
Top 5 Common Internal Infrastructure Issues

Top 5 Common Internal Infrastructure Issues Via 7Safe.com

Here’s a great post illustrating the top 5 common infrastructure issues found in penetration testing. There’s a lot more to this type of penetration testing than just running software and attacking servers etc. There’s what the author calls ‘adaptive thinking’, thinking around the ways an attacker can get at and into a resource using whatever methods are available.

To be honest, none of the items on this list are rocket science, but they are more often overlooked, bypassed or have a compensating control written for them. We, as leaders in information security, have to be able to enforce the level of protection necessary to keep the ‘entity’ safe. Can you say that is the case in your environment?

In order to be effective we have to train the ‘C’ level staff on the risk, and that can be difficult. How do you enforce the level of security necessary to keep your company safe?

pwntooth v0.2.1 | Hackerjournals Tools

Another interesting tool – pwntooth v0.2.1 – for automated bluetooth penetration testing:

pwntooth v0.2.1

“pwntooth (pown-tooth) is designed to automate Bluetooth Pen-Testing. It scans for devices, then runs the tools specified in the pwntooth.conf; included blueper, bluesnarfer, Bluetooth Stack Smasher (BSS), carwhisperer, psm_scan, rfcomm_scan, and vcardblaster. pwntooth is a fully automated “search and destroy” tool for advanced users who wish to run a series of tests against each device in the target area.”

Download via the author’s website, below.

via pwntooth v0.2.1 | Hackerjournals Tools.

Using Core Impact Pro Modules

Core IMPACT Pro has the ability to do a full on Network Vulnerability Test, or you can do just Information Gathering using the Network RPT tabs. There’s little attention paid to the modules that make up the suite of tools – and there is so much fun to be had in there. Maybe there is a time when you want to write your own exploits and execute them in Core; or you want to do specific types of discovery and attack – well, Core IMPACT Pro gives you that ability, with tremendous flexibility. I’m going to walk you through a couple of scenarios using the “modules” view, just to show how simple yet excruciatingly effective that portion can be.

Firstly, create a new workspace and click on the “Modules View” tab at the bottom, left of the Modules workspace. You will see a list of folders.

Take time to look around; look in all the folders at all the available tools, and note the modules structure. You’ll be pleasantly surprised at what is available there. If you wanted to perform a specific targeted attack, or information gathering using a single method, you can have some serious fun here.

I’m going to start with an ICMP sweep to identify all “live” hosts on a subnet.

– double click on the “Information Gathering” folder in the modules workspace. The folder will expand.
– double click on the “Network Discovery” folder – that folder expands also!
– double click “Network Discovery – ICMP”. Input the subnet details you want to scan as shown in the image below, and hit “OK”.

Core Impact will perform an ICMP sweep to find hosts, and will attempt to resolve the hostnames. One thing to notice – this is lightning fast!

Once the sweep is done, Core Impact displays the discovered hosts. That’s great, but I want more information so I’m going to attempt to identify the operating systems of the discovered hosts. For a mostly Windows based network (assumption), I prefer using SMB information gathering.

In the modules workspace:

– double click the OS Detection folder
– drag “OS Detect by SMB” and drop it onto your network block (where it says “Network: 192.168.100.0”)

The module will then attempt to find the OS of all the hosts listed in that subnet. In my example there is a mix of operating systems. There were a few that didn’t come up in the SMB scan so there’s more information to be had. Isn’t there always?

In the OS Detection folder there is Nmap OS Stack Fingerprinting. Using Nmap OS Stack Fingerprinting the same way I used the SMB module (drag and drop), I can see some Cisco routers – I’m even given the IOS rev – useful information indeed – plus I see some Macs. I’m going to take a look at a Mac.

When I TCP port scan the Mac I see the Windows File Sharing services running. I’m going to try enumerating users on this machine by dragging the SMB information-gathering module and dropping it onto the host. The SAMR Dumper module gives me some useful information.

Module "DCE-RPC SAMR Dumper" (v1.18) started execution on Wed Jun 24 16:46:45 2009
Retrieving endpoint list from 192.168.100.2
Found domain(s):
. STEVE-SHEAD-C
. Builtin
Found user: nobody
Found user: root
Found user: daemon
Found user: unknown
Found user: lp
Found user: uucp
Found user: postfix
Found user: www
Found user: mysql
Found user: sshd
Found user: qtss
Found user: imap
Found user: mailman
Found user: appserver
Found user: clamav
Found user: amavisd
Found user: jabber
Found user: xgridcontroller
Found user: xgridagent
Found user: appowner
Found user: securityagent
Found user: sshead
The anonymous user has NULL SMB password.
Received 23 entries.
-- Module finished execution after 2 secs.

These usernames can be used in a password attack on this machine if you are so inclined – but I’m not interested in that right now.
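An added example of my own (not Core’s code, nor from the original post) that parses the SAMR Dumper output above and triages it from the defender’s side: the null SMB session is the finding to fix, and the non-daemon accounts it exposes are the ones worth a password-policy check. The SYSTEM_ACCOUNTS set is my assumption about which of the listed names are service accounts on a Mac OS X Server host of that era.

```python
import re

# Constructed sample input: the module output from the post, shortened to four users.
SAMPLE_OUTPUT = """\
Module "DCE-RPC SAMR Dumper" (v1.18) started execution on Wed Jun 24 16:46:45 2009
Retrieving endpoint list from 192.168.100.2
Found domain(s):
. STEVE-SHEAD-C
. Builtin
Found user: nobody
Found user: root
Found user: mysql
Found user: sshead
The anonymous user has NULL SMB password.
Received 6 entries.
-- Module finished execution after 2 secs.
"""

# Assumed daemon/service accounts for a Mac OS X Server host; anything else is treated
# as a probable interactive (human) account.
SYSTEM_ACCOUNTS = {"nobody", "root", "daemon", "unknown", "lp", "uucp", "postfix", "www",
                   "mysql", "sshd", "qtss", "imap", "mailman", "appserver", "clamav",
                   "amavisd", "jabber", "xgridcontroller", "xgridagent", "appowner",
                   "securityagent"}

def parse_samr_dump(text):
    """Parse the module's text output into target, domains, users and flags."""
    report = {"target": None, "domains": [], "users": [], "null_session": False, "entries": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Retrieving endpoint list from (\S+)$", line):
            report["target"] = m.group(1)
        elif m := re.match(r"\. (\S+)$", line):          # domain lines are ". NAME"
            report["domains"].append(m.group(1))
        elif m := re.match(r"Found user: (\S+)$", line):
            report["users"].append(m.group(1))
        elif line == "The anonymous user has NULL SMB password.":
            report["null_session"] = True
        elif m := re.match(r"Received (\d+) entries\.$", line):
            report["entries"] = int(m.group(1))
    return report

def triage(report):
    """Turn the parsed output into (severity, message) findings a defender would act on."""
    findings = []
    if report["null_session"]:
        findings.append(("high", "anonymous (null) SMB session permits account enumeration"))
    human = sorted(u for u in report["users"] if u not in SYSTEM_ACCOUNTS)
    if human:
        findings.append(("medium", "interactive accounts exposed: " + ", ".join(human)))
    return findings

if __name__ == "__main__":
    for severity, message in triage(parse_samr_dump(SAMPLE_OUTPUT)):
        print(f"[{severity}] {message}")
```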

I’m going to scan the machine at 192.168.0.254 since it looks like a Windows 2000 machine (don’t worry – it’s a security test machine). After checking the open ports listed on this machine I’m pretty sure it’s vulnerable to an older remote RPC exploit (MS06-040 worked on this in the old days) to gain access.

– double click the “Exploits” folder in the Modules view
– double click the “Remote” folder and drag the “MSRPC SRVSVC NetrpPath Canonicalize (MS06-040) exploit” onto the host.

If the exploit succeeds, you will see the agent installed just below the host. Whether you chose a “bind” shell or a “reverse” shell dictates how you interact with it. I love reverse shells personally.

We can connect to the agent and continue the attack. By right clicking on the agent we can invoke an encrypted remote command prompt. The “ipconfig” command reveals that this machine is dual homed – that means there’s more fun to be had.

I’d like to explore the newly found network using Core IMPACT – why not, right? This is one of the many fancy features of Core IMPACT. I can now set the installed agent as a “Source” (right click on the agent and select “Set as Source”) and pivot any attack from this agent to the new network. This feature can be extended and remote networks can be explored using “agent chaining” – but that’s another story.

I will start the information gathering cycle again on the newly discovered network and perhaps exploit a Windows XP machine on the remote network.

Ok – let’s stop there for now. You can see that I could have branched off in a number of different directions, attacks, scans and much more, just from messing around in the modules area. Sometimes it pays to get granular and use individual scans and attacks. Sometimes it pays to have the flexibility to craft your own exploits and be able to incorporate them into your Core IMPACT environment. The moral here is don’t just play with the automated stuff – though that is a ton of fun – you’re missing so much more by leaving out the modules – and the modules can lead you in some pretty interesting directions, that you wouldn’t otherwise see if everything was automated.

Standard Penetration Testing Checklist