 
InSecure Magazine and WindowsNetworking.com Articles
07 May,2008 | Category: Publications, Website News

I’ve been pretty busy the past few weeks. I’ve just had an article published in InSecure Magazine entitled “Using Packet Analysis for Network Troubleshooting”, which can be seen here. Also, the great folks over at TechGenix just published my article entitled “Deploying Microsoft Windows Server Update Services (WSUS)” on WindowsNetworking.com, which can be seen here.

More coming soon!

 
St. Louis Area Packet Analysis Speaking Resources
27 Apr,2008 | Category: Website News

Thanks to all of those who attended the sessions I spoke at on Packet Analysis in the St. Louis area. As promised, I have posted the PowerPoint for this presentation as well as the course files we reviewed. Please don’t hesitate to e-mail me with any questions!

Click here for the download!

 
Using ARP Cache Poisoning for Packet Analysis
13 Apr,2008 | Category: Packet Analysis, Security

Unfortunately, sniffing packets isn’t always as easy as plugging into an open port and firing up Wireshark. In fact, it is sometimes more difficult to place a packet sniffer on a network’s cabling system than it is to actually analyze the packets. In the grand ole days of packet analysis when everybody used hubs, you could plug in and sniff all of the traffic on a network segment. As most of you know by now, however, the advent of switched networks prevents this. When you plug a sniffer into a port on a switch, you can only see broadcast traffic and the traffic transmitted and received by your own machine. Because of that, we have had to come up with a few alternative techniques for getting the traffic we need.

The three most popular techniques for doing this are port mirroring, hubbing out, and ARP cache poisoning. The goal of this article is to give a brief overview of port mirroring and hubbing out, which are very commonly used, and then to give a detailed explanation of ARP cache poisoning, the least well known of the trio.

The Common Techniques

Port mirroring is probably one of the easiest ways to capture the traffic you are looking for. Also called port spanning, this is a feature available on most managed network switches. It is configured by accessing the command line or GUI management interface of the switch the target and sniffer systems are plugged into and entering commands that mirror the traffic of one port to another. For instance, to capture the traffic of a device plugged into port 3 on a switch, you could plug your sniffer into port 6 and enter a vendor-specific mirroring command that mirrors port 3 to port 6.

Hubbing out is a technique in which you localize the target device and your analyzer system on the same network segment by plugging them directly into a hub. In order to do this, all you need is an old hub and a few network cables. Simply go to the switch that the target computer is connected to and unplug it from the network. Plug the target’s network cable, along with the cable for your sniffer, into the hub, and then plug the hub into the network switch. This will put your sniffer and the target machine on the same broadcast domain and allow you to see all of the packets going to and from the target machine, as well as your own. Since this does involve a brief moment of connectivity loss, I highly recommend letting the user of the target system know that you will be briefly disrupting their connectivity, especially if it is someone in management!

Poisoning the ARP Cache

The ARP protocol was designed out of necessity to facilitate the translation of addresses between the second and third layers of the OSI model. The second layer, or data-link layer, uses MAC addresses so that hardware devices can communicate with each other directly on a small scale. The third layer, or network layer, uses IP addresses (most commonly) to create large, scalable networks that can communicate across the globe. The data-link layer deals directly with devices connected together, whereas the network layer deals with devices that are directly connected AND indirectly connected. Each layer has its own addressing scheme, and they must work together in order to make network communications happen. For this very reason, ARP was created with RFC 826, “An Ethernet Address Resolution Protocol”. I’m not going to go into detail on the whole ARP process here, but I highly recommend reading my Packet School 201 write-up on it here in order to better understand this process.

ARP cache poisoning is a more advanced form of tapping into the wire on a switched network. It is commonly used by hackers to send falsely addressed packets to client systems in order to intercept certain traffic or cause denial of service (DoS) attacks on a target, but ARP cache poisoning can still serve as a legitimate way to capture the packets of a target machine on a switched network.

ARP cache poisoning, sometimes referred to as ARP spoofing, is the process of sending ARP messages to an Ethernet switch or router with fake MAC (Layer 2) addresses in order to intercept the traffic of another computer.
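Because the technique works by overwriting cache entries, it is also easy to spot on the wire. The following is an added example (not code from the original post) of a small arpwatch-style detector run over constructed ARP reply records: it flags an IP whose MAC changes and a single MAC answering for more than one IP, which is exactly what the middleman setup described below produces. The addresses and MACs are made up for the example.

```python
"""ARP cache poisoning detector (added example, not code from the post).

Like a minimal arpwatch: remembers the first IP->MAC binding seen per IP and
alerts on the two symptoms of the poisoning described above: an IP whose MAC
changes (a cache entry being overwritten) and one MAC answering for several
IPs (the analyzer posing as both the target and its upstream router).
Benign causes exist (DHCP reassignment, replaced NIC), so verify alerts.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # IP the reply claims to resolve
    sender_mac: str    # MAC the reply binds it to


@dataclass(frozen=True)
class Alert:
    ts: float
    severity: str
    message: str


def detect_poisoning(replies, gateway_ip=None):
    """Return a list of Alert objects for the given ARP replies, in order."""
    bindings = {}                  # ip -> MAC learned first
    ips_by_mac = defaultdict(set)  # mac -> IPs it has answered for
    alerts = []
    for r in replies:
        mac, ip = r.sender_mac.lower(), r.sender_ip
        learned = bindings.setdefault(ip, mac)
        if learned != mac:
            # Overwriting the gateway's entry redirects a host's whole
            # outbound traffic, so rate it higher than any other IP.
            sev = "high" if ip == gateway_ip else "medium"
            alerts.append(Alert(r.ts, sev, f"{ip} moved from {learned} to {mac}"))
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append(Alert(r.ts, "high",
                                    f"{mac} answers for {sorted(ips_by_mac[mac])}"))
    return alerts


# Constructed sample: router .1, target .50, then a third MAC (the analyzer)
# answering for both of them. Not a real capture.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "00:11:22:33:44:01"),
    ArpReply(1.0, "192.168.1.50", "00:11:22:33:44:50"),
    ArpReply(5.0, "192.168.1.1", "00:11:22:33:44:AA"),
    ArpReply(5.1, "192.168.1.50", "00:11:22:33:44:AA"),
]

if __name__ == "__main__":
    for a in detect_poisoning(SAMPLE_REPLIES, gateway_ip="192.168.1.1"):
        print(f"t={a.ts:5.1f} [{a.severity}] {a.message}")
```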

 

Using Cain & Abel 

When attempting to poison the ARP cache, the first step is to download the required tools and collect some necessary information. We’ll use the popular security tool Cain & Abel from Oxid.it (http://www.oxid.it). The installation is pretty straightforward, so I won’t go through that here.

Once you have installed the Cain & Abel software, you need to collect some additional information including the IP addresses of your analyzer system, the remote system you wish to capture the traffic from, and the router that the remote system is downstream from.

When you first open Cain & Abel, you will notice a series of tabs near the top of the window. (ARP cache poisoning is only one of a variety of Cain & Abel’s features.) For our purposes, we’ll be working in the Sniffer tab. When you click this tab, you will see an empty table. In order to fill this table you will need to activate the program’s built-in sniffer and scan your network for hosts.

Click the second icon on the toolbar, which resembles a network card. The first time you do this you will be asked to select the interface you wish to sniff. This interface should be the one that is connected to the network you will be performing your ARP cache poisoning on. Once you’ve selected this interface, click OK to activate Cain & Abel’s built-in sniffer. To build a list of available hosts on your network, click the icon that resembles a plus (+) symbol, and click OK.

The once-empty grid should now be filled with a list of all the hosts on your attached network, along with their MAC addresses, IP addresses, and vendor identifying information. This is the list you will work from when setting up your ARP cache poisoning.

At the bottom of the program window, you will see a set of tabs that will take you to other windows under the Sniffer heading. Now that you have built your host list, you will be working from the APR tab. Switch to the APR window by clicking the tab.

Once in the APR window, you are presented with two empty tables: an upper and a lower one. Once you set them up, the upper table will show the devices involved in your ARP cache poisoning, and the lower table will show all communication between your poisoned machines.

Continue setting up your ARP poisoning by clicking the icon resembling the plus (+) symbol on the program’s standard toolbar. The window that appears has two selection columns side by side. On the left side, you will see a list of all available hosts on your network. Click the IP address of the target computer whose traffic you wish to sniff. This will result in the right window showing a list of all hosts in the network, omitting the target machine’s IP address. In the right window, click the IP address of the router that is directly upstream of the target machine, and click OK.

The IP addresses of both devices should now be listed in the upper table in the main application window. To complete the process, click the yellow-and-black radiation symbol on the standard toolbar. This will activate Cain & Abel’s ARP cache poisoning features and allow your analyzing system to be the middleman for all communications between the target system and its upstream router.

You can now fire up your packet sniffer and begin the analysis process. When you are finished capturing traffic, simply click the yellow-and-black radiation symbol again to stop ARP cache poisoning.

A Final Note

As a final note on ARP cache poisoning, you should be very aware of the roles of the systems you implement this process for. For instance, do not use this technique when the target device is something with very high network utilization, such as a fileserver with a 1Gbps link to the network (especially if your analyzer system only provides a 100Mbps link). When you perform this rerouting of traffic, all traffic transmitted and received by the target system must first go through your analyzer system, therefore making your analyzer the bottleneck in the communication process. This can create a DoS-type effect on the machine you are analyzing, which will result in degraded network performance and faulty analysis data.

That is all there really is to ARP cache poisoning. This technique has always proved significantly useful in my packet analysis experience, and I hope it does in yours as well.

 
Guest Post on TheLazyAdmin.com - WSUS FAQ
10 Apr,2008 | Category: WSUS

Dan Nerenberg over at TheLazyAdmin.com has just published a guest post from me about WSUS. If you have never heard of this site, then I’d highly recommend adding it to your daily reads. Originally started by former MVP and current Microsoft employee Rodney Buike, it contains a great deal of informative content.

The post is a detailed WSUS FAQ. If you are considering deploying WSUS but have some questions, then chances are that this FAQ will answer at least a couple of them. Check it out here.

 
Proactive Security: Using SPF Records to Prevent E-Mail Domain Spoofing
05 Apr,2008 | Category: Proactive Security

SPAM and phishing are both really big problems for pretty much any organization right now, and it appears to only be getting worse. One of the most common tactics used by spammers is to forge legitimate domain names in the e-mails they send. The goal here is to trick a user into opening one of these messages, or at least to get them through a SPAM filtering service to a user’s inbox.

The best way to prevent your e-mail domain from being spoofed is through the use of Sender Policy Framework (SPF) Records. This is basically a DNS TXT record that mail servers and spam filtering services access to verify the source of e-mail messages as they arrive.

In order to create an SPF record, start by opening the DNS MMC snap-in. From here, browse to the forward lookup zone for this DNS server, right-click in the blank area, choose Other New Records, and select Text (TXT). The typical value for this record (minus the quotes) should be “v=spf1 a mx -all”. What this says is that all mail received from an IP address listed in the sending domain’s A or MX records is legitimate. This will suffice for most companies, but in case you want to get a little stricter with this, you can use an entry of “v=spf1 a mx ip4:192.168.1.2 -all”. This basically specifies 192.168.1.2 as the only IP address that valid mail can be sent from.
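To see how a receiving mail server reads those two records, here is an added example (not from the original post) of an SPF evaluator that implements just the mechanisms used above: `a`, `mx`, `ip4:` (with an optional /prefix) and `all`, with the `+`, `-`, `~` and `?` qualifiers. DNS is stubbed with a constructed table for `example.com` so it runs offline; a real checker would resolve those names live.

```python
"""Evaluate an SPF record against a sending IP (added example, not from the post).

Covers the mechanisms the post uses: a, mx, ip4:<addr>[/prefix] and all,
with the +/-/~/? qualifiers. DNS answers come from a constructed table so
the example runs offline; a real checker resolves these names live.
"""
import ipaddress

# Constructed DNS data for the example domain (not real records).
FAKE_DNS = {
    "example.com": {"A": ["192.168.1.2"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["192.168.1.5"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query: return the records of type rtype for name."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def _mechanism_matches(mech, domain, ip):
    """True if one SPF mechanism (qualifier already stripped) matches ip."""
    if mech == "all":
        return True
    if mech.startswith("ip4:"):
        # ip4:192.168.1.2 means a single host; ip4:192.168.1.0/24 a range.
        return ip in ipaddress.ip_network(mech[4:], strict=False)
    if mech == "a":
        return str(ip) in lookup(domain, "A")
    if mech == "mx":
        return any(str(ip) in lookup(mx, "A") for mx in lookup(domain, "MX"))
    raise ValueError(f"unsupported mechanism: {mech}")


def check_spf(record, domain, sender_ip):
    """Return pass/fail/softfail/neutral, or none if record is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual, mech = "+", term            # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        if _mechanism_matches(mech.lower(), domain, ip):
            return QUALIFIERS[qual]        # first match decides the result
    return "neutral"                       # nothing matched and no `all`


if __name__ == "__main__":
    for ip in ("192.168.1.2", "192.168.1.5", "203.0.113.9"):
        print(ip, check_spf("v=spf1 a mx -all", "example.com", ip))
```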

It is considered a good proactive security principle to configure an SPF record for your domain, regardless of whether you are having SPAM/Phishing problems or not.

 
Introducing OpenPacket.org 1.0
04 Apr,2008 | Category: Packet Analysis, Tech News

Very big news in the world of packet analysis, from Richard Bejtlich’s TaoSecurity Blog:

“The mission of OpenPacket.org is to provide quality network traffic traces to researchers, analysts, and other members of the digital security community. One of the most difficult problems facing researchers, analysts, and others is understanding traffic carried by networks. At present there is no central repository of traces from which a student of network traffic could draw samples. OpenPacket.org will provide one possible solution to this problem.

Analysts looking for network traffic of a particular type can visit OpenPacket.org, query the OpenPacket.org capture repo for matching traces, and download those packets in their original format (e.g., Libpcap, etc.). The analyst will be able to process and analyze that traffic using tools of their choice, like Tcpdump, Snort, Ethereal, and so on.”

A great tool for teaching and learning about packet analysis! Big thanks to Richard and his team for making this happen!

http://www.openpacket.org

 
Proactive Security: Using Read-Only Domain Controllers
21 Mar,2008 | Category: Proactive Security

One of the new features in Windows Server 2008 that is getting the most attention is the introduction of the Read-Only Domain Controller (RODC).

If you manage a network that utilizes more than one domain controller, then you are aware of Active Directory’s multimaster replication structure. In this architecture, any change made to Active Directory on any domain controller is replicated to all of the others. This has made administration a breeze in the past, since administrators could make a change at any remote site and have it reflected on all of the domain controllers in the network.

The problem here arises with the threat of a security breach. Managing network and physical security at remote office locations has always been a challenge. If an intruder with malicious intentions gained access to an organization’s domain controller at a branch office, he/she could easily destroy the whole Active Directory infrastructure throughout the ENTIRE organization.

Microsoft has addressed this issue with the development of the RODC. An RODC is designed for branch offices where the network conditions require a local source of authentication, but a lack of physical security monitoring and localized administration makes placing a domain controller a security risk. The RODC only allows for one-way replication. That means Active Directory information can be replicated to it from another domain controller, but it may not replicate information to any other domain controllers.

With an RODC deployed at a branch office, an individual with malicious intentions cannot make modifications to the Active Directory infrastructure, therefore alleviating the security risks we have mentioned.

You can deploy an RODC by simply choosing the appropriate option when running the dcpromo utility during domain controller promotion.

 
Practical Packet Analysis Error Fixes and Second Printing
29 Feb,2008 | Category: Packet Analysis, Publications, Website News

As many of you who are trying to buy a copy of PPA have probably noticed, it is sold out pretty much everywhere. This is because the first printing was in such high demand that it sold out completely. As with most technical books, there were some errors that didn’t get caught in the technical editing phase, so we have been waiting on those to get fixed before reprinting the book. Those are now fixed and the book was sent back to the printers the early part of this week. This means that the book should be back on the shelf in 4-6 weeks. Thanks to all of those who have bought or plan on buying a copy!

 
Proactive Security: Avoid E-Mail Server Blacklisting
20 Feb,2008 | Category: Proactive Security

Getting blacklisted is pretty much the worst thing that can happen as far as users are concerned. The typical result of your IP address getting blacklisted is that you can no longer send to anybody who subscribes to a spam filtering service. These services use databases such as the CBL to check whether or not an IP address is sending illegitimate e-mail.

Here are a couple of things you can do to prevent getting blacklisted:

  1. Use virus protection on your server. I’d say 95% of the time when someone gets blacklisted it is because the e-mail server or a client within the network is sending out spam messages due to a compromise.
  2. Block port 25 access from all machines except your e-mail server. By making this change in a firewall or router ACL, you can ensure that nobody is communicating through SMTP except your e-mail server.
  3. Subscribe to a SPAM filtering service. Obviously, the less SPAM you receive means the less SPAM your users will be subject to. Even clicking on a link from one SPAM message can get a computer infected as part of a botnet that will cause you to get blacklisted. I personally recommend Appriver.
  4. Filter inbound allowed servers. If you are using a SPAM filtering service that also queues inbound e-mail, make sure that your e-mail server is set to only receive incoming mail from the remote filtering servers.
  5. Make sure that your e-mail server presents itself as valid. A lot of the time remote systems will perform checks on your server to make sure it is valid. The best way to make sure these checks come back to the remote system as they would like to see them is to set a masquerade domain to your domain name (i.e. domain.com) and make sure your ISP has your reverse DNS entry set correctly. You can work with them to make sure it is set to what it is supposed to be.
  6. Make sure you are not set as an open relay. If you are, then anybody can relay mail through your server and cause you to get blacklisted. You can test this here.

Doing all of these things SHOULD keep you from getting blacklisted. If you do by chance happen to still get blacklisted then you should work with the organization that blacklisted you to get to the bottom of this. I have personally worked with the CBL on blacklisting issues several times and they have some pretty dedicated people who will help you.

 
WSUS 3.0 SP1 Released
08 Feb,2008 | Category: WSUS

Service Pack 1 for WSUS 3 has been released. You can download it here. Make sure to review the release notes (located under related resources) for all of the pertinent new stuff and update information. Microsoft will stop supporting non-SP1 WSUS 3 a year from now, so it is better to get those upgrades scheduled and get them out of the way. There are a few upgrade considerations and some possible problems you may run into, and those are all covered in the release notes. Just make sure you get a backup of the WSUS database before proceeding!

 
ChrisSanders.org© Chris Sanders 2003-2006