Abstract
This lab will allow us to gain an understanding of the reverse engineering process. In this lab our team will examine leakage through the process of engineering and the inadequacies and issues with configuration guides. In addition during the course of this lab we will evaluate the process of reverse engineering and determine the threat categories and taxonomy mitigations. All of this will be done using the pre-approved document we selected. Using this document and with specific testing we will be able to identify configuration changes and what the changes will accomplish, identify where these changes fit into the OSI 7 layer model, associate on the McCumber model which services are being acted upon, and put together the reverse engineering exploit matrix.
Literature Review
The readings for this week’s lab dealt with vulnerability assessments. The common thread running throughout all the articles was that vulnerability assessments are a necessary process in protecting network security and that using automated tools to do so was a much more efficient way. The articles also discussed that vulnerability assessments should be done by experienced IT experts and great care should be taken during the assessment process so as not to crash servers or cause network outages.
Article: Vulnerability Testing Using Fault Injection
In their paper “Vulnerability Testing of Software Using Fault Injection”, Aditya P. Mathur and Wenliang Du describe fault injection as “the deliberate insertion of faults into an operational system to determine its response”. Du & Mathur (1998) introduce the idea of fault injection into systems. In this approach they inject faults into an environment to perturb it; which by their definition is to determine how the system will respond and to see if there will be any security violations. If there are none, the system is considered secure. The Environment-Application Interaction (EAI) fault model is used to provide a high level of confidence of the validity of the security flaws. The EAI model seeks to emulate what a real hacker would do.
Environment fault injections have several advantages. In practice it is hard to trigger certain issues in an environment, because knowing how to trigger them depends on a tester’s knowledge of the environment. Fault injections emulate the environment’s issues without needing to be concerned with how they would occur in practice. Fault injection also provides a systematic approach to deciding when to emulate environment faults and provides an automated way of performing the testing process (Du, & Mathur, 1998).
Article: Topological Analysis of Network Attack Vulnerability
In their paper “Topological Analysis of Network Attack Vulnerability”, Sushil Jajoida, Steven Noel, and Brain O’Berry introduce us to Topological Vulnerability Analysis (TVA) which they describe as a tool that “automates the labor-intensive type of analysis usually performed by penetration testing experts”. TVA analyzes dependencies among modeled attacker exploits, in terms of attack paths to specific network targets. As mentioned in the first article as to how Environment-Application Interaction (EAI) automates the testing process, TVA also seeks to automate the labor intensive testing process. The TVA works by merging together three component, modeled exploits, network of interest, and the specification of the attack scenario. The TVA analyzes these three components, graphs the precondition/post condition dependencies which then provide the attack paths (Jajoida, Noel, & O’Berry,2007).
Article: Testing with Hostile Data Streams
The article “Testing with Hostile Data Streams”, written by Alan J. Jorgenson from the Florida Institute of Technology, presents us with his Malformed Data Stream Testing System which is a testing method that creates malicious data streams, applies them to a software application and then checks the appropriateness of the application response (Jorgensen, 2003). Systems that process data streams obtained from external sources such as the internet are vulnerable to security issues if malicious data is not processed correctly (Jorgensen, 2003). The problem to be solved is that there is an inadequate testing of software response to malicious streams. As was done in the second article Jorgensen divides his testing system into components. A system block diagram with details of the functions of each component is discussed. The author acknowledges the prevalence of the buffer overflow attack; however he has two schools of thought on buffer overruns. A conservative view is that they are a security risk; the other is that they are no more of a risk than denial of service.
The system was applied to Adobe Acrobat Reader was used as a cast study Test results from the case study indicated there were failures with the application, an infinite loop, failure to respond, and file deformation. All were considered to be a denial of service (Jorgensen, 2003).
Article: Viruses 101
In their article “Viruses 101” J. Aycock and K Barker introduce us to a controversial course being offered at the University of Calgary on computer viruses and malware.
The course teaches students about malware by having them create their own within a controlled environment. The announcement of this course and the specifics of the curriculum brought about much opposition from those in the anti-virus Community. The University took great care in the selection process of students for the course. Students had to have a grade point average of 3.0 or better, be in the computer science program, be a senior or graduate level student and have a passing grade in operating systems and computability theory courses. The only criterion absent was a criminal background check. The course focused studying malware but also combined ideas from across computer science as well as other disciplines; operating systems, programming language, implementation, networking, security, automata theory, law, ethnics, psychology, and human-computer interfaces (Aycock, & Barker, 2005).
The courses deliberately covered law and ethics before the students began their programming assignments, this was essential to establishing a secure environment. The University ensured the environment was secure by adhering to five categories of safeguards; Legal, Ethical, Social, Behavorial, and Technical (Aycock, & Barker, 2005).
Article: Vulnerability Assessment Tools
In her paper “Vulnerability Assessment Tools” Elspeth Wales tells us many companies are complacent about the security state of their networks and this should be cause for concern. Network hacks are on the rise but conducting vulnerability assessments on a regular basis can help prevent exploits. However, vulnerability assessments are only one part of the process, and should be used in conjunction with other network tests to determine the status of network security. Most companies perform vulnerability tests for two reasons; an incident has triggered the assessment, or they have to perform vulnerability assessments for compliance purposes. Companies have several options in carrying out vulnerability assessments. They could by an automated tool, providing they have an expert IT staff to do so, hire a third party to perform the test , or do a combination of both. Whatever the choice may be processes need to put in place and care should be taken when conducting vulnerability assessments so as not to crash servers or cause system outages. When used with the appropriate degree of expertise vulnerability assessment tools can provide a real insight into a network’s weak spots (Wales, 2003).
