TECH 581 W Computer Network Operations: Laboratory 6, Team 3

Abstract

The purpose of this exercise is to compromise three virtual hosts using primarily passive reconnaissance and research for the first two, with active reconnaissance in addition to the these methods for the third host.  First, the team examines the concept of passive reconnaissance and its relation to this exercise. Then, literature related to the area under question is evaluated. Continuing, a plan is devised by which exploitation of two virtual hosts is attempted, using only vulnerabilities discovered by passive means. Next, active reconnaissance means are employed against a third host, with discovered vulnerabilities targeted for areas of exploit. Finally, we examine the results of these experiments, and attempt to qualify the implications with regard to penetration testing concepts in general.

Introduction

In previous lab exercises, this team has discussed the topics of both passive and active reconnaissance, and attempted to create definitions for each respective area.  In this exercise, we again address the concept of passive reconnaissance, and qualify it with respect to this laboratory exercise. We have presented that passive reconnaissance includes the three concepts of uncertainty, invariant risk, and limitation of scope: the challenges of the current exercise have created the need to examine the ideas of uncertainty and invariant risk in greater detail.

In prior discussion we have speculated that such an action as querying a names server does not present any real risk to an attacker, as conservative application of this query can in no way be singled out as different from acceptable usage. To expand on this, we feel that this can apply to many other common services, such as user authentication, NetBIOS and SMB utilization, and even port interrogation. The key is that an attacker should ‘behave’ in a non-threatening or conservative manner which approximates a ‘normal’ user. It is expected that workstations will attempt logon to a server in a local network environment: it only becomes suspicious when many logon requests are initiated in rapid succession. Likewise, it is ‘normal’ for clients to interrogate a server for offered file shares and services; even port queries are not out of order if the pattern of a ‘port scan’ does not evolve. These ideas are closely tied to the concept of ‘slow scanning’ which was also discussed in a prior lab: here to, we classified this as passive.

Therefore, in light of these considerations, we suggest that the emulation of normal usage patterns with respect to network client behavior necessarily fulfills the requirements of uncertainty and invariant risk, with the limitation of scope to information gathering being assumed. If an attacker does not step outside the bounds of acceptable behavior to gain information, neither is his presence betrayed nor is any real risk taken. We feel this falls solidly within the realm of what could be termed passive reconnaissance.

With this discussion of passive reconnaissance methods in mind, we define two areas of research undertaken within this exercise. First, we propose to use passive reconnaissance coupled with exploit research to attempt the compromise of two virtual machines: namely a Windows XP Service Pack 0 host and a Windows Server 2003 Service Pack 2 host.  Then, we use all methods available, including active reconnaissance, to attempt the compromise of a third virtual host: that being a Windows XP Service Pack 3 machine.

Literature Review

As we proceed from exploits without tools to exploits with tools, we receive a new set of articles to read and review. This week’s readings contain a diverse set of articles within the area of penetration testing. The general topics involved cover the tools, techniques, and procedures for testing a system. Many of the articles cover network issues when conducting penetration tests. Password recovery, blackbox testing and root kits are also covered in this week’s readings.

A networked computer system is a double edged sword. On the one hand it helps us to be more productive, more efficient, and more connected. On the other hand, being connected may also mean being connected to those who wish to exploit our system. Chen, Yang and Lan (2007) discuss using tools such as Nessus and SATAN to test the vulnerability of a networked system. They state, however, that the output of these tools must be analyzed to ensure that it is not a false positive. They discuss a new tool that they developed using a distributed system with two components; a controller and an agent. The agents are placed at different points throughout the network and gather information concerning the security of the system. Once it has conducted a vulnerability scan it will conduct a penetration test to ensure that the scan did not produce a false positive. The controller then receives the results from the agents for analysis so that the controller can formulate a report on the security of the system (p1-4).

Often a firewall is placed between the local area network and the internet to protect the local area network from malicious systems on the internet. Firewalls also need testing to ensure that they are working properly and to locate flaws that will allow the local area network that they are protecting to be vulnerable to attack. Haeni (1997) recommends performing manual testing in addition to automated scanning to ensure that the systems behind the firewall are kept safe. He describes a penetration test in which a denial of service attack is performed against a trusted host behind a firewall so that its IP address can be spoofed. By spoofing the IP address of the trusted host, the attacker can gain access to the target (p1-25).  One issue that I had with his article is that it states that a demilitarized zone is necessary to operate a web server through a firewall. Many routers now have the ability to forward a single port through a firewall to a web server or other service, eliminating the need to have a demilitarized zone.

