July 23, 2008

NETinVM: A whole network in a single virtual machine

Have you ever wished you had a full network lab available to you, full with different networks and systems, where you could try out different tools and techniques whenever you wanted? Maybe to learn about some tool, or to teach or demonstrate some tool to others, or to develop and test a new tool?

Well, we have, and that's why we developed NETinVM.

Consider the following network diagram:

The system labeled "VMWARE" (base.example.net) is a VMware virtual system running in the system labeled "REAL COMPUTER". All other computers depicted in the diagram are User Mode Linux virtual systems running inside the VMWARE system (base.example.net).

Here is the beauty of it: all you need to set up and run this whole network environment is just one real computer running VMware Player (or Workstation or Server) and a copy of the image of the VMWARE system (base.example.net). That image is what we call NETinVM and we have made it publicly available. You can download a copy of NETinVM from http://www.netinvm.org, where you will also find documentation and more details about the tool.

In future posts I'll describe some of the features of NETinVM but if you can't wait you are most welcome to go ahead, download and start using it, and, if you are kind enough, let us know what you think of it via e-mail or blog commment.

We hope you find it useful.

David Perez
Carlos Perez


July 18, 2008

Security Book Review: "Penetration Tester's - Open Source Toolkit Volume 2"

"Penetration Tester's - Open Source Toolkit Volume 2"
Authors: Aaron Bayles, et. al.
Editorial: Syngress
Publication date: October 12, 2007
ISBN-10: 1597492132
ISBN-13: 978-1597492133

NOTE: My copy of the book is not authored by Chris Hurley, as other book references on the Internet show, although they have the same ISBN, ¿?.

Summary: A good generic penetration testing reference guide. It includes a wide range of topics, and it is just based on open-source tools.

: 4/5

Penetration testing is definitely a recommended security discipline that helps you find real vulnerabilities and security wholes before the adversary does. This book is a reference guide of the different penetration testing stages and considerations, covering a wide range of technologies and tools. It is just focused on open-source and freely available tools, and do not include any commercial counterparts, like Core Impact or the specialized Web application testing suites. Perhaps this is a good addition for a future edition without the "open-source" term on its title.

The wide scope of the book is one of the reasons why it is not extremely cutting-edge and does not go into the deep details required to master each topic covered. I completely understand it is not possible to create such a book (at least with less than 9999 pages), covering a wide range of topics and including in-depth details. Overall, this book is a good reference guide (in fact one of the few generic references) that will open the door for more advanced knowledge from other books focused on specific areas, such as wireless, Web applications, databases, etc.

Something that can be quickly appreciated is the involvement of multiple authors, as the quality and look and feel of chapters varies. I specially liked the first two chapters, focused on Recon, Enumeration and Scanning. Even if you're an experience pen-tester, I've been doing penetration tests since 2000, you can easily identify the positive SensePost influence on these chapters, and the section contains valuable tips and tricks. At some extent, the "you always have something new to learn" principle applies here.

The book is really good emphasizing best practices and suggestions from a professional pen-testing perspective. When running tests over production environments, there are lots of considerations to need to have in mind, beyond the pure attack techniques. The book does an excellent work on this area, and this is also ratified by the final chapter detailing how to build your own pen-testing lab, including common political and technical issues (I can confirm I've seen lots of them in real world situations). Once you run pen-tests frequently, you need to customize and build your own scripts and tool set. The book also emphasizes this by explaining how to customize the Backtrack CD with your own additions. Definitely, it is a good approach as Backtrack is the reference pen-testing Linux Live CD distribution nowadays.

At first sight, the book structure is a bit strange and it seems there is a lot of repetition on each and every chapter, but once you get used to it, I think is a great approach. Each chapter introduces the goals and scope, then covers the technologies (or pen-testing phases) analyzed, plus the hacking techniques and vulnerabilities involved, and after that it focuses on the tools required to implement the attacks and how to use them, with practical and detailed examples.
It is crucial to differentiate between the techniques and foundations, and the tools, as multiple tools can be used for the same attack, sometimes you do not even need any hacking tool, and new tools will come in the future. I recommend you to master the techniques, the attack principles, and understand the vulnerabilities, and from there, select the best tool on each case. All this structure is complemented with a final case studies subsection on each chapter that exemplifies real-world situations where the techniques and tools can be applied, and how.

