Enter The back|track Linux Dragon

Date post: 14-May-2015
Upload: andrew-kozma
Description: My presentation at AtlSecCon 2013

Transcript
Page 1: Enter The back|track Linux Dragon

Enter the BackTrack Linux Dragon

Andrew Kozma

Atlantic Security Conference

March 21-22, 2013

Page 2

• Infosec professional working in healthcare

• Fan of all things ninja, samurai and kung fu cinema

• A huge fan of BackTrack, Offensive-Security and Bruce Lee

• Blues fanatic that secretly wants to learn how to play the harmonica

• I am forever a student, always learning something new

“A wise man can learn more from a foolish question than a fool can learn from a wise answer.”

~Bruce Lee

Page 3

• Pre-engagement Interactions

• Intelligence Gathering

• Threat Modeling

• Vulnerability Analysis

• Exploitation

• Post Exploitation

• Reporting

Page 4

• “Be like water making its way through cracks. Do not be assertive, but adjust to the object, and you shall find a way around or through it. If nothing within you stays rigid, outward things will disclose themselves. Empty your mind, be formless. Shapeless, like water. If you put water into a cup, it becomes the cup. You put water into a bottle and it becomes the bottle. You put it in a teapot, it becomes the teapot. Now, water can flow or it can crash. Be water, my friend.” ~ Bruce Lee

• “Obey the principles without being bound by them.” ~ Bruce Lee

• “To hell with circumstances; I create opportunities.” ~ Bruce Lee

Page 5

• Primary difference between an authorized pentest and “Hacking”

• Defines the rules of engagement

• Provides scope so that critical infrastructure may not be impacted

• Legal “CYA” stuff…

Page 6

• Web Reconnaissance framework written in Python

• Module based

• No direct queries to target (OSINT)

• Organized to support the phases of a pentest

Page 7

• The command “show modules” will display all available modules

• We are interested in what Google has stored in its databases regarding our target

• We will load the module with the command “load recon/hosts/gather/http/google”

• The command “info” provides additional information about the module and any options that can be set.

• We have to add our target with the command “set domain your target”

Page 8

• To start reconnaissance we enter the command “run”

• It starts to query Google for known hosts associated with the target.

• Notice the “sleeping to avoid lockout” message

Page 9

• Now that we have some hosts, we want to get some contacts

• We run the “show modules” command again and this time select Jigsaw as our source

• To load the module we enter the command “load recon/contacts/gather/http/jigsaw”

• Type the command “info” for additional information about this module.

• Once again we have to select our target in the options by entering the command “set company your target”

• The more information gathered at this phase, the better our chances of a successful exploit

Page 10

• We enter the command “run” to start the query against our target

• We can already start seeing contacts being collected

Page 11

• Now let's put our intel into a format that will help support Threat Modeling

• Let's load the HTML report output module using the command “load reporting/html_report”

• Let's title the report by setting the value for company: “set company your target”

• Set the filename and location for the created report: “set filename /root/Desktop/yourtarget.html”

Page 12

*Note: additional modules can be run to gather DNS and geographic data to complete this report*

Page 13

• Leveraging all of the data gathered to select attack vectors and plan a well-organized strategic attack

• Will include social media and various other forms of information

• For the demo today we will be targeting an employee

A snippet from the PTES site at http://www.pentest-standard.org

Page 14

• Up until now everything was done passively, with no direct contact with the target and its related hosts/systems

• Will include multiple scans for: ports, service banners and of course vulnerabilities

Page 15

• Attacker - BackTrack 5r3 with updated repositories and tools

• Target - Fully patched and updated W7 installation with Microsoft Security Essentials installed and updated

• Using a phishing email targeted at an employee with relevant information (Client Side Exploits)

• In the “real world” most likely the client will indicate client side attacks are out of scope at the pre-engagement phase due to the incredibly high success rate…

Page 16

• We are going to use the Social-Engineer Toolkit (SET)

• In a terminal navigate to SET: “cd /pentest/exploits/set”

• From the SET directory: “./set”

• Select Option 1

Page 17

• For this demo we are going to utilize website attack vectors

Page 18

• We are going to select the Java applet attack

• Leverages a customized Java applet to deliver the payload

• According to Oracle there are a lot of Java users out there

Page 19

• We are going to clone a site using option 2

• NAT/Port forward is required if you have to traverse a firewall; for this demo we will say no

• We have to enter the IP address of the attacker so the reverse connection can be successful

• Enter the URL for the site we wish to clone

Page 20

• We want to be able to interact in various ways with the target system

• A Meterpreter session provides multiple options and is preferred

Page 21

• We want to successfully compromise the target, and option 16 is described as (BEST)

Page 22

• We need to configure some options for our back door

• We select port 4444 for this demo

• The payload is encoded and hidden within an executable

• Then it is moved into the cloned site and our listener is set up to wait for the reverse connection

Page 23

• Now that we have our listener waiting and we see that the payload handler is starting, let's send our phishing email and wait

• Notice that the embedded link indicates HalifaxMooseheads.ca

• Looks legit, right? And from our intel we can see the target has posted pictures on social media sites of his friends and family enjoying the games
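The lure on this slide works because the link's visible text names HalifaxMooseheads.ca while the href leads to the cloned page. As an added example (not part of the talk, and not SET's code), the following Python script shows the check a mail gateway or awareness tool can apply to an HTML message body: it flags anchors whose visible text claims one domain while the href actually points to another. The email body, the 203.0.113.5 address and the two-label "registered domain" heuristic are constructed for the demo.

```python
"""Flag links whose visible text names one domain while the href points elsewhere.

Added example; not from the talk or from SET. The sample email, the
203.0.113.5 address (a documentation range) and the crude eTLD+1 rule
below are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# First domain-looking token in anchor text, e.g. "HalifaxMooseheads.ca".
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Demo assumption; a real gateway
    would consult the public suffix list instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def claimed_domain(text):
    """Registered domain named in the visible text, or None when the text
    makes no such claim (e.g. "click here")."""
    m = DOMAIN_RE.search(text.lower())
    return registered_domain(m.group(0)) if m else None


def href_domain(href):
    """Registered domain the link really targets; '' when there is none
    to compare (mailto:, tel:, relative links)."""
    parsed = urlparse(href)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return ""
    if not parsed.scheme:                       # schemeless "www.example.com/x"
        parsed = urlparse("http://" + href)
    host = parsed.hostname or ""
    return registered_domain(host) if host else ""


def find_deceptive_links(html):
    """Return [(visible_text, href)] for anchors whose text names a domain
    that differs from the domain the href actually resolves to."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.anchors:
        claimed, actual = claimed_domain(text), href_domain(href)
        if claimed and actual and claimed != actual:
            hits.append((text, href))
    return hits


# Constructed lure in the spirit of the slide: the first link lies about
# its destination, the second is honest, the third makes no domain claim.
SAMPLE_EMAIL = """
<p>Hi there, congrats! You won two tickets to Saturday's game.</p>
<p>Claim them at <a href="http://203.0.113.5/claim">HalifaxMooseheads.ca</a> before Friday.</p>
<p>Schedule: <a href="https://www.halifaxmooseheads.ca/schedule">halifaxmooseheads.ca/schedule</a></p>
<p><a href="mailto:tickets@example.org">Questions?</a></p>
"""

if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EMAIL):
        print(f"deceptive link: text says {text!r} but points to {href}")
```

The comparison is done on registered domains rather than full hostnames so that `www.halifaxmooseheads.ca` and `halifaxmooseheads.ca` are treated as the same claim; the trade-off is that the two-label rule misjudges suffixes such as `.co.uk`, which is why a production check should use the public suffix list.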

Page 24

• The target has clicked the link to browse to our malicious site

• He is presented with a “Trusted” Java applet indicating that something needs to be installed

• This is persistent: if the user clicks cancel the applet will return again

• User thoughts… Hey, it says (VERIFIED SAFE), right…

Page 25

• The attacker can tell the user has clicked the link

• However no reverse session appears, indicating something went awry

• In this particular instance Microsoft Security Essentials detected our payload and prevented the reverse session

• What do we do now…

Page 26

“Defeat is not defeat unless accepted as a reality in your own mind.”

~Bruce Lee

“If you always put limits on everything you do, physical or anything else, it will spread into your work and into your life. There are no limits. There are only plateaus, and you must not stay there, you must go beyond them.”

~Bruce Lee

Page 27

*Try Harder and the BackTrack Dragon are registered Trademarks of Offensive-Security*

Many thanks to the team at Offensive Security for being an educational sponsor of AtlSecCon 2013

Page 28

• Let's try this again…

• The attack vector will not change but we will be changing the delivery of the payload

• We are still leveraging Social-Engineering Attacks

Page 29

• Once again we will be using option 2 Website Attack Vectors

Page 30

• We are going to clone a site again with option 2

• Automation is a beautiful thing… let's take a moment to thank David Kennedy of TrustedSec.com (@dave_rel1k) for all of his efforts.

• Hugs brah! SET is so full of win!

Page 31

• This time however we are going to change the payload

• Pyinjector is relatively new and has been available since the summer of 2012

• It injects shellcode directly into memory via PowerShell

• Because it does not touch disk it makes it very difficult for AV services to detect … sneaky sneaky…
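The defensive counterpart of this slide: a payload that never touches disk is invisible to file scanning, but the PowerShell process that hosts it still appears in process-creation telemetry, and that is where the pattern can be caught. The following Python script is an added example, not code from the talk, SET or pyinjector. It scores constructed process-creation records (a simple key=value shape, not Sysmon's real schema) on the traits this slide implies: PowerShell spawned by a browser or Java process, a hidden window, an encoded command, and memory-allocation API names on the command line. The field names, indicator weights and threshold are assumptions for the demo.

```python
"""Score process-creation events for the in-memory PowerShell injection pattern.

Added example; not from the talk, SET or pyinjector. The log lines, the
key=value record format, the weights and the threshold are constructed
for the demonstration and do not follow any vendor schema.
"""
import re

# Parents that should rarely spawn PowerShell on a user workstation (assumption).
SUSPICIOUS_PARENTS = {
    "java.exe", "javaw.exe", "iexplore.exe", "firefox.exe", "chrome.exe",
    "winword.exe", "excel.exe", "outlook.exe",
}

# (name, pattern, weight). PowerShell accepts any unique prefix of a switch,
# so -e, -ec, -enc and -EncodedCommand all mean the same thing.
INDICATORS = [
    ("encoded_command", re.compile(r"-e(?:c|n[a-z]*)?\b", re.I), 3),
    ("hidden_window",   re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), 2),
    ("no_profile",      re.compile(r"-(?:nop|noprofile)\b", re.I), 1),
    ("bypass_policy",   re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 1),
    ("memory_api",      re.compile(r"virtualalloc|createthread|frombase64string", re.I), 3),
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn ts="..." image="..." parent="..." cmd="..." into a dict."""
    return dict(FIELD_RE.findall(line))


def score_event(ev):
    """Return (score, reasons) for one parsed event; 0 for non-PowerShell images."""
    image = ev.get("image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    score, reasons = 0, []
    parent = ev.get("parent", "").lower().rsplit("\\", 1)[-1]
    if parent in SUSPICIOUS_PARENTS:
        score += 3
        reasons.append(f"parent:{parent}")
    cmd = " " + ev.get("cmd", "") + " "
    for name, rx, weight in INDICATORS:
        if rx.search(cmd):
            score += weight
            reasons.append(name)
    return score, reasons


def triage(lines, threshold=5):
    """Return [(timestamp, score, reasons)] for events at or above threshold."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((ev.get("ts"), score, reasons))
    return flagged


# Constructed records: one matches the slide's pattern (PowerShell launched by
# Java with a hidden window and an encoded command), the rest are benign admin
# activity. The base64 blob is a placeholder, not real content.
SAMPLE_LOG = r'''
ts="2013-03-21T10:02:11" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Program Files\Java\jre7\bin\java.exe" cmd="powershell -nop -w hidden -enc AAAAPLACEHOLDER"
ts="2013-03-21T10:05:40" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\explorer.exe" cmd="powershell -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"
ts="2013-03-21T10:06:02" image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe" cmd="notepad.exe notes.txt"
ts="2013-03-21T10:07:15" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\System32\cmd.exe" cmd="powershell -NoProfile -Command Get-Process"
'''

if __name__ == "__main__":
    for ts, score, reasons in triage(SAMPLE_LOG.splitlines()):
        print(f"{ts} score={score} {', '.join(reasons)}")
```

The parent-process check carries the most weight on purpose: a browser or Java runtime launching PowerShell is unusual regardless of the switches, whereas `-NoProfile` on its own is common in legitimate scripts, so the scoring keeps the benign admin records below the threshold.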

Page 32

• Once again we want to use Meterpreter to interact with the compromised host via a reverse TCP connection

Page 33

• This is definitely sweet!

• Yuuupp, Multi-PowerShell-Injection homie! (*Notice the ports associated*)

• The payload is moved into the cloned website

Page 34

• Our reverse handler is ready and waiting

• Again the target sees the same Java applet message

• User thoughts… it must be ok… It even says it is (Verified Safe)… plus I really want those tickets…

• What is going to happen this time…

Page 35

• Sessions baby…. 5 of them

• Let's list the active sessions using the command “sessions -i”

• Let's interact with the host using one of the sessions with the command “sessions -i 1” for session 1
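Five sessions means five reverse connections from one workstation to one external address on five non-standard ports within seconds, which is a pattern network telemetry can flag even when the endpoint's AV is silent. As an added example (not from the talk or from Metasploit), this Python script groups constructed outbound flow records by source/destination pair and reports pairs that reach a configurable number of distinct uncommon ports inside a short window. The CSV layout, the `COMMON_PORTS` allow-list, the RFC 1918 internal check and the sample addresses are assumptions for the demo.

```python
"""Flag one internal host fanning out to one external peer on several
non-standard ports within a short window.

Added example; not from the talk or from Metasploit. The flow records,
the CSV layout, the allow-list of common ports and the thresholds are
constructed for the demonstration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Ports where many outbound connections are normal (assumption for the demo).
COMMON_PORTS = {22, 25, 53, 80, 110, 123, 143, 443, 587, 993, 995}

# Python's ip_address(...).is_private also covers documentation ranges such
# as 203.0.113.0/24, so an explicit RFC 1918 list is used instead.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_flows(text):
    """CSV rows: timestamp,src_ip,dst_ip,dst_port,process -> list of tuples."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proc = [f.strip() for f in line.split(",")]
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), proc))
    return flows


def find_multiport_beacons(flows, window_seconds=120, min_ports=3):
    """Return one hit per (src, dst) pair that opens >= min_ports distinct
    uncommon outbound ports within window_seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, proc in flows:
        if is_internal(src) and not is_internal(dst) and port not in COMMON_PORTS:
            by_pair[(src, dst)].append((ts, port, proc))
    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):        # sliding window from each event
            window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_seconds]
            ports = sorted({p for _, p, _ in window})
            if len(ports) >= min_ports:
                hits.append({"src": src, "dst": dst, "ports": ports,
                             "processes": sorted({pr for _, _, pr in window})})
                break
    return hits


# Constructed flows: the page fetch on port 80, then five reverse connections
# from PowerShell to the same peer; plus unrelated benign traffic.
SAMPLE_FLOWS = """
# timestamp,src_ip,dst_ip,dst_port,process
2013-03-21T10:02:05,192.168.1.50,203.0.113.5,80,java.exe
2013-03-21T10:02:12,192.168.1.50,203.0.113.5,4444,powershell.exe
2013-03-21T10:02:13,192.168.1.50,203.0.113.5,4445,powershell.exe
2013-03-21T10:02:13,192.168.1.50,203.0.113.5,4446,powershell.exe
2013-03-21T10:02:14,192.168.1.50,203.0.113.5,4447,powershell.exe
2013-03-21T10:02:15,192.168.1.50,203.0.113.5,4448,powershell.exe
2013-03-21T10:03:00,192.168.1.51,198.51.100.7,443,firefox.exe
2013-03-21T10:03:30,192.168.1.51,198.51.100.7,8443,firefox.exe
2013-03-21T10:30:00,192.168.1.50,192.168.1.10,445,System
"""

if __name__ == "__main__":
    for hit in find_multiport_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['src']} -> {hit['dst']} ports={hit['ports']} via {hit['processes']}")
```

The rule deliberately ignores internal-to-internal traffic and well-known ports so that a workstation talking to a file server or a web site on 443 never trips it; what remains is the fan-out to one external peer on a cluster of high ports, which is exactly what a set of reverse handlers looks like from the network side.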

Page 36

• Entering the command “screenshot” at the Meterpreter prompt saves a .jpg of whatever the target is currently viewing

• We can start an interactive shell with the “shell” command

• We can view “sysinfo”, create new users or dump password hashes for offline cracking

Page 37

• We can even create a directory or steal data; the possibilities are numerous

Page 38

• We want to further penetrate the target's network, looking for other services and additional targets (Pivoting)

• We want to maintain persistence so that we can return as required

• Dump the hashes for offline cracking and use those credentials to compromise other systems and services (Pass the Hash)

Page 39

• Nobody likes to do it

• This is where the real value for the client is

• A sample report can be downloaded from Offensive Security for review

Page 40

• How could this have all been avoided?

• Security awareness…

• User Behavior…

• What is the impact of tools like SET allowing the automation of attacks?

• Easier to attack? – Yes… this is how a 12 year old script kiddie can pwn a seasoned infosec professional with years of experience.

• Easier to defend? – The use of tools like SET can help your defensive posture because it allows us as security professionals to quickly test new attack vectors and exploits. The results can be leveraged to modify or change security countermeasures where required.

Page 41

• A great resource from Rapid7 (AtlSecCon 2013 Sponsor) to set up your lab:

• https://community.rapid7.com/community/infosec/blog/2011/01/05/how-to-set-up-a-pentesting-lab

• For additional information on the Penetration Testing Execution Standard please visit:

• http://www.pentest-standard.org/index.php/Main_Page

• http://nostarch.com/metasploit

• The Recon-ng project created by Tim Tomes (@LaNMaSteR53) can be located here:

• https://bitbucket.org/LaNMaSteR53/recon-ng

• For news about all things SET and a great security blog:

• https://www.trustedsec.com/news-and-events/

• @dave_rel1k

• A sample penetration report from Offensive-Security can be downloaded from here:

• http://www.offensive-security.com/penetration-testing-sample-report.pdf

• BackTrack, the BackTrack dragon logo, the Try Harder message, Kali-Linux and Offensive-Security are all registered trademarks of Offensive-Security.

• The amazing images of Bruce Lee are the work of South Korea’s Kim Dae Hwan darkdamage.deviantart.com/

Page 42

• “Absorb what is useful, discard what is not, add what is uniquely your own.”

~Bruce Lee

• Social Media

• @k0z1can

• http://ca.linkedin.com/in/andrewkozma