CyberP3i Hands-on Lab Series

Transcription

1 CyberP3i Hands-on Lab Series Lab Series using NETLAB Designer: Dr. Lixin Wang, Associate Professor Hands-On Lab for Application Attacks The NDG Security+ Pod Topology Is Used

2 1. Introduction In this lab, students will exploit the Shellshock vulnerability on a Linux system using either an environment variable or the w3af framework. 2. Objectives Upon completion training of this lab, students will be familiar with using the w3af framework be able to exploit the Shellshock vulnerability on a Linux system using an environment variable be able to exploit the Shellshock vulnerability on a Linux system using the w3af framework 3. POD Topology 4. Lab Settings The information in the table below will be needed in order to log into the virtual machines used in this lab. The task section (Section 5) below provide details on the use of this information.

3 Pre-Lab Setup Before continuing to the tasks in Part 5 below, log into the following VM systems below as instructed. I. Kali 1). On the login screen, select Other. 2). When presented with the username, type root. Press Enter. 3). When prompted for the password, type toor. Press Enter. 4). Minimize the PC viewer window. II. Ubuntu 1). On the login screen, select the student account. 2). When prompted for the password, type securepassword. Press Enter. 3). Minimize the PC viewer window. III. Security Onion 1). On the login screen, type soadmin. Press Enter. 2). When prompted for the password, type mypassword. 3). Open a new Terminal. 4). Type the command below and press Enter. Use mypassword when prompted for root privileges. sudo service nsm start 5). Close the Terminal window when services are finished starting. 6). Minimize the PC viewer window. 5. Lab Instructions Part 1. Using an environment variable exploit the Shellshock vulnerability 1) Active the Ubuntu PC viewer.

4 2) Open a terminal window on Ubuntu by clicking the Terminal icon on the left menu on Ubuntu desktop 3) Change to the directory /home/scripts by executing the following command cd /home/scripts 4) To run a vulnerability check on the current bash configuration for the Ubuntu system, run the following script./shellshock_test.sh 5) The program env on Linux allows modification of the environmental variables for a command, and the command bash -c allows running a specific command(s) by starting a new process. We use both commands together to test whether the Linux system is vulnerable to shellshock by running the following command: env e= (){ :; }; echo the Linux system is vulnerable to shellshock bash -c echo shellshock Linux system vulnerability test 6) If your system is vulnerable to the Bash "Shellshock" bug, the above command will produce a following output: The Linux system is vulnerable to shellshock shellshock Linux system vulnerability test 7) Otherwise, you will see the following message: shellshock Linux system vulnerability test 8) Therefore, our Ubuntu system is NOT vulnerable to the shellshock vulnerability. The system is up to date. 9) We define e to be '(){ :; }; echo the Linux system is vulnerable to shellshock as an environmental variable, and then run bash with the command echo shellshock Linux system vulnerability test. But the semi colon (;) outside the pair of curly-brackets {}

5 allows ending one command and entering another on the same line so indeed the function could have had more than one command. The colon (:) is a no-op. It ran the command (echo the Linux system is vulnerable to shellshock) after the function definition instead of just defining the function. Basically, it did not stop after the function's definition and instead went on to run other commands (during the function definition) by starting a new process due to the command bash -c. Part 2. Using w3af exploit the Shellshock vulnerability on the Kali virtual machine 1) Open the Kali PC viewer on the Kali virtual machine. 2) Make sure the apache web server is up and running on the Ubuntu Linux system. Open the Iceweasel browser on Kali and type You should the following message on this page: Webserver functional! This is the default web page for this server. 3) Open a terminal on Kali 4) Start the loop interface by running the following command on the terminal on the terminal: ifconfig lo up 5) Change the directory to /opt/w3af cd /opt/w3af 6) Start the w3af console application by running the following command:./w3af_console 7) At this prompt you can start typing commands. The first command you have to learn is help (please note that commands are case sensitive) w3af>>>help w3af>>> help target

6 w3af>>> 8) To enter a configuration menu, you just have to type its name and hit enter, you will see how the prompt changes and you are now in that context. For example, 9) All the configuration menus provide the following commands: help, view, set, and back 10) Plugins do all the magic. The plugins will find the URLs, discover the vulnerabilities and exploit them. So now, we will learn how to configure the plugins. Also, w3af had three core types of plugins: discovery, audit and exploit. The complete list of plugins types is: discovery audit grep exploit output mangle bruteforce evasion Discovery plugins find new points of injection that are later used by audit plugins to find vulnerabilities. Exploit plugins use the vulnerabilities found in the audit phase and return something useful to the user ( remote shell, SQL table dump, a proxy, etc). 11) The plugins are configured using the plugins configuration menu.

