Sharpen your axe with BackTrack – Gathering phase [Part 2]

Find your account
As for the hosts, users discovering can be done using many methods. You can scan Google searching for email accounts of your target company, explore corporate Web pages looking at pdf or word documents and who are the creators of this documents; if you have access to the LAN you are testing, you can try to get information from SNMP or SMTP protocol. Below are some scripts and programs that will help you, present in BT.
The harvest, by Edge-Security Research, is a very useful one. It searches for a company name in various resources database (Google, Linkedin, PGP, Bing) and can be used to extract probable username. In Figure 5 you can see the result of a research: maybe vdiaz, cdelojo, cmartorella, and xmendez are also FTP, SSH or RDP users.
Again by Edge-Security.com, you can use metagoofil (/pentest/enumeration/google/metagoofil/) to try to find users that create documents, downloadable from the domain you point at, such as docs or pdfs.

Figure 5

As well as using Web search to catch company users’ names/usernames, you can try to obtain information by SNMP or SMTP.
SNMP is a protocol based on UTP that is often used to monitor server service status. The authentication methods (community strings) are passed in clear and often have the default state (public or private), so you can easily try to find it in order to get many information.
You can use programs such Snmpenum and Onesixtyone for this. Let’s see how they work.
Initially you have to use Onesixtyone to enumerate comunity strings; with the info collected before, make a list of hosts and write it down to a file (/tmp/hosts.txt), then point to pentest/enumeration/snmp/onesixtyone and do the following:

In this command you use a file dict.txt, already present in the onesixtyone folder, to ‘brute force’ the community strings; you use the hosts file you have found before to set targets and, at the end, make a log file.
In Figure 6 you can find a sample of what you can get. In the sample you see some printers, some switches and a server (192.168.1.10).

Figure 6

Go on and use snmpenum over 192.168.1.10 setting ‘public’ as community string, and the windows.txt template (already present) to merge output information (see Figure 7).

Figure 7

This is just a sample, but you can get much more information than these using SNMP. You can find processes running, opened ports, system information and much more.
For now, limit yourself to the users. What you want is to create a document like hosts.txt but with possible user names.
There are many other methods to identify users such as using SMTP server (smtpscan) and try to test the VRFY functionality (smtp-user-enum). Spidering a target website to collect unique words (/pentest/password/cewl) or sniffing network traffic (Wireshark) can also be useful. In the Backtrack > Information Gathering > Network analysis menu you can find many tools to reach your target. Try to find as many names as you can, but do not forget to add to your list the most common user names (root, admin, administrator).

Map the NET
Let’s have a look at network scanners, limiting us to a simple scan, with the only objective to find some services that can be used as a target.
Please, make sure to keep in mind that scanners are much more than what you will read here.
Of course, NC can be used as a network scanner, but the best programs are Unicorscan and Nmap so let’s start with the first one. The commands in Figure 8 perform a simple scan, pointing at a single target (192.168.34.135), testing common TCP (-m T) and UTP (-m U) ports, typically those used by common services such as FTP, SSH, SMB, MySQL. The last command in Figure 8 is a scan of all the subnet 192.168.34.*, but only on FTP, SSH, SMB, and RDP ports.

Figure 8

You can perform the same thing using Nmap. The command nmap 192.168.34.135 scans TCP common port; if you add -sU option it will scan UDP ports. The single target can be replaced with 192.168.34.*, 192.164.34.0/24 or your hosts.txt to explore all subnet or specific IPs; adding the option
-p 21-23,3389 you will limit the scan to port 21, 22, 23 and 3389. The result will be probably the same but if you try Nmap you will see more information. In addition, it can be quickly implemented to determinate what kind of program is listening over the port discovered (-sV) and what operating system is installed (-O). Please, take a look at the Nmap help to learn more options and remember that man command or help are always your friends. If you are afraid to use the Terminal, use the Nmap GUI: Zenmap.
You have to remember that every GUI is at least one layer over its command-line program; anyway let’s use the graphic interface of Nmap and try to find FTP, SSH, Telnet and RDP services in the subnet (Figure 9).
Scanners make a list of hosts using FTP, another one of hosts using RDP, and so on.

