tactical exploitation - the other way to pentest

Upload: pappu-khan

Post on 03-Jun-2018

TRANSCRIPT

  • 8/12/2019 Tactical Exploitation - The Other Way to Pentest

  • 1/79  Tactical Exploitation: the other way to pen-test
    hdm / valsmith
    Black Hat USA 2007
    Las Vegas, August 2007

  • 2/79  who are we?
    H D Moore: BreakingPoint Systems // Metasploit
    Valsmith: Offensive Computing // Metasploit

  • 3/79  why listen?
    A different approach to pwning
    Lots of fun techniques, new tools
    Real-world tested :-)

  • 4/79  what do we cover?
    Target profiling
    Discovery tools and techniques
    Exploitation
    Getting you remote access

  • 5/79  the tactical approach
    Vulnerabilities are transient
    Target the applications, target the processes, target the people, target the trusts
    You WILL gain access.

  • 6/79  the tactical approach
    Crackers are opportunists
    Expand the scope of your tests: everything is fair game
    What you don't test... someone else will!

  • 7/79  the tactical approach
    Hacking is not about exploits
    The target is the data, not r00t
    Hacking is using what you have: passwords, trust relationships, service hijacking, auth tickets

  • 8/79  (image only)

  • 9/79  personnel discovery
    Identifying the meatware
    Google, newsgroups, SensePost tools, Evolution from Paterva.com

  • 10/79  personnel discovery
    These tools give us: full names, usernames, email; employment history; phone numbers; personal sites

  • 11/79  personnel discovery (image only)

  • 12/79  personnel discovery
    Started with company and jobs
    Found online personnel directory
    Found people with access to data
    Found resumes, email addresses
    Email name = username = target

  • 13/79  personnel discovery
    Joe Targetstein works as lead engineer in the semiconductor department
    Email address: joet@company.com
    Old newsgroup postings show joet@joesbox.company.com
    Now we have a username and a host to target to go after semiconductor information
  • 14/79  network discovery
    Identify your target assets
    Find unknown networks
    Find third-party hosts
    Dozens of great tools... let's stick to the less-known ones

  • 15/79  network discovery
    The overused old busted: whois, Google, zone transfers, reverse DNS lookups

  • 16/79  network discovery
    The shiny new hotness: other people's services
    CentralOps.net, DigitalPoint.com, DomainTools.com, Paterva.com

  • 17/79  network discovery
    DomainTools vs Defcon.org (listings per domain):
    1. Darktangent.net: 0 / 0 / 0
    2. Defcon.net: 0 / 0 / 0
    3. Defcon.org: 1 / 18 / 1
    4. Hackerjeopardy.com: 0 / 0 / 0
    5. Hackerpoetry.com: 0 / 0 / 0
    6. Thedarktangent.com: 0 / 0 / 0
    7. Thedarktangent.net: 0 / 0 / 0
    8. Thedarktangent.org: 0 / 0 / 0

  • 18/79  network discovery
    DomainTools vs Defcon.net (listings per domain):
    1. 0day.com: 0 / 0 / 0
    2. 0day.net: 0 / 0 / 0
    3. Darktangent.org: 0 / 0 / 0
    [snipped personal domains]
    12. Security…en.com: 0 / 0 / 0
    13. Zeroday.com: 0 / 0 / 0

  • 19/79  network discovery
    What does this get us?
    Proxied DNS probes, transfers
    List of virtual hosts for each IP
    Port scans, traceroutes, etc.
    Gold mine of related info

  • 20/79  network discovery
    Active discovery techniques
    Trigger SMTP bounces
    Brute force HTTP vhosts
    Watch outbound DNS
    Just email the users!

  • 21/79  network discovery
    Example bounce headers (the gateway and the internal relay name are exposed; parts are censored on the slide):
      Received: from unknown [HELO gateway1.rsasecurity.com] (216.162.240.20)
        by [censored] with … 28 Jun 2007 …
      Received: from hyperion.rsasecurity.com by gateway1.rsasecurity.com
        via smtpd (for [censored] [xxx.xxx.xxx.xxx]) with … Thu, 28 Jun 2007 16:11:2… -0400
        by hyperion.na.rsa.net (…)
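Slides 20 and 21 show an SMTP bounce whose Received: chain names the internal relay. The checker below is an added example, not the authors' tooling: it parses a constructed bounce (every host name and address is a placeholder) and reports RFC 1918 addresses and host names outside an assumed set of public-facing domains, which is the same leak viewed from the defending side:

```python
"""Audit the Received: chain of a bounce for internal names and addresses."""
import ipaddress
import re
from email import message_from_string

# Assumed public-facing domains of the organisation being checked.
PUBLIC_DOMAINS = {"example.com", "observer.test"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed bounce modelled on the gateway -> internal-relay chain in the talk.
SAMPLE_BOUNCE = """\
Received: from unknown [HELO gateway1.example.com] (198.51.100.20)
  by mx.observer.test with SMTP; 28 Jun 2007 16:11:25 -0400
Received: from hyperion.example.com by gateway1.example.com
  via smtpd (for mx.observer.test [203.0.113.5]) with SMTP; Thu, 28 Jun 2007 16:11:20 -0400
Received: from mailstore02.corp.example.internal (10.20.30.40)
  by hyperion.example.com with ESMTP; Thu, 28 Jun 2007 16:11:19 -0400
From: postmaster@example.com
Subject: Undeliverable mail

The original message was not delivered.
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def is_public_host(host, public_domains=PUBLIC_DOMAINS):
    """True when host is one of, or lies under, the public-facing domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in public_domains)


def audit_received(raw_message, public_domains=PUBLIC_DOMAINS):
    """Return sorted (kind, value) findings gathered from every Received: header."""
    msg = message_from_string(raw_message)
    findings = set()
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())            # unfold continuation lines
        for ip in IPV4_RE.findall(text):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if any(addr in net for net in RFC1918):
                findings.add(("private-ip", ip))
        for host in HOST_RE.findall(text):
            if IPV4_RE.fullmatch(host):            # dotted quads were handled above
                continue
            if not is_public_host(host, public_domains):
                findings.add(("internal-host", host.lower()))
    return sorted(findings)


if __name__ == "__main__":
    for kind, value in audit_received(SAMPLE_BOUNCE):
        print(f"{kind:14s} {value}")
```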

  • 22/79  application discovery
    If the network is the toast... applications are the butter
    Each app is an entry point
    Finding these apps is the trick

  • 23/79  application discovery
    Tons of great tools: Nmap, Amap, Nikto, Nessus, commercial tools

  • 24/79  application discovery
    Slow and steady wins the deface
    Scan for a specific port, one port only
    IDS/IPS can't handle slow scans
    Ex. nmap -sS -P0 -T 0 -p 1433 ips

  • 25/79  application discovery
    Example target had a custom IDS to detect a large number of host connections
    Standard nmap lit up the IDS like XMAS
    One-port slow scan never detected
    Know OS based on port (139/…)
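Slides 24 and 25 explain why a one-port scan with one probe every few minutes slips past a burst-oriented IDS. The detector below is an added example, not code from the talk: it applies the same per-source distinct-target count over a long window as well as a short one, using constructed flow records (the addresses, port and timing are assumed):

```python
"""Long-window detector for slow, single-port sweeps (the nmap -T 0 -p 1433 pattern)."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed flow records: one SYN every 5 minutes from a single source to
    port 1433 on 40 different hosts, plus unrelated background traffic."""
    lines = []
    base = datetime(2007, 8, 1, 0, 0, 0)
    for i in range(40):
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 10.0.0.{i + 1} 1433 S")
    lines.append("2007-08-01T00:01:00 198.51.100.9 10.0.0.5 80 S")
    lines.append("2007-08-01T00:02:00 198.51.100.9 10.0.0.5 443 S")
    return "\n".join(lines) + "\n"


def parse_flows(text):
    """Parse '<ISO time> <src> <dst> <dport> <flags>' lines into sorted tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, _flags = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows)


def distinct_targets_in_window(flows, window):
    """For each (src, dport): the most distinct destinations seen inside any
    window of the given length, sliding the window start over every flow."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dport)].append((ts, dst))
    peaks = {}
    for key, events in by_key.items():
        best = 0
        for i, (start, _) in enumerate(events):
            seen = {dst for ts, dst in events[i:] if ts < start + window}
            best = max(best, len(seen))
        peaks[key] = best
    return peaks


def burst_detector(flows, window=timedelta(minutes=1), min_hosts=10):
    """Classic IDS logic: many distinct hosts from one source in a short window."""
    peaks = distinct_targets_in_window(flows, window)
    return {src for (src, _), n in peaks.items() if n >= min_hosts}


def slow_sweep_detector(flows, window=timedelta(hours=6), min_hosts=20):
    """Same count over a long window: catches one-port-at-a-time T0 sweeps."""
    peaks = distinct_targets_in_window(flows, window)
    return {key: n for key, n in peaks.items() if n >= min_hosts}


if __name__ == "__main__":
    flows = parse_flows(build_sample_log())
    print("burst detector:", burst_detector(flows) or "nothing")
    print("slow-sweep detector:", slow_sweep_detector(flows))
```

The burst detector stays silent on the sample while the six-hour window reports the sweeping source with all 40 targets on port 1433.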

  • 26/79  application discovery
    Target had an internal app for software licensing / distribution
    ~10,000 nodes had the app installed
    A couple of hours with IDA/OllyDbg showed a static Admin password in the app's memory
    All accessible nodes owned, 0 exploits used

  • 27/79  application discovery
    Web Application Attack and Audit Framework (W3AF): "Metasploit for the web"
    Metasploit 3 scanning modules
    Scanning mixin

  • 28/79  application discovery (image only)

  • 29/79  client app discovery
    Client applications are fun!
    Almost always exploitable
    Easy to fingerprint remotely
    Your last-chance entrance

  • 30/79  client app discovery
    Common probe methods
    Mail links to the targets
    Review exposed web logs
    Send MDNs to specific victims
    Abuse all, everyone, team aliases

  • 31/79  process discovery
    Track what your target does
    Activity via IP ID counters
    Last-modified headers
    FTP server statistics

  • 32/79  process discovery
    Look for patterns of activity
    Large IP ID increments at night
    FTP stats at certain times (Microsoft FTP SITE STATS)
    Web pages being uploaded: check timestamps on images

  • 33/79  process discovery
    Existing tools? None, really... easy to script
    Use "hping" for IP ID tracking
    Use netcat for SITE STATS

  • 34/79  process discovery
    (SITE STATS command counters from ftp.microsoft.com; Uptime: 47 days)

  • 35/79  process discovery
    (IP ID monitoring graph)

  • 36/79  5 Minute Break
    Come back for the exploits!

  • 37/79  re-introduction
    In our last session... discovery techniques and tools
    In this session... compromising systems!

  • 38/79  external network
    The crunchy candy shell
    Exposed hosts and services
    VPN and proxy services
    Client-initiated sessions

  • 39/79  attacking ftp transfers
    Active FTP transfers: clients often expose data ports
    NAT + Active FTP = firewall hole
    Passive FTP transfers: data port hijacking, DoS at least
    pasvagg.pl still works just fine :-)

  • 40/79  attacking web servers
    Brute force vhosts, files, dirs: http://www.cray.com/old/
    Source control files left in root: http://www.achsong.com/CVS/Entries

  • 41/79  attacking web servers
    Apache Reverse Proxying:
      GET /%00 HTTP/1.1
      Host: realhost.com
    Apache Dynamic Virtual Hosting:
      GET / HTTP/1.1
      Host: %00/

  • 42/79  load balancers
    Cause load balancer to "leak" internal IP information
    Use TCP half-close HTTP request
    Alteon ACEdirector good example

  • 43/79  load balancers
    ACEdirector mishandles TCP half-close requests
    Behavior can be used as signature for existence of load balancer
    Direct packets from real webserver forwarded back to client (with IP)

  • 44/79  cgi case study
    Web host with 000's of sites
    Had demo CGI for customers
    CGI had directory traversal: www.host.com/cgi-bin/[…]/../../cgi
    CGI executable + writable on every directory
    Common on web hosts!

  • 45/79  cgi case study
    Enumerated: usernames, dirs, backup files, other CGI scripts, VHOSTS

  • 46/79  cgi case study
    Target happened to run Solaris
    Solaris treats dirs as files: cat /dirname = ls /dirname
    http://www.host.com/cgi-bin/[…]/../../../[…]

  • 47/79  cgi case study
    Found CGI script names
    Googled for vulns
    Gained shell 00's of different ways
    Owned due to variety of layered configuration issues
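The CGI case study (slides 44 to 47) hinges on a script that joins a request parameter onto a path and on Solaris returning directory contents for a file read. The code below is an added example, not the hosting provider's CGI: the deliberately defective handler next to a hardened one that resolves the path, requires it to stay under the document root and refuses anything but regular files. It runs against a throwaway directory tree it builds itself:

```python
"""Traversal-prone file handler beside a hardened one."""
import os
import stat
import tempfile


def serve_vulnerable(root, requested):
    """Defective on purpose: plain join, no containment check, so ../ escapes root."""
    with open(os.path.join(root, requested), "rb") as f:
        return f.read()


def serve_hardened(root, requested):
    """Return the file's bytes only for regular files inside root, else None."""
    root = os.path.realpath(root)
    # realpath collapses ../ and follows symlinks before the containment test
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        return None                         # escaped the document root
    try:
        st = os.stat(target)
    except OSError:
        return None                         # missing or unreadable
    if not stat.S_ISREG(st.st_mode):        # no directories, devices, sockets
        return None
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Build a throwaway tree, exercise both handlers and return the outcomes."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "a.txt"), "wb") as f:
        f.write(b"public")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"private")                 # lives outside the document root
    escape = os.path.join("..", "secret.txt")
    return {
        "vuln_escapes": serve_vulnerable(root, escape),
        "hard_escapes": serve_hardened(root, escape),
        "hard_ok": serve_hardened(root, os.path.join("docs", "a.txt")),
        "hard_dir": serve_hardened(root, "docs"),
        "hard_missing": serve_hardened(root, "nope.txt"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result!r}")
```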

  • 48/79  attacking dns servers
    Brute force host names
    XID sequence analysis: BIND 9: PRNG / birthday; VxWorks: XID = XID + 1
    Return extra answers in response
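Slide 48 names two transaction ID weaknesses, a counter that just increments and a PRNG with too little range, and the birthday attack that exploits a small ID space. The following is an added example, not the authors' tooling: it classifies a captured XID sequence from your own resolver and computes the birthday bound for a 16-bit ID space. The three sequences are constructed:

```python
"""Classify DNS transaction ID sequences and compute the 16-bit birthday bound."""
import math
import random


def fraction_incrementing(xids):
    """Share of consecutive pairs where the next XID equals previous + 1 (mod 2^16)."""
    pairs = list(zip(xids, xids[1:]))
    if not pairs:
        return 0.0
    hits = sum(1 for a, b in pairs if (b - a) % 65536 == 1)
    return hits / len(pairs)


def effective_bits(xids):
    """Bits that actually vary across the sample: log2 of the observed value span."""
    span = max(xids) - min(xids) + 1
    return math.log2(span)


def assess_xids(xids, bits_wanted=15.0):
    """Return 'sequential', 'low-range' or 'ok' for a captured XID sequence."""
    if fraction_incrementing(xids) > 0.5:
        return "sequential"
    if effective_bits(xids) < bits_wanted:
        return "low-range"
    return "ok"


def birthday_collision_probability(k, space=65536):
    """P(at least one collision) among k IDs drawn uniformly from `space` values."""
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * space))


def queries_for_collision(p_target=0.5, space=65536):
    """Smallest number of outstanding queries whose collision probability reaches p_target."""
    k = 1
    while birthday_collision_probability(k, space) < p_target:
        k += 1
    return k


# Constructed samples: a plain counter, a 10-bit PRNG and a full 16-bit PRNG.
SEQUENTIAL = [(4000 + i) % 65536 for i in range(64)]
_rng = random.Random(7)
LOW_RANGE = [_rng.randrange(1024) for _ in range(64)]
FULL_RANGE = [_rng.randrange(65536) for _ in range(64)]

if __name__ == "__main__":
    for name, xs in (("counter", SEQUENTIAL), ("10-bit", LOW_RANGE), ("16-bit", FULL_RANGE)):
        print(f"{name:8s} {assess_xids(xs):10s} {effective_bits(xs):5.1f} bits")
    print("queries for a 50% birthday collision in 16 bits:", queries_for_collision())
```

Even the "ok" case shows why a 16-bit XID alone is thin: a few hundred outstanding queries already give even odds of a collision, which is why source-port randomisation matters on top of it.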

  • 49/79  authentication relays
    SMB/CIFS clients are fun! Steal hashes, redirect, MITM
    NTLM relay between protocols: SMB/HTTP/SMTP/POP3/IMAP
    More on this later...

  • 50/79  social engineering
    Give away free toys: CDROMs, USB keys, N800s
    Replace PS with OpenWRT
    Cheap and easy to make

  • 51/79  internal network
    The soft chewy center
    This is the fun part :)
    Easy to trick clients

  • 52/79  netbios services
    NetBIOS names are magic: WPAD, CALICENSE

  • 53/79  dns services
    Microsoft DNS + DHCP = fun
    Inject host names into DNS
    Hijack the entire network
      dhcpcd -h WPAD -i eth0

  • 54/79  hijacking NTLM
    Quickly own all local workstations
    Gain access to mail and web sites
    A new twist on "smbrelay.cpp"
    Yes, it was released in 2001. Now implemented in Metasploit 3

  • 55/79  hijacking NTLM
    1. MITM all outbound web traffic
       Cache poison the "WPAD" host
       Plain old ARP spoofing
       DHCP / NetBIOS + "WPAD"
       Run a rogue WiFi access point
       Manipulate TOR connections

  • 56/79  hijacking NTLM
    2. Redirect HTTP requests to "intranet"
       WPAD + SOCKS server
       SQUID + transparent proxying
       302 Redirect

  • 57/79  hijacking NTLM
    3. Return HTML page with UNC link
       IE 5/6/7
       Firefox: moz-icon-url:file:////ip/[…]
       Third-party plugins: Adobe PDF Viewer, Windows Media Player, Microsoft Office

  • 58/79  hijacking NTLM
    4. Accept SMB connection and relay
       Accept connection from the client
       Connect to the target server (or client)
       Ask target for Challenge Key
       Provide this Key to the client
       Allow the client to authenticate

  • 59/79  hijacking NTLM
    5. Executing remote code
       Disconnect the client
       Use authenticated session
       ADMIN$ + Service Control Manager
       Access data, call RPC routines, etc.
       Access the remote registry

  • 60/79  hijacking NTLM (image only)

  • 61/79  file servers
    NAS appliances are safe and secure?
    Don't worry, the vendor sure doesn't
    Unpatched Samba daemons: Snap, TeraServer, OS X, etc.
    Inconsistent file permissions: AFP vs NFS vs SMB

  • 62/79  samba is awesome
    1999 called, want their bugs back
    Remember those scary "NULL Sessions"?
    Samba ENUM / SIDs / user listing
    Massive information leaks via DCERPC: shares, users, policies
    Brute force accounts (no lockout)

  • 63/79  smb case study
    Old bugs back to haunt new boxes
    Found OS X box running SMB
    User sent mail touting OS X sec
    Previous scans had found vulns
    User: "false positive, it's OS X"
    Us: "Owned"

  • 64/79  smb case study
    Performed Null Session: net use \\osxsmb\ipc$ "" /user:
    Enumerated users and shares
    Brute forced several user accounts
    Got shell, escalated to root
    User: "but . . but . . it's OS X!"

  • 65/79  samba vs metasploit
    Metasploit modules for Samba
    Linux (vsyscall + targets), Mac OS X (PPC/x86), Solaris (SPARC, x86)
    Auxiliary PoCs

    n+s ser!icesn+s ser!ices

  • 8/12/2019 Tactical Exploitation - The Other Way to Pentest

    66/79

    Las Vegas August 2007

    n+s ser!icesn+s ser!ices

    670 is 'our friend Dont forget its eas' cousin 650

    0can for port @ 2PG showmo(nt -e / showmo(nt -a

    /hats e)ported! whose mounting

    n+s ser!icesn+s ser!ices

  • 8/12/2019 Tactical Exploitation - The Other Way to Pentest

    67/79

    Las Vegas August 2007

    n+s ser!icesn+s ser!ices

    ()ported 670 home directories 5mportant target1

    5f 'ou get control ;wn ever' nodethat mounts it

    n+s ser!icesn+s ser!ices

  • 8/12/2019 Tactical Exploitation - The Other Way to Pentest

    68/79

    Las Vegas August 2007

    n+s ser!icesn+s ser!ices

    5f 'ou are root on home server ?ecome an'one E650@su% Harvest *nown+hostsfiles Harvest allowe'+*eys

    Modif' .login! etc. U insert tro4ans

    n+s ser!icesn+s ser!ices

  • 8/12/2019 Tactical Exploitation - The Other Way to Pentest

    69/79

    Las Vegas August 2007

    n+s ser!icesn+s ser!ices

    0oftware distro servers are fun1 All nodes access over 670 /rite to software distro directories &ro4an ever' node at once

    6o e)ploits needed1
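Slides 66 to 69 single out exported home directories and software distribution trees. The exports audit below is an added example, not from the talk: it assumes Linux-style /etc/exports syntax, a constructed exports file and an assumed list of sensitive path prefixes, and flags world-visible exports, read-write exports with no_root_squash, and sensitive trees exported writable:

```python
"""Audit an /etc/exports file for the exposures the NFS slides describe."""
import re

# Constructed sample, not a real host's configuration.
SAMPLE_EXPORTS = """\
# exports of a hypothetical home/software server
/export/home        *(rw,sync)
/export/software    10.0.0.0/24(rw,no_root_squash) 10.0.1.0/24(ro)
/export/pub         *(ro,sync)
/srv/data           appserver.example.test(rw,sync,root_squash)
"""

# Assumed prefixes of trees whose writability hands out every mounting client.
SENSITIVE_PREFIXES = ("/export/home", "/home", "/export/software", "/opt/dist")

# Either "client(opt,opt)" or a bare "client" with default options.
ENTRY_RE = re.compile(r"(\S+)\((.*?)\)|(\S+)")


def parse_exports(text):
    """Return [(path, [(client, {options}), ...]), ...], ignoring comments."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for with_opts, opts, bare in ENTRY_RE.findall(rest):
            client = with_opts or bare
            options = {o.strip() for o in opts.split(",") if o.strip()}
            clients.append((client, options))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return sorted (path, client, issue) findings."""
    findings = set()
    for path, clients in parse_exports(text):
        for client, opts in clients:
            world = client == "*" or client.startswith("*.")
            writable = "rw" in opts
            if world:
                findings.add((path, client, "world-exported"))
            if writable and "no_root_squash" in opts:
                findings.add((path, client, "rw-no-root-squash"))
            if writable and path.startswith(SENSITIVE_PREFIXES):
                findings.add((path, client, "sensitive-tree-writable"))
    return sorted(findings)


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{issue:24s} {path} -> {client}")
```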

  • 70/79  file services
    Example: all nodes were diskless / patched
    Clients got software from NFS server
    We hacked the software server
    Using trust hijacking (explained later), inserted trojaned GNU binaries
    000's of nodes sent us shells

  • 71/79  trust relationships
    The target is unavailable to YOU, not to another host you can reach...
    Networks may not trust everyone, but they often trust each other :)

  • 72/79  trusts
    Deal with firewalls/TCP wrappers/ACLs
    Find a node that is accepted and own it
    People wrapper Unix and leave Windows open
    Hack the Windows box and port forward past wrappers

  • 73/79  trusts
    Example: mixed network with Unix wrapperd
    Target Solaris homedir server
    Had auth credentials but couldn't reach port
    Found vulnerable Win box, owned / installed port forward to homedir port

  • 74/79  hijacking SSH
    Idea is to abuse legitimate users' access over SSH
    If a user can access other systems, why can't you (even without the user's password)?
    One time passwords? No problem!
    Intel gathering

  • 75/79  hijacking SSH
    Available tools: Metalstorm ssh hijacking, trojaned ssh clients, SSH master modes
    Don't forget TTY hijacking: Appcap, TTYWatcher
    Who suspects a dead SSH session?

  • 76/79  hijacking SSH (image only)

  • 77/79  hijacking Kerberos
    Kerberos is great for one time authentication . . even for hackers
    Idea is to become a user and hijack Kerberos tickets
    Gain access to other trusted nodes

  • 78/79  hijacking Kerberos (image only)

  • 79/79  Conclusion
    Compromise a "secure" network
    Determination + creativity wins
    Tools cannot replace talent.