A Marathon, Not A Sprint

April 2, 2009 2 comments

Our scanners improve!  A new nmap Beta 7 is out (Windows, OSX, Source), with slightly more accurate scan logic research by Renaud Deraison of Nessus.  This tends to find a few extra boxes per network, so it’s definitely worth grabbing.  It doesn’t take too much work to spin up another scan, and heh, it’s an opportunity to play with ndiff, the nmap diffing engine.

McAfee also has a really nice Windows based scanner out the door — check it out.

Of course, you may be thinking:  The world didn’t come to an end.  Clearly, this whole thing was just a Y2K hypefest.  I’m sorry the bad guys aren’t quite the eschatologists some people would like them to be, but somebody’s been investing extraordinary amounts of resources making a worm very difficult to kill.  It’s not like there was a contingent of rogue coders, sitting around figuring out where they could put two-character date fields after January 1st, 2001.  There’s a bad guy out there, and while we shouldn’t panic, we shouldn’t quite ignore the situation either.  Botnets — even much smaller botnets than would have otherwise have been created, thanks to rapid patching and automatic updates by Microsoft — are big business.  As my friend Jason Larsen says, it’s not about ownage, it’s about continued ownage.

What to do?  That’s what makes these scanners nice.  They represent clean, actionable, operationally viable guidance for IT staff that aren’t exactly bursting at the seams with free time.  I continue to be appreciative of all the developers who worked this last weekend to push Tillmann and Felix’s code into their products.  It goes a long way towards moving us closer to less fear, more certainly, and no doubt.

Categories: Security

More Conficker Toolage

March 30, 2009 2 comments

There be news!

First off, the Honeynet Project has released Know Your Enemy:  Containing Conficker.  Tillmann and Felix have done a tremendous job of analyzing Conficker, and their paper makes for a great read.  Plus, you get to find out exactly what Conficker is doing differently on the anonymous network surface.

Secondly, nmap has released 4.85Beta5 (Windows, OSX, Source), with the Conficker detection logic.  Cool, no more hacking up Beta4.

Please, be careful to actually use –script-args=safe=1 , like so:

nmap -PN -d -p 445 –script=smb-check-vulns –script-args=safe=1

Third, I’ve rebuilt the py2exe versions of Tillmann and Felix’s scs code, now with Core’s impacket library safely embedded.  See here.  Source code, of course, is at their site (see scs.zip).

Finally, commercial scanning products continue to make steady progress protecting their customers, with nCircle and Qualys coming online.

There’s something else cool, but I’m pretty exhausted.  More in the morn.

Categories: Security

Tools, Tools, Tools

March 30, 2009 Leave a comment

Couple useful things for IT admins out there.  I’ve packaged up Werner and Feder’s PoC scanner via py2exe here.  You can now simply run:


Simple Conficker Scanner
scans selected network ranges for
conficker infections
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de

[WARNING] seems to be infected by Conficker!


Simple Conficker Scanner
scans selected network ranges for
conficker infections
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de

[WARNING] seems to be infected by Conficker!

Note that scs.exe will also take an IP list, so if you can generate that in a fast sweeper, scs.exe will go much faster.

Of course, what would be really helpful is getting nmap going — and the code is in fact in SVN!  I believe the nmap guys are working on packages right now, but in the meantime, here’s what their dev says to do if you’re on Unix:

If you prefer to install it:
svn co –username=guest –password=” svn://svn.insecure.org/nmap
cd nmap
./configure && make
sudo make install
nmap -PN -d -p445 –script=smb-check-vulns –script-args=safe=1 <host>

If you don’t want to install it:
svn co –username=guest –password=” svn://svn.insecure.org/nmap
cd nmap
./configure && make
export NMAPDIR=.
./nmap -PN -d -p445 –script=smb-check-vulns –script-args=safe=1 <host>

Building nmap is a little tricky on Windows apparently, but happily enough, this isn’t necessary.  Follow these steps to get high speed scanning on Windows:

1) Install the latest development build, of nmap, 4.85Beta4, from here.
2) Retrieve this package, extracted from SVN, and merge it into your c:\Program Files\nmap directory.
3) Enjoy:

C:\Documents and Settings\dan>nmap -PN -d -p 445 –script=smb-check-vulns –script-args=safe=1

Winpcap present, dynamic linked to: WinPcap version 4.0.2 (packet.dll version 4.
0.0.1040), based on libpcap version 0.9.5

