Offensive Security 101 Workshop

Last updated 5 years ago

Offensive Security 101 Workshop

Types of Assessments

Penetration Testing Process

Traditionally penetration test are broken into various phases as shown below:

Red Team Operations

A red team operation can be defined as "an extended form of engagement conducted over a period of weeks and designed to achieve a set objective such as data exfiltration, and in the process test an organization's detection and response capabilities."

Note if there is no defense than there is no red team. A red teams pure purpose to help strengthen the blue team.

Penetration Testing vs Red Team Engagements

Scheduled security test vs adversarial based assessments
Red Team = Blue Team present and operational
Red Teams sole purpose is to support the Blue Team
A penetration test does not emulate an attacker\, it discovers exploitable vulnerabilities
- Chaining of vulnerabilities to demonstrate PoC against vulnerable systems ( Yay to DA!)
In red team engagements operational controls are baselines and stress tested.
- Are your sensors working?

What is a Red Team

A red team is an independent group that challenges an organization to improve its effectiveness by assuming an adversarial role or point of view.

It is particularly effective in organizations with strong cultures and fixed ways of approaching problems.

What is a Purple Team?

How are Purple Teams Successful??

A true purple team’s mission should be to provide emphasis not on the remediation of vulnerabilities but rather prevention and detection growth of the organization.

Setting Up Your Lab Machines

Before starting the lab, ensure both of your VMs are imported in VirtualBox/ VMware
- https://docs\.oracle\.com/cd/E26217_01/E26796/html/qs\-import\-vm\.html
- https://docs\.vmware\.com/en/VMware\-Workstation\-Pro/12\.0/com\.vmware\.ws\.using\.doc/GUID\-DDCBE9C0\-0EC9\-4D09\-8042\-18436DA62F7A\.html
Next, confirm both VMs are set to NAT or Host Only for network traffic
- Settings > Network > NAT
- Settings > Network > Host-Only
Log into your Kali VM using the credentials root:toor
- Enter the command ifconfig and write your IP Address down
Log into your metasploitable2 VM using the credentials msfadmin:msfadmin
- Enter the command ifconfig and write your IP Address down
Confirm network connectivity between hosts by send a ping command from kali to metasploitable and metasploitable to kali

**Note if you wish to access both VMs using your host terminal simply type: sudo service ssh start on each machine and connect to both over ssh.

OSX/Linux – Terminal
Windows – Putty/CMDER

Passive Recon

Social Mapper
- OSINT Social Media Mapping Tool
Maltego
- Take your APIs to the next level
Fat Fingers & GitHub
- TruffleHog searches through git repositories for secrets.
Creds already available?
- pwnedOrNot uses haveibeenpwned v2 api to test email accounts and tries to find the password in Pastebin Dumps

Active Recon

EyeWitness takes screenshots of websites\, provides server header info\, and can identify default credentials if possible.
AWSBucketDump
- Dump Those Buckets!
How hard will it be to Phish?
- Spoofcheck is a program that checks SPF and DMARC records for weak configurations that allow spoofing.
Enumerate DNS with python
- D nsrecon

Open source Intelligence (OSINT)

Recon & Enumeration

Quickly Generate List of Ips for Enumeration

Quick One liners to quickly Ping hosts

TCP Flags overview

SYN = Synchronize = starts a connection between two devices
- “Hello\, I want to have a conversation with you”
ACK = Acknowledgement = confirms receipt of a packet
- “Got your hello\, I can hear you loud and clear”
URG = Urgent = requests data to be processed immediately
- “There’s important data that needs to be handled quickly”
PSH = Push = sends all buffered data immediately
- “Don’t hold data waiting for more”
FIN = Finish = no more data is coming
- “Thanks for the chat\, goodbye!”
RST = Resets = resets the connection
- “There was an error in the communication”

TCP Flags in Wireshark

Using netcat to enumerate ports

Using NETcat & Grep to enumerate open ports

Banner Grabbing with Netcat

Network Mapper - NMAP

Nmap –sV Scan

Nmap –A Scan

Nmap –sV Scan

Hack for 5

Flag #1 – Find out the syntax to output an Nmap scan in a greppable file format?

Flag#2 – What Nmap flag will allow you to manually apply a user agent string to your Nmap scan?

**hint** - manual nmap

Grepping & NMAP

Building a Simple Enumeration Script with BASH, Grep, & CUT

https://github\.com/LibertyUnix/exam_scripts/blob/master/base\-recon\.sh

Building a Simple Enumeration Script with BASH

Banner Grabbing with Netcat

Break

Wireshark

Triggering the Backdoor & Connecting to the Shell

VSFTPD v2.3.4 contains a backdoor that is triggered by entering anystring:) as the username (no password required).

Passing shells with netcat

Transferring data with netcat

Transferring Encoded data with Netcat

Decoding netcat shadow transfer

Risk of clear text communication

Hack for 5

Flag #1 – Find /etc/shadow file being transferred without base 64 encoding

Flag#2 – What is the Wireshark filter to only see traffic originating from the compromised machine?

**hint** - manualnmap

Web applications o my!

Scanning web applications with Nikto

Netcat & dirbuster

Web applications o my!

https://netsec\.ws/?p=331

A non-interactive shell is a shell that can not interact with the user. It’s most often run from a script. This means that .bashrcand .profile are not executed

Python Pseudo-terminal utilities

pty.spawn(argv[\,master_read[\,stdin_read]])
Spawn a process\, and connect its controlling terminal with the current process’s standardio.
- This is often used to baffle programs which insist on reading from the controlling terminal
The functionsmaster_readandstdin_readshould be functions which read from a file descriptor.
- The defaults try to read 1024 bytes each time they are called

PreviousPresented Research

Last updated 5 years ago

Types of Assessments

Penetration Testing Process

Traditionally penetration test are broken into various phases as shown below:

Red Team Operations

Note if there is no defense than there is no red team. A red teams pure purpose to help strengthen the blue team.

