Saturday, May 31, 2008

Basic Packet Crafting with Hping

This is just a quick post about how a tool such as hping can be used to test for open ports on a host. Hping can do a lot more than that, but for now I'm just going to cover a few basics.

Hping is a Linux tool that is run from the command line. What I really like about it is the control you have over the packet. If you don't have hping installed you can pull it down from most repositories.

Okay, firstly view the man page or use --help to list the many options and familiarise yourself with hping.


Testing Open Ports

If I want to test for an open port I would issue the following command:

hping -i eth0 -c 1 -S 217.146.186.51 -p 80 -V

Here I'm telling hping to use interface eth0 (-i eth0), send a single packet (-c 1), send a SYN packet (-S) to address 217.146.186.51, send the packet to port 80 (-p 80), and be verbose in the output (-V).



From the output in the screenshot you can see that the server returned a SYN-ACK so the port is open.

Below is a packet capture on that interface displaying exactly what was sent.

tcpdump -i eth0 -n -s 1514 host 217.146.186.51



As can be seen, the scanned host continues to send out a series of SYN-ACK packets after I have sent my Reset packet.

If I issue the command again but to port 81 instead, you will see that the server doesn't return a packet. This tells me the port is probably blocked by a firewall.
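To make the interpretation of the two captures above mechanical, here is an added example (not from the original post) that reads `tcpdump -n` lines and labels each probed port. It assumes the "Flags [..]" output style of tcpdump 4.x, and goes one step beyond the post: a SYN answered with RST is reported as closed rather than filtered.

```python
import re

# One line of `tcpdump -n` output, in the "Flags [..]" style printed by tcpdump 4.x
# (assumption: older tcpdump prints the flags without brackets and would need a tweak).
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: a SYN to 80 (answered with SYN-ACK), one to 81 (no answer, as in
# the post) and, beyond the post, one to 22 (answered with RST, i.e. closed not filtered).
SAMPLE_CAPTURE = """\
12:00:00.000010 IP 192.168.1.10.2345 > 217.146.186.51.80: Flags [S], seq 1, win 512, length 0
12:00:00.010020 IP 217.146.186.51.80 > 192.168.1.10.2345: Flags [S.], seq 9, ack 2, win 5840, length 0
12:00:00.010100 IP 192.168.1.10.2345 > 217.146.186.51.80: Flags [R], seq 2, win 0, length 0
12:00:01.000010 IP 192.168.1.10.2346 > 217.146.186.51.81: Flags [S], seq 1, win 512, length 0
12:00:02.000010 IP 192.168.1.10.2347 > 217.146.186.51.22: Flags [S], seq 1, win 512, length 0
12:00:02.000500 IP 217.146.186.51.22 > 192.168.1.10.2347: Flags [R.], seq 0, ack 2, win 0, length 0
"""

def classify_probes(lines, target):
    """Map each probed port on `target` to open / closed / filtered.

    open     - the SYN was answered with SYN-ACK ("S.")
    closed   - the SYN was answered with RST ("R" or "R.")
    filtered - nothing came back, which is what a firewall drop looks like
    """
    probes = {}  # (scanner ip, scanner port, target port) -> state so far
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        flags = f["flags"]
        if f["dst"] == target and flags == "S":
            # A bare SYN from us: record the probe, assume filtered until answered.
            probes.setdefault((f["src"], int(f["sport"]), int(f["dport"])), "filtered")
        elif f["src"] == target:
            # Reply from the target; match it back to the probe it answers.
            key = (f["dst"], int(f["dport"]), int(f["sport"]))
            if key in probes:
                if "S" in flags and "." in flags:
                    probes[key] = "open"
                elif "R" in flags:
                    probes[key] = "closed"
    return {tport: state for (_, _, tport), state in probes.items()}
```

Feed it the output of the tcpdump command from the post (one line per packet) and the host being probed.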



I can use a tool such as Nmap to confirm my hping results.

nmap -sS -p 80,81 217.146.186.51



A packet capture of Nmap would have revealed that an ICMP echo request was initially sent when I issued the command above. This could have been prevented using the -P0 switch.


Back to hping: as expected, if I issue the command with the host name instead of the IP, hping attempts to resolve the address using DNS. This can be seen below in the tcpdump capture.



Another very useful switch is -s. When set, it tells hping to use a specific source port. On one occasion, whilst in a hotel, I found that SSH traffic was blocked on port 22 but all TCP traffic was allowed on port 53. I then asked my wife to reconfigure my SSH server to listen on TCP port 53 and I was able to get back to my home network.


Port Scanning

Hping can also be used as a port scanner to test for a range of open ports. Using the --scan switch followed by a list of ports or a port range I can quickly scan a host.

hping -i eth0 --scan 20-25,80,443 -S 217.146.186.51



In the screenshot above I scan for a port range of 20-25 and also for 80 and 443.

Hping has many other functions, including more advanced firewall testing and file transfer. I'll cover these in another post.

Thursday, May 1, 2008

Password Attacks in Windows

Okay there are plenty of tools to launch password attacks within Windows but I like this one because it needs no tools other than those that are native to Windows.

The only difficult bit is getting the wordlist together. If anyone knows of a funky way to generate one using native Windows tools and existing files on a PC, I would love to hear from you. In lieu of a funky solution, and without a wordlist that I have got onto the box by other means, I make my list by creating a file with popular passwords and hope for the best. Remember, if you are making the wordlist, tune it for the company or organisation you are pentesting against.

This attack is going to brute-force a password using a FOR loop and a text file with some passwords in.


How it Works

Make sure you have a wordlist, or create one with possible passwords in. The password file just needs to be a normal text file with a word on each line.



At the command prompt on one line type:

FOR /F "tokens=1*" %i in (passwords.txt) do net use \\192.168.1.1\IPC$ %i /u:Administrator

The passwords.txt file must be in the same directory that you run the command from.

What's happening here is that the command attempts to connect to the IPC$ share on 192.168.1.1, going through the file passwords.txt and trying every word as a password for the Administrator account.

You don't have to specify the IPC$ share. If there is another share available you can use that.

Obviously this attack can be done on other accounts but remember that they may be subject to lockout after so many failed logins. The Administrator account does not get locked out.

If you find that the account lockout policy is not enforced then you can create a password file with usernames and passwords in (separated by a space), then throw the file at it using the FOR loop shown in my screenshot.



If you have found a successful pair, the outcome will be an open session (net use) and the file out.txt will list the valid credentials.


Lessons learned for Admins

  • Pick a good Administrator password that will not be in a dictionary, and enforce complex passwords for users.
  • Make sure that account lock out policies are enforced.
  • Educate users and helpdesk staff. If they notice that accounts are constantly locked out and the user is not too stupid then they might be your early warning system that something is wrong.
  • Check logs. Account lockouts should be logged and you should be seeing this type of activity in your daily log monitoring routine.
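The last two lessons are the ones a log review can act on, and the Administrator case is the awkward one: since that account never locks out, there is no lockout event to watch for, only a run of failures. The following is an added example (not from the original post) that counts failed logons per account and source inside a sliding window; the records are constructed, and the event IDs assumed are the Vista/2008-style 4625 (failed logon) and 4740 (account locked out).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records as (time, event id, target
# account, source workstation/IP). Assumption: Vista/2008-style IDs, 4625 = failed
# logon and 4740 = account locked out (XP/2003 log 529 and 644 instead).
SAMPLE_EVENTS = [
    ("2008-05-01 09:00:01", 4625, "Administrator", "192.168.1.50"),
    ("2008-05-01 09:00:02", 4625, "Administrator", "192.168.1.50"),
    ("2008-05-01 09:00:03", 4625, "Administrator", "192.168.1.50"),
    ("2008-05-01 09:00:04", 4625, "Administrator", "192.168.1.50"),
    ("2008-05-01 09:00:05", 4625, "Administrator", "192.168.1.50"),
    ("2008-05-01 09:00:06", 4625, "Administrator", "192.168.1.50"),
    ("2008-05-01 09:30:00", 4625, "jsmith", "192.168.1.77"),   # a single typo, benign
    ("2008-05-01 10:00:00", 4740, "bob", "192.168.1.50"),      # a lockout from the same box
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag (account, source) pairs with >= threshold failed logons inside `window`.

    Counting failures matters most for accounts that never lock out, such as the
    built-in Administrator, where a lockout event will never give you the warning.
    Returns a list of (account, source, failures_in_window, window_start).
    """
    failures = defaultdict(list)
    for ts, event_id, account, source in events:
        if event_id == 4625:
            failures[(account, source)].append(_parse(ts))
    alerts = []
    for (account, source), times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((account, source, end - start + 1, times[start]))
                break                           # one alert per pair is enough
    return alerts

def lockouts(events):
    """Accounts that did lock out (4740), paired with the source that caused it."""
    return [(account, source) for _, event_id, account, source in events if event_id == 4740]
```

A lockout and a burst of Administrator failures from the same source, as in the sample, is the pattern the FOR loop above produces when a username/password file is thrown at a box.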

Abusing Mail Servers

This is a quick post on what I discovered a while ago when I played a joke on a friend. I thought I would post it up as it might be interesting to someone else.

Basically, what I'm going to demonstrate in this post is how the SMTP service on an Exchange Server can be abused. It's quite trivial to send a message to someone else using an Exchange server without having a mail account. And as I'll also demonstrate, it's quite easy to spoof your IP address, so even if they examine the headers they'll never know where it came from.

Now, why is this useful to an attacker? Well, firstly I can send a message to someone and link to a file. If the receiver usually trusts the person I'm pretending to be, they will likely click on the link. Secondly, I can spam the world and become a small time spam king and attract many beautiful women.

Bear in mind that the SMTP stuff can be done with telnet to any SMTP server, but the IP spoofing will only work if you are on the same subnet, as it uses ARP poisoning.

Okay, here's how it goes.


Tools
Sterm or Telnet



Method
1. Find an Exchange mail server by either sniffing traffic or scanning for servers with port 25 open.

2. Launch Sterm. Select configuration, and enter the IP you want to spoof and the MAC address you want to spoof.



When I played a joke on a certain individual I did my homework and made sure these tied into the same addresses as the person I was spoofing.

After specifying the spoofing settings, click on the File drop-down menu and select Connect. You need to then enter the IP and port which you want to connect to.

3. At the prompt type:

helo servername.domainname.com

Obviously the FQDN should be used. You could also just type "helo IP-Address" with IP-Address being the one that you are spoofing.


4. Now we enter who the message is supposedly from:

mail from: blobby.knob@company.com


5. Now we enter who the message is to:

rcpt to: poor.victim@company.com

Often this address needs to be an internal address, as mail relay may be turned off. This can be tested, though, by sending a message to a throw-away webmail account.


6. Now we specify the data we are going to send.

data

After typing "data" you should receive the response 354. This means that you can send data.


7. Enter a subject line and press return:

subject: check this out!


8. Enter some alluring text:

Does my arse look big?
http://goatse.unfg.org/asciigoatse.htm


9. Now finish the message by pressing return, entering a period, and pressing return again.

The server should send a 250 code indicating the message is queued. Type quit to finish.
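To show both sides of the exchange in steps 3 to 9, here is an added example (not from the original post and not a real MTA) of a simplified server-side state machine. It assumes a server that accepts mail only for a local domain, here the constructed `company.com`, so it also shows the relay refusal mentioned under step 5; the reply wordings are generic, not Exchange's.

```python
LOCAL_DOMAIN = "company.com"   # assumption: the server accepts mail only for this domain

class MiniSmtpServer:
    """Teaching model of the server side of the SMTP dialogue above (not a real MTA):
    enough state machine to show the reply codes (250, 354, 550, 221) and why
    "rcpt to" an outside address fails when relaying is off. The sender is never
    verified, which is why "mail from" can name anyone."""
    def __init__(self):
        self.state = "greeted"          # greeted -> ready -> data
        self.sender, self.rcpts, self.body, self.queued = None, [], [], []

    def handle(self, line):
        """Feed one client line; return the server reply, or None inside DATA."""
        if self.state == "data":
            if line == ".":             # lone period ends the message
                self.queued.append((self.sender, list(self.rcpts), "\n".join(self.body)))
                self.state = "ready"
                return "250 Queued mail for delivery"
            self.body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.lower()
        if verb == "helo":
            self.state = "ready"
            return "250 Hello " + arg
        if verb == "quit":
            return "221 Goodbye"
        if self.state != "ready":
            return "503 Bad sequence of commands"
        if verb == "mail":                                     # "mail from: <addr>"
            self.sender, self.rcpts = arg.partition(":")[2].strip(), []
            return "250 Sender OK"
        if verb == "rcpt":                                     # "rcpt to: <addr>"
            if self.sender is None:
                return "503 Need MAIL FROM first"
            addr = arg.partition(":")[2].strip()
            if not addr.lower().endswith("@" + LOCAL_DOMAIN):
                return "550 Unable to relay"    # relaying off: only local recipients
            self.rcpts.append(addr)
            return "250 Recipient OK"
        if verb == "data":
            if not self.rcpts:
                return "503 Need RCPT TO first"
            self.state, self.body = "data", []
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        return "500 Command not recognised"

def run_session(lines):
    server = MiniSmtpServer()
    return [server.handle(l) for l in lines], server
```

Running the post's command sequence through `run_session` yields the 250/354/250/221 replies described above, while a recipient outside the local domain gets the 550.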


Now, when the recipient gets the message they think it's from the person named in the sender's details, and they will follow the link and ........... well, that's what you get for following links, right!

Should they look at the headers they will see the spoofed IP address.

As I said, this can be done with Telnet but the IP spoofing part needs Sterm.

Oh and one last thing. Sorry Paul, it was just a joke.