As an ethical hacker, it is important to be able to find vulnerabilities before attackers do. One tool that can help you accomplish this goal is the vulnerability scanner. Vulnerability scanners are effective at finding known vulnerabilities and buffer overflows.
11.1. Locating Known Buffer Overflows and Security Holes
In this exercise, you run a well-known vulnerability scanner to search for known buffer overflows and security holes.
Estimated Time: 15 minutes.
The Sessions tab Create a session or open an existing session.
The Scan Setup tab Select targets and set up a scan to run now or later.
The Data Analysis tab View results and generate reports.
The Configuration tab Change the scanning policy, process control, network information, and other options.
The Schedule tab View the current scan schedule and delete unneeded jobs.
The Documentation tab Introduction, frequently asked questions, vulnerability information, and reference information.
Exam Prep Questions
Which of the following is an example of a multipartite virus or worm?
Buffer overflows can be a serious problem. Which of the following C/C++ functions perform bound checks?
Which of the following is not considered an optional part of a virus program?
Which piece of malicious code was written with the VBS worm generator?
The functionality of Tripwire could best be compared to which of the following?
Which of the following describes the stack mechanism that computers use to pass arguments to functions and reference local variables?
Heap-based buffer overflows are different from stack based buffer overflows because stack-based buffer overflows are dependant on overflowing what?
Which of the following is not a defense against buffer overflows?
Jon has written a virus that is executed when opened in Word or Excel. Which of the following best describes this type of virus?
Which malicious program exploited vulnerability in Local Security Authority Subsystem Service (LSASS)? LSASS is used by Windows computers to verify a user logging in to a Windows domain or computer.
You are visiting a client site and have noticed a sheep dip system. What is it used for?
Which of the following is Melissa considered?
Which type of virus or worm has the capability to infect a system in more than one way?
Which portion of the virus is responsible for copying the virus and attaching it to a suitable host?
In the Intel architecture, which of the following instructions is one byte long and is represented in assembly language by the hex value 0X90?
Answers to Exam Questions
1. B. Nimda had the capability to infect in many different ways, including malformed MIME header and IFrame exploit within email propagation, placing an infected riched20.dll in the document, prepending itself to target executable files, and by attempting to connect to open shares and copy itself to these locations. Answer A is incorrect, as the Brain virus is an MBR virus. Answer C is incorrect, as Sasser exploited a buffer overflow, and answer D is incorrect because Staog was a single infector Linux virus.
2. D. The strncat function accepts a length value as a parameter, which should be no larger than the size of the destination buffer. Answers A, B, and C are incorrect as gets, memcpy, and strcpy do not perform automatic bounds checking and should be avoided.
3. A. Virus programs have two required components, which include search routines and infection routines. The infection routine is the portion of the virus responsible for copying the virus and attaching it to a suitable host. Answers B, C, and D are incorrect because the payload routine, anti-detection routine, and trigger routine are all considered optional.
4. B. Anna Kournikova was created in only a few hours using a tool called the VBS Worm Generator. Answers A, C, and D are incorrect because they were not created with the VBS Worm Generator.
5. C. Tripwire provides integrity assurance. Tripwire looks for changes that may have occurred from hackers or malicious software. By monitoring attributes of files that typically do not change, such as binary signatures, size, changes in size, or integrity scans, Tripwire can be useful for detecting intrusions, attacks, and the corruption of data. Answer A is incorrect because Tripwire is not used to guard the stack against buffer overflow. Answer B is incorrect, as heuristic scanning looks for actions that programs or applications would not typically perform. Answer D is incorrect, as signature scanning is performed to look for known signatures of viruses and worms.
6. C. The stack is a last in first out (LIFO) mechanism that computers use to pass arguments to functions as well as reference local variables. Answer A is incorrect, as a first in first out mechanism is useful for buffering a stream of data between a sender and receiver, which are not synchronized but is not used in stack operations. Answers B and D are incorrect because push refers to the act of pushing elements onto the stack, whereas pop refers to removing elements off the stack.
7. C. Heap-based buffer overflows are different from stack based buffer overflows in that stack based buffer overflows are dependant on overflowing a fixed length buffer. This makes answers A, B, and D incorrect. In heap based buffer overflow attacks, the attacker overflows a buffer that is placed in the lower part of the heap.
8. A.. Answers B, C, and D are incorrect because the question asks which of the following is not a defense, and each of those items are a defense. Defenses against buffer overflows include manual auditing of code, disabling stack execution, safer C library support, and better compiler techniques. Answer A is the correct choice, as enabling stack execution is something you would not want to do.
9. B. A macro virus is designed to be imbedded in a document. After being embedded, the virus writer can have the macro execute each time the document is opened. Many applications, such as Microsoft Word and Excel, support powerful macro languages. Answer A is incorrect, as an MBR infector targets the boot sector of a disk. Answer C is incorrect, as a file infector typically targets files or applications and can append or prepend themselves to the infected item. Answer D is incorrect because a mass mailer is a type of virus or worm that sends itself to many or all the individuals listed in your address book.
10. A. The Sasser worm targets a security issue with the Local Security Authority Subsystem Service. Answer B is incorrect because Sobig does not exploit LSASS. Sobig activates from infected emails when a victim clicks on the infected attachment. After this, the worm will install itself and start to spread further. Answer C is incorrect because Netsky spreads via email as a .pif or .zip attachment. Answer D is incorrect, as Code Red exploits an idq.dll buffer overflow.
11. C. A sheepdip system is used for checking media, file, diskettes, or CD-ROMs for viruses and malicious code before they are used in a secure network or computer. Answers A, B, and D are incorrect because a sheep dip system is not specifically for an integrity checker, honeypot, or to detect buffer overflows.
12. B. Melissa is a good example of a macro infector. Answer A is incorrect, as Melissa is not an MBR infector. Answer C is incorrect because Melissa is not a file infector. Answer D is incorrect, as a true worm requires no interaction from the end user, and Melissa requires no interaction from a user. Melissa needed to trick the victim into opening an attachment to execute its payload.
13. D. A multipartite virus can use more than one propagation method. Answer A is incorrect because an appender is a virus that adds its code to the end of a file. Answer B is incorrect, as a polymorphic virus is one that has the capability to mutate. Answer C is incorrect, as a prepender is a virus that adds its code to the beginning of a file.
14. A. The infection routine is the portion of the virus responsible for copying the virus and attaching it to a suitable host. Answers B, C, and D are incorrect, as the search routine is responsible for locating new files, disk space, or RAM to infect. The anti-detection routine is designed to make the virus more stealth like and avoid detection. The trigger routine's purpose is to launch the payload at a given date and time.
15. C. NOP, which stands for no operation, is a one byte long instruction and is represented in assembly language by the hex value 0X90? Answer A is incorrect, as Add is 03 hex. Answer B is incorrect, as Mov is 8B; and answer D is incorrect because Sub is 2B.
Suggested Reading and Resources
www.l0t3k.org/programming/docs/b0fBuffer overflow information
www.insecure.org/stf/smashstack.txtSmashing the stack for fun and profit
http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1046472,00.html?bucket=ETAHow buffer overflows work
www.phrack.org/phrack/56/p56-0x05Limitations of Stackguard and other buffer overflow protections
www.exn.ca/nerds/20000504-55.cfmThe history of viruses
www.ntsecrets.com/info/nimda.htmHow Nimda works
www.iwriteiam.nl/Ha_iloveyou.htmlAnalysis of the I Love You virus
www.extremetech.com/article2/0,1697,325439,00.aspHow antivirus works
http://vx.netlux.orgVirus toolkits and virus writing information
Cryptographic Attacks and Defenses