Figure 9

Get the Keys
Well done! You have completed your basic network gathering phase, now you can merge all your lists and launch your first attack. What do you need? A username list, a file listing hosts with the specific service, a password list, and a program to put everything together. You don’t have the password list, but one can be easily found in the folder /pentest/password/wordlist/ or by a search on the Web. The kind of attack you will do is called ‘wordlist attack’: it is not the most elegant way to perform a penetration test, but it may be very incisive.
The program you can use to join your lists is Hydra (or its GUI xHydra). Figure 10 explains how it works.
Open the Hydra GUI (Privilege Escalation > Password Attacks > Online Attacks > Hydra-gtk)
and, in the Target tab, insert the target list (e.g.FTP_hosts.txt), the port to test and the protocol (21 / FTP).

Figure 10

The options ‘Show attempts’ and ‘Be verbose’ are useful to better understand what the program does. Go in the Password tab and insert the user and the password lists; don’t forget to check ‘try login as password’ and ‘try empty password’. For a basic test don’t use Tuning and Specific tabs; move to the Start tab and run the attack. It takes a while, but I Hope you can find some user and password association.
You can also try to extend your lists to have more chances, but remember that such attack may take a very long time. In a pen test you must have a very strong reason to spend 8 or more hours for a word list attack.
Anyway, if you find some associations, write them down and be ready to reuse it: users are used to use the same password for more than one service.
You can start to write a file with user:password, you will use it on Hydra in the Password tab instead of users and passwords lists. When you discover a new service, you can first use Hydra with the new file created and then the lists of users and passwords. This will speed up your work.

I hope you now have the user/password to access the FTP, SMB or, if you are lucky, the SSH, or RDP.
This is not the end of the test, this is the beginning. You will use this access to gain more information and to find more vulnerability all over the LAN.
But what about if you can’t find anything? Don’t worry, these are just the first arrows in your quiver. After these, you can try many other things such as web vectors, exploit some vulnerability, or ARP poissoning. There are so many options that the only limit is you and every discovery is the start for the next one.

So when you open a new port, restart from the beginning, restart from sharpenning your axe.

Sharpen your axe with BackTrack – Gathering phase [Part 1]

Abraham Lincoln said ‘Give me six hours to chop down a tree and I will spend the first four sharpening the axe’. This is really the basic concept and the start point of every penetration test.

In a pen test you have to sharpen your axe first by gathering information. The more you obtain, the more surface to attack you will have. The gathering phase isn’t the most exciting one, but surely it is the one that will let you make things better and smarter. So what do you need? Let’s see.
First, you need an adequate system with the right toolkit and a little knowledge of how they work. We will use one of the latest versions of BackTrack (BT) because it is a powerful and widespread operating system, so it will be quite simple to get support or tutorials on the Web: Youtube has a video for almost all the BT tools.
The best way to start with BT is virtualization: you can download its virtual machine ready to be started. In addition, using virtualization, you can easily start a cheap and smart LAB to perform your tests. If you already have a test network, you can also use the bootable CD.

Next you have to be calm and patient, only this way you can collect information and inspect them rightly. You can make your own check-list of tests to do or copy one from the Web, but, when you have your list, you have to follow it meticulously. Remember that you are sharpening.

Now you need to write down all the data you collected in order to have everything recorded so that you can analyze it even when you aren’t connected to the LAN you have to test. Furthermore you will use these records to make a detailed report for your customer or to roll back in case you mess something up.
I use Keepnote to keep track of all my operations and results and Zenmap (Nmap GUI) to map the net, but BT has many more powerful tools than these. Maltego, for example, is awesome.

My friend Netcat
Now let’s start to use the father of all tools, the famous ‘Swiss-army knife for TCP/IP: Netcat‘. Essentially, NC, is a utility which reads and writes data across network connections, using TCP or UDP transport. Nothing more, nothing less.
So why is it so important? When a PC user without experience wants to test if his machine is browsing the Internet, he opens his browser and points to a common address: www.google.com.
This is not the best test he could do, he only finds out if he is browsing, but what about if he is not browsing? So the approach must be different. He has to start from a layer closer to the PC, not closer to the user, and investigate the causes, step by step, up to the human layer.
You are not an inexperienced person, so you start by opening a command shell and pinging your gateway. Is it responding? If not, check it. Then ping an external IP address (e.g. 8.8.8.8 that is the Google DNS). Is it responding? Alright, you are able to go out of your network. Next you test if your DNS is working by pinging a DNS name like www.google.com. Only if all works fine, you open your browser and test the connection. Also, from the browser you can have a problem (e.g. a misconfigured proxy set in the browser) but, after all the tests you have done previously, you can rule out all lower layers and focus on the current one.
That’s why NC is so important. It allow you to start from the lowest layer, it is the equivalent of the ping command used in the example, but it has many more applications.

