CY4710 EXAM 1
Active Assessment
provides a snapshot of the network at a point in time. Can be less accurate in listing all users and services on the network [why?]
Look for default installs
query for "Microsoft-IIS/5.0 server at" or "apache"
Port Scanners
use the TCP 3-way handshake to determine if a service is available...
EXPN
used to see the real address of an alias, good to know where mail is actually going
VRFY
used to verify an entered email address [same as user accounts]
Multi/handler Exploit
useful when you want to execute a backdoor on a victim machine and need to connect back to take control remotely
Metasploit offers a _____ ______, a ___and a ____for MSF
Metasploit offers a console interface, a CLI and a GUI for MSF.
Nessus
Most well-known vulnerability assessment tool, now owned by Tenable Network Security
Nmap Scan Types -sN
Null Scan - here the packet is sent with no flags set
Nmap Scan Types -O
OS detect using TCP/IP stack fingerprinting.
Nmap Scan Types -O
OS detecting
Nmap Scan Types -A
OS detection and more
Metasploit Framework (MSF)
Owned by Rapid7, open source suite of tools used for penetration testing.
Vulnerability Analysis Goal
Port scanning may find port 21 open; more complete vulnerability scanning and analysis then follows: 1. OS fingerprint reveals Linux 2.2 kernel 2. Service query identifies "ftp as wu-ftpd version 2.4.2" 3. Database lookup to find what specific exploits exist for "wu-ftpd 2.4.2" running on a Linux 2.2 system
Active Intelligence Gathering
Port scanning, Banner Grabbing, Target SMB scanning, DNS discovery and Zone transfer, Sweeping target [ping, SSH/FTP/SNMP]
Nmap Scan Types -sA
TCP ACK scan, used to map out firewall rulesets and determine whether a firewall is stateful or just a packet filter.
zone transfer
asking for information about the entire zone, i.e., the hosts maintained on the domain.
Host Based Analysis
assessments/scanning running on individual computers/hosts over time. Reports can be generated.
popular port scanning tools
nmap, available on almost every system, and its GUI version Zenmap [more of these later]
External Community Analysis:
business partners, competitors, contractors, suppliers, org crime, nation-states, script kiddies. - How likely are they to act against the organization?
Footprinting
can be thought of as "casing the joint".
MSF can...
can create custom payloads that will not match known AV/IDS signatures [theoretically]
webmail
can help you in that the account username and email addresses are usually the same scheme, so knowing the convention is telling.
keystroke logger
captures keystrokes made on the target machine - keystroke start - keystroke stop - dump: returns results
Meterpreter Commands: Core
command to allow access to MSF modules from within a meterpreter shell for session management, etc.
Meterpreter Commands: Interface
commands to allow access to remote target user interface
Meterpreter Commands: File system
commands to allow access, uploading and downloading files to and from the remote target machine
Meterpreter Commands: Network
commands to allow creation of port forwarding connections (similar to SSH) from a local client's machine, through the established meterpreter connection, tunneled to a host on a remote target network
Meterpreter Commands: System
commands to allow examination of target information, as well as process commands to allow listing, executing or killing of processes
telnet into a mail server
interacts directly with a mail server to generate an email; verify (VRFY) and expand (EXPN) are the 2 commands allowed, if they are enabled at all.
whois ip lookup via ARIN
nslookup theonion.com will yield a part of the private block via the non-authoritative IP. The theonion.com IP can further yield an IP block and name servers from the non-authoritative response.
Internal DMZ
on the internal LAN; contains records only for those hosts accessible from inside the DMZ.
Nmap scanning returns
one of 4 port states [actually there are 6, but these are most common]: - open: Service is running - closed: No service running [potentially never see closed, it just will not show up] - filtered: Blocked port - open|filtered: Open w/ No Response, or Filtered (unsure)
MSFvenom...
output is shellcode in some chosen language or an executable file.
Ping Sweeps
perform automated ping sweeps. - Mass ping requests sent in parallel, round-robin - Can ping sweep bulk IPs, or entire CIDR blocks
Vulnerability Scanners
probe a system by sending data to it over a network and analyzing the responses - Fingerprint an OS and its patch level - Software installed and services running
Enumeration is
probing identified services more fully for specific weaknesses. It involves active connections to target systems and directed queries.
