penetration testing - black box type
Posted 15-Apr-2017 (Category: Technology)
Information Security
luigi capuzzello
Penetration Test
External Black Box Type
Version: 2.2
Luigi Capuzzello
15/09/2015
This document aims to analyze in detail the main phases of a penetration test, in particular: how to become silent, how to perform information gathering and service information gathering, how to find exploits and how you can actually use them.
By the way, the platform used to perform the penetration test is Kali (not Kali 2.0, because at the moment it works, but not perfectly).
http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a
http://www.slideshare.net/luigicapuzzello
@FisherKasparov
luigi.capuzzello
Contents
Legal disclaimer
How to become silent.
  TORtunnel: setup
  TORtunnel and nmap, hydra, sqlmap, firefox
Information Gathering.
Service Information Gathering
  Nmap
  FTP (21)
  DNS (53).
  SNMP (161)
  SMTP (25)
  SMB (139 - 445)
  HTTP (80) (network scanning)
    Initial Fingerprint
    XSS: Cross Site Scripting.
    CSRF: Cross Site Request Forgery.
    Path Traversal Attack.
    SQL Injection: sqlmap
Search for Vulnerability
  nmap
  openVAS
  Metasploit
Exploit
  How to compile an exploit manually
  mspayload: crypt and decrypt shell
  Cheat AV
Conclusion
Legal disclaimer
Usage of this document for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not responsible for any misuse or damage caused by this document.
How to become silent.
This step is not strictly necessary, but sometimes you need to simulate a penetration test that is very close to reality, and then it becomes very important to implement this item. Anyway, if you decide to become silent you must implement it as your first activity.
Depending on the activity you want to perform, you can use different tools that allow you to maintain effective anonymity. The anonymity level can range from weak to strong, but it is never absolutely secure. In particular, you can use tools like:
- Wingate HTTP proxy;
- SOCKS proxy (with software like SocksCap to specify which IP, port and programs have to use the SOCKS proxy);
- PHP proxy;
- TOR;
- VPN.
I can also use iptables to drop all outgoing packets from my IP to the penetration test target. I can do this with a simple command:
#iptables -A OUTPUT --dest -j DROP
Remember also that:
if you want to see which rules I defined in the OUTPUT chain you must use this command:
#iptables -L OUTPUT
if you want to empty the OUTPUT chain you must use this command:
#iptables -F OUTPUT
In this document I will focus my attention on a particular piece of software called TORtunnel. Using TORtunnel we reach a low level of anonymity, but we can run our tests at a good speed, so I think it is the right balance.
TORtunnel: setup
Actually TORtunnel is a partial onion proxy implementation that's designed to build single-hop circuits through Tor exit nodes. This is useful in cases where you want a very low level of anonymity and don't want to deal with the performance implications of using Tor's full three-hop circuits. If you want to use TORtunnel you must start by installing some other software as well:
#apt-get install tor vidalia proxychains privoxy tor-geoipdb nmap libboost-system1.49.0
proxychains is a tool that forces any TCP connection made by any given application to go through a proxy like TOR or any other SOCKS4 or SOCKS5 proxy. We must configure it like this:
$ nano /etc/proxychains.conf
And modify it as follows:
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 5060
Now there is a problem with applications that use the TOR network: when they need the IP address of the target, they send a DNS request which is not torified; so we send the traffic anonymously, but we send a DNS request in the clear. To solve this problem we need a proxy which prevents DNS leaks.
Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has applications for both stand-alone systems and multi-user networks. Once we have installed Privoxy we need to configure it:
$ sudo nano /etc/privoxy/config
And modify it as follows:
# A rule that uses a SOCKS 4 gateway for all destinations but no
# HTTP parent looks like this:
#
# forward-socks4 / socks-gw.example.com:1080 .
#
#
# To chain Privoxy and Tor, both running on the same system,
# you would use something like:
#
# forward-socks5 / 127.0.0.1:9050 .
forward-socks5 / 127.0.0.1:5060 .
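To check that the two files above actually agree before sending anything through the chain, here is an added example in Python (my own code, not from the document, the TORtunnel project, proxychains or Privoxy). It parses the [ProxyList] of a proxychains.conf and the forward rules of a Privoxy config, both constructed inline in the same form as the snippets above, and reports every condition under which a TCP connection or a hostname lookup would bypass the local SOCKS endpoint that torproxy opens on 127.0.0.1:5060. The proxy_dns directive is proxychains' own option for resolving names through the proxy; the rule that Privoxy's forward-socks4 (as opposed to socks4a/socks5) resolves names locally follows the Privoxy documentation.

```python
"""Consistency check for the proxychains + Privoxy chaining shown above.

Added example, not part of the original document. Both sample configs are
constructed here in the same form as the page's snippets. The check reports
every condition under which a TCP connection or a hostname lookup would
bypass the local SOCKS endpoint that torproxy opens on 127.0.0.1:5060.
"""
import re

TORPROXY_SOCKS = ("127.0.0.1", 5060)

# Constructed proxychains.conf (not copied from a real system).
PROXYCHAINS_CONF = """\
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 5060
"""

# Constructed Privoxy config (only the forwarding part matters here).
PRIVOXY_CONF = """\
listen-address  127.0.0.1:8118
# forward-socks5 / 127.0.0.1:9050 .
forward-socks5 / 127.0.0.1:5060 .
"""

FORWARD_RE = re.compile(
    r"^forward-(socks4a?|socks5t?)\s+(\S+)\s+(\S+):(\d+)(?:\s+(\S+))?$")


def parse_proxychains(text):
    """Return (options, proxies): the global options that are enabled and the
    (type, host, port) entries under [ProxyList]; comments are ignored."""
    options, proxies, in_list = set(), [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_list = line.lower() == "[proxylist]"
        elif in_list:
            parts = line.split()
            if len(parts) >= 3:
                proxies.append((parts[0].lower(), parts[1], int(parts[2])))
        else:
            options.add(line.split()[0].lower())
    return options, proxies


def parse_privoxy(text):
    """Return the forward-socks rules as (type, pattern, host, port, http_parent)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = FORWARD_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3),
                          int(m.group(4)), m.group(5)))
    return rules


def check_chain(proxychains_text, privoxy_text, socks=TORPROXY_SOCKS):
    """Return a list of findings; an empty list means both files agree."""
    findings = []
    options, proxies = parse_proxychains(proxychains_text)
    if "proxy_dns" not in options:
        findings.append("proxychains: proxy_dns not set, hostname lookups "
                        "are sent to the system resolver in the clear")
    if not proxies:
        findings.append("proxychains: [ProxyList] is empty")
    for ptype, host, port in proxies:
        if (host, port) != socks:
            findings.append(f"proxychains: {ptype} {host}:{port} is not the "
                            f"torproxy endpoint {socks[0]}:{socks[1]}")
    rules = [r for r in parse_privoxy(privoxy_text) if r[1] == "/"]
    if not rules:
        findings.append("privoxy: no forward-socks rule for '/', HTTP "
                        "requests go out directly")
    for stype, _pattern, host, port, parent in rules:
        if (host, port) != socks:
            findings.append(f"privoxy: forward-{stype} points at {host}:{port}, "
                            "not the torproxy endpoint")
        if parent != ".":
            findings.append("privoxy: http_parent missing, the rule needs a "
                            "trailing '.' (no HTTP parent) to be valid")
        if stype == "socks4":
            findings.append("privoxy: forward-socks4 resolves hostnames "
                            "locally; use socks4a or socks5")
    return findings


if __name__ == "__main__":
    for finding in check_chain(PROXYCHAINS_CONF, PRIVOXY_CONF) or ["OK: chain is consistent"]:
        print(finding)
```

Run it against the real files by reading /etc/proxychains.conf and /etc/privoxy/config into the two arguments of check_chain; an empty result means the SOCKS port, the DNS handling and the Privoxy forward rule all line up with the torproxy command used later in the document.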
OK, at this point we can finally install TORtunnel.
$ cd /usr/src/
$ wget http://www.thoughtcrime.org/software/tortunnel/tortunnel-0.3.tar.gz
$ tar xvzf tortunnel-0.3.tar.gz
$ cd tortunnel-0.3/
$ ./configure
$ make
$ sudo make install
Once we have installed TORtunnel we can use this command to open the gate to the tunnel:
#torproxy -p 5060 -r
Or you can force a specific Tor exit node (perhaps because it is much faster than the others):
#torproxy -p 5060 -n
By the way, to find a valid exit node you can open Vidalia, click the network option and choose nodes with their IP address on the right side of the panel.
Or, if you are using the Tor browser, you can see some nodes from here.
Now we are ready.
We have created a SOCKS proxy on 127.0.0.1:5060.
All the packets sent to that proxy will be sent over the TOR network and will arrive at the target with the exit node's IP.
TORtunnel and nmap, hydra, sqlmap, firefox
OK, we are actually ready to make some tests in silent state.
If we want to do some information gathering on a particular target, we have to execute these simple instructions:
#iptables -A OUTPUT --dest -j DROP
#torproxy -p 5060 -r
[or also #torproxy -p 5060 -n ]
And now I can use nmap to test the TCP ports and find the service versions:
#proxychains nmap -sVT -P0 -PN
Or I can use Hydra to test whether a particular password is actually strong:
#proxychains hydra -V -l Administrator -P /pentest/passwords/wordlists/darkc0de.lst -v
Or I can use sqlmap to test a possible SQL injection on the site:
#proxychains python sqlmap.py -u "http:///products.php?ID=10"
Or maybe we just want to see some HTTP pages on the target:
#proxychains firefox
Information Gathering.
As you know, in this phase the main aim is to get as much information as possible about the target. This phase could seem boring (and actually it is very boring) but it is very important; if you complete this step correctly then you will definitely find something interesting about your target. Every bit of information could help us find a way to break into the perimeter.
Another very important thing you have to do in this phase is to organize all the information you got with great care. There is only one risk, but it is very dangerous: drowning in a sea of information.
We have many programs to achieve our aim, but I report just a few of them, the ones I think are very useful.
We are doing a black box penetration attack, so the goal is to simulate an external hacking: we have zero knowledge about our target, we have just an IP (I will call it ) or an IP range. We can start by making a reverse DNS query.
We can do it simply with sites like:
http://www.yougetsignal.com/tools/web-sites-on-web-server/
If everything goes fine we will have one or more domains associated with our IP (I will call it ). We have to analyze all the domains we found, and we can use some Google dorks to get more information about possible subdomains. One very interesting Google dork we can use is: site: -site:www. For example:
site:target.com -site:www.target.com
We can also get some more information about the domain using a specific program called dmitry:
#dmitry
Also theharvester is an interesting tool to get some other information quickly:
#theharvester -d -b
For example:
#theharvester -d target.com -b google
We can do DNS enumeration with some tools (dnsrecon, dnsenum and host):
#dnsrecon -d -t axfr
#dnsrecon -d -t std
#dnsrecon -d -t goo
#dnsrecon -t brt -D /usr/share/dnsrecon/namelist.txt -d
#dnsenum
#./fierce -dns
#host -vt A
#host -vt MX
#host -vt SOA
#host -vt NS
#host -l
You can also use the auxiliary modules of the Metasploit framework to get some other information (please refer to the Metasploit chapter for more details).
Service Information Gathering
The purpose of this phase is to find the active services on the machines we found in the previous step. The master tool to achieve this aim is nmap.
Nmap
Nmap implements many interesting types of scanning.
For example we can find all the active machines on an internal network:
#nmap -sn 192.168.1.0/24 -oG outputfile
We can find all the open TCP ports, the version of the services and the operating system of a specific machine or of a specific network:
# nmap -O -sV -sT -PN -T5 TARGET (OS and TCP)
We can do the same thing on UDP ports, and we can specify the more exploitable
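To make sense of the grepable file that -oG writes, here is an added example in Python (my own code, not from the document or from the Nmap project): a parser for nmap's grepable format that lists the hosts that answered and their open services, run over constructed sample lines rather than a real scan. The layout of each Ports entry (port/state/protocol/owner/service/rpc info/version, separated by slashes, entries separated by ", ") and the tab separation between fields follow nmap's documented grepable output; the same parser lets a defender diff what a scan found against the services that are supposed to be exposed.

```python
"""Parser for nmap grepable (-oG) output.

Added example, not part of the original document or of Nmap. The sample
below is constructed in nmap's grepable layout; it is not a real scan.
"""
import ipaddress
import re

# Constructed -oG sample: one "Status" line per host, one "Ports" line per
# host that was port-scanned. Fields on a line are separated by tabs.
SAMPLE_OG = (
    "# Nmap 6.49BETA4 scan initiated as: nmap -sV -oG outputfile 192.168.1.0/24\n"
    "Host: 192.168.1.1 (gw.lab.local)\tStatus: Up\n"
    "Host: 192.168.1.1 (gw.lab.local)\tPorts: 22/open/tcp//ssh//OpenSSH 6.7p1 Debian/, "
    "80/open/tcp//http//Apache httpd 2.4.10/, 443/closed/tcp//https///\t"
    "Ignored State: filtered (997)\n"
    "Host: 192.168.1.20 ()\tStatus: Up\n"
    "Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 3.X/\t"
    "Ignored State: closed (999)\n"
    "Host: 192.168.1.30 ()\tStatus: Down\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned\n"
)

# Sub-fields of one Ports entry, in nmap's order (nmap replaces '/' inside
# a version string with '|', so splitting on '/' is safe).
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")
HOST_RE = re.compile(r"Host:\s+(\S+)\s+\((.*?)\)")


def parse_grepable(text):
    """Map each IP to {'name', 'status', 'ports'} from a -oG file."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' header/footer lines carry no host data
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        entry = hosts.setdefault(
            m.group(1), {"name": m.group(2), "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")
                    if len(parts) >= 7:
                        rec = dict(zip(PORT_FIELDS, parts[:7]))
                        rec["port"] = int(rec["port"])
                        entry["ports"].append(rec)
    return hosts


def hosts_up(hosts):
    """IPs that answered host discovery (-sn), in address order."""
    return sorted((ip for ip, h in hosts.items() if h["status"] == "Up"),
                  key=ipaddress.ip_address)


def open_services(hosts, proto="tcp"):
    """(ip, port, service, version) for every open port of the given protocol."""
    out = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        for p in hosts[ip]["ports"]:
            if p["state"] == "open" and p["proto"] == proto:
                out.append((ip, p["port"], p["service"], p["version"]))
    return out


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    print("hosts up:", ", ".join(hosts_up(parsed)))
    for ip, port, service, version in open_services(parsed):
        print(f"{ip}:{port}/tcp  {service:<14} {version}")
```

Feed it the outputfile from the -oG run above (open(path).read() in place of SAMPLE_OG); hosts_up gives the live-host list from a -sn sweep, and open_services the exposed TCP services from a -sV scan, which is the list to compare against what the owner of the network expects to be reachable.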