What is the difference between Implicit SSL and Explicit SSL?

FTP over SSL (Explicit)
Explicit security requires that the FTP client issues a specific command to the FTP server after establishing a connection to establish the SSL link. In explicit SSL (or in TLS) the FTP client needs to send an explicit command ( i.e. "AUTH SSL" or "AUTH TLS") to FTP server to initiate a secure control connection. The default FTP server port is used. This formal method is documented in RFC 2228.

FTP over SSL (Implicit)
Implicit security is a mechanism by which security is automatically turned on as soon as the FTP client makes a connection to an FTP server. In this case, the FTP server defines a specific port for the client (990) to be used for secure connections.

FTP over SSL (ftps) - Explicit SSL vs. Implicit SSL / Active mode vs Passive mode:

Shunichi Mikame (smikame@ipv4sec.com) - 09/11/2004

======================================================================================


My understanding about traffic flow of 'ftp over ssl' (ftps) is below.



Explicit SSL operates such that a connection to the server is made on the normal service port (TCP-21 for ftp-control channel, TCP-20 for ftp-data in active ftp mode). Communication initially starts in plain text until the client issues an authentication command, which then leads to certificate verification and a secure SSL connection being negotiated. In active mode, ftps client initiates 'control session' to port 21 of server (outbound from client), but server initiates data session back (sourcing from tcp port 20) to client (inbound to client). In passive mode, client initiates both control (tcp-21) and data sessions (port range specified by server/client negotiation) to the server (both are outbound from client).



Implicit SSL allows the server to specify a different port dedicated to SSL communication (TCP-990 for ftp-control channel, TCP-989 for ftp-data in active ftp mode). Any connections made to this port require immediate negotiation of certificates and SSL, avoiding any communication in plain text whatsoever. In active mode, ftps client initiates 'control session' to port 990 of server (outbound from client), but server initiates 'data session' back (sourcing from tcp port 989) to client (inbound to client). In passive mode, client initiates both control (tcp-990) and data sessions (port range specified by server/client negotiation) to the server (both are outbound from client).



Below are traffic flow examples with my understanding:



Explicit SSL with active FTP





ftp-ssl-control: (outbound from client)

FTPS client src port (greater than 1024) ==> FTPS server dst port 21



ftp-ssl-data: (inbound from server)

FTPS server src port (port 20) ==> FTPS client dst port (range specified by server/client negotiation)





Explicit SSL with passive FTP





ftp-ssl-control: (outbound from client)

FTPS client src port (greater than 1024) ==> FTPS server dst port 21 (request)



ftp-ssl-data: (outbound from client)

FTPS client src port (range specified by server/client negotiation) ==> FTPS server dst port (range specified by

server/client negotiation).





Implicit SSL with active FTP





ftp-ssl-control: (outbound from client)

FTPS client src port (greater than 1024) ==> FTPS server dst port 990.



ftp-ssl-data: (inbound from server)

FTPS server src port (port 989) ==> FTPS client dst port (range specified by server/client negotiation)





Implicit SSL with passive FTP





ftp-ssl-control: (outbound from client)

FTPS client src port (greater than 1024) ==> FTPS server dst port 990.



ftp-ssl-data: (outbound from client)

FTPS client src port (range specified by server/client negotiation) ==> FTPS server dst port (range specified by server/client

negotiation).





End of document:

======================================================================================

SSL

SSL Server Authentication

During the SSL handshake, the server sends the client a certificate to authenticate itself. The client uses the certificate to authenticate the identity the certificate claims to represent.

An SSL-enabled client goes through these steps to authenticate a server's identity:
Is today's date within the validity period? The client checks the server certificate's validity period. If the current date and time are outside of that range, the authentication process does not go any further. If the current date and time are within the certificate's validity period, the client goes on to step 2.

Is the issuing Certificate Authority (CA) a trusted CA? Each SSL-enabled client maintains a list of trusted CA certificates. This list determines which server certificates the client will accept. If the distinguished name (DN) of the issuing CA matches the DN of a CA on the client's list of trusted CAs, the answer to this question is yes, and the client goes on to step 3. If the issuing CA is not on the list, the server is not authenticated unless the client can verify a certificate chain ending in a CA that is on the list.

Does the issuing CA's public key validate the issuer's digital signature? The client uses the public key from the CA's certificate (which it found in its list of trusted CAs in step 2) to validate the CA's digital signature on the server certificate that is being presented. If the information in the server certificate has changed since it was signed by the CA, or if the CA certificate's public key doesn't correspond to the private key that was used by the CA to sign the server certificate, the client does not authenticate the server's identity. If the CA's digital signature can be validated, the client treats the server's certificate as a valid "letter of introduction" from that CA and proceeds. At this point, the client has determined that the server certificate is valid. It is the client's responsibility to take step 4 before it takes step 5.

Does the domain name in the server's certificate match the domain name of the server itself? This step confirms that the server is actually located at the same network address that is specified by the domain name in the server certificate. Although step 4 is not technically part of the SSL protocol, it provides the only protection against a form of security attack known as a "Man-in-the-Middle Attack." Clients must perform this step and must refuse to authenticate the server or establish a connection if the domain names do not match. If the server's actual domain name matches the domain name in the server certificate, the client goes on to step 5.

The server is authenticated. The client proceeds with the SSL handshake. If the client does not get to step 5 for any reason, the server that is identified by the certificate cannot be authenticated, and the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established.

ARP Attack

The difference between a hub and a switch
With a hub, every port receives all network traffic. When a hub receives
a packet, it has no clue where the recipient is plugged. So it simply rebroadcasts
the packet to all hosts plugged into the hub. The recipient "knows" its own
IP address and responds to the packet, while all other devices on the network
segment ignore it.

A switch, on the other hand, is smarter. A switch actually pays attention to
where each device is plugged. When a switch receives a packet, it knows exactly
where the intended recipient is and sends the packet to only that device. This
security feature prevents hackers from intercepting all your network's traffic
using a packet sniffer.



ARP Refresher -http://www.watchguard.com/infocenter/editorial/135324.asp

In Foundations: What Are NIC, MAC, and ARP?, we explained that Address Resolution Protocol (ARP) is how network devices associate MAC addresses with IP Addresses so that devices on the local network can find each other. ARP is basically a form of networking roll call.

