Tactical Exploitation: The other way to pentest

This presentation covers an assortment of penetration testing techniques and was originally given at Black Hat USA in 2007. It was co-presented by HD Moore and valsmith.

A whitepaper is available at https://www.defcon.org/images/defcon-15/dc15-presentations/Moore_and_Valsmith/Whitepaper/dc-15-moore_and_valsmith-WP.pdf.

A video of the presentation is available at https://www.youtube.com/watch?v=DPwY5FylZfQ

HD Moore

July 25, 2007

Transcript

  1. Las Vegas – August 2007: Tactical Exploitation, “the other way to pen-test”, hdm / valsmith
  2. who are we?
     • H D Moore <hdm [at] metasploit.com>: BreakingPoint Systems || Metasploit
     • Valsmith <valsmith [at] metasploit.com>: Offensive Computing || Metasploit
  3. why listen?
     • A different approach to pwning
     • New tools, fun techniques
     • Real-world tested :-)
  4. what do we cover?
     • Target profiling
     • Discovery tools and techniques
     • Exploitation
     • Getting you remote access
  5. the tactical approach
     • Vulnerabilities are transient
     • Target the applications
     • Target the processes
     • Target the people
     • Target the trusts
     • You WILL gain access.
  6. the tactical approach
     • Crackers are opportunists
     • Expand the scope of your tests
     • Everything is fair game
     • What you don't test...
     • Someone else will!
  7. the tactical approach
     • Hacking is not about exploits
     • The target is the data, not r00t
     • Hacking is using what you have
     • Passwords, trust relationships
     • Service hijacking, auth tickets
  8. personnel discovery
     • Security is a people problem
     • People write your software
     • People secure your network
     • Identify the meatware first
  9. personnel discovery
     • Identifying the meatware
     • Google
     • Newsgroups
     • SensePost tools
     • www.Paterva.com
  10. personnel discovery
     • These tools give us
     • Full names, usernames, email
     • Employment history
     • Phone numbers
     • Personal sites
  11. personnel discovery: CASE STUDY
  12. personnel discovery
     • Started with just a name and title
     • Found online personnel directory
     • Found people / email addresses
     • Email name = username = target
  13. personnel discovery: DEMO
  14. network discovery
     • Identify your target assets
     • Find unknown networks
     • Find third-party hosts
     • Dozens of great tools...
     • Let's stick to the less-known ones
  15. network discovery
     • The overused old busted
     • Whois, Google, zone transfers
     • Reverse DNS lookups
  16. network discovery
     • The shiny new hotness
     • Other people's services
     • CentralOps.net, DigitalPoint.com
     • DomainTools.com, Paterva.com
     • RevHosts PIG/VHH modules: http://revhosts.net/
  17. network discovery
     • What does this get us?
     • Proxied DNS probes, transfers
     • List of virtual hosts for each IP
     • Port scans, traceroutes, etc.
     • Gold mine of related info
  18. network discovery
     • Active discovery techniques
     • Trigger SMTP bounces
     • Brute force HTTP vhosts
     • Watch outbound DNS
     • Just email the users!
  19. network discovery: CASE STUDY
  20. network discovery: DEMO
  21. firewalls and ips
     • Firewalls have gotten snobby
     • Content filtering is now common
     • Intrusion prevention is annoying
     • Identify and fingerprint
     • Increase your stealthiness
     • Customize your exploits
  22. firewalls and ips
     • Firewall identification
     • NAT device source port ranges
     • Handling of interesting TCP
     • IPS identification
     • Use “drop with no alert” sigs
     • Traverse sig tree to find vendor
  23. firewall and ips: CASE STUDY
  24. firewall and ips: DEMO
  25. application discovery
     • If the network is the toast...
     • Applications are the butter.
     • Each app is an entry point
     • Finding these apps is the trick
  26. application discovery
     • Tons of great tools
     • Nmap, Amap, Nikto, Nessus
     • Commercial tools
  27. application discovery
     • Slow and steady wins the deface
     • Scan for specific port, one port only
     • IDS/IPS can't handle slow scans
     • Ex. nmap -sS -P0 -T 0 -p 1433 ips
  28. application discovery
     • Example target had custom IDS to detect large # of host connections
     • Standard nmap lit up IDS like XMAS
     • One port slow scan never detected
     • Know OS based on 1 port (139/22)
  29. application discovery
     • Some new tools
     • W3AF for locating web apps
     • Metasploit 3 includes scanners
  30. application discovery: CASE STUDY
  31. application discovery: DEMO
  32. client app discovery
     • Client applications are fun!
     • Almost always exploitable
     • Easy to fingerprint remotely
     • Your last-chance entrance
  33. client app discovery
     • Common probe methods
     • Mail links to the targets
     • Review exposed web logs
     • Send MDNs to specific victims
     • Abuse all, everyone, team aliases
  34. client app discovery
     • Existing tools
     • BEEF for browser fun
     • Not much else...
  35. client app discovery
     • Shiny new tools
     • Metasploit 3 SMTP / HTTP
     • Metasploit 3 SMB services
  36. client app discovery: CASE STUDY
  37. client app discovery: DEMO
  38. process discovery
     • Track what your target does
     • Activity via IP ID counters
     • Last-modified headers
     • FTP server statistics
  39. process discovery
     • Look for patterns of activity
     • Large IP ID increments at night
     • FTP stats at certain times
     • Web pages being uploaded
  40. process discovery
     • Existing tools? None :-(
     • New tools: Metasploit 3 profiling modules
     • More on exploiting this later...
  41. process discovery: CASE STUDY
  42. process discovery: DEMO
  43. 15 Minute Break
     • Come back for the exploits!
  44. re-introduction
     • In our last session... Discovery techniques and tools
     • In this session... Compromising systems!
  45. external network
     • The crunchy candy shell
     • Exposed hosts and services
     • VPN and proxy services
     • Client-initiated sessions
  46. attacking file transfers
     • FTP transfers
     • Active FTP source ports
     • Passive FTP servers
     • NFS transfers
     • TFTP transfers
  47. attacking mail services
     • Four different attack points
     • The mail relay servers
     • The antivirus gateways
     • The real mail server
     • The user's mail client
     • File name clobbering...
  48. attacking web servers
     • Brute force files and directories
     • Brute force virtual hosts
     • Standard application flaws
     • Load balancer fun...
     • Clueless users' cgi-bins are often the Achilles heel
  49. attacking dns servers
     • Brute force host name entries
     • Brute force internal hosts
     • XID sequence analysis
     • Return extra answers...
  50. attacking db servers
     • Well-known user/pass combos
     • Business apps hardcode auth
     • Features available to anonymous
     • No-patch bugs (DB2, Ingres, etc.)
  51. authentication relays
     • SMB/CIFS clients are fun!
     • Steal hashes, redirect, MITM
     • Remote shell, no vuln needed
     • NTLM relay between protocols
     • SMB/HTTP/SMTP/POP3/IMAP
  52. social engineering
     • Give away free toys
     • CDROMs, USB keys, N800s
     • Replace UPS with OpenWRT
     • Cheap and easy to make
  53. internal network
     • The soft chewy center
     • This is the fun part :)
     • Easy to trick clients
  54. file services
     • SMB is awesome
     • Look for AFP exports of SMB data
     • NAS storage devices
     • Rarely, if ever, patch Samba :-)
  55. file services
     • NFS is your friend
     • Don't forget its easy cousin NIS
     • Scan for port 111 / 2049
     • showmount -e / showmount -a
     • What's exported, who's mounting?
  56. file services
     • Exported NFS home directories
     • Important target!
     • If you get control
     • Own every node that mounts it
  57. file services
     • If you are root on home server
     • Become anyone (NIS/su)
     • Harvest known_hosts files
     • Harvest allowed_keys
     • Modify .login, etc. + insert trojans
  58. file services
     • Software distro servers are fun!
     • All nodes access over NFS
     • Write to software distro directories
     • Trojan every node at once
     • No exploits needed!
  59. file services: CASE STUDY
  60. netbios services
     • NetBIOS names are magic
     • WPAD
     • CALICENSE
  61. dns services
     • Microsoft DNS + DHCP = fun
     • Inject host names into DNS
     • Hijack the entire network
     • dhcpcd -h WPAD -i eth0
  62. wins services
     • Advertise your WINS service
     • Control name lookups
     • Attack other client apps
  63. license servers
     • A soft spot in desktop apps
     • Computer Associates
     • Bugs and simple to spoof
     • FlexLM network services
  64. remote desktops
     • RDP
     • Great for gathering other targets
     • Domain lists available pre-auth
     • If not available, start your own: net start “terminal services”
  65. remote desktops
     • VNC
     • The authentication bug is great :)
     • MITM attacks are still viable
     • Install your own with Metasploit 3 vncinject payloads
  66. trust relationships
     • The target is unavailable to YOU
     • Not to another host you can reach...
     • Networks may not trust everyone
     • But they often trust each other :)
  67. trust relationships: CASE STUDY
  68. Hijacking SSH: CASE STUDY
  69. Hijacking Kerberos: CASE STUDY
  70. Hijacking NTLM: CASE STUDY
  71. Conclusion
     • Compromise a “secure” network
     • Determination + creativity wins
     • Tools cannot replace talent.
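Slide 28 describes a custom IDS that counted connections per host and so never saw the one-port slow scan. The example below is added here (it is not code from the deck or from Metasploit) and shows, from the detection side, why a short burst window misses that scan and why a day-long window keyed on source and destination port catches it. The log format and the traffic are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): 10.9.0.5 probes TCP/1433 on twelve
# hosts, one SYN every six minutes; 10.9.0.7 is ordinary web browsing.
T0 = datetime(2007, 8, 1, 1, 0, 0)
SAMPLE_LOG = [
    f"{(T0 + timedelta(minutes=6 * i)).isoformat()} 10.9.0.5 -> 192.168.1.{10 + i}:1433 SYN"
    for i in range(12)
] + [
    f"{(T0 + timedelta(seconds=s)).isoformat()} 10.9.0.7 -> 192.168.1.{h}:80 SYN"
    for s, h in ((5, 50), (9, 51), (14, 52))
]


def parse_events(lines):
    """Parse 'TIMESTAMP SRC -> DST:PORT FLAG' lines into sorted (ts, src, dst, port) tuples."""
    events = []
    for line in lines:
        ts, src, _arrow, dst, _flag = line.split()
        host, port = dst.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, host, int(port)))
    return sorted(events)


def scanners(events, window, max_hosts, per_port=False):
    """Return sources that touch more than max_hosts distinct hosts inside any
    sliding window of the given length; per_port=True counts hosts per destination port."""
    by_key = defaultdict(list)
    for ts, src, host, port in events:
        by_key[(src, port if per_port else None)].append((ts, host))
    flagged = set()
    for (src, _port), probes in by_key.items():          # probes are in time order
        for i, (t0, _host) in enumerate(probes):
            hosts = {h for t, h in probes[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                flagged.add(src)
                break
    return flagged


def burst_rule(events):
    """The slide-28 style rule: many hosts in a short burst. Misses the slow scan."""
    return scanners(events, timedelta(minutes=1), max_hosts=10)


def slow_scan_rule(events):
    """A 24-hour window keyed on (source, port) catches the one-port slow scan."""
    return scanners(events, timedelta(hours=24), max_hosts=10, per_port=True)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("burst rule:", burst_rule(evs))          # set()
    print("slow-scan rule:", slow_scan_rule(evs))  # {'10.9.0.5'}
```

The same sliding-window logic applies to real flow or firewall logs once the parser is swapped for the site's format; the threshold and window are the tuning knobs.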