09hakin9 09 2012_en_ebook
Upcoming SlideShare
Loading in...5

09hakin9 09 2012_en_ebook






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

09hakin9 09 2012_en_ebook 09hakin9 09 2012_en_ebook Document Transcript

  • Atola Insight That’s all you need for data recovery.Atola Technology offers Atola Insight – the only data recovery device that coversthe entire data recovery process: in-depth HDD diagnostics, firmware recovery,HDD duplication, and file recovery. It is like a whole data recovery Lab in one Tool.This product is the best choice for seasoned professionals as well as start-up datarecovery companies. • Case management • Real time current monitor • Firmware area backup system • Serial port and power control • Write protection switch
  • If our FREE antivirus for home outperforms competitors end-point products, imagine what our business solutions can do for you. e most popular antivirus in the world. www.avast.com/best-antivirus
  • Dear hakin9 ExtraManaging: followers,Michał Wiśniewskim.wisniewski@software.com.pl this month’s issue of hakin9 Extra is totally de-Senior Consultant/Publisher: voted to webserver security. Recently, it has re-Paweł Marciniak -surfaced as one of the hottest topics on the IT-Security market. In this issue we covered both:Editor in Chief:Grzegorz Tabaka the most obvious, and not-so-obvious topics thatgrzegorz.tabaka@hakin9.org fall within the scope of webserver security. In this issue you can read about: Web ApplicationArt Director: Firewalls, DDoS attack mitigation techniques, we-Marcin Ziółkowski bserver SED filtering, sockets and TCPIP. I ge- nuinely hope that you will be satisfied with theDTP: content and the quality of the articles presen-Marcin Ziółkowski ted. Next month, we are preparing an issue total-www.gdstudio.pl ly devoted to Snort. I hope that you will enjoy that one as well.Production Director:Andrzej Kucaandrzej.kuca@hakin9.org Michał Wisniewski, hakin9 Extra m.wisniewski@software.com.plMarketing Director:Grzegorz Tabaka grzegorz.tabaka@hakin9.orgProofreadres:Dan Dieterle,Michael Munt,Michał WiśniewskiTop Betatesters:Ruggero Rissone, David von Vistauxx,Dan Dieterle, Johnette Moody,Nick Baronian, Dan Walsh,Sanjay Bhalerao, Jonathan Ringler,Arnoud Tijssen, Patrik GangePublisher: Hakin9 Media Sp. z o.o. SK02-682 Warszawa, ul. Bokserska 1www.hakin9.org/enWhilst every effort has been made to ensurethe high quality of the magazine, the editorsmake no warranty, express or implied,concerning the results of content usage.All trade marks presented in the magazinewere used only for informative purposes.All rights to trade marks presented in themagazine are reserved by the companies whichown them.To create graphs and diagrams we usedprogram by Mathematical formulas createdby Design Science MathType™ DISCLAIMER!The techniques described in our articles mayonly be used in private, local networks. Theeditors hold no responsibility for misuse of thepresented techniques or consequent data loss.
  • Get trained today through our exclusive 7-months hands-on course.Gain access to our complex LAB environment exploiting vulnerabilities across many platforms.Receive a trainer dedicated to you during the 7 months.10 different hands-on engagements, 2 different certifications levels. MONTH 1 Vulnerability Assessment - level 1 Vulnerability Assessment - level 2 Vulnerability Assessment - level 3 MONTH 2 Network Penetration Testing - level 1 Network Penetration Testing - level 2 MONTH 3 Network Penetration Testing - level 3 MONTH 4 Web Application Penetration Testing - level 1 Web Application Penetration Testing - level 2 MONTH 5 Web Application Penetration Testing - level 3 MONTH 6 Certification Exam 1 - Certified Cyber 51 Pentesting Professional - (CC51PP) MONTH 7 Certification Exam 2 - Certified Cyber 51 Pentesting Expert - (CC51PE)
  • Hakin9 EXTRA8. DDoS Attack and Mitigation Techniques By Valerio Sorrentino Nowadays the most common reason that criminals attack internet services is still to extort money, ensuring that targeted systems will no longer be attacked. DDoS Attacks are costing the average enterprise company about five million euro for a 24-hour outage and attacks can be performed from anywhere in the world with total anonymity, using software such as ToR. This software was created to defend citizens from network surveillance that threatens personal freedom and privacy. However, criminals can also use it to hide their physical location, bouncing a network signal around a number of computers.14. Understanding and Mitigating Distributed Denial of Service Attacks By Hari Kosaraju The mechanism in which a TCP connection is established is called a Three Way Handshake. During this pro- cess, the client will first send the server a TCP SYN packet. In response, the server will send a SYN ACK packet to the client. When the client receives this SYN ACK packet, it will send an ACK packet to the server. At this point, the TCP Connection is considered established between the client and the server. In a Denial of Ser- vice attack, there are two ways that an attacker can interrupt this process. They can send a TCP SYN packet to the server with a spoofed source IP address so that the server never receives an ACK because the spoofed source IP doesn’t know anything about establishing this TCP connection and will not send the TCP ACK to this server. The other way to do this is by using a legitimate source IP but not sending a TCP ACK packet. By doing this trick repeatedly, the attacker confuses the server into maintaining numerous half open connec- tions and exhausting the connection queue. Once this connection queue is exhausted, no new legitimate clients will be able to connect to the server [4].20. Web Application Firewall – From Planning to Deployment By Yen Hoe Lee and Fernando Perez The WAF tuning process requires the WAF to be set to monitoring mode. In this mode, all web request traf- fic for the application is allowed through the web application firewall without blocking the traffic. The WAF is set to capture and report these violations. The WAF implementation team needs to review these viola- tions, and choose to accept these violations as legitimate traffic, or choose to tweak the rules so that there will not be violations. This process is repeated until all violations are addressed. When a positive model is used, the tuning effort will always be higher. The complexity of the application will impact the level of effort needed also. In this case, the complexity is determined by the number of input, the type of input expected, and how dynamic the application pages are generated.26. Web Server SED Filtering By Colin Renouf One important thing to note, however, is that C represents strings as character arrays, usually with 8 bit ASCII characters, terminated with a NULL character. Java uses Unicode and under the covers stores the length of the String. The machine may represent the individual bytes in one ordering and the network in another, i.e. Big en- ded or little endian. These different representations can be used by the clever hacker to produce an attack that makes use of the data representation conversions that take place on the boundaries to bypass security in one layer by relying on the conversion going on behind it to create an attack string. We will cover this in another article; but the thing to understand is that each layer must have its own defences and not rely entirely on what sits in front of it. Many attacks often come from within the external firewalls, e.g. from staff, so even in a simple case where the same technologies are used throughout and no conversion occurs defences are still needed in each layer.
  • Hakin9 EXTRA32. Web Application Firewalls, how tough are they now? By Manfred Fereira If the reader is running for the first time the Siege application, must run “siege.config” to be able gene- rates the configuration file. If the reader wants to test a partial page or a group of pages, one of the parameters to past is the URLs, for this tests we will provide just two URLs. But for better performance and analyses the principals URLs should be included. The more URLs in the list, the better notion of the actions taken from the WAF and LoadBalancer will the reader have. Edit the file “/etc/urls.txt” with vi command, and input the most URLs that the reader can, always asso- ciated with the Web site that you want to test. Commands executed in Backtrack distribution, over command line: # vi /etc/urls.txt36. Sockets and TCPIP – Core of an Attack By Colin Renouf With the sockets API from a client perspective, a socket is declared as a particular type, is opened or more accurately connected using a “connect” call, then is written to or read from, and finally is closed; all much like reading or writing to a file. From the server perspective the server will bind the socket to a port, will listen to that port for requests, and when each request comes in it will accept the request. Where only a single packet is to be handled simpler sendto and recvfrom calls are available. The API suite all contains functions to look up hosts by name, and convert between the host byte represen- tation and the network representation. All of these are documented heavily elsewhere and are gene- rally well understood.40. Web server Log Analysis - Detecting Bad Stuff Hitting Your Web Server By Kim Halavakoski Web Servers on the Internet are under constant attack. Defending your web server requires vigilant res- ponse times and in-depth log analysis to be able to detect, remediate and track ongoing attacks. WAFs are today a common tool in defending high-profile websites. One often forgotten aspect of any technology is the log analysis. Products and technologies are often installed as a countermeasure to observed attacks, but the real valuable part is usually forgotten: Log analysis. Without properly analy- sing the logs defending against the ever changing threat landscape and evolving attack methods can be challenging. This article will show some basic methods, tools and products for analysing the logs and detecting the bad stuff targeting your website.46. Special Edition for Forensic Professionals: The Most Advanced and Effective New Tools from Atola Technology By ATOLA Team The Atola Forensic Imager is a high-quality professional tool designed that meets all expectations in advanced forensic operations. It’s an all-in-one solution that easily works with damaged or unstable hard disk drives. It combines a fast imager with strong data recovery capabilities for creating accurate forensic images. The powerful Atola Imaging Software is bundled with the Atola DiskSense Ethernet Unit, which utilizes the most efficient interface connections. This professional tool has been developed with the ability to Customize every step. Key parameters can be adjusted during the Imaging process to make it more effective and successful for each specific case. The Quick and accurate erasing of hard drives works at maxi- mum speed using any specified HEX pattern to overwrite the sectors. It can also execute the Security Erase function and perform Zero-Fill, NIST 800-88 and DoD 5220.22-M compliant wiping. The Case Management System works automatically recording all important data such as date, time and hash values in one place. Archives of all past cases are stored on the host PC. The Automatic password removal function removes any user and level ATA password from a locked hard drive and displays the password to the technician. 
  • Hakin9 EXTRA DDoS Attack and Mitigation Techniques Valerio Sorrentino This overview of DDoS threat scenarios will give you the tools needed to comprehend and help you to independently use this technology in order to avoid falling victim to these attacks. This easy-to-follow practical approach is given from a professional standpoint and is intended to be utilized by all levels of students, researchers, security professionals, engineering teams, as well as entities involved in Incident and IT Resource Management. O nce you read this article you will be able to understand the following concepts and technologies: In the beginning, the attacker-source addresses were not spoofed and the IT team could contact those launching the at- tacks in order to disinfect their systems. It did not take long for • History of denial of service attacks during the last decades. the attackers to change the tool code so that they could spoof • Reasons behind attacks such as ransom, hactivism and different IP addresses. These days, DDoS and DoS have both business impacts. become more sophisticated as shown in the following exam- • Definitions and differences between various types of deni- ples. al-of-service attacks. The first well-publicized DDoS attacks in the public press • Prevention, detection and mitigation of denial-of-service was in February 2000. On February 7th, Yahoo! was the victim attacks. of a DDoS attack, during which the internet portal was inac- • How to test your infrastructure and configure Anti-DoS pro- cessible for three hours. On February 8th, CNN, eBay, Ama- grams and tools. zon and Buy.com were all hit by DDoS attacks that caused them to either stop functioning completely or slowed them Body down considerably. On February 9th, ZDNet and E*Trade ex- perienced DDoS attacks as well. Analysts have estimated that History during the period that Yahoo was down, it withstood a loss of Denial-of-service attacks have been around for decades, e-commerce and advertising revenue that amounted to about but what was the first DOS Attack? €400,000. The incident took place at CERL, the Computer-based Edu- Amazon.com considers its loss to amount to around €500,000 cation Research Laboratory at the University of Illinois. At the subsequent to its widely publicized attack, which brought its age of thirteen David Dennis executed the -ext- TUTOR com- web servers down for more than ten hours. IT experts estimate mand on the PLATO system in order to put all the terminals that with a company earning 6.5 billion euro monthly in online offline. It worked and he never got caught. trades, any downtime would produce an enormous financial im- However, during the years, single-source DoS attacks pact derived also from loss of reputation. turned out to be less effective as more and more people be- came increasingly aware of them. This led to attacks from 2002 – DNS Root Server Attacks multiple sources, which have been aptly named, Distributed The largest DDoS attack ever was also the most significant Denial of Service (DDoS) attacks. The first well-documented DDoS attack to date, due to the fact that it threatened the very ex- DDoS attack seems to have taken place against the University istence of the Internet itself. The thirteen Root DNS servers, which of Minnesota in August 1999 by Trinoo a DDoS tool. It was propagate changes to all the other servers, came under attack on deployed in at least 227 systems, of which at least 114 were October 21st, 2002. It is considered by many to have been an at- on the Internet, in order to flood a single computer. It was una- tack on the Internet itself since it hit it at its most vulnerable point. vailable for over 48 hours. The attack lasted beyond an hour and was well coordinated with8 9/2012 (16)
  • DDoS Attack and Mitigation Techniquesall thirteen DNS servers, which came under fire at the same a network signal around a number of computers.time. The amount of data that was thrown at the servers in total The Russian Business Network (RBN), extorted potentialwas over 900 Megabits/second and comprised various types of clients into using of their “specialized” hosting services by theprotocols including TCP and UDP. use of a DDoS attack as well as controlling botnets such as The fallout of the attack was substantial. Although the serv- Storm. Apart from the obvious example of an RBN “hired gun”,ers did not crumble under the load, there were so many attack the distributed-denial-of-service attack on Estonia in Mayqueries that some genuine queries from around the world timed 2007, virtually shut the nation down.out due to being unreachable. In many ways, the experience Furthermore, these criminal organizations exercise denial-was a victory for the DNS servers since they were massively of-service attacks in order to divert the attention of the IT teamover provisioned; they were able to successfully cope with the so that they are forced to deal with the attack at hand. Thishigh volume of traffic thrown at them. It validated the principle of is the perfect moment for the criminal to launch a real attackover provisioning in order to account for further future attacks. towards company or government entities.2007 - DNS Attacks HacktivismOn February 6th, 2007, six of the thirteen DNS servers were Hacktivism can refer to politically constructive forms of civil diso-once again attacked in an attempt to “bring the Internet down.” bedience. It could pertain to various types of protests, whetherThe first wave of the attack lasted 2.5 hours. After a gap of three they be anti-capitalist or political. It has been suggested by thehours, the servers were hit once more for another three hours. critics that DoS attacks are an attack on our free speech, have Nevertheless, this time, engineers who worked on the sys- unintentional results, waste resources and could possibly taketems protecting the DNS servers had learned critical lessons us to a “DoS war” that will be won by no one. An example is thefrom the first attack in 2002. Anycast, a new technology, had DDoS attack against the FBI. The FBI site was down for a briefbeen developed. It allowed the DNS servers to mitigate the period of time after only seven minutes of attack. This attackeffects of this type of attack. Unfortunately, two of the servers was feasible due to the amount of people that participated inlacked the technology that had been installed and, in turn, were attacking internet censorship. Anonymous or anon is one of thetaken down by the attacks. world’s most well-known hacktivist collectives, especially after Essentially, the 2007 attacks were a positive experience. launching DDoS attacks on the American, Russian, MexicanThe engineering teams had demonstrated that they had had and Polish, governments.the ability to withstand a coordinated DDoS attack. The at- As demonstrated in ramp file extract posted by anonymoustacks were believed to have arrived from the Asian-Pacific re- in February 2012 on Pastebin, the battle is fought at variousgion. However, they were most likely carried out by “zombie” levels by Anonymous, in fact, it is not made merely of trivialcomputers used by unsuspecting users and therefore, could DDoS attacks, but also by making the government conscioushave come from anywhere. of their own mistakes and waking up the citizens when laws It was discovered that end-users could help to prevent their infringe on their privacy and civil liberties: systems from being hijacked by changing the default pass- To protest SOPA, Wallstreet, our irresponsible leaders andwords on their home routers. We all have numerous family the beloved bankers who are starving the world for their ownmembers that continue to use their default passwords even selfish needs out of sheer sadistic fun, On March 31, anony-after we have informed them of the dangers in doing so. For mous will shut the Internet down.obvious reason, the adoption of this recommendation is still “Who sacrifices freedom for security deserves neither.”quite low worldwide. Benjamin Franklin The year 2010 marks the point when distributed denial-of- We know you won’t’ listen. We know you won’t change. Weservice (DDoS) attacks broke through the 100Gbps traffic know it’s because you don’t want to. We know it’s becausebarrier. DDoS became a by-word for any politically-motivated you like it how it is. You bullied us into your delusion. We haveattack that year. Arbor Networks’ sixth annual worldwide in- seen you brutalize harmless old woman who were protestingfrastructure security report announced that the attacks be- for peace. We do not forget because we know you will onlycame mainstream, while numerous high-profile attacks were use that to start again. We know your true face. We know youlaunched against popular internet services as well as other will never stop. Neither are we. We know.well-known targets. We are Anonymous. According to Arbor Networks, 5% of the world’s leading data We are Legion.centres deal with over 500 DDoS attacks every month. Cur- We do not Forgive.rently, cloud services are particularly targeted. An analysis We do not Forget.conducted by Alcatel-Lucent has shown that cloud security is You know who you are, Expect us.what needs improving most. The increase of groups like Anonymous and LuzSec, as well as continuous cyber-wars, has finally revealed the issues of cyber-Aim of the attack security. The risk is authentic and it is progressively shifting intoNowadays the most common reason that criminals attack in- political and military action.ternet services is still to extort money, ensuring that targetedsystems will no longer be attacked. DDoS Attacks are costing Cyber-warthe average enterprise company about five million euro for a A cyber-war is a new way for military groups and terrorists to24-hour outage and attacks can be performed from anywhere perpetrate war via internet. In this way, war no longer has to in-in the world with total anonymity, using software such as ToR. volve physical weapons, since it could be performed from com-This software was created to defend citizens from network sur- puters located anywhere in the world. A cyber-war DDoS attackveillance that threatens personal freedom and privacy. However, is able to stop critical infrastructures of the targeted country suchcriminals can also use it to hide their physical location, bouncing as banks, hospitals, media and transportation systems.www.hakin9.org/en 9
