Security Art Work

(Update 20/feb/2013: New signatures added)

As many of you probably know, Mandiant has issued a report accusing the Chinese People’s Liberation Army of being behind the attacks that different companies, both American and other nationalities, have been suffering in recent years.

The report, which is accessible from its website, provides a variety of technical details and the body of evidence supporting the theory that the Chinese government is actually behind the attacks, as has been advocating for the past years. Although some security experts point to analytical flaws in the study by Mandiant (Mandiant APT1 Report Has Critical Analytic Flaws), I think that there is no doubt that China has cyber espionage programs via the Internet. Does that surprise you? Just as no one should be surprised, as pointed out by @antoniosanzalc on Twitter, that other militar powers such as Israel and U.S. have in place cyber espionage programs. Indeed, one might almost say that it would be unwise not to.

Returning to Mandiant report, annexes show information that could help identify infected systems or organizations, either by connecting to DNS systems, use of SSL certificates or other. Although it is possible that after the publication of the report —provided that the information and conclusions of Mandiant are true— the systems and resources used in the attacks are reduced drastically, based on the information of the annexes we have created a set of Snort signatures that can help identify circumstances and suspicious connection destinations, which can be downloaded from the link below.

Snort signatures from the Mandiant report: apt1-unit68398.rar

The signatures are based in the Mandiant Report annexes, and have been developed by S2 Grupo Security Area and more specifically by Roberto Amado and Raúl Rodriguez. To send any comments, questions, information or requests, use the comments or contact us at admin@securityartwork.es.

Please note that we are not responsible for any undesirable consequences (increased alerts, etc.) that may cause the signatures provided. Your use of the signatures is at your sole risk.

A few days ago we published a new challenge in this blog. We need to get the exact point where the gang was going to meet, using one file that had been sent by one of the gang’s member and two SMS saved in the mobile phone of another gangster recently arrested. In this post we are going to explain the solution :)

If we analyse the captured file, we can see it is an encoded text in base64, but if we do the decoding, we get a new encoded file in base64. To solve this, we have to focus on the first SMS, that said: “Recuerda, la quinta es la importante.”, that translates to: “Remember, the fifth is the important.”, what means we have to decode five times to get the original file. So, the only thing we have to do is decode the files until the fifth decoding.

With previous steps we get the following GIF image: a Barcelona street map (city what can be easily identified because of the “Sagrada Familia”).

Now, if we try “Barcelona” in the first validator we see that we open the file and get the solution for the first part of the challenge.

If we analyse a little bit more this image, the only thing we can find is a comment what says there is nothing more around here, what means we have to keep searching in other place ;)

The next part of the challenge focuses in the content of the second SMS. It said: “Te esperamos en:uÖ%äFeM!”, that translates to: “We will wait you in:uÖ%äFeM!”. It seems to point us to the exact address of the meeting. The problem lies in the text “uÖ%äFeM!”, because it does not look like a usual codification.

The clue in this case is the fact that we are working with an SMS text message. This messages use the GSM 3.40 specification, that establishes that the text messages will be encoded using PDU format.

Studying this format, we see the text characters are encoded with 7 bits instead of 8 in order to send longer messages. In the next image we can see how this codification works.

On the Internet, there are some sites which allow encode/decode PDU messages, thus using one of these (for example http://twit88.com/home/utility/sms-pdu-encode-decode) and getting the PDU codification of the second message, we get the hexadecimal chain “756E696F2C3743” (extracting the parts we don’t need: SMSC number, receiver’s number, length message, etc.). Decoding it to ASCII we get “unio,7C”. Now trying this result as a password in the second validator we can open it and check out the name of the address and the number where the meeting will be, getting the challenge solution :D

In this point concludes the solution for the challenge. Like always, congratulations to those people who solved the challenge and those who did not, I hope you have had a great time trying it ;)

During a recent audit I wanted to try the strongness of the passwords used and I tried a simple dictionary attack against the login form of Joomla! just in case there was any account with one of those weak passwords. The form was as follows:

The method pointed by Rafa in is post: THC-Hydra: Obtaining user credentials by brute-force is fully valid for simple forms but in this case we can’t use it. If you look at the form HTML code we see that in addition to the parameters username and passwd, it has a hidden field that changes in each session. Let’s see the code:

We can see that the last field, which has a value of 1, consists of 32 hexadecimal digits that are generated every time, so we can not know a priori its value and include it the request for THC-Hydra. The petition using the above tool would be something (security parameter remarked in bold):

$ hydra -l admin -p admin1234 <server> http-post-form "/index.php:username=^USER^&
passwd=^PASS^&lang=&option=com_login&task=login&d0da78038c5132dcd84f11a4ddc83ed3=1:no 
encontrados"

However, it will not work because the generated code is different every time, so the result will be a message “Invalid Token“. Because of this, and after several unsuccessful attempts trying to retrieve and include unsuccessfully that value in the THC-Hydra request, I jumped to nmap to see if there was any script that could help me in this situation.

Indeed, after searching for information on Google I found a script that seemed to do what I wanted: http-joomla-brute. I checked código“>the code and I saw that it was using the parameter “security token” to build the request, so I figured it would work in this situation.

[...]
if response.body then 
	_, _, security_token = string.find(response.body, '<input type="hidden" 
                                           name="(%w+)" value="1" />') 
end 
if security_token then 
	stdnse.print_debug(2, "Security Token found:%s", security_token) 
else 
	stdnse.print_debug(2, "The security token was not found.") 
	return false 
end 
[...]

The above code searches the token in the form returned by the server and stores it in security_token, that will be used later to send the POST. Therefore, in case that the form includes this kind of safety mechanism we could use nmap as follows:

$ nmap -p80 --script http-joomla-brute --script-args 'userdb=user.txt,passdb=~/john-1.7.9/run/
password.lst,http-joomla-brute.hostname=,http-joomla-brute.threads=3,
brute.firstonly=true' <server>

Starting Nmap 6.00 ( http://nmap.org ) at 2013-01-30 14:49 CET 
Stats: 0:07:45 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan 
NSE Timing: About 0.00% done 
Stats: 0:09:06 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan 
NSE Timing: About 0.00% done 
Nmap scan report for <server> (192.168.XXX.XXX) 
Host is up (0.0038s latency). 
PORT   STATE SERVICE 
80/tcp open  http 
| http-joomla-brute: 
|   Accounts 
|     No valid accounts found 
|   Statistics 
|_    Performed 3546 guesses in 605 seconds, average tps: 5 

Nmap done: 1 IP address (1 host up) scanned in 604.97 seconds 

I hope it helps you and saves some time since I spent some time with THC-Hydra trying the tool to take that parameter automatically. However, if anyone knows another way to do this please say it in the comments.

After a while without proposing any challenge, we return with our research team, which believes to be really close to know the next gang’s meeting point that they have been investigating for the last few months.

Thanks to the last actions performed, our team got the following file: captured_file, which despite being coded, seems to provide the location about the place where the next exchange will be carried. In addition, in the arrest of one of the members who was going to participate in the exchange, the team got a mobile phone that had only two SMS in its memory.

[Read more…]

(Please note this post was published last 4th february 2013 in the Spanish version of Security Art Work. See original post: THC-Hydra: Obtener credenciales de usuario por fuerza bruta)

THC-Hydra is a software used to crack login systems of different services such as HTTP, FTP, TELNET, IMAP, SMB, SSH, etc. in a very easy and fast way. Its latest version (7.4.2) was released last 7th January.

This tool has earned a great reputation thanks to its console mode both in Linux and Windows systems (also offering Linux users the option to use a graphical interface) and the possibility to execute the attacks using threads, giving the user the option to choose the number of threads used to perform the attack.

[Read more…]

A Darknet is a portion of network, a certain routed space of IP Addresses in which there are no active servers o services. I.e., externally no packet should be directed to that address space.

