Cyber Security Auditing Software
Improve your Firewall Auditing As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand. he network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail e.g. web service query tools. However this is only part of the picture and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve. www.titania.com
With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.
You can customize the audit policy for your customer’s specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own companies styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself, evaluate for free at titania.com
Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems. www.titania.com
Editor’s note
08/2012 (16)
Dear PenTesters!
Managing Editor: Krzysztof Sikora krzysztof.sikora@software.com.pl Associate Editor: Trajce Dimkov dimkovtrajce@gmail.com 2nd Associate Editor: Aby Rao abyrao@gmail.com Betatesters / Proofreaders: George Bormes, Harish Chaudhary, David Kosorok, Stefanus Natahusada, Dyana Pearson, Emiliano Piscitelli, Ankit Prateek, Aby Rao, Eric Shultz, Steven Swierckx, Marcelo Zúñiga Torres, Gareth Waters, Jeff Weaver, Ed Werzyn, Daniel Wood Senior Consultant/Publisher: Paweł Marciniak CEO: Ewa Dudzic ewa.dudzic@software.com.pl Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl DTP: Ireneusz Pogroszewski Production Director: Andrzej Kuca andrzej.kuca@software.com.pl Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631 www.pentestmag.com Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used
Do you remember Fabian “@samuirai” Faessler’s article on exploitation frameworks in the previous issue of PenTest Regular? Since the piece met with very good reception, we decided to devote the current issue to this topic. In the Exploitation Frameworks section we start with Metasploit. Duane Anderson introduces you to VMware vSphere and shows you how to mitigate some of the threats and how to attack that virtual layer. Another outstanding tutorial handles Mercury Framework. Those who store more and more sensitive data on their smartphones will be interested how to analyze Android applications and what vulnerabilities could affect user data. In the article about BeEF, we learn how web application security flaws can be explained to an executive level audience in less abstract way. In the next tutorial, the author explains why it is of such importance to gather information in pentesting and describes a tool, which does almost the whole work for you. What is more? Have you ever been on a tour of any exploitation framework? Now you have a chance! Meet Joshua Smith – your tour guide who will convince you that anyone can become a Metasploit master. The section ends with three other articles about Armitage, Internet Explorer and Windows. In this issue, we continue with Marc Gartenberg’s section on NISPOM. We focus on chapters 3 through 6, which detail the requirements for training, classification and markings, safeguarding, and policies for meetings and visits. From our regular sections Dean Bushmiller prepared for you something extra in PainPill. This time it deals with different types of people in business: delivery, sales, and administrative. Do you want to know why such a clasification, just scroll down and read the article. As usual, we prepared for you the next chapter from John B. Ottman’s book “Save the Database, Save the World!”. This time you have an opportunity to read about the Database SRC Platform. I hope that you will find this issue worthwhile. Should you have any questions or suggestions concerning topics you want to read about, feel free to contact us at en@pentestmag.com. Thank you all for your great support and invaluable help.
program
Enjoy reading! Krzysztof Sikora & PenTest Team
by Mathematical formulas created by Design Science MathType™
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
08/2012 (16) August
Page
4
http://pentestmag.com
CONTENTS
Exploitation Frameworks
06
VMware vSphere Security and Metasploit Exploitation Framework by Duane Anderson
VMware vSphere is another layer in your overall environment to attack. In this article you will learn some of the threats, how to mitigate them and how to attack that virtual layer.
18
Android Vulnerability Analysis with Mercury Framework by Patrik Fehrenbach
Nowadays, users save more sensitive data on their smartphones than on their desktop pc’s. This article will have a close look on Android applications, how to analyze them and what vulnerabilites could affect user data.
Exploit Frameworks: BeEF
26 by Robert Haist
Command Your Windows
62 by Remus Ho
Is command line obsolete in Windows systems? What can you do if have no GUI? How useful are Windows command to a hacker or pen-tester when they obtain a remote shell to a Windows machine?
MS Internet Explorer Same ID
68 Property Remote Code Execution Vulnerability
by Praveen Parihar
Metadata: Your Friend or Foe – An
In this article you will learn about concepts behind Internet Explorer memory corruption, what kinds of bypass techniques are used to launch buffer overflows, heap based and stack overflow attacks and return oriented programming concepts to exploit remote code execution vulnerabilities.
by Vivek Veerappan
NISPOM
Have a look at your computer. Do you have a webcam? And a microphone? I bet there also is a big sticker covering them. No? ... I would suggest buying one now.