Starting Nmap 4.85BETA4 ( http://nmap.org ) at 2009-03-30 08:42 Pacific Daylight
————— Timing report —————
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
mass_rdns: Using DNS server
Initiating Parallel DNS resolution of 1 host. at 08:42
mass_rdns: 0.38s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 08:42, 0.36s elapsed
DNS resolution of 1 IPs took 0.38s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF:
0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:42
Scanning 21Cust103.tnt1.kingston.on.da.uu.net ( [1 port]
Packet capture filter (device eth0): dst host and (icmp or ((tcp o
r udp) and (src host
Discovered open port 445/tcp on Completed SYN Stealth Scan at 08:42, 0.75s elapsed (1 total ports)
Overall sending rates: 1.33 packets / s, 58.67 bytes / s.
NSE: Initiating script scanning.
NSE: Script scanning foo (
NSE: Initialized 1 rules
NSE: Matching rules.
NSE: Running scripts.
NSE: Runlevel: 2.000000
Initiating NSE at 08:42
Running 1 script threads:
NSE (1.438s): Starting smb-check-vulns against
NSE: SMB: Extended login as \guest failed, but was given guest access (username
may be wrong, or system may only allow guest)
NSE (6.001s): Finished smb-check-vulns against
Completed NSE at 08:42, 4.58s elapsed
NSE: Script scanning completed.
Host foo ( appears to be up … goo
Scanned at 2009-03-30 08:42:46 Pacific Daylight Time for 6s
Interesting ports on foo (
445/tcp open  microsoft-ds syn-ack

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Connficker: Likely INFECTED
|_ regsvc DoS: NOT RUN (add –script-args=unsafe=1 to run)
Final times for host: srtt: 360000 rttvar: 360000  to: 1800000

Read from C:\Program Files\Nmap: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 6.00 seconds
Raw packets sent: 1 (44B) | Rcvd: 1 (44B)

I’m sure there’s some way to use the NMAP GUI too — if someone wants to post a doc for that, I’ll link to it.

Categories: Security

Taming Conficker, The Easy Way

March 30, 2009 4 comments

We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out.  Maybe they don’t have to:  I’ve been working with the Honeynet Project’s Tillmann Werner and Felix Leder, who have been digging into Conficker’s profile on the network.  What we’ve found is pretty cool:  Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly.  You can literally ask a server if it’s infected with Conficker, and it will tell you.  Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis‘ Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys.

We figured this out on Friday, and got code put together for Monday.  It’s been one heck of a weekend.

The technical details are not complicated — Conficker, in all its variants, makes NetpwPathCanonicalize() work quite a bit differently than either the unpatched or the patched MS08-067 version — but I’ll let Tillmann and Felix describe this in full in their “Know Your Enemy” paper, due out any day now with all sorts of interesting observations about this annoying piece of code.  (We didn’t think it made sense to hold up the scanner while finishing up a few final edits on the paper.)

Categories: Security

Infrastructure Attacks: A Growing Concern

March 24, 2009 1 comment

So the general theme of my talks for the last year has been about the extraordinary damage that infrastructure attacks are capable of. I do believe it’s possible to bolster endpoint security — to achieve end-to-end trust — but it will take more than what we’re doing right now. It will take, somewhat to my surprise, DNSSEC.

It will also take treating infrastructure itself with more care, and more security due diligence, than we do today. Forget patching infrastructure. When my DNS bug hit, a remarkable number of sites suddenly found themselves simply identifying the DNS servers they were dependent on. We can do better. We need better operational awareness of our infrastructure. And we need infrastructure, over time, to become a lot safer and easier to update. That means automatic update isn’t just for desktops anymore, that firmware patches need to have a much higher likelihood of not bricking the hardware, and possibly, that we need fewer builds with more testing for the new production environment, that is increasingly under attack.

The reality is the bad guys are out there, and they’re learning.  Just as attackers moved from servers to clients, some are moving from compromising a single client to compromising every client behind vulnerable infrastructure.  Psyb0t, a worm that has been bouncing around since January, was recently found by DroneBL and reported on by Ryan Naraine.  It targets home routers, and early estimates are that it has hit over 100K of them.  Home routers are a wonderful, enabling technology for users, and even for security, they carried us through 2001-2004’s years of widespread server side vulnerabilities.  So we shouldn’t be too down on them.  But they do have vulnerabilities, and they are getting exposed.

This, of course, is something quite a few people have been talking about.  CSRF — Cross Site Request Forgery — attacks have affected everyone from Linksys to Motorola to Siemens to Cisco.  More problematically, the DNS Rebinding attacks discussed by myself, David Byrne, Dan Boneh/Adam Barth/Collin Jackson, and others in 2007 still affect home routers. And I’m not talking about Java and Flash sockets, like at this year’s CanSecWest talk.  I’m talking about simply running rebinding against the browser itself, to make a remote website and a local router appear to be the same name, thus able to script against one another.

This should sound familiar, because this is what I discussed at RSA last year.

Yep, that still works, in all browsers. It has to. Moral of the video, please don’t have a default password on your home router — and, maybe, home routers can someday only allow default passwords to work 10 minutes after power cycling.

Why can’t this be fixed in the browser? Now that’s a fascinating question, which we’ll discuss in another blog post.

Categories: Security

Cansec Slides, Now With More TCP NAT2NAT Goodness

March 21, 2009 Leave a comment

Slides from Cansec, replete with TCP NAT2NAT goodness.

(In my defense, this trick is way less hideous than my 2001 IP TTL game!)

Staring Into The Abyss

Categories: Security

Staring Into The Abyss, A Bit Before Cansec

March 9, 2009 1 comment

I’m just going to come out and say it:  I miss packet craft.  Sure, we can always pull out Scapy, and slap amusing packets together, but everything interesting is always at the other layers.

Or is it?

