Wednesday, July 24, 2013

Penetration Testing - SAMBA SERVER

Aim: The aim is to understand how the countermeasures are applied in order to protect the potential vulnerable organization using the samba server.

Detail summery of configuration in Victim computer.

The attacker system, victim server (Linux) and client (Windows XP) was setup in a virtual environment using VMware workstation 9. They all belong to the host only network and are isolated from the rest of the network.

The Attack system is a Kali Linux which is a distribution based on the Debian GNU/Linux. The Metasploit Framework is used to executing exploit code against a remote target machine. For samba server to work properly we need port 137-139 and 445 opened. The client system is windows XP with service pack 2. The simple file sharing is disabled. Representation of samba server, client (windows XP) and the attack system is shown in figure 1. 


Samba Server

Samba is an open source implementation of a Server Message Block (SMB) file sharing protocol which provides file and print services to the SMB clients. Samba allows non windows servers to communicate with the same networking protocols as windows products. 

It was originally designed for UNIX systems and is compatible with all versions of Linux, windows based systems. There are three daemons that provide required functionality to samba server. These daemons are smbd, nmbd and winbindd.

The smbd server daemon is controlled by SMB service which provide file sharing and print services to windows clients. It is responsible for authentication and resource locking through SMB protocol. The port used are TCP port 139 and 445.

The nmbd server daemon is controlled by SMB service which interacts with NetBIOS and facilities Network Neighbourhood view. The port used are UDP port 137. Windows XP relies on this daemon for file and resource sharing.
The winbindd server daemon is used to emulate the windows user to appear as unix users. It is controlled by winbind service.

Server setup

1. The smb.conf contains the configuration for samba server which is located in /etc/samba/ directory. Here the server is configured as stand-alone server.

[global]
        server string = %h server (Samba %v)
        obey pam restrictions = Yes
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 10000
        username map script = /etc/samba/scripts/mapusers.sh
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        invalid users = root
        hosts allow = 192.168.13.0/24, 127.0.0.1
        hosts deny = 0.0.0.0/0

[riyaz]
        comment = riyaz share folder
        path = /home/riyaz/share
        valid users = riyaz
        read only = No

Parameter
Comment
[global]
Declaration under this will effect globally. This defines the work group name, host allowed, log files etc.
[riyaz]
This is the share directory called riyaz with writable permission.
 path
/home/riyaz/share This line specifies the path of the shared file.
valid users = riyaz
This is to specify that only, the user riyaz can login and see the shared files.
read only
This parameter controls whether a user has the ability to create or modify files within a share directory.
2. Add user to samba server and create the directory for sharing files.

riyaz@samba:/$ sudo smbpasswd -a riyaz
riyaz@samba:/$ mkdir -p /home/riyaz/share
riyaz@samba:/$ sudo chown -R riyaz:riyaz /home/riyaz

3. Start the samba service

riyaz@samba:/$ /etc/init.d/samba start
Usage: /etc/init.d/samba {start|stop|reload|restart|force-reload}

4. Check that the Samba server is running

riyaz@samba:/$ ps ax | grep mbd
 5040 ?        Ss     0:03 /usr/sbin/nmbd -D
 5042 ?        Ss     0:00 /usr/sbin/smbd -D
 5046 ?        S      0:00 /usr/sbin/smbd -D
 5769 pts/1    R+     0:00 grep mbd
riyaz@samba:/$ ps ax | grep winbind
 5771 pts/1    R+     0:00 grep winbind


Server setup

1. In windows XP open up the windows explorer click on | Tools | Map Network Drives. In the dialog box select the drive letter followed by the //192.168.13.11/riyaz as shown in figure 2.


      When prompted for credentials use user name: riyaz and password: password. After successful login the shared folder will be mapped to the chosen drive as shown in figure 3.


System admin task
This server accepts valid users and requires them to validate before mounting the directory to a drive. In the smb.conf file the following logs declared for the purpose of auditing the samba server.

 All users are individually logged in this folder with the hostname /var/log/samba/

   The Log level is set to 3 which is useful for following exactly what the server is doing. Here is the log of cislab computer when set to 1 which is just the basic information of connection.

