Defend against Brute Force Attack with Fail2ban

Daily we hear some news related to cybercrime just, like, some malicious users or bots have successfully defaced some publicly accessible websites or some services. As we always try to explain through our articles, how such types of activities are possible when the system is weakly configured or misconfigured. It is therefore important to build some security measures, such as IDS / IPS in the firewall, to defend your server and clients while configuring it.

In this article, we will show how you can protect your network from brute force attacks and running network services?

The answer is: Using IPS in your network.

Table of Content

  • What is an IPS?
  • Introduction to fail2ban
  • Lab Setup Requirement
  • Brute Force Attack in Absence of IPS
  • Intrusion Prevention Lab Set-Up
  • Configure Fail2Ban
  • Protect SSH Against Brute Force Attack
  • Testing Fail2ban
  • How to unban IP in fail2ban for SSH
  • Protect FTP against Brute Force Attack
  • Testing Fail2ban for VSFTP
  • Unban IP for VSFTPD

What is an IPS?

Intrusion Prevention System is short-term as IPS, it networks security measures to examine the incoming traffic to perform intrusion detection and then block the detected incidents. For example, IPS can drop malicious packets, ban the traffic coming from an offending IP address.

Introduction to fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and ban IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally, Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time.

In this article, I will discuss how to prevent your running services against brute force attack using fail2ban.

Source: https://www.fail2ban.org/wiki/index.php/Main_Page

Lab Setup Requirement

Victim’s Machine: Ubuntu 14.04  (192.168.0.105)

Pentester’s Machine: Kali Linux (192.168.0.105)

Brute Force Attack in Absence of IPS

Now let’s try to launch a brute force attack when on port 22 which is open in the target’s network to make unauthorized login. With the help hydra, we will try to guess SSH login credential.

As you can observe in the above image that it has successfully found aarti:123 for ssh login. Similarly, let’s try to launch a brute force attack when on port 21 which is open in the target’s network to make unauthorized login. With the help hydra, we will try to guess FTP login credential.

And from the given below image, you can observe, how badly these services are configured. Even the network administrator has not followed the password complexity rules as a result, it is so easy to launch a brute force against such type of network.

Intrusion Prevention Lab Set-Up

Therefore, I decided to set up the Intrusion Prevention system in this network which will monitor the incoming packets and detects the malicious activities and blocks that traffic coming from wicked IP. It is very easy to install fail2ban as Ubuntu already has a package for fail2ban in apt-repositories.

First of all, let me show you, the iptables rule list, which is empty as shown in the below image and then executes the installation command. Once it gets completed, then copy the configuration of jail.conf file inside jail.local file.

NOTE: While configuring fail2ban in your local machine, you must have root access or can use a non-root user with sudo rights.

Configure Fail2Ban

The service fail2ban has its default configuration files “jail.local” in the /etc/fail2ban directory, therefore, you should not edit this file, but you can override this into jail.local file with the help of below command and then open that file for configuring it as per your requirement.

Above you have seen that we had successfully launched brute force attack on SSH and FTP, therefore I will configure fail2ban to stop brute force attack in the network.

Once the file gets opened you need to focus a few things such as “ignoreip, bantime, maxretry” and then modify their value as per your requirement. Set the IPs you want fail2ban to ignore as ignoreip, set the ban time (in seconds) for a particular time period and maximum number for the user attempts.

Protect SSH Against Brute Force Attack

Ultimately, we come towards that portion of the configuration file which deals with specific services. These are identified by the section headers, such as [ssh].

To enable each of these sections to uncomment header [ssh] and modify the enabled value into “true” as shown in the below image, and then save the jail.local file and restart the fail2ban service:

Testing Fail2ban for SSH

Fail2ban offers a command “fail2ban-client” that can be used to execute Fail2ban from the command line, to check that the Fail2Ban is running and the SSH jail is enabled you can follow the given syntax to confirm its status.

Syntax: fail2ban-client COMMAND

As you can observe, the current filter list and action list is set as 0 or all I can say, it is empty. These values will get change if someone tries to cross the limit of maxretry.

As said above fail2ban will update iptables rules to reject the IP addresses for a specified amount of time and from the given below image you can observe, last 3 policies are automatically created by fail2ban.

