_______________________________________________________________________________

                          Nomad Mobile Research Centre
                               L A B   R E P O R T

                 "Crackers and Commercial Vulnerability Scanners"

                                       or

              "I'm a lame cracker and can't get BASS to compile, how 
               can I download a commercial vulnerability scanner and
                 start checking the entire Internet in 5 minutes?"

                                  www.nmrc.org
                        Simple Nomad [thegnome@nmrc.org]
                                    11Oct1999
_______________________________________________________________________________



Synopsis
--------

The top commercial vulnerability scanners have little to no security 
surrounding their licensing, making them excellent script kiddie tools. These
scanners are actively being used by the underground against targets.


Tested configuration
--------------------

Testing was done with the following configuration :

 Platform:

  Microsoft NT 4.0 Server and Workstation with SP3 (no additional hotfixes)
  Microsoft NT 4.0 Server and Workstation with SP5 (with Csrss, LSA-3, RAS,
   WinHelp hotfixes)

 Products:

  Bindview's HackerShield Product Version 1.10.1106, Package Version 11
  ISS' Internet Scanner Version 5.8.1
  NAI's CyberCop Scanner Version 5.0
  WebTrends' Security Analyzer v2.1b


How We Selected and Tested
--------------------------

First off, you ask how we chose our products, and why we didn't choose some
over others. Well, we have limited resources and time, so we chose to limit
testing to a few, and not all of the vulnerability scanners out there. We 
chose only commercial products instead of freeware, since the freeware 
products by nature offer no security features themselves. Arguably, our 
"scientific" selection of products were limited, and mainly consisted of two
important questions -- "What is popular", which got ISS and NAI into the 
picture, and "What is currently loaded we can play with" which landed us 
Bindview and WebTrends products. They also had to have a demo version 
available for download from their web site.

After we had started testing, Security Focus (http://www.securityfocus.com/)
ran a poll on the most popular network security scanners, and three of our
four choices made the top four. The fourth, NetSonar by Cisco, does not have
a downloadable demo version.

So what was the testing method? Download the eval, install it, and try to
start scanning sites we have no business performing a vulnerability scan
against, and do it within 5 minutes of installation.

We did not test the security of the product once it was installed. For
example, all of these products had access controls around the installation
directories, and most required you have local admin access to run them, or
at least take advantage of all of their features.


Why We Did This
---------------

We had heard of hackers using commercial vulnerability scanners to map out 
networks before they were compromised, plus we found traces of an ISS scan 
on a host that should not have had ISS run against it, and wondered who did 
it. When we determined who had done it, we could not believe someone so lame 
could figure out the security surrounding ISS, and hence.....


Products Background
-------------------

Commercial vulnerability scanners all tout themselves as being more robust,
more thorough, and better designed than their freeware counterparts. The idea
is simple -- to stay ahead of the intruders, you need a powerful tool that
can perform assessments of entire corporate networks with dozens and dozens
of vulnerability checks. To ensure their scanners are the most thorough and 
complete scanners available, the larger software developers of vulnerability
scanners have research teams that scour the Internet for the latest 
vulnerabilities, and hire coders to help add checks for these vulnerabilities
to their scanners.

The top scanners are developed for large-scale scanning, and are capable of
looking at thousands of hosts for hundreds of vulnerabilities. They have a
myriad of reporting features, most have some type of automation, and they are
even capable of actual compromise (through password guessing, file grabbing,
etc).

NMRC recently looked at four scanners -- Bindview's HackerShield, NAI's
CyberCop, ISS' Internet Scanner, and WebTrend's Security Analyzer. All four
have the ability to perform detailed and thorough scans of target systems, 
each with various reporting capabilities. And while their intent is to give
the corporate or government system administrator an advantage over the 
potential intruder by providing the most comprehensive tool for finding 
vulnerabilities, due to the lack of decent security surrounding the demo
versions of these tools, some are being downloaded and (ab)used by the 
intruder community.