  • Hakin9 EXTRA on their computer such as a virus. This is the case of systems For example, US websites were under a DDoS attack from a that without their owner’s cognizance, have become part of a botnet consisting of about 20,000 nodes, based on a MyDoom botnet and that attackers can use to issue commands in order worm. The agents were launching a mix of ICMP ECHO, UDP to trigger a DDoS attack toward a website. Since the malicious packets, HTTP GET requests. packets come from several IP addresses, DoS defenses based on monitoring the volume of packets coming from a single ad- Definitions dress or network would fail, due to the fact that the attacks could In a nutshell, DoS and DDoS attacks are executed by send- come from all over world. For example, instead of receiving ing several crafted requests to targeted systems, consuming a thousand gigantic pings per second from a single attacking their resources such as processing cycles, memory resources, node, the victim could receive one ping per second from thou- network bandwidth and preventing them from providing the in- sands of attacking sources. tended service or communication to the legitimate users. Per- petrators of these attacks usually target sites or services hosted Typology on web servers, credit-card-payment gateways, e-mail and root The following are some examples of denial of service at- DNS servers. tacks: What is the difference between DoS and DDoS attacks? Ping-Flood Attacks DoS: Denial-of-Service attacks are defined as resource- A Ping-Flood attack is the most rudimentary of all attacks and is exhaustion flooding attacks and logic attacks from one source. actually considered a brute-force attack that utilizes ICMP Echo This also makes the geolocation of the attacker easy to trace Request also known as ping packets. These require the target and for that reason relatively easy to prevent. The attacks to have a smaller bandwidth than the source but may also be based on resource-exhaustion flooding determine the server’s launched from a single source. A sufficient number of machines or network’s resources to be consumed to the point where the are compromised, and then turned into Zombies. They are sub- service no longer responds or is reduced. Logic attacks take sequently used to ping the victim, who is unable to operate when advantage of security vulnerabilities in order to crash a server the sum of all the attack bandwidths are greater than that of or to drastically reduce its performance. the victim. Blocking becomes improbable when the ping source DDoS: Distributed-Denial-of-Service attacks originate from addresses are spoofed, since one does not know the infected more than one source and multiple locations at the same time. machine that is attacking. In contrast, the attacker brings down The tools used for denial-of-service attacks tend to create dif- the target’s total network, which might be an undesired result. ferent types of malicious or legitimate traffic that, when clus- Significant resources are necessary to mount this kind of attack. tered together with hundreds and thousands of other comput- This could be challenging to assemble. However, if the target is ers, create a massive attack, thus, overwhelming the target working with their ISP, the attack can be blocked. server. The term distributed stems from a battery system of zombies - which in many cases is infected with malware - that SYN-Flood Attacks is often used in order to make the aggression effective. SYN-Floods were developed from the Ping-Flood. After all, they say necessity is the mother of invention. In a SYN-Flood at- tack, the attacker takes advantage of the protocol by sending the server many SYN packets. Since the server must handle every packet as if it were a connection request, it responds with a SYN-ACK. The attacker could choose not to respond to the SYN-ACK and, in turn, the server will have a half-open connec- tion. Nonetheless, the server could block subsequent packets from the attacker’s IP address and therefore, end the attack prematurely. Figure 1. DDoS Attack Schema Figure 2. SYN Flood UML Diagram The users are typically unaware that their computer has been Another option is for the attacker to spoof the client’s IP address. compromised by malicious code, after they have accessed an The server will then respond to the IP address, but since a con- infected web site or have inadvertently run malware programs nection has not been initiated, this client would then drop the10 9/2012 (16)
  • DDoS Attack and Mitigation TechniquesSYN-ACK. The server would then be left to wait for a response monitoring tools continue to work during the attack.while using up resources on the server with these half-openconnections. No new connections can be made after all the re- Monitoring Network Trafficsources are consumed, regardless of their legitimacy. The result In order to understand normal network traffic patterns, compa-is a successful attack. nies should regularly collect sample packets as well as other pertinent information from switches, routers and other devicesThe Slow Loris Attack in order to establish a baseline for normal traffic. It is required toA Slow Loris attack holds the connection open at layer 7 by know what sort of traffic comes in, monitoring it over a period ofsending incomplete HTTP requests to the web server. The con- six months. This information should be incorporated into a cor-nection is opened by the server and it will wait to receive a com- relation engine in order to detect threats, alerts and reporting,plete header. It will receive only false header lines keeping the that can be used to avoid future attacks.connection allocated. Network Firewall Firewalls use some mechanisms in order to defend servers from DoS attacks such as black-listing IP-addresses and other applications. While Network firewalls can halt classic DOS at- tacks like a Ping of Death or Land, it is virtually impossible for a common network firewall to be able to distinguish it, in order to stop advanced DDoS. In addition, network security devices us- ing state-full inspection technology could be quite vulnerable to DDOS attacks. Attackers know that these security applications are exposed, so they attack them overloading the TCP Stack in order to stop them. Nonetheless, network firewalls can obtain evidence of attacks such as source and destination IP address- es, protocol and packet length. This information is important for the ISP in order to filter out the abnormal traffic. Load BalancersFigure 3. Slow Loris Attack It is conventional wisdom that if your infrastructure is behind aEx: POST /somepage.com HTTP/1.1rn Host: some_url_or_ hardware load balancer, then you are not vulnerable to DoS/other.comrn User-Agent: Mozilla/4.0 rn Content-Length: DDos. In fact, a DoS attack could pass through load balancers42rn if they are not properly configured. Delayed binding features X-a: brn also known as TCP Splicing must be activated in order to pro- Notice that everything up to the final line is legitimate. In- tect the infrastructure against a DoS attack. Delayed bindingstead of finishing with an additional rn, if should finish with permits the load balancer to perform an HTTP request headerX-a: brnrn. completeness check, ensuring that your web server will never Many web servers wait five minutes, by default, resulting in receive incomplete requests. Delayed binding is a very effectiveusing up one resource for up to five minutes. In many cases, way to protect against a Slow Loris attack.it will take very little time for an attacker to use up the remain-ing resources for new connections. In order to keep each re- SYN Cookiessource busy, a new header with the missing CRLF will be sent SYN Cookies has proved to be one method of protecting againstagain. By varying this, writing Intrusion Detection signatures SYN-Flood attacks by eliminating the use of half-open connec-are difficult without stopping legitimate traffic. Therefore, with tion resources used by the server. Instead of storing the infor-a single packet, an attacker can keep a connection busy for mation locally, the new connection information is embedded inup to five minutes. the TCP sequence number. It then passes it back to the client in the SYN-ACK packet. Once the server receives the ACK clientDetection, prevention and mitigation methods: response, it reconstructs the entry for the SYN queue after the ACK holds the sequence number incremented by one. In this• Scalability and Overprovisioning way, the attack is unable to dominate all of the resources and is• Monitoring Network Traffic therefore reduced to the level of a Ping-Flood attack.• Network Firewall• SYN Cookies Web Application Firewalls• Load Balancers Avoiding both layer 4 and layer 7 DoS attacks, WAF servers• Web Application Firewall continue to provide services to applications without a degrada- tion in performance. WAFs automatically understand applicationScalability and Overprovisioning structure such as application URLs, methods, parameters andProtecting a server against denial-of-service attacks, DoS/ cookies in order to precisely detect attack patterns. This infor-DDoS, is an arduous endeavor. Using a server with many re- mation is used to create a traffic baseline also known as a whitesources such as CPU and memory, is perhaps the simplest way list of acceptable user behavior.as well as building the server application to scale up well. If fea-sible, it is recommended to use a distributed model to maintain Live Testsredundancy for critical services and applications. It is very im- Note that I have no liability resulting from use of the programsportant to provide scalability of monitoring tools, assuring that mentioned below. DoS and DDoS attacks constitute law viola-www.hakin9.org/en 11
  • Hakin9 EXTRA tions around the globe. Furthermore it is recommended to use dow open to the site, press F5 or the refresh button on the a virtual machine with no access to internet or any internal lan browser. Are you able to connect? in order to avoid any problems. After just 30 seconds the following appeared when I was requesting the server page: Step 1: Setup a web server In order to install Apache web server in Linux first of all log on to your Linux machine. Then open a terminal and enter this command: sudo apt-get install tasksel Figure 7. Web Server output after DoS attack STEP 3. Stop Slowloris attack In order to block the Slowloris attack you could install DoSDe- flate. In order to install the program you should enter the follow- Figure 4. tasksel installation output ing command: Once completed the installation type from terminal: Sudo tasksel wget http://www.inetbase.com/scripts/ddos/install.sh To download the program installation script and after you will change the permission of the file in order to execute it chmod 0700 install.sh Finally you can lunch the installation hit this command: ./install.sh Figure 5. tasksel software selection output Note that during the installation you will be asked to enter the password for the Mysql, (default username is root). To confirm that your web server is working, open a browser on the same machine and type in it localhost otherwise from another machine enter the Linux machine’s internal IP address into the URL bar. A default usable web page should appear. That’s All Folks! In Ubuntu with just one click you can install LAMP , if your linux machine use a different package manager than use your package manager’s syntax to install it. Note that Apache is called “httpd” in Red Hat and some other reposito- ries. Step 2: Attack web server via the Slowloris attack Initially you need to download the Slowloris script from pastebin If it doesn’t workout, it is simple to uninstall too. To uninstall or sourceforge. After download the script enter this command enter this command: to start it: wget http://www.inetbase.com/scripts/ddos/uninstall.ddos perl slowloris.pl -dns <WebServerIPaddress> After you will change the permission of the file in order to ex- Note that this script require a the Perl interpreter with the mod- ecute it: ules IO::Socket::INET, IO::Socket::SSL, and GetOpt::Long. In case that you don’t have already installed these modules. You chmod 0700 uninstall.ddos can install modules using CPAN and enter the following com- mands: Then you can lunch the unistall program entering this command: perl -MCPAN -e ‘install IO::Socket::INET’ ./uninstall.ddos perl -MCPAN -e ‘install IO::Socket::SSL I have found that these mitigation techniques will stop 90% of In a browser window, attempt to connect to the Apache web the attacks that currently exist. Naturally firewalls rules and / server hosted on the Linux machine. If you already have a win- or ACL rules configured at the router or switch level also help.12 9/2012 (16)
  • DDoS Attack and Mitigation TechniquesConclusion sionals must have hands-on expertise; Manage and defendAttacks are increasing in their sophistication and moving up against DDoS attacks as well as infiltrate and stop DDoSthe OSI Model from brute-force attacks at the network layer to command-and-control servers. Unless companies learn howmore refined attacks at the application layer; the most elemen- to read that data and take appropriate countermeasures, eventary being from the cutting cable attack at physical layer, mov- the best monitoring and reporting statistics are completely anding through attacks such as Ping and SYN-Flood attacks at the utterly useless. network and transport layer and continuing up to the applicationlayer, thus providing the attackers various options. At the sametime, there is an increase of botnets as well as sophisticatedcommand and control (C&C). Launching brute-force attackslike SYN-Flood or reflected attacks is simply the easier option References and Resourcesbecause they work against the majority of targets. Attacks are • http://www.platohistory.org/blog/2010/02/perhaps-the-first-denial-of-becoming progressively common such as the attacks on Face- -service-attack.html • http://www.prolexic.com/book and Twitter. • http://deflate.medialayer.com/ In fact, this quarter, as reported by Prolexic, DDoS attacks • http://www.rfxn.com/projects/were evenly spread across all vertical industries including fi-nancial services, e-Commerce, SaaS, payment processing,travel/hospitality, and gaming. As in previous attack reports,China (33%) is the top source country for distributed denial-of- Valerio Sorrentinoservice attack traffic. Moreover, this quarter it is joined at the CISM, CISA, ISO 27001 Lead Auditor, CCNA   is an author, train-top of the list by Thailand (23%) and the United States (8%), er and security consultant, who has been working in the IT indus-although the United States, UK and Hong Kong consider de- try for over 12 years for Defence, Space, Financial, Telecommunica-nial-of-service attacks as the biggest security risk of them all. tions and Manufacturing companies. His extensive experience in- I believe that it is necessary to perform analysis of attack cludes design, development and implementation of enterprise ap-patterns in order to rapidly identify upcoming attacks as well plications, infrastructure and security solutions in order to achieveas share lessons learned between different incident response organizational business objectives. Valerio performs informa-teams. Therefore, it is extremely important to subscript to tion security demonstrations and training for both technical andthird-party intelligence service providers and with some par- non-technical audiences. He is also a member of numerous asso-ticipation in industry security groups or forums (e.g. CERT). ciations in the industry such as the Cloud Computing Communi-Nevertheless, in order to discriminate suspicious traffic from ty, itSMF, ISACA and Clusit. This article marks his 4th collaborationlegitimate ones and dealing with botnets, security profes- with Hackin9 Magazine. .org/en hakin9 w. wwwww.hakin9.org/en 13
  • Hakin9 EXTRA Understanding and Mitigating Distributed Denial of Service Attacks Hari Kosaraju One of the most common and costly cyber attacks on the Internet is the Distributed Denial of Service attack (DDoS). Enterprises across the globe are scrambling to prevent their critical systems from being taken down by amateur hackers using readily available DDoS toolkits. DDoS attacks have been accelerating lately and an adequate solution to preventing them still evades security researchers. This article will discuss the technical details of how a DDoS attack occurs and offers steps on how they can be mitigated. A Denial of Service attack is defined as when an at- During most DDoS attacks, spoofed or forged IP addresses tacker disrupts access to a server or application of are used which makes it more challenging to trace the source the victim. They disrupt networks in many ways but of the attack. When an IP packet with a spoofed source address typically they deny access to a particular server or applica- is responded to by a host, this causes IP backscatter. These tion service by bombarding it with an abnormal number or backscattered packets will not be responded to. Researchers format of requests. Due to the lack of authentication of IP have looked at measuring backscatter and applying statisti- addresses, they can be spoofed and it becomes incredibly cal analysis to determine how frequent DDoS attacks are on difficult to determine the source of the attack and stop it. To the internet. Their research however makes the assumption make matters worse, these attacks are usually orchestrated that the attacker chooses spoofed addresses randomly. This through the use of a number of zombie machines that are part assumption is not necessarily valid because attackers don’t of a command and control Botnet. These machines gener- necessarily pick IP addresses randomly and some IP packets ate the malicious traffic denial of service traffic and are not destined for spoofed IP addresses are filtered before they ever owned by the attacker but have been compromised through reach their intended destination. Finally, the attacker may use malware to be under the attacker’s control. In most cases, the a non random reflector address to amplify their attack. One owner of these machines does not even know that they have particular study estimated that there were about 12805 DDoS been involved in an attack. When multiple hosts are involved attacks across 2000 organizations in a three week period [2]. in a coordinated Denial of Service attack, it is referred to as In the first part of this article we will introduce various types a Distributed Denial of Service(DDoS) attack. of Denial of Service attacks and how they work at the protocol DDoS attacks are an unfortunately common occurrence on level. Next we will discuss what a Distributed Denial of Service the internet and are growing at an alarming rate. A report by attack is, and how current DDoS toolkits work. Finally, we will Arbor Networks shows that distributed denial of service at- discuss how to mitigate DDoS attacks from an enterprise, and tacks have now surpassed the 100 Gbps of malicious traffic Internet Service Provider perspective. generation barrier [1]. What makes DDoS attacks so devastat- ing is that it can be very simple for an attacker to set the attack Types of Denial of Service Attacks up with the latest generation of toolkits. However, it is very Denial of Service attacks can be classified as those that are expensive for an organization to mitigate and/or trace back the executed on a local machine through a shell and those that DDoS attack to its source. This asymmetry makes it one of the are network based. Once a user has an account on a host sys- most pressing security issues for enterprises globally. tem, they can launch any number of Denial of Service attacks.14 9/2012 (16)
