| 6/12/2002
-- The value of a computer's information determines its desirability as a target
for hacking -- but only in part. Even valueless machines can serve as jumping-off
sites for additional attacks once compromised, or be used to gather information
about an ostensibly "private" network in preparation for a later intrusion. And
of course, mischief is an endless source of motivation. Knowledge of what the
network should look like is worthless unless regularly compared to the way it
is. I’m using "network" here to refer to the sum of all networked computers, not
to router and switch security, which is a completely different matter. "Securing
the network," in this sense, means preventing remote users from gaining access
to your machines.
Intrusion detection systems are one way to maintain network integrity. However,
a commercial IDS -- properly called NIDS, for Network IDS -- can be costly to
install and maintain. Even open-source systems such as Snort may require an
investment of time in order to set up the necessary rule sets and databases.
Either way, a NIDS usually assumes that you have several reasonably powerful
machines lying around for use as detection hosts. These machines sit on a vulnerable
segment of the network, collecting and comparing network traffic to known attack
signatures. As networks get faster, this becomes more difficult—older machines
are simply incapable of running at Gigabit Ethernet speeds, much less capturing
and analyzing all the traffic that passes through a GE link. Newer, more capable
hardware, of course, is usually being put to more profitable uses.
If you can't afford a NIDS, basic network mapping techniques are still beneficial.
Start by regarding your network not as something you maintain, but as something
you want to break into. Begin collecting intelligence about the machines on
your network, using the same tools available to the intruder. I’ll ignore the
complex subject of local host security for the moment and focus on eliminating
network vulnerabilities, for several reasons. First, local host security --
i.e., preventing security breaches by authorized local users -- involves questions
of policy that can't be addressed through technology, such as how to explain
to your boss that just because he's the boss doesn't mean he needs the root
password to your transaction server jotted down on a Post-It stuck to his monitor.
Secondly, for this exercise, we'll want to assume that a determined local user
can become root at will—therefore, any unauthorized access to the system via
the network is unacceptable. Never forget, of course, that most security breaches
occur from the inside. Don’t focus exclusively on securing the network.
Establishing a Baseline Using nmap
The best tool for network scanning, also known as port scanning, is the open-source
Nmap. Because of the sensitive nature
of this tool -- improper use can shut down entire networks -- I recommend against
downloading a binary distribution of this tool unless absolutely necessary.
The source code is very clean, and if you've never compiled anything before,
it's a good utility to start with. However, relatively trustworthy Linux binaries
are available at the host site. To find binaries for other operating systems,
stick to well-known sites such as Sunfreeware.com.
Nmap performs all sorts of network scans, from simple ping scans to see what
hosts on a network are "alive" to more advanced scans by protocol and packet
type. It's even possible to distribute scans across multiple hosts to hide your
true identity. Nmap is clearly designed to enable rapid pinpointing of hosts
vulnerable to attack, and that's exactly its strength -- and the source of much
criticism in the security community. In my opinion, the mere existence of such
a tool has done much to level the playing field and increase awareness of security
among vendors, which is never a bad thing. By the same token, SANS contends
that there are legitimate groups devoted to mapping the entire Internet—so there
are undoubtedly more nefarious ones as well, probably using the same tools.
Reading Nmap Output
Nmap scans a list of target machines and outputs a list of the interesting ports
on each. A network "port" is simply an abstraction that describes a communication
channel. "Open" ports are associated with running processes. Such processes
are said to be "listening" on the network. Thus, a listening process does something
with the data it receives over its port. This makes open ports dangerous. For
instance, a web server process, under normal circumstances, accepts properly
formatted HTTP requests and sends back the corresponding web pages. However,
if the web server process accepts improperly formatted requests, or responds
unpredictably to properly formatted ones, sensitive information might be divulged.
Network traffic directed to closed ports also generates responses, informing
the requesting machine that the ports are "closed." This is normally accomplished
via an ICMP "port-unreachable" message. ICMP is a network protocol (similar
to the more familiar TCP and UDP) used to determine the state of a network connection.
When you "ping" another machine on the network, you’re actually sending an ICMP
message. Although it’s often simpler and more effective to direct denial-of-service
attacks at listening TCP or UDP ports, certain ICMP requests can overwhelm a
target machine, or force the machine to divulge information about itself. These
types of attacks may seem like mere annoyances, but may lay the foundation for
actual intrusions. For instance, the ICMP "timestamp" request can be used to
help predict TCP sequence numbers, which aids in IP spoofing. When scanning
your own network for vulnerabilities, don’t assume that having all ports closed
makes your machine invulnerable -- read up on how the networking on your particular
machine operates, or you may be surprised.
Here’s a scan of a single hypothetical machine.