Penetration Testing vs Red Team Engagements

Scheduled security test vs adversarial based assessments
Red Team = Blue Team present and operational
Red Teams sole purpose is to support the Blue Team
A penetration test does not emulate an attacker\, it discovers exploitable vulnerabilities
- Chaining of vulnerabilities to demonstrate PoC against vulnerable systems ( Yay to DA!)
In red team engagements operational controls are baselines and stress tested.
- Are your sensors working?

What is a Red Team

A red team is an independent group that challenges an organization to improve its effectiveness by assuming an adversarial role or point of view.

It is particularly effective in organizations with strong cultures and fixed ways of approaching problems.

What is a Purple Team?

How are Purple Teams Successful??

A true purple team’s mission should be to provide emphasis not on the remediation of vulnerabilities but rather prevention and detection growth of the organization.

Setting Up Your Lab Machines

Before starting the lab, ensure both of your VMs are imported in VirtualBox/ VMware
- https://docs\.oracle\.com/cd/E26217_01/E26796/html/qs\-import\-vm\.html
- https://docs\.vmware\.com/en/VMware\-Workstation\-Pro/12\.0/com\.vmware\.ws\.using\.doc/GUID\-DDCBE9C0\-0EC9\-4D09\-8042\-18436DA62F7A\.html
Next, confirm both VMs are set to NAT or Host Only for network traffic
- Settings > Network > NAT
- Settings > Network > Host-Only
Log into your Kali VM using the credentials root:toor
- Enter the command ifconfig and write your IP Address down
Log into your metasploitable2 VM using the credentials msfadmin:msfadmin
- Enter the command ifconfig and write your IP Address down
Confirm network connectivity between hosts by send a ping command from kali to metasploitable and metasploitable to kali

**Note if you wish to access both VMs using your host terminal simply type: sudo service ssh start on each machine and connect to both over ssh.

OSX/Linux – Terminal
Windows – Putty/CMDER

Passive Recon

Social Mapper
- OSINT Social Media Mapping Tool
Maltego
- Take your APIs to the next level
Fat Fingers & GitHub
- TruffleHog searches through git repositories for secrets.
Creds already available?
- pwnedOrNot uses haveibeenpwned v2 api to test email accounts and tries to find the password in Pastebin Dumps

Active Recon

EyeWitness takes screenshots of websites\, provides server header info\, and can identify default credentials if possible.
AWSBucketDump
- Dump Those Buckets!
How hard will it be to Phish?
- Spoofcheck is a program that checks SPF and DMARC records for weak configurations that allow spoofing.
Enumerate DNS with python
- D nsrecon

Open source Intelligence (OSINT)

Recon & Enumeration

Quickly Generate List of Ips for Enumeration

Quick One liners to quickly Ping hosts

TCP Flags overview

SYN = Synchronize = starts a connection between two devices
- “Hello\, I want to have a conversation with you”
ACK = Acknowledgement = confirms receipt of a packet
- “Got your hello\, I can hear you loud and clear”
URG = Urgent = requests data to be processed immediately
- “There’s important data that needs to be handled quickly”
PSH = Push = sends all buffered data immediately
- “Don’t hold data waiting for more”
FIN = Finish = no more data is coming
- “Thanks for the chat\, goodbye!”
RST = Resets = resets the connection
- “There was an error in the communication”

TCP Flags in Wireshark

Using netcat to enumerate ports

Using NETcat & Grep to enumerate open ports

Banner Grabbing with Netcat

Network Mapper - NMAP

Nmap –sV Scan

Nmap –A Scan

Nmap –sV Scan

Hack for 5

Flag #1 – Find out the syntax to output an Nmap scan in a greppable file format?

Flag#2 – What Nmap flag will allow you to manually apply a user agent string to your Nmap scan?

**hint** - manual nmap

Grepping & NMAP

Building a Simple Enumeration Script with BASH, Grep, & CUT

https://github\.com/LibertyUnix/exam_scripts/blob/master/base\-recon\.sh

Building a Simple Enumeration Script with BASH

Banner Grabbing with Netcat

Break

Wireshark

Triggering the Backdoor & Connecting to the Shell

VSFTPD v2.3.4 contains a backdoor that is triggered by entering anystring:) as the username (no password required).

Passing shells with netcat

Transferring data with netcat

Transferring Encoded data with Netcat

Decoding netcat shadow transfer

Risk of clear text communication

Hack for 5

Flag #1 – Find /etc/shadow file being transferred without base 64 encoding

Flag#2 – What is the Wireshark filter to only see traffic originating from the compromised machine?

**hint** - manualnmap

Web applications o my!

Scanning web applications with Nikto

Netcat & dirbuster

Web applications o my!

https://netsec\.ws/?p=331

A non-interactive shell is a shell that can not interact with the user. It’s most often run from a script. This means that .bashrcand .profile are not executed

Python Pseudo-terminal utilities

pty.spawn(argv[\,master_read[\,stdin_read]])
Spawn a process\, and connect its controlling terminal with the current process’s standardio.
- This is often used to baffle programs which insist on reading from the controlling terminal
The functionsmaster_readandstdin_readshould be functions which read from a file descriptor.
- The defaults try to read 1024 bytes each time they are called