It happens with bad implementations where the DNAT (destination NAT) and the SNAT (source NAT) use a different IP because of a wrong rule or because the outbound and inbound interfaces are separated.

As a result, the operating system of the client will discard right away such a reply (with a TCP RST), because it does not match an existing TCP session.

The idea is that a pentester auditing such an infrastructure with a classic scanner will miss some entry points. A typical scanner relies on the network stack of the system : it will not receive the reply and will consider the port as filtered.

So Jonathan came with a proof-of-concept to illustrate his purpose.

It is composed of a B-Router and a client. The B-Router will intercept the reply and maintain the session by sending an ACK. This way, it handles an asymetric routing scheme for the client. Just add a filtering rule to block your system’s RST (iptables -A OUTPUT -p tcp –tcp-flags RST RST -j DROP ), and you are good to go.

Simple but brilliant, isn’t it ? The great thing is that the code has now been included in Metasploit, so it is even more straightforward.

Check the slides of Jonathan at DEFCON for more info. You can download the source there (or just update your Metasploit and look for it in auxiliaries).

Hacking: the next generation

The purpose of this book is to give to the readers an overview of the most common attacks nowadays. It covers all fields : social engineering, web attacks, networking, etc.
It was easy to read : the authors are straight to the point and their sentences are clear.

I especially appreciated their state of art about XSS and CSRF attacks. It is certainly the best I have read so far, greatly illustrated with exciting and real case studies.

On the other hand,  I quickly passed over the networking stuff (both wired and wireless). It was too basic and didn’t show anything new – maybe it is because I specialize in those fields.

Anyway, globally, I strongly recommend this book. It is worth while your money if you want to know more on web attacks or to have a good overview of modern threats.

Beautiful Security

This is a collection of essays by some of the best security experts and hackers.

Well, I won’t go around, I have been quite disappointed by this book. The overall lacks coherence and after a while you start wondering what this book is trying to demonstrate. At the end, there is a crual lack of connection between the essays and it globally makes it appear very confusing.

It also sometimes lacks technical references and the writing style is too verbose, too literal for a technical book to be attractive.

There are however some good essays, like one about PGP (by Philip Zimmermann himself, though). It is hard to find some good and complete documentation about it, and this essay is definitely a good one, which I will probably read again when I feel the need of it.

But I wouldn’t recommend this book only for this short piece of writing. Lack of cohesion, too much litterature and not enough technical stuff actually bored me, though that’s just my personal taste.

Though not many details are given, I am quite skeptical about the possibility of such a massive attack.

However, it shows well that security is not just a technical matter. It has many implications in law, politics, economics, and a whole information system must be prepared to that, starting with our leaders.

That would be a HUGE effort for our politicians here in France – if they ever care…

I found a lot of interest reading it as I was already using ModSecurity – and I think anyone exposing an Apache web server should.
I was actually using it partially. It is not trivial to secure a web application, and the rule engine of ModSecurity is very powerful but it is also quite complex.

So this book was a good opportunity for me to dig into it further.

The book covers all topics : from the set-up to a real use-case.
The author explains how to write rules, how to deal with the performance impact, logging and gives us a range of various core rules to implement to get a good security basis.

The difficulty goes up progressively and the author doesn’t forget the beginners.
The set-up of the module is precisely described. All requirements are also explained and there are some good recalls about regular expressions, common attacks on systems, server and client sides, and other stuff like that.

After reading the book, I could harden my rules, reorganize and optimize them for better performance – something I hadn’t cared about before.

So I have nothing else to say but to recommend this book.
It is definitely a great handbook about ModSecurity that’s worth having next to you. The variety of configuration patterns makes it a reference.

Check it there. I also appreciated the availability of PDF version, so that I can carry it everywhere with my laptop and index it with Beagle.

This time, it is about Yersinia and the ncurses library. I made the following yersinia-opensuse11.1 patch which should work for openSUSE 11.1 and maybe other versions or distros.

I encountered some path issues with the Makefile and openSUSE 11.1 64 bits to compile it, so here is the packETH-opensuse patch to compile correctly.

If you are on a 32 bits system, all you will have to do is editing the CPPFLAGS line and replace all lib64 occurences with lib.

I hope one will find it useful.

Prads is a fingerprinting scanner, coded in Perl. I am fond of this kind of tool, so I enjoyed checking it out.

Prads operates differently from Nmap or SinFP that I already introduced on this blog. It works passively, meaning that it aims to scan systems without sending out a single packet. It does this by capturing the traffic silently though an interface in promiscuous mode.
The advantage, of course, is that it is much more stealth than a classic scanner, which leaves usually a lot of log entries in firewalls or IDS.
It works on several layers and is based on all the common protocols, that should make it efficient and fast : TCP, UDP, ICMP, ARP.

Using Prads is very simple, just look at prads –help for more info.

