Usage of Vulnerability Tools


Chitransh Chhalotre
Department of Computer Science and Engineering
Indian Institute of Technology (IIT), Hyderabad
Chitransh.chhalotre@gmail.com

Project guide: Dr. N.P. Dhavale
DGM, INFINET Department
Institute of Development and Research in Banking Technology (IDRBT)
Road No. 1, Castle Hills, Masab Tank, Hyderabad

July 13,

CONTENTS

Certificate
Declaration
Acknowledgement
Abstract
1. Introduction
   Hacking
      Black Hat Hackers
      White Hat Hacker
   Penetration Testing
      White Box Testing
      Black Box Testing
      Grey Box Testing
   Process and Methodology
      Planning and Preparation
      Information Gathering and Analysis
      Enumeration and Fingerprinting
      Vulnerability Detection
      Penetration Attempt
      Analysis and Reporting
      Cleaning Up
   Vulnerabilities
      Causes
   Vulnerability Scanning
      Assessment Scans
      Maintenance Scans
      Intrusive vs. Non-intrusive Scans
      Full Scan vs. Port Scans
   Vulnerability Scanning Tools
      Nmap
         Results
      Nessus
         Results
8. Metasploit
      Results
Conclusion

CERTIFICATE

This is to certify that the project report titled "Usage of Vulnerability Tools" submitted by Chitransh Chhalotre of B.Tech. 3rd year, Dept. of Computer Science and Engineering, IIT Hyderabad, is a record of bona fide work carried out by her under my guidance during the period 20th May 2011 to 20th July 2011 at the Institute of Development and Research in Banking Technology, Hyderabad. The project work is a research study, which has been successfully completed as per the set objectives.

Dr. N.P. Dhavale
DGM, Infinet office
IDRBT, Hyderabad

DECLARATION

I declare that the summer internship project report titled "Usage of Vulnerability Tools" is my own work conducted under the supervision of Prof. N P Dhavale at the Institute of Development and Research in Banking Technology, Hyderabad. I have put in 61 days of attendance with my supervisor at IDRBT and have been awarded a project fellowship. I further declare that, to the best of my knowledge, the report does not contain any part of any work which has been submitted for the award of any degree either in this institute or any other institute without proper citation.

Chitransh Chhalotre
B.Tech. 3rd year
Dept. of Computer Science and Engineering
IIT Hyderabad

Abstract

This document explores the usage of three vulnerability tools, namely Nmap, Nessus and Metasploit, in penetration testing of a scenario created in a lab environment. Its purpose is to make the tester aware of the commonly used features and options of these tools so that they can be used in an optimal manner. Nmap and Nessus are used to scan a system for the vulnerabilities that might be present in it, and Metasploit is then used to exploit the vulnerabilities found. To explore the usage of the tools, various tests were made with them against the given system and the results were recorded, showing how effective each was. It was found that certain combinations of tools and options allowed the system to be compromised with less difficulty than others. Also, a combination which failed in one scenario succeeded in another, showing the context-dependent nature of this kind of testing. This document therefore reports the approaches that were effective on the given scenario.

Introduction

Hacking

Computer hacking is the practice of modifying the features of a system to achieve functionality that was not intended by its creator. A person who enjoys hacking and makes it part of their lifestyle is known as a hacker. A hacker has strong programming and networking skills and an intimate understanding of the internal structure of the systems they work with, which they use to solve problems and overcome limits. Contrary to popular belief, the term hacking does not necessarily mean illegal exploitation of a computer system; it depends on how the hacker chooses to conduct their activities. Motivation varies from simple curiosity to personal and monetary gain. Some hack for the pure joy of it and to get to know a system better, whereas others do it with the malicious intent of harming others or for illicit gain. Depending on the hacker, then, hacking can be constructive or destructive. Based on their intentions there are two kinds of hackers:

Black Hat Hacker
White Hat Hacker

Black Hat Hacker

A black hat hacker is a person who hacks with the intent of making unauthorized use of computer and network resources, breaching the confidentiality, integrity and availability of information systems. They are also called crackers. They compromise the security of a system without permission from its owners, often with malicious intent. Usually a black hat uses their knowledge of vulnerabilities and exploits for private gain rather than revealing them to the public or to the vendor for correction. Many black hats hack networks and web pages solely for financial gain. Black hats may seek to expand holes in systems; any patching they do is generally meant to prevent others from also compromising a system they have already taken secure control over. A black hat hacker may write their own zero-day exploits (private software that exploits vulnerabilities which have not been disclosed to the public). In the most extreme cases black hats work to cause damage maliciously, or threaten to do so as extortion. Their purpose is mainly to disrupt normal processes and "violate computer security for little reason beyond maliciousness or for personal gain". Such hackers first find a network or system which interests them, or which is simply vulnerable, then break into it to gain unsanctioned access and make unwanted and potentially damaging changes.

White Hat Hacker

A white hat hacker is a person who hacks with the intention of identifying security weaknesses in a network or system, not to take unfair advantage of them but to expose them so that the owner can fix them. They do so with proper permission from the concerned authorities and are often hired for the purpose by companies and firms. They are also called ethical hackers. The primary difference between white and black hat hackers is that a white hat hacker observes ethical principles. Like black hats, white hats are often intimately familiar with the internal details of security systems and can delve into obscure machine code when needed to find a solution to a tricky problem. This category also includes those who are adept at methodologies such as penetration testing and vulnerability assessment, helping an organisation to secure its information network.

Penetration Testing

Penetration testing is a method of evaluating the security of an information system or network set up by an organisation by simulating an attack from a malicious (black hat) hacker. It involves gathering information about the system, such as its IP addresses, operating system and the status of its ports, and identifying the vulnerabilities present in the system, whether due to complexity, unsafe programming, protocol weaknesses, operating system flaws or other causes. The testing is carried out from the position of a potential attacker and can include exploitation of the vulnerabilities found, together with an assessment of how the countermeasures in place react. Any issues found with the security of the systems are reported to the owners along with possible solutions. The foremost aim of such a procedure is to check the feasibility of an attack and its impact if it succeeds. For example, the Payment Card Industry Data Security Standard (PCI DSS), a security and auditing standard, requires both annual penetration testing and re-testing after significant system changes.

Based on the knowledge available to the penetration tester, the testing can be classified in three ways:

White Box Testing
Grey Box Testing
Black Box Testing

White Box Testing

In this kind of testing the tester has complete knowledge of the intended target and its infrastructure. While this makes the penetration easier, it is an unrealistic scenario for an external attack, since a potential attacker is usually outside the system with no knowledge of it, and their modus operandi therefore differs from the tester's. One advantage of this kind of testing is that it is cost effective, because little time is spent on reconnaissance. It investigates the scenario in which an insider tries to gain unauthorized entry, or in which leaked sensitive information has given an attacker knowledge of, or access to, source code, network layouts and possibly even some passwords.

Black Box Testing

In this kind of testing the tester has no prior knowledge of the implementation details of the system and must first identify the location and extent of the systems before commencing the analysis. This type of testing investigates the scenario in which an outsider tries to break into a secure system. It is therefore very realistic but not cost effective: black box penetration testing is labour-intensive and requires expertise to minimize the risk to the targeted systems, in contrast to white box testing, where much of the work can be automated cheaply. It thus takes more time and is more difficult than white box testing.

Grey Box Testing

This kind of testing lies between the two types explained above. Here the tester has limited information about the working of the system; there is partial disclosure of information. Depending on how much is revealed, it takes a varying mix of manual labour and automated testing, and it can be anywhere from the least to the most cost effective of the three.

On the basis of the location of the tester, there are again two types of penetration testing:

Internal
External

Internal Testing

In this type of testing the tester is present inside the organisation's network. This kind of testing is required to secure the internal systems because various studies have shown that about 50% of security incidents occur inside the perimeter, such as information leaks, which may be accidental, caused by the carelessness of an employee, or deliberate, caused by an employee with malicious intentions. Since these employees are inside the organisation they may have access to data and knowledge of how the security architecture is used and how it can be compromised. Internal testing therefore deals with how to secure the system in these scenarios.

External Testing

In this kind of testing the tester is located outside the information system. It simulates the attack of an external cracker on the network. It assesses the ability of the network to withstand external attacks and also includes vulnerability assessment. Such testing is usually carried out on the internet-facing information systems set up by the organisation. It examines external IT systems for any weakness that could be used by an external attacker to disrupt the confidentiality, availability or integrity of the network, thereby allowing the organisation to address each weakness.

Also, on the basis of the target, there are two types of attack:

Network Attacking
Application Attacking

Network Attacking

This type of testing identifies threats that may exploit vulnerabilities in information assets at the network level: the services reachable over the network and the operating system's network stack. It covers the first four layers of the OSI model and explores the scenario in which the network faces attacks such as IP spoofing, man-in-the-middle, denial of service (DoS) and eavesdropping.

Application Attacking

This type of testing exploits vulnerabilities in an application that arise from flaws in its design, development, deployment, upgrade or maintenance. The application may be web based, client-server or stand-alone. It covers layers 5 to 7 of the OSI model and includes testing the application for attacks such as buffer overflows, cross-site scripting, SQL injection and session hijacking.

Process and Methodology

Planning and Preparation

Carrying out a penetration test for an organisation needs a lot of preparation. Before starting, there should ideally be a meeting between the organisation's officials and the penetration testers in which they decide the scope, extent and aim of the test. Generally the aim of a penetration test is to demonstrate the presence of weaknesses in the network infrastructure which might compromise it. The test is scoped by identifying the machines, systems and networks involved, the operational requirements and the staff concerned. There must also be agreement on the form of the output. Another important aspect requiring planning is the duration and timing of the test. It should be carried out so that it has minimal effect on normal work and everyday processes; the tester may have to pick a particular interval of the day in which to test, and intervals of heavy or critical use should be avoided.

There is a possibility that the test will crash a system because of the unusual network traffic it creates. Measures should therefore be taken to deal with any resulting system failure, and if such a risk cannot be tolerated the system should be excluded from the test.

Information Gathering and Analysis

After planning and preparation, the next step is to gather as much information as possible about the target system. There are plenty of tools available online for doing a network survey. A network survey is an introduction to the system: it finds the reachable hosts and yields information in the following fields:

Domain names
Server names
Internet Service Provider
IP addresses of hosts
Network map

After completing the network survey, the next task is a port scan. There are 65,535 possible TCP ports and as many UDP ports. The basic result of a port scan is a list of open ports on a particular IP address. At this point system information such as the operating system should also be associated with the IP address.

Enumeration and Fingerprinting

Target network enumeration and host fingerprinting are crucial parts of both legitimate penetration testing and a real attack: you cannot go on the offensive without detailed terrain mapping and target reconnaissance. A great many enumeration and fingerprinting tools, such as ping, traceroute, whois, dig, host and various port scanners (especially Fyodor's Nmap), are already available on the internet and elsewhere. Specific targets are determined in this phase, along with the services and open ports on each, and the operating system is enumerated. The methods used include:

Banner grabbing
Responses to various protocol (ICMP and TCP) commands
Port/service scans: TCP connect, TCP SYN, TCP FIN, etc.

Vulnerability Detection

The next step after gathering the relevant information is to determine the vulnerabilities that exist in each system on the network. The tester needs a collection of exploits and vulnerabilities for this purpose and analyses the gathered information, using skill and knowledge, to find any vulnerability; this is manual vulnerability detection. There are also tools, such as Nessus, which automate the whole process: they scan the systems and generate a list of the vulnerabilities present on each, with the available exploits. This allows a list of targets to be drawn up for detailed investigation; these systems are subjected to a penetration attempt in the next step.

Penetration Attempt

After the vulnerabilities have been detected, the targets for the penetration test are identified and a timeline is decided for carrying it out. Various tools for performing the penetration are available on the internet, but they need customization to suit the specific purpose. Although we may know that a vulnerability is present in a system, it does not follow that it can be exploited, so it may not be possible to penetrate a system even when in theory it should be. First the tester should try the existing exploits against the vulnerable systems. The next step is password cracking: services such as Telnet and FTP running on the system accept logins that can be subjected to password guessing. Some of the password cracking methods are:

Dictionary attack
Brute force
Hybrid crack
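The port scan and banner grabbing steps described above, as an added example that is not code from the report: a TCP connect() scan of a list of ports, then banner grabbing and a small signature match on every open port, in the spirit of Nmap's version detection. The local listener, the signature table and the banners are constructed for the example (the Apache-Coyote/1.1 Server header echoes what the report's Nmap run saw on port 8000); a connect() scan completes the handshake and is therefore logged by the target, while Nmap's default SYN scan needs raw sockets and is not shown here.

```python
import re
import socket
import threading

# Banner patterns used to guess the service behind an open port. Assumed for
# this example; a tiny stand-in for Nmap's nmap-service-probes database.
SERVICE_SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-\d\.\d-")),
    ("smtp", re.compile(rb"^220[ -].*\bE?SMTP\b", re.I)),
    ("ftp",  re.compile(rb"^220[ -].*\bFTP\b", re.I)),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}")),
]

def start_fake_service(banner: bytes, speaks_first: bool = True) -> int:
    """Throwaway listener on 127.0.0.1 standing in for a target: it greets the
    client with `banner` at once (FTP/SSH/SMTP style) or, if speaks_first is
    False, waits for a request first (HTTP style). Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(3)
                try:
                    if not speaks_first:
                        conn.recv(1024)      # wait for the client's request
                    conn.sendall(banner)
                    conn.recv(1024)          # wait for the client to hang up
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port() -> int:
    """Bind and release an ephemeral port so the scanner sees a closed one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """TCP connect() scan (nmap -sT): full handshake per port, classified as
    Nmap does: open (SYN/ACK), closed (RST) or filtered (no answer)."""
    states = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                states[port] = "open"
            except ConnectionRefusedError:
                states[port] = "closed"
            except OSError:                  # timeout: a firewall dropped it
                states[port] = "filtered"
    return states

def grab_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Banner grabbing: listen first (Nmap's NULL probe, enough for services
    that speak first), then send a minimal HTTP request (like Nmap's
    GetRequest probe) for services that wait for the client."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    return data

def fingerprint(banner: bytes) -> tuple:
    """Map a banner to (service, product) using SERVICE_SIGNATURES."""
    for name, pattern in SERVICE_SIGNATURES:
        if pattern.search(banner):
            m = re.search(rb"^Server:\s*(.+?)\s*$", banner, re.M) if name == "http" else None
            product = m.group(1) if m else banner.split(b"\r\n", 1)[0]
            return name, product.decode(errors="replace")
    return "unknown", ""

def enumerate_host(host: str, ports) -> dict:
    """Port scan, then banner-grab and fingerprint every open port."""
    report = {}
    for port, state in connect_scan(host, ports).items():
        entry = {"state": state}
        if state == "open":
            entry["service"], entry["product"] = fingerprint(grab_banner(host, port))
        report[port] = entry
    return report

if __name__ == "__main__":
    # Constructed stand-in services; the Server header copies the report's.
    ftp = start_fake_service(b"220 ftp.example.test FTP server ready\r\n")
    web = start_fake_service(b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n\r\n", False)
    for port, info in sorted(enumerate_host("127.0.0.1", [ftp, web, unused_port()]).items()):
        print(port, info)
```

Run the block directly to scan the two stand-in services and one closed port. The classification mirrors Nmap's port states: a refused connection means closed, no answer at all means filtered, which is why the report's target shows 999 filtered TCP ports and 1000 open|filtered UDP ports. Against real hosts keep the timeout and concurrency in mind: at one second per filtered port, all 65,535 ports take the better part of a day single-threaded, and every connect() shows up in the target's service logs.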

There are two more methods of attempting a penetration: social engineering and testing the organisation's physical security. Social engineering is an art used by attackers that capitalizes on the weakness of the human element of the organisation's defence. Physical security testing involves the penetration testers trying to gain access to the organisation's facility by defeating its physical security. Social engineering can be used to get past the organisation's physical security as well.

Analysis and Reporting

After conducting all the tasks above, the next task is to generate a report for the organisation. The report should start with an overview of the penetration testing process, followed by analysis and commentary on the critical vulnerabilities that exist in the network or systems. Vital vulnerabilities are addressed first to highlight them to the organisation, and the less vital ones afterwards. Separating the vital vulnerabilities from the less vital ones helps the organisation in its decision making; for example, it might accept the risk incurred from the less vital vulnerabilities and only fix the more vital ones. The other contents of the report should be as follows:

Summary of any successful penetration scenarios
Detailed listing of all information gathered during the penetration test
Detailed listing of all vulnerabilities found
Description of all vulnerabilities found
Suggestions and techniques to resolve the vulnerabilities found

Cleaning Up

The cleaning up process clears any mess made as a result of the penetration test. A detailed and exact list of all actions performed during the test must be kept, so that the system can be restored. The cleaning up of compromised hosts must be done securely and without affecting the organisation's normal operations. The process should be verified by the organisation's staff to ensure that it has been done successfully. Bad practices and improperly documented actions during the penetration test will leave the cleaning up as a backup-and-restore job for the organisation, affecting normal operations and taking up its IT resources.

Vulnerabilities

A vulnerability is a flaw or weakness in a system's design, implementation, operation or management that allows an attacker to defeat the security of the system. Through a vulnerability a cracker can mount an attack on the system and gain unauthorised access, elevated privileges and so on. There are many types of vulnerability and they can arise for various reasons, such as unsafe programming or user negligence in managing a system. An attacker can use one to gain unwanted functionality in the software or application, and then use it to open a command prompt on the system, to destroy files or to steal information for gain.

Causes

Complexity: Large, complex systems increase the probability of flaws and unintended access points.

Familiarity: Using common, well-known code, software, operating systems and/or hardware increases the probability that an attacker has, or can find, the knowledge and tools to exploit the flaw.

Connectivity: More physical connections, privileges, ports, protocols and services, and more time during which each is accessible, increase vulnerability.

Password management flaws: Users choose weak passwords that can be discovered by brute force, store passwords on the computer where a program can read them, and re-use passwords between many programs and websites.

Fundamental operating system design flaws: The operating system designer chooses to enforce suboptimal policies on user and program management. For example, operating systems with a default-permit policy grant every program and every user full access to the entire computer; this allows viruses and malware to execute commands on behalf of the administrator.

Internet website browsing: Some websites may contain harmful spyware or adware that is installed automatically on the computer. After visiting such sites the computer becomes infected and personal information is collected and passed on to third parties.

Software bugs: The programmer leaves an exploitable bug in a program, which may allow an attacker to misuse the application.

Too little learning from history: For example, many of the vulnerabilities found in IPv4 protocol software were discovered again in new IPv6 implementations.

Unchecked user input: The program assumes that all user input is safe. Programs that do not validate their input can allow attacker-supplied data to be executed as commands or SQL statements, or to overrun buffers (command injection, SQL injection, buffer overflows and other non-validated input flaws).

Human factor: Research has shown that the most vulnerable point in most information systems is the human user, operator, designer or other person involved, so humans should be considered in their different roles as asset, threat and information resource. Social engineering is an increasing security concern.

Vulnerability Scanning

Vulnerability scans provide a mechanism for system administrators to assess the security posture of the servers they manage by probing the systems for open ports, services and

application and operating system patch levels. Open ports are queried for information about which services are listening, and each service is compared against a database of known vulnerabilities or issues. System administrators can use vulnerability scan reports to assess the security posture of their systems and outline the remediation tasks required to bring a system into compliance. There are two primary types of vulnerability scan:

Assessment Scans
Maintenance Scans

Assessment Scans

Assessment scans scan a system as it appears to a computer or user outside the system's firewall. They typically run without credentials and with or without exceptions in the firewall rules. Port assessment scans report which ports are visible, which services are running on the open ports and any known vulnerabilities for each service. Full assessment scans provide similar reports but include information for services on all system ports.

Maintenance Scans

Maintenance scans are similar to assessment scans but typically produce more in-depth reports. They typically run with credentials and with exceptions in the host firewall rules. Port maintenance scans report which services are running on each port and any known vulnerabilities for each service, application and operating system. Full maintenance scans provide similar reports to the port maintenance scan but cover all system ports. This report is a key input for determining the system administrator's remediation requirements.

Credentialed versus Non-Credentialed Scans

One of the critical components of a maintenance scan is the use of system credentials. The scanning engine uses these credentials to log in to the system and enumerate services, applications and patch levels. The information obtained with credentials allows administrators to perform a more comprehensive assessment of their system's security posture, verify that their patching mechanisms are working, check service configurations and discover erroneously or maliciously installed services. A non-credentialed scan, by contrast, can only infer patch levels from what each service reveals over the network, so it reports fewer findings and more of them are guesses.

Intrusive versus Non-Intrusive Scans

There are two classes of vulnerability scan, intrusive and non-intrusive. Simply put, non-intrusive scans have little or no impact on the system when run, whereas intrusive scans can disrupt a service or take a system offline. Non-intrusive scans are the standard way of examining systems and discovering services and vulnerabilities. Intrusive scans go further and actually exercise a suspected vulnerability rather than inferring it from version information; they are also used to confirm that remediation has worked.

Full Scan versus Port Scans

The degree of access a system grants to the vulnerability-scanning engine determines how comprehensive a scan is. Port scans are scans initiated against a firewalled system testing

only those ports open to the public. Port scans are the least comprehensive scan type, as they provide only a superficial view of the system. Full scans are initiated against a firewalled system and test all 65,535 ports. They provide a comprehensive view of the system that allows administrators to check services not available to the general user and discover services running erroneously or maliciously.

Vulnerability Scanning Tools

A vulnerability assessment application (a vulnerability scanner) is a tool used to test the security of a system or network and find its weak points. Such applications do not directly protect a system or network; they collect and report information that other mechanisms, policies and applications can act on to provide protection against the identified vulnerabilities. Vulnerability scanners can be classified according to the service they perform:

Port Scanner: A port scanner is a software application designed to probe a server or host for open ports. It is used by administrators to verify the security policies of their networks and by attackers to identify the services running on a host with a view to compromising it. It can perform various types of scan, such as TCP connect scanning, UDP scanning, ACK scanning and FIN scanning, to determine whether ports are open, closed or filtered.

Network enumerator or network scanner: A computer program used to retrieve user names and information on groups, shares and services of networked computers. This type of program scans networks for weaknesses in their security and reports them back to the operator, who may use the information to exploit the weakness and gain entry to the network, or for other malicious activities. Ethical hackers also use the information to remove the weaknesses and strengthen their network. Network enumerators are often used by script kiddies for their ease of use, as well as by more experienced hackers together with other programs and manual lookups. whois queries, zone transfers, ping sweeps and traceroute can also be performed.

Web Application Scanner: A web application security scanner is a program that communicates with a web application through its web front end to identify potential security vulnerabilities in the application and architectural weaknesses. It performs a black-box test: unlike source code scanners, web application scanners have no access to the source code and therefore detect vulnerabilities by actually performing attacks. They can look for a wide variety of vulnerabilities, including:

Input/output validation flaws (cross-site scripting, SQL injection)
Specific application problems
Server configuration mistakes, errors and vulnerable versions

Database security scanner: A database security scanner scans a database for vulnerabilities that may be present in it, allowing unauthorized access to data

or elevated privileges. They perform tests for vulnerabilities typical of databases.

General Vulnerability Scanner: A scanner which scans a system to detect vulnerabilities in its OS, in the protocols it uses to communicate with the network, or in the web applications deployed on it.

Various vulnerability tools are available on the internet, but in our testing we made use of these three:

Nmap
Nessus
Metasploit

Nmap

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) [1], used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish this, Nmap sends specially crafted packets to the target host and then analyzes the responses. Unlike many simple port scanners that just send packets at some predefined constant rate, Nmap accounts for network conditions (latency fluctuations, network congestion, the target's interference with the scan) during the run. Owing to its large and active user community providing feedback and contributions, Nmap's discovery capabilities have grown well beyond basic host up/down and port open/closed checks: it can determine the operating system of the target, the names and versions of the listening services, the estimated uptime, the type of device and the presence of a firewall. Nmap runs on Linux, Microsoft Windows, Solaris, HP-UX and BSD variants (including Mac OS X), and also on AmigaOS and SGI IRIX. Linux is the most popular Nmap platform, with Windows following it closely. The features provided by Nmap are:

Host discovery
Port scanning
Version detection
OS detection
Scriptable interaction with the target (the Nmap Scripting Engine, NSE)

Results

Nmap is a highly customizable tool with many options. We therefore carried out tests using various combinations of the available options and assessed the results.

17 The result of the scan that gave us maximum information was: Starting Nmap 5.21 ( ) at :40 IST NSE: Loaded 80 scripts for scanning. Initiating ARP Ping Scan at 11:40 Scanning [1 port] Completed ARP Ping Scan at 11:40, 0.01s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 11:40 Completed Parallel DNS resolution of 1 host. at 11:40, 0.61s elapsed Initiating SYN Stealth Scan at 11:40 Scanning idrbt.ac.in ( ) [1000 ports] Discovered open port 8000/tcp on Completed SYN Stealth Scan at 11:40, 19.86s elapsed (1000 total ports) Initiating UDP Scan at 11:40 Scanning idrbt.ac.in ( ) [1000 ports] Completed UDP Scan at 11:40, 4.02s elapsed (1000 total ports) Initiating Service scan at 11:40 Scanning 1001 services on idrbt.ac.in ( ) Completed Service scan at 12:23, s elapsed (1001 services on 1 host) Initiating OS detection (try#1) against idrbt.ac.in ( ) Retrying OS detection (try#2) against idrbt.ac.in ( ) NSE: Script scanning NSE: Starting runlevel 1 (of 2) scan. Initiating NSE at 12:23 Completed NSE at 12:23, 37.00s elapsed NSE: Starting runlevel 2 (of 2) scan. Initiating NSE at 12:23 17

18 Completed NSE at 12:24, 5.00s elapsed NSE: Script Scanning completed. Nmap scan report for idrbt.ac.in ( ) Host is up (0.0014s latency). Not shown: 1000 open filtered ports, 999 filtered ports PORT STATE SERVICE VERSION 8000/tcp open http Apache Tomcat/Coyote JSP engine 1.1 _http-malware-host: Host appears to be clean _http-date: Thu, 07 Jul :53:04 GMT; -17s from local time. _html-title: Apache Tomcat http-headers: Server: Apache-Coyote/1.1 Accept-Ranges: bytes ETag: W/" " Last-Modified: Wed, 13 May :15:04 GMT Content-Type: text/html Content-Length: 7777 Date: Thu, 07 Jul :53:06 GMT Connection: close _ (Request type: HEAD) _http-enum: _http-iis-webdav-vuln: ERROR: This web server is not supported. MAC Address: 00:18:19:6A:14:F8 (Cisco Systems) 18

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows XP|2003 (98%)
Aggressive OS guesses: Microsoft Windows XP Professional SP2 (French) (98%), Microsoft Windows Server 2003 SP0 or Windows XP SP2 (91%), Microsoft Windows XP SP2 (91%), Microsoft Windows XP SP3 (91%), Microsoft Windows Server 2003 SP1 (91%), Microsoft Windows Server 2003 SP2 (89%), Microsoft Windows XP Professional SP2 (firewall enabled) (89%), Microsoft Windows Small Business Server 2003 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental

Host script results:
| asn-query:
| BGP: /23 | Country: IN
|   Origin AS: RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
|_    Peer AS:

HOP RTT ADDRESS
    ms idrbt.ac.in ( )

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at
Nmap done: 1 IP address (1 host up) scanned in seconds
Raw packets sent: 4096 ( KB) | Rcvd: 30 (2166B)
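The report Nmap prints above can be parsed rather than copied out by hand. The following Python is an added example, not part of the original report: it extracts the host, MAC address, OS guesses, open ports and NSE script results from Nmap's normal output and diffs two scans of the same host. The two sample reports are constructed with placeholder addresses and a hypothetical second scan.

```python
import re
from typing import Dict, List, Optional

# Constructed sample scans in Nmap's normal-output format, modelled on the
# report above; host name, addresses and MAC are placeholders, not the scanned server.
SCAN_PREVIOUS = """\
Nmap scan report for host.example (192.0.2.10)
Host is up (0.0014s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8000/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_html-title: Apache Tomcat
| http-headers:
|   Server: Apache-Coyote/1.1
|   Connection: close
|_  (Request type: HEAD)
MAC Address: 00:00:5E:00:53:01 (Example Vendor)
Aggressive OS guesses: Microsoft Windows XP Professional SP2 (98%), Microsoft Windows Server 2003 SP1 (91%)
"""

SCAN_CURRENT = """\
Nmap scan report for host.example (192.0.2.10)
Host is up (0.0012s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE       VERSION
8000/tcp open  http          Apache Tomcat/Coyote JSP engine 1.1
|_html-title: Apache Tomcat
3389/tcp open  ms-wbt-server Microsoft Terminal Service
MAC Address: 00:00:5E:00:53:01 (Example Vendor)
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 (93%)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")
OS_RE = re.compile(r"^Aggressive OS guesses: (.*)$")
GUESS_RE = re.compile(r"(.+?) \((\d+)%\)(?:, |$)")


def parse_nmap_report(text: str) -> Dict:
    """Turn one host's normal-output report into the facts a tester would
    otherwise copy out by hand (host, MAC, OS guesses, ports, NSE results)."""
    report: Dict = {"host": None, "addr": None, "mac": None, "vendor": None,
                    "os_guesses": [], "ports": {}, "host_scripts": {}}
    scripts = report["host_scripts"]   # where "|" script lines currently belong
    last_script: Optional[str] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            report["host"], report["addr"] = m.group(1), m.group(2)
            continue
        m = PORT_RE.match(line)
        if m:
            entry = {"state": m.group(3), "service": m.group(4),
                     "version": m.group(5).strip(), "scripts": {}}
            report["ports"][f"{m.group(1)}/{m.group(2)}"] = entry
            scripts, last_script = entry["scripts"], None
            continue
        m = MAC_RE.match(line)
        if m:
            report["mac"], report["vendor"] = m.group(1).upper(), m.group(2)
            scripts, last_script = report["host_scripts"], None  # host-level section follows
            continue
        m = OS_RE.match(line)
        if m:
            report["os_guesses"] = [(name, int(pct)) for name, pct in GUESS_RE.findall(m.group(1))]
            continue
        if line.startswith("|"):
            body = line[1:]
            if body.startswith("_"):          # "|_" marks the last line of a script's output
                body = body[1:]
            if body.startswith("  ") and last_script is not None:
                scripts[last_script].append(body.strip())   # indented continuation line
            else:
                name, _, value = body.strip().partition(":")
                last_script = name
                scripts[name] = [value.strip()] if value.strip() else []
    return report


def diff_reports(previous: Dict, current: Dict) -> Dict[str, List]:
    """Compare two scans of the same host and list what changed, which is the
    comparison the report's conclusion recommends doing between scan runs."""
    prev_ports, cur_ports = previous["ports"], current["ports"]
    opened = sorted(k for k in cur_ports if k not in prev_ports)
    closed = sorted(k for k in prev_ports if k not in cur_ports)
    version_changed = [(k, prev_ports[k]["version"], cur_ports[k]["version"])
                       for k in sorted(set(prev_ports) & set(cur_ports))
                       if prev_ports[k]["version"] != cur_ports[k]["version"]]
    return {"opened": opened, "closed": closed, "version_changed": version_changed}


if __name__ == "__main__":
    prev, cur = parse_nmap_report(SCAN_PREVIOUS), parse_nmap_report(SCAN_CURRENT)
    print(f"{cur['host']} ({cur['addr']})  MAC {cur['mac']} ({cur['vendor']})")
    for key, p in cur["ports"].items():
        print(f"  {key:10} {p['state']:6} {p['service']:14} {p['version']}")
    print("Best OS guess:", cur["os_guesses"][0])
    print("Changes since previous scan:", diff_reports(prev, cur))
```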

From the scan we got the following information about the server on which we performed the scan:

MAC address: 00:18:19:6A:14:F8 (Cisco Systems)
Resolved name: idrbt.ac.in
ISP: RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
OS: Microsoft Windows XP|2003
Port: 8000/tcp, http open, Service: Apache Tomcat/Coyote JSP engine 1.1

Nessus

In computer security, Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. For example:

- Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
- Misconfiguration (e.g. open mail relay, missing patches, etc.).
- Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
- Denials of service against the TCP/IP stack by using mangled packets.

On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the scanning, and nessus, the client, which controls scans and presents the vulnerability results to the user. According to surveys done by sectools.org, Nessus is the world's most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools surveys. Tenable estimates that it is used by over 75,000 organizations worldwide.

Results

Nessus is a tool with many options. Thus, we have to configure it to suit our purpose. For this purpose many tests were done over a period of 1 month using many policies, including the ones which are predefined in the software and some created by us. These scans did not all yield the same vulnerabilities. All of them highlighted the low risk vulnerabilities, which are very difficult to exploit. Some of them highlighted the medium risk vulnerabilities, which can be exploited with some effort, and only some of them showed vulnerabilities which were highly exploitable. The medium and high risk vulnerabilities were shown in the PCI-DSS policy (pre-set in Nessus) and with one of the new policies which were created.

The main vulnerabilities detected were:

Apache Tomcat Manager Common Administrative Credentials

The default username and password were not changed, so the credentials are publicly exploitable.
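Nessus finds this over the network by trying the well-known credentials against the Manager application; the same condition can be checked on the host from Tomcat's own user file. The following Python is an added example, not part of the report or of Tomcat: it audits a tomcat-users.xml for privileged accounts with blank, default, trivial or short passwords, with a constructed weak configuration beside a hardened one. The role names are Tomcat's real ones; the list of published default pairs is an assumption to be extended for your environment.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Roles that control the Manager/Host Manager webapps. Tomcat 6 used "manager"
# and "admin"; Tomcat 7+ split them into the *-gui / *-script / *-jmx roles.
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script",
                    "manager-jmx", "manager-status", "admin-gui", "admin-script"}

# Username/password pairs from Tomcat's own sample tomcat-users.xml or otherwise
# widely published (assumption: a starting list, extend it for your environment).
PUBLISHED_DEFAULTS = {("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
                      ("both", "tomcat"), ("role1", "tomcat")}

# Constructed "before": sample accounts left in place with privileged roles.
WEAK_CONFIG = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="admin" password="" roles="admin-gui"/>
  <user username="deploy" password="deploy" roles="manager-script"/>
  <user username="reader" password="reader" roles="tomcat"/>
</tomcat-users>
"""

# Constructed "after": one uniquely named account, a long random password, and only
# the single role the deployment pipeline needs (manager-gui removed entirely).
HARDENED_CONFIG = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <user username="ci-deployer" password="Xq7#v9LmP2wz$Rt5Bn8Kd" roles="manager-script"/>
</tomcat-users>
"""

Finding = Tuple[str, str, str]   # (username, severity, reason)


def audit_tomcat_users(xml_text: str, min_length: int = 12) -> List[Finding]:
    """Flag privileged accounts whose credentials a network scanner would guess.

    Assumes passwords are stored in clear text in the file, which is Tomcat's
    default; a digested password would only ever trip the length rule."""
    findings: List[Finding] = []
    root = ET.fromstring(xml_text)
    for user in root.iter():
        if user.tag.split("}")[-1] != "user":     # tolerate the Tomcat 7+ namespace
            continue
        name = user.get("username") or user.get("name") or ""
        password = user.get("password") or ""
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        if not roles & PRIVILEGED_ROLES:
            continue    # low-privilege accounts are out of scope for this check
        if password == "":
            findings.append((name, "high", "blank password"))
        elif (name, password) in PUBLISHED_DEFAULTS:
            findings.append((name, "high", "published default credentials"))
        elif password.lower() == name.lower():
            findings.append((name, "high", "password equals username"))
        elif len(password) < min_length:
            findings.append((name, "medium", f"password shorter than {min_length} characters"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_tomcat_users(cfg) or 'no findings'}")
```

If the Manager application is not needed at all, removing it from the webapps directory is a simpler fix than any credential policy.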

Multiple vulnerabilities of Apache Tomcat

According to Nessus, based on the version of Apache Tomcat, it can be affected by various vulnerabilities such as denial of service, cross-site scripting, etc.

Microsoft Windows 2000 unsupported installation

The OS installed on the server is an unsupported Windows 2000 Server, which means that security patches for newly discovered vulnerabilities in Windows won't apply to this OS. Thus, it is susceptible to any of the new vulnerabilities found.

Metasploit

The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research. The Metasploit Project is also well-known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework.

The basic steps for exploiting a system using the Framework include:

1. Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 300 different exploits for Windows, Unix/Linux and Mac OS X systems are included);
2. Checking whether the intended target system is susceptible to the chosen exploit (optional);
3. Choosing and configuring a payload (code that will be executed on the target system upon successful entry, for instance a remote shell or a VNC server);
4. Choosing the encoding technique to encode the payload so that the intrusion-prevention system (IPS) will not catch the encoded payload;
5. Executing the exploit.

This modularity, allowing any exploit to be combined with any payload, is the major advantage of the Framework: it facilitates the tasks of attackers, exploit writers, and payload writers.

Results

Here, we used a reverse TCP connection to open up a connection between us and the server to bypass the firewall. In this method, the reverse TCP payload generated by Metasploit is placed on the server by social engineering. This payload is an executable file which, when executed, opens up a connection between a port on the server and a port on our system. This works because the connection was requested from inside the firewall and not from outside it: the firewall blocks incoming traffic but does not restrict outbound traffic. Thus, we set up a server listening for the connection on our system on the port to which the reverse TCP payload is directed to connect. When the application is executed on the server, a meterpreter session opens which then allows us to do various things such as add/delete users, download/upload files, keylogging, and opening a command prompt line to the system shell.
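The reverse connection works only because the firewall permits unrestricted outbound traffic from the server. As an added example, not part of the report, the following Python reads constructed flow-log records and flags egress from the server to any destination outside an allow-list, calling out long-lived sessions separately; the log format, the addresses and the allow-list are all assumptions made for this example.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed connection records in a simple firewall/flow-log style:
#   <timestamp> <IN|OUT> <src>:<sport> -> <dst>:<dport> <proto> dur=<seconds>
# The server is 192.0.2.10; every address is a documentation-range placeholder.
LOG_LINES = """\
2011-07-07T12:01:03 IN  203.0.113.8:51234 -> 192.0.2.10:8000    tcp dur=0.4
2011-07-07T12:01:05 OUT 192.0.2.10:49170  -> 192.0.2.2:53       udp dur=0.0
2011-07-07T12:01:09 OUT 192.0.2.10:49171  -> 192.0.2.20:443     tcp dur=1.2
2011-07-07T12:03:15 OUT 192.0.2.10:49172  -> 198.51.100.7:4444  tcp dur=1831.2
2011-07-07T12:03:20 OUT 192.0.2.10:49173  -> 198.51.100.9:80    tcp dur=0.3
this line is malformed and must be skipped
"""

# Egress allow-list for a server that should only answer inbound requests: the
# few outbound destinations it legitimately needs (assumed for this example).
EGRESS_ALLOW: Set[Tuple[str, int]] = {
    ("192.0.2.2", 53),     # internal DNS resolver
    ("192.0.2.20", 443),   # internal patch mirror
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>IN|OUT)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)\s+dur=(?P<dur>[\d.]+)$")


class Conn(NamedTuple):
    ts: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    duration: float


def parse_log(text: str) -> List[Conn]:
    """Parse the flow records, skipping malformed lines instead of aborting."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        conns.append(Conn(g["ts"], g["dir"], g["src"], int(g["sport"]), g["dst"],
                          int(g["dport"]), g["proto"], float(g["dur"])))
    return conns


def find_unexpected_egress(conns: List[Conn], server_ip: str,
                           allow: Set[Tuple[str, int]],
                           long_session: float = 300.0) -> List[Dict]:
    """Return outbound connections from the server that the egress policy does
    not cover. Long-lived TCP sessions are called out separately because an
    interactive reverse shell stays connected for as long as it is being used."""
    alerts: List[Dict] = []
    for c in conns:
        if c.direction != "OUT" or c.src != server_ip:
            continue
        if (c.dst, c.dport) in allow:
            continue
        reasons = ["destination not in egress allow-list"]
        if c.proto == "tcp" and c.duration >= long_session:
            reasons.append(f"long-lived session ({c.duration:.0f}s)")
        alerts.append({"ts": c.ts, "dst": f"{c.dst}:{c.dport}", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_egress(parse_log(LOG_LINES), "192.0.2.10", EGRESS_ALLOW):
        print(a["ts"], a["dst"], "; ".join(a["reasons"]))
```

The same allow-list is also the mitigation: enforced as a default-deny outbound rule on the server's firewall, it blocks the reverse connection instead of merely reporting it.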


In the above screenshots, we have demonstrated the use of Metasploit, that is, how a server is set up and then how the meterpreter session allows us to do various things on the server.

Conclusion

The vulnerability tools Nmap, Nessus and Metasploit are very powerful and among the best in their classes. Between them they cover almost all the known vulnerabilities and exploits. But they have to be customised heavily to suit one's purpose. They have many options available and thus we need to perform various tests with different combinations till we get the maximum amount of information possible. For this purpose, documenting and reporting the results is very important, as then we can compare the results of the previous scan with the present scan and identify what new information about the system was revealed in this scan.

One more conclusion was that even though vulnerabilities might be present in the system, it may not be possible to exploit them. It might be theoretically possible, but it depends on the skill of the tester/attacker to actually exploit them.

Also, it can be noted that use of these tools for purposes other than penetration testing (black hat cracking) can lead to the attacker being identified and legal action taken against him: while performing some tests, the IP address of the tester was identified and blocked by the Symantec Endpoint Protection which was present on the server. Stealth is not maintained when we use the tools unless we especially go for stealth tests/attacks, which are not as effective as the others.


More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0. Medical Device Security Health Imaging Digital Capture Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0 Page 1 of 9 Table of Contents Table of Contents... 2 Executive Summary...

More information

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION Prepared for the NRC Fuel Cycle Cyber Security Threat Conference Presented by: Jon Chugg, Ken Rohde Organization(s): INL Date: May 30, 2013 Disclaimer

More information

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta. Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks

More information

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc. Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet

More information

1. LAB SNIFFING LAB ID: 10

1. LAB SNIFFING LAB ID: 10 H E R A LAB ID: 10 SNIFFING Sniffing in a switched network ARP Poisoning Analyzing a network traffic Extracting files from a network trace Stealing credentials Mapping/exploring network resources 1. LAB

More information

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson Nessus A short review of the Nessus computer network vulnerability analysing tool Authors: Henrik Andersson Johannes Gumbel Martin Andersson Introduction What is a security scanner? A security scanner

More information

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION copyright 2003 securitymetrics Security Vulnerabilities of Computers & Servers Security Risks Change Daily New

More information

Demystifying Penetration Testing

Demystifying Penetration Testing Demystifying Penetration Testing Prepared by Debasis Mohanty www.hackingspirits.com E-Mail: debasis_mty@yahoo.com Goals Of This Presentation An overview of how Vulnerability Assessment (VA) & Penetration

More information

Network Monitoring Tool to Identify Malware Infected Computers

Network Monitoring Tool to Identify Malware Infected Computers Network Monitoring Tool to Identify Malware Infected Computers Navpreet Singh Principal Computer Engineer Computer Centre, Indian Institute of Technology Kanpur, India navi@iitk.ac.in Megha Jain, Payas

More information

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked. This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out

More information

PKF Avant Edge. Penetration Testing. Stevie Heong CISSP, CISA, CISM, CGEIT, CCNP

PKF Avant Edge. Penetration Testing. Stevie Heong CISSP, CISA, CISM, CGEIT, CCNP PKF Avant Edge Penetration Testing Stevie Heong CISSP, CISA, CISM, CGEIT, CCNP What is Penetration Testing (PenTest)? A way to identify vulnerabilities that exists in a system/network that has existing

More information

Passive Vulnerability Detection

Passive Vulnerability Detection Page 1 of 5 Passive Vulnerability Detection "Techniques to passively find network security vulnerabilities" Ron Gula rgula@securitywizards.com September 9, 1999 Copyright 1999 Network Security Wizards

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Technical and Operational Requirements for Approved Scanning Vendors (ASVs) Version 1.1 Release: September 2006 Table of Contents Introduction...1-1 Naming

More information

IBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing

IBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing IBM Global Technology Services Statement of Work for IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing The information in this Statement of Work may not be disclosed

More information

Hacking: Information Gathering and Countermeasures

Hacking: Information Gathering and Countermeasures Hacking: Information Gathering and Countermeasures Presenter: Chin Wee Yung Hacking: Content Hacking terminology History of hacking Information gathering and countermeasures Conclusion What is a Hacker?

More information

INFORMATION SECURITY TRAINING CATALOG (2015)

INFORMATION SECURITY TRAINING CATALOG (2015) INFORMATICS AND INFORMATION SECURITY RESEARCH CENTER CYBER SECURITY INSTITUTE INFORMATION SECURITY TRAINING CATALOG (2015) Revision 3.0 2015 TÜBİTAK BİLGEM SGE Siber Güvenlik Enstitüsü P.K. 74, Gebze,

More information

Audience. Pre-Requisites

Audience. Pre-Requisites T R A N C H U L A S W O R K S H O P S A N D T R A I N I N G S Hands-On Penetration Testing Training Course About Tranchulas Tranchulas is a multinational information security company having its offices

More information

About Effective Penetration Testing Methodology

About Effective Penetration Testing Methodology 보안공학연구논문지 (Journal of Security Engineering), 제 5권 제 5호 2008년 10월 About Effective Penetration Testing Methodology Byeong-Ho KANG 1) Abstract Penetration testing is one of the oldest methods for assessing

More information

Secure Software Programming and Vulnerability Analysis

Secure Software Programming and Vulnerability Analysis Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview

More information

60467 Project 1. Net Vulnerabilities scans and attacks. Chun Li

60467 Project 1. Net Vulnerabilities scans and attacks. Chun Li 60467 Project 1 Net Vulnerabilities scans and attacks Chun Li Hardware used: Desktop PC: Windows Vista service pack Service Pack 2 v113 Intel Core 2 Duo 3GHz CPU, 4GB Ram, D-Link DWA-552 XtremeN Desktop

More information

How-to: DNS Enumeration

How-to: DNS Enumeration 25-04-2010 Author: Mohd Izhar Ali Email: johncrackernet@yahoo.com Website: http://johncrackernet.blogspot.com Table of Contents How-to: DNS Enumeration 1: Introduction... 3 2: DNS Enumeration... 4 3: How-to-DNS

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

Description: Objective: Attending students will learn:

Description: Objective: Attending students will learn: Course: Introduction to Cyber Security Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,495.00 Description: In 2014 the world has continued to watch as breach after breach results in millions of

More information

Payment Card Industry (PCI) Executive Report 08/04/2014

Payment Card Industry (PCI) Executive Report 08/04/2014 Payment Card Industry (PCI) Executive Report 08/04/2014 ASV Scan Report Attestation of Scan Compliance Scan Customer Information Approved Scanning Vendor Information Company: A.B. Yazamut Company: Qualys

More information

Ethical Hacking Course Layout

Ethical Hacking Course Layout Ethical Hacking Course Layout Introduction to Ethical Hacking o What is Information Security? o Problems faced by the Corporate World o Why Corporate needs Information Security? Who is a Hacker? o Type

More information