Mini Penetration Testing Framework

Intro

This page is dedicated in helping you define a mini penetration testing framework and provide you with the essential knowledge and essential tools you need to provide a decent penetration testing engagement. I am going to include only the toolkit needed to do what you are supposed to do, no exotic tools, no exotic portscans, no crazy scenarios, nothing not needed. I am sure you are going to find it very useful and interesting.

Phase 1 : Planning your penetration test

First identify the type of the test you are going to perform/deliver, and by saying the type of the test I mean know what you are planning to deliver to the client. Model all your actions and explain them to the costumer. Security Testing is not hacking is a product, that you are trying to sell to your costumers and at the same time help them gain the best out of it. So what are the types of security testing? The types of testing are 3:

1. Penetration Testing (Includes Proof of Concept).
2. Vulnerability Assessment (Does not include Proof of Concept).
3. Security audit (It is passive, and has to do with security policies and industry de-facto standards). 

The difference between a vulnerability assessment and a penetration test is that in penetration testing you provide your client with proof of concept, meaning actually penetrating the company network or web applications and extracting costumers valuable data. While vulnerability assessment is only assessing your costumers security and not actually penetrating the costumers infrastructure or Web applications, you make assumptions about how a vulnerability could affect the costumers infrastructure or Web Applications and you help your client make more of  a qualitative technical risk assessment. Why proof of concept is important? Because it helps your client understand the real risks and quantify them. Nowadays modern penetration testing methodologies move towards PoC oriented penetration methods. Security audits is a passive methodology that helps identify risks based probably on some industry standard such as PCI DSS e.t.c, I assume that this is very simple to understand. 

Learn about legal issues concerning  your penetration test

Another thing you should do in the planning phase of your penetration tests is to be able to understand all the legal implications of the engagements you are going to perform. You should be able to understand basic legal matters and know what papers you are signing before you sign them, such as confidentiality agreements. If you are planning to do a world wide carrier, or already do a world wide carrier YOU MUST HAVE BASIC KNOWLEDGE of the Computer crime laws and here is a good place to start from, the following links will guide you through the computer crime laws of the most interesting nations of the known world :

1. Cyber crime Laws of the United States
2. Computer crime in Canada
3. Computer Misuse Act 1990
4. Cyber Crimes Laws in Germany

Understand exactly what type of test you are planning to do

You should be able to sell your penetration testing services by using specific scoping rules. So based on the the rules scoping your penetration testing rules should be of two types:

1. Crystal Box Penetration Test
2. Black Box Penetration Test

Crystal Box Penetration Testing is harder to scope but is also more realistic and maybe more expensive, usually client that do not understand real world risks do not want that type of test. Black Box Penetration Testing is more easy to scope and usually cheaper.

Further specifying the type of the test you are selling

Specify even more what you are going to pentest. The lets say the technical types of penetration test that exist are:

1. Network Services tests
2. Client Side Tests
3. Web Application tests
4. Social Engineering Tests
5. Mobile Application Test
6. Physical Security Test
7. Cryptanalysis Test     

I believe that the following types of tests are self explanatory and no further explanation.

Hardening your pentest machine

Make sure that your testing equipment is as it is supposed to be. A good penetration testing laptop should be:

1. Clean of viruses and Trojan horses
2. Using encrypted hard disk 
3. Using two factor authentication for login (e.g use fingerprint and password)
4. Harden 
5. Run only necessary services (reduce the attack service)
6. Having tools for encrypted communication (e.g. use PGP)
7. Having the latest patches.

Note: Between penetration test you should wipe out all information and delete data from previous tests.

Phase 2 : Scoping

When you have planned your pentest and you have standardized it as a product that you can engage the client and start scoping the project. Now when scoping you have to:

1. Agree on the type of the test (Vulnerability Assessment or penetration test, Crystal Box or Black Box)
2. Agree on the sub category of the test (Web Application or Wireless e.t.c) 
3. Agree on the amount of the the man days that are going to be used.
4. Agree on the team members from your company that are going to participate in the test.
5. Agree on the team members that are going to participate from the other company
6. Interview the costumer employees that need to be interviewed to do the scoping
7. Identify the part of the infrastructure  to be tested
8. Identify team leaders from each team
9. Get contact information from the costumer team leader
10. Get contact information from the costumer team system administrator
11. Get contact information from the costumer team network administrator
12. Get contact information from the costumer team lead developer
13. Get contact information from the costumer team firewall administrator
14. Get contact information from the costumer team web application firewall administrator
15. Agree on start and  end date
16. Agree on start and end times
17. Document the agreements and have everyone sign off

