[HACK YOURSELF FIRST] Part 1: Defending against basic attacks by Mike H
In this article
Here is a list of tools we’ll be using:
- nmap (port scanning, service detection and versioning)
- medusa (brute-forcing Windows SMB credentials, SSH and lots of other services)
- metasploit (we are only going to use its database support for building lists of services)
In this article we are going to cover some of the most common problems on internal networks and offer up some quick ways to detect and mitigate these issues. Contrary to the impression you may get from reading security news, most people are not getting hacked by zero-day exploits. Most people are getting hacked by face-palmingly basic issues. In fact the Verizon Data Breach Report cites that 96% of attacks did not require a high level of sophistication. This is certainly reflected in our pentesting experiences as well.
I'd like to pick up where the you-can't-defend-what-you-don't-understand article left off. I am going to assume you have a pretty good idea of what your network looks like and what kinds of hosts are on it.
As a network defender there are a bunch of things you can do yourself to secure your network against common issues. Most people don’t get to build a network from scratch but instead inherit one that may have reused local administrator passwords and so on. Such issues can be a problem.
Remember if someone else knows more about the issues on your network than you do...you don’t own the network, they do!
This tutorial assumes you have gone and got yourself a BackTrack VM or are comfortable getting things done on Ubuntu.
If you don’t already have a BackTrack VM, grab an image from here: www.backtrack-linux.org. For those with short attention spans, check out this previous post for more information on getting yourself set up.
Running BackTrack will save you from having to set up metasploit’s database support yourself. If you don’t want to use BackTrack, here is a good tutorial on getting database support for metasploit going under Ubuntu.
Get some wordlists
Have a look in the data/wordlists directory of metasploit for targeted password dictionaries (oracle, unix etc).
To be honest the technique that works the best is googling “[device name] default password”. If you are a network admin you most likely know these default passwords already; it’s just a case of actually doing a scan and rooting them all out (see the next section).
The general idea is that we are going to build a list of hosts that have a given service listening, and then do a password brute force on each applicable service. This could be extended to applying a metasploit module to each service.
Password collection methodology
1. Locate passwords, those shared passwords that are used everywhere (y’know the ones)
2. Use passwords against each available service
3. Access hosts, use access to locate more passwords
4. Goto 1.
1. Use nmap to generate lists of hosts
Something simple like this works well enough to get started:
nmap -sV -sC -iL addr_ranges.txt -oA scan_results
This takes a list of address ranges or hosts (-iL), does service versioning and discovery scripts (-sV -sC) on the top 1000 tcp ports and outputs in all three formats (-oA). Don't forget to check back to this article if you are new to nmap.
Nmap’s scripts are enormously useful. For instance they can find MS-SQL service packs and patch levels and some common vulnerabilities like the vmware guest stealing path traversal vulnerability.
Check out the nmap script repo for a world of useful nmap scripts!
Outputting in all three formats (-oA switch) is useful, as the XML can be used to import into metasploit. And the grepable (gnmap) format is good for generating host lists by service names (that may be running on odd ports) and feeding the hostlists to medusa.
The XML output can be converted to HTML for easy viewing of all the results.
xsltproc /usr/share/nmap/nmap.xsl scan_results.xml > scan_results.html
You may need to tune your scan to the size of the network. Nmap has the super useful --top-ports flag, so if you want a quick scan you can use --top-ports 100 to scan just the 100 most common ports instead of the default 1000.
Nmap discovery scripts are also useful for SNMP enumeration. The following will do a UDP scan on port 161 and run the snmp scripts:
nmap -sU -p 161 -sC -sV -iL addr_ranges.txt -oA snmp_results
2. Extracting host lists from scan results (the ghetto way)
Build lists of hosts from gnmap file
Sometimes the hosts you are after don't all run a service on a given port but may all include a word in a banner grabbed by nmap, e.g. 'hp'. This is useful if you want to find hosts that you know may have default passwords.
In this case you can use grep on the gnmap file to find all the hosts that have the string. The IP is the second space-separated field of each gnmap line ("Host: 10.1.1.5 (name)"), which is what cut pulls out:
grep -i hp 10.1.1-top1000.gnmap | cut -d ' ' -f 2 | sort -u > hp-ips.txt
This finds all the hosts that had the string hp in a banner somewhere (remember that nmap with -sV, or -A which includes it, is doing service detection and grabbing banners). Now that you have a list of IPs you are interested in, you can use it with another tool.
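As an added example that is not part of the original article, here is a small Python script that does the same job as the grep/cut pipeline above but parses the gnmap port fields properly, so you can build host lists by open port (the way the Metasploit services command does later on) or by a banner keyword, and write them one IP per line for medusa -H. The gnmap text embedded in it is constructed sample data, not real scan output, and the function names are my own.

```python
import re
from collections import namedtuple

Port = namedtuple("Port", "port state proto service version")
Host = namedtuple("Host", "ip hostname ports")

# A gnmap "Ports:" field holds entries of the form port/state/proto/owner/service/rpc/version/
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\tIgnored State:.*)?$")

def parse_gnmap(text):
    """Return one Host per 'Host: ... Ports: ...' line; 'Status: Up' lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue
        ports = [Port(int(p), st, pr, svc, ver)
                 for p, st, pr, svc, ver in _PORT_RE.findall(m.group(3))]
        hosts.append(Host(m.group(1), m.group(2), ports))
    return hosts

def hosts_with_port(hosts, port, proto="tcp"):
    """IPs with the port open (not filtered/closed), like 'services -p N' in msfconsole."""
    return sorted({h.ip for h in hosts
                   if any(p.port == port and p.proto == proto and p.state == "open"
                          for p in h.ports)})

def hosts_with_banner(hosts, keyword):
    """IPs with an open service whose name or version contains keyword as a whole word.
    Only banners are searched, so 'hp' hits an HP banner but not 'PHP' or a hostname."""
    kw = re.compile(r"\b%s\b" % re.escape(keyword), re.IGNORECASE)
    return sorted({h.ip for h in hosts
                   if any(p.state == "open" and (kw.search(p.service) or kw.search(p.version))
                          for p in h.ports)})

# Constructed sample gnmap output (three hosts) standing in for scan_results.gnmap.
SAMPLE_GNMAP = """# Nmap 6.01 scan initiated as: nmap -sV -sC -iL addr_ranges.txt -oA scan_results
Host: 192.168.1.220 (sqlbox.example.internal)\tStatus: Up
Host: 192.168.1.220 (sqlbox.example.internal)\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2005/\tIgnored State: closed (998)
Host: 192.168.1.50 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//HP System Management Homepage/\tIgnored State: filtered (998)
Host: 192.168.1.60 (php-dev.example.internal)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.2.22 ((Ubuntu) PHP|5.3.10)/\tIgnored State: closed (998)
"""

if __name__ == "__main__":
    scanned = parse_gnmap(SAMPLE_GNMAP)
    # One IP per line, ready for medusa -H or any other tool that takes a host file.
    print("\n".join(hosts_with_banner(scanned, "hp")))
```

Note that a plain grep -i hp on the sample would also return 192.168.1.60 because of the "PHP" in its Apache banner and the "php-dev" hostname; the parser returns only the real HP host.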
Use host lists in a bruteforcer
Medusa is slow but it’s also reliable (so long as you don’t try to run scans concurrently using the -T and -t options). You can do faster scans with concurrency using ncrack, but it can be less reliable. Medusa is good for when you have found a password on one system and you want to find all the other systems where that same password is used.
Medusa supports a good range of protocols through its modules; most likely you’ll want to test Windows auth (smbnt module) and SSH.
List of protocols supported by Medusa:
ftp, nntp, rlogin, ssh, vnc, http, pcanywhere, rsh, svn, web-form,
mssql, pop3, smbnt, telnet, mysql, rexec, snmp, vmauthd
So now that we have our host list, we can root out that default password that’s used everywhere:
medusa -M ssh -H /tmp/somelongfilename.txt -u root -p changeme -O default-ssh-pws.txt
Extracting host lists from scan results (the metasploit way)
Don't worry if you're not familiar with Metasploit, we will be covering it in another post. In the meantime if you want to know more about it, check out Metasploit Unleashed, the free online course from the Metasploit development team.
1. Import the scan results into Metasploit
On backtrack metasploit’s database support is set up and ready to go. All we need to do is grab the db credentials out of the config file here:
Connect metasploit to database if you haven't done so already
Create a new workspace to import the results into:
workspace -a hack_myself_1st
In msfconsole the command is:
2. Query metasploit for a given service
To find all your SQL servers, for instance, just do this (-u restricts the output to ports that are up, -p picks the port):
services -u -p 1433
And metasploit will dutifully output a list for you:
msf > services -u -p 1433

Services
========

host           port  proto  name      state  info
----           ----  -----  ----      -----  ----
192.168.1.220  1433  tcp    ms-sql-s  open   Microsoft SQL Server
192.168.1.230  1433  tcp    ms-sql-s  open   Microsoft SQL Server
192.168.1.240  1433  tcp    ms-sql-s  open   Microsoft SQL Server 2005
3. Export the results to use in another tool
From here you can use the services command to list all hosts by service and apply an exploit or scanner module to all applicable hosts. To do that:
services -u -p 22 --rhosts
This will output all the hosts with port 22 open to a temporary file. You can then feed the temporary file to another tool such as Medusa.
That's all for part 1. In part 2 we will examine some of the common issues you may come across and how to find and fix them.