Networking for Pentesters Rob Fuller @mubix JP Bourget @punkrokk

NotaCon 2011 - Networking for Pentesters


Page 1: NotaCon 2011 - Networking for Pentesters

Networking for Pentesters

Rob Fuller @mubix

JP Bourget @punkrokk

Page 2: NotaCon 2011 - Networking for Pentesters

JP’s Intro

• BS IT, RIT 2005; MS Computer Security and Information Assurance, RIT 2008; CISSP; MCSE, CSSA. JP has six years of experience in computer networking, system administration, and information security. During the day JP is responsible for Network and Security Management for a medium size global company based in the US. JP is also adjunct faculty at Rochester Institute of Technology where he teaches Networking and Security undergraduate classes. JP also performs pen testing and security audits for local companies in Rochester, NY.

• You can find me on Twitter at http://www.twitter.com/punkrokk and on my blog: http://syncurity.net.

Page 3: NotaCon 2011 - Networking for Pentesters

meterpreter> getuid

Rob Fuller – Security Consultant

• Rob “mubix” Fuller joined Rapid7 in 2010 as a Security Consultant. Rob has 10 years of Information Security and IT experience. Prior to joining Rapid7 he worked at Applied Security as a Network Attack Operator, a Penetration Tester for the Pentagon, a Senior Incident Response Analyst for the Senate and multiple Information Security Positions in the United States Marine Corps. During his 8 years of service in the United States Marine Corps he was a team lead for the Marine Corps’ Computer Emergency Response Team (MARCERT) and became the first Security Test Engineer for the Marine Corps’ R&D section. He has extensive experience in full scope penetration testing, web application assessments, wireless security, incident response, and related development. Rob has spoken at the US Naval Academy, DojoCon, and RSS and holds a CEH, OSCP, and Security+.

Page 4: NotaCon 2011 - Networking for Pentesters

Public Service Announcement

screw ninjas

Page 5: NotaCon 2011 - Networking for Pentesters

I want to be a wizard

Page 6: NotaCon 2011 - Networking for Pentesters

to become a wizard you must answer every question with another question.

Page 7: NotaCon 2011 - Networking for Pentesters

Samurai are still cool...

Page 8: NotaCon 2011 - Networking for Pentesters

Thank you

Page 9: NotaCon 2011 - Networking for Pentesters

Agenda

• Networking for Pentesters

• Information Operations

• Vuln Hunting

• Exploitation

• Persistence

• Pivoting

Page 10: NotaCon 2011 - Networking for Pentesters

Questions

• Ask at ANY AND ALL TIMES; THERE WILL BE NO Q&A AT THE END

• but we will be open to questions after the class physically or digitally

Page 11: NotaCon 2011 - Networking for Pentesters

but first...

• Select a target:

• <insert company name here>


• Everything we will be doing with these selected targets will be in the open-source information-gathering sense. No malicious traffic will be used against these targets as part of any lab or instructor-led exercise.

Page 12: NotaCon 2011 - Networking for Pentesters

Agenda

• Networking for Pentesters

• Information Operations

• Vuln Hunting

• Exploitation

• Persistence

• Pivoting

Page 13: NotaCon 2011 - Networking for Pentesters

Networking for Pentesters

• DNS

• SMTP

• SSH

• HTTP

• RDP

Page 14: NotaCon 2011 - Networking for Pentesters

DNS

• Zones

• The round trip ride.

• Record Types (+200)

• Wildcards

• Caching / Cache poisoning

• Zone Transfers (kicking it like it’s 1995)

• Brute forcing records

Page 15: NotaCon 2011 - Networking for Pentesters

DNS Digging Deeper

• Recursion

• Authoritative Servers

• Non-Authoritative Servers

• DNS TTL

• (only matters on target DNS server)

Page 16: NotaCon 2011 - Networking for Pentesters

Non-’A’ Records

• SOA Records

• NS Records

• PTR Records

• MX Records

• SRV Records

• TXT Records

Page 17: NotaCon 2011 - Networking for Pentesters

Zone Transfer Commands

• dig

• dig -t AXFR domain.com @ns2.domain.com +short

• host -l

• nslookup

• ls -d

• dnscmd (a part of the support tools)

• dnscmd /EnumZones

• dnscmd /ZonePrint (newer versions of binary)

• dnscmd /EnumRecords domain.com @ (older versions)

Page 18: NotaCon 2011 - Networking for Pentesters

DNS Brute Force Tools

• DNSEnum

• Metasploit Module

• Yeti

• Fierce

• Google

• Bing

• FOCA

Page 19: NotaCon 2011 - Networking for Pentesters

LAB TIME

• Zone transfers....

• Brute force CompanyX’s records

Page 20: NotaCon 2011 - Networking for Pentesters

SMTP

• Clear-text protocol

• How email has been working since 1982

• VERBS

• Display Names

• Unforgiving nature (used by machines)

Page 21: NotaCon 2011 - Networking for Pentesters

SMTP Verbs

• MAIL FROM:

• RCPT TO:

• VRFY

• HELO/EHLO

• DATA

• From:

• To:

• Cc:

• Date:

• Subject:

• (body)

• .

• QUIT

Page 22: NotaCon 2011 - Networking for Pentesters

Telnet Email FTW

S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, I am glad to meet you
C: MAIL FROM:<[email protected]>
S: 250 Ok
C: RCPT TO:<[email protected]>
S: 250 Ok
C: RCPT TO:<[email protected]>
S: 250 Ok

Page 23: NotaCon 2011 - Networking for Pentesters

Telnet Email FTW (contd)

C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <[email protected]>
C: To: "Alice Example" <[email protected]>
C: Cc: [email protected]
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 header fields and 4 lines in the message body.
C: Your friend,
C: Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
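The receiving side of the session above has two "senders" to compare: the envelope MAIL FROM and the From: header inside DATA, and a mismatch between their domains is what the spoofed-email lab produces and what a DMARC alignment check looks for. Added example (not from the slides): a parser for a transcript in the slide's C:/S: form that pulls both out and reports alignment; the transcript and addresses are constructed.

```python
import re

# Constructed transcript in the slide's C:/S: form; the envelope sender is at example.org
# while the header From: claims to be Alice's bank (addresses are made up).
TRANSCRIPT = """\
C: HELO relay.example.org
C: MAIL FROM:<bob@example.org>
C: RCPT TO:<alice@example.com>
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Alice's Bank" <alerts@bank.example>
C:
C: Hello Alice, please log in at the link below.
C: .
S: 250 Ok: queued as 12345
C: QUIT
"""

ADDR_RE = re.compile(r"<([^<>@\s]+@[^<>\s]+)>")  # the address inside angle brackets

def parse_session(transcript):
    """Return (envelope MAIL FROM address, raw header From: value) from the client's lines."""
    envelope, header_from, state = None, None, "cmd"  # cmd -> headers -> body
    for line in transcript.splitlines():
        if not line.startswith("C:"):
            continue
        text = line[2:].strip()
        if state == "cmd" and text.upper().startswith("MAIL FROM:"):
            m = ADDR_RE.search(text)
            envelope = m.group(1) if m else None
        elif state == "cmd" and text.upper() == "DATA":
            state = "headers"
        elif state == "headers" and text == "":  # blank line ends the RFC 5322 headers
            state = "body"
        elif state == "headers" and text.lower().startswith("from:"):
            header_from = text[5:].strip()
        elif text == ".":  # a lone dot terminates DATA
            break
    return envelope, header_from

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def check_alignment(transcript):
    """Compare envelope and header From: domains, as a receiving DMARC alignment check does."""
    envelope, header_from = parse_session(transcript)
    m = ADDR_RE.search(header_from or "")
    header_addr = m.group(1) if m else None
    display = (header_from or "").split("<", 1)[0].strip().strip('"')
    aligned = bool(envelope and header_addr) and domain_of(envelope) == domain_of(header_addr)
    return {"envelope": envelope, "header_from": header_addr, "display_name": display, "aligned": aligned}
```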

Page 24: NotaCon 2011 - Networking for Pentesters

LAB TIME

1. Send a spoofed email to your buddy

2. Try to send an email with a link

3. Try to send an email with a spoofed display name

Page 25: NotaCon 2011 - Networking for Pentesters

SSH

• Tunneling traffic with PuTTY

• Tunneling traffic with OpenSSH

• Master-mode (Man-On-Your-Back) MOYB

• No shell tunneling

• MITM

Page 26: NotaCon 2011 - Networking for Pentesters

PuTTy Tunneling

Page 27: NotaCon 2011 - Networking for Pentesters

OpenSSH Tunneling

• Local, Dynamic, and Remote

ssh -L host:port:host:port

ssh -D host:port

ssh -R host:port:host:port

Page 28: NotaCon 2011 - Networking for Pentesters

Examples

ssh -f [email protected] -L 2000:myhomeserver.com:25 (local-port:host:remote-port)

forwards local port 2000 to home port 25 -- Why is this interesting?

ssh -f -L 3000:talk.google.com:5522 myhomesshserver.net -N

Page 29: NotaCon 2011 - Networking for Pentesters

SSH MOYB

• Enable ‘Master Mode’ in config

Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p

• Wait for someone to connect somewhere...
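The same setting is worth auditing on your own workstation: anyone who can reach that socket rides your already-authenticated session, which is the MOYB idea in reverse. ssh_config(5) recommends that a ControlPath include %h, %p and %r (or %C) and live in a directory other users cannot write to. Added example (not from the slides or OpenSSH): a parser for a constructed ~/.ssh/config that flags ControlMaster blocks whose ControlPath breaks either rule.

```python
import re

# Constructed ~/.ssh/config: the first block is the slide's setting, the second the hardened form.
SAMPLE_CONFIG = """\
Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p

Host bastion
    HostName bastion.example.net
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%C
    ControlPersist 10m
"""

SHARED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable directories
MASTER_ON = {"yes", "auto", "ask", "autoask"}        # ControlMaster values that create a master socket

def parse_blocks(text):
    """Return [(host_pattern, {option: value})]; options before the first Host go to '(global)'."""
    blocks = [("(global)", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value, {}))
        else:
            blocks[-1][1][key] = value
    return blocks

def control_path_findings(text):
    """Map host pattern -> reasons for blocks that enable ControlMaster with a weak ControlPath."""
    findings = {}
    for host, opts in parse_blocks(text):
        path = opts.get("controlpath", "")
        if opts.get("controlmaster", "no").lower() not in MASTER_ON or not path:
            continue
        reasons = []
        if path.startswith(SHARED_DIRS):
            reasons.append("socket lives in a world-writable shared directory")
        if "%C" not in path and not all(tok in path for tok in ("%h", "%p", "%r")):
            reasons.append("path lacks %C or all of %h/%p/%r, so unrelated sessions may share a socket")
        if reasons:
            findings[host] = reasons
    return findings
```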

Page 30: NotaCon 2011 - Networking for Pentesters

SSH

• MITM

• SSH Downgrade attacks (2 -> 1) (ettercap)

• http://www.oxid.it/ca_um/topics/ssh-1_to_pix_example.htm

Page 31: NotaCon 2011 - Networking for Pentesters

LAB TIME

• Tunnel (MySQL) port 3306 through a nologin account on Metasploitable to the Windows 2k8 box

Page 32: NotaCon 2011 - Networking for Pentesters

HTTP

• VERBS

• Headers

• Response Codes

• 1.0 vs 1.1

• DoS Attacks (Slowloris, Strawman)

• Ajax, Flash, SOAP, Django, SSL,

• also known as: let’s pile more state on a stateless protocol!

Page 33: NotaCon 2011 - Networking for Pentesters

How’s your HTTP Vocabulary?

• GET

• POST

• HEAD

• PUT

• DELETE

• OPTIONS

• PROPFIND

• DEBUG

• TRACE

• CONNECT

• PROPPATCH

• MKCOL

• COPY

• MOVE

• LOCK

• UNLOCK

• VERSION-CONTROL

• REPORT

• CHECKOUT

• CHECKIN

• UNCHECKOUT

• MKWORKSPACE

• UPDATE

• LABEL

• MERGE

• BASELINE-CONTROL

• MKACTIVITY

• ORDERPATCH

• ACL

• PATCH

• SEARCH

Page 34: NotaCon 2011 - Networking for Pentesters

HTTP Response Codes

• 100s

• You need to wait for some stuff

• 200s

• Stuff is there

• 300s

• Stuff Moved

• 400s

• Stuff isn’t there or you aren’t allowed to see it

• 500s

• Stuff went wrong

Page 35: NotaCon 2011 - Networking for Pentesters

1.0 vs 1.1

• OPTIONS verb

• 100 - Continue response code (not cool)

• Compression

• Persistent Connections (very cool)

• Requires the ‘Host:’ header (not cool)

• Supports these crazy things called ‘cookies’

Page 36: NotaCon 2011 - Networking for Pentesters

Webdav Trick

• Name a file mysecretwebshell.aspx;.txt

• IIS will reference it as an ASPX page

• WebDAV thinks it’s just a text file
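The trick works because the two components disagree about where the file name ends. As an added example (not from the slides), here is the lenient extension check that lets such a name through next to a hardened allow-list check; the allow-list and the IIS 6 model are constructed for the example.

```python
import os

ALLOWED_EXTS = {".txt", ".jpg", ".png", ".pdf"}  # constructed allow-list for uploads

def naive_allows(filename):
    """Lenient check: looks only at the text after the last '.', as a WebDAV upload filter might."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTS

def iis6_effective_name(filename):
    """Model of the legacy IIS 6 behaviour the slide describes: the request path is cut at the first ';'."""
    return filename.split(";", 1)[0]

def strict_allows(filename):
    """Hardened check: the stored name, the name IIS would map, and every ';'-separated
    segment must all carry an allow-listed extension, so a hidden .aspx can't slip past."""
    candidates = [filename, iis6_effective_name(filename), *filename.split(";")]
    return all(os.path.splitext(name)[1].lower() in ALLOWED_EXTS for name in candidates)

def classify(filename):
    """Show how each check judges a name and what IIS 6 would actually serve it as."""
    return {
        "naive_allows": naive_allows(filename),
        "strict_allows": strict_allows(filename),
        "served_as": iis6_effective_name(filename),
    }
```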

Page 37: NotaCon 2011 - Networking for Pentesters

LAB TIME

• Go to your company’s website

• What server type is it?

• Apache, Webrick, IIS, pySockets, etc...

• What server side code does it run?

• ASP{X}, Python, Ruby on Rails, PHP, etc..

• Do you think it has a DB backend? Why?

Page 38: NotaCon 2011 - Networking for Pentesters

RDP

• RDP Bruteforcing

• TSGrinder (old school)

• ncrack (new school)

• RDP MITM

• Cain & Abel still rules

• RDP Hashdump

• Cain & Abel

Page 39: NotaCon 2011 - Networking for Pentesters

NO LAB

• Difficult to duplicate much less set up for a lab such as this, but definitely take everything you’ve learned here home and try it out

Page 40: NotaCon 2011 - Networking for Pentesters

Agenda

• Networking for Pentesters

• Information Operations

• Vuln Hunting

• Exploitation

• Persistence

• Pivoting

Page 41: NotaCon 2011 - Networking for Pentesters

Information Operations

• Social Networking Rocks

• Metadata

• Clouds Rain Info

• Nmap (some tricks to using it)

Page 42: NotaCon 2011 - Networking for Pentesters

Social Networking Rocks

• Twitter.com

• This is the ONLY service that emails you that someone wants to add you even if they just import your contact info.

• Twitterpeeps.com [Fix link]

• Facebook.com

• “Everything should be public” -- Zuckerberg

• LinkedIn.com

• Their API is much more open than their site. Think evil.

• You probably know all these but they can be horribly twisted

Page 43: NotaCon 2011 - Networking for Pentesters

LAB TIME

• Start to fill out data on your company, use social networks to find as much information about the target as possible.

Page 44: NotaCon 2011 - Networking for Pentesters

Metadata

• Documents

• Usernames

• IP addresses

• Hostnames

• Domains

• Images

• Usernames

• Locations

• Email Headers (Have you ever looked at them?)

• FOCA Free/Pro (King of Metadata)

• EVERYTHING ;-)

Page 45: NotaCon 2011 - Networking for Pentesters

LAB TIME

• Open your SPAM folder, and open the email’s header information.

• What can you tell about the sender?

• What can you tell about the organization/infrastructure supporting the sender?

Page 46: NotaCon 2011 - Networking for Pentesters

Clouds Rain Info

• Digital Cloud

• clez.net

• serversniff.net

• centralops.net

• whois.sc/[IP/Domain]

• Arin.net’s REST documentation

• magic-net.info

• OldSchool Clouds - ANALOG (Remember you are targeting a physical object, not just a digital one)

• DMV (Tell them you are looking up a lost title)

• Intelius (Digital data about Analog targets)

• Call HR

Page 47: NotaCon 2011 - Networking for Pentesters

LAB TIME

• Find as much information as you can on your company. How many emails can you harvest on them?

Page 48: NotaCon 2011 - Networking for Pentesters

nmap

• What flags do you normally use?

• [Book Image Here]

• Do you even scan for UDP?

• You’d be surprised what odd things listen on 161 on the internet.

• Can you name all 1024 ‘ephemeral’ ports? How about just the top 100?


• NSE Scripts (know them, use them)

Page 49: NotaCon 2011 - Networking for Pentesters

LAB TIME

• nmap [TARGET]

• What do you see?

• What ports are open?

• What services are running?

• What possible vulns are there?

Page 50: NotaCon 2011 - Networking for Pentesters

Agenda

• Networking for Pentesters

• Information Operations

• Vuln Hunting

• Exploitation

• Persistence

• Pivoting

Page 51: NotaCon 2011 - Networking for Pentesters

Vuln Hunting

#1 Question I get is:

‘How do you know a system is vulnerable?’


Honest truth is that every pentester uses experience and educated guesses. They call us ‘testers’ for a reason.

Page 52: NotaCon 2011 - Networking for Pentesters

Vuln Hunting

• Web Applications

• Network Services

• People

Page 53: NotaCon 2011 - Networking for Pentesters

Web App Vuln Hunting

• Use the check list...

• [Web Application Hackers Checklist]

• Brute Forcing is now a portion of Information Gathering. Use every scanner possible. None of them do a perfect job, though, so kick off a half dozen scanners then start doing your manual testing.

• Remember, people bookmark things

• [Demo Delicious Enum module]

• The wayback machine is a great source of URLs

• [Demo Wayback Enum module]

Page 54: NotaCon 2011 - Networking for Pentesters

LAB TIME

• See if you can determine any possible lines of attack simply by browsing your target company’s web site.

• Is there an id=12?

• What about a funny looking cookie or HTTP header?

• How about a login form or registration page?

• Every Sci-Fi/Fantasy book I have ever read with a Wizard in it describes them as crotchety but highly, if not overly, observant

Page 55: NotaCon 2011 - Networking for Pentesters

Network Services

• Running NeXpose, Nessus, or other vuln scanners during a pentest is for people who are under a time constraint. Skilled attackers will only do this if they aren’t worried about getting caught or blocked.

• nmap nse vuln checks, if you want to get caught...

• DON’T USE NMAP, do version checks and make an educated guess.

• IF YOU AREN’T 80% SURE YOUR EXPLOIT WILL WORK, DON’T THROW IT. YOU HAVE FAILED YOUR INTEL GATHERING PHASE

• Find out what information you have about the service. Determine the possible vulnerabilities, gather more information. Rinse Repeat.

Page 56: NotaCon 2011 - Networking for Pentesters

LAB TIME

• Tell me if [TARGET IP] is vulnerable to anything. Yes you can use prior knowledge. Vuln Hunting is all about experience.

Page 57: NotaCon 2011 - Networking for Pentesters

People

• Think about where you work. Who is the ‘speaker phone’ for your section/business unit/office/department/company?

• Now how would you go about getting that particular person’s work number or email?

• This person would know it... How do I get their number? And so on...

• Do you send non-phishing emails in pentests?

• Why not?

• Do you make non-SE phone calls in pentests?

• Why not?

Page 58: NotaCon 2011 - Networking for Pentesters

LAB TIME

• Call the CEO of your target company and complain about their car hitting yours.

JUST KIDDING!!!

Page 59: NotaCon 2011 - Networking for Pentesters

Agenda

• Networking for Pentesters

• Information Operations

• Vuln Hunting

• Exploitation

• Persistence

• Pivoting

Page 60: NotaCon 2011 - Networking for Pentesters

Exploitation

• Payload Selection

• Targeting

Page 61: NotaCon 2011 - Networking for Pentesters

Payloads

• Metasploit Payloads

• Singles - Fully functional, self contained payloads. For example ‘add_user’

• Staged - Uses tiny ‘stager’ shellcode in the exploit that connects over the network to the attacker in order to download the rest of the payload’s functional code

• Shellcode from the net

• Put your big boy pants on, because it might be backdoored, trojaned or otherwise evil.

Page 62: NotaCon 2011 - Networking for Pentesters

Payload selection

• Does your target have egress filtering?

• Do they have Windows systems or Macs?

• Do they have protocol inspection?

• Do they have Java installed?

Page 63: NotaCon 2011 - Networking for Pentesters

LAB TIME

• What payloads exist in the Metasploit Framework?

• Which payload are you going to use?

• WHY!!!?

Page 64: NotaCon 2011 - Networking for Pentesters

Targeting

• ‘show targets’ in Metasploit is an important step in the process

• If you’re at this point and you still aren’t sure, go gather more information.

Page 65: NotaCon 2011 - Networking for Pentesters

Agenda

• Networking for Pentesters

• Information Operations

• Vuln Hunting

• Exploitation

• Persistence

• Pivoting

Page 66: NotaCon 2011 - Networking for Pentesters

Persistence

• Know the System

• Know the User

Page 67: NotaCon 2011 - Networking for Pentesters

Agenda

• Networking for Pentesters

• Information Operations

• Vuln Hunting

• Exploitation

• Persistence

• Pivoting

Page 68: NotaCon 2011 - Networking for Pentesters

Pivoting

• Windows ‘Super Secret Ninja Hacker Tools’

• (Ninjas suck, they use Windows)

• net

• at

• dir

• Meterpreter tools:

• Metasploit Pro VPN pivoting (‘cause it’s PIMP!)

• portfwd

• Metasploit tools:

• route

• psexec

Page 69: NotaCon 2011 - Networking for Pentesters

LAB TIME

• Pivot from our Metasploitable box to the other machine on the DMZ

• Then try to find a way into the intranet

Page 70: NotaCon 2011 - Networking for Pentesters

that’s it..

GTFO 100.100.100.101

Feedback: [email protected]