More on technical scoping

Technical scoping has to do with what is considered to be exactly your target from the costumer infrastructure perspective, things such as:

1. Target company domain name
2. Target company IP range 
3. Target company PoC extent (e.g. is DoS attack allowed? can you use dangerous exploits?)
4. Target company individual hosts
5. Target company specific applications
6. Target company  specific network devices
7. Third party permission to test their infrastructure if you have to.

Note: Before you do that you should know exactly what is the type the penetration test you are performing meaning black or white box pentest e.t.c.

Phase 3 : Reconnaissance 

During the reconnaissance phase you must gather information using various tools from public sources to learn about the target:

1. People and culture
2. Terminology 
3. Technical infrastructure 

More specifically when performing a proper reconnaissance you want information about:

1. Email addresses
2. Birth dates
3. Social security numbers (e.g. only if it is not against the law)
4. Company career openings
5. Company press releases
6. Company product and provided services
7. Company business partners
8. Company employee names  
9. Employee cell phones and land line numbers
10. Personal information about company employee habits
11. Forums the company employees use for technical information about the company infrastructure
12. Company domain names
13. Words that are repeating in the company sites (in order to start building proper password lists)
14. Password lists and usernames used in publicly accessible company services
15. Company public services
16. Company infrastructure size and topology (when black box test is done)

The list above will help you to possibly :

1. Find publicly accessible passwords (e.g. forgotten passwords)
2. Map company departments to specific people (e.g. financial department, human resource department)
3. Understand the average password complexity (e.g. password size and composition)
4. Understand the password format (e.g. three characters followed by two special characters)  
5. Guess common passwords used (e.g. use the company name C0mAny or c0mapny1)
6. Find publicly accessible usernames (e.g. for brute forcing later on the service)
7. Understand the username format (e.g. for brute forcing later on the service)
8. Build good default password list customized to the company profile
9. Identify the company public domain names
10. Identify company hidden test machines
11. Identify company hidden services
12. Map company infrastructure to specific IP ranges
13. Map company infrastructure to specific network topology 

Generic technical methodology used to perform the reconnaissance

The methodology one can use to perform the reconnaissance is  pretty much standard and can be done by:

1. Asking the target company personnel (only if it is included in the scope engagement)
2. Using social networking sites that company employees hang out
3. Using publicly accessible search engines (e.g. use Google)
4. Using publicly accessible search engine services (e.g. Google alert services)
5. Using  appropriate publicly accessible Whois databases
6. Using  meta data extractors (e.g. from company pdf's downloads e.t.c)
7. Using company costume search engines (e.g. company forum search engine)
8. Doing  company network DNS sweeps
9. Doing company network ICMP sweeps
10. Doing company network TCP/UDP/ICMP tracerouting
11. Organize your data so you can identify properly the information later on using excel

Note: Reconnaissance nowadays is pretty mush a standard procedure, and all information provided should be self explanatory.         

Tools used to perform the reconnaissance

The tools used to perform reconnaissance are pretty much very well know, the key to performing a good reconnaissance is to use the tools that are going to give access to the information without much overlapping and also help you organize your information easy. In this process I am going to go step by step explaining what is already mentioned in the previous section:

