Penetration Testing is the Art of the Manipulation

Penetration Testing is
the Art of the Manipulation
Attack & Defense

Author:
JongWon Kim
dikien2012@gmail.com

1

Table of Contents

Penetration Testing is the Art of the Manipulation…………………………...............................................1

Table of Contents……….........................................................................................................................2

About Me.................................................................................................................................................3

Planning the Attack.................................................................................................................................5

Staging the Attack (1): WEB Server ................................................................................................5

- Stage 1. Reconnaissance…………………………………………………………………..……..…5

- Stage 2. Information Gathering.………………………………………………….……...................6

- Stage 3. Target Exploitation……………………………………………………………………..….. 8

- Stage 4. Privilege Escalation…………………………………………………………..……………11

- Stage 5. Maintaining Access………………………………………………………..………………18

Staging the Attack (2): DNS Server .....................................................................................................25

- Stage 1. Information Gathering………………………………………………………….….……25

- Stage 2. Post Exploit(Pivot)……………………………………………………………………..….28

Staging the Forensic…………………………………………………………………………………………35

- Stage 1. Web Shell Detection………………………………………………………………………35

- Stage 2. Log Analysis…………………………………………………………………………..……40

- Stage3. Volatility……………………………………………………………………………………44

Staging the Defense: Code Level…………………………………………………………………………..47

Summary...............................................................................................................................................50

Reference………………………………………………………………………………….……………………51

2

About Me
Name: JongWon Kim

Blog: http://dikien2012.blogspot.com

LinkedIn: http://kr.linkedin.com/pub/jongwon-kim/45/a40/b07/en

Twitter: @dikien2012

My Experience:

Period Working Experience Personal Experience
2011. 08  C, Linux, CCNA
2011. 09  Windows 2008 Server, Perl
2011. 10  Working as a Math Teacher  Reversing
 L2,L3,L4, Firewall Configuration
2011. 11
 WIFI-Hacking(SWSE)
2011. 12  System Hacking(SMFE)
2012. 01~02  Exploit Code Study using ROP
 Privacy Information Protection Law
 WEB Hacking
2012. 04~09  Security Solution Operation(IPS, WAF,
 Database Security
and DB Access Control)

Technical Skills:

 Experience in Black and White Box Penetration Testing to identify system vulnerabilities
and test security controls in firewalls, routers, IDS and IPS, and various types of servers,
including Windows and UNIX Web, Mail, FTP, DNS, Domain Controllers and applications
hosted internally

 Strong Web Application Assessment Experience such as SQL Injection, Cross Site
Scripting, Cookie Manipulation, and Buffer Overflows

 Vulnerability Detection and Remediation

 Familiarity with penetration testing tools such as BackTrack and MetaSpolit vulnerability
scanning tools such as pangolin, wireshark, Nexpose, nmap, Acunetix and AppScan

 Familiarity with Open Source Security Testing Methodology Manual (OSSTMM), Open Web
Application Security Project (OWASP)

 Conduct onsite and remote Social Engineering testing including persuasion, phishing,
mock websites, and telephone contact

 Experience in Evasion Techniques to bypass firewalls, and intrusion detection

 Knowledge of security tools such as IPS, WAF and Database monitoring

 Ability to conduct source code reviews with PHP

 Familiarity with scripting Python

 In familiarity with Windows, Solaris, and AIX

3

 Familiarity with XML, SOAP, JSON and Ajax and HTML5

 Network Switching and Routing (Cisco)

 Knowledge of TCP and IP protocols and networking architectures wireless LAN security,
including 802.11 standards

Consulting Skills:

 Independence: Self-Managed and Motivated

 Team Oriented

 Formal policy and procedure documents

 Public Speaking

 Technical Writing

4

Planning the Attack
After 2100 years, human beings put the micro chipset into their brain to get smarter. As all ages do,
disaster occurs. Some bad guys develop the exploit to manipulate human. Computer malwares are
still big trouble and human zombies are created. I am trying to prevent an even worse tragedy to
analysis the malware. However, the trouble is that the malware is protected by some anti-reversing
key. I got some letter from anonymous. It said that there are anti-reversing code and human botnet
lists on NASA‟s database. At the end of letter, it was written on “aliens/toor”. Let‟s explore!!!

