Archive

Archive for the ‘Security’ Category

Scapy Guide: Bad checksum, naughty checksum

These posts will eventually make it into the guide but I don’t have the time currently so I will do a series of short posts as and when I can.

Today we are going to look at packet checksums and how to ensure that when you are using packets within Scapy that you don’t send packets with “bad checksums”.

Wikipedia has this to say about checksums:

The checksum field is the 16 bit one’s complement of the one’s complement sum of all 16-bit words in the header and text. If a segment contains an odd number of header and text octets to be checksummed, the last octet is padded on the right with zeros to form a 16-bit word for checksum purposes. The pad is not transmitted as part of the segment. While computing the checksum, the checksum field itself is replaced with zeros.(sourced from http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Checksum_computation)

So how does this relate to packets we create or re-use in Scapy?? Well lets start at the beginning. First off we are going to create a simple packet for testing:

>>> pkt=(IP(dst="10.1.99.2")/ICMP()/"HelloWorld")

We’ve given this packet a name of pkt so we can reference it easier later on. So lets look at it’s default values.

>>> pkt.show()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= icmp
chksum= None
src= 10.1.99.25
dst= 10.1.99.2
\options\
###[ ICMP ]###
type= echo-request
code= 0
chksum= None
id= 0x0
seq= 0x0
###[ Raw ]###
load= 'HelloWorld'

Notice how the chksum value in both the IP layer and the ICMP layer show None? That’s because the show() function doesn’t show the checksum values of a packet before it’s sent (the checksums are generated by Scapy when the packet is sent)

If you want to see the actual checksum value for that packet when it gets sent, you need to use a different Scapy function. Today we are going to use show2().

Lets have a look and see what the difference is:

>>> pkt.show2()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 38
id= 1
flags=
frag= 0L
ttl= 64
proto= icmp
chksum= 0xa0b9
src= 10.1.99.25
dst= 10.1.99.2
\options\
###[ ICMP ]###
type= echo-request
code= 0
chksum= 0xf7ff
id= 0x0
seq= 0x0
###[ Raw ]###
load= 'HelloWorld'

Now we can actually see the chksum value for each layer. Lets send the packet (pkt) to Wireshark.

>>> wireshark(pkt)

This should load Wireshark in a seperate window and display the ICMP packet, if we expand the IP and ICMP layers within Wireshark we can verify the checksums are correct against what we saw above in the show2() output.

Header checksum: 0xa0b9 [correct] (IP Layer)
Checksum: 0xf7ff [correct] (ICMP Layer)

OK so lets get to the bad checksum part of this post, we are going to save this packet to a pcap file and then reload it back into Scapy. We are doing it this way so I can show you a more realistic reason why you need to “sort” bad checksums.

>>> wrpcap("/tmp/ping.pcap",pkt)
>>> t=rdpcap("/tmp/ping.pcap")
>>> t.summary()

IP / ICMP 10.1.99.25 > 10.1.99.2 echo-request 0 / Raw

The first command writes the pkt to a pcap file in my /tmp directory, we then re-read it as t and display a summary to show it’s the same packet. Once we are happy with that we store the single packet as bad and show it’s values

>>> bad=t[0]
>>> bad.show()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 38
id= 8
flags=
frag= 0L
ttl= 128
proto= icmp
chksum= 0x60b2
src= 10.1.99.25
dst= 10.1.99.2
\options\
###[ ICMP ]###
type= echo-request
code= 0
chksum= 0xf7ff
id= 0x0
seq= 0x0
###[ Raw ]###
load= 'HelloWorld'

Oh what’s that you say, you used show() and saw the chksum value?? Yes well spotted, bad checksum’s only seem to be an issue when you are reading packets from another source (i.e. a pcap file). If you generate new packets within Scapy the checksum is only generated when you send it, which means changing the values on our original packet (pkt) doesn’t generate a bad checksum message (before you send it).

Lets change the TTL again and then send the new packet (bad).

>>> bad.ttl=213
>>> bad
>>> wireshark(bad)

This is what I saw in Wireshark (and you as well I hope).

Header checksum: 0x60b2 [incorrect, should be 0x0bb2 (maybe caused by "IP checksum offload"?)

Yep seems that my checksum is all messed up, this means that the packet (bad) is not really any good for anything and you can’t send it due to the bad checksum. So how do we deal with this??

First off, lets wipe out the old bad packet and recreate it again.