1. Asking the target company personnel (only if it is included in the scope engagement)
• You can do that by performing formal interviews with standard questioners.
2. Using publicly accessible search engines (e.g. use Google)
• Use Google search engine (http://www.google.com)
• Use Yahoo search engine (http://search.yahoo.com/)
• Use Google Dorks along with Google search engine and Google Alerts: 
• http://www.exploit-db.com/google-dorks/
• http://googledork.com/
• http://www.hackersforcharity.org/ghdb/
3. Using publicly accessible search engine services (e.g. Google alert services)
• Use Google Alerts (http://www.google.com/alerts?hl=en). Google Alerts are email updates of the latest relevant Google results (web, news, etc.) based on your queries that repeatedly provide you with Google search results of your choice in your Google mail account.
4. Using  appropriate publicly accessible Whois databases
•  http://www.whois.net/
• http://www.iana.org/cgi-bin/whois
5. Using social networking sites
• You can do that by using Internet Social and Professional meeting such as:
• Linked-in
• Face-book
• pipl.com
• Twitter
• My Space
• People Yahoo
• Maltego FireFox Plugin
6. Using  meta data extractors (e.g. from company pdf's downloads e.t.c)
• Using sysinternals strings tool.Strings scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.
• Using ExifTool. ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. ExifTool supports many different metadata formats including EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3, as well as the maker notes of many digital cameras by Canon, Casio, FujiFilm, GE, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon and Sony. Withthattool you can extract:
• Usernames
• File System Paths
• E-mail addresses
• Client software usage (another type of passive vulnerability scan)
• Other useful information
7. Using company costume search engines (e.g. company forum search engine)
• To do that you would have to identify costume company search engines in:
• The company official web site 
• The company forum search engine
• Forums and site search engines that employees hang out
8. Doing  company network DNS sweeps
• Using http://www.dnsstuff.com/
•  Using firece.pl written from RSnake. Fierce domain scan was born out of RSnake personal frustration after performing a web application security audit. With fierce you can:
• Perform forward DNS lookups
• Reverse DNS lookups
• DNS zone transfers
• DNS sub domain dictionary brute forcing
• Attempts to "guess" names that are common amongst a lot of different companies
• If it finds anything on any IP address it will scan up and down a set amount (default 5 but you can expand it with -traverse or increase it to the entire subnet with -wide) looking for anything else with the same domain name in it using reverse lookups. If it finds anything on any of those it will recursively scan until it doesn't find any more.
• Generally speaking firece.pl will look types of DNS records: 
1. SOA: Start of authority record
2. A: Address record
3. PTR: Reverse DNS record
4. NS: Name Server record
5. MX: Mail Server record
6. HINFO: Host Information record
7. TXT: Text record
8. CNAME: Canonical Name record
9. RP: Responsible human record
9. Doing company network ICMP sweeps (for verifying identified IP ranges in reconnaissance)
• Using nmap -PE/PP/PM ICMP echo, timestamp, and netmask request discovery probes.
• Using ping6 for IPv6 enabled services.
• Using  hping2 with the identified IP range:
• -S (SYN flag set)
• -R (RESET flag set)
• -A (ACK flag set)
10. Doing company network TCP/UDP/ICMP tracerouting
• Using tcptraceroute, tcptraceroute is a traceroute implementation using TCP packets.
• Using 0trace.sh. 0trace.py is a python port of Michal Zalewski's 0trace hop enumeration tool.
• Using hping2 -t -z options  

How Internet Control Message protocol (ICMP) is working

ICMP protocol is an Internet error reporting protocol from the perspective of a hacker or a  penetration tester nothing more nothing less. ICMP messages are divided into two general categories: error messages that are used to report problem conditions, and informational messages that are used for diagnostics, testing and other purposes.You have to take into consideration the errors/informational messages reported back from the ICMP protocol. The errors/informational messages returned back from ICMP protocol that we are interested in are:

•  Time Exceeded
• TTL expired in transit
• Fragment reassembly time exceeded (when trying to by pass Firewall, IPS/IDS )

• Destination Unreachable
• Destination network unreachable
• Destination host unreachable
• Destination protocol unreachable
• Destination port unreachable
• Fragmentation required, and DF flag set
• Source route failed
• Destination network unknown
• Destination host unknown
• Source host isolated
• Network administratively prohibited (generated by a firewall)
• Host administratively prohibited (generated by a firewall)
• Network unreachable for TOS
• Host unreachable for TOS
• Communication administratively prohibited (generated by a firewall)
• Host Precedence Violation
• Precedence cutoff in effect

• Echo Reply
• Echo reply (used to ping)

• Echo Request
• Echo request (used to ping)

The most interesting replies from ICMP are the ones in red color. So for example when you do your initial network sweeps to the IP ranges identified from your reconnaissance stage you should be focused in the TTL error replies and the Destination unreachable replies most of the time.The Network administrative prohibited replies are good for testing the firewall. Now when you do trace routing you should perform 3 different types of sweeps a UDP traceroute, a TCP trace route and an ICMP trace route to see how the costumer infrastructure handles different protocols. When using UDP trace routing (even though UDP is connectionless) ICMP is going to reply about the state of the host because of the router in front of the host, not the host itself, unless the request reaches the host interface and there is a UDP service. When doing a TCP trace routing again the ICMP message from the router are going to give you the desired information. Again when tracerouting with ICMP you test the router configuration, the difference is how the middle devices treat the whole transaction.  

