<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-5852526213404255825</atom:id><lastBuildDate>Sun, 22 Jul 2012 16:37:32 +0000</lastBuildDate><category>Nmap</category><category>test lab</category><category>webapp</category><category>books</category><category>training</category><category>scanning</category><title>Tent Pester</title><description>A blog describing the path from newbie to professional penetration tester</description><link>http://tentpester.blogspot.com/</link><managingEditor>noreply@blogger.com (Dave)</managingEditor><generator>Blogger</generator><openSearch:totalResults>12</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/TentPester" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="tentpester" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item><guid isPermaLink="false">tag:blogger.com,1999:blog-5852526213404255825.post-7848375046209636375</guid><pubDate>Thu, 08 Mar 2012 22:32:00 +0000</pubDate><atom:updated>2012-03-08T22:32:22.964Z</atom:updated><category domain="http://www.blogger.com/atom/ns#">training</category><category domain="http://www.blogger.com/atom/ns#">test lab</category><category domain="http://www.blogger.com/atom/ns#">webapp</category><title>OWASP 
Broken Web Applications</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-oX_e3DlNjHc/T1kzHQyYs3I/AAAAAAAAAEk/ZtgHGos-in4/s1600/brokenweb.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://4.bp.blogspot.com/-oX_e3DlNjHc/T1kzHQyYs3I/AAAAAAAAAEk/ZtgHGos-in4/s200/brokenweb.jpg" width="150" /&gt;&lt;/a&gt;&lt;/div&gt;Thanks to Anthony Towry for suggesting this VM. I managed to get it installed on my ESXi host recently without too much trouble. Initially it wouldn't run, but after converting it with VMware vCenter Converter it runs perfectly.&lt;br /&gt;
&lt;br /&gt;
WebGoat wasn't exactly what I was expecting though. On the project homepage it is described like this:&lt;br /&gt;
&lt;i&gt;"&lt;b&gt;WebGoat&lt;/b&gt; is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security  issue by exploiting a real vulnerability in the WebGoat application."&lt;/i&gt;&lt;br /&gt;
I began the first lesson, HTTP Splitting, and it states in the lesson plan that Stage 1 teaches you how to do HTTP Splitting attacks&lt;i&gt; &lt;/i&gt;while stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poinsoning. But I am at a loss to find the actual lesson! As far as I can tell it doesn't actually teach you how to perform the attack just gives you a platform to perform the attack. &lt;br /&gt;
&lt;br /&gt;
The solution video shows you how to complete the attack but it doesn't explain why you are doing each stage. I'm not looking to be spoon fed but as a newbie to web application security I was hoping for a bit more information.&lt;br /&gt;
&lt;br /&gt;
Am I missing something? An accompanying guide perhaps?&lt;/div&gt;</description><link>http://tentpester.blogspot.com/2012/03/owasp-broken-web-applications.html</link><author>noreply@blogger.com (Dave)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-oX_e3DlNjHc/T1kzHQyYs3I/AAAAAAAAAEk/ZtgHGos-in4/s72-c/brokenweb.jpg" height="72" width="72" /><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-5852526213404255825.post-3081130348470021541</guid><pubDate>Tue, 07 Feb 2012 22:15:00 +0000</pubDate><atom:updated>2012-02-07T22:15:33.953Z</atom:updated><category domain="http://www.blogger.com/atom/ns#">training</category><category domain="http://www.blogger.com/atom/ns#">webapp</category><title>Web Application Testing</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-xQhUwo1_Geo/TysDyxo7ATI/AAAAAAAAAEY/yRm3-cXiIDQ/s1600/spidergoat.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="167" src="http://3.bp.blogspot.com/-xQhUwo1_Geo/TysDyxo7ATI/AAAAAAAAAEY/yRm3-cXiIDQ/s200/spidergoat.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;So I've finally booked my OSCP exam for the end of this month which leaves me a few weeks to revise what I have learnt. Even with the extension I was not able to compromise every machine in the lab but I got a large chunk of them!&lt;br /&gt;
&lt;br /&gt;
With the benefit of hindsight I think I should have approached the course differently. While it was certainly helpful to have the two weeks off to concentrate solely on the course, you can't think of it like a normal 09:30 - 17:00 five day course at a training centre. Although my evening time is limited, it would have been helpful to use the time between study weeks to kick off large port scans, brute force password checking etc. This would have saved quite a bit of the "quality" time I had dedicated to my training.&lt;br /&gt;
&lt;br /&gt;
Anyway the course has certainly been extremely useful and it has definitely accelerated my learning. The only area I still feel a bit weak on though is web application attack vectors. This is covered at the end of PWB and therefore I did not have as much time to spend in the labs with this as I would have liked. I also think that this is such a vast topic that it would require a course all to itself. I am going to try and fill some of the gaps in my knowledge before the exam.&lt;br /&gt;
&lt;br /&gt;
My pen tester contact had mentioned to me previously that a good source of information on web application attacks is the OWASP project (www.owasp.org). The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Browsing through their site they have a project called WebGoat which is designed to teach people how to test for and exploit typical web vulnerabilities. I'm going to install it and see what it's like; if I get the time I will try and post up the installation procedure and usage.&lt;/div&gt;</description><link>http://tentpester.blogspot.com/2012/02/web-application-testing.html</link><author>noreply@blogger.com (Dave)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-xQhUwo1_Geo/TysDyxo7ATI/AAAAAAAAAEY/yRm3-cXiIDQ/s72-c/spidergoat.jpg" height="72" width="72" /><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-5852526213404255825.post-1878327308964072029</guid><pubDate>Wed, 28 Dec 2011 14:41:00 +0000</pubDate><atom:updated>2011-12-30T11:33:17.153Z</atom:updated><category domain="http://www.blogger.com/atom/ns#">scanning</category><category domain="http://www.blogger.com/atom/ns#">training</category><title>Time flies...</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-ROz5R_S5gtY/TvsjvZ9k80I/AAAAAAAAAEQ/SuiXfRs-Fro/s1600/time_flies.jpg" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="72px" rea="true" src="http://4.bp.blogspot.com/-ROz5R_S5gtY/TvsjvZ9k80I/AAAAAAAAAEQ/SuiXfRs-Fro/s320/time_flies.jpg" width="320px" /&gt;&lt;/a&gt;&lt;/div&gt;I've just realised it's been a while since I last posted (again). 
