Black Hat USA 2007
Tactical Exploitation
"the other way to pen-test"
hdm / valsmith

who are we?
• H D Moore <hdm [at] metasploit.com>
  BreakingPoint Systems || Metasploit
• Valsmith <valsmith [at] metasploit.com>
  Offensive Computing || Metasploit

why listen?
• A different approach to pwning
• New tools, fun techniques
• Real-world tested :-)

what do we cover?
• Target profiling
• Discovery tools and techniques
• Exploitation
• Getting you remote access

the tactical approach
• Vulnerabilities are transient
• Target the applications
• Target the processes
• Target the people
• Target the trusts
• You WILL gain access.

the tactical approach
• Crackers are opportunists
• Expand the scope of your tests
  • Everything is fair game
• What you don't test...
  • Someone else will.

the tactical approach
• Hacking is not about exploits
• The target is the data, not r00t
• Hacking is using what you have
  • Passwords, trust relationships
  • Service hijacking, auth tickets

personnel discovery
• Security is a people problem
  • People write your software
  • People secure your network
• Identify the meatware first

personnel discovery
• Identifying the meatware
  • Google
  • Newsgroups
  • SensePost tools
  • www.Paterva.com

personnel discovery
• These tools give us
  • Full names, usernames, email
  • Employment history
  • Phone numbers
  • Personal sites

personnel discovery
CASE STUDY

personnel discovery
• Started with no information but the company name and function
• Found online personnel directory
• Found people / email addresses
• Email name = username = target

personnel discovery
DEMO

network discovery
• Identify your target assets
  • Find unknown networks
  • Find third-party hosts
• Dozens of great tools...
  • Let's stick to the less-known ones

network discovery
• The overused old busted
  • Whois, Google, zone transfers
  • Reverse DNS lookups

network discovery
• The shiny new hotness
  • Other people's services
  • CentralOps.net
  • DigitalPoint.com
  • DomainTools.com
  • Paterva.com

network discovery
• What does this get us?
  • Proxied DNS probes, transfers
  • List of virtual hosts for each IP
  • Port scans, traceroutes, etc.
  • Gold mine of related info

network discovery
• Active discovery techniques
  • Trigger SMTP bounces
  • Brute force HTTP vhosts
  • Watch outbound DNS
  • Just email the users!

network discovery
CASE STUDY

network discovery
DEMO

firewalls and ips
• Firewalls have gotten snobby
  • Content filtering is now common
  • Intrusion prevention is annoying
• Identify and fingerprint
  • Increase your stealthiness
  • Customize your exploits

firewalls and ips
• Firewall identification
  • NAT device source port ranges
  • Handling of interesting TCP
• IPS identification
  • Use "drop with no alert" sigs
  • Traverse sig tree to find vendor

firewall and ips
CASE STUDY

firewall and ips
DEMO

application discovery
• If the network is the toast...
  • Applications are the butter.
• Each app is an entry point
• Finding these apps is the trick

application discovery
• Tons of great tools
  • Nmap, Amap, Nikto, Nessus
  • Commercial tools

application discovery
• Slow and steady wins the deface
• Scan for a specific port, one port only
• IDS/IPS can't handle slow scans
  • Ex. nmap -sS -P0 -T 0 -p 1433 ips

application discovery
• Example target had a custom IDS to detect a large number of host connections
• Standard nmap lit up the IDS like XMAS
• One-port slow scan was never detected
• Know the OS based on 1 port (139/22)
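The two slides above describe an IDS that counted connections per host over a short window and therefore missed a single-port sweep paced at nmap's -T0 rate (one probe about every five minutes). The following is an added example, not code from the talk or from Metasploit: a small Python model of both detectors run over a constructed connection log. The burst detector (distinct destination hosts per source within 60 seconds) catches the default-speed scan and misses the slow one; a long-horizon detector keyed on (source, destination port) over a day catches both. Every address, threshold and timing in it is constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One connection attempt as a sensor or flow log would record it."""
    ts: int      # seconds
    src: str
    dst: str
    dport: int


def burst_alerts(conns, window=60, threshold=20):
    """The slide's custom IDS, modelled: alert on a source that reaches
    `threshold` distinct destination hosts inside any `window`-second span."""
    alerts = set()
    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_src[c.src].append(c)
    for src, events in by_src.items():
        in_window = defaultdict(int)   # dst -> attempts currently inside the window
        start = 0
        for c in events:
            in_window[c.dst] += 1
            while events[start].ts < c.ts - window:   # expire events older than the window
                old = events[start].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts.add(src)
                break
    return alerts


def sweep_alerts(conns, horizon=86400, threshold=10):
    """Long-horizon detector: distinct destination hosts per (source, dport)
    over `horizon` seconds. A one-port sweep paced minutes apart still
    accumulates here, because the key is the port, not the minute."""
    alerts = set()
    first_seen, hosts = {}, {}
    for c in sorted(conns, key=lambda c: c.ts):
        key = (c.src, c.dport)
        if key not in first_seen or c.ts - first_seen[key] > horizon:
            first_seen[key], hosts[key] = c.ts, set()
        hosts[key].add(c.dst)
        if len(hosts[key]) >= threshold:
            alerts.add(key)
    return alerts


def build_sample():
    """Constructed connection log, not real traffic."""
    conns = []
    for i in range(200):                 # normal user: three file servers, all day
        conns.append(Conn(i * 60, "10.0.0.200", f"10.0.0.{1 + i % 3}", 445))
    for i in range(50):                  # default-speed scan: 50 hosts, 4 ports, under a minute
        for port in (22, 80, 139, 1433):
            conns.append(Conn(1000 + i, "203.0.113.5", f"10.0.0.{1 + i}", port))
    for i in range(50):                  # one-port sweep, one host every 5 minutes (-T0 pacing)
        conns.append(Conn(5000 + i * 300, "198.51.100.7", f"10.0.0.{1 + i}", 1433))
    return conns


def analyze(conns=None):
    """Run both detectors; returns {'burst': {src}, 'sweep': {(src, dport)}}."""
    conns = build_sample() if conns is None else conns
    return {"burst": burst_alerts(conns), "sweep": sweep_alerts(conns)}


if __name__ == "__main__":
    for name, hits in analyze().items():
        print(name, sorted(hits, key=str))
```

Counting per (source, port) over a day instead of per source per minute is the one change that makes the -T0 sweep visible. The cost is a per-key set that grows with the number of hosts a source touches, so a production sensor would bound it or push the long-horizon count out to the flow collector rather than keep it inline.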

application discovery
• Some new tools
  • W3AF for locating web apps
  • Metasploit 3 includes scanners

application discovery
CASE STUDY

application discovery
DEMO

client app discovery
• Client applications are fun!
  • Almost always exploitable
  • Easy to fingerprint remotely
  • Your last-chance entrance

client app discovery
• Common probe methods
  • Mail links to the targets
  • Review exposed web logs
  • Send MDNs to specific victims
  • Abuse all, everyone, team aliases

client app discovery
• Existing tools
  • BEEF for browser fun
  • Not much else...

client app discovery
• Shiny new tools
  • Metasploit 3 SMTP / HTTP
  • Metasploit 3 SMB services

client app discovery
CASE STUDY

client app discovery
DEMO

process discovery
• Track what your target does
  • Activity via IP ID counters
  • Last-modified headers
  • FTP server statistics

process discovery
• Look for patterns of activity
  • Large IP ID increments at night
  • FTP stats at certain times
  • Web pages being uploaded
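The slides note that a host with one globally incrementing IP ID counter reveals how much traffic it sends, and that a large increment overnight points at a scheduled job. As an added example (not from the talk or from Metasploit's profiling modules), the Python below shows what an auditor can check on their own hosts: classify an observed IP ID sequence as constant, incremental or random, and, for an incremental host, turn two probes into a packet count and flag the hours in which that count spikes. The IP ID values are constructed; in practice they would be read from the ID field of replies to a periodic probe such as a ping or a SYN to an open port.

```python
from statistics import median


def ipid_deltas(ids):
    """Wrap-safe differences between consecutive 16-bit IP ID observations."""
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]


def classify_ipid(ids, max_step=1024):
    """Classify a burst of back-to-back probes: 'constant' (same value every
    time, nothing leaks), 'incremental' (one global counter; every packet the
    host sends to anyone bumps it) or 'random'. Probes must be close together
    so that the host's legitimate traffic cannot push a delta past max_step."""
    deltas = ipid_deltas(ids)
    if len(deltas) < 2:
        raise ValueError("need at least three samples")
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d <= max_step for d in deltas):
        return "incremental"
    return "random"


def packets_between(id_before, id_after):
    """Packets an incremental host sent to anyone between two of our probes,
    excluding the reply it sent us. Undercounts once the 16-bit field wraps."""
    return (id_after - id_before - 1) % 0x10000


def busy_hours(hourly, factor=10):
    """hourly: [(hour, ipid), ...] from one probe per hour against an
    incremental host. Returns the hours whose packet count exceeds `factor`
    times the median hour: the overnight batch job the slides talk about."""
    counts = [(h1, packets_between(i1, i2))
              for (h1, i1), (h2, i2) in zip(hourly, hourly[1:])]
    baseline = median(c for _, c in counts)
    return [h for h, c in counts if c > factor * baseline]


def build_hourly_sample():
    """Constructed probe log, not real data: about 40 packets an hour, with a
    30,000-packet burst during hours 2 and 3 (the counter wraps past 65535)."""
    per_hour = [41] * 24            # 40 packets plus the reply to our own probe
    per_hour[2] = per_hour[3] = 30001
    hourly, counter = [], 12000
    for hour in range(24):
        hourly.append((hour, counter))
        counter = (counter + per_hour[hour]) % 0x10000
    return hourly


if __name__ == "__main__":
    print(classify_ipid([5001, 5002, 5003, 5005, 5006]))   # incremental
    print(busy_hours(build_hourly_sample()))                # [2, 3]
```

The wrap-safe arithmetic matters: the field is 16 bits, so a busy host wraps the counter in well under an hour and hourly probes undercount it; probe more often when the per-hour count approaches 65535. On the audited host the fix is an IP ID allocation that is random or per-destination rather than a single global counter; modern kernels generally avoid the global counter, and the classifier above tells you whether a given host actually does.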

process discovery
• Existing tools?
  • None :-(
• New tools
  • Metasploit 3 profiling modules
  • More on exploiting this later...

process discovery
CASE STUDY

process discovery
DEMO

15 Minute Break
• Come back for the exploits!

re-introduction
• In our last session...
  • Discovery techniques and tools
• In this session...
  • Compromising systems!

external network
• The crunchy candy shell
  • Exposed hosts and services
  • VPN and proxy services
  • Client-initiated sessions

attacking file transfers
• FTP transfers
  • Active FTP source ports
  • Passive FTP servers
• NFS transfers
• TFTP transfers

attacking mail services
• Four different attack points
  • The mail relay servers
  • The antivirus gateways
  • The real mail server
  • The user's mail client
• File name clobbering...
Black Hat USA 2007
attacking web serversattacking web servers• Brute force files and directories• Brute force virtual hosts• Standard application flaws• Load balancer fun...• Clueless users cgi-bin's are often
the Achilles heel
![Page 49: Tactical Exploitation · Black Hat USA 2007 application discovery • Example target had custom IDS to detect large # of host connections • Standard nmap lit up IDS like XMAS •](https://reader030.vdocuments.us/reader030/viewer/2022011906/5f38a27125684e337d08b3c5/html5/thumbnails/49.jpg)
Black Hat USA 2007
attacking dns serversattacking dns servers• Brute force host name entries• Brute force internal hosts• XID sequence analysis• Return extra answers...
![Page 50: Tactical Exploitation · Black Hat USA 2007 application discovery • Example target had custom IDS to detect large # of host connections • Standard nmap lit up IDS like XMAS •](https://reader030.vdocuments.us/reader030/viewer/2022011906/5f38a27125684e337d08b3c5/html5/thumbnails/50.jpg)
Black Hat USA 2007
attacking db serversattacking db servers• Well-known user/pass combos
• Business apps hardcode auth
• Features available to anonymous• No-patch bugs (DB2, Ingres, etc)

authentication relays
• SMB/CIFS clients are fun!
  • Steal hashes, redirect, MITM
• NTLM relay between protocols
  • SMB/HTTP/SMTP/POP3/IMAP

social engineering
• Give away free toys
  • CDROMs, USB keys, N800s
• Replace UPS with OpenWRT
  • Cheap and easy to make

internal network
• The soft chewy center
  • This is the fun part :)
  • Easy to trick clients

file services
• SMB is awesome
  • Look for AFP exports of SMB data
• NAS storage devices
  • Rarely, if ever, patch Samba :-)

file services
• NFS is your friend
  • Don't forget its easy cousin NIS
• Scan for port 111 / 2049
  • showmount -e / showmount -a
  • What's exported, who's mounting?

file services
• Exported NFS home directories
  • Important target!
• If you get control
  • Own every node that mounts it

file services
• If you are root on the home server
  • Become anyone (NIS/su)
  • Harvest known_hosts files
  • Harvest allowed_keys
  • Modify .login, etc. + insert trojans

file services
• Software distro servers are fun!
  • All nodes access over NFS
  • Write to software distro directories
  • Trojan every node at once
  • No exploits needed!
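The four NFS slides above ask the same questions from the attacker's side: what is exported, to whom, and whether home directories and software distribution trees are writable; showmount -e answers the first of them from outside. The defender answers all of them by reading /etc/exports on the server. The following is an added example, not code from the talk: a Python parser for the Linux /etc/exports format and an audit that flags everyone/wildcard clients, no_root_squash, writable home-directory exports and the insecure option. The exports file content is constructed, and the home-directory prefixes are a hypothetical site convention to adjust per installation.

```python
import re
from dataclasses import dataclass

# Hypothetical site convention: where this site keeps NFS-exported home directories.
HOME_PREFIXES = ("/home", "/export/home")


@dataclass
class Export:
    path: str
    clients: list   # [(client_spec, {option, ...}), ...]


def parse_exports(text):
    """Parse Linux /etc/exports lines of the form '<path> <client>(<opts>) ...'.
    A client of '*' or a bare '(opts)' with no client means every host; options
    left out default to ro and root_squash."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        for spec in fields[1:]:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if not m:
                raise ValueError(f"malformed client spec: {spec!r}")
            client = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            clients.append((client, opts))
        if not clients:                           # path alone: exported to everyone
            clients.append(("*", set()))
        exports.append(Export(path, clients))
    return exports


def audit_exports(exports, home_prefixes=HOME_PREFIXES):
    """Return (path, client, code) findings for the risks the slides describe."""
    findings = []
    for e in exports:
        is_home = any(e.path == p or e.path.startswith(p + "/") for p in home_prefixes)
        for client, opts in e.clients:
            if client == "*" or "*" in client or "?" in client:
                findings.append((e.path, client, "WORLD"))            # anyone can mount it
            if "no_root_squash" in opts:
                findings.append((e.path, client, "NO_ROOT_SQUASH"))   # client root is server root
            if is_home and "rw" in opts:
                findings.append((e.path, client, "RW_HOME"))          # one client owns every user
            if "insecure" in opts:
                findings.append((e.path, client, "INSECURE_PORTS"))   # unprivileged source ports accepted
    return findings


SAMPLE_EXPORTS = """\
# constructed /etc/exports for the example, not from any real server
/export/home      10.0.0.0/24(rw,sync)              # NFS home directories
/export/software  *(ro) build01(rw,no_root_squash)  # distro tree
/srv/scratch      (rw)                              # no client given: everyone, rw
/srv/backup       backup.corp.example(rw,sync,root_squash)
"""


def audit_sample():
    return audit_exports(parse_exports(SAMPLE_EXPORTS))


if __name__ == "__main__":
    for path, client, code in audit_sample():
        print(f"{code:15} {path} -> {client}")
```

The /srv/scratch line is the classic mistake the parser has to handle: a space before the parenthesised options, or no client at all, makes the options apply to every host. Pair the file audit with showmount -a on the server, which lists the clients currently mounting each export, to see which nodes a writable export actually reaches.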

file services
CASE STUDY
Black Hat USA 2007
netbios servicesnetbios services• NetBIOS names are magic
• WPAD• ISASRV• CALICENSE
![Page 61: Tactical Exploitation · Black Hat USA 2007 application discovery • Example target had custom IDS to detect large # of host connections • Standard nmap lit up IDS like XMAS •](https://reader030.vdocuments.us/reader030/viewer/2022011906/5f38a27125684e337d08b3c5/html5/thumbnails/61.jpg)
Black Hat USA 2007
dns servicesdns services• Microsoft DNS + DHCP = fun
• Inject and overwrite DNS• Hijack the entire network• Impersonate servers
![Page 62: Tactical Exploitation · Black Hat USA 2007 application discovery • Example target had custom IDS to detect large # of host connections • Standard nmap lit up IDS like XMAS •](https://reader030.vdocuments.us/reader030/viewer/2022011906/5f38a27125684e337d08b3c5/html5/thumbnails/62.jpg)
Black Hat USA 2007
wins serviceswins services• Advertise your WINS service
• Control name lookups• Attack other client apps
![Page 63: Tactical Exploitation · Black Hat USA 2007 application discovery • Example target had custom IDS to detect large # of host connections • Standard nmap lit up IDS like XMAS •](https://reader030.vdocuments.us/reader030/viewer/2022011906/5f38a27125684e337d08b3c5/html5/thumbnails/63.jpg)
Black Hat USA 2007
license serverslicense servers• A soft spot in desktop apps
• Computer Associates• Bugs and simple to spoof
• FlexLM network services
![Page 64: Tactical Exploitation · Black Hat USA 2007 application discovery • Example target had custom IDS to detect large # of host connections • Standard nmap lit up IDS like XMAS •](https://reader030.vdocuments.us/reader030/viewer/2022011906/5f38a27125684e337d08b3c5/html5/thumbnails/64.jpg)
Black Hat USA 2007
remote desktopsremote desktops• RDP
• Great for gathering other targets• Domain lists available pre-auth• If not available, start your own:
• net start “terminal services”
![Page 65: Tactical Exploitation · Black Hat USA 2007 application discovery • Example target had custom IDS to detect large # of host connections • Standard nmap lit up IDS like XMAS •](https://reader030.vdocuments.us/reader030/viewer/2022011906/5f38a27125684e337d08b3c5/html5/thumbnails/65.jpg)
Black Hat USA 2007
remote desktopsremote desktops• VNC
• The authentication bug is great :)• MITM attacks are still viable• Install your own with Metasploit 3
• vncinject payloads

trust relationships
• The target is unavailable to YOU
  • Not to another host you can reach...
• Networks may not trust everyone
  • But they often trust each other :)

trust relationships
CASE STUDY

Hijacking SSH
CASE STUDY

Hijacking Kerberos
CASE STUDY

Hijacking NTLM
CASE STUDY

Conclusion
• Compromise a patched network
• Determination / creativity wins
• Lots of new pen-test tools
• The best tool is still YOU!