ARP, a very simple protocol, consists of merely four basic message types:

An ARP Request. Computer A asks the network, "Who has this IP address?"

An ARP Reply. Computer B tells Computer A, "I have that IP. My MAC address is [whatever it is]."

A Reverse ARP Request (RARP). Same concept as ARP Request, but Computer A asks, "Who has this MAC address?"

A RARP Reply. Computer B tells Computer A, "I have that MAC. My IP address is [whatever it is]"

All network devices have an ARP table, a short-term memory of all the IP addresses and MAC addresses the device has already matched together. The ARP table ensures that the device doesn't have to repeat ARP Requests for devices it has already communicated with.

Here's an example of a normal ARP communication. Jessica, the receptionist, tells Word to print the latest company contact list. This is her first print job today. Her computer (IP address 192.168.0.16) wants to send the print job to the office's HP LaserJet printer (IP address 192.168.0.45). So Jessica's computer broadcasts an ARP Request to the entire local network asking, "Who has the IP address, 192.168.0.45?" as seen in Diagram 1.

All the devices on the network ignore this ARP Request, except for the HP LaserJet printer. The printer recognizes its own IP in the request and sends an ARP Reply: "Hey, my IP address is 192.168.0.45. Here is my MAC address: 00:90:7F:12:DE:7F," as in Diagram 2.

Now Jessica's computer knows the printer's MAC address. It sends the print job to the correct device, and it also associates the printer's MAC address of 00:90:7F:12:DE:7F with the printer's IP address of 192.168.0.45 in its ARP table.

Hey ARP, Did You Know Gullible Is Not in the Dictionary?

The founders of networking probably simplified the communication process for ARP so that it would function efficiently. Unfortunately, this simplicity also leads to major insecurity. Know why my short description of ARP doesn't mention any sort of authentication method? Because in ARP, there is none.

ARP is very trusting, as in, gullible. When a networked device sends an ARP request, it simply trusts that when the ARP reply comes in, it really does come from the correct device. ARP provides no way to verify that the responding device is really who it says it is. In fact, many operating systems implement ARP so trustingly that devices that have not made an ARP request still accept ARP replies from other devices.

OK, so think like a malicious hacker. You just learned that the ARP protocol has no way of verifying ARP replies. You've learned many devices accept ARP replies before even requesting them. Hmmm. Well, why don't I craft a perfectly valid, yet malicious, ARP reply containing any arbitrary IP and MAC address I choose? Since my victim's computer will blindly accept the ARP entry into its ARP table, I can force my victim's gullible computer into thinking any IP is related to any MAC address I want. Better yet, I can broadcast my faked ARP reply to my victim's entire network and fool all his computers. Muahahahahaa!

Back to reality. Now you probably understand why this common technique is called ARP Cache Poisoning (or just ARP Poisoning): the attacker lies to a device on your network, corrupting or "poisoning" its understanding of where other devices are. This frighteningly simple procedure enables the hacker to cause a variety of networking woes, described next.

All Your ARP Are Belong To Us!

The ability to associate any IP address with any MAC address provides hackers with many attack vectors, including Denial of Service, Man in the Middle, and MAC Flooding.

Denial of Service

A hacker can easily associate an operationally significant IP address to a false MAC address. For instance, a hacker can send an ARP reply associating your network router's IP address with a MAC address that doesn't exist. Your computers believe they know where your default gateway is, but in reality they're sending any packet whose destination is not on the local segment, into the Great Bit Bucket in the Sky. In one move, the hacker has cut off your network from the Internet.

Man in the Middle

A hacker can exploit ARP Cache Poisoning to intercept network traffic between two devices in your network. For instance, let's say the hacker wants to see all the traffic between your computer, 192.168.0.12, and your Internet router, 192.168.0.1. The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router, associating his computer's MAC address with 192.168.0.12 (see Diagram 3).

Now your router thinks the hacker's computer is your computer.

Next, the hacker sends a malicious ARP reply to your computer, associating his MAC Address with 192.168.0.1 (see Diagram 4).

Now your machine thinks the hacker's computer is your router.

Finally, the hacker turns on an operating system feature called IP forwarding. This feature enables the hacker's machine to forward any network traffic it receives from your computer to the router (shown in Diagram 5).

Now, whenever you try to go to the Internet, your computer sends the network traffic to the hacker's machine, which it then forwards to the real router. Since the hacker is still forwarding your traffic to the Internet router, you remain unaware that he is intercepting all your network traffic and perhaps also sniffing your clear text passwords or hijacking your secured Internet sessions.

MAC Flooding

MAC Flooding is an ARP Cache Poisoning technique aimed at network switches. (If you need a reminder about the difference between a hub and a switch, see this sidebar.) When certain switches are overloaded they often drop into a "hub" mode. In "hub" mode, the switch is too busy to enforce its port security features and just broadcasts all network traffic to every computer in your network. By flooding a switch's ARP table with a ton of spoofed ARP replies, a hacker can overload many vendor's switches and then packet sniff your network while the switch is in "hub" mode.

Scared? Good, Now Calm Down!

This is scary stuff. ARP Cache Poisoning is trivial to exploit yet it can result in very significant network compromise. However, before you jump to Defcon-7, notice the major mitigating factor: only local attackers can exploit ARP's insecurities. A hacker would need either physical access to your network, or control of a machine on your local network, in order to deliver an ARP Cache Poisoning attack. ARP's insecurities can't be exploited remotely.

That said, hackers have been known to gain local access to networks. Good network administrators should be aware of ARP Cache Poisoning techniques.

Since ARP Cache Poisoning results from a lack of security in a protocol that is required for TCP/IP networking to function, you can't fix it. But you can help prevent ARP attacks using the following techniques.

For Small Networks

If you manage a small network, you might try using static IP addresses and static ARP tables. Using CLI commands, such as "ipconfig /all" in Windows or "ifconfig" in 'NIX, you can learn the IP address and MAC address of every device in your network. Then using the "arp -s" command, you can add static ARP entries for all your known devices. "Static" means unchanging; this prevents hackers from adding spoofed ARP entries for devices in your network. You can even create a login script that would add these static entries to your PCs as they boot.