Now let’s test host machine against brute force attack for ssh login once again:

And as you can obverse, this time we got “Connection refused” error while brute forcing attack on port 22.

Hmm!! Not bad, let’s also check the status for ssh jail status after this attack.

Now you can observe that in the given below image, it has shown 1 ban IP: 192.168.0.104 and anybody can explore log file too for more details.

How to unban IP in fail2ban for SSH

If you wish to unban the IP then again, you can go with fail2ban-client commands and do the same as done here:

And when you will check ssh jail status one more time, this time it won’t be showing any IP in the IP list.

Protect FTP against Brute Force Attack

Similarly, to enable FTP sections to uncomment [vsftpd] header and change the enabled line to be “true” as shown in the below image and even you can modify maxretry or log file path as per your requirement.

[vsftpd]

enabled = true

maxretry = 3

Testing Fail2ban for VSFTPD

Now save jail.local file and restart the fail2ban service and then you can check fail2ban and its Jail status including iptables rules.

With the help of the above command, we concluded that now there are two jails: ssh and vsftpd and also some new fail2ban policies have been created within iptables.

Now let’s test host machine against brute force attack for FTP login:

And as you can obverse, this time we got connection refused error while brute force attack and let’s check status for vsftpd jail status once again.

Yet again you can observe that in the given below image, it has shown 1 ban IP: 192.168.0.104 and anybody can check log file too for more details.

And look at the vsftpd log file, contains all detailed related to login attempt.

Unban IP in fail2ban for VSFTPD

If you wish to unban or unblock the IP then again, you can go with fail2ban-client commands and do the same as done here:

And when you will check vsftpd jail status once again, this time it won’t be showing any IP in the IP list.

Hope! You people will enjoy the article and find helpful in your network penetration testing and you can do more with fail2ban for securing your network.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Magic Unicorn – PowerShell Downgrade Attack and Exploitation tool

Magic Unicorn is a simple tool for using a PowerShell downgrade attack that injects shellcode straight into memory. It is based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Table of Contents

  • Powershell Attack Instruction
  • HTA Attack Instruction
  • Macro Attack Instruction

 Download the unicorn tool from the git repository:

Once downloaded, go in the directory and run unicorn with the following command to see all the possible methods.

 

Powershell Attack Instructions

First, we will try the reverse_tcp payload. As we can see in the main menu all the commands are already written. We just need to replace the IP with our IP.

 

Now this will give us two files. One is a text file named “powershell_attack.txt” which has the PowerShell code that will be run in the victim’s machine using social engineering and the other is “unicorn.rc” which is a custom Metasploit file that will automatically set all the parameters and start a listener.

These files will be saved in the directory where unicorn was cloned. Powershell_attack.txt holds the malicious code and when the victim will execute that code in his command prompt, the attacker will get a reverse connection of his machine.

Now let’s set up a listener first. We need to run the Metasploit “unicorn.rc” file using the following command:

We see a session was obtained in the meterpreter. It was because the PowerShell code was executed in the victim’s command shell. It would have looked something like this:

HTA Attack Instructions

For our next attack, we will be using an HTA payload.

Now convert your IP in bit.ly URL form and send to the victim and then wait for the user to click on the “launcher.hta” file which could be done using social engineering easily.

So, we set up a Metasploit listener next using the RC file and wait for the user to click on the hta payload.

As soon as he ran the file, we received a meterpreter session. We checked the system info using the sysinfo command.

 

Macro Attack Instructions

Now for the third and final payload for this tutorial, we set hands on our beloved macros.

This again creates a text file and a “.rc” file with the same name and on the same destination.

To enable developer mode there are various methods depending upon your version of MS office.

As for a generic approach, let’s say you enabled it like:

File->properties->ribbons->developer mode

You will see an extra tab labeled developer once it gets enabled.

As for the attack, go to developer->macros and create a new macro named “Auto_Open”

Simply paste the contents from “powershell_attack.txt” to this xlsx module and save it.

As soon as you click run (little green icon on the top), it will give you an error! Don’t worry! You want that error. It is supposed to happen.

Soon after the error on the user screen, we would have obtained a session successfully in meterpreter!

