.17 Telnet Option Negotiation

Telnet Echo

One of the first observations an SCP makes in examining a Sniffer Pro trace of a Telnet session is that it seems to be repeating itself (see Figure ...

... characters on your screen.

Figure 11.18 Telnet Login

Second, the security-minded SCP will immediately observe that the transmission is in clear and readable text. This is a gaping security hole in the Telnet protocol. For the would-be hacker, the transmission readily ...

... pattern Login incorrect, perform the following (see Figure 11.19):

1. Select Capture | Define Filter | Profiles | New.
2. Enter a name such as Telnet: Login error.
3. Select OK | Done | Data Pattern | Add Pattern.

Figure 11.19 The Data Capture Window

4. Offset (hex): equals 36 in hex ...

... 161.243.60.5

Figure 11.21 The Telnet Advanced Window
Figure 11.22 A Telnet Password Attack

SSH and Encryption

The method of choice for replacing the process of Telnet with a better solution is using the now-favored Secure Shell (SSH). The SSH protocol utilizes ...

... client is using the POP3 protocol. This trace could have been easily obtained by a neighbor who shares the same cable segment, utilizing a promiscuous mode interface and a sniffer. For example, packet 9 contains the username dheaton in clear text. More important, packet 12 contains the clear-text password leroy12.

Figure 11.23 Outlook Password Capture

... use this protocol consistency to design and build a filter that will capture both valid and invalid passwords. To configure an FTP password capture filter to trap on the word PASS, perform the following steps (see Figure 11.26):

1. Select Capture | Define Filter | Profiles ...

Figure 11.30 The Trigger Setup Window
Figure 11.31 Stop Trigger Enabled
Figure 11.32 Stop Trigger Defined

Perform the following steps, referring to the screen shown in ...

... trying to guess the FTP password for the server with IP address 172.16.60.5.

Figure 11.35 Password Guessing

Simple Network Management Protocol

Simple Network Management Protocol (SNMP), developed in the late 1980s, has become a standard for network management. SNMP is a client/server model with a Network Management Station (NMS) that functions as a client querying an agent that contains a Management Information ...

... Figure 11.36 contains an MIB of managed objects.

Figure 11.36 SNMP Network Topology (diagram: agents on a bridge, network server, switch, router and hub reporting to a Network Management Station with a graphical display)

Each management object is represented by an object ID (OID). The ...

... state of the installed networking software. The reply packets will display successfully regardless of the condition of the network, providing that the network software is functioning properly. In fact, the interface cable can be completely disconnected from the network ...

DNS ...

Posted: 13/08/2014, 12:21
