<?xml version="1.0" encoding="UTF-8"?>
<!--Generated by Squarespace Site Server v5.0.0 (http://www.squarespace.com/) on Fri, 21 Nov 2008 22:56:18 GMT--><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0"><channel><title>Dale Brice-Nash</title><link>http://blogs.interfacett.com/dale-brice-nash/</link><description></description><copyright></copyright><language>en-US</language><generator>Squarespace Site Server v5.0.0 (http://www.squarespace.com/)</generator><item><title>Network Security: MITM Assumptions</title><dc:creator>Dale Brice-Nash</dc:creator><pubDate>Sun, 17 Dec 2006 01:40:32 +0000</pubDate><link>http://blogs.interfacett.com/dale-brice-nash/2006/12/16/network-security-mitm-assumptions.html</link><guid isPermaLink="false">68196:588425:818320</guid><description><![CDATA[<p>In relation to security, one of my favorite concepts to teach is MITM (man in the middle) attacks. The message is powerful, deliberate and exacting: you can capture all of the logins, HTTPS or not, RDP traffic... I love it! When I demonstrate this, everything is contained within a small network: a switch, a router and a few clients going out to the web. I have found, though, that one of the critical points I am trying to illustrate is not getting across. Many assume that this is only a risk if the attacker is on their network. This is an extremely incorrect assumption, and a dangerous one as well. The attacker's system can be on their network, on the server's network, or on any network between the two. If an attacker is not already in control of a system or network en route, a network attack can be used to reroute traffic through networks that are under their influence. These attacks may be route table poisoning, network redirection using ICMP redirects, or loose source routing. 
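The rerouting primitives named above can be spotted on the wire. The following Python is an added example, not code from the original post: it parses constructed IPv4 packets (no live capture; the header checksum is not verified) and flags Loose/Strict Source Route options and ICMP Redirect messages. The hop and gateway addresses in the samples are made up for the demonstration.

```python
"""Flag the two network-layer rerouting primitives named in the post: IPv4
source-route options (LSRR/SSRR) and ICMP Redirect messages.

Added example, not code from the original post. The packets are constructed
by hand below; nothing is captured live and the header checksum is not checked.
"""
import ipaddress
import struct

ICMP_REDIRECT = 5               # RFC 792 Redirect message type
OPT_EOL, OPT_NOP = 0, 1
OPT_LSRR, OPT_SSRR = 131, 137   # RFC 791 Loose / Strict Source and Record Route


def parse_ipv4(pkt: bytes) -> dict:
    """Split an IPv4 packet into addresses, protocol, options bytes and payload."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 packet")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a sane IPv4 header")
    end = total_len if 0 < total_len <= len(pkt) else len(pkt)
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "options": pkt[20:ihl], "payload": pkt[ihl:end]}


def source_route_hops(options: bytes):
    """Walk the options list; return (kind, hops) for an LSRR/SSRR option, else None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                                   # malformed option: stop, do not read past the list
        if kind in (OPT_LSRR, OPT_SSRR):
            body = options[i + 3:i + length]        # skip kind, length, pointer
            hops = [str(ipaddress.IPv4Address(body[j:j + 4]))
                    for j in range(0, len(body) - len(body) % 4, 4)]
            return ("LSRR" if kind == OPT_LSRR else "SSRR"), hops
        i += length
    return None


def icmp_redirect_gateway(proto: int, payload: bytes):
    """For an ICMP Redirect, return the gateway address the victim is told to use."""
    if proto != 1 or len(payload) < 8:
        return None
    icmp_type, _, _, gw = struct.unpack("!BBH4s", payload[:8])
    return str(ipaddress.IPv4Address(gw)) if icmp_type == ICMP_REDIRECT else None


def rerouting_indicators(pkt: bytes) -> list:
    """Return one line per indicator found in the packet (empty list = nothing seen)."""
    ip = parse_ipv4(pkt)
    findings = []
    sr = source_route_hops(ip["options"])
    if sr:
        findings.append(f"{ip['src']} -> {ip['dst']}: {sr[0]} option via {sr[1]}")
    gw = icmp_redirect_gateway(ip["proto"], ip["payload"])
    if gw:
        findings.append(f"{ip['src']} -> {ip['dst']}: ICMP Redirect to gateway {gw}")
    return findings


def build_ipv4(src: str, dst: str, proto: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Construct an IPv4 packet for the samples (options padded to 32 bits, checksum zero)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


def lsrr_option(hops) -> bytes:
    """LSRR option: kind, length, pointer (4 = first hop slot), then the hop addresses."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([OPT_LSRR, 3 + len(body), 4]) + body


# Constructed sample traffic: a plain TCP segment, a segment asking to be relayed through
# an attacker-chosen hop, and an ICMP Redirect steering the client at a bogus gateway.
SAMPLES = [
    build_ipv4("10.0.0.5", "203.0.113.10", 6, payload=b"\x00" * 20),
    build_ipv4("10.0.0.5", "203.0.113.10", 6, options=lsrr_option(["198.51.100.7"]), payload=b"\x00" * 20),
    build_ipv4("10.0.0.1", "10.0.0.5", 1,
               payload=struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0,
                                   ipaddress.IPv4Address("10.0.0.66").packed) + b"\x00" * 28),
]


def scan(packets=SAMPLES) -> list:
    """Run the indicator check over a list of packets and collect the findings."""
    return [line for p in packets for line in rerouting_indicators(p)]


if __name__ == "__main__":
    for line in scan():
        print(line)
```

Seeing either primitive is an indicator, not proof: most routers and hosts now drop source-routed packets and ignore redirects, so in practice the check is a policy assertion (none of this should appear on your network) rather than a signature for any particular tool.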
With the packets forwarded through a point where they can conduct the MITM, they can perform authentication or application layer attacks without detection by the IDS/IPS present on the networks to which the client and server are attached. Even with a TLS MITM there is little that detects a forged SSL certificate. We can really only help stop this by educating users on the appropriate rejection of certificates whose properties do not match, through our organizational security policies and user awareness training.</p><p>Happy Holidays</p><p><img style="width: 50px; height: 17px" alt="Mowing the grass." src="http://blogs.interfacett.com/universal/images/emoticons/Mowing_the_grass_emoticon.gif" />&nbsp;&nbsp;</p>]]></description><wfw:commentRss>http://blogs.interfacett.com/dale-brice-nash/rss-comments-entry-818320.xml</wfw:commentRss></item><item><title>Cain &amp; Abel 4.2 Released</title><category>Security</category><dc:creator>Dale Brice-Nash</dc:creator><pubDate>Sun, 10 Dec 2006 04:25:59 +0000</pubDate><link>http://blogs.interfacett.com/dale-brice-nash/2006/12/9/cain-abel-42-released.html</link><guid isPermaLink="false">68196:588425:808250</guid><description><![CDATA[<p>I am in constant amazement at the sheer speed with which the Cain &amp; Abel suite of security threat analysis tools is versioned. Even within the minor versions, fantastic features that exploit the ways in which we implement access and authentication, and MITM (man in the middle) attacks, are integrated with flawless precision. Bravo!</p><p>In the 4.2 release the focus is on SMB (Server Message Block) MITM attacks. Previous utilities used to exploit this have been SMB Proxy and SMB Relay. In Cain, both down-level authentication and session reset operations are possible with ARP cache poisoning (aka ARP Poison Routing / APR), so a switched network is no obstacle. 
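ARP Poison Routing leaves a trace the switch itself will not raise: an IP address that suddenly answers from a different MAC. The following Python is an added example, not code from the original post or from Cain &amp; Abel: it learns IP to MAC bindings from constructed Ethernet/ARP frames, pins the gateway as a static binding, and reports any frame that moves a binding or whose Ethernet source disagrees with the ARP sender field. The MAC and IP addresses in the samples are invented for the demonstration.

```python
"""Detect ARP cache poisoning (the APR technique the post refers to) from raw
Ethernet frames. A poisoner answers for an IP address it does not own, so the
IP suddenly maps to a new MAC; a clumsier variant also leaves the frame's
Ethernet source disagreeing with the ARP sender hardware address.

Added example, not code from the original post or from Cain & Abel. The frames
below are constructed inline for the demonstration.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp_frame(frame: bytes):
    """Return (eth_src, op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42:
        return None
    _, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(eth_src), op, mac_str(sha), ip_str(spa), ip_str(tpa)


class ArpWatch:
    """Learn IP -> MAC bindings from ARP traffic and report when a binding changes."""

    def __init__(self, static=None):
        # static: trusted bindings (typically the default gateway) that are never relearned
        self.static = dict(static or {})
        self.table = dict(self.static)

    def observe(self, frame: bytes) -> list:
        parsed = parse_arp_frame(frame)
        if parsed is None:
            return []
        eth_src, _op, sha, spa, _tpa = parsed
        alerts = []
        if eth_src != sha:
            alerts.append(f"frame from {eth_src} carries ARP sender MAC {sha} for {spa}")
        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha                   # first sighting: learn it
        elif known != sha:
            kind = "static" if spa in self.static else "learned"
            alerts.append(f"{spa}: MAC changed {known} -> {sha} ({kind} binding)")
            if kind == "learned":
                self.table[spa] = sha               # follow the change so a flap is reported each time
        return alerts


def build_arp(eth_src, sha, spa, tha, tpa, op=ARP_REPLY, eth_dst=None) -> bytes:
    """Construct an Ethernet/ARP frame (MACs as colon-hex strings, IPs as dotted quads)."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst or tha), mac_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:01", "192.168.1.1"
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:02", "192.168.1.20"
ATTACKER_MAC = "de:ad:be:ef:00:01"

# Constructed frames: the victim asks for the gateway, the gateway answers, then the two
# poisoned replies an APR tool sends (gateway's IP to the victim, victim's IP to the
# gateway), and finally a reply that spoofs the ARP sender field but not the frame source.
SAMPLES = [
    build_arp(VICTIM_MAC, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP,
              op=ARP_REQUEST, eth_dst="ff:ff:ff:ff:ff:ff"),
    build_arp(GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(ATTACKER_MAC, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(ATTACKER_MAC, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp(ATTACKER_MAC, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]


def run(frames=SAMPLES, static=None) -> list:
    """Feed frames through ArpWatch with the gateway pinned; return all alerts."""
    watch = ArpWatch(static if static is not None else {GATEWAY_IP: GATEWAY_MAC})
    return [a for f in frames for a in watch.observe(f)]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Pinning the gateway matters because that is the binding APR rewrites on every victim. The learned table will also flip on legitimate events such as a NIC replacement or a DHCP lease handed to a new host, so treat a changed learned binding as something to investigate rather than an alarm on its own.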
Cain just keeps getting better and better as a framework to explore the ways these security threats are being exploited by the crackers and company. <strong><u>Be forewarned however...</u></strong> it may seem irresistible to install this suite, but doing so may be in direct violation of your organization's security policies, and the tool may be performing covert operations as well (remember SUB7). I use it on disposable systems only: non-production machines that never touch real networks (classroom, lab and test). And still I wait with bated breath for what the next release may bring...</p>]]></description><wfw:commentRss>http://blogs.interfacett.com/dale-brice-nash/rss-comments-entry-808250.xml</wfw:commentRss></item><item><title>I Love This Tool: ADModify.Net</title><category>System Administration</category><dc:creator>Dale Brice-Nash</dc:creator><pubDate>Sat, 02 Dec 2006 19:11:32 +0000</pubDate><link>http://blogs.interfacett.com/dale-brice-nash/2006/12/2/i-love-this-tool-admodifynet.html</link><guid isPermaLink="false">68196:588425:794833</guid><description><![CDATA[<p>Have you ever needed to edit a lot of Active Directory user objects at once... potentially even thousands! This capability has typically been limited to scripting, ldifde.exe or third-party utilities ($). Enter ADModify, a free utility available from <a href="http://www.gotdotnet.com/">www.gotdotnet.com</a>. Just search for ADModify from the homepage, go to the link for workspaces and find ADModify in the listing. The tool does require the .NET Framework to run, so make sure it is installed. I have found hundreds of scenarios and legitimate applications of this utility. It will alter properties for users, groups, MS Exchange contacts and MS Exchange public folders, but probably its most powerful characteristic is the LDAP filtering of results. 
I can search on any schema attribute of the object classes it can modify, and only the objects matching the query string are displayed for selection in the result set. You can then even sub-select with Ctrl and Shift to multi-select what will be modified. If you make an error, the tool creates an XML file after every run that allows you to roll back the changes transactionally, and only on the objects it modified, not those that already had the attribute set. I cannot think of any Exchange administrator who would not find this helpful at some time or another, and that goes without saying for any Active Directory administrator. </p><p><img style="width: 22px; height: 25px" alt="Can't write anything." src="http://blogs.interfacett.com/universal/images/emoticons/Cant_write_anything_emoticon.gif" /></p>]]></description><wfw:commentRss>http://blogs.interfacett.com/dale-brice-nash/rss-comments-entry-794833.xml</wfw:commentRss></item><item><title>What is PE and Why Should You Care:</title><category>Security</category><category>System Administration</category><dc:creator>Dale Brice-Nash</dc:creator><pubDate>Wed, 22 Nov 2006 14:01:39 +0000</pubDate><link>http://blogs.interfacett.com/dale-brice-nash/2006/11/22/what-is-pe-and-why-should-you-care.html</link><guid isPermaLink="false">68196:588425:781731</guid><description><![CDATA[<p>Many of us are familiar with Linux Live CDs. These CDs are entire operating systems (OS) that are fully bootable, even when put onto a prepared flash drive, offering a full set of tools for simple browsing and workstation functionality, firewalls, pentesting and forensic analysis, plus many more. All without having to deal with dependencies and compiling code. What about Windows? 
Well, under Microsoft's Software Assurance licensing model, many organizations are afforded the same capabilities.</p><p>First, a definition of PE (Preinstallation Environment): it is a subset of the XP (SP0/SP1/SP2), 2003 (SP1/R2) and Vista OSs that provides a functional OS built from the original installation media. It was originally designed for OEM use (Dell, HP and others) and later expanded for use in imaging technologies like Automated Deployment Services (ADS is a MS Feature Pack for Enterprise and Datacenter editions), Microsoft SMS with the SP1 Operating System Deployment Feature Pack, down-level configurations of Remote Installation Services (RIS), and third-party VARs. In this context it is designed to replace the old boot floppies, used with a PXE server or as an El Torito compliant bootable CD-ROM. In Vista, it is the installation environment that replaces the old blue-screen mode (for lack of a better term, the DOS mode, but not really) that did the initial preparation of the system during install. It allows for a Windows Imaging (WIM) format of installation that is file based, so applying a service pack to a master image is no longer a necessary task. WIM also allows applications to be installed, files to be added, or new drivers added to the $OEM$ directories and catalog in this same manner.</p><p>FYI: to get more guidance on SMS, RIS and automated deployment techniques for the OS and Office, search the MS site for BDD. Some of it is project management oriented, some technical.</p><p>With systems deployment and installation characteristics set aside... PE can also extend the same Linux Live CD capabilities to the Windows OS. The best known resource in this regard is Bart Lagerweij, whose website is <a href="http://www.nu2.nu/">http://www.nu2.nu/</a>. His website is replete with documentation and resources to fully capitalize on this feature made available to Windows. 
It includes application plug-ins and offers guidance on how to add your own. With his set of tools it is easy to create recovery tools and virus removal disks on CD/DVD or flash disks. I have prepared a trilogy of video blogs that demonstrate how to do this and how to perform a virus scan on an infected machine, so check it out! </p><p><img style="width: 48px; height: 28px" alt="A lot of work." src="http://blogs.interfacett.com/universal/images/emoticons/Alot_of_work_Emoticons.gif" /></p>]]></description><wfw:commentRss>http://blogs.interfacett.com/dale-brice-nash/rss-comments-entry-781731.xml</wfw:commentRss></item><item><title>Come Participate in the AZ Security Practitioners' Forum</title><category>Security</category><dc:creator>Dale Brice-Nash</dc:creator><pubDate>Sun, 19 Nov 2006 02:00:21 +0000</pubDate><link>http://blogs.interfacett.com/dale-brice-nash/2006/11/18/come-participate-in-the-az-security-practitioners-forum.html</link><guid isPermaLink="false">68196:588425:776794</guid><description><![CDATA[<p>For those of you interested in an open-forum security user group, I would like to invite you to come to the AZ Security Practitioners' Forum. It can be accessed at <a href="http://www.azspf.org/">http://www.azspf.org</a>. I have been involved with this group since it began more than a year ago. It also has resources and links to other user groups in the Phoenix area. It has a very wide base of topics that are covered. Policies, physical security, law, overviews from BlackHat and DEFCON, and technical application of exploits are a few of the past meeting topics. The interests of the participants are the driving elements in its topics and discussions, and anonymity is encouraged. 
It also features a listserv for new events within the realm of security and for meeting topics. I have found it to be an excellent resource for networking with other professionals who share common interests within the vast scope of security, and I am constantly learning more by being involved. If you are up to it, we meet every fourth Monday of the month from 6:30 PM to 8:30 PM, December excluded... the location is Interface Technical Training, Park Central Mall, 3110 N. Central Ave, Ste 160, Phoenix, AZ. There is no charge to attend and I hope to see you there...</p><p><img style="width: 39px; height: 19px" alt="Fun pushing." src="http://blogs.interfacett.com/universal/images/emoticons/fun_pushing.gif" /></p>]]></description><wfw:commentRss>http://blogs.interfacett.com/dale-brice-nash/rss-comments-entry-776794.xml</wfw:commentRss></item><item><title>Part 2: My Thoughts: Security Vulnerability Categories</title><category>Security</category><dc:creator>Dale Brice-Nash</dc:creator><pubDate>Sat, 11 Nov 2006 15:43:11 +0000</pubDate><link>http://blogs.interfacett.com/dale-brice-nash/2006/11/11/part-2-my-thoughts-security-vulerability-categories.html</link><guid isPermaLink="false">68196:588425:766821</guid><description><![CDATA[<p>A few other attacks that come to mind are root bridge injection, management VLAN color tagging and dangling switch syndrome, all of which are based on IEEE 802.1&quot;x&quot; standards. Even IP spoofing or loose source routing attacks can be attributed to RFCs within the IAB's purview and the task forces it governs. FISMA, SOX and HIPAA legal compliance may also be subjected to the same analytical debasement. In my opinion, it mirrors the struggle faced in the encryption realm of security... code makers battling the code breakers. 
Each struggles to outdo the other in a constant ebb and flow of technological advance vs. interpretive application of exploits that leverage the designs described in the standard the other is creating.</p><p>I am strained to legitimize open systems within this context, but I am also aware that in today's environments this type of closure would create a critical path within the telecommunications industries, reducing us back to closed systems, islands of automation or proprietary extensions added to existing standards... breaking heterogeneous network capability. Can you say &quot;Into the way back machine, Mr. Peabody&quot;? I cannot say that I have an answer to this conundrum, but only offer my observations on how this is occurring in today's constant evolutionary cycle of attacks in Info Sec.</p><p><img style="width: 31px; height: 28px" alt="Being a chemist." src="http://blogs.interfacett.com/universal/images/emoticons/Chemist_emoticon.gif" />More next time.</p>]]></description><wfw:commentRss>http://blogs.interfacett.com/dale-brice-nash/rss-comments-entry-766821.xml</wfw:commentRss></item><item><title>My Thoughts: Security Vulnerability Categories</title><category>Security</category><dc:creator>Dale Brice-Nash</dc:creator><pubDate>Sat, 04 Nov 2006 00:30:46 +0000</pubDate><link>http://blogs.interfacett.com/dale-brice-nash/2006/11/3/my-thoughts-security-vulnerability-categories.html</link><guid isPermaLink="false">68196:588425:755851</guid><description><![CDATA[<p>I teach many disciplines in technology, but by far my passion is security. One of my theories on vulnerability categories is that there is a meta-category that transcends multiple categories, which I call &quot;Standards-Based Attacks&quot;. Many of us are familiar with the Social Engineering, Application, or Distributed/Denial of Service categories, etc... 
My thought is that standards in electronic communication, policies, encryption, Info Sec principles and such are being dissected and used as attack vectors by attackers. One such instance that comes to mind is ARP cache poisoning; it is clearly based on switching concepts following the IEEE standards. I truthfully believe that we are slowly being forced back into closed system environments and vendor-specific resolutions due to this behavior. Think about how many attacks are predicated on standards within our communications and Info Sec principles.</p><p><img style="width: 100px; height: 37px" alt="Matrix." src="http://blogs.interfacett.com/universal/images/emoticons/Matrix_emoticon_II.gif" />&nbsp;&nbsp;&nbsp;&nbsp; ...to be continued</p>]]></description><wfw:commentRss>http://blogs.interfacett.com/dale-brice-nash/rss-comments-entry-755851.xml</wfw:commentRss></item></channel></rss>