PenetrationTestingLabor

Simulating a network for penetration testing and remote exploits.

Agenda

Time for all tests: 9 units
  • One unit will be used by Udo Payer for general information about penetration testing
  • We will build four stations (90 minutes per station) for testing:
    • Network
    • Microsoft Windows
    • Linux
    • General Penetration Testing (Computer Forensic, Metasploit, ADS-Files, System Identification)
  • Next meeting will be on 4.12.2009 with all members! By then all virtual machines must be ready; we will then put them on a separate share.
  • Demo show-case of Nagios in action, possibly provided by PreinChristian.

General Information

VM Basesystems

  • VirtualBox 3.01
  • VMware Workstation 7.0
Note: every system should be available on both base systems.

Scanning Testserver:

  • Virtual Linux Server from Michael (Note for Michael: X11 (Client#9))
  • One Windows XP Client with all installed and needed Tools from Christian

Network Layout

What layout will be chosen in each group? Will we have a similar setup, or is the maintainer of each station responsible for planning on his own?

Network (PreinChristian)

Cisco ASA used as Firewall

Cisco ASA with enabled SSL VPN: system identification

  • Title: CISCO ASA SSL VPN Detection
  • Synopsis: The remote host is a Cisco Adaptive Security Appliance (ASA) running an SSL VPN server
  • Nessus ID: 42796

Cisco ASA with enabled SSL VPN: "DoS" attack

  • Title: Infinite HTTP request
  • Risk Rating: High
  • Family: Denial of Service
  • Short Summary: Infinite HTTP request kills the web server
  • Synopsis: The remote web server is vulnerable to the 'infinite request' attack.
  • Description: It was possible to kill the web server by sending an invalid 'infinite' HTTP request that never ends, like:
      GET / HTTP/1.0
      Referer: XXXXXXXXXXXXXXXXXXXXXXXX
      ...
    A cracker may exploit this vulnerability to make your web server crash continually (if the attack saturates virtual memory on the target) or even execute arbitrary code on your system (in case of buffer / heap overflow).
  • BID: 2465
  • Nessus ID: 11084

Microsoft Windows (LatzkaFelix, PangerlChristoph)

Microsoft Windows 7

  • One Windows 7 RC without any Service Packs and/or Patches (Done). Download: smb-dos.py.txt

Microsoft Windows 2000 Professional

  • One Windows 2000 Workstation without any Service Packs and/or Patches (Done)
  • One Windows 2000 Workstation with SP4 and all Patches (Done)

Windows XP Professional

  • One Windows XP Professional without any Service Packs and/or Patches
  • One Windows XP Professional with SP 1
  • One Windows XP Professional with SP 2
  • One Windows XP Professional with SP 3 and all Patches

Microsoft Windows NT 4.0 Workstation

  • One Windows NT 4.0 Workstation without any Service Pack and/or Patches (Done)
  • One Windows NT 4.0 Workstation with SP6 and all Patches (Done)

Linux (FladischerMichael)

Required software for the participants (assuming Windows):
  • PuTTY
  • Xming

Guardian (Done)

This host is set up with the latest stable release of Debian (Lenny) running on the amd64 architecture. Its purpose is to monitor traffic on interfaces through Snort. It may additionally serve as an OpenVAS/Nessus server later on. Running services:
  • Snort
  • Apache
  • MySQL
  • SSH

Failjail (TODO)

Set up using Debian Potato on i386.
  • Directory traversal through insecure Perl or PHP script on Apache targeting /etc/passwd and /etc/shadow. This should open the possibility to attack password hashes stored there.

Web (KlemencicOliver)

Tools

SQL Injection

  • User input is EVIL -> validate all user input: form fields, cookies, query strings, ... (anything that comes from the user)
  • Most popular attack: SQL injection. Countermeasures per platform:
    • Java: parameterized queries
    • .NET: ADO.NET Parameters
    • PHP: escaping

// PHP: escape the user-supplied value before it is spliced into the SQL string
$query = "SELECT column1 FROM table WHERE column2 = '" . mysql_real_escape_string($_POST['column2value']) . "'";
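To make the difference between the three countermeasures concrete, here is an added example (not from the original wiki page) that runs the string-built query the page warns about side by side with the parameterized form it recommends for Java and .NET, against an in-memory SQLite table with constructed sample rows. Table and column names are assumptions.

```python
"""String-concatenated login query versus a parameterized one (added example).
Uses SQLite in memory so it runs offline; the rows below are constructed."""
import sqlite3

# Constructed sample data: two users with plaintext passwords (lab only).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create the in-memory table and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def login_vulnerable(con, name, password):
    """User input spliced straight into the SQL text: quote characters in the
    input become part of the statement, so the WHERE clause can be rewritten."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in con.execute(sql)]


def login_parameterized(con, name, password):
    """Placeholders keep code and data apart: the driver binds the values, and
    quote characters in the input are just characters compared against the column."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (name, password))]
```

With the classic `' OR '1'='1` password the vulnerable query returns every user, while the parameterized query returns nothing because no stored password equals that literal string.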

XSS (Cross-Site Scripting)

  • Goal of the attacker: inject code into web pages ("jumpcode")
  • The attacker cannot directly exploit the jumpcode for personal gain -> needs FORM input instead
  • Once the jumpcode is on the site: exploit (page hijacking, logging of sensitive information, ...)
  • Solution: encoding

CSRF (Cross-Site Request Forgery)

General Penetration Testing (PayerUdo)

Identifying Virtualization

How to find out if a host is running virtualized or not and how to identify the virtualization system (e.g. VMware, VirtualBox, ...).
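As an added example for this station (not part of the original page), the script below fingerprints the local host from three independent signals a guest usually cannot hide: the CPUID 'hypervisor' flag as exposed in /proc/cpuinfo, the DMI vendor/product strings, and the registered MAC OUI prefixes of the hypervisor vendors. The file paths are Linux-specific assumptions; classify() is pure so it can be exercised with constructed input.

```python
"""Virtualization fingerprinting from three local signals (added example):
CPUID hypervisor flag, DMI vendor/product strings, and MAC OUI prefixes.
Paths are Linux-specific; classify() works on constructed input as well."""
import os
import re
from pathlib import Path

# OUI prefixes registered to hypervisor vendors (lower-case, colon form).
MAC_OUIS = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "00:16:3e": "Xen",
    "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM",
}
# Substrings seen in DMI sys_vendor / product_name on the common platforms.
# Hyper-V reports vendor "Microsoft Corporation" and product "Virtual Machine".
DMI_MARKERS = [
    ("vmware", "VMware"), ("innotek", "VirtualBox"), ("virtualbox", "VirtualBox"),
    ("xen", "Xen"), ("virtual machine", "Hyper-V"), ("qemu", "QEMU/KVM"),
    ("kvm", "QEMU/KVM"),
]


def classify(cpuinfo, dmi_strings, macs):
    """Combine the signals; report the product and the evidence that fired."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo, re.MULTILINE)
    hv_flag = bool(m and "hypervisor" in m.group(1).split())
    product = None
    for text in dmi_strings:
        low = text.lower()
        product = product or next((name for mark, name in DMI_MARKERS if mark in low), None)
    mac_hits = [MAC_OUIS[a] for a in (x.lower()[:8] for x in macs) if a in MAC_OUIS]
    if product is None and mac_hits:
        product = mac_hits[0]
    return {"virtual": hv_flag or product is not None, "product": product,
            "cpuid_hypervisor": hv_flag, "mac_hits": mac_hits}


def read_local():
    """Collect the signals from this host; unreadable files read as empty."""
    def slurp(path):
        try:
            return Path(path).read_text()
        except OSError:
            return ""
    dmi = [slurp(f"/sys/class/dmi/id/{f}") for f in ("sys_vendor", "product_name")]
    ifaces = os.listdir("/sys/class/net") if os.path.isdir("/sys/class/net") else []
    macs = [slurp(f"/sys/class/net/{i}/address").strip() for i in ifaces]
    return classify(slurp("/proc/cpuinfo"), dmi, macs)
```

Run `read_local()` on a lab VM and on a physical host to compare; a bare-metal box with a Xeon CPU must not be flagged, which is why the DMI markers are whole product words rather than short fragments.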

Exploits

Just some possible targets for an attack.

| Name | Target | URL | Comment |
| Linux Kernel 2.6.x SCTP FWD Memory Corruption Remote Exploit | Linux Kernel | http://www.milw0rm.com/exploits/9403 | |
| ProFTP 2.9 (welcome message) Remote Buffer Overflow Exploit | ProFTP Server | http://www.milw0rm.com/exploits/9508 | |
| Geronimo Server Console Directory Traversal | Geronimo J2EE | http://www.milw0rm.com/exploits/8458 | Run as root to get access to /etc/shadow. |
| Kaminsky DNS Cache Poisoning | BIND 9.4.1-9.4.2 | http://www.milw0rm.com/exploits/6122 | |
| clamav-milter Remote Root | Sendmail | http://www.milw0rm.com/exploits/4761 | Vulnerable versions are not mentioned. |
Topic revision: r18 - 05 Dec 2009 - 13:37:14 - KlemencicOliver