I have been so engrossed with training for PWB (and other unplanned events) that I didn't realise it has almost been two months since my last post!&lt;br /&gt;
&lt;br /&gt;
I'm about three quarters of my way through the course material now but I'm just about to run out of labtime so will have to extend. I am hoping to schedule the exam for the end of January.&lt;br /&gt;
&lt;br /&gt;
One of the modules I have been working on includes a section on auxiliary modules within the Metasploit framework. This includes (amongst many other things) a lot of scanning utilities that I had previously used other tools for&amp;nbsp;- TCP SYN, ACK, NBT, SMTP, SNMP&amp;nbsp;and ARP scanning to name a few. My initial reaction to this was "why would you use anything else?". If MSF can do scanning, service enumeration, and exploitation why bother with the other tools?&lt;br /&gt;
&lt;br /&gt;
After a bit of testing however I found a lot of these modules to be unreliable. Particularly the TCP scanning tools. They seem to crash quite regularly with memory errors if you are scanning multiple hosts. Think I might stick with Nmap in future.&lt;br /&gt;
&lt;br /&gt;
EDIT: Just discovered Unicornscan. Unicornscan has its own dedicated TCP/IP stack so is very fast. It has saved me a lot of time when scanning multiple hosts in the labs.&lt;/div&gt;</description><link>http://tentpester.blogspot.com/2011/12/time-flies.html</link><author>noreply@blogger.com (Dave)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-ROz5R_S5gtY/TvsjvZ9k80I/AAAAAAAAAEQ/SuiXfRs-Fro/s72-c/time_flies.jpg" height="72" width="72" /><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-5852526213404255825.post-3811548667041048575</guid><pubDate>Mon, 07 Nov 2011 21:07:00 +0000</pubDate><atom:updated>2011-11-07T21:07:57.350Z</atom:updated><category domain="http://www.blogger.com/atom/ns#">training</category><title>PWB End of Week 1</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-eD58cvuTB7s/Trg7vURg9yI/AAAAAAAAACg/XkevaoftC6c/s1600/mind+blown.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-eD58cvuTB7s/Trg7vURg9yI/AAAAAAAAACg/XkevaoftC6c/s1600/mind+blown.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;I've just finished my first week of study and I think this picture just about sums things up. Wow! I can't tell you how much I am enjoying this course.&lt;br /&gt;
&lt;br /&gt;
In the first few pages they state "This course throws you into the deep end - very quickly" and they are not kidding. By the end of the first day I was writing shell scripts to automate tasks and by the end of the week I was writing them in Python. I'm not a programmer so this was a steep learning curve for me but what a feeling when that script runs and gives the intended result. The course does not spoon feed you the answers either like some other courses I've been on in the past so you really do have to engage brain.&lt;br /&gt;
&lt;br /&gt;
So far I've been focusing on Information Gathering techniques (with the likes of Google Hacking, Whois/DNS, SNMP and SMTP Reconnaissance) and Port Scanning (mostly with Nmap). I couldn't believe how much information is out there and how much you can find out about an organisation before you even 'touch' their network. They recommend Johnny Long's "Google Hacking for Penetration Testers" for further information but the latest version is four years old now. If anyone can comment on whether this is still relevant, or if there is something more recent, that would be appreciated.&lt;br /&gt;
&lt;br /&gt;
I'm only a week in but I would thoroughly recommend this course. It has definitely given me the shot in the arm I was looking for and I have learnt so much more (and more quickly) than if I had tried to do it purely "self taught". The course is a mix of lab guide and videos and while there are some inconsistencies between the two and the occasional inaccuracy (one section in both the guide and the video describes a tool called goog-mail.py which is no longer present in Backtrack, I had to download it from another site) it is not enough to hold you up for very long.&lt;br /&gt;
&lt;br /&gt;
I am glad I opted for the 60 days of lab time as well. I suppose it depends on how much free time a person has but for me I don't get that much time in the evenings so I will need to spread it out and there is a LOT more to learn.&lt;br /&gt;
&lt;br /&gt;
