Information Leakage

Lecture Notes

This lecture focuses on information leakage from chatty protocols and service banners.

Download here

Practical tasks

This exercise explores how an attacker can enumerate vulnerabilities in a set of hosts using commonly available tools. The objective is not so much the exploitation of the hosts present, but getting acquainted with the tools and with the mindset of assessing vulnerabilities in distributed systems.

As the scope, we consider all hosts and services available on the laboratory network (10.110.2.0/24). The assessment should not attempt to penetration test the systems, but small explorations are allowed (Hint: most have interesting mistakes, bugs and clear vulnerabilities). No data should be corrupted, and no credentials should be modified. Normal operation of the hosts should not be disrupted.

VPN Setup

The lab consists of Virtual Machines running in a restricted environment. In order to access that environment you will need to be connected to the eduroam wireless network, or to connect to the University network through the Checkpoint VPN. For the VPN, please go to https://www.ua.pt/pt/stic/teletrabalho_vpn.

On top of the existing connection to the University (WiFi or VPN), you will need an additional OpenVPN connection to reach the servers. To connect to the VPN, use the configuration provided by the professor. If you are using MS Windows, OpenVPN GUI is recommended. The lab VMs are in an isolated network, with addresses in the range 10.110.2.0/24. Only this range should be used while connected to the VPN.

After the VPN is connected, you should be able to ping 10.110.128.1, which corresponds to the VPN server interface in the laboratory network.

Network Enumeration

The first task is to know your environment: how many hosts are available and what services they offer. To discover the hosts, you can use any tool that sends packets into the network and elicits a response. An ICMP echo (ping) may be enough, or you can build your own tools using sockets or Python Scapy, or use netcat.

The go-to tool is probably nmap, as it is very powerful and simple to use. Just open the console and type nmap -h, or check its manual with man nmap.

  • Want to scan a network? nmap -sn IPRANGE
  • Want to scan a host? nmap target
  • Want to enumerate the version of each host? nmap -sV target
  • Want to find the OS of a host? nmap -O target

There are many toggles that change the behavior of this tool. You can make it more or less aggressive (-T), specify ports to scan (-PS), and much more.

Tasks:

  • How many hosts are there in the network?
  • What operating systems and versions are running?
  • Which services are available in each host?
  • Based on the service information, do you have recommendations to make in order to harden the services?

Save the dumps to your computer and do a small writeup with your notes.
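Most of the notes asked for above come from a per-host service table, and the hardening recommendations usually fall out of it (which banners disclose an exact version, which protocols are cleartext). The following Python script is an added example for these notes, not part of the lab material or of nmap itself: it parses the XML that nmap writes with -oX (nmap -sV -oX scan.xml target) into such a table and lists the findings a reviewer would raise. The XML embedded in it is a constructed sample shaped like nmap output, not a real scan of the lab network, and the list of cleartext protocols is an assumption of the example.

```python
"""Build a per-host service inventory from nmap -sV -oX output and flag
information-leakage and hardening findings.

Added example for these lecture notes, not lab material and not nmap's own
code. SAMPLE_XML is a constructed sample shaped like nmap XML output."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML (-oX) output for two hosts (not a real scan).
SAMPLE_XML = """
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.110.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.6p1" extrainfo="Ubuntu"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.29"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.110.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumption of this example: protocols that carry credentials or content in cleartext.
CLEARTEXT_SERVICES = {"ftp", "telnet", "http", "pop3", "imap", "smtp"}


def parse_inventory(xml_text):
    """Return {ip: [ {port, proto, name, product, version}, ... ]} for hosts that are up,
    keeping only ports nmap reports as open."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": get("name"),
                "product": get("product"),
                "version": get("version"),
            })
        inventory[addr.get("addr")] = services
    return inventory


def hardening_findings(inventory):
    """Map each host to the list of findings a reviewer would raise from the inventory."""
    findings = {}
    for ip, services in inventory.items():
        notes = []
        for s in services:
            where = f"{s['proto']}/{s['port']}"
            if s["version"]:
                notes.append(f"{where}: banner discloses exact version ({s['product']} {s['version']})")
            if s["name"] in CLEARTEXT_SERVICES:
                notes.append(f"{where}: {s['name']} is a cleartext protocol")
        findings[ip] = notes
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_XML with open("scan.xml").read() to use a real -oX dump.
    for ip, notes in hardening_findings(parse_inventory(SAMPLE_XML)).items():
        print(ip)
        for note in notes:
            print("  -", note)
```

Keeping the parsed table (not just the raw dump) in the per-VM folder makes the later version-to-CVE correlation and the final writeup much faster.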

CVE Enumeration

Using nmap -sV it is possible to guess the version of the software running on each Virtual Machine. This version can be correlated with the information available at public repositories, such as cvedetails, and an initial assessment can be started. In this case, it will be based on public vulnerabilities, expressed as CVEs. Some specific vulnerabilities of custom software, or configuration flaws, may be missed by the assessment. Moreover, hosts can fake the software they run or its version.

Tasks

  • Also enumerate software versions for each server.
  • Look for older versions. Do you suspect any specific CVE?
  • Look at the versions of the software available. Do you have specific recommendations for the infrastructure owner?

Write your conclusions in your notes and support them with the logs obtained from running the tools. It is recommended that you create one folder per Virtual Machine.
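The correlation step is mechanical once the versions are in a table: an advisory applies when the detected version falls in the advisory's affected range. The script below is an added example for these notes (not lab material, and not how cvedetails or any scanner works internally) showing that comparison, including the edge cases that bite in practice: vendor suffixes such as "7.6p1", versions of different length ("2.4" versus "2.4.0"), and banners with no version at all, which must be reported as undecidable rather than silently treated as safe. The product names, version ranges and CVE identifiers in it are constructed placeholders; real entries must be taken from a public source.

```python
"""Correlate service versions reported by nmap -sV with an advisory table.

Added example for these lecture notes, not lab material. ADVISORIES and the
detections in main() are constructed placeholders (fictional products,
placeholder CVE ids); fill real entries from cvedetails or similar."""
import re

# Constructed placeholder advisories: a version is affected when
# introduced <= version < fixed_in.
ADVISORIES = [
    {"id": "CVE-0000-0001 (placeholder)", "product": "examplesshd",
     "introduced": "7.0", "fixed_in": "7.7", "severity": "high"},
    {"id": "CVE-0000-0002 (placeholder)", "product": "examplehttpd",
     "introduced": "2.4.0", "fixed_in": "2.4.30", "severity": "critical"},
    {"id": "CVE-0000-0003 (placeholder)", "product": "exampleftpd",
     "introduced": "2.0", "fixed_in": "2.3.5", "severity": "medium"},
]


def version_key(version):
    """Turn '7.6p1' into (7, 6): keep only the leading dotted numeric part.
    Vendor suffixes (p1, -ubuntu2) are dropped, so backported fixes are
    invisible here; that is a real limitation of banner-based matching."""
    m = re.match(r"(\d+(?:\.\d+)*)", (version or "").strip())
    if not m:
        return None
    return tuple(int(x) for x in m.group(1).split("."))


def compare(a, b):
    """Three-way compare of version tuples, zero-padding the shorter one so (2, 4) == (2, 4, 0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(version, advisory):
    """True/False when decidable; None when the banner carried no usable version."""
    v = version_key(version)
    if v is None:
        return None
    lo = version_key(advisory["introduced"])
    hi = version_key(advisory["fixed_in"])
    return compare(v, lo) >= 0 and compare(v, hi) < 0


def correlate(detections, advisories=ADVISORIES):
    """detections: iterable of (host, product, version) as read from nmap -sV.
    Returns ({host: [(advisory id, severity), ...]}, [(host, product) with unknown version])."""
    matches = {}
    unknown = []
    for host, product, version in detections:
        matches.setdefault(host, [])
        if version_key(version) is None:
            unknown.append((host, product))  # must be checked by hand, never assumed safe
            continue
        for adv in advisories:
            if adv["product"].lower() != product.lower():
                continue
            if is_affected(version, adv):
                matches[host].append((adv["id"], adv["severity"]))
    return matches, unknown


if __name__ == "__main__":
    # Constructed detections, shaped like (host, product, version) from nmap -sV.
    detections = [
        ("10.110.2.10", "examplesshd", "7.6p1"),
        ("10.110.2.10", "examplehttpd", "2.4.29"),
        ("10.110.2.11", "exampleftpd", "2.3.5"),
        ("10.110.2.12", "examplehttpd", ""),
    ]
    found, undecided = correlate(detections)
    for host, hits in found.items():
        print(host, hits or "no matching advisory")
    for host, product in undecided:
        print(host, product, "version not disclosed: verify manually")
```

Note that "fixed_in" is the upstream version; distributions often backport fixes without bumping the banner, which is one reason the lecture warns that version-based assessment produces both false positives and false negatives.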

An interesting feature of nmap is that it allows running specially crafted scripts that automate many tasks. From the perspective of an assessment, the scripts can test the existence of specific vulnerabilities, or enumerate vulnerabilities based on the versions of the software packages detected.

You can list the scripts available by listing the content of /usr/share/nmap/scripts/. Finally, you can run a script by issuing nmap -sV --script script_name target.

Tasks

  • Use the nmap scripting capability and assess the existence of specific vulnerabilities
  • Use the vulners script to enumerate vulnerabilities at a larger scale
  • Is any CVE critical? Would you make any recommendation based on your assessment? Be realistic, as there is no such thing as perfect security.

Further enumeration

Other tools besides nmap provide the capabilities to assess how a system is exposed. In particular, ivre, nessus and openvas are popular ones, as they cover a wider range of tests with more depth. We are also observing AI-assisted enumeration and pentesting, with several projects available. One example is PentestGPT at https://github.com/GreyDGL/PentestGPT.

Several other tools (next section) enable fingerprinting by analyzing the resources used, their names, and their content.

IVRE

IVRE is a generic reconnaissance tool that packages several tools into the same environment. It facilitates enumeration and characterization of hosts, providing extensive information about each host.

You can install ivre natively using apt install ivre, or use the docker compose deployment available at the GitHub repository.

If you go for the docker approach, just download the docker-compose.yml file to a new folder and issue docker compose up -d. Then you need to determine the ID of the container running the ivre/client image and issue docker exec -ti CONTAINER_ID /bin/bash.

To run a scan, do: ivre runscans --range 10.110.2.1 10.110.2.254. This will issue automated scans against the laboratory network. It will take quite a while.

Then import the scan with ivre scan2db -c RANGE-10.110.2.1-10.110.2.254 -s MySource -r scans/RANGE-10.110.2.1-10.110.2.254/up and build the views with ivre db2view.

The final step is to head to the web interface and check the results.

Task:

  • Use IVRE to enumerate the laboratory network

Web Assessment

Some of the machines host a webpage, and the scope of this assessment also includes such services. Web pages present a completely different challenge as the services provided are richer in terms of functionality, but also more complex and less secure. Web portals are typical paths towards compromising the security of a system.

For this assessment, let's focus on assessing issues with configurations and content. The objective is not to explore typical vulnerabilities (SQLi, LFI, IDOR, etc.), as these will be explored in a future assessment.

For now, let's focus on 3 tools: nikto, dirb and wpscan.

It should be noted that while tools are helpful to discover easily found vulnerabilities, they should be complemented with extensive assessment by humans.

nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto has many settings to tweak its behavior, and it will write a report to a file. The basic usage is something like:

nikto -o report.html -Format htm -host target

Tasks

  • Use this tool against the hosts and report the findings
  • Take notes about each host
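Much of what nikto reports under "server configuration items" is the web-server version of the banner leakage this lecture is about: a Server header with an exact version, or an X-Powered-By header naming the application runtime. The script below is an added example for these notes, not lab material and not nikto's code. It parses raw HTTP responses and lists which headers disclose software details, so the same check can be repeated against a host after hardening (Apache's ServerTokens Prod, nginx's server_tokens off and PHP's expose_php = Off are the settings that remove these headers). The two responses embedded in it are constructed samples, and the list of disclosing headers is an assumption of the example.

```python
"""Check HTTP response headers for software disclosure.

Added example for these lecture notes, not lab material and not nikto's code.
LEAKY_RESPONSE and HARDENED_RESPONSE are constructed samples of what a
server returns before and after the banner-related settings are tightened."""
import re

# Constructed raw HTTP responses (headers only matter here; body is a stub).
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 10:00:00 GMT\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.2.24\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><body>stub</body></html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 10:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"<html><body>stub</body></html>"
)

# Assumption of this example: headers whose mere presence names a runtime or generator.
DISCLOSING_HEADERS = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator"}
# A Server value such as "Apache/2.4.29" or "nginx/1.18.0" carries a version after the slash.
VERSION_IN_SERVER = re.compile(r"/\d")


def parse_response(raw):
    """Split a raw HTTP response into (status_line, {lowercased header name: value}).
    Repeated headers are joined with ', ' as RFC 9110 allows for list-valued fields."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        if ":" not in line:
            continue  # malformed line: skip rather than crash on odd servers
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status_line, headers


def disclosure_findings(headers):
    """Return a list of (header name, value, reason) for headers that leak software details."""
    findings = []
    server = headers.get("server")
    if server and VERSION_IN_SERVER.search(server):
        findings.append(("server", server, "discloses server software version"))
    for name in sorted(DISCLOSING_HEADERS):
        if name in headers:
            findings.append((name, headers[name], "names application runtime or generator"))
    return findings


def assess(raw):
    """Convenience wrapper: raw response bytes in, findings out."""
    _status, headers = parse_response(raw)
    return disclosure_findings(headers)


if __name__ == "__main__":
    for label, raw in (("before hardening", LEAKY_RESPONSE), ("after hardening", HARDENED_RESPONSE)):
        print(label)
        for name, value, reason in assess(raw) or []:
            print(f"  {name}: {value}  <- {reason}")
        if not assess(raw):
            print("  no software disclosure in headers")
```

Seeing the "after" output come back empty is the evidence to attach to a hardening recommendation in the writeup; note that hiding the version does not fix an outdated server, it only stops advertising it.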

DIRB

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analysing the response.

DIRB comes with a set of preconfigured attack wordlists for easy usage, but you can use your own custom wordlists. DIRB can sometimes be used as a classic CGI scanner, but remember that it is a content scanner, not a vulnerability scanner.

DIRB's main purpose is to help in professional web application auditing, especially in security-related testing. It covers some holes not covered by classic web vulnerability scanners: DIRB looks for specific web objects that other generic CGI scanners can't look for. It doesn't search for vulnerabilities, nor does it look for web contents that can be vulnerable.

To use DIRB you need to provide a target address and a wordlist. An example would be:

dirb http://IP/ wordlist

You can find many wordlists at /usr/share/wordlists/dirb/

A limitation of DIRB is that it is bounded by its wordlist. If you choose a wordlist inadequate for the host, it may find nothing. This is why several wordlists are available there. Other tools, such as wfuzz, provide additional features.

Tasks

  • Enumerate the web hosts for exposed information
  • Is there something wrong with some hosts?
  • Save the tool dumps and write summary notes with your findings

WPScan

WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues. This scanner is more specific than the previous ones and only applies to one particular software package. You can check its help page with wpscan -h and devise an enumeration against a host. However, the results will only be valid for WordPress installations.

Tasks

  • Find a system running WordPress
  • Assess the WordPress installation

Further activities
