Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide

Table of Contents

Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide

Credits

About the Author

About the Reviewers

www.PacktPub.com

Support files, eBooks, discount offers and more

Why Subscribe?

Free Access for Packt account holders

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Errata

Piracy

Questions

1. Planning and Scoping for a Successful Penetration Test

Introduction to advanced penetration testing

Vulnerability assessments

Penetration testing

Advanced penetration testing

Before testing begins

Determining scope

Setting limits — nothing lasts forever

Rules of engagement documentation

Planning for action

Installing VirtualBox

Installing your BackTrack virtual machine

Preparing the virtual guest machine for BackTrack

Installing BackTrack on the virtual disk image

Exploring BackTrack

Logging in

Changing the default password

Updating the applications and operating system

Installing OpenOffice

Effectively manage your test results

Introduction to MagicTree

Starting MagicTree

Adding nodes

Data collection

Report generation

Introduction to the Dradis Framework

Exporting a project template

Importing a project template

Preparing sample data for import

Importing your Nmap data

Exporting data into HTML

Dradis Category field

Changing the default HTML template

Summary

2. Advanced Reconnaissance Techniques

Introduction to reconnaissance

Reconnaissance workflow

DNS recon

Nslookup — it's there when you need it

Default output

Changing nameservers

Creating an automation script

What did we learn?

Domain Information Groper (Dig)

Default output

Zone transfers using Dig

Advanced features of Dig

Shortening the output

Listing the bind version

Reverse DNS lookup using Dig

Multiple commands

Tracing the path

Batching with dig

DNS brute forcing with fierce

Default command usage

Creating a custom wordlist

Gathering and validating domain and IP information

Gathering information with whois

Specifying which registrar to use

Where in the world is this IP?

Defensive measures

Using search engines to do your job for you

SHODAN

Filters

Understanding banners

HTTP banners

Finding specific assets

Finding people (and their documents) on the web

Google hacking database

Google filters

Metagoofil

Searching the Internet for clues

Metadata collection

Extracting metadata from photos using exiftool

Summary

3. Enumeration: Choosing Your Targets Wisely

Adding another virtual machine to our lab

Configuring and testing our Vlab_1 clients

BackTrack Manual ifconfig

Ubuntu — Manual ifconfig

Verifying connectivity

Maintaining IP settings after reboot

Nmap — getting to know you

Commonly seen Nmap scan types and options

Basic scans — warming up

Other Nmap techniques

Remaining stealthy

Taking your time

Trying different scan types

SYN scan

Null scan

ACK scan

Conclusion

Shifting blame — the zombies did it!

IDS rules, how to avoid them

Using decoys

Adding custom Nmap scripts to your arsenal

How to decide if a script is right for you

Adding a new script to the database

SNMP: A goldmine of information just waiting to be discovered

SNMPEnum

SNMPCheck

When the SNMP community string is NOT public

Creating network baselines with scanPBNJ

Setting up MySQL for PBNJ

Starting MySQL

Preparing the PBNJ database

First scan

Reviewing the data

Enumeration avoidance techniques

Naming conventions

Port knocking

Intrusion detection and avoidance systems

Trigger points

SNMP lockdown

Summary

4. Remote Exploitation

Exploitation — Why bother?

Target practice — Adding a Kioptrix virtual machine

Manual exploitation

Enumerating services

Quick scan with Unicornscan

Full scan with Nmap

Banner grabbing with Netcat and Ncat

Banner grabbing with Netcat

Banner grabbing with Ncat

Banner grabbing with smbclient

Searching Exploit-DB

Exploit-DB at hand

Compiling the code

Compiling the proof of concept code

Troubleshooting the code

What are all of these ^M characters and why will they not go away?

