Penetration Testing

Report

Team 404 John Rodriguez, Nicholas Diley,

Ed Burnham
The information in this report is considered
for educational purposes only. Unauthorized
disclosure of this report can result in
damages or legal issues. This report should
only be distributed to individuals for
educational purposes only. All cases are
hypothetical and for educational intent only.
NTS330 Applied Exploits and Hacking
12/12/2014

Contents
Overview.................................................................................................................... 4
Level 1 Scenario......................................................................................................... 5
Summary................................................................................................................. 5
Discovering our target............................................................................................. 5
Reconnaissance....................................................................................................... 6
Brute Forcing........................................................................................................... 9
SSH access with brute forced account..................................................................11
Scavenging............................................................................................................ 11
Brute forcing (again)............................................................................................. 12
Scavenging............................................................................................................ 14
John The Ripper..................................................................................................... 14
Access................................................................................................................... 15
Scavenging and Decrypting..................................................................................16
Conclusion............................................................................................................. 20
Recommendation.................................................................................................. 20
Findings................................................................................................................. 20
Level 2 Scenario....................................................................................................... 22
Summary............................................................................................................... 22
FTP........................................................................................................................ 22
Reconnaissance..................................................................................................... 23
John The Ripper..................................................................................................... 24
Account Digging.................................................................................................... 25
John The Ripper (again)......................................................................................... 25
Scavenging and Decrypting..................................................................................27
Conclusion............................................................................................................. 29
Recommendations................................................................................................. 29
Findings................................................................................................................. 30
Level 3 Scenario....................................................................................................... 31
Summary............................................................................................................... 31
Reconnaissance..................................................................................................... 31
Gaining Access (with some more Reconnaissance)...............................................33
Cracking................................................................................................................ 35
Scavenging............................................................................................................ 37

Conclusion............................................................................................................. 38
Recommendations................................................................................................. 38
Findings................................................................................................................. 38
References................................................................................................................ 40

Overview
This weeks lab required us to do a penetration test against 3 vulnerable
systems to test our knowledge and skills in penetration testing. Not having
that much information on the systems themselves, we had to do a bit of
reconnaissance to find out more about our targets. Using skills such as
nmap, we found information that would help us in attacking our target. The
lab made us go outside the box and think what could potentially work and
what wouldnt with the information we had collected from our targets. The
scenarios in this lab require us to prove to our CEO that a penetration test
was needed on our site to see what vulnerabilities existed on our network.
(This is information gathered from a non-existent company. Anything found
that exists is purely coincidental. For educational purposes only.)

Level 1 Scenario
Summary
Level 1 dealt with gaining access to a system that had quite a couple of ports
open that are vulnerable to many possible methods and techniques of
attacking. Methods used in this lab required reconnaissance, brute forcing
logins, looking through the file system for files, and decrypting files
encrypted with OpenSSL.

Discovering our target

First thing we do is find the IP address of our target. Since we are to prove
that our network needs serious penetration testing, we will make sure to
prove all essentials targets to being vulnerable. Running netdiscover, we get
this:

Results from netdiscover.

We find quite a few IP addresses. Knowing our environment, we get a bit of a

head start and nmap the 192.168.1.x range. Our servers would most likely
just be the 100 and 110 hosts. We will focus on the first server. The image
below shows the results of our scan.

Reconnaissance

Results from nmap on the 192.168.1.100 and 192.168.1.110 hosts.

We see quite a few open ports on the target. That in itself gives us many
possible entry points that could possibly have vulnerabilities and let an
intruder onto the system. We do a more in depth nmap scan to see what
services and versions of those services are running on the server.

Results from in depth nmap scan.

So we see that an Apache server is running on the server. Why not take a
look and see if it is hosting a website?

Image of the 192.168.1.100 Apache server.

Indeed, this server is hosting a website. We read the information on the

homepage, but nothing of interest seems to be on this page with the
exemption of the game-related web pages. We want to see what else this
website holds, so we go ahead and click the link. Results of this are below.

Results of game-related page link.

Oh! There are a few interesting things in this page. We see that there are
emails and names of employees from the company. Perhaps we should save
these emails and names that are on the website for future notes. We may be
able to use these to gain access to the system.

