Tutorial: Finding and Exploiting Vulnerabilities (Nessus and Python)

In this tutorial and accompanying video, I will show you how to use the Nessus Vulnerability scanner, which was discussed in my last post, to search for a vulnerable host/peer, determine its level of vulnerability, and then use Python to write a Proof-of-Concept exploit that automates the exploitation process. We will be enumerating my default gateway, a Cisco Linksys wrt54g router with DD-WRT firmware as our target system.

For this demonstration, I am using a scan policy named “Default Gateway Scan” which has all families of plugins disabled except for “Cisco” and “Web Servers”. The vulnerability we are exploiting is one that is associated with the 3rd party firmware I have installed. As the video shows, you login to Nessus (if you don’t have it installed you can refer to my previous post on Nessus) then select a scan policy, enter your target’s address, and hit “Submit”.

In the video the scan process itself was already completed due to time-constraints, but the premise is you enter in all your options and hit “Submit”, then just wait for the magic to happen. As I stated, when the scan completes, your scan will move from the “Scans” tab to the “Reports” tab. We see that one of the results is listed with a high severity level! This is for good reason, as we can execute any command we want to without being authenticated whatsoever!

The Python script simply asks for the target’s address, the port number, the command you want to execute, and finally the number of times to relaunch the exploit code. A simple modification of the “while” statement can also allow it to loop indefinitely. See the video for more details on the code portion of this attack.

Anyhow I found this vulnerability scanning around for fun at home. Who knew I’d find such a gaping hole! Regardless it isn’t that big of a deal seeing as how I use WPA2 on my home LAN.

 

The Nessus Vulnerability Scanner

In playing around with various apps on early releases of the Back|Track Linux distribution, one really caught my attention, Nessus. Nessus was originally an open-source scanner framework with a registered home feed that was free of charge for home users, and a commercial feed that could be accessed with a commercial license. It is now closed-source, but can still be used free for home use and still allows tons of plugins to be grabbed from the feed for numerous vulnerabilities. In my opinion, Nessus is by far the best vulnerability scanner you are going to find for hobby use without spending a fortune! In fact if you are a home user like me, you won’t spend anything!

Nessus allows you to not only scan services for vulnerabilities, it can do a number of other things:

• perform port scanning and thorough version detection
• attempt login bruteforcing via THC-Hydra plugins for penetrating FTP, SMTP, HTTP, SSH and others
• scan for OS-specific vulnerabilities such as those specific to Windows, Ubuntu, Suse, and Solaris platforms
• scan for local exploits and vulnerabilities
• test for DoS atacks, (Denial of Service)
• scan for bad configuration settings
• DNS vulnerabilities

Nessus previously used a daemon server and a standalone client, but now just uses the nessusd daemon and the web browser interface which listens on port 8834 on the localhost. To get started using Nessus, go to http://www.nessus.org and download the release for your system. If you are using the latest version of Back|Track, Nessus is no longer included as part of the release but you can go here to see an install guide.

Once you install Nessus and get it up and running, you must create a user with a username and password to use to login when you want to use the scanner. Also, you must request a plugin feed key by registering on this site. Once this is done, you register the program and Nessus will download the latest version of the plugin database for you to use. All of this is covered in various online user guides which you can find here.

To get Nessus up and running, fire up the daemon and give Nessus time to load all the plugins. After a few minutes, login with the credentials for the user you created. Now, it is time to create a template by selecting the “Policies Tab”. You can name the policy and add a description so that you can reuse it on future vulnerability scans. The Plugins submenu under “Policies” allows you to customize your scan type right down to each individual plugin and setting, or you can simply enable all or disable all and enable one by one those which you want to test for. Examples of categories are things like Backdoors, Denial of Service, Cisco, Misc, General, Firewalls, P2P File Sharing, CGI Abuses, etc.

Once you have a policy configured to use, you select the “Scan” tab. Here you can add a scan and give it a name, then specify an address or list of addresses by simply typing them in or using an address file.  When you are all set, hit the submit button and let it work its magic!

When the scan completes, it will no longer show up under scans, look under reports and double click the scan name. Here, Nessus will present you with a summary of everything it finds, usually listed by port number or service. It will also tell you the If many items are returned, you can even click above each column to sort the results by the severity level, port number, and so on. In looking through the list of notifications it returned, you can click on an entry to get more details. Often, Nessus will provide you with a URL linking to a whitepaper, blog, or forum post which tells you the nitty-gritty details on the advisory or vulnerability.

