Click on our Sponsors to help Support SunWorld
Security: Pete's Wicked World by Peter Galvin

Do you need a penetration test? We look at the use and abuse of penetration testing

SunWorld
February  1997
[Next story]
[Table of Contents]
[Search]
Subscribe to SunWorld, it's free!
Abstract
Even if your company has spent the requisite time and money to secure the data center or a specific facility, how can you be sure it really is secure? You can perform your own penetration test of the facility, or you can hire a consultant or firm to do it for you. This month's column includes the composition of a penetration test, its benefits and risks, and information on performing one yourself or hiring a company to do so.

Also in Pete's Wicked World this month: the bookstore has a roundup of sites providing information about intellectual property on the Internet (and how to protect it). In the buglist, information on a serious bug in wu-ftp. And, if you have Solaris security questions, visit the just-updated Pete's Security FAQ. (3,600 words)


Mail this
article to
a friend
Many sites write security policies, review system and security logs, implement firewalls, run tools to secure machines, and monitor network traffic. (If you're not one of these sites, you should be!) Be warned, however, even all of this work leaves open a some security questions:

How can these questions be answered satisfactorily? Through a penetration test. This test is usually performed by an outside agency that has teams dedicated to just this sort of work. The test could be performed by employees of your company, but one of the points of the test is to throw out all assumptions. Consider how many times you've told yourself (as a security officer at your company) "Well, that machine's patches are out of date" or "I wonder how Bill configured that system"? Although insiders are one of the best sources of information about the state of security within a facility, sometimes it takes an outsider, or a security expert at your company who is not involved with the facility, to rationally analyze the security.

Because penetration testing can be useful in the right setting when executed in the right way, this month's column looks at the details of the who, when, why, and how's of penetration testing.

Unfortunately, if you run to your bookshelf to read all about these site inspections chances are you won't find much. A search of all the security books in my library found just one paragraph on the topic.

What goes into penetration testing?
Why all the secrecy about penetration testing?

  1. Most formal penetration testing is done by commercial companies that are shy about spelling out their methods and tools.
  2. Sites that have had a penetration test done usually don't advertise the fact or the findings. Companies could actually be more susceptible to attack if there is a problem with the methodology of a penetration team and that fact is known to crackers.
  3. Until recently, penetration testing wasn't done commonly, so there is little documentation.
  4. No formalization of the techniques and methods has occurred, and little has been done on penetration testing by research security groups, such as those at universities and research labs.

Penetration test teams evaluate one or more of these aspects of your site:

The methodology used may vary, but a penetration test usually consists of four steps:

  1. Preliminary information gathering -- on-site discussions to scope out the work, determine which machines and networks to test and the types of testing, learn about known and suspected security problems in the facility.
  2. Penetration information gathering -- use DNS to find all public information, the NIC, mail headers, rpcinfo, showmount, finger, et al; search the 'Net for people talking about the site and other information that's available.
  3. Penetration testing via the Internet, leased lines, or dial-up connections. Sometimes, these tests start from the publicly-available machines (Web servers, databases) to determine damage that can occur upon break-in to sites reachable from the outside.
  4. Penetration testing within the facility, if internal security is part of the evaluation.

Within these four steps, various methods can be used to aid in the testing. For instance, social engineering could be used for information gathering, or it could be used to decide that no social-engineering attacks should be attempted. Also, various software and hardware tools can be used.

SAIC, a company that does penetration testing and more, recently completed an evaluation of a secure banking site that I implemented. They were kind enough to share a list of some of the software tools they have available for their testing. Check the Penetration Tools sidebar.

What are the drawbacks to testing?
Of course, there is a down side to penetration testing.

The net result of a penetration test is a report that spells out what was done and what was found. This report will go through multiple revisions as the testees respond and the testers modify and generate a new report. Don't underestimate the time that this cycle takes. If you have a facility that is "going live" at a fixed date, be sure to plan for adequate testing time.