Use sysinfo double check our successful exploitation using unicorn!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

Multiple Ways to Exploiting PUT Method

Hi Friends, today’s article is related to exploiting the HTTP PUT method vulnerability through various techniques. First, we will determine if the HTTP PUT method is enabled on the target victim machine, a post which we will utilize several different methods to upload a Meterpreter reverse shell on the target and compromise the same.

Table of Content 

  • Introduction to HTTP PUT Method
  • Scanning HTTP PUT Method (Nikto)
  • Exploiting PUT Method Using Cadaver
  • Exploiting PUT Method Using Nmap
  • Exploiting PUT Method Using Poster
  • Exploiting PUT Method Using Metasploit
  • Exploiting PUT Method Using Burpsuite
  • Exploiting PUT Method Using Curl

Introduction to HTTP PUT Method

PUT method was originally intended as one of the HTTP method used for file management operations. If the HTTP PUT method is enabled on the webserver it can be used to upload a malicious resource to the target server, such as a web shell, and execute it

As this method is used to change or delete the files from the target server’s file system, it often results in arising in various File upload vulnerabilities, leading the way for critical and dangerous attacks. As a best practice, the file access permissions of the organizations’ critical servers should be strictly limited with restricted access to authorized users, if in case the organization absolutely MUST have these methods enabled.

Note: In this tutorial, we are using a Vulnerable target machine for Pentesting purposes and to illustrate the use of various tools. This is purely meant for educational purposes in the testing environment and should not be used in a Production environment without the authorized permissions from the relevant authorities/management.

Requirements 

Target: Metasploitable 2

Attacker: Kali Linux machine

Let’s Begin!!!!

Boot your Kali Linux machine (IP: 192.168.1.105) and in parallel, type victim IP as 192.168.1.103 in the Firefox browser and click on WebDAV. As we can see from the screenshot it is listing only the parent directory. 

First of all, we need to ensure that the vulnerable target machine has the HTTP PUT method allowed us to upload malicious backdoors. In order to confirm the same, we need to scan the target using Nikto.

Nikto is a popular Web server scanner that tests Web servers for dangerous files/CGIs, outdated server software and other issues. It also performs generic and server type specific checks. Below is the command to scan the URL:

Upon running the above command, we can observe that the highlighted part in below screenshot displays that the HTTP PUT method is allowed. Now let’s hack the vulnerable target machine by uploading the PHP malicious file, using the various techniques shown in upcoming sections.

Prepare the malicious file to be uploaded with msfvenom :

Msfvenom can be used to create PHP meterpreter payload that gives us a reverse shell. Execute the following command to perform the same

Copy the code from <?php to die() and save it in a file with .php extension as shell.php file , on the desktop .This will be utilized later in the upcoming sections, to upload the file on the web server.

In parallel, load the Metasploit framework by typing msfconsole on a new terminal and start multi/handler. This will be utilized in the later part of the section

Cadaver

Cadaver is a command line tool pre-installed in the Kali machine that enables the uploading and downloading of a file on WebDAV.

Type the target host URL to upload the malicious file, using the command given below.

Now once we are inside the victim’s directory, upload the file shell.php from the Desktop to the target machine’s path, by executing the below command :

To verify whether the file is uploaded or not, run the URL: 192.168.1.103/dav/ on the browser. Awesome!!! As we can see, the malicious file shell.php has been uploaded on the web server.

Now, let’s launch the Metasploit framework and start a handler using the exploit/multi/handler module. Assign the other values like the LHOST and LPORT values to the Kali machine’s IP and port to listen on, respectively. Once done, execute by running the command exploit to start listening for the incoming connections.

Press Enter and we will observe that the reverse TCP handler has been started on Kali IP 192.168.1.105:4444.

Now go back to the previously uploaded shell.php file and click on the same. Once run, we will get the TCP reverse connection automatically on the meterpreter shell. Further, run the sysinfo command on the meterpreter session to get machine OS/architecture details.

 

Nmap

Nmap is an opensource port scanner and network exploitation tool. If PUT Method is enabled on any web server, then we can also upload a malicious file to a remote web server with the help of NMAP. Below is the command to configure the same. We must specify the filename and URL path with NSE arguments. in parallel, prepare the malicious file nmap.php to upload to the target server.

As seen from the below screenshot, the nmap.php file has been uploaded successfully.

