PRACTICAL PROTECTION IT SECURITY MAGAZINE
TBO 03/2012

Dear Readers,

Our current edition addresses one of the most recognized and popular IT security network scanners. This professional program provides users with easy access to a large, comprehensive collection of security-related tools, ranging from port scanners to password crackers. Thanks to co-operation with BackTrack (BT), Nessus, Snort creators and a group of professional specialists who wrote specific articles for us, we were able to cover specific toolkits and possible uses in one publication. This suite of security tools has been wonderfully described from different points of view, giving us the excellent content presented below.

Looking through the list of articles, you'll find thematic sections, presenting each author's work. We divided our content into sections concerning each one of the biggest network scanners in the world:

• Nmap: Some of you have most likely used Nmap sometime or another, while others use it on a daily basis for network discovery and security auditing. Besides those functions, there are many more useful options that come with this utility.
• Helix: Is a unique tool necessary for every computer forensic tool kit! Get the only tool with a Live and Bootable side for your investigation needs.
• BackTrack: The highest rated and acclaimed Linux security distribution to date. BackTrack 5.0 is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.
• Snort: Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.

You'll definitely enjoy the reading and have a lot of practical knowledge and listings to implement it in your own computer.

Paweł Płocki and Hakin9 team

Team
Editor in Chief: Ewa Dudzic [email protected]
Managing Editor: Ewelina Sołtysiak [email protected]
Editorial Advisory Board: Rebecca Wynn, Matt Jonkman, Donald Iverson, Michael Munt, Gary S. Milefsky, Julian Evans, Aby Rao
Proofreaders: Michael Munt, Rebecca Wynn, Elliott Bujan, Bob Folden, Steve Hodge, Jonathan Edwards, Steven Atcheson, Robert Wood, Ewelina Soltysiak
Top Betatesters: Hammad Arshed, Amit Chugh, Viswa Prakash, M.Younas Imran
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic [email protected]
Production Director: Andrzej Kuca [email protected]
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski [email protected]
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1, Phone: 1 917 338 3631, www.hakin9.org/en

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

CONTENTS

ULTIMATE NESSUS 5.0
Partial Exposure Key Attacks on RSA 6 (Theodosis Mourouzis)
How to Scan with Nessus from within Metasploit 10 (Michael Boman)
How to Use Multiplayer Metasploit with Armitage 14 (Michael Boman)
Create a Basic Web Application Scan Policy 32 (Johan Loos)
Five Steps to Nessus 5 36 (Walter Cuestas)
Vulnerability Assessments On Scada Systems With Nessus 5.0 50 (Indranil Banerjee [nu11_()_v0!d])
Analyzing Vulnerable Systems Using Nessus 5 58 (Steve Myers)
Nessus 5.0 Installation and Configuration Guide 62 (Vikas Kumar | Ethical Hacker | Speaker)
New to Nessus 5?? Well then don't miss this!! 88 (Johan Loos)
Compliance Auditing with Nessus 5 94 (Paul Battle)

BACKTRACK 5.0 SCANNING
How Exposed To Hackers Is the WordPress Website You Built? 102 (Alex Kah)
BackTrack 5 Toolkit Tutorial 108 (Vikas Kumar | Ethical Hacker | Speaker)
Android Exploitation with Metasploit 130 (Aditya Gupta)
Use Metasploit in Backtrack 5 138 (Johan Loos)

HELIX CONFIGURATION
Helix2009R1 is forensically sound… Surely? 144 (Amy Cox and Eyal Lemberger)
Real World Imaging Tips using Helix 150 (Keith Swanson)
Helix 3 Pro: An Experience 154 (Elias Psyllos)

NMAP AND ITS MOST IMPORTANT FEATURES
Know Your Tracks using Nmap 156 (Ali Hadi)
Nmap Network Forensics 164 (David Harrison)
Nmap How to Use it 168 (Sahil Khan)

SNORT: NETWORK INTRUSION PREVENTION AND DETECTION SYSTEM
PfSense + Snort: Fast approach 180 (Salih Khan)
Using Snort for Intrusion Detection for Small to Medium sized Enterprise (SME) 186 (Keith DeBus)
Snort for SOHO and Enterprise Networks 192 (Rafael L. Torres Jr.)

Partial Exposure Key Attacks on RSA
Theodosis Mourouzis

We study the attacks on the RSA scheme when partial secret information is available. We focus on the following fundamental questions: (A) how many bits of the secret key d does an adversary require in order to reconstruct all of d? (B) How many randomly located bits from the prime divisor p of the modulus N are required in order to factorize the modulus completely and efficiently?

The motivation behind partial exposure attacks or partial key leakage attacks is inspired by side-channel attacks and cold-boot attacks, where the adversary is assumed to have access either to a portion of the least significant bits of the secret key d, or to a percentage of bits from either the least significant bits or the most significant bits of the prime divisor p, or even to some randomly selected bits from the least significant halves of the prime divisors p and q. Under all the scenarios we try to reconstruct either the secret key d or one of the prime factors of the modulus N.

Keywords: RSA, cold-boot attacks, side-channel attacks, least significant bits (LSB), most significant bits (MSB), pseudo-randomness, RSA problem, Factoring problem, Coppersmith's theorem, LLL algorithm, brute-force tree search, reconstruction algorithm

Introduction
RSA is a public key cryptosystem which is widely used in many applications and was first publicly described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman [9]. Let (N, d) be an RSA private key, where N is an n-bit number given by the product of two primes p and q of equal bit-length (p < q < 2p or q < p < 2q). We study how secure the scheme is if an adversary is able to expose a fraction of bits from d, or some, even randomly selected, bits from the primes p and q.

RSA is defined by the following four algorithms: Modulus-Generation, Key-Generation, Encryption and Decryption [9].

Modulus-Generation: N ← (p, q) ← ModGen(1^n)
Given the security parameter of size n, generate two distinct large primes p, q with q < p < 2q. Then the modulus is given by N = pq.

Key-Generation: (e, d) ← KeyGen(p, q)
Given p and q, compute φ(N) = (p-1)(q-1). Then the public key exponent e is chosen such that it belongs to the multiplicative group of integers mod φ(N), i.e. HCF(e, φ(N)) = 1, and the secret key exponent d is such that ed = 1 mod φ(N).

Encryption: M is encrypted via the power map x → x^e to give C = M^e mod N.

Decryption: C is decrypted via the power map x → x^d. Correctness: we have C^d = M^{ed} = M mod N.
For our analysis we study the following questions:

(A) How many bits from d are required in order to fully reconstruct d?
(B) How many bits from the LSB (or MSB) of the prime factor p (or q) are required in order to factorize N?
(C) How many randomly selected bits from p or d are required in order to fully break RSA?

The factorization of N cannot be efficiently computed on a classical computational model without the knowledge of either p or q, and this provides the security of RSA. The security of RSA relies on two fundamental problems [4, 10]:

• Factoring large numbers: Due to our bounded computational resources and data storage, it is assumed to be computationally hard to retrieve the prime factors of large enough composites.
• RSA Problem: The task of efficiently computing e-th roots modulo a large integer N. Thus, given a ciphertext c, it is computationally infeasible to compute c^(1/e) mod N and thus compute m.

However, by employing other attacks such as side-channel attacks or cold-boot attacks, the adversary can expose some bits of d or some bits of the prime divisors p and q of N [2, 6, 8, 10]. For example, we know that DRAM remanence effects make possible practical, non-destructive attacks that recover a degraded version of secret keys stored in a computer's memory. Using this, an attacker with physical access to a machine can break popular disk encryption systems or recover an SSL server's private key. One consequence of the nature of the attack is that a perfect image of the contents of memory may not be available to the attacker; instead, some bits may have been flipped. It was observed that, within a DRAM region, the decay is overwhelmingly either 0 → 1 or 1 → 0. The decay direction for a region can be determined by comparing the number of 0s and 1s. (In an uncorrupted key we expect these to be approximately equal.) See Figure 1 for more details.

Figure 1. Properties of memory remanence and decay [6]

Framework of the Attacks
Given any form of secret information, we try to fully reconstruct either some bits of the key or some bits of any of the prime divisors efficiently. Under all the scenarios the attacks follow the same framework, consisting of three main steps as described below.

Step 1
Collect information regarding the secret key or the prime divisors of the modulus N. This can be achieved by performing either side-channel attacks or cold-boot attacks on the device which runs RSA.

Step 2
Combine all the collected information to reconstruct 1/4 of either the LSB or the MSB of the prime divisor p.

Step 3
Use Coppersmith's theorem combined with the LLL algorithm in order to fully reconstruct the prime divisors. The co-primality of the public key e and φ(N), and the fact that e is small, in the sense that exhaustive search up to e is feasible, can be used for the full reconstruction of the prime divisors.

References
[1] Blömer, J. and May, A. (2003). "New Partial Key Exposure Attacks on RSA". In CRYPTO, Volume 2729 of LNCS.
[2] Boneh, D. (1999). "Twenty years of attacks on the RSA cryptosystem". Notices of the American Mathematical Society 46 (2): 203-213.
[3] Boneh, D., Durfee, G. and Frankel, Y. (1998). "An Attack on RSA given a small fraction of the Private Key Bits". Advances in Cryptology.
[4] Cohen, H. (2000). "A course in computational algebraic number theory". GTM 138. Springer.
[5] Coppersmith, D. (1997). "Small Solutions to Polynomial Equations, and Low Exponent RSA vulnerabilities". Journal of Cryptology, v. 10, n. 4.
[6] Heninger, N. and Shacham, H. (2009). "Reconstructing RSA Private Keys from Random Key Bits". Proceedings of Crypto, Springer-Verlag.
[7] Lenstra, A., Lenstra, K. and Lovász, L. (1982). "Factorizing polynomials with rational coefficients". Mathematische Annalen 261 (4): 515-534.
[8] Maitra, S., Sarkar, S. and Gupta, S. (2010). "Factoring RSA Modulus Using Prime Reconstruction from Random Known Bits". Proceedings of the Third International Conference on Cryptology in Africa: 82-99.
[9] Rivest, R., Shamir, A. and Adleman, L. (1978). "A method for obtaining Digital Signatures and Public-Key Cryptosystems". Communications of the ACM 21 (2): 120-126.
[10] Schneier, B. (1996). "Applied Cryptography". 2nd Edition, John Wiley and Sons.

Partial Exposure of the Secret Key
In this section we study the question: is it possible to fully break RSA given that some bits of p are available? The answer is positive, and the following theorem by Coppersmith [5] is the most fundamental theorem in the area of partial exposure attacks. It can be used to build more sophisticated attacks which assume that the available bits of either d or p are random, in the sense that we are not given a contiguous block of bits.

Theorem
Let N = pq be an n-bit RSA modulus. Then given the n/4 least significant (or most significant) bits of the prime factor p, one can efficiently factor N.

Proof
This is an immediate consequence of Coppersmith's theorem, which uses the lattice basis reduction algorithm LLL [7] in order to find small solutions (x0, y0) to a bivariate polynomial f(x, y), provided appropriate bounds on x0 and y0 are known in advance. We state the theorem below.

Coppersmith's Theorem
Let f(x, y) be a polynomial in two variables over the integers, of maximum degree δ in each variable separately, and assume the coefficients of f are relatively prime as a set. Let X, Y be bounds on the desired solutions x0, y0. Define f̃(x, y) = f(Xx, Yy) and let D be the absolute value of the largest coefficient of f̃. If XY < D^(2/(3δ)), then in time polynomial in (log D, 2^δ) we can find all integer pairs (x0, y0) with f(x0, y0) = 0, |x0| < X and |y0| < Y.

Now assume that the n/4 least significant bits of p are known, so that we know the value p0 = p mod 2^(n/4). Hence we can compute q0 = (N/p0) mod 2^(n/4), i.e. N times the inverse of p0 modulo 2^(n/4). Let r > 2^(n/4) and define f(x, y) = (rx + p0)(ry + q0) - N. Then we want to find a solution (x0, y0). Since the greatest common factor of the coefficients is r, we consider f(x, y)/r instead. Then the largest coefficient of f(Xx, Yy)/r satisfies the inequality given by Coppersmith's theorem. Thus the solution can be found, and so we can fully reconstruct p.

Suppose that the public key e is small, in the sense that brute force up to the order of e is feasible. Boneh et al. showed that under this assumption, given the n/4 least significant bits of d, we can recover the full d in time linear in n and e [2, 3]. In [1] the attack is further developed for larger values of the public key e.

Using random bits from primes to break RSA
In this section we show how one can recover the full prime divisors of an RSA modulus given some bits allocated randomly in the least significant halves of the prime divisors. The reconstruction method described is a brute-force search exploiting the known bits to prune wrong branches of the search tree, thereby reducing the total search space towards a possible factorization. Below we describe the reconstruction algorithm, but first we establish some notation as given in [6, 8].

Figure 2. The propagation of the search tree algorithm by considering the relation below

Definition 1
Let X[i] be the i-th bit of X, with X[0] being the LSB, and X_i the partial approximation of X through the bits 0 to i.

Definition 2
Let l_N be the length of the RSA modulus N.

Algorithm 1 below outputs all possible pairs (p_i, q_i) by appending (p[i], q[i]) to the partial solutions (p_{i-1}, q_{i-1}) and prunes the incorrect ones by checking the validity of the available relations.
Algorithm 1
Input: N, t and p[i], q[j] for some random values of i, j
Output: Contiguous t many LSBs of p and q
Initialize: i = 1 and p_0 = q_0 = p[0] = q[0] = 1
    for all (p_{i-1}, q_{i-1}) do
        for all possible (p[i], q[i]) do
            p_i := APPEND(p[i], p_{i-1})
            q_i := APPEND(q[i], q_{i-1})
            if N = p_i q_i mod 2^(i+1) then ADD the pair (p_i, q_i) at level i
    REPORT all (p_{t-1}, q_{t-1}) pairs

We notice that there are 4 possible choices for the (p[i], q[i]) branches at level i. However, using the multivariate Hensel's lemma we can obtain the relation

p[i] + q[i] = (N - p_{i-1} q_{i-1})[i] mod 2

See Figure 2. This relation cuts down the branches from 4 to 2. A more sophisticated complexity analysis of the algorithm shows that a 0.3 fraction of the bits from the LSB halves of the primes p and q is enough to fully reconstruct the prime divisors p and q. Then, by applying Coppersmith's theorem again, we fully break the RSA scheme.

Theodosis Mourouzis
Theodosis Mourouzis is a PhD student at University College London, studying cryptography under the supervision of Dr Nicolas Courtois. His main academic interests lie in the area of optimization of arbitrary algebraic computations over a non-commutative setting for cryptographic and cryptanalytic purposes, algebraic attacks and cryptanalysis of block ciphers. He obtained a BSc in Mathematics and an MMath from the University of Cambridge (2008-2010), studying Number Theory and Algebra. Email: [email protected].
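The following Python example is added here and is not code from the article or its references: it implements Algorithm 1 with the Hensel relation and pruning by leaked bits, and then the polynomial set-up of the earlier Coppersmith step on the recovered low half. The primes P and Q are constructed toy values, the leak is simulated with a seeded random subset of bit positions, and the names leak_random_bits, reconstruct, coppersmith_polynomial and demo are this example's own.

```python
import random

# Constructed toy primes (2^32 - 5 and 2^32 - 17, both prime); real RSA primes are far larger.
P, Q = 4294967291, 4294967279
N = P * Q

def bit(x, i):
    """i-th bit of x, with bit 0 the LSB (Definition 1)."""
    return (x >> i) & 1

def leak_random_bits(x, t, fraction, rng):
    """Simulated partial exposure: {index: bit} for a random subset of the
    positions 1..t-1 of x (bit 0 of an odd prime is always 1)."""
    return {i: bit(x, i) for i in range(1, t) if rng.random() < fraction}

def reconstruct(N, t, known_p, known_q):
    """Algorithm 1: every (p_{t-1}, q_{t-1}) pair whose t low bits agree
    with N and with the leaked bits."""
    level = [(1, 1)]                                   # p_0 = q_0 = 1
    for i in range(1, t):
        mod, nxt = 1 << (i + 1), []
        for p_prev, q_prev in level:
            # Hensel relation p[i] + q[i] = (N - p_{i-1} q_{i-1})[i] mod 2:
            # only 2 of the 4 candidate bit pairs can satisfy it.
            target = bit((N - p_prev * q_prev) % mod, i)
            for p_bit, q_bit in ((0, 0), (0, 1), (1, 0), (1, 1)):
                if (p_bit + q_bit) % 2 != target:
                    continue
                if known_p.get(i, p_bit) != p_bit or known_q.get(i, q_bit) != q_bit:
                    continue                           # contradicts a leaked bit
                p_i, q_i = p_prev | (p_bit << i), q_prev | (q_bit << i)  # APPEND
                if (p_i * q_i - N) % mod == 0:         # N = p_i q_i mod 2^(i+1)
                    nxt.append((p_i, q_i))
        level = nxt
    return level

def coppersmith_polynomial(N, p0, k):
    """Set-up of the Coppersmith step: from p0 = p mod 2^k derive
    q0 = N * p0^-1 mod 2^k (the N/p0 of the text) and the coefficients
    of f(x, y)/r = r xy + q0 x + p0 y + (p0 q0 - N)/r with r = 2^k."""
    r = 1 << k
    q0 = (N * pow(p0, -1, r)) % r                      # p0 odd, so invertible (Python 3.8+)
    return r, q0, (r, q0, p0, (p0 * q0 - N) // r)      # last term is exact: p0 q0 = N mod r

def f_over_r(coeffs, x, y):
    a, b, c, d = coeffs
    return a * x * y + b * x + c * y + d

def demo(t=16, fraction=0.5, seed=1):
    """Leak `fraction` of the low t bits of P and Q, run the reconstruction,
    and check that the true low halves survive and are a root of f/r."""
    rng = random.Random(seed)
    cands = reconstruct(N, t, leak_random_bits(P, t, fraction, rng),
                        leak_random_bits(Q, t, fraction, rng))
    p0 = P & ((1 << t) - 1)
    r, q0, coeffs = coppersmith_polynomial(N, p0, t)
    root_ok = f_over_r(coeffs, (P - p0) // r, (Q - q0) // r) == 0
    return (p0, Q & ((1 << t) - 1)) in cands, len(cands), root_ok

if __name__ == "__main__":
    print(demo())
```

With no leaked bits the Hensel relation alone leaves exactly 2^(t-1) candidate pairs, which is what the leaked bits prune down.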
How to Scan with Nessus from within Metasploit
Michael Boman

When you perform a penetration test with Metasploit you sometimes import vulnerability scanning results, for example from the Nessus Vulnerability Scanner. Usually you start the scan externally from the Metasploit framework and then import the results into Metasploit.

What you can do instead is manage the Nessus scan from within Metasploit and easily import the results into your process. But let's start from the beginning.

What you should know
To get the most of this article you should have a working (and preferably updated) BackTrack 5 R3 system; 32-bit or 64-bit shouldn't matter, but I personally run a 32-bit system in a virtual machine. This article makes extensive use of the command line, so you should preferably be familiar with that.

What you will learn
After reading this article you should know how to run a Nessus scan both from the Nessus console and, more importantly, from within the Metasploit Framework.

Installing Nessus on BackTrack 5 R3
To run a Nessus vulnerability scan from the Metasploit console you first need to have a Nessus installation somewhere. Please refer to http://www.tenable.com/products/nessus/nessus-product-overview for download and installation instructions. I'll wait while you install it, and don't forget to register your installation so you can download the latest plugins for it.

Downloading
To download the Nessus vulnerability scanner go to http://www.nessus.org and download the Ubuntu 11.10 version for your architecture (32-bit or 64-bit).

Installing
Install Nessus by running

32-bit
    # dpkg --install Nessus-5.0.1-ubuntu1110_i386.deb

64-bit
    # dpkg --install Nessus-5.0.1-ubuntu1110_amd64.deb

Figure 1. Registering Nessus