34 Analysis with Foca
One of the most important steps in Pentesting is information gathering. Knowing where to look for vulnerabilities saves precious time in pentesting. Imagine a tool which can give you the network tree, including the system names, OS and version of software’s used, email ids and sometimes passwords, and all these without performing any complex pentesting process. That’s exactly what this article is about.
My Experiences with the
38 Metasploit Framework: From N00b
NISPOM
72 by Marc Gartenberg
In this installment we’ll take a look at Chapters 3 through 6, which detail the requirements for training, classification and markings, safeguarding, and policies for meetings and visits. We’ll review these from a high-level in order to present a broad view of the landscape and the aspects that the NISPOM providing policy for.
PainPill
to Contributor by Joshua Smith
Ever wanted a tour of the Metasploit Framework (MSF)? If you have basic command line skills, and a working knowledge of networking and how hosts are compromised, you can take a guided tour from someone who started as a tourist and ended up as a tour guide. You’ll see how you can use MSF for all sorts of tasks and learn to write your own magic for yourself or to share. The tour doesn’t make every possible stop, but you’ll be informed, entertained, and well on your way to mastering Metasploit.
54
tionality of Metasploit and provides a complete graphical interface to it. The article describes how to set up a penetration testing scenario using Armitage. It moves swiftly from basics to some advances concepts and covers several important aspects of penetration testing using Armitage.
Cyber Attack Management with Armitage
76
The Uncooperative and Politically Connected by Dean Bushmiller
There are three types of people in business: delivery, sales, and administrative. When we start to get layers of administrative people, they might feel disconnected from the mission of the organization. The higher that administrator is, the more impact they have on the test.
Read
78
Save the Database, Save the World! – Chapter 7 by John B. Ottman
by Abhinav Singh
Metasploit has now become the industry standard product for penetration testing. Armitage leverages the func-
08/2012 (16) August
Page
5
http://pentestmag.com
Exploitation Frameworks
VMware vSphere Security and Metasploit Exploitation Framework
VMware vSphere is another layer in your overall environment to attack. In this article you will learn some of the threats, how to mitigate them and how to attack that virtual layer.
F
or a number of years now I have had the privilege of traveling the globe while working with some amazing individuals to provide security assessments and training. In recent years, this work has evolved from performing standard security assessments, forensics and pentesting to focusing on security within the virtual environment. I was introduced to the VMware Hypervisor and it various products by Tim Pierson, a cloud security expert out of Dallas, TX. Working with virtualization has proven to be very enjoyable; however there is always a downside. Many owners, managers and administrators often ignore the need to assess the security of their VMware vSphere environments. Since virtualization is normally implemented in the internal network, the level of risk has been considered low and the security around the Hypervisor and vCenter have been terribly overlooked! Working with VMTraining to develop courseware to help us understand the risks that are inherent within this environment has been a real privilege and I have enjoyed being on the cutting edge of a technology that has taken over the world! We are making certain assumptions while writing this article. For example, we will not go into what VMware vSphere, Hypervisor or vCenter is or does and we expect that you will have a general working knowledge of the VMware environment in 09/2012 (17) September
order to understand the topics we will be explaining and demonstrating within this article. We are going to start this article by discussing a few of the reasons why virtual architecture should
Figure 1. Shodan Search
Figure 2. Shodan Search Results
Page 6
http://pentestmag.com
Virscent Technologies Pvt. Ltd., Ltd. a Brainchild of a team of IIT Kharagpur Graduates, Graduates has been Incubated in E-Cell Cell IIT Kharagpur. Kharagpur It is an IT Solutions & Training Company, Offering ffering Web, Security and Network Solutions, IT Consulting and Support Services to numerous clients across the Globe. We provide the following services: a. b. c. d.
Penetration Testing Multimedia Services Web Development Training: a. Corporate Training b. Classroom Training c. Training programs for Educational Institutions.
Our Partners: 1. E-Cell IIT Kharagpur 2. Education Project Council of India
Website: www.virscent.com Blog
: www.virscent.com/blog
ADVANCED VMWARE SECURITY SECURING THE CLOUD WITH VMWARE VSPHERE 5
Improved Design! Improved Availability! Improved Security!
STABLE VSPHERE ENVIRONMENT!
Attend the VMware Advanced Security with one of our experts!
