Penetration Testing With Kali
Penetration Testing with Kali Linux
PWK Copyright © 2014 Offensive Security Ltd. All rights reserved. Page 1 of 365
All rights reserved to Offensive Security, 2014 ©
No part of this publication, in whole or in part, may be reproduced,
copied, transferred or any other right reserved to its copyright owner,
including photocopying and all other copying, any transfer or
transmission using any network or other means of communication,
any broadcast for distant learning, in any form or by any means such
as any information storage, transmission or retrieval system, without
prior written permission from the author.
Penetration Testing: What You Should Know ........................................................ 13
About Kali Linux ......................................................................................................................... 13
About Penetration Testing .......................................................................................................... 14
Legal ............................................................................................................................................... 15
The megacorpone.com Domain ................................................................................................. 16
Offensive Security Labs .............................................................................................................. 16
VPN Labs Overview ................................................................................................................... 16
Lab Control Panel ....................................................................................................................... 19
Reporting .................................................................................................................................... 20
Getting Comfortable with Kali Linux ....................................................................... 23
Finding Your Way Around Kali ................................................................................................ 23
Booting Up Kali Linux ............................................................................................................... 23
The Kali Menu ............................................................................................................................ 24
find, locate, and which ................................................................................................................ 24
Exercises ..................................................................................................................................... 25
Managing Kali Linux Services ................................................................................................... 26
Default root Password ................................................................................................................ 26
SSH Service ................................................................................................................................ 27
HTTP Service ............................................................................................................................. 28
Exercises ..................................................................................................................................... 29
The Bash Environment ................................................................................................. 30
Intro to Bash Scripting ................................................................................................................. 30
Practical Bash Usage – Example 1 ............................................................................................. 30
Practical Bash Usage – Example 2 ............................................................................................. 34
Exercises ..................................................................................................................................... 37
The Essential Tools ....................................................................................................... 38
Netcat ............................................................................................................................................. 38
Connecting to a TCP/UDP Port ................................................................................................ 38
Listening on a TCP/UDP Port .................................................................................................. 40
Transferring Files with Netcat ................................................................................................... 42
Remote Administration with Netcat .......................................................................................... 44
Exercises ..................................................................................................................................... 50
Ncat ................................................................................................................................................ 50
Exercises ..................................................................................................................................... 52
Wireshark ...................................................................................................................................... 53
Wireshark Basics ........................................................................................................................ 53
Making Sense of Network Dumps ............................................................................................. 55
Capture and Display Filters ....................................................................................................... 56
Following TCP Streams ............................................................................................................. 57
Exercises ..................................................................................................................................... 58
Tcpdump ....................................................................................................................................... 59
Filtering Traffic .......................................................................................................................... 59
Advanced Header Filtering ........................................................................................................ 61
Exercises ..................................................................................................................................... 64
Passive Information Gathering .................................................................................. 65
A Tale From the Author .............................................................................................................. 65
Open Web Information Gathering ............................................................................................ 67
Google ............................................................................................................................................ 67
Enumerating with Google .......................................................................................................... 67
Google Hacking .......................................................................................................................... 72
Email Harvesting ....................................................................................................................... 76
Additional Resources .................................................................................................................. 77
Netcraft ....................................................................................................................................... 77
Whois Enumeration ................................................................................................................... 79
Exercise ....................................................................................................................................... 81
Recon-ng ........................................................................................................................................ 82
Active Information Gathering .................................................................................... 85
DNS Enumeration ........................................................................................................................ 85
Interacting With a DNS Server ................................................................................................. 85
Automating Lookups .................................................................................................................. 86
Forward Lookup Brute Force ...................................................................................................... 86
Reverse Lookup Brute Force ....................................................................................................... 87
DNS Zone Transfers .................................................................................................................. 88
Relevant Tools in Kali Linux ..................................................................................................... 92
Exercises ..................................................................................................................................... 95
Port Scanning ................................................................................................................................ 96
A Cautionary Tale From the Author ......................................................................................... 96
TCP CONNECT / SYN Scanning ............................................................................................ 96
UDP Scanning ........................................................................................................................... 98
Common Port Scanning Pitfalls ................................................................................................ 99
Port Scanning with Nmap ....................................................................................................... 100
OS Fingerprinting ................................................................................................................... 105
Banner Grabbing/Service Enumeration ................................................................................... 106
Nmap Scripting Engine (NSE) ................................................................................................ 107
Exercises ................................................................................................................................... 108
SMB Enumeration ...................................................................................................................... 109
Scanning for the NetBIOS Service .......................................................................................... 109
Null Session Enumeration ....................................................................................................... 110
Nmap SMB NSE Scripts ......................................................................................................... 113
Exercises ................................................................................................................................... 115