Methods
The first step of the process that the group had to perform was to research a security guide document. This document was used for this entire lab experiment. The document that this group found is Solutions for Security and Compliance: Threats and Countermeasures Security Settings in Windows Server 2003 and XP. Even though this document covers both Windows Server 2003 and Windows XP, this group will be focusing only on Server 2003. The document was downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en. This document was then examined thoroughly in order to see why each change or configuration is accomplished. Once each changed is identified, the next step the team determined which layer of the OSI 7 layer model resides in. The way to determine what layer the change/configuration goes into to was based on what the possible vulnerability would affect the most, if exploited. After the layer was determine, the team then proceeded to identify where the change/configuration fits into the McCumber cube. This was determined by what part of the system the change/configuration would affect the most, all are going to fit into the technology section, since it deals with operating systems. The table that contains the changes/configurations and their location is located in the findings section of this lab report.
For the exploit list, the group searched throughout the document and recorded all of the vulnerabilities that were discussed. Next, Automatic Updates were researched and potential vulnerabilities were recorded. These vulnerabilities were then formatted into a table and all security tools that pertained to them were listed. Finally, the potential vulnerabilities were tested using an example tool from the table.
Findings
Each change/configuration was made for a reason. The document laid out the changes to Windows Server 2003, the vulnerabilities, and the reasons why countermeasures were put into place. Each configuration change affects the technology level. Each change/configuration is listed below with what it was supposed to accomplish. Table 1.1 has the changes/configurations and where they fit into the OSI 7 layer model and the McCumber cube dimensions.
Domain Level Policies
Change the Enforce password history to 24. This ensures that the password reuse problem solved by making users can’t use the same password for at least 24 password changes. The maximum password age is recommended to be set to 90 days. Passwords are easy to crack no matter the length, if the user must change their password every so 90 days are opposed to a shorter time, this can raise security because users are less likely to write down their password. Minimum password length can be set, a more complex password is required and increasing security by making the password harder to crack. Store password using reversible encryption for all users in the domain can use CHAP authentication through remote access, but is recommended to be disabled to ensure that a weaker version of the password doesn’t exist on the server. Kerberos policy settings should not need to be changed; the best defaults are already selected.
Audit Policy
Audit logon events specify whether to audit login successes and failures. If turned on, a DoS attack can be used by generating millions of logon failures, filling the security event log and shutting down the server. All of the audit policies can be used and the same attack will work on them, they are if enabled: audit process tracking, audit account management, audit directory service access, audit policy change, audit object access, and audit system events.
User Rights
Access this computer from the network is used for users to connect to shared printers and folders. The problem with this is if not set properly all users can access folders they should not. Make sure to block all users except those who are authorized. Only administrators should have the ability to add workstations to domain. This prevents normal users from adding workstations to the domain, only authorized users should be part of the domain and only administrators should be determining who is on the domain. Allow log on locally restricts unauthorized users to logon to any workstation and download and execute malicious code. Make sure to restrict only authorized users to login to any local workstation. Users should not be able to change the system time. If users have the ability to change the time can mess up event logs for the system administrator, because it would mess up the time log. Deny access to this computer from the network prevents unauthorized users from accessing the computer from any network. The only users that should have access to the computer are administrators and the authorized user of the computer (if needed). Force shutdown from a remote system is a good item for administrators to have, but is dangerous to have. Unauthorized remote users could get the ability to shutdown systems remotely, which is bad for security. Load and unload device drivers allows authorized users to update and reload drivers for systems. This change was made to ensure that only authorized users only have the ability to update systems. If not set properly unauthorized users could make potential dangerous changes to systems.
Security Options
Only administrators should have Administrator account status. Administrators are the only ones that have the ability to make others have the account status of administrator. There is an option to Shut down system immediately if unable to log security audits. This means that if not set properly the inability to log security audits could shut down a system. All one would need to do is to stop logging from occurring then the system could shut down. Restrict CD-ROM access to locally logged-on user only is a setting that needs to be set so not anyone can put a CD into a system and not have it automatically run. Malicious code could be put onto a CD and put into a system and be automatically executed. The same reasoning exists for the change Restrict floppy access to locally logged-on user only. When users let their systems go idle and not locked their system, the Amount of idle time required before suspending session can be used to ensure that only an administrator or the authorized user can unlock the system. If no lockout time was set, all someone would have to do is move the mouse and they would have complete access to the system. For network access, shares that can be accessed anonymously this option should be turned off. Only authorized users should have access to shared folders. When the logon time expires, the user is forced to logoff. The setting is Force logoff when logon hours expire. Allow system to be shut down without having to log on enables users to not have to login to shutdown the system. This is very dangerous because this means that unauthorized users could shutdown the systems without having their login logged. Allow automatic administrative logon allows administrators to go into the Recovery Console without putting in a password. This allows anyone have the access to the Recovery Console without needing the password.
Event Log
Maximum event log size can be set to make sure that the log file does not get too large. The problem is that when the log file reaches its maximum size, the oldest entries are overwritten. This means that an attacker can access the system then create log entries to cover up their work.
Computer Configuration Settings
Disable remote Desktop Sharing makes sure that unauthorized users can’t share an authorized user’s desktop. Another way to make sure that security is kept high, one can Disable Periodic Check for Internet Explorer software updates. This ensures that Internet Explorer updates are checked by the administrator before being installed by the end user. Do not allow users to enable or disable add-ons makes sure that users are not able to add items to Internet Explorer. Check for signatures on downloaded programs ensures that only Microsoft signed programs are downloaded. Another way to ensure that inappropriate programs are not downloaded, the administrator can set the Restrict File Download. If the administrator has not approved the download, then the file can’t be downloaded. Automatic Windows Update should be turned off for the server. Updates should be applied to a test environment before applying to any system.