However, static ARP entries are hard to maintain; impossible in large networks. That's because every device you add to your network has to be manually added to your ARP script or entered into each machine's ARP table. But if you manage fewer than two dozen devices, this technique might work for you.

For Large Networks

If you manage a large network, research your network switch's "Port Security" features. One "Port Security" feature lets you force your switch to allow only one MAC address for each physical port on the switch. This feature prevents hackers from changing the MAC address of their machine or from trying to map more than one MAC address to their machine. It can often help prevent ARP-based Man-in-the-Middle attacks.

For All Networks

Your best defense is understanding ARP Poisoning and monitoring for it. I'd highly recommend deploying an ARP monitoring tool, such as ARPwatch, to alert you when unusual ARP communication occurs. This kind of vigilance is still the greatest weapon against all kinds of attack -- for, as Robert Louis Stevenson wrote, "The cruelest lies are often told in silence."

Resources:
Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks

Securing the Network from Within (Part 2)

http://www.windowsecurity.com/pages/article_p.asp?id=1598

So far I have only talked of various methods in general to harden the operating system, and have as of yet not addressed anything really specific. What I shall now do is put things into context by detailing some steps to address a typical medium to large enterprise network from the workstation on outwards.

One of the first things to do again is to control physical access to your workstations. Next you should also make sure to have a BIOS password set so as to limit access to it. You should also have in place one of the standard security templates that will allow you to leverage the power of GPO’s for your W2K and XP environment. The amount of settings afforded to you via GPO is truly impressive, and can be customized for most every environment. I will not go any further on the subject of GPO as I don’t consider myself an expert in them. There is an excellent article on them in Microsoft’s Technet Magazine. In it Derek Melber details what he considers to be the Top 10 GPO settings that you should take advantage of. Derek’s number four GPO setting is one that I rarely ever see used, and as he says will slow down an attackers brute force attempts to log into the computer.

Going hand in glove with a GPO lockdown of the workstation is the need to have a corporate software baseline. This baseline of approved corporate network software should then be complimented with further software installation requiring sys admin privileges. This is not a perfect solution as there are ways around this, but it is another hurdle for the trusted insider to work around. Also, offering your employee’s an image of the software baseline will also help secure your network when, and if, they connect their laptops to it. Too many times work laptops are the vector for infection and malware outbreaks. There have been examples of some companies targeted for corporate espionage where the employee was targeted at home. This is a tried and true method of infiltration to the hardened corporate network as often company employees do not have the same level of protection on their home computer. That is why it is rather important to offer your employees a company software baseline image for their home use. If nothing else then perhaps some a/v and f/w solution should be offered. If you are in a big company then likely your licensing allows for this.

Another technology that should be applied to the workstation is that of a host intrusion protection system, or HIPS. Having a HIPS in place can protect against a plethora of client side exploits which may not be patched as quickly as they should. Quite often Microsoft patches have to be tested out first prior to application in case they break some functionality on the network. This technology will also protect the workstation for the all too common buffer overflow, format string, and canonicalization attacks. A trusted insider can, with a little knowledge, quickly find out via SNMP exchanges what servers have been patched or not. Should you doubt this, then simply think of the uptime query issued to a server. That would give you a good indication of whether or not it has been patched for a specific exploit. If its uptime is longer then the newly released exploit then you can surmise it has not been patched due to it requiring a reboot for the exploit patch to take effect.

With the above noted said, it is also time to look at overall network architecture design. For the medium to large enterprise network it only makes sense to segment it into logical divisions. This can be done using routers to not only segment various departments, but also it can be used to control resource access. A tangible side benefit of this segmentation via routers is that of malware containment. If for whatever reason a worm makes its way into say the marketing department it would be contained there. That would be because all routers in your network are not forwarding NetBIOS traffic. This is one of the ways that worms propagate. Only ports that are deemed absolutely necessary should be open to allow intranet access. This point gets hammered home time, and again when a new worms tears a hole through a flat network. By making simple changes such as this you are able to contain these malware outbreaks. That at least will afford you the opportunity to clean up the mess without having to take down the entire network. Such a drastic solution to clean up will quickly have the dollar cost of the malware outbreak add up.

Beyond using routers for department segmentation it is a good idea to hang an IDS off of the switch behind it. This will also give you a heads up into any illicit activity on a department to department basis. That way it is also easier to spot any trouble departments that may be in need of further security measures. Another excellent way to also manage your network is to incorporate weekly, monthly, or as you see fit, traffic mining. You really should do so on a regular basis, log all network traffic and then sift through it looking for packets that don’t belong. That way you can also find programs that have somehow made their way into your network. The ever-present issue of P2P and IRC traffic for one can be found via this traffic analysis.

Should your in-house staff not have the skills to do this then contract out for it or get your staff trained in it. There are normally always nuggets of interesting traffic that can be ferreted out via network traffic analysis or data mining as it is also called. P2P and IRC are ways that the normally well hardened network can be breached by a well meaning employee. There have been many times that I have done data mining for a client, and ended up telling them of issues which resulted from the use of P2P and IRC. These protocols should be strictly disallowed for internal network use.

It is also good practice to also observe normal hardening for the switches in your network. All MAC addresses should be statically mapped to prevent the normal ARP attacks. Further to this should be proper hardening at the router as well. There is no need to have any bogon range allowed in or out of your network. We as network security professionals and system administrators need to remember that we provide a service. That service is to give the end user a simple and easy way to conduct business via their computer. Complicating this task for them will only lead to them attempting to circumvent those security policies and or result in reduced productivity. Blaming the end user for all network problems is not only unacceptable, it is the very reason we are employed ie: to keep things simple and secure.

I sincerely hope you enjoyed this article. Once again I would remind you that I have not attempted to provide highly detailed advice, but rather a generic overview of how you can help secure your network from the operating system on outwards. Till next time!

