This weekend I got some time off and decided to build a small network environment that represented real-world security issues and their respective flaws. I may well use this environment to perform tactics and techniques than an attacker might carry out in order to compromise a target. As result I could practice, learn and perform offensive techniques. Then, among other things I use this knowledge to create effective defenses and have some fun!
To get the environment ready I used a refurbished Fortigate 100 box running FortiOS 4.0 . I only configured the basic settings such as IP addresses, routing, admin user and basic firewall rules allowing management access from Internet. I left the remaining settings by default. The setup consisted of a single-arm DMZ. The wan port connected to the internet and the internal port connected to the internal network. After having the network in place I needed an arsenal of tools that allowed me to perform offensive techniques. Kali Linux was my choice because this distribution brings the tools needed to execute the steps an intruder will eventually perform during an attack. This machine was positioned in the wan side of the setup.
With the environment ready I could start. The admirable Ed Skoudis describes the anatomy of an attack as a 5 step model. The steps are reconnaissance, scanning, exploit, keeping access and covering tracks .
So, let’s start with scanning phase. By knowing your target you can go directly into the scanning phase. Here the goal is to find any open ports, which services are they offering and which operating systems are they running.
To do this I used the well known and very popular open source tool for network exploration and security auditing called Nmap created by Fyodor. This tool is so popular that was even briefly shown in movies like Elysium where it is used to port scan Matt Damon’s augmented brain before transferring the data he carries in an attempt to hack the space station. Or The Matrix Reloaded, where Trinity scanned the city power grid to find a vulnerable SSH server.
Fiction apart, I started by launching Nmap using the TCP connect technique (-sT) which performs a 3 way handshake to verify if a TCP port is opened. Skipped DNS resolution (-n) and skipped host discovery (-Pn) which is used to determine if a host is alive in order to optimize the speed when scanning large volume of IP addresses.
The output resulted in two open TCP ports. Then I used this knowledge and executed the next scan in order to determine the service behind the open ports (-sV). This scan was able to tell that the service running on TCP port 443 was a Fortgate firewall http config.
root@linux:~# nmap -n -sT -Pn admin.ville.com Starting Nmap 6.40 ( http://nmap.org ) at 2014-05-11 14:45 EDT Nmap scan report for admin.ville.com Host is up (0.00058s latency). Not shown: 997 filtered ports PORT STATE SERVICE 22/tcp open ssh 443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 6.26 seconds
root@linux:~# nmap -n -sV -Pn admin.ville.com -p 443 Starting Nmap 6.40 ( http://nmap.org ) at 2014-05-11 14:45 EDT Nmap scan report for admin.ville.com Host is up (0.00022s latency). PORT STATE SERVICE VERSION 443/tcp open ssl/http Fortinet FortiGate 50B or FortiWifi 80C firewall http config Service Info: Device: firewall; CPE: cpe:/h:fortinet:fortiwifi:80c Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.62 seconds
Now that I had knowledge about the end system the next step was to gain access. Gaining access to a particular system depends on several factors including the architecture, its configuration and the level of access. In this case I had access to the management interface of the firewall so I could try to break in.
When connecting to the TCP port 443 using HTTPS, I was presented with the login page. Here I could try to guess the default password, but FortiOS does not has a default password. By reading the vendor documentation I knew the administrator is prompted to change his password during the initial configuration. I also assumed the user name was “admin” because it is unusual to change this user. So, I only needed the password. To achieve this I used a technique to do login attempts using a list of common passwords. However, this could easily become an issue because by default when the admin user fails 3 consecutive attempts, the Fortigate will lock the account for 60s. In a small business environments where the systems are normally configured by one person who is overloaded and responsible to get the job done for the all IT systems this is likely not to be changed because there are more important things to do. Even though this slows down an attacker, it does not stop him from trying. The other thing is that by default these small Fortigate appliances don’t log system or traffic related stuff into memory and because they do not contain a hard disk one will miss important system log related information. This is an advantage for the attacker who could slip under the radar. This could be easily corrected by a diligent sysadmin using a syslog server or a similar monitoring system.