7 12) All plugins can be configured here except the exploit plugins. The example below demonstrates how to find the syntax for a plugin: 13) The example below demonstrates the use of the list command to see all available plugins and their status. 14) To audit the shell_shock, run the following command

8 15) To know exactly what a plugin does, he can also run the audit command with the option desc like this: 16) Now we know what this plugin does, but let's check their internals: 17) The configuration menus for the plugins also have the set command for changing the parameters values, and the view command for listing existing values. 18) Before we start to scan the vulnerability, we need to set the target. Run the command back twice to get the w3af framework: 19) After configuring all desired plugins, the user has to set the target URL and finally start the scan. We want to exploit the CVE vulnerability against the cgi-bin running on the Ubuntu s Apache web server. The target selection is done this way: 20) Now we can start to exploit the shell_shock vulnerability by running 6. References Security+ Lab Series in NDG NETLAB+: Lab 10 Analyze and Differentiate Types of Malware & Application Attacks

9 7. Appendix In this appendix, we introduce the terms and knowledge needed for this lab. Common Vulnerabilities and Exposures (CVE) Metasploit exploit modules generally target a single vulnerability on the target. A vulnerability in software is a flaw that can potentially be used by an unauthorized user to cross a security boundary. To provide a uniform method to refer to vulnerabilities, the dictionary of Common Vulnerabilities and Exposures (CVE) was created. Not all vulnerabilities are sufficiently serious to warrant a CVE number. Referencing a vulnerability by its CVE number helps different researchers be sure that they are talking about the same underlying issue. CVE numbers have the form CVE-YYYY-ZZZZ where YYYY is the year and ZZZZ is an identifier within that year, like CVE Prior to 2014, identifiers were four digits; subsequent identifiers may be as long as seven digits. Bash Bash is the shell, or command language interpreter, for the GNU operating system. The name is an acronym for the Bourne-Again SHell. While the GNU operating system provides other shells, Bash is the default shell. bash -c string If the -c option is present, then commands are read from string. If there are arguments after the string, they are assigned to the positional parameters, starting with $0. The Shellshock bash bug (also known as Bashdoor) is a critical vulnerability that has been discovered in the widely used Bash command processor, present in most Linux and UNIX distributions and Mac OS X. Many Internet-facing services, such as some web servers, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system. The US Department of Homeland Security's CERT team has issued an alert about the Bash bug (known as CVE , but also given the more media-friendly moniker of "Shellshock" by some), and warned that if exploited the vulnerability could allow a remote hacker to execute malicious code on an affected system. One serious concern is that malware authors could exploit the vulnerability to create a fastspreading worm - taking advantage of the ubiquitousness of Bash. Are your computers vulnerable? Fortunately, there's an easy way to tell if your computers might be at risk. Open a terminal window and enter the following command at the $ prompt: env x='() { :;}; echo vulnerable' bash -c echo cve If you are not vulnerable, then the following will be shown:

10 bash: warning: x: ignoring function definition attempt bash: error importing function definition for x cve But if you are vulnerable, then you will see: vulnerable cve env is program that allows modification of the environmental variables for a command. The shell allows functions to be defined and in fact used as commands. For example, $ x() { echo test;}; x test What should happen as given, is that you define x to be '() { :;}; echo vulnerable' as an environmental variable, and then run bash with the command 'echo cve But the semi colon (;) allows ending one command and entering another on the same line so indeed the function could have had more than one command. The colon (:) is a no-op. It ran the command (echo vulnerability) after the function definition instead of just defining the function. bash -c allows running a specific command(s), in a new process. SUMMARY: Basically, it did not stop after the function's definition and instead went on to run other commands (but during the function definition) in a new process. The documentation for w3af The document is the user s guide for the Web Application Attack and Audit Framework (w3af), its goal is to provide a basic overview of what the framework is, how it works and what you can do with it. w3af is a complete environment for auditing and exploiting Web applications. This environment provides a solid platform for web vulnerability assessments and penetration tests. w3af/exploit/os_commanding-0>>> help Available commands: help Display this information lsp List payloads payload <payload> Execute "payload" and get the result read <file> Read the remote server <file> and echo to this console write <file> <content> Write <content> to the remote <file> upload <local> <remote> Upload <local> file to <remote> location

11 execute <cmd> exec <cmd> e <cmd> exit Run <cmd> on the remote operating system Exit this shell session 8. Review Questions 1) What is the following Linux command used for? env e= (){ :; }; echo the Linux system is vulnerable to shellshock bash -c echo shellshock Linux system vulnerability test 2) What is the Shellshock bash bug? 3) What is the framework w3af used for?