[2013/05/10 18:40:14, 1] smbd/service.c:make_connection_snum(662)
  cislab (192.168.13.10) connect to service riyaz initially as user riyaz (uid=1003, gid=1003) (pid 6071)

The syslog is set to 0 so it doesn’t log anything to the syslog file. All the log will be in the above specific directory for every connections. 

Log all the important and offensive events against your target including attacks detected services’ logs nature and origin of the attack, damage caused and your critical assessment on countermeasures and prevention mechanism s:

Log files from the Victim system: the samba server is configured to log all the connection attempts to the server. After the attack is launched the file highlighted in figure 4, 1 and 2 are created. 


The content of log file highlighted in figure 4, log.192.168.13.149 is as shown below in figure 5, from line 38 to 42 the attack system negotiate with the server to set up the session with the user name "/=`nohup " + payload.encoded + "`" and from line 51 to 54 the we can see the authentication fails and the connection is closed by the server. Even though the connection is closed it execute arbitrary command to establish connection as shown in figure 6.




Origin of attack: The root cause is passing unfiltered user input provided via MS-RPC calls to /bin/sh when invoking externals scripts defined in smb.conf.
Damage caused: privilege escalation with super user rights.

Countermeasures and prevention mechanism:

A patch against Samba 3.0.20  usermap exploit is available at http://www.samba.org/samba/security/ .
This defect may be eased by removing all defined external script invocations such as username map script, add printer command, etc. from samba configuration file (smb.conf).
The Samba Team always encourages users to run the latest stable release as a defence against attacks and apply any patch if available for the current version.
Firewall Iptables rules to filter ports.
Review of log files to see any abnormality like reboot of system, remote login attempts, etc.
Always use key authentication with strong passphrases.
The security policy needs to be in place to grant users the minimum access required to do their job. Enforce these policies in perimeter devices.
Separate the server from external connection to limit the damages.


Penetration Testing
1. Information Gathering and Service Enumeration

We need to know whether the target system is live on the network, this can be accomplished with the use of Nmap. By using nmap –sV <taget ip> -p <port range> we can enumerate the service running in the target port



As highlighter in figure 7, the host 192.168.13.10 has port 139 & 445 open. The operating system is Microsoft windows XP. The host 192.168.13.11 has port 139 & 445 open which runs samba 3.X which implies the system is *nix based.

Form figure 7 output as highlighted by 5, we can infer that the host has a Samba 3.X smbd service running on TCP ports 139 and 445. After searching for potential vulnerabilities on internet, we are ready to exploit this service to gain access to the host. We will refine to see  which version of SMB service was in use by the victim machine, Metasploit provides many auxiliary scanners that can assist us, one of which being found at auxiliary/scanner/smb/smb_version.


So now we know that the smb service on victim machine is "Unix Samba 3.0.20-Debian" This information will help us in picking an exploit that is compatible with this version of Samba. We can use all the exploit for the victim samba service until one works, this will generate lots of traffic in the victim’s network which is not good.

Vulnerability Assessment

Using internet to search for known vulnerability. The Common Vulnerabilities and Exposures (http://cve.mitre.org/) database revels this version of samba service is vulnerable, some of them are as listed below.

· CVE-2007-2447: Remote Command Injection Vulnerability (http://www.samba.org/samba/security/CVE-2007-2447.html and https://security-tracker.debian.org/tracker/CVE-2007-2447 ).

·     CVE-2009-0022: Potential access to "/" in setups with registry shares enabled (http://www.samba.org/samba/security/CVE-2009-0022.html )
·         CVE-2013-0213.html: Clickjacking in SWAT (http://www.samba.org/samba/security/CVE-2013-0213 )

·         CVE-2009-0022: Potential access to "/" in setups with registry shares enabled (http://www.samba.org/samba/security/CVE-2009-0022.html )

·  CVE-2012-1182: "root" credential remote code execution. (http://www.samba.org/samba/security/CVE-2012-1182 )

·  CVE-2011-2694: Cross-Site Scripting vulnerability in SWAT (http://www.samba.org/samba/security/CVE-2011-2694 )

· CVE-2010-2063: Memory Corruption Vulnerability (http://www.samba.org/samba/security/CVE-2010-2063.html )

·         CVE-2009-2906: Remote DoS against smbd on authenticated connections (http://www.samba.org/samba/security/CVE-2009-2906.html )

·         CVE-2008-1105: Boundary failure when parsing SMB responses can result in a buffer overrun ( http://www.samba.org/samba/security/CVE-2008-1105.html )
·  CVE-2007-0452: Potential Denial of Service bug in smbd (http://www.samba.org/samba/security/CVE-2007-0452.html )
From the list of above vulnerability, the CVE-2007-2447: Remote Command Injection Vulnerability is of interest. We use metasploit to search for exploit and it is available, this exploit only work when the "username map script" in smb.conf option is enabled.