Making the Secure, More Insecure: Wireless Cracking with GPU Based Implementations

This article will talk about the possibilities of using a Graphics Processing Unit hardware implementation to crack secure protected wi-fi security mechanisms, and also other passwords and encryption schemes with speeds many times faster than seen with traditional CPU based methods. First, here is a brief description of the most commonly used security protocols seen on wireless networks.

WPA and WPA2-PSK are two of the strongest 802.11 security mechanisms available  to SOHO users, as well as many medium to large corporate networks. We all know about the weaknesses associated with the RC4 algorithm, namely WEP’s implementation of it. Packets can be intercepted, replayed, and the key deduced using open-source utilities specifically designed to crack it. So what is the big deal about WPA?

WPA was suppose to be only a temporary fix for the flaws found in WEP. WPA still implemented RC4 for its encryption mechanism, but uses Temporal Key Integrity Protocol (TKIP) to combine the IVs with the secret key using a mixing function before transmission. TKIP also uses dynamic key mechanisms which routinely changes the key during a session. Basically, the idea is a session can’t be hacked before the key changes again.

WPA2 is the true successor of WEP, and falls into the 802.11i standard. From the name, it would seem that WPA2 is the second version of WPA, but this isn’t the case. They are two very different protocols. WPA2 allows for key caching, Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CMAP), and uses AES to replace TKIP. Administrators can still choose to use TKIP if they need legacy functionality, but AES is considered much more secure. The question is, how secure?

Traditionally speaking, bruteforce attacks were limited to the CPU processing abilities of the attacker’s system. Now, GPU attacks are really starting to hit the mainstream cracking community. A Graphics Processing Unit, or GPU is a special microprocessor that takes graphics rendering away from the processor and handles the load itself. Some clever mind out there knew that GPUs were notoriously powerful, and apparently said to himself “Hey, I bet we could use the processing power of one of these things to crack passwords or encryption keys!” I’m sure you see where this is going. I won’t go into the details about how GPUs specifically work, because hardware and device drivers is not one of my areas of expertise. Here are some figures I found one the website of one GPU cracking solution, I will however give you  to ponder over. These are the number of passwords each hardware solution can compute per second with GPU technology:

Intel Core i7 920:                                   4,000 per second
GTX 295:                                                 2,ooo per second
GTX 480:                                                30,000 per second
ATI HD5970:                                         103,000 per second

As you can tell, this is a huge difference. Perhaps most disturbing is that the i7 processor is no small potatoes. The laptop I am using to write this is relatively new, and I assure you it isn’t close to being on the same level as the i7!

Keep in mind of course, that these technologies not only apply to 802.11 attacks! A GPU may very well be used as the powerhouse of a hashing attack against systems such as MD5, LAN\MAN and SHA. This is why it is imperative to not simply use a strong “password”, but instead use a passphrase which is of sufficient length, use alphanumeric and symbolic keyspaces, mixed cases (upper and lowercase), and words not found in a dictionary. A password such as lary101 is much more easily cracked than one such as H4rd!tO@Cr4ck#th1S$P4ssphr4s3% which uses multiple types of characters and is lengthy. If you look at it, you will also notice that the first word has the first letter capitalized, the second has the last letter capitalized, then the third is back to capitalizing the first again. An alternating pattern such as this will help you remember which letters are capitalized so you don’t forget your password. Is it somewhat of a pain in the butt having to type out a password like this? Yes, but so is having to put your identity back together after it gets stolen because you used the password cheerfan100 on your banking site.

Password cracking has come a long way in recent years. Vendors and government agencies are forced to be vigilant and be aware of the progress not only with cryptanalysis attacks and vulnerability advisories, but also hardware and software trends. Even the most secure of algorithms are rendered useless if you throw enough processing power at it. Commercial licenses for software that performs GPU attacks are very expensive and your average cyberpunk probably doesn’t have access to such a program. Currently, you aren’t likely to experience a GPU based attack on your network, but you should at least be aware of it, and you should certainly make sure there are backup security elements on your network such as MAC filtering, disk encryption, inbound and outbound firewall, limiting DHCP users on wireless routers, etc.

CompTIA Woes

Well guess what I found out today? Apparently, CompTIA announced in January they were no longer going to allow their Security+, A+, and Network+ certifications to be good for life! I don’t know how I just found out, but I did. Now, originally they stated this applied to all their certs, but customer outrage resulted in them announcing they would grandfather in anyone who gets certified before Jan 1, 2011 as still certified for life. This is in stark contrast of what we have all been told over the years about CompTIA certs being “good forever”.

