If you are involved with PCI compliance scanning you are probably familiar with the "SSL Server Has SSLv2 Enabled" finding. It's one of those annoying items that always seems to show up on scan reports, and it is flagged for good reason: SSLv2 has a weak MD5-based MAC, no integrity protection for the handshake (so an attacker can roll the connection back to the weakest cipher offered), and it still advertises 40-bit export ciphers. Fortunately, there is a simple way to test for it and an easy way to fix it.
Using nmap and its script scanning capability you can detect it directly: the sslv2 script sends an SSLv2 ClientHello and reports the cipher specs the server offers back. An example command is listed below (newer nmap releases also accept --script=sslv2 without the .nse suffix).
nmap -p443 --script=sslv2.nse 10.10.10.10 -vvv
If the server supports SSLv2 nmap will report:
Interesting ports on 10.10.10.10:
PORT STATE SERVICE
443/tcp open https
| sslv2: server still supports SSLv2
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
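What the nmap script is doing under the hood is a single round trip: send an SSLv2 CLIENT-HELLO that offers all eight SSLv2 cipher specs, then read back the SERVER-HELLO and list the ones the server echoes. The following is an added example, not code from the original post or from nmap, that performs that exchange in Python. The record and message layouts follow the SSL 2.0 draft; the constructed_server_hello helper builds a fake response (placeholder certificate bytes, not real DER) so the parser can be exercised offline, and the host argument on the command line is the only thing that makes it touch the network.

```python
import os
import socket
import struct
import sys

# SSLv2 cipher-spec codes (three bytes each) from the SSL 2.0 draft. nmap's
# script prints the same set with slightly different spelling, e.g.
# SSL2_RC2_CBC_128_CBC_WITH_MD5 for SSL2_RC2_128_CBC_WITH_MD5.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
    b"\x08\x00\x80": "SSL2_RC4_64_WITH_MD5",
}

def build_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record that offers every SSLv2 cipher spec."""
    if challenge is None:
        challenge = os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHERS)
    body = (
        b"\x01"                                 # MSG-CLIENT-HELLO
        + b"\x00\x02"                           # CLIENT-VERSION = SSL 2.0
        + struct.pack(">H", len(cipher_specs))  # CIPHER-SPECS-LENGTH
        + struct.pack(">H", 0)                  # SESSION-ID-LENGTH
        + struct.pack(">H", len(challenge))     # CHALLENGE-LENGTH
        + cipher_specs
        + challenge
    )
    # Two-byte record header; the high bit set means no padding byte follows.
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_record(data):
    """Return (header_length, body_length) of the SSLv2 record in data, or None."""
    if len(data) < 3:
        return None
    if data[0] & 0x80:                           # 2-byte header, no padding
        return 2, ((data[0] & 0x7F) << 8) | data[1]
    return 3, ((data[0] & 0x3F) << 8) | data[1]  # 3-byte header, padding follows

def parse_server_hello(data):
    """Return the cipher-spec names in an SSLv2 SERVER-HELLO.

    Anything else (a TLS alert, a TCP close, garbage) yields [], which is
    exactly the "does not support SSLv2" result we want.
    """
    hdr = parse_record(data)
    if hdr is None:
        return []
    hdr_len, body_len = hdr
    body = data[hdr_len:hdr_len + body_len]
    # SERVER-HELLO layout: type(1) session-id-hit(1) cert-type(1) version(2)
    # cert-len(2) cipher-specs-len(2) conn-id-len(2) cert specs conn-id
    if len(body) < 11 or body[0] != 0x04:
        return []
    cert_len, specs_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    if len(specs) != specs_len:
        return []
    return [SSLV2_CIPHERS.get(specs[i:i + 3], "unknown " + specs[i:i + 3].hex())
            for i in range(0, specs_len, 3)]

def check_sslv2(host, port=443, timeout=5.0):
    """Send a CLIENT-HELLO to host:port and return the SSLv2 ciphers it accepts."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            while len(data) < 65536:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
                hdr = parse_record(data)
                if hdr and len(data) >= hdr[0] + hdr[1]:
                    break
        except socket.timeout:
            pass
    return parse_server_hello(data)

def constructed_server_hello(cipher_codes, cert=b"\x30\x00"):
    """Constructed test data: the SERVER-HELLO a permissive server would send.
    The certificate bytes are a placeholder, not real DER."""
    specs = b"".join(cipher_codes)
    conn_id = b"\x00" * 16
    body = (b"\x04\x00\x01\x00\x02"   # SERVER-HELLO, no session hit, X.509, v2
            + struct.pack(">HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body

if __name__ == "__main__":
    # With a host argument the real check runs; without one the constructed
    # SERVER-HELLO is parsed so the script demonstrates itself offline.
    ciphers = check_sslv2(sys.argv[1]) if len(sys.argv) > 1 else \
        parse_server_hello(constructed_server_hello(list(SSLV2_CIPHERS)))
    print("server still supports SSLv2" if ciphers else "SSLv2 not supported")
    for name in ciphers:
        print("  " + name)
```

A server with SSLv2 disabled normally answers the SSLv2 record either with a TLS alert (first byte 0x15) or by closing the connection; both fall through parse_server_hello as an empty list, so an empty result is the "fixed" state and a non-empty list is the finding.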
How to fix a vulnerable IIS server:
Open regedit and navigate to the following key. The "SSL 2.0" and "Server" subkeys are often absent on a default install (no key means Schannel uses its built-in default, which enables SSLv2 on older Windows versions), so create them if they are not there:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
Create or change the "Enabled" value (REG_DWORD) so that it is 0. In .reg-file syntax:
"Enabled"=dword:00000000
The change does not take effect until the server is rebooted. Reboot, then run nmap again to verify the vulnerability has been closed; the script should produce no sslv2 output for port 443.
Saturday, February 6, 2010
Sunday, January 3, 2010
Security awareness training
Security awareness training is one of the least expensive and most effective ways of protecting your organization's assets. I came across this site which has some useful games, videos and quizzes suitable for a general user population. Enjoy.
http://www.onguardonline.gov/
Tuesday, December 1, 2009
SHODAN - Banner grabbing search engine
I recently discovered a new search engine which has some interesting capabilities. From the site:
SHODAN lets you find servers/ routers/ etc. by using the simple search bar up above. Most of the data in the index covers web servers at the moment, but there is some data on FTP, Telnet and SSH services as well. Let me know which services interest you the most and I'll prioritize them in my scanning.
What makes this interesting (and somewhat controversial) is SHODAN (Sentient Hyper-Optimized Data Access Network) has done the leg work and initial scanning for those wishing to break into (or secure) systems.
If a new exploit is released which targets a vulnerability in a specific version of Apache, let's say, why bother scanning for vulnerable web servers when someone else has done it for you? Add filtering by country / domain / keyword and an attacker can build a nice set of targets without ever sending a packet to any of them. The flip side is that defenders can run the same queries against their own address space and find the banners they are exposing before someone else does.
Here are a few SHODAN queries to demonstrate
IIS servers running default page:
http://shodan.surtri.com/?q=port%3A80+iisstart.htm
Cisco devices listening on port 80:
http://shodan.surtri.com/?q=port%3A80+%22Cisco%22
IP's in the US with telnet open:
http://shodan.surtri.com/?q=country%3Aus+port%3A23
Citrix servers in Brazil on port 80:
http://shodan.surtri.com/?q=citrix%20country:BR%20port:80
Thursday, November 26, 2009
Using Nmap to fingerprint network applications
nmap is one of my favorite network tools. It's versatile and powerful and lots of fun to use. Nmap scan types are denoted by -s*. -sS is a SYN stealth or half-open scan and -sT is a TCP connect scan which uses the full TCP three-way handshake. One of the most useful scan types is -sV, which "fingerprints" the open ports nmap discovers: it sends a series of probes to each open port and matches the responses against its service signature database (nmap-service-probes). By fingerprinting the port, nmap can often determine exactly what application or service is listening behind it, and frequently its version.
To illustrate, take the example below. This is an internet host that appears to be listening on port 443, which is commonly used for https. Note that a plain -sS scan never talks to the service; the "https" label is simply the name nmap's port table (nmap-services) maps to port 443.
nmap -sS 66.57.111.10
PORT STATE SERVICE
443/tcp open https
If we change the scan type to -sV and add -p443 we can fingerprint the listening port.
nmap -sV -p443 66.57.111.10
443/tcp open ssh WeOnlyDo sshd 2.1.3 (protocol 2.0)
Very interesting: -sV shows us that it's actually an SSH server listening on the port and also tells us the specific version of the software. This is why a port-name guess should never be trusted on its own; version detection is the step that turns a list of open ports into something you can actually check against vulnerability databases.
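To make the difference between the two scan types concrete, here is an added example (not code from the original post or from nmap) that mimics the two steps in Python: port_name gives the -sS style guess from the OS services table, and fingerprint_banner does the -sV style work of matching what the service actually said against a small signature table. The SIGNATURES list and SAMPLE_BANNERS are constructed for the example and are illustrative, not nmap's real database; the 443 banner is built to reproduce the WeOnlyDo result above. grab_banner is the only function that touches the network and follows the same NULL-probe-then-GET order nmap uses.

```python
import re
import socket

# Constructed signature table in the spirit of nmap-service-probes "match"
# lines: (service, product, regex). Illustrative only, not nmap's database.
SIGNATURES = [
    ("ssh", "OpenSSH",
     re.compile(rb"^SSH-(?P<proto>[\d.]+)-OpenSSH[_-](?P<version>\S+)")),
    ("ssh", "WeOnlyDo sshd",
     re.compile(rb"^SSH-(?P<proto>[\d.]+)-WeOnlyDo (?P<version>[\d.]+)")),
    ("http", "Microsoft IIS httpd",
     re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: Microsoft-IIS/(?P<version>[\d.]+)",
                re.S)),
    ("ftp", "vsftpd",
     re.compile(rb"^220 \(vsFTPd (?P<version>[\d.]+)\)")),
]

# Constructed banners standing in for what the probes below would read back.
SAMPLE_BANNERS = {
    443: b"SSH-2.0-WeOnlyDo 2.1.3\r\n",
    80: b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Length: 0\r\n\r\n",
    21: b"220 (vsFTPd 2.0.5)\r\n",
    8080: b"hello from a custom daemon\r\n",
}

def port_name(port):
    """The -sS style guess: the name the OS services table maps the port to."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return None

def fingerprint_banner(banner):
    """Match a banner against SIGNATURES; return a dict with nmap's version
    fields (service, product, version, extrainfo) or None if nothing matched."""
    for service, product, pattern in SIGNATURES:
        m = pattern.search(banner)
        if not m:
            continue
        g = {k: v.decode("ascii", "replace") for k, v in m.groupdict().items() if v}
        info = {"service": service, "product": product, "version": g.get("version", "")}
        if "proto" in g:
            info["extrainfo"] = "protocol " + g["proto"]
        return info
    return None

def _recv_quiet(sock, size=4096):
    try:
        return sock.recv(size)
    except socket.timeout:
        return b""

def grab_banner(host, port, timeout=5.0):
    """NULL probe first (SSH, FTP and SMTP talk first); if the service stays
    silent, send an HTTP GET the way nmap's GetRequest probe does."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = _recv_quiet(s)
        if not data:
            s.sendall(b"GET / HTTP/1.0\r\n\r\n")
            data = _recv_quiet(s)
    return data

def describe(port, banner):
    """One nmap -sV style output line for a port, given its banner."""
    info = fingerprint_banner(banner)
    if info is None:
        # nmap appends '?' when it only has the port-number guess to go on
        return "%d/tcp open %s?" % (port, port_name(port) or "unknown")
    version = " ".join(v for v in (info["product"], info["version"]) if v)
    extra = " (%s)" % info["extrainfo"] if info.get("extrainfo") else ""
    return "%d/tcp open %s %s%s" % (port, info["service"], version, extra)

if __name__ == "__main__":
    for port, banner in sorted(SAMPLE_BANNERS.items()):
        print(describe(port, banner))
```

Run without arguments it prints one line per constructed banner, including "443/tcp open ssh WeOnlyDo sshd 2.1.3 (protocol 2.0)" for the port that the services table alone would have called https; replacing SAMPLE_BANNERS[port] with grab_banner(host, port) turns it into a live, if very small, version scanner.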