Description of the exploit: Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution (reference: http://www.exploit-db.com/exploits/16320/).

From the list of above vulnerability, the CVE-2007-2447: Remote Command Injection Vulnerability is of interest. We use metasploit to search for exploit and it is available, this exploit only work when the "username map script" in smb.conf option is enabled.

Description of the exploit: Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution (reference: http://www.exploit-db.com/exploits/16320/).

Exploit

After enumeration we are ready to launch our attack using metasploit on console mode to take over the victim system. We are configuring the exploit and the payload as follows,

use exploit/multi/samba/usermap_script
set RHOST 192.168.13.11
set payload cmd/unix/bind_netcat
exploit

If the exploit is succeeds will open a telnet connection with the remote system.



From the above figure the exploit is successful and we got shell session as root user. 

Clearing the tracks
The server will log all the attempt made by the individual connections separately to the /var/log/samba/ directory with the file name in the format of log.<hostname/IP address> so the log file needs to be cleared to clear the tracks.

Clear the log

sudo bash -c “> /var/log/<file name>”

Mitigate the risks:

The information about the service we are running should be hard to collect. The system need to be fully patched, it includes the kernel and all applications. The services needs to running in least privileged mode. Firewall needs to be in place to filter packets based on mac address and the TCP header flags. This will prevent the information gathering process by attacker’s crafted packets.

In this samba server the smb.conf file contains username map which is used to convert a login name input from the client to initiate the session, which requires local *nix username. The policy on *nix system for username is different from the windows and we need to map windows user to the *nix user name. This user name mapping has two forms user name and user name script. The user name script Depend on external command to perform user mapping. The following is the extract from the smb.conf file from the section 

[global]
username map script = /etc/samba/scripts/mapusers.sh

This allows us to define external command to execute. If the above line is disabled the attacker will not be able to execute the arbitrary command. The below figure shows the failure of the remote exploit.


Critical self-evaluation

While setting up the samba server I tried different OS to install the old version of the samba package but all failed due to incompatible libraries. Future moving from the incompatible libraries to dependency on sub dependency, so we searched the internet for suitable OS which has the requirements for the samba server version 3.0.20 and found out the Debain OS lenny is well suited and we give it a try initially we had problem compiling the samba and then got few other library’s to get it work. If the test bed for the victim system provided it would have given us more time to investigate future exploits.

Conclusion
As a security professional we need to know how it is easy for hackers to exploit the vulnerable of the services which are unpatched. There are free tools to collect information about the services running in the organization. As the vulnerability are discovered the vendor provides the updates to patch the services we need to regularly update the services. Regular audit of the system needs to be in place to ensure there is no easy way for the attacker to carry out the dirty job of attacking our server. 
As the task is divided among the team we focus on individual deliverable and communicate to each other to see how we can help others in their deliverables. We coordinated well to achieve the end task.

References

  1. Bauer M. D. (2005). Linux Server Security. Second Edition Edition. O'Reilly Media.
  2. EC-Council. (2010). Penetration Testing: Procedures & Methodologies (EC-Council Certified Security Analyst). First Edition. Course Technology.
  3. Kennedy, D. (2011). Metasploit: The Penetration Tester's Guide. First Edition. No Starch Press.
  4. Petersen, R. (2010). Fedora 14 Networking and Servers. Edition. Surfing turtle press.
  5. Rucilez, D. (n.d.). Hacking Samba / SMB Server in Metasploit Framework. Retrieved from Eli the computer guy - free online computer training course: http://www.elithecomputerguy.com/2013/01/22/hacking-samba-smb-servers-in-metasploit/