Pen test free_01_2012
Upcoming SlideShare
Loading in...5

Pen test free_01_2012






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Pen test free_01_2012 Pen test free_01_2012 Document Transcript

  • FREE
  • ITOnlinelearning offers Network Security courses for the beginner through to the professional.From the CompTIA Security+ through to CISSP, Certified Ethical Hacker (CEH),Certified Hacking Forensic Investigator (CHFI) and Security Analyst/Licensed Penetration tester (ECSA/LPT). Tailored Advice and Discounts 0800-160-1161 or Please Call one of our Course Advisors for help and Tailored Advice -during office hours (Mon-Fri 9am-5.30pm) Telephone: 0800-160-1161 International: +44 1795 436969 Email: Registered Office: 16 Rose Walk, Sittingbourne, Kent, ME10 4EW
  • Global I.T. Security Training & Consulting IS YOUR NETWORK SECURE? In February 2002, Mile2 was established in response to the TM critical need for an international team of IT security training experts to mitigate threats to national and corporate secu- rity far beyond USA borders in the aftermath of 9/11. mile2 Boot Camps A Network breach... Could cost your Job! Available Training Formats 1. F2F Classroom Based Training GENERAL SECURITY TRAINING 2. CBT Self Paced CBT CISSPTM CISSP & Exam Prep 3. LOT Live Online Training C)ISSO Certified Information Systems Security Officer 4. KIT Study Kits & Exams C)SLO Certified Security Leadership Officer 5. LHE Live Hacking Labs (War-Room) ISCAP Info. Sys. Certification & Accred. Professional Worldwide Locations PENETRATION TESTING (AKA ETHICAL HACKING) Other New Courses!! C)PTETM Certified Penetration Testing Engineer ITIL Foundations v.3 & v.4 C)PTCTM Certified Penetration Testing Consultant CompTIA Security+, Network+ ISC2 CISSP & CAP SECURE CODING TRAINING C)SCETM Certified Secure Coding Engineer SANS GSLC GIAC Sec. Leadership Course SANS 440 Top 20 Security Controls WIRELESS SECURITY TRAINING SANS GCIH GIAC Cert Incident Handler C)WSETM Certified Wireless Security Engineer C)WNA/PTM Certified Wireless Network Associate / Professional We practice what DR&BCP TRAINING we teach..... INFORMATION ASSURANCE DR/BCP Disaster Recovery & Business Continuity Planning SERVICES Other Mile2 services available Globally: 1. Penetration Testing VIRTUALIZATION BEST PRACTICES 2. Vulnerability Assessments C)SVMETM Certified Secure Virtual Machine Engineer 3. Forensics Analysis & Expert Witnesses 4. PCI Compliance DIGITAL FORENSICS 5. Disaster Recovery & Business Continuity C)DFETM Certified Digital Forensics Examiner(ISC)2 & CISSP are service marks of the IISSCC. Inc. Security+ is a trade mark of 1-800-81-MILE2CompTIA. ITIL is a trade mark of OGC.GSLC & GCIH are trademarks of GIAC. +1-813-920-6799 11928 Sheldon Rd Tampa, FL 33626 View slide
  • F R E E Editors noteDear Readers! Attacks Get it on with ZAP 06by Gareth WattersTo thank you for your support with creating PenTestcommunity we decided to publish PenTest Free.Every month you will get five great articles that will Let’s take a look around Zed Attack Proxy and see whatteach and keep you up to date with IT security is- it’s all about, but before we go on let’s emphasize some ofsues. the greatest ZAP’s attributes. It’s easy, it’s free and open In the first issue you will find articles devoted to source, ZAP in fully internationalized, has extensive userattacks. We have chosen the most popular titles and guides and unlike some similar tools, has the ability tohere you can read the best articles devoted to Zed save sessions to go back to later for reports, which is anAttack Proxy, internationalized, free and of great imperative requirement for pen testers as report writinghelp as far as report writing is concerned. Probe Re- tends sometimes not to be our strongest Based Attack article is a great technical tuto- Wireless Eurynomus: A Wireless 14(802.11) Probe Request Based Attackrial for anyone interested in wireless attacks. Can wetrain a computer user to be sufficiently security liter-ate? Whats the best way to defend one from phish- by Hitesh Choudhary and Pankaj Moolrajaniing attacks? You can read about this in the article of In the recent years, the proliferation of laptop computersIan Moyse. and smart phones has caused an increase in the range of In the section Cyberwar you can read about digi- places people perform computing. At the same time, net-tal frontier and the impact of cyber attacks on our work connectivity is becoming an increasingly integrallives. Are we living in the times of an ongoing cy- part of computing environments.berwar? See what our author has to say about this Securing Users from Phishing, 18Smishing & Social Media Attacksproblem. Last but not least, we would like you toread article about pentesting SCADA written by ourregular author Stefano Maccaglia. by Ian Moyse I hope that you will find this issue a valuable com- Some experts believe one of the best solutionspilation and encouragement to stay with us for good. to thwart phishing attacks is end-user training,If you have any suggestions for us concerning top- but can we really train every computer userics, problems you want to read about or people you to be sufficiently security literate? Will itwould like to know better thanks to PenTest please, ever be the case that anyone can distin-feel free to contact us at guish a phishing message from a genu- ine bank email? Thank you all for your great support and invalu-able help. Enjoy reading! Malgorzata Skora & PenTest Team 01/2012 View slide
  • F R E CONTENTS ECyberwar Digital Apocalypse: The Artillery of Cyber22War by Cecilia McGuireCyberspace is now the digital frontier of choice for executingmany combat operations, by extending the medium in whichgreater levels of power can now be accessed by Machiavelliagents, militants and nation-states. Squads of cyber militantsgoing under the banner of Anonymous and LulzSecare, moti-vated by the ease in which they can now execute high impact TEAMoperations whilst avoiding detection, are just a few of the much Supportive Editor: Ewa Dudzicpublicized names synonymous with cyber terrorism. The multi- characteristics of cyber space have dissolved the Product Manager: Małgorzata Skóraboundaries between digital landscape and physical security, fa- malgorzata.skora@pentestmag.comcilitating cyber-attacks that produce devastating impacts to criti- Betatesters / Proofreaders: Robert Keeler, Daniel Wood,cal infrastructure, as well as Corporate and Government assets. Scott Christie, Massimo Buso, Hussein Rajabali, Aidan Carty, Jonathan Ringler, Thomas Butler, Dan Felts, Gareth Watters,SCADA Stefanus Natahusada, Francesco Consiglio, Harish Chaudhary, Wilson Tineo Moronta, Scott Stewart, Richard Harold, The Box holes. Pen Testing a SCADA plat- Ryan Oberto, William R. Whitney III, Marcelo Zúñiga Torres28 form Senior Consultant/Publisher: Paweł Marciniak by Stefano Maccaglia In the last decade SCADA systems have moved from propri- CEO: Ewa Dudzic etary, closed, networks to open source solutions and TCP/ IP enabled networks. Their original “security through ob- Art Director: Ireneusz Pogroszewski scurity” approach, in terms of protection against un- authorized access, has fallen, together with their in- DTP: Ireneusz Pogroszewski terconnection limits. This has made them open to Production Director: Andrzej Kuca communicate with the rest of the world, but vul- nerable, as our traditional computer networks. Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631 Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by Mathematical formulas created by Design Science MathType™ DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
  • F R E E attackGet it on with ZedAttack ProxyLet’s take a look around Zed Attack Proxy and see what it’s allabout, but before we go on Iet’s emphasize some of the greatestZAP’s attributes. Its easy, it’s free and open source, ZAP is fullyinternationalized, has extensive user guides and unlike somesimilar tools, has the ability to save sessions – a great help as far aswriting reports is concerned.Y ou can download Zed Attack Proxy from Note: If ies. you don’t already have it installed, you need When you open ZAP for the first time you will beto download and install java prompted to create an SSL Root CA Certificate as ZAP is at it’s heart an interception proxy and has in Figure 2. In the context of this article, we will beto be configured in-line between your browser and working with the secure login to a vulnerable webyour application. For instructions to configure ZAP application. Therefore we shall create a SSL Rootas a proxy for all the major browsers go to http:// CA certificate.Figure 1. Setup of ZAP for use in a Penetration Test 01/2012 Page 6
  • F R E EOption Dynamic SSL Certificates tem (browser). In other words when you’re notOWASP ZAP allows you to transparently decrypt testing in a safe environment, but on productiveSSL connections. For doing so, ZAP has to encrypt machines, be aware that you could be opening aneach request before sending to the server and de- additional attack vector to your system if your cer-crypt each response, which comes back. But, this tificate was in the wrong hands. ZAP generates ais already done by the browser. That’s why, the on- certificate that is unique to you, so keep this cer-ly way to decrypt or intercept the transmission, is tificate do a ‘man in the middle’ approach. Next you configure ZAP’s Local Proxy port: Go To Tools -> Options -> Local Proxy -> localport Set-Overview tings: Localhost 8090.In other words, all data sent to and received from Then configure your browser to use ZAP as athe server is encrypted/decrypted by using the proxy. In this example we are using Firefox run-original server’s certificate inside ZAP. This way, ning Foxyproxy: Go To Edit ->- Preferences -> Net-ZAP knows the plain text. To establish a SSL pro- works – > Settings -> Choose to Use ZAP for alltected session from you (your browser), ZAP is URLs.using it’s own certificate. This is the one you can Now you’re ready to go. All you need is your tar-create. Every certificate created by ZAP will be get application (Pentester) or your own Web Appli-signed for the same server name. This way, your cation that’s under development (Developer). forbrowser will do regular SSL encryption. the context of this article we will use DVWA (Damn Import Certificate in to Mozilla Firefox – Firefox Vulnerable Web Application)is using it’s own certificate store. Installation andlate on validation is done in the same preferences DVWA – Damn Vulnerable Web Appdialog: (User: admin Password: password) Damn Vulnerable Web App (DVWA) is a PHP/• Go to Preferences MySQL web application that is damn vulnerable.• Tab Advanced It’s main goals are to be an aid for security profes-• Tab Cryptography/Certificates sionals to test their skills and tools in a legal envi-• Click View certificates ronment, help web developers better understand• Click tab Trusted root certificates the processes of securing web applications and• Click Import and choose the saved owasp_ aid teachers/students to teach/learn web applica- zap_root_ca.cer file tion security in a class room environment.• In the wizard choose to trust this certificate to identify web sites (check on the boxes) WARNING!• Finalize the wizard Damn Vulnerable Web App is damn vulnerable! Do not upload it to your hosting provider’s pub-Attention Risks lic html folder or any working web server as it willWhen adding self generated Root CA certificates be hacked. I recommend downloading and install-to your list of trusted root certificates, anyone with ing XAMPP onto a local machine inside your LANthe root certificate can smuggle data into your sys- which is used solely for testing. com/p/dvwa/ Tip If you fancy skipping past the installation and setup of dvwa, I suggest downloading SamuraiWTF, you will find that this great distro already has DVWA al- ready installed setup and ready to go. The next thing to do for a beginner new to de- velopment or pentesting is explain how ZAP’s ad- vanced components can be useful as a tools in a basic web application penetration test. Basic Web Application Penetration Test: Recon -> Mapping -> Discovery/Enumeration -> Exploi-Figure 2. SSL Root CA Certificate tation. 01/2012 Page 7