Overt penetration testing
- "White Hat" testing - Usually focused on specific aspects of the network and/or systems security - With full knowledge of organization personnel, IT staff, etc. - Responses may be unrealistic ["practiced"]
The basic steps for exploiting a system in MSF:
- Confirm the intended target system is susceptible to the given exploit. - Choose and configure an exploit. - Choose and configure a payload [e.g., a remote shell, or a meterpreter instance]. - Choose encoding for the target to ensure AV, IDS, and IPS systems ignore payload. - Launch the exploit
Fragmentation Handling
- Don't frag and overlapping frags handled differently
Uses plugins to perform vulnerability tests
- Families of OS specific plugins - Be careful with enabling all plugins [speed] - Dangerous plugins can interrupt or even crash services on target ports - Some plugins can break Nessus, may have to restart service
Bogus Flag probe:
- If bogus flag set in SYN packet, Linux will respond with same flag set in its SYN/ACK
Critical
- Internal technical business processes - IT support processes - HR support processes - External integration processes
Avoiding Detection during Exploitation
- Intrusion Detection System - Anti-Virus Software
Vulnerability scanning tools provide:
- Port scanning - Vulnerability assessment - Passwords checkers - General patch level checks
FIN probe:
- Per RFC 793 there is no response to a FIN packet; Windows sends FIN/ACK
Host-based Scanning Advantages
1. Speed and Accuracy. 2. Vulnerabilities of a specific system. 3. It takes only a few seconds to fully scan for all patches on a RedHat or Windows 2000 server.
Post Exploitation
1. Target specific additional systems 2. Identify critical infrastructures 3. Discover sensitive information
Mitigation: Internal and External DNS
A smart organization will split their DNS across 2 hosts External and Internal
Threat Community Analysis
Broken down into 2 communities Internal and External.
Most successful footprinting should include:
- Registered names - Range of IP addresses associated with target - Some idea of the network topology [Routers, host names, etc.] - Idea about user accounts taken from email addresses - General security posture Get creative!
ACK value
- Some send ACK with same number as SYN, others send SYN+1
Nmap Scan Types -sS
- TCP SYN Scan, this is a half-open scan. You wait for a SYN/ACK response or RST. The SYN/ACK means the port is up, a RST means it is not. - Some sites will not log this query. You need to be root to run this one.
Nmap Scan Types -sT
- TCP connect() scan, a very basic form of scanning. If the port is up the connect() will succeed. - You don't need to be root to do this; the downside is this will be logged.
Passive signatures include, among other things
- TTL: OS sets time-to-live on outbound packet - Window Size - Max segment size - DF [Don't Fragment] bit flag - NOP option flag
Network Mapper Tool (nmap.org)
- The "go to" scanner, very popular, native in Unix, preloaded in MSF - Created by Fyodor Vaskovich
TCP Initial Window Size
- Unique size set by implementation
Nmap Options
- Use online help, e.g., nmap.org - $ nmap -h [or just type "nmap"] Gives a quick reference page for most of the common options
Popular ping tools available
- fping [primarily intended for use in scripts] - nmap [option '-sn' to ping scan w/ no port scan] - Pinger! [not to be confused w/ Pinger msg app]
Excluding pages or extensions
-www or -.htm
MSFencode can...
...encode shellcode output by MSFpayload to repair "bad" characters that may trigger antivirus software and IDSs
MSFpayload is used for...
...generating shellcode or an executable payload that can be delivered to a target; its real benefits are realized when developing new exploit modules and testing different types of shellcode with it
Aux modules location
/opt/metasploit/apps/pro/msf3/modules/
Network-based Passive Scanning Advantages
1. A passive scanner operates 24x7, and a scan report can be generated at any time. 2. There is no adverse impact to the network or systems. 3. Can discover client-side vulnerabilities, and vulnerabilities in intranets we don't have permission to scan
Threat Modeling Objectives
1. A representation of threats and their capabilities against an organization. 2. Ability to repeatedly be applied to future tests with the same results. 3. Focuses on 2 elements of traditional threat modeling. 4. Assets, business assets and business processes. 5. Attacker, threat communities and capabilities.
