TECH 581W Computer Network Operations: Laboratory 2, Team 3

Abstract

The purpose of this exercise is essentially two-fold in areas of research: active reconnaissance methods and automated process control protocols.  First, the concept of ‘active reconnaissance’ is examined along with the tools used in these types of attacks. A functional installation of a subset of these tools is implemented for use within a mock-up penetration testing environment.  In addition, network and security model classification of these tools are presented, along with methods for concealment in their use. Furthermore, existing literature presented on these topics is evaluated. In relation to the second area of research, a number of Supervisory and Data Acquisition (SCADA) protocols are listed and their relationship to common network models is explored.  Finally, the possibilities associated with the malicious use of these SCADA protocols are examined.

Introduction

In the execution of the first part of this exercise, it became increasingly apparent that the definition of ‘active reconnaissance’ would set the direction our research would take. It also became obvious that classification of an attack tool was much clearer within the scope of a specific scenario: the intent with which a tool was used was more discernable within the context of an entire attack taken as a whole, rather than individual events. It is with these factors in mind that we define ‘active reconnaissance’ as having these necessary components: presence, risk, and limitation of scope.

Presence, within this definition, refers to the idea that the attacker must be identifiable as an agent within the bounds of the target’s controlled resources, whether this is a physical presence, or an electronic presence via software or packets in transmission. The factor of risk is closely associated with presence: simply put, the attacker must be put in a position where the threat of detection is real. To clarify the need for this definition, take for example a typical name server query: the hypothetical attacker is present and engaging the target’s resources directly, but there is no element of risk as it is information ‘intended’ to be freely given in the normal course of operation (we would classify this as ‘passive reconnaissance’) .

Finally, the ‘limitation of scope’ is much harder concept to state concisely: we present that ‘active reconnaissance’ must be ‘a means to an end’ and not the ultimate objective of an attack. It must be admitted that this ‘limited scope’ may only exist transitionally, as the speed of electronic attack may put the definable ‘phases of attack’ into the frame of milliseconds. Ultimately then, we must loosely define this ‘limited scope’ as: attacks which are ‘preparatory’ in nature, any damage being a side effect of the primary process of collecting information about the target’s structure and defense mechanisms.

It is with this definition in mind that we address the first area of research: What is an ‘active reconnaissance’ attack tool? Additionally, we ask: what tools of this nature are readily available, and what areas of networking and security models do they attack? Furthermore, we explore means by which a user of these tools can be concealed from a target. We then research a variety of Supervisory and Data Acquisition (SCADA) protocols available, and fit them into the scope of existing network models and exploit tools.

Literature Review

The bulk of this week’s readings pertain to penetration testing procedures and techniques.  The readings also cover some definitions used in Red Teaming and describe the difference between black, white and gray ethical hacking. Automated Red Teaming as it applies to military applications is also covered. This section describes the readings in more detail. It also ends with a review of the readings and explains how they pertain to our lab.

In “About Penetration Testing” (Bishop, 2007) the author states that it’s not enough to set the goal as “break into the system” (p. 84). It is necessary to define goal of penetration testing, such as read a file or impersonate a user. He also states that those performing the penetration test should know everything about the system prior to performing the testing. This helps to make up for the lack of time and resources that are usually available to the attackers. He further warns against “security through obscurity” (p. 85), which means relying on an attacker’s lack of knowledge of the system to keep the system safe.

In “Three Different Shades of Ethical Hacking: Black, White and Gray” (Hafele, 2004) the author details the need for penetration testing and then describes the difference between the three approaches to ethical hacking, black, white and gray. He describes penetration testers as “ethical hackers” (p. 2), and further states that a good penetration tester should be able to recommend solutions to solve the security problems that were identified (p. 4). In the Black Box model, very few members of the organization being tested are aware that the test is taking place. In this model, the penetration testers have very little initial knowledge of the system and are therefore forced to gather the information from whatever sources are available prior to performing the test (p. 6). The Black Box Model most closely emulates the steps that a real hacker would have to perform to penetrate the system. In the White Box method, many members of the organization know about the testing project. The penetration testers gather large amounts information about the system from within the organization prior to conducting the penetration test (p. 12). The Gray Box approach is a hybrid between the two. In this method, penetration testers are fed only certain information, while they are forced to gather other information on their own (p. 17).

