Resistance is futile, or what I learned trying to secure the scanner

[BlueBoar () THIEVCO COM (Blue Boar)]

> I was in the middle of the effort to try and protect ISS' Scanner against
> the licensing being cracked, so I've got some unique insight.  It took the
> crackers about 3 months to crack the 4.0 release of the NT scanner (I was
> honored that they'd rather crack the NT version I built instead of the UNIX
> version, but...).

David recognizes that this is essentially copy protection, aka client-side
security.   It can't be made totally secure.  He also makes use of the
word "cracker" in the 80's sense, someone who cracks copy protection.

I should note that In Real Life, I'm a licensed user of the ISS
scanner.

> All they did was go in and no-op checks for whether the IP address we want
> to play with was in range.  Did a pretty poor job of it, and the cracked
> scanner would only scan one host at a time.  I considered this to be a shot
> across the bow, and so we considered many things - first of all, you have
> to run the scanner as an administrator-level user - one possible response
> would be that if the image were tampered with, and an appropriate number of
> levels of checking had been bypassed, that we could then change all the
> passwords on the machine and reboot.

That would have been a bad choice.  There are any number of reason a
legitimate password file/executable might become corrupted.  Should my
copy have done that one day, I would have been peeved, probably enough
that I would write a crack for it out of annoyance.

> Other suggestions involved using the
> modem to call 911 and scream "Help!".  As humorous as these responses might
> have been, we figured that if it EVER went off by accident at say a .mil
> site, the user would Not Be Amused, and neither would our management or
> lawyers.  Another somewhat less ghastly response would have been to have
> the scanner emit an executable that deletes issnt.exe, so all your careful
> hex editing goes poof.

Well, I always edit a copy...  Again, you didn't do it... but if you're
thinking that you (ISS) would have been responsible for accidental
or intentional use of the scanner... well, then I would want to hold
you responsible for the 911 call costs as well.  (Yes, the local PD
charges us when they have to dispatch for false alarms at work.  Happens
several times per year.)

> So what we did was decided to raise the bar - we recognized that anything
> we can do to stop them, they can also undo after a long enough time spent
> in SoftIce.  We pulled some really interesting tricks where setting a no-op
> where you thought you ought to would cause the app to throw unhandled
> exceptions, and instituted 2 layers of integrity checking on the binary.
> We figured that would keep them busy, and every time we recompiled, the
> offsets would all change, and with any luck, we'd have a new version out by
> the time they cracked the old one.

Well, at least you gave the crackers some entertainment.  I would note that
many script kiddies would be nearly as happy with the older versions,
though.

> Up until about the time 5.6 released, this scheme worked well - the
> crackers never got the latest and greatest - but then someone figured out a
> way to attack the key itself.  Whups.  I'm surprised 5.8 is still
> vulnerable to this one, as it was first known a while back - I thought
> they'd have fixed it by now.  I hope maybe they fixed it in the most recent
> 6.0 release.

You don't have the 6.0 release? :)  Here's the problem I spotted right away
when
I poked at it for a few minutes... I'm given a "key" file that controls
what IP
addresses I can scan, etc.. as I recall, the middle is cleartext, however
it's
signed.. looks something like PGP signatures.  Anyway, as I "use" the
product, it
marks off IP addresses I've scanner, to count against my key... i.e. if
I've got
100 licenses, and my IP address range covers 256 hosts, I can only scan the
first 100 I come to.  It enforces this count by resigning the key file as
it goes.

That means there's a signing key embedded in the ISS executable.

> So, now that we all know the script kiddiez all can go play with a really
> powerful vulnerability scanner, how do we defend ourselves?

Umm... braindead legislation? (ba-dum bum)

> First of all, the scanner will put all sorts of lovely information about
> the person running it and where they are coming from when it goes to
> enumerate the network with the initial scatter ping.  IF you can snag one
> of these packets, you can usually get enough information to call the script
> kiddie's mom fairly quickly.  Try this at home, sniff the packets and see
> just what comes out.  If you really ought to be running the scanner, this
> shouldn't be a problem for you.

I know it says some things about who *licensed* the product... but how much
does
it say about who is running it?  (I haven't looked at it much.)  If it's my
key
that is "stolen", I can always play dumb.

> Secondly, the thing leaves as many tracks as a herd of rhinos.  It will
> leave tons of entries in your sendmail and FTP logs, and NT users should
> look for logon failures from a guy named 'issr0kz'.  It will also tend to
> leave some very distinctive entries in your web server logs.  Many of the
> entries will include the source IP address, and since it is NT, it is a
> reasonable assumption (though there are exceptions) that the kiddie is
> actually sitting in front of the machine in question.

No, it's not stealthy.  It would be mostly used against targets of
opportunity, though.  I would think there is a reasonably small percentage
of the admins out there that would catch such a scan, but weren't already
protected against it.  It's a canned set of bugs, a good one, but a finite
set.  If I have enough clue to watch for this type of thing, I probably
also have enough to guard against it.

As for the kiddie being in front of the console, sure some will.  One of
these days we'll see a IS BO plugin or some such, though.  (I has occurred
to me that the ISS engine would make a hell of a delivery mechanism for an
Internet worm.  A bit large, though.)

> Most of the commercial IDS systems will also pick up an ISS scan quite
> quickly - depending on what they use to trigger it.

Indeed.  The same will also usually shut it down, protecting from
intrusion.  You can then inform the net admin for where the scan came
from.  Sadly, that often doesn't work.  I gave up sending mail about scans
my Back Officer Friendly picks up... the ISPs just ignore me.  For another
example, ask JP about the .gov sites that have been attacking him for
months.

> Bottom line here is that there really isn't anything you can do to
> completely defeat the crackers - even stuff like dongles can be gotten
> around, and it is a PITA for the users.  At best, the licensing will slow
> them down, so hopefully only paying customers have the latest version.

Well, as mentioned, copy protection can't work entirely.  As for not having
the
latest version...  ISS seems to not try to prevent that.  The password for
the
website hasn't changed for over a year, and I believe it's given to all
customers.  Little good it would do to improve that, since I can just give
away the image at will.  You might try slipping in a watermark of some sort
in the .exe that installs the product.  That mostly works if I don't know
it's
there.  That could be defeated by comparing two copies from two different
customers.  Besides, I can still give it away and plead ignorance when I
get
caught.

> It
> is also a great way for someone to subdivide their scanning by admin, and I
> can give the scanner to someone wanting to use it in a lab without worrying
> that they are accidently going to scan places they shouldn't.  Lastly, no
> self-respecting hacker would use such a thing, as running a commercial
> scanner is like putting up a neon sign over your house saying "bust me!"
> due to the fact they are so (intentionally) noisy.

Hmm...  Substitute your favorite word that's not "hacker" here.  I use it.
I use it to attack other sites.  I just have permission, that's all.  I do
claim to be a "self-respecting hacker".  Direct all flames my way for
inclusion on a page of ridicule on my web site.

You also forgot the part about teaching the black hats new exploits... I
pulled the rdist hole off the wire with a Sniffer when I couldn't find any
other info about the hole.  This demonstrates the ridiculousness of MS
trying to "escrow" vulnerabilities with the ICSA consortium, to keep them
away from "bad guys" like me.  Umm... guys?  I've got a subscription....

                                                        BB