SMTP Enumeration ................................................................................................................... 116
Exercise ..................................................................................................................................... 117
SNMP Enumeration ................................................................................................................... 118
A Note From the Author .......................................................................................................... 118
MIB Tree .................................................................................................................................. 119
Scanning for SNMP ................................................................................................................. 120
Windows SNMP Enumeration Example ................................................................................. 121
Exercises ................................................................................................................................... 122
Vulnerability Scanning .............................................................................................. 123
Vulnerability Scanning with Nmap ........................................................................................ 123
The OpenVAS Vulnerability Scanner ..................................................................................... 128
OpenVAS Initial Setup ............................................................................................................ 128
Exercises ................................................................................................................................... 135
Buffer Overflows ........................................................................................................ 136
Fuzzing ........................................................................................................................................ 137
Vulnerability History ............................................................................................................... 137
A Word About DEP and ASLR ............................................................................................... 137
Interacting with the POP3 Protocol ........................................................................................ 138
Exercises ................................................................................................................................... 141
Win32 Buffer Overflow Exploitation ...................................................................................... 142
Replicating the Crash ............................................................................................................... 142
Controlling EIP ........................................................................................................................ 142
Locating Space for Your Shellcode ........................................................................................... 146
Checking for Bad Characters .................................................................................................... 149
Redirecting the Execution Flow ............................................................................................... 152
Finding a Return Address ........................................................................................................ 152
Generating Shellcode with Metasploit ..................................................................................... 158
Getting a Shell .......................................................................................................................... 161
Improving the Exploit .............................................................................................................. 164
Linux Buffer Overflow Exploitation ....................................................................................... 165
Setting Up the Environment .................................................................................................... 165
Crashing Crossfire .................................................................................................................... 166
Controlling EIP ........................................................................................................................ 168
Finding Space for Our Shellcode .............................................................................................. 169
Improving Exploit Reliability .................................................................................................. 170
Discovering Bad Characters ..................................................................................................... 171
Finding a Return Address ........................................................................................................ 172
Getting a Shell .......................................................................................................................... 174
Working with Exploits .............................................................................................................. 177
Searching for Exploits ............................................................................................................... 178
Finding Exploits in Kali Linux ................................................................................................ 178
Finding Exploits on the Web .................................................................................................... 179
Customizing and Fixing Exploits ............................................................................................ 182
Setting Up a Development Environment ................................................................................ 182
Dealing with Various Exploit Code Languages ....................................................................... 182
Exercises ................................................................................................................................... 186
Post Exploitation ......................................................................................................... 187
A Word About Anti Virus Software ....................................................................................... 187
File Transfers .............................................................................................................................. 188
The Non-Interactive Shell ........................................................................................................ 188
Uploading Files ........................................................................................................................ 189
Exercises ................................................................................................................................... 196
Privilege Escalation ................................................................................................................... 196
Privilege Escalation Exploits ................................................................................................... 196
Configuration Issues ................................................................................................................ 202
Incorrect File and Service Permissions .................................................................................... 202
Think Like a Network Administrator ....................................................................................... 204
Exercises ................................................................................................................................... 204
Client Side Attacks ..................................................................................................... 205
Know Your Target ..................................................................................................................... 205
Passive Client Information Gathering ..................................................................................... 206
Active Client Information Gathering ....................................................................................... 207
Social Engineering and Client Side Attacks ............................................................................ 207
Exercises ................................................................................................................................... 208
MS12-037 - Internet Explorer 8 Fixed Col Span ID ................................................................ 208
Setting up the Client Side Exploit ........................................................................................... 210
Swapping Out the Shellcode .................................................................................................... 211
Exercises ................................................................................................................................... 212
Java Signed Applet Attack ........................................................................................................ 213
Exercises ................................................................................................................................... 218
Web Application Attacks ........................................................................................... 219
Essential Iceweasel Add-ons .................................................................................................... 219
Cross Site Scripting (XSS) ......................................................................................................... 220
Browser Redirection and IFRAME Injection .......................................................................... 223
Stealing Cookies and Session Information ............................................................................... 224
Exercises ................................................................................................................................... 226
File Inclusion Vulnerabilities ................................................................................................... 227
Local File Inclusion .................................................................................................................. 227
Exercises ................................................................................................................................... 233
Remote File Inclusion ............................................................................................................... 233
Exercise ..................................................................................................................................... 234
MySQL SQL Injection ................................................................................................................ 235
Authentication Bypass ............................................................................................................. 235
Exercises ................................................................................................................................... 240
Enumerating the Database ....................................................................................................... 240