Notice that all testing begins at the beginning -- with your site security policy. If you don't have a policy to implement, it is very difficult to tell if you're meeting your security policy goals. It is even more difficult for an external testing team to evaluate your site. They could point out all the weakness of your site, but this list can be quite extensive even at relatively secure sites. Rather, they want to compare the state of your site with your goal to determine the differences. In this way they can concentrate on the security aspects that are important to your company (e.g., the security of a Web server).

For more reading on penetration testing, check the Concept Five web site, and the information provided by US Host about the testing they perform.

Bug of the Month Club
It's painful when a program you know and love develops a large security hole. This just happened with wu-ftp. Because the only good coverage has only been in the best-of-security mailing list (see the FAQ for more info), the full text of the message is included here. If you run wu-ftp 2.4, beware. it was also pointed out that the fix given below may not be sufficient. Wietse Venema also reports a similar problem in his logdaemon program, which is included in the newest version. Wietse also speculates that all Unix FTP programs may have this bug, so again, beware. 

Subject: serious security bug in wu-ftpd v2.4
From: dg@root.com (David Greenman)

Summary
-------
   There is a serious security bug in wu-ftpd v2.4 (including the
version from Academ) which may allow both regular and anonymous users
to access files as uid 0 (root). The same bug is also responsible for
an advisory lock not being unlocked -- potentially resulting in blocked
access to future ftp logins and filling up the process table and swap
space until the server dies.

Description
-----------
   The ftpd server installs two signal handlers as part of its startup
procedure: one to catch SIGPIPE for control/data port connection closes,
and one to catch SIGURG for when out-of-band signaling is used with the
ABOR (abort file transfer) command. The SIGPIPE handler is:

lostconn(int sig)
{
    if (debug)
        syslog(LOG_DEBUG, "lost connection to %s [%s]", remotehost,
remoteaddr)
;
    dologout(-1);
}

   ...which causes the ftpd server to exit via dologout() whenever the
control or data connection is unexpectedly closed. The function
dologout() is:

dologout(int status)
{
    if (logged_in) {
        (void) seteuid((uid_t) 0);
        logwtmp(ttyline, "", "");
    }
    syslog(LOG_INFO, "FTP session closed");
    if (xferlog)
        close(xferlog);
    acl_remove();
    /* beware of flushing buffers after a SIGPIPE */
    _exit(status);
}

   ...which changes the effective uid to 0, adds a logout record to wtmp,
closes the xferlog log file, removes this instance of the server from
the PID file for his class, and exits.
   The initial part of the SIGURG handler is:

myoob(int sig)
{
    char *cp;

    /* only process if transfer occurring */
    if (!transflag)
        return;
    cp = tmpline;
    if (getline(cp, 7, stdin) == NULL) {
        reply(221, "You could at least say goodbye.");
        dologout(0);
    }
    upper(cp);
    if (strcmp(cp, "ABOR\r\n") == 0) {
        tmpline[0] = '\0';
        reply(426, "Transfer aborted. Data connection closed.");
        reply(226, "Abort successful");
        longjmp(urgcatch, 1);
    }
(...)

   ...which does nothing if transflag is 0 -- not currently doing a file
transfer, but if you are and an ABOR command was issued along with the
"urgent" data that caused this signal, then the procedure does a longjmp()
restoring the "urgcatch" saved state, which ultimately returns back to the
server main command loop.
   Now, some FTP client programs will abort a file transfer by BOTH
closing the data connection AND issuing an ABOR with out-of-band
signaling.
In many instances, the ftpd server gets the SIGPIPE due to the closed data
connection and begins the dologout() procedure. While it is uid 0 and sometimes
while it also has the pid file advisory lock (which occurs in the acl_remove()
procedure), the ftpd server will sometimes be interrupted by the SIGURG that is
delivered as part of the ABOR command. Since transflag is not 0 (a file
transfer WAS occuring), the signal handler does a longjmp which ultimately
returns to the main command loop...and presto, you are uid 0, and to make
things even better, the xferlog log file is closed so nothing you do is even
logged.