>>> bad=t[0]

Then we can quickly check the chksum value currently stored:

>>> bad.show()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 38
id= 8
flags=
frag= 0L
ttl= 213
proto= icmp
chksum= 0x60b2
src= 10.1.99.25
dst= 10.1.99.2
\options\
###[ ICMP ]###
type= echo-request
code= 0
chksum= 0xf7ff
id= 0x0
seq= 0x0
###[ Raw ]###
load= 'HelloWorld'

Now before we change the TTL again, we need to delete the old chksum value so that it gets recreated again after we modify the TTL.

>>>del bad[IP].chksum

Now we change the TTL:

>>> bad[IP].ttl=222

Do a quick check to make sure that’s worked:

>>>bad.summary

Now if we look at the stored chksum value in the packet (bad) what do you notice?

>>bad.show()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 38
id= 8
flags=
frag= 0L
ttl= 222
proto= icmp
chksum= None
src= 10.1.99.25
dst= 10.1.99.2
\options\
###[ ICMP ]###
type= echo-request
code= 0
chksum= 0xf7ff
id= 0x0
seq= 0x0
###[ Raw ]###
load= 'HelloWorld'

The old stored chksum value is missing. Now if we send this to Wireshark what happens?

Header checksum: 0x02b2 [correct]

Once again the checksum is good because it gets recreated when we send the packet. We can verify the checksums match by using the show2() function again.

>>> bad.show2()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 38
id= 8
flags=
frag= 0L
ttl= 222
proto= icmp
chksum= 0x2b2
src= 10.1.99.25
dst= 10.1.99.2
\options\
###[ ICMP ]###
type= echo-request
code= 0
chksum= 0xf7ff
id= 0x0
seq= 0x0
###[ Raw ]###
load= 'HelloWorld'

Well I hope that all makes sense to you? If you are modifying existing packets that display a chksum value when you use the show() function, you need to delete them before sending the packets.

A general guideline would be if you modify a value in a layer that has another layer above it, delete the chksum value from both layers. Some layers checksum’s are generated from the information in the layers below them (if that makes sense). If in doubt just delete all the chksum values..

Adam

 

Categories: Scapy, Scapy Guide

Scapy Guide – The Release

Two weeks ago I posted about my intention to write a “dummies” guide to Scapy. So here it is “The Very Unofficial Dummies Guide to Scapy”. If you have read the online version it’s still worth a look as I’ve made it look all nice and shiny and added some additional content that wasn’t in the online version.

The whole point of this guide was to write a beginner’s guide for scapy, and when I say beginners I include myself. Up until I starting writing this guide I hadn’t used Scapy so I’ve learnt as I’ve gone. The guide covers the basic Scapy functions and abilities, it won’t make you a Scapy expert but I hope it will give you a start.

I actually really enjoyed writing this, and using Scapy and as such I intend to carry on updating the guide. I’ve already thought of some more things to add into the next few chapters and once I’ve finished studying for my Security+ exam in June I will carry on working on this guide.

I’m not expecting the guide to be perfect, I’ve read through it a few times now, and made changes as suggested by the people who have proof read it for me. I only ask 2 things of the people who take the time to read this guide.

1. Please provide feedback and comments, good or bad I don’t mind and if you post them on this post I will make them public. It’s important for me to understand if you actually find this useful and if there is anything else you want to see in it.

2. I’m also still looking for ideas and examples of what can be done with Scapy, both for the next release of the guide and for my own personal knowledge. So if you use Scapy in anger then let me know for what.

So enjoy and please share the love that is Scapy.

Adam

Categories: Scapy

Coming Soon: The very unofficial dummies guide to scapy..

So the last few weeks have been busy for me in terms of throwing myself into learning more about InfoSec, I’ve attended my first BSides event, made some new friends and published my year-long training plan.

One of the outcomes from attending BSides was my declaration that next year I would do a track 3 talk, and I decided that it would be on scapy (not sure why it just seems like a really cool tool). So I have included scapy on my aforementioned training plan and since then I’ve started playing around with it.

Then a week or so ago (time flies by so quick) @balgan tweeted about the lack of a scapy guide, at the time I thought it would be cool if such a thing existed but gave no more thought about it. That is until today, today I decided that I was going to write what shall now be known as “The very unofficial dummies guide to scapy”… no I’m not making up I’ve decided that as an official scapy dummy why not write a guide as I go, that will both enforce what I learn and maybe give back to the InfoSec community in some small way.

Now this guide is not going to be a huge bible of commands and examples, what is it going to be is a concise guide to building packets, seeing the results and providing examples of actual things you can do with it, basically something you can read in a few hours, follow the examples and write some packets.

