Category Archives: Penetration Testing

Links from my NEOISF Talk: New School Man-In-The-Middle

2
Posted by Tom on May 20, 2009 – 8:00 pm
Filed under Penetration Testing
Tagged as , , , , , , , , , , ,

Here are the links for the tools from my talk titled “New School Man-In-The-Middle” that was given at the North East Ohio Information Security Forum (NEOISF). I will update this post with a link to the slide deck on SlideShare by the end of the week. Thanks to everyone for coming out!

Old School!
Wireshark
Ettercap
Cain

New School!
Network Miner
The Middler
SSLStrip

* Note: …both the new and old school tools provide the pentester with a ton of value! Use them all!

MITM Defense
ArpON
ArpWatch

UPDATE: Click here to view the slide deck.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Maltego 2.0.2 Released with Local Transforms!

0
Posted by Tom on January 9, 2009 – 12:19 pm
Filed under Penetration Testing
Tagged as , ,

Just a quick blog post about the latest release of Maltego that was just announced. This is great! You can now create custom transforms that will integrate directly with Maltego! This is something that many of us have requested and it’s finally here. From first glance it looks like you can code them in any language as well. Should be interesting to see what the community comes up with in regards to transforms now. I know I have some ideas….

Oh and if that wasn’t enough the pentest entities are now also available locally!

Great work Maltego team! Check out the full announcement here.

What is Maltego if you don’t know about it?
“Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.”

Read more about Maltego here.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Maltego 2.01 Released

0
Posted by Tom on December 3, 2008 – 12:55 am
Filed under Penetration Testing
Tagged as , ,

Looks like the fine folks over at Paterva have released version 2.01 of Maltego. If you don’t know what Maltego is…look here. Check out some of the changes and new features. From the announcement:

Features:

* Copy and paste to/from graphs
* Copy and paste to/from text
* Above can also function as “import”
* Zoom to pointer
* Looking glass zoom mode
* Added notch on slider that will return 10,000 entities (if your RAM can stomach it)
* Brought back “Run All Transforms” – you asked for it!
* Cancel transform run (e.g. i clicked on the wrong transform and it’s taking forever while my graph is turning into a green mush, can we please stop this now)
* Easier Mac install

Fixes:

* Authentication proxies now works (including NTLM)
* Cancel on entity export (small annoying fix)
* Transform manager window resizes properly (useful for those on E^3s)
* The dreadful save bug has been fixed (if you never saw it count yourself lucky)

In addition they note the in the upcoming 2.1 version they will be allowing local scriptable transforms! I am really looking forward to this feature as the custom transform creation process will hopefully get a whole lot easier.

Note that the main download page doesn’t have the new package yet so if you want it now you need to get the download links from the forum post here. I would expect the main site updated later today.

Also…the crippled “community edition” is still on the old version for now (updated shortly I am sure). By the way, it’s only $430 USD for the first year, $320 USD per year thereafter for a license of the commercial version…well worth it!

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Information Gathering with Maltego

2
Posted by Tom on October 19, 2008 – 9:51 pm
Filed under Penetration Testing
Tagged as , ,

Last Wednesday I gave a presentation to the Northeast Ohio Information Security Forum on Maltego which is a fantastic tool for information gathering. The presentation focused on a high level overview of the application and how it can be used for all types of security related work including security assessments, investigations and helping find public information about a company or person.

You can download the presentation here. Like I mentioned at the talk you can get more information on Maltego from the Paterva website. If you are looking for a few good tutorials you can check out part one and part two on Room362.com or Ethicalhacker.net.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Finally a use for Incognito

1
Posted by Tom on September 10, 2008 – 11:28 pm
Filed under Penetration Testing
Tagged as

Lets say (hypothetically for the sake of this post) that you were able to exploit the system of a Windows domain admin during a pentest. The goal of this attack? Steal the credentials of the domain admin and continue on with owning the domain. Sure, you could use gsecdump, pass-the-hash and do the same thing…however, Incognito (tool to conduct token passing) is nice when you know a system is vulnerable to an exploit and you want to do everything through a nice Metasploit meterpreter shell. The problem with gsecdump is that it would require you to use psexec to run it remotely on the admin’s system. Depending on the scope of your assessment and if you are trying to be covert, gsecdump/psexec may not be the best idea as you may get noticed by either an anti-virus, HIDS alert or some other detection system on the host, including the admin (don’t get me wrong…gsecdump is a GREAT tool and should be part of any pentest toolkit). So here comes Incognito to help you out in this situation…

How does Incognito work? I won’t go into a ton of detail as you can check out CG’s posts over at Carnal0wnage. He did an awesome two part write up about the tool…in detail…you should check out. Here are the high level steps:

