Abstract
The purpose of this exercise is to discover usable attack methods by reverse engineering security documents. First, a source of security configuration information is chosen, namely the “Security Compliance Management Toolkit for Windows XP.” Following, literature related to the topic is evaluated, and applied within the scope of the exercise. Methods are then developed by which to categorize this information into vulnerable areas, and attack tools are proposed to exploit these areas. A subset of these tools is tested against a Windows XP host with these possible vulnerabilities, and the results reported.
Introduction
When staging an attack on a defended position, it is useful to know what measures the opponent has taken to strengthen his position, as these ‘strong points’ can be avoided in favor of those of a weaker nature. In computer security, this is true also, but an additional opportunity is presented in this scenario. A situation arises were the ‘opponent’ is actually many similar installations (e.g. Microsoft XP), with some being ‘strong’ from hardening measures and others remaining weak as these measures are not taken. The interesting corollary is that these ‘hardening’ measures are well known, and published in standard documents. It then becomes an exercise in reverse engineering to discover what areas have been fortified, and to use these areas of perceived weakness against installations which have not taken any provisions to address them.
It is with this idea in mind that we propose two primary research tasks. First, we work to discover areas of weakness implied in the “Security Compliance Management Toolkit for Windows XP” which we hypothesize to be present in this ‘hardening kit.’ Secondly, we attempt to use these hypothetical areas of weakness in conjunction with common attack tools to exploit a virtual host; i.e. we undertake verification steps with regard to our assertions.
Literature Review
Up to this point our labs have focused on the tools used in penetration testing. We have discovered penetration testing tools and classified them against the OSI 7 layer model and McCumber cube. We have also classified tools as either being active or passive. Active tools are the tools that may draw attention from those managing the system we intend to target. A primary example of an active tool is a port scanner, because of its ease of detection on the network. Alternatively, passive tools are used quietly so that they will not draw attention to themselves. An example of a passive tool would be a packet sniffer that is placed on a network, but doesn’t participate in network traffic. This week we expand our discussion of penetration testing by looking at other methods of finding vulnerabilities within systems. One such method involves reverse engineering a vendor’s security documentation. Other methods involve examining viruses, hostile data streams, and environmental security faults as possible methods of attack. Yet another method involves using multiple vulnerabilities to breach the system. This section discusses some of these alternative methods for discovering vulnerabilities.
One major cause for concern in computer security is viruses. The University of Calgary has begun holding a class in computer viruses. According to the authors of Viruses 101(Aycock and Baker, 2006, p152-156) “Malware is a valid area of study, and such computer security research is becoming vital to our increasingly computer dependent society”. The course covers virus and antivirus techniques as well as the legal and ethical aspects. Closely related to the study of viruses is the study of hostile data streams. In Testing with Hostile Data Streams (Jorgensen, 2003, p1-6) the author discusses how systems that process data from external sources are vulnerable if malicious data is not processed properly. A buffer overrun occurs when data that is being processed by a program is larger than the memory area assigned to store it. A hacker can create program input that causes a buffer overrun to occur. The data in the overrun can contain hostile code, such as a virus, that will execute on the system. In his paper, Jorgensen recommends inspecting the source code of a program to determine buffer overrun vulnerabilities when the source code is available. When program source code is unavailable, he recommends a system of black box testing. In black box testing, randomly deformed data is entered into the program to determine the results. If the program does not properly process the deformed data, then it is considered a failure.
Another similar situation is the security vulnerabilities that occur due to environmental security faults. According to the article Vulnerability Testing of Software System Using Fault Injection (Du & Mather, 1998, p1-20) “most security flaws are triggered by a flawed interaction with the environment”. As with the article Testing with Hostile Data Streams (Jorgensen, 2006, p1), Du and Mather also advocate testing the fault tolerance of software to determine security vulnerabilities. They state that programmers tend to assume that their software will be running in a safe environment and write the code with this in mind. Du and Mather extend their testing beyond user input to include other environmental factors such as shared resources and file properties. What we’ve found during our own analysis of the Windows XP Security Guide (Microsoft, 2009) is that many of the best practices that they recommend involve creating a secure environment for applications. According to Assessment Tools (Wales, p 17) “Network scanning tools basically looking for open ports in a network, or unsecured servers or unsecured systems, they do not reveal anything about applications. Scanning at the application level is a hugely different matter because an application attack is so subtle”.
Assessment Tools (Wales, p 15-17) advocates using at least two or three different security assessment tools, and then following it with an analysis of the results. This article recommended that vulnerability testing be included in a full risk assessment rather than just an IT audit. Instead of just performing penetration tests on a network, it suggests looking at the overall security of hardware, software and important data. Although we don’t necessarily disagree with all of the statements made in this article, the article seems to be somewhat biased toward hiring professional penetration testers. Many of the quotes made in this article are from professional penetration testers who seem to be trying to sell their services. Any statements made in that article should be viewed with that in mind. This article makes the statement that those who don’t hire professional penetration testers don’t really care about their information security and are only doing it for compliance purposes. The article also states that companies have the choice between purchasing penetration testing tools and running them themselves, or hiring professional penetration testers. This is not accurate since companies also have other options such as having their own IT personnel trained as penetration testers and using open source tools.
Testing is also being done in the area of using multiple vulnerabilities to achieve the desired objective. The article Topological Analysis of Network Attack Vulnerability (Jajodia, Noel, O’berry, 2006, p247-266) discusses the need to consider the possibility of vulnerabilities used in combination. Whereas a single vulnerability may not be a threat, a combination of vulnerabilities may allow an attacker to breach critical resources within the system. To analyze this, vulnerabilities are broken down into preconditions and post conditions. A graph is made with the precondition and post condition dependencies of the exploits. The attack paths take a sequence of steps from the initial configuration to its final objective, matching the post condition of one point of vulnerability with the precondition of the next. Securing the system is accomplished by eliminating the initial vulnerabilities in the attack paths.
Vulnerability assessments go beyond the active and passive reconnaissance tools that act upon the network that we investigated in previous labs. The assessment should look at product security documentation to fully understand the vulnerabilities of the system. It includes software level investigations such as viruses, environmental effects on software, and buffer overruns. It is also important to examine vulnerabilities that may be used in combination to compromise the system. Lastly, it’s important to look beyond simply assessing vulnerabilities and look at the risks involved to the system.
Methodology and Procedure
The security document was read and evaluated. We began by dividing our research into to broad categories: what Microsoft (2009) refers to as Windows XP ‘baseline security’ and ‘additional hardening methods’, in which we group software policy (pp. 4-5). Microsoft recommends implementing a software policy to control third party applications installed on XP based PCs, with the intent to protect against malicious software (p. 37). Therefore, the bulk of the effort was related to the ‘baseline security’ settings and software policy, but some attention was given to Windows Firewall. Windows Firewall is enabled by default in the most recently patched version of Windows; as a consequence it is not addressed in the security guide. However, we felt it bore mentioning here since, turned off it potentially opens up an XP machine to several vulnerabilities.
It was noted that the ‘baseline security’ addressed by the document was actually described by a Microsoft Group Policy table of setting changes that was included in the document package: we used this table as a primary source for change recommendations. We began by putting these ‘baseline settings’ into a separate table, and removing entries which did not apply to our test scenario, such as Domain and Active Directory settings. We were also careful only to include entries which could be applied to a Local security policy, i.e. a standalone workstation. The remaining settings were evaluated on an individual basis, with reference to Microsoft Developer Network (MSDN) made when the nature of the setting change was not readily apparent. These were then grouped into specific layers of the OSI networking model, and McCumber cube coordinates assigned. As many of the settings could affect multiple layers, some decisions were made about multiple layer classification. We determined that the lowest OSI layer affected would become the default setting classification, unless specific reason existed to suggest otherwise.
Once this table of setting changes was complete, we categorized classes of settings into general areas of perceived vulnerability. As many of these settings affected the same issue, or close variants of the same issue, we grouped these into classes of vulnerability (also categorized by OSI layer). These became the areas of vulnerability which directed our research with respect to attack tools. When actual tools were found, these were noted in the table; it must be stated that some methods of attack needed no other implement than those already present in the operating system, or relied on simple human interaction with the host. Additionally, some avenues of attack proved untenable with respect to the test setup, as they were dependent on certain user actions, such as the employment of Internet Explorer to install plug-ins: these we note but do not attempt to test.