  • Understanding and Mitigating Distributed Denial of Service AttacksRemember that a Denial of Service attack is one that denies In a mail attack, the attacker will overwhelm a target byservices to legitimate users. Therefore, attacks such as forking sending its email address a lot of mail. This mail will fill up theprocesses repeatedly until an operating system’s process limit target’s inbox and likely overwhelm the target’s mail server [7].is reached, creating files repeatedly to exhaust file handles, and DNS flooding attacks are also a common attack. In a DNSfilling up disk space with random data are all examples of local flood, an attacker will send a DNS Request packet withDenial of Service attacks. Once a system has been compro- a spoofed Source IP address of the target machine. This willmised such that a malicious user has shell access, any num- cause the DNS server to send a response that happens to beber of local attacks are possible [3]. In contrast to local Denial much bigger. In some cases, a DNS request of 60 bytes canof Service attacks, network based Denial of Service attacks do generate a 512 byte response [4 pp 48]. This large amplifi-not require any type of user credential. In fact, many attackers cation is exactly what an attacker is looking to accomplish inwill first spoof the source address of any network based attack order to overwhelm a host.to hide their tracks. This is possible because of the fact that IP HTTP flooding is when a large number of http requests areaddresses are not authenticated. sent to a web server with the intention of denying service. This The mechanism in which a TCP connection is established is attack is popular because HTTP requests are typically notcalled a Three Way Handshake. During this process, the cli- blocked on the path to the victim because they are difficult toent will first send the server a TCP SYN packet. In response, discern from legitimate HTTP traffic.the server will send a SYN ACK packet to the client. When A Slowloris attack is a specific HTTP based Denial of Ser-the client receives this SYN ACK packet, it will send an ACK vice attack. It is when Slowloris client keeps a connectionpacket to the server. At this point, the TCP Connection is open to an HTTP server for an extended period of time. Thisconsidered established between the client and the server. In exhausts the connection queue of the server thereby makinga Denial of Service attack, there are two ways that an attacker additional connections impossible. The client will send por-can interrupt this process. They can send a TCP SYN packet tions of the request slowly and thereby keep the connectionto the server with a spoofed source IP address so that the open much longer than normal. Slowloris is an example ofserver never receives an ACK because the spoofed source IP a low bandwidth denial of service attack [9].doesn’t know anything about establishing this TCP connectionand will not send the TCP ACK to this server. The other way Distributed Denial Of Service Attack (DDoS)to do this is by using a legitimate source IP but not sending A Distributed Denial of Service attack is a Denial of Servicea TCP ACK packet. By doing this trick repeatedly, the attacker that is orchestrated by using many hosts or “zombie” machinesconfuses the server into maintaining numerous half open con- that are scattered over the internet to target one victim. Typi-nections and exhausting the connection queue. Once this con- cally these zombie machines have been previously hacked andnection queue is exhausted, no new legitimate clients will be have had DDoS malware installed. This malware allows an at-able to connect to the server [4]. tacker to control these zombies from a control server. By add- Another common Denial of Service attack is called a Smurf ing this hierarchy, the attacker can cover their tracks insteadattack. In this particular type of attack, an ICMP echo request of trying to launch the attack directly from their servers. Also,packet is sent to a list of IP broadcast addresses. These lists from a cost perspective it makes a lot of sense for an attackerare shared between hackers for this type of attack. The ICMP to leverage existing hosts rather than trying to set up their ownecho request packet that is sent again has a spoofed source IP network of dedicated machines. These attacks are problematicaddress. All hosts that receive the broadcast will send an ICMP because they are much more powerful than just a handful ofecho response to the victim, thereby multiplying the effect and hosts. In many cases, an attacker will harness a Botnet withoverwhelming the target machine with network traffic [5]. 100000 hosts that are involved in the attack (Figure 1). Some denial of service attacks are low volume attacks In this DDoS architecture shown above, a command andthat use carefully crafted packet formats. For instance, in control setup is used. A number of bots are infected withthe Ping of Death attack, a single ICMP packet could ren- a piece of DDOS malware that allows for them to be remotelyder a host inoperable. This packet was unique in that it has controlled. These Zombie machines are controlled by DDoSa length of 65536 bytes. However, the IP protocol speci- Controller machines. The attacker commands the DDoS Con-fies that the largest size possible is 65535 bytes. It is pos- troller machines to instruct the Zombie machines on who to at-sible to construct the ping of death packet by fragmenting tack and how to perform the Denial of Service. In order to set-the packet over multiple Ethernet frames and setting the up this architecture, an attacker must go through many steps.last frame to have the maximum offset but provide a large First of all, it must create the Botnet malware. If an attackeramount of data in that frame. This will create an IP packet doesn’t have the software development skills, they will usegreater than 65535 bytes which is the largest allowed by a publically available DDoS toolkit. The next step is to infectRFC 791. Since TCP/IP stacks were not designed to handle a large swath of machines with this malware. Classic ap-IP packets larger than dictated by the RFC, this causes the proaches to installing malware on a machine are used: click-system to crash. Note that this bug has subsequently been ing on a malicious link, installing an application with the mal-fixed on most systems [8]. ware embedded in it and other exploits that can run malicious Another network based Denial of Service Attack is called code on the machine are used. Often an attacker will scanthe Land attack. In this type of attack an attacker sends large portions of the internet for an un-patched vulnerabilitya spoofed TCP SYN packet with the source and destination IP and take advantage of it to load their malware. Once the mal-address set to the target machine. This will cause susceptible ware has been installed, the Zombie machine communicatesmachines to lock up [6]. with the DDoS Controller. The source address of the DDoS All of the attacks thus far have been layer 4 and lower at- Controller is often spoofed to further throw investigators offtacks. There are numerous application layer Denial of Service track. This communication is encrypted in some instances butattacks that are possible: in some instances it is not. The Controller to Zombie commu-www.hakin9.org/en 15
  • Hakin9 EXTRA DDoS Botnet Architecture Attacker Encrypted, IRC, HTTP, Peer to Peer or TCP, UDP Communications DDoS DDoS DDoS DDoS Controller Controller Controller Controller Encrypted, IRC, HTTP, Peer to Peer or TCP, UDP Communications Zombie Zombie Zombie Zombie Zombie Zombie Zombie TCP SYN Flood, HTTP Flood, DNS Flood, Slowloris Attack Victim Figure 1. Source: [4] pp 40/43 nication in unencrypted instances uses ICMP echo response differ in their communication schemes, the Denial of Service packets. These networks are also known to use IRC channels exploits they perform and encryption of their communica- for communication. These communication mechanisms are tion channels. These are the tools of choice for the amateur used are because they often are allowed to traverse firewalls. hacker because they do not require any intricate knowledge More recent DDoS systems have been using peer to peer of how to exploit a computer in order to generate a powerful communication channels. DDoS attack. These DDoS Botnet toolkits in general use a few major The Rise of DDoS toolkits modes of communication between their nodes. Some use cus- In the past, Distributed Denial of Service attacks were done by tom protocols over TCP or over UDP. Some use ICMP in order lone hackers with protocol expertise and software development to get through firewalls that allow it to pass through enterprise skills. This is unfortunately no longer the case. DDoS attacks gateways. Others use protocols such as IRC or HTTP. When are now orchestrated mainly by organized crime, political activ- IRC is used as the communication channel, a bot will connect ists or amateur hackers. There are different ways in which these to a specific IRC server or list of servers that are hardcoded different actors setup and activate a DDoS attack. into the malware. Once it has connected to the IRC server, Organized crime will typically infect a large number of un- it will listen for commands or monitor a specific channel for knowingly host machines with malware. This malware will commands. Using IRC as a communication channel has de- be commanded from specific controller machines. The hosts clined in popularity though because it is relatively easy to filter that are infected are known as Zombies. This approach dif- on. For instance, the TCP port range for IRC communications fers from political activist hackers or “Hacktivists” as they are of 6666-6669 can easily be blocked with an IDS rule. More called. An example of this type of group is Anonymous. In recent Botnets have turned to HTTP as a communication pro- the case of the Hacktivist, they will actually produce a toolset tocol for command and control messages. With the volume of and have their sympathizers download and install it on their http traffic over most networks today, it is easier to hide these machine. Typically, groups like Anonymous will use social command and control messages [11]. Some DDoS toolkits media to persuade their followers to take up the cause and also use encrypted communications to conceal these com- download the tool to help execute the denial of service at- mand and control messages. tack [20]. Examples of Anonymous DDoS tools are the Low Some DDoS toolkits are smart about preventing tracing. Impact Ion Cannon (LOIC) or the High Impact Ion Cannon They know that ISPs will typically trace a spoofed IP back, (HOIC). An even more recent trend is in the “build your own router interface by router interface to locate the source. How- DDoS Botnet” segment of toolkit. This way, any person can ever, this process takes time. Therefore, the DDoS Botnet will set up their own Botnet and then sell their ability to launch pulse the attack on and off over intervals of time [3 pp 538]. DDoS attacks to others. There are numerous DDoS toolkits A new and somewhat alarming trend is the recent adop- available. They can be found in hacker forums, advertised on tion of build your own DDoS Botnet solutions. These products youtube.com or even downloaded from paste.bin [10]. They which many security researchers group into the “Dirt Jumper”16 9/2012 (16)
  • Understanding and Mitigating Distributed Denial of Service Attacksfamily of DDoS Botnets are targeted towards hackers who this section, we will discuss how these technologies work andwant to stand up their own Botnet. The hacker’s motivation for where on the network they would typically be deployed.using these toolkits vary but they range from wanting to bring There are two classes of these solutions: The first class isdown a competitive player in an online game through what is deployed in front of a server that requires high availability andcalled “host booting” to helping one company try to run their thus needs protection from Denial of Service attacks. Thesecompetitor out of business by making their website unavail- solutions are typically probe based and require a person toable [12]. One thing that makes this class of DDoS toolkits so manage them onsite. They generally do not have a monthlytroubling is that the source code is also available which makes fee associated with them. They also cannot prevent a denialit possible to create spin offs of the original. This is why Dirt of service from depleting bandwidth upstream from the serverJumper is considered more of a family of DDoS toolkits rather being protected. The Arbor Networks Pravail system is an ex-than a single toolkit. ample of such a solution. It actually can work in two different As these new DDoS toolkits become more commercialized areas: in front of critical servers or as part of an ISP’s DDoSand require higher levels of development, they become more protection. When placed in front of a critical server, the Pravailsusceptible to exploitable code. Ironically, the best way to de- probe will look for application layer denial of service attacksfeat a command and control based DDoS Botnet is to attack (HTTP, DNS, SSL and VOIP) and also look for DDoS Botnetit using well known hacking methods such as buffer overflows communication. Pravail links to Arbor Networks threat intel-and SQL Injection attacks. It was reported recently that the Dirt ligence to find the latest Denial of Service and Botnet commu-Jumper family of DDoS Botnet toolkit is susceptible to SQL nications [14]. Corero Network Security also provides a probeInjection attacks against a control node. Once compromised, that is similar in deployment and function. It is called Coreroit is possible to gain access to the database behind the control DDS and is deployed similarly [15].node to shutdown the DDoS Botnet [13]. This is a much eas- The second class of solutions are called cloud based DDoSier approach to take than trying to shutdown every individual protection or Managed Protection. In this class of solution, theZombie machine of a large DDoS Botnet. provider will reroute a customer’s traffic to their servers as a first line of defense. Imperva offers a cloud based DDoS pro-Reducing the Incidence of DDoS Attacks tection service. This service basically routes a customer’s webThe current architecture of the internet makes it nearly impos- traffic through Imperva’s DDoS protection service by changingsible to quickly stop a large DDoS attack. Multiple ISPs and law a DNS entry. They claim to support up to 4 Gbps of customerenforcement typically need to be involved to shutdown a large traffic [16]. This has the obvious advantage of not requiringDDoS Botnet. However, there are some steps that Enterprises any customer premise equipment and not needing dedicatedcan take to minimize the risk of their machines being involved staff to operate the service. Another advantage is that the cus-in such an attack. If these steps proliferate across the internet, tomer does not need to overprovision their network resourcesthe incidence of DDoS attacks will decline. which is another method that organizations use to protect their online resources. Imperva is not the only company to take this• Keep your hosts up to date with the latest security patches. approach as Verisign also has a similar cloud based DDoS The first step in setting up a DDoS Botnet is to infect an ar- protection system available [17]. Akamai also offers a similar my of hosts and turn them into zombies. The way this oc- managed service called DDoS Defender [18]. Many service curs is by exploiting published and well known compromis- providers offer their own DDoS protection at the network level es. Make this harder for an attacker by religiously installing which is an ideal place to protect your network because they software patches as they become available. can impact upstream routers by communicating with other ser-• Do not run more services than are typically required. vice providers. The larger the attack surface, the larger the probability of The correct solution for your organization depends on nu- a compromise [3]. merous factors: The type of uptime you require and the cost• Do not grant users more privileges than they need to do of downtime. Cloud based DDoS solutions involve a recurring their job. cost but have a lower upfront cost. The probe based DDoS• Look for suspicious port scan activity. Scans for known vul- protection will require ongoing management and does not nerabilities are a known first step in the setup of a DDoS necessarily prevent points upstream from the probe from be- Botnet. ing congested. Therefore, both protection paradigms should• Survey your network traffic for unexpected service traffic be carefully considered before committing to one or the other. from certain hosts to unknown public servers. This could be an indication of Zombie hosts on your network that are How Does an ISP Track a DDoS Attack? contacting command and control servers. As discussed earlier, there are many different types of Denial• Look for instances of IP spoofing on your network. For ex- of Service attacks. When an attack occurs, an ISP will receive ample, source addresses that don’t match internally allo- an alarm that a customer’s service level agreement is not being cated addresses could indicate a problem. met. This could be because their link is saturated with unwanted• Look for large flow volumes of traffic or really long flows. traffic. The ISP’s first step is to figure out what type of attack it This can be done by deploying a Netflow probe at the net- is. One way that this can be done is by using tcpdump to cap- work’s egress point to monitor flow volume. Both of these ture network traffic. Then one can run the tcpdstat tool to gather cases could be a Denial of Service effort. summary statistics on this sample of traffic [19]. Another way that this can be accomplished by an ISP setting up access listsCommercial Available Anti-DDoS Solutions: for various services on their routers. Once they have determinedThere are numerous advertised commercially available today how which of the various types of DDoS attack it was, the nextfrom vendors such as Arbor Networks, Imperva, Corero Network step is to throttle that specific type of traffic. There are many dif-Security and Akamai technologies along with many others. In ferent types of DDoS attacks, be they TCP SYN floods, ICMPwww.hakin9.org/en 17
