If you’re interested in learning how to test the security of your network by attacking it, Irongeek.com has a number of flash/AVI videos that walk you through the mechanics of specific attacks.

Notable entries:
Using Cain and the AirPcap USB adapter to crack WPA/WPA2
Cracking Windows Vista Passwords With Ophcrack And Cain
Passive OS Fingerprinting With P0f And Ettercap
SSH Dynamic Port Forwarding
Basic Nmap Usage
Boot from Phlak and run Chkrootkit to detect a compromise
Cain to ARP poison and sniff passwords

These videos aren’t overly detailed, but do address the mechanics of specific attacks (i.e., how to run the tools). As such, they’re still useful for those who are interested in learning penetration testing and ethical hacking.

Popularity: 26% [?]

In addition to poorly protected wireless access points — ala TJX — rogue access points can be of great concern to a network administrator. Due to administration overhead, many environments are relatively lax in the preventative measures that would disallow employees from bringing in such devices and plugging them into the network. So how do we tell the difference between that test machine that Joe Engineer has under his desk and an unauthorized wireless access point? Luckily, rogue WAPs can be located over not one, but two mediums: the wireless network and the wired network. Given that most — if not all — ASVs focus on the wired side, we’ll explore techniques to locate rogue WAPs from an ASVs point of view.

HTTP Banner Grabbing
Many WAPs ship with embedded web-servers that are used for administration purposes. Fortunately, we can sometimes glean information from the web-server that allows us to identify the device as a WAP. For a quick-and-dirty way to grab HTTP banners for a particular IP range using nmap and netcat:

for i in $(nmap -sL -n 10.10.10.1-100 | grep -v finished | grep -v nmap | awk '{print $2}'); do echo -e "GET / HTTP/1.0\r\n\r\n" | nc -v -n -w 2 $i 80; done > http_output.txt

Some versions of echo don’t support the -e flag (which properly executes \r\n as carriage-return and line-feed respectively), in which case, create an input file with a well-formed HTTP request:

GET / HTTP/1.0
Host: 10.10.10.10

Remember to hit Enter twice at the end of the file, so that it has two carriage-returns. The new command will be:

for i in $(nmap -sL -n 10.10.10.1-100 | grep -v finished | grep -v nmap | awk '{print $2}'); do cat input.txt | nc -v -n -w 2 $i 80; done > http_output.txt

Look through the output at the Server header, WWW-Authenticate header (basic authentication is often enabled), and the HTML source for relevant keywords (e.g., Linksys, WRT54, DD-WRT, D-Link, etc). It’s a good idea to build up a keyword file and use it to search through your output file :

for i in $(cat wap_keywords.txt); do grep $i http_output.txt; done > danger.txt

Sample Output from a Netgear WGT624:

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="WGT624"
Content-type: text/html

<html>
<head><title>401 Unauthorized</title></head>
<body><h1>401 Unauthorized</h1>
<p>Access to this resource is denied; your client has not supplied the correct authentication.</p></body>
</html>
Connection closed by foreign host.

Of course, not all access points (Cisco Aironets for example) give-up useful HTTP banner information.

FTP Banner Grabbing
Many WAPs also have FTP enabled by default. Banner grabbing with nmap and netcat is similar to HTTP:

for i in $(nmap -sL -n 10.10.10.1-100 | grep -v finished | grep -v nmap | awk '{print $2}'); do echo "quit" | nc -v -n -w 2 $i 21; done > ftp_output.txt

The output might be something like the following (note that VxWorks is an OS that is common to embedded devices):

Connection to 10.10.10.100 21 port [tcp/*] succeeded!
220 VxWorks (5.4.2) FTP server ready.
221 Goodbye.

Banners for just about any plaintext protocol are similarly trivial to mine for useful information, provided that the request is well formed.

SNMP SysDescr
SNMP is another great source of information for locating rogue WAPs — for devices with SNMP enabled that is. Net-SNMP is easily installed on most Linux machines. Simply do so and use snmpwalk to search for WAPs:

for i in $(nmap -sL -n 10.10.10.1-100 | grep -v finished | grep -v nmap | awk '{print $2}'); do snmpwalk -v 2c -c public $i sysDescr; done > snmp_output.txt

Output might be something like:


SNMPv2-MIB::sysDescr.0 = STRING: BT Voyager 2000 Wireless ADSL Router

Advanced Techniques
While the above techniques are useful for one-off checks, it’s certainly not very scalable. There are many tools that contain built-in fingerprint databases that aid in identifying common WAP services. For example, nmap will look up MAC addresses:

Host 10.10.10.100 appears to be up ... good.
Interesting ports on 10.10.10.100:
PORT STATE SERVICE VERSION
23/tcp closed telnet
MAC Address: 00:06:25:6D:6E:8F (The Linksys Group)

P0f (a passive fingerprinting tool) and nmap both do stack fingerprinting, which involves looking at specific packet options and matching them to a known fingerprint. Here are a few p0f fingerprints:

0:32:0:40:.:.:Xylan:OmniSwitch / Linksys WAP11 AP (dropped)
S2:64:0:44:M32728:A:D-Link:DSL-500
8192:64:0:44:M1460:A:Cisco,Nortel,SonicWall,Tasman:Aironet,BayStack Switch,Soho,1200
2048:255:0:44:M1400:A:Netgear:MR814

Network Awareness
The most effective technique is simple network awareness. Log new devices that get plugged into switches and routers. Control the use of DHCP (many WAPs, incidentally, serve DHCP requests by default). Map your network periodically and diff the results.

