Archive for June, 2009
Backtrack /pentest A to Z Part 1: Bluetooth and Cisco
by phil on Jun.20, 2009, under Backtrack A to Z, Security
Recently Backtrack 4 was released. Backtrack is a great resource to learn about security and penetration testing in general. It also has a lot of tools to perform a variety of tasks. One of the interesting features in Backtrack 4 is the /pentest folder. It contains tools and resources, but it’s a little mystified in its presentation: just a directory hanging out there. For the next few months I’m going to attempt to de-mystify and test as many of the tools as I can. To make this even more exciting I’ll be doing it from A to Z, starting with the first folder listed alphabetically and going from there. Originally I had thought of just doing this folder by folder, but after looking through everything I’ll just make a judgment call when I want to stop fiddling around. In some posts I’ll cover more than one folder and other times I might only cover a tool or two.
So let’s get started shall we?
This one is an easy one. There aren’t too many Bluetooth tools here to begin with, mainly because a lot of the Bluetooth tools are built in to the OS (such as HCI Dump).
Taking a look at blueprint, it’s a tool which allows you to profile a Bluetooth device. You tell it the Bluetooth device ID and it will spit out as much information as it can.
Bluesmash is a GUI tool designed for getting information from phones and exploiting a range of vulnerabilities. Since I don’t really have access to Bluetooth on this machine I can’t go in to more detail than that. I have played with these tools in the past, but since I didn’t have a vulnerable phone available at the time I couldn’t really test the vulnerabilities.
Moving on to the next folder, CISCO, we see there is a selection of tools for dealing with (and discovering) Cisco devices (what else did you expect?). To test these tools out I used GNS3 (a Cisco router emulator) and set up my own virtual Cisco 7200 router. It took me a while to set it up, but your best bet is to follow the tutorials at BlindHog. I won’t be supplying any image files; I’ll leave that up to the reader to find. The basic GNS3 configuration was set up like this:
Since I’m running all these tests in my lab (with VirtualBox) on a virtualized internal network, I had to run GNS3 on a virtual Windows XP instance. In the end, though, it didn’t give me too many problems getting it set up.
So once I had set up the practice router I was able to test all the tools available in the cisco folder.
The first tool I took a look at was CAT, or Cisco Auditing Tool. To call it an auditing tool is a bit of a misnomer, since it’s really just a password brute-force tool which connects over the telnet port (23). It has some other features for exploiting an old IOS bug, but other than that it just takes a wordlist and attempts to guess the password. You’d be better served using something like hydra or medusa instead (we’ll get to those later on). But I have to say it did work at brute-forcing my password and successfully told me what the password was.
Cisco-Global-exploiter has some interesting functions:
However, since I didn’t have an image for any of the above Cisco machines to try out, I can’t really confirm whether any of these work. But if you do have a Cisco device and have tested this out, let me know in the comments section.
Cisco-OCS simply scans for vulnerable Cisco devices. It turns out the device I was running wasn’t vulnerable: it was found, but not vulnerable.
Ciscos-1.3 does the same as CAT, but instead of trying multiple passwords it simply tries to connect to every IP using the default password ‘cisco’.
And finally we’ve got copy-router-config. This one really isn’t too hard to guess: just start up the tftpd daemon in Backtrack and, provided you know the community name (an SNMP thing), it will pull out the full config, letting you analyze it later and identify any weaknesses in the config.
And so ends part 1 of our series. As part of this series I’m also going to tell you how I put together my practice lab, plus a list of other tools that you can use in Windows which are not included on the Backtrack CD.
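The copy-router-config trick works because the tool drives the copy through SNMP set requests, which need a read-write community string, so the defensive fix is to stop handing out writable SNMPv1/v2c communities at all. The IOS configuration below is an added example (not part of the original post or of the tool) showing the hardened shape: the well-known default communities are removed, the remaining read-only community is tied to a single management host by an ACL, and anything that must write goes over SNMPv3 with authentication and encryption. The community string, management host address, group, user and passphrases are placeholders.

```text
! remove the defaults that every scanner tries first
no snmp-server community public
no snmp-server community private
! only the management station may poll, and it gets read-only access
access-list 10 permit host 192.0.2.5
access-list 10 deny any log
snmp-server community ReadOnlyExampleString RO 10
! writes (including config copies) only via SNMPv3 with auth + priv
snmp-server view ALL iso included
snmp-server group NMS-WRITE v3 priv write ALL
snmp-server user nmsadmin NMS-WRITE v3 auth sha AuthPassExample priv aes 128 PrivPassExample
```

With this in place a scanner that guesses ‘public’ or ‘private’ gets nothing, a guess at the read-only string from anywhere but the management host is dropped (and logged by the ACL), and there is no v1/v2c community that can trigger a config copy to a TFTP server.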
Update: A friend brought to my attention that I was using an older version of the /pentest folder; Backtrack had released a new CD with a few more tools. Looking through it I found two new tools: Redsnarf and Bluebugger. Redsnarf is a Bluetooth tool designed to hunt down non-discoverable Bluetooth devices (by guessing the last six bytes of the Bluetooth address). Bluebugger simply pulls down as much information from a Bluetooth phone as it can. Unfortunately, since I don’t allow VirtualBox access to my Bluetooth hardware, I wasn’t able to test these tools. If you have, let me know in the comments.
Furthermore, in the Cisco folder I noticed a rather odd addition, a tool entitled ‘oscanner’. When I looked up what this tool does, it doesn’t sound like it’s in the correct folder at all. This tool is really called ‘Oracle Scanner’ and is used to perform a slew of tests against an Oracle database. Since I don’t have Oracle installed I wasn’t able to test it out, but from what I’ve read about the tool it sounds promising, if only it were located in the Database folder instead.
A good read through the Astalavista.com hack log
by admin on Jun.09, 2009, under Uncategorized
If you’ve been reading the news recently in the IT security world you’d know that the website Astalavista was recently hacked. Usually I don’t care too much about these activities; websites get hacked all the damn time and it’s never really a big deal. But what makes this case special is that whoever did the attack decided to paste their entire log online.
First, some quick history. A while ago a website called Astalavista.box.sk came about to allow people easy access to security files and cracks.
At its start in 1994, it was one of the first search engines for computer security related information. In reality it turned out to be used as a search engine for security exploits, software for use in hacking and cracking, and various key generators and software cracks. The site is also known for referencing things such as spyware and viruses. Because of this, the website is known to possibly contain data, links, downloadable files, and information some users would consider spyware, adware, or other unwanted programs.
Thriving off the success of Astalavista.box.sk, another site came along: Astalavista.com. This site was really just a rip-off of Astalavista masking itself as a security ‘community’. From their own site:
Astalavista.com – the hacking & security community, is one of the world’s most popular and comprehensive computer security web sites. Astalavista.com was originally founded in 1997, by a hacker computer enthusiast. The name of the site came from the unforgettable line in the Terminator 2 movie – “Hasta La Vista Baby”. Since then, the site became the underground’s most respected and well maintained community for anything you ever wanted to know about security. The enormous database, the constant updates, the unique nature of the content published, the new services and features, all offered for free, turned Astalavista.com into what it is today – a cult!
It wasn’t until recently that a group known as Anti.sec decided they had had enough of Astalavista.com and decided to see what they could do. Most obviously they got in (using a 0day exploit, no less). But what was interesting about this case was to see how easy it is to go from:
Exploit -> Command Line access -> Local Exploit -> Root Access
But what was even scarier was to see how common tools Unix admins use on a daily basis (and current configurations) can be used against them to expose weaknesses not only in their local machines but in a whole host of machines, especially when we’re talking about CMS sites.
Let’s start with how they got in. There’s not much here (because the log is purposefully vague at this point, to keep the script kiddies at bay), but basically they used a 0day (or unknown) exploit against their LiteSpeed HTTP daemon. Once they had access to the server they were logged in as the ‘apache’ user. This user doesn’t have many rights other than reading websites, so using a local privilege escalation exploit they gained local root access. This is pretty much the end of this machine: once someone has escalated their privileges to root they ‘own’ the box. They can install rootkits, keyloggers, bots, deface websites, etc. Normally the hack would end here, but being the industrious kids they are, they proceeded to poke holes in the rest of the site’s security. A quick scan through the ‘history’ log shows every time someone used a command. Whoever the admin was for this machine felt it was necessary to log on to their database server passing the password through the command line:
mysql -h -ucontrexxuser2 -p0fEYNZgXz1pKe com_contrexx2_live < /root/defaultp_ports.sql
But the password stealing doesn’t end there. Peppered throughout the site are PHP scripts used to connect to the database. These scripts are normally used by content management systems (such as WordPress or cPanel) and, because they are database driven, they obviously need access to the database. You can see above that at least the account wasn’t the ‘root’ account, the admin account in MySQL; a separate account was used instead. At least they didn’t get the admin account…
sh-3.2# cat .my.cnf
[client]
user=da_admin
password=X9dctmRH
Oh, never mind. You see, the above file (.my.cnf) is a MySQL configuration file. Some programs let you put this file in your home directory to make it easier on you when logging in to the server. The problem: it stores your password in plaintext. For an IT security website they sure don’t practice good security. And ‘da_admin’, really?
But it gets worse. Reading through a bunch of files, the group found a file used for backups. Normally this would be a good thing, showing prudence on the part of the administrators in properly conducting backups. The problem? The file was a simple shell script which connected to an FTP server and uploaded the backups:
# ftp for synology backup server
FTP_HOST="212.254.194.163";
FTP_PORT="21";
FTP_USER="astalavista.com";
FTP_PASS="yWHOJbzpWTWC6Xrmg1WnfBk5V";
FTP_DIR="/astalavista.com";
As you can see, the attacker now has yet another password. In the log the attacker simply logs on to this server to see what’s there; presumably they’re just after astalavista.com. In reality I’d be surprised if they didn’t log on to that server as well using SSH (because nowadays most systems are segregated when it comes to FTP and user logon). And, as demonstrated above, it is trivial to escalate privileges once you have local command line access.
So armed with this information the attackers knew the following:
- Astalavista.com website files, scripts, forums and content
- The database admin username and password
- The backup location (and access to the backups)
Without using much of your imagination you can guess what they did next:
sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
ftp> cd astalavista.com
250 CWD command successful.
ftp> ls -la
[snip]
ftp> mdelete *
mysql> drop database astanet_membersystem;
mysql> drop database com_contrexx;
mysql> drop database com_contrexx2;
mysql> drop database com_contrexx2_live;
mysql> drop database ideapool;
mysql> drop database yourmaster;
mysql> drop database astanet_ads;
mysql> drop database astanet_mailing_lists;
mysql> drop database astanet_mediawiki;
Basically they did the following:
- Deleted the local website, scripts and pages
- Deleted the temp, test and log directories
- Deleted the user folders
- Connected to the FTP backup site and deleted the backups
- Connected to the database and dropped all the website databases
They removed any trace of this website.
What can you learn from this? There are a couple of things:
- Don’t store your passwords in plaintext
- Segregate your database access on a user basis
- Keep your current systems up to date with patches and security fixes
- Do not push your backups but instead force the backup server to pull the information
- Never pass passwords through the commandline
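Three of those lessons are things you can check for on your own boxes before someone else does. The script below is an added example, not from the original post or the hack log: it scans shell history and config files for the exact shapes the log exposed (a password passed inline to mysql, a password= line in ~/.my.cnf, an FTP_PASS= assignment in a push-backup script) and flags any credential-bearing file that is readable by group or others. The pattern names, the sample history, config and script contents, and the placeholder secrets are all constructed for this example.

```python
"""Audit shell history and config files for plaintext credentials.

Added example, not from the original post or the hack log. It flags the three
leaks the log exposed (a password on the mysql command line, a password= line
in ~/.my.cnf, an FTP_PASS= assignment in a push-backup script) and checks that
any file holding a credential is readable by its owner only. Pattern names and
all sample data below are constructed for this example.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

PATTERNS = [
    # mysql/mysqldump with -pSECRET or --password=SECRET on the command line.
    # A bare "-p" (which prompts for the password) is deliberately not matched.
    ("mysql-cli-password",
     re.compile(r"\bmysql\S*\s[^\n]*?(?:\s-p|--password=)(\S+)")),
    # key=value lines such as password=..., FTP_PASS="..." or DB_PASSWORD=...
    ("config-password-key",
     re.compile(r"^\s*(?:password|\w*_?pass(?:word)?)\s*=\s*[\"']?([^\"'\s;]+)", re.I)),
]

# Constructed samples mirroring the shapes seen in the log; the secrets are placeholders.
SAMPLE_HISTORY = (
    "cd /var/www\n"
    "mysql -h db.lab.internal -u app -p\n"
    "mysql -h db.lab.internal -uapp -pEXAMPLEpw1 app_live < dump.sql\n"
    "mysqldump --user=app --password=EXAMPLEpw2 app_live > backup.sql\n"
)
SAMPLE_MY_CNF = "[client]\nuser=da_admin\npassword=EXAMPLEpw3\n"
SAMPLE_BACKUP_SH = (
    "#!/bin/sh\n"
    "# push backups to the ftp server\n"
    'FTP_HOST="192.0.2.10";\n'
    'FTP_USER="backup";\n'
    'FTP_PASS="EXAMPLEpw4";\n'
)


def redact(secret: str) -> str:
    """Keep a two-character prefix so a finding can be traced without re-exposing the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def scan_text(source: str, text: str) -> list:
    """Return one finding per line that carries a plaintext credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({"kind": kind, "source": source,
                                 "line": lineno, "secret": redact(match.group(1))})
    return findings


def check_permissions(path: Path) -> list:
    """Flag a credential-bearing file that is readable or writable by group or others."""
    if path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [{"kind": "credential-file-not-owner-only", "source": str(path),
                 "line": 0, "secret": ""}]
    return []


def scan_file(path: Path) -> list:
    """Content scan plus, only for files that actually hold a secret, the mode check."""
    findings = scan_text(str(path), path.read_text(errors="replace"))
    if findings:
        findings += check_permissions(path)
    return findings


def write_sample_tree(root: Path) -> list:
    """Write the constructed samples with the (bad) modes the log suggests; returns the paths."""
    files = [
        (root / ".bash_history", SAMPLE_HISTORY, 0o600),
        (root / ".my.cnf", SAMPLE_MY_CNF, 0o644),
        (root / "backup.sh", SAMPLE_BACKUP_SH, 0o755),
    ]
    for path, body, mode in files:
        path.write_text(body)
        os.chmod(path, mode)
    return [path for path, _, _ in files]


def run_demo() -> list:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = []
        for path in write_sample_tree(Path(tmp)):
            findings += scan_file(path)
        return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['kind']:32} {Path(f['source']).name}:{f['line']} {f['secret']}")
```

Run against a real home directory, point scan_file at ~/.bash_history, ~/.my.cnf and any cron or backup scripts; the mysql pattern ignores a bare -p (which prompts), so the right fix for the history finding is simply to stop putting the password on the command line, and the right fix for the .my.cnf finding is at minimum chmod 600 on a file that only that one account can read.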
All in all an impressive display and interesting log to read through.
Update: The attackers also went after one of the individuals who was researching this attack. You can see his log here. Basically they used an SSH attack to gain access, found a boatload of passwords on the machine, accessed the database, dropped the database and deleted the entire file system. Still interesting.