BreakingPoint Labs

Security Automation With BreakingPoint TCL API

If you're building an IPS, or are running one in your organization, IPS testing is important to verify that attacks are actually being blocked rather than merely logged. In my first post on the BreakingPoint TCL API, I gave just enough detail to get users running default components from the TCL API. If you take a look at the code archive for that post, you can see that there's not much customization going on. Today I will focus on using the BreakingPoint TCL API to create targeted tests using our Security testing component.

Finding Security Attacks

If you're following along, run the harness.tcl script we mentioned previously to get connected. Then take a look at the output of this command:

% dict for {path strike} [$bps listStrikes -reference MS08-067] { puts "$path [dict get $strike name]" }


Assuming you are running StrikePack 36110 or later (BreakingPoint customers can download StrikePacks from the Member's Section), you will see a list of strikes covering the MS08-067 NetpwPathCanonicalize bug patched by Microsoft in October 2008. Unsure of what StrikePack revision you're running? You can retrieve that via the TCL API:

% $bps getStrikepackId


As you're digging around in the API, remember that the interactive shell provides usage help for every command. If you issue $bps listStrikes -help, you'll see that you can search for strikes by keyword, reference, or protocol, and that you can limit a search to a particular branch of the strike tree (e.g. /strikes/exploits/browser) or to a particular depth.

Targeted Attack Series

Now that we know how to search for specific strikes, we need to build an Attack Series. An Attack Series is one or more groups of strikes that can be saved outside of any given test. Each of these groups can have optional sets of Security evasions applied to them.

Creating an Attack Series is simple:

% set attacks [$bps createAttackSeries -name "TCL Demo Attack Series"]


When a new Attack Series is created, a default group called 'Strikes' is created.

Again, take a look at the help by issuing $attacks -help. The main method we care about is addStrike. So, taking the example search above, we can add all the NetpwPathCanonicalize strikes to an Attack Series in a very simple loop:

% dict for {path strike} [$bps listStrikes -reference MS08-067] {
$attacks addStrike Strikes $path
puts "\[+] $path"
}
% $attacks save -force true


Performing the Security Test

The last step we need to get those MS08-067 strikes running is to configure a test with a Security component that is set to use our Attack Series. The main difference between running a targeted Attack Series and just running a canned Security component is that you call the component's configure method with the -attackPlan option, passing it the Attack Series object:

% $bps configure -name "TCL Security Using Attack Series"
% set security [$bps createComponent security TCLDemoSecurityComponent]
% $security setDomain server 1 default
% $security setDomain client 2 default
% $security configure -attackPlan $attacks
% $bps save -force
% $bps run
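The three steps above (search, build the Attack Series, configure and run the Security component) can be wrapped in a single procedure. The script below is an added example written for this page; it is not from the original post or the BreakingPoint code archive. It assumes harness.tcl has already been sourced and left the connected controller object in $bps, exactly as the post's interactive examples do; the procedure name runReference, its parameters, and the naming scheme for the test and component are my own choices. Every API call it makes (listStrikes, getStrikepackId, createAttackSeries, addStrike, createComponent, setDomain, configure -attackPlan, save, run) is one the post itself uses; nothing further about the API is assumed. Unlike the interactive session, it refuses to run when the reference matches no strikes, since an empty Attack Series would report an IPS "pass" that tested nothing.

```tcl
# run_reference.tcl -- added example, not code from the BreakingPoint post or code archive.
#
# Assumes harness.tcl has already been sourced and that $bps is the connected
# controller object, as in the post. Usage from the interactive shell:
#
#   % source run_reference.tcl
#   % runReference MS08-067
#   % runReference MS08-067 3 4     ;# server on test port 3, client on port 4

proc runReference {reference {serverPort 1} {clientPort 2}} {
    global bps

    # 1. Search the strike tree for everything tagged with this reference.
    #    listStrikes returns a dict keyed by strike path; each value is a dict
    #    with (at least) a 'name' key, as the post's dict-for loop shows.
    set matches [$bps listStrikes -reference $reference]

    # Edge case: an older StrikePack or a mistyped reference yields no strikes.
    # Stop here instead of running an Attack Series that contains nothing.
    if {[dict size $matches] == 0} {
        error "no strikes found for '$reference' (StrikePack [$bps getStrikepackId])"
    }

    # Only letters and digits in the names we derive from the reference; the
    # post uses plain identifiers like TCLDemoSecurityComponent, so this stays
    # on the safe side rather than assuming hyphens are accepted.
    regsub -all {[^A-Za-z0-9]} $reference {} tag

    # 2. Create the Attack Series and fill its default 'Strikes' group.
    set attacks [$bps createAttackSeries -name "TCL $reference Attack Series"]
    set count 0
    dict for {path strike} $matches {
        $attacks addStrike Strikes $path
        puts "\[+] $path ([dict get $strike name])"
        incr count
    }
    $attacks save -force true
    puts "added $count strike(s) to the 'Strikes' group"

    # 3. Build a test with one Security component pointed at the series.
    #    Server and client sit on different test ports so the device under
    #    test can be cabled between them; with nothing inline, every strike
    #    simply arrives and the result tells you nothing about the IPS.
    $bps configure -name "TCL Security $reference"
    set security [$bps createComponent security "Security$tag"]
    $security setDomain server $serverPort default
    $security setDomain client $clientPort default
    $security configure -attackPlan $attacks
    $bps save -force

    puts "running '$reference' ($count strikes) server=port$serverPort client=port$clientPort"
    $bps run
    return $count
}
```

The procedure returns the number of strikes it queued, so a wrapper script can loop over a list of references (one per patch bulletin you care about) and skip any that matched nothing without aborting the whole run.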


Looking Forward to Next Time

At this point we have run the test and we can get the results and see how our IPS did at blocking the MS08-067 attacks. You did run the test through an actual security device, right? With nothing cabled between the client and server test ports, every strike simply arrives, and the results say nothing about your IPS. I did, and I can say that Brand-X usually blocks the attacks. There are some tests where not all strike attempts are blocked. If that IPS were protecting an actual network, it might be worthwhile to look into that after applying the MS08-067 patch. You have applied that patch, right? Let's hope so.

The code archive for this post includes several variations on the ideas presented here. One script lists all the strikes on the system. Another script takes a single strike path as an argument and runs that strike out of whichever test ports you specify (that particular script got me free sushi from a customer, so please realize that gifts ARE accepted!). Another script takes multiple strike paths on stdin and creates an Attack Series and a test from them. Please take a look at the examples and post back with any code examples of your own!

Next time, I'm going to go deeper on the Security component. We're going to take a look at BreakingPoint's Security Evasions and how to work with them in the TCL API.