From the way the format of the email seems to look like, they look like
potential usernames for a system. We are not entirely sure, but we are trying
to grab as many notes as possible from the page that could help us gain
entry to the system. Using a couple of common usernames along with
possible combinations with all the usernames found on the page, the
following text files were created for possible future use along with an image
below.

Emails.txt
Users.txt

Users.txt and Emails.txt are being shown.

This is a good amount of information to go off from. Since this is as much

information that we can get from the website at the moment, we will look
back at the services and ports that were open during our nmap scan.

SSH and FTP are open. The issue with the FTP server though is that it
reported back to be broken (could not bind listening IPv4 socket). Most likely,
we will not be able to use FTP correctly to look around the system. SSH,
however is open, and we could most likely gain entry to the system using
SSH.

We have possible usernames to login to the server through SSH, but we do

not know any passwords. We tried logging in with Root with common
passwords that we could think of, but that did not work. So at least the
server does not have a password that can come to mind to an attacker that
easily. Next up, we will try to brute force our way in.

Brute Forcing
With the list of names that we compiled, we try using Hydra to get in.
Because we don't have any passwords, we will use the same list of names

first along with null, reverse login, and password as the login to hopefully be
able to gain entry with this list. Maybe we can get something out of it.

Hydra command being shown.

We launched the above command to see if we are able to login with any of
the combinations that we piled up from information we found on the website.

Results from using Hydra.

Success! We found one valid login using the list of users. bbanter is the
intern that works here, but his password is also bbanter. That is very
unsecure. This will allow us to gain entry into the system. So let's try SSH
using Banter's account.

SSH access with brute forced account

Gaining access through SSH using bbanter.

We logged in successfully using bbanter. Now we are in the system, but what
are we able to do on this account. Let's find out.
We ran a sudo -l to see what sudo commands the account is able to do.
Unfortunately, there are no sudo commands that we are able to use with this
account. Still, that does not discourage us. It is time to look around the
system to see what we can find as loot or maybe of help to us.

Scavenging
We take a look around the system, but nothing much of interest. We find the
FTP folder under /home/, but we do not have the permissions to gain entry to
the folder. Possibly something good in there, but we are not entirely sure,
since we cannot see what is in the system.
We continue looking around a bit more and find an interesting file named
passwd in the /etc/ folder. We cat this folder to see the contents of the file.

Contents of passwd.

Based on the contents of this file we found, this tells us that there are 3
accounts on this system. One account seems to have sudo access, which is
the aadams. With this knowledge, we know that if we can gain access to
aadams, we'll able to do many more things.
Knowing Linux, we know that Linux creates a file called the shadow file that
stores all the password hashes of all the users in the system. This is also
found in /etc/. Let's cat the shadow file to take a look.
We were denied from doing cat on the shadow file.
So nothing much popped up from the system after looking around for quite
some time. Literally, we were looking around for a good hour and a half. The
server is locked down pretty well, and with this account, there isn't much
that we can do honestly. But now that we know that aadams has root access,
we can try gaining access to that account the same way that we did for
bbanter. Yes, we will be using Hydra.

Brute forcing (again)

There is a wordlist in Kali Linux that contains most common passwords. It is a
rather large list, and we are hoping much success with this wordlist.
We created a file that has aadams and root, since those are probably the two
accounts we want access to. We want to scavenge through the system a bit
more, so elevated privileges would definitely fit the role.

Hydra command to be used against aadams and root.

Using the above command in the image, we will brute force those two
accounts to see if we can gain any elevated privileges on the system.
After a good amount of time that passed, Hydra was able to break in into
aadams account. The password on that account is nostradamus. With this,
we should be able to gain access to the account and have privileges to do
more things on the system. At this time, we think that looking through the
FTP folder and the shadow file will probably do us good.

SSH through the aadams account.

Now that we have the password, we will switch users to aadams, as that
account will definitely give us more leeway in what we can do.

Scavenging
First thing we do once we gain access to the account is do a sudo l to see
what permissions the account holds. We are able to do sudo ls, sudo cat,
sudo more, and sudo su. Thats a lot more that we can do with than with the
bbanter account we previously gained access to. Lets go back to that
shadow file and see what we can find.