Systems without a firewall, or with a firewall that is not properly configured, may be compromised and become part of a distributed denial of service attack. In this type of attack, several computers on a network are compromised and used to send network traffic to the target computer. The target computer becomes so occupied with processing the bogus requests that it can no longer process legitimate requests. Mirkovic and Reiher (2004) discuss how such an attack can be performed. Packets of data are transported from their source to their destination through a series of networks. The intermediate networks have little responsibility but to forward the packets. This allows for attacks such as the TCP SYN attack. In this attack multiple TCP SYN requests are sent to the target filling its connection queue so that legitimate requests cannot be completed (p39-54).

Often, root kits are installed on compromised systems so that the compromised systems can be used to conduct the denial of service attack against the target system. Kuhhauser (2003) discusses how an attacker begins by finding a weak point at which to compromise the system. Often these weak points occur because of programming errors in conventional, sequentially programmed components. Once the root kit is installed it will hide itself and then place several backdoors so that the attacker can have access (p12-23).

Another way to gain access to a computer in order to compromise it is to crack a user password on the system.  The article Ethical Hacking and Password Cracking: A Pattern for Individualized Security Exercises (Snyder, 2006, p13-18) discusses exercises designed to teach students how to access and recover passwords such as a Front Page user password.  This article discusses various types of hashes used to encrypt passwords that are stored on a system. These hashes include SHA1, MD4 and MD5. Password recovery tools such as John the Ripper will continually guess the password until successful.

Modeling is sometimes used to assess the vulnerability of networked systems. One such model is Attack Net, which uses the Petri net paradigm.  With this approach, places represent the state of the system and transitions represent events that act on the system to change the state. A token represents the current progress of an attacker (p. 17). When a token is located at a place, the attacker has gained control of that place. Tokens move from place to place via directed arcs by transitions toward the target (p. 17). Another method of modeling network vulnerabilities is discussed in Modeling TCP/IP Networks Topology for Network Vulnerability Analysis (Zakeri, Shahriari, Jalili, Sadoddin, 2004, p1-6).   This approach uses text-based modeling in which definitions of hosts, links, and interfaces are combined to make up the model of the network. Likewise the operating system associated with a host is defined by brand, component and configuration. Services are broken down into service information and access policies. Vulnerabilities are then defined with the vulnerability name, precondition and post condition. Finally the attack is defined as a sequence of vulnerabilities which may be exploited to reach the desired goal.

Our research has shown that many of the vulnerabilities are caused by programming errors within the application layer. One way to locate errors within an application is through black box testing. Bo, Xiang, and Xiaopeng (2007) present MobleTest, which is a utility to perform black box testing on smart mobile devices. MobleTest uses a layered design to adapt to the differences of the various devices. This system allows for simultaneous multiple states and multiple tasks to be tested to determine their effect on each other (p1-7).

With the assistance of these tools and techniques we are better prepared to conduct penetration testing. We have seen how systems can be compromised using root kits, password crackers and denial of service attacks. We have also seen how they can be made more secure testing firewalls and software for vulnerabilities.

Methodology and Procedure

The team began by dividing the lab into two separate testing domains. The first test setup was created to facilitate passive reconnaissance and the second for active reconnaissance. Specifically, the first testing environment was created in VMware Workstation with four hosts running: Windows XP SP 0 (192.168.3.3) as a target, Windows Server 2003 SP 2 (192.168.3.4) as a target also, Windows XP SP 3 (192.168.3.100) as a tool host, and nUbuntu (192.168.3.101) as an observer. It should be noted that the Windows 2003 Server machine had no firewall active, and automatic updates had been disabled. While the nUbuntu machine was not strictly necessary, it offered us the ability to test the passive reconnaissance capabilities of the ‘lanmap’ program, which is not readily available in binary form for Microsoft operating systems.

