Tuesday, October 28, 2008

Pen-Tests in 2008 and Why don't you crack ssh?

I recently did a pen-test for a medium-sized American firm, and it seems public remote exploits for devices such as Juniper, Netopia, Cisco (telnet) and default Linux services have gone as low as one or two for each since 2004.

Since any respectable firm has Windows Update turned on and Fedora-style Linux distributions also have automatic updates, I came to the conclusion that the cycle of:
Safe --> Research --> Exploit --> Public Disclosure --> Patch --> Automatic Update --> Safe
means that black-box penetration testers don't have much to show the client except for configuration errors, a few user enumerations and less critical stuff that doesn't get fixed by the vendors.

The solution for that would be for pen-testers to find their own exploits. That is why in recent years most of the tools written are fuzzers.
Cisco, Netopia, Juniper and Linux services were already fuzzed as hell before they were shipped to clients, so this doesn't seem to be a good approach to the problem.

My suggestions:
1) If you are a pen-tester, research and discover your own vulnerabilities and create workarounds for them, show it to your client and keep it to yourself!
2) If you are a researcher, supply a working P.O.C, because pen-testers don't have time to buy that machine and develop working shellcode for your vulnerability.

Being 13 hops away from the machines I had been pen-testing, I was amazed to see that products which are extremely mainstream and trusted fail at such a simple task.
I used Nmap to scan the network range (of course with -P0, or -PN in the new version) and just two HTTP servers were discovered from 8 hosts. As I am not a big fan of Nmap, I returned to what I was using in the past: GFI LANguard.

I scanned the targets using GFI LANguard (which is a great tool when used inside local networks) and I set a complete TCP and UDP port scan with a 20-second TCP timeout and an 8-second UDP timeout. These timeouts are EXTREME and should achieve the most accurate results. The scan results were very poor, detecting about 3 open ports on 8 machines!!! Of course I checked that nothing else was running on my internet connection to make sure this was just a bad dream. I scanned again and one more port was discovered, SSH!

I decided this could not be true and I returned to Nmap using the "slow and Intensive" scan. The results were better, about 5 TCP ports and 1 SNMP, but I thought "still no way that is all they got!"

Finally, I installed the latest version of Nessus (Tenable Nessus 3), configured it with high timeouts and ran the scan. The results were AMAZING!!! It didn't miss anything the other scanners had found, and it discovered 15 more UDP ports and 7 more TCP ports. From now on, I am only scanning with Nessus, my time is worth it!

Now that I had some interesting services to attack, I wanted to try and log into one of the Linux machines using SSH. To me it sounded simple: "I will download a dictionary/brute force SSH tool and that's it". Apparently not!
There is an ancient Perl script floating all across the web that does SSH with "expect". THAT-IS-LAME. Some guy really agreed with that and wrote a Ruby script that uses the Net::SSH library to automate attempts, quite similar to Tim's SShatter Perl script. That is nice, but there is still no multithreading support.
Of course you may think "Why not use T.H.C Hydra?" The answer would be that by default it's not configured to be compiled with LIBSSH and you have to get some libs, so you will burn a few hours to make it work!

My dear friend "Kiril Nesenko" AKA "axi1es" wrote for YOU guys the script for "The Common Lazy Fedora Guy", which will download Hydra, the SSH and other libs, configure and compile it, and execute Hydra, all automatically. Enjoy! :)