Week 3: On-Campus Lab Session

In the online session we are looking at the secure design process and how technology can help us to secure our systems.

In the on-campus labs we are going to take a closer look at the technological aspects. (as it gives us an excuse to do fun stuff)

IP Addresses, Ports and Sockets

Note

Hopefully this is just a recap....

To communicate with a device over a network we need to know its IP Address. This should give us a unique identifier for any machine connected to the network.

IPv4

Of course in the case of IPv4 and the Internet this whole unique thing is a blatant lie. Held together by spit, sticky tape and NAT.

As well as the address of the device, applications and services running on them also need an address a port.

Ports are numbered and use 16 bytes (65535) possible addresses. In the case of TCP:

• 0 - 1024 : Reserved ports

  Used for well known services such as HTTP, or FTP

• 1024-49151: Registered ports.

  Which can be registered for a particular service (for example, a VOIP client, or database service). While technically we shouldn't use these ports, they are not going to come after you (although your program may not work properly if it collides with another better known one).

• 49152-65535 Client Ports

  Are used for client services to connect. For example when we make a connection to a web server, we open a port in this range at our end, and use it for communication..

If you need more information (or a better recap) I recommend reading TCP/IP Ports and Sockets Explained.

Why are ports interesting to us from a security POV

Ports are interesting to us because they can tell us what devices are communicating over the network.

On our own systems, we should (ideally) know all of the services to expect as part of our audit process.

Therefore, if a new service starts listening, or a connection to the outside world is made. We should be able to detect it and take action. For example, a SIEM could monitor open ports and detect anomalous behaviour.

Port Scanning

Port scanning is a common activity in security audits and penetration-tests. Put simply, it is the process of checking what "ports" are closed or open on a given target or list/range of targets.

Note

We will get onto using "Proper tools" for port scanning in tomorrows session. Lets get some coding done.

Also, some times you need to get this stuff done with the tools you have available....

Legal Issues with port scanning

The legality of port scanning is a bit of a grey area. While in many countries its considered illegal, its also accepted that its an important part of a security audit.

Only scan devices you own or have been given permission to scan.

The Uni can take a dim view of port scanning, pointing a scanner at parts of their infrastructure tends to draw their attention.

The basic idea behind port scanning is that we try to connect to each port, if we get a response, then we can mark the port as open (and investigate it) otherwise we mark the port as closed.

Task Part 1: Writing a basic port scanner.

Our first task is to write a basic port scanner. Our port scanner should look at the reserved ports (0-1024) to see what is open.

Some Example Python Code to open a connection and attempt to connect is below

import socket

def checkPort(target, port):
    """
    Attempt to open a socket based connection to a host and port

    If the port is open on the target return True
    Otherwise return False
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    returnCode = sock.connect_ex((target, port))

    #A return code of 0 means we have a successful connection
    if returnCode == 0:
        return True
    elif returnCode == 111:
        #111 is connection refused (ie Closed)
        return False


if __name__ == "__main__":
    isOpen = checkPort("127.0.0.1", 8000)
    print ("Port 8000 on Localhost open {0}".format(isOpen))

You can test this works by firing up a poor mans web server in python

To do this use the following command on the command line (works in both windows and Linux)

#Python 2
python -m SimpleHTTPServer

#Python 3
python -m http.server

Your Turn

Adapt the port scanner code above to scan the reserved ports (0-1024)

Task Part 2: Testing the Reserved ports

We now need a target for the scanner to look at. We will use docker to build a temporary machine on the Linux box.

Step 1: Use Docker Compose to build our target

Linux and Docker

• instructions for getting a copy of Linux
• Download links for pre made images

Docker let us run lightweight containerised Linux services. One of the really nice things about it is the services are logically separated from the underlying OS.

This means that (theoretically), you can run a consistent system, on top of any supporting base OS.

While Docker was designed for allowing the rapid deployment of services in things like data centres, and to give a clean environment for dev work. Its also really useful for security audit, as it allows us to test services, without effecting our core system.

Docker-Compose lets us build and manage "stacks" of containers using a script. It saves a lot of time hand linking containers.

Disc Space

You might be worrying about disc space, downloading all these diffrent targets. Another cool thing about docker is its concept of layers.

This means that unlike a traditional VM where we get a full copy of the FS each time, docker works on the differences between layers.

Take a note of the time it takes to get the first target. Later ones will be much quicker (and smaller) as they only grab the changes. For example, the web server will only need the site contents, rahter than the full web server code.

You can download get a copy of the target1 compose file

Starting the Target

$ docker-compose -f target1.yaml up
Starting scanningone_smtp_1 ... done
Starting scanningone_ssh_1  ... done
Starting scanningone_ftp_1  ... done
Starting scanningone_web_1  ... done

Stopping the Target

To stop the target you can either

1. hit Ctrl+C To stop the process
2. run docker-compose -f target1.yaml down

Task

1. Use docker-compose to start the services
2. On your Linux box Use the port scanner to see which services are open
3. On the Windows box, try scanning the VM to see which ports are open
   • Is there a difference in the way Windows and Linux scan? What could we do about it?

Part 3: Banner Grabbing

Another useful function for a port scanner is banner grabbing as this can help us confirm the services we are connecting to. It can be helpful when services are on a different port to what we expect them to be on, or for detecting which of several possible services services may be running on a registered port.

The principle behind banner grabbing is that we check the sockets first response and compare it against a library of known response.

Many services will provide some sort of message when we first connect. For example, an FTP server may display the message of the day, and let you know you are connected.

We can modify the checkPort() function to get the string sent at connection

import socket

def checkPort(target, port):
    """
    Attempt to open a socket based connection to a host and port

    If the port is open on the target return True
    Otherwise return False
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    returnCode = sock.connect_ex((target, port))

    #A return code of 0 means we have a successful connection
    if returnCode == 0:
        banner = sock.recv(1024) #Grab 1024 Bytes of data
        ## DO SOMEHTING WITH THE DATA...
        return True
    elif returnCode == 111:
        #111 is connection refused (ie Closed)
        return False


if __name__ == "__main__":
    isOpen = checkPort("127.0.0.1", 8000)
    print ("Port 8000 on Localhost open {0}".format(isOpen))

Add Banner Grabbing

1. Modify the port scanner code to add banner grabbing, and implement lookups for the services you find in target1
2. In Target2.yaml The services may be running on different ports. Can your system detect them?

Some things to consider: - We only have a couple of services, use a dict{} to store the lookups - Some services may not send anything on connection. How do we deal with them? - If you modify the code to use select be sure to read the notes on this for windows.

Part 4: More Banner Grabbing

In the example above, we can see that some services may not send anything on connection. Instead they wait for the client to send data before responding.

One example of this is HTTP. Which waits for the client to request a page before responding.

Mozilla Documentation on HTTP Sessions

Testing Web servers

Modify the banner grabbing code to try and confirm if you are connecting to a web-browser.

NOTE: - Rather than sending the all open ports just consider browsers on common ports (80, 8080, 8000)

Part 5: Testing for known exploits

Another useful thing we might want to do is test for known exploits.

For example: A misconfigured FTP server may let us log in as the anonymous user, without requiring a password. This can let us read (and occasionally write) files remotely.

Poking FTP Servers

For this task we want to use target3

This target has anonymous FTP turned on, update the banner grabber to check for anonymous FTP access, and provide a directory listing if it does.

Extra Task

• There is a flag (called flag.txt) hidden on the server, can you find it?
• What can we do with anonymous FTP?
• HINT: What were we doing last week.
• HINT2: llehs
• HINT3: Little Horses are nice....

Important

If you are having issues, try conncting to FTP manually. If it complains about not being able to talk to 127.0.0.1 (this will depend on docker config) then use the IP address it says to talk to.