yurisk.info » Scan of the week

Enable 2 factor authentication to protect your Gmail account if you have not done so already

Yuri — Wed, 26 Oct 2011 11:34:42 +0000

Today i did an improvised poll at work who is using the 2 factor authentication with their Gmail mail account and got only one positive answer – me . The question was in turn inspired by the article in Atlantic Monthly where James Fallows depicts in detail his wife’s Gmail account being hacked and how much trouble it was to get it back. I can only add that not using absolutely free and easy feature to safeguard your precious asset, mail account – is pretty reckless in our time . Just imagine what it would be to have ALL your Gmail inbox emptied and have your access to the account lost due to a hack …
I’ve always known that the best way to solve the problems is to prevent them from occurring at all, so go ahead and use this Gmail feature and have less problems in life to solve .
My personal experience of few months is that it works with any mobile provider in Israel and it is pretty much ‘ set and forget ‘ type of configuration, just be able to receive once a month SMS , it can’t be any easier I guess.
Advanced sign-in security for your Google account

You can be Nmap hacker too – contribute new signatures in few easy steps and feel proud of yourself

Yuri — Thu, 24 Mar 2011 09:07:19 +0000

NMAP is probably the most known long standing and community involved security-related project in the Open Source universe ever. And it is quite naturally to think that there is nothing left to be done to improve it by end users like us, and of course the opposite is the case. If we forget for a second all the complex C/C++/Lua/etc coding involved to sharpen the algorithms and performance of the Nmap, after all it is a signature based network scanner that is as good as its signatures are. And here you can never get enough.
Just find some over the shelf network equipment, run a scan on it , be surprised that it is not recognized by Nmap and contribute its signature back to the Nmap communa, then buy yourself a beer and put a sign in your cube ” I contributed to Nmap”
– So how do you do this? Piece of cake.
When running scan with -sV option (version detection of the software) if the target is not known to the Nmap it will print out as the output the Nmap-style fingerprint of the scanned service. It is ok to just take copy and paste it here : http://insecure.org/cgi-bin/submit.cgi, but then I wouldn’t write this article. So let’s do some practice.
There is a nice anti-spam and anti-virus appliance called PineApp Mailsecure , produced by Israel company named (surprise ..) Pineapp and which is quite popular at least here in Israel. Unfortunately Nmap does not recognize it beyond having an opened port of 25.
Here is the result of the Nmap scan.

nmap -v -n -sV -P0 12.12.12.12

Starting Nmap 5.21 ( http://nmap.org ) at 2091-03-17 15:41 IST
NSE: Loaded 4 scripts for scanning.
Initiating SYN Stealth Scan at 15:41
Scanning 12.12.12.12 [1000 ports]
Discovered open port 25/tcp on 12.12.12.12
Completed SYN Stealth Scan at 15:41, 4.88s elapsed (1000 total ports)
Initiating Service scan at 15:41
Scanning 2 services on 12.12.12.12
Completed Service scan at 15:41, 13.88s elapsed (2 services on 1 host)
NSE: Script scanning 12.12.12.12.
NSE: Script Scanning completed.
Nmap scan report for 12.12.12.12
Host is up (0.015s latency).
Not shown: 996 filtered ports

PORT STATE SERVICE VERSION
25/tcp open smtp
113/tcp closed auth

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port25-TCP:V=5.21%I=7%D=3/19%Time=4D14329D%P=i686-pc-linux-gnu%r(NULL,2
SF:5,”220\x20Ready\x20to\x20receive\x20mail\x20-=-\x20ESMTP\r\n”)%r(Hello,
SF:8E,”220\x20Ready\x20to\x20receive\x20mail\x20-=-\x20ESMTP\r\n250-Ready\
SF:x20to\x20receive\x20mail\x20-=-\r\n250-AUTH\x20LOGIN\x20PLAIN\r\n250-AU
SF:TH=LOGIN\x20PLAIN\r\n250-PIPELINING\r\n250\x208BITMIME\r\n”)%r(Help,28,
SF:”451\x20Rejected\x20due\x20to\x20illegal\x20pipelining\r\n”)%r(GenericL
SF:ines,28,”451\x20Rejected\x20due\x20to\x20illegal\x20pipelining\r\n”);

Read data files from: /usr/local/share/nmap

So let’s fix this,but first some preliminary knowledge of importance.
All its service signatures Nmap keeps in the file nmap-service-probes that has some predefined keywords that are easy to remember and use :
-First we want to create a probe to define what string to which port to send, it goes like this:
In our case the target service is SMTP so no changes are due to the existing probe,