Vulnerability Analysis in PTES
1. Better evaluate the risks from new vulnerabilities in a system. 2. Learn about fixes and patches from a single source [a vulnerability assessment tool]. 3. Avoid unplanned downtime and lost productivity. 4. Minimize the costs associated with security incidents.
Network-based Active Scanning Advantages
1. Provides extremely accurate snapshot of active hosts, services running, and vulnerabilities present. LOUDER. 2. Independent of network management or system administration — provides a more "honest" assessment of the system or network.
What do the processes do?
Business processes act upon those assets and upon those accessing them.
Advantages Network-based assessment include:
1. Centralized network-wide vulnerability assessing. 2. Assess the vulnerabilities of hosts to attacks from within or outside the network. 3. Discovery of unknown computers and other resources on the network. 4. Vulnerability information about network resources without monitoring agents.
Vulnerability Analysis
1. Determining the best method/exploit to access the target, based on its vulnerabilities 2. Similar to Enumeration and initial part of Gaining Access in the hacking methodology
Pros of Passive Assessment
1. Establish a baseline 2. Get a better evaluation of systems on the network.
Types of Operating System Probes
1. FIN probe 2. Bogus Flag probe 3. TCP Initial Window Size 4. ACK value 5. Fragmentation Handling
Reporting
1. Findings fully documented for the client to gain an understanding of system vulnerabilities, and threats. 2. An executive summary and full report are provided. 3. Hacking methodology has a different focus than pen testing.
Intelligence Gathering
1. Gather all information possible about target system. 2. Slow probing of target to discover its protection mechanisms. 3. Goal is to remain undetected during this phase! 4. Similar to the Footprinting and Scanning sections in the hacking methodology.
Host-based Assessment Advantages include:
1. Greatly reduced numbers of false positive and false negative reports. 2. Superior scalability over network-based products. 3. Increased security over agentless assessments that require administrative privileges. 4. Outdated applications. 5. Available ports and services. 6. Password strength.
Port Scan Objectives
1. Identify the type of OS on the target system. 2. Identify the TCP/UDP services running on the target. 3. Identify specific applications and versions running on the target. 4. All of this leads us toward system enumeration. 5. Nmap uses well known ports to identify OS and version of application.
Determine best attack methods based on vulnerabilities.
1. Information being sought 2. How organization may be attacked
Network-based Active Scanning Disadvantages
1. Information may be outdated as soon as scan is complete. 2. Addition of new hosts will go unnoticed until the next active scan. 3. Must minimize the ports and vulnerabilities scanned to compensate for low speed and potential adverse impact. 4. Can generate excessive firewall/IDS log entries.
Post Exploitation
1. Latter phase of Exploitation, begins after target[s] is/are compromised. 2. Methodical approach to learning about emergent vulnerabilities during ongoing exploitation. 3. Similar to Escalating Privileges and into Pilfering in the hacking methodology.
Exploitation
1. Launching well-researched, well-planned exploits with a high probability of success. 2. Exploitation should be done only when you expect to succeed. 3. Exploits should not harm the target system, need know all outcomes. 4. Similar to gaining access in the hacking methodology.
Some Vulnerability Analysis Tools
1. Linux and/or Mac (*NIX) - Nessus - OpenVAS - Nexpose 2. Windows and/or Mac - Nessus for Windows - Microsoft Baseline Security Analyzer (MBSA) - Retina - LanSpy
Covert Penetration Testing
1. More realistic testing, closely simulates attacker 2. Without knowledge of organization, IT staff 3. Must still have coordination and authorization of leadership 4. More time consuming, usually requires more skill 5. May not find all vulnerabilities
Vulnerability Analysis includes such activities as...