Table 1.1
| OSI 7 Layer Model Layer | Tool Name | McCumber Cube coordinate |
| Application /7 | Store password using reversible encryption for all users in the domain, add workstations to domain, Allow log on locally, Load and unload device drivers, Administrator account status, Maximum event log size, | Confidentiality, storage, technology |
| Application /7 | Enforce password history, maximum password age, Minimum password length, Kerberos policy settings, change the system time, Force shutdown from a remote system | Confidentiality, processing, technology |
| Application /7 | Audit logon events, audit process tracking, audit account management, audit directory service access, audit policy change, audit object access, Access this computer from the network and audit system events. | Confidentiality, transmission, technology |
| Application /7 | Shut down system immediately if unable to log security audits | Integrity, storage, technology |
| Application /7 | Allow automatic administrative logon, Do not allow users to enable or disable add-ons, Check for signatures on downloaded, Automatic Windows Update programs | Integrity, processing, technology |
| Application /7 | Disable Periodic Check for Internet Explorer software updates. | Integrity, transmission, technology |
| Session/5 | Amount of idle time required before suspending session, | Integrity, processing, technology |
| Session/5 | Force logoff when logon hours expire. Allow system to be shut down without having to log on | Availability, transmission, technology |
| Transport/4 | Restrict File Download | Confidentiality, storage, technology |
| Network/3 | Disable remote Desktop Sharing | Integrity, processing, technology |
| Network/3 | shares that can be accessed anonymously | Integrity, transmission, technology |
| Physical/1 | Restrict CD-ROM access to locally logged-on user only, Restrict floppy access to locally logged-on user only, | Availability, processing, technology |
1. SMB and default shares with the Everyone permission can allow for full access to a machine.
2. The Act as part of the operating system user right can allow complete control of a system while leaving little to no evidence.
3. The Add workstations to domain user right can allow a user to use an unauthorized operating system to give themselves administrator privileges.
4. The Adjust memory quotas for a process privilege can allow a user to perform a DoS attack against a network application.
5. The Allow log on locally privilege can allow attackers the ability to execute code for privilege escalation.
6. The Allow log on through Terminal Services privilege can allow attackers the ability to execute code for privilege escalation.
7. Back-up privileges can allow non-domain computers, which have administrator privileges to restore the data.
8. The Bypass traverse checking by default allows for accessing of child folders for which a user may not have rights to the parent folder.
9. The system time changing privilege may allow for an attacker to attack the integrity of time stamps, deny logons to the domain or deny access to Kerberos tickets.
10. The privilege to change the system page file can significantly reduce the performance of the machine.
11. The privilege that allows for a user to create or modify tokens can allow an attacker to perform privilege escalation or a DoS attack.
12. The ability to create global objects can affect other users processes and create a DoS attack.
13. The Create permanent shared objects can expose data to the network.
14. The Debug programs user right can allow an attacker to access memory, the system kernel and hashed passwords. This is set by default to administrators.
15. Network logons can allow an attacker to view lists of accounts, groups and shares.
16. The Deny log on as a batch job user right can allow an attacker to schedule obs and cause a DoS attack.
17. Accounts set up to log on as a service can be used to launch unauthorized services.
18. Accounts that can log on locally can be used to log the console.
19. Accounts with privileges to use Terminal Services can be used to log onto the remote console.
20. The user right Enable computer and user accounts to be trusted for delegation could be used to impersonate other users.
21. Rights to shut down the computer could be used as a DoS attack.
22. Accounts with rights to the Security log can log arbitrary events or delete important logs.
23. The Impersonate a client after authentication user right can allow an attacker to perform access escalation.
24. Users with the Load and unload device drivers rights can install malicious code.
25. The Lock pages in memory right can allow attackers to perform a DoS attack against the system’s RAM.
26. The Log on as a service user right can allow attackers to launch unauthorized network services.
27. The Modify firmware environment values user right can allow an attacker to modify hardware firmware and cause a DoS attack.
28. The Perform volume maintenance tasks right can allow attackers to delete data on a volume, which leads to data loss or a DoS attack.
29. An attacker with the Remove computer from docking station privilege can, obviously, remove a computer from a docking station.
30. The Replace a process level token privilege can allow an attacker to launch processes as other users.
31. The Restore files and directories user right can allow an attacker to destroy data or perform a DoS attack.
32. The Synchronize directory service data user right can view all entries in the domain.
33. The Take ownership of files or other objects user right can allow an attacker to take control of an object, regardless of the privileges.
34. Administrator account should be disabled or renamed to prevent unauthorized access.
35. Guest account can allow an unauthorized user to gain access and should be disabled or renamed.
36. Blank passwords can allow for easy brute force attack by an attacker.
37. Globally visible object names can be attacked by malicious software to crash the program that created said object.
38. COM applications allow unauthenticated access to the process that an attacker could exploit.
39. Physical access to removeable media can take ownership of any file on another computer (go figure).
40. Installing printer drivers on servers can allow an attacker to install malicious code.
41. Shared CD-ROM drives or Floppy drives can allow remote attackers to access sensitive data.
42. Privileges to install unsigned drivers can allow for attackers to install malicious .sys files.
43. Man-In-The-Middle attacks can allow for injection of false records to an LDAP directory.
44. By disabling local machine password changes, the passwords are more susceptible for attack.
45. Disabling the 30-day force password change policy, an attacker can use a stolen password for a long time.
46. Windows operating systems that pre-date Windows 2000 should use stronger encryption keys when accessing a domain to prevent the encryption keys from being broken by attackers.
47. Attackers with access to the console have the ability to view the username of the last user who logged onto the system.
48. Passwords can be intercepted if the workstation does not require the user to press CTRL+ALT+DEL.
49. Attackers who gain access to the console can access the logon credentials of the last 10 users that are cached on the system. These credentials can be brute-forced.
50. Short simple passwords are easier for an attacker to brute-force.
51. Smart cards can fail to secure a system if the system is not locked after they are removed.
52. Session hijacking allows for an attacker to steal a session in progress and inherently steal their network access.
53. SMB can be enabled to transmit passwords in plaintext which can be intercepted by attackers.
54. An attacker can open server null SMB sessions to cause a DoS attack to the file server.
55. An attacker can obtain extra time to attack the network if logon hours are not set.
56. The Allow anonymous SID/Name translation setting can allow an attacker to discover the Administrator account, even if it has been renamed.
