Kali Linux Penetration Testing


A paper I did on how to utilize Kali Linux for penetration testing.

Kali Linux: Ensuring Security by Penetration Testing

[email protected]
University Department of Electrical and Computer Engineering, ECE 8484, Fall 2014

Table of Contents

Abstract
Introduction
What is Kali Linux
Setting up the testing environment
Hardware and Software Setup
Penetration Testing
Pre-engagement Interactions phase
Information Gathering
Threat Modeling
Vulnerability Analysis
Exploitation Phase
Post Exploitation Phase
Reporting Phase
Example (condensed) Report of Penetration Test
Conclusion
Bibliography (a mix of internet research and books)

Abstract:

Most companies, as well as consumers, rely on the Internet for business transactions. This translates to roughly 10 trillion dollars in online transactions a year. The world is vastly interconnected; while this gives rise to new business models, it also exposes new risks of cyber-attacks by criminals, political activists, and malicious actors. It is the responsibility of every person who uses and works with connected devices to be knowledgeable and proactive in the area of cyber security, for the protection of the companies they work for as well as their own personal security. Learning how to discover and remediate vulnerabilities is crucial to preventing costly breaches that can cost millions of dollars in revenue, in addition to the cost of lost consumer confidence. In this paper Kali Linux will be used to demonstrate penetration testing of a faux corporate system (image provided by DeterLab). The Penetration Testing Execution Standard will be followed as if this were a real corporation. It is assumed that the pre-engagement interaction has already taken place with the faux corporation being pen tested, so that section will not be completely detailed with legalities.

Introduction:

In the past year it appeared that no industry was immune from cyber attacks. The following companies were victims of cyber-security breaches: Adobe was hit for 152 million records and eBay for 145 million; in banking and financial services, JP Morgan Chase for 76 million; the retailers Target and The Home Depot for 70 million and 56 million records. [11] These breaches not only cost the companies millions; they also caused consumers identity theft, lost time, the aggravation of having to notify their banks and get credit if their cards were compromised, and ultimately a loss of confidence that retailers can be trusted with bank information. When a retailer is breached it affects not only the retailer; it also has an impact on the consumer and on the banks, passing the costs of cyber security breaches back down to the consumer. On November 24th 2014 a story broke that Sony Pictures computers had been hacked by a group called the GOP; the attackers threatened to release data if their demands were not met by a given deadline. It was reported that the hack on Sony Pictures was related to the release of the comedy film The Interview, which depicts the assassination of North Korea's leader. The data leaks from Sony were unprecedented: the data included torrents of unreleased Sony pictures, which would undoubtedly result in loss of revenue, as well as financial and health information about staff. The leak also included the salaries of Sony executives, security certificates and other credential data. The most disturbing part of the hack was emails threatening Sony employees. The hack is believed to be from North Korea; however, the FBI traced the attack to a hotel in Bangkok, so the perpetrator or group has not been positively identified. Regardless, the attack caused severe damage to Sony Pictures financially, as well as to the reputation of the company as a whole. Breaches like the one Sony experienced could have a major impact on the economy.
One security breach incident can cause a litany of costs that include legal fees, software updates, customer reimbursement and public relations costs. Once a company is breached it can also face serious fines for not complying with the security standards set forth by its specific industry; pharmaceutical, healthcare and financial companies have stringent regulations to protect the information they hold about their customers. In this paper I will demonstrate how a corporation could be victimized by cyber security breaches. I will demonstrate vulnerabilities at the OS level (buffer overflows); in the web application (file traversal, where I gain root by gaining access to the /etc/shadow file); and SQL injection, where I am able to breach the company credit union and transfer money. I will use Kali Linux to find these vulnerabilities, then remediate and document them. The many tools within Kali Linux are used to find, remediate and document these vulnerabilities.

What is Kali Linux:

Kali Linux is a Debian-derived Linux distribution whose main purpose is digital forensics and penetration testing. It is a GPL-compliant Linux distribution built by penetration testers. Kali Linux originally started as BackTrack, which was designed to be an all-in-one system for security audits and, interestingly, to leave no remnants of itself on the audited system.[7] Kali Linux is funded and developed by Offensive Security. It is supported on a variety of platforms: ARMEL and ARMHF, Linux, virtual machines such as VirtualBox, and Windows. Since Kali Linux is a suite of security tools, one has to ask the question: is Kali Linux itself secure? If I were a malicious actor, one of the things I would attack is the very security suite being used to audit a system. Since Kali Linux is funded and maintained by Offensive Security, a reputable firm, they have taken measurable steps to ensure the integrity of the Kali Linux system.
The Kali Linux team is a small group; only they can commit packages and interact with the repositories, and they do so over multiple secure protocols. Each developer signs the packages they build and commit, and the repositories are signed as well.[3] Offensive Security is a security company; they offer courses, labs and certifications to train the next generation of hands-on security professionals. Kali Linux comprises a number of security tools, in the following categories: Information Gathering; Vulnerability Analysis; Wireless Attacks; Web Applications; Exploitation Tools; Forensics Tools; Stress Testing; Sniffing and Spoofing; Password Attacks; Maintaining Access; Reverse Engineering; Hardware Hacking; and Reporting Tools. The tools I used for my project were zenmap, Vega, OWASP ZAP, sqlmap, hashid, RainbowCrack and edb-debugger.

Setting up the testing environment:

A DETER test image was used for this project paper; DETER is a security testbed and education version of Emulab. DETER is funded by the National Science Foundation and the Department of Homeland Security and is hosted by USC/ISI and UC Berkeley.[1] The DeterLab image is of FrozbozzCo International, whose business model is "You name it, we do it!", so apparently they do everything. This image was provided for another cyber security class, ECE 8476, in which we had to find and fix vulnerabilities manually. Kali Linux was not used for that lab, but since this image contains common vulnerabilities it was an appropriate image for demonstrating Kali Linux. The DeterLab machine was port forwarded to the local machine, so the web services would run on localhost.

Hardware and Software Setup:

The main system used for penetration testing the Frozbozz International DeterLab image was an iMac 27-inch, 2.7 GHz Intel Core i5 with 16 GB of RAM, with VirtualBox installed so Kali Linux could be run as a virtual machine. Kali Linux version 1.0.9a was installed on Oracle VirtualBox version 4.3.20 with 2 GB of RAM and 2 virtual processors with PAE/NX enabled; the network was set up in bridged adapter mode to allow the Kali Linux machine to talk on the local network.

Figure 1: VirtualBox settings

Figure 2: Deterlab Settings

Penetration Testing:

The methodology used for my research was the Penetration Testing Execution Standard, which defines seven phases of penetration testing that cover everything related to a test. The seven phases are Pre-engagement Interactions; Intelligence Gathering; Threat Modeling; Vulnerability Analysis; Exploitation; Post Exploitation; and Reporting. [12]

Pre-engagement Interactions phase:

The pre-engagement phase of penetration testing is when the scope of the project is defined. This is extremely critical to penetration testing, because neglecting to properly complete pre-engagement activities can create scope creep as well as serious legal consequences for the penetration tester. The scope of a project is designed to accurately define what is to be tested, and how each test will be conducted under the rules of engagement. Our faux client has given us scope to penetration test a mirror of their pre-production system; the system we will be testing is a quality assurance machine, which is a mirror of pre-production, but the data is NOT production data. The client has assured us that all the data on the machine is their property, as is the equipment it runs on. The client has specifically requested that we conduct the penetration test as if we were malicious actors, to get the best analysis of the state of their machines. The client is trying to financially justify advanced penetration testing to management in order to avoid costly breaches in the future.

Information Gathering:

The first step I'll use for this demonstration of penetration testing is intelligence gathering. It is always important to keep in mind the limitations of the Rules of Engagement! Never go outside the agreed rules of engagement, as this could have serious legal consequences.
Intelligence gathering is performing reconnaissance against the target to gather as much information as possible, to be used when penetrating the target during the vulnerability assessment and exploitation phases. The more information gathered, the more attack vectors can be used.[12] The first act of reconnaissance was to scan the server using zenmap. The output of zenmap showed that port 8080 was open and filtered. It also provided a lot of information about the system, such as that Apache httpd 2.2.14 was running on Ubuntu, and that the web server hosts PHP code. This is very useful information!

Figure 3: Zenmap output of Frozbozzco.com

From the information gathered by the zenmap scan I am able to pull up their website and poke around. I am also able to run web vulnerability scans on the discovered site, and I can customize my scans because I now have a deeper knowledge of the system: I know it is Linux, running Apache and PHP.

Threat Modeling:

During the threat analysis phase only the website might be in scope; however, after close review and discussions with the company, it appears there is a back-end database that is easily identifiable. Since we identified this server as a whole in our pre-engagement interaction and have full permission to continue testing all applications, including databases, we are free to penetration test the database. In our faux corporation the company believes its web server poses a significant threat; however, the server also houses a SQL database for the credit union, in which employees move, deposit and withdraw money, so SQL injection should in general be considered a high-impact security risk. The SQL database for Frozbozz Intl. contains sensitive information about the employees, such as social security numbers, bank routing information, full names and emails; this gives malicious attackers a strong motive to exploit the system, since there is financial gain to be had from the exploitation.

Vulnerability Analysis:

The first part of vulnerability testing is the process of finding the flaws in the system that can be exploited by a malicious attacker. Since I know the system is running a web server on port 8080, I start there. I'll use web application scanners to get an idea of the system's vulnerabilities. I run two separate scans, one using Vega and the other using OWASP ZAP, for comparison and verification.

Figure 4: Vega output of scan

Vulnerabilities found by Vega:

Figure 5: Vega alerts

The vulnerabilities found were as follows:

1. Cross-site scripting
   a. Local file include (file traversal)
   b. Page fingerprint differential detected (local file include)
2. SQL error; this means a possible SQL injection vulnerability. In SQL injection techniques, actors often look for errors to show that the system is vulnerable to SQL injection.
   a. /cgi-bin/FCCU.php
   b. /cgi-bin/FCCU.php
3. SQL injection; these are actual SQL injections.
   a. /cgi-bin/FCCU.php
   b. /cgi-bin/FCCU.php

As promised to the customer, we did more than one type of vulnerability scan of their systems so that the vulnerabilities found could be compared. The next scanner was OWASP ZAP, which we ran with its default parameters for vulnerability scanning.

Vulnerabilities found by OWASP ZAP:

Figure 6: OWASP-ZAP scan

The default settings for Vega found more vulnerabilities; however, both scanners found the one that was exploited for root access to the machine.

Exploitation Phase:

File Traversal: The one high alert that was particularly useful is the file traversal seen in Figure 4. The HTTP request was able to view the /etc/shadow file, giving me the user names and the hashes of their passwords. I will use Kali to break the password hashes of a regular user and of root, so I can gain access to the Linux system and su to the root user. It is always safe to assume that direct login for root is disabled, but since all we need is a username with regular privileges and the root password to gain root access, that is more than sufficient to own the box. The next Kali Linux application I used was hashid. I was able to determine that the hash type used in the /etc/shadow file was MD5; with that knowledge I am able to use the appropriate cracking software for that particular hash. The next application used was RainbowCrack: since the hash type was known to be MD5, rainbow tables were created in RainbowCrack with the following procedure.

Password Cracking:

1. Create rainbow tables:
   a. rtgen md5 loweralpha 1 5 0 2000 8000 testing
   b. rtgen md5 loweralpha 1 5 1 2000 8000 0
2. After creating the tables, the next step is to sort them. This is done for every rainbow table created:
   a. rtsort md5_loweralpha#1-5_0_2000x8000_0.rt
3. The next stage is to run rcrack against the hash (rcrack takes the hash after the -h switch):
   a. rcrack /usr/share/rainbowcrack/*.rt -h $1$UKoOQUPw$vtrmLJpKLSKoV6LTlbJBD1

I was able to crack the hash of wilbar's account. I used the same procedure on root's hash, which gave me the root password as well. I am now all set to actually break into the system. On a UNIX system root has power over everything! Since root access was gained from the file traversal and password cracking, this vulnerability would need to be addressed quickly. It will be discussed in the reporting and remediation section regarding password policies.
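The file traversal finding above maps directly onto a server-side containment check and a log search. As an added example (not code from the paper or from the Frozbozz server), the Python below resolves a client-supplied path under a document root and rejects anything that escapes it, then runs the same check over constructed Apache access-log lines to flag traversal attempts after the fact; DOC_ROOT and the log lines are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed document root for the demo; the paper's site served PHP from cgi-bin under it.
DOC_ROOT = "/var/www/html"

# Apache common log format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded dots (%252e) are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(doc_root, requested):
    """Return the on-disk path for a client-supplied path, or None if it escapes doc_root."""
    path = fully_decode(requested)
    if "\x00" in path:                          # a NUL would truncate the path in C string APIs
        return None
    path = path.replace("\\", "/").lstrip("/")  # treat every request as relative to the root
    normalized = posixpath.normpath(path)       # collapses "./" and "dir/../" lexically
    if normalized == ".." or normalized.startswith("../"):
        return None                             # still points above the root after normalization
    if normalized == ".":
        normalized = ""
    return posixpath.join(doc_root, normalized)


def flag_traversal(log_lines):
    """Return (ip, target) for requests whose path or any query value escapes DOC_ROOT."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue                            # not a request line we understand; skip it
        parts = urlsplit(match["target"])
        # the paper's finding was a local file include, so query values are checked too
        candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        if any(resolve_under_root(DOC_ROOT, c) is None for c in candidates):
            hits.append((match["ip"], match["target"]))
    return hits


# Constructed sample log lines (not from the paper): two traversal probes, two benign requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Dec/2014:10:01:02 -0500] "GET /cgi-bin/FCCU.php HTTP/1.1" 200 1843',
    '192.0.2.10 - - [16/Dec/2014:10:01:09 -0500] "GET /cgi-bin/FCCU.php?file=../../../../etc/shadow HTTP/1.1" 200 1276',
    '192.0.2.10 - - [16/Dec/2014:10:01:15 -0500] "GET /cgi-bin/FCCU.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2201',
    '192.0.2.11 - - [16/Dec/2014:10:02:00 -0500] "GET /images/../index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, target in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

The lexical check is what a chroot, as the report recommends, enforces at the kernel level; doing both means a future parser bug in one layer is still caught by the other.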

Buffer Overflow: Since I had gained root access to the Linux system, I had a look around; the first order of business was to investigate the web server code, which I was able to do with root access. I logged on as Wilbur and did a su root using the cracked root password. The web server code was found in /usr/local/fhttpd/server, and I saw that the web server is written in C. As a security professional hired by Frozbozz, I know that OWASP identifies buffer overflows as vulnerabilities, so I should check the C code the web server is written in to ensure that it is protected from buffer overflow attacks. A buffer is an amount of contiguous memory set aside for storing information; a buffer overflow occurs when a program writes more data into a buffer than it was sized to hold. A program has to remember certain things, such as what data was input prior to the current operation, and this information is stored in a memory buffer.[4]

Buffer Overflow Penetration: This exploit is done directly against the server. I was able to gain access and peruse the server with the help of Kali; however, executing the buffer overflow was done by crafting my own exploit against the web server code. My exploit used nc (netcat, often termed the Swiss army knife). I created a text file containing a large number of characters; from the web server C code I was able to identify the malloc call and the buffer size used in the code. I want to make sure that the code is protected by bounds checking to prevent buffer overflows.

1. Create the payload text file.
2. Open a second terminal window and run gdb.
3. Create an exploit.sh script to deliver the payload via nc:
   a. nc localhost 8080 < payload
4. I was able to create a segfault/buffer overflow.

Figure 7: Segmentation Fault

After successfully demonstrating the buffer overflow vulnerability, I used the Kali Linux reverse engineering program edb-debugger to find where in the code the buffer overflow is happening. I am able to reverse engineer the webserver.c code to find where the coding error took place, and make recommendations to the company on remediating the vulnerability. A buffer overflow could be devastating to a company, because the "jump to address stored in a register" technique is reliable enough to automate an attack with almost a guarantee of success when it is run. For this very reason it is the common technique worms use to exploit stack buffer overflow vulnerabilities.

Figure 8: edb-debugger

SQL Injection: The vulnerability scan showed that the client's server is also subject to SQL injection attacks. Because the file traversal attack let me gain root on the system, I go to the directory where the PHP code is stored, /usr/lib/cgi-bin/FCCU.php, and open the file to investigate how well it is written. I can see that the DB user and password are stored in this file, and I also notice that there is no mysql_real_escape_string call, which is used to prevent MySQL injections.

Figure 9: PHP code for SQL

I know I could get into the database from the server, but I had to show the client that their website was vulnerable to SQL injection, as Vega and OWASP ZAP had both reported. The client decided to link this server to a test database so we could demonstrate a SQL injection and prove the severity of such an attack. I also used sqlmap.

Figure 10: SQLMap

Web SQL-Injection attack:

1. I navigated to the following website: http://localhost:8080/cgi-bin/FCCU.php. The credit union page was displayed.
2. I issued the following attack, appended to the URL after id=2: FCCU.php&submit=Submit&password=letmein
3. The page returned the following:
   SELECT * FROM accounts WHERE id = /FCCU.php AND password = 'letmein'
   You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/FCCU.php AND password = 'letmein'' at line 1
4. I checked the version of MySQL, and since it is greater than 5 I was able to exploit the information schema.
5. I was able to determine the number of columns by issuing ORDER BY 1, 2, 3, 4 and so on until I came to an error: 9 columns.
6. I was able to see the columns from the information schema exploit.

I was able to determine that the local DBA user was FCCU and that this user did NOT have GRANT access but did have INSERT, so I did an INSERT query in which I gave myself 10 million dollars. Since I did not have a linked account at the credit union, no money was actually transferred. The SQL injection in which I transfer money was done to demonstrate the severity of the vulnerability; because we had a solid pre-engagement phase, we knew that the system was just a mirror of production and not actual production, and that permission had been granted to perform this type of attack.

7. INSERT INTO `accounts` (`id`,`bal`,`first`,`last`,`phone`,`ssn`,`bday`,`email`,`password`) VALUES ("1170","10000000","Denise","Mangold","7721","555-55-5555","32510602","unixgrl","welcome");
   I know the columns I should be interested in are id and password in the accounts table, so those are the two columns I need to access.

8. SELECT * FROM accounts WHERE id = id -- AND password = '$password'
   This gave me all the user IDs and passwords of the other users.

Post Exploitation Phase:

The purpose of the post exploitation phase is to determine the value of the machine that was penetration tested. The value of the machine is determined by the value of the information stored on it, and by the usefulness of that machine for gaining further unauthorized access into the network. Our penetration test showed that this machine is a critical security liability for the company. We used more than one tool to verify the validity and criticality of the findings on the penetration-tested machine.

Reporting Phase:

The reporting phase is the phase in which the penetration test is documented in detail, with recommendations to the client. The report should be well structured, with sections such as the following: Summary; Background; Risk Ranking; General Findings/Observations; Recommendations; Technical Report; and a Roadmap for remediating the security risks. Kali Linux does have reporting features that were not utilized for this paper; the reporting tools that come with Kali Linux include ones for evidence management, documentation, and media capture, with a variable number of tools for each purpose.

Example (condensed) Report of Penetration Test:

1. Background: Frozbozz has started a new initiative to penetration test all pre-production systems as part of the quality assurance cycle. They would like to make it company policy to security test all systems before they go into production. Their goal is to minimize the possibility of a costly security breach as well as to protect customer, employee and company data.
2. Systematic issues: The penetration testing was successful in breaching the OS, the web application and the database.
3. Risk Ranking/Profile:
   a.
EXTREME: SQL injection of the database. The MySQL database allows SQL injection and the ability to transfer, grant and manipulate the financial information contained in that database; it also exposes sensitive information such as employee SSNs, phone numbers, addresses and bank information.
   b. EXTREME: File traversal within the web application. This vulnerability exposes the users and their hashed passwords; it was easily exploited and elevated privilege was gained at the OS level.
   c. HIGH: Buffer overflow. A buffer overflow vulnerability exposes the server to malicious code such as worms.
4. General Findings: The OS was behind on critical patches; there is a lack of OS hardening and of application hardening; the credentials for MySQL and for the OS users were easily guessed; there is a lack of quality testing of application code, and the web application has design flaws.
5. Recommendation Summary: Patch the OS. Add mysql_real_escape_string to protect against SQL injection attacks. Redesign the cgi-bin web application to run in a chroot environment to protect against file traversal attacks exposing the OS file system. The webserver.c code should have memory bounds checking to prevent buffer overflow attacks.
6. Strategic Roadmap: This usually includes the roadmap for remediating the security issues found. Frozbozz's roadmap would state that the OS would be remediated first; the DB and web server would depend on the developers' time, as both would have to be rewritten. This would be defined in a project plan, probably using the Agile methodology.
7. Technical Report: This section of the report would focus on the technical details of the test: the attack path, the parameters used within tools such as Vega or OWASP ZAP, the tools used, and the outcome.

Conclusion:

No company or individual is immune to security breaches. The past few years have seen unprecedented breaches costing millions of dollars; security breaches have a severe impact on the economy as a whole.
A breached company takes the financial loss from the breach itself, the loss of consumer confidence, and the loss of a once solid reputation. Once a reputation has been damaged it is exceptionally hard to overcome negative perceptions. Companies need to incorporate security testing and governance into their IT infrastructure. Security should not be an afterthought but a continuing part of the IT lifecycle. Being proactive with security is analogous to purchasing car insurance: it does not seem valuable until the need arises, yet not having it can cause great devastation that can be difficult or even impossible to recover from.
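As an added example (not code from the paper or from the FrozbozzCo server), the following Python replays the SQL injection walkthrough from the Exploitation Phase against an in-memory SQLite table that mirrors the accounts lookup in FCCU.php, beside the parameterized form that the report's remediation should use. The table, rows and column set are constructed test data. Because the vulnerable query interpolates id without quotes, escaping quote characters with mysql_real_escape_string would not stop the "id --" probe; binding the values as parameters does.

```python
import sqlite3

# Constructed test data: a cut-down version of the paper's nine-column accounts table.
SCHEMA = """
CREATE TABLE accounts (id INTEGER, bal INTEGER, first TEXT, password TEXT);
INSERT INTO accounts VALUES (1, 1500, 'Alice', 'hunter2');
INSERT INTO accounts VALUES (2, 320, 'Bob', 'letmein');
INSERT INTO accounts VALUES (3, 99000, 'Carol', 's3cret');
"""


def open_db():
    """Fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, account_id, password):
    """The FCCU.php pattern: request values pasted straight into the SQL text.

    id is interpolated without quotes, so escaping quotes would not help here;
    whatever the client sends for id becomes SQL syntax.
    """
    sql = (f"SELECT id, password FROM accounts "
           f"WHERE id = {account_id} AND password = '{password}'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, account_id, password):
    """Same lookup with bound parameters: the values can never alter the statement."""
    sql = "SELECT id, password FROM accounts WHERE id = ? AND password = ?"
    return conn.execute(sql, (account_id, password)).fetchall()


def run_demo():
    """Replay the paper's probes against both query builders and return the outcomes."""
    conn = open_db()
    out = {}
    try:  # probe 1: the junk id that produced the MySQL syntax error the scanners keyed on
        lookup_vulnerable(conn, "/FCCU.php", "letmein")
        out["error_probe"] = "no error"
    except sqlite3.OperationalError as exc:
        out["error_probe"] = "syntax error" if "syntax error" in str(exc) else str(exc)
    # probe 2: "id --" comments out the password check, so every row comes back
    out["vuln_comment_rows"] = len(lookup_vulnerable(conn, "id --", "anything"))
    out["vuln_normal_rows"] = len(lookup_vulnerable(conn, "2", "letmein"))
    # the same inputs against the parameterized query: only the genuine login matches
    out["safe_comment_rows"] = len(lookup_parameterized(conn, "id --", "anything"))
    out["safe_normal_rows"] = len(lookup_parameterized(conn, "2", "letmein"))
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

SQLite's comment and error behaviour matches MySQL closely enough for these two probes; the row counts are what the paper observed (an error page, then every account).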

Bibliography (a mix of internet research and books):

1. "About DeterLab | DETER." About DeterLab | DETER. N.p., n.d. Web. 16 Dec. 2014. (http://www.isi.deterlab.net)

2. Alcorn, Wade, Christian Frichot, and Michele Orru. The Browser Hacker's Handbook. N.p.: n.p., n.d. Print.

3. Ali, S. Kali Linux: Assuring Security by Penetration Testing. S.l.: Packt Limited, 2014. Print.

4. "Behind the App: The Story of Kali Linux." Lifehacker. N.p., n.d. Web. 12 Dec. 2014. (http://lifehacker.com/behind-the-app-the-story-of-kali-linux-1666168491)

5. Erickson, Jon. Hacking: The Art of Exploitation. San Francisco, CA: No Starch, 2008. Print.

6. "Infographic: 2014's Top Breaches So Far." BankInfoSecurity. N.p., n.d. Web. 16 Dec. 2014. (http://www.bankinfosecurity.com/infographic-2014s-top-breaches-so-far-a-7408)

7. "Kali Linux | Rebirth of BackTrack, the Penetration Testing Distribution." Kali Linux. N.p., n.d. Web. 11 Dec. 2014. (https://www.kali.org)

8. "Kali Linux." BlackMORE Ops. N.p., n.d. Web. 12 Dec. 2014.

9. Kim, Peter. The Hacker Playbook: Practical Guide to Penetration Testing. North Charleston, SC: Secure Planet, LLC, 2014. Print.

10. "Offensive Security Training and Services." Offensive Security. N.p., n.d. Web. 16 Dec. 2014. (http://www.offensive-security.com)

11. "Survey Shows the Cost of Security Breaches Is on the Rise." CSO Online. N.p., n.d. Web. 16 Dec. 2014. (http://www.csoonline.com/article/2689346/big-data-security/survey-shows-the-cost-of-security-breaches-are-on-the-rise.html)

12. "Main Page." The Penetration Testing Execution Standard. N.p., n.d. Web. 16 Dec. 2014. (http://www.pentest-standard.org/index.php/Main_Page)