A Selection of Network Penetration Test Tools

Transcription

1 A Selection of Network Penetration Test Tools by Abstract This paper presents some of the tools required for a network penetration test. All parts of the test are covered, from the first phase of getting DNS information and IP addresses without making suspicious connections to the target, to the last phase of trying to get control over the target. All the software tools I present here are for free available on the Internet, which makes it possible for the interested reader to try them. The tools presented: Ping, Traceroute, NMAP, John the Ripper, Firewalk, Nessus and the Metasploit Framework. Keywords Penetration test, network, black- and whitehat - 1 -

2 Index Abstract... 1 Keywords... 1 Index... 2 Introduction:... 3 OS build in tools... 4 Ping... 4 Traceroute:... 4 DNS Information:... 5 NMAP:... 6 John (the Ripper):... 8 Firewalk:...10 Nessus:...10 The Metasploit Framework:

3 Introduction: Computer security is getting more and more important in our computerized world. Computers penetrate almost every possible part of our lives, and different networks merge together into the internet. A few years ago, the Internet and the cell phone networks have been separated. Nowadays, you can surf with a cell phone and carry voice over the internet without any problems, and in the near future those networks maybe will get one. Every computer and every network connected to the Internet is a possible target for attackers with bad intentions, often called blackhats or cracker. Sensitive information needs to be protected, and a penetration test on those systems holding sensitive information should be carried out frequently. Poorly patched systems and bad passwords can make it very easy to break into a system. Whitehats on the other hand are computer security professionals, which carry out attacks on system with the intention to find possible security holes and close them, making the system more secure. The tools in this paper are described in a chronological order of such penetration tests. It starts with the real basic tools that most operation systems have already built in after installation to identify a target. Then, after the target has been identified, it is important to know what services it is running, and then use exploits in them to gain control. There are a lot more security related tools available on the Internet like sniffer (like Ethereal, TCPDump, ), penetration test live CDs (like whax, BOSS, AnonymOS, ), Trojans (like BackOriffice, NetBus, ) and more. In the case of a penetration test with physical access to the machine, a total different set of tools will be used. The examples of the tools described in this paper were run on a 800 MHz with 512 MB RAM Linux server called opportunity, running Debian 3.1 sarge. Although all the tools are available on the Internet, the use of them might be prohibited by law in some countries and attacking computers without the proper permission can be seen as a crime

4 OS build in tools Ping Ping is a program for determining if a host in an IP network is up and what the response time is. It sends an ICMP Type 8 (Echo Requests) packet to the target host, which answers with ICMP Type 0 (Echo Response). If the host is down or currently unreachable, the router assigned to the host answers an ICMP Type 3 (Destination Unreachable) packet. Due to security reasons, many systems (either routers or computers) are configured not to answer to ICMP requests, making it more difficult to find out if the target host is up. ICMP is like TCP and UDP a protocol of the internet protocol (IP) suite. martin@opportunity:~$ ping PING ( ) 56(84) bytes of data. 64 bytes from : icmp_seq=1 ttl=242 time=46.1 ms 64 bytes from : icmp_seq=2 ttl=242 time=40.3 ms 64 bytes from : icmp_seq=3 ttl=242 time=39.2 ms 64 bytes from : icmp_seq=4 ttl=242 time=51.1 ms ping statistics packets transmitted, 4 received, 0% packet loss, time 3002ms rtt min/avg/max/mdev = /44.209/51.155/4.795 ms Example 1: ping Traceroute: Traceroute on Linux (and tracert on Windows) is a tool to determine the path to a particular host. It achieves this by sending out packets with incremented time to live (TTL) value. The IP TTL field is used to limit the lifetime of datagrams across the Internet and is decremented just before a router forwards a packet. If this reduction would cause the TTL to 0 or less, the router in question will send back an ICMP Type 11 (Time Exceeded) error message to the original host. So the first packet has a TTL of 1, the second a TTL of 2, and so on. Every hop on the path to the target is sending such an ICMP error message back. With these error messages, a list of hosts on the route to the target can be produced. Traceroute is - 4 -