A list of Attack Directives is the following:

1) Compromise as much of NASA‟s network as possible

2) Extract data to find out anti-reversing key and the list of Human Zombie

3) Pivot its network

Staging the Attack
 Mission 1. Attack WEB Server
Stage 1. Reconnaissance
 Scenario:

 Ping the host and get the IP address

 Use the whatweb to figure out more information from response

 I skipped out DNS brute force since it is the virtual host

 Attack Detail

 Ping the host and get the IP address

[Figure 1. Ping the host]

 We can figure out what is the version of PHP, HTTP Server, Country, Admin Email,
and Operation System. It will show more information if you type “-v a=4”

[Figure 2. whatweb]

5

Stage 2. Information Gathering
 Scenario:

 Use the nmap to find services and OS that runs on the server

 Use nexpose to get more specific information

 Use w3af to figure out what web vulnerabilities are

 Attack Detail

 -sV and -O option of nmap will give you version and OS information

[Figure 3. Services from nmap]

[Figure 4. OS from nmap]

6

 This Nexpose results show me 58 vulnerabilities, especially “default SSH password
is toor” is one of the critical things. You can also use Nessus and compare to
Nessus results to increase false positives and false negatives.

[Figure 5. more details from Nexpose]

 There are many w3af plugins, but I will use only audit option to save my time

[ Figure 6. w3af: Plugin Setting ]

7

 There are XSS, command injection, SQL injection, and LFI. On top of that, there is
upload vulnerability but, it can‟t find out. I will use Blind SQL injection vulnerability to
breach database on Stage 3.

[Figure 7. w3af: results]

Stage 3. Target Exploitation
 Scenario:

 Use the sqlmap to breach database (target is attack_2 payload)

 Use hashcat to crack hashes

 Attack Detail

 Let‟s find out current database user, name, and password, but it wasn‟t able to get a
password with sqlmap. Current user is general@% and database name is members.
It didn‟t turn out to the password of the general user. I will use another tactic to get
the password later.

[Figure 8. Sqlmap: current database user and name]

8

 Members table have four fields: message, sessions, topics, and users. I guess
users might be user‟s ids and passwords and session is also similar role for
authorization.

[Figure 9. Sqlmap: Members database]

 As I expected, there are information related users on members table. I am curious
about message table. What‟s the message? Let‟s dig into there.

[Figure 10. Sqlmap: message table on members database]

 Let‟s dump message table on members database. There are two hash values. It
looks like some hints to get human botnet lists and anti-reversing key.

9

[Figure 11. Sqlmap: hash values on message table]

 Let‟s crack them out using hashcat. Hash values are secret and checkout. I guess
that secret means database name. However, there is a big problem. Sqlmap
doesn‟t show me a table named secret. It means two possibilities. First, there is no
secret table. Second, user named “general” has no authority to look into. I bet
second one and time to privilege escalation to check it out.

[Figure 12. Hashcat: cipher text : clear text]

10

Stage 4. Privilege Escalation
 Scenario:

 Use a fimap to spawn a shell

 Use a Expect to get a TTY

 Make a Upload page with “MySQL Dumpfile option”

 Upload a webshell

 Attack Detail

 Use a fimap to figure out which parameters have RFI and LFI vulnerabilities.

[Figure 13. Fimap: vulnerable parameters]

11

 -x option means that it will exploit the target with above output. Choose [1] to exploit
“www.nasa.com”. Choose [1] to take advantage of „rfi‟ parameter. I will use
pentestmonkey‟s reverse shell. Let‟s Choose [2] and put my ip address and port to
connect back to my backtrack.

[Figure 14. Fimap: reverse shell]

 Netcat is listening on 1000 port for reverse shell

[ Figure 15. Netcat: waiting for a shell]

12

 I got a shell and checked my id is www-data, but problem is it communicates
without cipher text. It can be detected IPS. Let‟s reduce this possibility with AES
HTTP shell below.

[Figure 16. Reverse shell: id]

[Figure 17. Wireshark: not cipher text]

 “su and ssh” didn‟t work properly. Those two instructions are necessary for post
exploitation. Let‟s solve the problem with magic shell.