  • F R E E attack ZAP is useful in the Mapping context using the • Sites tab – A Hierarchical representation ofproxy and spider. ZAP is useful in the Discovery con- your applicationtext with the active vulnerability scanner and fuzzer, • History Tab – Lists all the requests (GET/brute forcing web directories and files with DirBuster. POST) and the order they are made ZAP is useful in the Exploitation phases when • Search tab – Search ZAP gathered informationyou combine it’s findings with exploitation tools • Port Scan – a basic port scanner allows you tosuch as like SQLMap,BeEf and Metasploit. scan and shows which ports are open on the target sites.Basic Web Application Penetration Test • Output tab – This shows various informational– Mapping messages.These can include the stack tracesTo do comprehensive mapping, you must navigate of unexpected exceptionsthrough your web application. Ensure to follow and • Alerts tab – Shows you any potential issuesexplore through all of the functionality of the appli- and vulnerabilities ZAP has found. (See Ex-cation. Click each link, traverse through all tabs and ploitation for more info.)areas of your application. Press all buttons, fill inand submit all forms. If your application supports Click on entries in Sites or History – correspond-multiple roles then do this for each of the roles e.g. ing requests and responses will be visible in theUser, Admin. Note: In order to use multiple roles, it’s Request and Response Tabs If you right-click onbest to save each role as a separate ZAP sessions. any item – A whole load of extra options and func- Zap maps out the web application in a hierarchi- tionality becomes manner as in the sites tab displayed in Figure 3. Zap passively scans the Requests and Re- The lower pane brings together all the tabs for web sponses and reports any potential problems,application pen. testing in a universal status bar. but does not submit any responses on your behalf.TipIn Zap – Double click on a tab and it the tab for a Spiderbetter view – Double click and it will revert back to Can be activated by the play button on the Spiderthe lower status bar. tab or Right-Click Attack on the sites tree.Figure 3. A completed mapping of DVWA 01/2012 Page 8
  • F R E E The spider looks for pages that weren’t found in those hidden files and directories. And if that wasthe manual recon/mapping. Running the spider, not enough DirBuster also has the option to per-will crawl the website and find URLs that you may form a pure brute force, which leaves the hiddenhave missed are hidden. It places them in the directories and files nowhere to hide!Sites page with a spider icon. It is recommend tomanually explore and map the web application Tipfirst and then use spider. If the spider does find ZAP also allows for custom files to be used, in theunseen links, revert back through the application SamuraiWTF training course we used CeWL (Cus-through your browser and visit those URLs. tom Word List generator) by DigiNinja. CeWL is a ruby app which spiders a given url to a specifiedTip depth, optionally following external links, and re-A good crawl will enable you to have a better ac- turns a list of words which can then be used fortive scan. password crackers such as John the Ripper. John the Ripper can aswell be used to create a wordlistBasic Penetration Test – Discovery that has different versions of the words that CeWLActive scanner collected for example – ex@mpl3 These customActive vulnerability scanner attacks the application wordlists can then be imported and used by ZAPand performs a number of known attacks. for Brute Forcing and Fuzzing. Active scanner is there to find basic vulnerabili-ties (Only to be used in development environment Fuzzerunless explicitly permitted in writing by the Web ZAP also has fuzzing capabilities through its in-App. owner in case of a Penetration test – It is ille- tegrated use of yet another OWASP Projectgal to run active scans without legal consent). JBroFuzz. ‘Fuzz testing or fuzzing is a software Damn Vulnerable Web Application (DVWA) as it testing technique, often automated or semi-au-is aptly named is an excellent resource for viewing, tomated, that involves providing invalid, unex-and learning about vulnerabilities. Once you’ve pected, or random data to the inputs of a com-completed the above steps above you should be puter program. The program is then monitoredable to see the results of the mappings and vulner- for exceptions such as crashes or failing built-inabilities in your application in the Alerts tab Imme- code assertions or for finding potential memorydiately you can see a number of alerts for vulner- leaks. Fuzzing is commonly used to test for se-abilities found. curity problems in software or computer systems’ - Wikipedia’Brute Force To Fuzz a request string such as a password:Use the brute force scanner to find unreferencedfiles and directories. You can use the built in or • Select a request in the Sites or History tabcustom input files for Brute Force Scanner. ZAP • Highlight the string you wish to fuzz in the re-Uses OWASP DirBuster and Fuzzing using anoth- quest taber OWASP Project JBroFuzz and Fuzzdb • Right-click in the Request tab and select ‘Fuzz’ ZAP uses OWASP DirBuster, a multi threaded • Select the Fuzz Category and one or more ofjava application designed to brute force directories the Fuzzersand files names on web/application servers. Often • Press the Fuzz Buttonis the case now of what looks like a web server in • The results will then be listed in the Fuzzer taba state of default installation is actually not, and • Select them to see the full requests and re-has pages and applications hidden within. DirBus- sponsester attempts to find these. However tools of this nature are often as only Additional fuzzing text files are added continu-good as the directory and file list they come with. A ously with each ZAP release and as stated earli-different approach was taken to generating Dirbus- er you can also create and import your own cus-ter. The Dirbuster list was generated from scratch, tom crawling the Internet and collecting the direc-tory and files that are actually used by develop- Manual testers! DirBuster comes a total of 9 different lists, The above steps will find basic vulnerabilities. Morethis makes DirBuster extremely effective at finding vulnerabilities become apparent when you to manu- 01/2012 Page 9
  • F R E E attackally test the application by giving it some data, try- mation about a particular alert in the ‘Other info’.ing loginsetc. In an advanced web application pen- tab, and best of all there is a solution and refer-etration test scenario, a number of other tools such ence material provided for the Nikto, Curl, SQLMap, Cewl etc would be used, You will see how intuitive and educationally ben-See the OWASP Testing Guide for more details on eficial ZAP really is to developers/pentesters, es-comprehensive Penetration Testing at https://www. pecially ones in the early stages of their Break PointsBasic Penetration Test – Exploitation: A break point allows you to intercept a request fromOnce you have performed your basic pentest map- your browser and to change it before is is submit-ping and discovery, you are ready for exploitation ted to the web application you are testing. You canor remediation depending on your role, develop- also change the responses received from the appli-er or pentester. The considerable information that cation.The request or response will be displayed inZAP provides under the Alerts tab is key to a pen- the Break tab which allows you to change disabledtester’s next move. or hidden fields, and will allow you to bypass cli- ent side validation (often enforced using javascript).Alerts It is an essential penetration testing technique. YouZAP provides comprehensive information relating can set a ‘global’ break point on requests and/or re-to all alerts and vulnerabilities it finds. All the exploi- sponses using the buttons on the top level toolbar.tation material you need is here listing active and All requests and/or responses will then be inter-passive vulnerabilities. Each alert gets flagged in cepted by ZAP allowing you to change anythingthe History tab, gets a Risk Rating – Informational, before allowing the request or response to con-Low, Medium or High. Also, they get an alert reli- tinue. You can also set break points on specificability rating – False Positive, Suspicious, Warning. URLs using the “Break...” right click menu on the Sites and History tabs. Only those URLs will beTip intercepted by ZAP. URL specific break points areI find it easiest at this point to review the alerts if shown in the Break Points expand the Alert tab by double clicking it as inFigure 4. Anti CSRF Tokens For each alert a description is provided. You can Another advanced feature of ZAP that is not read-save your own developer/pentester specific infor- ily available in similar, free versions of tools in thisFigure 4. Alerts tab expanded 01/2012 Page 10
  • F R E Earea is Anti-CSRF token handling and token gen- was an app built by a developer, for a developereration. CRSF vulnerabilities occur by the way that and you can tell. It has subsequently been adoptedbrowsers automatically submit cookies back to an by an international community of information secu-issuing web server with each subsequent request. rity professionals.If a web application relies solely on HTTP cook-ies for tracking sessions, it will inherently be at risk ZAP – Fully Automated Security Testsfrom an attack like this. To conclude this extensive article, I am going to Anti CSRF tokens are (pseudo) random param- change the context of how we see use of ZAPeters used to protect against Cross Site Request and show how functional testing can be improved,Forgery (CSRF) attacks. even fully automated and with adding security in to They tokens may make a penetration testers job the process. sounds good eh!hard if the tokens are regenerated every time a Many Web developers use applications like Se-form is requested. ZAP detects anti CSRF tokens lenium, Webdriver and Watir to test their Web-Ap-by attribute names – the list of attribute names plications. In this example we are using Seleniumconsidered to be anti CSRF tokens can be edited to drive the browser. Selenium records your ac-using the Tools->Options->Anti-CSRF screen. tions in the browser such as mapping, clicking, in- When ZAP detects these tokens it records the to- puts etc.. and then can re-test doing exactly theken value and which URL generated the token. The same tests while you complete iterations of say aactive scanner and the fuzzer both have options web application under development.which cause ZAP to automatically regenerate thetokens when it is required. If fuzzing a form with an Seleniumhq.organti CSRF-tokens on it, ZAP can regenerate the to- ‘Selenium automates browsers. That’s it. What youken for each of the payloads you want to fuzz with. do with that power is entirely up to you. Primar- If you are a developer testing your own web ap- ily it is for automating web applications for testingplication make sure the names of your anti-csrf to- purposes, but is certainly not limited to just that.kens are included in ZAP for ease of use. Boring web-based administration tasks can (and It’s clear to see that considerable effort has been should!) also be automated as well.embedded in Zed Attack Proxy by Simon Bennetts Selenium has the support of some of the largestand Axel Neumann and also the Global communi- browser vendors who have taken (or are taking)ty of developers and individuals contributing. ZAP steps to make Selenium a native part of their brows-Figure 5. Example ZAP setup for fully automated regression tests with security testing 01/2012 Page 11