One thing I would definitely recommend is getting the lab guide printed out and bound before you start. It comes in PDF format and it is 300+ pages but I found it so much easier to read when it was printed out on a couple of trees. Sorry mother nature!&lt;/div&gt;</description><link>http://tentpester.blogspot.com/2011/11/pwb-end-of-week-1.html</link><author>noreply@blogger.com (Dave)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-eD58cvuTB7s/Trg7vURg9yI/AAAAAAAAACg/XkevaoftC6c/s72-c/mind+blown.jpg" height="72" width="72" /><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-5852526213404255825.post-7869590655374999183</guid><pubDate>Sun, 30 Oct 2011 19:59:00 +0000</pubDate><atom:updated>2011-10-30T19:59:46.192Z</atom:updated><category domain="http://www.blogger.com/atom/ns#">training</category><title>Brief Update</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-kYFeQoBvg4Y/Tq2pP3vIIwI/AAAAAAAAACI/1uq9UYSnUlE/s1600/brief.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="154" src="http://1.bp.blogspot.com/-kYFeQoBvg4Y/Tq2pP3vIIwI/AAAAAAAAACI/1uq9UYSnUlE/s200/brief.gif" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;I've not posted for a little while so just a quick update to prove I'm not dead! I've finally organised my PWB course and I'm due to start tomorrow. I've got the week off work to study and then another week in a month's time. In between I plan to study in the evenings.&lt;br /&gt;
&lt;br /&gt;
I've got sixty days of labtime so I will have to complete the exam by the end of December. It's going to be a tough couple of months but I'm really looking forward to it and can't wait to get started!&lt;br /&gt;
&lt;br /&gt;
Obviously I won't be able to share any details of the course on here but I will try and post some progress updates as I go.&lt;/div&gt;</description><link>http://tentpester.blogspot.com/2011/10/brief-update.html</link><author>noreply@blogger.com (Dave)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-kYFeQoBvg4Y/Tq2pP3vIIwI/AAAAAAAAACI/1uq9UYSnUlE/s72-c/brief.gif" height="72" width="72" /><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-5852526213404255825.post-7626782259332816590</guid><pubDate>Mon, 10 Oct 2011 21:46:00 +0000</pubDate><atom:updated>2011-10-10T22:46:56.212+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">scanning</category><title>Net Disco</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-Zsq-U2pJGFw/TpNLsC8lWBI/AAAAAAAAABs/vowP-CRD7fQ/s1600/Disco_ball.png" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" kca="true" src="http://3.bp.blogspot.com/-Zsq-U2pJGFw/TpNLsC8lWBI/AAAAAAAAABs/vowP-CRD7fQ/s200/Disco_ball.png" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;I thought I would check out Netdiscover this evening as recommended in a comment on my 'Beginning' post (thanks again!). Netdiscover is an active/passive ARP reconnaissance tool written by Jaime Penalba and is included with the BackTrack5 distribution.&lt;br /&gt;
&lt;br /&gt;
I am guessing that it works by sending out ARP requests for IP addresses in the subnet/range you wish to scan as a way of determining how many live hosts there are on the network. I also suspect that the "passive" mode doesn't send any requests, it just sits there and monitors what other ARP requests it sees. I am going to use Wireshark (a tool most network engineers are familiar with!) to try and see what it actually does.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-ZaoY4vAUpvQ/TpNPGc965TI/AAAAAAAAABw/ZHmkN_cb3NY/s1600/NetDisco1.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="221" kca="true" src="http://4.bp.blogspot.com/-ZaoY4vAUpvQ/TpNPGc965TI/AAAAAAAAABw/ZHmkN_cb3NY/s320/NetDisco1.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;So this is the screen you see when you fire up the tool. I won't go through all the options but the main ones appear to be -r (specify the subnet you wish to scan), -p (passive mode), -s (amount of time in milliseconds between each ARP request) and -c (number of times to send each ARP request). I imagine that the -s option would be useful if you are trying to avoid triggering any Intrusion Detection Systems, as too many ARP requests from the same source address in a short amount of time could look suspicious!&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-zYBwSaSmu0M/TpNUBNttJdI/AAAAAAAAAB0/72N_kfEwgf0/s1600/NetDisco2.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="79" kca="true" src="http://1.bp.blogspot.com/-zYBwSaSmu0M/TpNUBNttJdI/AAAAAAAAAB0/72N_kfEwgf0/s320/NetDisco2.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;So I've started with a normal scan using &lt;strong&gt;netdiscover -r 192.168.1.0/24 -s 1000&lt;/strong&gt;&lt;br /&gt;
I don't have any IDS at home to avoid but I wanted the scan to proceed fairly slowly so I could watch what happened in Wireshark.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-mzfVDoTTeAU/TpNV3HHFbvI/AAAAAAAAAB4/YlmHSxMr6Ts/s1600/WireShark1.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="142" kca="true" src="http://3.bp.blogspot.com/-mzfVDoTTeAU/TpNV3HHFbvI/AAAAAAAAAB4/YlmHSxMr6Ts/s320/WireShark1.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;This confirms that ND is sending ARP requests to each address in order to see if there is anything alive out there. The timestamps confirm the space between requests at 1 second.&lt;br /&gt;
