_______________________________________________________________________________

                        Nomad Mobile Research Centre

                          L A B   R E P O R T

             "Crackers and Commercial Vulnerability Scanners"

                                   or

   "I'm a lame cracker and can't get BASS to compile, how can I download
    a commercial vulnerability scanner and start checking the entire
    Internet in 5 minutes?"

                               www.nmrc.org

                     Simple Nomad [thegnome@nmrc.org]

                                 11Oct1999
_______________________________________________________________________________


Synopsis
--------

The top commercial vulnerability scanners have little to no security
surrounding their licensing, making them excellent script kiddie tools.
These scanners are actively being used by the underground against targets.


Tested configuration
--------------------

Testing was done with the following configuration:

Platform: Microsoft NT 4.0 Server and Workstation with SP3 (no additional
          hotfixes)
          Microsoft NT 4.0 Server and Workstation with SP5 (with Csrss,
          LSA-3, RAS, WinHelp hotfixes)

Products: Bindview's HackerShield Product Version 1.10.1106, Package
          Version 11
          ISS' Internet Scanner Version 5.8.1
          NAI's CyberCop Scanner Version 5.0
          WebTrends' Security Analyzer v2.1b


How We Selected and Tested
--------------------------

First off, you ask how we chose our products, and why we didn't choose some
over others. Well, we have limited resources and time, so we chose to limit
testing to a few, and not all of the vulnerability scanners out there. We
chose only commercial products instead of freeware, since the freeware
products by nature offer no security features themselves. Arguably, our
"scientific" selection of products was limited, and mainly consisted of two
important questions -- "What is popular", which got ISS and NAI into the
picture, and "What is currently loaded we can play with", which landed us
Bindview and WebTrends products. They also had to have a demo version
available for download from their web site.
After we had started testing, Security Focus (http://www.securityfocus.com/)
ran a poll on the most popular network security scanners, and three of our
four choices made the top four. The fourth, NetSonar by Cisco, does not have a
downloadable demo version.

So what was the testing method? Download the eval, install it, and try to
start scanning sites we have no business performing a vulnerability scan
against, and do it within 5 minutes of installation. We did not test the
security of the product once it was installed. For example, all of these
products had access controls around the installation directories, and most
required you to have local admin access to run them, or at least to take
advantage of all of their features.


Why We Did This
---------------

We had heard of hackers using commercial vulnerability scanners to map out
networks before they were compromised, plus we found traces of an ISS scan on
a host that should not have had ISS run against it, and wondered who did it.
When we determined who had done it, we could not believe someone so lame
could figure out the security surrounding ISS, and hence.....


Products Background
-------------------

Commercial vulnerability scanners all tout themselves as being more robust,
more thorough, and better designed than their freeware counterparts. The idea
is simple -- to stay ahead of the intruders, you need a powerful tool that
can perform assessments of entire corporate networks with dozens and dozens
of vulnerability checks. To ensure their scanners are the most thorough and
complete scanners available, the larger software developers of vulnerability
scanners have research teams that scour the Internet for the latest
vulnerabilities, and hire coders to help add checks for these vulnerabilities
to their scanners. The top scanners are developed for large-scale scanning,
and are capable of looking at thousands of hosts for hundreds of
vulnerabilities.
They have a myriad of reporting features, most have some type of automation,
and they are even capable of actual compromise (through password guessing,
file grabbing, etc).

NMRC recently looked at four scanners -- Bindview's HackerShield, NAI's
CyberCop, ISS' Internet Scanner, and WebTrends' Security Analyzer. All four
have the ability to perform detailed and thorough scans of target systems,
each with various reporting capabilities. And while their intent is to give
the corporate or government system administrator an advantage over the
potential intruder by providing the most comprehensive tool for finding
vulnerabilities, due to the lack of decent security surrounding the demo
versions of these tools, some are being downloaded and (ab)used by the
intruder community.


Legality Note
-------------

Using these commercial products without paying for them, or altering or
bypassing any licensing restrictions, is illegal. Of course one would assume
that any potential intruder getting ready to commit an illegal intrusion into
someone else's computer system is probably going to disregard the licensing
restrictions of most commercial software, including vulnerability scanners.
We are not advocating you download and point a demo product at a .mil site
just to see if it works. This is more than port scanning, which for the most
part is legal. The Denial of Service and file-grabbing features alone of some
of these products could land you in jail if you are not careful.


NAI's CyberCop Scanner
----------------------

Minutes to start scanning : 0
Large-scale Usability     : 100%
Favorite feature          : CASL (Custom Audit Scripting Language)

There are no target restrictions on this product. Download the demo from
NAI's web site, point it at anything you want, and begin gathering data. When
NAI's technical support line was contacted (see Appendix A below), we asked
if we were on the honor system as we could not find any restrictions.
The individual at tech support laughed and said yes, but stated the download
was a limited time demo of thirty days. We could find no such time
restriction ourselves.

Large scale scanning was a piece of cake -- simply add in your hosts and
start whacking away.

Script kiddie bonus: Hollywood-influenced script kiddies will love the
network mapping features, which allow you to fly around in a virtual 3D world
looking at network nodes. Use only the Trace Route to Host module to create a
nifty 3D model of the network you plan to compromise.


Bindview's HackerShield
-----------------------

Minutes to start scanning : 2
Large-scale Usability     : 95%
Favorite feature          : HSMapper, the remote OS identifier that
                            automatically identified target systems.

To keep track of what vulnerabilities were checked against what systems, and
what IP addresses are allowed to be checked, HackerShield uses a database.
Unfortunately, they use a Microsoft Access database, and rely on Access'
built-in password protection to protect the database. The password is stored
in plaintext in the HackerShield.exe program, which renders the security
surrounding the database useless. Even if it were obfuscated, it is easy to
recover (see Appendix B below).

When downloading the demonstration version of the HackerShield program from
the Bindview web site, you are emailed a 5-IP address license that is good
for two weeks. The license file is loaded into the database. Opening the
HackerShield.mdb file in Access (using the recovered password) allows an
intruder to manipulate all of the tables inside, including the licensing
parameters. You can increase the number of hosts you can scan, the network
segments to scan hosts on, and you can adjust the expiration date. Anyone
with basic database knowledge should be able to make the adjustments fairly
quickly.

We pointed this out to Bindview, and they were already aware of this flaw in
their licensing.
Their attitude surprised us, but essentially they'd prefer to focus
programming resources toward enhancing their product than securing it from
license defeating. They are aware the steps they have taken are weak, but
insist the main goal is to help the commercial user stay within the limits
of what they paid for, not protect it from nefarious use.

Large scale scanning was limited to editing the database, although it wasn't
a hard thing to do.

Script kiddie bonus: Use the automation features to schedule scans to run
unattended on your NT workstation. The scheduled jobs can run even if you are
not logged in, as they use a Service User to perform automation.


ISS' Internet Scanner
---------------------

Minutes to start scanning : 1
Large-scale Usability     : 95%
Favorite feature          : Can run in command line mode if properly coaxed.

Downloading ISS' Internet Scanner allows you to demo the product in localhost
mode. To use the scanner against network targets requires a key. To give the
appearance of sophisticated encryption, the key looks similar to a PGP public
key, with "-----BEGIN ISSKEY5----" at the beginning of the key and
"-----END ISSKEY5----" at the end of the key. Between these lines are a
series of lines of "secret cipher text". While it is fairly obvious that the
encryption used here is weak (it is U.S. exportable) and it is a symmetrical
algorithm, it has apparently been broken to some degree. A quick search in
AltaVista using the key words "keygen" and "iss" should reveal the program
that a number of Russian and Eastern European hackers have been making use of
for months.

When contacted about this, ISS responded:

"Internet Scanner restricts the range of IP addresses reachable by a given
customer. The IP address restrictions protect a customer from accidentally
scanning outside their own network or it can be used to keep Administrator
Jane from scanning Administrator Bob's portion of the network.

"Over the years we have advanced the security around the license key
mechanism that controls this feature. The latest version of our license key
mechanism uses a DSS signature on a SHA hash of both the license as a whole
and individual pieces of information within the key to insure integrity, and
then uses blowfish for encrypting the key as a packaging mechanism. The
cracker discovered a flaw in the signing and signature verification
implementation and exploited those flaws, providing a method to bypass the
control mechanism. Despite the signing/verification flaw, defeating the
license mechanism required considerable expertise and effort.

"Internet Scanner is designed to be easy to detect when scanning a network.
By design Internet Scanner also leaves "fingerprints" in the logs of scanned
machines. These fingerprints provide a means for determining the computer
performing the scan.

"We will continue to enhance the security of Internet Scanner's control
mechanisms. Despite the difficulties and inconvenience of controlling
Internet Scanner's range we believe it is the appropriate action for a
security company and the behavior expected by our customers."

This was the best response. We'll _assume_ they will fix the signing and
verification flaw in later releases of their software.

Large-scale scanning was easy to set up, but was dependent on the key you
generated using the keygen program. New class Bs and Cs to target required
new keys.

Script kiddie bonus: Print detailed reports with exactly how to correct the
problems and leave them behind at cracked sites for the poor admins to use
(ISS has excellent reporting capabilities). In fact, replace the index.html
with the generated HTML report you used to attack the site. Probably would be
much more interesting than most web defacements anyway.
WebTrends' Security Analyzer
----------------------------

Minutes to start scanning : 18
Large-scale Usability     : 0%
Favorite feature          : Had a vulnerability test for the HackerShield
                            service user we reported on recently.

Security Analyzer was quick to set up and get going, but the web demo version
is hard-wired for localhost. We decided to give it a whirl anyway, especially
after we discovered that the "localhost" hard wiring was simply to grab the
first adapter configured. We were able to scan hosts we didn't own by
deleting and configuring adapters until 10.10.10.10 was grabbed first by
Security Analyzer. Once that was done, locally loaded proxy software or
software that does NAT (Network Address Translation) allowed us to direct
traffic to outside sites.

We did go over our 5 minute goal, and we were only able to scan one host at a
time. To scan a new host required proxy/NAT reconfiguration each time, and
this was very time consuming considering the fact we had three other scanners
that allowed much more freedom. Therefore large-scale scanning was simply
impractical for our purposes. WebTrends had also put in a 14-day limit on the
trial version, which worked as advertised. We did not try to defeat this
limit.

NMRC did not contact WebTrends as we felt we really didn't have much to
report. They probably shouldn't use the first adapter on the list, and use
127.0.0.1 instead, but loading and configuring a proxy or NAT to invoke
network scans is a lot of effort. As far as asking which proxy/NAT software
to use, take your pick. We encountered problems with every package we tried
as various vulnerability checks would cause the setup to crash or
malfunction.

Script kiddie bonus: Sorry, more trouble than it's worth.


Conclusions
-----------

If you are a system administrator, please bear in mind that using one of the
commercial scanners does not give you any tactical advantage over the
intruders you are trying to keep out of your system.
When one of these commercial vendors states that their tool allows you to see
your systems the way a potential intruder does, they are not kidding.

It is true (as stated in ISS' response above) that these software packages
will leave footprints in systems. This can be a blessing and a curse. If you
have an "outer perimeter" computer system you scan with CyberCop (leaving a
footprint), and it is compromised, the intruder can see what is used to test
the security of the system, and could conceivably turn that against you by
starting a general mapping of your internal systems using CyberCop. It is
possible that a sys admin will overlook the intruder's CyberCop footprints,
thinking they are his own.


Solution/Workaround
-------------------

There is no solution or workaround. This is the old "please Dan, don't
release Satan" argument. We are happy to see that there are commercial
vulnerability scanners with fine research behind them. We are also happy that
users can download demo products to test before they buy. Just bear in mind
these tools can and more importantly ARE being used by the underground (which
is the main reason we are releasing this paper).

If you are using an IDS, you might want to make sure it can detect some of
the more exotic exploits these products can produce, especially if these
exotic exploits actually compromise systems or perform DoS attacks. If you've
adjusted your IDS to ignore certain patterns, for example a standard ISS
scan, then perhaps you should review those rules.


Comments
--------

NMRC believes that if you are charging money for a security product that has
little to no security built in to protect itself from abuse, it is in fact a
poor message. There are five approaches:

1) Do nothing (NAI).

2) Do a minimal amount to keep the end user within the license restrictions
   (Bindview).

3) Come up with something that *looks* like state-of-the-art encryption and
   licensing, and hope it isn't broken (ISS).
4) The downloadable demo version is crippled (WebTrends).

5) Use a combination of copy protection techniques coupled with encryption
   and registration keys so that your killer app scanner will not be used by
   the people you're trying to defend against (anybody? nobody?).

Thanks to Yan for the Access 97 byte string used to recover passwords.


Appendix A
----------

We prefer contacting vendors via email due to the natural electronic paper
trail it produces. If that doesn't work, we will start calling tech support.
For more info on NMRC's disclosure policy, please see
http://www.nmrc.org/advise/policy.txt.


Appendix B
----------

This program will end the lame Access password recovery shareware industry.
Sorry, but information wants to be free.

/*************************************************************************
 ACC_REC - Access 97 Password Recovery

 Written by Simple Nomad [thegnome@nmrc.org] 17Sept99
 http://www.nmrc.org/

 Compile using DJ Delorie's excellent port of the GNU compiler, which is
 available from http://www.delorie.com/

 Thanks to Yan for pointing us to the sekrit string!
*************************************************************************/

/* includes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/*
 * Main program....
 */
int main(int argc, char *argv[])
{
    FILE *fDatabase;
    int i;
    unsigned char recover[13];
    unsigned char password[13];
    /* The fixed 13-byte pad an Access 97 file carries at offset 66 when no
     * password is set. With a password set, the same field holds the
     * password XORed against this pad, so XORing the pad back out
     * recovers it. */
    unsigned char sekrit[13]={0x86,0xFB,0xEC,0x37,0x5D,0x44,0x9C,0xFA,
                              0xC6,0x5E,0x28,0xE6,0x13};

    /* Say hello... */
    printf("ACC_REC - Recover the password for Microsoft Access databases\n");
    printf("Comments/bugs: thegnome@nmrc.org\n");
    printf("http://www.nmrc.org/\n");
    printf("1999 (c) Nomad Mobile Research Centre\n");
    printf("Database filename must be in 8.3 format\n\n");

    if (argc!=2) {
        printf("USAGE: acc_rec <filename.mdb>\n\n");
        printf("EXAMPLES:\n");
        printf("  acc_rec secretz.mdb\n");
        exit(-1);
    }

    fDatabase=fopen(argv[1],"rb");
    if (fDatabase == NULL) {
        printf("Unable to open database file %s.\n",argv[1]);
        exit(1);
    }

    /* The password field lives 66 bytes into the file header. */
    fseek(fDatabase,66,SEEK_SET);
    if (fread(recover,13,1,fDatabase) != 1) {
        printf("Unable to read the password field from %s.\n",argv[1]);
        fclose(fDatabase);
        exit(1);
    }
    fclose(fDatabase);

    /* An untouched pad means no password has been set. */
    if (!memcmp(recover,sekrit,13)) {
        printf("There is no password set for database %s\n",argv[1]);
        exit(0);
    }

    /* Otherwise XOR the pad back out to get the password bytes. */
    for (i=0;i<13;i++)
        password[i]=recover[i]^sekrit[i];

    printf("The password is - ");
    for (i=0;i<13;i++) {
        /* Unused trailing positions hold non-printable bytes; skip them. */
        if (isprint(password[i]))
            printf("%c",password[i]);
    }
    printf("\n");

    return 0;
}

_______________________________________________________________________________
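The Conclusions section above and ISS' response make the same defensive point: these scanners leave fingerprints in the logs of the hosts they touch, and an IDS rule written to ignore "our own" scanner can hide an intruder's use of the same tool from the same network. What follows is an added example, not code from the NMRC report or from any of the vendors, of the simplest check that applies: a sliding-window count of distinct host/port targets per source address, run over constructed firewall-style log lines. Sources that exceed the threshold are flagged, and allowlisted sources that would otherwise have been flagged are reported separately so the allowlist itself gets reviewed. The log line format, the 10.10.10.x and 192.0.2.x addresses, the 60-second window, the threshold of 20 and every function name are assumptions made for this example.

```python
"""Sweep detector over constructed firewall-style log lines.

Added example; not code from the NMRC report or from any scanner vendor.
The log format, addresses, window, threshold and names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <src> -> <dst>:<port> <action>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def build_sample_log():
    """Construct a small log (not real data): an unknown host sweeping 25
    ports on one target within 25 seconds, the admin's own scanner host
    sweeping 22 ports on a second target, and a workstation making three
    ordinary connections spread over an hour."""
    base = datetime(1999, 10, 11, 9, 0, 0)
    lines = []
    for i, port in enumerate(range(1, 26)):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.10.10.10 -> 192.0.2.15:{port} ACCEPT")
    for i, port in enumerate(range(1, 23)):
        t = base + timedelta(minutes=5, seconds=i)
        lines.append(f"{t.isoformat()} 10.10.10.5 -> 192.0.2.16:{port} ACCEPT")
    for i, port in enumerate((80, 25, 110)):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} 10.10.10.20 -> 192.0.2.17:{port} ACCEPT")
    return lines


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return {"time": datetime.fromisoformat(ts), "src": src,
            "dst": dst, "port": int(port), "action": action}


def find_sweeps(lines, window=timedelta(seconds=60), threshold=20,
                allowlist=frozenset()):
    """Flag sources touching >= threshold distinct (dst, port) pairs inside
    any `window`. Allowlisted sources that would have been flagged are
    returned separately so the allowlist can be reviewed rather than
    silently trusted.

    Returns (flagged, suppressed): both map source IP -> peak distinct count.
    """
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            per_src[ev["src"]].append((ev["time"], (ev["dst"], ev["port"])))

    flagged, suppressed = {}, {}
    for src, events in per_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Advance the window start until events[start..end] fit in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({target for _, target in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            (suppressed if src in allowlist else flagged)[src] = peak
    return flagged, suppressed


if __name__ == "__main__":
    log = build_sample_log()
    hits, ignored = find_sweeps(log, allowlist=frozenset({"10.10.10.5"}))
    for src, n in hits.items():
        print(f"ALERT   {src}: {n} distinct targets inside one window")
    for src, n in ignored.items():
        print(f"REVIEW  {src}: allowlisted, but swept {n} targets")
```

Run directly, it alerts on the unknown host and lists the allowlisted scanner host for review while the ordinary workstation stays quiet. In a real deployment the detector would read the firewall or host logs the report refers to, and the allowlist should name only the administrator's scanner host, with its "REVIEW" lines looked at whenever that host's own integrity is in doubt, which is exactly the outer-perimeter scenario the Conclusions describe.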