2. WHOAMI
• Security Consultant (Penetration Tester) at Coalfire Labs
• Occasional blogger
• Car and firearm enthusiast
3. What is this talk about?
• Looking beyond the “High” findings
• Using XSS to do more than alert(1);
• Pivoting between networks
• Overview of some of my tools
4. Who is the target audience?
• People starting out in penetration testing
• People interested in penetration testing
5. SCANNING
Scenario:
• You run a Nessus scan
• No “High” or “Critical” findings
• No broadcast protocols
• What next?
6. Useful Findings:
• [INFO] HyperText Transfer Protocol (HTTP) Information
• [INFO] HTTP Server Type and Version
• [INFO] Service Detection
• [INFO] Additional DNS Hostnames
• [INFO] Host Fully Qualified Domain Name (FQDN) Resolution
• [MEDIUM] DNS Server Zone Transfer Information Disclosure (AXFR)
• All of this information can be found with nmap as well
7. VHOSTS
What are Vhosts?
• https://en.wikipedia.org/wiki/Virtual_hosting
• Multiple domain names on a single server
• Different names for different services
• HTTP has a “Host” request header
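To make the Host header mechanism concrete, here is an added illustration that is not part of the talk or its author's tooling: a minimal dispatcher that picks a virtual host the way a web server does, including the default (catch-all) vhost that answers when the name is unknown. The vhost table, hostnames, document roots and request bytes are constructed sample data.

```python
"""Virtual-host selection from the HTTP Host header.

Added illustration, not from the original talk. The vhost table and the
requests used below are constructed sample data.
"""

# Constructed sample vhost table: hostname -> document root.
VHOSTS = {
    "www.example.test": "/srv/www",
    "intranet.example.test": "/srv/intranet",
}

# What the server answers when Host matches nothing (or is missing). Real
# servers fall back to the first/default site; None models "refuse instead".
DEFAULT_VHOST = "www.example.test"


def normalise_host(host_header):
    """Lower-case the name, strip a trailing dot and an optional :port.

    IPv6 literals arrive bracketed, e.g. "[::1]:8080", so they are handled
    before the port is split off on ":".
    """
    host = (host_header or "").strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[1:end] if end != -1 else host
    host = host.split(":", 1)[0]
    return host.rstrip(".")


def select_vhost(host_header, vhosts=VHOSTS, default=DEFAULT_VHOST):
    """Return (vhost name, document root) for a Host header value.

    Unknown or empty names fall back to the default vhost; with default=None
    the caller is told there is no match at all.
    """
    name = normalise_host(host_header)
    if name in vhosts:
        return name, vhosts[name]
    if default is None:
        return None, None
    return default, vhosts[default]


def parse_request(raw):
    """Split a raw HTTP request head into (method, path, version, headers).

    Returns None if the request line is malformed. Header names are
    lower-cased so lookups are case-insensitive, as HTTP requires.
    """
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def route(raw, vhosts=VHOSTS, default=DEFAULT_VHOST):
    """Dispatch a raw request: returns (status, vhost name, document root).

    400 - malformed request or HTTP/1.1 without a Host header
    421 - no matching vhost and no default configured (Misdirected Request)
    200 - request would be served from the returned document root
    """
    parsed = parse_request(raw)
    if parsed is None:
        return 400, None, None
    _method, _path, version, headers = parsed
    host = headers.get("host")
    if version == "HTTP/1.1" and host is None:
        return 400, None, None
    name, root = select_vhost(host, vhosts, default)
    if name is None:
        return 421, None, None
    return 200, name, root


if __name__ == "__main__":
    # Constructed sample requests: the same server reached by name and by IP.
    by_name = b"GET / HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"
    by_ip = b"GET / HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"
    print(route(by_name))                 # served from /srv/intranet
    print(route(by_ip))                   # falls back to the default vhost
    print(route(by_ip, default=None))     # 421 when no default is configured
```

The point for a defender is the fallback path: a client that connects by IP address, or with a guessed name, is shown whatever the default vhost is, so a site that was never published in DNS is still reachable if it happens to be the default. Setting the default to an empty placeholder site, or refusing unmatched names as in the `default=None` case, means a visitor has to already know the hostname, which is exactly why "Additional DNS Hostnames" and zone-transfer findings matter.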
26. Hopping networks
• Some devices may have more than one network interface
• You can use them to pivot into previously inaccessible networks
• Metasploit has a way to make this easy
33. SOCKS Proxy: another way to pivot
• use auxiliary/server/socks4a
• verify with netstat
• edit /etc/proxychains.conf
34. Hwacha
• Linux/MacOS mass exploitation tool
• execute shellcode in memory
• harvest history files, private keys
• dump credentials from memory with mimipenguin
35. Using Hwacha with Proxychains
• Hwacha is a lateral movement tool
• Can deploy shellcode in memory
• Can be tunneled through a SOCKS proxy with proxychains
36. We have a Shell!
• Meterpreter x64 Linux
• Never touched disk
37. QUESTIONS?
• Here’s what we covered:
• Finding additional attack surface through VHOSTS
• Using XSS to compromise a WordPress Admin
• Using Yertle to upload a WordPress backdoor
• Cracking WordPress Hashes
• Pivoting from one network to another
• Testing for credential re-use