  • Hakin9 EXTRA based or UDP based. Therefore, we need to know exactly which Conclusion mechanism the attacker is using before we can start to mitigate DDoS attacks are some of the most troubling attacks on the inter- the damage. The following ACL rules will help us to discover the net because they are extremely costly to defend against in terms appropriate type of attack: access-list 169 permit icmp any any of both time and money. Unfortunately, they are very inexpensive echo access-list 169 permit icmp any any echo-reply access- to orchestrate even for a novice attacker based on the availabil- list 169 permit udp any any eq echo access-list 169 permit udp ity of DDoS Botnet toolkits. Therefore, we have not seen the last any eq echo any access-list 169 permit tcp any any established of these attacks and there is evidence to suggest they are ac- access-list 169 permit tcp any any access-list 169 permit ip any celerating. Some best practices to prevent DDoS attacks are to any interface serial 0 ip access-group 169 in make sure your hosts have been patched with the latest security Source: [19] updates and to verify that your network is not sending spoofed Another mechanism that can be used to determine the type traffic or excess traffic. Further, an organization may consider pur- of attack is by using Netflow. Netflow is a mechanism to report chasing a dedicated DDoS protection probe to better guarantee on sets of packets. A flow is actually a set of a packets between availability of a server but the more robust solution is to mitigate a given sender and receiver on a set of ports. Netflow reports the problem at the ISP level. For high availability servers, a cloud flow summaries including the number of packets in the flow based DDoS protection service may be an effective and fast so- as well as layer 3 and layer 4 information. From these Netflow lution to deploy. Enterprises should also discuss with their ISP reports, we can determine if there is an increase in either the to understand the services they offer to prevent DDoS attacks. number of flows or the volume of the flows. Either can indicate a denial of service attack. Many routers support Netflow inher- ently thus is a useful mechanism. Most ISPs will actually use Hari Kosaraju Netflow to monitor service level agreements along with SNMP has over 10 years of software engineering experience focused on Linux Ap- so it serves a dual purpose. plication Development in C/C++, Real Time Embedded Systems, Protocol Once an ISP has determined the type of traffic that is at- Design and Deep Packet Inspection. He is currently a lead engineer on the tacking the victim, the next step is mitigating its effect. Since Mantaro SessionVista™ product line of Network Intelligence Technology. there are so many senders in a DDoS attack and they are us- This product line is used for Network Forensics, Lawful Intercept and Cyber ing spoofed addresses, we would need to back track through Security through industry leading deep packet inspection at high data rates. many routers using a combination of the MAC address and Hari’s interests lie in understanding network based threats and developing router interface that the packet was received on to trace the technologies to detect and stop them. back to the attacker [19]. This would need to be repeated Hari holds a bachelors degree in Systems and Computer Engineering from for many zombies if they are geographically diverse and nu- Carleton University in Ottawa, Canada. He also completed a joint MBA/MS merous. This not only requires cooperation of many ISPs, it at the Robert H. Smith School of Business at the University of Maryland, Col- also requires time. Note that a DDoS attack is very costly to lege Park. an organization when the server being attacked is one that generates revenue 24/7. Any downtime of this server costs significant amounts of money. Therefore, most ISPs will first References: try to mitigate the damage by setting up an access control [1] [http://www.informationweek.com/security/attacks/ddos-targe- list to throttle the specific Denial of Service traffic. For ex- ting-firewalls-intrusion-preve/229200274] ample, perhaps ICMP packets are the attack method so the [2] [Inferring Internet Denial-of- Service Activity, David Moore, Geof- frey M. Voelker and Stefan Savage. http://www.caida.org/publica- ISP will immediately rate limit them to alleviate problems at tions/papers/2001/BackScatter/usenixsecurity01.pdf.] the victim until the attacker is found. In order to really help [3] [ Counter Hack Reloaded. Ed Skoudis and Tom Liston. Prentice the victim, the offending traffic needs to be stopped further Hall. 2006] up the chain than at their Enterprise IDS or even their border [4] [ An Introduction to DDoS Attacks and Defense Mechanisms. BB gateway router because at this point much of their bandwidth Gupta. Lambert Academic Publishing. 2011] [5] [http://en.wikipedia.org/wiki/Smurf_attack] has been consumed. It becomes clear that to really mitigate [6] [http://en.wikipedia.org/wiki/LAND] a DDoS attack with any success, you must coordinate with [7] [http://en.wikipedia.org/wiki/Email_bomb] your ISP. Therefore, a clear plan of attack in terms of who [8] [http://en.wikipedia.org/wiki/Ping_of_death] exactly at the ISP to call in the case of a DDoS attack should [9] [http://en.wikipedia.org/wiki/Slowloris] be established. [10] [http://www.securityweek.com/flaws-dirt-jumper-ddos-attack- As you can see, DDoS attacks are extremely difficult to stop tool-let-defenders-fight-back] [11] [http://tools.cisco.com/security/center/viewAlert.x?alertId=8127] based on the current architecture of the internet. As an opera- [12] [http://www.infosecisland.com/blogview/20997-Dirt-Jumper- tor of a corporate or enterprise network, there are some steps DDoS-Botnet-Variants-Continue-to-Proliferate.html] that one can use to lower the chance that your network will [13] [http://www.securityweek.com/flaws-dirt-jumper-ddos-attack- be the source of such an attack. First of all, you should moni- tool-let-defenders-fight-back] tor your network for evidence of spoofed source addresses. [14] [http://www.arbornetworks.com/pravail] [15] [http://www.corero.com/en/products_and_services/dds/dds_ There are commands on routers to verify Unicast IP address overview] sources to prevent spoofed addressing from your network. An- [16] [http://www.infosecurity-magazine.com/view/20580/imperva-in- other check is to make sure that reserved IP addresses that troduces-cloudbased-ddos-protection/]. are not allocated on your network are not transmitting large [17] [http://www.verisigninc.com/en_US/products-and-services/ne- volumes of traffic. Finally, try to ensure that your systems are twork-intelligence-availability/ddos/mitigation-services/index. patched for various exploits. This goes a long way to ensuring xhtml] [18] [http://www.akamai.com/html/solutions/ddos_defender.html] your machines aren’t inadvertently comprised to act as part of [19] [http://www.symantec.com/connect/articles/closing-floodgates- a DDoS Botnet. -ddos-mitigation-techniques] [20] [http://www.pcmag.com/article2/0,2817,2400842,00.asp]18 9/2012 (16)
  • IT Security Courses and Trainings IMF Academy is specialised in providing business information by means of distance learning courses and trainings. Below you find an overview of our IT security courses and trainings.Certified ISO27005 Risk Manager Information Security ManagementLearn the Best Practices in Information Improve every aspect of your informationSecurity Risk Management with ISO security!27005 and become Certified ISO 27005Risk Manager with this 3-day training! SABSA Foundation The 5-day SABSA Foundation trainingCompTIA Cloud Essentials provides a thorough coverage of theProfessional knowlegde required for the SABSAThis 2-day Cloud Computing in-company Foundation level certificate.training will qualify you for the vendor-neutral international CompTIA Cloud SABSA AdvancedEssentials Professional (CEP) certificate. The SABSA Advanced trainings will qualify you for the SABSA PractitionerCloud Security (CCSK) certificate in Risk Assurance & Govern-2-day training preparing you for the ance, Service Excellence and/or Architec-Certificate of Cloud Security Knowledge tural Design. You will be awarded with(CCSK), the industry’s first vendor-inde- the title SABSA Chartered Practitionerpendent cloud security certification from (SCP).the Cloud Security Alliance (CSA). TOGAF 9 and ArchiMate Foundatione-Security After completing this absolutely uniqueLearn in 9 lessons how to create and distance learning course and passingimplement a best-practice e-security the necessary exams, you will receivepolicy! the TOGAF 9 Foundation (Level 1) and ArchiMate Foundation certificate.For more information or to request the brochureplease visit our website:http://www.imfacademy.com/partner/hakin9IMF Academyinfo@imfacademy.comTel: +31 (0)40 246 02 20Fax: +31 (0)40 246 00 17
  • Hakin9 EXTRA Web Application Firewall – from planning to deployment Yen Hoe Lee and Fernando Perez Web application firewall (“WAF”) has been around in the information security industry for more than a decade now. However its use is still not as widespread as desired. S everal reasons come into mind – it is a relatively large port off a network device. This class of technology generally investment for an IT shop, and the operation of it takes works this way – there is a hook into the functions in memory specialized skills that are currently not in abundance in of the application. The rest of the operations are similar to a the market. In the last couple of years, WAF is definitely grow- “traditional” WAF - the request for data would be inspected ing to become more popular because of the need for compliance and if it violates any rules, the request will be terminated. to standards and regulations such as the Payment Card Indus- The advantage of this kind of WAF is, because it is not try Data Security Standard (PCI-DSS). There is also a better merely inspecting input data at the web request layer like a awareness in general among IT professionals, of the threat vec- traditional WAF, it is more accurate in forestalling an imminent tors used for attacking the web application layer, and the need data leak due to exploits such as SQL Injection. to protect against this class of attack. The flip side is, the application has to run on a platform that This article will focus on helping you plan a deployment and lends itself to this kind of “hook” – while both Microsoft .NET operation of WAF protections to your web applications start- and Oracle Java platforms are well established platforms for ing from conception, planning, design, tests, deployment, and this kind of hook, other platforms support should be examined operation. If you have already deployed a WAF deployed, you carefully. Another consideration is compatibility with profiler. could gain some insight into practices that you can incorporate Profilers that generate performance data often used the same in expanding your WAF coverage to more web application, or mechanism to “hook” into applications. If a profiler is running to improve the operation aspects of WAF. alongside, there should be compatibility test to ensure both runs together without glitches. Is a Web Application Firewall right for you? If a web application is designed from the ground up with Obviously, WAF protects web applications, especially Internet secure coding practice, and has passed extensive penetration facing ones, from application layer exploits such as SQL Injec- testing, does it require a WAF? After all, WAF protects ap- tion and Cross Side Scripting, among other exploits. Howev- plication layer vulnerabilities that application should mitigate er the type of applications may determine the effectiveness of anyway. Practically, that is an ideal state that often take tre- WAF protection. For example, web application that is content mendous resource to achieve all the time, but at the very least, management in nature requires either extensive tuning or re- WAF should help block probing type of traffic, and that would moval of some WAF protection rules in order for the application translate to a slight improvement to the load of the servers; to continue to function as design. In a defense in depth archi- the data that it logs could also be used as data for security tecture, there would need to be more reliant on protection on analysis of web application traffic. other layers. In a situation like this, something other than a “traditional” Choices between a “traditional” WAF, and a cloud WAF may be considered. A “traditional” WAF is one that sits based WAF in the span port off a network device (see Figure 2). There If you are thinking of using WAF to protect your web applica- are some WAF technologies that would allow a more context tion today, there is one more option than a couple of years ago. aware protection of the application that does not sit in the span Besides the “traditional” WAF that you can purchase and put it20 9/2012 (16)
  • Web Application Firewallinto your data center, there is a cloud offering of web applica- not be tuned to a level where it could differentiate legiti-tion firewalls. mate from the offensive ones, that rule may have to be lift- If you are a small or medium business and the web applica- ed (or waived, turned off) so that the application could con-tion presence is an important asset to the company, using the tinue to function.cloud based WAF will allow you avoid making one big invest-ment and also avoid the operation cost of keeping in-house If you have a small set of applications targeted for the proof ofresources for operation and maintenance. There is an op- concept, obviously testing on these applications would help youportunity to choose from different cloud based WAF providers. make your decision. If you are protecting an enterprise withIt would be interesting to consider the other aspects around many different kinds of application, you may not get to test theaccessing WAF such as the fact that the application in some WAF on every application. You should try to pick applicationcases will be in a different hosting environment; however, this based on the kind of input that is taking. This would be the sug-article will not go into choosing a cloud based WAF. This arti- gestion on the kinds of application to pickcle will focus on helping you implement a WAF from concept todeployment and the continuous operation of this technology. • Transactional application such as an online shopping appli-Much of the material discussed is applicable to cloud based cation.WAF as well. • Content management application or application allows ed- iting of HTML pages.How to evaluate WAF • Off the shelf application that is deployed some customiza-There are online resources available to help you get started tion only.with evaluating WAF products. There are a lot of criteria that • Web Servicesare listed in The Web Application Firewall Evaluation Criteria(http://projects.webappsec.org/WAFEC-1-HTML-Version). This Each of these application types would give the WAF a differentwebsite has a spreadsheet that takes evaluates many aspect of set of challenge to the two high level areas for evaluation statedWAF, such as the deployment architecture, detection and pro- earlier. The test would help you with a better understanding oftection techniques, management and performance. If you send the extent and limit of the protection of each of the WAF prod-this document to major WAF vendors hoping that you could uct under evaluation.score and differentiate from their responses, you may be dis-appointed because most of the major vendors would be able to Deploying your first application under WAFachieve most if not all the criteria set out. protection If you have a proof of concept phase where you put the tech- Deploying a WAF protection for application should not be treat-nology to the test, there are really two high level areas that you ed as merely the implementations of a tool; instead it should becould focus your evaluation: treated as program. The WAF implementation should be a com- bination of activities designed to successfully meet the WAF’s• How fast the WAF product could be deployed to blocking ultimate goal of providing an effective layer of protection for the mode. Blocking mode is where web request that violates organizations Internet facing web applications. At a minimum rules will not be allowed to complete. The other mode is the WAF program should consider the following: monitoring mode where the web request is inspected for violation but nothing else is performed. • WAF Models• The flexibility of tuning rules to allow maximal coverage, • Operational Skills and Resources and minimal “waiver”. Some legitimate web request may • WAF Tuning look like an offensive one that violates rules. If a rule can- • Logging and MonitoringFigure 1. Basic Network Layer Firewall Diagramwww.hakin9.org/en 21