Foremost, the team eliminated the use of account cracking for the duration of all the penetration tests, as we could determine no way to simulate a realistic environment with hypothetical user accounts: any method involved biases inherent to members of the team choosing the account parameters, even if blind methods were to be employed. Further, any exploits which required user interaction were deemed unusable for all tests for reasons similar to the account cracking issue. Additionally, although we were already aware of each machines configurations and IP addresses, the team thought it important to prove that this information could be discovered by using only passive reconnaissance means, as this would be a requirement in a ‘real’ penetration exercise. We utilized two parallel methods to do this: the ‘lanmap’ tool was run on the nUbuntu machine until a reasonable network map was generated, and we also used the ‘nbtstat’ tool built into the Windows XP tool host in conjunction with ‘Nete’ (www.cultdeadcow.com/tools/nete.html ). The ‘lanmap’ executable (Figure 1) was able to passively identify the Windows XP SP0 host directly by NetBIOS name and IP address, however, the Windows Server 2003 host was only fingerprinted as ‘Win,’ and so other methods were required to identify it more precisely.

Using the command “nbtstat -RR” and then “nbtstat -r” generated a list of NetBIOS names on the network. The names were ‘XPSP0VM’ and ‘2K3VMWARE,’ which might have been considered sufficient for identification, but we pushed further. Running “nbtstat -a 2K3VMWARE” followed by “nbtstat -c” displayed this host’s NetBIOS name associated with an IP address. It should be noted that NetBIOS names need only be associated with a MAC address; we ran the first command to force an IP address resolution. Finally, to determine the machine type, we ran “nete  /M  2K3VMWARE” which reported that the kernel was NT version 5.2, easily found by web search to belong to the Windows 2003 server family: our task was complete.

The team used web searches to find the most likely points of vulnerability by which to compromise both target hosts. The Windows XP SP0 required very little research as we already had prior knowledge from a previous exercise as to working exploits (ironically, this does fit in with the web search method, as prior lab exercise reports are now part of internet history). We ran the Metasploit ‘ms04_007_killbill’ plug-in from our tool host, and succeeded in compromising the XP SP0 machine in one attempt (Figure 2).

Research of the vulnerabilities for the Server 2003 machine was initially conducted via the Milw0rm archive (http://www.milw0rm.com). We found a working exploit for the MS08-067 vulnerability, and thought it might have a chance of success due to it being corrected only recently (October 23, 2008). In truth, the team was aware that the Server 2003 host was current with updates through April 15 of this year, so we really did not expect success: an admitted bias. We found the Metasploit plug-in for this vulnerability, and attempted to compromise the Server 2003 machine with various configurations for the plug-in; we ran this approximately a dozen times unsuccessfully before we gave up. It should be mentioned that we obtained additional SMB pipe names using the Metasploit pipe_auditor plug-in for use with the primary exploit.

As this exploit did not work, the team decided to create a table of Microsoft security updates from the previous attempted exploit’s date (October 23, 2008) to the current date (Table 1).  This was felt to be appropriate, as in an actual blind testing scenario, it would be reasonable to assume that the failed exploit of a vulnerable area would indicate a target at least current in updates up to the security patch addressing that vulnerability. In addition to Microsoft Security bulletins, we searched the web for any other possible exploits, including the National Vulnerability Database (http://nvd.nist.gov) but found nothing significant in addition to this bulletin based list. The goal of this list creation was to reverse engineer vulnerabilities out of corrective measures, much like the previous lab exercise.

After this, a passive evaluation of the Server 2003 host was done using standard Window’s utilities and third party tools. We used basic methods, such as attempting to connect to shares and services via the file explorer, using the ftp, tftp , and telnet clients, and also remote registry, ‘net use,’ and the remote desktop application. We were unable to successfully connect to the remote host, except for an extremely limited null session via ‘net use 2K3VMWAREIPC$ “” /USER:”” ,’ which proved essentially worthless. Additionally, we used Microsoft’s ‘PortQry’ utility to test individual standard ports, with the most interesting being found by the command “PortQry.exe -n 2K3VMWARE -e 135 -p tcp” which returned a list of RPC endpoints being offered (emap service). Despite this effort, the team did not discover any usable services or ports which responded, and so were unable to use any of the possible vulnerabilities indicated by our table. At this point, the team considered the testing methods exhausted, as we had eliminated account cracking for practicality reasons.

The third part of the testing called for a full-on assault of the third operating system using active brute force tactics and no consideration for stealth. The team decided that, in order to make it interesting, we would run this attack against fully patched Windows XP Service Pack 3. We ran Nessus from another XP machine. The scanner was fully updated. We ran it using the all plug-ins and included dangerous plug-ins. All of this was performed in a second VMware Workstation environment similar to the first setup, with the number of hosts being changed to two.

