340 likes | 495 Views
ENSDV. Enhance Network Scanning for Discovering Vulnerabilities Master Thesis by Raymond Cordova. Introduction. Emerging Technology Early-to-market technologies ideal targets for attack Vulnerabilities with wireless and Internet Protocol
E N D
ENSDV Enhance Network Scanning for Discovering Vulnerabilities Master Thesis by Raymond Cordova
Introduction • Emerging Technology • Early-to-market technologies ideal targets for attack • Vulnerabilities with wireless and Internet Protocol • Tenable Nessus scanner - de-facto industry scanner • [Nessus Network Vulnerability Scanner 2010] • Design and Implementation of an Enhanced Network Scanner • Performance Analysis of ENSDV • Lessons Learnt and Future Directions • Conclusion ENSDV / Cordova
Emerging Technology • NIST 800-82 Guide to Industrial Control Systems Security (ICS) [Stoufer 2009] • Emerging Technology integrates wireless and Internet with ICS infrastructure • Integration introduces all the vulnerabilities and problems of Wireless and the Internet Protocol into ICS [Journal of Energy Security, 2009] [Weiss, 2009] • Manual vulnerability discovery impossible ENSDV / Cordova
Vulnerabilities • Common Vulnerability Exploits (CVE) • [list of vulnerabilities and security exposures information 2010] • Several production meters identified as vulnerable • [Journal of Energy Security 2009] • $8.1 billion stimulus to secure the Smart Grid • [Smart Grid Stimulus Funding Revealed 2009] • many vulnerabilities ignored • TI’s encryption bug in CC2430 u-controller • PRNG predictable • Regulation, Management and Guidelines • reduces the risk to Smart Grids ENSDV / Cordova
Industrial Control Systems Adapted from Juniper Network White Paper on ICS 2009 ENSDV / Cordova
Secure the Smart Grid Smart Meter Implementation Percentages by Country [Adapted from Global Smart Energy 2009] ENSDV / Cordova
Nessus Vulnerability Scanner • Centralized automatic scanning tool for most Operating Systems • Vulnerability scanning and Compliance checking • local or remote • Server/Client with GUI or CLI • Nessus Knowledgebase • share and use script results in other scans • Script Methodology -> write custom script • execute only if necessary • use other script results by use of dependency statements • share by saving to KB, upload report results, plug-ins • Plug-in is written and scans for only one vulnerability at a time ENSDV / Cordova
Nessus Vulnerability Scanner, cont’d • Nessus automatic scanning solution approved by NERC CIP for use with SCADA, AMI/AMR [NERC CIP Approval, 2010] • Vulnerability scanning relies on signatures of “known bad things” • Compliance checks compare a system against the “known good” • Flexible, reliable, robust, open source, customizable, automatic, GUI, CLI, option for safe checks/scans and still it is inadequate • cannot detect 0-day vulnerabilities or unique compliance • Customize plug-ins to enhance operation • detect 0-day vulnerabilities and non-compliance ENSDV / Cordova
Methodology for Vulnerability Scanning • Select the target and develop a baseline “gold” standard • Perform baseline scan and patch as necessary • Develop an enhanced plug-in for any newly indentified vulnerability and compliance check • Test plug-ins on prototype, lab, or test equipment • Compare baseline and subsequent scans • Repeat process at scheduled intervals per policy ENSDV / Cordova
Prototype Layout ENSDV / Cordova
Vulnerability Script Structure Header Section include scripts to be used with nessusd “compat.inc” Description Section register information “script_name(english:" iepeers.dll 0-day vulnerability …“ Attack Section Script code functions port = get_kb_item("Services/ssh"); if(!port)port = 22; ENSDV / Cordova