Probe TCP Hello q|EHLO\r\n|

The above means send word EHLO once connected.
Next line starts with the word rarity and its value. The higher the number the less is the probability of running this service probe, leave it as is in our case, as it will be run if previous port scanning reports port 25 as open.
rarity 8
The rarity line is followed by the list of ports for which this service probe will be triggered once they are reported as open. Again , in our case we leave it as is:
ports 25,587,3025
Then goes sslports keyword to specify SSL enabled ports, finally followed by totalwaitms also of no interest here .
Now we come to the good stuff – many lines doing matches of different vendors/equipment that all and each start with keyword match. let’s have a closer look at it:
match m|matching regex pattern Perl style| [version/device/hardware optional info]
The best way to get it is via an existing match in the file:

match smtp m|^220\s+(DP-\d+)\r\n250-Hello\r\n250-DSN\r\n| p/Panasonic smtpd/ v/$1/ i/Panasonic printer/ d/printer/

It basically says:
Send EHLO command to the target,check output the output from the target and look for string that starts with 220 followed by printable string of variable length, followed
by word DP- then decimal number, note – here () allow to later reference the matched part of the string inside (), followed by Return and New Line char (\r\n), followed by word “250-DSN” and finally followed by return + new line (\r\n). If such match is found then print to the terminal string “Panasonic smtpd” , in version field (v/$1/) print what was matched by (DP-\d+) and in device type field print printer (d/printer/).
That is it to it. Now let’s create a signature for the PineApp.
We have 2 options here – to actually run a scan against the PineApp target and decipher the output, or , what I do here, use the common sense.
First I will try to do what Nmap Probe EHLo does – namely connect by telnet to port 25 and issue EHLO command. After that I will try to compile a regex expression matching the output.

[root@darkstar ~]# telnet 12.12.12.12 25

Trying 12.12.12.12…
Connected to earth.planet.co (12.12.12.12).

Escape character is ‘^]’.
220 Ready to receive mail -=- ESMTP
helo a
250 Ready to receive mail -=-
quit
221 Ready to receive mail -=-
Connection closed by foreign host.

Well, the regex is not that hard to do here:
match smtp m|^220 Ready to receive mail -=- ESMTP\r\n| p/PineApp Mail-secure/ i/PineApp Av and Antispam mail gateway/ o/Linux/
I edit /usr/local/share/nmap/nmap-service-probes and insert the above regex under Probe TCP Hello where the matches start, save it and run the Nmap on the same host not recognized before:

nmap -n -sV -P0 12.12.12.12

Starting Nmap 5.21 ( http://nmap.org ) at 2091-03-17 15:46 IST
Nmap scan report for 12.12.12.12
Host is up (0.012s latency).

Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp PineApp Mail-secure (PineApp Av and Antispam mail gateway)
113/tcp closed auth
Service Info: OS: Linux

RSA servers have been hacked

Yuri — Fri, 18 Mar 2011 08:36:05 +0000

Anything connected to the Internet will be hacked in someday and RSA is no exception.The
open letter is here Open Letter, but more interesting are best practices published in response to the attack – www.sec.gov

IP address pools of Facebook to block, if you need to

Yuri — Mon, 15 Nov 2010 12:14:15 +0000

Once upon a time I mentioned that blocking Facebook is easy as they have a uniform IP addresses pool . Since then they added more , here is the new and old pools:

NetRange: 69.63.176.0 – 69.63.191.255
CIDR: 69.63.176.0/20
OriginAS: AS32934
NetName: TFBNET2
NetHandle: NET-69-63-176-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Assignment
NameServer: NS5.FACEBOOK.COM
NameServer: NS3.FACEBOOK.COM
NameServer: NS4.FACEBOOK.COM
RegDate: 2007-02-07
Updated: 2010-07-08

NetRange: 66.220.144.0 – 66.220.159.255
CIDR: 66.220.144.0/20
OriginAS: AS32934
NetName: TFBNET3
NetHandle: NET-66-220-144-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Assignment
NameServer: NS5.FACEBOOK.COM
NameServer: NS3.FACEBOOK.COM
NameServer: NS4.FACEBOOK.COM
RegDate: 2009-02-13

The easiest way to disclose Cisco routers on the network and how to fix it

Yuri — Fri, 29 Oct 2010 15:43:10 +0000

Cisco gear has a well-known behaviour pattern that when you telnet to some weird and positively closed port on Cisco you get the uniform response of “Connection refused” . To add more precision it happens when a terminal line management access is enabled on the Cisco but your IP is not in the access-list allowing access to the device. The funny thing about that is that only Cisco seem to do it , and given so, it makes exposing a Cisco device a no-brainer. I tested it on few dozens of Cisco routers (I don’t talk about other equipment from the Golden Gate folks) and it only confirmed this observation. Also I tested telnetting to the other vendors’ equipment and always got back time out. So far I’ve tried Juniper, Brocade, IBM, Huawei. To somehow fix this situation Cisco actually have a feature in their Control Plane Protection toolbox just for that. Below I bring the configuration from IOS router that causes the router to time out connection attempts to the closed ports.