In “Security Plan for Red Team Testing” (Bishop, 2007) the author discusses the security methods used when conducting penetration testing on a voting system. The system is divided into two separate systems, red and green (p. 2). Any data transferred between the two machines is done so only by removable media. The green system is attached to internet while the red system is stand-alone. The red system contains the sensitive data. Personal electronic devices are considered green devices (p. 3).

In “Automated Red Teaming: A Proposed Framework for Military Applications” (Choo, 2007) the author discusses using computer applications using the evolutionary algorithm for simulated red teaming. Although the article discusses automated red teaming for military combat situations, the concept can be extended to red team penetration testing of computer systems.

In “Grammar Based Whitebox Fuzzing” (Godefroid, 2008),  Whitebox fuzzing is described as “automatic dynamic test generation, based on symbolic execution and constraint  solving, designed for security testing large applications”(p. 206).  Whitebox fuzzing uses an initial well formed input for the dynamic test generation (p. 206). Blackbox fuzzing on the other hand is described as randomly modifying inputs and testing the results to find security vulnerabilities (p. 206). This article proposes an enhancement to whitebox fuzzing in cases that require highly structured inputs, such as interpreters and compilers (p. 206). Because interpreters and compilers process inputs in stages, malformed input often doesn’t make it to the deeper stages of the processing. Grammar based whitebox fuzzing uses grammar based specifications of valid inputs to avoid rejection of unparsable inputs in the early stages of processing (p. 213).  Grammar-based whitebox achieves the best total coverage in the deepest module, the code generator (p. 213).

According to “Matching Attack patterns to security vulnerabilities in software intensive designs” (Gegick, 2005) many intrusions are based on a small number of known attacks (p. 1). These attack patterns can be identified, stored in a library and used to identify vulnerabilities early in the software development process (p. 5). Because the attack patterns are abstract, they can be used regardless of programming language. Attack patterns that are specific to a particular product are ignored. The graphical models used are attack trees and attack nets (p. 2). The author defines attack trees as “tree diagrams (that can also be converted to text) whose nodes show the goals of an attacker” (p. 2). Attack trees show the point of view of an attacker completing steps toward his or her final objective. Attack nets “show specific components of a system [and are used] to identify precisely where in the system penetration testing should occur” (p. 2).

In “Attack Net Penetration Testing” (McDermott, 2001) the author advocates using process models to make penetration testing more efficient (p. 15). Two approaches to penetration testing are described, flaw hypothesis and attack tree. Flaw hypothesis model describes 6 steps that are used in penetration testing; Define goals, Perform background study, Generate hypothetical flaws, Confirm hypothesis, Generalize discovered flaws, and Eliminate discovered flaws (p. 15). The attack tree uses a work breakdown structure chart borrowed from project management. The target of the attack is root of the tree, with the nodes being the possible steps that can be taken to reach the root (p16). This paper introduces a new approach to process modeling, the use of a Petri net (p. 16).  With this approach, places represent the state of the system and transitions represent events that act on the system to change the state. A token represents the current progress of an attacker (p. 17). When a token is located at a place, the attacker has gained control of that place. Tokens move from place to place via directed arcs by transitions toward the target (p. 17).

“Fast Model Based Penetration Testing” (Singh, 2004) proposes performing repeated penetration testing using detailed system models to obtain statistically valid estimates of security metrics (p. 309). This approach is called “Model-Based Penetration Testing” (p. 309). In this approach, a complex model of the system is built that allows for automatically generated repeated attacks (p. 309). The model uses hosts, trust relationships, services, and states. It advocates determining probabilities based on these metrics. Of particular interest are the number of paths and total number of steps to achieve a goal. They are used to indicate difficulty of achieving that goal (p. 311).

