NotaCon 2011 - Networking for Pentesters
Networking for Pentesters
Rob Fuller @mubix
JP Bourget @punkrokk
JP’s Intro
• BS IT, RIT 2005; MS Computer Security and Information Assurance, RIT 2008; CISSP; MCSE, CSSA. JP has six years of experience in computer networking, system administration, and information security. During the day JP is responsible for Network and Security Management for a medium-sized global company based in the US. JP is also adjunct faculty at Rochester Institute of Technology, where he teaches Networking and Security undergraduate classes. JP also performs pen testing and security audits for local companies in Rochester, NY.
• You can find me on Twitter at http://www.twitter.com/punkrokk and on my blog: http://syncurity.net.
meterpreter> getuid
Rob Fuller – Security Consultant
• Rob “mubix” Fuller joined Rapid7 in 2010 as a Security Consultant. Rob has 10 years of Information Security and IT experience. Prior to joining Rapid7 he worked at Applied Security as a Network Attack Operator, a Penetration Tester for the Pentagon, a Senior Incident Response Analyst for the Senate and in multiple Information Security positions in the United States Marine Corps. During his 8 years of service in the United States Marine Corps he was a team lead for the Marine Corps’ Computer Emergency Response Team (MARCERT) and became the first Security Test Engineer for the Marine Corps’ R&D section. He has extensive experience in full-scope penetration testing, web application assessments, wireless security, incident response, and related development. Rob has spoken at the US Naval Academy, DojoCon, and RSS and holds a CEH, OSCP, and Security+.
Public Service Announcement
screw ninjas
I want to be a wizard
to become a wizard you must answer every question with another question.
Samurai are still cool...
Thank you
Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting
Questions
• AT ANY AND ALL TIMES, THERE WILL BE NO Q&A AT THE END
• but we will be open to questions after the class physically or digitally
but first...
• Select a target:
• <insert company name here>
• Everything we will be doing with these selected targets will be in the open-source info-gathering sense. No malicious traffic will be used against these targets as part of any lab or instructor-led exercise
Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting
Networking for Pentesters
• DNS
• SMTP
• SSH
• HTTP
• RDP
DNS
• Zones
• The round trip ride.
• Record Types (+200)
• Wildcards
• Caching / Cache poisoning
• Zone Transfers (kicking it like it’s 1995)
• Brute forcing records
DNS Digging Deeper
• Recursion
• Authoritative Servers
• Non-Authoritative Servers
• DNS TTL
• (only matters on target DNS server)
Non-’A’ Records
• SOA Records
• NS Records
• PTR Records
• MX Records
• SRV Records
• TXT Records
Zone Transfer Commands
• dig
• dig -t AXFR domain.com @ns2.domain.com +short
• host -l
• nslookup
• ls -d domain.com (at the nslookup prompt)
• dnscmd (a part of the support tools)
• dnscmd /EnumZones
• dnscmd /ZonePrint (newer versions of binary)
• dnscmd /EnumRecords domain.com @ (older versions)
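An added example (not from the deck) for checking your own zone: it parses the output of the dig AXFR command above (run without +short, so each line is name/TTL/class/type/rdata) and reports whether the transfer completed and which non-‘A’ records, wildcards and host names it hands out. The zone data is constructed for illustration.

```python
import re
from collections import Counter

# Constructed dig AXFR output (no +short); not real zone data.
SAMPLE_AXFR = """\
; <<>> DiG 9.x <<>> -t AXFR example.com @ns2.example.com
example.com.            3600 IN SOA ns1.example.com. hostmaster.example.com. 2011012201 7200 900 1209600 3600
example.com.            3600 IN NS  ns1.example.com.
example.com.            3600 IN NS  ns2.example.com.
example.com.            3600 IN MX  10 mail.example.com.
_sip._tcp.example.com.  3600 IN SRV 0 5 5060 sip.example.com.
example.com.            300  IN TXT "v=spf1 mx -all"
*.example.com.          3600 IN A   192.0.2.10
vpn-gw.example.com.     3600 IN A   192.0.2.20
mail.example.com.       3600 IN A   192.0.2.25
example.com.            3600 IN SOA ns1.example.com. hostmaster.example.com. 2011012201 7200 900 1209600 3600
;; XFR size: 10 records (messages 1, bytes 312)
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")

def parse_axfr(text):
    """Return (name, ttl, type, rdata) tuples from dig AXFR output, skipping ';' comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata.strip()))
    return records

def summarize(records):
    """What a defender wants from a transfer of their own zone: did it complete
    (a full AXFR starts and ends with the SOA), which record types and wildcards
    it exposes, and the host names it hands out."""
    complete = len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA"
    body = records[:-1] if complete else records  # drop the closing SOA from the counts
    return {
        "complete": complete,
        "types": dict(Counter(r[2] for r in body)),
        "wildcards": [r[0] for r in body if r[0].startswith("*.")],
        "hosts": sorted(r[0] for r in body if r[2] == "A" and not r[0].startswith("*.")),
    }
```

A transfer that returns only a partial set (no closing SOA) is reported as incomplete rather than counted as a leak of the whole zone.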
DNS Brute Force Tools
• DNSEnum
• Metasploit Module
• Yeti
• Fierce
• Bing
• FOCA
LAB TIME
• Zone transfers....
• Brute force CompanyX’s records
SMTP
• Clear-text protocol
• How email has been working since 1982
• VERBS
• Display Names
• Unforgiving nature (used by machines)
SMTP Verbs
• MAIL FROM:
• RCPT TO:
• VRFY
• HELO/EHLO
• DATA
• From:
• To:
• Cc:
• Date:
• Subject:
• (body)
• .
• QUIT
Telnet Email FTW
S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, I am glad to meet you
C: MAIL FROM:<[email protected]>
S: 250 Ok
C: RCPT TO:<[email protected]>
S: 250 Ok
C: RCPT TO:<[email protected]>
S: 250 Ok
Telnet Email FTW (contd)
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <[email protected]>
C: To: "Alice Example" <[email protected]>
C: Cc: [email protected]
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 header fields and 4 lines in the message body.
C: Your friend,
C: Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
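An added example, not part of the original deck, of why the display-name lab below works and how a receiver notices: the envelope sender (MAIL FROM) and the message header From: are two different things, and nothing in the protocol ties them together. The function parses an S:/C: transcript in the style above (the session is constructed) and reports whether the two sender domains line up, the alignment that SPF/DMARC checks.

```python
import re
from email.utils import parseaddr

# Constructed S:/C: session in the slide's style; MAIL FROM and header From: disagree on purpose.
SAMPLE_SESSION = """\
S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, I am glad to meet you
C: MAIL FROM:<bob@relay.example.org>
S: 250 Ok
C: RCPT TO:<alice@example.com>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "CEO Example" <ceo@example.com>
C: Subject: Test message
C:
C: .
S: 250 Ok: queued as 12345
"""

def parse_session(text):
    """Return (envelope MAIL FROM address, raw header From: value) from an S:/C: transcript."""
    envelope_from, header_from = None, None
    in_data, headers_done = False, False
    for line in text.splitlines():
        if line.startswith("S:"):
            in_data = in_data or line[3:].startswith("354")  # server is now reading DATA
            continue
        payload = line[3:]  # drop the "C: " prefix
        if not in_data:
            m = re.match(r"MAIL FROM:\s*<([^>]*)>", payload, re.I)
            if m:
                envelope_from = m.group(1)
        elif payload == ".":
            in_data = False  # lone dot ends the message
        elif not headers_done:
            if payload == "":
                headers_done = True  # blank line separates headers from body
            elif payload.lower().startswith("from:"):
                header_from = payload[5:].strip()
    return envelope_from, header_from

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if addr and "@" in addr else ""

def check_alignment(text):
    """Return (display name, header From address, envelope address, aligned); aligned is
    False when the sender domains differ, the mismatch SPF/DMARC alignment checks catch."""
    envelope_from, header_from = parse_session(text)
    name, addr = parseaddr(header_from or "")
    return name, addr, envelope_from, domain_of(addr) == domain_of(envelope_from)
```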
LAB TIME
1. Send a spoofed email to your buddy
2. Try to send an email with a link
3. Try to send an email with a spoofed display name
SSH
• Tunneling traffic with PuTTY
• Tunneling traffic with OpenSSH
• Master-mode (Man-On-Your-Back) MOYB
• No shell tunneling
• MITM
PuTTy Tunneling
OpenSSH Tunneling
• Local, Dynamic, and Remote
ssh -L [bind_address:]port:host:hostport
ssh -D [bind_address:]port
ssh -R [bind_address:]port:host:hostport
Examples
ssh -f -N [email protected] -L 2000:myhomeserver.com:25 (local-port:host:remote-port; -N because -f needs either a command or -N)
forwards local port 2000 to home port 25 -- Why is this interesting?
ssh -f -L 3000:talk.google.com:5522 myhomesshserver.net -N
SSH MOYB
• Enable ‘Master Mode’ in config
Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
• Wait for someone to connect somewhere...
SSH
• MITM
• http://www.oxid.it/ca_um/topics/ssh-1_to_pix_example.htm
• SSH Downgrade attacks (2 -> 1) (ettercap)
LAB TIME
• Tunnel (MySQL) port 3306 through a nologin account on Metasploitable to the Windows 2k8 box
HTTP
• VERBS
• Headers
• Response Codes
• 1.0 vs 1.1
• DoS Attacks (Slowloris, Strawman)
• Ajax, Flash, SOAP, Django, SSL,
• also known as: let’s pile more state on a stateless protocol!
How’s your HTTP Vocabulary?
• GET
• POST
• HEAD
• PUT
• DELETE
• OPTIONS
• PROPFIND
• DEBUG
• TRACE
• CONNECT
• PROPPATCH
• MKCOL
• COPY
• MOVE
• LOCK
• UNLOCK
• VERSION-CONTROL
• REPORT
• CHECKOUT
• CHECKIN
• UNCHECKOUT
• MKWORKSPACE
• UPDATE
• LABEL
• MERGE
• BASELINE-CONTROL
• MKACTIVITY
• ORDERPATCH
• ACL
• PATCH
• SEARCH
HTTP Response Codes
• 100s
• You need to wait for some stuff
• 200s
• Stuff is there
• 300s
• Stuff Moved
• 400s
• Stuff isn’t there or you aren’t allowed to see it
• 500s
• Stuff went wrong
1.0 vs 1.1
• OPTIONS verb
• 100 - Continue response code (not cool)
• Compression
• Persistent Connections (very cool)
• Requires the ‘Host:’ header (not cool)
• Supports these crazy things called ‘cookies’
Webdav Trick
• Name a file mysecretwebshell.aspx;.txt
• IIS will reference it as an ASPX page
• WebDAV thinks it’s just a text file
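An added example (not from the deck) showing the parser disagreement behind the trick and the upload check that closes it. The naive check looks only at the text after the last dot, so ‘mysecretwebshell.aspx;.txt’ passes as a text file; the iis_effective_name function models the slide’s description of IIS stopping at the ‘;’ (an assumption for illustration, not a claim about every IIS version). The hardened check refuses separators a server might truncate on and vets every extension segment.

```python
import posixpath

ALLOWED = {"txt", "jpg", "png"}  # constructed allow-list for an upload handler

def naive_extension(filename):
    """The check the trick defeats: only the text after the last dot is examined."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def iis_effective_name(filename):
    """Model of the parsing the slide describes: the name is cut at ';', so
    'shell.aspx;.txt' is handled as 'shell.aspx'. Assumption for illustration."""
    return filename.split(";", 1)[0]

def hardened_is_allowed(filename):
    """Reject separators a server may truncate on, any path component, and any
    dot-separated segment (not only the last) that is not an allowed extension."""
    if any(c in filename for c in ";\x00/\\") or filename != posixpath.basename(filename):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(p in ALLOWED for p in parts[1:])

def compare(filename):
    """Show what the naive check allows, what the server would actually serve it as,
    and what the hardened check decides."""
    return {
        "naive_allows": naive_extension(filename) in ALLOWED,
        "served_as": naive_extension(iis_effective_name(filename)),
        "hardened_allows": hardened_is_allowed(filename),
    }
```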
LAB TIME
• Go to your company’s website
• What server type is it?
• Apache, Webrick, IIS, pySockets, etc...
• What server side code does it run?
• ASP{X}, Python, Ruby on Rails, PHP, etc..
• Do you think it has a DB backend? Why?
RDP
• RDP Bruteforcing
• TSGrinder (old school)
• ncrack (new school)
• RDP MITM
• Cain & Abel still rules
• RDP Hashdump
• Cain & Abel
NO LAB
• Difficult to duplicate much less set up for a lab such as this, but definitely take everything you’ve learned here home and try it out
Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting
Information Operations
• Social Networking Rocks
• Metadata
• Clouds Rain Info
• Nmap (some tricks to using it)
Social Networking Rocks
• Twitter.com
• This is the ONLY service that emails you that someone wants to add you even if they just import your contact info.
• Twitterpeeps.com [Fix link]
• Facebook.com
• “Everything should be public” -- Zuckerberg
• LinkedIn.com
• Their API is much more open than their site. Think evil.
• You probably know all these but they can be horribly twisted
LAB TIME
• Start to fill out data on your company, use social networks to find as much information about the target as possible.
Metadata
• Documents
• Usernames
• IP addresses
• Hostnames
• Domains
• Images
• Usernames
• Locations
• Email Headers (Have you ever looked at them?)
• FOCA Free/Pro (King of Metadata)
• EVERYTHING ;-)
LAB TIME
• Open your SPAM folder, and open the email’s header information.
• What can you tell about the sender?
• What can you tell about the organization/infrastructure supporting the sender?
Clouds Rain Info
• Digital Cloud
• clez.net
• serversniff.net
• centralops.net
• whois.sc/[IP/Domain]
• Arin.net’s REST documentation
• magic-net.info
• OldSchool Clouds - ANALOG (Remember you are targeting a physical object, not just a digital one)
• DMV (Tell them you are looking up a lost title)
• Intelius (Digital data about Analog targets)
• Call HR
LAB TIME
• Find as much information as you can on your company. How many emails can you harvest on them?
nmap
• What flags do you normally use?
• [Book Image Here]
• Do you even scan for UDP?
• You’d be surprised what odd things listen on 161 on the internet.
• Can you name all 1024 ‘ephemeral’ ports? How about just the top 100?
• NSE Scripts (know them, use them)
LAB TIME
• nmap [TARGET]
• What do you see?
• What ports are open?
• What services are running?
• What possible vulns are there?
Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting
Vuln Hunting
#1 Question I get is:
‘How do you know a system is vulnerable?’
Honest truth is that every pentester uses experience and educated guesses. They call us ‘testers’ for a reason.
Vuln Hunting
• Web Applications
• Network Services
• People
Web App Vuln Hunting
• Use the check list...
• [Web Application Hackers Checklist]
• Brute Forcing is now a portion of Information Gathering. Use every scanner possible. None of them do a perfect job, though, so kick off a half dozen scanners then start doing your manual testing.
• Remember, people bookmark things
• [Demo Delicious Enum module]
• The wayback machine is a great source of URLs
• [Demo Wayback Enum module]
LAB TIME
• See if you can determine any possible lines of attack simply by browsing your target company’s web site.
• Is there an id=12?
• What about a funny looking cookie or HTTP header?
• How about a login form or registration page?
• Every Sci-Fi/Fantasy book I have ever read with a Wizard in it describes them as crotchety but highly, if not overly, observant
Network Services
• Running NeXpose, Nessus, or other vuln scanners during a pentest is for people who are under a time constraint. Skilled attackers will only do this if they aren’t worried about getting caught or blocked.
• nmap nse vuln checks, if you want to get caught...
• DON’T USE NMAP, do version checks and make an educated guess.
• IF YOU AREN’T 80% SURE YOUR EXPLOIT WILL WORK, DON’T THROW IT. YOU HAVE FAILED YOUR INTEL GATHERING PHASE
• Find out what information you have about the service. Determine the possible vulnerabilities, gather more information. Rinse Repeat.
LAB TIME
• Tell me if [TARGET IP] is vulnerable to anything. Yes you can use prior knowledge. Vuln Hunting is all about experience.
People
• Think about where you work. Who is the ‘speaker phone’ for your section/business unit/office/department/company?
• Now how would you go about getting that particular person’s work number or email?
• This person would know it... How do I get their number? And so on...
• Do you send non-phishing emails in pentests?
• Why not?
• Do you make non-SE phone calls in pentests?
• Why not?
LAB TIME
• Call the CEO of your target company and complain about their car hitting yours.
JUST KIDDING!!!
Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting
Exploitation
• Payload Selection
• Targeting
Payloads
• Metasploit Payloads
• Singles - Fully functional, self-contained payloads. For example ‘add_user’
• Staged - Uses tiny ‘stager’ shellcode in the exploit that connects over the network to the attacker in order to download the rest of the payload’s functional code
• Shellcode from the net
• Put your big boy pants on, because it might be backdoored, trojaned or otherwise evil.
Payload selection
• Does your target have egress filtering?
• Do they have Windows systems or Macs?
• Do they have protocol inspection?
• Do they have Java installed?
LAB TIME
• What payloads exist in the Metasploit Framework?
• Which payload are you going to use?
• WHY!!!?
Targeting
• ‘show targets’ in Metasploit is an important step in the process
• if you’re at this point and you still aren’t sure, go gather more information.
Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting
Persistence
• Know the System
• Know the User
Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting
Pivoting
• Windows ‘Super Secret Ninja Hacker Tools’
• (Ninjas suck, they use Windows)
• net
• at
• dir
• Meterpreter tools:
• Metasploit Pro VPN pivoting (‘cause it’s PIMP!)
• portfwd
• Metasploit tools:
• route
• psexec
LAB TIME
• Pivot from our Metasploitable box to the other machine on the DMZ
• Then try to find a way into the intranet