Securing the Network from Within (Part 1)

Introduction
There have been many excellent papers, and books written on securing computer networks. They all largely address how to harden your network from the router on down to the switch, then eventually to the actual workstation itself. In many document cases of compromised networks, the end goal of the hacker was to suborn the actual workstation itself. The router, and sometimes a server of some kind, was not actually the end state of the hacker. It was normally to gain a toehold on the internal network via a client side exploit. Whether that be an operating system exploit or other vulnerability is a moot point. To be able to gain access to the, all too often, soft underbelly of the internal network is quite often the goal of a network hack. Once a foothold has been established, it is then that the keylogger, packet sniffer, rootkit, and other types of programs to further or hide exploitation are then ferried over to the now compromised computer.

Much, as I mentioned above, the actual workstation is often the goal of a hack. Funny thing is though, I have often heard some computer security people say “but they cut right through our router and other security….”. Well that is the whole point of hardening from the operating system outwards. One should assume that eventually a determined attacker will make their way to the aforementioned workstation. With that in mind, one should begin to harden what is often seen as the weakest link in the network security chain; the workstation. This article will attempt to address this concept of “secure from within” with some recommendations. We must remember also that computer security, and complexity, really don’t get along. The more complex the security the more likely it is that it will not be followed by the end user. One final note before beginning this article is that the security measures described below are written with a medium to large enterprise network in mind.

The first steps
I would like to take the chance first to say that this article will not attempt to list each and every option available to harden your network from the o/s on out. There are far too many variables in play for me to do this, let alone various network architecture designs. The focus of the information from here on out tries to be a bit more general vice specific.

To begin with, one should realize that the very first step one should take in protecting the workstation is that of physical security. You do not need to allow everyone access to the workstation outside of normal working hours. Once a department is done work for the day, the door to that section should be locked. No reason to have anyone else drop into the accounting department from your telemarketing staff is there. You should also bear in mind the trustworthiness of the cleaning staff you probably have coming in after hours to vacuum and clean your office spaces. These people typically have unfettered access to the corporate work area with no one else around. Make sure the cleaning staff are properly vetted by the company you hired to do your cleaning.

We can see already with a couple of examples that physical access to the workstation is largely our biggest threat. Due to this you should always treat these workstations as if they have been exploited. This may sound rather paranoid, but it will help you in the possible redesign of your network architecture. Now there is a series of steps that should be taken in an attempt to harden access to the workstation. Such tried and true methods as having a BIOS password are greatly encouraged. This would by extension also make it far more difficult for someone to drop a live Linux distro into the CD tray, as they would be then prompted for the BIOS password. It is also rather important to restrict BIOS access, as you will hopefully have turned off USB support via the BIOS settings. There is little point in making changes in the BIOS if you allow someone else to simply change them after again.

The subject of USB stick based attacks has been receiving a great deal of attention as of late and deservedly so. These memory sticks can have pretty much anything you want on them, and they are of course very portable. That makes for a fairly stealthy attack as these can fit into anyone’s pocket. Disabling this type of support can also be enforced via GPO. Group policy objects are one of the best tools that you can use to help enforce security, policy, and standards on your Windows 2K/XP/K3 network. There is an excellent link to various types of network scenarios at this link provided by Microsoft. Microsoft have themselves published a lot of excellent information on ways to harden your network. Unlike much of the rhetoric you may hear about Microsoft’s security you would be well advised to peruse their security section. There are many, many excellent pieces of information there to be had. Why go for a third party software solution if Microsoft already has one for you.

Through the use of various GPO’s you should restrict access to the places that you do not want a user to access to. Area’s such as the registry, cmd.exe, control panel, can greatly help you in your task of hardening the operating system. These measures are not foolproof due to the proliferation of live Linux distributions. You should also bear in mind that administrative controls such as GPO’s for one can be bypassed at times. A perfect example of this would be the system administrator blocking access to regedit via the cmd.exe but forgetting about regedt32.

This is where the link in the second above paragraph comes in handy. You will need to segment your network into various groups, and then decide with management what those groups of users should have access to. Take for instance the management group, which could be composed of the company’s executives. One measure that should be implemented is the use of PKI for all emails coming from the management group. This is by definition probably some of the most sensitive data flying around on your network. You certainly don’t want someone to be able to intercept and then read those emails do you, as Base64 is hardly an encryption scheme. It may appear to you as a mass of undecipherable characters, however it is easily and quickly converted.

You may have just moved into a new job and inherited a network design not your own, however that should not stop you from recommending a new architecture to your management team. Redesigning your network can yield great dividends. One such dividend we will see later is malware containment through some thoughtful network design considerations. We will break this two part article series at this point. See you in part II!

Packet analysis tools and methodology (Part 1)

Port scanners and scan types
When one thinks of the internet several things come to mind readily. First and foremost is probably spam, but a close second are the endless port scans. These endless port scans are also one of the most misunderstood things by anyone else but the seasoned network security analyst. There is little reason really for the average computer enthusiast to learn the miscellanea of port scanning and TCP/IP stimulus. It is in their best interest to understand the various scan types though, and to realize just what a scan is and means.

On the forum message boards www.security-forums.com we are often asked about these evil port scans. New computer users often panic when their firewall fires off an alert like “attempted subseven connection on port 27374” and the such.

Meet the heavyweights!
Pretty much in every area of endeavor there are products that stand out above others. The world of computer security/hacking, is no exception to this phenomenon. When it comes to tools for the computer security savvy, linux still rules the sea's. There is no arguing that Windows still reigns as the de-facto operating system of choice for computer networks. Realizing this one should try and leverage the best of both worlds. With this in mind some of the most popular linux based security tools have been ported to the win32 environment. Most notable among them is the undisputed King of network scanners nmap. Another heavyweight port scanner is hping. The main difference between them is that nmap can scan a range of IP addresses, while hping can only port scan one individual IP address. I like to compare them as “the broadsword to the rapier”. While nmap can scan ranges of IP addresses, hping is far stealthier, but can only scan one IP address at a time. More on the stealth later. Another network scanner worthy of mention is superscan. While superscan is not as functional, or fully featured as nmap, it is still a good scanner nonetheless. One last note on these scanners; make sure you install the dependencies. All of these scanners, whether they are in win32 or linux, require winpcap or libpcap respectively to work.

