What I do?

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized professional attack against your organization, after which a detailed report summarizing the weaknesses and exploited vectors is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Wednesday, July 10, 2013


Most of the pentesters testing networks, organizations and infrastructures fail due to a lack of imagination and a lack of adapting to the environment.

Take for example organizations that use the Domain Controller machines as proxy servers. When doing an Internal Pentest with these companies, you will be working through proxies to get to the Internet, so obviously they will give you a username and a password for the proxy so that you can communicate and share information during the White Box Internal Pentest. So if you have those credentials, why don't you try to see if you can join the Domain? Yeah, why not use a VirtualBox machine to do so. You might just find yourself owning the whole Domain network, or maybe a bunch of Domain Forests. Penetrating a Domain Controller environment does require past experience in maintaining and developing one or two, from when you were a System Admin back in the day; adapting to the environment is vital, maybe primal, as many would say fundamental.

So when I talked about tracking cars: we all know that some of this equipment is really expensive, but you can always adapt. Get a normal car GPS, like the one below; these devices show every route or direction a car is going, and this is like 20k now in the market. When I bought my first one, they were a little expensive.

This is a very good way to know which route your target uses most; I know couples who have used these devices to bust their cheating spouse. So it's just creativity: use what you have and you will make a good pentester out there. No need to buy CoreImpact if you can't afford it; you can always rewrite Metasploit according to your own needs.

Use what you have, manipulate what is there, adapt to what you see and what surrounds you; every infrastructure can be broken into. Help them to defend it. That's why you are there. You are not there to just run Burp, BeEF, Nessus, MSF auxiliary modules, Nmap and other tools that will make the client fancy you. Your job is to help them defend it.

Tuesday, July 02, 2013


There is nothing as bad as being caught by an IDS during a Penetration Test. Well, I have been caught several times and I will not deny it; I felt terrible.

I remember a few days ago I was in the middle of this assessment and I found a hole on an XAMPP server, and also found out the phpMyAdmin CMS was not protected. It was in the first days of the assessment and I thought there was no need to exploit the flaw even when it was all there for me. So I decided to run Acunetix, due to laziness, because I had loads of other machines on the network to look into. Immediately an IDPS installed on that box shut down all corners of the XAMPP box, and I couldn't even access phpMyAdmin. Now that was demoralizing.

So a few nights ago we were doing recon against a target: collecting information, picking up activity logs, registering movements and occupants, picking up email addresses and developing a distributed metastasis plan, until I decided to enter the compound to try to get more information, especially from their dust bins, since running coverage wasn't as fruitful as we needed. My team and I never thought that the dogs were let out into the compound at a certain point. These big mean beasts were always in the house, feeding and sleeping. Jumping over the fence was easy; the compound is located in a cool, quiet estate in uptown Nairobi. During these tests, where Physical, Social and Operational methods are used, arming yourself with a "Get Out of Jail Free Card" is advisable due to cops and guards.

Remember, dogs are so used to seeing people that you can easily walk through the front door and they will think it's just a normal guest. The problem is if you try to break in or jump through the windows and they spot you: you are dead. Learning the dog breeds is one other important aspect that we didn't consider; professional burglars do it. During pentesting we also try to figure out the remote AV versions and IDS version, but unfortunately here we didn't even get to understand which breed was guarding the house.

Two minutes near the veranda, and these three dogs just jumped out; I almost pooped, I knew I had been caught. Luckily I am really fit: I just turned, dropped my torch and moved real fast towards the fence with the dogs on my heels.

Well, we eventually found a way to gain access to the target infrastructure and did our reporting, and the dogs issue wasn't mentioned there. I'm sure even right now they still think there were burglars in the compound, or maybe not.


Hi good people.

A few months ago I was tasked with a Penetration Test for a secure organization; they wanted to know which vulnerabilities they had and how someone with bad intentions would take advantage of them.

Now this organization I will call Tazama LTD, for security reasons and NDA agreements. This will be used for knowledge transfer only and should not be used against an infrastructure that might have similarities.

Now, I was called in for a target; everything was Blackbox Penetration Testing and I was allowed to use Red Team Assessment wherever possible. Hard-to-hack infrastructures are my favourite, since I love challenges, and anything I fear doing seems to make me grow further.

The thing about security is that the very things that protect you can be turned against you by someone who knows what he's doing.

So first was to get the recon done: find where the offices are based, the HQ, and also the management names from the website. Remember, every battle is won before it's fought. The organization chart, job vacancies, email addresses, phone numbers, facts and figures were the first to go for.

Recon went on to the operational aspects: domain names, network blocks, DNS servers, etc. As I did this, I realized the IPs they were using as gateways were not registered under their name, and several offices across the country had Internet connections from different providers. To get all the IPs, I had to send mails to all the different offices, and X-Originating IPs came back with internal network IPs flowing into my Thunderbird like little springs on hills.

All the IPs were heavily secured, no ports allowed, except the mail server in Nairobi and the website, hosted in the States. Now this was a challenge. A lot of pentesters get dead tired when they see this:

Starting Nmap 5.21 ( http://nmap.org ) at 2012-xx-xx 18:25 EAT
Nmap scan report for xxx.xxx.xxx.xxx

Host is up (0.0037s latency).
All 1000 scanned ports on xxx.xxx.xxx.xxx are closed

I used to be there too; experience is the best teacher. Nothing is impossible.

Next step was to check out the HQ office in town; they were on the top floors, up to the 20th, and the building was surrounded by others. Driving around town and getting parking was getting hectic. I needed a better solution. So I hired a van for three days and a driver, and packed in my gadgets for this adventure. We drove around the buildings as we looked for an easier way in without having to drive in; at the same time I had my antenna just a few inches out of the window, picking up one ESSID that had their org name on it. Let's call it Tazama1; it was a bit too faint to receive packets though. So eventually I knew there must be a Tazama2 and maybe a 3. With a building that is almost 20 floors, and the offices all the way up, I had a task. I had no tablet on me, and I really needed a good OS for this attack, so I had to find a way into the building with a good laptop and maybe extra batteries, just in case. (Should invest in a 12 hr laptop battery :D)

The building has a college and an entertainment office; as long as you knew their names, you could walk right through the main door. So I left the van, walked through the main door, social engineered the guards and went to the 2nd floor where the Entertainment Agency was located. I realized that the stairs weren't guarded, so up I ran to the 19th floor, and there I could get clear WiFi signals. That was the first vulnerability picked up. These guards seemed professional, but forgot to secure the stairs while having their men all over the corridors.

All the doors to the offices were locked with biometric hardware; to get in, you needed a fingerprint and a code. During this kind of assessment it's okay to try to break into them, but if you don't have good hardware you might end up being caught. It's an optional target, but remember, these days a pentester is like a plumber, a dentist or a mechanic. Everybody is always looking for a good one.

Breaking the equipment is bad for business, as the test is a covert operation, and that's why we call it BlackBox Penetration Testing.

There were no cameras in the hallway and the toilets weren't locked. The guards' room was locked though; it wasn't like a former pentest where we wore guards' uniforms and walked all over the company, a story for another blog post.

The WiFi access points were all hardened WPA, and all I could collect were handshakes, nothing further, to bruteforce later.

airodump-ng -c 9 --bssid xx:xx:xx:xx:xx:xx -w psk ath0

I tried not to use --ivs, since I wanted all packets, then de-authenticated the users; they all connected back and I grabbed all the data.

The first password list failed; no need to try further, maybe later on if there are no more holes to get through. DDoSing the WiFi wasn't an option; although bad guys would do the same to cause havoc, I had to choose between that and penetrating the systems.
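The de-authentication step described above is also the part a defender can see on the air. As an added example that is not from the original post, the Python below parses 802.11 management frame headers, reads the deauth reason code, and flags any BSSID that sees a burst of deauth frames in a short sliding window, which is the wireless IDS check that would have caught this step; the frames and MAC addresses are constructed for the demo, not captured from any engagement.

```python
import struct
from collections import defaultdict

DEAUTH_SUBTYPE = 0x0C  # 802.11 management subtype 12 = Deauthentication

def parse_mgmt_frame(raw):
    """Parse an 802.11 management frame header (addr1=DA, addr2=SA, addr3=BSSID).
    Returns None for non-management frames; deauths carry a 2-byte reason code."""
    if len(raw) < 24 or (raw[0] >> 2) & 0x3 != 0:   # type 0 = management
        return None
    frame = {"subtype": (raw[0] >> 4) & 0xF, "da": raw[4:10].hex(":"),
             "sa": raw[10:16].hex(":"), "bssid": raw[16:22].hex(":"), "reason": None}
    if frame["subtype"] == DEAUTH_SUBTYPE and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]   # little-endian
    return frame

def build_deauth(da, sa, bssid, reason=7):
    """Construct a deauth frame; used only to make sample input for this demo."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    # frame control 0xC0 0x00, duration, DA, SA, BSSID, seq ctrl, reason code
    return (b"\xc0\x00\x3a\x01" + mac(da) + mac(sa) + mac(bssid) + b"\x00\x00"
            + struct.pack("<H", reason))

def detect_deauth_storm(frames, window_s=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes).
    Returns {bssid: total_deauths} for each BSSID that saw >= threshold deauth
    frames inside any sliding window of window_s seconds."""
    times = defaultdict(list)
    for ts, raw in frames:
        f = parse_mgmt_frame(raw)
        if f and f["subtype"] == DEAUTH_SUBTYPE:
            times[f["bssid"]].append(ts)
    alerts = {}
    for bssid, ts_list in times.items():
        ts_list.sort()
        start = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window_s:   # slide window start forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[bssid] = len(ts_list)
                break
    return alerts
# Constructed sample: 40 broadcast deauths in 0.4 s from AP_A (a storm), plus two
# ordinary deauths minutes apart from AP_B (a client leaving, reason code 3).
AP_A, AP_B, BCAST = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "ff:ff:ff:ff:ff:ff"
SAMPLE = [(0.01 * i, build_deauth(BCAST, AP_A, AP_A)) for i in range(40)]
SAMPLE += [(5.0, build_deauth("de:ad:be:ef:00:01", AP_B, AP_B, 3)),
           (125.0, build_deauth("de:ad:be:ef:00:02", AP_B, AP_B, 3))]
print(detect_deauth_storm(SAMPLE))  # {'aa:bb:cc:00:00:01': 40}
```

On a real monitor-mode capture the same function runs over (timestamp, frame) pairs pulled from a pcap; a burst of broadcast deauths with reason code 7 from a single BSSID is the classic signature of a forced reconnect.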

The weekend was approaching, and all I had were WPA handshakes, the building structure, physical security and the organization chart. So I decided to explore further, and the building had basement floors where employees park their cars.

Now one thing you will find in most cities is that parking lots are labeled with the company name and who is supposed to park there. This is good for governance but at the same time can be used against the organization. By the end of that day, I had the names and a few car number plates of the users. The target was the IT tech team; yes, it has always been.

Developing plans for the next attack, in the coming week, was harder, because it needed a second player, someone equipped with the art of deception. I needed someone to sell a good lie. This is where putting on a little show, making someone angry or making them work hard to get a piece of information, without compromising the real intention of the whole scenario, seemed really chaotic at this moment. A great way to get people talking about their security is to put them on the defensive: accuse an Information Security guy of having bad IDS systems and weak firewalls, and before you know it he's telling you where his motion detectors are, what WAF he uses, and even the IPS configuration. With not much experience in this, a backup plan was underway.

Now, the backup plan was to follow the IT Manager to his house, and hope he has WiFi and carries his laptop home with him. This seemed better, and this time I went with one of my fellow workmates.

Monday is pretty chaotic in the city; traffic is all over the streets from morning to evening, and trailing someone might seem really hard, especially with City Cops not allowing motorists to use street lights. So we decided to unplug my car GPS, stick it with glue under his car, and secure it in a way that it wouldn't fall off due to the bad roads in Nairobi. The GPS, if well charged, can be up for 6-7 hrs. From here, there was no need to trail our mark, only to wait for him to park his car the next day in the basement, pick up the GPS, charge it and check out his route.

This whole plan worked okay throughout, with only one issue: he was living in Umoja Estate. This estate is a little crowded; doing recon in such a diverse area was getting almost unreasonable for this type of work, especially at night, due to the risk of getting mugged or robbed, depending on how many hours we might spend breaking into his home WiFi.

Luck was on our side: it was on WEP and a cheaper, older router. No wonder he had no access to WPA security. With SMB shares on the laptop, we were in via smbclient, and able to learn the version of the antivirus and understand which type of exe to upload. Mostly, the best way is to set it up on the C: drive, which is frequently opened. With an Autorun file set up, the executable will quickly launch in the background.

With smbclient, you can't read the SAM, or even copy it. And even if you copied it, it would still have problems decrypting; a meterpreter callback would give us the hashes, all cleaned up. But nowadays, in real-life pentests MSF seems not to do much, so if you can, use your own prepared tools. On this one, Symantec Endpoint Protection was hell and back. Metasploit was not an option here.

The exe didn't call back until after five days; we used that time to go through any sort of data we had pulled from his drive. Machines running Windows XP don't have much security even when hooked up to a secure domain, and I still wonder why Security Departments let workstations still share files or hard drives to the network.

A workstation is not a server!

We pulled SQL files and downloaded PSTs, which had some information about the employee entry cards and biometric data. All the vulnerability reports done by the Information Security Dept were also there, so we knew all the specific types of servers and their internal IP addresses, decrypted a lot of passwords, and this time we had a connection from our zombie, and it was from the Tazama internal network. This is a classic Advanced Persistent Threat.

Now with this form of encrypted network attack, scanning throughout the network is much easier, and more vulnerabilities were picked up, plus new targets.

Reporting and cleaning up are always the last options for a penetration tester.

Show the customer the risks, and group them by:

a) Ease of Identification
b) Ease of Exploitation
c) The impact to the Business
d) Overall Risks
e) Recommendations

More blogs to come,

The thing about security is that the very things that protect you can be turned against you by someone who knows what he's doing.

signing off,