  • Hakin9 EXTRA It is important to understand the differences between a WAF • Blocking of specific file types; and a network layer firewall. While both WAF and network • Defining expected length of an application request; and layer firewall are policy enforcement points in the network, they • Blocking of specific parameters or characters that are not inspect different layer of the traffic. expected in the user input. A network firewall primary objective is to control the inbound and outbound network traffic by analyzing the data packets By using targeted policy checks in the WAF positive model and and determining whether it should be allowed or blocked. It the negative model, there is a balance between the effective- creates a policy enforcement point between a segment of the ness of the WAF and the level of resources needed for tuning network that is considered to be trusted or secured, and the In- and supporting the tool. ternet or another segment that may deemed insecure or high risk. Operational Resources A WAF inspects the OSI layer 7 traffic for violations based It is important to understand the set of skills needed to deploy on a predefined security policy. It is used as a policy enforce- and operate WAF protection for applications. While network ment point between the organizations presentation layer and and server administrators are important resources with the skill the web servers. to participate in the deployment and the infrastructure support A “traditional”, appliance-based WAF will be placed directly of the WAF, networking and server administration skills are not behind an organization’s outmost firewall or network device enough to run, manage and operate the WAF deployment and like a switch or load balancer typically; and in front of the web operation end-to-end. servers. In some cases, WAF can be found as an addition- It takes a team with different skills to deploy and operate al module in some of the most popular commercial firewalls WAF protection for applications. An organization deploying switches and load balancers, so a separate appliance is not WAF will need to involve at a minimum the following groups: needed. • Network Engineering – This team will be responsible for WAF Models managing the infrastructure supporting the WAF and po- There are generally 2 security models available in WAFs - the tentially manage the operational aspect of the WAF. In positive and the negative model. some organizations this role may be performed by a Secu- The positive model will white-list the application traffic to rity Operations team. known, legitimate web requests only and block all other web • Information Security, specifically Application Security – request. Generally, this model will require more effort of tun- This team will define the policy configuration for the WAF. ing before going into blocking mode, but will provide a higher This team will review any suspicious web application re- level of protection, than the negative model. From a resource quests identified as violations by the WAF, and be respon- perspective, this model requires more attention and processes sible for approving changes to the WAF rules. The security built around it to ensure proper continual operation. With the practitioners involved must be proficient in web application positive model, every time the application changes, monitoring security and vulnerabilities. They should also have a good and tuning will be required to ensure that the WAF learns the understand of the web application threat landscape. new application traffic and changes to the application do not • Application Development – This team is often overlooked trigger violations. in the deployment of WAF. They provide the crucial infor- The negative model, on the other hand, will block web re- mation on what are legitimate web request, and what are quest only when it matches a black-list or signatures file. This not, since they have the most reliable knowledge about the model analyzes the web application requests against a pre- application. defined set of signatures that identify known web application attack vectors and vulnerabilities. These attack vectors are These groups will need to work in collaboration, as an imple- identified by different resources in the industry such as: mentation team, in order to achieve a successful WAF imple- mentation. • research performed by industry groups such as: – The SANS Internet Storm Center WAF Tuning – The Open Web Application Security Project (OWASP) The WAF tuning process requires the WAF to be set to monitor- • research performed by the WAF vendor ing mode. In this mode, all web request traffic for the application • known attacks is allowed through the web application firewall without blocking the traffic. The WAF is set to capture and report these viola- These signature files are updated by the WAF vendor. It has tions. The WAF implementation team needs to review these some similarity to the way an antivirus system update its sig- violations, and choose to accept these violations as legitimate nature. Compare to the positive model, the negative model traffic, or choose to tweak the rules so that there will not be viola- requires less effort in monitoring and tuning. This translates to tions. This process is repeated until all violations are addressed. less resources and time to deploy. When a positive model is used, the tuning effort will always A recommended approach to achieve a balance of effort be higher. The complexity of the application will impact the and level of protection is to use a combination of the positive level of effort needed also. In this case, the complexity is de- and negative models. This approach combines the use of the termined by the number of input, the type of input expected, signature based protection (negative model) and targeted pol- and how dynamic the application pages are generated. icy checks to filter based on criteria that the application team A negative model requires less tuning effort comparatively. know would be unnecessary for the normal operation of the However, there needs to be careful consideration to ensure application (positive model). For example: that vulnerability is not left unaddressed by relaxing signatures22 9/2012 (16)
  • Web Application Firewallthat allows exploitation. It is important to remember that in a Challenges in deploying WAFdefense in depth architecture, application security vulnerability The success of a WAF program could have unintended conse-should still be addressed in the application itself. It is impera- quences. “Now with the WAF in place ALL of our problems withtive that applications are developed or patched following se- application security are resolved.” In a defense in depth archi-cure coding guidelines. tecture, this is a self-defeating proposition. Defining an operational process that will support WAF can When using a hybrid model (positive and negative model), be another challenge. First, a WAF policy or standard mustthere will still be the need for tuning. However, it will not re- be defined to ensure that the guiding principles around WAFquire as much time as a positive model only implementation. are set in the organization. Secondly, it is important to involveWhen tuning a hybrid model, the level of effort required for the appropriate team to support and manage not only the WAFtuning will be impacted by the complexity of the application. infrastructure, but the expansion of coverage of WAF to appli-Since the policy checks enforced are selected based on what cations. Thirdly, the organization must ensure that the teamsis pertinent to the application, the tuning level of effort usually involved work in collaboration to properly define the process-does not increase drastically. es, procedures, roles and boundaries of the WAF program. The assumption is during the tuning period, there should Finding the best protection model for your application land-only be legitimate web request traffic. If the application is in scape could be a challenge. The following questions shoulda network environment that has penetration testing or other serve as a guide to help with this challenge: What is the or-probing traffic running against the application, it will add to the ganization’s application universe? How complex are the ap-complexity and effort of the tuning process. plications in this universe? Does the organization have the Given this assumption, it is best to do tuning of a WAF in expertise and skills needed to deploy and support the WAF?a non-production environment. The non-production environ- Does the organization have the right amount of resources toment should resemble the production environment, but with support the WAF?access to the development team to generate application traffic While a WAF will protect against the majority of applicationto mimic legitimate production traffic. Usually regression test- security threats, there will be one threat that the WAF may noting can help generate the desired traffic. be able to protect against. This threat is undetected applica- Some organizations may decide to use a pre-production tion defects and logical flaws. This part can only by mitigatedenvironment, where there is Internet traffic, to ensure that an by ensuring that proper development testing is performed priorenvironment that resembles production is used during the tun- to production rollout. Testing should include at a minimum QAing. However, this would often raise the level of effort because testing, user acceptance testing, security source code re-there needs to be evaluation of both legitimate and illegitimate views, web application security assessments and exploitationtraffic (attack or probes). The use of this environment should testing via web application penetration analysis. WAF tuningbe after, not before, tuning is completed. may help to protect defects and logical flaws once these are discovered and known, but this should always be consideredLogging and monitoring a temporary solution.An important part of a WAF product is the capability of originat-ing event logs. As part of the WAF implementation an event Conclusionlogging and monitoring process must be implemented. While WAF is an important application security tool that would raisethe WAF should block most of the attack vectors coming for the the security posture of an organization. However, its deploy-application, monitoring the event logs generated can help deter- ment would involve a cross-disciplined team of resources thatmine if there are any threats occurring against the application. often would not otherwise have reasons to work closely togeth- The use of a Security Information and Event Manager er. It is not only important to select the right tool for the job,(“SIEM”) tool could simplify the monitoring of event logs for the but also setup the right organization and work flow that wouldWAF. Since a SIEM is often supported in a Security Opera- support the expansion of coverage of WAF protection beyondtions Center (“SOC”), an Incidence Response team could help a few web applications.define security triggers to look for threats. Another benefit of reviewing the WAF event logs is that itcan help identify possible issues in the application code orlogic or simply poor practices by the application development.As an example, consider the following scenario: An application team opens a trouble ticket reporting that aneeded application request has been blocked by the WAF. Yen Hoe LeeWhen reviewing the event logs collected it is noted that the CISSP, CSSLP is currently a Director of Security Solutions Architecture atweb application request blocked, was triggered by a directory a Fortune 100 Healthcare Company in the US. He has more than 10 yearstraversal attack vector. When the information security team of Information Security experience in many large organizations in US andinquired the application team of this requests, the application Europe.team discloses that this is a built-in functionality of the applica-tion that allows the use of directory traversal via a user input Fernando Perezfield. is currently a Manager of Application Security Architecture at This is an inherently high risk behavior for a web application. a Fortune 100 Healthcare Company in the US. He has more than 10It would not have been discovered unless the event logs are years of Information Security experience, and a former PCI Qualifiedmonitored and reviewed. Security Assessors (QSA).www.hakin9.org/en 23
  • Now Hiring Teamwork Innovation QualityIntegrity Passion Sense of Security Compliance, Protection and Sense of Security is an Australian based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry leading services and research to our clients locally, nationally and internationally. Since our inception in 2002, our company has performed tremendously well. We thrive on team work, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operation Systems and Application Security, please apply with a resume to careers@senseofsecurity.com.au and quote reference PTM-TS-12. info@senseofsecurity.com.au www.senseofsecurity.com.au
  • Hakin9 EXTRA Web Server SED Filtering Colin Renouf The principles underlying a good security solution are that it should be multi-layered, consider each component as being at risk in itself, and should consider all of the components interacting together as a whole as both the solution and an area of potential exploitation. It is this last principle that is often neglected. I n this article, and the related ones to follow, we will consider may represent the individual bytes in one ordering and the net- some new additions that can be applied to some of the lay- work in another, i.e. Big ended or little endian. These different ers to provide both local and distributed protection, and that representations can be used by the clever hacker to produce are flexible enough to allow immediate tuning to protect against an attack that makes use of the data representation conver- many newly found industry vulnerabilities before official fixes sions that take place on the boundaries to bypass security in are available. The aim of all of these articles is to introduce a one layer by relying on the conversion going on behind it to flexible and powerful distributed security solution that will fit into create an attack string. We will cover this in another article; but almost any environment. the thing to understand is that each layer must have its own defences and not rely entirely on what sits in front of it. Many Distributed Layers attacks often come from within the external firewalls, e.g. from Most web-based systems these days consist of a number of staff, so even in a simple case where the same technologies common layers that can essentially be considered standard are used throughout and no conversion occurs defences are commodities configured and used the same way in all environ- still needed in each layer. ments. Commonly, SQL Injection attacks are used to get unauthor- One of the most common eCommerce deployment archi- ized access to data in the database and cross-site scripting tectures builds upon an application server probably written in (XSS) attacks are used to embed scripts into web pages to Java using some servlet engine that builds upon the Apache exploit unsuspecting users. Thus, these two threats must be Tomcat reference implementation to add additional features, countered to reduce related vulnerabilities. e.g. web service standards support, clustering and manage- It is within this context that the sed filtering capabilities of ment facilities. More recently, for media and some simple sites the web server layer are introduced. Essentially, this layer in- PHP based technologies are growing in importance and there troduces regular expression filtering into the request and re- are examples on the web of the configuration (although not sponse flow into and out of the web server layer. In a another the security filtering technique) for PHP deployments. article we will examine similar facilities in the Java application Knowledge of the deployment architecture gives inroads to server layer in Java servlet filters, and look at techniques to the mischievous or criminal fraternity to more easily explore ensure the request-responses pairs stay related. Here, the the vulnerabilities that may exist in the environment. This may web server layer; usually written in C and derived from earlier start with the simple task of using a search engine to look up Apache or Netscape httpd implementations with plug-in mod- known vulnerabilities, or for open source based products ex- ules to extend them, will be our focus. amining the source code. With PHP there are many avenues There have been filtering functions within web servers for a of attack documented, but due to the lesser prevalence of while, but this article will concentrate on the recent related sed documented Java engine exploits systems administrators of- SAF filter (for iPlanet and derivates) and mod_sed filter (for ten feel safer than they should; ignoring the easy approaches Apache and defivatives) that implement the Unix stream editor to reverse engineering Java code using tools such as jad, or SED functionality in a plugin module for the web server itself to the Java JVM class:verbose, and reflection features. Assum- provide considerable functionality for checking and manipulat- ing safety in today’s world is foolish, so various techniques are ing web server requests and responses. For example, it would implemented by the astute security administrator. be possible to check for credit card patterns being displayed One important thing to note, however, is that C represents on a web page and obfuscate them to meet the Payment strings as character arrays, usually with 8 bit ASCII characters, Cards Industry (PCI) objectives. terminated with a NULL character. Java uses Unicode and un- The sed filter functionality is based on the Solaris 10 sed, der the covers stores the length of the String. The machine stream editor, executable source code, which processes one26 9/2012 (16)
  • Web Server SED Filteringor more basic regular expressions as part of a script. Actually, if used).it’s a little more complex than this as there are two different For example, to replace the “<” symbol by the more appro-sed implementations on Solaris, one from the BSD compatible priate “&lt;” processing instruction the filter expression is:implementation, which is used in the Apache mod_sed con-tent filter, and the other a new pure “post SVR4” implementa- “s/</&lt;/g”tion, as used in the Oracle iPlanet Web Server 7 (formerly SunJava System Web Server 7) sed filter implementation. TheApache version is written to the Apache APR portable module Oracle iPlanet Web Server 7functionality, and the Oracle iPlanet Web Server is written to With the Oracle iPlanet Web Server 7 the sed filter functionalitythe NSAPI module functionality. The basic regular expression is delivered as an NSAPI filter in the form of the libsed.so sharedsupport, rather than the extended regular expression support, object that ships with the product. To configure the web serverincludes branching and saving of a buffer for later use. to perform filtering requires merely configuration in the obj.conf To change the string “Hello” to “Goodbye” anywhere in a configuration file for the given web site.line with the traditional sed functionality with a basic regularexpression the command Input fn=”insert-filter” method=”(GET|HEAD|POST|PUT)”“s/Hello/Goodbye/g” filter=”sed-request” sed=”s/</&lt;/g”is used where the “s” instigates the search, the two slash “/” de- sed=”s/%3c/&lt;/g”limited strings identify the string to replace and its target replace- sed=”s/%3C/&lt;/g”ment, and the “g” indicates the operation is to be performed sed=”s/>/&gt;/g”globally within the line up to the newline character. … To perform option “if-else” type operations the branch “b”syntax is used; which in reality is more of a “goto” operation. Here the Input fn directive is used to initiate the “insert-filter”For example, to change a string containing the text “STATUS” function for GET, HEAD, POST, and PUT HTTP methods, withto say “closed” if the day is “Sunday” and “open” otherwise, the “sed-request” filter interceding in requests, but nothing isthe following set of commands is used: configured for interceding in responses. Then each “sed=” regular expression instruction is executed in order for each/Sunday/ b ifpart request.s/STATUS/open/gb end Apache-based Web Servers:ifpart For Apache-based web servers derived from the v2.2 ands/STATUS/closed/g above code base things may be a little more complex as the:end mod_sed.so module is not usually shipped with the default build, but is an add on module that makes use of the ApacheTo encode the basic regular expressions in the Oracle iPlanet 2 DSO (Dynamic Shared Object) support that should be com-Web Server 7 the obj.conf is updated with “s=” to signify each piled into the product via the mod_so.c module and is enabledsed instruction, with the “Input fn” or “Output fn” directives iden- using LoadModule statements in httpd.conf. First, checks aretifying whether the input or output streams are to be modified. needed to make sure the mod_so module has been compiledFor the Apache and Oracle Http Servers the “InputSed” and in, so run “httpd –l”“OutputSed” directives are used in the httpd.conf file. $ httpd -lHow it works Compiled in modules:The concept of the sed filter and how it helps protect a site from core.csome attacks is a simple one. The filter sits in the request and prefork.cresponse flow of the web server and examines each request as http_core.ca string for comparison against a set of configured regular ex- mod_so.cpressions. It doesn’t get access to the headers, only the requestcontents as it implements in-process content filtering functional- Next the module must be built for installation into the web serverity. The set of regular expressions that are implemented using code. The mod_sed code can be downloaded from the Apachethe basic regular expressions syntax must not be large to avoid web site http://httpd.apache.org.impacting performance, but must be substantial enough to pro- To build the module the httpd-devel package must be in-tect against major threats at the web server layer. stalled, i.e. as root execute “yum install httpd-devel”; which will The filters can intervene in both HTTP requests and re- install the necessary “Apache Extension Tool” apxs into the /sponses, but for the exercise here only request filters are used usr/sbin directory.to remove any key strings identified in the instruction after the Download the files for the modules themselves from the“s”, with the search string between the first set of “/” forward Apache httpd trunk using subversion; i.e.slashes and the string to replace it with – in most cases noth-ing – between the second set of forward slashes. The “g” says svn co http://svn.apache.org/repos/asf/httpd/httpd/trunk/to perform the change globally. Some characters are special modules/filters/characters and must be “escaped” with a backslash “”. The complete set of “sed” instructions are compiled and ex- From the filters directory that this creates copy the following filesecuted against the buffer for the request contents (or response into a separate directory:www.hakin9.org/en 27