1. Port scans 2. Vulnerability scans 3. Banner grabbing
There are 7 sections which comprise PTES...each section is cumulative, and builds upon information learned during the previous ones
1. Pre-engagement Interactions 2. Intelligence Gathering 3. Threat Modeling 4. Vulnerability Analysis 5. Exploitation 6. Post Exploitation 7. Reporting
Microsoft Baseline Security Analyzer
1. Program that analyzes a Windows system for vulnerabilities [host-based] 2. Analyzes in several areas - OS and related utilities - patch levels - Accounts - password content and expiration - Services - whether unneeded services present - Utility security settings [e.g. IIS, SQL Server] - Etc.
Vulnerability Analysis Objectives
1. Understand state of vulnerability within a network, system, or host. 2. After identifying live hosts and running services, we now probe identified services more fully for specific weaknesses. 3. Difference between intel gathering and enumeration is in the level of intrusiveness.
Threat Modeling [focuses on the Assets and the Threats]
1. Use results of intelligence gathering to find existing target vulnerabilities. 2. View target organization as an attacker. 3. Determine best attack methods based on vulnerabilities. 4. Similar to Scanning and initial Enumeration in the hacking methodology
3 weaknesses in setting up a remote shell
1. Hackers create a new process on a remote host
listener setup
1. use multi/handler 2. set payload windows/meterpreter/reverse_tcp 3. set lhost 127.0.0.1 4. set lport <listening port> 5. exploit
Where to put Vulnerability Scanning Tools
1. Don't want them resident on bastion hosts, firewalls • Could be used against you 2. Safer to reside in secure zones, but less useful 3. Best to install on a laptop • Think of scanner as a mobile appliance • Connect to DMZ, insecure zone, secure zone when needed • Disconnect when not being used
3 weaknesses in setting up a remote shell
2. The remote shell is limited by the process you are using, until it can escalate.
3 weaknesses in setting up a remote shell
3. You only see a portion of the file structure; you cannot access a file above the level of the process you are using.
OpenVAS
A derivative of the Nessus project - Open source, so free to download and use - Preloaded in Kali Linux
Use of Intelligence gathering
A pen-tester or high level attacker will take time to gather intelligence about the network/target before proceeding. The end result will be a thorough understanding of the target [i.e. knowing systems, IPs, domain names, services, etc]
Broken critical processes may be low hanging fruit which ____.
Allow access to assets.
systems command
Allows examination of target information, as well as process commands to allow listing, executing or killing of processes
What does Network based analysis do that host based does not?
Allows us to do assessments on agentless hosts. Looks at the network health as a whole and at communication between hosts. Identifies hosts that are unknown.
Why don't we go straight to vulnerability analysis?
Allows us to find out information about the ports and services, so we can go straight to the ports and services we know are open, so that we are not detected and blocked by an IDS or IPS.
nmap
Allows users to scan networks and individual computers to determine which ones are up and what services are running on them. One of the most powerful scanners available, as well as one of the most utilized by hackers!
Meterpreter
An advanced MSF payload tool
Business Asset Analysis
Analyze documentation and interview personnel to decide what assets present the largest target for attackers - Policies and procedures - Product and marketing information - Financial records - Personnel data [internal] - Customer data [external]
Threat Modeling Process
At a high level, the threat modeling process is fairly straightforward: 1. Gather relevant documentation 2. Identify and categorize primary and secondary assets 3. Identify and categorize threats and threat communities 4. Map threat communities against primary and secondary assets
Nmap Scan Types -f
Causes the scan to fragment the packets, in an attempt to evade firewall and IDS packet filters.
chroot
Changes the logical root directory for an application (e.g., the meterpreter shell)
Port Scanners
Creates, initiates, or uses TCP flags to evoke a response from a system
Vulnerability assessment
Database must be accessed for comparison against known vulnerabilities
Pre-engagement Interactions
Defines the scope and terms of the penetration test with the client. In PTES the client is often management or organizational leadership. No real equivalent in the hacking methodology, other than general preparations. Stick to the scope of the agreement.
Nmap Scan Types -Pn
Does not ping the hosts prior to scanning. Skips host discovery and assumes all hosts are online [quieter scan].
Network-based Passive Scanning Disadvantages
For a passive scan to work, a detectable host must elicit or respond to a packet — if a server never communicates on the network, the scanner will never see it.