Well, open your Terminal window and have a look at the NC help.

At the beginning you will use options -l(set NC in listening mode), -v (verbose mode is always better) and -p (set port where NC is listening).Try this:
Open two Terminal windows in the same machine. In the first window start a service that listens
on a specific port using Netcat (it is called the listener).

If you have a look at the network connection of your BT machine, using the command netstat -nat, you will find a listening connection on port 4444 (tcp 0.0.0.0:4444 LISTEN).
In the second window use NC as a client and connect to localhost on port 4444

Hit enter and you establish a simple connection with NC, but what is this?
Essentially, it is a simple chat. If you write something in window 1, it will redirect to windows 2 andvice versa (see Figure 1).

Figure 1

So NC is a program that allows you to communicate using TCP or UDP protocols and you can use it whether as a client or as a server. TCP/UDP connections are more useful than a simple chat: you can use NC to test if a remote port is open, to grab information about a service listening on a remote PC (the banner) and to connect to this service; otherwise you can use it to redirect text, request html page, and, last but not least, remotely admin a PC.
If you have two PCs try to use NC between them or just continue the testing in the same machine (that is the lower layer).
For example, you can try to pass text:

…and if the listener is as the following, you can also
create a file with the text sent:

You can also try the -c option for remote administration.
I suggest you to dig the Internet to search more about Netcat use.

Network hosts identification
As I said, finding information about the target is the base of a successful test. What is the first thing you have to do when you reach a LAN you have to check? Find hosts to use as targets. If you can, create your own hosts individuation scripts using ping and NC or use some of the wonderful tools present in BT. In my opinion, the best are Unicornscan and Nmap, but, since I will shortly explain them later, let’s explore some other programs with less possibility, but working as well.
Start using netdiscover to find live hosts. Using netdiscover -P a network scan is started using common LAN address (the one you are connected to) (see Figure 2).
Netdiscover can be also used on another network interface (-i) and IP range (-r). The -P option is useful for a better output. Netdiscover is a continuing scan tool: it scans over and over the net in order to find new hosts and it could be used to
implement a very simple intrusion detection system. To stop the scan you have to use [CTRL+C].
In a similar way you can use fping with option -g to analyze a range of IPs. Note that fping uses ICMP protocol, whereas netdiscover uses ARP protocol to locate network hosts – this is a good double check.

Figure 2

Don’t forget to write down everything and trace all. Particularly start to compile a list of live hosts. You can also try to give a DNS name to the hosts you find using smbscan, but you will notice that the program can find only a few, those with net bios name enable.
Let’s now try to find something more using DNS discovering. If you are in a domain or if you are scanning for DNS name in the Web, you can try to operate a DNS zone transfer and capture DNS records.
When you can perform this operation, you get other sensible information and, maybe, hosts not previously discovered.
The DNS transfer zone is a query that synchronizes Primary and Secondary DNS servers but if administrators misconfigure them, everyone can query for transfer and get all DNS records. DNSenum is a tool that tries to make a zone transfer and catch the results. The basic operation is quite simple: you just have to set the domain name to target.
Note that you can try the zone transfer both on a local (see Figure 3) or an Internet domain (see Figure 4).
You have to notice that a DNS zone transfer, even if successfully done, does not give hackers a direct access to the servers, but gives them many information that can be useful to expand the attack surface. Look at Figure 4; the DNS transfer zone highlights at least 3 attack vectors: webmail, ftp, sftp.

Figure 3

Figure 4

It is therefore essential to block all the attacks and scans you can. Also ARP and ICMP scans must be stopped in a protected LAN. Unfortunately this isn’t always practicable: in a Microsoft domain, for example, some administrative system tools do not work with restrictive local firewall policies.
It is not easy to find balance between security and efficiency.

You have done a good hosts analysis and you have a list of IPs alive in the network. Now you can start user account identification.

[end of part 1]

You can find other NetCat info in this post