Thursday 27 August 2015

Pentesting Methodology Tutorial, Part 3

Hi friends,

Welcome to the third part of the tutorial:

Planning

We begin in the planning phase of our methodology. If you are working on a larger engagement and need a collaborative solution, then Dradis is the tool of choice. It provides centralized documentation, team collaboration and, most importantly, the ability to import information from our various tools within Kali. There are two versions of Dradis: a community version and a commercial version. As you can guess, the version on Kali is the community version.
Let's run through a quick example and fire up Dradis to create our project structure. When you first launch Dradis you will be greeted with an initialization screen. Give the server a password and select the option to create a new project.
[Screenshot: Dradis initialization screen]
Once you log in with no username and the server password, you will be dropped into the Dradis framework console. From there we will implement our penetration testing methodology and plan by adding branches and notes. Since we have a lot to cover, I will leave it up to the reader to research more on Dradis.
Within a few minutes we have mapped out our project tasks, Rules of Engagement, objectives, and remaining methodology steps.
[Screenshot: project structure in Dradis]
Dradis is a great tool, but don’t expect it to be a full-fledged project management suite. If you need more firepower, don’t forget that Kali has a number of pre-installed applications such as Ruby and MySQL. With this in mind, you’re a few steps away from setting up Redmine to add resource planning and Gantt charts to your Kali instance.
Now that we have our project planning and documentation mechanism in place, we can move on to the next phase of the penetration testing methodology: discovery.

Discovery

We decide to kick off the Discovery phase by running TheHarvester. TheHarvester is written by Christian and allows us to collect information about a target organization from a variety of sources including Google, Facebook, LinkedIn, spoke, etc. Let’s take a closer look at TheHarvester.
[Screenshot: TheHarvester options and example usage]
The screenshot shows TheHarvester options and some example usage. In the next example we'll run TheHarvester against our target domain, querying Bing. We also want to ensure we limit our return results to 100. The command and its output would look something like:
[Screenshot: TheHarvester command and output for the target domain]
With these options selected, TheHarvester will query Bing for our domain, looking for email addresses as well as additional linked domains. The -n and -t options tell TheHarvester to perform reverse DNS lookups on the IP range identified for the domain queried and to expand the search for our domain across all top-level domains. For example, if our domain was nbc.com it would attempt to find domains such as nbc.ca, nbc.biz, etc.
TheHarvester can pull together a significant amount of information that we can use during the scanning phase of Discovery, but in this case we decide to utilize some additional tools to further our Information Gathering efforts prior to moving on to scanning.
At this point we decide that we want to interrogate DNS a bit more with the information gathered from TheHarvester. Because of its features, we have chosen to run our domains through Fierce. Fierce can initiate DNS zone transfer attempts as well as perform bruteforce lookups against DNS. While TheHarvester can perform DNS bruteforcing as well, Fierce contains added functionality and more granular options, such as controlling the number of threads used for execution. Here are the Fierce options along with the output from our target domain. Please note that the output here may not be ideal given the test domain that we are using for this example.
[Screenshot: Fierce options and output for the target domain]
With this information in hand we can now import the output from the tools into Dradis and move on to scanning, enumerating services, and vulnerability identification.
Once we have completed Information Gathering, we need to start enumerating discovered networks and services. Kali again saves the day by giving us all the tools we need in one location. While in the normal course of our engagements we would turn to nmap, we wanted to cover a couple of other lesser-known scanners, starting with fping and hping3.
Continuing with our case study, now that we have discovered hosts within our domain, we will use fping to identify systems on our target network.
[Screenshot: fping output]
Based on the output of fping we know that ICMP is enabled and that we were able to enumerate our target network. Now we select one of our hosts and perform a SYN scan with hping3.
[Screenshot: hping3 SYN scan output]
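How the fping sweep and the hping3 SYN scan above look from the defender's side, as an added example that is not part of the original tutorial: a small detector over firewall log lines. The log lines are constructed in iptables LOG style, and the addresses, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict

KV = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs of an iptables LOG line

def sample_log():
    """Constructed log: one noisy source plus ordinary client traffic."""
    base = "kernel: IN=eth0 OUT= SRC={} DST={} "
    lines = [base.format("192.0.2.10", f"198.51.100.{h}") + "PROTO=ICMP TYPE=8 CODE=0"
             for h in range(1, 21)]                      # echo requests to 20 hosts
    lines += [base.format("192.0.2.10", "198.51.100.7") + f"PROTO=TCP SPT=2000 DPT={p} SYN"
              for p in range(1, 101)]                    # SYNs to 100 ports on one host
    lines += [base.format("192.0.2.50", "198.51.100.7") + f"PROTO=TCP SPT={s} DPT=443 SYN"
              for s in range(40000, 40030)]              # 30 normal HTTPS connections
    lines.append(base.format("192.0.2.50", "198.51.100.7") + "PROTO=ICMP TYPE=8 CODE=0")
    return lines

def detect(lines, sweep_hosts=10, scan_ports=15):
    """Flag sources that ping many hosts or SYN many ports on one host.
    A production rule would also bound each count by a time window."""
    pinged = defaultdict(set)     # src -> destination hosts sent an echo request
    probed = defaultdict(set)     # (src, dst) -> destination ports sent a bare SYN
    for line in lines:
        f = dict(KV.findall(line))
        flags = set(line.split())
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            pinged[f["SRC"]].add(f["DST"])
        elif f.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
            probed[(f["SRC"], f["DST"])].add(int(f["DPT"]))
    findings = [("icmp_sweep", src, "*", len(h))
                for src, h in pinged.items() if len(h) >= sweep_hosts]
    findings += [("syn_scan", src, dst, len(p))
                 for (src, dst), p in probed.items() if len(p) >= scan_ports]
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(sample_log()):
        print(finding)
```

The client at 192.0.2.50 opens many connections but always to the same port, so it stays below both thresholds.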
Using our list of services we can run nmap against the open ports to identify operating system and service versions.
[Screenshot: nmap operating system and service version scan]
Next we are going to leverage nmap's vulnerability scanner to check for SMB vulnerabilities on this host. First, let's quickly look at nmap's scripting parameters.
[Screenshot: nmap scripting parameters]
If you are interested, you can take a look at the scripts supplied with nmap. On Kali you can find them in /usr/share/nmap/scripts. After doing a bit of searching we come across smb-check-vulns.
[Screenshot: search results showing smb-check-vulns]
After looking at nmap's documentation we find that this script can be used to identify vulnerability conditions with SMB. We also learn that we need to supply an unsafe flag to get it to fully run our scan. With the consequences in mind and, more importantly, with permission to impact system availability, we run our scan.
[Screenshot: smb-check-vulns scan output]
We have come to the end of this phase of Discovery. We now have enough information to begin the attack phase of our penetration test against our target environment.

Attack

Gaining Access

Now that we have identified several vulnerabilities as well as the likelihood of exploitation we decide to try and exploit the MS08-067 vulnerability identified with our nmap scan. We leverage the Metasploit framework to begin our initial attack vector.
Metasploit is very powerful and could be used for various phases within our methodology. That being said Kali provides many options that can be leveraged to meet our testing objectives. In this particular case Metasploit provides a perfect vehicle to exploit this particular vulnerability.
Prior to launching Metasploit we need to start up the Postgres database and the Metasploit server component. These are not configured to start on boot by default in Kali.
[Screenshot: starting the Postgres and Metasploit services]
Next, we launch the Metasploit console with the msfconsole command. After doing an initial search we discover that Metasploit does have an exploit for MS08-067. We configure the exploit with the bind shell Meterpreter payload to make us work a bit harder for our objectives. Once all the options are configured we run the exploit using the exploit command.
[Screenshot: configuring and running the MS08-067 exploit in msfconsole]
Success! We have exploited our vulnerability and have gained access to our system.

System Browsing

Now we'd like to validate our access as well as upload additional tools to gather information and launch further attacks.
[Screenshot: validating access in Meterpreter]
After confirming that we are running as SYSTEM, we decide that we should dump hashes in order to help with attacks against other systems.
[Screenshot: hash dump]
Once we have the hashes we can launch John on our Kali system to crack the administrator password. On many networks the administrator account password will be the same across all systems or groups of systems, so this will come in handy as we continue to exploit our target network.
[Screenshot: John cracking the administrator password]

Installing Additional Tools

Once we dump hashes we decide to upload some additional tools to pivot and launch attacks from our compromised host. While we could download our tool-kits using Meterpreter we wanted to demonstrate a couple of additional ways to upload tools to our exploited host. In order to continue we drop into a shell.
[Screenshot: dropping into a shell]
We decide to leverage the Windows tftp.exe client to upload our tool-set. We first need to start the tftp daemon on our Kali instance. In order to do this we ran:
[Screenshot: starting the tftp daemon on Kali]
Once our tftp server had started, we downloaded sbd.exe and created an administrator account so we can get back into our target in the future.
[Screenshot: downloading sbd.exe and creating the administrator account]
Next, we launch our backdoor using sbd.exe. Sbd is very similar to Netcat; however, it allows us to encrypt our data channel with a shared secret.
[Screenshot: launching sbd.exe on the target]
We then connect with the sbd client on our Kali machine.
[Screenshot: connecting with the sbd client from Kali]
Using this backdoor we can repeat our Discovery process to identify additional hosts or networks and vulnerabilities. We can also use this access to pivot and launch attacks until our objectives are met.
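The steps in this section (running tftp.exe, creating an account as SYSTEM and making it an administrator) leave records in the Windows Security log. The following added example, which is not part of the original tutorial, correlates those records; the events are constructed, and the collector's dict layout, the account names and the SIDs are assumptions.

```python
from datetime import datetime, timedelta
from ntpath import basename

LEGACY = {592: 4688, 624: 4720, 636: 4732}  # XP/2003 event IDs -> current (old + 4096)
ADMINS_SID, SYSTEM_SID = "S-1-5-32-544", "S-1-5-18"  # BUILTIN\Administrators, LocalSystem
WATCHED = {"tftp.exe", "sbd.exe"}  # names from the walkthrough; easy to rename, low confidence

# Constructed Security-log records flattened to dicts by a hypothetical collector.
# Hosts, accounts and SIDs are made up; legacy records are assumed to be mapped
# onto the same field names.
NEW_SID = "S-1-5-21-1111-2222-3333-1105"
EVENTS = [
    {"id": 4688, "time": "2015-08-27T10:02:00", "host": "WS01",
     "NewProcessName": r"C:\WINDOWS\system32\tftp.exe"},
    {"id": 4688, "time": "2015-08-27T10:02:30", "host": "WS01",
     "NewProcessName": r"C:\WINDOWS\system32\notepad.exe"},
    {"id": 624, "time": "2015-08-27T10:03:00", "host": "WS01", "TargetUserName": "support2",
     "TargetSid": NEW_SID, "SubjectUserSid": SYSTEM_SID},
    {"id": 636, "time": "2015-08-27T10:03:20", "host": "WS01",
     "MemberSid": NEW_SID, "TargetSid": ADMINS_SID},
    {"id": 4720, "time": "2015-08-27T11:00:00", "host": "FS02", "TargetUserName": "jdoe",
     "TargetSid": "S-1-5-21-1111-2222-3333-1106", "SubjectUserSid": "S-1-5-21-1111-2222-3333-500"},
    {"id": 4732, "time": "2015-08-27T11:00:05", "host": "FS02",
     "MemberSid": "S-1-5-21-1111-2222-3333-1106", "TargetSid": "S-1-5-32-545"},  # Users group
]

def hunt(events, window=timedelta(minutes=30)):
    """Return alerts for watched binaries and for new accounts promoted to local admin."""
    alerts, created = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = LEGACY.get(ev["id"], ev["id"])
        when = datetime.fromisoformat(ev["time"])
        if eid == 4688 and basename(ev["NewProcessName"]).lower() in WATCHED:
            alerts.append(("watched_binary", ev["host"], basename(ev["NewProcessName"])))
        elif eid == 4720:                        # account created: remember its SID
            created[(ev["host"], ev["TargetSid"])] = (when, ev)
        elif eid == 4732 and ev["TargetSid"] == ADMINS_SID:
            hit = created.get((ev["host"], ev["MemberSid"]))
            if hit and when - hit[0] <= window:  # created, then made admin shortly after
                made_by_system = hit[1]["SubjectUserSid"] == SYSTEM_SID
                alerts.append(("new_local_admin", ev["host"],
                               hit[1]["TargetUserName"], made_by_system))
    return alerts

if __name__ == "__main__":
    print(hunt(EVENTS))
```

The account on FS02 is created by an administrator and added only to Users, so it raises no alert; the last field of a `new_local_admin` alert records whether SYSTEM created the account.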

Reporting

Documentation is critical to the success of the penetration test. This can be performed through screen-shots or tool output. Since we are using Dradis we ensure that we output all tools to text or XML files as well as take screen-shots where tool output is less efficient.
Some tools provide self-documenting features. Take Metasploit for instance. It provides a database that captures output from various tools as you progress through your penetration test. In addition, Meterpreter has the screenshot feature that allows us to take a screen capture of the victim's desktop. Here is a screenshot from our previously compromised host.
[Screenshot: Meterpreter screen capture of the compromised host]
Once this data is input or imported into Dradis we can output reports in HTML and Word documents. The screen shot below should give you the idea.
[Screenshot: Dradis report export]
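Keeping tool output as XML, as described above, means findings can be turned into report rows mechanically. This added example (not part of the original tutorial) parses nmap-style XML into a table; the XML sample, including the host and the script output text, is constructed, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -oX` output; host and values are made up.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="198.51.100.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
    <hostscript><script id="smb-check-vulns" output="MS08-067: VULNERABLE"/></hostscript>
  </host>
</nmaprun>"""

def report_rows(xml_text):
    """One row per open port and per script result: (host, port, service, detail)."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:                     # skip hosts without an IPv4 address
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                        # closed/filtered ports stay out of the report
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            rows.append((addr, f'{port.get("portid")}/{port.get("protocol")}', name, product))
        for script in host.iter("script"):      # script findings, e.g. the SMB check
            rows.append((addr, "script", script.get("id"), script.get("output", "").strip()))
    return rows

def to_markdown(rows):
    """Render rows as a table that can be pasted into a note or report."""
    head = "| Host | Port | Service | Detail |\n|---|---|---|---|"
    return "\n".join([head] + ["| " + " | ".join(r) + " |" for r in rows])

if __name__ == "__main__":
    print(to_markdown(report_rows(SAMPLE_XML)))
```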

Conclusion

Kali is a valuable resource when performing penetration testing. Sometimes the tools can seem a bit overwhelming. Leveraging a methodology such as NIST 800-115 will bring some consistency and continuity to your penetration tests.
While we did not cover every tool on the distribution nor demonstrate all mapped tools in our example, we hope this brief introduction will help you formulate a plan of attack when using Kali for penetration testing.
