
Upload: tranduong

Post on 18-May-2018


WLSAT Section 8

08 - Creative Advanced Attacks.v7 © 2007 Institute for Network Professionals 1/12/11 1 www.inpnet.org • www.HOTLabs.org

Section 8 Creative Advanced Attacks

On the downhill slide of our journey with Wireless LAN Security Assessment Toolkit, we’ll show you some of the cutting edge and exciting tools and techniques that exist in the WLAN ecosystem. Your kit includes a professional Honeypot to trap would-be attackers to your Wireless LANs. Plus we’ve included some unique ‘tools’ on a USB ‘Attack Stick’ – remember, only WITH PERMISSION.


Lab 8.1: Create a Honeypot KF Sensor

KFSensor is a Windows based Honeypot Intrusion Detection System (IDS).

It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and trojans.

By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone.

KFSensor is designed for use in a Windows based corporate environment and contains many innovative and unique features such as remote management, a Snort compatible signature engine and emulations of Windows networking protocols.

With its GUI based management console, extensive documentation and low maintenance, KFSensor provides an effective way of improving an organization's network security.

Product Information

Source Key Focus

KF Sensor Professional – Commercial License

$999.00

http://www.keyfocus.net/kfsensor/index.php

Where, When, Why

When you want to ‘catch’ someone in the act of attacking your network, a Honeypot is the tool of choice. KF Sensor is a robust, professional Honeypot that can also be used attached to a ‘rogue’ access point of your design to ‘catch’ folks attempting to access your network via the Wireless LAN.

Usage and Features

Monitors every port - KFSensor Professional monitors attacks on every TCP and UDP port, as well as detecting ICMP or ping messages. It also monitors all network activity of native Windows server applications, allowing these to act as part of a Honeypot configuration.

Remote administration - KFSensor Enterprise Edition contains the ability to manage and monitor multiple honeypot installations. Events from different sensors across the network are concatenated in real time allowing an immediate view of attacks as they happen.

KFSensor uses 3072 bit RSA public/private key authentication and 256 bit AES encryption to provide the top of the range security for communication between sensors.

IDS signature engine - KFSensor is the first product to combine the benefits of signature-based IDS with a honeypot system. Its fast signature search engine has a minimal impact on system performance and can handle thousands of rules.


It is easy to update the rulebase with new rules from different sources and to create new rules directly from an event.

Requirements / Dependencies

• Windows NT, Windows 2000, Windows XP, Windows 2003 Server
• 500 MB hard disk space
• 512 MB RAM
• 1 NIC card and/or direct internet connection

Lab Part 1 - Configuring KF Sensor

In this lab exercise you configure KFSensor using the Wizard and the individual settings windows.

Step 1. Launch KFSensor (it may already be started on your system. Look for the KFSensor icon in the system tray - it may be a different color).

Perhaps your computer has ports currently in use (Listened)

Step 2. Select Settings > Set Up Wizard. The Set Up Wizard guides you through the configurations of:

- Port Classes
- Domain Name Selection
- Email Alerts
- Systems Service

Step 3. Click the Next button to begin configuring KF Sensor. By default all the port classes will be selected.

Click Next to accept this configuration using all port classes.

Step 4. Now you need to give your system a name. Use a fictitious name that may be attractive to someone who is doing discovery for “juicy” targets. For example, using the following words somewhere in your domain name may get you more hits:

- credit
- bank
- financial
- investment
- accounting
- private
- internal


Enter your domain name (don’t forget to include the .com, .org, .net or whatever extension you are going to use). Click Next.

Step 5. If you would like to receive email alerts of events, enter your target email address and the source email address in this window.

Click Next.

Step 6. Now you can configure the system services. Click the Wizard Help button for more details on each option.

• Denial of Service
  - Normal/Cautious
• Port Activity
  - 1-12 Hours
• Proxy Emulation
  - Allow banner grabs and loop backs
  - No external connections
• Network Protocol Analyzer
  - Disable packet dump files
  - Enable packet dump files

Use the following settings for this lab exercise:

Click Next.

Step 7. Now you are on the system service set up window. A system service allows KFSensor to run like a daemon on your system regardless of who is logged into it. You can change between users without affecting the system service. You must be logged in as the administrator to install the system service. “Install as a system service” should be selected.


Click Next.

Step 8. KFSensor should now be ready to configure your system. Click Finish.

Step 9. Now we are going to customize KF Sensor. Select Settings > Customize. In this area you define the alert behavior, KFSensor window behavior, recent activity intervals, startup behavior and the maximum number of events to keep loaded. We definitely want to disable the audible alarm and we want to increase the number of events that are displayed when KFSensor starts up. Configure your KFSensor as shown next.

Click OK when you have set these configurations.

Step 10. Now you are ready to review the DOS Attack Settings and see if you want to stay with Normal – or use Cautious – or a customized setting. Select Settings > DOS Attack Settings.


Step 11. To compare the two default settings – Normal and Cautious – click on each separately and review the settings. You can select either setting or define a customized setting for this lab exercise. Click OK when you are finished.

Step 12. Now we are ready to configure the network analyzer function of KF Sensor. We enabled this feature in the Set Up Wizard. Select Settings > Network Protocol Analyzer. In this area you can select to monitor specific interfaces and define the types of packets that you want to capture.

Step 13. Configure your KFSensor network protocol analyzer as shown below.

NOTE: This system has a dial-up adapter loaded. On your systems, choose all adapters that are displayed in the list (which include your wired and wireless adapter and the generic Microsoft adapter).

Click OK when you are done.


Note: Your analyzer trace files are stored in the c:\kfsensor\dumps directory.

Step 14. Select Settings > Email Alerts and review the configuration. You may want to select a Message Title or rethink the sender’s address so you can easily apply email filters for your KFSensor alerts. In this area you also define the email alert interval and the message severity level. Click OK when you are finished.

Step 15. Now select Settings > Local Sensor Configuration. Here you will see the Sensor ID of your KFSensor server. If you install more than one KF Sensor, assign a unique ID to each since this number is kept in the logs to enable you to determine which KFSensor server was hit. Change your KFSensor ID value to kfsensor-zzz where zzz are your first, middle and last initials. We’ll keep this default port and the log level setting at this time. Click OK to accept this setting.

Note: It might warn about restarting KF Sensor in the ‘normal’ way and shut down. Just restart it to return.

Step 16. Look through the other options under the Settings menu option. If you need to know more about any setting, click the Help button on the setting window.

Lab Part 2 - Viewing, Editing and Creating New Scenarios

In this lab exercise you continue to configure KFSensor by viewing the Main Scenario, creating a new scenario and defining the Listens and KFSensor behavior for those Listens.

Step 17. In the KFSensor window, select Scenario > Edit Scenarios. You should have only one scenario defined on your system – the Main Scenario. This is the active scenario at this time.

NOTE: First we are going to look at the Main Scenario – we are not going to edit that scenario, however. We are going to back out and make a new scenario called WLSAT Scenario.

Step 18. Click Edit. At this time you might see a KF Warning box appear. This is not unusual – it indicates that certain ports were in use already when KFSensor started. You can select “Convert to Native” on those ports to have KFSensor listen to activity on them. For example, on Windows systems the NBT (NetBIOS) ports are enabled by default and will generate errors. Click OK.


We don’t want to edit this scenario – we only want to look at it. This window is showing you “Listens” or defined ports that we are listening on using this scenario.

Step 19. Double-click on FTP Guild (see previous graphic) to get more detail on the configuration of the FTP Listen.

Here you can get an idea of how a Listen is defined – you define the port number and protocol and address to bind the Listen to. This is also where you define the KFSensor action when that Listen is hit as well as the severity level. Finally you can define the DOS attack limits to protect KFSensor from being overwhelmed by too many connections on that Listen.

Now we are ready to build a brand new scenario.

Step 20. Click Cancel to close the Edit Listen window and Cancel to close the Edit Scenario Window. You should now be viewing the Edit Scenarios window as shown below.

Step 21. Click Add to create a new scenario. You may receive the warning about ports in use. Click OK to close the warning window.

Step 22. Enter the scenario name WLSAT Scenario. Enter the domain name that you defined in the Set Up Wizard. Click the Add/Remove Classes… button.

Step 23. Check off all the classes listed except Linux and click OK.


Step 24. Now you will see all the Listens for these classes show up in your new scenario. We are going to add a Listen to this group. Click Add. You are going to add a Listen for Laura’s Attack. Enter the information as shown in the configuration below. Click OK when you are done.

Step 25. Your new Listen should show up in the list now. Click OK to save this scenario and close the New Scenario window. Now your WLSAT Scenario should be listed in the Edit Scenario window. Click OK to close the Edit Scenario window.

Step 26. Select Scenario > Switch Scenario. Select your WLSAT Scenario from the drop-down list and click OK.

NOTE: KFSensor hesitates for a moment as it switches scenarios – be patient. It might need to be restarted – the switch might cause the services to stop.

Lab Part 3 - Viewing and Adding Visitor Rules

In this lab exercise you view and edit rules related to visitors that hit KF Sensor. You will work with your WLSAT Scenario only.

First IP Address: ___________________________________ Last IP Address: ___________________________________


NOTE: If you are going to connect to the KFSensor system using a Listen port (perhaps one that has been converted to native, such as the FTP port) and you don’t want your communication to be logged, enter a Visitor Rule to exclude your connection on that port. Visitor rules are only used to close connections with, or ignore visitors. They are NOT a “lockout” feature. Use signatures to do lockouts based on ports or payload.

Step 1. In KF Sensor, select Scenario > Edit Active Visitor Rules to open the Visitor Rules window.

Step 2. Click Add.

Step 3. Enter the following rule information:

- Name: Instructor Machine
- First IP: See above
- Last IP: See above
- Host DNS name: Leave blank
- Protocol: Any
- Sensor Port: Leave blank
- Visitor Port: Leave blank
- Min. Connections: Leave blank
- Max. Connections: Leave blank
- Actions: Ignore
- Set Severity: No change

Click OK to close the Edit Rule window.

Step 4. Your new rule is visible when you edit the active scenario and click the Rules button.

Lab Part 4 - Creating Signature Rules

In this lab exercise you create a signature rule based on traffic received and review how signatures are created and imported.

Step 5. In KF Sensor, click the Ports View button.

This might be enabled by default when the server starts.

Step 6. Maximize the window so you can see the Received column information. This column shows the data related to the event (if any).


Step 7. Double-click one of the events that show data was transferred. The Event Detail window appears.

Step 8. Click the Signature tab. If no signature is associated with this event, click the Create button. The Edit Signature window appears showing the signature data definition.

Click OK to accept this configuration.

Step 9. The Add Signature window is now displayed. You can provide a message with your signature and include a Source Reference (such as a website that contains additional information on this signature).


Note: Unless you are actively working with a ‘partner’ to see live traffic, you’ll only see your own little network’s Windows traffic.

The signature will be defined as “hand coded”, which means it takes precedence over the other KF signatures. It is that easy to add signatures from existing events.

In order for KFSensor's signature engine to be most effective it is best to build up and maintain a large rule base. KFSensor can import rules written in Snort format. There are a number of different sources for Snort rules and the first stage is to download copies of different rule sets.

Unlike a network IDS, KFSensor uses signatures to provide information on an attack and not to identify attacks. It is therefore possible to use experimental and non-certified rule sets.

The official Snort and community rule sets can be obtained at: http://www.snort.org/rules/

Another important source of rules is Bleeding Snort: http://www.bleedingsnort.com/index.php
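The following added example (not part of the original lab and not KFSensor's own engine) shows how Snort-format rules can label honeypot events rather than decide whether they are attacks: every event is kept, and matching rules only attach a description. It handles a small subset of the rule syntax (content, nocase, depth, plain destination ports); the rules, events and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rules in Snort format (not from any published rule set).
SAMPLE_RULES = r'''
alert tcp any any -> any 21 (msg:"FTP anonymous login"; content:"USER anonymous"; nocase; depth:14; sid:1000001;)
alert tcp any any -> any 80 (msg:"HTTP request with ../ in path"; content:"GET "; depth:4; content:"|2e 2e 2f|"; sid:1000002;)
alert tcp any any -> any 23 (msg:"Telnet root login\; constructed"; content:"root"; sid:1000003;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"needs variables"; content:"x"; sid:1000004;)
'''

# Constructed honeypot events: protocol, sensor port and the bytes received.
EVENTS = [
    {"proto": "tcp", "port": 21, "received": b"user Anonymous\r\n"},
    {"proto": "tcp", "port": 80, "received": b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "port": 80, "received": b"GET /index.html HTTP/1.0\r\n\r\n"},
]

HEADER = re.compile(r"^\w+\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(\S+)\s*\((.*)\)\s*$")
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    depth: int = 0  # 0 means "search the whole payload"
    def found_in(self, payload: bytes) -> bool:
        window = payload[:self.depth] if self.depth else payload
        if self.nocase:
            return self.pattern.lower() in window.lower()
        return self.pattern in window

@dataclass
class Rule:
    proto: str
    ports: range
    msg: str = ""
    sid: str = ""
    contents: list = field(default_factory=list)

def decode_content(raw: str) -> bytes:
    """Convert content text such as 'GET |0d 0a|' to bytes (hex sits between pipes)."""
    return b"".join(bytes.fromhex(p) if i % 2 else re.sub(r"\\(.)", r"\1", p).encode("latin-1")
                    for i, p in enumerate(raw.split("|")))

def parse_port(spec: str):  # supports 'any', 'N' and 'lo:hi'; anything else gives None
    if spec == "any":
        return range(0, 65536)
    m = re.fullmatch(r"(\d+)(?::(\d+))?", spec)
    return range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1) if m else None

def parse_rule(line: str):
    """Return a Rule, or None when the rule uses features this subset cannot evaluate."""
    m = HEADER.match(line)
    ports = parse_port(m.group(2)) if m else None
    if ports is None:
        return None
    rule = Rule(m.group(1).lower(), ports)
    for key, val in OPTION.findall(m.group(3)):
        val = val.strip()
        if key == "content" and val.startswith("!"):
            return None  # negated content is outside this subset
        if val.startswith('"'):
            val = val[1:-1]
        if key in ("msg", "sid"):
            setattr(rule, key, re.sub(r"\\(.)", r"\1", val))
        elif key == "content":
            rule.contents.append(Content(decode_content(val)))
        elif key == "nocase" and rule.contents:
            rule.contents[-1].nocase = True
        elif key == "depth" and rule.contents:
            rule.contents[-1].depth = int(val)
    return rule if rule.contents else None

def load_rules(text: str):
    """Parse a rule file; return (usable rules, number of rules skipped)."""
    lines = [ln.strip() for ln in text.splitlines()]
    parsed = [parse_rule(ln) for ln in lines if ln and not ln.startswith("#")]
    return [r for r in parsed if r], sum(r is None for r in parsed)

def annotate(event: dict, rules: list):
    """Return (sid, msg) for each rule that describes the event; [] still means an event."""
    return [(r.sid, r.msg) for r in rules
            if r.proto == event["proto"] and event["port"] in r.ports
            and all(c.found_in(event["received"]) for c in r.contents)]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["port"], annotate(ev, load_rules(SAMPLE_RULES)[0]) or "no signature")
```

The skipped count matters when importing third-party rule sets: rules that depend on variables or unsupported options are dropped here rather than matched loosely, so a low match rate may reflect the parser's limits and not the traffic.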


Lab 8.2: Creative Wireless Attacks

Instructor will now demonstrate creative wireless attacks.


Lab 8.3: NirSoft Password & History Utilities

This group is a series of individual software packages aimed at Password Recovery, History Recovery or Product Key Recovery. Because of the sensitive nature of the information obtained by these tools – please be careful and always have permission first before deploying these recovery tools.

Product Information

Source NirSoft

Freeware

www.nirsoft.net

Where, When, Why

Security—Password and History Recovery Utilities (multiple applications)

Have you or any of your friends or family ever forgotten a password? Of course you have had this experience. Well, with these simple tools you can quickly find the passwords and get back to happy computing.

Now, with this great power comes great responsibility as well. You need to use these tools for good and not for evil!

You can recover passwords, history from IE and Cookies as well as recover those pesky Microsoft Product Keys. Use the ProduKey BEFORE you need to reinstall and you can be ready for those Office and XP keys – you’ll be all ready to reinstall after a crash.

WARNING: ALWAYS HAVE PERMISSION BEFORE USING ANY OF THESE RECOVERY UTILITIES

IMPORTANT NOTE: Many of these utilities might trip your Anti-Virus alarms – not as a ‘virus’ per se, but as a ‘hacking tool.’

Some AV products will delete the offending files directly from your USB Stick – to replace them, copy the original files from the Student DVD to the appropriate location on your Ultimate USB stick: \5 – Security\Toolname\Tool

Usage and Features

• MessenPass – Recovery of instant messenger passwords
• MailPassView – Recovery of popular e-mail client passwords
• Protected Storage PassView – Recovery of all passwords and AutoComplete strings from Protected Storage
• Dialupass – Recovery of VPN and Internet dialup connection passwords
• Asterisk Logger – Reveal passwords hidden behind asterisk (******) characters in password boxes
• SniffPass – Listen on the network for POP3, IMAP4, SMTP, FTP and HTTP passwords
• Network Password Recovery – Recover network passwords stored by Windows XP
• WirelessKeyView – View Wireless LAN WEP and WPA keys
• IE PassView – View Internet Explorer passwords
• IECookiesView – View and Modify cookies stored on your computer
• IEHistoryView – View and Delete URLs you’ve visited in the last few days
• WinUpdatesList – Display all the Windows updates on the target machine
• ProduKey – Recover Microsoft Office/Windows Product CD-Keys

Requirements / Dependencies

• Any Windows operating system

Where to Go for More Information

• www.nirsoft.net

This is the ‘Manual’ way of running these… in the next lab we will use an ‘Attack’ Stick to automate the process

What you will do in this lab:

• Run through a series of hands-on lab exercises testing a variety of password and history recovery utilities.

• As a penetration test – showing what information is vulnerable

Lab Part 1 - Messenpass

Step 1. Launch MessenPass.

Did it find any of your Instant Messenger accounts and passwords? _______

Step 2. Try exporting an HTML file of the results


Lab Part 2 - MailPassView

Step 1. Launch MailPassView.

Did it find any of your Mail accounts and passwords? ________

Step 2. You can export an HTML file of the results.

Lab Part 3 – Protected Storage PassView

Protected Storage PassView is a small utility to reveal the content of the "Protected Storage" registry key. This registry key contains the passwords stored on your computer by Internet Explorer, Outlook Express and MSN Explorer.

The usage is trivial: once executed, Protected Storage PassView displays in its window all the passwords it's able to find, showing the resource name, the password type, the username (if available) and the password.

The 'View' menu allows you to filter the main window content by displaying only certain types of passwords

Step 1. Launch Protected Storage PassView.


Step 2. Note the wealth of information this quickly provides – web sites, passwords, etc. – These items are clearly and easily available to anyone who has access to your computers!

What was discovered on *your* computer? _____________________________

How does this make you feel about the security of your private information?

____________________________________________________

Step 3. Like the other NirSoft products, this too can export to an HTML file.


Lab Part 4 – Asterisk Logger

Step 1. Launch Asterisk Logger.

Step 2. Open the window that contains the asterisk text-box you want to reveal. The password will be instantly revealed inside the password box, and in addition, a record containing the password and other information will be added to the main window of Asterisk Logger utility.

Step 3. After you reveal all the passwords you need, you can select the desired passwords in the main window of Asterisk Logger, and save them into a text or HTML file.


Lab Part 5 - SniffPass

Step 1. Launch SniffPass.

Step 2. Click on File > Start Capture or click on the green arrow.

Step 3. A Capture Options window opens. Highlight the adaptor you are using for packet captures and select either RAW Sockets or WinPcap Packet Capture Driver.

Note: Choose RAW Sockets if you don’t have WinPcap loaded already on your target machine.

Step 4. Click OK.

Step 5. Generate some traffic by using the browser to login to a site where you must enter your name and password.


Lab Part 6 – Network Password Recovery

Step 1. Launch Network Password Recovery.

Step 2. Did it find any of your Windows Network accounts and passwords? _______

Step 3. You can export an HTML file of the results

Lab Part 7 - WirelessKeyView

Step 1. Launch WirelessKeyView.

Step 2. Did it find any of your Wireless accounts and passwords? ____________

Note: The keys are shown in both HEX and ASCII values

Step 3. You can export an HTML file of the results


Lab Part 8 – IE PassView

Step 1. Launch IE PassView.

Step 2. Did it find any of your Internet Explorer accounts and passwords?

Step 3. You can export an HTML file of the results


Lab Part 9 – IECookiesView – Internet Explorer Cookies Manager

Step 1. Launch IECookiesView.


Step 2. Look through the column headings by scrolling to the right.

Step 3. You can export an HTML file of the results

Lab Part 10 - IEHistoryView

Step 1. Launch IEHistoryView.

Step 2. Did you know your surfing history was this easy to see?

Step 3. Now using the options in Microsoft IE, clear out your history and cache and try running this utility again. Did it clear your data?


Lab Part 11 - WinUpdatesList

Step 1. Launch WinUpdatesList.

Step 2. How many times has the target machine been ‘patched’ or updated by Microsoft for the Windows OS? _______

Step 3. You can export an HTML file of the results

Lab Part 12 - ProduKey

Step 1. Launch ProduKey.

Step 2. Cut and paste these keys into a text file and save as part of your backup. When it’s time to restore, you’ll have your CD-Keys all ready to go.


What you learned in this Lab:

In this Lab you learned to use Password & History Recovery Utilities to:

1. View all the different types of saved passwords and history files that are available to anyone with access to your computer

2. These tools can all be run remotely if a hacker has control of your computer

3. As an example in a penetration test, you can show the clients the vulnerabilities of their machines to anyone with these simple software utilities

4. Your Anti-Virus software might have caught a few of these tools, but what about those the AV didn’t catch?


Lab 8.4: Attack and Recovery - USB Switchblade

The goal of the Attack & Recovery tools (based on USB Switchblade) is to silently recover information from a target Windows 2000 or higher computer, including password hashes, LSA secrets, IP information, etc... the original Amish technique of using social engineering to trick a user into running the payload when choosing "Open folder to display files" upon insertion. While the USB Switchblade does require a system running Windows 2000, XP, or 2003 logged in with Administrative privileges and physical access, the beauty lies in the fact that the payload can run silently and without modifying the system or sending network traffic, making it near invisible.

Product Information

Source Hak.5 Team

Combination of Freeware

Where, When, Why

Ok, now this one is going to be hard to justify the Where, When and Why—Unless you have the correct permissions to do a Penetration Test on the target devices. A single USB stick designed to ‘hack’ into an unsuspecting computer, copy down the SAM files, IE history, Protected Storage, Passwords, etc.

As a penetration testing demonstration, this small USB device excels at ‘scaring’ the target by showing how easy it is to learn a very large amount of information about the target machine, very quickly, very easily.

For example the USB Switchblade can be used to retrieve information from a target system at a LAN party by lending the key to an unsuspecting individual with the intent to distribute a game patch or the like.

Usage and Features

• Using this tool to stealthily retrieve passwords, Internet browsing history and detailed information from a target machine.
• Shows Product Keys, Passwords from IE, Firefox, Wireless, Windows, Protected storage and more!

DO NOT USE THIS WITHOUT APPROPRIATE PERMISSIONS!

Requirements / Dependencies

• Windows Target Machine with physical access to USB Port

Where to Go for More Information

• http://www.hak5.org/wiki/Switchblade_Packages
• http://www.hak5.org/forums/viewtopic.php?p=31505
• http://www.hak5.org/wiki/index.php?title=USB_Switchblade


What you will do in this lab:

• Use the ‘Attack Stick’ to run USB Switchblade on a target device to retrieve passwords, detailed information, etc.

Lab Part 1 – Penetration Test Demonstration

DO NOT USE THIS WITHOUT APPROPRIATE PERMISSIONS!

In a penetration testing mode, this tool can be used to ‘scare’ unaware individuals by showing them the items on their computer that ‘share’ their personal information. With only a few seconds, and physical access to a USB port, many pieces of personal information and history can be gathered.

Use with Caution.

Step 3. Insert ‘Attack Stick’ in target computer. If Autorun does not launch – then you will need to Launch USB SwitchBlade. Start the GO.BAT file in the \WIP\CMD\ directory – or at your USB drive prompt, type: \WIP\CMD\go.bat.

Step 4. You might have tripped an Anti-Virus alarm by running this Attack. Try turning off Anti-Virus for a period of time.

Step 5. When the attack is complete, remove the USB stick.

Step 6. On a different computer (or the same as the target – it doesn’t matter) retrieve the ‘found’ information by opening the \WIP\DUMP folder and finding a folder with a name of the target computer. Inside you’ll find a set of files containing massive amounts of personal information.

Step 7. Please review each of these files.

Step 8. Did you find passwords? For what programs? Did it find ALL passwords? Why or why not? _________________________________________________

Step 9. There are other sets of tools that can use this same method for good and not for evil! Running scripts to update A/V packages, etc.

IMPORTANT! Please delete the contents of the \WIP\DUMP folder before continuing – it contains private information!

What you learned in this Lab:

In this Lab you learned to use USB Switchblade to:

• Wow! Was it really that easy to find all that personal information?

• How am I going to protect myself and my computer from this type of attack in the future?

• What else might I do with this type of platform?