Post on 08-Aug-2020


Page 1: Research Center for Cyber Intelligence and Information Securityquerzoni/corsi_assets/1516/... · 2015-12-11 · •Brief review of cyber attack lifecycle •Advanced Persistent Threat

Penetration Testing

Systems and Enterprise Security 2015

Leonardo Aniello, Ph.D. [email protected]

Page 2

Outline

• Brief review of cyber attack lifecycle

• Advanced Persistent Threat

• Attack phases

• Detection techniques

• Penetration testing with Metasploit

• Metasploit Framework

• Port scan with nmap

• Backdoor FTP

• Backdoor unreal

• PostgreSQL

Page 3

Advanced Persistent Threat (APT)

• Definition: a long-term pattern of targeted, sophisticated attacks (NIST Special Publication 800-39, Managing Information Security Risk, 2011)

• Advanced: cutting-edge techniques to exploit unknown vulnerabilities (ex: zero-day exploits)

• Persistent: use of stealthy techniques to pursue the goal of remaining hidden in the target system (can stay hidden for months)

• Threat: malicious nature, i.e., aimed at data exfiltration for espionage purposes

Page 4

Advanced Persistent Threat (APT)

• A hacking team with well-trained attackers

• Well-funded

• Specific and clear goal

– Damage organization

– Steal/destroy information

» Identify data/info of interest

» Devise a plan to breach security and get it

• In past attacks, evidence that such teams are supported/funded by governments

• Attacks generally follow the same sequence of steps...

Page 5

Advanced Persistent Threat (APT)

• A recent APT: “The Great Bank Robbery: the Carbanak APT” (Kaspersky Labs, February 2015)

• Started in late 2013

• Targeted banks and financial institutions

• Loss up to 1 billion USD

• Initial infection through spear phishing emails

– Malicious attachment that installs the Carbanak backdoor

– Provides remote access to infected machine

• Then, lateral movement to access target resources

– Money processing services

– ATM

– Financial accounts

Page 6

Attack phases

• Scan and discovery

• Vulnerability exploitation

• Payload injection

• Post-Exploitation (repeat until mission accomplishment)

• Interaction with Command and Control / updates

• Data exfiltration / lateral spread / persistence

Page 7

Attack phases

• Scan and discovery

• Scan of targets

– A specific host

– A range of IP addresses

– A whole LAN

• Discovery of active hosts

• Discovery of open ports on such hosts

• Identification of active services on such ports

Page 8

Attack phases

• Scan and discovery

• Risk of being detected by Intrusion Detection Systems (IDS)

• Countermeasures (from attacker’s viewpoint)

– Employ stealth techniques

» Port scan example: an IDS working above the TCP layer (i.e., on completed connections) can be bypassed via a SYN scan

– Slow down and distribute the scan

» IDS works on time windows

» Malicious hosts doing a low volume of activities are more difficult to detect

Page 9

Attack phases

• Vulnerability exploitation

• Active services on target hosts have been identified

– Usually the software version is also available

– Look for known vulnerabilities for these services

• Look for exploits related to these vulnerabilities

– An exploit is a piece of software that leverages a vulnerability to achieve, for instance:

» Execution of arbitrary code on target machine

» Execution of SQL queries/commands on a database

» Access to the file system

» Privilege escalation

» …

• At the end of the exploitation, it is usually possible to access the target machine

Page 10

Attack phases

[https://cve.mitre.org/index.html] [http://nvd.nist.gov/]

• Vulnerability exploitation

• Research of vulnerabilities and related exploits

– Already available in the toolkit in use

– Public databases, ex: National Vulnerability Database (NVD)

» Standard CVE (Common Vulnerabilities and Exposures)

» CVE-2015-5262: http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

– Zero-days in black markets

• May require testing many vulnerabilities and exploits

– Increased risk of being detected

Page 11

Attack phases

• Payload injection (malware installation)

• It is the code to be executed on the target machine

• Injected during the exploitation

• Chosen according to the exploit used and the attack goals

– Ex: if the exploit allows flooding the target, and the goal is running a DDoS, then no payload is required

• Exploit vs payload

– The exploit is a means to access the target by leveraging one of its vulnerabilities (buffer overflow, SQL injection, …)

– The payload achieves the specific goal of the attack (keylogger, reverse shell, …)

Page 12

Attack phases

• Payload injection

• Payload examples

– Bind shell: binds a command prompt running on the target to some port, which the attacker then connects to

– Reverse shell: creates a connection from the target to the attacker, used to remotely control a command prompt running on the target

– Keylogger: records the keys pressed on the target’s keyboard

– RAT (Remote Access Trojan): provides the attacker complete control over the target

Page 13

Attack phases

• Post-Exploitation (repeat until mission accomplishment)

• Once stable access to the target has been obtained, it is required to

– Keep it over time, remaining hidden (to persist)

– Carry out actions required to get to the goal

» Issue instructions to the payload

• Interactively by using a RAT

• Automatically by using C&C

– Possibly update the payload

Page 14

Attack phases

• Interaction with C&C

• The Command and Control infrastructure allows the attacker to

– Issue instructions to the malware installed in the target

– Receive information

» Scan results aimed at performing lateral spread

» Exfiltrated data

• Personally Identifiable Information (PII)

• User credentials

• Bank codes

• …

• The type of instructions and information is specific to the attack

Page 15

Attack phases

QinetiQ, "Command & Control: Understanding, denying, detecting", 2014

Page 16

Attack phases

• Interaction with C&C

• Push model example

– IRC channel

» The malware registers itself to an IRC channel where the attacker posts the instructions

• Pull model example

– HTTP communication

» The attacker «uploads» the instructions to a web server

» The malware «downloads» the instructions by using GET operations

» And sends information by using POST operations

Page 17

Attack phases

• Interaction with C&C

• Characteristics of C&C servers

– A single server can be easily identified and blocked

– Replicating according to a p2p model makes detection more difficult

– Dynamically changing DNS bindings (IP addresses change, but domains remain fixed) make the servers harder to find

– Dynamically changing domains makes detection even harder

» Domains generated according to deterministic algorithm known to the malware

» Updated domains published in some drop zone known to the malware

Page 18

Attack phases

• Update the payload

• During operations, the attacker may need to modify the installed malware

• Depending on the characteristics of the malware and the type of C&C used

– A new version of the payload can be uploaded to the target

– Additional software modules can be loaded and activated

Page 19

Attack phases

• Data exfiltration

• Use of staging servers where data of interest are accumulated in order to apply transformations

– Aggregation

– Compression

– Encryption

• Reduction of the data volume to transfer, aimed at avoiding detection

• Tradeoff speed/risk

– Higher transfer rates allow for higher speed, but also a higher risk of being detected

Page 20

Attack phases

• Lateral spread

• Allows accessing other machines in target network

• Analysis of the machine already infected

– netstat to see which other machines are actively connected, and hence reachable

– ifconfig/ipconfig to identify available network interfaces

– Routing tables to get info about network topology

• Network analysis

– Port scan to find reachable machines

– Identification of used communication protocols

Page 21

Attack phases

• Lateral spread

• Credentials gathering

– Passwords or session identifiers kept in memory

– Keyloggers to intercept typed credentials

• Network browsing to find and reach target machines

– Access to other machines is kept

» Can be used as staging servers (for data exfiltration)

– Intra-network communication is stealthier

» Less analyzed compared to incoming traffic

Page 22

Attack phases

• Persistence

• For targeted and complex attacks, it is required to keep the foothold

• In Windows-based systems

– Autorun (scheduled tasks, services, drivers, …)

– Hijack (executable, DLL, link, …)

– Changes to Master Boot Record (MBR), Volume Boot Record (VBR), Basic Input Output System (BIOS), …

Page 23

Detection Techniques

• Scan and discovery

• These activities generate network traffic

• Detection needs network monitoring

– Look for anomalous patterns

» Unusual communication flows

– Threshold-based mechanisms

» Number of TCP connection attempts towards distinct endpoints

» Attackers can slow down the scan

• Detection on larger time windows

» Attackers can distribute scan sources

• Clustering to identify the botnet
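An added example, not part of the slides: a threshold detector in Python over constructed connection records that counts the distinct endpoints each source contacts within a sliding time window. It shows a slowed-down scan escaping a short window but not a longer one, and a scan distributed over several sources surfacing only once sources are grouped (here, as an assumed stand-in for the clustering the slide mentions, naively by /24 subnet).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-attempt records: "<timestamp> <src_ip> <dst_ip> <dst_port>".
#   10.0.0.5     : fast scan, 6 distinct endpoints within 3 seconds
#   10.0.0.9     : slowed-down scan, the same 6 endpoints spread over 100 seconds
#   10.0.0.7     : benign host repeatedly talking to a single web server
#   10.0.1.21-23 : the same scan distributed over three sources in one /24
SAMPLE_LOG = """\
2015-12-11T10:00:00 10.0.0.5 192.168.1.10 22
2015-12-11T10:00:00 10.0.0.5 192.168.1.10 80
2015-12-11T10:00:01 10.0.0.5 192.168.1.11 22
2015-12-11T10:00:01 10.0.0.5 192.168.1.11 80
2015-12-11T10:00:02 10.0.0.5 192.168.1.12 22
2015-12-11T10:00:03 10.0.0.5 192.168.1.12 80
2015-12-11T10:00:00 10.0.0.9 192.168.1.10 22
2015-12-11T10:00:20 10.0.0.9 192.168.1.10 80
2015-12-11T10:00:40 10.0.0.9 192.168.1.11 22
2015-12-11T10:01:00 10.0.0.9 192.168.1.11 80
2015-12-11T10:01:20 10.0.0.9 192.168.1.12 22
2015-12-11T10:01:40 10.0.0.9 192.168.1.12 80
2015-12-11T10:00:00 10.0.0.7 192.168.1.10 80
2015-12-11T10:00:01 10.0.0.7 192.168.1.10 80
2015-12-11T10:00:02 10.0.0.7 192.168.1.10 80
2015-12-11T10:00:03 10.0.0.7 192.168.1.10 80
2015-12-11T10:00:04 10.0.0.7 192.168.1.10 80
2015-12-11T10:00:05 10.0.1.21 192.168.1.10 22
2015-12-11T10:00:05 10.0.1.21 192.168.1.10 80
2015-12-11T10:00:06 10.0.1.22 192.168.1.11 22
2015-12-11T10:00:06 10.0.1.22 192.168.1.11 80
2015-12-11T10:00:07 10.0.1.23 192.168.1.12 22
2015-12-11T10:00:07 10.0.1.23 192.168.1.12 80
"""

SHORT_WINDOW = timedelta(seconds=10)   # catches the fast scan only
LONG_WINDOW = timedelta(seconds=120)   # also catches the slowed-down scan


def parse_log(text):
    """Parse the constructed records into (timestamp, src, "dst:port") tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, f"{dst}:{port}"))
    return events


def by_source(src):
    """Default grouping: every source IP is its own cluster."""
    return src


def by_subnet24(src):
    """Assumed coarse clustering for illustration: sources in the same /24 count together."""
    return ".".join(src.split(".")[:3]) + ".0/24"


def detect_scanners(events, window, threshold, group=by_source):
    """Return {cluster: peak number of distinct endpoints contacted inside one sliding
    window of length `window`} for every cluster whose peak exceeds `threshold`."""
    per_group = defaultdict(list)
    for ts, src, endpoint in events:
        per_group[group(src)].append((ts, endpoint))
    flagged = {}
    for key, items in per_group.items():
        items.sort()
        peak = 0
        for i, (t0, _) in enumerate(items):
            # endpoints contacted in the window that opens at this attempt
            distinct = {ep for ts, ep in items[i:] if ts - t0 <= window}
            peak = max(peak, len(distinct))
        if peak > threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("short window:", detect_scanners(events, SHORT_WINDOW, 4))
    print("long window: ", detect_scanners(events, LONG_WINDOW, 4))
    print("by /24:      ", detect_scanners(events, SHORT_WINDOW, 4, group=by_subnet24))
```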

Page 24

Detection Techniques

• Vulnerability exploitation and payload injection

• Use of best practices

– Antivirus, firewall, IDS, SIEM always kept up to date

– Reduce attack surface

» Disable unnecessary services

» Minimize open ports

» Minimize web entry points

– Personnel training

• Penetration testing to identify vulnerabilities

• Techniques based on anomaly detection or pattern matching to spot the exploit

Page 25

Detection Techniques

• Interaction with C&C

• Network monitoring

• Detection based on

– recognizing anomalous patterns

– recognizing already known malicious patterns

• Detection accuracy depends on the interaction mode

– Generation of low traffic volumes on «strange» connections

– Generation of high traffic volumes on usual connections

Page 26

Detection Techniques

• Malware

• Intentionally malicious software, used to

• Cause damage to a software system

• Break software service

• Steal electronic data

• Get access to private software systems

• …

• Infection vector

• Email attachments (social engineering)

• Pendrives

• Web sites (drive-by download)

• …

Page 27

Detection Techniques

• Static approaches

Moser, Kruegel, Kirda, "Limits of Static Analysis for Malware Detection", in Computer Security Applications Conference, 2007

• Don’t require malware execution; only its content is analyzed

• Signature-based techniques

– Database of regular expressions specifying the sequences of bytes/instructions considered as malicious

– Not effective against polymorphic malware…

• Polymorphic malware

– Malware appearance is changed

– Encryption

– Append/pre-pend data

Page 28

Detection Techniques

• Static approaches

• Limits of polymorphic malware

– Decrypted code remains the same

– Signature-based techniques on data in memory

» Allow their detection

» Not effective against metamorphic malware…

• Metamorphic malware

– Recodes itself every time it propagates

– Insertion of a variable number of NOPs, permutation of the registers used, insertion of isolated code sections (never executed)

– Shuffling of functions and data structures

Page 29

Detection Techniques

• Static approaches

Christodorescu, Jha, Seshia, Song, Bryant, "Semantics-aware malware detection," in Security and Privacy 2005

• Limits of Metamorphic malware

– The malware’s semantics remain the same

– Semantics-aware malware detector

» Check if a software is semantically similar to a known malware

» Template: represents a malicious behavior

• Decrypting in polymorphic malware

• Search for email addresses

• …

» Matching of templates to code sections of the software to analyze

• Based on the effects in memory

Page 30

Detection Techniques

• Dynamic approaches

M. Egele, T. Scholte, E. Kirda, C. Kruegel, "A survey on automated dynamic malware-analysis techniques and tools", ACM Comput. Surv. 2012

• Require malware execution to analyze its actual behavior

• Several approaches, complementary to each other

– Monitoring of function calls

– Analysis of parameters passed to functions

– Tracing of information flows

– Tracing of executed instructions

– Monitoring of AutoStart Extensibility Points

Page 31

Detection Techniques

• Monitoring of function calls

• Allows obtaining a high-level view of the real behavior of a piece of software

• Function calls intercepted through hooking

• Malware executing in kernel-mode can bypass hooks

• Analysis of the function call trace

– Represented as a graph

» Nodes are functions

» Edges are function calls

– Matching to known malware based on graph distance

» i.e., edit distance

Page 32

Detection Techniques

• Analysis of parameters passed to functions

• Focus on real values passed when a function is invoked

• Tracing the values of parameters and returned results makes it possible to link distinct function calls

• Example

– open() returns the descriptor of the file just opened

– read() requires file descriptor as parameter

– If descriptors are the same, the link is obvious
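An added Python example, not from the slides, of linking calls through their parameter and return values on a constructed trace: descriptors returned by open() and socket() are matched against the arguments of later calls, and the links are then chained into a higher-level description (file content read into a buffer that is later sent over a connected socket). The trace format and the function names `link_calls` and `exfiltration_candidates` are assumptions of this example.

```python
# Constructed call trace, in the shape a hooking layer might record it:
# (function name, positional arguments, return value), in execution order.
SAMPLE_TRACE = [
    ("open", ("/home/user/secrets.txt", "O_RDONLY"), 3),
    ("socket", ("AF_INET", "SOCK_STREAM"), 4),
    ("connect", (4, "198.51.100.7:443"), 0),
    ("read", (3, "buf", 4096), 512),
    ("send", (4, "buf", 512), 512),
    ("close", (3,), 0),
]

# Constructed benign trace: a greeting is sent, but no file content reaches the socket.
BENIGN_TRACE = [
    ("socket", ("AF_INET", "SOCK_STREAM"), 3),
    ("connect", (3, "192.0.2.10:80"), 0),
    ("send", (3, "hello", 5), 5),
    ("close", (3,), 0),
]

STATUS_CODES = {0, -1}  # generic success/failure results, not handles worth linking on


def link_calls(trace):
    """Link every call whose argument equals a value returned by an earlier call.
    Returns (producer_index, consumer_index, shared_value) triples."""
    links = []
    for j, (_name, args, _ret) in enumerate(trace):
        for i in range(j):
            ret = trace[i][2]
            if ret in STATUS_CODES:
                continue
            if any(arg == ret for arg in args):
                links.append((i, j, ret))
    return links


def exfiltration_candidates(trace):
    """Chain the links into a behavior description: a buffer filled by read() on a
    descriptor that came from open(path), later passed to send() on a socket that
    was connect()ed to an endpoint. Returns (path, endpoint) pairs."""
    producer_of = {}
    for i, j, value in link_calls(trace):
        producer_of.setdefault(j, {})[value] = i  # consumer j received `value` from call i
    findings = []
    for j, (name, args, _ret) in enumerate(trace):
        if name != "send":
            continue
        sock_fd, buf = args[0], args[1]
        sock_idx = producer_of.get(j, {}).get(sock_fd)
        endpoint = next((a[1] for n, a, _ in trace if n == "connect" and a[0] == sock_fd), None)
        if sock_idx is None or trace[sock_idx][0] != "socket":
            continue
        # an earlier read() into the same buffer, and the open() that produced its descriptor
        for k in range(j):
            kname, kargs, _ = trace[k]
            if kname == "read" and kargs[1] == buf:
                open_idx = producer_of.get(k, {}).get(kargs[0])
                if open_idx is not None and trace[open_idx][0] == "open":
                    findings.append((trace[open_idx][1][0], endpoint))
    return findings


if __name__ == "__main__":
    print(link_calls(SAMPLE_TRACE))
    print(exfiltration_candidates(SAMPLE_TRACE))
    print(exfiltration_candidates(BENIGN_TRACE))
```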

Page 33

Detection Techniques

• Tracing of information flows

• Goal: understanding how data of interest propagate as the software computes on them

• Data to be monitored are marked with labels

– These labels propagate together with the marked data and enable tracing

– Trivial example

» X: datum of interest marked with label L1

» Instruction: Y = X

» L1 is propagated to Y

Page 34

Detection Techniques

• Tracing of information flows

• Aspects to take into account

– Direct dependencies between data

» A = A + X

» If both A and X are labeled, how to propagate the label?

– Address dependencies

» Read/write addresses derived from labeled data

» A = X[10] where X is labeled

» B = C[Y] where Y is labeled
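An added Python illustration, not from the slides, of label propagation over a constructed mini-language that supports exactly the statement shapes used on these two slides: a direct dependency such as A = A + X takes the union of the operands' labels, and a labeled index (B = C[Y], or a write C[Y] = Z) taints the element accessed through it. The `TaintTracker` class and the variable names in `demo()` are assumptions of this example.

```python
import re

# Statement shapes handled (constructed mini-language):
#   Y = X      Y = X + Z      Y = X[10]      B = C[Y]      C[Y] = Z
_ASSIGN = re.compile(
    r"^\s*(\w+)(?:\[(\w+)\])?\s*=\s*(\w+)(?:\[(\w+)\])?(?:\s*\+\s*(\w+))?\s*$"
)


class TaintTracker:
    """Minimal interpreter that carries a set of labels alongside every value."""

    def __init__(self):
        self.values = {}  # name -> int, or list of ints for arrays
        self.labels = {}  # name -> set of labels, or list of sets (one per array element)

    def define(self, name, value, label=None):
        """Introduce a variable; an array gets one label set per element."""
        self.values[name] = value
        if isinstance(value, list):
            self.labels[name] = [{label} if label else set() for _ in value]
        else:
            self.labels[name] = {label} if label else set()

    def _operand(self, name, index):
        """Value and labels of `name` or `name[index]`; a labeled index taints the access."""
        if name.isdigit():                      # integer literal: no labels
            return int(name), set()
        if index is None:
            labels = self.labels[name]
            if isinstance(labels, list):        # whole array: union of element labels
                return self.values[name], set().union(*labels)
            return self.values[name], set(labels)
        idx_val, idx_labels = self._operand(index, None)
        return self.values[name][idx_val], set(self.labels[name][idx_val]) | idx_labels

    def execute(self, stmt):
        m = _ASSIGN.match(stmt)
        if not m:
            raise ValueError(f"unsupported statement: {stmt}")
        dst, dst_idx, src, src_idx, addend = m.groups()
        value, labels = self._operand(src, src_idx)
        if addend is not None:                  # direct dependency: union of both label sets
            v2, l2 = self._operand(addend, None)
            value, labels = value + v2, labels | l2
        if dst_idx is None:
            self.values[dst] = value
            self.labels[dst] = labels
        else:                                   # write address derived from (possibly labeled) data
            idx_val, idx_labels = self._operand(dst_idx, None)
            self.values[dst][idx_val] = value
            self.labels[dst][idx_val] = labels | idx_labels
        return labels

    def labels_of(self, name, index=None):
        return set(self.labels[name]) if index is None else set(self.labels[name][index])


def demo():
    """Run the slides' cases and return the label set of each result variable."""
    t = TaintTracker()
    t.define("X", 2, "L1")           # datum of interest marked with label L1
    t.define("A", 1, "L2")
    t.define("T", [4, 5, 6], "L3")   # labeled array (the slides' "X[10] where X is labeled")
    t.define("C", [10, 20, 30])      # unlabeled array
    for stmt in ("Y = X", "A = A + X", "E = T[1]", "B = C[Y]", "C[Y] = A", "F = C[0]", "G = C[2]"):
        t.execute(stmt)
    return {name: t.labels_of(name) for name in "YAEBFG"}


if __name__ == "__main__":
    for name, labels in demo().items():
        print(name, sorted(labels))
```

B ends up labeled L1 although C itself carries no label: the element was selected through the labeled index Y, which is the address dependency the slide asks about.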

Page 35

Detection Techniques

• Tracing of executed instructions

• Sequence of assembly instructions

• Can include additional useful information

– Example: report on system calls and function calls

• Monitoring of AutoStart Extensibility Points

• ASEP: mechanisms that allow applications to be executed at startup or when another specific application starts

• Often used by malware to become persistent

• Can provide information useful for detection purposes

Page 36

Outline

• Brief review of cyber attack lifecycle

• Advanced Persistent Threat

• Attack phases

• Detection techniques

• Penetration testing with Metasploit

• Metasploit Framework

• Port scan with nmap

• Backdoor FTP

• Backdoor unreal

• PostgreSQL

Page 37

Metasploit Framework

«Imagine that sometime in the not-so-distant future an attacker decides to attack a multinational company’s digital assets, targeting hundreds of millions of dollars worth of intellectual property buried behind millions of dollars in infrastructure. Naturally, the attacker begins by firing up the latest version of Metasploit.»

Metasploit - The Penetration Tester’s Guide, Introduction

Page 38

Metasploit Framework

• Penetration Testing

• One of the most effective ways to find vulnerabilities

• By circumventing security mechanisms, a penetration tester can identify the specific methods an attacker may employ to compromise the system

– And consequently find proper countermeasures

• Metasploit is a framework aimed at automating and easing several common operations of penetration testing

Page 39

Metasploit Framework

• Penetration Testing Execution Standard (PTES) [http://www.pentest-standard.org]

• Adopted by several authoritative members of security community

• Goals

– Fostering awareness about the importance of penetration testing

– Establishing fundamental principles for carrying out a penetration test

Page 40

Metasploit Framework

• Phases of a Penetration Test

• Pre-engagement interactions (goals definition)

• Intelligence Gathering (what security mechanisms are being used?)

• Threat Modeling (how can the target be attacked?)

• Vulnerability Analysis (how can I attack the target in practice?)

• Exploitation (the actual attack)

• Post Exploitation (what can I do once the target has been compromised?)

• Reporting (what has been done? how? how to remedy?)

Page 41

Metasploit Framework

Disclaimer

• This tutorial is for educational purposes only

• I am not responsible for how you use these tools in any way shape or form

• These tools are very powerful and can cause a lot of damage to systems

• Whoever carries out unauthorized penetration testing may be prosecuted

Page 42

Metasploit Framework

• VM Ubuntu 14.04

• Username: user

• Password: pass

Page 43

Metasploit Framework

• msfconsole interface

• Start it in the terminal

• postgres database (db_status command)

• Organized in modules

– options

– auxiliary

– exploit

– payloads

– targets

Page 44

Metasploit Framework

• Basic usage

• Scanning using auxiliary modules

• Exploit selection and configuration

• Payload selection and configuration

• Exploitation

For the tutorial, start the Metasploitable VM with VirtualBox. Metasploitable is an intentionally vulnerable Linux virtual machine [http://sourceforge.net/projects/metasploitable/]

Page 45

Metasploit Framework

• Discovery of hosts in the subnetwork

• Discovery with the udp_probe module

• From terminal, identify the subnetwork to scan

– ifconfig

• From msfconsole, auxiliary/scanner/discovery/udp_probe module

– use command

– info command

– set command

– exploit command

• Analysis of the results: hosts command

Page 46

Metasploit Framework

• Port scan of target host (metasploitable)

• Port scan with nmap

• help db_nmap

• Carry out a port scan with

– High verbosity (flag -v)

– Much info on the host and its services (flag -A)

• Analysis of the results: services -u

Page 47

Metasploit Framework

• Exploitation of a backdoor in the FTP server

“The backdoor payload is interesting. In response to a :) smiley face in the FTP username, a TCP callback shell is attempted. There is no obfuscation. More interestingly, there's no attempt to broadcast any notification of installation of the bad package. So it's unclear how victims would be identified; and also pretty much guaranteed that any major redistributor would notice the badness. Therefore, perhaps someone was just having some lulz instead of seriously trying to cause trouble.”

[http://scarybeastsecurity.blogspot.it/2011/07/alert-vsftpd-download-backdoored.html]

Page 48

Metasploit Framework

• Exploitation of a backdoor in the FTP server

• Look for an exploit for the FTP server running in the target

– search command

• Use of the exploit to obtain root privileges

– Selection of payload cmd/unix/interact

» set payload command

– Exploitation

» exploit command

– Verify exploitation

Page 49

Metasploit Framework

• Exploitation of a backdoor in Unreal IRC daemon

• CVE-2010-2075 UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse) in the DEBUG3_DOLOG_SYSTEM macro, which allows remote attackers to execute arbitrary commands.

Page 50

Metasploit Framework

• Exploitation of a backdoor in Unreal IRC daemon

• From www.unrealircd.org [https://www.unrealircd.org/txt/unrealsecadvisory.20100612.txt]

“Hi all, This is very embarrassing... We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been replaced quite a while ago with a version with a backdoor (trojan) in it. This backdoor allows a person to execute ANY command with the privileges of the user running the ircd. The backdoor can be executed regardless of any user restrictions (so even if you have passworded server or hub that doesn't allow any users in). It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now. Obviously, this is a very serious issue, and we're taking precautions so this will never happen again, and if it somehow does that it will be noticed quickly. We will also re-implement PGP/GPG signing of releases. Even though in practice (very) few people verify files, it will still be useful for those people who do.”

Page 51

Metasploit Framework

• Exploitation of a backdoor in Unreal IRC daemon

• Look for an exploit related to unreal

– Select the best one

• Use a reverse shell as payload

– set lhost command

Page 52

Metasploit Framework

• Exploitation in multiple steps

• First step

– Brute force attack to find login credentials for the postgres DB

– Look for and execute a login scanner for postgres DB

– What are the credentials?

Page 53

Metasploit Framework

• Exploitation in multiple steps

• Second step

– Exploitation of a postgres vulnerability (which in any case needs credentials to run) to inject a payload

– Use of meterpreter

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

– Look for an exploit for postgres DB to inject payload

» Use meterpreter reverse TCP as payload

» Verify user (shell command for remote terminal)

Page 54

Metasploit Framework

• Exploitation in multiple steps

• Third step

– Privilege escalation by using the udev_netlink exploit

» background command on meterpreter

» sessions command on msfconsole