Results from the sudo cat shadow command.

So we werent able to simply cat it at first. We had to run it with sudo to be

able to. That still did not stop us though as the shadow file gave us all the
hashes that we wanted earlier. From this, we can see that all the hashes are
MD5 hashes, due to the $1$ at the beginning of the hash. We should be able
to use John The Ripper to crack the hashes for us.

John The Ripper

After using John The Ripper, we get the following results:

Results from using John The Ripper

We stopped the process once it cracked the root password, as we believe we

would not need access to the ccoffee account in the system. Root will allow
us to do anything in the system. The password to root happened to be tarot.

Access
Now that we have the root password, we switch users using su root to switch
over to the root account.
Success! We now have root access at this point in time. We should be able to
do anything now in the system. We remind ourselves that the FTP folder is
still there. We should probably look in there again now with root.

Scavenging and Decrypting

Looking through the ftp folder.

We find a folder inside the ftp folder named incoming. Since it is simply a
folder, we keep venturing in.
A file named salary_dec2003.csv.enc was in the folder. So we may have
possibly found quite the interesting file that may contain sensitive
information. The issue with the file right now is that it is encrypted. When we
cat the file, we get nothing is readable.

Cat results from the encrypted file.

We do not know much about this file, with the exception that it is encrypted.
We do not know what method or format was used to format this particular
file. We do want to know how we can identify the file, however.
After a while of researching, the command file may possibly tell us what is
going on with this file. The result only followed back with data. So this does
not tell us much about the file.
At this point, we are almost not sure how we will be able to access the file. It
definitely is encrypted is all we know. Our next shot after researching some
more is to use the strings command. In the end, it only gave us some
gibberish. However, since the file seems to contain many strings and there is
only so much that terminal can show us, maybe there is a way to see the
beginning of the file instead. I believe something is there that can help us
identify the file a little more.
After some researching, we can use a command following the strings
command named | head. Since we want it to show us the beginning of the
strings command, we use strings salary_dec2003.csv.enc | head to hopefully
give us the beginning of the file.

Results from the strings command.

It seemed to be more gibberish. The only readable part of the file was at the
very top which said Salted_n. We do not know what this means. It seems we
have to research some more to be able to identify the file.
We researched some more on what kind of encryption ends on .enc, but that
didnt help us too much. We ended up researching and stuck for a good while
until we decided that we should probably research whatever we just pulled
from the strings command. We must say, that was a great idea!
Researching Salted_n, we found that this is found in files encrypted by
OpenSSL. So at least we know what it was encrypted with! The issue now is
decrypting with! Since it was encrypted with OpenSSL, we assume that the
target has OpenSSL installed, and with that, we should also be able to
decrypt it.

OpenSSL installed on the system.

So we do confirm that OpenSSL exists on the system, as the image above

shows.
We take a look at the syntax for OpenSSL (research online), as none of us
really have experience using the tool before. It took us a good number of
tries, but we reached to a point where we had to know what cipher the file
was encrypted with. Since we did not know, we decided to just start going
down the list until we got one that worked. There are 3 of us, so it should not
take us too long to go through the ciphers that OpenSSL provides.
Using the first cipher, we decrypted the file, or at least it seems like we did. It
had asked us for a password, but one of us remembered that the file we
previously found on bbanter specifically said that to not change the file, as it
will break ftp encryption, which most likely actually means this file to be
honest.
When we cat the file we decrypted, nothing appears, or appears to be just a
bunch of white space. Since terminal shows us the end of the file, we want to
see the beginning of the file with the | head command we used previously
when looking at the strings of the file.

Results from using cat on the file we decrypted.

Success! We see the information on two employees in the company. We were

able to gain entry to the system, give us root access, and access some very
sensitive information. This alone tells us that our network was not very
secure at all.

Conclusion
We came to the conclusion that we need to update our password policy, as
weak passwords is what allowed us to gain entry into the system to begin
with. That will have to change, as well, as fixing our ftp server. Our ftp server
is broken, but of course, that also delayed us from getting easy access and
possibly getting the salary file early on. Much of the system needs to be
updated and changed.