Interestingly ND appears to use a false IP address for its ARP requests - 192.168.1.67! The IP address of the BT5 VM is 192.168.1.17 so I am not sure where this came from. Looking back through to the start of the capture I cannot see any checks being performed to see if this address was available or not, so I wonder how this address was decided upon? Further investigation required!&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://4.bp.blogspot.com/-EmCm_GZ_Sl4/TpNXtq_EI5I/AAAAAAAAAB8/uYdsdnWZYsc/s1600/NetDisco3.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="147" kca="true" src="http://4.bp.blogspot.com/-EmCm_GZ_Sl4/TpNXtq_EI5I/AAAAAAAAAB8/uYdsdnWZYsc/s320/NetDisco3.JPG" width="320" /&gt;&lt;/a&gt;&lt;br /&gt;
The results show nine live IPs detected which is the same amount as detected by AutoScan the other day. I have an additional&amp;nbsp;VM running this time but because the BT5 host is left out of the scan the total is the same. The vendors are identified automatically from the OUI of the MAC address&amp;nbsp;but again, as with Nmap, the iPhone wasn't recognised. Perhaps a new version/database update&amp;nbsp;is required?&lt;br /&gt;
&lt;br /&gt;
At this point I wonder why all the IPs are in order apart from the Nintendo lurking at the bottom. The capture shows that ND sent an ARP request for .13 in order but no response was received:&lt;br /&gt;
&lt;a href="http://2.bp.blogspot.com/-awWZFuT-PyM/TpNgvr_q4BI/AAAAAAAAACA/bxy_iAQZrtQ/s1600/WireShark2.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="46" kca="true" src="http://2.bp.blogspot.com/-awWZFuT-PyM/TpNgvr_q4BI/AAAAAAAAACA/bxy_iAQZrtQ/s640/WireShark2.JPG" width="640" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
I trawl through the capture looking for some clues when I come across this:&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-YM44eEWTgdc/TpNi2JMBiaI/AAAAAAAAACE/q6PqhiK_w40/s1600/WireShark3.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="67" kca="true" src="http://3.bp.blogspot.com/-YM44eEWTgdc/TpNi2JMBiaI/AAAAAAAAACE/q6PqhiK_w40/s640/WireShark3.JPG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Bingo! ND must automatically add hosts that it sees ARP traffic from even when doing an active scan. This must be the way it detects hosts when using the -p option as it will not be sending&amp;nbsp;any requests. I might try and find out if it adds hosts it sees any kind of traffic for or just ARP broadcasts.&lt;br /&gt;
&lt;/div&gt;</description><link>http://tentpester.blogspot.com/2011/10/net-disco.html</link><author>noreply@blogger.com (Dave)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-Zsq-U2pJGFw/TpNLsC8lWBI/AAAAAAAAABs/vowP-CRD7fQ/s72-c/Disco_ball.png" height="72" width="72" /><thr:total>4</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-5852526213404255825.post-7185118312232469957</guid><pubDate>Wed, 05 Oct 2011 15:37:00 +0000</pubDate><atom:updated>2011-10-05T16:37:06.114+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">training</category><title>Back to skool...</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-2XHduWPR8yY/ToxnTTPq9cI/AAAAAAAAABo/LN35MtT4wnc/s1600/blackboard_with_standletters.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="169" src="http://2.bp.blogspot.com/-2XHduWPR8yY/ToxnTTPq9cI/AAAAAAAAABo/LN35MtT4wnc/s200/blackboard_with_standletters.png" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;I've been looking into some qualifications and training courses to give me a bit of a kick start. I have noticed that a lot of the job advertisements for pen testers list CREST's (Council of Registered Ethical Security Testers) Registered Tester as a desirable qualification to have so I thought I would start my investigations there.&lt;br /&gt;
&lt;br /&gt;
I sent an email to CREST to ask if they provide or recommend any training courses for the Registered Tester exam. I got a fairly detailed response the next day explaining that there are currently no plans to offer training courses as they wish to ensure there is never a conflict of interest where the training provider also provides the examination. They sent links to a couple of courses that may or may not provide suitable preparation for the exam but at this time they were not officially endorsing them. They also sent me the titles of a couple of books recommended by the assessors (Hacking Exposed and Network Security Assessment) but I don't think I could learn enough from books to pass the exam - which includes a practical element.&lt;br /&gt;
&lt;br /&gt;
I've seen EC &lt;span style="font-family: inherit;"&gt;Council's &lt;/span&gt;Certified Ethical Hacker advertised a lot but I don't think it is CESG approved like CREST. On the plus side there is an associated training course and it seems to be widely available but on the negative side I haven't seen any jobs that are looking for CEH people. I decided to take a punt and email the pen tester that was on site at the start of the year to see if he was able to offer any &lt;span style="font-family: inherit;"&gt;recommendations&lt;/span&gt;.&lt;br /&gt;
&lt;br /&gt;
To be honest I wasn't expecting a reply as the guy must be quite busy and we only met the once! A few days later though I received a really detailed reply with a long list of recommendations on where to start, an overview of what the job was like and what you must be prepared to do (long hours, travelling, working alone etc.). He also highly recommended a course by Offensive Security called "Penetration Testing with Backtrack". EDIT - I have also since been recommended this course by several of the nice people on the Security Focus mailing list!&lt;br /&gt;
&lt;br /&gt;
PWB is an online training course with a strong hands-on element. It is self paced learning but you have to pay for labtime in 30 day increments. It also includes a qualification to become an Offensive Security Certified Professional. The certification process seems pretty hardcore as you are given 24 hours at the end of your allotted labtime to break into an unknown network using the skills you learnt on the course!&lt;br /&gt;
&lt;br /&gt;
I have had a read through the syllabus for the course and it seems very comprehensive. There are a lot of areas that I know I'm going to be fairly weak in to begin with so I think it will prove to be quite a challenge. But it is often said that doing anything worthwhile is never easy! I've decided to go for 60 days of lab time as the average time to go through the course materials is approximately 80 hours and I don't think I will find the time to do this in just one month.&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;</description><link>http://tentpester.blogspot.com/2011/10/back-to-skool.html</link><author>noreply@blogger.com (Dave)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-2XHduWPR8yY/ToxnTTPq9cI/AAAAAAAAABo/LN35MtT4wnc/s72-c/blackboard_with_standletters.png" height="72" width="72" /><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-5852526213404255825.post-7409101553512987904</guid><pubDate>Tue, 04 Oct 2011 21:43:00 +0000</pubDate><atom:updated>2011-10-04T22:43:26.587+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Nmap</category><title>Beginning</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Phase 1: Reconnaissance&lt;br /&gt;
A lot of this phase focuses on information gathering using Social Engineering and Dumpster Diving and while I don't doubt that these are useful skills to know, they are difficult to practice in a home/lab environment. I'm not going to try and sweet talk myself into giving me my passwords and I don't really fancy rummaging around in the bins, the neighbours might find that odd! There are other techniques described as well like interrogating DNS servers, Whois searches etc. but they are not really relevant at the moment, I already have access to the network so I am going to concentrate on simulating an internal pen test.&lt;br /&gt;
&lt;br /&gt;
Phase 2: Scanning&lt;br /&gt;
First I will attempt to discover what live machines there are on the network. The easiest way to do this is by sending an ICMP echo request or ping. I don't want to do this by hand so I am going to use one of the Network Scanning tools in Backtrack (BT5). The first one in the list is Autoscan, this is what I see when I fire it up:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-QqAqZE-Hn74/Tot1u0NXXzI/AAAAAAAAABM/KSE5BDRct7s/s1600/AutoScan1.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="312" kca="true" src="http://3.bp.blogspot.com/-QqAqZE-Hn74/Tot1u0NXXzI/AAAAAAAAABM/KSE5BDRct7s/s400/AutoScan1.JPG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Next I can specify the subnet I wish to scan. I have removed some of the default entries as I know what the network and subnet mask is in this case.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-qGuz_xVOPO8/Tot2jVDa4ZI/AAAAAAAAABQ/L29KkgTqdLw/s1600/AutoScan2.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="312" kca="true" src="http://2.bp.blogspot.com/-qGuz_xVOPO8/Tot2jVDa4ZI/AAAAAAAAABQ/L29KkgTqdLw/s400/AutoScan2.JPG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
I skip through the next few options without changing anything. I am surprised by the results for two reasons. One, I wasn't expecting the tool to attempt to fingerprint (identify) the host systems as well as ICMP scanning them, and two, I wasn't expecting to see this many hosts on my network!&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-u1afrT-gjbU/Tot3OyB1v8I/AAAAAAAAABU/hhDoOgZYs1g/s1600/AutoScan3.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="345" kca="true" src="http://2.bp.blogspot.com/-u1afrT-gjbU/Tot3OyB1v8I/AAAAAAAAABU/hhDoOgZYs1g/s400/AutoScan3.JPG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
I started this quite late in the evening and I'd really like to go to bed now but I just know I won't be able to sleep until I've figured out what all these hosts are and if they all belong to me or not! I skip forward a few pages in the book and come to the section describing Nmap. I decide to see if Nmap will provide any more information about the hosts than Autoscan.&lt;br /&gt;
&lt;br /&gt;
