xxxxxxxxxxxxxxxxxxxxx Pentest Lab xxxxxxxxxxxxxxxxxxxxx

By default, RouterOS can be accessed through:

o Telnet
o SSH
o HTTP
o Winbox
o FTP
o Mac-Telnet

### Minimal Firewall Configuration

Fig. Topology

        Target                                   Attacker
      [ vmWare ]   ;--------x     x---------;   [ Notebook ]
    192.168.0.1/24                             192.168.0.2/24
      RouterOS                                     winXP

Tools:
- Port Scanner    . Nmap v4.2
- HTTP BruteForce . FScan v0.6
- SSH BruteForce
- FTP BruteForce
- Portknock

;;;;;;;;;;;; There are five rules ;;;;;;;;;;

o1. Drop Port Scanner
o2. Drop SSH BruteForce
o3. Drop FTP BruteForce
o4. Drop HTTP/HTTPS BruteForce
o5. PortKnocking

Rule o1. Drop Port Scanner
-----------------------------------------------------------------------------------
D:\>nmap -vv -sX -sV -p U:53,111,137,500,T:21-25,80,139,179,8080 192.168.0.1

Starting Nmap 4.22SOC8 ( http://insecure.org ) at 2008-07-19 17:12 SE Asia Standard Time
Initiating ARP Ping Scan at 17:12
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 17:12, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:12
Completed Parallel DNS resolution of 1 host. at 17:12, 16.50s elapsed
Initiating XMAS Scan at 17:12
Scanning 192.168.0.1 [9 ports]
Completed XMAS Scan at 17:12, 1.27s elapsed (9 total ports)
Initiating Service scan at 17:12
Scanning 4 services on 192.168.0.1
Discovered open port 80/tcp on 192.168.0.1
Discovered open|filtered port 80/tcp on 192.168.0.1 is actually open
Discovered open port 23/tcp on 192.168.0.1
Discovered open|filtered port 23/tcp on 192.168.0.1 is actually open
Discovered open port 22/tcp on 192.168.0.1
Discovered open|filtered port 22/tcp on 192.168.0.1 is actually open
Discovered open port 21/tcp on 192.168.0.1
Discovered open|filtered port 21/tcp on 192.168.0.1 is actually open
Completed Service scan at 17:12, 6.09s elapsed (4 services on 1 host)
SCRIPT ENGINE: Initiating script scanning.
Host 192.168.0.1 appears to be up ... good.
Interesting ports on 192.168.0.1:
PORT     STATE  SERVICE      VERSION
21/tcp   open   ftp          MikroTik router ftpd 2.9.27
22/tcp   open   ssh          OpenSSH 2.3.0 mikrotik 2.9 (protocol 1.99)
23/tcp   open   telnet       Linux telnetd
24/tcp   closed priv-mail
25/tcp   closed smtp
80/tcp   open   http         MikroTik router http config
139/tcp  closed netbios-ssn
179/tcp  closed bgp
8080/tcp closed http-proxy
MAC Address: 00:0C:29:D1:59:AB (VMware)
Service Info: Host: MikroTik; OS: Linux; Device: router

Read data files from: C:\Program Files\Nmap
Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.203 seconds
           Raw packets sent: 14 (562B) | Rcvd: 7 (302B)

D:\>
-----------------------------------------------------------------------------------

Add the rules:
-----------------------------------------------------------------------------------
| add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
|     address-list="port scanners" address-list-timeout=2w comment="Drop Port \
|     Scanners" disabled=no
| add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
|     action=add-src-to-address-list address-list="port scanners" \
|     address-list-timeout=2w comment="" disabled=no
| add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
|     address-list="port scanners" address-list-timeout=2w comment="" \
|     disabled=no
| add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
|     address-list="port scanners" address-list-timeout=2w comment="" \
|     disabled=no
| add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
|     action=add-src-to-address-list address-list="port scanners" \
|     address-list-timeout=2w comment="" disabled=no
| add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
|     action=add-src-to-address-list address-list="port scanners" \
|     address-list-timeout=2w comment="" disabled=no
| add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
|     action=add-src-to-address-list address-list="port scanners" \
|     address-list-timeout=2w comment="" disabled=no
| add chain=input src-address-list="port scanners" action=drop comment="" \
|     disabled=no
-----------------------------------------------------------------------------------

The attacker's IP address is now placed in the IP firewall address list, so:
-----------------------------------------------------------------------------------
D:\>nmap -vv -sX -sV -p U:53,111,137,500,T:21-25,80,139,179,8080 192.168.0.1

Starting Nmap 4.22SOC8 ( http://insecure.org ) at 2008-07-19 17:16 SE Asia Standard Time
Initiating ARP Ping Scan at 17:16
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 17:16, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:16
Completed Parallel DNS resolution of 1 host. at 17:17, 16.50s elapsed
Initiating XMAS Scan at 17:17
Scanning 192.168.0.1 [9 ports]
Completed XMAS Scan at 17:17, 1.26s elapsed (9 total ports)
Initiating Service scan at 17:17
Scanning 9 services on 192.168.0.1
Completed Service scan at 17:17, 5.00s elapsed (9 services on 1 host)
SCRIPT ENGINE: Initiating script scanning.
Host 192.168.0.1 appears to be up ... good.
Interesting ports on 192.168.0.1:
PORT     STATE         SERVICE     VERSION
21/tcp   open|filtered ftp
22/tcp   open|filtered ssh
23/tcp   open|filtered telnet
24/tcp   open|filtered priv-mail
25/tcp   open|filtered smtp
80/tcp   open|filtered http
139/tcp  open|filtered netbios-ssn
179/tcp  open|filtered bgp
8080/tcp open|filtered http-proxy
MAC Address: 00:0C:29:D1:59:AB (VMware)

Read data files from: C:\Program Files\Nmap
Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.094 seconds
           Raw packets sent: 19 (762B) | Rcvd: 1 (42B)

D:\>

[admin@MikroTik] ip firewall address-list> print
Flags: X - disabled, D - dynamic
 #   LIST           ADDRESS
 0   Save Haven     192.168.0.3-192.168.0.5
 1 D Save Haven     192.168.0.2
 2 D port scanners  192.168.0.2
[admin@MikroTik] ip firewall address-list>

C:\Documents and Settings\adminz>ping 192.168.0.1 -t

Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.1:
    Packets: Sent = 24, Received = 19, Lost = 5 (20% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\adminz>
-----------------------------------------------------------------------------------

o2. Drop SSH BruteForce
-----------------------------------------------------------------------------------
| add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
|     action=drop comment="Drop SSH brute forcers" disabled=no
| add chain=input protocol=tcp dst-port=22 connection-state=new \
|     src-address-list=ssh_stage3 action=add-src-to-address-list \
|     address-list=ssh_blacklist address-list-timeout=1w3d comment="" \
|     disabled=no
| add chain=input protocol=tcp dst-port=22 connection-state=new \
|     src-address-list=ssh_stage2 action=add-src-to-address-list \
|     address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
| add chain=input protocol=tcp dst-port=22 connection-state=new \
|     src-address-list=ssh_stage1 action=add-src-to-address-list \
|     address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
| add chain=input protocol=tcp dst-port=22 connection-state=new \
|     action=add-src-to-address-list address-list=ssh_stage1 \
|     address-list-timeout=1m comment="" disabled=no
-----------------------------------------------------------------------------------

o3. Drop FTP BruteForce
-----------------------------------------------------------------------------------
| add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
|     action=drop comment="Drop FTP brute forcers" disabled=no
| add chain=output protocol=tcp content="530 Login incorrect" \
|     dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
| add chain=output protocol=tcp content="530 Login incorrect" \
|     action=add-dst-to-address-list address-list=ftp_blacklist \
|     address-list-timeout=3h comment="" disabled=no
-----------------------------------------------------------------------------------

o4. Drop HTTP/HTTPS BruteForce

Minimise brute-force attacks against the HTTP/HTTPS ports of RouterOS, such as the following:
------------------------------------------------------------------------------------
D:\fscan>fscan.exe --ports 80 --hosts 192.168.0.1 --threads 200

Fast HTTP Auth Scanner v0.6 (c) Andres Tarasco - http://www.514.es
[+] Loaded 26 user/pass combinations
[+] Loaded 42 ignored webservers
[+] Loaded 41 Router authentication schemes
[+] Loaded 51 webform authentication schemes
[+] Loaded 13 Single Users
[+] Scanning 1 hosts (192.168.0.1 - (null))
[+] Scanning 1 ports - bruteforce is active

Server          Port    status    password    banner
192.168.0.1     80      200       not:found   (mikrotik routeros)

scan Finished
D:\fscan>
------------------------------------------------------------------------------------

Looking at the RouterOS log:
------------------------------------------------------------------------------------
[admin@MikroTik] > log print
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user Admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user cisco from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user 1234 from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user operator from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user user from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user root from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user super from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user test from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user Cisco from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user smc from 192.168.0.2 via web
16:49:45 system,error,critical login failure for user support from 192.168.0.2 via web
16:52:17 system,error,critical login failure for user admin via local
------------------------------------------------------------------------------------

Add the rules to the RouterOS firewall:
-----------------------------------------------------------------------------------
| add chain=input protocol=tcp dst-port=80 src-address-list=web_blacklist \
|     action=drop comment="Drop Web brute forcers" disabled=no
| add chain=input protocol=tcp dst-port=443 src-address-list=web_blacklist \
|     action=drop comment="" disabled=no
| add chain=output protocol=tcp content="invalid user name or password" \
|     dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
| add chain=output protocol=tcp content="invalid user name or password" \
|     action=add-dst-to-address-list address-list=web_blacklist \
|     address-list-timeout=3h comment="" disabled=no
-----------------------------------------------------------------------------------
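Detection logic for the log format shown above, added here as an example that is not part of the original lab: it parses the RouterOS "login failure" lines, groups them by source and service, and flags a source once ten failures fall inside one minute. The threshold is an assumption chosen to roughly match the budget of the `dst-limit=1/1m,9` accept rule, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Shape of the RouterOS 2.9 log lines printed above. Entries without a
# "from <ip>" part (the "via local" console failure) carry no source and are skipped.
FAIL_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) system,error,critical login failure "
    r"for user (?P<user>\S*) ?from (?P<src>\d+(?:\.\d+){3}) via (?P<via>\w+)$"
)

def parse_line(line: str) -> Optional[Tuple[int, str, str, str]]:
    """(seconds since midnight, user, source IP, service), or None if not a remote failure."""
    m = FAIL_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    return h * 3600 + mi * 60 + s, m["user"], m["src"], m["via"]

def brute_force_sources(lines: List[str], threshold: int = 10, window: int = 60) -> Dict[Tuple[str, str], str]:
    """Map (source, service) -> timestamp at which `threshold` failures first fell
    inside one `window`-second span. The default of 10 per minute is an assumption
    meant to approximate the budget of the page's dst-limit=1/1m,9 accept rule."""
    recent: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    flagged: Dict[Tuple[str, str], str] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, _user, src, via = parsed
        key = (src, via)
        q = recent[key]
        q.append(t)
        while t - q[0] >= window:        # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = line.strip()[:8]
    return flagged

# Constructed sample log: 12 web failures from one host within a second, one
# local console failure, and two slow SSH failures from another host.
SAMPLE_LOG = (
    ["16:49:45 system,error,critical login failure for user admin from 192.168.0.2 via web"] * 11
    + ["16:49:45 system,error,critical login failure for user  from 192.168.0.2 via web",
       "16:52:17 system,error,critical login failure for user admin via local",
       "16:53:01 system,error,critical login failure for user root from 192.168.0.7 via ssh",
       "16:53:40 system,error,critical login failure for user root from 192.168.0.7 via ssh"]
)

if __name__ == "__main__":
    for (src, via), when in brute_force_sources(SAMPLE_LOG).items():
        print(f"{when} brute force against {via} from {src}")
```

Feeding the router's syslog stream into this gives the same signal the firewall acts on, but as an alert with the source, service and time of the burst.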
Running the brute force again now gives:
-----------------------------------------------------------------------------------
[admin@MikroTik] ip firewall address-list> pr
Flags: X - disabled, D - dynamic
 #   LIST           ADDRESS
 0   Save Haven     192.168.0.3-192.168.0.5
 1 D Save Haven     192.168.0.2
 2 D web_blacklist  192.168.0.2
[admin@MikroTik] ip firewall address-list>

D:\fscan>fscan.exe --ports 80 --hosts 192.168.0.1 --threads 200

Fast HTTP Auth Scanner v0.6 (c) Andres Tarasco - http://www.514.es
[+] Loaded 26 user/pass combinations
[+] Loaded 42 ignored webservers
[+] Loaded 41 Router authentication schemes
[+] Loaded 51 webform authentication schemes
[+] Loaded 13 Single Users
[+] Scanning 1 hosts (192.168.0.1 - (null))
[+] Scanning 1 ports - bruteforce is active

Server          Port    status    password    banner

scan Finished
D:\fscan>
-----------------------------------------------------------------------------------

o5. PortKnocking Rule

Add the rules to the firewall filter:
-----------------------------------------------------------------------------------
| add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \
|     address-list=knock-knock address-list-timeout=15s comment="Port Knocking" \
|     disabled=no
| add chain=input protocol=udp dst-port=17954 src-address-list=knock-knock \
|     action=add-src-to-address-list address-list="Save Haven" \
|     address-list-timeout=3h comment="" disabled=no
| add chain=input src-address-list="Save Haven" action=accept comment="" \
|     disabled=no
| add chain=input action=drop comment="" disabled=no
-----------------------------------------------------------------------------------

-----------------------------------------------------------------------------------
# Download the port-knocking tool
D:\>wget http://www.zeroflux.org/proj/knock/files/knock-cygwin.zip

# Extract the file
D:\knock>dir
 Volume in drive D is ---data.
 Volume Serial Number is 20B3-1A4D

 Directory of D:\knock

19/07/2008  15:24    <DIR>          .
19/07/2008  15:24    <DIR>          ..
03/07/2005  02:30         1.295.582 cygwin1.dll
10/08/2005  14:52            15.238 knock.exe
               2 File(s)      1.310.820 bytes
               2 Dir(s)     714.395.648 bytes free

D:\knock>

C:\Documents and Settings\adminz>ping 192.168.0.1 -t

Pinging 192.168.0.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.1:
    Packets: Sent = 6, Received = 0, Lost = 6 (100% loss),
Control-C
^C
C:\Documents and Settings\adminz>

D:\>telnet 192.168.0.1 22
Connecting To 192.168.0.1...Could not open connection to the host, on port 22: Connect failed

D:\>putty -ssh -l admin 192.168.0.1

D:\>
  ---------------------------------------------
  | PuTTY Fatal Error                     [x] |
  |-------------------------------------------|
  |                                           |
  |  (X) Network error: Connection timed out  |
  |                                           |
  |               +-----------+               |
  |               |    OK     |               |
  |               +-----------+               |
  |                                           |
  ---------------------------------------------

D:\knock>knock.exe
usage: knock [options] [port[:proto]] ...
options:
  -u, --udp        make all ports hits use UDP (default is TCP)
  -v, --verbose    be verbose
  -V, --version    display version
  -h, --help       this help
example: knock myserver.example.com 123:tcp 456:udp 789:tcp

D:\knock>knock 192.168.0.1 1337:tcp 17954:udp

D:\knock>

C:\Documents and Settings\adminz>ping 192.168.0.1 -t

Pinging 192.168.0.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.0.1:
    Packets: Sent = 18, Received = 11, Lost = 7 (38% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
C:\Documents and Settings\adminz>

D:\>putty -ssh -l admin 192.168.0.1

D:\>

[ 192.168.0.1 - PuTTY ]
Using username "admin".
admin@192.168.0.1's password:

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 2.9.27 (c) 1999-2006       http://www.mikrotik.com/

Terminal xterm detected, using multiline input mode
[admin@MikroTik] > log print
17:38:31 system,info,account user admin logged in from 192.168.0.2 via ssh

Export file configuration
-------------------------
/ ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="Drop Port \
    Scanners" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="" \
    disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="" \
    disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="" \
    disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="Drop SSH brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1w3d comment="" \
    disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
    action=drop comment="Drop FTP brute forcers" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
    dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
    action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h comment="" disabled=no
add chain=input protocol=tcp dst-port=80 src-address-list=web_blacklist \
    action=drop comment="Drop Web brute forcers" disabled=no
add chain=input protocol=tcp dst-port=443 src-address-list=web_blacklist \
    action=drop comment="" disabled=no
add chain=output protocol=tcp content="invalid user name or password" \
    dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="invalid user name or password" \
    action=add-dst-to-address-list address-list=web_blacklist \
    address-list-timeout=3h comment="" disabled=no
add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list \
    address-list=knock-knock address-list-timeout=15s comment="Port Knocking" \
    disabled=no
add chain=input protocol=udp dst-port=17954 src-address-list=knock-knock \
    action=add-src-to-address-list address-list="Save Haven" \
    address-list-timeout=3h comment="" disabled=no
add chain=input src-address-list="Save Haven" action=accept comment="" \
    disabled=no
add chain=input action=drop comment="" disabled=no

### Other Security

o SSH public-key (preshared key) authentication

  Generate the public and private keys.

  Using ssh-keygen on *NIX:

  sh$ ssh-keygen -t dsa -f ./id_dsa
  Generating public/private dsa key pair.
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in ./id_dsa.
  Your public key has been saved in ./id_dsa.pub.
  The key fingerprint is:
  91:d7:08:be:b6:a1:67:5e:81:02:cb:4d:47:d6:a0:3b admin-ssh@beka

  Using PuTTYgen on Windows.

  Upload the public key file to RouterOS with scp, then import the file:

  [admin@MikroTik] user ssh-keys> import file=id_dsa.pub user=admin-ssh
  [admin@MikroTik] user ssh-keys> print
   # USER        KEY-OWNER
   0 admin-ssh   admin-ssh@beka
  [admin@MikroTik] user ssh-keys>

o Firewall - http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling
o Syslog Daemon
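As an added example, not part of the original lab or of RouterOS itself, the following Python model replays the SSH brute-force stages (rule o2) and the port-knocking rules (rule o5) from the export above against timed connection attempts. It assumes the RouterOS semantics that `add-src-to-address-list` does not end rule processing and that dynamic list entries expire after their timeout; only the matchers those rules use are modelled, and every packet is treated as a new connection.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    """One /ip firewall filter rule, reduced to the matchers the lab uses."""
    action: str                     # add-src-to-address-list | accept | drop
    proto: Optional[str] = None     # protocol=
    dst_port: Optional[int] = None  # dst-port=
    src_list: Optional[str] = None  # src-address-list=
    add_to: Optional[str] = None    # address-list= (target of the add action)
    timeout: float = 0.0            # address-list-timeout= in seconds

class Firewall:
    """Input chain with dynamic address-list entries that expire. Assumed to
    mirror RouterOS: the add action is non-terminating, accept/drop end it."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.lists: Dict[Tuple[str, str], float] = {}  # (list, src) -> expiry

    def packet(self, now: float, src: str, proto: str, dst_port: Optional[int] = None) -> str:
        """Verdict ("accept"/"drop") for one new connection from src at time now."""
        for r in self.rules:
            if r.proto and r.proto != proto:
                continue
            if r.dst_port and r.dst_port != dst_port:
                continue
            if r.src_list and self.lists.get((r.src_list, src), -1.0) <= now:
                continue                 # not (or no longer) on that list
            if r.action == "add-src-to-address-list":
                self.lists[(r.add_to, src)] = now + r.timeout
                continue                 # keep evaluating the following rules
            return r.action
        return "accept"                  # chain default: nothing dropped it

MIN, HOUR, DAY = 60, 3600, 86400
ADD = "add-src-to-address-list"
# Rule o2 in the page's order: the drop is evaluated before the stage adds.
SSH_RULES = [
    Rule("drop", "tcp", 22, src_list="ssh_blacklist"),
    Rule(ADD, "tcp", 22, src_list="ssh_stage3", add_to="ssh_blacklist", timeout=10 * DAY),
    Rule(ADD, "tcp", 22, src_list="ssh_stage2", add_to="ssh_stage3", timeout=MIN),
    Rule(ADD, "tcp", 22, src_list="ssh_stage1", add_to="ssh_stage2", timeout=MIN),
    Rule(ADD, "tcp", 22, add_to="ssh_stage1", timeout=MIN),
]

# Rule o5: TCP 1337 then UDP 17954 within 15 s grants 3 h in "Save Haven".
KNOCK_RULES = [
    Rule(ADD, "tcp", 1337, add_to="knock-knock", timeout=15),
    Rule(ADD, "udp", 17954, src_list="knock-knock", add_to="Save Haven", timeout=3 * HOUR),
    Rule("accept", src_list="Save Haven"),
    Rule("drop"),
]

def ssh_verdicts(gaps: List[float], src: str = "192.168.0.2") -> List[str]:
    """Verdicts for successive new SSH connections, each `gaps[i]` seconds after the last."""
    fw, now, out = Firewall(SSH_RULES), 0.0, []
    for gap in gaps:
        now += gap
        out.append(fw.packet(now, src, "tcp", 22))
    return out

def knock_then_ping(delay: float, src: str = "192.168.0.2") -> str:
    """Knock TCP 1337 at t=0 and UDP 17954 at t=delay, then ping at t=delay+1."""
    fw = Firewall(KNOCK_RULES)
    fw.packet(0.0, src, "tcp", 1337)
    fw.packet(delay, src, "udp", 17954)
    return fw.packet(delay + 1, src, "icmp")
```

`ssh_verdicts([0, 10, 10, 10, 10])` shows that a fourth SSH connection inside one minute is still accepted and only the fifth is dropped (for 1w3d), while `knock_then_ping(20)` shows that a second knock arriving after the 15 s window leaves the host closed.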