Though rogue APs may or may not be within the scope of your PCI effort, they should certainly be within the scope of your overall security effort. One measure of your ASVs thoroughness should be their accuracy in detecting wireless access points over the wired network.

Popularity: 34% [?]

The newest revision to NIST 800-44 was released on June 1st. While it’s not the complete answer, it’s certainly a useful document in the battle for web-application security.

Popularity: 36% [?]

You’re vulnerable.

Really? Don’t hold back or anything. How can you be so sure?

Because your ASV said so, and if your ASV says so, there’s a 99.999% chance that they’re right. Pretty-much everyone is vulnerable to XSS in one way or another.

Well how do they even test for it?

If they’re a “network” security ASV, then they’re probably just doing a generic “pop-up” test and simply looking at the resulting HTML page for their input to be spit back without being escaped. Not very elegant, but it works. If they’re an “application” security ASV, then their testing is likely a bit more complicated.

Then why can’t I get it to work with my browser? I don’t see a pop-up.

First of all, an attacker isn’t going to make anything pop-up on your screen. A test like that is only used as a proof-of-concept by your ASV. Second, not all browsers are vulnerable. The point of fixing XSS is to protect the end-user. Relying on the end-user to use a non-vulnerable browser is essentially making it incumbent upon them to provide for their own security. While that’s all well-and-good, it’s a bit idealistic. Web-browsers are embedded in all sorts of applications; you can’t just assume that everyone is using the latest version of IE or Firefox.

OK, but XSS isn’t really that important. So a hacker can steal cookies…big deal.

Not so grasshopper. Payloads delivered by XSS are becoming increasingly more malicious: Keylogging…worms…remote control…etc. There are plenty of tools available to demonstrate this.

Got it. So assuming that I wanted to fix it, can my ASV help out a little and tell me how?

Yes and no. They can’t tell you the exact details on how to fix it, because they probably don’t have intimate knowledge of your web-application. As you’re well aware, web-applications can be particularly complex; the XSS vulnerability can be within the web-server, the application server, cgi scripts, the database, etc… All your ASV knows is that they send a particular request to your application and get a response indicating that you’re vulnerable.

So where else can I go to get information on how to fix it?

OWASP is a good place to start; you can also read the upcoming and guru-authored XSS book; or you can even ask a real person. It really just boils down to input validation. Every point within your application that accepts user input — either directly or indirectly — should have mechanisms that filter all input except for that which your application requires. But don’t worry…implementing XSS filters isn’t nearly as difficult as determining where the filters should be implemented.

Popularity: 33% [?]

This is the first of what will — hopefully — be many posts that will deal with the technical aspects of PCI compliance. The intention is to provide substantive information for validating commonly encountered vulnerabilities — which is also useful for comparing ASVs — with a quick-start guide style of presentation. In keeping with the spirit of my previous post, we’ll take a look at checking for weak SSL encryption using OpenSSL.

The OpenSSL command-line tool has many useful features. It comes installed by default in most Linux distributions, though it can be had on Windows as well. Rather than installing OpenSSL on an existing system, an easy alternative would be to boot-up any of the popular LiveCD Linux distributions. Now, on to the fun!

PCI DSS requirement 4.1 states “Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks“. One common issue that merchants face in this regard is that SSLv2 — which is universally considered to be insecure — comes enabled by default in most web-servers.

The first check is to see if SSLv2 is enabled:
openssl s_client -connect IPADDR:PORT -ssl2