   A patch to fix this problem is simple:

*** ftpd.c.bak  Wed Jan  1 22:10:05 1997
--- ftpd.c      Wed Jan  1 22:10:14 1997
***************
*** 2503,2508 ****
--- 2503,2514 ----
  void
  dologout(int status)
  {
+     /*
+      * Prevent reception of SIGURG from resulting in a resumption
+      * back to the main program loop.
+      */
+     transflag = 0;
+
      if (logged_in) {
          (void) seteuid((uid_t) 0);
          logwtmp(ttyline, "", "");

   ...which does as the comment suggests.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

The Bookstore
Are you reading this column from its original source or from a copy? If you print out some pages from a Web site and give them to a friend, are you violating copyright? How about if you duplicate a Web site wholesale?

Copyright issues were considered to be mostly academic issues until computers and the Internet came along. Publication has grown from an ability of the few to a daily-occurance of the many. Along with the excitement (and abuse) of trivial publication have come a blurring of the legal lines. For instance, you can now sit at your home in Oshkosh and gamble in Jamaica. Intellectual property is also under attack by the new technology. It's now time for everyone involved in creating content and protecting content to become at least passingly-familiar with the law and how it effects computing and intellectual property. There are several Web sites that contain information of interest:

If you're looking for a very high-level overview of security concepts and solutions, check out www.securityinfo.com. It's a bit of a sales pitch (it's sponsored by a bunch of security and consulting companies), but it provides a good summary of security concerns.

While you're surfing the Web, you might want to check out a report about information warfare written by the Defense Science Board. This is a lengthy report concerning information warfare on a large scale, and how the defense department can take steps to combat it.

DataNet Security '97 is an interesting-looking conference about security on the Web. Might be worth a visit to Miami in February.

While you're considering security conferences, don't forget SANS '97, surely one of the best bangs for the buck around. It's in April in Baltimore.


Click on our Sponsors to help Support SunWorld

Resources

What did you think of this article?
-Very worth reading
-Worth reading
-Not worth reading
 -Too long
-Just right
-Too short
 -Too technical
-Just right
-Not technical enough
 
 
 
    

SunWorld
[Table of Contents]
Subscribe to SunWorld, it's free! 		[Search]
Feedback 		[Next story]
Sun's Site

[(c) Copyright Web Publishing Inc., and IDG Communication company]

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-02-1997/swol-02-security.html
Last modified:

SidebarBack to story

Penetration Tools

Tools used by SAIC when they perform penetration tests:

arnUDP
Source code demonstrates how to send a single UDP packet with the source/destination address/port set to arbitrary values.

block.c
Prevents a user from logging in by monitoring utmp and closing down his tty port as soon as it appears in the system.

COPS
"Computer Oracle and Password System" checks for many common Unix system misconfigurations. I find this tool very valuable, as it is non-trivial to break a system which has passed a COPS check. I run it on all the systems I admin. It's getting a bit old, but it's still an excellent way to systematically check for file permission mistakes.

Crack
Crack is a tool for insuring that your Unix system's users have not selected easily guessed passwords which appear in standard dictionaries. (Only a very small dictionary is included so grab the one below if you wish.)

Crack Dictionary
A general 50,000 word dictionary for use with Crack.

ESniff.c
Source for a basic ethernet sniffer. Originally came from an article in Phrack, I think.

Fping
Like Unix ping(1), but allows efficient pinging of a large list of hosts.

hide.c
Code to exploit a world-writeable /etc/utmp and allow the user to modify it interactively.

ICMPinfo (V1.10)
ICMPinfo is a tool for looking at the ICMP messages received on the running host.

ISS (Shareware V1.3, Commercial V4)
The Internet Security Scanner is used to automatically scan subnets and gather information about the hosts it finds, including the guessing of YP/NIS domain names and the extraction of passwd maps via ypx. It also does things like check for versions of sendmail which have known security holes. The commercial version is updated regularly, and is probably the best tool used to scan remote systems for vulnerabilities.

