Wednesday, July 19, 2006

Public DNS & Network record queries

One of the first steps in a security review conducted over the public Internet is to gather the information that is publicly available about the target of the test.

You might also want to query these records to confirm that the information that needs to be published about a network is in fact publicly available, and is being published correctly.

This information is freely available because other hosts need it to resolve names to IP addresses, route mail and find their way to your servers as part of normal communication over the Internet. Only the traceroute actually sends packets to the target; the whois and DNS queries go to registrars, regional registries and the domain's name servers.

There are many places where you can get this information, but I like to use the two services below. Here are examples of the output obtained from them; I will pick on google.com again:

http://nwtools.com

  • There are a number of individual utilities available (e.g. Ping, Lookup, DNS Records, Network Lookup), plus a handy one called Express that runs them all at once and gives you one complete output to work with. The output below is what came back when I submitted this request for "google.com":

    http://nwtools.com/default.asp?prog=express&host=google.com

IP address: 64.233.167.99
Host name: google.com

TraceRoute to 64.233.167.99 [google.com]
Hop (ms) (ms) (ms) IP Address Host name
1 0 0 0 66.98.244.1 gphou-66-98-244-1.ev1.net
2 0 0 0 66.98.241.16 gphou-66-98-241-16.ev1.net
3 0 0 0 66.98.240.14 gphou-66-98-240-14.ev1.net
4 1 1 1 129.250.11.141 ge-1-3-0.r02.hstntx01.us.bb.gin.ntt.net
5 9 7 7 129.250.5.30 as-0.r20.dllstx09.us.bb.gin.ntt.net
6 8 7 6 193.251.241.189 so-0-1-0-0.dalcr2.dallas.opentransit.net
7 32 32 30 193.251.128.114 po0-0.chicr2.chicago.opentransit.net
8 29 29 27 193.251.249.30 -
9 27 29 29 66.249.95.253 -
10 29 27 27 66.249.95.247 -
11 30 29 30 66.249.94.133 -
12 41 35 37 64.233.175.42 -
13 29 29 30 64.233.167.99 -

Trace complete

Xwhois query for google.com...
Results returned from whois.markmonitor.com:

MarkMonitor.com - The Leader in Corporate Domain Management
----------------------------------------------------------
For Global Domain Consolidation, Research & Intelligence,
and Enterprise DNS, go to: www.markmonitor.com
----------------------------------------------------------

The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com
for information purposes, and to assist persons in obtaining information
about or related to a domain name registration record. MarkMonitor.com
does not guarantee its accuracy. By submitting a WHOIS query, you agree
that you will use this Data only for lawful purposes and that, under no
circumstances will you use this Data to: (1) allow, enable, or otherwise
support the transmission of mass unsolicited, commercial advertising or
solicitations via e-mail (spam); or (2) enable high volume, automated,
electronic processes that apply to MarkMonitor.com (or its systems).
MarkMonitor.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.

Registrant:
Google Inc. (DOM-258879)
Please contact contact-admin@google.com 1600 Amphitheatre Parkway Mountain View CA 94043 US

Domain Name: google.com
Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com

Administrative Contact:
DNS Admin (NIC-14290820) Google Inc.
1600 Amphitheatre Parkway Mountain View CA 94043 US
dns-admin@google.com +1.6506234000 Fax- +1.6506188571
Technical Contact, Zone Contact:
DNS Admin (NIC-1340144) Google Inc.
2400 E. Bayshore Pkwy Mountain View CA 94043 US
dns-admin@google.com +1.6503300100 Fax- +1.6506181499

Created on..............: 1997-Sep-15.
Expires on..............: 2011-Sep-14.
Record last updated on..: 2006-May-17 11:10:55.

Domain servers in listed order:
NS3.GOOGLE.COM
NS4.GOOGLE.COM
NS1.GOOGLE.COM
NS2.GOOGLE.COM

MarkMonitor.com - The Leader in Corporate Domain Management
----------------------------------------------------------
For Global Domain Consolidation, Research & Intelligence,
and Enterprise DNS, go to: www.markmonitor.com
----------------------------------------------------------

Retrieving DNS records for google.com...
DNS servers
ns4.google.com [216.239.38.10]
ns3.google.com [216.239.36.10]
ns2.google.com [216.239.34.10]
ns1.google.com [216.239.32.10]

Answer records
google.com 1 A 72.14.207.99 300s
google.com 1 A 64.233.187.99 300s
google.com 1 A 64.233.167.99 300s
google.com 1 TXT v=spf1 ptr ?all 300s
google.com 1 MX
preference: 10
exchange: smtp1.google.com
3600s
google.com 1 MX
preference: 10
exchange: smtp2.google.com
3600s
google.com 1 MX
preference: 10
exchange: smtp3.google.com
3600s
google.com 1 MX
preference: 10
exchange: smtp4.google.com
3600s
google.com 1 NS ns1.google.com 345600s
google.com 1 NS ns2.google.com 345600s
google.com 1 NS ns3.google.com 345600s
google.com 1 NS ns4.google.com 345600s
google.com 1 SOA
server: ns1.google.com
email: dns-admin@google.com
serial: 2006071803
refresh: 7200
retry: 1800
expire: 1038800
minimum ttl: 60
86400s

Authority records
google.com 1 NS ns1.google.com 345600s
google.com 1 NS ns2.google.com 345600s
google.com 1 NS ns3.google.com 345600s
google.com 1 NS ns4.google.com 345600s

Additional records
smtp1.google.com 1 A 216.239.57.25 600s
smtp2.google.com 1 A 64.233.167.25 600s
smtp3.google.com 1 A 64.233.183.25 600s
smtp4.google.com 1 A 66.102.9.25 600s
ns1.google.com 1 A 216.239.32.10 345600s
ns2.google.com 1 A 216.239.34.10 345600s
ns3.google.com 1 A 216.239.36.10 345600s
ns4.google.com 1 A 216.239.38.10 345600s

Network IP address lookup:

Xwhois query for 64.233.167.99...
Results returned from whois.arin.net:
OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US

NetRange: 64.233.160.0 - 64.233.191.255
CIDR: 64.233.160.0/19
NetName: GOOGLE
NetHandle: NET-64-233-160-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
Comment:
RegDate: 2003-08-18
Updated: 2004-03-05

RTechHandle: ZG39-ARIN
RTechName: Google Inc.
RTechPhone: +1-650-318-0200
RTechEmail: arin-contact@google.com
OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc.
OrgTechPhone: +1-650-318-0200
OrgTechEmail: arin-contact@google.com

# ARIN WHOIS database, last updated 2006-07-18 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database

http://geektools.com

; <<>> DiG 8.2 <<>> @ google.com ANY
; Bad server: -- using default server and timer opts
; (3 servers found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 0
;; QUERY SECTION:
;; google.com, type = ANY, class = IN

;; ANSWER SECTION:
google.com. 3d13h49m20s IN NS ns4.google.com.
google.com. 3d13h49m20s IN NS ns1.google.com.
google.com. 3d13h49m20s IN NS ns2.google.com.
google.com. 3d13h49m20s IN NS ns3.google.com.

;; AUTHORITY SECTION:
google.com. 3d13h49m20s IN NS ns4.google.com.
google.com. 3d13h49m20s IN NS ns1.google.com.
google.com. 3d13h49m20s IN NS ns2.google.com.
google.com. 3d13h49m20s IN NS ns3.google.com.

;; Total query time: 0 msec
;; FROM: gp.centergate.com to SERVER: default -- 204.74.68.5
;; WHEN: Wed Jul 19 04:26:09 2006

;; MSG SIZE sent: 28 rcvd: 15
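The same record gathering can be scripted from the command line. The script below is an added example, not part of the original post or of either web service: it pulls the record types the tools above report with dig and whois, and adds a check a reviewer wants on the TXT record, namely how permissive the SPF policy is (the google.com record above, "v=spf1 ptr ?all", ends in a neutral qualifier and uses the discouraged ptr mechanism). It assumes dig and whois are on PATH and takes the domain as its first argument. Note that the geektools ANY query above was answered by a recursive resolver (the "@ google.com" argument was rejected as a bad server), so it returned only what that resolver had cached; the script queries an authoritative server instead.

```shell
#!/bin/sh
# Added example (not from the original post): gather the record types the
# web tools above report, from the command line, and assess the SPF policy
# found in the TXT record. Assumed: dig and whois on PATH; domain = $1.

# Query an authoritative server directly. A recursive resolver (which is
# what the geektools ANY query above hit) answers only from its cache, so
# its output can be incomplete.
dns_footprint() {
    domain="$1"
    ns=$(dig +short "$domain" NS | head -n 1)
    if [ -z "$ns" ]; then
        echo "no NS record found for $domain" >&2
        return 1
    fi
    echo "== authoritative server used: $ns =="
    for type in A NS MX SOA TXT; do
        echo "== $type =="
        dig +short "@$ns" "$domain" "$type"
    done
    echo "== registrant (whois) =="
    whois "$domain"
    echo "== network block for each A record =="
    for ip in $(dig +short "@$ns" "$domain" A); do
        echo "-- $ip"
        whois "$ip" | grep -E '^(NetRange|CIDR|NetName|OrgName|inetnum|netname|descr):'
    done
}

# Classify an SPF record by its terminal "all" qualifier. "-all" tells
# receivers to reject mail from unlisted hosts, "~all" asks for a softfail,
# "?all" (neutral) and "+all" (pass everything) give receivers nothing to
# act on. Anything not starting with "v=spf1" is not an SPF record.
spf_policy() {
    record="$1"
    case "$record" in
        "v=spf1"*) ;;
        *) echo NOT_SPF; return 0 ;;
    esac
    case "$record" in
        *" -all"*) echo FAIL ;;
        *" ~all"*) echo SOFTFAIL ;;
        *" ?all"*) echo NEUTRAL ;;
        *" +all"*|*" all"*) echo PASS_ALL ;;
        *) echo NO_ALL ;;
    esac
}

# The ptr mechanism needs a reverse lookup plus a forward lookup for every
# message and the SPF specification discourages it; flag it for the report.
spf_uses_ptr() {
    case " $1 " in
        *" ptr "*|*" ptr:"*|*" +ptr "*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ $# -ge 1 ]; then
    dns_footprint "$1"
    echo "== SPF assessment =="
    dig +short "$1" TXT | tr -d '"' | while read -r record; do
        case "$record" in
            "v=spf1"*)
                printf '%s -> %s' "$record" "$(spf_policy "$record")"
                if spf_uses_ptr "$record"; then printf ' (uses ptr)'; fi
                echo ;;
        esac
    done
fi
```

Run as `sh dns_footprint.sh google.com`. The SPF functions operate on a record string, so they can also be pointed at a record copied out of a scanner report without any network access.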

Friday, July 14, 2006

OpenSSL – cipher strength

A vulnerability scanner may report that the target website supports weak or NULL (no-encryption) cipher suites.

Vulnerability scanner   Scanner check information
---------------------   -----------------------------------------------------
Nessus                  Plugin 10863 "SSL ciphers"
                        Plugin 21643 "Supported SSL Ciphers Suites", which may
                        report "The remote service supports the use of weak SSL
                        ciphers" and "Solution : Reconfigure the affected
                        application if possible to avoid use of weak ciphers"


OpenSSL can be used to confirm by hand which cipher strengths a website is configured to accept. The -cipher option of s_client restricts what the client offers in its ClientHello; the server then either picks one of the offered suites or fails the handshake, so a completed handshake proves the server accepts at least one suite in that category. In the examples below I have used only a few of the cipher categories available, to show the different responses. Which suites a name such as LOW or MEDIUM covers depends on the OpenSSL build you test with (openssl ciphers -v LOW lists them), so record the version you used.


Testing connections with Null ciphers

When a NULL cipher suite is used there is no encryption: the records still carry a MAC, so tampering is detectable, but the messages go over the wire in plain text.

The examples below show that neither www.google.com nor www.natwest.com completes a handshake when only NULL suites are offered.


$> openssl s_client -connect www.google.com:443 -cipher NULL
CONNECTED(00000003)
3716:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
$>

$> openssl s_client -connect www.natwest.com:443 -cipher NULL
CONNECTED(00000003)
4088:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
$>


Testing support of LOW encryption (up to 64 bit) ciphers

These examples show that www.google.com does accept a LOW suite (the handshake completes and the certificate chain is printed), but www.natwest.com does not. Note that the natwest error is "unknown cipher returned" rather than a handshake-failure alert: the server answered with a cipher suite identifier that OpenSSL did not recognise, so it is responding with something outside the offered list rather than simply refusing. Either way no LOW suite was negotiated, but the difference is worth recording in a report.


$> openssl s_client -connect www.google.com:443 -cipher LOW

CONNECTED(00000003)

depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
[..snip..]


$> openssl s_client -connect www.natwest.com:443 -cipher LOW


CONNECTED(00000003)

1412:error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned:s3_clnt.c:728:

$>


Testing support of MEDIUM encryption (128 bit) ciphers

Here you can see that both sites support medium strength ciphers.


$> openssl s_client -connect www.google.com:443 -cipher MEDIUM


CONNECTED(00000003)

depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
[..snip..]


$> openssl s_client -connect www.natwest.com:443 -cipher MEDIUM


CONNECTED(00000003)

depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CP
S Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=GB/ST=Lothian/L=Edinburgh/O=Royal Bank of Scotland Group/OU=E-Services/OU=Terms of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust Network/CN=www.natwest.com
i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
[..snip..]


Testing support of HIGH encryption (greater than 128 bit) ciphers

As expected, both sites also complete a handshake when only suites of greater than 128 bits are offered.


$> openssl s_client -connect www.google.com:443 -cipher HIGH


CONNECTED(00000003)

depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
[..snip..]


$> openssl s_client -connect www.natwest.com:443 -cipher HIGH


CONNECTED(00000003)

depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CP
S Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=GB/ST=Lothian/L=Edinburgh/O=Royal Bank of Scotland Group/OU=E-Services/OU=Terms of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust Network/CN=www.natwest.com
[..snip..]
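Testing a whole category per connection, as above, only tells you that at least one suite in the category was accepted. The script below is an added example, not code from the original post: it expands a category into its individual suites with "openssl ciphers", tries each suite on its own against the host, and classifies the outcome using the same error strings seen in the transcripts above, so the report names the exact suites the server accepts. It assumes openssl is on PATH and takes the host and port as its first two arguments.

```shell
#!/bin/sh
# Added example (not from the original post): test each suite of a cipher
# category separately instead of the category as a whole. Assumed: openssl
# on PATH; host = $1, port = $2.

# Classify a saved s_client transcript. ACCEPTED: a handshake completed with
# an offered suite. REJECTED: the server refused (alert / handshake failure,
# as www.google.com did for NULL). UNRECOGNISED: the server answered with a
# suite identifier OpenSSL could not match, the "unknown cipher returned"
# seen from www.natwest.com for LOW above.
classify_transcript() {
    case "$1" in
        *"unknown cipher returned"*) echo UNRECOGNISED ;;
        *"Cipher is (NONE)"*|*"handshake failure"*|*"alert "*) echo REJECTED ;;
        *"Cipher is "*) echo ACCEPTED ;;
        *) echo UNKNOWN ;;
    esac
}

# Name of the suite actually negotiated, from the "New, ..., Cipher is ..."
# line that s_client prints after the handshake.
negotiated_suite() {
    printf '%s\n' "$1" | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1
}

# Try one suite; stdin is closed so s_client exits right after the handshake.
try_suite() {
    host="$1"; port="$2"; suite="$3"
    out=$(openssl s_client -connect "$host:$port" -cipher "$suite" </dev/null 2>&1)
    verdict=$(classify_transcript "$out")
    if [ "$verdict" = ACCEPTED ]; then
        printf '%-28s ACCEPTED (%s)\n' "$suite" "$(negotiated_suite "$out")"
    else
        printf '%-28s %s\n' "$suite" "$verdict"
    fi
}

# Expand a category (NULL, EXPORT, LOW, MEDIUM, HIGH, or any expression the
# ciphers(1) page accepts) into suites and test each one. Membership depends
# on the OpenSSL build doing the testing, so the expansion is taken from the
# local binary rather than assumed.
scan_category() {
    host="$1"; port="$2"; category="$3"
    echo "== $category =="
    openssl ciphers "$category" 2>/dev/null | tr ':' '\n' | while read -r suite; do
        if [ -n "$suite" ]; then try_suite "$host" "$port" "$suite"; fi
    done
}

if [ $# -ge 2 ]; then
    for category in NULL EXPORT LOW MEDIUM HIGH; do
        scan_category "$1" "$2" "$category"
    done
fi
```

Run as `sh cipher_scan.sh www.example.com 443`. A category that the local OpenSSL build does not know (for example NULL on a build with those suites compiled out) simply produces an empty section, which is itself worth noting in the write-up.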


For further information, you may want to refer to the OpenSSL ciphers manual page:

http://www.openssl.org/docs/apps/ciphers.html

Tuesday, July 11, 2006

Using OpenSSL

The OpenSSL command-line utility is very useful for testing various aspects of connecting to a website that uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.

From a security testing perspective, I use OpenSSL in the following ways:

* Information Gathering

Checking connectivity to an encrypted site; viewing the information in the certificate; confirming which cipher strengths the server lets client browsers use when communicating with it; etc.

* Target Identification

Mostly this step is left to automated tools like nmap, but connecting to ports that are running SSL (or TLS) services (not only TCP port 443, but many others) can help confirm that a particular system should be included as a target of the test.

* Service Enumeration

Again mostly left to nmap and similar tools, but being able to confirm that a service listening on a target is speaking SSL/TLS helps narrow the focus of the testing performed against it.

* Manual Testing

Being able to perform (or re-perform) by hand the exchanges that normally happen automatically between a web browser and a web server has become one of the cornerstones of every Web Application Vulnerability Assessment I have performed.

* Automated Testing

Generally I use manual testing to validate the key results identified by automated tools, e.g. vulnerability scanners like Nessus, ISS, Retina, WebInspect and AppScan, with the primary aim of eliminating false-positive results.

OpenSSL is available for many platforms. I use the OpenSSL package that comes with Cygwin on my Microsoft Windows machines.

For information about command line switches and options available with openssl, refer to: http://dev.openssl.org/docs

When connecting to a web server there are two HTTP protocol versions in common use: HTTP/1.0 and HTTP/1.1. For a quick manual request HTTP/1.0 is the simpler choice, since HTTP/1.1 requires a Host header and keeps the connection open afterwards unless you send "Connection: close".

The basic command needed to connect to a website so that you can interact with it as though you were a web browser is:
openssl s_client -connect web.site.address:port

== Example 1 Start ==
Example connection to a site, requesting the default document at the root path:
-- Step 1: Establish the connection by typing "openssl s_client -connect www.google.com:443" at the command prompt and pressing [Enter]
-- Step 2: Once the handshake output ends, type the request line "GET / HTTP/1.0" and press [Enter] twice (the empty line terminates the request)

$ openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[..snip..]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 1777 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 565454E28BCFC41C7704F9E67AD0A0AA70A36995464AE1D1A2C1450F218F27B7
Session-ID-ctx:
Master-Key: 9579BF349BA3A4DFE3EF0E72E63DC3DF5303E33643FC4DC37D378ADBABCEFD57EA440EFCEFA39A7E81695DF2A717E999
Key-Arg : None
Start Time: 1152582311
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
GET / HTTP/1.0


HTTP/1.0 302 Found
Location: http://www.google.com
Date: Tue, 11 Jul 2006 01:45:16 GMT
Content-Type: text/html
Server: GFE/1.3
Connection: Close
Content-Length: 218


<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com">here</A>.
</BODY></HTML>
read:errno=0

== Example 1 End ==
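The exchange in Example 1 is easy to script once you know the two things that trip people up: the request must end with an empty line, and s_client closes the connection when its stdin hits end-of-file unless told otherwise. The script below is an added example and not code from the original post. It builds the request in either HTTP/1.0 or HTTP/1.1 form (the latter with the Host header it requires and "Connection: close" so the server does not hold the connection open), pipes it through s_client, and parses the status line and headers out of the response. It assumes openssl is on PATH and takes host and port as its first two arguments, with an optional path and HTTP version as the third and fourth.

```shell
#!/bin/sh
# Added example (not from the original post): script the "connect, then type
# GET / HTTP/1.0" exchange of Example 1. Assumed: openssl on PATH; host = $1,
# port = $2, optional path = $3 (default /), optional version = $4 (default 1.0).

# Build the request bytes. HTTP/1.0 needs only the request line plus a blank
# line; HTTP/1.1 requires Host:, and Connection: close makes the server end
# the connection instead of waiting for another request.
build_request() {
    host="$1"; path="$2"; version="$3"
    case "$version" in
        1.0) printf 'GET %s HTTP/1.0\r\n\r\n' "$path" ;;
        1.1) printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" ;;
        *)   echo "unsupported HTTP version: $version" >&2; return 1 ;;
    esac
}

# Send the request through s_client. -quiet drops the certificate and session
# dump so only the response comes back, and it implies -ign_eof, which stops
# s_client closing the connection when stdin reaches EOF before the server
# has answered. Stderr (the verify messages) is discarded.
https_get() {
    host="$1"; port="$2"; path="$3"; version="$4"
    build_request "$host" "$path" "$version" |
        openssl s_client -quiet -connect "$host:$port" 2>/dev/null
}

# Three-digit status code from the first response line.
status_code() {
    printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*$/\1/p'
}

# Value of one header (name matched case-insensitively), looked up only in
# the header block, i.e. up to the first empty line.
header_value() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="$want" '
        NR > 1 && $0 == "" { exit }
        NR > 1 {
            split($0, kv, ":")
            if (tolower(kv[1]) == want) { sub(/^[^:]*:[ \t]*/, ""); print; exit }
        }'
}

if [ $# -ge 2 ]; then
    response=$(https_get "$1" "$2" "${3:-/}" "${4:-1.0}")
    echo "status:   $(status_code "$response")"
    echo "server:   $(header_value "$response" Server)"
    echo "location: $(header_value "$response" Location)"
fi
```

Run as `sh https_get.sh www.example.com 443 / 1.1`. Against the google.com response shown in Example 1 the parser yields status 302, server GFE/1.3 and the Location header, which is the kind of banner and redirect information worth capturing for every SSL/TLS port found during enumeration.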

P.S. I see there is a new project that is being worked on, which will be interesting to watch: OpenTLS.org