- A vulnerability assessment is the process of reviewing services and systems for potential security issues, whereas a penetration test actually performs exploitation and Proof of Concept (PoC) attacks to prove that a security issue exists.
- If you are unsure of the software name or how to spell it, you can use the ‘apt-cache search’ command.
- If you are interested in penetration testing or hacking, there is no way of getting around the need to know Linux.
- The “lo” interface is your loopback interface. The “eth0” is your first Ethernet card.
- The easiest way to get an address is to use DHCP. To assign an address through DHCP, you simply issue the command “dhclient”.
- It is always a good idea to power off or reboot your attacking machine when you are done running a pen test. This good habit prevents you from accidentally leaving a tool running or inadvertently sending traffic from your network while you are away from your machine.
- The proper use and setup of a hacking lab is vital because one of the most effective means to learn something is by doing that thing.
- The single, most crucial point of any hacking lab is the isolation of the network.
- The remainder of this book will be dedicated to reviewing and teaching the following steps: Reconnaissance, Scanning, Exploitation, and Post Exploitation (or Maintaining Access).
- As your skills progress beyond the basics you should begin to wean yourself off the use of “vulnerability scanners” in your attack methodology.
- It is very rare to find critical systems exposed directly to the Internet in today’s world.
- The process of compromising one machine and then using that machine to compromise another machine is called pivoting.
- The first step in any penetration test is “reconnaissance”. This phase deals with information gathering about the target.
- The second step in our methodology can be broken down into two distinct activities. The first activity we conduct is port scanning. Once we have finished with port scanning, we will have a list of open ports and potential services running on each of the targets. The second activity in the scanning phase is vulnerability scanning. Vulnerability scanning is the process of locating and identifying specific weaknesses in the software and services of our targets.
- The ultimate goal of exploitation is to have administrative access (complete control) over the target machine.
- Exploitation can occur locally or remotely. Local exploitation requires the attacker to have physical access to the computer while remote exploitation occurs through networks and systems when the attacker cannot physically touch the target.
- Because most payloads are not persistent, we need to quickly move into post exploitation in order to create a more permanent backdoor to the system.
- Regardless of the amount of time and planning you put into conducting the penetration test, the client will often judge your work and effectiveness on the basis of the quality of your report.
- The Penetration Testing Execution Standard (PTES) is a fantastic resource if you are looking to find a more in-depth and thorough methodology.
- Blackbuntu is an Ubuntu-based security distro with a very friendly community, great support, and active development.
- The first step in every job is research. The more thoroughly you prepare for a task, the more likely you are to succeed.
- Reconnaissance, also known as information gathering, is arguably the most important of the four phases we will discuss.
- Step 1 begins by conducting a thorough search of public information; some organizations call this Open-Source Intelligence (OSINT). The great thing about this phase is that in most cases, we can gather a significant amount of data without ever sending a single packet to the target.
- It is important to know the difference between which tools do and which tools do not touch the target.
- There are two main goals in this phase: first, we need to gather as much information as possible about the target; second, we need to sort through all the information gathered and create a list of attackable IP addresses or uniform resource locators (URLs).
- To be successful at reconnaissance, you must have a strategy.
- Active reconnaissance includes interacting directly with the target.
- Passive reconnaissance makes use of the vast amount of information available on the web.
- HTTrack is a free utility that creates an identical, offline copy of the target website.
- Utilizing a website-copying tool like HTTrack allows us to explore and thoroughly mine the website “offline” without having to spend additional time traipsing around on the company’s web server.
- Remember anytime you interact directly with a resource owned by the target, there is a chance you will leave a digital fingerprint behind.
- When conducting a penetration test, it is important to pay special attention to things like “News” or “Announcements”.
- There is always a transition period when companies merge. This transition period provides us with unique opportunities to take advantage of the change and confusion.
- Technical job postings often reveal very detailed information about the technology being used by an organization.
- It is very difficult, if not impossible, for a company to determine when a hacker or penetration tester is conducting passive reconnaissance. This activity offers a low-risk, high-reward situation for attackers.
- If you are interested in penetration testing, it is highly suggested that you watch Johnny Long’s video and take a look at the Google Hacking book.
- To properly use a Google directive, you need three things:
- The name of the directive you want to use
- A colon
- The term you want to use in the directive
- Utilizing the “site:” directive is a great way to search a specific target and look for additional information.
- Another good Google directive to use is “intitle:” or “allintitle:”. Adding either of these to your search causes only websites that have your search words in the title of the web page to be returned.
- Performing this search (“allintitle:index of”) will allow us to view a list of any directories that have been indexed and are available via the web server. This is often a great place to gather reconnaissance on your target.
- If we want to search for sites that contain specific words in the URL, we can use the “inurl:” directive.
- It can also be very valuable to search the Google cache rather than the target’s website. This process not only reduces your digital footprints on the target’s server, making it harder to catch you, it also provides a hacker with the occasional opportunity to view web pages and files that have been removed from the original website.
- We can use the “cache:” directive to limit our search results and show only information pulled directly from the Google cache.
- It is important that you understand that clicking on any of the URLs will bring you to the live website, not the cached version.
- We can utilize “filetype:” to search for specific file extensions.
- When an application has a specific vulnerability, hackers and security researchers will typically place a Google Dork in the exploit, which allows you to search for vulnerable versions utilizing Google. The exploit-db.com website, which is run by the folks who created BackTrack and Kali Linux (Offensive-Security), has an extensive list of Google Dorks and additional Google Hacking Techniques.
- It is worth your time to learn how to leverage the search capabilities of Yahoo, Bing, Ask, Dogpile, and many more.
- As a final warning, it should be pointed out that these passive searches are only passive as long as you are searching. Once you make a connection with the target system (by clicking on any of the links), you are back to active mode.
- Newsgroups and Bulletin Board Systems like Usenet and Google Groups can be very useful for gathering information.
- It is not uncommon to find discussions on public forums where these admins will post entire, un-redacted sections of their config files. To make matters worse, many people create posts using their company email address.
- An excellent tool to use in reconnaissance is the Harvester.
- Many search engines also employ throttling techniques that will attempt to prevent you from running automated searches.
- You can use the ‘locate’ command to help find where the tool is installed. In order to use the locate command you need to first run the ‘updatedb’ command.
- Step 1 of reconnaissance is very cyclical because in-depth reconnaissance often leads to the discovery of new targets, which, in turn, lead to additional reconnaissance.
- A very simple but effective means for collecting additional information about our target is Whois. The Whois service allows us to access specific information about our target, including the IP addresses or host names of the company’s Domain Name System (DNS) servers and contact information, which usually contains an address and a phone number.
- It is important to record all the information and pay special attention to the DNS servers. If the DNS servers are listed by name only, we will use the host command to translate those names into IP addresses.
- You can also use a web browser to search Whois. By navigating to http://www.whois.net, you can search for your target in the “WHOIS Lookup” box.
- Sometimes, the output will not provide many details. We can often access these additional details by querying the specific whois server listed in the output of our original search.
- Another great source of information is Netcraft. You can visit their site at http://news.netcraft.com.
- Oftentimes, our reconnaissance efforts will result in host names rather than IP addresses. When this occurs, we can use the “host” tool to perform a translation for us.
- The host command can also be used in reverse. Using the ‘-a’ switch will provide you with verbose output and possibly reveal additional information about your target.
- DNS servers are an excellent target for hackers and penetration testers. They usually contain information that is considered highly valuable to attackers. DNS is a core component of both our local networks and the Internet. Among other things, DNS is responsible for the process of translating domain names to IP addresses.
- In order for DNS to function properly, it needs to be aware of both the IP address and the corresponding domain name of each computer on its network.
- Remember one of the key elements of information gathering is to collect IP addresses that belong to the target.
- Although it is becoming rarer to find, one of our first tasks when interacting with a target DNS is to attempt a zone transfer.
- During a zone transfer, also commonly referred to as AXFR, one DNS server will send all the host-to-IP mappings it contains to another DNS server. This process allows multiple DNS servers to stay in sync.
- ‘nslookup’ is a tool that can be used to query DNS servers and potentially obtain records about the various hosts of which it is aware.
- A software’s ‘man’ page is a text-based documentation system that describes a particular tool, including its basic and advanced uses, and other details about how the program functions.
- Utilizing the ‘set type=any’ option in nslookup will provide us with a more complete DNS record.
- Another great tool for extracting information from DNS is ‘dig’.
- In some cases, a zone transfer can result in the target DNS server sending all the records it contains. This is especially valuable if your target does not distinguish between internal and external IPs when conducting a zone transfer. We can attempt a zone transfer with dig by using the ‘-t AXFR’ switch.
- Assuming your target is hosting their own email server, this is often a great place to attack.
- One of the first things to do when attempting to recon an e-mail server is to send an e-mail to the organization with an empty ‘.bat’ file or a non-malicious ‘.exe’ file like calc.exe.
- Having a return message from a target email server allows us to inspect the headers of the e-mail. Inspecting the Internet headers will often allow us to extract some basic information about the email server, including IP addresses and the specific software versions or brand of e-mail server running.
- Another excellent information gathering tool is “MetaGooFil”. MetaGooFil is a metadata extraction tool.
- Metadata is often defined as “data about data”.
- ThreatAgent takes OSINT gathering to the next level by using a number of different sites, tools, and technologies to create an entire dossier for you about your target.
- Social engineering is the process of exploiting the “human” weakness that is inherent in every organization. When utilizing social engineering, the attacker’s goal is to get an employee to divulge some information that should be kept confidential.
- In order to be successful, you must be supremely confident, knowledgeable of the situation, and flexible enough to go “off script”. If you are conducting social engineering over the phone, it can be extremely helpful to have detailed and well-written notes in case you are asked about some obscure detail.
- It is human nature for most people to insert the thumb drive or CD into their PC just to see what is on the drive.
- Once the reconnaissance step is completed, you should have a solid understanding of your target including the organization, structure, and even technologies deployed inside the company.
- While conducting the review process, it is a good idea to create a single list that can be used as a central repository for recording IP addresses.
- During the process of reviewing your findings, be sure to transform any relevant, non-IP based information, into an IP address.
- Remember you should never rely on a single search engine to do all of your reconnaissance.
- Once you understand the basics, it is definitely worth your time to review Johnny Long’s GHDB. You can find the GHDB at http://www.hackersforcharity.org/ghdb.
- Paterva’s Maltego is a very powerful tool that aggregates information from public databases and provides shockingly accurate details about your target organization.
- Finally, it is worth your time to explore the “Swiss Army Knife Internet Tool” Robotex.
- The more information you are able to collect, the better your chances of success in later phases of the penetration test.
- Recall that one of the final steps in reconnaissance was to create a list of IP addresses that both belonged to the target and that we were authorized to attack. This list is the key to transitioning from step 1 to step 2. In step 1, we mapped our gathered information to attackable IP addresses. In step 2, we will map IP addresses to open ports and services.
- It is important to understand that it is the job of most networks to allow at least some communication to flow into and out of their borders.
- Each service, connection, or route to another network provides a potential foothold for an attacker. Scanning is the process of identifying live systems and the services that exist on those systems.
- For the purpose of our methodology, we will break step 2 into four distinct phases:
- Determining if a system is alive with ping packets.
- Port scanning the system with Nmap.
- Leveraging the Nmap scripting engine (NSE) to further interrogate the target.
- Scanning the system for vulnerabilities with Nessus.
- Step 2.1 is the process of determining whether a target system is turned on and capable of communicating or interacting with our machine. This step is the least reliable and we should always continue with steps 2.2-2.4 regardless of the outcome of this test.
- Simply defined, ports provide a way or location for software, services, and networks to communicate with hardware like a computer. A port is a data connection that allows a computer to exchange information with other computers, software, or devices.
- The use of multiple ports allows for simultaneous communication without the need to wait.
- Many common network services run on standard port numbers and can give attackers an indication as to the function of the target system.
- We need to pay special attention to the discovery of any open ports on our target systems. You should make detailed notes and save the output of any tool run in step 2.2. Remember every open port is a potential gateway into the target system.
- Vulnerability scanning is the process of locating and identifying known weaknesses in the services and software running on a target machine.
- Many systems today can be exploited directly with little or no skill when a machine is discovered to have a known vulnerability.
- It is important to mention that there is a difference in the severity of various vulnerabilities.
- Whether we are going after some super secret internal machine or simply attempting to gain access to a network, we usually begin by scanning the perimeter devices. The reason for this is simple: we start at the perimeter because most of the information we have from step 1 belongs to perimeter devices. Also, with many of today’s technologies and architectures, it is not always possible to reach directly into a network. As a result, we often employ a hacking methodology where we chain a series of machines together in order to reach our final target. First, we conquer a perimeter device, and then we move to an internal machine.
- The process of compromising one machine and then using that machine as a stepping stone to attack another machine is called “pivoting”.
- Perimeter devices are computers, servers, routers, firewalls, or other equipment, which sit at the outer edge of a protected network.
- A ping is a special type of network packet called an Internet Control Message Protocol (ICMP) packet.
- If the target host is down (offline) or blocking ICMP packets, you will see 100% packet loss or a “Destination Host Unreachable” message depending on which operating system you are using.
- Because we know that pings can be useful in determining if a host is alive, we can use the ping tool as a host discovery service.
- A ping sweep is a series of pings that are automatically sent to a range of IP addresses, rather than individually entering each target’s address.
- The simplest way to run a ping sweep is with a tool called FPing.
- It is important to remember that not every host will respond to ping requests; some hosts may be firewalled or otherwise blocking ping packets.
- Recall that the goal of port scanning is to identify which ports are open and determine what services are available on our target system.
- There are a total of 65,536 (0-65,535) ports on every computer. Ports can be either transmission control protocol (TCP) or user datagram protocol (UDP) depending on the service utilizing the port or nature of the communication occurring on the port.
- If you had to choose only one tool to conduct port scanning, you would undoubtedly choose Nmap.
- Scripting and automation become key when you want to advance your skill set to the next level.
- In most jobs, your main goal will be to get an administrative shell or backdoor access to the machine. This shell is literally a terminal that allows you to control the target PC from the command line.
- When we conduct a port scan, our tool will literally create a packet and send it to each designated port on the machine. The goal is to determine what kind of a response we get from the target port.
- The first computer connects to the second computer by sending a SYN packet to a specified port number. If the second computer is listening, it will respond with a SYN/ACK. When the first computer receives the SYN/ACK, it replies with an ACK packet.
- Unless you are in a great hurry, it is always recommended to scan all ports, not just the 1000 most common.
- You can scan all the ports by specifying “-p-” when running Nmap. Using the “-Pn” switch with every Nmap scan is also recommended. Utilizing the “-Pn” switch will cause Nmap to disable host discovery and force the tool to scan every system as if it were alive.
- Whenever possible, always try to create a single text file containing all your target IPs. Most of the tools we discuss have a switch or mechanism for loading this text file.
- SYN scans are faster because rather than completing the entire three-way handshake, it only completes the first two steps of the process.
- The reset packet tells the target machine to disregard any previous packets and close the connection between the two machines.
- Another advantage to the SYN scan is that in some instances, it provides a level of obscurity or stealth. Because of this feature, the SYN scan is often referred to as the “Stealth Scan”.
- Do not neglect to scan UDP ports!
- TCP is considered a “connection-oriented protocol” because it requires that the communication between both the sender and the receiver stays in sync. This process ensures that the packets sent from one computer to another arrive at the receiver intact and in the order they were sent. On the other hand, UDP is said to be “connectionless” because the sender simply sends packets to the receiver with no mechanism for ensuring that the packets arrive at the destination.
- One of the most important traits for a penetration tester to have is thoroughness.
- To elicit a more useful response from our target, we can add the “-sV” switch to our UDP scan. The “-sV” switch is used for version scanning but, in this case, can also help us narrow the results of our UDP scan.
- In the computer world, a request for comments (RFC) is a document that contains either notes or the technical specifications covering a given technology or standard.
- Xmas tree scans get their name from the fact that the FIN, PSH, and URG packet flags are set to “on”; as a result, the packet has so many flags turned on that it is often described as being “lit up like a Christmas tree”.
- In general, the Xmas tree and null scans work against Unix and Linux machines but not Windows.
- Null scans, like Xmas tree scans, are probes made with packets that violate traditional TCP communication. In many ways, the null scan is the exact opposite of an Xmas tree scan because the null scan utilizes packets that are devoid of any flags (completely empty).
- Target systems will respond to null scans in the exact same way they respond to Xmas tree scans. Specifically, an open port on the target system will send no response back to Nmap, whereas a closed port will respond with an RST packet.
- It is important to understand that neither the Xmas tree nor the null scans seek to establish any type of communications channel. The whole goal of these scans is to determine if a port is open or closed.
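The three-way handshake (SYN, SYN/ACK, ACK), the half-open SYN scan, and the Xmas and null probes above all differ only in the flag byte of the TCP header, which makes them easy to recognise on the wire. The following is an added example, not code from the book: it parses raw 20-byte TCP headers, classifies each segment by its flag combination, and flags a source that hits many distinct ports with the same probe type. The header builder and the sample records are constructed test data (RFC 5737 documentation addresses), and the threshold value is an assumption.

```python
import struct
from collections import defaultdict

# TCP flag bits as they appear in byte 13 of the TCP header (low six bits).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(header: bytes) -> int:
    """Return the six classic flag bits of a raw TCP header (>= 20 bytes)."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    return header[13] & 0x3F


def classify_probe(header: bytes) -> str:
    """Classify a segment by its flags.

    'null'  - no flags at all (null scan; open port stays silent, closed port sends RST)
    'xmas'  - FIN+PSH+URG set (Xmas tree scan; same open/closed behaviour as null)
    'syn'   - bare SYN (step one of the handshake, also what a SYN/stealth scan sends)
    'other' - everything else (SYN/ACK, ACK, RST, established traffic)
    """
    f = tcp_flags(header)
    if f == 0:
        return "null"
    if f & (FIN | PSH | URG) == (FIN | PSH | URG) and not f & (SYN | ACK | RST):
        return "xmas"
    if f == SYN:
        return "syn"
    return "other"


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Build a minimal 20-byte TCP header for constructed test data (no checksum)."""
    offset_and_flags = (5 << 12) | flags      # data offset = 5 words, flags in the low bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, 8192, 0, 0)


def detect_scans(records, port_threshold: int = 10) -> dict:
    """records: iterable of (src_ip, tcp_header_bytes).

    Returns {src_ip: {probe_type: distinct_port_count}} for every source that
    touched at least port_threshold distinct destination ports with one probe
    type. Normal clients send a bare SYN to only a handful of ports, so a high
    count of bare SYNs, and any count of null/xmas probes, is worth a look.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for src, hdr in records:
        kind = classify_probe(hdr)
        if kind == "other":
            continue
        dport = struct.unpack("!H", hdr[2:4])[0]
        seen[src][kind].add(dport)
    alerts = {}
    for src, kinds in seen.items():
        hits = {k: len(p) for k, p in kinds.items() if len(p) >= port_threshold}
        if hits:
            alerts[src] = hits
    return alerts


# Constructed sample traffic (assumed addresses from the RFC 5737 documentation ranges).
SAMPLE_RECORDS = (
    # Xmas tree probes against 15 ports from one source.
    [("203.0.113.5", build_tcp_header(40000 + p, p, FIN | PSH | URG)) for p in range(1, 16)]
    # Null probes against 20 ports from another source.
    + [("198.51.100.7", build_tcp_header(50000 + p, p, 0)) for p in range(1, 21)]
    # A normal client: SYN to 80 and 443, then ACKs on the established connection.
    + [("192.0.2.10", build_tcp_header(51000, 80, SYN)),
       ("192.0.2.10", build_tcp_header(51001, 443, SYN)),
       ("192.0.2.10", build_tcp_header(51001, 443, ACK, seq=1, ack=1)),
       ("192.0.2.10", build_tcp_header(51001, 443, PSH | ACK, seq=1, ack=1))]
)


def run_sample() -> dict:
    """Run the detector over the constructed sample and return its alerts."""
    return detect_scans(SAMPLE_RECORDS)


if __name__ == "__main__":
    for src, hits in run_sample().items():
        print(src, hits)
```

With the sample above only the two probing sources are reported; the client that opened two ordinary connections stays below the threshold.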
- Learning to utilize the NSE is critical to getting the most out of Nmap.
- The NSE and its scripts are prebuilt into Nmap.
- In order to invoke the NSE, we use the “--script” argument followed by the category or script name, and the target IP address.
- When conducting version scanning, Nmap sends probes to the open port in an attempt to determine specific information about the service that is listening.
- Slow scans are great for avoiding detection while fast scans can be helpful when you have a limited amount of time or large number of hosts to scan.
- Last, the “-O” switch can be useful for fingerprinting the operating system.
- While reviewing the Nmap output, you should take a few moments to attempt to log into any remote access services that were discovered in your port scan.
- Telnet and SSH are great remote services that you should always try to connect to.
- A vulnerability is a weakness in the software or system configuration that can often be exploited. Vulnerabilities can come in many different forms, but most often they are associated with missing patches.
- Remote code execution is definitely one of the holy grails of hacking.
- Remote code execution allows an attacker or penetration tester to fully and completely control the remote computer as if he/she were physically sitting in front of it.
- One of the key components of Nessus is the plug-ins. A plug-in is a small block of code that is sent to the target machine to check for a known vulnerability.
- Some plug-ins and checks are considered dangerous because they check for the vulnerability by attempting to actually exploit the system.
- The easiest way to practice port scanning is to set up two machines or use virtual machines.
- When a person is first learning about port scanning, one of the best ways to practice is to pick a subnet and hide an IP address in the network. After hiding the target in the subnet, the goal is to locate the target. Once the target has been located, the next step is to conduct a full port scan of the system.
- Your ultimate goal should be to write your own custom NSE scripts and extend the framework even further.
- Another great tool for you to learn is OpenVAS. OpenVAS is the open vulnerability assessment system.
- OpenVAS is very similar to Nessus and allows you to scan targets for vulnerabilities.
- In the simplest terms, exploitation is the process of gaining control over a system.
- More accurately defined, an exploit is a way to bypass a security flaw or circumvent security controls.
- Just to be clear, exploitation is the process of launching an exploit. An exploit is the realization, actualization, or weaponization of a vulnerability. Exploits are issues or bugs in the software code that give a hacker or attacker the ability to launch or execute a payload against the target system. A payload is a way to turn the target machine into a puppet and force it to do our will.
- Reconnaissance and scanning will help to bring order and direction to exploitation.
- The output from scanning should be used to help shape, focus, and direct your attacks.
- Online password crackers work by attempting to brute force their way into a system by trying an exhaustive list of passwords and/or user name combinations.
- Medusa is described as a parallel login brute forcer that attempts to gain access to remote authentication services.
- A password dictionary is a file that contains a list of potential passwords.
- There are also tools available that will build dictionary lists for you. Fortunately, the fine folks at Kali have already included a few word lists for us to use. You can find these dictionaries in the /usr/share/wordlists directory, which contains one of the most notorious password lists, called “RockYou” (taken from an extremely large data breach).
- If your reconnaissance efforts were rewarded with a list of usernames, you may want to start with those.
- Remember, the first part of an e-mail address can often be used to generate a working domain user name.
- An exploit framework is a formal structure for developing and launching exploits. Frameworks assist the development process by providing organization and guidelines for how the various pieces are assembled and interact with each other.
- The easiest way to access the msfconsole is by opening a terminal window and entering: msfconsole.
- It is vital that you keep Metasploit up-to-date. This is easily accomplished by entering the following command into a terminal: msfupdate.
- Vulnerabilities are the weaknesses that allow the attacker to exploit the systems and execute remote code (payloads) on the target. Payloads are the additional software or functionality that we run on the target system once the exploit has been successfully executed.
- Rather than blindly spraying exploits at a target, we need to find a way to match up known system vulnerabilities with the prepackaged exploits in Metasploit.
- Once we have started the msfconsole (and updated Metasploit), we can use the “search” command to locate any exploits related to our Nessus or Nmap findings.
- It is important to pay close attention to the exploit rank. This information provides details about how dependable the exploit is (how often the exploit is successful) as well as how likely the exploit is to cause instability or crashes on the target system.
- Because Metasploit is already running and we have already found our exploit, we continue by issuing the “use” command in the “msf>” terminal to select the desired exploit. This command tells Metasploit to use the exploit that your vulnerability scanner identified.
- Once we have the exploit loaded, we need to view the available payloads. This is accomplished by entering “show payloads” in the “msf>” terminal.
- To select one of the payloads, we type “set payload” followed by the payload name into the “msf>” terminal.
- Different payloads will require different additional options to be set. If you fail to set the required options for a given payload, your exploit will fail.
- To view the available options, issue the “show options” in the “msf>” terminal.
- To send your exploit to the target machine, simply type the keyword “exploit” into the “msf>” terminal and hit the Enter key to begin the process.
- Below you will find a cheat sheet of the steps required to run Metasploit against a target machine.
- Start Metasploit by opening a terminal and issue the following command: msf> msfconsole
- Use the “search” command to search for exploits that match your vulnerability scanning report: msf> search missing_patch_number (or CVE)
- Issue the “use” command to select the desired exploit: msf> use exploit_name_and_path_as_shown_in_2a
- Issue “show payloads” command to show available payloads: msf> show payloads
- Issue “set” command to select payload: msf> set payload path_to_payload
- Issue “show options” to view any options needing to be filled out before exploiting the target: msf> show options
- Issue the “set” command for any options listed: msf> set option_name desired_option_input
- Issue “exploit” command to launch exploit against target: msf> exploit
- Remember, one of the powers of Metasploit is the ability to mix and match exploits and payloads.
- In a “bind” payload, we are both sending the exploit and making a connection to the target from the attacking machine.
- In a “reverse” payload, the attacking machine sends the exploit but forces the target machine to connect back to the attacker. In this type of attack, rather than passively waiting for an incoming connection on a specified port or service, the target machine actively makes a connection back to the attacker.
- The Meta-Interpreter, or Meterpreter, is a payload available in Metasploit that gives a powerful command shell that can be used to interact with the target.
- Another big advantage of the Meterpreter is the fact that it runs entirely in memory and never utilizes the hard drive.
- It is very important to understand that the Meterpreter will run with the privileges associated with the program that was exploited.
- Another reason for using the Meterpreter over a traditional cmd or Linux shell stems from the fact that starting either of these on a target machine often starts a new process that can be detected by a keen user or wily administrator.
- Migrating the Meterpreter server to another process is important, in case the vulnerable service you attacked is shut down or stopped.
- Password cracking is certainly a useful way to escalate privileges and often allows us to gain administrative rights on a target machine.
- Never, never, never use the same password for your local machine administrator account as you do for your domain administrator account.
- If we can access the password hashes on a target machine, the chances are good that with enough time, JtR, a password-cracking tool, can discover the plaintext version of a password. Password hashes are the encrypted and scrambled version of a plaintext password.
- In its most basic form, password cracking consists of two parts:
- Locate and download the target system’s password hash file.
- Use a tool to convert the hashed (encrypted) passwords into a plaintext password.
- Most systems do not store your password as the plaintext value you enter, but rather they store an encrypted version of the password. This encrypted version is called a hash.
- By its definition, a hash, once encrypted, is never meant to be decrypted.
- Accessing the raw hashes on some Windows systems may require an extra step. Bkhive is a tool which allows you to extract the Syskey boot key from the system hive. It may be necessary to use bkhive to extract the system key in order to fully expose the password hashes.
- Originally Microsoft utilized a hashing algorithm called Lan Manager (or LM for short). LM hashes suffered from several key weaknesses that made password cracking a trivial task. First, when LM hashes are created, the entire password is converted to uppercase.
- To further compound this issue, every LM password is 14 characters in length. If a password is <14 characters, the missing letters are filled with null values. If a password is >14 characters, the password is truncated at 14 characters.
- The final nail in the coffin of LM passwords is the fact that all stored passwords, which are now 14 characters in length, actually get split in half and stored as two individual seven-character passwords. The length of a password is one source of its strength; unfortunately because of the LM design, the max password that needs to be cracked is seven characters.
- Fortunately, Microsoft addressed these issues and now uses a more secure algorithm called NTLM to create its password hashes.
- Old systems often put your entire network at risk.
- One advantage of using a password dictionary is that it is very efficient. The main disadvantage of this technique is that if the exact password is not in the dictionary, JtR will be unsuccessful. Another method for cracking passwords is to brute force letter combinations. Brute forcing letter combinations means that the password cracker will generate passwords in a sequential order until it has exhausted every possible combination.
- Below you will find a brief recap of the steps used to crack Windows passwords.
- Shutdown the target machine.
- Boot the target to Backtrack or an alternate OS via a live CD or USB drive.
- Mount the local hard drive.
- Use Samdump2 and extract the hashes.
- Use JtR to crack the passwords.
- With a Meterpreter session running on your target, simply enter the command “hashdump”. Meterpreter will bypass all the existing Windows security mechanisms and present you with a dump of the target user name and hashes.
- Linux systems do not use a SAM file to store the password hashes. Rather, the encrypted Linux password hashes are contained in a file called the “shadow” file which is located at /etc/shadow.
- The bad news is that only privileged users can access the /etc/shadow file.
- Linux also makes use of a redacted password list located at /etc/passwd. This list is typically readable by all users and we can utilize a special function included with JtR to combine the /etc/shadow and /etc/passwd lists. The output of this process is a single list which includes the original hashes.
- Unprivileged users can combine the /etc/passwd and /etc/shadow lists by using the “unshadow” command.
- Most modern Linux systems store their passwords using the secure hash algorithm (SHA), so be sure that your version of JtR is capable of cracking SHA hashes.
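As an added example (not JtR's own code), here is a minimal re-implementation of what `unshadow` does, merging the hash from /etc/shadow into the second field of /etc/passwd, followed by an audit that reads the `$id$` prefix of each hash to report which algorithm is in use. The passwd and shadow contents are constructed and the hash bodies are placeholders; only the algorithm identifiers are real.

```python
"""Added example (not from the book): merge passwd with shadow the way
JtR's `unshadow` does, then report the hash algorithm each account uses."""

# crypt(3) hash identifiers found at the start of the hash field.
ALGORITHMS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}


def unshadow(passwd_text: str, shadow_text: str) -> list[str]:
    """Replace the 'x' in passwd's second field with the hash from shadow."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def classify_hash(h: str) -> str:
    """Name the algorithm from the hash prefix, or the account state."""
    if h == "":
        return "empty (no password)"
    if h.startswith(("!", "*")):
        return "locked"
    if h.startswith("$"):
        ident = h.split("$")[1]
        return ALGORITHMS.get(ident, f"unknown (${ident}$)")
    return "descrypt (legacy 13-character DES)"


def audit(merged: list[str]) -> dict[str, str]:
    """Map each user in unshadow output to the classification of its hash."""
    report = {}
    for line in merged:
        user, h = line.split(":")[:2]
        report[user] = classify_hash(h)
    return report


# Constructed sample files; hash bodies are placeholders, not real digests.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:1002::/var/svc:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:$1$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    print(audit(unshadow(PASSWD, SHADOW)))
```

The `$6$` prefix is the SHA-512 crypt the text refers to; a defender running the same audit would look for leftover `$1$` (md5crypt) or prefix-less DES entries, which are the ones a cracker gets through fastest.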
- Password resetting is another technique that can be used to gain access to a system or to escalate privileges; however, this method is much less subtle than password cracking.
- Once you change the password, there will be no way to restore it.
- To perform password resetting, you will need to once again boot the target system to a Kali DVD or thumb drive.
- From here, you can run the “chntpw” command to reset the password.
- Sniffing is the process of capturing and viewing traffic as it is passed along the network.
- Network traffic sent without using encryption is often referred to as clear text because it is human readable and requires no deciphering.
- In promiscuous mode, all network traffic is passed onto the CPU for processing regardless of whether it was destined for the system or not.
- A hub works by simply sending all traffic it receives to all the devices connected to its physical ports.
- When you first plug a computer into a switch, the media access control (MAC) address of the computer’s NIC is registered with the switch. This information (the computer’s MAC address and the switch’s port number) is then used by the switch to intelligently route traffic for a specific machine to the specific port.
- It should be pointed out that the discrete routing property of a switch was originally designed to increase performance, not to increase security. As a result of this, any increase in security should be viewed as a by-product of the design rather than its original goal.
- In other words, in some instances, we can cause a switch to broadcast all traffic to all ports making it behave exactly like a hub.
- Most switches have a limited amount of memory that can be used to remember the table containing MAC addresses and corresponding port numbers. By exhausting this memory and loading the table with bogus MAC addresses, a switch will often become incapable of reading or accessing valid entries in the MAC-to-port table.
- The concept of fail open simply means that when the switch fails to properly and discreetly route traffic, it falls back to a hub-like state (open) that sends all traffic to all ports.
- Switches that fail closed operate in exactly the opposite manner of a fail open switch. Rather than broadcasting all traffic to all ports, fail closed switches simply stop routing traffic altogether.
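As an added example (not from the book), the following detection logic works the MAC-table exhaustion described above from the defender's side: it reads a switch's MAC-learning log and flags any port on which an implausible number of distinct source MAC addresses was learned within a short window, which is the signature a flood leaves. The log line format and the sample log are constructed for this example.

```python
"""Added example (not from the book): detect a MAC-table flood from a
switch's MAC-learning log. Log format: '<iso-timestamp> port=<if> mac=<mac>'
(constructed for this example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import random


def parse(line: str):
    ts, port, mac = line.split()
    return datetime.fromisoformat(ts), port.split("=", 1)[1], mac.split("=", 1)[1]


def detect_mac_flood(lines, window=timedelta(seconds=10), threshold=50):
    """Return {port: peak_distinct_macs} for ports where more than
    `threshold` distinct MACs were learned inside any `window`.
    A normal access port learns a handful of MACs at most."""
    recent = defaultdict(deque)   # port -> deque of (timestamp, mac)
    flagged = {}
    for line in lines:
        ts, port, mac = parse(line)
        q = recent[port]
        q.append((ts, mac))
        while q and ts - q[0][0] > window:   # drop entries older than window
            q.popleft()
        distinct = len({m for _, m in q})
        if distinct > threshold:
            flagged[port] = max(flagged.get(port, 0), distinct)
    return flagged


def build_sample_log(flood_port="Gi1/0/7", n_flood=500, seed=1):
    """Constructed log: one port receiving random MACs every 10 ms,
    plus a quiet port that learns a single address."""
    rng = random.Random(seed)
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(n_flood):
        ts = base + timedelta(milliseconds=10 * i)
        mac = ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
        lines.append(f"{ts.isoformat()} port={flood_port} mac={mac}")
    lines.append(f"{base.isoformat()} port=Gi1/0/2 mac=00:11:22:33:44:55")
    return lines


if __name__ == "__main__":
    print(detect_mac_flood(build_sample_log()))
```

The same counting logic applies to whatever a switch actually exports (syslog "MAC learned" messages, SNMP MAC-table polls); the threshold is the tunable, and port-security limits on the switch itself are the mitigation that makes the flood fail before the table fills.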
- Dsniff is an excellent collection of tools that provide many useful functions for sniffing network traffic.
- One of the dsniff tools written by Dug Song, called macof, provides us with the ability to flood a switch with thousands of random MAC addresses.
- One of the simplest, most powerful tools for sniffing network traffic is Wireshark.
- It is well worth the effort to take the time to review and master Wireshark filters.
- Armitage is built on Metasploit; but rather than requiring the penetration tester to dig for vulnerabilities and match exploits, Armitage includes functionality which can be used to automate the entire process.
- De-ICE CDs allow you to practice a series of penetration testing challenges following a realistic scenario. You can get your hands on these great CDs by downloading them at http://heorot.net.net/livecds/.
- Believe it or not, there is tremendous value and learning potential in banging your head against a seemingly insurmountable problem.
- You should take some time to review the password brute forcing tool Hydra.
- Along with your own personal password dictionary, you should begin building a list of default usernames and passwords for various network devices.
- A Rainbow table is a precomputed list of password hashes.
- Once you are comfortable with Wireshark, digging into dsniff is highly recommended.
- Once you have successfully studied and used Wireshark, dsniff, tcpdump, and Ettercap, you will be well on your way to mastering the basics of network sniffing.
- Initially, we all start out as a person who must rely on others to develop and release new exploit tools, but to become truly elite you will need to learn how to read, write, and create your own exploits.
- A good place to start learning about exploitation is by getting to know buffer overflows.
- Whenever possible, you should spend time learning a programming language like “C”. Once you are comfortable with C, you should focus on understanding at least the basics of Assembly Language.
- Social engineering is one of the easiest techniques that can be used for gaining access to an organization or individual computer; yet it can be one of the most challenging if you do not do your homework on your target and victims.
- SET is an extremely powerful tool aimed at targeting one of the weakest areas in any information security program: the users.
- Social engineering success often hinges on plausibility and credibility.
- By sending the traffic through a proxy, you can collect and analyze all your requests as well as the responses from the web application.
- The use of an intercepting proxy is the key as it allows you to edit the values of the variables before they reach the web application.
- It is also critical to understand that it is up to the waiting web application to figure out what to do with your malformed request.
- The easiest way to uncover all the files and pages on a website is to simply feed a uniform resource locator (URL) into a spider and turn the automated tool loose.
- After running a port scan and discovering a service running on port 80 or port 443, one of the first tools that should be used to evaluate the service is Nikto. Nikto is a web server vulnerability scanner.
- The second warning is that while surfing the Internet using a local proxy, all https traffic will show up as having an invalid certificate! This is an expected behavior because your proxy is sitting in the middle of your connection.
- As a side note, it is important that you always pay attention to invalid security certificates when browsing. At this point, certificates are your best defense and often your only warning against a man-in-the-middle attack.
- Viewing HTTP response and requests can also be useful for discovering username and password information. Just remember, the value in many of these fields will be Base64 encoded.
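To show what "Base64 encoded" means in practice, here is an added example (not from the book) that parses a constructed HTTP request of the kind an intercepting proxy would display and recovers the username and password from a Basic `Authorization` header. The point for a defender is that Base64 is an encoding, not encryption: anyone who can read the request can read the credentials, so Basic authentication is only as private as the TLS channel underneath it. The request and credentials are made up.

```python
"""Added example (not from the book): recover credentials from a Basic
Authorization header in a captured request (encoding, not encryption)."""
import base64
import binascii


def extract_basic_credentials(raw_request: str):
    """Return (username, password) from an 'Authorization: Basic' header,
    or None when the request carries no usable Basic header."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        # RFC 7617: the decoded value is user-id ":" password; the password
        # may itself contain colons, so split only on the first one.
        user, _, pwd = decoded.partition(":")
        return user, pwd
    return None


# Constructed request; the credentials are invented for the example.
SAMPLE_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Authorization: Basic " + base64.b64encode(b"ben:laptop:123").decode() + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(extract_basic_credentials(SAMPLE_REQUEST))
```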
- Most modern web applications rely on the use of interpreted programming languages and back-end databases to store information and generate dynamically driven content to the user.
- An interpreted language differs from a compiled language because the interpreted language generates machine code just before it is executed.
- Knowing that user input will often be used to build code that is executed on the target system, injection attacks focus on submitting, sending, and manipulating user-driven input.
- By adding the extra quote, Ben would close off the string containing the user-supplied word of ‘laptop’ and add some additional code to be executed by the SQL server, namely ‘or 1 = 1 --’.
- In most SQL versions, everything that follows the “--” is simply ignored by the interpreter.
- The key to understanding how to use SQL injections is to understand the subtleties in how the statements are constructed.
- Many web applications use SQL to perform authentication.
- As a result, in some instances, it is possible to simply enter a username followed by the “--” sequence. If interpreted correctly, this can cause the SQL statement to simply bypass or ignore the section of code that checks for a password and gives you access to the specified user. However, this technique will only work if you already know that username.
- If you do not know the username, you should begin by entering the following into the username textbox: ‘or 1 = 1 --’.
- Leaving the username parameter blank and using an expression that will always evaluate to true is a key way to attack a system when we are unsure of the usernames required to log into a database. Not entering a username will cause most databases to simply grab the first user in the database. In many instances, the first user account in a database is an administrative account.
- If you have a username, we need to attack the password field; here again we can enter the statement: ‘or’ 1 = 1 --.
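As an added example (not from the book), the login query the text describes is shown twice below: once built by pasting the submitted username and password into the statement text, and once with bound parameters. The database is an in-memory SQLite instance with constructed users, and the administrative account is deliberately the first row, which is the assumption behind the "first user in the database" observation above. The `‘or 1 = 1 --’` input from the text is what the test feeds to both versions.

```python
"""Added example (not from the book): a string-built login query beside a
parameterized one, run against a constructed SQLite users table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed data: admin is row 1, a normal user is row 2."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("ben", "laptop")],
    )
    return con


def login_vulnerable(con, username: str, password: str):
    """User input becomes part of the SQL text itself, so a quote and a
    '--' in the input change the statement's logic."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(con, username: str, password: str):
    """Placeholders keep the input as data: the quote and '--' are compared
    literally against the stored values and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' or 1 = 1 --", "anything"))    # admin
    print(login_parameterized(db, "' or 1 = 1 --", "anything")) # None
```

In the vulnerable version the statement becomes `... WHERE username = '' or 1 = 1 --' AND password = '...'`; the `or 1 = 1` makes the WHERE clause true for every row and the `--` discards the password check, exactly as the text explains. The parameterized version is the fix: the same input is compared as a 14-character string and matches nothing.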
- XSS is the process of injecting scripts into a web application.
- When we are only interested in providing proof that the system is vulnerable, we can use some basic JavaScript to test for the presence of XSS. Website input boxes are an excellent place to start. Rather than entering expected information into a textbox, a penetration tester should attempt to enter the script tag followed by a JavaScript “alert” directly into the field. The classic example of this is listed below: “”.
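As an added example (not from the book), the snippet below renders a user comment into a page two ways: the vulnerable way, which pastes the text straight into the HTML, and the encoded way, which applies HTML output encoding so the browser treats the text as data. The probe string is an assumption in the form the text describes (a script tag wrapping a JavaScript alert); the page markup is constructed.

```python
"""Added example (not from the book): a reflected input rendered without
and with HTML output encoding, plus the check a tester scripts to see
whether a script tag survived."""
import html

# Constructed probe of the kind the text describes: a script tag around alert.
XSS_PROBE = "<script>alert('xss')</script>"


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user text is concatenated into the markup unchanged."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    """Fixed: html.escape turns < > & " ' into entities, so the browser
    shows the probe as text instead of executing it."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def render_search_box_safe(previous_query: str) -> str:
    """Attribute context: quote=True is what stops a '\"' in the input from
    closing the value attribute and starting a new one."""
    return f'<input name="q" value="{html.escape(previous_query, quote=True)}">'


def contains_live_script(page: str) -> bool:
    """Crude proof-of-presence check: does a raw script tag survive?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_comment_unsafe(XSS_PROBE))
    print(render_comment_safe(XSS_PROBE))
```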
- The ability to intercept and change variables before they reach the website is one of the first places you should start with web hacking.
- One of the most beneficial aspects of finding all available pages by spidering is that we will have a larger attack surface to explore. The larger our attack surface is, the more likely an automated web vulnerability scanner can locate an exploitable issue.
- Fortunately, the fine folks at the OWASP organization have developed a vulnerable platform for learning and practicing web-based attacks. This project, called WebGoat, is an intentionally misconfigured and vulnerable web server.
- The OWASP Top Ten Project is an official list of the top web threats as defined by leading security researchers and top experts.
- Persistent reusable backdoors on systems are a malicious attacker’s best friend.
- A backdoor is a piece of software that resides on the target computer and allows the attacker to return (connect) to the machine at any time.
- It is important to understand that many exploits are fleeting. They work and provide access only as long as the program that was exploited remains running.
- Netcat is an incredibly simple and unbelievably flexible tool that allows communication and network traffic to flow from one machine to another.
- It is important to understand that once you kill or close the Netcat connection, you will need to restart the listener on the target machine before making another connection.
- If we upload Netcat to the target, we can use the program to transfer files to and from our target across a network.
- You may run across situations where both Nmap and Nessus are unable to discover the service behind the port. In these cases, it can be beneficial to use Netcat to make a blind connection to the port.
- If we start Netcat using the “-e” switch, it will execute whatever program we specify directly after the “-e”. The program will execute on the target machine and will only run once a connection has been established. The “-e” switch is incredibly powerful and very useful for setting up a backdoor shell on a target.
- Cryptcat utilizes twofish encryption to keep the traffic between the client and the server confidential.
- Rootkits are extremely stealthy.
- Hacker Defender is a full-fledged Windows rootkit that is relatively easy to understand and configure.
- It is important to understand that in order to configure and install a rootkit, administrative access is required. So the first step in avoiding rootkits is to de-privilege your users.
- There are very few legitimate reasons for allowing your users to run around with full admin rights.
- Monitoring outbound traffic can be vital in detecting rootkits and other malware.
- Another good tactic for detecting rootkits and backdoors is to regularly port scan your systems.
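As an added example (not from the book), here is the comparison a regular self-scan boils down to: take a baseline of what a host is expected to have listening, compare a fresh snapshot against it, and report any port that was not there before together with the process behind it. The lines mimic the shape of `ss -ltnp` output and are constructed, as is the new listener they contain; the same diff works on the output of an external port scan if the baseline is kept in the same form.

```python
"""Added example (not from the book): diff a baseline of listening sockets
against a fresh snapshot and report new listeners. Input lines are
constructed in the shape of `ss -ltnp` output."""
import re

SS_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$"
)
PROC_NAME = re.compile(r'\(\("(?P<name>[^"]+)"')


def parse_listeners(text: str) -> dict:
    """Return {port: process_name} for every LISTEN line in the snapshot."""
    out = {}
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header or non-listening line
        p = PROC_NAME.search(m.group("proc"))
        out[int(m.group("port"))] = p.group("name") if p else "?"
    return out


def new_listeners(baseline_text: str, current_text: str) -> dict:
    """Ports listening now that were absent from the baseline."""
    base = parse_listeners(baseline_text)
    cur = parse_listeners(current_text)
    return {port: proc for port, proc in cur.items() if port not in base}


# Constructed snapshots: the baseline has sshd and nginx; the current one
# additionally shows an nc process listening on an arbitrary high port.
BASELINE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1020,fd=6))
"""
CURRENT = BASELINE + """\
LISTEN 0      1      0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=3377,fd=3))
"""

if __name__ == "__main__":
    print(new_listeners(BASELINE, CURRENT))
```

A listener owned by `nc` is the footprint of the Netcat backdoor described above; the check is cheap enough to schedule, and the baseline doubles as documentation of what each host is supposed to expose.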
- If you learn only one Metasploit payload, it better be meterpreter.
- Below you will find a simplified methodology for conducting post exploitation with meterpreter.
- Exploit and drop meterpreter payload on the target.
- Use the “migrate” command to move meterpreter to a common process, which is always running and not well understood. Service host (svchost.exe) is a perfect example.
- Use the “kill” command to disable antivirus.
- Use the “shell” command to access a command prompt on the target machine and use the “netsh advfirewall firewall” command to make changes to the Windows firewall settings (allowing a connection or port through).
- With the AV disabled, use the “upload” command to upload a toolkit which includes a rootkit and several other tools we have discussed in this book (nmap, Metasploit, John the Ripper, Netcat, etc.).
- Install the rootkit with the “execute -f” command.
- If your rootkit does not include a backdoor, install Netcat as a persistent backdoor using the “execute -f” command.
- Modify registry using the “reg” command in order to ensure that Netcat is persistent.
- Dump the password hashes using the “hashdump” command and use John to crack passwords.
- Configure the rootkit .ini file to hide the uploaded files, backdoor, and newly opened ports using the “edit” command.
- Test the uploaded backdoor by making a new connection from the attacker machine to the target.
- Clear the event logs using the “clearev” command.
- Pillage or pivot to next target.
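As an added example (not from the book) and from the defender's side of the methodology above: Windows itself records the clearing of a log, with Event ID 1102 when the Security log is cleared and Event ID 104 when the System log is cleared, both from the Microsoft-Windows-Eventlog provider. Forwarding those events off-host before they can be wiped and alerting on them is the standard response to the last step listed. The event records below are constructed; the two event IDs and the provider name are real.

```python
"""Added example (not from the book): flag Windows log-cleared events in
a batch of forwarded event records (constructed sample data)."""
import json

# Real event IDs emitted by the Microsoft-Windows-Eventlog provider.
LOG_CLEARED_IDS = {1102: "Security log cleared", 104: "System log cleared"}
PROVIDER = "Microsoft-Windows-Eventlog"


def find_log_clears(records) -> list:
    """records: iterable of dicts with EventID, Provider, TimeCreated,
    Computer and (for 1102) SubjectUserName. Returns one finding per hit."""
    hits = []
    for r in records:
        eid = int(r.get("EventID", 0))
        if eid in LOG_CLEARED_IDS and r.get("Provider") == PROVIDER:
            hits.append({
                "time": r.get("TimeCreated"),
                "host": r.get("Computer"),
                "user": r.get("SubjectUserName", "?"),
                "what": LOG_CLEARED_IDS[eid],
            })
    return hits


# Constructed sample: one normal logon, then both kinds of log clear.
SAMPLE_EVENTS = json.loads("""[
 {"EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing",
  "TimeCreated": "2024-01-01T10:00:00Z", "Computer": "WS01"},
 {"EventID": 1102, "Provider": "Microsoft-Windows-Eventlog",
  "TimeCreated": "2024-01-01T10:05:00Z", "Computer": "WS01",
  "SubjectUserName": "jdoe"},
 {"EventID": 104, "Provider": "Microsoft-Windows-Eventlog",
  "TimeCreated": "2024-01-01T10:05:01Z", "Computer": "WS01"}
]""")

if __name__ == "__main__":
    for hit in find_log_clears(SAMPLE_EVENTS):
        print(hit)
```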
- Anytime malware is used or studied, there is a chance that the malware will escape or infect the host system.
- If you are interested in expanding your knowledge of rootkits, it is important to study and master the inner workings of modern operating systems.
- It is important to remember that in many cases, the better you do your job as a penetration tester, the less your client will actually notice or “feel” your work. As a result, the final report is often the only tangible evidence that a client will receive from the penetration tester and the penetration testing (PT) process.
- In reality, oftentimes your perceived efforts and success will be judged more on your report than your actual success or failure to compromise a network.
- At a minimum, a well-rounded and presented penetration testing report should include the following:
- An executive summary.
- A walkthrough of how the penetration test was performed to provide an understanding of how you successfully compromised or hacked the system(s).
- A detailed report.
- Raw output (when requested) and supporting information.
- The executive summary should be a very brief overview of your major findings.
- Always present critical findings first. This makes your penetration test easier to read and allows the client to take action on the most serious findings first.
- Anytime you discover a major finding or successfully complete an exploit, you should include a screenshot in the detailed report. This will serve as undeniable evidence and provide the reader with a visualization of your success.
- Whenever possible, when writing the penetration testing report, you need to include mitigations and suggestions for addressing the issues you discovered.
- If you are providing the raw output of your tools as part of the penetration testing report, findings in the detailed report should include links and references to specific pages in the raw output section.
- Remember a penetration testing report often contains very sensitive information about the organization. You must ensure the information contained in the report remains private.
- A much better way of encrypting a document is to use a tool like TrueCrypt to encrypt the documents.
- There is always a chance that the system can be hacked by some unknown technique or new zero-day flaw.
- Right or wrong, your reputation as a penetration tester will have a direct correlation to the quality of the reports that you put out.
- It is always a good idea to have a sample report in hand. Many prospective clients will ask for a sample report before making a final decision.
- Ultimately, good customer service is worth its weight in gold and will often repay you 10-fold.
20170302
"The Basics of Hacking and Penetration Testing" by Patrick Engebretson