Confirming Security of a Server


agentaika


Next year my cousin is going to start an online business that will be hosted on his own servers. Because of my computer know-how (I'm fluent in Python, I know some C++, and I'm a Linux geek) he has asked me to perform some penetration tests to verify the security of his current setup. Although I don't know much about hacking, he insisted that I was the most qualified for this task because I'm "well trusted family."

For the last few days I've been digging through webpages and articles trying to find useful information on how to hack. So far I've learned a little about IP spoofing, packet sniffing, vulnerability scanners, and password crackers. I even have a couple of favorite programs: nmap, Wireshark, John the Ripper, and BackTrack 3.

Right now I'm trying to figure out how to tie this loose knowledge together into a successful hack. My goal will be to silently monitor his incoming and outgoing traffic for packets (account information, passwords, etc), and to upload and download some files without authorization. His goal will be to find out my true identity (IP address), and to keep me away from his personal data using commercial software.

Do you know of a quality tutorial, e-book, or video that clearly explains the steps on how to do this? I'm not looking to make a career out of net security so I would rather not spend $200 on a training class, or $40 on a book from Amazon. I'm just looking for a little push in the right direction so I can get started.

Your help would be greatly appreciated.


Blocking single IPs once they penetrate your server is useless; one can simply hop on an unsecured wireless network and do their bidding from there after they have run nmap on your network. Once your server has been compromised you're pretty much fucked, unless you have off-site backups that the attacker couldn't get hold of.

Questions first:

What OS are the servers you are trying to test?

What are they running: Apache version? SQL? Drupal? etc.

Are multiple computers hosting the site (topology of the network)? I.e. you > internet > switch > router > servers OR you > internet > switch > computer, etc.

Reason for asking is that there are exploits for switches and routers; once you gain root on one of them you could easily modify the firmware to do your bidding: forward traffic, DDoS, etc.


Blocking single IPs once they penetrate your server is useless; one can simply hop on an unsecured wireless network and do their bidding from there after they have run nmap on your network. Once your server has been compromised you're pretty much fucked, unless you have off-site backups that the attacker couldn't get hold of.

He does plan on doing regular backups of important data.

What OS are the servers you are trying to test?

They're Windows servers, but when I do the tests, I'm going to "attack" as if I don't know this.

What are they running: Apache version? SQL? Drupal? etc.

Apache.

Are multiple computers hosting the site (topology of the network)? I.e. you > internet > switch > router > servers OR you > internet > switch > computer, etc.

He lives in a different state so we're not directly connected on the same network.

Reason for asking is that there are exploits for switches and routers; once you gain root on one of them you could easily modify the firmware to do your bidding: forward traffic, DDoS, etc.

I didn't know that.

Thank you for your reply.


They're Windows servers, but when I do the tests, I'm going to "attack" as if I don't know this.

When you run nmap against them it should fingerprint the OS. If he was running them in a VM it is a little more difficult. Someone I know was looking at a server the other day and the way the traffic was being routed made it impossible to fingerprint it.

Apache

If he hasn't created a 404 page, then going to some random made-up page should provide you with the version; there are other ways to find this information out as well. Also use a different user agent (Googlebot is my favorite) when conducting any injections, XSS or SQL. Because he is new to this it will be difficult to trace exactly who is attacking him, unless he knows the IPs for the Google bots; you should also connect to a network not belonging to yourself... but since this is a pen test and not a full-on attack, and he knows you're doing it, you're fine doing it from home.

He lives in a different state so we're not directly connected on the same network.

I am no guru by any means, but a deep network scan should reveal all computers on the network; then common sense will help you map it out.

NMAP EXAMPLE:

IP is 192.168.0.1 (I know, don't comment).

You would want to scan 192.168.0.1/21 to do an intensive scan.

I didn't know that.

I had an old switch that was locked and I didn't know the password, but Metasploit had an exploit that allowed me to fix that. Exploits for non-malicious purposes are the best.

Thank you for your reply.

Wow, don't hear that often, and thank you, kind sir!
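The two recon tricks in the reply above (request a page that cannot exist and read the version out of Apache's default 404, and do it under a Googlebot user agent) are easy to try for yourself before touching a real host. The following is an added example, not code from the thread: it starts a throw-away Apache look-alike on a loopback port, probes it the way a scanner would, and returns what leaked. The version strings, the `shop.example` hostname and the page body are constructed for the demo. It also runs the same probe against a "hardened" variant that mimics `ServerTokens Prod` and `ServerSignature Off`, the two Apache directives that close this leak, so you can see what the cousin should be aiming for.

```python
import http.server
import re
import threading
import urllib.error
import urllib.request

# Constructed stand-in for Apache's default 404 page under the default
# ServerTokens Full / ServerSignature On. Version and build string are invented.
LEAKY_404 = b"""<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.2.11 (Win32) PHP/5.2.8 Server at shop.example Port 80</address>
</body></html>
"""
# What the same page looks like with ServerSignature Off: no <address> line.
QUIET_404 = LEAKY_404.split(b"<hr>")[0] + b"</body></html>\n"

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

SIGNATURE_RE = re.compile(
    r"<address>(?P<banner>.*?) Server at (?P<host>\S+) Port (?P<port>\d+)</address>")
VERSION_RE = re.compile(r"Apache/(\d+(?:\.\d+)+)")


class FakeApache(http.server.BaseHTTPRequestHandler):
    """Local stand-in for a Windows Apache box; answers every GET with a 404."""
    banner = "Apache/2.2.11 (Win32) PHP/5.2.8"   # constructed; ServerTokens Full
    body = LEAKY_404
    seen_agents = []                               # what the victim's access log would record

    def version_string(self):                      # send_response() uses this for the Server header
        return self.banner

    def do_GET(self):
        FakeApache.seen_agents.append(self.headers.get("User-Agent"))
        self.send_response(404)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):                  # keep the demo quiet
        pass


class HardenedApache(FakeApache):
    banner = "Apache"                              # ServerTokens Prod
    body = QUIET_404                               # ServerSignature Off


def probe(base_url, user_agent=GOOGLEBOT_UA):
    """Request a page that cannot exist and harvest whatever the 404 reveals."""
    req = urllib.request.Request(base_url + "/this-page-does-not-exist-4040",
                                 headers={"User-Agent": user_agent})
    try:
        resp = urllib.request.urlopen(req, timeout=5)
    except urllib.error.HTTPError as err:          # a 404 arrives as an exception
        resp = err
    status = resp.getcode()
    server = resp.headers.get("Server", "")
    body = resp.read().decode("utf-8", "replace")
    resp.close()
    sig = SIGNATURE_RE.search(body)
    # Prefer the Server header; fall back to the signature line in the body.
    version = VERSION_RE.search(server) or (sig and VERSION_RE.search(sig.group("banner")))
    return {
        "status": status,
        "server_header": server,
        "apache_version": version.group(1) if version else None,
        "signature_host": sig.group("host") if sig else None,
        "signature_port": int(sig.group("port")) if sig else None,
    }


def run_demo(hardened=False):
    """Start the fake server on a random loopback port, probe it, tear it down."""
    handler = HardenedApache if hardened else FakeApache
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("http://127.0.0.1:%d" % srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("default config :", run_demo())
    print("hardened config:", run_demo(hardened=True))
```

Against the default configuration `run_demo()` comes back with the exact Apache version and the virtual host name; against the hardened one it gets a bare `Apache` and nothing else. The `seen_agents` list is the other half of the lesson: the Googlebot string is what lands in the access log, which is why the reply suggests it, and also why a defender who reverse-resolves "Googlebot" hits against Google's published crawler ranges will spot the impostor.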


Seems that this purpose is exactly what Backtrack 3 is built for. Plenty of fun scanners and injectors.

But you'd better get it in writing that your cousin authorizes this activity. You may find yourself thrown into the squad car in this kind of situation, and a piece of paper that says you're legit may be a real asset in such an event. You can read "Chapter 2: Anatomy of a Hack" on the Ethical Hacker on this subject.


When you run nmap against them it should fingerprint the OS. If he was running them in a VM it is a little more difficult. Someone I know was looking at a server the other day and the way the traffic was being routed made it impossible to fingerprint it.

I don't believe he'll be running the servers from a virtual machine.

Wow, don't hear that often, and thank you, kind sir!

:)

Seems that this purpose is exactly what Backtrack 3 is built for. Plenty of fun scanners and injectors.

I've noticed, and I just recently noticed that its categories are listed in order of operation. That is very helpful.

But you'd better get it in writing that your cousin authorizes this activity. You may find yourself thrown into the squad car in this kind of situation, and a piece of paper that says you're legit may be a real asset in such an event.

lol. He has something better planned. He's going to record a video using his webcam giving me permission to do white hat hacking to his server. :) But I appreciate the warning.

Thanks folks.


Perhaps this is a shot in the dark and a little off the topic but why Apache services on a Win server? Isn't that kind of what IIS is built for?

I know there will be 'those' people that will flame me for speaking slightly in favor of Microsoft. It's pretty unfair to say IIS is insecure or unreliable if properly configured.

Perhaps it's just me, but it seems silly to be using third-party software when perfectly adequate software is built into the OS.


Apache has fewer exploits than IIS :)


Perhaps this is a shot in the dark and a little off the topic but why Apache services on a Win server? Isn't that kind of what IIS is built for?

I don't know. I'm not even 100% sure if Apache is what he plans on using. But I do know he plans on setting everything up in Windows because that is the operating system he knows best. Personally, I would use Linux.


Conducting an audit on servers is a good thing, but before you just start scanning... try to first make yourself a map of what you want to do. Besides just hacking a server, you can also hack a webpage and gain access through your browser to a certain server, download some shell tools and start from there.

Determine your way of working: are you going straight to the server(s) at hand, or are you going to try through a detour? You've got a server with several services running on it. Or you can go a layer higher and try exploiting web software, or you might get in through a server that's been left out of the firewall (or a stepping stone). Or you might start social engineering the persons that work for that company. So many different attacks and ways to achieve your goal.

When you scan an IP with nmap or any other tool, try to find exploits for certain ports/services that run on that server; from there you can move on to get local root... But then, usually when you gain access to the server, your IP and so on will be logged; you want to clean those logs, or at least delete your entries in them, and cloak your presence.

Note down what you do and what kind of success you have, and make a little tutorial out of it :)

Good luck!


Thanks a lot for painting a clear picture of what I need to do, Jayze.

So, basically, to perform these tests I'll need to first gather information about his server with a program like nmap, look on a site like milworm for exploits to apply, and then apply those exploits with metasploit to gain root access. Once I get root access, I'll be able to upload a trojan (for the test it'll just be a text file saying "PWNED"), try to download some password hashes, clear the logs to cover my tracks, and then log out.

If I have this right, I think I only have 2 questions remaining:

- Could I also gain root access by cracking his admin password with a program like THC-Hydra?

- What would I use to log into, and browse, the "Victim's" computer?


Thanks a lot for painting a clear picture of what I need to do, Jayze.

So, basically, to perform these tests I'll need to first gather information about his server with a program like nmap, look on a site like milworm for exploits to apply, and then apply those exploits with metasploit to gain root access. Once I get root access, I'll be able to upload a trojan (for the test it'll just be a text file saying "PWNED"), try to download some password hashes, clear the logs to cover my tracks, and then log out.

If I have this right, I think I only have 2 questions remaining:

- Could I also gain root access by cracking his admin password with a program like THC-Hydra?

- What would I use to log into, and browse, the "Victim's" computer?

Yup, you are right. First scouting, then determine what route to take and go for the kill :)

A promising tutorial I recently found is: http://synjunkie.blogspot.com/2008/11/stor...hack-intro.html , it shows you step by step how to try and break security or find the weak link in their infrastructure.

- THC-Hydra is a tool you can use, but such an attempt will be logged...

- Therefore you need to look around for some basic Windows tools like 'Net' (http://www.ss64.com/nt/net_share.html), and for the rest browse this forum a bit and use Google (he is your friend).

Log your progress and show it here.


Yup, you are right. First scouting, then determine what route to take and go for the kill :)

A promising tutorial I recently found is: http://synjunkie.blogspot.com/2008/11/stor...hack-intro.html , it shows you step by step how to try and break security or find the weak link in their infrastructure.

Oodalalee! This is exactly what I need right now.

- THC-Hydra is a tool you can use, but such an attempt will be logged...

For this test that might actually be a good thing. We'll be able to both look through the logs and see what I did wrong, and what he did wrong.

- Therefore you need to look around for some basic Windows tools like 'Net' (http://www.ss64.com/nt/net_share.html), and for the rest browse this forum a bit and use Google (he is your friend).

Log your progress and show it here.

Will do.

Thanks again.
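The exchange above makes the right point for a test like this one: a Hydra run against a Windows box is loud, and the value is in reading what it left behind together. What that looks like from the defender's chair, as an added example that is not part of the thread: a small detector that walks a flat export of Windows Security events (ID 4625 = failed logon, 4624 = successful logon) and flags three things a brute-force tool produces, many failures from one source inside a short window, one source cycling through many usernames (a password spray), and a successful logon from a source that was already failing. The log lines, usernames and addresses are constructed for the demo; the one-line `key=value` layout is a simplification of what `wevtutil` or Event Viewer would export, and the thresholds are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in a flattened Windows Security log form: one event per line.
# LogonType 3 = network (SMB), 10 = RemoteInteractive (RDP), 2 = console.
# Addresses are RFC 5737 documentation ranges; nothing here is real data.
SAMPLE_LOG = """\
2009-01-12 22:14:01 EventID=4624 TargetUserName=bob IpAddress=192.168.1.20 LogonType=2
2009-01-12 22:14:03 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=3 Status=0xC000006D
2009-01-12 22:14:03 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=3 Status=0xC000006D
2009-01-12 22:14:04 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=3 Status=0xC000006D
2009-01-12 22:14:04 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=3 Status=0xC000006D
2009-01-12 22:14:05 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=3 Status=0xC000006D
2009-01-12 22:14:05 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=3 Status=0xC000006D
2009-01-12 22:15:40 EventID=4625 TargetUserName=alice IpAddress=198.51.100.9 LogonType=10 Status=0xC000006D
2009-01-12 22:15:41 EventID=4625 TargetUserName=bob IpAddress=198.51.100.9 LogonType=10 Status=0xC000006D
2009-01-12 22:15:42 EventID=4625 TargetUserName=carol IpAddress=198.51.100.9 LogonType=10 Status=0xC000006D
2009-01-12 22:15:43 EventID=4625 TargetUserName=dave IpAddress=198.51.100.9 LogonType=10 Status=0xC000006D
2009-01-12 22:15:44 EventID=4625 TargetUserName=erin IpAddress=198.51.100.9 LogonType=10 Status=0xC000006D
2009-01-12 22:16:30 EventID=4624 TargetUserName=Administrator IpAddress=203.0.113.7 LogonType=3
2009-01-12 22:30:00 EventID=4625 TargetUserName=bob IpAddress=192.168.1.20 LogonType=2 Status=0xC000006A
2009-01-12 22:30:09 EventID=4624 TargetUserName=bob IpAddress=192.168.1.20 LogonType=2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kv>.*)$")


def parse(lines):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(part.split("=", 1) for part in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield fields


def detect(lines, burst_threshold=5, window_seconds=60, spray_users=4):
    """Return alerts for bursts, sprays and success-after-failure, one per kind and source."""
    recent = defaultdict(deque)   # ip -> (ts, user) failures still inside the window
    flagged = set()               # (kind, ip) pairs already alerted on
    alerts = []
    for ev in parse(lines):
        ip, ts, user = ev.get("IpAddress", "-"), ev["ts"], ev.get("TargetUserName", "?")
        if ev.get("EventID") == "4624":
            # A successful logon from a source we already flagged is the one to triage first.
            if any(k[1] == ip for k in flagged):
                alerts.append({"type": "success_after_failures", "ip": ip, "user": user, "at": ts})
            continue
        if ev.get("EventID") != "4625":
            continue
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:   # slide the window
            q.popleft()
        distinct = {u for _, u in q}
        if len(q) >= burst_threshold and ("burst", ip) not in flagged:
            flagged.add(("burst", ip))
            alerts.append({"type": "brute_force", "ip": ip, "failures": len(q),
                           "logon_type": ev.get("LogonType"), "at": ts})
        if len(distinct) >= spray_users and ("spray", ip) not in flagged:
            flagged.add(("spray", ip))
            alerts.append({"type": "password_spray", "ip": ip,
                           "users": sorted(distinct), "at": ts})
    return alerts


def alert_types(alerts):
    """Collapse the alert list to {ip: sorted alert kinds} for a quick summary."""
    kinds = defaultdict(set)
    for a in alerts:
        kinds[a["ip"]].add(a["type"])
    return {ip: sorted(k) for ip, k in kinds.items()}


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

Run on the sample, the SMB guessing from 203.0.113.7 trips the burst rule and then the "success after failures" rule when the Administrator logon finally succeeds; the RDP source 198.51.100.9 trips the spray rule on its fourth distinct username and the burst rule on its fifth attempt; bob's single console typo from 192.168.1.20 is ignored. Both the tester and the target can run it over the real export afterwards and compare what the tool did with what the log shows.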


My goal will be to silently monitor his incoming and outgoing traffic for packets (account information, passwords, etc), and to upload and download some files without authorization. His goal will be to find out my true identity (IP address), and to keep me away from his personal data using commercial software.

Just a quick question: if you're not on the same network, how will you be able to monitor his outgoing and incoming traffic without the use of a RAT or something similar? :blink:

Enlighten me.


Just a quick question: if you're not on the same network, how will you be able to monitor his outgoing and incoming traffic without the use of a RAT or something similar? :blink:

Enlighten me.

Take over the first router that connects him to the internet and have it duplicate all the traffic to and from him at your IP.
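The reply above is the honest answer to the earlier question: from another state you see nothing unless something in the path (the upstream router, a mirror port, a compromised host) copies the victim's packets to you, and once it does, only the cleartext protocols give anything up. The following is an added example, not code from the thread, of what the attacker's end of such a tap has to do: reassemble raw Ethernet/IPv4/TCP frames, pull out the payload, and pick the credentials out of the two cleartext cases the original poster named (an HTTP `Authorization: Basic` header and an FTP `USER`/`PASS` pair). The frames, addresses and credentials are constructed for the demo; the TLS frame is included to show the flip side, that an encrypted session hands the sniffer nothing, which is the countermeasure the cousin actually needs rather than blocking IPs.

```python
import base64
import re
import socket
import struct

# Everything below uses RFC 5737 documentation addresses and invented credentials.


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Assemble a minimal Ethernet/IPv4/TCP frame (checksums zeroed; the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,   # ports, seq, ack
                      5 << 4, 0x18, 65535, 0, 0)          # data offset 5 words, PSH|ACK
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,   # v4, IHL 5, proto TCP
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src, dst, sport, dport, payload) for a TCP-over-IPv4 frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                     # not IPv4, or not TCP
        return None
    ihl = (ip[0] & 0x0F) * 4                              # IP header may carry options
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                         # TCP header may carry options too
    return src, dst, sport, dport, tcp[data_off:]


BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)
FTP_USER_RE = re.compile(rb"^USER (\S+)", re.M)
FTP_PASS_RE = re.compile(rb"^PASS (\S+)", re.M)


def extract_credentials(payload, dport):
    """Pull cleartext credentials out of one TCP payload; (proto, user, password) tuples."""
    found = []
    for m in BASIC_RE.finditer(payload):
        try:
            user, _, pw = base64.b64decode(m.group(1), validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            continue                                      # not really base64; ignore it
        found.append(("http-basic", user, pw))
    if dport == 21:   # simplification: USER and PASS assumed to share one segment here
        u, p = FTP_USER_RE.search(payload), FTP_PASS_RE.search(payload)
        if p:
            found.append(("ftp", u.group(1).decode() if u else "?", p.group(1).decode()))
    return found


def sniff(frames):
    """What a mirror of the victim's upstream link hands an attacker, frame by frame."""
    hits = []
    for frame in frames:
        parsed = parse_frame(frame)
        if not parsed:
            continue
        src, dst, sport, dport, payload = parsed
        for proto, user, pw in extract_credentials(payload, dport):
            hits.append({"proto": proto, "src": src, "dst": dst, "dport": dport,
                         "user": user, "password": pw})
    return hits


SAMPLE_FRAMES = [   # constructed traffic from a client to the hypothetical shop server
    build_frame("198.51.100.23", "203.0.113.10", 51000, 80,
                b"GET /admin/ HTTP/1.1\r\nHost: shop.example\r\nAuthorization: Basic "
                + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n"),
    build_frame("198.51.100.23", "203.0.113.10", 51001, 21, b"USER upload\r\nPASS s3cret\r\n"),
    # TLS record header followed by opaque bytes: nothing for the sniffer to read.
    build_frame("198.51.100.23", "203.0.113.10", 51002, 443, bytes.fromhex("16030100") + b"\x00" * 40),
]

if __name__ == "__main__":
    for hit in sniff(SAMPLE_FRAMES):
        print(hit)
```

The HTTP and FTP frames each give up a username and password; the HTTPS frame gives up nothing but the endpoints and the port. That is the whole argument for putting the shop behind TLS and using SFTP instead of FTP: even an attacker who has the router cannot read what is not sent in the clear.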


Just a quick question: if you're not on the same network, how will you be able to monitor his outgoing and incoming traffic without the use of a RAT or something similar? :blink:

Enlighten me.

I don't know. That is why I made this thread.

Take over the first router that connects him to the internet and have it duplicate all the traffic to and from him at your IP.

Which program would I use?

Here is the workflow I've figured out so far.

Conceal Identity

- I won't need to conceal my identity for this test.

Exploitation

- Use nmap and hping to get information (OS, software, etc) about Victim

- Go to milworm, or a similar site, to find exploits for software used by Victim

- Apply exploit using Metasploit

- Backdoor the Victim using socat

- Transfer files using --??--

- Upload a trojan (it'll just be a text file) to create a permanent backdoor for next hack

- Clear the Victim's log so actions won't be cataloged using --??--

Administrator Access

- Use nmap and hping to get information (OS, software, etc) about Victim

- Use THC-Hydra to crack administrator password

- Backdoor the Victim using socat

- Transfer files using --??--

- Upload a trojan to create a permanent backdoor for next hack

- Clear the Victim's log so actions won't be cataloged using --??--


If you have physical access to the computer, then just USB-hack him.

Odds are good you're not going to be successful with Hydra; you're better off using some exploit.

Or just pack your trojan into some file he will open, then email it to him or trick him into opening it by binding it to another exe...


If you have physical access to the computer, then just USB-hack him.

That might go against the point of the test. :lol: We're trying to verify the security of his online server. But I'll still be able to make use of the information you've provided. Maybe I should give USBSwitchblade a second look.

Thank you.

Odds are good you're not going to be successful with Hydra; you're better off using some exploit.

Running an exploit is the only way to get unauthorized access to someone's computer?

I find it so odd that someone like me, who has been using computers since the 80s, is having a hard time understanding this when 12 year olds today are able to hack without any problem. :( What in the hell are these kids reading? I want that. lol.

Or just pack your trojan into some file he will open, then email it to him or trick him into opening it by binding it to another exe...

Oh noes. This is a white hat attack. I don't want to do anything that could do serious damage.


That might go against the point of the test. :lol: We're trying to verify the security of his online server. But I'll still be able to make use of the information you've provided. Maybe I should give USBSwitchblade a second look.

Thank you.

Running an exploit is the only way to get unauthorized access to someone's computer?

I find it so odd that someone like me, who has been using computers since the 80s, is having a hard time understanding this when 12 year olds today are able to hack without any problem. :( What in the hell are these kids reading? I want that. lol.

Oh noes. This is a white hat attack. I don't want to do anything that could do serious damage.

Create your own trojan... or a reverse bindshell... use Metasploit.