Therefore, any packet entering a Darknet should not be legitimate. It could reach it due to errors such as poor security policies or poor configuration (such as broadcast messages sent to a segment to which the issuer doesn’t belong). However, most of these packages would be associated to some action by a suspicious malware (see Responding to Zero Day Threats) or attacker who is in our network actively searching vulnerable devices.

If we install within our Darknet a server that collects, analyzes and processes the traffic entering it, it would help us to gather more information on the anomalous traffic / malware that may be circulating in the network infrastructure of our organization. This will allow us to reduce the number of false positives, detect attacks in real time and new attack trends making use of forensic analysis of the Darknet traffic.

We can monitor, among others, some strange behaviours, such as (see Aprendiendo del enemigo – Spanish) :

• Suspicious traffic grouped by ports (TCP, UDP, ICMP, etc.) or related to certain services (SSH, FTP, WEB, etc), brute force attacks against services, scanning, DoS attacks, etc..
• Specific attacks that use spoofing techniques.
• IP addresses and domains blacklisted.
• Certain patterns generated by malware (scans, increased traffic, unavailability of service, spread of worms, bots, etc.).
• Botnet identification patterns inside and outside of P2 networks.
• Possible malicious traffic to external networks
• New attack trends.

From the project “The Darknet Project” by Team Cymru, we have a couple of practical examples of anomaly detection thru monitoring traffic from a Darknet. For example, we know that there are bots that exploit open shares of Microsoft Windows 2000. A common feature of such bots is the scanning of systems listening on port 445/TCP, and looking at the monitoring tools integrated in the collector server of the Darknet we can detect whether there has been a scan to the 445/TCP. Be this confirmed, it would be a warning as packets detected within the Darknet are not legitimate.

Another practical example is about the Slammer, which performs a DoS attack to SQL servers by sending multiple files with the worm code to port 1434. One symptom of the presence of Slammer is the significant increase in network traffic through UDP port 1434 (SQL Server Resolution Service Port). Detecting this in our Darknet would be a warning about the possible presence of the worm in our network.

In short, collecting data on all traffic will allow us to analyze patterns of interest and subsequently automate the entire process through an IDS installed (e.g.) on our collector server.

Before creating a Darknet in our organization it is important to consider, among others, these two aspects:

• Define the characteristics of the network (topology, scope, visibility).
• Define hardware and software to install, taking into account what type of data we want to collect, how we want to process it (traffic capture tools, traffic analysis tools, possibility of implementing honeypots, etc.) and the financial budget we have.

Creating a Darknet

• The first step in the deployment of a Darknet is to place it in a right place, so you should choose a segment(s) of network IP addresses that will be routed to it. We recommend using an address space of at least /24 (the higher the reserved space the higher the visibility achieved).
• The next step is to reserve physical and logical space for the Darknet. As Team Cymru points, you should not put a Darknet in the same collision domain or VLAN than other subnets; the objective of the Darknet is to supply us with reliable data, so it is important to avoid “poisoning” the Darknet with legitimate traffic nor is recommended to put the IP of the Darknet publicly visible on our DNS.

The CLCERT brings a darknet proposal would be similar to the following architecture (see Diseño e implementación de una Darknet para monitoreo de la red en Chile – CLCERT – Spanish):

• Darknet Router : configured to forward all content that enters the Darknet. It will forward incoming traffic to the server collector of the Darknet. The router must be configured to accept only inbound traffic (traffic input) directed to Darknet, but not the inverse (output traffic). It must alert when it detects outgoing traffic from the Darknet (in this case, we have a ‘black hole’-type Darknet) since all traffic in the Darknet, as mentioned, is not legitimate. The router also must be configured for SNMP to provide traffic statistics —using tools such as MRTG— because new malware can be easily detected solely on the traffic statistics of the interface darknet.
• Collector Server: This server will be connected to the Darknet and will analyze the traffic received. It would be interesting to install an IDS, a protocol analyzer, log analysis tools, and you can even think about implementing some type of honeypot, depending the installation of these tools on the type of analysis and processing that you want to perform.
• Administrative Network: Network especially secured since it will continuously receive malicious traffic. It will also process the data received from the collector server, and generate statistics and reports on detected traffic.