- NEW VMTRAINING COURSES -
Upcoming Class Dates: Rockville, Maryland
9/17/2012
Cincinnati, Ohio
9/17/2012
Copenhagen, Denmark
9/24/2012
Luxembourg
9/24/2012
Veenendaal, Netherlands
10/15/2012
Kuala Lumpur, Malaysia
10/15/2012
Toronto, Ontario
10/29/2012
Ottawa, Ontario
10/29/2012
Des Moines, Iowa
11/5/2012
Online
11/5/2012
London, UK
11/5/2012
Paris, France
11/26/2012
Denver, CO
11/26/2012
San Jose, CA
12/03/2012
Rockville, Maryland
12/17/2012
Cloud Security, Audit and Compliance Ultimate Bootcamp
VMware vSphere 5.0 Advanced Administration & VCAP5-DCA Prep
Call VMTraining Today! +1 (815) 313-4472 or visit www.VMTraining.net CVSE (Certified Virtualization Security Expert) is a service mark of Global Training Solutions, Inc. and/or its affiliates in the United States, Canada, and other countries, and may not be used without written permission. VMware is a registered trademark of VMware, Inc. in the United States and/or other countries. All other trademarks are the property of their respective owners. Global Training Solutions is not associated with any product or vendor in this advertisement and/or course.
Exploitation Frameworks
Android Vulnerability Analysis with Mercury Framework
Nowadays, users save more sensitive data on their smartphones than on their desktop pc’s. This article will have a close look on Android applications, how to analyze them and what vulnerabilites could affect user data.
D
uring the past few years, smartphones and other mobile devices have seen their computational power and data connectivity rise to a level nearly equivalent to that available on desktop computers. Nowadays, users save more sensitive data on their smartphones than on their desktop pc’s. Users are now able to login to their email accounts, plan meetings, share thoughts and even do banking transactions with their smartphones. When talking about smartphones, we are looking at the devices that run operating systems just like desktop pc’s. Android is an open source operating system based on a monolithic Linux based kernel with a layered structure of service including core native libraries and application frameworks. There are currently more than two million downloadable applications in the central repository of Android applications run by Google and Android applications can also be downloaded from other third-party sites. On the application level, each software package is sandboxed by the kernel. In theory, even if an application gets exploited the attacker is not able to gain access to unprivileged data. Focusing on the Android application privileges or as in the unix world called the permissions is a very basic and important part of the Android security model. Android’s permission model requires that each ap09/2012 (17) September
plication explicitly requests the right to access protected resources before it may be installed. This will ensure that an application isn’t able to access sensitive information stored on the system or in the private space of another application and that accessing hardware features such as the camera or GPS is not allowed. Each application on the device runs under a seperate User ID and Group ID which means that every application is isolated from one another. There is also an option for the application to share different resources over the UID. Despite these security controls, applications can be a serious security risk. This article will have a close look on Android applications, how to analyze them and what vulnerabilites could affect user data. For analyzing applications running on Android, a new tool has been developed by MWR InfoSecurity called “The Mercury Framework“ which offers security researchers a free framework to find vulnerabilities, write proof-of-concept and exploits, and allows dynamic analysis of Android applications. To comprehend this tutorial it is necessary to have a basic knowledge of the Android security system and the functionality of well known security issues like SQL injections, directory traversal or insecure file permissions.
Page 18
http://pentestmag.com
Exploitation Frameworks
Exploit Frameworks: BeEF Have a look at your computer. Do you have a webcam? And a microphone? I bet there also is a big sticker covering them. No? ... I would suggest buying one now.
O
ne of the biggest challanges for professional penetration testers is the user acceptance and risk classification of test results. Especially web application security flaws can be quite difficult to explain to an executive level audience. People sometimes need to see the possible impact at a less abstract level during the final results presentation. Web application focused client-side exploit frameworks like The Browser Exploitation Framework (BeEF) come in quite handy for this task. The idea behind BeEF is to collect many client-side attack vectors with the ability to manage and use everything in one place. Another advantage is the easy customization of available modules for every new project. This tutorial will handle the basic setup and functionality of BeEF to get you everything you need to plan you first client-side browser attacks.
