XFSC 7201 - Day 1
Hundreds of open source frameworks and tools are available. Remember that tools are just that, ‘tools’. It is more
important to understand the techniques and then find the appropriate tool for the job.
Reconnaissance
Active vs. Passive Recon
Reconnaissance is an important part of any penetration test but often skipped due to being
less ‘exciting’
Used to gather information about a target
Passive reconnaissance gathers information without touching the actual target
Eg: Open Source Intelligence (OSINT), WhoIs records, DNS Records (such as querying public
servers), Passive Packet Captures
Active reconnaissance gathers information but results in the target being probed
DNS brute forcing, port scanning, service enumeration, web directory brute forcing
Active DNS and web enumeration often use wordlists to find common paths or subdomains eg:
admin.bcit.ca, blog.bcit.ca, shop.bcit.ca etc…
DNS
DNS seems like a very simple thing but can be extremely useful in planning attacks
Discover alternate hosts in the environment
Get an understanding about the underlying network layout
Gather information about subdomains or other interesting hosts
Eg: admin.company.com may not be searchable on google, but could be found with enumeration
Various record types, some of the more common ones include:
A – host address which maps a name (eg: google.com) to an IP address
PTR – a reverse record which maps an IP address back to a name
MX – mail exchanger records
NS – specifies which name servers are authoritative for a domain
CNAME – canonical name (basically an alias)
TXT – free form text record which often contains ‘extra’ information (useful to attackers)
Dig and NSLookup
dig:
Simple lookup: dig bcit.ca
Lookup name servers: dig @8.8.8.8 bcit.ca NS
Lookup using external DNS server: dig @8.8.8.8 bcit.ca
Lookup MX record: dig @8.8.8.8 bcit.ca MX
Lookup CNAME record: dig @8.8.8.8 bcit.ca CNAME
Lookup TXT record: dig @8.8.8.8 bcit.ca TXT
nslookup:
Simple lookup: nslookup bcit.ca
Lookup name servers: nslookup -type=ns
Lookup using external DNS server: nslookup redhat.com ns1.redhat.com
Lookup MX record: nslookup -query=mx
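The commands above print an answer section that is easy to read by eye but tedious to compare across many domains. The following is an added example, not part of the course material: a small stdlib-only Python parser for `dig +noall +answer` output that groups records by type, orders MX hosts by preference, and pulls the third-party sender domains disclosed by an SPF TXT record (the kind of ‘extra’ information the TXT slide warns about). The sample output, the zone example.com and the RFC 5737 addresses are all constructed; they are not real query results.

```python
import re
from collections import defaultdict

# Constructed sample of `dig +noall +answer` output for a fictional zone.
# example.com and the RFC 5737 addresses are placeholders, not real query results.
SAMPLE_DIG_ANSWER = """\
example.com.        300   IN  A      192.0.2.10
example.com.        300   IN  A      192.0.2.11
example.com.        3600  IN  NS     ns1.example.net.
example.com.        3600  IN  NS     ns2.example.net.
example.com.        300   IN  MX     20 mail2.example.com.
example.com.        300   IN  MX     10 mail.example.com.
example.com.        300   IN  TXT    "v=spf1 include:_spf.mailprovider.example include:spf.cloudmail.example -all"
example.com.        300   IN  TXT    "site-verification=constructed-token-123"
www.example.com.    300   IN  CNAME  example.com.
"""

# One answer line: owner name, TTL, class, type, rdata (rdata may contain spaces)
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.*)$")


def parse_dig_answer(text):
    """Turn dig answer-section lines into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig's comment lines
            continue
        m = ANSWER_RE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        records.append({"name": name.rstrip("."), "ttl": int(ttl),
                        "type": rtype, "rdata": rdata.strip()})
    return records


def group_by_type(records):
    """Map record type -> list of rdata strings, in answer order."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["type"]].append(r["rdata"])
    return dict(grouped)


def mail_exchangers(records):
    """MX hosts ordered by preference (lowest number first)."""
    mx = []
    for r in records:
        if r["type"] == "MX":
            pref, host = r["rdata"].split(None, 1)
            mx.append((int(pref), host.rstrip(".")))
    return [host for _, host in sorted(mx)]


def spf_includes(records):
    """Third-party sender domains disclosed by the zone's SPF TXT record."""
    includes = []
    for r in records:
        if r["type"] != "TXT":
            continue
        # dig prints TXT rdata as one or more quoted strings; join them first
        txt = "".join(re.findall(r'"([^"]*)"', r["rdata"]))
        if not txt.lower().startswith("v=spf1"):
            continue
        for token in txt.split():
            if token.lower().startswith("include:"):
                includes.append(token.split(":", 1)[1])
    return includes


if __name__ == "__main__":
    recs = parse_dig_answer(SAMPLE_DIG_ANSWER)
    for rtype, values in group_by_type(recs).items():
        print(f"{rtype:6} {values}")
    print("MX by preference:", mail_exchangers(recs))
    print("SPF includes:   ", spf_includes(recs))
```

Feeding real `dig +noall +answer` output into `parse_dig_answer` works the same way; the point of `spf_includes` on the defensive side is to inventory which outside providers your own zone advertises, since every include is a hint an attacker would otherwise have to dig for.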
WhoIs Records
Query the ownership of domains and IP addresses based on the records contained in ICANN
(Internet Corporation for Assigned Names and Numbers)
Can be quite useful in the reconnaissance phase to determine asset ownership and other
information such as contacts and email address format
Open Source Intelligence (OSINT)
People and organizations have a wealth of information online
Includes website data, search engines, social media, documents, metadata, and 3rd party websites
Lots of valuable data just sitting there but needs to be gathered and correlated
OSINT leverages public information sources to gather this information
OSINT is passive since you are not actually ‘touching’ the target
The biggest challenge is often correlation
How do you link information gathered from the company website, with google searches, and
personal social media accounts?
OSINT tools can help, but manual customization is often required
OSINT – Google Dorks
An excellent passive reconnaissance technique is Google
Google has specialized search queries that can be used to find specific targets
Small set of examples:
site: → Search results only from a specific site
inurl: → Search specific elements inside the URL
intitle: → Search for a particular page title
“search” → Search must contain the term in quotes
cache: → Search cached content
ext: → Search for specific file extensions
Careful not to get shunned
Example query:
ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:confidential salary |
intext:"budget approved") inurl:confidential
List of Google Dorks: https://www.exploit-db.com/google-hacking-database
OSINT – Document Metadata
When a document is created, default ‘metadata’ is stored with that file
Security aware organizations remove these items
Many tools exist to help extract metadata
One such tool is ‘exiftool’ built into Kali Linux
Some documents contain juicy information such as authors, and last modified by
Could also contain OS and software versions
The power of metadata starts to show when many documents are analyzed together and
correlated which starts to tell a story…
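To make the metadata point concrete, here is an added example that is not part of the course material and does not use exiftool: it reads the author, last-modified-by, timestamps and application fields from the docProps parts of an Office Open XML (DOCX) file using only the Python standard library, and shows the scrubbing step a security aware organization would apply before publishing. The document is assembled in memory and every name, date and version in it is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by docProps/core.xml and docProps/app.xml
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when re-serialising

# Constructed docProps parts for a fictional DOCX; names, dates and versions are made up.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>Jane Doe (Finance)</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2023-01-05T10:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2023-02-01T12:30:00Z</dcterms:modified>
</cp:coreProperties>"""
APP_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS['ep']}">
  <Application>Example Office Suite</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp</Company>
</Properties>"""

# metadata field -> (zip member, path relative to that part's root element)
FIELDS = {
    "creator":          ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "created":          ("docProps/core.xml", "dcterms:created"),
    "modified":         ("docProps/core.xml", "dcterms:modified"),
    "application":      ("docProps/app.xml", "ep:Application"),
    "app_version":      ("docProps/app.xml", "ep:AppVersion"),
    "company":          ("docProps/app.xml", "ep:Company"),
}
# Fields that identify people or software; the scrubber leaves the dates alone
SCRUB_FIELDS = ("creator", "last_modified_by", "application", "app_version", "company")


def build_sample_docx():
    """Assemble a minimal DOCX-shaped zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<placeholder/>")  # body is irrelevant here
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Read every field in FIELDS from the document's docProps parts (None if absent)."""
    found = {key: None for key in FIELDS}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        roots = {}
        for key, (part, path) in FIELDS.items():
            if part not in roots:
                roots[part] = ET.fromstring(z.read(part)) if part in z.namelist() else None
            root = roots[part]
            el = root.find(path, NS) if root is not None else None
            if el is not None and el.text:
                found[key] = el.text.strip()
    return found


def scrub_metadata(docx_bytes):
    """Return a copy of the document with the SCRUB_FIELDS elements removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            targets = [FIELDS[k][1] for k in SCRUB_FIELDS if FIELDS[k][0] == name]
            if targets:
                root = ET.fromstring(data)
                for path in targets:
                    el = root.find(path, NS)
                    if el is not None:
                        root.remove(el)  # these elements are direct children of the root
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", extract_metadata(doc))
    print("after: ", extract_metadata(scrub_metadata(doc)))
```

Run against a real .docx (`extract_metadata(open(path, "rb").read())`) the same fields come back, which is why a pile of published documents from one organization can be correlated into a list of usernames, a naming convention and the office software in use.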
OSINT - Maltego
Free and commercial versions
Used to find links between various entities such as email addresses and domains
Utilizes “transforms” to find various associations
Can be weird to use at first but very useful
OSINT – Recon-NG
Automated reconnaissance module with many features
Leverages several other tools, API’s and features
May require API keys for 3rd party searching
Eg: google dorking without getting shunned
TCP Handshake and Teardown
Diagram (Sender ↔ Receiver): the three-way handshake is completed with SYN/ACK from the receiver
and ACK from the sender; a normal teardown is FIN, FIN/ACK, ACK; an abrupt teardown is a reset (RST, ACK)
TCP “SYN” Scan
Diagram (Attacker/Sender ↔ Receiver): the attacker sends SYN, the receiver answers SYN/ACK, and the
attacker replies with RST instead of completing the handshake
TCP “FIN” Scan
Diagram (Attacker ↔ Receiver): the attacker sends FIN
• Attacker sends a FIN to the destination
• If the port is open, no response should be received
• The attacker is trying to FIN an invalid connection
• If the port is closed, an RST should be received
TCP “NULL” Scan
No Flags
Receiver
• Attacker sends a packet with no TCP flags set
• If the port is open, no response should be received
• The attacker is sending a TCP connection with invalid (no) flags
• If the port is closed, an RST should be received
TCP “XMAS” Scan
FIN/PSH/URG
Receiver
• Attacker sends a FIN/PSH/URG to the destination
• If the port is open, no response should be received
• The attacker is sending a TCP connection with a combination of
flags that don’t make sense
• If the port is closed, an RST should be received
• This technique does not work against Windows systems
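Seen from the receiving network, the SYN, FIN, NULL and XMAS scans above are easy to spot because the flag combinations never occur on a legitimate connection, and a half-open SYN scan shows up as bare SYNs fanned across many ports. The following is an added example, not course material and not nmap or hping3 output: a Python detector run over a constructed packet log (RFC 5737 addresses, invented timestamps) that flags FIN/NULL/XMAS probes per packet and raises one SYN-sweep alert per source/target pair that hits a threshold of distinct ports inside a time window.

```python
from collections import defaultdict

# Constructed packet log: (seconds, src, dst, dst_port, TCP flags as letters)
# Addresses are RFC 5737 documentation ranges; nothing here is a real capture.
SAMPLE_PACKETS = [
    (0.00, "192.0.2.50",  "198.51.100.10", 22,  "S"),    # normal SYN ...
    (0.01, "192.0.2.50",  "198.51.100.10", 22,  "A"),    # ... and handshake ACK
    (1.00, "203.0.113.7", "198.51.100.10", 21,  ""),     # NULL probe (no flags)
    (1.01, "203.0.113.7", "198.51.100.10", 22,  ""),     # NULL probe
    (1.02, "203.0.113.7", "198.51.100.10", 80,  "F"),    # FIN probe on a fresh connection
    (1.03, "203.0.113.7", "198.51.100.10", 443, "FPU"),  # XMAS probe
    (2.00, "203.0.113.9", "198.51.100.10", 21,  "S"),    # SYN sweep across ports
    (2.01, "203.0.113.9", "198.51.100.10", 22,  "S"),
    (2.02, "203.0.113.9", "198.51.100.10", 23,  "S"),
    (2.03, "203.0.113.9", "198.51.100.10", 25,  "S"),
    (2.04, "203.0.113.9", "198.51.100.10", 80,  "S"),
    (2.05, "203.0.113.9", "198.51.100.10", 443, "S"),
    (5.00, "192.0.2.51",  "198.51.100.10", 443, "FA"),   # normal FIN/ACK teardown, not a probe
]

# Flag combinations that never occur on a legitimate connection
PROBE_SIGNATURES = {
    frozenset():      "NULL scan probe",
    frozenset("F"):   "FIN scan probe",
    frozenset("FPU"): "XMAS scan probe",
}


def classify_flags(flags):
    """Return the probe type for an invalid flag combination, else None."""
    return PROBE_SIGNATURES.get(frozenset(flags))


def detect_stealth_probes(packets):
    """One alert per packet whose flags match a FIN/NULL/XMAS signature."""
    alerts = []
    for ts, src, dst, dport, flags in packets:
        label = classify_flags(flags)
        if label:
            alerts.append({"type": label, "src": src, "dst": dst, "dport": dport, "time": ts})
    return alerts


def detect_syn_sweeps(packets, threshold=5, window=2.0):
    """Alert when a source sends bare SYNs to >= threshold distinct ports on one host within window seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, flags in packets:
        if frozenset(flags) == frozenset("S"):
            by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), probes in by_pair.items():
        probes.sort()
        best, start = 0, 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({p for _, p in probes[start:end + 1]}))
        if best >= threshold:
            alerts.append({"type": "SYN sweep", "src": src, "dst": dst, "ports": best})
    return alerts


def detect_scans(packets, **kwargs):
    """Combined report: per-packet stealth probes plus per-pair SYN sweeps."""
    return detect_stealth_probes(packets) + detect_syn_sweeps(packets, **kwargs)


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_PACKETS):
        print(alert)
```

Two caveats worth noting. A FIN/ACK teardown carries the FIN bit but is not a FIN-scan probe, which is why the signatures match the whole flag set rather than a single bit. And a decoy scan produces one sweep alert per decoy address, so the source in a sweep alert is evidence of scanning activity, not by itself proof of where it came from. The Windows behaviour noted for the XMAS scan affects what the scanner learns, not whether the probe is visible on the wire.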
Nmap
One of the most popular open source port scanners
Lots of features, both simple and complex
Used to enumerate hosts, scan ports, interrogate services and perform light vulnerability
scanning
Graphical version known as Zenmap
Nmap has a host which can be scanned to learn the tool and get practice:
scanme.nmap.org
Various switches, and options, which are covered next (this is barely scratching the surface)
Nmap – Decoy Scan
Diagram: the attacker (192.168.1.3) scans the target (192.168.1.4) while spoofing extra SYNs from decoy addresses
• SYN: SRC = 192.168.1.6 DST = 192.168.1.4
• SYN: SRC = 192.168.1.8 DST = 192.168.1.4
• SYN: SRC = 192.168.1.12 DST = 192.168.1.4
• SYN: SRC = 192.168.1.14 DST = 192.168.1.4
• SYN: SRC = 192.168.1.3 DST = 192.168.1.4
SYN-ACK goes to 192.168.1.5 (a decoy); SYN-ACK sent back to 192.168.1.3 (attacker)
The attacker cannot see the others, but masks the attack origin
Hping3 - Examples
Vulnerabilities are mitigated using controls which usually involves some kind of patching
Eg: When Microsoft discovers a bug/security weakness they release a patch
Exploits
A vulnerability is simply a discovered weakness, exploits take advantage of those
weaknesses usually for the purpose of performing some type of malicious action
Example – CVE-2019-0708 (Vuln in MS RDP – BlueKeep)
MS Advisory
HTTP Interception Proxies
• Web app testing requires a unique set of tools
• HTTP Interception Proxies
• Commonly used by penetration testers in web application assessments
• Burp Suite and OWASP’s ZAP are by far the most common
• Used to intercept communication between a web browser and a destination website
• Easy to bypass client based restrictions ie: JavaScript since the HTTP traffic has already left the
browser
Automated Exploitation Frameworks
Hackers and security consultants often leverage automated exploitation frameworks
Exploit code is ported over to a tool, and can be launched against a target using point and
click methods
Good for security consultants to test vulnerabilities
Also allows script kiddies and malicious threat actors to exploit systems with more ease
Most popular open source tool is the Metasploit Framework
Commercial tools also exist
Metasploit Framework
Metasploit framework (MSF) has a large number of built in exploits
Built and maintained by Rapid7
Allows automated exploitation of a target without needing to understand how the exploit
code works
When a vulnerability is released, exploit code can be easily ported into MSF
Separates exploit and payload allowing the target to be exploited using a known
vulnerability followed by loading/injecting a payload of choice
Metasploit has a commercial offering (Metasploit Pro)
Metasploit Commands
msfconsole → Launch Metasploit with Kali Linux
search → Search for an exploit
Eg “search IE 8” or “search Adobe CVE-XXX”
use → Use an exploit
set → used to set various configurable settings within the framework
set payload → choose a specific payload
set VarName → many exploits and payloads have specific values that need to be set
help → Show help information
show → Shows the info for a specific exploit or payload and the required variables
More Help: https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/
Metasploit Exploits
Exploits in Metasploit are stored in the ‘exploit’ folder
The subfolder is the platform which could be ‘windows’, ‘linux’, ‘android’ and ‘multi’ (among others)
‘multi’ contains platform/OS independent exploits such as HTTP, FTP, SSH etc..
TAB completion → exploit/windows/ + TAB shows all the available windows exploits
For example, if a vulnerability scan identifies that a Windows XP host is vulnerable to the NetAPI
vulnerability in MS08-067 (pretty much obsolete now)
We could run the following from the MSF prompt
msf > use exploit/windows/smb/ms08_067_netapi
To see the types of victim systems supported type (after selecting the exploit): show targets
To see the types of payloads that are supported type: show payloads
To see what options are required type: show options
Metasploit Payloads
Remember that exploits and payloads are separate things
Exploits take advantage of a vulnerability but payloads actually provide you with functionality
MSF separates exploits and payloads so developers can write exploits independent of a payload
Metasploit has a number of payloads supported on various platforms such as Windows,
Linux, PHP, Java
The most common payload is Meterpreter
Windows: windows/meterpreter/reverse_tcp
Recall that a reverse shell means the victim connects back to the attacker
If we want to make a connection to the victim use the bind_tcp option instead
Meterpreter shells are also provided for Linux, PHP, Java etc… with limited features
Metasploit’s Meterpreter
Meterpreter is MSF’s most powerful backdoor
If Meterpreter is running as a reverse TCP shell, 2 options will be required
LHOST → Your IP address where the victim should connect (the attacker IP)
LPORT → The port you want to listen on for the victim to connect (attacker port)
When you launch Meterpreter, your system will begin listening on this chosen port
By default, Meterpreter uses TCP Port 4444
Many organizations block this port, but it’s trivial to bypass by simply choosing an alternative port
RHOST/RPORT → this is the victim IP/port (ie: where you found the vulnerable service)
Once the exploit and payload have been set
The attack process can be launched by running ‘exploit’ or ‘run’ from the msf> prompt
The ‘L’ in LHOST/LPORT indicates ‘Local’ whereas the ‘R’ in RHOST/RPORT indicates ‘Remote’
MSF Exploit + Payload
Exploit Module Options:
Payload Options:
https://www.offensive-security.com/metasploit-unleashed/auxiliary-module-reference/
WARNING!
These are very vulnerable systems. DO NOT install on your company network or expose to
the internet as it will very likely get attacked.
Our Setup
Our attacking systems will run on a Kali VM
Our victim systems will be running a Metasploitable2 VM
Kali VM: 192.168.1.5
Vuln VM: 192.168.1.8