ITSY 1300 - Learning Activity Plans Learning Activity 1 Learning Outcome (Use Legion software to detect and map network shares, and attempt a brute force attack against password protected shares) Students will deploy Legion software on a work station to collect information about potential vulnerabilities within the network. By utilizing Legion the student will be able to identify network shares and map a drive to that share. This allows several things. First, an administrator can check to ensure that, if permitted, shares have adequate password protection. Second, this simple scan allows administrators to detect holes within the network that can be utilized by an intruder to insert/install additional monitoring software on the target computer. Recommended Resources for this Learning Activity Legion Available for download: http://packetstormsecurity.org/groups/rhino9/, Platforms supported: All versions of Windows and Unix. Legion is a NetBIOS scanner which can enumerate NetBIOS file shares across large ranges of IP addresses. Legion also provides a brute force password cracking component which can be directed against a single NetBIOS file share. Recommended Instructor Preparation for Learning Activity Instructor Notes: Legion performs its scan/enumeration of shares in two phases. First, Legion performs a simple port scan looking for systems which respond to connection attempts on TCP port 139 (NetBIOS-ssn). Second, Legion reconnects to each system share that responded to the port scan in phase one with a more extensive probe. As each share is probed again, Legion once again establishes a NetBIOS-ssn connection over TCP port 139. The way this looks to the system is as follows: 9 LEGIONBOX01 *SMBSERVER TCP: D=139 S=2168 SYN SEQ=100114 LEN=0 WIN=8192 10 *SMBSERVER LEGIONBOX01 TCP: D=2168 S=139 SYN ACK=100115 SEQ=173595 LEN=0 WIN=8760 11 LEGIONBOX01 *SMBSERVER TCP: D=139 S=2168 WIN=8760 ACK=173596 ***Note*** Legion follows the sequence numbers accordingly. Ask the students if the incremental sequence numbers could be used for something other than just this scan. (ie session hijacking) Once Legion completes the three way handshake it initiates a NetBIOS session request to the destination system using “*SMBSERVER<20>” as the Called NetBIOS name. If the destination system accepts the NetBIOS session request it responds positively and the session is established. 12 LEGIONBOX01 *SMBSERVER NETB: D=*SMBSERVER<20> S=LEGIONBOX01<00> Session request 13 *SMBSERVER LEGIONBOX01 NETB: Session confirm Once this has been accomplished, the target ends the NetBIOS session but leaves the NetBIOS-ssn TCP connection in place to allow further communication between these two systems in the future. Instructor Notes: At this point the instructor should have at least two (2) target machines that have at least two (2) network shares configured. One should be password protected and the other should be left open. Make note of the IP addresses for the target machines to give to the students. A more realistic approach would be to give them a small range to scan so they can discover the shares. Have the students download and install the Legion software. Once the installation is complete, have the students begin their scan. Scanning Using Legion: When Legion is started the initial screen appears, and gives the user two scan types choose from, “Scan Range” and “Scan List”. The Scan Range option allows the user to scan a range of IP addresses up to an entire class B network. To perform this function the user simply has to check the Scan Range radio button, fill in the starting and ending IP addresses of the range they wish to scan, choose a connection speed, and click the Scan button. In order to scan a list of individual IP addresses, the user needs to check the Scan List radio button, then type each targets IP address into the Scan List box, then click add, select a connection speed, then finally begin the scan by clicking the Scan button. If the user has a large list of target IP addresses to scan, Legion allows importing a list of IP addresses from a standard text file by clicking the Import List button. ***No matter which scan type chosen the results are given in an Explorer-type view. Simply navigating this tree the user can now map any share by highlighting it in the left-hand panel and clicking the Map Drive button at the bottom of the screen.*** Legion will then automatically display the shares detected and present them in a format as seen in the picture above. Instructor Notes: At this point have the students expand the shares by clicking the “+” in the left pane. This will show all available shares that can be mapped as virtual drives on the students machine. Instructor Notes: Have the students click the Map Drive button and the share will be mapped on their machine. A confirmation will be given. Instructor Notes: Have the students verify the share by exploring My Computer. Instructor Notes: The students can then open and explore the share, and save files or copy files that they need. This is intended to show the students the inherent security risks of not only allowing network sharing, but by having no password protection on the shares. Using Legion to Perform a Brute-force on a password protected share: When you need to attempt a brute force password cracking attack against a NetBIOS share with share level access, you can initiate the Brute Force Password Cracking Tool by clicking the Show BF Tool button at the bottom of the screen. The Force Share dialog box will appear. The user must type the name of the target share in the Path dialog box and add one or more word lists to the Word Lists dialog box, then click the Start button. Legion will display a response informing the user whether the brute force attempt was successful or not. If a successful password crack is initiated, Legion will then map the share to the first available drive and let the administrator/hacker know. Instructor Notes: Show the event viewer logs from the server or target machine so the students become familiar with the pattern/fingerprint that a Legion attack leaves on the