(http://th3j35t3r.wordpress.com/2012/07/04/project-looking-glass/)). Having a machine with a static IP adress or domain is helpful. So grab your machine, and bring it on! First, we download the source files to a destination folder of your choice via git:
Installation and Startup of BeEF
Everything should be ready to start. Simply use the startup script:
To have a look at this outstanding tool we first need to get it running. BeEF is written in Ruby and therefore comes with the usual gem dependency shabang. It should work on Linux, OSX and Windows, as BeEF acts as a kind of C&C server (Yes, some people DO use it for bad things – as always 09/2012 (17) September
$ git clone https://github.com/beefproject/beef.git
The main dependencies are Ruby in version >= 1.9.2 and the sqlite3 binaries and libs (also the dev packages). I’m not going into Linux distro flavours here because every pentester sure knows his own machine. Now we need to install the Ruby prerequisites:
$ cd beef/ $ gem install bundler $ bundle install
$ ./beef
If you sacrificed your first computer to the gods of Ruby, BeEF will start up as expected and will
Page 26
http://pentestmag.com
Daten Daten der SySS der SySS GmbH GmbH
In the field of IT security consulting and penetration testing we are the market In the field of IT security consulting and leader in Germany. penetration testing we are the market SySS, established in 1998, advises leader in Germany. numerous companies in a national SySS, establishedcontext. in 1998, advises and international numerous companies in a national A large number of satisfied customers, and international context. live hacking events as well as fairs A large number ofour satisfied have established role ascustomers, a live hackingITevents as well as fairs demanded company. have established our role as a The following are major areas of SySS: demanded IT company. • Penetration Testing The following are major areas of SySS: • Trainings D enthält vertrauliche Informationen des jeweiligen Kunden und darf nicht sdrückliche Genehmigung der SySS GmbH vervielfältigt oder an Dritte •• Penetration Testing LiveInformationen Hacking geben werden. Weitere zu den Sicherheitstest finden Sie er Webseite unter www.SySS.de •• Trainings D enthält vertrauliche des jeweiligen Kunden und darf nicht ITInformationen Forensics sdrückliche Genehmigung der SySS GmbH vervielfältigt oder an Dritte • LiveInformationen Hacking geben werden. Weitere zu den Sicherheitstest finden Sie er Webseite unter www.SySS.de • IT Forensics
You are looking for more than just a new working environment? You are looking for more than just a new der SySS GmbH At SySS, you have the possibility to give working environment? your passion room in an experienced but der SySS GmbH At SySS, you the possibility young and stillhave expanding team. to give your passion room in an experienced but When you are facing difficulties you say young and still expanding team. „bring it on!“ and start being creative to When yousituation? are facingAnd difficulties youyou say solve the above all, Kunde vertrauliche „bring it on!“ andExcellent, start being creative to have team spirit? because Informationen solve And above Datum the situation? Kunde currently we need people in theall, you vertrauliche have teamareas spirit? because following ofExcellent, our company in Informationen Ihr Ansprechpartner bei SySS Datum currently we need people in the Tübingen/Germany: following areas of our company in • Penetration-Testing Ihr Ansprechpartner bei SySS Tübingen/Germany: • IT Forensics • Penetration-Testing • IT Forensics
Daten Daten
SySS. The PenTest Experts. SySS. The PenTest Experts. SySS GmbH · Wohlboldstrasse 8 · 72072 Tübingen · GERMANY Phone +49 (0) 7071 407856-0 · www.syss.de SySS GmbH · Wohlboldstrasse 8 · 72072 Tübingen · GERMANY Phone +49 (0) 7071 407856-0 · www.syss.de
Exploitation Frameworks
Metadata: Your Friend or Foe – An Analysis with Foca
One of the most important steps in Pentesting is information gathering. Knowing where to look for vulnerabilities saves precious time in pentesting. Imagine a tool which can give you the network tree, including the system names, OS and version of software’s used, email ids and sometimes passwords, and all these without performing any complex pentesting process. That’s exactly what this article is about.
F
oca – Spanish word for Seal. It has been a famous tool for information gathering ever since Jose Palazon Palatko and Chema Alonso from Informatica64 presented the tool at Defcon. What is Foca? The official definition given by the developers of this tool is “A fingerprinting and information gathering tool for pentesters. It searches for servers, domains, URLS and public documents and print out discovered information in a network tree. It also searches for data leaks such as metadata, directory listing, unsecure HTTP methods, .listing or .DS_Store files, active cache in DNS Serves, etc.”. Foca uses metadata for most of its information gathering.
