COMMAND
Various scanners
SYSTEMS AFFECTED
WinNT platform
PROBLEM
The following is based on a Nomad Mobile Research Centre (NMRC) Lab Report.
The top commercial vulnerability scanners have little to no
security surrounding their licensing, making them excellent
script kiddie tools. These scanners are actively being used by
the underground against targets. Testing was done with the
following configuration:
Platform:
Microsoft NT 4.0 Server and Workstation with SP3 (no additional hotfixes)
Microsoft NT 4.0 Server and Workstation with SP5 (with Csrss, LSA-3, RAS, WinHelp hotfixes)
Products:
Bindview's HackerShield Product Version 1.10.1106, Package Version 11
ISS' Internet Scanner Version 5.8.1
NAI's CyberCop Scanner Version 5.0
WebTrends' Security Analyzer v2.1b
First off, you may ask how NMRC chose the products, and why they
picked some over others. They have limited resources and time, so
they limited testing to a few, and not all, of the vulnerability
scanners out there. They chose only commercial products instead of
freeware, since freeware products by nature have no licensing
protection to test. Arguably, their "scientific" selection of
products was limited, and mainly consisted of two questions --
"What is popular", which got ISS and NAI into the picture, and
"What is currently loaded that we can play with", which landed
them the Bindview and WebTrends products. Each product also had
to have a demo version available for download from the vendor's
web site. After testing started, Security Focus ran a poll on the
most popular network security scanners, and three of the four
choices made the top four. The fourth, NetSonar by Cisco, does
not have a downloadable demo version.
So what was the testing method? Download the eval, install it, and
try to start scanning sites NMRC had no business performing a
vulnerability scan against, and do it within 5 minutes of
installation. NMRC did not test the security of the product once
it was installed. For example, all of these products had access
controls around the installation directories, and most required
local admin access to run them, or at least to take advantage of
all of their features.
Commercial vulnerability scanners all tout themselves as being
more robust, more thorough, and better designed than their
freeware counterparts. The idea is simple -- to stay ahead of the
intruders, you need a powerful tool that can perform assessments
of entire corporate networks with dozens and dozens of
vulnerability checks. To ensure their scanners are the most
thorough and complete scanners available, the larger software
developers of vulnerability scanners have research teams that
scour the Internet for the latest vulnerabilities, and hire
coders to help add checks for these vulnerabilities to their
scanners.
The top scanners are developed for large-scale scanning, and are
capable of looking at thousands of hosts for hundreds of
vulnerabilities. They have a myriad of reporting features, most
have some type of automation, and they are even capable of actual
compromise (through password guessing, file grabbing, etc). NMRC
recently looked at four scanners -- Bindview's HackerShield, NAI's
CyberCop, ISS' Internet Scanner, and WebTrends' Security Analyzer.
All four have the ability to perform detailed and thorough scans
of target systems, each with various reporting capabilities. And
while their intent is to give the corporate or government system
administrator an advantage over the potential intruder by
providing the most comprehensive tool for finding vulnerabilities,
due to the lack of decent security surrounding the demo versions
of these tools, some are being downloaded and (ab)used by the
intruder community.
NAI's CyberCop Scanner
----------------------
Minutes to start scanning : 0
Large-scale Usability : 100%
Favorite feature : CASL (Custom Audit Scripting Language)
There are no target restrictions on this product. Download the
demo from NAI's web site, point it at anything you want, and begin
gathering data. When NAI's technical support line was contacted
(see Appendix A below), NMRC asked whether users were simply on
the honor system, as they could not find any restrictions. The
individual at tech support laughed and said yes, but stated the
download was a limited-time demo of thirty days. NMRC could find
no such time restriction themselves. Large-scale scanning was a
piece of cake
-- simply add in your hosts and start whacking away. Script
kiddie bonus: Hollywood-influenced script kiddies will love the
network mapping features, which allow you to fly around in a
virtual 3D world looking at network nodes. Use only the Trace
Route to Host module to create a nifty 3D model of the network
you plan to compromise.
Bindview's HackerShield
-----------------------
Minutes to start scanning : 2
Large-scale Usability : 95%
Favorite feature : HSMapper, the remote OS identifier that
automatically identified target systems
To keep track of what vulnerabilities were checked against what
systems, and what IP addresses are allowed to be checked,
HackerShield uses a database. Unfortunately, it is an MS Access
database, and the product relies on Access' built-in database
password to protect it. That password is stored in plaintext
inside the HackerShield.exe program, which renders the security
surrounding the database useless. Even if the program did not
leak it, an Access 97 database password is easy to recover from
the .mdb file itself (see Appendix B below). When downloading the
demo version
of the HackerShield program from the Bindview web site, you are
emailed a 5-IP address license that is good for two weeks. The
license file is loaded into the database. Opening the
HackerShield.mdb file in Access (using the recovered password)
allows an intruder to manipulate all of the tables inside,
including the licensing parameters. You can increase the number
of hosts you can scan, the network segments to scan hosts on, and
you can adjust the expiration date. Anyone with basic database
knowledge should be able to make the adjustments fairly quickly.
Large-scale scanning required editing the database first, although
that was not hard to do. Script kiddie bonus: Use the
automation features to schedule scans to run unattended on your
NT workstation. The scheduled jobs can run even if you are not
logged in, as they use a Service User to perform automation.
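To make the point concrete, here is an added example (written for this page, not NMRC's ACC_REC tool and not Bindview's code) that treats the Access 97 password "protection" as a pair of buffer functions: one that stores a password the way Access does, and one that recovers it. The offset (66) and the 13-byte XOR key are the ones the recovery program in the Appendix uses; the sample header, the password "demo" planted in it, and the function names are assumptions made for the illustration. Because the scheme is a fixed XOR with a known key, the same operation both writes and reads the password, which is why the database password cannot protect the license tables.

```c
/*
 * Added example, not code from the NMRC report or from Bindview:
 * the Access 97 (Jet 3.x) database password is stored in the file
 * header at offset 66 as 13 bytes XORed with a fixed key.  The offset
 * and key are the ones ACC_REC (Appendix) uses; everything else here
 * (sample header, "demo" password, function names) is constructed.
 */
#include <stdio.h>
#include <string.h>

#define ACC97_PW_OFFSET 66   /* 0x42: where the obfuscated password lives */
#define ACC97_PW_LEN    13   /* fixed field length, zero padded on the right */

/* Fixed key that Jet 3.x XORs the password with */
static const unsigned char acc97_key[ACC97_PW_LEN] = {
    0x86,0xFB,0xEC,0x37,0x5D,0x44,0x9C,0xFA,0xC6,0x5E,0x28,0xE6,0x13
};

/* Store a password the way Access does: zero-pad it to 13 bytes and XOR
 * every byte with the key.  Returns 0 on success, -1 if the header
 * buffer is too small or the password longer than the field. */
int acc97_set_password(unsigned char *hdr, size_t hdr_len, const char *pw)
{
    size_t pw_len = strlen(pw), i;

    if (hdr_len < ACC97_PW_OFFSET + ACC97_PW_LEN || pw_len > ACC97_PW_LEN)
        return -1;
    for (i = 0; i < ACC97_PW_LEN; i++) {
        unsigned char plain = i < pw_len ? (unsigned char)pw[i] : 0;
        hdr[ACC97_PW_OFFSET + i] = plain ^ acc97_key[i];
    }
    return 0;
}

/* Recover the password into out (room for 14 bytes).  Returns its length,
 * 0 when no password is set (the field then holds the key itself, i.e.
 * the plaintext is all zeros), or -1 if the buffer is too short. */
int acc97_get_password(const unsigned char *hdr, size_t hdr_len, char *out)
{
    size_t i, n = 0;

    if (hdr_len < ACC97_PW_OFFSET + ACC97_PW_LEN)
        return -1;
    for (i = 0; i < ACC97_PW_LEN; i++) {
        unsigned char plain = hdr[ACC97_PW_OFFSET + i] ^ acc97_key[i];
        if (plain == 0)           /* zero padding: end of the password */
            break;
        out[n++] = (char)plain;
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed 128-byte stand-in for an .mdb header (not a real file):
 * the 13 bytes at offset 66 are "demo" followed by zeros, XORed with
 * the key. */
static const unsigned char sample_hdr[128] = {
    [ACC97_PW_OFFSET] = 0xE2,0x9E,0x81,0x58,
                        0x5D,0x44,0x9C,0xFA,0xC6,0x5E,0x28,0xE6,0x13
};

int main(void)
{
    unsigned char hdr[128] = {0};
    char pw[ACC97_PW_LEN + 1];
    int i, n;

    /* Recover the password planted in the constructed header */
    n = acc97_get_password(sample_hdr, sizeof sample_hdr, pw);
    printf("sample header: %s\n", n > 0 ? pw : "(no password set)");

    /* Store a password of our own and show what ends up on disk */
    acc97_set_password(hdr, sizeof hdr, "sekret");
    printf("bytes stored at 0x42 for \"sekret\":");
    for (i = 0; i < ACC97_PW_LEN; i++)
        printf(" %02X", hdr[ACC97_PW_OFFSET + i]);
    printf("\n");

    /* An empty password leaves the key itself in the field */
    acc97_set_password(hdr, sizeof hdr, "");
    printf("empty password stores the key verbatim: %s\n",
           memcmp(hdr + ACC97_PW_OFFSET, acc97_key, ACC97_PW_LEN) == 0
               ? "yes" : "no");
    return 0;
}
```

Compile with any C compiler (for example gcc -o acc97 acc97.c). Against a real .mdb you would read the 13 bytes at offset 66 from the file, exactly as ACC_REC in the Appendix does; the in-memory version above makes it easy to see that "no password" is stored as the key itself and that anyone holding the key can both read and rewrite the field.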
ISS' Internet Scanner
---------------------
Minutes to start scanning : 1
Large-scale Usability : 95%
Favorite feature : Can run in command line mode if properly coaxed.
Downloading ISS' Internet Scanner allows you to demo the product
in localhost mode. To use the scanner against network targets
requires a key. To give the appearance of sophisticated
encryption, the key looks similar to a PGP public key, with
"-----BEGIN ISSKEY5----" at the beginning of the key and
"-----END ISSKEY5----" at the end of the key. Between these lines
are a series of lines of "secret cipher text". The encryption used
here is fairly obviously weak (the product is U.S. exportable),
and because the scheme is symmetric, the same secret that
generates a key must also be present in the scanner to verify it,
so anyone with the binary has what is needed to forge keys. It has
apparently been broken to some degree: a quick search in AltaVista
using the key words "keygen" and "iss" should reveal the program
that a number of Russian and Eastern European hackers have been
making use of for months. Large-scale scanning was easy to set up,
but was dependent on the key generated with the keygen program.
New class Bs and Cs to target required new keys. Script kiddie
bonus: Print detailed reports with exactly how to correct the
problems and leave them behind at cracked sites for the poor
admins to use (ISS has excellent reporting capabilities). In fact,
replace the index.html with the generated HTML report you used
to attack the site. Probably would be much more interesting than
most web defacements anyway.
Webtrends' Security Analyzer
----------------------------
Minutes to start scanning : 18
Large-scale Usability : 0%
Favorite feature : Had a vulnerability test for the HackerShield
service user NMRC reported on recently.
Security Analyzer was quick to set up and get going, but the web
demo version is hard-wired for localhost. NMRC decided to give it
a whirl anyway, especially after discovering that the "localhost"
hard wiring simply grabbed the address of the first configured
adapter. NMRC added an adapter with the address 10.10.10.10 and
deleted and reconfigured adapters until Security Analyzer grabbed
that one first. Once that was done, locally loaded proxy software
or software that does NAT (Network Address Translation) redirected
traffic destined for 10.10.10.10 to outside sites, so hosts NMRC
did not own could be scanned. NMRC did go over their 5-minute
goal, and was only able to scan one host at a time. Scanning a new
host required proxy/NAT reconfiguration each time, which was very
time consuming considering that three other scanners allowed much
more freedom. Therefore large-scale scanning was simply
impractical for their purposes. WebTrends had also put a 14-day
limit on the trial version, which worked as advertised. NMRC did
not try to defeat this limit.
If you are a system administrator, please bear in mind that using
one of the commercial scanners does not give you any tactical
advantage over the intruders you are trying to keep out of your
systems. When one of these commercial vendors states that their
tool lets you see your systems the way a potential intruder does,
they are not kidding. It is true (as stated in ISS' response) that
these software packages will leave footprints on systems. This can
be a blessing and a curse. If you have an "outer perimeter"
computer system that you scan with CyberCop (leaving a footprint)
and it is compromised, the intruder can see what is used to test
the security of the system, and could conceivably turn that
against you by starting a general mapping of your internal systems
using CyberCop. It is also possible that a sys admin will overlook
the intruder's CyberCop footprints, thinking they are his own.
Appendix
--------
This program will end the lame Access password recovery shareware
industry.
/*************************************************************************
ACC_REC - Access 97 Password Recovery
Written by Simple Nomad [thegnome@nmrc.org] 17Sept99
http://www.nmrc.org/
Compile using DJ Delorie's excellent port of the GNU compiler, which is
available from http://www.delorie.com/
Thanks to Yan for pointing us to the sekrit string!
*************************************************************************/
/* includes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memcmp */
#include <ctype.h>    /* isprint */

/*
 * Main program....
 *
 * An Access 97 (Jet 3.x) database password sits in the file header at
 * offset 66 (0x42) as 13 bytes XORed with the fixed "sekrit" key below.
 * Recovery is a single XOR pass. If the stored bytes equal the key
 * itself, the plaintext was all zeros, i.e. no password is set.
 */
int main(int argc, char *argv[])
{
   FILE *fDatabase;
   int i;
   unsigned char recover[13];
   unsigned char password[13];
   unsigned char sekrit[13]={0x86,0xFB,0xEC,0x37,0x5D,0x44,0x9C,0xFA,0xC6,0x5E,0x28,0xE6,0x13};

   /* Say hello... */
   printf("ACC_REC - Recover the password for Microsoft Access databases\n");
   printf("Comments/bugs: thegnome@nmrc.org\n");
   printf("http://www.nmrc.org/\n");
   printf("1999 (c) Nomad Mobile Research Centre\n");
   printf("Database filename must be in 8.3 format\n\n");
   if (argc!=2)
   {
      printf("USAGE: acc_rec <database>\n\n");
      printf("EXAMPLES:\n");
      printf("   acc_rec secretz.mdb\n");
      exit(-1);
   }
   fDatabase=fopen(argv[1],"rb");
   if (fDatabase == NULL)
   {
      printf("Unable to open database file %s.\n",argv[1]);
      exit(1);
   }
   /* Seek to the obfuscated password field and read all 13 bytes */
   if (fseek(fDatabase,66,SEEK_SET)!=0 || fread(recover,1,13,fDatabase)!=13)
   {
      printf("%s is too short to be an Access database.\n",argv[1]);
      fclose(fDatabase);
      exit(1);
   }
   fclose(fDatabase);
   /* Stored bytes identical to the key means the password is all zeros */
   if (!memcmp(recover,sekrit,13))
   {
      printf("There is no password set for database %s\n",argv[1]);
      exit(0);
   }
   /* XORing with the fixed key undoes the obfuscation */
   for (i=0;i<13;i++) password[i]=recover[i]^sekrit[i];
   printf("The password is - ");
   for (i=0;i<13;i++)
   {
      /* unused positions decode to 0x00, which is not printable */
      if (isprint(password[i]))
         printf("%c",password[i]);
   }
   printf("\n");
   return 0;
}
SOLUTION
There is no solution or workaround. This is the old "please Dan,
don't release Satan" argument. NMRC is happy to see that there
are commercial vulnerability scanners with fine research behind
them. NMRC is also happy that users can download demo products
to test before they buy. Just bear in mind these tools can and
more importantly ARE being used by the underground (which is the
main reason we are releasing this paper). If you are using an
IDS, you might want to make sure it can detect some of the more
exotic exploits these products can produce, especially if these
exotic exploits actually compromise systems or perform DoS
attacks. If you have adjusted your IDS to ignore certain patterns,
for example a standard ISS scan, then perhaps you should review
those rules.
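As an added illustration of that last point (example code written for this page, not part of the NMRC report or of any vendor's product), the block below runs two IDS rules over a few constructed sensor log lines: one suppresses every event that matches a scanner signature, the other suppresses it only when the source is the administrator's own scanner host. The log format, the signature name "iss-scan", and every address in it are assumptions made up for the illustration.

```c
/*
 * Added example, not code from the NMRC report: the difference between
 * an IDS rule that ignores "a standard ISS scan" wherever it comes from
 * and one that ignores it only from the administrator's own scanner.
 * The log format, signature name "iss-scan" and every address below are
 * constructed for this illustration.
 */
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 32

struct event {
    char src[MAX_FIELD];   /* source address of the probe */
    char sig[MAX_FIELD];   /* signature the sensor matched */
};

/* The one host the administrator really scans from (hypothetical) */
static const char *authorized_scanner = "10.1.1.5";

/* Parse a constructed sensor line of the form
 *   "Jul 12 03:14:22 sensor ids: sig=<name> src=<addr> dst=<addr>"
 * Returns 1 if both fields were found, 0 otherwise. */
int parse_event(const char *line, struct event *e)
{
    return sscanf(line, "%*s %*s %*s %*s %*s sig=%31s src=%31s",
                  e->sig, e->src) == 2;
}

/* Rule as commonly tuned: suppress anything carrying the scanner
 * signature.  An intruder using the same product is suppressed too.
 * Returns 1 to alert, 0 to ignore. */
int alert_signature_only(const struct event *e)
{
    return strcmp(e->sig, "iss-scan") != 0;
}

/* Rule keyed on source as well: the scanner signature is suppressed
 * only when it comes from the authorized scanner host. */
int alert_signature_and_source(const struct event *e)
{
    if (strcmp(e->sig, "iss-scan") == 0 &&
        strcmp(e->src, authorized_scanner) == 0)
        return 0;
    return 1;
}

/* Run a rule over newline-separated log text; returns the number of
 * alerts raised, or -1 if a line is too long or does not parse. */
int count_alerts(const char *log, int (*rule)(const struct event *))
{
    char line[256];
    const char *p = log;
    int alerts = 0;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        struct event e;

        if (len >= sizeof line)
            return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (!parse_event(line, &e))
            return -1;
        alerts += rule(&e);
        p = nl ? nl + 1 : p + len;
    }
    return alerts;
}

/* Constructed sample: the admin's own scan, an outsider running the
 * same scanner against the same target, and an unrelated probe. */
static const char sample_log[] =
    "Jul 12 03:14:22 sensor ids: sig=iss-scan src=10.1.1.5 dst=10.1.1.20\n"
    "Jul 12 03:40:07 sensor ids: sig=iss-scan src=192.0.2.77 dst=10.1.1.20\n"
    "Jul 12 03:41:15 sensor ids: sig=other-probe src=192.0.2.77 dst=10.1.1.20\n";

int main(void)
{
    printf("signature-only rule:       %d alert(s)\n",
           count_alerts(sample_log, alert_signature_only));
    printf("signature-and-source rule: %d alert(s)\n",
           count_alerts(sample_log, alert_signature_and_source));
    return 0;
}
```

The first rule is what "ignore a standard ISS scan" usually turns into, and it hides the outsider's scan along with your own; keying the exception on the authorized source address keeps the suppression where it belongs.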