Nmap Scan Types -sn
Essentially a simple ping scan while disabling port scanning. By default, this switch includes a TCP ACK packet to port 80 [HTTP]. If you get a RST back, the machine is up. This helps get by ICMP filters.
Meterpreter
Essentially, it is a super-horsepower remote shell to the target, with its own set of embedded exploitation commands
Hacking methodology includes...
Footprinting, Scanning, Enumeration, Gaining Access, Creating Backdoors, Escalating Privilege and Pilfering
Threat Capability Analysis
For each threat community or agent, their capabilities must be analyzed. Used to develop an accurate threat model that reflects the probability of the threat successfully targeting and compromising the organization. Model the threat's motivation and capability against the organization.
Nessus
GUI or within MSF command line
Intelligence Gathering
Gather all information possible about target system. 1. Open source information [Google hacking]. 2. Social media searches. 3. Footprinting.
Banner grabbing
Getting information about the server from its default response [e.g., the version of HTTP server it is using]
Use of Intelligence gathering
Goal is to remain undetected until one needs to be overt to get more information. Script Kiddies, worms, viruses usually do not do this.
Passive Intelligence Gathering
Google hacking, OSINT, WhoIs, Netcraft, NSlookup/Host
Covert Penetration Testing
Harder to do; it takes a lot more work on the pen tester's side. Ensure that you are not held liable for damage done. Covert takes more time because each step is more methodical. You may be able to exploit quickly but the actual payload may not return anything for a while.
Barracuda
IDS which grades emails in order to decide whether to let them pass into the network
types of information you look for in fingerprinting
IP ranges, domains, records associated with target, develop a picture/map of the network
Exploitation Goal
Identify the path of least resistance to the target, without being detected, and deliver an attack with the most impact
enumeration
Identifying on the network all the vulnerabilities that can be exploited. Looking at the specifics of the vulnerabilities that exist.
Non-critical
If you get enough small information it could give you a critical process.
What are the 2 categories of attackers?
Insider and outsider threats
chroot
Intended to support PoLP by making it impossible for an application to reference files and directories that exist above its pseudo-root directory
why would you use a scan that gives you minimal information?
It makes you less detectable
Shortcomings of Passive Assessment
It takes too long and you may not see everything on the network. Requires persistence that you may not have in order to detect changes. DHCP gives you a false sense of users or devices, as the IPs are leased.
Meterpreter
Its purpose is to provide complex, advanced exploitation features that would otherwise be tedious to implement purely in assembly
What OS comes preloaded with Metasploit?
Kali Linux
Intelligence Gathering
Known as Footprinting and Scanning. Very deliberate and methodical to remain undetected. Everything unknown should be catalogued. Internet evolves so keeping good records is important.
Overt Penetration Testing
The level of overtness is what you worked out with the organization. Leadership doesn't trust their organization's network, and works out the test to its needs.
Threat Modeling
Look at the threats that might exploit the vulnerabilities of the organization. What is the motivation to penetrate the organization? The threat is looking to match tools to the vulnerabilities.
In order to run Armitage one must link to ______
MSF PostgreSQL
Two utilities (commands) within MSF
MSFConsole and MSFpayload [MSFencode, MSFvenom, MSFupdate] run at the kernel shell
MSFencode and MSFpayload are being deprecated; each of their functionality is now captured in the single ____.
MSFvenom utility
MSF console
Provides a comprehensive interactive interpreter/interface environment for virtually all MSF functionality. Launched from Linux CLI with msfconsole.
What are the ramifications of being more intrusive?
Ramifications include being detected; another is being louder rather than covert.
Intelligence Gathering
Reconnaissance against the target to gather as much information as possible to use later during vulnerability analysis and exploitation.
port scanning
Sometimes ICMP packets are blocked at the router or firewall, preventing ping replies. In this case, the next step is to go deeper with port scanning.
Host-based Scanning Disadvantages
The biggest disadvantage is that credentials must be known and provided • Often, obtaining these credentials can take time, even in a cooperative overt situation.
