Penetration Testing Using The Kill Chain Methodology

Transcription

1 Penetration Testing Using The Kill Chain Methodology Presented by: Rupert Edwards

2 This course is intended for a technically astute audience.this course is 98% hands on.the attendee should have some basic knowledge of the systems being tested in this courses scenarios and lab. This course will focus on three areas: methodology, tools, and technique. Let us note that there are tons of tools that will net the same results. To maintain focus on all three aspects, we will be using just a small subset of popular pentesting tools. If I may add, some of my favorite tools did make it on the list, such as shellter and the backdoor factory. Other tools outside of the Kill Chain tools will be discussed and used in this course. Refer to the syllabus for more detail. What will not be covered in this material: We will not rehash definitions of white hat vs black hat vs gray hat. The assumption is made that you know what penetration testing is and what it entails a pen tester s job. Let us start by stating the fact I am not a lawyer (INAL). You should be aware of the legal ramification that comes with being a pen tester. Know the rules of engagement. Without any rules established, it defaults to a black hat scenario hence is not good. This material will not go over every tool in detail and usage. These tools are feature rich. What will be covered in this material: Why the need for a penetration test. A description of a pen tester. Most importantly, it is to get your Kill Chain environment setup. Also to get familiar with the tools. This document s main focus is on the software installation and tools setup thereafter. It will also introduce some terms that are thrown around a lot in the pen testing community and are often used within the tools themselves. 1

3 Penetration Testing The goal: to identify security vulnerabilities in systems and humans. The Benefits of Penetration Testing: Preventing financial loss Preserving corporate image Easy targets are often referred to as low hanging fruit. These systems tend to make up a good portion of the botnets. What is a Penetration Tester? A penetration tester s job is to see how deep into a system one can penetrate. A system might include, but not limited to, the applications group, desktops group, mobile group, and servers group. A system may also be a logical system that might include all things related to Information Technology (IT) inside the building and outside the building, which may include the IT staff and its in house training and how it responds to an incident. Because such systems are very complex, it is imperative to detail every bit of information and by what means it was acquired. Not all the information will be useful or necessary in the final analysis, but some vulnerabilities are not immediately obvious. Penetration testing is not very useful without proper documentation and remediation. The pen tester s paramount concern should be on the remediation. Recommended read: Models of a Red Team Operations 2

4 The Kill Chain approach to penetration testing What is Kill Chain? From Wikipedia: The term kill chain was originally used as a military concept related to the structure of an attack; consisting of target identification, force dispatch to target, decision, order to attack the target, and finally the destruction of the target. 1. Reconnaissance Uses social engineering to find weaknesses in the target s security posture. 2. Weaponization Crafting attack tools for the target system. 3. Delivery Delivering the attack tools to the target system. 4. Exploit The malicious file intended for an application target system or the operating system vulnerabilities control objectives is opened by the victim on target system. 5. Installation Remote control program installed on target system. 6. Command & Control Successfully compromised hosts will create a C2 channel on the Internet to establish a connection with the C2 server. 7. Actions After the preceding process, the attacker will continue to steal information about the target system, undermine the integrity and availability of information, and further to control the machine to jump to attack other machines, to expand the sphere of influence. 3

5 A walk through of Kill Chain and its attacks tools killchain.py: Kill Chain was created for training pentesting methodology to a large group of students and professionals. 4

6 Anonymizer The Kill Chain console is equipped with a build in anonymizer that uses the Tor network for anonymity. Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. courtesy tor website The Kill Chain De Anonymizer should be self explanatory. Kill Chain SET tool kit is for reconnaissance and social engineering The Social Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open source Python driven tool aimed at penetration testing around Social Engineering. SET has been presented at large scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social engineering penetration tests and supported heavily within the security community. The Social Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social engineering type environment. 5

7 TrustedSec believes that social engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, Metasploit: The Penetrations Tester s Guide written by TrustedSec s founder as well as Devon Kearns, Jim O Gorman, and Mati Aharoni. courtesy TrustedSec website 6

8 Kill Chain OpenVas to perform vulnerability assessments against target. OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. courtesy OpenVas website 7