5 often used for network troubleshooting and penetration testing, revealing useful information about network infrastructure and IP ranges around a given host. martin@opportunity:~$ traceroute traceroute: Warning: has multiple addresses; using traceroute to ( ), 30 hops max, 38 byte packets ( ) ms ms ms 2 chello vie.surfer.at ( ) ms ms ms 3 at-vie-pe-sr15a-ge-3-1.upc.at ( ) ms ms ms ( ) ms ms ms ( ) ms ms ms 6 * * * 7 at-vie01a-rd1-ge-13-0.aorta.net ( ) ms ms ms 8 at-vie15a-rd1-ge-15-0.aorta.net ( ) ms ms ms ( ) ms ms ms 10 uk-lon01a-rd2-pos-5-0.aorta.net ( ) ms ms ms ( ) ms ms ms 12 * * * 13 po12-0.loncr3.london.opentransit.net ( ) ms ms ms 14 google-1.gw.opentransit.net ( ) ms ms ms ( ) ms ms ( ) ms ( ) ms ms ms Example 2: traceroute DNS Information: Nslookup, host and dig are 3 tools to get data about a target using the domain name service (DNS). Nslookup is available for Windows and Unix, host and dig only for Unix. DNS information can be useful by providing a lot of information, i.e. identifying target IP ranges, mail server, system information, service provider, and more. The nice thing about this useful information is that it is not located at the target but distributed, making it impossible to find you because of your queries. All 3 tools can be used for retrieving all the data stored on a name server for a specific domain, a so called DNS zone transfer. A zone transfer can often be launched to reveal details of nonpublic internal networks and other useful information that can help build an accurate map of the target infrastructure. martin@opportunity:~$ dig ru.is MX ; <<>> DiG <<>> ru.is MX ;; global options: printcmd ;; Got answer: - 5 -

6 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;ru.is. IN MX ;; ANSWER SECTION: ru.is. 120 IN MX 20 mx1.svaka.net. ru.is. 120 IN MX 10 mailgw.ru.is. ;; ADDITIONAL SECTION: mailgw.ru.is IN A ;; Query time: 137 msec ;; SERVER: #53( ) ;; WHEN: Sun Mar 19 20:34: ;; MSG SIZE rcvd: 91 Example 3: Identifying the mail servers of Reykjavik University, mxl.svaka.net & mailgw.ru.is NMAP: NMAP is an open source project for network exploration and security auditing. It is able to scan large networks quite fast, but it also works fine for a single host. By sending raw IP packets, NMAP is able to determine which hosts on a network are up, which ports are open and which services are running on the hosts, if there are any firewalls and what their rules are, and even more. It also finds out which operating system and version is running on the target, by analyzing the TCP/IP stack and the services offered by the target (a technique known as fingerprinting ). It offers a wide range of scanning techniques, even stealth techniques not completing the TCP connection or by abusing the TCP protocol, sending packets that are impossible in the beginning of a normal TCP conversation. An example: the Null Scan option, sending packets with an empty TCP flag header (all bits are 0). opportunity:~#./nmap -sn -A Starting Nmap 4.01 ( ) at :44 CET Interesting ports on localhost.localdomain ( ): (The 1662 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.8.1p1 Debian-8.sarge.4 (protocol 2.0) 25/tcp open smtp Exim smtpd /tcp open http Apache httpd ((Debian GNU/Linux) mod_python/3.1.3 Python/2.3.5 PHP/ mod_perl/ Perl/v5.8.4) - 6 -

7 111/tcp open rpcbind 2 (rpc #100000) 113/tcp open ident OpenBSD identd 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 766/tcp open status 1 (rpc #100024) 1241/tcp open ssl Nessus security scanner 5432/tcp open postgresql PostgreSQL DB Device type: general purpose Running: Linux 2.4.X 2.5.X 2.6.X OS details: Linux or Gentoo 1.2 Linux rc1-rc7 Uptime days (since Tue Mar 14 15:01: ) Service Info: OS: OpenBSD Example 4: Stealth NMAP Null Scan of Opportunity The OS fingerprinting and the service versions are very useful as they can reveal poorly patched services and systems. By using a vulnerability scanner like Nessus (described later), well known exploits on these old services and unpatched systems can be discovered and may be abused for getting control over the system. Another nice feature is the T parameter, allowing the user to choose timing templates, specifying if the scan has to be very fast ( -T 5 ) or really slow ( -T 0 ) to avoid detection by Intrusion Detection Systems. The default timing template is -T 3. NMAP is used in the movie The Matrix Reloaded by Trinitiy to scan the computer of a power plant [3]. opportunity:~#./nmap -O /24 Starting Nmap 4.01 ( ) at :14 CET Interesting ports on : (The 1670 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 80/tcp open http 443/tcp open https MAC Address: 00:13:10:2F:E6:7E (Cisco-Linksys) Device type: general purpose Running: Linux 2.4.X 2.5.X OS details: Linux Uptime days (since Fri Jan 6 21:17: ) Interesting ports on : (The 1663 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 113/tcp open auth 139/tcp open netbios-ssn 445/tcp open microsoft-ds - 7 -

8 766/tcp open unknown 1241/tcp open nessus 5432/tcp open postgres Device type: general purpose Running: Linux 2.4.X 2.5.X 2.6.X OS details: Linux or Gentoo 1.2 Linux rc1-rc7, Linux Uptime days (since Tue Mar 14 15:01: ) Nmap finished: 256 IP addresses (2 hosts up) scanned in seconds Example 5: Scanning the sub-network with OS detection John (the Ripper): John the Ripper is a fast password cracker, currently for almost every platform available. It supports most Unix password hash functions, as well as Kerberos and Windows 2000/XP LM hashes, and more. Its purpose is to detect weak passwords. System passwords in Windows are stored in the SAM database, in Linux in /etc/shadow, which can only be read by root. aa:$1$kctu9.rd$y3vub0crk0ggkb5kghicy.:13221:0:99999:7::: top:$1$kqs5m2pr$n043g3ynhlfzoa9czxjda.:13221:0:99999:7::: john:$1$m7hk6/zi$6s3gqncqej2eluspe7gag/:13221:0:99999:7::: paul:$1$mmo8jxij$uctmchyxl4/enhfpatze00:13221:0:99999:7::: walter:$1$jjtzttxz$54o4uaq1pnwzjsyh15hof1:13221:0:99999:7::: linda:$1$dwnln1r0$inxbqabbr11r4ijb7prdb/:13221:0:99999:7::: paolo:$1$dykjspfz$upbv56t3p1h5m4pcfcr81.:13221:0:99999:7::: oracle:$1$lfmgdrrm$mjmhdknx5xepcoyv3ghgs0:13221:0:99999:7::: sandy:$1$5kuyryuf$js2wpkuvptdc7vrysikou0:13221:0:99999:7::: temp:$1$si.rrxz4$0fdnl4dsqad1dvtfkwwcu1:13221:0:99999:7::: Example 6: Part of /etc/shadow, showing the test users and their hashed passwords John supports 3 different modes for cracking passwords: Dictionary attack, Single crack and Incremental mode. 1. Single crack: is the most basic mode which runs first when no specific mode was requested. It uses the login names, users home directories and any other information saved for that user in the /etc/passwd file, and will apply a large set of mangling rules. 2. Dictionary attack: a dictionary file is a file, containing one word per line. A quite big one can be found at ftp://ftp.openwall.com/pub/wordlists/all.gz, containing about 4 million words from several languages

9 3. Incremental mode: This is the most powerful mode, it will try all possible character combinations as passwords. Cracking with this mode will never terminate, because of the enormous number of combinations. You can specify the set of characters used. For the first experiment 10 users were added, john was running for 48 hours: Username Password cracked time aa test yes 15s top secret yes 15s john aek25bk no --- paul england yes 2m walter UKW!25bf no --- linda god yes <100m paolo limewire no --- oracle oracle yes 1s sandy lokomotion no --- temp Temp yes 1s Experiment 1: User list After only 2 seconds, oracle and temp were cracked, because of the really weak password. After 15 seconds, aa and top were cracked. In less then 100 minutes, Lindas password got cracked, and after restarting with a new wordlist (the big one mentioned above), pauls password got cracked. The second experiment intended to show the speed of the incremental mode. John was running for about 89 hours. The number in the username is equal to the length of the password. Username Password cracked time Username Password cracked time a1 a yes 45s a5 asdf1 yes 9m b1 yes 5m b5 9kk!$ no --- c1 " yes 5m c5 l<ßb3 no --- a2 a9 yes 9m a6 franz3 no --- b2 B/ yes 10h b6?help8 no --- c2 f. yes 10h c6 >yps%4 no --- a3 5eü no --- a7 hjan4k! no --- b3 ;op no --- b7 klo!re1 no --- c3 l & no --- a8 ~bqr2zu= no --- a4 at+i no --- b8 pia+r)l2 no --- b4 #la3 no --- c4 tor3 yes 19h - 9 -