  • F R E E attacker. It is also the core technology in countless other ner would be run. The REST API is asynchronousbrowser automation tools, APIs and frameworks.’ and the will poll the scanner to see how it has pro- A build tool such as Apache Ant can control a tool Selenium which will drive the browser. ZAP will detect passive vulnerabilities such as We can then insert ZAP as a proxy and also drive missing HttpOnly or Secure Cookie Flags where-zap from the Apache Ant build tool as in Figure 5. as the active scanner finds critical XSS and SQ- So selenium records and drives a browser with Li other vulnerabilities It is important to rememberZAP inserted as in intercepting proxy. This can be that there are some types of errors that can not bevery useful for functional and regression tests and found with automated scanning, so its important ifis a very effective way of testing web UI’s. Devel- security is taken seriously in your organisation, toopers can write test cases to use their apps in the have the security team to have a review and pen-way they expect users to use them and then imple- etration test of your application.ment and record and re-test them with Selenium. By using ZAP in this way, the basic vulnerabilities Regression tests give you a level of confidence in your web application should have been foundthat any changes you have made haven’t caused and then are able fixed in the early stages of theany issues or broken anything. They can’t test ev- development lifecycle.erything, so you still want QA to give your applica- For more information and a full video exampletion a good independent test. go to Simon Bennetts video tutorial: http//code. In the above example we would use Apache Ant control ZAP by the rest api, to kick off things likespider and active scanner. This gives some lev- Summaryels of automated security testing that you can use If you’re a developer interested in security or a pro-in your continuos integration. The mapping/spi- fessional pen tester, ZAP definitely has somethingder can be set to complete first, then active scan- for you. It is a powerful tool to aid developers and QA testers with easily integrating security in to the References SDLC and also serves from beginner up to ad- Thanks to Simon Bennetts (@psiinon ) and Axel Neu- vanced penetration testers in their line of duty. man (@a_c_neumann), OWASP, ZAP Guide & Creative It’s going to take a lot of work to change the cul- Commons Attribute Share-alike License: ture of Information Security. It’s a risk management • project on a grand scale. Get involved, educate, • spread the work, take action and help change the tack_Proxy_Project culture. • http:/// The extensible architecture and constant devel- • opment of ZAP makes for an exciting future for this DirBuster_Project • Open Source project. • For full instructions and a wealth of ZAP informa- • Justin Searle (@meeas) tion, see the OWASP project page: Google Summer Of Code 2012 Projects There are 3 ZAP related google summer of code proj- WARNING Active scans must not be performed on Public ects: websites without the owners written permission as it • Redesign of site crawler with sessions awareness – illegal. Student: Cosmin Stefan – Org: OWASP – Mentor: Si- mon Bennetts • Enhanced AJAX integration – Student: Guifre Ruiz – Org: OWASP – Mentor: Skyler Onken • Websocket Testing Tool – Student: robert Koch – Gareth Watters (@gwatters) – CISSP, Org: Mozilla – Mentor: Yvan Boily CISA, CPTE, MCSE, ITIL Gareth Watters is an Information ‘This is really great news – its a great opportunity for Security specialist based out of Mel- the students to work on a high profile security project, bourne Australia. and ZAP will be significantly enhanced by their work!’ – Simon Bennetts GSoC2012. 01/2012 Page 12
  • Virscent Technologies Pvt. Ltd. a Brainchild of a team of IIT Kharagpur Graduates has Ltd., Graduates,been Incubated in E-Cell IIT Kharagpur It is an IT Solutions & Training Company, Cell Kharagpur.Offering Web, Security and Network Solutions, IT Consulting and Support Services to fferingnumerous clients across the Globe.We provide the following services: a. Penetration Testing b. Multimedia Services c. Web Development d. Training: a. Corporate Training b. Classroom Training c. Training programs for Educational Institutions.Our Partners: 1. E-Cell IIT Kharagpur 2. Education Project Council of IndiaWebsite: www.virscent.comBlog :
  • F R E E attackWireless EurynomusA Wireless (802.11) Probe Request Based AttackIn the recent years, the proliferation of laptop computers andsmart phones has caused an increase in the range of places peopleperform computing. At the same time, network connectivityis becoming an increasingly integral part of computingenvironments.A s a result, wireless networks of various connect is a simple and one of the most conniving kinds have gained much popularity. But facility provided by all the clients of wireless Ac- with the added convenience of wireless ac- cess Points. This feature can also be used to com-cess come new problems, not the least of which promise a client and the attack is counted as oneare heightened security concerns. When transmis- of the deadliest silent attacks.sions are broadcast over radio waves, interceptionand masquerading becomes trivial to anyone with Target Audiencea radio, and so there is a need to employ additional This attack can affect any of the technical and nonmechanisms to protect the communications. technical users of the 802.11 interface. But the In this article we want to focus on some of the technical details of this attack require usage ofhidden flaws that were never taken seriously. Auto- Wireshark, a little understanding of packet detailsFigure 1. Non-data transferFigure 2. Data transfer to the Internet 01/2012 Page 14
  • F R E Eover wireless and some of the details about theprobe and beacon frames.Scope Of AttackThis attack is almost new born to the world of wire-less and the Internet. This attack is fully capableof creating an intermediate connection betweenany client and attacker. Talking about the scope ofthis attack, it can be of wide variety. For exampleif an attacker walks into a company premises andjust by monitoring the air, he can easily find out theprobes in air and can attack any laptop or he canattack any smartphone and can collect contact de- Figure 4. Implementationtails of clients. This is just a simple scenario; cases Hardware And Software Requirementscan be like T.J maxx credit card incident. (http:// To perform this attack, we will need an entire setup with specific software requirements and some hardware requirements. Hardware require-Flow Diagrams For Attacks ments include:Case -1Attacker just wants to have connectivity (Non-data • Access pointtransfer; Figure 1). In this scenario, the attacker • 2 laptop (1 as attacker and 1 as victim)just wants to have connectivity over the victim, af- • Wireless card (internal or external)ter that he might be interested to do some of the • 1 smartphone (optional requirement)post tasks like launching a Metasploit module orsome of the custom coded exploits. And since the Software requirementvictim is only sending the gratuitous request, hewill only get some connectivity to the attacker’s fic- • Backtrack operating system (4-revision2 ortitious network. After that no data transfer will hap- higher version).pen because of lack of internet connectivity. • All other required tools are preconfigured in it.Case – 2 Understanding Probes And BeaconsAttacker wants to have connectivity as well as data When a client turns on its wireless interface, attransfer to the Internet (Figure 2). In this scenar- the same time the wireless interface starts to sendio, the attacker wants the victim to connect with many probe requests to find if there is an accessthe attacker’s machine so he could send the data point available or not. Similarly any access point ispackets to the Internet. In this case he only wantsto monitor the data.Figure 3. Connecting over the Acess point Figure 5. Probe requests by clients 01/2012 Page 15
  • F R E E attackFigure 6. airbase-ngalso sending the beacon frames to show its pres- Figure 8. # ifconfig -aence. Once the client gets connected to an accesspoint, there is a facility provided by different ma- is destined for it or not. This is very similar to pro-chines to remember that access point. Whenev- miscuous mode over the wired network, used forer the client comes into the range it automatically the purpose of sniffing. After finding the probesgets connected. This is simply because the client of the clients, we will create a soft AP or knownis continuously sending probe requests in the air to as virtual AP. A soft access point is created by afind if any saved AP is available. set of software which continuously sends out the beacon frames to show all nearby clients about itsTypes Of Attacks presence. Since the client is already attempting to connect to that access point. It will automatically• IP level connectivity attacks (Metasploit based) connect to the attacker. Now, if a DHCP is running• Relay the packets to AP (MITM based attacks) over the attacker it will automatically receive an IP• Depending upon the usage, attacks can be in- or if there is no DHCP is running then client will re- tegrated and the client is still unknown. ceive an IP of the range will sent gratuitous packets. Once the IP is assigned, theAttack Scenario tap interface created by soft AP, can have IP levelTo understand (Figure 3) this attack, the working connectivity with the client and the best part is thatof the Access Point must be clear. So, what we the client remains unaware of the situation.are trying to implement is, a client who is not con-nected to any wireless AP and having his wireless Implementationinterface up and running. The wireless interface al- We have used a BackTrack machine (attacker) andways transmits some probe request from its PNL a I-Phone (victim) to implement our attack scenar-i.e. Preferred Network List. It is just a sense of in- io. A monitor mode interface is being created at thesecurity and a shocking fact that it is independent top of a wireless interface, this monitor mode inter-of any AP. First of all we will try to make a moni- face can be easily created by using airmon-ng settor mode interface in the air, which can accept all of tools. The wlan0 (wireless) interface is up andthe packets over the air regardless if the packet running (Figure 4). # airmon-ng start wlan0 Monitor mode enabled on mon0 indicates that the monitor mode has been created and now we can monitor the air. To monitor the air, simply airodump can be used over the mon0 interface. This alongFigure 7. Connection to Hitesh network Figure 9. # ifconfig at0; # ping 01/2012 Page 16