Although there is a GUI with Nmap, I have decided to force myself to learn the command line. If there is a choice between GUI and CLI I always try to use the CLI as it gives you more flexibility and, I believe, a better understanding of the product. So I start scanning each host in order using 'nmap -O &lt;i&gt;ip address&lt;/i&gt;'.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-bm9cM21V_wM/Tot66-_eHdI/AAAAAAAAABY/4Ye3NklobMU/s1600/NMap1.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="160" kca="true" src="http://2.bp.blogspot.com/-bm9cM21V_wM/Tot66-_eHdI/AAAAAAAAABY/4Ye3NklobMU/s400/NMap1.JPG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Don't really need to go much further than the first line; 'my.router' kind of gives away what this device is. The MAC address OUI at the bottom confirms that this is my ADSL router. Interestingly though, in the Aggressive OS guesses it doesn't list DrayTek at all.&lt;br /&gt;
&lt;br /&gt;
192.168.1.10 has been identified correctly by AutoScan so I move on to .11. Nmap reports that the host seems down; I go back to AutoScan to check, but it is reporting that it is still up. Nmap helpfully suggests using the -Pn option if you believe the host is really up; this option will treat all hosts as online and skip host discovery:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-VX4nEaBwfq8/Tot7flqmYyI/AAAAAAAAABc/nz57qgAsqgI/s1600/NMap2.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="118" kca="true" src="http://4.bp.blogspot.com/-VX4nEaBwfq8/Tot7flqmYyI/AAAAAAAAABc/nz57qgAsqgI/s400/NMap2.JPG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Ahhh, the iPhone! Had forgotten about that! To confirm, I try to look up the OUI (first 6 characters of the MAC address) on http://www.coffer.com/mac_find/ but it comes back as unknown. Mr Google, however, returns a result from hwaddress.com listing it as belonging to Apple Inc.&lt;br /&gt;
&lt;br /&gt;
192.168.1.12 I know to be my BackTrack VM, so I bypass that, but .13 has now gone off the network. Bit worrying. I tried a simple ping and left it running; occasionally the host responds and then goes unreachable again. I will keep the ping running and try a quick scan if it starts replying. Moving on to .14, this should be interesting as AutoScan identified this as a firewall. Nmap -O is taking a bit longer to come back this time round; eventually it reports that all 1000 scanned ports are filtered and it has no idea of the OS. I know this device to be my laptop running a personal firewall. It is good to know that it is doing its job well, but I will return to this again and see if there are any other ways of identifying it with Nmap or another tool.&lt;br /&gt;
&lt;br /&gt;
192.168.1.15 returns a few open ports including ftp, ssh, http, https and mysql. The OS is detected as Linux 2.6.X and the MAC address is a VMWare one. I believe this to be my DVWA (Damn Vulnerable Web Application) VM.&lt;br /&gt;
&lt;br /&gt;
192.168.1.16 returns a single open port (SSH) but it is not sure which OS. From the aggressive guesses it's pretty sure it's Linux of some kind. And it is; this is a Redhat VM.&lt;br /&gt;
&lt;br /&gt;
192.168.1.19 is the last one on the list, which I know to be my VMWare host. Nmap picks up seven open ports but is unable to identify the operating system.&lt;br /&gt;
&lt;br /&gt;
EDIT: with the Linux VMs and VMWare, I need to spend some more time trying to find out what they are using penetration testing tools and techniques rather than just utilising my knowledge of my network setup.&lt;br /&gt;
&lt;br /&gt;
And just as I'm about to fall asleep on my keyboard the .13 host starts replying again. I quickly break the ping and run nmap -Pn:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-65S19ou-orc/Tot8QzRS2tI/AAAAAAAAABg/p7sTlIqZVDI/s1600/NMap3.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="100" kca="true" src="http://2.bp.blogspot.com/-65S19ou-orc/Tot8QzRS2tI/AAAAAAAAABg/p7sTlIqZVDI/s400/NMap3.JPG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
Nintendo? Must be the Wii!! This has been switched off all day, but it must periodically connect to the WiFi to check for updates or something. Nice and locked down though, no open ports!&lt;br /&gt;
&lt;br /&gt;
Conclusions so far: Might not bother with AutoScan in the future. It has a nice GUI, but from my initial findings Nmap appears to give more information. It looks like there are command line options for scanning subnets as well, so I will try them next time.&lt;br /&gt;
&lt;/div&gt;</description><link>http://tentpester.blogspot.com/2011/10/beginning.html</link><author>noreply@blogger.com (Dave)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-QqAqZE-Hn74/Tot1u0NXXzI/AAAAAAAAABM/KSE5BDRct7s/s72-c/AutoScan1.JPG" height="72" width="72" /><thr:total>6</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-5852526213404255825.post-2572315407518277869</guid><pubDate>Mon, 19 Sep 2011 21:11:00 +0000</pubDate><atom:updated>2011-09-19T22:11:11.353+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">books</category><title>An old book read with new eyes</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-IcPFsASEB68/TnemC9CHysI/AAAAAAAAABI/AMbv4jOV4R8/s1600/open_book_blank.png" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="120" rba="true" src="http://4.bp.blogspot.com/-IcPFsASEB68/TnemC9CHysI/AAAAAAAAABI/AMbv4jOV4R8/s200/open_book_blank.png" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;So I've got the lab pretty much sorted now. I've downloaded Metasploitable at the recommendation of a couple of people (cheers!)&amp;nbsp; and will install that shortly. &lt;br /&gt;