As we move forward with penetration testing labs in this course, process modeling will assist us in planning and organizing our attacks. Process modeling was discussed in “Fast Model Based Penetration Testing” (Singh, 2004, p309), “Matching Attack patterns to security vulnerabilities in software intensive designs” (Gegick, 2005), and “Attack Net Penetration Testing” (McDermott, 2001).  Penetration testers that use process models are more efficient (McDermott, 2001, p15).  “Grammar Based Whitebox Fuzzing” (Godefroid, 2008) discusses various fuzzing techniques that can be used in the penetration testing labs. This knowledge of fuzzing techniques will be useful when we perform penetration testing in our labs by showing us how generated input can be used to test software. “Three Different Shades of Ethical Hacking: Black, White and Gray” (Hafele, 2004) discussed categorizing ethical hacking based on the amount of knowledge that the penetration testers have of the system. The type of penetration testing we are using in this course would fit into the white box model due to our detailed knowledge of the target system. The article “About Penetration Testing” (Bishop, 2007) advocates the whitebox approach.

Of further interest with regard to theoretical attack models, “Automated Red Teaming: A Proposed Framework for Military Applications” (Choo, 2007) outlined a computerized system that simulates military combat. Although not directly related to computer penetration testing, it does further define Red Teaming. It also describes an automated system used to simulate military Red Teaming that may be extended to test distributed computer systems. “Security Plan for Red Team Testing” (Bishop, 2007) discussed the need for creating a completely stand alone system for conducting penetration testing when the system being tested involves sensitive information. Our labs are not going to involve sensitive information; therefore we are creating independent systems (although not isolated) by using VMware to create a virtual distributed system. With regard to the technical accuracy of the literature, no obvious errors or discrepancies were apparent.

Methodology

It was decided that the list of general exploit tools created in the previous week’s research would become the basis for further research in this exercise. We believe this truncated list to represent a significant sampling of the available ‘active reconnaissance’ tools available to persons involved in the data security field. It was also decided that existing security tool based distributions (in the form of image files) would become the basis for the ‘installable’ tools within our virtual testing environment via virtual machine creation. This was done for two reasons: these distributions represent a significant collection of tools in numerical count, and they also have been subject to a type of peer review intrinsic to creating a distribution ‘for the professional community.’

Additionally, to maximize the use of available resources, it was determined that those with prior experience in SCADA protocols would take the lead in exploring this area, and would submit a report to the rest of the team. This allowed the team to efficiently partition responsibilities, with the final research being disseminated to the team members for review and evaluation: the end result being a collaborative effort over the entire scope of the work.

Procedure

The previous week’s list of general exploit tools was evaluated, with tools obviously unsuited for active reconnaissance being eliminated in a first pass. Research was conducted via web search and documentation included with tool distributions to determine the capabilities of the remaining tools. Many more tools judged unsuitable were eliminated in this second pass. At this point, a concrete definition based on ‘presence, risk, limitation of scope’ had emerged by which to judge the remainder of the list. A third pass was made, with the aforementioned criteria used to remove any tools which did not fit this profile.

Various professional security tool distributions were downloaded from the internet. These included ‘Knoppix-STD’ and ‘nUbuntu,’ with the ‘Backtrack 4 Beta’ distribution already being available locally. The ‘Backtrack’ and ‘Knoppix-STD’ image files were burned to disc, and run on a live network with real hardware. Additionally, all of these distributions were run in VMware Player as guest operating systems on a Windows Vista host in bridged network mode, these VMs being evaluated for use within the Citrix shared test environment. A number of tools were tested on a live network, which included: FreeBSD, Windows XP SP3, Windows Vista, and embedded Linux hosts. Additionally, a Linksys SIP box, a Cisco-Linksys router/ wireless AP, and a Hewlett Packard print server were present for the tests.

Research was conducted on techniques for creating anonymous connections, with the sources related to the relatively well known ‘Tor’ network used as a starting point. This led to an extensive collection of work located at the ‘freehaven.net’ website, of which a number of the published papers proved informative. Predominately, uses of proxies and ‘onion routing’ techniques were examined. This proved to be a useful addition to the information previously acquired through security tool documentation.

Various sources considered to be authoritative were consulted with regard to the SCADA protocols. Additionally, the issues related to SCADA, OSI, and TCP/IP were examined with regard to informed sources of information. A synthesis of protocol definitions was created, and a diagram which reflected the classification of theses protocols with respect to the OSI model and TCP/IP was fashioned.

Results and Discussion

Summary of Results

A summary of the active reconnaissance and SCADA research are presented in tables one and two, respectively.

