Mastering Metasploit
上QQ阅读APP看书,第一时间看更新

Setting up the environment

Before we start firing sophisticated and complex attack vectors with Metasploit, we must get ourselves comfortable with the work environment. Gathering knowledge about the work environment is really a critical factor, which comes into play before conducting a penetration test. Let's understand the various phases of a penetration test before jumping into Metasploit exercises and see how to organize a penetration test on a professional scale.

Preinteractions

The very first phase of a penetration test, preinteractions, involves a discussion of the critical factors regarding the conduct of a penetration test on a client's organization, company, institute, or network; this is done with the client himself or herself. This serves as the connecting line between the penetration tester and the client. Preinteractions help a client get enough knowledge on what is about to be done over his or her network/domain or server. Therefore, the tester here will serve as an educator to the client. The penetration tester also discusses the scope of the test, all the domains that will be tested, and any special requirements that will be needed while conducting the test on the client's behalf. This includes special privileges, access to critical systems, and so on. The expected positives of the test should also be part of the discussion with the client in this phase. As a process, preinteractions discuss some of the following key points:

  • Scoping: This section discusses the scope of the project and estimates the size of the project. Scope also defines what to include for testing and what to exclude from the test. A tester also discusses ranges and domains under the scope and the type of test (black box or white box) to be performed. For white box testing, what all access options are required by the tester? Questionnaires for administrators, time duration for the test, whether to include stress testing or not, and payment for setting up the terms and conditions are included in the scope.
  • Goals: This section discusses various primary and secondary goals that a penetration test is set to achieve.
  • Testing terms and definitions: This section discusses basic terminologies with the client and helps him or her understand the terms well.
  • Rules of engagement: This section defines the time of testing, timeline, permissions to attack, and regular meetings to update the status of the ongoing test.

Note

For more information on preinteractions, refer to http://www.pentest-standard.org/index.php/File:Pre-engagement.png.

Intelligence gathering / reconnaissance phase

In the intelligence gathering phase, you need to gather as much information as possible about the target network. The target network can be a website, an organization, or might be a full-fledged fortune company. The most important aspect is to gather information about the target from social media networks and use Google dorks (a way to extract sensitive information from Google using specialized queries) to find sensitive information related to the target. Foot printing the organization using active and passive attacks can also be an approach.

The intelligence phase is one of the most crucial phases in penetration testing. Properly gained knowledge about the target will help the tester to stimulate appropriate and exact attacks, rather than trying all possible attack mechanisms; it will also help him or her save an ample amount of time as well. This phase will consume 40 to 60 percent of the total time of the testing, as gaining access to the target depends largely upon how well the system is foot printed.

It's the duty of a penetration tester to gain adequate knowledge about the target by conducting a variety of scans; scanning for services, looking for open ports, and identifying all the services running on those ports, and also to decide which services are vulnerable and how to make use of them to enter into the desired system.

The procedures followed during this phase are required to identify the security policies that are currently set in place at the target, and what can we do to breach them.

Let's discuss this using an example. Consider a black box test against a web server, where the client wants to get his or her network tested against stress testing. Here, we will be testing a server to see what level of stress it can bear, or in simple terms, how the server is responding to the Denial of Service (DoS) attack. A DoS attack or a stress test is the name given to the procedure of sending indefinite requests or data to a server in order to check whether the server handles all the requests successfully or goes down issuing a denial of service.

In order to achieve this, we start our network stress-testing tool and launch an attack towards a target website. However, after a few seconds of launching the attack, we see that the server is not responding to our browser and the website does not open. Additionally, a page shows up saying that the website is currently offline. So what does this mean? Did we successfully take out the web server we wanted? Not at all. In reality, it is a sign of protection mechanism, which is set in place by the server administrator that sensed our malicious intent of taking the server down, and it bans our IP address. Hence, we must collect correct information and identify various services at the target before launching an attack.

Therefore, the better approach can be to test the web server from a different IP range. Maybe keeping two to three different virtual private servers for testing is a good approach. In addition, I advise you to test all the attack vectors under a virtual environment before launching these attack vectors onto the real targets. A proper validation of the attack vectors is mandatory because if we do not validate the attack vectors prior to the attack, it may crash the service at the target, which is not favorable at all.

Now, let's look at the second example. Consider a white box test against a Windows 2000 server. We know that the server is vulnerable to the very common vulnerability in the Windows 2000 server, that is, the distributed component object model (DCOM) exploit. However, when we try to attack it, we do not get the option to access it. Instead, we get an error indicating that the connection is failed or a connection to the given remote address cannot be established. Most likely, this happens because of the use of an added third-party firewall, which blocks the traffic and doesn't let us enter the system premises.

In this case, we can simply change our approach to connecting back from the server, which will establish a connection from the target back to our system, rather than us connecting to the server directly. This is because there might be a possibility that the outbound traffic may not be highly filtered compared to the inbound traffic.

