Saturday, November 24, 2012

Wireless Networking: Beacon Frames

Beacon Frames are the management packets broadcast by Access Points (AP) to announce their presence. Beacon Frames contain critical information which Clients use to establish connections.


A wireless packet is a Beacon Frame if its Type is 0 and its Subtype is 8.

Critical information sent from the AP:
        Timestamp for syncing between AP and Client.
        Beacon Interval, which tells the Client at what intervals the AP sends Beacon Frames.
        BSS ID or MAC Address of the Access Point.
        Service Set IDentifier (SSID) of the AP, NETGEAR here.
        Channel (11) being used, which tells the frequency on which signals are transferred.
        Rate at which the AP can transmit data.

The receiver radios (Client interfaces/NICs) frequently scan all 802.11 radio channels, listen to beacons and interpret them in order to associate with an AP using the given credentials.
There are three main types of wireless packets:
        Management (Type 0)
        Control (Type 1) and
        Data (Type 2)
Beacon Frames are classified under management packets; each of these types of wireless packets has many subtypes.
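The fields listed above can be pulled out of a raw frame with a short parser. This is an added example, not code from the original post: it assumes the frame starts at the 802.11 MAC header (no radiotap header), and the sample frame is constructed, with the SSID and channel taken from the post and a made-up BSSID.

```python
import struct

def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 frame (no radiotap header) and return its beacon fields."""
    if len(frame) < 36:  # 24-byte MAC header + 12 bytes of fixed parameters
        raise ValueError("frame too short for a beacon")
    fc = frame[0]  # first Frame Control byte: version(2) | type(2) | subtype(4)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (0, 8):  # Management / Beacon
        raise ValueError(f"not a beacon: type={ftype} subtype={subtype}")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # address 3
    timestamp, interval, _capab = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid, "timestamp": timestamp, "beacon_interval": interval,
            "ssid": None, "channel": None, "rates_mbps": []}
    pos = 36
    while pos + 2 <= len(frame):  # tagged parameters: id, length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated tagged parameter")
        if tag == 0:  # SSID (zero length means a hidden SSID)
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 1:  # Supported Rates, in units of 500 kbit/s
            info["rates_mbps"] = [(b & 0x7F) * 0.5 for b in value]
        elif tag == 3 and length == 1:  # DS Parameter Set: current channel
            info["channel"] = value[0]
        pos += 2 + length
    return info

def build_sample_beacon() -> bytes:
    """Constructed sample: SSID and channel from the post, made-up BSSID."""
    bssid = bytes.fromhex("020000aabbcc")
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 123456789, 100, 0x0401)  # timestamp, interval, capabilities
    tags = b"\x00\x07NETGEAR" + b"\x01\x04\x82\x84\x8b\x96" + b"\x03\x01\x0b"
    return header + fixed + tags

if __name__ == "__main__":
    print(parse_beacon(build_sample_beacon()))
```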

Other posts which might be of interest to you.
http://darshanams.blogspot.in/2012/04/certifications-for-ids-ips-fw-webemail.html
http://darshanams.blogspot.in/2012/05/cain-and-abel-password-cracking.html

Saturday, November 17, 2012

Enabling Wireless Interface (NIC Card) to Sniff Traffic


    Unlike wired sniffing, wireless sniffing is not straightforward. In this post we will figure out how to put a wireless interface/NIC into Promiscuous Mode. In wireless parlance, promiscuous mode is called Monitor mode. For wireless hacking we use the aircrack-ng tool suite.

iwconfig or ifconfig must detect your interface. If your interface is not detected, install the proper drivers.


airmon-ng without arguments shows the list of available wireless interfaces and the drivers loaded.

The command below creates the virtual interface mon0, which is used for sniffing traffic.
airmon-ng start wlan0

If the above command executes successfully, iwconfig should show the output below. mon0 is the virtual interface which is used for sniffing.

A wireless card can be on only one channel at a time, so it cannot sniff on all channels and bands at the same time. To sniff on a specific channel (default):
airodump-ng --channel 1 mon0
 

To sniff on all channels present in bands b and g, run the command below.

airodump-ng --band bg mon0
This hops on all channels present in the b and g bands; otherwise, by default, it hops on 2.4GHz channels only. Output after hopping on all channels is shown in the snapshot below.
 
Running wireshark on interfaces wlan0 and mon0 shows the output below. We can see 802.11 in the Protocol field.

For a better understanding of Bands, Channels and Sniffing, visit
http://www.securitytube.net/video/1757
This post is mostly based on the above video.

If you are interested in Snort IDS related posts, follow
http://www.darshanams.blogspot.in/search/label/snort
For l7-proto
http://www.darshanams.blogspot.in/search/label/l7proto
For VoIP
http://www.darshanams.blogspot.in/search/label/VoIP

Friday, August 24, 2012

VoIP STUN Request/Response Packet Structure


STUN stands for Session Traversal Utilities for NAT. It is mainly used for NAT traversal by IP applications (say Voice, Video, Messaging).

Below snapshot shows STUN Request Packet

Below snapshot shows STUN Response Packet 
Text view of full capture
Request
No.     Time        Source                Destination           Protocol Length Info
    264 200.289545  10.0.0.2              77.72.169.158         CLASSIC-STUN 62     Message: Binding Request

Frame 264: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
    Arrival Time: Aug 23, 2012 16:36:32.609220000 India Standard Time
    Epoch Time: 1345719992.609220000 seconds
    [Time delta from previous captured frame: 7.022449000 seconds]
    [Time delta from previous displayed frame: 15.027355000 seconds]
    [Time since reference or first frame: 200.289545000 seconds]
    Frame Number: 264
    Frame Length: 62 bytes (496 bits)
    Capture Length: 62 bytes (496 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:classicstun]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Vmware_ef:18:30 (00:0c:29:ef:18:30), Dst: (00:bb:f7:00:8b:1f)
    Destination: (00:bb:f7:00:8b:1f)
        Address: (00:bb:f7:00:8b:1f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Vmware_ef:18:30 (00:0c:29:ef:18:30)
        Address: Vmware_ef:18:30 (00:0c:29:ef:18:30)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.0.0.2 (10.0.0.2), Dst: 77.72.169.158 (77.72.169.158)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 48
    Identification: 0x3eea (16106)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (17)
    Header checksum: 0xfaea [correct]
        [Good: True]
        [Bad: False]
    Source: 10.0.0.2 (10.0.0.2)
    Destination: 77.72.169.158 (77.72.169.158)
User Datagram Protocol, Src Port: 8006 (8006), Dst Port: stun (3478)
    Source port: 8006 (8006)
    Destination port: stun (3478)
    Length: 28
    Checksum: 0x1f88 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Simple Traversal of UDP Through NAT
    [Response In: 265]
    Message Type: Binding Request (0x0001)
    Message Length: 0x0000
    Message Transaction ID: 000000007e5634120000000000000000


Response
No.     Time        Source                Destination           Protocol Length Info
    265 200.465322  77.72.169.158         10.0.0.2              CLASSIC-STUN 98     Message: Binding Response

Frame 265: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
    Arrival Time: Aug 23, 2012 16:36:32.784997000 India Standard Time
    Epoch Time: 1345719992.784997000 seconds
    [Time delta from previous captured frame: 0.175777000 seconds]
    [Time delta from previous displayed frame: 0.175777000 seconds]
    [Time since reference or first frame: 200.465322000 seconds]
    Frame Number: 265
    Frame Length: 98 bytes (784 bits)
    Capture Length: 98 bytes (784 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:classicstun]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: (00:bb:f7:00:8b:1f), Dst: Vmware_ef:18:30 (00:0c:29:ef:18:30)
    Destination: Vmware_ef:18:30 (00:0c:29:ef:18:30)
        Address: Vmware_ef:18:30 (00:0c:29:ef:18:30)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: (00:bb:f7:00:8b:1f)
        Address: (00:bb:f7:00:8b:1f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 77.72.169.158 (77.72.169.158), Dst: 10.0.0.2 (10.0.0.2)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 84
    Identification: 0x19c5 (6597)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 238
    Protocol: UDP (17)
    Header checksum: 0x71eb [correct]
        [Good: True]
        [Bad: False]
    Source: 77.72.169.158 (77.72.169.158)
    Destination: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: stun (3478), Dst Port: 8006 (8006)
    Source port: stun (3478)
    Destination port: 8006 (8006)
    Length: 64
    Checksum: 0xac24 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Simple Traversal of UDP Through NAT
    [Request In: 264]
    [Time: 0.175777000 seconds]
    Message Type: Binding Response (0x0101)
    Message Length: 0x0024
    Message Transaction ID: 000000007e5634120000000000000000
    Attributes
        Attribute: MAPPED-ADDRESS
            Attribute Type: MAPPED-ADDRESS (0x0001)
            Attribute Length: 8
            Protocol Family: IPv4 (0x0001)
            Port: 8006
            IP: 61.12.12.132 (61.12.12.132)
        Attribute: SOURCE-ADDRESS
            Attribute Type: SOURCE-ADDRESS (0x0004)
            Attribute Length: 8
            Protocol Family: IPv4 (0x0001)
            Port: 3478
            IP: 77.72.169.158 (77.72.169.158)
        Attribute: CHANGED-ADDRESS
            Attribute Type: CHANGED-ADDRESS (0x0005)
            Attribute Length: 8
            Protocol Family: IPv4 (0x0001)
            Port: 3479
            IP: 77.72.169.159 (77.72.169.159)
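The same request/response pair can be decoded without Wireshark. This is an added example, not part of the original post: the payload bytes are rebuilt from the field values in the capture above, and the function names (parse_classic_stun, addr_attr, nat_view) are assumptions made for the illustration. It parses the 20-byte header and the address attributes, then compares MAPPED-ADDRESS with the client's own address to show what the server learned about the NAT.

```python
import socket
import struct

MSG_TYPES = {0x0001: "Binding Request", 0x0101: "Binding Response"}
ADDR_ATTRS = {0x0001: "MAPPED-ADDRESS", 0x0004: "SOURCE-ADDRESS",
              0x0005: "CHANGED-ADDRESS"}

def parse_classic_stun(payload: bytes) -> dict:
    """Parse the UDP payload of a classic STUN message (20-byte header + TLVs)."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte STUN header")
    mtype, mlen = struct.unpack_from("!HH", payload, 0)
    if mlen != len(payload) - 20:
        raise ValueError("Message Length does not match the payload size")
    msg = {"type": MSG_TYPES.get(mtype, hex(mtype)),
           "transaction_id": payload[4:20].hex(), "attributes": {}}
    pos = 20
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("!HH", payload, pos)
        value = payload[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute value")
        if atype in ADDR_ATTRS and alen == 8 and value[1] == 0x01:  # IPv4
            port = struct.unpack_from("!H", value, 2)[0]
            msg["attributes"][ADDR_ATTRS[atype]] = (socket.inet_ntoa(value[4:8]), port)
        pos += 4 + alen
    return msg

def addr_attr(atype: int, ip: str, port: int) -> bytes:
    """Encode an address attribute: pad byte, family, port, IPv4 address."""
    return struct.pack("!HHBBH", atype, 8, 0, 0x01, port) + socket.inet_aton(ip)

def nat_view(local: tuple, response: dict) -> dict:
    """Compare the client's own (ip, port) with what the STUN server saw."""
    mapped = response["attributes"]["MAPPED-ADDRESS"]
    return {"mapped": mapped, "behind_nat": mapped[0] != local[0],
            "port_preserved": mapped[1] == local[1]}

# Payloads rebuilt from the field values in the capture above.
TXID = bytes.fromhex("000000007e5634120000000000000000")
REQUEST = struct.pack("!HH", 0x0001, 0) + TXID
_ATTRS = (addr_attr(0x0001, "61.12.12.132", 8006)
          + addr_attr(0x0004, "77.72.169.158", 3478)
          + addr_attr(0x0005, "77.72.169.159", 3479))
RESPONSE = struct.pack("!HH", 0x0101, len(_ATTRS)) + TXID + _ATTRS
```

For this capture, nat_view(("10.0.0.2", 8006), parse_classic_stun(RESPONSE)) reports that the client is behind a NAT and that the NAT kept the source port.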

Other articles of your interest might be
http://darshanams.blogspot.in/2012/06/sip-security1-scanning-voippbx-servers.html
http://darshanams.blogspot.in/2008/11/deciphering-google-talk-jabber.html
http://darshanams.blogspot.in/2009/03/i-was-just-checking-my-mails.html

Thursday, August 9, 2012

Testing Maximum UDP Sessions Limit using netcat

As User Datagram Protocol is connectionless, it is slightly challenging to test a UDP Session Limit. In this blogpost we are going to see how to test UDP sessions using the netcat (nc) tool.

Assume we have configured our Firewall (FW) or Intrusion Prevention System (IPS) with a maximum of 4 UDP Sessions. If we try to establish a new connection beyond the 4th, it should not be allowed. As there is no connection establishment phase (3-way Handshake) in UDP, the connection is identified at the time of data transfer and dropped.

Run the nc command to listen on UDP ports in the background.



Once the UDP Server is up and running, we will connect to different ports on the Server from the Client machine.



Snapshot showing active sessions (ESTABLISHED state) on server.




 Snapshot showing sessions on Client side.



If we go for a 5th connection it will successfully establish a Session, but if we try to transfer data the UDP Sessions Limit rule kicks in and the connection will be blocked.


If we successfully transfer data on the 5th Session, it means “UDP Maximum Connections” set on the FW/IPS is not working properly.

Connection blocking is reported back to the Client using an ICMP UDP Port unreachable error message. In the case of TCP, the Client gets a packet from the Server with the RESET flag set.
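The same test can be scripted, which makes it repeatable for regression checks on the FW/IPS. This is an added example in Python, not the nc commands from the original post; the function names are assumptions. It holds one UDP session open per port, sends data on each, and classifies the outcome: a reply, an ICMP port unreachable ("blocked"), or a silent drop. The local_demo function is a loopback stand-in (4 echo listeners plus one port nobody serves) that reproduces what the Client sees when the 5th session is refused; against a real device, run the listeners on the Server and call probe_sessions with its address.

```python
import socket
import threading

def start_udp_echo(host="127.0.0.1"):
    """Start a UDP echo listener on an OS-chosen port; return (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    def serve():
        try:
            while True:
                data, peer = srv.recvfrom(2048)
                srv.sendto(data, peer)
        except OSError:
            pass  # socket was closed
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv

def probe_sessions(host, ports, timeout=1.0):
    """Open one UDP session per port, keep them all open, send data on each."""
    socks, results = [], []
    try:
        for port in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            socks.append(s)
            s.settimeout(timeout)
            s.connect((host, port))  # connected socket: ICMP errors reach us
            try:
                s.send(b"session-probe")
                s.recv(2048)
                results.append((port, "reply"))
            except ConnectionRefusedError:  # ICMP port unreachable came back
                results.append((port, "blocked"))
            except socket.timeout:  # dropped without an ICMP error
                results.append((port, "silent"))
    finally:
        for s in socks:
            s.close()
    return results

def limit_enforced(results, limit):
    """True if no more than `limit` sessions managed to move data."""
    return sum(state == "reply" for _, state in results) <= limit

def local_demo(listeners=4):
    """Loopback stand-in: `listeners` echo ports plus one port nobody serves."""
    servers = [start_udp_echo() for _ in range(listeners)]
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    return probe_sessions("127.0.0.1", [p for p, _ in servers] + [closed_port])
```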

Following posts might be of interest to you
http://darshanams.blogspot.in/2012/08/web-server-security-php-hardening.html
http://darshanams.blogspot.in/2012/07/portservice-scanning-using-snmp.html
http://darshanams.blogspot.in/2012/06/sip-security1-scanning-voippbx-servers.html

Thank You!!!

Wednesday, August 8, 2012

SOC Interview Questions 2

Below are a few Security Operations Center (SOC) interview questions.

A similar post related to SOC interview questions is already published at
http://blog.disects.com/2012/01/soc-interview-questions-1.html

Q. What is a Proxy?
Q. What is the use of a proxy?
Q. What is the difference between HTTP, HTTPS, HTML?
Q. Explain the 3-way handshake.
Q. The following hacks are happening simultaneously. Which one will you try to protect against first and why?
        a. Bruteforce attack
        b. Data leakage attacks
Q. How do you protect from data leakage attacks?
Q. Out of Financial loss, reputation loss and data loss, which would you protect from and why?
Q. What is a 503 error from a Proxy/Cache server?
Q. Lots of connections are made from the LAN to the Internet on a particular IP. What are your immediate steps to mitigate it?
Q. Any recent hack/compromise you came across? How did you resolve it?

Q. How do you identify a data leakage hack?
Q. On what parameters will you classify data as critical to an organization?
Q. Name a few well known application protocols and the TCP/UDP ports they run on.
Q. What is a NOP sled? What is its HEX value?
Q. Explain SYN Cookie.
Q. Different Port Scanning mechanisms.


Leave answers as comments so it might be useful to others who visit the blogpost :-) !!!

You can send me more questions related to SOC interviews which are not covered here to praveen_recker@sify.com, will update with your questions!!




Thursday, August 2, 2012

Web Server Security: PHP Hardening

PHP is a server-side (web) scripting language used to produce dynamic web pages; HTML per se is a static language.

php.ini is PHP's default configuration file, usually located at /etc/php.ini on most Linux distributions. If you install PHP from source, the /etc/php.ini file path can be modified as part of compilation:
./configure --with-config-file-path=/path/to/php.ini

php.ini has many PHP directives which can be used to secure web applications.

******************Configuration Start************************
;root of the PHP pages
doc_root = "/var/www/html:/etc/scripts/"

;directory under which PHP opens the script
user_dir = /etc/scripts

include_path =

;path to web root
;caution, include all directories which you use 
open_basedir = /var/www/html

save_path =

;disable global variables
register_globals = Off

track_errors = yes
display_errors = Off

;will hide PHP version information
expose_php = Off

;remove few functions based on your requirement
disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo

disable_classes =

safe_mode = Off

use_trans_sid =

allow_url_fopen = Off

allow_url_include = Off

group_id = 100

magic_quotes_gpc = Off

;disable if files are not uploaded to Web server
file_uploads = On

upload_max_filesize =

;memory_limit is set to a very high value
;recommended value is 8M
memory_limit=128M

;if set to a high value, may expose the server to DoS
;recommended value is 2M
post_max_size = 8M

upload_tmp_dir =

user_id = 100

force_redirect = 1

cgi.force_redirect = 1

auto_prepend_file =
auto_append_file =

;Disable Remote File Includes
allow_url_fopen = Off
allow_url_include = Off

;session.cookie_httponly = 1
;session.referer_check = your_url.tld
;session.cookie_secure = 1
******************Configuration End************************

The post "HTTP Response Headers for Mitigating Web Hacks" is in line with the current blog post and might be useful to some of you.

To test the php.ini configuration for security issues, download PHPSecInfo, a security auditing tool.
http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip

Uncompress the archive to web server's root directory (say, /var/www/html) and access the URL as given below
https://testserver.com/phpsecinfo/phpsecinfo-20070406/index.php
NOTE: If php.ini is not used PHPSECINFO will try to read values from default configuration or httpd.conf/ lighttpd.conf
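For a quick offline check of a php.ini file before it reaches a server, a few of the directives above can be audited with a short script. This is an added example, not PHPSecInfo's code: the directive names and the 8M/2M limits come from the configuration above, the rule set and function names are assumptions, and both sample files are constructed.

```python
import re

EXPECT_OFF = ("register_globals", "display_errors", "expose_php",
              "allow_url_fopen", "allow_url_include")
MUST_DISABLE = {"exec", "system", "shell_exec", "passthru", "proc_open"}
MAX_SIZE = {"memory_limit": "8M", "post_max_size": "2M"}  # the post's recommended values

def parse_ini(text):
    """Return {directive: value}; a repeated directive keeps its last value."""
    cfg = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def to_bytes(size):
    """Convert a size such as 128M or 512K to bytes."""
    m = re.fullmatch(r"(\d+)([KMG]?)", size.upper())
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return int(m.group(1)) * 1024 ** "_KMG".index(m.group(2) or "_")

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse_ini(text), []
    for name in EXPECT_OFF:
        value = cfg.get(name)
        if value is None or value.lower() not in ("off", "0", "false", "no", ""):
            findings.append(f"{name}: expected Off, found {value!r}")
    disabled = {f.strip() for f in cfg.get("disable_functions", "").split(",")}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions: missing " + ", ".join(missing))
    if not cfg.get("open_basedir"):
        findings.append("open_basedir: not set")
    for name, limit in MAX_SIZE.items():
        if cfg.get(name) and to_bytes(cfg[name]) > to_bytes(limit):
            findings.append(f"{name}: {cfg[name]} exceeds {limit}")
    return findings

# Constructed samples (not a real server's configuration).
HARDENED = ("expose_php = Off\ndisplay_errors = Off\nallow_url_fopen = Off\n"
            "allow_url_include = Off\nregister_globals = Off\n"
            "disable_functions = passthru, shell_exec, exec, system, proc_open\n"
            "open_basedir = /var/www/html\nmemory_limit = 8M\npost_max_size = 2M\n")
WEAK = ("expose_php = On\ndisplay_errors = On ; shown to visitors\nallow_url_fopen = On\n"
        "allow_url_include = Off\nregister_globals = Off\nopen_basedir =\n"
        "disable_functions = phpinfo, exec\nmemory_limit = 128M\npost_max_size = 8M\n")
```

A misspelled name in disable_functions shows up here as a missing entry, because the check compares exact function names.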

Below is an example snapshot giving a notice on a probable improper configuration.




The snapshot below gives a warning on an insecure configuration.




Snapshot showing "Tests not run" and Results Summary page.