Phase 4 : Scanning

Now the you have performed the Planning phase and the Reconnaissance phase is time to do the scanning phase. When doing the scanning phase you should configure your tools to use the target IP's and not their domain names (imagine scanning a Web Server with a load balancer in front). This analysis made for scanning mostly refers to external penetration testing, but similar methodologies can be applied to internal penetration tests.

Now when you are dealing with large scans you might have to limit your scope as far as the amount of the targets be scanned is concerned by:

1. Doing a representative IP target sampling based on the costumers network topology.
2. Doing a representative Port target sampling based on the costumers service exposure.

But when you do a small scan you might also consider extending your port scan amount. That way you get a better picture of the costumer infrastructure and cover bigger part of potential risks.  

While scanning you should also run a sniffer, imagine DoSing a production server and not realizing it. Also by running a sniffer in the network while scanning you can have a pretty good idea about what is going on during your scan and also do passive analysis to the traffic collected from the sniffer.

The TCP, the UDP and the IP what about them

The Transmission Control Protocol (TCP) is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol (IP), and therefore the entire suite is commonly referred to as TCP/IP. TCP provides reliable, ordered delivery of a stream of bytes from a program on one computer to another program on another computer. TCP is the protocol used by major Internet applications such as the World Wide Web, email, remote administration and file transfer. Other applications, which do not require reliable data stream service, may use the User Datagram Protocol (UDP), which provides a datagram service that emphasizes reduced latency over reliability.

The TCP control bits

The TCP control buts also called communication flags or Control flags are used to describe the state of the TCP connection. The control bits are very important for scanning from the penetration tester's perspective. So the control bit are located fin the TCP header and are used during the scanning period a lot, this bits are:

1. URG (1 bit) – indicates that the Urgent pointer field is significant
2. ACK (1 bit) – indicates that the Acknowledgment field is significant. 
3. PSH (1 bit) – Push function. Asks to push the buffered data to the receiving application.
4. RST (1 bit) – Reset the connection (drop connection)
5. SYN (1 bit) – Synchronize sequence numbers. .
6. FIN (1 bit) – No more data from sender

All packets after the initial SYN packet sent by the client should have the ACK set.Meaning that there is a valid connection establishment. The SYN flag is set only in the first packet sent from each end. Some other flags change meaning based on this flag, and some are only valid for when it is set, and others when it is clear.

The UDP protocol

UDP Protocol, is a high performance data transfer protocol designed for transferring large volumetric datasets over high speed wide area networks with low error failure. UDP does not use control bits to control its connection state because it does not establish a connection, it is connectionless and that why we expect from ICMP to do the error control. ICMP is used to do error control in probably all 4th layer protocols. So when you do a UDP scan you expect from ICMP to inform you about what happens, because there no timeout response feature in UDP. That is why you have to do a 4th layer tracerouting in the reconnaissance scan!!!     

Tools to use for scanning 

All this talk is good about the theoretical stuff but what about real action? Well the ONLY tools I am using to perform the scans are:

1. nmap (always the latest version)
2. hping2
3. netcat
4. amap
5. ping6

Options for tools to use for scanning

When scanning with nmap I am using specific options in order to get the best results meaning not to create overhead traffic and over lap information, that I already took from the reconnaissance phase, and this options are:

1. nmap -d -n (no DNS resolution with numerical representation of IP's)
2. nmap --packet-trace (extra useful information)
3. nmap -sS --reason (for syn scan)
4. nmap -sT --reason (for connect scan)
5. nmap -sU --reason (for udp scan)
6. nmap --badsum (all packets should be dropped)

Types of Scan using UDP/TCP protocols

When scanning a system the basic protocol suites you are going to scan are TCP/UDP, for more complicated protocol suits you have to use proprietary tools.