$ /usr/local/bin/nmap -sT 10.0.0.1
Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Interesting ports on fake.host.name.com (10.0.0.1):
(The 1545 ports scanned but not shown below are in
state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap run completed -- 1 IP address (1 host up) scanned
in 2 seconds
This machine looks pretty secure. Only 3 ports are active, meaning someone has
secured this machine—almost no Unix systems ship this way by default. Nmap makes
a best guess as to the services running on each port: in this case, the machine
is probably running a Secure Shell server and a web server with SSL enabled. However,
"pretty secure" may as well mean "wide open." A single open port is as good as
a thousand, if the single port is connected to a badly programmed application.
The web server is the most likely port of entry into this system. For now, let's
see if we can determine the version of Secure Shell running on this machine.
$ /usr/local/bin/ssh -v 10.0.0.1
< output snipped for clarity >
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
The "-v" switch to the SSH program tells us that the remote machine is running
a relatively recent version of the OpenSSH project's Secure Shell program, version
3.1 patch 1, probably unlikely to be vulnerable. Someone is probably paying attention
to this machine, making it an unattractive target. Let's move on:
$ /usr/local/bin/nmap -sT 10.0.0.2
Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
Interesting ports on hypothetical.host.com (10.0.0.2):
(The 1525 ports scanned but not shown below are
in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
37/tcp open time
80/tcp open http
111/tcp open sunrpc
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
540/tcp open uucp
1501/tcp open sas-3
4045/tcp open lockd
6000/tcp open X11
7100/tcp open font-service
32777/tcp open sometimes-rpc17
32778/tcp open sometimes-rpc19
32779/tcp open sometimes-rpc21
32780/tcp open sometimes-rpc23
Nmap run completed -- 1 IP address (1 host up)
scanned in 1 second
There are many, many more opportunities here. In fact, it appears as though this
machine might never have been secured after it was initially placed on the network.
The "-O" switch to nmap will try and identify the operating system for us:
$ /usr/local/bin/nmap -O 10.0.0.2
Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
TCP/IP fingerprinting (for OS scan) requires root
privileges which you do not appear to possess.
Sorry, dude.
QUITTING!
A common mistake is to set nmap up with the suid privilege (permissions
string r-sr-xr-x), so that scans performed as non-root users execute with root
privileges. This opens up your system to any number of local attacks, and would
also provide any intruders with a powerful hacking tool, nicely preconfigured
with root privileges, so don’t do this. The appropriate permissions string for
the nmap program itself is r-xr-xr-x, or read-and-execute only for all users.
Clearly, the scanning host must be protected as well. Let's log in as root and
try again:
# ./nmap -O 10.0.0.2
< output snipped for brevity >
Remote operating system guess: Sun Solaris 8 early
access beta through actual release
Uptime 38.959 days (since Mon Mar 1319:39:06 2002)
Nmap run completed -- 1 IP address (1 host up)
scanned in 9 seconds
Nmap has provided us the probable operating system and a large list of potentially
vulnerable ports on this host. Compromising it is probably merely a matter of
additional research.
Massive Attack
Nmap offers many more capabilities than those listed above. The "-sT" switch
I used to scan the above two hosts uses the simplest form of scan, a TCP connect
scan. This scan is easily detectable, and is likely to betray itself in the
target system's logs. Also, a TCP scan only scans TCP ports, ignoring the equally
vulnerable UDP ports. UDP is the connectionless protocol used in applications
such as streaming video, while TCP is the connection-oriented protocol used
for interactive tasks such as HTTP and telnet sessions. Many hall-of-fame security
holes rely on the UDP protocol.
Now that we know what nmap can do, we can use it to establish a baseline of
all our hosts:
nmap -iL list -sS -sU -sR -O -oA results -v -v
The above command runs a "stealthy" TCP scan (so it doesn't set off alarms or
fill up the logs on our own servers), a UDP scan, and a remote procedure call
(RPC) scan on the list of hosts contained in the file "list." That’s a total of
65,536 ports: 32,768 for TCP and UDP (the RPC scan simply tries to gather additional
information about what UDP-based services are running on the target). Nmap then
attempts to identify the operating system, and outputs the results to three files
with the prefix "results":
results.gnmap machine-readable results
results.nmap human-readable results
results.xml XML-formatted results for
use by other applications
The duplicated "-v" switches at the end simply increase the verbosity of nmap’s
output slightly. The type of scan desirable for your network may vary. The nmap
manual page describes all these options in much more detail. In any case, the
resultant list gives us two imperatives. First, we need to secure any ports
we don’t absolutely need running by shutting down their associated processes.
Secondly, we need to be able to compare these results to a more current scan
on a regular basis.
Securing Hosts
Managing applications, closing ports, and setting up host-based IP filtering
is a topic for another article, but a few words are in order. Networking gurus
tend to assume that you want your host to be visible on the network, or that
allowing any and all traffic to reach the host is a good thing. Exactly the
opposite is true, as most system administrators know; thus, the prevalence of
firewalls. However, the "protected" areas behind firewalls are frequently left
unrestricted. This is folly: most security breaches are inside jobs, and a firewall
is no substitute for good host-based security. On a properly secured host, ALL
network traffic should be accounted for, incoming and outgoing.