Legality Note
-------------

Using these commercial products without paying for them, or altering or
bypassing any licensing restrictions, is illegal. Of course one would assume
that any potential intruder getting ready to commit an illegal intrusion
into someone else's computer system is probably going to disregard the
licensing restrictions of most commercial software, including vulnerability
scanners.

We are not advocating you download and point a demo product at a .mil site
just to see if it works. This is more than port scanning, which for the most
part is legal. The Denial of Service and file-grabbing features alone of some
of these products could land you in jail if you are not careful.


NAI's CyberCop Scanner
----------------------

Minutes to start scanning : 0
Large-scale Usability     : 100%
Favorite feature          : CASL (Custom Audit Scripting Language) 

There are no target restrictions on this product. Download the demo from
NAI's web site, point it at anything you want, and begin gathering data. 

When NAI's technical support line was contacted (see Appendix A below), we 
asked if we were on the honor system as we could not find any restrictions. 
The individual at tech support laughed and said yes, but stated the download
was a limited time demo of thirty days. We could find no such time restriction
ourselves.

Large scale scanning was a piece of cake -- simply add in your hosts and start
whacking away.

Script kiddie bonus: Hollywood-influenced script kiddies will love the 
network mapping features, which allow you to fly around in a virtual 3D world
looking at network nodes. Use only the Trace Route to Host module to create a
nifty 3D model of the network you plan to compromise.


Bindview's HackerShield
-----------------------

Minutes to start scanning : 2
Large-scale Usability     : 95%
Favorite feature          : HSMapper, the remote OS identifier that 
                            automatically identified target systems.

To keep track of what vulnerabilities were checked against what systems, and
what IP addresses are allowed to be checked, HackerShield uses a database.
Unfortunately, they use a Microsoft Access database, and rely on Access'
built-in password protection to protect the database. The password is stored
in plaintext in the HackerShield.exe program, which renders the security
surrounding the database useless. Even if it were obfuscated, it is easy to
recover (see Appendix B below).

When downloading the demonstration version of the HackerShield program from
the Bindview web site, you are emailed a 5-IP address license that is good 
for two weeks. The license file is loaded into the database.

Opening the HackerShield.mdb file in Access (using the recovered password)
allows an intruder to manipulate all of the tables inside, including the
licensing parameters. You can increase the number of hosts you can scan, the 
network segments to scan hosts on, and you can adjust the expiration date.
Anyone with basic database knowledge should be able to make the adjustments 
fairly quickly.

We pointed this out to Bindview, and they were already aware of this flaw in
their licensing. Their attitude surprised us, but essentially they'd prefer
to focus programming resources toward enhancing their product than securing it
from license defeating. They are aware the steps they have taken are weak, but
insist the main goal is to help the commercial user stay within the limits of
what they paid for, not protect it from nefarious use.

Large scale scanning was limited to editing the database, although it wasn't
a hard thing to do.

Script kiddie bonus: Use the automation features to schedule scans to run
unattended on your NT workstation. The scheduled jobs can run even if you are
not logged in, as they use a Service User to perform automation.


ISS' Internet Scanner
---------------------

Minutes to start scanning : 1
Large-scale Usability     : 95%
Favorite feature          : Can run in command line mode if properly coaxed.

Downloading ISS' Internet Scanner allows you to demo the product in localhost
mode. To use the scanner against network targets requires a key. To give the
appearance of sophisticated encryption, the key looks similar to a PGP public
key, with "-----BEGIN ISSKEY5----" at the beginning of the key and 
"-----END ISSKEY5----" at the end of the key. Between these lines are a series
of lines of "secret cipher text".

While it is fairly obvious that the encryption used here is weak (it is U.S.
exportable) and it is a symmetrical algorithm, it has apparently been broken
to some degree. A quick search in AltaVista using the key words "keygen" and 
"iss" should reveal the program that a number of Russian and Eastern European
hackers have been making use of for months.