Payload
The deliverable. A piece of code to be executed by an attacking exploit; could be a shell script, a few commands, an executable.
What is the difference between intel gathering and enumeration?
The key difference between intel gathering and enumeration is in the level of intrusiveness. Enumeration involves active connections to target systems and directed queries.
Nmap Scan Types -sU
This is a UDP scan. Sends a 0 byte UDP packet to each port; if you get back an ICMP unreachable message, then the port is closed. Otherwise it's assumed to be open. This can be a very slow scan.
Nmap Scan Types -sI
This is a blind port "Zombie" scan, aka Idle scan. No packets are sent to the target from your real IP. You will need a Zombie to perform this scan.
Nmap Scan Types -sF
This is a surprise, unprovoked FIN scan. You should get back a rst from a closed port and perhaps nothing from an open port.
Nmap Scan Types -sO
This is an IP protocol scan to find out what IP protocols are supported by the host. Sends a raw IP packet without any other header info to each IP protocol possibly supported by the target. An ICMP protocol unreachable message means it is not supported. No response means it is.
Nmap Scan Types -sX
This one comes at you lit up like a Christmas tree [thus Xmas scan] with the FIN, URG, and PUSH flags set. It simply is just a malformed packet...
Nmap Scan Types -PA
Use TCP ACK packets through the network to see if any response is seen.
Nmap Scan Types -PS
Use TCP SYN packets. A RST or a SYN/ACK will let you know the host is up.
Penetration Testing Execution Standards (PTES)
Used to define and establish a baseline of fundamental principles required to conduct a penetration test. Flow of activities very similar to the hacking methodology
Nmap Scan Types -PE
Uses ICMP echo for host discovery.
multiencoding of a payload
Uses multiple iterations and various encodings on the way to creating a final encoded payload executable in MSFvenom to circumvent sophisticated AV's
Nessus
Uses nmap for initial port scanning • Two-level architecture - Server: define policies, run scans - Client: control scans, view reports • Nessus can be used externally [Kali kernel prompt] or internally within the MSF
Use of Intelligence Gathering
Using social media, Google, whois, the Wayback Machine, nmap and other passive modes to gather intelligence against a target.
Sysinternals Tools
Vulnerability assessment tools for Windows machines. Many interesting and useful security tools. • Autoruns - shows programs configured to run during system bootup or login • Process Explorer - information about handles and DLLs that processes have opened or loaded
Why do we look at the assets of a Business?
We look at the assets to see what threats might be motivated to act against them.
Passive Stack Fingerprinting
We may be able to passively listen to network traffic and still determine the OS. TCP/IP stack fingerprinting is the passive collection of network layer-4 attributes. Cost is time spent waiting for a reply.
multi/handler exploit module
You can launch a special listener to initiate a meterpreter session
Listener
a component that "listens" for an incoming connection on the target system, after it has been exploited; typically waits for contact from an attacker machine.
Module
a piece of software used by MSF; may be an exploit module, an auxiliary module; we think in terms of a library of prebuilt MSF modules. The highest level of entity in the framework.
footprinting
a systematic approach to recreate a complete profile of an organization's network and security posture, i.e. internet site, intranet site, remote access and extranet
Shellcode
a type of payload that performs a set of instructions [script] on the target system; usually written in assembly language.
Meterpreter Step 1
able to avoid creation of a new process because it executes in the context of the process that is being exploited
scanners are very noisy
actively attempt connections, query services through ports, etc. ... like the proverbial bull-in-a-china-shop. - easily logged by the target! - There are limited ways to make them more stealthy
MSF modules: Auxiliary
allow us to do other things that aren't strictly related to exploitation of a vulnerability with a payload. Can be used during phases other than exploitation, e.g., Intel Gathering
MSF not only gives you a suite of tools, but...
allows you to develop your own
BL:
an attacker exploits a vulnerability to deliver a payload onto a target
The MSF
an open-source tool that provides a simplified method for launching attacks, it also attracts low-level hackers and script kiddies who can create additional problems for network and IT managers
Meterpreter Step 2
are all executed entirely within memory using the technique described in Remote Library Injection
Network-based Assessment
are conducted from central locations on the network.