TCP SYN scan (with Hping2)

Scanner --- SYN (Sequence Number Set to 1) ---> Target
Scanner <- SYN/ACK (Sequence Number Set 0 and Acknowledgment Set 0) - Target
Scanner --- RST (Sequence Number Set Again to 1) ---> Target (Only if host listens)

Or

Scanner --- RST/ACK ---> Target (Not used by Hping2 connection termination pattern)

Or

Scanner --- FIN ---> Target
Scanner <--- FIN/ACK --- Target
Scanner --- ACK ---> Target

TCP ACK scan (with Hping2)

Scanner - ACK (Sequence Number Set 0 and Acknowledgment Set 0)-> Target
Scanner <--- RST (Sequence Number Set Again to 1) ---> Target

Or

Scanner <--- Connection Timeout or Sent ICMP Error --- Target

TCP Full Handshake or Connect scan (with Hping2)

Scanner --- SYN (Sequence Number Set to 0) ---> Target
Scanner <--- SYN/ACK (Sequence Number Set 0 and Acknowledgment Set 1) --- Target
Scanner --- ACK (Sequence Number Set 1 and Acknowledgment Set 1) ---> Target
Scanner --- FIN/ACK ---> Target
Scanner <--- ACK --- Target

Or

Scanner --- RST ---> Target (Nmap terminates the connection this way!)

UDP scan (with Hping2)

Scanner --- UDP ---> Target
Scanner <--- ICMP error (for closed ports) --- Target
Scanner <--- Connection Timeout (for open or filtered ports) --- Target

TCP NULL scan (with Hping2)

Scanner --- NULL ---> Target (All flags is set to 0)
Scanner <--- RST --- Target

Or

Scanner <--- Timeout Connection --- Target (Target host is filtered from firewall that silently drops the
connection)

TCP FIN scan (with Hping2)

Scanner --- FIN ---> Target
Scanner <--- RST --- Target

Or

Scanner <--- Timeout Connection --- Target (Target host is filtered from firewall that silently drops the
connection)

TCP Xmas scan (with Hping2)

Scanner --- FIN,URG,PUSH ---> Target
Scanner <--- RST --- Target (For all closed ports, drop connection; works in UNIXboxs)

Or

Scanner <--- Timeout Connection --- Target (Target host is filtered and silently drops the connection)

TCP Window scan (with Hping2)

Scanner - ACK (Sequence Number Set 0 and Acknowledgment Set 0)-> Target
Scanner <--- RST (Sequence Number Set Again to 1) ---> Target

Or

Scanner <--- Connection Timeout or Sent ICMP Error --- Target

TCP Mainmon scan (with Hping2 used for BSD hosts)

Scanner --- FIN/ACK ---> Target
Scanner <--- RST (Possibly) --- Target

Or

Scanner <--- Timeout Connection --- Target (Target host is filtered and silently drops the connection)

TCP Idle Scan (using Nmap)

Scanner --- SYN/ACK ---> Zombie
Scanner <--- RST with IP ID = 1 --- Zombie
Scanner --- Forged from zombie SYN ---> Target

Then when open port:

Target --- SYN/ACK ---> Zombie
Target <--- RST IP ID = 2 --- Zombie
Scanner --- SYN/ACK ---> Zombie
Scanner <--- RST IP ID = 3 --- Zombie

Or when closed or filtered port:

Target --- Timeout  or RST ---> Zombie (With timeout or RST no ID is increased)
Scanner --- SYN/ACK ---> Zombie
Scanner <--- RST IP ID = 2 --- Zombie

Version and Operating System (OS) canning with nmap netcat and Amap

Version scanning can also be done using nmap and is similar in the process to port scanning. So when you scan for software versions you should take into consideration the fact that version scanning is generates lots of traffic, so if you do an internal penetration testing and the client is using host based IPS then you might have to use netcat or amap. So version and OS scanning can be done with nmap by using the -sV and the -O options. So the command lines are:

1. nmap -sV (software version scanning)
2. nmap -O (operating system scanning)
3. netcat -vvv (always use verbose option)
4. amap -qv  

Note: The tools amap and netcat should be used for verification reasons and also for bypassing host and network IPS/firewalls or Web Application firewalls.

Enumerating users

Apart from the information extracted during the reconnaissance, the next step to do would be to extract as much information you can so as to exploit the systems. One of the most important information you should be capable to extract would be to get username, so later you can build valid passwords list for your target. 

Enumerating users in Linux/Unix boxes

The ways you can do user enumeration in a Linux/Unix box are two:

1. Local user/group enumeration
2. Remote user/group enumeration

The first can be done by issuing the command cat /etc/passwd and the second can be done using the finger command finger @target-box in port 79 or the ypcat tool or with ldapsearch.

• finger:
• finger 'a b c d e f g h' @example.com
• finger admin@example.com
• finger user@example.com
• finger 0@example.com
• finger .@example.com
• finger **@example.com
• finger test@example.com
• finger @example.com

Enumerating users in Windows Boxes

Again the ways someone can extract user information are two:

1. Local user/group enumeration
2. Remote user/group enumeration

You can do it locally if you dump the usernames from SAM account with appropriate tools (which I will mention later on) that and you can do it remotely if you able to establish a null session using the command:

• net use \\target IP "" /u: "" (from command line in Windows 2000 or w  hen RestrictAnonymous is set to 1 in Windows 2003, XP and Vista).

The pulling can be done using a very old tool called enum by Jordan Ritter and nbtdump by David Litchfield and the options you can use to do that are:

• enum:
• -U to get username list
• -G to get user Group
• -M to get Machine list
• -P to get password policy

• nbtdump: With nbtdump you can use this script to scan all the IP's in the IP.txt file  (nbtdump will try to login using the username as a password)
• for /f %%a in (IPs.txt) do (nbtdump.exe %%a)

When you want to enumerate Windows Box users and RestrictAnonymous is enabled (RestrictAnonymous is enabled by default in Windows 2003,XP,Vista and 7) you can use two other tools called User2sid and Sid2user. User2sid and Sid2user are two small utilities for Windows NT, created by Evgenii Rudny, that allow the administrator to query the SAM to find out a SID value for a given account name and vice versa. User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a remote machine and Sid2user.exe can then be used to retrieve the names of all the user accounts and more. These utilities do not exploit a bug but call the functions; LookupAccountName and LookupAccountSid respectively. These tools can be called against a remote machine without providing logon credentials except those needed for a null session connection (meaning blank password and username). These tools rely on the ability to create a null session in order to work. This tools use the LookupAccountName Windows API.

• User2sid
• Usage (first check for null session and establish one): 
• net use \\target IP "" /u: "" 
• uset2sid \\target IP machine name

• Sid2user
• Usage:
• Run first User2sid to collect the SID list first.
• sid2user \\target IP machine name

You can also use a batch script to launch Sid2user after generating the list with the SID's do that by typing:

• for L %i (1000,1,1000) do @sid2user \\target IP <SID without RID>

Enumerating user in Mail Servers

In mail servers you can enumerate users using the EXPN and VRFY SMTP commands:

• VRFY username (verifies if username exists - enumeration of accounts)
• EXPN username (verifies if username is valid - enumeration of accounts)

Phase 5 : Exploitation

Exploitation means only three things and nothing else, these three things are:

1. Misconfiguration exploitation (e.g. unprotected mssql service)
2. Password exploitation (e.g. blank passwords, password cracking)
3. Zero day exploits and UN-patched machines

We will first focus on analyzing exploit types. Generally speaking exploits are categorized in three main types:

1. Service side exploits:
• Operating system service (e.g. IISv5.0)
• Installed software (e.g. WinSCPv1.0 e.t.c)
2. Client side exploits:
• Internet Browser (e.g. you can use aurora with firefox, IE e.t.c)
• Web Application client side exploits (e.g. XSS e.t.c)
3. Local privilege escalation:
• Operating system service (e.g. lsass)
  
• Installed software (e.g. other tools e.t.c)

Note: The reason I am distinguishing OS and other software is that Windows services might crash the system while other software will not. 


Most notable exploits in Windows and Linux/Unix machines

It is good to know the most famous exploits so you can try to reverse engineer them or see which worms used them and understand how useful and popular were:

• Windows services:
• MS-RPC-DCOM: MS03-026
• LSASS:MS 04-11
• uPNP:MS05-039
• RRAS:MS06-25
• Server Service:MS 06-040
• Server Service:MS 08-067

• Unix/Linux:
• Solaris sandmin command
• Solarisand Mac OS X SMB overflow
• Linux-squid NTLM Authentication overflow

In order to better exploit a machine you can do a software inventory to the costumer site (when a crystal box pentest is made) by issuing the command dir /s "C:\Program Files" , search though the programs and construct a set of client side script to be executed from the costumer personnel so you can test the box.    

Tools used to scan for vulnerabilities

In order to test for vulnerabilities you can use the following very well know vulnerability scanners which I consider to be the top of the top:

1. Nessus
2. metasploit arsenal
3. Qualys 
4. Rapid7
5. OpenVas
6. nmap 

Note: To utilize nmap a vulnerability scanner you have to use the --script option and see the appropriate options (always test for latest worms exploits).

Things to know to about exploits

When you use scan for a vulnerability and find one you better find a stable and working exploit that does not crash the remote service. If you do not do that all your work is done for nothing. Fixing exploits is not so hard and the dark art of buffer overflows is not so dark (you can find numerous articles about how to fix an exploit in my blog). So in order to start fixing exploits you have to know a few thing about Linux/Unix and Windows defenses, more specifically you have to know what SafeSEH, ASLR, Compiler canary and DEP is.

About Address space layout randomization (ASLR)

Address space layout randomization (ASLR) is a computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space  

About Data Execution Prevention (DEP)

Data Execution Prevention (DEP) is a security feature included in modern operating systems. It is known to be available in Linux, Mac OS X, and Microsoft Windows operating systems and is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example. DEP runs in two modes: hardware-enforced DEP for CPUs that can mark memory pages as nonexecutable, and software-enforced DEP with a limited prevention for CPUs that do not have hardware support. Software-enforced DEP does not protect from execution of code in data pages, but instead from another type of attack (SEH overwrite).

Note: Windows 2000 SP0 -SP4 and Windows XP SP0-SP2 does not support DEP and

Using metasploit the right way

If you use metasploit to launch exploit you will find out that exploit are rated as excellent, very good, good e.t.c. The exploits rated as excellent usually do not crash the service and might be OS independent (e.g. run on Windows XP , 2003 e.t.c), you have to know about it. Another feature that might be interesting is also the check utility that get the banner and finds out if the software you are trying to exploit is indeed vulnerable to the vulnerability it is supposed to be, so that is bad because if the software is back ported then it is not going to be effective the exploit attempt.

Using the proper shellcode or back door

When launching an exploit from metasploit you should also take into consideration the exit function you are going to use with the exploit, also the IPS/IDS bypassing features of metasploit might break your exploit and finally you should choose the proper shellcode format and know how a shellcode works e.g. is it a two stage shellcode or a single stage shellcode. You should also know also understand the difference between a reverse shell and a bind shell. When the host uses a firewall binding a shell is not going to help you do anything interesting.  

Note: There are also numerous ways can install a back door without sing shellcodes through exploits, just by making usage of the netcat tool, check in the Internet for netcat tutorials.

Fixing exploits using metasploit and other tools

Metasploit is a very good tool fir fixing and developing exploits. The ONLY tools you need to fix and launch a simple exploit are:

1. pattern_create.rb
2. pattern_offset.rb
3. Olly Debugger v1.0
4. gcc
5. wine
6. Python

Note: You have to learn how to compile windows exploits in Linux Backtrack.

Misconfiguration exploitation

Misconfiguration exploitation means bad service authentication mechanisms, that for example can be brute forced (e.g. mssql service can be brute forced, well not exactly, and also Basic HTTP authentication can be brute forced) or use no access control at all or give valuable information or assign high privileges into services and processes that later on can help escalate privileges, Man In the Middle (MIM) attacks, Man In the Middle (MIM) downgrade attacks. Generally speaking from perspective of the pan-tester misconfiguration means:

1. Service blank Password or no at all authentication
2. MIM attacks (e.g. No network access control is applied).
3. Downgrade MIM attacks (e.t.c bad cryptographic configuration is also applied)
4. Excessive privileges assigned to the service (e.g. Incognito privilege escalation tool for example)
5. No security in depth applied to the infrastructure  
   

Note: Most of this issues can be resolved with patch management enforcement and unified  authentication mechanisms such as Single Sign On e.t.c.