file was created, access rights etc. The common things that can be found in the properties dialog box such as author name, the name of company the software is registered under etc., all these come under metadata. Apart from this Foca looks at other kinds of information known as hidden information which is also part of metadata but these are the details that can’t be found in the properties of the file e.g. of this type of info are, the template you have used to draft the document, printer infor-
Metadata
Metadata can be defined as the data about your data. It is the information which gives a description, an explanation or something makes it easy to manage huge volumes of data. There are various ways in which metadata can be defined based on its uses. 1) Descriptive metadata: This mainly handles with discovery and identification e.g. title, abstract, author and keywords. 2) Structural metadata: It describes how various objects are grouped together e.g. how chapters are formed from page numbers. 3) Administrative metadata: It is mainly management related e.g. of these are when the 09/2012 (17) September
Figure 1. Installation
Page 34
http://pentestmag.com
Exploitation Frameworks
My Experiences with the Metasploit Framework From N00b to Contributor Ever wanted a tour of the Metasploit Framework (MSF)? If you have basic command line skills, and a working knowledge of networking and how hosts are compromised, you can take a guided tour from someone who started as a tourist and ended up as a tour guide. You’ll see how you can use MSF for all sorts of tasks and learn to write your own magic for yourself or to share. The tour doesn’t make every possible stop, but you’ll be informed, entertained, and well on your way to mastering Metasploit.
T
his article is a tour. A tour of the Metasploit Framework (MSF) and my experiences with it. You’ll see how I went from being a newbie (to both MSF and infosec), to a competent user, to a reasonably competent (At least that’s the way I fancy myself) MSF contributor. This article is not meant to be an exhaustive guide. When you’re done reading this article, I hope you are, at a minimum, convinced that you can easily use MSF to solve a wide variety of problems from any information security domain (with or without writing any real code). Ideally you’ll feel informed, entertained, and convinced that you can become a Metasploit master, as well as contribute to MSF and its active community. As with any tour, we cannot stop at every possible point of interest, and you are at the mercy of the tour guide for funny anecdotes and the exact path from stop to stop.
Self.about # about the tour guide
First, let’s talk about me. Me, me, me, me (My last name is Smith after all. Plus, I went as Agent Smith for Halloween once. If you still don’t understand this footnote, I hereby revoke your hacker credentials or hacker application). I introduce myself, in some length, not because I think you need to know me, but rather so you understand where I’m coming from, how my past experiences have col09/2012 (17) September
ored my view of the problem and solution spaces, and to demonstrate that your background and age do not really matter if you have passion. I studied Aeronautical Engineering. I took one C class and an embedded control class where we used C++. Other than that, and one brutal “numerical computing” class, I didn’t study the science of computers. I did have two older brothers who studied computer science, which led me to avoid the field for fear of following too closely in my siblings’ footsteps. I also had a computer science roommate in college. I learned not to ask Comp Sci majors for help (My theory: <generalization> there are two types of computer scientists: those that like computers and those that don’t. More specifically, there are those that enjoy knowing how computers and software work and those that do not. </generalization> For the record, I don’t want to help you fix your computer either) with my computer (Especially your blazingly fast Pentium II 250 MHz laptop running Windows 95 (my first computer)). Bottom line, I couldn’t find much help, so I decided to help myself, but it would be years before I became terribly capable. “Scrubbing” through the subsequent decade: being in command of 50 nuclear ICBMs on 11 Sep 2001, multiple knee surgeries, reading (most of) “Upgrading and Repairing PCs, 11th Ed.”, and completely “lucking into” a job pentesting
Page 38
http://pentestmag.com
Keep up to date on the latest developments in the world of digital forensics Read Feature Articles on:
/ Training and Certfication / Management issues / Tools and Techniques / eDiscovery/eInvestigation / Incident Response/First Response / Hardware and Software / Network Forensics / Cyber Forensics / and much more...
Apple Autopsy:
/ A Digital Forensics look at all things Apple
From the Lab:
/ In depth technical articles on products and techniques
Legal Section:
/ In-depth articles on legal matters affecting Digital Forensics along with the latest legal news from around the world
Visit digitalforensicsmagazine.com
for the latest news and views from the digitalforensic community with special articles for registered users.
NEXT ISSUE OUT SOON SUBSCRIBE NOW Prospective authors should contact editorial@digitalforensicsmagazine.com for information on submissions.
Exploitation Frameworks
Cyber Attack Management with Armitage
Metasploit has now become the industry standard product for penetration testing. Armitage leverages the functionality of Metasploit and provides a complete graphical interface to it. The article describes how to set up a penetration testing scenario using Armitage. It moves swiftly from basics to some advances concepts and covers several important aspects of penetration testing using Armitage.