So, next I needed to know how was the HTTP authentication mechanism constructed. In order to understand how the front-end authentication mechanism worked I accessed the URL through the lens of a proxy like Paros. In this case I used Firefox tamper plugin data which allows access to the details needed. I could see that the authentication uses an HTTP POST request with a set of parameters submitted in clear text. These were all the ingredients needed to launch an automated brute force login attempt.
Looking at my arsenal of tools I decided to use THC Hydra written by van Hauser. A great tool that can guess passwords in a very fast fashion across many different network services. This tool is more than 10 years old and version 8.0 was just released.
So, I used Hydra to perform a dictionary based attack against admin.ville.com using the https-form module. To get a help page for this or any other modules on hydra, one can use -U e.g., hydra https-post-form -U.
The command line might look a little cryptic in the beginning but it consists of:
- <url>:<form parameters>:<condition string> .
Url is the /loginpage. Then the form parameters are the POST parameters captured using Firefox tamper data tool. The username and secretkey parameters have their values replaced by the “^USER^” and “^PASS^” which allows Hydra to substitute it to whatever word it would read from the dictionary. Then follows a condition string to check how a successful login will look like. In this case if an authentication request is successful the HTTP response will contain a Set-Cookie header. Then a static user is used (-l admin) following a dictionary list of words to be used as passwords (-P /usr/share/wordlists/fasttrack.txt). The other parameters are : show login and password combination (-V), exit after the first found login/password pair (-f), execute a task with 3 connections in parallel (-t 3) and wait 61s between each connection task.
A task consisting of 3 connections attempt with a pause of 61s between each task was chosen in order to avoid the account to be locked using the default Fortigate admin lock threshold settings. Of course this will be very time consuming exercise and might require weeks or months to find a password using a big wordlist. However, in this case Hydra was able to found a password after 30m due to a common password.
root@linux:~# hydra admin.ville.com https-post-form "/logincheck:username=^USER^&secretkey=^PASS^&ajax=1:S=Set-Cookie" -l admin -P /usr/share/wordlists/fasttrack.txt -V -f -t 3 -W 61
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only Hydra (http://www.thc.org/thc-hydra) starting at 2014-05-17 18:22:54 [DATA] 3 tasks, 1 server, 126 login tries (l:1/p:126), ~42 tries per task [DATA] attacking service http-post-form on port 80 [ATTEMPT] target admin.ville.com - login "admin" - pass "P@55w0rd!" - 34 of 126 [child 0] [ATTEMPT] target admin.ville.com - login "admin" - pass "P@ssword!" - 35 of 126 [child 2] [ATTEMPT] target admin.ville.com - login "admin" - pass "Password!" - 36 of 126 [child 1] [STATUS] 1.64 tries/min, 36 tries in 00:22h, 90 todo in 00:56h, 3 active [STATUS] 1.57 tries/min, 36 tries in 00:23h, 90 todo in 00:58h, 3 active [www-form] host: admin.ville.com login: admin password: P@55w0rd! [STATUS] attack finished for admin.ville.com (valid pair found) 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2014-05-17 18:46:29
Next, with access to the system I might want to continue exploiting other systems to find valuable information such as other passwords in the system which might allow me to establish foothold and strengthen my position. With access to the system I could look to see any other users which were configured in the system.
FG100A# get system admin
name: admin name: JulesArgent name: ColeGannon name: DoubleTrouble
FG100A # show system admin admin set password ENC AK1VW7boNstVjM36VO5a8tvBAgUJwLjryl1E+27F+lOBAE=
FG100A # show system admin ColeGannon set password ENC AK1OtpiTYJpak5+mlrSoGbFUU60sYMLvCB7o/QOeLCFK28=
FG100A # show system admin DoubleTrouble set password ENC AK1P6IPcOA4ONEoOaNZ4xHNnonB0q16ZuAwrfzewhnY4CU=
Then, with valid credentials and their respective hashes I could attempt to crack them.. To accomplish this, I launched an offline dictionary attack followed by a brute force attack against the hashes using Hashcat – An extremely fast and powerful password cracking tool made by Atom. The command was executed to run a dictionary attack (-a 0) with the hashing algorithm type Fortinet (-m 7000) using the well known rockyou wordlist containing over 14 million passwords.
root@kali:/tmp# hashcat -a 0 -m 7000 ville.hash /usr/share/wordlists/rockyou.txt Initializing hashcat v0.47 by atom with 8 threads and 32mb segment-size... Added hashes from file fortinet: 3 (3 salts) NOTE: press enter for status-screen
Input.Mode: Dict (/usr/share/wordlists/rockyou.txt) Index.....: 5/5 (segment), 553080 (words), 5720149 (bytes) Recovered.: 2/3 hashes, 2/3 salts Speed/sec.: 8.10M plains, 8.10M words Progress..: 553080/553080 (100.00%) Running...: --:--:--:-- Estimated.: --:--:--:--
Started: Sat May 17 13:44:34 2014 Stopped: Sat May 17 13:44:38 2014
This attack is very effective and fast. But, not all passwords are on the dictionary file. As result I could continue with a brute force technique to pursue the extraction of remaining password. The second command was executed to run a brute force attack (-a 3) with the hashing algorithm type Fortigate (-m 7000) and to try using a charset that contains all upper-case letters, all lower-case letters and all digits (?a) for the maximum size of 9 characters. In a matter of days/weeks the password could be broken.
root@kali:/tmp# hashcat -a 3 -m 7000 ville.hash ?a?a?a?a?a?a?a?a?a --pw-min=1 Initializing hashcat v0.47 by atom with 8 threads and 32mb segment-size... Added hashes from file fortinet: 1 (1 salts) Activating quick-digest mode for single-hash with salt
NOTE: press enter for status-screen
Input.Mode: Mask (?a?a?a?a?a)  Index.....: 0/1 (segment), 7737809375 (words), 0 (bytes) Recovered.: 0/1 hashes, 0/1 salts Speed/sec.: - plains, 21.54M words Progress..: 1284549568/7737809375 (16.60%) Running...: 00:00:00:59 Estimated.: 00:00:04:59
Now, lets summarize the mistakes made by Ville.com so one perhaps learn from their errors and omissions.
Mistake #1 – Ville.com was not filtering incoming traffic to the management interface of its firewall. By allowing any IP address from the Internet to connect to the management interface Ville.com was exposed to a variety of attacks. A Nmap scan easily revealed the open ports and services associated with the ports. If there is a strong reason for someone to be able to do remote administration then the system should be configured with a list of trusted hosts and its configuration should be reviewed by someone who understands security.
Mistake #2 : A common password based on dictionary with default account lock-out settings was used. This made an dictionary based attack easy to pull off using THC Hydra tool. Ville.com should consider applying as countermeasure to prevent such attacks a strong password or pass-phrase. Make sure is at least 12 characters long with a combination of numbers, upper and lower case letters plus special characters. Furthermore, passwords should be changed often. Other than that whenever possible use a second factor authentication methods such as Token, SMS or e-mail.
Mistake #3 : Ville.com was not using any kind of central logging system that would allow one to easily identify the password guessing attack. Further would allow a diligent sysadmin to do log review and identify abnormal activity even in case the attacker would attempt to cover its tracks.
Even though there are plenty of books and open source information that describe the methods and techniques demonstrated, the environment was built from scratch and allows to learn or reinforce techniques. The tools and tactics used are not new. However, they are relevant and used in today’s attacks. Likewise, one can learn, practice and look behind the scenes to better know them and the impact they have. Part II will follow with more steps and how an attacker might increase its foothold , strengthen its position and move laterally.