iepeers_dll_0day.nasl Code excerpts . . . include("compat.inc"); if (description) { script_id(50003); . . . script_name(english:" iepeers.dll 0-day vulnerability in Internet Explorer versions 6 or 7 "); script_summary(english:"Checks Internet Explorer version for 0-day free-after-use vulnerability."); . . . script_set_attribute(attribute:"risk_factor", value: "Medium"); . . . script_family(english:"Windows"); . . . script_dependencies("smb_hotfixes.nasl"); . . . script_require_ports(139, 445); . . . if ( int(v[0]) > 5 && int(v[0]) < 8 ) . . . } Header Description Attack Script ENSDV / Cordova
Nessus Vulnerability Enhanced Scan Result,cont’d Recommended Solution ENSDV / Cordova
Audit File Script Structure Check Type Section Define type of check and plugin version <check_type: “Unix”> … </check_type> Custom Item Section Custom script contents <custom_item> type:FILE_CONTENT_CHECK … expect:"PermitRootLogin no" </custom_item> ENSDV / Cordova
FC12 Audit File Script Check Type • <check_type:"Unix> • <custom_item> • type:FILE_CONTENT_CHECK • description:"Check if PermitRootLogin is set to no and not commented for server." • file:"/etc/ssh/sshd_config" • regex:"^ *[^#]*PermitRootLogin *" • expect:"PermitRootLogin no" • </custom_item> • </check_type> Custom Item Closing Tags ENSDV / Cordova
Enhanced Nessus Audit Scan Result, cont’d ENSDV / Cordova
Non-Credential Scan Results of ISSG lab subnets 60 and 62 6 out of 31 High Risk Problems Found ENSDV / Cordova
Credential Scan Results of ISSG lab subnets 60 and 62 19 out of 34 High Risk Problems Found 3 machines powered on since last scan ENSDV / Cordova
Target Machines Specifications • Athena - PowerEdge 2410 • 4GB RAM, L1 I 16K, L1 D 16K, L2 512K • Dual Pentium III CPU 1.3 GHz • Linux version 2.6.26.8-57 fc8 Fedora release 8 (Werewolf) Fedora 8 • 7.2K rpm HDD • Blanca - Precision 670 • 4GB RAM, L2 2M • Quad Xeon Irwindale CPU, 3.6 GHz • Linux version 2.6.18-128.1.10.e15 CentOS release 5.3 • 7.2K rpm HDD • Gandalf – Dell Optiplex 960 • 8 GB RAM, , L1 I 32K, L1 D 32K, L2 6144K • Quad core Q9550 CPU, 2.83 GHZ • Linux version 2.6.32.9-67.fc12.x86_64 Fedora 12 • 7.2K rpm HDD • Viva - Optiplex GX 620, • 4 GB RAM, L1 D 16K, L2 1MB • Dual W9446 Processor Pentium D Smithfield for Desktops, 3.2 GHz • 2.6.30.10-105.2.23.fc11.i686.PAE (Leonidas) Fedora 11 • 7.2K rpm HDD ENSDV / Cordova
Scanned Target Machines Service Ports [rcordova@athena ~]$ nmapathena Interesting ports on localhost.localdomain (127.0.0.1): Not shown: 1707 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 111/tcp open rpcbind 443/tcp open https 631/tcp open ipp 3306/tcp open mysql Nmap done: 1 IP address (1 host up) scanned in 0.216 seconds [rcordova@blanca ~]$ nmapblanca Interesting ports on blanca.uccs.edu (128.198.162.60): Not shown: 1667 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 111/tcp open rpcbind 443/tcp open https 714/tcp open unknown 913/tcp open unknown 979/tcp open unknown 3306/tcp open mysql 5801/tcp open vnc-http-1 5901/tcp open vnc-1 6001/tcp open X11:1 8443/tcp open https-alt Nmap finished: 1 IP address (1 host up) scanned in 0.182 seconds [rcordova@athena ~]$ nmapgandalf Interesting ports on gandalf.csnet.uccs.edu (128.198.60.194): Not shown: 1707 closed ports PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 80/tcp open http 111/tcp open rpcbind 443/tcp open https 902/tcp open iss-realsecure-sensor 8009/tcp open ajp13 Nmap done: 1 IP address (1 host up) scanned in 0.216 seconds [rcordova@viva ~]$ nmapviva Nmap scan report for viva (128.198.60.192) Host is up (0.0011s latency). rDNS record for 128.198.60.192: viva.csnet.uccs.edu Not shown: 992 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 443/tcp open https 5901/tcp open vnc-1 5902/tcp open vnc-2 6001/tcp open X11:1 6002/tcp open X11:2 Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds 7 Services 7 Services 13 Services 8 Services ENSDV / Cordova
Performance Results ENSDV / Cordova Non-Credential Scan Credential Scan
