Tactical Exploitation: The other way to pentest

This presentation covers an assortment of penetration testing techniques and was originally presented at Black Hat USA in 2007. It was co-presented by HD Moore and valsmith.

A whitepaper is available at https://www.defcon.org/images/defcon-15/dc15-presentations/Moore_and_Valsmith/Whitepaper/dc-15-moore_and_valsmith-WP.pdf.

A video of the presentation is available at https://www.youtube.com/watch?v=DPwY5FylZfQ

HD Moore

July 25, 2007

Transcript

  1. Tactical Exploitation
     Las Vegas – August 2007
     “the other way to pen-test”
     hdm / valsmith

  2. who are we?
     • H D Moore <hdm [at] metasploit.com>, BreakingPoint Systems || Metasploit
     • Valsmith <valsmith [at] metasploit.com>, Offensive Computing || Metasploit

  3. why listen?
     • A different approach to pwning
     • New tools, fun techniques
     • Real-world tested :-)

  4. what do we cover?
     • Target profiling
     • Discovery tools and techniques
     • Exploitation
     • Getting you remote access

  5. the tactical approach
     • Vulnerabilities are transient
     • Target the applications
     • Target the processes
     • Target the people
     • Target the trusts
     • You WILL gain access.

  6. the tactical approach
     • Crackers are opportunists
     • Expand the scope of your tests
     • Everything is fair game
     • What you don't test...
     • Someone else will!

  7. the tactical approach
     • Hacking is not about exploits
     • The target is the data, not r00t
     • Hacking is using what you have
     • Passwords, trust relationships
     • Service hijacking, auth tickets

  8. personnel discovery
     • Security is a people problem
     • People write your software
     • People secure your network
     • Identify the meatware first

  9. personnel discovery
     • Identifying the meatware
     • Google
     • Newsgroups
     • SensePost tools
     • www.Paterva.com

  10. personnel discovery
     • These tools give us
     • Full names, usernames, email
     • Employment history
     • Phone numbers
     • Personal sites

  12. personnel discovery
     • Started with just a name and title
     • Found online personnel directory
     • Found people / email addresses
     • Email name = username = target

  14. network discovery
     • Identify your target assets
     • Find unknown networks
     • Find third-party hosts
     • Dozens of great tools...
     • Let's stick to the less-known ones

  15. network discovery
     • The overused old busted
     • Whois, Google, zone transfers
     • Reverse DNS lookups

  16. network discovery
     • The shiny new hotness
     • Other people's services
     • CentralOps.net, DigitalPoint.com
     • DomainTools.com, Paterva.com
     • RevHosts PIG/VHH modules: http://revhosts.net/

  17. network discovery
     • What does this get us?
     • Proxied DNS probes, transfers
     • List of virtual hosts for each IP
     • Port scans, traceroutes, etc
     • Gold mine of related info

  18. network discovery
     • Active discovery techniques
     • Trigger SMTP bounces
     • Brute force HTTP vhosts
     • Watch outbound DNS
     • Just email the users!

  21. firewalls and ips
     • Firewalls have gotten snobby
     • Content filtering is now common
     • Intrusion prevention is annoying
     • Identify and fingerprint
     • Increase your stealthiness
     • Customize your exploits

  22. firewalls and ips
     • Firewall identification
     • NAT device source port ranges
     • Handling of interesting TCP
     • IPS identification
     • Use “drop with no alert” sigs
     • Traverse sig tree to find vendor

  25. application discovery
     • If the network is the toast...
     • Applications are the butter.
     • Each app is an entry point
     • Finding these apps is the trick

  26. application discovery
     • Tons of great tools
     • Nmap, Amap, Nikto, Nessus
     • Commercial tools

  27. application discovery
     • Slow and steady wins the deface
     • Scan for specific port, one port only
     • IDS/IPS can't handle slow scans
     • Ex. nmap -sS -P0 -T 0 -p 1433 ips

  28. application discovery
     • Example target had custom IDS to detect large # of host connections
     • Standard nmap lit up IDS like XMAS
     • One port slow scan never detected
     • Know OS based on 1 port (139/22)
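Slides 27 and 28 make a detection point as much as a scanning one: an IDS that counts connections per source inside a short window never trips on a single-port scan paced hours apart. The following is an added example, written for this page and not a tool from the talk or from Metasploit, of the detector a defender would want instead: it tracks the number of distinct destinations each source reaches on each port inside a long sliding window, so the slow scan shows up as soon as the distinct-host count crosses a threshold. The log line format and all addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the talk): one source probes port 1433 on
# six hosts spread across a day, mixed with ordinary traffic from other hosts.
SAMPLE_LOG = """\
2007-08-01T01:00:00 src=10.9.9.9 dst=10.1.0.10 dport=1433 flags=S
2007-08-01T01:05:00 src=10.1.0.50 dst=10.1.0.10 dport=445 flags=S
2007-08-01T04:30:00 src=10.9.9.9 dst=10.1.0.11 dport=1433 flags=S
2007-08-01T08:10:00 src=10.9.9.9 dst=10.1.0.12 dport=1433 flags=S
2007-08-01T09:00:00 src=10.1.0.51 dst=10.1.0.12 dport=80 flags=S
2007-08-01T12:45:00 src=10.9.9.9 dst=10.1.0.13 dport=1433 flags=S
2007-08-01T17:20:00 src=10.9.9.9 dst=10.1.0.14 dport=1433 flags=S
2007-08-01T22:05:00 src=10.9.9.9 dst=10.1.0.15 dport=1433 flags=S
"""

# Assumed log layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_events(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    events.sort()
    return events


def flag_scanners(events, window_seconds, min_hosts):
    """Return {(src, dport): peak} for every source that reached at least
    min_hosts distinct destinations on one port inside any window_seconds span.
    A window of minutes is what the slide's custom IDS effectively used and it
    misses the slow scan; a window of a day catches it with the same threshold."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for ts, src, dst, dport in events:
        by_key[(src, dport)].append((ts, dst))
    flagged = {}
    for key, hits in by_key.items():
        in_window = Counter()  # distinct destinations currently inside the window
        left = 0
        peak = 0
        for ts, dst in hits:
            in_window[dst] += 1
            # evict hits that fell out of the window (hits are time-ordered)
            while hits[left][0] < ts - window:
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("5-minute window, 5 hosts:", flag_scanners(ev, 300, 5))
    print("24-hour window, 5 hosts:", flag_scanners(ev, 86400, 5))
```

The cost of the long window is state: the detector has to remember a day of (source, port, destination) tuples rather than a few minutes, which is exactly the trade-off the custom IDS on slide 28 made the other way.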

  29. application discovery
     • Some new tools
     • W3AF for locating web apps
     • Metasploit 3 includes scanners

  32. client app discovery
     • Client applications are fun!
     • Almost always exploitable
     • Easy to fingerprint remotely
     • Your last-chance entrance

  33. client app discovery
     • Common probe methods
     • Mail links to the targets
     • Review exposed web logs
     • Send MDNs to specific victims
     • Abuse all, everyone, team aliases

  34. client app discovery
     • Existing tools
     • BEEF for browser fun
     • Not much else...

  35. client app discovery
     • Shiny new tools
     • Metasploit 3 SMTP / HTTP
     • Metasploit 3 SMB services

  38. process discovery
     • Track what your target does
     • Activity via IP ID counters
     • Last-modified headers
     • FTP server statistics

  39. process discovery
     • Look for patterns of activity
     • Large IP ID increments at night
     • FTP stats at certain times
     • Web pages being uploaded

  40. process discovery
     • Existing tools?
     • None :-(
     • New tools
     • Metasploit 3 profiling modules
     • More on exploiting this later...

  43. 15 Minute Break
     • Come back for the exploits!

  44. re-introduction
     • In our last session...
     • Discovery techniques and tools
     • In this session...
     • Compromising systems!

  45. external network
     • The crunchy candy shell
     • Exposed hosts and services
     • VPN and proxy services
     • Client-initiated sessions

  46. attacking file transfers
     • FTP transfers
     • Active FTP source ports
     • Passive FTP servers
     • NFS transfers
     • TFTP transfers

  47. attacking mail services
     • Four different attack points
     • The mail relay servers
     • The antivirus gateways
     • The real mail server
     • The user's mail client
     • File name clobbering...

  48. attacking web servers
     • Brute force files and directories
     • Brute force virtual hosts
     • Standard application flaws
     • Load balancer fun...
     • Clueless users' cgi-bins are often the Achilles heel

  49. attacking dns servers
     • Brute force host name entries
     • Brute force internal hosts
     • XID sequence analysis
     • Return extra answers...

  50. attacking db servers
     • Well-known user/pass combos
     • Business apps hardcode auth
     • Features available to anonymous
     • No-patch bugs (DB2, Ingres, etc)

  51. authentication relays
     • SMB/CIFS clients are fun!
     • Steal hashes, redirect, MITM
     • Remote shell, no vuln needed
     • NTLM relay between protocols
     • SMB/HTTP/SMTP/POP3/IMAP

  52. social engineering
     • Give away free toys
     • CDROMs, USB keys, N800s
     • Replace UPS with OpenWRT
     • Cheap and easy to make

  53. internal network
     • The soft chewy center
     • This is the fun part :)
     • Easy to trick clients

  54. file services
     • SMB is awesome
     • Look for AFP exports of SMB data
     • NAS storage devices
     • Rarely, if ever, patch Samba :-)

  55. file services
     • NFS is your friend
     • Don't forget its easy cousin NIS
     • Scan for port 111 / 2049
     • showmount -e / showmount -a
     • What's exported, who's mounting?

  56. file services
     • Exported NFS home directories
     • Important target!
     • If you get control
     • Own every node that mounts it

  57. file services
     • If you are root on home server
     • Become anyone (NIS/su)
     • Harvest known_hosts files
     • Harvest allowed_keys
     • Modify .login, etc. + insert trojans

  58. file services
     • Software distro servers are fun!
     • All nodes access over NFS
     • Write to software distro directories
     • Trojan every node at once
     • No exploits needed!
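Everything on slides 55 to 58 hinges on what the NFS server exports and to whom: a home or software-distribution tree that any client can write, or that lets a remote root keep uid 0, is what turns one server into every node that mounts it. The block below is an added example for this page, not a tool from the talk, showing the audit a defender would run over /etc/exports before an attacker runs showmount: it parses the exports(5) syntax and flags world-accessible entries, no_root_squash, and insecure. It also catches the classic mistake of a space between the host and its options, which exports(5) treats as "host with defaults, then everyone with those options". The sample file and host names are constructed.

```python
import re

# Constructed sample /etc/exports (not from the talk). Comments are part of
# the real file syntax and are stripped before parsing.
SAMPLE_EXPORTS = """\
# home directories, mounted by every workstation
/home           10.1.0.0/24(rw,sync)
# software distribution tree: read-only for all, writable for the build host
/export/sw      *(ro) build.example.test(rw,no_root_squash)
# stray space before the options: rw goes to everyone, the subnet gets defaults
/export/backup  10.1.0.0/24 (rw)
/export/scratch *(rw,insecure)
"""

# One client entry: optional host part, optional "(opt,opt)" part.
ENTRY_RE = re.compile(r"(?P<host>[^\s(]*)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """Return (path, host, options) for every client entry in an exports file.
    A bare "(opts)" token has no host and applies to every client, which is how
    exports(5) treats "host (opts)" with a space in between. Options that are
    not listed take their defaults: ro, root_squash, secure."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = ENTRY_RE.fullmatch(token)
            if m is None:
                continue
            opts = {o.strip() for o in (m["opts"] or "").split(",") if o.strip()}
            entries.append((path, m["host"] or "*", opts))
    return entries


def audit_exports(text):
    """Return (path, host, reason) findings for entries that hand a remote
    client more than a home or distribution tree should ever give away."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host == "*":
            access = "writable" if "rw" in opts else "readable"
            findings.append((path, host, f"{access} by any client"))
        if "no_root_squash" in opts:
            findings.append((path, host, "remote root is not squashed"))
        if "insecure" in opts:
            findings.append((path, host, "requests from unprivileged ports accepted"))
    return findings


if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:16} {host:20} {reason}")
```

Run against the real file the findings map directly onto the slides: a writable world export of the software tree is slide 58's "trojan every node at once", and no_root_squash on a home export is what makes slide 57's "become anyone" possible for a client that already has root.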

  60. netbios services
     • NetBIOS names are magic
     • WPAD
     • CALICENSE

  61. dns services
     • Microsoft DNS + DHCP = fun
     • Inject host names into DNS
     • Hijack the entire network
     • dhcpcd -h WPAD -i eth0

  62. wins services
     • Advertise your WINS service
     • Control name lookups
     • Attack other client apps
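Slides 60 to 62 rest on two things: clients that trust whatever answers a lookup for a magic name such as WPAD, and a DHCP server that lets any client register the host name it asked for in DNS. The following added example, written for this page and not part of the talk, is the review a defender would run over dynamic DNS registration events: it flags reserved names registered by an ordinary client, registrations that would shadow an administrator-owned static record, and a single client claiming several names. The event format, the inventory and all addresses are constructed for the example (the layout is an assumption, not any product's real log format).

```python
import re
from collections import defaultdict

# Constructed sample of dynamic DNS registration events. The format is an
# assumption made for this example, not a real server's log layout.
SAMPLE_UPDATES = """\
2007-08-01T09:00:01 zone=corp.example.test name=ws-0412 type=A data=10.1.0.41 client=10.1.0.41 via=dhcp
2007-08-01T09:00:05 zone=corp.example.test name=WPAD type=A data=10.1.0.99 client=10.1.0.99 via=dhcp
2007-08-01T09:01:10 zone=corp.example.test name=fileserver type=A data=10.1.0.99 client=10.1.0.99 via=dhcp
2007-08-01T09:02:00 zone=corp.example.test name=ws-0413 type=A data=10.1.0.42 client=10.1.0.42 via=dhcp
2007-08-01T09:03:00 zone=corp.example.test name=isatap type=A data=10.1.0.99 client=10.1.0.99 via=dhcp
"""

# Names that clients resolve and trust without being told to; they must only
# ever be static, administrator-owned records (or blocked outright).
RESERVED_NAMES = {"wpad", "isatap"}

# Constructed static inventory: name -> address an administrator assigned.
STATIC_RECORDS = {"fileserver": "10.1.0.5", "dc1": "10.1.0.2"}

UPDATE_RE = re.compile(
    r"^(?P<ts>\S+) zone=(?P<zone>\S+) name=(?P<name>\S+) type=(?P<type>\S+) "
    r"data=(?P<data>\S+) client=(?P<client>\S+) via=(?P<via>\S+)$"
)


def parse_updates(text):
    """Parse one event per line into a dict; malformed lines are skipped."""
    return [m.groupdict() for m in map(UPDATE_RE.match, text.splitlines()) if m]


def audit_updates(text, reserved=RESERVED_NAMES, static=STATIC_RECORDS, max_names=1):
    """Return (timestamp, name, client, reason) findings for registrations a
    DHCP client should never be allowed to make on its own say-so."""
    findings = []
    names_by_client = defaultdict(set)
    for u in parse_updates(text):
        name = u["name"].lower()  # DNS names are case-insensitive
        names_by_client[u["client"]].add(name)
        if name in reserved:
            findings.append((u["ts"], name, u["client"], "reserved name registered dynamically"))
        elif name in static and static[name] != u["data"]:
            findings.append((u["ts"], name, u["client"], "dynamic update shadows a static record"))
    # a lease holder normally owns exactly one name; several is a red flag
    for client, names in sorted(names_by_client.items()):
        if len(names) > max_names:
            findings.append(("", ",".join(sorted(names)), client, "one client registered several names"))
    return findings


if __name__ == "__main__":
    for ts, name, client, reason in audit_updates(SAMPLE_UPDATES):
        print(f"{ts:20} {name:24} {client:12} {reason}")
```

The mitigations the findings point at are the usual ones: register wpad yourself to a host you control or block the name at the server (Microsoft DNS later shipped a global query block list that refuses wpad and isatap by default), and have the DHCP server rather than the client own dynamic records so that a client cannot re-register another machine's name.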

  63. license servers
     • A soft spot in desktop apps
     • Computer Associates
     • Bugs and simple to spoof
     • FlexLM network services

  64. remote desktops
     • RDP
     • Great for gathering other targets
     • Domain lists available pre-auth
     • If not available, start your own:
     • net start “terminal services”

  65. remote desktops
     • VNC
     • The authentication bug is great :)
     • MITM attacks are still viable
     • Install your own with Metasploit 3
     • vncinject payloads

  66. trust relationships
     • The target is unavailable to YOU
     • Not to another host you can reach...
     • Networks may not trust everyone
     • But they often trust each other :)

  71. Conclusion
     • Compromise a “secure” network
     • Determination + creativity wins
     • Tools cannot replace talent.