Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
Running Nmap on Vista
November 22, 2006
I installed the latest Alpha version (4.20RC1) of Nmap (from http://insecure.org/nmap/download.html) on my Vista RC1 x86 machine. Unfortunately, nmap fails to run out of the box. Here’s what I found and how I fixed it.
First, I got a runtime error due to a missing dll dependency:
"nmap.exe - Unable To Locate Component.
This application has failed to start because NPPTools.dll was not found."
and nmap spews a console message to the effect that iphlpapi.dll is missing. The console message appears to be wrong. As a work-around, I copied the npptools.dll that I happened to have on my XPSP2 machine to the same directory as nmap.exe on the Vista machine. Problem solved.
Note, I don’t know where that dll actually came from - is it present on a pristine XP machine? Add/Remove Programs on my XP machine shows no indication of having installed netmon, which is where I thought that dll came from. But then I installed Netmon Beta 3 from http://connect.microsoft.com on the Vista machine to see if it includes npptools.dll. It doesn’t.
Anyway, once you get past the dependency error, you’ll next see the following error, which is documented in the newsgroups:
C:\Program Files\Nmap>nmap -v -A some_machine
Starting Nmap <-- snip -->
getinterfaces: intf_loop() failed
QUITTING!
I couldn’t find a documented fix, though. My fix is to line 20 of libdnet-stripped\src\intf-win32.c in the latest nmap code distribution, based on ipifcons.h from the Vista Platform SDK.
#define MIB_IF_TYPE_MAX MAX_IF_TYPE /* XXX - ipifcons.h */
Without the fix, at runtime, the Vista machine enumerates at least one network interface of a type outside the range of those recognized by nmap, causing the tool to give up. With the fix, plus the above dll, everything seems to work. I’ve submitted the code change, but I don’t know when a patched binary will be made available for download.
Open Network Ports on XPSP2
November 16, 2006
Sitting in my hotel room in the middle of the night, dealing with jet lag and severe boredom, inspired me to dig into Windows Internet Connection Firewall (ICF) a bit on my XPSP2 laptop. It’s a Lenovo, domain-joined, though currently on a ‘foreign’ network; these details become relevant.
My first step was to write a simple program which exercises various ICF COM interfaces, including INetFwProfile, INetFwOpenPorts, INetFwAuthorizedApplications, and INetFwServices. A summary of what I found:
- According to ICF, there are no globally open ports on this machine.
- “Enabled” applications (i.e. those granted exceptions) include C:\Program Files\Messenger\msmsgs.exe (i.e. Messenger). I take this to mean that the binary at that path can open any port at will, although I didn’t confirm.
- “Enabled” services include UPnP Framework, with ports 1900 and 2869, as well as Remote Desktop, with port 3389.
I subsequently discovered two additional ways to obtain this information directly from ICF:
- Read it directly from the registry under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy.
- Using a built-in command-line tool plus a list of arguments, namely: “netsh.exe firewall show config verbose = ENABLE”
Beware – one confusing thing I found about netsh.exe is the way it reports the two separate ICF policies configured on this machine: Domain and Standard. Since I’m off the corporate LAN, the latter is in effect. It’s clear that netsh.exe knows this. Nevertheless, I wasn’t able to find a combination of command-line options that would give verbose output regarding only the profile in effect, i.e. Standard (I haven’t tried it from the corp LAN yet; it may behave better in that situation). So be sure to read the output carefully, especially if you’re offsite.
Anyway, this ICF configuration raises some interesting questions. Such as, what do I need to do if I want all of the exceptions closed, and is there anything it’s not telling me?
Next step: use a port scanner to find out which ports have listeners. Actually, I ran nmap.exe in a self-scan configuration; the results of a scan from a remote machine (something I don’t have access to at the moment) may be different. Still, it’s an interesting data point.
>nmap -sT -P0 my_machine
…
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3389/tcp open ms-term-serv
For a while, forgetting the loopback consideration, I wasn’t sure how to rationalize the output of nmap with my ICF config. Specifically, why are 135, 139, and 445 open, and what the heck is 1025?
Some web searching taught me the following.
- 139 and 445 are automatically bound by System and are used for Server Message Block (SMB). I’m led to believe that Workstation (i.e. domain-joined client) functionality will fail unless these ports are opened at least outbound, but if you don’t care to offer File and Printer Sharing from this machine, they can safely be disabled inbound. I did not confirm this.
- 1025 is opened by a 3rd party VPN client (IPSSVC.exe) that comes pre-installed on Lenovo machines. It’s considered benign, but again, what the heck?
- 135 is the RPC port mapper. Again, I’m led to believe that notorious DCOM can (and should!) be disabled by blocking inbound connections on this port – especially on a client machine. But loopback still needs to work. And again, I did not confirm this.
Then I finally discovered the proper built-in tool for obtaining some of this information myself. The output below has been trimmed.
>netstat.exe -a -o
Active Connections
Proto Local Address Foreign Address State PID
TCP my_machine:epmap my_machine.domain:0 LISTENING 1244
TCP my_machine:microsoft-ds my_machine.domain:0 LISTENING 4
TCP my_machine:1025 my_machine.domain:0 LISTENING 2012
TCP my_machine:3389 my_machine.domain:0 LISTENING 1176
TCP my_machine:netbios-ssn my_machine.domain:0 LISTENING 4
UDP my_machine:microsoft-ds *:* 4
>tlist | findstr 2012
2012 IPSSVC.EXE
>sc queryex termservice
SERVICE_NAME: termservice
STATE : 4 RUNNING
PID : 1176
>sc queryex rpcss
SERVICE_NAME: rpcss
STATE : 4 RUNNING
PID : 1244
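The cross-referencing above (netstat listeners matched to PIDs, PIDs matched to processes and services, and the result compared with the ICF exception list) can be scripted. This is an added example, not code from the blog; the netstat text and the PID-to-owner map are constructed from the post's trimmed output, and the well-known port names are the ones netstat takes from the services file.

```python
"""Cross-reference 'netstat -a -o' listeners with their owning process. Added
example, not the blog's code; sample text and PID map are constructed from the post."""
import re
# Names netstat substitutes for well-known ports (from the services file).
SERVICE_PORTS = {"epmap": 135, "netbios-ssn": 139, "microsoft-ds": 445}
# Constructed sample: the listening sockets shown in the post.
NETSTAT_OUTPUT = """\
  Proto  Local Address           Foreign Address        State        PID
  TCP    my_machine:epmap        my_machine.domain:0    LISTENING    1244
  TCP    my_machine:microsoft-ds my_machine.domain:0    LISTENING    4
  TCP    my_machine:1025         my_machine.domain:0    LISTENING    2012
  TCP    my_machine:3389         my_machine.domain:0    LISTENING    1176
  TCP    my_machine:netbios-ssn  my_machine.domain:0    LISTENING    4
  UDP    my_machine:microsoft-ds *:*                                 4
"""
# Constructed: owners the post found via 'tlist' and 'sc queryex'.
PID_OWNERS = {4: "System", 1244: "rpcss", 1176: "termservice", 2012: "IPSSVC.EXE"}
# Ports the post's ICF exception list explicitly opens (UPnP, Remote Desktop).
ICF_EXCEPTION_PORTS = {1900, 2869, 3389}
# Matches TCP LISTENING rows and UDP rows; other TCP states do not end in a bare PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\S+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$")

def port_number(field):
    """Turn netstat's port field (number or well-known name) into an int."""
    if field.isdigit():
        return int(field)
    if field in SERVICE_PORTS:
        return SERVICE_PORTS[field]
    raise ValueError(f"unknown service name {field!r}; add it to SERVICE_PORTS")

def parse_listeners(text):
    """Return (proto, port, pid) for every listening socket in netstat output."""
    return [(m.group(1), port_number(m.group(2)), int(m.group(3)))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def account_for(listeners, owners, exception_ports):
    """Attach an owner to each listener and note whether the firewall lists its port."""
    return [{"proto": p, "port": port, "pid": pid, "owner": owners.get(pid, "UNKNOWN"),
             "explicit_exception": port in exception_ports} for p, port, pid in listeners]

def unexplained_ports(rows):
    """Listening ports with no explicit exception: the ones to explain or close."""
    return sorted({r["port"] for r in rows if not r["explicit_exception"]})

if __name__ == "__main__":
    rows = account_for(parse_listeners(NETSTAT_OUTPUT), PID_OWNERS, ICF_EXCEPTION_PORTS)
    for r in rows:
        print(r["proto"], r["port"], "pid", r["pid"], r["owner"],
              "" if r["explicit_exception"] else "<- not in ICF exceptions")
    print("needs explanation:", unexplained_ports(rows))
```

On the post's sample the script reports 135, 139, 445 and 1025 as listening without an explicit exception, which is exactly the set the post goes on to chase down; a PID with no known owner is flagged UNKNOWN so it cannot be silently skipped.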
So at least all open ports are accounted for. For the first attempt at locking my machine down, I took the following steps.
- Disable Messenger via the Windows Firewall control panel
- Disable Remote Desktop/RDP via Computer Properties
- Disable Remote Assistance via Computer Properties while I’m at it …
- Disable UPnP via the Firewall cpl
- Disable IPSSVC via the Services cpl
>nmap -sT -P0 my_machine
…
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
So now we’re down to just the three ports opened by System (i.e. PID = 4 in the above netstat output). How do I go about locking those ports down as mentioned above? The answer: this handy script, created by Microsoft PSS in response to the Blaster worm. Among various options, the script applies IPSec policies to Web and RPC ports, as well as the additional Blaster-related ports, blocking inbound TCP and UDP. That doesn’t prevent an infected machine from spreading via outbound traffic, but my machine isn’t infected …
I don’t have a good way to test the new config until I can run a scan from a separate machine. And I’m curious to run the same barrage of checks against Vista as well. Stay tuned!
Just saw an interesting talk entitled “Securing Your Certificate Authorities [CA] Private Keys” by Brian Komar of IdentIT, Inc. Included was a demo of installation and configuration of two vendors’ Hardware Security Module (HSM) and accompanying Cryptographic Service Provider (CSP). The demo was quite smooth.
During the demo, one thing in particular caught my attention from a security perspective: while interacting with one of the CAs, I’m pretty sure I saw one of the HSM CSPs display a dialog box. What are the ramifications of this behavior? Well, the Certificate Authority service is probably running as Local System, and the CSP is loaded into that process. Hence, the dialog box runs as Local System, yet it interacts with the user desktop. This exposes the CA process to a so-called “Shatter Attack,” i.e. a potential Elevation of Privilege available to other processes running within the same session.
Unfortunately, due to the architecture of Microsoft Crypto API and the behavior of session zero, there’s really no way to avoid this. What to do? Easy – lock down your CA server. There’s a good summary of how to do this here. Note that even non-admin users, if given logon privilege to the console session of your server, can launch a Shatter Attack. So think about who has logon rights to your CA!
By the way – in Longhorn Server, this situation improves dramatically, since interactive logons to session zero are disallowed. How will legacy CSPs in the above scenario function in this environment? Vista client has the built-in capability to notify a logged-on user that a session zero process is attempting to display a dialog. In response, the user can switch to the session zero desktop, respond to the dialog, and switch back.
Is Debug.exe Secure By Default?
November 14, 2006
Another quick follow-up point to yesterday’s security presentation at TechEd: Marcus Murray showed a SQL injection exploit (based on the Hacme Bank demo, the XP_CMDSHELL stored procedure, and Sec-1 injector.pl) which results in a remote shell.
What surprised me is that the tool used by that attack script to assemble (as in, translate to machine code) the shell – debug.exe – is in fact present on my XPSP2 machine. It got me thinking – is that tool present by default on Windows Server 2003 machines, as well as Vista and Longhorn Server? Since I’m currently traveling and don’t have access to those images, I’ll have to check on that.
When I’ve read in the past about locking down Linux machines, one piece of common advice is essentially this: don’t make a hacker’s job easier by leaving a compiler installed on your hardened server. A quick search on the net shows that there may be some best-practice docs out there regarding debug.exe and Windows, but it’s not obvious.
On the other hand, if an attacker gets far enough that the only thing blocking him is the minor inconvenience of uploading some compiler/assembler/interpreter, then perhaps it’s already too late.
How to Mitigate Wireless Spoofing?
November 13, 2006
One of the cool demos from the TechEd-IT security talk today was a WEP based spoofing attack. The Truesec guys have a script that will listen for client 802.11 beacon packets advertising familiar SSIDs. In response, the script will immediately configure an access point to respond to that SSID and allow the client to bind.
The rogue network includes a DNS server as well. The point being that if a client surfs to a sensitive web site via their wireless NIC (most likely on a laptop), gets redirected to a spoofed site, and attempts to authenticate via a login form, then that password is compromised. Further, the attack can be launched from a safe distance via a high-gain antenna, placing the attacker at less risk.
The threats are all old news, but much of it was demonstrated via live demo and it went well. Much of the audience was in shock, which is shocking in itself, given that this is old news.
Anyway, someone asked if a PKI-based deployment (802.11x) with server and client certificate-based auth would mitigate the above threats. Answer: No. Although the presenter neglected to explain this, I understood the purpose of their attack to be Spoofing (and not Man in the Middle, for example). To my knowledge, there’s no way to prevent an XP laptop from affinitizing (great word) and connecting to a given SSID, as described above – even if it’s presently connected to a wired LAN – provided the antenna is enabled. And even if the attacker uses a bogus server-auth certificate on the spoofed site, the majority of users will ignore the error and happily type in the password if the site looks convincing.
What would mitigate this threat? Perhaps a machine policy preventing connection to a WLAN if the wired network is connected. Or a policy requiring user confirmation before connecting to any WEP based network (and always give priority to an 11x network). Not sure about this one.
I’m currently attending Microsoft TechEd IT in Barcelona, sitting in the pre-conference "Know The Enemy" session being given by Marcus Murray, Senior Security Advisor of Truesec.
So far, he’s done live demos with an impressive array of publicly available tools.
- ConTEXT
- Foundstone Hacme Bank
- GSecDump
- Hydra
- Institution (trojan)
- Kaspersky
- Metasploit
- Netcat
- Nmap
- OllyDbg
- PeachFuzz.pl
More later …
Scary Skype Security by Obscurity
November 3, 2006
I recently had the privilege of seeing an impressive presentation on reverse engineering Skype by two security researchers from EADS.
These guys did some hard-core work on this. In summary, the researchers found Skype to be a monolithic application binary built with extensive obfuscation and anti-debugging measures, as well as a proprietary wire protocol. Unfortunately, while they provided great detail about their reverse engineering process, they were quite cagey about their overall conclusions, citing a vague confidentiality requirement.
They hinted at two concerns:
- Skype periodically phones home, transmitting undisclosed data to other nodes. Could this include personal information or other private data?
- Skype nodes can be compromised, as can supernodes potentially, creating trust problems in the network.
Finally, although this isn’t mentioned in the slide deck, it was reported that EADS banned Skype from its networks as a result of this research.
The best thing about yesterday’s Entrepreneur University (EU), put on by the Northwest Entrepreneur Network in downtown Seattle, was the professional networking opportunity. The seminars were a little dull, but it’s also possible that I simply wasn’t in the mood to sit in uncomfortable chairs all day.
The keynotes were entertaining. Jim Sinegal, CEO of Costco, has a great presentation about the history of the company. Their focus on efficiency is inspiring. Interesting comparison to, say, WalMart: while Costco claims to pay its employees $17/hr avg + benefits, WalMart reportedly pays $10/hr avg with fewer or no benefits. When re-stocking certain inventory items, Costco can simply drop the pallet in the warehouse floor and be done with it. Customers just grab the items from there. WalMart, on the other hand, has to incur the additional labor cost of un-wrapping the larger boxes and placing the smaller boxes on shelves. Of course, if you don’t want to buy a two-month supply of Cheerios, you’ve got to be willing to pay the overhead.
A comment about one of the seminars – the President of All-Star Directories gave a talk about Operations Planning. That’s not the kind of topic that interests me, but what does interest me is that founder Mike Mathieu had just sold ASD to an Austin-based VC for an undisclosed sum. Given that the start-up was self-funded, had been profitable for four straight years, and last year’s revenue was $15 million, speculation yesterday was that the sale was worth $50 million, with a healthy portion going to the founder. Nice score. More.
On the networking side – a couple of start-ups I learned about doing cool stuff. First, shelfari lets users post info about books they own, wishlists, comments, etc. It could turn into a cool book discussion site, and the overall design is slick, but I don’t see too many people moving their wishlists or book reviews efforts away from Amazon. I hope I’m wrong. Then there’s Leancode founded by Bernie Thompson, a former development manager and technical trainer who I knew back at Microsoft. I was actually kind of shocked to hear that he left, but I’m glad to see he’s out doing cool stuff. I also met Trent Dyrsmid of Dyrand Systems who gave me some advice about doing my homework as an entrepreneur. In essence, if you’re going to spend 5 – 10 years building something, try to make sure it’s worth it. Or, before you start the race, pick the fastest horse …
Finally, an interesting, albeit very brief, chat with a local VC. What’s hot on their radar right now? Computational Biology and anything involving the Media/Internet/Advertising intersection, particularly media on a cellphone and internet video. YouTube 2.0, anyone?