Type the same URL in browser 192.168.1.103/dav and execute the same. As evident from the screenshot, the file nmap.php has been uploaded on the web server.

Simultaneously, open Metasploit MSF console and use multi/handler; then go back to previously uploaded nmap.php file and run it. As can be seen below, this will give us a meterpreter session.

Poster

The poster is a Firefox Add-on and a developer tool for interacting with web services to let the end-user trigger the HTTP requests with parameters like GET, POST, PUT and DELETE and also enables to set the entity body, and content type

Prepare the malicious file poster.php that you would like to upload to the target machine. Install the Poster plug-in from Firefox Add-on. Click on the tools from the menu bar. And then click on Poster from the drop-down menu. The following dialog box will open. Type the URL as mentioned in the screenshot and provide the path of the malicious file to be uploaded via Browse option and finally click on PUT action.

Type the same URL in browser 192.168.1.103/dav and execute the same. As evident from the screenshot, the file poster.php has been uploaded on the web server.

Simultaneously, open Metasploit MSF console and use multi/handler; then go back to previously uploaded poster.php file and run it. This will give us a meterpreter session.

Burpsuite

Burpsuite is one of the most popular proxy interception tools whose graphical interface can be effectively utilized to analyze all kind of GET and POST requests.

Configure the manual proxy settings of end users’ browser so as to intercept the GET request Browse the URL http://192.168.1.103 but don’t hit ENTER yet. In parallel, let us navigate to the Burpsuite Proxy tab and click Intercept is on the option under the Intercept sub-option, to capture the request. As soon as we hit ENTER in the users’ browser, we will be able to fetch the data under the intercept window.

Now right-click on the same window and a list of multiple options will get displayed. A further click on Send to the repeater.

 

In the below-highlighted screenshot, we will observe two panels – left and right for the HTTP Request and HTTP Response respectively. The GET method can be observed in the HTTP request and we will now replace GET with the PUT method in order to upload the file with name burp.php comprising of malicious content/code.

Type PUT /dav/burp.php HTTP/1.1 in the header and then paste the php malicious code starting from dav directory through PUT request.

Verify and confirm the file upload by browsing the same URL 192.168.1.103/dav in the end users’ browser and we can see the burp.php file has been uploaded in the /dav directory of the web server.

Simultaneously, open Metasploit MSF console and use multi/handler; then go back to previously uploaded burp.php file and run it. This will give us a meterpreter session.

Metasploit

Metasploit Framework is a well-known platform for developing, testing, and executing exploits. It is an open source tool for performing various exploits against the target machines. This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests. Set ACTION to either PUT or DELETE. PUT is the default.

Metasploit has in-built auxiliary modules dedicated to scanning HTTP methods and gives us the ability to PUT a file with auxiliary/scanner/http/http_put. Below are the commands to accomplish the same

Type the same URL in browser 192.168.1.103/dav and execute the same. As evident from the screenshot, the file meter.php has been uploaded on the web server.

 

Simultaneously, open Metasploit MSF console and use multi/handler; then go back to previously uploaded meter.php file and run it. This will give us a meterpreter session.

 cURL

cURL is a well-known command line tool to send or receive the data using the URL syntax and is compatible with various well-known protocols (HTTPS, FTP, SCP, LDAP, Telnet etc.)

To exploit the PUT method with cURL, the command is:

Type the same URL in browser 192.168.1.103/dav and execute the same. As evident from the screenshot, the file curl.php has been uploaded on the web server.

 

Simultaneously, open Metasploit MSF console and use multi/handler; then go back to previously uploaded curl.php file and run it. This will give us a meterpreter session.

Author: Ankur Sachdev is an Information Security consultant and researcher in the field of Network & WebApp Penetration Testing. Contact Here

Multiple Ways to Detect HTTP Options

Hi Friends, today we will walk through various HTTP Protocol methods and the tools used to extract those available HTTP methods in a web server. As we are already aware that the HTTP protocol comprises of a number of methods that can be utilized to not only gather the information from the web server but can also perform specific actions on the web server. These techniques and methods are helpful for the web application developers in the deployment and testing stage of web applications.

GET and POST is the most well-known methods that are used to access and submit information provided by a web server, respectively. HTTP Protocol allows various other methods as well, like PUT, CONNECT, TRACE, HEAD, DELETE. These methods can be used for malicious purposes if the web server is left misconfigured and hence poses a major security risk for the web application, as this could allow an attacker to modify the files stored on the web server.

