Advanced Enumeration
ACCESS LEVELS
There is always a risk any time an attacker can gain any type of access. In most attacks an attacker will not gain immediate root or administrator account access. Rather, it is very much a building-block type of process. Even with a low-level account, such as regular user account, it may be enough for the attacker to leverage this access to move up to a more privileged level. Defense in depth is the goal. This means using the security lab to learn how to build layers of defense. At each layer, you should place controls to slow, deter, delay, and prevent the attacker from getting anything!
Figure 5-10 BeatLM.
ScoopLM and BeatLM (www.securityfriday.com/tools/ScoopLM.html) were originally designed as two products that accomplish just such a task.
Their purpose is to sniff the network for Windows authentication traffic. Once this traffic is detected and captured, you can use ScoopLM’s built-in dictionary and brute-force cracker. Figure 5-10 shows an example of BeatLM. You might note that two authentication attempts were made. The first has NG in the results column, which indicates that authentication failed. However, note that the second attempt is listed as OK. This indicates the captured hash is valid. This hash is ready for either a brute-force or dictionary attack.
You are not limited to just capturing Windows authentications. Tools are also available that enable you to capture and crack Kerberos authentication.
Remember that the Kerberos protocol was developed to provide a secure means for mutual authentication between a client and server. It offers the ability for the organization to implement single sign-on (SSO). You should already have a good idea whether Kerberos is being used (because you most likely scanned port 88, the default port for Kerberos, in Chapter 4, ‘‘Detecting Live Systems,’’ when port scanning was performed).
KerbCrack, a tool from www.ntsecurity.nu, can be used to attack Kerberos.
It consists of two separate programs. The first portion is a sniffer that listens on port 88 for Kerberos logins; the second portion is used as a cracking program to launch a dictionary or brute-force attack on the password. Let’s turn our attention now to a more in-depth review of how password cracking works.
Exploiting a Vulnerability
You might be wondering how many vulnerabilities there are each year. If so, consider that for the last full year of statistics, which was 2006, there were a total of 7,247 vulnerabilities. This represented an increase of more than 39.5 percent from 2005. Vulnerabilities are typically reported as Common Vulnerabilities and Exposures (CVEs). CVEs are weaknesses or holes in your computers and other equipment that can be exploited by hackers. When a CVE is reported, it is cataloged and named by MITRE Corporation.
While MITRE is in the process of researching a candidate CVE, the company creates a name for the candidate. CVEs can be researched at http://nvd.nist.gov/home.cfm. An example of a CVE is shown here:
CVE-2007-6100
Summary: Cross-site scripting (XSS) vulnerability in libraries/auth/cookie.auth.lib.php in phpMyAdmin before 2.11.2.2, when logins are authenticated with the cookie auth type, allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter to index.php, a different vulnerability than CVE-2005-0992.
Published: 11/23/2007
Let’s look at how the vulnerability process might be used by the attacker.
1. The attacker enumerates a system to determine which services and versions are running. For this example, let’s suppose the attacker identifies the system as Red Hat Linux 6.1.
2. The attacker surfs the web for vulnerabilities for Red Hat Linux 6.1. He finds several, as listed in Figure 5-11. Note that there are reported vulnerabilities for race conditions and the programmable authentication module (PAM).
Figure 5-11 SecurityFocus vulnerability research.
Figure 5-12 Exploit code research.
3. With several vulnerabilities discovered, the attacker now searches the Web for exploit code. Figure 5-12 shows the result of this search. PacketStorm Security, www2.packetstormsecurity.org, returns several matches that might work against the vulnerable site.
4. The attacker downloads the code and launches it against the vulnerable target. If it is successful, the attacker has now gained access. If it is unsuccessful, the attacker renews his search and tries another exploit.
When the attacker exploits the vulnerability, he has most likely gained some level of access to the computer system. If the attacker has been able to gain access to a Windows system as a standard user, the next step is escalation of privilege. Whether this is necessary depends on the level of access provided by exploitation of the vulnerability. If the vulnerable service is already operating with privileged access, escalation is not needed.
Other ways that attackers gain access by means of exploit code include the following:
Tricking the user into executing the malicious program. Email is a common attack vector.
Copying it to the system and scheduling it to run at a predetermined time; for example, with the AT command.
Exploiting interactive access to the system; for example, with Terminal Server, PC Anywhere, or the like.
It’s important to realize that the exploit code used to gain access is limited by the type and version of software. As an example, exploits written for Windows NT typically won’t work against Linux systems, nor will they typically work against other versions of Windows. Therefore, these exploits only work for specific versions of the Windows OS. Microsoft does patch these vulnerabilities after they are publicized. A few examples of exploit code are listed here:
Billybastard.c — Windows 2003 and XP
Getad — Windows XP
ERunAs2X.exe — Windows 2000
PipeupAdmin — Windows 2000
GetAdmin — Windows NT 4.0
Sechole — Windows NT 4.0
Buffer Overflows
Buffer overflows are a common attack vector. For a buffer overflow attack to work, the target system has to have two vulnerabilities: a lack of boundary testing in the code, and a machine that executes the code resident in the data or stack segment. Once the stack is smashed, the attacker can deploy his or her payload and take control of the attacked system. Many of the vulnerabilities discovered and cataloged each year occur because of buffer overflows. For a buffer overflow attack to be successful, the objective is to overwrite some control information to change the flow of the control program. Smashing the stack is the most widespread type of buffer-overflow attack. One of the first in-depth papers ever written on this was by Aleph One, ‘‘Smashing the Stack for Fun and Profit.’’ It was originally published by Phrack magazine, and can be found at www.insecure.org/stf/smashstack.txt.
Buffer overflows occur when a program puts more data into a buffer than what it can hold. Buffers are used because of the need to hold data and variables while a program is running. When a program is executed, a specific amount of memory is assigned to each variable. The amount of memory reserved depends on the type of data the variable is expected to hold. The memory is set aside to hold those variables until the program needs them. These variables cannot just be placed anywhere in memory. There has to be some type of logical order. That function is accomplished by the stack. A typical program may have many stacks created and destroyed, because programs can have many subroutines. Each time a subroutine is created, a stack is created. When the subroutine is finished, a return pointer must tell the program how to return control back to the main program.
For the attacker to do anything more than crash the program, he must be able to precisely tweak the pointer. Here is why: If the attacker understands how the stack works and can precisely feed the function the right amount of data, he can get the function to do whatever he wants, such as opening a command shell. Tweaking the pointer is no small act. The attacker must precisely tune the type and amount of data that is fed to the function. The buffer will need to be loaded with the attacker’s code. This code can be used to run a command or execute a series of low-level instructions. As the code is loaded onto the stack, the attacker must also overwrite the location of the return pointer.
Stack smashing isn’t the only kind of buffer-overflow attack. There are also heap-based buffer overflows. A heap is a memory space that is dynamically allocated. Heap-based buffer overflows are different from stack-based buffer overflows, since the stack-based buffer overflow depends on overflowing a fixed-length buffer. The best defenses against buffer overflows include the following:
Auditing existing code to search for vulnerabilities
Using type-safe languages to prevent buffer overflows from becoming a problem
Using tools that can protect against buffer overflows or halt erratic activity
Analyzing the source code for strings declared as local variables in functions or methods, and verifying the presence of boundary checks
Checking for improper use of standard functions, such as input/output functions or string functions
Feeding the application with huge amounts of data and checking for abnormal behavior
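The two conditions described above (a fixed-length local buffer and no boundary test) are exactly what a source audit looks for. The following is an added example, not code from the book: a function that fills a local string buffer with an unchecked strcpy(), beside the bounded replacement an audit would require. The function names and the 16-byte buffer size are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* assumed size of the local buffer */

/* VULNERABLE PATTERN (the audit target): strcpy() copies until it sees a
 * NUL byte and never consults the size of 'name'. Input longer than 15
 * bytes overruns the local buffer into adjacent stack data, which is how
 * the saved return pointer discussed in the text gets overwritten. It is
 * called here only with input that fits. */
int greet_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);              /* no boundary test */
    return (int)strlen(name);
}

/* FIXED: establish the length within the buffer's bound first, refuse
 * anything that cannot fit together with its terminating NUL, and only
 * then copy an explicit number of bytes. Returns the stored length, or
 * -1 when the input was rejected. */
int greet_checked(const char *input)
{
    char name[NAME_LEN];
    /* memchr never reads past NAME_LEN bytes; a NULL result means the
     * string is at least NAME_LEN bytes long and would not fit. */
    const char *nul = memchr(input, '\0', NAME_LEN);
    if (nul == NULL)
        return -1;
    size_t len = (size_t)(nul - input);   /* len <= NAME_LEN - 1 here */
    memcpy(name, input, len + 1);         /* copies exactly len+1 bytes */
    return (int)len;
}

/* Constructed inputs: one that fits and one that would overrun 'name'. */
int main(void)
{
    const char *fits = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */
    printf("checked(\"%s\") = %d\n", fits, greet_checked(fits));
    printf("checked(40 x 'A') = %d\n", greet_checked(too_long));
    return 0;
}
```

The checked version also exercises the boundary itself: a 15-byte name is the longest that is accepted, and a 16-byte name is refused.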
IN THE LAB
There is a real risk any time that an attacker can get a password to a system.
During pen test exercises I have seen many times when a low-level user account has had the same password as a domain administrator. Many of us are guilty of reusing passwords. Good password practices and not using the same passwords on multiple accounts are a good start in reducing this vulnerability.
However, you must also understand how passwords are passed across the network. You can see this in action in your lab by downloading ScoopLM. It is available at www.securityfriday.com/tools/ScoopLM.html. After downloading and installing ScoopLM, start the program on your local Windows computer. While the program attempts to connect to a share on another system by providing a username and password, you should see this information populate the ScoopLM program. You can use the same program to attempt to crack the password or you can move it to another application, such as John the Ripper or Cain & Abel. Whichever password-cracking program you use, you will notice that weak passwords are recovered quite quickly.
Summary
The purpose of this chapter was to introduce you to the process of enumeration.
Enumeration is a critical step for the attacker as he is attempting to identify the services, protocols, and applications that are being used. Security professionals should enumerate their own networks to see what type of information is available. Just consider the fact that no attack occurs in a void. If the attacker wants to attack the network, he/she must first know what services, protocols, and applications are available.
Consider the attacker with the latest Windows 2003 buffer overflow or malware. The malware is useful only against a Windows 2003 system. This means the attacker must enumerate active systems and identify which one is running the vulnerable code. Enumeration is also useful to the attacker if it can be used to gather usernames or open shares. If the attacker can identify a local account that is also a domain administrator account, imagine his joy upon finding out that both the local and domain passwords are the same.
That is why services and protocols such as NetBIOS, SNMP, and others are of so much value to the attacker. Even when passwords cannot be guessed, just the username and certain (potentially identifiable) specific attributes about the user may provide sufficient information to launch a successful dictionary attack.
These are but a few of the reasons why security professionals must attempt to enumerate their own networks. The best place to practice these activities is in the lab environment. This chapter clearly identified the types of information that may be exposed in the real world. Security professionals should take heed and consider how to reduce the amount of information, prevent unauthorized enumeration, and mitigate attack vectors that may be exploited because of the inevitability of some enumeration. Although many find it easier to be reactive, true security requires a proactive approach.
Key Terms
Active Directory— Windows implementation of a hierarchical directory service that is LDAP compliant.
Brute-force attack— A method of breaking a cipher or encrypted value by trying a large number of possibilities. Brute-force attacks function by working through all possible values. The feasibility of brute-force attacks depends on the key length and strength of the cipher and the processing power available to the attacker.
Buffer overflow— Occurs when a software application somehow writes data beyond the allocated end of a buffer in memory. Buffer overflow is usually caused by software bugs and improper syntax and programming, thus opening or exposing the application to malicious code injections or other targeted attack commands.
Dictionary attack— A method of breaking a cipher or encrypted value by trying all the words in a dictionary file.
Hybrid attack— A method of breaking a cipher or encrypted value by trying all the words in a dictionary file that are mixed with numbers and special characters.
NetBIOS— Frees applications from having to understand the operation of the network, so that different programs on different computers can communicate within a local area network.
RainbowCrack technique— A method of precomputing password hashes that speeds up the password cracking process but requires massive amounts of storage.
Relative identifier— Uniquely identifies an account within a Windows domain.
Security identifier— A unique alphanumeric character string that identifies a system to other systems in a Microsoft domain.
Server Message Block— A Windows protocol that allows the system to share files.
Simple Network Management Protocol— A standardized protocol that is used to allow the management of network devices and equipment.
Exercises
This section presents several hands-on exercises to help reinforce your knowledge and understanding of the chapter. The author selected the tools and utilities used in these exercises because they are easily obtainable. The goal is to provide you with real hands-on experience.