Bugtraq mailing list archives

Resistance is futile, or what I learned trying to secure the scanner


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Tue, 12 Oct 1999 11:17:29 -0700


I was in the middle of the effort to try and protect ISS' Scanner against
the licensing being cracked, so I've got some unique insight.  It took the
crackers about 3 months to crack the 4.0 release of the NT scanner (I was
honored that they'd rather crack the NT version I built instead of the UNIX
version, but...).

All they did was go in and no-op checks for whether the IP address we want
to play with was in range.  Did a pretty poor job of it, and the cracked
scanner would only scan one host at a time.  I considered this to be a shot
across the bow, and so we considered many things - first of all, you have
to run the scanner as an administrator-level user - one possible response
would be that if the image were tampered with, and an appropriate number of
levels of checking had been bypassed, that we could then change all the
passwords on the machine and reboot.  Other suggestions involved using the
modem to call 911 and scream "Help!".  As humorous as these responses might
have been, we figured that if it EVER went off by accident at say a .mil
site, the user would Not Be Amused, and neither would our management or
lawyers.  Another somewhat less ghastly response would have been to have
the scanner emit an executable that deletes issnt.exe, so all your careful
hex editing goes poof.

So what we did was decide to raise the bar - we recognized that anything
we can do to stop them, they can also undo after a long enough time spent
in SoftIce.  We pulled some really interesting tricks where setting a no-op
where you thought you ought to would cause the app to throw unhandled
exceptions, and instituted 2 layers of integrity checking on the binary.
We figured that would keep them busy, and every time we recompiled, the
offsets would all change, and with any luck, we'd have a new version out by
the time they cracked the old one.

Up until about the time 5.6 released, this scheme worked well - the
crackers never got the latest and greatest - but then someone figured out a
way to attack the key itself.  Whups.  I'm surprised 5.8 is still
vulnerable to this one, as it was first known a while back - I thought
they'd have fixed it by now.  I hope maybe they fixed it in the most recent
6.0 release.

So, now that we all know the script kiddiez all can go play with a really
powerful vulnerability scanner, how do we defend ourselves?

First of all, the scanner will put all sorts of lovely information about
the person running it and where they are coming from when it goes to
enumerate the network with the initial scatter ping.  IF you can snag one
of these packets, you can usually get enough information to call the script
kiddie's mom fairly quickly.  Try this at home, sniff the packets and see
just what comes out.  If you really ought to be running the scanner, this
shouldn't be a problem for you.

Secondly, the thing leaves as many tracks as a herd of rhinos.  It will
leave tons of entries in your sendmail and FTP logs, and NT users should
look for logon failures from a guy named 'issr0kz'.  It will also tend to
leave some very distinctive entries in your web server logs.  Many of the
entries will include the source IP address, and since it is NT, it is a
reasonable assumption (though there are exceptions) that the kiddie is
actually sitting in front of the machine in question.

Most of the commercial IDS systems will also pick up an ISS scan quite
quickly - depending on what they use to trigger it.

Bottom line here is that there really isn't anything you can do to
completely defeat the crackers - even stuff like dongles can be gotten
around, and it is a PITA for the users.  At best, the licensing will slow
them down, so hopefully only paying customers have the latest version.  It
is also a great way for someone to subdivide their scanning by admin, and I
can give the scanner to someone wanting to use it in a lab without worrying
that they are accidentally going to scan places they shouldn't.  Lastly, no
self-respecting hacker would use such a thing, as running a commercial
scanner is like putting up a neon sign over your house saying "bust me!"
due to the fact they are so (intentionally) noisy.

David LeBlanc
dleblanc () mindspring com

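The tracks the post describes (NT logon failures for 'issr0kz', plus noisy FTP, sendmail and web hits all coming from one source) can be pulled out of logs with a small triage script. This is an added example, not ISS code or David LeBlanc's; the one-line-per-event log format, the service names, the 5-minute window and the three-service threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log lines (not from the post): timestamp, service, detail, source.
SAMPLE_LOGS = [
    "1999-10-12T10:01:02 nt_logon FAILURE user=issr0kz src=192.0.2.44",
    "1999-10-12T10:01:03 nt_logon FAILURE user=issr0kz src=192.0.2.44",
    "1999-10-12T10:01:05 ftpd FAIL LOGIN user=anonymous src=192.0.2.44",
    "1999-10-12T10:01:07 httpd GET /constructed-probe-path src=192.0.2.44",
    "1999-10-12T10:01:09 sendmail connection rejected src=192.0.2.44",
    "1999-10-12T11:30:00 nt_logon FAILURE user=alice src=198.51.100.7",
    "1999-10-12T11:45:00 httpd GET /index.html src=198.51.100.7",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<service>\S+) (?P<rest>.*) src=(?P<src>\S+)$")
SCANNER_USER = "issr0kz"       # account the post says shows up in NT logon failures
WINDOW = timedelta(minutes=5)  # assumed correlation window
MIN_SERVICES = 3               # assumed "herd of rhinos" threshold

def parse(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def find_scan_sources(lines):
    """Return {src: [reasons]} for sources whose traces look like an ISS-style scan."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, events in by_src.items():
        reasons = []
        # High-confidence indicator: the scanner's own account name in a logon failure.
        if any(e["service"] == "nt_logon" and f"user={SCANNER_USER}" in e["rest"] for e in events):
            reasons.append(f"NT logon failure for '{SCANNER_USER}'")
        # Noise indicator: one source touching several services inside a short window.
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            seen = {e["service"] for e in events[i:] if e["ts"] - first["ts"] <= WINDOW}
            if len(seen) >= MIN_SERVICES:
                reasons.append(f"{len(seen)} services probed within {WINDOW}")
                break
        if reasons:
            findings[src] = reasons
    return findings
```

On the constructed lines, 192.0.2.44 is flagged on both counts and 198.51.100.7 (one failed logon and one page fetch, fifteen minutes apart) is not.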
