Slowloris and RDP

I was reading up on one of the latest worms to be released this week. It uses RDP to initiate a session and then attempts a dictionary attack against windows based hosts. It would seem that this is one of the first attempts to utilize what is really thought of as a utility to initiate a penetration. If one were to be cleaver enough, RDP as a utility and terminal services could become a more prominent attack vector.

I remembered reading about a HTTP SYN flood utility in an IRC channel once a few months ago. Slowloris had been demonstrated at a defcon at one point (I'm not sure which one), but it made me wonder if there have been attempts to initiate half open sessions to terminal services in the past. It could be argued that since the TCP stack in slowloris actually initiates and completes a connection, many of the more common remote options could be targeted via DoS. Since most use the TCP stack and then hand off to another service, most of them could be real targets, especially ones which are not used in the main arena of remote connectivity, like TeamView or something similar.

Now I know that there are defenses against Slowloris, but it requires looking at the number of open connections and determining if that number is too many. This defense would need to be set against each type of remote connection across any number of ports for RDP, ARD, and VNC. Whitelists and constant monitoring would also have to be setup.

It also make me wonder if NetFlow can detect the number of simultaneous connections rather than leaving it to a script running on the host. I will look to see if snort has any specific signatures to determine a slowloris attack and if that sig can be tweaked to look at other services beyond HTTP. I also wonder if Metasploit has a similar vulnerability in the framework.

I guess it's time to go read more...

Fall Personal Project: Update 4 PHP/MySQL Install

So we have discussed the need to watch the install order. I have found that when installing things which require LAMP, inevitably you will need to make a change to the database at some point.

Since BASE, the software which stores and provides segmented analysis of the snort traffic, uses a MySQL backend (you can use postgres), it is a good idea to install an interface to the database if you are unfamiliar with the command line. This is even more useful if you are like me and have forgotten almost everything about the open source database systems (although MySQL isn't really open anymore). I prefer the phpmyadmin GUI. Of course there is a specific order to getting things installed here too, if you want it to work programmatically.

Step 1: PHP5
The current PHP core is 5, so make sure that is fully installed first. A full install of PHP will usually cover the database dependencies for MySQL, postgres and Apache2. Here are useful commands:
sudo apt-get install php5
sudo apt-get install php5-mysql
sudo apt-get install libapache2-mod-php5

Once you have this install completed. Run the phpinfo.php script we discussed in the last post. Verify. I know I have said the instructions for this before, but 20 seconds of verification can save you time later.

Step 2: MySQL 
The MySQL install is just as simple. Since you have already run the installer for the PHP libraries, this will just consist of the DBMS itself. The current version of MySQL DBMS is 5.1.x.
sudo apt-get install mysql-server


That's it. Seriously that is all it takes. Verify in the command line that the DBMS is working by typing mysql or sudo mysql depending on the user level. If you get "MYSQL>" it is working.

Step 3: phpmyadmin
The next step for easier DBMS manipulation is to install phpmyadmin located here: http://www.phpmyadmin.net. This will allow you to have a web front end to the DBMS and it makes the lives of visual people a lot nicer. Installing this uses (yes you guessed it) apt-get
sudo apt-get install phpmyadmin


I will not go into the configuration of it because this is well documented here on the Ubuntu Server Forums.

Follow that guide for the configuration and you will be ready to configure snort having your DB backend ready, your dependencies ready, and a front end to all of it. The next (and last installment) will cover the actual snort installation as well as the configuration guide and the resources I used to get it all working.

Fall Personal Project: Update 3

As promised today's post will be about some of the things I learned during the installation of Snort on my Ubuntu box. The things I learned are more about the process of the setup more than anything else and the correct order in which to run the installs. You have to love dependencies right? Let's get started.


Acquired Knowledge Bit #1: Client install over Server install
The client install went a little better for me on the Zino for one reason only, I have to install a second NIC. On the Zino that is an issue because of it's form factor and the lack of a second ethernet port. I used the Cisco 300M USB to RJ45 adapter. This functions as a second NIC. Although all the documentation I read said that this would work hands down on the server install, I could only get it to work easily in the client install of ubuntu. This is not to say it will not work, just that I could not get it to work in a reasonable amount of time. On the client install the process was simple. I plugged it in, scanned for new hardware, and let the updater download and install the drivers. This was my primary reason for sticking with the client install over the server install. Installation on the Zino was nice, fast, and easy.