For the majority of the common tools, we relied on experience with these implements against similarly configured hosts (e.g. Windows XP variants) to qualify as a ‘test.’ Specifically, firmware upgrade tools, ‘nbtscan,’ ‘net use,’the ‘Metasploit’ plug-ins, and debugging tools have all been verified to be capable of the prescribed attack roles in prior usage. Additionally, such tools as proxies are commonly used, and the use of these as attack tools has been witnessed, specifically in the correction of malware ridden hosts. Similarly, we have in the past devised ‘imposter’ dynamic link libraries (DLLs) and have observed how this can be utilized to override system DLLs based on the ‘load local directory first’ policy of Microsoft based operating systems. We did not test tools related to the ‘additional hardening methods’ vulnerabilities.
There were, however a number of tools listed which were tested in this exercise. We evaluated such tools as Microsoft remote registry editor, auto-run configuration of removable media, and compromised executables via the ‘FU’ rootkit trojan inserted with Micro-joiner. Furthermore, we examined the information returned by such built-in tools as ‘nbtstat,’ ‘arp,’ ‘route,’ and ‘systeminfo.’ Finally, an evaluation of the state of the Windows XP firewall was made via the Nmap security tool.
Results and Discussion
The results of the reverse engineering of the “Security Compliance Management Toolkit for Windows XP” for attack areas are presented in tables one and two respectively. These tables essentially sum of the ‘baseline security’ concerns. With relation to ‘hardening procedures,’ we include results addressing software policy in the aforementioned tables, and further give specific attention to the areas relating to error reporting and simple service discovery protocol / universal plug and play (SSDP/UPNP).
Microsoft (2009) recognizes the need to disable automatic error reporting in some cases as it is theorized knowledgeable attackers could take advantage of debuggers (p. 19). A quick search of both NIST NVD and Secunia turned up no XP specific vulnerabilities for the debugger (National Institute of Standards and Technology 2009; Secunia 2009). The log files and crash dumps could be useful places to gather system information, as well as prime targets for deletion in an anti-forensic maneuver. Remote monitoring or reporting may send the same information in clear text.
UPNP and its discovery service, SSDP are used to find and configure compliant devices (printers for example) on the network. A search of the NIST NVD and Secunia finds that un-patched versions of XP are susceptible to buffer overflows, and denial of service based on these two protocols (National Institute of Standards and Technology 2009; Secunia 2009). Microsoft (2009) recognizes that in many cases, such as enterprise and high security installations, that it may be beneficial to disable this setting (p. 19).
As for the results of tests, foremost, we found the results of the ‘auto-run’ configuration to not behave as expected, as we were not able to successfully create an ‘auto-run’ USB thumb drive. This was due to file system requirements: ‘autorun.inf’ files work on fixed removable optical media, and it appears that thumb drives must be partitioned to include a small ‘cd iso’ files system in order for this technique to work (we know that it ‘does’ work, as many commercial thumb drives arrive preconfigured in this way). We believe this concept to have serious security implications, as witnessed by the incident of USB thumb drives infected with malware targeting banking software deliberately left in a London car park (Leyden, 2007).
The aspect of software policy was tested by embedding the FU root kit inside a whack-a-mole game using Micro-joiner. ‘Software policy’ refers to checks which can be enabled on executable files and libraries; specifically: hash (MD5 or SHA-1), certificate, path rules, and Security Zone checks. Without any software policy enabled on a Windows XP SP 3 machine, the game ran, and the root kit was installed. With a software policy in place (we set it to deny all applications, regardless of user rights) the Whack-a-mole program did not execute. While perhaps a trivial example, this proves that the ‘lack’ of a software policy is vulnerability, and can be effectively attacked.
Further, Microsoft’s remote registry function was tested. We were able to connect to a remote Windows XP host on the network and view portions of the registry, but security restrictions did not allow us to modify any keys. We believe this an attack of some use, but the remote host which was tested had its firewall disabled, along with any account passwords: not a typical deployment scenario. We must therefore conclude that an attack of this sort, while possible, may be of less use than at first anticipated.
Built-in tools were tested, including Microsoft’s implementations of ‘nbtstat’ and ‘arp.’ These tools provided useful information when run, about not only the Windows host, but about the local network, ‘Nbtstat -r’ provided a full list of all NetBIOS names available on the local network. ‘Arp -a -v’ provided a nicely formatted list of MAC addresses associated with IP addresses for all hosts on the local network. Additionally, ‘systeminfo’ provided a very detailed list of local system parameters, including hardware configurations, system time, and installed ‘hotfixes.’ These tools did not disappoint us: they are at the very least powerful means by which an attacker who has gained user access can quickly evaluate a Windows host (if permissions are not stringent).
Finally, for thoroughness, Windows Firewall was evaluated with ‘Nmap.’ We ran ‘Nmap’ against Windows XP SP3 with the firewall on: ‘NMap’ found that all ports were filtered, and could not determine the operating system. With the firewall off, ‘Nmap’ found 1694 closed ports, 3 open ports, and the MAC address. It also noted that the machine was running in a VM, showed the TCP/IP fingerprint, and indicated that the OS was Windows. We feel this shows that the lack of a firewall in conjunction with the operation of a Windows XP host is indeed a real point of vulnerability, as shown by the differing results from ‘Nmap.’
Problems and Issues
This exercise proved challenging, in that many issues of configuration change did not easily fit into the OSI model layer. For instance, what layer does a machine power down affect? We chose to put this in layer two, as it does not change any physical attribute of the network, but essentially disables the NIC. Additionally, some of the vulnerabilities which we speculated to exist may not have known attack tools: we were unable to locate any compromised network card drivers, or specific firmware attacks. Further, we simply became overwhelmed by the amount of information in the first chart, and found it difficult to work with. In response to this, we used index numbering in the second table to reference the first. However, we discovered we could not easily modify the first table once the second table was created, as the indexes were row relative: we likely will not use this system of indexing in the future for this reason. Finally, we found much of the security document to address non-specific issues, but rather generic types of vulnerabilities. For instance, much of the NetBIOS and SMB vulnerabilities are addressed by general Windows service parameters, and do not directly betray the extent or number of vulnerabilities known to exist.
Conclusions
In conclusion then, we have determined that reverse engineering a security document for vulnerabilities is feasible. A method was devised to disassemble the document with respect to the OSI model and McCumber cube, which were then grouped into classes of vulnerabilities. These vulnerabilities were used to run tests against a virtual host, which included the use of rogue executables such as the ‘FU’ Trojan, various common tools such as ‘Nmap’ employed against Windows firewall, and built-in operating system tools such as ‘arp’ and ‘nbstat’ also being employed successfully. Additionally, we experimented with the concept of ‘autoplay’ attack tools, with limited success. Finally, we indicate that problems exist with this method, as many issues were only addressed in a very general way within the security document: this high-level treatment provides only the barest stepping stone by which to locate specific attacks known in the security community.