A
rmitage is a penetration testing platform that runs over Metasploit framework and uses its modular structure to create a graphical interface of the framework. Armitage organizes Metasploit's capabilities around the hacking process. Armitage has almost the same features as Metasploit with few differences but the reason which has led to the popularity of this tool is the ease with which it can be used. Armitage is the most recommended platform for those who are new into the field of penetration testing. Armitage has all the primary features of a pentesting framework like discovery, access, post-
exploitation, and maneuver. Armitage's dynamic workspaces let you define and switch between target criteria quickly. Armitage can launch targeted scans, vulnerability assessment, figure-printing and also imports data from many other security tools like nmap, Nessus, Dradis etc. Armitage visualizes your current targets so you'll know the hosts you're working with and where you have sessions. Armitage recommends possible exploits along with attack parameters and will optionally run active checks to tell you which exploits will work. The Graphical interface of Armitage gives it an upper hand over Metasploit as it eases up the process of penetration testing to a considerable degree. Armitage can also perform a wide range of postexploitation activities by leveraging the power of its built-in meterpreter agent. With the click of a menu we can log keystrokes, escalate our privileges,
Figure 1. Armitage connection window
Figure 2. Armitage login GUI
09/2012 (17) September
Page 54
http://pentestmag.com
Exploitation Frameworks
Command Your Windows Is command line obsolete in Windows systems? What can you do if have no GUI? How useful are Windows command to a hacker or pen-tester when they obtain a remote shell to a Windows machine?
S
ystems these days do not really require users to use command line. Windows, Mac, Linux and even traditionally commandbased UNIX also come with a GUI (Graphical User Interface) such as KDE. Command line may seem to be obsolete for many, but it is still very useful to hackers and pen-testers when GUI is not available such as using remote shell. For this article, I will be sharing some of the useful windows commands that a hacker or pen-tester can use when obtaining a remote shell to the system.
User group and account
command like net user <username> will show the user account information such as the password policy and the associated user group. After establishing the user accounts, next step is to view all the local user groups in the system. The command net localgroup will list all the local user groups. With the list of all the user groups, you will need to find out whether the user account that you are currently accessing is associated to administrative privilege user group such as “Administrators” group. The command “net localgroup administrator” (Figure 2) will list down all the associated users. If your account is not listed in the administrator group or another user group that has privilege rights, you will need to perform further privilege elevation. Knowing that the currently accessed user has privileged credentials, you may want to create a privileged user account to be used for future purposes such as remote access and accessing shared folders.
When gaining remote shell to the system through exploits, a hacker will be interested to find out which user account and what privileges that the account has that they are currently accessing. Using the command “whoami /user” will provide the user account that you have currently used to connect to the system. The net command is a useful command, which allows you to manage user account, policy and network resources. You can use net user to list all the user accounts in the system (Figure 1). Appending the username to the Figure 1. List of all user accounts 09/2012 (17) September
Page 62
http://pentestmag.com
9
Practical solutions to headline threats. Three days of information security insight. Only RSA® Conference Europe 2012 delivers the steps and strategies needed to protect your organisation’s assets. From managing smartphones and tablets, to the workplace risks from social media tools, get the techniques you want and the answers you need. Hear from highly regarded keynotes including Wikipedia founder Jimmy Wales, internationally renowned security technologist Bruce Schneier, and investigative journalist, author and broadcaster Misha Glenny – one of the world’s leading experts on cybercrime and global mafia networks.
• Leave with actionable solutions • Build your skills • Network with like-minded professionals • Stay informed, stay ahead
Date: 9 - 11 October Venue: Hilton London Metropole Hotel, U.K.
Hear how the world’s security experts manage challenges like:
• Mobile security • Data breaches • Hacktivism
• Cybercrime • Malware threats • Cloud computing
Get the practical insight your organisation needs. Attend and play your part in Europe’s most informative information security event.
Find out more at
www.rsaconference.com/pen ©2012 EMC Corporation. All rights reserved. RSA, the RSA logo and RSA Conferences are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies. RSA Security U.K. Limited. Incorporated on June 6, 1996. Company Number: 3208788. Registered Office: 1 Carnegie Road, Newbury, Berkshire, RG14 5DJ, England
THE GREAT CIPHER MIGHTIER THAN THE SWORD
Exploitation Frameworks
MS Internet Explorer Same ID Property Remote Code Execution Vulnerability In this article you will learn about concepts behind Internet Explorer memory corruption, what kinds of bypass techniques are used to launch buffer overflows, heap based and stack overflow attacks and return oriented programming concepts to exploit remote code execution vulnerabilities. You should know memory structure, DEP (Data execution prevention), ASLR (Address space layout randomization) and exploitation methods to corrupt memory, Metasploit familiarization, return oriented programming basics.
