Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

Transcription

1 1 Penetration Testing NTS330 Unit 1 Penetration V1.0 February 20, 2011 Juan Ortega Juan Ortega, juaorteg@uat.edu 1 Juan Ortega, juaorteg@uat.edu

2 2 Document Properties Title Version V1.0 Author Pen-testers Reviewed By Approved By Classification Deviant Alert, Inc. Penetration Testing Juan Ortega Juan Ortega Confidential Version Control Version Date Author Description V1.0 February 20,2011 Juan Ortega Final Draft Disclaimer: This penetration report is for educational purposes only. Penetration testing tools (enumeration, vulnerability scanning, and passive/active recon) are tested within a private virtual network set up surely for the purpose of elevating my knowledge. Everything within this document is factious, any similarities to actual things are purely coincidence. 2 Juan Ortega, juaorteg@uat.edu

3 3 1. Executive Summary The passive recon assessment went on completed. The vulnerability and port scanner detected multiple holes in targeted systems. Without a frequent updates such as that of Windows XP SP1, a multitude of exploits can be practiced with ease. The penetration team successfully used Nmap, Netcat, and Nessus as their primary tools for reconnaissance. 3 Juan Ortega, juaorteg@uat.edu

4 4 Table of Contents 1. Executive Summary Table of Illustrations Project Objectives Timeline Summary of Findings Summary of Recommendation Detailed Findings Lab 1 [Information Gathering Lab] Scope of Work Assessment Guided Questions Lab 2 [Enumeration lab] Scope of Work Assumptions Findings (Figures are located in Appendix) Lab 3 [Vulnerability Scanning Lab (Nessus)] Scope of Work Assumptions Findings (Figures are located in Appendix) Appendix References Juan Ortega, juaorteg@uat.edu

5 5 Table of Illustrations 1.0 Project Objectives 1.1 The objectives are the following: Gather information about the organization of initial passive recon Perform passive recon using Nessus to sweep the network of live hosts and services running, as well as the operating system running and service version numbers Perform a vulnerably scan using a tool called Nessus to identify potential holes that can later be exploited. 2.0 Timeline The timeline of the test: Penetration Testing Start Date/Time End Date/Time Lab 1: Information Gathering 19 February February 2010 Lab 2: Enumeration lab 19 February February 2010 Lab 3: Vulnerability Scanning Lab (Nessus) 20 February February 2010 Table 1 Penetration Testing Timeline 3.0 Summary of Findings 3.1 The information gathering had little private eye info on the web site. Because it is meant to be a target, the web site port and OS is already known to everyone visiting the front page. However, the findings incur that the site is isolated from the rest of its sister sites because the site is hosted on their own server. The DNS servers belong to them domain name doesn t however. The apache server is well set up to not reveal its version number, and an OpenSSH daemon is running. 3.2 Enumeration and passive information gathering was achieved through Nmap and Netcat. Seven virtual operating systems running Windows XP SP(1-3), Ubuntu, NetBSD, and Windows Server 2003 have been set up. The Windows XP SP1 was the most susceptible to 5 Juan Ortega, juaorteg@uat.edu

6 6 attack as legacy software is; numerous open ports with services have been discovered and unpatched. Netcat did its job running as a simple port scanner but not after a few problems. 3.3 As with numerous open ports Nessus and Netcat were able to find, that lead to many possible exploitable holes to discover. The vulnerability scanner Nessus, powerful as it is, was able to find many of Windows XP SP1 holes. Over 20 CIFS high risk vulnerabilities alone. The passive recon was a success with the help with these tools. 4.0 Summary of Recommendation 4.1 Since the web site is meant to be hack-able, no recommendations are needed. To strengthen the security would only discourage young hackers away from the site, and to decrease its walls would make it to susceptible and easy, there will be not much of a challenge. 4.2 The host holding Windows XP SP1 needs to be upgraded immediately to Windows XP SP3, as well as the SP2. Over 6 years have made the first Windows release very vulnerable as holes begin to appear in due time. To lessen the risk, upgrading to Windows 7 with the latest patches is the best bet. The host also had no firewall and was running services that might have not been needed. Windows 2003 with IIS 5.1 needs an upgrade as well. NetBSD had only sshd running on port 80, however a firewall would be recommended. Lastly, Linux (Ubuntu) needs iptables correctly configured and services down. 4.3 Without the remedies defined in #4.2 Nessus will be able to pick up the vulnerable holes easily, and this can lead to active recon. Is it recommended to run Nessus constantly until little to no risk reports are confirmed, and the systems are secure. 5.0 Detailed Findings 5.1 Lab 1 [Information Gathering] Scope of Work The scope of this lab was to perform a passive recon assessment of a virtualized network answering the following questions. 6 Juan Ortega, juaorteg@uat.edu