Broken strings — The reunion

Running the exploit

Getting files to and from victim machines

Installing and starting a TFTP server on BackTrack 5

Installing and configuring pure-ftpd

Starting pure-ftpd

Passwords: Something you know…

Cracking the hash

Brute forcing passwords

THC Hydra

Metasploit — learn it and love it

Updating the Metasploit framework

Databases and Metasploit

Installing PostgreSQL on BackTrack 5

Verifying database connectivity

Performing an Nmap scan from within Metasploit

Using auxiliary modules

Using Metasploit to exploit Kioptrix

Summary

5. Web Application Exploitation

Practice makes perfect

Installing Kioptrix Level 3

Creating a Kioptrix VM Level 3 clone

Installing and configuring Mutillidae 2.1.7 on the Ubuntu virtual machine

Installing and configuring pfSense

Preparing the virtual machine for pfSense

pfSense virtual machine persistence

Configuring the pfSense DHCP server

Starting the virtual lab

pfSense DHCP — Permanent reservations

Installing HAProxy for load balancing

Adding Kioptrix3.com to the host file

Detecting load balancers

Quick reality check — Load Balance Detector

So, what are we looking for anyhow?

Detecting Web Application Firewalls (WAF)

Taking on Level 3 — Kioptrix

Web Application Attack and Audit Framework (w3af)

Using w3af GUI to save time

Scanning by using the w3af console

Using WebScarab as a HTTP proxy

Introduction to Mantra

Summary

6. Exploits and Client-Side Attacks

Buffer overflows — A refresher

Cing is believing — Create a vulnerable program

Turning ASLR on and off in BackTrack

Understanding the basics of buffer overflows

Introduction to fuzzing

Introducing vulnserver

Fuzzing tools included in BackTrack

Bruteforce Exploit Detector (BED)

SFUZZ: Simple fuzzer

Fast-Track

Updating Fast-Track

Client-side attacks with Fast-Track

Social Engineering Toolkit

Summary

7. Post-Exploitation

Rules of engagement

What is permitted?

Can you modify anything and everything?

Are you allowed to add persistence?

How is the data that is collected and stored handled by you and your team?

Employee data and personal information

Data gathering, network analysis, and pillaging

Linux

Important directories and files

Important commands

Putting this information to use

Enumeration

Exploitation

Were connected, now what?

Which tools are available on the remote system

Finding network information

Determine connections

Checking installed packages

Package repositories

Programs and services that run at startup

Searching for information

History files and logs

Configurations, settings, and other files

Users and credentials

Moving the files

Microsoft Windows™ post-exploitation

Important directories and files

Using Armitage for post-exploitation

Enumeration

Exploitation

Were connected, now what?

Networking details

Finding installed software and tools

Pivoting

Summary

8. Bypassing Firewalls and Avoiding Detection

Lab preparation

BackTrack guest machine

Ubuntu guest machine

pfSense guest machine configuration

pfSense network setup

WAN IP configuration

LAN IP configuration

Firewall configuration

Stealth scanning through the firewall

Finding the ports

Traceroute to find out if there is a firewall

Finding out if the firewall is blocking certain ports

Hping

Nmap firewalk script

Now you see me, now you don't — Avoiding IDS

Canonicalization

Timing is everything

Blending in

Looking at traffic patterns

Cleaning up compromised hosts

Using a checklist

When to clean up

Local log files

Miscellaneous evasion techniques

Divide and conquer

Hiding out (on controlled units)

File integrity monitoring

Using common network management tools to do the deed

Summary

9. Data Collection Tools and Reporting

Record now — Sort later

Old school — The text editor method

Nano

VIM — The power user's text editor of choice

NoteCase

Dradis framework for collaboration

Binding to an available interface other than 127.0.0.1

The report

Challenge to the reader

Summary

10. Setting Up Virtual Test Lab Environments

Why bother with setting up labs?

Keeping it simple

No-nonsense test example

Network segmentation and firewalls

Requirements

Setup

Adding complexity or emulating target environments

Configuring firewall1

Installing additional packages in pfSense

Firewall2 setup and configuration

Web1

DB1

App1

Admin1

Summary

11. Take the Challenge — Putting It All Together

The scenario

The setup

NewAlts Research Labs' virtual network

Additional system modifications

Web server modifications

The challenge

The walkthrough

Defining the scope

Determining the why

So what is the why of this particular test?