Enough talk, more action!
Well now that we have the main players introduced it is time to get down to business. What we shall do is use hping to document at the packet level the various types of scans that you may, or realistically, probably will see on your network. While I will chronicle the command syntax for hping I won’t spend a great deal of time on it. There are many excellent tutorials for it out there. We will show the main scan types in use today by all and sundry; syn scan, rst scan, ack scan, and the udp scan. While this is not an exhaustive list, it does cover the most often seen ones. It is not really enough to only read about these things, it is most important to also visualize them. With that statement in hand I shall create a specific scan type, whilst also showing it at the packet level.

SYN scan

hping -S 192.168.1.100 -c 1 -p 80

14:08:49.973455 IP (tos 0x8, ttl 64, id 64574, offset 0, flags [none],
length: 40) 192.168.1.102.2640 > 192.168.1.100.80: S [tcp sum ok]
1104445670:1104445670(0) win 512
0x0000: 4508 0028 fc3e 0000 4006 fa6e c0a8 0166 E..(.>..@..n...f
0x0010: c0a8 0164 0a50 0050 41d4 80e6 4ad4 27ec ...d.P.PA...J.'.
0x0020: 5002 0200 e9ac 0000 P.......

The SYN is perhaps one of the most common scans out there today. Doing such a scan will give you a definite answer, as to whether or not there is a service listening on a specific port. If there is a service such as say HTTP listening on port 80 then that would elicit a SYN/ACK. That response would mean that there is indeed something listening on that port for connections to it. Conversely if your SYN resulted in a RST/ACK then that would mean that there is no service listening on the port you targeted.

RST scan

hping –R 192.168.1.100 –c 1 –p 80

19:54:57.669980 192.168.1.102.1239 > 192.168.1.100.80: R 1975237774:1975237774(0) win 512
0x0000 4500 0028 890e 0000 4006 00bf xxxx xxxx E..(….@....r.|
0x0010 xxxx xxxx 04d7 0050 75bb bc8e 631c a4e4 .r……r…c….
0x0020 5004 0200 7dbb 0000 P…}..

What we have here is a RST scan. That would be a scan in which only the RST bit is set in the TCP flags byte. That specific byte would be offset 13 in the TCP header. Remember that you should start counting from 0. In this case that would be byte 04 on line 00x0020. You can see that the value represented there is 04 in hexadecimal, which is also four in decimal. That numerical value denotes the RST flag in the TCP flag field. Looking at this field in the future will always tell you what, if any, flags are set.

What are RST scans used for? Well an RST scan is also known as inverse mapping. This scan type is not as well known as the SYN scan seen above, but is nonetheless very effective. Not only that, but it is also largely ignored on some intrusion detection systems. If you send out an RST packet to scan a port, you will get one of two things; no response, or an ICMP host unreachable packet. If you get no response, and by that I mean literally no packet is sent back to you, then that means the host you have probed is in all likelihood up and running. Should you get the ICMP host unreachable packet then that means that the IP address you probed is not assigned. Not a bad scan now is it? Pretty sneaky I would say.

ACK Scan

hping –A 192.168.1.100 –c 1 –p 80

14:14:43.545975 IP (tos 0x8, ttl 64, id 42390, offset 0, flags [none],
length: 40) 192.168.1.102.2497 > 192.168.1.100.80: . [tcp sum ok] ack
473846278 win512
0x0000: 4508 0028 a596 0000 4006 5117 c0a8 0166 E..(....@.Q....f
0x0010: c0a8 0164 09c1 0050 1f48 d03f 1c3e 5206 ...d...P.H.?.>R.
0x0020: 5010 0200 c1dc 0000 P.......

What we have here is known as the ACK scan. What are its uses? If you know your TCP/IP then you know that it should probably be of limited value. Not quite really. This type of scan is useful in determining what type of firewall is in use on a specific network. By that I mean, does the firewall employ SPI or stateful packet inspection. What that means in essence is that the firewall will track the sessions as they traverse it. If a client computer on the inside of the network fires up its browser and brings down the homepage of Google for instance, a series of events take place. The firewall will make note of the source and destination address plus the source and destination ports used. That way only a packet inbound to the client computers IP address (which in all likelihood has been nat’ed) and source port, with a matching destination address and port, will be allowed in.

This is an excellent way of disallowing inbound connection attempts. So if you send an ACK packet to a network which has a firewall with SPI it will simply be quietly discarded. If the network or host does not have such a firewall then you will get a RST packet back. This happens because the computer receiving it is not aware of any such connection, thus the RST packet is sent back to you.

UDP Scan

hping -2 192.168.1.100 –c 1 –p 53

14:27:09.947037 IP (tos 0x10, ttl 64, id 22934, offset 0, flags [none],
length: 28) 192.168.1.102.2695 > 192.168.1.100.53: [udp sum ok] [|domain]
0x0000: 4510 001c 5996 0000 4011 9d10 c0a8 0166 E...Y...@......f
0x0010: c0a8 0164 0a87 0035 0008 7107 ...d...5..q.

Rounding out our scan types is the UDP scan. This is useful for discovering UDP based services such as DNS. If you send a UDP packet to a computer which has a service listening you will get nothing back. Should that same computer have no service listening on that port you will get an ICMP port unreachable message back. Pretty nifty isn’t it? That is the way that UDP communicates such conditions; via ICMP messages. If you remember, had we sent a SYN packet which is TCP it would of elicited a RST packet if there was no service listening.

Final thoughts
This type of information should be second nature to a pen-tester, or one interested in the minutiae of TCP/IP. Secondly, while nmap is a very powerful network scanner, whether it be win32 or linux based, it has many intrusion detection signatures for it. If you are doing a pen-test where stealth is the key, then hping is far superior due to its ability to send only one packet at a time or more if desired. That can be useful to probe firewall configurations. Lastly, due to the granular control that hping offers you, there are no known signatures for it that I am aware of. Before I forget as well, there is another excellent packet crafter for the win32 world; nemesis. It will not only do routed protocols, but also routing ones. While there are a great many tools for the win32 environment to help you secure your networks, you would be wise to delve down in the weeds every now and again at the packet level.

