VoIP STUN Request/Response Packet Structure

STUN stands for Session Traversal Utilities for NAT mainly used in NAT Traversal for IP Applications (say Voice, Video, Messaging).

Below snapshot shows STUN Request Packet

Below snapshot shows STUN Response Packet 

Text view of full capture
Request
No.     Time        Source                Destination           Protocol Length Info
    264 200.289545  10.0.0.2              77.72.169.158         CLASSIC-STUN 62     Message: Binding Request

Frame 264: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
    Arrival Time: Aug 23, 2012 16:36:32.609220000 India Standard Time
    Epoch Time: 1345719992.609220000 seconds
    [Time delta from previous captured frame: 7.022449000 seconds]
    [Time delta from previous displayed frame: 15.027355000 seconds]
    [Time since reference or first frame: 200.289545000 seconds]
    Frame Number: 264
    Frame Length: 62 bytes (496 bits)
    Capture Length: 62 bytes (496 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:classicstun]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Vmware_ef:18:30 (00:0c:29:ef:18:30), Dst: (00:bb:f7:00:8b:1f)
    Destination: (00:bb:f7:00:8b:1f)
        Address: (00:bb:f7:00:8b:1f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Vmware_ef:18:30 (00:0c:29:ef:18:30)
        Address: Vmware_ef:18:30 (00:0c:29:ef:18:30)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.0.0.2 (10.0.0.2), Dst: 77.72.169.158 (77.72.169.158)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 48
    Identification: 0x3eea (16106)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (17)
    Header checksum: 0xfaea [correct]
        [Good: True]
        [Bad: False]
    Source: 10.0.0.2 (10.0.0.2)
    Destination: 77.72.169.158 (77.72.169.158)
User Datagram Protocol, Src Port: 8006 (8006), Dst Port: stun (3478)
    Source port: 8006 (8006)
    Destination port: stun (3478)
    Length: 28
    Checksum: 0x1f88 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Simple Traversal of UDP Through NAT
    [Response In: 265]
    Message Type: Binding Request (0x0001)
    Message Length: 0x0000
    Message Transaction ID: 000000007e5634120000000000000000


Response
No.     Time        Source                Destination           Protocol Length Info
    265 200.465322  77.72.169.158         10.0.0.2              CLASSIC-STUN 98     Message: Binding Response

Frame 265: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
    Arrival Time: Aug 23, 2012 16:36:32.784997000 India Standard Time
    Epoch Time: 1345719992.784997000 seconds
    [Time delta from previous captured frame: 0.175777000 seconds]
    [Time delta from previous displayed frame: 0.175777000 seconds]
    [Time since reference or first frame: 200.465322000 seconds]
    Frame Number: 265
    Frame Length: 98 bytes (784 bits)
    Capture Length: 98 bytes (784 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:classicstun]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: (00:bb:f7:00:8b:1f), Dst: Vmware_ef:18:30 (00:0c:29:ef:18:30)
    Destination: Vmware_ef:18:30 (00:0c:29:ef:18:30)
        Address: Vmware_ef:18:30 (00:0c:29:ef:18:30)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: (00:bb:f7:00:8b:1f)
        Address: (00:bb:f7:00:8b:1f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 77.72.169.158 (77.72.169.158), Dst: 10.0.0.2 (10.0.0.2)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 84
    Identification: 0x19c5 (6597)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 238
    Protocol: UDP (17)
    Header checksum: 0x71eb [correct]
        [Good: True]
        [Bad: False]
    Source: 77.72.169.158 (77.72.169.158)
    Destination: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: stun (3478), Dst Port: 8006 (8006)
    Source port: stun (3478)
    Destination port: 8006 (8006)
    Length: 64
    Checksum: 0xac24 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Simple Traversal of UDP Through NAT
    [Request In: 264]
    [Time: 0.175777000 seconds]
    Message Type: Binding Response (0x0101)
    Message Length: 0x0024
    Message Transaction ID: 000000007e5634120000000000000000
    Attributes
        Attribute: MAPPED-ADDRESS
            Attribute Type: MAPPED-ADDRESS (0x0001)
            Attribute Length: 8
            Protocol Family: IPv4 (0x0001)
            Port: 8006
            IP: 61.12.12.132 (61.12.12.132)
        Attribute: SOURCE-ADDRESS
            Attribute Type: SOURCE-ADDRESS (0x0004)
            Attribute Length: 8
            Protocol Family: IPv4 (0x0001)
            Port: 3478
            IP: 77.72.169.158 (77.72.169.158)
        Attribute: CHANGED-ADDRESS
            Attribute Type: CHANGED-ADDRESS (0x0005)
            Attribute Length: 8
            Protocol Family: IPv4 (0x0001)
            Port: 3479
            IP: 77.72.169.159 (77.72.169.159)

Other articles of your interest might be
http://darshanams.blogspot.in/2012/06/sip-security1-scanning-voippbx-servers.html
http://darshanams.blogspot.in/2008/11/deciphering-google-talk-jabber.html
http://darshanams.blogspot.in/2009/03/i-was-just-checking-my-mails.html

Testing Maximum UDP Sessions Limit using netcat

As we know that User Datagram Protocol is connectionless it would be slightly challenging to test UDP Session Limit. In this blogpost we are going to see how to test UDP sessions using netcat (nc) tool.