class-map type port-filter match-any CLOSED_PORTS
match closed-ports
policy-map type port-filter FILTER_CLOSED_PORTS
class CLOSED_PORTS
drop
control-plane host
service-policy type port-filter input FILTER_CLOSED_PORTS

Testing.
Before the configuration:

# telnet 19.6.24.51 444
Trying 19.6.24.51…
telnet: connect to address 19.6.24.51: Connection refused

After the configuration:

[root@darkstar ~]# telnet 19.6.24.51 444
Trying 19.6.24.51…
telnet: connect to address 19.6.24.51: Connection timed out
telnet: Unable to connect to remote host: Connection timed out

NB Unfortunately it is a half-solution cause if telnet access is enabled on the Cisco then connection attempts to the port 23 will elicit the same “Connection refused” . To close even this disclosure hole , disable telnet as the management protocol and switch to SSH.
NB2 The good news for the pentesters out there is that rare ISP implement such protections

Too much of the Zeus on TV

Yuri — Mon, 25 Oct 2010 12:26:22 +0000

At 19th of October the 1st Russia channel aired the TV show called “Пусть говорят, Однажды в Америке” , dedicated to Zeus trojan story. You all saw and heard about this FBI operation that brought some 38 people to the captivity. The talk show on the most
available and popular Russian public channel brought parents/relatives of the arrested
suspects and the girl that by her words took part in this scam a year before.
The majority of the people in the studio clearly stated that these guys and gals are
plain thieves (except their parents , understood) – a major progress I should say, over the years. The sum up of the main points comes next:
- Those are low rank droppers/mules;
- They didn’t have personal direct contact with any of the masterminds of the scam. All their communication was through ICQ/forums/ all things Internet
- For them it was just another way to earn the money. Sounds plausible as there were other youngsters at the same apartment that came through the same student exchange program and still choose NOT to get involved as had other income.
- All claim that agreed to do it only because were in a dire financial situation. Also
probably true. Even tough according to the exchange program they all are provided with work on their arrival to the US. Also the girl in studio (Anna Savenko [Анна Савенко]) noted that she agreed to be a scammer after she was fired from the work.
- All of them were recruited into this by people already in the business and were told the same story of ” Many American companies try to lower their taxes by transferring money to people like her ” . Lame story for those willing to believe and feel good about themselves.
- They were encouraged by the absence of the minimal vigilance by the US banks. Anna recalled that she opened the account (with fake passport) and when she came to the bank
to withdraw the money, the clerk asked her where she was expecting money from , and she could only say “Don’t know” and still was given the cash.
- Russia as a state pretty much doesn’t give a heck about those citizens in jail – pro bono
advocates is their way to go (if they only were spies …)
if your Russian is good enough try searching the Net for “”Пусть говорят, Однажды в Америке SATRIP” and you will get the show recording in full.
Link to the show forum , just in case: forum.1tv.ru

Darknet can’t lie – most of the attacks, scans and other interesting things indeed come from behind the Great Firewall of China.

Yuri — Tue, 12 Oct 2010 10:33:01 +0000

Working for ISP entitles me to various perks, one of them is unlimited connection to the Internet with wealth of unallocated yet IP addresses. So to use it somehow I set up a little Darknet (details what it means can be found here Darknet Project ) and gather some statistics. First the volume of unsolicited and malicious traffic is staggering . Mostly it is traffic to Windows sharing – port 445 , then brute force – port 22, then strange ports used by new malware in the wild .Second, the interesting information pretty much stops here – as nothing listens on my side of the Darknet I don’t get more insight. As comes from this I am working on the next stage of the Darknet – HoneyNet. Once done, I’ll post here the findings.
To give you a glimpse of the Ips and ports involved in probes here is the non-sanitized sorted list of the alien IPs , destination ports, protocols and number of packets seen.This is the day’s worth statistics Bad guys and gals IPs
To get this list from Tcpdump capture I used one-liner: [root@darkstar]# tshark -n -r honey_bunny.cap42 | awk ' $3~/[0-9]+\./ {print $3,$6,$9}' | sort -n -k1,1 | uniq -c > Darknet_probing_IPs.txt

You need no MX record to get mails

Yuri — Thu, 07 Oct 2010 07:51:52 +0000

That one is funny. One client of ours that is actually themselves provide ISP services
in a far-far-away land asked to add PTR record for their mail server . But that was dull,
the interesting part was that their domain had absolutely NO MX record ! Only A record for the mail server host . I had always thought if there is no MX record for the destination domain sending mail server should bail out and I was wrong. A SMTP RFC 5321 actually states that if there no MX record exists for the domain the sender should try delivering the mail to A record of the domain RFC 5321 section 5 . Be aware though that MX record should be completely absent, so say if MX record does exist but points to a not responding server is a different case – in such case sender should fail the delivery.
The funny thing about that is that they have been working without MX record for about 2 years and have had no problems with receiving the mails, just amazing how RFC-compliant mail servers in the wild are.

