Wednesday, January 26, 2011

Reactions to comments from Val's post #1

I received this comment on Val's post:

"Submitted by Anonymous on Tue, 01/04/2011 - 09:33.
The problem with pentesters phishing ...

The problem with pentesters phishing ... is that it does more harm than good for the organization. Without the education piece following a phish, you set up the organization to ban the practice."

Phishing and client-side attacks have been going on for far too long to not allow your testers to use them during a test.**

So on one hand you are correct: every phishing exercise, whether done by an internal team, a pentester, or an attacker, should be followed by an education piece from your internal security/IT team. Every phishing attack is an opportunity to retrain users.

On the other hand, it's how people get in. Broadly calling it useless because 1. you are too lazy to educate your users after the fact, or 2. you didn't think ahead enough to require the PT shop to leave you with education materials or to follow up the phish with an education piece, doesn't mean it lacks value.

Like I mentioned in the previous post, you need to know how you will stand up in realistic scenarios. Does one client-side 0day leave your whole network open to all sorts of badness? You need to know.

**This assumes that the company's maturity level supports doing a phishing exercise. If your internal security just plain sucks, then you could probably win the argument that no phishing should be conducted, but I would counter with: why are you getting a pentest in the first place if things are that bad? Use those consulting dollars to have the consultant help you with your risk plan, your internal vulnerability scanning/patching program, workstation/server hardening, or teaching you how to scan your internal assets yourself. To steal a Nickerson analogy: "how do you know you can put up a fight if you can't take a punch?" BUT that doesn't mean you start out getting your ass kicked by starting training with [INSERT MMA BADASS HERE] instead of working your way up.

Monday, January 24, 2011

Training Like You Fight

One of my favorite talks from this year's BlackHat DC was Ryan Kazanciyan and Sean Coyne's "The Getaway" talk on data exfiltration.


Everyone should check out the slides and the whitepaper, although the slides are better because of the case studies and the diagrams. When you check out the slides, I encourage you to think about your last pentest and ask:
1. Could your pentest shop emulate an attacker of the level in the case studies?
2. Did you or they try to scope the test to cover things like this, i.e. do a Full Scope test?
3. If you aren't letting your pentesters go after your network like this, how do you think YOUR network will hold up against someone who knows what they are doing?

If you ARE a pentester, when was the last time you got the time and scope to do something on the order of the attacks and post-exploitation activities in these case studies?

We are getting great at catching our penetration testers (video) but are still horrible at catching bad guys. Rather than draining your corporate bank account to have some shop come in and help you clean up your mess after you've discovered someone stealing everything you own: 1. pick a Full Scope shop that can emulate advanced attackers and not just script kiddies with a checkbook, and 2. train like you fight: open the scope for your test, give your testers time to conduct a REAL test, and let your pentesters go after it like a real bad guy would.

Instead of making your testers "test" the same 500 hosts out of 10,000 with no client-sides or user interaction allowed, ask, make, or force them to conduct an end-to-end test of the expensive black boxes you have sitting in the rack, your user education, your network segmentation, and your NOC/SOC's ability to detect and respond to attacks. Better to find out you suck during your test than when someone is stealing everything that makes you money.

Train like you fight.

Sunday, January 9, 2011

Installing Unicornscan on a current Ubuntu Distro

So get unicornscan from here: -- the current version I could find is 0.4.7.

You'll need some dependencies:

apt-get install flex bison

apt-get install libpcap0.8-dev libgeoip-dev libltdl3-dev libdumbnet1 libdumbnet-dev

* You may need texlive-extra-utils if you are on a headless system like Slicehost or Linode; otherwise the build will bomb out when it tries to make the documentation :-(

apt-get install texlive-extra-utils

Fix up the weird lib issues (see the bottom for where I got this):

blah@blah:$ sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h

blah@blah:$ for i in `find ./ -type f -exec grep -l 'ldnet' '{}' \;`; do sed -i.bak -e 's/ldnet/ldumbnet/g' "$i"; done

Apply this patch:

./configure CFLAGS=-D_GNU_SOURCE
make install

After that it would compile and run.
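As an added example (not part of the original post), here are the two "weird lib" fix-ups above as shell functions that take their directories as parameters, so you can try them on a scratch copy of the source tree before touching /usr/include. They assume a sed that accepts -i.bak and Debian's renamed libdumbnet header; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: the dnet -> dumbnet fix-ups
# as parameterised functions. Function names are hypothetical.

# Unicornscan's build looks for the old libdnet header name (dnet.h);
# Debian ships it as dumbnet.h, so point one at the other. Takes the
# include directory as an argument (/usr/include on a real system).
link_dnet_header() {
    incdir="$1"
    if [ ! -f "$incdir/dumbnet.h" ]; then
        echo "dumbnet.h not found in $incdir (install libdumbnet-dev)" >&2
        return 1
    fi
    # Don't clobber an existing dnet.h, e.g. from a real libdnet install.
    [ -e "$incdir/dnet.h" ] || ln -s "$incdir/dumbnet.h" "$incdir/dnet.h"
}

# Rewrite every -ldnet linker reference under the source tree to
# -ldumbnet, keeping a .bak copy of each file touched. Skips the .bak
# files themselves so a second run is a no-op. Prints the number of
# files rewritten.
fix_ldnet_refs() {
    srcdir="$1"
    find "$srcdir" -type f ! -name '*.bak' |
    while read -r f; do
        if grep -q 'ldnet' "$f"; then
            # Suffix attached: with GNU sed, "-i bak" is parsed as an
            # input file named bak rather than as a backup suffix.
            sed -i.bak -e 's/ldnet/ldumbnet/g' "$f"
            echo "$f"
        fi
    done | wc -l | tr -d ' '
}
```

On the real tree you would call link_dnet_header /usr/include (with sudo) and fix_ldnet_refs . from inside the unpacked unicornscan-0.4.7 directory before running ./configure.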

I did have to really crank down the pps to get it to actually run: the default is 300 and I had to use around 75-100.

sudo unicornscan -m U -Ir 75 --show-errors -v

Let's test...

Host #1

sudo unicornscan -m U -Ir 75 -v

adding mode `UDPscan' ports `7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831' pps 75
using interface(s) eth0

UDP open domain[ 53] from ttl 50
UDP open netbios-ns[ 137] from ttl 50
UDP open unknown[51468] from ttl 50

msf auxiliary(udp_sweep) > run

[*] Sending 10 probes to> (1 hosts)
[*] Discovered NTP on (NTP v4)
[*] Discovered NetBIOS on (INEEDAFW01:<00>:U :INEEDAFW01:<03>:U :INEEDAFW01:<20>:U :__MSBROWSE__:<01>:G :WORKGROUP:<1d>:U :WORKGROUP:<1e>:G :WORKGROUP:<00>:G :00:00:00:00:00:00)
[*] Discovered DNS on (BIND 9.4.2-P2)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sudo nmap -sU
53/udp open domain
69/udp openfiltered tftp
123/udp open ntp
137/udp open netbios-ns
138/udp openfiltered netbios-dgm

*took approx 13 min for results

Host #2

sudo unicornscan -m U -Ir 75 -v
UDP open sunrpc[ 111] from ttl 50
UDP open shilp[ 2049] from ttl 50

msf auxiliary(udp_sweep) > run

[*] Sending 10 probes to> (1 hosts)
[*] Discovered Portmap on (100000 v2 TCP(111), 100000 v2 UDP(111), 100024 v1 UDP(35483), 100024 v1 TCP(34855), 100003 v2 UDP(2049), 100003 v3 UDP(2049), 100003 v4 UDP(2049), 100021 v1 UDP(51021), 100021 v3 UDP(51021), 100021 v4 UDP(51021), 100003 v2 TCP(2049), 100003 v3 TCP(2049), 100003 v4 TCP(2049), 100021 v1 TCP(32771), 100021 v3 TCP(32771), 100021 v4 TCP(32771), 100005 v1 UDP(54730), 100005 v1 TCP(50729), 100005 v2 UDP(54730), 100005 v2 TCP(50729), 100005 v3 UDP(54730), 100005 v3 TCP(50729))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sudo nmap -sU -v
111/udp open rpcbind
639/udp openfiltered unknown
2049/udp open nfs

*took approx 14 min

Quick notes:
unicornscan sucks for NTP: even though port 123 is in the scan list, it fails to locate NTP servers. The Metasploit udp_sweep is better here.

You'll probably want to add some ports to the UDP section of the /usr/local/etc/unicornscan/unicorn.conf file, namely 1434, 1604, 5093, and 523, to be consistent with what Metasploit is sending probes for.

You may also want to update the ports list in the above folder to be less stupid as well.

In this case nmap gave consistent results; it just took forever.

Compile instructions came from here:

Tuesday, January 4, 2011

SOAP functionality added to wXf

We've pre-packaged SOAP libs and wrappers in wXf and created a couple of modules to demonstrate this functionality. The framework is undergoing beta testing and improvements before release. We are also adding a couple of web-specific libs prior to release (or at least trying to).

Anyway, here is a video that demos the two modules mentioned above.

wXf - WSDL File Enumeration, SOAP Request from cktricky on Vimeo.