Sunday, January 31, 2010

SimWitty Internship: Week 3

This week I experimented with some of the tools I am considering using for the lab. These consisted of:
  • Inguma
  • Fast-Track
  • Metasploit Framework 3
Inguma is interesting but I won't be using it. The GUI version is just plain broken, and the console version seems buggy. It will nicely autoscan a system, but the most useful information you get back is the NetBIOS name table.

Fast-Track has a lot of potential, but the documentation is very slim. There are many references to a wiki and other things at thepentest.com, but the site seems to be dying or dead. Fast-Track used to be backed by SecureState.com, but I'm not even sure that Dave Kennedy (the author) still works there. There is no information on Fast-Track to be found at the SecureState site anymore. I will still continue to investigate this tool, just because it seems like it could be very useful.


This leaves us with the tool of choice: Metasploit Framework 3. Metasploit is very broad in scope, and covers just about any area a pen-tester could need. Its abilities range from the 'autopwn' tool to creating custom exploit modules.
I was able to successfully attack a test VM running Windows XP SP3. The exploit I used was exploit/windows/browser/ie_createobject. It was a good example for this lab, because it basically creates a malicious web server that listens for connections. I connected to it from the VM using IE 6 and got exploited with no real visible clue. The page contained some random text, but I'm sure this could be adjusted. I just chose a simple reverse TCP shell for the payload, and it connected back just fine. I was able to execute commands on the victim.


Since it is obvious that Metasploit is going to be the most useful, I intend to do much more practice with it. I need to concentrate on figuring out a way to get a toolkit uploaded to the exploited computer. This way I can work on scanning the network from the inside and increasing my foothold with tools like Ettercap.


One small note: Matriux doesn't come with a PDF viewer, as far as I could tell. Both the Metasploit user manual and developer manual are PDF files. You can install a PDF viewer by typing sudo apt-get update, and then sudo apt-get install epdfview.

Sunday, January 24, 2010

SimWitty Internship: Week 2

The task this week was to choose which tools from the Matriux arsenal are most appropriate to use for this project. Restating the goal of the project will probably aid in clarity. The objective is to simulate client-side attacks through penetration testing and determine how the SimWitty appliance handles this traffic/behavior. With this in mind, the main tasks of this project should be:

  • Crafting email messages that link to a malicious website.
  • Creating the proper exploits for this website to affect workstations running Windows XP Professional.
  • Gaining control of those workstations if possible.
  • Attempting to increase the foothold within the network.
With this being the goal, certain tools are ruled out immediately. I won’t be needing any tools in the Wireless class or the Bluetooth class. On the other hand, certain tools will be absolutely necessary. These are mainly the tools in the Framework class. For all the other basic classes it is more hit and miss: some will be useful and some will not. I made a Microsoft Access database that includes the tool name, a description of the tool, whether it is necessary to the project, and a link to the tool's website. I then created a report from the database and printed the report out to PDF format (available here).

I am fairly certain that the main tool I will be using is the Metasploit Framework. MSF is a very nicely packaged system that should allow me to accomplish the project goals. The Fast-Track toolset also has possibilities. It is (at first glance) a scripted and simplified way of interacting with MSF, but I also believe it brings some of its own functionality to the table. Other tools that will probably be useful are those whose purpose is to explore a LAN and consolidate a foothold there. An example of this class is Ettercap. It goes without saying that Wireshark and Nmap will be needed.


There are many tools in Matriux that would be useful in a real-world situation that I won’t be using in this project. This is no reflection on the tool or the Matriux arsenal; this is just a specialized case. An example of this is the Reconnaissance class. In the real world, it would be necessary to discover a lot more about the target company. For client-side attacks such as spear-phishing to work, the attacker must be as familiar as possible with the target.

Sunday, January 17, 2010

SimWitty Internship: Week 1

Overview
In the world of information security, threats are constantly changing and attack vectors are always moving. As security is tightened on servers and networks are more closely monitored, attackers look for other ways to infiltrate the network. This is evidenced by the recent attack on Google (and other companies). The intrusion was accomplished by targeting specific users and compromising their workstations using a web browser 0day. The breach was most likely initiated through links sent in IM or email. As security on servers and networks is locked down, it becomes more apparent what a weak spot the workstation can be. The workstation is often a far more complex environment than a server, at least as far as locking it down goes. This is where the employee must work and must have certain software installed to do their job. There are often many third-party components installed on the workstation, and patch management for third-party components is not generally given much attention.
 
In order for SimWitty to be an effective security appliance, it must be able to detect and alert on this type of workstation-based behavior. One way to test this ability is through penetration testing. The penetration test must be able to simulate this type of client-side attack. This will be the main goal of my internship with the SimWitty project: to simulate client-side attacks through penetration testing and determine how the SimWitty appliance handles this traffic/behavior.

Problem
  • Prevention is hard. There will always be new vulnerabilities discovered, and thus 0day attacks generated. For this reason, a solution that relies solely on trying to prevent attack and intrusion is likely doomed to fail.
  • Detection is the next best thing. Since prevention of every type of attack is impractical, it is vital to be able to at least detect when an attack has succeeded. Only by knowing a breach has occurred can it be stopped.
Solution
  • Prevent what you can and detect everything else. Preventing known attacks through patch management and signature-based detection is the start of any good security program. The trickier question is how to detect 0day attacks on your assets.
  • Use pen testing to verify detection. Through the proper setup and execution of a pen testing exercise, detection can be verified.
  • Analyze, Adjust, and Re-Test. Only through various tests and adjustments can detection be perfected within a system.
Plan
In order for a pen testing exercise to be successful, it must be planned beforehand and documented afterwards. The SimWitty project has decided to use the Matriux security distribution for its security testing suite, so the plan will start with Matriux.
  1. Explore the Matriux Arsenal. The Matriux distribution will have in the neighborhood of 300 different tools/utilities/libraries.  With this much to choose from, it becomes essential to decide which tools will be useful to the test.
  2. Explore VirtualBox and its networking capabilities. My testing will be against a virtual network that simulates a small business. My virtualization software of choice is VirtualBox. One advantage of the VirtualBox platform is the ability of its simulated network interfaces to operate in promiscuous mode. To analyze the test results, the operator must understand and be familiar with how the test platform works.
  3. Build an example network. For the testing to be relevant, it must operate against a target that resembles reality as closely as possible. I will attempt to create a representation of a small business network using virtual machines consisting of a Windows 2008 Server, a couple of Windows XP workstations, and either a SimWitty appliance or a Snort server.
  4. Execute an attack simulation. Having decided on which tools from Matriux will be most useful, I will attempt an attack against my virtual network. The goal will be to simulate some sort of a client side attack that an employee at a small business might face, such as email phishing for login credentials, a malicious file attachment, or phishing with redirection to a malicious website.
  5. Document how the attack is detected and reported on. I will observe the behavior of the SimWitty/Snort device to see whether the attack is detected, and how the device alerts about the attack. I may also employ another machine that will sit on the network and record all traffic passively. This could allow me to create pcap files that would be useful to those developing the detection and reporting engines of SimWitty.
  6. Document the process and results. As I am working on the internship, I intend to keep copious notes throughout the process. After I am done, I will use these notes to do a write-up of the entire process. This should prove helpful to any interns that may follow by allowing them to recreate beginning steps, then proceed to deeper research topics.
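Step 5 mentions recording traffic passively into pcap files for the people building SimWitty's detection and reporting engines. The script below is an added example, not code from this blog, from SimWitty, or from Snort: a minimal reader for the libpcap file format that lists the outbound TCP connections each internal workstation initiated, which is the first question a detection engineer asks of such a capture. The sample capture is constructed inside the script itself (addresses, ports and timestamps are made up), and the internal address prefix 10.0.0. is an assumption about the lab network.

```python
"""Minimal libpcap file reader: list outbound TCP connection attempts per internal host.

Added example; the SAMPLE_PCAP below is constructed, not a real capture.
"""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond timestamps, little-endian writer
PCAP_MAGIC_BE = 0xD4C3B2A1   # same format written big-endian
LINKTYPE_ETHERNET = 1
SYN, SYN_ACK = 0x02, 0x12    # TCP flag bytes used in the sample


def _tcp_packet(src, sport, dst, dport, flags):
    """Build one Ethernet/IPv4/TCP frame (header-only, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def _pcap_file(frames):
    """Wrap frames in a libpcap file: 24-byte global header, 16-byte record headers."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(
        struct.pack("<IIII", 1264700000 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames))
    return header + body


# Constructed sample: workstation 10.0.0.20 fetches a web page from 203.0.113.5,
# then opens a second outbound connection to the same host on a non-web port.
SAMPLE_PCAP = _pcap_file([
    _tcp_packet("10.0.0.20", 49152, "203.0.113.5", 80, SYN),
    _tcp_packet("203.0.113.5", 80, "10.0.0.20", 49152, SYN_ACK),
    _tcp_packet("10.0.0.20", 49153, "203.0.113.5", 4444, SYN),
    _tcp_packet("203.0.113.5", 4444, "10.0.0.20", 49153, SYN_ACK),
])


def read_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for every record in a pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_syns(data):
    """Return (src, dst, dport) for each TCP SYN without ACK, i.e. each connection attempt."""
    attempts = []
    for _ts, frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not an IPv4 frame
        ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
        if frame[23] != 6:
            continue                                  # not TCP
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue                                  # truncated TCP header
        dport = struct.unpack_from("!H", tcp, 2)[0]
        flags = tcp[13]
        if flags & 0x02 and not flags & 0x10:
            attempts.append((src, dst, dport))
    return attempts


def outbound_ports_by_host(data, internal_prefix="10.0.0."):
    """Map each internal host to the set of external ports it tried to connect to."""
    ports = defaultdict(set)
    for src, dst, dport in tcp_syns(data):
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            ports[src].add(dport)
    return dict(ports)


if __name__ == "__main__":
    for host, dports in outbound_ports_by_host(SAMPLE_PCAP).items():
        print(host, sorted(dports))
```

Run against a real capture by replacing SAMPLE_PCAP with the bytes of a file written by tcpdump or Wireshark (classic .pcap, not pcapng). A workstation that browses to a site and then opens a second connection to a non-web port on the same host is exactly the pattern step 5 wants the monitoring device to surface, and a per-host port summary like this one makes it visible without any signature.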
Summary
I look forward to the SimWitty internship being not only a great challenge, but a great learning opportunity. It will test (and build) my ability to plan, my ability to think through problems, my ability to adapt and adjust, and my ability to document and communicate with others. I believe that this work should give me a firm understanding of the basics of penetration testing, and a glimpse into the kind of real-world problems that an information security professional must be able to react to and deal with.