Lessons Learned • Inaccessible SCADA systems – focus on Servers/Workstations • that control ICS, Smart Grids, LANs, WANs, Enterprise Systems • Attempted to procure meters and collection points • Cost prohibitive, proprietary constraints, minimal support • Nessus Scanner de-facto standard • inadequate – cannot detect all problems or unique issues • Nessus Attack Script Language • (NASL) [Deraison NASL and Compliance Check Manual] • new attack and audit language to learn • Credential scans take longer but are more comprehensive ENSDV / Cordova
Lessons Learned, cont’d • Full functionality disabled in trial versions of HomeFeed • “buggy” when creating plug-ins, display, results • No Access to Nessus ProFeed SCADA plug-ins • Requested ProFeed from Nessus for experiments • Consideration shifted to sharing plug-ins, reports, KB with Nessus community users for greater contribution • SCADA plug-ins pre-compiled as .nbin binary files • unreadable vendor specific compliance checks ENSDV / Cordova
Lessons Learned, cont’d • Create VM environment – VM Server incompatible • Fedora 12 – patched, telnet enabled • XP un-patched • Create custom plug-ins - unforgiving syntax, trial and error • 0-day vulnerability plug-in • [0-day info at cve.mitre.org and secunia.com 2010] • 3 audit scripts • NASL is specific to attack scripts only • NASL is not Perl, C+, JAVA, etc. ENSDV / Cordova
Future Work • Continue meaningful research in a lab setup of TI’s MPS2530 development kit controllers with Nessus • Research compiler and interpreter for .nbinscript development for Smart Grid applications • Audit file and C+ integration for automatic update • Create custom plug-ins to check the ZigBee stack • Pseudo Random Number Generator (PRNG) • versions earlier than 2.3 exhibit this vulnerability • Extend audit files for OS specific registry keys and files • System alert if plug-in is removed from directory ENSDV / Cordova
Conclusion • Provided a survey of emerging technology on Smart Grid and related vulnerabilities and compliance checks • Developed methodology to enhance network scans • Unique - requires in-depth research of target network to identify problems and compliance • Created plug-ins to enhance the network scanner • Uploaded plug-in, reports, KB to share with Nessus community • Applied scans to ISSG lab for performance and reports • Detected many “bugs” in a mix of hardware and OS’s • BO’s, Remote Root Login, Telnet and SSH • Recommend methodology to patch and maintain ENSDV / Cordova
Conclusion, cont’d • Suggested a Reference Manual appendix to include “Additional Information” on DB rebuild, V2, plug-in cache, templates, reports • Suggestion to Renaud Deraison at Tenable to provide a debugger for NASL scripting creation • Nessus Scanner can be enhanced to provide a more comprehensive scan result for vulnerability and compliance checking • Paper to be submitted to SNDS 2011 Conference ENSDV / Cordova
References [1] Common Vulnerabilities and Exposures (CVE) http://www-arc.com/sara/cve/cve.html [2] Deraison, Renaud, Reference Manual for Nessus Attack Scripting Language, Version 1.4.0, Manual at website at http://www.virtualblueness.net/nasl.html [3] Global Smart Energy White Paper at Website :http://www.smartgridnews.com/artman/uploads/1/Berst_NGA_Feb_2009. [4] Information on 0-day vulnerability discovered in the wild March 2010. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806 [5] Information on 0-day vulnerability discovered in the wild March 2010. http://secunia.com/advisories/cve_reference/CVE-2010-0806/ [6] Journal of Energy Security, Making a Secure Smart Grid a Reality, Sub-paragraph, Weaknesses in the Smart Grid, p. 3-7, October 2009. http://www.ensec.org/index.php?option= com_content&view=article&id= 218:making-a-secure-smart-grid-a-reality&catid=100:issuecontent&Itemid=352 [7] NERC approval of Nessus Scanner http://www.nessus.org/solutions/index.php?view=nerc [8] Smart Grid Stimulus Funding Revealed!, p.3, October 2009. http://earth2tech.com/2009/10/27/smart-grid-stimulus-funding-revealed/ [9] Stouffer,Keith and Falco, Joe and Scarfone, Karen Final Public Draft, Special Publication 800-82, Recommendations of the National Institute of Standards and Technology, Guide to Industrial Control Systems (ICS) Security http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf [10] Weiss, Joseph, “Current Status of Cyber Security of Control Systems”, Testimony of Joseph M. Weiss Control Systems Cyber Security Expert before the Committee on Commerce, Science, and Transportation U.S. Senate March 19, 2009 ENSDV / Cordova
