Wednesday, July 25, 2012

Port/Service Scanning using SNMP

Simple Network Management Protocol (SNMP) is used for remote monitoring and management of hosts, routers, switches or any other device connected to a network. SNMP works on 161/UDP; SNMP Trap uses 162/UDP.

By default SNMP comes with two community strings:
        public (read only access)
        private (read/write access)

Community strings or user names with read-only access rights can also be used to scan a machine remotely for open TCP/UDP ports. The community string which I am using is "mysnmp" with read/write permissions.


The snapshot below gives information about the process/service names running on the machine.


Evading IDS/IPS
Generally we use Nmap to scan a remote machine and figure out its open TCP or UDP ports. Most IDS/IPS will detect such scans and raise an alert. An SNMP scan might evade the IDS/IPS because we are sending legitimate SNMP requests to the remote device.

Protection
Remove unnecessary MIBs that are not being used.

Other articles which might be of interest
http://darshanams.blogspot.in/2010/11/wireshark-remote-packet-capture-bit-of.html
http://darshanams.blogspot.in/2012/05/cain-and-abel-password-cracking.html

Enjoy !!!

Wednesday, July 4, 2012

Bittorrent: Detection Mechanisms

Bittorrent is a Peer-to-Peer (P2P) protocol used to share files and data over the internet. In this article we will look at the different mechanisms that can be used to detect and block Bittorrent communication across a network.

The snapshot below shows the HTTP request a Bittorrent client uses to communicate with Bittorrent servers. In the request we can see parameters such as the client id and port number.


We can observe that the Bittorrent client uses different User-Agent request headers such as BTWebClient, BitTorrent, etc.



The UDP traffic uses source port 24615, which is the same port number the client announced to the Bittorrent server in its HTTP request.


So we can detect or block Bittorrent based on the HTTP request URI, the User-Agent header strings, or the UDP protocol communication.

Below are a few signatures which we can use to detect Bittorrent.

alert udp any any -> any any ( msg:"Bit Torrent UDP"; content:"|41 02|"; offset:0; depth:2; content:"|38|"; offset:13; depth:1; content:"|08|"; offset:21; depth:1; sid:8888881; rev:1; )
alert udp any any -> any any ( msg:"Bit Torrent Protocol"; content:"|13|BitTorrent protocol"; offset:0; depth:20; sid:8888882; rev:1; )
alert udp any any -> any any ( msg:"Bit Torrent UDP Communication"; content:"d1|3a|ad2|3a|id20|3a|"; sid:8888883; rev:1; )


The signature below triggers an alert when the content is seen in the HTTP request URI:
alert tcp any any -> any 80 ( msg:"Bit Torrent: HTTP Request"; content:"info_hash="; pcre:"/announce\?info_hash=/Ui"; sid:8888884; rev:1; )


The following User-Agent strings were observed as part of the HTTP requests:
        User-Agent: BitTorrent/7610(27328)
        User-Agent: BTWebClient/7610(27328)
which can be detected using the following signatures:
alert tcp any any -> any 80 ( msg:"Bit Torrent: HTTP User Agent 1"; content:"User-Agent: BitTorrent"; sid:8888885; rev:1; )
alert tcp any any -> any 80 ( msg:"Bit Torrent: HTTP User Agent 2"; content:"User-Agent: BTWebClient"; sid:8888886; rev:1; )
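The same checks as the signatures above, as an added Python example (not from the original post) that runs them over a few constructed sample payloads. The packets, the tracker host and the -UT3300- peer id are made up for the illustration; announced_port shows the HTTP-to-UDP port correlation the post points out.

```python
import re

# Constructed sample payloads (not captures from the post): a tracker announce
# over HTTP, a peer-wire handshake, a DHT "ping" query, and benign HTTP traffic.
SAMPLES = {
    "tracker_announce": (
        b"GET /announce?info_hash=%12%34%56&peer_id=-UT3300-abcdefghijkl&port=24615 HTTP/1.1\r\n"
        b"Host: tracker.example\r\nUser-Agent: BTWebClient/7610(27328)\r\n\r\n"
    ),
    "handshake": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 20 + b"-UT3300-abcdefghijkl",
    "dht_ping": b"d1:ad2:id20:" + b"\x22" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
    "plain_http": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}

# The post's signatures as (name, predicate) pairs: handshake at offset 0,
# bencoded DHT query prefix, announce URI with info_hash, client User-Agent.
RULES = [
    ("Bit Torrent Protocol", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("Bit Torrent UDP Communication", lambda p: b"d1:ad2:id20:" in p),
    ("Bit Torrent: HTTP Request",
     lambda p: b"info_hash=" in p and re.search(rb"announce\?info_hash=", p, re.I) is not None),
    ("Bit Torrent: HTTP User Agent",
     lambda p: re.search(rb"^User-Agent: (BitTorrent|BTWebClient)", p, re.M) is not None),
]

def match_rules(payload: bytes) -> list:
    """Return the names of every rule the payload triggers, in rule order."""
    return [name for name, pred in RULES if pred(payload)]

def announced_port(payload: bytes):
    """Port a client advertises in its announce request (24615 in the post).
    The same number reappears as the UDP source port, so a defender can tie
    the later UDP flows back to the HTTP announce."""
    m = re.search(rb"[?&]port=(\d{1,5})", payload)
    return int(m.group(1)) if m else None
```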

Posts related to Snort IDS/IPS which might be of interest to you.
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html
http://darshanams.blogspot.in/2010/06/snort-preprocessors-and-alerts.html
http://darshanams.blogspot.in/2012/05/installing-snort-from-source-as-ips.html

To learn about Google Talk Jabber protocol communication:
http://darshanams.blogspot.in/2008/11/deciphering-google-talk-jabber.html

For Zebra/Bittorrent protocol communication
http://darshanams.blogspot.in/2009/03/i-was-just-checking-my-mails.html

P.S. The signatures given above are neither tested nor fine tuned; they are just an idea of how to detect Bit Torrent communication.

Friday, June 22, 2012

SIP Security 1: Scanning VoIP/PBX Servers


To find a device/machine that is providing VoIP service, scan for ports 5060/5061 on both UDP and TCP. By default VoIP devices listen on UDP port 5060.

We can use tools like SIPVicious svmap.py or SIPSCAN (Windows only).
svmap.py is a CLI (Command Line Interface) tool whereas SIPSCAN is a GUI (Graphical User Interface) tool. SIPSCAN is a username enumerator rather than a scanner.


Both tools support the OPTIONS, INVITE and REGISTER methods to find a User Agent Server (UAS). svmap.py, however, can be used to send any SIP method; in fact we can pass an invalid method to detect the VoIP server.


By default SIPSCAN tries the following extensions/usernames:
thisisthecanary, test, echo, admin, dave, 101 to 110 excluding 109, 201 to 210 excluding 209, 401 to 410 excluding 409, and 501 to 510 excluding 509.




While scanning with SIPSCAN, leave "Target SIP Domain" at its default value of example.com or enter the domain or IP of your SIP server. If you leave "Target SIP Domain" blank, it will not show any results, but with



Happy weekend :-) !!!

Monday, June 18, 2012

svwar.py: Bad user = SIP/2.0 401 - svwar will probably not work!

Running svwar.py from SIPVicious was throwing the error below

#/home/praveen/sipvicious-0.2.7#./svwar.py --force -e100-110 3.3.3.10
WARNING:TakeASip:Bad user = SIP/2.0 401  - svwar will probably not work!
WARNING:TakeASip:We got an unknown response
ERROR:TakeASip:Response: 'SIP/2.0 401 Unauthorized\r\nVia: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK-2777087671;received=172.16.1.5;rport=5060\r\nFrom: "100";tag=3130300131353239383436353338\r\nTo: "100";tag=as4442a546\r\nCall-ID: 3403670806\r\nCSeq: 1 REGISTER\r\nServer: Asterisk PBX 1.8.13.0\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH\r\nSupported: replaces, timer\r\nWWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="5858df28"\r\nContent-Length: 0\r\n\r\n'
WARNING:root:found nothing

IP Address 3.3.3.10 is the Asterisk PBX Server.

Googled for the error but couldn't find a solution, so I thought of going through the SIP configuration file /etc/asterisk/sip.conf, where we can find the description below.

When an incoming INVITE or REGISTER is to be rejected, for any reason, always reject with '401 Unauthorized' instead of letting the requester know whether there was a matching user or peer for their request. I.e. the PBX server will always respond with "401 Unauthorized" so as not to disclose user details.


Add the line below to sip.conf; by default the value is yes.
alwaysauthreject = no

Restart Asterisk PBX for the change above to take effect.

$ sudo /etc/init.d/asterisk stop
$ sudo /etc/init.d/asterisk start
            or

execute the commands below
# asterisk -vvr
asterisk*CLI> sip reload

Now we can successfully run svwar.py, which gives the output below
#/home/praveen/sipvicious-0.2.7#./svwar.py  -e100-1010 3.3.3.10
| Extension | Authentication |
------------------------------
| 1004      | reqauth        |
| 102       | reqauth        |
| 101       | reqauth        |
| 1003      | reqauth        |
| 1002      | reqauth        |
| 1001      | reqauth        |
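An added example, not part of the original post: it parses the 401 response printed above, pulls out the Digest challenge (and the Server banner the reply still discloses), and shows why svwar.py gives up. With alwaysauthreject=yes every extension, known or not, gets this same reply, so there is no difference to enumerate on; setting it to no brings that difference, and with it the user disclosure the sip.conf comment warns about, back. The 404 reply used for contrast in the test is constructed, not taken from the post.

```python
# The 401 response svwar.py printed in the post, reproduced as the sample input.
RAW_401 = (
    'SIP/2.0 401 Unauthorized\r\nVia: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK-2777087671;received=172.16.1.5;rport=5060\r\n'
    'From: "100";tag=3130300131353239383436353338\r\nTo: "100";tag=as4442a546\r\nCall-ID: 3403670806\r\n'
    'CSeq: 1 REGISTER\r\nServer: Asterisk PBX 1.8.13.0\r\n'
    'Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH\r\n'
    'Supported: replaces, timer\r\nWWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="5858df28"\r\n'
    'Content-Length: 0\r\n\r\n'
)

def parse_sip_response(raw: str):
    """Split a SIP response into (status_code, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")   # first ':' only; Via values contain more
        headers[name.strip().lower()] = value.strip()
    return code, headers

def digest_challenge(headers: dict) -> dict:
    """Parameters of the WWW-Authenticate Digest challenge (algorithm, realm, nonce)."""
    value = headers["www-authenticate"]
    assert value.startswith("Digest ")
    params = {}
    for item in value[len("Digest "):].split(","):
        key, _, val = item.strip().partition("=")
        params[key] = val.strip('"')
    return params

def enumeration_possible(responses) -> bool:
    """svwar.py tells extensions apart by differing replies. When the registrar
    answers every REGISTER with the same 401 (alwaysauthreject=yes) there is no
    signal, and this returns False; it returns True only when replies differ."""
    codes = {parse_sip_response(r)[0] for r in responses}
    return len(codes) > 1
```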

Articles which might be of interest 
Packet level view of REGISTER, SUBSCRIBE and NOTIFY methods
http://www.darshanams.blogspot.in/2012/06/x-lite-client-registering-with-pbx.html

Configuration and Registration of Softphone and Analog Phone( with ATA) and Asterisk PBX
http://www.darshanams.blogspot.in/2012/06/softphone-registration-with-asterisk.html

Thank You !!!

Sunday, June 17, 2012

HTTP Response Headers for Mitigating Web Hacks

HTTP (Hypertext Transfer Protocol) is an application protocol which defines different headers for each request sent and response received, depending on the content being exchanged between web server, proxy server, cache server, user agent, etc.

HttpOnly
The example below shows the syntax used within the HTTP response header:
Set-Cookie: <name>=<value>[; <name>=<value>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]

The majority of XSS attacks target theft of session IDs, cookies, etc. A server can help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating that the cookie should not be accessible to client-side script.
As a result, even if a cross-site scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.



If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client-side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website.

X-Frame-Options
Used to prevent clickjacking by not allowing the page to be rendered in a frame. There are two possible values for X-Frame-Options:
DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.



X-Content-Security-Policy
Example 1: Site wants all content to come from its own domain:
X-Content-Security-Policy: allow 'self'

Example 2: Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript:
X-Content-Security-Policy: allow 'self'; img-src *; \
                           object-src media1.com media2.com *.cdn.com; \
                           script-src trustedscripts.example.com

Example 3: Server administrators want to deny all third-party scripts for the site, and a given project group also wants to disallow media from other sites (header provided by sysadmins and header provided by project group are both present):
X-Content-Security-Policy: allow *; script-src 'self'
X-Content-Security-Policy: allow *; script-src 'self'; media-src 'self';

Example 4: Online payments site wants to ensure that all of the content in its pages is loaded over SSL to prevent attackers from eavesdropping on requests for insecure content:
X-Content-Security-Policy: allow https://*:443

Strict-Transport-Security (HSTS=HTTP Strict Transport Security)
The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.
Strict-Transport-Security: max-age=expireTime [; includeSubdomains]

expireTime
        The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
includeSubdomains (Optional)
        If this optional parameter is specified, this rule applies to all of the site's subdomains as well.

The HSTS policy helps protect website users against some passive (eavesdropping) and active network attacks. A man-in-the-middle attacker

X-XSS-Protection
This header is exclusive to Internet Explorer 8; it turns on the cross-site scripting protection (off by default, as it could potentially break some websites).

X-Download-Options
Stops files from being opened directly from the domain. The browser removes the file-open control from the download dialog when it encounters the noopen parameter in the X-Download-Options header of the HTTP response.

X-Content-Type-Options
Used to prevent MIME-type sniffing attacks, which may lead to code execution.

Unset Server
Don't give verbose information about the type of web server running, its version, extra plugins loaded, etc.
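An added Python check, not from the original post, that audits a response's headers for the hardening points listed above. The two header sets are constructed; the values nosniff and "1; mode=block" are the standard values for those headers rather than ones quoted from the post.

```python
# Two constructed header sets (not from the post): a response missing the
# hardening headers, and the same response with them applied.
WEAK_RESPONSE = {
    "Server": "Apache/2.2.22 (Ubuntu) PHP/5.3.10",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
}
HARDENED_RESPONSE = {
    "Set-Cookie": "PHPSESSID=abc123; path=/; secure; HttpOnly",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains",
    "X-Content-Type-Options": "nosniff",   # standard value, assumed (not quoted from the post)
    "X-XSS-Protection": "1; mode=block",   # standard value, assumed (not quoted from the post)
    "X-Download-Options": "noopen",
}

def cookie_flags(set_cookie: str) -> set:
    """Lower-cased attribute names that follow the name=value pair of a Set-Cookie."""
    return {part.strip().split("=")[0].lower() for part in set_cookie.split(";")[1:]}

def hsts_max_age(value: str):
    """max-age from a Strict-Transport-Security value, or None if absent."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return None

def audit_headers(headers: dict) -> list:
    """One finding per hardening header from the post that is missing or weak."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "server" in h:                      # "Unset Server": no software/version banner
        findings.append("Server header discloses web server software")
    if "set-cookie" in h:
        flags = cookie_flags(h["set-cookie"])
        if "httponly" not in flags:
            findings.append("Set-Cookie lacks HttpOnly")
        if "secure" not in flags:
            findings.append("Set-Cookie lacks secure")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or invalid")
    if not hsts_max_age(h.get("strict-transport-security", "")):
        findings.append("Strict-Transport-Security missing or max-age is 0")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    return findings
```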

Packet Level View: SIP UAC REGISTERing with PBX Server

Let's get into the capture-level details of a SIP User Agent Client (UAC) registering with a User Agent Server (UAS). We will also see how SUBSCRIBE and NOTIFY work.

Asterisk PBX (Private Branch eXchange) Server (UAS) 3.3.3.10
X-Lite Phone (UAC) 3.3.3.101

REGISTER
SIP registration is the method a SIP device (softphone, analog phone with ATA, PBX server, etc.) uses to inform its registrar (VoIP provider, PBX) where the device is located.
The initial REGISTER request may be sent plain, without authentication details, to register contact information. If the client needs to authenticate, the PBX server responds with "401 Unauthorized". REGISTER requests should be challenged for authentication. Once registration is successful, the VoIP provider knows where to forward incoming calls.





REGISTER requests add, remove and query bindings. A REGISTER request can add a new binding between an address-of-record and one or more contact addresses. Registration on behalf of a particular address-of-record can be performed by a suitably authorized third party. A client (phone, UAC) can also remove previous bindings or query to determine which bindings are currently in place for an address-of-record.


Registrar
A server that accepts REGISTER requests and places the information it receives in those requests into the location service for the domain it handles. It registers one or more IP addresses to a certain SIP URI, indicated by the sip: scheme, although other protocol schemes are possible (such as tel:). More than one user agent can register at the same URI, with the result that all registered user agents will receive a call to that SIP URI.
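The challenge step described above carried through in code, as an added example that is not part of the original post: the UAC computes the Digest response for its second REGISTER from the realm and nonce of the 401, and the registrar recomputes it from the stored password before accepting the binding. The extension 100, its password and the registrar URI are assumed values for the illustration; the realm and nonce are the ones from the 401 response shown in the svwar.py post above.

```python
import hashlib
import re

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest with algorithm=MD5 and no qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def uac_authorization(username, password, realm, nonce, uri):
    """Authorization value the UAC sends in its second REGISTER after the 401."""
    resp = digest_response(username, realm, password, "REGISTER", uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

def registrar_verify(authorization, realm, nonce, uri, passwords) -> bool:
    """Registrar side: parse the Authorization value, recompute the response
    from the stored password, and accept only for the nonce it issued."""
    params = dict(re.findall(r'(\w+)="?([^",]*)"?', authorization))
    if params.get("realm") != realm or params.get("nonce") != nonce or params.get("uri") != uri:
        return False
    password = passwords.get(params.get("username"))
    if password is None:           # unknown extension: reject without revealing why
        return False
    expected = digest_response(params["username"], realm, password, "REGISTER", uri, nonce)
    return params.get("response") == expected

# Assumed values for the illustration (the realm and nonce are from the post's 401).
PASSWORDS = {"100": "secret"}          # constructed registrar credential store
REALM, NONCE, URI = "asterisk", "5858df28", "sip:3.3.3.10"
```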

SUBSCRIBE
The general concept of SUBSCRIBE is that entities in the network (e.g. the X-Lite softphone) can subscribe to resource or call state for various resources or calls in the network, and those entities (or entities acting on their behalf, e.g. the PBX or VoIP service provider) can send notifications when those states change. If the SUBSCRIBE needs authentication, the server responds with "401 Unauthorized".


NOTIFY
NOTIFY informs the subscriber of a new event by returning current state information.
A typical flow of SUBSCRIBE and NOTIFY messages is given below:
   (X-Lite Phone)       (Asterisk PBX Server)
     Subscriber               Notifier
         |-------SUBSCRIBE------>|   Request state subscription
         |<---------200----------|   Acknowledge subscription
         |<--------NOTIFY--------|   Return current state information
         |----------200--------->|
         |<--------NOTIFY--------|   Return current state information
         |----------200--------->|
Subscriptions are expired and must be refreshed by subsequent SUBSCRIBE messages. 
To configure the X-Lite softphone and Asterisk PBX, go through the link below: http://darshanams.blogspot.in/2012/06/softphone-registration-with-asterisk.html