TECH 581 W Computer Network Operations: Laboratory 2, Team 2

Abstract

The exploration of network penetration does not stop with just an overview of penetration testing.  Digging deeper, just below the umbrella topic of penetration testing is network reconnaissance.  Network reconnaissance, the act of observing network activity, can be classified into active network reconnaissance and passive network reconnaissance.  This is based on whether the network being targeted could be aware of the efforts (active), or could not be aware of the efforts (passive).

In the second lab for course we deal with network reconnaissance.  Specifically we deal with active network reconnaissance, and the tools and techniques that go with it.  As before the first part of the lab is a current literature review on the topic, followed by the methods used to answer the questions presented, the answers themselves and finally our conclusions.  The focus these activates being the TCP/IP model and how they relate to SCADA systems.

Literature Review

About Penetration Testing, by Matt Bishop

The article, About Penetration Testing by Matt Bishop of the University of California, Davis, talks about red teaming and what red teaming is. Bishop answers different questions in his article, such as what is a penetration test, what do the attackers know, and what resources do the attackers have?  He gives an example of a police officer examining a car that they are unfamiliar with to see how a car thief would steal the car. The examining is an example of penetration testing, “it’s an analysis of some aspect of a system  (Bishop, About Penetration Testing, 2007).” Bishop describes that penetration testing needs to have a goal such as informing the sponsors “how easy (or hard) breaking into the system is  (Bishop, About Penetration Testing, 2007)?” Bishop continues on to talk about how a skilled attacker may have more of a willingness to break into the system if the desire is great enough over a penetration tester. He also says that attackers have more time then a tester to bypass and acquire the desired information. Bishop states that if the goal of the test is to handle all classes, then the testers should have access to all tools unless there is a way to deny them of that resource.

Bishop makes some good point that attacks do have more time to spend running recon against a system they want to infiltrate. An attacker(s) with the desire and enough motivation can find ways into a system that a penetration tester may not find. New tools and modified tools may arise that unlock a path that was previously blocking an attacker and penetration testers. A motivated attacker can quickly take advantage of this opening of the systems thus while a penetration tester is learning and finding ways to protect the system from this tool.
Security Plan for Red Team Testing, by Matt Bishop

According to Matt Bishop “The goal of security plan is to ensure that proprietary and confidential information remains proprietary and confidential (Bishop, Security Plan for Red Team Testing, 2007)”. He goes on to describe proprietary as “the vendor and the Secretary of State agree that the information or device is proprietary… (Bishop, Security Plan for Red Team Testing, 2007)” They plan on having two types of secure facilities at a remote institution and at the Secretary of State’s office. The remote institution is to be used for planning and preparation while at the Secretary of State’s office will house the testing. At these facilities they will be testing the e-voting systems and there source code. While at the remote facility no actual e-voting machines will be there, only the access to the source code. Bishop does not have a research question but is simply running tests against source code.

Bishop takes good tests to ensure data is protect by keeping an internal network, physically secure and unconnected to the outside world. He goes on to mark the internal network with red to clearly identity which systems are for sensitive information. He also has another set of systems that is connected to the outside world by way of DSL line. This network is identified by green tape or tags. This is a great why to retrieve information from the internet while not contaminating the internal private network.

Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs by Michael Gegick and Laurie Williams
This article is about software patches that fix vulnerabilities and how these patches can cost several times more than the release. They go on to talk about how vulnerabilities shows patterns in which can lead to where the vulnerable areas exist in a system. Applied within the software community was Christopher Alexander’s, “where a problem recurs and provides a solution that can be applied regardless of the environment in which the problem occurs  (Gegick & Williams, 2005)” They try to use the SAFE-T as a means of security to identify the potential vulnerabilities that can exits. They have researched four different web-based security vulnerability databases which lead to 244 previously reported vulnerabilities. These four web-based security vulnerability companies that house the vulnerability databases are SecurityFocus, Help Net Security, Secunia, and SecurityTracker. Gegick and Williams’ study targeted undergraduate students mainly because of there inexperience and how they are not security experts. They used the students as a test bed for how easily software systems can be inclined to attacks.

An important way to help discover attacks is by creating an attack tree. This diagram will help “show the goals of an attacker (Gegick & Williams, 2005)”. Another form of diagram is an attack net which is a graphical representation of a where a system penetration test should happen. There are three taxonomies that were examined, forty-nine attack patterns, answers there questions: “How did it enter the system? When did it enter the system? Where in the system is the vulnerability manifest?  (Gegick & Williams, 2005)”, and four hierarchical classes: “Design Flaws, Environmental Flaws, Coding Flaws, and Configuration Flaws  (Gegick & Williams, 2005)”.

They have substantial amount of research and data about vulnerabilities with systems. They also supply ways of discovering vulnerabilities before software is released to the public and save on releasing patches that the user may not install. The use of the three taxonomies is also a great way for software developers to answer while software is still being developed.

Grammar Based Whitebox Fuzzing by Patrice Godefroid, Adam Kiezum, and Michael Y. Levin

This article is about how they “enhance whitebox fuzzing of complex structured-input applications with a grammar based specification  (Godefroid, Kiezun, & Levin, 2008)” and they test there algorithm on a JavaScript interpreter in Internet Explorer 7. This algorithm increased the grammar-based coverage from 53% to 81%. They give examples of code for interpreter and algorithm. There new algorithm two key components, high-level symbolic constraints and custom constraint solver. With grammer-based whitebox fuzzing, more paths and deeper processing maybe done instead of possible going into a infinite loop because of where a path lead.
Fast Model-Based Penetration Testing by Sankalp Singh, James Lyons, and David M. Nicol

In this article they propose a different approach to penetration testing called Model-Based Penetration Testing. This new approach gathers detailed information about the host such as the “configurations, attacks, vulnerabilities, critical assets, and connectivity  (Singh, Lyons, & Nicol, 2004)” then it will create independent attack paths. Model-checking tools attempts to determine the capabilities the attacker may have during the current state then generates the next states. There is a major difficulty when using model-checking, it can quickly explode the number of hosts and exploits available to the attacker thus increasing the number of vulnerabilities to the host. They present a mechanism which will build repeated random paths and can estimate “the total number of paths or the total number of paths of a particular length or less  (Singh, Lyons, & Nicol, 2004)”. Through out the paper they use three levels of privilege, none, user, or root.

They provide several formulas for ternary relation, binary relation, estimating the probability and more.

Attack Net Penetration Testing by J.P. McDermott

McDermott talks about how penetration testing is more of an art then science, and how testers need to have knowledge of products and systems. This article is about usefulness of penetration testing as a Petri net. This technique has the depicting refinement of specific attacks and attack alternatives which is similar to attack trees. He then draws out an attack tree for opening a safe. Open Safe is at the top, then four ways of opening the safe are listed below from there the tree counties to grow blackmail, eavesdrop and so forth in order to open the safe. Looking at every possible way to access what is desired is important for an attack tree. He also talks about six flaw hypothesis approach, ”

1. Define penetration testing goals.

2. Perform background study.

3. Generate hypothetical flaws.

4. Confirm hypothesis.

5 Generalize discovered flaws

6. Eliminate discovered flaws.  (McDermott, 2001)”

McDermott then goes on to give an example using Mitnick attack, which using SYN flooding, TCP session hijacking, and UNIX .rhosts trust relationship spoofing, to represent the exploit.

McDermott attack net approach to penetration testing is a good approach to follow. He may not provide any supporting data but does have several diagrams that show an adherent to the brainstorming activity while at the same time not restricting the free range of ideas.

Three Different Shades of Ethical Hacking: Black, White and Gray by David M. Hafeele

Hafeele starts off talking about how corporations have to defend there networks against several different kinds of attacks. They have several different type of tools, such as firewalls, intrusion detection devices, which help organizations fight off attacks. Hafeele claims that his paper “seeks to investigate the rationale for using there penetration experts in order to determine the level of security (Hafele, 2004)” he also examines the philosophy behind black, white and gray box testing. Hafeele says “I think my network is secure, therefore, it is secure, no matter what the security experts may say (Hafele, 2004).” He explains that his is a common assumption among management because there may be a firewall in place, not knowing how it works completely. The ethical hacker needs not to be kept out of the loop “when it comes to assessing the business and political climate of the customer (Hafele, 2004)”. The ethical hacker has three different models, black box, white box, and gray box model. The black box model is when the ethical hacker is left with little information and needs to gather information to discover the rest. White box model is when they are given an unreserved amount of knowledge. Gray box model is when the ethical hacker is given certain information about the system. He explains that retrieving information by way of black box testing can be possible by means of different databases such as WHOIS. This paper is about how ethical hacking is needed, is a tool, and which can provided useful understand of weaknesses that can be exploited on a network.

Ethical hacking is something that is needed. Ethical hackers provide more of an insight to protecting systems that are constantly attacked. Each model has there advantages and different viewpoint.

Automated Red Teaming: A Proposed Framework for Military Application by Chwee Seng Choo, Ching Lian Chua, and Su-Han Victor Tay

This paper is about automated red teaming using evolutionary algorithm, parallel computing and simulation. They have an overall goal “to reduce surprises, improve and ensure the robustness of the Blue ops concepts (Choo, Chua, & Tay, 2007)”. According to Choo, Chua, and Tay the military commonly uses red teaming as a technique to gather system vulnerabilities or to discover gaps which can be exploitable. They describe the concept of automated red teaming using evolutionary algorithm in the military context using an architecture design of the automated red teaming framework. They processed the MANA model with an automated red teaming 26 nodes processor cluster which tool around 8 hours for a total of 40 iterations. There results indicated “effective Red force would be highly stealthy (Red Inf Stealthiness = 89.19), slightly aggressive individually (Red Inf Individual Aggression = 6.879) and as a group Red Inf Squad Aggressiveness = 16.30) with a propensity to move towards fellow injured Red (Red Inf Response To Injured Red = 11.04) (Choo, Chua, & Tay, 2007)”. This shows that the “Red Force survivability can be improved by 27% just by modifying behavioral parameters alone (Choo, Chua, & Tay, 2007)” There results show an increase for red force survivability, which is always good. A 27% increase for the military is good however further work should be done to develop further the automated red teaming framework; this could scientifically increase the percentage.

Methods

The methods for completing this lab are based around an existing literature driven empirical study of topics in penetration testing and active network recon. The completion of the second lab in the course involved five steps.  The first step as before was the literature review of a selection of current literature on active network reconnaissance which is detailed above.

The second step was the installation of tools such as NAMP and NESSUS to perform active network reconnaissance.  These tools came from the grid in lab one, as well as a reading on obscuring actual location on the part of the penetration tester. The installation of the active recon tools was rather simple since the all of the tools that were defined by team two in lab one were the tools of the backtrack tool suite.  These tools are available as a pre-built Linux virtual machine for VMware which was downloaded from the backtrack website and copied into our lab virtual machine repository.  That pre-built VM was added to team two’s VM team configuration inside VMware workstation.  Once the VM was booted all the tools of the suite were available to us for testing.

The third step was to complete an active network recon exploit taxonomy based on the nine layers of the OSI reference model as presented in Lab one. This was completed by locating the documentation on the tools of Backtrack through the backtrack website and using their tool categorization as well as the penetration testing taxonomy from lab one to create a new active recon taxonomy.

The fourth step was to align the layers of the TCP/IP model to the layers of the OSI model as well as answer the question does the TCP/IP model have four or five layers? The alignment performed and questions answered through studying existing research in the TCP/IP model.

The fifth and final step of the lab was to align the given SCADA protocols to the TCP/IP and OSI model layers in a second grid and add a couple of our own SCADA protocols while explaining the chosen alignment. Again this was accomplished through studying existing research on SCADA and the TCP/IP model.

Findings & Answers

The installation of the active recon tools was rather simple since the all of the tools that were defined by team two in lab one were the tools of the backtrack tool suite.  These tools are available as a pre-built Linux virtual machine for VMware which was downloaded from the backtrack website and copied into our lab virtual machine repository.  That pre-built VM was added to team two’s VM team configuration inside VMware workstation.  Once the VM was booted all the tools of the suite were available to us for testing.

Active Network Recon Taxonomy

The use of this active recon taxonomy is not in and of itself without issue.  As pointed out in the lab obscuring the true source of the recon tool (aka system hosting the tool being used) can also be quite valuable.  The article presented by Professor Liles suggests that using an encrypted write blocking USB storage device containing a Virtual Machine image to boot on a system is part of the answer. Besides the use of the USB storage device creating a routine that prevents writing to the systems hard drive is also required.  Where the exploit taxonomy comes in is with the routing of information across the network. The network packets would make singling out the “invaded” system quite easy.  Making use of a VPN connection over the Onion router or TOR network is Professor Liles approach.  Taking this stance would create an active recon system that would be untraceable to a forensic expert (Liles, Anti-forensics: Obfuscating the path to forensic examination, 2009)

OSI to TCP/IP Model Comparison

According to Comer in Internetworking with TCP/IP Principals Protocols and Architectures Fourth Edition the TCP/IP model is a four layer plus one model.  There are four major software layer which build on a fifth hardware layer.  That fifth layer consists of network specific frames of information (Comer, 2000).  This is because TCP/IP was designed to be physical connection agnostic. There needs to be a consideration of how information is sent to the hosts requesting information possibly not using TCP/IP connected by the numerous methods of physical interconnect available today.

In aligning the OSI & TCP/IP models with SCADA protocols the first consideration was determining if various SCADA protocols can be molded to fit the OSI seven layer model.  The answer is an unequivocal yes.  Professor Sam Liles has stated in his review of Securing SCADA Systems by Ronald Krutz that SCADA systems use the OSI seven layer model and are often simply layered on top of the OSI model (Liles, Review: Securing SCADA systems by Ronald Krutz, 2009).  With that consideration in mind five SCADA protocols are considered for review.

SCADA MODBUS

MODBUS is a SCADA protocol that according to the MODBUS organization is an application-layer messaging protocol, positioned at level seven of the OSI model. It provides client/server communication between devices connected on different types of buses or networks.  MODBUS is available to be used through serial interconnect or TCP/IP.  MODBUS has a common port reserved for it in the TCP stack that port is 502 (Modbus Organization).  Based on this information MODBUS fits very nicely into the OSI / TCP/IP model because it is DIRECTLY accessible via TCP port 502.  This is why there is a MODBUS TCP layer in its implementation stack.  In order for network traffic to be translated to MODBUS traffic that layer must be present, hence its existence above the transport layer, and positioned at the OSI session and Presentation layers.

SCADA DNP3

According to the DNP users group The development of DNP3 was a comprehensive effort to achieve open, standards-based Interoperability between substation computers, RTUs, IEDs (Intelligent Electronic Devices) and master stations (except inter-master station communications) for the electric utility industry (DNP Users Group).  DNP3 was designed to work in a round robin fashion (like Token ring), polling each station that is connected to a DNP3 network.  DNP3 was also designed to be carried over TCP/IP.  DNP3 does not have a dedicated port like MODBUS. DNP3 is also not a Layer 7 protocol but rather, primarily a layer 2 protocol.  Not in conflict with Ethernet, but rather encapsulating it’s communications in Ethernet layer 2 frames (Curtis, 2005).  Hence the addition of the pseudo transport layer above the Data Link layer.  Like MODBUS, this layering approach makes DNP3 fit very nicely if in even more simply into the OSI model.  Interaction can occur without the need for any specialized tools.

SCADA DeviceNet

The ODVA states that DeviceNet is a digital, multi-drop network that connects and serves as a communication network between industrial controllers and I/O devices.  DeviceNet Follows the OSI reference model.  DeviceNet was DESIGNED from the beginning with the OSI model in mind (ODVA).  Making DeviceNet fit the model even better than MODBUS, or DNP3.  There is no need to consider any additional or “vender-controlled” layers in the DeviceNet system.  Not only does this make for a SCADA protocol that is easy to implement and troubleshoot for facilities that already have Ethernet networks, it is also an attackers dream.  The only way to insure that a DeviceNet system would not be broken into would be the air-gap firewall method.  By not connecting the SCADA network to any publicly addressable network and by not making use of wireless LAN technologies could a production company be reasonably sure their DeviceNet systems were secure (except for physical connection issues such as cable breaks and interference).

SCADA PROFIBUS

Profibus is a more propriety SCADA protocol.  While Profibus International claims that Profibus is the world’s most successful field bus technology through it being a very open and vendor independent protocol they do not follow the OSI model very well at all (Profibus International).  Profibus has created its own protocol stack that bypasses many of the standard layers of the OSI model to create what would seem to be an independent and secure system.  This is however not the case.  Even though Profibus was not designed with the OSI model in mind, the Physical or Bit-Transmission layer makes use of RS485 (PROFIBUS, 2002).  Therefore, anything that connects RS485 to a network, like an RS485 “modem” if you will can make a Profibus network attackable.  This presents a major issue because based on the Profibus layer design security was probably not a major issue for the makers of Profibus.  Finally, Profibus is based on a single cable bus technology; any break in the cable would render the system useless (Profibus International).

SCADA RP570

RP570 was designed in the 1990’s by the ABB group to work at a low-level based on IEC 57 Part 5-1.  According to ABB the RP 570 protocol is a high-level communication protocol used between the front-end computer (FE) and the substation to be controlled (ABB, 1997).  Like Profibus RP570 bypasses OSI layers that it does not have any need for.  This make RP570 fit less well into the OSI model.  That does not mean fitting RP570 in would be impossible.  As shown above, while RP570 has just three layers, they do align at a high level with the OSI model.  RP570 is a serial based communications system.  RP570 would in its initial design not be connected to a network, but instead just a computer.  However, because RP570 is based in serial communications, and IEC 57, anything that would convert a Front End Computer to a network device would make RP570 a very possible attack vector.

Issues

There were no issues or problems with the lab.

Conclusions

This lab was a discovery of active network recon as it pertains to penetration testing.  The taxonomy that was built will help us in future labs by allowing us to better understand what tools we should use and when.  It also required that we take a deeper dive than usual into the workings of the “standard” TCP/IP model.  With a better understanding of the TCP/IP model it also got us thinking about how device automation systems, commonly used in major physical infrastructure such as electric utilities, could fall victim to network eavesdropping, and even service disruption through cyber activity.  This lab also made it very clear that SCADA systems are not considered to be part of the IT realm where standard practices of information security at least should be considered. Meaning that with a little “outside the box” thinking the lack of security minded design, install, and maintenance of SCADA system by electrical engineers could be used to potentially destroy plants, factories, or even the distribution of water and electricity.

Works Cited
ABB. (1997). REC 501 RP 570 Protocol Description Technical Description Manual. VAASA: ABB Oy.

Bishop, M. (2007). About Penetration Testing. IEEE Security & Privacy , 84-87.

Bishop, M. (2007). Security Plan for Red Team Testing. Davis: University of Califorina.

Choo, C. S., Chua, C. L., & Tay, S.-H. V. (2007). Automated Red Teaming: A Proposed Framework for Military Application. ACM , 1936-1942.

Comer, D. E. (2000). Internetworking with TCP/IP Principles, Protocols, and Archtiectures. Upper Saddle River: Prentice Hall.

Curtis, K. (2005). A DNP3 Protocol Primer. Calgary: DNP Users Group.

DNP Users Group. (n.d.). Overview of the DNP3 Protocol. Retrieved June 20, 2009, from DNP: http://www.dnp.org/About/Default.aspx

Gegick, M., & Williams, L. (2005). Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs. ACM , 1-7.

Godefroid, P., Kiezun, A., & Levin, M. Y. (2008). Grammar-based Whitebox Fuzzing. ACM , 206-215.

Hafele, D. M. (2004). Three Different Shades of Ethical Hacking: Black, White and Gray. SANS Institute.

Liles, S. (2009, January 4). Anti-forensics: Obfuscating the path to forensic examination. Retrieved June 20, 2009, from Selil Blog: http://selil.com/?p=518

Liles, S. (2009, June 3). Review: Securing SCADA systems by Ronald Krutz. Retrieved June 20, 2009, from Selil Blog: http://selil.com/?p=766

McDermott, J. (2001). Attack Net Penetration Testing. ACM , 15-21.

Modbus Organization. (n.d.). Modbus Specifications and Implamentation Guides. Retrieved June 20, 2009, from Modbus Organization: http://www.modbus.org/specs.php

ODVA. (n.d.). DeviceNet Technology Overview. Retrieved June 20, 2009, from ODVA: http://www.odva.org/Home/ODVATECHNOLOGIES/DeviceNet/DeviceNetTechnologyOverview/tabid/72/Default.aspx

Profibus International. (n.d.). THE WORLD’S MOST POPULAR FIELDBUS. Retrieved June 20, 2009, from PI – Profibus & Profinet International: http://www.profibus.com/index.php?id=63

PROFIBUS. (2002). Profibus Technology and Application System Description. Scottsdale: PROFIBUS Trade Organization PTO.

Singh, S., Lyons, J., & Nicol, D. M. (2004). FAST MODEL-BASED PENETRATION TESTING. Winter Simulation Conference (pp. 309-317). Urbana: University of Illinois at Urbana-Champaign.