2. JP’s Intro
• BS IT, RIT 2005; MS Computer Security and Information
Assurance, RIT 2008; CISSP; MCSE, CSSA. JP has six years’
experience in computer networking, system administration,
and information security. During the day JP is responsible for
Network and Security Management for a medium-size global
company based in the US. JP is also adjunct faculty at
Rochester Institute of Technology where he teaches
Networking and Security undergraduate classes. JP also
performs pen testing and security audits for local companies
in Rochester, NY.
• You can find me on Twitter at http://www.twitter.com/punkrokk and on my blog: http://syncurity.net.
3. meterpreter> getuid
Rob Fuller – Security Consultant
• Rob “mubix” Fuller joined Rapid7 in 2010 as a Security Consultant. Rob
has 10 years of Information Security and IT experience. Prior to joining
Rapid7 he worked at Applied Security as a Network Attack Operator, a
Penetration Tester for the Pentagon, a Senior Incident Response Analyst
for the Senate and multiple Information Security Positions in the United
States Marine Corps. During his 8 years of service in the United States
Marine Corps he was a team lead for the Marine Corps’ Computer
Emergency Response Team (MARCERT) and became the first Security
Test Engineer for the Marine Corps’ R&D section. He has extensive
experience in full scope penetration testing, web application
assessments, wireless security, incident response, and related
development. Rob has spoken at the US Naval Academy, DojoCon, and
RSS and holds a CEH, OSCP, and Security+.
9. Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting
10. Questions
• ANY AND ALL TIMES, THERE WILL BE
NO Q&A AT THE END
• but we will be open to questions after the
class physically or digitally
11. but first...
• Select a target:
• <insert company name here>
• Everything we will be doing with these selected targets will be in the
open-source info-gathering sense. No malicious traffic will be used against
these targets as part of any lab or instructor-led exercise.
12. Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting
14. DNS
• Zones
• The round trip ride.
• Record Types (+200)
• Wildcards
• Caching / Cache poisoning
• Zone Transfers (kicking it like it’s 1995)
• Brute forcing records
15. DNS Digging Deeper
• Recursion
• Authoritative Servers
• Non-Authoritative Servers
• DNS TTL
• (only matters on target DNS server)
16. Non-’A’ Records
• SOA Records
• NS Records
• PTR Records
• MX Records
• SRV Records
• TXT Records
17. Zone Transfer Commands
• dig
  • dig -t AXFR domain.com @ns2.domain.com +short
• host -l
• nslookup
  • ls -d
• dnscmd (a part of the support tools)
  • dnscmd /EnumZones
  • dnscmd /ZonePrint (newer versions of binary)
  • dnscmd /EnumRecords domain.com @ (older versions)
18. DNS Brute Force Tools
• DNSEnum
• Metasploit Module
• Yeti
• Fierce
• Google
• Bing
• FOCA
19. LAB TIME
• Zone transfers....
• Brute force CompanyX’s records
20. SMTP
• Clear-text protocol
• How email has been working since 1982
• VERBS
• Display Names
• Unforgiving nature (used by machines)
21. SMTP Verbs
• MAIL FROM:
• RCPT TO:
• VRFY
• HELO/EHLO
• DATA
  • From:
  • To:
  • Cc:
  • Date:
  • Subject:
  • (body)
  • .
• QUIT
22. Telnet Email FTW
S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, I am glad to meet you
C: MAIL FROM:<bob@example.org>
S: 250 Ok
C: RCPT TO:<alice@example.com>
S: 250 Ok
C: RCPT TO:<theboss@example.com>
S: 250 Ok
23. Telnet Email FTW (contd)
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <bob@example.org>
C: To: "Alice Example" <alice@example.com>
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 header fields and 4 lines in the message body.
C: Your friend,
C: Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
24. LAB TIME
1. Send a spoofed email to your buddy
2. Try to send an email with a link
3. Try to send an email with a spoofed display name
25. SSH
• Tunneling traffic with PuTTY
• Tunneling traffic with OpenSSH
• Master-mode (Man-On-Your-Back) MOYB
• No shell tunneling
• MITM
28. Examples
ssh -f -N punkrokk@myhomeserver.com -L 2000:myhomeserver.com:25
(localport:host:remote-port) forwards local port 2000 to home port 25
(-N is needed alongside -f when no remote command is given, otherwise ssh refuses to background)
-- Why is this interesting?

ssh -f -L 3000:talk.google.com:5522 myhomesshserver.net -N
29. SSH MOYB
• Enable ‘Master Mode’ in config
Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
• Wait for someone to connect somewhere...
31. LAB TIME
• Tunnel (MySQL) port 3306 through a
nologin account on Metasploitable to the
Windows 2k8 box
32. HTTP
• VERBS
• Headers
• Response Codes
• 1.0 vs 1.1
• DoS Attacks (Slowloris, Strawman)
• Ajax, Flash, SOAP, Django, SSL, ...
  • also known as: let’s pile more state on a stateless protocol!
34. HTTP Response Codes
• 100s
  • You need to wait for some stuff
• 200s
  • Stuff is there
• 300s
  • Stuff Moved
• 400s
  • Stuff isn’t there or you aren’t allowed to see it
• 500s
  • Stuff went wrong
35. 1.0 vs 1.1
• OPTIONS verb
• 100 - Continue response code (not cool)
• Compression
• Persistent Connections (very cool)
• Requires the ‘Host:’ header (not cool)
• Supports these crazy things called ‘cookies’
36. Webdav Trick
• Name a file mysecretwebshell.aspx;.txt
• IIS will reference it as an ASPX page
• WebDAV thinks it’s just a text file
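As an added example (not code from the deck), a Python model of the mismatch the slide describes: the extension an upload filter sees versus the one IIS 6 acts on, a detection pass over a file listing, and a hardened name check that closes the gap. The allow-list and all function names are assumptions.

```python
import os
import re

# Assumed allow-list for an upload handler (constructed for this example).
ALLOWED_EXTENSIONS = {"txt", "jpg", "png", "pdf"}

def naive_extension(filename):
    """What a typical allow-list check looks at: the text after the last dot."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def iis6_effective_extension(filename):
    """Model of the behaviour on the slide: IIS 6 stops reading the name at the
    first ';', so the script mapping only sees the part before it."""
    return naive_extension(filename.split(";", 1)[0])

def flag_suspicious(names):
    """Detection: names whose stored extension and executed extension disagree.
    Run it over an upload directory listing or the file names in WebDAV PUT logs."""
    return [n for n in names if naive_extension(n) != iis6_effective_extension(n)]

def is_safe_upload_name(filename):
    """Hardened check: a bare file name of safe characters (no ';', '/', spaces)
    in which every extension segment is on the allow-list, so 'x.aspx;.txt'
    and 'x.aspx.txt' are both refused."""
    base = os.path.basename(filename)
    if base != filename or not re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+", base):
        return False
    return all(seg in ALLOWED_EXTENSIONS for seg in base.lower().split(".")[1:])
```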
37. LAB TIME
• Go to your company’s website
• What server type is it?
  • Apache, Webrick, IIS, pySockets, etc...
• What server side code does it run?
  • ASP{X}, Python, Ruby on Rails, PHP, etc..
• Do you think it has a DB backend? Why?
38. RDP
• RDP Bruteforcing
  • TSGrinder (old school)
  • ncrack (new school)
• RDP MITM
  • Cain & Abel still rules
• RDP Hashdump
  • Cain & Abel
39. NO LAB
• Difficult to duplicate much less set up for a
lab such as this, but definitely take
everything you’ve learned here home and
try it out
40. Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting
42. Social Networking Rocks
• Twitter.com
• This is the ONLY service that emails you that someone
wants to add you even if they just import your contact info.
• Twitterpeeps.com [Fix link]
• Facebook.com
• “Everything should be public” -- Zuckerberg
• LinkedIn.com
• Their API is much more open than their site. Think evil.
• You probably know all these but they can be horribly twisted
43. LAB TIME
• Start to fill out data on your company, use
social networks to find as much
information about the target as possible.
44. Metadata
• Documents
  • Usernames
  • IP addresses
  • Hostnames
  • Domains
• Images
  • Usernames
  • Locations
• Email Headers (Have you ever looked at them?)
• FOCA Free/Pro (King of Metadata)
• EVERYTHING ;-)
45. LAB TIME
• Open your SPAM folder, and open the
email’s header information.
• What can you tell about the sender?
• What can you tell about the organization/
infrastructure supporting the sender?
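The telnet session in slides 22-23 shows that the envelope sender (MAIL FROM) and the From: header, display name included, are set independently, and the lab above asks what the headers reveal about the sender and the relays behind it. This added Python example (not from the deck) reads a constructed message and reports envelope/header mismatches, a display name dressed up as an address, and the first relay hop; SAMPLE and all function names are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the slides). Return-Path is what the receiving
# MTA recorded from the envelope MAIL FROM; From: is whatever was typed after DATA.
SAMPLE = """Return-Path: <bounce@mail-marketing.example.net>
Received: from mx.example.com (mx.example.com [192.0.2.10])
    by inbox.example.com with ESMTP id 12345; Tue, 15 Jan 2008 16:02:43 -0500
Received: from relay.example.org (unknown [198.51.100.7])
    by mx.example.com with SMTP; Tue, 15 Jan 2008 16:02:40 -0500
From: "alice@example.com" <bob@example.org>
To: alice@example.com
Subject: Test message

Hello Alice.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.I)
IP_RE = re.compile(r"\[([0-9.]+)\]")

def received_hops(msg):
    """(claimed_host, ip, reverse_dns_failed) per Received: header, oldest first.
    Each MTA prepends its own Received: line, so the bottom one is the first hop."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            ip = IP_RE.search(m.group(2))
            hops.append((m.group(1), ip.group(1) if ip else "", m.group(2).startswith("unknown")))
    return hops[::-1]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def sender_checks(raw):
    """Compare envelope sender, header From: and display name; locate the first hop."""
    msg = message_from_string(raw)
    display, header_from = parseaddr(msg.get("From", ""))
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1]
    hops = received_hops(msg)
    return {
        "envelope_from": envelope_from,
        "header_from": header_from,
        "envelope_domain_mismatch": domain(envelope_from) != domain(header_from),
        # classic display-name spoof: the name the reader sees looks like an address
        "display_name_looks_like_address": "@" in display and domain(display) != domain(header_from),
        "first_hop": hops[0] if hops else None,
    }
```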
46. Clouds Rain Info
• Digital Cloud
  • clez.net
  • serversniff.net
  • centralops.net
  • whois.sc/[IP/Domain]
  • Arin.net’s REST documentation
  • magic-net.info
• OldSchool Clouds - ANALOG
  • DMV (Tell them you are looking up a lost title)
  • Intelius (Digital data about Analog targets)
  • Call HR
(Remember you are targeting a physical object, not just a digital one)
47. LAB TIME
• Find as much information as you can on
your company. How many emails can you
harvest on them?
48. nmap
• What flags do you normally use?
  • [Book Image Here]
• Do you even scan for UDP?
  • You’d be surprised what odd things listen on 161 on the internet.
• Can you name all 1024 ‘ephemeral’ ports? How about just the top 100?
• NSE Scripts (know them, use them)
49. LAB TIME
• nmap [TARGET]
• What do you see?
• What ports are open?
• What services are running?
• What possible vulns are there?
50. Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting
51. Vuln Hunting
#1 Question I get is:
‘How do you know a system is vulnerable?’

Honest truth is that every pentester uses experience and educated guesses.
They call us ‘testers’ for a reason.
53. Web App Vuln Hunting
• Use the check list...
• [Web Application Hackers Checklist]
• Brute Forcing is now a portion of Information Gathering. Use
every scanner possible. None of them do a perfect job, though,
so kick off a half dozen scanners then start doing your manual
testing.
• Remember, people bookmark things
• [Demo Delicious Enum module]
• The wayback machine is a great source of URLs
• [Demo Wayback Enum module]
54. LAB TIME
• See if you can determine any possible lines of attack
simply by browsing your target company’s web site.
  • Is there an id=12?
  • What about a funny looking cookie or HTTP header?
  • How about a login form or registration page?
• Every Sci-Fi/Fantasy book I have ever read with a
Wizard in it describes them as crotchety but highly, if
not overly, observant
55. Network Services
• Running NeXpose, Nessus, other vuln scanners during a pentest is for people
who are under a time constraint. Skilled attackers will only do this if they
aren’t worried about getting caught or blocked.
• nmap nse vuln checks, if you want to get caught...
• DON’T USE NMAP, do version checks and make an educated guess.
• IF YOU AREN’T 80% SURE YOUR EXPLOIT WILL WORK, DON’T THROW IT. YOU HAVE
FAILED YOUR INTEL GATHERING PHASE
• Find out what information you have about the service. Determine the possible
vulnerabilities, gather more information. Rinse, repeat.
56. LAB TIME
• Tell me if [TARGET IP] is vulnerable to anything. Yes, you can use prior knowledge.
Vuln Hunting is all about experience.
57. People
• Think about where you work. Who is the ‘speaker phone’ for
your section/business unit/office/department/company.
• Now how would you go about getting that particular person’s
work number or email?
• This person would know it... How do I get their number?
And so on...
• Do you send non-phishing emails in pentests?
• Why not?
• Do you make non-SE phone calls in pentests?
• Why not?
58. LAB TIME
• Call the CEO of your target company and
complain about their car hitting yours.
JUST KIDDING!!!
59. Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting
61. Payloads
• Metasploit Payloads
• Singles - Fully functional, self contained payloads. For
example ‘add_user’
• Staged - Uses tiny ‘stager’ shellcode in the exploit that
connects over the network to the attacker in order
to download the rest of the payload’s functional code
• Shellcode from the net
• Put your big boy pants on, because it might be
backdoored, trojaned or otherwise evil.
62. Payload selection
• Does your target have egress filtering?
• Do they have Windows systems or Macs?
• Do they have protocol inspection?
• Do they have Java installed?
63. LAB TIME
• What payloads exist in the Metasploit
Framework?
• Which payload are you going to use?
• WHY!!!?
64. Targeting
• ‘show targets’ in Metasploit is an important
step in the process
• if you’re at this point and you still aren’t sure,
go gather more information.
65. Agenda
• Networking for Pentesters
• Information Operations
• Vuln Hunting
• Exploitation
• Persistence
• Pivoting