For CanSecWest this year, I thought it’d be interesting to take a look at the realm of Deep  Packet Inspectors. It turns out we were doing a lot of this around 2000 through 2002, and then…well, sort of stopped.  So, in this year’s CanSecWest paper, “Staring Into The Abyss:  Revisiting Browser v. Middleware Attacks In The Era Of Deep Packet Inspection” (DOC, PDF), I’m taking another crack at the realm — and I’m seeing really interesting capabilities to fingerprint, bypass, and otherwise manipulate systems that watch from the middle of networks, using protocol emulation abilities that have been part of browsers and their plugin ecosystem from the very beginning.

Ah, but here’s where I need some help.  I’ve worked pretty closely with Robert Auger from Paypal, who just published his own paper, “Socket Capable Browser Plugins Result In Transparent Proxy Abuse”.  We independently discovered the HTTP component of this attack pattern, and as I describe in my paper, we’ve kind of forgotten just how much can be done against Active FTP Application Layer Gateways.

So, if I may ask, take a look, check out my paper, and if you have some thoughts, corrections, or interesting techniques, let me know so I can integrate them into my CanSecWest presentation.  Here’s the full summary, to whet your appetite:

DPI — Deep Packet Inspection — technology is driving large amounts of intelligence into the infrastructure, parsing more and more context from data flows going past. Though this work may be necessary to support important business and even security requirements, we know from the history of security that to parse data is to potentially be vulnerable to that data – especially when the parser is designed to extract context as quickly as possible. Indeed, companies such as BreakingPoint and Codenomicon have made their names building test tools to expose potential faults with DPI engines. But could anyone actually trigger these vulnerabilities? In this paper, we restart an old line of research from several years ago: The use of in-browser technologies to “tweak” Deep Packet Inspection systems.

Essentially, by controlling both endpoints surrounding a DPI system, possibly using the TCP (and sometimes UDP) socket code that plugins add to browsers, what behavior can we extract? We find three lines of attack worth noting.

First, firewalls and NATs — the most widely deployed packet inspectors on the Internet today — can still be made to open firewall holes to the Internet by having the browser trigger the Application Layer Gateway (ALG) for protocols like Active FTP. We extend older work by integrating mechanisms for acquiring the correct internal IP address of a client, necessary for triggering many inspection engines, we survey other protocols such as SIP and H.323 that have their own inspection engines, and we explore better strategies for triggering these vulnerabilities without socket engines from browser plugins. We also explore a potentially new mechanism, “Window Dribbling”, that allows an HTTP POST from a browser to be converted into a full bidirectional conversation by only allowing a remote sender to “dribble” a fixed number of bytes per segment.

Second, we (along with Robert Auger at Paypal) find that transparent HTTP proxies, such as Squid, will “override” the intended destination of browser sockets, allowing a remote attacker to send and receive data from arbitrary web sites. This allows (at minimum) extensive and expensive click fraud attacks, and may expose internal connectivity as well (HTTP or even TCP).

Third, and most interestingly, we find that active DPI’s — those that actually alter the flow of traffic between a client and a server — all seem to expose subtly different parsers and handlers for the protocols they manipulate. These variations of behavior can be remotely fingerprinted, allowing an attacker to identify DPI platforms so as to correctly target his attacks. This capability, understood particularly in light of Felix Lindner’s recent work on generic attacks against Cisco infrastructure, underscores the need for both DPI vendors to test their platforms extensively, and for IT managers to deploy critical infrastructure patches with at least as much vigor as desktop support receives today.

For remediation purposes, we recommend two lines of defense – one policy, one technical. As a matter of policy, we find the most important recommendation of this paper that industry reconsiders patching policies as they apply to infrastructure, especially as that infrastructure starts inspecting traffic at ever higher speeds in ever deeper ways. We are actively concerned that administrators have internalized the need to patch endpoints, but aren’t closely tracking the equipment that binds endpoints together – despite their ever increasing intelligence. This is as much a recommendation to vendors – to build patches quickly, and to code audit and fuzz with software from companies like Breakingpoint and Codenomicon – as it is a plea to IT departments to deploy the patches that are generated. Also from a policy perspective, while this paper does recognize the need for judicious use of DPI technology, systems that are deployed across organizational boundaries have particular need for correctness. There have been incidents in the past that have led to security vulnerability across entire ISPs.

On the technical front, we defend the existence of socket functionality in the browser, recognizing that constraining all networking to that which existed in 2001 is not leading to more stable or more secure networks. We explore a solution that potentially allow firewalls to integrate socket policies into their ALG’s, encouraging plugin developers to eventually join in with browser manufacturers and build a single, coherent, cross-domain communication standard. We also discuss more advanced transparent proxy caching policies, which will prevent the Same Origin Policy bypasses discussed above. Finally, we remind home router developers that browsers are still able to access their web interfaces from the Internet, and that this exposure can be repaired by tying default password effectiveness to either a button on the device or a power cycle.

The firewall fingerprinter should be online shortly, with source code for you to play with as well.  Thanks!

(Incidentally, yep, Source is this week, and I have something rather different in store for that event.  The times, they are busy.)

Categories: Security

Get every new post delivered to your Inbox.

Join 755 other followers