Acquired Knowledge Bit #2: LAMP, Package Manager, and apt-get
The nice thing about a server install for the ubuntu distro is that it comes ready to install LAMP. In fact it's a toggle option during package selection. For those of you who do not know LAMP is an acronym for Linux Apache MySQL PhP. The four basic packages which will accomplish most anything. On the client this is not an option but the installation of the necessary components can be run after the OS is running. If you want a decent install guide, there's an app...un site for that...head over to www.lamphowto.com to get some guidance. Now here is what I learned in my post install LAMP, nothing works quite right unless you learn to love the apt-get command. Learn to use this over the package manager in the GUI. The command is faster, easier to script and chain, and leaves nothing to question. I found that the feedback from the terminal session was more informative than that of the GUI. Stick to apt-get install, you will be thankful.

Acquired Knowledge Bit #3: LAPM 
LAMP should really be called LAPM. The order matters. I like to make sure things are working. Apache 2.0 first. Be sure to check the browser first to make sure the host is responding on that port and that you can see the default index.html page in your browser. PHP is second. This is critical in my opinion. Installing PHP next will allow you to make sure that it is working and that you can install the necessary tools you will need to maintain your MySQLDB, mainly phpmyadmin. Even if you are missing some dependencies, you will want to follow Apache with PHP. Next you will want to create the phpinfo.php page with the following code:

This will show you all the php configurations you have running. A great tool to use when trying to install LAMP (LAPM).  Call this page (phpinfo.php or whatever you called it) in your browser. This will verify that Apache and PHP are talking and that you have PHP installed correctly.

MySQL deserves it's own time, so I will talk about that in the next installment as well as setting the snort.conf file and some of the pitfalls I learned there as well. So in the meantime have a great one!

Fall Personal Project: Update 2

And working!....The Snort home project is a success. At least the setup and configuration of the project is a success. I have not tried to mess with the rules yet, but I will get there. I'm sidetracked at the moment by a layoff, contract work, classes, and job hunting. Honestly I'm surprised I got any of it done at all.

All said and done this is pretty sweet, and I would like to thank the guys at the snort forums and on the snort mailing list for all the help. I would also like to thank the guide writer for the in depth guide. 

Here is a list of the equipment I used: 

1. Dell Zino (aka Inspirion 400)

2. 1 Router (any type with a built in switch)

3. 1 unmanaged hub or a switch which you can set as a repeater (I used a Netgear DS108)

3. 1 Cisco USB to Ethernet dongle (USB 300M)

4. Ubuntu 10.4 or higher

5. UTP patch cables

6. 1 UPS for the networking equipment.

I will go through the configuration in an upcoming post, but needless to say it does work. There are some tricks I learned outside of the guide which will help along the way.

Here some photos of the setup all completed:

I have cleared the DB several times and started traffic over and it is working like a charm. The next post will cover the guide, software installs, and getting LAMP running.

Fall Personal Project: Update 1

So the fall home NIDS project is going well. I have removed the old router and replaced it with a newer Netgear b/g/n router. I also took the opportunity to do some cable management.

There is one feature I wish manufacturers would add to the routers and that is to export the machine address ACL to a file. It would have been really nice. As it s I just copied the table from the html, but still, since I use MAC ACL filters, it would make things easier.

So the 10/100 hub is on the way, I will order my dell zino this week after I finish some papers which are due. I would really like to thank all the folks over at the snort forums for their assistance and guidance in this project. They really know what they are doing.

I spent some time this weekend looking up the literature in some major journals on snort usage. I'm almost positive that my final dissertation will somehow involve the use of snort, but I'm not sure how yet.

More updates as the equipment comes to me. I will post a topology diagram later on the next update once I make sure everything is running.

Fall Personal Project

So this fall's personal project will be to install a personal IDS at my home, then try like crazy to penetrate it. Snort snort snort. After writing several papers on the software I have come to respect it even more.

I often check the basics of a site or of a home network setup by using the "shields up" but I know that my router kills the majority of the traffic which the service tests for in a vulnerability test. I am looking to setup a fully functioning DMZ with a snort based NIDS and then slam it until I can break it (without cheating of course). I have ordered a new router simply because I have been a little lapse on keeping my encryption as strong as I can and it's time to do so. I also reall like some of the new functions in netgear's newer routers which allows the creation of a DMZ out of the box.

Also, I will probably use Ubuntu and some sort of small form factor like a mac mini or a dell zino since I need power to be a consideration. I would love to keep it in the ubuntu family line though, I need to beef up my skills in administrating one since it has been almost a year since I set a box up with ubuntu.

We will see how it goes. I will post to a page here or keep it updated in the blog.