57. An attacker can perform social engineering or password attacks if they gain information for account names if the Do not allow anonymous enumeration of SAM accounts is disabled.
58. Cached .Net passwords can be accessed if they are set to be stored.
59. An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks.
60. A remote attacker could change values in the registry if an administrator allows remotely accessible registry paths.
61. An attacker can exploit null sessions through SMB shares.
62. An attacker can gain access to unauthorized data by accessing share anonymously.
63. An attacker can gain remote access to shares through a guest account.
64. A remote attacker can intercept hashed passwords and brute-force them.
65. Attackers using man-in-the-middle attacks can intercept unsigned network traffic.
66. Recovery console can allow an attacker, with local access to the server, full control.
67. An attacker with local access to a computer can access the page file and view contents of paged memory.
68. An attacker can gain access to locally stored keys if they keys were created with the same password as the login password.
69. Digital encryption can be brute-forced by an attacker if the strongest encryption is not used.
70. An attacker can create new objects if the policy does not indicate that only administrators can own objects.
71. An attacker may be able to access processes of another user if the process is a POSIX process.
72. Unauthorized code can be executed if there is not software restriction policy that denies it.
73. An attacker can perform a DoS attack against a system with a large security log file.
74. An attacker with guest privileges can access event logs to gain information about a system.
75. An attacker may be able to remotely access a desktop if it is enabled.
76. Exploit code may be automatically executed if the Automatic Install of Internet Explorer components is enabled.
77. Internet explorer can be exploited due to the lack of updates or the automatic installation of an untested update.
78. A computer may become unsecure or corrupt due to an improperly installed update.
79. Users with the ability to change policies may change IE settings to allow for execution of unauthorized code.
80. Unauthorized code can be run from IE if ActiveX controls are allowed to run even if the signature is invalid.
81. An attacker may gain access to a computer if the resource they are attempting to access has been compromised.
82. An attacker may be able to discover sensitive information from cached SSL-secure pages.
83. An attacker may be able to discover sensitive information from the Temporary Internet Files.
84. An attacker may be able to compromise a system using the Local Machine zone to escalate privileges.
85. An attacker may be able to compromise a system by delivering exploit code using a non-executable MIME type and trick the user into actually executing it.
86. Malicious web sites may attempt to transfer zones in order to escalate privileges.
87. Malicious sites may be able to allow a user to automatically download a file.
88. An attacker that has access via terminal services can deny other connections and create a DoS attack.
89. An attacker may be able to modify data on a local machine if they are connected to a compromised Terminal Server.
90. An attacker may be able to remotely access a Terminal Server without the login credentials by using a RDP shortcut with stored credentials.
91. Full shell protocol functionality can allow for unauthorized code to be executed.
92. If computers cannot restart after an update, the update will not be applied an will still be vulnerable to attack until it is restarted.
93. Organizations that do not use an internal Software Update Service can risk a faulty update to be installed.
94. Autoplay can allow an attacker to access data on a system or run malicious code from a removable media device.
95. A malicious user could configure a program to be run each time Windows starts that could compromise data on the computer or cause other harm.
96. A malicious user can use the run once list to install malicious code.
97. If the Process even if the Group Policy objects have not changed is disabled, unauthorized changes configured locally are not forced to match the Group Policy setting and an attacker can use said changes.
98. An attacker may use the Offer Remote Assistance tool to trick a user to accepting to grant full control or users may request assistance from malicious users.
99. Improperly written COM components may be attacked across the network, which can result in possible information disclosure, denial of service, or privilege escalation attacks.
When considering large-scale security patches, the document indicates a few things about Automatic updates. First Automatic updates, obviously, installs updates automatically. Therefore, if an update causes another vulnerability, most systems will be vulnerable immediately. Next, most updates require a restart in order for the changes to take place. The restart is up to the user, so if the user refuses to update, that computer is still vulnerable for attack. Finally, automatic updates can be configured to work with an internal Software Update Services (SUS) server. If an attacker can gain access to this server, then malicious updates could be distributed to all machines on the network. Below is a table that indicates some possible tools that could be used to accomplish these attacks. Since these attacks do not rely on a specific exploit a general set of tools used for penetration and privilege escalation is used.
| Issue | Tool |
| Vulnerable Update | Framework3-MsfC
Framework3-Msfcli Framework3-Msfweb Init Pgsql (autopwn) MsfCli MsfConsole OpenSSL-To-Open Pirana Ascend attacker CDP Spoofer Crunch Dictgen DHCPX Flooder DNSspoof Driftnet Dsniff Etherape EtterCap File2Cable HSRP Spoofer Hash Collision Httpcapture Hydra Hydra GTK ICMP Redirect ICMPush IGRP Spoofer IRDP Responder IRDP Spoofer John Lodowep Medusa Nemesis Spoofer NetSed Netenum PHoss PackETH Rcrack SIPdump SMB Sniffer Sing THC PPTP TcPick URLsnarf VNCrack WebCrack Wireshark Wireshark Wifi WyD chntpw |
| Vulnerable Until Restart | Framework3-MsfC
Framework3-Msfcli Framework3-Msfweb Init Pgsql (autopwn) MsfCli MsfConsole OpenSSL-To-Open Pirana Ascend attacker CDP Spoofer Crunch Dictgen DHCPX Flooder DNSspoof Driftnet Dsniff Etherape EtterCap File2Cable HSRP Spoofer Hash Collision Httpcapture Hydra Hydra GTK ICMP Redirect ICMPush IGRP Spoofer IRDP Responder IRDP Spoofer John Lodowep Medusa Nemesis Spoofer NetSed Netenum PHoss PackETH Rcrack SIPdump SMB Sniffer Sing THC PPTP TcPick URLsnarf VNCrack WebCrack Wireshark Wireshark Wifi WyD chntpw |
| Software Update Services | Framework3-MsfC
Framework3-Msfcli Framework3-Msfweb Init Pgsql (autopwn) MsfCli MsfConsole OpenSSL-To-Open Pirana Ascend attacker CDP Spoofer Crunch Dictgen DHCPX Flooder DNSspoof Driftnet Dsniff Etherape EtterCap File2Cable HSRP Spoofer Hash Collision Httpcapture Hydra Hydra GTK ICMP Redirect ICMPush IGRP Spoofer IRDP Responder IRDP Spoofer John Lodowep Medusa Nemesis Spoofer NetSed Netenum PHoss PackETH Rcrack SIPdump SMB Sniffer Sing THC PPTP TcPick URLsnarf VNCrack WebCrack Wireshark Wireshark Wifi WyD chntpw |
For the Vulnerable Update attack, this would depend on what update is vulnerable. However a tool to test this would be Metasploit, because the attack code could be easily injected to the client with the bad update. For the Vulnerable Until Restart attack, the group used MetaSploit to attack a Windows XP SP0 machine. The machine was set to install all of the latest updates. Once the updates completed, the user was prompted for a restart. Before restart was selected, using backtrack Metasploit was launched and the Win32 Bind Shell exploit was used to obtain a remote shell on the target system. This exploit worked because the update had not yet been applied. For the Software Update Services attack, the group was unable to perform the attack because the group would have to actually write a virus (which is beyond the scope of this lab) as opposed to using provided exploit code, such as the code used in Metasploit in the previous test.
Issues
The only issues experienced with this portion of the lab were the tests. The first test could not be tested because it requires specific environmental circumstances, such as Microsoft releasing a vulnerable update. The last test could not be performed either, due to the complexity of the attack. A new exploit or tool must be created for that attack to work properly.
Conclusions
One item that this group found really interesting is the entire concept of the lab experiment. No one in this group had thought of looking at a security guide and turning it around to see what vulnerabilities were patched/fixed and finding systems that have not been updated. This information can be used to exploit un-patched systems while using documentation for vendors like Microsoft. All of the vulnerabilities found in the documentation, lie within the technology dimension of the McCumber cube. This is because the security guide is for operating systems, and therefore can’t attack humans or policy/procedures.
Works Cited
Aycock, J., & Barker, K. (2005). Viruses 101.
DU, W., & Mathur, A. P. (1998). Vulnerability Testing of Software Systems Using Fault Injection.
Jajodia, S., Noel, S., & O’Berry, B. (2007). Topological Analysis Of Network Attack Vulnerability.
Jorgensen, A. A. (2003). Testing with Hostile Data Streams.
Wales, E. (2003). Vulnerability Assessment Tools.
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en. Retrieved July 6th, 2009.
The abstract for this group covers about everything that this lab accomplishes. One thing I did not see was the examination of patches and the types of tools that could be used in the exploit of that vulnerability. The abstract also could have done a little bit more explaining of what the purpose of this lab was and what it was trying to accomplish. In the literature review the group gives a nice overview of the articles explaining that the articles given in the lab all relate to vulnerability assessments and how important they are and how they make protecting a network more efficient. I would not say that all the articles relate to this thought. Take Viruses 101 (Aycock, Barker, 2005), this article was more about how to create a course on a subject that is looked at as being taboo. The article relates to the course in that this course is a very controversial course like the virus creating course in the paper. The group goes on giving a review of each paper in a list fashion. The group looks at each article separately, does not relate the article adequately to the other articles, and relate each article to the current lab. Each explanation of the article summarizes the paper, but gives no, or very little, information on the paper like the research question, research data, errors or omissions, or how they relate to the current lab. The method section of this group’s lab covered all the main steps involved in this lab. I did not see anything missing from the explanations of how they were going to accomplish this lab. In the findings when they created the table, the change was listed, but the vulnerability that the change was supposed to fix was not mentioned until after the table. At the beginning of the results the group states that all of the changes are related to the technology aspect of McCumber’s cube. I disagree, in that any changes made in the policies should still remain in the policies aspect of McCumber’s cube. The next section of the results gives a description of the changes in the document that the group selected. Each change is placed into a category of ether: Domain Level Policies, Audit Policies, User Rights, Security Options, Event Log, or Computer Configuration Settings. It seemed redundant to list explanations of each change and then give them in the table also. As mentioned earlier the group then gives a description of the vulnerability that the change is supposed to fix after the table. It was hard to relate some of these vulnerabilities to what changes were done. In the next section of the results the group talked about how a system is still vulnerable, even when the updates are loaded, until a restart of the system is done. Also the group mentions problems with patches causing secure systems to become unsecure. They also mention that the patching server needs to be very secure, because an attacker that compromises that server could distribute a malicious patch to all the computers on that network. The table the group put together did not make a lot of sense. The table gives some tools for attacking vulnerability update methods and processes. The lab asked for the actual issues that were patched by the updates. The way the group did this section is a subject that does need to be examined and addressed, but I do not think this is what the lab was asking. The group could have given more details on what was discovered when testing the vulnerabilities in this section. The group had some issues with testing the patch vulnerabilities that they mention in the issues section. The group’s conclusion mentions that the group learned some ideas of how to use a security document to reveal vulnerabilities in a system. The group also mentions that all the vulnerabilities attack the technology aspect of McCumber’s cube, because it is directed at securing an operating system. I have to disagree with this because even though it is changing settings on an operating system, the changes in the policies are also changing how an organization handles a way of doing a specific task.
The abstract is merely a restatement of the lab objectives from the lab assignment. A little more detail would be useful. The literature review started out well with identification of a common idea running through all of the articles but ended up being another list of assigned articles with summaries of each. Each article is handled only by itself and is not tied to the lab exercises in any way nor are they compared or contrasted with each other. The citations are confusing for each of the summaries. Instead of providing page numbers for the section being discussed, it’s just the same in-text citation over and over. The first one can be done with author, year, and page number, subsequent ones until you cite another reference can be done with just page numbers. This makes it much easier to read and cross check what is being referenced with the source material.