[Figure 18. Message: must be run from a terminal]

 Time to try “aliens/toor” from the letter. With a magic shell, I can use su and ssh
command.

[Figure 19. Magic shell]

13

 Check the kernel version with “uname -a” to get a root privilege. Download local
exploit source from exploit-db and compile it.

[Figure 20. Download local exploit code]

 Execute it and I finally get a root shell and change shell from ”/bin/sh” to “/bin/bash”
for convenience

[Figure 21. Privilege escalation success]

14

[Figure 22. Change the shell to bash]

 There is a suspicious folder named treasure. Real treasure is over there, database
password, but I am not sure that this user has a super privilege.

[Figure 23. Password for database]

 Below is the job for make a webpage to upload webshell. I create two tables.

[ Figure 24. Make two tables]

15

 Insert some values into each table and save them to “/var/www/upload/”.

[Figure 25. Create a “form.php” ]

[Figure 26. Create a “upload.php” ]

16

 Choose the file which you would like to prefer and upload and move to
“/var/www/upload/”

[Figure 27. Choose the”r57shell.php” ]

[Figure 28. Move the file in webrooot ]

17

Stage 5. Maintaining Access
 Scenario:

 Use a weevely to make a backdoor with password

 Brute force attack to get an ftp credential with metasploit

 Traffic Obfuscation: AES HTTP Reverse shell

 Attack Detail

 Backdoor was created identified by password=complexpassword

[Figure 29. Make a backdoor]

 Use a metasploit for brute force attack and get an id and password.

[Figure 30. Make a backdoor]

18

 Upload the backdoor with FTP

[Figure 31. Upload the backdoor]

 I don‟t need r57shell, upload.php and form.php files anymore since backdoor is
uploaded successfully

[ Figure 32. Remove unnecessary files]

 Change the privilege to read the backdoor by www-data user

[Figure 33. Change the privilege]

19

 Connect to the backdoor and check out post exploit modules

[ Figure 34. Weevely: post exploit modules]

 Enumerate readable web config files using module “:audit.user_files auto=web “.
Extract credentials from readable file and log in the database with those credentials.
Since this process I have already done, I left it for reader. Let‟s look around internal
network and check out if there is another server. I will exploit 192.168.100.40 on
Mission 2.

[Figure 35. Weevely: Explore internal network]

20

 Find writable system script to replace with malicious script. First, enumerate
writable user files using module. Second, upload malicious script replacing system
file.

[Figure 36. Weevely: Upload a malicious script]

 If you are lazy to above process, Intersect 2.5(post exploit module) will also be very
nice choice. It includes many awesome feature such as backdoor, collecting
credential, internal network, variety of shells and etc. Select modules you would
create and create it with “:create”.

[Figure 37. Intersect: Setting modules]

[Figure 38. Intersect: backdoor file]

21

 Compare normal shell and AES HTTP Reverse shell. From now, I used pentest
monkey‟s reverse shell and weevely‟s backdoor. Since these two shells
communicate not cipher text, I use AES HTTP Reverse shell with cipher text.

[Figure 39. Fimap: Server setting]

[Figure 40. Fimap: Server Start]

[ Figure 41. AES HTTP Reverse shell communicates with cipher text]

22

 Upload another webshell to test if this shell works properly. Upload .htaccess to
bypass whitelist extension server side script.

[Figure 42. Upload .htaccess]

 Upload another webshell named “c99-bl_hongrae.txt”. The server recognizes “.txt”
extension to “.php” since “.htaccess”.

[Figure 43. Upload the “c99-bl_hongrae.txt”]

23

 Check it out if the webshell having extension “.txt” works well. It works very well.

