Type packetstorm
Reporter eEye Digital Security
Modified 1999-08-17T00:00:00


Retina vs. IIS4, Round 2 - The Brain File  
The following is a listing of the Brain.ini file that Retina uses for its miner module.  
This is the actual file listing that uncovered the crash in IIS4. We trimmed out some  
variables that are not being used. We will explain more about how the brain file  
works below. To install the brain file, just copy it to the following path:  
c:\program files\retina\modules\retina\miner\brain.ini  
Downloads: brain.ini  
Title=HTTP Miner   
1=GET /%%passwordpath%%/%%$RPT(65,40,10)%%.%%extention%% HTTP/1.0  
How the brain file works  
To explain the brain file we need to explore some of Retina's features and explain  
how brain files are constructed.  
Retina's AI (Artificial Intelligence) Engine  
The most limiting trait of a program is the rigidity of the code (logic) built into it.  
It is written by a human to handle a fixed set of logic. So in the case of a  
network auditing tool, the logic is designed to handle what the programmer has  
instructed it to do. But what if the program has its own knowledge base, i.e. it  
records what it finds, compares all of its findings, and then catalogs the  
information based on a defined set of rules? As the application runs it will become  
familiar with the norm, be able to recognize the exception to the norm, and  
then be able to report the exception. This is one of the most powerful  
technologies in Retina, and it is being used in two of the existing modules in a limited  
way. For security reasons we limited the capability of this feature set while  
we define how we can protect it from being abused. Yes, this feature is very  
powerful and can be used to DoS (Denial of Service) servers and do data mining  
on server content.  
The AI Engine at work  
Here we will describe some of the data mining capabilities we currently have in  
Retina. The following capabilities might be disabled in current beta releases for  
the security reasons mentioned above.  
The Browser Module is used to collect links and action URLs from a web site to  
identify all third level domain names associated with the domain being scanned. As  
the domain list is built, Retina provides the list as an optional scan list. This  
capability will allow the auditor to identify all possible servers, applications and IP  
addresses that might be a weak link in the chain of security surrounding the  
The Tracer Module is used to perform a simple trace route to the target IP  
address. It is very simple in nature, but the information collected along the way can be a  
list of possible gateways, routers and/or proxies that need to be scanned to  
make sure that the security is audited at all entry points to the network.  
The Scanner Module is used to scan for open ports. When an IP address has  
different open ports than the rest of the subnet, it is possible that special  
applications are running on that server or that a user is using a client application that has  
that port open. This can be used to identify the port and add it to a list of warnings  
that need to be checked.  
The Brain File  
The findings from the above-mentioned modules are then logged in what we call a brain file.  
The brain file is a list of commands, variables and actions to be used in a time  
consuming auditing operation, much like brute forcing, but the variables are  
intelligently limited so the results are more accurate. Currently the only module we  
are releasing that acts upon this data is the Miner Module, which takes a brain file  
and constructs queries against web servers and reports anything other than (File  
not found).  
In the above example brain file, the Miner module generates commands based on a  
query command and all variables collected within the brain file. The underlined  
directive "%%$RPT(65,40,10)%%" is an overflow generator: 65 is the ASCII code of the  
character we want to repeat, 40 is the number of times we want to repeat the  
loop, and 10 is the length to increment the string by.  
In the variables section we list all the different words we want to try in all possible  
combinations. The underlined htr extension is what brought our server down.  
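On the server side, an RPT sweep like the one described above leaves a recognizable pattern in the access log: one client requesting a file name made of a single repeated character that grows by a fixed increment. The following is an added example, not part of the original eEye text or of Retina; the log format, client addresses, the /scripts/ path and the starting length of 10 are constructed assumptions, since the page does not state them.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (client, request line); not real traffic.
def _req(client, stem_len, ext):
    # chr(65) is "A", the character named in the RPT(65,40,10) directive.
    return f'{client} "GET /scripts/{chr(65) * stem_len}.{ext} HTTP/1.0"'

SAMPLE_LOG = (
    [_req("10.0.0.5", n, "htr") for n in (10, 20, 30, 40)]
    + ['10.0.0.7 "GET /index.html HTTP/1.0"',
       '10.0.0.7 "GET /images/aaa.gif HTTP/1.0"']
)

LINE = re.compile(r'^(\S+) "GET (\S+) HTTP/1\.[01]"$')
# File name whose stem is one character repeated, e.g. AAAAAAAAAA.htr
STEM = re.compile(r'/((.)\2*)\.(\w+)$')

def find_rpt_sweeps(lines, min_requests=3):
    """Return {(client, char, ext): [stem lengths]} for clients whose requests
    step a single-character file name up by a constant positive increment."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the constructed format
        client, path = m.groups()
        s = STEM.search(path)
        if s:
            seen[(client, s.group(2), s.group(3))].append(len(s.group(1)))
    sweeps = {}
    for key, lengths in seen.items():
        steps = {b - a for a, b in zip(lengths, lengths[1:])}
        if len(lengths) >= min_requests and len(steps) == 1 and steps.pop() > 0:
            sweeps[key] = lengths
    return sweeps

if __name__ == "__main__":
    for (client, char, ext), lengths in find_rpt_sweeps(SAMPLE_LOG).items():
        print(f"{client}: '{char}' x {lengths} with .{ext}")
```

The single `/images/aaa.gif` request is not reported because one request cannot establish a constant increment.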
Copyright (c) 1999 eEye Digital Security Team  
Permission is hereby granted for the redistribution of this alert   
electronically. It is not to be edited in any way without express consent of eEye. If  
you wish to reprint the whole or any part of this alert in any other medium  
excluding electronic medium, please e-mail for permission.  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There are NO  
warranties with regard to this information.   
In no event shall the author be liable for any damages whatsoever arising out of or  
in connection with the use or spread of this information. Any use of this  
information is at the user's own risk.  
Please send suggestions, updates, and comments to:   
eEye Digital Security Team   