08 creative advanced attacks.v7

Upload: chris-muncy

Post on 09-Apr-2018

  • 8/8/2019 08 Creative Advanced Attacks.v7

    1/27

    WLSAT Section 8

    08 - Creative Advanced Attacks.v7 2007 Institute for Network Professionals

    1/12/11 1 www.inpnet.org www.HOTLabs.org

    Section 8: Creative Advanced Attacks

    On the downhill slide of our journey with the Wireless LAN Security Assessment Toolkit, we'll show you some of the cutting-edge and exciting tools and techniques that exist in the WLAN ecosystem.

    Your kit includes a professional Honeypot to trap would-be attackers of your Wireless LANs. Plus we've included some unique tools on a USB Attack Stick. Remember: only WITH PERMISSION.

    Lab 8.1: Create a Honeypot - KF Sensor

    KFSensor is a Windows-based Honeypot Intrusion Detection System (IDS).

    It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and trojans.

    By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone.

    KFSensor is designed for use in a Windows-based corporate environment and contains many innovative and unique features such as remote management, a Snort-compatible signature engine and emulations of Windows networking protocols.

    With its GUI-based management console, extensive documentation and low maintenance, KFSensor provides an effective way of improving an organization's network security.

    Product Information

    Source

    Key Focus

    KF Sensor Professional Commercial License

    $999.00

    http://www.keyfocus.net/kfsensor/index.php

    Where, When, Why

    When you want to catch someone in the act of attacking your network, a Honeypot is the tool of choice. KF Sensor is a robust, professional Honeypot that can also be used attached to a rogue access point of your design to catch folks attempting to access your network via the Wireless LAN.

    Usage and Features

    Monitors every port - KFSensor Professional monitors attacks on every TCP and UDP port, as well as detecting ICMP or ping messages. It also monitors all network activity of native Windows server applications, allowing these to act as part of a Honeypot configuration.

    Remote administration - KFSensor Enterprise Edition contains the ability to manage and monitor multiple honeypot installations. Events from different sensors across the network are concatenated in real time, allowing an immediate view of attacks as they happen.

    KFSensor uses 3072-bit RSA public/private key authentication and 256-bit AES encryption to provide top-of-the-range security for communication between sensors.

    IDS signature engine - KFSensor is the first product to combine the benefits of signature-based IDS with a honeypot system. Its fast signature search engine has a minimal impact on system performance and can handle thousands of rules.

    It is easy to update the rulebase with new rules from different sources and to create new rules directly from an event.

    Requirements / Dependencies

    - Windows NT, Windows 2000, Windows XP, Windows 2003 Server
    - 500 MB hard disk space
    - 512 MB RAM
    - 1 NIC card and/or direct internet connection

    Lab Part 1 - Configuring KF Sensor

    In this lab exercise you configure KFSensor using the Wizard and the individual settings windows.

    Step 1. Launch KFSensor (it may already be started on your system. Look for the KFSensor icon in the system tray - it may be a different color).

    Perhaps your computer has ports currently in use (Listened)

    Step 2. Select Settings > Set Up Wizard. The Set Up Wizard guides you through the configurations of:

    - Port Classes
    - Domain Name Selection
    - Email Alerts
    - Systems Service

    Step 3. Click the Next button to begin configuring KF Sensor. By default all the port classes will be selected.

    Click Next to accept this configuration using all port classes.

    Step 4. Now you need to give your system a name. Use a fictitious name that may be attractive to someone who is doing discovery for juicy targets. For example, using the following words somewhere in your domain name may get you more hits:

    - credit
    - bank
    - financial
    - investment
    - accounting
    - private
    - internal

    Enter your domain name (don't forget to include the .com, .org, .net or whatever extension you are going to use). Click Next.

    Step 5. If you would like to receive email alerts of events, enter your target email address and the source email address in this window.

    Click Next.

    Step 6. Now you can configure the system services. Click the Wizard Help button for more details on each option.

    Denial of Service
    - Normal/Cautious

    Port Activity
    - 1-12 Hours

    Proxy Emulation
    - Allow banner grabs and loop backs
    - No external connections

    Network Protocol Analyzer
    - Disable packet dump files
    - Enable packet dump files

    Use the following settings for this lab exercise:

    Click Next.

    Step 7. Now you are on the system service set up window. A system service allows KFSensor to run like a daemon on your system regardless of who is logged into it. You can change between users without affecting the system service. You must be logged in as the administrator to install the system service.

    Install as a system service should be selected.

    Click Next.

    Step 8. KFSensor should now be ready to configure your system. Click Finish.

    Step 9. Now we are going to customize KF Sensor. Select Settings > Customize. In this area you define the alert behavior, KFSensor window behavior, recent activity intervals, startup behavior and the maximum number of events to keep loaded.

    We definitely want to disable the audible alarm and we want to increase the number of events that are displayed when KFSensor starts up.

    Configure your KFSensor as shown next.

    Click OK when you have set these configurations.

    Step 10. Now you are ready to review the DOS Attack Settings and see if you want to stay with Normal or use Cautious or a customized setting. Select Settings > DOS Attack Settings.

    Step 11. To compare the two default settings, Normal and Cautious, click on each separately and review the settings. You can select either setting or define a customized setting for this lab exercise. Click OK when you are finished.

    Step 12. Now we are ready to configure the network analyzer function of KF Sensor. We enabled this feature in the Set Up Wizard.

    Select Settings > Network Protocol Analyzer. In this area you can select to monitor specific interfaces and define the types of packets that you want to capture.

    Step 13. Configure your KFSensor network protocol analyzer as shown below.

    NOTE: This system has a dial-up adapter loaded. On your systems, choose all adapters that are displayed in the list (which include your wired and wireless adapter and the generic Microsoft adapter).

    Click OK when you are done.

    Note: Your analyzer trace files are stored in the c:\kfsensor\dumps directory.

    Step 14. Select Settings > Email Alerts and review the configuration. You may want to select a Message Title or rethink the sender's address so you can easily apply email filters for your KFSensor alerts. In this area you also define the email alert interval and the message severity level. Click OK when you are finished.

    Step 15. Now select Settings > Local Sensor Configuration. Here you will see the Sensor ID of your KFSensor server. If you install more than one KFSensor, assign a unique ID to each since this number is kept in the logs to enable you to determine which KFSensor server was hit.

    Change your KFSensor ID value to kfsensor-zzz where zzz are your first, middle and last initials.

    We'll keep this default port and the log level setting at this time. Click OK to accept this setting.

    Note: KF Sensor might warn about restarting in the normal way and shut down. Just restart it to return.

    Step 16. Look through the other options under the Settings menu option. If you need to know more about any setting, click the Help button on the setting window.

    Lab Part 2 - Viewing, Editing and Creating New Scenarios

    In this lab exercise you continue to configure KFSensor by viewing the Main Scenario, creating a new scenario and defining the Listens and KFSensor behavior for those Listens.

    Step 17. In the KFSensor window, select Scenario > Edit Scenarios. You should have only one scenario defined on your system: the Main Scenario. This is the active scenario at this time.

    NOTE: First we are going to look at the Main Scenario; we are not going to edit that scenario, however. We are going to back out and make a new scenario called WLSAT Scenario.

    Step 18. Click Edit. At this time you might see a KF Warning box appear. This is not unusual; it indicates that certain ports were in use already when KFSensor started. You can select Convert to Native on those ports to have KFSensor listen to activity on them. For example, on Windows systems the NBT (NetBIOS) ports are enabled by default and will generate errors.

    Click OK.

    We don't want to edit this scenario; we only want to look at it. This window is showing you Listens, or defined ports that we are listening on using this scenario.

    Step 19. Double-click on FTP Guild (see previous graphic) to get more detail on the configuration of the FTP Listen.

    Here you can get an idea of how a Listen is defined: you define the port number and protocol and address to bind the Listen to. This is also where you define the KFSensor action when that Listen is hit as well as the severity level. Finally you can define the DOS attack limits to protect KFSensor from being overwhelmed by too many connections on that Listen.

    Now we are ready to build a brand new scenario.

    Step 20. Click Cancel to close the Edit Listen window and Cancel to close the Edit Scenario window. You should now be viewing the Edit Scenarios window as shown below.

    Step 21. Click Add to create a new scenario. You may receive the warning about ports in use. Click OK to close the warning window.

    Step 22. Enter the scenario name WLSAT Scenario. Enter the domain name that you defined in the Set Up Wizard. Click the Add/Remove Classes button.

    Step 23. Check off all the classes listed except Linux and click OK.

    Step 24. Now you will see all the Listens for these classes show up in your new scenario. We are going to add a Listen to this group. Click Add. You are going to add a Listen for Laura's Attack. Enter the information as shown in the configuration below. Click OK when you are done.

    Step 25. Your new Listen should show up in the list now. Click OK to save this scenario and close the New Scenario window. Now your NAST Scenario should be listed in the Edit Scenario window. Click OK to close the Edit Scenario window.

    Step 26. Select Scenario > Switch Scenario. Select your WLSAT Scenario from the drop-down list and click OK.

    NOTE: KFSensor hesitates for a moment as it switches scenarios; be patient. It might need to be restarted, as the switch might cause the services to stop.

    Lab Part 3 - Viewing and Adding Visitor Rules

    In this lab exercise you view and edit rules related to visitors that hit KFSensor. You will work with your WLSAT Scenario only.

    First IP Address: ___________________________________

    Last IP Address: ___________________________________

    NOTE: If you are going to connect to the KFSensor system using a Listen port (perhaps one that has been converted to native, such as the FTP port) and you don't want your communication to be logged, enter a Visitor Rule to exclude your connection on that port. Visitor rules are only used to close connections with, or ignore, visitors. They are NOT a lockout feature. Use signatures to do lockouts based on ports or payload.

    Step 1. In KF Sensor, select Scenario > Edit Active Visitor Rules to open the Visitor Rules window.

    Step 2. Click Add.

    Step 3. Enter the following rule information:

    - Name: Instructor Machine
    - First IP: See above
    - Last IP: See above
    - Host DNS name: Leave blank
    - Protocol: Any
    - Sensor Port: Leave blank
    - Visitor Port: Leave blank
    - Min. Connections: Leave blank
    - Max. Connections: Leave blank
    - Actions: Ignore
    - Set Severity: No change

    Click OK to close the Edit Rule window.

    Step 4. Your new rule is visible when you edit the active scenario and click the Rules button.

    Lab Part 4 - Creating Signature Rules

    In this lab exercise you create a signature rule based on traffic received and review how signatures are created and imported.

    Step 5. In KF Sensor, click the Ports View button. This might be enabled by default when the server starts.

    Step 6. Maximize the window so you can see the Received column information. This column shows the data related to the event (if any).

    Step 7. Double-click one of the events that show data was transferred. The Event Detail window appears.

    Step 8. Click the Signature tab. If no signature is associated with this event, click the Create button. The Edit Signature window appears showing the signature data definition.

    Click OK to accept this configuration.

    Step 9. The Add Signature window is now displayed. You can provide a message with your signature and include a Source Reference (such as a website that contains additional information on this signature).

    Note: Unless you are actively working with a partner to see live traffic, you'll only see your own little network's Windows traffic.

    The signature will be defined as hand coded, which means it takes precedence over the other KF signatures. It is that easy to add signatures from existing events.

    In order for KFSensor's signature engine to be most effective it is best to build up and maintain a large rule base. KFSensor can import rules written in Snort format. There are a number of different sources for Snort rules and the first stage is to download copies of different rule sets.

    Unlike a network IDS, KFSensor uses signatures to provide information on an attack and not to identify attacks. It is therefore possible to use experimental and non-certified rule sets.

    The official Snort and community rule sets can be obtained at: http://www.snort.org/rules/

    Another important source of rules is Bleeding Snort: http://www.bleedingsnort.com/index.php
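
The passage above says KFSensor imports Snort-format rules and uses them to describe an event, not to decide whether it is an attack. The following added example (not KFSensor's engine and not part of the original lab manual) parses a small subset of Snort rule syntax and annotates honeypot events; the rules, the events and the event field names `proto`, `sensor_port` and `received` are constructed for illustration.

```python
import re

# Constructed Snort-format rules (illustrative, not from a published rule set).
SAMPLE_RULES = r'''
# comments and blank lines are skipped
alert tcp any any -> any 21 (msg:"FTP anonymous login"; content:"USER anonymous"; nocase; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP path traversal probe"; content:"GET "; content:"../"; sid:1000002; rev:1;)
alert tcp any any -> any 445 (msg:"SMB header on honeypot port"; content:"|FF|SMB"; sid:1000003; rev:1;)
'''

# Constructed honeypot events; field names are assumptions, not KFSensor's log format.
SAMPLE_EVENTS = [
    {"proto": "tcp", "sensor_port": 21, "received": b"USER Anonymous\r\nPASS guest@\r\n"},
    {"proto": "tcp", "sensor_port": 80, "received": b"GET /../../boot.ini HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "sensor_port": 445, "received": b"\x00\x00\x00\x2f\xffSMB\x72"},
    {"proto": "tcp", "sensor_port": 80, "received": b"GET /index.html HTTP/1.0\r\n\r\n"},
]

# action proto src sport direction dst dport (options)
HEADER = re.compile(r'^\w+\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(\S+)\s*\((.*)\)\s*$')

def split_options(body):
    """Split the option body on ';' while respecting quotes and backslash escapes."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    opts.append("".join(buf).strip())
    return [o for o in opts if o]

def decode_content(value):
    """Turn a content string with |hex| runs and backslash escapes into bytes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:                                  # odd parts sit between pipes: hex bytes
            out += bytes.fromhex(part)
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)

def parse_rules(text):
    """Parse msg, sid, content and nocase; every other option is ignored in this sketch."""
    rules = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:                                  # blank, comment or unsupported line
            continue
        rule = {"proto": m.group(1), "dport": m.group(2), "msg": "", "sid": 0, "contents": []}
        for opt in split_options(m.group(3)):
            key, _, val = opt.partition(":")
            key, val = key.strip(), val.strip()
            if key == "msg":
                rule["msg"] = val.strip('"')
            elif key == "sid":
                rule["sid"] = int(val)
            elif key == "content":
                if val.startswith("!"):            # negated match is not handled: drop rule
                    rule = None
                    break
                rule["contents"].append([decode_content(val[1:-1]), False])
            elif key == "nocase" and rule["contents"]:
                rule["contents"][-1][1] = True     # nocase modifies the preceding content
        if rule is not None:
            rules.append(rule)
    return rules

def annotate(event, rules):
    """Return (sid, msg) for each rule whose contents all occur in the event payload.
    Position modifiers, port ranges and port variables are not evaluated here."""
    data, hits = event["received"], []
    for r in rules:
        if r["proto"] not in ("ip", event["proto"]):
            continue
        if r["dport"] not in ("any", str(event["sensor_port"])):
            continue
        if r["contents"] and all(
            (p.lower() in data.lower()) if nocase else (p in data)
            for p, nocase in r["contents"]
        ):
            hits.append((r["sid"], r["msg"]))
    return hits
```

An event with no matching rule, such as the last constructed one, is still a logged honeypot hit; the rules only add a description to it.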

    Lab 8.2: Creative Wireless Attacks

    Instructor will now demonstrate creative wireless attacks.

    Lab 8.3: NirSoft Password & History Utilities

    This group is a series of individual software packages aimed at Password Recovery, History Recovery or Product Key Recovery.

    Because of the sensitive nature of the information obtained by these tools, please be careful and always have permission first before deploying these recovery tools.

    Product Information

    Source

    NirSoft

    Freeware

    www.nirsoft.net

    Where, When, Why

    Security: Password and History Recovery Utilities (multiple applications)

    Have you or any of your friends or family ever forgotten a password? Of course you have had this experience. Well, with these simple tools you can quickly find the passwords and get back to happy computing.

    Now, with this great power comes great responsibility as well. You need to use these tools for good and not for evil!

    You can recover passwords, history from IE and Cookies, as well as recover those pesky Microsoft Product Keys. Use ProduKey BEFORE you need to reinstall and you can be ready with those Office and XP keys; you'll be all ready to reinstall after a crash.

    WARNING: ALWAYS HAVE PERMISSION BEFORE USING ANY OF THESE RECOVERY UTILITIES

    IMPORTANT NOTE: Many of these utilities might trip your Anti-Virus alarms, not as a virus per se, but as a hacking tool.

    Some AV products will delete the offending files directly from your USB Stick. To replace them, copy the original files from the Student DVD to the appropriate location on your Ultimate USB stick \5 Security\Toolname\Tool

    Usage and Features

    - MessenPass - Recovery of instant messenger passwords
    - MailPassView - Recovery of popular e-mail client passwords
    - Protected Storage PassView - Recovery of all passwords and AutoComplete strings from Protected Storage
    - Dialupass - Recovery of VPN and Internet dialup connection passwords
    - Asterisk Logger - Reveal passwords hidden behind asterisk (******) characters in password boxes
    - SniffPass - Listen on the network for POP3, IMAP4, SMTP, FTP and HTTP passwords
    - Network Password Recovery - Recover network passwords stored by Windows XP
    - WirelessKeyView - View Wireless LAN WEP and WPA keys
    - IE PassView - View Internet Explorer passwords
    - IECookiesView - View and modify cookies stored on your computer
    - IEHistoryView - View and delete URLs you've visited in the last few days
    - WinUpdatesList - Display all the Windows updates on the target machine
    - ProduKey - Recover Microsoft Office/Windows Product CD-Keys

    Requirements / Dependencies

    Any Windows operating system

    Where to Go for More Information

    www.nirsoft.net

    This is the manual way of running these tools; in the next lab we will use an Attack Stick to automate the process.

    What you will do in this lab:

    Run through a series of hands-on lab exercises testing a variety of password and history recovery utilities.

    As a penetration test showing what information is vulnerable

    Lab Part 1 - MessenPass

    Step 1. Launch MessenPass.

    Did it find any of your Instant Messenger accounts and passwords? _______

    Step 2. Try exporting an HTML file of the results.

    Lab Part 2 - MailPassView

    Step 1. Launch MailPassView.

    Did it find any of your Mail accounts and passwords? ________

    Step 2. You can export an HTML file of the results.

    Lab Part 3 - Protected Storage PassView

    Protected Storage PassView is a small utility to reveal the content of the "Protected Storage" registry key. This registry key contains the passwords stored on your computer by Internet Explorer, Outlook Express and MSN Explorer.

    The usage is trivial: once executed, Protected Storage PassView displays in its window all the passwords it's able to find, showing the resource name, the password type, the username (if available) and the password.

    The 'View' menu allows you to filter the main window content by displaying only certain types of passwords.

    Step 1. Launch Protected Storage PassView.

    Step 2. Note the wealth of information this quickly provides: web sites, passwords, etc. These items are clearly and easily available to anyone who has access to your computers!

    What was discovered on *your* computer? _____________________________

    How does this make you feel about the security of your private information?

    ____________________________________________________

    Step 3. Like the other NirSoft products, this too can export to an HTML file.

    Lab Part 4 - Asterisk Logger

    Step 1. Launch Asterisk Logger.

    Step 2. Open the window that contains the asterisk text-box you want to reveal. The password will be instantly revealed inside the password box, and in addition, a record containing the password and other information will be added to the main window of the Asterisk Logger utility.

    Step 3. After you reveal all the passwords you need, you can select the desired passwords in the main window of Asterisk Logger, and save them into a text or HTML file.

    Lab Part 5 - SniffPass

    Step 1. Launch SniffPass.

    Step 2. Click on File > Start Capture or click on the green arrow.

    Step 3. A Capture Options window opens. Highlight the adaptor you are using for packet captures and select either RAW Sockets or WinPcap Packet Capture Driver.

    Note: Choose RAW Sockets if you don't have WinPcap loaded already on your target machine.

    Step 4. Click OK.

    Step 5. Generate some traffic by using the browser to log in to a site where you must enter your name and password.

    Lab Part 6 - Network Password Recovery

    Step 1. Launch Network Password Recovery.

    Step 2. Did it find any of your Windows Network accounts and passwords? _______

    Step 3. You can export an HTML file of the results.

    Lab Part 7 - WirelessKeyView

    Step 1. Launch WirelessKeyView.

    Step 2. Did it find any of your Wireless accounts and passwords? ____________

    Note: The keys are shown in both HEX and ASCII values.

    Step 3. You can export an HTML file of the results.

    Lab Part 8 - IE PassView

    Step 1. Launch IE PassView.

    Step 2. Did it find any of your Internet Explorer accounts and passwords?

    Step 3. You can export an HTML file of the results.

    Lab Part 9 - IECookiesView - Internet Explorer Cookies Manager

    Step 1. Launch IECookiesView.

    Step 2. Look through the column headings by scrolling to the right.

    Step 3. You can export an HTML file of the results.

    Lab Part 10 - IEHistoryView

    Step 1. Launch IEHistoryView.

    Step 2. Did you know your surfing history was this easy to see?

    Step 3. Now, using the options in Microsoft IE, clear out your history and cache and try running this utility again. Did it clear your data?

    Lab Part 11 - WinUpdatesList

    Step 1. Launch WinUpdatesList.

    Step 2. How many times has the target machine been patched or updated by Microsoft for the Windows OS? _______

    Step 3. You can export an HTML file of the results.

    Lab Part 12 - ProduKey

    Step 1. Launch ProduKey.

    Step 2. Cut and paste these keys into a text file and save as part of your backup. When it's time to restore, you'll have your CD-Keys all ready to go.

    What you learned in this Lab:

    In this Lab you learned to use Password & History Recovery Utilities to:

    1. View all the different types of saved passwords and history files that are available to anyone with access to your computer

    2. These tools can all be run remotely if a hacker has control of your computer

    3. As an example in a penetration test, you can show the clients the vulnerabilities of their machines to anyone with these simple software utilities

    4. Your Anti-Virus software might have caught a few of these tools, but what about those the AV didn't catch?

    What you will do in this lab:

    Use the Attack Stick to run USB Switchblade on a target device to retrieve passwords, detailed information, etc.

    Lab Part 1 - Penetration Test Demonstration

    DO NOT USE THIS WITHOUT APPROPRIATE PERMISSIONS!

    Used in a penetration testing mode, this tool can scare unaware individuals by showing them the items on their computer that share their personal information. With only a few seconds, and physical access to a USB port, many pieces of personal information and history can be gathered.

    Use with Caution.

    Step 3. Insert Attack Stick in target computer. If Autorun does not launch, then you will need to launch USB SwitchBlade. Start the GO.BAT file in the \WIP\CMD\ directory or, at your USB drive prompt, type: \WIP\CMD\go.bat.

    Step 4. You might have tripped an Anti-Virus alarm by running this Attack. Try turning off Anti-Virus for a period of time.

    Step 5. When the attack is complete, remove the USB stick.

    Step 6. On a different computer (or the same as the target; it doesn't matter) retrieve the found information by opening the \WIP\DUMP folder and finding a folder with the name of the target computer. Inside you'll find a set of files containing massive amounts of personal information.

    Step 7. Please review each of these files.

    Step 8. Did you find passwords? For what programs? Did it find ALL passwords? Why or why not? _________________________________________________

    Step 9. There are other sets of tools that can use this same method for good and not for evil! Running scripts to update A/V packages, etc.

    IMPORTANT! Please delete the contents of the \win\dump folder before continuing; it contains private information!

    What you learned in this Lab:

    In this Lab you learned to use USB Switchblade to:

    Wow! Was it really that easy to find all that personal information?

    How am I going to protect myself and my computer from this type of attack in the future?

    What else might I do with this type of platform?