[HACK YOURSELF FIRST] Part 1: Defending against basic attacks by Mike H

In this article

Here is a list of tools we’ll be using:
- nmap (port scanning, service detection and versioning)
- medusa (brute-forcing Windows SMB credentials, SSH and lots of other services)
- metasploit (we are just going to use its database support to build lists of services)

Background

In this article we are going to cover some of the most common problems on internal networks and offer up some quick ways to detect and mitigate these issues. Contrary to the impression you may get from reading security news, most people are not getting hacked by zero day exploits. Most people are getting hacked by face-palmingly basic issues. In fact the Verizon Data Breach Investigations Report cites that 96% of attacks did not require a high level of sophistication. This is certainly reflected in our pentesting experiences as well.

I'd like to pick up where the you-can't-defend-what-you-don't-understand article left off. I am going to assume you have a pretty good idea of what your network looks like and what kinds of hosts are on it.

As a network defender there are a bunch of things you can do yourself to secure your network against common issues. Most people don’t get to build a network from scratch but instead inherit one that comes with reused local administrator passwords, default credentials and the like. Those are exactly the issues we are going to root out.

Tip

Remember if someone else knows more about the issues on your network than you do...you don’t own the network, they do!

Prerequisites

This tutorial assumes you have gone and got yourself a backtrack VM or are comfortable getting things done on Ubuntu.

Get backtrack

If you don’t already have a backtrack VM grab an image from here: www.backtrack-linux.org. For those with short attention spans, check out this previous post for more information on getting yourself set up.

Running backtrack will save you from having to set up metasploit’s database support yourself. If you don’t want to use backtrack, here is a good tutorial on getting database support for metasploit going under Ubuntu.

Get some wordlists

Have a look in the data/wordlists directory of metasploit for targeted password dictionaries (oracle, unix etc).

To be honest the technique that works best is googling “[device name] default password”. If you are a network admin you most likely know these default passwords already; it’s just a case of actually doing a scan and rooting them all out (next section).

Methodology

The general idea is that we are going to build a list of hosts that have a given service listening, then run a password brute force against each applicable service. The same approach could be extended to running a metasploit module against each service.

Password collection methodology
1. Locate passwords, those shared passwords that’re used everywhere (y’know the ones)
2. Use passwords against each available service
3. Access hosts, use access to locate more passwords
4. Goto 1.

1. Use nmap to generate lists of hosts

Something simple like this works well enough to get started:

nmap -sV -sC -iL addr_ranges.txt -oA scan_results

This takes a list of address ranges or hosts (-iL), does service versioning and runs the default discovery scripts (-sV -sC) against the top 1000 TCP ports, and writes the results in all three output formats (-oA). Don't forget to check back to this article if you are new to nmap.

Nmap’s scripts are enormously useful. For instance they can find MS-SQL service packs and patch levels, and some common vulnerabilities such as the VMware path traversal bug that lets an attacker pull guest images off the host.

Tip

Check out the nmap script repo for a world of useful nmap scripts!

Outputting in all three formats (-oA switch) is useful, as the XML can be used to import into metasploit. And the grepable (gnmap) format is good for generating host lists by service names (that may be running on odd ports) and feeding the hostlists to medusa.

The XML output can be converted to HTML for easy viewing of all the results.

xsltproc /usr/share/nmap/nmap.xsl scan_results.xml > scan_results.html

You may need to tune your scan to the size of the network. Nmap has the super useful --top-ports flag, so if you want a quick scan you can use --top-ports 100 to scan just the 100 most common ports instead of the default 1000.

Nmap discovery scripts are also useful for SNMP enumeration. The following does a UDP scan of port 161 and runs the SNMP scripts against anything that answers. Remember that UDP ports which never reply are reported as open|filtered, so don't read every hit as a live SNMP agent.

nmap -sU -p 161 -sC -sV -iL addr_ranges.txt -oA snmp_results

2. Extracting host lists from scan results (the ghetto way)

Build lists of hosts from gnmap file

Sometimes the hosts you are after don't all run a service on a given port but do all include a word in a banner grabbed by nmap, e.g. 'hp'. This is useful if you want to find hosts that you know may have default passwords.

In this case you can use grep on the gnmap file to find all the hosts that have the string.

  grep -i hp 10.1.1-top1000.gnmap | cut -d ' ' -f 2 | sort -u > hp-ips.txt

This finds all the hosts that had the string hp somewhere on their gnmap line (remember that nmap with -sV, or -A, is doing service detection and grabbing banners); field 2 of each Host: line is the IP address. Note that the grep also matches the string in a hostname, so eyeball the list. Now you have a list of IPs that you are interested in you can use this with another tool.

Use host lists in a bruteforcer

Medusa is slow but it’s also reliable (so long as you don’t crank up the concurrency with the -T (hosts in parallel) and -t (logins per host in parallel) options). You can do faster scans with concurrency using ncrack but it can be less reliable. Medusa is good for when you have found a password on one system and you want to find all the other systems where that same password works. Keep an eye on account lockout policies before pointing it at domain accounts: a brute force that locks out half the company is its own outage.

Tip

Medusa supports a good range of protocols. The modules you’ll most likely want are smbnt (Windows authentication over SMB) and ssh; medusa -d lists the modules your build has installed.

List of protocols supported by Medusa:
ftp, nntp, rlogin, ssh, vnc, http, pcanywhere, rsh, svn, web-form,
mssql, pop3, smbnt, telnet, mysql, rexec, snmp, vmauthd

So now we have our host list (hp-ips.txt from above) we can root out that default password that’s used everywhere:

 medusa -M ssh -H hp-ips.txt -u root -p changeme -O default-ssh-pws.txt
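The two steps above (pull a host list out of the gnmap file, then point medusa at it) as one script. This is an added example, not the article's own code: it assumes the gnmap layout that nmap -sV writes (one tab-separated Host: line per host, port entries shaped port/state/proto/owner/service/rpcinfo/version/ separated by ", ", and no ", " inside version strings), and it runs against a constructed sample scan rather than real output so it works offline. Unlike the plain grep, it only matches the service name and version banner, and only counts ports nmap reported as open.

```shell
#!/bin/sh
# Added example (not the article author's script): pull host lists out of an
# nmap .gnmap file by open port or by a string in the service/version banner,
# then hand the list to medusa -H. Assumes the .gnmap layout nmap -sV writes:
# one "Host:" line per host, tab-separated columns, and a "Ports:" column of
# ", "-separated entries shaped port/state/proto/owner/service/rpcinfo/version/
# (it also assumes version strings contain no ", " of their own).

TAB=$(printf '\t')

# For every Host line, emit one "<ip><TAB><port entry>" line per port entry.
gnmap_entries() {
    awk '
        /^Host: / {
            ports = ""
            n = split($0, cols, "\t")
            for (c = 1; c <= n; c++)
                if (cols[c] ~ /^Ports: /) ports = substr(cols[c], 8)
            m = split(ports, entry, ", ")
            for (i = 1; i <= m; i++) print $2 "\t" entry[i]
        }' "$1"
}

# Hosts with the given port confirmed open (UDP "open|filtered" does not
# count), e.g. hosts_with_port 1433 scan_results.gnmap
hosts_with_port() {
    gnmap_entries "$2" | awk -F "$TAB" -v want="$1" '
        { split($2, f, "/"); if (f[1] == want && f[2] == "open") print $1 }' | sort -u
}

# Hosts whose open service name or version banner contains the string,
# case-insensitively, e.g. hosts_with_banner hp scan_results.gnmap; this also
# finds services on odd ports (ssh on 2222) that a port filter would miss.
hosts_with_banner() {
    gnmap_entries "$2" | awk -F "$TAB" -v pat="$1" '
        BEGIN { pat = tolower(pat) }
        { split($2, f, "/")
          if (f[2] == "open" && index(tolower(f[5] " " f[7]), pat) > 0) print $1 }' | sort -u
}

# Constructed sample scan (not real nmap output) so the script runs offline.
SAMPLE_GNMAP=$(mktemp)
TARGETS=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP" "$TARGETS"' EXIT
{
    printf '# Nmap 6.01 scan initiated as: nmap -sV -sC -iL addr_ranges.txt -oA scan_results\n'
    printf 'Host: %s ()\tStatus: Up\n' 192.168.1.220
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (998)\n' 192.168.1.220 \
        '22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server/'
    printf 'Host: %s (printer1)\tPorts: %s\tIgnored State: closed (998)\n' 192.168.1.50 \
        '80/open/tcp//http//HP Officejet printer http config/, 9100/open/tcp//jetdirect?///'
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (997)\n' 192.168.1.240 \
        '1433/open/tcp//ms-sql-s//Microsoft SQL Server 2005/, 2222/open/tcp//ssh//OpenSSH 4.3/, 23/filtered/tcp//telnet///'
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (999)\n' 192.168.1.51 \
        '161/open|filtered/udp//snmp///'
} > "$SAMPLE_GNMAP"

echo "HP kit (default-password candidates):"; hosts_with_banner hp "$SAMPLE_GNMAP"
echo "SQL servers:";                          hosts_with_port 1433 "$SAMPLE_GNMAP"

# Same loop as the article: one known password, every host with the service.
hosts_with_port 22 "$SAMPLE_GNMAP" > "$TARGETS"
if command -v medusa >/dev/null 2>&1; then
    medusa -M ssh -H "$TARGETS" -u root -p changeme -O default-ssh-pws.txt
else
    echo "medusa not installed; would run: medusa -M ssh -H $TARGETS -u root -p changeme -O default-ssh-pws.txt"
fi
```

Point the two functions at your real scan_results.gnmap instead of the sample. hosts_with_banner ssh is the one to use when SSH daemons sit on non-standard ports, but remember medusa's ssh module defaults to port 22, so give it the port (-n) for those hosts.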

Extracting host lists from scan results (the metasploit way)

Tip

Don't worry if you're not familiar with Metasploit, we will be covering it in another post. In the meantime if you want to know more about it, check out Metasploit Unleashed, the free online course from the Metasploit development team.

1. Import the scan results into Metasploit

On backtrack metasploit’s database support is set up and ready to go. All we need to do is grab the db credentials out of the config file here:

cat /opt/framework/config/database.yml

Connect metasploit to the database if you haven't done so already, substituting the password from database.yml for PASSWORD:

db_connect msf3:PASSWORD@localhost/msf3

Create a new workspace to import the results into:

 workspace -a hack_myself_1st

In msfconsole the command is:

db_import nmap_subnet_1.xml

2. Query metasploit for a given service

To find all your SQL servers, for instance, just do this (-u restricts the listing to services that are up, -p to the port):

services -u -p 1433

And metasploit will dutifully output a list for you:

msf > services -u -p 1433

Services
========

host           port  proto  name      state  info
----           ----  -----  ----      -----  ----
192.168.1.220  1433  tcp    ms-sql-s  open   Microsoft SQL Server
192.168.1.230  1433  tcp    ms-sql-s  open   Microsoft SQL Server
192.168.1.240  1433  tcp    ms-sql-s  open   Microsoft SQL Server 2005

3. Export the results to use in another tool

From here you can use the services command to list all hosts by service and apply an exploit or scanner to all applicable hosts. You can do this:

 services -u -p 22 --rhosts

This writes all the hosts with port 22 open to a temporary file and sets RHOSTS to point at it, so the next scanner module you run picks them up. You can also feed the temporary file to another tool such as Medusa, or use -o somefile.csv instead if you want the listing as CSV.

Conclusion

That's all for part 1. In part 2 we will examine some of the common issues you may come across and how to find and fix them.

About the Author

Mike Haworth is an aspiring software vandal and contributor to the
BeEF framework. He works as a pentester for Aura Information Security.