Charts, Tables, and Illustrations
Table 1: Setting Changes Indicated in the “Security Compliance Management Toolkit for Windows XP”
| Change Number | Targeted Setting Change | OSI Layer affected | McCumber Cube Coordinate |
| 1 | Devices: Allow undock without having to log on | 1 | Technology, Storage, Confidentiality |
| 2 | Force shutdown from a remote system (who can) | 2 | Technology, Processing, Availability |
| 3 | Load and unload device drivers (who can) | 2 | Technology, Processing, Integrity |
| 4 | Modify firmware environment values (who can) | 2 | Technology, Processing, Integrity |
| 5 | Shut down the system (who can) | 2 | Technology, Processing, Availability |
| 6 | Devices: Unsigned driver installation behavior | 2 | Technology, Processing, Integrity |
| 7 | Shutdown: Allow system to be shut down without having to log on | 2 | Technology, Processing, Availability |
| 8 | Audit: Shut down system immediately if unable to log security audits | 2 | Technology, Processing, Availability |
| 9 | Security Zones: Do not allow users to change policies | 3 | Technology, Transmission, Integrity |
| 10 | Security Zones: Do not allow users to add/delete sites | 3 | Technology, Transmission, Integrity |
| 11 | Security Zones: Use only machine settings | 3 | Technology, Transmission, Integrity |
| 12 | Intranet Sites: Include all network paths (UNCs) | 3 | Technology, Transmission, Integrity |
| 13 | Disable changing Automatic Configuration settings | 3 | Technology, Processing, Integrity |
| 14 | Disable changing connection settings | 3 | Technology, Transmission, Integrity |
| 15 | Disable changing proxy settings | 4 | Technology, Transmission, Integrity |
| 16 | Make proxy settings per-machine (rather than per-user) | 4 | Technology, Transmission, Integrity |
| 17 | Create a token object (Which accounts available for API access tokens) | 4 | Technology, Processing, Confidentiality |
| 18 | Replace a process level token (who can) | 4 | Technology, Processing, Integrity |
| 19 | Take ownership of files or other objects (who can) | 4 | Technology, Storage, Integrity |
| 20 | Maximum system log size | 4 | Technology, Processing, Integrity |
| 21 | Retain system log | 4 | Technology, Processing, Integrity |
| 22 | Retention method for system log | 4 | Technology, Processing, Integrity |
| 23 | Access this computer from the network (who can) | 5 | Technology, Storage, Confidentiality |
| 24 | Audit account logon events | 5 | Technology, Storage, Confidentiality |
| 25 | Audit account management | 5 | Technology, Storage, Confidentiality |
| 26 | Audit logon events | 5 | Technology, Storage, Confidentiality |
| 27 | Enable computer and user accounts to be trusted for delegation (local service, remote credentials) | 5 | Technology, Processing, Integrity |
| 28 | Manage auditing and security log (who can) | 5 | Technology, Processing, Confidentiality |
| 29 | Allow log on locally (who can) | 5 | Technology, Storage, Confidentiality |
| 30 | Allow log on through Terminal Services (who can) | 5 | Technology, Storage, Confidentiality |
| 31 | Generate security audits (who can) | 5 | Technology, Processing, Confidentiality |
| 32 | Log on as a batch job (who can) | 5 | Technology, Storage, Confidentiality |
| 33 | Log on as a service (who can) | 5 | Technology, Storage, Confidentiality |
| 34 | Accounts: Rename administrator account | 5 | Technology, Processing, Integrity |
| 35 | Accounts: Rename guest account | 5 | Technology, Processing, Integrity |
| 36 | Network access: Allow anonymous SID/Name translation | 5 | Technology, Storage, Confidentiality |
| 37 | Accounts: Administrator account status | 5 | Technology, Processing, Integrity |
| 38 | Accounts: Guest account status | 5 | Technology, Storage, Confidentiality |
| 39 | Accounts: Limit local account use of blank passwords to console logon only | 5 | Technology, Storage, Confidentiality |
| 40 | DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax | 5 | Technology, Processing, Integrity |
| 41 | DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax | 5 | Technology, Processing, Integrity |
| 42 | Devices: Restrict CD-ROM access to locally logged-on user only | 5 | Technology, Storage, Integrity |
| 43 | Devices: Restrict floppy access to locally logged-on user only | 5 | Technology, Storage, Confidentiality |
| 44 | Interactive logon: Do not display last user name | 5 | Technology, Storage, Confidentiality |
| 45 | Interactive logon: Do not require CTRL+ALT+DEL | 5 | Technology, Storage, Confidentiality |
| 46 | Interactive logon: Prompt user to change password before expiration | 5 | Technology, Storage, Confidentiality |
| 47 | Interactive logon: Message text for users attempting to log on | 5 | Technology, Processing, Confidentiality |
| 48 | Interactive logon: Message title for users attempting to log on | 5 | Technology, Processing, Confidentiality |
| 49 | Interactive logon: Require smart card | 5 | Technology, Storage, Confidentiality |
| 50 | Microsoft network client: Digitally sign communications (always) | 5 | Technology, Transmission, Integrity |
| 51 | Microsoft network client: Digitally sign communications (if server agrees) | 5 | Technology, Transmission, Integrity |
| 52 | Microsoft network client: Send unencrypted password to third-party SMB servers | 5 | Technology, Storage, Confidentiality |
| 53 | Microsoft network server: Amount of idle time required before suspending session | 5 | Technology, Transmission, Availability |
| 54 | Microsoft network server: Digitally sign communications (always) | 5 | Technology, Transmission, Integrity |
| 55 | Microsoft network server: Digitally sign communications (if client agrees) | 5 | Technology, Transmission, Integrity |
| 56 | Microsoft network server: Disconnect clients when logon hours expire | 5 | Technology, Transmission, Availability |
| 57 | Network access: Do not allow anonymous enumeration of SAM accounts and shares | 5 | Technology, Storage, Confidentiality |
| 58 | Network access: Do not allow storage of credentials or .NET Passports for network authentication | 5 | Technology, Storage, Confidentiality |
| 59 | Network access: Let Everyone permissions apply to anonymous users | 5 | Technology, Storage, Confidentiality |
| 60 | Network access: Restrict anonymous access to Named Pipes and Shares | 5 | Technology, Storage, Confidentiality |
| 61 | Network access: Sharing and security model for local accounts | 5 | Technology, Storage, Confidentiality |
| 62 | Network security: Do not store LAN Manager hash value on next password change | 5 | Technology, Storage, Confidentiality |
| 63 | Network security: LAN Manager authentication level | 5 | Technology, Storage, Confidentiality |
| 64 | Recovery console: Allow automatic administrative logon | 5 | Technology, Storage, Confidentiality |
| 65 | Maximum security log size | 5 | Technology, Processing, Integrity |
| 66 | Prevent local guests group from accessing application log | 5 | Technology, Processing, Confidentiality |
| 67 | Prevent local guests group from accessing security log | 5 | Technology, Processing, Confidentiality |
| 68 | Prevent local guests group from accessing system log | 5 | Technology, Processing, Confidentiality |
| 69 | Retain security log | 5 | Technology, Processing, Integrity |
| 70 | Retention method for security log | 5 | Technology, Processing, Integrity |
| 71 | Do not process the legacy run list (at logon) | 5 | Technology, Processing, Integrity |
| 72 | Do not process the run once list (at logon) | 5 | Technology, Processing, Integrity |
| 73 | Restrictions for Unauthenticated RPC clients | 5 | Technology, Processing, Integrity |
| 74 | RPC Endpoint Mapper Client Authentication | 5 | Technology, Processing, Integrity |
| 75 | Require trusted path for credential entry | 5 | Technology, Storage, Confidentiality |
| 76 | Always prompt client for password upon connection | 5 | Technology, Storage, Confidentiality |
| 77 | Do not allow drive redirection | 5 | Technology, Storage, Confidentiality |
| 78 | Do not allow passwords to be saved | 5 | Technology, Storage, Confidentiality |
| 79 | Prompt for password on resume from hibernate / suspend | 5 | Technology, Storage, Confidentiality |
| 80 | Logon options (IE) | 5 | Technology, Storage, Confidentiality |
| 81 | Turn on the auto-complete feature for user names and passwords on forms | 5 | Technology, Storage, Confidentiality |
| 82 | Disable remote Desktop Sharing | 5 | Technology, Storage, Confidentiality |
| 83 | Password protect the screen saver | 5 | Technology, Storage, Confidentiality |
| 84 | Change the system time | 6 | Technology, Processing, Integrity |