In short, and since all traffic on the Darknet is potentially suspicious, it can be very useful to detect malicious traffic or device configuration anomalies in our organization.

If you are interested to pursue the subject, there are several projects related to darknets (also known as network telescopes; see Darknet y telescopios de red – Spanish) at a big scale whose main objectives are the monitoring of network traffic activity and detection of new trends in Internet:

• Internet Motion Sensor (IMS)
• CAIDA
• The Darknet Project (Team Cymru), previously mentioned
• ISINK (Internet Sink)
• The IUCC/IDC Internet Telescope
• IBN (Internet Background Noise)
• Shadowserver

In previous posts we saw a practical approach to the concept of auditing in general (currently only in Spanish) and then we discussed internal audits or first-party audits (currently only in Spanish). Let’s take now a leap, leaving the second-party audits for the next post and go directly to the third-party, external or certification audits.

Third party audits are carried out by certification authorities at the request of an organization. Its main purpose is to certify compliance with the requirements of a specific standard with the purpose to include the audited organization in a register or list of certified organizations. They are performed on a annual basis and, with some exceptions established by law, every organization, public or private, is free to choose to go through a certification process or not.

External audits are more centered in checking the efficacy in the way stated by the standard without getting into, usually, in issues related to efficiency and resource management. As we saw in the first-party or internal audits, the objectives are very different; in theory in an external audit it could be approved the use of cannons to kill flies.

As seen in the first post (currently only in Spanish) of the serie, for an audit to be carried out there are three essential ingredients:

• High degree of preparation and training in auditing techniques along with good technical knowledge of the activities to be audited (aptitude).
• Enough time, both a) prior to field work to prepare the site audit as well to b) carry it out in its entirety and then to document the results in a complete audit report appropriate to the objectives of the audit.
• Professional pride (attitude).

These three ingredients are necessary but not sufficient by themselves and this applies to internal audits, second and third party audits. With missing only one of them the result of the audit may have limited value or even be useless.

From the point of view of the degree of training and experience of auditors, the processes and criteria used by certification bodies for qualifying auditors are often too lax in my opinion, since no previous great experience is required usually to audit a specific activity. Unfortunately, you may find auditors that are not experts in the activity they must assess, or that they have excessive bias towards those standards they know further. At the other extreme, it is noteworthy that there are auditors with extensive experience and knowledge that make audits a process that can be very profitable for the audited organization.

On the other hand, as we have already said in this blog, certification bodies face the target in a way contradictory to get new customers and keep the ones they have, while having to maintain a certain rigor in audits, what can make them to lose customers. Moreover, the current crisis has in many cases led to price discounts (and consequently to the number of days necessary established by the national accreditation bodies) that give auditors less time than the necessary to carry out their work.

On bad sized audits (I dare to say that almost always auditors would like to have more time than they usually have) and auditors that do not audit we discussed in this blog a few months ago so we will not extend.

To finish this post, indicate that one of the benefits that are attributed at the time to certification audits is precisely to provide confidence to lay the foundation of a solid business relationship and mutually beneficial relationship with certified suppliers. This would save both customers and suppliers dedications and costs associated with the second party audits, since it was assumed that a certified company had gone necessarily through an external audit. Objective not accomplished. I know of no single organization that was previously doing audits of its suppliers and that stopped to do so simply because the provider had achieved some sort of certification. That is: in practice, third party audits have failed to reduce the number of second party audits, just as expected.

Long life for the second party audits. Moreover, while this powerful technique of selection and performance monitoring of strategic suppliers is not well known nor is so widespread (excepting large corporations), the second party audit is of great interest, as it is shown it can provide high benefits in terms of improvement of the standards of quality and safety (and therefore costs).

The next post will be dedicated to that interesting and powerful management tool that are second party audits.