The databases, wireless and network devices hacking chapters are good. They provide some insight in the methodology, hacking tools and techniques available for these type of targets. The database hacking focuses on MS SQL Server and Oracle, for sure the most common DB's available out there. The wireless section mainly focuses on WiFi, and Bluetooth is barely mentioned; not enough. And finally, the network devices chapter is a must, as these systems are typically forgotten, although they manage all the network traffic and are a critical IT component of any organization.

In particular, I didn't like too much the Web application chapter. Although it contains lots of tools references, the structure and methodology presented is not very clear, and there is a kind of mix of tools to perform different tasks. Because Web application pen-testing is one of the cutting-edge areas we are dealing with today, I'd have liked to see more quality and in-depth material on it.

From my point of view, the forensic chapter is not related at all with the book and I would completely remove it. There are other very good forensic books available, so I guess it has been included because the tools and infrastructure for basic forensic analysis is available on Backtrack.
Instead, I would have liked to see more details, practical examples, and resources about vulnerable testing environments, such as the DVL (Damn Vulnerable Linux) distro, WebGoat, the Foundstone hackme suites; just to name a few, as well as Capture-the-Flag scenarios and conference references. It would be great to provide an overview on how to build and break into these testing environments using the tools and techniques covered throughout the book.

I strongly recommend this book to people thinking about, or starting on, the penetration testing field. It provides a good and wide overview of topics you need to master, tools available to launch the appropriate attacks, and other pen-testing best practices. As the book is directly aligned with the Backtrack CD, unfortunately version 2 and not the latest version 3 (time for a new edition, including more Bluetooth stuff and adding VoIP hacking ;)), it has a direct and very strong hands-on component, that allows the reader to test the different tools and examples, and makes it very valuable.

UPDATE: Amazon review (1st) and Bookpool review (1st)


Security Book Review; "Virtual Honeypots: From Botnet Tracking to Intrusion Detection"

"Virtual Honeypots: From Botnet Tracking to Intrusion Detection"
Authors: Niels Provos and Thorsten Holz
Editorial: Addison-Wesley Professional
Publication date: July 26, 2007
ISBN-10: 0321336321
ISBN-13: 978-0321336323

: This book is THE current reference about honeynet technologies and solutions. Definitely a must read if you are interested on improving the intrusion detection capabilities of your IT infrastructure, and who is not? :)

: 5/5

Honeynet solutions were seen just as a research technology a couple of years ago. It is not the case anymore. Due to the inherent constraints and limitations of the current and widely deployed intrusion detection solutions, like IDS/IPS and antivirus, it is time to extended our detection arsenal and capabilities with new tools: virtual honeypots.

Do not get confused about the book title, specially about the "virtual" term. The main reason to mention virtual honeypots, although the book covers all kind of honeynet/honeypot technologies, is because during the last few years virtualization has been a key element in the deployment of honeynets. It has offered us a significant cost reduction, more flexibility, reusability and multiple benefits. The main drawback of this solution is the detection of virtual environments by some malware specimens.

The detection of honeypots has always been one of the main concerns in the honeynet community, basically because if the attacker can identify them, they are useless. For this reason, one of the chapters is just focused on providing some light, tips, and tricks about what an adversary can really accomplish. In fact, we have not seen lots of real-world incidents where the attacker actively checks the existence of honeynet setups.

I have been working with honeynets during the last 5 years. We founded the Spanish Honeynet Project on 2004, and almost at the same time we became part of The Honeynet Project and released the Scan of the Month 32. The main honeynet/pot book reference till last year was the book published by the Honeynet Project. As this is a rapidly evolving field, definitely it has been replaced by this book, written by two project members.