When contacted about this, ISS responsed:

"Internet Scanner restricts the range of IP addresses reachable by a given
customer. The IP address restrictions protect a customer from accidentally
scanning outside their own network or it can be used to keep Administrator
Jane from scanning Administrator Bob's portion of the network.

"Over the years we have advanced the security around the license key
mechanism that controls this feature. The latest version of our license key
mechanism uses a DSS signature on a SHA hash of both the license as a whole
and individual pieces of information within the key to insure integrity, and
then uses blowfish for encrypting the key as a packaging mechanism. The
cracker discovered a flaw in the signing and signature verification
implementation and exploited those flaws, providing a method to bypass the
control mechanism. Despite the signing/verification flaw, defeating the
license mechanism required considerable expertise and effort.

"Internet Scanner is designed to be easy to detect when scanning a network.
By design Internet Scanner also leaves "fingerprints" in the logs of scanned
machines. These fingerprints provide a means for determining the computer
performing the scan.

"We will continue to enhance the security of Internet Scanner's control
mechanisms.   Despite the difficulties and inconvenience of controlling
Internet Scanner's range we believe it is the appropriate action for a
security company and the behavior expected by our customers."

This was the best response. We'll _assume_ they will fix the signing and
verification flaw in later releases of their software. 

Large-scale scanning was easy to set up, but was dependent on the key you
generated using the keygen program. New class Bs and Cs to target required new
keys.

Script kiddie bonus: Print detailed reports with exactly how to correct the
problems and leave them behind at cracked sites for the poor admins to use (ISS
has excellent reporting capabilities). In fact, replace the index.html with the
generated HTML report you used to attack the site. Probably would be much more 
interesting than most web defacements anyway.


Webtrends' Security Analyzer
----------------------------

Minutes to start scanning : 18
Large-scale Usability     : 0%
Favorite feature          : Had a vulnerability test for the HackerShield 
                            service user we reported on recently.

Security Analyzer was quick to set up and get going, but the web demo version
is hard-wired for localhost. We decided to give it a whirl anyway, especially
after we discovered that the "localhost" hard wiring was simply to grab the
first adapter configured. We were able to scan hosts we didn't own by deleting
and configuring adapters until 10.10.10.10 was grabbed first by Security
Analyzer. Once that was done, locally loaded proxy software or software that 
does NAT (Network Address Translation) allowed us to direct traffic to outside
sites.

We did go over our 5 minute goal, and we were only able to scan one host at a
time. To scan a new host required proxy/NAT reconfiguration each time, and this
was very time consuming considering the fact we had three other scanners that
allowed much more freedom. Therefore large-scale scanning was simply 
impractical for our purposes.

Webtrends had also put in a 14-day limit on the trial version, which worked as
advertised. We did not try to defeat this limit.

NMRC did not contact Webtrends as we felt we really didn't have much to report.
They probably shouldn't use the first adapter on the list, and use 127.0.0.1
instead, but loading and configuring a proxy or NAT to invoke network scans is
a lot of effort. As far as asking which proxy/NAT software to use, take your
pick. We encountered problems with every package we tried as various 
vulnerability checks would cause the setup to crash or malfunction.

Script kiddie bonus: Sorry, more trouble that it's worth.


Conclusions
-----------

If you are a system administrator, please bear in mind that using one of the
commercial scanners does not give you any tactical advantage over the intruders
you are trying to keep out of your system. When one of these commercial vendors
state that their tool allows you to see your systems the way a potential 
intruder does, they are not kidding.

It is true (as stated in ISS' response above) that these software packages
will leave footprints in systems. This can be a blessing and a curse. If you
have an "outer perimeter" computer system you scan with CyberCop (leaving a
footprint), if compromised the intruder can see what is used to test the
security of the system, and could conceivably turn that against you by starting
a general mapping of your internal systems using CyberCop. It is possible that
a sys admin will overlook the intruder's CyberCop footprints, thinking they are
his own. 


