Working Through the De-ICE Level II Environment – Information Gathering / Vulnerability Scanning


We have already run several scans against the system and identified the services running on it. Let's now move on to gathering sensitive information about the system, or information of interest for possible attacks.

Several kinds of tests are needed, among them a directory and file scan (the web application's directory tree), connection tests against the different services, etc. All of these procedures are detailed in the ISSAF and OSSTMM methodologies.

If we look at the target system's web page, it gives us information about the purpose of the system and about the people/users who administer/use the server. They are:

Sr. System Admin: Adam Adams – adamsa@herot.net
System Admin (Intern): Bob Banter – banterb@herot.net
System Admin: Chad Coffee – coffeec@herot.net

Very likely the valid users on the system are:

  • adamsa
  • banterb
  • coffeec

And these could be used to carry out an authentication attack against the services it currently offers (FTP, SSH).

Even so, and in order to gather more information, let's run a directory and web vulnerability scan with the nikto tool.

root@bt:/pentest/web/nikto# perl nikto.pl -h http://192.168.1.110

- Nikto v2.1.0
---------------------------------------------------------------------------
+ Target IP:          192.168.1.110
+ Target Hostname:    192.168.1.110
+ Target Port:        80
+ Start Time:         2010-01-22 20:49:26
---------------------------------------------------------------------------
+ Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2
+ OSVDB-0: mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ OSVDB-0: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-0: Apache/2.2.4 appears to be outdated (current is at least Apache/2.2.14). Apache 1.3.41 and 2.0.63 are also current.
+ OSVDB-0: mod_ssl/2.2.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OSVDB-0: OpenSSL/0.9.8b appears to be outdated (current is at least 0.9.8i) (may depend on server version)
+ 3588 items checked: 6 item(s) reported on remote host
+ End Time:           2010-01-22 20:50:02 (36 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Let's now explore the website's source code looking for hidden information. To do this we will download the whole website with the WGet tool.

root@bt:~/Sec-Track/De-Ice_II# wget -r http://192.168.1.110

--2010-01-21 21:02:52--  http://192.168.1.110/
Connecting to 192.168.1.110:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2036 (2.0K) [text/html]
Saving to: `192.168.1.110/index.html'

100%[======================================>] 2,036       --.-K/s   in 0s

2010-01-21 21:02:52 (103 MB/s) - `192.168.1.110/index.html' saved [2036/2036]

Loading robots.txt; please ignore errors.
--2010-01-21 21:02:52--  http://192.168.1.110/robots.txt
Reusing existing connection to 192.168.1.110:80.
HTTP request sent, awaiting response... 404 Not Found
2010-01-21 21:02:52 ERROR 404: Not Found.

--2010-01-21 21:02:52--  http://192.168.1.110/level.html
Reusing existing connection to 192.168.1.110:80.
HTTP request sent, awaiting response... 200 OK
Length: 2309 (2.3K) [text/html]
Saving to: `192.168.1.110/level.html'

100%[======================================>] 2,309       --.-K/s   in 0s

2010-01-21 21:02:52 (157 MB/s) - `192.168.1.110/level.html' saved [2309/2309]

--2010-01-21 21:02:52--  http://192.168.1.110/copyright.txt
Reusing existing connection to 192.168.1.110:80.
HTTP request sent, awaiting response... 200 OK
Length: 15719 (15K) [text/plain]
Saving to: `192.168.1.110/copyright.txt'

100%[======================================>] 15,719      --.-K/s   in 0s

2010-01-21 21:02:52 (177 MB/s) - `192.168.1.110/copyright.txt' saved [15719/15719]

--2010-01-21 21:02:52--  http://192.168.1.110/index2.html
Reusing existing connection to 192.168.1.110:80.
HTTP request sent, awaiting response... 200 OK
Length: 847 [text/html]
Saving to: `192.168.1.110/index2.html'

100%[======================================>] 847         --.-K/s   in 0.001s

2010-01-21 21:02:52 (968 KB/s) - `192.168.1.110/index2.html' saved [847/847]

FINISHED --2010-01-21 21:02:52--
Downloaded: 4 files, 20K in 0.001s (20.5 MB/s)

After analyzing the downloaded files we realized that there is no information of relevance to the penetration test. What we did find was a file (level.html) with information about the De-ICE LiveCD II environment:

<B><I>The disk is considered Level 1</I></B>, and minimal penetration skills are required in order to exploit this disk.  Additional skills required to complete this challenge is a more-than-basic understanding of unix commands and basic functionality of the unix OS.  All tools needed to exploit this disk can be found on the BackTrack Penetration LiveCD (version 2) found at Remote-Exploit.org.  No additional downloads or disks are needed.
<BR><BR>
<B>Minimum time required to penetrate this CD is:  30 Minutes (approx.)</B><BR>
This time is only possible if you know exactly what to do, and in what order.  Do not get frustrated if penetration of this system exceeds hours, or even days.
This exercise is intended to provide a real-world simulation of a penetration test task.  Sometimes, banging your head IS the answer… so bang away.  >;-)

etc….

In the previous phase we were unable to identify the banner of the service running on port 22 (SSH) with nmap; for this I simply run the Netcat tool:

root@bt:~# nc 192.168.1.110 22

SSH-1.99-OpenSSH_4.3

In addition, we are going to run a vulnerability scan with the Nessus tool.

To do so I will disable all the plugins that are enabled by default, since we only need a few of them, those related to the ports and services identified in the first phase of the penetration test.

Brute Force Attacks

  • Hydra FTP
  • Hydra SSH2

FTP

  • Anonymous FTP Enabled
  • Anonymous FTP Writeable root Directory
  • FTP Privileged Port Bounce Scan
  • FTP Server Any Command Accepted (Possible Backdoor Proxy)
  • FTP Server Bad Command Sequence Accepted (Possible Backdoor Proxy)
  • FTP Server Copyrighted Material Present
  • FTP Server No Command Accepted (Possible Backdoor Proxy)
  • Etc…

Finger Abuses

  • Finger .@host Unused Account Disclosure
  • Finger 0@host Unused Account Disclosure
  • Finger Service Remote Information Disclosure
  • Etc…

General

  • Enumerate
  • OS Identification
  • OS Identification FTP
  • OS Identification HTTP
  • OS Identification ICMP
  • OS Identification Linux Distribution
  • OS Identification SSH

Web Servers

  • Apache
  • PHP
  • Etc…

Gain a Shell Remotely

  • OpenSSH
  • OpenSSL
  • Shell Command Execution Vulnerability
  • Etc…

Among others...

As we can see, this scan is configured in a very general way and focused only on the services found with Nmap. That is why we only find the following security alerts in the Nessus results.

Nessus Report
The Nessus Security Scanner was used to assess the security of 1 host

  • 2 security warnings have been found
  • 1 security note has been found

List of open ports :

  • ssh (22/tcp)
  • ipp (631/tcp)
  • http (80/tcp)
  • ftp (21/tcp)  (Security warnings found)

Warning found on port ftp (21/tcp)
Synopsis :

Anonymous logins are allowed on the remote FTP server.
Description :

This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a password or unique credentials. This allows a user to access any files made available on the FTP server.

Solution :

Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure sensitive content is not available.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE : CVE-1999-0497
Other references : OSVDB:69
Nessus ID : 10079

————————————————————————————————————————

Warning found on port ftp (21/tcp)
Synopsis :

The remote FTP server contains world-writable directories.

Description :

By crawling through the remote FTP server, Nessus discovered several directories were marked as being world-writable.

This could have several negative impacts:

* Temporary file uploads are sometimes immediately available to all anonymous users, allowing the FTP server to be used as a 'drop' point. This may faciliate trading copyrighted, pornographic or questionable material.

* A user may be able to upload large files that consume disk space, resulting in a denial of service condition.

* A user can upload a malicious program. If an administrator routinely checks the 'incoming' directory, they may load a document or run a program that exploits a vulnerability in client software.

Solution :

Configure the remote FTP directories so that they are not world-writable.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P)

Other references : OSVDB:76
Nessus ID : 19782

————————————————————————————————————————

Information found on port ftp (21/tcp)
Synopsis :

The remote FTP server allows credentials to be transmitted in clear text.

Description :

The remote FTP does not encrypt its data and control connections. The user name and password are transmitted in clear text and may be intercepted by a network sniffer, or a man-in-the-middle attack.

Solution :

Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server such as data and control connections must be encrypted.

Risk factor :

Low / CVSS Base Score : 2.6
(CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Nessus ID : 34324

————————————————————————————————————————

Finally, we manually verify this access to the FTP server, which allows anonymous login.

root@bt:~/Sec-Track/De-Ice_II/192.168.1.110# ftp 192.168.1.110

Connected to 192.168.1.110.
220 (vsFTPd 2.0.4)
Name (192.168.1.110:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
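The anonymous-login check performed manually above and flagged by Nessus (plugin 10079), as an added example that is not tooling from the original post: a minimal FTP control-channel client that drives the same USER/PASS exchange, records the server's reply codes, and reports whether anonymous access is granted. The FakeFtpConn class, the password string and the refusal transcript are constructed assumptions so the check runs offline; the vsftpd replies are the ones shown in the session above.

```python
import io


def _read_reply(rfile):
    """Read one FTP reply; '220-...' opens a multi-line reply that ends with '220 ' (RFC 959)."""
    first = rfile.readline().decode("latin-1", "replace").rstrip("\r\n")
    code, lines = first[:3], [first]
    if len(first) > 3 and first[3] == "-":
        while True:
            line = rfile.readline().decode("latin-1", "replace").rstrip("\r\n")
            lines.append(line)
            if not line or line.startswith(code + " "):
                break
    return code, "\n".join(lines)


def check_anonymous_ftp(conn, password="anonymous@example.com"):
    """Replay the USER/PASS exchange and return (anonymous_allowed, banner, transcript):
    230 = logged in, 331 = password wanted, anything else (typically 530) = refused."""
    rfile = conn.makefile("rb")
    code, banner = _read_reply(rfile)
    transcript, allowed = [banner], False
    if code == "220":  # service ready; any other greeting means no login attempt
        for cmd in (b"USER anonymous", b"PASS " + password.encode()):
            conn.sendall(cmd + b"\r\n")
            transcript.append("> " + cmd.decode())
            code, msg = _read_reply(rfile)
            transcript.append(msg)
            if code == "230":
                allowed = True
                break
            if code != "331":
                break
    conn.sendall(b"QUIT\r\n")
    return allowed, banner, transcript


class FakeFtpConn:
    """Constructed stand-in replaying one server's side of the dialogue (socket-like surface)."""
    def __init__(self, replies):
        self._rfile = io.BytesIO(b"".join(r + b"\r\n" for r in replies))
        self.sent = []
    def makefile(self, mode="rb"):
        return self._rfile
    def sendall(self, data):
        self.sent.append(data)


# Server replies seen in the post's vsftpd session, plus a constructed refusal.
VSFTPD_ANON = [b"220 (vsFTPd 2.0.4)", b"331 Please specify the password.",
               b"230 Login successful."]
ANON_DENIED = [b"220 ftp ready.", b"530 Anonymous access denied."]
```

Against a live host, pass the socket returned by socket.create_connection((host, 21)) instead of a FakeFtpConn; the same function then records the real reply codes.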

In the next phase (post) we will carry out a first exploration inside the FTP server, looking for sensitive information that allows us to escalate privileges on the target system. If nothing relevant is found we will proceed to attempt a login through the SSH server.