For the methodologies, I’m interested to know a little more on why automatic updates were addressed. The way it’s mentioned in the write up, it seems that this is separate from the handling of the security guide. Why was this done? The mention of the final part of the lab, testing the various tools against the virtual environment was far too brief. There was a process for identifying tools that should work vs. tools that did work. Was this done at all? Where were the tools from?
The first sentence of the findings section is confusing. Did you actually make the suggested changes from the guide on your virtual machine? I didn’t see anything referencing that activity in the methodologies. The layout of the findings from the document clearly follows the order found in the guide, while this makes it easier for the write up, some of the items from the guide that didn’t necessarily expose vulnerabilities were mentioned as well, the Kerberos policy settings for example. This reads more like a list of the settings and mentions of vulnerabilities if there were any instead of a carefully selected list with context. The audit policy section mentions a DoS based on filling up the log files, is this the only vulnerability that could result from turning on too much auditing? What about obfuscation of the actual activities? In the mention of changing the system time, is “mess up” the best way to state what an attacker might be doing by changing the system time? The vulnerability from loading and unloading device drivers was missed I believe, while “dangerous changes” could be made, the fact that driver installs are done with SYSTEM level privileges was not mentioned.
The list of 99 vulnerabilities after the table seems out of place and redundant. Weren’t these discussed before? Some of the vulnerabilities in the list are new, why weren’t they mentioned previously? The mention of automatic updates as a vulnerability seemed as out of place as it did in the methodologies. Why isn’t this mentioned above with the other vulnerabilities? Why were the tools meant to test the vulnerabilities discovered in the lab exercises only targeted at the automatic update process?
Team one provides an uneven effort with a wealth of information on portions of the lab, and almost nothing in others. They gloss over sections of the write up, giving minimal effort in some places and even less in others.
The abstract is well written and summarizes the document appropriately. The literature review should be more than just a list of articles. It should be one cohesive section. Your group’s introduction paragraph states that the common elements shared by all articles are the necessity of vulnerability testing, the efficiency of automated tools, and the need for IT professionals to perform the tests, but this is not the case. This leads me to suspect that proper attention was not given to the literature. Your review summarizes each of the articles briefly but lacks any analysis whatsoever; giving more proof that there was either a lack of attention or a lack of comprehension.
The group’s methods section is vague. I understand that it’s difficult to explain research methodology. Where did you look for your document? How did you decide on it? Where did you research automatic updates? How? How did you test the tools? How did you select which tools will be tested? Details like these will help flesh out the section, and provide a more rigorous report.
The Findings section is weighty, with a large amount of information considering the sparse literature review and methods sections. The team’s take on automatic updates is very insightful, especially the methods for exploitation. A minor criticism here is the steps for testing the concept are not located in the methods section. It may feel awkward to place them elsewhere, but they are not findings. This is the only test you run. Why? There are other tools that were listed in your document in order to take advantage of other vulnerabilities. Why not test those? Your issues section states that there was some difficulty with testing the other variations on automatic update vulnerabilities, but doesn’t mention anything else.
The team’s conclusion wraps up the lab well. It explains what the group learned. I disagree with the assertion that the attacks cannot be directed against humans or policy and procedures just because the guide is designed to secure a single technology (in this case an operating system). While there may be no direct links, is it possible there may be an indirect method? For example, if strong passwords are required, and a corporation indeed does use them, doesn’t that strengthen the argument for a social engineering attack?
In examining team one’s work, I found the literature review to be well crafted with respect to writing style. I also found interesting the way this team grouped the discussion of their findings, with general headings and a running prose summarizing areas of vulnerability. Also, the tables presented were neatly laid out and fairly easy to read. Finally, the vulnerability listing appeared to have a reasonable degree of detail, similar in depth to other teams’ listings which examined Windows 2003 Server.
Unfortunately, these positive qualities are muted by a fair number of serious flaws in this lab write-up. While the literature review was well written, it did not do much more than briefly summarize each article. Absent was any real critique of concepts, and no application to the current exercise was really entertained at any point. Certainly, this is a well discussed error at this point of the semester; so nothing more need be said except: “You should know better by now.”
Another point of criticism: the report was relatively disorganized, specifically in the ‘Methods’ and ‘Findings’ sections. The ‘Methods’ section was rather short, and some of the material which should have been in this section was located in the ‘Findings’ section. For instance, the description of how update vulnerability was tested should have been relocated. Additionally, the table heading ‘Tool Name’ seemed ill-chosen in the first table; something like ‘Vulnerability’ would have made far more sense: this was somewhat confusing. Also, the hundred or so item list in the ‘Findings’ section was presented without explanation or title. These appeared to be areas of vulnerability, but they were introduced abruptly to the reader with no lead in: rather confusing. The aforementioned list items were not associated with any OSI layer classifications, nor were McCumber cube coordinates determined: this was an omission according to the requirements of the laboratory.
This team at times seemed to discuss settings with more of an emphasis on ‘how to prevent attack and why’ rather than ‘how to use this for attack.’ There can be no doubt that these were the recommendations in the security document examined; however, it appears that relating how this team would attack the area in question would be more appropriate to the exercise at hand. For instance: “Guest account can allow an unauthorized user to gain access and should be disabled or renamed.” Helpful information in securing a system; but wouldn’t something like “Use of default guest account to gain access” be a more meaningful description?
Finally, the listing and discussion of the ‘update vulnerability’ testing seemed an afterthought and poorly conceived. Throwing a table together which was entirely redundant in the ‘Tool’ category, with little more than generic attack tools listed seemed spurious. Additionally, the question must be asked: why would a test against a Windows XP Service Pack 0 host be run when it was asserted that “this group will be focusing only on Server 2003” with regard to the security document? Without any rationalization for why this exercise was done, it just seems that this team was grasping at straws, as in reality ‘nothing’ concerning Windows Server 2003 vulnerability was tested within the scope of the exercise. Was it found that no vulnerabilities could be exploited with regard to Server 2003? It appears an explanation would have been in order.