I am well aware that you can find a lot of scapy related documentation on the internet but although the end result might not be any different to a few hours googling for things, that’s not the point. The point is really the same as this blog, I write about stuff I want to, if you find it useful that’s awesome, if not oh well never mind.. :)

However, if you think this isn’t actually a bad idea and you’ve used scapy for real world things then let me know. If you know of something that scapy is really cool at doing drop me a line and I will include it in the guide. Remember this is a guide for the community so why not contribute if so inclined..

Categories: General, Security

Environment Disclosure via #shodan

First of a big thanks to @achillean and his awesome website over at http://www.shodanhq.com, the amount of information that gets collected and stored is mind-blowing. I had a brief email conversation with John when I decided to write this blog and at the time there were over 70 million records stored in ShodanHQ.

So to the point of this blog post, in my current job I work a lot on e-commerce type stuff, mostly because I’m responsible for the load balancers we use (if you’ve read this blog before you might be able to guess what they are..). Part of that work means every now and again I get sent the output of our regular pen tests to answer questions or fix “holes”.

One of the most common “holes” I fix is what the external pen testers call “Environment Disclosure Information“, which in layman’s terms means you are giving out more information that you should to external people when they visit your websites.

This is an example HTTP header extract from a website, which will highlight the sort of stuff I mean:

Access-Control-Allow-Origin: *
Cache-Control: no-cache, no-store, max-age=0, no-transform, private
Content-Length: 43
Content-Type: image/gif
Date: Sun, 13 May 2012 10:35:11 GMT
Etag: “4FAF8E5F-48B6-0D239661″
Expires: Sat, 12 May 2012 10:35:11 GMT
Last-Modified: Mon, 14 May 2012 10:35:11 GMT
Pragma: no-cache
Server: Omniture DC/2.0.0
Vary: *
X-C: ms-4.4.5
p3p: policyref=”/w3c/p3p.xml”, CP=”NOI DSP COR NID PSA OUR IND COM NAV STA”
xserver: www4

Now remember I’m no security expert but to me this amount of “free” information about your web environment is both unnecessary and well to be fair a bit sloppy.

Looking at the HTTP header above an unethical type of person can determine the type of server you are running (Server: Omniture DC/2.0.0) and the version its running. Which would make it easier when looking for known vulnerabilities, and you can tell that they have at least 4 web servers (xserver: www4) providing this content (which means some sort of load balancing).

This is another HTTP header from a rather “large” software company that like Marmite you either love or hate..

Cache-Control: max-age=0
Connection: close
Content-Length: 12941
Content-Type: text/html; charset=utf-8
Date: Sun, 13 May 2012 10:40:24 GMT
Expires: Sun, 13 May 2012 10:39:24 GMT
PPServer: PPV: 30 H: BAYIDSLGN1H57 V: 0
Server: Microsoft-IIS/7.5
Set-Cookie: MSPRequ=lt=1336905624&co=1&id=64855; path=/;version=1
MSPOK=$uuid-b9356970-ea8a-491c-8c62-f367d9460ca3;
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 0
p3p: CP=”DSP CUR OTPi IND OTRi ONL FIN”

Again you will see that the Server: HTTP header is still there, so is this really a security concern? Do pen testers just highlight it as something to put in a report??

Now onto the cool stuff (well it’s cool to me), if you have ever used ShodanHQ you will know that there is an API available, and if you pay a small amount of $$ you can get a lot of functionality. I decided to use that API and write a ruby script that would look through the 70 million records and give me the total number of results that matched some of the most popular HTTP server headers.

This is my code (I have compared the numbers against individual searches with the same server header).

#!/usr/bin/env ruby
require 'rubygems'
require 'shodan'

#Set your Shodan API Key
SHODAN_API_KEY = "enteryourapihere"

#Create the API object
api = Shodan::WebAPI.new(SHODAN_API_KEY)