7 Assessment Guided Questions 1. What is the name of the organization you chose? What do they do? I decided to do a passive recon on Hackthissite.org because it is the only web site that actually encourages people to hack. It is a training ground for young hackers to improve their skills much like hellbounchackers.org with distinctive challenging missions. 2. What operating systems do they use on their web server? Why? Many organization web sites (.org) tend to show a powered by advertisement at the bottom of the web site. Without using any tools we already know the web site is powered by FreeBSD with apache running PHP. 3. What web server are they using (Apache, IIS, etc.)? What version is it? Running a port scan against the target web site reveals Apache running on port 80; however, the version number was emitted. The apache daemon seems to be configured well. Port scan also revealed port 22 running OpenSSH 5.1p1 and port 113 auth. [The web site says, Yes, we're asking you to explore the security of our own site to see if it can be hacked. Permission to port scan is not needed.] 4. Does it appear they are hosting their web server? It does appear the owners of the site are hosting their own web server. The domain name however is registered to enom.com. 5. What programming languages are used on the site? HTML, XHTML, CSS, PHP, Javascript, and some Adobe Flash. 6. What are the networks in use by the organization? List Ranges? NS7.ZONEEDIT.COM NS19.ZONEEDIT.COM NS1.HACKTHISSITE.ORG NS2.HACKTHISSITE.ORG 7. Does it appear they are hosting any other services from their network ranges? (Do not scan network segments) 7 Juan Ortega, juaorteg@uat.edu

8 8 No, every other service including the hack this site store is in a completely separate network. The developers of the site wanted to isolate the site so it can be attacked without risking damage to other sites. 8. What type of information did you turn up using search engines? Much of the links found searching the web site is for help in the mission challenges of the site. 9. Is there anything that you found particularly useful or juicy during your information gathering exercise? Nothing much, the procedure went as expected. 10. What tools and web sites did you use during this lab exercise? Nslookup, dig, and whois (shell command and here Lab 2 [Enumeration Lab (NMap)] Scope of Work Assumptions To perform a passive enumeration scan against a network. Review data retrieved from live hosts, open ports, filtered ports, and ICMP pings. The assumptions will be that Windows XP SP1 will have a greater number of vulnerabilities than the higher service packs. I am assuming NetBSD would be difficult to get information from. Linux systems (depending on the configuration) should be fairly easy as far as getting services (daemons) with version numbers running Findings (Figures are located in Appendix) Using nmap to ping sweep entire virtual network, it was able to find 7 live hosts in seconds. A little batch or shell script can also be made to utilize ping for the same functionality Port scanning 7 live hosts was successful. Many of the services reveled port 445 (Microsoft-ds) open meaning File Sharing was enabled. 8 Juan Ortega, juaorteg@uat.edu