The outcome was rather disappointing. Nessus was unable to uncover a single exploitable vulnerability in the system. This led to some discussion among the team as to how to progress, as well as why this oft maligned operating system appeared to be so well secured. In view of the passive testing results and the research involving the vulnerability table for Server 2003 (which is identical to the reported vulnerabilities for Windows XP SP 3 sans the entry involving MS SQL server) we considered this test ended also, and so did not attempt any exploit, as none were known to work against this host configuration.

Results and Discussion

It is somewhat remarkable that this team was unable to compromise any machine other than the notoriously insecure configuration found in the Windows XP SP0 host. We examined the test procedures and results, and formulated an explanation for the disappointing outcome. Specifically, we feel that the answer lies in the test environment configuration itself.

Foremost, the environment is too clean. It lacks users and usage, so it really is not a good model of a real network system. There are no services running, no traffic moving in and out. There is a complete lack of intermittent devices that could be used as preliminary targets with the ultimate goal of compromising the system.

To further explain this point, we look back to the discussion of the team’s report from last week. It was noted that while Windows firewall filters most traffic, it creates a barrier to the user. Each time the user wishes to run an application that requires web services, they are prompted to either continue blocking the application, or unblock it, thus opening a port or ports, and incidentally opening a hole in the defenses. It has been the team’s experience that a user with sufficient privileges may become annoyed enough with the constant prompts that they simply turn the firewall off entirely.

Each application added to the system also comes with its own set of bugs and adds vulnerabilities to the mix. As discussed in earlier lab exercises, there are methods that can be used to help mitigate this risk, but it can never be removed entirely. A user with sufficient privileges may circumvent any policy in place and install untested software. This is especially dangerous in an environment where the user feels the policies are too restrictive or interfere with their productivity. Add into the mix web browsing and the possibility of execution of client-side scripts, and the surreptitious installation of malicious code and the once impenetrable fortress now looks like an open-air market.

This should not be taken to mean that the team feels draconian policies and restrictive rights assignment are necessary to secure a system. There is a constant and often noted trade-off between security and usability. What we would suggest instead is that security policies should be flexible in order to provide the services necessary to keep users working efficiently without opening the system to undue risk. This method is difficult, and requires constant review and dialog with the stakeholders. There is not a one-size-fits-all solution, and the only truly secure system is completely useless.

As demonstrated by our results, the base operating system with few services running or applications installed is quite secure. As one adds elements to this secure system, vulnerability will increase. We feel that this concept is also reflected in the overwhelming number of exploits and tools available which target applications, and therefore the OSI seventh layer. Consider also, many of application layer vulnerabilities really arise from how the application is used, e.g. tricking the user to install infected add -ons or browse to a malicious web page. There is a perceivable bias toward this OSI layer, but it is one which simply reflects reality: many more vulnerabilities are present in applications coupled with user interaction than non-interactive lower level functions. This becomes an important factor in penetration testing, as testers may have to rely on the unreliable and unpredictable actions of users to effectively penetrate the target system. It may raise issues of ethics, and even questions of the legitimacy of the test itself, as some might view this as simple trickery or opportunistic treachery.  It would seem that exploits found on the lower levels of the OSI layer, those which most often do not involve human interaction, are much simpler to ‘sell’ to customers, as these are relatively easy to correct from a security standpoint: application users cannot be easily ‘fixed.’ Finding exploits which are rooted in user behavior lays bare the idea that no installation can ever be fully secured as long as humans are employed in the course of normal operation: this is an uncomfortable truth.

Further demonstrated by our results, we believe that in many cases, active scanning will not reveal any more information than what effective passive scanning and careful research will on its own. Conclusively, we found nothing with the Nessus scan which we did not already know from the previous passive test against a machine of similar properties. If situation allows, much can be gained from an active scan, reducing information gathering and research times to a small fraction of the passive approach. However, if time is not an issue or risk of detection is high, passive means provide a thoroughly effective technique. Finally, we can see that biases necessarily exist in such active tools as Nessus, but this is mostly due to the limitations of project development. In theory, the Nessus project could be capable of detecting all known vulnerabilities up to the current date of use, but it seems that this may not be realistic, as it would require a tremendous amount of vigilance and effort on the Nessus team’s part. Hence, we would expect that such active tools as Nessus will always be deficient with respect to the very latest vulnerabilities revealed to the security community simply because of the time lag caused by development and deployment concerns. Therefore, a penetration tester should always check current vulnerability listings when employing an active scanner, as the very latest exploits are likely not checked for.