machine. This will help the future administrators identify the attack and allow then to fix the problem. Attack Signature The true signature of a Legion enumeration attempt, as well as many other enumeration attempts are inbound NetBIOS session TCP connections to TCP port 139. Unfortunately, Microsoft has not implemented a native capability into their platforms which will allow the monitoring and logging of network level events such at these. On systems the share enumeration component of Legion does result in the generation of a Privilege Use Success Event #576 in the Security Event Log, and the brute force password cracking tool results in the generation of Logon/Logoff Failure Events #529 (and potentially #539 if the account gets locked out) in the Security Event Log. Protect Against Legion For WinNT/2000/XP Systems: 1) 2) Prevent the anonymous user from connecting to a null session and enumerating system information by setting the RestrictAnonymous registry key. See Microsoft knowledge base article Q143474 for information regarding the implementation of this feature. If you are connected to a LAN and you must use NetBIOS file sharing, adhere to the Principle of Least Privilege when granting access to those shares. (i.e. Share only the directories that are absolutely required, make the share read only if possible, grant user level share access only to required individuals). 3) 4) Install a personal firewall, implement a security policy which denies inbound access to the NetBIOS over IP ports (TCP and UDP ports 135 through 139), and monitor the firewall logs for signs of illicit activity. Ensure that the account policy is configured to lock out all accounts after a small number of unsuccessful login attempts. For the Network: 1) Block all inbound network traffic destined for the NetBIOS over IP ports (TCP and UDP ports 135 through 139) at the perimeter firewall or perimeter router. Instructor Notes: At this time, have the students begin their scans. ITSY 1300 Hands-on Lab 1. Perform a Scan Range scan first. What is the range of the scan? ____________________________________________ 2. How many targets are identified in the scan? ____________________________________________ 3. How long did the scan take? ____________________________________________ 4. How many shares were found during the scan? ____________________________________________ 5. Once the scan was complete, were there any shares that had password protection? ____________________________________________ 6. Map a drive to the shares. Are you able to view My Computer and see your new share/ mapped drive? ____________________________________________ 7. Are you able to access that drive as if the mapped drive were on your machine? ____________________________________________ 8. What could be a potential threat associated with a share that is mapped? ____________________________________________ ____________________________________________ ____________________________________________ ____________________________________________ 9. Choose your own IP range for a scan and list the range below. ____________________________________________ ____________________________________________ ____________________________________________ 10.Were any shares identified during this scan? If so, what were they? ____________________________________________ ____________________________________________ ____________________________________________ ____________________________________________ ____________________________________________ 11.Are you able to map a drive to these shares? ____________________________________________ 12.Are you able to access the mapped drive that you just created? ____________________________________________ 13.From an Administrator point of view, what hazards does this share impose on the network? ____________________________________________ ____________________________________________ ____________________________________________ ____________________________________________ ____________________________________________ ____________________________________________ 14.Are you allowed to copy or save from or to the mapped drives? ____________________________________________ 15.What hazards could this impose on the network? ____________________________________________ ____________________________________________ ____________________________________________ ____________________________________________ ____________________________________________ ____________________________________________ 16.Perform a List Scan. What is/are the IP addresses of the scan? ____________________________________________ 17.How many targets are identified in the scan? ____________________________________________ 18.How long did the scan take? ____________________________________________ 19.How many shares were found during the scan? ____________________________________________ 20.Once the scan was complete, were there any shares that had password protection? ____________________________________________ 21.Map a drive to the shares. Are you able to view My Computer and see your new share/ mapped drive? ____________________________________________ 22.Are you able to access that drive as if the mapped drive were on your machine? ____________________________________________ 23.Try and copy a file to the shares. Was it successful? If yes, what advantages could this allow an intruder to do? ____________________________________________ ____________________________________________ ____________________________________________ ____________________________________________ 24.Choose your own IP range for a scan and list the range below. Then save the range as a text file. What is the name of the text file? ____________________________________________ ____________________________________________ ____________________________________________ 25.Were you able to scan that range using the text file? ____________________________________________ 26.In your own words, do you believe that network shares are a hazard or valuable tool that should continue to be utilized on a network regardless of the vulnerabilities?