Bit of Everything! Vulnerability Research, Reverse Engineering, Malware Analysis, Exploits etc...
Friday, August 24, 2012
VoIP STUN Request/Response Packet Structure
STUN originally stood for Simple Traversal of UDP through NAT (RFC 3489, which Wireshark dissects as CLASSIC-STUN, as in the capture below); RFC 5389 renamed it Session Traversal Utilities for NAT. It is used for NAT traversal by IP applications such as voice, video and messaging: a client behind a NAT sends a Binding Request to a STUN server on the public side, and the server replies with the source IP address and port it saw the request arrive from, so the client learns its public (NAT-mapped) address.
Below snapshot shows STUN Request Packet
Below snapshot shows STUN Response Packet
Text view of full capture
Request
No. Time Source Destination Protocol Length Info
264 200.289545 10.0.0.2 77.72.169.158 CLASSIC-STUN 62 Message: Binding Request
Frame 264: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Arrival Time: Aug 23, 2012 16:36:32.609220000 India Standard Time
Epoch Time: 1345719992.609220000 seconds
[Time delta from previous captured frame: 7.022449000 seconds]
[Time delta from previous displayed frame: 15.027355000 seconds]
[Time since reference or first frame: 200.289545000 seconds]
Frame Number: 264
Frame Length: 62 bytes (496 bits)
Capture Length: 62 bytes (496 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:classicstun]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Vmware_ef:18:30 (00:0c:29:ef:18:30), Dst: (00:bb:f7:00:8b:1f)
Destination: (00:bb:f7:00:8b:1f)
Address: (00:bb:f7:00:8b:1f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Vmware_ef:18:30 (00:0c:29:ef:18:30)
Address: Vmware_ef:18:30 (00:0c:29:ef:18:30)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.0.0.2 (10.0.0.2), Dst: 77.72.169.158 (77.72.169.158)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 48
Identification: 0x3eea (16106)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (17)
Header checksum: 0xfaea [correct]
[Good: True]
[Bad: False]
Source: 10.0.0.2 (10.0.0.2)
Destination: 77.72.169.158 (77.72.169.158)
User Datagram Protocol, Src Port: 8006 (8006), Dst Port: stun (3478)
Source port: 8006 (8006)
Destination port: stun (3478)
Length: 28
Checksum: 0x1f88 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Simple Traversal of UDP Through NAT
[Response In: 265]
Message Type: Binding Request (0x0001)
Message Length: 0x0000
Message Transaction ID: 000000007e5634120000000000000000
Response
No. Time Source Destination Protocol Length Info
265 200.465322 77.72.169.158 10.0.0.2 CLASSIC-STUN 98 Message: Binding Response
Frame 265: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
Arrival Time: Aug 23, 2012 16:36:32.784997000 India Standard Time
Epoch Time: 1345719992.784997000 seconds
[Time delta from previous captured frame: 0.175777000 seconds]
[Time delta from previous displayed frame: 0.175777000 seconds]
[Time since reference or first frame: 200.465322000 seconds]
Frame Number: 265
Frame Length: 98 bytes (784 bits)
Capture Length: 98 bytes (784 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:classicstun]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: (00:bb:f7:00:8b:1f), Dst: Vmware_ef:18:30 (00:0c:29:ef:18:30)
Destination: Vmware_ef:18:30 (00:0c:29:ef:18:30)
Address: Vmware_ef:18:30 (00:0c:29:ef:18:30)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: (00:bb:f7:00:8b:1f)
Address: (00:bb:f7:00:8b:1f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 77.72.169.158 (77.72.169.158), Dst: 10.0.0.2 (10.0.0.2)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 84
Identification: 0x19c5 (6597)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 238
Protocol: UDP (17)
Header checksum: 0x71eb [correct]
[Good: True]
[Bad: False]
Source: 77.72.169.158 (77.72.169.158)
Destination: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: stun (3478), Dst Port: 8006 (8006)
Source port: stun (3478)
Destination port: 8006 (8006)
Length: 64
Checksum: 0xac24 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Simple Traversal of UDP Through NAT
[Request In: 264]
[Time: 0.175777000 seconds]
Message Type: Binding Response (0x0101)
Message Length: 0x0024
Message Transaction ID: 000000007e5634120000000000000000
Attributes
Attribute: MAPPED-ADDRESS
Attribute Type: MAPPED-ADDRESS (0x0001)
Attribute Length: 8
Protocol Family: IPv4 (0x0001)
Port: 8006
IP: 61.12.12.132 (61.12.12.132)
Attribute: SOURCE-ADDRESS
Attribute Type: SOURCE-ADDRESS (0x0004)
Attribute Length: 8
Protocol Family: IPv4 (0x0001)
Port: 3478
IP: 77.72.169.158 (77.72.169.158)
Attribute: CHANGED-ADDRESS
Attribute Type: CHANGED-ADDRESS (0x0005)
Attribute Length: 8
Protocol Family: IPv4 (0x0001)
Port: 3479
IP: 77.72.169.159 (77.72.169.159)
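The same exchange in code, as an added example that is not part of the original post: it builds the 20-byte Binding Request, parses the Binding Response with its three address attributes, and ties the reply back to the request through the Transaction ID. The request and response bytes are reconstructed from the dissected fields above; the helper names, the NAT check and the "8 or more zero bytes" predictability heuristic are this example's own assumptions.

```python
import os
import struct
from dataclasses import dataclass, field

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
RFC5389_MAGIC_COOKIE = b"\x21\x12\xa4\x42"  # first 4 bytes of the ID in RFC 5389 STUN
ADDRESS_ATTRIBUTES = {0x0001: "MAPPED-ADDRESS", 0x0004: "SOURCE-ADDRESS", 0x0005: "CHANGED-ADDRESS"}


def build_binding_request(transaction_id=None):
    """20-byte classic STUN header: type, length of attributes (0), 128-bit Transaction ID."""
    if transaction_id is None:
        transaction_id = os.urandom(16)  # RFC 3489 requires a random 128-bit ID
    if len(transaction_id) != 16:
        raise ValueError("transaction ID must be 16 bytes")
    return struct.pack("!HH", BINDING_REQUEST, 0) + transaction_id


@dataclass
class StunMessage:
    msg_type: int
    transaction_id: bytes
    attributes: dict = field(default_factory=dict)


def parse_address(value):
    """MAPPED/SOURCE/CHANGED-ADDRESS value: 1 reserved byte, family, port, IPv4 address."""
    if len(value) != 8:
        raise ValueError("unexpected address attribute length %d" % len(value))
    family, port = struct.unpack("!xBH", value[:4])
    if family != 0x01:
        raise ValueError("only IPv4 (family 0x01) is handled here")
    return ".".join(str(b) for b in value[4:8]), port


def parse_stun(data):
    """Parse the header and the TLV attributes, refusing anything whose lengths do not add up."""
    if len(data) < 20:
        raise ValueError("STUN header needs 20 bytes")
    msg_type, msg_len = struct.unpack("!HH", data[:4])
    if len(data) != 20 + msg_len:
        raise ValueError("Message Length %d does not match %d bytes of attributes" % (msg_len, len(data) - 20))
    msg = StunMessage(msg_type, data[4:20])
    offset = 20
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!HH", data[offset:offset + 4])
        value = data[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("attribute 0x%04x claims %d bytes, only %d present" % (attr_type, attr_len, len(value)))
        name = ADDRESS_ATTRIBUTES.get(attr_type, "0x%04x" % attr_type)
        msg.attributes[name] = parse_address(value) if attr_type in ADDRESS_ATTRIBUTES else value
        offset += 4 + attr_len + (-attr_len % 4)  # attribute values are padded to a 4-byte boundary
    return msg


def is_reply_to(request, response):
    """Only the echoed 128-bit Transaction ID ties a Binding Response to our request."""
    return response.msg_type == BINDING_RESPONSE and response.transaction_id == request[4:20]


def behind_nat(local_ip, local_port, response):
    """Compare the address the server saw with the address the socket was bound to."""
    return response.attributes["MAPPED-ADDRESS"] != (local_ip, local_port)


def looks_predictable(transaction_id):
    """Heuristic (this example's own): a random 128-bit ID almost never has 8 or more zero bytes."""
    return transaction_id.count(0) >= 8


def is_rfc5389(transaction_id):
    return transaction_id[:4] == RFC5389_MAGIC_COOKIE


# Bytes reconstructed from the dissected fields in the capture above (constructed for this example).
CAPTURED_TID = bytes.fromhex("000000007e5634120000000000000000")
CAPTURED_REQUEST = build_binding_request(CAPTURED_TID)
CAPTURED_RESPONSE = (
    struct.pack("!HH", BINDING_RESPONSE, 36) + CAPTURED_TID
    + struct.pack("!HHxBH4B", 0x0001, 8, 1, 8006, 61, 12, 12, 132)   # MAPPED-ADDRESS
    + struct.pack("!HHxBH4B", 0x0004, 8, 1, 3478, 77, 72, 169, 158)  # SOURCE-ADDRESS
    + struct.pack("!HHxBH4B", 0x0005, 8, 1, 3479, 77, 72, 169, 159)  # CHANGED-ADDRESS
)

if __name__ == "__main__":
    resp = parse_stun(CAPTURED_RESPONSE)
    print("reply to our request:", is_reply_to(CAPTURED_REQUEST, resp))
    for name, value in resp.attributes.items():
        print("%-16s %s:%d" % ((name,) + value))
    print("behind NAT:", behind_nat("10.0.0.2", 8006, resp))
    print("predictable transaction ID:", looks_predictable(resp.transaction_id))
```

Two things the parsed capture makes visible. The Transaction ID 000000007e5634120000000000000000 is mostly zero bytes rather than the random 128-bit value RFC 3489 asks for, and the response carries no MESSAGE-INTEGRITY attribute, so the ID is the only thing tying a response to a request; a predictable ID makes a forged Binding Response easier to land. And the MAPPED-ADDRESS 61.12.12.132:8006 differs from the socket's own 10.0.0.2:8006, which is how the client learns it is behind a NAT (here one that preserved the source port). The lengths also line up with the capture: a 20-byte request inside a UDP length of 28, and a 56-byte response inside a UDP length of 64.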
Other articles that might interest you:
http://darshanams.blogspot.in/2012/06/sip-security1-scanning-voippbx-servers.html
http://darshanams.blogspot.in/2008/11/deciphering-google-talk-jabber.html
http://darshanams.blogspot.in/2009/03/i-was-just-checking-my-mails.html
Thursday, August 9, 2012
Testing Maximum UDP Sessions Limit using netcat
Because the User Datagram Protocol is connectionless, testing a UDP session limit is slightly more involved than testing a TCP one. This post shows how to test it with the netcat (nc) tool.
Assume the firewall (FW) or intrusion prevention system (IPS) is configured to allow a maximum of 4 UDP sessions; a 5th session should not be allowed. Since UDP has no connection establishment phase (no 3-way handshake), the device only sees a session once data is sent on it, and that is the point at which the excess session is dropped.
Run nc in UDP listen mode on several ports on the server, in the background.
Once the UDP listeners are up, connect to the different ports on the server from the client machine.
Snapshot showing active sessions (ESTABLISHED state) on the server. netstat reports a UDP socket as ESTABLISHED as soon as connect() has been called on it, which nc does; no handshake is involved, so the state says nothing about whether data has passed.
Snapshot showing sessions on the client side.
The 5th connection will appear to succeed, but as soon as we try to transfer data on it the UDP session limit rule kicks in and the session is blocked.
If data goes through on the 5th session, the "UDP Maximum Connections" limit set on the FW/IPS is not working properly.
The block is reported back to the client as an ICMP port unreachable message. In the TCP case, the client instead receives a packet with the RST flag set.
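The procedure above in Python rather than netcat, as an added example that is not the original post's commands: the listener threads stand in for the backgrounded `nc -u -l <port>` processes, `probe_session()` opens a connected UDP socket and pushes data through it the way an nc client does, and `verdict()` applies the rule from the post, that only the first N sessions may carry data. The ports, the echo reply, the outcome labels and the `run_limit_test()` helper are this example's own assumptions. There is no firewall on loopback, so the stand-alone run emulates a working 4-session limit by giving the 5th port no listener, which produces the same ICMP port unreachable feedback; against a real FW/IPS, run listeners on every port and point the probes at the server.

```python
import socket
import threading

ALLOWED, BLOCKED, DROPPED = "allowed", "blocked", "dropped"


def echo_listener(sock, stop):
    """Stand-in for a backgrounded 'nc -u -l <port>': echo each datagram so the client knows it arrived."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(2048)
        except socket.timeout:
            continue
        except OSError:  # socket closed from the main thread
            break
        sock.sendto(data, peer)


def start_udp_listeners(host, ports):
    """Bind one UDP socket per port and service each from a daemon thread."""
    stop = threading.Event()
    socks = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((host, port))
        threading.Thread(target=echo_listener, args=(s, stop), daemon=True).start()
        socks.append(s)
    return socks, stop


def probe_session(host, port, payload=b"udp-session-test", timeout=1.0):
    """Open a UDP 'session' the way nc does (connect() on a datagram socket) and push data through it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))  # nothing goes on the wire yet; the session is only visible once data flows
        s.send(payload)
        s.recv(2048)  # an ICMP port unreachable for our datagram surfaces here as a refused connection
        return ALLOWED
    except (ConnectionRefusedError, ConnectionResetError):
        return BLOCKED
    except socket.timeout:
        return DROPPED  # some devices drop silently instead of sending ICMP
    finally:
        s.close()


def verdict(limit, results):
    """results: [(port, outcome), ...] in the order the sessions were opened; only the first `limit` may carry data."""
    carried_data = [port for port, outcome in results if outcome == ALLOWED]
    leaked = carried_data[limit:]
    return {"enforced": not leaked, "leaked_sessions": leaked}


def run_limit_test(host, ports, limit, listen_on):
    """Open len(ports) sessions in order against listeners on `listen_on` and judge the result."""
    socks, stop = start_udp_listeners(host, listen_on)
    try:
        results = [(port, probe_session(host, port)) for port in ports]
    finally:
        stop.set()
        for s in socks:
            s.close()
    return results, verdict(limit, results)


if __name__ == "__main__":
    # Constructed loopback run: no FW/IPS in the path, so the 5th port is left without a listener
    # to reproduce the ICMP port unreachable that a working 4-session limit would generate.
    ports = [9001, 9002, 9003, 9004, 9005]
    results, summary = run_limit_test("127.0.0.1", ports, limit=4, listen_on=ports[:4])
    for port, outcome in results:
        print(port, outcome)
    print(summary)
```

`verdict()` treats a silently dropped 5th session as enforced too, since the requirement is that no data crosses on it; the distinction between BLOCKED and DROPPED only tells you whether the device signals the block with ICMP, as the post describes, or stays quiet.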
Following posts might be of interest to you
http://darshanams.blogspot.in/2012/08/web-server-security-php-hardening.html
http://darshanams.blogspot.in/2012/07/portservice-scanning-using-snmp.html
http://darshanams.blogspot.in/2012/06/sip-security1-scanning-voippbx-servers.html
Thank You!!!
Wednesday, August 8, 2012
SOC Interview Questions 2
Below are few Security Operations Center (SOC) interview questions.
Already published similar post related to SOC interview questions at
http://blog.disects.com/2012/01/soc-interview-questions-1.html
Q. What is a Proxy?
Q. What is the use of a proxy?
Q. What is the difference between HTTP, HTTPS, HTML?
Q. Explain 3-way handshake?
Q. Following hacks are happening simultaneously. Which one will you try to protect first and why?
a. Bruteforce attack
b. Data leakage attacks
Q. How do you protect against data leakage attacks?
Q. Out of financial loss, reputation loss and data loss, which would you protect against first and why?
Q. What is a 503 error from a proxy/cache server?
Q. Lots of connections are being made from the LAN to a particular IP on the Internet. What are your immediate steps to mitigate it?
Q. Any recent hack/compromise you came across? How did you resolve it?
Q. How do you identify a data leakage hack?
Q. On what parameters will you classify data as critical to an organization?
Q. Name a few well-known application protocols and the TCP/UDP ports they run on.
Q. What is a NOP sled? What is its hex value?
Q. Explain SYN cookies.
Q. Describe the different port scanning mechanisms.
Leave answers as comments so it might be useful to others who visit the blogpost :-) !!!
You can send me more questions related to SOC interviews which are not covered here to praveen_recker@sify.com, will update with your questions!!
Thursday, August 2, 2012
Web Server Security: PHP Hardening
PHP is a server-side (web) scripting language used to produce dynamic web pages, whereas HTML by itself is static markup.
php.ini is PHP's configuration file, usually located at /etc/php.ini on most Linux distributions. If you build PHP from source, the directory in which PHP looks for php.ini can be set at compile time (the flag takes the directory that contains php.ini, not the file itself):
./configure
--with-config-file-path=/etc
php.ini has many PHP directives which can be used to secure web applications.
******************Configuration Start************************
;root of the PHP pages
doc_root = "/var/www/html:/etc/scripts/"
;directory under which PHP opens the script
user_dir = /etc/scripts
include_path =
;restrict file access to the web root
;caution: list every directory your application needs to open
open_basedir = /var/www/html
save_path =
;disable global variables
register_globals = Off
track_errors = yes
;never show errors to the client; log them instead
display_errors = Off
;hide the PHP version (X-Powered-By header)
expose_php = Off
;remove functions based on your requirement; this list is a starting point, not a complete one
disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo
disable_classes =
;safe_mode is deprecated and was removed in PHP 5.4; do not rely on it
safe_mode = Off
use_trans_sid =
;disable remote file includes (remote URLs in include/require and in fopen-style functions)
allow_url_fopen = Off
allow_url_include = Off
group_id = 100
magic_quotes_gpc = Off
;disable if files are not uploaded to the web server
file_uploads = On
upload_max_filesize =
;128M is a high value; lower it (8M is the recommended starting point) unless the application needs more
memory_limit = 128M
;a high value lets a client send large request bodies and can lead to DoS
;recommended value is 2M
post_max_size = 8M
upload_tmp_dir =
user_id = 100
force_redirect = 1
cgi.force_redirect = 1
auto_prepend_file =
auto_append_file =
;enable these so the session cookie is not readable by script, is not accepted without a matching Referer, and is sent only over HTTPS
;session.cookie_httponly = 1
;session.referer_check = your_url.tld
;session.cookie_secure = 1
******************Configuration End************************
The post HTTP Response Headers for Mitigating Web Hacks is in the same vein as this one and might be useful to some of you.
To test your php.ini configuration for security issues, download PHPSecInfo, a security auditing tool:
http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
Uncompress the archive into the web server's root directory (say, /var/www/html) and access the URL given below:
https://testserver.com/phpsecinfo/phpsecinfo-20070406/index.php
Because the tool reports your PHP configuration to whoever can reach that URL, restrict access to it while testing and remove it from the web root once you are done.
NOTE: If php.ini is not used, PHPSecInfo will read the values from PHP's compiled-in defaults or from httpd.conf / lighttpd.conf.
Below is an example snapshot giving notice on probable improper configuration.
Below snapshot gives warning on insecure configuration.
Snapshot showing "Tests not run" and Results Summary page.
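A php.ini audit in the spirit of PHPSecInfo, as an added example that is neither the tool's code nor part of the original post: it parses the php.ini subset used above, applies PHP's compiled-in defaults for directives that are missing from the file, and reports the directives that contradict the hardening list (expose_php, display_errors, allow_url_fopen, allow_url_include, register_globals, open_basedir, disable_functions, post_max_size and the session cookie flags). The two sample configurations are constructed for this example, popen is added to the must-disable set beyond the post's list, and the 2M post_max_size ceiling follows the post's recommendation.

```python
import re

TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"", "0", "off", "false", "no", "none", "null"}
UNIT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
SIZE_RE = re.compile(r"^(\d+)\s*([kmgKMG]?)$")

# PHP's compiled-in values, which apply when a directive is absent from php.ini entirely.
BUILTIN_DEFAULTS = {
    "expose_php": "On", "display_errors": "On", "allow_url_fopen": "On",
    "allow_url_include": "Off", "register_globals": "Off",
    "session.cookie_httponly": "Off", "session.cookie_secure": "Off",
    "open_basedir": "", "disable_functions": "", "post_max_size": "8M",
}
MUST_BE_OFF = ("expose_php", "display_errors", "allow_url_fopen", "allow_url_include", "register_globals")
MUST_BE_ON = ("session.cookie_httponly", "session.cookie_secure")
MUST_BE_DISABLED = {"exec", "system", "shell_exec", "passthru", "proc_open", "popen"}  # popen added here


def parse_php_ini(text):
    """php.ini subset: ';' starts a comment, [sections] are skipped, 'key = value', quotes stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"\'')
    return settings


def ini_bool(value):
    """The spellings PHP's ini parser accepts for true and false."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError("not a php.ini boolean: %r" % value)


def ini_size(value):
    """PHP shorthand sizes: 8M, 2048K, 1G, or a bare byte count."""
    m = SIZE_RE.match(value.strip())
    if not m:
        raise ValueError("not a php.ini size: %r" % value)
    return int(m.group(1)) * UNIT[m.group(2).lower()]


def audit_php_ini(settings, max_post_bytes=2 * 1024 ** 2):
    """Return {directive: problem} for every directive that contradicts the hardening list."""
    def get(name):
        return settings.get(name, BUILTIN_DEFAULTS.get(name, ""))

    findings = {}
    for name in MUST_BE_OFF:
        if ini_bool(get(name)):
            findings[name] = "is On (or unset and On by default); set it to Off"
    for name in MUST_BE_ON:
        if not ini_bool(get(name)):
            findings[name] = "is Off; set it to 1"
    if not get("open_basedir"):
        findings["open_basedir"] = "unset; scripts may open any file the web server user can read"
    disabled = {f.strip().lower() for f in get("disable_functions").split(",") if f.strip()}
    missing = sorted(MUST_BE_DISABLED - disabled)
    if missing:
        findings["disable_functions"] = "still allows " + ", ".join(missing)
    if ini_size(get("post_max_size")) > max_post_bytes:
        findings["post_max_size"] = "%s exceeds the %dM ceiling" % (get("post_max_size"), max_post_bytes // 1024 ** 2)
    return findings


def audit_text(text, **kw):
    return audit_php_ini(parse_php_ini(text), **kw)


# Constructed samples: a permissive php.ini and one that follows the list above.
WEAK_INI = """
[PHP]
expose_php = On
display_errors = On
allow_url_include = On
post_max_size = 8M
; allow_url_fopen, open_basedir, disable_functions and the session.* flags are left at PHP's defaults
"""

HARDENED_INI = """
[PHP]
expose_php = Off
display_errors = Off
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
open_basedir = /var/www/html
disable_functions = exec, system, shell_exec, passthru, proc_open, popen, phpinfo
post_max_size = 2M
session.cookie_httponly = 1
session.cookie_secure = 1
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_text(text) or "no findings")
```

The defaults table is what makes the audit honest: a php.ini that simply omits allow_url_fopen or expose_php is still running with them On, which a check that only looks at the lines present would miss. Run it against the real file (for example `audit_text(open("/etc/php.ini").read())`) and compare the result with the PHPSecInfo report.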