A network breach can result in data loss, and for SMBs, that can cripple the company beyond repair. It’s of the utmost importance to ensure that your customers have secure networks, free of malicious attacks. But this is easier said than done, as hackers become more well-versed in common defense techniques.
The best way to defend your customer’s network is to make sure you understand the enemy’s offense. Your enemies are going to understand penetration testing tools, so it’s time that you understand how these tools can be used against your customers. Nessus, Metasploit, and Hydra are three common penetration testing tools used by many security professionals.
In this excerpt from Chapter 3 of Seven Deadliest Network Attacks (Syngress), the authors examine the three common techniques and show how attackers can use these tools to make attacks more efficient.
Adapted from Seven Deadliest Network Attacks (Syngress)
By Stacy Prowell, Rob Kraus, and Mike Borkin
Having spent a good amount of time talking about penetration tools and the gray area about what a hacker tool is and is not, let us look at some attacks and how penetration testing tools can be used to maximize the effectiveness and efficiency of an attack. Although several tools will be discussed, it is impossible to cover every tool an attacker may require in one chapter or even an entire book. The tools and scenarios that follow provide an overview to help us understand the potential impact penetration testing tools can have on your organization.
Nessus Vulnerability Scanning
Nessus is a tool that has been used by security professionals for many years. This tool is a vulnerability scanner that allows network security professionals and administrators to audit their networks by scanning ranges of Internet Protocol (IP) addresses and identifying vulnerabilities with a series of plug-ins. These plug-ins are written using a language called the Nessus Attack Scripting Language (NASL).
NASL plug-ins are a core part of the Nessus platform and are used to identify specific vulnerabilities and flaws in network resources. One of the great features of Nessus is that anyone can write NASL plug-ins and implement them as part of the scanner. Custom plug-ins can be written to detect vulnerabilities specific to the organization that developed the plug-in. Additionally the plug-ins can be shared with the Nessus development team and may be included in updates to the Nessus platform.
Configuring the initial setup of the Nessus server and client application takes only a few minutes. After setting up the application and determining the scope of the vulnerability scan, the attacker can configure the scanner to scan a single IP address or entire blocks of IP addresses. The time required for a scan to complete depends on how many plug-ins are being used, throughput of the network, scan speed settings, and the number of IP addresses included in the scan.
Once Nessus is configured to scan a network and the scan completes, the vulnerabilities are reported back to the Nessus application. The Nessus application can then present the data gathered back to the user in a variety of helpful formats. In many cases, the Nessus Client application will present information about all the network elements (indicated by their IP addresses) identified during the scans, information gathered from services detected running on the elements, and information about the vulnerabilities that may be associated with the services. This information usually includes detailed information about the vulnerabilities found, including links to Web sites with more detailed information.
Nessus also indicates the severity of vulnerabilities as part of the report details, so administrators and security professionals can identify possible steps to remediate the issues identified. In some cases, Nessus will also present the user with possible remediation steps and general recommendations for fixing identified issues, in addition to links to vulnerability databases that can provide more information on the inner workings of how vulnerabilities can be leveraged.
The system the attacker scanned (in the simulated virtual machine lab environment) is a Windows XP computer with missing security patches. The scan provided many results; however, the vulnerability the attacker appears to be interested in is the MS08-067 Security Bulletin identified in his or her scan report (Figure 3.1).
With the information provided by the Nessus scanner and the reports it generates, it is easy to see how an attacker can use this tool to identify vulnerabilities in network resources. You may also be considering the value this tool can provide for identifying missing patches in your own organization. Once an attacker has used a tool such as Nessus to identify vulnerabilities, he or she will then use the information learned to move on to the exploitation phase of the attack.
FIGURE 3.1
There are many options for configuration within the Nessus scans, including some options for performing DoS attacks. Refer to Chapter 1, “Denial of Service,” for more information on how DoS attacks can cripple networks or even countries. In most cases, the use of DoS attacks is not recommended against production systems unless the specific intent is to verify whether or not a DoS condition is possible for a specific application. These types of tests should be reserved for evaluation during nonpeak hours and ideally with redundant systems in place to take over processing of data should the DoS be successful. Although a penetration tester may have to take all of this into consideration, an attacker may elect to use the DoS plug-ins specifically to cause a disruption or degradation of service. This type of activity can be used to execute a deliberate attack against a primary target or even to distract administrators while the attacker focuses on another target.
Nessus is a great tool for administrators and security professionals to use in their efforts to maintain and assess security within their networks. However, this is an example of a tool attackers can easily use as well. A good part of understanding the best defense is to learn how the attacks work and how to identify them. It is a good idea to download Nessus to become familiar with the tool and how it can help your organization.
NOTE
Scanners such as Nessus are “noisy” when used with the default settings. Noisy means that if an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) is properly configured, it should detect a large amount of network traffic targeting individual or multiple systems with what appears to be suspicious activity. However, attackers may use IDS or IPS evasion techniques to elude detection by these systems. Nessus also has the option of using one plug-in at a time to reduce the attack fingerprint and the chances of the malicious activities being detected.
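The “noisy” traffic pattern described in this note, one source touching many distinct host/port pairs in a short window, is something an IDS rule or a log review script can look for. The following is an added example, not code from the book: a sliding-window detector run over a constructed firewall log (the log format, IP addresses, window size and threshold are assumptions).

```python
"""Flag sources that touch many distinct (host, port) pairs within one window,
the footprint a default vulnerability scan leaves in firewall or flow logs."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: one host sweeping 25 ports, one admin touching 3 services."""
    lines = []
    base = datetime(2011, 3, 1, 10, 0, 0)
    for i, port in enumerate(range(20, 45)):          # 25 ports in 25 seconds
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.50 -> 10.0.0.10:{port} DENY")
    admin = [("10.0.0.10", 445), ("10.0.0.11", 3389), ("10.0.0.12", 22)]
    for i, (host, port) in enumerate(admin):          # 3 connections over 20 minutes
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 -> {host}:{port} ALLOW")
    return "\n".join(lines)


def parse_line(line):
    """Parse '<iso-time> <src> -> <dst>:<port> <action>' (constructed format)."""
    ts, src, _, dst_port, _action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(log_text, window_seconds=60, min_distinct=10):
    """Return {src: peak number of distinct (dst, port) pairs inside one window}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            events[src].append((ts, (dst, port)))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        counts = defaultdict(int)        # distinct pairs currently inside the window
        left = 0
        for ts, pair in evs:
            counts[pair] += 1
            while ts - evs[left][0] > window:   # evict events older than the window
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= min_distinct:
                alerts[src] = max(alerts.get(src, 0), len(counts))
    return alerts


if __name__ == "__main__":
    for src, n in find_scanners(build_sample_log()).items():
        print(f"possible scanner {src}: {n} distinct targets within 60 s")
```

A scan throttled to one plug-in at a time, as the note describes, spreads the same pairs over a longer period, so the window and threshold have to be tuned against the network's normal baseline rather than set once.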
Metasploit Framework
One of the most popular (for good reason) tools out there today is Metasploit. Actually, Metasploit is far more than a tool; it is a framework that encompasses many different capabilities. The Metasploit framework has many different components that make up its functionality. The users, contributors, and developers of Metasploit are very active in its development and maintenance.
The framework can be used for exploit development, penetration testing, creating malicious payloads for client-side attacks, fuzzing, active exploitation, and almost anything you could imagine a penetration tester might need. It can even be used to verify operating system patches applied by network and server administrators. A detailed guide for using the Metasploit framework and many of its features can be found at www.offensive-security.com/metasploit-unleashed/. The framework was recently migrated from Perl to Ruby; however, some of the components are implemented with assembler and C.
The framework has many exploits and payloads to choose from to make short work of obtaining administrative access to computers, servers, and network equipment. Exploits are used to leverage flaws or vulnerabilities found in software. Payloads are the code and instructions that allow attackers to interact with compromised systems. This scenario will demonstrate the use of Metasploit to leverage a vulnerability in a computer using the Windows XP operating system and then to use information gleaned from the system to exploit other parts of the network.
Several techniques are used by attackers to discover network resources. Some of the techniques involve mapping the layout of a network, port scanning, and service identification. The focus of this chapter is penetration testing tools and how they can be leveraged for attacks and not a specific tutorial on the use of these techniques for host identification and classification. This first scenario assumes that the target has already been identified and classified by the attacker. The system the attacker has identified is the same system that was previously scanned in the section “Nessus Vulnerability Scanning.”
Although Metasploit provides several ways to interact with the framework during attacks, in this example the attacker uses the msfconsole. After an attacker has identified and classified a target system, he or she will determine the exploit and payload to use to help him or her achieve his or her goals. In our scenario, the initial goal of the attacker is to compromise a single computer in an effort to learn more information about the network before attacking the Windows Active Directory domain directly.
Figure 3.2 is a screenshot of the attacker preparing his or her exploit and payload to attack a Windows XP operating system that is missing critical patches. The exploit is leveraging the Microsoft Security Bulletin MS08-067 vulnerability that affects many of the Microsoft platforms outlined in the referenced link.
FIGURE 3.2
Exploit Selection
Metasploit has exploits and payloads to fit many situations including attacks leveraging a large number of Microsoft vulnerabilities.
Once the exploit is successfully executed, the attacker has an opportunity to interact with the operating system and perform a variety of information gathering and other post-exploitation tasks. In this scenario, the attacker decided to use the meterpreter/bind_tcp payload to perform some advanced attacks and interact with the compromised computer.
Figure 3.3 demonstrates the attacker executing the previously configured exploit and payload against the Windows XP target. Upon completion of a successful attack, a meterpreter session is started, and the attacker can now take advantage of the functionality meterpreter provides. In our scenario, the attacker uses the hashdump command to obtain a copy of the hashed passwords stored on the operating system.
Once the attacker has obtained the password hashes, he or she can crack them offline to obtain the clear-text equivalent and use the passwords obtained to conduct further attacks against the network. Some of the popular tools used for cracking passwords include RainbowCrack, Ophcrack, and John the Ripper. Password attacks and storage are covered in depth in Chapter 1, “Windows Operating System – Password Attacks,” of Seven Deadliest Microsoft Attacks, another book in the Syngress Seven Deadliest Attacks Series.
FIGURE 3.3
Password Hashes Obtained
FIGURE 3.4
SMB Login Configurations
In many cases, depending on the password complexity, it only takes a few minutes or even a few seconds to crack passwords using these tools. For those of you who wish to crack the super top-secret password found in Figure 3.3, we will save you the time and let you know the Administrator password will result in a clear-text password of “Skynetsecure!!” (This is one of the passwords used in the VMWare lab environment while working on this book and has no significance outside the lab.)
Now that the attacker has the clear-text equivalent to the hashed password he or she obtained by using the hashdump command from within the meterpreter session, he or she can start expanding his or her control over the network. Many times administrators will attempt to reduce the complexity of administration of network environments by reusing passwords across multiple systems. With this knowledge, the attacker will now take the credentials he or she obtained from reversing the captured hashes to check if the administrator accounts on other systems within the network are using the same passwords.
In Figure 3.4, the attacker configures one of the Metasploit auxiliary modules to use Server Message Block (SMB) login attempts against multiple systems to reveal if passwords are being reused within the network.
FIGURE 3.5
SMB Login Results
The attacker has configured Metasploit to check an entire subnet for computers that accept the username and password using the credentials previously obtained.
The output in Figure 3.5 indicates our attacker was successful in identifying another system using the same password as the one previously compromised. Now the attacker has the ability to take full control of yet another system without having to go through the exploitation phase using a tool similar to Metasploit. This can save the attacker a lot of time while he or she starts taking total control of the systems within the target network.
The VMWare lab environment the attacker was using was limited to five target systems. However, in production networks with hundreds of systems the rewards are often much greater for an attacker. It is not uncommon for penetration testers and attackers to identify many systems reusing passwords, and Metasploit makes easy work of extending an attacker’s control of a target network.
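The password-reuse sweep shown in Figures 3.4 and 3.5 leaves a distinctive trace on the defender's side: one source authenticating the same account against many hosts within seconds, with successes on exactly the hosts that share the password. The following is an added example, not from the book, that looks for that burst in a constructed, simplified log of Windows logon events (event IDs 4624/4625 are real; the record layout, host names, addresses and thresholds are assumptions).

```python
"""Flag one source authenticating a single account to many hosts in a short
burst, the footprint of an SMB login sweep, and list where it succeeded."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: <iso-time> <event-id> <target-host> <account> <source-ip> <logon-type>
# 4624 = successful logon, 4625 = failed logon, logon type 3 = network logon.
SAMPLE_EVENTS = """\
2011-03-01T14:00:00 4624 FILESRV01 Administrator 10.0.0.50 3
2011-03-01T14:00:01 4625 FILESRV02 Administrator 10.0.0.50 3
2011-03-01T14:00:01 4625 DC01 Administrator 10.0.0.50 3
2011-03-01T14:00:02 4625 WKS01 Administrator 10.0.0.50 3
2011-03-01T14:00:03 4624 WKS02 Administrator 10.0.0.50 3
2011-03-01T14:30:00 4624 FILESRV01 jsmith 10.0.0.5 3
2011-03-01T15:10:00 4624 WKS01 jsmith 10.0.0.5 3
2011-03-01T15:12:00 4624 WKS01 jsmith 10.0.0.5 2
"""


def parse_event(line):
    ts, event_id, host, account, src, logon_type = line.split()
    return datetime.fromisoformat(ts), event_id, host, account, src, int(logon_type)


def find_credential_sweeps(log_text, window_seconds=120, min_hosts=4):
    """Return {(src, account): {"attempted": set, "succeeded": set}} for each burst
    in which one source tried one account against at least min_hosts distinct hosts
    inside window_seconds."""
    by_actor = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, host, account, src, logon_type = parse_event(line)
        if logon_type != 3:          # only network logons look like an SMB sweep
            continue
        by_actor[(src, account)].append((ts, event_id, host))
    alerts = {}
    for actor, evs in by_actor.items():
        evs.sort()
        attempted = {host for _, _, host in evs}
        span = evs[-1][0] - evs[0][0]
        if len(attempted) >= min_hosts and span <= timedelta(seconds=window_seconds):
            alerts[actor] = {
                "attempted": attempted,
                "succeeded": {host for _, eid, host in evs if eid == "4624"},
            }
    return alerts


if __name__ == "__main__":
    for (src, account), info in find_credential_sweeps(SAMPLE_EVENTS).items():
        print(f"{src} swept {len(info['attempted'])} hosts as {account}; "
              f"password accepted on: {sorted(info['succeeded'])}")
```

The "succeeded" set is the list of hosts sharing the reused password, which is the set an incident responder needs to re-credential first.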
TIP
Meterpreter is a part of the payload that is injected into memory and does not place files on the hard drive. This is achieved by injecting a dynamic link library (DLL) into a process that is already running using a technique called Remote Library Injection. The DLL allows attackers to perform tasks that were once complicated in a faster and more efficient manner.
Hydra Password Attacks
The last scenario for this chapter explores the types of attacks performed by using Hydra. This tool is one of the best login cracking tools available to penetration testers and attackers due to the number of protocols it supports and the reliability of the results it provides. Currently the tool supports login attacks for over 30 protocols and applications. Some of the protocols supported include SMB, Post Office Protocol 3, Simple Mail Transfer Protocol, telnet, Cisco telnet, Hypertext Transfer Protocol (HTTP), Microsoft Structured Query Language (MSSQL), and MySQL.
This scenario explores the dangers associated with the use of poorly configured management protocols. The attacker has identified what appears to be a Cisco router with telnet and Simple Network Management Protocol (SNMP) enabled. Both of these protocols are used by administrators to remotely administer the device or query performance statistics. The attacker first decides to perform a dictionary attack against the telnet interface but has no success in gaining access to the device.
The attacker decides to focus his or her attacks against the SNMP service running on the device. Attackers can use dictionary attacks against SNMP services just as they can against the telnet interface; however, with SNMP, the password is implemented in the form of a community string. This community string allows administrators to apply access restrictions to the devices using SNMP. Typically there are two community strings for management of devices: one of the community strings is usually a read-only community string and the other is a read-write community string.
Unfortunately, many times the SNMP services on devices are enabled by default and are configured with default community strings. Additionally, where the SNMP service is not enabled by default, administrators will many times enable it with easily guessable community strings. A few of the most common SNMP community strings seen today are public, private, ro, rw, and internal. The knowledge of these common configurations allows attackers to use tools such as Hydra to automate the detection of default or easily guessable community strings. Figure 3.6 shows our attacker using Hydra to identify community strings on his or her Cisco router target.
After the scan is completed, the attacker is presented with the results. It appears from the results that the attacker was able to successfully identify two community names, “public” and “private.” Up to this point, the attacker really did not have any success with gaining access to the network, but because he or she has the SNMP community strings for a Cisco device, he or she may be able to learn more information to perform additional attacks.
FIGURE 3.6
Hydra SNMP Dictionary Attack
Since the attacker now has the public and private community strings, he or she may try some advanced attacks that may result in further compromise of the network. The attacker uses the information learned to conduct his or her next attack against the network. By knowing the public community string, he or she is able to query configuration parameters of the device; however, with the private community string, he or she has read and write access to the device.
The attacker uses the knowledge of SNMP, Management Information Base (MIB), and Trivial File Transfer Protocol (TFTP) to transfer the Cisco router configuration file to a remote TFTP server. This is accomplished by the attacker setting up a TFTP server to listen for incoming TFTP write requests and then using the MIB Object Identifiers (OIDs) and the snmpset command to instruct the router to transfer its configuration file to the TFTP server. Once the attacker has performed the attack successfully, he or she can use TFTP to retrieve the file transferred to the TFTP server. A detailed explanation on how to use SNMP, MIB, and OIDs for this type of attack can be found on Cisco’s support site. Although the Cisco Web site demonstrates the use of this type of functionality with the legitimate user in mind, we can see how an attacker can use it to his or her advantage.
Once the file is retrieved by the attacker, he or she can now review the router configuration file and learn more about the layout of the network, the protocols used, the access lists implemented, and possibly the password of the router. If the passwords configured for the device are stored in clear text, then the attacker may be able to use this password to gain access to network components or cause a DoS by reconfiguring the router to drop all legitimate traffic.
NOTE
It is common for attackers to use word lists with tools such as Hydra to increase the chances of success while performing password attacks. These word lists may contain many different words that are common in English and other languages.
The “dictionary” part of “dictionary attack” really has two meanings. First, it means a list of words that are compiled to form a dictionary for use in password attacks. Second, a dictionary attack can actually use the entire list of words found in a dictionary. Oxford Dictionary’s Web site indicates over 171,000 words in the second edition of their dictionary. This may be a little excessive for dictionary attacks, so it pays to know what the most common words used are.
WARNING
In some cases, the Cisco passwords may be encrypted using the service password-encryption command. This will result in the encryption of the passwords using a weak Cisco “Type 7” proprietary encryption algorithm that can be reversed to its clear-text equivalent by using publicly available tools such as Cain and Abel.
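Every weakness this scenario relies on is visible in the router's own configuration before an attacker ever finds it: default or guessable community strings, a read-write community with no access list, telnet left open on the vty lines, and passwords stored in clear text or as reversible Type 7 strings. The following is an added example, not code from the book or from Cisco, that audits an IOS-style configuration for those conditions; the sample configuration, host name, addresses and placeholder password strings are constructed.

```python
"""Audit a Cisco IOS-style configuration for the weaknesses this section describes."""

# Default or guessable community strings named in the text.
WEAK_COMMUNITIES = {"public", "private", "ro", "rw", "internal"}

# Constructed sample configuration; TYPE7PLACEHOLDER stands in for a Type 7 string.
SAMPLE_CONFIG = """\
version 12.4
hostname LabRouter
!
enable password LabEnable1
username admin password 7 TYPE7PLACEHOLDER
!
snmp-server community public RO
snmp-server community private RW
snmp-server community m0nitor-7Gq RO 10
access-list 10 permit 10.0.0.5
!
line vty 0 4
 password 7 TYPE7PLACEHOLDER
 login
 transport input telnet
!
"""


def audit_ios_config(config_text):
    """Return a list of human-readable findings, one per weak line."""
    findings = []
    in_vty = False
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "line":                       # entering a line-configuration block
            in_vty = len(words) > 1 and words[1] == "vty"
        elif words[0] == "!":                        # section separator ends the block
            in_vty = False
        elif words[:2] == ["snmp-server", "community"]:
            community = words[2]
            mode = words[3].upper() if len(words) > 3 else "RO"
            acl = words[4] if len(words) > 4 else None
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(f"weak SNMP community '{community}' ({mode})")
            if mode == "RW" and acl is None:
                findings.append(f"RW community '{community}' has no access-list")
        elif "password" in words:
            rest = words[words.index("password") + 1:]
            if rest and rest[0] == "7":              # reversible Type 7 encoding
                findings.append(f"reversible Type 7 password: {raw.strip()}")
            elif rest and rest[0] not in ("5", "8", "9"):   # 5/8/9 are hashed forms
                findings.append(f"clear-text password: {raw.strip()}")
        elif in_vty and words[0] == "transport" and "telnet" in words:
            findings.append("vty line accepts telnet")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The community string with an access list and a non-default value (m0nitor-7Gq) produces no finding, which is the configuration shape the read-write community should have had.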
Although this scenario focused a lot on the exploitation of a router by manipulating SNMP, the tool that made this all possible was Hydra. There are many other types of attacks an attacker can perform against many protocols using this powerful tool.
©2011 Elsevier, Inc. All rights reserved. Printed with permission from Syngress, a division of Elsevier. Copyright 2011. “Seven Deadliest Network Attacks” by . For more information on this title and other similar books, please visit elsevierdirect.com.