Go Hack Yourself: Offensive Security Tools for Enterprise Defenders
John H Sawyer, Senior Security Analyst, InGuardians, Inc.
@johnhsawyer [email protected]

Go Hack Yourself - SploitLab … · 2018-05-01


Page 1

Go Hack Yourself: Offensive Security Tools for Enterprise Defenders

John H Sawyer, Senior Security Analyst, InGuardians, Inc.

Page 2

Virtual Machine
•  Download via HTTP
   –  http://45.0.95.155/
•  Copy from USB
   –  Note: copy the OVA file to your hard drive FIRST, then import it.

Page 3

Workshop Agenda
•  Administrivia
•  Introduction to Penetration Testing
•  VM Walkthrough
•  Reconnaissance
•  Wireless
•  Physical
•  Social Engineering
•  Web
•  Post Exploitation
•  Mobile

Page 4

Today’s Schedule
•  8:30 – 10:30: Workshop
•  10:30 – 10:45: Coffee Break
•  10:45 – 12:00: Workshop
•  12:00 – 1:00: Lunch
•  1:00 – 3:00: Workshop
•  3:00 – 3:15: Coffee Break
•  3:15 – 4:30: Workshop
•  4:30 – 5:30: Workshop Reception

Page 5

Purpose of this Workshop
•  Introduction to penetration testing for
   –  Security professionals focused on defense
   –  Systems administrators
   –  Developers
•  Maximize value from 3rd party assessments
   –  Help to clean up the “low-hanging fruit” yourself first
•  Have Fun!!

Page 6

Ego Slide
•  InGuardians Senior Security Analyst
   –  Penetration Testing
      •  Web, Network, Smart Grid, Mobile, Physical
   –  Architecture Review
   –  Incident Response & Forensics
•  Author for Dark Reading and InformationWeek
•  Infosec Volunteer and Mentor
•  DEF CON 14/15 Capture the Flag (1st place)

Page 7

Obligatory Company Slide
•  InGuardians, Inc. (formerly IntelGuardians)
•  Founded 2003 by Mike Poor, Ed Skoudis, Jay Beale, Jimmy Alderson, Bob Hillery
•  If it’s security-related, we do it.
   –  Risk assessment
   –  Penetration testing
   –  Architecture reviews
   –  Incident response and forensics

Page 8

Introduction to Penetration Testing

Page 9

Vulnerability Assessment
•  “A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.”
   –  Source: Wikipedia
•  What about…
   –  Validation (is the finding real and exploitable, or a scanner false positive?)
   –  Risk to the business

Page 10

Penetration Test
•  “A penetration test, or the short form pentest, is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data.”
   –  Source: Wikipedia
•  Mimic real attackers
•  Show the real risk of vulnerabilities

Page 11

Evolution of Penetration Testing

Attack Process
•  Recon
•  Scan
•  Gain access
•  Maintain access
•  Cover tracks

Pentest Methodology
•  Preparation
•  Recon
•  Scan
•  Exploit
•  Analysis
•  Report

Page 12

Penetration Testing Execution Standard
•  Pre-engagement interactions
•  Intelligence gathering
•  Threat modeling
•  Vulnerability analysis
•  Exploitation
•  Post exploitation
•  Reporting
   –  Ed Skoudis’ DerbyCon 2014 Keynote

Page 13

Types of Penetration Testing
•  Network
   –  Internal
   –  External
•  Application
   –  Web
   –  Mobile
   –  Desktop
•  Physical
•  Social Engineering
   –  Email
   –  Phone
   –  Other (Social, In-person)
•  Wireless
   –  WiFi
   –  Other RF
•  Hardware

Page 14

Traits of a Good Penetration Tester
•  Passion
•  Curiosity
•  Experience
•  Adaptability
•  Communication
•  Not afraid of failure
•  Diverse background
   –  sysadmin, developer, network engineer

Page 15

Legal Issues
•  Job description
•  Written permission
•  Scope
•  Rules of Engagement

Page 16

Risks
•  Denial of Service
   –  Network congestion/saturation
   –  Service resource exhaustion
   –  Crash (BSOD, Segfault)
•  Data corruption
•  Data destruction
•  Angry people
   –  Sysadmins, users, HR, Legal

Page 17

Virtual Machine Walkthrough

Page 18

VM Introduction
•  Based on Kali Linux
•  Customized to include:
   –  Additional tools like arachni and Phishing Frenzy
   –  Added vulnerable web applications
   –  Removed SDR, RFID, NFC, some wireless, etc.
•  Login: root / Inter0p

Page 19

Walkthrough
•  Kali tools menu
•  Terminal
   –  Finding things, basic commands, tab completion, screen
•  Services
•  SSH
   –  Disabled by default (note: change the root password before enabling it)
•  Websites (vhosts)

Page 20

Quick Commands
•  passwd
   –  change user password
•  service ssh start
•  service apache2 start
•  service mysql start
   –  There are additional options like status, reload, stop. Run without an option to see the list.
•  screen
   –  useful terminal multiplexer
   –  I’ve included a nice .screenrc with some nice customizations.
   –  http://aperiodic.net/screen/quick_reference

Page 21

Reconnaissance: Intelligence Gathering

Page 22

Reconnaissance

Passive (OSINT)
•  Search Engines (Google Dorks)
•  Web archives
•  Newsgroups, Google Groups
•  Whois, Robtex, CentralOps
•  Shodan, Netcraft
•  Social networks
•  Pwnedlist, Breachalarm

Active
•  Nmap
•  DNS interrogation
•  Nessus, Nexpose, Metasploit
•  Arachni, Burp, wpscan
•  FOCA, metagoofil
•  Anything that actively touches the target network

Page 23

Search Engines
•  “Google Dorks”
•  Bishop Fox SearchDiggity
   –  GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity
   –  CodeSearchDiggity, DLPDiggity, FlashDiggity
   –  MalwareDiggity, PortScanDiggity, SHODANDiggity
   –  BingBinaryMalwareSearch, and NotInMyBackYard Diggity
•  http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/

Page 24

Shodan.io
•  “Shodan is the world's first search engine for Internet-connected devices.”
•  http://www.shodanhq.com/help/filters
   –  net, os, city, country, geo, hostname, port, before/after

Page 25

Nmap
•  Network port scanner
•  TCP and UDP
•  OS fingerprinting
•  Service fingerprinting
•  Nmap Scripting Engine
   –  Advanced checks
   –  Vulnerability detection
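Nmap's XML output is the form a defender should consume, because the service and version fields can then be compared against an inventory instead of eyeballed. The block below is an added example, not code from the workshop VM or the Nmap project: it parses a constructed `-oX` report (real element layout, made-up host) and lists open ports that are missing from a hypothetical baseline for that host.

```python
"""Summarise an Nmap XML (-oX) report and flag services a defender did not expect.

Added example, not from the workshop or the Nmap project. SAMPLE_XML is a constructed
report in the real -oX element layout; BASELINE is a hypothetical allowlist for the host.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -sU -oX scan.xml 10.0.0.5" start="1400000000">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.7p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.10"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.5.43"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.0" accuracy="95"/></os>
  </host>
</nmaprun>
"""

# Hypothetical baseline: what the sysadmin believes web01 exposes.
BASELINE = {"10.0.0.5": {("tcp", 22), ("tcp", 80)}}


def parse_nmap_xml(xml_text):
    """Return a list of up hosts, each with its open (or open|filtered) ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        ports = []
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if not state.startswith("open"):
                continue  # closed/filtered ports are not attack surface
            svc = port.find("service")
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state,
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        hosts.append({
            "ip": addr.get("addr") if addr is not None else "",
            "hostname": hostname.get("name") if hostname is not None else "",
            "os": osmatch.get("name") if osmatch is not None else "",
            "ports": ports,
        })
    return hosts


def unexpected_services(hosts, baseline):
    """Open ports not in the per-host allowlist, as (ip, proto, port, service) tuples."""
    findings = []
    for h in hosts:
        allowed = baseline.get(h["ip"], set())
        for p in h["ports"]:
            if (p["proto"], p["port"]) not in allowed:
                findings.append((h["ip"], p["proto"], p["port"], p["service"]))
    return findings


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for h in hosts:
        print(f"{h['ip']} ({h['hostname']}) os={h['os']}")
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['state']} {p['service']} {p['product']} {p['version']}".rstrip())
    for ip, proto, port, svc in unexpected_services(hosts, BASELINE):
        print(f"UNEXPECTED: {ip} {port}/{proto} ({svc})")
```

Run the same parser over your own `nmap -sV -oX` output and keep BASELINE in version control; the diff between two scans is the finding, and the "open|filtered" UDP state is reported so that it is investigated rather than silently dropped.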

Page 26

Spiderfoot
•  Automates much of the recon process
•  Free and Open Source
•  Runs under Linux and Windows
•  cd /opt/spiderfoot
•  python ./sf.py
•  http://127.0.0.1:5001

Page 27

Metasploit
•  Open Source project
   –  Created by HD Moore
   –  Currently owned and maintained by Rapid7
•  Framework, Community, Pro
•  Cobalt Strike

Page 28

Metasploit
•  service postgresql start
•  service metasploit start
•  msfconsole
•  workspace
•  show / info
•  use <module>
•  reload / reload_all

Page 29

Wireless: Like running Ethernet to your parking lot

Page 30

Wireless
•  Ubiquitous technology in our environments
   –  Home, Enterprise, Hotspots, Guest networks
•  Plenty of opportunity to make mistakes
•  Even more opportunity to secure properly
•  When done properly it can be VERY secure
   –  Many become complacent about the status of the network AND the client

Page 31

Gaining Insight
•  Wireless adapters work in 4 modes
   –  Managed, Monitor, Ad-Hoc and Master
•  Managed, Ad-Hoc and Master abstract away the wireless frames
   –  You only see 802.2 and 802.3
   –  Ethernet, no wireless goodies

Page 32

Monitor Mode
•  Monitor mode will get us non-abstracted packets
   –  802.11, where all the wireless goodies live
•  Much of what we need is in plaintext!
   –  Network advertisements (Beacons)
   –  Network capabilities (Beacons, Auth, Association)
   –  Network queries (Probe Requests)
•  Generally considered RX only

Page 33

Finding the Wireless Adapter
•  Which adapter is my wireless adapter?

   # iwconfig
   wlan0     IEEE 802.11abgn  ESSID:off/any
             Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
             Retry short limit:7   RTS thr:off   Fragment thr:off
             Encryption key:off
             Power Management:off

   lo        no wireless extensions.

   eth0      no wireless extensions.

Page 34

Getting Monitor
•  iw to create a sub interface
•  ifconfig to set state
•  iwconfig to set wireless state/channel
•  iw to remove when done

   # iw dev wlan0 interface add mon0 type monitor
   # ifconfig mon0 up
   # iwconfig mon0 channel 6

   # iw dev mon0 del

Page 35

An easier way…
•  aircrack-ng suite has tons of great tools
•  airmon-ng sets monitor mode easily!
•  Monitor interface create, status and channel
•  Delete is easy too

   # airmon-ng start wlan0 6
   [trimmed for brevity]
   Interface   Chipset               Driver
   wlan0       Ralink RT2870/3070    rt2800usb - [phy0]
                                     (monitor mode enabled on mon0)

   # airmon-ng stop mon0

Page 36

Monitor Mode Capture
•  Tcpdump
   –  Limited analysis
•  Wireshark also works well
   –  Much better analysis
   –  Hard to see the forest for the trees

   # tcpdump -s0 -n -i mon0
   22:49:24.446744 1.0 Mb/s 2412 MHz 11g -55dB signal antenna 1 Beacon (HSMM-MESH) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] IBSS CH: 1
   22:49:24.605689 1.0 Mb/s [bit 15] Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]

Page 37

Not All Created Equal
•  Not every wireless card can do monitor mode!
•  In a VM? Likely no native pass-through
   –  Need USB!
•  Solid choices
   –  ALFA AWUS051NH (v2 with Kali), a/b/g/n, $30-50
   –  TP-Link TL-WN722N, b/g/n, $30
•  None with ac/af support, yet

Page 38

Kismet (1)
•  Originally a wardriving tool
•  Expanded beyond original scope
   –  Network discovery
   –  Security types
   –  Plug-in support
      •  New PHY types
      •  Attacks
•  Great for audit and assessment work

Page 39

Kismet (2)
•  Expert analysis
•  Client/Server configuration
•  Dynamic multiple wireless card support
   –  or from PCAP!
•  Excellent audit tool!
•  Channel hopping

Page 40

The One On Channel Hopping
•  802.11b/g/n, 11 channels (+3 worldwide)
•  802.11a, 24 channels (+15 worldwide)
•  How can we monitor all with one wireless card?
   –  Move between channels rapidly!
   –  We miss what is on the other channels while we are away…

Page 41

Kismet in Action (1)

   # cd wireless
   # kismet

Page 42

Kismet in Action (2)
•  In the Add Source dialog: Intf = interop.pcap, <TAB> to Add, then <Enter>
•  <TAB> to Close Console Window, then <Enter>

Page 43

Usage (1)
•  Use “~” to access the menu
•  Use arrow keys to navigate the menu
•  Things to do
   –  Sort network list with ~ | Sort | <non-autofit>
   –  Customize the display with ~ | View | <option>
•  More customization under ~ | Kismet | Preferences [Network Columns | Client Columns]

Page 44

Usage (2)
•  After sorting, with the menu “inactive”, use the arrow keys to navigate discovered networks
•  <ENTER> on the selected network to get more network info
•  In the network screen, ~ | View | Client list
•  To return, ~ | Clients | Close window, then ~ | Network | Close window

Page 45

Clients
•  A better way to view clients?
   –  ~ | View | Client List
•  An even better one in a bit…

Page 46

Hands on – Your turn!
•  Start kismet and load “interop.pcap” from the wireless directory
•  Change View, Sort, examine network security types and find interesting networks.
•  Examine “Autogroup Probe” contents

Page 47

Interesting Finds
•  We can observe all sorts of security types
   –  Open, WEP, WPA-PSK TKIP, WPA-PSK AES-CCMP…
•  How about <Hidden SSID>?
   –  If we wait and observe a client connecting…
   –  Or de-auth…
•  Hiding the SSID is no longer a security method: the name still goes over the air in probe responses and association requests
•  Does not tell us the EAP type for enterprise modes
•  What was in Autogroup Probe?
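What the Monitor Mode Capture slide shows with tcpdump, and what this slide describes for <Hidden SSID> networks and the Autogroup Probe entries, can be scripted. The block below is an added example, not code from the workshop or from tcpdump/Kismet: it reads tcpdump text lines, assumed to come from `tcpdump -e -n -i mon0` (the -e flag, not used on the slide, adds the BSSID/DA/SA fields needed to tie frames to networks), records which BSSIDs beacon with an empty SSID, recovers the name from the Probe Response or Assoc Request that follows, and lists the SSIDs each client probes for. The capture lines are constructed.

```python
"""Audit a monitor-mode capture from tcpdump text output.

Added example, not code from the workshop or the tcpdump/Kismet projects. Lines are
assumed to be in the layout of `tcpdump -e -n -i mon0`; SAMPLE_LINES is constructed.
"""
import re
from collections import defaultdict

# Constructed capture: a visible IBSS beacon, a hidden-SSID AP on channel 6, a client
# probing for remembered networks, and the hidden AP answering with its real name.
SAMPLE_LINES = """\
22:49:24.446744 1.0 Mb/s 2412 MHz 11g -55dB signal antenna 1 BSSID:00:11:22:33:44:55 DA:Broadcast SA:00:11:22:33:44:55 Beacon (HSMM-MESH) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] IBSS CH: 1
22:49:24.605689 1.0 Mb/s 2412 MHz 11g -70dB signal antenna 1 BSSID:Broadcast DA:Broadcast SA:c0:ff:ee:c0:ff:ee Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
22:49:24.701102 1.0 Mb/s 2437 MHz 11g -48dB signal antenna 1 BSSID:00:00:de:ad:be:ef DA:Broadcast SA:00:00:de:ad:be:ef Beacon () [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 6, PRIVACY
22:49:25.010233 1.0 Mb/s 2437 MHz 11g -62dB signal antenna 1 BSSID:Broadcast DA:Broadcast SA:c0:ff:ee:c0:ff:ee Probe Request (CorpWiFi) [1.0 2.0 5.5 11.0 Mbit]
22:49:25.011900 1.0 Mb/s 2437 MHz 11g -62dB signal antenna 1 BSSID:Broadcast DA:Broadcast SA:c0:ff:ee:c0:ff:ee Probe Request (HomeNet) [1.0 2.0 5.5 11.0 Mbit]
22:49:25.200441 1.0 Mb/s 2437 MHz 11g -47dB signal antenna 1 BSSID:00:00:de:ad:be:ef DA:c0:ff:ee:c0:ff:ee SA:00:00:de:ad:be:ef Probe Response (CorpWiFi) [1.0* 2.0* 5.5* 11.0* Mbit] CH: 6, PRIVACY
22:49:25.300000 1.0 Mb/s 2437 MHz 11g -60dB signal antenna 1 BSSID:00:00:de:ad:be:ef DA:00:00:de:ad:be:ef SA:c0:ff:ee:c0:ff:ee Assoc Request (CorpWiFi) [1.0 2.0 5.5 11.0 Mbit]
""".splitlines()

FRAME_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?"
    r"BSSID:(?P<bssid>\S+) DA:(?P<da>\S+) SA:(?P<sa>\S+) "
    r"(?P<type>Beacon|Probe Request|Probe Response|Assoc Request|Reassoc Request)"
    r"(?: \((?P<ssid>[^)]*)\))?(?P<rest>.*)$"
)


def parse_frame(line):
    """Return the management-frame fields of one tcpdump line, or None if it is not one."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    rest = f.pop("rest")
    ch = re.search(r"CH: (\d+)", rest)
    f["channel"] = int(ch.group(1)) if ch else None
    f["privacy"] = "PRIVACY" in rest      # privacy bit set in the capability field
    f["ssid"] = f["ssid"] or ""           # hidden networks beacon with an empty name
    return f


def _new_network():
    return {"ssid": "", "hidden": False, "beacons": 0, "channel": None,
            "privacy": False, "resolved_from": None}


def audit(lines):
    """Return (networks keyed by BSSID, SSIDs each client probed for)."""
    networks = {}
    clients = defaultdict(set)
    for line in lines:
        f = parse_frame(line)
        if f is None:
            continue
        if f["type"] == "Beacon":
            n = networks.setdefault(f["bssid"], _new_network())
            n["beacons"] += 1
            n["channel"], n["privacy"] = f["channel"], f["privacy"]
            if f["ssid"]:
                n["ssid"] = f["ssid"]
            else:
                n["hidden"] = True
        elif f["type"] in ("Probe Response", "Assoc Request", "Reassoc Request"):
            # A <Hidden SSID> AP still names itself when answering a probe, and the
            # client names it when associating: this is the name-recovery step.
            n = networks.setdefault(f["bssid"], _new_network())
            if n["hidden"] and not n["ssid"] and f["ssid"]:
                n["ssid"], n["resolved_from"] = f["ssid"], f["type"]
        elif f["type"] == "Probe Request" and f["ssid"]:
            # Directed probe: the client is leaking a network it remembers.
            clients[f["sa"]].add(f["ssid"])
    return networks, dict(clients)


if __name__ == "__main__":
    nets, probes = audit(SAMPLE_LINES)
    for bssid, n in nets.items():
        name = n["ssid"] or "<Hidden SSID>"
        note = f" (hidden, recovered from {n['resolved_from']})" if n["resolved_from"] else ""
        print(f"{bssid} ch={n['channel']} privacy={n['privacy']} beacons={n['beacons']} {name}{note}")
    for mac, ssids in probes.items():
        print(f"client {mac} probes for: {', '.join(sorted(ssids))}")
```

Feed it `tcpdump -e -n -i mon0 -l | python3 audit.py` style input, or a saved text dump; the probe-request list is the same information Kismet shows under Autogroup Probe, and the recovered hidden name is what a de-auth would otherwise be used to force out of a client.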

Page 48

airgraph-ng
•  Show me some charts!
•  CAPR
   –  Client to Access Point Relationship
   –  Which clients are connected to each AP, easy to read
•  CPG
   –  Common Probe Graph
   –  Which networks (SSIDs) clients are probing for, i.e. have previously connected to
•  Where are they, and what is the security setting?
•  Low hanging corporate fruit

Page 49

Setup
•  airgraph-ng does not read from pcaps
•  Needs airodump .csv output
•  Convert!
•  Output temp-01.csv can be used with airgraph-ng

   # airodump-ng -r interop.pcap -w temp
   ^C (when the entire pcap has been read)

   # airgraph-ng -i temp-01.csv -o interop-capr.png -g CAPR
   # airgraph-ng -i temp-01.csv -o interop-cpg.png -g CPG

Page 50

CAPR (example graph; image not reproduced)

Page 51

CPG (example graph; image not reproduced)

Page 52

Hands on – Your turn!
•  Generate your own .csv files using airodump
•  Generate both CAPR and CPG graphs with airgraph-ng
•  Examine CAPR for networks and clients where a de-auth might yield results (WPA* PSK, <Hidden SSID>)
•  Examine CPG graphs for low hanging fruit, i.e. machines that have connected to both a “home” and a “corporate” network
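The CAPR and CPG pictures come from the same airodump-ng CSV, so the checklist above can be automated and run on every capture. The block below is an added example, not code from the workshop or the aircrack-ng project: it parses a constructed airodump-ng CSV (real two-table layout, made-up networks), rebuilds the client-to-AP and common-probe relationships, and flags what the hands-on asks for: PSK and hidden networks worth a targeted de-auth, open or WEP networks, clients that probe for both a corporate SSID and something else, and clients sitting on an open network while remembering a corporate one. CORP_SSIDS is a hypothetical list of your own network names.

```python
"""Rebuild airgraph-ng's CAPR/CPG relationships from airodump-ng CSV output.

Added example, not code from the workshop or the aircrack-ng project. Parses the CSV
that `airodump-ng -w <prefix>` writes: an AP table, a blank line, then a station table
whose last column is a comma-separated list of probed ESSIDs. SAMPLE_CSV is constructed.
"""
import csv
import io

SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:00:de:ad:be:ef, 2014-09-29 22:49:24, 2014-09-29 22:51:10,  6,  54, WPA2, CCMP, PSK, -48,       120,        0,   0.  0.  0.  0,   8, CorpWiFi, 
00:11:22:33:44:55, 2014-09-29 22:49:24, 2014-09-29 22:51:10,  1,  54, WPA2, CCMP, MGT, -55,        98,        0,   0.  0.  0.  0,  10, CorpSecure, 
66:77:88:99:aa:bb, 2014-09-29 22:49:30, 2014-09-29 22:51:00, 11,  54, OPN,  ,  , -70,        40,        0,   0.  0.  0.  0,   5, Guest, 
aa:bb:cc:dd:ee:ff, 2014-09-29 22:50:01, 2014-09-29 22:51:05,  6,  11, WEP, WEP,  , -61,        50,      212,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
c0:ff:ee:c0:ff:ee, 2014-09-29 22:49:24, 2014-09-29 22:51:00, -62,       35, 00:00:de:ad:be:ef, CorpWiFi,HomeNet
c0:ff:ee:00:00:01, 2014-09-29 22:49:40, 2014-09-29 22:50:50, -66,       12, 66:77:88:99:aa:bb, Guest,CorpSecure,attwifi
c0:ff:ee:00:00:02, 2014-09-29 22:49:41, 2014-09-29 22:50:55, -80,        3, (not associated), xfinitywifi
c0:ff:ee:00:00:03, 2014-09-29 22:49:50, 2014-09-29 22:50:58, -59,       20, 00:11:22:33:44:55, 
"""

CORP_SSIDS = {"CorpWiFi", "CorpSecure"}   # hypothetical: the organisation's own SSIDs
NOT_ASSOCIATED = "(not associated)"


def parse_airodump_csv(text):
    """Return ({bssid: ap}, {station_mac: station}) from airodump-ng CSV text."""
    ap_part, _, sta_part = text.strip("\n").partition("\n\n")
    aps, stations = {}, {}
    for row in csv.reader(io.StringIO(ap_part), skipinitialspace=True):
        if len(row) < 14 or row[0] == "BSSID":
            continue
        aps[row[0]] = {"channel": int(row[3]), "privacy": row[5], "cipher": row[6],
                       "auth": row[7], "essid": row[13]}
    for row in csv.reader(io.StringIO(sta_part), skipinitialspace=True):
        if len(row) < 6 or row[0] == "Station MAC":
            continue
        # Every field after the BSSID is one probed ESSID (the column is comma-separated).
        stations[row[0]] = {"bssid": row[5],
                            "probes": [p.strip() for p in row[6:] if p.strip()]}
    return aps, stations


def capr(aps, stations):
    """Client-to-AP relationships: BSSID -> associated client MACs (what the CAPR graph draws)."""
    rel = {bssid: set() for bssid in aps}
    for mac, s in stations.items():
        if s["bssid"] != NOT_ASSOCIATED:
            rel.setdefault(s["bssid"], set()).add(mac)
    return rel


def cpg(stations):
    """Common probe graph: probed SSID -> client MACs asking for it."""
    graph = {}
    for mac, s in stations.items():
        for ssid in s["probes"]:
            graph.setdefault(ssid, set()).add(mac)
    return graph


def low_hanging_fruit(aps, stations, corp_ssids):
    """Findings as (kind, subject, detail) tuples, following the hands-on checklist."""
    findings = []
    for bssid, ap in aps.items():
        name = ap["essid"] or "<Hidden SSID>"
        if ap["privacy"] in ("OPN", "WEP"):
            findings.append(("weak-network", bssid, f"{name} is {ap['privacy']}"))
        if ap["auth"] == "PSK" or not ap["essid"]:
            # A de-auth of one client of this AP yields a PSK handshake or the hidden name.
            findings.append(("deauth-target", bssid, f"{name} {ap['privacy']}/{ap['auth'] or '-'}"))
    for mac, s in stations.items():
        corp = set(s["probes"]) & corp_ssids
        other = set(s["probes"]) - corp_ssids
        if corp and other:
            findings.append(("corp+other-probe", mac, f"corp={sorted(corp)} other={sorted(other)}"))
        ap = aps.get(s["bssid"])
        if corp and ap is not None and ap["privacy"] == "OPN":
            findings.append(("corp-client-on-open", mac, f"on {ap['essid']} via {s['bssid']}"))
    return findings


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for bssid, clients in capr(aps, stations).items():
        print(f"CAPR {bssid} ({aps[bssid]['essid'] or '<Hidden SSID>'}): {sorted(clients)}")
    for ssid, clients in cpg(stations).items():
        print(f"CPG  {ssid}: {sorted(clients)}")
    for kind, subject, detail in low_hanging_fruit(aps, stations, CORP_SSIDS):
        print(f"{kind:20} {subject}  {detail}")
```

Point `parse_airodump_csv` at the `temp-01.csv` produced on the Setup slide. A corporate laptop that probes for "CorpSecure" while sitting on an open guest network is exactly the client an evil-twin AP would pick up, which is why the CPG check matters more to a defender than the pretty graph.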

Page 53

De-Auth
•  Spoofing packets from an AP to a client
   –  We don’t want your kind around here anymore…
•  Has legitimate use, un-spoofed
•  Ok, this one is a bit evil
   –  Technically, it is a DoS
   –  Used responsibly for information gathering

Page 54

Why De-auth?
•  Some network info can only be obtained during client connect
•  <Hidden-SSID> network name recovery
   –  As part of additional assessment (WPA PSK, WEP)
•  WPA*-PSK 4-way handshake on client join
   –  Needed to evaluate/crack the PSK
•  WPA-Enterprise 802.1X/EAP exchange (which precedes the 4-way handshake) on client join
   –  Determine the negotiated EAP type
   –  What is expected vs. observed (iOS)
•  Evil uses too

Page 55

aireplay-ng
•  aireplay-ng will inject spoofed de-auth packets
•  Against broadcast* (evil)
•  Against a single client (responsible)
   –  Kismet and CAPR graphs are helpful here

Page 56

Make it so (1)
•  I like to use two wireless cards
•  One to inject de-auths, the other for monitor mode capture
•  Be sure to set correct channels on both!
•  --deauth 0 keeps sending until you interrupt it; use a small count for a single client

   # iwconfig wlan0 channel 9
   # airmon-ng start wlan1 9
   # iwconfig mon0 channel 9

   Terminal 1:
   # aireplay-ng --deauth 0 -e linksys -c c0:ff:ee:c0:ff:ee wlan0

   Terminal 2:
   # tcpdump -s0 -n -i mon0

Page 57

Make it so (2)
•  Can be done with one card with sub-interfaces
•  Unreliable: while the card is transmitting the de-auths, the monitor interface misses packets

   # iwconfig wlan0 channel 9
   # airmon-ng start wlan0 9
   # iwconfig mon0 channel 9

   Terminal 1:
   # aireplay-ng --deauth 0 -e linksys -c c0:ff:ee:c0:ff:ee wlan0

   Terminal 2:
   # tcpdump -s0 -n -i mon0

Page 58

Make it so (3)
•  What if I don’t have the SSID?
   –  i.e. <Hidden SSID>
•  Use the BSSID/MAC address instead

   # aireplay-ng --deauth 0 -b 00:00:de:ad:be:ef -c c0:ff:ee:c0:ff:ee wlan0
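The injection above is also what a defender should expect to see from the other side, and a de-auth flood is easy to tell apart from the occasional legitimate deauth an AP sends. The block below is an added example, not code from the workshop or the aircrack-ng project: it takes deauthentication frames as simple records (time, sender, receiver, BSSID, reason code), as a WIDS sensor or a tshark filter on `wlan.fc.type_subtype == 0x0c` could emit them, and raises an alert when one claimed sender exceeds a rate threshold, noting whether the frames were broadcast and whether the sender address belongs to an AP you manage. The frames, MANAGED_BSSIDS and the thresholds are constructed and hypothetical.

```python
"""Flag de-auth floods in a stream of 802.11 deauthentication frames.

Added example (the defender's side of the aireplay-ng slides), not code from the
workshop or the aircrack-ng project. Frames are constructed (time in seconds, sender,
receiver, BSSID, reason code) records; MANAGED_BSSIDS, WINDOW and THRESHOLD are
hypothetical tuning values.
"""
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
MANAGED_BSSIDS = {"00:00:de:ad:be:ef"}   # hypothetical: the APs you operate
WINDOW = 2.0        # seconds
THRESHOLD = 10      # deauth frames from one claimed sender inside WINDOW

AP, CLIENT, OTHER = "00:00:de:ad:be:ef", "c0:ff:ee:c0:ff:ee", "c0:ff:ee:00:00:09"

# Constructed frames: one legitimate deauth (the AP drops an idle client, reason 4),
# then a targeted burst spoofing both directions, then a broadcast burst.
SAMPLE_FRAMES = [(0.0, AP, OTHER, AP, 4)]
for i in range(64):
    SAMPLE_FRAMES.append((10.0 + i * 0.002, AP, CLIENT, AP, 7))      # "AP" -> client
    SAMPLE_FRAMES.append((10.001 + i * 0.002, CLIENT, AP, AP, 7))    # "client" -> AP
for i in range(32):
    SAMPLE_FRAMES.append((30.0 + i * 0.002, AP, BROADCAST, AP, 7))   # "AP" -> everyone


def summarise_senders(frames, window=WINDOW):
    """Per claimed sender: total frames, broadcast count, targets, peak count in any window."""
    per = {}
    for ts, src, dst, _bssid, _reason in sorted(frames):
        s = per.setdefault(src, {"total": 0, "broadcast": 0, "targets": set(),
                                 "peak": 0, "_recent": deque()})
        s["total"] += 1
        if dst == BROADCAST:
            s["broadcast"] += 1
        else:
            s["targets"].add(dst)
        q = s["_recent"]
        q.append(ts)
        while ts - q[0] > window:      # slide the window forward
            q.popleft()
        s["peak"] = max(s["peak"], len(q))
    for s in per.values():
        del s["_recent"]
    return per


def flood_alerts(frames, window=WINDOW, threshold=THRESHOLD):
    """Senders whose deauth rate reaches threshold frames per window."""
    alerts = []
    for src, s in summarise_senders(frames, window).items():
        if s["peak"] < threshold:
            continue              # isolated deauths are normal AP behaviour
        alerts.append({"sender": src, "peak": s["peak"], "total": s["total"],
                       "broadcast": s["broadcast"], "targets": sorted(s["targets"]),
                       "spoofs_managed_ap": src in MANAGED_BSSIDS})
    return alerts


if __name__ == "__main__":
    for a in flood_alerts(SAMPLE_FRAMES):
        kind = "broadcast" if a["broadcast"] else "targeted"
        who = "spoofing our AP" if a["spoofs_managed_ap"] else "claiming to be a client"
        print(f"ALERT {a['sender']} {kind} deauth flood: peak {a['peak']} in {WINDOW}s, "
              f"{a['total']} total, targets {a['targets']} ({who})")
```

Two senders alert for the targeted burst because the injection spoofs both directions (aireplay-ng reports "Sending 64 directed DeAuth" per count, which the sample burst mimics), while the single frame at t=0 stays below the threshold. A real AP deauthenticating a client produces one frame, not 64 in a tenth of a second.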

Page 59

Review
•  It is important to review what is in the air!
•  Catching Rogue APs
•  Determining angles of attack, low hanging fruit
•  Evaluating the security method in use compared to what is configured
•  Evaluating EAP types and inner-authentication mechanisms (dumb-down attacks)
•  Thinking like an attacker is important!

Page 60

Physical: Olivia Newton-John wants to get…

Page 61

Physical
•  With physical access, compromise requires few or no exploits
   –  It is even more fun when it does!
•  Think about what an attacker could do with physical access to
   –  a receptionist’s workstation
   –  an IT staff member’s workstation
   –  a network closet/IDF
   –  your datacenter…
•  Physical access is often considered “game over”

Page 62

Tools
•  Few “technical” tools exist here
   –  Unless we talk prox/pin pad
   –  Most occasions don’t require anything technical
•  The most powerful tool for this part is your brain
   –  Time, creativity and patience
   –  Thinking outside of the box
   –  Hacking “hardware” from the dumpster
•  How minor gaps in implementation can be used

Page 63

Powers of Observation (1)
•  Observing how physical security systems are implemented!
•  Observing the movements of others over a long period of time
•  Where do cameras point? Are they monitored actively or reactively?
•  How do doors unlock from the outside?
   –  How do they unlock from the inside?
   –  Motion sensor? Capacitive touch bar?
   –  What side are the hinges on?

Page 64

Powers of Observation (2)
•  Under-door gaps? Gaps in door frames?
   –  What can we use out of the dumpster?
   –  Lowes/Home Depot craft time!
•  Other methods of access
   –  Balconies
   –  Loading Docks
•  Unmotivated/Lax building security
•  What do badges look like? To the internet!

Page 65

Social Engineering
•  This is a game unto itself
   –  So many subtleties
•  TL;DR, it is a game of confidence
   –  Act like you belong
   –  Play the part
   –  “Hey, how’s it going?”

Page 66

Dress the Part
•  Back to powers of observation…by others
   –  How will staff perceive you in the organization?
•  How are others dressed?
   –  Construction
   –  Fire extinguisher inspection
   –  Package delivery*
   –  Repair technician*
•  Casual office or professional dress

Page 67

Scenario Based Testing
•  In your own organization you are likely a known quantity
•  Apply your observations to current installs
•  Craft a scenario
   –  test your observations
   –  with permission
   –  with readily available “tools”

Page 68

Policies
•  Physical security design at time of build
   –  Just like DevOps, bake in security
•  Tailgating
•  Reporting of suspicious activity
•  Audit and observe adherence to policy

Page 69

Review
•  Physical security is just like electronic!
•  Requires powers of observation
•  Creative thinking and application of unusual techniques
•  Physical access is often considered “game over”

Page 70

Social Engineering: Because there is no patch for human…

Page 71

Why Does It Work?
•  Desire to be helpful
   –  Par Avion
•  Tendency to trust people
•  Fear of getting into trouble
   –  Daisy
•  Willingness to cut corners
•  http://www.social-engineer.org/framework

Page 72

Elements of a Good Phish
•  Urges the recipient to take action
•  Targets an emotional response
•  Mimics content from a trusted source
•  Spoofs the source to appear legitimate
•  Bypasses mail security controls
   –  http://arstechnica.com/information-technology/2014/02/16/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/

Page 73

Recon-ng
•  Modular reconnaissance framework
•  Created by Tim Tomes
•  Enumerate
   –  Hosts
   –  Domains
   –  Names
   –  Email addresses

Page 74

Recon-ng Commands
•  show modules
•  workspaces add interop
•  add domains inguardians.com
•  load netcraft
•  load bing_domain_web
•  load google_site_web
•  load brute_hosts
•  search contacts
•  load facebook
•  load linkedin_crawl
•  load mangle
•  load html

Page 75

Other Recon Tools
•  theharvester
   –  This is included on the VM
•  FOCA
   –  Windows only but great at identifying docs and pulling metadata including usernames, software versions, servers, network shares, etc.
•  Maltego
   –  Great tool for identifying relationships between hosts, networks, identities and more.
•  metagoofil
   –  metadata
   –  A little dated but still very useful

Page 76

Phishing Frenzy
•  Services
   –  Apache2
   –  Redis
   –  MySQL
   –  Beef-xss
   –  /var/www/phishing-frenzy
•  bundle exec sidekiq -C config/sidekiq.yml
•  Creds: admin / Inter0p!
•  Documentation:
   –  http://phishingfrenzy.com/

Page 77

WEB APPLICATION TESTING
Everything has a web interface these days

Page 78

Automated Discovery
•  Nikto
•  Wpscan
•  Dirb
•  Arachni

Page 79

Manual Discovery
•  Burp Suite
•  OWASP ZAP
•  Fiddler

Page 80

Vulnerable Web Apps in Class VM
•  http://dojo-basic
   –  Includes OWASP Top 10 vulnerabilities
•  http://dvwa
   –  Damn Vulnerable Web App
•  http://dojo-scavenger
   –  Find the Keys

Note: The Dojo-Basic and Dojo-Scavenger apps are included from the Samurai WTF project

Page 81

Introduction to
MOBILE APP/DEVICE TESTING

Page 82

Overview
•  Static analysis
•  Runtime analysis and system level monitoring
•  Network analysis
•  Web site, web service, API

Page 83

Review EULAs and Privacy Policies
•  I <3 policy review!
   –  That stuff is for the FNG
•  Most apps point to their website for current policies
   –  Privacy Policy
   –  End User License Agreement (EULA)
   –  Terms and Conditions
•  Not all apps/sites have a privacy policy

Page 84

Common Tools
•  SSH
•  VNC server
•  A compiler (Xcode, gcc, agcc)
•  Android SDK (adb, monitor)
•  Jailbroken iDevice
•  Rooted Android device
•  Ubertooth (Bluetooth analysis)

Page 85

Static Analysis
•  iOS
   –  otool
   –  class-dump-z
   –  dumpdecrypted (or Clutch)
   –  iNalyzer
   –  iRet
   –  IDA
•  Android
   –  apktool
   –  dex2jar
   –  Java decompiler (jd-gui)
   –  Androguard

Page 86

Dynamic (Runtime) Analysis
•  Debugger
   –  gdb, eclipse, IDA
•  Memory dumper
   –  LiME, dumpheap
•  Monitor (Android)
•  mac-robber
•  Snoop-it
•  IDA / Hopper
•  Network sniffing
   –  Tcpdump / Wireshark
   –  Network Miner
•  iRet

Page 87

Server Side Analysis
•  Port scanner (nmap)
•  Vulnerability scanner (Nessus, Nexpose)
•  Web proxy (Burp, ZAP, Fiddler)
•  Web vulnerability scanner (Burp, Arachni)

•  Do not perform without authorization!

Page 88

NEXT STEPS
Where to go from here…

Page 89

Next Steps
•  Build your own lab
   –  VMWare (ESXi), VirtualBox, Hyper-V
   –  Vulnhub.com
   –  Network equipment (HW or SW)
•  Certifications
   –  OSCP
   –  GPEN, GPWN, GXPN
•  Bug Bounties

Page 90

POWERSHELL
It’s everywhere you want to be…

Page 91

Offensive Powershell
•  Great for bypassing antivirus and application whitelisting
•  On current Windows workstation and server operating systems
•  More and more offensive tools are leveraging Powershell

Page 92

Offensive Powershell Projects
•  Powersploit
   –  https://github.com/mattifestation/PowerSploit
•  Veil PowerTools
   –  PowerView provides incredible insight into AD environments
   –  https://github.com/Veil-Framework/PowerTools
•  There are some others but these are my “go to” tools once inside.

Page 93

Thank You
•  Teaching Assistants
   –  Larry Pesce – InGuardians
   –  Joseph Wilson – University of Florida
   –  Bryce Lay – ComSys
•  Interop Staff
•  InGuardians
•  My wife and family

Page 94

Contact Information
•  Contact information:
   John H Sawyer
   [email protected]
   @johnhsawyer
   352-389-4704
•  Slides: https://www.sploitlab.com

Page 95

Additional Links
•  https://github.com/danielmiessler/SecLists
   –  Great for feeding into Burp Intruder and Dirb
•  http://pwnwiki.io/#!index.md
   –  Excellent post exploitation information
•  Namecheap.com
   –  Cheap domains and SSL cert for about $12
•  Verizon Data Breach Investigation Report
   –  http://www.verizonenterprise.com/DBIR/