Video Training: Kali Linux – Assuring Security by Penetration Testing

Want to learn computer security and don’t know where to start? Want to learn some of the latest hacking and pentesting techniques using Kali Linux? Know security pretty well, but want to brush up on your skills and see what the new Kali Linux has to offer?

And all at a very affordable price?

Then look no further than “Kali Linux – Backtrack Evolved: Assuring Security by Penetration Testing”.

The teacher, Justin Hutchens, is a bright young rising infosec star. I had the absolute honor to work on Justin’s training class as a technical reviewer, and can honestly tell you that you are going to be engaged, and you are going to learn some great material from a very impressive, easy-to-follow and capable teacher.

The course covers almost 3 hours of hands-on learning that will teach you how to:

  • Prepare a fully-functional and low-budget security lab, where you can practice and develop your penetration testing skills without fear of legal consequence
  • Gather information about a target with advanced reconnaissance techniques
  • Identify target systems on a network using host discovery tools
  • Identify services running on target systems by scanning and enumeration
  • Discover vulnerabilities to determine potential attack vectors
  • Launch automated exploits and payloads using the Metasploit Framework
  • Learn a variety of hands-on techniques to exploit target systems
  • Establish backdoors to ensure continued access
  • Escalate privileges to acquire maximum control over compromised systems

For pricing and more information see the PacktPub Website.

Check it out!

Performing Automated Network Reconnaissance with Recon-NG

The Recon-NG Framework is a powerful tool that allows you to perform automated information gathering and network reconnaissance. Think of it as Metasploit for information collection.

Recon-NG automates a lot of the steps that are taken in the initial process of a penetration test. It has numerous features that allow you to collect user information for social engineering attacks, and network information for network mapping and much more.

You can automatically hit numerous websites to gather passive information on your target and even actively probe the target itself for data.

Anyone who is familiar with Metasploit will feel right at home as the interface was made to have the same look and feel. The command use and functions are very similar. Basically you can use Recon-NG to gather info on your target, then attack it with Metasploit.

INSTALLING RECON-NG

To install Recon-NG, simply download the program from the Recon-ng repository:

git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

Then change to the Recon-ng directory that the clone created:

cd recon-ng

and run the program:

./recon-ng.py

[Screenshot from 2013-06-15 23_09_58]

Typing ‘help’ will bring up a list of commands:

[Screenshot from 2013-06-15 23_11_00]

Now, like Metasploit, you can type ‘show modules’ to display a list of available modules.

[Screenshot from 2013-06-15 23_12_11]

Some of the modules are passive and never touch the target network, while others directly probe and can even attack the system you are interested in.

One tactic used to passively probe network structure is to use the Google search engine to enumerate site sub-domains. You know that there will be a http://www.some_target_name.com but what other subdomains are out there?

You can do a Google search for subdomains using the site: and inurl: switches. Then remove sub-domains (-inurl) that you find so other subdomains will appear. This can take a while to do by hand and can require a lot of typing if the target has a large number of sub-domains.

Recon-NG will do this for you automatically and record what it finds in a database.

Just use the ‘recon/hosts/gather/http/web/google_site’ module. Then ‘show options’ to see what the module requires. This one only requires a target domain.

As in Metasploit, just type ‘set domain targetname.com’. Then just type ‘run’ and the module will execute as seen below:

[Screenshot from 2013-06-15 23_22_33]

As you can see from the screenshot Recon-NG is enumerating the sub-domains for Microsoft. Within seconds, several of the sub-domains are listed.

All the data collected by Recon-NG is placed in a database. You can create a report to view the data collected. Just type in ‘back’ to get out of the current module, and then ‘show modules’ again. Simply use one of the report modules to automatically create a nice report of the data that you have obtained.

Here is a sample of the HTML report:

[Screenshot from 2013-06-15 23_30_16]

Sub-domain enumeration is only one module you can run; there are many others to choose from. Some of them require an API key for a service such as Twitter, Shodan, LinkedIn or Google. Using these you can get specific information from the corresponding sites about your targets.

For example you can search Twitter for tweets from your target or even check Shodan for open systems.

I have just briefly touched on some of the capabilities of Recon-NG. It is really an impressive tool that is well worth checking into.

For more information check out the Recon-NG Wiki page!

Creating Remote Shells that Bypass Anti-Virus with “Veil”

Many people think that if they are running an Anti-Virus and a firewall, they are generally safe from hacker attacks. But the truth is far from that. Meet “Veil”, a remote shell payload generator that can bypass most current Anti-Virus programs.

Many Anti-Virus programs work by pattern or signature matching. If a program looks like malware that the AV has been programmed to look for, the AV catches it. If the malicious file has a signature that the AV has not seen before, many will dutifully say that the file is clean and not a threat.

If you can change or mask the signature of malware, or a remote shell in this case, then most likely AV will allow it to run and the attacker gets a remote connection to the system.

Veil, a new payload generator created by security expert and Blackhat USA class instructor Chris Truncer, does just that. It takes a standard Metasploit payload and through a menu driven program allows you to create 21 different payloads that most likely will bypass anti-virus.

But how well does it work?

Following the directions on Chris’s page, I downloaded and installed Veil on my Kali (Backtrack) system.

Simply pick what payload you want:

[Screenshot: Veil Payload Generator Menu]

Then you can choose to use Metasploit’s standard msfvenom shellcode or choose your own. I just chose the default, msfvenom:

[Screenshot: Veil Options]

Next choose the type of payload, I just chose reverse TCP. Then enter the IP address of the Kali system and the port you want to use:

[Screenshot: Veil setting remote address]

Veil will then create the payload and present you with two options. You can feed the payload into Pyinstaller or Py2Exe to create a Windows executable file.

This is where I got a bit stuck. For some reason Pyinstaller did not want to co-operate on my Kali machine. Fussed with it for a while, then just followed Chris’s instructions for creating the .exe file on a Windows machine and it worked without a hitch.

Basically install Python, Py2exe, and PyCrypto on Windows (all in the same directory). Then just copy over your created payload.py file, the RunMe.bat file and setup.py (found in your Kali Veil directory), into your Windows Python Directory.

Run the Bat file and sit back and watch the magic. When it is done you will have a payload.exe file. Any Windows system that runs it will try to connect out to the Kali system.

Finally start a Metasploit payload handler on your Kali system so the remote shell can connect to you. In Kali at a terminal prompt, type “msfconsole” and then:

[Screenshot: Veil Running]

Make sure you use the same IP address as LHOST and port as LPORT that you used in creating the payload.

Now, when a Windows system runs the payload.exe file we get this:

[Screenshot: Veil Session]

A remote session.

Then if we type “shell”:

[Screenshot: Veil Shell]

This was a fully updated Windows 7 system with a very good Anti-Virus installed and updated with an intrusion detection system running. It didn’t see a thing.

This should prove that you cannot trust in your Firewall and AV alone to protect you from online threats. Unfortunately, many times your network security depends on your users and what they allow to run. Instruct your users to never run any programs or open any files that they get in an unsolicited e-mail.

Blocking certain file types from entering or leaving your network is also a good idea.

And finally, using a Network Security Monitoring system will help track down what happened and what was compromised if the worst does happen.
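The file-type blocking suggested above only helps if the filter looks at content rather than at the file extension. The following is an added example, not part of the original post or of Veil: a gateway-style check that recognizes Windows executables by their MZ/PE header and looks inside ZIP archives. The function names, the size limit and the sample attachments are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

MAX_MEMBER = 50 * 1024 * 1024  # assumed per-file inspection limit (bytes)

def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def blocked_items(name: str, data: bytes, depth: int = 0) -> list[str]:
    """List what should be blocked: PE files by content, plus ZIP members
    that cannot be inspected (encrypted, oversized, nested too deep)."""
    if is_pe(data):
        return [f"{name}: executable"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    if depth >= 3:
        return [f"{name}: archive nested too deep"]
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}!{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                hits.append(f"{path}: cannot inspect")
            else:
                hits += blocked_items(path, zf.read(info), depth + 1)
    return hits

def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

# Constructed samples: a minimal MZ/PE header stub, not a working program.
PE_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLES = {
    "notes.txt": b"meeting at 10\n",
    "invoice.pdf": PE_STUB,  # executable content behind a document extension
    "photos.zip": make_zip({"readme.txt": b"hi", "holiday.jpg.scr": PE_STUB}),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", blocked_items(fname, blob) or "allow")
```

Encrypted archive members are reported as uninspectable rather than allowed, since a password-protected ZIP is a common way to carry an executable past a content filter.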

For more information on Veil, and other pentesting topics, check out Chris’s training session at Blackhat USA 2013!

Buffer Overflow Exploit found in Nginx Server 1.3.9-1.4.0

Earlier this month Nginx disclosed that there was a buffer overflow vulnerability in some versions of their product. Recently, Metasploit released an exploit module for the vulnerability.

Nginx, the ever popular open source HTTP Server and Proxy, publicly disclosed that a Buffer Overflow was discovered in versions 1.3.9 – 1.4.0. According to Shodan there are almost 3 million servers on the web that use Nginx, with almost 12,000 running the affected versions.

A notification from Nginx stated that a specially crafted request could trigger a stack-based buffer overflow:

[Image: Nginx announcement]

The exploit released by Metasploit can take advantage of the overflow to run a payload that could include a remote shell:

This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by supplying an overly long hex value as chunked block size. This value is later used when determining the number of bytes to read into a stack buffer, thus the overflow becomes possible.

The issue has been fixed in Nginx 1.4.1 & 1.5.0 and a patch is available (see Nginx announcement above).
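The module description above names two steps: an overly long hex chunk size overflows an integer, and the resulting value is then used as a read length. The following added example (not nginx's code and not part of the original post) models that arithmetic in Python, shows a range-checked parser beside it, and walks a chunked body to flag such a size field. The signed 64-bit width, the 4096-byte buffer, the function names and the sample bodies are assumptions constructed for illustration.

```python
import string

INT64_MAX = 2**63 - 1
U64_MASK = 2**64 - 1

def wrap_int64(n: int) -> int:
    """Reduce n modulo 2**64 and read it as a signed 64-bit value (models a C off_t)."""
    n &= U64_MASK
    return n - 2**64 if n > INT64_MAX else n

def unchecked_chunk_size(hex_digits: str) -> int:
    """Flawed pattern: size = size * 16 + digit with no range check."""
    size = 0
    for ch in hex_digits:
        size = wrap_int64(size * 16 + int(ch, 16))
    return size

def bytes_to_read(size: int, buf_len: int = 4096) -> int:
    """Signed min(size, buf_len), then converted to an unsigned read length."""
    return min(size, buf_len) & U64_MASK

def checked_chunk_size(hex_digits: str) -> int:
    """Hardened pattern: refuse the digit that would push size past INT64_MAX."""
    size = 0
    for ch in hex_digits:
        digit = int(ch, 16)
        if size > (INT64_MAX - digit) // 16:
            raise ValueError("chunk size out of range")
        size = size * 16 + digit
    return size

def audit_chunked_body(body: bytes) -> str:
    """Walk a captured chunked body: 'ok', 'malformed' or 'oversized-chunk-size'."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return "malformed"
        field = body[pos:eol].split(b";", 1)[0].strip().decode("ascii", "replace")
        if not field or any(c not in string.hexdigits for c in field):
            return "malformed"
        try:
            size = checked_chunk_size(field)
        except ValueError:
            return "oversized-chunk-size"
        if size == 0:
            return "ok"
        pos = eol + 2 + size + 2  # skip the chunk data and its trailing CRLF

# Constructed inputs, not captured traffic.
NORMAL = b"5\r\nhello\r\n0\r\n\r\n"
OVERSIZED = b"8000000000000000\r\nAAAA\r\n0\r\n\r\n"
```

With the unchecked parser the size wraps to a negative number, the signed comparison against the buffer length picks that negative number, and the unsigned conversion turns it into a read length far larger than the buffer. The checked parser rejects the field before any of that can happen.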