<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss'><id>tag:blogger.com,1999:blog-3660690244802655783</id><updated>2009-11-08T05:43:47.262-06:00</updated><title type='text'>electronic.brain.core</title><subtitle type='html'>Random Computer (Security) things that I run into</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>19</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-3011733222100040201</id><published>2009-06-05T22:36:00.007-05:00</published><updated>2009-06-05T23:29:45.651-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security engineering process'/><category scheme='http://www.blogger.com/atom/ns#' term='secure software development'/><category scheme='http://www.blogger.com/atom/ns#' term='software assurance'/><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><title type='text'>Developing secure applications</title><content type='html'>So you are a small company that develops software, and your customers are becoming more paranoid about the security of your code. 
With companies now being held responsible for sloppy coding practices, "as long as it works, that's all you need" no longer cuts it. One of the first instances I saw of this was &lt;a href="http://msdn.microsoft.com/en-us/security/cc448177.aspx"&gt;"The Trustworthy Computing Security Development Lifecycle"&lt;/a&gt; developed by Microsoft.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_YBjZP0h05Z0/SintR6ppALI/AAAAAAAAADg/1NwI6dEX3Vo/s1600-h/SDL.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 452px; height: 78px;" src="http://4.bp.blogspot.com/_YBjZP0h05Z0/SintR6ppALI/AAAAAAAAADg/1NwI6dEX3Vo/s320/SDL.jpg" alt="" id="BLOGGER_PHOTO_ID_5344063324909273266" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;"Security development lifecycle (SDL)&lt;br /&gt;Microsoft designed SDL to ensure that the development of software is as secure as possible.&lt;br /&gt;&lt;br /&gt;The process is made up of a series of security-focused activities and targets for each of the phases of Microsoft's software development process.&lt;br /&gt;&lt;br /&gt;These include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing.&lt;br /&gt;&lt;br /&gt;Before software can be released, it must undergo a final security review by a team independent from its development group."&lt;br /&gt;&lt;br /&gt;Microsoft used this methodology to develop the Vista operating system, and claims that as a result Vista has had fewer &lt;a href="http://blogs.technet.com/security/attachment/2772991.ashx"&gt;first-year vulnerabilities&lt;/a&gt; than Windows XP, Red Hat, Mac OS X, etc. Microsoft releases this methodology free for anyone to use and is building it into their development tools. 
You can read all about it on the SDL website linked above.&lt;br /&gt;&lt;br /&gt;Another checklist I have found useful for software developers is the &lt;a href="http://iase.disa.mil/stigs/checklist/application_security_checklist_v2r1_4.pdf"&gt;Application and Development Checklist&lt;/a&gt; developed by the Defense Information Systems Agency. I find it an easy-to-use checklist for showing software buyers that the software being developed is going through a strict security engineering process, so that security is not an afterthought.&lt;br /&gt;&lt;br /&gt;Another great resource is &lt;a href="http://www.safecode.org/"&gt;SAFECode&lt;/a&gt;; they have multiple publications on ensuring you are developing secure code.&lt;br /&gt;&lt;br /&gt;"The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp."&lt;br /&gt;&lt;br /&gt;If you are developing software, customers are requesting not only working code but also secure code. 
There is also an ongoing trend in the software industry of businesses including "secure code clauses" in their contracts with application developers.&lt;br /&gt;&lt;br /&gt;Keep the code secure: use a secure engineering process!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3660690244802655783-3011733222100040201?l=ebraincore.blogspot.com'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/3011733222100040201/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=3011733222100040201' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/3011733222100040201'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/3011733222100040201'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2009/06/developing-secure-applications.html' title='Developing secure applications'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_YBjZP0h05Z0/SintR6ppALI/AAAAAAAAADg/1NwI6dEX3Vo/s72-c/SDL.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-2796844034421397972</id><published>2008-02-27T17:54:00.006-06:00</published><updated>2008-02-27T18:15:01.597-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='windows scripting host wsh'/><category 
scheme='http://www.blogger.com/atom/ns#' term='visual basic scripting vbs'/><title type='text'>Let Loose the Pings</title><content type='html'>&lt;a href="http://www.flickr.com/photos/hawkey/53385297/"&gt;&lt;span style="font-size:50%;"&gt;Photo Courtesy Sean Hawkey&lt;/span&gt;&lt;/a&gt;&lt;img id="BLOGGER_PHOTO_ID_5171814980956325330" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://bp3.blogger.com/_YBjZP0h05Z0/R8X6Ut_yBdI/AAAAAAAAACY/iQ1qIISl1So/s320/ping.jpg" border="0" /&gt;&lt;br /&gt;Our lab contains a very expensive hardware-based traffic generator. This device is not easily configured and can be a pain to use, but once you set it up it can generate any type of traffic and network transaction. The problem is that somebody changed the admin password, and nobody knew the new one. The device can still be used without the admin password, but you cannot configure the interfaces without it. We were in a time crunch and needed to perform a simple network test, and did not have time to reset the password. To make matters worse, whoever reset the admin password had also changed the IP address on the interface, and we needed to know that address in order to configure the test. Easy: there are only 4 billion addresses to ping, and the device was set to respond to pings. Well, it gets better: we knew the address was 10.x.0.11, so we only had to try at most 255 addresses. My co-worker starts pinging one at a time, and I think he is crazy; we are programmers, let's write a quick VBScript and run it with WSH. Basically this script runs through the 10.0-255.0.11 addresses and parses the output from the ping. If it receives a Reply, the script prints that address and exits. 
The script could be modified with more loops to cover more addresses, but it is slow because it only processes one ping at a time; if you need a lot more pings, a C program would work much faster.&lt;br /&gt;&lt;br /&gt;Basic operation: a for loop goes through 0-255 (each number is echoed to the screen), a variable is used to build the ping command, a shell object is created to execute the ping, and the command's stdout is parsed looking for the word Reply. If Reply is found, the IP address is echoed to the screen and the script exits. When running this script, make sure you use cscript or you will have windows popping up for each ping. This script worked extremely well; we took a break while it ran and came back, and the magic number was 42. Imagine that.&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;' Sweep 10.0.0.11 through 10.255.0.11 with one ping each and stop at the first reply.
' Run with cscript so output goes to the console instead of a popup window per ping.
Option Explicit
Dim i, ip, cmd, objShell, objExec, objStdOut, strLine, found

Set objShell = CreateObject("WScript.Shell")

For i = 0 To 255
    ip = "10." &amp;amp; i &amp;amp; ".0.11"
    cmd = "ping -n 1 " &amp;amp; ip
    WScript.Echo i                       ' progress indicator
    found = False

    ' Run ping and read its stdout line by line
    Set objExec = objShell.Exec(cmd)
    Set objStdOut = objExec.StdOut
    While Not objStdOut.AtEndOfStream
        strLine = objStdOut.ReadLine
        ' Only a "Reply from our target:" line counts. A "Destination host
        ' unreachable" message from a gateway also starts with "Reply", so
        ' the address has to match too, otherwise the loop stops too early.
        If InStr(strLine, "Reply from " &amp;amp; ip &amp;amp; ":") = 1 Then found = True
    Wend

    If found Then
        WScript.Echo "Found: " &amp;amp; ip
        Exit For
    End If
Next&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3660690244802655783-2796844034421397972?l=ebraincore.blogspot.com'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/2796844034421397972/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=2796844034421397972' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/2796844034421397972'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/2796844034421397972'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2008/02/let-loose-pings.html' title='Let Loose the Pings'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://bp3.blogger.com/_YBjZP0h05Z0/R8X6Ut_yBdI/AAAAAAAAACY/iQ1qIISl1So/s72-c/ping.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-1040836842302515767</id><published>2008-02-19T18:30:00.007-06:00</published><updated>2008-02-19T18:50:55.390-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='software assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='software virtualization'/><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><title type='text'>Are you on the Juice?</title><content type='html'>Altiris, now owned by Symantec, has developed an application virtualization product called the &lt;a href="http://juice.altiris.com/svs"&gt;Software Virtualization Solution&lt;/a&gt; (SVS). Did I mention it's free for personal use? How cool is that. I am going to give a brief overview of the software, but you should visit the &lt;a href="http://juice.altiris.com/"&gt;Altiris Juice&lt;/a&gt; site to get in on this action. The Juice web site provides articles, tools, and tips to help you maximize the benefits of Software Virtualization Solution. &lt;p&gt;I think of application virtualization as VMware for applications: why virtualize the whole operating system when virtualizing the application will do? With SVS the following things are possible:&lt;/p&gt;        &lt;p&gt;- If an application becomes corrupted, reset it to its original installed state, with the ability to keep user data.&lt;br /&gt;- Allow multiple versions of the same application to be installed, or install applications without causing conflicts.&lt;br /&gt;- Prevent applications from corrupting the operating system, such as by installing older versions of DLLs.&lt;br /&gt;&lt;br /&gt;SVS supports Windows versions from 2000 through Vista. 
However, some applications do not work well, such as drivers, virus checkers, file encryption products, OS patches, computer management agents, and applications that have dedicated drivers.&lt;/p&gt;  &lt;p&gt;SVS works using filters that intercept all file and registry calls and can redirect them to a folder. Basically, a user creates a Virtual Software Package (VSP) for the application they want to install&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_YBjZP0h05Z0/R7t3K9_yBcI/AAAAAAAAACQ/1QZl9_tT0No/s1600-h/2220-1.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 223px; height: 199px;" src="http://bp2.blogger.com/_YBjZP0h05Z0/R7t3K9_yBcI/AAAAAAAAACQ/1QZl9_tT0No/s320/2220-1.jpg" alt="" id="BLOGGER_PHOTO_ID_5168856027662255554" border="0" /&gt;&lt;/a&gt;. SVS then builds a virtual environment for the application that mimics the Windows registry and file system. For example, if you have an application that overwrites a DLL file with an older version, this could cause issues with other installed software. Using SVS, the application would instead be redirected to write the older DLL to a folder associated with that application. When the application is executed and calls for the DLL, the SVS filter redirects the request to the folder associated with that application. In essence the application cannot modify the operating system, yet to the end user there is no difference between a virtual application and a non-virtual application.&lt;/p&gt;  &lt;p&gt;Once the VSP is installed it can be activated, deactivated, and reset to the original configuration (like a VMware snapshot). Once activated, all the files and settings for the application appear to the end user just as if the application were actually installed. Once deactivated, all the files and settings disappear from the user's view. 
When building a VSP, everything that is captured is contained in a “layer.” The layer represents all the files and registry settings that make up the virtualized application. Multiple layers can be used, for example one layer for user data and another for the application itself; this allows you to reset the application without losing the user data it contains.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;You can also create Virtual Software Archive (VSA) files, which allow you to install the application on any computer by just importing the file into SVS. There are sample VSA files that you can download off Juice,&lt;a href="http://juice.altiris.com/svs/sampleapps"&gt; try it out&lt;/a&gt; (reminds me of virtual appliances in VMware). These would be helpful in an enterprise environment: the administrator can deploy these VSA files to all the users and has the ability to easily reset them once the user screws up the application.&lt;br /&gt;&lt;/p&gt;So what is all this good for? How about securing your computer against untrusted software. Browsing around the Internet one night you find some tool guaranteed to do what you have always wished for; how can this be true, especially since the tool is located on the trojans-r-us site? But you just gotta try it, so you use SVS to virtualize the application. That way, if you find out it is a malicious program, all you have to do is deactivate it and it cannot corrupt your operating system. Awesome! Keep in mind what SVS actually does, though: it redirects the program's file and registry writes, so while the layer is active the program is still running on your machine with your privileges; the win is that whatever it wrote goes away with the layer. 
Another thought is if they offer an API into SVS this could be used to perform security testing of an application akin to strace.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3660690244802655783-1040836842302515767?l=ebraincore.blogspot.com'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/1040836842302515767/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=1040836842302515767' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/1040836842302515767'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/1040836842302515767'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2008/02/are-you-on-juice.html' title='Are you on the Juice?'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_YBjZP0h05Z0/R7t3K9_yBcI/AAAAAAAAACQ/1QZl9_tT0No/s72-c/2220-1.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-4398864667277211148</id><published>2008-02-17T20:29:00.002-06:00</published><updated>2008-02-17T20:39:00.834-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='software assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><category 
scheme='http://www.blogger.com/atom/ns#' term='vulnerability assessment'/><title type='text'>Software Assessment 3.0</title><content type='html'>&lt;div&gt;Determining network resources: finishing out the &lt;a href="http://ebraincore.blogspot.com/2007/12/software-risk-assessment-1.html"&gt;series on software assessment&lt;/a&gt;, let's discuss how to determine the network resources required to operate the software. For this you will need a protocol analyzer to capture the transactions that are happening. For my testing I use &lt;a href="http://www.wireshark.org/"&gt;Wireshark&lt;/a&gt;. I am not going into great detail on how to use Wireshark; the &lt;a href="http://www.wireshark.org/docs/"&gt;documentation &lt;/a&gt;on Wireshark is very detailed and easy to understand.&lt;br /&gt;&lt;br /&gt;The basic process is to start a capture with Wireshark, then open the software and perform some basic functions. I usually go through the menu system and try out the features. We are especially looking for features that cause network traffic. The vendor documentation can be useful by giving a clue to what ports and protocols the software uses to connect to a server or other clients. Once you are finished trying out features in the software, stop the Wireshark capture. Now it is time to analyze the capture file.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_YBjZP0h05Z0/R7ju9d_yBbI/AAAAAAAAACI/_zJZZnAB8H0/s1600-h/ws-follow-stream.png"&gt;&lt;img id="BLOGGER_PHOTO_ID_5168143312199222706" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; CURSOR: hand" height="182" alt="" src="http://bp1.blogger.com/_YBjZP0h05Z0/R7ju9d_yBbI/AAAAAAAAACI/_zJZZnAB8H0/s320/ws-follow-stream.png" width="266" border="0" /&gt;&lt;/a&gt;After reading the Wireshark documentation, and with a basic idea of the TCP/IP protocols, you should know how to look at the packets. 
One of the useful features in Wireshark is Follow TCP Stream, which shows the conversation between the software and the server or clients it is talking to on one screen. Of course this is only helpful if the software is using TCP. Also ensure that you have a filter set to only show traffic from the computer you are testing, and only run the software under test; it can be annoying to sort through network traffic that has nothing to do with the software being tested.&lt;br /&gt;&lt;br /&gt;While reading through the capture file, keep track of all the ports and protocols that are being used. Usually the software will select random ports above 1024 to send packets from; those random source ports are not as important as the listening port on the server or client that is receiving the packets. The Endpoints and Conversations statistics windows can be useful to view the ports and IP addresses that were connected to during the test.&lt;br /&gt;&lt;br /&gt;What are we looking for?&lt;br /&gt;&lt;br /&gt;- Ensure the software will comply with the current firewall policy. If the software requires a range of ports to be opened on the firewall, this can be a risk. I have seen software that required 1,000 ports to be opened on the firewall to allow the server to make connections to the client; this was considered too much risk and the software was not allowed to be used. If the network communications are contained within the LAN instead of connecting out to the Internet, this could be considered a lower risk.&lt;br /&gt;&lt;br /&gt;- Is the data being encrypted or passed in clear text? In the past, when security was an afterthought, we used to see usernames and passwords passed in clear text. Some protocols are designed like this, such as telnet and ftp, which is why ssh and sftp were developed.&lt;br /&gt;&lt;br /&gt;- Bandwidth: how much bandwidth does the software require, and will it cause a denial of service to the other programs running on the network? 
If the software is constantly downloading large image or video files, this could tie up the network and not allow other required services to operate. This is a judgement call, but Wireshark will give you an idea of the amount of traffic being generated, and based on your current network use you should decide if the network can handle this new software.&lt;br /&gt;&lt;br /&gt;An interesting example: you have a software product that performs periodic updates to itself, and we see this type of dialog:&lt;br /&gt;- DNS request for the vendor website&lt;br /&gt;- Connect to the website; the website sends a list of the program files with version numbers&lt;br /&gt;- Client checks the versions it received against the versions installed&lt;br /&gt;- Client downloads any files that have a newer version&lt;br /&gt;&lt;br /&gt;Is this a risk?&lt;br /&gt;&lt;br /&gt;If I were attacking this system, all I would have to do is ensure the DNS request points to my malicious server; then the client would automatically download any file I deemed an update. It is not that difficult to modify and add code to a DLL that is called every time a program is run. 
Without any logins or encryption this could become a serious risk; how serious also depends on how important the system running this software is.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3660690244802655783-4398864667277211148?l=ebraincore.blogspot.com'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/4398864667277211148/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=4398864667277211148' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/4398864667277211148'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/4398864667277211148'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2008/02/software-assessement-30.html' title='Software Assessment 3.0'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_YBjZP0h05Z0/R7ju9d_yBbI/AAAAAAAAACI/_zJZZnAB8H0/s72-c/ws-follow-stream.png' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-6070628455943307309</id><published>2008-01-31T17:13:00.000-06:00</published><updated>2008-01-31T17:27:08.785-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ntop'/><category scheme='http://www.blogger.com/atom/ns#' term='network statistics'/><category 
scheme='http://www.blogger.com/atom/ns#' term='network monitoring'/><title type='text'>Staying on top with ntop</title><content type='html'>&lt;a href="http://bp0.blogger.com/_YBjZP0h05Z0/R6JY0phqAbI/AAAAAAAAACA/FjZ4hFfmm5A/s1600-h/ntop.JPG"&gt;&lt;img id="BLOGGER_PHOTO_ID_5161785784443470258" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 255px; CURSOR: hand; HEIGHT: 312px" height="254" alt="" src="http://bp0.blogger.com/_YBjZP0h05Z0/R6JY0phqAbI/AAAAAAAAACA/FjZ4hFfmm5A/s320/ntop.JPG" width="257" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;People have been complaining that not enough bandwidth is available on the lab network for performing testing. To get management to spend some extra money on a faster connection, we needed proof that there is in fact not enough bandwidth.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;The lab network consists of a cable modem connection to the Internet. The cable modem connects through a firewall to an internal switch, and multiple internal networks hang off that switch. We needed a solution with the capability to easily track network statistics. &lt;/div&gt;&lt;br /&gt;&lt;div&gt;Within a short time a solution was theorized consisting of an old Dell laptop, a Linux Mint 4.0 Live CD, and ntop. Using these tools, we were able to set up an awesome monitoring station.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;By now you are asking what the heck is &lt;a href="http://www.ntop.org/overview.html"&gt;ntop&lt;/a&gt;; well, check it out. ntop is a network traffic probe that shows network usage. It is based on libpcap and written to run on virtually every Unix platform and Win32. Users use a web browser to navigate through the traffic information served by ntop (which acts as a web server) and get a dump of the network status and statistics. 
That sounds awesome, right? Well, it is.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;We used &lt;a href="http://linuxmint.com/"&gt;Linux Mint&lt;/a&gt; because, why not, somebody in the office had just downloaded it and wanted to try it out. Linux Mint is known to have excellent hardware support, which is a good thing when using old hardware. We plugged the laptop into an empty switch port and turned on &lt;a href="http://en.wikipedia.org/wiki/Port_mirroring"&gt;port mirroring &lt;/a&gt;in order to capture all the traffic on the network.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Install process:&lt;/div&gt;&lt;div&gt;- Boot the machine with the Linux Mint CD&lt;/div&gt;&lt;div&gt;- Use Synaptic Package Manager to install ntop version 3.2, the current version in the Debian tree&lt;/div&gt;&lt;div&gt;- Part of the installation uses an init script to get the groundwork completed&lt;/div&gt;&lt;div&gt;- Start ntop; ntop needs to be run as root from the command line (sudo ntop -w 54321)&lt;/div&gt;&lt;div&gt;54321 is the port that ntop's built-in web server listens on. As a side note, you can also use -W to serve the interface over HTTPS if security is more of an issue.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;ntop gives all sorts of stats, like total bytes/packets sent and received, a list of all hosts that have sent packets, traffic organized by application and protocol, and a whole host of other stats. Using the Round Robin Database plugin you can keep detailed long-term statistics and print out nice fancy graphs. 
Hopefully with our new data statistics from ntop we will be upgrading the Internet connection.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3660690244802655783-6070628455943307309?l=ebraincore.blogspot.com'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/6070628455943307309/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=6070628455943307309' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/6070628455943307309'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/6070628455943307309'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2008/01/staying-on-top-with-ntop.html' title='Staying on top with ntop'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_YBjZP0h05Z0/R6JY0phqAbI/AAAAAAAAACA/FjZ4hFfmm5A/s72-c/ntop.JPG' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-1959047936553447275</id><published>2008-01-25T17:26:00.000-06:00</published><updated>2008-01-26T07:49:46.914-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyberwars'/><category scheme='http://www.blogger.com/atom/ns#' term='project chanology'/><title type='text'>CyberWars</title><content type='html'>&lt;span style="font-size:50%;"&gt;Photo courtesy of 
&lt;a href="http://www.flickr.com/photos/altemark/"&gt;altemark&lt;/a&gt;&lt;/span&gt;&lt;a href="http://www.flickr.com/photos/altemark/"&gt;&lt;img id="BLOGGER_PHOTO_ID_5159562752320733602" style="FLOAT: left; MARGIN: 0px 10px 10px 0px; WIDTH: 233px; CURSOR: hand; HEIGHT: 240px" height="240" alt="" src="http://bp2.blogger.com/_YBjZP0h05Z0/R5py_JhqAaI/AAAAAAAAAB4/XQZjpmNnjJ4/s320/Internet.JPG" width="271" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Reading the latest news about &lt;a href="http://en.wikipedia.org/wiki/Chanology"&gt;Project Chanology&lt;/a&gt;, defined as a digital assault on the Church of Scientology, I amazed how people are using the Internet to spread their message. Here you have a site &lt;a href="http://www.youtube.com/"&gt;YouTube &lt;/a&gt;that lets people upload videos of anything they want. What a great creative outlet, I even admit I am one of the YouTube junkies. I mean, just the other day &lt;a href="http://www.usatoday.com/tech/world/2008-01-24-davos-youtube-channel_N.htm"&gt;USA Today&lt;/a&gt; had a story about YouTube hooking up with World economic forum:&lt;br /&gt;&lt;br /&gt;“What is different is the venue. The forum is not easy to attend and not cheap, either, but by linking up with YouTube, the forum is providing numerous clips of its sessions and speeches for all to see, hear and comment on.”&lt;br /&gt;&lt;br /&gt;Through YouTube people have access to information they did not before, of course that can be said about the Internet in general. Now you find out YouTube is being used to instigate a cyberwar. It started when a &lt;a href="http://gawker.com/5002269/the-cruise-indoctrination-video-scientology-tried-to-suppress"&gt;video&lt;/a&gt; of Tom Cruise talking about Scientology was uploaded to YouTube. Parodies of the video were soon made (&lt;a href="http://www.youtube.com/watch?v=A9jqD_8IQpM&amp;amp;feature=related"&gt;My Favorite&lt;/a&gt;). 
Anyway, the Church of Scientology steps in, claims copyright infringement and pressures YouTube to remove the video.&lt;br /&gt;&lt;br /&gt;Once the video is removed, a group named “Anonymous” posts a &lt;a href="http://www.youtube.com/watch?v=JCbKv9yiLiQ"&gt;video&lt;/a&gt; declaring cyberwar against the Church of Scientology because of its “campaigns of misinformation, your suppression of dissent and your litigious nature. All of these things have caught our eye. With the leakage of your latest propaganda video into mainstream circulation the extent of your malign influence over those who have come to trust you as leaders has been made clear to us. Anonymous has therefore decided that your organization should be destroyed.”&lt;br /&gt;&lt;br /&gt;Anonymous has been successful in knocking out the Scientology website; they accomplished this using a Distributed Denial of Service attack (&lt;a href="http://en.wikipedia.org/wiki/DDoS#Distributed_attack"&gt;DDoS&lt;/a&gt;). Linuxhaxor.net has a &lt;a href="http://www.linuxhaxor.net/2008/01/25/how-chanology-is-ddosing-church-of-scientology/"&gt;good article&lt;/a&gt; on how the attack is being performed and how to participate.&lt;br /&gt;&lt;br /&gt;This is just the latest in a list of cyber attacks that will be written about in the history books. Cyberspace has no boundaries, allowing people to accomplish anything they want. Who makes the judgment call to say that the Church of Scientology is bad and should not be allowed to pull videos that show them in a bad light? Well, in cyberspace anybody can, and anybody actually has the power to attack. 
Of course, if you are claiming free speech, then that means everybody has free speech, even if you don’t like them.&lt;br /&gt;&lt;br /&gt;Establishments need to recognize that once it’s out there, it’s there, and you just have to wait for it to pass (&lt;a href="http://gawker.com/5002269/the-cruise-indoctrination-video-scientology-tried-to-suppress"&gt;Gawker.com&lt;/a&gt; still has the video posted). Establishments should realize that tactics that work in the real world do not necessarily translate to the cyber world.&lt;br /&gt;&lt;br /&gt;Note: Frontline has done an excellent &lt;a href="http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/"&gt;program&lt;/a&gt;, CyberWar, on the history of cyberwar and what it means to America. I highly suggest watching it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3660690244802655783-1959047936553447275?l=ebraincore.blogspot.com'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/1959047936553447275/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=1959047936553447275' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/1959047936553447275'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/1959047936553447275'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2008/01/cyberwars.html' title='CyberWars'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://bp2.blogger.com/_YBjZP0h05Z0/R5py_JhqAaI/AAAAAAAAAB4/XQZjpmNnjJ4/s72-c/Internet.JPG' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-959395490021410878</id><published>2008-01-22T19:03:00.000-06:00</published><updated>2008-01-22T19:22:28.301-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='software assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='vulnerability assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>Software Assessment 2.0</title><content type='html'>&lt;a href="http://ebraincore.blogspot.com/2007/12/software-risk-assessment-1.html"&gt;Up to this point&lt;/a&gt;, we have logged all the file and registry changes, and sorted through these changes to determine that the changes made by installing the software are a low risk to our secure machine. The next step: research the product. As I think about it, this actually should be the first step.&lt;br /&gt;&lt;br /&gt;Vendor documentation: read through the documentation in order to get an understanding of what the software does and how it does it. I usually look for technical details, such as the ports and protocols the software uses. Note: read through the user agreement as well; I have seen many times where it says that if you install this software it gives the vendor the right to collect information on your system, or that the software will phone home every so often. 
&lt;p&gt;An example is from the Google Earth license:&lt;/p&gt;&lt;span style="font-style: italic;"&gt;The Software may communicate with Google servers from time to time to check for available updates to the Software, such as bug fixes, patches, enhanced functions, missing plug-ins and new versions (collectively, "Updates"). By installing the Software, you agree to automatically request and receive Updates.&lt;/span&gt;&lt;br /&gt;&lt;p&gt;Your security policy might state not to allow automatic updates, so you would not allow this software.&lt;/p&gt;&lt;p&gt;Also, you need to know the type of data that the software processes and ensure that data is protected. For example, if you are working with health care data and the software has an internal database, then you need to ensure the software protects the data according to HIPAA policy by encrypting it and only allowing authorized access. Vendor documentation usually states the safeguards; if not, contact someone at the company and ask them.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Next, a vulnerability check: check the software for known vulnerabilities and issues using online vulnerability databases. You can quickly search for information regarding the security of the product on the following sites:&lt;/p&gt;- &lt;a href="http://nvd.nist.gov/"&gt;National Vulnerability Database&lt;/a&gt;: U.S. 
government repository of standards-based vulnerability management data&lt;br /&gt;- &lt;a href="http://www.securityfocus.com/"&gt;SecurityFocus&lt;/a&gt;: vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs&lt;br /&gt;- &lt;a href="http://www.milw0rm.com/"&gt;milw0rm&lt;/a&gt;: &lt;span style="font-size:-1;"&gt;site that promotes open source security by posting exploits found in popular programs&lt;/span&gt;&lt;p&gt;Searching these sites will give you an understanding of the vulnerabilities and problems with the software, and usually mitigation techniques.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;For example, if we search the National Vulnerability Database for Google Earth we get (I really don't mean to pick on Google, it's just an easy example):&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_YBjZP0h05Z0/R5aT5eNNh3I/AAAAAAAAABw/nQlK29h7wkc/s1600-h/test.bmp"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_YBjZP0h05Z0/R5aT5eNNh3I/AAAAAAAAABw/nQlK29h7wkc/s320/test.bmp" alt="" id="BLOGGER_PHOTO_ID_5158473038769784690" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Which basically says that a malformed mapping file can cause a buffer overflow in the application. Now that we know buffer overflows are possible through mapping files, to mitigate the risk we would enact policy stating that users can only connect to a specific mapping server (the Google Earth server) or only to trusted servers. Vulnerability websites can be very useful for determining the amount of risk brought to the network and to the secure computer. 
If you can't find anything on those sites, try Google.&lt;br /&gt;&lt;/p&gt;Another useful site is &lt;a href="http://checklists.nist.gov/"&gt;The National Checklist Program&lt;/a&gt;, which is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications. The checklist program can give detailed guidance on securely installing certain software. Based on experience, it is always good to have a configuration checklist for installing software; this ensures that whenever or wherever the software is installed, it is always in the same configuration. Most of the time it will be up to the security professional to create this list; however, sometimes there is already a checklist developed that can be used.&lt;br /&gt;&lt;br /&gt;Do your research: if you want to introduce new software to your secure configuration, then you need to ensure all the homework has been done. As I said above, I would actually perform this step first; you might be able to rule out installing the software just based on the vulnerabilities found. If everything turns out good, then I highly suggest having a configuration/checklist guide for the software. 
Happy researching.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3660690244802655783-959395490021410878?l=ebraincore.blogspot.com'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/959395490021410878/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=959395490021410878' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/959395490021410878'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/959395490021410878'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2008/01/software-assessment-20.html' title='Software Assessment 2.0'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_YBjZP0h05Z0/R5aT5eNNh3I/AAAAAAAAABw/nQlK29h7wkc/s72-c/test.bmp' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-8370739439216994162</id><published>2007-12-29T19:27:00.000-06:00</published><updated>2007-12-29T19:41:06.854-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='software assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='windows file system'/><title type='text'>Software Assessment 1.2</title><content type='html'>File Changes, what constitutes a high risk 
file change. If you have been following along (&lt;a href="http://ebraincore.blogspot.com/2007/12/software-risk-assessment-1.html"&gt;1&lt;/a&gt; &amp;amp; &lt;a href="http://ebraincore.blogspot.com/2007/12/software-assessment-11.html"&gt;1.1&lt;/a&gt;), what we have is a list of file changes. This is a list of all modified, deleted, and added files from installing a piece of software. As before, we obtained this list from running InstallWatch.&lt;br /&gt;&lt;br /&gt;First let's look at some guidance from the source itself - Microsoft. The logo program from Microsoft is a certification that basically says that the software follows good programming guidelines and is compatible with the Microsoft Windows operating system. This &lt;a href="http://www.microsoft.com/downloads/info.aspx?na=120&amp;amp;p=&amp;amp;SrcDisplayLang=en&amp;amp;SrcCategoryId=&amp;amp;SrcFamilyId=209e3d65-f0be-4eef-8602-73bb9bc29d54&amp;amp;u=details.aspx%3ffamilyid%3d209E3D65-F0BE-4EEF-8602-73BB9BC29D54%26displaylang%3den"&gt;document&lt;/a&gt; is the specification for the XP logo program (if you are looking for the Vista one, it's &lt;a href="http://download.microsoft.com/download/8/e/4/8e4c929d-679a-4238-8c21-2dcc8ed1f35c/Windows%20Vista%20Software%20Logo%20Spec%201.1.doc"&gt;here&lt;/a&gt;). 
These are the requirements from the logo document that apply:&lt;br /&gt;&lt;br /&gt;2.1 Do not attempt to replace files that are protected by Windows File Protection (.sys, .dll, .exe, .ocx OS files)&lt;br /&gt;2.3 Do not overwrite non-proprietary files with older versions&lt;br /&gt;2.5 Install to Program Files by default&lt;br /&gt;3.1 Default to the correct location for storing user-created data&lt;br /&gt;3.2 Classify and store application data correctly&lt;br /&gt;&lt;br /&gt;From these requirements, two general rules can be developed:&lt;br /&gt;&lt;br /&gt;- All files written to the Program Files folder are considered okay&lt;br /&gt;- Review the files written everywhere else&lt;br /&gt;&lt;br /&gt;Just by using these two general rules, our list is reduced from a couple hundred changes to only about 10 - 20 that need review. Again I use Excel to filter down the results.&lt;br /&gt;&lt;br /&gt;Basically the Excel sheet logs all folders under Program Files where file changes are made; by doing this we can review our list quickly to ensure the program is not writing to another program's folder.&lt;br /&gt;&lt;br /&gt;The second list created (usually a short list, ~10-20) is all the files and paths that are modified, created, or deleted outside of the Program Files folder. Focus especially on changes made to the Windows directory (windows, system32, ...); for these I use Google to look up the .dll and .ocx files that are installed, in order to determine what function they provide. I have come across software that installs hundreds of files to the system32 folder; I then go back to the people requesting the software and ask them to find something else, as this software does not follow good programming practices and is a risk to the secure system.&lt;br /&gt;&lt;br /&gt;You should have anti-virus software on your computer; it should alert you if any of the installed files are known to be malicious. 
Remember, the point of this exercise is not to determine if the software is malicious, but to get a general idea of how the software operates and if it changes the security of our secure system. We are trying to perform a quick risk assessment of a piece of software against our secure system.&lt;br /&gt;&lt;br /&gt;A book that talks about this subject is Professional Windows Desktop and Server Hardening by Roger A. Grimes. This book talks about malicious files; it has the following &lt;a href="http://www.wrox.com/WileyCDA/WroxTitle/productCd-0764599909.html"&gt;website&lt;/a&gt; with downloadable files, and one file to look at is the MasterTable file.&lt;br /&gt;&lt;br /&gt;Another test that should be performed is to see if the software can be run as a limited user under Windows XP. Log into the computer as a limited user, and run the program to see if it runs without errors. If a program cannot run without administrator privileges, consider this a risk to the system - to have a secure system, all users on the network should be logging in as a standard user.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3660690244802655783-8370739439216994162?l=ebraincore.blogspot.com'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/8370739439216994162/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=8370739439216994162' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/8370739439216994162'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/8370739439216994162'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2007/12/software-assessment-12.html' title='Software Assessment 
1.2'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-1392935189427284564</id><published>2007-12-21T17:31:00.000-06:00</published><updated>2007-12-21T17:42:57.017-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='software assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='windows registry'/><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><title type='text'>Software Assessment 1.1</title><content type='html'>Understanding the Windows registry. This follows the previous post, &lt;a id="db7y" title="Software Assessment 1" href="http://ebraincore.blogspot.com/2007/12/software-risk-assessment-1.html"&gt;Software Assessment 1&lt;/a&gt;. What we have done is installed the software using InstallWatch. This has given us a listing of all deleted, added, and modified registry keys and files. Now it's time to process this information. Let's talk about the Windows registry. Basically the registry is just a database to hold settings for the operating system and the software installed. 
The five main trees of the registry are:&lt;br /&gt;&lt;p&gt;- &lt;a id="czsd" title="HKEY_CLASSES_ROOT" href="http://technet2.microsoft.com/WindowsServer/en/library/dd670c1d-2501-4f32-885b-0c6a1ae662f41033.mspx"&gt;HKEY_CLASSES_ROOT&lt;/a&gt;&lt;br /&gt;- &lt;a id="hjsr" title="HKEY_CURRENT_USER" href="http://technet2.microsoft.com/WindowsServer/en/library/6b6d2dcc-a083-4c49-9000-6f1324b208771033.mspx"&gt;HKEY_CURRENT_USER&lt;/a&gt;&lt;br /&gt;- &lt;a id="a.2r" title="HKEY_LOCAL_MACHINE" href="http://technet2.microsoft.com/WindowsServer/en/library/f4704e81-0b33-4ecd-b2e4-e41b50bb758c1033.mspx"&gt;HKEY_LOCAL_MACHINE&lt;/a&gt;&lt;br /&gt;- HKEY_USERS&lt;br /&gt;- &lt;a id="az12" title="HKEY_CURRENT_CONFIG" href="http://technet2.microsoft.com/WindowsServer/en/library/286f12b7-265b-4632-a4e1-987d025023e61033.mspx"&gt;HKEY_CURRENT_CONFIG&lt;/a&gt;&lt;/p&gt;&lt;p align="left"&gt;I don't have a link for HKEY_USERS, but basically it just contains information about each active user who has a user profile. So this information is nice and good, but how does it help? For example, with a typical software installation you might see about 10,000 registry changes. The proper thing would be to go through each one and ensure that the key change does not affect the security of our machine. But in the real world there is not enough time. So I have broken down this task using the following:&lt;/p&gt;&lt;p&gt;The information contained in HKEY_CLASSES_ROOT is identical to the information found in the subkey HKEY_LOCAL_MACHINE\Software\Classes. Actually, these two objects are physically the same. A change made in one will automatically modify the other. 
- So we will ignore all HKEY_CLASSES_ROOT changes.&lt;br /&gt;&lt;br /&gt;Then I like to focus in on these keys:&lt;br /&gt;HKEY_LOCAL_MACHINE\Hardware\ - hardware changes&lt;br /&gt;HKEY_LOCAL_MACHINE\SAM\ - account changes&lt;br /&gt;HKEY_LOCAL_MACHINE\Security\ - security settings&lt;br /&gt;HKEY_LOCAL_MACHINE\System\ - contains information about the system and system configuration&lt;/p&gt;&lt;p&gt;Changes in these keys can have the effect of changing the system, causing it to be inoperable, or change the security of the system. You should review all changes made in the above areas.&lt;br /&gt;&lt;br /&gt;A key to look out for is:&lt;br /&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce - these keys will auto run a program&lt;/p&gt;&lt;p&gt;The HKEY_CURRENT_CONFIG key is basically the hardware profile. I usually review these changes to see what is going on. An example of something to look for is HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\ - this changes the TCP/IP parameters. Info on &lt;a id="dete" title="CurrentControlSet" href="http://support.microsoft.com/kb/100010"&gt;CurrentControlSet&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;It should be noted that the information in HKEY_CURRENT_CONFIG is the same as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles&lt;/p&gt;&lt;p&gt;Our last two are HKEY_USERS and HKEY_CURRENT_USER; the data in HKEY_CURRENT_USER is actually a pointer to HKEY_USERS\Security. 
To make things easier I would just review the changes made to HKEY_USERS to see if anything seems out of place.&lt;/p&gt;&lt;p&gt;So basically you can now sort the information into two categories:&lt;br /&gt;- HKEY_LOCAL_MACHINE\Software\Classes&lt;/p&gt;&lt;p&gt;- Everything else (except HKEY_CLASSES_ROOT).&lt;/p&gt;&lt;p&gt;The &lt;a id="w5i-" title="HKLM\Software\Classes" href="http://msdn2.microsoft.com/en-us/library/ms690440.aspx"&gt;HKLM\Software\Classes&lt;/a&gt; keys will contain all the information about the software you are installing; however, they usually do not affect the security of the machine - I do keep a log of them as reference if a question arises. These keys can affect compatibility.&lt;/p&gt;&lt;p&gt;If you want to do an in-depth analysis, then you should check each key to ensure that this program is not affecting another already installed program. I find that by splitting up the keys into these two categories we go from about 10,000 keys to review down to 30-40. Basically, just by looking at the keys it is easy to determine what they are doing - or use Google!&lt;/p&gt;&lt;p&gt;So how to parse the big list? Why, the power of Excel, of course. I have an automated script that imports the output from InstallWatch and&lt;br /&gt;performs the following:&lt;br /&gt;1. Ignore all HKEY_CLASSES_ROOT&lt;br /&gt;2. Log all HKEY_LOCAL_MACHINE\Software\Classes\*\*\ to 5 places; if another key change is the same to 5 places then we ignore it&lt;br /&gt;3. Log anything else to 5 places *\*\*\*\*\; if another key change is the same to 5 places then we ignore it&lt;br /&gt;4. Separate the entries from steps 2 and 3 into 2 different spreadsheets&lt;br /&gt;5. 
Just review entries from step 3, to see if any key changes affect the security of the system.&lt;/p&gt;&lt;p&gt;Now, is this perfect? Not always, but it allows us to assess the software in a relatively short time frame, when we just need to get an understanding of how the software will affect our secure system. Also, from this we will have log files that we can go back and review if a problem arises.&lt;/p&gt;&lt;p&gt;Two good books on this subject are:&lt;/p&gt;&lt;p&gt;Mastering Windows XP Registry by Peter Hipson&lt;br /&gt;Professional Windows Desktop and Server Hardening by Roger A. Grimes - This book has the following &lt;a id="sac8" title="website" href="http://www.wrox.com/WileyCDA/WroxTitle/productCd-0764599909.html"&gt;website&lt;/a&gt; with downloadable files; one file to look at is the MasterTable file. Happy Registry Analyzing!&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3660690244802655783-1392935189427284564?l=ebraincore.blogspot.com'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/1392935189427284564/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=1392935189427284564' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/1392935189427284564'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/1392935189427284564'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2007/12/software-assessment-11.html' title='Software Assessment 1.1'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' 
name='OpenSocialUserId' value='10623396224886472553'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-5298178905683851372</id><published>2007-12-12T20:51:00.000-06:00</published><updated>2007-12-21T13:23:39.524-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='software assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='windows registry'/><category scheme='http://www.blogger.com/atom/ns#' term='risk assessment'/><title type='text'>Software Risk Assessment - 1</title><content type='html'>At some point, if you work in the computer security arena, you will be asked – hey, we just got some software, can you check it out to see if it is okay to use? So what do you do?&lt;br /&gt;&lt;br /&gt;&lt;p class="MsoNormal"&gt;This task can be broken down into 3 parts - determine how the software affects the computer, determine the software’s vulnerabilities, and determine the network resources required to operate the software. As a side note, I am going to limit this discussion to Windows, since that is 90% of the world and what you often see in the business environment. Also, the focus is on desktop software; web and server software are a whole other ballpark. One more assumption: the source code is not available to us.&lt;/p&gt;&lt;p class="MsoNormal"&gt;The first step: determine how the software modifies the computer’s current configuration. 
&lt;/p&gt;&lt;p class="MsoNormal" style="MARGIN-LEFT: 0.25in; TEXT-INDENT: -0.25in"&gt;There are a couple of ways to track changes in windows:&lt;/p&gt;- Use &lt;a href="http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/tools_regeditors.mspx?mfr=true"&gt;regedit&lt;/a&gt; to export registry settings&lt;br /&gt;- Install the software&lt;br /&gt;- Use regedit to export registry settings&lt;br /&gt;- Use &lt;a href="http://www.grigsoft.com/download-windiff.htm"&gt;windiff&lt;/a&gt; to find differences in the two registry files&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_YBjZP0h05Z0/R2CfvayGwjI/AAAAAAAAABg/ALNXpaiIGMc/s1600-h/search.JPG"&gt;&lt;img id="BLOGGER_PHOTO_ID_5143286411449254450" style="FLOAT: right; MARGIN: 0pt 0pt 10px 10px; WIDTH: 272px; CURSOR: pointer; HEIGHT: 203px" alt="" src="http://bp1.blogger.com/_YBjZP0h05Z0/R2CfvayGwjI/AAAAAAAAABg/ALNXpaiIGMc/s320/search.JPG" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;- Determine file changes by using the search command to search for all files *.* , select when it was modified and enter the date the software was installed. Then sort the search results by date modified. Using the timestamps you can tell what files where modified by the installation of the software.&lt;br /&gt;&lt;p class="MsoNormal"&gt;Now that is one way, but an easier way is to use an automated program that can perform all these functions at once.&lt;span style="font-size:0;"&gt; &lt;/span&gt;&lt;a href="http://www.epsilonsquared.com/"&gt;InstallWatch&lt;/a&gt; is a free software program that will track all registry and file changes, and provides an easy to use interface.&lt;span style="font-size:0;"&gt; &lt;/span&gt;The program will also allow you to export the data into text file, for an automated means of processing. 
&lt;/p&gt;&lt;p class="MsoNormal"&gt;InstallWatch Process&lt;/p&gt;&lt;p class="MsoNormal" style="MARGIN-LEFT: 0.25in; TEXT-INDENT: -0.25in"&gt;- Install InstallWatch&lt;/p&gt;&lt;p class="MsoNormal" style="MARGIN-LEFT: 0.25in; TEXT-INDENT: -0.25in"&gt;- Use Installwatch to take a Snapshot of the computer&lt;/p&gt;&lt;p class="MsoNormal" style="MARGIN-LEFT: 0.25in; TEXT-INDENT: -0.25in"&gt;- Install the software&lt;/p&gt;&lt;p class="MsoNormal" style="MARGIN-LEFT: 0.25in; TEXT-INDENT: -0.25in"&gt;- Use Installwatch to take a Snapshot of the computer&lt;/p&gt;&lt;p class="MsoNormal" style="MARGIN-LEFT: 0.25in; TEXT-INDENT: -0.25in"&gt;- Installwatch will automatically compare the two snapshots and you can Review the results&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" style="FONT-WEIGHT: bold" href="http://bp2.blogger.com/_YBjZP0h05Z0/R2CgMqyGwkI/AAAAAAAAABo/V_CuWOr9YUg/s1600-h/install.JPG"&gt;&lt;img id="BLOGGER_PHOTO_ID_5143286913960428098" style="FLOAT: left; MARGIN: 0pt 10px 10px 0pt; WIDTH: 258px; CURSOR: pointer; HEIGHT: 174px" alt="" src="http://bp2.blogger.com/_YBjZP0h05Z0/R2CgMqyGwkI/AAAAAAAAABo/V_CuWOr9YUg/s320/install.JPG" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;InstallWatch gives a nice interface that shows modified, deleted and added registry and file changes.&lt;span style="font-size:0;"&gt; &lt;/span&gt;Now we have to determine which registry and file changes matter – I will talk on this later.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3660690244802655783-5298178905683851372?l=ebraincore.blogspot.com'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/5298178905683851372/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=5298178905683851372' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/5298178905683851372'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/5298178905683851372'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2007/12/software-risk-assessment-1.html' title='Software Risk Assessment - 1'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_YBjZP0h05Z0/R2CfvayGwjI/AAAAAAAAABg/ALNXpaiIGMc/s72-c/search.JPG' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-5820266059206483379</id><published>2007-12-02T07:50:00.000-06:00</published><updated>2007-12-02T08:06:52.749-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='wireless'/><category scheme='http://www.blogger.com/atom/ns#' term='cantenna'/><category scheme='http://www.blogger.com/atom/ns#' term='wifi'/><title type='text'>Wifi Pirate</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_YBjZP0h05Z0/R1K5JayGwgI/AAAAAAAAABI/NbFp_MXsJqg/s1600-R/p.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 158px; height: 142px;" src="http://bp3.blogger.com/_YBjZP0h05Z0/R1K5JayGwgI/AAAAAAAAABI/3f3B0AT_8TY/s200/p.jpg" alt="" id="BLOGGER_PHOTO_ID_5139373696242598402" border="0" /&gt;&lt;/a&gt;Arr!!! I worked on this wifi project a while back. I had read on &lt;a 
href="http://www.google.com/search?hl=en&amp;amp;hs=jlo&amp;amp;q=satellite+dish+wifi&amp;amp;btnG=Search"&gt;several sites&lt;/a&gt;, on multiple people using satellite dishes to receive wifi signals over long distances.&lt;span style=""&gt;  &lt;/span&gt;Just so happens I had a JVC satellite dish laying around. &lt;span style=""&gt; &lt;/span&gt;My goal was to see if I could create a connection with the coffee shop (has free wifi) that is ~5miles away. &lt;span style=""&gt; &lt;/span&gt;    &lt;p class="MsoNormal"&gt;I built a &lt;a href="http://en.wikipedia.org/wiki/Cantenna"&gt;Cantenna&lt;/a&gt; and mounted it to the front of the dish with electrical tape.&lt;span style=""&gt;  &lt;/span&gt;Mounted the dish to a swivel (the swivel was for a boat seat).&lt;span style=""&gt;  &lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_YBjZP0h05Z0/R1K5fqyGwhI/AAAAAAAAABQ/6sR2qCQRoaE/s1600-R/jolly.JPG"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp0.blogger.com/_YBjZP0h05Z0/R1K5fqyGwhI/AAAAAAAAABQ/SCFxbFBUEu8/s200/jolly.JPG" alt="" id="BLOGGER_PHOTO_ID_5139374078494687762" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p class="MsoNormal"&gt;I tweaked the angle of the cantenna to the dish, by first pointing the dish at my neighbor’s wireless network, then using wood shims to lower or raise the angle of the can until I received the highest signal level.&lt;span style=""&gt;   &lt;/span&gt;I was using &lt;a href="http://www.netstumbler.com/"&gt;netstumbler&lt;/a&gt; with a dell truemobile wireless&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_YBjZP0h05Z0/R1K58qyGwiI/AAAAAAAAABY/wmVQF_dwmIE/s1600-R/car2.JPG"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://bp0.blogger.com/_YBjZP0h05Z0/R1K58qyGwiI/AAAAAAAAABY/THY1RT1tIgw/s200/car2.JPG" alt="" 
id="BLOGGER_PHOTO_ID_5139374576710894114" border="0" /&gt;&lt;/a&gt; card.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;I was unable to receive the coffee shop’s wifi signal, so what does a pirate do?&lt;span style=""&gt;    &lt;/span&gt;Well mount it to your pirate ship and sail the seas.&lt;span style=""&gt;  &lt;/span&gt;So I ended up driving around with the dish just to see how many access points I could receive.&lt;span style=""&gt;    &lt;/span&gt;After about 40 minutes, I already had logged 200 access points, with about half of them unsecured.&lt;/p&gt;    &lt;p class="MsoNormal"&gt;So does this work, &lt;span style="font-weight: bold;"&gt;yes&lt;/span&gt;. Without the dish and just the cantenna I am able to pick-up about 6 wireless signals, that number doubled once the cantenna was mounted to the dish, some of the signals are very weak but I was still able to receive them.  Also the dish setup has to be aligned exactly, half-inch off and the signal is completely gone, that’s why I recommend mounting it to a swivel, this made the aligning a simple task.&lt;span style=""&gt;   &lt;/span&gt;Next step mount the dish to a motorized swivel, it would be great if the dish would auto scan the area and find the best wifi signals to use.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/3660690244802655783-5820266059206483379?l=ebraincore.blogspot.com'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/5820266059206483379/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=5820266059206483379' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/5820266059206483379'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/3660690244802655783/posts/default/5820266059206483379'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2007/12/wifi-pirate.html' title='Wifi Pirate'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_YBjZP0h05Z0/R1K5JayGwgI/AAAAAAAAABI/3f3B0AT_8TY/s72-c/p.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-7714708037816247259</id><published>2007-11-30T09:11:00.000-06:00</published><updated>2007-11-30T22:13:19.507-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>One Packet For Each IPv4</title><content type='html'>We need a program to send out a packet for every possible IPv4 address to a specific destination address. Sounds simple enough, right? I crafted up a quick bash script that uses four for loops to increment each octet of the IP address. Each address is then passed to &lt;a href="http://www.laurentconstantin.com/en/netw/netwox/"&gt;netwox&lt;/a&gt;, which sends out a TCP packet for it.&lt;br /&gt;3 days later: this is still running, what’s the deal? A few calculations:&lt;br /&gt;Total IPv4 addresses: 2^32 = 4,294,967,296&lt;br /&gt;Transmission rate: ~500 packets per second (seems fast)&lt;br /&gt;Total time for completion: ~99 days&lt;br /&gt;Wow, we don’t have that much time!&lt;br /&gt;&lt;br /&gt;Should have started off in C; why am I so lazy all the time? So here it is, a C program to send one packet for each IPv4 address. 
The program actually uses UDP packets; we did not want to clog the network with SYN/ACK packets. The point of the test was to test the logging capabilities of a hardware device, which classifies received packets into separate categories based on IP address. We are using the &lt;a href="http://www.packetfactory.net/libnet/"&gt;libnet&lt;/a&gt; libraries; I am including a &lt;a href="http://www.securityfocus.com/infocus/1386"&gt;link to a good article&lt;/a&gt; that tells how to use libnet. It was compiled on Fedora Core 6 with the newest libnet installed. I hard-coded the MAC addresses so that an ARP would not have to be performed (this speeds things up). This program was able to exhaust the IPv4 space in less than 3 days. Again, the formatting of the code gets a little off after pasting into the blog, so review the code before using it. What about IPv6? Good luck doing this in less than a year :)&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;
#include &amp;lt;libnet.h&amp;gt;

int main(void)
{
    libnet_t *l;
    libnet_ptag_t t1, i1, e1;
    char errbuf[LIBNET_ERRBUF_SIZE];
    u_char src_eth[6] = {0x00, 0x0B, 0xDB, 0x1E, 0x55, 0x74}; /* source mac, change these */
    u_char dst_eth[6] = {0x00, 0x0B, 0xDB, 0x1E, 0x58, 0x0C}; /* dest mac */
    uint32_t src_ip = 0, dst_ip = 0x02046E0A; /* dst_ip in &lt;a href="http://en.wikipedia.org/wiki/Endianness"&gt;network byte order&lt;/a&gt; format */
    u_short src_port = 23456, dst_port = 80, payload_s = 0;
    u_char *payload = NULL;
    int c;

    l = libnet_init(LIBNET_LINK, NULL, errbuf);
    if (l == NULL) {
        fprintf(stderr, "libnet_init() failed: %s\n", errbuf);
        return 1;
    }

    /* headers are built bottom-up: UDP first, then IPv4, then Ethernet */
    t1 = libnet_build_udp(
        src_port,
        dst_port,
        LIBNET_UDP_H + payload_s, /* size */
        0,                        /* checksum, 0 = let libnet compute it */
        payload,
        payload_s,
        l,                        /* libnet handle */
        0);                       /* 0 = new header */

    i1 = libnet_build_ipv4(
        LIBNET_IPV4_H + LIBNET_UDP_H + payload_s,
        0,            /* tos */
        242,          /* id */
        0,            /* fragmentation */
        48,           /* ttl */
        IPPROTO_UDP,
        0,            /* checksum, computed by libnet */
        htonl(src_ip),
        dst_ip,
        NULL,
        0,
        l,
        0);

    e1 = libnet_build_ethernet(
        dst_eth,
        src_eth,
        ETHERTYPE_IP,
        NULL,
        0,
        l,
        0);

    if (t1 == -1 || i1 == -1 || e1 == -1) {
        fprintf(stderr, "header build failed: %s\n", libnet_geterror(l));
        libnet_destroy(l);
        return 1;
    }
    c = libnet_write(l);

    /* every other source address: rewrite the IPv4 header in place using its ptag */
    while (src_ip &amp;lt; 0xffffffff)
    {
        src_ip++;
        i1 = libnet_build_ipv4(
            LIBNET_IPV4_H + LIBNET_UDP_H + payload_s,
            0,
            242,
            0,
            48,
            IPPROTO_UDP,
            0,
            htonl(src_ip),
            dst_ip,
            NULL,
            0,
            l,
            i1);  /* existing ptag: modify the header, do not add a new one */

        c = libnet_write(l);
        if (c == -1)
            fprintf(stderr, "write failed: %s\n", libnet_geterror(l));
    }
    libnet_destroy(l);
    printf("all done\n");
    return 0;
}
&lt;/pre&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/7714708037816247259/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=7714708037816247259' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/7714708037816247259'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/7714708037816247259'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2007/11/one-packet-for-each-ipv4.html' title='One Packet For Each 
IPv4'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-3106959919951424240</id><published>2007-11-23T10:10:00.000-06:00</published><updated>2007-11-30T22:13:51.367-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>Nmap - not for every occasion</title><content type='html'>&lt;a href="http://insecure.org/nmap/"&gt;Nmap&lt;/a&gt;: if you are a practitioner in the computer security field, then you know about nmap. Basically, nmap is a free, quick and easy-to-use &lt;a href="http://en.wikipedia.org/wiki/Port_scanner"&gt;port scanner&lt;/a&gt;. I have no qualms about the program, but what people must learn is that there is a time to use nmap and a time not to.&lt;br /&gt;&lt;br /&gt;Just to give some background: computers have software ports, and these ports are used to map data to a particular process on the computer. For example, when you browse the web your computer uses port 80 to query web servers in order to receive the web pages. For every process running on your computer that transmits and receives data across the network, there is a specific port associated with it. So in theory, using a port scanner allows us to determine the processes that are running. This in turn allows us to determine if any vulnerable services are running. Port scanning is performed on TCP and UDP ports, because these are the two protocols designated by IP.&lt;br /&gt;&lt;br /&gt;Now for the TCP protocol, port scanners work really well, because the protocol includes the three-way handshake. 
Your computer sends a packet to say hi (SYN), the other computer answers back hi (SYN-ACK), and then yours says let’s transfer some data (SYN-ACK-ACK). So for TCP port scanning, unless a firewall is filtering or blocking the target computer, it will answer SYN packets on all open TCP ports.&lt;br /&gt;&lt;br /&gt;Now for UDP there is no handshake process; basically a UDP service just accepts all the data it receives and processes it with no response back to your computer. So unless the UDP service is set to answer back, or the operating system sends a message saying that the port is closed, you will never know the status of a UDP port.&lt;br /&gt;&lt;br /&gt;Back to my complaint: I deal with computer security people on a daily basis. I am not knocking them, but at least 50% think that nmap is the be-all and end-all of the security world. We receive software to test, we load it up, and the first thing they want to do is run nmap. My response is: why? For some reason running nmap makes you some super uber hacker. Hey look guys, I can run nmap, yeah!&lt;br /&gt;&lt;br /&gt;Our setup:&lt;br /&gt;- we are in a network lab and not on an operational network, so we have control of all resources on the network&lt;br /&gt;- we are dealing with fewer than 3 machines, with admin access to each machine&lt;br /&gt;&lt;br /&gt;Remember, a port scan is only useful if a port answers back and we can track that port back to a single process (for uber hackers: at least ensure the software is running when you perform a port scan).&lt;br /&gt;&lt;br /&gt;Countless times, I receive responses that this software does not use any network resources, because we ran nmap and no ports showed up.&lt;br /&gt;My first two questions:&lt;br /&gt;- Did you have the software running during the port scan? (usually No)&lt;br /&gt;- Is the firewall blocking your scan? (usually I don’t know)&lt;br /&gt;Then the response… But I can run nmap so I am an uber haxor!&lt;br /&gt;&lt;br /&gt;So what do I suggest? Why not &lt;a href="http://en.wikipedia.org/wiki/Netstat"&gt;netstat&lt;/a&gt;, yes, the built-in Windows utility (same for Linux). If you are in a testing environment and only have a few computers on which to determine open ports, why even consider nmap? &lt;em&gt;netstat -nb&lt;/em&gt; will give you all the open ports and the process that opened each one. I know running netstat is not as cool as running nmap, but with netstat you don’t have to rely on the computer to answer you back, so there is no guesswork in determining whether a port is open.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;But ecore, what about software that only opens a port every so often to communicate?&lt;/em&gt; Guess what, you can script netstat to run every so often. &lt;em&gt;netstat -nb 5 &gt; log.txt&lt;/em&gt; will write all port information into the log file every 5 seconds (if you are doing this, consider using a protocol analyzer such as Wireshark as well).&lt;br /&gt;&lt;br /&gt;The point is, if you are trying to determine open ports on a computer you have admin access to, nmap is not the way to go. Reserve nmap for remote scans or for when you have to test hundreds of computers. 
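&lt;br /&gt;&lt;br /&gt;Polling netstat is only half the job; someone has to diff the logs afterwards. As an added example that is not from the original post, the Python below parses two constructed netstat -nb snapshots (mimicking the Windows layout, where the owning executable follows each connection line in brackets) and reports which process opened or closed which port between them; the process names and addresses are made up.

```python
import re
from collections import namedtuple

# Constructed sample of two consecutive `netstat -nb` runs on Windows (not real
# output, but in the same layout): the owning executable follows each
# connection line in square brackets, sometimes preceded by a service name or
# replaced by an ownership notice when netstat lacks the privilege.
SNAPSHOT_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  UDP    0.0.0.0:500            *:*
 [lsass.exe]
"""

SNAPSHOT_AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
 [vendorapp.exe]
  TCP    192.168.1.5:49200      203.0.113.7:443        ESTABLISHED
 [vendorapp.exe]
  UDP    0.0.0.0:500            *:*
 [lsass.exe]
"""

Socket = namedtuple("Socket", "proto local_port state process")

# proto, local address:port, foreign address, optional state (UDP has none)
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")
PROC_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Turn `netstat -nb` output into a list of Socket records."""
    sockets = []
    pending = None
    for line in text.splitlines():
        conn = CONN_RE.match(line)
        if conn:
            # the owner is printed after its connection line, so a new
            # connection line means the previous one never got an owner
            if pending is not None:
                sockets.append(pending)
            proto, port, state = conn.groups()
            pending = Socket(proto, int(port), state or "-", "unknown")
            continue
        proc = PROC_RE.match(line)
        if proc and pending is not None:
            sockets.append(pending._replace(process=proc.group(1)))
            pending = None
    if pending is not None:
        sockets.append(pending)
    return sockets


def open_ports_by_process(text):
    """Map each process to its open ports: TCP listeners plus every UDP
    socket, i.e. exactly what a port scan would have had to discover."""
    result = {}
    for s in parse_netstat(text):
        if s.proto == "UDP" or s.state == "LISTENING":
            result.setdefault(s.process, set()).add((s.proto, s.local_port))
    return result


def diff_snapshots(before_text, after_text):
    """Return (opened, closed): sockets that appeared or vanished between runs."""
    before = set(parse_netstat(before_text))
    after = set(parse_netstat(after_text))
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    opened, closed = diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for s in opened:
        print("opened:", s)
    for s in closed:
        print("closed:", s)
```
&lt;br /&gt;&lt;br /&gt;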
Part of being a 31337 uber haxor is knowing when and when not to use your tools.</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/3106959919951424240/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=3106959919951424240' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/3106959919951424240'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/3106959919951424240'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2007/11/nmap-not-for-every-occasion.html' title='Nmap - not for every occasion'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-1965784224605387721</id><published>2007-11-18T07:25:00.000-06:00</published><updated>2007-11-30T22:13:19.508-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>ICMPv6 Scanning</title><content type='html'>I have touched on this topic in a previous &lt;a href="http://ebraincore.blogspot.com/2007/11/scripting-netwox-ipv6-port-scanning.html"&gt;post&lt;/a&gt;; however, I would like to revisit the topic. 
Why would we want to perform ICMP scanning? I say, why not. Everybody is always talking about performing port scans but never ICMP scans; I say ICMP should get equal time with TCP and UDP.&lt;br /&gt;&lt;br /&gt;I know you probably have not heard of many flaws concerning ICMP, but they happen. For example, I was testing an IPv6 stack, trying to determine if there were any flaws. I found that sending the target computer an ICMP Reply caused the target computer to send out an ICMP Request. How does this help an attacker? The target computer was running a firewall that was set to block ICMP requests coming in; however, since the target computer was sending out an ICMP request, the firewall did not block this (you might think the firewall should block random ICMP replies coming in, but it didn't). So this gives an attacker a way to scan the local LAN and determine valid addresses of computers.&lt;br /&gt;&lt;br /&gt;A little background: ICMP packets are defined by a type field and a code field. Each is an 8-bit field, meaning there are 256 possible values (0-255), so you have 256 codes for each of the 256 types. If you take a look at the RFCs, you will see that not all of the type and code combinations are valid; some are considered reserved or undefined (&lt;a href="http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=494079&amp;amp;in_page_id=1770"&gt;More Information&lt;/a&gt;). As part of a thorough security test, we should send the computer we are testing every possible combination and see what happens. This does not take much time, and sometimes has very interesting results.&lt;br /&gt;&lt;br /&gt;For this example I am going to concentrate on ICMPv6 scanning. The basic setup is a laptop running Fedora Core 6 (FC6) connected to the target computer through a generic hub. The FC6 computer has &lt;a href="http://www.wireshark.org/"&gt;wireshark&lt;/a&gt; and the &lt;a href="http://freeworld.thc.org/thc-ipv6/"&gt;THC IPv6&lt;/a&gt; libraries installed. Both computers have IPv6 enabled (you can give the FC6 machine an IPv6 address by using the ifconfig command). I have talked about performing this scan with NETWOX; however, NETWOX will not send out undefined types and codes, which is why we are using the libraries. Basically we start up Wireshark to capture all the packets on the network and then use the THC IPv6 libraries to send out one ICMPv6 packet for each type and code. When performing the scan I usually set a display filter in Wireshark to only display responses from the target computer. A note on IPv6: the protocol gives the host two addresses, a global address and a link-local address (&lt;a href="http://en.wikipedia.org/wiki/IPv6"&gt;info&lt;/a&gt;). The link-local address starts with fe80 and the global is basically everything else. I suggest performing the scan with both link-local and global addresses; you usually find differences.&lt;br /&gt;&lt;br /&gt;I am posting the C code I used to accomplish this scanning; again, the formatting of the code gets thrown off when I paste it into the blog, so I apologize. Basically the code sets up two loops in order to scan all types and codes; it should be pretty self-explanatory.&lt;br /&gt;&lt;br /&gt;My main point is that security professionals should be concerned with ICMP scanning instead of leaving it by the wayside. 
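&lt;br /&gt;&lt;br /&gt;Sending all 65,536 type/code combinations is the easy half; the useful half is deciding which replies the stack or firewall should never have produced. As an added example, not the post's code, the Python below pairs each reply from the target in a constructed capture with the probe that preceded it and classifies it against the type/code table of RFC 4443 and RFC 4861, flagging the reply-provokes-a-request behaviour described above, errors sent in answer to errors, and any answer to an undefined type/code. The frames are made up; the addresses are the ones used in the netwox scripts in the Scripting Netwox post, and the same triage applies to captures from that post's ICMPv6 script.

```python
# Type/code pairs defined by RFC 4443 (ICMPv6) and RFC 4861 (Neighbor
# Discovery). Everything else is reserved or unassigned: a conforming stack
# silently drops unknown informational types and never answers unknown error
# types. Extend the table if the target also speaks MLD and friends.
DEFINED = {
    1: set(range(0, 7)),  # Destination Unreachable, codes 0-6
    2: {0},               # Packet Too Big
    3: {0, 1},            # Time Exceeded
    4: {0, 1, 2},         # Parameter Problem
    128: {0},             # Echo Request
    129: {0},             # Echo Reply
    133: {0},             # Router Solicitation
    134: {0},             # Router Advertisement
    135: {0},             # Neighbor Solicitation
    136: {0},             # Neighbor Advertisement
    137: {0},             # Redirect
}
ERROR_TYPES = set(range(0, 128))  # RFC 4443: error messages are types 0-127

SCANNER = "fe80::20b:dbff:fe1e:5574"   # the scanning laptop (address from the netwox post)
TARGET = "fe80::1c26:fea7:10f7:68fd"   # the machine under test

# Constructed capture, in the order Wireshark would list the frames:
# (src, dst, icmpv6 type, icmpv6 code). Not a real capture.
CAPTURE = [
    (SCANNER, TARGET, 128, 0), (TARGET, SCANNER, 129, 0),  # ordinary ping
    (SCANNER, TARGET, 129, 0), (TARGET, SCANNER, 128, 0),  # reply provokes a request
    (SCANNER, TARGET, 135, 0),                             # NS, left unanswered
    (SCANNER, TARGET, 1, 0), (TARGET, SCANNER, 4, 0),      # error answered with error
    (SCANNER, TARGET, 200, 5), (TARGET, SCANNER, 4, 1),    # unassigned type answered
]


def is_defined(icmp_type, icmp_code):
    return icmp_code in DEFINED.get(icmp_type, set())


def verdict(probe, response):
    """Judge one (probe, response) pair of (type, code) tuples."""
    ptype, pcode = probe
    rtype, rcode = response
    if ptype == 128 and rtype == 129:
        return "ok: echo reply to echo request"
    if ptype == 129 and rtype == 128:
        return "anomaly: unsolicited echo reply provoked an outbound echo request"
    if ptype in ERROR_TYPES and rtype in ERROR_TYPES:
        return "violation: ICMPv6 error sent in reply to an ICMPv6 error (RFC 4443 2.4)"
    if not is_defined(ptype, pcode):
        return "anomaly: answered undefined type %d code %d" % (ptype, pcode)
    return "review: unexpected type %d code %d in reply" % (rtype, rcode)


def triage(capture, scanner, target):
    """Pair each frame from the target with the most recent probe and judge it.
    Returns a list of (probe, response, verdict)."""
    findings = []
    last_probe = None
    for src, dst, icmp_type, icmp_code in capture:
        if src == scanner and dst == target:
            last_probe = (icmp_type, icmp_code)
        elif src == target and last_probe is not None:
            response = (icmp_type, icmp_code)
            findings.append((last_probe, response, verdict(last_probe, response)))
    return findings


def flagged(capture, scanner, target):
    """Everything the stack or firewall should not have done."""
    return [f for f in triage(capture, scanner, target) if not f[2].startswith("ok")]


if __name__ == "__main__":
    for probe, response, what in triage(CAPTURE, SCANNER, TARGET):
        print("probe %3d/%-3d reply %3d/%-3d  %s" % (probe + response + (what,)))
```
&lt;br /&gt;&lt;br /&gt;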
Happy Scanning!&lt;br /&gt;&lt;br /&gt;(I scraped the code together from memory and other sources, because I did not have access to my program when writing this post; however, it should be enough to get you started.)&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;
#include &amp;lt;stdio.h&amp;gt;
#include &amp;lt;unistd.h&amp;gt;
#include "thc-ipv6.h"

/* Sends one ICMPv6 packet for every type/code combination (256 x 256) to the
 * target and lets Wireshark show which ones get answered. */
int main(void)
{
    char *interface = "eth0";
    /* source and destination IPv6 addresses as 32 hex digits (link-local here) */
    unsigned char *src6 = (unsigned char *) "fe80000000000000020bdbfffe1e580c";
    unsigned char *dst6 = (unsigned char *) "fe800000000000001c26fea710f768fd";
    unsigned char *src61, *dst61;
    unsigned char *srcmac, *dstmac;  /* can be NULL to have the library resolve them */
    unsigned char *pkt = NULL;
    int pkt_len = 0;
    int type, code, flags = 0, checksum = 0;

    src61 = thc_string2ipv6(src6);
    dst61 = thc_string2ipv6(dst6);
    if (src61 == NULL || dst61 == NULL) {
        fprintf(stderr, "could not parse the IPv6 address strings\n");
        return -1;
    }
    printf("Sending Packets to %s\n", (char *) dst6);

    srcmac = thc_get_own_mac(interface);
    dstmac = thc_get_mac(interface, src61, dst61);

    for (type = 0; type &amp;lt; 256; type++)
    {
        for (code = 0; code &amp;lt; 256; code++)
        {
            /* build the IPv6 header */
            pkt = thc_create_ipv6(interface, PREFER_GLOBAL, &amp;amp;pkt_len, src61, dst61, 60, 0, 0, 0, 0);
            if (pkt == NULL) {
                printf("Packet Creation Failed\n");
                return -1;
            }
            /* add the ICMPv6 part with the current type and code */
            if (thc_add_icmp6(pkt, &amp;amp;pkt_len, type, code, flags, NULL, 0, checksum) &amp;lt; 0) {
                thc_destroy_packet(pkt);
                return -1;
            }
            /* generate the packet (checksums and Ethernet framing) */
            if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &amp;amp;pkt_len) &amp;lt; 0) {
                printf("generate failed\n");
                thc_destroy_packet(pkt);
                return -1;
            }
            /* send the packet out */
            if (thc_send_pkt(interface, pkt, &amp;amp;pkt_len) &amp;lt; 0)
                printf("packet not sent (type %d, code %d)\n", type, code);

            thc_destroy_packet(pkt);  /* destroy the packet */
            usleep(1000);
        }
    }
    return 0;
}
&lt;/pre&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/1965784224605387721/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=1965784224605387721' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/1965784224605387721'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/1965784224605387721'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2007/11/icmpv6-scanning.html' title='ICMPv6 Scanning'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-3143006096008426021</id><published>2007-11-08T15:48:00.000-06:00</published><updated>2007-11-30T22:13:19.509-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>Scripting Netwox (IPv6 Port 
Scanning)</title><content type='html'>As you may have found out, there are not currently that many tools for testing IPv6, so what does one do when you need to perform an IPv6 port scan? I accomplished this through the use of a tool called Network Toolbox (&lt;a href="http://www.laurentconstantin.com/en/netw/netwox/"&gt;http://www.laurentconstantin.com/en/netw/netwox/&lt;/a&gt;), or simply NETWOX. This tool supports a variety of protocols including IPv6. On a side note, use of the TCP reset tool included in NETWOX is always fun: it will sniff the network and send a TCP RST packet for each TCP connection it detects, effectively closing all TCP connections. Great fun watching the network gurus trying to diagnose that problem.&lt;br /&gt;&lt;br /&gt;Back to IPv6 port scanning: so you are required to perform a port scan in IPv6. I know nmap has some IPv6 capabilities, but I have not had much luck with it. Basically, NETWOX lets you send out a specific packet, one at a time. By automating the process we can effectively create a port scanner. The basic methodology is: I send out an IPv6 TCP packet with the SYN flag set and use a protocol sniffer (Wireshark) to capture the response. All I need to do is send out one packet for each port I want to scan and then examine the sniffer file.&lt;br /&gt;&lt;br /&gt;I am running a version of Linux called BackTrack (&lt;a href="http://www.remote-exploit.org/backtrack.html"&gt;http://www.remote-exploit.org/backtrack.html&lt;/a&gt;) and using a bash script to automate NETWOX. BackTrack has Wireshark built in, so run it during the script execution and filter by responses from the target (ex. ip.src == ipaddress). I have found this method to be a reliable way to port scan IPv6 computers. 
Here is the bash script for performing this:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;
#!/usr/bin/env bash

# one IPv6 TCP SYN per port; watch the replies in Wireshark
source=aaaa::20b:dbff:fe1e:5574
dest=aaaa::1c26:fea7:10f7:68fd
for ((port=0 ; port&amp;lt;=65535 ; port+=1)); do
    netwox 146 --ip6-src "$source" --ip6-dst "$dest" --tcp-dst "$port" --tcp-syn --tcp-window 32000
done
&lt;/pre&gt;&lt;br /&gt;To use it, save the file under some name, make it executable (chmod 777 filename), replace the source and dest addresses with your correct addresses, then run ./filename. (Make sure the line that starts with netwox through --tcp-window 32000 is all on one line; blogspot formatting problems again.) And of course make sure you have netwox installed.&lt;br /&gt;&lt;br /&gt;Reviewing the capture, any TCP packet for a particular port from the target computer means that port is open. Cool, huh? (Again, if you don’t understand, let me know so I can explain better.)&lt;br /&gt;Now sometimes you receive an ICMP response; what that means depends on the response, but probably that the port is closed. So what’s next: an ICMPv6 port scanner:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;
#!/usr/bin/env bash

# one ICMPv6 packet per type/code pair in the chosen type range
source=fe80::20b:dbff:fe1e:5574
dest=fe80::1c26:fea7:10f7:68fd
for ((type=129 ; type&amp;lt;=130 ; type+=1)); do
    for ((code=0 ; code&amp;lt;=255 ; code+=1)); do
        netwox 147 --ip6-src "$source" --ip6-dst "$dest" --icmp-type "$type" --icmp-code "$code"
    done
done
&lt;/pre&gt;&lt;br /&gt;It sends out all possible ICMPv6 type and code combinations. However, netwox will not send out illegal type and code combinations. For true ICMPv6 scanning (illegal combinations) I like to use the THC libraries written about in the IPv6 firewall testing post (Nov).&lt;br /&gt;&lt;br /&gt;This one is for UDP scanning; any response from the target on a specific port means that port is open:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;
#!/usr/bin/env bash

# one IPv6 UDP datagram per port, source port set equal to the destination port
source=8888::20b:dbff:fe1e:5574
dest=aaaa::1c26:fea7:10f7:68fd
for ((port=0 ; port&amp;lt;=65535 ; port+=1)); do
    netwox 145 --ip6-src "$source" --ip6-dst "$dest" --udp-dst "$port" --udp-src "$port"
done
&lt;/pre&gt;&lt;br /&gt;So you get the idea: a neat little way to perform port scanning in IPv6. Netwox is a neat little collection of tools that is easy to use and very useful (especially the make-coffee tool). I have also used it to perform IPv4 ICMP scans; it’s amazing sometimes what happens when you send some weird ICMP packets to a computer. Sometimes it answers back even if it is programmed not to answer ICMP packets!</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/3143006096008426021/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=3143006096008426021' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/3143006096008426021'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/3143006096008426021'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2007/11/scripting-netwox-ipv6-port-scanning.html' title='Scripting Netwox (IPv6 Port 
Scanning)'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-4353613012864413379</id><published>2007-11-05T21:48:00.000-06:00</published><updated>2007-11-30T22:13:19.509-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>EtherSnoop Debacle (Parsing an EtherSnoop file)</title><content type='html'>I just love a good problem in the morning.  So I receive a capture file to analyze from a fellow professional.  He, not being super familiar with protocol analyzers, asked me to look at it.  He could not find any program (WireShark, tcpdump, netmon...) to open this file.  It had a .cap file extension and he was told that it was a network capture of UDP packets.  Basically the capture file consisted of UDP packets from some type of GPS IP-enabled device.  Each packet had waypoints and time stamps, and these needed to be extracted.  I open the file in notepad, and sure enough, I can pick out longitude and latitude coordinates scrambled in the data.  So my task, if I choose to accept it, is to get the time stamps and GPS data out of each packet, sure why not.   Off I go; now of course picking these out by hand was not going to work, there were over 4,000 GPS points in this file.  And it was not possible to repeat the test with a different known sniffer.&lt;br /&gt;&lt;br /&gt;Hey, let's try Excel and some VBA - I know everybody is laughing, but Excel and VBA is some powerful stuff; I have analyzed quite a few capture files this way.  I import the file and of course get meaningless crap.  
I try some manipulations, and I notice that "gE#" seems to precede the data I need (sometimes?), so I write some code to put everything between "gE#" on separate rows, and it seems to work, kind of.  There is still a lot of useless data in my pseudo packets.  Punk, go ahead and make my day, and let's pull out the big guns.&lt;br /&gt;&lt;br /&gt;Here they come, the infamous hex editor, specifically my favorite because it is free, Cygnus Hex Editor (&lt;a href="http://www.softcircuits.com/cygnus/"&gt;http://www.softcircuits.com/cygnus/&lt;/a&gt;).  After an hour of staring at the file, it starts to make sense? There seems to always be a "&lt;" or hex 3C after the data.  Since I was told the device sends out a standard formatted UDP packet at a set period of time, you would think it would be easy to pick out a pattern.  But once I think I've got a pattern, the next set of data ruins it.  What a mess.    ZOWIE!!! (yes, like in the Batman show) I get an e-mail from the guy that performed the capture; yep, you guessed it, he used EtherSnoop (&lt;a href="http://www.arechisoft.com/"&gt;http://www.arechisoft.com/&lt;/a&gt;).  Just what I needed, so I download and install EtherSnoop and open the file; yep, it works, and then the realization hits.  This capture file is full of extra packets; no filter was used for capturing, so all network traffic for about 4 hours was captured, no wonder the data was not uniform.  But I was right, packets always start with hex 3C or "&lt;".   After realizing the facts, back to Excel (why Excel - it's awesome at manipulating data).  Import the file as delimited, but don't specify a delimiter.  So you have a spreadsheet with stuff everywhere and the fun starts. 
First script (I do apologize for the code; for some reason my formatting keeps getting thrown off):   &lt;span style="font-style: italic;"&gt;Function clean()&lt;br /&gt;' Walk down column A of Sheet4 and delete the rows whose first cell is empty,&lt;br /&gt;' i.e. the non-packet data between the Body tags.&lt;br /&gt;For i = 1 To 65535&lt;br /&gt;&lt;br /&gt;If Sheet4.Cells(i, 1) = "" Then&lt;br /&gt;Sheet4.Rows(i).Delete&lt;br /&gt;End If&lt;br /&gt;&lt;br /&gt;' the row that moved up after the delete is checked once more;&lt;br /&gt;' a third consecutive empty row means the data is finished, so stop&lt;br /&gt;If Sheet4.Cells(i, 1) = "" Then&lt;br /&gt;Sheet4.Rows(i).Delete&lt;br /&gt;If Sheet4.Cells(i, 1) = "" Then&lt;br /&gt;Exit For&lt;br /&gt;End If&lt;br /&gt;End If&lt;br /&gt;Next i&lt;br /&gt;End Function&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This script will get rid of all the non-packet data - data that lies between the Body tags in the file.  I have no idea why, but you have packets grouped together and then some data.  I have no idea what this data is, but it looked useless to me.  So after the script is run you have just the packets.  Next we want to put each packet on a separate row, to make it easier to parse packets:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Function pullbrackets()&lt;br /&gt;' Split the text in column A of Sheet4 at every "&lt;" and write one packet per row to Sheet5&lt;br /&gt;&lt;br /&gt;g = ""&lt;br /&gt;v = 1&lt;br /&gt;For i = 1 To 65535&lt;br /&gt;&lt;br /&gt;If Sheet4.Cells(i, 1) = "" Then&lt;br /&gt;Exit For&lt;br /&gt;End If&lt;br /&gt;&lt;br /&gt; For j = 1 To Len(Sheet4.Cells(i, 1))&lt;br /&gt; y = Mid(Sheet4.Cells(i, 1), j, 1)&lt;br /&gt;&lt;br /&gt; ' a "&lt;" starts a new packet: write out what was collected so far&lt;br /&gt; If y = "&lt;" Then&lt;br /&gt;Sheet5.Cells(v, 1) = g&lt;br /&gt;v = v + 1&lt;br /&gt;g = ""&lt;br /&gt; End If&lt;br /&gt; g = g &amp;amp; y&lt;br /&gt;Next j&lt;br /&gt;Next i&lt;br /&gt;' write out the last packet, which no following "&lt;" would flush&lt;br /&gt;Sheet5.Cells(v, 1) = g&lt;br /&gt;End Function&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;The above code looks for "&lt;" and puts all data between successive "&lt;" characters on one row.  
Now we have an Excel spreadsheet with one packet per row.  So that is the basics; of course to use the code you should modify it for your use (change the sheet designations...).  I am thinking if you are reading this you understand VBA, but if not leave me a message and I can explain it more.   I did write a little more code to get the packets I wanted, but I won't bore you with that (a script to sort out the UDP packets, then pull the data from those packets and get rid of non-ASCII data).  But anyway, there you go, my experiences with EtherSnoop.  In my opinion EtherSnoop is lacking since there is no way to export data, but any free program I am not going to bad-mouth.  But I do prefer WireShark (&lt;a href="http://www.wireshark.org/"&gt;http://www.wireshark.org/&lt;/a&gt;).  The next task: what can you use to plot out 4,000 GPS points?</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/4353613012864413379/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=4353613012864413379' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/4353613012864413379'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/4353613012864413379'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2007/11/ethersnoop-debacle-parsing-ethersnoop.html' title='EtherSnoop Debacle (Parsing an EtherSnoop file)'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' 
name='OpenSocialUserId' value='10623396224886472553'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-3686228187962555650</id><published>2007-11-02T16:11:00.000-05:00</published><updated>2007-11-30T22:34:01.664-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='serial port'/><category scheme='http://www.blogger.com/atom/ns#' term='windows scripting host wsh'/><category scheme='http://www.blogger.com/atom/ns#' term='visual basic scripting vbs'/><title type='text'>Serial Port in WSH (vbs)</title><content type='html'>Ever happen to you - Hey, we need a program to send AT commands to a modem through the computer's serial port and store the responses to a text file, and by the way we prefer a non-compiled language that will run on any Windows computer.&lt;br /&gt;&lt;br /&gt;So then I thought, I know, we will use Windows Scripting Host; anybody with a Windows computer can run a .vbs file. Did some research; not much documentation on using the serial port in a vbs file, just some stuff about MSComm32 - but you have to register it (just seemed annoying). Came across ActiveComport - now this is great. By installing ActiveComport, serial port programming becomes downright simple. So I write out the program and install ActiveComport - bam, works perfect. And then discover you have to pay to use ActiveComport; of course there is no money to do that, so back to the drawing board.&lt;br /&gt;&lt;br /&gt;Discovered this website &lt;a href="http://www.hardandsoftware.net/" target="_blank" rel="nofollow"&gt;http://www.hardandsoftware.net/&lt;/a&gt;, which has NETCommOCX, an ActiveX control that wraps the functionality of MSComm32.ocx. By the way, check out the other cool stuff on the site; there are some neat things there. NETCommOCX works perfect, and it is a free download with no restrictions. 
It does need to be installed on the computer you intend on using the program on.&lt;br /&gt;&lt;br /&gt;So FYI, here is the program written in vbs; basically it needs two text files, command.txt and out.txt, already in the directory of the program. Command.txt contains one AT command per line, so the script loads each one into an array, then writes each command to the serial port. The program then waits 300ms for a response and writes the response to the out.txt file and to the screen. The commands are issued in an infinite loop until the program is stopped (Ctrl-C). The time to wait should be changed based on the device. There are more advanced ways to control the flow of the program: instead of waiting for a specified time it can poll the serial port for data and pause until it receives data.&lt;br /&gt;&lt;br /&gt;Program code, should be pretty self-explanatory (hopefully). The program is meant to be run with cscript - c:\cscript program.vbs&lt;br /&gt;---------------------------------------------------&lt;br /&gt;&lt;em&gt;' Open COM1 at 9600 baud, 8N1, through the NETCommOCX wrapper&lt;br /&gt;Set objComport = CreateObject( "NETCommOCX.NETComm" )&lt;br /&gt;&lt;br /&gt;objComport.CommPort = 1&lt;br /&gt;objComport.Settings = "9600,N,8,1"&lt;br /&gt;objComport.InputLen = 0&lt;br /&gt;objComport.PortOpen = True&lt;br /&gt;&lt;br /&gt;wscript.echo "Port is open and ready"&lt;br /&gt;&lt;br /&gt;' Read the AT commands, one per line, from command.txt into arrData(1 .. i-1)&lt;br /&gt;Set objFSO = CreateObject("Scripting.FileSystemObject")&lt;br /&gt;Set objTextFile = objFSO.OpenTextFile("command.txt", 1)&lt;br /&gt;&lt;br /&gt;i = 1&lt;br /&gt;&lt;br /&gt;Do Until objTextFile.AtEndOfStream&lt;br /&gt;ReDim Preserve arrData(i)&lt;br /&gt;arrData(i) = objTextFile.ReadLine&lt;br /&gt;i = i + 1&lt;br /&gt;Loop&lt;br /&gt;&lt;br /&gt;objTextFile.Close&lt;br /&gt;&lt;br /&gt;' Open out.txt for writing (mode 2 overwrites any existing file)&lt;br /&gt;Set objFSO = CreateObject("Scripting.FileSystemObject")&lt;br /&gt;Set objTextFile = objFSO.OpenTextFile("out.txt", 2)&lt;br /&gt;&lt;br /&gt;' Issue every command in turn, forever, until the script is stopped with Ctrl-C&lt;br /&gt;Do While True&lt;br /&gt;For j = 1 To (i-1) ' the array holds entries 1 to i-1&lt;br /&gt;str1 = arrData(j)&lt;br /&gt;wscript.echo str1&lt;br /&gt;objComport.Output = (arrData(j)) &amp;amp; vbCr&lt;br /&gt;wscript.sleep(300) ' give the modem time to answer; adjust for the device&lt;br /&gt;str = objComport.InputData&lt;br /&gt;wscript.echo str&lt;br /&gt;wscript.echo "------------"&lt;br /&gt;objTextFile.WriteLine ("command: " &amp;amp; arrData(j))&lt;br /&gt;objTextFile.WriteLine (str)&lt;br /&gt;objTextFile.WriteLine ("-------------------")&lt;br /&gt;Next&lt;br /&gt;Loop&lt;br /&gt;&lt;br /&gt;objTextFile.Close&lt;br /&gt;objComport.PortOpen = False ' Close the port &lt;/em&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/3686228187962555650/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=3686228187962555650' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/3686228187962555650'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/3686228187962555650'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2007/11/ever-happen-to-you-hey-we-need-program.html' title='Serial Port in WSH (vbs)'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-1680207366230555005</id><published>2007-11-02T08:23:00.001-05:00</published><updated>2007-11-30T22:13:19.509-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>Testing Firewalls IPv6</title><content type='html'>So we have talked before about testing firewalls in IPv4, but what about IPv6?  I was recently given the chance to test an IPv6 firewall.  So again a testing methodology would be to throw a bunch of IPv6 packets at it and see how well it filters.  There is a tool called ip6sic (&lt;a href="http://ip6sic.sourceforge.net/"&gt;http://ip6sic.sourceforge.net/&lt;/a&gt;) that is a derivative of the isic tool used before.  But I guess my skills are lacking, because I had problems using this tool (especially just getting the thing to compile).  So going back to my great standby, I enlisted the help of google and found The Hacker's Choice (&lt;a href="http://thc.org/"&gt;http://thc.org/&lt;/a&gt; ) – I have to say this is an awesome website and should be bookmarked, as there is always some cool thing posted on the site.  THC has a library (&lt;a href="http://freeworld.thc.org/thc-ipv6/"&gt;http://freeworld.thc.org/thc-ipv6/&lt;/a&gt;), THC-IPV6, that allows one to quickly develop a program to send out IPv6 packets.  Using this library I was able to craft together some quick code to test the firewall.  Basically the code created blank IPv6 packets and filled the fields and data with random bits.  I then checked the firewall logs and the sniffer capture files to determine if any packets snuck through.  Guess what, IPv6 ICMP packets with undefined type codes were allowed to pass even when it was told to filter out all ICMPv6.  
Even stranger, certain type and code ICMPv6 packets caused the firewall to send out an ICMP IPv6 reply packet.  Just makes my day when I get to go back to the developers and show my results; of course I get the standard answer, who would ever send the firewall non-defined type and code ICMPv6 packets - who knows.</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/1680207366230555005/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=1680207366230555005' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/1680207366230555005'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/1680207366230555005'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2007/11/testing-firewalls-ipv6.html' title='Testing Firewalls IPv6'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-3660690244802655783.post-6368374972185143640</id><published>2007-11-02T08:23:00.000-05:00</published><updated>2007-11-30T22:13:19.510-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='computer security'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>Testing Firewalls IPv4</title><content type='html'>How do we go about 
doing this? That was my question.  The general game plan was: let's generate some packets on the external side, set up a sniffer on the internal side and see what makes it through.  I was lucky and was given a default configuration of the firewall rules that would be implemented.&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_YBjZP0h05Z0/Rysliy5Jt9I/AAAAAAAAAAM/d_KhO-52hqI/s1600-h/fw.JPG"&gt;&lt;img id="BLOGGER_PHOTO_ID_5128233880398706642" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://bp1.blogger.com/_YBjZP0h05Z0/Rysliy5Jt9I/AAAAAAAAAAM/d_KhO-52hqI/s320/fw.JPG" border="0" /&gt;&lt;/a&gt; &lt;div&gt;Now how about that packet generator - ????.  Fumbling around in C with some libnet libraries might sound like fun, but we were pressed for time.  After some google searches, came across IP Stack Integrity Checker (ISIC) – &lt;a href="http://www.packetfactory.net/Projects/ISIC/"&gt;http://www.packetfactory.net/Projects/ISIC/&lt;/a&gt;.  This tool is awesome – here is the description from the website:&lt;br /&gt;&lt;br /&gt;ISIC is a suite of utilities to exercise the stability of an IP stack and its component stacks (TCP, UDP, ICMP et al.). It generates piles of pseudo-random packets of the target protocol. The packets can be given tendencies to conform to, i.e. 50% of the packets generated can have IP options, 25% of the packets can be IP fragments... But the percentages are arbitrary and most of the packet fields have a configurable tendency.&lt;br /&gt;&lt;br /&gt;We set up ISIC to send random IP packets with random source addresses at the firewall.  While sending packets, WireShark was used to perform packet captures on the internal network.  The capture file was reviewed to determine if the packets that made it through conformed to the firewall rules.  
We ran the test over a weekend (~3.5 days) and it passed, no leaked packets - so we are done, right?&lt;br /&gt;&lt;br /&gt;Maybe for normal network security people, but we are uber security guys – so what's next? Let's just pick on the ports that we know are open and bombard them with packets.  Let's go back to isic and use specific ports and protocols – usually we just started up isic (tcpsic, udpsic), let it run and saw if we noticed anything.  Wow, when hitting one particular UDP port the firewall stops responding completely, and when we stop it goes back to normal.  A little more tweaking in ISIC, playing with IP options (setting the percentages to 100% or 0%), and we found out it's the fragmented packets causing the problem.  Back to our C programming using the libnet libraries, write a quick program, and voila, we have a working program that can cause a DoS on this type of firewall.  Are we done yet? – Are you kidding, firewalls are complex things that have to track a variety of variables, all of which have network attack surfaces – but how much can you get done when you are given a week to test something. 
&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ebraincore.blogspot.com/feeds/6368374972185143640/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=3660690244802655783&amp;postID=6368374972185143640' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/6368374972185143640'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/3660690244802655783/posts/default/6368374972185143640'/><link rel='alternate' type='text/html' href='http://ebraincore.blogspot.com/2007/11/testing-firewalls-ipv4.html' title='Testing Firewalls IPv4'/><author><name>ecore</name><uri>http://www.blogger.com/profile/06735301039984195433</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10623396224886472553'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_YBjZP0h05Z0/Rysliy5Jt9I/AAAAAAAAAAM/d_KhO-52hqI/s72-c/fw.JPG' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry></feed>