The first chapter is a very brief introduction to honeynet technologies and basic tools. You can jump through it if you are not new to this field. Then, the book covers the main two honeypots types: high and low interaction. The high interaction section provides details about the tools to virtualize your honeypots: VMware, UML, or more specific solutions, such as Argos. The low interaction section provides details about some the most relevant honeypot types to cover lots of detection scenarios: worms, traditional server attacks, Google Hacking, Web-based attacks, etc. It is a wide overview that will give you lot of ideas for new deployments.

The whole book has been cooked with a how-to mentality , and it explains in detail how to install and configure the different tools and software elements covered. Additionally, it provides guidelines, best practices, and analysis recommendations for each tool based on the authors experience. However, for the how to portions take into account that most of the solutions are Linux-based, and the installation and setup process will vary based on the tool version and the Linux distribution you are using (library dependencies, etc). In any case, the step by step guides are very useful as a general setup reference.

From my perspective, the most valuable part of the book is chapters 4 to 6. The authors, Niels Provos and Throsten Holz, are the lead developer/architect for honeyd (chapter 4 and 5) and strongly related with nephentes (chapter 6), respectively. These two are the most famous and advanced low-interaction server-based honeypot and malware honeypot. They know what they are talking about :), and you cannot find a better reference out there for these two tools. The book is an excellent guide, covering from the design principles and innovative deployment ideas, to all kinds of configuration options and possibilities, including limitations on real-world scenarios. Chapter 6 is complemented with other less popular malware-based honeypots (except for Honeytrap).

The book includes some extra material, covering academic and research hybrid solution, still on their early stages, but that can give you and idea of where these technologies are evolving to and the major challenges we are facing nowadays. This pretty much theoretical content is well balanced with the case studies chapter, where real incidents involving different honeypot types are presented. These are always a fun read and a way of getting experience and learn how to deal with intrusions.

Finally, one of the main expansion areas we are involved today is the creation of new client-based honeypot technologies. This book section (highly recommended) does a great job introducing multiple high and low interaction honeyclients currently available, their benefits and drawbacks (chapter 7). This information is perfectly complemented by the last two chapters, focused on tracking botnets and analyzing malware with sandbox environments. Once a client is compromised, it typically becomes a member of a botnet, and for easy and quick categorization, we start by performing a malware analysis of the specimens. I recommend you to add all this knowledge to your incident handling and response capabilities.

Something I would have liked to see in the book is a section about a fully virtualized honeynet environment, showing how using VMware, you can build up a virtual Honeywall (just slightly mentioned on chapter 2) and different honeypots, creating a complete, cheap, mobile and multi-purpose virtual honeynet infrastructure. Also, we receive multiple questions related to this kind of setup in the Honeynet Project mailing lists, because all the previous whitepapers are obsoleted now. I've been deploying these type of solutions for fun and professionally during the last few years and I strongly recommend you to start using them. You won't be disappointed about how much you can learn of what is going on in your networks and systems, and this book is the best starting point.

If you have any relationship with the intrusion detection, incident handling and forensics, threat analysis, or SOC and CERT security side of things, definitely this book is for you. Go through it and improve your capabilities with easy to deploy virtual honeypot solutions. You just need a (not so new) computer, virtualization software, and some time!

UPDATE: Amazon review & Bookpool review (1st) & Slashdot (1st)


July 10, 2008

Security Book Review: "LAN Switch Security: What Hackers Know About Your Switches"

"LAN Switch Security: What Hackers Know About Your Switches"
Authors: Eric Vyncke and Christopher Paggen
Editorial: Cisco Press
Publication date: Sep 6, 2007
ISBN-10: 1-58705-256-3
ISBN-13: 978-1-58705-256-9

: The layer 2 attack and defense master piece. One of the best security books I have read, covering a topic that is a hole in the infosec industry.