OPTIONS: The OPTIONS method is used to request the available HTTP methods on a web server.

GET: GET request is the most common and widely used methods for the websites. This method is used to retrieve the data from the web server for a specific resource. As the GET method only requests for the data and doesn’t modify the content of any resources, it’s considered to be safe.

POST: POST requests are used to send (or submit) the data to the web server so as to create or update a resource. The information sent is stored in the request body of the HTTP request and processed further. An example illustrating the same is “Contact us” form page on a website. When we fill a form and submit it, the input data is then stored in the response body of the request and sent across to the server.

PUT: The PUT method allows the end-user (client) to upload new files on the web server. An attacker can exploit it by uploading malicious files or by using the victim’s server as a file repository.

CONNECT: The CONNECT method could allow a client to use the web server as a proxy.

TRACE: This method echoes back to the client, the same string which has been sent across to the server, and is used mainly for debugging purposes.

HEAD: The HEAD method is almost similar to GET, however without the message-body in the response. In other words, if the HTTP request GET /products return a list of products, then the HEAD /products will trigger a similar HTTP request, however, won’t retrieve the list of products.

DELETE: This method enables a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to perform a DoS attack.

Now let us use some tools to identify the HTTP methods enabled or supported by the web server

Metasploit

Metasploit Framework is a well-known platform for developing, testing, and executing exploits. It is an open source tool for performing various exploits against the target machines.

Metasploit has in-built auxiliary modules dedicated to scanning HTTP methods. Through the Metasploit framework command line (CLI), we can identify the HTTP Options available on the target URL as follows:

cURL

cURL is a command line tool to get or send the data using the URL syntax and is compatible with various well-known protocols (HTTPS, FTP, SCP, LDAP, Telnet etc.) along with command line (CLI) options for performing various tasks (Eg: User authentication , FTP uploading , SSL connections etc). The cURL utility by default comes installed in most of the distributions. However if in case, cURL is not installed, then we can install the same via apt-get install curl command. For more details refer the below URL

https://www.hackingarticles.in/web-application-penetration-testing-curl/

Through the cURL command we can identify the HTTP Options available on the target URL as follows :

The screenshot displays the various types of allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE), apart from other server-specific information (Server response, version details etc)

Nikto

Nikto is a Web server scanner that tests Web servers for dangerous files/CGIs, outdated server software and other issues. It performs generic and server types of specific checks.

Through the Nikto command we can identify the HTTP Options available on the target URL as follows :

The screenshot displays the various types of allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE), apart from another detailed server specific information (Server response, version details etc)

Nmap

Nmap is a free and open-source security scanner, used to discover hosts and services on the network. This is another method of checking which HTTP methods are enabled by using an NMAP script called http-methods.nse, which can be obtained from https://nmap.org/nsedoc/scripts/http-methods.html .

Let us use NMAP command to enumerate all of the HTTP methods supported by a web server on the target URL as follows :

The screenshot displays the various types of allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE) along with highlighting the potential risk methods (i.e TRACE) out of them.

Netcat

Netcat is a utility tool having the capability to write and read data across TCP and UDP network connections, along with features like in-built port scanning, network debugging and file transfer etc.

Through the Netcat command we can identify the HTTP Options available on the target URL as follows :

Press enter and the following options appear in the command line. Enter the server details as follows (and as highlighted in red )

The screenshot displays the various types of allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE), apart from other server-specific information (Server response, version details etc)

 

Burpsuite

Burp Suite is a platform for performing various security testing for web applications, from initial mapping and analysis to identifying and exploiting application vulnerabilities.

As we are aware that the HTTP OPTIONS method provides us with the most effective way to discover the different methods allowed on an HTTP server. So, let us capture the URL request in Burpsuite GUI and change the HTTP method type in the Request section to OPTIONS, as seen below.

As shown, the RESPONSE from the web server not only displays the list of HTTP methods allowed, however also highlights the server version details (Eg: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL 1.0.0/k DAV/2 PHP/5.4.3)

Author: Ankur Sachdev is an Information Security consultant and researcher in the field of Network & WebApp Penetration Testing. Contact Here