10 d4 Qr4! no --- Experiment 2: User list Due to the quite slow CPU, the randomness of the character sequence and the big set of possible characters only a few passwords could get cracked. For highly sensitive systems, more time and a stronger CPU would make sense, as a possible attacker might have both. System administrators should use John regularly to find weak user passwords. Firewalk: Firewalk is a utility that can determine the filtering rules of a firewall or a packet filter. It uses traceroute-like IP packets to find out whether or not a particular packet can pass trough the filter, by sending IP packets with TTL values set to expire one hop past a given gateway. If an ICMP Type 11 (TTL esceeded in transit) message comes back, the packet passed through the filter and a response was later generated. If the packet was dropped without a comment, it was probably done at the gateway, although it is also possible that it passed through the filter and the target produced an ICMP error message, but the firewall is blocking outgoing ICMP packets. If an ICMP Type 13 (communication administratively prohibited) message is received, a simple filter such as a router access control list is being used. Firewalk doesn t work in networks where network address translation or any kind of proxy server is being used. It works effectively against hosts in true IP routed environments. You need to know the IP address of the filtering device and one host behind it to start the scan. Nessus: Nessus is a vulnerability scanner, consisting of 2 programs: the server nessusd program which does the scanning, and a client which presents the results to the user. In Unix you can connect to the server with the command line client nessus or the

11 graphical user interface NessusClient, for Windows there is only a GUI client available, NessusWX. The result of a scan can be exported in various formats: plain text, HTML, XML or LATEX. Every security check in Nessus is coded as a plugin, written in NASL (Nessus Attack Scripting Language), a scripting language optimized for custom network interaction. More then 10,000 plugins are available by now, new ones generated every day. These plugins are immediately available to the direct feed customers ($1,200 per year and scanner), and are delivered seven days later to the registered feed customers (free). When performing a scan, nessus first does a port scan to find all open ports, and afterwards tries the exploits on the open ports. It can be used to scan many hosts at a time, or even a whole network. Below is the first part of a scan report with the most important facts found by nessus. The detailed information is truncated as it would be far too long. Nessus Scan Report SUMMARY - Number of hosts which were alive during the test : 1 - Number of security holes found : 0 - Number of security warnings found : 3 - Number of security notes found : 38 TESTED HOSTS (Security warnings found) DETAILS :. List of open ports : o ssh (22/tcp) (Security notes found) o netbios-ns (137/tcp) (Security notes found) o general/tcp (Security notes found) o cycleserv (763/udp) (Security notes found) o sunrpc (111/udp) (Security notes found) o unknown (766/tcp) (Security notes found) o postgresql (5432/tcp) (Security notes found) o nessus (1241/tcp) (Security notes found) o microsoft-ds (445/tcp) (Security warnings found) o netbios-ssn (139/tcp) (Security notes found) o ident (113/tcp) (Security notes found)

12 o sunrpc (111/tcp) (Security notes found) o http (80/tcp) (Security warnings found) o smtp (25/tcp) (Security notes found) Example 7: Scan report without detailed information on Opportunity The Metasploit Framework: The Metasploit Framework is an open source vulnerability exploiter. After scanning a host with NMAP for running services, and checking them with Nessus for vulnerabilities, Metasploit can be used to take over the system or run any desired command with privileged rights. It is available for Windows, BSD, OS X and Linux, written mostly in Perl. It offers 3 different interfaces: the console interface was designed to be fast and flexible, offering an interactive command line. If a command is not recognized by Metasploit, it checks if it is a system command and executes it. The command line interface in a normal shell can be used for automated exploit testing. The web interface is a stand alone web server, offering access to the Metasploit framework to every browser. It is really easy to use: select an exploit, specify a target, verify the exploit options, selecting the payload, launching the exploit. The payload is the code to run on the target, usually opening a reverse shell, adding a privileged user or download and run backdoor software from the internet. The current version, 2.5, has 125 available exploits and 75 payloads. With the modularity of the exploit and the payload it is possible to combine almost every exploit with any payload, just depending on the operation system running at the target

13 References: [1] Network Security Assessment, by Chris McNab, O Reilly ISBN: X [2] Firewalk Whitepaper, retrieved March 20, 2006, from [3] Matrix mixes life and hacking, retrieved March 19, 2006, from [4] John the Ripper online Documentation, retrieved March 16, 2006, from [5] Nessus Advanced User Guide, retrieved March 21, 2006, from [6] Open-Source Security Testing Methodology Manual, retrieved March 22, 2006, from [7] BSI Studie Penetrationstest, retrieved March 20, 2006, from [8] Metasploit User Guide, retrieved March 21, 2006, from [9] The man pages shipped with the programs