In the previous post we considered the theoretical cost and feasibility of scanning all Internet IP addresses and it resulted to be very low. Therefore, we decided to conduct a little experiment: see if it was possible to scan the entire Internet, of course without doing anything harmful.

While the action may not be completely harmless (some may have IDS complaning), we have tried to do the experiment as innocuous as possible. In this sense, the safest action we thought was to launch a ping (ICMP echo) to each and every one of the Internet IP addresses. Although we have sent just a single packet per IP, we messed the scans to prevent a network receiving a high number of consecutive packets.

To do so we prepared two threads, in which work I have had the invaluable help of Nacho López, an experienced C programmer. The source code of ping could have been a good source of inspiration also:

Envia_echo-icmp ()
Recibe_echo_icmp ()

The process works in stateless mode: one thread sends the packets blindly, and the second one simply writes down the response packets received, so the connections do not consume any amount of memory.

The increased complexity came from the disk storage resources; it was necessary to adjust well and program the threads considering the disk performance, so the results received were not lost. After 10 hours, we got the following results:

Ping overall results answered: 284,401,158 IP addresses responded to the ping, i.e. 7% of systems. Graphically:

If we group the results in /8 networks we see the following percentages:

Grafically:

We need to keep in mind that we have scanned the entire address space without deleting reserved private addresses or networks. Obviously we see that the reserved addresses do not answer, which fits with what IANA says about the reserved networks.

We have also grouped the number of pongs that each /24 (class C) network has answered, so we can see the density level of IP addresses in these networks: From many C class networks did we receive 20 pongs?

Grafically:

We can see that many networks do not answer anything, mainly because they are reserved networks. Also, there are blocks with many IPs answering.

We have also performed the analysis on the least significant byte of the IP address, taking into account that we have treated them as if they were all normal IP addresses. It is clear that IP addresses finishing in .0 and .255 reply to the ping to a lesser amount. On the other hand we can also see that the IP ending in .1 is the one most answering the pings, because it usually corresponds to the router, and from there to inside the traffic is usually filtered. This can be seen by comparing the X% with the average. We see also some stripes corresponding to networks /25, /26, /27, etc.

Grafically:

Obviously from the number of answers it is not possible to draw conclusions about the density of IP population, as they may be conveniently filtered.

The % of IP addresses answering to ping seems reasonable, given that it is logical that the external equipment answers to this protocol to aid troubleshooting. It is also normal that many others do not answer, but in any case IPv4 does not appear to be so saturated as usually it is said.

This experiment is a proof of concept of how easy it is to make a global action against all Internet, with almost no cost, short time and basic knowledge. We can see that it would be possible to scan a TCP port, or even do some intrusion attack globally (always stateless), for which any UDP attack could be very effective (as it did with slammer). In any case these actions are and would be considered as attacks, so as expected we will not go further and evolve this project.

Probed that IPv4 is really small, we have another argument to answer the usual question: Why would somebody want to attack me? With IPv6, the attack vector is many orders of magnitude higher, preventing scans “so brute”.

Curiously, we did not have any counter response, or received hostile activity in response. However, we were receiving traffic from a server that sent us the pong for hours continuously and repeatedly (DUP!), we think that due to a IP error that we could not determine.

Although the experiment has been the most innocuous and harmless we could thought about, during the experiment we have received some complaints from organizations related to the the scan. However, taking into account the number of “attacked” sites, the complaints have been few and the hosting provider that received the pings acted in any case time communicating the complaint after the end of the experiment, which shows that such a global attack would be really unstoppable.

With the extracted data more interesting analysis can be done, that we leave for next entries, such as the issue with network and broadcast addresses (.0 and .255). I hope you liked the experiment, and in any case I apologize if I annoyed you with my ping.

After reading @chemaalonso‘s post about DHCP Ack Inyector, I remembered my college years back in 2005 when you just needed to go to the library, plug-in your laptop to the network and voilà, just “listening” network traffic you saw all those vulnerable or misconfigured protocols such as STP, HSRP, DTP, etc..

