Tools For Penetration Tests: Carlo U. Nicola, HT FHNW With Extracts From Documents Of: Google Wireshark Nmap Nessus
Foot-printing means collecting the profile of the target that is openly accessible on the Internet.
What information are we interested in?
A non-exhaustive list:
1. Domain names,
2. Contact persons,
3. Interesting pairs (hostname, IP address) connected with the company's name,
4. IP address blocks,
5. Internal system configurations.
NS HS11 3
Foot-printing: Domain names (1) + (2)
A versatile test tool: Google
Google in the early foot-print phase
Below are some questions that are best answered with the search operators Google supports in its queries:
The Google main operators
Email addresses
Information in cache
Original:
http://64.233.187.104/search?q=cache:Z7FntxDMrMIJ:www.phrack.org/hardcover62/+phrack+hardcover62&hl=en
Cached text only:
http://64.233.187.104/search?q=cache:Z7FntxDMrMIJ:www.phrack.org/hardcover62/+phrack+hardcover62&hl=en&lr=&strip=1
Rough network mapping with Google
External links
Vulnerabilities: Google Dorks (1)
Vulnerabilities: Google Dorks (2)
<Dork>"Online Store - Powered by ProductCart"</Dork>
<Category>Advisories and Vulnerabilities</Category>
<Query>"Online Store - Powered by ProductCart"</Query>
<Comment>ProductCart is "an ASP shopping cart that combines
sophisticated ecommerce features with time-saving
store management tools and remarkable ease of use.
It is widely used by many e-commerce sites".
Multiple SQL injection vulnerabilities have been
found in the product; they allow anything from
gaining administrative privileges (bypassing the
authentication mechanism) to executing arbitrary
code.
http://www.securityfocus.com/bid/8105
(search SF for more)
</Comment>
Google: SQL vulnerability
Query: "executeQuery(" ".getParameter("
Google: DB SQL vulnerability
Query: "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'" filetype:asp
Foot-printing: IP ranges
The question of which IP addresses are assigned to the company is best
answered by searching the database of the RIR (Regional Internet Registry). In
Europe we query http://www.ripe.net and for North America
http://www.arin.net .
For the query one needs only a single correct IP address belonging to the
company. A simple way to get it is via nslookup fhnw.ch:
C:\Documents and Settings\ulisse>nslookup fhnw.ch
…
Non‐authoritative answer:
Name: fhnw.ch
Address: 147.86.3.160
Foot-printing: DNS query
Name servers are responsible for mapping domain names to IP addresses. A
DNS query via dig tells more than that: it reveals the names and IP
addresses of important parts of the company's infrastructure (e.g. those of
the mail servers).
ulisse@beaver:~$ dig fhnw.ch
; <<>> DiG 9.7.0-P1 <<>> fhnw.ch
...
;; QUESTION SECTION:
;fhnw.ch. IN A
;; ANSWER SECTION:
fhnw.ch. 28 IN A 147.86.3.160
...
DNSSEC:N
Name servers:
ns.inwx.de
ns1.fhnw.ch [147.86.3.20]
ns2.fhnw.ch [147.86.3.21]
Foot-printing: automated DNS query
Scanning
Scanning: Network structure
ulisse@beaver:~$ traceroute -q 1 www.fhnw.ch
traceroute to www.fhnw.ch (147.86.3.160), 30 hops max, 60 byte packets
 1 10.212.136.1 (10.212.136.1) 1.287 ms
 2 nd41u101-sta-vl3213.net.fhnw.ch (10.212.16.33) 3.039 ms
 3 nc40u101-sta-vl3113.net.fhnw.ch (10.212.16.17) 1.516 ms
 4 nca0e001-sta-vl3113.net.fhnw.ch (10.218.0.17) 2.147 ms
 5 nda0e001-sta-vl3113.net.fhnw.ch (10.218.0.18) 1.986 ms
 6 *
 7 *
Scanning: traceroute from int. host to external
Output of: traceroute -q 1 www.ethz.ch
ulisse@beaver:~$ traceroute -q 1 www.ethz.ch
traceroute to www.ethz.ch (129.132.19.220), 30 hops max, 60 byte packets
 1 10.212.136.1 (10.212.136.1) 6.655 ms
 2 nd41u101-sta-vl3213.net.fhnw.ch (10.212.16.33) 2.251 ms
 3 nc40u101-sta-vl3113.net.fhnw.ch (10.212.16.17) 2.153 ms
 4 nca0e001-sta-vl3113.net.fhnw.ch (10.218.0.17) 2.618 ms
 5 nda0e001-sta-vl3113.net.fhnw.ch (10.218.0.18) 2.515 ms
 6 nfa0e002-sta.net.fhnw.ch (10.218.0.252) 2.402 ms
 7 nda0e001-sin-vl4064.net.fhnw.ch (193.73.125.14) 12.274 ms
 8 unibi7-vl-501.urz.p.unibas.ch (192.43.192.213) 3.674 ms
 9 swiba2.urz.p.unibas.ch (192.43.192.196) 5.537 ms
10 swiez2-10ge-5-4.switch.ch (130.59.37.105) 5.375 ms
11 rou-gw-rz-tengig-to-switch.ethz.ch (192.33.92.1) 5.281 ms
12 rou-fw-rz-rz-gw.ethz.ch (192.33.92.169) 4.453 ms
13 * * till hop 30
Scanning: hping3 (1)
hping3 allows tracing a route to a machine using UDP, TCP or ICMP probes.
Thus we can trace the route to a host using a TCP SYN probe to port 80.
ulisse@beaver:~$ hping3 --ttl 1 --traceroute --destport 80 --syn lis.technik.fhnw.ch
HPING lis.technik.fhnw.ch (eth0 147.86.20.21): S set, 40 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=192.168.1.1 name=UNKNOWN
hop=1 hoprtt=0.6 ms
hop=2 TTL 0 during transit from ip=85.3.128.1 name=zhhia00p-adsl15.bluewin.ch
hop=2 hoprtt=13.0 ms
hop=3 TTL 0 during transit from ip=213.3.247.190 name=net1701.zhhia00p-rtdi02.bluewin.ch
hop=3 hoprtt=12.8 ms
hop=4 TTL 0 during transit from ip=213.3.247.189 name=net1701.zhhdz09p-rtdi02.bluewin.ch
hop=4 hoprtt=12.6 ms
hop=5 TTL 0 during transit from ip=195.186.0.198 name=198-0-186-195.bluewin.ch
hop=5 hoprtt=12.7 ms
hop=6 TTL 0 during transit from ip=138.187.129.113 name=i79zhb-025-bun1.bb.ip-plus.net
hop=6 hoprtt=15.1 ms
Scanning: hping3 (2)
hping3 options used in the example:
1. --ttl 1: start with the TTL set to 1;
2. --traceroute: increment the TTL for every subsequent probe;
3. --destport 80: set the destination port;
4. --syn: set the SYN flag in the TCP header.
FHNW network so far
[Network diagram (figure): the addresses collected so far, from the client subnet 10.212.136.0/24 through the internal hops 10.212.16.33, 10.212.16.17, 10.218.0.17, 10.218.0.18 and 10.218.0.252, the DNS server 10.51.2.32, the hops 193.73.125.14 and 192.43.192.222, the UB and Switch networks, and the Internet side at 138.187.129.113; lis.technik.fhnw.ch is 147.86.20.21]
nmap
nmap: network exploration tool
Download: http://www.insecure.org/nmap/
(3) TCP SYN (half open)
(6) ICMP (ping sweep)
(9) Xmas Tree (FIN, URG, PSH flags set)
(12) Null Scan (FIN, URG, PSH, RST, ACK, SYN flags not set)
nmap: functionality (2)
nmap: lab conditions
Scanning: network’s mapping
Scanning: ports open/closed (1)
Scanning: ports open/closed (3)
Scanning: OS detection (1)
Scanning: OS detection (2)
Scanning: vulnerability assessment
Scanning: vulnerability checkers
Vulnerability checker tool: Nessus
What does Nessus do?
What does Nessus check for?
Traffic shaping and Intrusion Detection Systems (IDS)
Traffic shaping
Traffic shaping functions
PacketShaper classification
[Classification figure: traffic classes such as Gnutella and Real, and the switches between them]
A partition:
→ Creates a virtual pipe within a link for each traffic class;
→ Provides a minimal and a maximal bandwidth for each class;
→ So it enables efficient use of the bandwidth.
PacketShaper report: HTTP
[Report figure: two panels, "No Shaping" and "Shaping"]
Host and network intrusion detection
Intrusion prevention:
1. Network firewall:
→ Restrict flow of packets (see firewall slides);
2. System security:
→ Find buffer overflow vulnerabilities and remove them!
Intrusion detection:
1. Discover system modifications:
→ Tripwire
2. Look for attacks in progress:
→ Network traffic patterns
→ System calls, other system events
Tripwire
How to outsmart Tripwire
How to detect modified binary in memory
Code's example and its relevant automaton
Code (completed with the headers and types it needs to compile):

    #include <fcntl.h>
    #include <stdlib.h>
    #include <unistd.h>

    void f(int x) {
        x ? getuid() : geteuid();   /* one of two system calls, chosen at run time */
        x++;
    }

    void g(void) {
        int fd = open("foo", O_RDONLY);
        f(0); close(fd); f(1);
        exit(0);
    }

Automaton (system-call model) nodes: Entry(g), open(), Entry(f), getuid(), geteuid(), Exit(f), close(), exit(), Exit(g).
From Entry(g) the model passes through open(), enters f (Entry(f), then either getuid() or geteuid(), then Exit(f)), continues with close(), enters f a second time, and finishes with exit() and Exit(g).
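The automaton above, simulated as an NFA over system-call traces (an added example, not from the slides). Entry/Exit nodes are epsilon transitions; the intermediate state names g1..g4 are my own, and the model is the callgraph model of Wagner and Dean (2001), which has no call stack.

```python
# Added example (not from the slides): the callgraph automaton for g() and f()
# above, simulated as an NFA over system-call traces. Entry/Exit nodes are
# epsilon (no syscall) transitions; the state names g1..g4 are assumed.
from collections import deque

SYSCALL_EDGES = {
    ("Entry(g)", "open"):    "g1",
    ("Entry(f)", "getuid"):  "Exit(f)",
    ("Entry(f)", "geteuid"): "Exit(f)",
    ("g2", "close"):         "g3",
    ("g4", "exit"):          "Exit(g)",
}
# Epsilon edges: each call site jumps to Entry(f); Exit(f) returns to *every*
# call site's continuation, because the callgraph model keeps no stack.
EPSILON_EDGES = {
    "g1":      {"Entry(f)"},
    "g3":      {"Entry(f)"},
    "Exit(f)": {"g2", "g4"},
}

def epsilon_closure(states):
    """All states reachable from `states` without consuming a syscall."""
    seen, todo = set(states), deque(states)
    while todo:
        for nxt in EPSILON_EDGES.get(todo.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def accepts(trace):
    """True if the syscall sequence is consistent with the automaton for g()."""
    current = epsilon_closure({"Entry(g)"})
    for call in trace:
        current = epsilon_closure({SYSCALL_EDGES[(s, call)]
                                   for s in current if (s, call) in SYSCALL_EDGES})
        if not current:
            return False          # no state can consume this call: anomaly
    return "Exit(g)" in current

if __name__ == "__main__":
    # The real trace of g(): f(0) -> geteuid, f(1) -> getuid.
    print(accepts(["open", "geteuid", "close", "getuid", "exit"]))   # True
    # A call f() never makes is rejected.
    print(accepts(["open", "read", "close", "getuid", "exit"]))      # False
    # Imprecision: Exit(f) may "return" to the second call site right after
    # the first call, so this impossible path is accepted. Wagner and Dean's
    # abstract-stack model exists to close this gap.
    print(accepts(["open", "getuid", "exit"]))                       # True
```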
General intrusion detection
http://www.snort.org/
Example of misuse that leads to detection: rootkit
A typical rootkit sniffs the network for passwords:
– It is a collection of programs that allow an attacker to install and
operate a packet sniffer (on Unix machines).
rootkit attack:
– Use a stolen password or a dictionary attack to get access as a
legitimate user;
– Get root access using vulnerabilities in rdist, sendmail,
/bin/mail, loadmodule, rpc.ypupdated (NIS, Network
Information Service, database), lpr, or passwd;
– Via ftp the rootkit is uploaded to the host, unpacked,
compiled, and installed;
– It then collects more username/password pairs and
moves on.
Rootkit covers its tracks
It modifies netstat, ps, ls, du, ifconfig, login:
– The modified binaries hide the new files used by the rootkit;
– The modified login allows the attacker to return and fish for new passwords.
Detecting rootkit on system
Detecting network attack (Sept. 2003)
Symantec honeypot running Red Hat Linux 9.
Attack
– Samba ‘call_trans2open’ Remote Buffer Overflow (BID 7294)
– Attacker installed a copy of the SHV4 Rootkit
Snort NIDS generated alerts against this attack from its standard rule
signature:
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( \
msg:"NETBIOS SMB trans2open buffer overflow attempt"; \
flow:to_server,established; \
content:"|00|"; offset:0; depth:1; \
content:"|ff|SMB|32|"; offset:4; depth:5; \
content:"|0014|"; offset:60; depth:2; \
... )
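How the three content checks of the rule above are evaluated, as an added example that is not from the slides or from Snort itself. It assumes Snort's documented semantics that offset and depth are counted from the start of the TCP payload; the packets it runs over are constructed and carry only the bytes the rule inspects.

```python
# Added example (not from the slides): a minimal re-implementation of the
# content/offset/depth checks in the Snort rule above, run over constructed
# byte buffers. Assumed Snort semantics: offset and depth are measured from
# the start of the payload, and each pattern must occur inside that window.

RULE_CONTENTS = [
    # (pattern, offset, depth) exactly as written in the rule
    (b"\x00", 0, 1),              # NetBIOS session message type 0x00
    (b"\xffSMB\x32", 4, 5),       # SMB magic followed by command 0x32 (TRANS2)
    (b"\x00\x14", 60, 2),         # the two bytes the signature expects at 60
]

def content_matches(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """True if `pattern` occurs within payload[offset:offset+depth]."""
    window = payload[offset:offset + depth]
    return len(window) >= len(pattern) and pattern in window

def rule_matches(payload: bytes) -> bool:
    """Every content check must succeed for the rule to raise an alert."""
    return all(content_matches(payload, p, o, d) for p, o, d in RULE_CONTENTS)

def build_sample(command: int, marker: bytes) -> bytes:
    """Constructed payload: NetBIOS header, SMB header with `command`, zero
    padding, and `marker` at offset 60. Only the inspected fields are set."""
    buf = bytearray(62)
    buf[4:9] = b"\xffSMB" + bytes([command])
    buf[60:62] = marker
    return bytes(buf)

def evaluate_samples() -> dict:
    """Run the rule over one matching and three non-matching payloads."""
    return {
        "trans2_with_marker": rule_matches(build_sample(0x32, b"\x00\x14")),
        "trans2_other_marker": rule_matches(build_sample(0x32, b"\x00\x01")),
        "other_command": rule_matches(build_sample(0x25, b"\x00\x14")),
        # too short: the window at offset 60 is empty, so no match
        "short_packet": rule_matches(b"\x00\x00\x00\x10\xffSMB\x32"),
    }

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} alert={hit}")
```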
Anomaly Detection
Basic idea:
→ Monitor network traffic, system calls;
→ Compute statistical properties;
→ Report errors if the statistics lie outside an empirically established range.
Example: IDES (Denning, SRI)
→ For each user, store the daily count of certain activities
• E.g., the fraction of hours spent reading email.
→ Maintain a list of counts for several days;
→ Report an anomaly if a count is outside the weighted norm.
The crux is that the most unpredictable user is the most dangerous.
Anomaly: sys calls' sequences
Build traces during a normal run of the program:
• Example of the program's (good) behaviour (sys calls): open read write open mmap write fchmod close
• Sample traces are stored in a file as sequences of 4 calls:
open read write open
read write open mmap
write open mmap write
open mmap write fchmod
mmap write fchmod close
• Report an anomaly if, for example, the following sequence is observed:
open read read open mmap write fchmod close
Compute the number of mismatches to get the mismatch rate.
[Figure: profile model/pattern; discrepancy classified as acceptable or illegal; match classified as statistical or structural]
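The profile-and-mismatch procedure of this slide carried through on its own two traces, as an added example that is not from the slides. It follows the sliding-window method of Forrest and Hofmeyr (sequences of system calls) with the window length 4 the slide uses; both traces are constructed from the text above.

```python
# Added example (not from the slides): build the 4-call sequence profile from
# the normal trace and score the observed trace by its mismatch rate, as in the
# sequences-of-system-calls method of Forrest and Hofmeyr.
WINDOW = 4

# Constructed from the slide's own example traces.
NORMAL_TRACE = "open read write open mmap write fchmod close".split()
OBSERVED_TRACE = "open read read open mmap write fchmod close".split()

def ngrams(trace, n=WINDOW):
    """Sliding windows of n consecutive calls, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def build_profile(traces, n=WINDOW):
    """The set of every n-call sequence seen during normal runs."""
    profile = set()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return profile

def mismatched_windows(profile, trace, n=WINDOW):
    """The windows of `trace` that never occurred during training."""
    return [w for w in ngrams(trace, n) if w not in profile]

def mismatch_rate(profile, trace, n=WINDOW):
    """Returns (mismatches, total_windows, rate); rate is 0.0 for short traces."""
    total = len(ngrams(trace, n))
    misses = len(mismatched_windows(profile, trace, n))
    return misses, total, (misses / total if total else 0.0)

if __name__ == "__main__":
    profile = build_profile([NORMAL_TRACE])
    for w in sorted(profile):
        print("profile:", " ".join(w))
    misses, total, rate = mismatch_rate(profile, OBSERVED_TRACE)
    print(f"{misses}/{total} windows unseen, mismatch rate {rate:.2f}")
    for w in mismatched_windows(profile, OBSERVED_TRACE):
        print("mismatch:", " ".join(w))
```

The single duplicated "read" in the observed trace taints the three windows that contain it, so the rate reports 3 of 5 windows as unseen even though the two traces differ in one call.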
Example: strategic intrusion assessment (Lunt 1999)
Appendices
Appendix A: How to attach an IDS to a LAN
Appendix B: Packet analysis (1)
Appendix B: Packet analysis (2)
Appendix B: Packet analysis (3)