MSF payloads...
are designed to run in memory and never to write data to the hard disk; thus, when an MSF payload is sent with an exploit, most AV programs will not detect that the payload has been run on the target. Modifying a payload to avoid triggering the AV signature is key.
Payload
are the code or commands that are intended to be executed on the target, upon successful entry via an exploit; payloads allow an attacker to control the exploited system
Exploits
are tools and techniques used to gain access into a target by taking advantage of a vulnerability
Vulnerability Scanners
are tools used for assessing system, network, app vulnerabilities. - They find only known vulnerabilities then you patch them.
Vulnerability Scanners
are very "loud" and create lots of network traffic, so generally not part of covert pen-testing
nslookup on a linux machine
does not yield much information. nslookup itself enters into interactive mode which allows you to enter more commands.
Metasploit Utilities
enable interface with other features of MSF in specific situations, e.g., for new exploit development
Multi/handler Exploit
establishes a local listening server that waits for a connection signal to be sent back from the remote host
Meterpreter Session
executes in the context of the process that is being exploited - Remember that meterpreter is a payload delivered within an exploited process. - Meterpreter is not created as its own new process on the host
Vulnerability Analysis
exposed weaknesses in a target network or system — now we want to take advantage of [i.e., exploit] those weaknesses
• Connect scan (-sT):
full TCP connect
Armitage
fully interactive MSF GUI. MSF PostgreSQL database [and MSF Console] must be running before starting Armitage.
MSF modules: info
get details for a specific module
sessions command
give you a list of running sessions in meterpreter
DNS Zone Transfer
gives you a blueprint of the network to build a DNS database.
Service Fingerprinting
goes a step beyond port scanning to reveal actual services running, and deeper information such as their revision/patch level associated with each port. It is also more time consuming and noticeable because it generates considerably more traffic.
• SYN scan (-sS):
half-open scan [no final ACK]
Command to get help is...
help <command>
MSF CLI
historical; was deprecated in favor of msfconsole. Ran at the kernel shell and allowed the user more flexibility.
PING
if performed and a host is not alive, what could that mean? It is filtered. Ping sends a controlled packet to check if a host is alive. The packet is normally 64 bytes, and the most important aspect is that the ping came back.
Banner Grabbing
involves connecting to a remote service and observing the output. May identify the "make and model" of a running service, which in many cases is enough to set vulnerability analysis in motion. Common manual techniques for banner grabbing include use of netcat (nc) and telnet.
Scanning
involves scanning the IPs we've identified in footprinting. In scanning we're using the footprinted information to check the network for viability.
Passive assessment
involves sniffing network traffic to deduce a list of active systems, services, applications, and vulnerabilities over time. - Passive assessment is a continuous effort such that the sniffer monitors the network 24/7 - Can have shortcomings with passive assessment, i.e., consider DHCP server
remote shells
involves the creation of a new process in the target process list
Exploit
is a means by which an attacker [threat] takes advantage of a system, app, or service flaw. The goal is an outcome unintended by the developer.
Meterpreter
is a Metasploit interpreter.
whois
is a query and response tool, which gives domain registry, company name, information such as IP ranges, domain names, site owner manager or sys admins.
The MSF
is an environment for exploit development, as well as a platform for launching exploits on real-world targets
Scanning
is analogous to checking the doors, windows, mail slots, etc., to see if they're unlocked, and how well they're protected...We still are not yet entering the building, but we are looking for vulnerabilities that we can use to get further during the next steps.
The MSF
is packaged with exploits that can cause real damage if not used properly
short coming of ping
is that the command works one host at a time, unless you can script it to ping more hosts at once. Nmap with the option [-sn] can perform a ping sweep.
Meterpreter
is what is running on the target host, the payload
why would you use a scan that has every flag set in a 3 way handshake?
it will detect if a host is filtering, and if anything is returned. This is a loud scan used to figure out ports and services.
Filetype
look for certain file types such as .pdf, .doc, .xls etc
Internal Community Analysis:
management, developers, technicians, staff employees, contractors, general users - what do they all have access to?
