Practical Security Assessment (Penetration Testing) - Active Intelligence Gathering

Masscan

Masscan a perfect tool for scanning humongous network ranges. But we will do it the normal way through nmap, even though nmap is slower than masscan when we talk about the scale.

NMAP - Network Mapper

Common options:

-A  # very aggressive and noisy, like a wild bear when it's awake in winter
-F  # scanning only top 100 ports
-sA # stateful port? can test firewalls but returns everything unfiltered
-sS # SYN stealthy scan
-sX # XMAS stealthy scan, good for UNIX scanning
-sI # zombie host scan, super stealthy => learn more below
-sV # service version
-sC # run default nse scripts according to -sV, learn more https://nmap.org/book/nse-usage.html
-sP # ping scan
-Pn # no ping => gotta be stealthy, and bypass firewall filtering!
-p- # scan all the ports from 0 to 65535
-n  # do not do DNS resolution, will save time
-v  # verbose mode, show all the output possible
-T(0-5) # timing, how fast you want to scan; set to 0 if paranoid (gonna be super slow)
# learn more on timing https://nmap.org/book/performance-timing-templates.html

--reason       # display why a port is in a particular state
--open         # show results for open ports only, very useful, saves time on analysis
--spoof_mac    # creates a fake MAC address to send packets from
--scan_delay   # adds a delay between probes; do not use with max_parallelism
--max_parallelism  # how many probes you want at once?
--packet-trace     # will show the packets that are sent and received

-oX # outputs results in XML
-oG # outputs results in a greppable format
-oA # outputs result in normal, grappable, and XML

Be Stealhy, Confuse Admin

Idle scan - put blame on zombies: https://nmap.org/book/idlescan.html Want to find zombies? Sure! Scan for 1000 random IPs to see if some of them are zombies:

$ nmap -iR 1000 --script ipidseq -T4 -v -oA zombies

Want to find anonymous FTP servers to store your files temporarily? (may take ~30-60 mins)

$ nmap -iR 1000 --script ftp-anon -T4 -v -oA ftpAnon.txt

Want to decoy machines on the network to confuse the admin?

$ nmap -D IP_1,IP_2,IP_3,ME -p 80,21,22,25,443 -Pn REAL_TARGET_IP

Other scans

$ nmap -p- -sS -n -v  --reason --open -oX demo-ports.xml 127.0.0.1
$ nmap -sU -n -v --open --reason 127.0.0.1
$ nmap -sS -sV -sC -v -n -p 21,22,80 127.0.0.1

Nmap scripts

Update: $ nmap -script-updatedb Learn about available scripts in nmap and where/how to use them here

Use zenmap for nmap GUI

Zenmap is pre-installed on Kali and is available here

SNMP - Simple Network Management Protocol

Let's hunt for community strings that are like passwords for communicating with devices. Fast SNMP scanner: https://github.com/trailofbits/onesixtyone

$ onesixtyone -c dict.txt 192.168.0.1

Try other dictionaries as well like this.

To have better chances in guessing community strings, try add your own ideas based on OSINT of the target, e.g.: company_name-public or company_name-private.

In Metasploit:

use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/snmp/snmp_enumshares

What About TCP-Wrapped Services?

TCP Wrapper is a host-based network access control mechanism in Unix-based systems. When we nmap a host, we will receive a response that a port is tcpwrapped if there is a TCP Wrapper or an IDS (Intrusion Detection System).

There are two files that take care of it: /etc/hosts.allow and /etc/hosts.deny. TCP Wrapper means that we do not have the right access control privileges to access this particular service. It also may mean that the IDS is trying to mess with you and pretend to have everything TCP wrapped.

If you are lucky and it is a real TCP Wrapper, then this means that your host is not allowed to access these ports even though they are open. If you can fake yourself to be a host that can access (such as 127.0.0.1). However, if you see that a ton of ports are tcpwrapped, that may mean that you are dealing with an IDS that is messing with you. Try another way to check for ports, e.g. either slowing down your nmap scans with -T0 or using nc command to grab banners from services.

Vulnerability Scanners

• Nessus is a vulnerability scanner that has a home and pro versions. Home version is free but limited to scanning 16 IPs.
• Nexpose is a commercial version of a vulnerability scanner.
• OpenVAS is an open source vulnerability scanner, good stuff to find low-hanging fruit.

Responder (when on the network)

• Responder.py is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

Yep, quite a list, and I agree: a whole lot of acronyms, way too many. If you are going into security or IT administration, it can be useful to know what they all are.

Responderacts as a server that "knows" about the network resources that the users request. For example, if user's machine requests something that does not exists (a typo), then Responder can reply saying that "yes, I know where it is!". Respondercan ask to enter the username/pass or just capture users' password hashes without them even realizing that.

Best part: it can capture NTLMv2 hashes (which later can be set on the path of cracking with hashcat) or even pop up a simple auth window when a user goes to a network location that cannot be found.

• MultiRelay is a tool that comes with Responder and it allows you to relay all that captured authentication info to other services on the network (targeting Admins). This means that you don't even need to crack the passwords, just pass them along to the known authentication servers and see if they let you in.

To run the attack, you can start it with -i flag for your IP address, -b flag in Off for NTLM authentication, -r flag in Off so that you won't break the network:

$ responder -i your_IP_address -b Off -r Off -w On

Responder will take some time to start gathering data. When it starts gathering the data, you will see a lot of output in the terminal. It will poison LLMNR requests and make victims to use your machine as a proxy for the Internet (everything in cleartext will be visible right away). It will also capture NTLM hashes for you that you can try to crack with hashcat or John The Ripper.

However, if the passwords are too strong, cracking those hashes will be infeasible. So, you can replay the SMB connections against other servers without any need to cracking the hashes (profit!). For that, set up Impacket Framework (a collection of Python classes for working with network protocols). You will need to configure the Impacket first before actually laterally moving in the network and using captured hashes against other services. To configure it, follow the SANS write-up.

Vulnerability Databases

• Vulmon is a search engine for known vulnerabilities and exploits
• NVD NIST is a national vulnerability database
• CVE MITRE is yet another vulnerability database
• Exploit DB is a database of all kinds of known exploits

Advices to Your Customers

• Don't use typical names for DNS, mail, prod, dev, etc.
• Port knocking for the win
• Have a dummy service (like telnet) and if someone is trying to connect there => block that IP
• Have an IDS and IPS in place, just for the sake of it
• Change your default SNMP community strings => don't give info to the attackers