Active Reconnaissance Tools

The classification of the ‘active reconnaissance’ tools was relatively straight forward. It was found that creating a logical definition with relation to tool function was a great aid in classification. The construction of the testing environment for tool evaluation was fairly mundane, with only one relatively minor problem encountered in setup. The various network mapping tools appeared to work as indicated in the documentation, usually presenting a list of live IP addresses and/or active ports to the console. A number of the SIP based tools were employed against the Linksys SIP box, but the results were unremarkable. The researcher must confess that this may be due to unfamiliarity with the tools used and VOIP protocols in general: further investigation is in order as time allows. A number of the SNMP scanners were tested, and the Hewlett Packard print server was found to have an active interface available in the ‘public’ community. It was discovered that the quantities of printer consumables could be read via the SNMP scanners: a somewhat interesting result. No other devices with SNMP services were detected on the network, although unfamiliarity with the tools may have been a factor in this. In sum, we verified that these tools appear to function in the advertised manner, and so can be relied on in situations where verification of results by direct observation cannot be obtained.

Anonymizing the Attacker

Our research has led us to conclude that three general means can be used to ‘hide’ an attacker from the target. These can be grouped into: proxies, obfuscation, and ‘out-of-band’ communications. Generically, proxies are entities through which an attacker can route packet transmissions, and by doing so disguise the actual origin from which the packets came. A modern implementation of a network for anonymous communication is the Tor network, which relies on the principles of ‘onion routing’ by which to create nearly untraceable connections. Onion routing is effective in hiding connection details, as each node only ‘knows’ one link of the communication chain, with the remainder of the connection details and payload being hidden under multiple layers of encryption ( like an onion) (Goldschlag, Reed, and Syverson, 1996, p. 4).

An equally effective approach for a determined attacker is to create a ‘private’ proxy network using compromised internet connected hosts. The attacker may delete log files and records on these compromised machines at will, assuring nearly total anonymity (at the price of legality). Furthermore, it is difficult for an attacker’s victim to gain access to these compromised machines, as they often cross geo-political borders. While proxies are effective in hiding the origin of connections, the traffic generated is easily spotted on a network (usually encryption tunnels), and are relatively easily defeated using simple means, such as alteration of gateway firewall rules.

Obfuscation in the context of this discussion is used to describe any means by which a hidden communication channel is created utilizing the TCP/IP protocol suite.  Murdoch and Lewis (2005) described various means by which steganography, or the covert encoding of information within other information, can be performed on TCP/ IP packets (pp. 3 -7). Additionally, such security tools as ‘fragrouter’ are intended to defeat intrusion detection systems (IDS) by exploiting the inability of some systems to handle fragmented packets. In theory, these methods could be used to establish a covert data channel for passing information in and out of a target’s network in spite of security precautions. It should be mentioned that an attacker could use these obfuscation methods in conjunction with external proxies-creating multiple layers of separation from the target.

Finally, ‘out-of-band’ communications, when available, offer the attacker a means by which to bypass any security precautions in effect on the primary TCP/IP network. Gula (2001) spoke of the risk of out-of-band exploits originating from ISDN based data connections (p. 13) We propose, that rather than being the primary point of attack initiation,  these type of external connections could be used to create an unmonitored data channel extending outward from the target’s network ‘after’ a successful penetration has been attained via some other means. These channels could literally be any route which offers a communications path leaving the target’s facility, whether analog or digital. A simple example would be a network attached modem based fax server: a security tool such as ‘lanmap’ can create a .png based network map, which can then be sent to some external number via the fax server. In reality, this transmission would likely never be detected by the target; thereby effectively hiding the attack (and thus the attacker).

TCP/IP

We chose the traditional four layer model for TCP/IP.  The original RFC published by the Internet for communication layer requirements for Internet hosts designates the four layer model (Braden 1999 p. 9, 10). The document also states that “The system must tolerate a wide variety of networks”(Braden 1999, p.8). This means that while a physical medium must be in place for communication, there are no specific requirements as long as interoperability is assured.

It is true that some experts add a fifth, physical or hardware layer to model, William Stallings and Douglas Commer are prominent examples. Neither gives any explanation for why they added the additional layer, though again obviously it must exist (Commer 2005, p 116; Stallings 2006, p. 35). In reality, it’s a moot point the model is just that, a model. It is designed to visualize the communication process between two networked devices. Whether the physical portion is displayed or assumes depends on the needs and tastes of the user.