Assuming we have configured our Firewall (FW) or Intrusion Prevention Systems (IPS) with a maximum of 4 UDP Sessions. If we try to establish a new connection greater than 4 it should not be allowed. As we don't have connection establishment phase (3-way Handshake) in UDP, connection is identified at the time of data transfer and dropped.

Running nc command to listen on UDP ports in the background.

Once UDP Server is up and running, we will connect to different ports on Server from Client machine.

Snapshot showing active sessions (ESTABLISHED state) on server.

 Snapshot showing sessions on Client side.

If we go for a 5th connection it will successfully establish s Session but if we try to transfer data ot UDP Sessions Limit rule kicks in and the connection will be blocked

If we successfully transfer data on 5th Session, it means “UDP Maximum Connections” set on FW/IPS is not working properly.

Connection blocking is reported back to Client using ICMP UDP Port unreachable error message. In the case of TCP Client gets a packet from Server with RESET flag set.

Following posts might be of interest to you
http://darshanams.blogspot.in/2012/08/web-server-security-php-hardening.html
http://darshanams.blogspot.in/2012/07/portservice-scanning-using-snmp.html
http://darshanams.blogspot.in/2012/06/sip-security1-scanning-voippbx-servers.html

Thank You!!!

SOC Interview Questions 2

Below are few Security Operations Center (SOC) interview questions.

Already published similar post related to SOC interview questions at
http://blog.disects.com/2012/01/soc-interview-questions-1.html

Q. What is a Proxy?
Q. What is the use of a proxy?
Q. What is the difference between HTTP, HTTPS, HTML?
Q. Explain 3-way handshake?
Q. Following hacks are happening simultaneously. Which one will you try to protect first and why?
        a. Bruteforce attack
        b. Data leakage attacks
Q. How do you protect from data leakage attacks.
Q. Out of Financial loss, reputation loss and data loss, which would you protect from and why?
Q. What is 503 error from Proxy/Cache server
Q. Lots of connections are made from LAN to Internet on a particular IP. What are your immediate steps to mitigate it.
Q. Any recent hack/compromise you came across. How did you resolve it.

Q. How do you identify data leakage hack.
Q. On what parameters will you classify the data as critical to an organization?
Q. Name few well known application protocols and on what TCP/UDP ports they run on.
Q. What is NOP sled? What is it's HEX value.
Q. Explain SYN Cookie.
Q. Different Port Scanning mechanisms.


Leave answers as comments so it might be useful to others who visit the blogpost :-) !!!

You can send me more questions related to SOC interviews which are not covered here to praveen_recker@sify.com, will update with your questions!!

Web Server Security: PHP Hardening

PHP is a server-side (web) scripting language to produce dynamic web pages, HTML per se is a static language.

php.ini is PHP's default configuration file usually located at /etc/php.ini on most of the Linux distributions. If you install PHP from source /etc/php.ini file path can be modified as part of compilation

./configure --with-config-file-path=/path/to/php.ini

php.ini has many PHP directives which can be used to secure web applications.

******************Configuration Start************************

;root of the PHP pages

doc_root = "/var/www/html:/etc/scripts/"

;directory under which PHP opens the script

user_dir = /etc/scripts

include_path =

;path to web root

;caution, include all directories which you use 
open_basedir = /var/www/html

save_path =

;disable global variables

register_globals = Off

track_errors = yes
display_errors = Off

;will hide PHP version information
expose_php = Off

;remove few functions based on your requirement

disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abord, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpaththru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix, _getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo

disable_classes =

safe_mode = Off

use_trans_sid =

allow_url_fopen = Off

allow_url_include = Off

group_id = 100

magic_quotes_gpc = Off

;disable if files are not uploaded to Web server
file_uploads = On

upload_max_filesize =

;memory_limit is set to a very high value

;recommended value is 8M

memory_limit=128M

;set to a high value, server may lead to DoS

;recommended value is 2M

post_max_size = 8M

upload_tmp_dir =

user_id = 100

force_redirect = 1

cgi.force_redirect = 1

auto_prepend_file =
auto_append_file =

;Disable Remote File Includes

allow_url_fopen = Off
allow_url_include = Off

;session.cookie_httponly = 1
;session.referer_check = your_url.tld
;session.cookie_secure = 1
******************Configuration End************************

HTTP Response Headers for Mitigating Web Hacks is inline with current blog post, might be useful to some of you.

To test php.ini configuration for security issues download PHPSecInfo, security auditing tool.
http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip

Uncompress the archive to web server's root directory (say, /var/www/html) and access the URL as given below
https://testserver.com/phpsecinfo/phpsecinfo-20070406/index.php
NOTE: If php.ini is not used PHPSECINFO will try to read values from default configuration or httpd.conf/ lighttpd.conf

Below is an example snapshot giving notice on probable improper configuration.




Below snapshot gives warning on insecure configuration.




Snapshot showing "Tests not run" and Results Summary page.



To view Web server configuration and PHP configuration, write piece of code with phpinfo() API (application programming interface) and host on webservers root directory.

*********praveend.php************
root@praveend:~# cat praveend.php

<?
phpinfo();
?>
root@praveend:~#
*********praveend.php************

Access praveend.php as shown in below snapshot.



Below links might be useful for securing Web Servers running PHP scripts.
http://php.net/manual/en/index.php
http://www.madirish.net/node/229
http://phpsec.org/projects/guide/