
Bsides Puerto Rico 2017-2018

1,205 views

Published on

Do more with less: Combining small findings to make a big impact

https://www.n00py.io/2018/01/bsides-puerto-rico-2017-2018-presentation/

Published in: Technology


  1. Esteban Rodriguez https://www.n00py.io DO MORE WITH LESS Combining small findings to make a big impact
  2. WHOAMI • Security Consultant (Penetration Tester) at Coalfire Labs • Occasional blogger • Car and firearm enthusiast
  3. What is this talk about? • Looking beyond the “High” findings • Using XSS to do more than alert(1); • Pivoting between networks • Overview of some of my tools
  4. Who is the target audience? • People starting out in penetration testing • People interested in penetration testing
  5. SCANNING Scenario: • You run a Nessus scan • No “High” or “Critical” findings • No broadcast protocols • What next?
  6. Useful Findings: • [INFO] HyperText Transfer Protocol (HTTP) Information • [INFO] HTTP Server Type and Version • [INFO] Service Detection • [INFO] Additional DNS Hostnames • [INFO] Host Fully Qualified Domain Name (FQDN) Resolution • [MEDIUM] DNS Server Zone Transfer Information Disclosure (AXFR) • All of this information can be found with nmap as well
  7. VHOSTS What are Vhosts? • https://en.wikipedia.org/wiki/Virtual_hosting • Multiple domain names on a single server • Different names for different services • HTTP has a “Host” request header
  8. Manual Discovery of a Vhost • Dirb, Nikto
  9. Apache Server Status Page
  10. Scanning a Vhost will have different results
  11. WordPress • Open-source content management system (CMS) • User-developed plug-ins
  12. Attacking WordPress • WPScan - De facto WordPress scanning tool • WPForce - WordPress API brute forcer
  13. XSS! But what can we do with that?
  14. Why Stored XSS is cool: • Will not be blocked by browser XSS filters • Persistent • Can cause the target to perform ANY action YOU want!
  15. Exploiting XSS in WordPress • If you can, find a PoC
  16. Deploying our payload to the target • Send a login request • Populate the XFF header with a script tag
  17. Add a backdoor Admin account • Grab CSRF token • POST to add user page
  18. What happens to the victim? • They view the activity log • JavaScript runs silently • New Admin account is created
  19. Post Exploitation • New user account is created as Admin • Attacker can now use this access to upload a backdoor
  20. JavaScript Flow
  21. Yertle • Yertle is a WordPress post-exploitation tool • Dump WordPress hashes, among other things • Pivot to Metasploit
  22. Hash Cracking • You can use Hashcat or JTR to crack
  23. Why Metasploit? • Hundreds of modules • Easy to manage shells • Pivoting made easy • It’s completely free
  24. Yertle • PHP shell made for WordPress • Dump hashes • Pivot to Meterpreter • Insert keylogger / BeEF hook • Persistent
  25. Getting a Meterpreter shell with Yertle
  26. Hopping networks • Some devices may have more than one network interface • You can use them to pivot into previously inaccessible networks • Metasploit has a way to make this easy
  27. Pivoting Scenarios • Firewall rules Image adapted from: https://kpmgsecurity.files.wordpress.com/2015/08/port-forwarding13.png
  28. Hopping networks
  29. Port Scanning with Metasploit • use auxiliary/scanner/portscan/syn • set PORTS, RHOSTS
  30. Using Metasploit to spray credentials • use auxiliary/scanner/ssh/ssh_login
  31. Upgrading a shell to Meterpreter • use post/multi/manage/shell_to_meterpreter
  32. Downside of this module • Writes to /tmp/ twice • Can we do better?
  33. SOCKS Proxy: another way to pivot • use auxiliary/server/socks4a • verify with netstat • edit /etc/proxychains.conf
  34. Hwacha • Linux/macOS mass exploitation tool • Execute shellcode in memory • Harvest history files, private keys • Dump credentials from memory with mimipenguin
  35. Using Hwacha with Proxychains • Hwacha is a lateral movement tool • Can deploy shellcode in memory • Can be tunneled through a SOCKS proxy with proxychains
  36. We have a Shell! • Meterpreter x64 Linux • Never touched disk
  37. QUESTIONS? • Here’s what we covered: • Finding additional attack surface through VHOSTS • Using XSS to compromise a WordPress Admin • Using Yertle to upload a WordPress backdoor • Cracking WordPress Hashes • Pivoting from one network to another • Testing for credential re-use
  38. LINKS • https://www.n00py.io/ • https://github.com/n00py/ • Dogecoin DRaGToYPDrV846bJeZvEgviZQAwtj5Rkyq
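Slides 16 to 18 describe the stored-XSS path: a script tag placed in the X-Forwarded-For (XFF) header of a login request is stored by an activity-log plugin and later rendered to an administrator. The root cause is that a request header was trusted as data and rendered unescaped. The Python below is an added example, not code from the talk or from any WordPress plugin; it shows the two defensive checks a plugin or a log reviewer would want: validate XFF strictly as a comma-separated list of IP addresses before storing anything from it (falling back to the socket peer address otherwise), HTML-escape at output as defence in depth, and scan access logs for XFF values that are not pure IP lists. The log lines and the hypothetical log format (XFF as a final quoted field) are constructed for the example.

```python
import html
import ipaddress
import re
from typing import Optional

# Constructed sample access-log lines (hypothetical combined-log format with the
# X-Forwarded-For value appended as the final quoted field). Not from the talk.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2018:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "203.0.113.7"
10.0.0.5 - - [10/Jan/2018:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "203.0.113.7, 198.51.100.9"
10.0.0.5 - - [10/Jan/2018:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "<script src=//example.invalid/x.js></script>"
10.0.0.5 - - [10/Jan/2018:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024 "-"
"""

# The last double-quoted field on the line is the XFF value in this constructed format.
XFF_FIELD = re.compile(r'"([^"]*)"\s*$')


def parse_xff(value: str) -> Optional[list]:
    """Return the IP addresses in an X-Forwarded-For value, or None if any
    comma-separated token is not a syntactically valid IPv4/IPv6 address.
    An absent header ('-' or empty) parses as an empty list."""
    if value.strip() in ("", "-"):
        return []
    ips = []
    for token in value.split(","):
        token = token.strip()
        try:
            # ipaddress rejects anything that is not a bare address, including
            # ports, brackets, hostnames and of course markup.
            ips.append(str(ipaddress.ip_address(token)))
        except ValueError:
            return None
    return ips


def client_ip_for_log(xff_value: str, peer_address: str) -> str:
    """The value an activity-log plugin should store as the client address:
    the first valid forwarded IP, otherwise the TCP peer address. The raw
    header text is never stored."""
    ips = parse_xff(xff_value)
    return ips[0] if ips else peer_address


def escape_for_display(value: str) -> str:
    """Output-side defence in depth: HTML-escape anything rendered into an
    admin page, even values that were validated on the way in."""
    return html.escape(value, quote=True)


def flag_suspicious_xff(log_text: str) -> list:
    """Return the 1-based line numbers whose XFF field is not a pure IP list.
    Useful for reviewing logs of a site that runs a request-logging plugin."""
    flagged = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = XFF_FIELD.search(line)
        if match and parse_xff(match.group(1)) is None:
            flagged.append(lineno)
    return flagged


if __name__ == "__main__":
    for n in flag_suspicious_xff(SAMPLE_LOG):
        print(f"line {n}: X-Forwarded-For is not an IP list")
```

Validating on input and escaping on output are independent controls: the first keeps markup out of the database (and out of any other consumer of the stored value), the second protects the admin page even if some other code path stores untrusted text.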
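Slides 6 and 9 list the low-severity findings the talk builds on: the HTTP server type and version, and an exposed Apache server-status page, which lists the virtual hosts a server is answering for. The Apache configuration fragment below is an added example, not from the talk; it shows the settings that remove both disclosures. The IP range in the Require line is a constructed placeholder for a monitoring network.

```apache
# Stop advertising the server type and version in headers and error pages
# (addresses the "HTTP Server Type and Version" finding).
ServerTokens Prod
ServerSignature Off

# mod_status: keep the page, but only for the monitoring hosts that need it.
# The virtual-host names it reveals are exactly what the talk uses for vhost discovery.
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 ::1 192.0.2.0/24   # 192.0.2.0/24 is a placeholder monitoring range
</Location>
```

After a reload, a request to /server-status from outside the listed range should return 403; the mod_status module can also simply be left unloaded if nothing consumes the page.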
