Enter The back|track Linux Dragon

My presentation at AtlSecCon 2013

  1. Enter the BackTrack Linux Dragon
     Andrew Kozma, Atlantic Security Conference, March 21-22, 2013
  2. • Infosec professional working in healthcare
     • Fan of all things ninja, samurai and kung fu cinema
     • A huge fan of BackTrack, Offensive-Security and Bruce Lee
     • Blues fanatic that secretly wants to learn how to play the harmonica
     • I am forever a student, always learning something new
     “A wise man can learn more from a foolish question than a fool can learn from a wise answer.” ~Bruce Lee
  3. • Pre-engagement Interactions
     • Intelligence Gathering
     • Threat Modeling
     • Vulnerability Analysis
     • Exploitation
     • Post Exploitation
     • Reporting
  4. • “Be like water making its way through cracks. Do not be assertive, but adjust to the object, and you shall find a way around or through it. If nothing within you stays rigid, outward things will disclose themselves. Empty your mind, be formless. Shapeless, like water. If you put water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle. You put it in a teapot, it becomes the teapot. Now, water can flow or it can crash. Be water, my friend.” ~Bruce Lee
     • “Obey the principles without being bound by them.” ~Bruce Lee
     • “To hell with circumstances; I create opportunities.” ~Bruce Lee
  5. • The primary difference between an authorized pentest and “hacking”
     • Defines the rules of engagement
     • Provides scope so that critical infrastructure is not impacted
     • Legal “CYA” stuff…
  6. • Web reconnaissance framework written in Python (Recon-ng)
     • Module based
     • No direct queries to the target (OSINT)
     • Organized to support the phases of a pentest
  7. • The command “show modules” displays all available modules
     • We are interested in what Google has stored in its databases regarding our target
     • We load the module with the command “load recon/hosts/gather/http/google”
     • The command “info” provides additional information about the module and any options that can be set
     • We have to add our target with the command “set domain <your target>”
  8. • To start reconnaissance we enter the command “run”
     • It starts to query Google for known hosts associated with the target
     • Notice the “sleeping to avoid lockout” message
  9. • Now that we have some hosts we want to get some contacts
     • We run the “show modules” command again and this time select Jigsaw as our source
     • To load the module we enter the command “load recon/contacts/gather/http/jigsaw”
     • Type the command “info” for additional information about this module
     • Once again we have to select our target in the options by entering the command “set company <your target>”
     • The more information gathered at this phase, the better our chances of a successful exploit
  10. • We enter the command “run” to start the query against our target
     • We can already see contacts being collected
  11. • Now let's put our intel into a format that will help support Threat Modeling
     • Let's load the HTML report module with the command “load reporting/html_report”
     • Let's title the report by setting the value for company: “set company <your target>”
     • Set the filename and location of the created report: “set filename /root/Desktop/yourtarget.html”
  12. *Note: additional modules can be run to gather DNS and geographic data to complete this report*
  13. • Leveraging all of the data gathered to select attack vectors and plan a well-organized, strategic attack
     • Will include social media and various other forms of information
     • For the demo today we will be targeting an employee
     (A snippet from the PTES site at http://www.pentest-standard.org)
  14. • Up until now everything was done passively, with no direct contact with the target and its related hosts/systems
     • Will include multiple scans for ports, service banners and, of course, vulnerabilities
  15. • Attacker - BackTrack 5 R3 with updated repositories and tools
     • Target - Fully patched and updated Windows 7 installation with Microsoft Security Essentials installed and updated
     • Using a phishing email targeted at an employee, with relevant information (client-side exploits)
     • In the “real world” the client will most likely declare client-side attacks out of scope at the pre-engagement phase, due to their incredibly high success rate…
  16. • We are going to use the Social-Engineer Toolkit (SET)
     • In a terminal navigate to SET: “cd /pentest/exploits/set”
     • From the SET directory: “./set”
     • Select option 1
  17. • For this demo we are going to utilize Website Attack Vectors
  18. • We are going to select the Java Applet Attack
     • Leverages a customized Java applet to deliver the payload
     • According to Oracle there are a lot of Java users out there
  19. • We are going to clone a site using option 2
     • NAT/port forwarding is required if you have to traverse a firewall; for this demo we will say no
     • We have to enter the IP address of the attacker so the reverse connection can succeed
     • Enter the URL of the site we wish to clone
  20. • We want to be able to interact with the target system in various ways
     • A Meterpreter session provides multiple options and is preferred
  21. • We want to successfully compromise the target, and option 16 is described as (BEST)
  22. • We need to configure some options for our backdoor
     • We select port 4444 for this demo
     • The payload is encoded and hidden within an executable
     • Then it is moved into the cloned site and our listener is set up to wait for the reverse connection