  • Hakin9 EXTRA Table 1. Regular Expression Operation Category “s/</&lt;/g” Removes left angle bracket “<” XSS “s/%3c/&lt;/g” Removes left angle bracket “<” XSS “s/%3C/&lt;/g” Removes left angle bracket “<” XSS “s/>/&gt;/g” Removes right angle bracket “>” XSS “s/%3e/&gt;/g” Removes right angle bracket “>” XSS “s/%3E/&gt;/g” Removes right angle bracket “>” XSS s/<[sS][eE][lL][eE][cC][tT]>.{0,40}<[uU][sS][eE][rR]>//g” Removes “select X user” SQL Injection “s/<[sS][eE][lL][eE][cC][tT]>.{0,40}<[sS][uU][bB][sS][tT] Removes “select X substring” SQL Injection [rR][iI][nN][gG]>//g” s/<[sS][eE][lL][eE][cC][tT]>.{0,40}<[aA][sS][cC][iI] Removes “select X ascii” SQL Injection [iI]>//g s/<[aA][lL][lL]_[oO][bB][jJ][eE][cC][tT][sS]>//g Removes “all_objects” (Oracle PL/SQL specific) SQL Injection s/<[dD][rR][oO][pP]>//g Removes “drop” SQL Injection s/<[sS][yY][sS][dD][bB][aA]>//g Removes “sysdba” (Oracle PL/SQL specific) SQL Injection s/<[sS][uU][bB][sS][tT][rR][iI][nN][gG]>//g Removes “substring” SQL Injection s/<[rR][oO][wW][nN][uU][mM]>//g Removes “rownum” (Oracle PL/SQL specific) SQL Injection s/<[uU][tT][lL]_[hH][tT][tT][pP]>//g Removes “utl_http” (Oracle PL/SQL specific) SQL Injection s/<[sS][eE][lL][eE][cC][tT]>.*?<[tT][oO]_[nN][uU][mM][bB] Removes “select X to_number” SQL Injection [eE][rR]>//g s/<[gG][rR][oO][uU][pP]>.*<[bB][yY]>.{1,100}?<[hH][aA] Removes “group by X having” SQL Injection [vV][iI][nN][gG]>//g s/<[sS][eE][lL][eE][cC][tT]>.*?<[dD][aA][tT][aA][tT][yY][pP] Removes “select X data_type” SQL Injection [eE]>//g s/<[iI][sS][nN][uU][lL][lL]>[^a-zA-Z_0-9]*?x28//g Removes “isnull X” SQL Injection s/<[uU][nN][iI][oO][nN]>.{1,100}?<[sS][eE][lL][eE][cC] Removes “union X select” SQL Injection [tT]>//g s/<[iI][nN][sS][eE][rR][tT]>[^a-zA-Z_0-9]*?<[iI][nN][tT] Removes “insert X into” SQL Injection [oO]>//g s/<[sS][eE][lL][eE][cC][tT]>.{1,100}?<[cC][oO][uU][nN] Removes “select X count Y from” SQL Injection [tT]>.{1,100}<[fF][rR][oO][mM]>//g s/x3B[^a-zA-Z_0-9]*?<[dD][rR][oO][pP]>//g Removes “[ X drop” SQL Injection s/<[dD][bB][mM][sS]_[jJ][aA][vV][aA]>//g Removes “dbms_java” (Oracle PL/SQL specific) SQL Injection s/<[nN][vV][aA][rR][cC][hH][aA][rR]>//g Removes “nvarchar” SQL Injection s/<[uU][tT][lL]_[fF][iI][lL][eE]>//g Removes “utl_file” (Oracle PL/SQL specific) SQL Injection s/<[iI][nN][nN][eE][rR]>[^a-zA-Z_0-9]*?<[jJ][oO][iI] Removes “inner X join” SQL Injection [nN]>//g s/<[sS][eE][lL][eE][cC][tT]>.{1,100}?<[fF][rR][oO][mM]>. Removes “select X from Y where Z” SQL Injection {1,100}?<[wW][hH][eE][rR][eE]>//g s/<[iI][nN][tT][oO]>[^a-zA-Z_0-9]*?<[dD][uU][mM][pP][fF][iI] Removes “into X dumpfile” SQL Injection [lL][eE]>//g s/<[dD][eE][lL][eE][tT][eE]>[^a-zA-Z_0-9]*?<[fF][rR][oO] Removes “delete X from” SQL Injection [mM]>//g s/x3B[^a-zA-Z_0-9]*?<[sS][hH][uU][tT][dD][oO][wW][nN]>//g Removes “[ X shutdown” SQL Injection s/<[dD][bB][aA]_[uU][sS][eE][rR][sS]>//g Removes any “dba_users” SQL Injection (Oracle PL/SQL specific) s/<[sS][eE][lL][eE][cC][tT]>.{1,100}?<[tT][oO][pP]>. Removes “select X top Y from” SQL Injection {1,100}?<[fF][rR][oO][mM]>//g “s/x5cjavafiles>//g” Removes “@javafiles” Host and Java Security s/<[lL][oO][cC][aA][lL][hH][oO][sS][tT]>//g Removes “localhost” Host Security s/<[aA][lL][eE][rR][tT]>//g Removes “alert” JavaScript s/<[sS][oO][uU][rR][cC][eE]>//g Removes “source” JavaScript s/<[fF][uU][nN][cC][tT][iI][oO][nN]>//g Removes “function” JavaScript s/<[wW][iI][nN][dD][oO][wW]>//g Removes “window” JavaScript28 9/2012 (16)
  • Web Server SED Filtering Web Server SED Filtering Get trained today through our exclusive 7-months hands- on course. Gain access to our complex LAB environment exploitingregexp.c vulnerabilities across many platforms.regexp.h Receive a trainer dedicated to you during the 7 months.sed0.c 10 different hands-on engagements, 2 differentsed1.c certifications levels.sed.hmod_sed.clibsed.h MONTH 1 Vulnerability Assessment - level 1Compile these into an Apache module using the apxs Apache Vulnerability Assessment - level 2extension tool as so: Vulnerability Assessment - level 3apxs –c mod_sed.c sed0.c sed1.c regexp.c MONTH 2 Network Penetration Testing - level 1 Network Penetration Testing - level 2When all has been compiled successfully, merely copy themod_sed.so shared object into the modules subdirectory of the MONTH 3web server (e.g /etc/httpd/modules on my CentOS servers). Network Penetration Testing - level 3SQL Injection and Cross-Site Scripting BasicRegular Expressions MONTH 4 Web Application Penetration Testing - level 1The following basic regular expressions provide some simple Web Application Penetration Testing - level 2and fast protections against cross-site scripting and SQL in-jection attacks at the web server level. However, with cross- MONTH 5platform attacks that rely on the different representations of in- Web Application Penetration Testing - level 3formation in different layers leading to some information oftengetting past basic filtering this sort of filtering should be appliedat additional layers behind the web server (i.e. the application MONTH 6 Certification Exam 1 - Certified Cyber 51server and database server) to provide real protection and pre- Pentesting Professional - (CC51PP)vent attacks from inside the firewall (e.g. from trusted staff). With the Oracle iPlanet Web Server each of these regular MONTH 7 Certification Exam 2 - Certified Cyber 51expressions, which allows for mixed-case, the entry is added Pentesting Expert - (CC51PE)within the “sed=” clause from where it is compiled, as outlinedabove (Table 1). Note that all of the above completely remove problem stringsand for real production implementations it may be preferable tojust obfuscate the strings with a ‘#’; in which case the remain-ing two slashes above would contain the appropriate num-ber of ‘#’ characters, e.g. s/<[wW][iI][nN][dD][oO][wW]>//gwould become s/<[wW][iI][nN][dD][oO][wW]>/######/g.TestingWith the implementations above one thing that requires carefulconfiguration is the ordering of the filtering and the proxying inthe web server modules; remembering that most Java applica-tion servers use a plugin module to proxy the application serverand forward requests. It is best to test the proxying independent-ly and then test the filtering with simple basic HTML and PHPbefore combining the two and getting into order of processingissues and complexities in configuration. For testing the combination I usually write a simple clientthat forwards some problem text and change the Apache sam-ple Snoop JSP to echo the response. To the example snoop.jsp just add: <br> Request: <% java.io.BufferedReader in = request.getReader(); StringBuffer sb = new StringBuffer(); String input; do {www.hakin9.org/en 29
  • Hakin9 EXTRA input = in.readLine(); sb.append(input); If all of the above configuration has been performed properly } while (input != null); the result should be that the problem strings are removed from out.write(sb.toString()); the request text. However, it should be noted that this configura- %> tion is hard and differs between application servers. The author here has had generally found the iPlanet deployments with the WebLogic Server easier, but that is more due to longer expe- And in the client code just open a socket, create a buffer with rience and many hours of trial and error with the help of the the problem strings – including some you want left alone – and original Sun/Oracle iPlanet developers who developed the sed send the request: filter/mod_sed modules rather than anything inherently more problematic with the technology. This technique has been suc- cessfully used for a large international bank and an international // Create the socket address to use for the call foreign exchange company to provide additional lockdowns. SocketAddress sockaddr = new InetSocketAddress( References to the technology can now be found on the addr, port); OWASP site. Further information can be found at: // Create an unbound socket Socket client = new Socket(); • httpd.apache.org/docs/trunk/mod/mod_sed.html • https://blogs.oracle.com/basant/entry/little_history _ int timeout = DEFAULT_TIMEOUT; behind_mod_sed if (args.length == 4) { timeout = Integer.parseInt(args[2]); } // This method will block no more than the timeout. // If the timeout occurs, SocketTimeoutException // is thrown. client.connect(sockaddr, timeout); // Build the data we are sending to the socket StringBuffer data = new StringBuffer(); for (int i=0; i < TESTS.length; i++) { data.append(URLEncoder.encode(KEY_TEXT + (new Integer(i+1)).toString(), UTF8_TEXT)); data.append(EQUALS_TEXT); data.append( URLEncoder.encode(TESTS[i], UTF8_TEXT)); data.append(AMPERSAND_TEXT); } // Now we have our socket we send requests to it, // and echo what we are sending to the screen System.out.println(LINE_TEXT); BufferedWriter wr = new BufferedWriter( new OutputStreamWriter( client.getOutputStream(), UTF8_TEXT)); wr.write( METHOD_TEXT + SPACE_TEXT + PATH_TEXT + SPACE_TEXT + HTTP_TEXT + CARRIAGE_RETURN_LINE_FEED); Colin Renouf wr.write(HOST_TEXT + SPACE_TEXT + is an Enterprise Architect and author in the UK financial services in- LOCALHOST_TEXT + CARRIAGE_RETURN_LINE_FEED); dustry; working with security, Java/JavaEE, networking, Unix/Linux wr.write(CONTENT_LENGTH_TEXT + and general architecture in the UK. He also more than dabbles in the SPACE_TEXT + data.length() + world of psychology, human learning, and astronomy with particle CARRIAGE_RETURN_LINE_FEED); physics etc ; having studied IT, aeronautical engineering, social sci- wr.write(CONTENT_TYPE_TEXT + ences and more in his life as an eternal part time student. When not CARRIAGE_RETURN_LINE_FEED); working, writing or being verbally abused by his children; he loves wr.write(CARRIAGE_RETURN_LINE_FEED); photography, singing, playing guitar, drinking wine, and chatting for hours on end with his friends elsewhere in the world – certain of // Send data whom he competes with, but would love to spend more real time on wr.write(data.toString()); the same country with. Colin is always happy to help anyone and wr.write(CARRIAGE_RETURN_LINE_FEED); loves fine technical debate that involves improving the state of the industry and mankind.30 9/2012 (16)
  • Pwn Plug. The Industry’s First CommercialAir Freshener? Pentesting Drop Box. Printer PSU? ...nope F E A T U R E S : J Covert tunneling J SSH access over 3G/GSM cell networks J NAC/802.1x bypass J and more! Discover the glory of Universal Plug & Pwn @ pwnieexpress.comt) @pwnieexpress e) info@pwnieexpress.com p) 802.227.2PWN
  • Hakin9 EXTRA Web Application Firewalls, how tough are they now? Manfred Ferreira What you will learn… What you should know… • How to identify a WAF • How to run Backtrack • How to run a vulnerability Assessment based on • Interconnect Backtrack to a network OWASP Top 10 Web Application Security Risks • Routing configuration, if needed, for laboratories and • How to run a stress tool application against a web ap- virtual environment’s plication W AF exist from last century, being implemented more 10 Web Application Security Risks and, WAF and Web Server than 15 years in regular cycles, now they are back capability against multiple simultaneous Web page requests with full capability and faster than never before. Due to I should advice all readers that all the actions described in this the exponential performance of the hardware, integrating in ap- article should be carry with the proper approval documentation pliances, the capability on layer 7 of OSI model is assured, spe- from the Web sites owners and Security managers, except cial the HTTP and HTTPS protocols are fully covered. The link in case of laboratories and virtual environment’s specific for throughput capabilities are amazing, being capable of 10 GB those tests. Keep in mind that doing such an attack without the analysis without any impact unless a few microseconds delay. right approval is illegal. We propose three steps to have metrics concerning the WAF There are multiple available applications capable of test identification, correct WAF configuration against OWASP Top WAF and Web Servers in the market, to me, lowering the Figure 1. Network Topology32 9/2012 (16)
  • Web Application Firewalls, how tough are they now?investment and having at the same time access to multiple As is showed in the last image, based on the output informa-tools, I prefer to use BackTrack distribution, the last version 5 tion, the company has a probability to have a WAF technologyrelease 2 or 3 are perfect. is considerable, but be carefully with the conclusions, in the last To have a vision at a semi-complex network topology, al- couple of years, some of the WAF technology available, whenways important to have references about what we are talking confronting to some type of requests, delivery http responseand testing, I have developed an illustration, Figure 1, to es- code 302 – temporarily redirect, that could represent an actualtablish a baseline. redirect to a generic information page error or just delivery this The network topology shows multiple equipment’s and tech- type of response. Nowadays, based on my last tests, the manu-nologies that are normally available, I could increase the com- factures have changed the response to a simple code 404 – Notplexity, imputing IPS/IDS or aggregate the technologies in a found. So, we could have a response from the web server orCloud environment, virtualizing the database and Web Serv- WAF technology. Based on the last state, I will show some dif-ers, but to a better visualization they are spread away. ferent obtained response to the reader have some references. From an external point of view, I prefer to put a group ofFirewalls, filtering all the traffic and protecting all the perimeternetworks, before reach the WAF group, that are more dedi-cated for Web Services and Databases. I leave an open discussion if the network topology shouldhave in the group of Firewalls, IPS/IDS functions and DNSservers represented, but for this purpose, at this level, I don’trepresent them to keep the topology as simple as possible. Initially we don’t know if the company has a WAF technol-ogy, so the first step is to verify if exist at all a WAF in the net-work, so opening the Backtrack distribution, and accessing thewaffit code, through the graphic interface, we reach the waffitdirectory, Figure 2. Figure 4. Waffit advanced response Has is verified in a different site, this company have a more complex topology, probably with WAF technology. The reader can verified, there is some closed connections that means that probably the WAF technology are interacting between the cli- ent/Server communications, closing some of them. The WAF technology is best demonstrated by the speed that is detects and interacts in the early requests.Figure 2. Waffit enviromentAfter open the waffit directory, we access the python code, de-veloped by Sandro Gauci and Wendel G. Henrique, wafw00f.py,that we have just to evoke the command follow by the web siteto test, don’t forget the “http://”, otherwise won’t work. Figure 5. Waffit second advanced response Comparing the third web site tested to the last tests, is veri- fied that the closed connections has increased, proving that the technology implemented in this company is far more capable. From the 10 requests, 3 were closed. At this point, the reader is wondering if all the companies’ sites have WAF technologies. In fact some of the best firewalls manufactures have introduced a simplified level of WAF tech- nology, integrated with the IPS function. To be able to distinct them, I introduce a typical IPS response from one of those manufactures.Figure 3. Waffit commandwww.hakin9.org/en 33
  • Hakin9 EXTRA When the application start, he will ask if the reader want’s to update the database of W3AF, it is always good to update the database weekly or just when is needed to work with. At this time, we just have to fill the target URL name or the IP address and in the profile list, chose OWASP_TOP10. The Plugin will be automatic active. After all in place, the button Start will run the Web tests. The type of alerts, high, medium and low are showed in the bottom, right corner, increasing when is detected a non-con- formity that can represent a vulnerability detected or just an incorrect link page. The results are aggregated and available in the third tab, after “scan config” and “log”. Figure 6. Firewall/IPS response The result has a lower number of tests and the numbers of closed connections are higher. The response from waffit code is similar, when not sure of the technology, delivers always the phrase - seems to be be- hind a WAF. After the first approach has been done, is time to step to the second phase. The WAF technology has to delivers at least the correct interaction when confronting to 10 Web Application Security Risks. One worldwide not-for-profit charitable organization fo- cused for those problems, denominated OWASP, Open Web Application Security Project has been address the top 10 risks through a dedicated project, they are listed: Figure 8. W3AF configuration • A1: Injection With the W3AF application is also possible to verify the HTTP • A2: Cross-Site Scripting (XSS) response, comparing to the Waffit code. The next illustration • A3: Broken Authentication and Session Management shows the response to one of our tests. • A4: Insecure Direct Object References To access the Fuzzy requests, chose the wheel on the top • A5: Cross-Site Request Forgery (CSRF) of W3AF application, mark in a green circle, change the host • A6: Security Misconfiguration identification to the URL web site. • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards The backtrack distribution have vulnerability scanner capabil- ity, executing a web site tests. One of them is the W3AF, Web Application Attack and Audit Framework from Andrés Riancho, which in fact have already a list of OWASP Top 10 security risks profile. So, we have simply our live easier than to run all the tests manually. To access the graphic interface of W3AF, just follow the next illustration. Figure 9. W3AF request Besides the typical information with system information and web application version, the reader can verify that the code “404 – Not Found” was generated against the “/$range(10)$” imputed web code. At this point, the third phase is starting, after the phase of identification and a common vulnerability scanning perform is the right period to test the principal equipment’s that support the communication Client/Server, specially the Web Servers, Load balancers and WAF response to a DoS attempt. I will introduce the Siege application from Jeffrey Fulmer, also available at Backtrack distribution, which has the capabil- ity of generating multiple requests. To access the Siege application, follow the next illustration. Figure 7. W3AF application.34 9/2012 (16)
