Enter The back|track Linux Dragon
Post on 14-May-2015
Enter the BackTrack Linux Dragon
Andrew Kozma
Atlantic Security Conference
March 21-22, 2013
1
• Infosec professional working in healthcare
• Fan of all things ninja, samurai and kung fu cinema
• A huge fan of BackTrack, Offensive-Security and Bruce Lee
• Blues fanatic that secretly wants to learn how to play the harmonica
• I am forever a student, always learning something new
“A wise man can learn more from a foolish question than a fool can learn from a wise answer.”
~Bruce Lee
2
• Pre-engagement Interactions
• Intelligence Gathering
• Threat Modeling
• Vulnerability Analysis
• Exploitation
• Post Exploitation
• Reporting
3
• “Be like water making its way through cracks. Do not be assertive, but adjust to the object, and you shall find a way around or through it. If nothing within you stays rigid, outward things will disclose themselves. Empty your mind, be formless. Shapeless, like water. If you put water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle. You put it in a teapot, it becomes the teapot. Now, water can flow or it can crash. Be water, my friend.” ~ Bruce Lee
• “Obey the principles without being bound by them.” ~ Bruce Lee
• “To hell with circumstances; I create opportunities.” ~ Bruce Lee
4
• Primary difference between an authorized pentest and “Hacking”
• Defines the rules of engagement
• Provides scope so that critical infrastructure may not be impacted
• Legal “CYA” stuff…
5
• Web Reconnaissance framework written in Python
• Module based
• No direct queries to target (OSINT)
• Organized to support the phases of a pentest
6
• The command “show modules” will display all available modules
• We are interested in what Google has stored in its databases regarding our target
• We will load the module with the command “load recon/hosts/gather/http/google”
• The command “info” provides additional information about the module and any options that can be set.
• We have to add our target with the command “set domain your target”
7
• To start reconnaissance we enter the command “run”
• It starts to query Google for known hosts associated with the target.
• Notice the “sleeping to avoid lockout” message
8
• Now that we have some hosts we want to get some contacts
• We run the “show modules” command again and this time select Jigsaw as our source
• To load the module we enter the command “load recon/contacts/gather/http/jigsaw”
• Type the command “info” for additional information about this module.
• Once again we have to select our target in the options by entering the command “set company your target”
• The more information gathered at this phase significantly improves our chances for a successful exploit
9
• We enter the command “run” to start the query against our target
• We can already start seeing contacts being collected
10
• Now let’s put our intel into a format that will help support Threat Modeling
• Let’s load the HTML report output module using the command “load reporting/html_report”
• Let’s title the report by setting the value for company: “set company your target”
• Set the filename and location for the created report: “set filename /root/Desktop/yourtarget.html”
11
12
*Note additional modules can be run to gather DNS and geographic data to complete this report*
• Leveraging all of the data gathered to select attack vectors and plan a well organized strategic attack
• Will include social media and various other forms of information
• For the demo today we will be targeting an employee
A snippet from the PTES site at
http://www.pentest-standard.org
13
• Up until now everything was done passively, no direct contact with the target and its related hosts/systems
• Will include multiple scans for: ports, service banners and of course vulnerabilities
14
• Attacker - BackTrack 5r3 with updated repositories and tools
• Target - Fully patched and updated W7 installation with Microsoft Security Essentials installed and updated
• Using a phishing email targeted at an employee with relevant information (Client Side Exploits)
• In the “real world” most likely the client will indicate client side attacks are out of scope at the pre-engagement phase due to the incredibly high success rate….
15
• We are going to use the Social-Engineer Toolkit (SET)
• In a terminal navigate to SET: “cd /pentest/exploits/set”
• From the SET directory run “./set”
• Select Option 1
16
• For this demo we are going to utilize website attack vectors
17
• We are going to select the Java applet attack
• Leverages a customized Java applet to deliver the payload
• According to Oracle there are a lot of Java users out there
18
• We are going to clone a site using option 2
• NAT/Port forwarding is required if you have to traverse a firewall; for this demo we will say no
• We have to enter the IP address of the attacker so the reverse connection can be successful
• Enter the URL of the site we wish to clone
19
• We want to be able to interact in various ways with the target system
• A Meterpreter session provides multiple options and is preferred
20
• We want to successfully compromise the target and option 16 is described as (BEST)
21
• We need to configure some options for our back door
• We select port 4444 for this demo
• The payload is encoded and hidden within an executable
• Then it is moved into the cloned site and our listener is set up to wait for the reverse connection
22
• Now that we have our listener waiting and we see that the payload handler is starting, let’s send our phishing email and wait
• Notice that the embedded link indicates HalifaxMooseheads.ca
• Looks legit, right? And from our intel we can see the target has posted pictures on social media sites of his friends and family enjoying the games
23
• The target has clicked the link to browse to our malicious site
• He is presented with a “Trusted” Java applet indicating that something needs to be installed
• This is persistent: if the user clicks cancel the applet will return again
• User thoughts… Hey, it says (VERIFIED SAFE) right…
24
• The attacker can tell the user has clicked the link
• However no reverse session appears, indicating something went awry
• In this particular instance Microsoft Security Essentials detected our payload and prevented the reverse session
• What do we do now…
25
“Defeat is not defeat unless accepted as a reality in your own mind.”
~Bruce Lee
“If you always put limits on everything you do, physical or anything else, it will spread into your work and into your life. There are no limits. There are only plateaus, and you must not stay there, you must go beyond them.”
~Bruce Lee
26
*Try Harder and the BackTrack Dragon are registered Trademarks of Offensive-Security*
Many thanks to the team at Offensive Security for being an educational sponsor of AtlSecCon 2013
27
• Let’s try this again…
• The attack vector will not change but we will be changing the delivery of the payload
• We are still leveraging Social-Engineering Attacks
28
• Once again we will be using option 2 Website Attack Vectors
29
• We are going to clone a site again with option 2
• Automation is a beautiful thing… let’s take a moment to thank David Kennedy of TrustedSec.com (@dave_rel1k) for all of his efforts.
• Hugs brah! SET is so full of win!
30
• This time however we are going to change the payload
• Pyinjector is relatively new and has been available since the summer of 2012
• It injects shellcode directly into memory via powershell
• Because it does not touch disk it makes it very difficult for AV services to detect … sneaky sneaky…
31
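The point of the slide above is that an in-memory PowerShell injector leaves nothing on disk for a file-scanning AV to catch, so detection has to look at how PowerShell was launched instead. The following is an added example, not code from the talk or from SET: it scores constructed process-creation records (parent image, image, command line) for the indicators this delivery chain produces, such as a Java process spawning PowerShell, a hidden window, and an -EncodedCommand whose decoded UTF-16LE script names the injection APIs. The sample events, the marker list and the suspicious-parent list are all assumptions chosen for the example.

```python
import base64
import re

# Constructed process-creation records (parent, image, command line) modelled on the
# chain in the talk: a Java applet launching PowerShell that injects in memory.
_STUB = '[DllImport("kernel32.dll")] VirtualAlloc CreateThread'  # marker text only
_ENCODED = base64.b64encode(_STUB.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
    ("javaw.exe", "powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + _ENCODED),
    ("svchost.exe", "powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
]
# Win32 APIs an in-memory injector must reach; a strong signal even with nothing on disk.
INJECTION_MARKERS = ("VirtualAlloc", "CreateThread", "DllImport")
# Parents that should never spawn PowerShell (browser plug-ins, Office apps); assumed list.
SUSPICIOUS_PARENTS = {"java.exe", "javaw.exe", "winword.exe", "excel.exe", "outlook.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand and -WindowStyle.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENC_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace") if m else None
    except ValueError:  # malformed base64 (binascii.Error subclasses ValueError)
        return None

def score_event(parent, image, cmdline):
    """Return the reasons a PowerShell launch looks like fileless injection ([] if clean)."""
    reasons = []
    if image.lower() != "powershell.exe":
        return reasons
    if parent.lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"powershell spawned by {parent}")
    if HIDDEN_FLAG.search(cmdline):
        reasons.append("hidden window")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
        hits = [api for api in INJECTION_MARKERS if api.lower() in decoded.lower()]
        if hits:
            reasons.append("injection APIs in decoded script: " + ", ".join(hits))
    return reasons

def triage(events):
    """Map event index -> reasons, for every event that raised at least one indicator."""
    return {i: r for i, (p, img, cmd) in enumerate(events) if (r := score_event(p, img, cmd))}
```

Only the javaw.exe-launched, hidden, encoded event is flagged; the admin backup script with -ExecutionPolicy Bypass is not, which is the distinction a signature on "powershell.exe" alone cannot make.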
• Once again we want to use Meterpreter to interact with the compromised host via a reverse TCP connection
32
• This is definitely sweet!
• Yuuupp Multi-Powershell-Injection homie! (*Notice the ports associated)
• The payload is moved into the cloned website
33
• Our reverse handler is ready and waiting
• Again the target sees the same Java applet message
• User thoughts… it must be ok… It even says it is (Verified Safe)… plus I really want those tickets…
• What is going to happen this time…
34
• Sessions baby…. 5 of them
• Let’s list the active sessions using the command “sessions -i”
• Let’s interact with the host using one of the sessions with the command “sessions -i 1” for session 1
35
• Entering the command “screenshot” at the meterpreter prompt saves a .jpg of whatever the target is currently viewing
• We can start an interactive shell with the “shell” command
• We can view “sysinfo”, create new users or dump password hashes for offline cracking
36
• We can even create a directory or steal data, the possibilities are numerous
37
• We want to further penetrate the target’s network, looking for other services and additional targets. (Pivoting)
• We want to maintain persistence so that we can return as required
• Dump the hashes for offline cracking and use those credentials to compromise other systems and services. (Pass the Hash)
38
• Nobody likes to do it
• This is where the real value for the client is
• A sample report can be downloaded from Offensive Security for review
39
• How could this have all been avoided?
• Security awareness…
• User Behavior…
• What is the impact of tools like SET allowing the automation of attacks?
• Easier to attack? – Yes… this is how a 12 year old script kiddie can pwn a seasoned infosec professional with years of experience.
• Easier to defend? – The use of tools like SET can help your defensive posture because it allows us as security professionals to quickly test new attack vectors and exploits. The results can be leveraged to modify or change security countermeasures where required.
40
• A great resource from Rapid7 (AtlSecCon 2013 Sponsor) to setup your lab:
• https://community.rapid7.com/community/infosec/blog/2011/01/05/how-to-set-up-a-pentesting-lab
• For additional information on the Penetration Testing Execution Standard please visit:
• http://www.pentest-standard.org/index.php/Main_Page
• http://nostarch.com/metasploit
• The Recon-ng project created by Tim Tomes (@LaNMaSteR53) can be located here:
• https://bitbucket.org/LaNMaSteR53/recon-ng
• For news about all things SET and a great security blog:
• https://www.trustedsec.com/news-and-events/
• @dave_rel1k
• A sample penetration report from Offensive-Security can be downloaded from here:
• http://www.offensive-security.com/penetration-testing-sample-report.pdf
• BackTrack, the BackTrack dragon logo, the Try Harder message, Kali-Linux and Offensive-Security are all registered trademarks of Offensive-Security.
• The amazing images of Bruce Lee are the work of South Korea’s Kim Dae Hwan darkdamage.deviantart.com/
41
• “Absorb what is useful, discard what is not, add what is uniquely your own.”
~Bruce Lee
• Social Media
• @k0z1can
• http://ca.linkedin.com/in/andrewkozma
42