Not only that. There wasn’t any type of control over the information the users could send, and using tools such as Gobbler, dsniff, ettercap, yersinia, etc., you could perform any man-in-the-middle attack. The most interesting part was that the networking devices used for traffic management were almost entirely Cisco. I.e. devices fully able to control and mitigate virtually most of these attacks, but that were configured to perform basic networking functions: routing, VLANS, ACL, QoS, etc. Either because of ignorance or carelessness, they were not being taken the performance that actually justified his acquisition.

Over time I have realized that this situation is quite common: it is really hard to find a company with strict configuration policies to secure the local network environment. I personally think that many organizations are unaware of the damage that a disgruntled employee could do in a network “poorly controlled”. Without using any sophisticated tools like Loki or Yersinia, it is possible to bring down an entire network with just a couple of packets. Using Scapy, you can perform MitM using ARP / DHCP / VRRP / HSRP or without much effort even more entertaining things like getting a pool of shells with Metasploit browser_autopwn and etterfilters.

[Read more…]

(Check the result of this experiment in the second part of this post: The result of pinging all the Internet IP addresses)

Internet, the World Wide Web. All modern organizations in the world are connected to the Internet. A large number of people have Internet access, at work, in the homes and on the mobile device.

This can make us think we’re talking about a vast range of addresses within which attackers can focus their attacks in a given organization. For now we will take the entire Internet address space of IPv4. When deployed IPv6, this will change and there will be an added level of complexity.

Let’s suposse we want to carry action against all the Internet addresses? Would it be viable? How much would it cost? Technical resources? Physical resources? Time? Money? Let’s do some maths and maybe then do a little experiment. To begin, we assume the following scenario:

• We want to do a ping (ICMP ECHO) to each and every one of the Internet IP addresses.
• We store the result of whether they have responded to ping or not (if they have made pong).

Here are some calculations:

How many IP addresses are there?

256^4 = 4,294,967,296, i.e. approx. 4 billion addresses.

How much bandwidth is consumed by a ping?

• In our case we will consider as 58 bytes per ping.
• Let the bandwidth necessary to ping all the Internet: 256^4 * 58 bytes = 232 GB.

If we store the response with only one bit per address it would take 512 MB. If for processing convenience we store one byte per response it would take 4GB.

Considering a bandwidth of 50 Mbit/sec we would finish the scan in approx. 10 hours.

Technical skills required: We need a program with two threads: one that continuously send packets blindly, and another that receives responses in a stateless manner (there is similar software for TCP scans called scanrand).

Technical capacity: Any person with some knowledge of sockets in C, looking at ping.c, could do this program.

Power required: With an average PC is more than enough. In our experiments we have done it without problems with a Dual-Core 2.66Ghz 4GB of RAM and a 100Mbits internet connection.

Cost of equipment and connection: In any known hoster it can cost 30 EUR per month. In server usage percentage it would be 0.42€.

So anyone with knowledge in C programming and 30 Euros can make a massive, global action to all Internet addresses in less than 10 hours. Another example that just by being connected to the Internet you can receive an attack (spanish link). In the history of Internet there have been many worms that have indiscriminately attacked all the Internet addresses. The networks of today and the power equipment can turn local problems into global incidents within minutes. A famous example of this was the SQL Slammer worm that in just under 10 minutes got Internet crashed, taking advantage of a vulnerability attacked with a single UDP packet of 376 bytes.

So, it is clear that the Internet is a very, very small place, and you have to be really well protected. As seen, just being on the Internet makes you an indirect target of global and automated attacks. And not being on the Internet is no longer an option.

In the next post we will see the result of implementing this theoretical exercise. To do so, we decided to make a simple and benign ping against all Internet IP addresses. While it is true that a ping can be the first step to a more sophisticated attack, this is not (obviously) the intention of this experiment. Furthermore, that ping can show us the filtering level or the population level of Internet IP ranges what may have some academic interest.

Do not miss the next post where we will describe the results of the experiment. What technical problems we encountered ? How many pongs we received? And complaints? Any counterattack? What networks do answer more?