Sunday, December 11, 2016

Completed Project Part I

Here are some screenshots from my final project and documentation of everything that I worked on. My project was divided into two parts. The first part was building a virtual network and the second part was using Kali Linux to try to penetration test the network and look for vulnerabilities.

Project Goals: 
My main goal this semester was to learn more about security and different ways that hackers attack systems or social engineer users. I chose to work with Kali Linux because it is a free operating system built specifically for penetration testing and security auditing. Kali has over 600 penetration testing tools included and continues to be updated. More information can be found here: http://docs.kali.org/introduction/what-is-kali-linux. Security is always a concern and as a future network engineer or system administrator I wanted to spend some time "thinking like a hacker". A network administrator and system administrator both need to be right 100% of the time when it comes to security. A hacker on the other hand, only need to be right once before they can compromise an entire system.

Project Functionality: 

  • Simulate a typical network setup for a business 
  • Perform vulnerability scanning on a network
  • Research WiFi and attempt to break WEP encryption
  • Control a computer remotely through Metasploit
  • Attempt a brute force or dictionary password attack on a machine.
  • Learn more about Man in the Middle attacks



Part 1: 
The first part of my project consisted of a simple network.

Network Diagram: 

I set the project up at my house for convenience and because it was easier to test on my own network. I hosted all my virtual machines on my laptop in VirtualBox and also setup a wireless network to see if it was possible to break WEP encryption.


I used the Belkin router to separate my house LAN from my testing network so that I wouldn't interfere with my own devices.







VirtualBox Config: 
Below is a screenshot of my VirtualBox config. All the machines were placed on an internal network and pfSense did the routing between the machines and out to the Internet.



I used the book Metasploit: The Penetration Tester's Guide for reference.
Their recommended setup:

  • Unpatched Windows XP Service Pack 2 
  • Ubuntu 9.0.4
  • Metasploitable
  • Back|Track
My setup:


  • pfSense
  • Windows Server 2012 R2 
  • Windows 8.1
  • Windows 8.1
  • Kali Linux (4.3.0)
I decided to use more current operating systems because I wanted to see if there were any know vulnerabilities and because most businesses have moved away from Windows XP. I also wanted my setup to be similar to a business so that was another reason to use more current operating systems.

pfSense Config:
  • Default username and password (admin/pfsense) 
  • SSH enabled
  • No LAN firewall rules 
  • DHCP server enabled


Windows Server Setup:
  • Domain
  • Active Directory
  • DNS server
  • File Server
  • Remote Desktop Services
  • IIS server
  • Credentials (administrator/test)
No updates were installed and I tried to leave as many defaults as possible. 


I also allowed Telnet (p23) and Web (p80) through the firewall for inbound and outbound traffic.



I also created three user accounts so that I could join my client machines to the domain. 


Client Machines: 
  • Windows 8.1 Pro
  • Firewall Disabled 
  • Antivirus Disabled
  • Username: project1
  • Password: P@ssw0rd1

Completed Project Part II

Part II: Penetration Testing
Something I learned from the book Metasploit: The Penetration Tester's Guide was that penetration testers work through certain phases while they are looking at their targets. They consist of:

  1. Pre-engagement Interactions: discussing the scope of the penetration test with the client
  2. Intelligence Gathering: learning how an organization operates. This can include Google searches, exploring their social media pages, LinkedIn connections, and beginning to probe systems to see protections in place
  3. Threat Modeling: using the information from intelligence-gathering to identify vulnerabilities on a target system. In this stage, the tester begins to decide what information they are after. 
  4. Exploitation: using previous information to fire off an exploit to a vulnerable target machine. Exploits need to be researched and should only be tried once the tester is certain that they are going to work. 
  5. Post Exploitation: begins after compromising one machine. At this point, the penetration tester moves to multiple machines and tries to capture as much as they can. 
  6. Reporting: the most important part. This shows the client where their weaknesses are and what they need to change to prevent future attacks. 


NMAP Scanning
The first thing I did on my network was scan all the different hosts to see what services were running. NMAP is built into Kali and it is a port scanner and it returns open ports, running services, and operating system information. More information about NMAP can be found here: http://tools.kali.org/information-gathering/nmap

Below is a network diagram again:


Here are the results of the NMAP scan of the server:

And below is the scan result of the client machine


Not pictured but NMAP also returned the operating system information along with the computer name and domain name. I also scanned with Zenmap and the results were very similar to above. I also tried opening ports and turning on different services to see how that changed the results.

Nessus Scanning: 
Moving on from NMAP, I started to vulnerability scan the machines on my network. For this I used Tenable Security's Nessus Vulnerability Scanner. This scanner is a lot more powerful than NMAP because it can return very detailed information about target machines. It also shows vulnerabilities and explains what exploits could be run against the system. I was able to download a free trial of this software and use it for my project but otherwise you have to pay for it.


Below is a screenshot of the scan results. Overall, everything looked pretty good. Even without updating or patching my test machines the scanner didn't return much.
Below is a detailed view of the scan results from the Windows Server 2012.


If the first two "critical" listing were exploited they could crash the server and force a reboot. More information about those can be found here https://technet.microsoft.com/en-us/library/security/ms14-066.aspx and here https://technet.microsoft.com/en-us/library/security/ms15-034.aspx. I decided to go a different route and the two that items that caught my eye were Telnet and SMB (Server Message Block) Remote Host. I knew that Metasploit had a scanner for SMB and decided to go that route.

Server Message Block is a network protocol used for sharing files, folders, and printers in a network setting. The connections are based on authentication between clients but using Metasploit the logins can be brute forced or dictionary attacked.