There is a sample output, after running it a few seconds on my network :

% sudo perl prads.pl -d eth0 --os --service
Starting prads.pl...
Using eth0
DBD::SQLite::db prepare failed: table asset already exists(1) at dbdimp.c line 271 at prads.pl line 320.
 1243801518 [SYN       ] ip:  192.168.222.23 - Linux - 2.6 (newer, 7) [S4:64:1:60:M1460,S,T,N,W7:.] distance:0 link:"ethernet/modem"
 1243801518 [SYNACK    ] ip: 192.168.222.254 - Linux - 2.6 (newer, 0) [5792:64:1:60:M1460,S,T,N,W0:ZA] distance:0 link:"ethernet/modem"
; 3.0.10-1.1.1 Firefox [192.168.222.23:44555] distance:1 link:SERVICE
 1243801518 [SERVICE   ] ip: 192.168.222.254 - Unknown HTTP - HTTP;  [192.168.222.254:80] distance:1 link:SERVICE
; 3.0.10-1.1.1 Firefox [192.168.222.23:44556] distance:1 link:SERVICE
; 3.0.10-1.1.1 Firefox [192.168.222.23:44557] distance:1 link:SERVICE
; 3.0.10-1.1.1 Firefox [192.168.222.23:44558] distance:1 link:SERVICE
; 3.0.10-1.1.1 Firefox [192.168.222.23:44559] distance:1 link:SERVICE
 1243801536 [SYNACK    ] ip:    91.121.56.96 - Linux - 2.6 (newer, 5) [5792:64:1:60:M1380,S,T,N,W5:ZA] distance:7 link:"GPRS, T1, FreeS/WAN"
 1243801536 [SERVICE   ] ip:    91.121.56.96 - Generic TLS 1.0 SSL - ;  [91.121.56.96:443] distance:1 link:SERVICE
 1243801438 [UDP       ] ip:  192.168.222.23 - @Linux - 2.6 [20:64:1:.:2:0] distance:0 link:ethernet [OLD]
 1243801438 [UDP       ] ip:        89.2.0.1 - @Linux - 2.6 [20:64:1:.:2:0] distance:2 link:ethernet [OLD]
 1243801544 [SERVICE   ] ip:        89.2.0.1 - - - DNS; - [89.2.0.1:53] distance:1 link:SERVICE
 1243801549 [SYNACK    ] ip:   192.168.222.1 - Cisco - 7200, Catalyst 3500, etc [4096:255:0:44:M1460:A] distance:0 link:"ethernet/modem"
 1243801549 [SERVICE   ] ip:   192.168.222.1 - Cisco SSH - Protocol 1.5; 1.25 [192.168.222.1:22] distance:1 link:SERVICE
 1243801549 [SERVICE   ] ip:  192.168.222.23 - OpenSSH - Protocol 1.5; 5.1 [192.168.222.23:42208] distance:1 link:SERVICE
 1243801600 [SYN       ] ip:  192.168.222.23 - Linux - 2.6 (newer, 7) [S4:64:1:60:M1460,S,T,N,W7:.] distance:0 link:"ethernet/modem"  [OLD]
 1243802459 [SYNACK    ] ip:   192.168.222.2 - UNKNOWN - UNKNOWN [8192:128:1:60:M1460,N,W8,S,T:A] distance:0 link:"ethernet/modem"
 1243802459 [SERVICE   ] ip:  192.168.222.23 - Windows SMB - ;  [192.168.222.23:37748] distance:1 link:SERVICE
 1243802459 [SERVICE   ] ip:   192.168.222.2 - Windows SMB - ;  [192.168.222.2:445] distance:1 link:SERVICE
 1243801596 [SYNACK    ] ip:    91.121.56.96 - Linux - 2.6 (newer, 5) [5792:64:1:60:M1380,S,T,N,W5:ZA] distance:7 link:"GPRS, T1, FreeS/WAN"  [OLD]
 1243801596 [SERVICE   ] ip:    91.121.56.96 - Generic TLS 1.0 SSL - ;  [91.121.56.96:443] distance:1 link:SERVICE [OLD]
 1243801367 [UDP       ] ip:   192.168.222.2 - @Windows - MS [20:128:0:.:0:0] distance:0 link:ethernet [OLD]

As you can see, there is already some interesting output.
It detected quite well my Linux laptop running Firefox (UPDATE : according to the author, it is a bug as client detection has not been implemented yet) and surfing a few website, the provider’s DNS servers, another Linux machine and a Windows desktop. Concerning the last two, I guess that a more completed signature database would have allowed a more precise fingerprinting. The Linux box is a wifi Linksys router and the Windows one runs Vista.
Also, the gateway curiously did not show up itself, but the presence of a SSH connection helped to find it.
Finally, there is a little incoherence between the distance shown for the DNS server (=2, correct) and for the service (=1).

To be honnest, so far, I had never found interest in the existing passive scanners. There were POf but it is now pretty outdated and seems not to be developped anymore. Ettercap could fingerprint the system seen while sniffing (profiles), but it was definitely too limited and not really furtive. Moreover, Nmap with the right options, or SinFP itself can be quite stealth.

But now Prads has a place among the tools I use. It is efficient, straight forward and provide some useful info, beyond the OS detection : service and client info, distance, etc. It is nice because, once again, all these data are obtained withou sending out any request at all.

As it is in its early stage, it is very promising and I am looking forward to Prads and its signature database improving. Please keep up the good job !

That’s all for today. This tour was short but I will write again about this tool, as I will be using it. The next post will probably introduce the way the signature database is built and how it can be extended. So keep wired and don’t forget to check the Prads homepage.

It is incredible that Microsoft invests so much money in its security and that there are still such a bad security design for programs that in no way should be granted any administrator access (calc.exe or notepad.exe).

Also, I can’t imagine that no one could detect it in their teams during the quality process and security audit.

What the hell are they doing ?