1. Ensure you have the latest Metasploit snapshot. Not by doing an “svn update” either…you have to use Subversion and do an “svn co http://metasploit.com/svn/framework3/trunk/”. Run msfconsole through this trunk. Be warned that Subversion is picky with proxy servers if you have to deal with that.
2. Exploit system with Metasploit and a meterpreter payload.
3. Follow CG’s posts (linked above)
4. Once you impersonate the domain admin, use the tool in your meterpreter shell to create a domain user and add your new user to the domain admins group (again…follow CG’s posts).
5. Continue on with your domain compromise…rinse and repeat with your next client and/or pentest! :-)

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Building the pentest team skillset

2
Posted by Tom on July 29, 2008 – 12:11 am
Filed under Penetration Testing
Tagged as

I saw this post on Hexesec the other day that made me think about all the skill’s that when you put them together could make one kick ass penetration testing team. Note that this is a pretty large list of skills that would be difficult if not impossible for one person to master. However, it gives you an idea of the various skill sets that should be required for a robust, high caliber team.

As a pentester you should be familiar with most of these areas, meaning, you should have working knowledge at a minimum. Of course, reverse engineering and vulnerability development may not be everyone’s forte…but take for example the web application pentester. Reverse engineering and vulnerability development is a skill that can be learned (especially if you have a deep programming and development background). Same goes for wireless penetration testing as someone with a networking background can easily pick this up. Everyone will still have their own specialty but you can still expand on your existing skills to learn new ones.

What’s the point? The more you and your team learn the more valuable you become to your organization, clients and your own career.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

The Evolution of Penetration Testing

3
Posted by Tom on July 7, 2008 – 6:00 am
Filed under Penetration Testing

Evolution

Last week GNUCITIZEN posted an article entitled “Tiger Team Operations vs. Penetration Testing”. I personally feel this is a spot on article and is a must read for anyone involved in either tiger team operations or penetration testing. The article focused on three areas in regards to these two types of assessments: quality, pricing and time frames. While these three areas are quite different when comparing a tiger team operation vs. a penetration test I see something more when it comes to penetration testing. I see the penetration test as we know it eventually evolving into tiger team operations.

While we will always need to conduct traditional network and web application penetration tests, clients and employers are asking us to conduct more “unique” assessments. These unique types of assessments include things like social engineering, client-side phishing, physical security reviews, user security awareness, or testing the overall security of a specific facility or business unit. These unique individual assessments are addressing the changing threat landscape and new ways information systems and people are being exploited.

A tiger team can address many of these different types into one unique assessment of it’s own (including network and web application penetration when appropriate). Keep in mind, a tiger team operation is very different then a penetration test in terms of quality and quantity as GNUCITIZEN mentions. A tiger team requires multiple unique skill sets (for example a physical security specialist) and always requires multiple high performance team members. Let’s also not forget about timing and preparation. A tiger team operation and a penetration test should always be conducted unannounced and to conduct the operation properly the team must be held to strict confidentiality. In regards to preparation, a tiger team operation may take many weeks and/or months to prepare. Why so long? The longer preparation time (meaning the reconnaissance phase) the closer you will get to simulating an actual attack on the targets selected. The real bad guys that want to do harm to your organization have the advantage of time…a tiger team must try to replicate this as close as possible. There may also be variations of a tiger team operation as well. Some methods may or may not need to be used depending on the scope and the target(s).

I am currently putting together a presentation for a conference later this year on how tiger team assessments work in a large corporate environment and how you can take these same concepts and use them either with an internal penetration testing program or for clients. More on this in the coming weeks. In the meantime, if you want to know what a tiger team operation/assessment is like…I recommend you check out the Tiger Team series that was on TruTV last year. You can find torrents and also view one of the episodes on the TruTV web site.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Backtrack 3 Released

0
Posted by Tom on June 23, 2008 – 7:00 pm
Filed under Penetration Testing

I’m sure you have already read this on other blogs…however, if you didn’t get the news yet…Backtrack 3 has been officially released last week on the PaulDotCom show. I know myself and others have been using the beta and have been looking forward to this final release. Here are some highlights as posted by Max Moser one of the creators of Backtrack 3:

SAINT
SAINT has provided BackTrack users with a functional version of SAINT, pending a free request for an IP range license through the SAINT website, valid for 1 year.

Maltego
The guys over at Paterva have created a special version of Maltego v2.0 with a community license especially for BackTrack users. We would like to thank Paterva for co-operating with us and allowing us to feature this amazing tool in BackTrack.