| 85 | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | 6 | Technology, Transmission, Integrity |
| 86 | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | 6 | Technology, Transmission, Integrity |
| 87 | System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | 6 | Technology, Transmission, Confidentiality |
| 88 | System cryptography: Force strong key protection for user keys stored on the computer | 6 | Technology, Transmission, Confidentiality |
| 89 | Set client connection encryption level | 6 | Technology, Transmission, Integrity |
| 90 | Prevent ignoring certificate errors | 6 | Technology, Transmission, Integrity |
| 91 | Disable changing certificate settings | 6 | Technology, Processing, Integrity |
| 92 | Check for server certificate revocation | 6 | Technology, Transmission, Integrity |
| 93 | Do not allow users to enable or disable add-ons (IE) | 7 | Technology, Processing, Integrity |
| 94 | Disable Automatic Install of Internet Explorer components | 7 | Technology, Processing, Integrity |
| 95 | Disable Periodic Check for Internet Explorer software updates | 7 | Technology, Processing, Integrity |
| 96 | Disable software update shell notifications on program launch | 7 | Technology, Processing, Integrity |
| 97 | Turn off Crash Detection (IE) | 7 | Technology, Processing, Integrity |
| 98 | Allow software to run or install even if the signature is invalid | 7 | Technology, Processing, Integrity |
| 99 | Act as part of the operating system (who can) | 7 | Technology, Processing, Confidentiality |
| 100 | Back up files and directories | 7 | Technology, Storage, Confidentiality |
| 101 | Bypass traverse checking (for directory permissions) | 7 | Technology, Storage, Confidentiality |
| 102 | Create a pagefile | 7 | |
| 103 | Create global objects (permission for Terminal Services sessions) | 7 | Technology, Processing, Availability |
| 104 | Create permanent shared objects ( directory objects) | 7 | Technology, Storage, Integrity |
| 105 | Debug programs | 7 | Technology, Processing, Confidentiality |
| 106 | Impersonate a client after authentication (similar to UNIX SUID) | 7 | Technology, Processing, Integrity |
| 107 | Increase scheduling priority (processes) | 7 | Technology, Processing, Availability |
| 108 | Lock pages in memory (who can) | 7 | Technology, Processing, Integrity |
| 109 | Profile single process (who can) | 7 | Technology, Processing, Confidentiality |
| 110 | Profile system performance (who can) | 7 | Technology, Processing, Confidentiality |
| 111 | Restore files and directories (who can) | 7 | Technology, Storage, Integrity |
| 112 | Network access: Remotely accessible registry paths and sub-paths | 7 | Technology, Processing, Integrity |
| 113 | Devices: Prevent users from installing printer drivers | 7 | Technology, Storage, Confidentiality |
| 114 | Shutdown: Clear virtual memory pagefile | 7 | Technology, Storage, Confidentiality |
| 115 | System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | 7 | Technology, Processing, Integrity |
| 116 | System objects: Default owner for objects created by members of the Administrators group | 7 | Technology, Processing, Integrity |
| 117 | System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | 7 | Technology, Processing, Integrity |
| 118 | Maximum application log size | 7 | Technology, Processing, Integrity |
| 119 | Retain application log | 7 | Technology, Processing, Integrity |
| 120 | Retention method for application log | 7 | Technology, Processing, Integrity |
| 121 | Offer Remote Assistance | 7 | Technology, Storage, Confidentiality |
| 122 | Solicited Remote Assistance | 7 | Technology, Storage, Confidentiality |
| 123 | Turn off downloading of print drivers over HTTP | 7 | Technology, Processing, Integrity |
| 124 | Turn off the “Publish to Web” task for files and folders | 7 | Technology, Storage, Confidentiality |
| 125 | Turn off Internet download for Web publishing and online ordering wizards | 7 | Technology, Processing, Integrity |
| 126 | Turn off printing over HTTP | 7 | Technology, Storage, Confidentiality |
| 127 | Turn off Search Companion content file updates | 7 | Technology, Processing, Integrity |
| 128 | Turn off the Windows Messenger Customer Experience Improvement Program | 7 | Technology, Processing, Integrity |
| 129 | Turn off Windows Update device driver searching | 7 | Technology, Processing, Integrity |
| 130 | Turn off Autoplay | 7 | Technology, Processing, Integrity |
| 131 | Configure Automatic Updates | 7 | Technology, Processing, Integrity |
| 132 | Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box | 7 | Technology, Processing, Availability |
| 133 | No auto-restart for scheduled Automatic Updates installations | 7 | Technology, Processing, Availability |
| 134 | Reschedule Automatic Updates scheduled installations | 7 | Technology, Processing, Integrity |
| 135 | Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box | 7 | Technology, Processing, Availability |
| 136 | Do not allow Windows Messenger to be run | 7 | |
| 137 | Deny all add-ons unless specifically allowed in the Add-on List (IE) | 7 | Technology, Processing, Integrity |
| 138 | Internet Explorer Processes | 7 | Technology, Processing, Integrity |
| 139 | Do not preserve zone information in file attachments | 7 | Technology, Storage, Confidentiality |
| 140 | Hide mechanisms to remove zone information | 7 | Technology, Transmission, Integrity |
| 141 | Notify antivirus programs when opening attachments | 7 | Technology, Processing, Integrity |
| 142 | Disable Save this program to disk option | 7 | Technology, Processing, Integrity |
| 143 | Disable the Advanced Page | 7 | Technology, Processing, Integrity |
| 144 | Disable the Security Page | 7 | Technology, Processing, Integrity |
| 145 | Allow cut, copy or paste operations from the clipboard via script | 7 | Technology, Storage, Confidentiality |
| 146 | Allow drag and drop or copy and paste files | 7 | Technology, Storage, Confidentiality |
| 147 | Allow font downloads | 7 | Technology, Processing, Integrity |
| 148 | Allow installation of desktop items | 7 | Technology, Processing, Integrity |
| 149 | Allow script-initiated windows without size or position constraints | 7 | Technology, Transmission, Confidentiality |
| 150 | Allow status bar updates via script | 7 | Technology, Transmission, Integrity |
| 151 | Automatic prompting for file downloads | 7 | Technology, Processing, Integrity |
| 152 | Download signed ActiveX controls | 7 | Technology, Processing, Integrity |
| 153 | Download unsigned ActiveX controls | 7 | Technology, Processing, Integrity |
| 154 | Initialize and script ActiveX controls not marked as safe | 7 | Technology, Processing, Integrity |
| 155 | Java permissions | 7 | Technology, Processing, Integrity |
| 156 | Launching applications and files in an IFRAME | 7 | Technology, Processing, Integrity |
| 157 | Open file based on content, not file extension | 7 | Technology, Processing, Integrity |
| 158 | Use Pop-up Blocker | 7 | Technology, Processing, Integrity |
| 159 | Web sites in less privileged Web content zones can navigate into this zone | 7 | Technology, Transmission, Integrity |
| 160 | Allow active scripting | 7 | Technology, Processing, Integrity |
| 161 | Allow binary and script behaviors | 7 | Technology, Processing, Integrity |
| 162 | Allow file downloads | 7 | Technology, Processing, Integrity |
| 163 | Allow META REFRESH | 7 | Technology, Processing, Integrity |
| 164 | Run .NET Framework-reliant components not signed with Authenticode | 7 | Technology, Processing, Integrity |
| 165 | Run .NET Framework-reliant components signed with Authenticode | 7 | Technology, Processing, Integrity |
| 166 | Run ActiveX controls and plugins | 7 | Technology, Processing, Integrity |
| 167 | Script ActiveX controls marked safe for scripting | 7 | Technology, Processing, Integrity |
| 168 | Scripting of Java applets | 7 | Technology, Processing, Integrity |
| 169 | Disable adding channels | 7 | Technology, Processing, Integrity |
| 170 | Disable adding schedules for offline pages | 7 | Technology, Processing, Integrity |
| 171 | Disable all scheduled offline pages | 7 | Technology, Processing, Integrity |
| 172 | Disable channel user interface completely | 7 | Technology, Processing, Integrity |
| 173 | Disable editing and creating of schedule groups | 7 | Technology, Processing, Integrity |
| 174 | Disable editing schedules for offline pages | 7 | Technology, Processing, Integrity |
| 175 | Disable removing channels | 7 | Technology, Processing, Integrity |
| 176 | Disable removing schedules for offline pages | 7 | Technology, Processing, Integrity |
| 177 | Remove Security tab | 7 | Technology, Processing, Confidentiality |