9 Nmap feature to delay packets works well. One of the options is the scan-delay <number> argument, the higher the number, the longer it takes to complete. This is important for passive recon as sending a large number of packets might trigger IDS servers running logging. A number of 10 took to complete while number of 1 took 3.08 seconds Adjusting Nmap to only scan port 80 and 443 came up with a much faster scan. Three of the 7 hosts reported having both ports open, while only one had port 80 but not port 443 open. The arguments for specifying a port is essentially p 80, Scanning host (Windows XP SP1) reveled 8 ports open. As far as I know Nmap has 3 states, Open, Closed, and Filter. Open means a connection can be established connecting. Closed means there is no service (daemon) listening to connections in that ports; and closed means there is a firewall in the way dropping packets. The argument used is reason for verifying the state, in case of open its syn-ack Besides using a pipeline to output the scan results, the argument ox can be used to output into XML. Other formats also exist A host blocking ICMP pings may mean the target is down, but most cases a firewall is in place blocking packets. The argument -PN can be used in this case treats the host online and skips host discovery It took a while to get netcat to work as a port scanner, despite numerous examples of the -z argument. To get it working I had to use -vz and even that it does not say the connection was successful. However, it was able to find all the ports open. The usage of netcat over nmap seems circumstantial. Netcat has some features that nmap does not, such as connect and bind to a port for a backdoor connection. However in port scanning Nmap was king; therefore, use Nmap for strictly port scanning, and netcat for a connection For an OS detection, the target was NetBSD to add a challenge into the tool; the Windows systems were easy targets. Not only did Nmap figured out correctly the system was running NetBSD but also identified the version number as 5.X which is connect. It was running 5.9 current Argument -A can be used to fingerprint applications running on a target. Unless the service (daemon) has been well configured Nmap picks up the version number. If a version number is 9 Juan Ortega, juaorteg@uat.edu

10 10 not picked up, connecting to it using Netcat, the header or HEAD usually comes up with version number. If all fails assume the version by its plugin; for example, guessing apache s version by looking at the PHP plugin, which number is supported As stated in section #7, using -PN argument can accomplish this. Nmap assumes the host is alive and scans for open ports. A target blocking ICMP but discovering that sshd is open on port 22 obviously means the host is alive sx sets up Xmas scan. An Xmas tree scan turns on the FIN, URG, and PUSH flags in an attempt to avoid firewall or IDS detection After creating a list of IP addresses from target hosts, the argument -il <filename> scans through them. 5.3 Lab 3 [Vulnerability Scanning Lab (Nessus)] Scope of Work Assumptions The purpose of this scope is to perform a vulnerability scan against targeted systems. A tool called Nessus would be used to perform the test. Being one of the most powerful vulnerability scanners there is, assumptions run high in accuracy when using Nessus. Nmap was able to find many open ports from 7 different systems (Windows, Linux, NetBSD), the results should be interesting, but not surprising Findings (Figures are located in Appendix) Nessus is downloaded and installed, the daemon is running in background. All the VMs are started and ready. The first target that sure to have promising results is Windows XP SP1. The IP address of the target is A policy especially tripped for Windows XP has been created with the appropriate name as WinXPSP1_Policy. Plugins used are: Windows Windows: Microsoft Bulletins 10 Juan Ortega, juaorteg@uat.edu

11 11 Windows: User Management Web Servers Settings Service detection SNMP SMTP problems RPC Misc. General Gain a shell remotely Firewalls FTP Denial of Service DNS Backdoors Brute force attacks The scan is performed A few false positives have been discovered: Anonymous FTP Enabled CVE Risk: Medium FTP Supports Clear Text Authentication Risk: Low Hypertext Transfer Protocol (HTTP) Information Severity: Low Many of these can be set up intentionally by the administration; it does not generally mean a risk Nessus returned many vulnerabilities scanning Windows XP SP1. An alarming number of high risk cifs had been found all exploitable. It is not believed to have missed one Nessus version 3 uses the NBE format to explort data, the new Nessus 4 uses another format called.nessus which seems to be an improvement Zip file created. 11 Juan Ortega, juaorteg@uat.edu

12 Appendix 6.1 Lab 1 [Information Gathering] Lab 2 [Enumeration Lab (NMap)] Juan Ortega, juaorteg@uat.edu

13 Juan Ortega,

14 Juan Ortega,

15 Juan Ortega,

16 Lab 3 [Vulnerability Scanning Lab (Nessus)] Juan Ortega, juaorteg@uat.edu

17 Juan Ortega,

18 References 1. Hackthissite. Retrieved February 20, 2011 from hackthissite Web site: 2. WHOIS Search for Domain Registration Information. Retrieved February 20, 2011 from networksolutions Web Site: 3. The GNU Netcat Project. Retrieved February 20, 2011 from Sourceforge Web site: 4. Nessus. Retrieved February 20, 2011 from Nessus Web site: 5. Nmap. Retrieved February 20, 2011 from nmap Web site: 18 Juan Ortega,