Most host-based network filtering packages have the capability to block traffic
bi-directionally. An excellent tutorial on restricting IP traffic in this manner
is the How-To document for the IP Filter package. IP Filter is a free firewall
package included with the FreeBSD and NetBSD operating systems, but is compatible
with many others. Incoming and outgoing traffic should both originate from trusted
users. For incoming traffic, this is almost never possible—if you run a Web
server, it’s usually available to the entire world. Filtering outgoing traffic
ensures that an intruder cannot use the machine to launch additional attacks,
nor local personnel use the machine for purposes other than originally intended.
It should go without saying that for this to work, the filtering program must
be immune to interference. This can usually be accomplished by running the filter
as a different user than any listening process, and by limiting root access
to trusted personnel.
Comparing Periodic Nmap Scans
Comprehensive nmap scans of any size can be time-consuming. I’ve personally
had a scan of 25 machines take over 5 hours to run. Unfortunately, a faster
machine is not the answer—this delay is imposed by the need for various types
of scans to timeout. UDP scans progress slower than TCP scans, in general. However,
as UDP ports have historically been the source of major security woes, I can’t
recommend skipping them.
Once you have a baseline scan, peruse nmap’s Related Projects page. Two tools
are of interest here. For a network of medium to large size, the nlog CGI scripts
are useful. These generate a searchable database of your nmap scan results—essential
for a network of any size. Search terms include port, protocol, IP address,
and more. Secondly, the ndiff Perl scripts can be used to generate a list of
changes between two machine-readable nmap output files. Ndiff is analogous to
a Tripwire program for your network.
Store a baseline scan of your network somewhere inaccessible to the average
user—perhaps even on read-only media—and compare it to a regularly scheduled
scan using the cron facility. This works on the assumption that an intruder
will want to do something with your machine once he/she’s gained access: open
up an IRC client, start an FTP server, or begin attacking other machines. Evidence
of such activity should emerge in an nmap scan.
Since some programs, especially those that use the RPC facility, tend to use
high-numbered UDP ports and to change them when the application is restarted,
you’ll also want to compare your baseline to a list of known applications and
ports to differentiate false alarms from real ones. The netstat tool included
with nearly all UNIX systems is useful for this. Here’s sample output from the
10.0.0.1 machine we scanned earlier (some extraneous columns of data have been
removed for formatting purposes):
| $ |
netstat
-a |
|
|
| |
|
|
|
| |
UDP |
|
|
| |
Local Address |
Remote Address |
|
| |
--------------- |
---------------- |
|
| |
|
|
|
| |
TCP |
|
|
| |
Local Address |
Remote Address
|
State |
| |
--------------- |
---------------- |
------- |
| |
|
*.22 |
*.* |
LISTEN |
| |
|
*.443 |
*.* |
LISTEN |
| |
|
*.80 |
*.* |
LISTEN |
Since netstat’s output shows the same three open ports, we’re assured of the
accuracy of our nmap scan. Netstat will also show you any open network connections.
For instance, here’s evidence of an established Secure Shell connection (again,
some extraneous columns of data have been removed for formatting purposes):
| |
TCP |
|
|
|
| |
Local Address |
Remote Address
|
State |
| |
--------------- |
---------------- |
------- |
| |
|
| |
10.0.0.1.2 |
10.0.0.2.1075 |
ESTABLISHED |
Netstat’s output should be checked during your first scan, to ensure that your
baseline isn’t already corrupted. Nmap, along with a few extra tools to parse
its output, can be used to as a simple yet effective network integrity checker.
While not as proactive as a full-fledged intrusion detection system—nmap scans
can only alert you after something unwonted has occurred—this model serves a
different purpose in any case. A NIDS detects attempted intrusions as they occur,
in real time, but often generating multiple false alarms. However, a NIDS is
only as good as its database of attack signatures. If an intrusion does occur
despite the best efforts of the NIDS, monitoring of individual hosts is the
next line of defense. Periodic nmap scans, like Tripwire and other file integrity
checkers, are a key component of any well-rounded security infrastructure.
Simple, Yet Effective
Nmap, along with a few extra tools to parse its output, can be used
to as a simple yet effective network integrity checker. While not as proactive
as a full-fledged intrusion detection system—nmap scans can only alert you after
something unwonted has occurred—this model serves a different purpose in any
case. A NIDS detects attempted intrusions as they occur, in real time, but often
generating multiple false alarms. However, a NIDS is only as good as its database
of attack signatures. If an intrusion does occur despite the best efforts of
the NIDS, monitoring of individual hosts is the next line of defense. Periodic
nmap scans, like Tripwire and other file integrity checkers, are a key component
of any well-rounded security infrastructure. 
|
