The OWASP Foundation http://www.owasp.org
OWASP German Chapter

Advanced Penetration Testing in Secured Environments, Part 1
Marko Winkler, marko.wnklr@gmail.com

Content
• Virtual Lab
• Planning
• Reconnaissance
• Exploitation
• Prospects
Marko Winkler OWASP German Chapter 2

Virtual Lab
• WLAN 192.168.75.0/24
• Kali Linux (Debian): penetration tester, DHCP
• Kioptrix Level 1 (Red Hat): target, DHCP
• Kali Linux: http://www.kali.org/downloads/
• Kioptrix: http://www.kioptrix.com/dlvm/Kioptrix_Level_1.rar

Planning – Dradis Framework
• Ruby on Rails (RoR) framework with a web-based interface
• simplifies data collection throughout the testing cycle
• manages the data overload that can occur when pentesting
• combines disparate data sources, such as Nmap, Nessus and even Metasploit
• shares data with team members
Source: http://dradisframework.org/

Reconnaissance
• Information Gathering
• Correlation, Verification and Prioritization
• Putting the information to use
Intelligence gathering is performing reconnaissance against a target to gather as much information as possible, to be utilized when penetrating the target during the vulnerability assessment and exploitation phases.
• Find everything you can about a corporation and its employees. Look for documents originating from the corporation, images, web sites, IP information and anything else you come across that has the potential to be used for social engineering attacks and physical or logical breaches.
• Weed out obvious false or misleading data, sift out anything that is unnecessary, and finally prioritize and categorize your findings.
• Use the information you have gathered to develop one or more attack plans.
Sources: http://www.pentest-standard.org/index.php/Intelligence_Gathering#Intelligence_Gathering; Lee Allen - Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide

Reconnaissance – nmap
• Active footprinting: port scanning and banner grabbing
• Nmap ("Network Mapper"), written by Gordon Lyon
• the standard for network auditing/scanning
• runs on both Linux and Windows (command line and GUI)
• Nmap command syntax: nmap -{type(s)} -{opt(s)} {target}
• the Nmap Scripting Engine allows you to create and use custom scripts that perform many different functions
• Further information: DefCon18 - http://www.youtube.com/watch?v=wMammEJywyA

Reconnaissance – Banner Grabbing
• enumeration technique used to glean information about computer systems on a network and the services running on their open ports
• used to identify the version of applications and the operating system
• usually performed on Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP)
• tools commonly used to perform banner grabbing are Telnet, nmap and Netcat
Source: http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Banner_Grabbing_2

Exploitation – Exploit-DB
• Exploit Database (EDB) – an ultimate archive of exploits and vulnerable software
• aim is to collect exploits from submittals and mailing lists and concentrate them in one easy-to-navigate database

Exploitation – searchsploit
• shell script to search a local repository of exploitdb
  root@pentest ~# searchsploit [term1] [term2] [term3]

Exploitation – The Hard Way
• Get exploit: /usr/share/exploitdb/platforms/
• Path: /linux/remote/10.c
• gcc 10.c -o SambaRemoteExploit
• Troubleshooting?

Exploitation – Metasploit!!
• single most useful auditing tool/framework freely available to security professionals (MSFconsole and Armitage)
• Ruby based
• easily build attack vectors to add exploits, payloads, encoders
• create and execute advanced attacks
• uses PostgreSQL as its database
Source: http://www.offensive-security.com/metasploit-unleashed/Msfconsole

Prospects – Part 2 (lab diagram)
• Kali Linux, VLAN1
• Kioptrix VM Level 3, VLAN1, WebApp
• Kioptrix VM Level 3, VLAN1, WebApp
• VirtualBox host machine
• pfSense, VLAN1, WLAN, load balancing
• Ubuntu, VLAN1, WebApp Mutillidae 2.1.7

Resources
• Lee Allen - Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
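Added example, not from the slides: a small Python parser that reduces FTP, SMTP and HTTP banners (the three protocols named on the Banner Grabbing slide) to product, version and OS hint, so that scan results can be recorded consistently, for instance in Dradis. The banners in SAMPLE_BANNERS are constructed samples, not captures from the lab hosts.

```python
import re
from typing import Dict, Optional

# Constructed sample banners for the three protocols named on the slide,
# plus one silent service; none of these were captured from the lab hosts.
SAMPLE_BANNERS = {
    "ftp": "220 ProFTPD 1.3.5 Server (Debian) [::ffff:192.0.2.10]",
    "smtp": "220 mail.example.test ESMTP Postfix (Ubuntu)",
    "http": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
            "Content-Type: text/html\r\n\r\n",
    "pop3": "",  # service accepted the connection but sent no greeting
}

# product name followed by a dotted version, e.g. "ProFTPD 1.3.5" or "Apache/2.4.41"
_PRODUCT_VERSION = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)[ /]v?(\d+(?:\.\d+)+)")
# operating-system hint that many daemons append in parentheses, e.g. "(Debian)"
_OS_HINT = re.compile(r"\(([A-Za-z][A-Za-z0-9 ._-]*)\)")


def parse_banner(protocol: str, raw: str) -> Dict[str, Optional[str]]:
    """Reduce one raw banner to protocol, product, version and OS hint."""
    record: Dict[str, Optional[str]] = {
        "protocol": protocol, "product": None, "version": None, "os_hint": None}
    first_line = raw.splitlines()[0] if raw else ""
    if protocol == "http":
        # HTTP discloses its software in the Server header, not the status line
        m = re.search(r"^Server:[ \t]*(.+?)\r?$", raw, re.MULTILINE | re.IGNORECASE)
        text = m.group(1) if m else ""
    elif protocol in ("ftp", "smtp"):
        # FTP and SMTP greet with a "220 " line; keep the text after the code
        text = first_line[4:] if first_line.startswith("220") else ""
    else:
        text = first_line
    pv = _PRODUCT_VERSION.search(text)
    if pv:
        record["product"], record["version"] = pv.group(1), pv.group(2)
    elif protocol == "smtp" and "ESMTP" in text:
        # Postfix-style greetings name the product but hide its version
        tail = text.split("ESMTP", 1)[1].split()
        record["product"] = tail[0] if tail else None
    os_hint = _OS_HINT.search(text)
    if os_hint:
        record["os_hint"] = os_hint.group(1)
    return record


def parse_all(banners: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Parse a protocol -> banner mapping, e.g. for import into Dradis."""
    return {proto: parse_banner(proto, raw) for proto, raw in banners.items()}
```

A service that returns no greeting, like the constructed pop3 entry, yields a record with all fields empty rather than an exception, so a whole scan can be processed in one pass.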