Sample tools that can be used for misconfiguration exploitation

The tools you can use for this type of attacks are many and costume bash and batch scripting should be to perform this attacks. But the most interesting tools for this attacks are:

1. Ettercap (using ARP poisoning)
2. SSLStrip (using ARP poisoning)
3. Cain & Abel (using ARP poisoning)
4. MSSQLPing 

Note: In order to use Ettercap you have to learn how to use the filter compiler properly.Also for constructing valid password list see next section.

Password exploitation

There two types of password attacks that an attacker can exploit:

1. Local password cracking (e.g. crack password from compromised machines)
2. Remote brute forcing  (e.g. brute force services remotely)

The first type of password exploitation is used after a machine is compromised , the second when remote brute force attack is made. When you do remote password attack you can very easily do three things that you might not like when pen testing:

1. Lock out the account 
2. Be identified by IDS or blocked from IPS (IDS is also going to generate lots of traffic)
3. Cause a DoS attack to the service you are brute forcing from excessive logs

 Note: When doing remote brute forcing you should check out the lock out policy and try out most common passwords identified from reconnaissance phase e.g. if the lock out policy is three failed attempts to lock the account for half  an hour you can try 2 different passwords every 31 minutes per username or the same password for all usernames.

Password remote attacks

Tools used for remote passwords attacks are:

1. THC Hydra

Note: I only use Hydra-THC to do remote brute forcing, he best tool ever.

Password local attacks

Local password cracking nowadays is a standard procedure. The tools you have to use are pretty much standard. So when for example have compromised a machine and extract the password hashes you have to identify the password format. So there are two types of remote brute forcing:

• Brute forcing all character set:
• Usage of character set based on the password security policy (e.g. password format)

• Targeted dictionary brute forcing:
• Usage of a costume dictionary based on the company and build on the reconnaissance phase
• Usage of character set based on the password security policy (e.g. password format) 

Note: The first type of  brute forcing is not going to be very helpful. 

Tools used to create costume lists found by default in the backtrack are:

1. grep
2. cut 
3. wc
4. awk
5. pw-inspector (taken from Hydra)

Tools used to extract password hashes by dumping them of sniffing them are:

1. meterpreter hashdump
2. pwdump
3. pwdump3e-6
4. pwdump7
5. fgdump (for remote password dumping when the user credentials are known)

Tools used to crack password hashes are:

1. Cain & Abel 
2. john
3. Ophcrack
4. Rainbow tables

Note: Password cracking is a big thing in penetration testing so you have to dedicate a lot more time that just reading posts or tutorials. In this section is only 10% of what you need to do proper password cracking. 

Phase 6 : Deliverables

We talked about all the different penetration testing phases and got a grasp about penetrating properly the client infrastructure, now what is left is to do the reporting. The reporting is very important, because it shows all the work you have done and also shows that you succeeded to do a proper technical risk analysis.

Report Structure


The report structure takes into consideration the whole results and makes it understandable from all type of personnel

• Statement of Confidentiality
• Declares that both parties have signed a confidentiality agreement
• Executive Summary
• Introductory document that has a short description of what you did.
• Findings and Analysis with no details
• Action Plan
• Categorization of the vulnerabilities based on their impact and time to be fixed.
• Steps to Mitigate or Manage Risk
• Next step for a retest
• Further actions on increasing or reducing the scope
• Management Overview
• Goals and Objectives for the pentest
• Project Team composition and names
• Project Dates
• Analytical Process
• Insight on the penetration test process used
• Costume or public vulnerability categorization (e.g. OWASP or OSTMM) 
• Generic risk categorization based on type of vulnerability and impact
• Detailed Findings
• Short technical description on what was found
• Overview
• Short technical explanation of the findings
• Statistical analysis of the vulnerabilities based on occurrence
• Statistical analysis of the vulnerabilities based on  their impact
• Statistical analysis of the vulnerabilities based on their type (optional)
• Statistical analysis of the OS's identified (optional)
• Statistical analysis of the  services identified (optional)
• Areas of Analysis Table Ratings
• Identified sections that were tested form the client infrastructure
• Key Vulnerabilities Table Ratings
• Analysis of the vulnerability based on the:
• Business impact
• Remediation Action
• Difficulty to exploit 
• Tools Used
• Detailed list of the tools used
• Appendices
• Detailed analysis of the vulnerabilities
• Vulnerabilities Screen shots 

Other documents

You should also keep an inventory excel on how to identified and how you exploited the vulnerability.