PEN TEST EXERCISE 1
The CEO of a small company hires you to do a penetration test. He believes his company is secure, and has contracted you only to look at a server that contains a web-based list of the company’s contact information.
Exploit all vulnerable services, passwords, etc., and try to get to the CEO's financial info.
CONFIGURATION: 2 Virtual Machines
- PenTest Lab Disk 1.100: This LiveCD is configured with an IP address of 192.168.1.100 – no additional configuration is necessary. Set VM to NAT.
- Pentest Machine: Backtrack 5r2 or any other version you might have available. Set VM to NAT and add a second network card.
For this lab we will assume that the machines will be running on VMware and that the student is well versed in this or any other virtualization technology (VirtualBox, Virtual PC, etc.) and knows how to set up a virtual machine. Once you boot both systems you will have the following scenario:
This is your attacking machine; we are using Backtrack 5r2. As we already know, the IP scheme we are using is 192.168.1.x/24 and our victim's IP is 192.168.1.100. We need to configure our attacker to be on the same IP range, so in order to do this we issue the following command in a terminal:
- ifconfig eth0 192.168.1.111
Now we are ready to work!
STEP ONE: Reconnaissance
In order to see the live systems on the network we can type this command:
- genlist -s 192.168.1.*
Genlist is a simple tool that lets us scan a segment and points out the hosts that are live on our network; as you can see, the output is very clean and simple. Only live hosts are shown. In our case we see our victim 192.168.1.100 and ourselves 192.168.1.111. If you try to ping the victim machine you will fail, as the machine will not answer your ping requests. This is a normal security procedure implemented on a network: if the machine is not responding, the casual intruder will assume it's because this IP is not live at the moment. But because you can identify the live hosts with other tools (like genlist) you know the machine is alive. With this information we can proceed to run an nmap scan in order to find more information about the system.
There are many switches that allow us to perform stealth scans against a system. The most basic is: nmap -sS 192.168.1.100. As described on the official nmap site:
- -sS: SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap’s FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the
- -sV: Enables version detection. Alternatively, you can use -A, which enables version detection among other things.
Here are the results:
As you can see we are shown all the open ports and their respective service and version. With this info we know that we can maybe try to find usernames and passwords to access the ftp service or the ssh service. We also know that it is running a web server, because port 80 is open and running Apache. So the logical first thing to do is to see if we can actually access some kind of website by typing:
- firefox http://192.168.1.100:80
Nice! They have a working website that can provide valuable information. Let's dig some more. If we scroll down the page we find a list of emails from some interesting people. Let's copy it and put it in a text file. When you see this information, the first thing you come up with is the fact that the username is usually the first part of those emails, either as written or with some sort of variation. So the first thing we do in order to get usernames is remove the info from the @ sign onward so we end up with just the names:
STEP TWO: Password attacks
So now we will try to get to work and find some passwords. As we saw earlier in our nmap scan, ftp and ssh are running on our victim, and you know that we can connect to a machine running those services if we get the right credentials. The first thing we can do is try to connect to the ftp service to see if anonymous users are allowed, even though the initial information tells us that the service is broken and is unable to listen on any IPv4 socket. Well, we have nothing to lose, so let's try it:
- ftp 192.168.1.100
As you can see we failed. As was stated originally, the server could not bind to listen for connections, and this try yielded no results. But we still have ssh. This time we need to use some tool in order to get the right username and password, because ssh doesn't allow anonymous users to log in. In this case the tool of choice is Hydra: http://www.thc.org/thc-hydra/ The program has a GUI but we are not going to be using it; all information will be entered via the terminal. So the first thing you will do is type man hydra to get the user manual and read it. Do it, don't just learn a few switches from this tutorial; get to know the tool and experiment with it. Don't learn a few tricks, try to assimilate the usage of the tool so you can get a lot of mileage out of it. Anyway, it is a short manual, so read it and play with the damn thing! For our attack we will use the following instruction:
- hydra 192.168.1.100 ssh -L users.txt -p password -e s
This instruction is broken down as this:
- hydra – this calls the application
- 192.168.1.100 – this sets the target IP
- ssh – this sets the service we want to guess the password for
- -L users.txt – try to log in using the names from the list mentioned
- -p password – try to use the same users.txt file as passwords
- -e s – to establish that you will use the usernames as a password
So we are telling hydra to attack the ssh service on 192.168.1.100 by using the users.txt file and using its values as both usernames and passwords. Let's see what happens.
We failed for a second time. So what do we do??? Well… remember that the original username pattern was last name, initial??? What if we reverse it??? Let's take a look…
Now we have both versions. Let's run hydra again:
Bullseye!!! We got a valid username / password combination: bbanter for both user and password. Now you can fix your users.txt file and erase the last name, initial data. We know it doesn't work. Now to log in we type: ssh bbanter@192.168.1.100 and use bbanter as the password when asked!
As you can see here we are connected to our victim. So what is the next step??? If you remember, we were able to guess only one username / password combination, but there have to be others for sure, so what we need to do is capture both the passwd and shadow files so we can join them with john the ripper and, with the aid of either a brute force attack or a dictionary, start working on cracking them. To do this we need to go to the etc folder to get those files, so we type cd /etc, press enter and type ls -a to see the directory. Next we type cat passwd, then copy and paste the results and save the file as passwd.txt inside the folder of john the ripper (go to /pentest/passwords/john and save the file there).
The next thing is to do the same thing with the shadow file…. But…. We don't have permission to access the file. As you can see, if we try sudo we get an error, so we can't access the server as bbanter. Well, we better plan another attack with hydra, but this time let's use a dictionary….
STEP THREE: Dictionary Attack with Hydra
To find a dictionary just go to /pentest/passwords/wordlist. There you will find a file called darkc0de.lst. To make things easier, move the file to the desktop and copy the contents to a text file (mine is dictionary.txt). This will make the command writing easier. Now we can focus only on the IT users, so we run the following command:
- hydra 192.168.1.100 ssh -l aadams -P dictionary.txt
Excellent! Now we can log in again with the user aadams@192.168.1.100 and the password nostradamus. This time we are able to log in, type cd /etc and cat shadow, and when we get the access denied message we can type sudo cat shadow, and this time we are able to get the shadow file. Now we can use john the ripper to crack all available passwords!
Now that we have the shadow and passwd files we can combine them to get a hash file that can be cracked with john the ripper. Visit this site to learn more about john http://www.openwall.com/john/ and of course type man john and read the manual… DO IT! To access john, type in your terminal cd /pentest/passwords/john… this will take you to the folder where john lives. Type ls -a and verify that both the passwd.txt and shadow.txt files are there, and make sure that you move the dictionary.txt file to this folder also. Now we type ./unshadow passwd.txt shadow.txt > hashes.txt, and with that we are combining both files so we can have the user info and its hash together, ready for cracking. To see it, type cat hashes.txt
Now all we need to do is call john along with our dictionary and tell it to attack the hashes.txt file. To do that we write the following instruction:
- ./john --wordlist=dictionary.txt hashes.txt
Now we wait until john works with the hash file. Here are the results:
As we can see we got two passwords that we already had, but we also got the root password! Now we can finally get into the machine as root and dig in to get the financial info from the CEO! Because we were successful in accessing the shadow file with the user aadams, we will log in again, invoke the su command and see if by using the tarot password we can actually become the root user:
STEP FIVE: Searching for the CEO financial information
We start moving around by using the ls -a command to see the directories available in order to find the CEO financial data (our last challenge). The first thing we should do is go to the home directory to see other folders / directories, and the one that pops up once we type cd .. and ls -a is the ftp directory, so when we dig in we find another directory. Once we are in that second folder we find something really interesting: a document with the word salary and the extension .enc
After googling around a little about the .enc file I found a couple of links that shed some light on what to do with the file to be able to decrypt it and read it:
After reading through I had another question I needed to answer: what was the type of cipher used? This time it was a Windows app that came to the rescue. I typically use an app called Secure Shell http://www.ssh.com to connect to unix / linux boxes from Windows, and I remembered that the app gave you the type of cipher used. So, I booted an XP machine and fired up Secure Shell; once connected it showed that the cipher used was -aes-128-cbc, so now I had all the data to crack the document.
In the end I was able to use the following command:
- openssl enc -<cipher> -d -in file.extension.enc -out file.extension -k password (with -aes-128-cbc as the cipher in our case)
- openssl: invokes the app
- enc: specifies the encryption subcommand; the cipher type follows it as a flag, e.g. -aes-128-cbc
- -d: decrypt instead of encrypt
- -in: the encrypted file (input)
- -out: the decrypted file you want (output)
- -k: password to decrypt the file
After the decryption I passed the new file into a text file and used the cat command to read it. To my delight I ended up with the financial information from the case scenario challenge, so it was game over with all challenges met!
As you can see this was an interesting challenge that we were able to do without fancy tools like Nessus or Metasploit. We used nmap, firefox, hydra, john the ripper and OpenSSL. With a good dose of research based on the output gained from nmap, the tools needed were easily deduced.
- Port 80 (http) – firefox – found possible user names
- Port 22 (ssh) – hydra – exploited the possible users so we could log in via ssh
Once in, we got the passwd and shadow files and cracked them with JTR, and finally, through research, OpenSSL was found to be an alternative for the decryption of the file. So all we needed was right there if you knew what you could explore based on open ports. The fundamentals always come to the rescue. But even though this attack seemed very easy, it's very dangerous because hydra produces a lot of noise as it tries password after password against the server. Remember, this is an online attack, not like john, which is offline. This makes it very easy to get caught by a system administrator. In a later post I will run the attack with wireshark capturing it so you can see all the noise that hydra creates on the network. Thanks for reading!
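To make the point about hydra's noise concrete, here is an added example (not part of the original write-up) that shows what the administrator's side of the hydra run in STEP TWO looks like: a small detector that reads sshd "Failed password" / "Accepted password" lines from auth.log, groups them per source address, and flags a burst of failures, especially one followed by a successful login. The log lines are constructed for this example; the usernames, the 192.168.1.111 attacker address and the "last name, initial" variants are taken from the scenario, the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not captured from the lab VM): a hydra-style
# burst from the attacker box cycling through user names, then a normal login.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 victim sshd[2101]: Failed password for invalid user banterb from 192.168.1.111 port 40001 ssh2
Mar  3 10:00:01 victim sshd[2102]: Failed password for invalid user adamsa from 192.168.1.111 port 40002 ssh2
Mar  3 10:00:02 victim sshd[2103]: Failed password for aadams from 192.168.1.111 port 40003 ssh2
Mar  3 10:00:02 victim sshd[2104]: Failed password for bbanter from 192.168.1.111 port 40004 ssh2
Mar  3 10:00:03 victim sshd[2105]: Failed password for root from 192.168.1.111 port 40005 ssh2
Mar  3 10:00:03 victim sshd[2106]: Accepted password for bbanter from 192.168.1.111 port 40006 ssh2
Mar  3 10:05:00 victim sshd[2110]: Failed password for aadams from 192.168.1.50 port 51000 ssh2
Mar  3 10:05:09 victim sshd[2111]: Accepted password for aadams from 192.168.1.50 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_log(text):
    """Return a list of (timestamp, result, user, src) for sshd password events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd password event
        # collapse the double space in "Mar  3" before parsing (year is irrelevant here)
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def find_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Map src -> report for sources with >= threshold failures inside one window.
    The report lists the user names tried and whether a login succeeded after the burst."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):
            burst = [e for e in fails[i:] if e[0] - fails[i][0] <= window]
            if len(burst) >= threshold:
                after = [e for e in evs if e[1] == "Accepted" and e[0] >= burst[-1][0]]
                hits[src] = {"failures": len(burst),
                             "users_tried": sorted({e[2] for e in burst}),
                             "success_after": after[0][2] if after else None}
                break
    return hits
```

Running find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)) flags only 192.168.1.111 and records that bbanter logged in right after the burst, which is the alert a sysadmin would want to act on.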