This phase involves the following procedures when viewed as a process:

  • Target selection: This involves selecting the targets to attack, identifying the goals of the attack, and the time of the attack.
  • Covert gathering: This involves on-location gathering, the equipment in use, and dumpster diving. Also, it covers off-site gathering that involves data warehouses' identification; this phase is generally considered during a white box penetration test.
  • Foot printing: This involves active or passive scans to identify various technologies used at the target, which include port scanning, banner grabbing, and so on.
  • Identifying protection mechanisms: This involves identifying firewalls, filtering systems, network- and host-based protections, and so on.

Note

For more information on gathering intelligence, refer to http://www.pentest-standard.org/index.php/Intelligence_Gathering.

Presensing the test grounds

It happens most of the times throughout a penetration tester's life that when he or she starts testing an environment, he or she knows what to do next. What it means is that if he or she sees a Windows box running, he or she switches his approach towards the exploits that works perfectly for Windows. An example of this might be an exploit for the NETAPI vulnerability, which is the most favorable choice for testing a Windows XP box. Suppose, he or she needs to visit an organization, and before going there, he or she comes to know that 90 percent of the machines in the organization are running on Windows XP, and some of them use Windows 2000 Server. He or she quickly builds a mindset that he or she will be using the NETAPI exploit for XP-based systems and the DCOM exploit for Windows 2000 server from Metasploit to successfully complete the testing phase. However, we will also see how we can use these exploits practically in the latter phase of this chapter.

Consider another example of a white box test on a web server where the server is hosting ASP and ASPX pages. In this case, we switch our approach to use Windows-based exploits and Internet Information Services (IIS) testing tools. Therefore, ignoring the exploits and tools for Linux.

Hence, presensing the environment under a test provides an upper hand to build a strategy of the test that we need to follow at the client's site.

Note

For more information on the NETAPI vulnerability, visit http://technet.microsoft.com/en-us/security/bulletin/ms08-067.

For more information on the DCOM vulnerability, visit http://www.rapid7.com/db/modules/exploit/Windows /dcerpc/ms03_026_dcom.

Modeling threats

In order to conduct a correct penetration test, threat modeling is required. This phase focuses on modeling out correct threats, their effect, and their categorization based on the impact they can cause. However, based on the analysis made during the intelligence-gathering phase, we can model out the best possible attack vectors for a target in this phase. Threat modeling applies to business asset analysis, process analysis, threat analysis, and threat capability analysis. This phase answers the following set of questions:

  • How can we attack a particular network?
  • What is the crucial data we need to gain access to?
  • What approach is best suited for the attack?
  • What are the highest-rated threats?

Modeling threats will help a penetration tester to perform the following set of operations:

  • Gather relevant documentation about high-level threats
  • Identify an organization's assets on a categorical basis
  • Identify and categorize threats
  • Mapping threats to the assets of an organization

Modeling threats will help to define assets of the highest priority with threats that can influence these assets.

Now, let's discuss the third example. Consider a black box test against a company's website. Here, information about the company's clients is the primary asset. However, it is also possible that in a different database on the same backend, transaction records are also stored. In this case, an attacker can use the threat of a SQL injection to step over to the transaction records database. Hence, transaction records are the secondary asset. Therefore, mapping a SQL injection attack to primary and secondary assets is achievable during this phase.

Vulnerability scanners such as Nessus can help model out threats clearly and quickly using the automated approach. This can prove to be handy while conducting large tests.

Note

For more information on the processes involved during the threat modeling phase, refer to http://www.pentest-standard.org/index.php/Threat_Modeling.

Vulnerability analysis

Vulnerability analysis is the process of discovering flaws in a system or an application. These flaws can vary from a server to web application, an insecure application design to vulnerable database services, and a VOIP-based server to SCADA-based services. This phase generally contains three different mechanisms, which are testing, validation, and research. Testing consists of active and passive tests. Validation consists of dropping the false positives and confirming the existence of vulnerability through manual validations. Research refers to verifying a vulnerability that is found and triggering it to confirm its existence.

Note

For more information on the processes involved during the threat modeling phase, refer to http://www.pentest-standard.org/index.php/Vulnerability_Analysis.

Exploitation and post-exploitation

The exploitation phase involves taking advantage of the previously discovered vulnerabilities. This phase is considered to be the actual attack phase. In this phase, a penetration tester fires up exploits at the target vulnerabilities of a system in order to gain access. This phase is covered majorly throughout the book.

The post-exploitation phase is the latter phase of exploitation. This phase covers various tasks that we can perform on an exploited system, such as elevating privileges, uploading/downloading files, pivoting, and so on.

Note

For more information on the processes involved during the exploitation phase, refer to http://www.pentest-standard.org/index.php/Exploitation. For more information on post exploitation, refer to http://www.pentest-standard.org/index.php/Post_Exploitation.

Reporting

Creating a formal report of the entire penetration test is the last phase to conduct while carrying out a penetration test. Identifying key vulnerabilities, creating charts and graphs, recommendations, and proposed fixes are a vital part of the penetration test report. An entire section dedicated to reporting is covered in the latter half of this book.

Tip

For more information on the processes involved during the threat modeling phase, refer to http://www.pentest-standard.org/index.php/Reporting.