W
eb browser vulnerabilities are widely exploited by attackers and often lead to a complete compromise of the target computer. Local or remote vulnerabilities can be exploited by sending a specially crafted webpage which makes a victim infected if it is exploited successfully. Microsoft recently released a cumulative security patch bulletin for twelve Internet Explorer vulnerabilities which can be exploited by an attacker if a user views a specially crafted webpage. If any of the vulnerability is exploited by an attacker then same privileges of target computer can be obtained and it can be severely hampered by an attacker. The affected IE remote code execution vulnerabilities are as follows: • Center Element Remote Code Execution Vulnerability – CVE-2012-1523 • HTML Sanitization Vulnerability – CVE-20121858 • EUC-JP Character Encoding Vulnerability – CVE-2012-1872 • Null Byte Information Disclosure Vulnerability – CVE-2012-1873 • Developer Toolbar Remote Code Execution Vulnerability – CVE-2012-1874 09/2012 (17) September
• Same ID Property Remote Code Execution Vulnerability – CVE-2012-1875 • Col Element Remote Code Execution Vulnerability – CVE-2012-1876 • Title Element Change Remote Code Execution Vulnerability – CVE-2012-1877 • OnBeforeDeactivate Event Remote Code Execution Vulnerability – CVE-2012-1878 • Insert Adjacent Text Remote Code Execution Vulnerability – CVE-2012-1879 • Insert Row Remote Code Execution Vulnerability – CVE-2012-1880 • On Rows Inserted Event Remote Code Execution Vulnerability – CVE-2012-1881 • Scrolling Events Information Disclosure Vulnerability – CVE-2012-1882 Internet explorer does not handle the objects in memory properly therefore creates a vulnerability which could be further exploited by an attacker, we have shown some of vulnerabilities like HTML sanitization vulnerability, null byte information disclosure vulnerability which reveals the memory corruption shown in internet explorer, we will be showing that same ID property remote code execution vulnerability can be exploited easily. Same ID property remote code execution vulnerability is caused by memory mismanagement
Page 68
http://pentestmag.com
nispom
NISPOM NISPOM as a whole is designed to “prescribe the requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information.” That’s it. Plain and simple. The beauty of this document lies in its simplicity, however, if anyone has ever written policy before, they are fully aware of how difficult it is to make something simple.
F
or those who just joined, we are analyzing the different aspects behind the central policy document of the US Federal Government and it’s various Agencies titled NISPOM. The National Industrial Security Program Operating Manual (NISPOM) looking at the strengths and weaknesses of what the United States Department of Defense set out as standards and methods for their contractor base. In this installment we’ll take a look at Chapters 3 through 6, which detail the requirements for training, classification and markings, safeguarding, and policies for meetings and visits. We’ll review these from a high-level in order to present a broad view of the landscape and the aspects that the NISPOM providing policy for.
The Physical Reality
To refresh, the Chapters we’ll be discussing in this series of articles are from NISPOM as follows: • General Provisions and Requirements • Chapter 2 – Security Clearances • Section 1 – Facility Clearances • Section 2 – Personnel Security Clearances • Section 3 – Foreign Ownership, Control, or Influence (FOCI) (Highlight indicates the ar09/2012 (17) September
• • • • • • •
• •
•
Page 72
eas to be discussed in this installment of The Physical Aspects of Cybersecurity and Their Importance – NISPOM) Chapter 3 – Security Training and Briefings Chapter 4 – Classification and Marking Chapter 5 – Safeguarding Classified Information Chapter 6 – Visits and Meetings Chapter 7 – Subcontracting Chapter 8 – Information System Security Chapter 9 – Special Requirements • Section 1 – RD and FRD • Section 2 – DoD Critical Nuclear Weapon Design Information (CNWDI) • Section 3 – Intelligence Information • Section 4 – Communication Security (COMSEC) Chapter 10 – International Security Requirements Chapter 11 – Miscellaneous Information • Section 1 – TEMPEST • Section 2 – Defense Technical Information Center (DTIC) • Section 3 – Independent Research and Development (IR&D) Efforts Appendices (http://en.wikipedia.org/wiki/NISPOM, downloaded 17 June 2012)
http://pentestmag.com
PainPill
Painpill – The Uncooperative and Politically Connected If you have read my column in the past year, you have heard me talk about what it takes to be a technical person and deal with a nontechnical person. In all these cases I have blamed us, the technician, for not having the skills to deal with business people. I don’t like blaming myself, but I own it. In summary, suck it up, get better not bitter.
T
here are three types of people in business: delivery, sales, and administrative. When we start to get layers of administrative people, they might feel disconnected from the mission of the organization. The higher that administrator is, the more impact they have on the test. They might be able to stop the test. They might convince someone else to stop the test. These reasons are almost never in the best interest of the organization or the mission.