If you would like to see the other articles in this series please read

Packet analysis tools and methodology (Part 2)
Packet analysis tools and methodology (Part 3)
Packet analysis tools and methodology (Part 4)

Use NTLMv2 to prevent cracks on authentication

Use NTLMv2 to prevent cracks on authentication
When Microsoft decided to make Windows NT backward compatible with LAN Manager, I wonder whether the company realized the security problems that backward compatibility would cause. This decision certainly eased the implementation of NT for existing LAN Manager environments and for sites with Windows 95, Windows 3.x, DOS, and OS/2 installed because you can take advantage of the LAN Manager client software already present in those client OSs. But backward compatibility caused NT to inherit some significant security weaknesses from the way LM—the LAN Manager authentication protocol—hashes passwords and authenticates the network. (For information about LM authentication weaknesses, see "Protect Your Passwords," October 1998.) LM authentication uses a challenge/response mechanism for logon to eliminate the need to transmit the password over the network. But LM's vulnerabilities let intruders eavesdrop on a network segment, capture the challenge/response, and crack the logon. NT has the same vulnerabilities because, to support pre-NT clients and servers, it automatically sends and accepts the LM responses, which is a dangerous weakness.

Posing a threat to NT is L0phtCrack, a popular password-cracking tool from L0pht Heavy Industries. L0phtCrack comes with a challenge/response sniffer that can capture logons as they occur on the network. Using these challenge/response pairs, L0phtCrack further exploits LM's weaknesses to recover the actual password. L0phtCrack 2.5 has an enhanced GUI sniffer integrated into the main L0phtCrack engine, as Screen 1 shows. The new GUI sniffer, SMB Packet Capture Output, eliminates the need for a special packet driver, which the previous version required. This shrink-wrapped tool lets even novice intruders easily learn the passwords of everyone logging on to the intruder's network segment.

Before Service Pack 4 (SP4) came along, systems administrators needed to combat this problem with the post-SP3 hotfix—lm-fix. Lm-fix added the LMCompatibilityLevel Registry setting so that you could instruct NT not to support LM authentication, thereby defeating the L0phtCrack sniffer. However, this scenario meant you could use NT only on client workstations because Win9x, Windows 3.x, DOS, and OS/2 support only LM authentication. Unfortunately, lm-fix caused some stability problems, so Microsoft removed it from the Web. The removal of lm-fix left administrators without a fix for a serious problem.

When SP4 came out, I was anxious to verify that Microsoft had included lm-fix's functionality. What I found was a revision of the network authentication protocol NTLM, which Microsoft designed specifically for NT to improve security. NTLMv2 has several enhancements that address authentication problems and session security requirements for confidentiality, integrity, and 128-bit encryption. In this article, I explain NTLMv2's options and make you privy to several undocumented details and bugs that are crucial to security. I also discuss how each option stands up to attacks from L0phtCrack 2.5 and address possible future attacks. Finally, I finish up with practical recommendations for implementing the best security while preserving compatibility.

Background of NTLM Authentication
When a user needs to connect to a server, the server authenticates the user with a challenge/response protocol. The server issues a random string of bytes called a challenge to the client. The client encrypts the challenge with the hash of the user's password and sends the encrypted challenge back as the response. The server decrypts the response with the official password hash stored in the user's account. If the decrypted response matches the original challenge, the user is authentic.

NT clients send two responses in reply to the server's challenge: the LM response and the NTLM response. Because the client sends both responses, the NTLM hash and response are irrelevant. But the LM response lets NT connect to or accept connections from non-NT systems including the downlevel systems: Win9x, Windows 3.1, DOS, and OS/2. When L0phtCrack captures an authentication, the tool displays the responses in two separate columns called the LanMan Hash and the NT Hash, as Screen 2 shows. Originally, these columns held their correspond-ing response types. Since lm-fix, these columns have different response types than you might expect because of Microsoft's creation of new LM response and NT response versions for security and backward compatibility. In NTLMv2, the Registry value LMCompatibilityLevel controls the authentication enhancements, and LMCompatibilityLevel has enhanced functionality.

Authentication has a few other problems to keep in mind regarding pass-through and local network authentication. Because NT and downlevel systems can be clients, servers, or both clients and servers, an NT server can be a member server and also a domain controller. When a client connects to an NT or downlevel server using a domain account, that system doesn't perform the authentication but forwards authentication to the domain controller. This process is pass-through authentication. Otherwise, when a client connects to a server using a local account or share-level security (possible with downlevel OSs), that server must use the local SAM to handle the authentication. This process is local network authentication. As I later explain, pass-through and local network authentication further complicate Microsoft's efforts to minimize NT's network authentication vulnerabilities.

L0phtCrack Threatens NTLM Authentication
Now, let's examine the other dimension of security, the intruder tools. L0phtCrack 2.0 can crack only captured authentications that contain the standard combination of the LM and NT response. The L0phtCrack Server Message Block (SMB) authentication sniffer, READSMB, captures an authentication to a text file that it feeds to L0phtCrack for cracking. (Lm-fix disables LM authentication, but READSMB can still capture the NT response.) L0phtCrack will process READSMB's output file of the LM and NT responses and ignore the NT response. L0phtCrack cracks the weaker LM response by using dictionary attacks, which crack poor-quality passwords in mere seconds. L0phtCrack subjects an LM response that isn't in the dictionary to a brute force algorithm that takes days to crack.

L0phtCrack 2.5 has more flexible cracking options. Screen 3 shows a new hybrid crack that uses brute force in combination with a dictionary. This hybrid crack calculates how a user might used a common word (with some additional numbers or symbols) to meet the password policies that the Microsoft Windows NT Server 4.0 Resource Kit PassProp utility defines. Although this method takes longer than a dictionary attack, attacks using this method decipher passwords such as Apple1 or 2Blue3 much faster than brute force takes. In addition, intruders can easily change the character set for brute force attacks to control crack time or find higher-quality passwords. But the most significant enhancement to L0phtCrack lets an intruder run dictionary attacks on the NT response only. A dictionary crack on the NT response takes longer than an LM response crack takes, but takes only a matter of hours.