  • F R E E References • Type/model of wireless cards have been used for te- sting – an alfa wireless external card AWUS036H se- [1] ries, but anyone can use their laptop inbuilt card [2] • Victim can have any operating system like windows [3] xp or 7 or even linux machine, the probe request [4] Interception Mobile Communications, The Insecuri- will always be sent into the air, since this is how the ty of 802.11 – ISAAC the wireless auto connect feature works in all ope- mobicom.pdf rating system. I didn’t tested it on MAC, and cannot [5] An Overview of 802.11 Wireless Network Security say much about it. Regarding the antivirus that co- Standards & Mechanisms mes to the post exploitation task, and if any ATTAC- [6] By: Luis Wong (posted on January 19, 2005) KER wants to have Man In the Middle attack to per- [7] Remote Access Point/IDS form, then a fully patched (with antivirus and firewall) [8] By: Jared Kee (posted on April 10, 2012) machine can be compromised. because its the victim who is trying to connect to us. Comments • I used a IOS4 – jail breaked version for this experi- • Type of access point used for testing – a zxdsl router ment purpose. for this attack as a lab setup, but it will hardly matter Acknowledgment if you use any other also, since all router broadcast Acknowledgment to Igneustech for providing appropri- same beacon frames ate equipment and lab environment.with the AP will also give the details of the clients to send DHCP request and failing so that finally it isthat are associated or trying to associate with the getting an IP range 0f the meannetwork in the surroundings (Figure 5) while one can also set a DHCP and can easily trans- fer the packets to the Internet via its bridge interface# airodump-ng mon0 and can perform Man In The Middle Attacks. Now the final step is to just up the at0 interface and setAfter finding the probe request name, the attacker the ip of the same range and same subnet that cancan easily create a soft AP or virtual access point be easily done with the ipconfig utility (Figure 8)with any of the bssid as well as any essid. HereI have used an essid of name Hitesh just for the # ifconfig -asake of example. Finally the proof of the IP level connectivity, Post# airbase-ng -a <bssid> -e <essid/name> mon0 that one can easily launch some Metasploit mod- ules or other various set of attacks (Figure 9).The Airbase set of tools has got a lots of options,it can send responses to any of the probe re- # ifconfig at0quests that client is transmitting via its radio but # ping the sake of simplicity we have used this sce-nario. The interesting thing about this soft AP is Hitesh Choudharythat it also creates a tap interface. It’s little basic Hitesh Choudhary is a Jaipur based eth-that our access point always have 2 cards in it, ical hacker serving free to Rajasthanone is wireless and other is for wired interface. police to handle cyber crimes as well asThis tap interface is the same clone of wired in- pursuing his wireless research at M.I.T. ,terface named as at0. (Figure 6). As a result of California. He has completed his RHCE,this client will automatically get connected to this RHCSA, CEH and various other security“hitesh” network since there is no DHCP running certifications.over the attacker machine (Figure 7). The client will get an IP address of the range 169. Pankaj and will try to send gratuitous packets. Pankaj Moolrajani is Jaipur based se-One can also use these packets as an ARP packet curity researcher at Igneustech. He isto send it back to the IP. So, there is can be attack at RHCE & RHCSS Certified.every phase. One can also verify this by using Wire-shark and capturing each and every packet. Thesepacket will show that client is again and again trying 01/2012 Page 17
  • F R E E attackSecuring Usersfrom Phishing, Smishing & Social Media AttacksSome experts believe one of the best solutions to thwart phishingattacks is end-user training, but can we really train every computeruser to be sufficiently security literate? Will it ever be the case thatanyone can distinguish a phishing message from a genuinebank email?T he volume of phishing attacks has in- attains financial or personal login details that can creased, as have their variety and sophis- be used to commit fraud or theft. Of course, it was tication. Even security experts struggle to only a matter of time before people caught on toidentify some of the fakes. The phishers cast their email scams. Users read again and again not torods farther and with more efficiency than ever be- click on such links. Mail solutions became betterfore. They can easily download phishing site cre- at spotting phishing emails and filtering them intoation tools and produce convincing messages and a junk email folder. Even free Web mail providerspages. Expecting an average PC user to beat now catch the majority of these attacks.these guys without any help is tantamount to pit- Once cybercriminals noticed their tradition-ting an average golfer against Tiger Woods. al phishing approaches were returning lower re- It can seem at times the only people who like sponse rates, they rapidly adjusted to new medi-change are Internet attackers. And they don’t just ums. As a result, a new trend emerged: smishinglike it – they need it. Technology’s rapid chang- (social media phishing and SMS phishing) becamees give cybercriminals new attack vectors to ex- the new trend in cyber attacks.ploit, and new ways to turn a profit out of someone The underlying concept is the same, but the at-else’s misfortune. tack mechanism is different. Instead of targeting Internet attackers have made a profession out users via email, cybercriminals use social mediaof rapid change of a multitude of factors – attack messaging and text messaging advertising to lurevector, sophistication, volume and approach. The victims.malware market has been monetised and we are For hackers, it’s the perfect opportunity. They canseeing the strongest ever driving forces to come cheaply buy lists of Facebook login details, hack in-up with new approaches to beat security products to users’ accounts, and send personal-looking mes-and users common sense. sages to an individual’s entire friend list. The majority For example, take phishing. The concept is sim- of users are more trusting of a post from a friend thanple: Send an email disguised as a message from a suspicious email in their in-box, making smish-a bank, PayPal, or UPS. Wait for the user to click ing more effective at luring users to phishing sites.a link in the message, and enter their private de- We seem to take phishing attacks for grantedtails into a phishing site, and presto! The attacker these days, in much the same way that we’ve ac- 01/2012 Page 18
  • F R E Ecepted spam as a natural, and inevitable, by-prod- ple into losing their wallet at Three-card Monte. Weuct of email. Some experts believe one of the best let curiosity get the best of us, and at times can besolutions to thwart phishing attacks is end-user gullible. Like street hustlers, cybercriminals aren’ttraining, but I doubt training alone is a viable solu- afraid to experiment with hacking our inclinationstion. Can we really train every computer user to be (or, as many security experts call it, social engi-sufficiently security literate, such that anyone can neering). The volume of phishing attacks has in-distinguish a phishing message from a genuine creased, as have their variety and email? I doubt its possibility, especially given Even security experts struggle to identify some ofhow specific the details in spear phishing (phishing the fakes.targeted at specific people and/or companies) at- The phishers cast their rods farther and with moretacks have become. efficiency than ever before. They can easily download It used to be that thieves could satiate their hunger phishing site creation tools (yes they exist) and pro-for evil (and money) merely through the emulation of duce convincing messages and pages. Expectinga consumer bank or a PayPal login screen. While an average PC user to beat these guys withoutthese low-hanging-fruit scams show no signs of any help is tantamount to pitting an average golferabating, even following major busts of phishing against Tiger Woods (albeit a few years ago; no of-rings, we’ve seen new types of phishing attacks fense, Tiger). The criminal’s job is to create onlinethat wear the mask of a Web security product, scams that work, and the returns on their invest-persuading users to follow through on fake spam ments are huge. Why would we expect non-crim-quarantine messages, or security update alerts, inally-minded users to be more adept at spottingsometimes using the name of real vendors. It’s all scams, than scammers are at reeling in the users?very plausible. Technology has to step up its game. We need to Unfortunately, the average user is not a trained continue to make it harder and less lucrative forsecurity expert – and why should he or she be? online scammers to do their “jobs.” That’s reallyCriminals lure users into phishing and email scams the most effective way to stop phishers from at-in much the same way street cons lure some peo- tacking our end users. a d v e r t i s e m e n t
  • F R E E attack Phishing is a good example of how the Cy- to all linked friends of the individual, sending abercriminal utilises Social Engineering tech- ‘have you see this site’ message, an advert orniques combined with technology to grift mon- simply a link to a fake site. Users are lulled intoey from an innocent Internet bystander. Send an a greater trust of the message, having not beenemail to the victim purporting to be from some- use to receiving this sort of message in this newone else, be it a bank, paypal or from a spy- more trusted medium.ware infected machine disguising the email in the SMS Phishing involves criminals switching theirform of a genuine email from a friends address. attacks to target a weaker link. Users are constant-Wait on the susceptible user to click on it believ- ly educated to maintain suspicion when openinging it to be genuine, enter their private details into messages in email on a PC device and typical-a fake site and hey presto the attacker has hood- ly have security software running on these ma-winked you and has financial or personal login de- chines, be it antivirus, spyware protection, firewallstails of yours. The average phishing site that stays and other mediums of protection. Users have be-online for an average of 5.9 days does enough come rapidly more mobile and take for granted thedamage to afford change (stat from – ability to now access the internet from devices oth-the Anti-Phishing Workgroup). er than their PC. Text messaging has become a Users have read again and again in articles, ‘taken for granted’ communications medium within warnings on bank sites, in email services and many youngsters sending/receiving upwards offrom friends not to click on such links, but they still 100 messages a! Mail solutions have gotten better at discerning Attackers have found ways to send masses ofPhishing attacks and putting them correctly in to automated and believable looking text messagesanti-spam filters. Even in free webmail solutions to users including URL links for the user to view.Phishing attacks are put into the junk folder the Major PC based web browser software now hasmajority of the time. So users believe the Phish- phishing protection built in to alert the user to sus-ing mails won’t reach them and they think twice picious sites, and users generally can hover overbefore they click on a suspicious email. a link to display the true web site, but on mobile So have the criminals sat on their laurels!? When phones we are not seeing the same browsers, thethey noticed the traditional Phishing approaches same versions nor the same protection levels toreturning a lower response rate they rapidly ad- help users avoid malicious fake sites.justed to new mediums and we now have this new So user beware, what you see may not alwaysformat of Smishing with two definitions, both harm- be what you get, particularly in the world of the cy-ful and both sophisticated enough to be impacting ber transaction. When you see a message fromusers. Variously termed as meaning Social Media someone you think you know, don’t assume it wasphishing or SMS Phishing they are both a progres- them who sent it from their account, look once,sion of attackers approaches. think twice before you click, whether it be an email, Social Media Phishing means instead of a social media message or a text message!sending the advert, fake link, or message inemail they are utilising social media messag- IAN MOYSEing and advertising to direct the user through to Ian Moyse has over 25 years of ex-their fake site location. Getting a posting on- perience in the IT Sector, with nineto your Facebook page for example or receiving of these specialising in security Fora Social Media message seemingly has more trust the last 8 years he has been focusedequity with users than email, with users believing in Cloud Computing and has be-fakes only come to them in email as Spam. On So- come a thought leader in this are-cial web sites they seemingly have entered into a na. He now holds the role of Sales Di-different mindset of trust. rector at Cloud CRM provider He also You can cheaply buy lists of Facebook login de- sits on the board of Eurocloud UK and the Governancetails on the web – for example a recent site was Board of the Cloud Industry Forum (CIF) and in earlyseen offering 1000 facebook account login de- 2012 was appointed to the advisory board of SaaSMax.tails for L16.50, very affordable at the worst of He was named by TalkinCloud as one of the global toptimes. With such easy ammunition it’s not a big 200 cloud channel experts in 2011 and in early 2012 Ianstep for someone to utilise each of these ac- was the first in the UK to pass the CompTIA Cloud Essen-counts and to send personal looking messages tials specialty certification exam. 01/2012 Page 20