[Figure 44. Upload the “c99-bl_hongrae.txt”]

 There is 192.168.100.40 which is alive on internal network. Let‟s attack this one

24

 Mission 2. Attack DNS Server

Stage 1. Information Gathering
 Scenario:

 Make a payload to communicate metasploit

 Upload a payload and pivot 192.168.100.40 with that session

 SSH Enumerate and Brute force

 Attack Detail

 Make a custom payload and waiting for connecting back to 1337 ports

[Figure 45. Make a payload]

[Figure 46. Waiting for a session]

 Upload a payload with FTP and give the permission to execute it

[Figure 47. Upload a payload]

25

[Figure 48. Change the permission]

[Figure 49. Connecting a Session]

 First, enumerate SSH version. It shows SSH-2.0 running on Sun OS

[Figure 50. Enumerate a banner]

26

 Second, Brute force attack with known password file

[Figure 51. Brute force]

 Third, Connect it and it shows that server is for DNS

[Figure 52. SSH Connection]

27

Stage 2. Post Exploit

 Scenario:

 Manipulate the forward zone file

 From previous, pivot 192.168.100.40 with compromised web server.

 Getting Human Botnet and Anti-Reversing Key

 Destroy the machine

 Attack Detail

 Change company main hompage ip address to my ip address

[Figure 53. Pollute forward zone file]

 Setting the compromised web server to attack victims and use CVE-2012-1889
vulnerability with the metasploit

[Figure 54. Metasploit: CVE-2012-1889]

28

 As soon as clients try to connect company‟s website, they will be in the big trouble.
Even if clients have anti-virus solution, it would be useless since the exploit migrate
very fast

[Figure 55. Antivirus is so slow]

 Regardless of anti-virus solution, session was created, and works well

[Figure 56. Metasploit: sessions]

 Collecting information of compromised the desktop

[Figure 57. Metasploit: Collecting *.inc]

29

 “db.inc” looks like curious and opens it. It‟s the password that I am looking for. I am
sure this machine belongs to database administrator.

[Figure 58. Metasploit: found database password]

 Check out server name and available tokens

[Figure 59. Metasploit: UID and Tokens]

 Check out hash dump and crack it with john

[Figure 60. Metasploit: Hashdump]

30

[Figure 61. John: Crack the Hashdump]

 Getting more information with “run scraper”

[Figure 62. Metasploit: Getting more Information]

 Make a persistent backdoor with “run metsvc –A” and check out that works properly

[Figure 63. Metasploit: Making a backdoor]

31

[Figure 64. Metasploit: Backdoor is running]

 Run VNC and I found there is a HeidiSQL for administration. I finally was able to get
a secret table. There are human botnet list and decoding key for reverisng.

[Figure 65. Metasploit: VNC]

[Figure 66. VNC: Connecting secret table]

[Figure 67. VNC: Human Botnet List]

32

[Figure 68. VNC: Decoding Key]

 After getting information, I set up my mind to destroy that machine using bat file

[Figure 69. Bat file]

[Figure 70. Execute a bat file]

[Figure 71. Execute a bat file]

33

[Figure 72. Deleting system files]

 After rebooting, computer doesn‟t work properly

[Figure 73. Booting Fail]

34

Staging the Forensic
Stage 1. Web Shell Detection
 Scenario:

 First Filter: Web Shell Detector(NeoPI & Emposha)

 Second Filter: Manual Job with Grep

 Manual Job

 Details

 I will use the NeoPI to detect whether web shell is uploaded or not. This is basic
NeoPI‟s options. Upload folders are “/tmp/” and “/var/www/upload/”, I will look into
one of them. Let‟s look at “/var/www/” with “./neopi.py /var/www/ -a”, -a means it will
run all test. It will show you 5 different types of results.

[Figure 74. NeoPI: Entropy]

[Figure 75. NeoPI: Longestword]

35

[Figure 76. NeoPI: Signature]

[Figure 77. NeoPI: IC]

[Figure 78. NeoPI: Commulative]

 At this time, I will use another web shell detector named Emposha to reduce false
positive. Upload it at webroot folder and execute it at the browser. In my opinion,
NeoPI‟s performance is better than Emposha.

[Figure 79. Emposha: Upload at webroot]

36

[Figure 80. Emposha: Result(1)]



37





38

 If you find one that is suspicious, you can test it manually with grep instruction. I will
choose one of the files that are suspicious from upper outcome.

[Figure 86. Grep: Command]

[Figure 87. Grep: Evidence(1)]

[Figure 88. Grep: Evidence(2)]

Below are dangerous functions. It can be used with the argument of the grep.