Questions ? ? ENSDV / Cordova
Information on 0-day Vulnerability Original Page at CVE MITRE:CVE-2010-0806Description:Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010, aka "Uninitialized Memory Corruption Vulnerability." CVE Status:Candidate ENSDV / Cordova
Information on 0-day Vulnerabilities, cont’d http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx ENSDV / Cordova
Information on 0-day Vulnerabilities, cont’d http://secunia.com/advisories/graph/?type=imp&period=2010&prod=21625 ENSDV / Cordova
1. It was difficult to decide what vulnerability plug-in to develop. It was time consuming to determine if a plug-in could detect a 0-day vulnerability in the conventional sense that a particular malware signature could be detected such as those of virus pattern detection schemes. www.secunia.org provided the needed information to proceed with the detection algorithm.2. The scanner uses “version 2” plugins with backward compatibility for earlier versions of the scanner. An error occurred when using the “version 2” syntax with Unix scans but worked with Windows. Limited support to discussion forums did not reveal much except to append v2 to the file name and check_ type tag. I had no credentials at the time to login to Tenable’s knowledgebase. Using the only resource I had, an email correspondence to the NASL author at Tenable confirmed the syntax bug error in Unix and omit the “version 2” syntax. This was difficult to diagnose and time consuming to the Unix plugin ID 21157 did not require the V2 syntax. An updated reference manual provided by Renaud Deraison contained the needed information. The manual could only be accessed by exclusive subscription feed users.3. It was challenging to recommend the best development kit with the most flexibility and options. Research shows that many directions are possible, each with cost, recurring cost, options, and functionality. I found TI has a “try before you buy” and “free sample” options that help the developers make better decisions. The MPS2530 development kit offers compliant Z-Stack ZigBee, ZigBee PRO, and the Smart Energy and Home Automation application profiles. It was not an easy task to exhaust the resources to decide scanning the SCADA is not an option. It was a challenge to ensure the development kit would provide the functionality necessary for meaningful research. ENSDV / Cordova
Non-Trivial Problems The non-trivial problems I encountered were;1. When I extensively researched to find a way to test the Smart Grid to find out is inaccessible to network scanning. I thought that surely I could find a test-bed but eventually found that utility companies, vendors, and SCADA contactors are very reluctant to provide any information. Ultimately, no SCADA scanning could be done. 2. It took a long time to figure out if it was the programming in the NASL syntax or the HomeFeed version was causing the problems with the first version of the plugin.. The iepeers 0-day plugin used with the version of HomeFeed is unforgiving and buggy with the creation of custom scripts. The HomeFeed version intermittently updated the changes made in the custom script, even when going through the manual CLI update and DB rebuild process. Resulting scans were not consistent and I wasn’t sure if it was the plugin, my methodology, or the scanner. It was not till I requested the full version ProFeed that full functionality and stability was exhibited in the scanner with custom plugins. ENSDV / Cordova