Mailing List Archive

Plugins to check deviation of standard (RFC) compliance
Just recently I attended a conference regarding NIDS issues and one of the
things they pointed out is that most NIDS are unable to detect deviation
from the RFC standards when accessing a service. Sample: using "HELLO /
HTTP/1.0" as an HTTP request (since valid methods do not include HELLO). The
report [1] has been made public and, since I wrote an article recently for a
Spanish information-security magazine talking about the issues around NIDS,
I am quite interested now in this issue.

Also, in the pen-test mailing list SnakeByte / Eric Sesterhenn
[snakebyte@gmx.de] has announced a tool that tries to do this for FTP (
www.kryptocrew.de/snakebyte/bed.html ).

Is anyone working on a similar tool for Nessus? Is there one available? It
would be quite useful to test both the server's and the IDS's implementations
out there.

Ok, some code for a simple HTTP test would be (bear with me, I have not tested
it and it's just an idea so you see what I'm talking about)


port = get_kb_item("Services/www");
if (!port) port = 80;

if (get_port_state(port))
{
  # Try every four-letter upper-case token as the request method
  for (i = 0; i <= 25; i = i + 1) {
    for (j = 0; j <= 25; j = j + 1) {
      for (k = 0; k <= 25; k = k + 1) {
        for (l = 0; l <= 25; l = l + 1) {
          # HTTP/1.0 servers close the connection after each response,
          # so open a fresh socket per request instead of reusing one
          soctcp80 = open_sock_tcp(port);
          if (!soctcp80) exit(0);

          method = raw_string(65 + i, 65 + j, 65 + k, 65 + l);
          data = string(method, " / HTTP/1.0\r\n\r\n");
          send(socket:soctcp80, data:data);
          status = recv_line(socket:soctcp80, length:1024);
          close(soctcp80);

          # A compliant server rejects an unknown method with a 4xx/5xx
          # status line (RFC 1945: 501 Not Implemented); report anything else
          if (!ereg(pattern:"^HTTP/1\.[01] [45][0-9][0-9]", string:status))
            security_warning(port:port,
              data:string("Unexpected reply to method ", method, ": ", status));
        }
      }
    }
  }
}

Best regards

Javi
[1] Available here http://www.criptored.upm.es/guiateoria/gt_m292a.htm (only
in Spanish though)
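As an added example, not code from the post or from Nessus, here is the pair of checks the thread is about written in Python: the NIDS-side rule that flags any request line whose method is not one defined by RFC 1945/2616, and the "is it a proper HTTP error response" test that the plugin sketch above leaves open. The sample request/response pairs are constructed for the demonstration.

```python
import re

# Request methods defined by RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1)
RFC_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Request-Line = Method SP Request-URI SP HTTP-Version CRLF; the method
# class approximates the RFC "token" production (no separators/controls)
REQUEST_LINE = re.compile(
    r"^(?P<method>[!#$%&'*+\-.^_`|~0-9A-Za-z]+) (?P<uri>\S+) HTTP/(?P<ver>\d\.\d)\r\n$")
# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
STATUS_LINE = re.compile(r"^HTTP/(?P<ver>\d\.\d) (?P<code>\d{3}) (?P<reason>[^\r\n]*)\r\n")

def check_request_line(line):
    """NIDS-side check: 'ok' only if the line is grammatical and the
    method is one the RFCs define, otherwise a short reason string."""
    m = REQUEST_LINE.match(line)
    if not m:
        return "malformed request-line"
    if m.group("method") not in RFC_METHODS:
        return "unknown method " + m.group("method")
    if m.group("ver") not in ("1.0", "1.1"):
        return "unsupported version HTTP/" + m.group("ver")
    return "ok"

def is_proper_error_response(response):
    """Server-side check from the post: did the server answer the bogus
    method with a well-formed status line carrying a 4xx/5xx code
    (RFC 1945 prescribes 501 Not Implemented for an unknown method)?"""
    m = STATUS_LINE.match(response)
    return bool(m) and m.group("code")[0] in "45"

def audit(pairs):
    """pairs: (request_line, raw_server_response) tuples, as the plugin
    would collect them; returns (request_verdict, server_ok) per pair."""
    return [(check_request_line(req), is_proper_error_response(resp))
            for req, resp in pairs]

# Constructed sample traffic: the "HELLO" case from the post, a normal GET,
# a server that ignores the method and serves a page, and a truncated line
SAMPLE = [
    ("HELLO / HTTP/1.0\r\n", "HTTP/1.0 501 Not Implemented\r\n\r\n"),
    ("GET / HTTP/1.0\r\n", "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("AAAA / HTTP/1.0\r\n", "<html>Welcome</html>\r\n"),
    ("GET /\r\n", "HTTP/1.0 400 Bad Request\r\n\r\n"),
]

if __name__ == "__main__":
    for (req, _), verdict in zip(SAMPLE, audit(SAMPLE)):
        print(repr(req), "->", verdict)
```

The third sample is the case that matters for the plugin: the server accepted a nonsense method and served content, so neither the request nor the response is RFC-conformant.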
Re: Plugins to check deviation of standard (RFC) compliance
I don't know that this is entirely practical. While I haven't checked
into what Eric is trying to do, the difference between doing something
like this for NIDS and what you/Eric propose is that with NIDS, one
has an extremely well defined thing to look for: anything outside of
the RFC is flagged. With a testing tool, you essentially have an almost
open-ended problem. First, you need to know what is allowed, and then
you need to test everything disallowed.

For example, take the HTTP protocol. Valid commands (that I recall)
are GET/HEAD/PUT/DELETE/POST. So what do you test for as valid
commands? NIDS could just flag ANYTHING that is not one of the 5
above. But to check for a web server accepting a command, you'd have
a limitless set of possibilities to pump in. Your example code gives
more than 450,000 commands it will initiate, and it will miss the
DELETE method above, not to mention numerous others.

I don't think that this is practical anywhere except for something
like a NIDS, or in a specialized tool that specifically attacks
applications looking for weaknesses, but where the attacks can be
configured into the weeks and months it will take to run the test.

Thomas

Of course, that's all just my opinion. Take it fwiw.

"Javier Fernández-Sanguino Peña" wrote:
>
> Just recently I attended a conference regarding NIDS issues and one of the
> things they pointed out is that most NIDS are unable to detect deviation
> from the RFC standards when accessing a service. Sample: using "HELLO /
> HTTP/1.0" as an HTTP request (since valid methods do not include HELLO). The
> report [1] has been made public and, since I wrote an article recently for a
> Spanish information-security magazine talking about the issues around NIDS,
> I am quite interested now in this issue.
>
> Also, in the pen-test mailing list SnakeByte / Eric Sesterhenn
> [snakebyte@gmx.de] has announced a tool that tries to do this for FTP (
> www.kryptocrew.de/snakebyte/bed.html ).
>
> Is anyone working on a similar tool for Nessus? Is there one available? It
> would be quite useful to test both the server's and the IDS's implementations
> out there.
>
> Ok, some code for a simple HTTP test would be (bear with me, I have not tested
> it and it's just an idea so you see what I'm talking about)
>
> port = get_kb_item("Services/www");
> if (!port) port = 80;
>
> if (get_port_state(port))
> {
> soctcp80 = open_sock_tcp(port);
>
> if (soctcp80)
> {
> for (i=0;i<=25;i=i+1) {
> for (j=0;j<=25;j=j+1) {
> for (k=0;k<=25;k=k+1) {
> for (l=0;l<=25;l=l+1) {
> data = string(raw_string(65+i,65+j,65+k,65+l)," / HTTP/1.0\r\n\r\n");
> resultsend = send(socket:soctcp80, data:data);
> resultrecv = http_recv_headers(soctcp80);
> (... test the response.. ¿is it a proper HTTP error response? ...)
>
> }
> }
> }
> }
>
> }
> }
>
> Best regards
>
> Javi
>
> [1] Available here http://www.criptored.upm.es/guiateoria/gt_m292a.htm (only
> in Spanish though)

--
------------------------------------------------------------
E-Soft Inc. http://www.e-softinc.com
Publishers of SecuritySpace http://www.securityspace.com
Tel: 1-905-331-2260 Fax: 1-905-331-2504
Tollfree in North America: 1-800-799-4831