
retina.vs.iis4-round2-the.brain.txt

Posted Aug 17, 1999
Authored by eEye Digital Security

Detailed description of the Brain File used to uncover the eEye NT4+IIS4 URL buffer overflow remote exploit.

tags | exploit, remote, overflow
SHA-256 | 9ccb8012a7fa14933beb8e4aa92ca1c05c22e3d03e3eed20ffe537042503fb10

http://www.eeye.com/database/advisories/ad06081999/ad06081999.html


Retina vs. IIS4, Round 2 The Brain File

The following is a listing of the Brain.ini file that Retina uses for its Miner module.
This is the actual file listing that uncovered the crash in IIS4. We trimmed out some
variables that are not being used. We explain how the brain file works below. To
install the brain file, copy it to the following path:
c:\program files\retina\modules\retina\miner\brain.ini


Downloads: brain.ini <http://www.eeye.com/database/advisories/ad06081999/brain.ini>


[General]
Title=HTTP Miner

[Commands]
1=GET /%%passwordpath%%/%%$RPT(65,40,10)%%.%%extention%% HTTP/1.0

[Variables]
cgi-bin=cgi-bin,cgi,bin,cgibin,data,dat,exec,apps,secure,hide,
extention=html,htx,asp,exe,xml,ini,htr,txt,dat,dbf,lst,data,
passwordpath=password,passwords,pass,users,clients,admins,store,
passwordfile=password,passwords,pass,users,clients,admins,store,


How the brain file works

To explain the brain file we need to explore some of Retina's features and explain
how brain files are constructed.

Retina's AI (Artificial Intelligence) Engine

The most limiting trait of a program is the rigidity of the code (logic) built into it.
It is written by a human to handle a fixed set of logic. So in the case of a
network auditing tool, the logic is designed to handle only what the programmer has
instructed it to do. But what if the program has its own knowledge base, i.e. it
records what it finds, compares all of its findings, and then catalogs the
information based on a defined set of rules? As the application runs it becomes
familiar with the norm, is able to recognize the exception to the norm, and can
then report the exception. This is one of the most powerful technologies in
Retina. It is being used in two of the existing modules in a limited way: for
security reasons we limited the capability of this feature set while we define how
to protect it from being abused. Yes, this feature is very powerful and can be used
to DoS (Denial of Service) servers and to do data mining on server content.

The AI Engine at work

Here we describe some of the data mining capabilities currently in Retina. The
following capabilities might be disabled in current beta releases for the security
reasons mentioned above.

The Browser Module collects links and action URLs from a web site to identify all
third-level domain names associated with the domain being scanned; as the domain
list is built, Retina provides it as an optional scan list. This capability allows
the auditor to identify all possible servers, applications and IP addresses that
might be a weak link in the chain of security surrounding the domain.

The Tracer Module performs a simple trace route to the target IP address. It is
very simple in nature, but the information collected along the way can be a list of
possible gateways, routers and/or proxies that need to be scanned to make sure
that security is audited at all entry points to the network.

The Scanner Module scans for open ports. When an IP address has different open
ports than the rest of the subnet, it is possible that special applications are
running on that server, or that a user is running a client application that has
that port open. This can be used to identify the port and add it to a list of
warnings that need to be checked.

The Brain File

The findings from the modules mentioned above are then logged in what we call a
brain file. The brain file is a list of commands, variables and actions to be used
in a time-consuming auditing operation, much like brute forcing, but the variables
are intelligently limited so the results are more accurate. Currently the only
module we are releasing that acts upon this data is the Miner Module, which takes a
brain file, constructs queries against web servers, and reports anything other than
"File not found".

In the above example brain file, the Miner module generates commands based on a
query command and all variables collected within the brain file. The directive
"%%$RPT(65,40,10)%%" is an overflow generator: 65 is the ASCII character we want
to repeat, 40 is the number of times we want to repeat the loop, and 10 is the
length to increment the string by on each pass.

In the variables section we list all the different words we want to try in all
possible combinations. The "htr" value of the extention variable is what brought
our server down.
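To make the expansion concrete, here is an added Python example; it is not part of the eEye advisory and not Retina's own code. It parses the brain.ini listing above (an embedded copy of that listing), expands the command template the way the text describes, and adds a defender-side check that a reverse proxy or log filter could apply: flag request lines whose path has an over-long component. How $RPT grows the string on each pass is an assumption (the advisory only names the three parameters; here pass i yields the character repeated step*i times), and the function names and the 250-byte threshold are this example's own.

```python
import configparser
import itertools
import re
from typing import Dict, List, Tuple

# Constructed copy of the brain.ini listing shown in the advisory. The trailing
# commas are kept exactly as in the listing so the parser has to cope with them.
BRAIN_INI = """\
[General]
Title=HTTP Miner

[Commands]
1=GET /%%passwordpath%%/%%$RPT(65,40,10)%%.%%extention%% HTTP/1.0

[Variables]
cgi-bin=cgi-bin,cgi,bin,cgibin,data,dat,exec,apps,secure,hide,
extention=html,htx,asp,exe,xml,ini,htr,txt,dat,dbf,lst,data,
passwordpath=password,passwords,pass,users,clients,admins,store,
passwordfile=password,passwords,pass,users,clients,admins,store,
"""

# A placeholder is either the $RPT(char,loops,step) directive or a variable name.
PLACEHOLDER = re.compile(r"%%(\$RPT\((\d+),(\d+),(\d+)\)|[\w-]+)%%")


def rpt_values(char_code: int, loops: int, step: int) -> List[str]:
    """Expand the overflow generator.

    Assumption (the advisory only gives the meaning of the three numbers):
    pass i of `loops` yields chr(char_code) repeated step*i times, so
    RPT(65,40,10) produces 'A'*10, 'A'*20, ..., 'A'*400.
    """
    return [chr(char_code) * (step * i) for i in range(1, loops + 1)]


def parse_brain(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return the command templates and the variable lists of a brain file."""
    # interpolation=None: otherwise configparser treats the %% markers as its own syntax.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    commands = [cp["Commands"][key] for key in cp["Commands"]]
    variables = {
        name: [v for v in value.split(",") if v]  # drop the empty entry after the trailing comma
        for name, value in cp["Variables"].items()
    }
    return commands, variables


def expand_command(template: str, variables: Dict[str, List[str]]) -> List[str]:
    """Produce every request line the template yields (all variable combinations)."""
    slots: List[List[str]] = []
    for m in PLACEHOLDER.finditer(template):
        if m.group(2) is not None:  # the $RPT directive
            slots.append(rpt_values(int(m.group(2)), int(m.group(3)), int(m.group(4))))
        else:
            name = m.group(1)
            if name not in variables:
                raise KeyError(f"brain file uses undefined variable {name!r}")
            slots.append(variables[name])
    requests = []
    for combo in itertools.product(*slots):
        fill = iter(combo)
        # Replace placeholders left to right with this combination's values.
        requests.append(PLACEHOLDER.sub(lambda _: next(fill), template))
    return requests


def oversized_segment(request_line: str, max_len: int) -> bool:
    """Defender-side check: does any path component of a request line exceed max_len?

    A very long single path component is the signature of the generator above and
    of the URL overflow class the advisory describes, so a proxy or log filter can
    apply this test before such a request reaches a fragile handler.
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    path = parts[1].split("?", 1)[0]  # ignore any query string
    return any(len(segment) > max_len for segment in path.split("/"))


if __name__ == "__main__":
    cmds, vars_ = parse_brain(BRAIN_INI)
    generated = expand_command(cmds[0], vars_)
    print(f"{len(generated)} request lines, longest {max(map(len, generated))} bytes")
    print(f"{sum(oversized_segment(r, 250) for r in generated)} exceed a 250-byte path component")
```

Under the stated assumption the single command expands to 7 x 40 x 12 = 3360 request lines, the longest 429 bytes; the unused cgi-bin and passwordfile variables are parsed but never referenced by the command, which is what a template expander should tolerate. The length check is deliberately coarse: it says nothing about which handler is fragile, only that no legitimate file name in the variable lists comes anywhere near the threshold, which is why such a limit is cheap to enforce at the edge.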

Copyright (c) 1999 eEye Digital Security Team

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of eEye. If
you wish to reprint the whole or any part of this alert in any other medium
excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer:

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of this
information is at the user's own risk.

Please send suggestions, updates, and comments to:

eEye Digital Security Team

info@eEye.com
www.eEye.com


Retina vs. IIS4, Round 2
<http://www.eeye.com/database/advisories/ad06081999/ad06081999.html>
Retina vs. IIS4, Round 2 - The Exploit
<http://www.eeye.com/database/advisories/ad06081999/ad06081999-exploit.html>