 PHP: require(), include(), eval(), exec(), passthru(), system(), fopen(), etc
 Python: exec(), eval(), execfile(), compile(), input()
 Perl: open(), sysopen(), glob(), system()
 C: system(), exec(), strcpy(), strcat(), sprintf()
 Java: system.* (system.runtime)

39

Stage 2. Log Analysis

 Scenario:

 Collecting Log files

 Analysis

 Details

 Analysis the utmp with utmp parser. If user log out, this will be wiped out. Wtmp,
lastlog, secure, xferlog, sulog, ~./history, access_log, error_log and other logs can
be analyzed similarly.

[Figure 89. Utmp Analysis(1)]

[Figure 90. Utmp Analysis(2)]

40

 There is a backdoor and someone tried to use “CVE-2012-2122” to bypass
Authentication

[Figure 91. Bash_History Analysis]

 Something was injected into local directory and there will be a suspicious user from
“flush privilege”

[Figure 92. MySQL_History Analysis]

[Figure 92. Apache2 Log Analysis(1): SQL Injection]

41

[Figure 93. Apache2 Log Analysis(2): WebShell]

[Figure 94. Apache2 Log Analysis(3): Directory Traversal]

[Figure 95. Permission Analysis(1): User]

[Figure 96. Permission Analysis(2): Group]

42

[Figure 97. Log Analysis: Passwd]

[Figure 98. Log Analysis: Service]

[Figure 99. Log Analysis: Hidden files]

 On top of that, these following commands will also be worth: “cat /etc/crontab”, “ls
/etc/cron.daily/”, “cat /etc/login.defs | grep -v "#"”, "cat /etc/profile | grep umask”,
“rpcinfo –p”, “ps -ef | grep rpc”, “ps -aux | grep ftp”, “ls -ltrR /var/spool/cron”, and
“crontab -l”

43

Stage 3. Volatility

 Details

 Sorry for missing original memory dump from DBA[figure- ]. Maintaining the
evidence is essential for forensic. However, I forgot to dump the memory when I
destroy DBA‟s machine. I just will show how to extract memory image and analysis
basic commands.

[Figure 100. Moonsol: Dump the memory to protect the evidence(1)]

[Figure 101. Moonsol: Dump the memory to protect the evidence(2)]

44

[Figure 102. Volatility: Prepare]

[Figure 103. Volatility: cmdscan]

[Figure 104. Volatility: connscan]

45

[Figure 105. Volatility: getsids]

[Figure 106. Volatility: pstree]

[Figure 107. Volatility: svcscan]

46

Staging the Defense
I referenced “Essential PHP Security” and “Pro PHP Security” for secure coding. I wrote two page
index.php, vulnerable page and indexs.php, more secure page. I have learned input validation from
user input is extremely important step before query go into database. Checking based on white list is
much better than black list for upload file. I used internal function, regular expression and type
conversion to be secured the code. Also, I did white list checking way as much as possible. Especially,
Restricting length of input value from preventing SQL Injection is a nice idea. I didn‟t apply to secure
token, but it would be better if it was.

[Figure 108. Secure Coding: String Type SQL Injection = Escape Data + Length Restriction]

[Figure 109. Secure Coding: Directory Traversal]

47

[Figure 110. Secure Coding: Checking based on White List(1)]


48


49

Summary
“If DNS server was compromised from bad guy, what would be happen?” I started to write this paper
with the thought. Recent vulnerabilities from Java, flash, and windows are severely threaten to us
called zero day vulnerability. Of course, I do not think there are companies that allow connecting to
DNS server from anonymous. I make this scenario to show as many as attack types. I hope that this
paper will be securing your valuable assets. I used every tool about web and database on backtrack 5
R3. I compared each of tools and tried to get catch what is the strong point of each of them. My future
work might be making a suitable tool for me and concentrate on improving many advanced
techniques about web hacking. Thank you for reading my study. I always believe that my strong point
is that I have a quick learning skill than my competitors.