Recommendation
Thanks to John The Ripper for decrypting those hashes that we had found,
we were able to gain access to root. It really is a great tool to decrypting
hashes. Also, Hydra gave us access to the system in the first place! Being
able to brute force with the wordlists we gave it helped a ton. Without that,
we may have had a difficult time getting in. Recommend using those tools.

Findings
Passwd file.
Shadow file.
Salary_dec2003.csv.enc

Level 2 Scenario
Summary
Level 2 dealt with gaining access to a system that had quite a couple of ports
open that are vulnerable to many possible methods and techniques of
attacking. Methods used in this lab required reconnaissance, decrypting
hashes,

FTP
For this box, we were tasked with breaking into the next level of their server,
this time however it was explicitly said in the directions that this box in
particular is an FTP server, so rather than the first approach of possible SSL,
we would try to get in through FTP instead.
By running the command ftp 192.168.1.110 we were prompted with the
with a login screen within the shell. Although we do not have the official login
or passwords for any of the staff, even though the names of the staff along
with various emails were presented in the website, we still tried to use the
anonymous login to gain access to the system.

To our surprise, the anonymous login worked, and we then had access to
various directories within the server itself. Using simple commands of ls and
cd/cdup to browse the directories, we found that we had quite a bit at our
disposal in terms of how we can traverse the server.

Reconnaissance

Eventually we made our way into the etc folder with a couple of peculiar files
within. The thing that piqued our interest most was the login.defs file, but it
really didn't turn out to be anything, but another that stood out what the
shadow file was. Upon catting the file, we found that it had quite a bit of
information within, even having what seemed to be a password hash for root
within the system.

John The Ripper

Using the John the Ripper tool within Kali to compare the hashes and crack
them, what it came out to be was a really simple answer, apparently the
password to root was toor.

(Within the picture we had already cracked the hash.)

Account Digging
With that out of the way, we tried to login to the box using these credentials,
however it did not work, leading us to believe that root was not allowed
within this environment.
The next step would be maybe to find some user accounts, so more digging
within the box ensued. The core file within the directory seemed to have
quite a bit of data within it, so by using the get core command within the ftp
server, we was later able to cat it out on my kali box, however it was
unreadable for the most part. However at the end of the file itself, it seemed
to have some useful information within it, where they seemed to be
password hashes for the various user accounts within the system, including
root, aadams, bbanter and ccoffee.

John The Ripper (again)

Removing the unnecessary information, we determined that they were an
MD5 hash due to the syntax of the hashes themselves, but for this, we ran
them through john the ripper once more to read the hashes and compare
them to one of the wordlists we had on hand. RockYou.txt was a very large
file, but the Metasploit framework contains wordlists that we are able to use
with John The Ripper, and we later were able to find out the login credentials
for two particular accounts.

We left it running against the word key for about two minutes or so before it
came back with results, of which this included the password for bbanter and
root. Since we seemingly had the credentials now for the box, we
immediately tried to ssh into the server with the command ssh
bbanter@192.168.1.110, of which we were immediately prompted for the
password. The password we received from the hashes turned out to be
Zymurgy, which allowed me to login. Immediately we attempted to switch
user to root with the password provided, and needless to say, it worked.

Scavenging and Decrypting

Now that we had root access, all that was left was to try and scour their
system for more information. By backing out of the bbanter folder to the
home directory, we found the root folder. Inside of the root folder were two
more hidden directories that we were able to see with ls -A, of which inside
of that folder was the customer account file customer_account.csv.enc.

Catting these would prove to be futile as the files were encrypted, of which
we did not know the means of how to unencrypt them until we looked at the
other file copy.sh. Within this file it showed the process they had used to
encrypt the file, so it was only a matter of using the same process to
unencrypt the file. The command we used for this was openssl enc -d -aes256-cbc -salt -in customer_account.csv.enc -out creditCardStuff
-pass file:/etc/ssl/certs/pw successfully unencrypting the file.

Catting my file creditCardStuff gave me information that would be the

names of the corporations, the card type they used, the account number,
expiration date and delivery methods. Beyond that, there wasn't any other
peculiar or interesting pieces of information that could top what we found
within the root folder.