  • scanning isn’t enoughCyber Security Auditing Software Device Auditing Scanners Nipper Studio• Device information remains Audit without Network Traffic confidential Authentication Configuration• Settings that allow you to hide Authorization Configuration sensitive information in the Accounting/Logging Configuration report Intrusion Detection/Prevention Configuration• Low cost, scalable licensing Password Encryption Settings• Point and click GUI or CLI Timeout Configuration scripting Physical Port Audit• Audit without network traffic Routing Configuration VLAN Configuration Network Address Translation It was refreshing Network Protocols to discover Nipper and to find that it supported so many Device Specific Options devices that Cisco produces. Time Synchronization Nipper enables Cisco to test these devices in a fraction of Warning Messages (Banners) * the time it would normally take Network Administration Services * to perform a manual audit. For many devices, it has eliminated Network Service Analysis * the need for a manual audit to Password Strength Assessment * be undertaken altogether. Software Vulnerability Analysis * Cisco Network Filtering (ACL) Audit * Business Benefits to Cisco Wireless Networking * • Nipper quickly produces VPN Configuration * detailed reports, including * Limitations and constraints will prevent a detailed audit known vulnerabilities. • By using Nipper, manual Nipper Studio reduces manual auditing time by quickly producing a consistent, testing has been altogether clear and detailed report. This report will; eliminated for particular 1. Summarize your network’s security Cisco devices. 2. Highlight vulnerabilities in your device configurations 3. Rate vulnerabilities by potential system impact and ease of exploitation (using CVSSv2 or the established Nipper Rating System) Multi-Platform Support for 4. Provide an easy to action mitigation plan based on customizable settings that reflect your organizations systems and concerns. 5. Allow you to add previous reports and enable change tracking functionality. You can then easily view the progress of your network security. for free at T: +44 (0)845 652 0621
  • F R E E CyberwarDigital ApocalypseThe Artillery of Cyber WarCyberspace is now the digital frontier of choice for executing manycombat operations, by extending the medium in which greater levelsof power can now be accessed by Machiavelli agents, militants andnation-states. Squads of cyber militants going under the banner ofAnonymous and LulzSecare, motivated by the ease in which they cannow execute high impact operations whilst avoiding detection, are justa few of the much publicised names synonymous with cyber terrorism.T he multi-dimensional characteristics of cy- the world is really prepared for the possibility of a ber space have dissolved the boundaries “digital apocalypse”. Throughout the analysis this between digital landscape and physical se- paper aims to emphasise that deterring Cyber Warcurity, facilitating cyber-attacks that produce dev- is the key to addressing this challenge.astating impacts to critical infrastructure, as well asCorporate and Government assets. Cyber Warfare – A Definition Global security experts face the challenge of at- Over the past few decades experts and academicstempting to develop techniques to deter and prevent have explored whether the possibility of a Cyberthese global threats. This challenge is complicated War was in fact a plausible threat. Early pioneersfurther by the rate at which the digital paradigm con- navigating through this new landscape had con-tinues to evolve at a rate which is often considerably jured up post-apocalyptic visions of the impact offaster than the ability to keep up with these develop- Cyber War, bearing resemblances to scenes fromments. This disparity has, unsurprisingly, created an a science fiction film. Today, Cyber War is no lon-impression, shared throughout the cyber communi- ger being examined from a theoretical perspective,ty, that implementing strategies to control the digi- as these dynamic threats have emerged through-tal domain has become unachievable. As a result of out the global systems and networks. Experts arethese challenges and many others, Cyber Warfare no longer debating the possibility of Cyber War butis set to be one of the greatest challenges posed to what can be done to stop these threats.the 21st Century. Despite the widespread acknowledgement of This article will examine the characteristics of Cyber War, the definition of these threats remainsCyber War operations in order to clarify the ambi- under scrutiny. Experts such as Bruce Schneierguities surrounding these concepts. Such an ex- have stated that many definitions of Cyber War inamination is necessary in order to ensure that the current circulation are flawed as they confuse acomponents of Cyber War are not confused with in- range of other computer security related conceptsterrelated disciplines such as Information Warfare. such as Information Warfare, Hacking and Net-Real world examples of Cyber Attacks will then be work Centric Warfare. In order to, clarify ambigui-discussed in order to assess the “nuts and bolts” ties surrounding Cyber War, for the purpose of thisof cyber-attack operations and to examine whether discussion, Cyber War is defined as: 01/2012 Page 22
  • F R E E worm. First launched in to the digital landscape in“Internet-based conflict involving politically motivated at- June 2009, Stuxnet has become one of the heavilytacks on information and information systems. Cyber war- scrutinised, real world examples of Cyber Warfarefare attacks can disable official websites and networks, dis- attacks, with global security and technology com-rupt or disable essential services, steal or alter classified da- munities still struggling to fully comprehend the com-ta, and cripple financial systems – among many other possi- plexities of its design almost two years on since itsbilities.” (Rouse, 2010) initial release. Stuxnet’s international attention has been achieved from the sheer sophistication in de-For the purpose of this discussion, the focus of sign which is composed of a comprehensive array ofCyber War conflicts will be examined in terms of attack exploits and covert methods for avoiding de-its impact to the physical realm, in particularly to tection. Stuxnet is the magnum opus in the malwareits impact to critical infrastructures. hall of fame. The Stuxnet worm infects computers runningThe First Warning Shots Windows OS, and is initially distributed via USBRecorded examples of the impact of cyber-attacks drives thereby enabling it to gain access to sys-on critical infrastructures have been around for over tems logically separated from the Internet. Oncea decade. One of the earliest cyber-attacks on criti- access has been gained it then orchestrates a va-cal infrastructure took place in January 2000, in riety of exploits from its toolkit designed to specifi-Queensland, Australia. Where a disgruntled former cally target vulnerabilities its intelligent design isemployee at a manufacturing company hacked into able to identify in the target host.the organisations computer, using privileged knowl- Stuxnet’s artillery includes uses an array of ex-edge of the system, and took control of the Super- ploit methods, meticulously designed to circumventvisory Control and Data Acquisition (SCADA) sys- the logical sequence security measures, one lay-tem. The protagonist was able to maliciously attack er at a time. Exploits included Stolen Digital Cer-the system causing physical pumps to release raw tificates, Rootkits, Zero-Day Exploits, methods forsewage, producing a considerable amount of dam- evading Anti-Virus detection, hooking codes, com-age. Although this attack is not constituted as cyber plex process injections, network injection, to namewarfare, it demonstrated the possibility for a digital a few. These exploits however do not affect just anyattack to create a detrimental financial impact and old computer, aside from propagating further. Thecreate havoc on critical infrastructures. Since this extraordinarily designed piece of malware has onetime, there have been a number of attacks classed solitary target in mind – Industrial Control Systems/as acts of cyber war, such as the 2007 attacks, Supervisory Control and Data Acquisition* (ICS/launched against the Government of Estonia. In SCADA) and attached computer systems. With athis example, attackers utilised a variety of different specific ICS/SCADA being targeted in Iran, Stux-attack methods such as Denial of Services (DoS), net reprograms the Programmable Logic Controllerwebsite defacement and other malware. This was (PLC), made by Siemens, to execute in the mannerone of the earliest examples demonstrating the in- that the attack designers have planned for them tocreased level of sophistication of cyber-attacks to operate launched against a nation-state. * Bruce Schneier argues that Stuxnet only targets ICS and press re- leases have mis-referenced Stuxnet to also target SCADA “is technical-The Digital Artillery ly incorrect”. For further details refer to: arsenal of a Cyber War attack consists of the chives/2010/10/stuxnet.htmlusual suspects, such DoS, attacks on DNS infra-structure, anti-forensic techniques, and wide-scale While experts are still dissecting Stuxnet, it is ap-use of Worm, Zombies, Trojan and clichéd meth- parent that the creation is the work of a team ofods of electronics attack. However Cyber War rep- highly skilled professionals. Some estimatesresents much more than a DoS attack. When as- have stating that it would have taken a team of 8sessing state-of-the-art Cyber War Artillery, one – 10 security experts to write over the course ofname comes to mind – Stuxnet. 6 months (Schneier). Many are referring to Stux- net’s creation as a “marksman’s job” due to its tar-State-of-the-Art: Stuxnet geted approach and expert precision.The ultimate state-of-the-art weapon identified in Given Stuxnet is considered to be one of thethe cyber warfare arsenal, so far, is the Stuxnet greatest malware masterpieces the temptation 01/2012 Page 23