&lt;br /&gt;
What next is the question I ask myself! Some kind of guide and/or methodology to follow would be useful. Some readers have suggested a couple of books to read, which I will check out at some point in the future, but for now I thought I would go back to a book I purchased some time ago, but which of late has just been gathering dust on my bookshelf. Counter Hack Reloaded by Ed Skoudis is a book I bought a few years back to try and learn a bit more about the kind of attacks our firewalls were reporting in the IPS logs, but to be honest I used it more as a reference than a book to be read in depth.&lt;br /&gt;
&lt;br /&gt;
The first few chapters in the book give an overview of networking and operating systems, but the remainder of the book is organised into chapters dedicated to common phases of an attack - Reconnaissance, Scanning, Gaining Access, Maintaining Access and Covering Tracks. I would presume these to be similar to the phases used by a penetration tester. While the book is a little bit old now (published in 2006) it is well written and a lot of the tools described are still in use. I figure I could use it as a good starting point. &lt;br /&gt;
&lt;br /&gt;
I plan to follow it through and I'll try and describe my experiences at each stage here.&lt;/div&gt;</description><link>http://tentpester.blogspot.com/2011/09/old-book-read-with-new-eyes.html</link><author>noreply@blogger.com (Dave)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-IcPFsASEB68/TnemC9CHysI/AAAAAAAAABI/AMbv4jOV4R8/s72-c/open_book_blank.png" height="72" width="72" /><thr:total>3</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-5852526213404255825.post-6947081229245637559</guid><pubDate>Mon, 12 Sep 2011 19:46:00 +0000</pubDate><atom:updated>2011-09-12T20:55:41.133+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">test lab</category><title>Lab continued</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-hqqaEClJXSI/Tm5d0_VSjSI/AAAAAAAAAAk/hwcjs2Q76lA/s1600/organick_Chemistry_set_1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://2.bp.blogspot.com/-hqqaEClJXSI/Tm5d0_VSjSI/AAAAAAAAAAk/hwcjs2Q76lA/s200/organick_Chemistry_set_1.png" width="143" /&gt;&lt;/a&gt;&lt;/div&gt;So I have been looking for operating systems to install in my shiny new lab today. I already had a Redhat 6.1 ISO handy so I installed that. I have also downloaded the latest version of BackTrack to use as my hacking platform. For those that don't know BackTrack is a Linux distribution that comes pre-installed with all the security tools you could wish for, and probably a few more besides. I will expand on BackTrack a bit more in later posts as I start using it.&lt;br /&gt;
&lt;br /&gt;
I was searching around the web for other OS's that I could use for learning purposes and I came across this excellent page by Felipe Martins:&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.felipemartins.info/2011/05/pentesting-vulnerable-study-frameworks-complete-list/"&gt;http://www.felipemartins.info/2011/05/pentesting-vulnerable-study-frameworks-complete-list/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
As the URL suggests, it is a complete list of vulnerable systems/sites that can be used for studying penetration testing. Top bloke!&lt;br /&gt;
&lt;br /&gt;
There are a number of operating systems and web apps listed that are specifically designed to be insecure so that the beginner/trainee can practice their skills. There are also a number of war games sites that I will have to check out at a later time.&lt;br /&gt;
&lt;br /&gt;
For now I have decided to download DVWA (Damn Vulnerable Web Application) and I was going to go for DVL (Damn Vulnerable Linux) but it looks like they are still working on version 2.0 (to be released soon). &lt;/div&gt;</description><link>http://tentpester.blogspot.com/2011/09/lab-continued.html</link><author>noreply@blogger.com (Dave)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-hqqaEClJXSI/Tm5d0_VSjSI/AAAAAAAAAAk/hwcjs2Q76lA/s72-c/organick_Chemistry_set_1.png" height="72" width="72" /><thr:total>5</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-5852526213404255825.post-5247790306934129066</guid><pubDate>Sun, 11 Sep 2011 16:33:00 +0000</pubDate><atom:updated>2011-09-12T00:50:50.187+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">test lab</category><title>Building a test lab</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-mevY4JoYueo/Tm1JPHIZiBI/AAAAAAAAAAU/cfhDiNTNI8E/s1600/organick_Chemistry_set_9.png" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" nba="true" src="http://3.bp.blogspot.com/-mevY4JoYueo/Tm1JPHIZiBI/AAAAAAAAAAU/cfhDiNTNI8E/s200/organick_Chemistry_set_9.png" width="146" /&gt;&lt;/a&gt;&lt;/div&gt;So, although I don't know much at this stage I do know that I will need access to a test environment so I can practice using tools and breaking into systems. I can't really practice on my existing home PC (wife wouldn't be happy about this as she uses it for work!) or on the network at work (production systems, possible legal issues there too) so I decided I would need to build my own virtual environment.&lt;br /&gt;
