Tactical Exploitations – The other Way to Pentest

Encontrei isto e estou lendo, é bem interessante e tem muitos tópicos bacanas, acredito que seja um Must Have para todos os que trabalham com Pentest/Security

Autores : H D Moore (hdm[at]metasploit.com) ; Valsmith valsmith[at]metasploit.com)
Último Update: 08/09/2007

Título : Tactical Exploitation OR “The Other Way to Pen-Test” OR “Random Pwning Fun Bag”

1.1 Abstract
Penetration testing often focuses on individual vulnerabilities and services. This
paper introduces a tactical approach that does not rely on exploiting known
flaws. The first section of this paper covers information gathering and discovery
techniques, with a concentration on third-party services and new tools. The
second section of this paper combines the information discovery techniques in
the first section with various protocol and implementation weaknesses, in order
to provide clear steps for gaining access to a target network.

Contents
1 Introduction 3
1.1 Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Author Bio – HD Moore . . . . . . . . . . . . . . . . . . . . . . . 4
1.4 Author Bio – Valsmith . . . . . . . . . . . . . . . . . . . . . . . . 4
1.5 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 The Tactical Approach 5
2.1 Vulnerabilties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Competition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3 Information Discovery 6
3.1 Personnel Discovery . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.1 Search Engines . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.2 Paterva’s Evolution . . . . . . . . . . . . . . . . . . . . . 7
3.2 Network Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2.1 Discovery Services . . . . . . . . . . . . . . . . . . . . . . 8
3.2.2 Bounce Messages . . . . . . . . . . . . . . . . . . . . . . . 9
3.2.3 Virtual Hosting . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2.4 Outbound DNS . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2.5 Direct Contact . . . . . . . . . . . . . . . . . . . . . . . . 11
3.3 Firewalls and IPS . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.3.1 Firewall Identification . . . . . . . . . . . . . . . . . . . . 12
3.3.2 IPS Identification . . . . . . . . . . . . . . . . . . . . . . . 12
3.4 Application Discovery . . . . . . . . . . . . . . . . . . . . . . . . 12
3.4.1 Slow and Steady wins the Deface . . . . . . . . . . . . . . 12
3.4.2 Finding Web Apps with W3AF . . . . . . . . . . . . . . . 13
3.4.3 Metasploit 3 Discovery Modules . . . . . . . . . . . . . . 13
3.5 Client Application Discovery . . . . . . . . . . . . . . . . . . . . 14
3.5.1 Browser Fingerprinting . . . . . . . . . . . . . . . . . . . 14
3.5.2 Mail Client Fingerprinting . . . . . . . . . . . . . . . . . . 15
3.5.3 SMB Client Fingerprinting . . . . . . . . . . . . . . . . . 15
3.6 Process Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.6.1 Traffic Monitoring with IP IDs . . . . . . . . . . . . . . . 16
3.6.2 Web Site Monitoring with HTTP . . . . . . . . . . . . . . 17
3.6.3 Usage Monitoring with MS FTP . . . . . . . . . . . . . . 17
4 Information Exploitation 19
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.2 External Networks . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.2.1 Attacking File Transfers . . . . . . . . . . . . . . . . . . . 19
4.2.2 Attacking Mail Services . . . . . . . . . . . . . . . . . . . 21
4.2.3 Attacking Web Servers . . . . . . . . . . . . . . . . . . . . 21
4.2.4 Attacking DNS Servers . . . . . . . . . . . . . . . . . . . 21
4.2.5 Attacking Database Servers . . . . . . . . . . . . . . . . . 22
4.2.6 Attacking NTLM Authentication . . . . . . . . . . . . . . 22
4.2.7 Free Hardware . . . . . . . . . . . . . . . . . . . . . . . . 23
4.3 Internal Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.3.1 Web Proxy Auto-Discovery Protocol . . . . . . . . . . . . 24
4.3.2 Microsoft DNS Servers . . . . . . . . . . . . . . . . . . . . 24
4.3.3 Microsoft WINS Servers . . . . . . . . . . . . . . . . . . . 25
4.3.4 Exploiting NTLM Relays . . . . . . . . . . . . . . . . . . 25
4.3.5 SMB and Samba . . . . . . . . . . . . . . . . . . . . . . . 26
4.4 Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.4.1 NFS Home Directories . . . . . . . . . . . . . . . . . . . . 29
4.4.2 Hijacking SSH . . . . . . . . . . . . . . . . . . . . . . . . 30
4.4.3 Hijacking Kerberos . . . . . . . . . . . . . . . . . . . . . . 31
5 Conclusion 34

Aproveitem este livro maravilhoso escrito por quem realmente entende da coisa =]
http://packetstorm.offensive-security.com/papers/attack/tactical_paper.pdf

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s