
Scripting for Penetration Testing

Table of Contents

Scripting for Penetration Testing .................................................................................................... 2

Scripting for Penetration Testing .................................................................................................... 3

Recon & Enumeration Scripting Example -1 ................................................................................... 5

Recon & Enumeration Scripting Example -2 ................................................................................... 7

Exploit Checking -1 ........................................................................................................................ 10

Exploit Checking -2 ........................................................................................................................ 12

Data Exfiltration Scripts -1 ............................................................................................................ 15

Data Exfiltration Scripts -2 ............................................................................................................ 17

Notices .......................................................................................................................................... 20

Page 1 of 20

Scripting for Penetration Testing

**062 The next section will be a little bit about how you can use this, being a pen tester myself: some of the ways that you can use scripting to help yourself through a vulnerability assessment or a pen test.


Scripting for Penetration Testing

Using scripts just makes “sense”.

Usually several tasks can be automated.

• Reconnaissance
• Enumeration
• Exploit checking
• Pivoting
• Data Exfiltration

If a manual process is going to be done many times, it is a prime candidate for automation.

**063 For pen testing, there's a lot of repetitive things. You're checking out a network, so you're trying to reach out to multiple hosts. So scripting just makes a lot of sense. Once you figure out what it is you want to try, you can make yourself a really good script, similar to what Chris made, and you can use it consistently. The general steps during a pen test are: you go out and you do a reconnaissance. That's where you go out and find what hosts are alive out there, and then you do an enumeration of services and ports that are open. So you go out, check out what it is they have available for you to actually possibly exploit, and then you use something, a tool, to go out and check any exploits for the versions of the services or the protocols that you're trying to take advantage of. Pivoting is where you try to move from host to host, also known as lateral movement. So sometimes you can do that in a scripted way as well to make it a little easier. Sometimes the pivoting involves cleaning up after yourself. If you're not backtracking out and you're actually moving, kind of like leapfrogging to a lily pad, if you will, and you want to clean up the box behind you, it makes sense to use a script. As you move to another box, you can wipe clean the box that you were on before. And of course the crown jewels of whatever it is that you're trying to get, data exfiltration-- try to get that stuff out of their network so you can get it home and take a look at it. A lot of this can be done, and is done fairly frequently, actually, in a manual way sometimes because, again, of that law of diminishing returns. If you're only hopping to one box or you're only doing something to one or two boxes, sometimes trying to figure out how to get it right in a script takes a while. But for the most part, a lot of these, especially when you're doing an assessment on a large network, it makes a lot of sense to use batch scripting.


Recon & Enumeration Scripting Example -1

You “own” 20 Windows boxes and want to collect as much information from them as possible. You could do it all by hand, individually… OR, you could write a script.

• Inputs: List of IP addresses to run script on
• Outputs: Text file containing enumeration data

Process
• Connect to each IP address (batch, net use).
• Copy and run enumeration utilities (net, sc, tasklist, enum, netdom, global, and anything else in the Windows Resource Kits).
• Output results to a text file (batch, redirection).
• Copy file to “dropbox” and delete all other traces of activity (batch).

**064 During the recon and enumeration stage, if you own or have already compromised 20 Windows boxes and you want to do some data gathering, obviously it makes sense to go ahead and write yourself up a script. So this is written in such a way that the input is what you'll need-- a list of IP addresses to run your script on-- and then your output is what you're going to receive at the end of it. It'll be a text file or text files containing the enumeration data that you're looking for. The process, kind of the step-by-step, is connecting to each IP address using net use and your batch file, similar to the one that I just demonstrated. You can copy and run enumeration utilities like Net or SC or Enum. There's quite a few of them. Obviously the Windows Resource Kit has lots and lots of tools that are meant for good that can be subverted to do things that aren't so good. For outputting the results to a text file, you can use the redirection that we talked about in your batch script, and then copy your file to what we call a drop box, but essentially it's a host somewhere on the network that's usually in a quiet part of the network that doesn't get used, and maybe no one's even logged on, so no one's going to catch you on that host. So we use a drop box, and then you delete all traces of where you've been. You can do that with a batch script as well. Questions?


Recon & Enumeration Scripting Example -2

You are wandering around a facility and find an open workstation – quick – what do you do? You could try to remember what to do… OR, you could put in your USB drive or CD and run a script.

• Inputs: None
• Outputs: Text file of enumeration data, user accounts created, “malware” installed

Process
• Run the enumeration from the last slide.
• Create a new user and try to add it to the local admins group (batch).
• Install your remote access program and set it to run (batch).

**065 So another way with recon and enumeration. This one's a little more, how shall I say, a targeted opportunity. I used to also be part of a red team organization, so sometimes we were told to check somewhat physical security, and physical security of course is if you walk up to a machine and, "Oh, it's logged in," and no one's there-- you don't want to sit there and try to figure out what it is you want to do. It would be very nice if you had a script already built and put on a USB drive that you could slap in and run, or perhaps, even if they have a USB policy and you're not sure if they have a CD policy, you can put your script on a CD and you can run your script that way. No real inputs to speak of because you should have everything on your drive or your CD, and then you can also get all your enumeration data and perhaps some other things; if you're on that machine and it happens to be an admin account, you might want to try to set yourself up with an account that you can use later during the assessment. So you could end up with user accounts created, and should you have a Trojan or something that you want to use, you can go ahead and install that. Very similar to the last slide, run that enumeration to get the data, and then, like I said, you want to go ahead and try to create a user. You might be able to do that, and if you can do that, go ahead and try to add them to the local admins group. That would be very nice. You can do that in your batch script as well. And then the remote access program, or Remote Access Trojan, or Remote Access Tool-- the RAT-- you can go ahead and set that in and get that running so it can call back to your home machine or whatever you have set up for that. Any questions? Chris, you have something to add?

Instructor 2: I just have an example of this. We used to do a training scenario for all the pen testers, and we would sit them down at a computer and say, "Go." And what we would ask them to do-- what they were presented with on the screen was a countdown timer. "This box is rebooting in two minutes," but you've got complete access to it. You have a command prompt, it's logged in, whatever-- do something. Whatever it is that you want to do, you've got complete administrator access. What would you do? And we ran through this particular scenario because out on a pen test I actually had this happen. I went up to a box, moved the mouse, the window came up, I celebrated, and then panicked because up popped the "You've received patches. This box will be rebooting in ten minutes." And I went, "Oh great. Well, what am I going to do?" So I'm sitting there scratching my head trying to think through all the possible things that I can do, watching this countdown clock go from ten minutes down to zero, and it struck me that, "Wow, I really wish I had a batch file with me," that I had a USB stick or something that I could just plug in and run all my enumeration piece. I could add my local administrator account. I could do all this stuff, and instead here I am trying to hand-jam it at the command prompt, trying to do things quickly while this clock, this doomsday clock basically, is ticking down until it's going to boot me off the system. So just from a pen-testing perspective, this was a really good case to run, and it shows how batch scripting-- you can take that moment of panic out of it. You only have to know, "Plug in my USB stick, run my batch file," and the computer does the work for you. You don't even have to think about it. So, again, another really good usage of a script.

Instructor: Thank you.

Exploit Checking -1

May be a little too “loud” for a pen test.
• Inputs: Metasploit exploit module to run, list of IP addresses
• Outputs: List of IP addresses the exploit was successful on

Process
• Control loop (bash)
• Exploit checking (msfconsole)
• Output parsing (bash with redirects)

**066 Exploit checking. This may be a little bit-- with the amount of traffic and the type of traffic that'll be traversing a network, not unlike what Ryan said with Nessus doing its thing, this may not be the best way, unless you get permission to run this with a pen test. But the implicit thing that you will need is the Metasploit framework and the exploit module. I'm not sure if people are familiar with Metasploit, but it is a pen testing framework that essentially makes testing exploits for a particular type of-- if it's a Windows host, a Linux host, and a particular type of system or software that's running-- you can put in all the required pieces of it and just hit Exploit, and it'll actually send everything to the appropriate ports or whatever it is. So it makes exploiting, or testing exploits, very, very easy. It's a very nice framework. It's very common. Now that it's so common, many of the attacks are blocked because they kind of know that people use Metasploit, not just for pen testing but to try to hack other people. So you would need Metasploit and a list of IPs, and then you would-- your output-- you would end up with a list of IP addresses where the exploits were successful. And the process is pretty simple. You set up a control loop using bash because Metasploit runs on Linux. Specifically it runs on something called Kali Linux, which is a Debian-based Linux, and you go ahead and do the exploit checking with-- the MSF is the Metasploit Framework console-- and then you output, or you parse the output, and you can do your redirects and you can send it to grep or to some of those other text-parsing types of tools. That'd be helpful. Any questions on this one?


Exploit Checking -2

Fuzzing is nothing more than a glorified script.
• Inputs: Target application or service
• Outputs: “User” input sent to the application or service

Process
• Generate list of “inputs” to send to the application (perl).
• Loop on each “input” (bash).
  – Transmit “input” to application (python).
  – Interpret output from application (bash).
  – Test to see if application has crashed (bash).
  – If crashed, store the “input” in a file (bash).

**067 Fuzzing is checking to see if you can bring down a particular piece of software by sending either a tremendous amount of data at it, to see if you can bring it to its knees, as it were, or, if you send it input that it's not expecting, that software could fail, possibly will fail, and the key to the fuzzing piece is if you can get it to fail and you can get control of the program in such a way that your code now starts to run in place of what that old software was running. But fuzzing is essentially a script that sits there and generates either a ton of output to send to it, or it creates the specific type of input data. So for this input, you just need a target application or a service that you point the fuzzing script at, and then your output is user input sent to the application or service. This is just creating the actual-- what you're going to send it is what you're using the script for. And the process: generate a list of inputs to send to the application, and they recommend using Perl since Perl is good with manipulating text. And then loop on each input with bash, input meaning the data that you're going to send, mind you, to attack the application. Then interpret the output, should you get some error or something like that, to figure out what's going on using your script, and then test to see if the application has actually crashed. You could kind of look for some error levels, that sort of thing, and if it has crashed you can store the input that caused it, meaning the data that you actually created-- the three million A's that you sent it, or whatever it is that you created that caused it. You want to put that in a file so you can save that off to the side. You could do that multiple times with that script, and then once you figure out the types of input data that you sent it that you want to use, you can do a little bit more analysis on what that is and what you need to change in that to be able to gain access to the program that actually is vulnerable. Chris?

Instructor 2: So I'll just add the comment here that this is a Windows scripting class. Why do you not see batch or Windows script for any of those actions that are up there? Why is it all bash, Python and Perl?

Student: Command prompt isn't basically powerful enough to run it, and most of these tools are UNIX tools anyways.

Instructor 2: Because trying to do these types of activities with Windows batch would be more frustrating than useful, I think. So back to what was said at-- what Wayne said at the beginning of the module: pick the scripting language that's most applicable or most useful for what you're doing. It may not be Windows batch all the time. There's probably a better tool out there, depending on what you're doing. So pick that, and don't try to kluge a solution into batch just because it's there.

Instructor: Good point. Thank you.


Data Exfiltration Scripts -1

Want to prove data can be taken out of a network? Write a script that does something like this:

• Input: List of files for any IP address, credentials
• Output: E-Mails of all the files in your gmail account

Process
• Running on an internal host, copy files to a “dropbox” (net use).
• Compress and encrypt all the files (cabarc, encrypting tool).
• Break file archive into 5MB chunks (cabarc).
• Create email with 5MB data attachments (echo).
• Send emails to a gmail account (bmail).

Another script will be needed on the receiving side to piece it all back together, decrypt it, and save off the individual files.

**068 For the data exfiltration piece, if you want to prove that data can be taken out of a network, you could write a script that deals with email, and you would just need a list of files that you're trying for any IP address and credentials, and then you'd end up with some emails with all the files in your Gmail account or whatever account that you end up sending it to. So the process is running on an internal host, so this assumes that you're already inside. You copy files to your drop box using the net use command, and then you compress and encrypt-- and this is kind of the sneakier, more hacker-ish-- not necessarily for vulnerability assessment or pen testing-- but doing it this way is a sneakier way-- compressing it first and then encrypting it-- so when it does leave the network it's not as easily read, or read at all, actually. You can use cabarc and an encrypting tool, and then you break the file archive into 5-megabyte chunks. Again, trying to go low and slow and smaller so people can't see what you're doing. You create email with these attachments that are 5 megabytes, and you can do that with echo, and then you can send the emails to whatever account-- this says Gmail account-- to whatever account outside, using bmail as your tool. So on the flip side of this, you do have to have the receiving end of it. So you'll have to have another script on the far side that'll piece it back together, decrypt it and then unzip it, all that, so you'll have the individual files saved off that way. But this is just kind of a sneaky way to try to prove that you can get information out from a network. Any questions?


Data Exfiltration Scripts -2

Want to test data leakage protection and see what it triggers on?

Write a script for it.

• Input: Destination URL
• Output: HTTP posts & E-Mails of sensitive information

Process
• Create junk files of various sizes containing “naughty” words (echo).
  – e.g., 1 SSN, 2 SSN, 10 SSN, 50 SSN, 1 HIPAA, 2 HIPAA, etc.
• Create random files of various sizes (VBS).
  – e.g., 5MB, 25MB, 50MB, 100MB, 250MB, etc.
• Post files to destination URL (VBS & Windows API).
• Create E-Mail with “naughty” words (echo).
• Send E-Mail (bmail).

**069 All righty. This next piece with data exfiltration deals with-- this is data leakage protection, but I've heard it also called data loss prevention, DLP. If you're trying to test, this is a system that checks for important company information or data leaving their network. So they're triggered based on a couple of different things. Some of them have kind of like dirty word searches, like if it says "proprietary" or whatever the sensitivity or sensitive-- whatever your important documents are marked with. Sometimes it's looking for those dirty words. If it's the government, if it's secret, top secret, it's looking for those kinds of words. And then another piece of data loss prevention deals with the size of the file flowing out. If you have some 5-gigabyte file flowing out of your network, it's kind of an obvious, "Why do we have such a thing happening?" So that should trigger. So this is meant to be kind of a test for that, whether to try to be sneaky and not be seen or, in most cases, this is actually to see at what level your alarms go off: do your alarms go off, and at what level do your alarms go off. So you'll need a destination URL. You'll want to set up basically a web server on the far end, on the outside someplace, that you can use to put your information. The output, or what you'll end up having, is the HTTP posts and the email, so we'll be doing it a couple different ways here. We'll be posting and we'll be sending out emails. The process is you create junk files that have these dirty words. You talk to your customer and you find out what it is. Is it "top secret"? What is it? "Proprietary"-- that sort of thing-- and you put those words into the files. Some of them could also be-- if you're a HIPAA-regulated source, you might need to pay attention to your protected health information, your PHI, your EPHI, the electronic version of that. If certain words that your company uses should trigger, you check that. Some basic stuff for PII, or personally identifiable information, as the government calls it, are social security numbers. So you can just gen up a script that creates 50 fake social security numbers. You can just run through them and see if putting those in files-- and then you can also create random files of different sizes. Again, this is to test to see where the alarm-- if the alarm goes off, and where approximately the alarm goes off when you're trying to send a giant file outside. You can create those using VB Script, and then you can post the files to the destination URL using VB Script and the Windows And then also, in the same way that we just did the emails before, we can create the emails using echo, and you just make sure you put in the keywords that they're supposed to be looking for in the DLP system, and then you send the email using bmail. Any questions?
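As an added example that is not part of the course material (the slide lists echo, VBS and bmail; this uses Python instead and leaves out the posting and e-mailing steps), the script below builds the labelled DLP test corpus the slide describes: text files seeded with a known count of SSN-shaped strings plus a marker word, random files of chosen sizes, and a manifest recording the ground truth so the alerts the DLP system raises can be reconciled against what was actually planted. File and directory names are hypothetical, and the SSNs use the never-issued 000 area so they cannot collide with a real person's number.

```python
"""Labelled test corpus for exercising a DLP policy (added example, not the
course's own script). It creates the two file kinds the slide describes and
records the ground truth for each in a manifest, so alerts from the DLP
system can be reconciled against what was actually planted. Nothing is sent."""
import json
import os
import random
import re
import tempfile

MB = 1024 * 1024
# Canonical NNN-NN-NNNN layout. Real engines usually add range validation on
# top of a pattern like this, which is exactly what the corpus lets you probe.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def synthetic_ssn(rng):
    """SSN-shaped string in area 000, which the SSA never issues.

    Caveat: a policy that validates the area number will not fire on these,
    so a silent corpus tells you the engine validates, not that it is off.
    """
    return "000-%02d-%04d" % (rng.randint(1, 99), rng.randint(1, 9999))


def write_marker_file(path, n_ssn, marker, rng):
    """Text file holding one classification marker and exactly n_ssn SSNs."""
    lines = ["Test document - %s - planted for DLP validation" % marker]
    lines += ["Employee record %d: SSN %s" % (i, synthetic_ssn(rng))
              for i in range(n_ssn)]
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return {"path": path, "kind": "marker", "marker": marker,
            "ssn_count": n_ssn, "size": os.path.getsize(path)}


def write_random_file(path, size):
    """Binary file of `size` random bytes; exercises size-threshold rules."""
    with open(path, "wb") as fh:
        remaining = size
        while remaining > 0:
            chunk = os.urandom(min(remaining, MB))
            fh.write(chunk)
            remaining -= len(chunk)
    return {"path": path, "kind": "random", "size": os.path.getsize(path)}


def count_matches(text, marker):
    """Ground truth a pattern-only policy would see: (SSN hits, marker hits)."""
    return len(SSN_RE.findall(text)), text.count(marker)


def build_corpus(root, ssn_counts=(1, 2, 10, 50), random_sizes=(5 * MB, 25 * MB),
                 marker="PROPRIETARY", seed=1):
    """Write the files under `root`; return the manifest (also saved as JSON)."""
    os.makedirs(root, exist_ok=True)
    rng = random.Random(seed)  # fixed seed: the corpus is reproducible
    manifest = []
    for n in ssn_counts:
        path = os.path.join(root, "ssn_%d.txt" % n)
        manifest.append(write_marker_file(path, n, marker, rng))
    for size in random_sizes:
        path = os.path.join(root, "random_%d.bin" % size)
        manifest.append(write_random_file(path, size))
    with open(os.path.join(root, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def default_root():
    """Scratch directory under the system temp dir (hypothetical name)."""
    return os.path.join(tempfile.gettempdir(), "dlp_test_corpus")
```

Run `build_corpus(default_root())` and then compare manifest.json against the DLP console: a file that carries 50 SSNs but raised no alert tells you either the threshold or the validation rule, not the pattern, is what is stopping it.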


Notices

© 2015 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