| 178 | Prevent access to registry editing tools | 7 | Technology, Processing, Integrity |
| 179 | Screen Saver executable name | 7 | Technology, Processing, Integrity |
| 180 | Screen Saver timeout | 7 | Technology, Storage, Confidentiality |
| 181 | Screen Saver | 7 | Technology, Storage, Confidentiality |
| 182 | Configure Outlook Express | 7 | Technology, Storage, Confidentiality |
| 183 | Disable “Configuring History” | 7 | Technology, Storage, Confidentiality |
| 184 | Disable AutoComplete for forms | 7 | Technology, Storage, Confidentiality |
| 185 | Do not allow users to enable or disable add-ons | 7 | Technology, Processing, Integrity |
| 186 | Prevent “Fix settings” functionality | 7 | Technology, Processing, Integrity |
| 187 | Prevent deletion of temporary Internet files and cookies | 7 | Technology, Storage, Confidentiality |
| 188 | Turn off the Security Settings Check feature | 7 | Technology, Processing, Integrity |
| 189 | Allow software to run or install even if the signature is invalid | 7 | Technology, Processing, Integrity |
| 190 | Automatically check for Internet Explorer updates | 7 | Technology, Processing, Integrity |
| 191 | Navigate sub-frames across different domains | 7 | Technology, Transmission, Integrity |
| 192 | Access data sources across domains | 7 | Technology, Transmission, Integrity |
| 193 | Audit system events | 7 | Technology, Processing, Confidentiality |
| 194 | Audit: Audit the access of global system objects | 7 | Technology, Processing, Confidentiality |
| 195 | Perform volume maintenance tasks (who can) | 7 | Technology, Storage, Integrity |
| 196 | Audit: Audit the use of Backup and Restore privilege | 7 | Technology, Processing, Confidentiality |
| 197 | Devices: Allowed to format and eject removable media (who can) | 7 | Technology, Storage, Confidentiality |
| 198 | Recovery console: Allow floppy copy and access to all drives and all folders | 7 | Technology, Storage, Confidentiality |
| 199 | System objects: Require case insensitivity for non-Windows subsystems | 7 | Technology, Processing, Integrity |
| 200 | System settings: Optional subsystems (e.g. POSIX) | 7 | Technology, Processing, Integrity |
| 201 | Registry policy processing | 7 | Technology, Processing, Integrity |
| 202 | Disable downloading of site subscription content | 7 | Technology, Processing, Integrity |
| 203 | Remove CD Burning features | 7 | Technology, Storage, Confidentiality |
| 204 | Disable offline page hit logging | 7 | Technology, Processing, Confidentiality |
| 205 | Disable Automatic Execution of Windows Error Reporting | 7 | Technology, Processing, Confidentiality |
| 206 | Disable SSDP/UPNP | 7 | Technology, Processing, Integrity |
| 207 | File Integrity checking | 7 | Technology, Processing, Integrity |
| 208 | DLL integrity checking | 7 | Technology, Processing, Integrity |
| 209 | System config executable permissions (e.g. System32 files such as: regedit, debug, etc.) | 7 | Technology, Processing, Integrity |
| 210 | System net tool executable permissions (e.g. System32 files such as: arp,route, net, etc.) | 7 | Technology, Transmission, Integrity |
Table 2: Specific Areas of Vulnerability with Attack Tools
| Layer | Likely Vulnerability | Change Reference | Attack Tools |
| 1 | Laptop removal | 1 | Stealth, Impersonation, Theft |
| 2 | Host shutdown | 2, 5, 7, 8 | No other tools needed, appropriate permissions apply. |
| 2 | Hypothetical: NIC driver substitution | 3, 6 | Unknown |
| 2 | Hypothetical: Firmware corruption | 5 | Unknown, but many firmware ‘flashing’ programs can be misused, essentially a DOS. |
| 3 | Network Location impersonation | 9, 10, 11, 12, 13, 14 | Ettercap |
| 4 | Rogue proxy | 15, 16 | Normally a trojan proxy, but simple ‘non-malicious’ proxies such as DeleGate (note 1) could be used. |
| 4 | Low level socket spying | 18, 19, 20 | Win API |
| 4 | Windows Firewall | general category | Nessus, Nmap |
| 4 | Hypothetical: connection induced log truncation | 21, 22, 23 | Any means to generate many repeated connections, such as scripted tools. |
| 5 | User name discovery | 24, 25, 26, 28, 31, 44, 66, 67, 68 | Physical access to host login |
| 5 | User impersonation (old accounts, session credential hijacking, accessing a logged-on workstation when the user is absent, etc.) | 23, 27, 29, 30, 32, 33, 36, 49, 50, 51, 54, 55, 60, 61, 76, 78, 79, 80, 81, 82, 83 | Nbtscan, net use, etc. |
| 5 | Session availability (DOS) | 53, 56 | Unknown modern exploit for XP, nbtstream.c (note 2) for pre-2000 installations. Perhaps script attacks possible. |
| 5 | Account compromise (via keyloggers, sniffers, false login screens, weak passwords, null passwords etc.) | 42, 43, 45, 46, 52, 57, 58, 61, 62, 63, 64, 71, 72, 75 | Ophcrack, THC Hydra, Metasploit SMB_relay plugin |
| 5 | RPC/DCOM service abuse | 40, 41, 60, 73, 74, 77 | Metasploit plug-ins, and MS Windows (RPC2) Universal Exploit & DoS (RPC3) (MS03-039) (note 3) |
| 5 | Hypothetical: Security log truncation | 69, 70 | No specific tools, but simple actions which generate security events may be able to ‘push out’ prior events which betray specific attacks (dependent on logging settings) |
| 5 | Rogue account creation | 37, 38 | No other tools needed, appropriate permissions apply. |
| 5 | Banner grabbing | 47, 48 | Nmap |
| 6 | Weak encryption | 85, 86, 87, 88, 89 | Windows PRNG weakness known to exist (note 4) . No working exploit code found. |
| 6 | False certificates | 84, 90, 91, 92 | SSL strip (note 5) |
| 7 | HTTP vulnerabilities via IE | 93, 94, 95, 98, 125, 137, 139, 140, 149, 150, 151, 152, 153, 154, 156, 159, 162, 163, 166, 167, 169, 170, 171, 172, 173, 174, 175, 176, 177, 183, 184, 185, 187, 190, 191 | Many: cross site scripting attacks, rogue Active X plug-ins, etc. Requires user interaction, so unused. |
| 7 | Compromised executables, i.e. trojans | 98, 99, 106, 117, 142, 179, 189, 207, 209, 210 | Microsoft Visual Studio, used to created malicious executables. Also, trojan kits, such as the ‘FU’ rootkit with Micro-joiner. |
| 7 | Compromised libraries, data files | 142, 148, 207, 208, 192 | Microsoft Visual Studio, used to created malicious libraries and DLLs. |
| 7 | System resources DOS | 103, 107, 108 | Win API via object handles, or process priority flags. |
| 7 | System settings compromise | 178, 180, 181, 188, 201, 209, 210 | regedit, with remote registry option. |
| 7 | File peeking | 101 | No other tools needed, appropriate permissions apply. |
| 7 | Memory peeking | 102, 105, 115 | Debugging Tools for Windows, C pointers, etc. |
| 7 | System behavior discovery | 109, 110, 118, 119, 120 | No other tools needed beyond utilities built into the OS, but appropriate permissions apply. |
| 7 | File replacement | 104, 111, 115, 116, 195, 196 | No other tools needed, appropriate permissions apply. |
| 7 | Copying data | 100, 113, 124, 126, 145, 146, 197, 198, 203 | No other tools needed, appropriate permissions apply. |
| 7 | Windows Messenger | 128, 136 | MS Messenger Service Denial of Service Exploit (MS03-043) (note 6) |
| 7 | System updates | 96, 129, 131, 132, 133, 134, 135 | The tool is the actual prevention of update, and leaves possible areas of vulnerability unpatched. |
| 7 | Auto execution | 130, 157 | autorun.inf file or equivalent on removable media, etc. |
| 7 | Subsystem vulnerabilities (.NET, Java, Posix) | 156, 164, 165, 199, 200 | Sun Java System Identiy Manager Users Enumeration (note 7) |
| 7 | Automatic configuration (UPNP) | 206 | MS Windows Plug-and-Play (Umpnpmgr.dll) DoS Exploit (MS05-047) (note 8 ) |
| 7 | Utilization of built-in programs and functions for info gathering | 143, 144, 193, 194, 209, 210 | No other tools needed, appropriate permissions apply. |
| 7 | Remote Assistance | 122, 123 | Remote Assistance client, possibly with social engineering. |
| 7 | Inadvertent information disclosure | 127, 139, 205 | Normal login via appropriated credentials, or legitimate user access. |
| 7 | Outlook | 141, 182 | Many, including: MS Outlook Express NNTP Buffer Overflow Exploit (MS05-030) (note 9) |
| 7 | Scripts | 160, 161, 168 | Malicious scripts, many types. |
Table Notes:
1. http://www.delegate.org/delegate/
2. http://www.securiteam.com/exploits/5JP0R0K4AW.html
3. http://www.milw0rm.com/exploits/109
4. http://www.computerworld.com/s/article/9047179/Reverse_engineering_cracks_Windows_encryption
5. http://www.thoughtcrime.org/software/sslstrip/
6. http://www.milw0rm.com/exploits/111
7. http://www.securiteam.com/exploits/5EP0F0UQUO.html
8. http://www.milw0rm.com/exploits/1271
9. http://www.milw0rm.com/exploits/1066
References
Aycock, J., & Barker, K. (2005, February 27). Viruses 101. pp. 152-156.