  23. • Now that we have our listener waiting and we see that the payload handler is starting, let's send our phishing email and wait
     • Notice that the embedded link indicates HalifaxMooseheads.ca
     • Looks legit, right? From our intel we can see the target has posted pictures on social media sites of his friends and family enjoying the games
  24. • The target has clicked the link and browsed to our malicious site
     • He is presented with a “Trusted” Java applet indicating that something needs to be installed
     • This is persistent: if the user clicks cancel, the applet returns again
     • User thoughts… Hey, it says (VERIFIED SAFE), right…
  25. • The attacker can tell the user has clicked the link
     • However, no reverse session appears, indicating something went awry
     • In this particular instance Microsoft Security Essentials detected our payload and prevented the reverse session
     • What do we do now…
  26. “Defeat is not defeat unless accepted as a reality in your own mind.” ~Bruce Lee
     “If you always put limits on everything you do, physical or anything else, it will spread into your work and into your life. There are no limits. There are only plateaus, and you must not stay there, you must go beyond them.” ~Bruce Lee
  27. *Try Harder and the BackTrack Dragon are registered trademarks of Offensive-Security*
     Many thanks to the team at Offensive Security for being an educational sponsor of AtlSecCon 2013
  28. • Let's try this again…
     • The attack vector will not change, but we will be changing the delivery of the payload
     • We are still leveraging Social-Engineering Attacks
  29. • Once again we will be using option 2, Website Attack Vectors
  30. • We are going to clone a site again with option 2
     • Automation is a beautiful thing… let's take a moment to thank David Kennedy of TrustedSec.com (@dave_rel1k) for all of his efforts.
     • Hugs brah! SET is so full of win!
  31. • This time, however, we are going to change the payload
     • Pyinjector is relatively new and has been available since the summer of 2012
     • It injects shellcode directly into memory via PowerShell
     • Because it never touches disk it is very difficult for AV services to detect… sneaky sneaky…
  32. • Once again we want to use Meterpreter to interact with the compromised host via a reverse TCP connection
  33. • This is definitely sweet!
     • Yuuupp, Multi-PowerShell-Injection homie! (*Notice the ports associated*)
     • The payload is moved into the cloned website
  34. • Our reverse handler is ready and waiting
     • Again the target sees the same Java applet message
     • User thoughts… it must be ok… It even says it is (Verified Safe)… plus I really want those tickets…
     • What is going to happen this time…
  35. • Sessions baby… 5 of them
     • Let's list the active sessions using the command “sessions -i”
     • Let's interact with the host using one of the sessions with the command “sessions -i 1” for session 1
  36. • Entering the command “screenshot” at the Meterpreter prompt saves a .jpg of whatever the target is currently viewing
     • We can start an interactive shell with the “shell” command
     • We can view “sysinfo”, create new users or dump password hashes for offline cracking
  37. • We can even create a directory or steal data; the possibilities are numerous
  38. • We want to penetrate further into the target's network, looking for other services and additional targets (pivoting)
     • We want to maintain persistence so that we can return as required
     • Dump the hashes for offline cracking and use those credentials to compromise other systems and services (pass the hash)
  39. • Nobody likes to do it
     • This is where the real value for the client is
     • A sample report can be downloaded from Offensive Security for review
  40. • How could this all have been avoided?
     • Security awareness…
     • User behavior…
     • What is the impact of tools like SET allowing the automation of attacks?
     • Easier to attack? Yes… this is how a 12-year-old script kiddie can pwn a seasoned infosec professional with years of experience.
     • Easier to defend? The use of tools like SET can help your defensive posture because it allows us as security professionals to quickly test new attack vectors and exploits. The results can be leveraged to modify or change security countermeasures where required.
  41. • A great resource from Rapid7 (AtlSecCon 2013 sponsor) to set up your lab:
     • https://community.rapid7.com/community/infosec/blog/2011/01/05/how-to-set-up-a-pentesting-lab
     • For additional information on the Penetration Testing Execution Standard please visit:
     • http://www.pentest-standard.org/index.php/Main_Page
     • http://nostarch.com/metasploit
     • The Recon-ng project created by Tim Tomes (@LaNMaSteR53) can be found here:
     • https://bitbucket.org/LaNMaSteR53/recon-ng
     • For news about all things SET and a great security blog:
     • https://www.trustedsec.com/news-and-events/
     • @dave_rel1k
     • A sample penetration test report from Offensive-Security can be downloaded here:
     • http://www.offensive-security.com/penetration-testing-sample-report.pdf
     • BackTrack, the BackTrack dragon logo, the Try Harder message, Kali-Linux and Offensive-Security are all registered trademarks of Offensive-Security.
     • The amazing images of Bruce Lee are the work of South Korea's Kim Dae Hwan: darkdamage.deviantart.com/
  42. • “Absorb what is useful, discard what is not, add what is uniquely your own.” ~Bruce Lee
     • Social Media
     • @k0z1can
     • http://ca.linkedin.com/in/andrewkozma