Skynet got blacklisted – Google mail servers entered RBL of Sorbs.net

Yuri — Tue, 05 Oct 2010 16:11:59 +0000

When yesterday my client sent me the headers of blocked by eSafe (Aladdin) mails I was quite surprised – the message said ” Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 574 574 MAIL REFUSED – IP (74.125.82.172) is in RBL black list recent.spam.dnsbl.sorbs.net (state 18). ” What? Google servers got blacklisted ? No way .
I also expected Sorbs.net to be wiped out from the Earth rather quickly for such act of aggression against Skynet , also known as Google.com but nothing actually happened. So just for the fun of it I checked another IP of theirs – 74.125.82.48, also blocked. In short the class-C 74.125.82.0 got listed (screenshot follows). From
practical point of view – make sure if your device is using www.Sorbs.net to put this pool in exclusion list, as I did in the eSafe of the client.

Few questions you will most probably hear on your next job interview.

Yuri — Sat, 25 Sep 2010 15:49:39 +0000

Lately, for whatever reason it may be, many of my friends/colleagues/acquaintances switched the jobs and mostly because they wanted to. And hearing their accounts of job search I catch myself that while offered positions and employers differ there are ever returning themes/questions that arise on the job interviews pretty much universally.
So here I bring compendium of these questions planning to update it as I hear new stories.

Tell us about something at your current job that you did and it made you proud of yourself …

Bring us an example or few of initiatives you took at the current/previous job …

This probably tests that you actually have had some initiatives worth mentioning or in other words – Did you do something productive that didn’t come from your manager request directly?

What was the highest sign of appreciation you earned on the current/previous job and what was the cause ? …

They mean beyond the pay check that you got every month , or in other words – Did someone notice that you actually quit the job ?

Usage/Case studies .

This is rather a metacategory and will include slightly different subject depending on the sought title. I will bring united cases for the 2 titles – in enterprise networking and security.
Networking.

We are the internet enabled and reliant company. What are the key factors in designing network topology and connectivity and how you suggest to implement them ?

Key words here: Redundancy, reliability of connection, cost saving in managing the lines utilization.
How do you implement this:
Redundancy in Internet connectivity (different ISPs and infrastructure types with possible hot failover, routing advertisements of your IPs if you have them [BGP]).
Redundancy in network equipment (HSRP and VRRP for standby routers/Etherchannel for Cisco switches/ ) .Proprietary clustering implementations by some vendors (3COM,HP, Checkpoint firewalls – you think you can escape it ?).
Line utilization management – maximize bits for bucks ratio using traffic management or load balancing solutions like F5 Big-IP with Link Controller module for accessing the internet or if some webservers are hosted at the company premises then also using Local/Global Traffic Manager modules. On a cheaper side Radware load balancers like Linkproof for Internet access , Appdirector for webservers will do the job.
Implementing DRP procedure – remote hosting of database backups.
Security.

We are the Internet connected and publicly traded company that should safeguard against external and internal threats, what key factors in fulfilling this requirement would you list ? What would be actual implementation ?

Key factors:

Security in depth.
Accountability for security-related events in the company.
Ability to comply with external audit/standards requirements.
Data Leak/Lost Protection/Prevention (everyone says it differently anyway).
Ability to sustain determined and targeted external attacks.

How would you implement this ?
Perimeter security with Checkpoint firewall(s), possible with clustering for reliability.
Central log and events correlation and management system (ArcSight).
If there are web servers to be protected then Web Application Firewall – say Imperva.
For DLP – Websense/Symantec / maybe EMC Documentum as part of the more comprehensive task. Also endpoints data encryption – Symantec.
Antivirus ofcourse by default – Symantec or McAfee
To thwart and detect dedicated and highly skilled attacks IPS will be appropriate. Say
McAfee or Tipping Point .
Regarding compliance usually people didn’t mean to exam you on every point of PCI requirement , but at least awareness of such standards is expected.
That is all I could remember from the stories told so far. As I hear new ones I will update this post.
Cheers.