Although lm-fix didn't defeat all possible attacks, it defeated typical attacks from intruders using available tools. Microsoft has since enhanced the NTLM protocol, and L0pht Heavy Industries has since enhanced L0phtCrack. Next, I examine how these mutual enemies presently stack up against each other.

LMCompatibilityLevel Protection
The LMCompatibilityLevel Registry value controls what logon responses the clients send to the server and what responses the servers accept. LMCompatibilityLevel is in the HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSetControl\ Lsa key, as Screen 4 shows. In SP4 or later, the NT response has two possible versions—NTLM and NTLMv2—and the LM response has two possible versions—LM and LMv2. The later versions are harder to crack. You can set LMCompatibilityLevel, of type REG_DWORD, between the levels 0 and 5, with level 5 offering the highest security and lowest backward compatibility. To provide the highest security, you need to prevent transmission of the LM response, which is vulnerable to shrink-wrapped intruder tools. Table 1 lists a brief description of the security function for each value of LMCompatibilityLevel.

Level 0. Because LMCompatibilityLevel 0 sends both the NT and the LM responses, this level is highly vulnerable to both dictionary and brute force attacks on the LM response. Level 0 is also the default value for LMCompatibilityLevel when you install SP4 or later. Therefore, merely installing SP4 or later doesn't improve security.

Level 1. Level 1 uses NTLMv2 session security if negotiated between the client and server. By its description, level 1 seems to automatically negotiate the highest level of authentication possible (i.e., NTLMv2). But level 1 falls back to LM authentication where necessary and doesn't improve authentication security.

To understand level 1, let's look at SP3 and the lm-fix hotfix. Fixing the vulnerabilities that LM authentication caused was more complicated than Microsoft estimated. This complication was because of pass-through authentication and the backward compatibility requirement with downlevel systems that support LM authentication only but can function as clients or servers to NT systems. If you use L0phtCrack 2.5 to capture authentications from an SP3 system with lm-fix loaded and LMCompatibilityLevel set to level 2, the SMB Packet Capture Output will display the normal NT response and will display zeros for the LM response to confirm that this configuration disables LM authentication. However, this solution was overly simplified because the negotiation of NT authentication between the client and server, which level 1 specifies, isn't really possible.

With SP3 and lm-fix, level 1 was broken in two ways. First, level 1 confused session security and authentication. Authentication can't safely use the LM response to negotiate, because the server doesn't make the decision—the domain controller does. The client and the server can negotiate session security only, because authentication requires that the client and the client's domain controller agree about what authentication to use. Second, session security negotiation is subject to man-in-the-middle attacks and thus doesn't provide real protection.

Microsoft considered disabling level 1 in SP4 but didn't. Microsoft discovered that if a user has an NT client and a Windows 3.x client and the user changes his or her password from the Windows 3.x machine, the NTLM hash isn't in the SAM. In this case, a user authentication from NT will fail at level 2. Therefore, Microsoft included level 1 in SP4 to let customers have the advantage of NTLMv2 session security.


According to documentation, level 1 still sends the LM response and the NTLMv2 response in place of NTLM when possible. Ordinarily, L0phtCrack 2.5 cracks the all-uppercase LM passwords, then quickly works through all possible case variations to determine the case-sensitive NT versions of the password. In theory, L0phtCrack would need to crack only the LM responses, leaving the intruder to figure out the case-sensitive version, because L0phtCrack can't crack NTLMv2 responses. However, with level 1, I fully cracked captured authentications to the case-sensitive level, which means the client sent the NTLM response instead of the NTLMv2 response and suggests some possible bugs with level 1 negotiation. The bottom line is that level 1 is vulnerable to both dictionary and brute force attacks on the LM response.

Level 2. Level 2 specifies NTLM authentication only. When using L0phtCrack's SMB Packet Capture mode against a level 2 system, intruders might expect to see only the NT Hash column filled with data and the LanMan Hash column filled with zeros. As Screen 2, line 3 shows, both response columns have the same value. With level 2, NT fills both the NT Hash and LanMan Hash columns with the NTLM response. This response pair lets SP4 or later level 2 clients connect to downlevel servers using a domain account without sending the LM response. Because the downlevel servers understand only LM authentication, they ignore the NT response and forward the LM response to the domain controller. If the domain controller has SP4 or later, the authentication will work.

Level 2 defeats L0phtCrack's default mode, which concentrates on the LM response. In this case, L0phtCrack uses the LM crack algorithm on an NT response. An intruder can still configure L0phtCrack to perform a dictionary attack on the NT response to find the password. But passwords that require the dictionary/brute hybrid attack will probably take too long to crack to be of interest to an intruder, and passwords that require brute force might take years to crack, even with many systems sharing the crack workload. So, to eliminate LM vulnerabilities, set your workstations to level 2, but remember that with level 2, low-quality passwords are still susceptible to cracking.

Level 3. Level 3 specifies NTLMv2 authentication only. When an intruder sniffs a level 3 authentication, the NT Hash column fills with the NTLMv2 response and the LanMan Hash column fills with a LMv2 response.

Microsoft had planned to substitute the LM response with the NTLMv2 response to provide pass-through authentication to downlevel servers, but NTLMv2 responses are longer than 24 bytes. The NTLM authentication protocol specifies that response slots have variable length, therefore downlevel servers should forward the whole response to the domain controller. However, downlevel OSs aren't protocol-compliant and forward only the first 24 bytes of the LM response to the domain controller. So, Microsoft created a 24-byte LMv2 response, which level 3 clients send as an LM response and L0phtCrack records in the LanMan Hash column.

LMv2 is more secure than NTLM, because it computes a 128-bit (rather than NTLM's 56-bit) secret from the password. L0phtCrack 2.5 can't crack responses that have the NTLMv2 and LMv2 combination.

Until L0pht Heavy Industries updates L0phtCrack to crack NTLMv2 responses, level 3 would be very secure, if it worked. In my repeated experiments, level 3 clients consistently failed to log on to SP4 or later servers, regardless of the server's LMCompatibilityLevel. Using an account on the domain controller, I issued the Net Use command to connect to a shared folder on a domain controller. In my testing, level 3 didn't work at all. At press time, Microsoft hadn't responded to the level 3 problem.