Nessus
Tenable would not allow for redistribution of Nessus on BackTrack 3.

Kernel
2.6.21.5. Yes, yes, stop whining….We had serious deliberations concerning the BT3 kernel. We decided not to upgrade to a newer kernel as wireless injection patches were not fully tested and verified. We did not want to jeopardize the awesome wireless capabilities of BT3 for the sake of sexiness or slightly increased hardware compatibilities. All relevant security patches have been applied.

Tools
As usual, updated, sharpened, SVN’ed and armed to the teeth. This release we have some special features such as spoonwep, fastrack and other cool additions.

Availability
For the first time we distribute three different version of Backtrack 3
– CD version
– USB version
– VMWare version

BackTrack 3 final download page is here.

Final Requests
We request the community to not mirror or torrent this release, or otherwise distribute it online without our knowledge. We are trying to gather statistics about bt3 downloads. If you would like to mirror BT3 then please:

1) Think again! Traffic generated by BT3 downloads is CRAZY.
2) Please contact us before doing so.
3) Send us monthly statistics of downloads for the iso.

If you would like to add a link to BackTrack downloads to your website, please use:

http://www.remote-exploit.org/backtrack_download.html as the download link.

Rants
Problems, fixes, bugs, opinions – should all end up in our Remote Exploit community forums, and our wiki.

Awesome that Maltego has been added to Backtrack! Safe to say that Maltego is the best Internet reconnaissance tool out there. Too bad about Nessus but I hear SAINT is a good vulnerability scanner alternative (note that SAINT is a commercial product like Nessus but they don’t have a “home user” plugin feed like Nessus provides). Also, be sure to link to the Backtrack 3 download as Max specifies. Please don’t torrent the iso as they would like to track overall download statistics.

One final reminder, the Security Justice podcast will be interviewing Dave Kennedy of SecureState on the Fast-track script he developed. Fast-track in included in the Backtrack 3 distribution and is an integral part of using Backtrack 3 to it’s fullest potential. Look for this special edition podcast in the next week or so.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

The Ethical Hacker Network: Interview with Ed Skoudis of Intelguardians

0
Posted by Tom on May 21, 2008 – 9:52 am
Filed under Penetration Testing

<%image(20080521-edbanner.jpg|532|159|Ed Skoudis)%>

Very good interview over at The Ethical Hacker Network with Ed Skoudis of Intelguardians. Ed talks about his career, how Intelguardians came to be, his new SANS 560 Course, and a little about his hacker challenges that he is famous for. I know several of the Intelguardians and I have a huge amount of respect for all of them. If you are just getting into information security or penetration testing, Ed is one person that should be a role model for your career.

From the article’s author it looks like part two and three will be with Johnny Long and HD Moore. Awesome stuff…looks to be like a great series of interviews.

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Nessus “registered” plugin feed to be discontinued

2
Posted by Tom on May 14, 2008 – 1:26 pm
Filed under Penetration Testing

<%image(20080514-nessus.jpg|76|73|Nessus)%>

I came across this post by Martin McKeay on the Network Security Blog today talking about changes to the Nessus license that Tenable will be starting July 31st. Martin makes some really good points and I recommend you read his post. Basically as a corporate user you will need to pay for the new “ProfessionalFeed”. A corporate user is classified as anyone that uses Nessus in a corporate environment, including MSSP’s and security consultants (some exceptions apply for non-profit and charities). From the Nessus announcement:

“…Tenable’s “Direct Feed” will be re-named to the “ProfessionalFeed” and the “Registered Feed” will be discontinued. The ProfessionalFeed will entitle subscribers to the latest vulnerability and patch audits, configuration and content audits and commercial support for their Nessus 3 installation. The ProfessionalFeed will serve as Tenable’s commercial subscription and will be required for individuals and organizations that want to use Tenable’s Nessus plugins commercially.”

Looks like you are now getting everything that you would have gotten if you were a previous “commercial” user including support for Nessus 3. Home users will still be allowed to download the free “HomeFeed”.

My thoughts are that I personally get a ton of value out of Nessus…it’s simply the most versatile vulnerability scanner out there (from a pentest and customization perspective especially). Now that it is going to this “pay for plugins” model it doesn’t really change much for me..I think the Tenable guys do great work and now that they will have more cash flowing in I would suspect the Nessus product offering will only get stronger.

Oh, and don’t forget that Tenable is offering a limited time rebate for corporate users:

“Tenable is offering a 25 percent rebate for the Direct Feed subscription service (normally available at $1200 per year), beginning May 14, 2008 until July 31, 2008 only when purchased through Tenable’s e-commerce site.”

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • Digg
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS