Penetration Testing is
the Art of the Manipulation
Attack & Defense
Author:
JongWon Kim
Table of Contents
Penetration Testing is the Art of the Manipulation ... 1
Table of Contents ... 2
About Me ... 3
Planning the Attack ... 5
Staging the Attack (1): WEB Server ... 5
- Stage 1. Reconnaissance ... 5
- Stage 2. Information Gathering ... 6
- Stage 3. Target Exploitation ... 8
- Stage 4. Privilege Escalation ... 11
- Stage 5. Maintaining Access ... 18
Staging the Attack (2): DNS Server ... 25
- Stage 1. Information Gathering ... 25
- Stage 2. Post Exploit (Pivot) ... 28
Staging the Forensic ... 35
- Stage 1. Web Shell Detection ... 35
- Stage 2. Log Analysis ... 40
- Stage 3. Volatility ... 44
Staging the Defense: Code Level ... 47
Summary ... 50
Reference ... 51
About Me
Name: JongWon Kim
Blog: http://dikien2012.blogspot.com
LinkedIn: http://kr.linkedin.com/pub/jongwon-kim/45/a40/b07/en
Twitter: @dikien2012
My Experience:
Period | Working Experience | Personal Experience
2011.08 | Working as a Math Teacher | C, Linux, CCNA
2011.09 | | Windows 2008 Server, Perl
2011.10 | | Reversing
2011.11 | L2, L3, L4, Firewall Configuration | WIFI Hacking (SWSE)
2011.12 | | System Hacking (SMFE)
2012.01~02 | | Exploit Code Study using ROP
2012.04~09 | Privacy Information Protection Law, Security Solution Operation (IPS, WAF, and DB Access Control) | WEB Hacking, Database Security
Technical Skills:
Experience in black and white box penetration testing to identify system vulnerabilities and test security controls in firewalls, routers, IDS and IPS, and various types of servers, including Windows and UNIX web, mail, FTP, DNS, domain controllers and applications hosted internally
Strong web application assessment experience, such as SQL injection, cross-site scripting, cookie manipulation, and buffer overflows
Vulnerability detection and remediation
Familiarity with penetration testing tools such as BackTrack and Metasploit, and with vulnerability scanning tools such as Pangolin, Wireshark, Nexpose, nmap, Acunetix and AppScan
Familiarity with the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP)
Conduct onsite and remote social engineering testing including persuasion, phishing, mock websites, and telephone contact
Experience in evasion techniques to bypass firewalls and intrusion detection
Knowledge of security tools such as IPS, WAF and database monitoring
Ability to conduct source code reviews in PHP
Familiarity with Python scripting
Familiarity with Windows, Solaris, and AIX
Familiarity with XML, SOAP, JSON, Ajax and HTML5
Network switching and routing (Cisco)
Knowledge of TCP and IP protocols, networking architectures and wireless LAN security, including 802.11 standards
Consulting Skills:
Independence: Self-Managed and Motivated
Team Oriented
Formal policy and procedure documents
Public Speaking
Technical Writing
Planning the Attack
After 2100 years, human beings put a micro chipset into their brains to get smarter. As in all ages, disaster occurs. Some bad guys develop an exploit to manipulate humans. Computer malware is still big trouble, and human zombies are created. I am trying to prevent an even worse tragedy by analyzing the malware. However, the trouble is that the malware is protected by some anti-reversing key. I got a letter from an anonymous sender. It said that the anti-reversing code and the human botnet lists are in NASA's database. At the end of the letter was written "aliens/toor". Let's explore!
A list of Attack Directives is the following:
1) Compromise as much of NASA's network as possible
2) Extract data to find out the anti-reversing key and the list of Human Zombies
3) Pivot through its network
Staging the Attack
Mission 1. Attack WEB Server
Stage 1. Reconnaissance
Scenario:
- Ping the host and get the IP address
- Use whatweb to figure out more information from the response
- I skipped DNS brute forcing since the target is a virtual host
Attack Detail
Ping the host and get the IP address.
[Figure 1. Ping the host]
From the whatweb response we can figure out the PHP version, HTTP server, country, admin e-mail, and operating system. It shows more information if you type "-v a=4".
[Figure 2. whatweb]
Stage 2. Information Gathering
Scenario:
- Use nmap to find the services and OS running on the server
- Use Nexpose to get more specific information
- Use w3af to figure out what the web vulnerabilities are
Attack Detail
The -sV and -O options of nmap give you version and OS information.
[Figure 3. Services from nmap]
[Figure 4. OS from nmap]
The Nexpose results show me 58 vulnerabilities; "default SSH password is toor" is one of the critical ones. You can also use Nessus and compare the two sets of results to reduce false positives and false negatives.
[Figure 5. More details from Nexpose]
There are many w3af plugins, but I use only the audit option to save time.
[Figure 6. w3af: Plugin Setting]
There are XSS, command injection, SQL injection, and LFI vulnerabilities. On top of that, there is an upload vulnerability, but w3af could not find it. I will use the blind SQL injection vulnerability to breach the database in Stage 3.
[Figure 7. w3af: results]
Stage 3. Target Exploitation
Scenario:
- Use sqlmap to breach the database (the target is the attack_2 payload)
- Use hashcat to crack the hashes
Attack Detail
Let's find out the current database user, database name, and password. sqlmap was able to get the user and the database name but not the password: the current user is general@% and the database name is members. Since the general user's password did not turn up, I will use another tactic to get it later.
[Figure 8. sqlmap: current database user and name]
The members database has four tables: message, sessions, topics, and users. I guess that users holds user IDs and passwords, and that sessions plays a similar role for authorization.
[Figure 9. sqlmap: members database]
As I expected, there is user-related information in the members database. I am curious about the message table. What are the messages? Let's dig into it.
[Figure 10. sqlmap: message table in the members database]
Let's dump the message table of the members database. There are two hash values. They look like hints for getting the human botnet list and the anti-reversing key.
[Figure 11. sqlmap: hash values in the message table]
Let's crack them with hashcat. The hashes resolve to "secret" and "checkout". I guess that secret means a database name. However, there is a big problem: sqlmap does not show me a table named secret. This means one of two possibilities. First, there is no secret table. Second, the user named "general" has no privilege to look into it. I bet on the second one, and it is time for privilege escalation to check.
[Figure 12. hashcat: cipher text : clear text]
[Figure 12. Hashcat: cipher text : clear text]
Stage 4. Privilege Escalation
Scenario:
- Use fimap to spawn a shell
- Use Expect to get a TTY
- Make an upload page with the MySQL dumpfile option
- Upload a webshell
Attack Detail
Use fimap to figure out which parameters have RFI and LFI vulnerabilities.
[Figure 13. fimap: vulnerable parameters]
The -x option exploits the target based on the output above. Choose [1] to exploit "www.nasa.com". Choose [1] to take advantage of the 'rfi' parameter. I will use pentestmonkey's reverse shell. Choose [2] and enter my IP address and port so that it connects back to my BackTrack.
[Figure 14. fimap: reverse shell]
Netcat is listening on port 1000 for the reverse shell.
[Figure 15. Netcat: waiting for a shell]
I got a shell and checked that my id is www-data, but the problem is that it communicates in clear text, so an IPS can detect it. Let's reduce this possibility with the AES HTTP shell below.
[Figure 16. Reverse shell: id]
[Figure 17. Wireshark: not cipher text]
"su" and "ssh" did not work properly. Those two commands are necessary for post exploitation. Let's solve the problem with a magic shell.
[Figure 18. Message: must be run from a terminal]
Time to try "aliens/toor" from the letter. With the magic shell, I can use the su and ssh commands.
[Figure 19. Magic shell]
Check the kernel version with "uname -a" to get root privilege. Download the local exploit source from exploit-db and compile it.
[Figure 20. Download local exploit code]
Execute it, and I finally get a root shell. I change the shell from "/bin/sh" to "/bin/bash" for convenience.
[Figure 21. Privilege escalation success]
[Figure 22. Change the shell to bash]
There is a suspicious folder named treasure. The real treasure is in there: the database password. But I am not sure that this user has super privilege.
[Figure 23. Password for database]
Below is the job of making a web page to upload the webshell. I create two tables.
[Figure 24. Make two tables]
Insert some values into each table and save them to "/var/www/upload/".
[Figure 25. Create "form.php"]
[Figure 26. Create "upload.php"]
Choose the file you would like to upload, upload it, and move it to "/var/www/upload/".
[Figure 27. Choose "r57shell.php"]
[Figure 28. Move the file into the webroot]
Stage 5. Maintaining Access
Scenario:
- Use weevely to make a backdoor protected with a password
- Brute force attack to get an FTP credential with Metasploit
- Traffic obfuscation: AES HTTP reverse shell
Attack Detail
The backdoor was created, identified by password=complexpassword.
[Figure 29. Make a backdoor]
Use Metasploit for the brute force attack and get an ID and password.
[Figure 30. Make a backdoor]
Upload the backdoor with FTP.
[Figure 31. Upload the backdoor]
I don't need the r57shell, upload.php and form.php files anymore since the backdoor was uploaded successfully.
[Figure 32. Remove unnecessary files]
Change the permissions so that the www-data user can read the backdoor.
[Figure 33. Change the permissions]
Connect to the backdoor and check out the post exploit modules.
[Figure 34. weevely: post exploit modules]
Enumerate readable web config files using the module ":audit.user_files auto=web". Extract credentials from a readable file and log in to the database with those credentials. Since I have already done this process, I leave it to the reader. Let's look around the internal network and check whether there is another server. I will exploit 192.168.100.40 in Mission 2.
[Figure 35. weevely: Explore internal network]
Find a writable system script to replace with a malicious script. First, enumerate writable user files using the module. Second, upload the malicious script, replacing the system file.
[Figure 36. weevely: Upload a malicious script]
If the above process is too laborious, Intersect 2.5 (a post exploit module) is also a very nice choice. It includes many awesome features such as backdoors, credential collection, internal network enumeration, a variety of shells, etc. Select the modules you want and create the script with ":create".
[Figure 37. Intersect: Setting modules]
[Figure 38. Intersect: backdoor file]
Compare a normal shell and the AES HTTP reverse shell. Until now I have used pentestmonkey's reverse shell and weevely's backdoor. Since these two shells do not communicate in cipher text, I use the AES HTTP reverse shell, which does.
[Figure 39. fimap: Server setting]
[Figure 40. fimap: Server Start]
[Figure 41. AES HTTP Reverse shell communicates with cipher text]
Upload another webshell to test whether this shell works properly. Upload an .htaccess to bypass the server-side script's extension whitelist.
[Figure 42. Upload .htaccess]
Upload another webshell named "c99-bl_hongrae.txt". The server treats the ".txt" extension as ".php" because of the ".htaccess".
[Figure 43. Upload "c99-bl_hongrae.txt"]
Check whether the webshell with the ".txt" extension works. It works very well.
[Figure 44. Upload "c99-bl_hongrae.txt"]
192.168.100.40 is alive on the internal network. Let's attack this one.
Mission 2. Attack DNS Server
Stage 1. Information Gathering
Scenario:
- Make a payload that communicates with Metasploit
- Upload the payload and pivot to 192.168.100.40 with that session
- SSH enumeration and brute force
Attack Detail
Make a custom payload and wait for it to connect back on port 1337.
[Figure 45. Make a payload]
[Figure 46. Waiting for a session]
Upload the payload with FTP and give it permission to execute.
[Figure 47. Upload a payload]
[Figure 48. Change the permission]
[Figure 49. Connecting a Session]
First, enumerate the SSH version. It shows SSH-2.0 running on SunOS.
[Figure 50. Enumerate a banner]
Second, brute force with a known password file.
[Figure 51. Brute force]
Third, connect to it; it shows that the server is for DNS.
[Figure 52. SSH Connection]
Stage 2. Post Exploit
Scenario:
- Manipulate the forward zone file
- As before, pivot to 192.168.100.40 through the compromised web server
- Get the Human Botnet list and the Anti-Reversing Key
- Destroy the machine
Attack Detail
Change the company's main homepage IP address to my IP address.
[Figure 53. Pollute forward zone file]
Set up the compromised web server to attack victims, using the CVE-2012-1889 vulnerability with Metasploit.
[Figure 54. Metasploit: CVE-2012-1889]
As soon as clients try to connect to the company's website, they are in big trouble. Even if clients have an anti-virus solution, it is useless since the exploit migrates very fast.
[Figure 55. Antivirus is so slow]
Regardless of the anti-virus solution, a session was created and works well.
[Figure 56. Metasploit: sessions]
Collect information from the compromised desktop.
[Figure 57. Metasploit: Collecting *.inc]
"db.inc" looks interesting, so I open it. It has the password I am looking for. I am sure this machine belongs to the database administrator.
[Figure 58. Metasploit: found database password]
Check the server name and available tokens.
[Figure 59. Metasploit: UID and Tokens]
Check the hash dump and crack it with John.
[Figure 60. Metasploit: Hashdump]
[Figure 61. John: Crack the Hashdump]
Get more information with "run scraper".
[Figure 62. Metasploit: Getting more Information]
Make a persistent backdoor with "run metsvc -A" and check that it works properly.
[Figure 63. Metasploit: Making a backdoor]
[Figure 64. Metasploit: Backdoor is running]
Run VNC, and I find there is HeidiSQL for administration. I finally was able to get the secret table. It contains the human botnet list and the decoding key for reversing.
[Figure 65. Metasploit: VNC]
[Figure 66. VNC: Connecting to the secret table]
[Figure 67. VNC: Human Botnet List]
[Figure 68. VNC: Decoding Key]
After getting the information, I made up my mind to destroy that machine using a bat file.
[Figure 69. Bat file]
[Figure 70. Execute a bat file]
[Figure 71. Execute a bat file]
[Figure 72. Deleting system files]
After rebooting, the computer doesn't work properly.
[Figure 73. Booting Fail]
Staging the Forensic
Stage 1. Web Shell Detection
Scenario:
- First filter: web shell detectors (NeoPI & Emposha)
- Second filter: manual job with grep
- Manual job
Details
I use NeoPI to detect whether a web shell has been uploaded or not. These are NeoPI's basic options. The upload folders are "/tmp/" and "/var/www/upload/"; I will look into one of them. Let's look at "/var/www/" with "./neopi.py /var/www/ -a", where -a means it runs all tests. It shows you 5 different types of results.
[Figure 74. NeoPI: Entropy]
[Figure 75. NeoPI: Longestword]
[Figure 76. NeoPI: Signature]
[Figure 77. NeoPI: IC]
[Figure 78. NeoPI: Cumulative]
This time I use another web shell detector, named Emposha, to reduce false positives. Upload it to the webroot folder and execute it in the browser. In my opinion, NeoPI's performance is better than Emposha's.
[Figure 79. Emposha: Upload at webroot]
[Figure 80. Emposha: Result(1)]
[Figure 81. Emposha: Result(2)]
[Figure 82. Emposha: Result(3)]
[Figure 83. Emposha: Result(4)]
[Figure 84. Emposha: Result(5)]
[Figure 85. Emposha: Result(5)]
[Figure 86. Emposha: Result(6)]
If you find one that is suspicious, you can test it manually with grep. I will choose one of the suspicious files from the output above.
[Figure 86. Grep: Command]
[Figure 87. Grep: Evidence(1)]
[Figure 88. Grep: Evidence(2)]
Below are dangerous functions. They can be used as grep patterns.
PHP: require(), include(), eval(), exec(), passthru(), system(), fopen(), etc.
Python: exec(), eval(), execfile(), compile(), input()
Perl: open(), sysopen(), glob(), system()
C: system(), exec(), strcpy(), strcat(), sprintf()
Java: system.* (system.runtime)
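The two filters above (a statistical pass with NeoPI, then grep for the dangerous functions) can be combined in one small script. The Python below is an added example, not NeoPI's, Emposha's or the author's code: it computes NeoPI-style entropy and longest-word figures for every script under a web root, counts calls to the PHP functions in the list above (plus shell_exec, base64_decode and assert, which I add because web shells commonly use them), and ranks the files for manual review. The two sample files and the thresholds are constructed for the example; .txt is scanned as well because, as shown in Stage 5, an .htaccess can make the server execute .txt as PHP.

```python
import base64
import math
import os
import re
import tempfile
from collections import Counter

# Signature list: the PHP functions from the grep list above, plus
# shell_exec, base64_decode and assert, which I add (assumption) because web
# shells commonly pair them with eval(). A hit is a lead, not proof.
DANGEROUS_FUNCTIONS = (
    "require", "include", "eval", "exec", "passthru", "system", "fopen",
    "shell_exec", "base64_decode", "assert",
)
SIGNATURE_RE = re.compile(r"\b(" + "|".join(DANGEROUS_FUNCTIONS) + r")\s*\(", re.I)

# Thresholds are my own rough cut-offs for the example, not NeoPI's.
ENTROPY_THRESHOLD = 5.5       # bits per byte; plain PHP source sits well below this
LONGEST_WORD_THRESHOLD = 100  # a whitespace-free run this long is usually an encoded blob
SIGNATURE_THRESHOLD = 2       # two or more dangerous calls in one file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, as in NeoPI's entropy test: 0.0 for a constant byte
    stream, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def longest_word(text: str) -> int:
    """Length of the longest whitespace-delimited token (NeoPI's longestword test)."""
    return max((len(tok) for tok in re.split(r"\s+", text)), default=0)


def signature_hits(text: str) -> Counter:
    """Count calls to the dangerous functions, keyed by lower-cased name."""
    return Counter(m.group(1).lower() for m in SIGNATURE_RE.finditer(text))


def score_file(path: str) -> dict:
    """Run all three tests on one file; 'score' orders the review queue."""
    with open(path, "rb") as fh:
        raw = fh.read()
    text = raw.decode("utf-8", errors="replace")
    hits = signature_hits(text)
    entropy = shannon_entropy(raw)
    longest = longest_word(text)
    trips = [sum(hits.values()) >= SIGNATURE_THRESHOLD,
             entropy > ENTROPY_THRESHOLD,
             longest > LONGEST_WORD_THRESHOLD]
    return {
        "path": path, "entropy": entropy, "longest_word": longest,
        "signatures": dict(hits),
        "score": sum(hits.values()) + sum(trips[1:]),
        "suspicious": any(trips),
    }


def scan_directory(root: str, extensions=(".php", ".phtml", ".inc", ".txt")) -> list:
    """Walk root the way './neopi.py /var/www/ -a' does and return the files
    ordered by descending score. .txt is included because an .htaccess can
    make the server execute it as PHP (see Stage 5)."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                results.append(score_file(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed samples (not files from the page): a benign contact-form handler
# and a web-shell-like file whose encoded payload is a placeholder blob.
BENIGN_PHP = (
    "<?php\n// Contact form handler\n"
    "$name = htmlspecialchars($_POST['name']);\n"
    "echo 'Hello, ' . $name;\n?>\n"
)
ENCODED_PLACEHOLDER = base64.b64encode(bytes(range(256)) * 2).decode()
WEBSHELL_TXT = (
    "<?php\n$c = $_REQUEST['cmd'];\n"
    f"eval(base64_decode('{ENCODED_PLACEHOLDER}'));\n"
    "system($c); passthru($c);\n?>\n"
)


def build_sample_webroot() -> str:
    """Write the two samples into a temporary web root and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "upload"))
    with open(os.path.join(root, "contact.php"), "w") as fh:
        fh.write(BENIGN_PHP)
    with open(os.path.join(root, "upload", "c99-sample.txt"), "w") as fh:
        fh.write(WEBSHELL_TXT)
    return root


if __name__ == "__main__":
    for r in scan_directory(build_sample_webroot()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} score={r['score']} entropy={r['entropy']:.2f} "
              f"longest={r['longest_word']} sigs={r['signatures']} {r['path']}")
```

Run it as-is to scan the constructed samples, or call scan_directory("/var/www/") on a real web root; the ranked list is the queue to work through with grep, which is exactly the second filter above.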
Stage 2. Log Analysis
Scenario:
- Collecting log files
- Analysis
Details
Analyze utmp with a utmp parser. If the user logs out, the entry is wiped out. wtmp, lastlog, secure, xferlog, sulog, ~/.history, access_log, error_log and other logs can be analyzed similarly.
[Figure 89. utmp Analysis(1)]
[Figure 90. utmp Analysis(2)]
There is a backdoor, and someone tried to use CVE-2012-2122 to bypass authentication.
[Figure 91. Bash_History Analysis]
Something was injected into a local directory, and judging from the "flush privileges" statement there will be a suspicious user.
[Figure 92. MySQL_History Analysis]
[Figure 92. Apache2 Log Analysis(1): SQL Injection]
[Figure 93. Apache2 Log Analysis(2): WebShell]
[Figure 94. Apache2 Log Analysis(3): Directory Traversal]
[Figure 95. Permission Analysis(1): User]
[Figure 96. Permission Analysis(2): Group]
[Figure 97. Log Analysis: Passwd]
[Figure 98. Log Analysis: Service]
[Figure 99. Log Analysis: Hidden files]
On top of that, the following commands are also worthwhile: "cat /etc/crontab", "ls /etc/cron.daily/", "cat /etc/login.defs | grep -v '#'", "cat /etc/profile | grep umask", "rpcinfo -p", "ps -ef | grep rpc", "ps -aux | grep ftp", "ls -ltrR /var/spool/cron", and "crontab -l".
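The Apache access_log checks in Figures 92 to 94 (SQL injection, web shell requests, directory traversal) can be automated. The Python below is an added example, not the author's tooling: it parses combined-format log lines, URL-decodes the request twice so that encoded payloads such as %2F or %252e become visible, and labels each request. The log lines and the detection patterns are constructed for the example and are a starting set, not a complete rule base.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache combined log format; the group names are my own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Detection patterns: a starting set (assumption), matched against the
# URL-decoded request so that %20UNION%20SELECT and ..%2F are visible.
SQLI_RE = re.compile(
    r"(union\s+select|information_schema|sleep\s*\(|benchmark\s*\(|"
    r"load_file\s*\(|into\s+(?:out|dump)file|'\s*(?:or|and)\s+[^=]+=)",
    re.I,
)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd)", re.I)
SHELL_PARAMS = {"cmd", "command", "exec", "shell", "c"}  # r57/c99-style command parameters
UPLOAD_DIRS = ("/upload/",)  # the upload folder used on the server in this paper


def decode_twice(s: str) -> str:
    """Undo single and double URL encoding (e.g. %252e%252e -> ..)."""
    return unquote_plus(unquote_plus(s))


def parse_line(line: str):
    """Parse one access_log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = decode_twice(parts.path)
    entry["query"] = decode_twice(parts.query)
    entry["params"] = parse_qs(entry["query"], keep_blank_values=True)
    return entry


def classify(entry: dict) -> list:
    """Return the labels that apply to one parsed request."""
    labels = []
    decoded = entry["path"] + "?" + entry["query"]
    if SQLI_RE.search(decoded):
        labels.append("sqli")
    if TRAVERSAL_RE.search(decoded):
        labels.append("traversal")
    in_upload = entry["path"].startswith(UPLOAD_DIRS)
    command_param = bool(SHELL_PARAMS & set(entry["params"]))
    # A command parameter sent to a file in the upload folder, or any request
    # for .htaccess, is treated as web shell activity.
    if (in_upload and command_param) or entry["path"].endswith("/.htaccess"):
        labels.append("webshell")
    return labels


def analyze(lines) -> list:
    """Return only the flagged requests, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        labels = classify(entry)
        if labels:
            findings.append({"ip": entry["ip"], "time": entry["time"],
                             "status": entry["status"],
                             "request": entry["target"], "labels": labels})
    return findings


def offenders(findings) -> Counter:
    """Flagged requests per source IP, to see who to look at first."""
    return Counter(f["ip"] for f in findings)


# Constructed log lines modelled on the events in this paper (not real logs).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2012:13:55:36 +0900] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2012:13:57:01 +0900] "GET /index.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 200 2048 "-" "sqlmap/1.0"',
    '10.0.0.9 - - [10/Oct/2012:13:58:10 +0900] "GET /index.php?id=1\'%20AND%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "sqlmap/1.0"',
    '10.0.0.9 - - [10/Oct/2012:14:02:44 +0900] "GET /upload/c99-sample.txt?cmd=id HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2012:14:03:12 +0900] "POST /upload/upload.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2012:14:05:50 +0900] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1803 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2012:14:07:02 +0900] "GET /upload/.htaccess HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG_LINES)
    for f in hits:
        print(f"{f['ip']:10} {','.join(f['labels']):18} {f['request']}")
    print("per source:", dict(offenders(hits)))
```

Feed it a real file with analyze(open("/var/log/apache2/access.log")) and pivot on offenders() to pick the IP whose timeline to reconstruct next; the same decoded request string is what you would grep for in the figures above.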
Stage 3. Volatility
Details
Sorry for the missing original memory dump from the DBA [figure- ]. Maintaining the evidence is essential for forensics. However, I forgot to dump the memory when I destroyed the DBA's machine. I will just show how to extract a memory image and the basic analysis commands.
[Figure 100. Moonsol: Dump the memory to protect the evidence(1)]
[Figure 101. Moonsol: Dump the memory to protect the evidence(2)]
[Figure 102. Volatility: Prepare]
[Figure 103. Volatility: cmdscan]
[Figure 104. Volatility: connscan]
[Figure 105. Volatility: getsids]
[Figure 106. Volatility: pstree]
[Figure 107. Volatility: svcscan]
Staging the Defense
I referenced "Essential PHP Security" and "Pro PHP Security" for secure coding. I wrote two pages: index.php, the vulnerable page, and indexs.php, the more secure page. I have learned that validating user input is an extremely important step before it goes into a database query. For file uploads, checking against a whitelist is much better than a blacklist. I used internal functions, regular expressions and type conversion to secure the code. Also, I used whitelist checking as much as possible. In particular, restricting the length of input values to prevent SQL injection is a nice idea. I did not apply a secure token, but it would be better if I had.
[Figure 108. Secure Coding: String Type SQL Injection = Escape Data + Length Restriction]
[Figure 109. Secure Coding: Directory Traversal]
[Figure 110. Secure Coding: Checking based on White List(1)]
[Figure 111. Secure Coding: Checking based on White List(2)]
[Figure 112. Secure Coding: Checking based on White List(3)]
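index.php and indexs.php are shown only as figures, so as an added example (not the author's PHP) here is the same set of defenses written in Python: type conversion for numeric ids, a regex whitelist with a length restriction for usernames, a fixed page map so a traversal string never reaches the filesystem, an upload check that whitelists extensions, verifies the content's magic bytes and rejects dotfiles such as .htaccess and double extensions, and a parameterised query contrasted with string concatenation. ALLOWED_PAGES, ALLOWED_UPLOADS and the in-memory users table are constructed for the example.

```python
import os
import re
import sqlite3

# Whitelists chosen for the example (assumption), not the page's exact rules.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html", "contact": "contact.html"}
ALLOWED_UPLOADS = {  # extension -> leading bytes the content must start with
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF",),
}
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")   # character whitelist + length restriction
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,40}")      # same idea for the stored filename


def validate_id(value: str) -> int:
    """Type conversion: only a short decimal string becomes an int, so
    '1 UNION SELECT ...' never reaches the query."""
    if not re.fullmatch(r"\d{1,10}", value):
        raise ValueError("id must be a short decimal number")
    return int(value)


def validate_username(value: str) -> str:
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username: allowed characters are [A-Za-z0-9_], max 32")
    return value


def resolve_page(value: str) -> str:
    """Directory traversal defense: map a key to a fixed filename instead of
    opening whatever path the client sent."""
    if value not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    return ALLOWED_PAGES[value]


def validate_upload(client_filename: str, head: bytes) -> str:
    """Whitelist check for uploads: a single extension from the whitelist,
    content magic bytes that agree with it, no dotfiles (.htaccess), and a
    sanitised stem. Returns the name to store the file under."""
    name = os.path.basename(client_filename)
    if name.startswith(".") or name.count(".") != 1:
        raise ValueError("rejected: dotfile or multiple extensions")
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED_UPLOADS:
        raise ValueError(f"rejected: extension .{ext} not in whitelist")
    if not any(head.startswith(magic) for magic in ALLOWED_UPLOADS[ext]):
        raise ValueError("rejected: content does not match extension")
    if not STEM_RE.fullmatch(stem):
        raise ValueError("rejected: filename characters outside whitelist")
    return f"{stem.lower()}.{ext}"


def vulnerable_query(username: str) -> str:
    """The index.php style: raw input concatenated into SQL. Returned as a
    string only to show what an injected value turns the query into."""
    return f"SELECT id, username FROM users WHERE username = '{username}'"


def find_user(conn: sqlite3.Connection, username: str):
    """The indexs.php style: validated input and a parameterised query."""
    username = validate_username(username)
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchone()


def demo_connection() -> sqlite3.Connection:
    """Constructed in-memory users table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("general",), ("aliens",)])
    return conn


def rejects(func, *args) -> bool:
    """True when the validator raises ValueError for the given input."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = demo_connection()
    print("concatenated:", vulnerable_query("' OR '1'='1"))
    print("parameterised:", find_user(conn, "general"))
    print("injection rejected:", rejects(find_user, conn, "' OR '1'='1"))
    print("upload .htaccess rejected:", rejects(validate_upload, ".htaccess", b"AddType"))
    print("upload c99 .txt rejected:", rejects(validate_upload, "c99-bl_hongrae.txt", b"<?php"))
```

The upload check is the one that closes the .htaccess trick from Stage 5: the dotfile is refused outright, a .txt extension is not in the whitelist, and a PHP file renamed to .jpg fails the magic-byte comparison.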
Summary
"If the DNS server was compromised by a bad guy, what would happen?" I started to write this paper with that thought. Recent vulnerabilities in Java, Flash, and Windows, the so-called zero-day vulnerabilities, are a severe threat to us. Of course, I do not think there are companies that allow anonymous connections to their DNS server. I made this scenario to show as many attack types as possible. I hope that this paper will help secure your valuable assets. I used every web and database tool on BackTrack 5 R3. I compared the tools and tried to catch the strong point of each of them. My future work might be making a tool suited to me and concentrating on improving many advanced web hacking techniques. Thank you for reading my study. I always believe that my strong point is that I learn faster than my competitors.
Reference
1. Essential PHP Security by Chris Shiflett (Oct 20, 2005)
2. Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses (Expert's Voice in Open Source) by Chris Snyder, Thomas Myer and Michael Southwell (Dec 9, 2010)
3. Database Security by 조은백 (Feb 11, 2011)
4. HTML5 & CSS3 Practical Techniques by 조승한, 안종일 (Mar 5, 2012)
5. Python, PHP, HTML5, AJAX, jQuery online study
6. RFI defense: input validation PHP code summary
7. InfoSec Resources: PT Example
8. Protocol-Level Evasion of Web Application Firewalls | Qualys Security Labs | Qualys Community
9. RFI DDoS botnet analysis
10. [System Hacking] Linux Setuid :: Naver Blog
11. [System Hacking] How to find and hide Linux backdoors :: Naver Blog
12. Meterpreter_cheat_sheet_v0.1.pdf
13. Post-Exploitation Without A TTY | pentestmonkey
14. Referencing vulnerable PHP code
15. Using .htaccess
16. Apache guide (highly recommended)
17. MySQL security settings (privileges)
18. 40 Beautiful Free HTML5 & CSS3 Templates
19. Online Hash Crack MD5 / LM / NTLM / SHA1 / MySQL5 / MySQL323 / MD4 / WPA / WPA2 - Passwords recovery - Reverse hash lookup Online - Hash Calculator
20. [Linux1] Day 20 - find, grep.. :: Naver Blog
21. Linux vsftp installation, configuration (root), file upload.. :: Naver Blog
22. contagio: CVE-2012-1889 Microsoft XML vulnerability - Samples and Analysis by Brian Mariani and Frédéric Bourla
23. John The Ripper Hash Formats | pentestmonkey
24. SkipfishDoc - skipfish - Project documentation - web application security scanner - Google Project Hosting
25. Wooks Home: PHP Injection
26. Backtrack 5 R3 Metasploit Post Modules (What To Do After You Compromise A System)
27. Python Backdoor - AES Encrypted Traffic
28. How to manage Apache access logs :: Naver Blog
29. grep commands and options :: Naver Blog
30. Metasploit: CVE-2012-2122: MySQL vulnerability, already patched
31. Solaris DNS
32. Fedora VSFTP upload
33. MySQL remote
34. SQL injection sample code + remote code execution
35. PHP - Security tips for MySQL developers .. :: Naver Blog
36. cyb3r sh3ll - Browse Files at SourceForge.net
37. XSS Trojan Using Evilweb Tool
38. msfpayload
39. su crack ssh brute force metasploit
40. Nmap Scripting Engine Introduction With Http-Enumeration
41. CVE-2012-2122: Serious MySQL Authentication Bypass Vulnerability | The Hacker News
42. Hackers magazine
43. ohdae/Intersect-2.5 · GitHub
44. msfconsole hacking ftp + backdoors - YouTube
45. SQL Injection/LFI/XSS Exploit Scanner + web shell Hunter - XCode - Yogyafree - YouTube
46. Weevely 0.6 Tutorial - bruteforce and SQL pwnage - YouTube
47. CVE-2012-1889 - Microsoft XML Core Services Vulnerability Metasploit Demo - YouTube
48. sqlmap (EuroPython2011) - YouTube
49. FIMAP - AES HTTP Reverse Shell Plugin - YouTube
50. Backdoor: FIMAP - Local File Inclusion to Remote Code Execution - YouTube
51. SQLMap page tampering: injecting JS to run Shell of the Future
52. Information Security: Tutorial: How to scan exp... | SecurityStreet
53. Deface All Sites on Server Without Root - YouTube
54. Programming a Custom Backdoor in Python - YouTube
55. How SQL Injection Attacks Work (YouTube interview)
56. Mercury: system log analysis
57. Pragmatic Forensics: a quick utmp parser
58. Memory Acquisition Tools
59. MoonSols Windows Memory Toolkit | MoonSols
60. ToTo: cleanly wiping logs after hacking
61. Reversing & Malware Analysis Training Part 8 - Malware Memory Forensics - YouTube