@johnhsawyer [email protected]
Go Hack Yourself: Offensive Security Tools for Enterprise Defenders
John H Sawyer Senior Security Analyst
InGuardians, Inc.
Virtual Machine
• Download via HTTP
  – http://45.0.95.155/
• Copy from USB
  – Note: Copy OVA file to your hard drive FIRST, then Import.

Workshop Agenda
• Administrivia
• Introduction to Penetration Testing
• VM Walkthrough
• Reconnaissance
• Wireless
• Physical
• Social Engineering
• Web
• Post Exploitation
• Mobile

Today’s Schedule
• 8:30 – 10:30: Workshop
• 10:30 – 10:45: Coffee Break
• 10:45 – 12:00: Workshop
• 12:00 – 1:00: Lunch
• 1:00 – 3:00: Workshop
• 3:00 – 3:15: Coffee Break
• 3:15 – 4:30: Workshop
• 4:30 – 5:30: Workshop Reception

Purpose of this Workshop
• Introduction to penetration testing
  – Security professionals focused on defense
  – Systems administrators
  – Developers
• Maximize value from 3rd party assessments
  – Help to clean up “low-hanging fruit”
• Have Fun!!

Ego Slide
• InGuardians Senior Security Analyst
  – Penetration Testing
    • Web, Network, Smart Grid, Mobile, Physical
  – Architecture Review
  – Incident Response & Forensics
• Author for Dark Reading and InformationWeek
• Infosec Volunteer and Mentor
• DEF CON 14/15 Capture the Flag (1@stplace)

Obligatory Company Slide
• InGuardians, Inc. (formerly IntelGuardians)
• Founded 2003 by Mike Poor, Ed Skoudis, Jay Beale, Jimmy Alderson, Bob Hillery
• If it’s security-related, we do it.
  – Risk assessment
  – Penetration testing
  – Architecture reviews
  – Incident response and forensics

Introduction to PENETRATION TESTING

Vulnerability Assessment
• “A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.”
• Source: Wikipedia
• What about…
  – Validation
  – Risk to the business

Penetration Test
• “A penetration test, or the short form pentest, is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data.”
• Source: Wikipedia
• Mimic real attackers
• Show real risk of vulnerabilities

Evolution of Penetration Testing
Attack Process
• Recon
• Scan
• Gain access
• Maintain access
• Cover tracks
Pentest Methodology
• Preparation
• Recon
• Scan
• Exploit
• Analysis
• Report

Penetration Testing Execution Standard
• Pre-engagement interactions
• Intelligence gathering
• Threat modeling
• Exploitation
• Post exploitation
• Reporting
– Ed Skoudis’ DerbyCon 2014 Keynote

Types of Penetration Testing
• Network
  – Internal
  – External
• Application
  – Web
  – Mobile
  – Desktop
• Physical
• Social Engineering
  – Email
  – Phone
  – Other (Social, In-person)
• Wireless
  – WiFi
  – Other RF
• Hardware

Traits of a Good Penetration Tester
• Passion
• Curiosity
• Experience
• Adaptability
• Communication
• Not afraid of failure
• Diverse background – sysadmin, developer, network engineer

Legal Issues
• Job description
• Written permission
• Scope
• Rules of Engagement

Risks
• Denial of Service
  – Network congestion/saturation
  – Service resource exhaustion
  – Crash (BSOD, Segfault)
• Data corruption
• Data destruction
• Angry people
  – Sysadmins, users, HR, Legal

VIRTUAL MACHINE Walkthrough
VM Introduction
• Based on Kali Linux
• Customized to include:
  – Additional tools like arachni and Phishing Frenzy
  – Added vulnerable web applications
  – Removed SDR, RFID, NFC, some wireless, etc.
• Login: root / Inter0p

Walkthrough
• Kali tools menu
• Terminal
  – Finding things, basic commands, tab completion, screen
• Services
• SSH
  – Disabled by default (note: change password)
• Websites (vhosts)

Quick Commands
• passwd
  – change user password
• service ssh start
• service apache2 start
• service mysql start
  – There are additional options like status, reload, stop. Run without an option to see the list.
• screen – useful screen multiplexer.
  – I’ve included a nice .screenrc with some nice customizations.
  – http://aperiodic.net/screen/quick_reference

RECONNAISSANCE Intelligence Gathering
Reconnaissance
Passive (OSINT)
• Search Engines (Google Dorks)
• Web archives
• Newsgroups, Google Groups
• Whois, Robtex, CentralOps
• Shodan, Netcraft
• Social networks
• Pwnedlist, Breachalarm
Active
• Nmap
• DNS interrogation
• Nessus, Nexpose, Metasploit
• Arachni, Burp, wpscan
• FOCA, metagoofil
• Anything that actively touches the target network

Search Engines
• “Google Dorks”
• Bishop Fox SearchDiggity
  – GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity
  – CodeSearchDiggity, DLPDiggity, FlashDiggity
  – MalwareDiggity, PortScanDiggity, SHODANDiggity
  – BingBinaryMalwareSearch, and NotInMyBackYard Diggity.
• http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/

Shodan.io
• “Shodan is the world's first search engine for Internet-connected devices.”
• http://www.shodanhq.com/help/filters
  – net, os, city, country, geo, hostname, port, before/after

Nmap
• Network port scanner
• TCP and UDP
• OS fingerprinting
• Service fingerprinting
• Nmap Scripting Engine
  – Advanced checks
  – Vulnerability detection

Spiderfoot
• Automates much of the recon process
• Free and Open Source
• Runs under Linux and Windows
• cd /opt/spiderfoot
• python ./sf.py
• http://127.0.0.1:5001

Metasploit
• Open Source project
  – Created by HD Moore
  – Currently owned and maintained by Rapid7
• Framework, Community, Pro
• Cobalt Strike

Metasploit
• service postgresql start
• service metasploit start
• msfconsole
• workspace
• show / info
• use <module>
• reload / reload_all

WIRELESS Like running Ethernet to your parking lot
Wireless
• Ubiquitous technology in our environments
  – Home, Enterprise, Hotspots, Guest networks
• Plenty of opportunity to make mistakes
• Even more opportunity to secure properly
• When done properly it can be VERY secure
  – Many become complacent on the status of the network AND client

Gaining Insight
• Wireless adapters work in 4 modes
  – Managed, Monitor, Ad-Hoc and Master
• Managed, Ad-Hoc and Master abstract wireless frames
  – 802.2 and 802.3 – Ethernet, no wireless goodies

Monitor Mode
• Monitor mode will get us non-abstracted packets
  – 802.11 where all the wireless goodies live
• Much of what we need is in plaintext!
  – Network advertisements (Beacons)
  – Network capabilities (Beacons, Auth, Association)
  – Network queries (Probe Requests)
• Generally considered RX only

Finding the Wireless Adapter
• Which adapter is my wireless adapter?
# iwconfig
wlan0     IEEE 802.11abgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
lo        no wireless extensions.
eth0      no wireless extensions.

Getting Monitor
• iw to create a sub interface
• ifconfig to set state
• iwconfig to set wireless state/channel
• iw to remove when done
# iw dev wlan0 interface add mon0 type monitor
# ifconfig mon0 up
# iwconfig mon0 channel 6
# iw dev mon0 del        (removes the monitor sub interface when done)

An easier way…
• aircrack-ng suite has tons of great tools
• airmon-ng sets monitor mode easily!
• Monitor interface create, status and channel
• Delete is easy too
# airmon-ng start wlan0 6
[trimmed for brevity]
Interface   Chipset               Driver
wlan0       Ralink RT2870/3070    rt2800usb - [phy0]
                                  (monitor mode enabled on mon0)
# airmon-ng stop mon0

Monitor Mode Capture
• Tcpdump
  – Limited analysis
• Wireshark also works well
  – Much better analysis
  – Hard to see the forest for the trees
# tcpdump -s0 -n -i mon0
22:49:24.446744 1.0 Mb/s 2412 MHz 11g -55dB signal antenna 1 Beacon (HSMM-MESH) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] IBSS CH: 1
22:49:24.605689 1.0 Mb/s [bit 15] Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

Not All Created Equal
• Not every wireless card can do monitor mode!
• In a VM? Likely no native pass through
  – Need USB!
• Solid choices
  – ALFA AWUS051NH (v2 with Kali), a/b/g/n, $30-50
  – TP-Link TL-WN722N, b/g/n, $30
• None with ac/af support, yet
[adapter photos, not to scale]

Kismet (1)
• Originally a wardriving tool
• Expanded beyond original scope
  – Network discovery
  – Security types
  – Plug-in support
    • New PHY types
    • Attacks
• Great for audit and assessment work

Kismet (2)
• Expert analysis
• Client/Server configuration
• Dynamic multiple wireless card support
  – or from PCAP!
• Excellent audit tool!
• Channel hopping

The One On Channel Hopping
• 802.11b/g/n, 11 channels (+3 worldwide)
• 802.11a, 24 channels (+15 worldwide)
• How can we monitor all with one wireless card?
  – Move between channels rapidly!
  – We miss what is on others…

Kismet in Action (2)
[screenshots of the Kismet pcap-loading dialog]
• Ina = interop.pcap, <TAB> to Add, then <Enter>
• <TAB> to Close Console Window, then <Enter>

Usage (1)
• Use “~” to access the menu
• Use arrow keys to navigate the menu
• Things to do
  – Sort network list with ~ | Sort | <non-autofit>
  – Customize the display with ~ | View | <option>
• More Customization under ~ | Kismet | Preferences [Network Columns | Client Columns]

Usage (2)
• After sorting, and menu “inactive”, use arrow keys to navigate discovered networks
• <ENTER> on selected to get more network info
• In network screen, ~ | View | Client list
• To return, ~ | Clients | Close window, ~ | Network | Close window

Clients
• A better way to view clients?
  – ~ | View | Client List
• An even better way in a bit…

Hands on – Your turn!
• Start kismet and load “interop.pcap” in the wireless directory
• Change View, Sort, examine network security types and find interesting networks.
• Examine “Autogroup Probe” contents

Interesting Finds
• We can observe all sorts of security types
  – Open, WEP, TKIP WPA PSK, WPA PSK AES-CCMP…
• How about <Hidden SSID>?
  – If we wait and observe client connecting…
  – Or de-auth…
• No longer a security method
• Does not tell us EAP type for enterprise modes
• What was in Autogroup Probe?
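The security type Kismet shows for each network comes straight from the beacon frames, so a defender auditing "what is in the air" can derive it without the tool. The Python below is an added example, not code from the slides, Kismet or aircrack-ng: it parses a raw 802.11 beacon (radiotap header already stripped), reports SSID (None when hidden), channel and security type from the capability bits and RSN/WPA information elements, and compares the observed type with an assumed POLICY baseline, which is the "configured vs. in use" check from the wireless Review slide. The frames from build_beacon() and the POLICY entry are constructed for the demonstration.

```python
"""Classify 802.11 beacon frames the way Kismet's network list does.
Added example (not from the slides, Kismet or aircrack-ng); frames from
build_beacon() are constructed samples and POLICY is an assumed baseline."""
import struct
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM = {1: "Enterprise(802.1X)", 2: "PSK"}
WPA_OUI = b"\x00\x50\xf2\x01"          # vendor-IE prefix of the legacy WPA IE
POLICY = {"CorpWiFi": "WPA2 Enterprise(802.1X) CCMP"}   # assumption

def parse_ies(body):
    """Yield (tag, data) for each information element in body."""
    i = 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        yield tag, body[i + 2:i + 2 + ln]
        i += 2 + ln

def parse_suites(data):
    """Decode an RSN/WPA IE body into (pairwise ciphers, AKM suites)."""
    n, = struct.unpack_from("<H", data, 6)             # pairwise suite count
    pairwise = [CIPHER.get(data[8 + 4 * k + 3], "?") for k in range(n)]
    off = 8 + 4 * n
    m, = struct.unpack_from("<H", data, off)           # AKM suite count
    akm = [AKM.get(data[off + 2 + 4 * k + 3], "?") for k in range(m)]
    return pairwise, akm

def classify_beacon(frame):
    """Return bssid, ssid (None when hidden), channel and security type."""
    if frame[0] & 0xFC != 0x80:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    cap, = struct.unpack_from("<H", frame, 34)         # after timestamp + interval
    ssid = channel = security = None
    for tag, data in parse_ies(frame[36:]):
        if tag == 0:                                   # empty/null SSID = hidden
            ssid = data.decode("utf-8", "replace") if data.strip(b"\x00") else None
        elif tag == 3 and data:
            channel = data[0]
        elif tag == 48:                                # RSN IE -> WPA2
            pw, akm = parse_suites(data)
            security = f"WPA2 {'/'.join(akm)} {'/'.join(pw)}"
        elif tag == 221 and data.startswith(WPA_OUI) and security is None:
            pw, akm = parse_suites(data[4:])           # same layout after OUI + type
            security = f"WPA {'/'.join(akm)} {'/'.join(pw)}"
    if security is None:                               # no RSN/WPA IE: privacy bit decides
        security = "WEP" if cap & 0x0010 else "Open"
    return {"bssid": bssid, "ssid": ssid, "channel": channel, "security": security}

def policy_deviation(net, policy=POLICY):
    """Text when an observed network's security differs from the configured baseline."""
    expected = policy.get(net["ssid"])
    if expected and expected != net["security"]:
        return f"{net['ssid']} ({net['bssid']}): expected {expected}, saw {net['security']}"
    return None

def build_beacon(bssid, ssid, channel, privacy=False, rsn=b""):
    """Constructed test frame: 24-byte header, fixed fields, SSID/DS/RSN IEs."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411 if privacy else 0x0401)
    ies = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return hdr + fixed + ies + (bytes([48, len(rsn)]) + rsn if rsn else b"")

RSN_PSK_CCMP = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")
RSN_ENT_MIXED = bytes.fromhex("0100 000fac02 0200 000fac02 000fac04 0100 000fac01 0000")
SAMPLES = {
    "open": build_beacon(bytes.fromhex("0011223344aa"), b"HSMM-MESH", 1),
    "hidden_wep": build_beacon(bytes.fromhex("0011223344bb"), b"", 6, privacy=True),
    "wpa2_psk": build_beacon(bytes.fromhex("0011223344cc"), b"linksys", 9, True, RSN_PSK_CCMP),
    "corp": build_beacon(bytes.fromhex("0011223344dd"), b"CorpWiFi", 11, True, RSN_ENT_MIXED),
}
```

The "corp" sample advertises TKIP alongside CCMP, so policy_deviation() flags it as a mixed-mode downgrade against the assumed CCMP-only baseline.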
airgraph-ng
• Show me some charts!
• CAPR
  – Client to Access Point Relationship
  – Which clients are connected to each AP, easy to read
• CPG
  – Common Probe Graph
  – Which APs have clients connected to?
• Where are they, and what is the security setting?
• Low hanging corporate fruit

Setup
• airgraph-ng does not read from pcaps
• Needs airodump .csv output
• Convert!
• Output temp-01.csv can be used with airgraph-ng
# airodump-ng -r interop.pcap -w temp
^C (when entire pcap read)
# airgraph-ng -i temp-01.csv -o interop-capr.png -g CAPR
# airgraph-ng -i temp-01.csv -o interop-cpg.png -g CPG

CAPR
CPG
Hands on – Your turn!
• Generate your own .csv files using airodump
• Generate both CAPR and CPG graphs with airgraph-ng
• Examine CAPR for networks and client in which de-auth might yield results (WPA* PSK, <Hidden SSID>)
• Examine CPG graphs for low hanging fruit IE machines that have connected to a “home” and “corporate” network
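The CAPR and CPG relationships that airgraph-ng draws can also be pulled out of the airodump-ng CSV as plain data, which lets a defender list the "home and corporate" clients from the hands-on exercise without reading a graph. The Python below is an added example, not airgraph-ng's own code; SAMPLE_CSV is a constructed file in airodump-ng's CSV layout (AP section, blank line, station section) and CORP_SSIDS is an assumed list of the organization's own networks.

```python
"""CAPR and CPG relationships from an airodump-ng CSV, as plain data.
Added example (not airgraph-ng's code). SAMPLE_CSV is a constructed file in
airodump-ng's layout; CORP_SSIDS is an assumed list of the organisation's SSIDs."""
import csv
import io
from collections import defaultdict

CORP_SSIDS = {"CorpWiFi"}

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:AA, 2015-04-27 22:49:24, 2015-04-27 22:55:01,  9,  54, WPA2, CCMP, PSK,  -55,  120,  0,  0.  0.  0.  0,  8, CorpWiFi,
00:11:22:33:44:BB, 2015-04-27 22:49:30, 2015-04-27 22:55:01,  1,  54, OPN,  ,  ,  -70,  40,  0,  0.  0.  0.  0,  9, HSMM-MESH,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
C0:FF:EE:C0:FF:EE, 2015-04-27 22:49:24, 2015-04-27 22:55:00,  -60,  40, 00:11:22:33:44:AA, CorpWiFi,HomeNet
C0:FF:EE:00:00:01, 2015-04-27 22:50:00, 2015-04-27 22:54:00,  -65,  12, (not associated), CorpWiFi
C0:FF:EE:00:00:02, 2015-04-27 22:50:10, 2015-04-27 22:54:30,  -72,  9, 00:11:22:33:44:BB, HSMM-MESH,linksys
"""

def parse_airodump_csv(text):
    """Return (aps, stations); the two sections are separated by a blank line."""
    ap_part, sta_part = text.split("\n\n", 1)
    aps, stations = {}, []
    for row in csv.reader(io.StringIO(ap_part), skipinitialspace=True):
        if row and row[0] != "BSSID":
            aps[row[0]] = {"channel": int(row[3]), "privacy": row[5].strip(),
                           "essid": row[13].strip()}
    for row in csv.reader(io.StringIO(sta_part), skipinitialspace=True):
        if row and row[0] != "Station MAC":
            probes = [p.strip() for p in row[6:] if p.strip()]   # one field per probed ESSID
            stations.append({"mac": row[0], "bssid": row[5].strip(), "probes": probes})
    return aps, stations

def capr(aps, stations):
    """CAPR: clients associated with each AP, keyed by (ESSID, privacy)."""
    rel = defaultdict(list)
    for s in stations:
        if s["bssid"] in aps:
            ap = aps[s["bssid"]]
            rel[(ap["essid"], ap["privacy"])].append(s["mac"])
    return dict(rel)

def cpg(stations):
    """CPG: clients that have probed for each ESSID (associated or not)."""
    rel = defaultdict(set)
    for s in stations:
        for p in s["probes"]:
            rel[p].add(s["mac"])
    return {essid: sorted(macs) for essid, macs in rel.items()}

def low_hanging_fruit(stations, corp=CORP_SSIDS):
    """Clients that probe for a corporate SSID and for at least one other network."""
    hits = {}
    for s in stations:
        probed = set(s["probes"])
        if probed & corp and probed - corp:
            hits[s["mac"]] = sorted(probed - corp)
    return hits
```

Run against a real capture with `parse_airodump_csv(open("temp-01.csv").read())`; the stations low_hanging_fruit() returns are the corporate devices whose saved networks a rogue AP could impersonate, which is the list to take to the client-hardening conversation.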
De-Auth
• Spoofing packets from an AP to a client
  – We don’t want your kind around here anymore…
• Has legitimate use, un-spoofed
• Ok, this one is a bit evil
  – Technically, it is a DoS
  – Used responsibly for information gathering

Why De-auth?
• Some network info can only be obtained during client connect
• <Hidden-SSID> network name recovery
  – As part of additional assessment (WPA PSK, WEP)
• WPA*-PSK 4-way handshake on client join
  – Needed to evaluate/crack PSK
• WPA-Enterprise 4-way handshake on client join
  – Determine negotiated EAP type
  – What is expected vs. observed (iOS)
• Evil uses too

aireplay-ng
• aireplay-ng will inject spoofed de-auth packets
• Against broadcast* (evil)
• Against a single client (responsible)
  – Kismet and CAPR graphs helpful

Make it so (1)
• I like to use two wireless cards
• One to inject de-auths, the other for monitor mode capture
• Be sure to set correct channels on both!
# iwconfig wlan0 channel 9
# airmon-ng start wlan1 9
# iwconfig mon0 channel 9
Terminal 1:
# aireplay-ng --deauth 0 -e linksys -c c0:ff:ee:c0:ff:ee wlan0
Terminal 2:
# tcpdump -s0 -n -i mon0

Make it so (2)
• Can be done with one card with sub-interfaces
• Unreliable while TX in monitor mode, missed packets
# iwconfig wlan0 channel 9
# airmon-ng start wlan0 9
# iwconfig mon0 channel 9
Terminal 1:
# aireplay-ng --deauth 0 -e linksys -c c0:ff:ee:c0:ff:ee wlan0
Terminal 2:
# tcpdump -s0 -n -i mon0

Make it so (3)
• What if I don’t have the SSID?
  – IE <Hidden SSID>
• Use the BSSID/MAC address instead
# aireplay-ng --deauth 0 -b 00:00:de:ad:be:ef -c c0:ff:ee:c0:ff:ee wlan0

Review
• It is important to review what is in the air!
• Catching Rogue-APs
• Determining angles of attack, low hanging fruit
• Evaluating security method in use compared to what is configured
• Evaluating EAP types and inner-authentication mechanisms (dumb down attacks)
• Thinking like an attacker is important!

PHYSICAL Olivia Newton John wants to get…
Physical
• Having physical access requires little/no exploits to compromise
  – It is even more fun when it does!
• Think about what an attacker could do if they have physical access to
  – a receptionist’s workstation
  – an IT staff member’s workstation
  – a network closet/IDF
  – your datacenter…
• Physical access is often considered “game over”

Tools
• Few “technical” tools exist here
  – Unless we talk prox/pin pad
  – Most occasions don’t require anything technical
• Most powerful tool for this part is your brain
  – Time, creativity and patience
  – Thinking outside of the box
  – Hacking “hardware” from the dumpster
• How minor gaps in implementation can be used

Powers of Observation (1)
• Observing how physical security systems are implemented!
• Observing the movements of others over a long period of time
• Where do cameras point? Are they monitored actively or reactively?
• How do doors unlock from the outside?
  – How do they unlock from the inside?
  – Motion sensor? Capacitive touch bar?
  – What side are the hinges on?

Powers of Observation (2)
• Under door gaps? Gaps in door frames?
  – What can we use out of the dumpster?
  – Lowes/Home Depot craft time!
• Other methods of access
  – Balconies
  – Loading Docks
• Unmotivated/Lax building security
• What do badges look like? To the internet!

Social Engineering
• This is a game unto itself
  – So many subtleties
• TL;DR, it is a game of confidence
  – Act like you belong
  – Play the part
  – “Hey, how’s it going?”

Dress the Part
• Back to powers of observation…by others
  – How will staff perceive you in the organization?
• How are others dressed?
  – Construction
  – Fire Extinguisher inspection
  – Package delivery*
  – Repair technician*
• Casual office or professional dress

Scenario Based Testing
• In your own organizations you are likely a known quantity
• Apply your observations to current installs
• Craft a scenario
  – test your observations
  – with permission
  – with readily available “tools”

Policies
• Physical security design at time of build
  – Just like DevOps, bake in security
• Tailgating
• Reporting of suspicious activity
• Audit and observe adherence to policy

Review
• Physical security is just like electronic!
• Requires power of observation
• Creative thinking and application of unusual techniques
• Physical access is often considered “game over”

SOCIAL ENGINEERING Because there is no patch for human…
Why Does It Work?
• Desire to be helpful
  – Par Avion
• Tendency to trust people
• Fear of getting into trouble
  – Daisy
• Willingness to cut corners
• http://www.social-engineer.org/framework

Elements of a Good Phish
• Urges recipient to take action
• Targets an emotional response
• Mimics content from a trusted source
• Spoofs the source to appear legitimate
• Bypasses mail security controls
  – http://arstechnica.com/information-technology/2014/02/16/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/

Recon-ng
• Modular reconnaissance framework
• Created by Tim Tomes
• Enumerate
  – Hosts
  – Domains
  – Names
  – Email addresses

Recon-ng Commands
• show modules
• workspaces add interop
• add domains inguardians.com
• load netcraft
• load bing_domain_web
• load google_site_web
• load brute_hosts
• search contacts
• load facebook
• load linkedin_crawl
• load mangle
• load html

Other Recon Tools
• theharvester
  – This is included on the VM
• FOCA
  – Windows only but great at identifying docs and pulling metadata including usernames, software versions, servers, network shares, etc.
• Maltego
  – Great tool for identifying relationships between hosts, networks, identities and more.
• metagoofil – metadata
  – A little dated but still very useful

Phishing Frenzy
• Services
  – Apache2
  – Redis
  – MySQL
  – Beef-xss
  – /var/www/phishing-frenzy
• bundle exec sidekiq -C config/sidekiq.yml
• Creds: admin / Inter0p!
• Documentation:
  – http://phishingfrenzy.com/

WEB APPLICATION TESTING Everything has a web interface these days
Automated Discovery
• Nikto
• Wpscan
• Dirb
• Arachni

Manual Discovery
• Burp Suite
• OWASP ZAP
• Fiddler

Vulnerable Web Apps in Class VM
• http://dojo-basic
  – Includes OWASP Top 10 vulnerabilities
• http://dvwa
  – Damn Vulnerable Web App
• http://dojo-scavenger
  – Find the Keys
Note: The Dojo-Basic and Dojo-Scavenger apps are included from the Samurai WTF project

Introduction to MOBILE APP/DEVICE TESTING

Overview
• Static analysis
• Runtime analysis and system level monitoring
• Network analysis
• Web site, web service, API

Review EULAs and Privacy Policies
• I <3 policy review!
  – That stuff is for the FNG
• Most apps point to their website for current policies
  – Privacy Policy
  – End User License Agreement (EULA)
  – Terms and Conditions
• Not all apps/sites have a privacy policy

Common Tools
• SSH
• VNC server
• A compiler (Xcode, gcc, agcc)
• Android SDK (adb, monitor)
• Jailbroken iDevice
• Rooted Android Device
• Ubertooth (Bluetooth analysis)

Static Analysis
• iOS
  – otool
  – class-dump-z
  – dumpdecrypted (or Clutch)
  – iNalyzer
  – iRet
  – IDA
• Android
  – apktool
  – dex2jar
  – Java decompiler (jd-gui)
  – Androguard

Dynamic (Runtime) Analysis
• Debugger
  – gdb, eclipse, IDA
• Memory dumper
  – LiME, dumpheap
• Monitor (Android)
• mac-robber
• Snoop-it
• IDA / Hopper
• Network sniffing
  – Tcpdump / Wireshark
  – Network Miner
• iRet

Server Side Analysis
• Port scanner (nmap)
• Vulnerability scanner (Nessus, Nexpose)
• Web proxy (Burp, ZAP, Fiddler)
• Web vulnerability scanner (Burp, Arachni)
• Do not perform without authorization!

NEXT STEPS Where to go from here…
Next Steps
• Build your own lab
  – VMWare (ESXi), VirtualBox, Hyper-V
  – Vulnhub.com
  – Network equipment (HW or SW)
• Certifications
  – OSCP
  – GPEN, GPWN, GXPN
• Bug Bounties

POWERSHELL It’s everywhere you want to be…
Offensive Powershell
• Great for bypassing antivirus and application whitelisting
• On current Windows workstation and server operating systems
• More and more offensive tools are leveraging Powershell

Offensive Powershell Projects
• Powersploit
  – https://github.com/mattifestation/PowerSploit
• Veil PowerTools
  – PowerView provides incredible insight into AD environments
  – https://github.com/Veil-Framework/PowerTools
• There are some others but these are my “go to” tools once inside.

Thank You
• Teaching Assistants
  – Larry Pesce – InGuardians
  – Joseph Wilson – University of Florida
  – Bryce Lay – ComSys
• Interop Staff
• InGuardians
• My wife and family

Contact Information
• John H Sawyer
• [email protected]
• @johnhsawyer
• 352-389-4704
• Slides: https://www.sploitlab.com

Additional Links
• https://github.com/danielmiessler/SecLists
  – Great for feeding into Burp Intruder and Dirb
• http://pwnwiki.io/#!index.md
  – Excellent post exploitation information
• Namecheap.com
  – Cheap domains and SSL cert for about $12
• Verizon Data Breach Investigation Report
  – http://www.verizonenterprise.com/DBIR/