In examining the implications of specific exploit of an OSI layer with regard to effect on other layers, we must propose that upper layers are necessarily compromised by lower level exploits. As one area addressed by the McCumber cube model is ‘availability,’ we are certain that at the very least a lower level exploit can deny layers above it access to information. Whether this is a network hardware compromise, or a host based exploit, it cannot be denied that this is true. We do recognize that the issue is not always this simple, however. As the OSI model incorporates both ‘host’ and ‘network proper’ components (usually divided below the fourth layer), there are situations involving the host layers where an exploit will compromise all layers of the host, even those which lie ‘below’ the exploited layer: essentially an attack on the ‘processing’ McCumber subset of coordinates. A good example of this is a layer seven web browser exploit: this often renders a host entirely compromised, with such things as layer four proxies inserted into the network stack. In this situation we see a reversal of the previous concept: higher level exploits necessarily imply lower level compromise.

Furthermore, we believe an exception may exist with relation to encryption technologies found at layer six of the model. Consider that though an attacker may ‘possess’ lower levels such as those involving network hardware, a properly devised encrypted communication scheme will betray no usable information to the attacker. While the transmission of information may ultimately be denied, the ‘confidentiality’ aspect of the McCumber model is not affected. In addition, the attacker may only disrupt this traffic at the risk of betraying his own presence: hence, in theory it appears that this traffic will likely be left to function normally, all the while retaining its aspect of confidentiality.

Problems and Issues

We encountered very few real problems with this laboratory exercise, although we found having two network interfaces running for a virtual machine created dual connections between hosts on different subnets. This initially proved confusing, as NetBIOS names resolved to IP addresses which were unexpected. The team corrected the issue by disabling the second subnet interface for all hosts running in the test environment.

Conclusions

In conclusion the, the team has attempted the compromise of three Microsoft Windows based operating systems. The first, namely Windows XP SP 0, fell easily to basic passive reconnaissance and research coupled with the Metasploit ‘killbill’ plug-n. The second machine, a Windows Server 2003 installation, remained unexploited despite extensive passive reconnaissance and the reverse engineering of Microsoft security bulletins. The team attempted approximately a dozen configurations of the Metasploit MS08-067 plug-in against this host, and remained unsuccessful in exploit attempts, as no additional vulnerabilities were found. Similarly, the Windows XP SP 3 machine betrayed no vulnerabilities, even though active measures were employed: no exploit was even attempted as research regarding the second machine indicated no exploit was possible. The team speculated that these machines were too clean with regard to use environment, and questioned the practicality of such configurations, as it does not reflect normal usage employments. Additionally, the team presented a discussion of penetration tools and exploits encountered in this exercise, and noted that most were found in layer seven of the OSI model. Furthermore, the team discovered that the use of active tools does not contribute substantially to the effectiveness of penetration testing if careful research and information gathering is done in preparation. Finally, an examination of the OSI model reveals that the exploit of lower layers implies compromise of higher layers, with exceptions.

Charts, Tables, and Illustrations

Figure 1: Lanmap used to passively fingerprint Windows XP SP0.

Figure 2: Compromise of Windows XP SP0 with Metasploit  ‘ms04_007_killbill’ plug-in.

Table 1: Table 1: Microsoft Server 2003 SP2 (NT v5.2) security patches since October 23, 2008 (MS08-067).

References

Bo, J., Xiang, L., & Xiaopeng, G. (2007). MobileTest: A Tool Supporting Automatic Black Box Test for Software on Smart Mobile Devices. pp. 1-7.

Chen, S.-J., Yang, C.-H., & Lan, S.-W. (2007). A Distributed Network Security Assessment Tool with Vulnerability Scan andPenetration Test. pp. 1-4.

Haeni, R. E. (1997, January). Firewall PenetrationTesting. pp. 1-25.

Kuhnhauser, W. E. (2003). Root Kits An Operating Systems Viewpoint. pp. 12-23.

McDermott, J. P. (2001). Attack Net Penetration Testing. pp. 15-21.

Mirkovic, J., & Reiher, P. (2004, April). A Taxonomy of DDoS Attack and DDoS Defense Mechanisms. pp. 39-54.

Snyder, R. (2006). Ethical Hacking And Password Cracking: A Pattern For Individualized Security Exercises.  pp. 13-18.

Zakeri, R., Shahriari, R., Jalili, R., & Sadoddin, R. (2004). Modeling TCP/IP Networks Topology for Network Vulnerability Analysis.