&lt;br /&gt;
A family member recently replaced their PC with a laptop and they were going to skip the old PC. It's only a Dell Inspiron 531 with 1GB of memory, but it has a 64 bit AMD processor and I thought it would be enough to get me going. Wrong! Tried installing VMWare vSphere 4 but it repeatedly failed with some very strange error messages. A quick Google search shows that the error is probably due to the on board NIC not being compatible. I could order a new NIC for it, but I really didn't want to waste any money on such an old machine, especially if I wasn't 100% sure it would fix my problem.&lt;br /&gt;
&lt;br /&gt;
So I started looking around work for some spare hardware to borrow. After a quick chat with the man in the know and a brief search we managed to locate a Dell Optiplex 745 that was surplus to requirements. It has a dual core Intel 1.86GHz CPU with 2GB of RAM and a couple of fairly large hard disks. Perfect! VMWare installed with no problems and I was up and running.&lt;br /&gt;
&lt;br /&gt;
Now I should point out at this point that the Optiplex is at the office, I have not stolen anything! The machine will have work related uses as well as what I have planned for it. There is an existing test lab at work but the server boys are a tad protective over it so it will be much better to have a lab of my own.&lt;br /&gt;
&lt;br /&gt;
So I have VMWare up and running, and to appease her indoors I am going to dispose of the Inspiron. I have enough computers lying around the house as it is apparently (how is that possible?). I have removed the hard disk and the memory and installed them in the Optiplex. The hard disk will be used to store ISO images so as not to impinge on the main OS storage drive.&lt;br /&gt;
&lt;br /&gt;
Now to acquire some operating systems....&lt;/div&gt;</description><link>http://tentpester.blogspot.com/2011/09/building-test-lab.html</link><author>noreply@blogger.com (Dave)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-mevY4JoYueo/Tm1JPHIZiBI/AAAAAAAAAAU/cfhDiNTNI8E/s72-c/organick_Chemistry_set_9.png" height="72" width="72" /><thr:total>3</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-5852526213404255825.post-8467413207101518282</guid><pubDate>Fri, 09 Sep 2011 22:50:00 +0000</pubDate><atom:updated>2011-09-12T01:45:27.047+01:00</atom:updated><title>Who, what and why</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-sX4VMbB6-TY/Tm1WDFsYq7I/AAAAAAAAAAg/XqeeBZO4TPI/s1600/start_stop_button_crop.JPG" imageanchor="1" style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="163" nba="true" src="http://3.bp.blogspot.com/-sX4VMbB6-TY/Tm1WDFsYq7I/AAAAAAAAAAg/XqeeBZO4TPI/s200/start_stop_button_crop.JPG" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;So, first post. Also first blog. Errr, not sure how to begin....&lt;br /&gt;
&lt;br /&gt;
I am a thirty something IT bod who has been working in the industry for about 15 years. I have been doing network support for the majority of that time but of late I have been getting somewhat bored of dealing with the same things week after week. Projects throw up the same issues, people want the same changes implementing, faults are always network problems (they are not!) and so on.&lt;br /&gt;
&lt;br /&gt;
I need a change of direction. &lt;br /&gt;
&lt;br /&gt;
I've always had an interest in computer security and about six months ago I had the privilege of escorting a Penetration Tester around our site so he could do his thing for our annual audit. I got talking to him and he was kind enough to show me some of the tools and processes he used for his job. Since then I have been thinking what a great job it must be - constantly challenging, constantly learning new methods of testing/breaking security and always with different targets and environments. &lt;br /&gt;
&lt;br /&gt;
The question is how do you get to be a penetration tester when you have zero penetration testing experience?&lt;br /&gt;
&lt;br /&gt;
This is what I aim to discover! I thought I would record the path I take in this blog so that a) it might help somebody else in the future if they are attempting the same thing and b) it will keep me focused to ensure I am constantly striving to attain my goal.&lt;br /&gt;
&lt;br /&gt;
More to come, watch this space (or the one above to be more accurate)!&lt;/div&gt;</description><link>http://tentpester.blogspot.com/2011/09/who-what-and-why.html</link><author>noreply@blogger.com (Dave)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-sX4VMbB6-TY/Tm1WDFsYq7I/AAAAAAAAAAg/XqeeBZO4TPI/s72-c/start_stop_button_crop.JPG" height="72" width="72" /><thr:total>6</thr:total></item></channel></rss>