  • F R E E Cyberwarto examine its architecture in greater detail could The attack vector used is based on the operatingnot be resisted. Symantec’s “W32.Stuxnet Dos- system of the compromised computer. If the oper-sier Version 1.4” provides a detailed analysis de- ating system is Windows Vista, Windows 7, or Win-lineating the technical attributes composed with- dows Server 2008 R2 the currently undisclosedin Stuxnet and this 69 page document created Task Scheduler Escalation of Privilege vulnerabil-by members of their Security Response Team ity is exploited. If the operating system is Windowsis used as the basis for the following examina- XP or Windows 2000 the Windows Win32k.sys Lo-tion. The full array of technical features is outside cal Privilege Escalation vulnerability (MS10-073) isof the scope of this article so a brief overview of exploited.Stuxnet’s architectural components will be sum-marised below. Load Points Stuxnet loads the driver “MrxCls.sys” which is digi-Breaking Down Stuxnet tally signed with a compromised Realtek certificateThe Core – .DLL files (which Verisign previously revoked). Another ver-At the core of Stuxnet is a large .dll file containing an sion of this driver was also identified to be using aarray of resources, diverse exports as well as en- digital certificate from JMicron.crypted configuration blocks. In order to load these The aim of the Mrxcls.sys is to inject copies of.dll files, Stuxnet has the capability to evade detec- Stuxnet into specific processes therefore acting astion of a host intrusion protection programs which the central load-point for exploits. Targeted process-monitor any LoadLibrary calls. These .dlls and en- es include – Services.exe; S7tgtopx.exe; CCPro-crypted configuration blocks are stored in a wrapper jectMgr.exe.referred to as the ‘stub’. Two procedures are thenemployed to call Exported function. Extract .dll is The Target: Programmable Logic Controllersthen mapped into memory module and calls one of We now arrive at Stuxnet’s ultimate goal – in-the exports from mapped .dll. A pointer to the stub is fecting Simatic’s Programmable Logic Controllerthen passed as a parameter. Stuxnet then proceeds (PLC) devices. Stuxnet accomplishes this by load-to inject the entire DLL into another process, once ing blocks of code and data (written in SCL or STLexports are called. Injecting processes can include languages) which are then executed by the PLC inexisting or newly created arbitrary process or a pre- order to control industrial processes. In doing so,selected trusted process. Stuxnet is able to orchestrate a range of functions such as:The Process of InjectionTargeted trusted processes are directed at a num- • Monitoring Read/Writes PLC blocksber of standard Windows processes associat- • Covertly masks that the PLC is compromiseded with a range of security products, including – • Compromise a PLC by implementing its ownMcAfee (Mcshield.exe); Kaspersky KAV (avp.exe); blocks or infecting original blocks.Symantec (rtvscan.exe); Symantec Common Cli-ent (ccSvcHst.exe); Trend PC-cillin (tmpproxy.exe) The Grand Finaleto name a few. Stuxnet then searches the registry Now that Stuxnet has finally exploited the PLCfor any indication that McAfee, Trend PC-cillin or it has achieved it has reached its final destina-Kaspersky’s KAV (v.6-9) software is in operation. tion. Where Stuxnet is then able to execute itsIf Stuxnet is able to identify any of these technolo- final exploits which is to slow down or speed upgies it then extracts the version which is used to frequency motors. For example when the fre-target how to process injections or whether it is un- quency of motor is running between 807Hz andable to by-pass these security products. 1210Hz, Stuxnet adjusts the output frequency for shorter periods of time to 1410Hz and subse-Elevation of Administrative Access Rights quently to 2Hz and then back to 1064Hz. TheseAnother feature of Stuxnet is in its ability to elevate frequencies are typically used by centrifuges inaccess rights to run with the highest level of privi- uranium enrichment plants. Ultimately Stuxnet isleges possible. Stuxnet detects the level of privi- designed to destabilize ICS/SCADA by chang-leges assigned to it and if these are not Admin- ing the speeds in uranium centrifuges to sabo-istrative Access Rights it then executes zero-day tage operations, with the potential for devastat-privilege escalation attacks, such as MS10-073. ing consequences. 01/2012 Page 24
  • F R E ELittle Brother – Duqu • Like Stuxnet, Duqu’s utilities include stolenIn the September of 2011, researchers at the Bu- signing certificates for signing drivers stolendapest University’s Laboratory for Cryptography from a company in Taiwan, with an expiry dateand System Security (CrySyS) made the alarming of August 2nd 2011. These certificates werediscovery of a Trojan resembling Stuxnet. Their later revoked on October 14th 2011.fears were confirmed after dissecting this newthreat revealed components were close to being The resemblances in design of Stuxnet and Duquidentical to Stuxnet indicating that the writers were indicate that they were most likely developed byindeed the same authors, or persons with access the same authors. Kaspersky Lab’s Analysts ex-to the source code of Stuxnet. They labelled this amining the source code of both programs statenew threat “Duqu” due to its design in which it cre- that – “We believe Duqu and Stuxnet were simul-ates file names with the prefix ~DQ. taneous projects supported by the same team of Duqu is a remote access Trojan designed to developers”.steal information from the victim machine and isdesigned to act as a precursor to a future mal- The Launch Pad – Tildedware attack, similar to the Stuxnet operation. How did Stuxnet and Duqu manage to launchDuqu is designed to act in much the same way some of the most effective cyber-attacks on re-as a reconnaissance agent gathering intelligence cord so far? The “launch pad” for this cyber artil-from a variety of targets, and like Stuxnet; Duqu’s lery goes by the name of Tilded.primary targets are industrial infrastructure. Da- The Tilded platform is modular in nature and ista sources collected by this Trojan include design designed to conceal the activities of malicious soft-documents, keystrokes records and other sys- ware by employing techniques such as encryption,tem information. Once this intelligence has been thereby evading detection by anti-virus solutions.gathered by the Trojan, it is then returned to the By utilising the Tilded platform developers of cy-command and control servers, over HTTP and ber weapons can simply change the payload, en-HTTPS, positioned across global locations such cryption techniques or configuration files in orderas China, Germany, Vietnam, India and Belgium. to launch any number of exploits against a rangeThis information can then be used by Duqu’s cre- of targets. File naming conventions used by Til-ators to then launch a premeditated cyber assault ded’s developers employed the Tilde symbol andagainst the designated target. By default Duqu is the letter “d” combining the two resulted in adopt-designed to operate for a set period of time (either ing the name – Tilded. The Tilded team of develop-30 or 36 days depending on the configuration). ers however still remain unknown.After which the Duqu will automatically remove it- What we do know about Tilded is that it has un-self from the system. A comparison of Duqu and dergone significant changes since its inception inStuxnet demonstrates: 2007 with subsequent revisions created through to 2010. The researchers at Kaspersky have been• Duqu’s executables were created using the able to confirm that a number of projects were same source code as Stuxnet. undertaken between this period where programs• Duqu’s payload resembles no similarity to that based on the “Tilded” platform were circulated in of Stuxnet. Duqu’s payload is written with the cyberspace, Stuxnet and Duqu being two exam- intention of conducting remote access capabil- ples. While other researchers have indicated an- ities whereas Stuxnet’s payload is designed to other variant exists, the Stars worm (also target- sabotage an ICS/SCADA. ing ICS/SCADA systems) resembles Stuxnet. How• Duqu’s Payload aims to capture keystrokes many other programs have also been created but and system information rather than modify tar- may not yet have been detected remains to be de- get systems. termined. What is clear is that as Tilded and simi-• Duqu (being a Trojan) do not contain any self- lar programs continue to develop, we will see en- propagation capabilities as found in worms like hanced prototypes being catapulted into the digital Stuxnet. limelight.• Duqu in one example is distributed by attack- ers using specially crafted email containing a Are We Prepared for a Digital Apocalypse? word document which exploits an unpatched On the May 6th 2012, the US Department of 0-day vulnerability to Homeland Security reported that a major Cy- 01/2012 Page 25
  • F R E E Cyberwar References • Clayton, M. (2012). Alerts say major cyber attack aimed at gas pipeline industry. Retrieved 12th of May 2012 from: cyber-attack-aimed-gas-pipeline-industry/#.T65jgesti8D • Kamluk, V (2011). The Mystery of Duqu: Part Six (The Command and Control servers). Retrieved 12th of May 2012 from: • Kovacs, E. (2011). Stuxnet, Duqu and Others Created with ‘Tilded’ Platform by the Same Team. Retrieved 12th of May 2012 from: Team-243874.shtml • RAND (2009). Cyberdeterrence and Cyberwar. Retrieved 12th of May 2012 from: graphs/2009/RAND_MG877.pdf • Rouse, M. (2010) Cyberwarfare. Retrieved 12th of May 2012 from: berwarfare • Schneier, B. (2010) Stuxnet. Retrieved 12th of May 2012 from: xnet.html • Symantec (February 2011). W32.Stuxnet Dossier Version 1.4. Retrieved 12th of May 2012 from: http://www.syman- • Symantec (November 2011). The precursor to the next Stuxnet W32.Duqu Version 1.4. Retrieved 12th of May 2012 from: the_next_stuxnet.pdf • Teksouth Corporation (2010). Cyber Warfare in the 21st Century: Guiding Doctrine and an Initial Conceptual Fra- mework. Retrieved 12th of May 2012 from: • Westervelt, R. (2012). Tilded platform responsible for Stuxnet, Duqu evasiveness. Retrieved 12th of May 2012 from: Attack was being launched against computer foundation for understanding these multifacetedsystems used for a national gas pipeline compa- threats is now being established. The next chal-ny supplying a total of twenty five percent of the lenge being faced is in developing strategies/United States energy. The cyber strike has been frameworks to deter the motivational factors lead-traced back to a single source and many experts ing to the creation of these threats whereby influ-believe that this is an early indicator of a highly or- encing the mindset of cyber militants will be theganised Cyber Warfare operation. Early detection key defence mechanism available to preventing aof the warning signs of such an attack has instilled digital apocalypse.reassurance throughout the wider global commu-nity that adequate mechanisms are now in placeto ensure, at the minimum, a wide-scale cyber-at-tack will be detected and deterred prior to it ac-complishing any major impact. As discussed, the dynamic and often unpredict-able composition of emerging threats reveals thecritical need for developing new strategies withinthe Cyber Security community, so that detection Cecilia McGuireof these unconventional threats can be done so Cecilia McGuire is a dynamic freshwith greater accuracy and prior to them develop- thinker and quiet achiever. Like manying the capability to orchestrate operations. RAND Gen-Y’s, she has spent the past decadeCorporation has stated that as long as systems living a somewhat nomadic existencehave flaws, Cyber-attacks will be possible and “… having worked globally, expandingas long as nations rely on computer networks as a her awareness of international secu-foundation for military and economic power and as rity requirements and foresight into upcoming trends.long as such computer networks are accessible to She attributes much of her influence to growing up inthe outside, they are at risk”. Deterrence therefore an unconventional family in rural Australia, amongst ais the key. blend of western and eastern philosophical paradigms. Despite these challenges, real progress is being In 2010, she completed a Masters of Information Securi-made. As the nature of Cyber Warfare becomes ty and now lives in Sydney where she works as a Securi-better understood, in spite of its complexities, a ty Consultant. 01/2012 Page 26
