Script kiddies acquire which item below from other attackers to easily craft an attack:

Classes of Attack

Aaron W. Bayles, ... Johnny Long, in Infosec Career Hacking, 2005

The Attack

Remote code execution is always performed by an automated tool. Attempting to execute code remotely by hand would be, at the very best, nearly impossible. These attacks are typically written into an automated script.

Remote arbitrary code execution is most often aimed at giving a remote user administrative access on a vulnerable system. The attack is usually prefaced by an information gathering attack, in which the attacker uses some means such as an automated scanning tool to identify the vulnerable version of software. Once identified, the attacker executes the script against the program with hopes of gaining local administrative access on the host.

Once the attacker has gained local administrative access on the system, the attacker initiates the process discussed in the “Misinformation” section. The attacker will do his best to hide his presence inside the system. Following that, he may use the compromised host to launch remote arbitrary code execution attacks against other hosts.

Although remote execution of arbitrary code can allow an attacker to execute commands on a system, it is subject to some limitations.


URL: //www.sciencedirect.com/science/article/pii/B9781597490115500143

Web Application Attacks

Sean-Philip Oriyano, Robert Shimonski, in Client-Side Attacks and Defense, 2012

Remote Code Execution

One well-known class of web application vulnerability is Remote Code Execution. In this type of vulnerability an attacker is able to run code of their choosing with system-level privileges on a server that possesses the appropriate weakness. Once the server is sufficiently compromised, the attacker may be able to access any and all information on it, such as databases containing information that unsuspecting clients provided.

What makes this particularly dangerous is not only the real threat of information theft and the other risks associated with running arbitrary code on the server, but also the difficulty of detecting this defect. Uncovering it may be challenging at best and impossible at worst. Extensive code and other reviews of the web application may be impractical if not impossible. Later penetration testing may assist in discovering these defects and should be performed for more sensitive applications that handle sensitive information.


URL: //www.sciencedirect.com/science/article/pii/B9781597495905000080

Attacking the Utility Companies

Tony Flick, Justin Morehouse, in Securing the Smart Grid, 2011

Penetration

In a vulnerability assessment, the risk assigned to a vulnerability is sometimes hypothetical. We can say that by exploiting a vulnerability, we will be able to obtain complete control of the vulnerable host. However, we may not know what exactly can be obtained from that host. Is there sensitive information stored on that host? Does that host provide a critical service, such as monitoring the temperatures of the nuclear reactor? Alternatively, a penetration test will answer those questions because we will exploit the vulnerability and obtain complete control of the vulnerable host to determine its purpose, which may include storing sensitive data or providing critical services.

Exploiting a vulnerability can have numerous outcomes including denial of service, information disclosure, and remote code execution. Remote code execution is usually accomplished by spawning a remote command shell that allows the attacker to execute operating system commands on the target system. The list below is just one common technique, albeit at a high level, used to gain remote control of a vulnerable host:

1. Exploit the vulnerability to spawn a remote shell.

2. Use the default utilities in the target operating system to steal the password file.

   a. On a Windows system, use a file transfer program (Example: TFTP) to upload a script, such as fgdump (www.foofus.net/fizzgig/fgdump/), that will grab the password file and the locally cached network domain credentials.

   b. Run fgdump to grab the password file.

   c. Use the same file transfer program to transfer the output of fgdump to the attacker's system.

   d. Remove the evidence, including deleting the scripts, output files, and any relevant audit logs.

3. Use Rainbow tables to crack the local Administrator password hash.

4. Use your new administrator password to log in to systems that were configured with the same local Administrator password, using Remote Desktop or Server Message Block (SMB).

5. If the victim system was accessed by a domain user, say for example, a domain administrator for troubleshooting purposes, the victim system most likely cached that administrator's password, and the attacker will be able to crack that password, given enough time to do so.

6. Use your new domain administrator password to log into any system in that domain.

Some of you may be thinking that cracking the administrator password will take too long, especially that 15-character password that contains uppercase and lowercase letters, numbers, and special characters. The latest techniques, such as Graphics Processing Unit (GPU) password cracking, botnets,4 and cloud computing will be able to crack your password efficiently. However, if you are still not convinced, does the attacker really need to crack your password? PSEXEC, which was originally released by Sysinternals (//technet.microsoft.com/en-us/sysinternals/bb897553.aspx), allows you to remotely execute commands on a Windows system by providing a valid user name and password. The popular exploit framework Metasploit contains a PSEXEC module that allows you to enter either the password or the password hash to remotely execute commands, thus saving the attacker the time needed to crack that supposedly strong password of yours. For more information on this method, review the description at www.metasploit.com/modules/exploit/windows/smb/psexec.


URL: //www.sciencedirect.com/science/article/pii/B9781597495707000078

Vulnerability Types

Russ Rogers, in Nessus Network Auditing (Second Edition), 2008

Frequently Asked Questions

Q: If a vulnerability can cause a denial of service and/or remote code execution, is it usually classified as a DoS or as a critical vulnerability?

A: Usually in classification, the worst real possibility is considered the most important. Therefore, if the remote code execution is feasible, if there is proof of concept code, or if someone has shown how it could be done, the vulnerability is critical.

Q: Does the classification of a vulnerability in one of the four categories tell me everything I need to know about it?

A: No. In addition to which class the vulnerability belongs to, you should also consider which of your machines it’s on, what defenses you have, how severe the vulnerability is, and what damage you could take if it were exploited. Some machines are more important than others, and some vulnerabilities will be more devastating than others.

Q: If a vulnerability is just a best practice, do I really need to care?

A: Yes, but how much will depend on your security policy and staffing. If you are very low on system administrator time, it’s probably better to deal with the most important and most critical vulnerabilities first. Patch your gaping holes, and then get proactive.

Q: If a DoS vulnerability is exploited, will my machine restore itself when the attack traffic stops?

A: Some will, some won’t. It depends entirely on the targeted machine and service.

Q: How do I know how much of a problem the information that I’m leaking is?

A: You might want to hire a penetration tester or security consultant to advise you, but consider whether any of that information could be used to identify avenues of further technical or social attack. How much? The damage is limited mostly by your creativity in using the information available.
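The two answers above (the worst feasible outcome decides the class; the host's importance and existing defenses decide what you fix first) as a small triage routine. This is an added example, not code from the book or from Nessus; the plugin names, hosts and the 1 to 5 importance scale are constructed for illustration.

```python
"""Vulnerability triage in the spirit of the FAQ: classify by the worst real
possibility, then order remediation by host importance and compensating controls."""
from dataclasses import dataclass
from typing import List, Tuple

# The four classes the FAQ discusses, most to least severe.
RANK = {"critical": 4, "denial_of_service": 3, "information_leak": 2, "best_practice": 1}


@dataclass
class Finding:
    plugin: str                          # scanner check name (constructed here)
    host: str
    outcomes: Tuple[str, ...]            # any of "rce", "dos", "info_leak"
    rce_evidence: str = "none"           # "none", "feasible", "poc", "demonstrated"
    host_importance: int = 1             # assumed 1..5 scale: 1 = lab box, 5 = critical service
    compensating_control: bool = False   # e.g. service unreachable from untrusted networks


def classify(f: Finding) -> str:
    """Worst real possibility wins. RCE makes a finding critical only when it is
    feasible, has proof-of-concept code, or has been shown to work; a purely
    hypothetical RCE is classified by its next-worst outcome (DoS, then leak)."""
    if "rce" in f.outcomes and f.rce_evidence in ("feasible", "poc", "demonstrated"):
        return "critical"
    if "dos" in f.outcomes:
        return "denial_of_service"
    if "info_leak" in f.outcomes:
        return "information_leak"
    return "best_practice"


def urgency(f: Finding) -> int:
    """Class dominates, host importance orders findings within a class, and an
    existing compensating control drops a finding one class notch."""
    score = RANK[classify(f)] * 10 + f.host_importance
    if f.compensating_control:
        score -= 10
    return score


def remediation_queue(findings: List[Finding]) -> List[str]:
    """Plugin names in the order an understaffed admin should work them:
    patch the gaping holes first, then get proactive."""
    return [f.plugin for f in sorted(findings, key=urgency, reverse=True)]


# Constructed sample findings (not real scanner output).
SAMPLE = [
    Finding("svc-overflow-A", "db01", ("dos", "rce"), "poc", 5),
    Finding("svc-overflow-B", "web02", ("dos", "rce"), "none", 3),
    Finding("banner-leak-C", "lab07", ("info_leak",), host_importance=1),
    Finding("weak-setting-D", "db01", (), host_importance=5),
    Finding("svc-overflow-E", "vpn01", ("dos", "rce"), "demonstrated", 2, True),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.plugin:16} {classify(f):18} urgency={urgency(f)}")
    print("fix in this order:", remediation_queue(SAMPLE))
```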


URL: //www.sciencedirect.com/science/article/pii/B978159749208900006X

Threats and Impacts

Tony Flick, Justin Morehouse, in Securing the Smart Grid, 2011

Service Fraud

Regardless of the deployment architecture chosen by a particular utility company, their customers will have access to the smart meters deployed in their homes and businesses. While tamper-resistant mechanisms should be employed, countermeasures will undoubtedly be published on the Internet.

Once information on how to hack smart meters makes its way onto the Internet, the masses, ranging from hackers to curious consumers, will possess the knowledge on how to defraud their utility company. Some will steal services, while others will be as bold as to collect money from the utility companies by fooling the system to believe that the dwelling generated electricity for the grid instead of consuming it.

Service Theft

The most predictable threat to the utility companies as a result of smart meter tampering is service theft through under-reporting. Given the current state of the economy, significantly lower utility bills may sound too attractive to resist to the average consumer.

Scenario

Threat – Consumers hack their smart meters to modify the usage information being sent to the utility company.

Attack vector – A vulnerable network device driver within the customers’ smart meter allows remote code execution when properly exploited. Customers download and install custom software off of the Internet that exploits the vulnerability and loads custom firmware onto the smart meter.

Impact – Customer is able to under-report their usage to the utility company. Thus, the customer obtains a lower bill while the utility company unknowingly subsidizes their customer.

Net Metering

The most profitable threat for consumers as a result of smart meter tampering is manipulation of net metering data. Net metering allows consumers to supply the utility companies with power they generate using technologies such as wind and solar. In turn, the utility companies either provide the consumer with an account credit, or issue a check for the amount of energy provided by the consumer to the utility company.

Scenario

Threat – Consumers hack their smart meters to modify the power generation information being sent to the utility company.

Attack vector – An easily guessed password on an administrative interface (Secure Shell [SSH]) of the customer's smart meter allows complete access to the device, including the net metering data. The customer modifies the data using a tool they downloaded from the Internet.

Impact – Customer is able to over-report the amount of power being provided to the utility company. Thus, the customer obtains a larger credit or even a check from the utility company, while the utility company unknowingly pays its customer for nothing.

Note

Within Section 1251 of the Energy Policy Act of 2005, the U.S. Congress mandated that all public electric utilities must make net metering available to their customers.3
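A tampered meter reports whatever its firmware tells it to, so the billing side should test readings against what is physically possible and against the customer's own history. The following utility-side plausibility check covers both scenarios above (under-reported consumption in Service Theft, over-reported generation in Net Metering); it is an added example, not code from the book, and assumes the utility holds each customer's registered generation capacity and a run of earlier, trusted interval readings. Thresholds and sample readings are constructed for illustration.

```python
"""Utility-side plausibility checks for smart meter interval readings."""
from dataclasses import dataclass
from statistics import median
from typing import List


@dataclass
class IntervalReading:
    customer_id: str
    hours: float          # length of the metering interval in hours
    imported_kwh: float   # energy the meter says was drawn from the grid
    exported_kwh: float   # energy the meter says was fed back (net metering)


@dataclass
class CustomerProfile:
    customer_id: str
    generation_capacity_kw: float   # registered solar/wind capacity; 0 if none (assumed known)
    history: List[IntervalReading]  # earlier readings believed to be honest


def export_ceiling_kwh(profile: CustomerProfile, reading: IntervalReading) -> float:
    """Most energy the registered generator could produce in the interval.
    Exported energy above this cannot have come from the customer's panels or turbine."""
    return profile.generation_capacity_kw * reading.hours


def flag_reading(profile: CustomerProfile, reading: IntervalReading,
                 slack: float = 0.10, jump_factor: float = 3.0,
                 drop_factor: float = 0.25) -> List[str]:
    """Return the reasons a reading deserves manual review (empty if none).

    Over-reporting trips the physical ceiling and the export-jump check;
    under-reporting trips the consumption-drop check. Thresholds are illustrative."""
    reasons: List[str] = []
    if reading.imported_kwh < 0 or reading.exported_kwh < 0:
        reasons.append("negative reading")
    ceiling = export_ceiling_kwh(profile, reading)
    if profile.generation_capacity_kw == 0 and reading.exported_kwh > 0:
        reasons.append("export claimed with no registered generation")
    elif reading.exported_kwh > ceiling * (1 + slack):
        reasons.append(f"export {reading.exported_kwh:.1f} kWh exceeds "
                       f"physical ceiling {ceiling:.1f} kWh")
    if profile.history:
        base_export = median(r.exported_kwh for r in profile.history)
        base_import = median(r.imported_kwh for r in profile.history)
        if base_export > 0 and reading.exported_kwh > jump_factor * base_export:
            reasons.append("export far above historical baseline")
        if base_import > 0 and reading.imported_kwh < drop_factor * base_import:
            reasons.append("consumption far below historical baseline")
    return reasons


# Constructed sample data (not real meter readings): daily (24 h) intervals.
SOLAR = CustomerProfile("cust-solar", 5.0, [
    IntervalReading("cust-solar", 24, 20.0, 12.0),
    IntervalReading("cust-solar", 24, 22.0, 14.0),
    IntervalReading("cust-solar", 24, 18.0, 13.0),
    IntervalReading("cust-solar", 24, 21.0, 11.0),
])
NO_GEN = CustomerProfile("cust-plain", 0.0, [
    IntervalReading("cust-plain", 24, 30.0, 0.0),
    IntervalReading("cust-plain", 24, 31.0, 0.0),
    IntervalReading("cust-plain", 24, 29.0, 0.0),
])
HONEST = IntervalReading("cust-solar", 24, 19.0, 13.0)
OVER_REPORT = IntervalReading("cust-solar", 24, 19.0, 150.0)   # 5 kW cannot make 150 kWh in a day
UNDER_REPORT = IntervalReading("cust-solar", 24, 2.0, 13.0)    # consumption "fell" to a tenth
PHANTOM_EXPORT = IntervalReading("cust-plain", 24, 30.0, 5.0)  # exporting with no generator

if __name__ == "__main__":
    cases = [("honest", SOLAR, HONEST), ("over-report", SOLAR, OVER_REPORT),
             ("under-report", SOLAR, UNDER_REPORT), ("phantom export", NO_GEN, PHANTOM_EXPORT)]
    for name, profile, reading in cases:
        print(f"{name:14} -> {flag_reading(profile, reading) or 'ok'}")
```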


URL: //www.sciencedirect.com/science/article/pii/B9781597495707000030

The hacker group

R. Gevers, in Cyber Guerilla, 2016

The creative hacker/engineer

The creative hacker/engineer is a very specific individual as well. He is highly interested in hacking and vulnerabilities; the only difference is that this person knows how to bundle and exploit vulnerabilities in such a way that it improves the effectiveness of known vulnerabilities. For instance, this person can turn a cross-site scripting vulnerability into remote code execution, and can bundle unchecked uploads in combination with remote file inclusion into remote code execution. This is the engineer to whom a hacker group should turn for out-of-the-box solutions for targeting a system. While not the quickest or most proficient programmer, this type of hacker/engineer will find the solution to the problem through sheer creativity. This hacker/engineer is not known for awesome programming skills, but for ad hoc scripts that have a tendency to always work. Once a goal (target) is set, this is the person who achieves the goal one way or the other.


URL: //www.sciencedirect.com/science/article/pii/B9780128051979000024

The Sensor Platform

Chris Sanders, Jason Smith, in Applied Network Security Monitoring, 2014

Operating System and Software Updates

The single most important thing you can do to aid in the security of any system is to ensure that the software running on it and the underlying operating system are both up to date with the latest security patches. Even though your sensors shouldn’t be visible from the Internet, if your network gets compromised through some other means and an attacker can move laterally to a sensor via a months-old remote code execution vulnerability in your operating system, it’s game over.

I’ve seen many instances where people neglect patching sensor software and operating systems because the sensor doesn’t have Internet access. As a result, it becomes too much of a hassle to perform updates on a regular basis. In such instances, one solution is to set up some type of satellite update server within your network to ensure these updates are occurring in a timely manner. While this is extra management overhead, it removes a significant amount of the risk your sensors carry when they are not updated frequently enough. Another solution would be to allow access only to those domains required for software and system updates through an internal web proxy, but this may prove challenging depending on the placement of your sensor in the network.


URL: //www.sciencedirect.com/science/article/pii/B9780124172081000039

Scanning

Dr. Patrick Engebretson, in The Basics of Hacking and Penetration Testing (Second Edition), 2013

Vulnerability Scanning

Now that we have a list of IPs, open ports, and services on each machine, it is time to scan the targets for vulnerabilities. A vulnerability is a weakness in the software or system configuration that can often be exploited. Vulnerabilities can come in many forms, but most often they are associated with missing patches. Vendors often release patches to fix a known problem or vulnerability. Unpatched software and systems often lead to quick penetration tests because some vulnerabilities allow remote code execution. Remote code execution is definitely one of the holy grails of hacking.

ADDITIONAL INFORMATION

Remote code execution allows an attacker or penetration tester to fully and completely control the remote computer as if he/she were physically sitting in front of it. This includes, but is not limited to, copying, editing, and deleting documents or files, installing new programs, making changes or disabling defensive products like firewalls and antivirus, setting up key loggers or backdoors, and using the newly compromised computer to attack new machines.

It is important to understand this step, as the results will feed directly into step 3 where we will attempt to exploit and gain access to the system. To scan systems for vulnerabilities, we will use a vulnerability scanner. There are several good scanners available to you but for this book we will be focusing on Nessus.

Nessus is a great tool and available for free (as long as you are a home user), from their website at //www.tenable.com/products/nessus. Tenable, the makers of Nessus, allows you to download a full-fledged version and get a key for free. If you are going to use Nessus in a corporate environment, you will need to sign up for the professional feed rather than the HomeFeed. The professional feed will run you about $125 a month ($1500 a year). We will be using the home version for this book. To sign up for a key, visit //nessus.org/register or search the Nessus homepage.

Installing Nessus is very straightforward. It runs on all major operating systems including Linux, Windows, OS X, FreeBSD and more. Nessus uses a client/server architecture, which allows multiple clients to connect to the same server instance if you want to. Once set up, the server runs quietly in the background, and you interact with the server through a browser. There are many good tutorials on the Internet for installing Nessus on Kali (or any Linux system). In general, to install Nessus, you need to complete the following steps:

1. Download the installer from www.nessus.org.

2. Register for a noncommercial HomeFeed key on the Nessus website by submitting your e-mail address. The Nessus crew will e-mail you a unique product key that can be used to register the product. Please be sure to pay special attention to the end-user license agreement that restricts how a HomeFeed can be used.

3. Install the program.

4. Create a Nessus user to access the system.

5. Enter your HomeFeed (or Professional) key.

6. Update the plug-ins.

7. Use a browser to connect to the Nessus server.

ADDITIONAL INFORMATION

Installing Nessus on Backtrack or Kali is straightforward. You can either use the “apt-get” command or download the .deb package from the Nessus site; .deb files can be installed using the command:

  dpkg -i name_of_.deb_file_to_install

If you are running Kali or Backtrack, you can install via “apt-get” by simply opening a terminal and issuing the command shown below:

  apt-get install nessus

Next set up a Nessus user by entering the following command into the terminal window:

  /opt/nessus/sbin/nessus-adduser

After issuing the “nessus-adduser” command, you will be asked to choose a user name and password. Be sure to answer each question pertaining to the Nessus user setup. Once a user has been created, you need to activate your registration key. To activate your registration key, run the following command in a terminal window:

  /opt/nessus/bin/nessus-fetch --register your_reg_key

You will need to replace “your_reg_key” with the key you received from Tenable. The Nessus key is only good for a single installation; if you need to reinstall, you will have to register for a new key. After entering this command, you will need to wait several minutes while the initial plug-ins are downloaded to your local machine. Once all the plug-ins have been successfully downloaded, you can start the Nessus server by running the following command:

  /etc/init.d/nessusd start

When you reboot your attacker machine and attempt to access Nessus through a browser, you may see an “Unable to Connect” error message. If this happens, open a terminal and reissue the “/etc/init.d/nessusd start” command.

One of the key components of Nessus is the plug-ins. A plug-in is a small block of code that is sent to the target machine to check for a known vulnerability. Nessus has literally thousands of plug-ins. These will need to be downloaded the first time you start the program. The default installation will set up Nessus to automatically update the plug-ins for you.

Once you have installed the Nessus server, you can access it by opening a browser and entering https://127.0.0.1:8834 as the uniform resource locator (URL) (assuming you are accessing Nessus on the same computer you installed the server on). Do not forget the “https” in the URL, as Nessus uses a secure connection when communicating with the server. If you receive a “Connection Untrusted” message or a “Certificate Warning”, you can ignore these for now by adding an exception and continuing. Nessus will take a few minutes to initialize and process the plug-ins that were recently downloaded. Once everything has been processed, you will be prompted with a login screen. Enter the user name and password you created when installing the program. Once you log into the program, you will be presented with the main Nessus screen.

You can navigate Nessus by clicking the various headings at the top of the page. Each heading represents a different component of the Nessus tool including: Results, Scans, Templates, Policies, Users, and Configuration. Before we can use Nessus, we need to either create a custom policy or make use of one of the predefined policies that Nessus creates for us. You can create a custom policy by clicking the “Policies” tab at the top of the web page. To set up a scan policy, you need to provide a name. If you are going to set up multiple policies, you should also enter a description. Please take a minute to review Figure 3.7, which shows where to enable safe checks. Note that the HTML5 interface, which is now enabled by default, has the safe checks menu under “Configuration”, then “Advanced”.

FIGURE 3.7. Setting up a “safe” scan option in configurations.

You will want to set up safe checks in most cases (they are enabled by default). The reason for this is simple. Some plug-ins and checks are considered dangerous because they check for the vulnerability by attempting to actually exploit the system. Be aware that unchecking “Safe Checks” has the potential to cause network and system disruptions or even take systems offline. By ensuring that you have “Safe Checks” enabled, you can avoid unintentional network disruptions.

Next, we move into the scan policies, which allow you to customize the policies you use within the Nessus interface. There are many options that you can use to customize your scan policy. For the purpose of this book, we will use the defaults. Take a moment to click the policies template, then select one of the default templates or create your own. Review the various options by clicking each of the options on the left-hand side of the menu. You will notice General Settings, Credentials, Plug-ins, and Preferences. These take you through each of the remaining pages where you can set additional options for your policy.

Once your scan policy is set, you can save it by clicking the “Update” button. You only need to set up your scan policy one time. Once your scan has been submitted, you will be able to use that policy to perform vulnerability scans against your target.

Now that you have a policy setup, you can run a scan against your target. To set up a scan, you need to click the “Scans” link located in the top menu followed by the “New Scan” button located on the right-hand side of the page. Nessus will bring up a new window that can be used to configure and customize your scan. You can enter individual addresses to scan a single target or a list of IPs to scan multiple hosts. Figure 3.8 shows the “New Scan” screen.

FIGURE 3.8. Setting up the Nessus scan.

Before launching the scan you need to provide a name, select a policy, and enter the IP address of your targets. It is definitely worth the effort to provide a descriptive name to your scan. Doing so will allow you to quickly locate and sort your scan results at a later date. You can enter your target IP addresses individually in the “Scan Targets” box or if you have your target IP addresses saved to a text file, you can use the “Browse…” button to locate and load it. The latest versions of Nessus provide you with the ability to either run your scan immediately or create a Template and schedule the scan to kick off at a later date and time. This can be extremely handy if you need to kick your scan off at a particular time. Once your options are set, you can click the “Create Scan” button in the lower right. Nessus will provide you with information about the progress of your scan while it is running.

When Nessus finishes the scan, you will be able to review the results by clicking the “Results” link in the menu bar. The report will provide you with a detailed listing of all the vulnerabilities that Nessus discovered. We are especially interested in vulnerabilities labeled high or critical. You should take time to closely review the report and make detailed notes about the system. We will use these results in the next step to gain access to the system.

Once we have completed port scanning and vulnerability scanning for each of our targets, we should have enough information to begin attacking the system.


URL: //www.sciencedirect.com/science/article/pii/B9780124116443000030

PHP

Mario Heiderich, ... David Lindsay, in Web Application Obfuscation, 2011

Summary

This chapter did not cover all possible obfuscation techniques available in PHP, because especially in terms of encoding and encryption, the possibilities are endless. However, we did cover basic and advanced string obfuscation patterns, learned how to access and cast superglobals, and saw several ways to execute code with eval() and beyond. In real-life situations, the possibility of using filters and streams for inclusions is particularly interesting, since many Web applications are vulnerable to local file inclusion, which can be easily turned into actual remote code execution with these techniques, while at the same time making detection and forensics extremely hard to accomplish. PHP is not very cooperative here, and it contains a lot of possibilities for creating code that is unreadable but still works.

PHP nevertheless contains far more quirks, bugs, and vulnerabilities which can be useful during an attack to unveil and manipulate data and execute code. PHP 6 might introduce a whole new array of issues and new obfuscation techniques, not only the Unicode support and the enhanced chr() function (see //php.net/manual/en/function.chr.php). Unicode whitespace might play an important role as well as possibilities to generate ASCII payloads from a Unicode string by harvesting table index information from other characters.

With this discussion of PHP behind us, let us move on to Chapter 7 and see what techniques can be used to obfuscate queries and comparable data in SQL.


URL: //www.sciencedirect.com/science/article/pii/B9781597496049000066

Introduction to Metasploit

David Maynor, K.K. Mookhey, in Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research, 2007

Overview: Why Is Metasploit Here?

Metasploit came about primarily to provide a framework for penetration testers to develop exploits. The typical life cycle of a vulnerability and its exploitation is as follows:

1. Discovery: A security researcher or the vendor discovers a critical security vulnerability in the software.

2. Disclosure: The security researcher either adheres to a responsible disclosure policy and informs the vendor, or discloses it on a public mailing list. Either way, the vendor needs to come up with a patch for the vulnerability.

3. Analysis: The researcher or others across the world begin analyzing the vulnerability to determine its exploitability. Can it be exploited? Remotely? Would the exploitation result in remote code execution, or would it simply crash the remote service? What is the length of the exploit code that can be injected? This phase also involves debugging the vulnerable application as malicious input is injected into the vulnerable piece of code.

4. Exploit Development: Once the answers to the key questions are determined, the process of developing the exploit begins. This has usually been considered a bit of a black art, requiring an in-depth understanding of the processor's registers, assembly code, offsets, and payloads.

5. Testing: This is the phase where the coder checks the exploit code against various platforms, service packs, or patches, and possibly even different processors (e.g., Intel, Sparc, and so on).

6. Release: Once the exploit is tested, and the specific parameters required for its successful execution have been determined, the coder releases the exploit, either privately or on a public forum. Often, the exploit is tweaked so that it does not work right out of the box. This is usually done to dissuade script kiddies from simply downloading the exploit and running it against a vulnerable system.

All of this has undergone a bit of a paradigm shift. With Metasploit it is now quite straightforward for even an amateur coder to be able to write an exploit. The framework already comes with more than 60 exploits pre-packaged to work right out of the box. The development of new exploits is proceeding at a rapid pace, and as the popularity of the tool soars, the availability of exploits is also likely to increase. This is quite similar to the large number of plugins that Nessus now has.

But this is only part of the story. Where Metasploit really comes into its own is in the way it has been architected and developed. It is now likely to become the first free (partially open-source, since it is now distributed under its own Metasploit License) security tool, which covers the entire gamut of security testing—recon modules to determine vulnerable hosts and interface with scanners such as Nmap and Nessus, exploits and payloads to attack the specific vulnerabilities, and post-exploitation goodies to stealthily own the system, and possibly the entire network.

What Is Metasploit Intended for and What Does It Compete with?

The MSF is an open-source tool, which provides a framework for security researchers to develop exploits, payloads, payload encoders, and tools for reconnaissance and other security testing purposes. Although it initially started off as a collection of exploits and provided the ability for large chunks of code to be re-used across different exploits, in its current form it provides extensive capabilities for the design and development of reconnaissance, exploitation, and post-exploitation security tools.

The MSF was originally written in the Perl scripting language and included various components written in C, assembler, and Python. The project core was dual-licensed under the GPLv2 and Perl Artistic Licenses, allowing it to be used in both open-source and commercial projects. However, the 3.0 version of the product is now completely re-written in Ruby and comes with a wide variety of APIs. It is also now licensed under the MSF License, which is closer to a commercial software End User License Agreement (EULA) than a standard open-source license. The basic intent is to:

Allow the MSF to remain open-source, free to use, and free to distribute.

Allow module and plugin developers to choose their own licensing terms.

Prevent the MSF from being sold in any form or bundled with a commercial product (software, appliance, or otherwise).

Ensure that any patches made to the MSF by a third party are made available to all users.

Provide legal support and indemnification for MSF contributors.

The MSF competes directly with commercial products such as Immunity's CANVAS and Core Security Technology's IMPACT. However, there is a major difference between the MSF and these commercial products in terms of its objectives. The commercial products come with user-friendly graphical user interfaces (GUIs) and extensive reporting capabilities in addition to the exploit modules, whereas the MSF is first and foremost a platform to develop new exploits, payloads, encoders, No Operator (NOP) generators, and reconnaissance tools. Moreover, it is also a platform to design tools and utilities that enable security research and the development of new security testing techniques.


URL: //www.sciencedirect.com/science/article/pii/B9781597490740500039

In what kind of attack can attackers make use of hundreds of thousands of computers under their control in an attack against a single server or network?

In a distributed denial-of-service (DDoS) attack, multiple compromised computer systems attack a target and cause a denial of service for users of the targeted resource. The target can be a server, website or other network resource.

What term below is used to describe the process of gathering information for an attack by relying on the weakness of individuals?

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Which of the three protections ensures that only authorized parties can view information?

Confidentiality: This component is often associated with secrecy and the use of encryption. Confidentiality in this context means that the data is only available to authorized parties.

What type of attack is targeted against a smaller group of specific individuals?

A whaling attack is a special form of spear phishing that targets specific high-ranking victims within a company. Spear phishing attacks can target any specific individual.
