Offensive on Benny Simmonds

CNO Attackers Strategy Essay

Tue, 18 Sep 2018 18:51:10 +0000

A paper I prepared as part of the UNSW Master of Cyber Security.

Alternately available as LaTeX and PDF.

Abstract

This paper discusses the motivations behind computer network exploitation, the general lifecycle of an attack operation, and the frictions and asymmetries that exist between both the attacker and the efender. One of the greatest challenges is fitting the ever-increasing and changing amount of information into a whole plan or framework to develop the right strategies to prevent such attacks. Armed with his knowledge seek out the creation of a structured general purpose framework for developing offensive strategies, the components described within it, its design philosophy, and how it can be used. It is eant to provide a concrete and structured approach to CNO strategy development.

Boot to Root

Fri, 10 Aug 2018 20:24:48 +0000

Some fun I hacking on a boot to root challenge I did with a mate recently.

Enumeration

OS Fingerprint

root@kali:~/boot2root# nmap -O 192.168.0.102

Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-26 22:44 EDT
Nmap scan report for 192.168.0.102
Host is up (0.00022s latency).
Not shown: 986 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
8009/tcp  open  ajp13
8080/tcp  open  http-proxy
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:50:56:A3:B7:92 (VMware)
Device type: general purpose
Running: Microsoft Windows 2008|Vista|7
OS CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_vista::sp1:home_premium     cpe:/o:microsoft:windows_7
OS details: Microsoft Windows Server 2008 R2 SP1, Microsoft Windows Vista Home Premium SP1, Windows 7, or Windows     Server 2008
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.26 seconds

A Windows box, running a bunch of services like ftp, two http servers, smb and ajp.

CNO Presentation

Fri, 27 Jul 2018 08:47:01 +0000

Intro

Containers, and specifically Docker are attracting a crazy amount of industry attention, particularly, I’m finding the software dev space.

Slide 1

OK, just quickly what is Docker.

Docker is a computer program that performs operating-system-level virtualization also known as containerization. Docker is used to run software packages called “containers”.

“Build once, configure once, and run anywhere.”

Slide 2

In a containerised world, the container becomes the standard unit of management and deployment. Containers provide a safe and consistent space for processes to run in. A container for example, could contain an Apache web server and all the dependencies it requires. Containers can in theory run all sorts of workloads…webapps, database servers, desktop processes.

CNO Day 4 Metasploitable

Thu, 26 Jul 2018 08:54:01 +0000

Awesome tip #1: In metasploit console (msfconsole), once you have loaded up an exploit, take show payloads for a spin. This will show all payloads that are compatible with the given exploit. Awesome!

Today we got the chance to work on Metasploitable 3, a Windows VM with a number of vunerability and flags (15ish of them).

Its a great way to take this knowledge and apply it to an actual machine. I wont detail a full walkthrough, as there are already plenty, and I don’t want to ruin the learning experience.

CNO Day 3 PrivEsc

Wed, 25 Jul 2018 08:54:01 +0000

Privilege Escalation.

Basics

On Windows, SYSTEM is the highest privilege possible. Local Administrators can effectively get SYSTEM privileges.

On Linux, root (uid=0) is the highest privilege possible. Regular users can escalate to root privileges on demand (i.e. sudo).

Techniques

Kernel exploits - leverage a flaw in the OS. Vunerabilty is determined by researching kernel version, patch levels. Tend to be patched quickly.
High privileged programs - get a program running at a higher privilege to execute your code. Often things are unnessarily run with high privileges for convenience sake. For example, JBoss running on TomCat, running as root. Deploy a WAR to JBoss with an embedded reverse shell.
Credential theft - leverage techniques to compromise a user with higher privileges. The primary method of lateral movement within organisations. Dumping of hashes, such as responder, SCF files on writab shares, UNC requests (when a user attempts to \\server an auth request is sent and can be captured), network sniffing. Password reuse. SCF to steal credentials.
Insecure configurations - abuse incorrectly services or programs. Service paths with whitespace is a great example e.g. C:\anti-virus\virus definition\bin\update.exe, Windows path probing will attempt to find and run C:\anti-virus\virus.exe.

On Linux in the /etc/shadow file, the prefix e.g. $6 indicates the hash function and salt, for example, this entry:

CNO Day 2 Exploitation

Tue, 24 Jul 2018 08:47:01 +0000

Exploitation

An exploit is some software which leverages a vunerability to perform an action.

Important to differientiate the payload from the exploit.

A payload is something executed via an exploit.

Finding Exploits

Exploit DB
Google
SearchSploit - a local mirror of exploit-db; useful for local cached copies.

For example CVE-2008-4250, maybe assigned different vendor specific labels. In this case MSE08-067, by searching Google and heading to the Microsoft security bullitin:

CNO Day 1 Enumeration

Mon, 23 Jul 2018 09:26:01 +0000

Covers basics starting with enumeration.

There is a process to exposing vunerabilities. Not a linear process. Imposter syndrome is huge in this field, due to the complexity of the field, and how many domains it covers.

The anatomy of a hack (EEE); Enumeration, Exploitation, Escalation

There are multiple ways to do one thing, for example to figure out if the sshd daemon is running you could:

Check if port 22 is listening netstat -tlp
Check if the sshd process is running
Try to ssh connect to the daemon
List the running services through systemd

Tools

Tools to grok: