September 20, 2006

Point, click, root: System exploitation with open tools

Author: Shawn Hermans

IT managers face a problem determining what products and policies are best to properly secure their network. The problem with many security products is that it is hard to validate their claims. Penetration testing is a process for testing the security of networks by imitating an attacker. This process typically involves gathering information through Internet searches and other open sources, scanning and mapping the targeted network with tools like Nmap, determining vulnerabilities on targeted computers, and exploiting those computers. Conducting a successful penetration test involves a great deal of knowledge and a wide variety of software, including some of the following open source tools.

Password and login cracking

Passwords remain one of the weakest links in the security chain. People cannot be trusted to pick random passwords. According to a UK technology blog, the 10 most common passwords in the UK include '123,' '123456,' and 'password'. This list does not take into account other predictable passwords such as loved ones' birthdates and names. Even if people choose good passwords, they tend to reuse them. Studies show 67% of people use the same password across five or more applications and 32% use them for nine or more. As some sites still transmit login information unencrypted, one compromised password can easily lead to further compromise.

The easiest way to gain access to a password is to steal it. Older programs like FTP and Telnet do not protect passwords via encryption, so anyone who intercepts network traffic with those protocols can easily steal passwords. Programs like Wireshark enable easy capture of network traffic. If the attacker is on the same LAN, ARP spoofing can redirect all traffic on the same subnet to a single computer. If the attacker is outside the LAN, phishing is one of the most popular methods of gathering sensitive information including passwords. Key logging software installed on compromised computers or public computers provides another source of unencrypted passwords.

Secure protocols never send a plaintext (unencrypted) password as a form of authentication. Secure protocols typically send some sort of encrypted form of the password or encrypt something with the password as proof of knowing the password. Likewise, passwords stored on hard drives are kept as password hashes (a form of encryption) rather than as plaintext.

This does not mean protected forms of passwords are not useful to an attacker. Password cracking works by guessing possible passwords, hashing each guess, and comparing the result to the stolen password hash. Attackers can crack weak passwords using tools such as John the Ripper. Additionally, a flaw in the way Windows stores certain password hashes allows passwords of up to 14 characters to be cracked in minutes by looking the hashes up in tables of pre-computed password hashes.
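The following is an added example, not code from the article, showing why a pre-computed table makes unsalted hashes fall instantly and why a per-user salt defeats such tables. It uses SHA-256 and a constructed six-word dictionary as stand-ins; it is not the Windows hash format the paragraph refers to.

```python
import hashlib

# Constructed wordlist standing in for a real cracking dictionary (assumption).
WORDLIST = ["123", "123456", "password", "letmein", "qwerty", "s3cur3!Pass"]


def unsalted_hash(password: str) -> str:
    """Unsalted hash: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt: identical passwords yield different digests."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(words):
    """Pre-compute digest -> password once; every later lookup is O(1).

    This is the idea behind the pre-computed tables the article mentions:
    the hashing work is done ahead of time, not per stolen hash.
    """
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest):
    """Instant recovery of any unsalted hash of a dictionary word, else None."""
    return table.get(digest)


def crack_salted(digest, salt, words):
    """With a salt the table is useless: each guess must be rehashed with
    that user's salt, so the full per-guess cost is paid for every user."""
    for w in words:
        if salted_hash(w, salt) == digest:
            return w
    return None
```

Salting does not rescue a weak password (crack_salted still finds "password"); it only removes the shortcut of hashing the dictionary once for all users.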

A pen tester can crack a weak password without access to password hashes by guessing at the login interface. THC Hydra is a tool that automates the password guessing process. Hydra takes input from a file containing potential passwords and attempts each one. Hydra can parallelize the password guessing process to increase the number of guesses per second. The THC Hydra readme contains examples of how parallelization of password guessing can increase the cracking speed. The examples used a password file with 295 entries, with one of those entries being the valid password. Cracking FTP with one task takes an average of 46 minutes (comparable to entering passwords by hand), while using 128 parallel tasks takes only half a minute.
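Guessing at the login interface is loud: the 128-task run described above shows up as hundreds of failures in seconds from one client. As an added example (not part of the article), this detector flags a client/account pair once its failed logins within a one-minute window reach a threshold; the log format and the log lines are constructed, not real server output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines standing in for an FTP server's auth log (assumption);
# format: "<ISO timestamp> <client ip> <user> LOGIN <OK|FAIL>".
SAMPLE_LOG = [
    "2006-09-20T10:00:00 192.0.2.10 alice LOGIN OK",
    "2006-09-20T10:00:30 192.0.2.10 alice LOGIN FAIL",   # one typo, benign
    "2006-09-20T10:00:35 192.0.2.10 alice LOGIN OK",
] + [
    # 15 guesses in two seconds against one account: the signature of a
    # parallelised guessing run, not a user mistyping a password
    "2006-09-20T10:01:%02d 198.51.100.7 admin LOGIN FAIL" % (i // 8)
    for i in range(15)
]

THRESHOLD = 10                  # failures per (client, account) ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window


def parse(line):
    ts, ip, user, _login, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_guessing(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(ip, user): time the failure count in `window` first hit threshold}."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    alerts = {}
    for line in lines:            # lines are assumed to be in time order
        ts, ip, user, result = parse(line)
        key = (ip, user)
        if result == "OK":
            recent[key].clear()   # a successful login resets the counter
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts
```

The counter is keyed on (client, account), so a run spread over many source addresses against one account needs a second counter keyed on the account alone.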

Pen testing 101

Penetration testing, also known as pen testing, assesses vulnerabilities of information systems by using an independent third party to attempt to gain unauthorized access to an organization's system resources. Penetration testers utilize a variety of techniques and tools to gain access to systems, including social engineering, password cracking, network scanning, exploiting computer vulnerabilities, and dumpster diving.

Companies may be motivated to conduct third-party penetration tests on their networks by recent legislation and other pressures to increase network security. Section 404 of the Sarbanes-Oxley Act states that a corporation must assess the effectiveness of its internal controls. Similar laws, such as HIPAA, may motivate those in the medical industry to seek outside assessment of their information security. Additionally, financial losses due to network intrusions provide a monetary motivation for companies to evaluate their network security.

It is important to understand that there are legitimate and illegitimate reasons to use penetration testing tools. It is never acceptable to conduct a penetration test without explicit written authorization of a system's owner. The Computer Ethics Institute published the Ten Commandments of Computer Ethics as a guideline for computer security professionals. Some excerpts include:

  • Thou shalt not use a computer to harm other people.
  • Thou shalt not interfere with other people's computer work.
  • Thou shalt not use a computer to steal.
  • Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.

Penetration testing is not a replacement for other good security practices, such as formulating sound security policies, developing security metrics, training users in their role in securing the networks and conducting regular security audits.

Exploitation using buffer overflows

Sometimes more powerful techniques than password cracking are required to gain access to a network. Malicious programmers have used the buffer overflow for over two decades to break into computer systems. Faulty programs that do not properly check and limit input parameters are the cause of buffer overflows. Overflowing a buffer can cause a system to crash or can allow arbitrary command execution. The paper Smashing the Stack for Profit and Fun provided the first widespread introduction to the exploitation of buffer overflows on the PC platform and is still a great introduction to the subject.

Writing code to exploit buffer overflows requires detailed knowledge of processor architectures and the ability to write assembly code. The Metasploit Framework simplifies the development and exploitation of these vulnerabilities greatly by reducing the learning curve required. The Metasploit Web site summarizes its utility: Point. Click. Root.

The Metasploit Framework is an automated environment for creating, testing, and using exploit code. Its functionality is similar to commercial products such as Canvas and Core Impact, without the multi-thousand-dollar price tag.

Metasploit works by separating an exploit into two parts: a payload and exploit code. Because buffer overflow exploits are highly dependent on the underlying processor architecture and specific versions of software installed, exploit code typically will be effective only against specific versions of software. The payload, the action executed during system exploitation, is often useful against multiple versions of the targeted software. The default payloads included in Metasploit can spawn a remote screen viewer server on the victim's machine, associate a local shell to a listening port, generate a reverse shell back to the attacker's machine, or execute a command. Currently Metasploit includes more than 65 payloads, covering nine operating systems and four architectures. It contains close to 100 exploits, with the ability to add custom exploits.

The Metasploit Framework has three interfaces: a console, a command-line shell, and a Web-based interface. Each of the interfaces works in a similar manner. The first step is choosing an exploit from the list of available exploits. Descriptions and a list of vulnerable targets are included for each exploit. Once the attacker chooses an exploit, he can then select target-specific options such as the address of the remote host and the vulnerable port. The attacker chooses a payload to achieve the desired objective, and additional options may be required for each payload. After all this information is given, the attacker clicks a button and performs the desired exploit. If successful, the attacker can potentially gain complete control over the vulnerable system.

Penetration testing distributions

Many Linux distributions exist to conduct penetration testing. Instead of choosing which one is right for you, try them all in one DVD. SecureDVD is a live DVD distribution featuring the 10 best live distributions for penetration testing, forensics, and recovery. This distribution includes password cracking utilities, network scanners, tools for spoofing MAC and IP addresses, and exploitation code. It is a great resource for beginners to learn about penetration testing and a useful tool for the experienced pen tester.
