You Spent All That Money And You Still Got Owned… – Joe McCray
You often run up against all sorts of defensive measures when penetration testing (firewalls, IDS/IPS, WAF, …) and the testers still get in!
Often you get in, only to find that the company is already owned (enter Incident Handling mode).
More and more security measures are being implemented on company networks.
- Firewalls are commonplace (perimeter and host based)
- Anti-virus is smarter
- Intrusion Detection / Prevention systems are hard to detect, let alone bypass
- NAC Solutions are making their way into networks
- IT Hardware / Software vendors are integrating security into their SDLC
Still, companies get owned.
Comments like “We can’t patch those! Those are our development servers” don’t help.
“Always go for the quick shell” –> Google dork search for anything that hints at SQL Injection, remote/local file includes.
Figure out if it’s load balanced
DNS or IP load balanced –> it makes a difference
Check the returned headers to see if things are different
- Server Header
Use DNS queries and Netcraft.com
Tools to do this
- Load Balancer Detection – lbd.sh
Identifying Intrusion Prevention Systems
Most are still in detection only mode
See if it’s blocking… break out curl and try ../../../../winnt/system32/cmd.exe?d
Did you get blocked, is your IP banned –> If so it’s an IPS in blocking mode
Look for RST and other hints
Does the IPS monitor SSL traffic –> Many don’t
Attacking through TOR
Push attacks through TOR to help with IP-Banning
Clients should be blocking TOR proxies
Due to PCI, there are a lot of WAFs being implemented
Send almost any special character and it will respond
Often easy to identify
Check in return headers for hints and information.
Tools like wafw00f can also be used –> waffun is a project being worked on currently
Examine / request all possible standard return codes (200, 404, 301, …) and then see what gets returned if you try an XSS attack… are they identical?
Encoding is sometimes dealt with by a WAF… double encoding not so often.
DotDefender WAF –> Simple unencoded SQLi gets through. Blacklist on specific words and commands
Blocking the word SELECT –> Easy to bypass using UNICODE
FIXED by the vendor –> Only blocks unicode –> FAIL
SQL Injection to Metasploit
- Written in Perl, but still good.
- Great for going from SQLi to shell
- Written in Python
- Allows you to drop to a shell
Client-Side filtering == BAD
“You’re going to put all the security on the hackers laptop!”
Blocking things like the = sign doesn’t stop SQLi
Encoding things bypasses these blacklists
Rules in IDS/IPS are sometimes looking for specifics like 1=1
Wait… 2=2 is just as true!
Blacklist rule-sets are a losing proposition, as encoding can bypass the rules
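To show why the literal 1=1 signature is a losing proposition, here is an added example (not code from the talk): a naive blacklist rule beside a check that URL-decodes until the value stops changing, then looks for any N=N tautology and also flags values that needed more than one decode pass. The parameter values are constructed samples, not captured traffic.

```python
import re
from urllib.parse import unquote


def naive_rule(value: str) -> bool:
    """Literal IDS/IPS-style signature: flags only the exact string 1=1."""
    return "1=1" in value


def normalize(value: str, max_passes: int = 5):
    """URL-decode until the text stops changing (unwraps double encoding),
    then lowercase and collapse whitespace. Returns (canonical, decode layers)."""
    layers = 0
    cur = value
    while layers < max_passes:
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
        layers += 1
    return re.sub(r"\s+", " ", cur).lower(), layers


# Any numeric tautology N=N, not just the literal 1=1.
TAUTOLOGY = re.compile(r"\b(\d+)\s*=\s*\1\b")


def inspect(value: str) -> dict:
    """Compare the literal rule with normalize-then-match on one parameter value."""
    canonical, layers = normalize(value)
    return {
        "naive_hit": naive_rule(value),
        "tautology": TAUTOLOGY.search(canonical) is not None,
        # Needing more than one decode pass is itself worth an alert.
        "double_encoded": layers > 1,
    }


if __name__ == "__main__":
    # Constructed sample values: plain, 2=2 variant, double-encoded, benign.
    for sample in ["id=1 or 1=1", "id=1 or 2=2", "id=1%2520or%25201%253D1", "id=42"]:
        print(f"{sample!r:32} -> {inspect(sample)}")
```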
Practice your kung-fu
- check your encoding and bypass techniques
- find something that will bypass a lot of the rules
- Also now offers a smoketest
- Implements core ruleset, PHPIDS and Snort
Lots of companies have IDS… how many actually look at it though?
Getting in via the Client-Side
Email a client-side exploit exported from Metasploit
Use reverse HTTPS to bypass some detections
SET (Social Engineering Toolkit)
“Real hackers aren’t scanning your network anymore”
Pivoting into the LAN
Metasploit offers a pivot
Compile programs so they don’t need an install, upload to remote system and run
Common LAN Security Solutions
DHCP MAC Address Reservations
- Find a non-NAC supported system
See a pattern here?
Tools like VoIP Hopper are perfect for going from one VLAN to another.
Looking around the network for a user
- net commands on Windows are great for finding network information
- Script output and find the Administrators
- Escalate to SYSTEM/Administrator
- Run commands using psexec, pskill, …
- Kill protections, stop services
Certain AV/HIDS have blacklist filenames that aren’t checked… not hashes… filenames!
Use the new getsystem in Metasploit
Owning the Domain
Use token stealing (in Metasploit / Incognito)
Find an admin, steal the token, win!