: 5/5

I have been promoting the need to protect access to local network infrastructures (against the insider threat) for so many years that I'm even tired of sending the same message again and again these days, but I do not give up. I never understood why if we require authentication to each and every technology resource, such as your computer operating system, servers, databases, applications, and even physical facilities, why this has not been the case to access the network. Still today, lots of local networks from big companies and organizations are "free", that is, if the attacker gets physical access to an Ethernet port (RJ-45 connector) he is in! (the network). This is one of the attacker's dreams, and we can simply mitigate this threat through the 802.1X protocol. The expansion of wireless networks has helped a lot to promote it, but still it must be applied to most wired networks out there.

802.1X is just one of the multiple additions you can make to your layer 2 security stance in order to protect the local (layer 2) network infrastructure from several attacks. Definitely, you need to stop thinking about IP (layer 3) attacks only, and move one level down. Honestly, one of the layer 2 attacks that works 99% of the times I'm running an internal penetration test is ARP spoofing or poisoning. I tried to emphasize the impact of this attack and the associated defenses on my first GIAC paper for the Incident Handler (GCIH) certification in 2003, "Real World ARP Spoofing".

The book covers most of the vulnerabilities, design flaws, and security holes associated to the layer 2 protocols we currently and extensively use on our networks, such as MAC flooding and spoofing attacks, and STP, VLAN, DHCP, ARP, PoE, HSRP, VRRP, CDP, VTP, LAP and even layer-2 IPv6 related attacks. However, and starting with the minimum privilege principle (if you don't need it, why it is enabled?), the main focus of this book (and specially Part I) is to provide the reader with the knowledge and specific details to detect these attacks and protect the network and network devices (mainly switches) against all these threats. For each protocol and attack it describes the proper settings for a secure implementation.

Parts II of the book focuses on Denial of Service (DoS and DDoS) attacks on layer 2 devices and provide an excellent overview of switches architectures, internal implementation details (mainly Cisco focused), the relationships between the Control Plane and the Data Plane, the protocols each layer deals with, and the security implications on the internal operation of switches. If you want to know how your switches really work and the security implications of enabling/disabling certain capabilities, this is the section of the book you must read.

Part III then provides an introduction to more advanced access control options, through multiple ACL types, and layer-2 authentication (802.1X). It's a good introduction to go deeper into serious layer-2 access control and authentication projects and deployments.

Simplifying the threat, the attackers have a single tool (in fact they have multiple but this is THE tool) to do real damage at layer 2, Yersinia, co-develop by a Spanish security colleague, David. We, as defenders, need to properly design and deploy all the layer 2 technologies and protocols considering the security implications of its presence on the network. Fortunately enough, the countermeasures available to mitigate layer 2 risks are available in some current network devices, mainly switches. BTW, I encourage you to use the attack tools, like Yersinia, to audit your network. Some of the book countermeasures are trivial to apply, while some others require a very carefully thought-out planning. The book provides the guidance you need to start accomplishing the goal of getting a definitive layer 2 protected network by exposing the complexity, advantages and disadvantages of each solution.

The book is structured in small, easy to read, chapters that describe each of the technologies analyzed and its operation, the security issues and attack examples, and the detection and protection mechanisms you need to apply, straight to the most relevant implementation details. It also includes practical examples and describes multiple scenarios where each countermeasure can be applied, as well as the main decision factors to apply it in a given way. If you are busy (and who is not these days?), I recommend you to select a layer 2 protocol or technology you are using, select the appropriate chapter (a 30-45 minutes read at most), and start planning and applying the related security best practices. You can repeat this chapter selection process every couple of weeks, and in 2-3 months your network will be what I would like to see on all my customers. The book allows network administrators and infosec professionals to independently digest any of the chapters and start protecting the associated technology. Obviously, the main goal should be to apply all the book recommendations to your infrastructure in the short-mid term. Unfortunately, not all the countermeasures mentioned are available in all switches; there is still lot of work to be done by the vendors to implement all them.

The book opens the doors to a whole set of layer-2 threats, but it is not a complete guide to implement all the related protections, neither a command documentation book. It is up to the reader to check his switch documentation (Cisco or others) to get the full syntax details and multiple options for each of the countermeasures detailed. If you have managed Cisco devices, you know syntax also changes between IOS/CatOS versions, so I prefer this approach rather than a detailed syntax compendium that may be unusable on my specific IOS/CatOS version.