  • F R E E SCADAThe Box holesPen Testing a SCADA platformMidnight.It is hot and humid down here… Temperature is at 36 Celsius.The temperature processor should start computing the increasedlevel and begin to compensate.The core is up to 84 Celsius, but in less than a minute the injectorsshould start their work.Unless some problems…“I have not heard the fan starting Abder… what’s wrong?”T he voice erupts from a badly regulated radio speaker… “I don’t know Raman!...”, says Abderrahim quick- SCADA platform introduction Nobody wanna be in such condition isn’t it? In the last decade SCADA (Supervisory Controlly moving his wheeled chair between two segment and Data Acquisition) systems have moved fromof the main panel in the control room. proprietary, closed, networks to open source solu- Looking to the side panel Abderrahim found two tions and TCP/IP enabled networks. Their originalminor alarms… “what’s wrong?” abruptly says… “security through obscurity” approach, in terms of The alarms have been activated by two unau- protection against unauthorized access, has fall-thorized attempts to access the terminal remote- en, together with their interconnection… This has made them open to communicate with “Hey Abder… the fan hasn’t started to lower wa- the rest of the world, but vulnerable, as our tradi-ter temperature level… what’s wrong?” Raman tional computer networks.voice increases his intensity. As a result, some highly publicised successful in- “Buzzer begins to signal core overheating! You trusions has been told by the press, but many oth-must do something quickly!…”… a slight sense of er attacks against energy, transportation and otherpanic betray Raman words. A panic that Abderra- industrial fields have gone unnoticed or untold.him founds appropriate for the situation. One thing to keep in mind is that SCADA systems Ok. Let’s try our manual start procedure… but manage many critical infrastructures of our life, fromwhat means this new panel alarm? What’s on the power grids to railways, from aqueducts to airportsconsole?... and vulnerabilities discovered on such systems A yellow message over a black screen on other could have a deep impact on the overall security of theside of the panel says “Smile u been pwnd… your pot should blow up your ass!” Rest to be noted that, despite security testing Damn Kids! The manual start doesn’t work… has included corporate networks, systems, and “Raman! You hear me? The manual re- software, since the advent of ICT Security, SCADAstart of core injectors doesn’t work from here… systems have been relatively new as a target foryou must do something down there! Quick- Vulnerability Assessment and Penetration Testsly!...” due to the above-mentioned historic reasons. 01/2012 Page 28
  • F R E E Testing SCADA systems is not a usual task, in Often the customer thinks that security throughterms of complexity and strategy. obscurity ensure a sufficient level of protection… is In fact, every SCADA system has specific archi- up to us to demonstrate that recovering those pa-tectures and protocols and, despite the introduc- pers and studying the manuals allows an attackertion of TCP/IP, other aspects are completely differ- to bypass the few procedures enforced on the plat-ent from a platform to another. form… but this requires patience and competence. Therefore, test requires different skill and differ- In addition, despite it is not always applicable,ent planning to be carried out properly. the approach based on information gathering, In my experience, the main difference is due to scanning and exploiting continues to give satisfac-the communication architecture of the TOE (Target tory results, even on SCADA Testing.of Evaluation) and its access model. However, do not forget our motto: “think outside- If the TCP/IP is widely adopted on the SCADA the-box” it is a foundation on SCADA testing too.infrastructure and the Input System is based on aWindows or UNIX platform, then the testing strat- Testing the Boxegy can be moulded closely to a traditional Pen Several testing techniques are available, today, inTest. the SCADA field. If the TCP/IP is limited to small fraction of the Problems arise for testers when facing customenvironment and the Input System is a proprietary proprietary platforms. Another important aspect isplatform, then the test should be designed around related to the testing radius.different factors, such as the knowledge of the pro- If networking elements and platforms are includ-prietary platform and the adoption of known cus- ed as Targets of Evaluation (TOEs) then the com-tom scripting for attacking the environment. plexity and temporal extent of the analysis increas- This seriously affects the choice of the Team in es significantly.order to fulfil the task quickly and smoothly. In my experience, as SCADA/ATM Banking tes- In some cases, the knowledge of a very old SCA- ter, I have met very complex networking infrastruc-DA environment is limited to few operators and tures where the SCADA systems are just the partsome musty papers long forgotten by the original of the entire environment and testing them re-SCADA retailer. quires to properly planning the entire task identi-Figure 1. A typical networked SCADA Environment 01/2012 Page 29
  • F R E E SCADAfying specific skills needed to the team in order to Some SCADA platforms are just custom Win-fulfil the job. dows Operating Systems, mainly Windows CE, This means that, unlike traditional pen testing, in 2000 or XP, with tons of common vulnerabilities.this case the test should be organize around a very They are usually not patched by the vendor be-peculiar team made by properly skilled and expe- cause patching could affect operation availabilityrienced developers and Sysadmins, with specific of the platform, or because update them meansplatform knowledge. a very long job or because it has not included in In other words in a proprietary SCADA test you maintenance contract.should prepare a fire-and-forget team, with at least In these cases, the SCADA platform is composedone expert of the target platform. of a distributed system with a central “knowledge” During a funny, but important analysis made few that manages and monitors endpoint operations.years ago, on a public transportation platform, The SCADA platform is over the OS layer, as anwhere the distributed control RTU was an old and application running on core devices with a limited“forgotten” SCADA proprietary platform, my team part of it running on endpoints (Figure 1).has been rounded up with an old retiree, the only Testing strategy heavily depends on the charac-person we have found with skill good enough to teristics of the platform and its ecosystem.ensure a proper testing of the environment. In case of Windows boxes a traditional approach The retiree has been a key person in the test, could be applied, at least in specific areas, other-identifying several critical vulnerabilities. The fun wise a specific attack strategy must be developedwas the discovery of a vulnerability affecting toi- for the task. In particular it is very important to un-let service on the system… worst, with specific derstand the communication mechanism and thecommands, once the platform was under attack- networking protocol involved, especially if they relyer’s control, the automatic toilet flush could be re- on proprietary protocols and interfaces.versed (with a result that anyone can imagine… Often, the goal of system exploit could be reached However, environment complexity does not nec- through very simple and effective strategies byessarily mean testing complexity. adopting “out-of-the-box” attacking scheme.Figure 2. A complex SCADA environment 01/2012 Page 30
  • F R E E In other cases, for example during some SCADA In one of my first experience in this field our team,banking tests, the resort of “physical” electronics during a test for a network replay attack against adevices could be the best way to achieve the ob- Siemens System, wrongly define the number of re-jective. Nevertheless, all this means to study and play packets sent against the TOE creating a dev-customize the testing job accordingly and avoid re- astating Denial of Service for the System’s CPUlying on commercial or open source scanners. Use forced to replay the same action for eleven timesyour brain instead. in a row. Obviously, the scanner is a valuable tool, but the In another test, during an attempt to force au-tester must know how to use it accordingly to the thentication on a MTU unit the tester, ignoring theanalysis goal. presence of a limit on the attempt per seconds, In fact, the result taken from a scanner, if not has triggered a system reboot for overflow condi-properly verified, could lead to false positive or tion. Unfortunately, lately we have discovered thatfalse negative evidences, thus lowering the cogen- the password was very easy to guess…cy of the report. In another task we have successfully intercepted This is particularly true in SCADA testing. authentication by a MitM, but we have ignored that As a general recommendation a SCADA Secu- the system does not support double authenticationrity assessments should be bounded by a detailed with same credential thus leading to the isolationassessment plan that specifies a schedule and of the MTU from the rest of the environment whenbudget, targets and goals, expected deliverables, our team have logged to verify the intercepted cre-hardware and resource requirements, rules of en- dentials.gagement, and a recovery procedure. This is where experience and competence are It is of capital importance that the team assigned the sole chances to fulfil the perform the assessment should be involved in As you can imagine there are many ways a sys-the development of the assessment plan (Figure tem can be penetrated.2). Some rely on the same principle adopted in a traditional testing, for example MitM for passwordExploiting the box stealing or Drive-by attacks against system’s us-As stated previously, attacking a SCADA platform ers. For example, if we attack a laptop used to pro-is an action full of consequences, in particular on gram the PLC.production systems based on proprietary software Another potential way is to prepare an USB driverand protocols. and give it to internal personnel working on SCA- One of the most concerning aspect is related to DA system. This trick has been used by Stuxnet tothe possible interruption of service. attack Iranian WinCC systems in 2010. To avoid the risk, experience and competence Another interesting attack pattern relies on dial-are essential factors. up modems and wardialing. An experienced operator can predict the platform In fact, many SCADA producers provide remotebehaviour, a competent tester can, then, adapt the access to their platform so technical support staffattacking pattern in order to avoid predictable mal- can access the devices remotely. Remote accessfunctions without a too conservative approach that provides administrative level access to a system.could thwart the testing results. By using a war dialer, or programs that dial con- Only experience and competence can help the secutive phone numbers looking for modems, andteam to identify a correct attack sequence with a with password cracking software, it is possible tocorrect exploit selection and this is of capital im- gain access to systems. Last but not least, pass-portance when the analysis goes deep and im- words used for remote access are often commonposes to pwn the platform. to all implementations of a particular vendor’s sys- Often the platform complexity, in terms of num- tems and may have not been changed by the endber of elements, hides the simplicity of the code user.and its easy exploitability. But sometimes the lack Other techniques depend upon platform-relatedof information about the proprietary software, vulnerabilities, for example web-related exploits.or about custom specific customization, leads This is a recent trend. Many SCADA producersthe entire team into the sea of doubts, where a have integrated Web Services inside their prod-move in a wrong direction could be devastat- ucts in order to offer more flexible options to con-ing. nect and manage their platform. Obviously a vast 01/2012 Page 31
  • F R E E SCADAmajority of them has decided to adopt Apache as a Therefore, it should be done as grey box or whitewebserver, thus paving the way to Apache-related box test.attacks or other exploitation techniques based on In my experience, going black box could be donetraditional web attacks. only if potential compromise of the platform does To define the best attacking strategy initial knowl- not risk to block a critical infrastructure, but the op-edge based on experience and information gather- portunity is very are invaluable. However, the first step should aim to character- ize the platform in terms of software, firmware andBut let’s plan a SCADA Test architecture. To do this, in black box, extreme cau-First of all, SCADA test is not noob friendly and tion must be enforced on all the operative tasks.cannot be learned in Lab. Normally it is good to collect information from This means that to put your hands on a testing Internet through search engines and social engi-environment you should be an experienced pen neering.tester. Looking to company information should suffice. Nobody wants to risk a production platform put- In case of difficulties in finding reliable informa-ting it at mercy of an inexperienced tester, isn’t it? tion, a social engineering test on company opera- Usually behind SCADA rely an industrial pro- tors could be a valid next step.duction line or worst a public service such as aq- Many SCADA operators are field technicians andueducts, railways or nuclear power plants… The engineers without security must be confident and very experienced on In a task on a water extraction SCADA platform,pen testing. by talking with a pipeline designer has been suf- Normally SCADA testing cannot be practically ficient to identify all component of the platform inmade as black box testing, too much risks are at terms of hardware type, firmware version and prob-stake. lems recorded in the past. The engineer was eagerFigure 3. Different attack types and targets 01/2012 Page 32
