zAnti – Fast & Simple Android Based Security Testing Platform

zImperium’s zAnti is a quick and simple Android based app that you can use to test your network security. Want network scanning, Man-in-the-Middle (MITM) attacks, exploit capability and reporting features all from your Droid tablet or phone? Then look no further.

If you liked the previous version (called Anti) then you will love this update. zAnti seems to be smoother and easier to use than its predecessor. zAnti still comes with a token type credit system that allows you to access the more advanced features, but like the first one, you can still see the power of zAnti with the free version.

So how does it work?

Once you start the App, you will be asked to login. Then zAnti does a quick scan of available Wi-Fi networks and asks which one you want to test. Just select the network and zAnti does a quick scan and shows all the available hosts on the network.

Found a target that looks interesting? Just select it and, with a quick swipe of the finger, you reach the Action menu. From here you can perform several different attacks including sniffing and exploit attempts. Swipe again and you come to the Nmap menu, where you have the option to run several levels of nmap based scanning to attempt OS version and service identification. Swipe once more and you come to a comment page where you can write notes about the target.

In a test, I ran zAnti on my 7″ Polaroid Android Tablet. Within a few seconds I had a complete list of all the machines on my network. Selecting one of my Windows 7 systems from the menu, I performed a deeper nmap scan. The scan found no open ports, and it could not provide much information about the client. But by switching to the Action menu I chose the sniffer option:

Within seconds I was viewing a list of all the webpages that my Windows 7 wired client was visiting, remotely on my droid tablet! Obviously some type of ARP (Address Resolution Protocol) cache poisoning was going on here.

A quick look at the Windows 7 client’s ARP table showed that zAnti had successfully performed a man-in-the-middle attack on the client. And sure enough, it had switched in its own MAC address for the client’s gateway entry. This effectively put the wireless Droid in between my router and the wired Windows 7 client, so it could sniff all the network traffic!
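The gateway-entry swap described above is exactly the symptom a host-side ARP monitor watches for. The Python below is an added example, not part of the original post and not zAnti code: it replays a constructed sequence of ARP replies (the addresses are assumed: 192.168.0.1 for the router, 192.168.0.50 for the wired Windows 7 client and 192.168.0.99 for the tablet) and raises an alert when an IP’s MAC changes mid-session or when one MAC answers for the gateway and other hosts at once. It also parses Windows-style arp -a output so the check the writer did by eye, comparing the gateway entry against a known-good MAC, can be scripted on the client.

```python
"""ARP cache poisoning detector: an added example, not part of the original
post and not zAnti code. Addresses are assumed: 192.168.0.1 router,
192.168.0.50 wired Windows 7 client, 192.168.0.99 Android tablet."""
from collections import defaultdict

# Constructed ARP replies as (sender_ip, sender_mac), in arrival order.
SAMPLE_ARP_REPLIES = [
    ("192.168.0.1", "00:11:22:33:44:55"),   # router answers for itself
    ("192.168.0.50", "aa:bb:cc:dd:ee:01"),  # wired client answers for itself
    ("192.168.0.99", "de:ad:be:ef:00:99"),  # tablet joins the network
    ("192.168.0.1", "de:ad:be:ef:00:99"),   # tablet now claims the gateway IP
    ("192.168.0.50", "de:ad:be:ef:00:99"),  # ...and the client IP (full MITM)
]

# Constructed Windows "arp -a" output as it would look on the poisoned client.
SAMPLE_ARP_TABLE = """Interface: 192.168.0.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           de-ad-be-ef-00-99     dynamic
  192.168.0.99          de-ad-be-ef-00-99     dynamic
"""


def detect_arp_spoofing(replies, gateway_ip):
    """Return alert strings for two poisoning symptoms.

    1. An IP whose MAC changes mid-session.
    2. One MAC that answers for the gateway and for other hosts, which is
       the "in between the router and the client" position the post describes.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"MAC change for {ip}: {previous} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if gateway_ip in ips and len(ips) > 1:
            others = ", ".join(sorted(ips - {gateway_ip}))
            alerts.append(f"{mac} answers for gateway {gateway_ip} and {others}")
    return alerts


def gateway_mac_from_arp_table(arp_output, gateway_ip):
    """Parse Windows-style "arp -a" output and return the gateway's MAC in
    colon form, or None if the gateway is not listed."""
    for line in arp_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == gateway_ip:
            return parts[1].lower().replace("-", ":")
    return None


def gateway_entry_is_clean(arp_output, gateway_ip, known_good_mac):
    """The check the post does by eye: does the client's ARP entry for the
    gateway still hold the MAC recorded while the network was trusted?"""
    seen = gateway_mac_from_arp_table(arp_output, gateway_ip)
    return seen is not None and seen == known_good_mac.lower()


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, "192.168.0.1"):
        print("ALERT:", alert)
    print("gateway entry clean:",
          gateway_entry_is_clean(SAMPLE_ARP_TABLE, "192.168.0.1",
                                 "00:11:22:33:44:55"))
```

The first check fires on the very reply that rewrites the gateway binding, which is the moment the tablet slid between router and client; the second summarises which MAC ended up owning more than one address. On a real network the replies would come from a packet capture on the segment, and the known-good gateway MAC should be recorded once, out of band, before relying on the table check.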

Even though you need to buy credits to do the more advanced attacks and Pentest reporting features, Free zAnti is a fun, sleek, uber-cool tool to add to the security toolbox. And if you need the advanced features, the support will help the company create even more feature rich programs in the future (zImperium is also working on some interesting looking mobile defense projects).

Did I mention they have a beta program for an iOS based version? 🙂

Check it out!

Metasploitable – Gaining Root on a Vulnerable Linux System

As I mentioned in my previous post, Metasploitable is a purposefully vulnerable Ubuntu 8.04 image that is running several unpatched services. Metasploitable is a great platform to practice and develop your penetration testing skills. In this tutorial, I will show you how to scan the system, find one of the vulnerable services and then exploit the service to gain root access.

In this tutorial I am using a system running Backtrack 5r2 and the Ubuntu Metasploitable VMWare image.

On your Backtrack system, run the Metasploit console.

(From the GUI menu -Backtrack/Exploitation Tools/Network Exploitation Tools/Metasploit Framework/Msfconsole)

Scan the host

First thing we will do is scan the target (192.168.0.117 in this case) with nmap:

The -sS option tells nmap to perform a SYN (“stealth”) scan, and the -A option tells it to try to discover the OS and service version levels. As you can see from the above picture, several services are running on multiple ports. Notice that this box is running Samba on ports 139 and 445. Samba provides SMB file and print services for Windows clients.

In this tutorial we will focus on the Samba service. Nmap says it is running version 3.x; let’s see if we can get more specific information. Metasploit has some amazing auxiliary modules, one section being the scanners. Let’s search the scanner section for the SMB protocol:

Looks like the scanner section has an SMB version detector. In the picture above, I select and run the SMB detector module. The module responds with the exact version of Samba: 3.0.20.

Doing a quick online search for vulnerabilities in this version of Samba returns “Username Map Script”. If we use the “search samba” command in Metasploit, it lists the available exploits.

An exploit exists for “Username Map Script” and it has a rating of excellent, which means it is a very solid and reliable exploit.
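The scan, version-detect and lookup steps above are what a defender automates when checking their own hosts for exactly this kind of unpatched service. The Python below is an added example, not code from the post, from Nmap or from Metasploit: it parses nmap’s grepable (-oG) output, picks out the Samba ports the post mentions, and then combines the coarse “3.X” banner with an exact version obtained from a follow-up probe (the post gets 3.0.20 from Metasploit’s SMB version scanner; here that result is passed in as a dictionary) before checking it against a table of affected versions. The scan text, the ssh entry and the closed-port count are constructed sample data, and the only table entry is the pairing the post names, Samba 3.0.20 and Username Map Script.

```python
"""nmap grepable-output parser plus Samba version check: an added example, not
code from the post, Nmap or Metasploit. The scan text is a constructed sample;
only the Samba entries on 139/445 reflect what the post reports."""
import re

SAMPLE_GREPABLE = (
    "# Nmap scan initiated (constructed sample) as: nmap -sS -A -oG - 192.168.0.117\n"
    "Host: 192.168.0.117 ()\tStatus: Up\n"
    "Host: 192.168.0.117 ()\tPorts: 22/open/tcp//ssh///, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: WORKGROUP)/, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: WORKGROUP)/"
    "\tIgnored State: closed (977)\n"
)

# Exact versions known to be affected, keyed by service. The post names one
# pairing (Samba 3.0.20, "Username Map Script"); fill the rest from your own
# vulnerability feed rather than guessing ranges.
KNOWN_AFFECTED = {
    "samba": {"3.0.20": "Username Map Script"},
}


def parse_grepable(text):
    """Return {host_ip: [service dicts]} from nmap -oG output.

    Each Ports entry is port/state/protocol/owner/service/rpc info/version/.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].strip().split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue  # malformed entry; skip rather than crash
                hosts.setdefault(host, []).append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return hosts


def banner_version(version_field):
    """Extract the dotted version from an nmap version banner, e.g.
    'Samba smbd 3.X (workgroup: WORKGROUP)' -> '3.X'; None if absent."""
    match = re.search(r"\b(\d+(?:\.[\dX]+)+)", version_field)
    return match.group(1) if match else None


def samba_services(hosts):
    """(host, service dict) pairs whose banner names Samba, open ports only."""
    return [(h, s) for h, svcs in hosts.items() for s in svcs
            if s["state"] == "open" and "samba" in s["version"].lower()]


def assess(hosts, exact_versions):
    """Combine the coarse nmap banner with an exact version from a follow-up
    probe (the post uses Metasploit's SMB version scanner; here the result is
    passed in as {(host, port): "3.0.20"}).

    Returns (host, port, version, verdict) tuples.
    """
    findings = []
    for host, svc in samba_services(hosts):
        exact = exact_versions.get((host, svc["port"]))
        if exact is None:
            findings.append((host, svc["port"], banner_version(svc["version"]),
                             "version unresolved: banner only"))
            continue
        issue = KNOWN_AFFECTED["samba"].get(exact)
        findings.append((host, svc["port"], exact, issue or "no known issue in table"))
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    probe = {("192.168.0.117", 139): "3.0.20", ("192.168.0.117", 445): "3.0.20"}
    for finding in assess(scan, probe):
        print(finding)
```

The point the code makes is the same one the post makes in prose: an nmap banner of “3.X” is not enough to decide anything, so a service with only a coarse banner is reported as unresolved rather than as safe, and the verdict only becomes “affected” once an exact version from the follow-up probe matches the table. Run against real -oG output, the parser needs no changes; the exact-version dictionary is the hand-off point for whatever version probe you use.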

Exploiting

Now we will use the “Username Map Script” to gain a root level shell on the system:

In the picture above, we simply chose the exploit to use, configured it with the target address, 192.168.0.117, then told it to run. Metasploit ran the exploit against the system, created a remote session with the target and opened a command shell. As you can see, I ran the “id” command in the remote shell and it returned:

uid=0(root) gid=0(root)

We do in fact have a remote root command shell on the target machine.

Conclusion

There you have it, a remote root shell from a vulnerable Linux service. In a real world situation, the attacker would then make moves to recover data from the machine (passwords, documents, etc), and possibly use this machine to penetrate deeper into the target network.

As you can see, if software updates are not applied to your system (the OS vendor does not matter), your system could be at risk of being compromised. And as always, do not try these techniques on a system that you do not have permission to test.

If you liked this tutorial and want to learn a lot more about security testing Windows and Linux systems with the latest version of Backtrack (Kali Linux), check out my book, “Basic Security Testing with Kali Linux”.

Practice Linux Penetration Testing Skills with Metasploitable

Okay, you have been reading up on computer security, and even played around with Backtrack some. You have been gaining some penetration testing skills, but now you want to try them out. What do you do?

Several sites exist that allow you to (legally) test your abilities, but why not try them out on Metasploit’s own Metasploitable?

Metasploitable is a VMWare Ubuntu 8.04 image that is purposefully left with several vulnerabilities so you can check out your mad skills. Okay, before I get a bunch of e-mails about this: yes, Ubuntu (Linux) has vulnerabilities. That is why you need to update your Linux software just as you would your Windows boxes.

Metasploitable is running several services that have not been patched, and it is a non-persistent image (changes are not saved), so you can play to your heart’s content; if you really mess up, just re-boot and the Ubuntu image will be restored to its original state.

The best way to become a good penetration tester is to practice, and Metasploitable is a good Linux platform to play with. I will not go into too much depth (there are plenty of Metasploitable tutorials out there already), but in my next post (Metasploitable – Gaining Root on a Vulnerable Linux System) I will show you how to get root access on the image using Backtrack 5R2.

Metasploitable – Check it out!