Developing the Rules of Engagement document

Initial plan of attack

Enumeration and exploitation

Reporting

Summary

Index

Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide

Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide

Copyright © 2012 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: May 2012

Production Reference: 1090512

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK

ISBN 978-1-84951-774-4

www.packtpub.com

Cover Image by Asher Wishkerman ( <a.wishkerman@mpic.de> )

Credits

Author

Lee Allen

Reviewers

Steven McElrea

Aaron M. Woody

Acquisition Editor

Kartikey Pandey

Lead Technical Editor

Kartikey Pandey

Technical Editor

Naheed Shaikh

Project Coordinator

Michelle Quadros

Proofreader

Lynda Sliwoski

Indexer

Tejal Daruwale

Graphics

Manu Joseph

Production Coordinator

Prachali Bhiwandkar

Cover Work

Prachali Bhiwandkar

About the Author

Lee Allen is currently the Vulnerability Management Program Lead for one of the Fortune 500. Among many other responsibilities, he performs security assessments and penetration testing.

Lee is very passionate and driven about the subject of penetration testing and security research. His journey into the exciting world of security began back in the 80s while visiting BBS's with his trusty Commodore 64 and a room carpeted with 5.25-inch diskettes. Throughout the years, he has continued his attempts at remaining up-to-date with the latest and greatest in the security industry and the community.

He has several industry certifications including the OSWP and has been working in the IT industry for over 15 years. His hobbies and obsessions include validating and reviewing proof of concept exploit code, programming, security research, attending security conferences, discussing technology, writing, 3D Game development, and skiing.

I would like to thank my wife Kellie for always being supportive and my children Heather, Kristina, Natalie, Mason, Alyssa, and Seth for helping me perfect the art of multitasking. I would also like to thank my son-in-law Justin Willis for his service to our country. In addition, I would like to thank Kartikey Pandey and Michelle Quadros for their help and guidance throughout the writing process. A special thanks goes to Steven McElrea and Aaron M. Woody for taking the time to work through all of the examples and labs in the book and to point out my errors, it's people like you that make the security community awesome and fun!

About the Reviewers

Steven McElrea has been working in IT for over 10 years mostly as a Microsoft Windows and Exchange Server administrator. Having been bitten by the security bug, he's been playing around and learning about InfoSec for a several years now. He has a nice little blog (www.kioptrix.com) that does its best to show and teach the newcomers the basic principals of information security. He is currently working in security professionally and he loves it. The switch to InfoSec is the best career move he could've made.

Thank you Amélie, Victoria, and James. Je vous aimes tous. Thanks to Richer for getting me into this mess in the first place. Also, I need to thank Dookie for helping me calm down and getting my foot in the door. I must also thank my parents for being supportive, even during our difficult times; I love you both.

Aaron M. Woody is an expert in information security with over 14 years experience across several industry verticals. His experience includes securing some of the largest financial institutions in the world performing perimeter security implementation and forensics investigations. Currently, Aaron is a Solutions Engineer for a leading information security firm, Accuvant Inc., based in Denver, CO. He is an active instructor, teaching hacking and forensics, and maintains a blog, n00bpentesting.com. Aaron can also be followed on twitter at @shai_saint.

I sincerely thank my wife Melissa and my children, Alexis, Elisa, and Jenni for sharing me with this project. I also appreciate the sanity checks by Steven McElrea (@loneferret) for his friendship and partnership during the review process. I would like to give an extra special thanks to Lee Allen for involving me in this project; thank you.

www.PacktPub.com

Support files, eBooks, discount offers and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

http://PacktLib.PacktPub.com

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.

Why Subscribe?

Fully searchable across every book published by Packt

Copy and paste, print and bookmark content