Wednesday, December 16, 2015

More with smbclient, smbget, enum4linux


More notes because I can never remember and I'm sick of looking it up

Testing open shares/445

List shares with smbclient -L 1.2.3.4

root@localhost:~# smbclient -L 1.2.3.4
Enter root's password: 
Anonymous login successful
Domain=[MSHOME] OS=[VxWorks] Server=[NQ 4.32]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       
        MEMORY_CARD     Disk      FLASH MEMORY PHOTO
Anonymous login successful
Domain=[MSHOME] OS=[VxWorks] Server=[NQ 4.32]

        Server               Comment
        ---------            -------

        Workgroup            Master

        ---------            -------

Try to connect to the share

root@localhost:~# smbclient \\\\1.2.3.4\\MEMORY_CARD
Enter root's password: 
Anonymous login successful
Domain=[MSHOME] OS=[VxWorks] Server=[NQ 4.32]
tree connect failed: NT_STATUS_ACCESS_DENIED

Boo

When it works

root@localhost:~# smbclient \\\\2.3.4.5\\MDMLOAD
Enter root's password: 
Anonymous login successful
Domain=[DEMO] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \> l
  .                                   D        0  Wed Nov  4 02:42:15 2015
  ..                                  D        0  Mon Oct 12 20:38:40 2015
  input.csv                           A     2024  Mon Nov  2 22:13:18 2015

59400 blocks of size 2097152. 19612 blocks available

enum4linux can help out when you have a bunch of shares to check or just want to do things quickly. Use -S to check shares, although you probably just want to run -a for everything.


root@localhost:~/enum4linux-0.8.9# perl enum4linux.pl -S 3.4.5.6
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Dec 15 22:34:52 2015

 ==========================
|    Target Information    |
 ==========================
Target ........... 3.4.5.6   
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ========================================== 
|    Share Enumeration on 3.4.5.6    |
 ========================================== 
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]

        Sharename       Type      Comment
        ---------       ----      -------
        www             Disk      Public Stuff
        IPC$            IPC       IPC Service (Samba Server Version 4.1.12)

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

[+] Attempting to map shares on 3.4.5.6
//3.4.5.6/www     Mapping: OK, Listing: OK
//3.4.5.6/IPC$    Mapping: OK     Listing: DENIED
enum4linux complete on Tue Dec 15 22:35:09 2015

root@localhost:~# smbclient \\\\3.4.5.6\\www
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]
smb: \> ls
  .                            DR        0  Sat Dec 12 14:23:20 2015
  ..                            D        0  Thu Oct  8 11:53:20 2015

 oops                           D        0  Fri Nov 27 17:38:04 2015
---SNIP---

Want to download a whole folder?


root@localhost:~# smbget -R smb://3.4.5.6/www/oops
Username for www at 3.4.5.6 [guest] 
Password for www at 3.4.5.6: 
Using workgroup WORKGROUP, guest user
smb://3.4.5.6/www/oops/images/defaultpic.gif   smb://3.4.5.6/www/oops/images/ad2.jpg            
---SNIP---
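The listing-and-connect checks above, folded into one script as an added example (my code, not the post's or enum4linux's); it assumes smbclient is installed and that you substitute your own host for the post's placeholder addresses:

```bash
#!/usr/bin/env bash
# Added example (not from the original post): redo enum4linux's "Attempting to
# map shares" step with plain smbclient, to see which Disk shares on a host
# accept an anonymous (null-session) listing.  Assumes smbclient is on PATH.
set -u
# Constructed sample of `smbclient -L` output, same layout as the post's
# listings, so the parser can be exercised without a live host.
SAMPLE_LISTING='Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]
        Sharename       Type      Comment
        ---------       ----      -------
        www             Disk      Public Stuff
        MEMORY_CARD     Disk      FLASH MEMORY PHOTO
        IPC$            IPC       IPC Service (Samba Server Version 4.1.12)

        Server               Comment
        ---------            -------
'

# parse_disk_shares: read `smbclient -L` output on stdin and print one Disk
# share name per line (everything before the Type column, so names with
# spaces survive); IPC$ and printer shares are skipped.
parse_disk_shares() {
    awk '
        /Sharename[ \t]+Type/ { in_table = 1; next }  # header of the share table
        in_table && NF == 0  { in_table = 0 }         # blank line closes the table
        in_table && match($0, /[ \t]+Disk([ \t]|$)/) {
            name = substr($0, 1, RSTART - 1); sub(/^[ \t]+/, "", name); print name
        }
    '
}

# probe_share HOST SHARE: anonymous tree connect plus a directory listing.
# smbclient exits non-zero on "tree connect failed: NT_STATUS_ACCESS_DENIED"
# (what the post saw on MEMORY_CARD), so the exit status is the verdict.
probe_share() {
    if smbclient -N "//$1/$2" -c 'ls' >/dev/null 2>&1; then
        echo "//$1/$2  Listing: OK"
    else
        echo "//$1/$2  Listing: DENIED"
    fi
}
# audit_host HOST: enumerate shares anonymously, then probe every Disk share.
audit_host() {
    smbclient -N -L "$1" 2>/dev/null | parse_disk_shares |
        while IFS= read -r share; do probe_share "$1" "$share"; done
}

# Usage: bash smb_share_audit.sh 3.4.5.6
if [ -n "${1:-}" ]; then audit_host "$1"; fi
```

Run it against a host you are authorised to test; the per-share OK/DENIED lines match what enum4linux -S reports in its share-mapping section.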

enum4linux is also super handy internally, as it tries multiple ways to get a domain SID; if successful, it will brute-force the SID (cycling through the RID range shown above) to enumerate all the SIDs/user accounts for the domain.
CG

Friday, December 11, 2015

Thoughts on the skills shortage


Sorry no meterpreter shells on this one.

Reading Trey Ford's article https://community.rapid7.com/community/infosec/blog/2015/11/19/ciso-guidance-on-building-the-team led me to want to put some ideas onto the blog that I've discussed at work and over beers but never here. So here it goes.

I'm not going to address each point rather I'm going to just share a few observations and opinions on the subject from my life/career.

1. I don't do any hiring, but I can agree that there may be a lack of skilled mid to senior people in the market. At every place I've worked it was always difficult to find qualified people just to interview, let alone hire. The fix: we/us/you/me need to grow them (more below).

1a. What I don't see is a shortage of INTERESTED junior people. There are tons and tons of people that want to get into infosec but sadly everyone wants mid to seniors and they don't want to train juniors.

2. It CAN be hard to afford people, especially in expensive places like SFO/Silicon Valley, DC Metro Area, NYC, etc. However, there is a real reluctance to allow remote workers, so when you base your HQ in an expensive area, or a place with a crappy commute, AND don't allow remote employees, then you don't get to complain that people are asking for lots of $$$. Valsmith touched on this in a post as well (http://carnal0wnage.attackresearch.com/2015/06/hard-to-sprint-when-you-have-two-broken.html).

That being said, I know a lot of people want to make a difference and do cool shit, and they are willing to take slight pay cuts to do this (also mentioned in Trey's article). Management should keep this in mind. Also, maybe it's less the pay and more the sense that it's going to be impossible to make an impact in your organization. That's what keeps me from wanting to go back to doing gov work.

3. There is a clear problem with senior people getting upset that people "get trained" and leave the company. Bottom line, we shouldn't get upset. Every person that goes from junior to mid or mid to senior and moves on to another company brings those skills with them and improves the other company and Security as a whole. Fewer companies getting pwned, or more companies being able to react better/faster to attacks, is a good thing.

We should reframe our thinking away from not wanting to pay to train someone else's employee and toward the fact that we need to grow literally as many security people as we possibly can for our industry. Every company should think this way.

4. Have a FORMAL plan to grow your security people. An unnamed CISO mentions this in Trey's article, but sadly no details are given:
“I like to work with entry level candidates on a 2-5 year growth path. I realize they may not be here forever, but I want to focus on giving them the right tools and a good experience.”
I've never had a job outside of the military that had a written plan to grow a security engineer/pentester from junior to mid or mid to senior. No required tasks or knowledge identified, no listed skills for my job role, no specific training to take, books to read, or anything to prove I was ready for that next level. It has always been On the Job Training (OJT). To be fair, there is no replacement for OJT and it's absolutely required to gain experience, but there is no "growth path" when you rely on whatever pentest comes in, whatever internal projects come up, or whatever fires need putting out as what guides a person's development. I think we have attempted to rely on certifications to do some of this, and it does to an extent, but it's general knowledge and not going to be organization or position dependent. Not to mention the whole value-of-certifications dilemma.

You know who does have a plan to grow people from zero to competency? The military.  They take someone with aptitude (usually) but zero experience (well... assumes zero experience) and put them through training and testing with specific objectives and at the end they demonstrate proficiency in those specified tasks.

I'm not saying we need to get THAT formalized in our training, but we need SOME plan on how to take someone with aptitude (and I'm going to assume you have it if you got through college with a CS degree or demonstrate aptitude some other way) and repeatably train and grow that person from one level to another.

I don't know if we can do this collectively in a broad security community/PTES type sense (maybe we should try?), but I'd certainly like to see it implemented at a team level inside companies.

The second part of the article is also worth a read:
https://community.rapid7.com/community/infosec/blog/2015/12/07/ciso-guidance-on-building-the-team-part-ii


Thoughts?

CG