9 Veil Evasion generate payload executables that bypass common antivirus solutions. courtesy veil Framework website 8

10 Kill Chain WebSploit Advanced MITM Framework perform social engineering along with man in the middle attacks and much more. This is full feature pentesting tool. Kill Chain Metasploit Framework is for executing exploits against targets. The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its best known sub project is the open source [2] Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub projects include the Opcode Database,shellcode archive and related research. The Metasploit Project is well known for its anti forensic and evasion tools, some of which are built into the Metasploit Framework. 9

11 Kill Chain WiFite For wireless site survey. 10

12 Setting up your Kill Chain environment What software is required: Pen testing OS: K Linux Free Download Virtual Machine Applications: VMWare Player Free VirtualBox Free Download for Linux, Windows, and OSx Parallels Costs Money; For OS X Installing Killchain.py sudo apt get update Follow the screenshots below. In the screenshot I am root. sudoapt get installwebsploitopenvasveil evasiontor sudogitclonehttps : //github.com/ruped24/killchaincdkillchain sudopythonkillchain. py 11

13 Once the installation is complete. Go through the options on the menu. Option 4, OpenVas takes a while on first run. Go get a coffee or two. You can launch multi Kill Chain sessions. No need to watch paint dry. Once OpenVas setup has completed. Reset openvas web interface admin password by running the commands below in an external terminal. openvas start openvasmd user = admin new password = Your_new_reset_admin_password Point your browser to Login Username = admin Login Password = Your_new_reset_admin_password Option 5, note on Veil Evasion: Veil Evasion will complete the setup upon launch. Accept all the defaults. This takes a while. Done leave the screen tho, there re dialog you will have to click through. Once it s complete, it will auto launch. Option 6; Websploit: To exit websploit, type exit. Option 7; Metasploit: To exit metasploit, type exit. Option 8; WiFite: It is for site survey. Within the context of this course. Run wifite in an external terminal to do wireless attacks against target. Now you should be cooking with gas Tell me and I ll forget; show me and I may remember; involve me and I ll understand. 12

14 Terms and definitions: Target A target is a specific system or a specific systems group. C2 Serve r Command and control servers, also called C&C or C2, are used by attackers to maintain communications with compromised systems within a target network. The terms command and control are often bandied about without a clear understanding, even among some security professionals, of how these communications techniques work to govern malware. Exploits Exploit code is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial of service attack. Injection Code injection is the exploitation of a computer bug that is caused by processing invalid data. Injection is used by an attacker to introduce (or inject ) code into a vulnerable computer program and change the course of execution. The result of successful code injection is often disastrous (for instance: code injection is used by some computer worms to propagate). Payload A payload refers to the part of malware which performs a malicious action. In the analysis of malicious software such as worms, viruses and Trojans, it refers to the software s harmful results. Shellcode Shellcode is basically a list of carefully crafted instructions that can be executed once the code is injected into a running application. Stack and heapbased buffer overflows are the most popular way of doing so. The term shellcode literally refers to written code that starts a command shell. Encoder An encoder is a device, circuit, transducer, software program, algorithm or person that converts information from one format or code to another, for the purposes of standardization, speed or compressions. 13

15 Backdoor A backdoor is an undocumented method of gaining access to program or a computer by using another installed program or rootkit that bypasses normal authentication. The backdoor is generally written by the programmer who created the original program and is often only known to that person. Reverse shell A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, which by using, code or command execution is achieved. Bind shell Bind shell is a type of shell in which the target machine opens up a communication port or a listener on the victim machine and waits for an incoming connection. The attacker then connects to the victim machine s listener which then leads to code or command execution on the server. Meterpreter Meterpreter is an advanced, dynamically extensible payload that uses in memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client side Ruby API. It features command history, tab completion, channels, and more. Site survey A wireless site survey, sometimes called an RF site survey or wireless survey, is the process of planning and designing a wireless network, to provide a wireless solution that will deliver the required wireless coverage, data rates, network capacity, roaming capability and Quality of Service (QoS). Tell me and I ll forget; show me and I may remember; involve me and I ll understand. Cyber Kill Chain is a registered trademark of Lockheed Martin. 14