The reasoning behind this seems to be that they are trying to get on board with ISO standards which define certifications as requiring a shelf life on all certs. I understand that technology is ever-changing, but is it really so important to keep updated on entry level certs if you are staying up to date on your higher-level vendor specific ones? I just don’t think a CCNA should be required to update his Network+ every few years, but that’s just my personal opinion. Most people who have been in IT a long time have a plethora of letters and words after their name: Network+, Security+, Server+, A+, MCP, MCSE, CCNA, etc etc. I imagine it’s enough of a pain in the butt having to renew all the vendor specific ones as it is, let alone if they start having to worry about updating the others.

Some people say this is no problem, just go ahead and get as many as you can before the new year, and many people aren’t worried because they already have all their CompTIA certs, so they must be ok right? Not necessarily, in fact, many people are worried that CompTIA changing the exam standards may cause employers to only accept CompTIA certifications obtained after the switch. The Department of Defense (DoD) is already doing this. This is what the CompTIA website’s Q&A section states:

I work for the DoD and hold a CompTIA certification as part of DoD 8570. How does this affect me?

Beginning January 1, 2011, DoD will require every CompTIA certified IA workforce member to obtain a CompTIA CE credential. As of January 1, 2013, DoD will only recognize CompTIA CE (or CE enrolled) certifications as approved DoD 8570 IA baseline certifications.

Well, sucks for you I suppose. I don’t really know what to make of all this, and being that I am just getting started really pursuing these certs, it brings some confusion and worry to the table. Allot of people, including myself however do feel that most employers will accept either equally though, especially if your main focus is on higher-level vendor specific certs. After all, who in their right mind wouldn’t hire a certified CISSP because his Security+ is expired or of the older version?

Utilizing Virtualization: White Paper+ Video

Virtualization basically means you are running one operating system inside the virtual memory of another operating system. What does this mean? Let’s picture this in a basic example: a Mac OSX user who wants to use Windows XP to run a specific application. If the Mac user is running virtualization software like VMWare, he can create a virtual disk file, mount the XP installation disk, then install the operating system to the virtual disk file. From within OSX, the user can now start and run Windows XP withing the Mac OS. Here is some terminology:

Host OS: the system which the virtualization software is installed on
Guest OS: the operating system running inside the virtualization software
Snapshot: the ability of some virtualization software to be able to revert the guest OS to a previously known good configuration.

Virtualization software comes in many flavors, ranging from free apps like VirtualBox on Linux, to commercial proprietary apps such as VirtualPC and VMWare Workstation. Besides uses for end users, there are many reasons why a person may want to use virtualization in a corporate environment, and I highly doubt I will mention all of them, but here are some major ones that come to mind.

Programmers: A developer who wants to develop a cross-platform application, let’s say an app designed to run on Windows and Mac, can use a program such as VMWare Workstation to test his applications and scripts as he writes them. Let’s pretend for instance, Windows Vista is his host OS, all the developer has to do is test his app on Vista, then fire up his virtual Mac installation and test it there also. A developer may have a plethora of guest machines designed just for testing various platforms. It is an invaluable development tool.

Servers: Most web-hosting companies typically offer 3 subscription services, private dedicated hosting, virtual private hosting, and shared hosting. A dedicated machine means an organization (usually with a large budget and bandwidth requirements) actually rents their own machine from the hosting company. No other website stores its files on the system. The organization usually has access to the filesystem, configuration, and other advanced features including their own IP address. This is quite obviously an expensive solution. The polar opposite is shared hosting, simply meaning an organization’s website shares the same IP address and hardware with with several other websites. This is a low-cost solution, and good for personal sites or businesses who don’t require too much bandwidth. A near ubiquitous middle-ground in terms of price and features between these two options is that of using Virtual Private Servers for Virtual Private Hosting. VPH uses virtualization to allow multiple guest operating systems to be run on one physical server. This allows the look, feel, and functionality of a private server without the high costs that are associated with VPS. The ability to revert to a previous snapshot also is great for servers in case a configuration error or crash occurs, allowing the previous state of the system to be restored.

Honeypots: A honeypot is simply a decoy system which is usually setup in the DMZ section of an organization’s network infrastructure to fool malicious hackers into attacking their system instead of a critical one. Virtualization works especially well for honeypots, because a good honeypot will intentionally contain security vulnerabilities in order to attract the attacker’s attention but they don’t need to be able to effect the integrity of other systems in the network. With virtualization, memory from the guest OS typically cannot write directly to the  memory of the host OS. If a guest OS gets a virus, it cannot normally get transferred to the host OS. If a bug is exploited on the honeypot and the attacker is able to damage it, administrators can simply revert the system back to normal using a snapshot. A virtual honeypot can contain features to perform IDS/IPS tasks, logging, protocol analysis, and more. A security “best practice” is to constantly log all data sent to and from the honeypot. Even if an attack hasn’t occurred yet, precursors such as port scans or ping sweeps can be detected and logged accordingly and a future attack can possibly be better anticipated.

Malware Analysis: As stated in the previous section, malware normally cannot cross from guest OS to host OS. This allows virtual machines to be an excellent resource for malware analysis. Researchers can fire up their guest OS, unleash the malware and analyze it, then revert the machine to its previous stable state using a snapshot when they are done. Malware spreading from guest to host is possible though, a user copying a file from an infected guest to a host can obviously put the system at risk, and allowing a worm to scan systems on the subnet from within a guest OS can spread infections. For any malware analysis, it is a “best practice” and usually mandatory to isolate systems withing a lab environment. Virtualization simply makes it easier to implement such as lab using multiple interconnected guest systems for example.

Virtualization makes system management and implementation more scalable. The snapshot features on virtualization software such as VMWare Workstation has saved me from a few serious headaches since I started using virtualization. I hope this gives you some insight, and encourages you to check out virtualization yourself if you haven’t yet done so. I just bet you’ll find at least one use for it!

IT Certifications

I haven’t made a post in quite awhile but with my new work schedule that should all change relatively quickly. This won’t be a long post, just wanted to let everyone know how my career path is going thus far. I have started getting certified, something I probably should have started doing months ago. First, I got Network+ out of the way! I’ll describe it in detail for those who aren’t familiar with it.

Network+ is a certification sponsored by CompTIA. CompTIA is known for industry recognized, vendor-neutral certifications. Rather than focus on one specific vendor, such as MS or Cisco, getting a good foundation with CompTIA certs shows that you are familiar with many different technologies on various platforms. Being Network+ certified won’t land you a job as head of an IT department, but what it does do at the very least is show that you are knowledgeable in areas such as routing concepts, TCP/IP (the majority of the test), network hardware and transmission media, topologies, standards, 802.11 (Wi-fi), network troubleshooting, etc, etc. The amount of time I put into studying the domains was about 2 months off and on. I was really nervous on test day, but wound up passing by a large margin thankfully. I used Mike Meyer’s Network+ Passport as my main study resource.

Security+ is the certification I am now studying for. I should be hopefully be taking the test within the next few weeks. Security+, like Network+ is also vendor neutral, but focuses on concepts of Information Security (known as InfoSec) instead of networking fundamentals. Security+ and Network+ do bleed over into each other a decent amount which I am glad for. You can’t talk about network security infrastructure without referring to things such as wi-fi encryption and TCP/IP which Network+ both touched on a great deal. Security+ focuses also on risk mitigation, intrusion detection and prevention systems (IDS/IPS), cryptography, physical security and biometrics, security policies, and access control methods. Most of the topics are quite familiar to me as I have immersed myself into the security community due to my own interests as a hobby and have done allot of research on my own prior to studying for this exam. The corporate aspects are probably the least familiar to someone like me, topics such as RBAC (rule based access control) and domain controllers/group policy are examples of some of the ones I am really having to dedicate to memorization. For the most part though, it has been interesting and fun studying for it. I purchased Mike Meyer’s Security+ passport along with a Sybex Secuirty+ review guide. I am even using some video lectures, a 20 part series, to aid my study efforts.

CompTIA certifications are simply a starting point. They are great for an individual fresh out of school like myself to get his feet wet and beef up the ol’ resume a tad. After Security+(which I hope I pass the 1st time with flying colors), I am considering either getting a more focused vendor certification such as Cisco’s CCENT or a Microsoft cert, but I haven’t ruled out getting CompTIA’s A+ either. It seems A+ (a hardware and operating system technician centered cert) is very popular under the “desired qualifications” section of job ads. Even when looking for pure networking jobs, I see A+ mentioned often. I can’t say I blame them though, after all what good is a network tech that can’t replace a NIC card?

Anyhow that’s about it for now. It has been exciting so far working towards my career goals. I still have yet to satisfy my desire for a better job where I can use what I know more, but I am confident the fruits of my labor will come to light in the next few months.

PyProto Fuzzer

This is the newest of my current projects in development. If you have followed me here from Bleeding Edge Security, you probably are aware that I write most of my software in Python. Why you may ask? Because of its simplicity, but that is for another article. This project is a generic protocol fuzzing API and console which allows Python developers who may not have much experience with socket programming the ability to quickly create connections to web servers and generate test cases to send across the network. If you aren’t familiar with fuzzing, there will be another article coming soon. For now I will give you this tidbit of info:

Fuzzing attempts to find errors and vulnerability in software, web applications, and even operation systems by attempting to point bad data at the running process. For HTTP fuzzing for example, a fuzzer may try to send bad requests, invalid URLs, or even purely random data to try and break the server. There are two main categories of fuzzing: intelligent fuzzing, and dumb fuzzing.

Dumb fuzzing simply sends purely random data to an application in the hopes that an error will occur. This process while known to be effective, can theoretically take days, weeks, and even years to find all possible permutations for a given data set. ASCII codes allow up to 256 characters. With this large number, even generation all possibilities for even short-length fields can be excruciatingly slow.

Intelligent fuzzing on the other hand uses valid protocol data mixed in with garbage data to try and create error cases. Again using HTTP for an example, a fuzzer could initiate a request such as “GET /#3j#iw)>3.html HTTP/1.0\n\n” or maybe “GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.html HTTP/1.0\n\n” as another example. Heuristics can also be useful for intelligent fuzzing. Heuristics are simply a list of characters or strings which have been known to expose security holes in other various applications in the past. Good examples of heuristics  are formatting characters such as “%s” or “%i” a NOP such as “\x90″ or “NULL”, and a buffer overflow sequence such as (“A” * 100).  Intelligent fuzzing can be much more easier to backtrack and determine what caused a specific error to occur, because you are targeting a specific field such as a filename, extension, or request method.

PyProto Fuzzer uses TCP/UDP sockets to fuzz network applications. It uses a template that a user creates, along with either random data or data from a configuration/dictionary file to search for bugs. The default template is “%s” which is a format character for strings in Python. When the program gets a word from the dictionary, (or a random stream from the PRNG), it places it in the template where the “%s” is located, then sends to result to the server. You can fuzz HTTP by creating a template such as this:

“GET /%s.html HTTP/1.0″

This template sends a GET request to an HTTP server, and it uses the filename as the fuzzing field. You could also use index as the filename, and use .”%s” as the extension. This would allow you to fuzz the extension instead of the filename itself. Any parameter in the request can be fuzzed using this method, and I thought using the formatting characters along with a user-defined template would suit this program nicely. Other niceties include:

• The program also includes a fairly detailed log structure. When you execute the console, a logfile is created with the time and date as the filename. The tester can also delete and rename the log as he sees fit.
• Printed server responses, the tester can alter the socket buffer size to trim down response sizes and speed up the execution. Printing entire responses is CPU intensive and creates monstrous log sizes.
• Wait times can be altered by the user, in other words, you can set the time between requests with time.sleep(seconds)

An entire fuzzing API. This program not only includes a user-friendly console and pre-written modules and heuristics dictionaries, but it will include a complete API for creating customized fuzzers on the fly. Features will include:

• Modules for creating socket objects for people who aren’t familiar with sockets. The syntax will be clean and easy such as

socket = Sockets.CreateSocket.connectTCP(host, port)
socket.sendData(data)
data = socket.recvData()

• Modules for connecting and transmitting data to various protocols. As mentioned, support for FTP, SMTP, and others.
• An easy-to-use logging module.
• File-handling modules such as FileRead, FileWrite, and FileAppend.

Other protocols such as SMTP can also be fuzzed using this same method, and I am in the process of designing a module to do just that! The module will be called SMPTConnect, and it will allow the fuzzer to connect and be authenticated to an SMTP server. Once authenticated, the user will be able to fuzz commands, mail headers, etc. I am also going to add modules such as FTPConnect, and probably a few others such as functionality for DNS and SQL. The idea is to create a generic fuzzing module to do dumb fuzzing (such as sending randomized data to TCP port 21) but also to be able to establish a connection with server software using the appropriate protocol restrictions and begin deeper intelligent fuzzing, example: (log into an FTP server with a valid username/password and fuzz FTP commands, data types, file extensions, etc.)

PyProto Fuzzer is now my main project at this point. Other project have been put on hold for a little while as I finish finalizing the first version of the release. Watch for release announcments and updates, as well as releases of other programs I have written in the near future: (Py-Scan:TCP Connect() Port Scanner, Py-Get: WGET clone, Py-Cat, a netcat written in Python, Tupooki: A client/server remote management and administration tool. It will all be coming soon.

Bin Slash Shell blog is now live!

This will be the new home for the cumulative project which was Bleedingedgesecurity.com The new blog format, and SourceForge pages should provide a more clutter-free solution for releasing my software and also for posting interesting topics. I will add more in the next few days…