Hakin9 Exploiting Software April Issue is Out!

The April issue of Hakin9 Mobile Security is out. This month’s magazine features the article “Cisco IOS Rootkits and Malware: A practical guide” by Jason Nehrboss:

Propagating the worm code into a new router can either be quite easy, difficult, or impossible. There are many variations of supported IOS code and hardware platforms. The author discusses the use of and demonstrates an IOS Embedded Event Manager rootkit and worm. When a router is infected it can be leveraged into a powerful malware platform. Capabilities demonstrated are network packet captures, reverse shell connections, a spam module, and a mini malware httpd server leveraged with ip address hijacking. In this article you will learn how to exploit critical network devices, network traffic traversing these devices and act as a launch point for further attacks into a network You will also learn about a self replicating IOS worm with stealth features and self defense mechanisms, all with platform independent code.

Also in this issue Craig Wright continues his excellent series on exploit creation. This month’s article is entitled, “Taking control, Functions to DLL injection“:

DLL injection is one of the most common methods used by malware such as a rootkit to load it into the host’s privileged processes. Once injected, code can be inserted into functions being transmitted between the compromised code and a library function. This step is frequently followed with API hooking where the malicious code is used to vary the library function calls and returns. This article is part of a monthly series designed to take the reader from a novice to being able to create and deploy their own shellcode and exploits. With this knowledge, you will learn just how easy it is for sophisticated attackers to create code that can bypass many security tools. More, armed with this knowledge you will have the ability to reverse engineer attack code and even malware allowing you to determine what the attacker was intending to launch against your system.

Other articles include:

  • Deceiving Networks Defenses with Nmap Camouflaged Scanning By Roberto Saia
  • Exploiting Software By Swetha Dabbara
  • Cross Site Request Forgery – Session Riding By Miroslav Ludvik and Michal Srnec
  • Data Logging with Syslog: A troubleshooting and auditing mechanism By Abdy Martinez
  • Social Engineering – New Era of Corporate Espionage By Amar Suhas

Check it out!

Strong Cybersecurity Legislation needed to prevent Inevitable Attack

Cybersecurity experts warned congress on April 24th that unless strong legislation is passed to enforce basic security standards for critical infrastructure, this country could face a major cyber attack.  “If we don’t do that this year, an attack is inevitable,” Center for Strategic and International Studies Senior Fellow James Lewis told the congressional committee.

According to an article on Government Computer News, the attacks that the public is seeing are only the “tip of the iceberg”, and it is the attacks that the public does not see that are very disconcerting. Shawn Henry, former executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, echoed what the NSA said a few years ago, that network operators “need to assume that they have or will be compromised”:

“The threat has reached the point that a determined adversary will access any system that is directly accessible from the network,” said Henry, who now is president of CrowdStrike Services, a cybersecurity intelligence start-up. “They will keep coming until they come in.”

The article also mentions that though China and Russia are a major concern, that are not the top threat to American networks. Lewis said, “I don’t worry about China and Russia, they aren’t going to start a war just for fun. I don’t know if we can say that for Iran and North Korea.”

Though many main stream computer security experts would counter the statement that a major attack is inevitable, the key really lays in the fact that a lot of information causing the concern is not released publicly. Even the NSA caught a lot of flack recently about their concerns about the hacker group Anonymous. But you have to realize the NSA has access to information that the public will never see, and if they are concerned, there really has to be something to it.

US networks would be much stronger if companies did enforce basic standard security procedures. But my question is why hasn’t critical infrastructure entities already implemented it? And why would we need more legislation passed to force them to do it, when it should already be done?

Metasploitable – Gaining Root on a Vulnerable Linux System

As I mentioned in my previous post, Metasploitable is a purposefully vulnerable Ubuntu 8.04 image that is running several unpatched services. Metasploitable is a great platform to practice and develop your penetration testing skills. In this tutorial, I will show you how to scan the system, find one of the vulnerable services and then exploit the service to gain root access.

In this tutorial I am using a system running Backtrack 5r2 and the Ubuntu Metasploitable VMWare image.

On your Backtrack system, run the Metasploit console.

(From the GUI menu -Backtrack/Exploitation Tools/Network Exploitation Tools/Metasploit Framework/Msfconsole)

Scan the host

First thing we will do is scan the target ( in this case) with nmap:

The -Ss option tells nmap to perform a stealth scan, the -A option tells it to try to discover OS and service version levels. As you can see from the above picture, several services are running on multiple ports. If you notice, you will see this box is running Samba on ports 139 and 445. Samba provides SMB file and print services for Windows clients.

In this tutorial we will focus on the Samba service. Nmap says it is running version 3.x, let’s see if we can get more specific information. Metasploit has some amazing auxiliary modules, one section being the scanner section. Let’s search the scanner section for the SMB Protocol:

Looks like the scanner section has a SMB version detector. In the picture above, I select and run the SMB detector program. The program responds with the exact version of Samba – 3.0.20.

Doing a online quick search for vulnerabilities for this version of Samba returns “Username Map Script”. If we use the “search samba” command in Metasploit it lists available exploits.

An exploit exists for “Username Map Script” and it has a rating of excellent, which means it is very solid and reliable exploit.


Now we will use the “Username Map Script” to gain a root level shell on the system:

In the picture above, we simply chose the exploit to use, configured it with the target address,, then told it to run the exploit. The exploit ran the exploit against the system, created a remote session with the target and opens up a command shell. As you can see, I ran the “id” command in the remote shell and it returned:

uid=0(root) gid=0(root)

We do in fact have a remote access root command shell with the target machine.


There you have it, a remote root shell from a vulnerable Linux service. In a real world situation, the attacker would then make moves to recover data from the machine (passwords, documents, etc), and possibly use this machine to penetrate deeper into the target network.

As you can see, if software updates are not done on your system (OS manufacturer does not matter) your system could be at risk of being compromised. And as always, do not try these techniques on a system that you do not have permission to do so.

If you liked this tutorial and want to learn a lot more about security testing Windows and Linux systems with the latest version of Backtrack (Kali Linux), check out my book, “Basic Security Testing with Kali Linux“.

Practice Linux Penetration Testing Skills with Metasploitable

Okay, you have been reading up on computer security, and even played around with Backtrack some. You have been gaining some penetration testing skills, but now you want to try them out. What do you do?

There are several sites that exist that allow you to (legally) test your abilities, but why not try them out on Metasploit’s own Metasploitable?

Metasploitable is a VMWare Ubuntu 8.04 image that is purposefully left with several vulnerabilities so you can check out your mad skills. Okay, before I get a bunch of e-mails about this, yes Ubuntu (Linux) has vulnerabilities. That is why you need to update your Linux software just as you would your Windows boxes.

Metasploitable is running several services that have not been patched and it is a non-persistant image (changes are not saved) so you can play to your hearts content and if you really mess up, just re-boot and the Ubuntu image will be restored to original.

The best way to become a good penetration tester is to practice. And Metasploitable is a good Linux platform to play with. I will not go into to much depth (there are plenty of Metasploitable tutorials out there already) but in my next post (Metasploitable – Gaining Root on a Vulnerable Linux System) I will show you how to get root access on the image using Backtrack 5R2.

Metasploitable – Check it out!