  • Web Application Firewalls, how tough are they now? If the reader have at the same time access to this tool and the monitoring console of the equipments, I advise to keep an eye on those equipments and when, if they reach 80% to 90% of his capability, It is time to stop, otherwise give a period of progres- sion/standstill, stopping at 5 minutes, after that, 15 minutes, and after that, 30 minutes. I do not recommend passing more than 2 hours running this type of tests. Always verify the log files to have a notion on the delay and stress impressed. Figure 12. Siege log output For conclusion compare the longest and shortest transaction, they shouldn’t have a difference above 3 to 5 seconds and check the logs or report concerning the action taken by the WAF application and firewalls. Take in account the number ofFigure 10. Siege application. closed connections and any information that could indicate aIf the reader is running for the first time the Siege application, Denial of Service attach. Look at the CPU allocation and net-must run “siege.config” to be able generates the configuration work bandwidth.file. If the reader wants to test a partial page or a group of pages, Conclusionone of the parameters to past is the URLs, for this tests we will As a resume of all actions taken through this article the readerprovide just two URLs. But for better performance and analy- is able to identify WAF applications, obtain comparison againstses the principals URLs should be included. The more URLs Firewalls and IPS system, execute a middle level of scanningin the list, the better notion of the actions taken from the WAF vulnerability and in the last phase, execute stress program veri-and LoadBalancer will the reader have. fication. Edit the file “/etc/urls.txt” with vi command, and input the Those metrics are essential to have a control over the busi-most URLs that the reader can, always associated with the ness and the company network, on level of identifying risks,Web site that you want to test. business continuity needs and accurate security measures. Commands executed in Backtrack distribution, over com- A special focus in patch management solution, code revi-mand line: sion and bandwidth control is normally needed for permanent problem solving actions.# vi /etc/urls.txtPress “i” for insert, write down all the URL, starting each linewith “http://”. At the end, when you don’t want to list more URLs, press “!”followed by “w” and “q”, that means write and quit. For morevi commands, just type “man vi” to access the manual of vi. After the configuration file, is time to execute the Siege, justtype siege to run. It will check the list of URLs in the “/etc/urls.txt” file and start running the stress program. Manfred Ferreira To stop the test, give a simultaneous “Ctrl + c” and the pro- is currently an Independent Information Security Consul-gram will be interrupt. tant & GRC Advisor, who worked 16 years in the informa- The Illustration above show the commands executed until tion security market, developing in the early years projectsthe end of the program. for the European committee. He is a Business-Oriented that provides Business Continuity Management and Informa- tion Security advisories. He is specialized on security solutions assessment and penetration testing in the context of risk identification and mitigation. Part of information is disclosed in the professional network LinkedIn: pt.linkedin.com/pub/manfred-ferreira/15/536/698 E-mail: manfredf@zonmail.pt Notes Software and information available to support the tests: Backtrack 5 r3, http://www.backtrack-linux.org/downloads OWASP, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_ ProjectFigure 11. Siege running W3AF, http://w3af.sourceforge.net VI, http://anaturb.net/vim_1.htmwww.hakin9.org/en 35
  • Hakin9 EXTRA Sockets API and TCP/IP Protocols – The core of an attack Colin Renouf Recently, whilst writing test tools for an implementation of a security defence mechanism a realisation came to the fore as to just how easy it is to write code for attacks. The truth is that the mechanisms put into the sockets API and TCP/IP protocols in the early days to make them easy to manage are also what now provides the core on which to mount an attack. As every good security professional knows, it is important to balance the security of a solution with the cost, which usually relates to ease of implementation and management as much as to new software and hardware. I n this article we will look at the problem at the core of the were essential in the early days and represent a risk to the sockets API, used on multiple platforms as the interface to modern TCP/IP network. Many IT professionals will be familiar the TCP/IP communications mechanisms, and a brief over- with the Ethereal or Wireshark for promiscous mode packet view of the TCP/IP and Ethernet protocols and how the very sniffing, but may not realise how easy it is to write your own mechanisms they use to ease management present a risk to implementation using nothing more than a few small changes any network. These two pieces of knowledge can be combined to the parameters of standard sockets calls. to produce what I refer to as the “network bomb”, a simple mech- Once the subtlety of the changes to the standard sockets anism to bring down all or a portion of a company network – with application code are understood it becomes evident that it is more damage possible the closer the “bomb” can be placed to easy to write code listen to wireless networks without actu- the central core of the network. ally connecting, or to write a TCP/IP packet or Ethernet frame for transmission with any source or destination parameters, or The Sockets API – PF_PACKET and IFF_PROMISC structure that you want. This represents a great risk as much Most people in the IT profession would have heard of the sock- of the TCP/IP protocol suite relies on some fair play. ets API. This was introduced into the early Unix world as part of First, lets look at a typical socket API call to create a socket. the Berkeley Software Distribution branch of Unix to ease the implementation of networking code; essentially abstracting the socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) network implementation code behind a file handling paradigm. With the sockets API from a client perspective, a socket is In this call, which is fairly standard in most sockets call, the API declared as a particular type, is opened or more accurately is told to open a standard IP socket, with a socket stream to read connected using a “connect” call, then is written to or read from it, and that the IP protocol to use is TCP. from, and finally is closed; all much like reading or writing to To provide direct access to the IP stack and below we simply a file. From the server perspective the server will bind the change the PF_INET to be PF_PACKET, and the underlying socket to a port, will listen to that port for requests, and when socket type to be SOCK_RAW to get access to a raw socket each request comes in it will accept the request. Where only including the Ethernet headers, rather than just the IP packet a single packet is to be handled simpler sendto and recv- as would be seen if SOCK_DGRAM were used. To see eve- from calls are available. The API suite all contains functions rything from the IP perspective only, as implemented on top of to look up hosts by name, and convert between the host byte an Ethernet frame we use a final parameter of ETH_P_IP. That representation and the network representation. All of these is almost all there is to it, but that isn’t quite all, in that using are documented heavily elsewhere and are generally well ETH_P_ALL for the last parameter allows the Ethernet comms understood. to be accessed. This gives us, What generally is not well understood is the variation in uses of the sockets API that have generally fallen into disuse, but socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)36 9/2012 (16)
  • Sockets API and TCP/IP Protocolswhere the htons converts the data byte ordering representation Code to listen to the packets by copying them to a big enoughfrom the host to network format and should always be used for buffer is now simply written by a call to recvfrom. On Linux theportable code. The PF_PACKET/SOCK_RAW code is actually user must have root access.an artifact of Linux, so it is here – usually the hackers platformof choice, that the tooling exists; so although the sockets API while (1) {itself is portable, the code examples here are not. n = recvfrom(sock,buffer,2048,0,NULL,NULL); To get structure for the output, the platform specific headers are used, such as linux/in.h or linux/if_ether.h. The returned packet will contain the Ethernet header, fol- lowed by the IP header fourteen bytes afterwards, and then the IP data. To output the Ethernet header for the source MAC address just use: ethhead = buffer; printf(“Source MAC: %02x:%02x:%02x:%02x:%02x:%02xn”, ethhead[0],ethhead[1],ethhead[2], ethhead[3],ethhead[ 4],ethhead[5]); To get at the IP header, just move to the relevant offset.Figure. 1 iphead = buffer+14; At this point, the network card is still only allowing access to printf(“Source IP: %d.%d.%d.%dn”, iphead[12],iphead[13],frames and the packets on top of them that are addressed to the iphead[14],iphead[15]);network card in this computer, as it is a function of the hardware/firmware combination to discard other frames and packets ob- Now this just allows us to read packets, but we can write themserved. To overcome this the card must be placed into promis- as well, using functions such as sscanf to fill the buffer withcuous mode, which allows examination of all traffic through card values we want and then the paired “sendto” call is made. Thiswherever it is addressed. On most computers administrative or root makes this mechanism the perfect tool for spoofing or for creat-access is required to switch the card to promiscuous mode, but the ing malicious packets that can exploit weaknesses in the TCP/code itself is simply a combination of a simple portable “ioctl” call IP protocols to create a denial of service attack that can destroyto get the current network card flags and a following call to flip the a network. Lets look at a few potential attacks in what we willpromiscuous flag itself, i.e. ethreq->ifr_flags |= IFF_PROMISC;. refer to as our “network bomb”. For a true Ethereal or Wireshark implementation on a heavilyloaded network this simple sockets code followed by printf callsto output the packet data would be too slow, but for most uses The Network Bomb Applicationthe code below followed by “printf” is all that is needed to watchEVERY packet that is seen by a WiFi card without actually be- Overviewing connected to a WiFi network itself; remember the card is in The objective of this application is cause chaos on a company net-promiscuous mode and is seeing radio waves that form frames. work and eventually bring down the whole network in a location.Similarly, if the “wlan0” device is replaced with a wired card device The code is broken down into a number of discrete attacksuch as “en0” then packets on a wired network can be monitored. vector elements that attack the network infrastructure by mak- ing use of vulnerable parts of standard network protocols to int sock; confuse PCs, firewalls, VoIP telephones and switches. Although unsigned char *iphead, *ethhead; TCP/IP and Ethernet are attacked there is no visibility of the struct ifreq *ethreq; device on the network as the sockets API PF_PACKET and ioctl promiscuous mode accesses are used to spoof the MAC and // First open a raw socket direct to the card, with the IP addresses. // ETH_P_ALL saying we want to see everything at the Ethernet Some parts of the attack cause inconvenience and confusion // level for a period of time and then “move on”, with an aim of occupy- if ( (sock=socket(PF_PACKET, SOCK_RAW, ing IT and network staff whilst the rest of the attack progresses. htons(ETH_P_ALL)))<0) { The code is written in C and consists of a small number of perror(“socket”); threads – one for each attack vector – mediating access to the exit(1); promiscuous PF_PACKET socket via a queue protected by } a socket, with a final thread running at a slightly higher authority // Now use ioctl to put the card into promiscuous mode that takes “packets” or “frames” from the queue and transmits ethreq = (struct ifreq *) malloc(sizeof(struct ifreq)); them. strncpy(ethreq->ifr_name, “wlan0”, IFNAMSIZ); ioctl(sock, SIOCGIFFLAGS, ethreq); Assumption ethreq->ifr_flags |= IFF_PROMISC; Most companies “trust” the wired LAN connections from their ioctl(sock, SIOCSIFFLAGS, ethreq); user sites. So, gaining physical access to the target site un- free(ethreq); der the premise of a meeting, delivery, or as cleaning staff and deploying a small credit card sized “cheap” PC running Linuxwww.hakin9.org/en 37
  • Hakin9 EXTRA (such as a Raspberry Pi) and placing it under a desk is all that is a topology map of the network so this will confuse the topology needed to deploy the “bomb” to a location. The code is activated map if the appropriate CDP packets are copied to emulate par- remotely or to a schedule, and must run under the root account. ticular devices and spoofed. Similarly, for wireless attacks the use of promiscuous mode means that the card does not need to connect to the network, Attack 6 – OSPF Attack but can spoof the unprotected early network connection ne- This attack thread periodically spoofs OSPF packets based on gotiations to perform an attack or can connect to a network the configuration traffic it monitors to confuse the network rout- access point with no or limited security protection. ing tables. Proper security and configuration should prevent this For the most damage, a wired connection is required. attack from working, but often network engineers assume that their environment inside their company is “safe”. Attack Implementation Attack 7 – RIPv2 Attack Discover Utility Function Thread This attack thread periodically spoofs RIPv2 packets based on This function listens for broadcasts continually and builds up the configuration traffic it monitors to confuse the network rout- a list of MAC addresses to reuse, DHCP server addresses, ing tables. Proper security and configuration should prevent this existing IP addresses (ordered by busiest so a packet count is attack from working, but often network engineers assume that maintained for each address), and existing DNS servers. their environment inside their company is “safe”. This simply uses the offsets in the known Ethernet frames and Packet headers, creates a network structure, and adds Attack 8 – BGP Attack the data to linked lists of IP and MAC addresses. This attack thread periodically spoofs BGP packets based on the configuration traffic it monitors to confuse the network rout- Attack 1- DHCP ing tables. Proper security and configuration should prevent this DHCP works by using the Discover, Offer, Request, Accept re- attack from working, but often network engineers assume that quest-response packets; with the first two as broadcasts. The their environment inside their company is “safe”. thread will listen for active TCP/IP addresses and will listen for discover packets, and will then respond with a a random IP ad- Attack 9 – Invalid TCP Packet Counter Reset dress in the packet source address and offer the address of an Periodically this thread will open a socket to any open port (usu- already active system. When the client requests that address it ally an MS standard port such as TCP 139), and will gradually will grant it. This will cause issues for both the active system and send out of sequence packets and will request resends. This the new client; and when the new client tries to call the DHCP will confuse the network and start to increase error rate mecha- random address the code will respond as if it were the DHCP nisms on network hardware, which will lead to inappropriate server. This code will also act with relay agents. management alerts for the network infrastructure and possibly inappropriate remedial action, or will lead to the network infra- Attack 2 – DNS structure deactivating itself in extreme circumstances, This thread will listen for DNS servers responding to requests AND will look for DNS blocks in DHCP packets. To handle Conclusion switches blocking the view to other communications it will first Many other types of attack are possible in addition to the above, listen for a MAC address to spoof in a DHCP request of it sees and some of the above may not even work if the network is none, and if not will use a dummy MAC address to make the properly configured and managed. There are, however, many DHCP request. When it has the IP address of the DNS servers variations possible that builds upon the above. it will start returning random IP addresses occasionally whilst The key point to take away from this article is the risk that impersonating the DNS server. the sockets PF_PACKET, SOCK_RAW combination repre- sents and the ease with which it can be used for snooping or Attack 3 – ARP to cause issues. So, always assume that internal networks are When ARP broadcasts are spotted in this thread a MAC address unsafe and build security into every aspect of network design. of a different host will be returned to the caller. Attack 4 – Switch This thread will periodically send large batches of Ethernet frames with every MAC address it has discovered, and will spoof Colin Renouf addresses close to those it has discovered to fill up the switch is an Enterprise Architect and author in the UK financial services in- MAC address cache and potentially cause redirection of pack- dustry; working with security, Java/JavaEE, networking, Unix/Linux ets. This works because Ethernet frames examine the source and general architecture in the UK. He also more than dabbles in the MAC address of every call and broadcast and stores it in the world of psychology, human learning, and astronomy with particle switch addressing table so it can copy frames addressed to that physics etc ; having studied IT, aeronautical engineering, social sci- target only out through the port it is connected to, so spoofing ences and more in his life as an eternal part time student. When not different values will foll the switch into thinking the given MAC working, writing or being verbally abused by his children; he loves address is connected to that port. photography, singing, playing guitar, drinking wine, and chatting for hours on end with his friends elsewhere in the world – certain of Attack 5 – Cisco CDP Neighbour Attack whom he competes with, but would love to spend more real time on This attack thread periodically spoofs Cisco Discovery Protocol the same country with. Colin is always happy to help anyone and (CDP) packets to confuse the network infrastructure. The CDP loves fine technical debate that involves improving the state of the protocol is used by Cisco, and some competitors, to build up industry and mankind.38 9/2012 (16)
  • Hakin9 EXTRA Web server Log Analysis – Detecting Bad Stuff Hitting Your Web Server Kim Halavakoski Web Servers on the Internet are under constant attack. Defending your web server requires vigilant response times and in-depth log analysis to be able to detect, remediate and track ongoing attacks. WAFs are today a common tool in defending high-profile websites. One often forgotten aspect of any technology is the log analysis. Products and technologies are often installed as a countermeasure to observed attacks, but the real valuable part is usually forgotten: Log analysis. Without properly analysing the logs defending against the ever changing threat landscape and evolving attack methods can be challenging. This article will show some basic methods, tools and products for analysing the logs and detecting the bad stuff targeting your website. R unning a website is fairly easy today. Websites are host- # rpm -i splunk_version_package_name.rpm ed by various hosting providers and are relatively easy to setup even for the novice webmaster / sysadmin. To install Splunk in a non-default directory run the installation I will not go into detail on how to setup a website in this article with the --prefix tag: but instead I will try to take a quick dip into the world of log man- agement. In this article I will show how to do some simple log # rpm -i --prefix=/another/directory/ splunk_version_package_ analysis for a web server. I will use Splunk(http://www.splunk. name.rpm com) for analysing the logs and setting up alerts and reports that will help in detecting bad stuff hitting the website. To upgrade an existing installation of Splunk installed in the /opt directory: Installing Splunk There are various different log management solutions out on the # rpm -U splunk_version_package_name.rpm market at various price levels. In this article I have used Splunk. Splunk is a commercial log engine that eats logs and makes To upgrade an existing installation of Splunk that was installed them searchable and reportable. Splunk has a free version that in a different directory use the --prefix flag: can index 500Mb per day. If more indexing power is needed, you’ll need to get a commercial license. # rpm -U --prefix=/opt/existing_directory splunk_version_ Installing splunk is easy. It comes packaged for Windows, package_name.rpm Linux, OS X, Solaris, AIX, FreeBSD and HP-UX. Just install the splunk package as you would normally install a package You should then have Splunk installed and can start index- on the OS you use. Installing Splunk on a RPM based system ing log files and doing log analysis on your logs. You can now goes like this: start Splunk by running the following command: Install the Splunk in the default /opt directory run the follow- ing command: # $SPLUNK_HOME/bin/splunk start40 9/2012 (16)
