
SANS 560.3 - Exploitation PDF

196 Pages·2017·14.503 MB·English

Preview SANS 560.3 - Exploitation

Copyright © 2017, The SANS Institute. All rights reserved. The entire contents of this publication are the property of the SANS Institute.

PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT ("CLA") CAREFULLY BEFORE USING ANY OF THE COURSEWARE ASSOCIATED WITH THE SANS COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE "USER") AND THE SANS INSTITUTE FOR THE COURSEWARE. YOU AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU.

With the CLA, the SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware subject to the terms of this agreement. Courseware includes all printed materials, including course books and lab workbooks, as well as any digital or other media, virtual machines, and/or data sets distributed by the SANS Institute to the User for use in the SANS class associated with the Courseware. User agrees that the CLA is the complete and exclusive statement of agreement between The SANS Institute and you and that this CLA supersedes any oral or written proposal, agreement or other communication relating to the subject matter of this CLA.

BY ACCEPTING THIS COURSEWARE YOU AGREE TO BE BOUND BY THE TERMS OF THIS CLA. BY ACCEPTING THIS SOFTWARE, YOU AGREE THAT ANY BREACH OF THE TERMS OF THIS CLA MAY CAUSE IRREPARABLE HARM AND SIGNIFICANT INJURY TO THE SANS INSTITUTE, AND THAT THE SANS INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF POSTING BOND), SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF.

If you do not agree, you may return the Courseware to the SANS Institute for a full refund, if applicable.

User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of the SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form without the express written consent of the SANS Institute.

If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this courseware.

SANS acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in this courseware are the sole property of their respective trademark/registered/copyright owners, including: AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Air, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Siri, Spaces, Spotlight, There's an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are registered trademarks of Apple Inc.

Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA.

SEC560_3_C01_03

SEC560-3, Exploitation
SANS © Ed Skoudis, All Rights Reserved | Version C01_03 | 1Q17

Welcome to SEC560.3, focused on exploitation. In this section, we look at many kinds of exploits that a penetration tester or ethical hacker can use to compromise a target machine, including service-side, client-side, and local privilege escalation exploits. These exploits are often packaged in Metasploit, one of the most fully functional tools available today. We go over some of the more advanced Metasploit options, including its mighty Meterpreter, discussing some of the best features in this powerful payload that are hugely helpful for penetration testers and ethical hackers. The course then focuses on specific strategies and tactics penetration testers can use to avoid antivirus tools detecting and shutting down malicious payloads. We then conduct a lab using Veil-Evasion to see how we can create payloads that are less likely to be detected by antivirus tools.
At the end of this section, we look at the differences between raw command shell and true terminal access of target systems, discussing various ways to leverage a raw shell to get terminal control of a system. The final topic is an extremely useful method for pivoting a port using Linux Netcat relays.

© 2017 Ed Skoudis

TABLE OF CONTENTS (1)
Why Exploitation?
Exploit Categories
Metasploit
LAB: msfconsole 36
The Meterpreter
LAB: Meterpreter 76
AV Evasion with Veil-Evasion 99
LAB: Using Veil-Evasion 107
Metasploit Databases and Tool Integration
LAB: Metasploit Databases and Tool Integration
Post-Exploitation Activities 148
(Page numbers that did not survive extraction are omitted.)

SEC560 | Network Penetration Testing and Ethical Hacking

This slide is a table of contents. Note that all labs are highlighted in bold for easy reference.

TABLE OF CONTENTS (2)
Port Pivot Relay 150
LAB: Port Pivot Relays 153
Post-Exploitation with Empire
LAB: Empire 185

Course Roadmap
560.3 Network Penetration Testing & Ethical Hacking

Course phases:
- Pen Test Planning
- Recon
- Scanning
- Exploitation (this section)
- Post-Exploitation
- Password Attacks
- Web App Attacks

560.3 topics:
- Why Exploitation?
- Exploit Categories
- Metasploit
  > LAB: msfconsole
- The Meterpreter
  > LAB: Meterpreter
- AV Evasion with Veil-Evasion
  > LAB: Veil-Evasion
- Metasploit Databases and Tool Integration
  > LAB: MSF DB and Tool Integration
- Post-Exploitation Activities and Merciless Pivoting
- Port Pivot Relay
  > LAB: Port Pivot Relay
- Post Exploitation with Empire
  > LAB: Empire

The next segment of this course discusses exploitation of target systems. At the end of the scanning phase, you need to take an inventory of the information you retrieved so far and the various possible vulnerabilities identified. If the Rules of Engagement for the project allow us to do so, we will use this information to exploit systems in the target environment.

There are many options for exploiting systems. In this section, we explore many of the most common and powerful techniques we use as penetration testers and ethical hackers.

What Is Exploitation?
- Exploit: Code or technique that a threat uses to take advantage of a vulnerability
  - For a penetration tester, exploitation often involves gaining access to a machine to run commands on it in the form of a shell
    - Possibly with limited privileges
    - Perhaps with superuser privileges
- Some examples of what you can do once you've exploited a target:
  - Move files to a target machine
  - Take files from a target machine
  - Sniff packets at the target
  - Reconfigure the target machine (especially dangerous!)
  - Install software on a target machine (especially dangerous!)

Before we discuss how to exploit target systems, we need to define exploitation. As we discussed in 560.1, an exploit is code or a technique that a threat uses to take advantage of a security vulnerability on a target system. For a penetration tester, exploiting a target machine is gaining some form of access to the system, usually to run commands on it. We also use the phrase "compromising a machine" in a similar fashion. According to Wikipedia, an exploit is "A piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized)." (http://en.wikipedia.org/wiki/Exploit_%28computer_security%29)

Our exploitation may give us limited privileges on the system, running a limited set of commands as a lowly user account. Or our exploit may provide superuser privileges on the machine (UID 0 on Linux/UNIX, or Administrator or SYSTEM on Windows). Alternatively, our initial exploit may give us limited privileges, which we then escalate with a local privilege escalation attack to get superuser rights on the box.

The commands we run on the target machine that we've compromised with our exploit may allow us to move files to or from the machine. We could upload programs or take appropriate information from a machine in an authorized fashion according to our Rules of Engagement. We might run programs on it, including a sniffer that could capture packets traversing the network on which the target machine sits. We could reconfigure the machine, altering its settings so that it is more useful in subsequent testing, possibly as a jump-off or pivot point to exploit other systems. We might even install software packages on the machine.

Of course, any of these actions is significant and could impact a production environment in profound ways, especially reconfiguring the target machine or installing software that may interfere with existing software on the target.

Why Exploitation?
[Figure: Scenario: Pivot through DMZ (Firewall, DMZ System, Internal System); Scenario: Pivot through intranet (Internal Systems)]

- False positive reduction/elimination
  - But even if the exploit doesn't work, you still may want to report on the detected vulnerability
- Proof of vulnerability and therefore more realistic treatment of risk
- Use of one machine as a pivot point to get deeper inside the network
  - More of a sense of what a real bad person can accomplish
- Exploitation leads to post-exploitation
  - ...which really helps us understand the business risks that the target organization faces due to discovered vulnerabilities

Why would we consider exploiting a target machine during a test? First, keep in mind that not all tests actually involve exploitation. Some target organizations merely want a list of potential vulnerabilities or even just open ports for their test results, without any more detailed confirmation of exploitability of the targets.

Other organizations scope tests to include exploitation for several reasons. First, by actually exploiting a system, we can reduce the number of false positives we get from our vulnerability scanning tool. After all, if the exploit works in compromising the target machine, we have confirmed that the vulnerability is actually present. Note that if an exploit does not work, there still might be a significant vulnerability on the target. But the given exploit code the testers used might have flaws causing it to fail. Another evil attacker might have a different and better exploit that would succeed. Thus, we still should report discovered potential vulnerabilities, even though we cannot successfully exploit them.

A successful exploit also offers proof that a vulnerability exists, helping motivate the target organization to address its true risk in a more effective manner.

Furthermore, by compromising one machine, we may use that system as a pivot point to discover, scan, and exploit additional systems. For example, by compromising one machine on a DMZ, we can then use that system to compromise other machines on the DMZ or possibly the internal network. Alternatively, if the penetration test includes client-side exploitation within its scope, we may compromise an internal system and then pivot through it to get access to internal servers or even DMZ servers, a powerful form of attack that mimics what many real-world bad guys do today. But we should do such pivoting only if it is explicitly agreed to by target organization personnel.

And that gets us to the most valuable part of exploitation: It allows us to perform post-exploitation activities that let us better understand and demonstrate the business implications and risks associated with the vulnerabilities we've exploited. That's why we'll spend a good deal of time in this book discussing post-exploitation activities.

Risks of Exploitation
- Service crash
- System crash
- System stability or integrity impacted
- Data exposure with legal ramifications
  - As a penetration tester, you likely do not want to be in possession of millions of credit card numbers or other similarly sensitive information
- Inadvertently accessing the wrong system
  - Out of scope or even the wrong target organization
- Because of these concerns, verify that exploitation is allowed by Rules of Engagement
  - And... double-check for a given system whether it is in scope
- Also, understand the probabilistic nature of exploit success

Exploiting target machines does bring some significant risks, however, which must be carefully discussed with target organization personnel.

Exploitation could cause a target service to crash, resulting in a denial of service condition. On a critical production system, such service interruption could result in significant damages from financial, reputational, and other perspectives. Beyond the crash of an individual service, the entire target system could crash, causing several services to come offline.

Or instead of bringing a system down immediately, an exploit could make it unstable. Thus, the service or system continues to run but has problems intermittently that might be difficult or impossible to track back to the exploitation attempt. Furthermore, an exploit may violate the integrity of the system, tweaking its configuration or worse. Important and sensitive data could be lost.

Also, by exploiting a system to get access to files or sniff packets from the network, the testing team might see data that it isn't officially authorized to view. In financial services, healthcare, government agencies, and other industries, there could be significant legal implications for testers who view this data because their job usually does not have an explicit need for data access.

Another concern with exploitation involves inadvertently attacking the wrong system and successfully compromising it. A penetration tester who isn't careful could compromise systems that are outside of the scope of the project or even outside the target organization, facing significant legal implications.

Because of all these concerns, not only should exploitation be discussed with the target organization in the context of the whole project, but it should also be addressed on a system-by-system basis. That is, before running exploits against a particular machine, check with target organization personnel to make sure the given target is in scope and whether accessing it or viewing data from it has any implications.

Course Roadmap (repeated; this segment: Exploit Categories)

Penetration testers and ethical hackers often attack target systems using exploits. There are thousands of exploits available on a free and commercial basis today, with new ones released on a regular basis. But not all exploits are identical. There are numerous different ways to categorize exploits, based on how they function, the vulnerabilities they target, where they run, and so on. From a penetration testing and ethical hacking perspective, one of the most useful means for categorizing exploits separates them into client-side, service-side, and local privilege escalation attacks. Let's explore each of these different categories in detail to see how we can use them in our penetration testing and ethical hacking work.
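The Risks of Exploitation discussion above calls for confirming, system by system, that a target is inside the Rules of Engagement before any exploit is launched. The following is an added example of one way to build that check into a tester's tooling; it is not code from the SANS course or from Metasploit. The Rules of Engagement values (the 10.0.5.0/24 and 2001:db8:1::/48 ranges, the two excluded hosts and the named DMZ host) are constructed for illustration, as are the function names check_target, require_in_scope, is_permitted and triage. Exclusions take precedence over allowed ranges, so a carve-out agreed with the target organization cannot be undone by a broader allowance, and hostnames must be listed explicitly because nothing here resolves DNS.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RulesOfEngagement:
    """Scope agreed with the target organization (values here are constructed)."""
    allowed: list = field(default_factory=list)       # CIDR ranges or single addresses
    excluded: list = field(default_factory=list)      # never touched, even if inside 'allowed'
    allowed_hosts: set = field(default_factory=set)   # hostnames authorised by name


def _networks(entries):
    # strict=False lets a host address like "10.0.5.250" become a /32 network
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def check_target(target, roe):
    """Classify one target as 'in-scope', 'excluded' or 'out-of-scope'."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: treat it as a hostname; only explicit entries count
        return "in-scope" if target.lower() in roe.allowed_hosts else "out-of-scope"
    # Exclusions win over allowances: a per-system carve-out is honoured first.
    # Mixed IPv4/IPv6 comparisons are simply False in the ipaddress module.
    if any(addr in net for net in _networks(roe.excluded)):
        return "excluded"
    if any(addr in net for net in _networks(roe.allowed)):
        return "in-scope"
    return "out-of-scope"


class ScopeViolation(Exception):
    """Raised when a tool is pointed at something the RoE does not cover."""


def require_in_scope(target, roe):
    """Gate for tooling: return the target if permitted, otherwise raise."""
    status = check_target(target, roe)
    if status != "in-scope":
        raise ScopeViolation(f"{target} is {status}; do not proceed without written approval")
    return target


def is_permitted(target, roe):
    """Boolean convenience wrapper around require_in_scope."""
    try:
        require_in_scope(target, roe)
        return True
    except ScopeViolation:
        return False


def triage(targets, roe):
    """Partition a candidate list into the three buckets for review before exploitation."""
    buckets = {"in-scope": [], "excluded": [], "out-of-scope": []}
    for t in targets:
        buckets[check_target(t, roe)].append(t)
    return buckets


# Constructed Rules of Engagement for a hypothetical engagement
ROE = RulesOfEngagement(
    allowed=["10.0.5.0/24", "2001:db8:1::/48"],
    excluded=["10.0.5.250", "10.0.5.251/32"],   # e.g. production hosts the client carved out
    allowed_hosts={"dmz-web01.example.com"},
)

if __name__ == "__main__":
    # Constructed candidate list, as might come out of the scanning phase
    candidates = ["10.0.5.17", "10.0.5.250", "10.0.6.1", "2001:db8:1::10", "dmz-web01.example.com"]
    for bucket, hosts in triage(candidates, ROE).items():
        print(f"{bucket:13s} {hosts}")
```

Run the triage over the scanner's host list before loading anything into an exploitation framework, and treat both the "excluded" and "out-of-scope" buckets as a stop: the course's point is that each of those needs a conversation with target organization personnel, not a judgement call by the tester.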