In the abstract, when team one stated “In this lab our team will examine leakage through the process of engineering”, did the team mean reverse engineering? The remainder of the abstract gave a brief overview of what will occur in the laboratory assignment.
In the literature review section, team 1 gave brief summaries of each of the articles, but did not relate them to each other, describe the methodology used, point out any errors or omissions, or relate them to the laboratory assignment.
In the methodology section, group one informed the reader that they chose the document, Solutions for Security and Compliance: Threats and Countermeasures Security Settings in Windows Server 2003 and XP.
In the findings section, I could not figure out why group 1 placed changes under the heading that was labeled tools. Most of the changes were changes in policy or in configurations. I was not sure how the list of 99 exploits fit directly with the table. Other groups had created a column in the first table for exploits and described what could happen if the recommended change was not acted upon. In the second table, what specific areas of the vulnerable update did the tools affect?
Team one stated “This exploit worked because the update had not yet been applied. For the Software Update Services attack, the group was unable to perform the attack because the group would have to actually write a virus (which is beyond the scope of this lab) as opposed to using provided exploit code, such as the code used in Metasploit in the previous test.” However, these statements seemed contradictory. Did the group mean that theoretically the exploit would work or did the group find from elsewhere that id did indeed work? If you did not try it, how did the team come to this conclusion?
In the issues section, team one stated “The only issues experienced with this portion of the lab were the tests. The first test could not be tested because it requires specific environmental circumstances, such as Microsoft releasing a vulnerable update. The last test could not be performed either, due to the complexity of the attack. A new exploit or tool must be created for that attack to work properly.” I noticed that my group and other groups as well also ran into the same problems. Script kiddie’s tools are not sufficient enough for exploiting the vulnerabilities in specific services or programs.
In the conclusion section, I had to disagree with the statements “All of the vulnerabilities found in the documentation, lie within the technology dimension of the McCumber cube. This is because the security guide is for operating systems, and therefore can’t attack humans or policy/procedures.” Changing the requirements for a password would be a policy that must be agreed upon before it could be implemented via a technology.
In the references section, look into APA 5 procedures for citing an on-line reference. This may help the team in the future.
Team 1 begins with an abstract stating that “this lab will allow us to gain an understanding of the reverse engineering process”. This statement is a bit broad since reverse engineering may apply to a mechanical device, electronic component or software. Perhaps a better way to state it may have been “this lab will allow us to gain an understanding of the reverse engineering process with respect to determining system vulnerabilities by analyzing vendor security configuration documentation”. This statement would have been more specific and more descriptive of the purpose of the lab.
Team 1 proceeds with a review of the literature that was assigned for this week’s reading. They state that the common threads throughout our assigned readings is “vulnerability assessments are a necessary process” and “that using automated tools to do so was a much more efficient way”. Ironically, this week’s laboratory assignment was “Exploits Without Tools”. I found that the common thread between the laboratory assignment and the readings was using analysis to determine vulnerabilities outside of the penetration testing environment, rather than relying exclusively on the use of tools. Team 1 proceeded to list each document in the assigned reading list and give a short synopsis of each one. None of them included an explanation concerning how they fit the “common threads” that Team 1 stated in the first paragraph of the literature review. They also did not find any application of the readings to our current laboratory assignment.
In the next section Team 1 describes the methods used in this assignment. They discuss using Solutions for Security and Compliance: Threats and Countermeasures Security Settings in Windows Server 2003 and XP as their document that they plan to analyze, and state that they decided to focus their analysis on the Windows Server 2003 issues. They discuss analyzing the changes identified in the document and placing the changes on the OSI 7-layer model according to the layer that would be affected by the change. They stated that the changes would also be placed according to its McCumber Cube classification. They decided that all of the changes should be placed in the technology section of the McCumber Cube. I believe it could be debatable whether enforcing password history, age, and minimum length would be classified as technology or human factors in the McCumber Cube model.
In the findings section, Team 1 begins by stating “each change/ configuration was made for a reason”. This assessment is a bit obvious. Why else would they include it in the document if there were no reason to do so? Team 1 listed each configuration change that had been recommended. They included a brief description along with an explanation concerning what the change is supposed to accomplish. They also classified the changes according to change type. This section was very easy to read and informative. They used bold fonts for the title of each change. That made locating a particular change extremely easy.
Team 1 included an interesting discussion concerning problems with automatic updates. One problem is that it often takes a system restart for the change to take effect. If the update is designed to correct vulnerability, then the system remains vulnerable until the user reboots the system. They demonstrated this using the Win32 Bind Shell exploit by obtaining a remote shell in the time between the download of the update and the reboot of the system. They also discussed what could occur is the update itself caused vulnerability. Since the updates are automatic, several systems could be made vulnerable within a short period of time, and remain vulnerable until the next update.
The team starts with their abstract and states that they are going to be working on an approved topic but they never say the topic just what they are going to identify. Then they go onto the literature for this week’s lab and start with an overall summary and what the articles are going to be about. For some reason the team decided to split the articles again instead of keeping a cohesive literature review. The previous week they had a good cohesive literature review that talked about the subject, how the content relates to the course, and even had some arguments. This week it was lacking most of what they got right the previous week. Yes they did explain what happened within the articles but it did even have the reviews thoughts on the literature and opinions of their own. Next was the methodology section. In this section they described what they where actually going to be doing for the lab in more detail. Here they provided the information that they where going to be looking at Solutions for Security and Compliance: Threats and Countermeasures Security Settings in Windows Server 2003 and Windows XP. They then stat after examining the document they will determine where each “change” falls into the OSI model. At first glance the wording for this was confusing and may have thrown off some people reading the lab. They then state they are going to have a list for the exploits that where found in the document and to test potential vulnerabilities. The next section they described their findings after looking over what they had before the table and looking at the document that they where using for the lab, there were some items missing. They explains some of the vulnerabilities and the changes needed, but not all of the vulnerabilities where explained in this fashion. Next they had their tables list the tools and where they fall on the OSI 7 layer model and the McCumber coordinates but the tools are not tools they look like resolutions to the issues. These might have been better classified as resolutions instead. After this they then list exploits of the systems, which had no explanation before the list which throws the reader off. It was not a bad list it just came out of nowhere. They then list vulnerabilities and tools but they left out the OSI seven layer model part of the second table. Then the team went on to explain issues that they had and then went onto their conclusion. They stat that no one in their group had thought about using a hardening document as a way to attack an un-patched system. So my question is are the member of this group starting to think more about how an attack might think when look at the past labs and what has been done so far. Does this make the team more paranoid now and will make them think twice about everything now?
