Showing posts with label Metasploitable. Show all posts

Thursday, May 2, 2013

Luring the Bots for Fun!

Project Introduction

These days I am hosting a custom honeypot based on the Metasploitable VM. Unfortunately I didn't have the time to build a new image from scratch, so I used Metasploitable as the base. Initially, I wanted to capture all the wordlists hosted on the machines that would target me. Secondly, I wanted to make a statistical analysis of the regions which attack the most. Obviously, a honeypot situated in Greece is not a great statistical sample; however, after a month with the honeypot in its "production" state I have gathered very interesting data which I would like to share (apart from the wordlists!).

Honeypot Services

The first service built to lure the bots is SSH. It has given me a very interesting amount of data, including the wordlists used in the brute force attacks. By default the SSH service does not log failed login attempts, so I had to download the SSH source code and recompile it so that the SSH daemon logs every failed logon attempt. The altered source code (auth_passwd.c) can be found here.
The second service is HTTP. I wanted to lure any bots or blackhats (script kiddies, to be more accurate, because no serious blackhat would bother hacking a useless site!) who would try to hack a web application. I uploaded to the Apache server a PHP project I had written during my first degree, which is full of vulnerabilities (in the 3rd semester nobody had given me an introduction to web application security, I admit it!). In order to log the attacks I installed and configured ModSecurity as I have described in a previous article (later I found that ModSecurity can be linked with online honeypot projects; just google it!). Unfortunately, the HTTP service has not faced any attack attempt yet, so this part of the project has not gone well so far...

Attacking Hosts by Region

Below is a graph of the number of attacks and the region each attack came from!

I am sure that you had imagined that China would win the race easily!
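As an added illustration (not code from the post), here is how the failed-login lines that a patched sshd writes to the auth log can be turned into the per-region counts behind a graph like the one above, plus the two other things the post is after: which usernames the bots try, and which source addresses are clearly brute forcing. The log lines, the prefix-to-region table (a stand-in for a real GeoIP database) and the threshold are all constructed for this example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the syslog format sshd uses for rejected
# password logins. These are made up for the example, not data from the
# honeypot described in the post.
SAMPLE_LOG = """\
May  1 10:02:11 honeypot sshd[2231]: Failed password for root from 203.0.113.5 port 51234 ssh2
May  1 10:02:13 honeypot sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
May  1 10:02:15 honeypot sshd[2231]: Failed password for root from 203.0.113.5 port 51236 ssh2
May  1 10:02:16 honeypot sshd[2240]: Accepted publickey for ops from 192.0.2.10 port 40001 ssh2
May  1 10:05:40 honeypot sshd[2252]: Failed password for invalid user oracle from 198.51.100.77 port 33002 ssh2
May  1 10:05:41 honeypot sshd[2252]: Failed password for root from 198.51.100.77 port 33003 ssh2
May  1 10:09:02 honeypot sshd[2260]: Failed password for invalid user test from 203.0.113.200 port 60210 ssh2
"""

# Assumed stand-in for a GeoIP database: network prefix -> region label.
# The prefixes are RFC 5737 documentation ranges; the labels are arbitrary.
REGION_TABLE = {
    ipaddress.ip_network("203.0.113.0/25"): "region-A",
    ipaddress.ip_network("203.0.113.128/25"): "region-B",
    ipaddress.ip_network("198.51.100.0/24"): "region-C",
}

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failed_logins(text):
    """Return a list of (username, source_ip) for every rejected password login."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def region_of(ip, table=REGION_TABLE):
    """Longest-match is not needed here: the table's prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, label in table.items():
        if addr in net:
            return label
    return "unknown"


def attacks_by_region(events, table=REGION_TABLE):
    """Count failed attempts per region (the data behind the graph in the post)."""
    return Counter(region_of(ip, table) for _, ip in events)


def attackers_over_threshold(events, threshold=3):
    """Source IPs with at least `threshold` failures: brute-force candidates."""
    per_ip = Counter(ip for _, ip in events)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def usernames_tried(events):
    """The wordlist side of the data: which account names the bots try."""
    return Counter(user for user, _ in events)


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_LOG)
    print("failed attempts:", len(ev))
    print("by region:", dict(attacks_by_region(ev)))
    print("usernames tried:", dict(usernames_tried(ev)))
    print("brute-force candidates:", attackers_over_threshold(ev))
```

Note that only "Failed password" lines are counted; the accepted public-key login is ignored, and a stock sshd already emits these lines for rejected passwords, so the parser works on an unmodified auth log as well. Swapping the prefix table for a real GeoIP lookup is the only change needed to reproduce the post's region statistics on real data.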


Conclusion

In the near future I am looking to add more services to my honeypot, so stay tuned for future posts!
And remember: The bots are out there! (like X-Files motto? :p)

Tuesday, March 12, 2013

Building a pentest Lab

Introduction

For educational purposes, a penetration test lab is always necessary. I needed one for a relevant project, so I think it could be useful for colleagues and security researchers in general if I publish my experience in building a penetration test lab. I have used vulnerable Linux images which are publicly available over the Internet. However, the main subject of this post is how to build a vulnerable Windows machine (it would not be too difficult if I had simply decided to leave it unpatched! :p).
Last but not least, I will go through the common cliché and suggest you run all this vulnerable software in NAT mode; don't leave these security holes running in your local network with Internet access!


Prerequisites

First of all, we will need virtualization software. I have used VMware Player, which is free and covers my needs for this post. The images used are the following:
  • Backtrack 5 R3, available here.
  • Metasploitable v2, available here.
  • OWASP Broken Web Applications image, available here.
  • Windows XP SP3 (should be installed from scratch)

What else? Topology!

Below you can see the network topology of my pentest lab. I have taken the liberty to watermark my pictures in order to protect myself from plagiarists.

Building Vulnerable Windows machine

First of all we will need a Windows XP machine. It can be fully patched or not; we will not focus on Windows vulnerabilities but on vulnerabilities in software installed on the Windows machine.
Below is the software and the relevant exploit I used to build this vulnerable Windows machine:
  • Java 7 update 2, exploitable by this metasploit exploit.
  • Hacme Bank vulnerable web application, available here.
  • EasyFTP server, vulnerable versions 1.7.0.11 and earlier, exploitable by multiple metasploit modules (run search easyftp in msfconsole).
Regarding the other VMs on my topology, there are plenty of good articles exploiting the vulnerabilities residing on them.

Conclusion - TBC

I realise that this list is short, but I will come back with updates as my goal is to create a vulnerable Windows machine which is very close to reality and educative at the same time.