© Michael Sonntag 2012
Network investigation
Institute for Information Processing and Microprocessor Technology (FIM)
Johannes Kepler University Linz, Austria
E-Mail: [email protected]
http://www.fim.uni-linz.ac.at/staff/sonntag.htm
Mag. iur. Dr. techn. Michael Sonntag
Michael Sonntag 2Vulnerability scanning
Source data
Requirements:
Administrative rights
» For installing software
Installed software (see CD)
Software:
Nmap
Wireshark
Nikto
Please note!
We are not going to attack anyone here!
We are trying to identify problems so that they can be fixed later
Permission is always required for vulnerability scanning
Which system(s)
At what time
What kinds of scans (destructive, …)
We will scan our own system here ONLY!
NMap
NMap (Network MAPper) is a network scanner
It tries to find all computers in a specific network and checks what ports are open, what OS they are running, whether there is a firewall, etc.
It does not look for specific vulnerabilities!
But it gives recommendations; e.g. services to disable
Some scans + vulnerable systems → lock-up/crash!
Used as a tool for inventory generation in a network
Are there any computers which should not be there?
Can also be used to gather information for a later attack
» Which OS/software and which version is running
Stages: 1 = Host discovery, 2 = Port scan, 3 = Service/version detection, 4 = OS detection, 5 = Scripting
Scripting may also include vulnerability/malware detection!
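The inventory use of Nmap described above ("Are there any computers which should not be there?"), as an added example that is not part of the lecture material: a Python script that parses an Nmap XML report (the format written by nmap -oX) into a host inventory, flags hosts that are not on an expected-host list, and lists hosts offering a given service. The XML document, the addresses, the product strings and the allowlist are constructed for this example.

```python
# Added example (not from the lecture slides): turn an nmap XML report into a
# host inventory and flag hosts that are not on an expected-host list.
# The XML below is constructed by hand in the format produced by `nmap -oX`;
# the addresses, ports and product strings are made up for illustration.
# The args attribute shows the options Zenmap issues for its "Quick scan plus" profile.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -T4 -O -F --version-light 192.0.2.0/28">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleVendor"/>
    <hostnames><hostname name="fileserver.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.9p1"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.13" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/>
        <service name="http"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.14" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname": str|None, "open_ports": [(port, proto, service), ...]}}
    containing only the hosts nmap reported as up (stage 1: host discovery)."""
    inventory = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
        if ip is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        open_ports = []
        for port in host.findall("ports/port"):   # stage 2/3: port scan + service detection
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            service = svc.get("name", "?") if svc is not None else "?"
            open_ports.append((int(port.get("portid")), port.get("protocol"), service))
        inventory[ip] = {"hostname": hostname, "open_ports": sorted(open_ports)}
    return inventory


def unexpected_hosts(inventory, expected_ips):
    """Hosts that answered the scan but are not on the expected-host list."""
    return sorted(ip for ip in inventory if ip not in expected_ips)


def hosts_with_service(inventory, service_name):
    """Hosts exposing a given service (e.g. plaintext telnet), for follow-up."""
    return sorted(ip for ip, info in inventory.items()
                  if any(svc == service_name for _, _, svc in info["open_ports"]))


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    expected = {"192.0.2.10"}   # constructed allowlist of known machines
    for ip, info in inv.items():
        print(ip, info["hostname"], info["open_ports"])
    print("not on the inventory list:", unexpected_hosts(inv, expected))
    print("hosts offering telnet:", hosts_with_service(inv, "telnet"))
```

Hosts reported as down are dropped, so a host that blocks ping probes will not appear at all; when that matters, the scan has to be run with host discovery disabled before the report is parsed.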
NMap
Usage:
Start program and enter IP address
Select profile for scanning
» Special options only available in the command line version or when constructing a new profile!
Your tasks:
Install NMap
Scan the local subnet for hosts
» Use a "Regular scan"
Scan the machine of your neighbour
» Use a "Quick scan plus"
Interpret the results
» Correct output?
» Something surprising/dangerous found?
Sample result: Scripting
Compare: Local time of target
OS / Domain information
Wireshark
Wireshark is a network sniffer
Available for Windows and Linux
It will make a “copy” of every incoming and outgoing packet and present it to you
This would not be that useful…
It also parses a lot of protocols
So no binary display (also available!), but
layer 3 display (IP addresses, port numbers, …),
up to layer 5 (actual http content as text/binary file)
Practical problem: Network traffic is very large & frequent
Filtering is an absolute necessity or anything useful will get lost in a torrent of uninteresting traffic!
Wireshark Common display filtering expressions (1)
Operators: == != < > <= >= && || ^^ !
[…] or […:…] or […-…]: Offset / Offset:Length / Offset-End
» Only possible as comparison, e.g. eth.src[0:3]==08:15:47!
Layer 1/2: frame.??? / eth.???, arp.???, ppp.???
Usually not very interesting
Layer 3: ip.???, ipv6.???, icmp.???, icmpv6.???
Examples ip.???: .src, .dst, .addr, .src_host, .dst_host, .host, .flags, .fragment, .len, .proto, .ttl
» ip.tos, ip.tos.cost, ip.tos.delay, ip.tos.precedence, ip.tos.reliability, ip.tos.throughput
Examples icmp.???: .code, .type, .mtu
Layer 4: tcp.???, udp.???
Examples tcp.???: .syn, .ack, .fin, .checksum, .flags, .len, .srcport, .dstport, .port, .time_delta, .window_size
Examples udp.???: .srcport, .dstport, .port, .length
See also: http://packetlife.net/library/cheat-sheets/
Wireshark Common display filtering expressions (2)
Layer 5: http, ospf, rip, …
Examples http.???
» .accept, .accept_encoding, .accept_language, .cookie, .date, .host, .last_modified, .location, .referer, .request, .request.method, .request.uri, .response, .response.code, .server, .set_cookie, .user_agent, .transfer_encoding
Attention: Display filters only affect what is shown. The filtered-out packets have been received and are stored, but will not be shown in the graphical UI!
There is also the possibility of filtering-before-storing
These are "capture filters", which use the syntax of libpcap (or tcpdump, which is the same)
» Example: ether host 08:15:47:11:CA:FE
– Display filter for the same: eth.addr == 08:15:47:11:ca:fe
» Note: Too many packets to store → some might be lost
» But: Capture filter dropped it → gone forever
Wireshark
Interface: Select where to listen
Capture filter: Throw away packets before handling/storing them
Capture file: How/where to store data; especially useful for keeping a history (e.g. last 60 minutes), timing, ...
Display options: Personal preference
Name resolution: Be careful!
This might cause additional traffic!
Wireshark
Usage:
Start program and select interface to monitor
Investigate content while the capture is running (difficult), or stop the capture and then start the evaluation (store to disk, …)
Your tasks:
Install Wireshark
» Might require reboot for the packet capturing library!
Start a scan of your local interface
» Note: Wireless can be difficult/require additional libraries!
Ping your neighbour & analyze the traffic
Navigate to a website & analyze the traffic
Log in to this website through a form (unencrypted)
» Analyze the traffic
Do the same as before, but now using a TLS connection!
Wireshark HTTP - DNS
What's this? Investigate!
Note: Google Chrome used
Wireshark HTTP - Response
Redirect
P3P Compact Policy: http://www.p3pwriter.com/LRN_111.asp
Wireshark HTTP - Stream
Keep-alive: Requested by browser and accepted by sender
Result: After the end of the first response, the next request and response follow immediately on the same connection
Content-Encoding: gzip
The content would have to be saved as a binary file and then unzipped to access it (selecting & copying won't work!)
Response: Normal response headers, P3P information and lots of cookies!
7 cookies, but note: we didn’t send even a single one!
» Would have been in the request header
Careful: Second request in this stream already knows the headers and does send them with the request!
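The stream observations above (keep-alive, gzip-encoded body, several Set-Cookie headers in one response), as an added example that is not from the lecture: a Python script that builds a constructed keep-alive stream of two raw HTTP/1.1 responses, splits it on Content-Length the way a protocol dissector must, decompresses the gzip body, and collects the cookies the server sets. The page contents, cookie names and headers are made up for this example.

```python
# Added example (not from the lecture slides): dissect a keep-alive HTTP/1.1
# response stream the way a sniffer's protocol parser must. All responses,
# cookies and page contents below are constructed for illustration.
import gzip


def build_response(body_text, cookies, compress):
    """Construct one raw HTTP/1.1 response as it appears on the wire:
    status line, headers, blank line, then the (possibly gzip-compressed) body."""
    body = body_text.encode()
    headers = [b"HTTP/1.1 200 OK", b"Server: Apache",
               b"Connection: keep-alive", b"Content-Type: text/html"]
    if compress:
        body = gzip.compress(body)
        headers.append(b"Content-Encoding: gzip")
    for c in cookies:                      # one Set-Cookie header per cookie
        headers.append(b"Set-Cookie: " + c.encode())
    headers.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


# Keep-alive: the second response follows the first one directly on the same TCP stream.
SAMPLE_STREAM = (
    build_response("<html>first page</html>",
                   ["sid=abc123; Path=/; HttpOnly", "pref=de; Path=/",
                    "track=xyz; Domain=.example.test"],
                   compress=True)
    + build_response("<html>second page</html>", [], compress=False)
)


def parse_responses(stream):
    """Split a byte stream into a list of (status_line, headers, body) tuples.
    Headers are kept as (name, value) pairs because Set-Cookie occurs repeatedly;
    Content-Length tells where one response ends and the next begins."""
    responses = []
    rest = stream
    while rest:
        head, sep, after = rest.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete response: end of headers not found")
        lines = head.split(b"\r\n")
        status_line = lines[0].decode("iso-8859-1")
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers.append((name.decode("iso-8859-1").strip().lower(),
                            value.decode("iso-8859-1").strip()))
        length = next((int(v) for n, v in headers if n == "content-length"), None)
        if length is None:
            body, rest = after, b""        # no length given: body runs to end of stream
        else:
            body, rest = after[:length], after[length:]
        responses.append((status_line, headers, body))
    return responses


def decode_body(headers, body):
    """Undo Content-Encoding: gzip. Copying the raw body bytes as text would
    only give compressed garbage, which is why the body must be treated as binary."""
    encoding = next((v for n, v in headers if n == "content-encoding"), "identity")
    if encoding.lower() == "gzip":
        return gzip.decompress(body)
    return body


def set_cookies(headers):
    """All cookies the server asks the client to store."""
    return [v for n, v in headers if n == "set-cookie"]


if __name__ == "__main__":
    for status, hdrs, body in parse_responses(SAMPLE_STREAM):
        print(status, "| cookies set:", len(set_cookies(hdrs)))
        print(decode_body(hdrs, body).decode())
```

A capture tool faces the same split problem: without Content-Length (or chunked encoding, not handled here) there is no way to tell where the first response stops and the next request's answer starts.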
Wireshark HTTP authentication
Use www.gmx.at:
You can select whether you want to authenticate securely over TLS through a toggle switch
» TLS: „Ohne SSL“ = "Without SSL" is shown (to deactivate this)
– Default value when arriving there and after each failed login!
» Unencrypted: „Mit SSL“ = "With SSL" is shown (for activation of security)
» This is very confusing for users!
Nikto
Nikto is a vulnerability scanner for web servers
Other vulnerability scanners exist, but today most of them are commercial, i.e. require a subscription
» For private/personal use often a free version exists
Example: Nessus. But it would require an individual subscription by each student, so we cannot use it here!
How do most of them work?
Building a database of known problems/vulnerabilities
» This is where most of the work is and what you pay for
Check the webserver against these
Nikto looks for
Server/software misconfiguration
Default files/programs (useless and often a security problem)
Insecure files and programs
Outdated servers and programs
Practical problems
Modern CMS never return an error code, instead they send "200 OK" and produce a custom error page
This is good from the security point of view, but is difficult for vulnerability scanners!
These custom error pages may also differ depending on the problem/requested file/…
Nikto tries to get around these problems by
Inspecting the return code
Content matching (e.g. "could not be found" on the page)
Hashes: Remove date and time strings (always change!) from the response and create a hash and compare it with other responses
» This is done separately for each file type → a huge "library" must be built up for each server
Nikto will only check the server itself – not any applications
I.e., whether the server software itself is vulnerable!
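The three work-arounds above (return code, content matching, hashing after stripping date/time strings), as an added example that is not from the lecture and not Nikto's own code: a Python script that calibrates the fingerprint of a server's custom "not found" page against a constructed CMS-like server that answers everything with 200 OK and embeds the current time, and then classifies further URLs. The server, its pages and the normalisation patterns are constructed for this example.

```python
# Added example (not from the lecture slides, not Nikto's code): detect a
# "200 OK" custom error page by hashing responses after removing strings
# that change on every request. Server, pages and patterns are constructed.
import hashlib
import re

# Strings that change between otherwise identical responses: RFC 1123 dates,
# ISO-style timestamps and bare clock times. (Constructed list; Nikto's own
# normalisation rules are not reproduced here.)
VOLATILE_PATTERNS = [
    re.compile(rb"[A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} GMT"),
    re.compile(rb"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}"),
    re.compile(rb"\d{1,2}:\d{2}(:\d{2})?"),
]


def normalise(body):
    """Remove date/time strings so two renderings of the same page hash equally."""
    for pat in VOLATILE_PATTERNS:
        body = pat.sub(b"", body)
    return body


def fingerprint(body, normalised=True):
    data = normalise(body) if normalised else body
    return hashlib.sha256(data).hexdigest()


def fake_server(path, clock):
    """Constructed CMS behaviour: every unknown URL gets 200 OK plus a branded
    error page, and every page embeds the current server time."""
    if path == "/index.html":
        return 200, b"<h1>Welcome</h1><p>Generated " + clock + b"</p>"
    if path == "/server-status":
        return 200, b"<h1>Apache Status</h1><p>Server uptime: 3 days</p><p>" + clock + b"</p>"
    return 200, b"<h1>Oops</h1><p>The page could not be found.</p><p>" + clock + b"</p>"


def make_fake_fetch():
    """Return a fetch(path) function whose clock advances on every request."""
    tick = [0]

    def fetch(path):
        tick[0] += 1
        clock = b"Mon, 01 Jan 2012 00:00:%02d GMT" % tick[0]
        return fake_server(path, clock)
    return fetch


def calibrate_not_found(fetch, probes):
    """Request URLs that cannot exist and record the fingerprint(s) of the answer;
    this is the per-server "library" a scanner has to build before testing."""
    return {fingerprint(fetch(p)[1]) for p in probes}


def classify(fetch, path, not_found_fps):
    """Combine the three checks: status code, hash of the normalised body, content match."""
    status, body = fetch(path)
    if status == 404:
        return "missing (404)"
    if fingerprint(body) in not_found_fps:
        return "missing (custom error page, status %d)" % status
    if b"could not be found" in body.lower():
        return "missing (content match)"
    return "present (status %d)" % status


if __name__ == "__main__":
    fetch = make_fake_fetch()
    nf = calibrate_not_found(fetch, ["/zz-probe-1", "/zz-probe-2"])
    for url in ["/index.html", "/server-status", "/admin/backup.zip"]:
        print(url, "->", classify(fetch, url, nf))
```

Without the normalisation step every calibration request would produce a different hash, because the embedded time differs, and the error page would never be recognised; that is the failure mode the date/time stripping exists for.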
Nikto - Task
Nikto is pre-installed on the Linux Live-CD
Your task: Scan the local web server
This might take a very long time, so we will reduce the problems to be searched for
Command while running:
» <Space>: Show current status
» v: Verbose mode
» q: Terminate scan
Starting it:
perl nikto.pl -h 127.0.0.1 -no404 -T 349
» -no404: Skips recognition of missing files (far fewer requests)
» Test 3: Information disclosure
» Test 4: Injection (XSS/Script/HTML)
» Test 9: SQL injection
Nikto – Results (1)
We get all three kinds of results:
None (T 9):
» "ETag header found on server": This is potentially interesting, but normal and not a problem
– ETag: Used for caching; to determine whether a resource has changed since the last request
» "Allowed HTTP Methods: GET, HEAD, POST, OPTIONS"
– This is rather restrictive already → no problem in itself
False positive (T 4):
» "OSVDB-6659: /ODpshb … XQyV<font%20size=50>DEFACED <!--//--: MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later version."
– This server is using Apache, not MyWebServer
– Try this URL manually to see that it DOES echo the string to the output, but that it is properly escaped!
Nikto – Results (2)
Real (T 3):
"OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc."
» Another false (?) positive. This URL is accessible, but it is not /usr/doc!
» Try to find out which directory it actually is and test it, by putting a file there and accessing it via the webserver!
– It is "/usr/share/doc" → potentially a big problem!
"OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate lines in httpd.conf or restrict access to allowed hosts."
» This is the Apache status page
» Try to find out whether this is a problem
– Actually it is restricted to the local host, but this is not necessarily secure: What if we were running a web proxy on this host? Requests from the proxy would originate from the local host!
Conclusions
Investigating network traffic: Speed is a problem
GBit → MANY packets per second!
Filtering is essential
Despite help by the software, intimate knowledge of the protocol is still necessary
Many tools for finding vulnerabilities exist
Use them yourself, or someone will use them on you!
Interpreting the result is still often problematic
Is this really a problem? Or is it a false positive?
How do I fix this?
Commercial solutions are typically much better here, especially regarding the second problem!