The team starts out with a strong abstract and talks about how they did in the lab.
In the findings section the team has a sub-section labeled Domain Level Policies. In this section the team talks about changes to password history, password age, password length, storing password, and Kerberos policy. The team says to change the password history to 24 to ensure the password reuse problem is solved. Also the maximum password age should be changed to 90 days. With this combination users would be able to reuse a password 2,160 days or almost six years later, after the first use. If this is such a problem why not increase the number of password history from 24 to 34? This would increase to over eight years, by this time most users would have forgotten there original password.
The Audit Policy paragraph seems to be written in a way to scare administrators to keep audit policies off. Is audit policy unimportant and easily exploited to DoS attacks? What is the purpose for audit policies and would there be an environment that audit policies would not be exploitable to a DoS attack?
User rights, how much rights should non-administrative users be given? This topic can be highly debated over the amount to access to give users. If privileges to users are not enough, it can become difficult for users to complete tasks such as adding a printer or update a plug-in to properly view a website containing important information. A user may need to add a network share because of a promotion or added to an existing project, what is the turn over time for an administrator to add that users to the share, what is the cost of this turnover because security was stepped up so high? A feature this team has enabled is Force logoff when logon hours expire. Is this saying that employees do not work overtime? What about employees need to come in later for what ever personal reasons but is staying later for make-up the hours? What about users that are doing work at home and VPN into the company to retrieve information off the employee’s computer? Deciding when a user is going to able to access there computer can be tricky to decide exactly.
In lab five, team one begins by explaining their lab report through their abstract. That abstract does not fit the requirements of the syllabus, as it is not two paragraphs. The abstract also seems to read like the objectives of the lab as defined in the lab design guide. Team one’s literature review starts with an introduction as a method to tie together the assigned readings for the week. However beyond that there is no cohesion between the reviewed articles, rather a heading and then a synopsis of each article. This forms really just a list of articles with APA style citations. This literature does not improve the lab report, but rather detracts from it, and is a move in the wrong direction for team one. As there are only two labs left team one needs to improve in this aspect. It seems that team one didn’t even bother to answer the literature review questions that were outlined in the syllabus for the course. Team one’s methods section is also lacking. There is no clear definition of the strategy or technique used in the completion of the lab. This does not an academic or scholarly methods section make. While the methods section does explain the general process that team one followed in the completion of the lab, there is not enough information in those methods for an independent group to recreate the lab experiment and draw the same conclusions as team one did. In their findings section they do not cover what the findings are in answer to in the beginning and that leaves one wondering as they go directly into explaining what the changes in their source document represent. They depend on the information covered in the lab design document to give the reader that information which seems to be lacking. I seem to be confused as to their layout of information provided in the finding section. Team one explains what table 1.1 is used to represent, but that is really about it. Team one then goes right away into a list of polices hat contain bolded words that I can only assume represent changes that their source documents recommends. Team one then presents table 1.1 which explains where each tool lines up to the OSI model and McCumber Cube. Since this lab was titled exploits without tools I find it suspect to have a table with the word tool as a heading. While I agree with most of the entries that team one makes for their application layer information, I disagree with their lower layer information. Disabling remote desktop is not a layer three setting, nor are SMB shares. After table 1.1 they list 99 different settings that seem to be derived from the list presented before table 1.1. And then another table that has little information provided as to its use. Both tables also do not belong in the findings section, but rather a tables and figures section which would referenced in the findings section. Finally, the conclusions drawn by team one are high level, but based on their methods section, accurate.
@jeikenbe I can see your side of the comment about policies attacking the policy dimension of the McCumber cube. I have always taken policy to mean something else, such as computer use policy, or HR policies, not specifically policies on computers. I can’t attack policies on a computer if there is no computer. If a company does not use computers, I can still attack the policy dimension through HR.
@jverburg Automatic updates were addressed because they can be used as an attack vector. If we weren’t so worried about the consequences of automatic updates, then some companies wouldn’t test them first before deploying to client computers.
@mborton The document was found using Google, since our group was the last one to post the document, we chose this document since no other group used it, and it was actually a companion to 2 documents that other groups used. I see your point about the social engineering, and after thinking about it I would agree with you.
@gdekkerj Tool name was a poor choice of words. The table had the OSI layer and the McCumber cube coordinate.
@nbakker “This does not an academic or scholarly methods section make” This does not make a good sentence. I think the table has findings does in fact belong in the findings section. I find it difficult and annoying to have to read, then scroll down and back up, again and again, when a team mentions something in a section and points to another piece of the report. I think having the tables where the discussion is makes for better reading.
@mvanbode – I think you’re confusing Automatic Updates as a potential source of service interruption due to consequences of the patches and using the updates as an attack vector. There are a multitude of things an attacker would need to do that should be mentioned in order to use automatic updates to distribute malicious code. Compromising the server and forging the signature on the update packages to name a few.
@mvanbode
Hmm…fair enough; I’ll modify my criticism appropriately: many of the items of the list are not associated with OSI layers or McCumber cube coordinates. A quick count of the table shows 33 items; where are the rest of the 99?