Level 4. Level 4 documentation is somewhat ambiguous. In some places, the documentation says level 4 refuses LM authentication, which could mean that level 4 will refuse any client that sends the LM response. Elsewhere, the documentation says level 4 refuses downlevel clients. On testing level 4, I verified that it applies to only downlevel clients. For example, on my server, level 4 refused a connection from my DOS workstation running LAN Manager client software, but level 4 didn't refuse connections from NT clients, even when they sent the LM response. Of course, level 4 doesn't apply to downlevel clients connecting to a non-domain-controller server with a domain account, because the server simply forwards the credentials to the domain controller.

Level 4 specifies that servers refuse connections from downlevel clients using a local account on that server and that domain controllers refuse any connection from downlevel clients. Therefore, you can use level 4 to make sure that you have no downlevel clients sending the vulnerable LM response. However, you can't use level 4 to prevent connections from NT clients that are still sending the LM response. For NT systems, you must prevent the transmission of the LM response at the workstation level by using SP4 or later and LMCompatibilityLevel 2 or above.

Level 5. Level 5 specifies the refusal of clients that send anything but NTLMv2 responses. (Level 5 observes the same exception as level 4 for pass-through authentication to non-domain-controller servers.) You could use level 5 to enforce the highest security and make sure that all clients are NTLMv2-compliant, but level 5 unfortunately has some bugs. In my testing, level 5 servers refused all connections, including properly configured NTLMv2 clients. Microsoft has acknowledged this serious bug, but hadn't released a fix as of press time. SP5 didn't address this problem.

Balancing Security and Compatibility
Of course, life is much simpler and safer if all workstations and servers are NT and SP4 or later. With legacy applications that require downlevel OSs, you need to consider the time needed to apply service packs and the possibility of introducing stability problems. You will want to know exactly which systems require updates in each scenario. You can save a lot of time by using System Policy Editor (SPE) to update the Registry and using the resource kit's Autoexnt utility to apply service packs. For information about using the resource kit's Autoexnt utility, see "Managing Service Packs and Hotfixes," http://www.winntmag.com, InstaNT document number 4996.

Whenever possible, you need to prevent your clients from transmitting the LM response. So, until Microsoft resolves the problems with level 3, I recommend implementing level 2. To avoid having workstations that can't connect to your servers, you need to follow these three steps to update your systems in the correct order.

Install SP4 or later on all domain controllers. (This rule doesn't apply to resource domain controllers because they forward responses to the domain controller in which the account resides.) If your current account is on an SP4 or later domain controller, you can use a level 2 or 3 workstation to map drives to a pre-SP4 server in a trusted domain in which the trusted domain controllers haven't applied SP4 or later.
Identify any downlevel systems such as file or print servers. You need to identify these systems, because level 2 NT workstations can't connect to downlevel computers that use share-level security and non-null passwords. Downlevel systems let you share files by using user-level or share-level security. Share-level security requires downlevel systems to validate the response locally against the share-level password, but on NT clients, the validation will fail because downlevel systems don't understand NTLM responses. If you're using a domain account, user-level security will work because the downlevel system will forward the response to the domain controller. You need to upgrade the downlevel servers to NT or switch to user-level security with domain accounts.
Identify any pre-SP4 NT servers using local accounts instead of domain accounts. You'll need to upgrade these servers to SP4 or later because they'll perform authentication locally and won't understand responses from level 2 clients.
A Few Last Words of Advice
I want to close this technical discussion by making sure you know where to go from here for best possible security. Remember the two main risks from sniffed authentication and subsequent cracking—dictionary cracks and brute force attacks. First, intruders will attack the captured response with a dictionary crack that will quickly uncover any poor password. All versions of the NT response are vulnerable to a dictionary attack. LM and NTLM responses are vulnerable to currently available intruder tools. The NTLMv2 response is vulnerable, but no intruder tools are yet available to exploit it. Second, intruders can launch brute force attacks to crack higher-quality passwords. LM responses built from even complex passwords are extremely vulnerable to brute force attacks—to the point of requiring only trivial effort. NTLM responses built from complex passwords are less vulnerable to brute force, but when hardware gets faster, this resistance will change. NTLMv2 provides much stronger protection against brute force attacks. But when L0pht Heavy Industries revises L0phtCrack, NTLMv2 might be vulnerable to dictionary attacks on poor-quality passwords.

A crucial distinction exists between threats that are theoretical and threats from currently available tools. Corporations suffer the most losses from intruders who don't know how to write a tool such as L0phtCrack but can definitely use one.

The moral of the security story is threefold. First, require long high-quality passwords from your users. As a start, I recommend that users create password phrases in which the first letter of each word makes up the password, then intersperse numbers and symbols. You need to use PassProp and password-notification packages (e.g., passfilt.dll) to enforce stronger password requirements. Second, use the strongest possible version of NT authentication. Try to eliminate LM authentication altogether, because intruder tools can easily crack high-quality passwords when using LM responses. To eliminate LM authentication, you'll need to upgrade your NT systems to SP4 or later and use LMCompatibilityLevel 2. When Microsoft makes fixes available for LMCompatibilityLevel 3 and 5, move your workstations to level 3 and your servers and domain controllers to level 5. As for the downlevel clients, the sooner you replace them, the better your security and total cost of ownership (TCO) will be. NTLM authentication will always be subject to sniffing and cracking, especially with low-quality passwords.

Finally, look forward to the future—Windows 2000 (Win2K) replaces NTLM with Kerberos and extends the Kerberos standard to support certificates stored on smart cards. Let's hope these enhancements will provide permanent protection for network authentication.

Ethereal

Top Ten Ethereal Tips and Tricks by Angela D. Orebaugh -- Ethereal evangelist Angela Orebaugh offers her top ten list of Ethereal tips and tricks. From installing the packet capture driver to using Ethereal to process other sniffer capture files, these tips will have you saying, "Wow, I didn't know Ethereal could do that!" Angela is a coauthor of the recently released Ethereal Packet Sniffing (from Syngress).