Du, W., & Mathur, A. P. (1998, April 6). Vulnerability Testing of Software System Using Fault Injection. pp. 1-20.
Jajodia, S., Noel, S., & O’Berry, B. (n.d.). Topological Analysis of Network Attack Vulnerability. pp. 247-266.
Jorgensen, A. A. (2003, March). Testing with Hostile Data Streams. pp. 1-6.
Leyden, J. (2007, April 25). Hackers debut malware loaded USB ruse: litter bait used as phishing lure. Channel Register. Retrieved July 12, 2009, from http://www.channelregister.co.uk/2007/04/25/usb_malware/
Microsoft Corporation (2009, February). Windows® XP Security Guide Security Compliance Management Toolkit. Retrieved July 8, 2009 from http://download.microsoft.com/download/B/2/4/B24D224D-054A-46A2-BB30- 925B943F00E1/Security%20Compliance%20Management%20Toolkit%20_%20Windows%20XP.zip
National Institute of Standards and Technology. (2009, 7/4/2009). “National Vulnerability Database.” Retrieved 7/4/2009, 2009, from http://nvd.nist.gov/.
Secunia. (2009). “Secunia Vulnerability and Advisory Database.” Retrieved 6/25/2009, 2009, from http://secunia.com/advisories/search/?
Wales, E. (2003, July). Vulnerability Assessment Tools. Network Security , pp. 15-17.
The group’s abstract starts off with a very brief explanation of what the purpose of this lab is. This explanation could have been expanded on. Most of the abstract is about what needs to be done in this lab. The abstract could have included more on how this lab ties into the course and the importance of this lab was. The group then goes into an introduction. In the introduction the group does make up for the examination of the importance of this lab. The introduction does a great job at introducing the idea of reverse engineering a security document and using the vulnerabilities against a system that is not hardened by this document. The group explains that there are two sections to this lab. The first section being, exploring the vulnerabilities uncovered by reverse engineering the security document that was used in this group’s lab. The second section of the lab that the group talks about is the examination of tools that could be used in exploiting the vulnerabilities in the first section. This group seems to have missed a section of the lab in both the abstract and the introduction. The group does not mention anything about exploring vulnerabilities that service packs or patches fix. In the introduction they talk about finding tools that exploit the vulnerabilities in the first part of the lab. I believe that this part of the lab is supposed to be about finding tools that exploit vulnerabilities fixed by the patches and service packs. In the beginning of the literature review the group does a good job in transitioning past labs into what this lab is about. The beginning of the literature review is a little wordy. The group could have left out the definitions and examples of active and passive attacks, this seemed to be redundant. The literature review in this group’s lab was done very well. The only thing that the group could have done was to tie the literature into the current lab better. Also the methodology and research was not examined. Each of the articles showed how they tied into each other and also a good explanation of what each article was about. The methodology starts off with the group breaking down the security document into baseline security and they also include other securities the document did not cover, like firewall policies. The group does a very nice job in explaining how they went about setting up the table of vulnerabilities. They explain what they included and what the left out. Next they explain how the vulnerabilities were categorized and how tools were found to use in exploiting the vulnerabilities. They also described what tools they were going to test and what they were going to leave out of the tests. Again there was no mention of examination of security patches and service packs this group, among others, left this section out and tied the tools that needed to be found with the vulnerabilities that were listed in the first section of the lab. The group did a very good explanation of the tests they did on all the vulnerabilities that they determined could be done on their network. These tests covered all aspects of security on the computer that they were testing. The group even gave explanations on why a test might have failed and a possible solution was given. The results did not include anything else in them. As an example, the group did not discuss any patterns that might have been present in the tables that were created. The group mentioned a few issues they had with doing this lab. They mention that they had problems with matching vulnerabilities to the OSI model, finding tools to fit some of the vulnerabilities, the amount of changes that the document provided, problems with creating there tables, and issues in the document that did not pertain to security issues. In the conclusion the group found that the process of reverse engineering could be feasible. They broke down the how the lab was accomplished and gave explanations of each section of the lab. The conclusion could have had more to it. It could have included what was learned in doing this lab and what could be accomplished with this learned material.
I liked the correlation to military strategy in the introduction. It fits very well in the context of this lab. The literature review could use some work. The first paragraph is a tease by summarizing and relating all of the previous lab exercises, I thought it was going to be tied smoothly into the activities of this lab along with a discussion of the assigned literature. The first two pieces of assigned literature are merely summarized in a paragraph about viruses and buffer overflows yet nothing is tied to the lab activities. How does the class that taught virus writing relate? The virus class taught about virus defense through the process or reverse engineering how viruses were created in the first place. Are we not reverse engineering the security of the systems we’re attacking or testing from documentation on how they are configured or secured? Same concept applies to the testing of data streams, find out how the programs handle data inputs at different points except in this instance we’ll know how it should behave from the documentation. If we note one area that’secured sufficiently, maybe this left a hole somewhere else. The discussion on Jajodia et al.’s article was good but felt just shy of tying it in to the other articles. The attack path method is what we’re attempting to discover through these lab exercises by analyzing what may (or may not) be in place according to the guides, we can find other avenues of attack.
The methodologies section was very detailed and left very few questions. I liked the mention of referencing MSDN for information but is this really the best place to go? What about TechNet? The discussion about the tools used to test could’ve been a little more detailed. Instead of talking about what tools you were going to run against the VM, where you were going to run those tools from, and most importantly why, the section comes off more just like a list of tools from previous labs.
The paragraphs leading up to the tables in the finding section provide some useful information about various items discovered but seem disjointed from the activities as a whole. The tables are very well organized with ascending OSI layers and an incrementing key column for future use. My main concern with the table is the lack of detail or discussion on the elements discovered. Providing the name of the security change recommended by Microsoft doesn’t really tell the reader why this is done or, more importantly, what the implications of not making the change could have. Without this, the table lacks depth and relevance. The second table adds some depth to each of the items but lacks specificity. Instead a vague vulnerability is mentioned and the change references are fit into that reference.
The mention of difficulties with OSI layer is evident in some of the classifications but was handled pretty well by the statement in the methodologies. Whenever I didn’t necessarily agree with an item, I thought back to the methodology of tying it back to the lowest level it would affect. The conclusion could benefit from mentions of the overall topic or goals of the lab rather than restating some of the activities that were performed.
I think that this team could use a longer abstract. While it did mention some points that needed to be covered, it did not answer all of them. Maybe to add to the length of the abstract, some of the points talked about in the introduction could be added to the abstract, so it can meet all of the requirements of the lab report. As with this team’s use of single quotes in a lot of places, they are not needed and actually make reading the lab report more difficult. This is especially true when they use quotes for article names instead of italicizing the titles. The team never answered my question from last time, for the introduction items is this common knowledge that everyone in the team has , or did they find this information somewhere else and not cite it properly? Like in all of this team’s previous lab reports, they discuss how this lab experiment has built on the previous research and lab experiments. I don’t think that this part of the lab is needed in the literature review; it should go into the abstract or even the introduction. The team citations are in the wrong location. Citations go after the content from the article, not after the name of the article. This is not following APA 5 require format of lab reports. For some of the citations in the literature review, the team follows the author, year, page format, but from the middle of it on, the team did not follow APA 5 format, the year was missing.
I have one major problem with how the team handled the majority of the common tools. It states that the team relied on experience. This would not help anyone who was trying to duplicate the lab experiment and did not have this experience. The steps of the process need to be written so that the lab experiment can be duplicated by anyone. It may seem unnecessary, but all steps need to be written out. One thing that I did notice that this team did that no other team did, was spelling out the acronym before giving it to us. That is a nice touch for anyone that doesn’t know them. The team needs to stop writing “we” and use team or group instead. These are not the typical lab reports, and the reports should be written almost like a paper. Most of the findings section read like it should have been the methods section. The testing seemed random and seemed to skip from place to place. As stated before, the steps of the process seemed to skip around a lot, where did all of these findings come from? An issue for the team was time. Use time management, you have 3 members in your group, split the work equally. The last item I have to talk about is, how did the team not have a date for one of the article? Google it to find the date, n.d should never be an option.
