NotaCon 2011 - Networking for Pentesters


  1. Networking for Pentesters JP Bourget @punkrokk Rob Fuller @mubix
  2. JP’s Intro • BS IT, RIT 2005; MS Computer Security and Information Assurance, RIT 2008; CISSP; MCSE, CSSA. JP has six years of experience in computer networking, system administration, and information security. During the day JP is responsible for Network and Security Management for a medium size global company based in the US. JP is also adjunct faculty at Rochester Institute of Technology where he teaches Networking and Security undergraduate classes. JP also performs pen testing and security audits for local companies in Rochester, NY. • You can find me on Twitter at http://www.twitter.com/punkrokk and on my blog: http://syncurity.net.
  3. meterpreter> getuid Rob Fuller – Security Consultant • Rob “mubix” Fuller joined Rapid7 in 2010 as a Security Consultant. Rob has 10 years of Information Security and IT experience. Prior to joining Rapid7 he worked at Applied Security as a Network Attack Operator, a Penetration Tester for the Pentagon, a Senior Incident Response Analyst for the Senate and multiple Information Security positions in the United States Marine Corps. During his 8 years of service in the United States Marine Corps he was a team lead for the Marine Corps’ Computer Emergency Response Team (MARCERT) and became the first Security Test Engineer for the Marine Corps’ R&D section. He has extensive experience in full scope penetration testing, web application assessments, wireless security, incident response, and related development. Rob has spoken at the US Naval Academy, DojoCon, and RSS and holds a CEH, OSCP, and Security+.
  4. Public Service Announcement screw ninjas
  5. I want to be a wizard
  6. to become a wizard you must answer every question with another question.
  7. Samurai are still cool...
  8. Thank you
  9. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  10. Questions • ANY AND ALL TIMES, THERE WILL BE NO Q&A AT THE END • but we will be open to questions after the class physically or digitally
  11. but first... • Select a target: • <insert company name here> • Everything we will be doing with these selected targets will be in the open source info gathering sense. No malicious traffic will be used against these targets as part of any lab or instructor-led exercise
  12. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  13. Networking for Pentesters • DNS • SMTP • SSH • HTTP • RDP
  14. DNS • Zones • The round trip ride. • Record Types (+200) • Wildcards • Caching / Cache poisoning • Zone Transfers (kicking it like it’s 1995) • Brute forcing records
  15. DNS Digging Deeper • Recursion • Authoritative Servers • Non-Authoritative Servers • DNS TTL • (only matters on target DNS server)
  16. Non-’A’ Records • SOA Records • NS Records • PTR Records • MX Records • SRV Records • TXT Records
  17. Zone Transfer Commands • dig • dig -t AXFR domain.com @ns2.domain.com +short • host -l • nslookup • ls -d • dnscmd (a part of the support tools) • dnscmd /EnumZones • dnscmd /ZonePrint (newer versions of binary) • dnscmd /EnumRecords domain.com @ (older versions)
  18. DNS Brute Force Tools • DNSEnum • Metasploit Module • Yeti • Fierce • Google • Bing • FOCA
  19. LAB TIME • Zone transfers.... • Brute force CompanyX’s records
  20. SMTP • Clear-text protocol • How email has been working since 1982 • VERBS • Display Names • Unforgiving nature (used by machines)
  21. SMTP Verbs • MAIL FROM: • RCPT TO: • VRFY • HELO/EHLO • DATA • From: • To: • Cc: • Date: • Subject: • (body) • . • QUIT
  22. Telnet Email FTW
      S: 220 smtp.example.com ESMTP Postfix
      C: HELO relay.example.org
      S: 250 Hello relay.example.org, I am glad to meet you
      C: MAIL FROM:<bob@example.org>
      S: 250 Ok
      C: RCPT TO:<alice@example.com>
      S: 250 Ok
      C: RCPT TO:<theboss@example.com>
      S: 250 Ok
  23. Telnet Email FTW (contd)
      C: DATA
      S: 354 End data with <CR><LF>.<CR><LF>
      C: From: "Bob Example" <bob@example.org>
      C: To: "Alice Example" <alice@example.com>
      C: Cc: theboss@example.com
      C: Date: Tue, 15 Jan 2008 16:02:43 -0500
      C: Subject: Test message
      C:
      C: Hello Alice.
      C: This is a test message with 5 header fields and 4 lines in the message body.
      C: Your friend,
      C: Bob
      C: .
      S: 250 Ok: queued as 12345
      C: QUIT
      S: 221 Bye
  24. LAB TIME 1. Send a spoofed email to your buddy 2. Try to send an email with a link 3. Try to send an email with a spoofed display name
  25. SSH • Tunneling traffic with PuTTY • Tunneling traffic with OpenSSH • Master-mode (Man-On-Your-Back) MOYB • No shell tunneling • MITM
  26. PuTTY Tunneling
  27. OpenSSH Tunneling • Local, Dynamic, and Remote • ssh -L host:port:host:port • ssh -D host:port • ssh -R host:port:host:port
  28. Examples • ssh -f punkrokk@myhomeserver.com -L 2000:myhomeserver.com:25 (localport:host:remote-port) forwards local port 2000 to home port 25 -- Why is this interesting? • ssh -f -L 3000:talk.google.com:5522 myhomesshserver.net -N
  29. SSH MOYB • Enable ‘Master Mode’ in config:
      Host *
      ControlMaster auto
      ControlPath /tmp/%r@%h:%p
      • Wait for someone to connect somewhere...
  30. SSH • MITM http://www.oxid.it/ca_um/topics/ssh-1_to_pix_example.htm • SSH Downgrade attacks (2 -> 1) (ettercap)
  31. LAB TIME • Tunnel (MySQL) port 3306 through a nologin account on Metasploitable to the Windows 2k8 box
  32. HTTP • VERBS • Headers • Response Codes • 1.0 vs 1.1 • DoS Attacks (Slowloris, Strawman) • Ajax, Flash, SOAP, Django, SSL, • also known as: let’s pile more state on a stateless protocol!
  33. How’s your HTTP Vocabulary? • GET • POST • HEAD • PUT • DELETE • OPTIONS • PROPFIND • DEBUG • TRACE • CONNECT • PROPPATCH • MKCOL • COPY • MOVE • LOCK • UNLOCK • VERSION-CONTROL • REPORT • CHECKOUT • CHECKIN • UNCHECKOUT • MKWORKSPACE • UPDATE • LABEL • MERGE • BASELINE-CONTROL • MKACTIVITY • ORDERPATCH • ACL • PATCH • SEARCH
  34. HTTP Response Codes • 100s • You need to wait for some stuff • 200s • Stuff is there • 300s • Stuff Moved • 400s • Stuff isn’t there or you aren’t allowed to see it • 500s • Stuff went wrong
  35. 1.0 vs 1.1 • OPTIONS verb • 100 - Continue response code (not cool) • Compression • Persistent Connections (very cool) • Requires the ‘Host:’ header (not cool) • Supports these crazy things called ‘cookies’
  36. WebDAV Trick • Name a file mysecretwebshell.aspx;.txt • IIS will reference it as an ASPX page • WebDAV thinks it’s just a text file
  37. LAB TIME • Go to your company’s website • What server type is it? • Apache, Webrick, IIS, pySockets, etc... • What server side code does it run? • ASP{X}, Python, Ruby on Rails, PHP, etc.. • Do you think it has a DB backend? Why?
  38. RDP • RDP Bruteforcing • TSGrinder (old school) • ncrack (new school) • RDP MITM • Cain and Abel still rules • RDP Hashdump • Cain and Abel
  39. NO LAB • Difficult to duplicate, much less set up for a lab such as this, but definitely take everything you’ve learned here home and try it out
  40. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  41. Information Operations • Social Networking Rocks • Metadata • Clouds Rain Info • Nmap (some tricks to using it)
  42. Social Networking Rocks • Twitter.com • This is the ONLY service that emails you that someone wants to add you even if they just import your contact info. • Twitterpeeps.com [Fix link] • Facebook.com • “Everything should be public” -- Zuckerberg • LinkedIn.com • Their API is much more open than their site. Think evil. • You probably know all these but they can be horribly twisted
  43. LAB TIME • Start to fill out data on your company, use social networks to find as much information about the target as possible.
  44. Metadata • Documents • Usernames • IP addresses • Hostnames • Domains • Images • Usernames • Locations • Email Headers (Have you ever looked at them?) • FOCA Free/Pro (King of Metadata) • EVERYTHING ;-)
  45. LAB TIME • Open your SPAM folder, and open the email’s header information. • What can you tell about the sender? • What can you tell about the organization/infrastructure supporting the sender?
  46. Clouds Rain Info • Digital Cloud • clez.net • serversniff.net • centralops.net • whois.sc/[IP/Domain] • Arin.net’s REST documentation • magic-net.info • OldSchool Clouds - ANALOG • DMV (Tell them you are looking up a lost title) • Intelius (Digital data about Analog targets) • Call HR (Remember you are targeting a physical object, not just a digital one)
  47. LAB TIME • Find as much information as you can on your company. How many emails can you harvest on them?
  48. nmap • What flags do you normally use? • [Book Image Here] • Do you even scan for UDP? • You’d be surprised what odd things listen on 161 on the internet. • Can you name all 1024 ‘ephemeral’ ports? How about just the top 100? • NSE Scripts (know them, use them)
  49. LAB TIME • nmap [TARGET] • What do you see? • What ports are open? • What services are running? • What possible vulns are there?
  50. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  51. Vuln Hunting #1 Question I get is: ‘How do you know a system is vulnerable?’ Honest truth is that every pentester uses experience and educated guesses. They call us ‘testers’ for a reason.
  52. Vuln Hunting • Web Applications • Network Services • People
  53. Web App Vuln Hunting • Use the check list... • [Web Application Hackers Checklist] • Brute Forcing is now a portion of Information Gathering. Use every scanner possible. None of them do a perfect job, though, so kick off a half dozen scanners then start doing your manual testing. • Remember, people bookmark things • [Demo Delicious Enum module] • The wayback machine is a great source of URLs • [Demo Wayback Enum module]
  54. LAB TIME • See if you can determine any possible lines of attack simply by browsing your target company’s web site. • Is there an id=12? • What about a funny looking cookie or HTTP header? • How about a login form or registration page? • Every Sci-Fi/Fantasy book I have ever read with a Wizard in it describes them as crotchety but highly, if not overly, observant
  55. Network Services • Running NeXpose, Nessus, or other vuln scanners during a pentest is for people who are under a time constraint. Skilled attackers will only do this if they aren’t worried about getting caught or blocked. • nmap nse vuln checks, if you want to get caught... • DON’T USE NMAP, do version checks and make an educated guess. • IF YOU AREN’T 80% SURE YOUR EXPLOIT WILL WORK, DON’T THROW IT. YOU HAVE FAILED YOUR INTEL GATHERING PHASE • Find out what information you have about the service. Determine the possible vulnerabilities, gather more information. Rinse, repeat.
  56. LAB TIME • Tell me if [TARGET IP] is vulnerable to anything. Yes, you can use prior knowledge. Vuln Hunting is all about experience.
  57. People • Think about where you work. Who is the ‘speaker phone’ for your section/business unit/office/department/company. • Now how would you go about getting that particular person’s work number or email? • This person would know it... How do I get their number? And so on... • Do you send non-phishing emails in pentests? • Why not? • Do you make non-SE phone calls in pentests? • Why not?
  58. LAB TIME • Call the CEO of your target company and complain about their car hitting yours. JUST KIDDING!!!
  59. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  60. Exploitation • Payload Selection • Targeting
  61. Payloads • Metasploit Payloads • Singles - Fully functional, self-contained payloads. For example ‘add_user’ • Staged - Uses tiny ‘stager’ shellcode in the exploit that connects over the network to the attacker in order to download the rest of the payload’s functional code • Shellcode from the net • Put your big boy pants on, because it might be backdoored, trojaned or otherwise evil.
  62. Payload selection • Does your target have egress filtering? • Do they have Windows systems or Macs? • Do they have protocol inspection? • Do they have Java installed?
  63. LAB TIME • What payloads exist in the Metasploit Framework? • Which payload are you going to use? • WHY!!!?
  64. Targeting • ‘show targets’ in Metasploit is an important step in the process • if you’re at this point and you still aren’t sure, go gather more information.
  65. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  66. Persistence • Know the System • Know the User
  67. Agenda • Networking for Pentesters • Information Operations • Vuln Hunting • Exploitation • Persistence • Pivoting
  68. Pivoting • Windows ‘Super Secret Ninja Hacker Tools’ • (Ninjas suck, they use Windows) • net • at • dir • Meterpreter tools: • Metasploit Pro VPN pivoting (‘cause it’s PIMP!) • portfwd • Metasploit tools: • route • psexec
  69. LAB TIME • Pivot from our Metasploitable box to the other machine on the DMZ • Then try to find a way into the intranet
  70. that’s it.. GTFO 100.100.100.101 Feedback: notaconwizards@gmail.com
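Worked example for slides 14-17 (zone transfers). This is an added example, not code from the slides or their authors: it parses the text that `dig -t AXFR` prints and reports whether a nameserver handed the zone over, which is the check a zone owner should run against each of their own NS records. The two `dig` transcripts are constructed samples (invented names, addresses from the 192.0.2.0/24 documentation range); the `Transfer failed.` line is what dig prints on a refused AXFR.

```python
import re
from collections import Counter

# Constructed sample of the output `dig -t AXFR example.com @ns2.example.com`
# produces when the server permits the transfer. Names are invented and the
# addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_AXFR_OK = """\
; <<>> DiG 9.7.3 <<>> -t AXFR example.com @ns2.example.com
;; global options: +cmd
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2011041501 7200 900 1209600 3600
example.com.\t3600\tIN\tNS\tns1.example.com.
example.com.\t3600\tIN\tNS\tns2.example.com.
example.com.\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t3600\tIN\tTXT\t"v=spf1 mx -all"
_ldap._tcp.example.com.\t600\tIN\tSRV\t0 5 389 dc1.example.com.
dc1.example.com.\t3600\tIN\tA\t192.0.2.10
mail.example.com.\t3600\tIN\tA\t192.0.2.25
vpn.example.com.\t3600\tIN\tA\t192.0.2.40
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2011041501 7200 900 1209600 3600
;; Query time: 12 msec
;; XFR size: 10 records (messages 1, bytes 312)
"""

# Constructed sample of a refused transfer.
SAMPLE_AXFR_REFUSED = """\
; <<>> DiG 9.7.3 <<>> -t AXFR example.com @ns1.example.com
;; global options: +cmd
; Transfer failed.
"""

# One resource record as dig prints it: owner, TTL, class, type, rdata.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$")


def parse_axfr(output):
    """Return (name, ttl, type, rdata) tuples for every record in dig AXFR output."""
    records = []
    for line in output.splitlines():
        if not line or line.startswith(";"):
            continue  # dig's own commentary, not zone data
        m = RR_LINE.match(line)
        if m:
            records.append((m.group("name"), int(m.group("ttl")), m.group("type"), m.group("rdata")))
    return records


def transfer_allowed(output):
    """A completed AXFR is bracketed by the zone's SOA record; anything else was refused."""
    if "Transfer failed." in output:
        return False
    recs = parse_axfr(output)
    return len(recs) >= 2 and recs[0][2] == "SOA" and recs[-1][2] == "SOA"


def summarize(output):
    """What the zone owner wants from the check: did it leak, and if so what."""
    recs = parse_axfr(output)
    return {
        "allowed": transfer_allowed(output),
        "types": dict(Counter(r[2] for r in recs)),
        "hosts": sorted({r[0].rstrip(".") for r in recs if r[2] in ("A", "AAAA")}),
        "services": [r[0].rstrip(".") for r in recs if r[2] == "SRV"],
    }


if __name__ == "__main__":
    for label, sample in (("ns2", SAMPLE_AXFR_OK), ("ns1", SAMPLE_AXFR_REFUSED)):
        print(label, summarize(sample))
```

Run it against saved `dig` output for every authoritative server of a zone; a server that answers with the full record set is the one whose `allow-transfer` (or equivalent) needs tightening, and the `hosts` and `services` lists show exactly what it was handing out.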
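Worked example for slides 20-24 (SMTP verbs, display names and the telnet session). This is an added example, not code from the slides or their authors: it parses a `C:`/`S:` transcript like the one on the slides into envelope (MAIL FROM / RCPT TO) and message header fields, and then reports the mismatches a receiving mail server or analyst would look for, since the envelope sender and the `From:` header are set independently and nothing in the protocol forces them to agree. `TRANSCRIPT` is the slides' exchange retyped as a constructed sample; `SPOOFED` is a constructed variant of it.

```python
from email.utils import parseaddr

# The exchange from the "Telnet Email FTW" slides, retyped as a constructed sample.
TRANSCRIPT = """\
S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, I am glad to meet you
C: MAIL FROM:<bob@example.org>
S: 250 Ok
C: RCPT TO:<alice@example.com>
S: 250 Ok
C: RCPT TO:<theboss@example.com>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <bob@example.org>
C: To: "Alice Example" <alice@example.com>
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: Your friend,
C: Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
"""

# Constructed variant: same envelope, but the header From: now claims to be
# someone inside the receiving domain.
SPOOFED = TRANSCRIPT.replace(
    'C: From: "Bob Example" <bob@example.org>',
    'C: From: "The Boss" <theboss@example.com>',
)


def parse_session(text):
    """Split a C:/S: transcript into envelope data, header fields and body lines."""
    session = {"helo": None, "envelope_from": None, "rcpt_to": [], "headers": {}, "body": []}
    phase = "envelope"
    for raw in text.splitlines():
        if not raw.startswith("C:"):
            continue  # only client lines carry the message
        line = raw[2:].strip()
        if phase == "envelope":
            verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                session["helo"] = line.split(" ", 1)[1] if " " in line else ""
            elif line.upper().startswith("MAIL FROM:"):
                session["envelope_from"] = parseaddr(line.split(":", 1)[1])[1]
            elif line.upper().startswith("RCPT TO:"):
                session["rcpt_to"].append(parseaddr(line.split(":", 1)[1])[1])
            elif line.upper() == "DATA":
                phase = "headers"
        elif phase == "headers":
            if line == "":
                phase = "body"  # the blank line ends the header block
            elif ":" in line:
                name, value = line.split(":", 1)
                session["headers"][name.strip().lower()] = value.strip()
        elif phase == "body":
            if line == ".":
                phase = "done"  # lone dot terminates DATA
            else:
                session["body"].append(line)
    return session


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(session):
    """Disagreements between what the envelope says and what the user will see."""
    findings = []
    display, hdr_from = parseaddr(session["headers"].get("from", ""))
    env = session["envelope_from"] or ""
    if env and hdr_from and env.lower() != hdr_from.lower():
        findings.append("envelope sender %s differs from header From %s" % (env, hdr_from))
    if domain(env) and domain(hdr_from) and domain(env) != domain(hdr_from):
        findings.append("envelope domain %s differs from header domain %s" % (domain(env), domain(hdr_from)))
    if "@" in display and domain(display) != domain(hdr_from):
        findings.append("display name %r carries an address from another domain" % display)
    return findings


if __name__ == "__main__":
    for label, text in (("original", TRANSCRIPT), ("spoofed", SPOOFED)):
        print(label, spoof_indicators(parse_session(text)))
```

The display-name check is the one that matters for the lab's third item: a mail client shows the display name prominently and the real address in small print or not at all, so a display name that itself looks like an address in a trusted domain is worth flagging even when the envelope and header addresses agree.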
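Worked example for slides 27-29 (OpenSSH forwarding and ControlMaster). This is an added example, not code from the slides or their authors. `explain_forward` spells out what an `-L`, `-R` or `-D` spec does (which end listens, where the traffic ends up), using the `2000:myhomeserver.com:25` example from slide 28. `audit_ssh_config` reads a client config and flags the setup from slide 29: a `ControlMaster` socket placed in a shared directory such as `/tmp` is reachable by other local users, which is exactly what makes the "man on your back" trick possible. The two config stanzas are constructed samples; the list of shared directories is an assumption, adjust it for your systems.

```python
import re

# Slide 29's ControlMaster stanza, as a constructed config sample.
SAMPLE_CONFIG_SHARED_TMP = """\
Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
"""

# Constructed alternative that keeps the socket under the user's own ~/.ssh.
SAMPLE_CONFIG_PRIVATE = """\
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h:%p
"""

# Assumption: directories other local users can list and reach.
SHARED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def explain_forward(flag, spec):
    """Describe an ssh -L/-R/-D spec: which side listens where, and where traffic ends up."""
    if flag == "-D":
        bind, _, port = spec.rpartition(":")
        return {"kind": "dynamic", "listen": "%s:%s" % (bind or "localhost", port),
                "target": "chosen per connection by the SOCKS client"}
    listen, host, hostport = spec.rsplit(":", 2)  # [bind:]port:host:hostport
    if ":" not in listen:
        listen = "localhost:" + listen  # default bind is the loopback address
    target = "%s:%s" % (host, hostport)
    if flag == "-L":
        return {"kind": "local", "listen": listen, "target": target,
                "note": "your machine listens; the SSH server makes the onward connection"}
    if flag == "-R":
        return {"kind": "remote", "listen": listen, "target": target,
                "note": "the SSH server listens; your machine makes the onward connection"}
    raise ValueError("unknown forwarding flag %r" % flag)


def audit_ssh_config(text):
    """Flag Host blocks whose multiplexing socket sits where other users can reach it."""
    findings = []
    current, master, path = "*", {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = value
        elif key == "controlmaster":
            master[current] = value.lower()
        elif key == "controlpath":
            path[current] = value
    for host, mode in master.items():
        if mode not in ("auto", "autoask", "yes", "ask"):
            continue
        socket = path.get(host, "")
        if socket.startswith(SHARED_DIRS):
            findings.append("Host %s: control socket %s lives in a shared directory" % (host, socket))
        elif socket == "":
            findings.append("Host %s: ControlMaster enabled without a ControlPath" % host)
    return findings


if __name__ == "__main__":
    print(explain_forward("-L", "2000:myhomeserver.com:25"))
    print(audit_ssh_config(SAMPLE_CONFIG_SHARED_TMP))
    print(audit_ssh_config(SAMPLE_CONFIG_PRIVATE))
```

Keeping the socket under a `0700` directory in the user's home, as the second sample does, closes the shared-directory case; the `%r@%h:%p` pattern itself is fine and is what keeps sockets for different servers from colliding.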
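Worked example for slides 32-36 (HTTP verbs, response codes and the WebDAV filename trick). This is an added example, not code from the slides or their authors: it parses the head of an HTTP response, buckets the status code the way slide 34 does, lists the methods a server advertises in its `Allow:` header and picks out the ones from slide 33 that write to or expose state, and checks an uploaded filename for the `name.aspx;.txt` pattern from slide 36 that IIS 6 maps to the ASP.NET handler while WebDAV treats it as text. The OPTIONS response is a constructed sample, not a capture; the set of executable extensions is an assumption, extend it to match your handler mappings.

```python
# Methods from slide 33 that write to or reveal state; a server that only
# serves content has no reason to advertise them.
WRITE_OR_DEBUG = {"PUT", "DELETE", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "TRACE", "DEBUG", "PATCH", "SEARCH"}

# Constructed OPTIONS response from a WebDAV-enabled server (not a real capture).
SAMPLE_OPTIONS_RESPONSE = """\
HTTP/1.1 200 OK
Date: Fri, 15 Apr 2011 14:00:00 GMT
Server: Microsoft-IIS/6.0
MS-Author-Via: DAV
Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
DAV: 1, 2
Content-Length: 0
"""

# Slide 34's reading of each status class.
STATUS_CLASSES = {
    1: "you need to wait for some stuff",
    2: "stuff is there",
    3: "stuff moved",
    4: "stuff isn't there or you aren't allowed to see it",
    5: "stuff went wrong",
}

# Assumption: extensions the server hands to a script engine.
EXECUTABLE_EXTS = (".asp", ".aspx", ".ashx", ".asmx")


def parse_response_head(raw):
    """Split a raw response head into (status_code, {lowercase header name: value})."""
    lines = raw.splitlines()
    parts = lines[0].split(None, 2)  # "HTTP/1.1 200 OK"; the reason phrase may be absent
    code = int(parts[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return code, headers


def status_class(code):
    return STATUS_CLASSES.get(code // 100, "unknown")


def allowed_methods(headers):
    return [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]


def risky_methods(headers):
    """Advertised methods that deserve a second look on a content-only server."""
    return sorted(m for m in allowed_methods(headers) if m in WRITE_OR_DEBUG)


def iis_semicolon_trick(filename):
    """True if the part before the first ';' ends in an executable extension."""
    if ";" not in filename:
        return False
    before = filename.split(";", 1)[0].lower()
    return before.endswith(EXECUTABLE_EXTS)


if __name__ == "__main__":
    code, headers = parse_response_head(SAMPLE_OPTIONS_RESPONSE)
    print(code, status_class(code))
    print("risky:", risky_methods(headers))
    print("mysecretwebshell.aspx;.txt ->", iis_semicolon_trick("mysecretwebshell.aspx;.txt"))
```

On the receiving side the filename check belongs in the upload handler: reject or rename anything where an executable extension precedes a `;`, rather than trusting the extension that WebDAV or the upload form reports.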
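Worked example for slides 44-45 (email headers as metadata, the spam-folder lab). This is an added example, not code from the slides or their authors: it walks the `Received:` chain of a raw message from the originating host to the final server and picks out the hops whose claimed (HELO) name was not confirmed by the relay's reverse lookup, which is the first thing to read off a suspicious message's headers. The message is a constructed sample (invented hostnames, addresses from the documentation ranges), and the `Received:` line format it parses is the common `from HELO (rdns [ip]) by host` shape; real relays vary, so treat the regular expression as a starting point.

```python
import re
from email import message_from_string

# Constructed message with three Received: hops. Each relay prepends its own
# line, so the topmost header is the last hop and the bottom one the first.
SAMPLE_MAIL = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.5])
\tby inbox.example.com with ESMTP id q3F1a2b3c4
\tfor <alice@example.com>; Tue, 15 Jan 2008 16:03:10 -0500
Received: from relay.example.org (relay.example.org [198.51.100.20])
\tby mx1.example.com with ESMTP id 12345
\tfor <alice@example.com>; Tue, 15 Jan 2008 16:03:01 -0500
Received: from bobs-laptop.localdomain (unknown [203.0.113.77])
\tby relay.example.org (Postfix) with ESMTP id 98765;
\tTue, 15 Jan 2008 16:02:55 -0500
From: "Bob Example" <bob@example.org>
To: alice@example.com
Subject: Test message
Message-ID: <abc123@relay.example.org>

Hello Alice.
"""

# "from <helo name> (<reverse dns> [<ip>]) by <relay>"; the reverse-DNS part is
# optional because some relays print only the address.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)"
)


def hops(raw):
    """Return the hops in transit order: the originating host first."""
    msg = message_from_string(raw)
    parsed = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = HOP.search(flat)
        if m:
            parsed.append(m.groupdict())
    parsed.reverse()
    return parsed


def origin_ip(raw):
    """Address the first relay saw the message come from."""
    chain = hops(raw)
    return chain[0]["ip"] if chain else None


def unverified_helo(raw):
    """Hops where the sending host's claimed name was not backed by reverse DNS."""
    return [h["helo"] for h in hops(raw)
            if h["rdns"] is None or h["rdns"].lower() in ("unknown", "") or h["rdns"].lower() != h["helo"].lower()]


if __name__ == "__main__":
    for h in hops(SAMPLE_MAIL):
        print("%-28s %-16s -> %s" % (h["helo"], h["ip"], h["by"]))
    print("origin:", origin_ip(SAMPLE_MAIL), "unverified:", unverified_helo(SAMPLE_MAIL))
```

Only the `Received:` line added by a server you trust is reliable; everything below it was supplied by the sender and can be fabricated, so the origin address is the one recorded by the first relay you trust, not necessarily the bottom line.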
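Worked example for slides 48-49 (nmap, scanning UDP, port 161). This is an added example, not code from the slides or their authors: it parses nmap's grepable (`-oG`) output into one row per port and answers the question the slide asks, which hosts have something listening on UDP and in particular on 161/udp, a state nmap often reports only as `open|filtered` because SNMP does not answer unsolicited probes. The scan output is a constructed sample (invented names, addresses from 192.0.2.0/24) in the `port/state/protocol/owner/service/rpc/version/` layout that `-oG` uses.

```python
import re

# Constructed `nmap -oG` output for two hosts. Fields on a Host: line are
# tab-separated; each Ports: entry is port/state/protocol/owner/service/rpc/version/.
SAMPLE_GREPABLE = """\
# Nmap 5.51 scan initiated Fri Apr 15 13:00:00 2011 as: nmap -sS -sU -sV -oG - 192.0.2.10 192.0.2.25
Host: 192.0.2.10 (dc1.example.com)\tStatus: Up
Host: 192.0.2.10 (dc1.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/closed/tcp//http///, 161/open/udp//snmp//net-snmp/\tIgnored State: filtered (3)
Host: 192.0.2.25 (mail.example.com)\tStatus: Up
Host: 192.0.2.25 (mail.example.com)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 443/open/tcp//https//Apache httpd 2.2.3/, 161/open|filtered/udp//snmp///\tIgnored State: filtered (3)
# Nmap done at Fri Apr 15 13:02:11 2011 -- 2 IP addresses (2 hosts up) scanned in 131.04 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")


def parse_grepable(text):
    """One dict per port entry found on Host: lines that carry a Ports: field."""
    rows = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and blank lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            parts = entry.split("/")
            port, state, proto, _owner, service, _rpc = parts[:6]
            version = "/".join(parts[6:]).rstrip("/")  # version text may contain '/'
            rows.append({"ip": m.group("ip"), "name": m.group("name"), "port": int(port),
                         "state": state, "proto": proto, "service": service, "version": version})
    return rows


def open_ports(text):
    return [(r["ip"], r["proto"], r["port"]) for r in parse_grepable(text) if r["state"] == "open"]


def udp_followup(text, port=161):
    """Hosts where a UDP port is open or open|filtered: the ones worth a targeted second look."""
    return sorted({r["ip"] for r in parse_grepable(text)
                   if r["proto"] == "udp" and r["port"] == port
                   and r["state"] in ("open", "open|filtered")})


if __name__ == "__main__":
    for row in parse_grepable(SAMPLE_GREPABLE):
        print("%-12s %5d/%-3s %-14s %-6s %s" % (row["ip"], row["port"], row["proto"],
                                                 row["state"], row["service"], row["version"]))
    print("161/udp follow-up:", udp_followup(SAMPLE_GREPABLE))
```

A host that comes back `open|filtered` on 161/udp has not been cleared; it simply did not answer the generic probe. On your own network, the follow-up list is the set of devices to check for default community strings and for whether SNMP should be reachable from that segment at all.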