  • F R E Eto share a technical talk with an outsider showing • Spoofingall his ability in overcome problems. • To masquerade as another in order to initi- In white box testing all that information should be ate an unauthorized actioncollected before the definition of the test. • Replay Once the team has the platform data it is good to • To record and retransmit valid data (manipu-proceed to the following steps: lating time variable) to trigger unpredictable results• Reconnaissance• Scanning Clearly, it could be possible, for an attacker, to• Protocol dissection perform DoS also, but usually the tester only eval-• Exploit uates it as a possibility. In my experience, only few customers ask you toThe final step (Exploit) identifies the direct or indi- go further by blocking a service. Rest assured thatrect approach to the Target Systems. in some environments a DoS could be practical for Usual attack pattern could be Client based, Net- a cybercriminal in order to delay or block the flowwork based or Platform related. of information. Client based attacks could be performed against Attack patterns in this case are defined bytraditional Client or Server Systems with SCADAapplication running in them. The attack strategy, in • physical destruction – but can be detectedthis case, relies on Operating System or Applica- through fault-handling programs.tion specific vulnerabilities and it is similar to tradi- • Communication jamming – no effective coun-tional pen testing analysis. termeasures exist. Microsoft Windows is extremely popular as a Cli-ent OS so we will not cover this part, as it is very Platform related attacks are dependent from thesimilar to usual testing techniques. technology in use and from the quantity of known In SCADA Network, we can use several tradition- vulnerabilities. Obviously not all the vulnerabilitiesal tests such as MitM, but we have the chance to disclosed are usable or reliable but a good scan-identify Maintenance Port or to use Spoofing, an ner could give us some good hints. The rest is upuncommon technique nowadays. to our Customer to let us try those vectors against Therefore, we can describe the attacks: his infrastructure. The security community has identified lot of vul-• Man-in-the-Middle (MITM) nerabilities. Nessus and other scanners have in- • To intercept, alter, and relay a communica- tegrated scan modules for SCADA systems, but if tion message you want to look to a good and reliable source, you• Maintenance port can point your browser to: • To install a malicious program vulndb/ics-vuln-ref-list.html.Figure 4. The MODBUS protocol family OSI stack representation 01/2012 Page 33
  • F R E E SCADAPayload and persistence However we must note that vulnerabilities andIn case of plain exploitation of a system, we can payloads, sometimes, are due to the burden ofconclude our task by adopting a custom payload. monitoring and keep update all system software This is where our fantasy could express itself. on all of the devices in the network. Traditionally a payload is used to describe theaction that will be performed once vulnerability has A real live one: Attacking ModBusbeen exploited. Usual persistence options are: communications The MODBUS is a serial communications proto-• Backdoor. In Windows end points a reliable col created in the 1970’s by the Modicon Corpora- backdoor can be installed quickly. In my expe- tion for use with its programmable logic controllers rience CyberGate RAT or DarkComet are the (PLCs). weapons of choice. The protocol’s simplicity and efficiency, combined• Platform setting modifications. By activating a with the publishing of its specifications by Modicon newest user profile with network access or by caused it to become widely adopted throughout modifying configuration settings (some reverse the industrial controls and SCADA world as a de- engineering may be needed). facto industrial standard.• Spoofing system operators. This attack pattern The original MODBUS system was a simple two- requires dumping platform user database and layer communication stack running on top of a se- breaking cryptographic protections, which is a rial EIA-232 link. very time consuming, and challenging process. As different physical layer options became avail-• Changes to instructions and commands (re- able (see Figure 4), it was subsequently marketed quires a skilled operator in the team). as a number of different of network products, the best known of which are MODBUS, MODBUS+Protocol manipulation, vulnerability exploitation and MODBUS/TCP.and the man-in-the-middle attacks are among the The common element in all of these MODBUSmost popular ways to manipulate insecure proto- networks is a client-server command structurecols, such as those found in control systems. commonly known as the MODBUS ApplicationFigure 5. Simply ModBus 01/2012 Page 34
  • F R E EProtocol (MBAP), a layer-7 protocol in the Open of ciphering the traffic, check the integrity of mes-Systems Interconnection Reference Model (OSI/ sages, and authenticate client and serverRM). On our scenario an attacker could send packets In ModBus Architecture are defined two kinds of to the control network either from inside or outsidedevices: and by doing this he could reset connection, send commands to the slaves (RTUs) or cheat masters• ModBus Master: is the device requesting the (HMI) with fake data pretending to be the PLCs. information. He could also sniff traffic and retrieve information• ModBus Slaves: are the devices supplying in- about memory addresses or common operations formation. performed on the system. But how to do this?In a standard Modbus network, there is one Mas- The answer is by collecting a Modbus simulator:ter and up to 247 Slaves, each with a uniqueSlave Address from 1 to 247. In addition the Mod- • Master can also write information to the • ht tp: // w w w.brothersof /simply- mod -Slaves. bus-117531.html The official Modbus specification can be foundat: and by interconnecting our PC with a serial inter- A simple request-reply scheme is used for all face.transactions. The network communications follow The configuration of the messages is very easy,this scheme: once we know what message or instruction to transmit.• The ModBus Master device initiates a request The following pane shows Simply ModBus inter- and the slaves replies. face: Figure 5. For example, when a Human Machine Inter- We can also try to intercept and replay ModBus face (HMI) workstation requires a value from streams in TCP/IP network, for this goal Cain&Abel, a PLC it sends a request message to start the Wireshark or Ettercap are a good tool to start with. data transfer process. In response the PLC Once we collect and replay the streams we will then sends the requested information. In our be able to exploit the communication thus comple- case, the device running the HMI will act as ting the initial goal. Of course, by studying the re- the client/master and the PLC act as the serv- quest/response mechanism we can force the pla- er/slave. tform to perform our will.• Each message contains a function code that Next time we will discuss more option on SCADA is set by the client/master and indicates to the testing, but also some mitigation techniques. server/slave what kind of action to perform. UP THE IRONS! Function codes are the same for requests and responses since the server simply reflects the function code back to the client.There are 127 possible function codes that fall in-to three general categories:• Public function codes.• User Defined function codes.• Reserved function codes.In order to define multiple actions or to allow fu-ture enhancements, other Sub-codes are addedto some function codes. The MODBUS protocol was not initially designedwith cybersecurity in mind; hence it lacks themechanism to avoid the classical information se-curity threats. The protocol does not include a way Stefano Maccaglia 01/2012 Page 35
  • Develop for theNext Big Platform!Attend the Windows Phone October 22-24, 2012Developer Conference and get Hyatt Regencythe best developer training! Burlingame, CA www.WPDevCon.netLearn from the top experts at theWindows Phone Developer Conference,including 12 Microsoft MVPs! 50+ Classes and Workshops focus on a variety of important topics: n Design implementation n User experience Darrin Michael Nick Jose Luis Bishop Cummings Landry Latorre n Location intelligence n Application design services n HTTP protocol n Rich data visualization n Building reusable and implementation components n Cloud-based mobile n Microsoft push Chris Colin Walt Lino solutions Love Melia Ritscher Tadros notification service n Development n Creating custom leveraging HTML5 animation n and many more! Kelly Shawn Chris Chris Visit for a full list of speakers, White Wildermuth Williams Woodruff bios, classes, workshops, and special events! Learn, network, Register Early and seize the for the opportunities biggest that discounts! Windows Phone at represents. www.WPDevCon.netWPDevCon™ is a trademark of BZ Media LLC. Windows® is a registered trademark of Microsoft.Produced by BZ Media @WPDevCon
  • In the next issue of F R E E Malware IS Risk Assessment Measurement DDoS Attacks Metasploit Penetration Testing Available to download on August 20thIf you would like to contact PenTest team, just send an emailto We will reply a.s.a.p.PenTest Magazine has a rights to change the content of the next Magazine Edition.
  • MOBILE SECURITY ONLINE SUMMIT LIVE 11th JULY Join this free summit to hear industry experts and experienced practitioners share how your business can profit from the mobile phenomenon without being exposed to threats such as data leakage, malware attacks and unauthorised data access. FIND 8 thought leadership webinars LEARN about the latest industry trends SHARE the knowledge To register for free and view the full lineup go to
  • CYBER CRIMELAWYERSPannone are one of the first UK firms to recognise theneed for specialist cyber crime advice. We can bothdefend and prosecute matters on behalf of privateindividuals and corporate bodies.We are able to examine material or secure evidencein-situ and will then represent your needs at every stepof the way. Our team has a wealth of experience in this growingarea and are able to give discrete, specialist advice.Please contact David Cook on0161 909 3000for a discussion in confidence or
  • Keep up to date on the latest developments in the world of digital forensics Read Feature Articles on: / Training and Certfication / Management issues / Tools and Techniques / eDiscovery/eInvestigation / Incident Response/First Response / Hardware and Software / Network Forensics / Cyber Forensics / and much more... Apple Autopsy: / A Digital Forensics look at all things Apple From the Lab: / In depth technical articles on products and techniques Legal Section: / In-depth articles on legal matters affecting Digital Forensics along with the latest legal news from around the world Visit for the latest news and views from the digitalforensic community with special articles for registered users. NEXT ISSUE OUT SOON SUBSCRIBE NOWProspective authors should contact for information on submissions.