SMB Logins
Using a custom word list I was able to successfully login to the server's administrator account using the password: test.


Here's the successful login results. 

This test test just shows the importance of strong passwords and why defaults should always be changed. This test also shows why it is important to monitor logs on the server side and watch for numerous failed login attempts. In a real world setting, brute forcing most likely would not be used because it is noisy and hopefully would alarm administrators.

On the server side, it is also important to set Password Policies for complexity and length. Depending on the environment account lockout policies are also important. If I had these in place my attack would have been a lot harder.



And every failed attempt showed up in the server logs.




SSH Logins
Moving on from SMB logins, I was able to attack SSH. On my pfSense router, I had SSH enabled and using a tool called Hydra I was able to login to the router. More information about Hydra can be found here: http://tools.kali.org/password-attacks/hydra. Since the pfSense box was configured using the default credentials, attacking it was simple.

Previously, I only had to find a valid password; this time I had to get both the username and password.

Below is the username word list







Below is the password word list






And as expected the router accepted the credentials and I was able to use these to SSH to it later on.

Again this just shows how important it is to use something other than a default or common password. You'd be surprised too by how many devices on the Internet today still are using default credentials to login. This was even proven recently after examining the attack on the DNS provider Dyn. According to Brian Krebs, "The malware, used to perform a DDOS attack on the DNS provider Dyn relied on factory default or hard-coded usernames and passwords for IOT devices". This was taken from his October 1 blog post for Krebs on Security https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

Meterpreter
After realizing that there probably wasn't going to be an exploit for my test network, I decided to again go a different route. Other ways that hackers target machines is by installing a backdoor on systems. This can be done through various methods but it is commonly done through emails, flash drives, or file downloads. For this test, I was able to use the Metasploit framework to create an executable to place on the target machine. 

To better understand how this works I referenced this guide https://www.exploit-db.com/docs/18532.pdf. In the end, I was able to use a payload containing a Meterpreter Reverse TCP session and then encode it using the Shikata ga nai encoder in MSVenom. 

Below shows the encoding of the file and then the payload to be delivered when the target opens the file. 


Here my Kali machine is listening for when the target opens the file and ready to begin a Meterpreter session. 

Here is how the setup looked. The target machine would connect back to the Kali box once the file was opened. At this point, the Windows machine was able to be controlled from Kali.
Here is a video showing what this actually looked like live. The window on the left is the Kali VirtualBox instance and the window on the right is the Windows 8.1 VirtualBox machine. The first time I tried to open the file it failed because Windows Defender caught it and flagged it as malware. after disabling Windows Defender it worked as expected. In the video, I start a keylogger on the target machine then I remotely open Chrome and send them to Facebook. The target enters their credentials and those are stored for later. This was just one example of what could be done. In a real world environment, hopefully there would be other monitoring devices in place before this could even be done. 




Completed Project Part III

Wireless
The final piece of this project that I wanted to examine was wireless. I wanted to figure out if it was possible to break WEP encryption and simulate that in my test network. For this test, I used the wireless suite within Kali called Aircrack-ng. More information about Aircrack-ng can be found here: https://www.aircrack-ng.org/doku.php?id=getting_started. In theory, this is easy to do but I found it to be very hard to do in my test network. In the end, I wasn't able to crack it. I was able to see all the beacons from the wireless access point and  I was able to de-authenticate clients but for whatever reason I couldn't capture data packets. I tested packet injection and that worked fine but I'm thinking it was a driver error that was limiting data packet capture. Anyways here's my setup





I tried the test on 3 different access points and changed the channels but still couldn't capture anything.


Captive Portal
After being discourage by the WEP attempts, I decided to move on to something better. I used a WiFi Pineapple to create a captive portal and Man in the Middle attack. After thinking through the mindset of a hacker, I tried to figure out what it is that an attacker would be after. Is is financial information, personal information,  login credentials, Internet searches? I decided to go the financial information route and do this by obtaining a credit card number.

For this attack, I decided to set it up to something similar that might be seen at a public WiFi hotspot. I made a captive portal page similar to the website of a coffee shop and then required users to enter a credit card number before they could access the Internet.

Here was the setup:
The Pineapple would be set to the same SSID of the coffee shop (in this case Barista's Daily Grind) and then clients would connect to it not being able to spot the difference between the real one and my fake one. Another sure way of getting clients to connect would be to de-authenticate all clients from the real coffee shop access point. This would cause all previously connected clients to automatically connect to my fake one.

The coffee shop's actual website looks like this:

I tried to base my captive portal off of this design and after writing some HTML, CSS, and PHP here is what I came up with.
As soon as users try to connect they are immediately redirected to this page where they are forced to enter a credit card number. Once the number is entered, it is then stored to a text file on the Pineapple itself.

This attack is interesting because it is no longer dependent on vulnerabilities but rather playing on the human side or social engineering. Another interesting thing about this attack is that for the average user it is typically going to be undetectable. The user will think they are connecting to the coffee shop when in reality they are connecting to my device. Hopefully the user will be cautious and start to ask questions but that depends on the person. If you run a trace route command on the computer, you will see the extra hop through the Pineapple but otherwise it will be unnoticeable. If a user actually enters a number and connects, there are numerous things that can be done to them. With a Man in the Middle attack, you could redirect DNS, spoof websites, possibly decrypt HTTPS, and the list goes on. A penetration tester could use this to target other systems or a hacker could use this for malicious gains. It again just goes to show how important it is to be alert and safe on the Internet.