I was in the middle of the effort to try and protect ISS' Scanner against the licensing being cracked, so I've got some unique insight. It took the crackers about 3 months to crack the 4.0 release of the NT scanner (I was honored that they'd rather crack the NT version I built instead of the UNIX version, but...). All they did was go in and no-op the checks for whether the IP address we want to play with was in range. They did a pretty poor job of it, and the cracked scanner would only scan one host at a time.

I considered this to be a shot across the bow, and so we considered many things. First of all, you have to run the scanner as an administrator-level user, so one possible response would be that if the image were tampered with, and an appropriate number of levels of checking had been bypassed, we could then change all the passwords on the machine and reboot. Other suggestions involved using the modem to call 911 and scream "Help!". As humorous as these responses might have been, we figured that if it EVER went off by accident at, say, a .mil site, the user would Not Be Amused, and neither would our management or lawyers. Another somewhat less ghastly response would have been to have the scanner emit an executable that deletes issnt.exe, so all your careful hex editing goes poof.

So what we did was decide to raise the bar. We recognized that anything we can do to stop them, they can also undo after a long enough time spent in SoftIce. We pulled some really interesting tricks where setting a no-op where you thought you ought to would cause the app to throw unhandled exceptions, and instituted 2 layers of integrity checking on the binary. We figured that would keep them busy, and every time we recompiled, the offsets would all change, and with any luck we'd have a new version out by the time they cracked the old one.
Up until about the time 5.6 released, this scheme worked well (the crackers never got the latest and greatest), but then someone figured out a way to attack the key itself. Whups. I'm surprised 5.8 is still vulnerable to this one, as it was first known a while back; I thought they'd have fixed it by now. I hope maybe they fixed it in the most recent 6.0 release.

So, now that we all know the script kiddiez can all go play with a really powerful vulnerability scanner, how do we defend ourselves? First of all, the scanner will put all sorts of lovely information about the person running it and where they are coming from into the packets when it goes to enumerate the network with the initial scatter ping. If you can snag one of these packets, you can usually get enough information to call the script kiddie's mom fairly quickly. Try this at home: sniff the packets and see just what comes out. If you really ought to be running the scanner, this shouldn't be a problem for you.

Secondly, the thing leaves as many tracks as a herd of rhinos. It will leave tons of entries in your sendmail and FTP logs, and NT users should look for logon failures from a guy named 'issr0kz'. It will also tend to leave some very distinctive entries in your web server logs. Many of the entries will include the source IP address, and since it is NT, it is a reasonable assumption (though there are exceptions) that the kiddie is actually sitting in front of the machine in question. Most of the commercial IDS systems will also pick up an ISS scan quite quickly, depending on what they use to trigger it.

Bottom line here is that there really isn't anything you can do to completely defeat the crackers. Even stuff like dongles can be gotten around, and it is a PITA for the users. At best, the licensing will slow them down, so hopefully only paying customers have the latest version.
It is also a great way for someone to subdivide their scanning by admin, and I can give the scanner to someone wanting to use it in a lab without worrying that they are accidentally going to scan places they shouldn't. Lastly, no self-respecting hacker would use such a thing, as running a commercial scanner is like putting up a neon sign over your house saying "bust me!" due to the fact that they are so (intentionally) noisy.

David LeBlanc
dleblancat_private
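The detection hint in the post (look for NT logon failures from 'issr0kz', then pivot on the source IP that shows up alongside them in the FTP and web logs) is simple enough to script. The following is an added example, not code from the post or from ISS. The log lines are constructed, and their formats are simplified stand-ins for an NT security log export, an ftpd syslog stream and a common-format web access log; the only scanner fingerprint taken from the post is the 'issr0kz' logon name, and the IP addresses and request paths are made up.

```python
"""Flag scanner-style noise in constructed log samples (added example).

Only the 'issr0kz' logon name comes from the post; the log formats,
addresses and paths below are constructed for illustration.
"""
import re
from collections import defaultdict

SCANNER_USER = "issr0kz"  # logon name the post says shows up in NT failures

# Constructed sample lines; formats are simplified, not real exports.
NT_LOGON_LOG = """\
1999-12-01 02:14:07 FAILURE Logon user=issr0kz domain=LAB source=10.1.2.3
1999-12-01 02:14:08 FAILURE Logon user=issr0kz domain=LAB source=10.1.2.3
1999-12-01 09:30:11 FAILURE Logon user=jsmith domain=LAB source=10.1.9.9
1999-12-01 09:30:45 SUCCESS Logon user=jsmith domain=LAB source=10.1.9.9
"""

FTP_LOG = """\
Dec  1 02:14:10 host ftpd[4411]: connection from 10.1.2.3
Dec  1 02:14:11 host ftpd[4411]: FTP LOGIN FAILED FROM 10.1.2.3, anonymous
Dec  1 11:00:02 host ftpd[5120]: connection from 10.1.5.7
"""

WEB_LOG = """\
10.1.2.3 - - [01/Dec/1999:02:14:20 -0500] "GET /cgi-bin/probe1 HTTP/1.0" 404 210
10.1.2.3 - - [01/Dec/1999:02:14:20 -0500] "GET /cgi-bin/probe2 HTTP/1.0" 404 210
10.1.5.7 - - [01/Dec/1999:11:00:05 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def nt_failed_logons(text):
    """Return {source_ip: count} of FAILURE logons using the scanner's logon name."""
    hits = defaultdict(int)
    for line in text.splitlines():
        if "FAILURE" in line and f"user={SCANNER_USER}" in line:
            m = re.search(r"source=(\S+)", line)
            if m:
                hits[m.group(1)] += 1
    return dict(hits)


def sources_by_log(logs):
    """Map each IPv4 address seen to the set of log names it appears in."""
    seen = defaultdict(set)
    for name, text in logs.items():
        for line in text.splitlines():
            m = IPV4.search(line)
            if m:
                seen[m.group(1)].add(name)
    return seen


def suspect_scanner_sources(nt_log, other_logs):
    """Start from the NT fingerprint, then pivot on the source IP.

    Returns {ip: {"failed_logons": n, "also_seen_in": [log names]}} so the
    corroborating entries in the other logs can be pulled for the report.
    """
    failures = nt_failed_logons(nt_log)
    seen = sources_by_log(other_logs)
    return {
        ip: {"failed_logons": n, "also_seen_in": sorted(seen.get(ip, ()))}
        for ip, n in failures.items()
    }


if __name__ == "__main__":
    report = suspect_scanner_sources(NT_LOGON_LOG, {"ftp": FTP_LOG, "web": WEB_LOG})
    for ip, info in report.items():
        print(f"{ip}: {info['failed_logons']} failed logon(s) as {SCANNER_USER}; "
              f"also seen in {', '.join(info['also_seen_in']) or 'no other logs'}")
```

The pivot only starts from the logon-name fingerprint; an address that merely appears in two logs is not flagged on its own, since any ordinary user will show up in more than one log. As the post notes, the source address is a reasonable but not guaranteed pointer to where the operator is sitting.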
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:07:24 PDT