Domain Name Server
maps IP addresses to host names
Detection software
relies on known malicious code signatures, so any payload that is custom built has a greater chance of going undetected
Extension walking
replacing .htm with .bak or .old [or others]
MSF modules: search
search for a specific subcategory or module
• FIN scan (-sF):
send FIN, listen for RST
• Xmas scan (-sX):
set FIN/PSH/URG flags to "light packet up like a Christmas tree"
nslookup -d theonion.com Windows OS command
should list all available DNS record types
host -v theonion.com Linux/Mac OS command
should list all available DNS records, similar to "-a" with verbosity.
Allows you to view available MSF modules and their options for conducting exploitation:
show and search
Meterpreter
small piece of code which executes on the target host and calls back to your host, which then allows you to send the Meterpreter code back in response to the signal.
MSFvenom...
takes an MSF payload module, with associated option values and an output type, and generates a standalone payload
Meterpreter Step 3
the meterpreter allows for complete control and automation when it comes to writing payload extensions
Why is foot printing necessary?
to ensure that all pieces of information related to the network and posture fit and are known.
MSFvenom functionality...
transforms raw payload code into a new binary file that ideally doesn't match a known signature.
whois can be used maliciously
using a wildcard, whois -h domainname*, looks at everything with the domainname in the internet db for that site. The domainname.* form may or may not give you anything. Gives a host lookup of everything for registered domain names for sub categories.
webmail
using the headers in emails gives you server information and IPs. Emailing the server, even erroneously, will give you the user agent, path, time stamp and the verbiage it uses.
Mail verification
VRFY and EXPN, two commands used in a telnet session with a mail server. Neither is often enabled.
port scanning
we touch [but still do not enter!] target systems with services that are allowed through the firewall [e.g., web servers].
Exploitation
we want to bypass a target's security mechanisms and maintain stealth - Precision strike, not brute force attack - Countermeasure avoidance (AV, IDS) - Evasion
robots.txt
web crawlers use the file[s] [which are publicly available to everyone] located under the root level of a site. Gives the web crawler information about the site for searchable content. Also known as the "robots exclusion protocol". e.g. http://www.example.com/robots.txt
webmail
what kind of services it is running, e.g. IMAP, POP
External DMZ
will only contain names of hosts/servers in the external DMZ.
MSFvenom allows...
you to create your own payload to be launched undetected by the target host.
Detecting the OS
• "There are many nuances that vary between one vendor's IP stack implementation and another's... • Vendors often interpret specific RFC guidance differently when writing their TCP/IP stack... • Probing for these differences... [we can] begin to make [an] educated guess as to the exact OS in use..."
Business Process Analysis
• Focus is the business processes that represent and support the organization's mission. • Identify critical and non-critical processes. • An aggregation of non-critical processes can become critical.
Nmap Scan Types -n
• Never do DNS resolution. • Helps speed up scanning. • Alternative is '-R' to always resolve [default is sometimes].
Nmap Timing Options -T#
• Paranoid [0] - Serial scan [one port at a time] - 5 minutes between packets • Sneaky [1] - Serial scan - 15 seconds between packets • Polite [2] - Serial scan - 0.4 seconds between scans • Normal [3] - Quick without overloading network • Aggressive [4] - 5 minute timeout per host - Waits 1.25 seconds for probe response • Insane [5] - For a very fast network - Only waits .3 seconds for probe response
Port scanning
• Software packages installed, and their versions • Services running on targets, and their patches • Possible vulnerabilities on these combinations
Password checkers
• Strength and policy conformance
Nmap Scan Types -D
• This is a decoy scan. It places the real scanning IP in the midst of several decoy IPs. • Thus an IDS might report 5-10 port scans from unique IP addresses, but won't know which IP was scanning them and which were decoys.
Nessus Structure
• User accounts for scan authorization [admin] • Can interactively configure through running server [browser-based access] • Uses plugins to perform vulnerability tests
Nmap Scan Types -v
• Verbose mode [use '-vv' for greater verbosity]. • Scan will tell you what it is doing as it progresses.