SCADA: Modbus

Modbus was originally designed in 1979 to provide serial communication to process automation devices. The current implementation of the Modbus protocol stack actually has two wings. One is for communication with on a TCP/IP network, the other is for device communication (Modbus-IDA; 2006, p. 2). The application communicates with a TCP interface layer and then the TCP/IP stack. The other wing uses a transmission control protocol to communicate over asynchronous serial links to process automation devices (Modbus-IDA; 2006, p. 2). The kinetic output noted in the chart is delivered through a motion controller or drive, though Modbus can be used with several different types of devices (Modbus-IDA; 2006 p. 2).

SCADA: DNP3

Distributed Network Protocol version 3.0 (DNP3) is designed to be used in sensor networks to monitor remote electric substations. It has found its way into widespread use across other utilities and industries as well. This protocol was developed simultaneously with the IEC 60870-5-101 standard (Triangle Microworks 2006, p.3). The protocol uses the stack shown to communicate to the sensors and interfaces with TCP/IP networks using an application layer using an Internet transport interface (Cole 2003, p. 2).

SCADA: DeviceNet

DeviceNet is part of the Common Industrial Protocol (CIP) suite designed by the Open DeviceNet Vendor Association (ODVA) (Voss 2008, p. 4). It uses a controller area network (CAN) at the data link layer (ODVA 2008, p. 5). DeviceNet interfaces with TCP/IP networks at the application layer via the broader CIP suite (ODVA 2008, p. 8).

SCADA: Other protocols

There are several other proprietary and open process automation protocols. The group researched Allen-Bradley’s DH+ protocol and the open PROFIBUS protocol designed by Siemens. Our research finds that the majority of the protocols all fit one of these models, having application, Data link, and physical layers and conforming to IEC 61158 (Zurawski 2005 p. 7-17).

SCADA: Exploitability

As Goodin (2008) noted, though SCADA systems are often assumed to be safe from exploit as they are not directly connected to the internet, this does not prevent attackers from attacking through unsecured local wireless networks or compromising control software accessible from the internet (par. 6). Additionally, at least one SCADA attack is known to the general public, and is available through the Metasploit framework, specifically in Kevin Finisterre’s CitecSCADA exploit (par. 3).  This exploit utilizes TCP/IP packet size manipulation to cause a buffer overflow on the CitecSCADA server through Open Database Connectivity (ODBC) flaws (par. 7).

The availability of publicly known SCADA exploits is a serious warning flag with regard to future SCADA attacks. While these attacks may require more sophistication and effort to execute than a typical network intrusion, this will not stop a determined saboteur.  This is particularly true when a saboteur is a disgruntled employee (possibly: former employee) or has access to these individuals. Additionally, the use of control software with standard TCP/IP protocols and services greatly increases the exposed ‘threat area’ available for indirect SCADA attacks.

Problems and Issues

Two significant problems emerged in the duration of this research. The first was the ambiguities associated with classifying an exploit tool as an ‘active reconnaissance’ type. It was realized that in many cases, the attacker will likely have already engaged in employing a direct exploit on a host in order to obtain access to the local network. We began to realize that attack patterns can develop in many ways, and that ‘exploits’ and ‘passive’ methods are often the stepping stone by which ‘active’ reconnaissance can be achieved (through a compromised host). The development of the ‘presence, risk, limitation of scope’ definition helped in dispelling some of these ambiguities, but it bears all of the characteristics of  a ‘nice’ theoretical model-in ‘real world’ application it may prove to be of little worth.

Secondly, stability problems were encountered with the ‘BackTrack 4 Beta’ release used for the tool-utilization test machines. These stability problems were the primary reason that alternative distributions were obtained and employed within the scope of this research. In retrospect, it was a mistake to rely on a ‘beta’ distribution for any serious application. In some respects, this became a positive factor, as it forced us to expand the breadth of our research to other avenues of inquiry. Overall, this problem was easily addressed by substitution with an equivalent stable release and presented no permanent roadblock in the execution of this exercise.

