Intermediate Hacking

TL;DR – Pwn all the Flags

Introduction

While there is a wealth of resources for beginners, taking the next step is deceptively simple and consequently under-documented. That is because the way to progress your penetration testing skills really comes down to practice.

At this stage, you should have an awareness of vulnerabilities and attack patterns. You are proficient with a wide selection of tools that you have been exposed to, and have had some success using them. You are coming to understand that just as defenses are layered, so too must attacks be. At this stage, you may have difficulty finding vulnerabilities and shared exploits for your targets. You have probably heard about ‘fuzzing’ and recognize that it is how many vulnerabilities are identified. You probably have some strengths with either network/system attacks or web application attacks. So what next?

Practice.

There is too much to learn, and that is a wonderful thing. Just to be proficient as an entry-level penetration tester requires a working familiarity with the entire SDLC as well as IT operations. So why are there so many young penetration testers in the field? Dedication and, largely, specialization. In order to develop your skills, you need to keep practicing, either by specializing in one or two aspects, or by developing your understanding of attack (and defense) methodologies.

While this sounds trite, the difficulty is often in staying motivated. Like most everything in life, it is not what you are good at, it is what you enjoy. Persistence builds competence.
That said, there are aspects of hacking that will not appeal to you. Sadly, you have to be a jack of all trades to be a master of one in this game. Keep the end game in mind when you hit one of these. And chances are, you will find something fun in it, because, well, it is still hacking.

Vulnerable Virtual Machines

There are a lot of vulnerable virtual machines (VMs) out there for practice. VulnHub (https://www.vulnhub.com/) and PentesterLab (https://pentesterlab.com/) both offer free VMs for you to download and practice against.

The problem with vulnerable VMs is that once you pwn them, their usefulness greatly diminishes. However, a few are worth keeping on hand to practice tools and techniques. Metasploitable2 is great because it has the common vulnerable web applications on it (Mutillidae and DVWA). Additionally, building a virtualized network to practice perimeter exploitation and firewall/WAF/IDS/IPS bypasses benefits from having some easy boxes to pivot from. Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide, by Lee Allen, does a good job of covering how to set up a virtualized network, including using a pfSense box as a firewall.

Testing Methodologies and Write-ups

Common advice suggests that your practice should include writing a full penetration report. While this is a great idea, it is a lot of effort. However, if you perform a thorough test and write a complete report, you now have a work sample that shows you understand how to document findings and address your audiences (management and technical staff).

Being familiar with the OWASP Testing Guide is important for web application penetration testing. Seriously, it is the best testing guide I have seen, as it explains the how (referencing tools and providing examples and references) and the why. Even if you are not interested in web application testing, give it a once-over. The guide is well organized and contains valuable detail:

OWASP Testing Guide, Version 4 
Testing Guide Spreadsheet

For network penetration testing, the Penetration Testing Execution Standard (PTES) contains a lot of good information but does not include a testing guide. PTES at this point is largely a taxonominary (taxonomy and dictionary; fine, just a taxonomy, but there is good detail). Due to the breadth of network penetration testing, distilling everything into a set of tests as OWASP has done is a monumental effort. Setting that tangent aside, PTES is a valuable resource for beginners since it defines attack phases and concepts (http://www.pentest-standard.org/index.php/Main_Page) as well as describing tools and procedures (http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines).

Due to the sensitive nature of pentest reports, there are not many real world write-ups out there. However, there are a lot of capture the flag write-ups. While specific, these can help develop your understanding of exploitation and combining attacks.

Two take-aways from this recommendation:

  1. Evidence collection and reporting are very important. They make it easier for you to repeat processes and communicate findings.
  2. Reading standards and reports provides a good source of information and broadens knowledge of methods and tools.

Capture the Flag

A couple of the sites I like require a brief write-up to submit the challenge, or get points. I think this adds a lot of value because it forces you to consider why the exploit worked and how to mitigate it.

Hacking-Lab is one such practice site. While the actual CTF events it hosts are largely Euro-centric, that does not detract from the service they provide; they have a dedicated VM, they host CTF events, and you get points. Points have been a motivator for me (seriously, you want to stay ranked a hobo?). I think Hacking-Lab is a good starting point—they have a wide range of challenges, and enough pentesting challenges (OWASP Top 10 and such) to keep you busy for quite a while.

OverTheWire is another great resource. They have a few sets of games, with a suggested order. They help get you familiar with Linux hacking, privilege escalation and just generally figuring things out on your own. I was really struggling with privilege escalation, and doing Bandit I think gets you into the proper mindset: What do I have access to? What runs with more permissions than I have? How do I exploit that? They also help with buffer overflows and such (still my greatest weakness). Also, there are a lot of public write-ups, which can be quite helpful as a beginner.

Hacker.org is much more about puzzles, crypto and coding challenges than hacking/pentesting. However, it is a great resource with many good challenges. If you do the coding ones, you will start to develop a script library that will help with solving CTFs in general.

RingZer0Team is really a fantastic resource. It has a lot of challenges, categorized and spanning forensics through SQLi. While the site is slow, and many of the challenges are very hard (even sometimes after figuring them out and/or using hints), the content and support team and user base are top notch. Optionally you can submit write-ups for solved challenges. This gets you ‘gold’ that you can then use to buy hints for challenges. They also have a Slack channel that is active enough with some resources that can help out. Highly recommend this site. And the Forensics challenges in particular will hone your research skills.

Finally, the starting point: WeChall. WeChall allows you to link all of your challenge sites into this centralized beast. They also host a set of good challenges. Check out some of the other sites as well—there are a lot more than what I have included.

Documentation

My personal recommendation is that no matter how much or little you do—keep a log. Having done something once does not ensure that you will remember it exactly or be able to readily repeat it. And it can be annoying trying to find something again; it should be easier the second time around, right? Sometimes Google penalizes you for knowing a specific term–it is a search engine, not a bookmark engine–so don’t try to do its job.

Building out a set of scripts improves those skills and saves you time later. This is also part of your playbook–how you enumerate and test. While challenges are typically one-offs, there are only so many types of puzzles, and it falls under practice. The first time you are able to use a ‘find -exec’ without looking up the ‘{} \;’ bit is nice.

Scripts should be sufficiently commented–it will make grepping them easier. If you base your script on something else, include the URL/script name–it may be helpful on your next revision. Be reasonable here–most of your ‘scripts’ will essentially be ‘functions.’

I distill this log into a notebook that reminds me of techniques, scripts, exploits and such. The daunting breadth of knowledge greatly benefits from organization.

Conclusion

In summary, practice. Find what motivates you to practice; be that bug bounties or CTF sites or writing tools. Part of that practice should include formalizing your efforts–save your scripts, take notes and practice writing. The resulting playbook is your personal guide to intermediate hacking.

Bashing Wargames

As much as I like Python, I have a weird obsession with coming up with bash solutions for wargames. I do not want to see each attempt, just the right answer. This has led to some good uses of constructors and grep inversions, improving my ability to Bash.

Today I discovered the true power of the Bash brace expansion. The expression ‘{0..9}’ expands to the numbers zero through nine, and ‘{a..z}’ gives you all the letters. To get letters and numbers into one expansion, nest them:

{{a..z},{0..9}}

Armed with this knowledge, let’s generate all four-digit alphanumeric PIN combinations:

#!/bin/bash
# Brute Force Four Character Alphanumeric Password
# Solution for Yrivnguna 6: runs the program (~/yrivnguna6) to determine the result
# Constructor to generate four character alphanumeric combinations:
for i in {{a..z},{0..9}}{{a..z},{0..9}}{{a..z},{0..9}}{{a..z},{0..9}}
do
    # Any output that does not contain "Wrong" is the hit; report it and stop
    if ! ~/yrivnguna6 "$i" | grep -q "Wrong"; then
        echo "Answer: $i"
        break
    fi
done

Using PineAP to Find Common SSIDs

Wigle does not show which SSIDs are most commonly used or associated with. When performing a wireless survey for a client, you are often more concerned with the immediate site location’s spectrum analysis. But with a penetration test, things get a bit more open. To aid in identifying potential target devices, the portability and discretion of a WiFi Pineapple is superb. Additionally, canvassing an area and observing the demographics of known SSIDs allows us to determine which SSIDs will be more likely to succeed. If AT&T is popular for broadband in the area, ‘attwifi’ is a great choice (representing 8.7% of my current sample size of 854 SSIDs). I wanted a way to support broad research as well as localized results. So I wrote some Python.

If you are interested in profiling SSIDs, or just need a parser for PineAP log files, check out SsidyMetrics.


Airgraph-ng on Kali 2.0

Airgraph-ng does not install by default with aircrack-ng. Its main wiki page has not been updated in almost six years, but it is still relevant, and airgraph-ng does see a fix now and again. Getting it running on Kali 2.0 was straightforward enough, but did require a bit of troubleshooting.

‘make install’ threw an error about ‘common.mak’, which does not exist. Instead of ‘make install’, it appears that ‘python setup.py install’ should now be used for the installation.

This almost gets you there. Airgraph-ng expects the path /usr/bin/airgraph-ng to be valid, so creating a link to the directory gets it going. The following commands should get airgraph-ng installed and running:

cd /opt
svn co http://svn.aircrack-ng.org/trunk/scripts/airgraph-ng
cd airgraph-ng
python setup.py install
ln -s /opt/airgraph-ng /usr/bin/airgraph-ng

Note that on both installs I tried, the first run says that it is getting ‘oui.txt’. I had to let this run for a minute or two before killing it and being able to successfully create an image.

airgraph-ng CAPR

War-walking Hawaiian Style

Overview

To prepare for an upcoming Wifi Survey, I decided to configure a Wifi Pineapple to use Kismet and GPS as described in Hacking Exposed – Wireless. In addition to the book, there are quite a few articles and posts to make this happen, and overall it is a simple effort.

Configuration

  • WiFi Pineapple Mark V
  • Pineapple Juice 15000
  • GlobalSat BU-353-S4 USB GPS Receiver

Setup

While some people recommend using Kismet for GPS, I did not have success with that configuration and ended up running GPSD. Consequently, the default kismet.conf file does not require substantial changes, as it defaults to a GPS/GPSD configuration.

Daemonize GPSD with the ‘don’t wait for a client to connect before polling’ flag (-n). Note that a capital ‘N’ flag runs GPSD interactively and may assist with troubleshooting your device.

While your GPS will most likely register as /dev/ttyUSB0, double-check which device node it loads as.

Kismet is a client interface for the Pineapple, so ensure that you install AutoSSH and auto-enable it.

To get Kismet running, we need to do the following:

  1. ssh to Pineapple
  2. Install dependencies:
    1. opkg update
    2. opkg install gpsd
    3. opkg install kismet_server
  3. Edit Kismet configuration (see Wardriving with WiFi Pineapple Mark V running Kismet)
    1. Modify log directory; logprefix=/sd/kismet/
  4. Run GPS service:
    1. gpsd -n /dev/ttyUSB0
  5. Initialize Antenna
    1. ifconfig wlan1 down
    2. iwconfig wlan1 mode monitor
  6. Run Kismet
    1. kismet_server

Kiswalk Startup/Shutdown Script

With your setup scripts in place, all that needs to be done is to SSH into the Pineapple, run ‘kiswalk.sh start’, go for a walk, SSH back in and run ‘kiswalk.sh stop’.

#!/bin/bash

if [[ "$1" == "start" ]]
then
    echo "Starting Kismet..."

    # Initialize GPS device (-n: poll without waiting for a client)
    gpsd -n /dev/ttyUSB0

    # Put the second antenna in monitor mode
    ifconfig wlan1 down
    iwconfig wlan1 mode monitor

    # Start Kismet in the background
    kismet_server --daemonize
elif [[ "$1" == "stop" ]]
then
    # Stop Kismet through its client port
    echo -e '\n!0 shutdown' | nc localhost 2501

    # Bundle the capture files and copy the archive off the Pineapple
    # (same archive path in both commands)
    tar cvzf /sd/kismet.tar.gz /sd/kismet/*
    scp /sd/kismet.tar.gz root@172.16.42.239:/sd/kismet.tar.gz
else
    echo "kiswalk.sh [start/stop]"
    exit 1
fi

Script maintained on Github

References

Hak5 Forum: GPSD Problem

Hak5 Forum: Track Pineapple via GPS

Wardriving with WiFi Pineapple Mark V running Kismet

MindMap Exporter

MindMap Exporter, affectionately called ‘Mapamajobber,’ is a BurpSuite Extender that is now available in the BApp Store.

MindMap Exporter is used to export a Burp session’s HTTP History to a comma-delimited and/or MindMap file. This aids with documentation of OWASP Testing Guide V4 tests OTG-INFO-007 (Map execution paths through application) and OTG-INFO-006 (Identify application entry points).

Options include filtering unique results, selecting only in scope requests, inclusion of parameters and inclusion of cookies.
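As an added example (not the Mapamajobber source, whose internals are not reproduced here), the following Python takes a constructed Burp-style history and produces the two outputs described above: a comma-delimited file and a FreeMind-style mind map nested by host and path, with the unique, in-scope, parameter and cookie options. The history tuple layout, the in-scope host set and the FreeMind XML structure are assumptions.

```python
"""Export a Burp-style HTTP history to CSV and to a FreeMind-style mind map.

Added example, not the Mapamajobber source: the history tuple layout,
the scope filter and the FreeMind XML layout are assumptions.
"""
import csv
import io
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Constructed sample history: (method, url, Cookie header or "")
HISTORY = [
    ("GET", "https://app.example/login", "session=abc"),
    ("POST", "https://app.example/login?next=/home", "session=abc"),
    ("GET", "https://app.example/home", "session=abc"),
    ("GET", "https://app.example/api/items?id=7", "session=abc"),
    ("GET", "https://app.example/api/items?id=8", "session=abc"),
    ("GET", "https://cdn.other/site.js", ""),
]


def filter_history(history, scope_hosts, unique=True):
    """Keep in-scope entries. With unique=True, requests that differ only in
    parameter values collapse to one row: they are the same entry point."""
    seen, rows = set(), []
    for method, url, cookies in history:
        parts = urlsplit(url)
        if parts.hostname not in scope_hosts:
            continue
        params = tuple(sorted(name for name, _ in parse_qsl(parts.query)))
        key = (method, parts.hostname, parts.path, params)
        if unique and key in seen:
            continue
        seen.add(key)
        rows.append({"method": method, "host": parts.hostname,
                     "path": parts.path, "params": ",".join(params),
                     "cookies": cookies})
    return rows


def to_csv(rows, include_params=True, include_cookies=False):
    """Comma-delimited export; parameters and cookies are optional columns."""
    fields = ["method", "host", "path"]
    if include_params:
        fields.append("params")
    if include_cookies:
        fields.append("cookies")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_tree(rows):
    """Nest requests under host and path segments, e.g.
    {'app.example': {'api': {'items': {'GET /api/items ?id': {}}}}}."""
    tree = {}
    for row in rows:
        node = tree.setdefault(row["host"], {})
        for segment in row["path"].strip("/").split("/"):
            if segment:
                node = node.setdefault(segment, {})
        leaf = f"{row['method']} {row['path']}"
        if row["params"]:
            leaf += f" ?{row['params']}"
        node.setdefault(leaf, {})
    return tree


def to_freemind(tree, root_label="HTTP History"):
    """Serialise the tree as FreeMind-style XML (one <node TEXT=...> per key)."""
    def add_children(parent, subtree):
        for text, children in subtree.items():
            add_children(ET.SubElement(parent, "node", TEXT=text), children)

    root = ET.Element("map", version="1.0.1")
    add_children(ET.SubElement(root, "node", TEXT=root_label), tree)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    in_scope = filter_history(HISTORY, {"app.example"})
    print(to_csv(in_scope))
    print(to_freemind(build_tree(in_scope)))
```

The unique filter keys on parameter names rather than values, so the same entry point exercised with different values collapses to one row, which is what the entry-point inventory of OTG-INFO-006 wants; the nested tree, written out per path segment, is the execution-path view of OTG-INFO-007.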

Source code is open and available on GitHub, in my Burp repository.

Mapamajobber

Note that the sample image maps the 2015 SANS Holiday Hack Challenge and was modified (root node label and color-coding).

2015 SANS Holiday Hack Challenge

It is exciting to see the SANS Holiday Hack Challenge write-ups being shared. So I thought that I would share the write-up that I submitted. While I did not manage to compromise the final server, I did manage a lot of learning and the fun that goes with progress. SANS and CounterHack did an incredible job creating the game, story and environments, as they do every year.

Reporting on Web Form Attacks

THC-Hydra provides excellent output for plugging screenshots into your reports.

Hydra Web Form Cracking

Unfortunately, if there is a redirect associated with the login, Hydra returns a lot of false positives (or false negatives).

While not as clear, a ZAP screenshot highlighting the Fuzzer value with a differing result size can provide the evidence.

ZAP Fuzzer Result Size

Metasploit Database Authentication

Fixing Metasploit Database Errors

[*] Starting the Metasploit Framework console...-[-] Failed to connect to the database: FATAL: password authentication failed for user "msf3"
FATAL: password authentication failed for user "msf3"

or

[*] Starting the Metasploit Framework console...[-] Failed to connect to the database: FATAL: password authentication failed for user "msf4_user"
FATAL: password authentication failed for user "msf4_user"

Issue

Three times I have had issues with the Metasploit database presenting authentication errors. This has happened after version updates and applies to the Community Edition running on Kali.

Fix

Some users create a new user/database and point Metasploit to it. Instructions can be found here. I have found that this will work until a new version comes along.
Other users, myself included, have had more success with re-installing Metasploit. The following script walks you through deleting the Metasploit PostgreSQL database and re-installing Metasploit.

Clearly not ideal, but I have not been able to find the actual cause nor a permanent solution.

Script

# Remove the Metasploit package, then drop its database and role as the postgres user
apt-get purge metasploit
su postgres -c "echo 'drop database msf3;' | psql"
su postgres -c "echo 'drop user msf3;' | psql"
# Remove leftover installation files and the user's Metasploit config, then reinstall
rm -fr /opt/metasploit
rm -fr ~/.msf4
apt-get install metasploit

Example

root@kali:~# apt-get purge metasploit
root@kali:~# su postgres
postgres@kali:~$ psql
psql (9.1.14)
Type "help" for help.

postgres=# \list
List of databases
    Name     |   Owner   | Encoding  | Collate | Ctype |   Access privileges    
-------------+-----------+-----------+---------+-------+----------------------- 
 msf3        | msf3      | SQL_ASCII | C       | C     |  
 postgres    | postgres  | SQL_ASCII | C       | C     |  
 template0   | postgres  | SQL_ASCII | C       | C     | =c/postgres          + 
             |           |           |         |       | postgres=CTc/postgres 
 template1   | postgres  | SQL_ASCII | C       | C     | =c/postgres          + 
             |           |           |         |       | postgres=CTc/postgres 
(4 rows)

postgres=# drop database msf3;
DROP DATABASE
postgres=# drop user msf3;
DROP ROLE
postgres=# \list
                              List of databases 
    Name     |  Owner   | Encoding  | Collate | Ctype |   Access privileges    
-------------+----------+-----------+---------+-------+----------------------- 
 postgres    | postgres | SQL_ASCII | C       | C     |  
 template0   | postgres | SQL_ASCII | C       | C     | =c/postgres          + 
             |          |           |         |       | postgres=CTc/postgres 
 template1   | postgres | SQL_ASCII | C       | C     | =c/postgres          + 
             |          |           |         |       | postgres=CTc/postgres 
(3 rows)

postgres=# \q
postgres@kali:/root/.msf4$ exit
exit
root@kali:~# rm -fr /opt/metasploit
root@kali:~# rm -fr ./.msf4
root@kali:~# apt-get install metasploit

© 2019 /dev/thought