Team 3’s abstract got right to the point. It was short but it did a good job of telling me what they were going to do in lab 5. The introduction was well written and helped me to understand more about this topic. Like their previous lab reports, they discuss how this lab experiment has built on the previous research and lab experiments. This probably should have been included in the introduction instead of the literature review. The literature review was well written. However, there were numerous formatting and citation errors They could have improved on their literature review by understating the correct way to format and cite with the APA 5 format and to make sure there is a correlation between the articles and the lab. The methodologies section was very thorough. However, the discussion of the tools used to test could have used more detail.
Team 3’s tables were very well organized. I thought they were very detailed. Their results and conclusions were well written and provided insight into the topic.
Team three’s abstract section seemed somewhat brief, but did give an overview of the laboratory assignment.
In the introduction section, I thought the military analogy was able to fit well with parameters of the assignment. I was unclear what the group meant when they stated “A situation arises were the ‘opponent’ is actually many similar installations (e.g. Microsoft XP), with some being ’strong’ from hardening measures and others remaining weak as these measures are not taken.” Did the group mean that improperly configured boxes are so much of a vulnerability that they are an opponent to themselves? Team three’s introduction also set them apart from the other groups because they would “work to discover areas of weakness implied in the “Security Compliance Management Toolkit for Windows XP” which we hypothesize to be present in this ‘hardening kit.’” Most of the other groups including my own interpreted exploits as meaning weaknesses that would exist if the recommendations were not followed.
Team three’s literature review contained a detailed introduction that recapped the past assignments and tied the laboratories assignment’s articles to the assignment itself by explaining how they are different approaches to discovering vulnerabilities. Team three seemed to also take from the Wales article, that the author had a bias for external penetration testers. I agree that the author of the article used several testimonies from consultants who preformed penetration test, but I gathered that the author thought that a hybrid solution between in house and external was best. There were other teams who also came to a similar conclusion as your team.
In the methodology section, team three described how the data that they retrieved from their chosen document would be categorized into their table. In regards to determining where some of the recommendations would fit within the OSI model, team three decided to fit the changes in question in the lowest layer possible. The group also discarded recommendations that would have no bearing on their test environment, such as active directory recommendations. The group also described the services that they tested by stating “We evaluated such tools as Microsoft remote registry editor, auto-run configuration of removable media, and compromised executables via the ‘FU’ rootkit Trojan inserted with Micro-joiner. Furthermore, we examined the information returned by such built-in tools as ‘nbtstat,’ ‘arp,’ ‘route,’ and ’systeminfo.’ Finally, an evaluation of the state of the Windows XP firewall was made via the Nmap security tool.”
In the results section, team three briefly described the contents of both of their tables. Team three was also able to describe the parameters of the tests they conducted with the outcomes that occurred.
In the issues section, team three listed a few issues. The team stated “This exercise proved challenging, in that many issues of configuration change did not easily fit into the OSI model layer.” The team also stated “some of the vulnerabilities which we speculated to exist may not have known attack tools:” Team three was also somewhat overwhelmed by the first table that they had created.
Team three gave a descriptive summary of what they learned and had problems with in the conclusion section. The team also revisited their test results.
Team 3 starts with their abstract and states that they will be going over Windows XP and using the management tool kit from windows during the lab. Then they go over their introduction and it went over reverse engineering and what they are going to use within the lab. The introduction seemed just to be a reiteration of the abstract and not needed. Then the group goes into the literature review. Again at the beginning of the literature review it seemed like they were giving another abstract. Some of the points at the beginning of the literature may have been able to go into the introduction and discussed in more depth upon. Then the start of the review of the actual articles begins. The team goes over each article and again this week is just a reiteration of what happened within the articles. At the end they talk shortly about vulnerabilities and using the resources to resolve any problems area within systems. The literature section of the document can still be improved upon. It can be improved by comparing the articles between each other and creating arguments on the issues within them. They then go onto the methodology section. This area of the lab is the strong point where they are able to go into detail what is going to occur within the hands on portion of the lab. The team then goes onto the findings for their hands on testing. Within this section they explained some of the vulnerabilities with Windows XP. At the end of the document is where they placed the tables that were part of the requirements for the lab. These table where will structured and had the information that provides information about the vulnerabilities and the tools that where, and can be used in attacking Windows XP. They then go onto the issue section and state they have an issue defining where powering down the system is at on the table and put it in too layer 2. Does there have to be a change to the network if the system is down? So can this still fall into the physical layer? The team then goes onto the conclusion section, and discusses the lab and reverse engineering. Within this section they added information that could have been added to the results and findings sections. Overall the group did a good job with lab, again the strong point is the methodologies and the literature could be work on to provide arguments on the articles.
I think that group 3’s write-up for lab 5 was good. The abstract and introduction for this lab was very good. The literary review was somewhat very good. Group answered all of the required questions for the literature review. All of the citing for the literary review was present, but not proper throughout the lab. The literature review was cited properly throughout. The author and year of the reference was included and all of the page numbers were present. For this lab, the group answered all of the desired questions. The group created a large and complete table that indicated all of the found vulnerabilities in their document and indicated their affected layer of the OSI model. However, in their issues and problems they indicated that they did not know which “layer does a machine power down affect?” This struck me as odd because it’s not a vulnerability or exploit. Powering down a machine is a legitimate function and may be an important action once the machine has been exploited, but it is not an exploit unless someone physically unplugs the computer. If someone physically unplugs the computer, this would be a physical attack. The group indicated that a shut down would be considered a layer 2 attack. As stated before, it must be physical; however, even if a legitimate shutdown IS an attack does the NIC turn off when the computer does? What about wake on LAN or link lights remaining on? Finally, the conclusion to this laboratory was also well done because it accurately sums up their procedures and findings.
The team starts off with a strong abstract. The team’s source of security configuration is from Security Compliance Management Toolkit for Windows XP. There synapse of the literature reivew was also strong.
In the Methodology and Procedures sections the team talks about how Microsoft divided this document into two sections, baseline security and additional hardening methods. The group also mention of Windows Firewall is enabled by default and would “bore” if mentioned. The team claims that if the firewall is turned off that the XP machine would be more open to vulnerabilities. I would agree that Windows Firewall does provide a Windows XP user with an extra security out of the box. After there is user interaction does the firewall still stand up to security? Windows firewall does pop-up often asking the users to block or unblock. Soon after a user may get irritated with all the Windows Firewall pop-up and disable the feature, rendering it useless. Also Windows Firewall would need to be configured properly to function best for a user, if novice users are attempting to connect to there workstation machine from home via VPN, the firewall would refuse connection leaving the employee dissatisfied. Perhaps more on Windows Firewall would have been less of a bore.
As usual team three presents a lab report for lab five that is complete and within the guidelines of the requirements. That is not to say that their report is not without issue. Team three’s abstract while explaining that was going to be performed in the lab, and not sounding like the lab design guide objectives, is not long enough. The syllabus states that the abstract for each lab report needs to be two paragraphs, and anything else will be considered poor scholarship. Team three regularly misses that point. The introduction provided by team three does a good job of explaining some of the background information to the information that will be provided as part of their lab report. In team three’s literature review their opening paragraph gives a good idea of the steps that have already been completed by team three in previous labs, and how they relate to this lab. In the actual literature review provided by team three there is a very high level of cohesion between the articles, and the discussion gives the reader a good insight into the state of the current literature as it relates to the topics discussed. The methods section as presented by team three does explain in a scholarly manor the strategy and technique used to answer the questions presented by the lab design. They do mention how their chosen security guide does not address Windows Firewall. This information belongs in the findings section and not in the methods section of the lab report. The findings and results section presented by team three do a very good job of explaining what the team found in regards to running their selected exploits based on their security guide. They also compare their results to two of the security databases team three reviewed in the previous lab. It is obvious that Windows did divulge three open ports, which is something it should be doing if those ports are open. I do have a question about the other items NMAP discovered. I question if NMAP gathered the info about the MAC address, and fingerprint from the VM itself or from the VMware vSwitch. It is not a secret that once “inside” VMware the treatment of packets and network info is not that well known. Also since this was VMware workstation, that might make the fingerprinting and MAC address even simpler to discover. In team three problems and issues section, I question a machine power off affecting the data link layer. Just turning the power off in the typical modern day server would not disable the NIC; it would still function for thinks like an IPMI controller or wake on LAN potentially. Unless the power was physically pulled from the server or power failed, I think this is a layer 3 issue. The tables presented by team three are rather complete, and I like the references between tables. That breakdown serves to keep the tables clean and easy to understand, and to relate all work between the two. The conclusions drawn by team three are accurate based on the methods they stated.