  • Web server Log Analysis If you want to start Splunk automatically at boot time run thefollowing command:./splunk enable boot-startConfiguring SplunkTo get data indexed and searchable in splunk it needs to eatsome log data. The easiest way is to point splunk at the direc-tory where the log files exist and start indexing the log files inthat directory. There are many ways of adding data to splunk. To add data go to Splunk Manager and then click “Data Figure 5: Preview dataInputs”: Splunk will then proceed and let you preview the logfiles you are about to index and finally let you configure some settings for the indexed files. Just proceed and click save on the last page to index the logs. Splunk is very versatile and can index almost any data on disk and even from the network and func- tion as a regular syslog daemon, as well as receive data fromFigure 1: Data inputs other splunk instances. Pretty nice!Then on the next screen click “Add data”: For more detailed instructions on Splunk please go to the tutorial documentation pages at http://docs.splunk.com/Docu- mentation/Splunk/latest/User/WelcometotheSplunktutorial Analysing the log filesFigure 2: Add data The most useful feature of Splunk is analysing and correlatingThen proceed and click the “a file or directory of files” to point logs. If you have ever searched log files on a linux server usingSplunk at a directory where the log files exist: grep, uniq, awk, sed and similar tools to mangle the logs to your liking, then you will love Splunk. It’s like having all those tools, but on steroids, in your browser! It’s like Google for your logs! Here is the main search screen in Splunk. Looks pretty nor- mal and boring and nothing special here(yet):Figure 3: Adding data to splunk Figure 6: Splunk main search screenNext, choose the first option “Consume any file on this Splunk This is where most of the magic will happen. Now it is time toservrer” and click Next: dive into some log searching and correlating. We are supposed to do some web server log analysis, so one thing to look at might be web server HTTP status codes. I have configured my apache2 webserver with some extended logging to catch almost everything that apache2 can spit out. Here is my LogFormat di- rective in apache2.conf: LogFormat “remote-host=%h remote-ip=%a canonical-port=%p response-size=%B request-time-taken=%D request-protocol= %H keepalive=%k request-method=%m process-id=%P query-string=%q request-line=%r handler=%R http-status-code=%s http-request-time=%t request-time-taken=%T remote-user=%u http-request-url=Figure 4: Add files to be indexed %U servername-canonical=%v servername=%V http-connection-status=%X http-bytes-received=%IThen finally add the patch to the directory or log file you would http-bytes-sent=%O http-referer=”%{Referer}i”like to be splunked: http-user-agent=”%{User-Agent}i”” extendedwww.hakin9.org/en 41
  • Hakin9 EXTRA As you can see, I am logging almost all attributes possible and in key-value pairs, which makes Splunk field extraction much easier which you will see in a minute. So how do I find out what status codes are present in my web server logs? With the LogFormat above, just search type http in the search field and hit enter to see some results for the keyword http from the logs: Figure 9: HTTP status code timechart And voilá! There you can see how HTTP status codes are dis- persed in the log over the last 24 hours. Pretty neat or what? To optimize the chart you can stack the status code values in one column instead of having one column per code by clicking Options and choosing stacked mode: Figure 7: Searching for logs containing “http” So now we can see logs containing the keyword “http”. The timeline with columns shows the occurrence of “http” in the logs over a time period. The left area below shows the discovered fields. Here I have added some discovered fields by clicking edit and adding interesting fields to my splunk results window. Figure 10: Chart stacked mode selection With stacked mode the columns look nicer and compress more data into the same view and make it generally more pleasant to look at. I am no visualization expert, just an avid practitioner. However if you want good advice on data visualization then go get Raffael Martys Applied Security Visualization and Greg Con- tis Security Data Visualization books, which go into deep details about security data visualization theory. Figure 8: Add extracted fields to the search I have chosen the discovered fields http_status_code, http_ bytes_received, http_bytes_sent, http_request_time, http_re- quest_url and http_user_agent. You can see that these field names match with the Apache2 LogFormat directive that I have configured. You can choose whatever fields you like and they will show as fields in the main search view and can also be used Figure 11: HTTP status code timechart - stacked in splunk searches. From this graph we can easily find abnormal outliers in the logs. So if we now want to see the HTTP status codes we can What are those 404-errors that stick out? Let’s have a look! Just easily do that by searching for http_status_code, but now we’ll click on the chart and Splunk will adjust the search to the spe- add a nice twist to the search to a visualization on what status cific time and HTTP status code you clicked on. In this case, codes are present over a time period. Use the following search clicking on the purple 404 column will apply the following search query in the search window and hit enter: term: http | timechart count by http_status_code http http_status_code=”404” And show the results of that search:42 9/2012 (16)
  • Web server Log Analysis Now let’s dive into some more serious features, analysis and correlation. Splunk also has the ability to do File Integrity Monitoring(FIM), which is a way of tracking changes on files on the system. If a file is modified, alarms can be triggered. This becomes useful if one wants to track what is going on the system and if somebody is doing unauthorized changes on configuration files, web pages or other critical files on the system. The FIM feature is configured by adding a fschange stanza to the splunk /opt/splunk/etc/system/local/inputs.conf configuration file: [fschange:/etc/]Figure 12: HTTP status code timechart - clicked results This makes Splunk track all changes on files in the /etc directory.In this case it seems to be some missing attachments on my In order to track all commands and behaviour on my systemweb server that somebody has tried to access. I am using a program called snoopy. Snoopy is a library that Some other interesting information to search for in web gets preloaded to every executed file on a Linux system. Theserver logs are http_referer and http_user_agent strings. Who library is added to the /etc/ld.so.preload file and after that allis referring to your website and what does the HTTP User system level execs are logged.Agent strings in your logs tell about your users web browser Lets take a look at what we can find from these logs. All FIMpreferences? events are logged with source=”fschangemonitor” so search- Searching for http_referer and negating away my own do- ing for that source will show all file system changes:main from the results will give a nice overview chart showingme what referers are hitting my website. Here I have chosen source=”fschangemonitor”not to include my own domain referers in the results by usingthe NOT operator to negate results containing “blackcatsec”:http NOT http_referer=”*blackcatsec*” | timechart count by http_ referer Figure 15: Splunk File Integrity Monitoring Logs Here we can see files that have been changed in /etc during the last 30 days search span. One thing that pops out is the 2790 events on September 3rd. What happened on that day? Click- ing on the column in the timeline will again modify the search toFigure 13: HTTP Referers timechart only include events from that day.Searching for HTTP User Agents is equally easy: What immediately pops out is the /etc/compromised.file that has been added to the filesystem. What is that about? Whohttp | timechart count by http_user_agent did that? By searching for compromised.file in the search field we can now get a listing of all log events containing compro- mised.file:Figure 14: HTTP User Agent TimechartAs you can see, these kind of tools can be very effective insearching logs for anomalies and weird malicious behaviour. Figure 16: Splunk File Integrity Monitoring Details for /etc/compromised.filewww.hakin9.org/en 43
  • Hakin9 EXTRA Here we can see from the snoopy logs that the user root touched Log correlation the /etc/compromised.file and then proceeded to edit the file: One useful feature in Splunk is the ability to correlate logs from various sources. One simple and effective way of correlating dif- Sep 3 23:06:22 panther snoopy[3893]: [uid:0 sid:22035 ferent logs over a narrow time period is to first drill down on an tty:/dev/pts/0 cwd:/etc filename:/usr/bin/touch]: specific event to have Splunk narrow down the timeline. Then, touch compromised.file when the timeline is focused on a specific period in time, remove the search terms. Splunk will then show all events received Immediately followed by Splunks fschange event: during that specific time frame. This gives an opportunity to see what else happened during the time you are focusing your Mon Sep 3 23:06:24 2012 action=add, path=”/etc/compromised. search on. Perhaps you searched on a firewall event and want file”, isdir=0, size=0, gid=0, uid=0, modtime=”Mon Sep 3 to see what else happened around that time. Did something get 23:06:22 2012”, mode=”rw-r--r--”, hash= logged in apache, postfix, or some other daemon running on your server? Did the specific IP-address that hit your webserver Root then proceeded to edit and modify the file, again detected do something else? Perhaps it scanned your server and you can by Splunk: see traces of the scan in your firewall logs? Sep 3 23:07:12 panther snoopy[4093]: [uid:1000 sid:22035 Alerts tty:/dev/pts/0 cwd:/etc filename:/usr/bin/vi]: Another nice feature are the alerts. Splunk can be setup to send vi compromised.file alerts for saved searches. In the following examples I have set- Mon Sep 3 23:07:26 2012 action=update, up an email alert for each time my server running sshguard path=”/etc/compromised.file”, isdir=0, size=0, gid=0, uid=0, automatically blocks an IP-address using iptables when a pre- modtime=”Mon Sep 3 23:06:22 2012”, mode=”rw-rw-rw-”, defined number of failed logins occur. First I search for all ssh- hash=, chgs=”mode “ guard blocking events: From the snoopy logs we can see that the uid is 1000 and sid sshguard blocking is 22035. Searching for this information gives us a pretty clear picture of what happened on the system: Figure 18: SSH Guard blocking Then create an alert by clicking “Create” and then Alert. Fill in Figure 17: Splunk File Integrity Monitoring Details for /etc/compromised.file the alert name and proceed to fill in the details and email ad- with sid dress where the alert will be sent when found in the logs. Sep 3 22:27:00 panther snoopy[24092]: [uid:1000 sid:22035 tty:/dev/pts/0 cwd:/home/khalavak filename:/usr/bin/sudo]: sudo su Sep 3 23:06:17 panther snoopy[3887]: [uid:1000 sid:22035 tty:/dev/pts/0 cwd:/etc filename:/usr/bin/sudo]: sudo touch compromised.file Sep 3 23:06:34 panther snoopy[3911]: [uid:1000 sid:22035 tty:/dev/pts/0 cwd:/etc filename:/usr/bin/sudo]: sudo chmod 666 /etc/compromised.file Sep 3 23:07:12 panther snoopy[4093]: [uid:1000 sid:22035 tty:/dev/pts/0 cwd:/etc filename:/usr/bin/vi]: vi compromised.file Figure 19: Configuring Alert Schedule From these logs we can see that the user khalavak became root by using sudo and then proceeded to touch, chmod and vi the suspicious file.44 9/2012 (16)
  • Web server Log Analysis do the actual log analysis and decide what needs to be inves- tigated - what is a false positive, what is good and what is bad. Tools will take us half the way, but the people analysing the logs are the ones who make the difference.Figure 20: Configuring Alert ActionsFigure 21: Configure Alert SharingFigure 22: Alert Saved SuccessfullyCreating alerts for interesting and known issues helps in creat-ing good situational awareness and can help in cutting down theremediation time for an incident.ConclusionLog management and analysis can be difficult and time con-suming. It can be very hard to do without the right people who Kim Halavakoskipossess the right mindset and utilize the right tools. Tools that is the CSO of an undisclosed financial services provider, with a solid backgro-help administrators and security analysts to easily visualize and und in network security management and architecture. He also dreams ofcorrelate log events can be extremely useful. They help log ana- doing pentesting professionally in the near future. When not doing securitylysts to find and remediate issues found in the vast amount of work, he enjoys spending time with his fiancée, 3 children and 5 cats. Hob-logs which are generated by servers. But one has to remember bies include, but are not limited to, photography, robotics, RC-airplanes, qu-that the tool alone is not good enough, we still need people to adcopters and stuff with electronics.www.hakin9.org/en 45
  • Hakin9 EXTRA Special Edition for Forensic Professionals: The Most Advanced and Effective New Tools from Atola Technology Atola Technology deeply values each customer and strives to offer only the latest innovative technologies for the data recovery professional. Atola has specifically designed two new powerful data recovery tools with intuitive ease of use for forensic specialists: Atola Forensic Imager and Atola Bandura. Figure 1. Atola Forensic Imager T he Atola Forensic Imager is a high-quality professional fied HEX pattern to overwrite the sectors. It can also execute tool designed that meets all expectations in advanced the Security Erase function and perform Zero-Fill, NIST 800- forensic operations. It’s an all-in-one solution that easily 88 and DoD 5220.22-M compliant wiping. The Case Manage- works with damaged or unstable hard disk drives. It combines ment System works automatically recording all important data a fast imager with strong data recovery capabilities for creating such as date, time and hash values in one place. Archives accurate forensic images. The powerful Atola Imaging Software of all past cases are stored on the host PC. The Automatic is bundled with the Atola DiskSense Ethernet Unit, which utilizes password removal function removes any user and level ATA the most efficient interface connections. password from a locked hard drive and displays the password This professional tool has been developed with the ability to the technician.  to Customize every step. Key parameters can be adjusted The Atola Forensic Imager is the one of the best solutions for during the Imaging process to make it more effective and suc- forensic a professional. It guarantees careful attention to detail cessful for each specific case. The Quick and accurate eras- and precise data acquisition, and strong reliable security. All you ing of hard drives works at maximum speed using any speci- need is in one tool!46 9/2012 (16)
  • Special Edition for Forensic ProfessionalsMain features: face that allows launching any task simply in just 2 touches, making all forensic operations easy and natural.• Imaging damaged drives Main features:• Calculating checksum on the fly (MD5, SHA1, 224, 256, 384, 512) • Properly handles bad sectors and even severely damaged• Wiping/erasing hard drives – DoD 5220.22-M method • Super-fast on non-defective drives, functions at speeds up – NIST 800-88 method to 16 GB/min (265 MB/s) – Security Erase • Multi-pass imaging (gets most data as quickly as possible – Fill with pattern on the first pass, then reads the rest) – Zero fill • Ability to stop/resume duplication sessions anytime• Automatic Password Removal • Disk diagnosis – PCB, head stack, firmware, SMART, me-• Automatic Case Manager dia, file system checks • Checksum calculation: MD5, SHA1, SHA224, SHA256,Main adjustable imaging parameters: SHA384, SHA512 • Bad sector repair function• Calculate checksum on the fly (MD5, SHA1, 224, 256, • HPA and DCO max address management 384, 512) • Secure disk erasing with custom patterns at fast speeds up• Disable GList with auto reallocation to 17 GB/min (280 MB/s)• HEX pattern to fill skipped sectors (00 by default) • Super-easy to use. Features 3.3-inch full color touch• Image file size (chunk size) screen display.• Timeout length (after failed sector read attempt)• Number of sectors to skip after failed read attempt Main forensic applications:• Number of imaging passes• Apply Read-Long command on last pass • Recovering data from damaged hard drives• Reduce HDD operating speed to PIO mode • Secondary duplication tool to free up  more expensive• Copy direction (forward/linear or reverse) tools for other tasks• Specify read/write heads to transfer from • Test disk drives for failures• Abort duplication after “X” amount of HDD power cycles. • Secure data destruction (disk wipe) • Cloning only occupied sectors (quick cloning) • 1:1 write-protected data acquisitionAtola Bandura • Disk comparison (locate sectors that are different on twoThe Atola Bandura is a unique stand-alone (no PC required), drives)2-port, HDD duplicator, wiper and tester. This indispensabletool provides powerful high-speed imaging, automatic testing,comparison, and secure data wiping. It easily works with dam- Don’t miss a chance! Choose your own Atola tool!aged disk drives and properly handles all bad sectors. The For more information on Atola Technology and their industryBandura system features an intuitive touch screen user inter- leading professional tools, visit www.atola.comFigure 2. Atola Bandurawww.hakin9.org/en 47
  • SeagateDataRecovery.comBad things canhappen to your laptop.They don’t have tohappen to your data.Seagate Data Recovery Services work on any disk drive.Seagate takes the dread out of data mishaps. From accidental file deletions tophysical hard disk damage–from any brand–we make it easy to get your files back.With our No Data–No Recovery Charge Guarantee, our skilled professional datarecovery technicians use cutting-edge technology to retrieve your data. And foryour peace of mind, we also recover data from server applications and virtualtechnologies. Learn more at www.seagatedatarecovery.com.© 2012 Seagate Technology LLC. All rights reserved. Seagate, Seagate Technology and the Wave logo are registered trademarks of Seagate Technology LLCin the United States and/or other countries. Seagate reserves the right to change, without notice, product offerings or specifications.