Conclusion
This is the first time any of us had to use OpenSSL to decrypt anything. With
an OpenSSL resource and looking through the syntax, we were able to
understand how to decrypt the interesting records that we found. Also,
allowing anonymous login on FTP is definitely not safe. John The Ripper was
very fun to use as well. In the end, we were able to get into the system and
grab a couple of files that prove that our network was not secure.

Recommendations
OpenSSL is a good tool to use, but not good enough when you can decrypt it
easily. There are plenty of other encrypting methods out there. John The
Ripper, however, is such a great tool to use to decrypt hashes. It didnt fail us
when we were trying to grab the passwords of the accounts we needed to
access. With this, it gets our full recommendation! Also, we need to
complicate our passwords some more.

Findings
Shadow file
Core file
customer_account.csv.enc
copy.sh

Level 3 Scenario
Summary
Level 2 dealt with gaining access to a system that had quite a couple of ports
open that are vulnerable to many possible methods and techniques of
attacking. Methods used in this lab are reconnaissance, using fuzzing tools,
and decrypting.

Reconnaissance
With this box, we initially had some issues with nmapping it. This led us to
using tools like netdiscover on it. While we later figured out that the issue
was from being on the wrong network range, netdiscover revealed a second
IP address under the main one.

After this, we checked out the 192.168.2.101 address with dirbuster and
nikto. These revealed that the root folder was publicly available.

Using this information, we started delving further into the site, testing
usernames from the .100 site and various possible hidden folders (such as
.bash, .ssh, etc.). Eventually this led us to 192.168.2.100/home/pirrip/.ssh.
This contained an rsa key that could be used to ssh into the box.

We copied the id_rsa file to our Kali box in the .ssh directory. We gave the file
read/write permissions and then attempted to ssh into the box under pirrip.

Gaining Access (with some more Reconnaissance)

After getting into the box under pirrip's credentials, we did some snooping
around. This eventually lead us to /var/mail. When we got there, there were 3
files, havisham, magwitch, and pirrip. We catted out pirrip, revealing a
number of emails, one of which contained the password issued to pirrip,
0l1v3rTw1st.

Password in hand, we ran sudo -l to see which, if any, superuser permissions

pirrip's account could use. The one that stood out was his ability to use vi as
superuser.

Cracking

From here, our immediate reaction was to use his vi privileges to get the
shadow and passwd files from /etc/. However, John The Ripper was taking far
too long to crack the password.

Instead, we remembered that it was possible to run commands through vi,

and thus, with superuser permissions, by typing :!command. We followed
through by running :!/bash/bin through vi. This gave us access to a root level
shell.

Scavenging

After getting access to root, we began snooping around the box's folders. We
came across great_expectations.zip in /root/.save. From here we unzipped

the file, revealing a .tar file. We untarred that file, which gave us some
images and a file named Jan08. Catting Jan08 gave us the information that
we were after, the social security numbers of three of the users.

Conclusion
With this, we conclude that the entire network needs to be looked at. We
were able to gain entry to the system using the password file found on the
website. No one normally should not be able to have that kind of access on
our servers. Also, we should not be sending our credentials through e-mail,
especially unencrypted as we found on the server. We need to review our
policies.

Recommendations
DirBuster and Nikto were really helpful at first to help us start gaining entry
to the system. We didnt have any users or anything of the sort to start off
with, but looking through the website, we were able to see that our
directories are completely in the open. John The Ripper, once again, was
helpful for the most part, even though we used a different method of gaining
those passwords.

Findings
id_rsa file

7 emails, one with login credentials

Shadow file
Passwd file
Great_expectations.zip
Jan08 file containing Social Security Numbers

References
Burns, B. (2007). Security power tools. Sebastopol, CA: O'Reilly.
Encrypt & Decrypt Files from the Command Line with OpenSSL | OSXDaily.
(n.d.). Retrieved December 14, 2014, from
http://osxdaily.com/2012/01/30/encrypt-and-decrypt-files-with-openssl/
Welcome to the OpenSSL Project. (n.d.). Retrieved December 14, 2014, from
https://www.openssl.org/