@jeikenbe: What is the purpose of the abstract? I think you misunderstood the lab.We were to discuss the effect of patches and roll-ups, not to study them in depth.
@jverburg, mvanbode: good points all around.
@ tnovosel: no, we meant the opponent defends many possible targets, some strong, some weak. If other people agree with us, what does that tell you?
@prennick: If a machine is powered down as part of an attack on availability it’s an attack. you are correct, it should have been layer one.
@chaveza: You are abosolutly right about Windows firewall. It was mentioned here in spite of the fact that it is not formally part of the document for specifically those reasons. What part of our lab bored you? What could we have done to make it more exciting?
@nbakker: good point about Nmap. I’m honestly not certain. as I mentioned above, I think powering off is a layer 1 issue. I don’t see layer 3. Can you explain?
It has been our general strategy to respond thoughtfully to criticism and questions which show insight and indicate more than a trivial examination of our work. I must confess, however, that I cannot hold my tongue with respect to the often seen criticism of our choice of Abstract/Introduction any longer. To answer any criticism in the past or future, I lay out this argument, which is what drives our choice in paper organization.
We have from the very beginning attempted (unsuccessfully, in some regards) to create our entire lab report according to APA style rules. The APA style manual fifth edition defines an ‘abstract’ to be a “…brief, comprehensive summary of the contents of the article” (p. 12). Additionally, the abstract “…should not exceed 120 words” (p. 13). Finally, the guide asserts that “the body of the paper opens with an introduction that presents the specific problem under study and describes the research strategy” (pp. 15-16). So this is the reason our papers have been structured in such a way: an abstract is ‘not’ an introduction, and in reality should be no more than one paragraph in length if one were to abide by the style rules. Additionally, a separate introduction section is required to be stylistically correct.
It was hoped that other members of the class were capable of divining this for themselves, and that they would see that an ‘abstract/introduction’ format more than fulfills the requirements of the lab write-up, even though it is broken into two different sections. While most reviewers have apparently made this deduction, a stubborn few remain which have not. For those pedantic enough to insist that “the syllabus calls exactly for this,” I present a word-for-word outline of the syllabus ( pp. 5-7) :
The sections of the lab exercises are as follows:
Abstract
Literature Review
Methodology to answer the research questions
Findings in answering the research questions
Issues or problems on accomplishing the lab
Conclusions
Design methodology
Steps of the process
Issues or problems
Conclusions
I ask: do you follow the syllabus exactly as described? Does the layout even make sense with redundant sections? It appears that every group has been making some assumptions with regard to this ‘official’ layout: so why specifically attack our group for making these choices? I realize that criticism of this nature is easy and requires little thought: however, we have valid reasons for our choices; so please, examine the content and put a bit of additional effort into criticizing that instead.
@ jeikenbe: Your criticism of “not including security updates or service packs” may be valid, but we believed that the topic should only be addressed if a “recommendation of installation” was contained in the security document under review: we could locate no specific instructions with regard to this. It is likely Microsoft recognized that different enterprise deployments necessarily exist at different patch levels (installing security updates often breaks critical business applications, so some installations always remain at a much lower patch level than what is current). It appears that this document attempted to address security through basic configuration settings alone. Perhaps we should have mentioned this issue in our report. As for describing patterns in the results: we did not find this requirement listed in the lab instructions, and so did attempt to include it in the write-up. I think it is obvious that OSI layer seven is by far the largest target area according to our results table.
@ jverburg: You are correct about the MSDN issue; most of the information actually was referenced on TechNet. I am at heart a programmer, and nearly all the things I use from Microsoft come from MSDN. I incorrectly grouped Microsoft TechNet in with MSDN. The criticism involving the vagueness of the descriptions: you are essentially correct about this, also. Our security document discussed almost nothing involving the listed Group Policy changes; they were included in table form and as policy kits only. We made the decision to forgo detailed explanation of every single indicated change, and rather to concentrate on researching and testing the most promising vulnerabilities indicated by groups of changes. We believed that this would be the most efficient way of meeting all of the exercise requirements.
@ mvanbode: With respect to single quotation marks, you may have a point. It is a stylistic choice, and it is perhaps overused. As I am the one who is guilty of the behavior described, I can say only that I was instructed in a recent course on research writing ‘not’ to use italics, but rather single quotes for emphasis. Additionally, you are quite mistaken on the use of italics for article names, as the APA style guide reads: “Use double quotation marks…to set off the title of an article or chapter in a periodical or book when the title is mentioned in the text (p.82). Your insistence that we did not “answer… [your] question from last time” is actually fairly comical, as you never actually asked a question: you simply accused us of plagiarism. No, we do not plagiarize other’s writings or research; we simply take general knowledge and philosophically examine the logical implications within our experiment. No concept discussed is specific to one source; the military analogies are general concepts which appear in many writings, including works by such authors as Sun Tzu, John Keegan, Tom Clancy and David Drake. It is our own work: we do not take allegations of plagiarism lightly, and we are certain that they should not be lightly made. If we have committed any errors in these exercises, it is in being too willing to present our own ideas without consulting pre-existing research in the area under question.
@ tnovosel: Apologies if the statement on the ‘opponent’ was not clear. This simply attempted to describe the phenomenon of attacking many defended positions, all of similar configuration, with the defender’s own standardized attack countermeasures in hand. As these countermeasures address areas of weakness known to the defender; these same weaknesses are easily inferred by the attacker via examination of the ‘critical’ procedures to strengthen the positions. If it can be determined that some defensive position has not followed these instructions, then the smart aggressor will first probe for the flaws which the defensive countermeasures are designed to correct. I think this also explains what we meant by “areas of weakness implied” by the security document: corrective measures imply that flaws must exist; these flaws are what we attempted to ascertain with our research. This is the same goal as all other groups, just presented in a different way.
@ shumpfer, prennick, nbakker with regard to OSI layer two and power down: I am pleased to see questions raised about this issue. Foremost, with regard to power off being a vulnerable area: ‘anything’ can be used as a weapon, and therefore a means of attack. If an action is intended to cause damage, and it indeed does; then a wise system administrator would, with the benefit of hindsight, classify the area affected by this action as vulnerable. There are certain situations which exist where a machine can be made to reboot in an endless cycle, which usually ends with the physical failure of components: the ability to initiate this cycle is part of power state function, and so is a very real attack based on ‘power down’ functionality. Although this sounds like a physical, or layer one attack, the OSI model applies only to networking implements proper: as nothing has been physically changed with regard to physical network topology, I would still consider this a layer two issue, or a disabling of NIC functionality.
With respect to OSI classification, it is at first unclear which layer is correct, as it can vary with configuration. I agree with the assertions that in some cases, the NIC is not really ‘dead’ and is still responsive to MAC based communication. Certainly, it is incapable of negotiating IP traffic, so layer three seems like the safe choice. However, such things as Wake on Lan (WOL) and the Intelligent Platform Management Interface (IPMI) are not ubiquitous. Both WOL and IPMI must be specifically enabled in the BIOS, and though I have no statistical evidence to back my position up, I suspect a large number of machines worldwide are not configured to have the NIC ‘alive’ in power state S5. In view of the power cycle attack described, coupled with theoretical common configuration issues, I must still advocate layer two for this vulnerability. I noticed my partner feels it to be layer one: as no ‘physical’ reconfiguration of the network actually occurs in a shutdown attack, I am not comfortable in including it here. A really excellent discussion by all; I would be interested to see more comments on this.
It is interesting Mr. Decker that only you have said anything to the effect “I ask: do you follow the syllabus exactly as described? Does the layout even make sense with redundant sections? It appears that every group has been making some assumptions with regard to this ‘official’ layout: so why specifically attack our group for making these choices? ” It is interesting because you are exactly right. The syllabus was changed but in the cut paste changes the information after reasons for deduction were never removed. Only you brought up the error. It was a mistake on my part that nobody mentioned. I thought it was interesting. The previous section descriptions are from the APA5 manual as modified for the lab exercises. The second “should have been deleted” section are what most under graduates see.