Kane Security Analyst (V4)
KSA is a very good tool used to scan the internal configuration of WindowsNT and Novell NetWare platforms. You need administrator/supervisor rights to the target, so it is not necessarily a "hacking" tool, but it is extremely useful in conducting on-site assessments and also day-to-day system security administration. The tool produces some of the best reports I've seen.

LSOF (V3.50)
List All Open Files. Displays a listing of all files open on a Unix system. Useful for nosing around as well as trying to locate stray open files when trying to unmount an NFS-served partition.

Mnt
This program demonstrates how to exploit a security hole in the HP-UX 9 rpc.mountd program. Essentially, it shows how to steal NFS file handles which will allow access from clients which do not normally have privileges.

netcat (V1.10)
Like Unix cat(1) but this one talks network packets (TCP or UDP). Very very flexible. Allows outbound connections with many options as well as life as a daemon, accepting inbound connections and allowing commands to be executed. Now at version 1.1!

NFS-Bug
Demonstrates a bug in NFS which allows non-clients to access any NFS served partition. AIX and HPUX patches included.

NFS Shell
A shell which will access NFS disks. Very useful if you have located an insecure NFS server.

RootKit
A suite of programs like ps, ls, and du which have been modified to prevent display of certain files and processes in order to hide an intruder. Modified Berkeley source code.

rpc_chk.sh
Bourne shell script to get a list of hosts from a DNS nameserver for a given domain and return a list of hosts running rexd or ypserve.

SATAN
System Administrator's Tool for Analyzing Networks

seq_number.c
Code to exploit the TCP Sequence Number Generator bug. A brief but clear explanation of the bug can be found in Steve Bellovin's sequence number comment.

Socket Demon (V1.3)
Daemon to sit on a specified IP port and provide passworded shell access.

SPI
Security Profile Inspector with appropriate BASIS authentication tables (available for US Government personnel through the Department of Energy, Lawrence Livermore National Labs).

Solaris Sniffer
A version of E-Sniff modified for Solaris 2.

Strobe (V1.03)
Strobe uses a bandwidth-efficient algorithm to scan TCP ports on the target machine and reveal which network server daemons are currently running. Version 1.03 is an update to 1.02.

System Security Scanner
From the makers of ISS in Atlanta, a modern day commercial quality version of "cops." The product monitors, in real-time, the security profile of individual hosts from the operating system (OS) perspective. System Security Scanner continuously checks for file ownerships and permissions, OS configurations, Trojan Horse programs, and signs of a hacker's presence. In addition, it provides a corrective action capability that allows the administrator to optionally automate the process of correcting the security vulnerabilities remotely, over a distributed network.

Telnetd Exploit
This tarfile contains source code to the getpass() and openlog() library routines which telnetd links at runtime via ld.so. Modified functions exploit the fact that the shared library can be specified at runtime by the end user via environment variables that are passed from telnetd's environment to the system. Root anyone? The fix is to make sure your telnetd is statically bound!

Tiger (V2.2.3)
Tiger attempts to exploit known bugs, holes, and misconfigurations in order to attain root. It is similar to COPS, but has system specific extensions for SunOS, IRIX, AIX, HPUX, Linux, and a few others.

Traceroute
Traceroute is an indispensable tool for troubleshooting and mapping your network.

xcrowbar.c
Source code demonstrates how to get a pointer to an X Display Screen, allowing access to a display even after "xhost -" has disabled access. Note that access must be present to read the pointer in the first place! (Originally posted to USENET 's comp.unix.security.)

xkey.c
Attach to any X server you have perms to and watch the user's keyboard.

X Watch Window
If you have access permission to a host's X server, XWatchWin will connect via a network socket and display the window on your X server.

YPX
YP/NIS is a horrible example of "security through obscurity." YPX attempts to guess NIS domain names, which is all that's needed to extract passwd maps from the NIS server. If you already know the domain name, ypx will extract the maps directly, without configuring a host to live in the target NIS domain. (gzip'd Bourne Shell Archive)

SidebarBack to story

About the author
Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at peter.galvin@sunworld.com.