When do we see these people?
You gather all the people impacted by the test together early in the project to openly discuss what is going to happen and when. This is both a good strategy and a bad one. Bad because people who have no real work are going to show up and start asking questions. The good questions and the informative discussions are going to get pushed aside in favor of the following non-issues: one-foot-blueumbrella, teaching the basics, RTFM, project-no-resource, nothing bad happens to us, legal eagles, not my budget, blamestorming. We are going to look at each of these and identify the fixes if possible.
One-Foot-Blue-Umbrella
You have been roped into the conversation by the person who wants to debate academics or RFC interpretations. The conversation goes like this: When does this ever happen? Well I suppose you would get these results if you stood on one foot holding a blue umbrella in the rain. WHAT? You fell into the trap of exception after exception. You would like to run away. Don’t; it is bad for business. Put these questions in the question parking lot. Tell 09/2012 (17) September
them you will look it up later, but the agenda for the meeting is densely packed.
Teaching the basics
I run into people who have no idea what a penetration test is all about. That is fine with me. My job is to be understood. I try to clear this up in our first informal meeting with the main stakeholders. I then follow up with an email that describes these steps and definitions. If a new person is injected into the conversation late, they slow the meeting down to a crawl because I need to teach the basics again. The fastest way to deal with this is to resubmit the first few emails in the chain before we meet or print these emails just in case a new person shows up unannounced. Ask them to read the details and at the break you can address any questions they might have. This gives them some security and we can move on with the meeting.
RTFM
You take the time to scope the test and write a formal proposal. You follow up with a pre-meeting email to discuss the test. You detail your phases and tools as completely as is reasonable. You identify all the meeting participants. You send the email. There are many reasons why people do not Read The Frenching eMail. There is one person who wants you to explain so that they can control the meeting or control you. I know you want to smack them. Don’t; it is bad for business. Take your email as the basis for the introduction slides in your presentation. If no one stops you, you can go fast. If a control freak starts asking questions that were in the email, go back and show the slides again.
Page 76
http://pentestmag.com
read
Save The Database, Save The World! Chapter 7 THE DATABASE SRC PLATFORM
â&#x20AC;&#x153;In 2009, targeted attacks accounted for 89 percent of records compromised.â&#x20AC;?â&#x20AC;?
T
o achieve continuous compliance, database SRC requires enterprise solution architecture. Cross-platform management from a single console is a key requirement as modern organizations maintain and operate mission-critical applications on operating systems and databases from several different suppliers. SRC teams must manage separate and distinct compliance policies assigned to each database instance. Oracle 10g database compliance policies are separate and distinct from the policies that govern Microsoft SQL Server 2008 R2, and the compliance demands of the HR department will be different from those of the finance department. It is impractical for database SRC teams to manage unique programs for every database publisher. Therefore, a key question is: How does an organization govern the compliance requirements of so many heterogeneous database endpoints across the enterprise? Even more importantly, how does an organization provide reporting and a single version of the truth for database SRC? Database SRC requirements include not only a centralized management console, but a highly scalable, cross-platform solution architecture as well. The solution architecture of an integrated set of database SRC applications should deliver a complete and comprehensive framework for risk management. Fur09/2012 (17) September
Page 78
http://pentestmag.com
In the Upcoming Issue of
Biometrics Available to download on October 1st More topics in PenTest Magazine: Honeypots, eBanking, eDiscovery, Sandbox, Phishing, Spoofing, SSH Tunelling, Guide to BackTrack, IAST, Cloud Application Pentesting, PCI Security Standards, Android as a Pentesting Platform, Intrusion Detection Systems ... and more
If you would like to contact PenTest team, just send an email to krzysztof.sikora@software.com.pl or ewa.dudzic@software.com.pl . We will reply a.s.a.p. PenTest Magazine has a rights to change the content of the next Magazine Edition.
q: how much does Serenity cost?
a: it’s Priceless. Not stillness, not tranquility� but the serenity to do business online, as one should � unmolested. The site is built and launched, it has started making noise on the marketplace. Web servers are gently humming to the tune of orders ringing in, customers chirping, and purposefulness ful�lled. Life is good, not a cloud in the sky � just the daily, most welcome laborious bustle for earned reward, recognition and ever-growing customer satisfaction leading to loyalty and repeat orders. Word of mouth is you�re getting to be one of the best! GO ON, READ THE REST OF THE STORY...