Solution/Workaround
-------------------

There is no solution or workaround. This is the old "please Dan, don't 
release Satan" argument. We are happy to see that there are commercial
vulnerability scanners with fine research behind them. We are also happy that
users can download demo products to test before they buy. Just bear in mind 
these tools can and more importantly ARE being used by the underground (which 
is the main reason we are releasing this paper).

If you are using an IDS, you might want to make sure it can detect some of the
more exotic exploits these products can produce, especially if these exotic
exploits actually compromise systems or perform DoS attacks. If you've 
adjusted your IDS to ignore certain patterns, for example a standard ISS scan,
them perhaps you should review those rules.


Comments
--------

NMRC believes that if you are charging money for a security product that has
little to no security built in to protect itself from abuse, it is in fact a 
poor message. There are five approaches: 

        1) Do nothing (NAI). 
        2) Do a minimal amount to keep the end user within the license 
           restrictions (Bindview). 
        3) Come up with something the *looks* like state-of-the-art 
           encryption and licensing, and hope it isn't broken (ISS). 
        4) The downloadable demo version is crippled (Webtrends).
        5) Use a combination of copy protection techniques coupled with 
           encryption and registration keys so that your killer app scanner
           will not be used by the people you're trying to defend against
           (anybody? nobody?).

Thanks to Yan for the Access 97 byte string used to recover passwords.


Appendix A
----------

We prefer contacting vendors via email due to the natural electronic paper
trail it produces. If that doesn't work, we will start calling tech support.
For more info on NMRC's disclosure policy, please see
http://www.nmrc.org/advise/policy.txt.


Appendix B
----------

This program will end the lame Access password recovery shareware industry.
Sorry, but information wants to be free.

/*************************************************************************
  ACC_REC - Access 97 Password Recovery
  Written by Simple Nomad [thegnome@nmrc.org] 17Sept99
  http://www.nmrc.org/
 
  Compile using DJ Delorie's excellent port of the GNU compiler, which is
  available from http://www.delorie.com/

  Thanks to Yan for pointing us to the sekrit string!
 *************************************************************************/

/* includes */
#include <stdio.h>
#include <stdlib.h>

/*
 * Main program....
 */
int main(int argc, char *argv[])
{
  FILE *fDatabase;
  int i;
  unsigned char recover[13];
  unsigned char password[13];
  unsigned char sekrit[13]={0x86,0xFB,0xEC,0x37,0x5D,0x44,0x9C,0xFA,0xC6,0x5E,0x28,0xE6,0x13};

/* Say hello... */
  printf("ACC_REC - Recover the password for Microsoft Access databases\n");
  printf("Comments/bugs: thegnome@nmrc.org\n");
  printf("http://www.nmrc.org/\n");
  printf("1999 (c) Nomad Mobile Research Centre\n");
  printf("Database filename must be in 8.3 format\n\n");

  if (argc!=2)
  {
    printf("USAGE: acc_rec <database>\n\n");
    printf("EXAMPLES:\n");
    printf("  acc_rec secretz.mdb\n");
    exit(-1);
  }

  fDatabase=fopen(argv[1],"rb");
  if (fDatabase == NULL)
  {
    printf("Unable to open database file %s.\n",argv[1]);
    exit(1);
  }
  fseek(fDatabase,66,SEEK_SET);
  fread(&recover,13,1,fDatabase);
  fclose(fDatabase);

  if (!memcmp(recover,sekrit,13))
  {
    printf("There is no password set for database %s\n",argv[1]);
    exit(0);
  }

  for (i=0;i<13;i++) password[i]=recover[i]^sekrit[i];
  printf("The password is - ");
  for (i=0;i<13;i++) 
  {
    if (isprint(password[i]))
      printf("%c",password[i]);
  }
  printf("\n");
}
_______________________________________________________________________________