Wednesday, February 27, 2008

Let Loose the Pings

Photo Courtesy Sean Hawkey
Our lab contains a very expensive hardware-based traffic generator. The device is not easily configured and can be a pain to use, but once it is set up it can generate any type of traffic and network transaction. The problem was that somebody changed the admin password, and nobody knew the new one. The device can still be used without the admin password, but you cannot configure the interfaces without it. We were in a time crunch, needed to perform a simple network test, and did not have time to reset the password. Worse, whoever reset the admin password had also changed the IP address on the interface, and we needed that IP address in order to configure the test. Easy: there are only 4 billion addresses to ping, and conveniently the device was set to respond to pings. It gets better: we knew the address was 10.x.0.11, so we had to try at most 255 addresses. My co-worker starts pinging one at a time, and I think he is crazy; we are programmers, so let's write a quick VBScript and run it with WSH. The script runs through the 10.0-255.0.11 addresses and parses the output from ping. If it receives a Reply, the script prints that address and exits. The script could be modified with more loops to cover more addresses, but it is slow because it only processes one ping at a time; if you need more pings, a C program would work much faster.

Basic operation: a for loop runs through 0-255 (each number is echoed to the screen), a variable is used to build the ping command, a shell object executes the ping command, and the command's stdout is parsed looking for the word Reply. If Reply is found, the IP address is echoed to the screen and the script exits. When running this script, make sure you use cscript or you will have windows popping up for each ping. This script worked extremely well; we took a break while the script ran, came back, and the magic number was 42 - imagine that.

' Sweep 10.0.0.11 through 10.255.0.11, one ping each, and stop at the first
' address that answers. Run with cscript, not wscript, or every WScript.Echo
' becomes a pop-up window.
Option Explicit
Dim objShell, objWshScriptExec, objStdOut, strLine, a, i, y

' One shell object is enough; it is reused for every ping
Set objShell = CreateObject("WScript.Shell")

For i = 0 To 255
    y = 1
    WScript.Echo i
    ' Build the ping command for this candidate address (-n 1 = a single echo request)
    a = "ping -n 1 10." & i & ".0.11"
    Set objWshScriptExec = objShell.Exec(a)
    Set objStdOut = objWshScriptExec.StdOut
    ' Count reply lines that come from the target itself. A router's
    ' "Reply from <gateway>: Destination host unreachable." also starts with
    ' "Reply", so the check also requires the candidate address on the line.
    While Not objStdOut.AtEndOfStream
        strLine = objStdOut.ReadLine
        If Left(strLine, 5) = "Reply" And InStr(strLine, "10." & i & ".0.11:") > 0 Then
            y = y + 1
        End If
    Wend
    If y > 1 Then
        WScript.Echo a
        Exit For
    End If
Next
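As an added example (not the post's script), the same one-at-a-time sweep in Python, with the ping output parsing pulled into a function so the "Destination host unreachable" case, which also begins with "Reply", is not counted as a hit. The sample ping outputs are constructed, and the ping runner assumes the Windows ping command.

```python
import re
import subprocess
from typing import Callable, Iterable, Optional

# Constructed Windows ping outputs (not captured from the lab device): a real
# answer, a gateway's "unreachable" message, and a timeout. The unreachable
# message also begins with "Reply", which a bare "Reply" check would count
# as a hit.
SAMPLE_REPLY = ("Pinging 10.42.0.11 with 32 bytes of data:\n"
                "Reply from 10.42.0.11: bytes=32 time<1ms TTL=64\n")
SAMPLE_UNREACHABLE = ("Pinging 10.7.0.11 with 32 bytes of data:\n"
                      "Reply from 10.0.0.1: Destination host unreachable.\n")
SAMPLE_TIMEOUT = ("Pinging 10.8.0.11 with 32 bytes of data:\n"
                  "Request timed out.\n")

def answered(output: str, target: str) -> bool:
    """True only if TARGET itself sent an echo reply ("Reply from <target>: bytes=...")."""
    pattern = re.compile(r"^Reply from " + re.escape(target) + r": bytes=", re.M)
    return pattern.search(output) is not None

def windows_ping(target: str) -> str:
    """Send one echo request (-n 1) with a 1 s timeout (-w 1000) and return ping's stdout."""
    proc = subprocess.run(["ping", "-n", "1", "-w", "1000", target],
                          capture_output=True, text=True)
    return proc.stdout

def second_octet_sweep() -> list:
    """The post's search space: 10.0.0.11 through 10.255.0.11."""
    return [f"10.{i}.0.11" for i in range(256)]

def find_device(candidates: Iterable[str],
                ping: Callable[[str], str] = windows_ping) -> Optional[str]:
    """Ping candidates one at a time (like the VBScript) and return the first that answers."""
    for target in candidates:
        print(target)                     # progress, as the original echoes i
        if answered(ping(target), target):
            return target
    return None

if __name__ == "__main__":
    print("device found at", find_device(second_octet_sweep()))
```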

Tuesday, February 19, 2008

Are you on the Juice?

Altiris, now owned by Symantec, has developed an application virtualization product called the Software Virtualization Solution (SVS). Did I mention it's free for personal use? How cool is that. I am going to give a brief overview of the software, but you should visit the Altiris Juice site to get in on this action. The Juice web site provides articles, tools, and tips to help you maximize the benefits of Software Virtualization Solution.

I think of application virtualization as VMware for applications: why virtualize the whole operating system when virtualizing the application will do? With SVS the following things are possible:

- If an application becomes corrupted, reset it to its original installed state, with the ability to keep user data.
- Allow multiple versions of the same application to be installed, or install applications without causing conflicts.
- Prevent applications from corrupting the operating system, such as preventing the installation of older versions of DLLs.

SVS supports Windows versions from 2000 through Vista. However, some applications do not work well under it, such as drivers, virus checkers, file encryption products, OS patches, computer management agents, and applications that have dedicated drivers.

SVS works using filters that intercept all file and registry calls and can redirect them to a folder. Basically, a user creates a Virtual Software Package (VSP) for the application they want to install. SVS then builds a virtual environment for the application that mimics the Windows Registry and file system. For example, if you have an application that overwrites a DLL file with an older version, this could cause issues with other installed software. Using SVS, the application would instead be redirected to write the older DLL to a folder associated with that application. When the application is executed and asks for the DLL, the SVS filter redirects the request to the folder associated with that application. In essence the application cannot modify the operating system, yet to the end user there is no difference between a virtual application and a non-virtual application.

Once the VSP is installed it can be activated, deactivated, and reset to the original configuration (like a VMware snapshot). Once activated, all the files and settings for the application appear to the end user just as if the application were actually installed. Once deactivated, all the files and settings disappear from the user's view. When building a VSP, everything that is captured is contained in a "layer." The layer represents all the files and registry settings that make up the virtualized application. Multiple layers can be used, for example one layer for user data and another for the application itself; this allows you to reset the application without losing the user data it contains.

You can also create Virtual Software Archive (VSA) files, which allow you to install the application on any computer by just importing the file into SVS. There are sample VSA files that you can download from Juice, so try it out (reminds me of virtual appliances in VMware). These would be helpful in an enterprise environment: the administrator can deploy VSA files to all the users and has the ability to easily reset them once a user screws up the application.

So what is all this good for? How about securing your computer against untrusted software. Browsing around the Internet one night you find some tool guaranteed to do what you have always wished for; how can this be true, especially since the tool is located on the trojans-r-us site? But you just gotta try it, so you use SVS to virtualize the application. That way, if you find out it is a malicious program, all you have to do is deactivate it, and it cannot corrupt your operating system. Awesome! Another thought: if they offer an API into SVS, it could be used to perform security testing of an application, akin to strace.

Sunday, February 17, 2008

Software Assessment 3.0

Determining network resources: finishing out the series on software assessment, let's discuss how to determine the network resources required to operate the software. For this you will need a protocol analyzer to capture the transactions that are happening. For my testing I use Wireshark. I am not going into great detail on how to use Wireshark; the Wireshark documentation is very detailed and easy to understand.

The basic process is to start a capture with Wireshark, then open the software and perform some basic functions. I usually go through the menu system and try out the features. We are especially looking for features that cause network traffic. The vendor documentation can be useful by giving a clue to which ports and protocols the software uses to connect to a server or other clients. Once you are finished trying out features in the software, stop the Wireshark capture. Now it is time to analyze the capture file.

After reading the Wireshark documentation, and given a basic understanding of TCP/IP, you should have a basic idea of how to look at the packets. One of the useful features in Wireshark is Follow TCP Stream, which shows the conversation between the software and the server or clients it is talking to on one screen. Of course, this is only helpful if the software is using TCP. Also ensure that you have a filter set to show only traffic from the computer you are testing, and only run the software under test; it can be annoying to sort through network traffic that has nothing to do with the software being tested.

While reading through the capture file, keep track of all the ports and protocols that are being used. Usually the software will select random ports above 1024 to send packets from; the random ports are not as important as the listening port on the server or client that is receiving the packets. The Endpoints and Conversations windows can be useful to view the ports and IP addresses that were connected to during the test.

What are we looking for?

- Ensure the software will comply with the current firewall policy. If the software requires a range of ports to be opened on the firewall, this can be a risk. I have seen software that required 1,000 ports to be opened on the firewall to allow the server to make connections to the client; this was considered too much risk and the software was not allowed to be used. If the network communications are contained within the LAN instead of connecting out to the Internet, this could be considered a lower risk.

- Is the data being encrypted or passed in clear text? In the past, when security was an afterthought, we used to see usernames and passwords passed in clear text. Some protocols are designed like this, such as telnet and ftp, which is why ssh and sftp were developed.

- Bandwidth: how much bandwidth does the software require, and will it cause a denial of service to the other programs running on the network? If the software is constantly downloading large image or video files, this could tie up the network and starve other required services. This is a judgement call, but Wireshark will give you an idea of the amount of traffic being generated, and based on your current network use you should decide whether the network can handle this new software.
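As an added example (not part of the original post), a small Python triage of a Wireshark Conversations export against the three questions above: cleartext services and whether they stay on the LAN, how many listening ports each server needs, and the average bit rate. The CSV rows, the capture length, the per-server port limit and the cleartext-port table are all constructed assumptions, not values from the post.

```python
import csv
import io
from collections import defaultdict

# Constructed CSV in the shape of a Wireshark Conversations export (not a
# capture from the post): one row per TCP/UDP conversation seen while the
# software under test was exercised. Column names are an assumed subset.
SAMPLE_CONVERSATIONS = """\
proto,client,server,server_port,bytes
UDP,192.168.1.50,192.168.1.1,53,180
TCP,192.168.1.50,203.0.113.10,80,1843200
TCP,192.168.1.50,192.168.1.20,21,2400
TCP,192.168.1.50,192.168.1.20,3001,900
TCP,192.168.1.50,192.168.1.20,3002,900
TCP,192.168.1.50,192.168.1.20,3003,900
"""

# Assumed policy values: well-known cleartext services, the capture window
# length, and how many listening ports the firewall team will open per server.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3"}
CAPTURE_SECONDS = 60
MAX_PORTS_PER_SERVER = 2
LAN_PREFIXES = ("10.", "192.168.")   # enough for this sample; 172.16/12 is omitted

def assess(csv_text, capture_seconds=CAPTURE_SECONDS,
           max_ports=MAX_PORTS_PER_SERVER):
    """Return the findings a reviewer would note, plus the average bit rate."""
    findings = []
    ports_per_server = defaultdict(set)
    total_bytes = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        server, port = row["server"], int(row["server_port"])
        total_bytes += int(row["bytes"])
        ports_per_server[server].add(port)
        # Question 2: is the data passed in clear text, and to where?
        if port in CLEARTEXT_PORTS:
            scope = "LAN" if server.startswith(LAN_PREFIXES) else "Internet"
            findings.append(f"cleartext {CLEARTEXT_PORTS[port]} to {server} ({scope})")
    # Question 1: how many ports must the firewall open per server?
    for server, ports in ports_per_server.items():
        if len(ports) > max_ports:
            findings.append(f"{server} needs {len(ports)} listening ports: {sorted(ports)}")
    # Question 3: bandwidth, as an average over the capture window
    kbit_per_s = round(total_bytes * 8 / capture_seconds / 1000, 1)
    return {"findings": findings, "kbit_per_s": kbit_per_s}

if __name__ == "__main__":
    for line in assess(SAMPLE_CONVERSATIONS)["findings"]:
        print(line)
```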

An interesting example: you have a software product that performs periodic updates to itself, and we see this type of dialog:

- DNS request for the vendor website
- Connect to the website; the website sends a list of the program files with version numbers
- Client checks the versions it received against the versions installed
- Client downloads any files that have a newer version

Is this a risk?

If I were attacking this system, all I would have to do is ensure the DNS request points to my malicious server; the client would then automatically download any file I presented as an update. It is not that difficult to modify and add code to a DLL that is called every time a program is run. Without any logins or encryption this could become a serious risk, and the risk also depends on how important the system running this software is.