Penetration Testing is the Art of the Manipulation

Attack & Defense
Author: JongWon Kim (dikien2012@gmail.com)

Table of Contents
- Penetration Testing is the Art of the Manipulation
- Table of Contents
- About Me
- Planning the Attack
- Staging the Attack (1): WEB Server
  - Stage 1. Reconnaissance
  - Stage 2. Information Gathering
  - Stage 3. Target Exploitation
  - Stage 4. Privilege Escalation
  - Stage 5. Maintaining Access
- Staging the Attack (2): DNS Server
  - Stage 1. Information Gathering
  - Stage 2. Post Exploit (Pivot)
- Staging the Forensic
  - Stage 1. Web Shell Detection
  - Stage 2. Log Analysis
  - Stage 3. Volatility
- Staging the Defense: Code Level
- Summary
- Reference

About Me
Name: JongWon Kim
Blog: http://dikien2012.blogspot.com
LinkedIn: http://kr.linkedin.com/pub/jongwon-kim/45/a40/b07/en
Twitter: @dikien2012

My Experience (working and personal):
- 2011.08: C, Linux, CCNA
- 2011.09: Windows 2008 Server, Perl
- 2011.10: Working as a Math Teacher; Reversing; L2, L3, L4, Firewall Configuration
- 2011.11: WIFI Hacking (SWSE)
- 2011.12: System Hacking (SMFE)
- 2012.01~02: Exploit Code Study using ROP; Privacy Information Protection Law; WEB Hacking
- 2012.04~09: Security Solution Operation (IPS, WAF, Database Security and DB Access Control)

Technical Skills:
- Experience in black-box and white-box penetration testing to identify system vulnerabilities and test security controls in firewalls, routers, IDS and IPS, and various types of servers, including Windows and UNIX web, mail, FTP, DNS, domain controllers and internally hosted applications
- Strong web application assessment experience, such as SQL injection, cross-site scripting, cookie manipulation, and buffer overflows
- Vulnerability detection and remediation
- Familiarity with penetration testing tools such as BackTrack and Metasploit, and vulnerability scanning tools such as pangolin, Wireshark, Nexpose, nmap, Acunetix and AppScan
- Familiarity with the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP)
- Conducting onsite and remote social engineering testing, including persuasion, phishing, mock websites, and telephone contact
- Experience in evasion techniques to bypass firewalls and intrusion detection
- Knowledge of security tools such as IPS, WAF and database monitoring
- Ability to conduct source code reviews in PHP
- Familiarity with Python scripting
- Familiarity with Windows, Solaris, and AIX
- Familiarity with XML, SOAP, JSON, Ajax and HTML5
- Network switching and routing (Cisco)
- Knowledge of TCP/IP protocols and networking architectures, and wireless LAN security including the 802.11 standards

Consulting Skills:
- Independence: self-managed and motivated
- Team oriented
- Formal policy and procedure documents
- Public speaking
- Technical writing
Planning the Attack

After 2100 years, human beings put a micro chipset into their brains to get smarter. As in all ages, disaster occurs. Some bad guys develop an exploit to manipulate humans. Computer malware is still big trouble, and human zombies are created. I am trying to prevent an even worse tragedy by analyzing the malware. However, the trouble is that the malware is protected by an anti-reversing key. I got a letter from an anonymous sender. It said that the anti-reversing code and the human botnet lists are on NASA's database. At the end of the letter, "aliens/toor" was written. Let's explore!!!

The list of Attack Directives is the following:
1) Compromise as much of NASA's network as possible
2) Extract data to find the anti-reversing key and the list of Human Zombies
3) Pivot through its network

Staging the Attack

Mission 1. Attack WEB Server

Stage 1. Reconnaissance

Scenario:
- Ping the host and get the IP address
- Use whatweb to figure out more information from the response
- I skipped DNS brute force since it is a virtual host

Attack Detail
- Ping the host and get the IP address
[Figure 1. Ping the host]
- We can figure out the version of PHP, the HTTP server, country, admin email, and operating system. It will show more information if you type "-v a=4".
[Figure 2. whatweb]

Stage 2. Information Gathering

Scenario:
- Use nmap to find the services and OS that run on the server
- Use Nexpose to get more specific information
- Use w3af to figure out what the web vulnerabilities are

Attack Detail
- The -sV and -O options of nmap will give you version and OS information
[Figure 3. Services from nmap]
[Figure 4. OS from nmap]
- The Nexpose results show me 58 vulnerabilities; "default SSH password is toor" in particular is one of the critical findings. You can also run Nessus and compare its results against Nexpose's to cross-check false positives and false negatives.
[Figure 5. More details from Nexpose]
- There are many w3af plugins, but I will use only the audit option to save time
[Figure 6. w3af: Plugin Setting]
- There are XSS, command injection, SQL injection, and LFI. On top of that, there is an upload vulnerability, but w3af couldn't find it. I will use the blind SQL injection vulnerability to breach the database in Stage 3.
[Figure 7. w3af: results]

Stage 3. Target Exploitation

Scenario:
- Use sqlmap to breach the database (the target is the attack_2 payload)
- Use hashcat to crack hashes

Attack Detail
- Let's find out the current database user, name, and password. sqlmap wasn't able to get the password. The current user is general@% and the database name is members. It didn't turn out the password of the general user; I will use another tactic to get the password later.
[Figure 8. Sqlmap: current database user and name]
- The members database has four tables: message, sessions, topics, and users. I guess users holds users' ids and passwords, and sessions plays a similar role for authorization.
[Figure 9. Sqlmap: Members database]
- As I expected, there is user-related information in the members database. I am curious about the message table. What's the message? Let's dig in there.
[Figure 10. Sqlmap: message table on members database]
- Let's dump the message table of the members database. There are two hash values. They look like hints for getting the human botnet list and the anti-reversing key.
[Figure 11. Sqlmap: hash values on message table]
- Let's crack them with hashcat. The hash values are "secret" and "checkout". I guess that "secret" means a database name. However, there is a big problem: sqlmap doesn't show me a table named secret. That means two possibilities. First, there is no secret table. Second, the user named "general" has no authority to look into it. I bet on the second one, and it is time for privilege escalation to check it out.
[Figure 12. Hashcat: cipher text : clear text]
Stage 4. Privilege Escalation

Scenario:
- Use fimap to spawn a shell
- Use Expect to get a TTY
- Make an upload page with the "MySQL dumpfile option"
- Upload a webshell

Attack Detail
- Use fimap to figure out which parameters have RFI and LFI vulnerabilities.
[Figure 13. Fimap: vulnerable parameters]
- The -x option means that it will exploit the target using the output above. Choose [1] to exploit "www.nasa.com". Choose [1] to take advantage of the 'rfi' parameter. I will use pentestmonkey's reverse shell. Let's choose [2] and put my IP address and port to connect back to my BackTrack machine.
[Figure 14. Fimap: reverse shell]
- Netcat is listening on port 1000 for the reverse shell
[Figure 15. Netcat: waiting for a shell]
- I got a shell and checked that my id is www-data, but the problem is that it communicates in clear text. It can be detected by an IPS. Let's reduce this possibility with the AES HTTP shell below.
[Figure 16. Reverse shell: id]
[Figure 17. Wireshark: not cipher text]
- "su" and "ssh" didn't work properly. Those two commands are necessary for post exploitation. Let's solve the problem with a magic shell.
[Figure 18. Message: must be run from a terminal]
- Time to try "aliens/toor" from the letter. With a magic shell, I can use the su and ssh commands.
[Figure 19. Magic shell]
- Check the kernel version with "uname -a" to get root privilege. Download the local exploit source from exploit-db and compile it.
[Figure 20. Download local exploit code]
- Execute it, and I finally get a root shell; change the shell from "/bin/sh" to "/bin/bash" for convenience
[Figure 21. Privilege escalation success]
[Figure 22. Change the shell to bash]
- There is a suspicious folder named treasure. The real treasure is over there, the database password, but I am not sure that this user has super privileges.
[Figure 23. Password for database]
- Below is the job of making a web page to upload the webshell. I create two tables.
[Figure 24. Make two tables]
- Insert some values into each table and save them to "/var/www/upload/".
[Figure 25. Create a "form.php"]
[Figure 26. Create an "upload.php"]
- Choose the file you would like to upload, then move it to "/var/www/upload/"
[Figure 27. Choose the "r57shell.php"]
[Figure 28. Move the file into the webroot]
Stage 5. Maintaining Access

Scenario:
- Use weevely to make a password-protected backdoor
- Brute force attack to get an FTP credential with Metasploit
- Traffic obfuscation: AES HTTP reverse shell

Attack Detail
- A backdoor was created, identified by password=complexpassword
[Figure 29. Make a backdoor]
- Use Metasploit for a brute force attack and get an id and password.
[Figure 30. Make a backdoor]
- Upload the backdoor with FTP
[Figure 31. Upload the backdoor]
- I don't need the r57shell, upload.php and form.php files anymore since the backdoor was uploaded successfully
[Figure 32. Remove unnecessary files]
- Change the permissions so the backdoor is readable by the www-data user
[Figure 33. Change the privilege]
- Connect to the backdoor and check out the post exploit modules
[Figure 34. Weevely: post exploit modules]
- Enumerate readable web config files using the module ":audit.user_files auto=web". Extract credentials from a readable file and log in to the database with those credentials. Since I have already done this process, I leave it for the reader. Let's look around the internal network and check whether there is another server. I will exploit 192.168.100.40 in Mission 2.
[Figure 35. Weevely: Explore internal network]
- Find a writable system script to replace with a malicious script. First, enumerate writable user files using the module. Second, upload the malicious script, replacing the system file.
[Figure 36. Weevely: Upload a malicious script]
- If the above process is too laborious, Intersect 2.5 (post exploit module) will also be a very nice choice. It includes many awesome features such as a backdoor, credential collection, internal network enumeration, a variety of shells, etc. Select the modules you want and create the script with ":create".
[Figure 37. Intersect: Setting modules]
[Figure 38. Intersect: backdoor file]
- Compare the normal shell and the AES HTTP reverse shell. Until now, I used pentestmonkey's reverse shell and weevely's backdoor. Since these two shells do not communicate in cipher text, I use the AES HTTP reverse shell, which does.
[Figure 39. Fimap: Server setting]
[Figure 40. Fimap: Server Start]
[Figure 41. AES HTTP Reverse shell communicates with cipher text]
- Upload another webshell to test whether this shell works properly. Upload a .htaccess to bypass the server-side extension whitelist.
[Figure 42. Upload .htaccess]
- Upload another webshell named "c99-bl_hongrae.txt". The server treats the ".txt" extension as ".php" because of the ".htaccess".
[Figure 43. Upload the "c99-bl_hongrae.txt"]
- Check whether the webshell with the ".txt" extension works. It works very well.
[Figure 44. Upload the "c99-bl_hongrae.txt"]
- There is 192.168.100.40, which is alive on the internal network. Let's attack this one.
Mission 2. Attack DNS Server

Stage 1. Information Gathering

Scenario:
- Make a payload that communicates with Metasploit
- Upload the payload and pivot to 192.168.100.40 with that session
- SSH enumeration and brute force

Attack Detail
- Make a custom payload and wait for it to connect back on port 1337
[Figure 45. Make a payload]
[Figure 46. Waiting for a session]
- Upload the payload with FTP and give it permission to execute
[Figure 47. Upload a payload]
[Figure 48. Change the permission]
[Figure 49. Connecting a Session]
- First, enumerate the SSH version. It shows SSH-2.0 running on SunOS
[Figure 50. Enumerate a banner]
- Second, brute force with a known password file
[Figure 51. Brute force]
- Third, connect to it; it shows that the server is for DNS
[Figure 52. SSH Connection]

Stage 2. Post Exploit

Scenario:
- Manipulate the forward zone file
- From the previous stage, pivot to 192.168.100.40 through the compromised web server
- Get the Human Botnet list and the Anti-Reversing Key
- Destroy the machine

Attack Detail
- Change the company's main homepage IP address to my IP address
[Figure 53. Pollute forward zone file]
- Set up the compromised web server to attack victims, using the CVE-2012-1889 vulnerability with Metasploit
[Figure 54. Metasploit: CVE-2012-1889]
- As soon as clients try to connect to the company's website, they will be in big trouble. Even if clients have an anti-virus solution, it would be useless since the exploit migrates very fast
[Figure 55. Antivirus is so slow]
- Regardless of the anti-virus solution, the session was created and works well
[Figure 56. Metasploit: sessions]
- Collecting information from the compromised desktop
[Figure 57. Metasploit: Collecting *.inc]
- "db.inc" looks interesting, so I open it. It's the password that I am looking for. I am sure this machine belongs to the database administrator.
[Figure 58. Metasploit: found database password]
- Check out the server name and available tokens
[Figure 59. Metasploit: UID and Tokens]
- Check out the hash dump and crack it with john
[Figure 60. Metasploit: Hashdump]
[Figure 61. John: Crack the Hashdump]
- Get more information with "run scraper"
[Figure 62. Metasploit: Getting more Information]
- Make a persistent backdoor with "run metsvc -A" and check that it works properly
[Figure 63. Metasploit: Making a backdoor]
[Figure 64. Metasploit: Backdoor is running]
- Run VNC, and I find there is HeidiSQL for administration. I was finally able to get the secret table. There are the human botnet list and the decoding key for reversing.
[Figure 65. Metasploit: VNC]
[Figure 66. VNC: Connecting secret table]
[Figure 67. VNC: Human Botnet List]
[Figure 68. VNC: Decoding Key]
- After getting the information, I made up my mind to destroy that machine using a bat file
[Figure 69. Bat file]
[Figure 70. Execute a bat file]
[Figure 71. Execute a bat file]
[Figure 72. Deleting system files]
- After rebooting, the computer doesn't work properly
[Figure 73. Booting Fail]
Staging the Forensic

Stage 1. Web Shell Detection

Scenario:
- First filter: web shell detectors (NeoPI & Emposha)
- Second filter: manual job with grep
- Manual job

Details
- I will use NeoPI to detect whether a web shell has been uploaded or not. These are NeoPI's basic options. The upload folders are "/tmp/" and "/var/www/upload/"; I will look into one of them. Let's look at "/var/www/" with "./neopi.py /var/www/ -a"; -a means it will run all tests. It will show you 5 different types of results.
[Figure 74. NeoPI: Entropy]
[Figure 75. NeoPI: Longestword]
[Figure 76. NeoPI: Signature]
[Figure 77. NeoPI: IC]
[Figure 78. NeoPI: Cumulative]
- This time, I will use another web shell detector named Emposha to reduce false positives. Upload it to the webroot folder and execute it in the browser. In my opinion, NeoPI's performance is better than Emposha's.
[Figure 79. Emposha: Upload at webroot]
[Figure 80. Emposha: Result(1)]
[Figure 81. Emposha: Result(2)]
[Figure 82. Emposha: Result(3)]
[Figure 83. Emposha: Result(4)]
[Figure 84. Emposha: Result(5)]
[Figure 85. Emposha: Result(5)]
[Figure 86. Emposha: Result(6)]
- If you find one that is suspicious, you can test it manually with the grep command. I will choose one of the suspicious files from the output above.
[Figure 86. Grep: Command]
[Figure 87. Grep: Evidence(1)]
[Figure 88. Grep: Evidence(2)]
- Below are dangerous functions. They can be used as the argument of grep.
  PHP: require(), include(), eval(), exec(), passthru(), system(), fopen(), etc.
  Python: exec(), eval(), execfile(), compile(), input()
  Perl: open(), sysopen(), glob(), system()
  C: system(), exec(), strcpy(), strcat(), sprintf()
  Java: system.* (system.runtime)
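The three NeoPI tests used above (entropy, longest word, signature) and the cumulative ranking can be reproduced in a few dozen lines; the example below is added here and is not NeoPI's code or the author's. The sample file contents are constructed; the signature list is the page's PHP list plus base64_decode, an addition of mine.

```python
import math
import os
import re
from collections import Counter

# Dangerous-function signatures from the page's PHP list, plus base64_decode
# (added here: obfuscated shells commonly wrap their payload in it).
DANGEROUS_PHP = ("require", "include", "eval", "exec", "passthru",
                 "system", "fopen", "base64_decode")
SIGNATURE_RE = re.compile(r"\b(" + "|".join(DANGEROUS_PHP) + r")\s*\(", re.I)
WORD_RE = re.compile(r"[A-Za-z0-9+/=_]+")


def shannon_entropy(data: str) -> float:
    """Bits per character; encoded or packed payloads score high."""
    if not data:
        return 0.0
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_word(data: str) -> int:
    """Length of the longest unbroken token (base64 blobs stand out)."""
    return max((len(w) for w in WORD_RE.findall(data)), default=0)


def signature_hits(data: str) -> list:
    """Dangerous function names that appear followed by a call paren."""
    return sorted({m.group(1).lower() for m in SIGNATURE_RE.finditer(data)})


def rank_files(files: dict) -> list:
    """files: {name: content}. Returns names, most suspicious first.
    Each test ranks the files on its own; the cumulative score sums a
    file's positions across tests, like NeoPI's per-test and cumulative view."""
    metrics = {
        "entropy": {n: shannon_entropy(c) for n, c in files.items()},
        "longestword": {n: longest_word(c) for n, c in files.items()},
        "signature": {n: len(signature_hits(c)) for n, c in files.items()},
    }
    cumulative = Counter()
    for values in metrics.values():
        ordered = sorted(values, key=lambda n: values[n], reverse=True)
        for position, name in enumerate(ordered):
            cumulative[name] += position
    return sorted(files, key=lambda n: cumulative[n])


def scan_directory(root: str, exts=(".php", ".txt", ".phtml")) -> list:
    """Walk a webroot such as /var/www/upload/ and rank the matching files.
    .txt is included on purpose: a .htaccess remap can make it executable."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    files[path] = fh.read()
    return rank_files(files)


# Constructed, meaningless high-entropy blob standing in for an encoded payload.
BLOB = ("Q9yVwL3tF9aXgH2mN7pB5cJ6dK1eR0sT4uY8iO3wA9qE6zS1xD2fG7hU4jI5kM8lP3nQ0vC1bV9rX6tZ4"
        "yW2eU7iO8pA1sD3fG5hJ6kL9zX2cV4bN7mQ0wE3rT5yU8iO1pA4sD6fG9hJ2kL5zX8cV1bN4mQ7wE0rT3"
        "yU6iO9pA2sD5fG8hJ1kL4zX7cV0bN3mQ6wE9rT2yU5iO8pA1sD4fG7hJ0kL3zX6cV9bN2mQ5wE8rT1yU4"
        "iO7pA0sD3fG6hJ9kL2zX5cV8bN1mQ4wE7rT0yU3iO6pA9sD2fG5hJ8kL1zX4cV7bN0mQ3wE6rT9yU2iO5")

# Constructed sample contents (not files from the page). header.php shows why
# the signature test alone gives false positives: include() is legitimate there.
SAMPLES = {
    "index.php": "<?php\n$title = 'Welcome';\necho '<h1>' . $title . '</h1>';\n?>\n",
    "header.php": "<?php include('menu.php'); echo 'Hello, world'; ?>\n",
    "c99-bl_hongrae.txt": "<?php eval(base64_decode('" + BLOB + "')); ?>\n",
}
```

The .txt sample ranks first because it tops all three tests, while header.php's single include() hit is outweighed by its ordinary entropy and word length.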
Stage 2. Log Analysis

Scenario:
- Collecting log files
- Analysis

Details
- Analyze utmp with a utmp parser. If the user logs out, this will be wiped out. wtmp, lastlog, secure, xferlog, sulog, ~/.history, access_log, error_log and other logs can be analyzed similarly.
[Figure 89. Utmp Analysis(1)]
[Figure 90. Utmp Analysis(2)]
- There is a backdoor, and someone tried to use "CVE-2012-2122" to bypass authentication
[Figure 91. Bash_History Analysis]
- Something was injected into a local directory, and there will be a suspicious user from "flush privileges"
[Figure 92. MySQL_History Analysis]
[Figure 92. Apache2 Log Analysis(1): SQL Injection]
[Figure 93. Apache2 Log Analysis(2): WebShell]
[Figure 94. Apache2 Log Analysis(3): Directory Traversal]
[Figure 95. Permission Analysis(1): User]
[Figure 96. Permission Analysis(2): Group]
[Figure 97. Log Analysis: Passwd]
[Figure 98. Log Analysis: Service]
[Figure 99. Log Analysis: Hidden files]
- On top of that, the following commands will also be worthwhile: "cat /etc/crontab", "ls /etc/cron.daily/", "cat /etc/login.defs | grep -v "#"", "cat /etc/profile | grep umask", "rpcinfo -p", "ps -ef | grep rpc", "ps -aux | grep ftp", "ls -ltrR /var/spool/cron", and "crontab -l"
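The three Apache access_log findings above (SQL injection, webshell, directory traversal) can be pulled out of the log automatically. This scanner is an added example, not the author's script; the log lines are constructed, the attacker IP is invented, and the webshell heuristics assume the writeup's upload folder is served as /upload/.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

SQLI_RE = re.compile(
    r"union\s+select|\bsleep\s*\(|benchmark\s*\(|information_schema"
    r"|'\s*(or|and)\b|\bload_file\s*\(", re.I)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
# File names the writeup's attacker used (r57, c99) plus generic shell names,
# and any request for a .htaccess (the extension-whitelist bypass).
WEBSHELL_NAME_RE = re.compile(r"(r57|c99|shell|backdoor)|(^|/)\.htaccess$", re.I)
WEBSHELL_PARAM_RE = re.compile(r"(^|&)(cmd|act|eval|c)=", re.I)
UPLOAD_DIR = "/upload/"  # assumed URL of /var/www/upload/


def classify(path: str) -> list:
    """Return the attack categories a request path matches (may be several)."""
    decoded = unquote(unquote(path))  # two passes also catch %252e double encoding
    url, _, query = decoded.partition("?")
    cats = []
    if SQLI_RE.search(decoded):
        cats.append("sqli")
    if TRAVERSAL_RE.search(decoded):
        cats.append("traversal")
    if WEBSHELL_NAME_RE.search(url) or (
            url.startswith(UPLOAD_DIR) and WEBSHELL_PARAM_RE.search(query)):
        cats.append("webshell")
    return cats


def analyze(log_text: str) -> list:
    """Parse access_log lines; return (ip, category, status, raw path) findings."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-CLF line, skip rather than guess
        ip, _ts, _method, path, status, _size = m.groups()
        for cat in classify(path):
            findings.append((ip, cat, int(status), path))
    return findings


def summarize(findings: list) -> dict:
    """Counts per category and per source IP for a quick triage view."""
    return {"by_category": dict(Counter(f[1] for f in findings)),
            "by_ip": dict(Counter(f[0] for f in findings))}


# Constructed access_log sample; the last line is benign.
SAMPLE_LOG = """\
192.168.100.50 - - [12/Oct/2012:13:55:36 +0900] "GET /index.php?id=3 HTTP/1.1" 200 512
192.168.100.50 - - [12/Oct/2012:13:55:40 +0900] "GET /index.php?id=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512
192.168.100.50 - - [12/Oct/2012:13:55:41 +0900] "GET /index.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 200 734
192.168.100.50 - - [12/Oct/2012:13:56:02 +0900] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1893
192.168.100.50 - - [12/Oct/2012:13:56:05 +0900] "GET /index.php?page=%252e%252e%2F%252e%252e%2Fetc%2Fpasswd HTTP/1.1" 200 1893
192.168.100.50 - - [12/Oct/2012:13:57:10 +0900] "GET /upload/r57shell.php?act=cmd HTTP/1.1" 200 4096
192.168.100.50 - - [12/Oct/2012:13:57:30 +0900] "GET /upload/c99-bl_hongrae.txt?act=ls HTTP/1.1" 200 2048
10.0.0.7 - - [12/Oct/2012:13:58:00 +0900] "GET /images/logo.png HTTP/1.1" 304 -
"""
```

Note the .txt request is flagged by name, not extension: after the .htaccess upload described earlier, a 200 on /upload/*.txt with a command parameter is exactly the case an extension filter would miss.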
Stage 3. Volatility

Details
- Sorry for missing the original memory dump from the DBA [figure- ]. Maintaining the evidence is essential for forensics. However, I forgot to dump the memory when I destroyed the DBA's machine. I will just show how to extract a memory image and the basic analysis commands.
[Figure 100. MoonSols: Dump the memory to protect the evidence(1)]
[Figure 101. MoonSols: Dump the memory to protect the evidence(2)]
[Figure 102. Volatility: Prepare]
[Figure 103. Volatility: cmdscan]
[Figure 104. Volatility: connscan]
[Figure 105. Volatility: getsids]
[Figure 106. Volatility: pstree]
[Figure 107. Volatility: svcscan]
Staging the Defense: Code Level

I referenced "Essential PHP Security" and "Pro PHP Security" for secure coding. I wrote two pages: index.php, the vulnerable page, and indexs.php, the more secure page. I have learned that validation of user input is an extremely important step before a query goes into the database. Checking based on a whitelist is much better than a blacklist for file uploads. I used internal functions, regular expressions and type conversion to secure the code. Also, I did whitelist checking as much as possible. In particular, restricting the length of input values to prevent SQL injection is a nice idea. I didn't apply a secure token, but it would be better if I had.
[Figure 108. Secure Coding: String Type SQL Injection = Escape Data + Length Restriction]
[Figure 109. Secure Coding: Directory Traversal]
[Figure 110. Secure Coding: Checking based on White List(1)]
[Figure 111. Secure Coding: Checking based on White List(2)]
[Figure 112. Secure Coding: Checking based on White List(3)]
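The three controls in Figures 108 to 112 (length restriction on SQL input, directory traversal containment, and whitelist checking of uploads) are shown below in Python rather than the author's PHP; this is an added example, not the indexs.php from the page. It uses a parameterised query in place of the page's escaping, and the in-memory "users" table and its rows are constructed.

```python
import os
import re
import sqlite3

# Whitelist of what the upload form is meant to accept. Scripts (.php) and
# server config files (.htaccess) are simply not on the list.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}
MAX_NAME_LEN = 64
# Whitelist and length limit in one pattern: 1 to 32 word characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_upload_name(filename: str):
    """Return (ok, reason). Anything not explicitly allowed is rejected."""
    if not filename or len(filename) > MAX_NAME_LEN:
        return False, "empty or too long"
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "path separator or NUL in name"
    if filename.startswith("."):
        return False, "dotfile (e.g. .htaccess) not allowed"
    base, dot, ext = filename.rpartition(".")
    if not dot or not base or ext.lower() not in ALLOWED_EXTS:
        return False, "extension not in whitelist"
    # A dot in the base name means a double extension such as shell.php.jpg.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", base):
        return False, "base name has characters outside the whitelist"
    return True, "ok"


def safe_path(base_dir: str, user_path: str):
    """Resolve user_path inside base_dir; None if it escapes via ../ traversal."""
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, user_path))
    if target == base or target.startswith(base + os.sep):
        return target
    return None


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the writeup's members database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("general", "hash1"), ("admin", "hash2")])
    return conn


def lookup_user(conn: sqlite3.Connection, username: str):
    """Length-restricted whitelist check first, then a parameterised query:
    the value never becomes part of the SQL text, so it needs no escaping."""
    if not USERNAME_RE.match(username):
        return None
    return conn.execute("SELECT id, name FROM users WHERE name = ?",
                        (username,)).fetchone()
```

With these checks the page's own upload chain fails at the first step: r57shell.php is off the whitelist, .htaccess is a dotfile, and a ../ name never reaches the filesystem.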
Summary

"If the DNS server were compromised by a bad guy, what would happen?" I started to write this paper with that thought. Recent vulnerabilities in Java, Flash, and Windows, the so-called zero-day vulnerabilities, threaten us severely. Of course, I do not think there are companies that allow anonymous connections to the DNS server. I made this scenario to show as many attack types as possible. I hope that this paper will help secure your valuable assets. I used every tool for web and database on BackTrack 5 R3. I compared each of the tools and tried to catch what the strong point of each is. My future work might be making a tool that suits me and concentrating on improving many advanced web hacking techniques. Thank you for reading my study. I always believe that my strong point is that I learn more quickly than my competitors.
Reference
1. Essential PHP Security by Chris Shiflett (Oct 20, 2005)
2. Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses (Expert's Voice in Open Source) by Chris Snyder, Thomas Myer and Michael Southwell (Dec 9, 2010)
3. Database Security (데이터베이스 보안) by 조은백 (Feb 11, 2011)
4. HTML5 & CSS3 Practical Techniques (HTML5&CSS3 실무테크닉) by 조승한, 안종일 (Mar 5, 2012)
5. Python, PHP, HTML5, AJAX, jQuery Online Study
6. RFI defense: input validation PHP code summary
7. InfoSec Resources – PT Example
8. Protocol-Level Evasion of Web Application Firewalls | Qualys Security Labs | Qualys Community
9. RFI DDoS botnet analysis
10. [System Hacking] Linux Setuid :: Naver Blog
11. [System Hacking] How to find and hide Linux backdoors :: Naver Blog
12. Meterpreter_cheat_sheet_v0.1.pdf
13. Post-Exploitation Without A TTY | pentestmonkey
14. Referencing vulnerable PHP code
15. Using htaccess
16. Apache guide (highly recommended)
17. MySQL security settings (privileges)
18. 40 Beautiful Free HTML5 & CSS3 Templates
19. Online Hash Crack MD5 / LM / NTLM / SHA1 / MySQL5 / MySQL323 / MD4 / WPA / WPA2 - Passwords recovery - Reverse hash lookup Online - Hash Calculator
20. [Linux1] Day 20 - find, grep.. :: Naver Blog
21. Linux vsftp installation and configuration (root), file upload.. :: Naver Blog
22. contagio: CVE-2012-1889 Microsoft XML vulnerability - Samples and Analysis by Brian Mariani and Frédéric Bourla
23. John The Ripper Hash Formats | pentestmonkey
24. SkipfishDoc - skipfish - Project documentation - web application security scanner - Google Project Hosting
25. Wooks Home: PHP Injection
26. Backtrack 5 R3 Metasploit Post Modules (What To Do After You Compromise A System)
27. Python Backdoor - AES Encrypted Traffic
28. How to manage Apache access logs :: Naver Blog
29. grep command and options :: Naver Blog
30. Metasploit: CVE-2012-2122: a MySQL vulnerability, already patched
31. Solaris DNS
32. Fedora VSFTP upload
33. MySQL remote
34. sql injection sample code + remote code execution
35. PHP - security tips for MySQL developers.. :: Naver Blog
36. cyb3r sh3ll - Browse Files at SourceForge.net
37. Xss Trojan Using Evilweb Tool
38. msfpayload
39. su crack ssh brute force metasploit
40. Nmap Scripting Engine Introduction With Http-Enumeration
41. CVE-2012-2122 : Serious Mysql Authentication Bypass Vulnerability | The Hacker News
42. hackers magazine
43. ohdae/Intersect-2.5 · GitHub
44. msfconsole hacking ftp + backdoors - YouTube
45. SQL Injection/LFI/XSS Exploit Scanner + web shell Hunter - XCode - Yogyafree - YouTube
46. Weevely 0.6 Tutorial - bruteforce and SQL pwnage - YouTube
47. CVE-2012-1889 - Microsoft XML Core Services Vulnerability Metasploit Demo - YouTube
48. sqlmap (EuroPython2011) - YouTube
49. FIMAP - AES HTTP Reverse Shell Plugin - YouTube
50. Backdoor: FIMAP - Local File Inclusion to Remote Code Execution - YouTube
51. SQLMap page tampering: injecting js for "shell of the future"
52. Information Security: Tutorial: How to scan exp... | SecurityStreet
53. Deface All Sites on Server Without Root - YouTube
54. Programming a Custom Backdoor in Python - YouTube
55. How SQL Injection Attacks Work (YouTube interview)
56. Mercury: system log analysis
57. Pragmatic Forensics: a quick upload-and-go utmp parser
58. Memory Acquisition Tools
59. MoonSols Windows Memory Toolkit | MoonSols
60. ToTo: cleaning up logs neatly after hacking
61. Reversing & Malware Analysis Training Part 8 - Malware Memory Forensics - YouTube