#Define the array of Server headers you want to search for
array = ["Apache/2.4","Apache/2.3","Apache/2.2.21", "Apache/2.2.20", "Apache/2.2.19", "Apache/2.2.18", "Apache/2.2.17", "Apache/2.2.16", "Apache/2.2.15", "Apache/2.2.14", "Apache/2.2.13", "Apache/2.2.12", "Apache/2.2.11", "Apache/2.2.10", "Apache/2.2.9", "Apache/2.2.8", "Apache/2.2.6", "Apache/2.2.5", "Apache/2.2.4", "Apache/2.2.3", "Apache/2.2.2", "Apache/2.2.0", "Microsoft-IIS/7.5", "Microsoft-IIS/7.0", "Microsoft-IIS/6.0", "Microsoft-IIS/5.0", "Microsoft-IIS/4.0", "Microsoft-IIS/3.0", "Microsoft-IIS/2.0", "Microsoft-IIS/1.0", "nginx", "squid", "lighttpd"]
begin
#For each value in array, search through Shodan
array.each_index {|s| d = api.search("#{array[s]}")
#Print the array value and the total number of matches against the array value
puts "#{array[s]}: #{d['total']}"}
end

I know it’s nothing flash, but it works.. :)

Now the results (drum roll please)…Bear in mind this isn’t all the web server versions, just the ones I could think of or find without spending hours crawling through the internet.

Results:

Apache/2.4: 465
Apache/2.3: 531
Apache/2.2.21: 229250
Apache/2.2.20: 72756
Apache/2.2.19: 72666
Apache/2.2.18: 4048
Apache/2.2.17: 351696
Apache/2.2.16: 444607
Apache/2.2.15: 328945
Apache/2.2.14: 517311
Apache/2.2.13: 141590
Apache/2.2.12: 81345
Apache/2.2.11: 346329
Apache/2.2.10: 89642
Apache/2.2.9: 743891
Apache/2.2.8: 420166
Apache/2.2.6: 97186
Apache/2.2.5: 63
Apache/2.2.4: 131883
Apache/2.2.3: 2854600
Apache/2.2.2: 28955
Apache/2.2.0: 65168
Microsoft-IIS/7.5: 681421
Microsoft-IIS/7.0: 749303
Microsoft-IIS/6.0: 3932895
Microsoft-IIS/5.0: 506169
Microsoft-IIS/4.0: 14731
Microsoft-IIS/3.0: 603
Microsoft-IIS/2.0: 37
Microsoft-IIS/1.0: 31
nginx: 1299084
squid: 192084
lighttpd: 503577

Yes yes I know, surely someone can’t be using IIS/1.0 but I did triple check that result.. :) To me that’s a lot of people who either don’t care about hiding this information, or like I said earlier it’s not really a big issue.

So lets take it one step further, ShodanHQ also lets you search the exploitdb using the API. Using the ruby script available from the documentation I ran it against Microsoft IIS/6.0 (the most popular IIS version from my research). Using the script I got 6 “known” exploits back (see below).

Results found: 6
3965: Microsoft IIS 6.0 (/AUX/.aspx) Remote Denial of Service Exploit
8704: Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Vulnerability
8754: Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch)
8765: Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (php)
8806: Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (pl)
15167: Microsoft IIS 6.0 ASP Stack Overflow (Stack Exhaustion) Denial of Service (MS10-065)

Now most of these might not be valid because of patching, but out of the 3,932,895 results there might be one or two that hasn’t been patched??

I know that realistically you will never be able to hide everything that might or might not give unethical people an advantage if you become a target, but why make it easy for them??

So is this kind of free information really an issue? If you are pen tester does this kind of information help you when running a test or is it just accepted that it’s out there and available??

Let me know what you think.

What’s in your lab??

So to make things a bit easier as I wander along the path of self enlightenment (or in this case learning more about InfoSec) I thought it was about time I built some sort of “lab” at home, so I can get a better idea of what happens when I say run a nmap scan and to give me something to scan against.

Now it may come as a surprise to you but in the 15 years I’ve worked in IT I’ve never had a server at home.. nope never.. and to be honest I don’t think I need a server now to achieve the results I’m after. Now this is MY lab, its not huge, fancy or flash but it is portable and its low maintenance.

So what did I want from my lab:

1. Simple to maintain
2. Flexibility
3. Performs the tasks I want (always good)

You see some people would (and are entitled to) say that the point of a lab is so you can break things (and learn how to break things) for me, the purpose of my lab was the opposite, well sort of. You see I know what firewall logs say during a port scan, but I don’t know what a port scan looks like in terms of the actual packets sent/received. I’ve got a lot to learn and rather than download a “exploitable” VM and well exploit it I wanted to start at the very beginning.

So my lab setup is very simple.

I have a HP Mini Note 2133 running Security Onion, this is for a mixture of packet captures and IDS alerts. It uses a wireless NIC for the management interface and it’s onboard LAN for the sensor. I have a Checkpoint Safe@Office 500 firewall which will have it’s WAN connection plugged into my home network and I will open ports/services as I need to. Then finally I have my laptop which I will use to either scan the firewall and/or write packets with scapy and run packet captures as I go.