50

Reference
1. Essential PHP Security by Chris Shiflett (Oct 20, 2005)

2. Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses (Expert's Voice in Open
Source) by Chris Snyder, Thomas Myer and Michael Southwell (Dec 9, 2010)

3. 데이터베이스 보안 by 조은백(Feb 11, 2011)

4. HTML5&CSS3 실무테크닉 by 조승한, 안종일(Mar 5, 2012)

5. Python,PHP,HTML5,AJAX,JQuery Online Study

6. RFI 방어 입력값 검증 PHP코드정리

7. InfoSec Resources – PT Example

8. Protocol-Level Evasion of Web Application Firewalls | Qualys Security Labs | Qualys Community

9. RFI DDOS 봇넷분석

10. [시스템 해킹] 리눅스 Setuid :: 네이버 블로그

11. [시스템 해킹] 리눅스 backdoor 찾는법과 숨기는법 :: 네이버 블로그

12. Meterpreter_cheat_sheet_v0.1.pdf

13. Post-Exploitation Without A TTY | pentestmonkey

14. 취약한 PHP코드 참조하기

15. htaccess를 이용

16. Apache 가이드 강추

17. MySQL 보안 설정(권한)

18. 40 Beautiful Free HTML5 & CSS3 Templates

19. Online Hash Crack MD5 / LM / NTLM / SHA1 / MySQL5 / MySQL323 / MD4 / WPA / WPA2 - Passwords recovery -
Reverse hash lookup Online - Hash Calculator

20. [Linux1] 20일차 - find,grep.. :: 네이버블로그

21. 리눅스-vsftp-설치,설정(root),파일업.. :: 네이버블로그

22. contagio: CVE-2012-1889 Microsoft XML vulnerability - Samples and Analysis by Brian Mariani and Frédéric Bourla

23. John The Ripper Hash Formats | pentestmonkey

24. SkipfishDoc - skipfish - Project documentation - web application security scanner - Google Project Hosting

25. Wooks Home. : PHP Injection

26. Backtrack 5 R3 Metasploit Post Modules (What To Do After You Compromise A System)

27. Python Backdoor - Aes Encrypted Traffic

28. Apache의 access log 관리 방법 :: 네이버 블로그

29. grep 명령어 및 옵션 :: 네이버 블로그

51

30. Metasploit: CVE-2012-2122: mysql취약점인데 이미 패치됨

31. 솔라리스 DNS

32. Fedora VSFTP 업로드

33. mysql 원격

34. sql injection sample code + remode code excution

35. PHP - mySQL 개발자를 위한 보안 팁 .. :: 네이버블로그

36. cyb3r sh3ll - Browse Files at SourceForge.net

37. Xss Trojan Using Evilweb Tool

38. msfpayload

39. su crack ssh bruth force metasploit

40. Nmap Scripting Engine Introduction With Http-Enumeration

41. CVE-2012-2122 : Serious Mysql Authentication Bypass Vulnerability | The Hacker News

42. hackers 매거진

43. ohdae/Intersect-2.5 · GitHub

44. msfconsole haking ftp + backdors - YouTube

45. SQL Injection/LFI/XSS Exploit Scanner + web shell Hunter - XCode - Yogyafree - YouTube

46. Weevely 0.6 Tutorial - bruteforce and SQL pwnage - YouTube

47. CVE-2012-1889- Microsoft XML Core Services Vulnerability Metasploit Demo - YouTube

48. sqlmap (EuroPython2011) - YouTube

49. FIMAP - AES HTTP Reverse Shell Plugin - YouTube

50. 백도어FIMAP - Local File Inclusion to Remote Code Execution - YouTube

51. SQLMap 페이지변조 js삽입해서 shell of the future하기

52. Information Security: Tutorial: How to scan exp... | SecurityStreet

53. Deface All Sites on Server Without Root - YouTube

54. Programming a Custom Backdoor in Python - YouTube

55. How SQL Injection Attacks Work 유투브 인터뷰

56. Mercury : 시스템 로그 분석

57. Pragmatic Forensics : 잽싸게 올리고 빠지는 utmp parser

58. Memory Acquisition Tools

59. MoonSols Windows Memory Toolkit | MoonSols

60. ToTo : 해킹 후 깔끔하게 로그 지우기

61. Reversing & Malware Analysis Training Part 8 - Malware Memory Foresnics - YouTube

52

Penetration Testing is the Art of the Manipulation

More Related Content

Similar to Penetration Testing is the Art of the Manipulation (20)

Recently uploaded (20)

Penetration Testing is the Art of the Manipulation