A server that doesn’t support SSLv2 will come back with a write-error, whereas one that does support SSLv2 will come back with something like the following:
[chris@toxic ~]$ openssl s_client -connect google.com:443 -ssl2
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify error:num=21:unable to verify the first certificate
verify return:1
—
Server certificate
—–BEGIN CERTIFICATE—–
MIIDYzCCAsygAwIBAgIQYFbAC3yUC8RFj9MS7lfBkzANBgkqhkiG9w0BAQQFADCB
zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ
Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE
CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh
d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl
cnZlckB0aGF3dGUuY29tMB4XDTA2MDQyMTAxMDc0NVoXDTA3MDQyMTAxMDc0NVow
aDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1v
dW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBJbmMxFzAVBgNVBAMTDnd3dy5n
b29nbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/e2Vs8U33fRDk
5NNpNgkB1zKw4rqTozmfwty7eTEI8PVH1Bf6nthocQ9d9SgJAI2WOBP4grPj7MqO
dXMTFWGDfiTnwes16G7NZlyh6peT68r7ifrwSsVLisJp6pUf31M5Z3D88b+Yy4PE
D7BJaTxq6NNmP1vYUJeXsGSGrV6FUQIDAQABo4GmMIGjMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLnRo
YXd0ZS5jb20vVGhhd3RlUHJlbWl1bVNlcnZlckNBLmNybDAyBggrBgEFBQcBAQQm
MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLnRoYXd0ZS5jb20wDAYDVR0TAQH/
BAIwADANBgkqhkiG9w0BAQQFAAOBgQADlTbBdVY6LD1nHWkhTadmzuWq2rWE0KO3
Ay+7EleYWPOo+EST315QLpU6pQgblgobGoI5x/fUg2U8WiYj1I1cbavhX2h1hda3
FJWnB3SiXaiuDTsGxQ267EwCVWD5bCrSWa64ilSJTgiUmzAv0a2W8YHXdG08+nYc
X/dVk5WRTw==
—–END CERTIFICATE—–
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
—
No client certificate CA names sent
—
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
—
SSL handshake has read 1004 bytes and written 239 bytes
—
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Session-ID: DBDEE2C376B3558FCFBD80F6B5C03973
Session-ID-ctx:
Master-Key: 4C049A470A30277D7B3A00E662CC2F5034A16FCAB3BD6A63
Key-Arg : E20F5A1477892F50
Krb5 Principal: None
Start Time: 1175614353
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
—

SSL protected mail-servers may be checked in the same manner, though one must add the starttls switch:
openssl s_client -connect IPADDR:25 -ssl2 -starttls smtp
openssl s_client -connect IPADDR:110 -ssl2 -starttls pop3

Ciphers of less than 128 bits should also be disabled. Luckily, OpenSSL has a built-in switch that makes testing easy:
openssl s_client -connect IPADDR:PORT -cipher LOW:EXP

Similarly — and relatively common — null ciphers (i.e. plaintext) should be disabled:
openssl s_client -connect IPADDR:PORT -cipher NULL

As well as ciphers that provide no authentication:
openssl s_client -connect IPADDR:PORT -cipher aNULL

Another issue that I see periodically is when the server certificate is valid, but another cert in the certificate chain is expired. To locate the offender, we must first pull down all certs in the chain:
openssl s_client -connect IPADDR:PORT -showcerts

Next, copy each certificate, paste it into a text file, and save it. It is important to get the whole cert:
-----BEGIN CERTIFICATE-----
MIIDITCCAoqgAwIBAgIQS6WuWd7dHMeAfIkikfDiQzANBgkqhkiG9w0BAQQFADBM
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wNjA1MTUyMzE4MTFaFw0w
NzA1MTUyMzE4MTFaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcw
FQYDVQQDEw53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEA5sXGjc0LowME3K7MyUa+vcydvHM0SP7TdWTQycl2J3IPqZYaO4HzFPaukFbn
GdJzaKeFpK7KJBQwALroNl2BczpxBY+xrxGH2lzxPr9TUYRvRA636CbXL7Jv8vJd
36fPjKXpHm8wSJQhCwGtug5xAQ0Q77/uLNON/lSo/tOXj8sCAwEAAaOB5zCB5DAo
BgNVHSUEITAfBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIEATA2BgNVHR8E
LzAtMCugKaAnhiVodHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlU0dDQ0EuY3Js
MHIGCCsGAQUFBwEBBGYwZDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AudGhhd3Rl
LmNvbTA+BggrBgEFBQcwAoYyaHR0cDovL3d3dy50aGF3dGUuY29tL3JlcG9zaXRv
cnkvVGhhd3RlX1NHQ19DQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQF
AAOBgQBXS7ykQ+fgAZKgljX5GAiIHXtwGY/5NrIFOgXKFFlNJA7liq9Oh1r3HCqW
j8thQJ7StDhAISTBTx/LE0qPlQLfkT3WQOsRb5sQoW/OkV4w9m0TXhWkLsIYngDD
2DJnR/y4HprZmo7M/3wStwO/UiDPIfTzd90SFfCU+pDV41logQ==
-----END CERTIFICATE-----

Finally, check each cert:
openssl x509 -noout -in cert.txt -enddate

If you want to check other details of the cert (e.g. issuer, subject, etc.):
openssl x509 -text -noout -in cert.txt

So there you have it. Please note that this is protocol-level testing and that mitigation could exist elsewhere in the connection establishment process.

If you’d like to see specific topics covered along these lines, please feel free to e-mail us.

Popularity: 26% [?]