My plan (it’s always good to have a plan) is that to start with the firewall blocking everything, I can review the packet captures and actually see the real responses back (as opposed to the script telling me), when I start working with scapy I can write custom packets and see what effect that has. Then I can slowly start to open ports and compare the results with my initial baseline.

This of course might be the completly wrong way to do things, but to me it makes sense. If I can understand what happens in relation to the packets I hope it will give me a more complete understanding of how things work.

Below is a quick and simple diagram of my lab, written by the way with DroidDia (yes there is a droid version of Dia).

Let me know what you think (if you want) and I will let you know how I get on.

Adam

Categories: General, Pen Testing, Security

Man with a plan – My training plan

I’m not the most organised person, especially when it comes to staying focused on something (sorry was I talking about??). If you’ve read this blog before you would have picked up that I’ve decided to expand on my IT Security skills.

To that end I’ve created a 12 month training plan, nothing fancy just a list of technologies/software that I want to learn how to use better. It won’t make me an expert (I’m not that silly), but it will hopefully mean that come BSides London 2013 I might be able to give a track 3 talk.

The training plan includes, Ruby (not Python for the time being), wireshark, metasploit framework, nmap and a long period for scapy. I like the idea of being able to write packets so I’ve dedicated a lot of time to this.

Along the way I will blog about my progress and hopefully start getting some more InfoSec related posts up here instead of my ranting about stuff..

Below is the training plan, feel free to pass any comments if you think I’ve missed anything obvious, my goal is to be able to run pen tests (against my own systems), without resorting to “automated” tools.

I’m also looking (still) for a UK-based InfoSec mentor, if any of you lot are feeling generous (I’m not expecting a lot, just answering some questions when I get stuck). If you’re up for it let @infosecmentors know. :)

Adam

Popping my cherry – B-Sides London 2012

On April the 25th 2012 a group of crack InfoSec professionals, enthusiasts, hobbyist and newbies (that’s me by the way), descended on the Barbican Centre in London for the security event of the year (in my opinion).

That’s right; B-Sides London 2012 had arrived.

Most of you probably already know what the B-Sides events are all about, so I won’t bore you with going over that, If you don’t then you go find the main website here; http://www.securitybsides.com or the B-Sides London website is here; http://www.securitybsides.org.uk/.

This was going to be my first B-Sides event and as I was reading the website to find out as much as possible before the event, there were two comments on the front page that really stood out for me.

The first was this “built by the community for the community“,I’m still trying to find my way in InfoSec, but what makes it easier (and more fun) is the people that have the passion, drive, commitment and wiliness to share their knowledge with people like me. Without community events like B-Sides (and there is others) trying to navigate your way around the world of InfoSec would be a lot harder.

The second comment was “So make BSidesLondon whatever you want it to be“, for me this was really important I didn’t want to attend an event and be anonymous. I have a tendency in new environments to be a little bit shy and I wanted to make the most of the day, meet new people and try to become part of the community rather than a lurker in the corner.

So with less than a week to the event, I volunteered to help out on the day, yes that’s right I was now on the crew roster for B-Sides London 2012. Due to work commitments I wasn’t able to get to the Barbican early to help out with setting up, but I would just like to say at this point a HUGE thank you to Iggy (@geekchickuk) and the rest of the B-Sides London crew for getting everything ready for the day and in fact for all their work during the day.

Working as crew on the day for me was awesome; I met a lot of new people and had a lot of fun. What did I do on the day?, well if you bought raffle tickets between 10:00 – 12:00 from the table in the corner next to the guys from SANS that was me (sorry about making you write out your own tickets), and in the afternoon (from about 14:30) I was on the swag desk. I may or may not have also been involved in the nerf rocket war between the B-Sides crew and the guys from MWR InfoSecurity.

In the end I only attended one talk which was by Robin Wood on “Breaking in to Security” (check out the B-Sides London website because a lot of the talks were videoed and will be available to watch), but for the me day was still a success.

Would I help out again next year? Hell yeah, if fact I’ve already told Iggy I will, but next year I’m going to do a talk on Track 3 (that’s the turn up and talk about something track), I have no idea what about yet, but I’ve got a year to work that out.

See you all next year…

Adam

Categories: BSidesLondon, General, Security
Follow

Get every new post delivered to your Inbox.

Join 825 other followers