Column Number Enumeration ................................................................................................ 241
Understanding the Layout of the Output ................................................................................ 243
Extracting Data from the Database ......................................................................................... 244
Exercises ................................................................................................................................... 245
Leveraging SQL Injection for Code Execution ........................................................................ 246
Exercises ................................................................................................................................... 248
Web Application Proxies .......................................................................................................... 249
Exercises ................................................................................................................................... 251
Automated SQL Injection Tools .............................................................................................. 252
Exercises ................................................................................................................................... 255
Password Attacks ........................................................................................................ 256
Preparing for Brute Force ......................................................................................................... 256
Dictionary Files ........................................................................................................................ 256
Key-space Brute Force .............................................................................................................. 257
Pwdump and Fgdump .............................................................................................................. 259
Windows Credential Editor (WCE) ......................................................................................... 261
Exercises ................................................................................................................................... 262
Password Profiling ................................................................................................................... 263
Password Mutating .................................................................................................................. 264
Exercise ..................................................................................................................................... 266
Online Password Attacks .......................................................................................................... 266
Hydra, Medusa and Ncrack ...................................................................................................... 266
Choosing the Right Protocol – Speed vs. Reward .................................................................... 269
Exercises ................................................................................................................................... 269
Password Hash Attacks ............................................................................................................ 270
Password Hashes ...................................................................................................................... 270
Password Cracking ................................................................................................................... 270
John the Ripper ......................................................................................................................... 272
Rainbow Tables ........................................................................................................................ 275
Passing the Hash in Windows ................................................................................................. 276
Exercises ................................................................................................................................... 277
Port Redirection and Tunneling .............................................................................. 278
Port Forwarding/Redirection ................................................................................................... 278
SSH Tunneling ........................................................................................................................... 281
Local Port Forwarding ............................................................................................................. 281
Remote Port Forwarding .......................................................................................................... 283
Dynamic Port Forwarding ....................................................................................................... 285
Proxychains ................................................................................................................................. 286
HTTP Tunneling ........................................................................................................................ 288
Traffic Encapsulation ................................................................................................................ 289
Exercises ................................................................................................................................... 290
The Metasploit Framework ....................................................................................... 291
Metasploit User Interfaces ....................................................................................................... 292
Setting up Metasploit Framework on Kali ............................................................................... 293
Exploring the Metasploit Framework ...................................................................................... 293
Auxiliary Modules ..................................................................................................................... 294
Getting Familiar with MSF Syntax ......................................................................................... 294
Metasploit Database Access ..................................................................................................... 300
Exercises ................................................................................................................................... 302
Exploit Modules ......................................................................................................................... 303
Exercises ................................................................................................................................... 306
Metasploit Payloads .................................................................................................................. 306
Staged vs. Non-Staged Payloads .............................................................................................. 306
Meterpreter Payloads ............................................................................................................... 307
Experimenting with Meterpreter ............................................................................................. 308
Executable Payloads ................................................................................................................. 310
Reverse HTTPS Meterpreter ................................................................................................... 312
Metasploit Exploit Multi Handler ........................................................................................... 312
Revisiting Client Side Attacks ................................................................................................. 315
Exercises ................................................................................................................................... 315
Building Your Own MSF Module ........................................................................................... 316
Exercise ..................................................................................................................................... 318
Post Exploitation with Metasploit ........................................................................................... 319
Meterpreter Post Exploitation Features ................................................................................... 319
Post Exploitation Modules ....................................................................................................... 320
Bypassing Antivirus Software .................................................................................. 323
Encoding Payloads with Metasploit ....................................................................................... 324
Crypting Known Malware with Software Protectors ........................................................... 326
Using Custom/Uncommon Tools and Payloads ................................................................... 328
Exercise ........................................................................................................................................ 330
Assembling the Pieces - Penetration Test Breakdown ........................................ 331
Phase 0 – Scenario Description ................................................................................................ 331
Phase 1 – Information Gathering ............................................................................................. 332
Phase 2 – Vulnerability Identification and Prioritization .................................................... 332
Password Cracking ................................................................................................................... 333
Phase 3 – Research and Development .................................................................................... 336
Phase 4 – Exploitation ............................................................................................................... 337
Linux Local Privilege Escalation ............................................................................................. 337
Phase 5 – Post Exploitation ....................................................................................................... 340
Expanding Influence ................................................................................................................ 340
Client Side Attack Against Internal Network ......................................................................... 341
Privilege Escalation Through AD Misconfigurations ............................................................. 345
Port Tunneling ......................................................................................................................... 347
SSH Tunneling with HTTP Encapsulation ............................................................................ 348
Looking for High Value Targets ............................................................................................... 355
Domain Privilege Escalation .................................................................................................... 361
Going for the Kill ...................................................................................................................... 363