Pen-Tests in 2008 and Why don’t you crack ssh?

I recently did a pen-test for a medium-sized American firm, and it seems the number of public remote exploits for devices such as Juniper, Netopia, Cisco (telnet) and default Linux services has dropped to as low as one or two for each since 2004.

Since any respectable firm has Windows Update turned on and Fedora-style Linux distributions also have automatic updates, I came to the conclusion that the cycle of:
Safe –> Research –> Exploit –> Public Disclosure –> Patch –> Automatic Update –> Safe
means that black-box penetration testers don’t have much to show the client except configuration errors, a few user enumerations and less critical stuff that doesn’t get fixed by the vendors.

The solution would be for pen-testers to find their own exploits. That is why most of the tools written in the last few years are fuzzers.
But Cisco, Netopia, Juniper and Linux services were already fuzzed as hell before they shipped to clients, so this doesn’t seem to be a good approach to the problem.

My suggestions:
1) If you are a pen-tester, research and discover your own vulnerabilities, create workarounds for them, show them to your client and keep them to yourself!
2) If you are a researcher, supply a working PoC, because pen-testers don’t have time to buy that machine and develop working shellcode for your vulnerability.

Being 13 hops away from the machines I was pen-testing, I was amazed to see that products which are extremely mainstream and trusted fail at a task as simple as port scanning.
I used Nmap to scan the network range (of course with -P0, or -PN in the new version) and only two HTTP servers were discovered on 8 hosts. As I am not a big fan of Nmap, I went back to what I used in the past: GFI LANguard.

I scanned the targets using GFI LANguard (which is a great tool when used inside local networks) and set up a complete TCP and UDP port scan with a 20-second TCP timeout and an 8-second UDP timeout; these timeouts are EXTREME and should achieve the most accurate results. The scan results were very poor, detecting about 3 open ports on 8 machines!!! Of course I checked that nothing else was running on my internet connection, to make sure this was just a bad dream. I scanned again and one more port was discovered: SSH!

I decided this couldn’t be true and returned to Nmap using the “slow and intensive” scan. The results were better, about 5 TCP ports and 1 SNMP, but I thought “still, no way that’s all they’ve got!”

Finally, I installed the latest version of Nessus (Tenable Nessus 3), configured it with high timeouts and ran the scan. The results were AMAZING!!! It didn’t miss anything the other scanners had found, and it discovered 15 more UDP ports and 7 more TCP ports. From now on I am only scanning with Nessus; my time is worth it!

Now that I had some interesting services to attack, I wanted to try to log into one of the Linux machines over SSH. It sounded simple: “I will download a dictionary/brute-force SSH tool and that’s it”. Apparently not!
There is an ancient Perl script floating all over the web that drives SSH through “expect”; THAT IS LAME. Someone agreed and wrote a Ruby script that uses the Net::SSH library to automate attempts, quite similar to Tim’s SShatter Perl script; that is nice, but it still has no multithreading support.
Of course you may think “Why not use THC Hydra?”. The answer is that by default it isn’t configured to be compiled with libssh and you have to get some libs; you will burn a few hours to make it work!

My dear friend Kiril Nesenko, AKA “axi1es”, wrote for YOU guys a script for “The Common Lazy Fedora Guy” which will download Hydra, the SSH and other libs, configure and compile it and then run Hydra, all automatically. Enjoy! :)
http://www.linkstofiles.com/install_hydra-5.4-src+ssh.sh
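The dictionary attack described above leaves an obvious trail on the target: every failed attempt is a `Failed password` line from sshd in the system auth log. The following script is an added example (not part of the original post, and not the script linked above); it is the defender's counterpart to the attack, flagging any source address that produces a burst of failed logins inside a short sliding window. The log lines, host name, addresses and the assumed log year are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log
# (Debian) or /var/log/secure (Fedora/RHEL). Host name and addresses are made up.
SAMPLE_LOG = """\
Jan 12 10:00:01 web1 sshd[2041]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 12 10:00:02 web1 sshd[2043]: Failed password for invalid user test from 203.0.113.5 port 51023 ssh2
Jan 12 10:00:03 web1 sshd[2045]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jan 12 10:00:04 web1 sshd[2047]: Failed password for root from 203.0.113.5 port 51025 ssh2
Jan 12 10:00:05 web1 sshd[2049]: Failed password for invalid user oracle from 203.0.113.5 port 51026 ssh2
Jan 12 10:00:06 web1 sshd[2051]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
Jan 12 10:05:30 web1 sshd[2080]: Failed password for alice from 198.51.100.9 port 40200 ssh2
Jan 12 10:05:40 web1 sshd[2082]: Accepted password for alice from 198.51.100.9 port 40201 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2008):
    """Parse one sshd auth line into a dict, or None if it is not a login event.
    Classic syslog timestamps carry no year, so the caller supplies it (assumed 2008 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {src: (failures_in_window, sorted_usernames_tried)} for every source
    address that accumulates at least `threshold` failed logins within any
    `window_s`-second sliding window. Successful logins are ignored on purpose;
    a single failure followed by success (a typo) never trips the rule."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            failures[ev["src"]].append(ev)

    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({e["user"] for e in evs[start:end + 1]})
                flagged[src] = (count, users)
                break  # report the first window that crosses the threshold
    return flagged


if __name__ == "__main__":
    for src, (count, users) in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} failed logins in window, users tried: {', '.join(users)}")
```

The same logic is what fail2ban applies to sshd in production, with a firewall ban as the response; the script here only reports. Note that a source cycling through many usernames (`admin`, `test`, `oracle`, `root`) is the signature of a wordlist run against a host the attacker has no account on, which is exactly the scenario the post describes.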

  • Legion

    “2) If you are a researcher, supply a working PoC, because pen-testers don’t have time to buy that machine and develop working shellcode for your vulnerability”

    I hate to break it to you, but researchers don’t exist to give pen-tester exploits, in fact most researchers would be pretty happy if pen-testers ceased to exist.

    And if you don’t already have hydra set up, what kind of pen-tester are you anyway? Attempting to brute force ssh isn’t exactly a niche attack that will only work in a few scenarios.

  • http://rafelivgi.blogspot.com/ Rafel Ivgi

    I haven’t worked as a pen-tester for a few years, I was busy doing much crazier stuff :)
    I only took this one time job because it was short and profitable.

    I, myself, AM A RESEARCHER; you are welcome to use Google and learn about people before you make cynical comments.

    As a researcher, I am hoping pen-testers will not go extinct, as I would not want to be the poor man running dictionary attacks and Metasploit on machines and writing a 47-page report on how another boring network is hackable (because they all are, one way or another!), and if there are no pen-testers, who will refer people to researchers then?!

    The point was not about Hydra being set up, like it is in BackTrack 3 (not compiled with SSH); it’s about not wasting time on compiling Hydra with SSH.

  • MrGutts

    Interesting that you ran into the LanGuard and Nmap issue also. I experienced the same thing with various builds of nmap this year and some back in ’07. LG is really not my sole go-to scanner. I do like the nice report formats it can pump out.

  • http://maestro-ec.com w0lf

    From your post “if you are a pen-tester, research and discover your own vulnerabilities and create workarounds for them, show it to your client and keep it to yourself!”

    Wouldn’t that be rude, not contributing to the community? I can think of black-hats keeping some exploits private to make money. But as security professionals, would it not be our responsibility to report the flaw to the vendor, wait for its patch and then release the vulnerability publicly? I wouldn’t say disclose the complete PoC, but a basic idea of what the exploit is all about would be fine.

    Any comments?