Conclusions

Our research has covered active reconnaissance tools and automated process control modules. We prepared a review of selected readings, and applied these to the exercise. We crafted a clear definition of ‘active reconnaissance,’ specifically relating to the characteristics of: presence, risk, and limitation of scope. This definition was used to select relevant security tools. The tools were then classified by their placement within the OSI model, and respective McCumber cube coordinates assigned. We presented various means by which an attacker could evade identification; namely, by using: proxies, obfuscation, and out-of-band communications. In addition to this, active reconnaissance tools were tested against a live network and the results documented.  A number of Supervisory and Data Acquisition (SCADA) protocols were examined, and also classified by placement within the OSI model; additionally, the layers of the TCP/IP protocol suite were identified and classified by their placement on the OSI model. Finally, we discussed known SCADA vulnerabilities, and the reality of future attacks.

Charts, Tables, and Illustrations

Table 1 Active Reconnaissance Tools

Table 2 TCP/IP and SCADA Protocol Stacks

References

Bishop, M. (2007). Security Plan for Red Team Testing. pp. 1-3.

Bishop, M., & Frincke, D. A. (2007). About Penetration Testing. pp. 84-87.

Braden, R. (1999). Requirements for Internet Hosts – Communication Layers. RFC 1122, Internet Engineering Task Force Network Working Group: 116.

Choo, C. S., Chua, C. L., & Tay, S.-H. V. (n.d.). Automated Red Teaming: A Proposed Framework for Military Application. pp. 1936-1942.

Cole, G. B. (2003). Report 053-6: An Introduction to IEC 60870-5-104, A Standard for the Telecontrol of Electric Power Transmission Systems, Using Internet Communication Services, International Electrotechnichal Commission 5.

Commer, D. E. (2005). Internetworking with TCP/IP: Principles, Protocols and Architecture. Chicago, Prentice Hall.

Gegick, M. (2005, May 16). Matching Attack Patterns to Security Vulnerabilites in Software-Intensive System Designs. pp. 1-7.

Godefroid, P., Kiezun, A., & Levin, M. Y. (2008, June 13). Grammar-Based Whitebox Fuzzing. pp. 206-215.

Goldschlag, D. M., Reed, M. G., and Syverson, P. F. (1996). Hiding Routing Information. In R. J. Anderson (Ed.), Proceedings of the First international Workshop on information Hiding : Vol. 1174. Lecture Notes In Computer Science (pp. 137-150).  London: Springer-Verlag.

Goodin, D. (2008, September 8). Gas refineries at Defcon 1 as SCADA exploit goes wild. The Register. Retrieved June 20, 2009, from http://www.theregister.co.uk/2008/09/08/scada_exploit_released/

Gula, R. (2001). Broadening the Scope of Penetration-Testing Techniques. Enterasys Networks White Paper , pp. 1-  18.

Hafele, D. M. (2004, February 23). Three Different Shades of Ethical Hacking: Black, White and Gray. pp. 1-22.

McDermott, J. P. (2001). Attack Net Penetration Testing. pp. 15-21.

Modbus-IDA; (2006). MODBUS Application Protocol Specification V1.1b, Modbus IDA: 51.

Murdoch, S. J. and Lewis, S.( 2005). Embedding covert channels into TCP/IP.  In  M. Barni, J. Herrera-

Joancomarti , S. Katzenbeisser and F. P´erez-Gonz´alez  (Ed.),   Proceedings of the Workshop on Information Hiding (IH 2005), 247-261.

ODVA (2008). DeviceNet – CIP on CAN technology. Ann Arbor, ODVA: 8.

Stallings, W. (2006). Data and Computer Communications. Chicago, Prentice Hall.

Singh, S., Lyons, J., & Nicol, D. (2004). Fast Model-Based Penetration Testing. pp. 309-317.

Triangle Microworks (2006). DNP3 Overview. Raleigh, Triangle Microworks Inc. : 5.

Voss, K. (2008). The CIP Advantage: Proven and Future-Proof, CIP Provides A Unified Architecture For Delivering Standards-Based Open Networking Technologies Throughout the Enterprise. Ann Arbor, ODVA: 10.

Zurawski, R. (2005). The Industrial Communication Technology Handbook. Boca Raton CRC Press.