SANS Pen Test Cheat Sheet: Scapy

One of my favorite tools for fine-grained interactions with target systems during penetration testing is the mighty Scapy.   While other tools are indispensable for scanning large numbers of machines, Scapy is like a fine-grained scalpel for manipulating a single target in a myriad of cool ways.  With all kinds of features, Scapy just rocks.

In fact, a few years ago, I tweeted thusly:

To that end, just a couple of weeks ago, we released a Scapy cheat sheet, covering the items we use Scapy for in the SANS Security 560 course on Network Pen Testing and Ethical Hacking, plus some additional tips and tricks.  Enjoy!

(Image: Scapy cheat sheet)

If you like this kinda thing, plus a whole bunch of other practical, hands-on pen testing techniques (including recon, scanning, exploitation, post exploitation, and more), please do check out the SANS Security 560 course.  I’ve recently added great new stuff on recon-ng, Anti-Virus evasion, PowerShell for post-exploitation, and much more!

Hope to see you there!

–Ed Skoudis.
SANS Instructor & Pen Test Curriculum Lead
Founder, Counter Hack

Pen Test Cheat Sheets:

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive role-playing-style video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions for free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

How Not to Fail at a Pen Test: Slides and Stream

Earlier this week, John Strand presented a fantastic webcast that was chock full of pen test tips.  This post contains the slides as well as a link to the streaming slides and webcast audio.

Here’s the description of the talk:

In this presentation, John and Ed will cover some key components that many penetration tests lack, including why it is important to get caught, why it is important to learn from real attackers, and how to gain access to organizations without sending a single exploit.

One of my favorite slides in the presentation is John’s concluding Code of Ethics.  Click on the image below to download all of John’s slides.

If you’d like to hear the full audio stream, you can access it here.  Click on the link, login to your free SANS Portal account, and you can see and hear the stream.

On a directly related note, we’ll be running an exciting SANS Pen Test Hackfest event in Washington DC November 13-20, throwing in pretty much everything we have to make for a fun and exciting event, including an evening of missions in CyberCity, 3 nights of NetWars, and a chance to earn up to four SANS Pen Test challenge coins.  Click the image below for details on this nifty event.

Thank you!
–Ed Skoudis.

 

Demanding MOAR From Your Vulnerability Assessments and Pen Tests – Slides and Link

A few weeks ago, I did a presentation on Demanding MOAR from Your Vulnerability Assessments & Pen Tests.  I’d like to share the slides with you now.  The presentation is full of tips, some easy and others more complex, for providing extra value in vuln assessment and pen test work.

Here’s the official description of the talk:

You pay good money for your vulnerability assessments and penetration tests, right? But are you getting real business value from these projects? Do you ever get the sense that your assessors and pen testers are just phoning it in, checking off boxes, and not really properly helping you improve your security stance? In this lively presentation, Ed Skoudis will provide hugely valuable tips for getting the maximum business value out of your vulnerability assessments and pen tests. With specific recommendations for people procuring such projects as well as for testers themselves, this webcast is chock full of insights for effective scoping, best-of-breed methodologies, potent communications, and just plain getting the most vuln assessment and pen test bang for your buck.

Here is the slide deck, which you can flip through at your own pace.

Or, if you prefer, here’s a link to the streaming audio and slides, if you’d like to hear me presenting it.  To see and hear it, click on the link at the right, sign in to your free SANS portal account, and you’ll get access to the stream.

Hope you find it fun and useful!

–Ed Skoudis.
SANS Institute Fellow
SANS Penetration Testing Curriculum Lead
Founder, Counter Hack  

 

Data, Data, Everywhere – What to do with Volumes of Nessus Output

[Editor’s note: Here’s a really nice article by Kevin Fiscus on a tool that’ll help you analyze and manage a great deal of Nessus vulnerability scanner output.  This is really helpful, cool stuff!  Thanks, Kevin.  –Ed.]

By Kevin Fiscus

Doing really good, high-value penetration testing is hard. You have to start with a solid, repeatable methodology on which you build a process implemented via tools and techniques. It is a technical endeavor that is, more often than not, remarkably creative.  But, to do it well, you need to understand hacker techniques, cyber defense, protocols, packets, and even people. Sometimes, however, basic logistics get in the way. The problem, in many cases, is that the tools are simply too good, or rather, they give too much information but lack a particularly effective way for a penetration tester to use that information. Case in point: Nessus.

Nessus is a fantastic vulnerability scanner. It has the capability to perform both credentialed and uncredentialed scans of target environments, and to test for tens of thousands of vulnerabilities across an enormous range of platforms. For the budget-conscious among us, it is also one of the more cost-effective commercial solutions on the market. Unfortunately, while superior in many ways, it is not known for its reporting capabilities. Tenable Network Security, the creators of Nessus, have additional products that provide more advanced reporting capabilities, but purchasing them changes the cost structure considerably.

The problem, thus, is one of data overload from any vulnerability scanner, including Nessus. Particularly when performing internal, credentialed scans against network resources, the amount of data generated can be overwhelming. While generally presented in an easy-to-understand format, the data you’ll be given includes each vulnerability individually. Nessus has the capability to view results by IP address or by vulnerability, so identifying the most vulnerable server by vulnerability count or the most common critical severity vulnerability is fairly easy. But what if you wanted to identify the most vulnerable server in terms of the common vulnerability scoring system (CVSS), or wanted to count the number of servers with at least one high or at least one critical severity vulnerability? These things can be difficult within the Nessus interface and are more difficult when looking at Nessus output reports. Fortunately, there are answers for nifty and high-value ways to slice and dice Nessus results.

Nessus has the ability to output reports in a variety of formats, one of which is XML. This has allowed the security community to create tools to parse Nessus results and convert them into a variety of other formats. The one I tend to like can be found at http://www.melcara.com and is called, very originally, “Nessus Parser.” The current version, as of the writing of this posting, is v20a.  And, it’s free.

The Melcara Nessus Parser is a Perl program that converts Nessus XML output into a Microsoft Excel workbook. It doesn’t just create a CSV file with basic scan results, it creates an entire workbook consisting of over TWENTY tabs. A brief tour of at least a few of these tabs will help illustrate the benefits of this tool.

The “Home Worksheet” tab contains summary information about the numbers and counts of vulnerabilities and vulnerable systems as shown below:

The “CVSS Score Total” tab includes, for each IP address scanned, Common Vulnerability Scoring System results and allows you to tune the final scores by introducing a score modifier. By changing the value of a few cells, you can increase the contributing factor of a medium severity from 1 to 1.25, a high severity to 1.5 and a critical to 1.75 (or any value you want). The spreadsheet has been formatted to allow easy sorting on any column.

A series of five tabs labeled Critical, High, Medium, Low, and Informational provide counts and details for each identified vulnerability. For each tab, it lists the type of vulnerability (plugin family), the vulnerability name (plugin name), the number of instances of that vulnerability identified, a description of the vulnerability, the recommended solution, and whether there are exploits for the vulnerability included in Canvas, Metasploit, or Core Impact.  That last tidbit is really cool and helpful for penetration testers looking to move from scanning into outright exploitation of target systems.

The “Device Type” tab provides the IP address, fully qualified domain name, NetBIOS name, and device type for every tested system while the “HostConfigData” tab provides the number of vulnerabilities by severity for each IP address. This tab also provides information about minimum password length, password history length, minimum/maximum password age, complexity requirements and account lockout information if credentialed tests were run. The “portScanData” tab contains information about listening ports and services for each IP address while “InstalledSoftwareData” provides information about software identified to be installed on each target system.

The “UserAccount Data” tab provides information about user accounts found on each tested system, including where the account was found (local or Active Directory), the account name, the SID, and the type of account (e.g. Domain User, Domain Administrator, etc.). This tab also includes information about whether the password for the account has ever been changed, whether the account has been disabled, whether it has ever logged in, and information about certain group memberships. Additional tabs provide information about Wireless Access Points and SSIDs detected, passed or failed compliance or policy checks, and various summary information.

Other than the “Home Worksheet”, all of the tabs are formatted to allow for filtering and sorting of the data in any column, and because the data is in Excel, the workbooks can be expanded with graphs, charts, pivot tables, etc. That’s pretty sweet.  Also, got a whole bunch of Nessus results from several scans against several target environments?  The Melcara Nessus Parser can take multiple Nessus XML files as input and track which file each row of data came from. Thus, if you wanted to scan five different locations individually, you could look at their results individually, as a whole, or any subset thereof.

Getting the Nessus Parser to run can be somewhat challenging. You, of course, need to install Perl and there are a whole set of CPAN modules that need to be installed for it to run. That said, it is my experience that the author of the tool is extremely helpful, should you run into problems. Once everything is set up, running the tool is easy and involves these steps:

Step 1: Export the results of your Nessus scans in XML (or .nessus) format
Step 2: Place all the XML files into a directory
Step 3: Execute the command “perl parse_nessus_xml.v20a.pl -d <directory>” where the directory is the location of the XML files.

The parser will look at all of the files in the selected directory, identify those that contain Nessus output, and generate an output report based on provided input. There are a couple of additional command line switches that can be used to control the output:

  • The default output file will be called “nessus_report_XXXXXXXXX”, where the X’s will be replaced with date and time information. If you want to change the prefix “nessus_report” to something else, you can do so with the -o option.
  • If you want to run the tool against an individual file instead of a directory, use -f <filename> instead of -d <directory>.
  • The -r option allows you to change the severity of individual Nessus plugins by plugin ID.
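The two questions raised earlier (the most vulnerable host by modifier-weighted CVSS total, and how many hosts carry at least one high or critical finding) can be answered straight from the .nessus XML export, and a directory of exports can be read the way the parser’s -d switch does, tagging each row with its source file. The following Python is an added example, not the Melcara parser nor code from the article; the sample export, host names and 9000xx plugin IDs are constructed, the element and attribute names are those of the NessusClientData_v2 format, and the 1.25/1.5/1.75 modifiers are the article’s example values.

```python
import os
import xml.etree.ElementTree as ET
from collections import Counter

# ReportItem/@severity in .nessus (NessusClientData_v2) exports: 0..4.
SEVERITY_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
# Score modifiers in the spirit of the parser's "CVSS Score Total" tab (article's example values).
DEFAULT_MODIFIERS = {0: 1.0, 1: 1.0, 2: 1.25, 3: 1.5, 4: 1.75}

# Constructed sample export; hosts, plugin names and plugin IDs (9000xx) are hypothetical.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="lab-scan">
 <ReportHost name="10.0.0.5">
  <HostProperties><tag name="host-fqdn">fs01.lab.example</tag></HostProperties>
  <ReportItem port="445" protocol="tcp" severity="4" pluginID="900001" pluginName="Hypothetical SMB flaw" pluginFamily="Windows">
   <cvss_base_score>10.0</cvss_base_score><exploit_framework_metasploit>true</exploit_framework_metasploit></ReportItem>
  <ReportItem port="80" protocol="tcp" severity="2" pluginID="900002" pluginName="Hypothetical web issue" pluginFamily="Web Servers">
   <cvss_base_score>5.0</cvss_base_score></ReportItem>
 </ReportHost>
 <ReportHost name="10.0.0.9">
  <ReportItem port="22" protocol="tcp" severity="3" pluginID="900003" pluginName="Hypothetical SSH issue" pluginFamily="Misc.">
   <cvss_base_score>7.5</cvss_base_score></ReportItem>
  <ReportItem port="0" protocol="tcp" severity="0" pluginID="900004" pluginName="Hypothetical scan info" pluginFamily="Settings"/>
 </ReportHost>
</Report></NessusClientData_v2>"""

def parse_nessus(xml_text, source="<string>"):
    """One row per ReportItem, tagged with the file it came from (like the parser's -d mode)."""
    rows = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        fqdn = host.findtext("HostProperties/tag[@name='host-fqdn']", default="")
        for item in host.iter("ReportItem"):
            rows.append({
                "source": source,
                "host": host.get("name"),
                "fqdn": fqdn,
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "cvss": float(item.findtext("cvss_base_score", default="0") or 0),
                "metasploit": item.findtext("exploit_framework_metasploit", default="false") == "true",
            })
    return rows

def parse_directory(path):
    """Mirror the -d switch: read every file in the directory that looks like a Nessus XML export."""
    rows = []
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name), encoding="utf-8") as fh:
                text = fh.read()
            if "<NessusClientData_v2" in text:
                rows.extend(parse_nessus(text, source=name))
        except (OSError, UnicodeDecodeError, ET.ParseError):
            continue  # unreadable or non-Nessus files are skipped, not fatal
    return rows

def weighted_cvss_by_host(rows, modifiers=DEFAULT_MODIFIERS):
    """Per-host CVSS total with the severity modifiers applied (the 'most vulnerable server' question)."""
    totals = Counter()
    for r in rows:
        totals[r["host"]] += r["cvss"] * modifiers[r["severity"]]
    return dict(totals)

def hosts_with_at_least(rows, min_severity):
    """Hosts carrying at least one finding of the given severity or worse (3 = High, 4 = Critical)."""
    return sorted({r["host"] for r in rows if r["severity"] >= min_severity})

def counts_by_severity(rows):
    """Finding counts per severity band, like the Critical/High/Medium/Low/Informational tabs."""
    return dict(Counter(SEVERITY_NAMES[r["severity"]] for r in rows))
```

Call parse_directory() on the folder from Step 2 to get the same rows across several exports; the "source" field then tells you which scan each finding came from.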

The Melcara Nessus Parser can be of tremendous value in reviewing, sorting, analyzing and working with Nessus output. As a penetration tester, the ability to identify the most vulnerable targets or to find that one obscure vulnerability is awesome. As a defensive security professional using Nessus to attempt to improve security, the ability to take the output from a scanning tool like Nessus and truly work with the output is amazing.

If you are new to vulnerability scans, Nessus and/or penetration testing in general, or if you have been doing this type of thing for a while and want to take your skills to the next level, you will definitely want to check out SANS SEC560: Network Penetration Testing and Ethical Hacking. This course not only teaches you cool hacker tools and techniques, it also provides you with an industry-proven methodology that ensures your penetration tests provide real business value.

–Kevin Fiscus
SANS Certified Instructor

UPDATE: Diligent reader Vikneswaran Kunasegaran (@SecurityBazinga) noticed that the Melcara script didn’t work on Kali Linux (and possibly some Debian systems) due to some missing dependencies.  He wrote a handy little script that automatically pulls down those dependencies and gets your system ready.  You could do what the script does manually, if you’d prefer, or just copy and paste it into a file, chmod it so that it is executable, and run it.  Thanks, Vikneswaran.  Nice work!  Here’s the script:

#!/bin/sh
#install dependencies for running nessus parser melcara.com#

#update#
sudo apt-get update

#install dependencies#
sudo cpan install XML::TreePP
sudo cpan install Data::Dumper
sudo cpan install Math::Round
sudo cpan install Excel::Writer::XLSX
sudo cpan install Data::Table
sudo cpan install Excel::Writer::XLSX::Chart

#Thank you Have Fun!#


Network Pen Testing Tips, Tricks, Tools and Resources

[Editor’s Note: For this year’s SANS Pen Test Poster, we asked some of the best pen testers and instructors in the industry to share their wisdom in a series of tips, tricks, tools, and useful resources for various kinds of penetration tests.  We got some great input on network pen testing, web app pen testing, mobile pen testing, exploit writing, and wireless pen testing.  We’ll be posting these really useful recommendations as a series of blog posts over the next few weeks.  The first in the series is this set of recommendations from the amazing John Strand of Black Hills Information Security. –Ed.]

By John Strand

Methodology

  • Recon – This is the one area most people skip over or put the least amount of effort into. Don’t. Without question, this is the most important phase. If done correctly, it is possible to gain access to a network without using a single exploit. For example, take a look at the modules available in recon-ng. Some of our favorites are the pwnlist modules and namechk.
  • Scanning – Try to be as accurate as possible. If your scanner supports a scan dedicated to PCI, don’t use it. PCI scans have a very high false positive rate. If the project is a Crystal-box or Grey-box test, look into credentialed scanning. It will reduce the false positives, and the scan will run much faster. As an added bonus, it will also dramatically reduce the likelihood of crashing a system. Finally, always review the low and medium risk findings. These lower-risk findings may add up and result in significant potential for attack.
  • Exploitation – Always explicitly set the TARGET in Metasploit, as it will reduce the likelihood of a target crash and will increase the likelihood of successful exploitation. Get very comfortable with the Social Engineering Toolkit. Learn how to bypass AV; see the resources section below.
  • Post-Exploitation – After you have access to a target system, put the exploits away. Dump the passwords, crack the passwords. Get familiar with mimikatz. Get familiar with passing the hash. Get familiar with password spraying. Pivot mercilessly.
  • Reporting – Tell a narrative and demonstrate the risk through screenshots and videos. Never, ever, copy and paste results from an automated tool.

Must-Have Tools

Software

Hardware

Teensy* – Emulate keyboards to take over systems.
Pwnplug* – Small, portable, powerful covert pen testing platform.
* These tools are available on a commercial (cost) basis.

Resources for Staying Current

http://www.pauldotcom.com
http://pen-testing.sans.org/blog/
http://www.darknet.org.uk/
http://computer-forensics.sans.org/blog/
http://www.darkoperator.com/
http://lanmaster53.com/
http://blog.commandlinekungfu.com/
http://www.pentest-standard.org/
https://community.rapid7.com/community/metasploit/blog
http://www.tenable.com/blog 

Associated SANS Courses

SEC504: Hacker Techniques, Exploits, and Incident Handling www.sans.org/sec504
SEC560: Network Penetration Testing and Ethical Hacking www.sans.org/sec560

–John Strand
@strandjs 

SANS Pen Test Cheat Sheet: Nmap v1.1

 

Whenever we attend information security conferences like DerbyCon, ShmooCon, or any of the many BSides we support, we always take SANS Pen Test Cheat Sheets with us and everyone that comes by the booth takes a few for themselves and their colleagues back at the office.

So… we have made them available for you to download, print, and share with others.

Ed Skoudis and the fine folks at Counter Hack have put together a nifty Nmap cheat sheet covering some of the most useful options of everyone’s favorite general-purpose port scanner, Nmap.  And, with its scripting engine, Nmap can do all kinds of wonderful things for security professionals.

Please check out the updated cheat sheet below.  Even if you are an experienced attacker, it might cover a tip or trick that’s new and useful to you.

(Image: Nmap Cheat Sheet, page 1)

2-Page, Printable, PDF: NmapCheatSheetv1.1

Oh… we just made something that we think is pretty helpful: desktop wallpapers, in multiple sizes, based on the Nmap Cheat Sheet for you to download and use.

Wallpaper downloads (click an image for the full-sized version): NMap_1280x1024, NMap_1920x1080, NMap_5120x2880

Learn how to use Nmap and penetration testing methods, techniques, and tools in SANS SEC560: Network Penetration Testing and Ethical Hacking.

–Ed Skoudis.

SANS Fellow
Counter Hack Challenges Founder


Announcement: The Network Scanning Watch List

[Editor’s Note: A recurring concern among penetration testers is that a scan may have an unexpected and seriously undesirable impact on some target devices.  We’ve all heard stories about a simple TCP SYN scan killing this or that network device or SCADA system.  Wouldn’t it be cool if someone built and maintained a list of such devices, so we know what to watch out for?  I’m happy to announce that Owen Connolly and Robin Wood (digininja) have done some great work pulling together the Network Scanning Watch List of devices that have encountered problems when scanned.  In this post, Owen describes the project, links to the current list, and invites you to contribute.  Here at Counter Hack, we’ll be helping out in keeping the list updated with input from the community. Awesome stuff, Owen and Robin!  Thanks for contributing to the community and helping penetration testers.  –Ed.]

By Owen Connolly

So, one day, an interesting discussion started on the SANS pen test discussion list (called the “GPWN” list). Robin Wood (a.k.a., DigiNinja) asked if there was a list of devices maintained anywhere, that tended to hang, fall over, or otherwise behave weirdly when scanned in a penetration test or vulnerability assessment. This excellent request prompted me and several other people to leap in with definitive “No! But I’d watch out for XXX device…”. Those warnings of course led to a lot of similar answers and a few new and interesting ones.  As penetration testers, one of the last things we want to do is inadvertently break things in a target environment by running a simple port or vulnerability scan.  A list of stuff to watch out for would be very helpful to people.

After letting the ideas, warnings, and tales of woe run for a while and having a couple of chats with Robin, we agreed to compile our findings so far and also to ask in a few other fora for other examples. We then took all the submissions and put them in a spreadsheet on Google Docs and have agreed to maintain this list going forward.

Without further ado, we’d like to announce…

The Network Scanning Watch List

This list contains reports of unusual negative behavior (such as crashing, freezing, or massive performance hits) suffered by various devices while under common port and vulnerability scans.  The list includes the vendor, product, scanning tool (if such information is available), the impact, and some comments.

The list can be found here: https://docs.google.com/spreadsheet/ccc?key=0Agg23JycSkYddDZHRnltVlZUMkVKSnUtN2g0WDl5clE&usp=sharing

We would very much like to keep this alive and, for that reason, we have set up a Google group/mailing list at https://groups.google.com/forum/?fromgroups&hl=en#!forum/netscanwatch. We hope people will use this group to keep us informed of any new devices they come across and also to share additional advice.

We hope it helps a few of you out there and that maybe some of the vendors/manufacturers involved would be interested in figuring out why their stuff doesn’t like being scanned! We welcome input from all directions…

Thanks also to Ed for offering to publish this through the SANS Pen-test blog.  As we started from the GPWN mailing list, announcing it here only seems right! Oh, and Ed also offered us the use of his assistant… After clarification, we realised he meant to help us keep the list updated! :-)

Thanks to all who contributed and those who hopefully will!

Ojc


Owen Connolly
http://linkedin.com/in/ojconnolly