Even this is a Cisco Press book, and obviously it is focused on the current solutions available from Cisco, it is fair to admit that Cisco is leading the networking market and includes some of the most advanced layer 2 protection mechanisms in its switches, such as port security, UUFP, root and BPDU guard, BPDU filtering and rate-limiting, VLAN and layer-2 protocols best practices, DHCP snooping, DHCP rate-limiting and validation, IP source guard, DAI (Dynamic ARP Inspection), PoE defenses, HSRP and VRRP strong authentication, 802.1X, and lots of ACLs types: . RACL, VACL, PACLs, etc. Therefore, as this is the way to go, other vendors (if they do not already have these) should provide similar protection capabilities on their layer 2 network devices.

I specially liked how the book ends up (Part IV) covering LinkSec, 802.1AE and 802.1af, future standards that will finally provide confidentiality and integrity at layer 2 at wire-speeds, similarly to what be have today in wireless networks with 802.11i (WPA and WPA2). Why don't you start checking if these standards are supported by your endpoint (client, servers, printers, VoIP phones, etc) and network devices? The sooner we use it, the better.

The only portion missing on the book IMHO is the inclusion of layer 2 QoS protocols, such as 802.1p. Apart from that, chapter 1 is a light intro to security. If you have been in the field for a while, you can directly jump over it. I think it could have been omitted.

Before reading this book, I had an extensive previous experience on layer 2 security, switches, layer 2 penetration testing, and layer 2 network security architectures and design, and I really enjoyed the book, specially its practical focus, broad scope on layer 2 issues, the format and examples. If you are a penetration tester, I'm sure you will get a few ideas too for your next challenge, and you can easily apply them as most attack tools are publicly available and included on the latest Backtrack 3 version. Definitely, if you are a network security professional or network administrator in any way, shape or form, this book must be in your shelves.

UPDATE: Amazon review & Bookpool review (1st).


Security Books Reviews: A Humble Opinion

Something I wanted to add this year to the uncountable list of security-related tasks I'm involved in, is the publication of security books reviews. As I end up reading several security books, mainly technical, throughout the year, I thought it may be interesting for some people to know the opinion of other readers (myself included ;) before getting a copy of a specific book. I hope you find my comments and reviews valuable in your book buying decissions.

Apart of publishing the review in the RaDaJo blog, I plan to insert my reviews in Amazon and Bookpool.

The idea is to follow a common review format for each book I dig through, including:
- Book details: Title, author(s), editorial, publication date, ISBN, and book reference.
- Summary: A brief and descriptive sentence reflecting my overall impression about the book.
- Score: A numeric score from 1 to 5, being 5 the top score (an excellent book).
- Review: Several comments about the book contents, including what I enjoyed the most and the less, my previous experience on the book topic, as I'm convinced that the value of a book is highly conditioned by the knowledge the reader has on the topic, the type of audience that could benefit from reading the book, as well as any other comments and opinions that come to my mind at the time of writing it. Comments might be focused on the book or on the topic covered by the book.

BTW, most publishers provide a free sample (in PDF format) for their books, so I'm including the book reference so that you can get all the book details and also have access to the sample chapter. That way you can read one chapter and see if the book seems to be what you expected from my review ;)

Due to the huge amount of technical security books published yearly, you could easily spend your whole life (without doing anything else) buying and reading them. These book review posts try to provide you useful details and, as a result, save you some time.

I have a few books in the current queue, so you should see some reviews published in the following weeks. As I'm starting this new task, and typically very busy with other security research and services, you will see that some of the books on my queue were published some time ago. I still think people may be interested on buying them today, so this is why I'm reviewing them.

If you are interested on having me reading and reviewing a specific book (because your are a frequent reader or a publisher), send your suggestions to radajo@gmail.com. If I like the topic, most probably I will go for it, digest it, and publish a review.

Time to improve your security skills with additional literature!!